With an IMA policy requiring signed firmware, this patch prevents the sysfs fallback method of loading firmware. Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> Cc: Luis R. Rodriguez <mcgrof@xxxxxxxx> Cc: David Howells <dhowells@xxxxxxxxxx> Cc: Matthew Garrett <mjg59@xxxxxxxxxx> --- security/integrity/ima/ima_main.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 7e1a127f18fe..29d1a929af5c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -451,7 +451,17 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) } return 0; } + + if (read_id == READING_FIRMWARE_FALLBACK_SYSFS) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("Prevent firmware sysfs fallback loading.\n"); + return -EACCES; + } + return 0; + } return 0; + } static int read_idmap[READING_MAX_ID] = { -- 2.7.5
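Review bot: as the hunk reads here, the braces of ima_read_file no longer balance: the function's original closing brace never appears as a context line, yet the hunk adds a lone "+ }" after the final "return 0;", so please re-check the hunk against the tree before it is applied (it may have been damaged in mail, but if the added brace is real the file will not compile). Within the new block, the inner "return 0;" is redundant with the function's trailing "return 0;" and can be dropped, which also lets the block collapse to a single condition, e.g. "if (read_id == READING_FIRMWARE_FALLBACK_SYSFS && (ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE))". The pr_err text "Prevent firmware sysfs fallback loading." states what happened rather than why; mirroring the READING_MODULE message just above, something like "impossible to appraise firmware loaded via the sysfs fallback; signed firmware is required by policy" tells an administrator what to change. Note also that when IMA_APPRAISE_ENFORCE is not set the fallback is allowed silently with no log line, which is consistent with the rest of ima_read_file but worth a sentence in the commit message.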