With an IMA policy requiring signed firmware, this patch prevents the sysfs fallback method of loading firmware.
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
Cc: Luis R. Rodriguez <mcgrof@xxxxxxxx>
Cc: David Howells <dhowells@xxxxxxxxxx>
Cc: Matthew Garrett <mjg59@xxxxxxxxxx>
---
 security/integrity/ima/ima_main.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index fbbcc02a1380..dd1f263f950a 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -451,10 +451,17 @@ int ima_read_data(struct file *file, enum kernel_read_file_id read_id)
 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file syscall.\n");
 return -EACCES; /* INTEGRITY_UNKNOWN */
 }
+ break;
+ case READING_FIRMWARE_FALLBACK_SYSFS:
+ if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
+ pr_err("Prevent firmware sysfs fallback loading.\n");
+ return -EACCES; /* INTEGRITY_UNKNOWN */
+ }
 default:
 break;
 }
 return 0;
+
 }
 static int read_idmap[READING_MAX_ID] = {
-- 
2.7.5
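Review bot: The new `case READING_FIRMWARE_FALLBACK_SYSFS:` refuses the fallback on `ima_appraise & IMA_APPRAISE_FIRMWARE` alone, with no check of the appraisal mode; if `ima_appraise` also carries the enforce/log/fix mode bits, as it does elsewhere in IMA, a policy in log or fix mode would still hard-fail sysfs firmware loading with -EACCES instead of only logging, which is stricter than the "requiring signed firmware" wording of the description. Suggest gating on enforce mode too, `if ((ima_appraise & IMA_APPRAISE_ENFORCE) && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {`, matching whatever mode test the kexec case above the hunk applies. Two smaller points: the new case has no `break;` after its closing `}` and silently falls into `default:`, unlike the explicit `+ break;` this same hunk adds to the kexec case, so add `break;` before `default:` (or a `/* fallthrough */` marker if that is intended); and the lone `+` line after `return 0;` adds an unrelated blank line before the function's closing brace that should be dropped. The enclosing switch and function begin above the hunk, so the kexec condition itself is not visible here.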