This repository was archived by the owner on Sep 24, 2020. It is now read-only.
Merged
21 commits
a4715e7
Add secure_modules() call
Aug 9, 2013
59a1862
PCI: Lock down BAR access when module security is enabled
Mar 8, 2012
0e48816
x86: Lock down IO port access when module security is enabled
Mar 8, 2012
e7814fd
ACPI: Limit access to custom_method
Mar 9, 2012
80198ae
asus-wmi: Restrict debugfs interface when module loading is restricted
Mar 9, 2012
c92077b
Restrict /dev/mem and /dev/kmem when module loading is restricted
Mar 9, 2012
60daa41
acpi: Ignore acpi_rsdp kernel parameter when module loading is restri…
jwboyer Jun 25, 2012
7610966
kexec: Disable at runtime if the kernel enforces module loading restr…
Nov 20, 2015
fa15f4f
x86: Restrict MSR access when module loading is restricted
Feb 8, 2013
a111cd3
Add option to automatically enforce module signatures when in Secure …
Aug 9, 2013
b19e692
efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Aug 27, 2013
783e023
efi: Add EFI_SECURE_BOOT bit
Aug 27, 2013
dee15a2
hibernate: Disable in a signed modules environment
Jun 20, 2014
33a9f95
Security: Provide copy-up security hooks for unioned files
dhowells Jun 16, 2015
f34a790
Overlayfs: Use copy-up security hooks
dhowells Jun 16, 2015
ea05ed2
SELinux: Stub in copy-up handling
dhowells Jun 16, 2015
3a1a354
SELinux: Handle opening of a unioned file
dhowells Jun 16, 2015
8b5096e
SELinux: Check against union label for file operations
dhowells Jun 16, 2015
ed6d767
net/wireless/wl18xx: Add missing MODULE_FIRMWARE
glevand Sep 2, 2015
e815c8b
overlayfs: use a minimal buffer in ovl_copy_xattr
Oct 20, 2015
337f09a
kbuild: derive relative path for KBUILD_SRC from CURDIR
Nov 25, 2015
Add secure_modules() call
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
only modules signed with a trusted key.

Bugzilla: N/A
Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd

Signed-off-by: Matthew Garrett <[email protected]>
Matthew Garrett authored and crawford committed Dec 17, 2015
commit a4715e7344d1f33260ad8a05178319d0e4ea5694
6 changes: 6 additions & 0 deletions include/linux/module.h
Expand Up @@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module)
return module && module->async_probe_requested;
}

extern bool secure_modules(void);

#else /* !CONFIG_MODULES... */

/* Given an address, look for it in the exception tables. */
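Review bot: the `extern bool secure_modules(void);` declaration in include/linux/module.h has no comment stating what a true return means. This header is where callers in other subsystems will look, so add a short comment above the prototype saying that it reports whether module loading is disabled or restricted to signed modules, matching the wording of the commit message.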
Expand Down Expand Up @@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module)
return false;
}

static inline bool secure_modules(void)
{
return false;
}
#endif /* CONFIG_MODULES */

#ifdef CONFIG_SYSFS
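Review bot: the !CONFIG_MODULES stub of secure_modules() returns false, yet a kernel built without module support cannot load modules at all, which arguably matches the "disable module loading entirely" case named in the commit message. Any caller that restricts access based on this call would apply no restriction on a non-modular build. Either return true in the stub or add a comment explaining why a non-modular kernel is reported as not secure. As a style point, add a blank line between the closing brace of the stub and `#endif /* CONFIG_MODULES */`, as the preceding stub has.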
10 changes: 10 additions & 0 deletions kernel/module.c
Expand Up @@ -4091,3 +4091,13 @@ void module_layout(struct module *mod,
}
EXPORT_SYMBOL(module_layout);
#endif

bool secure_modules(void)
{
#ifdef CONFIG_MODULE_SIG
return (sig_enforce || modules_disabled);
#else
return modules_disabled;
#endif
}
EXPORT_SYMBOL(secure_modules);
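Review bot: secure_modules() in kernel/module.c is exported with plain `EXPORT_SYMBOL(secure_modules);`, which makes this security-state query available to every module regardless of licence. Unless a non-GPL user is intended, `EXPORT_SYMBOL_GPL` would be the more conservative choice, and the reasoning belongs in the commit message either way. Two smaller points in the same function: the parentheses in `return (sig_enforce || modules_disabled);` are unnecessary, and the function has no kerneldoc comment describing the two conditions it combines under CONFIG_MODULE_SIG versus the single condition without it.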