commit 16c267aac86b463b1fcccd43c89f4c8e5c5c86fa
author Mimi Zohar <zohar@linux.vnet.ibm.com> Fri Jul 13 14:05:58 2018 -0400
committer James Morris <james.morris@microsoft.com> Mon Jul 16 12:31:57 2018 -0700
tree 550e6fcb00d732a3c018b3258302f8ffd61a4379
parent a210fd32a46bae6d05b43860fe3b47732501d63b

ima: based on policy require signed kexec kernel images

The original kexec_load syscall can not verify file signatures, nor can
the kexec image be measured.  Based on policy, deny the kexec_load
syscall.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>

security/security.c

diff --git a/security/security.c b/security/security.c
index c2de2f1..4927e7c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1058,7 +1058,12 @@ EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
 
 int security_kernel_load_data(enum kernel_load_data_id id)
 {
-	return call_int_hook(kernel_load_data, 0, id);
+	int ret;
+
+	ret = call_int_hook(kernel_load_data, 0, id);
+	if (ret)
+		return ret;
+	return ima_load_data(id);
 }
 
 int security_task_fix_setuid(struct cred *new, const struct cred *old,