From: Matthew Garrett <matthew.garrett@nebula.com>

Date: Fri, 9 Aug 2013 17:58:15 -0400

Subject: [PATCH] Add secure_modules() call

Provide a single call to allow kernel code to determine whether the system

has been configured to either disable module loading entirely or to load

only modules signed with a trusted key.

Bugzilla: N/A

Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>

---

 include/linux/module.h |  7 +++++++

 kernel/module.c        | 10 ++++++++++

 2 files changed, 17 insertions(+)

diff --git a/include/linux/module.h b/include/linux/module.h

index b03485bcb82a..b033dab5c8bf 100644

--- a/include/linux/module.h

+++ b/include/linux/module.h

@@ -506,6 +506,8 @@ int unregister_module_notifier(struct notifier_block *nb);

 extern void print_modules(void);

+extern bool secure_modules(void);

+

 #else /* !CONFIG_MODULES... */

 /* Given an address, look for it in the exception tables. */

@@ -616,6 +618,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)

 static inline void print_modules(void)

 {

 }

+

+static inline bool secure_modules(void)

+{

+	return false;

+}

 #endif /* CONFIG_MODULES */

 #ifdef CONFIG_SYSFS

diff --git a/kernel/module.c b/kernel/module.c

index 538794ce3cc7..f3489ef9e409 100644

--- a/kernel/module.c

+++ b/kernel/module.c

@@ -3911,3 +3911,13 @@ void module_layout(struct module *mod,

 }

 EXPORT_SYMBOL(module_layout);

 #endif

+

+bool secure_modules(void)

+{

+#ifdef CONFIG_MODULE_SIG

+	return (sig_enforce || modules_disabled);

+#else

+	return modules_disabled;

+#endif

+}

+EXPORT_SYMBOL(secure_modules);