From 0f6eec5ca124baf1372fb4edeacd11a002378f5e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/20] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load only modules signed with a trusted key. Bugzilla: N/A Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd Signed-off-by: Matthew Garrett --- include/linux/module.h | 6 ++++++ kernel/module.c | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h index 3daf2b3..082298a 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -655,6 +655,8 @@ static inline bool is_livepatch_module(struct module *mod) } #endif /* CONFIG_LIVEPATCH */ +extern bool secure_modules(void); + #else /* !CONFIG_MODULES... */ /* Given an address, look for it in the exception tables. */ @@ -771,6 +773,10 @@ static inline bool module_requested_async_probing(struct module *module) return false; } +static inline bool secure_modules(void) +{ + return false; +} #endif /* CONFIG_MODULES */ #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c index 5f71aa6..3c38496 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -4199,3 +4199,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif + +bool secure_modules(void) +{ +#ifdef CONFIG_MODULE_SIG + return (sig_enforce || modules_disabled); +#else + return modules_disabled; +#endif +} +EXPORT_SYMBOL(secure_modules); -- 2.5.5