summaryrefslogtreecommitdiffstats
path: root/Add-secure_modules-call.patch
diff options
context:
space:
mode:
Diffstat (limited to 'Add-secure_modules-call.patch')
-rw-r--r--Add-secure_modules-call.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch
new file mode 100644
index 000000000..25a60e5b6
--- /dev/null
+++ b/Add-secure_modules-call.patch
@@ -0,0 +1,64 @@
+From 2b10c8cae99674ce201497dda8830d13291f46b5 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Aug 2013 17:58:15 -0400
+Subject: [PATCH] Add secure_modules() call
+
+Provide a single call to allow kernel code to determine whether the system
+has been configured to either disable module loading entirely or to load
+only modules signed with a trusted key.
+
+Bugzilla: N/A
+Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ include/linux/module.h | 7 +++++++
+ kernel/module.c | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/include/linux/module.h b/include/linux/module.h
+index 71f282a4e307..341a73ecea2e 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -516,6 +516,8 @@ int unregister_module_notifier(struct notifier_block *nb);
+
+ extern void print_modules(void);
+
++extern bool secure_modules(void);
++
+ #else /* !CONFIG_MODULES... */
+
+ /* Given an address, look for it in the exception tables. */
+@@ -626,6 +628,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
+ static inline void print_modules(void)
+ {
+ }
++
++static inline bool secure_modules(void)
++{
++ return false;
++}
+ #endif /* CONFIG_MODULES */
+
+ #ifdef CONFIG_SYSFS
+diff --git a/kernel/module.c b/kernel/module.c
+index 03214bd288e9..1f7b4664300e 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3842,3 +3842,13 @@ void module_layout(struct module *mod,
+ }
+ EXPORT_SYMBOL(module_layout);
+ #endif
++
++bool secure_modules(void)
++{
++#ifdef CONFIG_MODULE_SIG
++ return (sig_enforce || modules_disabled);
++#else
++ return modules_disabled;
++#endif
++}
++EXPORT_SYMBOL(secure_modules);
+--
+1.9.3
+