ima: log message to module appraisal error

Simple but useful message log to the user in case of module appraise is forced and fails due to the lack of file descriptor, that might be caused by kmod calls to compressed modules. Signed-off-by: Bruno E. O. Meneguele <brdeoliv@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Bruno E. O. Meneguele <bmeneguele@gmail.com> 2017-12-05 11:35:32 -0200
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-12-18 09:43:48 -0500
commit: 9c655be0644429b71396347887b43676ab4f6781 (patch)
tree: 8c4cf2283c3fa79d712e4119d3684f08dac2d73c /security
parent: ima: pass filename to ima_rdwr_violation_check() (diff)
download: linux-dev-9c655be0644429b71396347887b43676ab4f6781.tar.xz
linux-dev-9c655be0644429b71396347887b43676ab4f6781.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 0abc7d0db90b..21330d0455b0 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -404,8 +404,10 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
 
 	if (!file && read_id == READING_MODULE) {
 		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
-		    (ima_appraise & IMA_APPRAISE_ENFORCE))
+		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
+		}
 		return 0;	/* We rely on module signature checking */
 	}
 	return 0;
author	Bruno E. O. Meneguele <bmeneguele@gmail.com>	2017-12-05 11:35:32 -0200
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2017-12-18 09:43:48 -0500
commit	9c655be0644429b71396347887b43676ab4f6781 (patch)
tree	8c4cf2283c3fa79d712e4119d3684f08dac2d73c /security
parent	ima: pass filename to ima_rdwr_violation_check() (diff)
download	linux-dev-9c655be0644429b71396347887b43676ab4f6781.tar.xz linux-dev-9c655be0644429b71396347887b43676ab4f6781.zip