From 2c8fd268f41884bef5d37acda08d8006dc7da0ea Mon Sep 17 00:00:00 2001
From: Jia Zhang
Date: Wed, 11 Apr 2018 11:53:33 +0800
Subject: module: Do not access sig_enforce directly
Call is_module_sig_enforced() instead.
Signed-off-by: Jia Zhang
Signed-off-by: Jessica Yu
---
 kernel/module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'kernel')
diff --git a/kernel/module.c b/kernel/module.c
index a6e43a5..f695474 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2785,7 +2785,7 @@ static int module_sig_check(struct load_info *info, int flags)
 }
 /* Not having a signature is only an error if we're strict. */
- if (err == -ENOKEY && !sig_enforce)
+ if (err == -ENOKEY && !is_module_sig_enforced())
 err = 0;
 return err;
-- 
cgit v1.1
From c554b89868015d86cd330d9cc10656c3756352a5 Mon Sep 17 00:00:00 2001
From: Jia Zhang
Date: Wed, 11 Apr 2018 11:53:34 +0800
Subject: module: Allow to always show the status of modsign
The sig_enforce parameter could be always shown to reflect the current status of signature enforcement. For the case of CONFIG_MODULE_SIG_FORCE=y, this modification doesn't do anything, since sig_enforce can only be enabled, and not disabled, even via the kernel cmdline.
Signed-off-by: Jia Zhang
[jeyu: reworded commit message to provide clarification]
Signed-off-by: Jessica Yu
---
 kernel/module.c | 2 --
 1 file changed, 2 deletions(-) (limited to 'kernel')
diff --git a/kernel/module.c b/kernel/module.c
index f695474..1e3337b 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -274,9 +274,7 @@ static void module_assert_mutex_or_preempt(void)
 }
 static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
-#ifndef CONFIG_MODULE_SIG_FORCE
 module_param(sig_enforce, bool_enable_only, 0644);
-#endif /* !CONFIG_MODULE_SIG_FORCE */
 /*
  * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
-- 
cgit v1.1
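Review bot: The comment on the changed condition in module_sig_check() still says only "strict" and does not state which errors are tolerated, which is the security-relevant part of this check. On the visible lines only `-ENOKEY` is reset to 0, and only when `is_module_sig_enforced()` returns false; every other value of `err` is returned as a failure. I would reword the comment to `/* Only -ENOKEY is tolerated, and only while signature enforcement is off; any other verification error is returned. */`. Which paths produce `-ENOKEY` is decided earlier in the function, whose body starts outside this hunk, so the comment should not claim more than that.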
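Review bot: With the `#ifndef` removed in the second patch, `module_param(sig_enforce, bool_enable_only, 0644);` registers an owner-writable parameter in CONFIG_MODULE_SIG_FORCE=y builds as well, and the only thing that keeps enforcement from being cleared at runtime is the `bool_enable_only` parameter type. The commit message relies on that property but nothing in the code states it. A one-line comment above the macro would keep a later change of type or mode from silently weakening it, for example `/* bool_enable_only: may be set but never cleared, so exposing this under CONFIG_MODULE_SIG_FORCE cannot turn enforcement off. */`. The block comment that follows starts inside the hunk and continues past its end.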