[PATCH kernel-4.19 080/106] module: limit enabling module.sig_enforce

From: Mimi Zohar zohar@linux.ibm.com

[ Upstream commit 0c18f29aae7ce3dadd26d8ee3505d07cc982df75 ]

Irrespective as to whether CONFIG_MODULE_SIG is configured, specifying "module.sig_enforce=1" on the boot command line sets "sig_enforce". Only allow "sig_enforce" to be set when CONFIG_MODULE_SIG is configured.

This patch makes the presence of /sys/module/module/parameters/sig_enforce dependent on CONFIG_MODULE_SIG=y.

Fixes: fda784e50aac ("module: export module signature enforcement status") Reported-by: Nayna Jain nayna@linux.ibm.com Tested-by: Mimi Zohar zohar@linux.ibm.com Tested-by: Jessica Yu jeyu@kernel.org Signed-off-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Jessica Yu jeyu@kernel.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- kernel/module.c | 9 +++++++++ 1 file changed, 9 insertions(+)

diff --git a/kernel/module.c b/kernel/module.c index 126d273e47738..69d0e28804a8a 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -268,9 +268,18 @@ static void module_assert_mutex_or_preempt(void) #endif }

+#ifdef CONFIG_MODULE_SIG static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); module_param(sig_enforce, bool_enable_only, 0644);

+void set_module_sig_enforced(void) +{ + sig_enforce = true; +} +#else +#define sig_enforce false +#endif + /* * Export sig_enforce kernel cmdline parameter to allow other subsystems rely * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.