[PATCH 0/3] kexec: limit kexec_load syscall
Mimi Zohar
zohar at linux.vnet.ibm.com
Thu Apr 12 15:41:48 PDT 2018

In environments that require the kexec kernel image to be signed, prevent
using the kexec_load syscall. In order for LSMs and IMA to differentiate
between kexec_load and kexec_file_load syscalls, this patch set adds a
call to security_kernel_read_file() in kexec_load_check().

Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>

Mimi Zohar (3):
  ima: based on the "secure_boot" policy limit syscalls
  kexec: call LSM hook for kexec_load syscall
  ima: based on policy require signed kexec kernel images

 kernel/kexec.c                      | 11 +++++++++++
 security/integrity/ima/ima.h        |  1 +
 security/integrity/ima/ima_main.c   |  9 +++++++++
 security/integrity/ima/ima_policy.c | 27 ++++++++++++++++++++-------
 4 files changed, 41 insertions(+), 7 deletions(-)

--
2.7.5