From 8961886c2470a81c137c47a1b5c83977553a1265 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Mon, 10 Aug 2020 10:44:43 +0300
Subject: [PATCH] patch: allow to off modules signature check dynamically
---
 ...o-off-modules-signature-check-dynami.patch | 36 +++++++++++++++++++
 kernel.spec | 4 ++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
diff --git a/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch b/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
new file mode 100644
index 0000000..7a8dabf
--- /dev/null
+++ b/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
@@ -0,0 +1,36 @@
+From 36dc5cf3039c0751fe95370a247ca1c23c06571c Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Mon, 10 Aug 2020 10:38:20 +0300
+Subject: [PATCH] ROSA: ima: allow to off modules signature check dynamically
+
+Allow module.sig_enforce=0 kernel cmdline, not only module.sig_enforce=1
+It allows to keep CONFIG_MODULE_SIG_FORCE=y, but disable it when really needed.
+
+GRUB or another bootloader is password-protected when needed,
+so I am not afraid much that someone will be able to turn it off when not needed.
+
+in production systems.
+
+ROSA-specific patch.
+
+Signed-off-by: Mikhail Novosyolov
+---
+ kernel/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 6baa1080c..118d8ee60 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -268,7 +268,7 @@ static void module_assert_mutex_or_preempt(void)
+ }
+
+ static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+-module_param(sig_enforce, bool_enable_only, 0644);
++module_param(sig_enforce, bool, 0644);
+
+ /*
+ * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
+--
+2.17.1
+
diff --git a/kernel.spec b/kernel.spec
index c830bb3..5d9d4f6 100644
--- a/kernel.spec
+++ b/kernel.spec
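Review bot: Switching `module_param(sig_enforce, bool_enable_only, 0644)` to `bool` while keeping mode `0644` does more than accept `module.sig_enforce=0` on the cmdline: the parameter stays writable through sysfs, so a root process can now clear enforcement at runtime by writing 0 to /sys/module/module/parameters/sig_enforce, which the bootloader-password argument in the patch message does not cover. If only boot-time control is intended, drop the runtime write path with `module_param(sig_enforce, bool, 0444);` — the cmdline is still parsed, and the file stays readable so the effective value can be audited. Otherwise the patch should state explicitly that CONFIG_MODULE_SIG_FORCE=y no longer guarantees enforcement after boot, and anything relying on `is_module_sig_enforced()` (the exported accessor the trailing context comment refers to) needs re-checking against a value that can flip to false later. The `ROSA: ima:` subject prefix is also misleading, since the change is in kernel/module.c rather than IMA.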
@@ -24,7 +24,7 @@
 %define sublevel 40
 # Release number. Increase this before a rebuild.
-%define rpmrel 10
+%define rpmrel 11
 %define fullrpmrel %{rpmrel}
 %define rpmtag %{disttag}
@@ -285,6 +285,8 @@
 Patch303: perf-5.4.20-binutil-libs-2.34.patch
 Patch304: 0001-mm-add-sysctl-to-disable-disk-based-swap.patch
 # Support loading GOST-signed modules
 Patch305: 0001-crypto-support-loading-GOST-signed-kernel-modules.patch
+# Allow to off modules signature check dynamically
+Patch306: 0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
 # Disable AutoReq
 AutoReq: 0