Enforce module signatures when securelevel is greater than 0

author Matthew Garrett <mjg59@srcf.ucam.org>

Mon, 9 Sep 2013 12:46:52 +0000 (08:46 -0400)

committer Yves-Alexis Perez <corsac@debian.org>

Fri, 9 Feb 2018 12:58:52 +0000 (12:58 +0000)
author Matthew Garrett <mjg59@srcf.ucam.org>
Mon, 9 Sep 2013 12:46:52 +0000 (08:46 -0400)
committer Yves-Alexis Perez <corsac@debian.org>
Fri, 9 Feb 2018 12:58:52 +0000 (12:58 +0000)
diff --git a/kernel/module.c b/kernel/module.c

index 0e54d5bf0097f57954d4848db6a830f5a0bc7072..129db6ce6752aa65791f7744afc2c9d6bcde776f 100644 (file)
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2745,7 +2745,7 @@ static int module_sig_check(struct load_info *info, int flags)
         }
  
         /* Not having a signature is only an error if we're strict. */
-       if (err == -ENOKEY && !sig_enforce)
+       if ((err == -ENOKEY && !sig_enforce) && (get_securelevel() <= 0))
                 err = 0;
  
         return err;
author	Matthew Garrett <mjg59@srcf.ucam.org>
	Mon, 9 Sep 2013 12:46:52 +0000 (08:46 -0400)
committer	Yves-Alexis Perez <corsac@debian.org>
	Fri, 9 Feb 2018 12:58:52 +0000 (12:58 +0000)