CHROMIUM: LSM: allow old style loads when locking disabled

This is needed when our kernel is used with other userspaces, i.e. Ubuntu
and other distros.

Enabling old-style module init when locking is explicitly disabled doesn't
open up any security exposure for users unless they have disabled
rootfs_verification AND module load restrictions. I.e. default users have
no added exposure.

BUG=chromium-os:37055
TEST=needs a new testcase (crosbug.com/37056)

Change-Id: If5ec577a4c7be64a7fa6a0be6a76f3044de42e14
Signed-off-by: Olof Johansson <olofj@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/39383
Reviewed-by: Kees Cook <keescook@chromium.org>

diff --git a/security/chromiumos/lsm.c b/security/chromiumos/lsm.c
index deefdb4..ec41bdc 100644 (file)
--- a/security/chromiumos/lsm.c
+++ b/security/chromiumos/lsm.c
@@ -158,6 +158,11 @@ static int chromiumos_security_load_module(struct file *file)
        struct dentry *module_root;
 
        if (!file) {
+               if (!module_locking) {
+                       report_load_module(NULL, "old-api-locking-ignored");
+                       return 0;
+               }
+
                report_load_module(NULL, "old-api-denied");
                return -EPERM;
        }