From 056a345be53a86b7cfa1e6828feef47c9d818b72 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 9 Sep 2013 15:49:36 -0700
Subject: [PATCH] Enforce module signatures when securelevel is greater than 0

Orabug: 21539498

If securelevel has been set to 1 or greater, require that all modules have
valid signatures.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
---
 kernel/module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module.c b/kernel/module.c
index cfc9e843a924..5f6d8700ae1b 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2447,7 +2447,7 @@ static int module_sig_check(struct load_info *info)
 	}
 
 	/* Not having a signature is only an error if we're strict. */
-	if (err == -ENOKEY && !sig_enforce)
+	if ((err == -ENOKEY && !sig_enforce) && (get_securelevel() <= 0))
 		err = 0;
 
 	return err;
-- 
2.50.1