ALSA: pcm: Fix missing check of the new non-cached buffer type

[linux-2.6-block.git] / kernel / kexec_file.c

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 43109ef4d6bf3686dfe6ba1a6a4dfe9f93fb0e38..79f252af7dee3b98391fcb1058f3e4463973e941 100644 (file)
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -208,7 +208,15 @@ kimage_validate_signature(struct kimage *image)
                        return ret;
                }
 
-               return security_locked_down(LOCKDOWN_KEXEC);
+               /* If IMA is guaranteed to appraise a signature on the kexec
+                * image, permit it even if the kernel is otherwise locked
+                * down.
+                */
+               if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
+                   security_locked_down(LOCKDOWN_KEXEC))
+                       return -EPERM;
+
+               return 0;
 
                /* All other errors are fatal, including nomem, unparseable
                 * signatures and signature check failures - even if signatures
@@ -241,9 +249,6 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
                return ret;
        image->kernel_buf_len = size;
 
-       /* IMA needs to pass the measurement list to the next kernel. */
-       ima_add_kexec_buffer(image);
-
        /* Call arch image probe handlers */
        ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
                                            image->kernel_buf_len);
@@ -281,8 +286,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
                        ret = -EINVAL;
                        goto out;
                }
+
+               ima_kexec_cmdline(image->cmdline_buf,
+                                 image->cmdline_buf_len - 1);
        }
 
+       /* IMA needs to pass the measurement list to the next kernel. */
+       ima_add_kexec_buffer(image);
+
        /* Call arch image load handlers */
        ldata = arch_kexec_kernel_image_load(image);