All new accounts created on Gitlab now require administrator approval. If you invite any collaborators, please let Flux staff know so they can approve the accounts.

Commit 6727bb9c authored by Luis R. Rodriguez's avatar Luis R. Rodriguez Committed by Rusty Russell

kernel/module.c: avoid ifdefs for sig_enforce declaration

There's no need to require an ifdef over the declaration
of sig_enforce as IS_ENABLED() can be used. While at it,
there's no harm in exposing this kernel parameter outside of
CONFIG_MODULE_SIG as it'd be a no-op on non module sig

Now, technically we should in theory be able to remove
the #ifdef'ery over the declaration of the module parameter
as we are also trusting the bool_enable_only code for
CONFIG_MODULE_SIG kernels but for now remain paranoid
and keep it.

With time if no one can put a bullet through bool_enable_only
and if there are no technical requirements over not exposing
CONFIG_MODULE_SIG_FORCE with the measures in place by
bool_enable_only we could remove this last ifdef.

Cc: Rusty Russell <>
Cc: Andrew Morton <>
Cc: Kees Cook <>
Cc: Tejun Heo <>
Cc: Ingo Molnar <>
Signed-off-by: default avatarLuis R. Rodriguez <>
Signed-off-by: default avatarRusty Russell <>
parent 552f530c
......@@ -292,15 +292,10 @@ static void module_assert_mutex_or_preempt(void)
static bool sig_enforce = true;
static bool sig_enforce = false;
static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
module_param(sig_enforce, bool_enable_only, 0644);
#endif /* CONFIG_MODULE_SIG */
/* Block module loading/unloading? */
int modules_disabled = 0;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment