oss-sec mailing list archives

CVE-2021-35039: Linux kernel loading unsigned kernel modules via init_module syscall


From: Nayna <nayna () linux vnet ibm com>
Date: Tue, 6 Jul 2021 19:16:00 -0400

Vulnerability: Linux Kernel loading unsigned kernel modules via init_module syscall

Fixes: 7c9bc0983f89 ("ima: check signature enforcement against cmdline param instead of CONFIG")

Commit: 0c18f29aae7c ("module: limit enabling module.sig_enforce")

CVE: CVE-2021-35039

Details:
The IMA arch-specific policy rules, when enabled on x86, arm or powerpc; kernels with IMA_APPRAISE_REQUIRE_MODULE_SIGS configured; or systems with custom IMA policies containing a similar module rule, require all kernel modules to be signed. IMA currently verifies signatures only for kernel modules loaded via finit_module and relies on CONFIG_MODULE_SIG to verify the signatures of kernel modules loaded via init_module. The patch addresses the situation where MODULE_SIG is not enabled, but "module.sig_enforce=1" is specified on the boot command line.

Affected Kernel Versions: 4.15 through 5.12
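
The following triage check is an added example, not part of the original advisory or of the kernel patch. It tests a host's kernel release, boot command line and kernel config against the conditions described above; the function names, the CONFIG_IMA_ARCH_POLICY symbol and the accepted spellings of the boot parameter are assumptions, and custom IMA policies are not inspected.

```python
import re

# Range from the advisory ("4.15 through 5.12"). Distribution backports of
# the fix cannot be seen in the version string, so treat this as a coarse test.
AFFECTED_MIN, AFFECTED_MAX = (4, 15), (5, 12)
# The first symbol is named in the advisory. CONFIG_IMA_ARCH_POLICY is assumed
# here to be the option that enables the arch-specific rules it mentions.
IMA_MODULE_RULE_SYMBOLS = ("CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS",
                           "CONFIG_IMA_ARCH_POLICY")

def enabled_symbols(config_text):
    """Return the CONFIG_* symbols set to 'y' in kernel config text."""
    return set(re.findall(r"^(CONFIG_\w+)=y$", config_text, re.MULTILINE))

def sig_enforce_on_cmdline(cmdline):
    """True if module.sig_enforce is switched on in a boot command line."""
    for token in cmdline.split():
        name, sep, value = token.partition("=")
        if name == "module.sig_enforce":
            # Assumption: a bare flag or the values 1/y/Y count as enabled.
            return not sep or value in ("1", "y", "Y")
    return False

def assess(release, cmdline, config_text):
    """Check one host's data against the conditions in the advisory."""
    m = re.match(r"(\d+)\.(\d+)", release)
    version = (int(m.group(1)), int(m.group(2))) if m else None
    symbols = enabled_symbols(config_text)
    f = {
        "version_in_range": bool(version) and AFFECTED_MIN <= version <= AFFECTED_MAX,
        "module_sig_built": "CONFIG_MODULE_SIG" in symbols,
        "sig_enforce_cmdline": sig_enforce_on_cmdline(cmdline),
        "ima_module_rule": any(s in symbols for s in IMA_MODULE_RULE_SYMBOLS),
    }
    # Exposed: IMA expects signed modules and the command line claims
    # enforcement, but CONFIG_MODULE_SIG is not built in.
    f["exposed"] = (f["version_in_range"] and f["ima_module_rule"]
                    and f["sig_enforce_cmdline"] and not f["module_sig_built"])
    return f

# Constructed sample inputs, not taken from a real host.
SAMPLE_CONFIG = "CONFIG_IMA=y\nCONFIG_IMA_ARCH_POLICY=y\n# CONFIG_MODULE_SIG is not set\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro module.sig_enforce=1"

if __name__ == "__main__":
    print(assess("5.10.0", SAMPLE_CMDLINE, SAMPLE_CONFIG))
```

On a live system the three inputs would typically come from `uname -r`, /proc/cmdline and the kernel config file shipped by the distribution.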

