ima: silence measurement list hexdump during kexec

Directly calling print_hex_dump() dumps the IMA measurement list on soft
resets (kexec) straight to the syslog (kmsg/dmesg) without considering the
DEBUG flag or the dynamic debug state, causing the output to be always
printed, including during boot time.

Since this output is only valid for IMA debugging, but not necessary on
normal kexec operation, print_hex_dump_debug() adheres to the pr_debug()
behavior: the dump is only printed to syslog when DEBUG is defined or when
explicitly requested by the user through dynamic debugging.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index f799cc278a9a84e7c61cef2c8d96cca52ecc5e68..13753136f03f089a31dc9ff245b1e4bded915d99 100644 (file)
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -61,9 +61,9 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
        }
        memcpy(file.buf, &khdr, sizeof(khdr));
 
-       print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE,
-                       16, 1, file.buf,
-                       file.count < 100 ? file.count : 100, true);
+       print_hex_dump_debug("ima dump: ", DUMP_PREFIX_NONE, 16, 1,
+                            file.buf, file.count < 100 ? file.count : 100,
+                            true);
 
        *buffer_size = file.count;
        *buffer = file.buf;