diff options
author | Petr Vorel <pvorel@suse.cz> | 2019-05-15 08:18:07 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-06-09 09:16:14 +0200 |
commit | 407eb63f2aa4f1f9b0962df530f3aeec401d6e3e (patch) | |
tree | bbf4243484b6c9f83f422cd91418ca5f5e756ee4 /security | |
parent | c59e2a64128e30a16394b2fa09b7470c2e2f6f68 (diff) | |
download | linux-stable-407eb63f2aa4f1f9b0962df530f3aeec401d6e3e.tar.gz linux-stable-407eb63f2aa4f1f9b0962df530f3aeec401d6e3e.tar.bz2 linux-stable-407eb63f2aa4f1f9b0962df530f3aeec401d6e3e.zip |
ima: fix wrong signed policy requirement when not appraising
commit f40019475bbbe9b455e7fd4385fcf13896c492ca upstream.
Kernel booted just with ima_policy=tcb (not with
ima_policy=appraise_tcb) shouldn't require signed policy.
Regression found with LTP test ima_policy.sh.
Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
Cc: stable@vger.kernel.org (linux-5.0)
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_policy.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e0cc323f948f..0f6fe53cef09 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_entry *entries, int count, list_add_tail(&entry->list, &ima_policy_rules); } - if (entries[i].action == APPRAISE) + if (entries[i].action == APPRAISE) { temp_ima_appraise |= ima_appraise_flag(entries[i].func); - if (entries[i].func == POLICY_CHECK) - temp_ima_appraise |= IMA_APPRAISE_POLICY; + if (entries[i].func == POLICY_CHECK) + temp_ima_appraise |= IMA_APPRAISE_POLICY; + } } } |