summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2013-02-25 05:42:36 +0100
committerJames Morris <james.l.morris@oracle.com>2013-02-25 16:46:38 +0100
commita2c2c3a71c25627e4840795b3c269918d0e71b28 (patch)
treef643772b0087e7bf5a9801ed07580ee8d5ce93c9
parentMerge tag 'mfd-3.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/... (diff)
downloadlinux-a2c2c3a71c25627e4840795b3c269918d0e71b28.tar.xz
linux-a2c2c3a71c25627e4840795b3c269918d0e71b28.zip
ima: "remove enforce checking duplication" merge fix
Commit "750943a ima: remove enforce checking duplication" combined the 'in IMA policy' and 'enforcing file integrity' checks. For the non-file, kernel module verification, a specific check for 'enforcing file integrity' was not added. This patch adds the check. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
-rw-r--r--security/integrity/ima/ima_main.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5127afcc4b89..5b14a0946d6e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -284,7 +284,8 @@ int ima_module_check(struct file *file)
{
if (!file) {
#ifndef CONFIG_MODULE_SIG_FORCE
- if (ima_appraise & IMA_APPRAISE_MODULES)
+ if ((ima_appraise & IMA_APPRAISE_MODULES) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE))
return -EACCES; /* INTEGRITY_UNKNOWN */
#endif
return 0; /* We rely on module signature checking */