diff options
author | Petr Vorel <pvorel@suse.cz> | 2019-05-15 08:18:07 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-05-20 02:27:12 +0200 |
commit | f40019475bbbe9b455e7fd4385fcf13896c492ca (patch) | |
tree | e1ef8d96b511c5f9a8a94b53ee2290b4d5834c89 /security/integrity/ima | |
parent | x86/ima: Check EFI_RUNTIME_SERVICES before using (diff) | |
download | linux-f40019475bbbe9b455e7fd4385fcf13896c492ca.tar.xz linux-f40019475bbbe9b455e7fd4385fcf13896c492ca.zip |
ima: fix wrong signed policy requirement when not appraising
Kernel booted just with ima_policy=tcb (not with
ima_policy=appraise_tcb) shouldn't require signed policy.
Regression found with LTP test ima_policy.sh.
Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
Cc: stable@vger.kernel.org (linux-5.0)
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity/ima')
-rw-r--r-- | security/integrity/ima/ima_policy.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e0cc323f948f..0f6fe53cef09 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_entry *entries, int count, list_add_tail(&entry->list, &ima_policy_rules); } - if (entries[i].action == APPRAISE) + if (entries[i].action == APPRAISE) { temp_ima_appraise |= ima_appraise_flag(entries[i].func); - if (entries[i].func == POLICY_CHECK) - temp_ima_appraise |= IMA_APPRAISE_POLICY; + if (entries[i].func == POLICY_CHECK) + temp_ima_appraise |= IMA_APPRAISE_POLICY; + } } } |