summaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorPetr Vorel <pvorel@suse.cz>2019-05-15 08:18:07 +0200
committerMimi Zohar <zohar@linux.ibm.com>2019-05-20 02:27:12 +0200
commitf40019475bbbe9b455e7fd4385fcf13896c492ca (patch)
treee1ef8d96b511c5f9a8a94b53ee2290b4d5834c89 /security/integrity
parentx86/ima: Check EFI_RUNTIME_SERVICES before using (diff)
downloadlinux-f40019475bbbe9b455e7fd4385fcf13896c492ca.tar.xz
linux-f40019475bbbe9b455e7fd4385fcf13896c492ca.zip
ima: fix wrong signed policy requirement when not appraising
Kernel booted just with ima_policy=tcb (not with ima_policy=appraise_tcb) shouldn't require signed policy. Regression found with LTP test ima_policy.sh. Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") Cc: stable@vger.kernel.org (linux-5.0) Signed-off-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima_policy.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e0cc323f948f..0f6fe53cef09 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_entry *entries, int count,
list_add_tail(&entry->list, &ima_policy_rules);
}
- if (entries[i].action == APPRAISE)
+ if (entries[i].action == APPRAISE) {
temp_ima_appraise |= ima_appraise_flag(entries[i].func);
- if (entries[i].func == POLICY_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_POLICY;
+ if (entries[i].func == POLICY_CHECK)
+ temp_ima_appraise |= IMA_APPRAISE_POLICY;
+ }
}
}