author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-12-07 20:35:47 +0100 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-12-15 16:01:43 +0100 |
commit | 6ad6afa14610c1fed3303c719b1f8f86f19f1fd3 (patch) | |
tree | 93a14e6217adbcb1232d50927c2f3c09eef9a242 /security/integrity | |
parent | IMA: prevent keys on the .ima_blacklist from being removed (diff) | |
ima: update appraise flags after policy update completes
While creating a temporary list of new rules, the ima_appraise flag is
updated, but not reverted on failure to append the new rules to the
existing policy. This patch defines a temp_ima_appraise flag; ima_appraise is
updated only once the new rules have been appended to the policy.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Petko Manolov <petkan@mip-labs.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/ima/ima_policy.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 2f4e0f5f31e2..ba5d2fc61394 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -40,6 +40,7 @@
 #define AUDIT 0x0040
 int ima_policy_flag;
+static int temp_ima_appraise;
 #define MAX_LSM_RULES 6
 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -370,6 +371,7 @@ void ima_update_policy_flag(void)
 ima_policy_flag |= entry->action;
 }
+ ima_appraise |= temp_ima_appraise;
 if (!ima_appraise)
 ima_policy_flag &= ~IMA_APPRAISE;
 }
@@ -757,9 +759,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 if (!result && (entry->action == UNKNOWN))
 result = -EINVAL;
 else if (entry->func == MODULE_CHECK)
- ima_appraise |= IMA_APPRAISE_MODULES;
+ temp_ima_appraise |= IMA_APPRAISE_MODULES;
 else if (entry->func == FIRMWARE_CHECK)
- ima_appraise |= IMA_APPRAISE_FIRMWARE;
+ temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
 audit_log_format(ab, "res=%d", !result);
 audit_log_end(ab);
 return result;
@@ -821,6 +823,7 @@ void ima_delete_rules(void)
 struct ima_rule_entry *entry, *tmp;
 int i;
+ temp_ima_appraise = 0;
 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
 for (i = 0; i < MAX_LSM_RULES; i++)
 kfree(entry->lsm[i].args_p); |
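Review bot: The new file-scope `static int temp_ima_appraise;` in the first hunk carries no comment, and its lifetime (filled while rules are parsed into ima_temp_rules, folded into ima_appraise only when the update commits, discarded on a failed update) is exactly the subtlety the commit message exists to explain. A one-line comment above the declaration would keep that contract next to the variable, e.g. `/* IMA_APPRAISE_* bits collected while parsing ima_temp_rules; merged into ima_appraise by ima_update_policy_flag(), cleared by ima_delete_rules() */`.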
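Review bot: In the second hunk `ima_appraise |= temp_ima_appraise;` merges the pending bits but never clears them on this success path; as far as this diff shows, only ima_delete_rules (the failure path, fourth hunk) resets temp_ima_appraise, so the bits stay set across every later policy update. That is harmless only because ima_appraise itself only ever accumulates bits, but it makes a variable named "temp" effectively permanent and would silently re-raise the flags if a future change ever tried to clear ima_appraise. Consider `temp_ima_appraise = 0;` immediately after the merge, or a comment stating that the bits are intentionally sticky. The body of ima_update_policy_flag begins outside the hunk.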
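Review bot: In the third hunk the two new lines raise IMA_APPRAISE_MODULES / IMA_APPRAISE_FIRMWARE from `entry->func` alone, so a rule whose action is measure, audit or dont_appraise for func=MODULE_CHECK or FIRMWARE_CHECK still turns on the corresponding appraise bit once the policy commits. This predates the commit, but the rewrite is the natural place to tighten it, since a policy author who only wanted to measure modules would otherwise end up enforcing module appraisal. A guard on the action would do, e.g. `else if (entry->action == APPRAISE && entry->func == MODULE_CHECK)` and the same for FIRMWARE_CHECK. ima_parse_rule's body begins outside the hunk, so whether `result` already reflects an action/func mismatch cannot be seen here.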