| field | value | date |
|---|---|---|
| author | Petr Vorel <pvorel@suse.cz> | 2018-04-20 15:28:57 +0200 |
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2018-05-17 13:47:17 +0200 |
| commit | ffb122de9a60bd789422fd9caa4d8363acf1e851 (patch) | |
| tree | 570885ea5e46c5e574ef949135aad858eccba8e0 /security | |
| parent | dh key: get rid of stack allocated array for zeroes (diff) | |
| download | linux-ffb122de9a60bd789422fd9caa4d8363acf1e851.tar.xz, linux-ffb122de9a60bd789422fd9caa4d8363acf1e851.zip | |
ima: Reflect correct permissions for policy
A kernel configured with CONFIG_IMA_READ_POLICY=y && CONFIG_IMA_WRITE_POLICY=n
keeps the 0600 mode after loading the policy. Remove the write permission to state
that the policy file can no longer be written.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_fs.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index fa540c0469da..c1265127d1b6 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -434,6 +434,8 @@ static int ima_release_policy(struct inode *inode, struct file *file) ima_policy = NULL; #elif defined(CONFIG_IMA_WRITE_POLICY) clear_bit(IMA_FS_BUSY, &ima_fs_flags); +#elif defined(CONFIG_IMA_READ_POLICY) + inode->i_mode &= ~S_IWUSR; #endif return 0; } |
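Review bot: the new `#elif defined(CONFIG_IMA_READ_POLICY)` branch clears S_IWUSR on the inode but, unlike the CONFIG_IMA_WRITE_POLICY branch just above it, does not call `clear_bit(IMA_FS_BUSY, &ima_fs_flags)`; if leaving the busy bit set is intentional (so that any further open for writing is refused even where a permission check might be bypassed), a one-line comment saying so would stop a later reader from "fixing" it by adding the clear_bit. Also, `inode->i_mode &= ~S_IWUSR;` updates i_mode without taking the inode lock, which is the convention elsewhere for mode changes; since this runs from release() with no concurrent writers expected, either take the lock or add a comment explaining why it is safe here. Finally, only the owner write bit is dropped; that matches the 0600 mode described in the commit message, but `inode->i_mode &= ~S_IWUGO;` would make the intent (no writer at all) explicit regardless of how the file was created.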