summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorPetr Vorel <pvorel@suse.cz>2018-04-20 15:28:57 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2018-05-17 13:47:17 +0200
commitffb122de9a60bd789422fd9caa4d8363acf1e851 (patch)
tree570885ea5e46c5e574ef949135aad858eccba8e0 /security
parentdh key: get rid of stack allocated array for zeroes (diff)
downloadlinux-ffb122de9a60bd789422fd9caa4d8363acf1e851.tar.xz
linux-ffb122de9a60bd789422fd9caa4d8363acf1e851.zip
ima: Reflect correct permissions for policy
Kernel configured as CONFIG_IMA_READ_POLICY=y && CONFIG_IMA_WRITE_POLICY=n keeps 0600 mode after loading policy. Remove write permission to state that policy file no longer be written. Signed-off-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_fs.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index fa540c0469da..c1265127d1b6 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -434,6 +434,8 @@ static int ima_release_policy(struct inode *inode, struct file *file)
ima_policy = NULL;
#elif defined(CONFIG_IMA_WRITE_POLICY)
clear_bit(IMA_FS_BUSY, &ima_fs_flags);
+#elif defined(CONFIG_IMA_READ_POLICY)
+ inode->i_mode &= ~S_IWUSR;
#endif
return 0;
}