Message ID | 20190514220125.31222-1-pvorel@suse.cz (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | ima: fix wrong signed policy requirement when not appraising | expand |
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e0cc323f948f..df0e6a1b063b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count, } if (entries[i].action == APPRAISE) temp_ima_appraise |= ima_appraise_flag(entries[i].func); - if (entries[i].func == POLICY_CHECK) + if (ima_use_appraise_tcb && entries[i].func == POLICY_CHECK) temp_ima_appraise |= IMA_APPRAISE_POLICY; } }
Kernel booted just with ima_policy=tcb (not with ima_policy=appraise_tcb) shouldn't require signed policy. Regression found with LTP test ima_policy.sh. Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") Signed-off-by: Petr Vorel <pvorel@suse.cz> --- Hi, assuming behavior prior c52657d93b05 was correct. BTW I admit that using global variable inside helper function is nasty. Kind regards, Petr security/integrity/ima/ima_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)