| Message ID | 20190514220845.408-1-pvorel@suse.cz (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: fix wrong signed policy requirement when not appraising | expand |
On Wed, 2019-05-15 at 00:08 +0200, Petr Vorel wrote: > Kernel booted just with ima_policy=tcb (not with > ima_policy=appraise_tcb) shouldn't require signed policy. > > Regression found with LTP test ima_policy.sh. > > Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") > > Signed-off-by: Petr Vorel <pvorel@suse.cz> > --- > Hi, > > assuming behavior prior c52657d93b05 was correct. > BTW I admit that using global variable inside helper function is nasty. > > Kind regards, > Petr > > security/integrity/ima/ima_policy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index e0cc323f948f..df0e6a1b063b 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count, > } > if (entries[i].action == APPRAISE) > temp_ima_appraise |= ima_appraise_flag(entries[i].func); > - if (entries[i].func == POLICY_CHECK) > + if (ima_use_appraise_tcb && entries[i].func == POLICY_CHECK) > temp_ima_appraise |= IMA_APPRAISE_POLICY; Instead of also testing "ima_use_appraise_tcb", try including the POLICY_CHECK as part of the APPRAISE condition. thanks! Mimi > } > }
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e0cc323f948f..df0e6a1b063b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count, } if (entries[i].action == APPRAISE) temp_ima_appraise |= ima_appraise_flag(entries[i].func); - if (entries[i].func == POLICY_CHECK) + if (ima_use_appraise_tcb && entries[i].func == POLICY_CHECK) temp_ima_appraise |= IMA_APPRAISE_POLICY; } }
Kernel booted just with ima_policy=tcb (not with ima_policy=appraise_tcb) shouldn't require signed policy. Regression found with LTP test ima_policy.sh. Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") Signed-off-by: Petr Vorel <pvorel@suse.cz> --- Hi, assuming behavior prior c52657d93b05 was correct. BTW I admit that using global variable inside helper function is nasty. Kind regards, Petr security/integrity/ima/ima_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)