* [PATCH v2] ima: fix wrong signed policy requirement when not appraising
@ 2019-05-15 6:18 Petr Vorel
0 siblings, 0 replies; only message in thread
From: Petr Vorel @ 2019-05-15 6:18 UTC (permalink / raw)
To: linux-integrity; +Cc: Petr Vorel, Mimi Zohar, Nayna Jain, Mimi Zohar
Kernel booted just with ima_policy=tcb (not with
ima_policy=appraise_tcb) shouldn't require signed policy.
Regression found with LTP test ima_policy.sh.
Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changelog v1->v2:
* Use POLICY_CHECK instead of ima_use_appraise_tcb.
Thanks Mimi for obvious hint :).
Kind regards,
Petr
security/integrity/ima/ima_policy.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e0cc323f948f..0f6fe53cef09 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_entry *entries, int count,
list_add_tail(&entry->list, &ima_policy_rules);
}
- if (entries[i].action == APPRAISE)
+ if (entries[i].action == APPRAISE) {
temp_ima_appraise |= ima_appraise_flag(entries[i].func);
- if (entries[i].func == POLICY_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_POLICY;
+ if (entries[i].func == POLICY_CHECK)
+ temp_ima_appraise |= IMA_APPRAISE_POLICY;
+ }
}
}
--
2.16.4
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2019-05-15 6:18 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-15 6:18 [PATCH v2] ima: fix wrong signed policy requirement when not appraising Petr Vorel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).