From: Petr Vorel <pvo...@suse.cz>
commit f40019475bbbe9b455e7fd4385fcf13896c492ca upstream.
Kernel booted just with ima_policy=tcb (not with
ima_policy=appraise_tcb) shouldn't require signed policy.
Regression found with LTP test ima_policy.sh.
Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
Cc: sta...@vger.kernel.org (linux-5.0)
Signed-off-by: Petr Vorel <pvo...@suse.cz>
Signed-off-by: Mimi Zohar <zo...@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
security/integrity/ima/ima_policy.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_en
list_add_tail(&entry->list, &ima_policy_rules);
}
- if (entries[i].action == APPRAISE)
+ if (entries[i].action == APPRAISE) {
temp_ima_appraise |= ima_appraise_flag(entries[i].func);
- if (entries[i].func == POLICY_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_POLICY;
+ if (entries[i].func == POLICY_CHECK)
+ temp_ima_appraise |= IMA_APPRAISE_POLICY;
+ }
}
}
