ima: fix wrong signed policy requirement when not appraising

commit f40019475bbbe9b455e7fd4385fcf13896c492ca upstream. Kernel booted just with ima_policy=tcb (not with ima_policy=appraise_tcb) shouldn't require signed policy. Regression found with LTP test ima_policy.sh. Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") Cc: stable@vger.kernel.org (linux-5.0) Signed-off-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Petr Vorel <pvorel@suse.cz> 2019-05-15 08:18:07 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-06-09 09:16:14 +0200
commit: 407eb63f2aa4f1f9b0962df530f3aeec401d6e3e (patch)
tree: bbf4243484b6c9f83f422cd91418ca5f5e756ee4
parent: c59e2a64128e30a16394b2fa09b7470c2e2f6f68 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e0cc323f948f..0f6fe53cef09 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_entry *entries, int count,
 
 			list_add_tail(&entry->list, &ima_policy_rules);
 		}
-		if (entries[i].action == APPRAISE)
+		if (entries[i].action == APPRAISE) {
 			temp_ima_appraise |= ima_appraise_flag(entries[i].func);
-		if (entries[i].func == POLICY_CHECK)
-			temp_ima_appraise |= IMA_APPRAISE_POLICY;
+			if (entries[i].func == POLICY_CHECK)
+				temp_ima_appraise |= IMA_APPRAISE_POLICY;
+		}
 	}
 }
author	Petr Vorel <pvorel@suse.cz>	2019-05-15 08:18:07 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-06-09 09:16:14 +0200
commit	407eb63f2aa4f1f9b0962df530f3aeec401d6e3e (patch)
tree	bbf4243484b6c9f83f422cd91418ca5f5e756ee4
parent	c59e2a64128e30a16394b2fa09b7470c2e2f6f68 (diff)