Kernel booted just with ima_policy=tcb (not with
ima_policy=appraise_tcb) shouldn't require signed policy.
Regression found with LTP test ima_policy.sh.
Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
Signed-off-by: Petr Vorel <pvorel@xxxxxxx>
---
Hi,
assuming behavior prior c52657d93b05 was correct.
BTW I admit that using global variable inside helper function is nasty.
Kind regards,
Petr
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e0cc323f948f..df0e6a1b063b 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count,
}
if (entries[i].action == APPRAISE)
temp_ima_appraise |= ima_appraise_flag(entries[i].func);
- if (entries[i].func == POLICY_CHECK)
+ if (ima_use_appraise_tcb && entries[i].func == POLICY_CHECK)
temp_ima_appraise |= IMA_APPRAISE_POLICY;
}
}
--
2.16.4
