On Wed, 2019-05-15 at 00:08 +0200, Petr Vorel wrote: > Kernel booted just with ima_policy=tcb (not with > ima_policy=appraise_tcb) shouldn't require signed policy. > > Regression found with LTP test ima_policy.sh. > > Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") > > Signed-off-by: Petr Vorel <pvorel@xxxxxxx> > --- > Hi, > > assuming behavior prior c52657d93b05 was correct. > BTW I admit that using global variable inside helper function is nasty. > > Kind regards, > Petr > > security/integrity/ima/ima_policy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index e0cc323f948f..df0e6a1b063b 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count, > } > if (entries[i].action == APPRAISE) > temp_ima_appraise |= ima_appraise_flag(entries[i].func); > - if (entries[i].func == POLICY_CHECK) > + if (ima_use_appraise_tcb && entries[i].func == POLICY_CHECK) > temp_ima_appraise |= IMA_APPRAISE_POLICY; Instead of also testing "ima_use_appraise_tcb", try including the POLICY_CHECK as part of the APPRAISE condition. thanks! Mimi > } > }