On Wed, 2019-05-15 at 00:08 +0200, Petr Vorel wrote:
> Kernel booted just with ima_policy=tcb (not with
> ima_policy=appraise_tcb) shouldn't require signed policy.
>
> Regression found with LTP test ima_policy.sh.
>
> Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
>
> Signed-off-by: Petr Vorel <pvorel@xxxxxxx>
> ---
> Hi,
>
> assuming behavior prior c52657d93b05 was correct.
> BTW I admit that using global variable inside helper function is nasty.
>
> Kind regards,
> Petr
>
> security/integrity/ima/ima_policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e0cc323f948f..df0e6a1b063b 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count,
> }
> if (entries[i].action == APPRAISE)
> temp_ima_appraise |= ima_appraise_flag(entries[i].func);
> - if (entries[i].func == POLICY_CHECK)
> + if (ima_use_appraise_tcb && entries[i].func == POLICY_CHECK)
> temp_ima_appraise |= IMA_APPRAISE_POLICY;
Instead of also testing "ima_use_appraise_tcb", try including the
POLICY_CHECK as part of the APPRAISE condition.
thanks!
Mimi
> }
> }
