On Wed, 2019-12-04 at 14:41 -0800, Lakshmi Ramasubramanian wrote:
> Return immediately from process_buffer_measurement()
> if the IMA policy flag is set to zero. Not doing this
> can result in kernel panic when process_buffer_measurement()
> is called before IMA is initialized (for instance, when
> the IMA hook is called when a key is added to
> the .builtin_trusted_keys keyring).
>
> This change adds the check in process_buffer_measurement()
> to return immediately if ima_policy_flag is set to zero.

Patch descriptions aren't supposed to be written as pseudo code. Start
with the current status and problem description. For example,
"process_buffer_measurement() may be called prior to IMA being
initialized, which would result in a kernel panic. This patch ..."

Mimi

>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>
> ---
> security/integrity/ima/ima_main.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index d7e987baf127..9b35db2fc777 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -655,6 +655,9 @@ void process_buffer_measurement(const void *buf, int size,
> int action = 0;
> u32 secid;
>
> + if (!ima_policy_flag)
> + return;
> +
> /*
> * Both LSM hooks and auxilary based buffer measurements are
> * based on policy. To avoid code duplication, differentiate
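Review bot: The new early return at the top of process_buffer_measurement() drops the buffer silently, and nothing at the `if (!ima_policy_flag)` check says that a zero flag is being used to mean "IMA is not initialized yet". Please add a short comment above the check stating that, and say in the description what happens to the data passed in during that window: per the commit message, a key added to .builtin_trusted_keys before IMA is initialized reaches this function, and with this change it returns without a measurement being taken. If those early keys are meant to be measured later by some other path, the description should name it; if they are intentionally left unmeasured, that should be stated so the gap in the measurement list is a documented decision.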