summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2013-02-24 23:42:36 -0500
committerJames Morris <james.l.morris@oracle.com>2013-02-26 02:46:38 +1100
commita2c2c3a71c25627e4840795b3c269918d0e71b28 (patch)
treef643772b0087e7bf5a9801ed07580ee8d5ce93c9
parentab7826595e9ec51a51f622c5fc91e2f59440481a (diff)
downloadlwn-a2c2c3a71c25627e4840795b3c269918d0e71b28.tar.gz
lwn-a2c2c3a71c25627e4840795b3c269918d0e71b28.zip
ima: "remove enforce checking duplication" merge fix
Commit "750943a ima: remove enforce checking duplication" combined the 'in IMA policy' and 'enforcing file integrity' checks. For the non-file, kernel module verification, a specific check for 'enforcing file integrity' was not added. This patch adds the check. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
-rw-r--r--security/integrity/ima/ima_main.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5127afcc4b89..5b14a0946d6e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -284,7 +284,8 @@ int ima_module_check(struct file *file)
{
if (!file) {
#ifndef CONFIG_MODULE_SIG_FORCE
- if (ima_appraise & IMA_APPRAISE_MODULES)
+ if ((ima_appraise & IMA_APPRAISE_MODULES) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE))
return -EACCES; /* INTEGRITY_UNKNOWN */
#endif
return 0; /* We rely on module signature checking */