author | Linus Torvalds <torvalds@linux-foundation.org> | 2021-05-01 15:32:18 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2021-05-01 15:32:18 -0700 |
commit | e6f0bf09f0669b3c2cd77fa906830123279a0a21 (patch) | |
tree | 57aed6ff25d40e31f129b934403c7fac7a8cc8c8 /security/integrity/ima/ima_main.c | |
parent | 10a3efd0fee5e881b1866cf45950808575cb0f24 (diff) | |
parent | 781a5739489949fd0f32432a9da17f7ddbccf1cc (diff) | |
Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull IMA updates from Mimi Zohar:
"In addition to loading the kernel module signing key onto the builtin
keyring, load it onto the IMA keyring as well.
Also six trivial changes and bug fixes"
* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
ima: Fix fall-through warnings for Clang
integrity: Add declarations to init_once void arguments.
ima: Fix function name error in comment.
ima: enable loading of build time generated key on .ima keyring
ima: enable signing of modules with build time generated key
keys: cleanup build time module signing keys
ima: Fix the error code for restoring the PCR value
ima: without an IMA policy loaded, return quickly
Diffstat (limited to 'security/integrity/ima/ima_main.c')
-rw-r--r-- | security/integrity/ima/ima_main.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index b85d9e429426..906c1d8e0b71 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -482,7 +482,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
 }
 
 /**
- * ima_path_check - based on policy, collect/store measurement.
+ * ima_file_check - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured
  * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
  *
@@ -606,6 +606,9 @@ void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
 	struct integrity_iint_cache *iint;
 	int must_appraise;
 
+	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
+		return;
+
 	must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
 					  FILE_CHECK);
 	if (!must_appraise)
@@ -636,6 +639,9 @@ void ima_post_path_mknod(struct user_namespace *mnt_userns,
 	struct inode *inode = dentry->d_inode;
 	int must_appraise;
 
+	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
+		return;
+
 	must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
 					  FILE_CHECK);
 	if (!must_appraise)
@@ -780,6 +786,7 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
 			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
 			return -EACCES; /* INTEGRITY_UNKNOWN */
 		}
+		break;
 	default:
 		break;
 	}
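Review bot: The early return added to ima_post_create_tmpfile (hunk at line 606) and repeated in ima_post_path_mknod (hunk at line 639) tests `ima_policy_flag` before the existing `ima_must_appraise()` call, so it presumably relies on ima_must_appraise() returning 0 whenever no policy is loaded — an invariant that is not visible in either hunk and that a future change to ima_must_appraise() could silently break. A short comment above the check, such as `/* Fast path: no policy loaded or not a regular file - nothing to appraise, so skip the policy walk. */`, would record why bypassing the call is safe. The identical two-line predicate now lives in both functions; a `static inline bool` helper shared by the two callers would keep the conditions from drifting apart if another term is added later. Both enclosing functions begin and end outside the hunks.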