ima: fix wrong signed policy requirement when not appraising

Kernel booted just with ima_policy=tcb (not with ima_policy=appraise_tcb) shouldn't require signed policy. Regression found with LTP test ima_policy.sh. Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") Cc: stable@vger.kernel.org (linux-5.0) Signed-off-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
author: Petr Vorel <pvorel@suse.cz> 2019-05-15 08:18:07 +0200
committer: Mimi Zohar <zohar@linux.ibm.com> 2019-05-19 20:27:12 -0400
commit: f40019475bbbe9b455e7fd4385fcf13896c492ca (patch)
tree: e1ef8d96b511c5f9a8a94b53ee2290b4d5834c89 /security
parent: 558b523d46289f111d53d7c42211069063be5985 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e0cc323f948f..0f6fe53cef09 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_entry *entries, int count,
 
 			list_add_tail(&entry->list, &ima_policy_rules);
 		}
-		if (entries[i].action == APPRAISE)
+		if (entries[i].action == APPRAISE) {
 			temp_ima_appraise |= ima_appraise_flag(entries[i].func);
-		if (entries[i].func == POLICY_CHECK)
-			temp_ima_appraise |= IMA_APPRAISE_POLICY;
+			if (entries[i].func == POLICY_CHECK)
+				temp_ima_appraise |= IMA_APPRAISE_POLICY;
+		}
 	}
 }
author	Petr Vorel <pvorel@suse.cz>	2019-05-15 08:18:07 +0200
committer	Mimi Zohar <zohar@linux.ibm.com>	2019-05-19 20:27:12 -0400
commit	f40019475bbbe9b455e7fd4385fcf13896c492ca (patch)
tree	e1ef8d96b511c5f9a8a94b53ee2290b4d5834c89 /security
parent	558b523d46289f111d53d7c42211069063be5985 (diff)