From: Mimi Zohar Date: Mon, 7 Dec 2015 19:35:47 +0000 (-0500) Subject: ima: update appraise flags after policy update completes X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=6ad6afa14610c1fed3303c719b1f8f86f19f1fd3;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git ima: update appraise flags after policy update completes While creating a temporary list of new rules, the ima_appraise flag is updated, but not reverted on failure to append the new rules to the existing policy. This patch defines temp_ima_appraise flag. Only when the new rules are appended to the policy is the flag updated. Signed-off-by: Mimi Zohar Acked-by: Petko Manolov --- diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 2f4e0f5f31e2..ba5d2fc61394 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -40,6 +40,7 @@ #define AUDIT 0x0040 int ima_policy_flag; +static int temp_ima_appraise; #define MAX_LSM_RULES 6 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, @@ -370,6 +371,7 @@ void ima_update_policy_flag(void) ima_policy_flag |= entry->action; } + ima_appraise |= temp_ima_appraise; if (!ima_appraise) ima_policy_flag &= ~IMA_APPRAISE; } @@ -757,9 +759,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) if (!result && (entry->action == UNKNOWN)) result = -EINVAL; else if (entry->func == MODULE_CHECK) - ima_appraise |= IMA_APPRAISE_MODULES; + temp_ima_appraise |= IMA_APPRAISE_MODULES; else if (entry->func == FIRMWARE_CHECK) - ima_appraise |= IMA_APPRAISE_FIRMWARE; + temp_ima_appraise |= IMA_APPRAISE_FIRMWARE; audit_log_format(ab, "res=%d", !result); audit_log_end(ab); return result; @@ -821,6 +823,7 @@ void ima_delete_rules(void) struct ima_rule_entry *entry, *tmp; int i; + temp_ima_appraise = 0; list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { for (i = 0; i < MAX_LSM_RULES; i++) kfree(entry->lsm[i].args_p);