authorMimi Zohar <zohar@linux.vnet.ibm.com>2017-06-27 23:10:39 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2017-11-08 23:16:36 +0300
commit2068626d1345f23fd2b926d834d4f74b37cd7134 (patch)
treeef05b137a8c28a25f7b262214ff60a3d418e43ea /security
parent46cdc6d533c925c7477feea7caa404466bac7ac8 (diff)
ima: don't remove the securityfs policy file
The securityfs policy file is removed unless additional rules can be appended to the IMA policy (CONFIG_IMA_WRITE_POLICY), regardless of whether the policy is configured so that it can be displayed. This patch changes this behavior, removing the securityfs policy file only if CONFIG_IMA_READ_POLICY is also not enabled.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_fs.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index ad491c51e833..4d50b982b453 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -429,10 +429,10 @@ static int ima_release_policy(struct inode *inode, struct file *file)
}
ima_update_policy();
-#ifndef CONFIG_IMA_WRITE_POLICY
+#if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
securityfs_remove(ima_policy);
ima_policy = NULL;
-#else
+#elif defined(CONFIG_IMA_WRITE_POLICY)
clear_bit(IMA_FS_BUSY, &ima_fs_flags);
#endif
return 0;
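Review bot: When CONFIG_IMA_READ_POLICY is set and CONFIG_IMA_WRITE_POLICY is not, neither branch of the new `#if`/`#elif` is compiled, so the policy file stays and `IMA_FS_BUSY` is never cleared, and nothing in the hunk says this is intended. If the open path (outside this hunk) uses that bit to refuse a second writer, the stale bit is presumably the only thing keeping the policy write-once in that configuration, which is worth confirming against `ima_open_policy`. I would make the invariant explicit with a comment above the `#if`, for example `/* READ_POLICY without WRITE_POLICY: keep the file for display; IMA_FS_BUSY stays set so the policy cannot be written again */`. It is also worth checking whether the securityfs entry still advertises owner write permission after the policy is loaded, since the file mode is set where the entry is created and not here. The body of `ima_release_policy` starts above the hunk, so the earlier error paths are not visible.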