summaryrefslogtreecommitdiff
path: root/security/integrity/ima/ima_fs.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/integrity/ima/ima_fs.c')
-rw-r--r--security/integrity/ima/ima_fs.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index a6c61b351f36..60d011aaec38 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -325,10 +325,18 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
if (result < 0)
goto out_free;
- if (data[0] == '/')
+ if (data[0] == '/') {
result = ima_read_policy(data);
- else
+ } else if (ima_appraise & IMA_APPRAISE_POLICY) {
+ pr_err("IMA: signed policy file (specified as an absolute pathname) required\n");
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+ "policy_update", "signed policy required",
+ 1, 0);
+ if (ima_appraise & IMA_APPRAISE_ENFORCE)
+ result = -EACCES;
+ } else {
result = ima_parse_add_rule(data);
+ }
mutex_unlock(&ima_write_mutex);
out_free:
kfree(data);
generated by cgit v1.2.3 (git 2.39.0) at 2024-12-19 12:55:23 +0300