diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-02-25 08:42:36 +0400 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2013-02-25 19:46:38 +0400 |
commit | a2c2c3a71c25627e4840795b3c269918d0e71b28 (patch) | |
tree | f643772b0087e7bf5a9801ed07580ee8d5ce93c9 /security/integrity | |
parent | ab7826595e9ec51a51f622c5fc91e2f59440481a (diff) | |
download | linux-a2c2c3a71c25627e4840795b3c269918d0e71b28.tar.xz |
ima: "remove enforce checking duplication" merge fix
Commit "750943a ima: remove enforce checking duplication" combined
the 'in IMA policy' and 'enforcing file integrity' checks. For
the non-file, kernel module verification, a specific check for
'enforcing file integrity' was not added. This patch adds the
check.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/ima/ima_main.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 5127afcc4b89..5b14a0946d6e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -284,7 +284,8 @@ int ima_module_check(struct file *file) { if (!file) { #ifndef CONFIG_MODULE_SIG_FORCE - if (ima_appraise & IMA_APPRAISE_MODULES) + if ((ima_appraise & IMA_APPRAISE_MODULES) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) return -EACCES; /* INTEGRITY_UNKNOWN */ #endif return 0; /* We rely on module signature checking */ |