Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ima: Fix return value of ima_write_policy()

This patch fixes the return value of ima_write_policy() when a new policy
is directly passed to IMA and the current policy requires appraisal of the
file containing the policy. Currently, if appraisal is not in ENFORCE mode,
ima_write_policy() returns 0 and leads user space applications to an
endless loop. Fix this issue by denying the operation regardless of the
appraisal mode.

Cc: stable@vger.kernel.org # 4.10.x
Fixes: 19f8a84713edc ("ima: measure and appraise the IMA policy itself")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by Roberto Sassu and committed by Mimi Zohar
2e3a34e9 53de3b08
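The endless loop the commit message describes is a user-space artifact of write(2) returning 0: a "write everything" loop makes no progress and never reaches its error path. The following is an added example, not kernel code and not part of the commit, that models that loop against two hypothetical stand-ins for ima_write_policy(): one returning the pre-fix value (0 unless appraisal is in enforce mode) and one returning -EACCES unconditionally, as the patch does. The helper names, the iteration cap, and the sample policy rule are constructed for the illustration; only the two return values are taken from the hunk.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not kernel code). The two *_ima_write_policy() functions
 * are hypothetical stand-ins for the kernel's return value when the current
 * policy requires a signed policy file; write_all() is a plain user-space
 * loop of the kind a policy loader runs against the securityfs policy file.
 */

/* Constructed sample rule; the loop only cares about its length. */
static const char SAMPLE_POLICY[] = "measure func=BPRM_CHECK mask=MAY_EXEC\n";

typedef long (*policy_write_fn)(const char *buf, size_t len, int enforce);

/* Before the fix: only enforce mode denies; in fix/log mode the write
 * "succeeds" having consumed 0 bytes, so nothing is parsed. */
static long old_ima_write_policy(const char *buf, size_t len, int enforce)
{
    (void)buf; (void)len;
    return enforce ? -EACCES : 0;
}

/* After the fix: denied regardless of appraisal mode. */
static long fixed_ima_write_policy(const char *buf, size_t len, int enforce)
{
    (void)buf; (void)len; (void)enforce;
    return -EACCES;
}

enum write_status { WRITE_OK = 0, WRITE_ERROR = -1, WRITE_STALLED = -2 };

static int last_errno;          /* what errno would hold after the failing write */

/*
 * Standard "write until everything is consumed" loop. A real loop has no
 * iteration cap; max_iter exists only so a stall is observable here rather
 * than hanging the example.
 */
static int write_all(policy_write_fn w, int enforce, const char *buf,
                     size_t len, unsigned max_iter)
{
    last_errno = 0;
    for (unsigned i = 0; len > 0; i++) {
        if (i >= max_iter)
            return WRITE_STALLED;       /* write kept returning 0 */
        long n = w(buf, len, enforce);
        if (n < 0) {
            last_errno = (int)-n;
            return WRITE_ERROR;         /* caller gives up, as intended */
        }
        buf += n;                       /* n == 0: no progress, loop again */
        len -= (size_t)n;
    }
    return WRITE_OK;
}

/* Drive the loop with the pre-fix kernel behaviour. */
int load_policy_old_kernel(int enforce)
{
    return write_all(old_ima_write_policy, enforce, SAMPLE_POLICY,
                     strlen(SAMPLE_POLICY), 1000);
}

/* Drive the loop with the fixed kernel behaviour. */
int load_policy_fixed_kernel(int enforce)
{
    return write_all(fixed_ima_write_policy, enforce, SAMPLE_POLICY,
                     strlen(SAMPLE_POLICY), 1000);
}

int policy_write_errno(void)
{
    return last_errno;
}

int main(void)
{
    int st;

    st = load_policy_old_kernel(0);
    printf("old kernel, fix/log mode:   status %d (stalled after cap)\n", st);
    st = load_policy_old_kernel(1);
    printf("old kernel, enforce mode:   status %d, errno %d\n", st, policy_write_errno());
    st = load_policy_fixed_kernel(0);
    printf("fixed kernel, fix/log mode: status %d, errno %d\n", st, policy_write_errno());
    return 0;
}
```

The loop is correct by POSIX conventions (handle short writes, stop on a negative return), which is exactly why a 0 return with nothing consumed traps it; returning -EACCES in every appraisal mode lets the caller fail cleanly.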

+1 -2
security/integrity/ima/ima_fs.c
··· 338 338 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, 339 339 "policy_update", "signed policy required", 340 340 1, 0); 341 - if (ima_appraise & IMA_APPRAISE_ENFORCE) 342 - result = -EACCES; 341 + result = -EACCES; 343 342 } else { 344 343 result = ima_parse_add_rule(data); 345 344 }
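Review bot: the removed `if (ima_appraise & IMA_APPRAISE_ENFORCE)` at 341-342 was the only thing that let `result` leave this branch still holding its earlier value in fix/log mode, so with `result = -EACCES;` now unconditional the audit record "signed policy required" emitted at 338-340 and the return value finally agree in every appraisal mode. Worth confirming that nothing else in the surrounding function reassigns `result` after this branch, and since a policy write that previously returned 0 from securityfs now returns EACCES, consider noting the user-visible change alongside the stable backport.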