Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ima: initialize the "template" field with the default template

IMA policy rules are walked sequentially. Depending on the ordering of
the policy rules, the "template" field might be defined in one rule, but
will be replaced by subsequent, applicable rules, even if the rule does
not explicitly define the "template" field.

This patch initializes the "template" once and only replaces the
"template" when explicitly defined.

Fixes: 19453ce0bcfb ("IMA: support for per policy rule template formats")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

+4 -2
security/integrity/ima/ima_policy.c
··· 491 491 struct ima_rule_entry *entry; 492 492 int action = 0, actmask = flags | (flags << 1); 493 493 494 + if (template_desc) 495 + *template_desc = ima_template_desc_current(); 496 + 494 497 rcu_read_lock(); 495 498 list_for_each_entry_rcu(entry, ima_rules, list) { 496 499 ··· 513 510 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 514 511 } 515 512 513 + 516 514 if (entry->action & IMA_DO_MASK) 517 515 actmask &= ~(entry->action | entry->action << 1); 518 516 else ··· 524 520 525 521 if (template_desc && entry->template) 526 522 *template_desc = entry->template; 527 - else if (template_desc) 528 - *template_desc = ima_template_desc_current(); 529 523 530 524 if (!actmask) 531 525 break;
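Review bot: the new `if (template_desc) *template_desc = ima_template_desc_current();` placed before `rcu_read_lock()` now sets the output unconditionally, including when no rule matches and `action` stays 0; previously a walk with no matching rule left `*template_desc` untouched. That looks like the right default, but the commit message only describes the multi-rule ordering case, so it would help to state that callers always receive the default template on a no-match and to confirm that no caller relied on its own pre-set value surviving the call.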
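Review bot: the second hunk only inserts an empty line (`513 +`) ahead of `if (entry->action & IMA_DO_MASK)`, an unrelated whitespace change in a patch that carries a Fixes: tag; dropping it keeps the change down to the two-line behavioural fix and makes the stable backport cleaner.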
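Review bot: removing `else if (template_desc) *template_desc = ima_template_desc_current();` gives the intended "only replace when explicitly defined" semantics, but the walk still continues past a matching rule until `actmask` is cleared (`if (!actmask) break;`), so when several matching rules each name a template the last one encountered wins. A sentence in the commit message (or the policy documentation) spelling out that precedence would help administrators who order their rules by it.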