diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2017-06-27 16:10:39 -0400 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2017-11-08 15:16:36 -0500 |
commit | 2068626d1345f23fd2b926d834d4f74b37cd7134 (patch) | |
tree | ef05b137a8c28a25f7b262214ff60a3d418e43ea /security/integrity/ima | |
parent | 46cdc6d533c925c7477feea7caa404466bac7ac8 (diff) | |
download | op-kernel-dev-2068626d1345f23fd2b926d834d4f74b37cd7134.zip op-kernel-dev-2068626d1345f23fd2b926d834d4f74b37cd7134.tar.gz |
ima: don't remove the securityfs policy file
The securityfs policy file is removed unless additional rules can be
appended to the IMA policy (CONFIG_IMA_WRITE_POLICY), regardless as
to whether the policy is configured so that it can be displayed.
This patch changes this behavior, removing the securityfs policy file,
only if CONFIG_IMA_READ_POLICY is also not enabled.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima')
-rw-r--r-- | security/integrity/ima/ima_fs.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index ad491c5..4d50b98 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -429,10 +429,10 @@ static int ima_release_policy(struct inode *inode, struct file *file) } ima_update_policy(); -#ifndef CONFIG_IMA_WRITE_POLICY +#if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY) securityfs_remove(ima_policy); ima_policy = NULL; -#else +#elif defined(CONFIG_IMA_WRITE_POLICY) clear_bit(IMA_FS_BUSY, &ima_fs_flags); #endif return 0; |