From 0f34a0060aebf202010b3f8fef348653a2df2346 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Wed, 24 Sep 2014 11:05:10 +0300 Subject: ima: check ima_policy_flag in the ima_file_free() hook This patch completes the switching to the 'ima_policy_flag' variable in the checks at the beginning of IMA functions, starting with the commit a756024e. Checking 'iint_initialized' is completely unnecessary, because S_IMA flag is unset if iint was not allocated. At the same time the integrity cache is allocated with SLAB_PANIC and the kernel will panic if the allocation fails during kernel initialization. So on a running system iint_initialized is always true and can be removed. Changes in v3: * not limiting test to IMA_APPRAISE (spotted by Roberto Sassu) Changes in v2: * 'iint_initialized' removal patch merged to this patch (requested by Mimi) Signed-off-by: Dmitry Kasatkin Acked-by: Roberto Sassu --- security/integrity/ima/ima_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/integrity/ima/ima_main.c') diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 62f59ec..72faf0b 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -143,7 +143,7 @@ void ima_file_free(struct file *file) struct inode *inode = file_inode(file); struct integrity_iint_cache *iint; - if (!iint_initialized || !S_ISREG(inode->i_mode)) + if (!ima_policy_flag || !S_ISREG(inode->i_mode)) return; iint = integrity_iint_find(inode); -- cgit v1.1