ima: initialize the "template" field with the default template
author Mimi Zohar <zohar@linux.ibm.com>
Fri, 19 Jul 2019 11:16:57 +0000 (07:16 -0400)
committer Mimi Zohar <zohar@linux.ibm.com>
Thu, 1 Aug 2019 12:25:36 +0000 (08:25 -0400)
IMA policy rules are walked sequentially.  Depending on the ordering of
the policy rules, the "template" field might be defined in one rule, but
will be replaced by subsequent, applicable rules, even if the rule does
not explicitly define the "template" field.

This patch initializes the "template" once and only replaces the
"template", when explicitly defined.

Fixes: 19453ce0bcfb ("IMA: support for per policy rule template formats")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity/ima/ima_policy.c

index 6df7f641ff66658e7793185a51c04862e7100728..36a0727f1d7af6c1b4561e8613a089c1fd1e7eca 100644 (file)
@@ -491,6 +491,9 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
        struct ima_rule_entry *entry;
        int action = 0, actmask = flags | (flags << 1);
 
+       if (template_desc)
+               *template_desc = ima_template_desc_current();
+
        rcu_read_lock();
        list_for_each_entry_rcu(entry, ima_rules, list) {
 
@@ -510,6 +513,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
                                action |= IMA_FAIL_UNVERIFIABLE_SIGS;
                }
 
+
                if (entry->action & IMA_DO_MASK)
                        actmask &= ~(entry->action | entry->action << 1);
                else
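Review bot: the added `+` line in this hunk is a bare blank line that is unrelated to the fix and leaves two consecutive empty lines after the closing `}`; drop it to keep the patch limited to the template handling and avoid whitespace churn.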
@@ -520,8 +524,6 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 
                if (template_desc && entry->template)
                        *template_desc = entry->template;
-               else if (template_desc)
-                       *template_desc = ima_template_desc_current();
 
                if (!actmask)
                        break;
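Review bot: removing the `else if (template_desc) *template_desc = ima_template_desc_current();` branch is what actually fixes the overwrite, since a later applicable rule without a `template` field no longer resets the value chosen by an earlier rule; it would help to note in the commit message that callers passing a non-NULL `template_desc` now always get the default template when no rule sets one, so none of them need their own NULL check after this call.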