From: Mimi Zohar Date: Mon, 25 Feb 2013 04:42:36 +0000 (-0500) Subject: ima: "remove enforce checking duplication" merge fix X-Git-Tag: v4.14-rc1~10274^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a2c2c3a71c25627e4840795b3c269918d0e71b28;p=platform%2Fkernel%2Flinux-rpi.git ima: "remove enforce checking duplication" merge fix Commit "750943a ima: remove enforce checking duplication" combined the 'in IMA policy' and 'enforcing file integrity' checks. For the non-file, kernel module verification, a specific check for 'enforcing file integrity' was not added. This patch adds the check. Signed-off-by: Mimi Zohar Signed-off-by: James Morris --- diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 5127afcc4b89..5b14a0946d6e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -284,7 +284,8 @@ int ima_module_check(struct file *file) { if (!file) { #ifndef CONFIG_MODULE_SIG_FORCE - if (ima_appraise & IMA_APPRAISE_MODULES) + if ((ima_appraise & IMA_APPRAISE_MODULES) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) return -EACCES; /* INTEGRITY_UNKNOWN */ #endif return 0; /* We rely on module signature checking */