From: Petr Vorel Date: Fri, 20 Apr 2018 13:28:57 +0000 (+0200) Subject: ima: Reflect correct permissions for policy X-Git-Tag: v4.19~858^2~14 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ffb122de9a60bd789422fd9caa4d8363acf1e851;p=platform%2Fkernel%2Flinux-rpi.git ima: Reflect correct permissions for policy Kernel configured as CONFIG_IMA_READ_POLICY=y && CONFIG_IMA_WRITE_POLICY=n keeps 0600 mode after loading policy. Remove write permission to state that policy file no longer be written. Signed-off-by: Petr Vorel Signed-off-by: Mimi Zohar --- diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index fa540c0..c126512 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -434,6 +434,8 @@ static int ima_release_policy(struct inode *inode, struct file *file) ima_policy = NULL; #elif defined(CONFIG_IMA_WRITE_POLICY) clear_bit(IMA_FS_BUSY, &ima_fs_flags); +#elif defined(CONFIG_IMA_READ_POLICY) + inode->i_mode &= ~S_IWUSR; #endif return 0; }
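Review bot: The `inode->i_mode &= ~S_IWUSR;` line in the new `#elif defined(CONFIG_IMA_READ_POLICY)` branch needs a comment stating that it only changes the mode the policy file reports, because mode bits alone do not stop a writer holding CAP_DAC_OVERRIDE. The comment should also name the check that actually refuses a second policy write, which is not visible in this hunk. The branch follows `#elif defined(CONFIG_IMA_WRITE_POLICY)`, so it is compiled only when CONFIG_IMA_WRITE_POLICY is unset. That matches the configuration in the commit message, but stating it in the comment would save the next reader from working through the preprocessor chain.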