ima: "remove enforce checking duplication" merge fix

Commit "750943a ima: remove enforce checking duplication" combined the 'in IMA policy' and 'enforcing file integrity' checks. For the non-file, kernel module verification, a specific check for 'enforcing file integrity' was not added. This patch adds the check. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2013-02-24 23:42:36 -0500
committer: James Morris <james.l.morris@oracle.com> 2013-02-26 02:46:38 +1100
commit: a2c2c3a71c25627e4840795b3c269918d0e71b28 (patch)
tree: f643772b0087e7bf5a9801ed07580ee8d5ce93c9 /security
parent: ab7826595e9ec51a51f622c5fc91e2f59440481a (diff)
download: linux-a2c2c3a71c25627e4840795b3c269918d0e71b28.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5127afcc4b89..5b14a0946d6e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -284,7 +284,8 @@ int ima_module_check(struct file *file)
 {
 	if (!file) {
 #ifndef CONFIG_MODULE_SIG_FORCE
-		if (ima_appraise & IMA_APPRAISE_MODULES)
+		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
+		    (ima_appraise & IMA_APPRAISE_ENFORCE))
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
 #endif
 		return 0;	/* We rely on module signature checking */
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2013-02-24 23:42:36 -0500
committer	James Morris <james.l.morris@oracle.com>	2013-02-26 02:46:38 +1100
commit	a2c2c3a71c25627e4840795b3c269918d0e71b28 (patch)
tree	f643772b0087e7bf5a9801ed07580ee8d5ce93c9 /security
parent	ab7826595e9ec51a51f622c5fc91e2f59440481a (diff)
download	linux-a2c2c3a71c25627e4840795b3c269918d0e71b28.tar.gz