ima: Reflect correct permissions for policy

Kernel configured as CONFIG_IMA_READ_POLICY=y && CONFIG_IMA_WRITE_POLICY=n keeps 0600 mode after loading policy. Remove write permission to state that policy file no longer be written. Signed-off-by: N Petr Vorel <pvorel@suse.cz> Signed-off-by: N Mimi Zohar <zohar@linux.vnet.ibm.com>

ima: Reflect correct permissions for policy
Kernel configured as CONFIG_IMA_READ_POLICY=y && CONFIG_IMA_WRITE_POLICY=n keeps 0600 mode after loading policy. Remove write permission to state that policy file no longer be written. Signed-off-by: N Petr Vorel <pvorel@suse.cz> Signed-off-by: N Mimi Zohar <zohar@linux.vnet.ibm.com>
ffb122de · Petr Vorel · Mimi Zohar · 890e2abe · ffb122de
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

security/integrity/ima/ima_fs.c security/integrity/ima/ima_fs.c +2 -0

未找到文件。
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -434,6 +434,8 @@ static int ima_release_policy(struct inode *inode, struct file *file)
 	ima_policy = NULL;
 #elif defined(CONFIG_IMA_WRITE_POLICY)
 	clear_bit(IMA_FS_BUSY, &ima_fs_flags);
+#elif defined(CONFIG_IMA_READ_POLICY)
+	inode->i_mode &= ~S_IWUSR;
 #endif
 	return 0;
 }