Commit 2068626d authored by Mimi Zohar's avatar Mimi Zohar
Browse files

ima: don't remove the securityfs policy file 



The securityfs policy file is removed unless additional rules can be
appended to the IMA policy (CONFIG_IMA_WRITE_POLICY), regardless as
to whether the policy is configured so that it can be displayed.

This patch changes this behavior, removing the securityfs policy file,
only if CONFIG_IMA_READ_POLICY is also not enabled.

Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent 46cdc6d5

security/integrity/ima/ima_fs.c

+2 −2
Original line number Diff line number Diff line
@@ -429,10 +429,10 @@ static int ima_release_policy(struct inode *inode, struct file *file) 
	}



	ima_update_policy();

#ifndef	CONFIG_IMA_WRITE_POLICY

#if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)

	securityfs_remove(ima_policy);

	ima_policy = NULL;

#else

#elif defined(CONFIG_IMA_WRITE_POLICY)

	clear_bit(IMA_FS_BUSY, &ima_fs_flags);

#endif

	return 0;

CRA Git | Maintained and supported by SUSTech CRA and CCSE