Commit b36f281f authored by Mimi Zohar's avatar Mimi Zohar

ima: initialize the "template" field with the default template

IMA policy rules are walked sequentially.  Depending on the ordering of
the policy rules, the "template" field might be defined in one rule, but
will be replaced by subsequent, applicable rules, even if the rule does
not explicitly define the "template" field.

This patch initializes the "template" once and only replaces it when a
rule explicitly defines the "template" field.

Fixes: 19453ce0 ("IMA: support for per policy rule template formats")
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 609488bc
...@@ -491,6 +491,9 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, ...@@ -491,6 +491,9 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
struct ima_rule_entry *entry; struct ima_rule_entry *entry;
int action = 0, actmask = flags | (flags << 1); int action = 0, actmask = flags | (flags << 1);
if (template_desc)
*template_desc = ima_template_desc_current();
rcu_read_lock(); rcu_read_lock();
list_for_each_entry_rcu(entry, ima_rules, list) { list_for_each_entry_rcu(entry, ima_rules, list) {
...@@ -510,6 +513,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, ...@@ -510,6 +513,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
action |= IMA_FAIL_UNVERIFIABLE_SIGS; action |= IMA_FAIL_UNVERIFIABLE_SIGS;
} }
if (entry->action & IMA_DO_MASK) if (entry->action & IMA_DO_MASK)
actmask &= ~(entry->action | entry->action << 1); actmask &= ~(entry->action | entry->action << 1);
else else
...@@ -520,8 +524,6 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, ...@@ -520,8 +524,6 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
if (template_desc && entry->template) if (template_desc && entry->template)
*template_desc = entry->template; *template_desc = entry->template;
else if (template_desc)
*template_desc = ima_template_desc_current();
if (!actmask) if (!actmask)
break; break;
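Review bot: The default written before the loop makes the template "sticky": once a matching rule sets `*template_desc = entry->template`, a later matching rule with no template no longer resets it, so the last matching rule that names a template wins. That is what the commit message intends, but nothing at the `if (template_desc && entry->template)` site says so, and the kernel-doc of ima_match_policy (the function starts before the first hunk, so I cannot see it) presumably still describes the old per-rule reset; I would add `/* Keep the last explicitly configured template; a later matching rule without one does not reset it to the default. */` above that `if`. Because the template decides which fields end up in the measurement list, a caller that relied on an unmatched policy leaving `*template_desc` untouched would now see the default written unconditionally — that reads as a safe tightening, but the callers are not on this page and should be checked. Finally, `ima_template_desc_current()` is now evaluated on every call even when no rule matches; if it is cheap this is fine, otherwise it could be deferred to the first match.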