Fixes for 5.7
authorSasha Levin <sashal@kernel.org>
Fri, 19 Jun 2020 04:11:07 +0000 (00:11 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 19 Jun 2020 04:11:07 +0000 (00:11 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.7/ima-remove-redundant-policy-rule-set-in-add_rules.patch [new file with mode: 0644]
queue-5.7/ima-set-again-build_ima_appraise-variable.patch [new file with mode: 0644]
queue-5.7/series

diff --git a/queue-5.7/ima-remove-redundant-policy-rule-set-in-add_rules.patch b/queue-5.7/ima-remove-redundant-policy-rule-set-in-add_rules.patch
new file mode 100644 (file)
index 0000000..58de827
--- /dev/null
@@ -0,0 +1,40 @@
+From 553d5822ea3e1447a23d7e832c51607cc6ff5af5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:28:58 +0200
+Subject: ima: Remove redundant policy rule set in add_rules()
+
+From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+
+[ Upstream commit 6ee28442a465ab4c4be45e3b15015af24b1ba906 ]
+
+Function ima_appraise_flag() returns the flag to be set in
+temp_ima_appraise depending on the hook identifier passed as an argument.
+It is not necessary to set the flag again for the POLICY_CHECK hook.
+
+Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_policy.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index 1c78cbbd27d8..7414443c19bf 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -643,11 +643,8 @@ static void add_rules(struct ima_rule_entry *entries, int count,
+                       list_add_tail(&entry->list, &ima_policy_rules);
+               }
+-              if (entries[i].action == APPRAISE) {
++              if (entries[i].action == APPRAISE)
+                       temp_ima_appraise |= ima_appraise_flag(entries[i].func);
+-                      if (entries[i].func == POLICY_CHECK)
+-                              temp_ima_appraise |= IMA_APPRAISE_POLICY;
+-              }
+       }
+ }
+-- 
+2.25.1
+
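Review bot: The dropped POLICY_CHECK special case is only a no-op if the 5.7 tree's ima_appraise_flag() already maps POLICY_CHECK to IMA_APPRAISE_POLICY; the commit message asserts this for upstream, but the hunk does not show that helper, so the backport should be checked against the 5.7 version of ima_appraise_flag() before it is queued. If that mapping is what makes the removal safe, a one-line comment on the surviving branch would keep the next reader from re-adding the flag: `/* ima_appraise_flag() already yields IMA_APPRAISE_POLICY for POLICY_CHECK */`. The following queued patch rewrites this same block, so the two must stay in series order. add_rules() begins before the hunk.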
diff --git a/queue-5.7/ima-set-again-build_ima_appraise-variable.patch b/queue-5.7/ima-set-again-build_ima_appraise-variable.patch
new file mode 100644 (file)
index 0000000..99627b7
--- /dev/null
@@ -0,0 +1,54 @@
+From 0aa33cae67e47c5b8724abde312a38672155fffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:28:59 +0200
+Subject: ima: Set again build_ima_appraise variable
+
+From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+
+[ Upstream commit b59fda449cf07f2db3be3a67142e6c000f5e8d79 ]
+
+After adding the new add_rule() function in commit c52657d93b05
+("ima: refactor ima_init_policy()"), all appraisal flags are added to the
+temp_ima_appraise variable. Revert to the previous behavior instead of
+removing build_ima_appraise, to benefit from the protection offered by
+__ro_after_init.
+
+The mentioned commit introduced a bug, as it makes all the flags
+modifiable, while build_ima_appraise flags can be protected with
+__ro_after_init.
+
+Cc: stable@vger.kernel.org # 5.0.x
+Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
+Co-developed-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_policy.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index 7414443c19bf..e493063a3c34 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -643,8 +643,14 @@ static void add_rules(struct ima_rule_entry *entries, int count,
+                       list_add_tail(&entry->list, &ima_policy_rules);
+               }
+-              if (entries[i].action == APPRAISE)
+-                      temp_ima_appraise |= ima_appraise_flag(entries[i].func);
++              if (entries[i].action == APPRAISE) {
++                      if (entries != build_appraise_rules)
++                              temp_ima_appraise |=
++                                      ima_appraise_flag(entries[i].func);
++                      else
++                              build_ima_appraise |=
++                                      ima_appraise_flag(entries[i].func);
++              }
+       }
+ }
+-- 
+2.25.1
+
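Review bot: The new else branch writes build_ima_appraise, which the description says is __ro_after_init, so this path is only valid while the kernel is still initialising; nothing in the hunk prevents a later caller from passing build_appraise_rules to add_rules() and faulting on the write. The selection also depends on pointer identity (`entries != build_appraise_rules`), which presumably holds only for the call from ima_init_policy() that passes the array itself, not a pointer into it, so a comment stating that contract would help: `/* build_ima_appraise is __ro_after_init: only the init-time call with build_appraise_rules itself may reach the else branch */`. add_rules() begins before the hunk; its closing brace is visible at the end.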
index 29dbdd721f560918de076d115a5d55c8494d0380..ad5a3aeddff17e2fef8be340fa62fc23e5aa5ad9 100644 (file)
@@ -287,3 +287,5 @@ pci-avoid-flr-for-amd-starship-usb-3.0.patch
 pci-add-acs-quirk-for-intel-root-complex-integrated-.patch
 serial-8250_pci-move-pericom-ids-to-pci_ids.h.patch
 x86-amd_nb-add-amd-family-17h-model-60h-pci-ids.patch
+ima-remove-redundant-policy-rule-set-in-add_rules.patch
+ima-set-again-build_ima_appraise-variable.patch