ima: don't remove the securityfs policy file
The securityfs policy file is removed unless additional rules can be appended to the IMA policy (CONFIG_IMA_WRITE_POLICY), regardless of whether the policy is configured so that it can be displayed. This patch changes this behavior, removing the securityfs policy file only if CONFIG_IMA_READ_POLICY is also not enabled. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
parent
46cdc6d533
commit
2068626d13
|
@ -429,10 +429,10 @@ static int ima_release_policy(struct inode *inode, struct file *file)
|
||||||
}
|
}
|
||||||
|
|
||||||
ima_update_policy();
|
ima_update_policy();
|
||||||
#ifndef CONFIG_IMA_WRITE_POLICY
|
#if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
|
||||||
securityfs_remove(ima_policy);
|
securityfs_remove(ima_policy);
|
||||||
ima_policy = NULL;
|
ima_policy = NULL;
|
||||||
#else
|
#elif defined(CONFIG_IMA_WRITE_POLICY)
|
||||||
clear_bit(IMA_FS_BUSY, &ima_fs_flags);
|
clear_bit(IMA_FS_BUSY, &ima_fs_flags);
|
||||||
#endif
|
#endif
|
||||||
return 0;
|
return 0;
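Review bot: With CONFIG_IMA_READ_POLICY set and CONFIG_IMA_WRITE_POLICY unset, neither branch of the new `#if`/`#elif` is compiled, so the policy file now stays in securityfs and IMA_FS_BUSY is never cleared after the first policy load. That leftover flag is presumably what makes later write opens fail (the open handler is outside this hunk), but nothing here says so, and the file's mode would still show it as writable. I would make the write-once intent explicit with a third branch, `#elif defined(CONFIG_IMA_READ_POLICY)` followed by `inode->i_mode &= ~S_IWUSR;`, or at least a comment such as `/* read-only config: IMA_FS_BUSY stays set so the loaded policy cannot be replaced */`. The body of ima_release_policy starts above the hunk and its closing brace is below it.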
|
||||||
|
|