Commit 2068626d authored by Mimi Zohar's avatar Mimi Zohar

ima: don't remove the securityfs policy file

The securityfs policy file is removed unless additional rules can be
appended to the IMA policy (CONFIG_IMA_WRITE_POLICY), regardless as
to whether the policy is configured so that it can be displayed.

This patch changes this behavior, removing the securityfs policy file,
only if CONFIG_IMA_READ_POLICY is also not enabled.
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent 46cdc6d5
...@@ -429,10 +429,10 @@ static int ima_release_policy(struct inode *inode, struct file *file) ...@@ -429,10 +429,10 @@ static int ima_release_policy(struct inode *inode, struct file *file)
} }
ima_update_policy(); ima_update_policy();
#ifndef CONFIG_IMA_WRITE_POLICY #if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
securityfs_remove(ima_policy); securityfs_remove(ima_policy);
ima_policy = NULL; ima_policy = NULL;
#else #elif defined(CONFIG_IMA_WRITE_POLICY)
clear_bit(IMA_FS_BUSY, &ima_fs_flags); clear_bit(IMA_FS_BUSY, &ima_fs_flags);
#endif #endif
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment