1 files changed, 19 insertions, 9 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 03cbba423e59..8bbc18eb07eb 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -440,6 +440,17 @@ void ima_update_policy_flag(void)
                ima_policy_flag &= ~IMA_APPRAISE;
 }
+static int ima_appraise_flag(enum ima_hooks func)
+{
+        if (func == MODULE_CHECK)
+                return IMA_APPRAISE_MODULES;
+        else if (func == FIRMWARE_CHECK)
+                return IMA_APPRAISE_FIRMWARE;
+        else if (func == POLICY_CHECK)
+                return IMA_APPRAISE_POLICY;
+        return 0;
+}
 /**
 * ima_init_policy - initialize the default measure rules.
 *
@@ -478,9 +489,11 @@ void __init ima_init_policy(void)
         * Insert the appraise rules requiring file signatures, prior to
         * any other appraise rules.
         */
-        for (i = 0; i < secure_boot_entries; i++)
+        for (i = 0; i < secure_boot_entries; i++) {
-                list_add_tail(&secure_boot_rules[i].list,
+                list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
-                              &ima_default_rules);
+                temp_ima_appraise |=
+                    ima_appraise_flag(secure_boot_rules[i].func);
+        }
        for (i = 0; i < appraise_entries; i++) {
                list_add_tail(&default_appraise_rules[i].list,
@@ -934,12 +947,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
        }
        if (!result && (entry->action == UNKNOWN))
                result = -EINVAL;
-        else if (entry->func == MODULE_CHECK)
+        else if (entry->action == APPRAISE)
-                temp_ima_appraise |= IMA_APPRAISE_MODULES;
+                temp_ima_appraise |= ima_appraise_flag(entry->func);
-        else if (entry->func == FIRMWARE_CHECK)
-                temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
-        else if (entry->func == POLICY_CHECK)
-                temp_ima_appraise |= IMA_APPRAISE_POLICY;
        audit_log_format(ab, "res=%d", !result);
        audit_log_end(ab);
        return result;

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 03cbba423e59..8bbc18eb07eb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -440,6 +440,17 @@ void ima_update_policy_flag(void)
440	ima_policy_flag &= ~IMA_APPRAISE;	440	ima_policy_flag &= ~IMA_APPRAISE;
441	}	441	}
442		442
		443	static int ima_appraise_flag(enum ima_hooks func)
		444	{
		445	if (func == MODULE_CHECK)
		446	return IMA_APPRAISE_MODULES;
		447	else if (func == FIRMWARE_CHECK)
		448	return IMA_APPRAISE_FIRMWARE;
		449	else if (func == POLICY_CHECK)
		450	return IMA_APPRAISE_POLICY;
		451	return 0;
		452	}
		453
443	/**	454	/**
444	* ima_init_policy - initialize the default measure rules.	455	* ima_init_policy - initialize the default measure rules.
445	*	456	*
@@ -478,9 +489,11 @@ void __init ima_init_policy(void)
478	* Insert the appraise rules requiring file signatures, prior to	489	* Insert the appraise rules requiring file signatures, prior to
479	* any other appraise rules.	490	* any other appraise rules.
480	*/	491	*/
481	for (i = 0; i < secure_boot_entries; i++)	492	for (i = 0; i < secure_boot_entries; i++) {
482	list_add_tail(&secure_boot_rules[i].list,	493	list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
483	&ima_default_rules);	494	temp_ima_appraise \|=
		495	ima_appraise_flag(secure_boot_rules[i].func);
		496	}
484		497
485	for (i = 0; i < appraise_entries; i++) {	498	for (i = 0; i < appraise_entries; i++) {
486	list_add_tail(&default_appraise_rules[i].list,	499	list_add_tail(&default_appraise_rules[i].list,
@@ -934,12 +947,9 @@ static int ima_parse_rule(char rule, struct ima_rule_entry entry)
934	}	947	}
935	if (!result && (entry->action == UNKNOWN))	948	if (!result && (entry->action == UNKNOWN))
936	result = -EINVAL;	949	result = -EINVAL;
937	else if (entry->func == MODULE_CHECK)	950	else if (entry->action == APPRAISE)
938	temp_ima_appraise \|= IMA_APPRAISE_MODULES;	951	temp_ima_appraise \|= ima_appraise_flag(entry->func);
939	else if (entry->func == FIRMWARE_CHECK)	952
940	temp_ima_appraise \|= IMA_APPRAISE_FIRMWARE;
941	else if (entry->func == POLICY_CHECK)
942	temp_ima_appraise \|= IMA_APPRAISE_POLICY;
943	audit_log_format(ab, "res=%d", !result);	953	audit_log_format(ab, "res=%d", !result);
944	audit_log_end(ab);	954	audit_log_end(ab);
945	return result;	955	return result;