Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem fixes from James Morris:
 "From Mimi:

    Both of these patches are bug fixes for patches, which were
    upstreamed in this open window.  The first patch addresses a merge
    issue.  The second patch addresses a CONFIG_BLOCK dependency."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  block: fix part_pack_uuid() build error
  ima: "remove enforce checking duplication" merge fix

3 files changed, 18 insertions, 6 deletions

diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index 79b8bba19363..9f3c275e053e 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -231,6 +231,12 @@ static inline void part_pack_uuid(const u8 *uuid_str, u8 *to)
         }
 }
 
+static inline int blk_part_pack_uuid(const u8 *uuid_str, u8 *to)
+{
+        part_pack_uuid(uuid_str, to);
+        return 0;
+}
+
 static inline int disk_max_parts(struct gendisk *disk)
 {
         if (disk->flags & GENHD_FL_EXT_DEVT)
@@ -718,6 +724,10 @@ static inline dev_t blk_lookup_devt(const char *name, int partno)
         return devt;
 }
 
+static inline int blk_part_pack_uuid(const u8 *uuid_str, u8 *to)
+{
+        return -EINVAL;
+}
 #endif /* CONFIG_BLOCK */
 
 #endif /* _LINUX_GENHD_H */
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5127afcc4b89..5b14a0946d6e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -284,7 +284,8 @@ int ima_module_check(struct file *file)
 {
         if (!file) {
 #ifndef CONFIG_MODULE_SIG_FORCE
-                if (ima_appraise & IMA_APPRAISE_MODULES)
+                if ((ima_appraise & IMA_APPRAISE_MODULES) &&
+                    (ima_appraise & IMA_APPRAISE_ENFORCE))
                         return -EACCES; /* INTEGRITY_UNKNOWN */
 #endif
                 return 0;       /* We rely on module signature checking */
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index b27535a13a79..399433ad614e 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -176,7 +176,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
             && rule->fsmagic != inode->i_sb->s_magic)
                 return false;
         if ((rule->flags & IMA_FSUUID) &&
-                memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid)))
+            memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid)))
                 return false;
         if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
                 return false;
@@ -530,14 +530,15 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                         ima_log_string(ab, "fsuuid", args[0].from);
 
                         if (memchr_inv(entry->fsuuid, 0x00,
-                            sizeof(entry->fsuuid))) {
+                                       sizeof(entry->fsuuid))) {
                                 result = -EINVAL;
                                 break;
                         }
 
-                        part_pack_uuid(args[0].from, entry->fsuuid);
-                        entry->flags |= IMA_FSUUID;
-                        result = 0;
+                        result = blk_part_pack_uuid(args[0].from,
+                                                    entry->fsuuid);
+                        if (!result)
+                                entry->flags |= IMA_FSUUID;
                         break;
                 case Opt_uid:
                         ima_log_string(ab, "uid", args[0].from);