diff options
| -rw-r--r-- | security/integrity/ima/ima_fs.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index ffbe259700b1..3305a9615863 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c | |||
| @@ -15,6 +15,7 @@ | |||
| 15 | * implemenents security file system for reporting | 15 | * implemenents security file system for reporting |
| 16 | * current measurement list and IMA statistics | 16 | * current measurement list and IMA statistics |
| 17 | */ | 17 | */ |
| 18 | #include <linux/fcntl.h> | ||
| 18 | #include <linux/module.h> | 19 | #include <linux/module.h> |
| 19 | #include <linux/seq_file.h> | 20 | #include <linux/seq_file.h> |
| 20 | #include <linux/rculist.h> | 21 | #include <linux/rculist.h> |
| @@ -283,6 +284,9 @@ static atomic_t policy_opencount = ATOMIC_INIT(1); | |||
| 283 | */ | 284 | */ |
| 284 | int ima_open_policy(struct inode * inode, struct file * filp) | 285 | int ima_open_policy(struct inode * inode, struct file * filp) |
| 285 | { | 286 | { |
| 287 | /* No point in being allowed to open it if you aren't going to write */ | ||
| 288 | if (!(filp->f_flags & O_WRONLY)) | ||
| 289 | return -EACCES; | ||
| 286 | if (atomic_dec_and_test(&policy_opencount)) | 290 | if (atomic_dec_and_test(&policy_opencount)) |
| 287 | return 0; | 291 | return 0; |
| 288 | return -EBUSY; | 292 | return -EBUSY; |
| @@ -349,7 +353,7 @@ int ima_fs_init(void) | |||
| 349 | goto out; | 353 | goto out; |
| 350 | 354 | ||
| 351 | ima_policy = securityfs_create_file("policy", | 355 | ima_policy = securityfs_create_file("policy", |
| 352 | S_IRUSR | S_IRGRP | S_IWUSR, | 356 | S_IWUSR, |
| 353 | ima_dir, NULL, | 357 | ima_dir, NULL, |
| 354 | &ima_measure_policy_ops); | 358 | &ima_measure_policy_ops); |
| 355 | if (IS_ERR(ima_policy)) | 359 | if (IS_ERR(ima_policy)) |