1 files changed, 23 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 07099a8bc283..cdc620b2152f 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -35,6 +35,8 @@
 #define DONT_APPRAISE   0x0008
 #define AUDIT           0x0040
+int ima_policy_flag;
 #define MAX_LSM_RULES 6
 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
        LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
@@ -295,6 +297,26 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
        return action;
 }
+/*
+ * Initialize the ima_policy_flag variable based on the currently
+ * loaded policy.  Based on this flag, the decision to short circuit
+ * out of a function or not call the function in the first place
+ * can be made earlier.
+ */
+void ima_update_policy_flag(void)
+{
+        struct ima_rule_entry *entry;
+        ima_policy_flag = 0;
+        list_for_each_entry(entry, ima_rules, list) {
+                if (entry->action & IMA_DO_MASK)
+                        ima_policy_flag |= entry->action;
+        }
+        if (!ima_appraise)
+                ima_policy_flag &= ~IMA_APPRAISE;
+}
 /**
 * ima_init_policy - initialize the default measure rules.
 *
@@ -341,6 +363,7 @@ void ima_update_policy(void)
        if (ima_rules == &ima_default_rules) {
                ima_rules = &ima_policy_rules;
+                ima_update_policy_flag();
                cause = "complete";
                result = 0;
        }

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 07099a8bc283..cdc620b2152f 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -35,6 +35,8 @@
35	#define DONT_APPRAISE 0x0008	35	#define DONT_APPRAISE 0x0008
36	#define AUDIT 0x0040	36	#define AUDIT 0x0040
37		37
		38	int ima_policy_flag;
		39
38	#define MAX_LSM_RULES 6	40	#define MAX_LSM_RULES 6
39	enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,	41	enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
40	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE	42	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
@@ -295,6 +297,26 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
295	return action;	297	return action;
296	}	298	}
297		299
		300	/*
		301	* Initialize the ima_policy_flag variable based on the currently
		302	* loaded policy. Based on this flag, the decision to short circuit
		303	* out of a function or not call the function in the first place
		304	* can be made earlier.
		305	*/
		306	void ima_update_policy_flag(void)
		307	{
		308	struct ima_rule_entry *entry;
		309
		310	ima_policy_flag = 0;
		311	list_for_each_entry(entry, ima_rules, list) {
		312	if (entry->action & IMA_DO_MASK)
		313	ima_policy_flag \|= entry->action;
		314	}
		315
		316	if (!ima_appraise)
		317	ima_policy_flag &= ~IMA_APPRAISE;
		318	}
		319
298	/**	320	/**
299	* ima_init_policy - initialize the default measure rules.	321	* ima_init_policy - initialize the default measure rules.
300	*	322	*
@@ -341,6 +363,7 @@ void ima_update_policy(void)
341		363
342	if (ima_rules == &ima_default_rules) {	364	if (ima_rules == &ima_default_rules) {
343	ima_rules = &ima_policy_rules;	365	ima_rules = &ima_policy_rules;
		366	ima_update_policy_flag();
344	cause = "complete";	367	cause = "complete";
345	result = 0;	368	result = 0;
346	}	369	}