ima: Ensure policy exists before asking the kernel to load it (#5777)

e8e42b31c5 added support for having the
kernel load the IMA policy directly, but didn't check that the policy
file exists. If it did not, this produced a kernel message:

    IMA: policy update failed
This commit is contained in:
Benjamin Gilbert 2017-04-21 01:53:40 -07:00 committed by Lennart Poettering
parent 5bf1386624
commit a2c74c0ce8


@ -49,6 +49,11 @@ int ima_setup(void) {
return 0;
}
if (access(IMA_POLICY_PATH, F_OK) < 0) {
log_debug("No IMA custom policy file "IMA_POLICY_PATH", ignoring.");
return 0;
}
imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
if (imafd < 0) {
log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
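Review bot: The new access() guard treats every failure as "file absent" and logs "No IMA custom policy file" at debug, so an EACCES, ELOOP or ENAMETOOLONG on IMA_POLICY_PATH is silently skipped with a message that misstates the cause, and the second hunk's fopen() fallback is downgraded to a plain warning on the assumption that only a present file reaches it. Distinguish the ENOENT case before returning: keep the existing log_debug() for `errno == ENOENT` and otherwise emit `log_warning_errno(errno, "Failed to check for the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");`. Note also that the existence check and the later open()/fopen() of the same path are separate operations, so a file removed in between will now surface as a warning rather than a debug line; that is acceptable but worth a one-line comment above the check. ima_setup() begins above this hunk.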
@ -62,8 +67,7 @@ int ima_setup(void) {
/* fall back to copying the policy line-by-line */
input = fopen(IMA_POLICY_PATH, "re");
if (!input) {
log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
"Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
log_warning_errno(errno, "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
return 0;
}