ima: fix wrong signed policy requirement when not appraising

Kernel booted just with ima_policy=tcb (not with
ima_policy=appraise_tcb) shouldn't require signed policy.

Regression found with LTP test ima_policy.sh.

Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
Cc: stable@vger.kernel.org  (linux-5.0)
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e0cc323f948f465bc2343c3da7a113c0138f045a..0f6fe53cef09879e3a2f11aac6d2a40d95b01503 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_entry *entries, int count,
 
                        list_add_tail(&entry->list, &ima_policy_rules);
                }
-               if (entries[i].action == APPRAISE)
+               if (entries[i].action == APPRAISE) {
                        temp_ima_appraise |= ima_appraise_flag(entries[i].func);
-               if (entries[i].func == POLICY_CHECK)
-                       temp_ima_appraise |= IMA_APPRAISE_POLICY;
+                       if (entries[i].func == POLICY_CHECK)
+                               temp_ima_appraise |= IMA_APPRAISE_POLICY;
+               }
        }
 }