hulk inclusion
category: feature
feature: digest-lists
---------------------------
The meta_immutable requirement is necessary only for executables to ensure that the correct label is applied to the new process.
For other hooks, the imasig requirement is sufficient as it ensures data provenance and wouldn't allow access to data that can be modified locally in the system.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/ima/ima_policy.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 94ba751a8191..fa5ce0de932b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -551,9 +551,6 @@ void __init ima_init_policy(void) * signatures, prior to any other appraise rules. */ for (i = 0; i < secure_boot_entries; i++) { - if (ima_use_appraise_exec_immutable) - secure_boot_rules[i].flags |= - IMA_META_IMMUTABLE_REQUIRED; list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); temp_ima_appraise |= ima_appraise_flag(secure_boot_rules[i].func); @@ -594,7 +591,8 @@ void __init ima_init_policy(void) }
for (i = 0; i < appraise_exec_entries; i++) { - if (ima_use_appraise_exec_immutable) + if (ima_use_appraise_exec_immutable && + appraise_exec_rules[i].func == BPRM_CHECK) appraise_exec_rules[i].flags |= IMA_META_IMMUTABLE_REQUIRED; list_add_tail(&appraise_exec_rules[i].list,
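Review bot: the first hunk (the secure_boot_rules loop in ima_init_policy) drops IMA_META_IMMUTABLE_REQUIRED from every secure boot rule unconditionally, while the second hunk keeps the flag for appraise_exec_rules entries whose func is BPRM_CHECK; if the rule being applied is "meta_immutable only for executables", the secure_boot loop should use the same condition (`secure_boot_rules[i].func == BPRM_CHECK`) rather than removing the three lines outright, or the commit message should say explicitly that no secure_boot_rules entry is a BPRM_CHECK rule so the flag was never needed there. Either way the commit message currently only discusses executables versus other hooks and does not mention that the secure boot rules change at all; that should be added.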
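Review bot: the second hunk (the appraise_exec_rules loop) justifies no longer setting IMA_META_IMMUTABLE_REQUIRED on non-BPRM_CHECK entries by the imasig requirement being sufficient, but nothing in the hunk shows those entries carrying an imasig requirement in their flags; please confirm, and state in the commit message, that every appraise_exec_rules entry with a func other than BPRM_CHECK already requires appraise_type=imasig, since otherwise dropping the flag leaves those rules appraising data that can be modified locally, which is exactly what the message says must not be allowed. Note also that in this copy the hunk is cut off after `list_add_tail(&appraise_exec_rules[i].list,`, so the closing context of the loop cannot be checked here.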