ima: "remove enforce checking duplication" merge fix

Commit "750943a ima: remove enforce checking duplication" combined
the 'in IMA policy' and 'enforcing file integrity' checks.  For
the non-file, kernel module verification, a specific check for
'enforcing file integrity' was not added.  This patch adds the
check.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5127afc..5b14a09 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -284,7 +284,8 @@ int ima_module_check(struct file *file)
 {
        if (!file) {
 #ifndef CONFIG_MODULE_SIG_FORCE
-               if (ima_appraise & IMA_APPRAISE_MODULES)
+               if ((ima_appraise & IMA_APPRAISE_MODULES) &&
+                   (ima_appraise & IMA_APPRAISE_ENFORCE))
                        return -EACCES; /* INTEGRITY_UNKNOWN */
 #endif
                return 0;       /* We rely on module signature checking */