mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
ima: Ensure policy exists before asking the kernel to load it (#5777)
e8e42b31c5
added support for having the
kernel load the IMA policy directly, but didn't check that the policy
file exists. If not, this produced a kernel message:
IMA: policy update failed
This commit is contained in:
parent
5bf1386624
commit
a2c74c0ce8
@ -49,6 +49,11 @@ int ima_setup(void) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (access(IMA_POLICY_PATH, F_OK) < 0) {
|
||||
log_debug("No IMA custom policy file "IMA_POLICY_PATH", ignoring.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
|
||||
if (imafd < 0) {
|
||||
log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
|
||||
@ -62,8 +67,7 @@ int ima_setup(void) {
|
||||
/* fall back to copying the policy line-by-line */
|
||||
input = fopen(IMA_POLICY_PATH, "re");
|
||||
if (!input) {
|
||||
log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
|
||||
"Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
|
||||
log_warning_errno(errno, "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user