ima: fix mprotect checking

Make sure IMA is enabled before checking mprotect change. Addresses report of a 3.7% regression of boot-time.dhcp. Fixes: 8eb613c ("ima: verify mprotect change is consistent with mmap policy") Reported-by: kernel test robot <[email protected]> Reviewed-by: Lakshmi Ramasubramanian <[email protected]> Tested-by: Xing Zhengjun <[email protected]> Signed-off-by: Mimi Zohar <[email protected]>
kawasaki · Jun 12, 2020 · 4235b1a · 4235b1a
1 parent 42413b4
commit 4235b1a
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
@@ -419,7 +419,8 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
 	int pcr;
 
 	/* Is mprotect making an mmap'ed file executable? */
-	if (!vma->vm_file || !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
+	if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
+	    !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
 		return 0;
 
 	security_task_getsecid(current, &secid);