ima: delay template descriptor lookup until use

process_measurement() always calls ima_template_desc_current(),
including when an IMA policy has not been defined.

This patch delays template descriptor lookup until action is
determined.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index cf1c3696c72e056733a7c559d13544449a40fb24..f474c608fa1194ebde04e21f2bdabc5be64c5d4a 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -159,7 +159,7 @@ static int process_measurement(struct file *file, const char *filename,
 {
        struct inode *inode = file_inode(file);
        struct integrity_iint_cache *iint;
-       struct ima_template_desc *template_desc = ima_template_desc_current();
+       struct ima_template_desc *template_desc;
        char *pathbuf = NULL;
        const char *pathname = NULL;
        int rc = -ENOMEM, action, must_appraise, _func;
@@ -203,6 +203,7 @@ static int process_measurement(struct file *file, const char *filename,
                goto out_digsig;
        }
 
+       template_desc = ima_template_desc_current();
        if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
                if (action & IMA_APPRAISE_SUBMASK)
                        xattr_ptr = &xattr_value;