Re: [PATCH 5/5] ima: Remove unused build_ima_appraise variable

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Roberto, Krzysztof,

On Wed, 2020-03-25 at 17:14 +0100, Roberto Sassu wrote:
> From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
> 
> After adding the new add_rule() function in commit c52657d93b05
> ("ima: refactor ima_init_policy()"), all appraisal flags are added to the
> temp_ima_appraise variable. Remove build_ima_appraise that is not set
> anymore.
> 
> Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
> ---
>  security/integrity/ima/ima_policy.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index ea9b991f0232..fcc26bddd7fc 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -48,7 +48,6 @@
>  
>  int ima_policy_flag;
>  static int temp_ima_appraise;
> -static int build_ima_appraise __ro_after_init;
>  
>  #define MAX_LSM_RULES 6
>  enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
> @@ -606,7 +605,7 @@ void ima_update_policy_flag(void)
>  			ima_policy_flag |= entry->action;
>  	}
>  
> -	ima_appraise |= (build_ima_appraise | temp_ima_appraise);
> +	ima_appraise |= temp_ima_appraise;

You're correct that build_ima_appraise isn't being used any longer,
but ima_appraise isn't defined as __ro_after_init.  Instead of
removing build_ima_appraise, does it make sense to set it?

Mimi

>  	if (!ima_appraise)
>  		ima_policy_flag &= ~IMA_APPRAISE;
>  }