ima: fix mprotect checking

Make sure IMA is enabled before checking mprotect change.  Addresses
report of a 3.7% regression of boot-time.dhcp.

Fixes: 8eb613c ("ima: verify mprotect change is consistent with mmap policy")
Reported-by: kernel test robot <[email protected]>
Reviewed-by: Lakshmi Ramasubramanian <[email protected]>
Tested-by: Xing Zhengjun <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>

Author: mimizohar

security/integrity/ima/ima_main.c

@@ -419,7 +419,8 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
 	int pcr;
 
 	/* Is mprotect making an mmap'ed file executable? */
-	if (!vma->vm_file || !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
+	if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
+	    !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
 		return 0;
 
 	security_task_getsecid(current, &secid);