Diffstat (limited to 'src')
-rw-r--r--src/core/cgroup.c11
-rw-r--r--src/core/ima-setup.c22
2 files changed, 25 insertions, 8 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index bd6248406f..6dab6e9043 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -293,8 +293,11 @@ static int whitelist_device(const char *path, const char *node, const char *acc)
assert(acc);
if (stat(node, &st) < 0) {
- log_warning("Couldn't stat device %s", node);
- return -errno;
+ /* path starting with "-" must be silently ignored */
+ if (errno == ENOENT && startswith(node, "-"))
+ return 0;
+
+ return log_warning_errno(errno, "Couldn't stat device %s: %m", node);
}
if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
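Review bot: The "-" prefix is never removed before the stat() on the line above the added check, so a node spelled `-/run/systemd/inaccessible/chr` (as the device table in cgroup_context_apply now writes it in the next hunk) is stat()ed literally, fails with ENOENT, and is then silently skipped instead of being whitelisted; the new behaviour is effectively a no-op and the silent return hides that from the operator. The prefix should be consumed before stat() runs, the "may legitimately be missing" intent kept in a local flag, and the warning should name the stripped path. whitelist_device's body starts before this hunk (the locals and earlier asserts are outside it), so the flag declaration belongs with them; once the prefix is handled here the second hunk needs no further change.
```c
static int whitelist_device(const char *path, const char *node, const char *acc) {
        /* … unchanged: locals and asserts … */
        bool ignore_notfound = false;

        /* A leading "-" marks a node that is allowed to be absent; strip it before stat() */
        if (node[0] == '-') {
                node++;
                ignore_notfound = true;
        }

        if (stat(node, &st) < 0) {
                if (errno == ENOENT && ignore_notfound)
                        return 0;

                return log_warning_errno(errno, "Couldn't stat device %s: %m", node);
        }
        /* … unchanged: S_ISCHR/S_ISBLK check and the rest of the function … */
```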
@@ -914,8 +917,8 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) {
"/dev/tty\0" "rwm\0"
"/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */
/* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
- "/run/systemd/inaccessible/chr\0" "rwm\0"
- "/run/systemd/inaccessible/blk\0" "rwm\0";
+ "-/run/systemd/inaccessible/chr\0" "rwm\0"
+ "-/run/systemd/inaccessible/blk\0" "rwm\0";
const char *x, *y;
diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
index d1b0ce76ef..94ae429f46 100644
--- a/src/core/ima-setup.c
+++ b/src/core/ima-setup.c
@@ -44,6 +44,22 @@ int ima_setup(void) {
return 0;
}
+ if (access(IMA_SECFS_POLICY, W_OK) < 0) {
+ log_warning("Another IMA custom policy has already been loaded, ignoring.");
+ return 0;
+ }
+
+ imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
+ if (imafd < 0) {
+ log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
+ return 0;
+ }
+
+ /* attempt to write the name of the policy file into sysfs file */
+ if (write(imafd, IMA_POLICY_PATH, strlen(IMA_POLICY_PATH)) > 0)
+ goto done;
+
+ /* fall back to copying the policy line-by-line */
input = fopen(IMA_POLICY_PATH, "re");
if (!input) {
log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
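Review bot: The failure of the pathname write at `write(imafd, IMA_POLICY_PATH, strlen(IMA_POLICY_PATH))` is discarded without any log, so an operator cannot tell whether the kernel lacks path-based policy loading or rejected the policy itself before the code silently falls back to copying it line by line. I would record the reason at debug level right after the write, before the fallback comment: `log_debug_errno(errno, "Failed to write the policy path to "IMA_SECFS_POLICY", falling back to copying the policy line-by-line: %m");`. The `> 0` test also accepts a short write as success; comparing against `(ssize_t) strlen(IMA_POLICY_PATH)` makes the intent explicit. If `imafd` is not declared with a `_cleanup_close_` attribute (its declaration is outside the hunk), the `return 0` on the fopen failure path that continues into the next hunk leaks the descriptor opened here.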
@@ -51,10 +67,7 @@ int ima_setup(void) {
return 0;
}
- if (access(IMA_SECFS_POLICY, F_OK) < 0) {
- log_warning("Another IMA custom policy has already been loaded, ignoring.");
- return 0;
- }
+ close(imafd);
imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
if (imafd < 0) {
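Review bot: The added `close(imafd);` immediately followed by a fresh `open()` of the same securityfs file carries no comment saying why the descriptor from the failed pathname write cannot simply be reused, and a later reader is likely to "simplify" it away. Presumably the kernel treats the rejected write as a failed policy update that is only discarded when the file is released, which would make the reopen essential; that should be confirmed and stated above the close, e.g. `/* The rejected path write leaves the kernel-side policy update in an error state that is only cleared on close; reopen before streaming the policy lines. */`. The return value of close() is ignored, which is acceptable for a write-only securityfs descriptor but worth a word in the same comment.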
@@ -74,6 +87,7 @@ int ima_setup(void) {
lineno);
}
+done:
log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
#endif /* HAVE_IMA */
return 0;