Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

IMA: handle comments in policy

IMA policy load parser will reject any policies with a comment. This patch
will allow the parser to just ignore lines which start with a #. This is not
very robust. # can ONLY be used at the very beginning of a line. Inline
comments are not allowed.

Signed-off-by: Eric Paris
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

Authored by Eric Paris and committed by James Morris
Commit 7233e3ee (parent 28ef4002)

+14 -7
security/integrity/ima/ima_policy.c
··· 445 445 446 446 p = strsep(&rule, "\n"); 447 447 len = strlen(p) + 1; 448 + 449 + if (*p == '#') { 450 + kfree(entry); 451 + return len; 452 + } 453 + 448 454 result = ima_parse_rule(p, entry); 449 - if (!result) { 450 - result = len; 451 - mutex_lock(&ima_measure_mutex); 452 - list_add_tail(&entry->list, &measure_policy_rules); 453 - mutex_unlock(&ima_measure_mutex); 454 - } else { 455 + if (result) { 455 456 kfree(entry); 456 457 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 457 458 NULL, op, "invalid policy", result, 458 459 audit_info); 460 + return result; 459 461 } 460 - return result; 462 + 463 + mutex_lock(&ima_measure_mutex); 464 + list_add_tail(&entry->list, &measure_policy_rules); 465 + mutex_unlock(&ima_measure_mutex); 466 + 467 + return len; 461 468 } 462 469 463 470 /* ima_delete_rules called to cleanup invalid policy */
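Review bot: the comment test `if (*p == '#')` only inspects the first byte of the line, so a '#' preceded by spaces or tabs still reaches ima_parse_rule() and is rejected as an invalid rule with an audit message; the commit message says this is deliberate, so at minimum document the "must be column 0" restriction in the policy file documentation, or skip leading whitespace (e.g. with skip_spaces()) before the check so indented comments are also accepted. The restructuring itself is sound: both the comment and the error path free `entry` before returning, and the success path still takes ima_measure_mutex around list_add_tail() and returns `len`, so the caller consumes the line as before.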