ima: extend the "ima_policy" boot command line to support multiple policies

Add support for providing multiple builtin policies on the "ima_policy="
boot command line.  Use "|" as the delimitor separating the policy names.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

1 files changed, 10 insertions, 5 deletions

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 3ab1067db624..0ddc41389a9c 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -170,19 +170,24 @@ static int __init default_measure_policy_setup(char *str)
 }
 __setup("ima_tcb", default_measure_policy_setup);
 
+static bool ima_use_appraise_tcb __initdata;
 static int __init policy_setup(char *str)
 {
-        if (ima_policy)
-                return 1;
+        char *p;
 
-        if (strcmp(str, "tcb") == 0)
-                ima_policy = DEFAULT_TCB;
+        while ((p = strsep(&str, " |\n")) != NULL) {
+                if (*p == ' ')
+                        continue;
+                if ((strcmp(p, "tcb") == 0) && !ima_policy)
+                        ima_policy = DEFAULT_TCB;
+                else if (strcmp(p, "appraise_tcb") == 0)
+                        ima_use_appraise_tcb = 1;
+        }
 
         return 1;
 }
 __setup("ima_policy=", policy_setup);
 
-static bool ima_use_appraise_tcb __initdata;
 static int __init default_appraise_policy_setup(char *str)
 {
         ima_use_appraise_tcb = 1;