IMA: handle comments in policy

IMA policy load parser will reject any policies with a comment. This patch will allow the parser to just ignore lines which start with a #. This is not very robust. # can ONLY be used at the very beginning of a line. Inline comments are not allowed. Signed-off-by: Eric Paris Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2010-04-20 10:21:24 -0400
committer: James Morris <jmorris@namei.org> 2010-04-20 19:58:16 -0400
commit: 7233e3ee22b1506723411fe437bcf69f678e8cdd (patch)
tree: 3d84d037890a9918ed02b89fde875fd6e6cd3b10
parent: 28ef4002ec7b4be27f1110b83e255df8159c786a (diff)
1 files changed, 14 insertions, 7 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 1bc9e31ae250..babc5009756d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -445,19 +445,26 @@ ssize_t ima_parse_add_rule(char *rule)
        p = strsep(&rule, "\n");
        len = strlen(p) + 1;
+        if (*p == '#') {
+                kfree(entry);
+                return len;
+        }
        result = ima_parse_rule(p, entry);
-        if (!result) {
+        if (result) {
-                result = len;
-                mutex_lock(&ima_measure_mutex);
-                list_add_tail(&entry->list, &measure_policy_rules);
-                mutex_unlock(&ima_measure_mutex);
-        } else {
                kfree(entry);
                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
                                    NULL, op, "invalid policy", result,
                                    audit_info);
+                return result;
        }
-        return result;
+        mutex_lock(&ima_measure_mutex);
+        list_add_tail(&entry->list, &measure_policy_rules);
+        mutex_unlock(&ima_measure_mutex);
+        return len;
 }
 /* ima_delete_rules called to cleanup invalid policy */
author	Eric Paris <eparis@redhat.com>	2010-04-20 10:21:24 -0400
committer	James Morris <jmorris@namei.org>	2010-04-20 19:58:16 -0400
commit	7233e3ee22b1506723411fe437bcf69f678e8cdd (patch)
tree	3d84d037890a9918ed02b89fde875fd6e6cd3b10
parent	28ef4002ec7b4be27f1110b83e255df8159c786a (diff)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 1bc9e31ae250..babc5009756d 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -445,19 +445,26 @@ ssize_t ima_parse_add_rule(char *rule)
445		445
446	p = strsep(&rule, "\n");	446	p = strsep(&rule, "\n");
447	len = strlen(p) + 1;	447	len = strlen(p) + 1;
		448
		449	if (*p == '#') {
		450	kfree(entry);
		451	return len;
		452	}
		453
448	result = ima_parse_rule(p, entry);	454	result = ima_parse_rule(p, entry);
449	if (!result) {	455	if (result) {
450	result = len;
451	mutex_lock(&ima_measure_mutex);
452	list_add_tail(&entry->list, &measure_policy_rules);
453	mutex_unlock(&ima_measure_mutex);
454	} else {
455	kfree(entry);	456	kfree(entry);
456	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,	457	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
457	NULL, op, "invalid policy", result,	458	NULL, op, "invalid policy", result,
458	audit_info);	459	audit_info);
		460	return result;
459	}	461	}
460	return result;	462
		463	mutex_lock(&ima_measure_mutex);
		464	list_add_tail(&entry->list, &measure_policy_rules);
		465	mutex_unlock(&ima_measure_mutex);
		466
		467	return len;
461	}	468	}
462		469
463	/* ima_delete_rules called to cleanup invalid policy */	470	/* ima_delete_rules called to cleanup invalid policy */