IMA: handle comments in policy

IMA policy load parser will reject any policies with a comment.  This patch
will allow the parser to just ignore lines which start with a #.  This is not
very robust.  # can ONLY be used at the very beginning of a line.  Inline
comments are not allowed.

Signed-off-by: Eric Paris
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 14 insertions, 7 deletions

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 1bc9e31ae250..babc5009756d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -445,19 +445,26 @@ ssize_t ima_parse_add_rule(char *rule)
 
         p = strsep(&rule, "\n");
         len = strlen(p) + 1;
+
+        if (*p == '#') {
+                kfree(entry);
+                return len;
+        }
+
         result = ima_parse_rule(p, entry);
-        if (!result) {
-                result = len;
-                mutex_lock(&ima_measure_mutex);
-                list_add_tail(&entry->list, &measure_policy_rules);
-                mutex_unlock(&ima_measure_mutex);
-        } else {
+        if (result) {
                 kfree(entry);
                 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
                                     NULL, op, "invalid policy", result,
                                     audit_info);
+                return result;
         }
-        return result;
+
+        mutex_lock(&ima_measure_mutex);
+        list_add_tail(&entry->list, &measure_policy_rules);
+        mutex_unlock(&ima_measure_mutex);
+
+        return len;
 }
 
 /* ima_delete_rules called to cleanup invalid policy */