From 7233e3ee22b1506723411fe437bcf69f678e8cdd Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 20 Apr 2010 10:21:24 -0400
Subject: [PATCH] IMA: handle comments in policy
IMA policy load parser will reject any policies with a comment. This patch will allow the parser to just ignore lines which start with a #. This is not very robust. # can ONLY be used at the very beginning of a line. Inline comments are not allowed.
Signed-off-by: Eric Paris
Acked-by: Mimi Zohar
Signed-off-by: James Morris
---
 security/integrity/ima/ima_policy.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 1bc9e31ae250..babc5009756d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -445,19 +445,26 @@ ssize_t ima_parse_add_rule(char *rule)
 p = strsep(&rule, "\n");
 len = strlen(p) + 1;
+
+ if (*p == '#') {
+ kfree(entry);
+ return len;
+ }
+
 result = ima_parse_rule(p, entry);
- if (!result) {
- result = len;
- mutex_lock(&ima_measure_mutex);
- list_add_tail(&entry->list, &measure_policy_rules);
- mutex_unlock(&ima_measure_mutex);
- } else {
+ if (result) {
 kfree(entry);
 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, op, "invalid policy", result, audit_info);
+ return result;
 }
- return result;
+
+ mutex_lock(&ima_measure_mutex);
+ list_add_tail(&entry->list, &measure_policy_rules);
+ mutex_unlock(&ima_measure_mutex);
+
+ return len;
 }
 /* ima_delete_rules called to cleanup invalid policy */
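Review bot: The new check `if (*p == '#')` recognises a comment only when the `#` is in the first column, so a comment line with leading whitespace, or an empty line, still reaches ima_parse_rule and is either rejected with an "invalid policy" audit record and a negative result for the whole write, or (for an empty line, depending on how ima_parse_rule treats a rule with no tokens, which is not visible here) possibly accepted as a rule with nothing in it. Since strsep has already NUL-terminated `p`, tolerating both cases is two lines: `p += strspn(p, " \t");` before the check and `if (*p == '#' || *p == '\0') { kfree(entry); return len; }` in place of it. The `entry` freed on the early-return path is allocated above the hunk, outside what is shown; placing the comment check before that allocation would avoid a kmalloc/kfree pair per comment line, though that requires touching code outside the hunk. A short comment on the check, `/* comment lines start with '#' in column 0; inline comments are not supported */`, would record in the code the limitation the commit message describes.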