IMA: handle comments in policy

IMA policy load parser will reject any policies with a comment. This patch will allow the parser to just ignore lines which start with a #. This is not very robust. # can ONLY be used at the very beginning of a line. Inline comments are not allowed. Signed-off-by: Eric Paris Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>

IMA: handle comments in policy
IMA policy load parser will reject any policies with a comment. This patch will allow the parser to just ignore lines which start with a #. This is not very robust. # can ONLY be used at the very beginning of a line. Inline comments are not allowed. Signed-off-by: Eric Paris Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
7233e3ee · Eric Paris · James Morris · 28ef4002 · 7233e3ee
Commit 7233e3ee authored Apr 20, 2010 by Eric Paris Committed by James Morris Apr 21, 2010
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 7 deletions

security/integrity/ima/ima_policy.c security/integrity/ima/ima_policy.c +14 -7

No files found.
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -445,19 +445,26 @@ ssize_t ima_parse_add_rule(char *rule)
 	p = strsep(&rule, "\n");
 	len = strlen(p) + 1;
+	if (*p == '#') {
+		kfree(entry);
+		return len;
+	}
 	result = ima_parse_rule(p, entry);
-	if (!result) {
+	if (result) {
-		result = len;
-		mutex_lock(&ima_measure_mutex);
-		list_add_tail(&entry->list, &measure_policy_rules);
-		mutex_unlock(&ima_measure_mutex);
-	} else {
 		kfree(entry);
 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
 				    NULL, op, "invalid policy", result,
 				    audit_info);
-	}
 		return result;
+	}
+	mutex_lock(&ima_measure_mutex);
+	list_add_tail(&entry->list, &measure_policy_rules);
+	mutex_unlock(&ima_measure_mutex);
+	return len;
 }
 /* ima_delete_rules called to cleanup invalid policy */