IMA: handle comments in policy

IMA policy load parser will reject any policies with a comment.  This patch
will allow the parser to just ignore lines which start with a #.  This is not
very robust.  # can ONLY be used at the very beginning of a line.  Inline
comments are not allowed.

Signed-off-by: Eric Paris
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 1bc9e31ae2501f929d52f9f35095243e7cf8f059..babc5009756d4a2d525c38067d18c06e625448fb 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -445,19 +445,26 @@ ssize_t ima_parse_add_rule(char *rule)
 
        p = strsep(&rule, "\n");
        len = strlen(p) + 1;
+
+       if (*p == '#') {
+               kfree(entry);
+               return len;
+       }
+
        result = ima_parse_rule(p, entry);
-       if (!result) {
-               result = len;
-               mutex_lock(&ima_measure_mutex);
-               list_add_tail(&entry->list, &measure_policy_rules);
-               mutex_unlock(&ima_measure_mutex);
-       } else {
+       if (result) {
                kfree(entry);
                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
                                    NULL, op, "invalid policy", result,
                                    audit_info);
+               return result;
        }
-       return result;
+
+       mutex_lock(&ima_measure_mutex);
+       list_add_tail(&entry->list, &measure_policy_rules);
+       mutex_unlock(&ima_measure_mutex);
+
+       return len;
 }
 
 /* ima_delete_rules called to cleanup invalid policy */