From: Mimi Zohar Date: Fri, 27 Dec 2024 13:28:32 +0000 (-0500) Subject: ima: ignore suffixed policy rule comments X-Git-Tag: v6.14-rc1~168^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4785ed362a24d4f37ee0eb4403f587fee886f8da;p=thirdparty%2Fkernel%2Flinux.git ima: ignore suffixed policy rule comments Lines beginning with '#' in the IMA policy are comments and are ignored. Instead of placing the rule and comment on separate lines, allow the comment to be suffixed to the IMA policy rule. Reviewed-by: Petr Vorel Reviewed-by: Jarkko Sakkinen Signed-off-by: Mimi Zohar --- diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 23bbe2c405f01..128fab8979308 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1432,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) int token; unsigned long lnum; - if (result < 0) + if (result < 0 || *p == '#') /* ignore suffixed comment */ break; if ((*p == '\0') || (*p == ' ') || (*p == '\t')) continue;
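Review bot: the added `*p == '#'` test in the ima_parse_rule() hunk looks only at the first character of p, so a comment is recognized only where '#' begins a token. A '#' that directly follows a rule value with no whitespace in between would not match here and would still reach the token parsing below. The commit message says only that the comment may be "suffixed" to the rule, and this diff touches no documentation, so the whitespace requirement should be stated in the policy documentation or at least in the commit message. A smaller style point: folding the test into the `result < 0` condition leaves the trailing /* ignore suffixed comment */ describing only half of the condition, and a separate `if (*p == '#') break;` with its own comment would read more clearly.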