From: Clay Chang <[email protected]>
When reading ima_policy from securityfs, there is a missing
space between output string of LSM rules.
Signed-off-by: Clay Chang <[email protected]>
---
security/integrity/ima/ima_policy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ef8dfd47c7e3..1a266e4f99bc 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1496,6 +1496,7 @@ int ima_policy_show(struct seq_file *m, void *v)
(char *)entry->lsm[i].args_p);
break;
}
+ seq_puts(m, " ");
}
}
if (entry->template)
--
2.18.1
On Fri, 2020-01-03 at 15:51 +0800, [email protected] wrote:
> From: Clay Chang <[email protected]>
Normally this "From" line is only seen when the sender isn't the patch
author. Any ideas what happened?
>
> When reading ima_policy from securityfs, there is a missing
> space between output string of LSM rules.
>
> Signed-off-by: Clay Chang <[email protected]>
Good catch! IMA policy rules based on LSM labels are used to
constrain which files are in policy. Normally a single LSM label is
enough (e.g. dont_measure obj_type=auditd_log_t). Could you include
in this patch description a use case where multiple LSM labels are
needed?
thanks,
Mimi
> ---
> security/integrity/ima/ima_policy.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index ef8dfd47c7e3..1a266e4f99bc 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1496,6 +1496,7 @@ int ima_policy_show(struct seq_file *m, void *v)
> (char *)entry->lsm[i].args_p);
> break;
> }
> + seq_puts(m, " ");
> }
> }
> if (entry->template)
On Fri, Jan 03, 2020 at 12:11:27PM -0500, Mimi Zohar wrote:
> On Fri, 2020-01-03 at 15:51 +0800, [email protected] wrote:
> > From: Clay Chang <[email protected]>
>
> Normally this "From" line is only seen when the sender isn't the patch
> author. ?Any ideas what happened??
>
Hi Mimi,
Apparently I should not use "--from" in git-send-email command.
> >
> > When reading ima_policy from securityfs, there is a missing
> > space between output string of LSM rules.
> >
> > Signed-off-by: Clay Chang <[email protected]>
>
> Good catch! ?IMA policy rules based on LSM labels are used to
> constrain which files are in policy. ?Normally a single LSM label is
> enough (e.g. dont_measure obj_type=auditd_log_t). ?Could you include
> in this patch description a use case where multiple LSM labels are
> needed?
>
Apology for not expressed my intention clearly. The intention of this
patch is to add a space after printing LSM rules (if any) and the
remaining rules.
Currently, if I have a policy, for example:
appraise func=BPRM_CHECK obj_type=shell_exec_t appraise_type=imasig
The read back result is:
appraise func=BPRM_CHECK obj_type=shell_exec_tappraise_type=imasig
which is not correct.
I do not have a case for multiple LSM labels, but if there is one
such case, this patch will also apply.
I will post a v2 patch with tuned description.
Thanks,
Clay