On Mon, 2021-02-22 at 15:45 -0800, Casey Schaufler wrote:
On 2/14/2021 10:21 AM, Mimi Zohar wrote:
Would these changes match your suggestion?
security/integrity/ima/ima_policy.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 9ac673472781..e80956548243 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -78,11 +78,11 @@ struct ima_rule_entry {
bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */
bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
int pcr;
+ int which_lsm; /* which of the rules to use */
struct {
void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */
If each IMA policy rule may only contain a single LSM specific
LSM_OBJ_{USER | ROLE | TYPE} and LSM_SUBJ_{USER | ROLE | TYPE}, then
there is no need for rules[LSMBLOB_ENTRIES]. Leave it as "*rule".
Otherwise it looks good.
Mimi
char *args_p; /* audit value */
int type; /* audit type */
- int which_lsm; /* which of the rules to use */
} lsm[MAX_LSM_RULES];
char *fsname;
struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */