Message ID | 1492546666-16615-4-git-send-email-bauerman@linux.vnet.ibm.com (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Herbert Xu |
Headers | show |
On Tue, 2017-04-18 at 17:17 -0300, Thiago Jung Bauermann wrote: > If the func_tokens array uses the same indices as enum ima_hooks, > policy_func_show can be a lot simpler, and the func_* enum becomes > unnecessary. My main concern with separating the enumeration from the string definition is that they might become out of sync. Perhaps using macros, similar to those used for kernel_read_file_id_str(), would be better? > Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> > --- > security/integrity/ima/ima_policy.c | 47 ++++++------------------------------- > 1 file changed, 7 insertions(+), 40 deletions(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index cfda5d7b17ec..158eafef64e8 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -896,20 +896,14 @@ static const char *const mask_tokens[] = { > "MAY_APPEND" > }; > > -enum { > - func_file = 0, func_mmap, func_bprm, > - func_module, func_firmware, func_post, > - func_kexec_kernel, func_kexec_initramfs, > - func_policy > -}; > - At least, add a comment here and near the ima_hooks enumeration to prevent them from becoming out of sync. Mimi > static const char *const func_tokens[] = { > + NULL, > "FILE_CHECK", > "MMAP_CHECK", > "BPRM_CHECK", > + "POST_SETATTR", > "MODULE_CHECK", > "FIRMWARE_CHECK", > - "POST_SETATTR", > "KEXEC_KERNEL_CHECK", > "KEXEC_INITRAMFS_CHECK", > "POLICY_CHECK" > @@ -949,48 +943,21 @@ void ima_policy_stop(struct seq_file *m, void *v) > > #define pt(token) policy_tokens[token + Opt_err].pattern > #define mt(token) mask_tokens[token] > -#define ft(token) func_tokens[token] > > /* > * policy_func_show - display the ima_hooks policy rule > */ > static void policy_func_show(struct seq_file *m, enum ima_hooks func) > { > - char tbuf[64] = {0,}; > + if (func > 0 && func < MAX_CHECK) > + seq_printf(m, pt(Opt_func), func_tokens[func]); > + else { > + char tbuf[64] = {0,}; > > - switch (func) { > - case FILE_CHECK: > - seq_printf(m, pt(Opt_func), ft(func_file)); > - break; > - case MMAP_CHECK: > - seq_printf(m, pt(Opt_func), ft(func_mmap)); > - break; > - case BPRM_CHECK: > - seq_printf(m, pt(Opt_func), ft(func_bprm)); > - break; > - case MODULE_CHECK: > - seq_printf(m, pt(Opt_func), ft(func_module)); > - break; > - case FIRMWARE_CHECK: > - seq_printf(m, pt(Opt_func), ft(func_firmware)); > - break; > - case POST_SETATTR: > - seq_printf(m, pt(Opt_func), ft(func_post)); > - break; > - case KEXEC_KERNEL_CHECK: > - seq_printf(m, pt(Opt_func), ft(func_kexec_kernel)); > - break; > - case KEXEC_INITRAMFS_CHECK: > - seq_printf(m, pt(Opt_func), ft(func_kexec_initramfs)); > - break; > - case POLICY_CHECK: > - seq_printf(m, pt(Opt_func), ft(func_policy)); > - break; > - default: > snprintf(tbuf, sizeof(tbuf), "%d", func); > seq_printf(m, pt(Opt_func), tbuf); > - break; > } > + > seq_puts(m, " "); > } >
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index cfda5d7b17ec..158eafef64e8 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -896,20 +896,14 @@ static const char *const mask_tokens[] = { "MAY_APPEND" }; -enum { - func_file = 0, func_mmap, func_bprm, - func_module, func_firmware, func_post, - func_kexec_kernel, func_kexec_initramfs, - func_policy -}; - static const char *const func_tokens[] = { + NULL, "FILE_CHECK", "MMAP_CHECK", "BPRM_CHECK", + "POST_SETATTR", "MODULE_CHECK", "FIRMWARE_CHECK", - "POST_SETATTR", "KEXEC_KERNEL_CHECK", "KEXEC_INITRAMFS_CHECK", "POLICY_CHECK" @@ -949,48 +943,21 @@ void ima_policy_stop(struct seq_file *m, void *v) #define pt(token) policy_tokens[token + Opt_err].pattern #define mt(token) mask_tokens[token] -#define ft(token) func_tokens[token] /* * policy_func_show - display the ima_hooks policy rule */ static void policy_func_show(struct seq_file *m, enum ima_hooks func) { - char tbuf[64] = {0,}; + if (func > 0 && func < MAX_CHECK) + seq_printf(m, pt(Opt_func), func_tokens[func]); + else { + char tbuf[64] = {0,}; - switch (func) { - case FILE_CHECK: - seq_printf(m, pt(Opt_func), ft(func_file)); - break; - case MMAP_CHECK: - seq_printf(m, pt(Opt_func), ft(func_mmap)); - break; - case BPRM_CHECK: - seq_printf(m, pt(Opt_func), ft(func_bprm)); - break; - case MODULE_CHECK: - seq_printf(m, pt(Opt_func), ft(func_module)); - break; - case FIRMWARE_CHECK: - seq_printf(m, pt(Opt_func), ft(func_firmware)); - break; - case POST_SETATTR: - seq_printf(m, pt(Opt_func), ft(func_post)); - break; - case KEXEC_KERNEL_CHECK: - seq_printf(m, pt(Opt_func), ft(func_kexec_kernel)); - break; - case KEXEC_INITRAMFS_CHECK: - seq_printf(m, pt(Opt_func), ft(func_kexec_initramfs)); - break; - case POLICY_CHECK: - seq_printf(m, pt(Opt_func), ft(func_policy)); - break; - default: snprintf(tbuf, sizeof(tbuf), "%d", func); seq_printf(m, pt(Opt_func), tbuf); - break; } + seq_puts(m, " "); }
If the func_tokens array uses the same indices as enum ima_hooks, policy_func_show can be a lot simpler, and the func_* enum becomes unnecessary. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> --- security/integrity/ima/ima_policy.c | 47 ++++++------------------------------- 1 file changed, 7 insertions(+), 40 deletions(-)