Message ID | 1578037863-7102-1-git-send-email-clayc@hpe.com (mailing list archive) |
---|---|
State | New, archived |
Series | ima: Add a space after printing a LSM rule for readability |
On Fri, 2020-01-03 at 15:51 +0800, clayc@hpe.com wrote:
> From: Clay Chang <clayc@hpe.com>

Normally this "From" line is only seen when the sender isn't the patch
author. Any ideas what happened?

>
> When reading ima_policy from securityfs, there is a missing
> space between output string of LSM rules.
>
> Signed-off-by: Clay Chang <clayc@hpe.com>

Good catch! IMA policy rules based on LSM labels are used to
constrain which files are in policy. Normally a single LSM label is
enough (e.g. dont_measure obj_type=auditd_log_t). Could you include
in this patch description a use case where multiple LSM labels are
needed?

thanks,

Mimi

> --- > security/integrity/ima/ima_policy.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index ef8dfd47c7e3..1a266e4f99bc 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -1496,6 +1496,7 @@ int ima_policy_show(struct seq_file *m, void *v) > (char *)entry->lsm[i].args_p); > break; > } > + seq_puts(m, " "); > } > } > if (entry->template)
On Fri, Jan 03, 2020 at 12:11:27PM -0500, Mimi Zohar wrote:
> On Fri, 2020-01-03 at 15:51 +0800, clayc@hpe.com wrote:
> > From: Clay Chang <clayc@hpe.com>
>
> Normally this "From" line is only seen when the sender isn't the patch
> author. Any ideas what happened?
>

Hi Mimi,

Apparently I should not use "--from" in the git-send-email command.

> >
> > When reading ima_policy from securityfs, there is a missing
> > space between output string of LSM rules.
> >
> > Signed-off-by: Clay Chang <clayc@hpe.com>
>
> Good catch! IMA policy rules based on LSM labels are used to
> constrain which files are in policy. Normally a single LSM label is
> enough (e.g. dont_measure obj_type=auditd_log_t). Could you include
> in this patch description a use case where multiple LSM labels are
> needed?
>

Apologies for not expressing my intention clearly. The intention of this
patch is to add a space after printing LSM rules (if any) and the
remaining rules. Currently, if I have a policy, for example:

appraise func=BPRM_CHECK obj_type=shell_exec_t appraise_type=imasig

The read back result is:

appraise func=BPRM_CHECK obj_type=shell_exec_tappraise_type=imasig

which is not correct.

I do not have a case for multiple LSM labels, but if there is one such
case, this patch will also apply. I will post a v2 patch with a tuned
description.

Thanks,
Clay
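
A read-back check for the symptom described in the message above, as an added example (not code from this thread or from the kernel): it flags tokens where an LSM label has run into the following option and compares the repaired line with the intended rule. The option names are taken from the kernel's IMA policy documentation; the function names and the splitting heuristic are assumptions made for this example.

```python
import re

# Options that can directly follow an LSM rule in the read-back output.
# Assumption: names from the kernel's IMA policy ABI documentation.
LSM_KEYS = ("subj_user", "subj_role", "subj_type",
            "obj_user", "obj_role", "obj_type")
FOLLOWERS = LSM_KEYS + ("template", "appraise_type")
_EMBEDDED = re.compile(r"(?:%s)=" % "|".join(FOLLOWERS))
_LSM_PREFIXES = tuple(k + "=" for k in LSM_KEYS)


def split_fused(token):
    """Split one read-back token where an LSM label ran into the next option.

    Heuristic: a label that itself contains e.g. "template=" would be split
    too, so callers should report the finding, not silently trust the repair.
    """
    parts = []
    while token.startswith(_LSM_PREFIXES):
        value_start = token.index("=") + 1
        m = _EMBEDDED.search(token, value_start)
        if not m:
            break
        parts.append(token[:m.start()])
        token = token[m.start():]
    parts.append(token)
    return parts


def check_readback(intended, readback):
    """Return (matches_after_repair, fused_tokens) for one rule line."""
    fused, repaired = [], []
    for tok in readback.split():
        parts = split_fused(tok)
        if len(parts) > 1:
            fused.append(tok)
        repaired.extend(parts)
    return repaired == intended.split(), fused


# Constructed sample: the rule and the read-back string quoted in the thread.
INTENDED = "appraise func=BPRM_CHECK obj_type=shell_exec_t appraise_type=imasig"
READBACK = "appraise func=BPRM_CHECK obj_type=shell_exec_tappraise_type=imasig"

if __name__ == "__main__":
    ok, fused = check_readback(INTENDED, READBACK)
    print("rule matches after repair:", ok)
    print("fused tokens (missing separator):", fused)
```

A non-empty fused list means the policy file was read from a kernel without the separator fix, so a plain string comparison against the intended policy would report a false mismatch.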
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index ef8dfd47c7e3..1a266e4f99bc 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1496,6 +1496,7 @@ int ima_policy_show(struct seq_file *m, void *v) (char *)entry->lsm[i].args_p); break; } + seq_puts(m, " "); } } if (entry->template)
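
Review bot: the added seq_puts(m, " ") sits after the closing brace that follows "break;" and runs unconditionally for every LSM rule printed, so please confirm against the rest of ima_policy_show() that this matches how the other options are terminated, including the case where neither entry->template nor any later option follows. The commit message also needs rewording: "a missing space between output string of LSM rules" reads as a problem with multiple LSM labels, while the failure shown in the thread is a label running into the next option (obj_type=shell_exec_tappraise_type=imasig). Putting that before/after pair in the description would make the fix self-explanatory, and since the securityfs read-back is what gets compared against the intended policy, it is worth stating whether the change should carry a Fixes: tag.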