---

yaml --- r: 192423 b: refs/heads/master c: 7b62e16 h: refs/heads/master i: 192421: 55f0190 192419: 7d9ec56 192415: 2bcb2a9 v: v3
git-mirror · Apr 20, 2010 · 434ffbf · 434ffbf
1 parent f997034
commit 434ffbf
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/[refs] b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 6ccd045630054c99ba1bb35673db12cfcf1eea58
+refs/heads/master: 7b62e162129c3b28d51016774e0c7c57c710c452
diff --git a/trunk/security/integrity/ima/ima_policy.c b/trunk/security/integrity/ima/ima_policy.c
@@ -245,6 +245,9 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,
 {
 	int result;
 
+	if (entry->lsm[lsm_rule].rule)
+		return -EINVAL;
+
 	entry->lsm[lsm_rule].type = audit_type;
 	result = security_filter_rule_init(entry->lsm[lsm_rule].type,
 					   Audit_equal, args,
@@ -260,6 +263,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
 
+	entry->uid = -1;
 	entry->action = -1;
 	while ((p = strsep(&rule, " ")) != NULL) {
 		substring_t args[MAX_OPT_ARGS];
@@ -274,14 +278,26 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 		switch (token) {
 		case Opt_measure:
 			audit_log_format(ab, "%s ", "measure");
+
+			if (entry->action != UNKNOWN)
+				result = -EINVAL;
+
 			entry->action = MEASURE;
 			break;
 		case Opt_dont_measure:
 			audit_log_format(ab, "%s ", "dont_measure");
+
+			if (entry->action != UNKNOWN)
+				result = -EINVAL;
+
 			entry->action = DONT_MEASURE;
 			break;
 		case Opt_func:
 			audit_log_format(ab, "func=%s ", args[0].from);
+
+			if (entry->func)
+				result  = -EINVAL;
+
 			if (strcmp(args[0].from, "FILE_CHECK") == 0)
 				entry->func = FILE_CHECK;
 			/* PATH_CHECK is for backwards compat */
@@ -298,6 +314,10 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 			break;
 		case Opt_mask:
 			audit_log_format(ab, "mask=%s ", args[0].from);
+
+			if (entry->mask)
+				result = -EINVAL;
+
 			if ((strcmp(args[0].from, "MAY_EXEC")) == 0)
 				entry->mask = MAY_EXEC;
 			else if (strcmp(args[0].from, "MAY_WRITE") == 0)
@@ -313,13 +333,25 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 			break;
 		case Opt_fsmagic:
 			audit_log_format(ab, "fsmagic=%s ", args[0].from);
+
+			if (entry->fsmagic) {
+				result = -EINVAL;
+				break;
+			}
+
 			result = strict_strtoul(args[0].from, 16,
 						&entry->fsmagic);
 			if (!result)
 				entry->flags |= IMA_FSMAGIC;
 			break;
 		case Opt_uid:
 			audit_log_format(ab, "uid=%s ", args[0].from);
+
+			if (entry->uid != -1) {
+				result = -EINVAL;
+				break;
+			}
+
 			result = strict_strtoul(args[0].from, 10, &lnum);
 			if (!result) {
 				entry->uid = (uid_t) lnum;
@@ -370,7 +402,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 			break;
 		}
 	}
-	if (entry->action == UNKNOWN)
+	if (!result && (entry->action == UNKNOWN))
 		result = -EINVAL;
 
 	audit_log_format(ab, "res=%d", !!result);