On Wed, 2019-05-29 at 15:30 +0200, Roberto Sassu wrote:
> Show the '^' character when a policy rule has flag IMA_INMASK.
>
> Fixes: 80eae209d63ac ("IMA: allow reading back the current IMA policy")
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
Thanks, queued.
> ---
> security/integrity/ima/ima_policy.c | 21 ++++++++++++---------
> 1 file changed, 12 insertions(+), 9 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e0cc323f948f..ae4034f041c4 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1146,10 +1146,10 @@ enum {
> };
>
> static const char *const mask_tokens[] = {
> - "MAY_EXEC",
> - "MAY_WRITE",
> - "MAY_READ",
> - "MAY_APPEND"
> + "^MAY_EXEC",
> + "^MAY_WRITE",
> + "^MAY_READ",
> + "^MAY_APPEND"
> };
>
> #define __ima_hook_stringify(str) (#str),
> @@ -1209,6 +1209,7 @@ int ima_policy_show(struct seq_file *m, void *v)
> struct ima_rule_entry *entry = v;
> int i;
> char tbuf[64] = {0,};
> + int offset = 0;
>
> rcu_read_lock();
>
> @@ -1232,15 +1233,17 @@ int ima_policy_show(struct seq_file *m, void *v)
> if (entry->flags & IMA_FUNC)
> policy_func_show(m, entry->func);
>
> - if (entry->flags & IMA_MASK) {
> + if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
> + if (entry->flags & IMA_MASK)
> + offset = 1;
> if (entry->mask & MAY_EXEC)
> - seq_printf(m, pt(Opt_mask), mt(mask_exec));
> + seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
> if (entry->mask & MAY_WRITE)
> - seq_printf(m, pt(Opt_mask), mt(mask_write));
> + seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
> if (entry->mask & MAY_READ)
> - seq_printf(m, pt(Opt_mask), mt(mask_read));
> + seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
> if (entry->mask & MAY_APPEND)
> - seq_printf(m, pt(Opt_mask), mt(mask_append));
> + seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
> seq_puts(m, " ");
> }
>
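Review bot: The `mask_tokens` table now depends on a convention that nothing next to it states: every entry must start with `^`, because `ima_policy_show()` (third hunk) skips that first character with `+ offset` for IMA_MASK rules. A token added later without the prefix would be printed with its first letter cut off for IMA_MASK rules, so the policy read back would no longer match the rule that was loaded. A comment above the array would make the coupling explicit, for example `/* Each token starts with '^' (the IMA_INMASK form); ima_policy_show() skips it for IMA_MASK rules. */`. The enum that indexes this array ends just above the hunk and is not fully visible here.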
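Review bot: In the mask branch of `ima_policy_show()`, the two flag tests can be written as one, `if (entry->flags & (IMA_MASK | IMA_INMASK)) {`, which states the intent more directly. The branch also drops the `^` whenever IMA_MASK is set, so a rule carrying both flags would be displayed as a plain `mask=` rule. If the rule parser guarantees the two flags are mutually exclusive (not visible in this patch), a one-line comment such as `/* IMA_MASK and IMA_INMASK are never set together */` would help anyone auditing the displayed policy against the loaded one. The function body starts and ends outside the hunk.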