Hi Lakshmi,
Trimming the Cc list. This patch is limited to IMA.
On Thu, 2020-01-16 at 15:46 -0800, Lakshmi Ramasubramanian wrote:
>
> @@ -949,6 +949,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> bool uid_token;
> struct ima_template_desc *template_desc;
> int result = 0;
> + size_t keyrings_len;
>
> ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
> AUDIT_INTEGRITY_POLICY_RULE);
> @@ -1114,14 +1115,47 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> case Opt_keyrings:
> ima_log_string(ab, "keyrings", args[0].from);
>
> + keyrings_len = strlen(args[0].from) + 1;
> +
> if ((entry->keyrings) ||
> (entry->action != MEASURE) ||
> - (entry->func != KEY_CHECK)) {
> + (entry->func != KEY_CHECK) ||
> + (keyrings_len < 2)) {
> result = -EINVAL;
> break;
> }
> +
> + if (ima_keyrings) {
> + if (keyrings_len > ima_keyrings_len) {
> + char *tmpbuf;
> +
> + tmpbuf = krealloc(ima_keyrings,
> + keyrings_len,
> + GFP_KERNEL);
> + if (!tmpbuf) {
> + result = -ENOMEM;
> + break;
> + }
> +
> + ima_keyrings = tmpbuf;
> + ima_keyrings_len = keyrings_len;
> + }
> + } else {
> + ima_keyrings = kzalloc(keyrings_len,
> + GFP_KERNEL);
> + if (!ima_keyrings) {
> + result = -ENOMEM;
> + break;
> + }
> +
> + ima_keyrings_len = keyrings_len;
> + }
The first time this code is executed ima_keyrings_len is 0. So "if
(ima_keyrings_len < keyring_len)" will be true. There's no reason to
differentiate between the first time or subsequent times this code is
executed. In both cases, krealloc() can be used.
Mimi
> +
> entry->keyrings = kstrdup(args[0].from, GFP_KERNEL);
> if (!entry->keyrings) {
> + kfree(ima_keyrings);
> + ima_keyrings = NULL;
> + ima_keyrings_len = 0;
> result = -ENOMEM;
> break;
> }
