Merge tag 'integrity-v6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar: "There's just a couple of changes: two kernel messages addressed, a measurement policy collision addressed, and one policy cleanup. Please note that the contents of the IMA measurement list is potentially affected. The builtin tmpfs IMA policy rule change might introduce additional measurements, while detecting a reboot might eliminate some measurements" * tag 'integrity-v6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: ignore suffixed policy rule comments ima: limit the builtin 'tcb' dont_measure tmpfs policy rule ima: kexec: silence RCU list traversal warning ima: Suspend PCR extends and log appends when rebooting
author: Linus Torvalds <torvalds@linux-foundation.org> 2025-01-21 19:54:32 -0800
committer: Linus Torvalds <torvalds@linux-foundation.org> 2025-01-21 19:54:32 -0800
commit: 0ca0cf9f8cb16e3850e5242d68a1825d286e6a68 (patch)
tree: 1888053b0c78962a204856e08a83be7fbf757c9c /security/integrity/ima/ima_policy.c
parent: 7dd457a2fd78f3dd39aad4579d13e9eed2effbca (diff)
parent: 4785ed362a24d4f37ee0eb4403f587fee886f8da (diff)
download: linux-0ca0cf9f8cb16e3850e5242d68a1825d286e6a68.tar.gz
linux-0ca0cf9f8cb16e3850e5242d68a1825d286e6a68.tar.bz2
linux-0ca0cf9f8cb16e3850e5242d68a1825d286e6a68.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 21a8e54c383f..128fab897930 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
 	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
-	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
+	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
+	 .flags = IMA_FSMAGIC | IMA_FUNC},
 	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -1431,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 		int token;
 		unsigned long lnum;
 
-		if (result < 0)
+		if (result < 0 || *p == '#')  /* ignore suffixed comment */
 			break;
 		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
 			continue;
author	Linus Torvalds <torvalds@linux-foundation.org>	2025-01-21 19:54:32 -0800
committer	Linus Torvalds <torvalds@linux-foundation.org>	2025-01-21 19:54:32 -0800
commit	0ca0cf9f8cb16e3850e5242d68a1825d286e6a68 (patch)
tree	1888053b0c78962a204856e08a83be7fbf757c9c /security/integrity/ima/ima_policy.c
parent	7dd457a2fd78f3dd39aad4579d13e9eed2effbca (diff)
parent	4785ed362a24d4f37ee0eb4403f587fee886f8da (diff)
download	linux-0ca0cf9f8cb16e3850e5242d68a1825d286e6a68.tar.gz linux-0ca0cf9f8cb16e3850e5242d68a1825d286e6a68.tar.bz2 linux-0ca0cf9f8cb16e3850e5242d68a1825d286e6a68.zip