On Mon, 2021-02-22 at 15:45 -0800, Casey Schaufler wrote:
> On 2/14/2021 10:21 AM, Mimi Zohar wrote:
> > Would these changes match your suggestion?
>
> security/integrity/ima/ima_policy.c | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c
> index 9ac673472781..e80956548243 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -78,11 +78,11 @@ struct ima_rule_entry {
> bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */
> bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
> int pcr;
> + int which_lsm; /* which of the rules to use */
> struct {
> void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */

If each IMA policy rule may only contain a single LSM specific
LSM_OBJ_{USER | ROLE | TYPE} and LSM_SUBJ_{USER | ROLE | TYPE}, then
there is no need for rules[LSMBLOB_ENTRIES]. Leave it as "*rule".
Otherwise it looks good.

Mimi

> char *args_p; /* audit value */
> int type; /* audit type */
> - int which_lsm; /* which of the rules to use */
> } lsm[MAX_LSM_RULES];
> char *fsname;
> struct ima_rule_opt_list *keyrings; /* Measure keys added to these
> keyrings */

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
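Review bot: hoisting `int which_lsm` out of the per-entry `lsm[MAX_LSM_RULES]` struct into `struct ima_rule_entry` forces every LSM sub-rule of one policy rule to bind to the same LSM, but the hunk shows neither a parse-time check that rejects a rule whose LSM_SUBJ_* and LSM_OBJ_* options name two different LSMs, nor what `which_lsm` holds for a rule that carries no LSM option at all; if slot 0 is a valid index into `rules[LSMBLOB_ENTRIES]`, a field left at zero silently selects the first LSM. Suggest initialising it to a sentinel such as -1 where the rule entry is set up, failing the parse on a mismatch between sub-rules, and expanding the comment `/* which of the rules to use */` to say it is the index into the per-entry rules[] that selects one LSM for the whole rule.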