www.infradead.org Git - nvme.git/commitdiff
ima: ignore suffixed policy rule comments
author Mimi Zohar <zohar@linux.ibm.com>
Fri, 27 Dec 2024 13:28:32 +0000 (08:28 -0500)
committer Mimi Zohar <zohar@linux.ibm.com>
Fri, 3 Jan 2025 15:18:43 +0000 (10:18 -0500)
Lines beginning with '#' in the IMA policy are comments and are ignored.
Instead of placing the rule and comment on separate lines, allow the
comment to be suffixed to the IMA policy rule.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity/ima/ima_policy.c

index 23bbe2c405f0188ec84d4d1c3b252dfa2b5530ae..128fab8979308ac7e5489f21ebf550b22b264d61 100644 (file)
@@ -1432,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                int token;
                unsigned long lnum;
 
-               if (result < 0)
+               if (result < 0 || *p == '#')  /* ignore suffixed comment */
                        break;
                if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
                        continue;
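
Review bot: The new test `*p == '#'` in the changed condition looks only at the first character of p, so a '#' is treated as the start of a comment only when it begins the piece of the rule currently being examined; a '#' written directly against the preceding text would not match here, and nothing in this change tells policy authors that. Consider stating in the policy format documentation that a suffixed comment must be separated from the rule by a space or tab. Also, the '#' case now leaves the loop through the same `break` as `result < 0`, so it is worth confirming that the code after the loop treats a rule cut short by a comment as a normally parsed rule and that nothing there depends on the rest of the line having been consumed.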