[PATCH Jammy 1/1] UBUNTU: SAUCE: ima_policy: fix test for empty rule set

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Thu Mar 10 11:39:14 UTC 2022

SAUCE commit "LSM: Create and manage the lsmblob data structure."
changes the single audit rule data into an array.

Upstream commit 89677197ae70 ("ima: Do not print policy rule with
inactive LSM labels") adds a test for the rule on ima_rule_entry when
showing in proc files, which use the unsauced rule test.

Use the function ima_lsm_isset introduced by the SAUCE patch to test
whether a rule is set.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
 security/integrity/ima/ima_policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index fa7f118a9ee7..ebf438e74490 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1872,7 +1872,7 @@ int ima_policy_show(struct seq_file *m, void *v)
 	/* Do not print rules with inactive LSM labels */
 	for (i = 0; i < MAX_LSM_RULES; i++) {
-		if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
+		if (entry->lsm[i].args_p && !ima_lsm_isset(entry->lsm[i].rules)) {
 			return 0;
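
Review bot: On the changed condition in ima_policy_show(), the commit message does not say whether the old `!entry->lsm[i].rule` test stopped building or kept building and evaluated the wrong thing once the SAUCE patch turned the single rule into an array; please state which, since that decides whether the policy listing was wrong on kernels already built with both changes. It would also help to note that ima_lsm_isset() is expected to report true when any slot in `rules` is populated, so that `!ima_lsm_isset(entry->lsm[i].rules)` keeps the upstream meaning of "args_p present but no active rule", and to confirm that no other `lsm[i].rule` tests brought in by upstream backports remain in ima_policy.c.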
