Re: [PATCH v6 2/3] ima: use the lsm policy update notifier

+static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) +{

• struct ima_rule_entry *nentry;
• int i, result;
• nentry = kmalloc(sizeof(*nentry), GFP_KERNEL);
• if (!nentry)

• return NULL;
  

• /*

• * Immutable elements are copied over as pointers and data; only
  

• * lsm rules can change
  

• */
  

• memcpy(nentry, entry, sizeof(*nentry));
• memset(nentry->lsm, 0, FIELD_SIZEOF(struct ima_rule_entry, lsm));
• for (i = 0; i < MAX_LSM_RULES; i++) {

• security_filter_rule_free(entry->lsm[i].rule);
  

• kfree(entry->lsm[i].args_p);
  

• if (!entry->lsm[i].rule)
  

• 	continue;
  

• nentry->lsm[i].type = entry->lsm[i].type;
  

• nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p,
  

• 				GFP_KERNEL);
  

• if (!nentry->lsm[i].args_p)
  

• 	goto out_err;
  

• result = security_filter_rule_init(nentry->lsm[i].type,
  

• 				   Audit_equal,
  

• 				   nentry->lsm[i].args_p,
  

• 				   &nentry->lsm[i].rule);
  

• if (result == -EINVAL)
  

• 	pr_warn("ima: rule for LSM \'%d\' is undefined\n",
  

• 		entry->lsm[i].type);
  

  }
• return nentry;

+out_err:

• ima_lsm_free_rule(entry); kfree(entry);

This should be "nentry". Otherwise, it looks good.

thanks,

Mimi

• return NULL;

+}