Thread: 28 messages, 2 authors, 2019-05-28

Re: [PATCH v10 09/12] ima: Implement support for module-style appended signatures

From: Thiago Jung Bauermann <hidden>
Date: 2019-05-28 19:24:14
Also in: keyrings, linux-crypto, linux-doc, linux-integrity, linux-security-module, lkml

Mimi Zohar [off-list ref] writes:
Hi Thiago,
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index fca7a3f23321..a7a20a8c15c1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1144,6 +1144,12 @@ void ima_delete_rules(void)
 	}
 }

+#define __ima_hook_stringify(str)	(#str),
+
+const char *const func_tokens[] = {
+	__ima_hooks(__ima_hook_stringify)
+};
+
 #ifdef	CONFIG_IMA_READ_POLICY
 enum {
 	mask_exec = 0, mask_write, mask_read, mask_append
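Review bot: the definition added by the `+` lines here drops `static` (`const char *const func_tokens[]` now has external linkage), but no matching declaration is visible in this hunk. Without an `extern const char *const func_tokens[];` in the shared IMA header, the new user outside this file (ima_read_modsig(), per the discussion) has nothing to compile against, and sparse will warn that the symbol was not declared and ask whether it should be static. Either add the header declaration in the same patch or keep the table static and expose a small accessor in ima_policy.c instead.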
@@ -1156,12 +1162,6 @@ static const char *const mask_tokens[] = {
 	"MAY_APPEND"
 };

-#define __ima_hook_stringify(str)	(#str),
-
-static const char *const func_tokens[] = {
-	__ima_hooks(__ima_hook_stringify)
-};
-
 void *ima_policy_start(struct seq_file *m, loff_t *pos)
 {
 	loff_t l = *pos;
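Review bot: removing the static copy here takes func_tokens out of the `#ifdef CONFIG_IMA_READ_POLICY` region while ima_policy_start() and the rest of that region keep using it, so the string table is now built into every IMA configuration, including ones with neither the policy reader nor the modsig code enabled. That is a small rodata cost, but if it matters the new global in the previous hunk could be wrapped in an `#if` that covers both users instead of being unconditional.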
Is moving this something left over from previous versions, or is there
a need for this change?
Well, it's not a strong need, but it's still relevant in the current
version. I use func_tokens in ima_read_modsig() in order to be able to
mention the hook name in mod_check_sig()'s error message:

In ima_read_modsig():

	rc = mod_check_sig(sig, buf_len, func_tokens[func]);

And in mod_check_sig():

		pr_err("%s: Module is not signed with expected PKCS#7 message\n",
		       name);

If you think it's not worth it to expose func_tokens, I can make
ima_read_modsig() pass a more generic const string such as "IMA modsig"
for example.
Other than this, the patch looks good.
Nice!

--
Thiago Jung Bauermann
IBM Linux Technology Center
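The exchange above turns on the `__ima_hooks(__ima_hook_stringify)` pattern: a single X-macro list expanded once into an enum and once into a string table, so that an integer hook index can be turned back into its name for a diagnostic. The following is an added, stand-alone illustration of that pattern, not code from the patch or from the kernel tree. The hook names (`EXAMPLE_HOOKS`, `example_func_tokens`, `example_check_sig`) are invented for the example; the only borrowed detail is the module-signature trailer string used as the "is there a signature at all" check, standing in for what mod_check_sig() does in far more depth.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Hypothetical hook list in the style of the kernel's __ima_hooks() X-macro.
 * The names are assumptions for this example; the real list is in ima.h.
 */
#define EXAMPLE_HOOKS(hook)		\
	hook(NONE)			\
	hook(FILE_CHECK)		\
	hook(MODULE_CHECK)		\
	hook(KEXEC_KERNEL_CHECK)	\
	hook(MAX_CHECK)

/* First expansion: the enum that callers pass around as a hook index. */
#define EXAMPLE_HOOK_ENUM(str)	str,
enum example_hook {
	EXAMPLE_HOOKS(EXAMPLE_HOOK_ENUM)
};

/* Second expansion: the string table, mirroring __ima_hook_stringify(). */
#define EXAMPLE_HOOK_STRINGIFY(str)	(#str),
static const char *const example_func_tokens[] = {
	EXAMPLE_HOOKS(EXAMPLE_HOOK_STRINGIFY)
};

#define EXAMPLE_NR_HOOKS \
	(sizeof(example_func_tokens) / sizeof(example_func_tokens[0]))

/* Trailer the kernel appends after a module's PKCS#7 signature. */
#define SIG_MAGIC "~Module signature appended~\n"

/* Map a hook index back to its name; out-of-range values must not index the table. */
static const char *hook_name(enum example_hook func)
{
	if ((size_t)func >= EXAMPLE_NR_HOOKS)
		return "UNKNOWN";
	return example_func_tokens[func];
}

/*
 * Stand-in for mod_check_sig(): here a buffer "carries a signature" only if it
 * ends with SIG_MAGIC. Returns 0 on success, -1 on failure; on failure the
 * diagnostic names the hook, which is what passing func_tokens[func] buys.
 */
static int example_check_sig(const unsigned char *buf, size_t len,
			     enum example_hook func, char *err, size_t errlen)
{
	size_t magic = strlen(SIG_MAGIC);

	if (len < magic || memcmp(buf + len - magic, SIG_MAGIC, magic) != 0) {
		snprintf(err, errlen,
			 "%s: Module is not signed with expected PKCS#7 message",
			 hook_name(func));
		return -1;
	}
	err[0] = '\0';
	return 0;
}

int main(void)
{
	/* Constructed inputs: one buffer with the trailer, one without. */
	const unsigned char signed_buf[] = "payload" SIG_MAGIC;
	const unsigned char unsigned_buf[] = "payload";
	char err[128];

	if (example_check_sig(signed_buf, sizeof(signed_buf) - 1,
			      MODULE_CHECK, err, sizeof(err)) == 0)
		printf("%s: signature trailer present\n", hook_name(MODULE_CHECK));

	if (example_check_sig(unsigned_buf, sizeof(unsigned_buf) - 1,
			      KEXEC_KERNEL_CHECK, err, sizeof(err)) != 0)
		printf("%s\n", err);
	return 0;
}
```

The point of the two expansions is that the enum and the table cannot drift apart: adding a hook to `EXAMPLE_HOOKS` grows both at once, and the bounds check in `hook_name()` is the one thing the macro cannot give you for free.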