
Exclude conflicted property
authorSeiji Munetoh <munetoh@jp.ibm.com>
Wed, 4 Jan 2012 08:34:09 +0000 (17:34 +0900)
committerSeiji Munetoh <munetoh@jp.ibm.com>
Wed, 4 Jan 2012 08:34:09 +0000 (17:34 +0900)
include/openpts.h
src/action.c
src/verifier.c

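--- a/include/openpts.h
+++ b/include/openpts.h
  */
 typedef struct {
     int num;     /**< */
+    int ignore;   /**< flag to exclude policy check. 0: policy check, 1:ignore*/
     char *name;  /**< name */
     char *value; /**< value */
     void *next;  /**< ptr to the next property */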
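Review bot: Nothing in this hunk, or in the other two files of the commit, initialises the new `ignore` field when a property is created; unless the allocator behind addProperty zero-fills the struct (calloc or an explicit store — not visible here), properties hold an indeterminate value there and the `prop->ignore == 1` test added to writePolicyConf reads it. The creation path should set it explicitly, `prop->ignore = 0;`, next to where `name` and `value` are assigned. The field comment could also say who produces and consumes it: `/**< 1 = conflicting values seen (set by setLinuxKernelCmdlineAssertion); writePolicyConf omits the property */`. The struct's typedef name and closing brace are outside the hunk.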
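--- a/src/action.c
+++ b/src/action.c
@@ -373,9 +373,14 @@ int setModuleProperty(OPENPTS_CONTEXT *ctx, OPENPTS_PCR_EVENT_WRAPPER *eventWrap
  *
  *  linux.kernel.cmdline.ro="" 
  *  linux.kernel.cmdline.ima_tcb="1" 
- * 
+ *
  *
  * UnitTest - tests/check_action.c
+ *
+ * 2012-01-04 conflict happen
+ * e.g.
+ *  linux.kernel.cmdline.rd_LVM_LV=vg_oc3277723285/lv_root
+ *  linux.kernel.cmdline.rd_LVM_LV=vg_oc3277723285/lv_swap
  * 
  */
 int setLinuxKernelCmdlineAssertion(OPENPTS_CONTEXT *ctx, OPENPTS_PCR_EVENT_WRAPPER *eventWrapper) {
@@ -425,11 +430,28 @@ int setLinuxKernelCmdlineAssertion(OPENPTS_CONTEXT *ctx, OPENPTS_PCR_EVENT_WRAPP
             /* A=B? */
             ep = strchr(tp, '=');
             if (ep != NULL) {
+                OPENPTS_PROPERTY *prop;
                 *ep = 0;
                 ep++;
                 snprintf(name, BUF_SIZE, "linux.kernel.cmdline.%s", tp);
                 snprintf(value, BUF_SIZE, "%s", ep);
-                addProperty(ctx, name, value);
+                /* check */
+                prop = getProperty(ctx, name);
+                if (prop != NULL) {
+                    // conflict
+                    DEBUG(
+                        "Property %s=%s and %s=%s are conflicted. Drop them from the policy list.",
+                        name, prop->value,
+                        name, value);
+                    VERBOSE(2, // TODO NLS
+                        "Property %s=%s and %s=%s are conflicted. Drop them from the policy list.",
+                        name, prop->value,
+                        name, value);
+                    prop->ignore = 1;
+                } else {
+                    // new prop, no conflict
+                    addProperty(ctx, name, value);
+                }
                 cnt++;
             } else {
                 snprintf(name, BUF_SIZE, "linux.kernel.cmdline.%s", tp);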
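Review bot: The conflict branch discards the second value and leaves the first entry in the list with `ignore` set, which is not what the DEBUG/VERBOSE text ("Drop them from the policy list") describes; the net effect is that a key which legitimately repeats on the reference system (the rd_LVM_LV example in the header comment) gets no policy check at all, and the only notice at generation time is at VERBOSE level 2. Because this removes a check from the generated policy, the message deserves the same visibility the verifier side gives it, and `cnt++` still counts the dropped entry, which may or may not be intended depending on how the caller uses the count (not visible here). A comment on the flag line would make the mechanism explicit: `prop->ignore = 1; /* first entry stays in the list so later duplicates are still detected; writePolicyConf skips it */`. setLinuxKernelCmdlineAssertion begins and ends outside the hunk.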
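--- a/src/verifier.c
+++ b/src/verifier.c
@@ -715,6 +715,9 @@ int  writePolicyConf(OPENPTS_CONTEXT *ctx, char *filename) {
             /* IMA measurement - SKIP */
         } else if (!strncmp(prop->name, "disable.", 8)) {
             /* Indicates a disabled tpm quote - SKIP */
+        } else if (prop->ignore == 1) {
+            ERROR( // TODO NLS
+                "The property %s is conflicted and excluded from the policy.\n", prop->name);
         } else {
             fprintf(fp, "%s=%s\n", prop->name, prop->value);
             i++;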
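Review bot: The excluded property leaves no trace in the written policy file, so anyone reviewing policy.conf later cannot tell that a cmdline key was deliberately left unchecked; only the ERROR emitted at generation time records it. If the policy parser tolerates comment lines (not visible here), writing one in place of the entry would keep the gap visible where it matters: `fprintf(fp, "# %s excluded: conflicting values\n", prop->name);` alongside the ERROR. Testing `prop->ignore` after the name-prefix branches is fine, since those entries are skipped anyway, but the test assumes every property has the field initialised, which this commit does not show. writePolicyConf begins and ends outside the hunk.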