Commit 11047ede authored by Krzysztof Struczynski, committed by Zheng Zengkai

ima: fix a potential crash owing to the compiler optimisation

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1
CVE: NA

--------------------------------

The build_appraise_rules may be a zero length array, depending on the kernel
configuration. This is (vaguely) forbidden in a standard and leads to the
compiler optimisation where the address of build_appraise_rules is the
same as that of default_appraise_rules. That leads to an unexpected flow in
add_rules(), where the condition:
if (entries != build_appraise_rules)
is false for entries equal to default_appraise_rules.
Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
Reviewed-by: Zhang Tianxing <zhangtianxing3@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
Parent e16e05db
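As an added example that is not part of this commit or of the kernel tree, the following user-space C program models the aliasing the commit message describes. The names rule_entry, add_rules_by_address(), add_rules_by_kind(), match_policy() and the one-bit-per-hook flag values are assumptions made for the illustration, not IMA's real code. It keeps a GNU zero-length build_appraise_rules next to a populated default_appraise_rules, reports whether the compiler in use actually placed the two at the same address, shows how the address comparison quoted in the commit message then drops the default rules' appraisal flags, and contrasts two ways out: the placeholder entry this patch adds, which a policy walk has to skip by its UNKNOWN action, and passing an explicit argument to the table walk so that no address comparison is needed at all.

```c
/*
 * Added example, not code from the openEuler kernel tree: a user-space model of
 * the aliasing the commit message describes.  rule_entry, the hook values, the
 * one-bit-per-hook flags and the functions below are assumptions made for this
 * illustration; IMA's real structures and functions differ in detail.
 */
#include <stdbool.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof(*(a)))
#define appraise_flag(func) (1u << (func))	/* assumed: one flag bit per hook */

enum action { UNKNOWN = 0, APPRAISE = 1 };
enum hook { NONE = 0, MODULE_CHECK = 1, POLICY_CHECK = 2 };

struct rule_entry {
	enum action action;
	enum hook func;
};

static struct rule_entry default_appraise_rules[] = {
	{ .action = APPRAISE, .func = MODULE_CHECK },
};

/* No CONFIG_IMA_APPRAISE_REQUIRE_*_SIGS option set: a GNU zero-length array,
 * sizeof 0, no storage, free to share its address with a neighbouring object. */
static struct rule_entry build_appraise_rules[] = {
};

/* The patch's approach: a placeholder member keeps the table non-empty. */
static struct rule_entry build_appraise_rules_fixed[] = {
	{ .action = UNKNOWN, .func = NONE },
};

/* Did this compiler overlap the empty table with the default one?  volatile
 * forces a run-time comparison instead of folding "distinct objects" to false. */
bool build_rules_alias_default(void)
{
	const void *volatile a = build_appraise_rules;
	const void *volatile b = default_appraise_rules;

	return a == b;
}

/* The add_rules() accounting from the commit message: APPRAISE rules contribute
 * a flag unless the table *is* build_appraise_rules, recognised by its address.
 * If the empty table aliases default_appraise_rules, the default rules are
 * mistaken for build rules and contribute nothing. */
unsigned add_rules_by_address(const struct rule_entry *entries, size_t count)
{
	unsigned flags = 0;

	for (size_t i = 0; i < count; i++)
		if (entries[i].action == APPRAISE &&
		    entries != build_appraise_rules)
			flags |= appraise_flag(entries[i].func);
	return flags;
}

/* Same accounting with the caller naming the table: no address comparison, so
 * an empty table can never be mistaken for another one. */
unsigned add_rules_by_kind(const struct rule_entry *entries, size_t count,
			   bool is_build_rules)
{
	unsigned flags = 0;

	for (size_t i = 0; i < count; i++)
		if (entries[i].action == APPRAISE && !is_build_rules)
			flags |= appraise_flag(entries[i].func);
	return flags;
}

/* The policy walk for one hook: a rule is considered only if its action
 * intersects the actions asked for, so the placeholder (action UNKNOWN == 0)
 * is always skipped and can never match a file access. */
enum action match_policy(const struct rule_entry *rules, size_t count,
			 enum hook func, unsigned wanted)
{
	for (size_t i = 0; i < count; i++)
		if ((rules[i].action & wanted) && rules[i].func == func)
			return rules[i].action;
	return UNKNOWN;
}

unsigned default_flags_by_address(void)
{
	/* volatile keeps the address comparison inside from being folded away */
	const struct rule_entry *volatile entries = default_appraise_rules;

	return add_rules_by_address(entries, ARRAY_SIZE(default_appraise_rules));
}

int main(void)
{
	printf("empty table: %zu entries, aliases default table: %s\n",
	       ARRAY_SIZE(build_appraise_rules),
	       build_rules_alias_default() ? "yes" : "no");
	printf("default rules: flags by address 0x%x\n", default_flags_by_address());
	return 0;
}
```

Whether the two tables alias is a property of the compiler and linker, not of the C source, which is exactly why the kernel code cannot rely on the comparison; the example therefore reports the outcome rather than assuming it, and its checks hold in both cases. The placeholder approach is sound only as long as every consumer of the rule list treats an action of UNKNOWN as "no rule"; the explicit-argument variant removes that dependency together with the address comparison.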
......@@ -208,6 +208,13 @@ static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
{.action = APPRAISE, .func = POLICY_CHECK,
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
#endif
#if !defined(CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS) && \
!defined(CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS) && \
!defined(CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS) && \
!defined(CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS)
/* Add a member to avoid a zero length array */
{.action = UNKNOWN, .func = NONE, .flags = 0},
#endif
};
static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
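Review bot: the placeholder `{.action = UNKNOWN, .func = NONE, .flags = 0},` is an ordinary array element, so in the configurations covered by the new #if block ARRAY_SIZE(build_appraise_rules) becomes 1 and whatever walks this table (add_rules(), per the commit message) now processes a rule with no action, no function and no flags; the patch is safe only if every consumer of the resulting rule list treats an action of UNKNOWN as a no-op, and the comment should say so rather than only "Add a member to avoid a zero length array". The root cause named in the commit message is the `entries != build_appraise_rules` address comparison in add_rules(); having the caller pass an explicit "these are the build rules" argument would remove both the comparison and the need for a dummy entry. Also, the four `!defined(CONFIG_IMA_APPRAISE_REQUIRE_*_SIGS)` tests must mirror exactly the #ifdef blocks that populate the table above; a comment noting that dependency would help whoever adds the next entry.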