diff options
| author | Coiby Xu <coxu@redhat.com> | 2025-09-30 10:26:57 +0800 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2026-03-11 17:28:03 -0400 |
| commit | 5d05360d748d477acfe1f0d05593c12beb507387 (patch) | |
| tree | b8b063f6d96d484e14f8ab209671c74549bc9fdc | |
| parent | d7bd8cf0b348d3edae7bee33e74a32b21668b181 (diff) | |
ima: Add code comments to explain IMA iint cache atomic_flags
Explain these atomic flags to improve code readability. For example, the
flag IMA_DIGSIG is to indicate we mustn't update a file's security.ima
on close because the file already has IMA signature. The code comments
for the first three flags come from commit 0d73a55208e9 ("ima:
re-introduce own integrity cache lock") with a minor tweak.
Signed-off-by: Coiby Xu <coxu@redhat.com>
[zohar@linux.ibm.com: remove duplicate "integrity violation", unnecessary commas]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
| -rw-r--r-- | security/integrity/ima/ima.h | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index c38a9eb945b6..0eea02ff04df 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -177,7 +177,32 @@ struct ima_kexec_hdr { IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \ IMA_CREDS_APPRAISED) -/* IMA iint cache atomic_flags */ +/* + * IMA iint cache atomic_flags + * + * IMA_CHANGE_ATTR - indicates that chATTR() was called (chmod, chown, chgrp) + * and file attributes have changed. On file open, it causes IMA to clear + * iint->flags to re-evaluate policy and perform IMA functions again. + * + * IMA_CHANGE_XATTR - indicates that setxattr or removexattr was called and + * extended attributes have changed. On file open, it causes IMA to clear + * iint->flags IMA_DONE_MASK to re-appraise. + * + * IMA_UPDATE_XATTR - indicates that security.ima needs to be updated. It is + * cleared if file policy changes and no update is needed. + * + * IMA_DIGSIG - indicates that file security.ima has signature and file + * security.ima must not update on file close. + * + * IMA_MAY_EMIT_TOMTOU - indicates to add Time-of-Measure-Time-of-Use (ToMToU) + * integrity violation (a file that is already opened for read is opened for + * write) to the measurement list and to also emit an audit message. + * + * IMA_EMITTED_OPENWRITERS - indicates to add open-writers integrity violation + * (a file that is already opened for write is opened for read) to the + * measurement list and to also emit an audit message. + * + */ #define IMA_CHANGE_XATTR 0 #define IMA_UPDATE_XATTR 1 #define IMA_CHANGE_ATTR 2 |