summaryrefslogtreecommitdiff
path: root/security/integrity/ima
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>2012-09-12 20:51:32 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2012-09-13 14:23:57 -0400
commit45e2472e67bf66f794d507b52e82af92e0614e49 (patch)
tree4b3ba557d4f9da9bca14ce85bee965e4a9fcd6ac /security/integrity/ima
parentd9d300cdb6f233c4c591348919c758062198a4f4 (diff)
ima: generic IMA action flag handling
Make the IMA action flag handling generic in order to support additional new actions, without requiring changes to the base implementation. New actions, like audit logging, will only need to modify the define statements. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima')
-rw-r--r--security/integrity/ima/ima_appraise.c2
-rw-r--r--security/integrity/ima/ima_main.c4
-rw-r--r--security/integrity/ima/ima_policy.c21
3 files changed, 14 insertions, 13 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4cdf36ad884a..0aa43bde441c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
if (!iint)
return;
- iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+ iint->flags &= ~IMA_DONE_MASK;
return;
}
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 60b047e96f4e..5da08b75d367 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
mutex_lock(&inode->i_mutex);
if (atomic_read(&inode->i_writecount) == 1 &&
iint->version != inode->i_version) {
- iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+ iint->flags &= ~IMA_DONE_MASK;
if (iint->flags & IMA_APPRAISE)
ima_update_xattr(iint, file);
}
@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
/* Determine if already appraised/measured based on bitmask
* (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
iint->flags |= action;
- action &= ~((iint->flags & (IMA_MEASURED | IMA_APPRAISED)) >> 1);
+ action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
/* Nothing to do, just return existing appraised status */
if (!action) {
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0d6d60b4ba6f..f46f685a1711 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -26,13 +26,11 @@
#define IMA_UID 0x0008
#define IMA_FOWNER 0x0010
-#define UNKNOWN 0
-#define MEASURE 1 /* same as IMA_MEASURE */
-#define DONT_MEASURE 2
-#define MEASURE_MASK 3
-#define APPRAISE 4 /* same as IMA_APPRAISE */
-#define DONT_APPRAISE 8
-#define APPRAISE_MASK 12
+#define UNKNOWN 0
+#define MEASURE 0x0001 /* same as IMA_MEASURE */
+#define DONT_MEASURE 0x0002
+#define APPRAISE 0x0004 /* same as IMA_APPRAISE */
+#define DONT_APPRAISE 0x0008
#define MAX_LSM_RULES 6
enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
if (!ima_match_rules(entry, inode, func, mask))
continue;
- action |= (entry->action & (IMA_APPRAISE | IMA_MEASURE));
- actmask &= (entry->action & APPRAISE_MASK) ?
- ~APPRAISE_MASK : ~MEASURE_MASK;
+ action |= entry->action & IMA_DO_MASK;
+ if (entry->action & IMA_DO_MASK)
+ actmask &= ~(entry->action | entry->action << 1);
+ else
+ actmask &= ~(entry->action | entry->action >> 1);
+
if (!actmask)
break;
}