Commit 45e2472e authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

ima: generic IMA action flag handling

Make the IMA action flag handling generic in order to support
additional new actions, without requiring changes to the base
implementation.  New actions, like audit logging, will only
need to modify the define statements.
Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent d9d300cd
...@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode) ...@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
if (!iint) if (!iint)
return; return;
iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED); iint->flags &= ~IMA_DONE_MASK;
return; return;
} }
......
...@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, ...@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
mutex_lock(&inode->i_mutex); mutex_lock(&inode->i_mutex);
if (atomic_read(&inode->i_writecount) == 1 && if (atomic_read(&inode->i_writecount) == 1 &&
iint->version != inode->i_version) { iint->version != inode->i_version) {
iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED); iint->flags &= ~IMA_DONE_MASK;
if (iint->flags & IMA_APPRAISE) if (iint->flags & IMA_APPRAISE)
ima_update_xattr(iint, file); ima_update_xattr(iint, file);
} }
...@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename, ...@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
/* Determine if already appraised/measured based on bitmask /* Determine if already appraised/measured based on bitmask
* (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */ * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
iint->flags |= action; iint->flags |= action;
action &= ~((iint->flags & (IMA_MEASURED | IMA_APPRAISED)) >> 1); action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
/* Nothing to do, just return existing appraised status */ /* Nothing to do, just return existing appraised status */
if (!action) { if (!action) {
......
...@@ -26,13 +26,11 @@ ...@@ -26,13 +26,11 @@
#define IMA_UID 0x0008 #define IMA_UID 0x0008
#define IMA_FOWNER 0x0010 #define IMA_FOWNER 0x0010
#define UNKNOWN 0 #define UNKNOWN 0
#define MEASURE 1 /* same as IMA_MEASURE */ #define MEASURE 0x0001 /* same as IMA_MEASURE */
#define DONT_MEASURE 2 #define DONT_MEASURE 0x0002
#define MEASURE_MASK 3 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
#define APPRAISE 4 /* same as IMA_APPRAISE */ #define DONT_APPRAISE 0x0008
#define DONT_APPRAISE 8
#define APPRAISE_MASK 12
#define MAX_LSM_RULES 6 #define MAX_LSM_RULES 6
enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
...@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, ...@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
if (!ima_match_rules(entry, inode, func, mask)) if (!ima_match_rules(entry, inode, func, mask))
continue; continue;
action |= (entry->action & (IMA_APPRAISE | IMA_MEASURE)); action |= entry->action & IMA_DO_MASK;
actmask &= (entry->action & APPRAISE_MASK) ? if (entry->action & IMA_DO_MASK)
~APPRAISE_MASK : ~MEASURE_MASK; actmask &= ~(entry->action | entry->action << 1);
else
actmask &= ~(entry->action | entry->action >> 1);
if (!actmask) if (!actmask)
break; break;
} }
......
...@@ -15,13 +15,19 @@ ...@@ -15,13 +15,19 @@
#include <linux/integrity.h> #include <linux/integrity.h>
#include <crypto/sha.h> #include <crypto/sha.h>
/* iint action cache flags */
#define IMA_MEASURE 0x0001
#define IMA_MEASURED 0x0002
#define IMA_APPRAISE 0x0004
#define IMA_APPRAISED 0x0008
/*#define IMA_COLLECT 0x0010 do not use this flag */
#define IMA_COLLECTED 0x0020
/* iint cache flags */ /* iint cache flags */
#define IMA_MEASURE 0x01 #define IMA_DIGSIG 0x0100
#define IMA_MEASURED 0x02
#define IMA_APPRAISE 0x04 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE)
#define IMA_APPRAISED 0x08 #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_COLLECTED)
#define IMA_COLLECTED 0x10
#define IMA_DIGSIG 0x20
enum evm_ima_xattr_type { enum evm_ima_xattr_type {
IMA_XATTR_DIGEST = 0x01, IMA_XATTR_DIGEST = 0x01,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment