ima: remove firmware and module specific cached status info

Each time a file is read by the kernel, the file should be re-measured and the file signature re-appraised, based on policy. As there is no need to preserve the status information, this patch replaces the firmware and module specific cache status with a generic one named read_file. This change simplifies adding support for other files read by the kernel. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2015-11-19 12:39:22 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2016-02-21 09:06:13 -0500
commit: c6af8efe97d87fa308eb1bbd0cf4feb820a4d622 (patch)
tree: 7a7ea8e33a28b7b47ec7c6fa16e14c6838b269ff /security
parent: a1db74209483a24c861c848b4bb79a4d945ef6fa (diff)
5 files changed, 28 insertions, 39 deletions
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 8f1ab37f2897..345b75997e4c 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -77,7 +77,7 @@ static void iint_free(struct integrity_iint_cache *iint)
        iint->ima_file_status = INTEGRITY_UNKNOWN;
        iint->ima_mmap_status = INTEGRITY_UNKNOWN;
        iint->ima_bprm_status = INTEGRITY_UNKNOWN;
-        iint->ima_module_status = INTEGRITY_UNKNOWN;
+        iint->ima_read_status = INTEGRITY_UNKNOWN;
        iint->evm_status = INTEGRITY_UNKNOWN;
        kmem_cache_free(iint_cache, iint);
 }
@@ -157,7 +157,7 @@ static void init_once(void *foo)
        iint->ima_file_status = INTEGRITY_UNKNOWN;
        iint->ima_mmap_status = INTEGRITY_UNKNOWN;
        iint->ima_bprm_status = INTEGRITY_UNKNOWN;
-        iint->ima_module_status = INTEGRITY_UNKNOWN;
+        iint->ima_read_status = INTEGRITY_UNKNOWN;
        iint->evm_status = INTEGRITY_UNKNOWN;
 }
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 0b7134c04165..a5d25921ee3c 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -144,9 +144,10 @@ enum ima_hooks {
        FILE_CHECK = 1,
        MMAP_CHECK,
        BPRM_CHECK,
+        POST_SETATTR,
        MODULE_CHECK,
        FIRMWARE_CHECK,
-        POST_SETATTR
+        MAX_CHECK
 };
 /* LIM API function definitions */
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index cb0d0ff1137b..6b4694aedae8 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -74,13 +74,12 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
                return iint->ima_mmap_status;
        case BPRM_CHECK:
                return iint->ima_bprm_status;
-        case MODULE_CHECK:
-                return iint->ima_module_status;
-        case FIRMWARE_CHECK:
-                return iint->ima_firmware_status;
        case FILE_CHECK:
-        default:
+        case POST_SETATTR:
                return iint->ima_file_status;
+        case MODULE_CHECK ... MAX_CHECK - 1:
+        default:
+                return iint->ima_read_status;
        }
 }
@@ -95,15 +94,14 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
        case BPRM_CHECK:
                iint->ima_bprm_status = status;
                break;
-        case MODULE_CHECK:
-                iint->ima_module_status = status;
-                break;
-        case FIRMWARE_CHECK:
-                iint->ima_firmware_status = status;
-                break;
        case FILE_CHECK:
-        default:
+        case POST_SETATTR:
                iint->ima_file_status = status;
+                break;
+        case MODULE_CHECK ... MAX_CHECK - 1:
+        default:
+                iint->ima_read_status = status;
+                break;
        }
 }
@@ -117,15 +115,14 @@ static void ima_cache_flags(struct integrity_iint_cache *iint,
        case BPRM_CHECK:
                iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
                break;
-        case MODULE_CHECK:
-                iint->flags |= (IMA_MODULE_APPRAISED | IMA_APPRAISED);
-                break;
-        case FIRMWARE_CHECK:
-                iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
-                break;
        case FILE_CHECK:
-        default:
+        case POST_SETATTR:
                iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
+                break;
+        case MODULE_CHECK ... MAX_CHECK - 1:
+        default:
+                iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
+                break;
        }
 }
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index cfbe86f476d0..7571ce8841ff 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -300,13 +300,12 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
                return IMA_MMAP_APPRAISE;
        case BPRM_CHECK:
                return IMA_BPRM_APPRAISE;
-        case MODULE_CHECK:
-                return IMA_MODULE_APPRAISE;
-        case FIRMWARE_CHECK:
-                return IMA_FIRMWARE_APPRAISE;
        case FILE_CHECK:
-        default:
+        case POST_SETATTR:
                return IMA_FILE_APPRAISE;
+        case MODULE_CHECK ... MAX_CHECK - 1:
+        default:
+                return IMA_READ_APPRAISE;
        }
 }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 9a0ea4c4e3dd..c7a111cc7d89 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -45,18 +45,12 @@
 #define IMA_MMAP_APPRAISED      0x00000800
 #define IMA_BPRM_APPRAISE       0x00001000
 #define IMA_BPRM_APPRAISED      0x00002000
-#define IMA_MODULE_APPRAISE     0x00004000
+#define IMA_READ_APPRAISE       0x00004000
-#define IMA_MODULE_APPRAISED    0x00008000
+#define IMA_READ_APPRAISED      0x00008000
-#define IMA_FIRMWARE_APPRAISE   0x00010000
-#define IMA_FIRMWARE_APPRAISED  0x00020000
-#define IMA_READ_APPRAISE       0x00040000
-#define IMA_READ_APPRAISED      0x00080000
 #define IMA_APPRAISE_SUBMASK    (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
-                                 IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE | \
+                                 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE)
-                                 IMA_FIRMWARE_APPRAISE | IMA_READ_APPRAISE)
 #define IMA_APPRAISED_SUBMASK   (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
-                                 IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED | \
+                                 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED)
-                                 IMA_FIRMWARE_APPRAISED | IMA_READ_APPRAISED)
 enum evm_ima_xattr_type {
        IMA_XATTR_DIGEST = 0x01,
@@ -111,8 +105,6 @@ struct integrity_iint_cache {
        enum integrity_status ima_file_status:4;
        enum integrity_status ima_mmap_status:4;
        enum integrity_status ima_bprm_status:4;
-        enum integrity_status ima_module_status:4;
-        enum integrity_status ima_firmware_status:4;
        enum integrity_status ima_read_status:4;
        enum integrity_status evm_status:4;
        struct ima_digest_data *ima_hash;
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2015-11-19 12:39:22 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2016-02-21 09:06:13 -0500
commit	c6af8efe97d87fa308eb1bbd0cf4feb820a4d622 (patch)
tree	7a7ea8e33a28b7b47ec7c6fa16e14c6838b269ff /security
parent	a1db74209483a24c861c848b4bb79a4d945ef6fa (diff)