ima: generic IMA action flag handling

Make the IMA action flag handling generic in order to support additional new actions, without requiring changes to the base implementation. New actions, like audit logging, will only need to modify the define statements. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2012-09-12 13:51:32 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2012-09-13 14:23:57 -0400
commit: 45e2472e67bf66f794d507b52e82af92e0614e49 (patch)
tree: 4b3ba557d4f9da9bca14ce85bee965e4a9fcd6ac /security
parent: d9d300cdb6f233c4c591348919c758062198a4f4 (diff)
4 files changed, 26 insertions, 19 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4cdf36ad884a..0aa43bde441c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
        if (!iint)
                return;
-        iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+        iint->flags &= ~IMA_DONE_MASK;
        return;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 60b047e96f4e..5da08b75d367 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
        mutex_lock(&inode->i_mutex);
        if (atomic_read(&inode->i_writecount) == 1 &&
            iint->version != inode->i_version) {
-                iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+                iint->flags &= ~IMA_DONE_MASK;
                if (iint->flags & IMA_APPRAISE)
                        ima_update_xattr(iint, file);
        }
@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
        /* Determine if already appraised/measured based on bitmask
         * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
        iint->flags |= action;
-        action &= ~((iint->flags & (IMA_MEASURED | IMA_APPRAISED)) >> 1);
+        action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
        /* Nothing to do, just return existing appraised status */
        if (!action) {
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0d6d60b4ba6f..f46f685a1711 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -26,13 +26,11 @@
 #define IMA_UID         0x0008
 #define IMA_FOWNER      0x0010
-#define UNKNOWN                 0
+#define UNKNOWN         0
-#define MEASURE                 1       /* same as IMA_MEASURE */
+#define MEASURE         0x0001  /* same as IMA_MEASURE */
-#define DONT_MEASURE            2
+#define DONT_MEASURE    0x0002
-#define MEASURE_MASK            3
+#define APPRAISE        0x0004  /* same as IMA_APPRAISE */
-#define APPRAISE                4       /* same as IMA_APPRAISE */
+#define DONT_APPRAISE   0x0008
-#define DONT_APPRAISE           8
-#define APPRAISE_MASK           12
 #define MAX_LSM_RULES 6
 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
                if (!ima_match_rules(entry, inode, func, mask))
                        continue;
-                action |= (entry->action & (IMA_APPRAISE | IMA_MEASURE));
+                action |= entry->action & IMA_DO_MASK;
-                actmask &= (entry->action & APPRAISE_MASK) ?
+                if (entry->action & IMA_DO_MASK)
-                    ~APPRAISE_MASK : ~MEASURE_MASK;
+                        actmask &= ~(entry->action | entry->action << 1);
+                else
+                        actmask &= ~(entry->action | entry->action >> 1);
                if (!actmask)
                        break;
        }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 4eec1b14193e..564ba7db5f6a 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -15,13 +15,19 @@
 #include <linux/integrity.h>
 #include <crypto/sha.h>
+/* iint action cache flags */
+#define IMA_MEASURE             0x0001
+#define IMA_MEASURED            0x0002
+#define IMA_APPRAISE            0x0004
+#define IMA_APPRAISED           0x0008
+/*#define IMA_COLLECT           0x0010  do not use this flag */
+#define IMA_COLLECTED           0x0020
 /* iint cache flags */
-#define IMA_MEASURE             0x01
+#define IMA_DIGSIG              0x0100
-#define IMA_MEASURED            0x02
-#define IMA_APPRAISE            0x04
+#define IMA_DO_MASK             (IMA_MEASURE | IMA_APPRAISE)
-#define IMA_APPRAISED           0x08
+#define IMA_DONE_MASK           (IMA_MEASURED | IMA_APPRAISED | IMA_COLLECTED)
-#define IMA_COLLECTED           0x10
-#define IMA_DIGSIG              0x20
 enum evm_ima_xattr_type {
        IMA_XATTR_DIGEST = 0x01,
author	Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-09-12 13:51:32 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2012-09-13 14:23:57 -0400
commit	45e2472e67bf66f794d507b52e82af92e0614e49 (patch)
tree	4b3ba557d4f9da9bca14ce85bee965e4a9fcd6ac /security
parent	d9d300cdb6f233c4c591348919c758062198a4f4 (diff)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 4cdf36ad884a..0aa43bde441c 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c
@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
232	if (!iint)	232	if (!iint)
233	return;	233	return;
234		234
235	iint->flags &= ~(IMA_COLLECTED \| IMA_APPRAISED \| IMA_MEASURED);	235	iint->flags &= ~IMA_DONE_MASK;
236	return;	236	return;
237	}	237	}
238		238


diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 60b047e96f4e..5da08b75d367 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c
@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
117	mutex_lock(&inode->i_mutex);	117	mutex_lock(&inode->i_mutex);
118	if (atomic_read(&inode->i_writecount) == 1 &&	118	if (atomic_read(&inode->i_writecount) == 1 &&
119	iint->version != inode->i_version) {	119	iint->version != inode->i_version) {
120	iint->flags &= ~(IMA_COLLECTED \| IMA_APPRAISED \| IMA_MEASURED);	120	iint->flags &= ~IMA_DONE_MASK;
121	if (iint->flags & IMA_APPRAISE)	121	if (iint->flags & IMA_APPRAISE)
122	ima_update_xattr(iint, file);	122	ima_update_xattr(iint, file);
123	}	123	}
@@ -173,7 +173,7 @@ static int process_measurement(struct file file, const unsigned char filename,
173	/* Determine if already appraised/measured based on bitmask	173	/* Determine if already appraised/measured based on bitmask
174	* (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */	174	* (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
175	iint->flags \|= action;	175	iint->flags \|= action;
176	action &= ~((iint->flags & (IMA_MEASURED \| IMA_APPRAISED)) >> 1);	176	action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
177		177
178	/* Nothing to do, just return existing appraised status */	178	/* Nothing to do, just return existing appraised status */
179	if (!action) {	179	if (!action) {


diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 0d6d60b4ba6f..f46f685a1711 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -26,13 +26,11 @@
26	#define IMA_UID 0x0008	26	#define IMA_UID 0x0008
27	#define IMA_FOWNER 0x0010	27	#define IMA_FOWNER 0x0010
28		28
29	#define UNKNOWN 0	29	#define UNKNOWN 0
30	#define MEASURE 1 /* same as IMA_MEASURE */	30	#define MEASURE 0x0001 /* same as IMA_MEASURE */
31	#define DONT_MEASURE 2	31	#define DONT_MEASURE 0x0002
32	#define MEASURE_MASK 3	32	#define APPRAISE 0x0004 /* same as IMA_APPRAISE */
33	#define APPRAISE 4 /* same as IMA_APPRAISE */	33	#define DONT_APPRAISE 0x0008
34	#define DONT_APPRAISE 8
35	#define APPRAISE_MASK 12
36		34
37	#define MAX_LSM_RULES 6	35	#define MAX_LSM_RULES 6
38	enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,	36	enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
209	if (!ima_match_rules(entry, inode, func, mask))	207	if (!ima_match_rules(entry, inode, func, mask))
210	continue;	208	continue;
211		209
212	action \|= (entry->action & (IMA_APPRAISE \| IMA_MEASURE));	210	action \|= entry->action & IMA_DO_MASK;
213	actmask &= (entry->action & APPRAISE_MASK) ?	211	if (entry->action & IMA_DO_MASK)
214	~APPRAISE_MASK : ~MEASURE_MASK;	212	actmask &= ~(entry->action \| entry->action << 1);
		213	else
		214	actmask &= ~(entry->action \| entry->action >> 1);
		215
215	if (!actmask)	216	if (!actmask)
216	break;	217	break;
217	}	218	}


diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 4eec1b14193e..564ba7db5f6a 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h
@@ -15,13 +15,19 @@
15	#include <linux/integrity.h>	15	#include <linux/integrity.h>
16	#include <crypto/sha.h>	16	#include <crypto/sha.h>
17		17
		18	/* iint action cache flags */
		19	#define IMA_MEASURE 0x0001
		20	#define IMA_MEASURED 0x0002
		21	#define IMA_APPRAISE 0x0004
		22	#define IMA_APPRAISED 0x0008
		23	/#define IMA_COLLECT 0x0010 do not use this flag /
		24	#define IMA_COLLECTED 0x0020
		25
18	/* iint cache flags */	26	/* iint cache flags */
19	#define IMA_MEASURE 0x01	27	#define IMA_DIGSIG 0x0100
20	#define IMA_MEASURED 0x02	28
21	#define IMA_APPRAISE 0x04	29	#define IMA_DO_MASK (IMA_MEASURE \| IMA_APPRAISE)
22	#define IMA_APPRAISED 0x08	30	#define IMA_DONE_MASK (IMA_MEASURED \| IMA_APPRAISED \| IMA_COLLECTED)
23	#define IMA_COLLECTED 0x10
24	#define IMA_DIGSIG 0x20
25		31
26	enum evm_ima_xattr_type {	32	enum evm_ima_xattr_type {
27	IMA_XATTR_DIGEST = 0x01,	33	IMA_XATTR_DIGEST = 0x01,