| -rw-r--r-- | security/integrity/ima/ima_appraise.c | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_main.c | 4 | ||||
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 21 | ||||
| -rw-r--r-- | security/integrity/integrity.h | 18 |
4 files changed, 26 insertions, 19 deletions
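--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
 if (!iint)
 return;
 
-iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+iint->flags &= ~IMA_DONE_MASK;
 return;
 }
 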
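--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
 mutex_lock(&inode->i_mutex);
 if (atomic_read(&inode->i_writecount) == 1 &&
 iint->version != inode->i_version) {
-iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+iint->flags &= ~IMA_DONE_MASK;
 if (iint->flags & IMA_APPRAISE)
 ima_update_xattr(iint, file);
 }
@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
 /* Determine if already appraised/measured based on bitmask
 * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
 iint->flags |= action;
-action &= ~((iint->flags & (IMA_MEASURED | IMA_APPRAISED)) >> 1);
+action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
 
 /* Nothing to do, just return existing appraised status */
 if (!action) {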
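Review bot: The rewritten mask at new line 176 of process_measurement(), `action &= ~((iint->flags & IMA_DONE_MASK) >> 1);`, is only correct because every "done" flag sits exactly one bit above its "do" flag (IMA_MEASURED == IMA_MEASURE << 1, IMA_APPRAISED == IMA_APPRAISE << 1), and the same layout assumption is encoded in the `<< 1`/`>> 1` clearing of `actmask` in ima_match_policy() in ima_policy.c. Nothing in integrity.h states or enforces that relationship, so a later renumbering of the flags would compile cleanly and silently re-measure a file or skip its appraisal. I would put the rule next to the flag definitions, `/* IMA_xxxED must be IMA_xxx << 1: process_measurement() and ima_match_policy() shift between them */`, and, if there is a convenient init path, a BUILD_BUG_ON() asserting `IMA_MEASURED == IMA_MEASURE << 1` and `IMA_APPRAISED == IMA_APPRAISE << 1`. Both hunks sit inside functions (ima_check_last_writer(), process_measurement()) whose bodies start and end outside the hunks.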
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 0d6d60b4ba6f..f46f685a1711 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
| @@ -26,13 +26,11 @@ | |||
| 26 | #define IMA_UID 0x0008 | 26 | #define IMA_UID 0x0008 |
| 27 | #define IMA_FOWNER 0x0010 | 27 | #define IMA_FOWNER 0x0010 |
| 28 | 28 | ||
| 29 | #define UNKNOWN 0 | 29 | #define UNKNOWN 0 |
| 30 | #define MEASURE 1 /* same as IMA_MEASURE */ | 30 | #define MEASURE 0x0001 /* same as IMA_MEASURE */ |
| 31 | #define DONT_MEASURE 2 | 31 | #define DONT_MEASURE 0x0002 |
| 32 | #define MEASURE_MASK 3 | 32 | #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ |
| 33 | #define APPRAISE 4 /* same as IMA_APPRAISE */ | 33 | #define DONT_APPRAISE 0x0008 |
| 34 | #define DONT_APPRAISE 8 | ||
| 35 | #define APPRAISE_MASK 12 | ||
| 36 | 34 | ||
| 37 | #define MAX_LSM_RULES 6 | 35 | #define MAX_LSM_RULES 6 |
| 38 | enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, | 36 | enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, |
| @@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, | |||
| 209 | if (!ima_match_rules(entry, inode, func, mask)) | 207 | if (!ima_match_rules(entry, inode, func, mask)) |
| 210 | continue; | 208 | continue; |
| 211 | 209 | ||
| 212 | action |= (entry->action & (IMA_APPRAISE | IMA_MEASURE)); | 210 | action |= entry->action & IMA_DO_MASK; |
| 213 | actmask &= (entry->action & APPRAISE_MASK) ? | 211 | if (entry->action & IMA_DO_MASK) |
| 214 | ~APPRAISE_MASK : ~MEASURE_MASK; | 212 | actmask &= ~(entry->action | entry->action << 1); |
| 213 | else | ||
| 214 | actmask &= ~(entry->action | entry->action >> 1); | ||
| 215 | |||
| 215 | if (!actmask) | 216 | if (!actmask) |
| 216 | break; | 217 | break; |
| 217 | } | 218 | } |
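Review bot: In ima_match_policy() the new `action |= entry->action & IMA_DO_MASK;` and the `<< 1`/`>> 1` clearing of `actmask` mix this file's private MEASURE/DONT_MEASURE/APPRAISE/DONT_APPRAISE values with IMA_MEASURE/IMA_APPRAISE from integrity.h; the only thing keeping the two numbering schemes aligned is the `/* same as IMA_MEASURE */` comments in the first hunk, and a drift would make rules silently stop contributing to `action` rather than fail to build. Defining the local names in terms of the shared ones, `#define MEASURE IMA_MEASURE` and `#define APPRAISE IMA_APPRAISE`, removes the duplicate numbering; the DONT_ variants still have to be the matching bit shifted left by one, which deserves a comment such as `/* DONT_x must be x << 1: ima_match_policy() clears both with one shift */`. The row at new line 213 did not survive rendering here, so I am assuming it is the `else` matching `if (entry->action & IMA_DO_MASK)`. ima_match_policy() starts and ends outside the hunk, including the initialisation of `actmask`.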
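--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -15,13 +15,19 @@
 #include <linux/integrity.h>
 #include <crypto/sha.h>
 
+/* iint action cache flags */
+#define IMA_MEASURE 0x0001
+#define IMA_MEASURED 0x0002
+#define IMA_APPRAISE 0x0004
+#define IMA_APPRAISED 0x0008
+/*#define IMA_COLLECT 0x0010 do not use this flag */
+#define IMA_COLLECTED 0x0020
+
 /* iint cache flags */
-#define IMA_MEASURE 0x01
-#define IMA_MEASURED 0x02
-#define IMA_APPRAISE 0x04
-#define IMA_APPRAISED 0x08
-#define IMA_COLLECTED 0x10
-#define IMA_DIGSIG 0x20
+#define IMA_DIGSIG 0x0100
+
+#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE)
+#define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_COLLECTED)
 
 enum evm_ima_xattr_type {
 IMA_XATTR_DIGEST = 0x01,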
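Review bot: The reserved slot `/*#define IMA_COLLECT 0x0010 do not use this flag */` has a concrete reason that the comment does not give: process_measurement() in ima_main.c computes `action &= ~((iint->flags & IMA_DONE_MASK) >> 1)`, and with IMA_COLLECTED now part of IMA_DONE_MASK that shift lands on 0x0010, so any future "do" flag placed there would be cleared from `action` whenever the file had already been collected. I would state that in the comment, `/* 0x0010 reserved: IMA_DONE_MASK >> 1 lands here, see process_measurement() */`, so the hole is not reclaimed by accident. Moving IMA_DIGSIG from 0x20 to 0x0100 looks safe from this page only because it appears to be an in-memory iint cache bit; if that flag is ever persisted anywhere, the renumbering would change the stored format, which is worth confirming.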
