diff options
Diffstat (limited to 'security/integrity/ima/ima_policy.c')
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 95194539d75e..1a2543a8ee53 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
| @@ -245,6 +245,8 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, | |||
| 245 | if (!ima_match_rules(entry, inode, func, mask)) | 245 | if (!ima_match_rules(entry, inode, func, mask)) |
| 246 | continue; | 246 | continue; |
| 247 | 247 | ||
| 248 | action |= entry->flags & IMA_ACTION_FLAGS; | ||
| 249 | |||
| 248 | action |= entry->action & IMA_DO_MASK; | 250 | action |= entry->action & IMA_DO_MASK; |
| 249 | if (entry->action & IMA_DO_MASK) | 251 | if (entry->action & IMA_DO_MASK) |
| 250 | actmask &= ~(entry->action | entry->action << 1); | 252 | actmask &= ~(entry->action | entry->action << 1); |
| @@ -318,7 +320,8 @@ enum { | |||
| 318 | Opt_audit, | 320 | Opt_audit, |
| 319 | Opt_obj_user, Opt_obj_role, Opt_obj_type, | 321 | Opt_obj_user, Opt_obj_role, Opt_obj_type, |
| 320 | Opt_subj_user, Opt_subj_role, Opt_subj_type, | 322 | Opt_subj_user, Opt_subj_role, Opt_subj_type, |
| 321 | Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner | 323 | Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, |
| 324 | Opt_appraise_type | ||
| 322 | }; | 325 | }; |
| 323 | 326 | ||
| 324 | static match_table_t policy_tokens = { | 327 | static match_table_t policy_tokens = { |
| @@ -338,6 +341,7 @@ static match_table_t policy_tokens = { | |||
| 338 | {Opt_fsmagic, "fsmagic=%s"}, | 341 | {Opt_fsmagic, "fsmagic=%s"}, |
| 339 | {Opt_uid, "uid=%s"}, | 342 | {Opt_uid, "uid=%s"}, |
| 340 | {Opt_fowner, "fowner=%s"}, | 343 | {Opt_fowner, "fowner=%s"}, |
| 344 | {Opt_appraise_type, "appraise_type=%s"}, | ||
| 341 | {Opt_err, NULL} | 345 | {Opt_err, NULL} |
| 342 | }; | 346 | }; |
| 343 | 347 | ||
| @@ -560,6 +564,18 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) | |||
| 560 | LSM_SUBJ_TYPE, | 564 | LSM_SUBJ_TYPE, |
| 561 | AUDIT_SUBJ_TYPE); | 565 | AUDIT_SUBJ_TYPE); |
| 562 | break; | 566 | break; |
| 567 | case Opt_appraise_type: | ||
| 568 | if (entry->action != APPRAISE) { | ||
| 569 | result = -EINVAL; | ||
| 570 | break; | ||
| 571 | } | ||
| 572 | |||
| 573 | ima_log_string(ab, "appraise_type", args[0].from); | ||
| 574 | if ((strcmp(args[0].from, "imasig")) == 0) | ||
| 575 | entry->flags |= IMA_DIGSIG_REQUIRED; | ||
| 576 | else | ||
| 577 | result = -EINVAL; | ||
| 578 | break; | ||
| 563 | case Opt_err: | 579 | case Opt_err: |
| 564 | ima_log_string(ab, "UNKNOWN", p); | 580 | ima_log_string(ab, "UNKNOWN", p); |
| 565 | result = -EINVAL; | 581 | result = -EINVAL; |