diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2012-12-06 00:14:38 +0400 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-01-23 01:10:39 +0400 |
commit | 5a73fcfa8875a94c2956e7ff8fba54d31a3e2854 (patch) | |
tree | 4f7a55a1f4c7524aaa422fc216717c1c0424d48e | |
parent | d79d72e02485c00b886179538dc8deaffa3be507 (diff) | |
download | linux-5a73fcfa8875a94c2956e7ff8fba54d31a3e2854.tar.xz |
ima: differentiate appraise status only for hook specific rules
Different hooks can require different methods for appraising a
file's integrity. As a result, an integrity appraisal status is
cached on a per hook basis.
Only a hook specific rule, requires the inode to be re-appraised.
This patch eliminates unnecessary appraisals.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
-rw-r--r-- | security/integrity/ima/ima_main.c | 9 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 9 |
2 files changed, 12 insertions, 6 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 66b7f408eff2..3e751a9743a1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -146,7 +146,7 @@ static int process_measurement(struct file *file, const char *filename, struct integrity_iint_cache *iint; char *pathbuf = NULL; const char *pathname = NULL; - int rc = -ENOMEM, action, must_appraise; + int rc = -ENOMEM, action, must_appraise, _func; if (!ima_initialized || !S_ISREG(inode->i_mode)) return 0; @@ -161,6 +161,9 @@ static int process_measurement(struct file *file, const char *filename, must_appraise = action & IMA_APPRAISE; + /* Is the appraise rule hook specific? */ + _func = (action & IMA_FILE_APPRAISE) ? FILE_CHECK : function; + mutex_lock(&inode->i_mutex); iint = integrity_inode_get(inode); @@ -178,7 +181,7 @@ static int process_measurement(struct file *file, const char *filename, /* Nothing to do, just return existing appraised status */ if (!action) { if (must_appraise) - rc = ima_get_cache_status(iint, function); + rc = ima_get_cache_status(iint, _func); goto out_digsig; } @@ -195,7 +198,7 @@ static int process_measurement(struct file *file, const char *filename, if (action & IMA_MEASURE) ima_store_measurement(iint, file, pathname); if (action & IMA_APPRAISE_SUBMASK) - rc = ima_appraise_measurement(function, iint, file, pathname); + rc = ima_appraise_measurement(_func, iint, file, pathname); if (action & IMA_AUDIT) ima_audit_measurement(iint, pathname); kfree(pathbuf); diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 4d7c0ae656d3..4adcd0f8c1dd 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -220,10 +220,13 @@ retry: /* * In addition to knowing that we need to appraise the file in general, - * we need to differentiate between calling hooks. + * we need to differentiate between calling hooks, for hook specific rules. */ -static int get_subaction(int func) +static int get_subaction(struct ima_rule_entry *rule, int func) { + if (!(rule->flags & IMA_FUNC)) + return IMA_FILE_APPRAISE; + switch(func) { case MMAP_CHECK: return IMA_MMAP_APPRAISE; @@ -268,7 +271,7 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_APPRAISE) - action |= get_subaction(func); + action |= get_subaction(entry, func); if (entry->action & IMA_DO_MASK) actmask &= ~(entry->action | entry->action << 1); |