summaryrefslogtreecommitdiff
path: root/security/integrity/ima
diff options
context:
space:
mode:
Diffstat (limited to 'security/integrity/ima')
-rw-r--r--security/integrity/ima/ima_appraise.c2
-rw-r--r--security/integrity/ima/ima_main.c4
-rw-r--r--security/integrity/ima/ima_policy.c21
3 files changed, 14 insertions, 13 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4cdf36ad884a..0aa43bde441c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
if (!iint)
return;
- iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+ iint->flags &= ~IMA_DONE_MASK;
return;
}
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 60b047e96f4e..5da08b75d367 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
mutex_lock(&inode->i_mutex);
if (atomic_read(&inode->i_writecount) == 1 &&
iint->version != inode->i_version) {
- iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+ iint->flags &= ~IMA_DONE_MASK;
if (iint->flags & IMA_APPRAISE)
ima_update_xattr(iint, file);
}
@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
/* Determine if already appraised/measured based on bitmask
* (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
iint->flags |= action;
- action &= ~((iint->flags & (IMA_MEASURED | IMA_APPRAISED)) >> 1);
+ action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
/* Nothing to do, just return existing appraised status */
if (!action) {
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0d6d60b4ba6f..f46f685a1711 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -26,13 +26,11 @@
#define IMA_UID 0x0008
#define IMA_FOWNER 0x0010
-#define UNKNOWN 0
-#define MEASURE 1 /* same as IMA_MEASURE */
-#define DONT_MEASURE 2
-#define MEASURE_MASK 3
-#define APPRAISE 4 /* same as IMA_APPRAISE */
-#define DONT_APPRAISE 8
-#define APPRAISE_MASK 12
+#define UNKNOWN 0
+#define MEASURE 0x0001 /* same as IMA_MEASURE */
+#define DONT_MEASURE 0x0002
+#define APPRAISE 0x0004 /* same as IMA_APPRAISE */
+#define DONT_APPRAISE 0x0008
#define MAX_LSM_RULES 6
enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
if (!ima_match_rules(entry, inode, func, mask))
continue;
- action |= (entry->action & (IMA_APPRAISE | IMA_MEASURE));
- actmask &= (entry->action & APPRAISE_MASK) ?
- ~APPRAISE_MASK : ~MEASURE_MASK;
+ action |= entry->action & IMA_DO_MASK;
+ if (entry->action & IMA_DO_MASK)
+ actmask &= ~(entry->action | entry->action << 1);
+ else
+ actmask &= ~(entry->action | entry->action >> 1);
+
if (!actmask)
break;
}