diff options
| author | Mimi Zohar <zohar@linux.ibm.com> | 2021-12-28 17:53:14 +0300 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2022-02-15 19:21:59 +0300 |
| commit | aae6ccbd826d26730a6fd9bc01884f0a0a9cbb25 (patch) | |
| tree | 978973744ca1b7c07dd76ce1afc65a861f069a77 /security | |
| parent | e4e071baea41e43aebd7f17ed1ffceeca6aa9868 (diff) | |
| download | linux-aae6ccbd826d26730a6fd9bc01884f0a0a9cbb25.tar.xz | |
ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS
Simple policy rule options, such as fowner, uid, or euid, can be checked
immediately, while other policy rule options, such as requiring a file
signature, need to be deferred.
The 'flags' field in the integrity_iint_cache struct contains the policy
action', 'subaction', and non action/subaction.
action: measure/measured, appraise/appraised, (collect)/collected,
audit/audited
subaction: appraise status for each hook (e.g. file, mmap, bprm, read,
creds)
non action/subaction: deferred policy rule options and state
Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/ima/ima_main.c | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 2 | ||||
| -rw-r--r-- | security/integrity/integrity.h | 4 |
3 files changed, 4 insertions, 4 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 8ed6da428328..7c80dfe2c7a5 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -263,7 +263,7 @@ static int process_measurement(struct file *file, const struct cred *cred, /* reset appraisal flags if ima_inode_post_setattr was called */ iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | - IMA_ACTION_FLAGS); + IMA_NONACTION_FLAGS); /* * Re-evaulate the file if either the xattr has changed or the diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 90f528558adc..a0f3775cbd82 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -712,7 +712,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, func, mask, func_data)) continue; - action |= entry->flags & IMA_ACTION_FLAGS; + action |= entry->flags & IMA_NONACTION_FLAGS; action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_APPRAISE) { diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..d045dccd415a 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -30,8 +30,8 @@ #define IMA_HASH 0x00000100 #define IMA_HASHED 0x00000200 -/* iint cache flags */ -#define IMA_ACTION_FLAGS 0xff000000 +/* iint policy rule cache flags */ +#define IMA_NONACTION_FLAGS 0xff000000 #define IMA_DIGSIG_REQUIRED 0x01000000 #define IMA_PERMIT_DIRECTIO 0x02000000 #define IMA_NEW_FILE 0x04000000 |