diff mbox series

[v5,1/8] ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS

Message ID 20220211214310.119257-2-zohar@linux.ibm.com (mailing list archive)
State Superseded
Headers show
Series ima: support fs-verity digests and signatures | expand

Commit Message

Mimi Zohar Feb. 11, 2022, 9:43 p.m. UTC
Simple policy rule options, such as fowner, uid, or euid, can be checked
immediately, while other policy rule options, such as requiring a file
signature, need to be deferred.

The 'flags' field in the integrity_iint_cache struct contains the policy
action', 'subaction', and non action/subaction.

action: measure/measured, appraise/appraised, (collect)/collected,
        audit/audited
subaction: appraise status for each hook (e.g. file, mmap, bprm, read,
        creds)
non action/subaction: deferred policy rule options and state

Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima_main.c   | 2 +-
 security/integrity/ima/ima_policy.c | 2 +-
 security/integrity/integrity.h      | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

Comments

Stefan Berger Feb. 14, 2022, 8:03 p.m. UTC | #1
On 2/11/22 16:43, Mimi Zohar wrote:
> Simple policy rule options, such as fowner, uid, or euid, can be checked
> immediately, while other policy rule options, such as requiring a file
> signature, need to be deferred.
>
> The 'flags' field in the integrity_iint_cache struct contains the policy
> action', 'subaction', and non action/subaction.
>
> action: measure/measured, appraise/appraised, (collect)/collected,
>          audit/audited
> subaction: appraise status for each hook (e.g. file, mmap, bprm, read,
>          creds)
> non action/subaction: deferred policy rule options and state
>
> Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Mimi Zohar Feb. 15, 2022, 6:11 p.m. UTC | #2
On Mon, 2022-02-14 at 15:03 -0500, Stefan Berger wrote:
> On 2/11/22 16:43, Mimi Zohar wrote:
> > Simple policy rule options, such as fowner, uid, or euid, can be checked
> > immediately, while other policy rule options, such as requiring a file
> > signature, need to be deferred.
> >
> > The 'flags' field in the integrity_iint_cache struct contains the policy
> > action', 'subaction', and non action/subaction.
> >
> > action: measure/measured, appraise/appraised, (collect)/collected,
> >          audit/audited
> > subaction: appraise status for each hook (e.g. file, mmap, bprm, read,
> >          creds)
> > non action/subaction: deferred policy rule options and state
> >
> > Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

Thanks, Stefan.  Both 1/8 & 2/8 cleanup are now queued in next-
integrity.
diff mbox series

Patch

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 8ed6da428328..7c80dfe2c7a5 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -263,7 +263,7 @@  static int process_measurement(struct file *file, const struct cred *cred,
 		/* reset appraisal flags if ima_inode_post_setattr was called */
 		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
 				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-				 IMA_ACTION_FLAGS);
+				 IMA_NONACTION_FLAGS);
 
 	/*
 	 * Re-evaulate the file if either the xattr has changed or the
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 90f528558adc..a0f3775cbd82 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -712,7 +712,7 @@  int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
 				     func, mask, func_data))
 			continue;
 
-		action |= entry->flags & IMA_ACTION_FLAGS;
+		action |= entry->flags & IMA_NONACTION_FLAGS;
 
 		action |= entry->action & IMA_DO_MASK;
 		if (entry->action & IMA_APPRAISE) {
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..d045dccd415a 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -30,8 +30,8 @@ 
 #define IMA_HASH		0x00000100
 #define IMA_HASHED		0x00000200
 
-/* iint cache flags */
-#define IMA_ACTION_FLAGS	0xff000000
+/* iint policy rule cache flags */
+#define IMA_NONACTION_FLAGS	0xff000000
 #define IMA_DIGSIG_REQUIRED	0x01000000
 #define IMA_PERMIT_DIRECTIO	0x02000000
 #define IMA_NEW_FILE		0x04000000