| Message ID | 20220211214310.119257-2-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: support fs-verity digests and signatures | expand |
On 2/11/22 16:43, Mimi Zohar wrote: > Simple policy rule options, such as fowner, uid, or euid, can be checked > immediately, while other policy rule options, such as requiring a file > signature, need to be deferred. > > The 'flags' field in the integrity_iint_cache struct contains the policy > action', 'subaction', and non action/subaction. > > action: measure/measured, appraise/appraised, (collect)/collected, > audit/audited > subaction: appraise status for each hook (e.g. file, mmap, bprm, read, > creds) > non action/subaction: deferred policy rule options and state > > Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
On Mon, 2022-02-14 at 15:03 -0500, Stefan Berger wrote: > On 2/11/22 16:43, Mimi Zohar wrote: > > Simple policy rule options, such as fowner, uid, or euid, can be checked > > immediately, while other policy rule options, such as requiring a file > > signature, need to be deferred. > > > > The 'flags' field in the integrity_iint_cache struct contains the policy > > action', 'subaction', and non action/subaction. > > > > action: measure/measured, appraise/appraised, (collect)/collected, > > audit/audited > > subaction: appraise status for each hook (e.g. file, mmap, bprm, read, > > creds) > > non action/subaction: deferred policy rule options and state > > > > Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS. > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Thanks, Stefan. Both 1/8 & 2/8 cleanup are now queued in next- integrity.
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 8ed6da428328..7c80dfe2c7a5 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -263,7 +263,7 @@ static int process_measurement(struct file *file, const struct cred *cred, /* reset appraisal flags if ima_inode_post_setattr was called */ iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | - IMA_ACTION_FLAGS); + IMA_NONACTION_FLAGS); /* * Re-evaulate the file if either the xattr has changed or the diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 90f528558adc..a0f3775cbd82 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -712,7 +712,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, func, mask, func_data)) continue; - action |= entry->flags & IMA_ACTION_FLAGS; + action |= entry->flags & IMA_NONACTION_FLAGS; action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_APPRAISE) { diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..d045dccd415a 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -30,8 +30,8 @@ #define IMA_HASH 0x00000100 #define IMA_HASHED 0x00000200 -/* iint cache flags */ -#define IMA_ACTION_FLAGS 0xff000000 +/* iint policy rule cache flags */ +#define IMA_NONACTION_FLAGS 0xff000000 #define IMA_DIGSIG_REQUIRED 0x01000000 #define IMA_PERMIT_DIRECTIO 0x02000000 #define IMA_NEW_FILE 0x04000000
Simple policy rule options, such as fowner, uid, or euid, can be checked immediately, while other policy rule options, such as requiring a file signature, need to be deferred. The 'flags' field in the integrity_iint_cache struct contains the policy action', 'subaction', and non action/subaction. action: measure/measured, appraise/appraised, (collect)/collected, audit/audited subaction: appraise status for each hook (e.g. file, mmap, bprm, read, creds) non action/subaction: deferred policy rule options and state Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 2 +- security/integrity/integrity.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-)