ima: generic IMA action flag handling

Make the IMA action flag handling generic in order to support
additional new actions, without requiring changes to the base
implementation.  New actions, like audit logging, will only
need to modify the define statements.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4cdf36ad884a99ef50b3c392ea62fd951578a7f3..0aa43bde441cbffc035e2eaad39b65b3c8bdd954 100644 (file)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
        if (!iint)
                return;
 
-       iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+       iint->flags &= ~IMA_DONE_MASK;
        return;
 }
 

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 60b047e96f4e9681892b39e1430c36cc492a1230..5da08b75d367a4172b3458bda04cf28cab60c689 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
        mutex_lock(&inode->i_mutex);
        if (atomic_read(&inode->i_writecount) == 1 &&
            iint->version != inode->i_version) {
-               iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+               iint->flags &= ~IMA_DONE_MASK;
                if (iint->flags & IMA_APPRAISE)
                        ima_update_xattr(iint, file);
        }
@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
        /* Determine if already appraised/measured based on bitmask
         * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
        iint->flags |= action;
-       action &= ~((iint->flags & (IMA_MEASURED | IMA_APPRAISED)) >> 1);
+       action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
 
        /* Nothing to do, just return existing appraised status */
        if (!action) {

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0d6d60b4ba6f8bb4dbba57f70e1385db6f7924ad..f46f685a1711e6c718d767dbde785ccf81121487 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -26,13 +26,11 @@
 #define IMA_UID                0x0008
 #define IMA_FOWNER     0x0010
 
-#define UNKNOWN                        0
-#define MEASURE                        1       /* same as IMA_MEASURE */
-#define DONT_MEASURE           2
-#define MEASURE_MASK           3
-#define APPRAISE               4       /* same as IMA_APPRAISE */
-#define DONT_APPRAISE          8
-#define APPRAISE_MASK          12
+#define UNKNOWN                0
+#define MEASURE                0x0001  /* same as IMA_MEASURE */
+#define DONT_MEASURE   0x0002
+#define APPRAISE       0x0004  /* same as IMA_APPRAISE */
+#define DONT_APPRAISE  0x0008
 
 #define MAX_LSM_RULES 6
 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
                if (!ima_match_rules(entry, inode, func, mask))
                        continue;
 
-               action |= (entry->action & (IMA_APPRAISE | IMA_MEASURE));
-               actmask &= (entry->action & APPRAISE_MASK) ?
-                   ~APPRAISE_MASK : ~MEASURE_MASK;
+               action |= entry->action & IMA_DO_MASK;
+               if (entry->action & IMA_DO_MASK)
+                       actmask &= ~(entry->action | entry->action << 1);
+               else
+                       actmask &= ~(entry->action | entry->action >> 1);
+
                if (!actmask)
                        break;
        }

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 4eec1b14193e3262f0c487917ffea4bb42afad7b..564ba7db5f6a6d9e16bb367b88ec6cce3d93b55d 100644 (file)
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -15,13 +15,19 @@
 #include <linux/integrity.h>
 #include <crypto/sha.h>
 
+/* iint action cache flags */
+#define IMA_MEASURE            0x0001
+#define IMA_MEASURED           0x0002
+#define IMA_APPRAISE           0x0004
+#define IMA_APPRAISED          0x0008
+/*#define IMA_COLLECT          0x0010  do not use this flag */
+#define IMA_COLLECTED          0x0020
+
 /* iint cache flags */
-#define IMA_MEASURE            0x01
-#define IMA_MEASURED           0x02
-#define IMA_APPRAISE           0x04
-#define IMA_APPRAISED          0x08
-#define IMA_COLLECTED          0x10
-#define IMA_DIGSIG             0x20
+#define IMA_DIGSIG             0x0100
+
+#define IMA_DO_MASK            (IMA_MEASURE | IMA_APPRAISE)
+#define IMA_DONE_MASK          (IMA_MEASURED | IMA_APPRAISED | IMA_COLLECTED)
 
 enum evm_ima_xattr_type {
        IMA_XATTR_DIGEST = 0x01,