diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2012-12-03 23:08:11 +0100 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-01-22 22:10:36 +0100 |
| commit | d79d72e02485c00b886179538dc8deaffa3be507 (patch) | |
| tree | 92690d5cbd6e4a0a3bee369033fe18d9b2d065f7 /security/integrity/ima/ima_main.c | |
| parent | ima: increase iint flag size (diff) | |
| download | linux-d79d72e02485c00b886179538dc8deaffa3be507.tar.xz linux-d79d72e02485c00b886179538dc8deaffa3be507.zip | |
ima: per hook cache integrity appraisal status
With the new IMA policy 'appraise_type=' option, different hooks
can require different methods for appraising a file's integrity.
For example, the existing 'ima_appraise_tcb' policy defines a
generic rule, requiring all root files to be appraised, without
specfying the appraisal method. A more specific rule could require
all kernel modules, for example, to be signed.
appraise fowner=0 func=MODULE_CHECK appraise_type=imasig
appraise fowner=0
As a result, the integrity appraisal results for the same inode, but
for different hooks, could differ. This patch caches the integrity
appraisal results on a per hook basis.
Changelog v2:
- Rename ima_cache_status() to ima_set_cache_status()
- Rename and move get_appraise_status() to ima_get_cache_status()
Changelog v0:
- include IMA_APPRAISE/APPRAISED_SUBMASK in IMA_DO/DONE_MASK (Dmitry)
- Support independent MODULE_CHECK appraise status.
- fixed IMA_XXXX_APPRAISE/APPRAISED flags
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Diffstat (limited to 'security/integrity/ima/ima_main.c')
| -rw-r--r-- | security/integrity/ima/ima_main.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 3cdd78768c29..66b7f408eff2 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -151,8 +151,10 @@ static int process_measurement(struct file *file, const char *filename, if (!ima_initialized || !S_ISREG(inode->i_mode)) return 0; - /* Determine if in appraise/audit/measurement policy, - * returns IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT bitmask. */ + /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action + * bitmask based on the appraise/audit/measurement policy. + * Included is the appraise submask. + */ action = ima_get_action(inode, mask, function); if (!action) return 0; @@ -166,16 +168,17 @@ static int process_measurement(struct file *file, const char *filename, goto out; /* Determine if already appraised/measured based on bitmask - * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED, - * IMA_AUDIT, IMA_AUDITED) */ + * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, + * IMA_AUDIT, IMA_AUDITED) + */ iint->flags |= action; action &= IMA_DO_MASK; action &= ~((iint->flags & IMA_DONE_MASK) >> 1); /* Nothing to do, just return existing appraised status */ if (!action) { - if (iint->flags & IMA_APPRAISED) - rc = iint->ima_status; + if (must_appraise) + rc = ima_get_cache_status(iint, function); goto out_digsig; } @@ -191,8 +194,8 @@ static int process_measurement(struct file *file, const char *filename, if (action & IMA_MEASURE) ima_store_measurement(iint, file, pathname); - if (action & IMA_APPRAISE) - rc = ima_appraise_measurement(iint, file, pathname); + if (action & IMA_APPRAISE_SUBMASK) + rc = ima_appraise_measurement(function, iint, file, pathname); if (action & IMA_AUDIT) ima_audit_measurement(iint, pathname); kfree(pathbuf); |