summaryrefslogtreecommitdiffstats
path: root/security/integrity/ima/ima_policy.c
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2012-12-05 21:14:38 +0100
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-01-22 22:10:39 +0100
commit5a73fcfa8875a94c2956e7ff8fba54d31a3e2854 (patch)
tree4f7a55a1f4c7524aaa422fc216717c1c0424d48e /security/integrity/ima/ima_policy.c
parentima: per hook cache integrity appraisal status (diff)
downloadlinux-5a73fcfa8875a94c2956e7ff8fba54d31a3e2854.tar.xz
linux-5a73fcfa8875a94c2956e7ff8fba54d31a3e2854.zip
ima: differentiate appraise status only for hook specific rules
Different hooks can require different methods for appraising a file's integrity. As a result, an integrity appraisal status is cached on a per hook basis. Only a hook specific rule, requires the inode to be re-appraised. This patch eliminates unnecessary appraisals. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Diffstat (limited to 'security/integrity/ima/ima_policy.c')
-rw-r--r--security/integrity/ima/ima_policy.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 4d7c0ae656d3..4adcd0f8c1dd 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -220,10 +220,13 @@ retry:
/*
* In addition to knowing that we need to appraise the file in general,
- * we need to differentiate between calling hooks.
+ * we need to differentiate between calling hooks, for hook specific rules.
*/
-static int get_subaction(int func)
+static int get_subaction(struct ima_rule_entry *rule, int func)
{
+ if (!(rule->flags & IMA_FUNC))
+ return IMA_FILE_APPRAISE;
+
switch(func) {
case MMAP_CHECK:
return IMA_MMAP_APPRAISE;
@@ -268,7 +271,7 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
action |= entry->action & IMA_DO_MASK;
if (entry->action & IMA_APPRAISE)
- action |= get_subaction(func);
+ action |= get_subaction(entry, func);
if (entry->action & IMA_DO_MASK)
actmask &= ~(entry->action | entry->action << 1);