ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS

Simple policy rule options, such as fowner, uid, or euid, can be checked
immediately, while other policy rule options, such as requiring a file
signature, need to be deferred.

The 'flags' field in the integrity_iint_cache struct contains the policy
action', 'subaction', and non action/subaction.

action: measure/measured, appraise/appraised, (collect)/collected,
        audit/audited
subaction: appraise status for each hook (e.g. file, mmap, bprm, read,
        creds)
non action/subaction: deferred policy rule options and state

Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS.

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 8ed6da428328ba207f49f0c57197d8d7c63c6d5d..7c80dfe2c7a54813088dabadc8b8a6a04bfcd809 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -263,7 +263,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
                /* reset appraisal flags if ima_inode_post_setattr was called */
                iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
                                 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-                                IMA_ACTION_FLAGS);
+                                IMA_NONACTION_FLAGS);
 
        /*
         * Re-evaulate the file if either the xattr has changed or the

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 90f528558adc23734e363e52a3aa916db5149fd2..a0f3775cbd82b8afe52b965911594d1db3b2a7f9 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -712,7 +712,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
                                     func, mask, func_data))
                        continue;
 
-               action |= entry->flags & IMA_ACTION_FLAGS;
+               action |= entry->flags & IMA_NONACTION_FLAGS;
 
                action |= entry->action & IMA_DO_MASK;
                if (entry->action & IMA_APPRAISE) {

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11720a40a8fd5a3b5f3f5b007fd905..d045dccd415af13f2b46ba97b9c45659c163c43b 100644 (file)
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -30,8 +30,8 @@
 #define IMA_HASH               0x00000100
 #define IMA_HASHED             0x00000200
 
-/* iint cache flags */
-#define IMA_ACTION_FLAGS       0xff000000
+/* iint policy rule cache flags */
+#define IMA_NONACTION_FLAGS    0xff000000
 #define IMA_DIGSIG_REQUIRED    0x01000000
 #define IMA_PERMIT_DIRECTIO    0x02000000
 #define IMA_NEW_FILE           0x04000000