ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS

Simple policy rule options, such as fowner, uid, or euid, can be checked immediately, while other policy rule options, such as requiring a file signature, need to be deferred. The 'flags' field in the integrity_iint_cache struct contains the policy action', 'subaction', and non action/subaction. action: measure/measured, appraise/appraised, (collect)/collected, audit/audited subaction: appraise status for each hook (e.g. file, mmap, bprm, read, creds) non action/subaction: deferred policy rule options and state Rename the IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS. Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
author: Mimi Zohar <zohar@linux.ibm.com> 2021-12-28 09:53:14 -0500
committer: Mimi Zohar <zohar@linux.ibm.com> 2022-02-15 11:21:59 -0500
commit: aae6ccbd826d26730a6fd9bc01884f0a0a9cbb25 (patch)
tree: 978973744ca1b7c07dd76ce1afc65a861f069a77 /security/integrity
parent: ima: Return error code obtained from securityfs functions (diff)
download: linux-dev-aae6ccbd826d26730a6fd9bc01884f0a0a9cbb25.tar.xz
linux-dev-aae6ccbd826d26730a6fd9bc01884f0a0a9cbb25.zip
3 files changed, 4 insertions, 4 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 8ed6da428328..7c80dfe2c7a5 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -263,7 +263,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 		/* reset appraisal flags if ima_inode_post_setattr was called */
 		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
 				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-				 IMA_ACTION_FLAGS);
+				 IMA_NONACTION_FLAGS);
 
 	/*
 	 * Re-evaulate the file if either the xattr has changed or the
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 90f528558adc..a0f3775cbd82 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -712,7 +712,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
 				     func, mask, func_data))
 			continue;
 
-		action |= entry->flags & IMA_ACTION_FLAGS;
+		action |= entry->flags & IMA_NONACTION_FLAGS;
 
 		action |= entry->action & IMA_DO_MASK;
 		if (entry->action & IMA_APPRAISE) {
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..d045dccd415a 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -30,8 +30,8 @@
 #define IMA_HASH		0x00000100
 #define IMA_HASHED		0x00000200
 
-/* iint cache flags */
-#define IMA_ACTION_FLAGS	0xff000000
+/* iint policy rule cache flags */
+#define IMA_NONACTION_FLAGS	0xff000000
 #define IMA_DIGSIG_REQUIRED	0x01000000
 #define IMA_PERMIT_DIRECTIO	0x02000000
 #define IMA_NEW_FILE		0x04000000
author	Mimi Zohar <zohar@linux.ibm.com>	2021-12-28 09:53:14 -0500
committer	Mimi Zohar <zohar@linux.ibm.com>	2022-02-15 11:21:59 -0500
commit	aae6ccbd826d26730a6fd9bc01884f0a0a9cbb25 (patch)
tree	978973744ca1b7c07dd76ce1afc65a861f069a77 /security/integrity
parent	ima: Return error code obtained from securityfs functions (diff)
download	linux-dev-aae6ccbd826d26730a6fd9bc01884f0a0a9cbb25.tar.xz linux-dev-aae6ccbd826d26730a6fd9bc01884f0a0a9cbb25.zip