---

yaml
---
r: 329116
b: refs/heads/master
c: 45e2472
h: refs/heads/master
v: v3

[refs]

@@ -1,2 +1,2 @@
 ---
-refs/heads/master: d9d300cdb6f233c4c591348919c758062198a4f4
+refs/heads/master: 45e2472e67bf66f794d507b52e82af92e0614e49

trunk/security/integrity/ima/ima_appraise.c

@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
 	if (!iint)
 		return;
 
-	iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+	iint->flags &= ~IMA_DONE_MASK;
 	return;
 }
 

trunk/security/integrity/ima/ima_main.c

@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
 	mutex_lock(&inode->i_mutex);
 	if (atomic_read(&inode->i_writecount) == 1 &&
 	    iint->version != inode->i_version) {
-		iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+		iint->flags &= ~IMA_DONE_MASK;
 		if (iint->flags & IMA_APPRAISE)
 			ima_update_xattr(iint, file);
 	}
@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
 	/* Determine if already appraised/measured based on bitmask
 	 * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
 	iint->flags |= action;
-	action &= ~((iint->flags & (IMA_MEASURED | IMA_APPRAISED)) >> 1);
+	action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
 
 	/* Nothing to do, just return existing appraised status */
 	if (!action) {

trunk/security/integrity/ima/ima_policy.c

@@ -26,13 +26,11 @@
 #define IMA_UID		0x0008
 #define IMA_FOWNER	0x0010
 
-#define UNKNOWN			0
-#define MEASURE			1	/* same as IMA_MEASURE */
-#define DONT_MEASURE		2
-#define MEASURE_MASK		3
-#define APPRAISE		4	/* same as IMA_APPRAISE */
-#define DONT_APPRAISE		8
-#define APPRAISE_MASK		12
+#define UNKNOWN		0
+#define MEASURE		0x0001	/* same as IMA_MEASURE */
+#define DONT_MEASURE	0x0002
+#define APPRAISE	0x0004	/* same as IMA_APPRAISE */
+#define DONT_APPRAISE	0x0008
 
 #define MAX_LSM_RULES 6
 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
 		if (!ima_match_rules(entry, inode, func, mask))
 			continue;
 
-		action |= (entry->action & (IMA_APPRAISE | IMA_MEASURE));
-		actmask &= (entry->action & APPRAISE_MASK) ?
-		    ~APPRAISE_MASK : ~MEASURE_MASK;
+		action |= entry->action & IMA_DO_MASK;
+		if (entry->action & IMA_DO_MASK)
+			actmask &= ~(entry->action | entry->action << 1);
+		else
+			actmask &= ~(entry->action | entry->action >> 1);
+
 		if (!actmask)
 			break;
 	}

trunk/security/integrity/integrity.h

@@ -15,13 +15,19 @@
 #include <linux/integrity.h>
 #include <crypto/sha.h>
 
+/* iint action cache flags */
+#define IMA_MEASURE		0x0001
+#define IMA_MEASURED		0x0002
+#define IMA_APPRAISE		0x0004
+#define IMA_APPRAISED		0x0008
+/*#define IMA_COLLECT		0x0010  do not use this flag */
+#define IMA_COLLECTED		0x0020
+
 /* iint cache flags */
-#define IMA_MEASURE		0x01
-#define IMA_MEASURED		0x02
-#define IMA_APPRAISE		0x04
-#define IMA_APPRAISED		0x08
-#define IMA_COLLECTED		0x10
-#define IMA_DIGSIG		0x20
+#define IMA_DIGSIG		0x0100
+
+#define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE)
+#define IMA_DONE_MASK		(IMA_MEASURED | IMA_APPRAISED | IMA_COLLECTED)
 
 enum evm_ima_xattr_type {
 	IMA_XATTR_DIGEST = 0x01,