From e9ffb297520ebd70fc60656959d98a8a6fec0547 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 5 Dec 2012 15:14:38 -0500 Subject: [PATCH] --- yaml --- r: 352847 b: refs/heads/master c: 5a73fcfa8875a94c2956e7ff8fba54d31a3e2854 h: refs/heads/master i: 352845: 965d731e369635f9a57df82869f38143630b160b 352843: 866d259aabcd4e4434480295b384131c5a2bb4df 352839: 7417e0a8bd5f3d31dc37034c201d8e7f7e91f54b 352831: 1e7a4cdb1ebd81f3fff54867ae72c4b829d0916c v: v3 --- [refs] | 2 +- trunk/security/integrity/ima/ima_main.c | 9 ++++++--- trunk/security/integrity/ima/ima_policy.c | 9 ++++++--- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/[refs] b/[refs] index 60148db1413b..04f37248a741 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: d79d72e02485c00b886179538dc8deaffa3be507 +refs/heads/master: 5a73fcfa8875a94c2956e7ff8fba54d31a3e2854 diff --git a/trunk/security/integrity/ima/ima_main.c b/trunk/security/integrity/ima/ima_main.c index 66b7f408eff2..3e751a9743a1 100644 --- a/trunk/security/integrity/ima/ima_main.c +++ b/trunk/security/integrity/ima/ima_main.c @@ -146,7 +146,7 @@ static int process_measurement(struct file *file, const char *filename, struct integrity_iint_cache *iint; char *pathbuf = NULL; const char *pathname = NULL; - int rc = -ENOMEM, action, must_appraise; + int rc = -ENOMEM, action, must_appraise, _func; if (!ima_initialized || !S_ISREG(inode->i_mode)) return 0; @@ -161,6 +161,9 @@ static int process_measurement(struct file *file, const char *filename, must_appraise = action & IMA_APPRAISE; + /* Is the appraise rule hook specific? */ + _func = (action & IMA_FILE_APPRAISE) ? FILE_CHECK : function; + mutex_lock(&inode->i_mutex); iint = integrity_inode_get(inode); @@ -178,7 +181,7 @@ static int process_measurement(struct file *file, const char *filename, /* Nothing to do, just return existing appraised status */ if (!action) { if (must_appraise) - rc = ima_get_cache_status(iint, function); + rc = ima_get_cache_status(iint, _func); goto out_digsig; } @@ -195,7 +198,7 @@ static int process_measurement(struct file *file, const char *filename, if (action & IMA_MEASURE) ima_store_measurement(iint, file, pathname); if (action & IMA_APPRAISE_SUBMASK) - rc = ima_appraise_measurement(function, iint, file, pathname); + rc = ima_appraise_measurement(_func, iint, file, pathname); if (action & IMA_AUDIT) ima_audit_measurement(iint, pathname); kfree(pathbuf); diff --git a/trunk/security/integrity/ima/ima_policy.c b/trunk/security/integrity/ima/ima_policy.c index 4d7c0ae656d3..4adcd0f8c1dd 100644 --- a/trunk/security/integrity/ima/ima_policy.c +++ b/trunk/security/integrity/ima/ima_policy.c @@ -220,10 +220,13 @@ static bool ima_match_rules(struct ima_rule_entry *rule, /* * In addition to knowing that we need to appraise the file in general, - * we need to differentiate between calling hooks. + * we need to differentiate between calling hooks, for hook specific rules. */ -static int get_subaction(int func) +static int get_subaction(struct ima_rule_entry *rule, int func) { + if (!(rule->flags & IMA_FUNC)) + return IMA_FILE_APPRAISE; + switch(func) { case MMAP_CHECK: return IMA_MMAP_APPRAISE; @@ -268,7 +271,7 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_APPRAISE) - action |= get_subaction(func); + action |= get_subaction(entry, func); if (entry->action & IMA_DO_MASK) actmask &= ~(entry->action | entry->action << 1);