diff options
| author | Mimi Zohar | 2012-12-03 23:08:11 +0100 |
|---|---|---|
| committer | Mimi Zohar | 2013-01-22 22:10:36 +0100 |
| commit | d79d72e02485c00b886179538dc8deaffa3be507 (patch) | |
| tree | 92690d5cbd6e4a0a3bee369033fe18d9b2d065f7 /security/integrity/ima/ima_policy.c | |
| parent | ima: increase iint flag size (diff) | |
| download | kernel-qcow2-linux-d79d72e02485c00b886179538dc8deaffa3be507.tar.gz kernel-qcow2-linux-d79d72e02485c00b886179538dc8deaffa3be507.tar.xz kernel-qcow2-linux-d79d72e02485c00b886179538dc8deaffa3be507.zip | |
ima: per hook cache integrity appraisal status
With the new IMA policy 'appraise_type=' option, different hooks
can require different methods for appraising a file's integrity.
For example, the existing 'ima_appraise_tcb' policy defines a
generic rule, requiring all root files to be appraised, without
specfying the appraisal method. A more specific rule could require
all kernel modules, for example, to be signed.
appraise fowner=0 func=MODULE_CHECK appraise_type=imasig
appraise fowner=0
As a result, the integrity appraisal results for the same inode, but
for different hooks, could differ. This patch caches the integrity
appraisal results on a per hook basis.
Changelog v2:
- Rename ima_cache_status() to ima_set_cache_status()
- Rename and move get_appraise_status() to ima_get_cache_status()
Changelog v0:
- include IMA_APPRAISE/APPRAISED_SUBMASK in IMA_DO/DONE_MASK (Dmitry)
- Support independent MODULE_CHECK appraise status.
- fixed IMA_XXXX_APPRAISE/APPRAISED flags
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Diffstat (limited to 'security/integrity/ima/ima_policy.c')
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 1a2543a8ee53..4d7c0ae656d3 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -218,6 +218,25 @@ retry: return true; } +/* + * In addition to knowing that we need to appraise the file in general, + * we need to differentiate between calling hooks. + */ +static int get_subaction(int func) +{ + switch(func) { + case MMAP_CHECK: + return IMA_MMAP_APPRAISE; + case BPRM_CHECK: + return IMA_BPRM_APPRAISE; + case MODULE_CHECK: + return IMA_MODULE_APPRAISE; + case FILE_CHECK: + default: + return IMA_FILE_APPRAISE; + } +} + /** * ima_match_policy - decision based on LSM and other conditions * @inode: pointer to an inode for which the policy decision is being made @@ -248,6 +267,9 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, action |= entry->flags & IMA_ACTION_FLAGS; action |= entry->action & IMA_DO_MASK; + if (entry->action & IMA_APPRAISE) + action |= get_subaction(func); + if (entry->action & IMA_DO_MASK) actmask &= ~(entry->action | entry->action << 1); else |