| -rw-r--r-- | security/integrity/ima/ima_main.c | 9 | ||||
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 9 | 
2 files changed, 12 insertions, 6 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 66b7f408eff..3e751a9743a 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -146,7 +146,7 @@ static int process_measurement(struct file *file, const char *filename,
 	struct integrity_iint_cache *iint;
 	char *pathbuf = NULL;
 	const char *pathname = NULL;
-	int rc = -ENOMEM, action, must_appraise;
+	int rc = -ENOMEM, action, must_appraise, _func;
 	if (!ima_initialized || !S_ISREG(inode->i_mode))
 		return 0;
@@ -161,6 +161,9 @@ static int process_measurement(struct file *file, const char *filename,
 	must_appraise = action & IMA_APPRAISE;
+	/*  Is the appraise rule hook specific?  */
+	_func = (action & IMA_FILE_APPRAISE) ? FILE_CHECK : function;
+
 	mutex_lock(&inode->i_mutex);
 	iint = integrity_inode_get(inode);
@@ -178,7 +181,7 @@ static int process_measurement(struct file *file, const char *filename,
 	/* Nothing to do, just return existing appraised status */
 	if (!action) {
 		if (must_appraise)
-			rc = ima_get_cache_status(iint, function);
+			rc = ima_get_cache_status(iint, _func);
 		goto out_digsig;
 	}
@@ -195,7 +198,7 @@ static int process_measurement(struct file *file, const char *filename,
 	if (action & IMA_MEASURE)
 		ima_store_measurement(iint, file, pathname);
 	if (action & IMA_APPRAISE_SUBMASK)
-		rc = ima_appraise_measurement(function, iint, file, pathname);
+		rc = ima_appraise_measurement(_func, iint, file, pathname);
 	if (action & IMA_AUDIT)
 		ima_audit_measurement(iint, pathname);
 	kfree(pathbuf);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 4d7c0ae656d..4adcd0f8c1d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
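Review bot: The new local `_func` on the changed declaration line is typed `int` although it only ever holds hook identifiers (`FILE_CHECK` or `function`), and a leading underscore on a local is not kernel naming style; `enum ima_hooks func;` would make the value's meaning visible at the declaration and let the compiler type-check the later `ima_get_cache_status()` and `ima_appraise_measurement()` calls, assuming those take an `enum ima_hooks` (their prototypes, and most of `process_measurement()`, are outside the hunk). If `function` is itself declared `int` in the signature above the hunk, keeping `int` is defensible, but the name should still be `func` rather than `_func`.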
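Review bot: The comment `/*  Is the appraise rule hook specific?  */` above the new `_func = ... ? FILE_CHECK : function;` line does not say what the choice commits to: a file matched by a generic appraise rule is appraised and its status cached under `FILE_CHECK` for every calling hook, while hook-specific rules keep their own slot, and the assignment must stay where it is because it reads `action` before the later reduction that the `if (!action)` / `must_appraise` pair in the third hunk implies. I would replace it with `/* A rule without func= returns IMA_FILE_APPRAISE: appraise and cache the verdict under FILE_CHECK so all hooks share one status for this file; must precede any masking of action below. */`. That the cache slot is per-hook is inferred from `ima_get_cache_status(iint, _func)` in the following hunk, so verify the wording against ima_appraise.c. The body of `process_measurement()` continues outside the hunk.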
@@ -220,10 +220,13 @@ retry:
 /*
  * In addition to knowing that we need to appraise the file in general,
- * we need to differentiate between calling hooks.
+ * we need to differentiate between calling hooks, for hook specific rules.
  */
-static int get_subaction(int func)
+static int get_subaction(struct ima_rule_entry *rule, int func)
 {
+	if (!(rule->flags & IMA_FUNC))
+		return IMA_FILE_APPRAISE;
+
 	switch(func) {
 	case MMAP_CHECK:
 		return IMA_MMAP_APPRAISE;
@@ -268,7 +271,7 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
 		action |= entry->action & IMA_DO_MASK;
 		if (entry->action & IMA_APPRAISE)
-			action |= get_subaction(func);
+			action |= get_subaction(entry, func);
 		if (entry->action & IMA_DO_MASK)
 			actmask &= ~(entry->action | entry->action << 1);  |
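Review bot: The new early return `if (!(rule->flags & IMA_FUNC)) return IMA_FILE_APPRAISE;` is the actual policy decision of this change, but the reworded header comment still only says hooks are differentiated "for hook specific rules" and never states the converse; I would add a line to the comment such as ` * Rules without a func= qualifier (IMA_FUNC unset) apply to every hook and collapse to IMA_FILE_APPRAISE; only hook-specific rules return the calling hook's own subaction.` so a policy author can predict which cache slot a rule's verdict lands in. `rule` is now dereferenced unconditionally, which is fine for the single caller visible in the next hunk but worth noting in the same comment since the function's result now depends on rule flags as well as on `func`. The `switch` body runs past the end of the hunk, so whether its default also yields `IMA_FILE_APPRAISE` is not visible here.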