Change the type of the flags member of integrity_iint_cache and ima_rule_entry, and the type of return value of ima_match_policy() and ima_get_action() to u64 to make room for more flags. Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> --- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_main.c | 3 +- security/integrity/ima/ima_policy.c | 6 +-- security/integrity/integrity.h | 60 ++++++++++++++--------------- 5 files changed, 38 insertions(+), 37 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index d01ca3566aec..cde2e1c2a6be 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -255,7 +255,7 @@ static inline void ima_process_queued_keys(void) {} #endif /* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS */ /* LIM API function definitions */ -int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, +u64 ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, @@ -286,7 +286,7 @@ void ima_free_template_entry(struct ima_template_entry *entry); const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ -int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, +u64 ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 2c6c3a5228b5..bd9316d89243 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -185,7 +185,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * Returns IMA_MEASURE, IMA_APPRAISE mask. * */ -int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, +u64 ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d33765c7aaa7..fe1f4ef1bb9d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -208,7 +208,8 @@ static int process_measurement(struct file *file, const struct cred *cred, char *pathbuf = NULL; char filename[NAME_MAX]; const char *pathname = NULL; - int rc = 0, action, must_appraise = 0; + u64 action; + int rc = 0, must_appraise = 0; int pcr = CONFIG_IMA_MEASURE_PCR_IDX; struct evm_ima_xattr_data *xattr_value = NULL; struct modsig *modsig = NULL; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8d6f5d85dfa4..084b5d9257da 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -74,7 +74,7 @@ struct ima_rule_opt_list { struct ima_rule_entry { struct list_head list; int action; - unsigned int flags; + u64 flags; enum ima_hooks func; int mask; unsigned long fsmagic; @@ -702,14 +702,14 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * list when walking it. Reads are many orders of magnitude more numerous * than writes so ima_match_policy() is classical RCU candidate. */ -int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, +u64 ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) { struct ima_rule_entry *entry; - int action = 0, actmask = flags | (flags << 1); + u64 action = 0, actmask = flags | (flags << 1); struct list_head *ima_rules_tmp; if (template_desc && !*template_desc) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 2ab85f286d17..cb4a8cd2a213 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -23,27 +23,27 @@ #include <crypto/hash_info.h> /* iint action cache flags */ -#define IMA_MEASURE 0x00000001 -#define IMA_MEASURED 0x00000002 -#define IMA_APPRAISE 0x00000004 -#define IMA_APPRAISED 0x00000008 -/*#define IMA_COLLECT 0x00000010 do not use this flag */ -#define IMA_COLLECTED 0x00000020 -#define IMA_AUDIT 0x00000040 -#define IMA_AUDITED 0x00000080 -#define IMA_HASH 0x00000100 -#define IMA_HASHED 0x00000200 +#define IMA_MEASURE 0x0000000000000001 +#define IMA_MEASURED 0x0000000000000002 +#define IMA_APPRAISE 0x0000000000000004 +#define IMA_APPRAISED 0x0000000000000008 +/*#define IMA_COLLECT 0x0000000000000010 do not use this flag */ +#define IMA_COLLECTED 0x0000000000000020 +#define IMA_AUDIT 0x0000000000000040 +#define IMA_AUDITED 0x0000000000000080 +#define IMA_HASH 0x0000000000000100 +#define IMA_HASHED 0x0000000000000200 /* iint cache flags */ -#define IMA_ACTION_FLAGS 0xff000000 -#define IMA_DIGSIG_REQUIRED 0x01000000 -#define IMA_PERMIT_DIRECTIO 0x02000000 -#define IMA_NEW_FILE 0x04000000 -#define EVM_IMMUTABLE_DIGSIG 0x08000000 -#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000 -#define IMA_MODSIG_ALLOWED 0x20000000 -#define IMA_CHECK_BLACKLIST 0x40000000 -#define IMA_META_IMMUTABLE_REQUIRED 0x80000000 +#define IMA_ACTION_FLAGS 0xffffffffff000000 +#define IMA_DIGSIG_REQUIRED 0x0000000001000000 +#define IMA_PERMIT_DIRECTIO 0x0000000002000000 +#define IMA_NEW_FILE 0x0000000004000000 +#define EVM_IMMUTABLE_DIGSIG 0x0000000008000000 +#define IMA_FAIL_UNVERIFIABLE_SIGS 0x0000000010000000 +#define IMA_MODSIG_ALLOWED 0x0000000020000000 +#define IMA_CHECK_BLACKLIST 0x0000000040000000 +#define IMA_META_IMMUTABLE_REQUIRED 0x0000000080000000 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ IMA_HASH | IMA_APPRAISE_SUBMASK) @@ -52,16 +52,16 @@ IMA_APPRAISED_SUBMASK) /* iint subaction appraise cache flags */ -#define IMA_FILE_APPRAISE 0x00001000 -#define IMA_FILE_APPRAISED 0x00002000 -#define IMA_MMAP_APPRAISE 0x00004000 -#define IMA_MMAP_APPRAISED 0x00008000 -#define IMA_BPRM_APPRAISE 0x00010000 -#define IMA_BPRM_APPRAISED 0x00020000 -#define IMA_READ_APPRAISE 0x00040000 -#define IMA_READ_APPRAISED 0x00080000 -#define IMA_CREDS_APPRAISE 0x00100000 -#define IMA_CREDS_APPRAISED 0x00200000 +#define IMA_FILE_APPRAISE 0x0000000000001000 +#define IMA_FILE_APPRAISED 0x0000000000002000 +#define IMA_MMAP_APPRAISE 0x0000000000004000 +#define IMA_MMAP_APPRAISED 0x0000000000008000 +#define IMA_BPRM_APPRAISE 0x0000000000010000 +#define IMA_BPRM_APPRAISED 0x0000000000020000 +#define IMA_READ_APPRAISE 0x0000000000040000 +#define IMA_READ_APPRAISED 0x0000000000080000 +#define IMA_CREDS_APPRAISE 0x0000000000100000 +#define IMA_CREDS_APPRAISED 0x0000000000200000 #define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \ IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \ IMA_CREDS_APPRAISE) @@ -133,7 +133,7 @@ struct integrity_iint_cache { struct mutex mutex; /* protects: version, flags, digest */ struct inode *inode; /* back pointer to inode in question */ u64 version; /* track inode changes */ - unsigned long flags; + u64 flags; unsigned long measured_pcrs; unsigned long atomic_flags; enum integrity_status ima_file_status:4; -- 2.32.0