tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

ima: Add code comments to explain IMA iint cache atomic_flags

Explain these atomic flags to improve code readability. For example, the
flag IMA_DIGSIG is to indicate we mustn't update a file's security.ima
on close because the file already has IMA signature. The code comments
for the first three flags come from commit 0d73a55208e9 ("ima:
re-introduce own integrity cache lock") with a minor tweak.

Signed-off-by: Coiby Xu <coxu@redhat.com>
[zohar@linux.ibm.com: remove duplicate "integrity violation", unnecessary commas]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by

Coiby Xu and committed by
Mimi Zohar 5d05360d d7bd8cf0

+26 -1
+26 -1
security/integrity/ima/ima.h
··· 177 177 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \ 178 178 IMA_CREDS_APPRAISED) 179 179 180 - /* IMA iint cache atomic_flags */ 180 + /* 181 + * IMA iint cache atomic_flags 182 + * 183 + * IMA_CHANGE_ATTR - indicates that chATTR() was called (chmod, chown, chgrp) 184 + * and file attributes have changed. On file open, it causes IMA to clear 185 + * iint->flags to re-evaluate policy and perform IMA functions again. 186 + * 187 + * IMA_CHANGE_XATTR - indicates that setxattr or removexattr was called and 188 + * extended attributes have changed. On file open, it causes IMA to clear 189 + * iint->flags IMA_DONE_MASK to re-appraise. 190 + * 191 + * IMA_UPDATE_XATTR - indicates that security.ima needs to be updated. It is 192 + * cleared if file policy changes and no update is needed. 193 + * 194 + * IMA_DIGSIG - indicates that file security.ima has signature and file 195 + * security.ima must not update on file close. 196 + * 197 + * IMA_MAY_EMIT_TOMTOU - indicates to add Time-of-Measure-Time-of-Use (ToMToU) 198 + * integrity violation (a file that is already opened for read is opened for 199 + * write) to the measurement list and to also emit an audit message. 200 + * 201 + * IMA_EMITTED_OPENWRITERS - indicates to add open-writers integrity violation 202 + * (a file that is already opened for write is opened for read) to the 203 + * measurement list and to also emit an audit message. 204 + * 205 + */ 181 206 #define IMA_CHANGE_XATTR 0 182 207 #define IMA_UPDATE_XATTR 1 183 208 #define IMA_CHANGE_ATTR 2