From: Roberto S. <rob...@po...> - 2010-04-14 09:52:17
The "ima_policy_match" function has been modified to handle one situation
differently: when two or more policies match the given criteria, the MEASURE
decision is taken only if there is no matching rule with action DONT_MEASURE.
Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity/ima/ima_policy.c
index 4759d0f..668e40f 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -161,15 +185,19 @@ static bool ima_match_rules(struct
ima_measure_rule_entry *rule,
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
{
struct ima_measure_rule_entry *entry;
+ int flag_matched = 0;
list_for_each_entry(entry, ima_measure, list) {
bool rc;
rc = ima_match_rules(entry, inode, func, mask);
- if (rc)
- return entry->action;
+ if (rc) {
+ if(!entry->action)
+ return 0;
+ flag_matched = 1;
+ }
}
- return 0;
+ return flag_matched;
}
/**
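Review bot: The DONT_MEASURE test at `if(!entry->action)` and the final `return flag_matched` encode the two actions as the bare integers 0 and 1, so the hunk is only correct as long as DONT_MEASURE happens to be 0 and MEASURE happens to be 1; the description names the actions symbolically, and the code should too, since a later renumbering of the action constants would silently turn a deny into a measure. I would write the three lines as `if (entry->action == DONT_MEASURE)`, `return DONT_MEASURE;` and `flag_matched = MEASURE;` (also restoring the space after `if` per kernel style). The change also moves the function from first-match-wins to "any matching DONT_MEASURE rule overrides every matching MEASURE rule, whatever its position in the list", which is a policy-evaluation semantic worth stating next to the loop, e.g. `/* a matching DONT_MEASURE rule takes precedence over any matching MEASURE rule, regardless of rule order */`, and presumably in the function's kernel-doc comment above the hunk, which I cannot see here.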