From: Mehmet K. <mka...@li...> - 2017-07-24 19:43:23
> On Jul 21, 2017, at 4:29 PM, Magalhaes, Guilherme (Brazil R&D-CL) <gui...@hp...> wrote:
>
> Mehmet,
>
> +#define IMA_NS_STATUS_ACTIONS IMA_AUDIT
> +#define IMA_NS_STATUS_FLAGS IMA_AUDITED
> +
> +unsigned long iint_flags(struct integrity_iint_cache *iint,
> + struct ns_status *status)
> +{
> + if (!status)
> + return iint->flags;
> +
> + return iint->flags & (status->flags & IMA_NS_STATUS_FLAGS); }
>
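Review bot: In the final return of iint_flags(), ANDing iint->flags with the masked status->flags throws away every non-namespaced bit of iint->flags whenever status is non-NULL, so the caller can only ever get IMA_AUDITED back, and only when it is set in both places. Consider taking the namespaced bits from status alone, for example (iint->flags & ~IMA_NS_STATUS_FLAGS) | (status->flags & IMA_NS_STATUS_FLAGS), so that an IMA_AUDITED bit left in iint->flags cannot show through to a namespace that has not audited the file. A one-line comment above IMA_NS_STATUS_FLAGS stating that these bits are owned by ns_status would also help.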
> I believe the first '&' should be replaced with '|', so you can return the consolidated 'flags | ns_flags'.
Yes, it should be OR'ed.
> +
> +unsigned long set_iint_flags(struct integrity_iint_cache *iint,
> + struct ns_status *status, unsigned long flags) {
> + iint->flags = flags;
>
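Review bot: The assignment iint->flags = flags in set_iint_flags() stores the caller's value unmasked, so in the visible lines any IMA_NS_STATUS_FLAGS bit (IMA_AUDITED) is written to the shared iint regardless of whether status is NULL, and iint_flags() returns iint->flags as-is when status is NULL. Consider storing flags & ~IMA_NS_STATUS_FLAGS in iint->flags when status is non-NULL and keeping flags & IMA_NS_STATUS_FLAGS in status->flags, so the per-namespace bits have exactly one home.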
> I believe the global flags should consider if status is NULL; otherwise, the namespaced flags such as IMA_AUDITED should not be set in the global flags, otherwise this namespace flag IMA_AUDITED could be incorrectly injected into other namespaces.
I think we can apply a mask:
iint->flags & ~(IMA_NS_STATUS_FLAGS)
so that it is clear these flags are moved to ns_status.
Mehmet