ima: generic IMA action flag handling

Make the IMA action flag handling generic in order to support
additional new actions, without requiring changes to the base
implementation.  New actions, like audit logging, will only
need to modify the define statements.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

security/integrity/ima/ima_appraise.c

@@ -232,7 +232,7 @@ static void ima_reset_appraise_flags(struct inode *inode)
 	if (!iint)
 		return;
 
-	iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+	iint->flags &= ~IMA_DONE_MASK;
 	return;
 }
 

security/integrity/ima/ima_main.c

@@ -117,7 +117,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
 	mutex_lock(&inode->i_mutex);
 	if (atomic_read(&inode->i_writecount) == 1 &&
 	    iint->version != inode->i_version) {
-		iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED);
+		iint->flags &= ~IMA_DONE_MASK;
 		if (iint->flags & IMA_APPRAISE)
 			ima_update_xattr(iint, file);
 	}
@@ -173,7 +173,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
 	/* Determine if already appraised/measured based on bitmask
 	 * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED) */
 	iint->flags |= action;
-	action &= ~((iint->flags & (IMA_MEASURED | IMA_APPRAISED)) >> 1);
+	action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
 
 	/* Nothing to do, just return existing appraised status */
 	if (!action) {

security/integrity/ima/ima_policy.c

@@ -26,13 +26,11 @@
 #define IMA_UID		0x0008
 #define IMA_FOWNER	0x0010
 
-#define UNKNOWN			0
-#define MEASURE			1	/* same as IMA_MEASURE */
-#define DONT_MEASURE		2
-#define MEASURE_MASK		3
-#define APPRAISE		4	/* same as IMA_APPRAISE */
-#define DONT_APPRAISE		8
-#define APPRAISE_MASK		12
+#define UNKNOWN		0
+#define MEASURE		0x0001	/* same as IMA_MEASURE */
+#define DONT_MEASURE	0x0002
+#define APPRAISE	0x0004	/* same as IMA_APPRAISE */
+#define DONT_APPRAISE	0x0008
 
 #define MAX_LSM_RULES 6
 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -209,9 +207,12 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
 		if (!ima_match_rules(entry, inode, func, mask))
 			continue;
 
-		action |= (entry->action & (IMA_APPRAISE | IMA_MEASURE));
-		actmask &= (entry->action & APPRAISE_MASK) ?
-		    ~APPRAISE_MASK : ~MEASURE_MASK;
+		action |= entry->action & IMA_DO_MASK;
+		if (entry->action & IMA_DO_MASK)
+			actmask &= ~(entry->action | entry->action << 1);
+		else
+			actmask &= ~(entry->action | entry->action >> 1);
+
 		if (!actmask)
 			break;
 	}

security/integrity/integrity.h

@@ -15,13 +15,19 @@
 #include <linux/integrity.h>
 #include <crypto/sha.h>
 
+/* iint action cache flags */
+#define IMA_MEASURE		0x0001
+#define IMA_MEASURED		0x0002
+#define IMA_APPRAISE		0x0004
+#define IMA_APPRAISED		0x0008
+/*#define IMA_COLLECT		0x0010  do not use this flag */
+#define IMA_COLLECTED		0x0020
+
 /* iint cache flags */
-#define IMA_MEASURE		0x01
-#define IMA_MEASURED		0x02
-#define IMA_APPRAISE		0x04
-#define IMA_APPRAISED		0x08
-#define IMA_COLLECTED		0x10
-#define IMA_DIGSIG		0x20
+#define IMA_DIGSIG		0x0100
+
+#define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE)
+#define IMA_DONE_MASK		(IMA_MEASURED | IMA_APPRAISED | IMA_COLLECTED)
 
 enum evm_ima_xattr_type {
 	IMA_XATTR_DIGEST = 0x01,