ima: change integrity cache to store measured pcr

IMA avoids re-measuring files by storing the current state as a flag in the integrity cache. It will then skip adding a new measurement log entry if the cache reports the file as already measured. If a policy measures an already measured file to a new PCR, the measurement will not be added to the list. This patch implements a new bitfield for specifying which PCR the file was measured into, rather than if it was measured. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Eric Richter <erichte@linux.vnet.ibm.com> 2016-06-01 13:14:06 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2016-06-30 01:14:22 -0400
commit: a422638d492a35316e3fd9bb31bfc9769b249bca (patch)
tree: ee3c83ca967003972763fb18de707bd7cc5bb58f /security/integrity/ima/ima_appraise.c
parent: 67696f6d79923cdc0084b73b4bbe52e6749a43a4 (diff)
download: linux-next-a422638d492a35316e3fd9bb31bfc9769b249bca.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index fe8e92360d77..4b9b4a4e1b89 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -370,6 +370,7 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
 		return;
 
 	iint->flags &= ~IMA_DONE_MASK;
+	iint->measured_pcrs = 0;
 	if (digsig)
 		iint->flags |= IMA_DIGSIG;
 	return;
author	Eric Richter <erichte@linux.vnet.ibm.com>	2016-06-01 13:14:06 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2016-06-30 01:14:22 -0400
commit	a422638d492a35316e3fd9bb31bfc9769b249bca (patch)
tree	ee3c83ca967003972763fb18de707bd7cc5bb58f /security/integrity/ima/ima_appraise.c
parent	67696f6d79923cdc0084b73b4bbe52e6749a43a4 (diff)
download	linux-next-a422638d492a35316e3fd9bb31bfc9769b249bca.tar.gz