Subject: Re: [RFC PATCH 3/5] ima: mamespace audit status flags
From: Mehmet Kayaalp
Date: Tue, 1 Aug 2017 13:25:31 -0400
To: Tycho Andersen
Cc: ima-devel, containers, linux-kernel, linux-security-module, "Serge E . Hallyn", Yuqiong Sun, David Safford, Mehmet Kayaalp, Stefan Berger
In-Reply-To: <20170801171702.f2szj5huzbt7fdfl@docker>
References: <20170720225033.21298-1-mkayaalp@linux.vnet.ibm.com> <20170720225033.21298-4-mkayaalp@linux.vnet.ibm.com> <20170801171702.f2szj5huzbt7fdfl@docker>
Message-Id: <2848EE0A-2DB8-420B-A611-60967EB90F5C@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Aug 1, 2017, at 1:17 PM, Tycho Andersen wrote:
>
> Hi Mehmet,
>
> On Thu, Jul 20, 2017 at 06:50:31PM -0400, Mehmet Kayaalp wrote:
>> --- a/security/integrity/ima/ima_ns.c >> +++ b/security/integrity/ima/ima_ns.c
>> @@ -301,3 +301,24 @@ struct ns_status *ima_get_ns_status(struct ima_namespace *ns, >> >> return status; >> } >> + >> +#define IMA_NS_STATUS_ACTIONS IMA_AUDIT >> +#define IMA_NS_STATUS_FLAGS IMA_AUDITED >> + > > Seems like these are defined in ima.h above in the patch, and > re-defined here? Yes, it should be in the ima.h only. >> +unsigned long iint_flags(struct integrity_iint_cache *iint, >> + struct ns_status *status) >> +{ >> + if (!status) >> + return iint->flags; >> + >> + return iint->flags & (status->flags & IMA_NS_STATUS_FLAGS); > > Just to confirm, is there any situation where: > > iint->flags & IMA_NS_STATUS_FLAGS != status->flags & IMA_NS_STATUS_FLAGS > > ? i.e. can this line just be: > > return status->flags & IMA_NS_STATUS_FLAGS; > As Guilherme had pointed out, the first & should be |. Mehmet
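
Review bot: In iint_flags(), the return expression "iint->flags & (status->flags & IMA_NS_STATUS_FLAGS)" can only yield bits inside IMA_NS_STATUS_FLAGS, so whenever status is non-NULL every other flag held in iint->flags is dropped from the result. If the intent is to take the namespaced bits from status and all remaining bits from iint, changing the first & to | is not sufficient by itself, because a namespaced bit already set in iint->flags would still show through and override a cleared bit in status->flags; masking first, as in "(iint->flags & ~IMA_NS_STATUS_FLAGS) | (status->flags & IMA_NS_STATUS_FLAGS)", keeps the per-namespace audit state isolated. The two #define lines added in this hunk duplicate the definitions the discussion places in ima.h and should be removed here so the mask has a single source of truth.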