Received: by 10.223.176.46 with SMTP id f43csp2033294wra;
        Thu, 25 Jan 2018 03:57:36 -0800 (PST)
X-Google-Smtp-Source: AH8x226LtBGb/9KQgCfIjRNz0Qc9YuMnhsBbLcnNMjJGFiavCcZ/tH3kShd7olYVy98rbvHxSd7o
X-Received: by 2002:a17:902:b68b:: with SMTP id c11-v6mr10975988pls.95.1516881456644;
        Thu, 25 Jan 2018 03:57:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516881456; cv=none;
        d=google.com; s=arc-20160816;
        b=GX+jZhaDvDipShu8JYFXXkeU36i1h4Fr++E6sskBisIjKzEeHZD9j7p+rBuTR3T2dB
         9OPVsDpzgCSjgeeNu901csjfLSHZ4oBE7mfy0Ofy47pSUZiWHm9o0iu3bM+c1sImjlZU
         NKBrndUN+SrYMu2WUnqdLVr+MV5GTUiwcoi94559wMNRoPY6oDaA1WN16MeQOZfNfCnu
         MvHSKXSDJ4BMGg00TbKn7M4GFasQOE8GlaupozRH1IOfv48F82oHgrh4r4HsrsBgzu72
         W1aD5oEFyLl8LyGcX741OwB5vd2lhHFxgXrogCdX25iOqQnhN6SSD0/FLdNDr5AxUd7F
         Zb6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:date:cc:to:from:subject
         :arc-authentication-results;
        bh=F3uRtG0qjQaWBuGjvWeHtzlcjw1j26FO4Nig3yFvGDU=;
        b=yb4md4ukJ9w55Rsz0CqKz7RJ+r8K98g2aEFMxeK7VB0WYqr2nt2OZ2Szaa+aUgksu9
         yR7sy/2+jpkcZnjQV4obWzzZtn93wziZuWhKByeH605BgYBHaNtwwYdyOcOK6hWqoqxj
         UMq4EaiQFnOQ9SIMEdR0u9INM/CLwz756wyKcKlEmGtt7Jvu9mpaOlJj4do7nmqzHATV
         g288PLodSbAL2xL1tbBDDmCsDk4yGSfMG2/0AIggbACGhP48VJ7fG3ai5vFzS2NzWkX9
         n60utavXhpkx+hcoqTpTTWQ0/MJAvN26x++y0iut/KTdYwpu8NMuOOoIVrkb6SVgqMVR
         F6zQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a61-v6si1871894plc.593.2018.01.25.03.57.22;
        Thu, 25 Jan 2018 03:57:36 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751849AbeAYL44 (ORCPT <rfc822;marvinzhang.kernel@gmail.com>
        + 99 others); Thu, 25 Jan 2018 06:56:56 -0500
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:56178 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1751802AbeAYL4w (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 Jan 2018 06:56:52 -0500
Received: from pps.filterd (m0098399.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0PBuG5a113310
        for <linux-kernel@vger.kernel.org>; Thu, 25 Jan 2018 06:56:51 -0500
Received: from e06smtp10.uk.ibm.com (e06smtp10.uk.ibm.com [195.75.94.106])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2fqdnu2vd4-1
        (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Thu, 25 Jan 2018 06:56:51 -0500
Received: from localhost
        by e06smtp10.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <zohar@linux.vnet.ibm.com>;
        Thu, 25 Jan 2018 11:56:48 -0000
Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195)
        by e06smtp10.uk.ibm.com (192.168.101.140) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Thu, 25 Jan 2018 11:56:44 -0000
Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58])
        by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w0PBuiKG64815160;
        Thu, 25 Jan 2018 11:56:44 GMT
Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 2FA164C044;
        Thu, 25 Jan 2018 11:50:47 +0000 (GMT)
Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 2DBD34C040;
        Thu, 25 Jan 2018 11:50:45 +0000 (GMT)
Received: from localhost.localdomain (unknown [9.80.93.176])
        by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP;
        Thu, 25 Jan 2018 11:50:45 +0000 (GMT)
Subject: Re: [RFC PATCH v3 2/2] ima: force re-appraisal on filesystems with
 FS_IMA_NO_CACHE
From:   Mimi Zohar <zohar@linux.vnet.ibm.com>
To:     "Serge E. Hallyn" <serge@hallyn.com>,
        Alban Crequy <alban.crequy@gmail.com>
Cc:     alban@kinvolk.io, dongsu@kinvolk.io, iago@kinvolk.io,
        linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, miklos@szeredi.hu,
        viro@zeniv.linux.org.uk, dmitry.kasatkin@gmail.com,
        james.l.morris@oracle.com, seth.forshee@canonical.com,
        hch@infradead.org
Date:   Thu, 25 Jan 2018 06:56:41 -0500
In-Reply-To: <20180124175234.GA29811@mail.hallyn.com>
References: <20180122162452.8756-1-alban@kinvolk.io>
         <20180122162452.8756-3-alban@kinvolk.io>
         <20180124175234.GA29811@mail.hallyn.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 18012511-0040-0000-0000-00000408ACD4
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18012511-0041-0000-0000-0000260C35E1
Message-Id: <1516881401.3751.37.camel@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-01-25_03:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1801250163
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


> > @@ -228,9 +229,28 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
> >  				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
> >  				 IMA_ACTION_FLAGS);
> >  
> > -	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags))
> > -		/* reset all flags if ima_inode_setxattr was called */
> > +	/*
> > +	 * Reset the measure, appraise and audit cached flags either if:
> > +	 * - ima_inode_setxattr was called, or
> > +	 * - based on filesystem feature flag
> > +	 * forcing the file to be re-evaluated.
> > +	 */
> > +	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags)) {
> >  		iint->flags &= ~IMA_DONE_MASK;
> > +	} else if (inode->i_sb->s_type->fs_flags & FS_IMA_NO_CACHE) {
> > +		if (action & IMA_MEASURE) {
> > +			iint->measured_pcrs = 0;
> > +			iint->flags &=
> > +			    ~(IMA_COLLECTED | IMA_MEASURE | IMA_MEASURED);
> > +		}
> > +		if (action & IMA_APPRAISE)
> > +			iint->flags &=
> > +			    ~(IMA_COLLECTED | IMA_APPRAISE | IMA_APPRAISED |
> > +			      IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK);
> > +		if (action & IMA_AUDIT)
> > +			iint->flags &=
> > +			    ~(IMA_COLLECTED | IMA_AUDIT | IMA_AUDITED);
> > +	}
> > 

Alban, I don't know what I was thinking, but this can be simplified
like for the IMA_CHANGE_XATTR case.  Except in the IMA_CHANGE_XATTR
case, "measured_pcrs" was already reset, whereas in this case
"measured_pcrs" needs to be reset.

Mimi