63 	int action;  member
94 	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
95 	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
96 	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
97 	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
98 	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
99 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
100 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
101 	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
102 	{.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
103 	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
105 	{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
107 	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
111 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
113 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
115 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
118 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
119 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
123 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
125 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
127 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
130 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
133 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
134 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
135 	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
139 	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
140 	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
141 	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
142 	{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
143 	{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
144 	{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
145 	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
146 	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
147 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
148 	{.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
149 	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
150 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
151 	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
153 	{.action = APPRAISE, .func = POLICY_CHECK,
157 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
161 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
168 	{.action = APPRAISE, .func = MODULE_CHECK,
172 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
176 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
180 	{.action = APPRAISE, .func = POLICY_CHECK,
186 	{.action = APPRAISE, .func = MODULE_CHECK,
188 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
190 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
192 	{.action = APPRAISE, .func = POLICY_CHECK,
406 	int action = 0, actmask = flags | (flags << 1);  in ima_match_policy()  local
411 		if (!(entry->action & actmask))  in ima_match_policy()
417 		action |= entry->flags & IMA_ACTION_FLAGS;  in ima_match_policy()
419 		action |= entry->action & IMA_DO_MASK;  in ima_match_policy()
420 		if (entry->action & IMA_APPRAISE) {  in ima_match_policy()
421 			action |= get_subaction(entry, func);  in ima_match_policy()
422 			action &= ~IMA_HASH;  in ima_match_policy()
424 				action |= IMA_FAIL_UNVERIFIABLE_SIGS;  in ima_match_policy()
427 		if (entry->action & IMA_DO_MASK)  in ima_match_policy()
428 			actmask &= ~(entry->action | entry->action << 1);  in ima_match_policy()
430 			actmask &= ~(entry->action | entry->action >> 1);  in ima_match_policy()
440 	return action;  in ima_match_policy()
454 		if (entry->action & IMA_DO_MASK)  in ima_update_policy_flag()
455 			ima_policy_flag |= entry->action;  in ima_update_policy_flag()
691 	entry->action = UNKNOWN;  in ima_parse_rule()
706 			if (entry->action != UNKNOWN)  in ima_parse_rule()
709 			entry->action = MEASURE;  in ima_parse_rule()
714 			if (entry->action != UNKNOWN)  in ima_parse_rule()
717 			entry->action = DONT_MEASURE;  in ima_parse_rule()
722 			if (entry->action != UNKNOWN)  in ima_parse_rule()
725 			entry->action = APPRAISE;  in ima_parse_rule()
730 			if (entry->action != UNKNOWN)  in ima_parse_rule()
733 			entry->action = DONT_APPRAISE;  in ima_parse_rule()
738 			if (entry->action != UNKNOWN)  in ima_parse_rule()
741 			entry->action = AUDIT;  in ima_parse_rule()
746 			if (entry->action != UNKNOWN)  in ima_parse_rule()
749 			entry->action = HASH;  in ima_parse_rule()
754 			if (entry->action != UNKNOWN)  in ima_parse_rule()
757 			entry->action = DONT_HASH;  in ima_parse_rule()
946 			if (entry->action != APPRAISE) {  in ima_parse_rule()
961 			if (entry->action != MEASURE) {  in ima_parse_rule()
980 	if (!result && (entry->action == UNKNOWN))  in ima_parse_rule()
982 	else if (entry->action == APPRAISE)  in ima_parse_rule()
1128 	if (entry->action & MEASURE)  in ima_policy_show()
1130 	if (entry->action & DONT_MEASURE)  in ima_policy_show()
1132 	if (entry->action & APPRAISE)  in ima_policy_show()
1134 	if (entry->action & DONT_APPRAISE)  in ima_policy_show()
1136 	if (entry->action & AUDIT)  in ima_policy_show()
1138 	if (entry->action & HASH)  in ima_policy_show()
1140 	if (entry->action & DONT_HASH)  in ima_policy_show()