Re: [PATCH v3 1/2] ima: fix build error redeclaration of enumerator

[James Morris]

On Thu, 14 Feb 2019, Mimi Zohar wrote:

> Ok, this looks reasonable, but will have a minor clash with Gustavo's
> "security: mark expected switch fall-throughs and add a missing
> break".
> 
> James, are you picking up Gastavo's v2 patch from Friday?

Nope.

> 
> Mimi
> 
> > ---
> > 
> > No change since v2.
> > 
> >  security/integrity/ima/ima.h          | 24 +++----
> >  security/integrity/ima/ima_api.c      |  3 +-
> >  security/integrity/ima/ima_appraise.c | 40 ++++++------
> >  security/integrity/ima/ima_main.c     | 30 ++++-----
> >  security/integrity/ima/ima_policy.c   | 92 +++++++++++++--------------
> >  5 files changed, 95 insertions(+), 94 deletions(-)
> > 
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index d213e835c498..89ceb61f279c 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -173,18 +173,18 @@ static inline unsigned long ima_hash_key(u8 *digest)
> >  }
> >  
> >  #define __ima_hooks(hook)          \
> > -   hook(NONE)                      \
> > -   hook(FILE_CHECK)                \
> > -   hook(MMAP_CHECK)                \
> > -   hook(BPRM_CHECK)                \
> > -   hook(CREDS_CHECK)               \
> > -   hook(POST_SETATTR)              \
> > -   hook(MODULE_CHECK)              \
> > -   hook(FIRMWARE_CHECK)            \
> > -   hook(KEXEC_KERNEL_CHECK)        \
> > -   hook(KEXEC_INITRAMFS_CHECK)     \
> > -   hook(POLICY_CHECK)              \
> > -   hook(MAX_CHECK)
> > +   hook(IMA_NONE)                  \
> > +   hook(IMA_FILE_CHECK)            \
> > +   hook(IMA_MMAP_CHECK)            \
> > +   hook(IMA_BPRM_CHECK)            \
> > +   hook(IMA_CREDS_CHECK)           \
> > +   hook(IMA_POST_SETATTR)          \
> > +   hook(IMA_MODULE_CHECK)          \
> > +   hook(IMA_FIRMWARE_CHECK)        \
> > +   hook(IMA_KEXEC_KERNEL_CHECK)    \
> > +   hook(IMA_KEXEC_INITRAMFS_CHECK) \
> > +   hook(IMA_POLICY_CHECK)          \
> > +   hook(IMA_MAX_CHECK)
> >  #define __ima_hook_enumify(ENUM)   ENUM,
> >  
> >  enum ima_hooks {
> > diff --git a/security/integrity/ima/ima_api.c 
> > b/security/integrity/ima/ima_api.c
> > index c7505fb122d4..81e705423894 100644
> > --- a/security/integrity/ima/ima_api.c
> > +++ b/security/integrity/ima/ima_api.c
> > @@ -168,7 +168,8 @@ void ima_add_violation(struct file *file, const 
> > unsigned char *filename,
> >   * The policy is defined in terms of keypairs:
> >   *         subj=, obj=, type=, func=, mask=, fsmagic=
> >   * subj,obj, and type: are LSM specific.
> > - * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
> > + * func: IMA_FILE_CHECK | IMA_BPRM_CHECK | IMA_CREDS_CHECK \
> > + *       | IMA_MMAP_CHECK | IMA_MODULE_CHECK
> >   * mask: contains the permission mask
> >   * fsmagic: hex value
> >   *
> > diff --git a/security/integrity/ima/ima_appraise.c 
> > b/security/integrity/ima/ima_appraise.c
> > index a2baa85ea2f5..c527cf3f37d3 100644
> > --- a/security/integrity/ima/ima_appraise.c
> > +++ b/security/integrity/ima/ima_appraise.c
> > @@ -86,16 +86,16 @@ enum integrity_status ima_get_cache_status(struct 
> > integrity_iint_cache *iint,
> >                                        enum ima_hooks func)
> >  {
> >     switch (func) {
> > -   case MMAP_CHECK:
> > +   case IMA_MMAP_CHECK:
> >             return iint->ima_mmap_status;
> > -   case BPRM_CHECK:
> > +   case IMA_BPRM_CHECK:
> >             return iint->ima_bprm_status;
> > -   case CREDS_CHECK:
> > +   case IMA_CREDS_CHECK:
> >             return iint->ima_creds_status;
> > -   case FILE_CHECK:
> > -   case POST_SETATTR:
> > +   case IMA_FILE_CHECK:
> > +   case IMA_POST_SETATTR:
> >             return iint->ima_file_status;
> > -   case MODULE_CHECK ... MAX_CHECK - 1:
> > +   case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1:
> >     default:
> >             return iint->ima_read_status;
> >     }
> > @@ -106,19 +106,19 @@ static void ima_set_cache_status(struct 
> > integrity_iint_cache *iint,
> >                              enum integrity_status status)
> >  {
> >     switch (func) {
> > -   case MMAP_CHECK:
> > +   case IMA_MMAP_CHECK:
> >             iint->ima_mmap_status = status;
> >             break;
> > -   case BPRM_CHECK:
> > +   case IMA_BPRM_CHECK:
> >             iint->ima_bprm_status = status;
> >             break;
> > -   case CREDS_CHECK:
> > +   case IMA_CREDS_CHECK:
> >             iint->ima_creds_status = status;
> > -   case FILE_CHECK:
> > -   case POST_SETATTR:
> > +   case IMA_FILE_CHECK:
> > +   case IMA_POST_SETATTR:
> >             iint->ima_file_status = status;
> >             break;
> > -   case MODULE_CHECK ... MAX_CHECK - 1:
> > +   case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1:
> >     default:
> >             iint->ima_read_status = status;
> >             break;
> > @@ -129,20 +129,20 @@ static void ima_cache_flags(struct 
> > integrity_iint_cache *iint,
> >                          enum ima_hooks func)
> >  {
> >     switch (func) {
> > -   case MMAP_CHECK:
> > +   case IMA_MMAP_CHECK:
> >             iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
> >             break;
> > -   case BPRM_CHECK:
> > +   case IMA_BPRM_CHECK:
> >             iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
> >             break;
> > -   case CREDS_CHECK:
> > +   case IMA_CREDS_CHECK:
> >             iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
> >             break;
> > -   case FILE_CHECK:
> > -   case POST_SETATTR:
> > +   case IMA_FILE_CHECK:
> > +   case IMA_POST_SETATTR:
> >             iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
> >             break;
> > -   case MODULE_CHECK ... MAX_CHECK - 1:
> > +   case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1:
> >     default:
> >             iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
> >             break;
> > @@ -298,7 +298,7 @@ int ima_appraise_measurement(enum ima_hooks func,
> >                     break;
> >             }
> >             if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
> > -               func == KEXEC_KERNEL_CHECK)
> > +               func == IMA_KEXEC_KERNEL_CHECK)
> >                     rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
> >                                                  (const char *)xattr_value,
> >                                                  xattr_len,
> > @@ -400,7 +400,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
> >         || !(inode->i_opflags & IOP_XATTR))
> >             return;
> >  
> > -   action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
> > +   action = ima_must_appraise(inode, MAY_ACCESS, IMA_POST_SETATTR);
> >     if (!action)
> >             __vfs_removexattr(dentry, XATTR_NAME_IMA);
> >     iint = integrity_iint_find(inode);
> > diff --git a/security/integrity/ima/ima_main.c 
> > b/security/integrity/ima/ima_main.c
> > index 357edd140c09..1ddbe39cba8a 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -193,7 +193,7 @@ static int process_measurement(struct file *file, const 
> > struct cred *cred,
> >      * Included is the appraise submask.
> >      */
> >     action = ima_get_action(inode, cred, secid, mask, func, &pcr);
> > -   violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
> > +   violation_check = ((func == IMA_FILE_CHECK || func == IMA_MMAP_CHECK) &&
> >                        (ima_policy_flag & IMA_MEASURE));
> >     if (!action && !violation_check)
> >             return 0;
> > @@ -202,7 +202,7 @@ static int process_measurement(struct file *file, const 
> > struct cred *cred,
> >  
> >     /*  Is the appraise rule hook specific?  */
> >     if (action & IMA_FILE_APPRAISE)
> > -           func = FILE_CHECK;
> > +           func = IMA_FILE_CHECK;
> >  
> >     inode_lock(inode);
> >  
> > @@ -340,7 +340,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
> >     if (file && (prot & PROT_EXEC)) {
> >             security_task_getsecid(current, &secid);
> >             return process_measurement(file, current_cred(), secid, NULL,
> > -                                      0, MAY_EXEC, MMAP_CHECK);
> > +                                      0, MAY_EXEC, IMA_MMAP_CHECK);
> >     }
> >  
> >     return 0;
> > @@ -366,13 +366,13 @@ int ima_bprm_check(struct linux_binprm *bprm)
> >  
> >     security_task_getsecid(current, &secid);
> >     ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
> > -                             MAY_EXEC, BPRM_CHECK);
> > +                             MAY_EXEC, IMA_BPRM_CHECK);
> >     if (ret)
> >             return ret;
> >  
> >     security_cred_getsecid(bprm->cred, &secid);
> >     return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
> > -                              MAY_EXEC, CREDS_CHECK);
> > +                              MAY_EXEC, IMA_CREDS_CHECK);
> >  }
> >  
> >  /**
> > @@ -392,7 +392,7 @@ int ima_file_check(struct file *file, int mask)
> >     security_task_getsecid(current, &secid);
> >     return process_measurement(file, current_cred(), secid, NULL, 0,
> >                                mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
> > -                                      MAY_APPEND), FILE_CHECK);
> > +                                      MAY_APPEND), IMA_FILE_CHECK);
> >  }
> >  EXPORT_SYMBOL_GPL(ima_file_check);
> >  
> > @@ -409,7 +409,7 @@ void ima_post_create_tmpfile(struct inode *inode)
> >     struct integrity_iint_cache *iint;
> >     int must_appraise;
> >  
> > -   must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
> > +   must_appraise = ima_must_appraise(inode, MAY_ACCESS, IMA_FILE_CHECK);
> >     if (!must_appraise)
> >             return;
> >  
> > @@ -436,7 +436,7 @@ void ima_post_path_mknod(struct dentry *dentry)
> >     struct inode *inode = dentry->d_inode;
> >     int must_appraise;
> >  
> > -   must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
> > +   must_appraise = ima_must_appraise(inode, MAY_ACCESS, IMA_FILE_CHECK);
> >     if (!must_appraise)
> >             return;
> >  
> > @@ -474,12 +474,12 @@ int ima_read_file(struct file *file, enum 
> > kernel_read_file_id read_id)
> >  }
> >  
> >  static const int read_idmap[READING_MAX_ID] = {
> > -   [READING_FIRMWARE] = FIRMWARE_CHECK,
> > -   [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK,
> > -   [READING_MODULE] = MODULE_CHECK,
> > -   [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
> > -   [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
> > -   [READING_POLICY] = POLICY_CHECK
> > +   [READING_FIRMWARE] = IMA_FIRMWARE_CHECK,
> > +   [READING_FIRMWARE_PREALLOC_BUFFER] = IMA_FIRMWARE_CHECK,
> > +   [READING_MODULE] = IMA_MODULE_CHECK,
> > +   [READING_KEXEC_IMAGE] = IMA_KEXEC_KERNEL_CHECK,
> > +   [READING_KEXEC_INITRAMFS] = IMA_KEXEC_INITRAMFS_CHECK,
> > +   [READING_POLICY] = IMA_POLICY_CHECK
> >  };
> >  
> >  /**
> > @@ -520,7 +520,7 @@ int ima_post_read_file(struct file *file, void *buf, 
> > loff_t size,
> >             return 0;
> >     }
> >  
> > -   func = read_idmap[read_id] ?: FILE_CHECK;
> > +   func = read_idmap[read_id] ?: IMA_FILE_CHECK;
> >     security_task_getsecid(current, &secid);
> >     return process_measurement(file, current_cred(), secid, buf, size,
> >                                MAY_READ, func);
> > diff --git a/security/integrity/ima/ima_policy.c 
> > b/security/integrity/ima/ima_policy.c
> > index 26fa9d9723f6..6b39b835861b 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -112,31 +112,31 @@ static struct ima_rule_entry dont_measure_rules[] 
> > __ro_after_init = {
> >  };
> >  
> >  static struct ima_rule_entry original_measurement_rules[] __ro_after_init 
> > = {
> > -   {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
> > +   {.action = MEASURE, .func = IMA_MMAP_CHECK, .mask = MAY_EXEC,
> >      .flags = IMA_FUNC | IMA_MASK},
> > -   {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
> > +   {.action = MEASURE, .func = IMA_BPRM_CHECK, .mask = MAY_EXEC,
> >      .flags = IMA_FUNC | IMA_MASK},
> > -   {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
> > +   {.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ,
> >      .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
> >      .flags = IMA_FUNC | IMA_MASK | IMA_UID},
> > -   {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
> > -   {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
> > +   {.action = MEASURE, .func = IMA_MODULE_CHECK, .flags = IMA_FUNC},
> > +   {.action = MEASURE, .func = IMA_FIRMWARE_CHECK, .flags = IMA_FUNC},
> >  };
> >  
> >  static struct ima_rule_entry default_measurement_rules[] __ro_after_init = 
> > {
> > -   {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
> > +   {.action = MEASURE, .func = IMA_MMAP_CHECK, .mask = MAY_EXEC,
> >      .flags = IMA_FUNC | IMA_MASK},
> > -   {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
> > +   {.action = MEASURE, .func = IMA_BPRM_CHECK, .mask = MAY_EXEC,
> >      .flags = IMA_FUNC | IMA_MASK},
> > -   {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
> > +   {.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ,
> >      .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
> >      .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
> > -   {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
> > +   {.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ,
> >      .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
> >      .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
> > -   {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
> > -   {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
> > -   {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
> > +   {.action = MEASURE, .func = IMA_MODULE_CHECK, .flags = IMA_FUNC},
> > +   {.action = MEASURE, .func = IMA_FIRMWARE_CHECK, .flags = IMA_FUNC},
> > +   {.action = MEASURE, .func = IMA_POLICY_CHECK, .flags = IMA_FUNC},
> >  };
> >  
> >  static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
> > @@ -155,7 +155,7 @@ static struct ima_rule_entry default_appraise_rules[] 
> > __ro_after_init = {
> >     {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = 
> > IMA_FSMAGIC},
> >     {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = 
> > IMA_FSMAGIC},
> >  #ifdef CONFIG_IMA_WRITE_POLICY
> > -   {.action = APPRAISE, .func = POLICY_CHECK,
> > +   {.action = APPRAISE, .func = IMA_POLICY_CHECK,
> >     .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> >  #endif
> >  #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
> > @@ -170,31 +170,31 @@ static struct ima_rule_entry default_appraise_rules[] 
> > __ro_after_init = {
> >  
> >  static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
> >  #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
> > -   {.action = APPRAISE, .func = MODULE_CHECK,
> > +   {.action = APPRAISE, .func = IMA_MODULE_CHECK,
> >      .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> >  #endif
> >  #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
> > -   {.action = APPRAISE, .func = FIRMWARE_CHECK,
> > +   {.action = APPRAISE, .func = IMA_FIRMWARE_CHECK,
> >      .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> >  #endif
> >  #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
> > -   {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
> > +   {.action = APPRAISE, .func = IMA_KEXEC_KERNEL_CHECK,
> >      .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> >  #endif
> >  #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
> > -   {.action = APPRAISE, .func = POLICY_CHECK,
> > +   {.action = APPRAISE, .func = IMA_POLICY_CHECK,
> >      .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> >  #endif
> >  };
> >  
> >  static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
> > -   {.action = APPRAISE, .func = MODULE_CHECK,
> > +   {.action = APPRAISE, .func = IMA_MODULE_CHECK,
> >      .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> > -   {.action = APPRAISE, .func = FIRMWARE_CHECK,
> > +   {.action = APPRAISE, .func = IMA_FIRMWARE_CHECK,
> >      .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> > -   {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
> > +   {.action = APPRAISE, .func = IMA_KEXEC_KERNEL_CHECK,
> >      .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> > -   {.action = APPRAISE, .func = POLICY_CHECK,
> > +   {.action = APPRAISE, .func = IMA_POLICY_CHECK,
> >      .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> >  };
> >  
> > @@ -292,13 +292,13 @@ static bool ima_match_rules(struct ima_rule_entry 
> > *rule, struct inode *inode,
> >     int i;
> >  
> >     if ((rule->flags & IMA_FUNC) &&
> > -       (rule->func != func && func != POST_SETATTR))
> > +       (rule->func != func && func != IMA_POST_SETATTR))
> >             return false;
> >     if ((rule->flags & IMA_MASK) &&
> > -       (rule->mask != mask && func != POST_SETATTR))
> > +       (rule->mask != mask && func != IMA_POST_SETATTR))
> >             return false;
> >     if ((rule->flags & IMA_INMASK) &&
> > -       (!(rule->mask & mask) && func != POST_SETATTR))
> > +       (!(rule->mask & mask) && func != IMA_POST_SETATTR))
> >             return false;
> >     if ((rule->flags & IMA_FSMAGIC)
> >         && rule->fsmagic != inode->i_sb->s_magic)
> > @@ -373,16 +373,16 @@ static int get_subaction(struct ima_rule_entry *rule, 
> > enum ima_hooks func)
> >             return IMA_FILE_APPRAISE;
> >  
> >     switch (func) {
> > -   case MMAP_CHECK:
> > +   case IMA_MMAP_CHECK:
> >             return IMA_MMAP_APPRAISE;
> > -   case BPRM_CHECK:
> > +   case IMA_BPRM_CHECK:
> >             return IMA_BPRM_APPRAISE;
> > -   case CREDS_CHECK:
> > +   case IMA_CREDS_CHECK:
> >             return IMA_CREDS_APPRAISE;
> > -   case FILE_CHECK:
> > -   case POST_SETATTR:
> > +   case IMA_FILE_CHECK:
> > +   case IMA_POST_SETATTR:
> >             return IMA_FILE_APPRAISE;
> > -   case MODULE_CHECK ... MAX_CHECK - 1:
> > +   case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1:
> >     default:
> >             return IMA_READ_APPRAISE;
> >     }
> > @@ -468,13 +468,13 @@ void ima_update_policy_flag(void)
> >  
> >  static int ima_appraise_flag(enum ima_hooks func)
> >  {
> > -   if (func == MODULE_CHECK)
> > +   if (func == IMA_MODULE_CHECK)
> >             return IMA_APPRAISE_MODULES;
> > -   else if (func == FIRMWARE_CHECK)
> > +   else if (func == IMA_FIRMWARE_CHECK)
> >             return IMA_APPRAISE_FIRMWARE;
> > -   else if (func == POLICY_CHECK)
> > +   else if (func == IMA_POLICY_CHECK)
> >             return IMA_APPRAISE_POLICY;
> > -   else if (func == KEXEC_KERNEL_CHECK)
> > +   else if (func == IMA_KEXEC_KERNEL_CHECK)
> >             return IMA_APPRAISE_KEXEC;
> >     return 0;
> >  }
> > @@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, 
> > int count,
> >             }
> >             if (entries[i].action == APPRAISE)
> >                     temp_ima_appraise |= ima_appraise_flag(entries[i].func);
> > -           if (entries[i].func == POLICY_CHECK)
> > +           if (entries[i].func == IMA_POLICY_CHECK)
> >                     temp_ima_appraise |= IMA_APPRAISE_POLICY;
> >     }
> >  }
> > @@ -846,29 +846,29 @@ static int ima_parse_rule(char *rule, struct 
> > ima_rule_entry *entry)
> >                             result = -EINVAL;
> >  
> >                     if (strcmp(args[0].from, "FILE_CHECK") == 0)
> > -                           entry->func = FILE_CHECK;
> > +                           entry->func = IMA_FILE_CHECK;
> >                     /* PATH_CHECK is for backwards compat */
> >                     else if (strcmp(args[0].from, "PATH_CHECK") == 0)
> > -                           entry->func = FILE_CHECK;
> > +                           entry->func = IMA_FILE_CHECK;
> >                     else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
> > -                           entry->func = MODULE_CHECK;
> > +                           entry->func = IMA_MODULE_CHECK;
> >                     else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
> > -                           entry->func = FIRMWARE_CHECK;
> > +                           entry->func = IMA_FIRMWARE_CHECK;
> >                     else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
> >                             || (strcmp(args[0].from, "MMAP_CHECK") == 0))
> > -                           entry->func = MMAP_CHECK;
> > +                           entry->func = IMA_MMAP_CHECK;
> >                     else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
> > -                           entry->func = BPRM_CHECK;
> > +                           entry->func = IMA_BPRM_CHECK;
> >                     else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
> > -                           entry->func = CREDS_CHECK;
> > +                           entry->func = IMA_CREDS_CHECK;
> >                     else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
> >                              0)
> > -                           entry->func = KEXEC_KERNEL_CHECK;
> > +                           entry->func = IMA_KEXEC_KERNEL_CHECK;
> >                     else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
> >                              == 0)
> > -                           entry->func = KEXEC_INITRAMFS_CHECK;
> > +                           entry->func = IMA_KEXEC_INITRAMFS_CHECK;
> >                     else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
> > -                           entry->func = POLICY_CHECK;
> > +                           entry->func = IMA_POLICY_CHECK;
> >                     else
> >                             result = -EINVAL;
> >                     if (!result)
> > @@ -1194,7 +1194,7 @@ void ima_policy_stop(struct seq_file *m, void *v)
> >   */
> >  static void policy_func_show(struct seq_file *m, enum ima_hooks func)
> >  {
> > -   if (func > 0 && func < MAX_CHECK)
> > +   if (func > 0 && func < IMA_MAX_CHECK)
> >             seq_printf(m, "func=%s ", func_tokens[func]);
> >     else
> >             seq_printf(m, "func=%d ", func);
> 

-- 
James Morris
<jmor...@namei.org>