04 Jul, 2013

1 commit

  • Pull security subsystem updates from James Morris:
    "In this update, Smack learns to love IPv6 and to mount a filesystem
    with a transmutable hierarchy (i.e. security labels are inherited
    from parent directory upon creation rather than creating process).

    The rest of the changes are maintenance"

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (37 commits)
    tpm/tpm_i2c_infineon: Remove unused header file
    tpm: tpm_i2c_infinion: Don't modify i2c_client->driver
    evm: audit integrity metadata failures
    integrity: move integrity_audit_msg()
    evm: calculate HMAC after initializing posix acl on tmpfs
    maintainers: add Dmitry Kasatkin
    Smack: Fix the bug smackcipso can't set CIPSO correctly
    Smack: Fix possible NULL pointer dereference at smk_netlbl_mls()
    Smack: Add smkfstransmute mount option
    Smack: Improve access check performance
    Smack: Local IPv6 port based controls
    tpm: fix regression caused by section type conflict of tpm_dev_release() in ppc builds
    maintainers: Remove Kent from maintainers
    tpm: move TPM_DIGEST_SIZE defintion
    tpm_tis: missing platform_driver_unregister() on error in init_tis()
    security: clarify cap_inode_getsecctx description
    apparmor: no need to delay vfree()
    apparmor: fix fully qualified name parsing
    apparmor: fix setprocattr arg processing for onexec
    apparmor: localize getting the security context to a few macros
    ...

    Linus Torvalds
     

29 Jun, 2013

1 commit


20 Jun, 2013

2 commits

  • Before modifying an EVM protected extended attribute or any other
    metadata included in the HMAC calculation, the existing 'security.evm'
    is verified. This patch adds calls to integrity_audit_msg() to audit
    integrity metadata failures.

    Reported-by: Sven Vermeulen
    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • This patch moves the integrity_audit_msg() function and definition to
    security/integrity/, the parent directory, renames the 'ima_audit'
    boot command line option to 'integrity_audit', and fixes the Kconfig
    help text to reflect the actual code.

    Changelog:
    - Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu)

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     

18 Apr, 2013

1 commit

  • Passing a pointer to the dentry name, as a parameter to
    process_measurement(), causes a race condition with rename() and
    is unnecessary, as the dentry name is already accessible via the
    file parameter.

    In the normal case, we use the full pathname as provided by
    bprm->filename, bprm->interp, or ima_d_path(). Only on ima_d_path()
    failure do we fall back to using the d_name.name, which points
    either to external memory or d_iname.

    Reported-by: Al Viro
    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar
     

28 Feb, 2013

1 commit

  • I'm not sure why, but the hlist for each entry iterators were conceived

    list_for_each_entry(pos, head, member)

    The hlist ones were greedy and wanted an extra parameter:

    hlist_for_each_entry(tpos, pos, head, member)

    Why did they need an extra pos parameter? I'm not quite sure. Not only
    do they not really need it, it also prevents the iterator from looking
    exactly like the list iterator, which is unfortunate.

    Besides the semantic patch, there was some manual work required:

    - Fix up the actual hlist iterators in linux/list.h
    - Fix up the declaration of other iterators based on the hlist ones.
    - A very small number of places were using the 'node' parameter; this
    was modified to use 'obj->member' instead.
    - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
    properly, so those had to be fixed up manually.

    The semantic patch which is mostly the work of Peter Senna Tschudin is here:

    @@
    iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

    type T;
    expression a,c,d,e;
    identifier b;
    statement S;
    @@

    -T b;

    [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
    [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
    [akpm@linux-foundation.org: checkpatch fixes]
    [akpm@linux-foundation.org: fix warnings]
    [akpm@linux-foundation.org: redo intrusive kvm changes]
    Tested-by: Peter Senna Tschudin
    Acked-by: Paul E. McKenney
    Signed-off-by: Sasha Levin
    Cc: Wu Fengguang
    Cc: Marcelo Tosatti
    Cc: Gleb Natapov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Sasha Levin
     

27 Feb, 2013

1 commit

  • Pull vfs pile (part one) from Al Viro:
    "Assorted stuff - cleaning namei.c up a bit, fixing ->d_name/->d_parent
    locking violations, etc.

    The most visible changes here are death of FS_REVAL_DOT (replaced with
    "has ->d_weak_revalidate()") and a new helper getting from struct file
    to inode. Some bits of preparation to xattr method interface changes.

    Misc patches by various people sent this cycle *and* ocfs2 fixes from
    several cycles ago that should've been upstream right then.

    PS: the next vfs pile will be xattr stuff."

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (46 commits)
    saner proc_get_inode() calling conventions
    proc: avoid extra pde_put() in proc_fill_super()
    fs: change return values from -EACCES to -EPERM
    fs/exec.c: make bprm_mm_init() static
    ocfs2/dlm: use GFP_ATOMIC inside a spin_lock
    ocfs2: fix possible use-after-free with AIO
    ocfs2: Fix oops in ocfs2_fast_symlink_readpage() code path
    get_empty_filp()/alloc_file() leave both ->f_pos and ->f_version zero
    target: writev() on single-element vector is pointless
    export kernel_write(), convert open-coded instances
    fs: encode_fh: return FILEID_INVALID if invalid fid_type
    kill f_vfsmnt
    vfs: kill FS_REVAL_DOT by adding a d_weak_revalidate dentry op
    nfsd: handle vfs_getattr errors in acl protocol
    switch vfs_getattr() to struct path
    default SET_PERSONALITY() in linux/elf.h
    ceph: prepopulate inodes only when request is aborted
    d_hash_and_lookup(): export, switch open-coded instances
    9p: switch v9fs_set_create_acl() to inode+fid, do it before d_instantiate()
    9p: split dropping the acls from v9fs_set_create_acl()
    ...

    Linus Torvalds
     

26 Feb, 2013

1 commit

  • Commit "85865c1 ima: add policy support for file system uuid"
    introduced a CONFIG_BLOCK dependency. This patch defines a
    wrapper called blk_part_pack_uuid(), which returns -EINVAL
    when CONFIG_BLOCK is not defined.

    security/integrity/ima/ima_policy.c:538:4: error: implicit declaration
    of function 'part_pack_uuid' [-Werror=implicit-function-declaration]

    Changelog v2:
    - Reference commit number in patch description
    Changelog v1:
    - rename ima_part_pack_uuid() to blk_part_pack_uuid()
    - resolve scripts/checkpatch.pl warnings
    Changelog v0:
    - fix UUID scripts/Lindent msgs

    Reported-by: Randy Dunlap
    Reported-by: David Rientjes
    Signed-off-by: Mimi Zohar
    Acked-by: David Rientjes
    Acked-by: Randy Dunlap
    Cc: Jens Axboe
    Signed-off-by: James Morris

    Mimi Zohar
     

25 Feb, 2013

1 commit

  • Commit "750943a ima: remove enforce checking duplication" combined
    the 'in IMA policy' and 'enforcing file integrity' checks. For
    the non-file, kernel module verification, a specific check for
    'enforcing file integrity' was not added. This patch adds the
    check.

    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar
     

23 Feb, 2013

1 commit


22 Feb, 2013

1 commit

  • Pull security subsystem updates from James Morris:
    "This is basically a maintenance update for the TPM driver and EVM/IMA"

    Fix up conflicts in lib/digsig.c and security/integrity/ima/ima_main.c

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (45 commits)
    tpm/ibmvtpm: build only when IBM pseries is configured
    ima: digital signature verification using asymmetric keys
    ima: rename hash calculation functions
    ima: use new crypto_shash API instead of old crypto_hash
    ima: add policy support for file system uuid
    evm: add file system uuid to EVM hmac
    tpm_tis: check pnp_acpi_device return code
    char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value
    char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe
    char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute
    char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment
    tpm_i2c_stm_st33: removed unused variables/code
    TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup
    tpm: Fix cancellation of TPM commands (interrupt mode)
    tpm: Fix cancellation of TPM commands (polling mode)
    tpm: Store TPM vendor ID
    TPM: Work around buggy TPMs that block during continue self test
    tpm_i2c_stm_st33: fix oops when i2c client is unavailable
    char/tpm: Use struct dev_pm_ops for power management
    TPM: STMicroelectronics ST33 I2C BUILD STUFF
    ...

    Linus Torvalds
     

07 Feb, 2013

1 commit

  • Asymmetric keys were introduced in linux-3.7 to verify the signature on
    signed kernel modules. The asymmetric keys infrastructure abstracts the
    signature verification from the crypto details. This patch adds IMA/EVM
    signature verification using asymmetric keys. Support for additional
    signature verification methods can now be delegated to the asymmetric
    key infrastructure.

    Although the module signature header and the IMA/EVM signature header
    could use the same format, to minimize the signature length and save
    space in the extended attribute, this patch defines a new IMA/EVM
    header format. The main difference is that the key identifier is a
    sha1[12 - 19] hash of the key modulus and exponent, similar to the
    current implementation. The only purpose of the key identifier is to
    identify the corresponding key in the kernel keyring. ima-evm-utils
    was updated to support the new signature format.

    While asymmetric signature verification functionality supports many
    different hash algorithms, the hash used in this patch is calculated
    during the IMA collection phase, based on the configured algorithm.
    The default algorithm is sha1, but for backwards compatibility md5
    is supported. Due to this current limitation, signatures should be
    generated using a sha1 hash algorithm.

    Changes in this patch:
    - Functionality has been moved to a separate source file in order to get rid of
    in-source #ifdefs.
    - keyid is derived according to RFC 3280. It does not require assigning an
    IMA/EVM specific "description" when loading an X509 certificate. The kernel
    asymmetric key subsystem automatically generates the description. Also,
    loading a certificate does not require using ima-evm-utils and can be
    done using keyctl only.
    - keyid size is reduced to 32 bits to save xattr space. Key search is done
    using the partial match functionality of asymmetric_key_match().
    - Kconfig option title was changed

    Signed-off-by: Dmitry Kasatkin
    Acked-by: David Howells
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     

06 Feb, 2013

4 commits

  • Rename hash calculation functions to reflect their meaning
    and change the argument order in the conventional way.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Old crypto hash API internally uses shash API.
    Using shash API directly is more efficient.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • The IMA policy permits specifying rules to enable or disable
    measurement/appraisal/audit based on the file system magic number.
    If, for example, the policy contains an ext4 measurement rule,
    the rule is enabled for all ext4 partitions.

    Sometimes it might be necessary to enable measurement/appraisal/audit
    only for one partition and disable it for another partition of the
    same type. With the existing IMA policy syntax, this cannot be done.

    This patch provides support for IMA policy rules to specify the file
    system by its UUID (eg. fsuuid=397449cd-687d-4145-8698-7fed4a3e0363).

    For partitions not being appraised, it might be a good idea to mount
    file systems with the 'noexec' option to prevent executing non-verified
    binaries.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • EVM uses the same key for all file systems to calculate the HMAC,
    making it possible to paste inodes from one file system onto another
    one, without EVM being able to detect it. To prevent such an attack,
    it is necessary to make the EVM HMAC file system specific.

    This patch uses the file system UUID, a file system unique identifier,
    to bind the EVM HMAC to the file system. The value inode->i_sb->s_uuid
    is used for the HMAC hash calculation, instead of using it for deriving
    the file system specific key. Initializing the key for every inode HMAC
    calculation is a somewhat more expensive operation than adding the uuid to
    the HMAC hash.

    Changing the HMAC calculation method or adding additional info to the
    calculation requires existing EVM labeled file systems to be relabeled.
    This patch adds a Kconfig HMAC version option for backwards compatibility.

    Changelog v1:
    - squash "hmac version setting"
    Changelog v0:
    - add missing Kconfig depends (Mimi)

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
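The cross-file-system paste that the commit above describes, and why mixing the file system UUID into the HMAC defeats it, as an added model (not the kernel's evm_calc_hmac() and not code from the commit). Assumptions: the set of protected xattrs, the little-endian encoding of the inode fields, and the labels "version 1" (no UUID) and "version 2" (UUID bound in) are this example's own; the EVM key, inode and second file system UUID are constructed.

```python
"""Model of the EVM HMAC with and without the file system UUID bound in."""
import hashlib
import hmac
import uuid

# Assumption: the protected xattrs covered by the HMAC in this model.
PROTECTED_XATTRS = ("security.ima", "security.selinux", "security.SMACK64")


def evm_hmac(key: bytes, inode: dict, hmac_version: int) -> bytes:
    """Compute the value that would be stored in security.evm for `inode`."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    # 1. protected xattr values, in a fixed order
    for name in PROTECTED_XATTRS:
        value = inode["xattrs"].get(name)
        if value is not None:
            mac.update(value)
    # 2. inode metadata that EVM binds to the xattrs (assumed field widths)
    for field, width in (("ino", 8), ("generation", 4), ("uid", 4), ("gid", 4), ("mode", 4)):
        mac.update(inode[field].to_bytes(width, "little"))
    # 3. version 2 only: the file system UUID, which makes the HMAC fs specific
    if hmac_version >= 2:
        mac.update(uuid.UUID(inode["fs_uuid"]).bytes)
    return mac.digest()


def evm_label(key: bytes, inode: dict, hmac_version: int) -> None:
    """Write security.evm for an inode (what relabeling does for every file)."""
    inode["xattrs"]["security.evm"] = evm_hmac(key, inode, hmac_version)


def evm_verify(key: bytes, inode: dict, hmac_version: int) -> bool:
    """Recompute the HMAC and compare it in constant time with the stored one."""
    stored = inode["xattrs"].get("security.evm")
    if stored is None:
        return False
    return hmac.compare_digest(stored, evm_hmac(key, inode, hmac_version))


def paste_to_other_fs(inode: dict, dst_fs_uuid: str) -> dict:
    """Model the paste from the commit message: the inode's xattrs (security.evm
    included) and metadata land unchanged on another file system."""
    copy = {k: v for k, v in inode.items() if k != "xattrs"}
    copy["xattrs"] = dict(inode["xattrs"])
    copy["fs_uuid"] = dst_fs_uuid
    return copy


def demo() -> dict:
    """Constructed key, inode and file systems; returns which cases verify."""
    key = b"constructed-evm-key-not-a-real-one"
    fs_a = "397449cd-687d-4145-8698-7fed4a3e0363"  # uuid quoted in the fsuuid commit
    fs_b = "00000000-0000-4000-8000-000000000001"  # constructed second file system
    inode = {
        "ino": 1234, "generation": 1, "uid": 0, "gid": 0, "mode": 0o100755,
        "fs_uuid": fs_a,
        "xattrs": {
            # constructed: a hash-type security.ima plus an SELinux label
            "security.ima": b"\x01" + hashlib.sha1(b"constructed file data").digest(),
            "security.selinux": b"system_u:object_r:bin_t:s0\x00",
        },
    }
    results = {}
    for version in (1, 2):
        labelled = {**inode, "xattrs": dict(inode["xattrs"])}
        evm_label(key, labelled, version)
        results[f"v{version}_same_fs"] = evm_verify(key, labelled, version)
        pasted = paste_to_other_fs(labelled, fs_b)
        results[f"v{version}_pasted"] = evm_verify(key, pasted, version)
        tampered = {**labelled, "xattrs": dict(labelled["xattrs"])}
        tampered["xattrs"]["security.ima"] = b"\x01" + hashlib.sha1(b"modified").digest()
        results[f"v{version}_tampered"] = evm_verify(key, tampered, version)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:<14} {'verified' if ok else 'REJECTED'}")
```

Both versions reject a modified security.ima on the same file system; only version 2 rejects the inode pasted onto fs_b, because the recomputed HMAC now covers a different UUID. This is also why the Kconfig HMAC version option exists: every file labelled under version 1 must be relabelled before version 2 verification can accept it.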

23 Jan, 2013

4 commits

  • Different hooks can require different methods for appraising a
    file's integrity. As a result, an integrity appraisal status is
    cached on a per hook basis.

    Only a hook specific rule requires the inode to be re-appraised.
    This patch eliminates unnecessary appraisals.

    Signed-off-by: Mimi Zohar
    Signed-off-by: Dmitry Kasatkin

    Mimi Zohar
     
  • With the new IMA policy 'appraise_type=' option, different hooks
    can require different methods for appraising a file's integrity.

    For example, the existing 'ima_appraise_tcb' policy defines a
    generic rule, requiring all root files to be appraised, without
    specifying the appraisal method. A more specific rule could require
    all kernel modules, for example, to be signed.

    appraise fowner=0 func=MODULE_CHECK appraise_type=imasig
    appraise fowner=0

    As a result, the integrity appraisal results for the same inode, but
    for different hooks, could differ. This patch caches the integrity
    appraisal results on a per hook basis.

    Changelog v2:
    - Rename ima_cache_status() to ima_set_cache_status()
    - Rename and move get_appraise_status() to ima_get_cache_status()
    Changelog v0:
    - include IMA_APPRAISE/APPRAISED_SUBMASK in IMA_DO/DONE_MASK (Dmitry)
    - Support independent MODULE_CHECK appraise status.
    - fixed IMA_XXXX_APPRAISE/APPRAISED flags

    Signed-off-by: Mimi Zohar
    Signed-off-by: Dmitry Kasatkin

    Mimi Zohar
     
  • In preparation for hook specific appraise status results, increase
    the iint flags size.

    Signed-off-by: Mimi Zohar
    Signed-off-by: Dmitry Kasatkin

    Mimi Zohar
     
  • The 'security.ima' extended attribute may contain either the file data's
    hash or a digital signature. This patch adds support for requiring a
    specific extended attribute type. It extends the IMA policy with a new
    keyword 'appraise_type=imasig'. (Default is hash.)

    Changelog v2:
    - Fixed Documentation/ABI/testing/ima_policy option syntax
    Changelog v1:
    - Differentiate between 'required' vs. 'actual' extended attribute

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
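A small matcher for the policy rules quoted in the commits above (the fsuuid= rule from the "policy support for file system uuid" commit and the appraise_type=imasig rule pair from the per-hook appraisal commit), added here as an illustration and not taken from security/integrity/ima/ima_policy.c. It shows why the same inode can appraise differently for different hooks, which is what the per-hook cache is for. Assumptions: only the func=, fowner=, fsuuid=, fsmagic= and appraise_type= keywords are parsed; the first matching rule of an action class (measure or appraise) settles that class; the file records and hook names are constructed.

```python
"""Minimal IMA-style policy matcher with per-hook appraisal results."""

ACTION_CLASSES = {
    "measure": "measure", "dont_measure": "measure",
    "appraise": "appraise", "dont_appraise": "appraise",
    "audit": "audit",
}
KNOWN_CONDITIONS = ("func", "fowner", "fsuuid", "fsmagic", "appraise_type")


def parse_policy(text: str) -> list:
    """Parse one rule per line into (action, {condition: value}) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, *tokens = line.split()
        if action not in ACTION_CLASSES:
            raise ValueError(f"unknown action {action!r}")
        conds = {}
        for tok in tokens:
            key, sep, value = tok.partition("=")
            if not sep or key not in KNOWN_CONDITIONS:
                raise ValueError(f"unknown condition {tok!r}")
            conds[key] = value
        rules.append((action, conds))
    return rules


def rule_matches(conds: dict, file: dict, func: str) -> bool:
    """Every condition must hold. appraise_type is a requirement on the
    xattr that is checked later, not a match condition, so it is skipped."""
    for key, value in conds.items():
        if key == "func" and value != func:
            return False
        if key == "fowner" and int(value) != file["uid"]:
            return False
        if key == "fsuuid" and value.lower() != file["fs_uuid"].lower():
            return False
        if key == "fsmagic" and int(value, 0) != file["fs_magic"]:
            return False
    return True


def lookup(rules: list, file: dict, func: str, action_class: str):
    """First matching rule of the given class wins (assumed evaluation order).
    Returns (action, conds) or (None, {}) when no rule of that class matches."""
    for action, conds in rules:
        if ACTION_CLASSES[action] == action_class and rule_matches(conds, file, func):
            return action, conds
    return None, {}


def appraise(rules: list, file: dict, func: str) -> str:
    """Per-hook appraisal: 'not-appraised', 'pass' or 'fail'. The hook-specific
    rule may demand a signature where the generic rule accepts a hash, so the
    result belongs to the (inode, hook) pair, not to the inode alone."""
    action, conds = lookup(rules, file, func, "appraise")
    if action != "appraise":
        return "not-appraised"
    required = conds.get("appraise_type", "hash")  # hash is the default
    actual = file.get("security.ima")              # constructed: 'hash', 'imasig' or None
    if actual is None:
        return "fail"
    if required == "imasig" and actual != "imasig":
        return "fail"
    return "pass"


def demo() -> dict:
    policy = parse_policy("""
        appraise fowner=0 func=MODULE_CHECK appraise_type=imasig
        appraise fowner=0
        measure fsuuid=397449cd-687d-4145-8698-7fed4a3e0363
    """)
    # constructed: a root-owned module carrying only a hash in security.ima,
    # on an ext4 file system (magic 0xEF53) with the uuid quoted in the commit
    module = {"uid": 0, "fs_uuid": "397449cd-687d-4145-8698-7fed4a3e0363",
              "fs_magic": 0xEF53, "security.ima": "hash"}
    # constructed: an unprivileged file on a second ext4 file system
    other = {**module, "uid": 1000, "fs_uuid": "00000000-0000-4000-8000-000000000001"}
    return {
        "module_check": appraise(policy, module, "MODULE_CHECK"),
        "file_check": appraise(policy, module, "FILE_CHECK"),
        "measure_fs_a": lookup(policy, {**module, "uid": 1000}, "FILE_CHECK", "measure")[0],
        "measure_fs_b": lookup(policy, other, "FILE_CHECK", "measure")[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<13} {result}")
```

The same root-owned module fails appraisal for MODULE_CHECK (the specific rule requires imasig, the xattr holds a hash) but passes for FILE_CHECK (the generic rule accepts a hash), and the fsuuid rule selects one of two ext4 partitions for measurement where a fsmagic rule could not.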

21 Jan, 2013

1 commit

  • The following lines of code produce a kernel oops.

    fd = socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
    fchmod(fd, 0666);

    [ 139.922364] BUG: unable to handle kernel NULL pointer dereference at (null)
    [ 139.924982] IP: [< (null)>] (null)
    [ 139.924982] *pde = 00000000
    [ 139.924982] Oops: 0000 [#5] SMP
    [ 139.924982] Modules linked in: fuse dm_crypt dm_mod i2c_piix4 serio_raw evdev binfmt_misc button
    [ 139.924982] Pid: 3070, comm: acpid Tainted: G D 3.8.0-rc2-kds+ #465 Bochs Bochs
    [ 139.924982] EIP: 0060:[] EFLAGS: 00010246 CPU: 0
    [ 139.924982] EIP is at 0x0
    [ 139.924982] EAX: cf5ef000 EBX: cf5ef000 ECX: c143d600 EDX: c15225f2
    [ 139.924982] ESI: cf4d2a1c EDI: cf4d2a1c EBP: cc02df10 ESP: cc02dee4
    [ 139.924982] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    [ 139.924982] CR0: 80050033 CR2: 00000000 CR3: 0c059000 CR4: 000006d0
    [ 139.924982] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [ 139.924982] DR6: ffff0ff0 DR7: 00000400
    [ 139.924982] Process acpid (pid: 3070, ti=cc02c000 task=d7705340 task.ti=cc02c000)
    [ 139.924982] Stack:
    [ 139.924982] c1203c88 00000000 cc02def4 cf4d2a1c ae21eefa 471b60d5 1083c1ba c26a5940
    [ 139.924982] e891fb5e 00000041 00000004 cc02df1c c1203964 00000000 cc02df4c c10e20c3
    [ 139.924982] 00000002 00000000 00000000 22222222 c1ff2222 cf5ef000 00000000 d76efb08
    [ 139.924982] Call Trace:
    [ 139.924982] [] ? evm_update_evmxattr+0x5b/0x62
    [ 139.924982] [] evm_inode_post_setattr+0x22/0x26
    [ 139.924982] [] notify_change+0x25f/0x281
    [ 139.924982] [] chmod_common+0x59/0x76
    [ 139.924982] [] ? put_unused_fd+0x33/0x33
    [ 139.924982] [] sys_fchmod+0x39/0x5c
    [ 139.924982] [] syscall_call+0x7/0xb
    [ 139.924982] Code: Bad EIP value.

    This happens because sockets do not define the removexattr operation.
    Before removing the xattr, verify the removexattr function pointer is
    not NULL.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar
    Cc: stable@vger.kernel.org
    Signed-off-by: James Morris

    Dmitry Kasatkin
     

17 Jan, 2013

9 commits


24 Dec, 2012

1 commit

  • The new kernel module syscall appraises kernel modules based
    on policy. If the IMA policy requires kernel module checking,
    fall back to module signature enforcing for the existing syscall.
    Without CONFIG_MODULE_SIG_FORCE enabled, the kernel module's
    integrity is unknown; return -EACCES.

    Changelog v1:
    - Fix ima_module_check() return result (Tetsuo Handa)

    Reported-by: Tetsuo Handa
    Reviewed-by: Tetsuo Handa
    Signed-off-by: Mimi Zohar

    Mimi Zohar
     

14 Dec, 2012

1 commit

  • With the addition of the new kernel module syscall, which defines two
    arguments - a file descriptor to the kernel module and a pointer to a NULL
    terminated string of module arguments - it is now possible to measure and
    appraise kernel modules like any other file on the file system.

    This patch adds support to measure and appraise kernel modules in an
    extensible and consistent manner.

    To support filesystems without extended attribute support, additional
    patches could pass the signature as the first parameter.

    Signed-off-by: Mimi Zohar
    Signed-off-by: Rusty Russell

    Mimi Zohar
     

05 Oct, 2012

1 commit


03 Oct, 2012

1 commit

  • Pull security subsystem updates from James Morris:
    "Highlights:

    - Integrity: add local fs integrity verification to detect offline
    attacks
    - Integrity: add digital signature verification
    - Simple stacking of Yama with other LSMs (per LSS discussions)
    - IBM vTPM support on ppc64
    - Add new driver for Infineon I2C TIS TPM
    - Smack: add rule revocation for subject labels"

    Fixed conflicts with the user namespace support in kernel/auditsc.c and
    security/integrity/ima/ima_policy.c.

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)
    Documentation: Update git repository URL for Smack userland tools
    ima: change flags container data type
    Smack: setprocattr memory leak fix
    Smack: implement revoking all rules for a subject label
    Smack: remove task_wait() hook.
    ima: audit log hashes
    ima: generic IMA action flag handling
    ima: rename ima_must_appraise_or_measure
    audit: export audit_log_task_info
    tpm: fix tpm_acpi sparse warning on different address spaces
    samples/seccomp: fix 31 bit build on s390
    ima: digital signature verification support
    ima: add support for different security.ima data types
    ima: add ima_inode_setxattr/removexattr function and calls
    ima: add inode_post_setattr call
    ima: replace iint spinblock with rwlock/read_lock
    ima: allocating iint improvements
    ima: add appraise action keywords and default rules
    ima: integrity appraisal extension
    vfs: move ima_file_free before releasing the file
    ...

    Linus Torvalds
     

21 Sep, 2012

2 commits


19 Sep, 2012

1 commit

  • IMA audit hashes patches introduced new IMA flags and the required
    space went beyond 8 bits. Currently the only flag is IMA_DIGSIG.
    This patch uses a 16 bit short instead of an 8 bit char.
    Without this fix the IMA signature will be replaced with a hash, which
    should not happen.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     

14 Sep, 2012

2 commits

  • This adds an 'audit' policy action which audit logs file measurements.

    Changelog v6:
    - use new action flag handling (Dmitry Kasatkin).
    - removed whitespace (Mimi)

    Changelog v5:
    - use audit_log_untrustedstring.

    Changelog v4:
    - cleanup digest -> hash conversion.
    - use filename rather than d_path in ima_audit_measurement.

    Changelog v3:
    - Use newly exported audit_log_task_info for logging pid/ppid/uid/etc.
    - Update the ima_policy ABI documentation.

    Changelog v2:
    - Use 'audit' action rather than 'measure_and_audit' to permit
    auditing in the absence of measuring.

    Changelog v1:
    - Initial posting.

    Signed-off-by: Peter Moody
    Signed-off-by: Mimi Zohar

    Peter Moody
     
  • Make the IMA action flag handling generic in order to support
    additional new actions, without requiring changes to the base
    implementation. New actions, like audit logging, will only
    need to modify the define statements.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     

12 Sep, 2012

1 commit