root/security/integrity/ima/ima_policy.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. default_measure_policy_setup
  2. policy_setup
  3. default_appraise_policy_setup
  4. ima_lsm_free_rule
  5. ima_lsm_copy_rule
  6. ima_lsm_update_rule
  7. ima_lsm_update_rules
  8. ima_lsm_policy_change
  9. ima_match_rules
  10. get_subaction
  11. ima_match_policy
  12. ima_update_policy_flag
  13. ima_appraise_flag
  14. add_rules
  15. ima_init_arch_policy
  16. ima_init_policy
  17. ima_check_policy
  18. ima_update_policy
  19. ima_lsm_rule_init
  20. ima_log_string_op
  21. ima_log_string
  22. check_template_modsig
  23. ima_parse_rule
  24. ima_parse_add_rule
  25. ima_delete_rules
  26. ima_policy_start
  27. ima_policy_next
  28. ima_policy_stop
  29. policy_func_show
  30. ima_policy_show
  31. ima_appraise_signature

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Copyright (C) 2008 IBM Corporation
   4  * Author: Mimi Zohar <zohar@us.ibm.com>
   5  *
   6  * ima_policy.c
   7  *      - initialize default measure policy rules
   8  */
   9 
  10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  11 
  12 #include <linux/init.h>
  13 #include <linux/list.h>
  14 #include <linux/fs.h>
  15 #include <linux/security.h>
  16 #include <linux/magic.h>
  17 #include <linux/parser.h>
  18 #include <linux/slab.h>
  19 #include <linux/rculist.h>
  20 #include <linux/genhd.h>
  21 #include <linux/seq_file.h>
  22 #include <linux/ima.h>
  23 
  24 #include "ima.h"
  25 
  26 /* flags definitions */
  27 #define IMA_FUNC        0x0001
  28 #define IMA_MASK        0x0002
  29 #define IMA_FSMAGIC     0x0004
  30 #define IMA_UID         0x0008
  31 #define IMA_FOWNER      0x0010
  32 #define IMA_FSUUID      0x0020
  33 #define IMA_INMASK      0x0040
  34 #define IMA_EUID        0x0080
  35 #define IMA_PCR         0x0100
  36 #define IMA_FSNAME      0x0200
  37 
  38 #define UNKNOWN         0
  39 #define MEASURE         0x0001  /* same as IMA_MEASURE */
  40 #define DONT_MEASURE    0x0002
  41 #define APPRAISE        0x0004  /* same as IMA_APPRAISE */
  42 #define DONT_APPRAISE   0x0008
  43 #define AUDIT           0x0040
  44 #define HASH            0x0100
  45 #define DONT_HASH       0x0200
  46 
  47 #define INVALID_PCR(a) (((a) < 0) || \
  48         (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
  49 
  50 int ima_policy_flag;
  51 static int temp_ima_appraise;
  52 static int build_ima_appraise __ro_after_init;
  53 
  54 #define MAX_LSM_RULES 6
  55 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
  56         LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
  57 };
  58 
  59 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
  60 
  61 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
  62 
  63 struct ima_rule_entry {
  64         struct list_head list;
  65         int action;
  66         unsigned int flags;
  67         enum ima_hooks func;
  68         int mask;
  69         unsigned long fsmagic;
  70         uuid_t fsuuid;
  71         kuid_t uid;
  72         kuid_t fowner;
  73         bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
  74         bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
  75         int pcr;
  76         struct {
  77                 void *rule;     /* LSM file metadata specific */
  78                 void *args_p;   /* audit value */
  79                 int type;       /* audit type */
  80         } lsm[MAX_LSM_RULES];
  81         char *fsname;
  82         struct ima_template_desc *template;
  83 };
  84 
  85 /*
  86  * Without LSM specific knowledge, the default policy can only be
  87  * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
  88  */
  89 
  90 /*
  91  * The minimum rule set to allow for full TCB coverage.  Measures all files
  92  * opened or mmap for exec and everything read by root.  Dangerous because
  93  * normal users can easily run the machine out of memory simply building
  94  * and running executables.
  95  */
  96 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
  97         {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
  98         {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
  99         {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
 100         {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
 101         {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 102         {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 103         {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 104         {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 105         {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
 106         {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
 107          .flags = IMA_FSMAGIC},
 108         {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
 109          .flags = IMA_FSMAGIC},
 110         {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 111         {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
 112 };
 113 
 114 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
 115         {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 116          .flags = IMA_FUNC | IMA_MASK},
 117         {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 118          .flags = IMA_FUNC | IMA_MASK},
 119         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 120          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 121          .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 122         {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 123         {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 124 };
 125 
 126 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
 127         {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 128          .flags = IMA_FUNC | IMA_MASK},
 129         {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 130          .flags = IMA_FUNC | IMA_MASK},
 131         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 132          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 133          .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
 134         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 135          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 136          .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
 137         {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 138         {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 139         {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
 140 };
 141 
 142 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
 143         {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 144         {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
 145         {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
 146         {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
 147         {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
 148         {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 149         {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 150         {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 151         {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 152         {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
 153         {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 154         {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
 155         {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 156         {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 157 #ifdef CONFIG_IMA_WRITE_POLICY
 158         {.action = APPRAISE, .func = POLICY_CHECK,
 159         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 160 #endif
 161 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
 162         {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
 163          .flags = IMA_FOWNER},
 164 #else
 165         /* force signature */
 166         {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
 167          .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
 168 #endif
 169 };
 170 
 171 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
 172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
 173         {.action = APPRAISE, .func = MODULE_CHECK,
 174          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 175 #endif
 176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
 177         {.action = APPRAISE, .func = FIRMWARE_CHECK,
 178          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 179 #endif
 180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
 181         {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
 182          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 183 #endif
 184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
 185         {.action = APPRAISE, .func = POLICY_CHECK,
 186          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 187 #endif
 188 };
 189 
 190 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
 191         {.action = APPRAISE, .func = MODULE_CHECK,
 192          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 193         {.action = APPRAISE, .func = FIRMWARE_CHECK,
 194          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 195         {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
 196          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 197         {.action = APPRAISE, .func = POLICY_CHECK,
 198          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 199 };
 200 
 201 /* An array of architecture specific rules */
 202 static struct ima_rule_entry *arch_policy_entry __ro_after_init;
 203 
 204 static LIST_HEAD(ima_default_rules);
 205 static LIST_HEAD(ima_policy_rules);
 206 static LIST_HEAD(ima_temp_rules);
 207 static struct list_head *ima_rules;
 208 
 209 static int ima_policy __initdata;
 210 
 211 static int __init default_measure_policy_setup(char *str)
 212 {
 213         if (ima_policy)
 214                 return 1;
 215 
 216         ima_policy = ORIGINAL_TCB;
 217         return 1;
 218 }
 219 __setup("ima_tcb", default_measure_policy_setup);
 220 
 221 static bool ima_use_appraise_tcb __initdata;
 222 static bool ima_use_secure_boot __initdata;
 223 static bool ima_fail_unverifiable_sigs __ro_after_init;
 224 static int __init policy_setup(char *str)
 225 {
 226         char *p;
 227 
 228         while ((p = strsep(&str, " |\n")) != NULL) {
 229                 if (*p == ' ')
 230                         continue;
 231                 if ((strcmp(p, "tcb") == 0) && !ima_policy)
 232                         ima_policy = DEFAULT_TCB;
 233                 else if (strcmp(p, "appraise_tcb") == 0)
 234                         ima_use_appraise_tcb = true;
 235                 else if (strcmp(p, "secure_boot") == 0)
 236                         ima_use_secure_boot = true;
 237                 else if (strcmp(p, "fail_securely") == 0)
 238                         ima_fail_unverifiable_sigs = true;
 239         }
 240 
 241         return 1;
 242 }
 243 __setup("ima_policy=", policy_setup);
 244 
 245 static int __init default_appraise_policy_setup(char *str)
 246 {
 247         ima_use_appraise_tcb = true;
 248         return 1;
 249 }
 250 __setup("ima_appraise_tcb", default_appraise_policy_setup);
 251 
 252 static void ima_lsm_free_rule(struct ima_rule_entry *entry)
 253 {
 254         int i;
 255 
 256         for (i = 0; i < MAX_LSM_RULES; i++) {
 257                 kfree(entry->lsm[i].rule);
 258                 kfree(entry->lsm[i].args_p);
 259         }
 260         kfree(entry);
 261 }
 262 
 263 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 264 {
 265         struct ima_rule_entry *nentry;
 266         int i;
 267 
 268         nentry = kmalloc(sizeof(*nentry), GFP_KERNEL);
 269         if (!nentry)
 270                 return NULL;
 271 
 272         /*
 273          * Immutable elements are copied over as pointers and data; only
 274          * lsm rules can change
 275          */
 276         memcpy(nentry, entry, sizeof(*nentry));
 277         memset(nentry->lsm, 0, FIELD_SIZEOF(struct ima_rule_entry, lsm));
 278 
 279         for (i = 0; i < MAX_LSM_RULES; i++) {
 280                 if (!entry->lsm[i].args_p)
 281                         continue;
 282 
 283                 nentry->lsm[i].type = entry->lsm[i].type;
 284                 nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p,
 285                                                 GFP_KERNEL);
 286                 if (!nentry->lsm[i].args_p)
 287                         goto out_err;
 288 
 289                 security_filter_rule_init(nentry->lsm[i].type,
 290                                           Audit_equal,
 291                                           nentry->lsm[i].args_p,
 292                                           &nentry->lsm[i].rule);
 293                 if (!nentry->lsm[i].rule)
 294                         pr_warn("rule for LSM \'%s\' is undefined\n",
 295                                 (char *)entry->lsm[i].args_p);
 296         }
 297         return nentry;
 298 
 299 out_err:
 300         ima_lsm_free_rule(nentry);
 301         return NULL;
 302 }
 303 
 304 static int ima_lsm_update_rule(struct ima_rule_entry *entry)
 305 {
 306         struct ima_rule_entry *nentry;
 307 
 308         nentry = ima_lsm_copy_rule(entry);
 309         if (!nentry)
 310                 return -ENOMEM;
 311 
 312         list_replace_rcu(&entry->list, &nentry->list);
 313         synchronize_rcu();
 314         ima_lsm_free_rule(entry);
 315 
 316         return 0;
 317 }
 318 
 319 /*
 320  * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
 321  * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
 322  * the reloaded LSM policy.
 323  */
 324 static void ima_lsm_update_rules(void)
 325 {
 326         struct ima_rule_entry *entry, *e;
 327         int i, result, needs_update;
 328 
 329         list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
 330                 needs_update = 0;
 331                 for (i = 0; i < MAX_LSM_RULES; i++) {
 332                         if (entry->lsm[i].args_p) {
 333                                 needs_update = 1;
 334                                 break;
 335                         }
 336                 }
 337                 if (!needs_update)
 338                         continue;
 339 
 340                 result = ima_lsm_update_rule(entry);
 341                 if (result) {
 342                         pr_err("lsm rule update error %d\n", result);
 343                         return;
 344                 }
 345         }
 346 }
 347 
 348 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
 349                           void *lsm_data)
 350 {
 351         if (event != LSM_POLICY_CHANGE)
 352                 return NOTIFY_DONE;
 353 
 354         ima_lsm_update_rules();
 355         return NOTIFY_OK;
 356 }
 357 
 358 /**
 359  * ima_match_rules - determine whether an inode matches the policy rule.
 360  * @rule: a pointer to a rule
 361  * @inode: a pointer to an inode
 362  * @cred: a pointer to a credentials structure for user validation
 363  * @secid: the secid of the task to be validated
 364  * @func: LIM hook identifier
 365  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 366  *
 367  * Returns true on rule match, false on failure.
 368  */
 369 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 370                             const struct cred *cred, u32 secid,
 371                             enum ima_hooks func, int mask)
 372 {
 373         int i;
 374 
 375         if (func == KEXEC_CMDLINE) {
 376                 if ((rule->flags & IMA_FUNC) && (rule->func == func))
 377                         return true;
 378                 return false;
 379         }
 380         if ((rule->flags & IMA_FUNC) &&
 381             (rule->func != func && func != POST_SETATTR))
 382                 return false;
 383         if ((rule->flags & IMA_MASK) &&
 384             (rule->mask != mask && func != POST_SETATTR))
 385                 return false;
 386         if ((rule->flags & IMA_INMASK) &&
 387             (!(rule->mask & mask) && func != POST_SETATTR))
 388                 return false;
 389         if ((rule->flags & IMA_FSMAGIC)
 390             && rule->fsmagic != inode->i_sb->s_magic)
 391                 return false;
 392         if ((rule->flags & IMA_FSNAME)
 393             && strcmp(rule->fsname, inode->i_sb->s_type->name))
 394                 return false;
 395         if ((rule->flags & IMA_FSUUID) &&
 396             !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
 397                 return false;
 398         if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
 399                 return false;
 400         if (rule->flags & IMA_EUID) {
 401                 if (has_capability_noaudit(current, CAP_SETUID)) {
 402                         if (!rule->uid_op(cred->euid, rule->uid)
 403                             && !rule->uid_op(cred->suid, rule->uid)
 404                             && !rule->uid_op(cred->uid, rule->uid))
 405                                 return false;
 406                 } else if (!rule->uid_op(cred->euid, rule->uid))
 407                         return false;
 408         }
 409 
 410         if ((rule->flags & IMA_FOWNER) &&
 411             !rule->fowner_op(inode->i_uid, rule->fowner))
 412                 return false;
 413         for (i = 0; i < MAX_LSM_RULES; i++) {
 414                 int rc = 0;
 415                 u32 osid;
 416 
 417                 if (!rule->lsm[i].rule) {
 418                         if (!rule->lsm[i].args_p)
 419                                 continue;
 420                         else
 421                                 return false;
 422                 }
 423                 switch (i) {
 424                 case LSM_OBJ_USER:
 425                 case LSM_OBJ_ROLE:
 426                 case LSM_OBJ_TYPE:
 427                         security_inode_getsecid(inode, &osid);
 428                         rc = security_filter_rule_match(osid,
 429                                                         rule->lsm[i].type,
 430                                                         Audit_equal,
 431                                                         rule->lsm[i].rule);
 432                         break;
 433                 case LSM_SUBJ_USER:
 434                 case LSM_SUBJ_ROLE:
 435                 case LSM_SUBJ_TYPE:
 436                         rc = security_filter_rule_match(secid,
 437                                                         rule->lsm[i].type,
 438                                                         Audit_equal,
 439                                                         rule->lsm[i].rule);
 440                 default:
 441                         break;
 442                 }
 443                 if (!rc)
 444                         return false;
 445         }
 446         return true;
 447 }
 448 
 449 /*
 450  * In addition to knowing that we need to appraise the file in general,
 451  * we need to differentiate between calling hooks, for hook specific rules.
 452  */
 453 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 454 {
 455         if (!(rule->flags & IMA_FUNC))
 456                 return IMA_FILE_APPRAISE;
 457 
 458         switch (func) {
 459         case MMAP_CHECK:
 460                 return IMA_MMAP_APPRAISE;
 461         case BPRM_CHECK:
 462                 return IMA_BPRM_APPRAISE;
 463         case CREDS_CHECK:
 464                 return IMA_CREDS_APPRAISE;
 465         case FILE_CHECK:
 466         case POST_SETATTR:
 467                 return IMA_FILE_APPRAISE;
 468         case MODULE_CHECK ... MAX_CHECK - 1:
 469         default:
 470                 return IMA_READ_APPRAISE;
 471         }
 472 }
 473 
 474 /**
 475  * ima_match_policy - decision based on LSM and other conditions
 476  * @inode: pointer to an inode for which the policy decision is being made
 477  * @cred: pointer to a credentials structure for which the policy decision is
 478  *        being made
 479  * @secid: LSM secid of the task to be validated
 480  * @func: IMA hook identifier
 481  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 482  * @pcr: set the pcr to extend
 483  * @template_desc: the template that should be used for this rule
 484  *
 485  * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
 486  * conditions.
 487  *
 488  * Since the IMA policy may be updated multiple times we need to lock the
 489  * list when walking it.  Reads are many orders of magnitude more numerous
 490  * than writes so ima_match_policy() is classical RCU candidate.
 491  */
 492 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 493                      enum ima_hooks func, int mask, int flags, int *pcr,
 494                      struct ima_template_desc **template_desc)
 495 {
 496         struct ima_rule_entry *entry;
 497         int action = 0, actmask = flags | (flags << 1);
 498 
 499         if (template_desc)
 500                 *template_desc = ima_template_desc_current();
 501 
 502         rcu_read_lock();
 503         list_for_each_entry_rcu(entry, ima_rules, list) {
 504 
 505                 if (!(entry->action & actmask))
 506                         continue;
 507 
 508                 if (!ima_match_rules(entry, inode, cred, secid, func, mask))
 509                         continue;
 510 
 511                 action |= entry->flags & IMA_ACTION_FLAGS;
 512 
 513                 action |= entry->action & IMA_DO_MASK;
 514                 if (entry->action & IMA_APPRAISE) {
 515                         action |= get_subaction(entry, func);
 516                         action &= ~IMA_HASH;
 517                         if (ima_fail_unverifiable_sigs)
 518                                 action |= IMA_FAIL_UNVERIFIABLE_SIGS;
 519                 }
 520 
 521 
 522                 if (entry->action & IMA_DO_MASK)
 523                         actmask &= ~(entry->action | entry->action << 1);
 524                 else
 525                         actmask &= ~(entry->action | entry->action >> 1);
 526 
 527                 if ((pcr) && (entry->flags & IMA_PCR))
 528                         *pcr = entry->pcr;
 529 
 530                 if (template_desc && entry->template)
 531                         *template_desc = entry->template;
 532 
 533                 if (!actmask)
 534                         break;
 535         }
 536         rcu_read_unlock();
 537 
 538         return action;
 539 }
 540 
 541 /*
 542  * Initialize the ima_policy_flag variable based on the currently
 543  * loaded policy.  Based on this flag, the decision to short circuit
 544  * out of a function or not call the function in the first place
 545  * can be made earlier.
 546  */
 547 void ima_update_policy_flag(void)
 548 {
 549         struct ima_rule_entry *entry;
 550 
 551         list_for_each_entry(entry, ima_rules, list) {
 552                 if (entry->action & IMA_DO_MASK)
 553                         ima_policy_flag |= entry->action;
 554         }
 555 
 556         ima_appraise |= (build_ima_appraise | temp_ima_appraise);
 557         if (!ima_appraise)
 558                 ima_policy_flag &= ~IMA_APPRAISE;
 559 }
 560 
 561 static int ima_appraise_flag(enum ima_hooks func)
 562 {
 563         if (func == MODULE_CHECK)
 564                 return IMA_APPRAISE_MODULES;
 565         else if (func == FIRMWARE_CHECK)
 566                 return IMA_APPRAISE_FIRMWARE;
 567         else if (func == POLICY_CHECK)
 568                 return IMA_APPRAISE_POLICY;
 569         else if (func == KEXEC_KERNEL_CHECK)
 570                 return IMA_APPRAISE_KEXEC;
 571         return 0;
 572 }
 573 
 574 static void add_rules(struct ima_rule_entry *entries, int count,
 575                       enum policy_rule_list policy_rule)
 576 {
 577         int i = 0;
 578 
 579         for (i = 0; i < count; i++) {
 580                 struct ima_rule_entry *entry;
 581 
 582                 if (policy_rule & IMA_DEFAULT_POLICY)
 583                         list_add_tail(&entries[i].list, &ima_default_rules);
 584 
 585                 if (policy_rule & IMA_CUSTOM_POLICY) {
 586                         entry = kmemdup(&entries[i], sizeof(*entry),
 587                                         GFP_KERNEL);
 588                         if (!entry)
 589                                 continue;
 590 
 591                         list_add_tail(&entry->list, &ima_policy_rules);
 592                 }
 593                 if (entries[i].action == APPRAISE) {
 594                         temp_ima_appraise |= ima_appraise_flag(entries[i].func);
 595                         if (entries[i].func == POLICY_CHECK)
 596                                 temp_ima_appraise |= IMA_APPRAISE_POLICY;
 597                 }
 598         }
 599 }
 600 
 601 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
 602 
 603 static int __init ima_init_arch_policy(void)
 604 {
 605         const char * const *arch_rules;
 606         const char * const *rules;
 607         int arch_entries = 0;
 608         int i = 0;
 609 
 610         arch_rules = arch_get_ima_policy();
 611         if (!arch_rules)
 612                 return arch_entries;
 613 
 614         /* Get number of rules */
 615         for (rules = arch_rules; *rules != NULL; rules++)
 616                 arch_entries++;
 617 
 618         arch_policy_entry = kcalloc(arch_entries + 1,
 619                                     sizeof(*arch_policy_entry), GFP_KERNEL);
 620         if (!arch_policy_entry)
 621                 return 0;
 622 
 623         /* Convert each policy string rules to struct ima_rule_entry format */
 624         for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
 625                 char rule[255];
 626                 int result;
 627 
 628                 result = strlcpy(rule, *rules, sizeof(rule));
 629 
 630                 INIT_LIST_HEAD(&arch_policy_entry[i].list);
 631                 result = ima_parse_rule(rule, &arch_policy_entry[i]);
 632                 if (result) {
 633                         pr_warn("Skipping unknown architecture policy rule: %s\n",
 634                                 rule);
 635                         memset(&arch_policy_entry[i], 0,
 636                                sizeof(*arch_policy_entry));
 637                         continue;
 638                 }
 639                 i++;
 640         }
 641         return i;
 642 }
 643 
 644 /**
 645  * ima_init_policy - initialize the default measure rules.
 646  *
 647  * ima_rules points to either the ima_default_rules or the
 648  * the new ima_policy_rules.
 649  */
 650 void __init ima_init_policy(void)
 651 {
 652         int build_appraise_entries, arch_entries;
 653 
 654         /* if !ima_policy, we load NO default rules */
 655         if (ima_policy)
 656                 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
 657                           IMA_DEFAULT_POLICY);
 658 
 659         switch (ima_policy) {
 660         case ORIGINAL_TCB:
 661                 add_rules(original_measurement_rules,
 662                           ARRAY_SIZE(original_measurement_rules),
 663                           IMA_DEFAULT_POLICY);
 664                 break;
 665         case DEFAULT_TCB:
 666                 add_rules(default_measurement_rules,
 667                           ARRAY_SIZE(default_measurement_rules),
 668                           IMA_DEFAULT_POLICY);
 669         default:
 670                 break;
 671         }
 672 
 673         /*
 674          * Based on runtime secure boot flags, insert arch specific measurement
 675          * and appraise rules requiring file signatures for both the initial
 676          * and custom policies, prior to other appraise rules.
 677          * (Highest priority)
 678          */
 679         arch_entries = ima_init_arch_policy();
 680         if (!arch_entries)
 681                 pr_info("No architecture policies found\n");
 682         else
 683                 add_rules(arch_policy_entry, arch_entries,
 684                           IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
 685 
 686         /*
 687          * Insert the builtin "secure_boot" policy rules requiring file
 688          * signatures, prior to other appraise rules.
 689          */
 690         if (ima_use_secure_boot)
 691                 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
 692                           IMA_DEFAULT_POLICY);
 693 
 694         /*
 695          * Insert the build time appraise rules requiring file signatures
 696          * for both the initial and custom policies, prior to other appraise
 697          * rules. As the secure boot rules includes all of the build time
 698          * rules, include either one or the other set of rules, but not both.
 699          */
 700         build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
 701         if (build_appraise_entries) {
 702                 if (ima_use_secure_boot)
 703                         add_rules(build_appraise_rules, build_appraise_entries,
 704                                   IMA_CUSTOM_POLICY);
 705                 else
 706                         add_rules(build_appraise_rules, build_appraise_entries,
 707                                   IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
 708         }
 709 
 710         if (ima_use_appraise_tcb)
 711                 add_rules(default_appraise_rules,
 712                           ARRAY_SIZE(default_appraise_rules),
 713                           IMA_DEFAULT_POLICY);
 714 
 715         ima_rules = &ima_default_rules;
 716         ima_update_policy_flag();
 717 }
 718 
 719 /* Make sure we have a valid policy, at least containing some rules. */
 720 int ima_check_policy(void)
 721 {
 722         if (list_empty(&ima_temp_rules))
 723                 return -EINVAL;
 724         return 0;
 725 }
 726 
 727 /**
 728  * ima_update_policy - update default_rules with new measure rules
 729  *
 730  * Called on file .release to update the default rules with a complete new
 731  * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
 732  * they make a queue.  The policy may be updated multiple times and this is the
 733  * RCU updater.
 734  *
 735  * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
 736  * we switch from the default policy to user defined.
 737  */
 738 void ima_update_policy(void)
 739 {
 740         struct list_head *policy = &ima_policy_rules;
 741 
 742         list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
 743 
 744         if (ima_rules != policy) {
 745                 ima_policy_flag = 0;
 746                 ima_rules = policy;
 747 
 748                 /*
 749                  * IMA architecture specific policy rules are specified
 750                  * as strings and converted to an array of ima_entry_rules
 751                  * on boot.  After loading a custom policy, free the
 752                  * architecture specific rules stored as an array.
 753                  */
 754                 kfree(arch_policy_entry);
 755         }
 756         ima_update_policy_flag();
 757 }
 758 
 759 /* Keep the enumeration in sync with the policy_tokens! */
 760 enum {
 761         Opt_measure, Opt_dont_measure,
 762         Opt_appraise, Opt_dont_appraise,
 763         Opt_audit, Opt_hash, Opt_dont_hash,
 764         Opt_obj_user, Opt_obj_role, Opt_obj_type,
 765         Opt_subj_user, Opt_subj_role, Opt_subj_type,
 766         Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
 767         Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
 768         Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
 769         Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
 770         Opt_appraise_type, Opt_permit_directio,
 771         Opt_pcr, Opt_template, Opt_err
 772 };
 773 
 774 static const match_table_t policy_tokens = {
 775         {Opt_measure, "measure"},
 776         {Opt_dont_measure, "dont_measure"},
 777         {Opt_appraise, "appraise"},
 778         {Opt_dont_appraise, "dont_appraise"},
 779         {Opt_audit, "audit"},
 780         {Opt_hash, "hash"},
 781         {Opt_dont_hash, "dont_hash"},
 782         {Opt_obj_user, "obj_user=%s"},
 783         {Opt_obj_role, "obj_role=%s"},
 784         {Opt_obj_type, "obj_type=%s"},
 785         {Opt_subj_user, "subj_user=%s"},
 786         {Opt_subj_role, "subj_role=%s"},
 787         {Opt_subj_type, "subj_type=%s"},
 788         {Opt_func, "func=%s"},
 789         {Opt_mask, "mask=%s"},
 790         {Opt_fsmagic, "fsmagic=%s"},
 791         {Opt_fsname, "fsname=%s"},
 792         {Opt_fsuuid, "fsuuid=%s"},
 793         {Opt_uid_eq, "uid=%s"},
 794         {Opt_euid_eq, "euid=%s"},
 795         {Opt_fowner_eq, "fowner=%s"},
 796         {Opt_uid_gt, "uid>%s"},
 797         {Opt_euid_gt, "euid>%s"},
 798         {Opt_fowner_gt, "fowner>%s"},
 799         {Opt_uid_lt, "uid<%s"},
 800         {Opt_euid_lt, "euid<%s"},
 801         {Opt_fowner_lt, "fowner<%s"},
 802         {Opt_appraise_type, "appraise_type=%s"},
 803         {Opt_permit_directio, "permit_directio"},
 804         {Opt_pcr, "pcr=%s"},
 805         {Opt_template, "template=%s"},
 806         {Opt_err, NULL}
 807 };
 808 
 809 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
 810                              substring_t *args, int lsm_rule, int audit_type)
 811 {
 812         int result;
 813 
 814         if (entry->lsm[lsm_rule].rule)
 815                 return -EINVAL;
 816 
 817         entry->lsm[lsm_rule].args_p = match_strdup(args);
 818         if (!entry->lsm[lsm_rule].args_p)
 819                 return -ENOMEM;
 820 
 821         entry->lsm[lsm_rule].type = audit_type;
 822         result = security_filter_rule_init(entry->lsm[lsm_rule].type,
 823                                            Audit_equal,
 824                                            entry->lsm[lsm_rule].args_p,
 825                                            &entry->lsm[lsm_rule].rule);
 826         if (!entry->lsm[lsm_rule].rule) {
 827                 pr_warn("rule for LSM \'%s\' is undefined\n",
 828                         (char *)entry->lsm[lsm_rule].args_p);
 829 
 830                 if (ima_rules == &ima_default_rules) {
 831                         kfree(entry->lsm[lsm_rule].args_p);
 832                         result = -EINVAL;
 833                 } else
 834                         result = 0;
 835         }
 836 
 837         return result;
 838 }
 839 
 840 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
 841                               bool (*rule_operator)(kuid_t, kuid_t))
 842 {
 843         if (!ab)
 844                 return;
 845 
 846         if (rule_operator == &uid_gt)
 847                 audit_log_format(ab, "%s>", key);
 848         else if (rule_operator == &uid_lt)
 849                 audit_log_format(ab, "%s<", key);
 850         else
 851                 audit_log_format(ab, "%s=", key);
 852         audit_log_format(ab, "%s ", value);
 853 }
 854 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
 855 {
 856         ima_log_string_op(ab, key, value, NULL);
 857 }
 858 
 859 /*
 860  * Validating the appended signature included in the measurement list requires
 861  * the file hash calculated without the appended signature (i.e., the 'd-modsig'
 862  * field). Therefore, notify the user if they have the 'modsig' field but not
 863  * the 'd-modsig' field in the template.
 864  */
 865 static void check_template_modsig(const struct ima_template_desc *template)
 866 {
 867 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
 868         bool has_modsig, has_dmodsig;
 869         static bool checked;
 870         int i;
 871 
 872         /* We only need to notify the user once. */
 873         if (checked)
 874                 return;
 875 
 876         has_modsig = has_dmodsig = false;
 877         for (i = 0; i < template->num_fields; i++) {
 878                 if (!strcmp(template->fields[i]->field_id, "modsig"))
 879                         has_modsig = true;
 880                 else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
 881                         has_dmodsig = true;
 882         }
 883 
 884         if (has_modsig && !has_dmodsig)
 885                 pr_notice(MSG);
 886 
 887         checked = true;
 888 #undef MSG
 889 }
 890 
 891 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 892 {
 893         struct audit_buffer *ab;
 894         char *from;
 895         char *p;
 896         bool uid_token;
 897         struct ima_template_desc *template_desc;
 898         int result = 0;
 899 
 900         ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
 901                                        AUDIT_INTEGRITY_POLICY_RULE);
 902 
 903         entry->uid = INVALID_UID;
 904         entry->fowner = INVALID_UID;
 905         entry->uid_op = &uid_eq;
 906         entry->fowner_op = &uid_eq;
 907         entry->action = UNKNOWN;
 908         while ((p = strsep(&rule, " \t")) != NULL) {
 909                 substring_t args[MAX_OPT_ARGS];
 910                 int token;
 911                 unsigned long lnum;
 912 
 913                 if (result < 0)
 914                         break;
 915                 if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
 916                         continue;
 917                 token = match_token(p, policy_tokens, args);
 918                 switch (token) {
 919                 case Opt_measure:
 920                         ima_log_string(ab, "action", "measure");
 921 
 922                         if (entry->action != UNKNOWN)
 923                                 result = -EINVAL;
 924 
 925                         entry->action = MEASURE;
 926                         break;
 927                 case Opt_dont_measure:
 928                         ima_log_string(ab, "action", "dont_measure");
 929 
 930                         if (entry->action != UNKNOWN)
 931                                 result = -EINVAL;
 932 
 933                         entry->action = DONT_MEASURE;
 934                         break;
 935                 case Opt_appraise:
 936                         ima_log_string(ab, "action", "appraise");
 937 
 938                         if (entry->action != UNKNOWN)
 939                                 result = -EINVAL;
 940 
 941                         entry->action = APPRAISE;
 942                         break;
 943                 case Opt_dont_appraise:
 944                         ima_log_string(ab, "action", "dont_appraise");
 945 
 946                         if (entry->action != UNKNOWN)
 947                                 result = -EINVAL;
 948 
 949                         entry->action = DONT_APPRAISE;
 950                         break;
 951                 case Opt_audit:
 952                         ima_log_string(ab, "action", "audit");
 953 
 954                         if (entry->action != UNKNOWN)
 955                                 result = -EINVAL;
 956 
 957                         entry->action = AUDIT;
 958                         break;
 959                 case Opt_hash:
 960                         ima_log_string(ab, "action", "hash");
 961 
 962                         if (entry->action != UNKNOWN)
 963                                 result = -EINVAL;
 964 
 965                         entry->action = HASH;
 966                         break;
 967                 case Opt_dont_hash:
 968                         ima_log_string(ab, "action", "dont_hash");
 969 
 970                         if (entry->action != UNKNOWN)
 971                                 result = -EINVAL;
 972 
 973                         entry->action = DONT_HASH;
 974                         break;
 975                 case Opt_func:
 976                         ima_log_string(ab, "func", args[0].from);
 977 
 978                         if (entry->func)
 979                                 result = -EINVAL;
 980 
 981                         if (strcmp(args[0].from, "FILE_CHECK") == 0)
 982                                 entry->func = FILE_CHECK;
 983                         /* PATH_CHECK is for backwards compat */
 984                         else if (strcmp(args[0].from, "PATH_CHECK") == 0)
 985                                 entry->func = FILE_CHECK;
 986                         else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
 987                                 entry->func = MODULE_CHECK;
 988                         else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
 989                                 entry->func = FIRMWARE_CHECK;
 990                         else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
 991                                 || (strcmp(args[0].from, "MMAP_CHECK") == 0))
 992                                 entry->func = MMAP_CHECK;
 993                         else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
 994                                 entry->func = BPRM_CHECK;
 995                         else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
 996                                 entry->func = CREDS_CHECK;
 997                         else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
 998                                  0)
 999                                 entry->func = KEXEC_KERNEL_CHECK;
1000                         else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
1001                                  == 0)
1002                                 entry->func = KEXEC_INITRAMFS_CHECK;
1003                         else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
1004                                 entry->func = POLICY_CHECK;
1005                         else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1006                                 entry->func = KEXEC_CMDLINE;
1007                         else
1008                                 result = -EINVAL;
1009                         if (!result)
1010                                 entry->flags |= IMA_FUNC;
1011                         break;
1012                 case Opt_mask:
1013                         ima_log_string(ab, "mask", args[0].from);
1014 
1015                         if (entry->mask)
1016                                 result = -EINVAL;
1017 
1018                         from = args[0].from;
1019                         if (*from == '^')
1020                                 from++;
1021 
1022                         if ((strcmp(from, "MAY_EXEC")) == 0)
1023                                 entry->mask = MAY_EXEC;
1024                         else if (strcmp(from, "MAY_WRITE") == 0)
1025                                 entry->mask = MAY_WRITE;
1026                         else if (strcmp(from, "MAY_READ") == 0)
1027                                 entry->mask = MAY_READ;
1028                         else if (strcmp(from, "MAY_APPEND") == 0)
1029                                 entry->mask = MAY_APPEND;
1030                         else
1031                                 result = -EINVAL;
1032                         if (!result)
1033                                 entry->flags |= (*args[0].from == '^')
1034                                      ? IMA_INMASK : IMA_MASK;
1035                         break;
1036                 case Opt_fsmagic:
1037                         ima_log_string(ab, "fsmagic", args[0].from);
1038 
1039                         if (entry->fsmagic) {
1040                                 result = -EINVAL;
1041                                 break;
1042                         }
1043 
1044                         result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1045                         if (!result)
1046                                 entry->flags |= IMA_FSMAGIC;
1047                         break;
1048                 case Opt_fsname:
1049                         ima_log_string(ab, "fsname", args[0].from);
1050 
1051                         entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1052                         if (!entry->fsname) {
1053                                 result = -ENOMEM;
1054                                 break;
1055                         }
1056                         result = 0;
1057                         entry->flags |= IMA_FSNAME;
1058                         break;
1059                 case Opt_fsuuid:
1060                         ima_log_string(ab, "fsuuid", args[0].from);
1061 
1062                         if (!uuid_is_null(&entry->fsuuid)) {
1063                                 result = -EINVAL;
1064                                 break;
1065                         }
1066 
1067                         result = uuid_parse(args[0].from, &entry->fsuuid);
1068                         if (!result)
1069                                 entry->flags |= IMA_FSUUID;
1070                         break;
1071                 case Opt_uid_gt:
1072                 case Opt_euid_gt:
1073                         entry->uid_op = &uid_gt;
1074                         /* fall through */
1075                 case Opt_uid_lt:
1076                 case Opt_euid_lt:
1077                         if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1078                                 entry->uid_op = &uid_lt;
1079                         /* fall through */
1080                 case Opt_uid_eq:
1081                 case Opt_euid_eq:
1082                         uid_token = (token == Opt_uid_eq) ||
1083                                     (token == Opt_uid_gt) ||
1084                                     (token == Opt_uid_lt);
1085 
1086                         ima_log_string_op(ab, uid_token ? "uid" : "euid",
1087                                           args[0].from, entry->uid_op);
1088 
1089                         if (uid_valid(entry->uid)) {
1090                                 result = -EINVAL;
1091                                 break;
1092                         }
1093 
1094                         result = kstrtoul(args[0].from, 10, &lnum);
1095                         if (!result) {
1096                                 entry->uid = make_kuid(current_user_ns(),
1097                                                        (uid_t) lnum);
1098                                 if (!uid_valid(entry->uid) ||
1099                                     (uid_t)lnum != lnum)
1100                                         result = -EINVAL;
1101                                 else
1102                                         entry->flags |= uid_token
1103                                             ? IMA_UID : IMA_EUID;
1104                         }
1105                         break;
1106                 case Opt_fowner_gt:
1107                         entry->fowner_op = &uid_gt;
1108                         /* fall through */
1109                 case Opt_fowner_lt:
1110                         if (token == Opt_fowner_lt)
1111                                 entry->fowner_op = &uid_lt;
1112                         /* fall through */
1113                 case Opt_fowner_eq:
1114                         ima_log_string_op(ab, "fowner", args[0].from,
1115                                           entry->fowner_op);
1116 
1117                         if (uid_valid(entry->fowner)) {
1118                                 result = -EINVAL;
1119                                 break;
1120                         }
1121 
1122                         result = kstrtoul(args[0].from, 10, &lnum);
1123                         if (!result) {
1124                                 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
1125                                 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
1126                                         result = -EINVAL;
1127                                 else
1128                                         entry->flags |= IMA_FOWNER;
1129                         }
1130                         break;
1131                 case Opt_obj_user:
1132                         ima_log_string(ab, "obj_user", args[0].from);
1133                         result = ima_lsm_rule_init(entry, args,
1134                                                    LSM_OBJ_USER,
1135                                                    AUDIT_OBJ_USER);
1136                         break;
1137                 case Opt_obj_role:
1138                         ima_log_string(ab, "obj_role", args[0].from);
1139                         result = ima_lsm_rule_init(entry, args,
1140                                                    LSM_OBJ_ROLE,
1141                                                    AUDIT_OBJ_ROLE);
1142                         break;
1143                 case Opt_obj_type:
1144                         ima_log_string(ab, "obj_type", args[0].from);
1145                         result = ima_lsm_rule_init(entry, args,
1146                                                    LSM_OBJ_TYPE,
1147                                                    AUDIT_OBJ_TYPE);
1148                         break;
1149                 case Opt_subj_user:
1150                         ima_log_string(ab, "subj_user", args[0].from);
1151                         result = ima_lsm_rule_init(entry, args,
1152                                                    LSM_SUBJ_USER,
1153                                                    AUDIT_SUBJ_USER);
1154                         break;
1155                 case Opt_subj_role:
1156                         ima_log_string(ab, "subj_role", args[0].from);
1157                         result = ima_lsm_rule_init(entry, args,
1158                                                    LSM_SUBJ_ROLE,
1159                                                    AUDIT_SUBJ_ROLE);
1160                         break;
1161                 case Opt_subj_type:
1162                         ima_log_string(ab, "subj_type", args[0].from);
1163                         result = ima_lsm_rule_init(entry, args,
1164                                                    LSM_SUBJ_TYPE,
1165                                                    AUDIT_SUBJ_TYPE);
1166                         break;
1167                 case Opt_appraise_type:
1168                         if (entry->action != APPRAISE) {
1169                                 result = -EINVAL;
1170                                 break;
1171                         }
1172 
1173                         ima_log_string(ab, "appraise_type", args[0].from);
1174                         if ((strcmp(args[0].from, "imasig")) == 0)
1175                                 entry->flags |= IMA_DIGSIG_REQUIRED;
1176                         else if (ima_hook_supports_modsig(entry->func) &&
1177                                  strcmp(args[0].from, "imasig|modsig") == 0)
1178                                 entry->flags |= IMA_DIGSIG_REQUIRED |
1179                                                 IMA_MODSIG_ALLOWED;
1180                         else
1181                                 result = -EINVAL;
1182                         break;
1183                 case Opt_permit_directio:
1184                         entry->flags |= IMA_PERMIT_DIRECTIO;
1185                         break;
1186                 case Opt_pcr:
1187                         if (entry->action != MEASURE) {
1188                                 result = -EINVAL;
1189                                 break;
1190                         }
1191                         ima_log_string(ab, "pcr", args[0].from);
1192 
1193                         result = kstrtoint(args[0].from, 10, &entry->pcr);
1194                         if (result || INVALID_PCR(entry->pcr))
1195                                 result = -EINVAL;
1196                         else
1197                                 entry->flags |= IMA_PCR;
1198 
1199                         break;
1200                 case Opt_template:
1201                         ima_log_string(ab, "template", args[0].from);
1202                         if (entry->action != MEASURE) {
1203                                 result = -EINVAL;
1204                                 break;
1205                         }
1206                         template_desc = lookup_template_desc(args[0].from);
1207                         if (!template_desc || entry->template) {
1208                                 result = -EINVAL;
1209                                 break;
1210                         }
1211 
1212                         /*
1213                          * template_desc_init_fields() does nothing if
1214                          * the template is already initialised, so
1215                          * it's safe to do this unconditionally
1216                          */
1217                         template_desc_init_fields(template_desc->fmt,
1218                                                  &(template_desc->fields),
1219                                                  &(template_desc->num_fields));
1220                         entry->template = template_desc;
1221                         break;
1222                 case Opt_err:
1223                         ima_log_string(ab, "UNKNOWN", p);
1224                         result = -EINVAL;
1225                         break;
1226                 }
1227         }
1228         if (!result && (entry->action == UNKNOWN))
1229                 result = -EINVAL;
1230         else if (entry->action == APPRAISE)
1231                 temp_ima_appraise |= ima_appraise_flag(entry->func);
1232 
1233         if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1234                 template_desc = entry->template ? entry->template :
1235                                                   ima_template_desc_current();
1236                 check_template_modsig(template_desc);
1237         }
1238 
1239         audit_log_format(ab, "res=%d", !result);
1240         audit_log_end(ab);
1241         return result;
1242 }
1243 
1244 /**
1245  * ima_parse_add_rule - add a rule to ima_policy_rules
1246  * @rule - ima measurement policy rule
1247  *
1248  * Avoid locking by allowing just one writer at a time in ima_write_policy()
1249  * Returns the length of the rule parsed, an error code on failure
1250  */
1251 ssize_t ima_parse_add_rule(char *rule)
1252 {
1253         static const char op[] = "update_policy";
1254         char *p;
1255         struct ima_rule_entry *entry;
1256         ssize_t result, len;
1257         int audit_info = 0;
1258 
1259         p = strsep(&rule, "\n");
1260         len = strlen(p) + 1;
1261         p += strspn(p, " \t");
1262 
1263         if (*p == '#' || *p == '\0')
1264                 return len;
1265 
1266         entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1267         if (!entry) {
1268                 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1269                                     NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1270                 return -ENOMEM;
1271         }
1272 
1273         INIT_LIST_HEAD(&entry->list);
1274 
1275         result = ima_parse_rule(p, entry);
1276         if (result) {
1277                 kfree(entry);
1278                 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1279                                     NULL, op, "invalid-policy", result,
1280                                     audit_info);
1281                 return result;
1282         }
1283 
1284         list_add_tail(&entry->list, &ima_temp_rules);
1285 
1286         return len;
1287 }
1288 
1289 /**
1290  * ima_delete_rules() called to cleanup invalid in-flight policy.
1291  * We don't need locking as we operate on the temp list, which is
1292  * different from the active one.  There is also only one user of
1293  * ima_delete_rules() at a time.
1294  */
1295 void ima_delete_rules(void)
1296 {
1297         struct ima_rule_entry *entry, *tmp;
1298         int i;
1299 
1300         temp_ima_appraise = 0;
1301         list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1302                 for (i = 0; i < MAX_LSM_RULES; i++)
1303                         kfree(entry->lsm[i].args_p);
1304 
1305                 list_del(&entry->list);
1306                 kfree(entry);
1307         }
1308 }
1309 
1310 #define __ima_hook_stringify(str)       (#str),
1311 
1312 const char *const func_tokens[] = {
1313         __ima_hooks(__ima_hook_stringify)
1314 };
1315 
1316 #ifdef  CONFIG_IMA_READ_POLICY
1317 enum {
1318         mask_exec = 0, mask_write, mask_read, mask_append
1319 };
1320 
1321 static const char *const mask_tokens[] = {
1322         "^MAY_EXEC",
1323         "^MAY_WRITE",
1324         "^MAY_READ",
1325         "^MAY_APPEND"
1326 };
1327 
1328 void *ima_policy_start(struct seq_file *m, loff_t *pos)
1329 {
1330         loff_t l = *pos;
1331         struct ima_rule_entry *entry;
1332 
1333         rcu_read_lock();
1334         list_for_each_entry_rcu(entry, ima_rules, list) {
1335                 if (!l--) {
1336                         rcu_read_unlock();
1337                         return entry;
1338                 }
1339         }
1340         rcu_read_unlock();
1341         return NULL;
1342 }
1343 
1344 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1345 {
1346         struct ima_rule_entry *entry = v;
1347 
1348         rcu_read_lock();
1349         entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1350         rcu_read_unlock();
1351         (*pos)++;
1352 
1353         return (&entry->list == ima_rules) ? NULL : entry;
1354 }
1355 
1356 void ima_policy_stop(struct seq_file *m, void *v)
1357 {
1358 }
1359 
1360 #define pt(token)       policy_tokens[token].pattern
1361 #define mt(token)       mask_tokens[token]
1362 
1363 /*
1364  * policy_func_show - display the ima_hooks policy rule
1365  */
1366 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1367 {
1368         if (func > 0 && func < MAX_CHECK)
1369                 seq_printf(m, "func=%s ", func_tokens[func]);
1370         else
1371                 seq_printf(m, "func=%d ", func);
1372 }
1373 
1374 int ima_policy_show(struct seq_file *m, void *v)
1375 {
1376         struct ima_rule_entry *entry = v;
1377         int i;
1378         char tbuf[64] = {0,};
1379         int offset = 0;
1380 
1381         rcu_read_lock();
1382 
1383         if (entry->action & MEASURE)
1384                 seq_puts(m, pt(Opt_measure));
1385         if (entry->action & DONT_MEASURE)
1386                 seq_puts(m, pt(Opt_dont_measure));
1387         if (entry->action & APPRAISE)
1388                 seq_puts(m, pt(Opt_appraise));
1389         if (entry->action & DONT_APPRAISE)
1390                 seq_puts(m, pt(Opt_dont_appraise));
1391         if (entry->action & AUDIT)
1392                 seq_puts(m, pt(Opt_audit));
1393         if (entry->action & HASH)
1394                 seq_puts(m, pt(Opt_hash));
1395         if (entry->action & DONT_HASH)
1396                 seq_puts(m, pt(Opt_dont_hash));
1397 
1398         seq_puts(m, " ");
1399 
1400         if (entry->flags & IMA_FUNC)
1401                 policy_func_show(m, entry->func);
1402 
1403         if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
1404                 if (entry->flags & IMA_MASK)
1405                         offset = 1;
1406                 if (entry->mask & MAY_EXEC)
1407                         seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
1408                 if (entry->mask & MAY_WRITE)
1409                         seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
1410                 if (entry->mask & MAY_READ)
1411                         seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
1412                 if (entry->mask & MAY_APPEND)
1413                         seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
1414                 seq_puts(m, " ");
1415         }
1416 
1417         if (entry->flags & IMA_FSMAGIC) {
1418                 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1419                 seq_printf(m, pt(Opt_fsmagic), tbuf);
1420                 seq_puts(m, " ");
1421         }
1422 
1423         if (entry->flags & IMA_FSNAME) {
1424                 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1425                 seq_printf(m, pt(Opt_fsname), tbuf);
1426                 seq_puts(m, " ");
1427         }
1428 
1429         if (entry->flags & IMA_PCR) {
1430                 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1431                 seq_printf(m, pt(Opt_pcr), tbuf);
1432                 seq_puts(m, " ");
1433         }
1434 
1435         if (entry->flags & IMA_FSUUID) {
1436                 seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1437                 seq_puts(m, " ");
1438         }
1439 
1440         if (entry->flags & IMA_UID) {
1441                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1442                 if (entry->uid_op == &uid_gt)
1443                         seq_printf(m, pt(Opt_uid_gt), tbuf);
1444                 else if (entry->uid_op == &uid_lt)
1445                         seq_printf(m, pt(Opt_uid_lt), tbuf);
1446                 else
1447                         seq_printf(m, pt(Opt_uid_eq), tbuf);
1448                 seq_puts(m, " ");
1449         }
1450 
1451         if (entry->flags & IMA_EUID) {
1452                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1453                 if (entry->uid_op == &uid_gt)
1454                         seq_printf(m, pt(Opt_euid_gt), tbuf);
1455                 else if (entry->uid_op == &uid_lt)
1456                         seq_printf(m, pt(Opt_euid_lt), tbuf);
1457                 else
1458                         seq_printf(m, pt(Opt_euid_eq), tbuf);
1459                 seq_puts(m, " ");
1460         }
1461 
1462         if (entry->flags & IMA_FOWNER) {
1463                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1464                 if (entry->fowner_op == &uid_gt)
1465                         seq_printf(m, pt(Opt_fowner_gt), tbuf);
1466                 else if (entry->fowner_op == &uid_lt)
1467                         seq_printf(m, pt(Opt_fowner_lt), tbuf);
1468                 else
1469                         seq_printf(m, pt(Opt_fowner_eq), tbuf);
1470                 seq_puts(m, " ");
1471         }
1472 
1473         for (i = 0; i < MAX_LSM_RULES; i++) {
1474                 if (entry->lsm[i].rule) {
1475                         switch (i) {
1476                         case LSM_OBJ_USER:
1477                                 seq_printf(m, pt(Opt_obj_user),
1478                                            (char *)entry->lsm[i].args_p);
1479                                 break;
1480                         case LSM_OBJ_ROLE:
1481                                 seq_printf(m, pt(Opt_obj_role),
1482                                            (char *)entry->lsm[i].args_p);
1483                                 break;
1484                         case LSM_OBJ_TYPE:
1485                                 seq_printf(m, pt(Opt_obj_type),
1486                                            (char *)entry->lsm[i].args_p);
1487                                 break;
1488                         case LSM_SUBJ_USER:
1489                                 seq_printf(m, pt(Opt_subj_user),
1490                                            (char *)entry->lsm[i].args_p);
1491                                 break;
1492                         case LSM_SUBJ_ROLE:
1493                                 seq_printf(m, pt(Opt_subj_role),
1494                                            (char *)entry->lsm[i].args_p);
1495                                 break;
1496                         case LSM_SUBJ_TYPE:
1497                                 seq_printf(m, pt(Opt_subj_type),
1498                                            (char *)entry->lsm[i].args_p);
1499                                 break;
1500                         }
1501                 }
1502         }
1503         if (entry->template)
1504                 seq_printf(m, "template=%s ", entry->template->name);
1505         if (entry->flags & IMA_DIGSIG_REQUIRED) {
1506                 if (entry->flags & IMA_MODSIG_ALLOWED)
1507                         seq_puts(m, "appraise_type=imasig|modsig ");
1508                 else
1509                         seq_puts(m, "appraise_type=imasig ");
1510         }
1511         if (entry->flags & IMA_PERMIT_DIRECTIO)
1512                 seq_puts(m, "permit_directio ");
1513         rcu_read_unlock();
1514         seq_puts(m, "\n");
1515         return 0;
1516 }
1517 #endif  /* CONFIG_IMA_READ_POLICY */
1518 
1519 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
1520 /*
1521  * ima_appraise_signature: whether IMA will appraise a given function using
1522  * an IMA digital signature. This is restricted to cases where the kernel
1523  * has a set of built-in trusted keys in order to avoid an attacker simply
1524  * loading additional keys.
1525  */
1526 bool ima_appraise_signature(enum kernel_read_file_id id)
1527 {
1528         struct ima_rule_entry *entry;
1529         bool found = false;
1530         enum ima_hooks func;
1531 
1532         if (id >= READING_MAX_ID)
1533                 return false;
1534 
1535         func = read_idmap[id] ?: FILE_CHECK;
1536 
1537         rcu_read_lock();
1538         list_for_each_entry_rcu(entry, ima_rules, list) {
1539                 if (entry->action != APPRAISE)
1540                         continue;
1541 
1542                 /*
1543                  * A generic entry will match, but otherwise require that it
1544                  * match the func we're looking for
1545                  */
1546                 if (entry->func && entry->func != func)
1547                         continue;
1548 
1549                 /*
1550                  * We require this to be a digital signature, not a raw IMA
1551                  * hash.
1552                  */
1553                 if (entry->flags & IMA_DIGSIG_REQUIRED)
1554                         found = true;
1555 
1556                 /*
1557                  * We've found a rule that matches, so break now even if it
1558                  * didn't require a digital signature - a later rule that does
1559                  * won't override it, so would be a false positive.
1560                  */
1561                 break;
1562         }
1563 
1564         rcu_read_unlock();
1565         return found;
1566 }
1567 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */

/* [<][>][^][v][top][bottom][index][help] */