LXR linux/security/integrity/ima/ima

   1/*
   2 * Copyright (C) 2008 IBM Corporation
   3 * Author: Mimi Zohar <zohar@us.ibm.com>
   4 *
   5 * This program is free software; you can redistribute it and/or modify
   6 * it under the terms of the GNU General Public License as published by
   7 * the Free Software Foundation, version 2 of the License.
   8 *
   9 * ima_policy.c
  10 *      - initialize default measure policy rules
  11 *
  12 */
  13#include <linux/module.h>
  14#include <linux/list.h>
  15#include <linux/fs.h>
  16#include <linux/security.h>
  17#include <linux/magic.h>
  18#include <linux/parser.h>
  19#include <linux/slab.h>
  20#include <linux/rculist.h>
  21#include <linux/genhd.h>
  22#include <linux/seq_file.h>
  23
  24#include "ima.h"
  25
  26/* flags definitions */
  27#define IMA_FUNC        0x0001
  28#define IMA_MASK        0x0002
  29#define IMA_FSMAGIC     0x0004
  30#define IMA_UID         0x0008
  31#define IMA_FOWNER      0x0010
  32#define IMA_FSUUID      0x0020
  33#define IMA_INMASK      0x0040
  34#define IMA_EUID        0x0080
  35#define IMA_PCR         0x0100
  36
  37#define UNKNOWN         0
  38#define MEASURE         0x0001  /* same as IMA_MEASURE */
  39#define DONT_MEASURE    0x0002
  40#define APPRAISE        0x0004  /* same as IMA_APPRAISE */
  41#define DONT_APPRAISE   0x0008
  42#define AUDIT           0x0040
  43
  44#define INVALID_PCR(a) (((a) < 0) || \
  45        (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
  46
  47int ima_policy_flag;
  48static int temp_ima_appraise;
  49
  50#define MAX_LSM_RULES 6
  51enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
  52        LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
  53};
  54
  55enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
  56
  57struct ima_rule_entry {
  58        struct list_head list;
  59        int action;
  60        unsigned int flags;
  61        enum ima_hooks func;
  62        int mask;
  63        unsigned long fsmagic;
  64        uuid_t fsuuid;
  65        kuid_t uid;
  66        kuid_t fowner;
  67        bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
  68        bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
  69        int pcr;
  70        struct {
  71                void *rule;     /* LSM file metadata specific */
  72                void *args_p;   /* audit value */
  73                int type;       /* audit type */
  74        } lsm[MAX_LSM_RULES];
  75};
  76
  77/*
  78 * Without LSM specific knowledge, the default policy can only be
  79 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
  80 */
  81
  82/*
  83 * The minimum rule set to allow for full TCB coverage.  Measures all files
  84 * opened or mmap for exec and everything read by root.  Dangerous because
  85 * normal users can easily run the machine out of memory simply building
  86 * and running executables.
  87 */
  88static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
  89        {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
  90        {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
  91        {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
  92        {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
  93        {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
  94        {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
  95        {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
  96        {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
  97        {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
  98         .flags = IMA_FSMAGIC},
  99        {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
 100         .flags = IMA_FSMAGIC},
 101        {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
 102};
 103
 104static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
 105        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 106         .flags = IMA_FUNC | IMA_MASK},
 107        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 108         .flags = IMA_FUNC | IMA_MASK},
 109        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 110         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 111         .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 112        {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 113        {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 114};
 115
 116static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
 117        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 118         .flags = IMA_FUNC | IMA_MASK},
 119        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 120         .flags = IMA_FUNC | IMA_MASK},
 121        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 122         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 123         .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
 124        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 125         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 126         .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
 127        {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 128        {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 129        {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
 130};
 131
 132static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
 133        {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 134        {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
 135        {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
 136        {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
 137        {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
 138        {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 139        {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 140        {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 141        {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 142        {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 143        {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 144        {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 145#ifdef CONFIG_IMA_WRITE_POLICY
 146        {.action = APPRAISE, .func = POLICY_CHECK,
 147        .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 148#endif
 149#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
 150        {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
 151         .flags = IMA_FOWNER},
 152#else
 153        /* force signature */
 154        {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
 155         .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
 156#endif
 157};
 158
 159static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
 160        {.action = APPRAISE, .func = MODULE_CHECK,
 161         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 162        {.action = APPRAISE, .func = FIRMWARE_CHECK,
 163         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 164        {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
 165         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 166        {.action = APPRAISE, .func = POLICY_CHECK,
 167         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 168};
 169
 170static LIST_HEAD(ima_default_rules);
 171static LIST_HEAD(ima_policy_rules);
 172static LIST_HEAD(ima_temp_rules);
 173static struct list_head *ima_rules;
 174
 175static int ima_policy __initdata;
 176
 177static int __init default_measure_policy_setup(char *str)
 178{
 179        if (ima_policy)
 180                return 1;
 181
 182        ima_policy = ORIGINAL_TCB;
 183        return 1;
 184}
 185__setup("ima_tcb", default_measure_policy_setup);
 186
 187static bool ima_use_appraise_tcb __initdata;
 188static bool ima_use_secure_boot __initdata;
 189static int __init policy_setup(char *str)
 190{
 191        char *p;
 192
 193        while ((p = strsep(&str, " |\n")) != NULL) {
 194                if (*p == ' ')
 195                        continue;
 196                if ((strcmp(p, "tcb") == 0) && !ima_policy)
 197                        ima_policy = DEFAULT_TCB;
 198                else if (strcmp(p, "appraise_tcb") == 0)
 199                        ima_use_appraise_tcb = 1;
 200                else if (strcmp(p, "secure_boot") == 0)
 201                        ima_use_secure_boot = 1;
 202        }
 203
 204        return 1;
 205}
 206__setup("ima_policy=", policy_setup);
 207
 208static int __init default_appraise_policy_setup(char *str)
 209{
 210        ima_use_appraise_tcb = 1;
 211        return 1;
 212}
 213__setup("ima_appraise_tcb", default_appraise_policy_setup);
 214
 215/*
 216 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
 217 * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
 218 * the reloaded LSM policy.  We assume the rules still exist; and BUG_ON() if
 219 * they don't.
 220 */
 221static void ima_lsm_update_rules(void)
 222{
 223        struct ima_rule_entry *entry;
 224        int result;
 225        int i;
 226
 227        list_for_each_entry(entry, &ima_policy_rules, list) {
 228                for (i = 0; i < MAX_LSM_RULES; i++) {
 229                        if (!entry->lsm[i].rule)
 230                                continue;
 231                        result = security_filter_rule_init(entry->lsm[i].type,
 232                                                           Audit_equal,
 233                                                           entry->lsm[i].args_p,
 234                                                           &entry->lsm[i].rule);
 235                        BUG_ON(!entry->lsm[i].rule);
 236                }
 237        }
 238}
 239
 240/**
 241 * ima_match_rules - determine whether an inode matches the measure rule.
 242 * @rule: a pointer to a rule
 243 * @inode: a pointer to an inode
 244 * @func: LIM hook identifier
 245 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 246 *
 247 * Returns true on rule match, false on failure.
 248 */
 249static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 250                            enum ima_hooks func, int mask)
 251{
 252        struct task_struct *tsk = current;
 253        const struct cred *cred = current_cred();
 254        int i;
 255
 256        if ((rule->flags & IMA_FUNC) &&
 257            (rule->func != func && func != POST_SETATTR))
 258                return false;
 259        if ((rule->flags & IMA_MASK) &&
 260            (rule->mask != mask && func != POST_SETATTR))
 261                return false;
 262        if ((rule->flags & IMA_INMASK) &&
 263            (!(rule->mask & mask) && func != POST_SETATTR))
 264                return false;
 265        if ((rule->flags & IMA_FSMAGIC)
 266            && rule->fsmagic != inode->i_sb->s_magic)
 267                return false;
 268        if ((rule->flags & IMA_FSUUID) &&
 269            !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
 270                return false;
 271        if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
 272                return false;
 273        if (rule->flags & IMA_EUID) {
 274                if (has_capability_noaudit(current, CAP_SETUID)) {
 275                        if (!rule->uid_op(cred->euid, rule->uid)
 276                            && !rule->uid_op(cred->suid, rule->uid)
 277                            && !rule->uid_op(cred->uid, rule->uid))
 278                                return false;
 279                } else if (!rule->uid_op(cred->euid, rule->uid))
 280                        return false;
 281        }
 282
 283        if ((rule->flags & IMA_FOWNER) &&
 284            !rule->fowner_op(inode->i_uid, rule->fowner))
 285                return false;
 286        for (i = 0; i < MAX_LSM_RULES; i++) {
 287                int rc = 0;
 288                u32 osid, sid;
 289                int retried = 0;
 290
 291                if (!rule->lsm[i].rule)
 292                        continue;
 293retry:
 294                switch (i) {
 295                case LSM_OBJ_USER:
 296                case LSM_OBJ_ROLE:
 297                case LSM_OBJ_TYPE:
 298                        security_inode_getsecid(inode, &osid);
 299                        rc = security_filter_rule_match(osid,
 300                                                        rule->lsm[i].type,
 301                                                        Audit_equal,
 302                                                        rule->lsm[i].rule,
 303                                                        NULL);
 304                        break;
 305                case LSM_SUBJ_USER:
 306                case LSM_SUBJ_ROLE:
 307                case LSM_SUBJ_TYPE:
 308                        security_task_getsecid(tsk, &sid);
 309                        rc = security_filter_rule_match(sid,
 310                                                        rule->lsm[i].type,
 311                                                        Audit_equal,
 312                                                        rule->lsm[i].rule,
 313                                                        NULL);
 314                default:
 315                        break;
 316                }
 317                if ((rc < 0) && (!retried)) {
 318                        retried = 1;
 319                        ima_lsm_update_rules();
 320                        goto retry;
 321                }
 322                if (!rc)
 323                        return false;
 324        }
 325        return true;
 326}
 327
 328/*
 329 * In addition to knowing that we need to appraise the file in general,
 330 * we need to differentiate between calling hooks, for hook specific rules.
 331 */
 332static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 333{
 334        if (!(rule->flags & IMA_FUNC))
 335                return IMA_FILE_APPRAISE;
 336
 337        switch (func) {
 338        case MMAP_CHECK:
 339                return IMA_MMAP_APPRAISE;
 340        case BPRM_CHECK:
 341                return IMA_BPRM_APPRAISE;
 342        case FILE_CHECK:
 343        case POST_SETATTR:
 344                return IMA_FILE_APPRAISE;
 345        case MODULE_CHECK ... MAX_CHECK - 1:
 346        default:
 347                return IMA_READ_APPRAISE;
 348        }
 349}
 350
 351/**
 352 * ima_match_policy - decision based on LSM and other conditions
 353 * @inode: pointer to an inode for which the policy decision is being made
 354 * @func: IMA hook identifier
 355 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 356 * @pcr: set the pcr to extend
 357 *
 358 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
 359 * conditions.
 360 *
 361 * Since the IMA policy may be updated multiple times we need to lock the
 362 * list when walking it.  Reads are many orders of magnitude more numerous
 363 * than writes so ima_match_policy() is classical RCU candidate.
 364 */
 365int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
 366                     int flags, int *pcr)
 367{
 368        struct ima_rule_entry *entry;
 369        int action = 0, actmask = flags | (flags << 1);
 370
 371        rcu_read_lock();
 372        list_for_each_entry_rcu(entry, ima_rules, list) {
 373
 374                if (!(entry->action & actmask))
 375                        continue;
 376
 377                if (!ima_match_rules(entry, inode, func, mask))
 378                        continue;
 379
 380                action |= entry->flags & IMA_ACTION_FLAGS;
 381
 382                action |= entry->action & IMA_DO_MASK;
 383                if (entry->action & IMA_APPRAISE)
 384                        action |= get_subaction(entry, func);
 385
 386                if (entry->action & IMA_DO_MASK)
 387                        actmask &= ~(entry->action | entry->action << 1);
 388                else
 389                        actmask &= ~(entry->action | entry->action >> 1);
 390
 391                if ((pcr) && (entry->flags & IMA_PCR))
 392                        *pcr = entry->pcr;
 393
 394                if (!actmask)
 395                        break;
 396        }
 397        rcu_read_unlock();
 398
 399        return action;
 400}
 401
 402/*
 403 * Initialize the ima_policy_flag variable based on the currently
 404 * loaded policy.  Based on this flag, the decision to short circuit
 405 * out of a function or not call the function in the first place
 406 * can be made earlier.
 407 */
 408void ima_update_policy_flag(void)
 409{
 410        struct ima_rule_entry *entry;
 411
 412        list_for_each_entry(entry, ima_rules, list) {
 413                if (entry->action & IMA_DO_MASK)
 414                        ima_policy_flag |= entry->action;
 415        }
 416
 417        ima_appraise |= temp_ima_appraise;
 418        if (!ima_appraise)
 419                ima_policy_flag &= ~IMA_APPRAISE;
 420}
 421
 422/**
 423 * ima_init_policy - initialize the default measure rules.
 424 *
 425 * ima_rules points to either the ima_default_rules or the
 426 * the new ima_policy_rules.
 427 */
 428void __init ima_init_policy(void)
 429{
 430        int i, measure_entries, appraise_entries, secure_boot_entries;
 431
 432        /* if !ima_policy set entries = 0 so we load NO default rules */
 433        measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
 434        appraise_entries = ima_use_appraise_tcb ?
 435                         ARRAY_SIZE(default_appraise_rules) : 0;
 436        secure_boot_entries = ima_use_secure_boot ?
 437                        ARRAY_SIZE(secure_boot_rules) : 0;
 438
 439        for (i = 0; i < measure_entries; i++)
 440                list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
 441
 442        switch (ima_policy) {
 443        case ORIGINAL_TCB:
 444                for (i = 0; i < ARRAY_SIZE(original_measurement_rules); i++)
 445                        list_add_tail(&original_measurement_rules[i].list,
 446                                      &ima_default_rules);
 447                break;
 448        case DEFAULT_TCB:
 449                for (i = 0; i < ARRAY_SIZE(default_measurement_rules); i++)
 450                        list_add_tail(&default_measurement_rules[i].list,
 451                                      &ima_default_rules);
 452        default:
 453                break;
 454        }
 455
 456        /*
 457         * Insert the appraise rules requiring file signatures, prior to
 458         * any other appraise rules.
 459         */
 460        for (i = 0; i < secure_boot_entries; i++)
 461                list_add_tail(&secure_boot_rules[i].list,
 462                              &ima_default_rules);
 463
 464        for (i = 0; i < appraise_entries; i++) {
 465                list_add_tail(&default_appraise_rules[i].list,
 466                              &ima_default_rules);
 467                if (default_appraise_rules[i].func == POLICY_CHECK)
 468                        temp_ima_appraise |= IMA_APPRAISE_POLICY;
 469        }
 470
 471        ima_rules = &ima_default_rules;
 472        ima_update_policy_flag();
 473}
 474
 475/* Make sure we have a valid policy, at least containing some rules. */
 476int ima_check_policy(void)
 477{
 478        if (list_empty(&ima_temp_rules))
 479                return -EINVAL;
 480        return 0;
 481}
 482
 483/**
 484 * ima_update_policy - update default_rules with new measure rules
 485 *
 486 * Called on file .release to update the default rules with a complete new
 487 * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
 488 * they make a queue.  The policy may be updated multiple times and this is the
 489 * RCU updater.
 490 *
 491 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
 492 * we switch from the default policy to user defined.
 493 */
 494void ima_update_policy(void)
 495{
 496        struct list_head *first, *last, *policy;
 497
 498        /* append current policy with the new rules */
 499        first = (&ima_temp_rules)->next;
 500        last = (&ima_temp_rules)->prev;
 501        policy = &ima_policy_rules;
 502
 503        synchronize_rcu();
 504
 505        last->next = policy;
 506        rcu_assign_pointer(list_next_rcu(policy->prev), first);
 507        first->prev = policy->prev;
 508        policy->prev = last;
 509
 510        /* prepare for the next policy rules addition */
 511        INIT_LIST_HEAD(&ima_temp_rules);
 512
 513        if (ima_rules != policy) {
 514                ima_policy_flag = 0;
 515                ima_rules = policy;
 516        }
 517        ima_update_policy_flag();
 518}
 519
 520enum {
 521        Opt_err = -1,
 522        Opt_measure = 1, Opt_dont_measure,
 523        Opt_appraise, Opt_dont_appraise,
 524        Opt_audit,
 525        Opt_obj_user, Opt_obj_role, Opt_obj_type,
 526        Opt_subj_user, Opt_subj_role, Opt_subj_type,
 527        Opt_func, Opt_mask, Opt_fsmagic,
 528        Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
 529        Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
 530        Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
 531        Opt_appraise_type, Opt_permit_directio,
 532        Opt_pcr
 533};
 534
 535static match_table_t policy_tokens = {
 536        {Opt_measure, "measure"},
 537        {Opt_dont_measure, "dont_measure"},
 538        {Opt_appraise, "appraise"},
 539        {Opt_dont_appraise, "dont_appraise"},
 540        {Opt_audit, "audit"},
 541        {Opt_obj_user, "obj_user=%s"},
 542        {Opt_obj_role, "obj_role=%s"},
 543        {Opt_obj_type, "obj_type=%s"},
 544        {Opt_subj_user, "subj_user=%s"},
 545        {Opt_subj_role, "subj_role=%s"},
 546        {Opt_subj_type, "subj_type=%s"},
 547        {Opt_func, "func=%s"},
 548        {Opt_mask, "mask=%s"},
 549        {Opt_fsmagic, "fsmagic=%s"},
 550        {Opt_fsuuid, "fsuuid=%s"},
 551        {Opt_uid_eq, "uid=%s"},
 552        {Opt_euid_eq, "euid=%s"},
 553        {Opt_fowner_eq, "fowner=%s"},
 554        {Opt_uid_gt, "uid>%s"},
 555        {Opt_euid_gt, "euid>%s"},
 556        {Opt_fowner_gt, "fowner>%s"},
 557        {Opt_uid_lt, "uid<%s"},
 558        {Opt_euid_lt, "euid<%s"},
 559        {Opt_fowner_lt, "fowner<%s"},
 560        {Opt_appraise_type, "appraise_type=%s"},
 561        {Opt_permit_directio, "permit_directio"},
 562        {Opt_pcr, "pcr=%s"},
 563        {Opt_err, NULL}
 564};
 565
 566static int ima_lsm_rule_init(struct ima_rule_entry *entry,
 567                             substring_t *args, int lsm_rule, int audit_type)
 568{
 569        int result;
 570
 571        if (entry->lsm[lsm_rule].rule)
 572                return -EINVAL;
 573
 574        entry->lsm[lsm_rule].args_p = match_strdup(args);
 575        if (!entry->lsm[lsm_rule].args_p)
 576                return -ENOMEM;
 577
 578        entry->lsm[lsm_rule].type = audit_type;
 579        result = security_filter_rule_init(entry->lsm[lsm_rule].type,
 580                                           Audit_equal,
 581                                           entry->lsm[lsm_rule].args_p,
 582                                           &entry->lsm[lsm_rule].rule);
 583        if (!entry->lsm[lsm_rule].rule) {
 584                kfree(entry->lsm[lsm_rule].args_p);
 585                return -EINVAL;
 586        }
 587
 588        return result;
 589}
 590
 591static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
 592                              bool (*rule_operator)(kuid_t, kuid_t))
 593{
 594        if (rule_operator == &uid_gt)
 595                audit_log_format(ab, "%s>", key);
 596        else if (rule_operator == &uid_lt)
 597                audit_log_format(ab, "%s<", key);
 598        else
 599                audit_log_format(ab, "%s=", key);
 600        audit_log_untrustedstring(ab, value);
 601        audit_log_format(ab, " ");
 602}
 603static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
 604{
 605        ima_log_string_op(ab, key, value, NULL);
 606}
 607
 608static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 609{
 610        struct audit_buffer *ab;
 611        char *from;
 612        char *p;
 613        bool uid_token;
 614        int result = 0;
 615
 616        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
 617
 618        entry->uid = INVALID_UID;
 619        entry->fowner = INVALID_UID;
 620        entry->uid_op = &uid_eq;
 621        entry->fowner_op = &uid_eq;
 622        entry->action = UNKNOWN;
 623        while ((p = strsep(&rule, " \t")) != NULL) {
 624                substring_t args[MAX_OPT_ARGS];
 625                int token;
 626                unsigned long lnum;
 627
 628                if (result < 0)
 629                        break;
 630                if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
 631                        continue;
 632                token = match_token(p, policy_tokens, args);
 633                switch (token) {
 634                case Opt_measure:
 635                        ima_log_string(ab, "action", "measure");
 636
 637                        if (entry->action != UNKNOWN)
 638                                result = -EINVAL;
 639
 640                        entry->action = MEASURE;
 641                        break;
 642                case Opt_dont_measure:
 643                        ima_log_string(ab, "action", "dont_measure");
 644
 645                        if (entry->action != UNKNOWN)
 646                                result = -EINVAL;
 647
 648                        entry->action = DONT_MEASURE;
 649                        break;
 650                case Opt_appraise:
 651                        ima_log_string(ab, "action", "appraise");
 652
 653                        if (entry->action != UNKNOWN)
 654                                result = -EINVAL;
 655
 656                        entry->action = APPRAISE;
 657                        break;
 658                case Opt_dont_appraise:
 659                        ima_log_string(ab, "action", "dont_appraise");
 660
 661                        if (entry->action != UNKNOWN)
 662                                result = -EINVAL;
 663
 664                        entry->action = DONT_APPRAISE;
 665                        break;
 666                case Opt_audit:
 667                        ima_log_string(ab, "action", "audit");
 668
 669                        if (entry->action != UNKNOWN)
 670                                result = -EINVAL;
 671
 672                        entry->action = AUDIT;
 673                        break;
 674                case Opt_func:
 675                        ima_log_string(ab, "func", args[0].from);
 676
 677                        if (entry->func)
 678                                result = -EINVAL;
 679
 680                        if (strcmp(args[0].from, "FILE_CHECK") == 0)
 681                                entry->func = FILE_CHECK;
 682                        /* PATH_CHECK is for backwards compat */
 683                        else if (strcmp(args[0].from, "PATH_CHECK") == 0)
 684                                entry->func = FILE_CHECK;
 685                        else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
 686                                entry->func = MODULE_CHECK;
 687                        else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
 688                                entry->func = FIRMWARE_CHECK;
 689                        else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
 690                                || (strcmp(args[0].from, "MMAP_CHECK") == 0))
 691                                entry->func = MMAP_CHECK;
 692                        else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
 693                                entry->func = BPRM_CHECK;
 694                        else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
 695                                 0)
 696                                entry->func = KEXEC_KERNEL_CHECK;
 697                        else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
 698                                 == 0)
 699                                entry->func = KEXEC_INITRAMFS_CHECK;
 700                        else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
 701                                entry->func = POLICY_CHECK;
 702                        else
 703                                result = -EINVAL;
 704                        if (!result)
 705                                entry->flags |= IMA_FUNC;
 706                        break;
 707                case Opt_mask:
 708                        ima_log_string(ab, "mask", args[0].from);
 709
 710                        if (entry->mask)
 711                                result = -EINVAL;
 712
 713                        from = args[0].from;
 714                        if (*from == '^')
 715                                from++;
 716
 717                        if ((strcmp(from, "MAY_EXEC")) == 0)
 718                                entry->mask = MAY_EXEC;
 719                        else if (strcmp(from, "MAY_WRITE") == 0)
 720                                entry->mask = MAY_WRITE;
 721                        else if (strcmp(from, "MAY_READ") == 0)
 722                                entry->mask = MAY_READ;
 723                        else if (strcmp(from, "MAY_APPEND") == 0)
 724                                entry->mask = MAY_APPEND;
 725                        else
 726                                result = -EINVAL;
 727                        if (!result)
 728                                entry->flags |= (*args[0].from == '^')
 729                                     ? IMA_INMASK : IMA_MASK;
 730                        break;
 731                case Opt_fsmagic:
 732                        ima_log_string(ab, "fsmagic", args[0].from);
 733
 734                        if (entry->fsmagic) {
 735                                result = -EINVAL;
 736                                break;
 737                        }
 738
 739                        result = kstrtoul(args[0].from, 16, &entry->fsmagic);
 740                        if (!result)
 741                                entry->flags |= IMA_FSMAGIC;
 742                        break;
 743                case Opt_fsuuid:
 744                        ima_log_string(ab, "fsuuid", args[0].from);
 745
 746                        if (uuid_is_null(&entry->fsuuid)) {
 747                                result = -EINVAL;
 748                                break;
 749                        }
 750
 751                        result = uuid_parse(args[0].from, &entry->fsuuid);
 752                        if (!result)
 753                                entry->flags |= IMA_FSUUID;
 754                        break;
 755                case Opt_uid_gt:
 756                case Opt_euid_gt:
 757                        entry->uid_op = &uid_gt;
 758                case Opt_uid_lt:
 759                case Opt_euid_lt:
 760                        if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
 761                                entry->uid_op = &uid_lt;
 762                case Opt_uid_eq:
 763                case Opt_euid_eq:
 764                        uid_token = (token == Opt_uid_eq) ||
 765                                    (token == Opt_uid_gt) ||
 766                                    (token == Opt_uid_lt);
 767
 768                        ima_log_string_op(ab, uid_token ? "uid" : "euid",
 769                                          args[0].from, entry->uid_op);
 770
 771                        if (uid_valid(entry->uid)) {
 772                                result = -EINVAL;
 773                                break;
 774                        }
 775
 776                        result = kstrtoul(args[0].from, 10, &lnum);
 777                        if (!result) {
 778                                entry->uid = make_kuid(current_user_ns(),
 779                                                       (uid_t) lnum);
 780                                if (!uid_valid(entry->uid) ||
 781                                    (uid_t)lnum != lnum)
 782                                        result = -EINVAL;
 783                                else
 784                                        entry->flags |= uid_token
 785                                            ? IMA_UID : IMA_EUID;
 786                        }
 787                        break;
 788                case Opt_fowner_gt:
 789                        entry->fowner_op = &uid_gt;
 790                case Opt_fowner_lt:
 791                        if (token == Opt_fowner_lt)
 792                                entry->fowner_op = &uid_lt;
 793                case Opt_fowner_eq:
 794                        ima_log_string_op(ab, "fowner", args[0].from,
 795                                          entry->fowner_op);
 796
 797                        if (uid_valid(entry->fowner)) {
 798                                result = -EINVAL;
 799                                break;
 800                        }
 801
 802                        result = kstrtoul(args[0].from, 10, &lnum);
 803                        if (!result) {
 804                                entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
 805                                if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
 806                                        result = -EINVAL;
 807                                else
 808                                        entry->flags |= IMA_FOWNER;
 809                        }
 810                        break;
 811                case Opt_obj_user:
 812                        ima_log_string(ab, "obj_user", args[0].from);
 813                        result = ima_lsm_rule_init(entry, args,
 814                                                   LSM_OBJ_USER,
 815                                                   AUDIT_OBJ_USER);
 816                        break;
 817                case Opt_obj_role:
 818                        ima_log_string(ab, "obj_role", args[0].from);
 819                        result = ima_lsm_rule_init(entry, args,
 820                                                   LSM_OBJ_ROLE,
 821                                                   AUDIT_OBJ_ROLE);
 822                        break;
 823                case Opt_obj_type:
 824                        ima_log_string(ab, "obj_type", args[0].from);
 825                        result = ima_lsm_rule_init(entry, args,
 826                                                   LSM_OBJ_TYPE,
 827                                                   AUDIT_OBJ_TYPE);
 828                        break;
 829                case Opt_subj_user:
 830                        ima_log_string(ab, "subj_user", args[0].from);
 831                        result = ima_lsm_rule_init(entry, args,
 832                                                   LSM_SUBJ_USER,
 833                                                   AUDIT_SUBJ_USER);
 834                        break;
 835                case Opt_subj_role:
 836                        ima_log_string(ab, "subj_role", args[0].from);
 837                        result = ima_lsm_rule_init(entry, args,
 838                                                   LSM_SUBJ_ROLE,
 839                                                   AUDIT_SUBJ_ROLE);
 840                        break;
 841                case Opt_subj_type:
 842                        ima_log_string(ab, "subj_type", args[0].from);
 843                        result = ima_lsm_rule_init(entry, args,
 844                                                   LSM_SUBJ_TYPE,
 845                                                   AUDIT_SUBJ_TYPE);
 846                        break;
 847                case Opt_appraise_type:
 848                        if (entry->action != APPRAISE) {
 849                                result = -EINVAL;
 850                                break;
 851                        }
 852
 853                        ima_log_string(ab, "appraise_type", args[0].from);
 854                        if ((strcmp(args[0].from, "imasig")) == 0)
 855                                entry->flags |= IMA_DIGSIG_REQUIRED;
 856                        else
 857                                result = -EINVAL;
 858                        break;
 859                case Opt_permit_directio:
 860                        entry->flags |= IMA_PERMIT_DIRECTIO;
 861                        break;
 862                case Opt_pcr:
 863                        if (entry->action != MEASURE) {
 864                                result = -EINVAL;
 865                                break;
 866                        }
 867                        ima_log_string(ab, "pcr", args[0].from);
 868
 869                        result = kstrtoint(args[0].from, 10, &entry->pcr);
 870                        if (result || INVALID_PCR(entry->pcr))
 871                                result = -EINVAL;
 872                        else
 873                                entry->flags |= IMA_PCR;
 874
 875                        break;
 876                case Opt_err:
 877                        ima_log_string(ab, "UNKNOWN", p);
 878                        result = -EINVAL;
 879                        break;
 880                }
 881        }
 882        if (!result && (entry->action == UNKNOWN))
 883                result = -EINVAL;
 884        else if (entry->func == MODULE_CHECK)
 885                temp_ima_appraise |= IMA_APPRAISE_MODULES;
 886        else if (entry->func == FIRMWARE_CHECK)
 887                temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
 888        else if (entry->func == POLICY_CHECK)
 889                temp_ima_appraise |= IMA_APPRAISE_POLICY;
 890        audit_log_format(ab, "res=%d", !result);
 891        audit_log_end(ab);
 892        return result;
 893}
 894
 895/**
 896 * ima_parse_add_rule - add a rule to ima_policy_rules
 897 * @rule - ima measurement policy rule
 898 *
 899 * Avoid locking by allowing just one writer at a time in ima_write_policy()
 900 * Returns the length of the rule parsed, an error code on failure
 901 */
 902ssize_t ima_parse_add_rule(char *rule)
 903{
 904        static const char op[] = "update_policy";
 905        char *p;
 906        struct ima_rule_entry *entry;
 907        ssize_t result, len;
 908        int audit_info = 0;
 909
 910        p = strsep(&rule, "\n");
 911        len = strlen(p) + 1;
 912        p += strspn(p, " \t");
 913
 914        if (*p == '#' || *p == '\0')
 915                return len;
 916
 917        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 918        if (!entry) {
 919                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
 920                                    NULL, op, "-ENOMEM", -ENOMEM, audit_info);
 921                return -ENOMEM;
 922        }
 923
 924        INIT_LIST_HEAD(&entry->list);
 925
 926        result = ima_parse_rule(p, entry);
 927        if (result) {
 928                kfree(entry);
 929                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
 930                                    NULL, op, "invalid-policy", result,
 931                                    audit_info);
 932                return result;
 933        }
 934
 935        list_add_tail(&entry->list, &ima_temp_rules);
 936
 937        return len;
 938}
 939
 940/**
 941 * ima_delete_rules() called to cleanup invalid in-flight policy.
 942 * We don't need locking as we operate on the temp list, which is
 943 * different from the active one.  There is also only one user of
 944 * ima_delete_rules() at a time.
 945 */
 946void ima_delete_rules(void)
 947{
 948        struct ima_rule_entry *entry, *tmp;
 949        int i;
 950
 951        temp_ima_appraise = 0;
 952        list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
 953                for (i = 0; i < MAX_LSM_RULES; i++)
 954                        kfree(entry->lsm[i].args_p);
 955
 956                list_del(&entry->list);
 957                kfree(entry);
 958        }
 959}
 960
 961#ifdef  CONFIG_IMA_READ_POLICY
 962enum {
 963        mask_exec = 0, mask_write, mask_read, mask_append
 964};
 965
 966static const char *const mask_tokens[] = {
 967        "MAY_EXEC",
 968        "MAY_WRITE",
 969        "MAY_READ",
 970        "MAY_APPEND"
 971};
 972
 973#define __ima_hook_stringify(str)       (#str),
 974
 975static const char *const func_tokens[] = {
 976        __ima_hooks(__ima_hook_stringify)
 977};
 978
 979void *ima_policy_start(struct seq_file *m, loff_t *pos)
 980{
 981        loff_t l = *pos;
 982        struct ima_rule_entry *entry;
 983
 984        rcu_read_lock();
 985        list_for_each_entry_rcu(entry, ima_rules, list) {
 986                if (!l--) {
 987                        rcu_read_unlock();
 988                        return entry;
 989                }
 990        }
 991        rcu_read_unlock();
 992        return NULL;
 993}
 994
 995void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
 996{
 997        struct ima_rule_entry *entry = v;
 998
 999        rcu_read_lock();
1000        entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);

1001        rcu_read_unlock();
1002        (*pos)++;
1003
1004        return (&entry->list == ima_rules) ? NULL : entry;
1005}
1006
1007void ima_policy_stop(struct seq_file *m, void *v)
1008{
1009}
1010
1011#define pt(token)       policy_tokens[token + Opt_err].pattern
1012#define mt(token)       mask_tokens[token]
1013
1014/*
1015 * policy_func_show - display the ima_hooks policy rule
1016 */
1017static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1018{
1019        if (func > 0 && func < MAX_CHECK)
1020                seq_printf(m, "func=%s ", func_tokens[func]);
1021        else
1022                seq_printf(m, "func=%d ", func);
1023}
1024
1025int ima_policy_show(struct seq_file *m, void *v)
1026{
1027        struct ima_rule_entry *entry = v;
1028        int i;
1029        char tbuf[64] = {0,};
1030
1031        rcu_read_lock();
1032
1033        if (entry->action & MEASURE)
1034                seq_puts(m, pt(Opt_measure));
1035        if (entry->action & DONT_MEASURE)
1036                seq_puts(m, pt(Opt_dont_measure));
1037        if (entry->action & APPRAISE)
1038                seq_puts(m, pt(Opt_appraise));
1039        if (entry->action & DONT_APPRAISE)
1040                seq_puts(m, pt(Opt_dont_appraise));
1041        if (entry->action & AUDIT)
1042                seq_puts(m, pt(Opt_audit));
1043
1044        seq_puts(m, " ");
1045
1046        if (entry->flags & IMA_FUNC)
1047                policy_func_show(m, entry->func);
1048
1049        if (entry->flags & IMA_MASK) {
1050                if (entry->mask & MAY_EXEC)
1051                        seq_printf(m, pt(Opt_mask), mt(mask_exec));
1052                if (entry->mask & MAY_WRITE)
1053                        seq_printf(m, pt(Opt_mask), mt(mask_write));
1054                if (entry->mask & MAY_READ)
1055                        seq_printf(m, pt(Opt_mask), mt(mask_read));
1056                if (entry->mask & MAY_APPEND)
1057                        seq_printf(m, pt(Opt_mask), mt(mask_append));
1058                seq_puts(m, " ");
1059        }
1060
1061        if (entry->flags & IMA_FSMAGIC) {
1062                snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1063                seq_printf(m, pt(Opt_fsmagic), tbuf);
1064                seq_puts(m, " ");
1065        }
1066
1067        if (entry->flags & IMA_PCR) {
1068                snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1069                seq_printf(m, pt(Opt_pcr), tbuf);
1070                seq_puts(m, " ");
1071        }
1072
1073        if (entry->flags & IMA_FSUUID) {
1074                seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1075                seq_puts(m, " ");
1076        }
1077
1078        if (entry->flags & IMA_UID) {
1079                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1080                if (entry->uid_op == &uid_gt)
1081                        seq_printf(m, pt(Opt_uid_gt), tbuf);
1082                else if (entry->uid_op == &uid_lt)
1083                        seq_printf(m, pt(Opt_uid_lt), tbuf);
1084                else
1085                        seq_printf(m, pt(Opt_uid_eq), tbuf);
1086                seq_puts(m, " ");
1087        }
1088
1089        if (entry->flags & IMA_EUID) {
1090                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1091                if (entry->uid_op == &uid_gt)
1092                        seq_printf(m, pt(Opt_euid_gt), tbuf);
1093                else if (entry->uid_op == &uid_lt)
1094                        seq_printf(m, pt(Opt_euid_lt), tbuf);
1095                else
1096                        seq_printf(m, pt(Opt_euid_eq), tbuf);
1097                seq_puts(m, " ");
1098        }
1099
1100        if (entry->flags & IMA_FOWNER) {
1101                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1102                if (entry->fowner_op == &uid_gt)
1103                        seq_printf(m, pt(Opt_fowner_gt), tbuf);
1104                else if (entry->fowner_op == &uid_lt)
1105                        seq_printf(m, pt(Opt_fowner_lt), tbuf);
1106                else
1107                        seq_printf(m, pt(Opt_fowner_eq), tbuf);
1108                seq_puts(m, " ");
1109        }
1110
1111        for (i = 0; i < MAX_LSM_RULES; i++) {
1112                if (entry->lsm[i].rule) {
1113                        switch (i) {
1114                        case LSM_OBJ_USER:
1115                                seq_printf(m, pt(Opt_obj_user),
1116                                           (char *)entry->lsm[i].args_p);
1117                                break;
1118                        case LSM_OBJ_ROLE:
1119                                seq_printf(m, pt(Opt_obj_role),
1120                                           (char *)entry->lsm[i].args_p);
1121                                break;
1122                        case LSM_OBJ_TYPE:
1123                                seq_printf(m, pt(Opt_obj_type),
1124                                           (char *)entry->lsm[i].args_p);
1125                                break;
1126                        case LSM_SUBJ_USER:
1127                                seq_printf(m, pt(Opt_subj_user),
1128                                           (char *)entry->lsm[i].args_p);
1129                                break;
1130                        case LSM_SUBJ_ROLE:
1131                                seq_printf(m, pt(Opt_subj_role),
1132                                           (char *)entry->lsm[i].args_p);
1133                                break;
1134                        case LSM_SUBJ_TYPE:
1135                                seq_printf(m, pt(Opt_subj_type),
1136                                           (char *)entry->lsm[i].args_p);
1137                                break;
1138                        }
1139                }
1140        }
1141        if (entry->flags & IMA_DIGSIG_REQUIRED)
1142                seq_puts(m, "appraise_type=imasig ");
1143        if (entry->flags & IMA_PERMIT_DIRECTIO)
1144                seq_puts(m, "permit_directio ");
1145        rcu_read_unlock();
1146        seq_puts(m, "\n");
1147        return 0;
1148}
1149#endif  /* CONFIG_IMA_READ_POLICY */
1150