linux/security/integrity/ima/ima_policy.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright (C) 2008 IBM Corporation
   4 * Author: Mimi Zohar <zohar@us.ibm.com>
   5 *
   6 * ima_policy.c
   7 *      - initialize default measure policy rules
   8 */
   9
  10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  11
  12#include <linux/init.h>
  13#include <linux/list.h>
  14#include <linux/fs.h>
  15#include <linux/security.h>
  16#include <linux/magic.h>
  17#include <linux/parser.h>
  18#include <linux/slab.h>
  19#include <linux/rculist.h>
  20#include <linux/genhd.h>
  21#include <linux/seq_file.h>
  22#include <linux/ima.h>
  23
  24#include "ima.h"
  25
  26/* flags definitions */
  27#define IMA_FUNC        0x0001
  28#define IMA_MASK        0x0002
  29#define IMA_FSMAGIC     0x0004
  30#define IMA_UID         0x0008
  31#define IMA_FOWNER      0x0010
  32#define IMA_FSUUID      0x0020
  33#define IMA_INMASK      0x0040
  34#define IMA_EUID        0x0080
  35#define IMA_PCR         0x0100
  36#define IMA_FSNAME      0x0200
  37
  38#define UNKNOWN         0
  39#define MEASURE         0x0001  /* same as IMA_MEASURE */
  40#define DONT_MEASURE    0x0002
  41#define APPRAISE        0x0004  /* same as IMA_APPRAISE */
  42#define DONT_APPRAISE   0x0008
  43#define AUDIT           0x0040
  44#define HASH            0x0100
  45#define DONT_HASH       0x0200
  46
  47#define INVALID_PCR(a) (((a) < 0) || \
  48        (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
  49
  50int ima_policy_flag;
  51static int temp_ima_appraise;
  52static int build_ima_appraise __ro_after_init;
  53
  54#define MAX_LSM_RULES 6
  55enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
  56        LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
  57};
  58
  59enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
  60
  61enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
  62
  63struct ima_rule_entry {
  64        struct list_head list;
  65        int action;
  66        unsigned int flags;
  67        enum ima_hooks func;
  68        int mask;
  69        unsigned long fsmagic;
  70        uuid_t fsuuid;
  71        kuid_t uid;
  72        kuid_t fowner;
  73        bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
  74        bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
  75        int pcr;
  76        struct {
  77                void *rule;     /* LSM file metadata specific */
  78                void *args_p;   /* audit value */
  79                int type;       /* audit type */
  80        } lsm[MAX_LSM_RULES];
  81        char *fsname;
  82        struct ima_template_desc *template;
  83};
  84
  85/*
  86 * Without LSM specific knowledge, the default policy can only be
  87 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
  88 */
  89
  90/*
  91 * The minimum rule set to allow for full TCB coverage.  Measures all files
  92 * opened or mmap for exec and everything read by root.  Dangerous because
  93 * normal users can easily run the machine out of memory simply building
  94 * and running executables.
  95 */
  96static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
  97        {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
  98        {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
  99        {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
 100        {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
 101        {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 102        {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 103        {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 104        {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 105        {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
 106        {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
 107         .flags = IMA_FSMAGIC},
 108        {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
 109         .flags = IMA_FSMAGIC},
 110        {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 111        {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
 112};
 113
 114static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
 115        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 116         .flags = IMA_FUNC | IMA_MASK},
 117        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 118         .flags = IMA_FUNC | IMA_MASK},
 119        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 120         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 121         .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 122        {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 123        {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 124};
 125
 126static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
 127        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 128         .flags = IMA_FUNC | IMA_MASK},
 129        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 130         .flags = IMA_FUNC | IMA_MASK},
 131        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 132         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 133         .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
 134        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 135         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 136         .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
 137        {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 138        {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 139        {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
 140};
 141
 142static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
 143        {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 144        {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
 145        {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
 146        {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
 147        {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
 148        {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 149        {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 150        {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 151        {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 152        {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
 153        {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 154        {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
 155        {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 156        {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 157#ifdef CONFIG_IMA_WRITE_POLICY
 158        {.action = APPRAISE, .func = POLICY_CHECK,
 159        .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 160#endif
 161#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
 162        {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
 163         .flags = IMA_FOWNER},
 164#else
 165        /* force signature */
 166        {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
 167         .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
 168#endif
 169};
 170
 171static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
 172#ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
 173        {.action = APPRAISE, .func = MODULE_CHECK,
 174         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 175#endif
 176#ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
 177        {.action = APPRAISE, .func = FIRMWARE_CHECK,
 178         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 179#endif
 180#ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
 181        {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
 182         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 183#endif
 184#ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
 185        {.action = APPRAISE, .func = POLICY_CHECK,
 186         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 187#endif
 188};
 189
 190static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
 191        {.action = APPRAISE, .func = MODULE_CHECK,
 192         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 193        {.action = APPRAISE, .func = FIRMWARE_CHECK,
 194         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 195        {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
 196         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 197        {.action = APPRAISE, .func = POLICY_CHECK,
 198         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 199};
 200
 201/* An array of architecture specific rules */
 202static struct ima_rule_entry *arch_policy_entry __ro_after_init;
 203
 204static LIST_HEAD(ima_default_rules);
 205static LIST_HEAD(ima_policy_rules);
 206static LIST_HEAD(ima_temp_rules);
 207static struct list_head *ima_rules;
 208
 209static int ima_policy __initdata;
 210
 211static int __init default_measure_policy_setup(char *str)
 212{
 213        if (ima_policy)
 214                return 1;
 215
 216        ima_policy = ORIGINAL_TCB;
 217        return 1;
 218}
 219__setup("ima_tcb", default_measure_policy_setup);
 220
 221static bool ima_use_appraise_tcb __initdata;
 222static bool ima_use_secure_boot __initdata;
 223static bool ima_fail_unverifiable_sigs __ro_after_init;
 224static int __init policy_setup(char *str)
 225{
 226        char *p;
 227
 228        while ((p = strsep(&str, " |\n")) != NULL) {
 229                if (*p == ' ')
 230                        continue;
 231                if ((strcmp(p, "tcb") == 0) && !ima_policy)
 232                        ima_policy = DEFAULT_TCB;
 233                else if (strcmp(p, "appraise_tcb") == 0)
 234                        ima_use_appraise_tcb = true;
 235                else if (strcmp(p, "secure_boot") == 0)
 236                        ima_use_secure_boot = true;
 237                else if (strcmp(p, "fail_securely") == 0)
 238                        ima_fail_unverifiable_sigs = true;
 239        }
 240
 241        return 1;
 242}
 243__setup("ima_policy=", policy_setup);
 244
 245static int __init default_appraise_policy_setup(char *str)
 246{
 247        ima_use_appraise_tcb = true;
 248        return 1;
 249}
 250__setup("ima_appraise_tcb", default_appraise_policy_setup);
 251
 252static void ima_lsm_free_rule(struct ima_rule_entry *entry)
 253{
 254        int i;
 255
 256        for (i = 0; i < MAX_LSM_RULES; i++) {
 257                kfree(entry->lsm[i].rule);
 258                kfree(entry->lsm[i].args_p);
 259        }
 260        kfree(entry);
 261}
 262
 263static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 264{
 265        struct ima_rule_entry *nentry;
 266        int i, result;
 267
 268        nentry = kmalloc(sizeof(*nentry), GFP_KERNEL);
 269        if (!nentry)
 270                return NULL;
 271
 272        /*
 273         * Immutable elements are copied over as pointers and data; only
 274         * lsm rules can change
 275         */
 276        memcpy(nentry, entry, sizeof(*nentry));
 277        memset(nentry->lsm, 0, FIELD_SIZEOF(struct ima_rule_entry, lsm));
 278
 279        for (i = 0; i < MAX_LSM_RULES; i++) {
 280                if (!entry->lsm[i].rule)
 281                        continue;
 282
 283                nentry->lsm[i].type = entry->lsm[i].type;
 284                nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p,
 285                                                GFP_KERNEL);
 286                if (!nentry->lsm[i].args_p)
 287                        goto out_err;
 288
 289                result = security_filter_rule_init(nentry->lsm[i].type,
 290                                                   Audit_equal,
 291                                                   nentry->lsm[i].args_p,
 292                                                   &nentry->lsm[i].rule);
 293                if (result == -EINVAL)
 294                        pr_warn("ima: rule for LSM \'%d\' is undefined\n",
 295                                entry->lsm[i].type);
 296        }
 297        return nentry;
 298
 299out_err:
 300        ima_lsm_free_rule(nentry);
 301        return NULL;
 302}
 303
 304static int ima_lsm_update_rule(struct ima_rule_entry *entry)
 305{
 306        struct ima_rule_entry *nentry;
 307
 308        nentry = ima_lsm_copy_rule(entry);
 309        if (!nentry)
 310                return -ENOMEM;
 311
 312        list_replace_rcu(&entry->list, &nentry->list);
 313        synchronize_rcu();
 314        ima_lsm_free_rule(entry);
 315
 316        return 0;
 317}
 318
 319/*
 320 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
 321 * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
 322 * the reloaded LSM policy.
 323 */
 324static void ima_lsm_update_rules(void)
 325{
 326        struct ima_rule_entry *entry, *e;
 327        int i, result, needs_update;
 328
 329        list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
 330                needs_update = 0;
 331                for (i = 0; i < MAX_LSM_RULES; i++) {
 332                        if (entry->lsm[i].rule) {
 333                                needs_update = 1;
 334                                break;
 335                        }
 336                }
 337                if (!needs_update)
 338                        continue;
 339
 340                result = ima_lsm_update_rule(entry);
 341                if (result) {
 342                        pr_err("ima: lsm rule update error %d\n",
 343                                result);
 344                        return;
 345                }
 346        }
 347}
 348
 349int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
 350                          void *lsm_data)
 351{
 352        if (event != LSM_POLICY_CHANGE)
 353                return NOTIFY_DONE;
 354
 355        ima_lsm_update_rules();
 356        return NOTIFY_OK;
 357}
 358
 359/**
 360 * ima_match_rules - determine whether an inode matches the measure rule.
 361 * @rule: a pointer to a rule
 362 * @inode: a pointer to an inode
 363 * @cred: a pointer to a credentials structure for user validation
 364 * @secid: the secid of the task to be validated
 365 * @func: LIM hook identifier
 366 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 367 *
 368 * Returns true on rule match, false on failure.
 369 */
 370static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 371                            const struct cred *cred, u32 secid,
 372                            enum ima_hooks func, int mask)
 373{
 374        int i;
 375
 376        if (func == KEXEC_CMDLINE) {
 377                if ((rule->flags & IMA_FUNC) && (rule->func == func))
 378                        return true;
 379                return false;
 380        }
 381        if ((rule->flags & IMA_FUNC) &&
 382            (rule->func != func && func != POST_SETATTR))
 383                return false;
 384        if ((rule->flags & IMA_MASK) &&
 385            (rule->mask != mask && func != POST_SETATTR))
 386                return false;
 387        if ((rule->flags & IMA_INMASK) &&
 388            (!(rule->mask & mask) && func != POST_SETATTR))
 389                return false;
 390        if ((rule->flags & IMA_FSMAGIC)
 391            && rule->fsmagic != inode->i_sb->s_magic)
 392                return false;
 393        if ((rule->flags & IMA_FSNAME)
 394            && strcmp(rule->fsname, inode->i_sb->s_type->name))
 395                return false;
 396        if ((rule->flags & IMA_FSUUID) &&
 397            !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
 398                return false;
 399        if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
 400                return false;
 401        if (rule->flags & IMA_EUID) {
 402                if (has_capability_noaudit(current, CAP_SETUID)) {
 403                        if (!rule->uid_op(cred->euid, rule->uid)
 404                            && !rule->uid_op(cred->suid, rule->uid)
 405                            && !rule->uid_op(cred->uid, rule->uid))
 406                                return false;
 407                } else if (!rule->uid_op(cred->euid, rule->uid))
 408                        return false;
 409        }
 410
 411        if ((rule->flags & IMA_FOWNER) &&
 412            !rule->fowner_op(inode->i_uid, rule->fowner))
 413                return false;
 414        for (i = 0; i < MAX_LSM_RULES; i++) {
 415                int rc = 0;
 416                u32 osid;
 417
 418                if (!rule->lsm[i].rule)
 419                        continue;
 420
 421                switch (i) {
 422                case LSM_OBJ_USER:
 423                case LSM_OBJ_ROLE:
 424                case LSM_OBJ_TYPE:
 425                        security_inode_getsecid(inode, &osid);
 426                        rc = security_filter_rule_match(osid,
 427                                                        rule->lsm[i].type,
 428                                                        Audit_equal,
 429                                                        rule->lsm[i].rule);
 430                        break;
 431                case LSM_SUBJ_USER:
 432                case LSM_SUBJ_ROLE:
 433                case LSM_SUBJ_TYPE:
 434                        rc = security_filter_rule_match(secid,
 435                                                        rule->lsm[i].type,
 436                                                        Audit_equal,
 437                                                        rule->lsm[i].rule);
 438                default:
 439                        break;
 440                }
 441                if (!rc)
 442                        return false;
 443        }
 444        return true;
 445}
 446
 447/*
 448 * In addition to knowing that we need to appraise the file in general,
 449 * we need to differentiate between calling hooks, for hook specific rules.
 450 */
 451static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 452{
 453        if (!(rule->flags & IMA_FUNC))
 454                return IMA_FILE_APPRAISE;
 455
 456        switch (func) {
 457        case MMAP_CHECK:
 458                return IMA_MMAP_APPRAISE;
 459        case BPRM_CHECK:
 460                return IMA_BPRM_APPRAISE;
 461        case CREDS_CHECK:
 462                return IMA_CREDS_APPRAISE;
 463        case FILE_CHECK:
 464        case POST_SETATTR:
 465                return IMA_FILE_APPRAISE;
 466        case MODULE_CHECK ... MAX_CHECK - 1:
 467        default:
 468                return IMA_READ_APPRAISE;
 469        }
 470}
 471
 472/**
 473 * ima_match_policy - decision based on LSM and other conditions
 474 * @inode: pointer to an inode for which the policy decision is being made
 475 * @cred: pointer to a credentials structure for which the policy decision is
 476 *        being made
 477 * @secid: LSM secid of the task to be validated
 478 * @func: IMA hook identifier
 479 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 480 * @pcr: set the pcr to extend
 481 * @template_desc: the template that should be used for this rule
 482 *
 483 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
 484 * conditions.
 485 *
 486 * Since the IMA policy may be updated multiple times we need to lock the
 487 * list when walking it.  Reads are many orders of magnitude more numerous
 488 * than writes so ima_match_policy() is classical RCU candidate.
 489 */
 490int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 491                     enum ima_hooks func, int mask, int flags, int *pcr,
 492                     struct ima_template_desc **template_desc)
 493{
 494        struct ima_rule_entry *entry;
 495        int action = 0, actmask = flags | (flags << 1);
 496
 497        if (template_desc)
 498                *template_desc = ima_template_desc_current();
 499
 500        rcu_read_lock();
 501        list_for_each_entry_rcu(entry, ima_rules, list) {
 502
 503                if (!(entry->action & actmask))
 504                        continue;
 505
 506                if (!ima_match_rules(entry, inode, cred, secid, func, mask))
 507                        continue;
 508
 509                action |= entry->flags & IMA_ACTION_FLAGS;
 510
 511                action |= entry->action & IMA_DO_MASK;
 512                if (entry->action & IMA_APPRAISE) {
 513                        action |= get_subaction(entry, func);
 514                        action &= ~IMA_HASH;
 515                        if (ima_fail_unverifiable_sigs)
 516                                action |= IMA_FAIL_UNVERIFIABLE_SIGS;
 517                }
 518
 519
 520                if (entry->action & IMA_DO_MASK)
 521                        actmask &= ~(entry->action | entry->action << 1);
 522                else
 523                        actmask &= ~(entry->action | entry->action >> 1);
 524
 525                if ((pcr) && (entry->flags & IMA_PCR))
 526                        *pcr = entry->pcr;
 527
 528                if (template_desc && entry->template)
 529                        *template_desc = entry->template;
 530
 531                if (!actmask)
 532                        break;
 533        }
 534        rcu_read_unlock();
 535
 536        return action;
 537}
 538
 539/*
 540 * Initialize the ima_policy_flag variable based on the currently
 541 * loaded policy.  Based on this flag, the decision to short circuit
 542 * out of a function or not call the function in the first place
 543 * can be made earlier.
 544 */
 545void ima_update_policy_flag(void)
 546{
 547        struct ima_rule_entry *entry;
 548
 549        list_for_each_entry(entry, ima_rules, list) {
 550                if (entry->action & IMA_DO_MASK)
 551                        ima_policy_flag |= entry->action;
 552        }
 553
 554        ima_appraise |= (build_ima_appraise | temp_ima_appraise);
 555        if (!ima_appraise)
 556                ima_policy_flag &= ~IMA_APPRAISE;
 557}
 558
 559static int ima_appraise_flag(enum ima_hooks func)
 560{
 561        if (func == MODULE_CHECK)
 562                return IMA_APPRAISE_MODULES;
 563        else if (func == FIRMWARE_CHECK)
 564                return IMA_APPRAISE_FIRMWARE;
 565        else if (func == POLICY_CHECK)
 566                return IMA_APPRAISE_POLICY;
 567        else if (func == KEXEC_KERNEL_CHECK)
 568                return IMA_APPRAISE_KEXEC;
 569        return 0;
 570}
 571
 572static void add_rules(struct ima_rule_entry *entries, int count,
 573                      enum policy_rule_list policy_rule)
 574{
 575        int i = 0;
 576
 577        for (i = 0; i < count; i++) {
 578                struct ima_rule_entry *entry;
 579
 580                if (policy_rule & IMA_DEFAULT_POLICY)
 581                        list_add_tail(&entries[i].list, &ima_default_rules);
 582
 583                if (policy_rule & IMA_CUSTOM_POLICY) {
 584                        entry = kmemdup(&entries[i], sizeof(*entry),
 585                                        GFP_KERNEL);
 586                        if (!entry)
 587                                continue;
 588
 589                        list_add_tail(&entry->list, &ima_policy_rules);
 590                }
 591                if (entries[i].action == APPRAISE) {
 592                        temp_ima_appraise |= ima_appraise_flag(entries[i].func);
 593                        if (entries[i].func == POLICY_CHECK)
 594                                temp_ima_appraise |= IMA_APPRAISE_POLICY;
 595                }
 596        }
 597}
 598
 599static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
 600
 601static int __init ima_init_arch_policy(void)
 602{
 603        const char * const *arch_rules;
 604        const char * const *rules;
 605        int arch_entries = 0;
 606        int i = 0;
 607
 608        arch_rules = arch_get_ima_policy();
 609        if (!arch_rules)
 610                return arch_entries;
 611
 612        /* Get number of rules */
 613        for (rules = arch_rules; *rules != NULL; rules++)
 614                arch_entries++;
 615
 616        arch_policy_entry = kcalloc(arch_entries + 1,
 617                                    sizeof(*arch_policy_entry), GFP_KERNEL);
 618        if (!arch_policy_entry)
 619                return 0;
 620
 621        /* Convert each policy string rules to struct ima_rule_entry format */
 622        for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
 623                char rule[255];
 624                int result;
 625
 626                result = strlcpy(rule, *rules, sizeof(rule));
 627
 628                INIT_LIST_HEAD(&arch_policy_entry[i].list);
 629                result = ima_parse_rule(rule, &arch_policy_entry[i]);
 630                if (result) {
 631                        pr_warn("Skipping unknown architecture policy rule: %s\n",
 632                                rule);
 633                        memset(&arch_policy_entry[i], 0,
 634                               sizeof(*arch_policy_entry));
 635                        continue;
 636                }
 637                i++;
 638        }
 639        return i;
 640}
 641
 642/**
 643 * ima_init_policy - initialize the default measure rules.
 644 *
 645 * ima_rules points to either the ima_default_rules or the
 646 * the new ima_policy_rules.
 647 */
 648void __init ima_init_policy(void)
 649{
 650        int build_appraise_entries, arch_entries;
 651
 652        /* if !ima_policy, we load NO default rules */
 653        if (ima_policy)
 654                add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
 655                          IMA_DEFAULT_POLICY);
 656
 657        switch (ima_policy) {
 658        case ORIGINAL_TCB:
 659                add_rules(original_measurement_rules,
 660                          ARRAY_SIZE(original_measurement_rules),
 661                          IMA_DEFAULT_POLICY);
 662                break;
 663        case DEFAULT_TCB:
 664                add_rules(default_measurement_rules,
 665                          ARRAY_SIZE(default_measurement_rules),
 666                          IMA_DEFAULT_POLICY);
 667        default:
 668                break;
 669        }
 670
 671        /*
 672         * Based on runtime secure boot flags, insert arch specific measurement
 673         * and appraise rules requiring file signatures for both the initial
 674         * and custom policies, prior to other appraise rules.
 675         * (Highest priority)
 676         */
 677        arch_entries = ima_init_arch_policy();
 678        if (!arch_entries)
 679                pr_info("No architecture policies found\n");
 680        else
 681                add_rules(arch_policy_entry, arch_entries,
 682                          IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
 683
 684        /*
 685         * Insert the builtin "secure_boot" policy rules requiring file
 686         * signatures, prior to other appraise rules.
 687         */
 688        if (ima_use_secure_boot)
 689                add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
 690                          IMA_DEFAULT_POLICY);
 691
 692        /*
 693         * Insert the build time appraise rules requiring file signatures
 694         * for both the initial and custom policies, prior to other appraise
 695         * rules. As the secure boot rules includes all of the build time
 696         * rules, include either one or the other set of rules, but not both.
 697         */
 698        build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
 699        if (build_appraise_entries) {
 700                if (ima_use_secure_boot)
 701                        add_rules(build_appraise_rules, build_appraise_entries,
 702                                  IMA_CUSTOM_POLICY);
 703                else
 704                        add_rules(build_appraise_rules, build_appraise_entries,
 705                                  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
 706        }
 707
 708        if (ima_use_appraise_tcb)
 709                add_rules(default_appraise_rules,
 710                          ARRAY_SIZE(default_appraise_rules),
 711                          IMA_DEFAULT_POLICY);
 712
 713        ima_rules = &ima_default_rules;
 714        ima_update_policy_flag();
 715}
 716
 717/* Make sure we have a valid policy, at least containing some rules. */
 718int ima_check_policy(void)
 719{
 720        if (list_empty(&ima_temp_rules))
 721                return -EINVAL;
 722        return 0;
 723}
 724
 725/**
 726 * ima_update_policy - update default_rules with new measure rules
 727 *
 728 * Called on file .release to update the default rules with a complete new
 729 * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
 730 * they make a queue.  The policy may be updated multiple times and this is the
 731 * RCU updater.
 732 *
 733 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
 734 * we switch from the default policy to user defined.
 735 */
 736void ima_update_policy(void)
 737{
 738        struct list_head *policy = &ima_policy_rules;
 739
 740        list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
 741
 742        if (ima_rules != policy) {
 743                ima_policy_flag = 0;
 744                ima_rules = policy;
 745
 746                /*
 747                 * IMA architecture specific policy rules are specified
 748                 * as strings and converted to an array of ima_entry_rules
 749                 * on boot.  After loading a custom policy, free the
 750                 * architecture specific rules stored as an array.
 751                 */
 752                kfree(arch_policy_entry);
 753        }
 754        ima_update_policy_flag();
 755}
 756
 757/* Keep the enumeration in sync with the policy_tokens! */
 758enum {
 759        Opt_measure, Opt_dont_measure,
 760        Opt_appraise, Opt_dont_appraise,
 761        Opt_audit, Opt_hash, Opt_dont_hash,
 762        Opt_obj_user, Opt_obj_role, Opt_obj_type,
 763        Opt_subj_user, Opt_subj_role, Opt_subj_type,
 764        Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
 765        Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
 766        Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
 767        Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
 768        Opt_appraise_type, Opt_permit_directio,
 769        Opt_pcr, Opt_template, Opt_err
 770};
 771
 772static const match_table_t policy_tokens = {
 773        {Opt_measure, "measure"},
 774        {Opt_dont_measure, "dont_measure"},
 775        {Opt_appraise, "appraise"},
 776        {Opt_dont_appraise, "dont_appraise"},
 777        {Opt_audit, "audit"},
 778        {Opt_hash, "hash"},
 779        {Opt_dont_hash, "dont_hash"},
 780        {Opt_obj_user, "obj_user=%s"},
 781        {Opt_obj_role, "obj_role=%s"},
 782        {Opt_obj_type, "obj_type=%s"},
 783        {Opt_subj_user, "subj_user=%s"},
 784        {Opt_subj_role, "subj_role=%s"},
 785        {Opt_subj_type, "subj_type=%s"},
 786        {Opt_func, "func=%s"},
 787        {Opt_mask, "mask=%s"},
 788        {Opt_fsmagic, "fsmagic=%s"},
 789        {Opt_fsname, "fsname=%s"},
 790        {Opt_fsuuid, "fsuuid=%s"},
 791        {Opt_uid_eq, "uid=%s"},
 792        {Opt_euid_eq, "euid=%s"},
 793        {Opt_fowner_eq, "fowner=%s"},
 794        {Opt_uid_gt, "uid>%s"},
 795        {Opt_euid_gt, "euid>%s"},
 796        {Opt_fowner_gt, "fowner>%s"},
 797        {Opt_uid_lt, "uid<%s"},
 798        {Opt_euid_lt, "euid<%s"},
 799        {Opt_fowner_lt, "fowner<%s"},
 800        {Opt_appraise_type, "appraise_type=%s"},
 801        {Opt_permit_directio, "permit_directio"},
 802        {Opt_pcr, "pcr=%s"},
 803        {Opt_template, "template=%s"},
 804        {Opt_err, NULL}
 805};
 806
 807static int ima_lsm_rule_init(struct ima_rule_entry *entry,
 808                             substring_t *args, int lsm_rule, int audit_type)
 809{
 810        int result;
 811
 812        if (entry->lsm[lsm_rule].rule)
 813                return -EINVAL;
 814
 815        entry->lsm[lsm_rule].args_p = match_strdup(args);
 816        if (!entry->lsm[lsm_rule].args_p)
 817                return -ENOMEM;
 818
 819        entry->lsm[lsm_rule].type = audit_type;
 820        result = security_filter_rule_init(entry->lsm[lsm_rule].type,
 821                                           Audit_equal,
 822                                           entry->lsm[lsm_rule].args_p,
 823                                           &entry->lsm[lsm_rule].rule);
 824        if (!entry->lsm[lsm_rule].rule) {
 825                kfree(entry->lsm[lsm_rule].args_p);
 826                return -EINVAL;
 827        }
 828
 829        return result;
 830}
 831
 832static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
 833                              bool (*rule_operator)(kuid_t, kuid_t))
 834{
 835        if (!ab)
 836                return;
 837
 838        if (rule_operator == &uid_gt)
 839                audit_log_format(ab, "%s>", key);
 840        else if (rule_operator == &uid_lt)
 841                audit_log_format(ab, "%s<", key);
 842        else
 843                audit_log_format(ab, "%s=", key);
 844        audit_log_format(ab, "%s ", value);
 845}
 846static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
 847{
 848        ima_log_string_op(ab, key, value, NULL);
 849}
 850
 851/*
 852 * Validating the appended signature included in the measurement list requires
 853 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
 854 * field). Therefore, notify the user if they have the 'modsig' field but not
 855 * the 'd-modsig' field in the template.
 856 */
 857static void check_template_modsig(const struct ima_template_desc *template)
 858{
 859#define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
 860        bool has_modsig, has_dmodsig;
 861        static bool checked;
 862        int i;
 863
 864        /* We only need to notify the user once. */
 865        if (checked)
 866                return;
 867
 868        has_modsig = has_dmodsig = false;
 869        for (i = 0; i < template->num_fields; i++) {
 870                if (!strcmp(template->fields[i]->field_id, "modsig"))
 871                        has_modsig = true;
 872                else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
 873                        has_dmodsig = true;
 874        }
 875
 876        if (has_modsig && !has_dmodsig)
 877                pr_notice(MSG);
 878
 879        checked = true;
 880#undef MSG
 881}
 882
 883static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 884{
 885        struct audit_buffer *ab;
 886        char *from;
 887        char *p;
 888        bool uid_token;
 889        struct ima_template_desc *template_desc;
 890        int result = 0;
 891
 892        ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
 893                                       AUDIT_INTEGRITY_POLICY_RULE);
 894
 895        entry->uid = INVALID_UID;
 896        entry->fowner = INVALID_UID;
 897        entry->uid_op = &uid_eq;
 898        entry->fowner_op = &uid_eq;
 899        entry->action = UNKNOWN;
 900        while ((p = strsep(&rule, " \t")) != NULL) {
 901                substring_t args[MAX_OPT_ARGS];
 902                int token;
 903                unsigned long lnum;
 904
 905                if (result < 0)
 906                        break;
 907                if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
 908                        continue;
 909                token = match_token(p, policy_tokens, args);
 910                switch (token) {
 911                case Opt_measure:
 912                        ima_log_string(ab, "action", "measure");
 913
 914                        if (entry->action != UNKNOWN)
 915                                result = -EINVAL;
 916
 917                        entry->action = MEASURE;
 918                        break;
 919                case Opt_dont_measure:
 920                        ima_log_string(ab, "action", "dont_measure");
 921
 922                        if (entry->action != UNKNOWN)
 923                                result = -EINVAL;
 924
 925                        entry->action = DONT_MEASURE;
 926                        break;
 927                case Opt_appraise:
 928                        ima_log_string(ab, "action", "appraise");
 929
 930                        if (entry->action != UNKNOWN)
 931                                result = -EINVAL;
 932
 933                        entry->action = APPRAISE;
 934                        break;
 935                case Opt_dont_appraise:
 936                        ima_log_string(ab, "action", "dont_appraise");
 937
 938                        if (entry->action != UNKNOWN)
 939                                result = -EINVAL;
 940
 941                        entry->action = DONT_APPRAISE;
 942                        break;
 943                case Opt_audit:
 944                        ima_log_string(ab, "action", "audit");
 945
 946                        if (entry->action != UNKNOWN)
 947                                result = -EINVAL;
 948
 949                        entry->action = AUDIT;
 950                        break;
 951                case Opt_hash:
 952                        ima_log_string(ab, "action", "hash");
 953
 954                        if (entry->action != UNKNOWN)
 955                                result = -EINVAL;
 956
 957                        entry->action = HASH;
 958                        break;
 959                case Opt_dont_hash:
 960                        ima_log_string(ab, "action", "dont_hash");
 961
 962                        if (entry->action != UNKNOWN)
 963                                result = -EINVAL;
 964
 965                        entry->action = DONT_HASH;
 966                        break;
 967                case Opt_func:
 968                        ima_log_string(ab, "func", args[0].from);
 969
 970                        if (entry->func)
 971                                result = -EINVAL;
 972
 973                        if (strcmp(args[0].from, "FILE_CHECK") == 0)
 974                                entry->func = FILE_CHECK;
 975                        /* PATH_CHECK is for backwards compat */
 976                        else if (strcmp(args[0].from, "PATH_CHECK") == 0)
 977                                entry->func = FILE_CHECK;
 978                        else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
 979                                entry->func = MODULE_CHECK;
 980                        else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
 981                                entry->func = FIRMWARE_CHECK;
 982                        else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
 983                                || (strcmp(args[0].from, "MMAP_CHECK") == 0))
 984                                entry->func = MMAP_CHECK;
 985                        else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
 986                                entry->func = BPRM_CHECK;
 987                        else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
 988                                entry->func = CREDS_CHECK;
 989                        else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
 990                                 0)
 991                                entry->func = KEXEC_KERNEL_CHECK;
 992                        else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
 993                                 == 0)
 994                                entry->func = KEXEC_INITRAMFS_CHECK;
 995                        else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
 996                                entry->func = POLICY_CHECK;
 997                        else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
 998                                entry->func = KEXEC_CMDLINE;
 999                        else
1000                                result = -EINVAL;
1001                        if (!result)
1002                                entry->flags |= IMA_FUNC;
1003                        break;
1004                case Opt_mask:
1005                        ima_log_string(ab, "mask", args[0].from);
1006
1007                        if (entry->mask)
1008                                result = -EINVAL;
1009
1010                        from = args[0].from;
1011                        if (*from == '^')
1012                                from++;
1013
1014                        if ((strcmp(from, "MAY_EXEC")) == 0)
1015                                entry->mask = MAY_EXEC;
1016                        else if (strcmp(from, "MAY_WRITE") == 0)
1017                                entry->mask = MAY_WRITE;
1018                        else if (strcmp(from, "MAY_READ") == 0)
1019                                entry->mask = MAY_READ;
1020                        else if (strcmp(from, "MAY_APPEND") == 0)
1021                                entry->mask = MAY_APPEND;
1022                        else
1023                                result = -EINVAL;
1024                        if (!result)
1025                                entry->flags |= (*args[0].from == '^')
1026                                     ? IMA_INMASK : IMA_MASK;
1027                        break;
1028                case Opt_fsmagic:
1029                        ima_log_string(ab, "fsmagic", args[0].from);
1030
1031                        if (entry->fsmagic) {
1032                                result = -EINVAL;
1033                                break;
1034                        }
1035
1036                        result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1037                        if (!result)
1038                                entry->flags |= IMA_FSMAGIC;
1039                        break;
1040                case Opt_fsname:
1041                        ima_log_string(ab, "fsname", args[0].from);
1042
1043                        entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1044                        if (!entry->fsname) {
1045                                result = -ENOMEM;
1046                                break;
1047                        }
1048                        result = 0;
1049                        entry->flags |= IMA_FSNAME;
1050                        break;
1051                case Opt_fsuuid:
1052                        ima_log_string(ab, "fsuuid", args[0].from);
1053
1054                        if (!uuid_is_null(&entry->fsuuid)) {
1055                                result = -EINVAL;
1056                                break;
1057                        }
1058
1059                        result = uuid_parse(args[0].from, &entry->fsuuid);
1060                        if (!result)
1061                                entry->flags |= IMA_FSUUID;
1062                        break;
1063                case Opt_uid_gt:
1064                case Opt_euid_gt:
1065                        entry->uid_op = &uid_gt;
1066                        /* fall through */
1067                case Opt_uid_lt:
1068                case Opt_euid_lt:
1069                        if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1070                                entry->uid_op = &uid_lt;
1071                        /* fall through */
1072                case Opt_uid_eq:
1073                case Opt_euid_eq:
1074                        uid_token = (token == Opt_uid_eq) ||
1075                                    (token == Opt_uid_gt) ||
1076                                    (token == Opt_uid_lt);
1077
1078                        ima_log_string_op(ab, uid_token ? "uid" : "euid",
1079                                          args[0].from, entry->uid_op);
1080
1081                        if (uid_valid(entry->uid)) {
1082                                result = -EINVAL;
1083                                break;
1084                        }
1085
1086                        result = kstrtoul(args[0].from, 10, &lnum);
1087                        if (!result) {
1088                                entry->uid = make_kuid(current_user_ns(),
1089                                                       (uid_t) lnum);
1090                                if (!uid_valid(entry->uid) ||
1091                                    (uid_t)lnum != lnum)
1092                                        result = -EINVAL;
1093                                else
1094                                        entry->flags |= uid_token
1095                                            ? IMA_UID : IMA_EUID;
1096                        }
1097                        break;
1098                case Opt_fowner_gt:
1099                        entry->fowner_op = &uid_gt;
1100                        /* fall through */
1101                case Opt_fowner_lt:
1102                        if (token == Opt_fowner_lt)
1103                                entry->fowner_op = &uid_lt;
1104                        /* fall through */
1105                case Opt_fowner_eq:
1106                        ima_log_string_op(ab, "fowner", args[0].from,
1107                                          entry->fowner_op);
1108
1109                        if (uid_valid(entry->fowner)) {
1110                                result = -EINVAL;
1111                                break;
1112                        }
1113
1114                        result = kstrtoul(args[0].from, 10, &lnum);
1115                        if (!result) {
1116                                entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
1117                                if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
1118                                        result = -EINVAL;
1119                                else
1120                                        entry->flags |= IMA_FOWNER;
1121                        }
1122                        break;
1123                case Opt_obj_user:
1124                        ima_log_string(ab, "obj_user", args[0].from);
1125                        result = ima_lsm_rule_init(entry, args,
1126                                                   LSM_OBJ_USER,
1127                                                   AUDIT_OBJ_USER);
1128                        break;
1129                case Opt_obj_role:
1130                        ima_log_string(ab, "obj_role", args[0].from);
1131                        result = ima_lsm_rule_init(entry, args,
1132                                                   LSM_OBJ_ROLE,
1133                                                   AUDIT_OBJ_ROLE);
1134                        break;
1135                case Opt_obj_type:
1136                        ima_log_string(ab, "obj_type", args[0].from);
1137                        result = ima_lsm_rule_init(entry, args,
1138                                                   LSM_OBJ_TYPE,
1139                                                   AUDIT_OBJ_TYPE);
1140                        break;
1141                case Opt_subj_user:
1142                        ima_log_string(ab, "subj_user", args[0].from);
1143                        result = ima_lsm_rule_init(entry, args,
1144                                                   LSM_SUBJ_USER,
1145                                                   AUDIT_SUBJ_USER);
1146                        break;
1147                case Opt_subj_role:
1148                        ima_log_string(ab, "subj_role", args[0].from);
1149                        result = ima_lsm_rule_init(entry, args,
1150                                                   LSM_SUBJ_ROLE,
1151                                                   AUDIT_SUBJ_ROLE);
1152                        break;
1153                case Opt_subj_type:
1154                        ima_log_string(ab, "subj_type", args[0].from);
1155                        result = ima_lsm_rule_init(entry, args,
1156                                                   LSM_SUBJ_TYPE,
1157                                                   AUDIT_SUBJ_TYPE);
1158                        break;
1159                case Opt_appraise_type:
1160                        if (entry->action != APPRAISE) {
1161                                result = -EINVAL;
1162                                break;
1163                        }
1164
1165                        ima_log_string(ab, "appraise_type", args[0].from);
1166                        if ((strcmp(args[0].from, "imasig")) == 0)
1167                                entry->flags |= IMA_DIGSIG_REQUIRED;
1168                        else if (ima_hook_supports_modsig(entry->func) &&
1169                                 strcmp(args[0].from, "imasig|modsig") == 0)
1170                                entry->flags |= IMA_DIGSIG_REQUIRED |
1171                                                IMA_MODSIG_ALLOWED;
1172                        else
1173                                result = -EINVAL;
1174                        break;
1175                case Opt_permit_directio:
1176                        entry->flags |= IMA_PERMIT_DIRECTIO;
1177                        break;
1178                case Opt_pcr:
1179                        if (entry->action != MEASURE) {
1180                                result = -EINVAL;
1181                                break;
1182                        }
1183                        ima_log_string(ab, "pcr", args[0].from);
1184
1185                        result = kstrtoint(args[0].from, 10, &entry->pcr);
1186                        if (result || INVALID_PCR(entry->pcr))
1187                                result = -EINVAL;
1188                        else
1189                                entry->flags |= IMA_PCR;
1190
1191                        break;
1192                case Opt_template:
1193                        ima_log_string(ab, "template", args[0].from);
1194                        if (entry->action != MEASURE) {
1195                                result = -EINVAL;
1196                                break;
1197                        }
1198                        template_desc = lookup_template_desc(args[0].from);
1199                        if (!template_desc || entry->template) {
1200                                result = -EINVAL;
1201                                break;
1202                        }
1203
1204                        /*
1205                         * template_desc_init_fields() does nothing if
1206                         * the template is already initialised, so
1207                         * it's safe to do this unconditionally
1208                         */
1209                        template_desc_init_fields(template_desc->fmt,
1210                                                 &(template_desc->fields),
1211                                                 &(template_desc->num_fields));
1212                        entry->template = template_desc;
1213                        break;
1214                case Opt_err:
1215                        ima_log_string(ab, "UNKNOWN", p);
1216                        result = -EINVAL;
1217                        break;
1218                }
1219        }
1220        if (!result && (entry->action == UNKNOWN))
1221                result = -EINVAL;
1222        else if (entry->action == APPRAISE)
1223                temp_ima_appraise |= ima_appraise_flag(entry->func);
1224
1225        if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1226                template_desc = entry->template ? entry->template :
1227                                                  ima_template_desc_current();
1228                check_template_modsig(template_desc);
1229        }
1230
1231        audit_log_format(ab, "res=%d", !result);
1232        audit_log_end(ab);
1233        return result;
1234}
1235
1236/**
1237 * ima_parse_add_rule - add a rule to ima_policy_rules
1238 * @rule - ima measurement policy rule
1239 *
1240 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1241 * Returns the length of the rule parsed, an error code on failure
1242 */
1243ssize_t ima_parse_add_rule(char *rule)
1244{
1245        static const char op[] = "update_policy";
1246        char *p;
1247        struct ima_rule_entry *entry;
1248        ssize_t result, len;
1249        int audit_info = 0;
1250
1251        p = strsep(&rule, "\n");
1252        len = strlen(p) + 1;
1253        p += strspn(p, " \t");
1254
1255        if (*p == '#' || *p == '\0')
1256                return len;
1257
1258        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1259        if (!entry) {
1260                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1261                                    NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1262                return -ENOMEM;
1263        }
1264
1265        INIT_LIST_HEAD(&entry->list);
1266
1267        result = ima_parse_rule(p, entry);
1268        if (result) {
1269                kfree(entry);
1270                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1271                                    NULL, op, "invalid-policy", result,
1272                                    audit_info);
1273                return result;
1274        }
1275
1276        list_add_tail(&entry->list, &ima_temp_rules);
1277
1278        return len;
1279}
1280
1281/**
1282 * ima_delete_rules() called to cleanup invalid in-flight policy.
1283 * We don't need locking as we operate on the temp list, which is
1284 * different from the active one.  There is also only one user of
1285 * ima_delete_rules() at a time.
1286 */
1287void ima_delete_rules(void)
1288{
1289        struct ima_rule_entry *entry, *tmp;
1290        int i;
1291
1292        temp_ima_appraise = 0;
1293        list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1294                for (i = 0; i < MAX_LSM_RULES; i++)
1295                        kfree(entry->lsm[i].args_p);
1296
1297                list_del(&entry->list);
1298                kfree(entry);
1299        }
1300}
1301
1302#define __ima_hook_stringify(str)       (#str),
1303
1304const char *const func_tokens[] = {
1305        __ima_hooks(__ima_hook_stringify)
1306};
1307
1308#ifdef  CONFIG_IMA_READ_POLICY
1309enum {
1310        mask_exec = 0, mask_write, mask_read, mask_append
1311};
1312
1313static const char *const mask_tokens[] = {
1314        "^MAY_EXEC",
1315        "^MAY_WRITE",
1316        "^MAY_READ",
1317        "^MAY_APPEND"
1318};
1319
1320void *ima_policy_start(struct seq_file *m, loff_t *pos)
1321{
1322        loff_t l = *pos;
1323        struct ima_rule_entry *entry;
1324
1325        rcu_read_lock();
1326        list_for_each_entry_rcu(entry, ima_rules, list) {
1327                if (!l--) {
1328                        rcu_read_unlock();
1329                        return entry;
1330                }
1331        }
1332        rcu_read_unlock();
1333        return NULL;
1334}
1335
1336void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1337{
1338        struct ima_rule_entry *entry = v;
1339
1340        rcu_read_lock();
1341        entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1342        rcu_read_unlock();
1343        (*pos)++;
1344
1345        return (&entry->list == ima_rules) ? NULL : entry;
1346}
1347
1348void ima_policy_stop(struct seq_file *m, void *v)
1349{
1350}
1351
1352#define pt(token)       policy_tokens[token].pattern
1353#define mt(token)       mask_tokens[token]
1354
1355/*
1356 * policy_func_show - display the ima_hooks policy rule
1357 */
1358static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1359{
1360        if (func > 0 && func < MAX_CHECK)
1361                seq_printf(m, "func=%s ", func_tokens[func]);
1362        else
1363                seq_printf(m, "func=%d ", func);
1364}
1365
1366int ima_policy_show(struct seq_file *m, void *v)
1367{
1368        struct ima_rule_entry *entry = v;
1369        int i;
1370        char tbuf[64] = {0,};
1371        int offset = 0;
1372
1373        rcu_read_lock();
1374
1375        if (entry->action & MEASURE)
1376                seq_puts(m, pt(Opt_measure));
1377        if (entry->action & DONT_MEASURE)
1378                seq_puts(m, pt(Opt_dont_measure));
1379        if (entry->action & APPRAISE)
1380                seq_puts(m, pt(Opt_appraise));
1381        if (entry->action & DONT_APPRAISE)
1382                seq_puts(m, pt(Opt_dont_appraise));
1383        if (entry->action & AUDIT)
1384                seq_puts(m, pt(Opt_audit));
1385        if (entry->action & HASH)
1386                seq_puts(m, pt(Opt_hash));
1387        if (entry->action & DONT_HASH)
1388                seq_puts(m, pt(Opt_dont_hash));
1389
1390        seq_puts(m, " ");
1391
1392        if (entry->flags & IMA_FUNC)
1393                policy_func_show(m, entry->func);
1394
1395        if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
1396                if (entry->flags & IMA_MASK)
1397                        offset = 1;
1398                if (entry->mask & MAY_EXEC)
1399                        seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
1400                if (entry->mask & MAY_WRITE)
1401                        seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
1402                if (entry->mask & MAY_READ)
1403                        seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
1404                if (entry->mask & MAY_APPEND)
1405                        seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
1406                seq_puts(m, " ");
1407        }
1408
1409        if (entry->flags & IMA_FSMAGIC) {
1410                snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1411                seq_printf(m, pt(Opt_fsmagic), tbuf);
1412                seq_puts(m, " ");
1413        }
1414
1415        if (entry->flags & IMA_FSNAME) {
1416                snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1417                seq_printf(m, pt(Opt_fsname), tbuf);
1418                seq_puts(m, " ");
1419        }
1420
1421        if (entry->flags & IMA_PCR) {
1422                snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1423                seq_printf(m, pt(Opt_pcr), tbuf);
1424                seq_puts(m, " ");
1425        }
1426
1427        if (entry->flags & IMA_FSUUID) {
1428                seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1429                seq_puts(m, " ");
1430        }
1431
1432        if (entry->flags & IMA_UID) {
1433                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1434                if (entry->uid_op == &uid_gt)
1435                        seq_printf(m, pt(Opt_uid_gt), tbuf);
1436                else if (entry->uid_op == &uid_lt)
1437                        seq_printf(m, pt(Opt_uid_lt), tbuf);
1438                else
1439                        seq_printf(m, pt(Opt_uid_eq), tbuf);
1440                seq_puts(m, " ");
1441        }
1442
1443        if (entry->flags & IMA_EUID) {
1444                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1445                if (entry->uid_op == &uid_gt)
1446                        seq_printf(m, pt(Opt_euid_gt), tbuf);
1447                else if (entry->uid_op == &uid_lt)
1448                        seq_printf(m, pt(Opt_euid_lt), tbuf);
1449                else
1450                        seq_printf(m, pt(Opt_euid_eq), tbuf);
1451                seq_puts(m, " ");
1452        }
1453
1454        if (entry->flags & IMA_FOWNER) {
1455                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1456                if (entry->fowner_op == &uid_gt)
1457                        seq_printf(m, pt(Opt_fowner_gt), tbuf);
1458                else if (entry->fowner_op == &uid_lt)
1459                        seq_printf(m, pt(Opt_fowner_lt), tbuf);
1460                else
1461                        seq_printf(m, pt(Opt_fowner_eq), tbuf);
1462                seq_puts(m, " ");
1463        }
1464
1465        for (i = 0; i < MAX_LSM_RULES; i++) {
1466                if (entry->lsm[i].rule) {
1467                        switch (i) {
1468                        case LSM_OBJ_USER:
1469                                seq_printf(m, pt(Opt_obj_user),
1470                                           (char *)entry->lsm[i].args_p);
1471                                break;
1472                        case LSM_OBJ_ROLE:
1473                                seq_printf(m, pt(Opt_obj_role),
1474                                           (char *)entry->lsm[i].args_p);
1475                                break;
1476                        case LSM_OBJ_TYPE:
1477                                seq_printf(m, pt(Opt_obj_type),
1478                                           (char *)entry->lsm[i].args_p);
1479                                break;
1480                        case LSM_SUBJ_USER:
1481                                seq_printf(m, pt(Opt_subj_user),
1482                                           (char *)entry->lsm[i].args_p);
1483                                break;
1484                        case LSM_SUBJ_ROLE:
1485                                seq_printf(m, pt(Opt_subj_role),
1486                                           (char *)entry->lsm[i].args_p);
1487                                break;
1488                        case LSM_SUBJ_TYPE:
1489                                seq_printf(m, pt(Opt_subj_type),
1490                                           (char *)entry->lsm[i].args_p);
1491                                break;
1492                        }
1493                }
1494        }
1495        if (entry->template)
1496                seq_printf(m, "template=%s ", entry->template->name);
1497        if (entry->flags & IMA_DIGSIG_REQUIRED) {
1498                if (entry->flags & IMA_MODSIG_ALLOWED)
1499                        seq_puts(m, "appraise_type=imasig|modsig ");
1500                else
1501                        seq_puts(m, "appraise_type=imasig ");
1502        }
1503        if (entry->flags & IMA_PERMIT_DIRECTIO)
1504                seq_puts(m, "permit_directio ");
1505        rcu_read_unlock();
1506        seq_puts(m, "\n");
1507        return 0;
1508}
1509#endif  /* CONFIG_IMA_READ_POLICY */
1510
1511#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
1512/*
1513 * ima_appraise_signature: whether IMA will appraise a given function using
1514 * an IMA digital signature. This is restricted to cases where the kernel
1515 * has a set of built-in trusted keys in order to avoid an attacker simply
1516 * loading additional keys.
1517 */
1518bool ima_appraise_signature(enum kernel_read_file_id id)
1519{
1520        struct ima_rule_entry *entry;
1521        bool found = false;
1522        enum ima_hooks func;
1523
1524        if (id >= READING_MAX_ID)
1525                return false;
1526
1527        func = read_idmap[id] ?: FILE_CHECK;
1528
1529        rcu_read_lock();
1530        list_for_each_entry_rcu(entry, ima_rules, list) {
1531                if (entry->action != APPRAISE)
1532                        continue;
1533
1534                /*
1535                 * A generic entry will match, but otherwise require that it
1536                 * match the func we're looking for
1537                 */
1538                if (entry->func && entry->func != func)
1539                        continue;
1540
1541                /*
1542                 * We require this to be a digital signature, not a raw IMA
1543                 * hash.
1544                 */
1545                if (entry->flags & IMA_DIGSIG_REQUIRED)
1546                        found = true;
1547
1548                /*
1549                 * We've found a rule that matches, so break now even if it
1550                 * didn't require a digital signature - a later rule that does
1551                 * won't override it, so would be a false positive.
1552                 */
1553                break;
1554        }
1555
1556        rcu_read_unlock();
1557        return found;
1558}
1559#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
1560