1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/genhd.h> 20 #include <linux/seq_file.h> 21 #include <linux/ima.h> 22 23 #include "ima.h" 24 25 /* flags definitions */ 26 #define IMA_FUNC 0x0001 27 #define IMA_MASK 0x0002 28 #define IMA_FSMAGIC 0x0004 29 #define IMA_UID 0x0008 30 #define IMA_FOWNER 0x0010 31 #define IMA_FSUUID 0x0020 32 #define IMA_INMASK 0x0040 33 #define IMA_EUID 0x0080 34 #define IMA_PCR 0x0100 35 #define IMA_FSNAME 0x0200 36 #define IMA_KEYRINGS 0x0400 37 #define IMA_LABEL 0x0800 38 #define IMA_VALIDATE_ALGOS 0x1000 39 40 #define UNKNOWN 0 41 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 42 #define DONT_MEASURE 0x0002 43 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 44 #define DONT_APPRAISE 0x0008 45 #define AUDIT 0x0040 46 #define HASH 0x0100 47 #define DONT_HASH 0x0200 48 49 #define INVALID_PCR(a) (((a) < 0) || \ 50 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 51 52 int ima_policy_flag; 53 static int temp_ima_appraise; 54 static int build_ima_appraise __ro_after_init; 55 56 atomic_t ima_setxattr_allowed_hash_algorithms; 57 58 #define MAX_LSM_RULES 6 59 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 60 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 61 }; 62 63 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 64 65 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 66 67 struct ima_rule_opt_list { 68 size_t count; 69 char *items[]; 70 }; 71 72 struct ima_rule_entry { 73 struct list_head list; 74 int action; 75 unsigned int flags; 76 enum ima_hooks func; 77 int mask; 78 unsigned long fsmagic; 79 uuid_t fsuuid; 80 kuid_t uid; 81 kuid_t fowner; 82 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 83 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 84 int pcr; 85 unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ 86 struct { 87 void *rule; /* LSM file metadata specific */ 88 char *args_p; /* audit value */ 89 int type; /* audit type */ 90 } lsm[MAX_LSM_RULES]; 91 char *fsname; 92 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 93 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 94 struct ima_template_desc *template; 95 }; 96 97 /* 98 * sanity check in case the kernels gains more hash algorithms that can 99 * fit in an unsigned int 100 */ 101 static_assert( 102 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, 103 "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type"); 104 105 /* 106 * Without LSM specific knowledge, the default policy can only be 107 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 108 */ 109 110 /* 111 * The minimum rule set to allow for full TCB coverage. Measures all files 112 * opened or mmap for exec and everything read by root. Dangerous because 113 * normal users can easily run the machine out of memory simply building 114 * and running executables. 115 */ 116 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 117 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 118 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 119 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 120 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 121 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 122 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 123 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 124 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 125 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 126 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 127 .flags = IMA_FSMAGIC}, 128 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 129 .flags = IMA_FSMAGIC}, 130 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 131 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 132 }; 133 134 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 135 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 136 .flags = IMA_FUNC | IMA_MASK}, 137 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 138 .flags = IMA_FUNC | IMA_MASK}, 139 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 140 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 141 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 142 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 143 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 144 }; 145 146 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 147 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 148 .flags = IMA_FUNC | IMA_MASK}, 149 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 150 .flags = IMA_FUNC | IMA_MASK}, 151 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 152 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 153 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 154 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 155 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 156 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 157 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 158 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 159 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 160 }; 161 162 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 163 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 164 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 165 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 166 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 167 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 168 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 169 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 170 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 171 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 172 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 173 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 174 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 175 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 176 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 177 #ifdef CONFIG_IMA_WRITE_POLICY 178 {.action = APPRAISE, .func = POLICY_CHECK, 179 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 180 #endif 181 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 182 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 183 .flags = IMA_FOWNER}, 184 #else 185 /* force signature */ 186 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 187 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 188 #endif 189 }; 190 191 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 192 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 193 {.action = APPRAISE, .func = MODULE_CHECK, 194 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 195 #endif 196 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 197 {.action = APPRAISE, .func = FIRMWARE_CHECK, 198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 199 #endif 200 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 201 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 202 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 203 #endif 204 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 205 {.action = APPRAISE, .func = POLICY_CHECK, 206 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 207 #endif 208 }; 209 210 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 211 {.action = APPRAISE, .func = MODULE_CHECK, 212 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 213 {.action = APPRAISE, .func = FIRMWARE_CHECK, 214 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 215 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 216 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 217 {.action = APPRAISE, .func = POLICY_CHECK, 218 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 219 }; 220 221 static struct ima_rule_entry critical_data_rules[] __ro_after_init = { 222 {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, 223 }; 224 225 /* An array of architecture specific rules */ 226 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 227 228 static LIST_HEAD(ima_default_rules); 229 static LIST_HEAD(ima_policy_rules); 230 static LIST_HEAD(ima_temp_rules); 231 static struct list_head *ima_rules = &ima_default_rules; 232 233 static int ima_policy __initdata; 234 235 static int __init default_measure_policy_setup(char *str) 236 { 237 if (ima_policy) 238 return 1; 239 240 ima_policy = ORIGINAL_TCB; 241 return 1; 242 } 243 __setup("ima_tcb", default_measure_policy_setup); 244 245 static bool ima_use_appraise_tcb __initdata; 246 static bool ima_use_secure_boot __initdata; 247 static bool ima_use_critical_data __initdata; 248 static bool ima_fail_unverifiable_sigs __ro_after_init; 249 static int __init policy_setup(char *str) 250 { 251 char *p; 252 253 while ((p = strsep(&str, " |\n")) != NULL) { 254 if (*p == ' ') 255 continue; 256 if ((strcmp(p, "tcb") == 0) && !ima_policy) 257 ima_policy = DEFAULT_TCB; 258 else if (strcmp(p, "appraise_tcb") == 0) 259 ima_use_appraise_tcb = true; 260 else if (strcmp(p, "secure_boot") == 0) 261 ima_use_secure_boot = true; 262 else if (strcmp(p, "critical_data") == 0) 263 ima_use_critical_data = true; 264 else if (strcmp(p, "fail_securely") == 0) 265 ima_fail_unverifiable_sigs = true; 266 else 267 pr_err("policy \"%s\" not found", p); 268 } 269 270 return 1; 271 } 272 __setup("ima_policy=", policy_setup); 273 274 static int __init default_appraise_policy_setup(char *str) 275 { 276 ima_use_appraise_tcb = true; 277 return 1; 278 } 279 __setup("ima_appraise_tcb", default_appraise_policy_setup); 280 281 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 282 { 283 struct ima_rule_opt_list *opt_list; 284 size_t count = 0; 285 char *src_copy; 286 char *cur, *next; 287 size_t i; 288 289 src_copy = match_strdup(src); 290 if (!src_copy) 291 return ERR_PTR(-ENOMEM); 292 293 next = src_copy; 294 while ((cur = strsep(&next, "|"))) { 295 /* Don't accept an empty list item */ 296 if (!(*cur)) { 297 kfree(src_copy); 298 return ERR_PTR(-EINVAL); 299 } 300 count++; 301 } 302 303 /* Don't accept an empty list */ 304 if (!count) { 305 kfree(src_copy); 306 return ERR_PTR(-EINVAL); 307 } 308 309 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 310 if (!opt_list) { 311 kfree(src_copy); 312 return ERR_PTR(-ENOMEM); 313 } 314 315 /* 316 * strsep() has already replaced all instances of '|' with '\0', 317 * leaving a byte sequence of NUL-terminated strings. Reference each 318 * string with the array of items. 319 * 320 * IMPORTANT: Ownership of the allocated buffer is transferred from 321 * src_copy to the first element in the items array. To free the 322 * buffer, kfree() must only be called on the first element of the 323 * array. 324 */ 325 for (i = 0, cur = src_copy; i < count; i++) { 326 opt_list->items[i] = cur; 327 cur = strchr(cur, '\0') + 1; 328 } 329 opt_list->count = count; 330 331 return opt_list; 332 } 333 334 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 335 { 336 if (!opt_list) 337 return; 338 339 if (opt_list->count) { 340 kfree(opt_list->items[0]); 341 opt_list->count = 0; 342 } 343 344 kfree(opt_list); 345 } 346 347 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 348 { 349 int i; 350 351 for (i = 0; i < MAX_LSM_RULES; i++) { 352 ima_filter_rule_free(entry->lsm[i].rule); 353 kfree(entry->lsm[i].args_p); 354 } 355 } 356 357 static void ima_free_rule(struct ima_rule_entry *entry) 358 { 359 if (!entry) 360 return; 361 362 /* 363 * entry->template->fields may be allocated in ima_parse_rule() but that 364 * reference is owned by the corresponding ima_template_desc element in 365 * the defined_templates list and cannot be freed here 366 */ 367 kfree(entry->fsname); 368 ima_free_rule_opt_list(entry->keyrings); 369 ima_lsm_free_rule(entry); 370 kfree(entry); 371 } 372 373 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 374 { 375 struct ima_rule_entry *nentry; 376 int i; 377 378 /* 379 * Immutable elements are copied over as pointers and data; only 380 * lsm rules can change 381 */ 382 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 383 if (!nentry) 384 return NULL; 385 386 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 387 388 for (i = 0; i < MAX_LSM_RULES; i++) { 389 if (!entry->lsm[i].args_p) 390 continue; 391 392 nentry->lsm[i].type = entry->lsm[i].type; 393 nentry->lsm[i].args_p = entry->lsm[i].args_p; 394 /* 395 * Remove the reference from entry so that the associated 396 * memory will not be freed during a later call to 397 * ima_lsm_free_rule(entry). 398 */ 399 entry->lsm[i].args_p = NULL; 400 401 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 402 nentry->lsm[i].args_p, 403 &nentry->lsm[i].rule); 404 if (!nentry->lsm[i].rule) 405 pr_warn("rule for LSM \'%s\' is undefined\n", 406 nentry->lsm[i].args_p); 407 } 408 return nentry; 409 } 410 411 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 412 { 413 struct ima_rule_entry *nentry; 414 415 nentry = ima_lsm_copy_rule(entry); 416 if (!nentry) 417 return -ENOMEM; 418 419 list_replace_rcu(&entry->list, &nentry->list); 420 synchronize_rcu(); 421 /* 422 * ima_lsm_copy_rule() shallow copied all references, except for the 423 * LSM references, from entry to nentry so we only want to free the LSM 424 * references and the entry itself. All other memory refrences will now 425 * be owned by nentry. 426 */ 427 ima_lsm_free_rule(entry); 428 kfree(entry); 429 430 return 0; 431 } 432 433 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 434 { 435 int i; 436 437 for (i = 0; i < MAX_LSM_RULES; i++) 438 if (entry->lsm[i].args_p) 439 return true; 440 441 return false; 442 } 443 444 /* 445 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 446 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 447 * the reloaded LSM policy. 448 */ 449 static void ima_lsm_update_rules(void) 450 { 451 struct ima_rule_entry *entry, *e; 452 int result; 453 454 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 455 if (!ima_rule_contains_lsm_cond(entry)) 456 continue; 457 458 result = ima_lsm_update_rule(entry); 459 if (result) { 460 pr_err("lsm rule update error %d\n", result); 461 return; 462 } 463 } 464 } 465 466 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 467 void *lsm_data) 468 { 469 if (event != LSM_POLICY_CHANGE) 470 return NOTIFY_DONE; 471 472 ima_lsm_update_rules(); 473 return NOTIFY_OK; 474 } 475 476 /** 477 * ima_match_rule_data - determine whether func_data matches the policy rule 478 * @rule: a pointer to a rule 479 * @func_data: data to match against the measure rule data 480 * @cred: a pointer to a credentials structure for user validation 481 * 482 * Returns true if func_data matches one in the rule, false otherwise. 483 */ 484 static bool ima_match_rule_data(struct ima_rule_entry *rule, 485 const char *func_data, 486 const struct cred *cred) 487 { 488 const struct ima_rule_opt_list *opt_list = NULL; 489 bool matched = false; 490 size_t i; 491 492 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 493 return false; 494 495 switch (rule->func) { 496 case KEY_CHECK: 497 if (!rule->keyrings) 498 return true; 499 500 opt_list = rule->keyrings; 501 break; 502 case CRITICAL_DATA: 503 if (!rule->label) 504 return true; 505 506 opt_list = rule->label; 507 break; 508 default: 509 return false; 510 } 511 512 if (!func_data) 513 return false; 514 515 for (i = 0; i < opt_list->count; i++) { 516 if (!strcmp(opt_list->items[i], func_data)) { 517 matched = true; 518 break; 519 } 520 } 521 522 return matched; 523 } 524 525 /** 526 * ima_match_rules - determine whether an inode matches the policy rule. 527 * @rule: a pointer to a rule 528 * @mnt_userns: user namespace of the mount the inode was found from 529 * @inode: a pointer to an inode 530 * @cred: a pointer to a credentials structure for user validation 531 * @secid: the secid of the task to be validated 532 * @func: LIM hook identifier 533 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 534 * @func_data: func specific data, may be NULL 535 * 536 * Returns true on rule match, false on failure. 537 */ 538 static bool ima_match_rules(struct ima_rule_entry *rule, 539 struct user_namespace *mnt_userns, 540 struct inode *inode, const struct cred *cred, 541 u32 secid, enum ima_hooks func, int mask, 542 const char *func_data) 543 { 544 int i; 545 546 if ((rule->flags & IMA_FUNC) && 547 (rule->func != func && func != POST_SETATTR)) 548 return false; 549 550 switch (func) { 551 case KEY_CHECK: 552 case CRITICAL_DATA: 553 return ((rule->func == func) && 554 ima_match_rule_data(rule, func_data, cred)); 555 default: 556 break; 557 } 558 559 if ((rule->flags & IMA_MASK) && 560 (rule->mask != mask && func != POST_SETATTR)) 561 return false; 562 if ((rule->flags & IMA_INMASK) && 563 (!(rule->mask & mask) && func != POST_SETATTR)) 564 return false; 565 if ((rule->flags & IMA_FSMAGIC) 566 && rule->fsmagic != inode->i_sb->s_magic) 567 return false; 568 if ((rule->flags & IMA_FSNAME) 569 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 570 return false; 571 if ((rule->flags & IMA_FSUUID) && 572 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 573 return false; 574 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 575 return false; 576 if (rule->flags & IMA_EUID) { 577 if (has_capability_noaudit(current, CAP_SETUID)) { 578 if (!rule->uid_op(cred->euid, rule->uid) 579 && !rule->uid_op(cred->suid, rule->uid) 580 && !rule->uid_op(cred->uid, rule->uid)) 581 return false; 582 } else if (!rule->uid_op(cred->euid, rule->uid)) 583 return false; 584 } 585 586 if ((rule->flags & IMA_FOWNER) && 587 !rule->fowner_op(i_uid_into_mnt(mnt_userns, inode), rule->fowner)) 588 return false; 589 for (i = 0; i < MAX_LSM_RULES; i++) { 590 int rc = 0; 591 u32 osid; 592 593 if (!rule->lsm[i].rule) { 594 if (!rule->lsm[i].args_p) 595 continue; 596 else 597 return false; 598 } 599 switch (i) { 600 case LSM_OBJ_USER: 601 case LSM_OBJ_ROLE: 602 case LSM_OBJ_TYPE: 603 security_inode_getsecid(inode, &osid); 604 rc = ima_filter_rule_match(osid, rule->lsm[i].type, 605 Audit_equal, 606 rule->lsm[i].rule); 607 break; 608 case LSM_SUBJ_USER: 609 case LSM_SUBJ_ROLE: 610 case LSM_SUBJ_TYPE: 611 rc = ima_filter_rule_match(secid, rule->lsm[i].type, 612 Audit_equal, 613 rule->lsm[i].rule); 614 break; 615 default: 616 break; 617 } 618 if (!rc) 619 return false; 620 } 621 return true; 622 } 623 624 /* 625 * In addition to knowing that we need to appraise the file in general, 626 * we need to differentiate between calling hooks, for hook specific rules. 627 */ 628 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 629 { 630 if (!(rule->flags & IMA_FUNC)) 631 return IMA_FILE_APPRAISE; 632 633 switch (func) { 634 case MMAP_CHECK: 635 return IMA_MMAP_APPRAISE; 636 case BPRM_CHECK: 637 return IMA_BPRM_APPRAISE; 638 case CREDS_CHECK: 639 return IMA_CREDS_APPRAISE; 640 case FILE_CHECK: 641 case POST_SETATTR: 642 return IMA_FILE_APPRAISE; 643 case MODULE_CHECK ... MAX_CHECK - 1: 644 default: 645 return IMA_READ_APPRAISE; 646 } 647 } 648 649 /** 650 * ima_match_policy - decision based on LSM and other conditions 651 * @mnt_userns: user namespace of the mount the inode was found from 652 * @inode: pointer to an inode for which the policy decision is being made 653 * @cred: pointer to a credentials structure for which the policy decision is 654 * being made 655 * @secid: LSM secid of the task to be validated 656 * @func: IMA hook identifier 657 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 658 * @pcr: set the pcr to extend 659 * @template_desc: the template that should be used for this rule 660 * @func_data: func specific data, may be NULL 661 * @allowed_algos: allowlist of hash algorithms for the IMA xattr 662 * 663 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 664 * conditions. 665 * 666 * Since the IMA policy may be updated multiple times we need to lock the 667 * list when walking it. Reads are many orders of magnitude more numerous 668 * than writes so ima_match_policy() is classical RCU candidate. 669 */ 670 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, 671 const struct cred *cred, u32 secid, enum ima_hooks func, 672 int mask, int flags, int *pcr, 673 struct ima_template_desc **template_desc, 674 const char *func_data, unsigned int *allowed_algos) 675 { 676 struct ima_rule_entry *entry; 677 int action = 0, actmask = flags | (flags << 1); 678 679 if (template_desc && !*template_desc) 680 *template_desc = ima_template_desc_current(); 681 682 rcu_read_lock(); 683 list_for_each_entry_rcu(entry, ima_rules, list) { 684 685 if (!(entry->action & actmask)) 686 continue; 687 688 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, 689 func, mask, func_data)) 690 continue; 691 692 action |= entry->flags & IMA_ACTION_FLAGS; 693 694 action |= entry->action & IMA_DO_MASK; 695 if (entry->action & IMA_APPRAISE) { 696 action |= get_subaction(entry, func); 697 action &= ~IMA_HASH; 698 if (ima_fail_unverifiable_sigs) 699 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 700 701 if (allowed_algos && 702 entry->flags & IMA_VALIDATE_ALGOS) 703 *allowed_algos = entry->allowed_algos; 704 } 705 706 if (entry->action & IMA_DO_MASK) 707 actmask &= ~(entry->action | entry->action << 1); 708 else 709 actmask &= ~(entry->action | entry->action >> 1); 710 711 if ((pcr) && (entry->flags & IMA_PCR)) 712 *pcr = entry->pcr; 713 714 if (template_desc && entry->template) 715 *template_desc = entry->template; 716 717 if (!actmask) 718 break; 719 } 720 rcu_read_unlock(); 721 722 return action; 723 } 724 725 /** 726 * ima_update_policy_flags() - Update global IMA variables 727 * 728 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms 729 * based on the currently loaded policy. 730 * 731 * With ima_policy_flag, the decision to short circuit out of a function 732 * or not call the function in the first place can be made earlier. 733 * 734 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the 735 * set of hash algorithms accepted when updating the security.ima xattr of 736 * a file. 737 * 738 * Context: called after a policy update and at system initialization. 739 */ 740 void ima_update_policy_flags(void) 741 { 742 struct ima_rule_entry *entry; 743 int new_policy_flag = 0; 744 745 rcu_read_lock(); 746 list_for_each_entry(entry, ima_rules, list) { 747 /* 748 * SETXATTR_CHECK rules do not implement a full policy check 749 * because rule checking would probably have an important 750 * performance impact on setxattr(). As a consequence, only one 751 * SETXATTR_CHECK can be active at a given time. 752 * Because we want to preserve that property, we set out to use 753 * atomic_cmpxchg. Either: 754 * - the atomic was non-zero: a setxattr hash policy is 755 * already enforced, we do nothing 756 * - the atomic was zero: no setxattr policy was set, enable 757 * the setxattr hash policy 758 */ 759 if (entry->func == SETXATTR_CHECK) { 760 atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms, 761 0, entry->allowed_algos); 762 /* SETXATTR_CHECK doesn't impact ima_policy_flag */ 763 continue; 764 } 765 766 if (entry->action & IMA_DO_MASK) 767 new_policy_flag |= entry->action; 768 } 769 rcu_read_unlock(); 770 771 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 772 if (!ima_appraise) 773 new_policy_flag &= ~IMA_APPRAISE; 774 775 ima_policy_flag = new_policy_flag; 776 } 777 778 static int ima_appraise_flag(enum ima_hooks func) 779 { 780 if (func == MODULE_CHECK) 781 return IMA_APPRAISE_MODULES; 782 else if (func == FIRMWARE_CHECK) 783 return IMA_APPRAISE_FIRMWARE; 784 else if (func == POLICY_CHECK) 785 return IMA_APPRAISE_POLICY; 786 else if (func == KEXEC_KERNEL_CHECK) 787 return IMA_APPRAISE_KEXEC; 788 return 0; 789 } 790 791 static void add_rules(struct ima_rule_entry *entries, int count, 792 enum policy_rule_list policy_rule) 793 { 794 int i = 0; 795 796 for (i = 0; i < count; i++) { 797 struct ima_rule_entry *entry; 798 799 if (policy_rule & IMA_DEFAULT_POLICY) 800 list_add_tail(&entries[i].list, &ima_default_rules); 801 802 if (policy_rule & IMA_CUSTOM_POLICY) { 803 entry = kmemdup(&entries[i], sizeof(*entry), 804 GFP_KERNEL); 805 if (!entry) 806 continue; 807 808 list_add_tail(&entry->list, &ima_policy_rules); 809 } 810 if (entries[i].action == APPRAISE) { 811 if (entries != build_appraise_rules) 812 temp_ima_appraise |= 813 ima_appraise_flag(entries[i].func); 814 else 815 build_ima_appraise |= 816 ima_appraise_flag(entries[i].func); 817 } 818 } 819 } 820 821 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 822 823 static int __init ima_init_arch_policy(void) 824 { 825 const char * const *arch_rules; 826 const char * const *rules; 827 int arch_entries = 0; 828 int i = 0; 829 830 arch_rules = arch_get_ima_policy(); 831 if (!arch_rules) 832 return arch_entries; 833 834 /* Get number of rules */ 835 for (rules = arch_rules; *rules != NULL; rules++) 836 arch_entries++; 837 838 arch_policy_entry = kcalloc(arch_entries + 1, 839 sizeof(*arch_policy_entry), GFP_KERNEL); 840 if (!arch_policy_entry) 841 return 0; 842 843 /* Convert each policy string rules to struct ima_rule_entry format */ 844 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 845 char rule[255]; 846 int result; 847 848 result = strlcpy(rule, *rules, sizeof(rule)); 849 850 INIT_LIST_HEAD(&arch_policy_entry[i].list); 851 result = ima_parse_rule(rule, &arch_policy_entry[i]); 852 if (result) { 853 pr_warn("Skipping unknown architecture policy rule: %s\n", 854 rule); 855 memset(&arch_policy_entry[i], 0, 856 sizeof(*arch_policy_entry)); 857 continue; 858 } 859 i++; 860 } 861 return i; 862 } 863 864 /** 865 * ima_init_policy - initialize the default measure rules. 866 * 867 * ima_rules points to either the ima_default_rules or the 868 * the new ima_policy_rules. 869 */ 870 void __init ima_init_policy(void) 871 { 872 int build_appraise_entries, arch_entries; 873 874 /* if !ima_policy, we load NO default rules */ 875 if (ima_policy) 876 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 877 IMA_DEFAULT_POLICY); 878 879 switch (ima_policy) { 880 case ORIGINAL_TCB: 881 add_rules(original_measurement_rules, 882 ARRAY_SIZE(original_measurement_rules), 883 IMA_DEFAULT_POLICY); 884 break; 885 case DEFAULT_TCB: 886 add_rules(default_measurement_rules, 887 ARRAY_SIZE(default_measurement_rules), 888 IMA_DEFAULT_POLICY); 889 break; 890 default: 891 break; 892 } 893 894 /* 895 * Based on runtime secure boot flags, insert arch specific measurement 896 * and appraise rules requiring file signatures for both the initial 897 * and custom policies, prior to other appraise rules. 898 * (Highest priority) 899 */ 900 arch_entries = ima_init_arch_policy(); 901 if (!arch_entries) 902 pr_info("No architecture policies found\n"); 903 else 904 add_rules(arch_policy_entry, arch_entries, 905 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 906 907 /* 908 * Insert the builtin "secure_boot" policy rules requiring file 909 * signatures, prior to other appraise rules. 910 */ 911 if (ima_use_secure_boot) 912 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 913 IMA_DEFAULT_POLICY); 914 915 /* 916 * Insert the build time appraise rules requiring file signatures 917 * for both the initial and custom policies, prior to other appraise 918 * rules. As the secure boot rules includes all of the build time 919 * rules, include either one or the other set of rules, but not both. 920 */ 921 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 922 if (build_appraise_entries) { 923 if (ima_use_secure_boot) 924 add_rules(build_appraise_rules, build_appraise_entries, 925 IMA_CUSTOM_POLICY); 926 else 927 add_rules(build_appraise_rules, build_appraise_entries, 928 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 929 } 930 931 if (ima_use_appraise_tcb) 932 add_rules(default_appraise_rules, 933 ARRAY_SIZE(default_appraise_rules), 934 IMA_DEFAULT_POLICY); 935 936 if (ima_use_critical_data) 937 add_rules(critical_data_rules, 938 ARRAY_SIZE(critical_data_rules), 939 IMA_DEFAULT_POLICY); 940 941 atomic_set(&ima_setxattr_allowed_hash_algorithms, 0); 942 943 ima_update_policy_flags(); 944 } 945 946 /* Make sure we have a valid policy, at least containing some rules. */ 947 int ima_check_policy(void) 948 { 949 if (list_empty(&ima_temp_rules)) 950 return -EINVAL; 951 return 0; 952 } 953 954 /** 955 * ima_update_policy - update default_rules with new measure rules 956 * 957 * Called on file .release to update the default rules with a complete new 958 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 959 * they make a queue. The policy may be updated multiple times and this is the 960 * RCU updater. 961 * 962 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 963 * we switch from the default policy to user defined. 964 */ 965 void ima_update_policy(void) 966 { 967 struct list_head *policy = &ima_policy_rules; 968 969 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 970 971 if (ima_rules != policy) { 972 ima_policy_flag = 0; 973 ima_rules = policy; 974 975 /* 976 * IMA architecture specific policy rules are specified 977 * as strings and converted to an array of ima_entry_rules 978 * on boot. After loading a custom policy, free the 979 * architecture specific rules stored as an array. 980 */ 981 kfree(arch_policy_entry); 982 } 983 ima_update_policy_flags(); 984 985 /* Custom IMA policy has been loaded */ 986 ima_process_queued_keys(); 987 } 988 989 /* Keep the enumeration in sync with the policy_tokens! */ 990 enum { 991 Opt_measure, Opt_dont_measure, 992 Opt_appraise, Opt_dont_appraise, 993 Opt_audit, Opt_hash, Opt_dont_hash, 994 Opt_obj_user, Opt_obj_role, Opt_obj_type, 995 Opt_subj_user, Opt_subj_role, Opt_subj_type, 996 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 997 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 998 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 999 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 1000 Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, 1001 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 1002 Opt_label, Opt_err 1003 }; 1004 1005 static const match_table_t policy_tokens = { 1006 {Opt_measure, "measure"}, 1007 {Opt_dont_measure, "dont_measure"}, 1008 {Opt_appraise, "appraise"}, 1009 {Opt_dont_appraise, "dont_appraise"}, 1010 {Opt_audit, "audit"}, 1011 {Opt_hash, "hash"}, 1012 {Opt_dont_hash, "dont_hash"}, 1013 {Opt_obj_user, "obj_user=%s"}, 1014 {Opt_obj_role, "obj_role=%s"}, 1015 {Opt_obj_type, "obj_type=%s"}, 1016 {Opt_subj_user, "subj_user=%s"}, 1017 {Opt_subj_role, "subj_role=%s"}, 1018 {Opt_subj_type, "subj_type=%s"}, 1019 {Opt_func, "func=%s"}, 1020 {Opt_mask, "mask=%s"}, 1021 {Opt_fsmagic, "fsmagic=%s"}, 1022 {Opt_fsname, "fsname=%s"}, 1023 {Opt_fsuuid, "fsuuid=%s"}, 1024 {Opt_uid_eq, "uid=%s"}, 1025 {Opt_euid_eq, "euid=%s"}, 1026 {Opt_fowner_eq, "fowner=%s"}, 1027 {Opt_uid_gt, "uid>%s"}, 1028 {Opt_euid_gt, "euid>%s"}, 1029 {Opt_fowner_gt, "fowner>%s"}, 1030 {Opt_uid_lt, "uid<%s"}, 1031 {Opt_euid_lt, "euid<%s"}, 1032 {Opt_fowner_lt, "fowner<%s"}, 1033 {Opt_appraise_type, "appraise_type=%s"}, 1034 {Opt_appraise_flag, "appraise_flag=%s"}, 1035 {Opt_appraise_algos, "appraise_algos=%s"}, 1036 {Opt_permit_directio, "permit_directio"}, 1037 {Opt_pcr, "pcr=%s"}, 1038 {Opt_template, "template=%s"}, 1039 {Opt_keyrings, "keyrings=%s"}, 1040 {Opt_label, "label=%s"}, 1041 {Opt_err, NULL} 1042 }; 1043 1044 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 1045 substring_t *args, int lsm_rule, int audit_type) 1046 { 1047 int result; 1048 1049 if (entry->lsm[lsm_rule].rule) 1050 return -EINVAL; 1051 1052 entry->lsm[lsm_rule].args_p = match_strdup(args); 1053 if (!entry->lsm[lsm_rule].args_p) 1054 return -ENOMEM; 1055 1056 entry->lsm[lsm_rule].type = audit_type; 1057 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1058 entry->lsm[lsm_rule].args_p, 1059 &entry->lsm[lsm_rule].rule); 1060 if (!entry->lsm[lsm_rule].rule) { 1061 pr_warn("rule for LSM \'%s\' is undefined\n", 1062 entry->lsm[lsm_rule].args_p); 1063 1064 if (ima_rules == &ima_default_rules) { 1065 kfree(entry->lsm[lsm_rule].args_p); 1066 entry->lsm[lsm_rule].args_p = NULL; 1067 result = -EINVAL; 1068 } else 1069 result = 0; 1070 } 1071 1072 return result; 1073 } 1074 1075 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1076 bool (*rule_operator)(kuid_t, kuid_t)) 1077 { 1078 if (!ab) 1079 return; 1080 1081 if (rule_operator == &uid_gt) 1082 audit_log_format(ab, "%s>", key); 1083 else if (rule_operator == &uid_lt) 1084 audit_log_format(ab, "%s<", key); 1085 else 1086 audit_log_format(ab, "%s=", key); 1087 audit_log_format(ab, "%s ", value); 1088 } 1089 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1090 { 1091 ima_log_string_op(ab, key, value, NULL); 1092 } 1093 1094 /* 1095 * Validating the appended signature included in the measurement list requires 1096 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1097 * field). Therefore, notify the user if they have the 'modsig' field but not 1098 * the 'd-modsig' field in the template. 1099 */ 1100 static void check_template_modsig(const struct ima_template_desc *template) 1101 { 1102 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1103 bool has_modsig, has_dmodsig; 1104 static bool checked; 1105 int i; 1106 1107 /* We only need to notify the user once. */ 1108 if (checked) 1109 return; 1110 1111 has_modsig = has_dmodsig = false; 1112 for (i = 0; i < template->num_fields; i++) { 1113 if (!strcmp(template->fields[i]->field_id, "modsig")) 1114 has_modsig = true; 1115 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1116 has_dmodsig = true; 1117 } 1118 1119 if (has_modsig && !has_dmodsig) 1120 pr_notice(MSG); 1121 1122 checked = true; 1123 #undef MSG 1124 } 1125 1126 static bool ima_validate_rule(struct ima_rule_entry *entry) 1127 { 1128 /* Ensure that the action is set and is compatible with the flags */ 1129 if (entry->action == UNKNOWN) 1130 return false; 1131 1132 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1133 return false; 1134 1135 if (entry->action != APPRAISE && 1136 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 1137 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1138 return false; 1139 1140 /* 1141 * The IMA_FUNC bit must be set if and only if there's a valid hook 1142 * function specified, and vice versa. Enforcing this property allows 1143 * for the NONE case below to validate a rule without an explicit hook 1144 * function. 1145 */ 1146 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1147 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1148 return false; 1149 1150 /* 1151 * Ensure that the hook function is compatible with the other 1152 * components of the rule 1153 */ 1154 switch (entry->func) { 1155 case NONE: 1156 case FILE_CHECK: 1157 case MMAP_CHECK: 1158 case BPRM_CHECK: 1159 case CREDS_CHECK: 1160 case POST_SETATTR: 1161 case FIRMWARE_CHECK: 1162 case POLICY_CHECK: 1163 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1164 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1165 IMA_INMASK | IMA_EUID | IMA_PCR | 1166 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1167 IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS)) 1168 return false; 1169 1170 break; 1171 case MODULE_CHECK: 1172 case KEXEC_KERNEL_CHECK: 1173 case KEXEC_INITRAMFS_CHECK: 1174 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1175 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1176 IMA_INMASK | IMA_EUID | IMA_PCR | 1177 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1178 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1179 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1180 return false; 1181 1182 break; 1183 case KEXEC_CMDLINE: 1184 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1185 return false; 1186 1187 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1188 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1189 IMA_PCR | IMA_FSNAME)) 1190 return false; 1191 1192 break; 1193 case KEY_CHECK: 1194 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1195 return false; 1196 1197 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1198 IMA_KEYRINGS)) 1199 return false; 1200 1201 if (ima_rule_contains_lsm_cond(entry)) 1202 return false; 1203 1204 break; 1205 case CRITICAL_DATA: 1206 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1207 return false; 1208 1209 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1210 IMA_LABEL)) 1211 return false; 1212 1213 if (ima_rule_contains_lsm_cond(entry)) 1214 return false; 1215 1216 break; 1217 case SETXATTR_CHECK: 1218 /* any action other than APPRAISE is unsupported */ 1219 if (entry->action != APPRAISE) 1220 return false; 1221 1222 /* SETXATTR_CHECK requires an appraise_algos parameter */ 1223 if (!(entry->flags & IMA_VALIDATE_ALGOS)) 1224 return false; 1225 1226 /* 1227 * full policies are not supported, they would have too 1228 * much of a performance impact 1229 */ 1230 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) 1231 return false; 1232 1233 break; 1234 default: 1235 return false; 1236 } 1237 1238 /* Ensure that combinations of flags are compatible with each other */ 1239 if (entry->flags & IMA_CHECK_BLACKLIST && 1240 !(entry->flags & IMA_MODSIG_ALLOWED)) 1241 return false; 1242 1243 return true; 1244 } 1245 1246 static unsigned int ima_parse_appraise_algos(char *arg) 1247 { 1248 unsigned int res = 0; 1249 int idx; 1250 char *token; 1251 1252 while ((token = strsep(&arg, ",")) != NULL) { 1253 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); 1254 1255 if (idx < 0) { 1256 pr_err("unknown hash algorithm \"%s\"", 1257 token); 1258 return 0; 1259 } 1260 1261 if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) { 1262 pr_err("unavailable hash algorithm \"%s\", check your kernel configuration", 1263 token); 1264 return 0; 1265 } 1266 1267 /* Add the hash algorithm to the 'allowed' bitfield */ 1268 res |= (1U << idx); 1269 } 1270 1271 return res; 1272 } 1273 1274 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1275 { 1276 struct audit_buffer *ab; 1277 char *from; 1278 char *p; 1279 bool uid_token; 1280 struct ima_template_desc *template_desc; 1281 int result = 0; 1282 1283 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1284 AUDIT_INTEGRITY_POLICY_RULE); 1285 1286 entry->uid = INVALID_UID; 1287 entry->fowner = INVALID_UID; 1288 entry->uid_op = &uid_eq; 1289 entry->fowner_op = &uid_eq; 1290 entry->action = UNKNOWN; 1291 while ((p = strsep(&rule, " \t")) != NULL) { 1292 substring_t args[MAX_OPT_ARGS]; 1293 int token; 1294 unsigned long lnum; 1295 1296 if (result < 0) 1297 break; 1298 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1299 continue; 1300 token = match_token(p, policy_tokens, args); 1301 switch (token) { 1302 case Opt_measure: 1303 ima_log_string(ab, "action", "measure"); 1304 1305 if (entry->action != UNKNOWN) 1306 result = -EINVAL; 1307 1308 entry->action = MEASURE; 1309 break; 1310 case Opt_dont_measure: 1311 ima_log_string(ab, "action", "dont_measure"); 1312 1313 if (entry->action != UNKNOWN) 1314 result = -EINVAL; 1315 1316 entry->action = DONT_MEASURE; 1317 break; 1318 case Opt_appraise: 1319 ima_log_string(ab, "action", "appraise"); 1320 1321 if (entry->action != UNKNOWN) 1322 result = -EINVAL; 1323 1324 entry->action = APPRAISE; 1325 break; 1326 case Opt_dont_appraise: 1327 ima_log_string(ab, "action", "dont_appraise"); 1328 1329 if (entry->action != UNKNOWN) 1330 result = -EINVAL; 1331 1332 entry->action = DONT_APPRAISE; 1333 break; 1334 case Opt_audit: 1335 ima_log_string(ab, "action", "audit"); 1336 1337 if (entry->action != UNKNOWN) 1338 result = -EINVAL; 1339 1340 entry->action = AUDIT; 1341 break; 1342 case Opt_hash: 1343 ima_log_string(ab, "action", "hash"); 1344 1345 if (entry->action != UNKNOWN) 1346 result = -EINVAL; 1347 1348 entry->action = HASH; 1349 break; 1350 case Opt_dont_hash: 1351 ima_log_string(ab, "action", "dont_hash"); 1352 1353 if (entry->action != UNKNOWN) 1354 result = -EINVAL; 1355 1356 entry->action = DONT_HASH; 1357 break; 1358 case Opt_func: 1359 ima_log_string(ab, "func", args[0].from); 1360 1361 if (entry->func) 1362 result = -EINVAL; 1363 1364 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1365 entry->func = FILE_CHECK; 1366 /* PATH_CHECK is for backwards compat */ 1367 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1368 entry->func = FILE_CHECK; 1369 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1370 entry->func = MODULE_CHECK; 1371 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1372 entry->func = FIRMWARE_CHECK; 1373 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1374 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1375 entry->func = MMAP_CHECK; 1376 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1377 entry->func = BPRM_CHECK; 1378 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1379 entry->func = CREDS_CHECK; 1380 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1381 0) 1382 entry->func = KEXEC_KERNEL_CHECK; 1383 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1384 == 0) 1385 entry->func = KEXEC_INITRAMFS_CHECK; 1386 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1387 entry->func = POLICY_CHECK; 1388 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1389 entry->func = KEXEC_CMDLINE; 1390 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1391 strcmp(args[0].from, "KEY_CHECK") == 0) 1392 entry->func = KEY_CHECK; 1393 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1394 entry->func = CRITICAL_DATA; 1395 else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0) 1396 entry->func = SETXATTR_CHECK; 1397 else 1398 result = -EINVAL; 1399 if (!result) 1400 entry->flags |= IMA_FUNC; 1401 break; 1402 case Opt_mask: 1403 ima_log_string(ab, "mask", args[0].from); 1404 1405 if (entry->mask) 1406 result = -EINVAL; 1407 1408 from = args[0].from; 1409 if (*from == '^') 1410 from++; 1411 1412 if ((strcmp(from, "MAY_EXEC")) == 0) 1413 entry->mask = MAY_EXEC; 1414 else if (strcmp(from, "MAY_WRITE") == 0) 1415 entry->mask = MAY_WRITE; 1416 else if (strcmp(from, "MAY_READ") == 0) 1417 entry->mask = MAY_READ; 1418 else if (strcmp(from, "MAY_APPEND") == 0) 1419 entry->mask = MAY_APPEND; 1420 else 1421 result = -EINVAL; 1422 if (!result) 1423 entry->flags |= (*args[0].from == '^') 1424 ? IMA_INMASK : IMA_MASK; 1425 break; 1426 case Opt_fsmagic: 1427 ima_log_string(ab, "fsmagic", args[0].from); 1428 1429 if (entry->fsmagic) { 1430 result = -EINVAL; 1431 break; 1432 } 1433 1434 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1435 if (!result) 1436 entry->flags |= IMA_FSMAGIC; 1437 break; 1438 case Opt_fsname: 1439 ima_log_string(ab, "fsname", args[0].from); 1440 1441 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1442 if (!entry->fsname) { 1443 result = -ENOMEM; 1444 break; 1445 } 1446 result = 0; 1447 entry->flags |= IMA_FSNAME; 1448 break; 1449 case Opt_keyrings: 1450 ima_log_string(ab, "keyrings", args[0].from); 1451 1452 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1453 entry->keyrings) { 1454 result = -EINVAL; 1455 break; 1456 } 1457 1458 entry->keyrings = ima_alloc_rule_opt_list(args); 1459 if (IS_ERR(entry->keyrings)) { 1460 result = PTR_ERR(entry->keyrings); 1461 entry->keyrings = NULL; 1462 break; 1463 } 1464 1465 entry->flags |= IMA_KEYRINGS; 1466 break; 1467 case Opt_label: 1468 ima_log_string(ab, "label", args[0].from); 1469 1470 if (entry->label) { 1471 result = -EINVAL; 1472 break; 1473 } 1474 1475 entry->label = ima_alloc_rule_opt_list(args); 1476 if (IS_ERR(entry->label)) { 1477 result = PTR_ERR(entry->label); 1478 entry->label = NULL; 1479 break; 1480 } 1481 1482 entry->flags |= IMA_LABEL; 1483 break; 1484 case Opt_fsuuid: 1485 ima_log_string(ab, "fsuuid", args[0].from); 1486 1487 if (!uuid_is_null(&entry->fsuuid)) { 1488 result = -EINVAL; 1489 break; 1490 } 1491 1492 result = uuid_parse(args[0].from, &entry->fsuuid); 1493 if (!result) 1494 entry->flags |= IMA_FSUUID; 1495 break; 1496 case Opt_uid_gt: 1497 case Opt_euid_gt: 1498 entry->uid_op = &uid_gt; 1499 fallthrough; 1500 case Opt_uid_lt: 1501 case Opt_euid_lt: 1502 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1503 entry->uid_op = &uid_lt; 1504 fallthrough; 1505 case Opt_uid_eq: 1506 case Opt_euid_eq: 1507 uid_token = (token == Opt_uid_eq) || 1508 (token == Opt_uid_gt) || 1509 (token == Opt_uid_lt); 1510 1511 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1512 args[0].from, entry->uid_op); 1513 1514 if (uid_valid(entry->uid)) { 1515 result = -EINVAL; 1516 break; 1517 } 1518 1519 result = kstrtoul(args[0].from, 10, &lnum); 1520 if (!result) { 1521 entry->uid = make_kuid(current_user_ns(), 1522 (uid_t) lnum); 1523 if (!uid_valid(entry->uid) || 1524 (uid_t)lnum != lnum) 1525 result = -EINVAL; 1526 else 1527 entry->flags |= uid_token 1528 ? IMA_UID : IMA_EUID; 1529 } 1530 break; 1531 case Opt_fowner_gt: 1532 entry->fowner_op = &uid_gt; 1533 fallthrough; 1534 case Opt_fowner_lt: 1535 if (token == Opt_fowner_lt) 1536 entry->fowner_op = &uid_lt; 1537 fallthrough; 1538 case Opt_fowner_eq: 1539 ima_log_string_op(ab, "fowner", args[0].from, 1540 entry->fowner_op); 1541 1542 if (uid_valid(entry->fowner)) { 1543 result = -EINVAL; 1544 break; 1545 } 1546 1547 result = kstrtoul(args[0].from, 10, &lnum); 1548 if (!result) { 1549 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1550 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1551 result = -EINVAL; 1552 else 1553 entry->flags |= IMA_FOWNER; 1554 } 1555 break; 1556 case Opt_obj_user: 1557 ima_log_string(ab, "obj_user", args[0].from); 1558 result = ima_lsm_rule_init(entry, args, 1559 LSM_OBJ_USER, 1560 AUDIT_OBJ_USER); 1561 break; 1562 case Opt_obj_role: 1563 ima_log_string(ab, "obj_role", args[0].from); 1564 result = ima_lsm_rule_init(entry, args, 1565 LSM_OBJ_ROLE, 1566 AUDIT_OBJ_ROLE); 1567 break; 1568 case Opt_obj_type: 1569 ima_log_string(ab, "obj_type", args[0].from); 1570 result = ima_lsm_rule_init(entry, args, 1571 LSM_OBJ_TYPE, 1572 AUDIT_OBJ_TYPE); 1573 break; 1574 case Opt_subj_user: 1575 ima_log_string(ab, "subj_user", args[0].from); 1576 result = ima_lsm_rule_init(entry, args, 1577 LSM_SUBJ_USER, 1578 AUDIT_SUBJ_USER); 1579 break; 1580 case Opt_subj_role: 1581 ima_log_string(ab, "subj_role", args[0].from); 1582 result = ima_lsm_rule_init(entry, args, 1583 LSM_SUBJ_ROLE, 1584 AUDIT_SUBJ_ROLE); 1585 break; 1586 case Opt_subj_type: 1587 ima_log_string(ab, "subj_type", args[0].from); 1588 result = ima_lsm_rule_init(entry, args, 1589 LSM_SUBJ_TYPE, 1590 AUDIT_SUBJ_TYPE); 1591 break; 1592 case Opt_appraise_type: 1593 ima_log_string(ab, "appraise_type", args[0].from); 1594 if ((strcmp(args[0].from, "imasig")) == 0) 1595 entry->flags |= IMA_DIGSIG_REQUIRED; 1596 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1597 strcmp(args[0].from, "imasig|modsig") == 0) 1598 entry->flags |= IMA_DIGSIG_REQUIRED | 1599 IMA_MODSIG_ALLOWED; 1600 else 1601 result = -EINVAL; 1602 break; 1603 case Opt_appraise_flag: 1604 ima_log_string(ab, "appraise_flag", args[0].from); 1605 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1606 strstr(args[0].from, "blacklist")) 1607 entry->flags |= IMA_CHECK_BLACKLIST; 1608 else 1609 result = -EINVAL; 1610 break; 1611 case Opt_appraise_algos: 1612 ima_log_string(ab, "appraise_algos", args[0].from); 1613 1614 if (entry->allowed_algos) { 1615 result = -EINVAL; 1616 break; 1617 } 1618 1619 entry->allowed_algos = 1620 ima_parse_appraise_algos(args[0].from); 1621 /* invalid or empty list of algorithms */ 1622 if (!entry->allowed_algos) { 1623 result = -EINVAL; 1624 break; 1625 } 1626 1627 entry->flags |= IMA_VALIDATE_ALGOS; 1628 1629 break; 1630 case Opt_permit_directio: 1631 entry->flags |= IMA_PERMIT_DIRECTIO; 1632 break; 1633 case Opt_pcr: 1634 ima_log_string(ab, "pcr", args[0].from); 1635 1636 result = kstrtoint(args[0].from, 10, &entry->pcr); 1637 if (result || INVALID_PCR(entry->pcr)) 1638 result = -EINVAL; 1639 else 1640 entry->flags |= IMA_PCR; 1641 1642 break; 1643 case Opt_template: 1644 ima_log_string(ab, "template", args[0].from); 1645 if (entry->action != MEASURE) { 1646 result = -EINVAL; 1647 break; 1648 } 1649 template_desc = lookup_template_desc(args[0].from); 1650 if (!template_desc || entry->template) { 1651 result = -EINVAL; 1652 break; 1653 } 1654 1655 /* 1656 * template_desc_init_fields() does nothing if 1657 * the template is already initialised, so 1658 * it's safe to do this unconditionally 1659 */ 1660 template_desc_init_fields(template_desc->fmt, 1661 &(template_desc->fields), 1662 &(template_desc->num_fields)); 1663 entry->template = template_desc; 1664 break; 1665 case Opt_err: 1666 ima_log_string(ab, "UNKNOWN", p); 1667 result = -EINVAL; 1668 break; 1669 } 1670 } 1671 if (!result && !ima_validate_rule(entry)) 1672 result = -EINVAL; 1673 else if (entry->action == APPRAISE) 1674 temp_ima_appraise |= ima_appraise_flag(entry->func); 1675 1676 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1677 template_desc = entry->template ? entry->template : 1678 ima_template_desc_current(); 1679 check_template_modsig(template_desc); 1680 } 1681 1682 audit_log_format(ab, "res=%d", !result); 1683 audit_log_end(ab); 1684 return result; 1685 } 1686 1687 /** 1688 * ima_parse_add_rule - add a rule to ima_policy_rules 1689 * @rule - ima measurement policy rule 1690 * 1691 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1692 * Returns the length of the rule parsed, an error code on failure 1693 */ 1694 ssize_t ima_parse_add_rule(char *rule) 1695 { 1696 static const char op[] = "update_policy"; 1697 char *p; 1698 struct ima_rule_entry *entry; 1699 ssize_t result, len; 1700 int audit_info = 0; 1701 1702 p = strsep(&rule, "\n"); 1703 len = strlen(p) + 1; 1704 p += strspn(p, " \t"); 1705 1706 if (*p == '#' || *p == '\0') 1707 return len; 1708 1709 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1710 if (!entry) { 1711 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1712 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1713 return -ENOMEM; 1714 } 1715 1716 INIT_LIST_HEAD(&entry->list); 1717 1718 result = ima_parse_rule(p, entry); 1719 if (result) { 1720 ima_free_rule(entry); 1721 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1722 NULL, op, "invalid-policy", result, 1723 audit_info); 1724 return result; 1725 } 1726 1727 list_add_tail(&entry->list, &ima_temp_rules); 1728 1729 return len; 1730 } 1731 1732 /** 1733 * ima_delete_rules() called to cleanup invalid in-flight policy. 1734 * We don't need locking as we operate on the temp list, which is 1735 * different from the active one. There is also only one user of 1736 * ima_delete_rules() at a time. 1737 */ 1738 void ima_delete_rules(void) 1739 { 1740 struct ima_rule_entry *entry, *tmp; 1741 1742 temp_ima_appraise = 0; 1743 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1744 list_del(&entry->list); 1745 ima_free_rule(entry); 1746 } 1747 } 1748 1749 #define __ima_hook_stringify(func, str) (#func), 1750 1751 const char *const func_tokens[] = { 1752 __ima_hooks(__ima_hook_stringify) 1753 }; 1754 1755 #ifdef CONFIG_IMA_READ_POLICY 1756 enum { 1757 mask_exec = 0, mask_write, mask_read, mask_append 1758 }; 1759 1760 static const char *const mask_tokens[] = { 1761 "^MAY_EXEC", 1762 "^MAY_WRITE", 1763 "^MAY_READ", 1764 "^MAY_APPEND" 1765 }; 1766 1767 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1768 { 1769 loff_t l = *pos; 1770 struct ima_rule_entry *entry; 1771 1772 rcu_read_lock(); 1773 list_for_each_entry_rcu(entry, ima_rules, list) { 1774 if (!l--) { 1775 rcu_read_unlock(); 1776 return entry; 1777 } 1778 } 1779 rcu_read_unlock(); 1780 return NULL; 1781 } 1782 1783 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1784 { 1785 struct ima_rule_entry *entry = v; 1786 1787 rcu_read_lock(); 1788 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1789 rcu_read_unlock(); 1790 (*pos)++; 1791 1792 return (&entry->list == ima_rules) ? NULL : entry; 1793 } 1794 1795 void ima_policy_stop(struct seq_file *m, void *v) 1796 { 1797 } 1798 1799 #define pt(token) policy_tokens[token].pattern 1800 #define mt(token) mask_tokens[token] 1801 1802 /* 1803 * policy_func_show - display the ima_hooks policy rule 1804 */ 1805 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1806 { 1807 if (func > 0 && func < MAX_CHECK) 1808 seq_printf(m, "func=%s ", func_tokens[func]); 1809 else 1810 seq_printf(m, "func=%d ", func); 1811 } 1812 1813 static void ima_show_rule_opt_list(struct seq_file *m, 1814 const struct ima_rule_opt_list *opt_list) 1815 { 1816 size_t i; 1817 1818 for (i = 0; i < opt_list->count; i++) 1819 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 1820 } 1821 1822 static void ima_policy_show_appraise_algos(struct seq_file *m, 1823 unsigned int allowed_hashes) 1824 { 1825 int idx, list_size = 0; 1826 1827 for (idx = 0; idx < HASH_ALGO__LAST; idx++) { 1828 if (!(allowed_hashes & (1U << idx))) 1829 continue; 1830 1831 /* only add commas if the list contains multiple entries */ 1832 if (list_size++) 1833 seq_puts(m, ","); 1834 1835 seq_puts(m, hash_algo_name[idx]); 1836 } 1837 } 1838 1839 int ima_policy_show(struct seq_file *m, void *v) 1840 { 1841 struct ima_rule_entry *entry = v; 1842 int i; 1843 char tbuf[64] = {0,}; 1844 int offset = 0; 1845 1846 rcu_read_lock(); 1847 1848 if (entry->action & MEASURE) 1849 seq_puts(m, pt(Opt_measure)); 1850 if (entry->action & DONT_MEASURE) 1851 seq_puts(m, pt(Opt_dont_measure)); 1852 if (entry->action & APPRAISE) 1853 seq_puts(m, pt(Opt_appraise)); 1854 if (entry->action & DONT_APPRAISE) 1855 seq_puts(m, pt(Opt_dont_appraise)); 1856 if (entry->action & AUDIT) 1857 seq_puts(m, pt(Opt_audit)); 1858 if (entry->action & HASH) 1859 seq_puts(m, pt(Opt_hash)); 1860 if (entry->action & DONT_HASH) 1861 seq_puts(m, pt(Opt_dont_hash)); 1862 1863 seq_puts(m, " "); 1864 1865 if (entry->flags & IMA_FUNC) 1866 policy_func_show(m, entry->func); 1867 1868 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1869 if (entry->flags & IMA_MASK) 1870 offset = 1; 1871 if (entry->mask & MAY_EXEC) 1872 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1873 if (entry->mask & MAY_WRITE) 1874 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1875 if (entry->mask & MAY_READ) 1876 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1877 if (entry->mask & MAY_APPEND) 1878 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1879 seq_puts(m, " "); 1880 } 1881 1882 if (entry->flags & IMA_FSMAGIC) { 1883 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1884 seq_printf(m, pt(Opt_fsmagic), tbuf); 1885 seq_puts(m, " "); 1886 } 1887 1888 if (entry->flags & IMA_FSNAME) { 1889 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1890 seq_printf(m, pt(Opt_fsname), tbuf); 1891 seq_puts(m, " "); 1892 } 1893 1894 if (entry->flags & IMA_KEYRINGS) { 1895 seq_puts(m, "keyrings="); 1896 ima_show_rule_opt_list(m, entry->keyrings); 1897 seq_puts(m, " "); 1898 } 1899 1900 if (entry->flags & IMA_LABEL) { 1901 seq_puts(m, "label="); 1902 ima_show_rule_opt_list(m, entry->label); 1903 seq_puts(m, " "); 1904 } 1905 1906 if (entry->flags & IMA_PCR) { 1907 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1908 seq_printf(m, pt(Opt_pcr), tbuf); 1909 seq_puts(m, " "); 1910 } 1911 1912 if (entry->flags & IMA_FSUUID) { 1913 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1914 seq_puts(m, " "); 1915 } 1916 1917 if (entry->flags & IMA_UID) { 1918 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1919 if (entry->uid_op == &uid_gt) 1920 seq_printf(m, pt(Opt_uid_gt), tbuf); 1921 else if (entry->uid_op == &uid_lt) 1922 seq_printf(m, pt(Opt_uid_lt), tbuf); 1923 else 1924 seq_printf(m, pt(Opt_uid_eq), tbuf); 1925 seq_puts(m, " "); 1926 } 1927 1928 if (entry->flags & IMA_EUID) { 1929 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1930 if (entry->uid_op == &uid_gt) 1931 seq_printf(m, pt(Opt_euid_gt), tbuf); 1932 else if (entry->uid_op == &uid_lt) 1933 seq_printf(m, pt(Opt_euid_lt), tbuf); 1934 else 1935 seq_printf(m, pt(Opt_euid_eq), tbuf); 1936 seq_puts(m, " "); 1937 } 1938 1939 if (entry->flags & IMA_FOWNER) { 1940 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1941 if (entry->fowner_op == &uid_gt) 1942 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1943 else if (entry->fowner_op == &uid_lt) 1944 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1945 else 1946 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1947 seq_puts(m, " "); 1948 } 1949 1950 if (entry->flags & IMA_VALIDATE_ALGOS) { 1951 seq_puts(m, "appraise_algos="); 1952 ima_policy_show_appraise_algos(m, entry->allowed_algos); 1953 seq_puts(m, " "); 1954 } 1955 1956 for (i = 0; i < MAX_LSM_RULES; i++) { 1957 if (entry->lsm[i].rule) { 1958 switch (i) { 1959 case LSM_OBJ_USER: 1960 seq_printf(m, pt(Opt_obj_user), 1961 entry->lsm[i].args_p); 1962 break; 1963 case LSM_OBJ_ROLE: 1964 seq_printf(m, pt(Opt_obj_role), 1965 entry->lsm[i].args_p); 1966 break; 1967 case LSM_OBJ_TYPE: 1968 seq_printf(m, pt(Opt_obj_type), 1969 entry->lsm[i].args_p); 1970 break; 1971 case LSM_SUBJ_USER: 1972 seq_printf(m, pt(Opt_subj_user), 1973 entry->lsm[i].args_p); 1974 break; 1975 case LSM_SUBJ_ROLE: 1976 seq_printf(m, pt(Opt_subj_role), 1977 entry->lsm[i].args_p); 1978 break; 1979 case LSM_SUBJ_TYPE: 1980 seq_printf(m, pt(Opt_subj_type), 1981 entry->lsm[i].args_p); 1982 break; 1983 } 1984 seq_puts(m, " "); 1985 } 1986 } 1987 if (entry->template) 1988 seq_printf(m, "template=%s ", entry->template->name); 1989 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1990 if (entry->flags & IMA_MODSIG_ALLOWED) 1991 seq_puts(m, "appraise_type=imasig|modsig "); 1992 else 1993 seq_puts(m, "appraise_type=imasig "); 1994 } 1995 if (entry->flags & IMA_CHECK_BLACKLIST) 1996 seq_puts(m, "appraise_flag=check_blacklist "); 1997 if (entry->flags & IMA_PERMIT_DIRECTIO) 1998 seq_puts(m, "permit_directio "); 1999 rcu_read_unlock(); 2000 seq_puts(m, "\n"); 2001 return 0; 2002 } 2003 #endif /* CONFIG_IMA_READ_POLICY */ 2004 2005 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 2006 /* 2007 * ima_appraise_signature: whether IMA will appraise a given function using 2008 * an IMA digital signature. This is restricted to cases where the kernel 2009 * has a set of built-in trusted keys in order to avoid an attacker simply 2010 * loading additional keys. 2011 */ 2012 bool ima_appraise_signature(enum kernel_read_file_id id) 2013 { 2014 struct ima_rule_entry *entry; 2015 bool found = false; 2016 enum ima_hooks func; 2017 2018 if (id >= READING_MAX_ID) 2019 return false; 2020 2021 func = read_idmap[id] ?: FILE_CHECK; 2022 2023 rcu_read_lock(); 2024 list_for_each_entry_rcu(entry, ima_rules, list) { 2025 if (entry->action != APPRAISE) 2026 continue; 2027 2028 /* 2029 * A generic entry will match, but otherwise require that it 2030 * match the func we're looking for 2031 */ 2032 if (entry->func && entry->func != func) 2033 continue; 2034 2035 /* 2036 * We require this to be a digital signature, not a raw IMA 2037 * hash. 2038 */ 2039 if (entry->flags & IMA_DIGSIG_REQUIRED) 2040 found = true; 2041 2042 /* 2043 * We've found a rule that matches, so break now even if it 2044 * didn't require a digital signature - a later rule that does 2045 * won't override it, so would be a false positive. 2046 */ 2047 break; 2048 } 2049 2050 rcu_read_unlock(); 2051 return found; 2052 } 2053 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 2054