1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2008 IBM Corporation
4  * Author: Mimi Zohar <zohar@us.ibm.com>
5  *
6  * ima_policy.c
7  *	- initialize default measure policy rules
8  */
9 
10 #include <linux/init.h>
11 #include <linux/list.h>
12 #include <linux/fs.h>
13 #include <linux/security.h>
14 #include <linux/magic.h>
15 #include <linux/parser.h>
16 #include <linux/slab.h>
17 #include <linux/rculist.h>
18 #include <linux/genhd.h>
19 #include <linux/seq_file.h>
20 #include <linux/ima.h>
21 
22 #include "ima.h"
23 
24 /* flags definitions */
25 #define IMA_FUNC	0x0001
26 #define IMA_MASK	0x0002
27 #define IMA_FSMAGIC	0x0004
28 #define IMA_UID		0x0008
29 #define IMA_FOWNER	0x0010
30 #define IMA_FSUUID	0x0020
31 #define IMA_INMASK	0x0040
32 #define IMA_EUID	0x0080
33 #define IMA_PCR		0x0100
34 #define IMA_FSNAME	0x0200
35 #define IMA_KEYRINGS	0x0400
36 
37 #define UNKNOWN		0
38 #define MEASURE		0x0001	/* same as IMA_MEASURE */
39 #define DONT_MEASURE	0x0002
40 #define APPRAISE	0x0004	/* same as IMA_APPRAISE */
41 #define DONT_APPRAISE	0x0008
42 #define AUDIT		0x0040
43 #define HASH		0x0100
44 #define DONT_HASH	0x0200
45 
46 #define INVALID_PCR(a) (((a) < 0) || \
47 	(a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8))
48 
49 int ima_policy_flag;
50 static int temp_ima_appraise;
51 static int build_ima_appraise __ro_after_init;
52 
53 #define MAX_LSM_RULES 6
54 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
55 	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
56 };
57 
58 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
59 
60 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
61 
62 struct ima_rule_entry {
63 	struct list_head list;
64 	int action;
65 	unsigned int flags;
66 	enum ima_hooks func;
67 	int mask;
68 	unsigned long fsmagic;
69 	uuid_t fsuuid;
70 	kuid_t uid;
71 	kuid_t fowner;
72 	bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
73 	bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
74 	int pcr;
75 	struct {
76 		void *rule;	/* LSM file metadata specific */
77 		char *args_p;	/* audit value */
78 		int type;	/* audit type */
79 	} lsm[MAX_LSM_RULES];
80 	char *fsname;
81 	char *keyrings; /* Measure keys added to these keyrings */
82 	struct ima_template_desc *template;
83 };
84 
85 /*
86  * Without LSM specific knowledge, the default policy can only be
87  * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
88  */
89 
90 /*
91  * The minimum rule set to allow for full TCB coverage.  Measures all files
92  * opened or mmap for exec and everything read by root.  Dangerous because
93  * normal users can easily run the machine out of memory simply building
94  * and running executables.
95  */
96 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
97 	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
98 	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
99 	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
100 	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
101 	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
102 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
103 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
104 	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
105 	{.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
106 	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
107 	 .flags = IMA_FSMAGIC},
108 	{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
109 	 .flags = IMA_FSMAGIC},
110 	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
111 	{.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
112 };
113 
114 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
115 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
116 	 .flags = IMA_FUNC | IMA_MASK},
117 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
118 	 .flags = IMA_FUNC | IMA_MASK},
119 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
120 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
121 	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
122 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
123 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
124 };
125 
126 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
127 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
128 	 .flags = IMA_FUNC | IMA_MASK},
129 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
130 	 .flags = IMA_FUNC | IMA_MASK},
131 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
132 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
133 	 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
134 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
135 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
136 	 .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
137 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
138 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
139 	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
140 };
141 
142 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
143 	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
144 	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
145 	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
146 	{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
147 	{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
148 	{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
149 	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
150 	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
151 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
152 	{.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
153 	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
154 	{.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
155 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
156 	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
157 #ifdef CONFIG_IMA_WRITE_POLICY
158 	{.action = APPRAISE, .func = POLICY_CHECK,
159 	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
160 #endif
161 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
162 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
163 	 .flags = IMA_FOWNER},
164 #else
165 	/* force signature */
166 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
167 	 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
168 #endif
169 };
170 
171 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
173 	{.action = APPRAISE, .func = MODULE_CHECK,
174 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
175 #endif
176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
177 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
178 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
179 #endif
180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
181 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
182 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
183 #endif
184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
185 	{.action = APPRAISE, .func = POLICY_CHECK,
186 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
187 #endif
188 };
189 
190 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
191 	{.action = APPRAISE, .func = MODULE_CHECK,
192 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
193 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
194 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
195 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
196 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
197 	{.action = APPRAISE, .func = POLICY_CHECK,
198 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
199 };
200 
201 /* An array of architecture specific rules */
202 static struct ima_rule_entry *arch_policy_entry __ro_after_init;
203 
204 static LIST_HEAD(ima_default_rules);
205 static LIST_HEAD(ima_policy_rules);
206 static LIST_HEAD(ima_temp_rules);
207 static struct list_head *ima_rules = &ima_default_rules;
208 
209 /* Pre-allocated buffer used for matching keyrings. */
210 static char *ima_keyrings;
211 static size_t ima_keyrings_len;
212 
213 static int ima_policy __initdata;
214 
215 static int __init default_measure_policy_setup(char *str)
216 {
217 	if (ima_policy)
218 		return 1;
219 
220 	ima_policy = ORIGINAL_TCB;
221 	return 1;
222 }
223 __setup("ima_tcb", default_measure_policy_setup);
224 
225 static bool ima_use_appraise_tcb __initdata;
226 static bool ima_use_secure_boot __initdata;
227 static bool ima_fail_unverifiable_sigs __ro_after_init;
228 static int __init policy_setup(char *str)
229 {
230 	char *p;
231 
232 	while ((p = strsep(&str, " |\n")) != NULL) {
233 		if (*p == ' ')
234 			continue;
235 		if ((strcmp(p, "tcb") == 0) && !ima_policy)
236 			ima_policy = DEFAULT_TCB;
237 		else if (strcmp(p, "appraise_tcb") == 0)
238 			ima_use_appraise_tcb = true;
239 		else if (strcmp(p, "secure_boot") == 0)
240 			ima_use_secure_boot = true;
241 		else if (strcmp(p, "fail_securely") == 0)
242 			ima_fail_unverifiable_sigs = true;
243 	}
244 
245 	return 1;
246 }
247 __setup("ima_policy=", policy_setup);
248 
249 static int __init default_appraise_policy_setup(char *str)
250 {
251 	ima_use_appraise_tcb = true;
252 	return 1;
253 }
254 __setup("ima_appraise_tcb", default_appraise_policy_setup);
255 
256 static void ima_lsm_free_rule(struct ima_rule_entry *entry)
257 {
258 	int i;
259 
260 	for (i = 0; i < MAX_LSM_RULES; i++) {
261 		ima_filter_rule_free(entry->lsm[i].rule);
262 		kfree(entry->lsm[i].args_p);
263 	}
264 }
265 
266 static void ima_free_rule(struct ima_rule_entry *entry)
267 {
268 	if (!entry)
269 		return;
270 
271 	/*
272 	 * entry->template->fields may be allocated in ima_parse_rule() but that
273 	 * reference is owned by the corresponding ima_template_desc element in
274 	 * the defined_templates list and cannot be freed here
275 	 */
276 	kfree(entry->fsname);
277 	kfree(entry->keyrings);
278 	ima_lsm_free_rule(entry);
279 	kfree(entry);
280 }
281 
282 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
283 {
284 	struct ima_rule_entry *nentry;
285 	int i;
286 
287 	nentry = kmalloc(sizeof(*nentry), GFP_KERNEL);
288 	if (!nentry)
289 		return NULL;
290 
291 	/*
292 	 * Immutable elements are copied over as pointers and data; only
293 	 * lsm rules can change
294 	 */
295 	memcpy(nentry, entry, sizeof(*nentry));
296 	memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm));
297 
298 	for (i = 0; i < MAX_LSM_RULES; i++) {
299 		if (!entry->lsm[i].args_p)
300 			continue;
301 
302 		nentry->lsm[i].type = entry->lsm[i].type;
303 		nentry->lsm[i].args_p = entry->lsm[i].args_p;
304 		/*
305 		 * Remove the reference from entry so that the associated
306 		 * memory will not be freed during a later call to
307 		 * ima_lsm_free_rule(entry).
308 		 */
309 		entry->lsm[i].args_p = NULL;
310 
311 		ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
312 				     nentry->lsm[i].args_p,
313 				     &nentry->lsm[i].rule);
314 		if (!nentry->lsm[i].rule)
315 			pr_warn("rule for LSM \'%s\' is undefined\n",
316 				nentry->lsm[i].args_p);
317 	}
318 	return nentry;
319 }
320 
321 static int ima_lsm_update_rule(struct ima_rule_entry *entry)
322 {
323 	struct ima_rule_entry *nentry;
324 
325 	nentry = ima_lsm_copy_rule(entry);
326 	if (!nentry)
327 		return -ENOMEM;
328 
329 	list_replace_rcu(&entry->list, &nentry->list);
330 	synchronize_rcu();
331 	/*
332 	 * ima_lsm_copy_rule() shallow copied all references, except for the
333 	 * LSM references, from entry to nentry so we only want to free the LSM
334 	 * references and the entry itself. All other memory refrences will now
335 	 * be owned by nentry.
336 	 */
337 	ima_lsm_free_rule(entry);
338 	kfree(entry);
339 
340 	return 0;
341 }
342 
343 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
344 {
345 	int i;
346 
347 	for (i = 0; i < MAX_LSM_RULES; i++)
348 		if (entry->lsm[i].args_p)
349 			return true;
350 
351 	return false;
352 }
353 
354 /*
355  * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
356  * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
357  * the reloaded LSM policy.
358  */
359 static void ima_lsm_update_rules(void)
360 {
361 	struct ima_rule_entry *entry, *e;
362 	int result;
363 
364 	list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
365 		if (!ima_rule_contains_lsm_cond(entry))
366 			continue;
367 
368 		result = ima_lsm_update_rule(entry);
369 		if (result) {
370 			pr_err("lsm rule update error %d\n", result);
371 			return;
372 		}
373 	}
374 }
375 
376 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
377 			  void *lsm_data)
378 {
379 	if (event != LSM_POLICY_CHANGE)
380 		return NOTIFY_DONE;
381 
382 	ima_lsm_update_rules();
383 	return NOTIFY_OK;
384 }
385 
386 /**
387  * ima_match_keyring - determine whether the keyring matches the measure rule
388  * @rule: a pointer to a rule
389  * @keyring: name of the keyring to match against the measure rule
390  * @cred: a pointer to a credentials structure for user validation
391  *
392  * Returns true if keyring matches one in the rule, false otherwise.
393  */
394 static bool ima_match_keyring(struct ima_rule_entry *rule,
395 			      const char *keyring, const struct cred *cred)
396 {
397 	char *next_keyring, *keyrings_ptr;
398 	bool matched = false;
399 
400 	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
401 		return false;
402 
403 	if (!rule->keyrings)
404 		return true;
405 
406 	if (!keyring)
407 		return false;
408 
409 	strcpy(ima_keyrings, rule->keyrings);
410 
411 	/*
412 	 * "keyrings=" is specified in the policy in the format below:
413 	 * keyrings=.builtin_trusted_keys|.ima|.evm
414 	 */
415 	keyrings_ptr = ima_keyrings;
416 	while ((next_keyring = strsep(&keyrings_ptr, "|")) != NULL) {
417 		if (!strcmp(next_keyring, keyring)) {
418 			matched = true;
419 			break;
420 		}
421 	}
422 
423 	return matched;
424 }
425 
426 /**
427  * ima_match_rules - determine whether an inode matches the policy rule.
428  * @rule: a pointer to a rule
429  * @inode: a pointer to an inode
430  * @cred: a pointer to a credentials structure for user validation
431  * @secid: the secid of the task to be validated
432  * @func: LIM hook identifier
433  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
434  * @keyring: keyring name to check in policy for KEY_CHECK func
435  *
436  * Returns true on rule match, false on failure.
437  */
438 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
439 			    const struct cred *cred, u32 secid,
440 			    enum ima_hooks func, int mask,
441 			    const char *keyring)
442 {
443 	int i;
444 
445 	if (func == KEY_CHECK) {
446 		return (rule->flags & IMA_FUNC) && (rule->func == func) &&
447 		       ima_match_keyring(rule, keyring, cred);
448 	}
449 	if ((rule->flags & IMA_FUNC) &&
450 	    (rule->func != func && func != POST_SETATTR))
451 		return false;
452 	if ((rule->flags & IMA_MASK) &&
453 	    (rule->mask != mask && func != POST_SETATTR))
454 		return false;
455 	if ((rule->flags & IMA_INMASK) &&
456 	    (!(rule->mask & mask) && func != POST_SETATTR))
457 		return false;
458 	if ((rule->flags & IMA_FSMAGIC)
459 	    && rule->fsmagic != inode->i_sb->s_magic)
460 		return false;
461 	if ((rule->flags & IMA_FSNAME)
462 	    && strcmp(rule->fsname, inode->i_sb->s_type->name))
463 		return false;
464 	if ((rule->flags & IMA_FSUUID) &&
465 	    !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
466 		return false;
467 	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
468 		return false;
469 	if (rule->flags & IMA_EUID) {
470 		if (has_capability_noaudit(current, CAP_SETUID)) {
471 			if (!rule->uid_op(cred->euid, rule->uid)
472 			    && !rule->uid_op(cred->suid, rule->uid)
473 			    && !rule->uid_op(cred->uid, rule->uid))
474 				return false;
475 		} else if (!rule->uid_op(cred->euid, rule->uid))
476 			return false;
477 	}
478 
479 	if ((rule->flags & IMA_FOWNER) &&
480 	    !rule->fowner_op(inode->i_uid, rule->fowner))
481 		return false;
482 	for (i = 0; i < MAX_LSM_RULES; i++) {
483 		int rc = 0;
484 		u32 osid;
485 
486 		if (!rule->lsm[i].rule) {
487 			if (!rule->lsm[i].args_p)
488 				continue;
489 			else
490 				return false;
491 		}
492 		switch (i) {
493 		case LSM_OBJ_USER:
494 		case LSM_OBJ_ROLE:
495 		case LSM_OBJ_TYPE:
496 			security_inode_getsecid(inode, &osid);
497 			rc = ima_filter_rule_match(osid, rule->lsm[i].type,
498 						   Audit_equal,
499 						   rule->lsm[i].rule);
500 			break;
501 		case LSM_SUBJ_USER:
502 		case LSM_SUBJ_ROLE:
503 		case LSM_SUBJ_TYPE:
504 			rc = ima_filter_rule_match(secid, rule->lsm[i].type,
505 						   Audit_equal,
506 						   rule->lsm[i].rule);
507 		default:
508 			break;
509 		}
510 		if (!rc)
511 			return false;
512 	}
513 	return true;
514 }
515 
516 /*
517  * In addition to knowing that we need to appraise the file in general,
518  * we need to differentiate between calling hooks, for hook specific rules.
519  */
520 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
521 {
522 	if (!(rule->flags & IMA_FUNC))
523 		return IMA_FILE_APPRAISE;
524 
525 	switch (func) {
526 	case MMAP_CHECK:
527 		return IMA_MMAP_APPRAISE;
528 	case BPRM_CHECK:
529 		return IMA_BPRM_APPRAISE;
530 	case CREDS_CHECK:
531 		return IMA_CREDS_APPRAISE;
532 	case FILE_CHECK:
533 	case POST_SETATTR:
534 		return IMA_FILE_APPRAISE;
535 	case MODULE_CHECK ... MAX_CHECK - 1:
536 	default:
537 		return IMA_READ_APPRAISE;
538 	}
539 }
540 
541 /**
542  * ima_match_policy - decision based on LSM and other conditions
543  * @inode: pointer to an inode for which the policy decision is being made
544  * @cred: pointer to a credentials structure for which the policy decision is
545  *        being made
546  * @secid: LSM secid of the task to be validated
547  * @func: IMA hook identifier
548  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
549  * @pcr: set the pcr to extend
550  * @template_desc: the template that should be used for this rule
551  * @keyring: the keyring name, if given, to be used to check in the policy.
552  *           keyring can be NULL if func is anything other than KEY_CHECK.
553  *
554  * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
555  * conditions.
556  *
557  * Since the IMA policy may be updated multiple times we need to lock the
558  * list when walking it.  Reads are many orders of magnitude more numerous
559  * than writes so ima_match_policy() is classical RCU candidate.
560  */
561 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
562 		     enum ima_hooks func, int mask, int flags, int *pcr,
563 		     struct ima_template_desc **template_desc,
564 		     const char *keyring)
565 {
566 	struct ima_rule_entry *entry;
567 	int action = 0, actmask = flags | (flags << 1);
568 
569 	if (template_desc)
570 		*template_desc = ima_template_desc_current();
571 
572 	rcu_read_lock();
573 	list_for_each_entry_rcu(entry, ima_rules, list) {
574 
575 		if (!(entry->action & actmask))
576 			continue;
577 
578 		if (!ima_match_rules(entry, inode, cred, secid, func, mask,
579 				     keyring))
580 			continue;
581 
582 		action |= entry->flags & IMA_ACTION_FLAGS;
583 
584 		action |= entry->action & IMA_DO_MASK;
585 		if (entry->action & IMA_APPRAISE) {
586 			action |= get_subaction(entry, func);
587 			action &= ~IMA_HASH;
588 			if (ima_fail_unverifiable_sigs)
589 				action |= IMA_FAIL_UNVERIFIABLE_SIGS;
590 		}
591 
592 
593 		if (entry->action & IMA_DO_MASK)
594 			actmask &= ~(entry->action | entry->action << 1);
595 		else
596 			actmask &= ~(entry->action | entry->action >> 1);
597 
598 		if ((pcr) && (entry->flags & IMA_PCR))
599 			*pcr = entry->pcr;
600 
601 		if (template_desc && entry->template)
602 			*template_desc = entry->template;
603 
604 		if (!actmask)
605 			break;
606 	}
607 	rcu_read_unlock();
608 
609 	return action;
610 }
611 
612 /*
613  * Initialize the ima_policy_flag variable based on the currently
614  * loaded policy.  Based on this flag, the decision to short circuit
615  * out of a function or not call the function in the first place
616  * can be made earlier.
617  */
618 void ima_update_policy_flag(void)
619 {
620 	struct ima_rule_entry *entry;
621 
622 	list_for_each_entry(entry, ima_rules, list) {
623 		if (entry->action & IMA_DO_MASK)
624 			ima_policy_flag |= entry->action;
625 	}
626 
627 	ima_appraise |= (build_ima_appraise | temp_ima_appraise);
628 	if (!ima_appraise)
629 		ima_policy_flag &= ~IMA_APPRAISE;
630 }
631 
632 static int ima_appraise_flag(enum ima_hooks func)
633 {
634 	if (func == MODULE_CHECK)
635 		return IMA_APPRAISE_MODULES;
636 	else if (func == FIRMWARE_CHECK)
637 		return IMA_APPRAISE_FIRMWARE;
638 	else if (func == POLICY_CHECK)
639 		return IMA_APPRAISE_POLICY;
640 	else if (func == KEXEC_KERNEL_CHECK)
641 		return IMA_APPRAISE_KEXEC;
642 	return 0;
643 }
644 
645 static void add_rules(struct ima_rule_entry *entries, int count,
646 		      enum policy_rule_list policy_rule)
647 {
648 	int i = 0;
649 
650 	for (i = 0; i < count; i++) {
651 		struct ima_rule_entry *entry;
652 
653 		if (policy_rule & IMA_DEFAULT_POLICY)
654 			list_add_tail(&entries[i].list, &ima_default_rules);
655 
656 		if (policy_rule & IMA_CUSTOM_POLICY) {
657 			entry = kmemdup(&entries[i], sizeof(*entry),
658 					GFP_KERNEL);
659 			if (!entry)
660 				continue;
661 
662 			list_add_tail(&entry->list, &ima_policy_rules);
663 		}
664 		if (entries[i].action == APPRAISE) {
665 			if (entries != build_appraise_rules)
666 				temp_ima_appraise |=
667 					ima_appraise_flag(entries[i].func);
668 			else
669 				build_ima_appraise |=
670 					ima_appraise_flag(entries[i].func);
671 		}
672 	}
673 }
674 
675 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
676 
677 static int __init ima_init_arch_policy(void)
678 {
679 	const char * const *arch_rules;
680 	const char * const *rules;
681 	int arch_entries = 0;
682 	int i = 0;
683 
684 	arch_rules = arch_get_ima_policy();
685 	if (!arch_rules)
686 		return arch_entries;
687 
688 	/* Get number of rules */
689 	for (rules = arch_rules; *rules != NULL; rules++)
690 		arch_entries++;
691 
692 	arch_policy_entry = kcalloc(arch_entries + 1,
693 				    sizeof(*arch_policy_entry), GFP_KERNEL);
694 	if (!arch_policy_entry)
695 		return 0;
696 
697 	/* Convert each policy string rules to struct ima_rule_entry format */
698 	for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
699 		char rule[255];
700 		int result;
701 
702 		result = strlcpy(rule, *rules, sizeof(rule));
703 
704 		INIT_LIST_HEAD(&arch_policy_entry[i].list);
705 		result = ima_parse_rule(rule, &arch_policy_entry[i]);
706 		if (result) {
707 			pr_warn("Skipping unknown architecture policy rule: %s\n",
708 				rule);
709 			memset(&arch_policy_entry[i], 0,
710 			       sizeof(*arch_policy_entry));
711 			continue;
712 		}
713 		i++;
714 	}
715 	return i;
716 }
717 
718 /**
719  * ima_init_policy - initialize the default measure rules.
720  *
721  * ima_rules points to either the ima_default_rules or the
722  * the new ima_policy_rules.
723  */
724 void __init ima_init_policy(void)
725 {
726 	int build_appraise_entries, arch_entries;
727 
728 	/* if !ima_policy, we load NO default rules */
729 	if (ima_policy)
730 		add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
731 			  IMA_DEFAULT_POLICY);
732 
733 	switch (ima_policy) {
734 	case ORIGINAL_TCB:
735 		add_rules(original_measurement_rules,
736 			  ARRAY_SIZE(original_measurement_rules),
737 			  IMA_DEFAULT_POLICY);
738 		break;
739 	case DEFAULT_TCB:
740 		add_rules(default_measurement_rules,
741 			  ARRAY_SIZE(default_measurement_rules),
742 			  IMA_DEFAULT_POLICY);
743 	default:
744 		break;
745 	}
746 
747 	/*
748 	 * Based on runtime secure boot flags, insert arch specific measurement
749 	 * and appraise rules requiring file signatures for both the initial
750 	 * and custom policies, prior to other appraise rules.
751 	 * (Highest priority)
752 	 */
753 	arch_entries = ima_init_arch_policy();
754 	if (!arch_entries)
755 		pr_info("No architecture policies found\n");
756 	else
757 		add_rules(arch_policy_entry, arch_entries,
758 			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
759 
760 	/*
761 	 * Insert the builtin "secure_boot" policy rules requiring file
762 	 * signatures, prior to other appraise rules.
763 	 */
764 	if (ima_use_secure_boot)
765 		add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
766 			  IMA_DEFAULT_POLICY);
767 
768 	/*
769 	 * Insert the build time appraise rules requiring file signatures
770 	 * for both the initial and custom policies, prior to other appraise
771 	 * rules. As the secure boot rules includes all of the build time
772 	 * rules, include either one or the other set of rules, but not both.
773 	 */
774 	build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
775 	if (build_appraise_entries) {
776 		if (ima_use_secure_boot)
777 			add_rules(build_appraise_rules, build_appraise_entries,
778 				  IMA_CUSTOM_POLICY);
779 		else
780 			add_rules(build_appraise_rules, build_appraise_entries,
781 				  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
782 	}
783 
784 	if (ima_use_appraise_tcb)
785 		add_rules(default_appraise_rules,
786 			  ARRAY_SIZE(default_appraise_rules),
787 			  IMA_DEFAULT_POLICY);
788 
789 	ima_update_policy_flag();
790 }
791 
792 /* Make sure we have a valid policy, at least containing some rules. */
793 int ima_check_policy(void)
794 {
795 	if (list_empty(&ima_temp_rules))
796 		return -EINVAL;
797 	return 0;
798 }
799 
800 /**
801  * ima_update_policy - update default_rules with new measure rules
802  *
803  * Called on file .release to update the default rules with a complete new
804  * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
805  * they make a queue.  The policy may be updated multiple times and this is the
806  * RCU updater.
807  *
808  * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
809  * we switch from the default policy to user defined.
810  */
811 void ima_update_policy(void)
812 {
813 	struct list_head *policy = &ima_policy_rules;
814 
815 	list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
816 
817 	if (ima_rules != policy) {
818 		ima_policy_flag = 0;
819 		ima_rules = policy;
820 
821 		/*
822 		 * IMA architecture specific policy rules are specified
823 		 * as strings and converted to an array of ima_entry_rules
824 		 * on boot.  After loading a custom policy, free the
825 		 * architecture specific rules stored as an array.
826 		 */
827 		kfree(arch_policy_entry);
828 	}
829 	ima_update_policy_flag();
830 
831 	/* Custom IMA policy has been loaded */
832 	ima_process_queued_keys();
833 }
834 
835 /* Keep the enumeration in sync with the policy_tokens! */
836 enum {
837 	Opt_measure, Opt_dont_measure,
838 	Opt_appraise, Opt_dont_appraise,
839 	Opt_audit, Opt_hash, Opt_dont_hash,
840 	Opt_obj_user, Opt_obj_role, Opt_obj_type,
841 	Opt_subj_user, Opt_subj_role, Opt_subj_type,
842 	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
843 	Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
844 	Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
845 	Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
846 	Opt_appraise_type, Opt_appraise_flag,
847 	Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
848 	Opt_err
849 };
850 
851 static const match_table_t policy_tokens = {
852 	{Opt_measure, "measure"},
853 	{Opt_dont_measure, "dont_measure"},
854 	{Opt_appraise, "appraise"},
855 	{Opt_dont_appraise, "dont_appraise"},
856 	{Opt_audit, "audit"},
857 	{Opt_hash, "hash"},
858 	{Opt_dont_hash, "dont_hash"},
859 	{Opt_obj_user, "obj_user=%s"},
860 	{Opt_obj_role, "obj_role=%s"},
861 	{Opt_obj_type, "obj_type=%s"},
862 	{Opt_subj_user, "subj_user=%s"},
863 	{Opt_subj_role, "subj_role=%s"},
864 	{Opt_subj_type, "subj_type=%s"},
865 	{Opt_func, "func=%s"},
866 	{Opt_mask, "mask=%s"},
867 	{Opt_fsmagic, "fsmagic=%s"},
868 	{Opt_fsname, "fsname=%s"},
869 	{Opt_fsuuid, "fsuuid=%s"},
870 	{Opt_uid_eq, "uid=%s"},
871 	{Opt_euid_eq, "euid=%s"},
872 	{Opt_fowner_eq, "fowner=%s"},
873 	{Opt_uid_gt, "uid>%s"},
874 	{Opt_euid_gt, "euid>%s"},
875 	{Opt_fowner_gt, "fowner>%s"},
876 	{Opt_uid_lt, "uid<%s"},
877 	{Opt_euid_lt, "euid<%s"},
878 	{Opt_fowner_lt, "fowner<%s"},
879 	{Opt_appraise_type, "appraise_type=%s"},
880 	{Opt_appraise_flag, "appraise_flag=%s"},
881 	{Opt_permit_directio, "permit_directio"},
882 	{Opt_pcr, "pcr=%s"},
883 	{Opt_template, "template=%s"},
884 	{Opt_keyrings, "keyrings=%s"},
885 	{Opt_err, NULL}
886 };
887 
888 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
889 			     substring_t *args, int lsm_rule, int audit_type)
890 {
891 	int result;
892 
893 	if (entry->lsm[lsm_rule].rule)
894 		return -EINVAL;
895 
896 	entry->lsm[lsm_rule].args_p = match_strdup(args);
897 	if (!entry->lsm[lsm_rule].args_p)
898 		return -ENOMEM;
899 
900 	entry->lsm[lsm_rule].type = audit_type;
901 	result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
902 				      entry->lsm[lsm_rule].args_p,
903 				      &entry->lsm[lsm_rule].rule);
904 	if (!entry->lsm[lsm_rule].rule) {
905 		pr_warn("rule for LSM \'%s\' is undefined\n",
906 			entry->lsm[lsm_rule].args_p);
907 
908 		if (ima_rules == &ima_default_rules) {
909 			kfree(entry->lsm[lsm_rule].args_p);
910 			entry->lsm[lsm_rule].args_p = NULL;
911 			result = -EINVAL;
912 		} else
913 			result = 0;
914 	}
915 
916 	return result;
917 }
918 
919 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
920 			      bool (*rule_operator)(kuid_t, kuid_t))
921 {
922 	if (!ab)
923 		return;
924 
925 	if (rule_operator == &uid_gt)
926 		audit_log_format(ab, "%s>", key);
927 	else if (rule_operator == &uid_lt)
928 		audit_log_format(ab, "%s<", key);
929 	else
930 		audit_log_format(ab, "%s=", key);
931 	audit_log_format(ab, "%s ", value);
932 }
933 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
934 {
935 	ima_log_string_op(ab, key, value, NULL);
936 }
937 
938 /*
939  * Validating the appended signature included in the measurement list requires
940  * the file hash calculated without the appended signature (i.e., the 'd-modsig'
941  * field). Therefore, notify the user if they have the 'modsig' field but not
942  * the 'd-modsig' field in the template.
943  */
944 static void check_template_modsig(const struct ima_template_desc *template)
945 {
946 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
947 	bool has_modsig, has_dmodsig;
948 	static bool checked;
949 	int i;
950 
951 	/* We only need to notify the user once. */
952 	if (checked)
953 		return;
954 
955 	has_modsig = has_dmodsig = false;
956 	for (i = 0; i < template->num_fields; i++) {
957 		if (!strcmp(template->fields[i]->field_id, "modsig"))
958 			has_modsig = true;
959 		else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
960 			has_dmodsig = true;
961 	}
962 
963 	if (has_modsig && !has_dmodsig)
964 		pr_notice(MSG);
965 
966 	checked = true;
967 #undef MSG
968 }
969 
970 static bool ima_validate_rule(struct ima_rule_entry *entry)
971 {
972 	/* Ensure that the action is set and is compatible with the flags */
973 	if (entry->action == UNKNOWN)
974 		return false;
975 
976 	if (entry->action != MEASURE && entry->flags & IMA_PCR)
977 		return false;
978 
979 	if (entry->action != APPRAISE &&
980 	    entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST))
981 		return false;
982 
983 	/*
984 	 * The IMA_FUNC bit must be set if and only if there's a valid hook
985 	 * function specified, and vice versa. Enforcing this property allows
986 	 * for the NONE case below to validate a rule without an explicit hook
987 	 * function.
988 	 */
989 	if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
990 	    (!(entry->flags & IMA_FUNC) && entry->func != NONE))
991 		return false;
992 
993 	/*
994 	 * Ensure that the hook function is compatible with the other
995 	 * components of the rule
996 	 */
997 	switch (entry->func) {
998 	case NONE:
999 	case FILE_CHECK:
1000 	case MMAP_CHECK:
1001 	case BPRM_CHECK:
1002 	case CREDS_CHECK:
1003 	case POST_SETATTR:
1004 	case FIRMWARE_CHECK:
1005 	case POLICY_CHECK:
1006 		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1007 				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1008 				     IMA_INMASK | IMA_EUID | IMA_PCR |
1009 				     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
1010 				     IMA_PERMIT_DIRECTIO))
1011 			return false;
1012 
1013 		break;
1014 	case MODULE_CHECK:
1015 	case KEXEC_KERNEL_CHECK:
1016 	case KEXEC_INITRAMFS_CHECK:
1017 		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1018 				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1019 				     IMA_INMASK | IMA_EUID | IMA_PCR |
1020 				     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
1021 				     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
1022 				     IMA_CHECK_BLACKLIST))
1023 			return false;
1024 
1025 		break;
1026 	case KEXEC_CMDLINE:
1027 		if (entry->action & ~(MEASURE | DONT_MEASURE))
1028 			return false;
1029 
1030 		if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1031 				     IMA_FOWNER | IMA_FSUUID | IMA_EUID |
1032 				     IMA_PCR | IMA_FSNAME))
1033 			return false;
1034 
1035 		break;
1036 	case KEY_CHECK:
1037 		if (entry->action & ~(MEASURE | DONT_MEASURE))
1038 			return false;
1039 
1040 		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
1041 				     IMA_KEYRINGS))
1042 			return false;
1043 
1044 		if (ima_rule_contains_lsm_cond(entry))
1045 			return false;
1046 
1047 		break;
1048 	default:
1049 		return false;
1050 	}
1051 
1052 	/* Ensure that combinations of flags are compatible with each other */
1053 	if (entry->flags & IMA_CHECK_BLACKLIST &&
1054 	    !(entry->flags & IMA_MODSIG_ALLOWED))
1055 		return false;
1056 
1057 	return true;
1058 }
1059 
1060 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1061 {
1062 	struct audit_buffer *ab;
1063 	char *from;
1064 	char *p;
1065 	bool uid_token;
1066 	struct ima_template_desc *template_desc;
1067 	int result = 0;
1068 	size_t keyrings_len;
1069 
1070 	ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
1071 				       AUDIT_INTEGRITY_POLICY_RULE);
1072 
1073 	entry->uid = INVALID_UID;
1074 	entry->fowner = INVALID_UID;
1075 	entry->uid_op = &uid_eq;
1076 	entry->fowner_op = &uid_eq;
1077 	entry->action = UNKNOWN;
1078 	while ((p = strsep(&rule, " \t")) != NULL) {
1079 		substring_t args[MAX_OPT_ARGS];
1080 		int token;
1081 		unsigned long lnum;
1082 
1083 		if (result < 0)
1084 			break;
1085 		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
1086 			continue;
1087 		token = match_token(p, policy_tokens, args);
1088 		switch (token) {
1089 		case Opt_measure:
1090 			ima_log_string(ab, "action", "measure");
1091 
1092 			if (entry->action != UNKNOWN)
1093 				result = -EINVAL;
1094 
1095 			entry->action = MEASURE;
1096 			break;
1097 		case Opt_dont_measure:
1098 			ima_log_string(ab, "action", "dont_measure");
1099 
1100 			if (entry->action != UNKNOWN)
1101 				result = -EINVAL;
1102 
1103 			entry->action = DONT_MEASURE;
1104 			break;
1105 		case Opt_appraise:
1106 			ima_log_string(ab, "action", "appraise");
1107 
1108 			if (entry->action != UNKNOWN)
1109 				result = -EINVAL;
1110 
1111 			entry->action = APPRAISE;
1112 			break;
1113 		case Opt_dont_appraise:
1114 			ima_log_string(ab, "action", "dont_appraise");
1115 
1116 			if (entry->action != UNKNOWN)
1117 				result = -EINVAL;
1118 
1119 			entry->action = DONT_APPRAISE;
1120 			break;
1121 		case Opt_audit:
1122 			ima_log_string(ab, "action", "audit");
1123 
1124 			if (entry->action != UNKNOWN)
1125 				result = -EINVAL;
1126 
1127 			entry->action = AUDIT;
1128 			break;
1129 		case Opt_hash:
1130 			ima_log_string(ab, "action", "hash");
1131 
1132 			if (entry->action != UNKNOWN)
1133 				result = -EINVAL;
1134 
1135 			entry->action = HASH;
1136 			break;
1137 		case Opt_dont_hash:
1138 			ima_log_string(ab, "action", "dont_hash");
1139 
1140 			if (entry->action != UNKNOWN)
1141 				result = -EINVAL;
1142 
1143 			entry->action = DONT_HASH;
1144 			break;
1145 		case Opt_func:
1146 			ima_log_string(ab, "func", args[0].from);
1147 
1148 			if (entry->func)
1149 				result = -EINVAL;
1150 
1151 			if (strcmp(args[0].from, "FILE_CHECK") == 0)
1152 				entry->func = FILE_CHECK;
1153 			/* PATH_CHECK is for backwards compat */
1154 			else if (strcmp(args[0].from, "PATH_CHECK") == 0)
1155 				entry->func = FILE_CHECK;
1156 			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
1157 				entry->func = MODULE_CHECK;
1158 			else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
1159 				entry->func = FIRMWARE_CHECK;
1160 			else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
1161 				|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
1162 				entry->func = MMAP_CHECK;
1163 			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
1164 				entry->func = BPRM_CHECK;
1165 			else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
1166 				entry->func = CREDS_CHECK;
1167 			else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
1168 				 0)
1169 				entry->func = KEXEC_KERNEL_CHECK;
1170 			else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
1171 				 == 0)
1172 				entry->func = KEXEC_INITRAMFS_CHECK;
1173 			else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
1174 				entry->func = POLICY_CHECK;
1175 			else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1176 				entry->func = KEXEC_CMDLINE;
1177 			else if (strcmp(args[0].from, "KEY_CHECK") == 0)
1178 				entry->func = KEY_CHECK;
1179 			else
1180 				result = -EINVAL;
1181 			if (!result)
1182 				entry->flags |= IMA_FUNC;
1183 			break;
1184 		case Opt_mask:
1185 			ima_log_string(ab, "mask", args[0].from);
1186 
1187 			if (entry->mask)
1188 				result = -EINVAL;
1189 
1190 			from = args[0].from;
1191 			if (*from == '^')
1192 				from++;
1193 
1194 			if ((strcmp(from, "MAY_EXEC")) == 0)
1195 				entry->mask = MAY_EXEC;
1196 			else if (strcmp(from, "MAY_WRITE") == 0)
1197 				entry->mask = MAY_WRITE;
1198 			else if (strcmp(from, "MAY_READ") == 0)
1199 				entry->mask = MAY_READ;
1200 			else if (strcmp(from, "MAY_APPEND") == 0)
1201 				entry->mask = MAY_APPEND;
1202 			else
1203 				result = -EINVAL;
1204 			if (!result)
1205 				entry->flags |= (*args[0].from == '^')
1206 				     ? IMA_INMASK : IMA_MASK;
1207 			break;
1208 		case Opt_fsmagic:
1209 			ima_log_string(ab, "fsmagic", args[0].from);
1210 
1211 			if (entry->fsmagic) {
1212 				result = -EINVAL;
1213 				break;
1214 			}
1215 
1216 			result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1217 			if (!result)
1218 				entry->flags |= IMA_FSMAGIC;
1219 			break;
1220 		case Opt_fsname:
1221 			ima_log_string(ab, "fsname", args[0].from);
1222 
1223 			entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1224 			if (!entry->fsname) {
1225 				result = -ENOMEM;
1226 				break;
1227 			}
1228 			result = 0;
1229 			entry->flags |= IMA_FSNAME;
1230 			break;
1231 		case Opt_keyrings:
1232 			ima_log_string(ab, "keyrings", args[0].from);
1233 
1234 			keyrings_len = strlen(args[0].from) + 1;
1235 
1236 			if ((entry->keyrings) ||
1237 			    (keyrings_len < 2)) {
1238 				result = -EINVAL;
1239 				break;
1240 			}
1241 
1242 			if (keyrings_len > ima_keyrings_len) {
1243 				char *tmpbuf;
1244 
1245 				tmpbuf = krealloc(ima_keyrings, keyrings_len,
1246 						  GFP_KERNEL);
1247 				if (!tmpbuf) {
1248 					result = -ENOMEM;
1249 					break;
1250 				}
1251 
1252 				ima_keyrings = tmpbuf;
1253 				ima_keyrings_len = keyrings_len;
1254 			}
1255 
1256 			entry->keyrings = kstrdup(args[0].from, GFP_KERNEL);
1257 			if (!entry->keyrings) {
1258 				kfree(ima_keyrings);
1259 				ima_keyrings = NULL;
1260 				ima_keyrings_len = 0;
1261 				result = -ENOMEM;
1262 				break;
1263 			}
1264 			result = 0;
1265 			entry->flags |= IMA_KEYRINGS;
1266 			break;
1267 		case Opt_fsuuid:
1268 			ima_log_string(ab, "fsuuid", args[0].from);
1269 
1270 			if (!uuid_is_null(&entry->fsuuid)) {
1271 				result = -EINVAL;
1272 				break;
1273 			}
1274 
1275 			result = uuid_parse(args[0].from, &entry->fsuuid);
1276 			if (!result)
1277 				entry->flags |= IMA_FSUUID;
1278 			break;
1279 		case Opt_uid_gt:
1280 		case Opt_euid_gt:
1281 			entry->uid_op = &uid_gt;
1282 			/* fall through */
1283 		case Opt_uid_lt:
1284 		case Opt_euid_lt:
1285 			if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1286 				entry->uid_op = &uid_lt;
1287 			/* fall through */
1288 		case Opt_uid_eq:
1289 		case Opt_euid_eq:
1290 			uid_token = (token == Opt_uid_eq) ||
1291 				    (token == Opt_uid_gt) ||
1292 				    (token == Opt_uid_lt);
1293 
1294 			ima_log_string_op(ab, uid_token ? "uid" : "euid",
1295 					  args[0].from, entry->uid_op);
1296 
1297 			if (uid_valid(entry->uid)) {
1298 				result = -EINVAL;
1299 				break;
1300 			}
1301 
1302 			result = kstrtoul(args[0].from, 10, &lnum);
1303 			if (!result) {
1304 				entry->uid = make_kuid(current_user_ns(),
1305 						       (uid_t) lnum);
1306 				if (!uid_valid(entry->uid) ||
1307 				    (uid_t)lnum != lnum)
1308 					result = -EINVAL;
1309 				else
1310 					entry->flags |= uid_token
1311 					    ? IMA_UID : IMA_EUID;
1312 			}
1313 			break;
1314 		case Opt_fowner_gt:
1315 			entry->fowner_op = &uid_gt;
1316 			/* fall through */
1317 		case Opt_fowner_lt:
1318 			if (token == Opt_fowner_lt)
1319 				entry->fowner_op = &uid_lt;
1320 			/* fall through */
1321 		case Opt_fowner_eq:
1322 			ima_log_string_op(ab, "fowner", args[0].from,
1323 					  entry->fowner_op);
1324 
1325 			if (uid_valid(entry->fowner)) {
1326 				result = -EINVAL;
1327 				break;
1328 			}
1329 
1330 			result = kstrtoul(args[0].from, 10, &lnum);
1331 			if (!result) {
1332 				entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
1333 				if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
1334 					result = -EINVAL;
1335 				else
1336 					entry->flags |= IMA_FOWNER;
1337 			}
1338 			break;
1339 		case Opt_obj_user:
1340 			ima_log_string(ab, "obj_user", args[0].from);
1341 			result = ima_lsm_rule_init(entry, args,
1342 						   LSM_OBJ_USER,
1343 						   AUDIT_OBJ_USER);
1344 			break;
1345 		case Opt_obj_role:
1346 			ima_log_string(ab, "obj_role", args[0].from);
1347 			result = ima_lsm_rule_init(entry, args,
1348 						   LSM_OBJ_ROLE,
1349 						   AUDIT_OBJ_ROLE);
1350 			break;
1351 		case Opt_obj_type:
1352 			ima_log_string(ab, "obj_type", args[0].from);
1353 			result = ima_lsm_rule_init(entry, args,
1354 						   LSM_OBJ_TYPE,
1355 						   AUDIT_OBJ_TYPE);
1356 			break;
1357 		case Opt_subj_user:
1358 			ima_log_string(ab, "subj_user", args[0].from);
1359 			result = ima_lsm_rule_init(entry, args,
1360 						   LSM_SUBJ_USER,
1361 						   AUDIT_SUBJ_USER);
1362 			break;
1363 		case Opt_subj_role:
1364 			ima_log_string(ab, "subj_role", args[0].from);
1365 			result = ima_lsm_rule_init(entry, args,
1366 						   LSM_SUBJ_ROLE,
1367 						   AUDIT_SUBJ_ROLE);
1368 			break;
1369 		case Opt_subj_type:
1370 			ima_log_string(ab, "subj_type", args[0].from);
1371 			result = ima_lsm_rule_init(entry, args,
1372 						   LSM_SUBJ_TYPE,
1373 						   AUDIT_SUBJ_TYPE);
1374 			break;
1375 		case Opt_appraise_type:
1376 			ima_log_string(ab, "appraise_type", args[0].from);
1377 			if ((strcmp(args[0].from, "imasig")) == 0)
1378 				entry->flags |= IMA_DIGSIG_REQUIRED;
1379 			else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1380 				 strcmp(args[0].from, "imasig|modsig") == 0)
1381 				entry->flags |= IMA_DIGSIG_REQUIRED |
1382 						IMA_MODSIG_ALLOWED;
1383 			else
1384 				result = -EINVAL;
1385 			break;
1386 		case Opt_appraise_flag:
1387 			ima_log_string(ab, "appraise_flag", args[0].from);
1388 			if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1389 			    strstr(args[0].from, "blacklist"))
1390 				entry->flags |= IMA_CHECK_BLACKLIST;
1391 			else
1392 				result = -EINVAL;
1393 			break;
1394 		case Opt_permit_directio:
1395 			entry->flags |= IMA_PERMIT_DIRECTIO;
1396 			break;
1397 		case Opt_pcr:
1398 			ima_log_string(ab, "pcr", args[0].from);
1399 
1400 			result = kstrtoint(args[0].from, 10, &entry->pcr);
1401 			if (result || INVALID_PCR(entry->pcr))
1402 				result = -EINVAL;
1403 			else
1404 				entry->flags |= IMA_PCR;
1405 
1406 			break;
1407 		case Opt_template:
1408 			ima_log_string(ab, "template", args[0].from);
1409 			if (entry->action != MEASURE) {
1410 				result = -EINVAL;
1411 				break;
1412 			}
1413 			template_desc = lookup_template_desc(args[0].from);
1414 			if (!template_desc || entry->template) {
1415 				result = -EINVAL;
1416 				break;
1417 			}
1418 
1419 			/*
1420 			 * template_desc_init_fields() does nothing if
1421 			 * the template is already initialised, so
1422 			 * it's safe to do this unconditionally
1423 			 */
1424 			template_desc_init_fields(template_desc->fmt,
1425 						 &(template_desc->fields),
1426 						 &(template_desc->num_fields));
1427 			entry->template = template_desc;
1428 			break;
1429 		case Opt_err:
1430 			ima_log_string(ab, "UNKNOWN", p);
1431 			result = -EINVAL;
1432 			break;
1433 		}
1434 	}
1435 	if (!result && !ima_validate_rule(entry))
1436 		result = -EINVAL;
1437 	else if (entry->action == APPRAISE)
1438 		temp_ima_appraise |= ima_appraise_flag(entry->func);
1439 
1440 	if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1441 		template_desc = entry->template ? entry->template :
1442 						  ima_template_desc_current();
1443 		check_template_modsig(template_desc);
1444 	}
1445 
1446 	audit_log_format(ab, "res=%d", !result);
1447 	audit_log_end(ab);
1448 	return result;
1449 }
1450 
1451 /**
1452  * ima_parse_add_rule - add a rule to ima_policy_rules
1453  * @rule - ima measurement policy rule
1454  *
1455  * Avoid locking by allowing just one writer at a time in ima_write_policy()
1456  * Returns the length of the rule parsed, an error code on failure
1457  */
1458 ssize_t ima_parse_add_rule(char *rule)
1459 {
1460 	static const char op[] = "update_policy";
1461 	char *p;
1462 	struct ima_rule_entry *entry;
1463 	ssize_t result, len;
1464 	int audit_info = 0;
1465 
1466 	p = strsep(&rule, "\n");
1467 	len = strlen(p) + 1;
1468 	p += strspn(p, " \t");
1469 
1470 	if (*p == '#' || *p == '\0')
1471 		return len;
1472 
1473 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1474 	if (!entry) {
1475 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1476 				    NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1477 		return -ENOMEM;
1478 	}
1479 
1480 	INIT_LIST_HEAD(&entry->list);
1481 
1482 	result = ima_parse_rule(p, entry);
1483 	if (result) {
1484 		ima_free_rule(entry);
1485 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1486 				    NULL, op, "invalid-policy", result,
1487 				    audit_info);
1488 		return result;
1489 	}
1490 
1491 	list_add_tail(&entry->list, &ima_temp_rules);
1492 
1493 	return len;
1494 }
1495 
1496 /**
1497  * ima_delete_rules() called to cleanup invalid in-flight policy.
1498  * We don't need locking as we operate on the temp list, which is
1499  * different from the active one.  There is also only one user of
1500  * ima_delete_rules() at a time.
1501  */
1502 void ima_delete_rules(void)
1503 {
1504 	struct ima_rule_entry *entry, *tmp;
1505 
1506 	temp_ima_appraise = 0;
1507 	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1508 		list_del(&entry->list);
1509 		ima_free_rule(entry);
1510 	}
1511 }
1512 
1513 #define __ima_hook_stringify(func, str)	(#func),
1514 
1515 const char *const func_tokens[] = {
1516 	__ima_hooks(__ima_hook_stringify)
1517 };
1518 
1519 #ifdef	CONFIG_IMA_READ_POLICY
1520 enum {
1521 	mask_exec = 0, mask_write, mask_read, mask_append
1522 };
1523 
1524 static const char *const mask_tokens[] = {
1525 	"^MAY_EXEC",
1526 	"^MAY_WRITE",
1527 	"^MAY_READ",
1528 	"^MAY_APPEND"
1529 };
1530 
1531 void *ima_policy_start(struct seq_file *m, loff_t *pos)
1532 {
1533 	loff_t l = *pos;
1534 	struct ima_rule_entry *entry;
1535 
1536 	rcu_read_lock();
1537 	list_for_each_entry_rcu(entry, ima_rules, list) {
1538 		if (!l--) {
1539 			rcu_read_unlock();
1540 			return entry;
1541 		}
1542 	}
1543 	rcu_read_unlock();
1544 	return NULL;
1545 }
1546 
1547 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1548 {
1549 	struct ima_rule_entry *entry = v;
1550 
1551 	rcu_read_lock();
1552 	entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1553 	rcu_read_unlock();
1554 	(*pos)++;
1555 
1556 	return (&entry->list == ima_rules) ? NULL : entry;
1557 }
1558 
1559 void ima_policy_stop(struct seq_file *m, void *v)
1560 {
1561 }
1562 
1563 #define pt(token)	policy_tokens[token].pattern
1564 #define mt(token)	mask_tokens[token]
1565 
1566 /*
1567  * policy_func_show - display the ima_hooks policy rule
1568  */
1569 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1570 {
1571 	if (func > 0 && func < MAX_CHECK)
1572 		seq_printf(m, "func=%s ", func_tokens[func]);
1573 	else
1574 		seq_printf(m, "func=%d ", func);
1575 }
1576 
1577 int ima_policy_show(struct seq_file *m, void *v)
1578 {
1579 	struct ima_rule_entry *entry = v;
1580 	int i;
1581 	char tbuf[64] = {0,};
1582 	int offset = 0;
1583 
1584 	rcu_read_lock();
1585 
1586 	if (entry->action & MEASURE)
1587 		seq_puts(m, pt(Opt_measure));
1588 	if (entry->action & DONT_MEASURE)
1589 		seq_puts(m, pt(Opt_dont_measure));
1590 	if (entry->action & APPRAISE)
1591 		seq_puts(m, pt(Opt_appraise));
1592 	if (entry->action & DONT_APPRAISE)
1593 		seq_puts(m, pt(Opt_dont_appraise));
1594 	if (entry->action & AUDIT)
1595 		seq_puts(m, pt(Opt_audit));
1596 	if (entry->action & HASH)
1597 		seq_puts(m, pt(Opt_hash));
1598 	if (entry->action & DONT_HASH)
1599 		seq_puts(m, pt(Opt_dont_hash));
1600 
1601 	seq_puts(m, " ");
1602 
1603 	if (entry->flags & IMA_FUNC)
1604 		policy_func_show(m, entry->func);
1605 
1606 	if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
1607 		if (entry->flags & IMA_MASK)
1608 			offset = 1;
1609 		if (entry->mask & MAY_EXEC)
1610 			seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
1611 		if (entry->mask & MAY_WRITE)
1612 			seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
1613 		if (entry->mask & MAY_READ)
1614 			seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
1615 		if (entry->mask & MAY_APPEND)
1616 			seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
1617 		seq_puts(m, " ");
1618 	}
1619 
1620 	if (entry->flags & IMA_FSMAGIC) {
1621 		snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1622 		seq_printf(m, pt(Opt_fsmagic), tbuf);
1623 		seq_puts(m, " ");
1624 	}
1625 
1626 	if (entry->flags & IMA_FSNAME) {
1627 		snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1628 		seq_printf(m, pt(Opt_fsname), tbuf);
1629 		seq_puts(m, " ");
1630 	}
1631 
1632 	if (entry->flags & IMA_KEYRINGS) {
1633 		if (entry->keyrings != NULL)
1634 			snprintf(tbuf, sizeof(tbuf), "%s", entry->keyrings);
1635 		seq_printf(m, pt(Opt_keyrings), tbuf);
1636 		seq_puts(m, " ");
1637 	}
1638 
1639 	if (entry->flags & IMA_PCR) {
1640 		snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1641 		seq_printf(m, pt(Opt_pcr), tbuf);
1642 		seq_puts(m, " ");
1643 	}
1644 
1645 	if (entry->flags & IMA_FSUUID) {
1646 		seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1647 		seq_puts(m, " ");
1648 	}
1649 
1650 	if (entry->flags & IMA_UID) {
1651 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1652 		if (entry->uid_op == &uid_gt)
1653 			seq_printf(m, pt(Opt_uid_gt), tbuf);
1654 		else if (entry->uid_op == &uid_lt)
1655 			seq_printf(m, pt(Opt_uid_lt), tbuf);
1656 		else
1657 			seq_printf(m, pt(Opt_uid_eq), tbuf);
1658 		seq_puts(m, " ");
1659 	}
1660 
1661 	if (entry->flags & IMA_EUID) {
1662 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1663 		if (entry->uid_op == &uid_gt)
1664 			seq_printf(m, pt(Opt_euid_gt), tbuf);
1665 		else if (entry->uid_op == &uid_lt)
1666 			seq_printf(m, pt(Opt_euid_lt), tbuf);
1667 		else
1668 			seq_printf(m, pt(Opt_euid_eq), tbuf);
1669 		seq_puts(m, " ");
1670 	}
1671 
1672 	if (entry->flags & IMA_FOWNER) {
1673 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1674 		if (entry->fowner_op == &uid_gt)
1675 			seq_printf(m, pt(Opt_fowner_gt), tbuf);
1676 		else if (entry->fowner_op == &uid_lt)
1677 			seq_printf(m, pt(Opt_fowner_lt), tbuf);
1678 		else
1679 			seq_printf(m, pt(Opt_fowner_eq), tbuf);
1680 		seq_puts(m, " ");
1681 	}
1682 
1683 	for (i = 0; i < MAX_LSM_RULES; i++) {
1684 		if (entry->lsm[i].rule) {
1685 			switch (i) {
1686 			case LSM_OBJ_USER:
1687 				seq_printf(m, pt(Opt_obj_user),
1688 					   entry->lsm[i].args_p);
1689 				break;
1690 			case LSM_OBJ_ROLE:
1691 				seq_printf(m, pt(Opt_obj_role),
1692 					   entry->lsm[i].args_p);
1693 				break;
1694 			case LSM_OBJ_TYPE:
1695 				seq_printf(m, pt(Opt_obj_type),
1696 					   entry->lsm[i].args_p);
1697 				break;
1698 			case LSM_SUBJ_USER:
1699 				seq_printf(m, pt(Opt_subj_user),
1700 					   entry->lsm[i].args_p);
1701 				break;
1702 			case LSM_SUBJ_ROLE:
1703 				seq_printf(m, pt(Opt_subj_role),
1704 					   entry->lsm[i].args_p);
1705 				break;
1706 			case LSM_SUBJ_TYPE:
1707 				seq_printf(m, pt(Opt_subj_type),
1708 					   entry->lsm[i].args_p);
1709 				break;
1710 			}
1711 			seq_puts(m, " ");
1712 		}
1713 	}
1714 	if (entry->template)
1715 		seq_printf(m, "template=%s ", entry->template->name);
1716 	if (entry->flags & IMA_DIGSIG_REQUIRED) {
1717 		if (entry->flags & IMA_MODSIG_ALLOWED)
1718 			seq_puts(m, "appraise_type=imasig|modsig ");
1719 		else
1720 			seq_puts(m, "appraise_type=imasig ");
1721 	}
1722 	if (entry->flags & IMA_CHECK_BLACKLIST)
1723 		seq_puts(m, "appraise_flag=check_blacklist ");
1724 	if (entry->flags & IMA_PERMIT_DIRECTIO)
1725 		seq_puts(m, "permit_directio ");
1726 	rcu_read_unlock();
1727 	seq_puts(m, "\n");
1728 	return 0;
1729 }
1730 #endif	/* CONFIG_IMA_READ_POLICY */
1731 
1732 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
1733 /*
1734  * ima_appraise_signature: whether IMA will appraise a given function using
1735  * an IMA digital signature. This is restricted to cases where the kernel
1736  * has a set of built-in trusted keys in order to avoid an attacker simply
1737  * loading additional keys.
1738  */
1739 bool ima_appraise_signature(enum kernel_read_file_id id)
1740 {
1741 	struct ima_rule_entry *entry;
1742 	bool found = false;
1743 	enum ima_hooks func;
1744 
1745 	if (id >= READING_MAX_ID)
1746 		return false;
1747 
1748 	func = read_idmap[id] ?: FILE_CHECK;
1749 
1750 	rcu_read_lock();
1751 	list_for_each_entry_rcu(entry, ima_rules, list) {
1752 		if (entry->action != APPRAISE)
1753 			continue;
1754 
1755 		/*
1756 		 * A generic entry will match, but otherwise require that it
1757 		 * match the func we're looking for
1758 		 */
1759 		if (entry->func && entry->func != func)
1760 			continue;
1761 
1762 		/*
1763 		 * We require this to be a digital signature, not a raw IMA
1764 		 * hash.
1765 		 */
1766 		if (entry->flags & IMA_DIGSIG_REQUIRED)
1767 			found = true;
1768 
1769 		/*
1770 		 * We've found a rule that matches, so break now even if it
1771 		 * didn't require a digital signature - a later rule that does
1772 		 * won't override it, so would be a false positive.
1773 		 */
1774 		break;
1775 	}
1776 
1777 	rcu_read_unlock();
1778 	return found;
1779 }
1780 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
1781