1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/seq_file.h> 20 #include <linux/ima.h> 21 22 #include "ima.h" 23 24 /* flags definitions */ 25 #define IMA_FUNC 0x0001 26 #define IMA_MASK 0x0002 27 #define IMA_FSMAGIC 0x0004 28 #define IMA_UID 0x0008 29 #define IMA_FOWNER 0x0010 30 #define IMA_FSUUID 0x0020 31 #define IMA_INMASK 0x0040 32 #define IMA_EUID 0x0080 33 #define IMA_PCR 0x0100 34 #define IMA_FSNAME 0x0200 35 #define IMA_KEYRINGS 0x0400 36 #define IMA_LABEL 0x0800 37 #define IMA_VALIDATE_ALGOS 0x1000 38 #define IMA_GID 0x2000 39 #define IMA_EGID 0x4000 40 #define IMA_FGROUP 0x8000 41 42 #define UNKNOWN 0 43 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 44 #define DONT_MEASURE 0x0002 45 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 46 #define DONT_APPRAISE 0x0008 47 #define AUDIT 0x0040 48 #define HASH 0x0100 49 #define DONT_HASH 0x0200 50 51 #define INVALID_PCR(a) (((a) < 0) || \ 52 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 53 54 int ima_policy_flag; 55 static int temp_ima_appraise; 56 static int build_ima_appraise __ro_after_init; 57 58 atomic_t ima_setxattr_allowed_hash_algorithms; 59 60 #define MAX_LSM_RULES 6 61 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 62 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 63 }; 64 65 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 66 67 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 68 69 struct ima_rule_opt_list { 70 size_t count; 71 char *items[]; 72 }; 73 74 /* 75 * These comparators are needed nowhere outside of ima so just define them here. 76 * This pattern should hopefully never be needed outside of ima. 77 */ 78 static inline bool vfsuid_gt_kuid(vfsuid_t vfsuid, kuid_t kuid) 79 { 80 return __vfsuid_val(vfsuid) > __kuid_val(kuid); 81 } 82 83 static inline bool vfsgid_gt_kgid(vfsgid_t vfsgid, kgid_t kgid) 84 { 85 return __vfsgid_val(vfsgid) > __kgid_val(kgid); 86 } 87 88 static inline bool vfsuid_lt_kuid(vfsuid_t vfsuid, kuid_t kuid) 89 { 90 return __vfsuid_val(vfsuid) < __kuid_val(kuid); 91 } 92 93 static inline bool vfsgid_lt_kgid(vfsgid_t vfsgid, kgid_t kgid) 94 { 95 return __vfsgid_val(vfsgid) < __kgid_val(kgid); 96 } 97 98 struct ima_rule_entry { 99 struct list_head list; 100 int action; 101 unsigned int flags; 102 enum ima_hooks func; 103 int mask; 104 unsigned long fsmagic; 105 uuid_t fsuuid; 106 kuid_t uid; 107 kgid_t gid; 108 kuid_t fowner; 109 kgid_t fgroup; 110 bool (*uid_op)(kuid_t cred_uid, kuid_t rule_uid); /* Handlers for operators */ 111 bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid); 112 bool (*fowner_op)(vfsuid_t vfsuid, kuid_t rule_uid); /* vfsuid_eq_kuid(), vfsuid_gt_kuid(), vfsuid_lt_kuid() */ 113 bool (*fgroup_op)(vfsgid_t vfsgid, kgid_t rule_gid); /* vfsgid_eq_kgid(), vfsgid_gt_kgid(), vfsgid_lt_kgid() */ 114 int pcr; 115 unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ 116 struct { 117 void *rule; /* LSM file metadata specific */ 118 char *args_p; /* audit value */ 119 int type; /* audit type */ 120 } lsm[MAX_LSM_RULES]; 121 char *fsname; 122 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 123 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 124 struct ima_template_desc *template; 125 }; 126 127 /* 128 * sanity check in case the kernels gains more hash algorithms that can 129 * fit in an unsigned int 130 */ 131 static_assert( 132 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, 133 "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type"); 134 135 /* 136 * Without LSM specific knowledge, the default policy can only be 137 * written in terms of .action, .func, .mask, .fsmagic, .uid, .gid, 138 * .fowner, and .fgroup 139 */ 140 141 /* 142 * The minimum rule set to allow for full TCB coverage. Measures all files 143 * opened or mmap for exec and everything read by root. Dangerous because 144 * normal users can easily run the machine out of memory simply building 145 * and running executables. 146 */ 147 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 148 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 149 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 158 .flags = IMA_FSMAGIC}, 159 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 160 .flags = IMA_FSMAGIC}, 161 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 162 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 163 }; 164 165 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 166 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 167 .flags = IMA_FUNC | IMA_MASK}, 168 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 169 .flags = IMA_FUNC | IMA_MASK}, 170 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 171 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 172 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 173 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 174 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 175 }; 176 177 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 178 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 179 .flags = IMA_FUNC | IMA_MASK}, 180 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 181 .flags = IMA_FUNC | IMA_MASK}, 182 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 183 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 184 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 185 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 186 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 187 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 188 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 189 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 190 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 191 }; 192 193 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 194 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 195 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 196 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 197 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 198 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 199 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 200 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 201 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 202 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 203 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 204 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 205 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 206 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 207 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 208 #ifdef CONFIG_IMA_WRITE_POLICY 209 {.action = APPRAISE, .func = POLICY_CHECK, 210 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 211 #endif 212 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 213 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, 214 .flags = IMA_FOWNER}, 215 #else 216 /* force signature */ 217 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, 218 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 219 #endif 220 }; 221 222 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 223 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 224 {.action = APPRAISE, .func = MODULE_CHECK, 225 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 226 #endif 227 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 228 {.action = APPRAISE, .func = FIRMWARE_CHECK, 229 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 230 #endif 231 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 232 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 233 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 234 #endif 235 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 236 {.action = APPRAISE, .func = POLICY_CHECK, 237 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 238 #endif 239 }; 240 241 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 242 {.action = APPRAISE, .func = MODULE_CHECK, 243 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 244 {.action = APPRAISE, .func = FIRMWARE_CHECK, 245 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 246 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 247 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 248 {.action = APPRAISE, .func = POLICY_CHECK, 249 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 250 }; 251 252 static struct ima_rule_entry critical_data_rules[] __ro_after_init = { 253 {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, 254 }; 255 256 /* An array of architecture specific rules */ 257 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 258 259 static LIST_HEAD(ima_default_rules); 260 static LIST_HEAD(ima_policy_rules); 261 static LIST_HEAD(ima_temp_rules); 262 static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules); 263 264 static int ima_policy __initdata; 265 266 static int __init default_measure_policy_setup(char *str) 267 { 268 if (ima_policy) 269 return 1; 270 271 ima_policy = ORIGINAL_TCB; 272 return 1; 273 } 274 __setup("ima_tcb", default_measure_policy_setup); 275 276 static bool ima_use_appraise_tcb __initdata; 277 static bool ima_use_secure_boot __initdata; 278 static bool ima_use_critical_data __initdata; 279 static bool ima_fail_unverifiable_sigs __ro_after_init; 280 static int __init policy_setup(char *str) 281 { 282 char *p; 283 284 while ((p = strsep(&str, " |\n")) != NULL) { 285 if (*p == ' ') 286 continue; 287 if ((strcmp(p, "tcb") == 0) && !ima_policy) 288 ima_policy = DEFAULT_TCB; 289 else if (strcmp(p, "appraise_tcb") == 0) 290 ima_use_appraise_tcb = true; 291 else if (strcmp(p, "secure_boot") == 0) 292 ima_use_secure_boot = true; 293 else if (strcmp(p, "critical_data") == 0) 294 ima_use_critical_data = true; 295 else if (strcmp(p, "fail_securely") == 0) 296 ima_fail_unverifiable_sigs = true; 297 else 298 pr_err("policy \"%s\" not found", p); 299 } 300 301 return 1; 302 } 303 __setup("ima_policy=", policy_setup); 304 305 static int __init default_appraise_policy_setup(char *str) 306 { 307 ima_use_appraise_tcb = true; 308 return 1; 309 } 310 __setup("ima_appraise_tcb", default_appraise_policy_setup); 311 312 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 313 { 314 struct ima_rule_opt_list *opt_list; 315 size_t count = 0; 316 char *src_copy; 317 char *cur, *next; 318 size_t i; 319 320 src_copy = match_strdup(src); 321 if (!src_copy) 322 return ERR_PTR(-ENOMEM); 323 324 next = src_copy; 325 while ((cur = strsep(&next, "|"))) { 326 /* Don't accept an empty list item */ 327 if (!(*cur)) { 328 kfree(src_copy); 329 return ERR_PTR(-EINVAL); 330 } 331 count++; 332 } 333 334 /* Don't accept an empty list */ 335 if (!count) { 336 kfree(src_copy); 337 return ERR_PTR(-EINVAL); 338 } 339 340 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 341 if (!opt_list) { 342 kfree(src_copy); 343 return ERR_PTR(-ENOMEM); 344 } 345 346 /* 347 * strsep() has already replaced all instances of '|' with '\0', 348 * leaving a byte sequence of NUL-terminated strings. Reference each 349 * string with the array of items. 350 * 351 * IMPORTANT: Ownership of the allocated buffer is transferred from 352 * src_copy to the first element in the items array. To free the 353 * buffer, kfree() must only be called on the first element of the 354 * array. 355 */ 356 for (i = 0, cur = src_copy; i < count; i++) { 357 opt_list->items[i] = cur; 358 cur = strchr(cur, '\0') + 1; 359 } 360 opt_list->count = count; 361 362 return opt_list; 363 } 364 365 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 366 { 367 if (!opt_list) 368 return; 369 370 if (opt_list->count) { 371 kfree(opt_list->items[0]); 372 opt_list->count = 0; 373 } 374 375 kfree(opt_list); 376 } 377 378 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 379 { 380 int i; 381 382 for (i = 0; i < MAX_LSM_RULES; i++) { 383 ima_filter_rule_free(entry->lsm[i].rule); 384 kfree(entry->lsm[i].args_p); 385 } 386 } 387 388 static void ima_free_rule(struct ima_rule_entry *entry) 389 { 390 if (!entry) 391 return; 392 393 /* 394 * entry->template->fields may be allocated in ima_parse_rule() but that 395 * reference is owned by the corresponding ima_template_desc element in 396 * the defined_templates list and cannot be freed here 397 */ 398 kfree(entry->fsname); 399 ima_free_rule_opt_list(entry->keyrings); 400 ima_lsm_free_rule(entry); 401 kfree(entry); 402 } 403 404 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 405 { 406 struct ima_rule_entry *nentry; 407 int i; 408 409 /* 410 * Immutable elements are copied over as pointers and data; only 411 * lsm rules can change 412 */ 413 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 414 if (!nentry) 415 return NULL; 416 417 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 418 419 for (i = 0; i < MAX_LSM_RULES; i++) { 420 if (!entry->lsm[i].args_p) 421 continue; 422 423 nentry->lsm[i].type = entry->lsm[i].type; 424 nentry->lsm[i].args_p = entry->lsm[i].args_p; 425 426 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 427 nentry->lsm[i].args_p, 428 &nentry->lsm[i].rule); 429 if (!nentry->lsm[i].rule) 430 pr_warn("rule for LSM \'%s\' is undefined\n", 431 nentry->lsm[i].args_p); 432 } 433 return nentry; 434 } 435 436 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 437 { 438 int i; 439 struct ima_rule_entry *nentry; 440 441 nentry = ima_lsm_copy_rule(entry); 442 if (!nentry) 443 return -ENOMEM; 444 445 list_replace_rcu(&entry->list, &nentry->list); 446 synchronize_rcu(); 447 /* 448 * ima_lsm_copy_rule() shallow copied all references, except for the 449 * LSM references, from entry to nentry so we only want to free the LSM 450 * references and the entry itself. All other memory references will now 451 * be owned by nentry. 452 */ 453 for (i = 0; i < MAX_LSM_RULES; i++) 454 ima_filter_rule_free(entry->lsm[i].rule); 455 kfree(entry); 456 457 return 0; 458 } 459 460 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 461 { 462 int i; 463 464 for (i = 0; i < MAX_LSM_RULES; i++) 465 if (entry->lsm[i].args_p) 466 return true; 467 468 return false; 469 } 470 471 /* 472 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 473 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 474 * the reloaded LSM policy. 475 */ 476 static void ima_lsm_update_rules(void) 477 { 478 struct ima_rule_entry *entry, *e; 479 int result; 480 481 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 482 if (!ima_rule_contains_lsm_cond(entry)) 483 continue; 484 485 result = ima_lsm_update_rule(entry); 486 if (result) { 487 pr_err("lsm rule update error %d\n", result); 488 return; 489 } 490 } 491 } 492 493 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 494 void *lsm_data) 495 { 496 if (event != LSM_POLICY_CHANGE) 497 return NOTIFY_DONE; 498 499 ima_lsm_update_rules(); 500 return NOTIFY_OK; 501 } 502 503 /** 504 * ima_match_rule_data - determine whether func_data matches the policy rule 505 * @rule: a pointer to a rule 506 * @func_data: data to match against the measure rule data 507 * @cred: a pointer to a credentials structure for user validation 508 * 509 * Returns true if func_data matches one in the rule, false otherwise. 510 */ 511 static bool ima_match_rule_data(struct ima_rule_entry *rule, 512 const char *func_data, 513 const struct cred *cred) 514 { 515 const struct ima_rule_opt_list *opt_list = NULL; 516 bool matched = false; 517 size_t i; 518 519 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 520 return false; 521 522 switch (rule->func) { 523 case KEY_CHECK: 524 if (!rule->keyrings) 525 return true; 526 527 opt_list = rule->keyrings; 528 break; 529 case CRITICAL_DATA: 530 if (!rule->label) 531 return true; 532 533 opt_list = rule->label; 534 break; 535 default: 536 return false; 537 } 538 539 if (!func_data) 540 return false; 541 542 for (i = 0; i < opt_list->count; i++) { 543 if (!strcmp(opt_list->items[i], func_data)) { 544 matched = true; 545 break; 546 } 547 } 548 549 return matched; 550 } 551 552 /** 553 * ima_match_rules - determine whether an inode matches the policy rule. 554 * @rule: a pointer to a rule 555 * @mnt_userns: user namespace of the mount the inode was found from 556 * @inode: a pointer to an inode 557 * @cred: a pointer to a credentials structure for user validation 558 * @secid: the secid of the task to be validated 559 * @func: LIM hook identifier 560 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 561 * @func_data: func specific data, may be NULL 562 * 563 * Returns true on rule match, false on failure. 564 */ 565 static bool ima_match_rules(struct ima_rule_entry *rule, 566 struct user_namespace *mnt_userns, 567 struct inode *inode, const struct cred *cred, 568 u32 secid, enum ima_hooks func, int mask, 569 const char *func_data) 570 { 571 int i; 572 bool result = false; 573 struct ima_rule_entry *lsm_rule = rule; 574 bool rule_reinitialized = false; 575 576 if ((rule->flags & IMA_FUNC) && 577 (rule->func != func && func != POST_SETATTR)) 578 return false; 579 580 switch (func) { 581 case KEY_CHECK: 582 case CRITICAL_DATA: 583 return ((rule->func == func) && 584 ima_match_rule_data(rule, func_data, cred)); 585 default: 586 break; 587 } 588 589 if ((rule->flags & IMA_MASK) && 590 (rule->mask != mask && func != POST_SETATTR)) 591 return false; 592 if ((rule->flags & IMA_INMASK) && 593 (!(rule->mask & mask) && func != POST_SETATTR)) 594 return false; 595 if ((rule->flags & IMA_FSMAGIC) 596 && rule->fsmagic != inode->i_sb->s_magic) 597 return false; 598 if ((rule->flags & IMA_FSNAME) 599 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 600 return false; 601 if ((rule->flags & IMA_FSUUID) && 602 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 603 return false; 604 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 605 return false; 606 if (rule->flags & IMA_EUID) { 607 if (has_capability_noaudit(current, CAP_SETUID)) { 608 if (!rule->uid_op(cred->euid, rule->uid) 609 && !rule->uid_op(cred->suid, rule->uid) 610 && !rule->uid_op(cred->uid, rule->uid)) 611 return false; 612 } else if (!rule->uid_op(cred->euid, rule->uid)) 613 return false; 614 } 615 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid)) 616 return false; 617 if (rule->flags & IMA_EGID) { 618 if (has_capability_noaudit(current, CAP_SETGID)) { 619 if (!rule->gid_op(cred->egid, rule->gid) 620 && !rule->gid_op(cred->sgid, rule->gid) 621 && !rule->gid_op(cred->gid, rule->gid)) 622 return false; 623 } else if (!rule->gid_op(cred->egid, rule->gid)) 624 return false; 625 } 626 if ((rule->flags & IMA_FOWNER) && 627 !rule->fowner_op(i_uid_into_vfsuid(mnt_userns, inode), 628 rule->fowner)) 629 return false; 630 if ((rule->flags & IMA_FGROUP) && 631 !rule->fgroup_op(i_gid_into_vfsgid(mnt_userns, inode), 632 rule->fgroup)) 633 return false; 634 for (i = 0; i < MAX_LSM_RULES; i++) { 635 int rc = 0; 636 u32 osid; 637 638 if (!lsm_rule->lsm[i].rule) { 639 if (!lsm_rule->lsm[i].args_p) 640 continue; 641 else 642 return false; 643 } 644 645 retry: 646 switch (i) { 647 case LSM_OBJ_USER: 648 case LSM_OBJ_ROLE: 649 case LSM_OBJ_TYPE: 650 security_inode_getsecid(inode, &osid); 651 rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, 652 Audit_equal, 653 lsm_rule->lsm[i].rule); 654 break; 655 case LSM_SUBJ_USER: 656 case LSM_SUBJ_ROLE: 657 case LSM_SUBJ_TYPE: 658 rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, 659 Audit_equal, 660 lsm_rule->lsm[i].rule); 661 break; 662 default: 663 break; 664 } 665 666 if (rc == -ESTALE && !rule_reinitialized) { 667 lsm_rule = ima_lsm_copy_rule(rule); 668 if (lsm_rule) { 669 rule_reinitialized = true; 670 goto retry; 671 } 672 } 673 if (!rc) { 674 result = false; 675 goto out; 676 } 677 } 678 result = true; 679 680 out: 681 if (rule_reinitialized) { 682 for (i = 0; i < MAX_LSM_RULES; i++) 683 ima_filter_rule_free(lsm_rule->lsm[i].rule); 684 kfree(lsm_rule); 685 } 686 return result; 687 } 688 689 /* 690 * In addition to knowing that we need to appraise the file in general, 691 * we need to differentiate between calling hooks, for hook specific rules. 692 */ 693 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 694 { 695 if (!(rule->flags & IMA_FUNC)) 696 return IMA_FILE_APPRAISE; 697 698 switch (func) { 699 case MMAP_CHECK: 700 return IMA_MMAP_APPRAISE; 701 case BPRM_CHECK: 702 return IMA_BPRM_APPRAISE; 703 case CREDS_CHECK: 704 return IMA_CREDS_APPRAISE; 705 case FILE_CHECK: 706 case POST_SETATTR: 707 return IMA_FILE_APPRAISE; 708 case MODULE_CHECK ... MAX_CHECK - 1: 709 default: 710 return IMA_READ_APPRAISE; 711 } 712 } 713 714 /** 715 * ima_match_policy - decision based on LSM and other conditions 716 * @mnt_userns: user namespace of the mount the inode was found from 717 * @inode: pointer to an inode for which the policy decision is being made 718 * @cred: pointer to a credentials structure for which the policy decision is 719 * being made 720 * @secid: LSM secid of the task to be validated 721 * @func: IMA hook identifier 722 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 723 * @pcr: set the pcr to extend 724 * @template_desc: the template that should be used for this rule 725 * @func_data: func specific data, may be NULL 726 * @allowed_algos: allowlist of hash algorithms for the IMA xattr 727 * 728 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 729 * conditions. 730 * 731 * Since the IMA policy may be updated multiple times we need to lock the 732 * list when walking it. Reads are many orders of magnitude more numerous 733 * than writes so ima_match_policy() is classical RCU candidate. 734 */ 735 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, 736 const struct cred *cred, u32 secid, enum ima_hooks func, 737 int mask, int flags, int *pcr, 738 struct ima_template_desc **template_desc, 739 const char *func_data, unsigned int *allowed_algos) 740 { 741 struct ima_rule_entry *entry; 742 int action = 0, actmask = flags | (flags << 1); 743 struct list_head *ima_rules_tmp; 744 745 if (template_desc && !*template_desc) 746 *template_desc = ima_template_desc_current(); 747 748 rcu_read_lock(); 749 ima_rules_tmp = rcu_dereference(ima_rules); 750 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 751 752 if (!(entry->action & actmask)) 753 continue; 754 755 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, 756 func, mask, func_data)) 757 continue; 758 759 action |= entry->flags & IMA_NONACTION_FLAGS; 760 761 action |= entry->action & IMA_DO_MASK; 762 if (entry->action & IMA_APPRAISE) { 763 action |= get_subaction(entry, func); 764 action &= ~IMA_HASH; 765 if (ima_fail_unverifiable_sigs) 766 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 767 768 if (allowed_algos && 769 entry->flags & IMA_VALIDATE_ALGOS) 770 *allowed_algos = entry->allowed_algos; 771 } 772 773 if (entry->action & IMA_DO_MASK) 774 actmask &= ~(entry->action | entry->action << 1); 775 else 776 actmask &= ~(entry->action | entry->action >> 1); 777 778 if ((pcr) && (entry->flags & IMA_PCR)) 779 *pcr = entry->pcr; 780 781 if (template_desc && entry->template) 782 *template_desc = entry->template; 783 784 if (!actmask) 785 break; 786 } 787 rcu_read_unlock(); 788 789 return action; 790 } 791 792 /** 793 * ima_update_policy_flags() - Update global IMA variables 794 * 795 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms 796 * based on the currently loaded policy. 797 * 798 * With ima_policy_flag, the decision to short circuit out of a function 799 * or not call the function in the first place can be made earlier. 800 * 801 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the 802 * set of hash algorithms accepted when updating the security.ima xattr of 803 * a file. 804 * 805 * Context: called after a policy update and at system initialization. 806 */ 807 void ima_update_policy_flags(void) 808 { 809 struct ima_rule_entry *entry; 810 int new_policy_flag = 0; 811 struct list_head *ima_rules_tmp; 812 813 rcu_read_lock(); 814 ima_rules_tmp = rcu_dereference(ima_rules); 815 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 816 /* 817 * SETXATTR_CHECK rules do not implement a full policy check 818 * because rule checking would probably have an important 819 * performance impact on setxattr(). As a consequence, only one 820 * SETXATTR_CHECK can be active at a given time. 821 * Because we want to preserve that property, we set out to use 822 * atomic_cmpxchg. Either: 823 * - the atomic was non-zero: a setxattr hash policy is 824 * already enforced, we do nothing 825 * - the atomic was zero: no setxattr policy was set, enable 826 * the setxattr hash policy 827 */ 828 if (entry->func == SETXATTR_CHECK) { 829 atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms, 830 0, entry->allowed_algos); 831 /* SETXATTR_CHECK doesn't impact ima_policy_flag */ 832 continue; 833 } 834 835 if (entry->action & IMA_DO_MASK) 836 new_policy_flag |= entry->action; 837 } 838 rcu_read_unlock(); 839 840 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 841 if (!ima_appraise) 842 new_policy_flag &= ~IMA_APPRAISE; 843 844 ima_policy_flag = new_policy_flag; 845 } 846 847 static int ima_appraise_flag(enum ima_hooks func) 848 { 849 if (func == MODULE_CHECK) 850 return IMA_APPRAISE_MODULES; 851 else if (func == FIRMWARE_CHECK) 852 return IMA_APPRAISE_FIRMWARE; 853 else if (func == POLICY_CHECK) 854 return IMA_APPRAISE_POLICY; 855 else if (func == KEXEC_KERNEL_CHECK) 856 return IMA_APPRAISE_KEXEC; 857 return 0; 858 } 859 860 static void add_rules(struct ima_rule_entry *entries, int count, 861 enum policy_rule_list policy_rule) 862 { 863 int i = 0; 864 865 for (i = 0; i < count; i++) { 866 struct ima_rule_entry *entry; 867 868 if (policy_rule & IMA_DEFAULT_POLICY) 869 list_add_tail(&entries[i].list, &ima_default_rules); 870 871 if (policy_rule & IMA_CUSTOM_POLICY) { 872 entry = kmemdup(&entries[i], sizeof(*entry), 873 GFP_KERNEL); 874 if (!entry) 875 continue; 876 877 list_add_tail(&entry->list, &ima_policy_rules); 878 } 879 if (entries[i].action == APPRAISE) { 880 if (entries != build_appraise_rules) 881 temp_ima_appraise |= 882 ima_appraise_flag(entries[i].func); 883 else 884 build_ima_appraise |= 885 ima_appraise_flag(entries[i].func); 886 } 887 } 888 } 889 890 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 891 892 static int __init ima_init_arch_policy(void) 893 { 894 const char * const *arch_rules; 895 const char * const *rules; 896 int arch_entries = 0; 897 int i = 0; 898 899 arch_rules = arch_get_ima_policy(); 900 if (!arch_rules) 901 return arch_entries; 902 903 /* Get number of rules */ 904 for (rules = arch_rules; *rules != NULL; rules++) 905 arch_entries++; 906 907 arch_policy_entry = kcalloc(arch_entries + 1, 908 sizeof(*arch_policy_entry), GFP_KERNEL); 909 if (!arch_policy_entry) 910 return 0; 911 912 /* Convert each policy string rules to struct ima_rule_entry format */ 913 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 914 char rule[255]; 915 int result; 916 917 result = strscpy(rule, *rules, sizeof(rule)); 918 919 INIT_LIST_HEAD(&arch_policy_entry[i].list); 920 result = ima_parse_rule(rule, &arch_policy_entry[i]); 921 if (result) { 922 pr_warn("Skipping unknown architecture policy rule: %s\n", 923 rule); 924 memset(&arch_policy_entry[i], 0, 925 sizeof(*arch_policy_entry)); 926 continue; 927 } 928 i++; 929 } 930 return i; 931 } 932 933 /** 934 * ima_init_policy - initialize the default measure rules. 935 * 936 * ima_rules points to either the ima_default_rules or the new ima_policy_rules. 937 */ 938 void __init ima_init_policy(void) 939 { 940 int build_appraise_entries, arch_entries; 941 942 /* if !ima_policy, we load NO default rules */ 943 if (ima_policy) 944 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 945 IMA_DEFAULT_POLICY); 946 947 switch (ima_policy) { 948 case ORIGINAL_TCB: 949 add_rules(original_measurement_rules, 950 ARRAY_SIZE(original_measurement_rules), 951 IMA_DEFAULT_POLICY); 952 break; 953 case DEFAULT_TCB: 954 add_rules(default_measurement_rules, 955 ARRAY_SIZE(default_measurement_rules), 956 IMA_DEFAULT_POLICY); 957 break; 958 default: 959 break; 960 } 961 962 /* 963 * Based on runtime secure boot flags, insert arch specific measurement 964 * and appraise rules requiring file signatures for both the initial 965 * and custom policies, prior to other appraise rules. 966 * (Highest priority) 967 */ 968 arch_entries = ima_init_arch_policy(); 969 if (!arch_entries) 970 pr_info("No architecture policies found\n"); 971 else 972 add_rules(arch_policy_entry, arch_entries, 973 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 974 975 /* 976 * Insert the builtin "secure_boot" policy rules requiring file 977 * signatures, prior to other appraise rules. 978 */ 979 if (ima_use_secure_boot) 980 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 981 IMA_DEFAULT_POLICY); 982 983 /* 984 * Insert the build time appraise rules requiring file signatures 985 * for both the initial and custom policies, prior to other appraise 986 * rules. As the secure boot rules includes all of the build time 987 * rules, include either one or the other set of rules, but not both. 988 */ 989 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 990 if (build_appraise_entries) { 991 if (ima_use_secure_boot) 992 add_rules(build_appraise_rules, build_appraise_entries, 993 IMA_CUSTOM_POLICY); 994 else 995 add_rules(build_appraise_rules, build_appraise_entries, 996 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 997 } 998 999 if (ima_use_appraise_tcb) 1000 add_rules(default_appraise_rules, 1001 ARRAY_SIZE(default_appraise_rules), 1002 IMA_DEFAULT_POLICY); 1003 1004 if (ima_use_critical_data) 1005 add_rules(critical_data_rules, 1006 ARRAY_SIZE(critical_data_rules), 1007 IMA_DEFAULT_POLICY); 1008 1009 atomic_set(&ima_setxattr_allowed_hash_algorithms, 0); 1010 1011 ima_update_policy_flags(); 1012 } 1013 1014 /* Make sure we have a valid policy, at least containing some rules. */ 1015 int ima_check_policy(void) 1016 { 1017 if (list_empty(&ima_temp_rules)) 1018 return -EINVAL; 1019 return 0; 1020 } 1021 1022 /** 1023 * ima_update_policy - update default_rules with new measure rules 1024 * 1025 * Called on file .release to update the default rules with a complete new 1026 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 1027 * they make a queue. The policy may be updated multiple times and this is the 1028 * RCU updater. 1029 * 1030 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 1031 * we switch from the default policy to user defined. 1032 */ 1033 void ima_update_policy(void) 1034 { 1035 struct list_head *policy = &ima_policy_rules; 1036 1037 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 1038 1039 if (ima_rules != (struct list_head __rcu *)policy) { 1040 ima_policy_flag = 0; 1041 1042 rcu_assign_pointer(ima_rules, policy); 1043 /* 1044 * IMA architecture specific policy rules are specified 1045 * as strings and converted to an array of ima_entry_rules 1046 * on boot. After loading a custom policy, free the 1047 * architecture specific rules stored as an array. 1048 */ 1049 kfree(arch_policy_entry); 1050 } 1051 ima_update_policy_flags(); 1052 1053 /* Custom IMA policy has been loaded */ 1054 ima_process_queued_keys(); 1055 } 1056 1057 /* Keep the enumeration in sync with the policy_tokens! */ 1058 enum policy_opt { 1059 Opt_measure, Opt_dont_measure, 1060 Opt_appraise, Opt_dont_appraise, 1061 Opt_audit, Opt_hash, Opt_dont_hash, 1062 Opt_obj_user, Opt_obj_role, Opt_obj_type, 1063 Opt_subj_user, Opt_subj_role, Opt_subj_type, 1064 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid, 1065 Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq, 1066 Opt_fowner_eq, Opt_fgroup_eq, 1067 Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt, 1068 Opt_fowner_gt, Opt_fgroup_gt, 1069 Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt, 1070 Opt_fowner_lt, Opt_fgroup_lt, 1071 Opt_digest_type, 1072 Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, 1073 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 1074 Opt_label, Opt_err 1075 }; 1076 1077 static const match_table_t policy_tokens = { 1078 {Opt_measure, "measure"}, 1079 {Opt_dont_measure, "dont_measure"}, 1080 {Opt_appraise, "appraise"}, 1081 {Opt_dont_appraise, "dont_appraise"}, 1082 {Opt_audit, "audit"}, 1083 {Opt_hash, "hash"}, 1084 {Opt_dont_hash, "dont_hash"}, 1085 {Opt_obj_user, "obj_user=%s"}, 1086 {Opt_obj_role, "obj_role=%s"}, 1087 {Opt_obj_type, "obj_type=%s"}, 1088 {Opt_subj_user, "subj_user=%s"}, 1089 {Opt_subj_role, "subj_role=%s"}, 1090 {Opt_subj_type, "subj_type=%s"}, 1091 {Opt_func, "func=%s"}, 1092 {Opt_mask, "mask=%s"}, 1093 {Opt_fsmagic, "fsmagic=%s"}, 1094 {Opt_fsname, "fsname=%s"}, 1095 {Opt_fsuuid, "fsuuid=%s"}, 1096 {Opt_uid_eq, "uid=%s"}, 1097 {Opt_euid_eq, "euid=%s"}, 1098 {Opt_gid_eq, "gid=%s"}, 1099 {Opt_egid_eq, "egid=%s"}, 1100 {Opt_fowner_eq, "fowner=%s"}, 1101 {Opt_fgroup_eq, "fgroup=%s"}, 1102 {Opt_uid_gt, "uid>%s"}, 1103 {Opt_euid_gt, "euid>%s"}, 1104 {Opt_gid_gt, "gid>%s"}, 1105 {Opt_egid_gt, "egid>%s"}, 1106 {Opt_fowner_gt, "fowner>%s"}, 1107 {Opt_fgroup_gt, "fgroup>%s"}, 1108 {Opt_uid_lt, "uid<%s"}, 1109 {Opt_euid_lt, "euid<%s"}, 1110 {Opt_gid_lt, "gid<%s"}, 1111 {Opt_egid_lt, "egid<%s"}, 1112 {Opt_fowner_lt, "fowner<%s"}, 1113 {Opt_fgroup_lt, "fgroup<%s"}, 1114 {Opt_digest_type, "digest_type=%s"}, 1115 {Opt_appraise_type, "appraise_type=%s"}, 1116 {Opt_appraise_flag, "appraise_flag=%s"}, 1117 {Opt_appraise_algos, "appraise_algos=%s"}, 1118 {Opt_permit_directio, "permit_directio"}, 1119 {Opt_pcr, "pcr=%s"}, 1120 {Opt_template, "template=%s"}, 1121 {Opt_keyrings, "keyrings=%s"}, 1122 {Opt_label, "label=%s"}, 1123 {Opt_err, NULL} 1124 }; 1125 1126 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 1127 substring_t *args, int lsm_rule, int audit_type) 1128 { 1129 int result; 1130 1131 if (entry->lsm[lsm_rule].rule) 1132 return -EINVAL; 1133 1134 entry->lsm[lsm_rule].args_p = match_strdup(args); 1135 if (!entry->lsm[lsm_rule].args_p) 1136 return -ENOMEM; 1137 1138 entry->lsm[lsm_rule].type = audit_type; 1139 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1140 entry->lsm[lsm_rule].args_p, 1141 &entry->lsm[lsm_rule].rule); 1142 if (!entry->lsm[lsm_rule].rule) { 1143 pr_warn("rule for LSM \'%s\' is undefined\n", 1144 entry->lsm[lsm_rule].args_p); 1145 1146 if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) { 1147 kfree(entry->lsm[lsm_rule].args_p); 1148 entry->lsm[lsm_rule].args_p = NULL; 1149 result = -EINVAL; 1150 } else 1151 result = 0; 1152 } 1153 1154 return result; 1155 } 1156 1157 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1158 enum policy_opt rule_operator) 1159 { 1160 if (!ab) 1161 return; 1162 1163 switch (rule_operator) { 1164 case Opt_uid_gt: 1165 case Opt_euid_gt: 1166 case Opt_gid_gt: 1167 case Opt_egid_gt: 1168 case Opt_fowner_gt: 1169 case Opt_fgroup_gt: 1170 audit_log_format(ab, "%s>", key); 1171 break; 1172 case Opt_uid_lt: 1173 case Opt_euid_lt: 1174 case Opt_gid_lt: 1175 case Opt_egid_lt: 1176 case Opt_fowner_lt: 1177 case Opt_fgroup_lt: 1178 audit_log_format(ab, "%s<", key); 1179 break; 1180 default: 1181 audit_log_format(ab, "%s=", key); 1182 } 1183 audit_log_format(ab, "%s ", value); 1184 } 1185 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1186 { 1187 ima_log_string_op(ab, key, value, Opt_err); 1188 } 1189 1190 /* 1191 * Validating the appended signature included in the measurement list requires 1192 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1193 * field). Therefore, notify the user if they have the 'modsig' field but not 1194 * the 'd-modsig' field in the template. 1195 */ 1196 static void check_template_modsig(const struct ima_template_desc *template) 1197 { 1198 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1199 bool has_modsig, has_dmodsig; 1200 static bool checked; 1201 int i; 1202 1203 /* We only need to notify the user once. */ 1204 if (checked) 1205 return; 1206 1207 has_modsig = has_dmodsig = false; 1208 for (i = 0; i < template->num_fields; i++) { 1209 if (!strcmp(template->fields[i]->field_id, "modsig")) 1210 has_modsig = true; 1211 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1212 has_dmodsig = true; 1213 } 1214 1215 if (has_modsig && !has_dmodsig) 1216 pr_notice(MSG); 1217 1218 checked = true; 1219 #undef MSG 1220 } 1221 1222 /* 1223 * Warn if the template does not contain the given field. 1224 */ 1225 static void check_template_field(const struct ima_template_desc *template, 1226 const char *field, const char *msg) 1227 { 1228 int i; 1229 1230 for (i = 0; i < template->num_fields; i++) 1231 if (!strcmp(template->fields[i]->field_id, field)) 1232 return; 1233 1234 pr_notice_once("%s", msg); 1235 } 1236 1237 static bool ima_validate_rule(struct ima_rule_entry *entry) 1238 { 1239 /* Ensure that the action is set and is compatible with the flags */ 1240 if (entry->action == UNKNOWN) 1241 return false; 1242 1243 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1244 return false; 1245 1246 if (entry->action != APPRAISE && 1247 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 1248 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1249 return false; 1250 1251 /* 1252 * The IMA_FUNC bit must be set if and only if there's a valid hook 1253 * function specified, and vice versa. Enforcing this property allows 1254 * for the NONE case below to validate a rule without an explicit hook 1255 * function. 1256 */ 1257 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1258 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1259 return false; 1260 1261 /* 1262 * Ensure that the hook function is compatible with the other 1263 * components of the rule 1264 */ 1265 switch (entry->func) { 1266 case NONE: 1267 case FILE_CHECK: 1268 case MMAP_CHECK: 1269 case BPRM_CHECK: 1270 case CREDS_CHECK: 1271 case POST_SETATTR: 1272 case FIRMWARE_CHECK: 1273 case POLICY_CHECK: 1274 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1275 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1276 IMA_INMASK | IMA_EUID | IMA_PCR | 1277 IMA_FSNAME | IMA_GID | IMA_EGID | 1278 IMA_FGROUP | IMA_DIGSIG_REQUIRED | 1279 IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | 1280 IMA_VERITY_REQUIRED)) 1281 return false; 1282 1283 break; 1284 case MODULE_CHECK: 1285 case KEXEC_KERNEL_CHECK: 1286 case KEXEC_INITRAMFS_CHECK: 1287 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1288 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1289 IMA_INMASK | IMA_EUID | IMA_PCR | 1290 IMA_FSNAME | IMA_GID | IMA_EGID | 1291 IMA_FGROUP | IMA_DIGSIG_REQUIRED | 1292 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1293 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1294 return false; 1295 1296 break; 1297 case KEXEC_CMDLINE: 1298 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1299 return false; 1300 1301 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1302 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1303 IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID | 1304 IMA_FGROUP)) 1305 return false; 1306 1307 break; 1308 case KEY_CHECK: 1309 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1310 return false; 1311 1312 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | 1313 IMA_KEYRINGS)) 1314 return false; 1315 1316 if (ima_rule_contains_lsm_cond(entry)) 1317 return false; 1318 1319 break; 1320 case CRITICAL_DATA: 1321 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1322 return false; 1323 1324 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | 1325 IMA_LABEL)) 1326 return false; 1327 1328 if (ima_rule_contains_lsm_cond(entry)) 1329 return false; 1330 1331 break; 1332 case SETXATTR_CHECK: 1333 /* any action other than APPRAISE is unsupported */ 1334 if (entry->action != APPRAISE) 1335 return false; 1336 1337 /* SETXATTR_CHECK requires an appraise_algos parameter */ 1338 if (!(entry->flags & IMA_VALIDATE_ALGOS)) 1339 return false; 1340 1341 /* 1342 * full policies are not supported, they would have too 1343 * much of a performance impact 1344 */ 1345 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) 1346 return false; 1347 1348 break; 1349 default: 1350 return false; 1351 } 1352 1353 /* Ensure that combinations of flags are compatible with each other */ 1354 if (entry->flags & IMA_CHECK_BLACKLIST && 1355 !(entry->flags & IMA_MODSIG_ALLOWED)) 1356 return false; 1357 1358 /* 1359 * Unlike for regular IMA 'appraise' policy rules where security.ima 1360 * xattr may contain either a file hash or signature, the security.ima 1361 * xattr for fsverity must contain a file signature (sigv3). Ensure 1362 * that 'appraise' rules for fsverity require file signatures by 1363 * checking the IMA_DIGSIG_REQUIRED flag is set. 1364 */ 1365 if (entry->action == APPRAISE && 1366 (entry->flags & IMA_VERITY_REQUIRED) && 1367 !(entry->flags & IMA_DIGSIG_REQUIRED)) 1368 return false; 1369 1370 return true; 1371 } 1372 1373 static unsigned int ima_parse_appraise_algos(char *arg) 1374 { 1375 unsigned int res = 0; 1376 int idx; 1377 char *token; 1378 1379 while ((token = strsep(&arg, ",")) != NULL) { 1380 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); 1381 1382 if (idx < 0) { 1383 pr_err("unknown hash algorithm \"%s\"", 1384 token); 1385 return 0; 1386 } 1387 1388 if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) { 1389 pr_err("unavailable hash algorithm \"%s\", check your kernel configuration", 1390 token); 1391 return 0; 1392 } 1393 1394 /* Add the hash algorithm to the 'allowed' bitfield */ 1395 res |= (1U << idx); 1396 } 1397 1398 return res; 1399 } 1400 1401 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1402 { 1403 struct audit_buffer *ab; 1404 char *from; 1405 char *p; 1406 bool eid_token; /* either euid or egid */ 1407 struct ima_template_desc *template_desc; 1408 int result = 0; 1409 1410 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1411 AUDIT_INTEGRITY_POLICY_RULE); 1412 1413 entry->uid = INVALID_UID; 1414 entry->gid = INVALID_GID; 1415 entry->fowner = INVALID_UID; 1416 entry->fgroup = INVALID_GID; 1417 entry->uid_op = &uid_eq; 1418 entry->gid_op = &gid_eq; 1419 entry->fowner_op = &vfsuid_eq_kuid; 1420 entry->fgroup_op = &vfsgid_eq_kgid; 1421 entry->action = UNKNOWN; 1422 while ((p = strsep(&rule, " \t")) != NULL) { 1423 substring_t args[MAX_OPT_ARGS]; 1424 int token; 1425 unsigned long lnum; 1426 1427 if (result < 0) 1428 break; 1429 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1430 continue; 1431 token = match_token(p, policy_tokens, args); 1432 switch (token) { 1433 case Opt_measure: 1434 ima_log_string(ab, "action", "measure"); 1435 1436 if (entry->action != UNKNOWN) 1437 result = -EINVAL; 1438 1439 entry->action = MEASURE; 1440 break; 1441 case Opt_dont_measure: 1442 ima_log_string(ab, "action", "dont_measure"); 1443 1444 if (entry->action != UNKNOWN) 1445 result = -EINVAL; 1446 1447 entry->action = DONT_MEASURE; 1448 break; 1449 case Opt_appraise: 1450 ima_log_string(ab, "action", "appraise"); 1451 1452 if (entry->action != UNKNOWN) 1453 result = -EINVAL; 1454 1455 entry->action = APPRAISE; 1456 break; 1457 case Opt_dont_appraise: 1458 ima_log_string(ab, "action", "dont_appraise"); 1459 1460 if (entry->action != UNKNOWN) 1461 result = -EINVAL; 1462 1463 entry->action = DONT_APPRAISE; 1464 break; 1465 case Opt_audit: 1466 ima_log_string(ab, "action", "audit"); 1467 1468 if (entry->action != UNKNOWN) 1469 result = -EINVAL; 1470 1471 entry->action = AUDIT; 1472 break; 1473 case Opt_hash: 1474 ima_log_string(ab, "action", "hash"); 1475 1476 if (entry->action != UNKNOWN) 1477 result = -EINVAL; 1478 1479 entry->action = HASH; 1480 break; 1481 case Opt_dont_hash: 1482 ima_log_string(ab, "action", "dont_hash"); 1483 1484 if (entry->action != UNKNOWN) 1485 result = -EINVAL; 1486 1487 entry->action = DONT_HASH; 1488 break; 1489 case Opt_func: 1490 ima_log_string(ab, "func", args[0].from); 1491 1492 if (entry->func) 1493 result = -EINVAL; 1494 1495 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1496 entry->func = FILE_CHECK; 1497 /* PATH_CHECK is for backwards compat */ 1498 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1499 entry->func = FILE_CHECK; 1500 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1501 entry->func = MODULE_CHECK; 1502 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1503 entry->func = FIRMWARE_CHECK; 1504 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1505 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1506 entry->func = MMAP_CHECK; 1507 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1508 entry->func = BPRM_CHECK; 1509 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1510 entry->func = CREDS_CHECK; 1511 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1512 0) 1513 entry->func = KEXEC_KERNEL_CHECK; 1514 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1515 == 0) 1516 entry->func = KEXEC_INITRAMFS_CHECK; 1517 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1518 entry->func = POLICY_CHECK; 1519 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1520 entry->func = KEXEC_CMDLINE; 1521 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1522 strcmp(args[0].from, "KEY_CHECK") == 0) 1523 entry->func = KEY_CHECK; 1524 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1525 entry->func = CRITICAL_DATA; 1526 else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0) 1527 entry->func = SETXATTR_CHECK; 1528 else 1529 result = -EINVAL; 1530 if (!result) 1531 entry->flags |= IMA_FUNC; 1532 break; 1533 case Opt_mask: 1534 ima_log_string(ab, "mask", args[0].from); 1535 1536 if (entry->mask) 1537 result = -EINVAL; 1538 1539 from = args[0].from; 1540 if (*from == '^') 1541 from++; 1542 1543 if ((strcmp(from, "MAY_EXEC")) == 0) 1544 entry->mask = MAY_EXEC; 1545 else if (strcmp(from, "MAY_WRITE") == 0) 1546 entry->mask = MAY_WRITE; 1547 else if (strcmp(from, "MAY_READ") == 0) 1548 entry->mask = MAY_READ; 1549 else if (strcmp(from, "MAY_APPEND") == 0) 1550 entry->mask = MAY_APPEND; 1551 else 1552 result = -EINVAL; 1553 if (!result) 1554 entry->flags |= (*args[0].from == '^') 1555 ? IMA_INMASK : IMA_MASK; 1556 break; 1557 case Opt_fsmagic: 1558 ima_log_string(ab, "fsmagic", args[0].from); 1559 1560 if (entry->fsmagic) { 1561 result = -EINVAL; 1562 break; 1563 } 1564 1565 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1566 if (!result) 1567 entry->flags |= IMA_FSMAGIC; 1568 break; 1569 case Opt_fsname: 1570 ima_log_string(ab, "fsname", args[0].from); 1571 1572 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1573 if (!entry->fsname) { 1574 result = -ENOMEM; 1575 break; 1576 } 1577 result = 0; 1578 entry->flags |= IMA_FSNAME; 1579 break; 1580 case Opt_keyrings: 1581 ima_log_string(ab, "keyrings", args[0].from); 1582 1583 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1584 entry->keyrings) { 1585 result = -EINVAL; 1586 break; 1587 } 1588 1589 entry->keyrings = ima_alloc_rule_opt_list(args); 1590 if (IS_ERR(entry->keyrings)) { 1591 result = PTR_ERR(entry->keyrings); 1592 entry->keyrings = NULL; 1593 break; 1594 } 1595 1596 entry->flags |= IMA_KEYRINGS; 1597 break; 1598 case Opt_label: 1599 ima_log_string(ab, "label", args[0].from); 1600 1601 if (entry->label) { 1602 result = -EINVAL; 1603 break; 1604 } 1605 1606 entry->label = ima_alloc_rule_opt_list(args); 1607 if (IS_ERR(entry->label)) { 1608 result = PTR_ERR(entry->label); 1609 entry->label = NULL; 1610 break; 1611 } 1612 1613 entry->flags |= IMA_LABEL; 1614 break; 1615 case Opt_fsuuid: 1616 ima_log_string(ab, "fsuuid", args[0].from); 1617 1618 if (!uuid_is_null(&entry->fsuuid)) { 1619 result = -EINVAL; 1620 break; 1621 } 1622 1623 result = uuid_parse(args[0].from, &entry->fsuuid); 1624 if (!result) 1625 entry->flags |= IMA_FSUUID; 1626 break; 1627 case Opt_uid_gt: 1628 case Opt_euid_gt: 1629 entry->uid_op = &uid_gt; 1630 fallthrough; 1631 case Opt_uid_lt: 1632 case Opt_euid_lt: 1633 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1634 entry->uid_op = &uid_lt; 1635 fallthrough; 1636 case Opt_uid_eq: 1637 case Opt_euid_eq: 1638 eid_token = (token == Opt_euid_eq) || 1639 (token == Opt_euid_gt) || 1640 (token == Opt_euid_lt); 1641 1642 ima_log_string_op(ab, eid_token ? "euid" : "uid", 1643 args[0].from, token); 1644 1645 if (uid_valid(entry->uid)) { 1646 result = -EINVAL; 1647 break; 1648 } 1649 1650 result = kstrtoul(args[0].from, 10, &lnum); 1651 if (!result) { 1652 entry->uid = make_kuid(current_user_ns(), 1653 (uid_t) lnum); 1654 if (!uid_valid(entry->uid) || 1655 (uid_t)lnum != lnum) 1656 result = -EINVAL; 1657 else 1658 entry->flags |= eid_token 1659 ? IMA_EUID : IMA_UID; 1660 } 1661 break; 1662 case Opt_gid_gt: 1663 case Opt_egid_gt: 1664 entry->gid_op = &gid_gt; 1665 fallthrough; 1666 case Opt_gid_lt: 1667 case Opt_egid_lt: 1668 if ((token == Opt_gid_lt) || (token == Opt_egid_lt)) 1669 entry->gid_op = &gid_lt; 1670 fallthrough; 1671 case Opt_gid_eq: 1672 case Opt_egid_eq: 1673 eid_token = (token == Opt_egid_eq) || 1674 (token == Opt_egid_gt) || 1675 (token == Opt_egid_lt); 1676 1677 ima_log_string_op(ab, eid_token ? "egid" : "gid", 1678 args[0].from, token); 1679 1680 if (gid_valid(entry->gid)) { 1681 result = -EINVAL; 1682 break; 1683 } 1684 1685 result = kstrtoul(args[0].from, 10, &lnum); 1686 if (!result) { 1687 entry->gid = make_kgid(current_user_ns(), 1688 (gid_t)lnum); 1689 if (!gid_valid(entry->gid) || 1690 (((gid_t)lnum) != lnum)) 1691 result = -EINVAL; 1692 else 1693 entry->flags |= eid_token 1694 ? IMA_EGID : IMA_GID; 1695 } 1696 break; 1697 case Opt_fowner_gt: 1698 entry->fowner_op = &vfsuid_gt_kuid; 1699 fallthrough; 1700 case Opt_fowner_lt: 1701 if (token == Opt_fowner_lt) 1702 entry->fowner_op = &vfsuid_lt_kuid; 1703 fallthrough; 1704 case Opt_fowner_eq: 1705 ima_log_string_op(ab, "fowner", args[0].from, token); 1706 1707 if (uid_valid(entry->fowner)) { 1708 result = -EINVAL; 1709 break; 1710 } 1711 1712 result = kstrtoul(args[0].from, 10, &lnum); 1713 if (!result) { 1714 entry->fowner = make_kuid(current_user_ns(), 1715 (uid_t)lnum); 1716 if (!uid_valid(entry->fowner) || 1717 (((uid_t)lnum) != lnum)) 1718 result = -EINVAL; 1719 else 1720 entry->flags |= IMA_FOWNER; 1721 } 1722 break; 1723 case Opt_fgroup_gt: 1724 entry->fgroup_op = &vfsgid_gt_kgid; 1725 fallthrough; 1726 case Opt_fgroup_lt: 1727 if (token == Opt_fgroup_lt) 1728 entry->fgroup_op = &vfsgid_lt_kgid; 1729 fallthrough; 1730 case Opt_fgroup_eq: 1731 ima_log_string_op(ab, "fgroup", args[0].from, token); 1732 1733 if (gid_valid(entry->fgroup)) { 1734 result = -EINVAL; 1735 break; 1736 } 1737 1738 result = kstrtoul(args[0].from, 10, &lnum); 1739 if (!result) { 1740 entry->fgroup = make_kgid(current_user_ns(), 1741 (gid_t)lnum); 1742 if (!gid_valid(entry->fgroup) || 1743 (((gid_t)lnum) != lnum)) 1744 result = -EINVAL; 1745 else 1746 entry->flags |= IMA_FGROUP; 1747 } 1748 break; 1749 case Opt_obj_user: 1750 ima_log_string(ab, "obj_user", args[0].from); 1751 result = ima_lsm_rule_init(entry, args, 1752 LSM_OBJ_USER, 1753 AUDIT_OBJ_USER); 1754 break; 1755 case Opt_obj_role: 1756 ima_log_string(ab, "obj_role", args[0].from); 1757 result = ima_lsm_rule_init(entry, args, 1758 LSM_OBJ_ROLE, 1759 AUDIT_OBJ_ROLE); 1760 break; 1761 case Opt_obj_type: 1762 ima_log_string(ab, "obj_type", args[0].from); 1763 result = ima_lsm_rule_init(entry, args, 1764 LSM_OBJ_TYPE, 1765 AUDIT_OBJ_TYPE); 1766 break; 1767 case Opt_subj_user: 1768 ima_log_string(ab, "subj_user", args[0].from); 1769 result = ima_lsm_rule_init(entry, args, 1770 LSM_SUBJ_USER, 1771 AUDIT_SUBJ_USER); 1772 break; 1773 case Opt_subj_role: 1774 ima_log_string(ab, "subj_role", args[0].from); 1775 result = ima_lsm_rule_init(entry, args, 1776 LSM_SUBJ_ROLE, 1777 AUDIT_SUBJ_ROLE); 1778 break; 1779 case Opt_subj_type: 1780 ima_log_string(ab, "subj_type", args[0].from); 1781 result = ima_lsm_rule_init(entry, args, 1782 LSM_SUBJ_TYPE, 1783 AUDIT_SUBJ_TYPE); 1784 break; 1785 case Opt_digest_type: 1786 ima_log_string(ab, "digest_type", args[0].from); 1787 if (entry->flags & IMA_DIGSIG_REQUIRED) 1788 result = -EINVAL; 1789 else if ((strcmp(args[0].from, "verity")) == 0) 1790 entry->flags |= IMA_VERITY_REQUIRED; 1791 else 1792 result = -EINVAL; 1793 break; 1794 case Opt_appraise_type: 1795 ima_log_string(ab, "appraise_type", args[0].from); 1796 1797 if ((strcmp(args[0].from, "imasig")) == 0) { 1798 if (entry->flags & IMA_VERITY_REQUIRED) 1799 result = -EINVAL; 1800 else 1801 entry->flags |= IMA_DIGSIG_REQUIRED; 1802 } else if (strcmp(args[0].from, "sigv3") == 0) { 1803 /* Only fsverity supports sigv3 for now */ 1804 if (entry->flags & IMA_VERITY_REQUIRED) 1805 entry->flags |= IMA_DIGSIG_REQUIRED; 1806 else 1807 result = -EINVAL; 1808 } else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1809 strcmp(args[0].from, "imasig|modsig") == 0) { 1810 if (entry->flags & IMA_VERITY_REQUIRED) 1811 result = -EINVAL; 1812 else 1813 entry->flags |= IMA_DIGSIG_REQUIRED | 1814 IMA_MODSIG_ALLOWED; 1815 } else { 1816 result = -EINVAL; 1817 } 1818 break; 1819 case Opt_appraise_flag: 1820 ima_log_string(ab, "appraise_flag", args[0].from); 1821 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1822 strstr(args[0].from, "blacklist")) 1823 entry->flags |= IMA_CHECK_BLACKLIST; 1824 else 1825 result = -EINVAL; 1826 break; 1827 case Opt_appraise_algos: 1828 ima_log_string(ab, "appraise_algos", args[0].from); 1829 1830 if (entry->allowed_algos) { 1831 result = -EINVAL; 1832 break; 1833 } 1834 1835 entry->allowed_algos = 1836 ima_parse_appraise_algos(args[0].from); 1837 /* invalid or empty list of algorithms */ 1838 if (!entry->allowed_algos) { 1839 result = -EINVAL; 1840 break; 1841 } 1842 1843 entry->flags |= IMA_VALIDATE_ALGOS; 1844 1845 break; 1846 case Opt_permit_directio: 1847 entry->flags |= IMA_PERMIT_DIRECTIO; 1848 break; 1849 case Opt_pcr: 1850 ima_log_string(ab, "pcr", args[0].from); 1851 1852 result = kstrtoint(args[0].from, 10, &entry->pcr); 1853 if (result || INVALID_PCR(entry->pcr)) 1854 result = -EINVAL; 1855 else 1856 entry->flags |= IMA_PCR; 1857 1858 break; 1859 case Opt_template: 1860 ima_log_string(ab, "template", args[0].from); 1861 if (entry->action != MEASURE) { 1862 result = -EINVAL; 1863 break; 1864 } 1865 template_desc = lookup_template_desc(args[0].from); 1866 if (!template_desc || entry->template) { 1867 result = -EINVAL; 1868 break; 1869 } 1870 1871 /* 1872 * template_desc_init_fields() does nothing if 1873 * the template is already initialised, so 1874 * it's safe to do this unconditionally 1875 */ 1876 template_desc_init_fields(template_desc->fmt, 1877 &(template_desc->fields), 1878 &(template_desc->num_fields)); 1879 entry->template = template_desc; 1880 break; 1881 case Opt_err: 1882 ima_log_string(ab, "UNKNOWN", p); 1883 result = -EINVAL; 1884 break; 1885 } 1886 } 1887 if (!result && !ima_validate_rule(entry)) 1888 result = -EINVAL; 1889 else if (entry->action == APPRAISE) 1890 temp_ima_appraise |= ima_appraise_flag(entry->func); 1891 1892 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1893 template_desc = entry->template ? entry->template : 1894 ima_template_desc_current(); 1895 check_template_modsig(template_desc); 1896 } 1897 1898 /* d-ngv2 template field recommended for unsigned fs-verity digests */ 1899 if (!result && entry->action == MEASURE && 1900 entry->flags & IMA_VERITY_REQUIRED) { 1901 template_desc = entry->template ? entry->template : 1902 ima_template_desc_current(); 1903 check_template_field(template_desc, "d-ngv2", 1904 "verity rules should include d-ngv2"); 1905 } 1906 1907 audit_log_format(ab, "res=%d", !result); 1908 audit_log_end(ab); 1909 return result; 1910 } 1911 1912 /** 1913 * ima_parse_add_rule - add a rule to ima_policy_rules 1914 * @rule - ima measurement policy rule 1915 * 1916 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1917 * Returns the length of the rule parsed, an error code on failure 1918 */ 1919 ssize_t ima_parse_add_rule(char *rule) 1920 { 1921 static const char op[] = "update_policy"; 1922 char *p; 1923 struct ima_rule_entry *entry; 1924 ssize_t result, len; 1925 int audit_info = 0; 1926 1927 p = strsep(&rule, "\n"); 1928 len = strlen(p) + 1; 1929 p += strspn(p, " \t"); 1930 1931 if (*p == '#' || *p == '\0') 1932 return len; 1933 1934 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1935 if (!entry) { 1936 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1937 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1938 return -ENOMEM; 1939 } 1940 1941 INIT_LIST_HEAD(&entry->list); 1942 1943 result = ima_parse_rule(p, entry); 1944 if (result) { 1945 ima_free_rule(entry); 1946 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1947 NULL, op, "invalid-policy", result, 1948 audit_info); 1949 return result; 1950 } 1951 1952 list_add_tail(&entry->list, &ima_temp_rules); 1953 1954 return len; 1955 } 1956 1957 /** 1958 * ima_delete_rules() called to cleanup invalid in-flight policy. 1959 * We don't need locking as we operate on the temp list, which is 1960 * different from the active one. There is also only one user of 1961 * ima_delete_rules() at a time. 1962 */ 1963 void ima_delete_rules(void) 1964 { 1965 struct ima_rule_entry *entry, *tmp; 1966 1967 temp_ima_appraise = 0; 1968 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1969 list_del(&entry->list); 1970 ima_free_rule(entry); 1971 } 1972 } 1973 1974 #define __ima_hook_stringify(func, str) (#func), 1975 1976 const char *const func_tokens[] = { 1977 __ima_hooks(__ima_hook_stringify) 1978 }; 1979 1980 #ifdef CONFIG_IMA_READ_POLICY 1981 enum { 1982 mask_exec = 0, mask_write, mask_read, mask_append 1983 }; 1984 1985 static const char *const mask_tokens[] = { 1986 "^MAY_EXEC", 1987 "^MAY_WRITE", 1988 "^MAY_READ", 1989 "^MAY_APPEND" 1990 }; 1991 1992 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1993 { 1994 loff_t l = *pos; 1995 struct ima_rule_entry *entry; 1996 struct list_head *ima_rules_tmp; 1997 1998 rcu_read_lock(); 1999 ima_rules_tmp = rcu_dereference(ima_rules); 2000 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 2001 if (!l--) { 2002 rcu_read_unlock(); 2003 return entry; 2004 } 2005 } 2006 rcu_read_unlock(); 2007 return NULL; 2008 } 2009 2010 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 2011 { 2012 struct ima_rule_entry *entry = v; 2013 2014 rcu_read_lock(); 2015 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 2016 rcu_read_unlock(); 2017 (*pos)++; 2018 2019 return (&entry->list == &ima_default_rules || 2020 &entry->list == &ima_policy_rules) ? NULL : entry; 2021 } 2022 2023 void ima_policy_stop(struct seq_file *m, void *v) 2024 { 2025 } 2026 2027 #define pt(token) policy_tokens[token].pattern 2028 #define mt(token) mask_tokens[token] 2029 2030 /* 2031 * policy_func_show - display the ima_hooks policy rule 2032 */ 2033 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 2034 { 2035 if (func > 0 && func < MAX_CHECK) 2036 seq_printf(m, "func=%s ", func_tokens[func]); 2037 else 2038 seq_printf(m, "func=%d ", func); 2039 } 2040 2041 static void ima_show_rule_opt_list(struct seq_file *m, 2042 const struct ima_rule_opt_list *opt_list) 2043 { 2044 size_t i; 2045 2046 for (i = 0; i < opt_list->count; i++) 2047 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 2048 } 2049 2050 static void ima_policy_show_appraise_algos(struct seq_file *m, 2051 unsigned int allowed_hashes) 2052 { 2053 int idx, list_size = 0; 2054 2055 for (idx = 0; idx < HASH_ALGO__LAST; idx++) { 2056 if (!(allowed_hashes & (1U << idx))) 2057 continue; 2058 2059 /* only add commas if the list contains multiple entries */ 2060 if (list_size++) 2061 seq_puts(m, ","); 2062 2063 seq_puts(m, hash_algo_name[idx]); 2064 } 2065 } 2066 2067 int ima_policy_show(struct seq_file *m, void *v) 2068 { 2069 struct ima_rule_entry *entry = v; 2070 int i; 2071 char tbuf[64] = {0,}; 2072 int offset = 0; 2073 2074 rcu_read_lock(); 2075 2076 /* Do not print rules with inactive LSM labels */ 2077 for (i = 0; i < MAX_LSM_RULES; i++) { 2078 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { 2079 rcu_read_unlock(); 2080 return 0; 2081 } 2082 } 2083 2084 if (entry->action & MEASURE) 2085 seq_puts(m, pt(Opt_measure)); 2086 if (entry->action & DONT_MEASURE) 2087 seq_puts(m, pt(Opt_dont_measure)); 2088 if (entry->action & APPRAISE) 2089 seq_puts(m, pt(Opt_appraise)); 2090 if (entry->action & DONT_APPRAISE) 2091 seq_puts(m, pt(Opt_dont_appraise)); 2092 if (entry->action & AUDIT) 2093 seq_puts(m, pt(Opt_audit)); 2094 if (entry->action & HASH) 2095 seq_puts(m, pt(Opt_hash)); 2096 if (entry->action & DONT_HASH) 2097 seq_puts(m, pt(Opt_dont_hash)); 2098 2099 seq_puts(m, " "); 2100 2101 if (entry->flags & IMA_FUNC) 2102 policy_func_show(m, entry->func); 2103 2104 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 2105 if (entry->flags & IMA_MASK) 2106 offset = 1; 2107 if (entry->mask & MAY_EXEC) 2108 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 2109 if (entry->mask & MAY_WRITE) 2110 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 2111 if (entry->mask & MAY_READ) 2112 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 2113 if (entry->mask & MAY_APPEND) 2114 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 2115 seq_puts(m, " "); 2116 } 2117 2118 if (entry->flags & IMA_FSMAGIC) { 2119 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 2120 seq_printf(m, pt(Opt_fsmagic), tbuf); 2121 seq_puts(m, " "); 2122 } 2123 2124 if (entry->flags & IMA_FSNAME) { 2125 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 2126 seq_printf(m, pt(Opt_fsname), tbuf); 2127 seq_puts(m, " "); 2128 } 2129 2130 if (entry->flags & IMA_KEYRINGS) { 2131 seq_puts(m, "keyrings="); 2132 ima_show_rule_opt_list(m, entry->keyrings); 2133 seq_puts(m, " "); 2134 } 2135 2136 if (entry->flags & IMA_LABEL) { 2137 seq_puts(m, "label="); 2138 ima_show_rule_opt_list(m, entry->label); 2139 seq_puts(m, " "); 2140 } 2141 2142 if (entry->flags & IMA_PCR) { 2143 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 2144 seq_printf(m, pt(Opt_pcr), tbuf); 2145 seq_puts(m, " "); 2146 } 2147 2148 if (entry->flags & IMA_FSUUID) { 2149 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 2150 seq_puts(m, " "); 2151 } 2152 2153 if (entry->flags & IMA_UID) { 2154 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 2155 if (entry->uid_op == &uid_gt) 2156 seq_printf(m, pt(Opt_uid_gt), tbuf); 2157 else if (entry->uid_op == &uid_lt) 2158 seq_printf(m, pt(Opt_uid_lt), tbuf); 2159 else 2160 seq_printf(m, pt(Opt_uid_eq), tbuf); 2161 seq_puts(m, " "); 2162 } 2163 2164 if (entry->flags & IMA_EUID) { 2165 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 2166 if (entry->uid_op == &uid_gt) 2167 seq_printf(m, pt(Opt_euid_gt), tbuf); 2168 else if (entry->uid_op == &uid_lt) 2169 seq_printf(m, pt(Opt_euid_lt), tbuf); 2170 else 2171 seq_printf(m, pt(Opt_euid_eq), tbuf); 2172 seq_puts(m, " "); 2173 } 2174 2175 if (entry->flags & IMA_GID) { 2176 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); 2177 if (entry->gid_op == &gid_gt) 2178 seq_printf(m, pt(Opt_gid_gt), tbuf); 2179 else if (entry->gid_op == &gid_lt) 2180 seq_printf(m, pt(Opt_gid_lt), tbuf); 2181 else 2182 seq_printf(m, pt(Opt_gid_eq), tbuf); 2183 seq_puts(m, " "); 2184 } 2185 2186 if (entry->flags & IMA_EGID) { 2187 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); 2188 if (entry->gid_op == &gid_gt) 2189 seq_printf(m, pt(Opt_egid_gt), tbuf); 2190 else if (entry->gid_op == &gid_lt) 2191 seq_printf(m, pt(Opt_egid_lt), tbuf); 2192 else 2193 seq_printf(m, pt(Opt_egid_eq), tbuf); 2194 seq_puts(m, " "); 2195 } 2196 2197 if (entry->flags & IMA_FOWNER) { 2198 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 2199 if (entry->fowner_op == &vfsuid_gt_kuid) 2200 seq_printf(m, pt(Opt_fowner_gt), tbuf); 2201 else if (entry->fowner_op == &vfsuid_lt_kuid) 2202 seq_printf(m, pt(Opt_fowner_lt), tbuf); 2203 else 2204 seq_printf(m, pt(Opt_fowner_eq), tbuf); 2205 seq_puts(m, " "); 2206 } 2207 2208 if (entry->flags & IMA_FGROUP) { 2209 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); 2210 if (entry->fgroup_op == &vfsgid_gt_kgid) 2211 seq_printf(m, pt(Opt_fgroup_gt), tbuf); 2212 else if (entry->fgroup_op == &vfsgid_lt_kgid) 2213 seq_printf(m, pt(Opt_fgroup_lt), tbuf); 2214 else 2215 seq_printf(m, pt(Opt_fgroup_eq), tbuf); 2216 seq_puts(m, " "); 2217 } 2218 2219 if (entry->flags & IMA_VALIDATE_ALGOS) { 2220 seq_puts(m, "appraise_algos="); 2221 ima_policy_show_appraise_algos(m, entry->allowed_algos); 2222 seq_puts(m, " "); 2223 } 2224 2225 for (i = 0; i < MAX_LSM_RULES; i++) { 2226 if (entry->lsm[i].rule) { 2227 switch (i) { 2228 case LSM_OBJ_USER: 2229 seq_printf(m, pt(Opt_obj_user), 2230 entry->lsm[i].args_p); 2231 break; 2232 case LSM_OBJ_ROLE: 2233 seq_printf(m, pt(Opt_obj_role), 2234 entry->lsm[i].args_p); 2235 break; 2236 case LSM_OBJ_TYPE: 2237 seq_printf(m, pt(Opt_obj_type), 2238 entry->lsm[i].args_p); 2239 break; 2240 case LSM_SUBJ_USER: 2241 seq_printf(m, pt(Opt_subj_user), 2242 entry->lsm[i].args_p); 2243 break; 2244 case LSM_SUBJ_ROLE: 2245 seq_printf(m, pt(Opt_subj_role), 2246 entry->lsm[i].args_p); 2247 break; 2248 case LSM_SUBJ_TYPE: 2249 seq_printf(m, pt(Opt_subj_type), 2250 entry->lsm[i].args_p); 2251 break; 2252 } 2253 seq_puts(m, " "); 2254 } 2255 } 2256 if (entry->template) 2257 seq_printf(m, "template=%s ", entry->template->name); 2258 if (entry->flags & IMA_DIGSIG_REQUIRED) { 2259 if (entry->flags & IMA_VERITY_REQUIRED) 2260 seq_puts(m, "appraise_type=sigv3 "); 2261 else if (entry->flags & IMA_MODSIG_ALLOWED) 2262 seq_puts(m, "appraise_type=imasig|modsig "); 2263 else 2264 seq_puts(m, "appraise_type=imasig "); 2265 } 2266 if (entry->flags & IMA_VERITY_REQUIRED) 2267 seq_puts(m, "digest_type=verity "); 2268 if (entry->flags & IMA_CHECK_BLACKLIST) 2269 seq_puts(m, "appraise_flag=check_blacklist "); 2270 if (entry->flags & IMA_PERMIT_DIRECTIO) 2271 seq_puts(m, "permit_directio "); 2272 rcu_read_unlock(); 2273 seq_puts(m, "\n"); 2274 return 0; 2275 } 2276 #endif /* CONFIG_IMA_READ_POLICY */ 2277 2278 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 2279 /* 2280 * ima_appraise_signature: whether IMA will appraise a given function using 2281 * an IMA digital signature. This is restricted to cases where the kernel 2282 * has a set of built-in trusted keys in order to avoid an attacker simply 2283 * loading additional keys. 2284 */ 2285 bool ima_appraise_signature(enum kernel_read_file_id id) 2286 { 2287 struct ima_rule_entry *entry; 2288 bool found = false; 2289 enum ima_hooks func; 2290 struct list_head *ima_rules_tmp; 2291 2292 if (id >= READING_MAX_ID) 2293 return false; 2294 2295 if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) 2296 && security_locked_down(LOCKDOWN_KEXEC)) 2297 return false; 2298 2299 func = read_idmap[id] ?: FILE_CHECK; 2300 2301 rcu_read_lock(); 2302 ima_rules_tmp = rcu_dereference(ima_rules); 2303 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 2304 if (entry->action != APPRAISE) 2305 continue; 2306 2307 /* 2308 * A generic entry will match, but otherwise require that it 2309 * match the func we're looking for 2310 */ 2311 if (entry->func && entry->func != func) 2312 continue; 2313 2314 /* 2315 * We require this to be a digital signature, not a raw IMA 2316 * hash. 2317 */ 2318 if (entry->flags & IMA_DIGSIG_REQUIRED) 2319 found = true; 2320 2321 /* 2322 * We've found a rule that matches, so break now even if it 2323 * didn't require a digital signature - a later rule that does 2324 * won't override it, so would be a false positive. 2325 */ 2326 break; 2327 } 2328 2329 rcu_read_unlock(); 2330 return found; 2331 } 2332 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 2333