1 /*
2  * Copyright (C) 2008 IBM Corporation
3  * Author: Mimi Zohar <zohar@us.ibm.com>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation, version 2 of the License.
8  *
9  * ima_policy.c
10  *	- initialize default measure policy rules
11  *
12  */
13 #include <linux/module.h>
14 #include <linux/list.h>
15 #include <linux/security.h>
16 #include <linux/magic.h>
17 #include <linux/parser.h>
18 #include <linux/slab.h>
19 #include <linux/genhd.h>
20 
21 #include "ima.h"
22 
23 /* flags definitions */
24 #define IMA_FUNC	0x0001
25 #define IMA_MASK	0x0002
26 #define IMA_FSMAGIC	0x0004
27 #define IMA_UID		0x0008
28 #define IMA_FOWNER	0x0010
29 #define IMA_FSUUID	0x0020
30 
31 #define UNKNOWN		0
32 #define MEASURE		0x0001	/* same as IMA_MEASURE */
33 #define DONT_MEASURE	0x0002
34 #define APPRAISE	0x0004	/* same as IMA_APPRAISE */
35 #define DONT_APPRAISE	0x0008
36 #define AUDIT		0x0040
37 
38 int ima_policy_flag;
39 
40 #define MAX_LSM_RULES 6
41 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
42 	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
43 };
44 
45 struct ima_rule_entry {
46 	struct list_head list;
47 	int action;
48 	unsigned int flags;
49 	enum ima_hooks func;
50 	int mask;
51 	unsigned long fsmagic;
52 	u8 fsuuid[16];
53 	kuid_t uid;
54 	kuid_t fowner;
55 	struct {
56 		void *rule;	/* LSM file metadata specific */
57 		void *args_p;	/* audit value */
58 		int type;	/* audit type */
59 	} lsm[MAX_LSM_RULES];
60 };
61 
62 /*
63  * Without LSM specific knowledge, the default policy can only be
64  * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
65  */
66 
67 /*
68  * The minimum rule set to allow for full TCB coverage.  Measures all files
69  * opened or mmap for exec and everything read by root.  Dangerous because
70  * normal users can easily run the machine out of memory simply building
71  * and running executables.
72  */
73 static struct ima_rule_entry default_rules[] = {
74 	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
75 	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
76 	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
77 	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
78 	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
79 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
80 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
81 	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
82 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
83 	 .flags = IMA_FUNC | IMA_MASK},
84 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
85 	 .flags = IMA_FUNC | IMA_MASK},
86 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID,
87 	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
88 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
89 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
90 };
91 
92 static struct ima_rule_entry default_appraise_rules[] = {
93 	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
94 	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
95 	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
96 	{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
97 	{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
98 	{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
99 	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
100 	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
101 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
102 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
103 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
104 };
105 
106 static LIST_HEAD(ima_default_rules);
107 static LIST_HEAD(ima_policy_rules);
108 static struct list_head *ima_rules;
109 
110 static DEFINE_MUTEX(ima_rules_mutex);
111 
112 static bool ima_use_tcb __initdata;
113 static int __init default_measure_policy_setup(char *str)
114 {
115 	ima_use_tcb = 1;
116 	return 1;
117 }
118 __setup("ima_tcb", default_measure_policy_setup);
119 
120 static bool ima_use_appraise_tcb __initdata;
121 static int __init default_appraise_policy_setup(char *str)
122 {
123 	ima_use_appraise_tcb = 1;
124 	return 1;
125 }
126 __setup("ima_appraise_tcb", default_appraise_policy_setup);
127 
128 /*
129  * Although the IMA policy does not change, the LSM policy can be
130  * reloaded, leaving the IMA LSM based rules referring to the old,
131  * stale LSM policy.
132  *
133  * Update the IMA LSM based rules to reflect the reloaded LSM policy.
134  * We assume the rules still exist; and BUG_ON() if they don't.
135  */
136 static void ima_lsm_update_rules(void)
137 {
138 	struct ima_rule_entry *entry, *tmp;
139 	int result;
140 	int i;
141 
142 	mutex_lock(&ima_rules_mutex);
143 	list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
144 		for (i = 0; i < MAX_LSM_RULES; i++) {
145 			if (!entry->lsm[i].rule)
146 				continue;
147 			result = security_filter_rule_init(entry->lsm[i].type,
148 							   Audit_equal,
149 							   entry->lsm[i].args_p,
150 							   &entry->lsm[i].rule);
151 			BUG_ON(!entry->lsm[i].rule);
152 		}
153 	}
154 	mutex_unlock(&ima_rules_mutex);
155 }
156 
157 /**
158  * ima_match_rules - determine whether an inode matches the measure rule.
159  * @rule: a pointer to a rule
160  * @inode: a pointer to an inode
161  * @func: LIM hook identifier
162  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
163  *
164  * Returns true on rule match, false on failure.
165  */
166 static bool ima_match_rules(struct ima_rule_entry *rule,
167 			    struct inode *inode, enum ima_hooks func, int mask)
168 {
169 	struct task_struct *tsk = current;
170 	const struct cred *cred = current_cred();
171 	int i;
172 
173 	if ((rule->flags & IMA_FUNC) &&
174 	    (rule->func != func && func != POST_SETATTR))
175 		return false;
176 	if ((rule->flags & IMA_MASK) &&
177 	    (rule->mask != mask && func != POST_SETATTR))
178 		return false;
179 	if ((rule->flags & IMA_FSMAGIC)
180 	    && rule->fsmagic != inode->i_sb->s_magic)
181 		return false;
182 	if ((rule->flags & IMA_FSUUID) &&
183 	    memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid)))
184 		return false;
185 	if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
186 		return false;
187 	if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
188 		return false;
189 	for (i = 0; i < MAX_LSM_RULES; i++) {
190 		int rc = 0;
191 		u32 osid, sid;
192 		int retried = 0;
193 
194 		if (!rule->lsm[i].rule)
195 			continue;
196 retry:
197 		switch (i) {
198 		case LSM_OBJ_USER:
199 		case LSM_OBJ_ROLE:
200 		case LSM_OBJ_TYPE:
201 			security_inode_getsecid(inode, &osid);
202 			rc = security_filter_rule_match(osid,
203 							rule->lsm[i].type,
204 							Audit_equal,
205 							rule->lsm[i].rule,
206 							NULL);
207 			break;
208 		case LSM_SUBJ_USER:
209 		case LSM_SUBJ_ROLE:
210 		case LSM_SUBJ_TYPE:
211 			security_task_getsecid(tsk, &sid);
212 			rc = security_filter_rule_match(sid,
213 							rule->lsm[i].type,
214 							Audit_equal,
215 							rule->lsm[i].rule,
216 							NULL);
217 		default:
218 			break;
219 		}
220 		if ((rc < 0) && (!retried)) {
221 			retried = 1;
222 			ima_lsm_update_rules();
223 			goto retry;
224 		}
225 		if (!rc)
226 			return false;
227 	}
228 	return true;
229 }
230 
231 /*
232  * In addition to knowing that we need to appraise the file in general,
233  * we need to differentiate between calling hooks, for hook specific rules.
234  */
235 static int get_subaction(struct ima_rule_entry *rule, int func)
236 {
237 	if (!(rule->flags & IMA_FUNC))
238 		return IMA_FILE_APPRAISE;
239 
240 	switch (func) {
241 	case MMAP_CHECK:
242 		return IMA_MMAP_APPRAISE;
243 	case BPRM_CHECK:
244 		return IMA_BPRM_APPRAISE;
245 	case MODULE_CHECK:
246 		return IMA_MODULE_APPRAISE;
247 	case FIRMWARE_CHECK:
248 		return IMA_FIRMWARE_APPRAISE;
249 	case FILE_CHECK:
250 	default:
251 		return IMA_FILE_APPRAISE;
252 	}
253 }
254 
255 /**
256  * ima_match_policy - decision based on LSM and other conditions
257  * @inode: pointer to an inode for which the policy decision is being made
258  * @func: IMA hook identifier
259  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
260  *
261  * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
262  * conditions.
263  *
264  * (There is no need for locking when walking the policy list,
265  * as elements in the list are never deleted, nor does the list
266  * change.)
267  */
268 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
269 		     int flags)
270 {
271 	struct ima_rule_entry *entry;
272 	int action = 0, actmask = flags | (flags << 1);
273 
274 	list_for_each_entry(entry, ima_rules, list) {
275 
276 		if (!(entry->action & actmask))
277 			continue;
278 
279 		if (!ima_match_rules(entry, inode, func, mask))
280 			continue;
281 
282 		action |= entry->flags & IMA_ACTION_FLAGS;
283 
284 		action |= entry->action & IMA_DO_MASK;
285 		if (entry->action & IMA_APPRAISE)
286 			action |= get_subaction(entry, func);
287 
288 		if (entry->action & IMA_DO_MASK)
289 			actmask &= ~(entry->action | entry->action << 1);
290 		else
291 			actmask &= ~(entry->action | entry->action >> 1);
292 
293 		if (!actmask)
294 			break;
295 	}
296 
297 	return action;
298 }
299 
300 /*
301  * Initialize the ima_policy_flag variable based on the currently
302  * loaded policy.  Based on this flag, the decision to short circuit
303  * out of a function or not call the function in the first place
304  * can be made earlier.
305  */
306 void ima_update_policy_flag(void)
307 {
308 	struct ima_rule_entry *entry;
309 
310 	ima_policy_flag = 0;
311 	list_for_each_entry(entry, ima_rules, list) {
312 		if (entry->action & IMA_DO_MASK)
313 			ima_policy_flag |= entry->action;
314 	}
315 
316 	if (!ima_appraise)
317 		ima_policy_flag &= ~IMA_APPRAISE;
318 }
319 
320 /**
321  * ima_init_policy - initialize the default measure rules.
322  *
323  * ima_rules points to either the ima_default_rules or the
324  * the new ima_policy_rules.
325  */
326 void __init ima_init_policy(void)
327 {
328 	int i, measure_entries, appraise_entries;
329 
330 	/* if !ima_use_tcb set entries = 0 so we load NO default rules */
331 	measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0;
332 	appraise_entries = ima_use_appraise_tcb ?
333 			 ARRAY_SIZE(default_appraise_rules) : 0;
334 
335 	for (i = 0; i < measure_entries + appraise_entries; i++) {
336 		if (i < measure_entries)
337 			list_add_tail(&default_rules[i].list,
338 				      &ima_default_rules);
339 		else {
340 			int j = i - measure_entries;
341 
342 			list_add_tail(&default_appraise_rules[j].list,
343 				      &ima_default_rules);
344 		}
345 	}
346 
347 	ima_rules = &ima_default_rules;
348 }
349 
350 /**
351  * ima_update_policy - update default_rules with new measure rules
352  *
353  * Called on file .release to update the default rules with a complete new
354  * policy.  Once updated, the policy is locked, no additional rules can be
355  * added to the policy.
356  */
357 void ima_update_policy(void)
358 {
359 	static const char op[] = "policy_update";
360 	const char *cause = "already-exists";
361 	int result = 1;
362 	int audit_info = 0;
363 
364 	if (ima_rules == &ima_default_rules) {
365 		ima_rules = &ima_policy_rules;
366 		ima_update_policy_flag();
367 		cause = "complete";
368 		result = 0;
369 	}
370 	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
371 			    NULL, op, cause, result, audit_info);
372 }
373 
374 enum {
375 	Opt_err = -1,
376 	Opt_measure = 1, Opt_dont_measure,
377 	Opt_appraise, Opt_dont_appraise,
378 	Opt_audit,
379 	Opt_obj_user, Opt_obj_role, Opt_obj_type,
380 	Opt_subj_user, Opt_subj_role, Opt_subj_type,
381 	Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
382 	Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
383 };
384 
385 static match_table_t policy_tokens = {
386 	{Opt_measure, "measure"},
387 	{Opt_dont_measure, "dont_measure"},
388 	{Opt_appraise, "appraise"},
389 	{Opt_dont_appraise, "dont_appraise"},
390 	{Opt_audit, "audit"},
391 	{Opt_obj_user, "obj_user=%s"},
392 	{Opt_obj_role, "obj_role=%s"},
393 	{Opt_obj_type, "obj_type=%s"},
394 	{Opt_subj_user, "subj_user=%s"},
395 	{Opt_subj_role, "subj_role=%s"},
396 	{Opt_subj_type, "subj_type=%s"},
397 	{Opt_func, "func=%s"},
398 	{Opt_mask, "mask=%s"},
399 	{Opt_fsmagic, "fsmagic=%s"},
400 	{Opt_fsuuid, "fsuuid=%s"},
401 	{Opt_uid, "uid=%s"},
402 	{Opt_fowner, "fowner=%s"},
403 	{Opt_appraise_type, "appraise_type=%s"},
404 	{Opt_permit_directio, "permit_directio"},
405 	{Opt_err, NULL}
406 };
407 
408 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
409 			     substring_t *args, int lsm_rule, int audit_type)
410 {
411 	int result;
412 
413 	if (entry->lsm[lsm_rule].rule)
414 		return -EINVAL;
415 
416 	entry->lsm[lsm_rule].args_p = match_strdup(args);
417 	if (!entry->lsm[lsm_rule].args_p)
418 		return -ENOMEM;
419 
420 	entry->lsm[lsm_rule].type = audit_type;
421 	result = security_filter_rule_init(entry->lsm[lsm_rule].type,
422 					   Audit_equal,
423 					   entry->lsm[lsm_rule].args_p,
424 					   &entry->lsm[lsm_rule].rule);
425 	if (!entry->lsm[lsm_rule].rule) {
426 		kfree(entry->lsm[lsm_rule].args_p);
427 		return -EINVAL;
428 	}
429 
430 	return result;
431 }
432 
433 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
434 {
435 	audit_log_format(ab, "%s=", key);
436 	audit_log_untrustedstring(ab, value);
437 	audit_log_format(ab, " ");
438 }
439 
440 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
441 {
442 	struct audit_buffer *ab;
443 	char *p;
444 	int result = 0;
445 
446 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
447 
448 	entry->uid = INVALID_UID;
449 	entry->fowner = INVALID_UID;
450 	entry->action = UNKNOWN;
451 	while ((p = strsep(&rule, " \t")) != NULL) {
452 		substring_t args[MAX_OPT_ARGS];
453 		int token;
454 		unsigned long lnum;
455 
456 		if (result < 0)
457 			break;
458 		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
459 			continue;
460 		token = match_token(p, policy_tokens, args);
461 		switch (token) {
462 		case Opt_measure:
463 			ima_log_string(ab, "action", "measure");
464 
465 			if (entry->action != UNKNOWN)
466 				result = -EINVAL;
467 
468 			entry->action = MEASURE;
469 			break;
470 		case Opt_dont_measure:
471 			ima_log_string(ab, "action", "dont_measure");
472 
473 			if (entry->action != UNKNOWN)
474 				result = -EINVAL;
475 
476 			entry->action = DONT_MEASURE;
477 			break;
478 		case Opt_appraise:
479 			ima_log_string(ab, "action", "appraise");
480 
481 			if (entry->action != UNKNOWN)
482 				result = -EINVAL;
483 
484 			entry->action = APPRAISE;
485 			break;
486 		case Opt_dont_appraise:
487 			ima_log_string(ab, "action", "dont_appraise");
488 
489 			if (entry->action != UNKNOWN)
490 				result = -EINVAL;
491 
492 			entry->action = DONT_APPRAISE;
493 			break;
494 		case Opt_audit:
495 			ima_log_string(ab, "action", "audit");
496 
497 			if (entry->action != UNKNOWN)
498 				result = -EINVAL;
499 
500 			entry->action = AUDIT;
501 			break;
502 		case Opt_func:
503 			ima_log_string(ab, "func", args[0].from);
504 
505 			if (entry->func)
506 				result = -EINVAL;
507 
508 			if (strcmp(args[0].from, "FILE_CHECK") == 0)
509 				entry->func = FILE_CHECK;
510 			/* PATH_CHECK is for backwards compat */
511 			else if (strcmp(args[0].from, "PATH_CHECK") == 0)
512 				entry->func = FILE_CHECK;
513 			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
514 				entry->func = MODULE_CHECK;
515 			else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
516 				entry->func = FIRMWARE_CHECK;
517 			else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
518 				|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
519 				entry->func = MMAP_CHECK;
520 			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
521 				entry->func = BPRM_CHECK;
522 			else
523 				result = -EINVAL;
524 			if (!result)
525 				entry->flags |= IMA_FUNC;
526 			break;
527 		case Opt_mask:
528 			ima_log_string(ab, "mask", args[0].from);
529 
530 			if (entry->mask)
531 				result = -EINVAL;
532 
533 			if ((strcmp(args[0].from, "MAY_EXEC")) == 0)
534 				entry->mask = MAY_EXEC;
535 			else if (strcmp(args[0].from, "MAY_WRITE") == 0)
536 				entry->mask = MAY_WRITE;
537 			else if (strcmp(args[0].from, "MAY_READ") == 0)
538 				entry->mask = MAY_READ;
539 			else if (strcmp(args[0].from, "MAY_APPEND") == 0)
540 				entry->mask = MAY_APPEND;
541 			else
542 				result = -EINVAL;
543 			if (!result)
544 				entry->flags |= IMA_MASK;
545 			break;
546 		case Opt_fsmagic:
547 			ima_log_string(ab, "fsmagic", args[0].from);
548 
549 			if (entry->fsmagic) {
550 				result = -EINVAL;
551 				break;
552 			}
553 
554 			result = kstrtoul(args[0].from, 16, &entry->fsmagic);
555 			if (!result)
556 				entry->flags |= IMA_FSMAGIC;
557 			break;
558 		case Opt_fsuuid:
559 			ima_log_string(ab, "fsuuid", args[0].from);
560 
561 			if (memchr_inv(entry->fsuuid, 0x00,
562 				       sizeof(entry->fsuuid))) {
563 				result = -EINVAL;
564 				break;
565 			}
566 
567 			result = blk_part_pack_uuid(args[0].from,
568 						    entry->fsuuid);
569 			if (!result)
570 				entry->flags |= IMA_FSUUID;
571 			break;
572 		case Opt_uid:
573 			ima_log_string(ab, "uid", args[0].from);
574 
575 			if (uid_valid(entry->uid)) {
576 				result = -EINVAL;
577 				break;
578 			}
579 
580 			result = kstrtoul(args[0].from, 10, &lnum);
581 			if (!result) {
582 				entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
583 				if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
584 					result = -EINVAL;
585 				else
586 					entry->flags |= IMA_UID;
587 			}
588 			break;
589 		case Opt_fowner:
590 			ima_log_string(ab, "fowner", args[0].from);
591 
592 			if (uid_valid(entry->fowner)) {
593 				result = -EINVAL;
594 				break;
595 			}
596 
597 			result = kstrtoul(args[0].from, 10, &lnum);
598 			if (!result) {
599 				entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
600 				if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
601 					result = -EINVAL;
602 				else
603 					entry->flags |= IMA_FOWNER;
604 			}
605 			break;
606 		case Opt_obj_user:
607 			ima_log_string(ab, "obj_user", args[0].from);
608 			result = ima_lsm_rule_init(entry, args,
609 						   LSM_OBJ_USER,
610 						   AUDIT_OBJ_USER);
611 			break;
612 		case Opt_obj_role:
613 			ima_log_string(ab, "obj_role", args[0].from);
614 			result = ima_lsm_rule_init(entry, args,
615 						   LSM_OBJ_ROLE,
616 						   AUDIT_OBJ_ROLE);
617 			break;
618 		case Opt_obj_type:
619 			ima_log_string(ab, "obj_type", args[0].from);
620 			result = ima_lsm_rule_init(entry, args,
621 						   LSM_OBJ_TYPE,
622 						   AUDIT_OBJ_TYPE);
623 			break;
624 		case Opt_subj_user:
625 			ima_log_string(ab, "subj_user", args[0].from);
626 			result = ima_lsm_rule_init(entry, args,
627 						   LSM_SUBJ_USER,
628 						   AUDIT_SUBJ_USER);
629 			break;
630 		case Opt_subj_role:
631 			ima_log_string(ab, "subj_role", args[0].from);
632 			result = ima_lsm_rule_init(entry, args,
633 						   LSM_SUBJ_ROLE,
634 						   AUDIT_SUBJ_ROLE);
635 			break;
636 		case Opt_subj_type:
637 			ima_log_string(ab, "subj_type", args[0].from);
638 			result = ima_lsm_rule_init(entry, args,
639 						   LSM_SUBJ_TYPE,
640 						   AUDIT_SUBJ_TYPE);
641 			break;
642 		case Opt_appraise_type:
643 			if (entry->action != APPRAISE) {
644 				result = -EINVAL;
645 				break;
646 			}
647 
648 			ima_log_string(ab, "appraise_type", args[0].from);
649 			if ((strcmp(args[0].from, "imasig")) == 0)
650 				entry->flags |= IMA_DIGSIG_REQUIRED;
651 			else
652 				result = -EINVAL;
653 			break;
654 		case Opt_permit_directio:
655 			entry->flags |= IMA_PERMIT_DIRECTIO;
656 			break;
657 		case Opt_err:
658 			ima_log_string(ab, "UNKNOWN", p);
659 			result = -EINVAL;
660 			break;
661 		}
662 	}
663 	if (!result && (entry->action == UNKNOWN))
664 		result = -EINVAL;
665 	else if (entry->func == MODULE_CHECK)
666 		ima_appraise |= IMA_APPRAISE_MODULES;
667 	else if (entry->func == FIRMWARE_CHECK)
668 		ima_appraise |= IMA_APPRAISE_FIRMWARE;
669 	audit_log_format(ab, "res=%d", !result);
670 	audit_log_end(ab);
671 	return result;
672 }
673 
674 /**
675  * ima_parse_add_rule - add a rule to ima_policy_rules
676  * @rule - ima measurement policy rule
677  *
678  * Uses a mutex to protect the policy list from multiple concurrent writers.
679  * Returns the length of the rule parsed, an error code on failure
680  */
681 ssize_t ima_parse_add_rule(char *rule)
682 {
683 	static const char op[] = "update_policy";
684 	char *p;
685 	struct ima_rule_entry *entry;
686 	ssize_t result, len;
687 	int audit_info = 0;
688 
689 	/* Prevent installed policy from changing */
690 	if (ima_rules != &ima_default_rules) {
691 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
692 				    NULL, op, "already-exists",
693 				    -EACCES, audit_info);
694 		return -EACCES;
695 	}
696 
697 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
698 	if (!entry) {
699 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
700 				    NULL, op, "-ENOMEM", -ENOMEM, audit_info);
701 		return -ENOMEM;
702 	}
703 
704 	INIT_LIST_HEAD(&entry->list);
705 
706 	p = strsep(&rule, "\n");
707 	len = strlen(p) + 1;
708 
709 	if (*p == '#') {
710 		kfree(entry);
711 		return len;
712 	}
713 
714 	result = ima_parse_rule(p, entry);
715 	if (result) {
716 		kfree(entry);
717 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
718 				    NULL, op, "invalid-policy", result,
719 				    audit_info);
720 		return result;
721 	}
722 
723 	mutex_lock(&ima_rules_mutex);
724 	list_add_tail(&entry->list, &ima_policy_rules);
725 	mutex_unlock(&ima_rules_mutex);
726 
727 	return len;
728 }
729 
730 /* ima_delete_rules called to cleanup invalid policy */
731 void ima_delete_rules(void)
732 {
733 	struct ima_rule_entry *entry, *tmp;
734 	int i;
735 
736 	mutex_lock(&ima_rules_mutex);
737 	list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
738 		for (i = 0; i < MAX_LSM_RULES; i++)
739 			kfree(entry->lsm[i].args_p);
740 
741 		list_del(&entry->list);
742 		kfree(entry);
743 	}
744 	mutex_unlock(&ima_rules_mutex);
745 }
746