1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/genhd.h> 20 #include <linux/seq_file.h> 21 #include <linux/ima.h> 22 23 #include "ima.h" 24 25 /* flags definitions */ 26 #define IMA_FUNC 0x0001 27 #define IMA_MASK 0x0002 28 #define IMA_FSMAGIC 0x0004 29 #define IMA_UID 0x0008 30 #define IMA_FOWNER 0x0010 31 #define IMA_FSUUID 0x0020 32 #define IMA_INMASK 0x0040 33 #define IMA_EUID 0x0080 34 #define IMA_PCR 0x0100 35 #define IMA_FSNAME 0x0200 36 #define IMA_KEYRINGS 0x0400 37 38 #define UNKNOWN 0 39 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 40 #define DONT_MEASURE 0x0002 41 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 42 #define DONT_APPRAISE 0x0008 43 #define AUDIT 0x0040 44 #define HASH 0x0100 45 #define DONT_HASH 0x0200 46 47 #define INVALID_PCR(a) (((a) < 0) || \ 48 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 49 50 int ima_policy_flag; 51 static int temp_ima_appraise; 52 static int build_ima_appraise __ro_after_init; 53 54 #define MAX_LSM_RULES 6 55 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 56 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 57 }; 58 59 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 60 61 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 62 63 struct ima_rule_entry { 64 struct list_head list; 65 int action; 66 unsigned int flags; 67 enum ima_hooks func; 68 int mask; 69 unsigned long fsmagic; 70 uuid_t fsuuid; 71 kuid_t uid; 72 kuid_t fowner; 73 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 74 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 75 int pcr; 76 struct { 77 void *rule; /* LSM file metadata specific */ 78 char *args_p; /* audit value */ 79 int type; /* audit type */ 80 } lsm[MAX_LSM_RULES]; 81 char *fsname; 82 char *keyrings; /* Measure keys added to these keyrings */ 83 struct ima_template_desc *template; 84 }; 85 86 /* 87 * Without LSM specific knowledge, the default policy can only be 88 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 89 */ 90 91 /* 92 * The minimum rule set to allow for full TCB coverage. Measures all files 93 * opened or mmap for exec and everything read by root. Dangerous because 94 * normal users can easily run the machine out of memory simply building 95 * and running executables. 96 */ 97 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 98 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 99 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 100 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 101 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 102 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 103 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 104 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 105 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 106 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 107 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 108 .flags = IMA_FSMAGIC}, 109 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 110 .flags = IMA_FSMAGIC}, 111 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 112 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 113 }; 114 115 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 116 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 117 .flags = IMA_FUNC | IMA_MASK}, 118 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 119 .flags = IMA_FUNC | IMA_MASK}, 120 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 121 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 122 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 123 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 124 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 125 }; 126 127 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 128 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 129 .flags = IMA_FUNC | IMA_MASK}, 130 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 131 .flags = IMA_FUNC | IMA_MASK}, 132 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 133 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 134 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 135 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 136 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 137 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 138 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 139 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 140 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 141 }; 142 143 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 144 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 145 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 146 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 147 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 148 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 149 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 158 #ifdef CONFIG_IMA_WRITE_POLICY 159 {.action = APPRAISE, .func = POLICY_CHECK, 160 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 161 #endif 162 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 163 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 164 .flags = IMA_FOWNER}, 165 #else 166 /* force signature */ 167 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 168 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 169 #endif 170 }; 171 172 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 173 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 174 {.action = APPRAISE, .func = MODULE_CHECK, 175 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 176 #endif 177 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 178 {.action = APPRAISE, .func = FIRMWARE_CHECK, 179 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 180 #endif 181 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 182 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 183 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 184 #endif 185 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 186 {.action = APPRAISE, .func = POLICY_CHECK, 187 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 188 #endif 189 }; 190 191 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 192 {.action = APPRAISE, .func = MODULE_CHECK, 193 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 194 {.action = APPRAISE, .func = FIRMWARE_CHECK, 195 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 196 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 197 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 198 {.action = APPRAISE, .func = POLICY_CHECK, 199 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 200 }; 201 202 /* An array of architecture specific rules */ 203 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 204 205 static LIST_HEAD(ima_default_rules); 206 static LIST_HEAD(ima_policy_rules); 207 static LIST_HEAD(ima_temp_rules); 208 static struct list_head *ima_rules = &ima_default_rules; 209 210 /* Pre-allocated buffer used for matching keyrings. */ 211 static char *ima_keyrings; 212 static size_t ima_keyrings_len; 213 214 static int ima_policy __initdata; 215 216 static int __init default_measure_policy_setup(char *str) 217 { 218 if (ima_policy) 219 return 1; 220 221 ima_policy = ORIGINAL_TCB; 222 return 1; 223 } 224 __setup("ima_tcb", default_measure_policy_setup); 225 226 static bool ima_use_appraise_tcb __initdata; 227 static bool ima_use_secure_boot __initdata; 228 static bool ima_fail_unverifiable_sigs __ro_after_init; 229 static int __init policy_setup(char *str) 230 { 231 char *p; 232 233 while ((p = strsep(&str, " |\n")) != NULL) { 234 if (*p == ' ') 235 continue; 236 if ((strcmp(p, "tcb") == 0) && !ima_policy) 237 ima_policy = DEFAULT_TCB; 238 else if (strcmp(p, "appraise_tcb") == 0) 239 ima_use_appraise_tcb = true; 240 else if (strcmp(p, "secure_boot") == 0) 241 ima_use_secure_boot = true; 242 else if (strcmp(p, "fail_securely") == 0) 243 ima_fail_unverifiable_sigs = true; 244 } 245 246 return 1; 247 } 248 __setup("ima_policy=", policy_setup); 249 250 static int __init default_appraise_policy_setup(char *str) 251 { 252 ima_use_appraise_tcb = true; 253 return 1; 254 } 255 __setup("ima_appraise_tcb", default_appraise_policy_setup); 256 257 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 258 { 259 int i; 260 261 for (i = 0; i < MAX_LSM_RULES; i++) { 262 ima_filter_rule_free(entry->lsm[i].rule); 263 kfree(entry->lsm[i].args_p); 264 } 265 } 266 267 static void ima_free_rule(struct ima_rule_entry *entry) 268 { 269 if (!entry) 270 return; 271 272 /* 273 * entry->template->fields may be allocated in ima_parse_rule() but that 274 * reference is owned by the corresponding ima_template_desc element in 275 * the defined_templates list and cannot be freed here 276 */ 277 kfree(entry->fsname); 278 kfree(entry->keyrings); 279 ima_lsm_free_rule(entry); 280 kfree(entry); 281 } 282 283 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 284 { 285 struct ima_rule_entry *nentry; 286 int i; 287 288 nentry = kmalloc(sizeof(*nentry), GFP_KERNEL); 289 if (!nentry) 290 return NULL; 291 292 /* 293 * Immutable elements are copied over as pointers and data; only 294 * lsm rules can change 295 */ 296 memcpy(nentry, entry, sizeof(*nentry)); 297 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 298 299 for (i = 0; i < MAX_LSM_RULES; i++) { 300 if (!entry->lsm[i].args_p) 301 continue; 302 303 nentry->lsm[i].type = entry->lsm[i].type; 304 nentry->lsm[i].args_p = entry->lsm[i].args_p; 305 /* 306 * Remove the reference from entry so that the associated 307 * memory will not be freed during a later call to 308 * ima_lsm_free_rule(entry). 309 */ 310 entry->lsm[i].args_p = NULL; 311 312 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 313 nentry->lsm[i].args_p, 314 &nentry->lsm[i].rule); 315 if (!nentry->lsm[i].rule) 316 pr_warn("rule for LSM \'%s\' is undefined\n", 317 nentry->lsm[i].args_p); 318 } 319 return nentry; 320 } 321 322 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 323 { 324 struct ima_rule_entry *nentry; 325 326 nentry = ima_lsm_copy_rule(entry); 327 if (!nentry) 328 return -ENOMEM; 329 330 list_replace_rcu(&entry->list, &nentry->list); 331 synchronize_rcu(); 332 /* 333 * ima_lsm_copy_rule() shallow copied all references, except for the 334 * LSM references, from entry to nentry so we only want to free the LSM 335 * references and the entry itself. All other memory refrences will now 336 * be owned by nentry. 337 */ 338 ima_lsm_free_rule(entry); 339 kfree(entry); 340 341 return 0; 342 } 343 344 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 345 { 346 int i; 347 348 for (i = 0; i < MAX_LSM_RULES; i++) 349 if (entry->lsm[i].args_p) 350 return true; 351 352 return false; 353 } 354 355 /* 356 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 357 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 358 * the reloaded LSM policy. 359 */ 360 static void ima_lsm_update_rules(void) 361 { 362 struct ima_rule_entry *entry, *e; 363 int result; 364 365 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 366 if (!ima_rule_contains_lsm_cond(entry)) 367 continue; 368 369 result = ima_lsm_update_rule(entry); 370 if (result) { 371 pr_err("lsm rule update error %d\n", result); 372 return; 373 } 374 } 375 } 376 377 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 378 void *lsm_data) 379 { 380 if (event != LSM_POLICY_CHANGE) 381 return NOTIFY_DONE; 382 383 ima_lsm_update_rules(); 384 return NOTIFY_OK; 385 } 386 387 /** 388 * ima_match_keyring - determine whether the keyring matches the measure rule 389 * @rule: a pointer to a rule 390 * @keyring: name of the keyring to match against the measure rule 391 * @cred: a pointer to a credentials structure for user validation 392 * 393 * Returns true if keyring matches one in the rule, false otherwise. 394 */ 395 static bool ima_match_keyring(struct ima_rule_entry *rule, 396 const char *keyring, const struct cred *cred) 397 { 398 char *next_keyring, *keyrings_ptr; 399 bool matched = false; 400 401 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 402 return false; 403 404 if (!rule->keyrings) 405 return true; 406 407 if (!keyring) 408 return false; 409 410 strcpy(ima_keyrings, rule->keyrings); 411 412 /* 413 * "keyrings=" is specified in the policy in the format below: 414 * keyrings=.builtin_trusted_keys|.ima|.evm 415 */ 416 keyrings_ptr = ima_keyrings; 417 while ((next_keyring = strsep(&keyrings_ptr, "|")) != NULL) { 418 if (!strcmp(next_keyring, keyring)) { 419 matched = true; 420 break; 421 } 422 } 423 424 return matched; 425 } 426 427 /** 428 * ima_match_rules - determine whether an inode matches the policy rule. 429 * @rule: a pointer to a rule 430 * @inode: a pointer to an inode 431 * @cred: a pointer to a credentials structure for user validation 432 * @secid: the secid of the task to be validated 433 * @func: LIM hook identifier 434 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 435 * @keyring: keyring name to check in policy for KEY_CHECK func 436 * 437 * Returns true on rule match, false on failure. 438 */ 439 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, 440 const struct cred *cred, u32 secid, 441 enum ima_hooks func, int mask, 442 const char *keyring) 443 { 444 int i; 445 446 if (func == KEY_CHECK) { 447 return (rule->flags & IMA_FUNC) && (rule->func == func) && 448 ima_match_keyring(rule, keyring, cred); 449 } 450 if ((rule->flags & IMA_FUNC) && 451 (rule->func != func && func != POST_SETATTR)) 452 return false; 453 if ((rule->flags & IMA_MASK) && 454 (rule->mask != mask && func != POST_SETATTR)) 455 return false; 456 if ((rule->flags & IMA_INMASK) && 457 (!(rule->mask & mask) && func != POST_SETATTR)) 458 return false; 459 if ((rule->flags & IMA_FSMAGIC) 460 && rule->fsmagic != inode->i_sb->s_magic) 461 return false; 462 if ((rule->flags & IMA_FSNAME) 463 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 464 return false; 465 if ((rule->flags & IMA_FSUUID) && 466 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 467 return false; 468 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 469 return false; 470 if (rule->flags & IMA_EUID) { 471 if (has_capability_noaudit(current, CAP_SETUID)) { 472 if (!rule->uid_op(cred->euid, rule->uid) 473 && !rule->uid_op(cred->suid, rule->uid) 474 && !rule->uid_op(cred->uid, rule->uid)) 475 return false; 476 } else if (!rule->uid_op(cred->euid, rule->uid)) 477 return false; 478 } 479 480 if ((rule->flags & IMA_FOWNER) && 481 !rule->fowner_op(inode->i_uid, rule->fowner)) 482 return false; 483 for (i = 0; i < MAX_LSM_RULES; i++) { 484 int rc = 0; 485 u32 osid; 486 487 if (!rule->lsm[i].rule) { 488 if (!rule->lsm[i].args_p) 489 continue; 490 else 491 return false; 492 } 493 switch (i) { 494 case LSM_OBJ_USER: 495 case LSM_OBJ_ROLE: 496 case LSM_OBJ_TYPE: 497 security_inode_getsecid(inode, &osid); 498 rc = ima_filter_rule_match(osid, rule->lsm[i].type, 499 Audit_equal, 500 rule->lsm[i].rule); 501 break; 502 case LSM_SUBJ_USER: 503 case LSM_SUBJ_ROLE: 504 case LSM_SUBJ_TYPE: 505 rc = ima_filter_rule_match(secid, rule->lsm[i].type, 506 Audit_equal, 507 rule->lsm[i].rule); 508 default: 509 break; 510 } 511 if (!rc) 512 return false; 513 } 514 return true; 515 } 516 517 /* 518 * In addition to knowing that we need to appraise the file in general, 519 * we need to differentiate between calling hooks, for hook specific rules. 520 */ 521 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 522 { 523 if (!(rule->flags & IMA_FUNC)) 524 return IMA_FILE_APPRAISE; 525 526 switch (func) { 527 case MMAP_CHECK: 528 return IMA_MMAP_APPRAISE; 529 case BPRM_CHECK: 530 return IMA_BPRM_APPRAISE; 531 case CREDS_CHECK: 532 return IMA_CREDS_APPRAISE; 533 case FILE_CHECK: 534 case POST_SETATTR: 535 return IMA_FILE_APPRAISE; 536 case MODULE_CHECK ... MAX_CHECK - 1: 537 default: 538 return IMA_READ_APPRAISE; 539 } 540 } 541 542 /** 543 * ima_match_policy - decision based on LSM and other conditions 544 * @inode: pointer to an inode for which the policy decision is being made 545 * @cred: pointer to a credentials structure for which the policy decision is 546 * being made 547 * @secid: LSM secid of the task to be validated 548 * @func: IMA hook identifier 549 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 550 * @pcr: set the pcr to extend 551 * @template_desc: the template that should be used for this rule 552 * @keyring: the keyring name, if given, to be used to check in the policy. 553 * keyring can be NULL if func is anything other than KEY_CHECK. 554 * 555 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 556 * conditions. 557 * 558 * Since the IMA policy may be updated multiple times we need to lock the 559 * list when walking it. Reads are many orders of magnitude more numerous 560 * than writes so ima_match_policy() is classical RCU candidate. 561 */ 562 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 563 enum ima_hooks func, int mask, int flags, int *pcr, 564 struct ima_template_desc **template_desc, 565 const char *keyring) 566 { 567 struct ima_rule_entry *entry; 568 int action = 0, actmask = flags | (flags << 1); 569 570 if (template_desc) 571 *template_desc = ima_template_desc_current(); 572 573 rcu_read_lock(); 574 list_for_each_entry_rcu(entry, ima_rules, list) { 575 576 if (!(entry->action & actmask)) 577 continue; 578 579 if (!ima_match_rules(entry, inode, cred, secid, func, mask, 580 keyring)) 581 continue; 582 583 action |= entry->flags & IMA_ACTION_FLAGS; 584 585 action |= entry->action & IMA_DO_MASK; 586 if (entry->action & IMA_APPRAISE) { 587 action |= get_subaction(entry, func); 588 action &= ~IMA_HASH; 589 if (ima_fail_unverifiable_sigs) 590 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 591 } 592 593 594 if (entry->action & IMA_DO_MASK) 595 actmask &= ~(entry->action | entry->action << 1); 596 else 597 actmask &= ~(entry->action | entry->action >> 1); 598 599 if ((pcr) && (entry->flags & IMA_PCR)) 600 *pcr = entry->pcr; 601 602 if (template_desc && entry->template) 603 *template_desc = entry->template; 604 605 if (!actmask) 606 break; 607 } 608 rcu_read_unlock(); 609 610 return action; 611 } 612 613 /* 614 * Initialize the ima_policy_flag variable based on the currently 615 * loaded policy. Based on this flag, the decision to short circuit 616 * out of a function or not call the function in the first place 617 * can be made earlier. 618 */ 619 void ima_update_policy_flag(void) 620 { 621 struct ima_rule_entry *entry; 622 623 list_for_each_entry(entry, ima_rules, list) { 624 if (entry->action & IMA_DO_MASK) 625 ima_policy_flag |= entry->action; 626 } 627 628 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 629 if (!ima_appraise) 630 ima_policy_flag &= ~IMA_APPRAISE; 631 } 632 633 static int ima_appraise_flag(enum ima_hooks func) 634 { 635 if (func == MODULE_CHECK) 636 return IMA_APPRAISE_MODULES; 637 else if (func == FIRMWARE_CHECK) 638 return IMA_APPRAISE_FIRMWARE; 639 else if (func == POLICY_CHECK) 640 return IMA_APPRAISE_POLICY; 641 else if (func == KEXEC_KERNEL_CHECK) 642 return IMA_APPRAISE_KEXEC; 643 return 0; 644 } 645 646 static void add_rules(struct ima_rule_entry *entries, int count, 647 enum policy_rule_list policy_rule) 648 { 649 int i = 0; 650 651 for (i = 0; i < count; i++) { 652 struct ima_rule_entry *entry; 653 654 if (policy_rule & IMA_DEFAULT_POLICY) 655 list_add_tail(&entries[i].list, &ima_default_rules); 656 657 if (policy_rule & IMA_CUSTOM_POLICY) { 658 entry = kmemdup(&entries[i], sizeof(*entry), 659 GFP_KERNEL); 660 if (!entry) 661 continue; 662 663 list_add_tail(&entry->list, &ima_policy_rules); 664 } 665 if (entries[i].action == APPRAISE) { 666 if (entries != build_appraise_rules) 667 temp_ima_appraise |= 668 ima_appraise_flag(entries[i].func); 669 else 670 build_ima_appraise |= 671 ima_appraise_flag(entries[i].func); 672 } 673 } 674 } 675 676 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 677 678 static int __init ima_init_arch_policy(void) 679 { 680 const char * const *arch_rules; 681 const char * const *rules; 682 int arch_entries = 0; 683 int i = 0; 684 685 arch_rules = arch_get_ima_policy(); 686 if (!arch_rules) 687 return arch_entries; 688 689 /* Get number of rules */ 690 for (rules = arch_rules; *rules != NULL; rules++) 691 arch_entries++; 692 693 arch_policy_entry = kcalloc(arch_entries + 1, 694 sizeof(*arch_policy_entry), GFP_KERNEL); 695 if (!arch_policy_entry) 696 return 0; 697 698 /* Convert each policy string rules to struct ima_rule_entry format */ 699 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 700 char rule[255]; 701 int result; 702 703 result = strlcpy(rule, *rules, sizeof(rule)); 704 705 INIT_LIST_HEAD(&arch_policy_entry[i].list); 706 result = ima_parse_rule(rule, &arch_policy_entry[i]); 707 if (result) { 708 pr_warn("Skipping unknown architecture policy rule: %s\n", 709 rule); 710 memset(&arch_policy_entry[i], 0, 711 sizeof(*arch_policy_entry)); 712 continue; 713 } 714 i++; 715 } 716 return i; 717 } 718 719 /** 720 * ima_init_policy - initialize the default measure rules. 721 * 722 * ima_rules points to either the ima_default_rules or the 723 * the new ima_policy_rules. 724 */ 725 void __init ima_init_policy(void) 726 { 727 int build_appraise_entries, arch_entries; 728 729 /* if !ima_policy, we load NO default rules */ 730 if (ima_policy) 731 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 732 IMA_DEFAULT_POLICY); 733 734 switch (ima_policy) { 735 case ORIGINAL_TCB: 736 add_rules(original_measurement_rules, 737 ARRAY_SIZE(original_measurement_rules), 738 IMA_DEFAULT_POLICY); 739 break; 740 case DEFAULT_TCB: 741 add_rules(default_measurement_rules, 742 ARRAY_SIZE(default_measurement_rules), 743 IMA_DEFAULT_POLICY); 744 default: 745 break; 746 } 747 748 /* 749 * Based on runtime secure boot flags, insert arch specific measurement 750 * and appraise rules requiring file signatures for both the initial 751 * and custom policies, prior to other appraise rules. 752 * (Highest priority) 753 */ 754 arch_entries = ima_init_arch_policy(); 755 if (!arch_entries) 756 pr_info("No architecture policies found\n"); 757 else 758 add_rules(arch_policy_entry, arch_entries, 759 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 760 761 /* 762 * Insert the builtin "secure_boot" policy rules requiring file 763 * signatures, prior to other appraise rules. 764 */ 765 if (ima_use_secure_boot) 766 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 767 IMA_DEFAULT_POLICY); 768 769 /* 770 * Insert the build time appraise rules requiring file signatures 771 * for both the initial and custom policies, prior to other appraise 772 * rules. As the secure boot rules includes all of the build time 773 * rules, include either one or the other set of rules, but not both. 774 */ 775 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 776 if (build_appraise_entries) { 777 if (ima_use_secure_boot) 778 add_rules(build_appraise_rules, build_appraise_entries, 779 IMA_CUSTOM_POLICY); 780 else 781 add_rules(build_appraise_rules, build_appraise_entries, 782 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 783 } 784 785 if (ima_use_appraise_tcb) 786 add_rules(default_appraise_rules, 787 ARRAY_SIZE(default_appraise_rules), 788 IMA_DEFAULT_POLICY); 789 790 ima_update_policy_flag(); 791 } 792 793 /* Make sure we have a valid policy, at least containing some rules. */ 794 int ima_check_policy(void) 795 { 796 if (list_empty(&ima_temp_rules)) 797 return -EINVAL; 798 return 0; 799 } 800 801 /** 802 * ima_update_policy - update default_rules with new measure rules 803 * 804 * Called on file .release to update the default rules with a complete new 805 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 806 * they make a queue. The policy may be updated multiple times and this is the 807 * RCU updater. 808 * 809 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 810 * we switch from the default policy to user defined. 811 */ 812 void ima_update_policy(void) 813 { 814 struct list_head *policy = &ima_policy_rules; 815 816 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 817 818 if (ima_rules != policy) { 819 ima_policy_flag = 0; 820 ima_rules = policy; 821 822 /* 823 * IMA architecture specific policy rules are specified 824 * as strings and converted to an array of ima_entry_rules 825 * on boot. After loading a custom policy, free the 826 * architecture specific rules stored as an array. 827 */ 828 kfree(arch_policy_entry); 829 } 830 ima_update_policy_flag(); 831 832 /* Custom IMA policy has been loaded */ 833 ima_process_queued_keys(); 834 } 835 836 /* Keep the enumeration in sync with the policy_tokens! */ 837 enum { 838 Opt_measure, Opt_dont_measure, 839 Opt_appraise, Opt_dont_appraise, 840 Opt_audit, Opt_hash, Opt_dont_hash, 841 Opt_obj_user, Opt_obj_role, Opt_obj_type, 842 Opt_subj_user, Opt_subj_role, Opt_subj_type, 843 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 844 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 845 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 846 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 847 Opt_appraise_type, Opt_appraise_flag, 848 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 849 Opt_err 850 }; 851 852 static const match_table_t policy_tokens = { 853 {Opt_measure, "measure"}, 854 {Opt_dont_measure, "dont_measure"}, 855 {Opt_appraise, "appraise"}, 856 {Opt_dont_appraise, "dont_appraise"}, 857 {Opt_audit, "audit"}, 858 {Opt_hash, "hash"}, 859 {Opt_dont_hash, "dont_hash"}, 860 {Opt_obj_user, "obj_user=%s"}, 861 {Opt_obj_role, "obj_role=%s"}, 862 {Opt_obj_type, "obj_type=%s"}, 863 {Opt_subj_user, "subj_user=%s"}, 864 {Opt_subj_role, "subj_role=%s"}, 865 {Opt_subj_type, "subj_type=%s"}, 866 {Opt_func, "func=%s"}, 867 {Opt_mask, "mask=%s"}, 868 {Opt_fsmagic, "fsmagic=%s"}, 869 {Opt_fsname, "fsname=%s"}, 870 {Opt_fsuuid, "fsuuid=%s"}, 871 {Opt_uid_eq, "uid=%s"}, 872 {Opt_euid_eq, "euid=%s"}, 873 {Opt_fowner_eq, "fowner=%s"}, 874 {Opt_uid_gt, "uid>%s"}, 875 {Opt_euid_gt, "euid>%s"}, 876 {Opt_fowner_gt, "fowner>%s"}, 877 {Opt_uid_lt, "uid<%s"}, 878 {Opt_euid_lt, "euid<%s"}, 879 {Opt_fowner_lt, "fowner<%s"}, 880 {Opt_appraise_type, "appraise_type=%s"}, 881 {Opt_appraise_flag, "appraise_flag=%s"}, 882 {Opt_permit_directio, "permit_directio"}, 883 {Opt_pcr, "pcr=%s"}, 884 {Opt_template, "template=%s"}, 885 {Opt_keyrings, "keyrings=%s"}, 886 {Opt_err, NULL} 887 }; 888 889 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 890 substring_t *args, int lsm_rule, int audit_type) 891 { 892 int result; 893 894 if (entry->lsm[lsm_rule].rule) 895 return -EINVAL; 896 897 entry->lsm[lsm_rule].args_p = match_strdup(args); 898 if (!entry->lsm[lsm_rule].args_p) 899 return -ENOMEM; 900 901 entry->lsm[lsm_rule].type = audit_type; 902 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 903 entry->lsm[lsm_rule].args_p, 904 &entry->lsm[lsm_rule].rule); 905 if (!entry->lsm[lsm_rule].rule) { 906 pr_warn("rule for LSM \'%s\' is undefined\n", 907 entry->lsm[lsm_rule].args_p); 908 909 if (ima_rules == &ima_default_rules) { 910 kfree(entry->lsm[lsm_rule].args_p); 911 entry->lsm[lsm_rule].args_p = NULL; 912 result = -EINVAL; 913 } else 914 result = 0; 915 } 916 917 return result; 918 } 919 920 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 921 bool (*rule_operator)(kuid_t, kuid_t)) 922 { 923 if (!ab) 924 return; 925 926 if (rule_operator == &uid_gt) 927 audit_log_format(ab, "%s>", key); 928 else if (rule_operator == &uid_lt) 929 audit_log_format(ab, "%s<", key); 930 else 931 audit_log_format(ab, "%s=", key); 932 audit_log_format(ab, "%s ", value); 933 } 934 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 935 { 936 ima_log_string_op(ab, key, value, NULL); 937 } 938 939 /* 940 * Validating the appended signature included in the measurement list requires 941 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 942 * field). Therefore, notify the user if they have the 'modsig' field but not 943 * the 'd-modsig' field in the template. 944 */ 945 static void check_template_modsig(const struct ima_template_desc *template) 946 { 947 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 948 bool has_modsig, has_dmodsig; 949 static bool checked; 950 int i; 951 952 /* We only need to notify the user once. */ 953 if (checked) 954 return; 955 956 has_modsig = has_dmodsig = false; 957 for (i = 0; i < template->num_fields; i++) { 958 if (!strcmp(template->fields[i]->field_id, "modsig")) 959 has_modsig = true; 960 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 961 has_dmodsig = true; 962 } 963 964 if (has_modsig && !has_dmodsig) 965 pr_notice(MSG); 966 967 checked = true; 968 #undef MSG 969 } 970 971 static bool ima_validate_rule(struct ima_rule_entry *entry) 972 { 973 /* Ensure that the action is set and is compatible with the flags */ 974 if (entry->action == UNKNOWN) 975 return false; 976 977 if (entry->action != MEASURE && entry->flags & IMA_PCR) 978 return false; 979 980 if (entry->action != APPRAISE && 981 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)) 982 return false; 983 984 /* 985 * The IMA_FUNC bit must be set if and only if there's a valid hook 986 * function specified, and vice versa. Enforcing this property allows 987 * for the NONE case below to validate a rule without an explicit hook 988 * function. 989 */ 990 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 991 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 992 return false; 993 994 /* 995 * Ensure that the hook function is compatible with the other 996 * components of the rule 997 */ 998 switch (entry->func) { 999 case NONE: 1000 case FILE_CHECK: 1001 case MMAP_CHECK: 1002 case BPRM_CHECK: 1003 case CREDS_CHECK: 1004 case POST_SETATTR: 1005 case FIRMWARE_CHECK: 1006 case POLICY_CHECK: 1007 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1008 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1009 IMA_INMASK | IMA_EUID | IMA_PCR | 1010 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1011 IMA_PERMIT_DIRECTIO)) 1012 return false; 1013 1014 break; 1015 case MODULE_CHECK: 1016 case KEXEC_KERNEL_CHECK: 1017 case KEXEC_INITRAMFS_CHECK: 1018 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1019 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1020 IMA_INMASK | IMA_EUID | IMA_PCR | 1021 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1022 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1023 IMA_CHECK_BLACKLIST)) 1024 return false; 1025 1026 break; 1027 case KEXEC_CMDLINE: 1028 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1029 return false; 1030 1031 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1032 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1033 IMA_PCR | IMA_FSNAME)) 1034 return false; 1035 1036 break; 1037 case KEY_CHECK: 1038 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1039 return false; 1040 1041 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1042 IMA_KEYRINGS)) 1043 return false; 1044 1045 if (ima_rule_contains_lsm_cond(entry)) 1046 return false; 1047 1048 break; 1049 default: 1050 return false; 1051 } 1052 1053 /* Ensure that combinations of flags are compatible with each other */ 1054 if (entry->flags & IMA_CHECK_BLACKLIST && 1055 !(entry->flags & IMA_MODSIG_ALLOWED)) 1056 return false; 1057 1058 return true; 1059 } 1060 1061 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1062 { 1063 struct audit_buffer *ab; 1064 char *from; 1065 char *p; 1066 bool uid_token; 1067 struct ima_template_desc *template_desc; 1068 int result = 0; 1069 size_t keyrings_len; 1070 1071 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1072 AUDIT_INTEGRITY_POLICY_RULE); 1073 1074 entry->uid = INVALID_UID; 1075 entry->fowner = INVALID_UID; 1076 entry->uid_op = &uid_eq; 1077 entry->fowner_op = &uid_eq; 1078 entry->action = UNKNOWN; 1079 while ((p = strsep(&rule, " \t")) != NULL) { 1080 substring_t args[MAX_OPT_ARGS]; 1081 int token; 1082 unsigned long lnum; 1083 1084 if (result < 0) 1085 break; 1086 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1087 continue; 1088 token = match_token(p, policy_tokens, args); 1089 switch (token) { 1090 case Opt_measure: 1091 ima_log_string(ab, "action", "measure"); 1092 1093 if (entry->action != UNKNOWN) 1094 result = -EINVAL; 1095 1096 entry->action = MEASURE; 1097 break; 1098 case Opt_dont_measure: 1099 ima_log_string(ab, "action", "dont_measure"); 1100 1101 if (entry->action != UNKNOWN) 1102 result = -EINVAL; 1103 1104 entry->action = DONT_MEASURE; 1105 break; 1106 case Opt_appraise: 1107 ima_log_string(ab, "action", "appraise"); 1108 1109 if (entry->action != UNKNOWN) 1110 result = -EINVAL; 1111 1112 entry->action = APPRAISE; 1113 break; 1114 case Opt_dont_appraise: 1115 ima_log_string(ab, "action", "dont_appraise"); 1116 1117 if (entry->action != UNKNOWN) 1118 result = -EINVAL; 1119 1120 entry->action = DONT_APPRAISE; 1121 break; 1122 case Opt_audit: 1123 ima_log_string(ab, "action", "audit"); 1124 1125 if (entry->action != UNKNOWN) 1126 result = -EINVAL; 1127 1128 entry->action = AUDIT; 1129 break; 1130 case Opt_hash: 1131 ima_log_string(ab, "action", "hash"); 1132 1133 if (entry->action != UNKNOWN) 1134 result = -EINVAL; 1135 1136 entry->action = HASH; 1137 break; 1138 case Opt_dont_hash: 1139 ima_log_string(ab, "action", "dont_hash"); 1140 1141 if (entry->action != UNKNOWN) 1142 result = -EINVAL; 1143 1144 entry->action = DONT_HASH; 1145 break; 1146 case Opt_func: 1147 ima_log_string(ab, "func", args[0].from); 1148 1149 if (entry->func) 1150 result = -EINVAL; 1151 1152 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1153 entry->func = FILE_CHECK; 1154 /* PATH_CHECK is for backwards compat */ 1155 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1156 entry->func = FILE_CHECK; 1157 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1158 entry->func = MODULE_CHECK; 1159 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1160 entry->func = FIRMWARE_CHECK; 1161 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1162 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1163 entry->func = MMAP_CHECK; 1164 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1165 entry->func = BPRM_CHECK; 1166 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1167 entry->func = CREDS_CHECK; 1168 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1169 0) 1170 entry->func = KEXEC_KERNEL_CHECK; 1171 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1172 == 0) 1173 entry->func = KEXEC_INITRAMFS_CHECK; 1174 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1175 entry->func = POLICY_CHECK; 1176 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1177 entry->func = KEXEC_CMDLINE; 1178 else if (strcmp(args[0].from, "KEY_CHECK") == 0) 1179 entry->func = KEY_CHECK; 1180 else 1181 result = -EINVAL; 1182 if (!result) 1183 entry->flags |= IMA_FUNC; 1184 break; 1185 case Opt_mask: 1186 ima_log_string(ab, "mask", args[0].from); 1187 1188 if (entry->mask) 1189 result = -EINVAL; 1190 1191 from = args[0].from; 1192 if (*from == '^') 1193 from++; 1194 1195 if ((strcmp(from, "MAY_EXEC")) == 0) 1196 entry->mask = MAY_EXEC; 1197 else if (strcmp(from, "MAY_WRITE") == 0) 1198 entry->mask = MAY_WRITE; 1199 else if (strcmp(from, "MAY_READ") == 0) 1200 entry->mask = MAY_READ; 1201 else if (strcmp(from, "MAY_APPEND") == 0) 1202 entry->mask = MAY_APPEND; 1203 else 1204 result = -EINVAL; 1205 if (!result) 1206 entry->flags |= (*args[0].from == '^') 1207 ? IMA_INMASK : IMA_MASK; 1208 break; 1209 case Opt_fsmagic: 1210 ima_log_string(ab, "fsmagic", args[0].from); 1211 1212 if (entry->fsmagic) { 1213 result = -EINVAL; 1214 break; 1215 } 1216 1217 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1218 if (!result) 1219 entry->flags |= IMA_FSMAGIC; 1220 break; 1221 case Opt_fsname: 1222 ima_log_string(ab, "fsname", args[0].from); 1223 1224 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1225 if (!entry->fsname) { 1226 result = -ENOMEM; 1227 break; 1228 } 1229 result = 0; 1230 entry->flags |= IMA_FSNAME; 1231 break; 1232 case Opt_keyrings: 1233 ima_log_string(ab, "keyrings", args[0].from); 1234 1235 keyrings_len = strlen(args[0].from) + 1; 1236 1237 if ((entry->keyrings) || 1238 (keyrings_len < 2)) { 1239 result = -EINVAL; 1240 break; 1241 } 1242 1243 if (keyrings_len > ima_keyrings_len) { 1244 char *tmpbuf; 1245 1246 tmpbuf = krealloc(ima_keyrings, keyrings_len, 1247 GFP_KERNEL); 1248 if (!tmpbuf) { 1249 result = -ENOMEM; 1250 break; 1251 } 1252 1253 ima_keyrings = tmpbuf; 1254 ima_keyrings_len = keyrings_len; 1255 } 1256 1257 entry->keyrings = kstrdup(args[0].from, GFP_KERNEL); 1258 if (!entry->keyrings) { 1259 kfree(ima_keyrings); 1260 ima_keyrings = NULL; 1261 ima_keyrings_len = 0; 1262 result = -ENOMEM; 1263 break; 1264 } 1265 result = 0; 1266 entry->flags |= IMA_KEYRINGS; 1267 break; 1268 case Opt_fsuuid: 1269 ima_log_string(ab, "fsuuid", args[0].from); 1270 1271 if (!uuid_is_null(&entry->fsuuid)) { 1272 result = -EINVAL; 1273 break; 1274 } 1275 1276 result = uuid_parse(args[0].from, &entry->fsuuid); 1277 if (!result) 1278 entry->flags |= IMA_FSUUID; 1279 break; 1280 case Opt_uid_gt: 1281 case Opt_euid_gt: 1282 entry->uid_op = &uid_gt; 1283 fallthrough; 1284 case Opt_uid_lt: 1285 case Opt_euid_lt: 1286 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1287 entry->uid_op = &uid_lt; 1288 fallthrough; 1289 case Opt_uid_eq: 1290 case Opt_euid_eq: 1291 uid_token = (token == Opt_uid_eq) || 1292 (token == Opt_uid_gt) || 1293 (token == Opt_uid_lt); 1294 1295 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1296 args[0].from, entry->uid_op); 1297 1298 if (uid_valid(entry->uid)) { 1299 result = -EINVAL; 1300 break; 1301 } 1302 1303 result = kstrtoul(args[0].from, 10, &lnum); 1304 if (!result) { 1305 entry->uid = make_kuid(current_user_ns(), 1306 (uid_t) lnum); 1307 if (!uid_valid(entry->uid) || 1308 (uid_t)lnum != lnum) 1309 result = -EINVAL; 1310 else 1311 entry->flags |= uid_token 1312 ? IMA_UID : IMA_EUID; 1313 } 1314 break; 1315 case Opt_fowner_gt: 1316 entry->fowner_op = &uid_gt; 1317 fallthrough; 1318 case Opt_fowner_lt: 1319 if (token == Opt_fowner_lt) 1320 entry->fowner_op = &uid_lt; 1321 fallthrough; 1322 case Opt_fowner_eq: 1323 ima_log_string_op(ab, "fowner", args[0].from, 1324 entry->fowner_op); 1325 1326 if (uid_valid(entry->fowner)) { 1327 result = -EINVAL; 1328 break; 1329 } 1330 1331 result = kstrtoul(args[0].from, 10, &lnum); 1332 if (!result) { 1333 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1334 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1335 result = -EINVAL; 1336 else 1337 entry->flags |= IMA_FOWNER; 1338 } 1339 break; 1340 case Opt_obj_user: 1341 ima_log_string(ab, "obj_user", args[0].from); 1342 result = ima_lsm_rule_init(entry, args, 1343 LSM_OBJ_USER, 1344 AUDIT_OBJ_USER); 1345 break; 1346 case Opt_obj_role: 1347 ima_log_string(ab, "obj_role", args[0].from); 1348 result = ima_lsm_rule_init(entry, args, 1349 LSM_OBJ_ROLE, 1350 AUDIT_OBJ_ROLE); 1351 break; 1352 case Opt_obj_type: 1353 ima_log_string(ab, "obj_type", args[0].from); 1354 result = ima_lsm_rule_init(entry, args, 1355 LSM_OBJ_TYPE, 1356 AUDIT_OBJ_TYPE); 1357 break; 1358 case Opt_subj_user: 1359 ima_log_string(ab, "subj_user", args[0].from); 1360 result = ima_lsm_rule_init(entry, args, 1361 LSM_SUBJ_USER, 1362 AUDIT_SUBJ_USER); 1363 break; 1364 case Opt_subj_role: 1365 ima_log_string(ab, "subj_role", args[0].from); 1366 result = ima_lsm_rule_init(entry, args, 1367 LSM_SUBJ_ROLE, 1368 AUDIT_SUBJ_ROLE); 1369 break; 1370 case Opt_subj_type: 1371 ima_log_string(ab, "subj_type", args[0].from); 1372 result = ima_lsm_rule_init(entry, args, 1373 LSM_SUBJ_TYPE, 1374 AUDIT_SUBJ_TYPE); 1375 break; 1376 case Opt_appraise_type: 1377 ima_log_string(ab, "appraise_type", args[0].from); 1378 if ((strcmp(args[0].from, "imasig")) == 0) 1379 entry->flags |= IMA_DIGSIG_REQUIRED; 1380 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1381 strcmp(args[0].from, "imasig|modsig") == 0) 1382 entry->flags |= IMA_DIGSIG_REQUIRED | 1383 IMA_MODSIG_ALLOWED; 1384 else 1385 result = -EINVAL; 1386 break; 1387 case Opt_appraise_flag: 1388 ima_log_string(ab, "appraise_flag", args[0].from); 1389 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1390 strstr(args[0].from, "blacklist")) 1391 entry->flags |= IMA_CHECK_BLACKLIST; 1392 else 1393 result = -EINVAL; 1394 break; 1395 case Opt_permit_directio: 1396 entry->flags |= IMA_PERMIT_DIRECTIO; 1397 break; 1398 case Opt_pcr: 1399 ima_log_string(ab, "pcr", args[0].from); 1400 1401 result = kstrtoint(args[0].from, 10, &entry->pcr); 1402 if (result || INVALID_PCR(entry->pcr)) 1403 result = -EINVAL; 1404 else 1405 entry->flags |= IMA_PCR; 1406 1407 break; 1408 case Opt_template: 1409 ima_log_string(ab, "template", args[0].from); 1410 if (entry->action != MEASURE) { 1411 result = -EINVAL; 1412 break; 1413 } 1414 template_desc = lookup_template_desc(args[0].from); 1415 if (!template_desc || entry->template) { 1416 result = -EINVAL; 1417 break; 1418 } 1419 1420 /* 1421 * template_desc_init_fields() does nothing if 1422 * the template is already initialised, so 1423 * it's safe to do this unconditionally 1424 */ 1425 template_desc_init_fields(template_desc->fmt, 1426 &(template_desc->fields), 1427 &(template_desc->num_fields)); 1428 entry->template = template_desc; 1429 break; 1430 case Opt_err: 1431 ima_log_string(ab, "UNKNOWN", p); 1432 result = -EINVAL; 1433 break; 1434 } 1435 } 1436 if (!result && !ima_validate_rule(entry)) 1437 result = -EINVAL; 1438 else if (entry->action == APPRAISE) 1439 temp_ima_appraise |= ima_appraise_flag(entry->func); 1440 1441 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1442 template_desc = entry->template ? entry->template : 1443 ima_template_desc_current(); 1444 check_template_modsig(template_desc); 1445 } 1446 1447 audit_log_format(ab, "res=%d", !result); 1448 audit_log_end(ab); 1449 return result; 1450 } 1451 1452 /** 1453 * ima_parse_add_rule - add a rule to ima_policy_rules 1454 * @rule - ima measurement policy rule 1455 * 1456 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1457 * Returns the length of the rule parsed, an error code on failure 1458 */ 1459 ssize_t ima_parse_add_rule(char *rule) 1460 { 1461 static const char op[] = "update_policy"; 1462 char *p; 1463 struct ima_rule_entry *entry; 1464 ssize_t result, len; 1465 int audit_info = 0; 1466 1467 p = strsep(&rule, "\n"); 1468 len = strlen(p) + 1; 1469 p += strspn(p, " \t"); 1470 1471 if (*p == '#' || *p == '\0') 1472 return len; 1473 1474 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1475 if (!entry) { 1476 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1477 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1478 return -ENOMEM; 1479 } 1480 1481 INIT_LIST_HEAD(&entry->list); 1482 1483 result = ima_parse_rule(p, entry); 1484 if (result) { 1485 ima_free_rule(entry); 1486 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1487 NULL, op, "invalid-policy", result, 1488 audit_info); 1489 return result; 1490 } 1491 1492 list_add_tail(&entry->list, &ima_temp_rules); 1493 1494 return len; 1495 } 1496 1497 /** 1498 * ima_delete_rules() called to cleanup invalid in-flight policy. 1499 * We don't need locking as we operate on the temp list, which is 1500 * different from the active one. There is also only one user of 1501 * ima_delete_rules() at a time. 1502 */ 1503 void ima_delete_rules(void) 1504 { 1505 struct ima_rule_entry *entry, *tmp; 1506 1507 temp_ima_appraise = 0; 1508 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1509 list_del(&entry->list); 1510 ima_free_rule(entry); 1511 } 1512 } 1513 1514 #define __ima_hook_stringify(func, str) (#func), 1515 1516 const char *const func_tokens[] = { 1517 __ima_hooks(__ima_hook_stringify) 1518 }; 1519 1520 #ifdef CONFIG_IMA_READ_POLICY 1521 enum { 1522 mask_exec = 0, mask_write, mask_read, mask_append 1523 }; 1524 1525 static const char *const mask_tokens[] = { 1526 "^MAY_EXEC", 1527 "^MAY_WRITE", 1528 "^MAY_READ", 1529 "^MAY_APPEND" 1530 }; 1531 1532 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1533 { 1534 loff_t l = *pos; 1535 struct ima_rule_entry *entry; 1536 1537 rcu_read_lock(); 1538 list_for_each_entry_rcu(entry, ima_rules, list) { 1539 if (!l--) { 1540 rcu_read_unlock(); 1541 return entry; 1542 } 1543 } 1544 rcu_read_unlock(); 1545 return NULL; 1546 } 1547 1548 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1549 { 1550 struct ima_rule_entry *entry = v; 1551 1552 rcu_read_lock(); 1553 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1554 rcu_read_unlock(); 1555 (*pos)++; 1556 1557 return (&entry->list == ima_rules) ? NULL : entry; 1558 } 1559 1560 void ima_policy_stop(struct seq_file *m, void *v) 1561 { 1562 } 1563 1564 #define pt(token) policy_tokens[token].pattern 1565 #define mt(token) mask_tokens[token] 1566 1567 /* 1568 * policy_func_show - display the ima_hooks policy rule 1569 */ 1570 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1571 { 1572 if (func > 0 && func < MAX_CHECK) 1573 seq_printf(m, "func=%s ", func_tokens[func]); 1574 else 1575 seq_printf(m, "func=%d ", func); 1576 } 1577 1578 int ima_policy_show(struct seq_file *m, void *v) 1579 { 1580 struct ima_rule_entry *entry = v; 1581 int i; 1582 char tbuf[64] = {0,}; 1583 int offset = 0; 1584 1585 rcu_read_lock(); 1586 1587 if (entry->action & MEASURE) 1588 seq_puts(m, pt(Opt_measure)); 1589 if (entry->action & DONT_MEASURE) 1590 seq_puts(m, pt(Opt_dont_measure)); 1591 if (entry->action & APPRAISE) 1592 seq_puts(m, pt(Opt_appraise)); 1593 if (entry->action & DONT_APPRAISE) 1594 seq_puts(m, pt(Opt_dont_appraise)); 1595 if (entry->action & AUDIT) 1596 seq_puts(m, pt(Opt_audit)); 1597 if (entry->action & HASH) 1598 seq_puts(m, pt(Opt_hash)); 1599 if (entry->action & DONT_HASH) 1600 seq_puts(m, pt(Opt_dont_hash)); 1601 1602 seq_puts(m, " "); 1603 1604 if (entry->flags & IMA_FUNC) 1605 policy_func_show(m, entry->func); 1606 1607 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1608 if (entry->flags & IMA_MASK) 1609 offset = 1; 1610 if (entry->mask & MAY_EXEC) 1611 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1612 if (entry->mask & MAY_WRITE) 1613 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1614 if (entry->mask & MAY_READ) 1615 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1616 if (entry->mask & MAY_APPEND) 1617 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1618 seq_puts(m, " "); 1619 } 1620 1621 if (entry->flags & IMA_FSMAGIC) { 1622 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1623 seq_printf(m, pt(Opt_fsmagic), tbuf); 1624 seq_puts(m, " "); 1625 } 1626 1627 if (entry->flags & IMA_FSNAME) { 1628 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1629 seq_printf(m, pt(Opt_fsname), tbuf); 1630 seq_puts(m, " "); 1631 } 1632 1633 if (entry->flags & IMA_KEYRINGS) { 1634 if (entry->keyrings != NULL) 1635 snprintf(tbuf, sizeof(tbuf), "%s", entry->keyrings); 1636 seq_printf(m, pt(Opt_keyrings), tbuf); 1637 seq_puts(m, " "); 1638 } 1639 1640 if (entry->flags & IMA_PCR) { 1641 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1642 seq_printf(m, pt(Opt_pcr), tbuf); 1643 seq_puts(m, " "); 1644 } 1645 1646 if (entry->flags & IMA_FSUUID) { 1647 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1648 seq_puts(m, " "); 1649 } 1650 1651 if (entry->flags & IMA_UID) { 1652 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1653 if (entry->uid_op == &uid_gt) 1654 seq_printf(m, pt(Opt_uid_gt), tbuf); 1655 else if (entry->uid_op == &uid_lt) 1656 seq_printf(m, pt(Opt_uid_lt), tbuf); 1657 else 1658 seq_printf(m, pt(Opt_uid_eq), tbuf); 1659 seq_puts(m, " "); 1660 } 1661 1662 if (entry->flags & IMA_EUID) { 1663 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1664 if (entry->uid_op == &uid_gt) 1665 seq_printf(m, pt(Opt_euid_gt), tbuf); 1666 else if (entry->uid_op == &uid_lt) 1667 seq_printf(m, pt(Opt_euid_lt), tbuf); 1668 else 1669 seq_printf(m, pt(Opt_euid_eq), tbuf); 1670 seq_puts(m, " "); 1671 } 1672 1673 if (entry->flags & IMA_FOWNER) { 1674 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1675 if (entry->fowner_op == &uid_gt) 1676 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1677 else if (entry->fowner_op == &uid_lt) 1678 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1679 else 1680 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1681 seq_puts(m, " "); 1682 } 1683 1684 for (i = 0; i < MAX_LSM_RULES; i++) { 1685 if (entry->lsm[i].rule) { 1686 switch (i) { 1687 case LSM_OBJ_USER: 1688 seq_printf(m, pt(Opt_obj_user), 1689 entry->lsm[i].args_p); 1690 break; 1691 case LSM_OBJ_ROLE: 1692 seq_printf(m, pt(Opt_obj_role), 1693 entry->lsm[i].args_p); 1694 break; 1695 case LSM_OBJ_TYPE: 1696 seq_printf(m, pt(Opt_obj_type), 1697 entry->lsm[i].args_p); 1698 break; 1699 case LSM_SUBJ_USER: 1700 seq_printf(m, pt(Opt_subj_user), 1701 entry->lsm[i].args_p); 1702 break; 1703 case LSM_SUBJ_ROLE: 1704 seq_printf(m, pt(Opt_subj_role), 1705 entry->lsm[i].args_p); 1706 break; 1707 case LSM_SUBJ_TYPE: 1708 seq_printf(m, pt(Opt_subj_type), 1709 entry->lsm[i].args_p); 1710 break; 1711 } 1712 seq_puts(m, " "); 1713 } 1714 } 1715 if (entry->template) 1716 seq_printf(m, "template=%s ", entry->template->name); 1717 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1718 if (entry->flags & IMA_MODSIG_ALLOWED) 1719 seq_puts(m, "appraise_type=imasig|modsig "); 1720 else 1721 seq_puts(m, "appraise_type=imasig "); 1722 } 1723 if (entry->flags & IMA_CHECK_BLACKLIST) 1724 seq_puts(m, "appraise_flag=check_blacklist "); 1725 if (entry->flags & IMA_PERMIT_DIRECTIO) 1726 seq_puts(m, "permit_directio "); 1727 rcu_read_unlock(); 1728 seq_puts(m, "\n"); 1729 return 0; 1730 } 1731 #endif /* CONFIG_IMA_READ_POLICY */ 1732 1733 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1734 /* 1735 * ima_appraise_signature: whether IMA will appraise a given function using 1736 * an IMA digital signature. This is restricted to cases where the kernel 1737 * has a set of built-in trusted keys in order to avoid an attacker simply 1738 * loading additional keys. 1739 */ 1740 bool ima_appraise_signature(enum kernel_read_file_id id) 1741 { 1742 struct ima_rule_entry *entry; 1743 bool found = false; 1744 enum ima_hooks func; 1745 1746 if (id >= READING_MAX_ID) 1747 return false; 1748 1749 func = read_idmap[id] ?: FILE_CHECK; 1750 1751 rcu_read_lock(); 1752 list_for_each_entry_rcu(entry, ima_rules, list) { 1753 if (entry->action != APPRAISE) 1754 continue; 1755 1756 /* 1757 * A generic entry will match, but otherwise require that it 1758 * match the func we're looking for 1759 */ 1760 if (entry->func && entry->func != func) 1761 continue; 1762 1763 /* 1764 * We require this to be a digital signature, not a raw IMA 1765 * hash. 1766 */ 1767 if (entry->flags & IMA_DIGSIG_REQUIRED) 1768 found = true; 1769 1770 /* 1771 * We've found a rule that matches, so break now even if it 1772 * didn't require a digital signature - a later rule that does 1773 * won't override it, so would be a false positive. 1774 */ 1775 break; 1776 } 1777 1778 rcu_read_unlock(); 1779 return found; 1780 } 1781 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1782