1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/genhd.h> 20 #include <linux/seq_file.h> 21 #include <linux/ima.h> 22 23 #include "ima.h" 24 25 /* flags definitions */ 26 #define IMA_FUNC 0x0001 27 #define IMA_MASK 0x0002 28 #define IMA_FSMAGIC 0x0004 29 #define IMA_UID 0x0008 30 #define IMA_FOWNER 0x0010 31 #define IMA_FSUUID 0x0020 32 #define IMA_INMASK 0x0040 33 #define IMA_EUID 0x0080 34 #define IMA_PCR 0x0100 35 #define IMA_FSNAME 0x0200 36 #define IMA_KEYRINGS 0x0400 37 #define IMA_LABEL 0x0800 38 39 #define UNKNOWN 0 40 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 41 #define DONT_MEASURE 0x0002 42 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 43 #define DONT_APPRAISE 0x0008 44 #define AUDIT 0x0040 45 #define HASH 0x0100 46 #define DONT_HASH 0x0200 47 48 #define INVALID_PCR(a) (((a) < 0) || \ 49 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 50 51 int ima_policy_flag; 52 static int temp_ima_appraise; 53 static int build_ima_appraise __ro_after_init; 54 55 #define MAX_LSM_RULES 6 56 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 57 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 58 }; 59 60 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 61 62 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 63 64 struct ima_rule_opt_list { 65 size_t count; 66 char *items[]; 67 }; 68 69 struct ima_rule_entry { 70 struct list_head list; 71 int action; 72 unsigned int flags; 73 enum ima_hooks func; 74 int mask; 75 unsigned long fsmagic; 76 uuid_t fsuuid; 77 kuid_t uid; 78 kuid_t fowner; 79 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 80 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 81 int pcr; 82 struct { 83 void *rule; /* LSM file metadata specific */ 84 char *args_p; /* audit value */ 85 int type; /* audit type */ 86 } lsm[MAX_LSM_RULES]; 87 char *fsname; 88 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 89 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 90 struct ima_template_desc *template; 91 }; 92 93 /* 94 * Without LSM specific knowledge, the default policy can only be 95 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 96 */ 97 98 /* 99 * The minimum rule set to allow for full TCB coverage. Measures all files 100 * opened or mmap for exec and everything read by root. Dangerous because 101 * normal users can easily run the machine out of memory simply building 102 * and running executables. 103 */ 104 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 105 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 106 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 107 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 108 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 109 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 110 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 111 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 112 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 113 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 114 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 115 .flags = IMA_FSMAGIC}, 116 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 117 .flags = IMA_FSMAGIC}, 118 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 119 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 120 }; 121 122 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 123 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 124 .flags = IMA_FUNC | IMA_MASK}, 125 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 126 .flags = IMA_FUNC | IMA_MASK}, 127 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 128 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 129 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 130 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 131 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 132 }; 133 134 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 135 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 136 .flags = IMA_FUNC | IMA_MASK}, 137 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 138 .flags = IMA_FUNC | IMA_MASK}, 139 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 140 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 141 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 142 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 143 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 144 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 145 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 146 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 147 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 148 }; 149 150 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 151 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 158 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 159 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 160 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 161 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 162 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 163 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 164 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 165 #ifdef CONFIG_IMA_WRITE_POLICY 166 {.action = APPRAISE, .func = POLICY_CHECK, 167 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 168 #endif 169 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 170 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 171 .flags = IMA_FOWNER}, 172 #else 173 /* force signature */ 174 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 175 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 176 #endif 177 }; 178 179 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 181 {.action = APPRAISE, .func = MODULE_CHECK, 182 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 183 #endif 184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 185 {.action = APPRAISE, .func = FIRMWARE_CHECK, 186 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 187 #endif 188 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 189 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 190 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 191 #endif 192 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 193 {.action = APPRAISE, .func = POLICY_CHECK, 194 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 195 #endif 196 }; 197 198 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 199 {.action = APPRAISE, .func = MODULE_CHECK, 200 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 201 {.action = APPRAISE, .func = FIRMWARE_CHECK, 202 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 203 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 204 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 205 {.action = APPRAISE, .func = POLICY_CHECK, 206 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 207 }; 208 209 static struct ima_rule_entry critical_data_rules[] __ro_after_init = { 210 {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, 211 }; 212 213 /* An array of architecture specific rules */ 214 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 215 216 static LIST_HEAD(ima_default_rules); 217 static LIST_HEAD(ima_policy_rules); 218 static LIST_HEAD(ima_temp_rules); 219 static struct list_head *ima_rules = &ima_default_rules; 220 221 static int ima_policy __initdata; 222 223 static int __init default_measure_policy_setup(char *str) 224 { 225 if (ima_policy) 226 return 1; 227 228 ima_policy = ORIGINAL_TCB; 229 return 1; 230 } 231 __setup("ima_tcb", default_measure_policy_setup); 232 233 static bool ima_use_appraise_tcb __initdata; 234 static bool ima_use_secure_boot __initdata; 235 static bool ima_use_critical_data __initdata; 236 static bool ima_fail_unverifiable_sigs __ro_after_init; 237 static int __init policy_setup(char *str) 238 { 239 char *p; 240 241 while ((p = strsep(&str, " |\n")) != NULL) { 242 if (*p == ' ') 243 continue; 244 if ((strcmp(p, "tcb") == 0) && !ima_policy) 245 ima_policy = DEFAULT_TCB; 246 else if (strcmp(p, "appraise_tcb") == 0) 247 ima_use_appraise_tcb = true; 248 else if (strcmp(p, "secure_boot") == 0) 249 ima_use_secure_boot = true; 250 else if (strcmp(p, "critical_data") == 0) 251 ima_use_critical_data = true; 252 else if (strcmp(p, "fail_securely") == 0) 253 ima_fail_unverifiable_sigs = true; 254 else 255 pr_err("policy \"%s\" not found", p); 256 } 257 258 return 1; 259 } 260 __setup("ima_policy=", policy_setup); 261 262 static int __init default_appraise_policy_setup(char *str) 263 { 264 ima_use_appraise_tcb = true; 265 return 1; 266 } 267 __setup("ima_appraise_tcb", default_appraise_policy_setup); 268 269 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 270 { 271 struct ima_rule_opt_list *opt_list; 272 size_t count = 0; 273 char *src_copy; 274 char *cur, *next; 275 size_t i; 276 277 src_copy = match_strdup(src); 278 if (!src_copy) 279 return ERR_PTR(-ENOMEM); 280 281 next = src_copy; 282 while ((cur = strsep(&next, "|"))) { 283 /* Don't accept an empty list item */ 284 if (!(*cur)) { 285 kfree(src_copy); 286 return ERR_PTR(-EINVAL); 287 } 288 count++; 289 } 290 291 /* Don't accept an empty list */ 292 if (!count) { 293 kfree(src_copy); 294 return ERR_PTR(-EINVAL); 295 } 296 297 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 298 if (!opt_list) { 299 kfree(src_copy); 300 return ERR_PTR(-ENOMEM); 301 } 302 303 /* 304 * strsep() has already replaced all instances of '|' with '\0', 305 * leaving a byte sequence of NUL-terminated strings. Reference each 306 * string with the array of items. 307 * 308 * IMPORTANT: Ownership of the allocated buffer is transferred from 309 * src_copy to the first element in the items array. To free the 310 * buffer, kfree() must only be called on the first element of the 311 * array. 312 */ 313 for (i = 0, cur = src_copy; i < count; i++) { 314 opt_list->items[i] = cur; 315 cur = strchr(cur, '\0') + 1; 316 } 317 opt_list->count = count; 318 319 return opt_list; 320 } 321 322 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 323 { 324 if (!opt_list) 325 return; 326 327 if (opt_list->count) { 328 kfree(opt_list->items[0]); 329 opt_list->count = 0; 330 } 331 332 kfree(opt_list); 333 } 334 335 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 336 { 337 int i; 338 339 for (i = 0; i < MAX_LSM_RULES; i++) { 340 ima_filter_rule_free(entry->lsm[i].rule); 341 kfree(entry->lsm[i].args_p); 342 } 343 } 344 345 static void ima_free_rule(struct ima_rule_entry *entry) 346 { 347 if (!entry) 348 return; 349 350 /* 351 * entry->template->fields may be allocated in ima_parse_rule() but that 352 * reference is owned by the corresponding ima_template_desc element in 353 * the defined_templates list and cannot be freed here 354 */ 355 kfree(entry->fsname); 356 ima_free_rule_opt_list(entry->keyrings); 357 ima_lsm_free_rule(entry); 358 kfree(entry); 359 } 360 361 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 362 { 363 struct ima_rule_entry *nentry; 364 int i; 365 366 /* 367 * Immutable elements are copied over as pointers and data; only 368 * lsm rules can change 369 */ 370 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 371 if (!nentry) 372 return NULL; 373 374 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 375 376 for (i = 0; i < MAX_LSM_RULES; i++) { 377 if (!entry->lsm[i].args_p) 378 continue; 379 380 nentry->lsm[i].type = entry->lsm[i].type; 381 nentry->lsm[i].args_p = entry->lsm[i].args_p; 382 /* 383 * Remove the reference from entry so that the associated 384 * memory will not be freed during a later call to 385 * ima_lsm_free_rule(entry). 386 */ 387 entry->lsm[i].args_p = NULL; 388 389 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 390 nentry->lsm[i].args_p, 391 &nentry->lsm[i].rule); 392 if (!nentry->lsm[i].rule) 393 pr_warn("rule for LSM \'%s\' is undefined\n", 394 nentry->lsm[i].args_p); 395 } 396 return nentry; 397 } 398 399 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 400 { 401 struct ima_rule_entry *nentry; 402 403 nentry = ima_lsm_copy_rule(entry); 404 if (!nentry) 405 return -ENOMEM; 406 407 list_replace_rcu(&entry->list, &nentry->list); 408 synchronize_rcu(); 409 /* 410 * ima_lsm_copy_rule() shallow copied all references, except for the 411 * LSM references, from entry to nentry so we only want to free the LSM 412 * references and the entry itself. All other memory refrences will now 413 * be owned by nentry. 414 */ 415 ima_lsm_free_rule(entry); 416 kfree(entry); 417 418 return 0; 419 } 420 421 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 422 { 423 int i; 424 425 for (i = 0; i < MAX_LSM_RULES; i++) 426 if (entry->lsm[i].args_p) 427 return true; 428 429 return false; 430 } 431 432 /* 433 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 434 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 435 * the reloaded LSM policy. 436 */ 437 static void ima_lsm_update_rules(void) 438 { 439 struct ima_rule_entry *entry, *e; 440 int result; 441 442 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 443 if (!ima_rule_contains_lsm_cond(entry)) 444 continue; 445 446 result = ima_lsm_update_rule(entry); 447 if (result) { 448 pr_err("lsm rule update error %d\n", result); 449 return; 450 } 451 } 452 } 453 454 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 455 void *lsm_data) 456 { 457 if (event != LSM_POLICY_CHANGE) 458 return NOTIFY_DONE; 459 460 ima_lsm_update_rules(); 461 return NOTIFY_OK; 462 } 463 464 /** 465 * ima_match_rule_data - determine whether func_data matches the policy rule 466 * @rule: a pointer to a rule 467 * @func_data: data to match against the measure rule data 468 * @cred: a pointer to a credentials structure for user validation 469 * 470 * Returns true if func_data matches one in the rule, false otherwise. 471 */ 472 static bool ima_match_rule_data(struct ima_rule_entry *rule, 473 const char *func_data, 474 const struct cred *cred) 475 { 476 const struct ima_rule_opt_list *opt_list = NULL; 477 bool matched = false; 478 size_t i; 479 480 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 481 return false; 482 483 switch (rule->func) { 484 case KEY_CHECK: 485 if (!rule->keyrings) 486 return true; 487 488 opt_list = rule->keyrings; 489 break; 490 case CRITICAL_DATA: 491 if (!rule->label) 492 return true; 493 494 opt_list = rule->label; 495 break; 496 default: 497 return false; 498 } 499 500 if (!func_data) 501 return false; 502 503 for (i = 0; i < opt_list->count; i++) { 504 if (!strcmp(opt_list->items[i], func_data)) { 505 matched = true; 506 break; 507 } 508 } 509 510 return matched; 511 } 512 513 /** 514 * ima_match_rules - determine whether an inode matches the policy rule. 515 * @rule: a pointer to a rule 516 * @mnt_userns: user namespace of the mount the inode was found from 517 * @inode: a pointer to an inode 518 * @cred: a pointer to a credentials structure for user validation 519 * @secid: the secid of the task to be validated 520 * @func: LIM hook identifier 521 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 522 * @func_data: func specific data, may be NULL 523 * 524 * Returns true on rule match, false on failure. 525 */ 526 static bool ima_match_rules(struct ima_rule_entry *rule, 527 struct user_namespace *mnt_userns, 528 struct inode *inode, const struct cred *cred, 529 u32 secid, enum ima_hooks func, int mask, 530 const char *func_data) 531 { 532 int i; 533 534 if ((rule->flags & IMA_FUNC) && 535 (rule->func != func && func != POST_SETATTR)) 536 return false; 537 538 switch (func) { 539 case KEY_CHECK: 540 case CRITICAL_DATA: 541 return ((rule->func == func) && 542 ima_match_rule_data(rule, func_data, cred)); 543 default: 544 break; 545 } 546 547 if ((rule->flags & IMA_MASK) && 548 (rule->mask != mask && func != POST_SETATTR)) 549 return false; 550 if ((rule->flags & IMA_INMASK) && 551 (!(rule->mask & mask) && func != POST_SETATTR)) 552 return false; 553 if ((rule->flags & IMA_FSMAGIC) 554 && rule->fsmagic != inode->i_sb->s_magic) 555 return false; 556 if ((rule->flags & IMA_FSNAME) 557 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 558 return false; 559 if ((rule->flags & IMA_FSUUID) && 560 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 561 return false; 562 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 563 return false; 564 if (rule->flags & IMA_EUID) { 565 if (has_capability_noaudit(current, CAP_SETUID)) { 566 if (!rule->uid_op(cred->euid, rule->uid) 567 && !rule->uid_op(cred->suid, rule->uid) 568 && !rule->uid_op(cred->uid, rule->uid)) 569 return false; 570 } else if (!rule->uid_op(cred->euid, rule->uid)) 571 return false; 572 } 573 574 if ((rule->flags & IMA_FOWNER) && 575 !rule->fowner_op(i_uid_into_mnt(mnt_userns, inode), rule->fowner)) 576 return false; 577 for (i = 0; i < MAX_LSM_RULES; i++) { 578 int rc = 0; 579 u32 osid; 580 581 if (!rule->lsm[i].rule) { 582 if (!rule->lsm[i].args_p) 583 continue; 584 else 585 return false; 586 } 587 switch (i) { 588 case LSM_OBJ_USER: 589 case LSM_OBJ_ROLE: 590 case LSM_OBJ_TYPE: 591 security_inode_getsecid(inode, &osid); 592 rc = ima_filter_rule_match(osid, rule->lsm[i].type, 593 Audit_equal, 594 rule->lsm[i].rule); 595 break; 596 case LSM_SUBJ_USER: 597 case LSM_SUBJ_ROLE: 598 case LSM_SUBJ_TYPE: 599 rc = ima_filter_rule_match(secid, rule->lsm[i].type, 600 Audit_equal, 601 rule->lsm[i].rule); 602 break; 603 default: 604 break; 605 } 606 if (!rc) 607 return false; 608 } 609 return true; 610 } 611 612 /* 613 * In addition to knowing that we need to appraise the file in general, 614 * we need to differentiate between calling hooks, for hook specific rules. 615 */ 616 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 617 { 618 if (!(rule->flags & IMA_FUNC)) 619 return IMA_FILE_APPRAISE; 620 621 switch (func) { 622 case MMAP_CHECK: 623 return IMA_MMAP_APPRAISE; 624 case BPRM_CHECK: 625 return IMA_BPRM_APPRAISE; 626 case CREDS_CHECK: 627 return IMA_CREDS_APPRAISE; 628 case FILE_CHECK: 629 case POST_SETATTR: 630 return IMA_FILE_APPRAISE; 631 case MODULE_CHECK ... MAX_CHECK - 1: 632 default: 633 return IMA_READ_APPRAISE; 634 } 635 } 636 637 /** 638 * ima_match_policy - decision based on LSM and other conditions 639 * @mnt_userns: user namespace of the mount the inode was found from 640 * @inode: pointer to an inode for which the policy decision is being made 641 * @cred: pointer to a credentials structure for which the policy decision is 642 * being made 643 * @secid: LSM secid of the task to be validated 644 * @func: IMA hook identifier 645 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 646 * @pcr: set the pcr to extend 647 * @template_desc: the template that should be used for this rule 648 * @func_data: func specific data, may be NULL 649 * 650 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 651 * conditions. 652 * 653 * Since the IMA policy may be updated multiple times we need to lock the 654 * list when walking it. Reads are many orders of magnitude more numerous 655 * than writes so ima_match_policy() is classical RCU candidate. 656 */ 657 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, 658 const struct cred *cred, u32 secid, enum ima_hooks func, 659 int mask, int flags, int *pcr, 660 struct ima_template_desc **template_desc, 661 const char *func_data) 662 { 663 struct ima_rule_entry *entry; 664 int action = 0, actmask = flags | (flags << 1); 665 666 if (template_desc && !*template_desc) 667 *template_desc = ima_template_desc_current(); 668 669 rcu_read_lock(); 670 list_for_each_entry_rcu(entry, ima_rules, list) { 671 672 if (!(entry->action & actmask)) 673 continue; 674 675 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, 676 func, mask, func_data)) 677 continue; 678 679 action |= entry->flags & IMA_ACTION_FLAGS; 680 681 action |= entry->action & IMA_DO_MASK; 682 if (entry->action & IMA_APPRAISE) { 683 action |= get_subaction(entry, func); 684 action &= ~IMA_HASH; 685 if (ima_fail_unverifiable_sigs) 686 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 687 } 688 689 690 if (entry->action & IMA_DO_MASK) 691 actmask &= ~(entry->action | entry->action << 1); 692 else 693 actmask &= ~(entry->action | entry->action >> 1); 694 695 if ((pcr) && (entry->flags & IMA_PCR)) 696 *pcr = entry->pcr; 697 698 if (template_desc && entry->template) 699 *template_desc = entry->template; 700 701 if (!actmask) 702 break; 703 } 704 rcu_read_unlock(); 705 706 return action; 707 } 708 709 /* 710 * Initialize the ima_policy_flag variable based on the currently 711 * loaded policy. Based on this flag, the decision to short circuit 712 * out of a function or not call the function in the first place 713 * can be made earlier. 714 */ 715 void ima_update_policy_flag(void) 716 { 717 struct ima_rule_entry *entry; 718 719 list_for_each_entry(entry, ima_rules, list) { 720 if (entry->action & IMA_DO_MASK) 721 ima_policy_flag |= entry->action; 722 } 723 724 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 725 if (!ima_appraise) 726 ima_policy_flag &= ~IMA_APPRAISE; 727 } 728 729 static int ima_appraise_flag(enum ima_hooks func) 730 { 731 if (func == MODULE_CHECK) 732 return IMA_APPRAISE_MODULES; 733 else if (func == FIRMWARE_CHECK) 734 return IMA_APPRAISE_FIRMWARE; 735 else if (func == POLICY_CHECK) 736 return IMA_APPRAISE_POLICY; 737 else if (func == KEXEC_KERNEL_CHECK) 738 return IMA_APPRAISE_KEXEC; 739 return 0; 740 } 741 742 static void add_rules(struct ima_rule_entry *entries, int count, 743 enum policy_rule_list policy_rule) 744 { 745 int i = 0; 746 747 for (i = 0; i < count; i++) { 748 struct ima_rule_entry *entry; 749 750 if (policy_rule & IMA_DEFAULT_POLICY) 751 list_add_tail(&entries[i].list, &ima_default_rules); 752 753 if (policy_rule & IMA_CUSTOM_POLICY) { 754 entry = kmemdup(&entries[i], sizeof(*entry), 755 GFP_KERNEL); 756 if (!entry) 757 continue; 758 759 list_add_tail(&entry->list, &ima_policy_rules); 760 } 761 if (entries[i].action == APPRAISE) { 762 if (entries != build_appraise_rules) 763 temp_ima_appraise |= 764 ima_appraise_flag(entries[i].func); 765 else 766 build_ima_appraise |= 767 ima_appraise_flag(entries[i].func); 768 } 769 } 770 } 771 772 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 773 774 static int __init ima_init_arch_policy(void) 775 { 776 const char * const *arch_rules; 777 const char * const *rules; 778 int arch_entries = 0; 779 int i = 0; 780 781 arch_rules = arch_get_ima_policy(); 782 if (!arch_rules) 783 return arch_entries; 784 785 /* Get number of rules */ 786 for (rules = arch_rules; *rules != NULL; rules++) 787 arch_entries++; 788 789 arch_policy_entry = kcalloc(arch_entries + 1, 790 sizeof(*arch_policy_entry), GFP_KERNEL); 791 if (!arch_policy_entry) 792 return 0; 793 794 /* Convert each policy string rules to struct ima_rule_entry format */ 795 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 796 char rule[255]; 797 int result; 798 799 result = strlcpy(rule, *rules, sizeof(rule)); 800 801 INIT_LIST_HEAD(&arch_policy_entry[i].list); 802 result = ima_parse_rule(rule, &arch_policy_entry[i]); 803 if (result) { 804 pr_warn("Skipping unknown architecture policy rule: %s\n", 805 rule); 806 memset(&arch_policy_entry[i], 0, 807 sizeof(*arch_policy_entry)); 808 continue; 809 } 810 i++; 811 } 812 return i; 813 } 814 815 /** 816 * ima_init_policy - initialize the default measure rules. 817 * 818 * ima_rules points to either the ima_default_rules or the 819 * the new ima_policy_rules. 820 */ 821 void __init ima_init_policy(void) 822 { 823 int build_appraise_entries, arch_entries; 824 825 /* if !ima_policy, we load NO default rules */ 826 if (ima_policy) 827 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 828 IMA_DEFAULT_POLICY); 829 830 switch (ima_policy) { 831 case ORIGINAL_TCB: 832 add_rules(original_measurement_rules, 833 ARRAY_SIZE(original_measurement_rules), 834 IMA_DEFAULT_POLICY); 835 break; 836 case DEFAULT_TCB: 837 add_rules(default_measurement_rules, 838 ARRAY_SIZE(default_measurement_rules), 839 IMA_DEFAULT_POLICY); 840 break; 841 default: 842 break; 843 } 844 845 /* 846 * Based on runtime secure boot flags, insert arch specific measurement 847 * and appraise rules requiring file signatures for both the initial 848 * and custom policies, prior to other appraise rules. 849 * (Highest priority) 850 */ 851 arch_entries = ima_init_arch_policy(); 852 if (!arch_entries) 853 pr_info("No architecture policies found\n"); 854 else 855 add_rules(arch_policy_entry, arch_entries, 856 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 857 858 /* 859 * Insert the builtin "secure_boot" policy rules requiring file 860 * signatures, prior to other appraise rules. 861 */ 862 if (ima_use_secure_boot) 863 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 864 IMA_DEFAULT_POLICY); 865 866 /* 867 * Insert the build time appraise rules requiring file signatures 868 * for both the initial and custom policies, prior to other appraise 869 * rules. As the secure boot rules includes all of the build time 870 * rules, include either one or the other set of rules, but not both. 871 */ 872 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 873 if (build_appraise_entries) { 874 if (ima_use_secure_boot) 875 add_rules(build_appraise_rules, build_appraise_entries, 876 IMA_CUSTOM_POLICY); 877 else 878 add_rules(build_appraise_rules, build_appraise_entries, 879 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 880 } 881 882 if (ima_use_appraise_tcb) 883 add_rules(default_appraise_rules, 884 ARRAY_SIZE(default_appraise_rules), 885 IMA_DEFAULT_POLICY); 886 887 if (ima_use_critical_data) 888 add_rules(critical_data_rules, 889 ARRAY_SIZE(critical_data_rules), 890 IMA_DEFAULT_POLICY); 891 892 ima_update_policy_flag(); 893 } 894 895 /* Make sure we have a valid policy, at least containing some rules. */ 896 int ima_check_policy(void) 897 { 898 if (list_empty(&ima_temp_rules)) 899 return -EINVAL; 900 return 0; 901 } 902 903 /** 904 * ima_update_policy - update default_rules with new measure rules 905 * 906 * Called on file .release to update the default rules with a complete new 907 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 908 * they make a queue. The policy may be updated multiple times and this is the 909 * RCU updater. 910 * 911 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 912 * we switch from the default policy to user defined. 913 */ 914 void ima_update_policy(void) 915 { 916 struct list_head *policy = &ima_policy_rules; 917 918 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 919 920 if (ima_rules != policy) { 921 ima_policy_flag = 0; 922 ima_rules = policy; 923 924 /* 925 * IMA architecture specific policy rules are specified 926 * as strings and converted to an array of ima_entry_rules 927 * on boot. After loading a custom policy, free the 928 * architecture specific rules stored as an array. 929 */ 930 kfree(arch_policy_entry); 931 } 932 ima_update_policy_flag(); 933 934 /* Custom IMA policy has been loaded */ 935 ima_process_queued_keys(); 936 } 937 938 /* Keep the enumeration in sync with the policy_tokens! */ 939 enum { 940 Opt_measure, Opt_dont_measure, 941 Opt_appraise, Opt_dont_appraise, 942 Opt_audit, Opt_hash, Opt_dont_hash, 943 Opt_obj_user, Opt_obj_role, Opt_obj_type, 944 Opt_subj_user, Opt_subj_role, Opt_subj_type, 945 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 946 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 947 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 948 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 949 Opt_appraise_type, Opt_appraise_flag, 950 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 951 Opt_label, Opt_err 952 }; 953 954 static const match_table_t policy_tokens = { 955 {Opt_measure, "measure"}, 956 {Opt_dont_measure, "dont_measure"}, 957 {Opt_appraise, "appraise"}, 958 {Opt_dont_appraise, "dont_appraise"}, 959 {Opt_audit, "audit"}, 960 {Opt_hash, "hash"}, 961 {Opt_dont_hash, "dont_hash"}, 962 {Opt_obj_user, "obj_user=%s"}, 963 {Opt_obj_role, "obj_role=%s"}, 964 {Opt_obj_type, "obj_type=%s"}, 965 {Opt_subj_user, "subj_user=%s"}, 966 {Opt_subj_role, "subj_role=%s"}, 967 {Opt_subj_type, "subj_type=%s"}, 968 {Opt_func, "func=%s"}, 969 {Opt_mask, "mask=%s"}, 970 {Opt_fsmagic, "fsmagic=%s"}, 971 {Opt_fsname, "fsname=%s"}, 972 {Opt_fsuuid, "fsuuid=%s"}, 973 {Opt_uid_eq, "uid=%s"}, 974 {Opt_euid_eq, "euid=%s"}, 975 {Opt_fowner_eq, "fowner=%s"}, 976 {Opt_uid_gt, "uid>%s"}, 977 {Opt_euid_gt, "euid>%s"}, 978 {Opt_fowner_gt, "fowner>%s"}, 979 {Opt_uid_lt, "uid<%s"}, 980 {Opt_euid_lt, "euid<%s"}, 981 {Opt_fowner_lt, "fowner<%s"}, 982 {Opt_appraise_type, "appraise_type=%s"}, 983 {Opt_appraise_flag, "appraise_flag=%s"}, 984 {Opt_permit_directio, "permit_directio"}, 985 {Opt_pcr, "pcr=%s"}, 986 {Opt_template, "template=%s"}, 987 {Opt_keyrings, "keyrings=%s"}, 988 {Opt_label, "label=%s"}, 989 {Opt_err, NULL} 990 }; 991 992 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 993 substring_t *args, int lsm_rule, int audit_type) 994 { 995 int result; 996 997 if (entry->lsm[lsm_rule].rule) 998 return -EINVAL; 999 1000 entry->lsm[lsm_rule].args_p = match_strdup(args); 1001 if (!entry->lsm[lsm_rule].args_p) 1002 return -ENOMEM; 1003 1004 entry->lsm[lsm_rule].type = audit_type; 1005 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1006 entry->lsm[lsm_rule].args_p, 1007 &entry->lsm[lsm_rule].rule); 1008 if (!entry->lsm[lsm_rule].rule) { 1009 pr_warn("rule for LSM \'%s\' is undefined\n", 1010 entry->lsm[lsm_rule].args_p); 1011 1012 if (ima_rules == &ima_default_rules) { 1013 kfree(entry->lsm[lsm_rule].args_p); 1014 entry->lsm[lsm_rule].args_p = NULL; 1015 result = -EINVAL; 1016 } else 1017 result = 0; 1018 } 1019 1020 return result; 1021 } 1022 1023 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1024 bool (*rule_operator)(kuid_t, kuid_t)) 1025 { 1026 if (!ab) 1027 return; 1028 1029 if (rule_operator == &uid_gt) 1030 audit_log_format(ab, "%s>", key); 1031 else if (rule_operator == &uid_lt) 1032 audit_log_format(ab, "%s<", key); 1033 else 1034 audit_log_format(ab, "%s=", key); 1035 audit_log_format(ab, "%s ", value); 1036 } 1037 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1038 { 1039 ima_log_string_op(ab, key, value, NULL); 1040 } 1041 1042 /* 1043 * Validating the appended signature included in the measurement list requires 1044 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1045 * field). Therefore, notify the user if they have the 'modsig' field but not 1046 * the 'd-modsig' field in the template. 1047 */ 1048 static void check_template_modsig(const struct ima_template_desc *template) 1049 { 1050 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1051 bool has_modsig, has_dmodsig; 1052 static bool checked; 1053 int i; 1054 1055 /* We only need to notify the user once. */ 1056 if (checked) 1057 return; 1058 1059 has_modsig = has_dmodsig = false; 1060 for (i = 0; i < template->num_fields; i++) { 1061 if (!strcmp(template->fields[i]->field_id, "modsig")) 1062 has_modsig = true; 1063 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1064 has_dmodsig = true; 1065 } 1066 1067 if (has_modsig && !has_dmodsig) 1068 pr_notice(MSG); 1069 1070 checked = true; 1071 #undef MSG 1072 } 1073 1074 static bool ima_validate_rule(struct ima_rule_entry *entry) 1075 { 1076 /* Ensure that the action is set and is compatible with the flags */ 1077 if (entry->action == UNKNOWN) 1078 return false; 1079 1080 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1081 return false; 1082 1083 if (entry->action != APPRAISE && 1084 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)) 1085 return false; 1086 1087 /* 1088 * The IMA_FUNC bit must be set if and only if there's a valid hook 1089 * function specified, and vice versa. Enforcing this property allows 1090 * for the NONE case below to validate a rule without an explicit hook 1091 * function. 1092 */ 1093 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1094 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1095 return false; 1096 1097 /* 1098 * Ensure that the hook function is compatible with the other 1099 * components of the rule 1100 */ 1101 switch (entry->func) { 1102 case NONE: 1103 case FILE_CHECK: 1104 case MMAP_CHECK: 1105 case BPRM_CHECK: 1106 case CREDS_CHECK: 1107 case POST_SETATTR: 1108 case FIRMWARE_CHECK: 1109 case POLICY_CHECK: 1110 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1111 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1112 IMA_INMASK | IMA_EUID | IMA_PCR | 1113 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1114 IMA_PERMIT_DIRECTIO)) 1115 return false; 1116 1117 break; 1118 case MODULE_CHECK: 1119 case KEXEC_KERNEL_CHECK: 1120 case KEXEC_INITRAMFS_CHECK: 1121 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1122 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1123 IMA_INMASK | IMA_EUID | IMA_PCR | 1124 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1125 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1126 IMA_CHECK_BLACKLIST)) 1127 return false; 1128 1129 break; 1130 case KEXEC_CMDLINE: 1131 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1132 return false; 1133 1134 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1135 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1136 IMA_PCR | IMA_FSNAME)) 1137 return false; 1138 1139 break; 1140 case KEY_CHECK: 1141 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1142 return false; 1143 1144 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1145 IMA_KEYRINGS)) 1146 return false; 1147 1148 if (ima_rule_contains_lsm_cond(entry)) 1149 return false; 1150 1151 break; 1152 case CRITICAL_DATA: 1153 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1154 return false; 1155 1156 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1157 IMA_LABEL)) 1158 return false; 1159 1160 if (ima_rule_contains_lsm_cond(entry)) 1161 return false; 1162 1163 break; 1164 default: 1165 return false; 1166 } 1167 1168 /* Ensure that combinations of flags are compatible with each other */ 1169 if (entry->flags & IMA_CHECK_BLACKLIST && 1170 !(entry->flags & IMA_MODSIG_ALLOWED)) 1171 return false; 1172 1173 return true; 1174 } 1175 1176 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1177 { 1178 struct audit_buffer *ab; 1179 char *from; 1180 char *p; 1181 bool uid_token; 1182 struct ima_template_desc *template_desc; 1183 int result = 0; 1184 1185 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1186 AUDIT_INTEGRITY_POLICY_RULE); 1187 1188 entry->uid = INVALID_UID; 1189 entry->fowner = INVALID_UID; 1190 entry->uid_op = &uid_eq; 1191 entry->fowner_op = &uid_eq; 1192 entry->action = UNKNOWN; 1193 while ((p = strsep(&rule, " \t")) != NULL) { 1194 substring_t args[MAX_OPT_ARGS]; 1195 int token; 1196 unsigned long lnum; 1197 1198 if (result < 0) 1199 break; 1200 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1201 continue; 1202 token = match_token(p, policy_tokens, args); 1203 switch (token) { 1204 case Opt_measure: 1205 ima_log_string(ab, "action", "measure"); 1206 1207 if (entry->action != UNKNOWN) 1208 result = -EINVAL; 1209 1210 entry->action = MEASURE; 1211 break; 1212 case Opt_dont_measure: 1213 ima_log_string(ab, "action", "dont_measure"); 1214 1215 if (entry->action != UNKNOWN) 1216 result = -EINVAL; 1217 1218 entry->action = DONT_MEASURE; 1219 break; 1220 case Opt_appraise: 1221 ima_log_string(ab, "action", "appraise"); 1222 1223 if (entry->action != UNKNOWN) 1224 result = -EINVAL; 1225 1226 entry->action = APPRAISE; 1227 break; 1228 case Opt_dont_appraise: 1229 ima_log_string(ab, "action", "dont_appraise"); 1230 1231 if (entry->action != UNKNOWN) 1232 result = -EINVAL; 1233 1234 entry->action = DONT_APPRAISE; 1235 break; 1236 case Opt_audit: 1237 ima_log_string(ab, "action", "audit"); 1238 1239 if (entry->action != UNKNOWN) 1240 result = -EINVAL; 1241 1242 entry->action = AUDIT; 1243 break; 1244 case Opt_hash: 1245 ima_log_string(ab, "action", "hash"); 1246 1247 if (entry->action != UNKNOWN) 1248 result = -EINVAL; 1249 1250 entry->action = HASH; 1251 break; 1252 case Opt_dont_hash: 1253 ima_log_string(ab, "action", "dont_hash"); 1254 1255 if (entry->action != UNKNOWN) 1256 result = -EINVAL; 1257 1258 entry->action = DONT_HASH; 1259 break; 1260 case Opt_func: 1261 ima_log_string(ab, "func", args[0].from); 1262 1263 if (entry->func) 1264 result = -EINVAL; 1265 1266 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1267 entry->func = FILE_CHECK; 1268 /* PATH_CHECK is for backwards compat */ 1269 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1270 entry->func = FILE_CHECK; 1271 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1272 entry->func = MODULE_CHECK; 1273 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1274 entry->func = FIRMWARE_CHECK; 1275 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1276 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1277 entry->func = MMAP_CHECK; 1278 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1279 entry->func = BPRM_CHECK; 1280 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1281 entry->func = CREDS_CHECK; 1282 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1283 0) 1284 entry->func = KEXEC_KERNEL_CHECK; 1285 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1286 == 0) 1287 entry->func = KEXEC_INITRAMFS_CHECK; 1288 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1289 entry->func = POLICY_CHECK; 1290 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1291 entry->func = KEXEC_CMDLINE; 1292 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1293 strcmp(args[0].from, "KEY_CHECK") == 0) 1294 entry->func = KEY_CHECK; 1295 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1296 entry->func = CRITICAL_DATA; 1297 else 1298 result = -EINVAL; 1299 if (!result) 1300 entry->flags |= IMA_FUNC; 1301 break; 1302 case Opt_mask: 1303 ima_log_string(ab, "mask", args[0].from); 1304 1305 if (entry->mask) 1306 result = -EINVAL; 1307 1308 from = args[0].from; 1309 if (*from == '^') 1310 from++; 1311 1312 if ((strcmp(from, "MAY_EXEC")) == 0) 1313 entry->mask = MAY_EXEC; 1314 else if (strcmp(from, "MAY_WRITE") == 0) 1315 entry->mask = MAY_WRITE; 1316 else if (strcmp(from, "MAY_READ") == 0) 1317 entry->mask = MAY_READ; 1318 else if (strcmp(from, "MAY_APPEND") == 0) 1319 entry->mask = MAY_APPEND; 1320 else 1321 result = -EINVAL; 1322 if (!result) 1323 entry->flags |= (*args[0].from == '^') 1324 ? IMA_INMASK : IMA_MASK; 1325 break; 1326 case Opt_fsmagic: 1327 ima_log_string(ab, "fsmagic", args[0].from); 1328 1329 if (entry->fsmagic) { 1330 result = -EINVAL; 1331 break; 1332 } 1333 1334 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1335 if (!result) 1336 entry->flags |= IMA_FSMAGIC; 1337 break; 1338 case Opt_fsname: 1339 ima_log_string(ab, "fsname", args[0].from); 1340 1341 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1342 if (!entry->fsname) { 1343 result = -ENOMEM; 1344 break; 1345 } 1346 result = 0; 1347 entry->flags |= IMA_FSNAME; 1348 break; 1349 case Opt_keyrings: 1350 ima_log_string(ab, "keyrings", args[0].from); 1351 1352 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1353 entry->keyrings) { 1354 result = -EINVAL; 1355 break; 1356 } 1357 1358 entry->keyrings = ima_alloc_rule_opt_list(args); 1359 if (IS_ERR(entry->keyrings)) { 1360 result = PTR_ERR(entry->keyrings); 1361 entry->keyrings = NULL; 1362 break; 1363 } 1364 1365 entry->flags |= IMA_KEYRINGS; 1366 break; 1367 case Opt_label: 1368 ima_log_string(ab, "label", args[0].from); 1369 1370 if (entry->label) { 1371 result = -EINVAL; 1372 break; 1373 } 1374 1375 entry->label = ima_alloc_rule_opt_list(args); 1376 if (IS_ERR(entry->label)) { 1377 result = PTR_ERR(entry->label); 1378 entry->label = NULL; 1379 break; 1380 } 1381 1382 entry->flags |= IMA_LABEL; 1383 break; 1384 case Opt_fsuuid: 1385 ima_log_string(ab, "fsuuid", args[0].from); 1386 1387 if (!uuid_is_null(&entry->fsuuid)) { 1388 result = -EINVAL; 1389 break; 1390 } 1391 1392 result = uuid_parse(args[0].from, &entry->fsuuid); 1393 if (!result) 1394 entry->flags |= IMA_FSUUID; 1395 break; 1396 case Opt_uid_gt: 1397 case Opt_euid_gt: 1398 entry->uid_op = &uid_gt; 1399 fallthrough; 1400 case Opt_uid_lt: 1401 case Opt_euid_lt: 1402 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1403 entry->uid_op = &uid_lt; 1404 fallthrough; 1405 case Opt_uid_eq: 1406 case Opt_euid_eq: 1407 uid_token = (token == Opt_uid_eq) || 1408 (token == Opt_uid_gt) || 1409 (token == Opt_uid_lt); 1410 1411 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1412 args[0].from, entry->uid_op); 1413 1414 if (uid_valid(entry->uid)) { 1415 result = -EINVAL; 1416 break; 1417 } 1418 1419 result = kstrtoul(args[0].from, 10, &lnum); 1420 if (!result) { 1421 entry->uid = make_kuid(current_user_ns(), 1422 (uid_t) lnum); 1423 if (!uid_valid(entry->uid) || 1424 (uid_t)lnum != lnum) 1425 result = -EINVAL; 1426 else 1427 entry->flags |= uid_token 1428 ? IMA_UID : IMA_EUID; 1429 } 1430 break; 1431 case Opt_fowner_gt: 1432 entry->fowner_op = &uid_gt; 1433 fallthrough; 1434 case Opt_fowner_lt: 1435 if (token == Opt_fowner_lt) 1436 entry->fowner_op = &uid_lt; 1437 fallthrough; 1438 case Opt_fowner_eq: 1439 ima_log_string_op(ab, "fowner", args[0].from, 1440 entry->fowner_op); 1441 1442 if (uid_valid(entry->fowner)) { 1443 result = -EINVAL; 1444 break; 1445 } 1446 1447 result = kstrtoul(args[0].from, 10, &lnum); 1448 if (!result) { 1449 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1450 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1451 result = -EINVAL; 1452 else 1453 entry->flags |= IMA_FOWNER; 1454 } 1455 break; 1456 case Opt_obj_user: 1457 ima_log_string(ab, "obj_user", args[0].from); 1458 result = ima_lsm_rule_init(entry, args, 1459 LSM_OBJ_USER, 1460 AUDIT_OBJ_USER); 1461 break; 1462 case Opt_obj_role: 1463 ima_log_string(ab, "obj_role", args[0].from); 1464 result = ima_lsm_rule_init(entry, args, 1465 LSM_OBJ_ROLE, 1466 AUDIT_OBJ_ROLE); 1467 break; 1468 case Opt_obj_type: 1469 ima_log_string(ab, "obj_type", args[0].from); 1470 result = ima_lsm_rule_init(entry, args, 1471 LSM_OBJ_TYPE, 1472 AUDIT_OBJ_TYPE); 1473 break; 1474 case Opt_subj_user: 1475 ima_log_string(ab, "subj_user", args[0].from); 1476 result = ima_lsm_rule_init(entry, args, 1477 LSM_SUBJ_USER, 1478 AUDIT_SUBJ_USER); 1479 break; 1480 case Opt_subj_role: 1481 ima_log_string(ab, "subj_role", args[0].from); 1482 result = ima_lsm_rule_init(entry, args, 1483 LSM_SUBJ_ROLE, 1484 AUDIT_SUBJ_ROLE); 1485 break; 1486 case Opt_subj_type: 1487 ima_log_string(ab, "subj_type", args[0].from); 1488 result = ima_lsm_rule_init(entry, args, 1489 LSM_SUBJ_TYPE, 1490 AUDIT_SUBJ_TYPE); 1491 break; 1492 case Opt_appraise_type: 1493 ima_log_string(ab, "appraise_type", args[0].from); 1494 if ((strcmp(args[0].from, "imasig")) == 0) 1495 entry->flags |= IMA_DIGSIG_REQUIRED; 1496 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1497 strcmp(args[0].from, "imasig|modsig") == 0) 1498 entry->flags |= IMA_DIGSIG_REQUIRED | 1499 IMA_MODSIG_ALLOWED; 1500 else 1501 result = -EINVAL; 1502 break; 1503 case Opt_appraise_flag: 1504 ima_log_string(ab, "appraise_flag", args[0].from); 1505 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1506 strstr(args[0].from, "blacklist")) 1507 entry->flags |= IMA_CHECK_BLACKLIST; 1508 else 1509 result = -EINVAL; 1510 break; 1511 case Opt_permit_directio: 1512 entry->flags |= IMA_PERMIT_DIRECTIO; 1513 break; 1514 case Opt_pcr: 1515 ima_log_string(ab, "pcr", args[0].from); 1516 1517 result = kstrtoint(args[0].from, 10, &entry->pcr); 1518 if (result || INVALID_PCR(entry->pcr)) 1519 result = -EINVAL; 1520 else 1521 entry->flags |= IMA_PCR; 1522 1523 break; 1524 case Opt_template: 1525 ima_log_string(ab, "template", args[0].from); 1526 if (entry->action != MEASURE) { 1527 result = -EINVAL; 1528 break; 1529 } 1530 template_desc = lookup_template_desc(args[0].from); 1531 if (!template_desc || entry->template) { 1532 result = -EINVAL; 1533 break; 1534 } 1535 1536 /* 1537 * template_desc_init_fields() does nothing if 1538 * the template is already initialised, so 1539 * it's safe to do this unconditionally 1540 */ 1541 template_desc_init_fields(template_desc->fmt, 1542 &(template_desc->fields), 1543 &(template_desc->num_fields)); 1544 entry->template = template_desc; 1545 break; 1546 case Opt_err: 1547 ima_log_string(ab, "UNKNOWN", p); 1548 result = -EINVAL; 1549 break; 1550 } 1551 } 1552 if (!result && !ima_validate_rule(entry)) 1553 result = -EINVAL; 1554 else if (entry->action == APPRAISE) 1555 temp_ima_appraise |= ima_appraise_flag(entry->func); 1556 1557 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1558 template_desc = entry->template ? entry->template : 1559 ima_template_desc_current(); 1560 check_template_modsig(template_desc); 1561 } 1562 1563 audit_log_format(ab, "res=%d", !result); 1564 audit_log_end(ab); 1565 return result; 1566 } 1567 1568 /** 1569 * ima_parse_add_rule - add a rule to ima_policy_rules 1570 * @rule - ima measurement policy rule 1571 * 1572 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1573 * Returns the length of the rule parsed, an error code on failure 1574 */ 1575 ssize_t ima_parse_add_rule(char *rule) 1576 { 1577 static const char op[] = "update_policy"; 1578 char *p; 1579 struct ima_rule_entry *entry; 1580 ssize_t result, len; 1581 int audit_info = 0; 1582 1583 p = strsep(&rule, "\n"); 1584 len = strlen(p) + 1; 1585 p += strspn(p, " \t"); 1586 1587 if (*p == '#' || *p == '\0') 1588 return len; 1589 1590 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1591 if (!entry) { 1592 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1593 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1594 return -ENOMEM; 1595 } 1596 1597 INIT_LIST_HEAD(&entry->list); 1598 1599 result = ima_parse_rule(p, entry); 1600 if (result) { 1601 ima_free_rule(entry); 1602 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1603 NULL, op, "invalid-policy", result, 1604 audit_info); 1605 return result; 1606 } 1607 1608 list_add_tail(&entry->list, &ima_temp_rules); 1609 1610 return len; 1611 } 1612 1613 /** 1614 * ima_delete_rules() called to cleanup invalid in-flight policy. 1615 * We don't need locking as we operate on the temp list, which is 1616 * different from the active one. There is also only one user of 1617 * ima_delete_rules() at a time. 1618 */ 1619 void ima_delete_rules(void) 1620 { 1621 struct ima_rule_entry *entry, *tmp; 1622 1623 temp_ima_appraise = 0; 1624 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1625 list_del(&entry->list); 1626 ima_free_rule(entry); 1627 } 1628 } 1629 1630 #define __ima_hook_stringify(func, str) (#func), 1631 1632 const char *const func_tokens[] = { 1633 __ima_hooks(__ima_hook_stringify) 1634 }; 1635 1636 #ifdef CONFIG_IMA_READ_POLICY 1637 enum { 1638 mask_exec = 0, mask_write, mask_read, mask_append 1639 }; 1640 1641 static const char *const mask_tokens[] = { 1642 "^MAY_EXEC", 1643 "^MAY_WRITE", 1644 "^MAY_READ", 1645 "^MAY_APPEND" 1646 }; 1647 1648 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1649 { 1650 loff_t l = *pos; 1651 struct ima_rule_entry *entry; 1652 1653 rcu_read_lock(); 1654 list_for_each_entry_rcu(entry, ima_rules, list) { 1655 if (!l--) { 1656 rcu_read_unlock(); 1657 return entry; 1658 } 1659 } 1660 rcu_read_unlock(); 1661 return NULL; 1662 } 1663 1664 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1665 { 1666 struct ima_rule_entry *entry = v; 1667 1668 rcu_read_lock(); 1669 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1670 rcu_read_unlock(); 1671 (*pos)++; 1672 1673 return (&entry->list == ima_rules) ? NULL : entry; 1674 } 1675 1676 void ima_policy_stop(struct seq_file *m, void *v) 1677 { 1678 } 1679 1680 #define pt(token) policy_tokens[token].pattern 1681 #define mt(token) mask_tokens[token] 1682 1683 /* 1684 * policy_func_show - display the ima_hooks policy rule 1685 */ 1686 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1687 { 1688 if (func > 0 && func < MAX_CHECK) 1689 seq_printf(m, "func=%s ", func_tokens[func]); 1690 else 1691 seq_printf(m, "func=%d ", func); 1692 } 1693 1694 static void ima_show_rule_opt_list(struct seq_file *m, 1695 const struct ima_rule_opt_list *opt_list) 1696 { 1697 size_t i; 1698 1699 for (i = 0; i < opt_list->count; i++) 1700 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 1701 } 1702 1703 int ima_policy_show(struct seq_file *m, void *v) 1704 { 1705 struct ima_rule_entry *entry = v; 1706 int i; 1707 char tbuf[64] = {0,}; 1708 int offset = 0; 1709 1710 rcu_read_lock(); 1711 1712 if (entry->action & MEASURE) 1713 seq_puts(m, pt(Opt_measure)); 1714 if (entry->action & DONT_MEASURE) 1715 seq_puts(m, pt(Opt_dont_measure)); 1716 if (entry->action & APPRAISE) 1717 seq_puts(m, pt(Opt_appraise)); 1718 if (entry->action & DONT_APPRAISE) 1719 seq_puts(m, pt(Opt_dont_appraise)); 1720 if (entry->action & AUDIT) 1721 seq_puts(m, pt(Opt_audit)); 1722 if (entry->action & HASH) 1723 seq_puts(m, pt(Opt_hash)); 1724 if (entry->action & DONT_HASH) 1725 seq_puts(m, pt(Opt_dont_hash)); 1726 1727 seq_puts(m, " "); 1728 1729 if (entry->flags & IMA_FUNC) 1730 policy_func_show(m, entry->func); 1731 1732 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1733 if (entry->flags & IMA_MASK) 1734 offset = 1; 1735 if (entry->mask & MAY_EXEC) 1736 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1737 if (entry->mask & MAY_WRITE) 1738 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1739 if (entry->mask & MAY_READ) 1740 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1741 if (entry->mask & MAY_APPEND) 1742 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1743 seq_puts(m, " "); 1744 } 1745 1746 if (entry->flags & IMA_FSMAGIC) { 1747 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1748 seq_printf(m, pt(Opt_fsmagic), tbuf); 1749 seq_puts(m, " "); 1750 } 1751 1752 if (entry->flags & IMA_FSNAME) { 1753 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1754 seq_printf(m, pt(Opt_fsname), tbuf); 1755 seq_puts(m, " "); 1756 } 1757 1758 if (entry->flags & IMA_KEYRINGS) { 1759 seq_puts(m, "keyrings="); 1760 ima_show_rule_opt_list(m, entry->keyrings); 1761 seq_puts(m, " "); 1762 } 1763 1764 if (entry->flags & IMA_LABEL) { 1765 seq_puts(m, "label="); 1766 ima_show_rule_opt_list(m, entry->label); 1767 seq_puts(m, " "); 1768 } 1769 1770 if (entry->flags & IMA_PCR) { 1771 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1772 seq_printf(m, pt(Opt_pcr), tbuf); 1773 seq_puts(m, " "); 1774 } 1775 1776 if (entry->flags & IMA_FSUUID) { 1777 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1778 seq_puts(m, " "); 1779 } 1780 1781 if (entry->flags & IMA_UID) { 1782 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1783 if (entry->uid_op == &uid_gt) 1784 seq_printf(m, pt(Opt_uid_gt), tbuf); 1785 else if (entry->uid_op == &uid_lt) 1786 seq_printf(m, pt(Opt_uid_lt), tbuf); 1787 else 1788 seq_printf(m, pt(Opt_uid_eq), tbuf); 1789 seq_puts(m, " "); 1790 } 1791 1792 if (entry->flags & IMA_EUID) { 1793 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1794 if (entry->uid_op == &uid_gt) 1795 seq_printf(m, pt(Opt_euid_gt), tbuf); 1796 else if (entry->uid_op == &uid_lt) 1797 seq_printf(m, pt(Opt_euid_lt), tbuf); 1798 else 1799 seq_printf(m, pt(Opt_euid_eq), tbuf); 1800 seq_puts(m, " "); 1801 } 1802 1803 if (entry->flags & IMA_FOWNER) { 1804 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1805 if (entry->fowner_op == &uid_gt) 1806 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1807 else if (entry->fowner_op == &uid_lt) 1808 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1809 else 1810 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1811 seq_puts(m, " "); 1812 } 1813 1814 for (i = 0; i < MAX_LSM_RULES; i++) { 1815 if (entry->lsm[i].rule) { 1816 switch (i) { 1817 case LSM_OBJ_USER: 1818 seq_printf(m, pt(Opt_obj_user), 1819 entry->lsm[i].args_p); 1820 break; 1821 case LSM_OBJ_ROLE: 1822 seq_printf(m, pt(Opt_obj_role), 1823 entry->lsm[i].args_p); 1824 break; 1825 case LSM_OBJ_TYPE: 1826 seq_printf(m, pt(Opt_obj_type), 1827 entry->lsm[i].args_p); 1828 break; 1829 case LSM_SUBJ_USER: 1830 seq_printf(m, pt(Opt_subj_user), 1831 entry->lsm[i].args_p); 1832 break; 1833 case LSM_SUBJ_ROLE: 1834 seq_printf(m, pt(Opt_subj_role), 1835 entry->lsm[i].args_p); 1836 break; 1837 case LSM_SUBJ_TYPE: 1838 seq_printf(m, pt(Opt_subj_type), 1839 entry->lsm[i].args_p); 1840 break; 1841 } 1842 seq_puts(m, " "); 1843 } 1844 } 1845 if (entry->template) 1846 seq_printf(m, "template=%s ", entry->template->name); 1847 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1848 if (entry->flags & IMA_MODSIG_ALLOWED) 1849 seq_puts(m, "appraise_type=imasig|modsig "); 1850 else 1851 seq_puts(m, "appraise_type=imasig "); 1852 } 1853 if (entry->flags & IMA_CHECK_BLACKLIST) 1854 seq_puts(m, "appraise_flag=check_blacklist "); 1855 if (entry->flags & IMA_PERMIT_DIRECTIO) 1856 seq_puts(m, "permit_directio "); 1857 rcu_read_unlock(); 1858 seq_puts(m, "\n"); 1859 return 0; 1860 } 1861 #endif /* CONFIG_IMA_READ_POLICY */ 1862 1863 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1864 /* 1865 * ima_appraise_signature: whether IMA will appraise a given function using 1866 * an IMA digital signature. This is restricted to cases where the kernel 1867 * has a set of built-in trusted keys in order to avoid an attacker simply 1868 * loading additional keys. 1869 */ 1870 bool ima_appraise_signature(enum kernel_read_file_id id) 1871 { 1872 struct ima_rule_entry *entry; 1873 bool found = false; 1874 enum ima_hooks func; 1875 1876 if (id >= READING_MAX_ID) 1877 return false; 1878 1879 func = read_idmap[id] ?: FILE_CHECK; 1880 1881 rcu_read_lock(); 1882 list_for_each_entry_rcu(entry, ima_rules, list) { 1883 if (entry->action != APPRAISE) 1884 continue; 1885 1886 /* 1887 * A generic entry will match, but otherwise require that it 1888 * match the func we're looking for 1889 */ 1890 if (entry->func && entry->func != func) 1891 continue; 1892 1893 /* 1894 * We require this to be a digital signature, not a raw IMA 1895 * hash. 1896 */ 1897 if (entry->flags & IMA_DIGSIG_REQUIRED) 1898 found = true; 1899 1900 /* 1901 * We've found a rule that matches, so break now even if it 1902 * didn't require a digital signature - a later rule that does 1903 * won't override it, so would be a false positive. 1904 */ 1905 break; 1906 } 1907 1908 rcu_read_unlock(); 1909 return found; 1910 } 1911 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1912