1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 11 12 #include <linux/init.h> 13 #include <linux/list.h> 14 #include <linux/fs.h> 15 #include <linux/security.h> 16 #include <linux/magic.h> 17 #include <linux/parser.h> 18 #include <linux/slab.h> 19 #include <linux/rculist.h> 20 #include <linux/genhd.h> 21 #include <linux/seq_file.h> 22 #include <linux/ima.h> 23 24 #include "ima.h" 25 26 /* flags definitions */ 27 #define IMA_FUNC 0x0001 28 #define IMA_MASK 0x0002 29 #define IMA_FSMAGIC 0x0004 30 #define IMA_UID 0x0008 31 #define IMA_FOWNER 0x0010 32 #define IMA_FSUUID 0x0020 33 #define IMA_INMASK 0x0040 34 #define IMA_EUID 0x0080 35 #define IMA_PCR 0x0100 36 #define IMA_FSNAME 0x0200 37 38 #define UNKNOWN 0 39 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 40 #define DONT_MEASURE 0x0002 41 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 42 #define DONT_APPRAISE 0x0008 43 #define AUDIT 0x0040 44 #define HASH 0x0100 45 #define DONT_HASH 0x0200 46 47 #define INVALID_PCR(a) (((a) < 0) || \ 48 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) 49 50 int ima_policy_flag; 51 static int temp_ima_appraise; 52 static int build_ima_appraise __ro_after_init; 53 54 #define MAX_LSM_RULES 6 55 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 56 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 57 }; 58 59 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 60 61 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 62 63 struct ima_rule_entry { 64 struct list_head list; 65 int action; 66 unsigned int flags; 67 enum ima_hooks func; 68 int mask; 69 unsigned long fsmagic; 70 uuid_t fsuuid; 71 kuid_t uid; 72 kuid_t fowner; 73 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 74 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 75 int pcr; 76 struct { 77 void *rule; /* LSM file metadata specific */ 78 void *args_p; /* audit value */ 79 int type; /* audit type */ 80 } lsm[MAX_LSM_RULES]; 81 char *fsname; 82 struct ima_template_desc *template; 83 }; 84 85 /* 86 * Without LSM specific knowledge, the default policy can only be 87 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 88 */ 89 90 /* 91 * The minimum rule set to allow for full TCB coverage. Measures all files 92 * opened or mmap for exec and everything read by root. Dangerous because 93 * normal users can easily run the machine out of memory simply building 94 * and running executables. 95 */ 96 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 97 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 98 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 99 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 100 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 101 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 102 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 103 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 104 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 105 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 106 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 107 .flags = IMA_FSMAGIC}, 108 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 109 .flags = IMA_FSMAGIC}, 110 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 111 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 112 }; 113 114 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 115 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 116 .flags = IMA_FUNC | IMA_MASK}, 117 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 118 .flags = IMA_FUNC | IMA_MASK}, 119 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 120 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 121 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 122 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 123 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 124 }; 125 126 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 127 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 128 .flags = IMA_FUNC | IMA_MASK}, 129 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 130 .flags = IMA_FUNC | IMA_MASK}, 131 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 132 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 133 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 134 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 135 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 136 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 137 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 138 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 139 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 140 }; 141 142 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 143 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 144 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 145 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 146 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 147 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 148 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 149 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 157 #ifdef CONFIG_IMA_WRITE_POLICY 158 {.action = APPRAISE, .func = POLICY_CHECK, 159 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 160 #endif 161 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 162 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 163 .flags = IMA_FOWNER}, 164 #else 165 /* force signature */ 166 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 167 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 168 #endif 169 }; 170 171 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 173 {.action = APPRAISE, .func = MODULE_CHECK, 174 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 175 #endif 176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 177 {.action = APPRAISE, .func = FIRMWARE_CHECK, 178 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 179 #endif 180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 181 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 182 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 183 #endif 184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 185 {.action = APPRAISE, .func = POLICY_CHECK, 186 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 187 #endif 188 }; 189 190 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 191 {.action = APPRAISE, .func = MODULE_CHECK, 192 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 193 {.action = APPRAISE, .func = FIRMWARE_CHECK, 194 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 195 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 196 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 197 {.action = APPRAISE, .func = POLICY_CHECK, 198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 199 }; 200 201 /* An array of architecture specific rules */ 202 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 203 204 static LIST_HEAD(ima_default_rules); 205 static LIST_HEAD(ima_policy_rules); 206 static LIST_HEAD(ima_temp_rules); 207 static struct list_head *ima_rules; 208 209 static int ima_policy __initdata; 210 211 static int __init default_measure_policy_setup(char *str) 212 { 213 if (ima_policy) 214 return 1; 215 216 ima_policy = ORIGINAL_TCB; 217 return 1; 218 } 219 __setup("ima_tcb", default_measure_policy_setup); 220 221 static bool ima_use_appraise_tcb __initdata; 222 static bool ima_use_secure_boot __initdata; 223 static bool ima_fail_unverifiable_sigs __ro_after_init; 224 static int __init policy_setup(char *str) 225 { 226 char *p; 227 228 while ((p = strsep(&str, " |\n")) != NULL) { 229 if (*p == ' ') 230 continue; 231 if ((strcmp(p, "tcb") == 0) && !ima_policy) 232 ima_policy = DEFAULT_TCB; 233 else if (strcmp(p, "appraise_tcb") == 0) 234 ima_use_appraise_tcb = true; 235 else if (strcmp(p, "secure_boot") == 0) 236 ima_use_secure_boot = true; 237 else if (strcmp(p, "fail_securely") == 0) 238 ima_fail_unverifiable_sigs = true; 239 } 240 241 return 1; 242 } 243 __setup("ima_policy=", policy_setup); 244 245 static int __init default_appraise_policy_setup(char *str) 246 { 247 ima_use_appraise_tcb = true; 248 return 1; 249 } 250 __setup("ima_appraise_tcb", default_appraise_policy_setup); 251 252 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 253 { 254 int i; 255 256 for (i = 0; i < MAX_LSM_RULES; i++) { 257 kfree(entry->lsm[i].rule); 258 kfree(entry->lsm[i].args_p); 259 } 260 kfree(entry); 261 } 262 263 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 264 { 265 struct ima_rule_entry *nentry; 266 int i, result; 267 268 nentry = kmalloc(sizeof(*nentry), GFP_KERNEL); 269 if (!nentry) 270 return NULL; 271 272 /* 273 * Immutable elements are copied over as pointers and data; only 274 * lsm rules can change 275 */ 276 memcpy(nentry, entry, sizeof(*nentry)); 277 memset(nentry->lsm, 0, FIELD_SIZEOF(struct ima_rule_entry, lsm)); 278 279 for (i = 0; i < MAX_LSM_RULES; i++) { 280 if (!entry->lsm[i].rule) 281 continue; 282 283 nentry->lsm[i].type = entry->lsm[i].type; 284 nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p, 285 GFP_KERNEL); 286 if (!nentry->lsm[i].args_p) 287 goto out_err; 288 289 result = security_filter_rule_init(nentry->lsm[i].type, 290 Audit_equal, 291 nentry->lsm[i].args_p, 292 &nentry->lsm[i].rule); 293 if (result == -EINVAL) 294 pr_warn("ima: rule for LSM \'%d\' is undefined\n", 295 entry->lsm[i].type); 296 } 297 return nentry; 298 299 out_err: 300 ima_lsm_free_rule(nentry); 301 return NULL; 302 } 303 304 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 305 { 306 struct ima_rule_entry *nentry; 307 308 nentry = ima_lsm_copy_rule(entry); 309 if (!nentry) 310 return -ENOMEM; 311 312 list_replace_rcu(&entry->list, &nentry->list); 313 synchronize_rcu(); 314 ima_lsm_free_rule(entry); 315 316 return 0; 317 } 318 319 /* 320 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 321 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 322 * the reloaded LSM policy. 323 */ 324 static void ima_lsm_update_rules(void) 325 { 326 struct ima_rule_entry *entry, *e; 327 int i, result, needs_update; 328 329 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 330 needs_update = 0; 331 for (i = 0; i < MAX_LSM_RULES; i++) { 332 if (entry->lsm[i].rule) { 333 needs_update = 1; 334 break; 335 } 336 } 337 if (!needs_update) 338 continue; 339 340 result = ima_lsm_update_rule(entry); 341 if (result) { 342 pr_err("ima: lsm rule update error %d\n", 343 result); 344 return; 345 } 346 } 347 } 348 349 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 350 void *lsm_data) 351 { 352 if (event != LSM_POLICY_CHANGE) 353 return NOTIFY_DONE; 354 355 ima_lsm_update_rules(); 356 return NOTIFY_OK; 357 } 358 359 /** 360 * ima_match_rules - determine whether an inode matches the measure rule. 361 * @rule: a pointer to a rule 362 * @inode: a pointer to an inode 363 * @cred: a pointer to a credentials structure for user validation 364 * @secid: the secid of the task to be validated 365 * @func: LIM hook identifier 366 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 367 * 368 * Returns true on rule match, false on failure. 369 */ 370 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, 371 const struct cred *cred, u32 secid, 372 enum ima_hooks func, int mask) 373 { 374 int i; 375 376 if (func == KEXEC_CMDLINE) { 377 if ((rule->flags & IMA_FUNC) && (rule->func == func)) 378 return true; 379 return false; 380 } 381 if ((rule->flags & IMA_FUNC) && 382 (rule->func != func && func != POST_SETATTR)) 383 return false; 384 if ((rule->flags & IMA_MASK) && 385 (rule->mask != mask && func != POST_SETATTR)) 386 return false; 387 if ((rule->flags & IMA_INMASK) && 388 (!(rule->mask & mask) && func != POST_SETATTR)) 389 return false; 390 if ((rule->flags & IMA_FSMAGIC) 391 && rule->fsmagic != inode->i_sb->s_magic) 392 return false; 393 if ((rule->flags & IMA_FSNAME) 394 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 395 return false; 396 if ((rule->flags & IMA_FSUUID) && 397 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 398 return false; 399 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 400 return false; 401 if (rule->flags & IMA_EUID) { 402 if (has_capability_noaudit(current, CAP_SETUID)) { 403 if (!rule->uid_op(cred->euid, rule->uid) 404 && !rule->uid_op(cred->suid, rule->uid) 405 && !rule->uid_op(cred->uid, rule->uid)) 406 return false; 407 } else if (!rule->uid_op(cred->euid, rule->uid)) 408 return false; 409 } 410 411 if ((rule->flags & IMA_FOWNER) && 412 !rule->fowner_op(inode->i_uid, rule->fowner)) 413 return false; 414 for (i = 0; i < MAX_LSM_RULES; i++) { 415 int rc = 0; 416 u32 osid; 417 418 if (!rule->lsm[i].rule) 419 continue; 420 421 switch (i) { 422 case LSM_OBJ_USER: 423 case LSM_OBJ_ROLE: 424 case LSM_OBJ_TYPE: 425 security_inode_getsecid(inode, &osid); 426 rc = security_filter_rule_match(osid, 427 rule->lsm[i].type, 428 Audit_equal, 429 rule->lsm[i].rule); 430 break; 431 case LSM_SUBJ_USER: 432 case LSM_SUBJ_ROLE: 433 case LSM_SUBJ_TYPE: 434 rc = security_filter_rule_match(secid, 435 rule->lsm[i].type, 436 Audit_equal, 437 rule->lsm[i].rule); 438 default: 439 break; 440 } 441 if (!rc) 442 return false; 443 } 444 return true; 445 } 446 447 /* 448 * In addition to knowing that we need to appraise the file in general, 449 * we need to differentiate between calling hooks, for hook specific rules. 450 */ 451 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 452 { 453 if (!(rule->flags & IMA_FUNC)) 454 return IMA_FILE_APPRAISE; 455 456 switch (func) { 457 case MMAP_CHECK: 458 return IMA_MMAP_APPRAISE; 459 case BPRM_CHECK: 460 return IMA_BPRM_APPRAISE; 461 case CREDS_CHECK: 462 return IMA_CREDS_APPRAISE; 463 case FILE_CHECK: 464 case POST_SETATTR: 465 return IMA_FILE_APPRAISE; 466 case MODULE_CHECK ... MAX_CHECK - 1: 467 default: 468 return IMA_READ_APPRAISE; 469 } 470 } 471 472 /** 473 * ima_match_policy - decision based on LSM and other conditions 474 * @inode: pointer to an inode for which the policy decision is being made 475 * @cred: pointer to a credentials structure for which the policy decision is 476 * being made 477 * @secid: LSM secid of the task to be validated 478 * @func: IMA hook identifier 479 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 480 * @pcr: set the pcr to extend 481 * @template_desc: the template that should be used for this rule 482 * 483 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 484 * conditions. 485 * 486 * Since the IMA policy may be updated multiple times we need to lock the 487 * list when walking it. Reads are many orders of magnitude more numerous 488 * than writes so ima_match_policy() is classical RCU candidate. 489 */ 490 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 491 enum ima_hooks func, int mask, int flags, int *pcr, 492 struct ima_template_desc **template_desc) 493 { 494 struct ima_rule_entry *entry; 495 int action = 0, actmask = flags | (flags << 1); 496 497 if (template_desc) 498 *template_desc = ima_template_desc_current(); 499 500 rcu_read_lock(); 501 list_for_each_entry_rcu(entry, ima_rules, list) { 502 503 if (!(entry->action & actmask)) 504 continue; 505 506 if (!ima_match_rules(entry, inode, cred, secid, func, mask)) 507 continue; 508 509 action |= entry->flags & IMA_ACTION_FLAGS; 510 511 action |= entry->action & IMA_DO_MASK; 512 if (entry->action & IMA_APPRAISE) { 513 action |= get_subaction(entry, func); 514 action &= ~IMA_HASH; 515 if (ima_fail_unverifiable_sigs) 516 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 517 } 518 519 520 if (entry->action & IMA_DO_MASK) 521 actmask &= ~(entry->action | entry->action << 1); 522 else 523 actmask &= ~(entry->action | entry->action >> 1); 524 525 if ((pcr) && (entry->flags & IMA_PCR)) 526 *pcr = entry->pcr; 527 528 if (template_desc && entry->template) 529 *template_desc = entry->template; 530 531 if (!actmask) 532 break; 533 } 534 rcu_read_unlock(); 535 536 return action; 537 } 538 539 /* 540 * Initialize the ima_policy_flag variable based on the currently 541 * loaded policy. Based on this flag, the decision to short circuit 542 * out of a function or not call the function in the first place 543 * can be made earlier. 544 */ 545 void ima_update_policy_flag(void) 546 { 547 struct ima_rule_entry *entry; 548 549 list_for_each_entry(entry, ima_rules, list) { 550 if (entry->action & IMA_DO_MASK) 551 ima_policy_flag |= entry->action; 552 } 553 554 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 555 if (!ima_appraise) 556 ima_policy_flag &= ~IMA_APPRAISE; 557 } 558 559 static int ima_appraise_flag(enum ima_hooks func) 560 { 561 if (func == MODULE_CHECK) 562 return IMA_APPRAISE_MODULES; 563 else if (func == FIRMWARE_CHECK) 564 return IMA_APPRAISE_FIRMWARE; 565 else if (func == POLICY_CHECK) 566 return IMA_APPRAISE_POLICY; 567 else if (func == KEXEC_KERNEL_CHECK) 568 return IMA_APPRAISE_KEXEC; 569 return 0; 570 } 571 572 static void add_rules(struct ima_rule_entry *entries, int count, 573 enum policy_rule_list policy_rule) 574 { 575 int i = 0; 576 577 for (i = 0; i < count; i++) { 578 struct ima_rule_entry *entry; 579 580 if (policy_rule & IMA_DEFAULT_POLICY) 581 list_add_tail(&entries[i].list, &ima_default_rules); 582 583 if (policy_rule & IMA_CUSTOM_POLICY) { 584 entry = kmemdup(&entries[i], sizeof(*entry), 585 GFP_KERNEL); 586 if (!entry) 587 continue; 588 589 list_add_tail(&entry->list, &ima_policy_rules); 590 } 591 if (entries[i].action == APPRAISE) { 592 temp_ima_appraise |= ima_appraise_flag(entries[i].func); 593 if (entries[i].func == POLICY_CHECK) 594 temp_ima_appraise |= IMA_APPRAISE_POLICY; 595 } 596 } 597 } 598 599 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 600 601 static int __init ima_init_arch_policy(void) 602 { 603 const char * const *arch_rules; 604 const char * const *rules; 605 int arch_entries = 0; 606 int i = 0; 607 608 arch_rules = arch_get_ima_policy(); 609 if (!arch_rules) 610 return arch_entries; 611 612 /* Get number of rules */ 613 for (rules = arch_rules; *rules != NULL; rules++) 614 arch_entries++; 615 616 arch_policy_entry = kcalloc(arch_entries + 1, 617 sizeof(*arch_policy_entry), GFP_KERNEL); 618 if (!arch_policy_entry) 619 return 0; 620 621 /* Convert each policy string rules to struct ima_rule_entry format */ 622 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 623 char rule[255]; 624 int result; 625 626 result = strlcpy(rule, *rules, sizeof(rule)); 627 628 INIT_LIST_HEAD(&arch_policy_entry[i].list); 629 result = ima_parse_rule(rule, &arch_policy_entry[i]); 630 if (result) { 631 pr_warn("Skipping unknown architecture policy rule: %s\n", 632 rule); 633 memset(&arch_policy_entry[i], 0, 634 sizeof(*arch_policy_entry)); 635 continue; 636 } 637 i++; 638 } 639 return i; 640 } 641 642 /** 643 * ima_init_policy - initialize the default measure rules. 644 * 645 * ima_rules points to either the ima_default_rules or the 646 * the new ima_policy_rules. 647 */ 648 void __init ima_init_policy(void) 649 { 650 int build_appraise_entries, arch_entries; 651 652 /* if !ima_policy, we load NO default rules */ 653 if (ima_policy) 654 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 655 IMA_DEFAULT_POLICY); 656 657 switch (ima_policy) { 658 case ORIGINAL_TCB: 659 add_rules(original_measurement_rules, 660 ARRAY_SIZE(original_measurement_rules), 661 IMA_DEFAULT_POLICY); 662 break; 663 case DEFAULT_TCB: 664 add_rules(default_measurement_rules, 665 ARRAY_SIZE(default_measurement_rules), 666 IMA_DEFAULT_POLICY); 667 default: 668 break; 669 } 670 671 /* 672 * Based on runtime secure boot flags, insert arch specific measurement 673 * and appraise rules requiring file signatures for both the initial 674 * and custom policies, prior to other appraise rules. 675 * (Highest priority) 676 */ 677 arch_entries = ima_init_arch_policy(); 678 if (!arch_entries) 679 pr_info("No architecture policies found\n"); 680 else 681 add_rules(arch_policy_entry, arch_entries, 682 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 683 684 /* 685 * Insert the builtin "secure_boot" policy rules requiring file 686 * signatures, prior to other appraise rules. 687 */ 688 if (ima_use_secure_boot) 689 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 690 IMA_DEFAULT_POLICY); 691 692 /* 693 * Insert the build time appraise rules requiring file signatures 694 * for both the initial and custom policies, prior to other appraise 695 * rules. As the secure boot rules includes all of the build time 696 * rules, include either one or the other set of rules, but not both. 697 */ 698 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 699 if (build_appraise_entries) { 700 if (ima_use_secure_boot) 701 add_rules(build_appraise_rules, build_appraise_entries, 702 IMA_CUSTOM_POLICY); 703 else 704 add_rules(build_appraise_rules, build_appraise_entries, 705 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 706 } 707 708 if (ima_use_appraise_tcb) 709 add_rules(default_appraise_rules, 710 ARRAY_SIZE(default_appraise_rules), 711 IMA_DEFAULT_POLICY); 712 713 ima_rules = &ima_default_rules; 714 ima_update_policy_flag(); 715 } 716 717 /* Make sure we have a valid policy, at least containing some rules. */ 718 int ima_check_policy(void) 719 { 720 if (list_empty(&ima_temp_rules)) 721 return -EINVAL; 722 return 0; 723 } 724 725 /** 726 * ima_update_policy - update default_rules with new measure rules 727 * 728 * Called on file .release to update the default rules with a complete new 729 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 730 * they make a queue. The policy may be updated multiple times and this is the 731 * RCU updater. 732 * 733 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 734 * we switch from the default policy to user defined. 735 */ 736 void ima_update_policy(void) 737 { 738 struct list_head *policy = &ima_policy_rules; 739 740 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 741 742 if (ima_rules != policy) { 743 ima_policy_flag = 0; 744 ima_rules = policy; 745 746 /* 747 * IMA architecture specific policy rules are specified 748 * as strings and converted to an array of ima_entry_rules 749 * on boot. After loading a custom policy, free the 750 * architecture specific rules stored as an array. 751 */ 752 kfree(arch_policy_entry); 753 } 754 ima_update_policy_flag(); 755 } 756 757 /* Keep the enumeration in sync with the policy_tokens! */ 758 enum { 759 Opt_measure, Opt_dont_measure, 760 Opt_appraise, Opt_dont_appraise, 761 Opt_audit, Opt_hash, Opt_dont_hash, 762 Opt_obj_user, Opt_obj_role, Opt_obj_type, 763 Opt_subj_user, Opt_subj_role, Opt_subj_type, 764 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 765 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 766 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 767 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 768 Opt_appraise_type, Opt_permit_directio, 769 Opt_pcr, Opt_template, Opt_err 770 }; 771 772 static const match_table_t policy_tokens = { 773 {Opt_measure, "measure"}, 774 {Opt_dont_measure, "dont_measure"}, 775 {Opt_appraise, "appraise"}, 776 {Opt_dont_appraise, "dont_appraise"}, 777 {Opt_audit, "audit"}, 778 {Opt_hash, "hash"}, 779 {Opt_dont_hash, "dont_hash"}, 780 {Opt_obj_user, "obj_user=%s"}, 781 {Opt_obj_role, "obj_role=%s"}, 782 {Opt_obj_type, "obj_type=%s"}, 783 {Opt_subj_user, "subj_user=%s"}, 784 {Opt_subj_role, "subj_role=%s"}, 785 {Opt_subj_type, "subj_type=%s"}, 786 {Opt_func, "func=%s"}, 787 {Opt_mask, "mask=%s"}, 788 {Opt_fsmagic, "fsmagic=%s"}, 789 {Opt_fsname, "fsname=%s"}, 790 {Opt_fsuuid, "fsuuid=%s"}, 791 {Opt_uid_eq, "uid=%s"}, 792 {Opt_euid_eq, "euid=%s"}, 793 {Opt_fowner_eq, "fowner=%s"}, 794 {Opt_uid_gt, "uid>%s"}, 795 {Opt_euid_gt, "euid>%s"}, 796 {Opt_fowner_gt, "fowner>%s"}, 797 {Opt_uid_lt, "uid<%s"}, 798 {Opt_euid_lt, "euid<%s"}, 799 {Opt_fowner_lt, "fowner<%s"}, 800 {Opt_appraise_type, "appraise_type=%s"}, 801 {Opt_permit_directio, "permit_directio"}, 802 {Opt_pcr, "pcr=%s"}, 803 {Opt_template, "template=%s"}, 804 {Opt_err, NULL} 805 }; 806 807 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 808 substring_t *args, int lsm_rule, int audit_type) 809 { 810 int result; 811 812 if (entry->lsm[lsm_rule].rule) 813 return -EINVAL; 814 815 entry->lsm[lsm_rule].args_p = match_strdup(args); 816 if (!entry->lsm[lsm_rule].args_p) 817 return -ENOMEM; 818 819 entry->lsm[lsm_rule].type = audit_type; 820 result = security_filter_rule_init(entry->lsm[lsm_rule].type, 821 Audit_equal, 822 entry->lsm[lsm_rule].args_p, 823 &entry->lsm[lsm_rule].rule); 824 if (!entry->lsm[lsm_rule].rule) { 825 kfree(entry->lsm[lsm_rule].args_p); 826 return -EINVAL; 827 } 828 829 return result; 830 } 831 832 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 833 bool (*rule_operator)(kuid_t, kuid_t)) 834 { 835 if (!ab) 836 return; 837 838 if (rule_operator == &uid_gt) 839 audit_log_format(ab, "%s>", key); 840 else if (rule_operator == &uid_lt) 841 audit_log_format(ab, "%s<", key); 842 else 843 audit_log_format(ab, "%s=", key); 844 audit_log_format(ab, "%s ", value); 845 } 846 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 847 { 848 ima_log_string_op(ab, key, value, NULL); 849 } 850 851 /* 852 * Validating the appended signature included in the measurement list requires 853 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 854 * field). Therefore, notify the user if they have the 'modsig' field but not 855 * the 'd-modsig' field in the template. 856 */ 857 static void check_template_modsig(const struct ima_template_desc *template) 858 { 859 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 860 bool has_modsig, has_dmodsig; 861 static bool checked; 862 int i; 863 864 /* We only need to notify the user once. */ 865 if (checked) 866 return; 867 868 has_modsig = has_dmodsig = false; 869 for (i = 0; i < template->num_fields; i++) { 870 if (!strcmp(template->fields[i]->field_id, "modsig")) 871 has_modsig = true; 872 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 873 has_dmodsig = true; 874 } 875 876 if (has_modsig && !has_dmodsig) 877 pr_notice(MSG); 878 879 checked = true; 880 #undef MSG 881 } 882 883 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 884 { 885 struct audit_buffer *ab; 886 char *from; 887 char *p; 888 bool uid_token; 889 struct ima_template_desc *template_desc; 890 int result = 0; 891 892 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 893 AUDIT_INTEGRITY_POLICY_RULE); 894 895 entry->uid = INVALID_UID; 896 entry->fowner = INVALID_UID; 897 entry->uid_op = &uid_eq; 898 entry->fowner_op = &uid_eq; 899 entry->action = UNKNOWN; 900 while ((p = strsep(&rule, " \t")) != NULL) { 901 substring_t args[MAX_OPT_ARGS]; 902 int token; 903 unsigned long lnum; 904 905 if (result < 0) 906 break; 907 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 908 continue; 909 token = match_token(p, policy_tokens, args); 910 switch (token) { 911 case Opt_measure: 912 ima_log_string(ab, "action", "measure"); 913 914 if (entry->action != UNKNOWN) 915 result = -EINVAL; 916 917 entry->action = MEASURE; 918 break; 919 case Opt_dont_measure: 920 ima_log_string(ab, "action", "dont_measure"); 921 922 if (entry->action != UNKNOWN) 923 result = -EINVAL; 924 925 entry->action = DONT_MEASURE; 926 break; 927 case Opt_appraise: 928 ima_log_string(ab, "action", "appraise"); 929 930 if (entry->action != UNKNOWN) 931 result = -EINVAL; 932 933 entry->action = APPRAISE; 934 break; 935 case Opt_dont_appraise: 936 ima_log_string(ab, "action", "dont_appraise"); 937 938 if (entry->action != UNKNOWN) 939 result = -EINVAL; 940 941 entry->action = DONT_APPRAISE; 942 break; 943 case Opt_audit: 944 ima_log_string(ab, "action", "audit"); 945 946 if (entry->action != UNKNOWN) 947 result = -EINVAL; 948 949 entry->action = AUDIT; 950 break; 951 case Opt_hash: 952 ima_log_string(ab, "action", "hash"); 953 954 if (entry->action != UNKNOWN) 955 result = -EINVAL; 956 957 entry->action = HASH; 958 break; 959 case Opt_dont_hash: 960 ima_log_string(ab, "action", "dont_hash"); 961 962 if (entry->action != UNKNOWN) 963 result = -EINVAL; 964 965 entry->action = DONT_HASH; 966 break; 967 case Opt_func: 968 ima_log_string(ab, "func", args[0].from); 969 970 if (entry->func) 971 result = -EINVAL; 972 973 if (strcmp(args[0].from, "FILE_CHECK") == 0) 974 entry->func = FILE_CHECK; 975 /* PATH_CHECK is for backwards compat */ 976 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 977 entry->func = FILE_CHECK; 978 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 979 entry->func = MODULE_CHECK; 980 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 981 entry->func = FIRMWARE_CHECK; 982 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 983 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 984 entry->func = MMAP_CHECK; 985 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 986 entry->func = BPRM_CHECK; 987 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 988 entry->func = CREDS_CHECK; 989 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 990 0) 991 entry->func = KEXEC_KERNEL_CHECK; 992 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 993 == 0) 994 entry->func = KEXEC_INITRAMFS_CHECK; 995 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 996 entry->func = POLICY_CHECK; 997 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 998 entry->func = KEXEC_CMDLINE; 999 else 1000 result = -EINVAL; 1001 if (!result) 1002 entry->flags |= IMA_FUNC; 1003 break; 1004 case Opt_mask: 1005 ima_log_string(ab, "mask", args[0].from); 1006 1007 if (entry->mask) 1008 result = -EINVAL; 1009 1010 from = args[0].from; 1011 if (*from == '^') 1012 from++; 1013 1014 if ((strcmp(from, "MAY_EXEC")) == 0) 1015 entry->mask = MAY_EXEC; 1016 else if (strcmp(from, "MAY_WRITE") == 0) 1017 entry->mask = MAY_WRITE; 1018 else if (strcmp(from, "MAY_READ") == 0) 1019 entry->mask = MAY_READ; 1020 else if (strcmp(from, "MAY_APPEND") == 0) 1021 entry->mask = MAY_APPEND; 1022 else 1023 result = -EINVAL; 1024 if (!result) 1025 entry->flags |= (*args[0].from == '^') 1026 ? IMA_INMASK : IMA_MASK; 1027 break; 1028 case Opt_fsmagic: 1029 ima_log_string(ab, "fsmagic", args[0].from); 1030 1031 if (entry->fsmagic) { 1032 result = -EINVAL; 1033 break; 1034 } 1035 1036 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1037 if (!result) 1038 entry->flags |= IMA_FSMAGIC; 1039 break; 1040 case Opt_fsname: 1041 ima_log_string(ab, "fsname", args[0].from); 1042 1043 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1044 if (!entry->fsname) { 1045 result = -ENOMEM; 1046 break; 1047 } 1048 result = 0; 1049 entry->flags |= IMA_FSNAME; 1050 break; 1051 case Opt_fsuuid: 1052 ima_log_string(ab, "fsuuid", args[0].from); 1053 1054 if (!uuid_is_null(&entry->fsuuid)) { 1055 result = -EINVAL; 1056 break; 1057 } 1058 1059 result = uuid_parse(args[0].from, &entry->fsuuid); 1060 if (!result) 1061 entry->flags |= IMA_FSUUID; 1062 break; 1063 case Opt_uid_gt: 1064 case Opt_euid_gt: 1065 entry->uid_op = &uid_gt; 1066 /* fall through */ 1067 case Opt_uid_lt: 1068 case Opt_euid_lt: 1069 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1070 entry->uid_op = &uid_lt; 1071 /* fall through */ 1072 case Opt_uid_eq: 1073 case Opt_euid_eq: 1074 uid_token = (token == Opt_uid_eq) || 1075 (token == Opt_uid_gt) || 1076 (token == Opt_uid_lt); 1077 1078 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1079 args[0].from, entry->uid_op); 1080 1081 if (uid_valid(entry->uid)) { 1082 result = -EINVAL; 1083 break; 1084 } 1085 1086 result = kstrtoul(args[0].from, 10, &lnum); 1087 if (!result) { 1088 entry->uid = make_kuid(current_user_ns(), 1089 (uid_t) lnum); 1090 if (!uid_valid(entry->uid) || 1091 (uid_t)lnum != lnum) 1092 result = -EINVAL; 1093 else 1094 entry->flags |= uid_token 1095 ? IMA_UID : IMA_EUID; 1096 } 1097 break; 1098 case Opt_fowner_gt: 1099 entry->fowner_op = &uid_gt; 1100 /* fall through */ 1101 case Opt_fowner_lt: 1102 if (token == Opt_fowner_lt) 1103 entry->fowner_op = &uid_lt; 1104 /* fall through */ 1105 case Opt_fowner_eq: 1106 ima_log_string_op(ab, "fowner", args[0].from, 1107 entry->fowner_op); 1108 1109 if (uid_valid(entry->fowner)) { 1110 result = -EINVAL; 1111 break; 1112 } 1113 1114 result = kstrtoul(args[0].from, 10, &lnum); 1115 if (!result) { 1116 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1117 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1118 result = -EINVAL; 1119 else 1120 entry->flags |= IMA_FOWNER; 1121 } 1122 break; 1123 case Opt_obj_user: 1124 ima_log_string(ab, "obj_user", args[0].from); 1125 result = ima_lsm_rule_init(entry, args, 1126 LSM_OBJ_USER, 1127 AUDIT_OBJ_USER); 1128 break; 1129 case Opt_obj_role: 1130 ima_log_string(ab, "obj_role", args[0].from); 1131 result = ima_lsm_rule_init(entry, args, 1132 LSM_OBJ_ROLE, 1133 AUDIT_OBJ_ROLE); 1134 break; 1135 case Opt_obj_type: 1136 ima_log_string(ab, "obj_type", args[0].from); 1137 result = ima_lsm_rule_init(entry, args, 1138 LSM_OBJ_TYPE, 1139 AUDIT_OBJ_TYPE); 1140 break; 1141 case Opt_subj_user: 1142 ima_log_string(ab, "subj_user", args[0].from); 1143 result = ima_lsm_rule_init(entry, args, 1144 LSM_SUBJ_USER, 1145 AUDIT_SUBJ_USER); 1146 break; 1147 case Opt_subj_role: 1148 ima_log_string(ab, "subj_role", args[0].from); 1149 result = ima_lsm_rule_init(entry, args, 1150 LSM_SUBJ_ROLE, 1151 AUDIT_SUBJ_ROLE); 1152 break; 1153 case Opt_subj_type: 1154 ima_log_string(ab, "subj_type", args[0].from); 1155 result = ima_lsm_rule_init(entry, args, 1156 LSM_SUBJ_TYPE, 1157 AUDIT_SUBJ_TYPE); 1158 break; 1159 case Opt_appraise_type: 1160 if (entry->action != APPRAISE) { 1161 result = -EINVAL; 1162 break; 1163 } 1164 1165 ima_log_string(ab, "appraise_type", args[0].from); 1166 if ((strcmp(args[0].from, "imasig")) == 0) 1167 entry->flags |= IMA_DIGSIG_REQUIRED; 1168 else if (ima_hook_supports_modsig(entry->func) && 1169 strcmp(args[0].from, "imasig|modsig") == 0) 1170 entry->flags |= IMA_DIGSIG_REQUIRED | 1171 IMA_MODSIG_ALLOWED; 1172 else 1173 result = -EINVAL; 1174 break; 1175 case Opt_permit_directio: 1176 entry->flags |= IMA_PERMIT_DIRECTIO; 1177 break; 1178 case Opt_pcr: 1179 if (entry->action != MEASURE) { 1180 result = -EINVAL; 1181 break; 1182 } 1183 ima_log_string(ab, "pcr", args[0].from); 1184 1185 result = kstrtoint(args[0].from, 10, &entry->pcr); 1186 if (result || INVALID_PCR(entry->pcr)) 1187 result = -EINVAL; 1188 else 1189 entry->flags |= IMA_PCR; 1190 1191 break; 1192 case Opt_template: 1193 ima_log_string(ab, "template", args[0].from); 1194 if (entry->action != MEASURE) { 1195 result = -EINVAL; 1196 break; 1197 } 1198 template_desc = lookup_template_desc(args[0].from); 1199 if (!template_desc || entry->template) { 1200 result = -EINVAL; 1201 break; 1202 } 1203 1204 /* 1205 * template_desc_init_fields() does nothing if 1206 * the template is already initialised, so 1207 * it's safe to do this unconditionally 1208 */ 1209 template_desc_init_fields(template_desc->fmt, 1210 &(template_desc->fields), 1211 &(template_desc->num_fields)); 1212 entry->template = template_desc; 1213 break; 1214 case Opt_err: 1215 ima_log_string(ab, "UNKNOWN", p); 1216 result = -EINVAL; 1217 break; 1218 } 1219 } 1220 if (!result && (entry->action == UNKNOWN)) 1221 result = -EINVAL; 1222 else if (entry->action == APPRAISE) 1223 temp_ima_appraise |= ima_appraise_flag(entry->func); 1224 1225 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1226 template_desc = entry->template ? entry->template : 1227 ima_template_desc_current(); 1228 check_template_modsig(template_desc); 1229 } 1230 1231 audit_log_format(ab, "res=%d", !result); 1232 audit_log_end(ab); 1233 return result; 1234 } 1235 1236 /** 1237 * ima_parse_add_rule - add a rule to ima_policy_rules 1238 * @rule - ima measurement policy rule 1239 * 1240 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1241 * Returns the length of the rule parsed, an error code on failure 1242 */ 1243 ssize_t ima_parse_add_rule(char *rule) 1244 { 1245 static const char op[] = "update_policy"; 1246 char *p; 1247 struct ima_rule_entry *entry; 1248 ssize_t result, len; 1249 int audit_info = 0; 1250 1251 p = strsep(&rule, "\n"); 1252 len = strlen(p) + 1; 1253 p += strspn(p, " \t"); 1254 1255 if (*p == '#' || *p == '\0') 1256 return len; 1257 1258 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1259 if (!entry) { 1260 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1261 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1262 return -ENOMEM; 1263 } 1264 1265 INIT_LIST_HEAD(&entry->list); 1266 1267 result = ima_parse_rule(p, entry); 1268 if (result) { 1269 kfree(entry); 1270 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1271 NULL, op, "invalid-policy", result, 1272 audit_info); 1273 return result; 1274 } 1275 1276 list_add_tail(&entry->list, &ima_temp_rules); 1277 1278 return len; 1279 } 1280 1281 /** 1282 * ima_delete_rules() called to cleanup invalid in-flight policy. 1283 * We don't need locking as we operate on the temp list, which is 1284 * different from the active one. There is also only one user of 1285 * ima_delete_rules() at a time. 1286 */ 1287 void ima_delete_rules(void) 1288 { 1289 struct ima_rule_entry *entry, *tmp; 1290 int i; 1291 1292 temp_ima_appraise = 0; 1293 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1294 for (i = 0; i < MAX_LSM_RULES; i++) 1295 kfree(entry->lsm[i].args_p); 1296 1297 list_del(&entry->list); 1298 kfree(entry); 1299 } 1300 } 1301 1302 #define __ima_hook_stringify(str) (#str), 1303 1304 const char *const func_tokens[] = { 1305 __ima_hooks(__ima_hook_stringify) 1306 }; 1307 1308 #ifdef CONFIG_IMA_READ_POLICY 1309 enum { 1310 mask_exec = 0, mask_write, mask_read, mask_append 1311 }; 1312 1313 static const char *const mask_tokens[] = { 1314 "^MAY_EXEC", 1315 "^MAY_WRITE", 1316 "^MAY_READ", 1317 "^MAY_APPEND" 1318 }; 1319 1320 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1321 { 1322 loff_t l = *pos; 1323 struct ima_rule_entry *entry; 1324 1325 rcu_read_lock(); 1326 list_for_each_entry_rcu(entry, ima_rules, list) { 1327 if (!l--) { 1328 rcu_read_unlock(); 1329 return entry; 1330 } 1331 } 1332 rcu_read_unlock(); 1333 return NULL; 1334 } 1335 1336 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1337 { 1338 struct ima_rule_entry *entry = v; 1339 1340 rcu_read_lock(); 1341 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1342 rcu_read_unlock(); 1343 (*pos)++; 1344 1345 return (&entry->list == ima_rules) ? NULL : entry; 1346 } 1347 1348 void ima_policy_stop(struct seq_file *m, void *v) 1349 { 1350 } 1351 1352 #define pt(token) policy_tokens[token].pattern 1353 #define mt(token) mask_tokens[token] 1354 1355 /* 1356 * policy_func_show - display the ima_hooks policy rule 1357 */ 1358 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1359 { 1360 if (func > 0 && func < MAX_CHECK) 1361 seq_printf(m, "func=%s ", func_tokens[func]); 1362 else 1363 seq_printf(m, "func=%d ", func); 1364 } 1365 1366 int ima_policy_show(struct seq_file *m, void *v) 1367 { 1368 struct ima_rule_entry *entry = v; 1369 int i; 1370 char tbuf[64] = {0,}; 1371 int offset = 0; 1372 1373 rcu_read_lock(); 1374 1375 if (entry->action & MEASURE) 1376 seq_puts(m, pt(Opt_measure)); 1377 if (entry->action & DONT_MEASURE) 1378 seq_puts(m, pt(Opt_dont_measure)); 1379 if (entry->action & APPRAISE) 1380 seq_puts(m, pt(Opt_appraise)); 1381 if (entry->action & DONT_APPRAISE) 1382 seq_puts(m, pt(Opt_dont_appraise)); 1383 if (entry->action & AUDIT) 1384 seq_puts(m, pt(Opt_audit)); 1385 if (entry->action & HASH) 1386 seq_puts(m, pt(Opt_hash)); 1387 if (entry->action & DONT_HASH) 1388 seq_puts(m, pt(Opt_dont_hash)); 1389 1390 seq_puts(m, " "); 1391 1392 if (entry->flags & IMA_FUNC) 1393 policy_func_show(m, entry->func); 1394 1395 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1396 if (entry->flags & IMA_MASK) 1397 offset = 1; 1398 if (entry->mask & MAY_EXEC) 1399 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1400 if (entry->mask & MAY_WRITE) 1401 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1402 if (entry->mask & MAY_READ) 1403 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1404 if (entry->mask & MAY_APPEND) 1405 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1406 seq_puts(m, " "); 1407 } 1408 1409 if (entry->flags & IMA_FSMAGIC) { 1410 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1411 seq_printf(m, pt(Opt_fsmagic), tbuf); 1412 seq_puts(m, " "); 1413 } 1414 1415 if (entry->flags & IMA_FSNAME) { 1416 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1417 seq_printf(m, pt(Opt_fsname), tbuf); 1418 seq_puts(m, " "); 1419 } 1420 1421 if (entry->flags & IMA_PCR) { 1422 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1423 seq_printf(m, pt(Opt_pcr), tbuf); 1424 seq_puts(m, " "); 1425 } 1426 1427 if (entry->flags & IMA_FSUUID) { 1428 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1429 seq_puts(m, " "); 1430 } 1431 1432 if (entry->flags & IMA_UID) { 1433 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1434 if (entry->uid_op == &uid_gt) 1435 seq_printf(m, pt(Opt_uid_gt), tbuf); 1436 else if (entry->uid_op == &uid_lt) 1437 seq_printf(m, pt(Opt_uid_lt), tbuf); 1438 else 1439 seq_printf(m, pt(Opt_uid_eq), tbuf); 1440 seq_puts(m, " "); 1441 } 1442 1443 if (entry->flags & IMA_EUID) { 1444 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1445 if (entry->uid_op == &uid_gt) 1446 seq_printf(m, pt(Opt_euid_gt), tbuf); 1447 else if (entry->uid_op == &uid_lt) 1448 seq_printf(m, pt(Opt_euid_lt), tbuf); 1449 else 1450 seq_printf(m, pt(Opt_euid_eq), tbuf); 1451 seq_puts(m, " "); 1452 } 1453 1454 if (entry->flags & IMA_FOWNER) { 1455 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1456 if (entry->fowner_op == &uid_gt) 1457 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1458 else if (entry->fowner_op == &uid_lt) 1459 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1460 else 1461 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1462 seq_puts(m, " "); 1463 } 1464 1465 for (i = 0; i < MAX_LSM_RULES; i++) { 1466 if (entry->lsm[i].rule) { 1467 switch (i) { 1468 case LSM_OBJ_USER: 1469 seq_printf(m, pt(Opt_obj_user), 1470 (char *)entry->lsm[i].args_p); 1471 break; 1472 case LSM_OBJ_ROLE: 1473 seq_printf(m, pt(Opt_obj_role), 1474 (char *)entry->lsm[i].args_p); 1475 break; 1476 case LSM_OBJ_TYPE: 1477 seq_printf(m, pt(Opt_obj_type), 1478 (char *)entry->lsm[i].args_p); 1479 break; 1480 case LSM_SUBJ_USER: 1481 seq_printf(m, pt(Opt_subj_user), 1482 (char *)entry->lsm[i].args_p); 1483 break; 1484 case LSM_SUBJ_ROLE: 1485 seq_printf(m, pt(Opt_subj_role), 1486 (char *)entry->lsm[i].args_p); 1487 break; 1488 case LSM_SUBJ_TYPE: 1489 seq_printf(m, pt(Opt_subj_type), 1490 (char *)entry->lsm[i].args_p); 1491 break; 1492 } 1493 } 1494 } 1495 if (entry->template) 1496 seq_printf(m, "template=%s ", entry->template->name); 1497 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1498 if (entry->flags & IMA_MODSIG_ALLOWED) 1499 seq_puts(m, "appraise_type=imasig|modsig "); 1500 else 1501 seq_puts(m, "appraise_type=imasig "); 1502 } 1503 if (entry->flags & IMA_PERMIT_DIRECTIO) 1504 seq_puts(m, "permit_directio "); 1505 rcu_read_unlock(); 1506 seq_puts(m, "\n"); 1507 return 0; 1508 } 1509 #endif /* CONFIG_IMA_READ_POLICY */ 1510 1511 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1512 /* 1513 * ima_appraise_signature: whether IMA will appraise a given function using 1514 * an IMA digital signature. This is restricted to cases where the kernel 1515 * has a set of built-in trusted keys in order to avoid an attacker simply 1516 * loading additional keys. 1517 */ 1518 bool ima_appraise_signature(enum kernel_read_file_id id) 1519 { 1520 struct ima_rule_entry *entry; 1521 bool found = false; 1522 enum ima_hooks func; 1523 1524 if (id >= READING_MAX_ID) 1525 return false; 1526 1527 func = read_idmap[id] ?: FILE_CHECK; 1528 1529 rcu_read_lock(); 1530 list_for_each_entry_rcu(entry, ima_rules, list) { 1531 if (entry->action != APPRAISE) 1532 continue; 1533 1534 /* 1535 * A generic entry will match, but otherwise require that it 1536 * match the func we're looking for 1537 */ 1538 if (entry->func && entry->func != func) 1539 continue; 1540 1541 /* 1542 * We require this to be a digital signature, not a raw IMA 1543 * hash. 1544 */ 1545 if (entry->flags & IMA_DIGSIG_REQUIRED) 1546 found = true; 1547 1548 /* 1549 * We've found a rule that matches, so break now even if it 1550 * didn't require a digital signature - a later rule that does 1551 * won't override it, so would be a false positive. 1552 */ 1553 break; 1554 } 1555 1556 rcu_read_unlock(); 1557 return found; 1558 } 1559 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1560