1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 11 12 #include <linux/init.h> 13 #include <linux/list.h> 14 #include <linux/fs.h> 15 #include <linux/security.h> 16 #include <linux/magic.h> 17 #include <linux/parser.h> 18 #include <linux/slab.h> 19 #include <linux/rculist.h> 20 #include <linux/genhd.h> 21 #include <linux/seq_file.h> 22 #include <linux/ima.h> 23 24 #include "ima.h" 25 26 /* flags definitions */ 27 #define IMA_FUNC 0x0001 28 #define IMA_MASK 0x0002 29 #define IMA_FSMAGIC 0x0004 30 #define IMA_UID 0x0008 31 #define IMA_FOWNER 0x0010 32 #define IMA_FSUUID 0x0020 33 #define IMA_INMASK 0x0040 34 #define IMA_EUID 0x0080 35 #define IMA_PCR 0x0100 36 #define IMA_FSNAME 0x0200 37 #define IMA_KEYRINGS 0x0400 38 39 #define UNKNOWN 0 40 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 41 #define DONT_MEASURE 0x0002 42 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 43 #define DONT_APPRAISE 0x0008 44 #define AUDIT 0x0040 45 #define HASH 0x0100 46 #define DONT_HASH 0x0200 47 48 #define INVALID_PCR(a) (((a) < 0) || \ 49 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 50 51 int ima_policy_flag; 52 static int temp_ima_appraise; 53 static int build_ima_appraise __ro_after_init; 54 55 #define MAX_LSM_RULES 6 56 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 57 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 58 }; 59 60 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 61 62 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 63 64 struct ima_rule_entry { 65 struct list_head list; 66 int action; 67 unsigned int flags; 68 enum ima_hooks func; 69 int mask; 70 unsigned long fsmagic; 71 uuid_t fsuuid; 72 kuid_t uid; 73 kuid_t fowner; 74 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 75 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 76 int pcr; 77 struct { 78 void *rule; /* LSM file metadata specific */ 79 void *args_p; /* audit value */ 80 int type; /* audit type */ 81 } lsm[MAX_LSM_RULES]; 82 char *fsname; 83 char *keyrings; /* Measure keys added to these keyrings */ 84 struct ima_template_desc *template; 85 }; 86 87 /* 88 * Without LSM specific knowledge, the default policy can only be 89 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 90 */ 91 92 /* 93 * The minimum rule set to allow for full TCB coverage. Measures all files 94 * opened or mmap for exec and everything read by root. Dangerous because 95 * normal users can easily run the machine out of memory simply building 96 * and running executables. 97 */ 98 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 99 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 100 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 101 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 102 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 103 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 104 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 105 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 106 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 107 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 108 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 109 .flags = IMA_FSMAGIC}, 110 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 111 .flags = IMA_FSMAGIC}, 112 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 113 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 114 }; 115 116 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 117 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 118 .flags = IMA_FUNC | IMA_MASK}, 119 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 120 .flags = IMA_FUNC | IMA_MASK}, 121 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 122 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 123 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 124 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 125 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 126 }; 127 128 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 129 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 130 .flags = IMA_FUNC | IMA_MASK}, 131 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 132 .flags = IMA_FUNC | IMA_MASK}, 133 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 134 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 135 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 136 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 137 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 138 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 139 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 140 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 141 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 142 }; 143 144 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 145 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 146 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 147 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 148 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 149 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 158 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 159 #ifdef CONFIG_IMA_WRITE_POLICY 160 {.action = APPRAISE, .func = POLICY_CHECK, 161 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 162 #endif 163 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 164 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 165 .flags = IMA_FOWNER}, 166 #else 167 /* force signature */ 168 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 169 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 170 #endif 171 }; 172 173 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 174 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 175 {.action = APPRAISE, .func = MODULE_CHECK, 176 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 177 #endif 178 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 179 {.action = APPRAISE, .func = FIRMWARE_CHECK, 180 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 181 #endif 182 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 183 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 184 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 185 #endif 186 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 187 {.action = APPRAISE, .func = POLICY_CHECK, 188 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 189 #endif 190 }; 191 192 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 193 {.action = APPRAISE, .func = MODULE_CHECK, 194 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 195 {.action = APPRAISE, .func = FIRMWARE_CHECK, 196 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 197 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 199 {.action = APPRAISE, .func = POLICY_CHECK, 200 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 201 }; 202 203 /* An array of architecture specific rules */ 204 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 205 206 static LIST_HEAD(ima_default_rules); 207 static LIST_HEAD(ima_policy_rules); 208 static LIST_HEAD(ima_temp_rules); 209 static struct list_head *ima_rules; 210 211 /* Pre-allocated buffer used for matching keyrings. */ 212 static char *ima_keyrings; 213 static size_t ima_keyrings_len; 214 215 static int ima_policy __initdata; 216 217 static int __init default_measure_policy_setup(char *str) 218 { 219 if (ima_policy) 220 return 1; 221 222 ima_policy = ORIGINAL_TCB; 223 return 1; 224 } 225 __setup("ima_tcb", default_measure_policy_setup); 226 227 static bool ima_use_appraise_tcb __initdata; 228 static bool ima_use_secure_boot __initdata; 229 static bool ima_fail_unverifiable_sigs __ro_after_init; 230 static int __init policy_setup(char *str) 231 { 232 char *p; 233 234 while ((p = strsep(&str, " |\n")) != NULL) { 235 if (*p == ' ') 236 continue; 237 if ((strcmp(p, "tcb") == 0) && !ima_policy) 238 ima_policy = DEFAULT_TCB; 239 else if (strcmp(p, "appraise_tcb") == 0) 240 ima_use_appraise_tcb = true; 241 else if (strcmp(p, "secure_boot") == 0) 242 ima_use_secure_boot = true; 243 else if (strcmp(p, "fail_securely") == 0) 244 ima_fail_unverifiable_sigs = true; 245 } 246 247 return 1; 248 } 249 __setup("ima_policy=", policy_setup); 250 251 static int __init default_appraise_policy_setup(char *str) 252 { 253 ima_use_appraise_tcb = true; 254 return 1; 255 } 256 __setup("ima_appraise_tcb", default_appraise_policy_setup); 257 258 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 259 { 260 int i; 261 262 for (i = 0; i < MAX_LSM_RULES; i++) { 263 kfree(entry->lsm[i].rule); 264 kfree(entry->lsm[i].args_p); 265 } 266 kfree(entry); 267 } 268 269 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 270 { 271 struct ima_rule_entry *nentry; 272 int i; 273 274 nentry = kmalloc(sizeof(*nentry), GFP_KERNEL); 275 if (!nentry) 276 return NULL; 277 278 /* 279 * Immutable elements are copied over as pointers and data; only 280 * lsm rules can change 281 */ 282 memcpy(nentry, entry, sizeof(*nentry)); 283 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 284 285 for (i = 0; i < MAX_LSM_RULES; i++) { 286 if (!entry->lsm[i].args_p) 287 continue; 288 289 nentry->lsm[i].type = entry->lsm[i].type; 290 nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p, 291 GFP_KERNEL); 292 if (!nentry->lsm[i].args_p) 293 goto out_err; 294 295 security_filter_rule_init(nentry->lsm[i].type, 296 Audit_equal, 297 nentry->lsm[i].args_p, 298 &nentry->lsm[i].rule); 299 if (!nentry->lsm[i].rule) 300 pr_warn("rule for LSM \'%s\' is undefined\n", 301 (char *)entry->lsm[i].args_p); 302 } 303 return nentry; 304 305 out_err: 306 ima_lsm_free_rule(nentry); 307 return NULL; 308 } 309 310 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 311 { 312 struct ima_rule_entry *nentry; 313 314 nentry = ima_lsm_copy_rule(entry); 315 if (!nentry) 316 return -ENOMEM; 317 318 list_replace_rcu(&entry->list, &nentry->list); 319 synchronize_rcu(); 320 ima_lsm_free_rule(entry); 321 322 return 0; 323 } 324 325 /* 326 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 327 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 328 * the reloaded LSM policy. 329 */ 330 static void ima_lsm_update_rules(void) 331 { 332 struct ima_rule_entry *entry, *e; 333 int i, result, needs_update; 334 335 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 336 needs_update = 0; 337 for (i = 0; i < MAX_LSM_RULES; i++) { 338 if (entry->lsm[i].args_p) { 339 needs_update = 1; 340 break; 341 } 342 } 343 if (!needs_update) 344 continue; 345 346 result = ima_lsm_update_rule(entry); 347 if (result) { 348 pr_err("lsm rule update error %d\n", result); 349 return; 350 } 351 } 352 } 353 354 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 355 void *lsm_data) 356 { 357 if (event != LSM_POLICY_CHANGE) 358 return NOTIFY_DONE; 359 360 ima_lsm_update_rules(); 361 return NOTIFY_OK; 362 } 363 364 /** 365 * ima_match_keyring - determine whether the keyring matches the measure rule 366 * @rule: a pointer to a rule 367 * @keyring: name of the keyring to match against the measure rule 368 * @cred: a pointer to a credentials structure for user validation 369 * 370 * Returns true if keyring matches one in the rule, false otherwise. 371 */ 372 static bool ima_match_keyring(struct ima_rule_entry *rule, 373 const char *keyring, const struct cred *cred) 374 { 375 char *next_keyring, *keyrings_ptr; 376 bool matched = false; 377 378 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 379 return false; 380 381 if (!rule->keyrings) 382 return true; 383 384 if (!keyring) 385 return false; 386 387 strcpy(ima_keyrings, rule->keyrings); 388 389 /* 390 * "keyrings=" is specified in the policy in the format below: 391 * keyrings=.builtin_trusted_keys|.ima|.evm 392 */ 393 keyrings_ptr = ima_keyrings; 394 while ((next_keyring = strsep(&keyrings_ptr, "|")) != NULL) { 395 if (!strcmp(next_keyring, keyring)) { 396 matched = true; 397 break; 398 } 399 } 400 401 return matched; 402 } 403 404 /** 405 * ima_match_rules - determine whether an inode matches the policy rule. 406 * @rule: a pointer to a rule 407 * @inode: a pointer to an inode 408 * @cred: a pointer to a credentials structure for user validation 409 * @secid: the secid of the task to be validated 410 * @func: LIM hook identifier 411 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 412 * @keyring: keyring name to check in policy for KEY_CHECK func 413 * 414 * Returns true on rule match, false on failure. 415 */ 416 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, 417 const struct cred *cred, u32 secid, 418 enum ima_hooks func, int mask, 419 const char *keyring) 420 { 421 int i; 422 423 if ((func == KEXEC_CMDLINE) || (func == KEY_CHECK)) { 424 if ((rule->flags & IMA_FUNC) && (rule->func == func)) { 425 if (func == KEY_CHECK) 426 return ima_match_keyring(rule, keyring, cred); 427 return true; 428 } 429 return false; 430 } 431 if ((rule->flags & IMA_FUNC) && 432 (rule->func != func && func != POST_SETATTR)) 433 return false; 434 if ((rule->flags & IMA_MASK) && 435 (rule->mask != mask && func != POST_SETATTR)) 436 return false; 437 if ((rule->flags & IMA_INMASK) && 438 (!(rule->mask & mask) && func != POST_SETATTR)) 439 return false; 440 if ((rule->flags & IMA_FSMAGIC) 441 && rule->fsmagic != inode->i_sb->s_magic) 442 return false; 443 if ((rule->flags & IMA_FSNAME) 444 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 445 return false; 446 if ((rule->flags & IMA_FSUUID) && 447 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 448 return false; 449 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 450 return false; 451 if (rule->flags & IMA_EUID) { 452 if (has_capability_noaudit(current, CAP_SETUID)) { 453 if (!rule->uid_op(cred->euid, rule->uid) 454 && !rule->uid_op(cred->suid, rule->uid) 455 && !rule->uid_op(cred->uid, rule->uid)) 456 return false; 457 } else if (!rule->uid_op(cred->euid, rule->uid)) 458 return false; 459 } 460 461 if ((rule->flags & IMA_FOWNER) && 462 !rule->fowner_op(inode->i_uid, rule->fowner)) 463 return false; 464 for (i = 0; i < MAX_LSM_RULES; i++) { 465 int rc = 0; 466 u32 osid; 467 468 if (!rule->lsm[i].rule) { 469 if (!rule->lsm[i].args_p) 470 continue; 471 else 472 return false; 473 } 474 switch (i) { 475 case LSM_OBJ_USER: 476 case LSM_OBJ_ROLE: 477 case LSM_OBJ_TYPE: 478 security_inode_getsecid(inode, &osid); 479 rc = security_filter_rule_match(osid, 480 rule->lsm[i].type, 481 Audit_equal, 482 rule->lsm[i].rule); 483 break; 484 case LSM_SUBJ_USER: 485 case LSM_SUBJ_ROLE: 486 case LSM_SUBJ_TYPE: 487 rc = security_filter_rule_match(secid, 488 rule->lsm[i].type, 489 Audit_equal, 490 rule->lsm[i].rule); 491 default: 492 break; 493 } 494 if (!rc) 495 return false; 496 } 497 return true; 498 } 499 500 /* 501 * In addition to knowing that we need to appraise the file in general, 502 * we need to differentiate between calling hooks, for hook specific rules. 503 */ 504 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 505 { 506 if (!(rule->flags & IMA_FUNC)) 507 return IMA_FILE_APPRAISE; 508 509 switch (func) { 510 case MMAP_CHECK: 511 return IMA_MMAP_APPRAISE; 512 case BPRM_CHECK: 513 return IMA_BPRM_APPRAISE; 514 case CREDS_CHECK: 515 return IMA_CREDS_APPRAISE; 516 case FILE_CHECK: 517 case POST_SETATTR: 518 return IMA_FILE_APPRAISE; 519 case MODULE_CHECK ... MAX_CHECK - 1: 520 default: 521 return IMA_READ_APPRAISE; 522 } 523 } 524 525 /** 526 * ima_match_policy - decision based on LSM and other conditions 527 * @inode: pointer to an inode for which the policy decision is being made 528 * @cred: pointer to a credentials structure for which the policy decision is 529 * being made 530 * @secid: LSM secid of the task to be validated 531 * @func: IMA hook identifier 532 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 533 * @pcr: set the pcr to extend 534 * @template_desc: the template that should be used for this rule 535 * @keyring: the keyring name, if given, to be used to check in the policy. 536 * keyring can be NULL if func is anything other than KEY_CHECK. 537 * 538 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 539 * conditions. 540 * 541 * Since the IMA policy may be updated multiple times we need to lock the 542 * list when walking it. Reads are many orders of magnitude more numerous 543 * than writes so ima_match_policy() is classical RCU candidate. 544 */ 545 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 546 enum ima_hooks func, int mask, int flags, int *pcr, 547 struct ima_template_desc **template_desc, 548 const char *keyring) 549 { 550 struct ima_rule_entry *entry; 551 int action = 0, actmask = flags | (flags << 1); 552 553 if (template_desc) 554 *template_desc = ima_template_desc_current(); 555 556 rcu_read_lock(); 557 list_for_each_entry_rcu(entry, ima_rules, list) { 558 559 if (!(entry->action & actmask)) 560 continue; 561 562 if (!ima_match_rules(entry, inode, cred, secid, func, mask, 563 keyring)) 564 continue; 565 566 action |= entry->flags & IMA_ACTION_FLAGS; 567 568 action |= entry->action & IMA_DO_MASK; 569 if (entry->action & IMA_APPRAISE) { 570 action |= get_subaction(entry, func); 571 action &= ~IMA_HASH; 572 if (ima_fail_unverifiable_sigs) 573 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 574 } 575 576 577 if (entry->action & IMA_DO_MASK) 578 actmask &= ~(entry->action | entry->action << 1); 579 else 580 actmask &= ~(entry->action | entry->action >> 1); 581 582 if ((pcr) && (entry->flags & IMA_PCR)) 583 *pcr = entry->pcr; 584 585 if (template_desc && entry->template) 586 *template_desc = entry->template; 587 588 if (!actmask) 589 break; 590 } 591 rcu_read_unlock(); 592 593 return action; 594 } 595 596 /* 597 * Initialize the ima_policy_flag variable based on the currently 598 * loaded policy. Based on this flag, the decision to short circuit 599 * out of a function or not call the function in the first place 600 * can be made earlier. 601 */ 602 void ima_update_policy_flag(void) 603 { 604 struct ima_rule_entry *entry; 605 606 list_for_each_entry(entry, ima_rules, list) { 607 if (entry->action & IMA_DO_MASK) 608 ima_policy_flag |= entry->action; 609 } 610 611 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 612 if (!ima_appraise) 613 ima_policy_flag &= ~IMA_APPRAISE; 614 } 615 616 static int ima_appraise_flag(enum ima_hooks func) 617 { 618 if (func == MODULE_CHECK) 619 return IMA_APPRAISE_MODULES; 620 else if (func == FIRMWARE_CHECK) 621 return IMA_APPRAISE_FIRMWARE; 622 else if (func == POLICY_CHECK) 623 return IMA_APPRAISE_POLICY; 624 else if (func == KEXEC_KERNEL_CHECK) 625 return IMA_APPRAISE_KEXEC; 626 return 0; 627 } 628 629 static void add_rules(struct ima_rule_entry *entries, int count, 630 enum policy_rule_list policy_rule) 631 { 632 int i = 0; 633 634 for (i = 0; i < count; i++) { 635 struct ima_rule_entry *entry; 636 637 if (policy_rule & IMA_DEFAULT_POLICY) 638 list_add_tail(&entries[i].list, &ima_default_rules); 639 640 if (policy_rule & IMA_CUSTOM_POLICY) { 641 entry = kmemdup(&entries[i], sizeof(*entry), 642 GFP_KERNEL); 643 if (!entry) 644 continue; 645 646 list_add_tail(&entry->list, &ima_policy_rules); 647 } 648 if (entries[i].action == APPRAISE) { 649 temp_ima_appraise |= ima_appraise_flag(entries[i].func); 650 if (entries[i].func == POLICY_CHECK) 651 temp_ima_appraise |= IMA_APPRAISE_POLICY; 652 } 653 } 654 } 655 656 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 657 658 static int __init ima_init_arch_policy(void) 659 { 660 const char * const *arch_rules; 661 const char * const *rules; 662 int arch_entries = 0; 663 int i = 0; 664 665 arch_rules = arch_get_ima_policy(); 666 if (!arch_rules) 667 return arch_entries; 668 669 /* Get number of rules */ 670 for (rules = arch_rules; *rules != NULL; rules++) 671 arch_entries++; 672 673 arch_policy_entry = kcalloc(arch_entries + 1, 674 sizeof(*arch_policy_entry), GFP_KERNEL); 675 if (!arch_policy_entry) 676 return 0; 677 678 /* Convert each policy string rules to struct ima_rule_entry format */ 679 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 680 char rule[255]; 681 int result; 682 683 result = strlcpy(rule, *rules, sizeof(rule)); 684 685 INIT_LIST_HEAD(&arch_policy_entry[i].list); 686 result = ima_parse_rule(rule, &arch_policy_entry[i]); 687 if (result) { 688 pr_warn("Skipping unknown architecture policy rule: %s\n", 689 rule); 690 memset(&arch_policy_entry[i], 0, 691 sizeof(*arch_policy_entry)); 692 continue; 693 } 694 i++; 695 } 696 return i; 697 } 698 699 /** 700 * ima_init_policy - initialize the default measure rules. 701 * 702 * ima_rules points to either the ima_default_rules or the 703 * the new ima_policy_rules. 704 */ 705 void __init ima_init_policy(void) 706 { 707 int build_appraise_entries, arch_entries; 708 709 /* if !ima_policy, we load NO default rules */ 710 if (ima_policy) 711 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 712 IMA_DEFAULT_POLICY); 713 714 switch (ima_policy) { 715 case ORIGINAL_TCB: 716 add_rules(original_measurement_rules, 717 ARRAY_SIZE(original_measurement_rules), 718 IMA_DEFAULT_POLICY); 719 break; 720 case DEFAULT_TCB: 721 add_rules(default_measurement_rules, 722 ARRAY_SIZE(default_measurement_rules), 723 IMA_DEFAULT_POLICY); 724 default: 725 break; 726 } 727 728 /* 729 * Based on runtime secure boot flags, insert arch specific measurement 730 * and appraise rules requiring file signatures for both the initial 731 * and custom policies, prior to other appraise rules. 732 * (Highest priority) 733 */ 734 arch_entries = ima_init_arch_policy(); 735 if (!arch_entries) 736 pr_info("No architecture policies found\n"); 737 else 738 add_rules(arch_policy_entry, arch_entries, 739 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 740 741 /* 742 * Insert the builtin "secure_boot" policy rules requiring file 743 * signatures, prior to other appraise rules. 744 */ 745 if (ima_use_secure_boot) 746 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 747 IMA_DEFAULT_POLICY); 748 749 /* 750 * Insert the build time appraise rules requiring file signatures 751 * for both the initial and custom policies, prior to other appraise 752 * rules. As the secure boot rules includes all of the build time 753 * rules, include either one or the other set of rules, but not both. 754 */ 755 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 756 if (build_appraise_entries) { 757 if (ima_use_secure_boot) 758 add_rules(build_appraise_rules, build_appraise_entries, 759 IMA_CUSTOM_POLICY); 760 else 761 add_rules(build_appraise_rules, build_appraise_entries, 762 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 763 } 764 765 if (ima_use_appraise_tcb) 766 add_rules(default_appraise_rules, 767 ARRAY_SIZE(default_appraise_rules), 768 IMA_DEFAULT_POLICY); 769 770 ima_rules = &ima_default_rules; 771 ima_update_policy_flag(); 772 } 773 774 /* Make sure we have a valid policy, at least containing some rules. */ 775 int ima_check_policy(void) 776 { 777 if (list_empty(&ima_temp_rules)) 778 return -EINVAL; 779 return 0; 780 } 781 782 /** 783 * ima_update_policy - update default_rules with new measure rules 784 * 785 * Called on file .release to update the default rules with a complete new 786 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 787 * they make a queue. The policy may be updated multiple times and this is the 788 * RCU updater. 789 * 790 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 791 * we switch from the default policy to user defined. 792 */ 793 void ima_update_policy(void) 794 { 795 struct list_head *policy = &ima_policy_rules; 796 797 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 798 799 if (ima_rules != policy) { 800 ima_policy_flag = 0; 801 ima_rules = policy; 802 803 /* 804 * IMA architecture specific policy rules are specified 805 * as strings and converted to an array of ima_entry_rules 806 * on boot. After loading a custom policy, free the 807 * architecture specific rules stored as an array. 808 */ 809 kfree(arch_policy_entry); 810 } 811 ima_update_policy_flag(); 812 813 /* Custom IMA policy has been loaded */ 814 ima_process_queued_keys(); 815 } 816 817 /* Keep the enumeration in sync with the policy_tokens! */ 818 enum { 819 Opt_measure, Opt_dont_measure, 820 Opt_appraise, Opt_dont_appraise, 821 Opt_audit, Opt_hash, Opt_dont_hash, 822 Opt_obj_user, Opt_obj_role, Opt_obj_type, 823 Opt_subj_user, Opt_subj_role, Opt_subj_type, 824 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 825 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 826 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 827 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 828 Opt_appraise_type, Opt_appraise_flag, 829 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 830 Opt_err 831 }; 832 833 static const match_table_t policy_tokens = { 834 {Opt_measure, "measure"}, 835 {Opt_dont_measure, "dont_measure"}, 836 {Opt_appraise, "appraise"}, 837 {Opt_dont_appraise, "dont_appraise"}, 838 {Opt_audit, "audit"}, 839 {Opt_hash, "hash"}, 840 {Opt_dont_hash, "dont_hash"}, 841 {Opt_obj_user, "obj_user=%s"}, 842 {Opt_obj_role, "obj_role=%s"}, 843 {Opt_obj_type, "obj_type=%s"}, 844 {Opt_subj_user, "subj_user=%s"}, 845 {Opt_subj_role, "subj_role=%s"}, 846 {Opt_subj_type, "subj_type=%s"}, 847 {Opt_func, "func=%s"}, 848 {Opt_mask, "mask=%s"}, 849 {Opt_fsmagic, "fsmagic=%s"}, 850 {Opt_fsname, "fsname=%s"}, 851 {Opt_fsuuid, "fsuuid=%s"}, 852 {Opt_uid_eq, "uid=%s"}, 853 {Opt_euid_eq, "euid=%s"}, 854 {Opt_fowner_eq, "fowner=%s"}, 855 {Opt_uid_gt, "uid>%s"}, 856 {Opt_euid_gt, "euid>%s"}, 857 {Opt_fowner_gt, "fowner>%s"}, 858 {Opt_uid_lt, "uid<%s"}, 859 {Opt_euid_lt, "euid<%s"}, 860 {Opt_fowner_lt, "fowner<%s"}, 861 {Opt_appraise_type, "appraise_type=%s"}, 862 {Opt_appraise_flag, "appraise_flag=%s"}, 863 {Opt_permit_directio, "permit_directio"}, 864 {Opt_pcr, "pcr=%s"}, 865 {Opt_template, "template=%s"}, 866 {Opt_keyrings, "keyrings=%s"}, 867 {Opt_err, NULL} 868 }; 869 870 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 871 substring_t *args, int lsm_rule, int audit_type) 872 { 873 int result; 874 875 if (entry->lsm[lsm_rule].rule) 876 return -EINVAL; 877 878 entry->lsm[lsm_rule].args_p = match_strdup(args); 879 if (!entry->lsm[lsm_rule].args_p) 880 return -ENOMEM; 881 882 entry->lsm[lsm_rule].type = audit_type; 883 result = security_filter_rule_init(entry->lsm[lsm_rule].type, 884 Audit_equal, 885 entry->lsm[lsm_rule].args_p, 886 &entry->lsm[lsm_rule].rule); 887 if (!entry->lsm[lsm_rule].rule) { 888 pr_warn("rule for LSM \'%s\' is undefined\n", 889 (char *)entry->lsm[lsm_rule].args_p); 890 891 if (ima_rules == &ima_default_rules) { 892 kfree(entry->lsm[lsm_rule].args_p); 893 result = -EINVAL; 894 } else 895 result = 0; 896 } 897 898 return result; 899 } 900 901 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 902 bool (*rule_operator)(kuid_t, kuid_t)) 903 { 904 if (!ab) 905 return; 906 907 if (rule_operator == &uid_gt) 908 audit_log_format(ab, "%s>", key); 909 else if (rule_operator == &uid_lt) 910 audit_log_format(ab, "%s<", key); 911 else 912 audit_log_format(ab, "%s=", key); 913 audit_log_format(ab, "%s ", value); 914 } 915 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 916 { 917 ima_log_string_op(ab, key, value, NULL); 918 } 919 920 /* 921 * Validating the appended signature included in the measurement list requires 922 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 923 * field). Therefore, notify the user if they have the 'modsig' field but not 924 * the 'd-modsig' field in the template. 925 */ 926 static void check_template_modsig(const struct ima_template_desc *template) 927 { 928 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 929 bool has_modsig, has_dmodsig; 930 static bool checked; 931 int i; 932 933 /* We only need to notify the user once. */ 934 if (checked) 935 return; 936 937 has_modsig = has_dmodsig = false; 938 for (i = 0; i < template->num_fields; i++) { 939 if (!strcmp(template->fields[i]->field_id, "modsig")) 940 has_modsig = true; 941 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 942 has_dmodsig = true; 943 } 944 945 if (has_modsig && !has_dmodsig) 946 pr_notice(MSG); 947 948 checked = true; 949 #undef MSG 950 } 951 952 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 953 { 954 struct audit_buffer *ab; 955 char *from; 956 char *p; 957 bool uid_token; 958 struct ima_template_desc *template_desc; 959 int result = 0; 960 size_t keyrings_len; 961 962 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 963 AUDIT_INTEGRITY_POLICY_RULE); 964 965 entry->uid = INVALID_UID; 966 entry->fowner = INVALID_UID; 967 entry->uid_op = &uid_eq; 968 entry->fowner_op = &uid_eq; 969 entry->action = UNKNOWN; 970 while ((p = strsep(&rule, " \t")) != NULL) { 971 substring_t args[MAX_OPT_ARGS]; 972 int token; 973 unsigned long lnum; 974 975 if (result < 0) 976 break; 977 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 978 continue; 979 token = match_token(p, policy_tokens, args); 980 switch (token) { 981 case Opt_measure: 982 ima_log_string(ab, "action", "measure"); 983 984 if (entry->action != UNKNOWN) 985 result = -EINVAL; 986 987 entry->action = MEASURE; 988 break; 989 case Opt_dont_measure: 990 ima_log_string(ab, "action", "dont_measure"); 991 992 if (entry->action != UNKNOWN) 993 result = -EINVAL; 994 995 entry->action = DONT_MEASURE; 996 break; 997 case Opt_appraise: 998 ima_log_string(ab, "action", "appraise"); 999 1000 if (entry->action != UNKNOWN) 1001 result = -EINVAL; 1002 1003 entry->action = APPRAISE; 1004 break; 1005 case Opt_dont_appraise: 1006 ima_log_string(ab, "action", "dont_appraise"); 1007 1008 if (entry->action != UNKNOWN) 1009 result = -EINVAL; 1010 1011 entry->action = DONT_APPRAISE; 1012 break; 1013 case Opt_audit: 1014 ima_log_string(ab, "action", "audit"); 1015 1016 if (entry->action != UNKNOWN) 1017 result = -EINVAL; 1018 1019 entry->action = AUDIT; 1020 break; 1021 case Opt_hash: 1022 ima_log_string(ab, "action", "hash"); 1023 1024 if (entry->action != UNKNOWN) 1025 result = -EINVAL; 1026 1027 entry->action = HASH; 1028 break; 1029 case Opt_dont_hash: 1030 ima_log_string(ab, "action", "dont_hash"); 1031 1032 if (entry->action != UNKNOWN) 1033 result = -EINVAL; 1034 1035 entry->action = DONT_HASH; 1036 break; 1037 case Opt_func: 1038 ima_log_string(ab, "func", args[0].from); 1039 1040 if (entry->func) 1041 result = -EINVAL; 1042 1043 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1044 entry->func = FILE_CHECK; 1045 /* PATH_CHECK is for backwards compat */ 1046 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1047 entry->func = FILE_CHECK; 1048 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1049 entry->func = MODULE_CHECK; 1050 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1051 entry->func = FIRMWARE_CHECK; 1052 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1053 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1054 entry->func = MMAP_CHECK; 1055 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1056 entry->func = BPRM_CHECK; 1057 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1058 entry->func = CREDS_CHECK; 1059 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1060 0) 1061 entry->func = KEXEC_KERNEL_CHECK; 1062 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1063 == 0) 1064 entry->func = KEXEC_INITRAMFS_CHECK; 1065 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1066 entry->func = POLICY_CHECK; 1067 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1068 entry->func = KEXEC_CMDLINE; 1069 else if (strcmp(args[0].from, "KEY_CHECK") == 0) 1070 entry->func = KEY_CHECK; 1071 else 1072 result = -EINVAL; 1073 if (!result) 1074 entry->flags |= IMA_FUNC; 1075 break; 1076 case Opt_mask: 1077 ima_log_string(ab, "mask", args[0].from); 1078 1079 if (entry->mask) 1080 result = -EINVAL; 1081 1082 from = args[0].from; 1083 if (*from == '^') 1084 from++; 1085 1086 if ((strcmp(from, "MAY_EXEC")) == 0) 1087 entry->mask = MAY_EXEC; 1088 else if (strcmp(from, "MAY_WRITE") == 0) 1089 entry->mask = MAY_WRITE; 1090 else if (strcmp(from, "MAY_READ") == 0) 1091 entry->mask = MAY_READ; 1092 else if (strcmp(from, "MAY_APPEND") == 0) 1093 entry->mask = MAY_APPEND; 1094 else 1095 result = -EINVAL; 1096 if (!result) 1097 entry->flags |= (*args[0].from == '^') 1098 ? IMA_INMASK : IMA_MASK; 1099 break; 1100 case Opt_fsmagic: 1101 ima_log_string(ab, "fsmagic", args[0].from); 1102 1103 if (entry->fsmagic) { 1104 result = -EINVAL; 1105 break; 1106 } 1107 1108 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1109 if (!result) 1110 entry->flags |= IMA_FSMAGIC; 1111 break; 1112 case Opt_fsname: 1113 ima_log_string(ab, "fsname", args[0].from); 1114 1115 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1116 if (!entry->fsname) { 1117 result = -ENOMEM; 1118 break; 1119 } 1120 result = 0; 1121 entry->flags |= IMA_FSNAME; 1122 break; 1123 case Opt_keyrings: 1124 ima_log_string(ab, "keyrings", args[0].from); 1125 1126 keyrings_len = strlen(args[0].from) + 1; 1127 1128 if ((entry->keyrings) || 1129 (entry->action != MEASURE) || 1130 (entry->func != KEY_CHECK) || 1131 (keyrings_len < 2)) { 1132 result = -EINVAL; 1133 break; 1134 } 1135 1136 if (keyrings_len > ima_keyrings_len) { 1137 char *tmpbuf; 1138 1139 tmpbuf = krealloc(ima_keyrings, keyrings_len, 1140 GFP_KERNEL); 1141 if (!tmpbuf) { 1142 result = -ENOMEM; 1143 break; 1144 } 1145 1146 ima_keyrings = tmpbuf; 1147 ima_keyrings_len = keyrings_len; 1148 } 1149 1150 entry->keyrings = kstrdup(args[0].from, GFP_KERNEL); 1151 if (!entry->keyrings) { 1152 kfree(ima_keyrings); 1153 ima_keyrings = NULL; 1154 ima_keyrings_len = 0; 1155 result = -ENOMEM; 1156 break; 1157 } 1158 result = 0; 1159 entry->flags |= IMA_KEYRINGS; 1160 break; 1161 case Opt_fsuuid: 1162 ima_log_string(ab, "fsuuid", args[0].from); 1163 1164 if (!uuid_is_null(&entry->fsuuid)) { 1165 result = -EINVAL; 1166 break; 1167 } 1168 1169 result = uuid_parse(args[0].from, &entry->fsuuid); 1170 if (!result) 1171 entry->flags |= IMA_FSUUID; 1172 break; 1173 case Opt_uid_gt: 1174 case Opt_euid_gt: 1175 entry->uid_op = &uid_gt; 1176 /* fall through */ 1177 case Opt_uid_lt: 1178 case Opt_euid_lt: 1179 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1180 entry->uid_op = &uid_lt; 1181 /* fall through */ 1182 case Opt_uid_eq: 1183 case Opt_euid_eq: 1184 uid_token = (token == Opt_uid_eq) || 1185 (token == Opt_uid_gt) || 1186 (token == Opt_uid_lt); 1187 1188 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1189 args[0].from, entry->uid_op); 1190 1191 if (uid_valid(entry->uid)) { 1192 result = -EINVAL; 1193 break; 1194 } 1195 1196 result = kstrtoul(args[0].from, 10, &lnum); 1197 if (!result) { 1198 entry->uid = make_kuid(current_user_ns(), 1199 (uid_t) lnum); 1200 if (!uid_valid(entry->uid) || 1201 (uid_t)lnum != lnum) 1202 result = -EINVAL; 1203 else 1204 entry->flags |= uid_token 1205 ? IMA_UID : IMA_EUID; 1206 } 1207 break; 1208 case Opt_fowner_gt: 1209 entry->fowner_op = &uid_gt; 1210 /* fall through */ 1211 case Opt_fowner_lt: 1212 if (token == Opt_fowner_lt) 1213 entry->fowner_op = &uid_lt; 1214 /* fall through */ 1215 case Opt_fowner_eq: 1216 ima_log_string_op(ab, "fowner", args[0].from, 1217 entry->fowner_op); 1218 1219 if (uid_valid(entry->fowner)) { 1220 result = -EINVAL; 1221 break; 1222 } 1223 1224 result = kstrtoul(args[0].from, 10, &lnum); 1225 if (!result) { 1226 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1227 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1228 result = -EINVAL; 1229 else 1230 entry->flags |= IMA_FOWNER; 1231 } 1232 break; 1233 case Opt_obj_user: 1234 ima_log_string(ab, "obj_user", args[0].from); 1235 result = ima_lsm_rule_init(entry, args, 1236 LSM_OBJ_USER, 1237 AUDIT_OBJ_USER); 1238 break; 1239 case Opt_obj_role: 1240 ima_log_string(ab, "obj_role", args[0].from); 1241 result = ima_lsm_rule_init(entry, args, 1242 LSM_OBJ_ROLE, 1243 AUDIT_OBJ_ROLE); 1244 break; 1245 case Opt_obj_type: 1246 ima_log_string(ab, "obj_type", args[0].from); 1247 result = ima_lsm_rule_init(entry, args, 1248 LSM_OBJ_TYPE, 1249 AUDIT_OBJ_TYPE); 1250 break; 1251 case Opt_subj_user: 1252 ima_log_string(ab, "subj_user", args[0].from); 1253 result = ima_lsm_rule_init(entry, args, 1254 LSM_SUBJ_USER, 1255 AUDIT_SUBJ_USER); 1256 break; 1257 case Opt_subj_role: 1258 ima_log_string(ab, "subj_role", args[0].from); 1259 result = ima_lsm_rule_init(entry, args, 1260 LSM_SUBJ_ROLE, 1261 AUDIT_SUBJ_ROLE); 1262 break; 1263 case Opt_subj_type: 1264 ima_log_string(ab, "subj_type", args[0].from); 1265 result = ima_lsm_rule_init(entry, args, 1266 LSM_SUBJ_TYPE, 1267 AUDIT_SUBJ_TYPE); 1268 break; 1269 case Opt_appraise_type: 1270 if (entry->action != APPRAISE) { 1271 result = -EINVAL; 1272 break; 1273 } 1274 1275 ima_log_string(ab, "appraise_type", args[0].from); 1276 if ((strcmp(args[0].from, "imasig")) == 0) 1277 entry->flags |= IMA_DIGSIG_REQUIRED; 1278 else if (ima_hook_supports_modsig(entry->func) && 1279 strcmp(args[0].from, "imasig|modsig") == 0) 1280 entry->flags |= IMA_DIGSIG_REQUIRED | 1281 IMA_MODSIG_ALLOWED; 1282 else 1283 result = -EINVAL; 1284 break; 1285 case Opt_appraise_flag: 1286 ima_log_string(ab, "appraise_flag", args[0].from); 1287 if (strstr(args[0].from, "blacklist")) 1288 entry->flags |= IMA_CHECK_BLACKLIST; 1289 break; 1290 case Opt_permit_directio: 1291 entry->flags |= IMA_PERMIT_DIRECTIO; 1292 break; 1293 case Opt_pcr: 1294 if (entry->action != MEASURE) { 1295 result = -EINVAL; 1296 break; 1297 } 1298 ima_log_string(ab, "pcr", args[0].from); 1299 1300 result = kstrtoint(args[0].from, 10, &entry->pcr); 1301 if (result || INVALID_PCR(entry->pcr)) 1302 result = -EINVAL; 1303 else 1304 entry->flags |= IMA_PCR; 1305 1306 break; 1307 case Opt_template: 1308 ima_log_string(ab, "template", args[0].from); 1309 if (entry->action != MEASURE) { 1310 result = -EINVAL; 1311 break; 1312 } 1313 template_desc = lookup_template_desc(args[0].from); 1314 if (!template_desc || entry->template) { 1315 result = -EINVAL; 1316 break; 1317 } 1318 1319 /* 1320 * template_desc_init_fields() does nothing if 1321 * the template is already initialised, so 1322 * it's safe to do this unconditionally 1323 */ 1324 template_desc_init_fields(template_desc->fmt, 1325 &(template_desc->fields), 1326 &(template_desc->num_fields)); 1327 entry->template = template_desc; 1328 break; 1329 case Opt_err: 1330 ima_log_string(ab, "UNKNOWN", p); 1331 result = -EINVAL; 1332 break; 1333 } 1334 } 1335 if (!result && (entry->action == UNKNOWN)) 1336 result = -EINVAL; 1337 else if (entry->action == APPRAISE) 1338 temp_ima_appraise |= ima_appraise_flag(entry->func); 1339 1340 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1341 template_desc = entry->template ? entry->template : 1342 ima_template_desc_current(); 1343 check_template_modsig(template_desc); 1344 } 1345 1346 audit_log_format(ab, "res=%d", !result); 1347 audit_log_end(ab); 1348 return result; 1349 } 1350 1351 /** 1352 * ima_parse_add_rule - add a rule to ima_policy_rules 1353 * @rule - ima measurement policy rule 1354 * 1355 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1356 * Returns the length of the rule parsed, an error code on failure 1357 */ 1358 ssize_t ima_parse_add_rule(char *rule) 1359 { 1360 static const char op[] = "update_policy"; 1361 char *p; 1362 struct ima_rule_entry *entry; 1363 ssize_t result, len; 1364 int audit_info = 0; 1365 1366 p = strsep(&rule, "\n"); 1367 len = strlen(p) + 1; 1368 p += strspn(p, " \t"); 1369 1370 if (*p == '#' || *p == '\0') 1371 return len; 1372 1373 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1374 if (!entry) { 1375 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1376 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1377 return -ENOMEM; 1378 } 1379 1380 INIT_LIST_HEAD(&entry->list); 1381 1382 result = ima_parse_rule(p, entry); 1383 if (result) { 1384 kfree(entry); 1385 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1386 NULL, op, "invalid-policy", result, 1387 audit_info); 1388 return result; 1389 } 1390 1391 list_add_tail(&entry->list, &ima_temp_rules); 1392 1393 return len; 1394 } 1395 1396 /** 1397 * ima_delete_rules() called to cleanup invalid in-flight policy. 1398 * We don't need locking as we operate on the temp list, which is 1399 * different from the active one. There is also only one user of 1400 * ima_delete_rules() at a time. 1401 */ 1402 void ima_delete_rules(void) 1403 { 1404 struct ima_rule_entry *entry, *tmp; 1405 int i; 1406 1407 temp_ima_appraise = 0; 1408 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1409 for (i = 0; i < MAX_LSM_RULES; i++) 1410 kfree(entry->lsm[i].args_p); 1411 1412 list_del(&entry->list); 1413 kfree(entry); 1414 } 1415 } 1416 1417 #define __ima_hook_stringify(str) (#str), 1418 1419 const char *const func_tokens[] = { 1420 __ima_hooks(__ima_hook_stringify) 1421 }; 1422 1423 #ifdef CONFIG_IMA_READ_POLICY 1424 enum { 1425 mask_exec = 0, mask_write, mask_read, mask_append 1426 }; 1427 1428 static const char *const mask_tokens[] = { 1429 "^MAY_EXEC", 1430 "^MAY_WRITE", 1431 "^MAY_READ", 1432 "^MAY_APPEND" 1433 }; 1434 1435 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1436 { 1437 loff_t l = *pos; 1438 struct ima_rule_entry *entry; 1439 1440 rcu_read_lock(); 1441 list_for_each_entry_rcu(entry, ima_rules, list) { 1442 if (!l--) { 1443 rcu_read_unlock(); 1444 return entry; 1445 } 1446 } 1447 rcu_read_unlock(); 1448 return NULL; 1449 } 1450 1451 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1452 { 1453 struct ima_rule_entry *entry = v; 1454 1455 rcu_read_lock(); 1456 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1457 rcu_read_unlock(); 1458 (*pos)++; 1459 1460 return (&entry->list == ima_rules) ? NULL : entry; 1461 } 1462 1463 void ima_policy_stop(struct seq_file *m, void *v) 1464 { 1465 } 1466 1467 #define pt(token) policy_tokens[token].pattern 1468 #define mt(token) mask_tokens[token] 1469 1470 /* 1471 * policy_func_show - display the ima_hooks policy rule 1472 */ 1473 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1474 { 1475 if (func > 0 && func < MAX_CHECK) 1476 seq_printf(m, "func=%s ", func_tokens[func]); 1477 else 1478 seq_printf(m, "func=%d ", func); 1479 } 1480 1481 int ima_policy_show(struct seq_file *m, void *v) 1482 { 1483 struct ima_rule_entry *entry = v; 1484 int i; 1485 char tbuf[64] = {0,}; 1486 int offset = 0; 1487 1488 rcu_read_lock(); 1489 1490 if (entry->action & MEASURE) 1491 seq_puts(m, pt(Opt_measure)); 1492 if (entry->action & DONT_MEASURE) 1493 seq_puts(m, pt(Opt_dont_measure)); 1494 if (entry->action & APPRAISE) 1495 seq_puts(m, pt(Opt_appraise)); 1496 if (entry->action & DONT_APPRAISE) 1497 seq_puts(m, pt(Opt_dont_appraise)); 1498 if (entry->action & AUDIT) 1499 seq_puts(m, pt(Opt_audit)); 1500 if (entry->action & HASH) 1501 seq_puts(m, pt(Opt_hash)); 1502 if (entry->action & DONT_HASH) 1503 seq_puts(m, pt(Opt_dont_hash)); 1504 1505 seq_puts(m, " "); 1506 1507 if (entry->flags & IMA_FUNC) 1508 policy_func_show(m, entry->func); 1509 1510 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1511 if (entry->flags & IMA_MASK) 1512 offset = 1; 1513 if (entry->mask & MAY_EXEC) 1514 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1515 if (entry->mask & MAY_WRITE) 1516 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1517 if (entry->mask & MAY_READ) 1518 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1519 if (entry->mask & MAY_APPEND) 1520 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1521 seq_puts(m, " "); 1522 } 1523 1524 if (entry->flags & IMA_FSMAGIC) { 1525 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1526 seq_printf(m, pt(Opt_fsmagic), tbuf); 1527 seq_puts(m, " "); 1528 } 1529 1530 if (entry->flags & IMA_FSNAME) { 1531 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1532 seq_printf(m, pt(Opt_fsname), tbuf); 1533 seq_puts(m, " "); 1534 } 1535 1536 if (entry->flags & IMA_KEYRINGS) { 1537 if (entry->keyrings != NULL) 1538 snprintf(tbuf, sizeof(tbuf), "%s", entry->keyrings); 1539 seq_printf(m, pt(Opt_keyrings), tbuf); 1540 seq_puts(m, " "); 1541 } 1542 1543 if (entry->flags & IMA_PCR) { 1544 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1545 seq_printf(m, pt(Opt_pcr), tbuf); 1546 seq_puts(m, " "); 1547 } 1548 1549 if (entry->flags & IMA_FSUUID) { 1550 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1551 seq_puts(m, " "); 1552 } 1553 1554 if (entry->flags & IMA_UID) { 1555 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1556 if (entry->uid_op == &uid_gt) 1557 seq_printf(m, pt(Opt_uid_gt), tbuf); 1558 else if (entry->uid_op == &uid_lt) 1559 seq_printf(m, pt(Opt_uid_lt), tbuf); 1560 else 1561 seq_printf(m, pt(Opt_uid_eq), tbuf); 1562 seq_puts(m, " "); 1563 } 1564 1565 if (entry->flags & IMA_EUID) { 1566 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1567 if (entry->uid_op == &uid_gt) 1568 seq_printf(m, pt(Opt_euid_gt), tbuf); 1569 else if (entry->uid_op == &uid_lt) 1570 seq_printf(m, pt(Opt_euid_lt), tbuf); 1571 else 1572 seq_printf(m, pt(Opt_euid_eq), tbuf); 1573 seq_puts(m, " "); 1574 } 1575 1576 if (entry->flags & IMA_FOWNER) { 1577 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1578 if (entry->fowner_op == &uid_gt) 1579 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1580 else if (entry->fowner_op == &uid_lt) 1581 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1582 else 1583 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1584 seq_puts(m, " "); 1585 } 1586 1587 for (i = 0; i < MAX_LSM_RULES; i++) { 1588 if (entry->lsm[i].rule) { 1589 switch (i) { 1590 case LSM_OBJ_USER: 1591 seq_printf(m, pt(Opt_obj_user), 1592 (char *)entry->lsm[i].args_p); 1593 break; 1594 case LSM_OBJ_ROLE: 1595 seq_printf(m, pt(Opt_obj_role), 1596 (char *)entry->lsm[i].args_p); 1597 break; 1598 case LSM_OBJ_TYPE: 1599 seq_printf(m, pt(Opt_obj_type), 1600 (char *)entry->lsm[i].args_p); 1601 break; 1602 case LSM_SUBJ_USER: 1603 seq_printf(m, pt(Opt_subj_user), 1604 (char *)entry->lsm[i].args_p); 1605 break; 1606 case LSM_SUBJ_ROLE: 1607 seq_printf(m, pt(Opt_subj_role), 1608 (char *)entry->lsm[i].args_p); 1609 break; 1610 case LSM_SUBJ_TYPE: 1611 seq_printf(m, pt(Opt_subj_type), 1612 (char *)entry->lsm[i].args_p); 1613 break; 1614 } 1615 seq_puts(m, " "); 1616 } 1617 } 1618 if (entry->template) 1619 seq_printf(m, "template=%s ", entry->template->name); 1620 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1621 if (entry->flags & IMA_MODSIG_ALLOWED) 1622 seq_puts(m, "appraise_type=imasig|modsig "); 1623 else 1624 seq_puts(m, "appraise_type=imasig "); 1625 } 1626 if (entry->flags & IMA_CHECK_BLACKLIST) 1627 seq_puts(m, "appraise_flag=check_blacklist "); 1628 if (entry->flags & IMA_PERMIT_DIRECTIO) 1629 seq_puts(m, "permit_directio "); 1630 rcu_read_unlock(); 1631 seq_puts(m, "\n"); 1632 return 0; 1633 } 1634 #endif /* CONFIG_IMA_READ_POLICY */ 1635 1636 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1637 /* 1638 * ima_appraise_signature: whether IMA will appraise a given function using 1639 * an IMA digital signature. This is restricted to cases where the kernel 1640 * has a set of built-in trusted keys in order to avoid an attacker simply 1641 * loading additional keys. 1642 */ 1643 bool ima_appraise_signature(enum kernel_read_file_id id) 1644 { 1645 struct ima_rule_entry *entry; 1646 bool found = false; 1647 enum ima_hooks func; 1648 1649 if (id >= READING_MAX_ID) 1650 return false; 1651 1652 func = read_idmap[id] ?: FILE_CHECK; 1653 1654 rcu_read_lock(); 1655 list_for_each_entry_rcu(entry, ima_rules, list) { 1656 if (entry->action != APPRAISE) 1657 continue; 1658 1659 /* 1660 * A generic entry will match, but otherwise require that it 1661 * match the func we're looking for 1662 */ 1663 if (entry->func && entry->func != func) 1664 continue; 1665 1666 /* 1667 * We require this to be a digital signature, not a raw IMA 1668 * hash. 1669 */ 1670 if (entry->flags & IMA_DIGSIG_REQUIRED) 1671 found = true; 1672 1673 /* 1674 * We've found a rule that matches, so break now even if it 1675 * didn't require a digital signature - a later rule that does 1676 * won't override it, so would be a false positive. 1677 */ 1678 break; 1679 } 1680 1681 rcu_read_unlock(); 1682 return found; 1683 } 1684 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1685