ima_policy.c (754451342fc5954061ede74b0a8485ec4a4c6eaa) | ima_policy.c (53b626f9038ee357a2183a6994c11fd9dfb3f94d) |
1/* 2 * Copyright (C) 2008 IBM Corporation 3 * Author: Mimi Zohar <zohar@us.ibm.com> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License as published by 7 * the Free Software Foundation, version 2 of the License. 8 * --- 19 unchanged lines hidden (view full) --- 28#define IMA_MASK 0x0002 29#define IMA_FSMAGIC 0x0004 30#define IMA_UID 0x0008 31#define IMA_FOWNER 0x0010 32#define IMA_FSUUID 0x0020 33#define IMA_INMASK 0x0040 34#define IMA_EUID 0x0080 35#define IMA_PCR 0x0100 | 1/* 2 * Copyright (C) 2008 IBM Corporation 3 * Author: Mimi Zohar <zohar@us.ibm.com> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License as published by 7 * the Free Software Foundation, version 2 of the License. 8 * --- 19 unchanged lines hidden (view full) --- 28#define IMA_MASK 0x0002 29#define IMA_FSMAGIC 0x0004 30#define IMA_UID 0x0008 31#define IMA_FOWNER 0x0010 32#define IMA_FSUUID 0x0020 33#define IMA_INMASK 0x0040 34#define IMA_EUID 0x0080 35#define IMA_PCR 0x0100 |
36#define IMA_FSNAME 0x0200 |
|
36 37#define UNKNOWN 0 38#define MEASURE 0x0001 /* same as IMA_MEASURE */ 39#define DONT_MEASURE 0x0002 40#define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 41#define DONT_APPRAISE 0x0008 42#define AUDIT 0x0040 43#define HASH 0x0100 --- 25 unchanged lines hidden (view full) --- 69 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 70 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 71 int pcr; 72 struct { 73 void *rule; /* LSM file metadata specific */ 74 void *args_p; /* audit value */ 75 int type; /* audit type */ 76 } lsm[MAX_LSM_RULES]; | 37 38#define UNKNOWN 0 39#define MEASURE 0x0001 /* same as IMA_MEASURE */ 40#define DONT_MEASURE 0x0002 41#define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 42#define DONT_APPRAISE 0x0008 43#define AUDIT 0x0040 44#define HASH 0x0100 --- 25 unchanged lines hidden (view full) --- 70 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 71 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 72 int pcr; 73 struct { 74 void *rule; /* LSM file metadata specific */ 75 void *args_p; /* audit value */ 76 int type; /* audit type */ 77 } lsm[MAX_LSM_RULES]; |
78 char *fsname; |
|
77}; 78 79/* 80 * Without LSM specific knowledge, the default policy can only be 81 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 82 */ 83 84/* --- 183 unchanged lines hidden (view full) --- 268 (rule->mask != mask && func != POST_SETATTR)) 269 return false; 270 if ((rule->flags & IMA_INMASK) && 271 (!(rule->mask & mask) && func != POST_SETATTR)) 272 return false; 273 if ((rule->flags & IMA_FSMAGIC) 274 && rule->fsmagic != inode->i_sb->s_magic) 275 return false; | 79}; 80 81/* 82 * Without LSM specific knowledge, the default policy can only be 83 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 84 */ 85 86/* --- 183 unchanged lines hidden (view full) --- 270 (rule->mask != mask && func != POST_SETATTR)) 271 return false; 272 if ((rule->flags & IMA_INMASK) && 273 (!(rule->mask & mask) && func != POST_SETATTR)) 274 return false; 275 if ((rule->flags & IMA_FSMAGIC) 276 && rule->fsmagic != inode->i_sb->s_magic) 277 return false; |
278 if ((rule->flags & IMA_FSNAME) 279 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 280 return false; |
|
276 if ((rule->flags & IMA_FSUUID) && 277 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 278 return false; 279 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 280 return false; 281 if (rule->flags & IMA_EUID) { 282 if (has_capability_noaudit(current, CAP_SETUID)) { 283 if (!rule->uid_op(cred->euid, rule->uid) --- 146 unchanged lines hidden (view full) --- 430 ima_policy_flag |= entry->action; 431 } 432 433 ima_appraise |= temp_ima_appraise; 434 if (!ima_appraise) 435 ima_policy_flag &= ~IMA_APPRAISE; 436} 437 | 281 if ((rule->flags & IMA_FSUUID) && 282 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 283 return false; 284 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 285 return false; 286 if (rule->flags & IMA_EUID) { 287 if (has_capability_noaudit(current, CAP_SETUID)) { 288 if (!rule->uid_op(cred->euid, rule->uid) --- 146 unchanged lines hidden (view full) --- 435 ima_policy_flag |= entry->action; 436 } 437 438 ima_appraise |= temp_ima_appraise; 439 if (!ima_appraise) 440 ima_policy_flag &= ~IMA_APPRAISE; 441} 442 |
443static int ima_appraise_flag(enum ima_hooks func) 444{ 445 if (func == MODULE_CHECK) 446 return IMA_APPRAISE_MODULES; 447 else if (func == FIRMWARE_CHECK) 448 return IMA_APPRAISE_FIRMWARE; 449 else if (func == POLICY_CHECK) 450 return IMA_APPRAISE_POLICY; 451 return 0; 452} 453 |
|
438/** 439 * ima_init_policy - initialize the default measure rules. 440 * 441 * ima_rules points to either the ima_default_rules or the 442 * the new ima_policy_rules. 443 */ 444void __init ima_init_policy(void) 445{ --- 22 unchanged lines hidden (view full) --- 468 default: 469 break; 470 } 471 472 /* 473 * Insert the appraise rules requiring file signatures, prior to 474 * any other appraise rules. 475 */ | 454/** 455 * ima_init_policy - initialize the default measure rules. 456 * 457 * ima_rules points to either the ima_default_rules or the 458 * the new ima_policy_rules. 459 */ 460void __init ima_init_policy(void) 461{ --- 22 unchanged lines hidden (view full) --- 484 default: 485 break; 486 } 487 488 /* 489 * Insert the appraise rules requiring file signatures, prior to 490 * any other appraise rules. 491 */ |
476 for (i = 0; i < secure_boot_entries; i++) 477 list_add_tail(&secure_boot_rules[i].list, 478 &ima_default_rules); | 492 for (i = 0; i < secure_boot_entries; i++) { 493 list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); 494 temp_ima_appraise |= 495 ima_appraise_flag(secure_boot_rules[i].func); 496 } |
479 480 for (i = 0; i < appraise_entries; i++) { 481 list_add_tail(&default_appraise_rules[i].list, 482 &ima_default_rules); 483 if (default_appraise_rules[i].func == POLICY_CHECK) 484 temp_ima_appraise |= IMA_APPRAISE_POLICY; 485 } 486 --- 17 unchanged lines hidden (view full) --- 504 * they make a queue. The policy may be updated multiple times and this is the 505 * RCU updater. 506 * 507 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 508 * we switch from the default policy to user defined. 509 */ 510void ima_update_policy(void) 511{ | 497 498 for (i = 0; i < appraise_entries; i++) { 499 list_add_tail(&default_appraise_rules[i].list, 500 &ima_default_rules); 501 if (default_appraise_rules[i].func == POLICY_CHECK) 502 temp_ima_appraise |= IMA_APPRAISE_POLICY; 503 } 504 --- 17 unchanged lines hidden (view full) --- 522 * they make a queue. The policy may be updated multiple times and this is the 523 * RCU updater. 524 * 525 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 526 * we switch from the default policy to user defined. 527 */ 528void ima_update_policy(void) 529{ |
512 struct list_head *first, *last, *policy; | 530 struct list_head *policy = &ima_policy_rules; |
513 | 531 |
514 /* append current policy with the new rules */ 515 first = (&ima_temp_rules)->next; 516 last = (&ima_temp_rules)->prev; 517 policy = &ima_policy_rules; | 532 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); |
518 | 533 |
519 synchronize_rcu(); 520 521 last->next = policy; 522 rcu_assign_pointer(list_next_rcu(policy->prev), first); 523 first->prev = policy->prev; 524 policy->prev = last; 525 526 /* prepare for the next policy rules addition */ 527 INIT_LIST_HEAD(&ima_temp_rules); 528 | |
529 if (ima_rules != policy) { 530 ima_policy_flag = 0; 531 ima_rules = policy; 532 } 533 ima_update_policy_flag(); 534} 535 536enum { 537 Opt_err = -1, 538 Opt_measure = 1, Opt_dont_measure, 539 Opt_appraise, Opt_dont_appraise, 540 Opt_audit, Opt_hash, Opt_dont_hash, 541 Opt_obj_user, Opt_obj_role, Opt_obj_type, 542 Opt_subj_user, Opt_subj_role, Opt_subj_type, | 534 if (ima_rules != policy) { 535 ima_policy_flag = 0; 536 ima_rules = policy; 537 } 538 ima_update_policy_flag(); 539} 540 541enum { 542 Opt_err = -1, 543 Opt_measure = 1, Opt_dont_measure, 544 Opt_appraise, Opt_dont_appraise, 545 Opt_audit, Opt_hash, Opt_dont_hash, 546 Opt_obj_user, Opt_obj_role, Opt_obj_type, 547 Opt_subj_user, Opt_subj_role, Opt_subj_type, |
543 Opt_func, Opt_mask, Opt_fsmagic, | 548 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, |
544 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 545 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 546 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 547 Opt_appraise_type, Opt_permit_directio, 548 Opt_pcr 549}; 550 551static match_table_t policy_tokens = { --- 8 unchanged lines hidden (view full) --- 560 {Opt_obj_role, "obj_role=%s"}, 561 {Opt_obj_type, "obj_type=%s"}, 562 {Opt_subj_user, "subj_user=%s"}, 563 {Opt_subj_role, "subj_role=%s"}, 564 {Opt_subj_type, "subj_type=%s"}, 565 {Opt_func, "func=%s"}, 566 {Opt_mask, "mask=%s"}, 567 {Opt_fsmagic, "fsmagic=%s"}, | 549 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 550 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 551 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 552 Opt_appraise_type, Opt_permit_directio, 553 Opt_pcr 554}; 555 556static match_table_t policy_tokens = { --- 8 unchanged lines hidden (view full) --- 565 {Opt_obj_role, "obj_role=%s"}, 566 {Opt_obj_type, "obj_type=%s"}, 567 {Opt_subj_user, "subj_user=%s"}, 568 {Opt_subj_role, "subj_role=%s"}, 569 {Opt_subj_type, "subj_type=%s"}, 570 {Opt_func, "func=%s"}, 571 {Opt_mask, "mask=%s"}, 572 {Opt_fsmagic, "fsmagic=%s"}, |
573 {Opt_fsname, "fsname=%s"}, |
|
568 {Opt_fsuuid, "fsuuid=%s"}, 569 {Opt_uid_eq, "uid=%s"}, 570 {Opt_euid_eq, "euid=%s"}, 571 {Opt_fowner_eq, "fowner=%s"}, 572 {Opt_uid_gt, "uid>%s"}, 573 {Opt_euid_gt, "euid>%s"}, 574 {Opt_fowner_gt, "fowner>%s"}, 575 {Opt_uid_lt, "uid<%s"}, --- 195 unchanged lines hidden (view full) --- 771 result = -EINVAL; 772 break; 773 } 774 775 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 776 if (!result) 777 entry->flags |= IMA_FSMAGIC; 778 break; | 574 {Opt_fsuuid, "fsuuid=%s"}, 575 {Opt_uid_eq, "uid=%s"}, 576 {Opt_euid_eq, "euid=%s"}, 577 {Opt_fowner_eq, "fowner=%s"}, 578 {Opt_uid_gt, "uid>%s"}, 579 {Opt_euid_gt, "euid>%s"}, 580 {Opt_fowner_gt, "fowner>%s"}, 581 {Opt_uid_lt, "uid<%s"}, --- 195 unchanged lines hidden (view full) --- 777 result = -EINVAL; 778 break; 779 } 780 781 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 782 if (!result) 783 entry->flags |= IMA_FSMAGIC; 784 break; |
785 case Opt_fsname: 786 ima_log_string(ab, "fsname", args[0].from); 787 788 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 789 if (!entry->fsname) { 790 result = -ENOMEM; 791 break; 792 } 793 result = 0; 794 entry->flags |= IMA_FSNAME; 795 break; |
|
779 case Opt_fsuuid: 780 ima_log_string(ab, "fsuuid", args[0].from); 781 782 if (!uuid_is_null(&entry->fsuuid)) { 783 result = -EINVAL; 784 break; 785 } 786 --- 125 unchanged lines hidden (view full) --- 912 case Opt_err: 913 ima_log_string(ab, "UNKNOWN", p); 914 result = -EINVAL; 915 break; 916 } 917 } 918 if (!result && (entry->action == UNKNOWN)) 919 result = -EINVAL; | 796 case Opt_fsuuid: 797 ima_log_string(ab, "fsuuid", args[0].from); 798 799 if (!uuid_is_null(&entry->fsuuid)) { 800 result = -EINVAL; 801 break; 802 } 803 --- 125 unchanged lines hidden (view full) --- 929 case Opt_err: 930 ima_log_string(ab, "UNKNOWN", p); 931 result = -EINVAL; 932 break; 933 } 934 } 935 if (!result && (entry->action == UNKNOWN)) 936 result = -EINVAL; |
920 else if (entry->func == MODULE_CHECK) 921 temp_ima_appraise |= IMA_APPRAISE_MODULES; 922 else if (entry->func == FIRMWARE_CHECK) 923 temp_ima_appraise |= IMA_APPRAISE_FIRMWARE; 924 else if (entry->func == POLICY_CHECK) 925 temp_ima_appraise |= IMA_APPRAISE_POLICY; | 937 else if (entry->action == APPRAISE) 938 temp_ima_appraise |= ima_appraise_flag(entry->func); 939 |
926 audit_log_format(ab, "res=%d", !result); 927 audit_log_end(ab); 928 return result; 929} 930 931/** 932 * ima_parse_add_rule - add a rule to ima_policy_rules 933 * @rule - ima measurement policy rule --- 165 unchanged lines hidden (view full) --- 1099 } 1100 1101 if (entry->flags & IMA_FSMAGIC) { 1102 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1103 seq_printf(m, pt(Opt_fsmagic), tbuf); 1104 seq_puts(m, " "); 1105 } 1106 | 940 audit_log_format(ab, "res=%d", !result); 941 audit_log_end(ab); 942 return result; 943} 944 945/** 946 * ima_parse_add_rule - add a rule to ima_policy_rules 947 * @rule - ima measurement policy rule --- 165 unchanged lines hidden (view full) --- 1113 } 1114 1115 if (entry->flags & IMA_FSMAGIC) { 1116 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1117 seq_printf(m, pt(Opt_fsmagic), tbuf); 1118 seq_puts(m, " "); 1119 } 1120 |
1121 if (entry->flags & IMA_FSNAME) { 1122 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1123 seq_printf(m, pt(Opt_fsname), tbuf); 1124 seq_puts(m, " "); 1125 } 1126 |
|
1107 if (entry->flags & IMA_PCR) { 1108 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1109 seq_printf(m, pt(Opt_pcr), tbuf); 1110 seq_puts(m, " "); 1111 } 1112 1113 if (entry->flags & IMA_FSUUID) { 1114 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); --- 75 unchanged lines hidden --- | 1127 if (entry->flags & IMA_PCR) { 1128 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1129 seq_printf(m, pt(Opt_pcr), tbuf); 1130 seq_puts(m, " "); 1131 } 1132 1133 if (entry->flags & IMA_FSUUID) { 1134 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); --- 75 unchanged lines hidden --- |
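Review bot: The Opt_fsname case at new lines 785–795 accepts a repeated `fsname=` option: the Opt_fsuuid case right after it rejects a second occurrence with -EINVAL, but here a second kstrdup() simply overwrites entry->fsname and leaks the first string. A guard before the allocation, mirroring the neighbouring cases, closes that: `if (entry->fsname) { result = -EINVAL; break; }`. Since fsname is the first heap-allocated non-LSM field in ima_rule_entry, the parse-failure and rule-freeing paths (outside the visible lines) presumably need a matching kfree(entry->fsname) — worth confirming. The start of the enclosing parser (ima_parse_rule) lies outside the visible lines. Separately, the display code at new lines 1121–1125 copies the name through tbuf with snprintf(), which can silently truncate a long filesystem type name; passing entry->fsname directly to seq_printf() avoids that.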