xref: /linux/security/integrity/ima/ima_policy.c (revision 172cdcaefea5c297fdb3d20b7d5aff60ae4fbce6)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2008 IBM Corporation
4  * Author: Mimi Zohar <zohar@us.ibm.com>
5  *
6  * ima_policy.c
7  *	- initialize default measure policy rules
8  */
9 
10 #include <linux/init.h>
11 #include <linux/list.h>
12 #include <linux/kernel_read_file.h>
13 #include <linux/fs.h>
14 #include <linux/security.h>
15 #include <linux/magic.h>
16 #include <linux/parser.h>
17 #include <linux/slab.h>
18 #include <linux/rculist.h>
19 #include <linux/genhd.h>
20 #include <linux/seq_file.h>
21 #include <linux/ima.h>
22 
23 #include "ima.h"
24 
25 /* flags definitions */
26 #define IMA_FUNC	0x0001
27 #define IMA_MASK	0x0002
28 #define IMA_FSMAGIC	0x0004
29 #define IMA_UID		0x0008
30 #define IMA_FOWNER	0x0010
31 #define IMA_FSUUID	0x0020
32 #define IMA_INMASK	0x0040
33 #define IMA_EUID	0x0080
34 #define IMA_PCR		0x0100
35 #define IMA_FSNAME	0x0200
36 #define IMA_KEYRINGS	0x0400
37 #define IMA_LABEL	0x0800
38 
39 #define UNKNOWN		0
40 #define MEASURE		0x0001	/* same as IMA_MEASURE */
41 #define DONT_MEASURE	0x0002
42 #define APPRAISE	0x0004	/* same as IMA_APPRAISE */
43 #define DONT_APPRAISE	0x0008
44 #define AUDIT		0x0040
45 #define HASH		0x0100
46 #define DONT_HASH	0x0200
47 
48 #define INVALID_PCR(a) (((a) < 0) || \
49 	(a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8))
50 
51 int ima_policy_flag;
52 static int temp_ima_appraise;
53 static int build_ima_appraise __ro_after_init;
54 
55 #define MAX_LSM_RULES 6
56 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
57 	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
58 };
59 
60 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
61 
62 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
63 
64 struct ima_rule_opt_list {
65 	size_t count;
66 	char *items[];
67 };
68 
69 struct ima_rule_entry {
70 	struct list_head list;
71 	int action;
72 	unsigned int flags;
73 	enum ima_hooks func;
74 	int mask;
75 	unsigned long fsmagic;
76 	uuid_t fsuuid;
77 	kuid_t uid;
78 	kuid_t fowner;
79 	bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
80 	bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
81 	int pcr;
82 	struct {
83 		void *rule;	/* LSM file metadata specific */
84 		char *args_p;	/* audit value */
85 		int type;	/* audit type */
86 	} lsm[MAX_LSM_RULES];
87 	char *fsname;
88 	struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
89 	struct ima_rule_opt_list *label; /* Measure data grouped under this label */
90 	struct ima_template_desc *template;
91 };
92 
93 /*
94  * Without LSM specific knowledge, the default policy can only be
95  * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
96  */
97 
98 /*
99  * The minimum rule set to allow for full TCB coverage.  Measures all files
100  * opened or mmap for exec and everything read by root.  Dangerous because
101  * normal users can easily run the machine out of memory simply building
102  * and running executables.
103  */
104 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
105 	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
106 	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
107 	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
108 	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
109 	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
110 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
111 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
112 	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
113 	{.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
114 	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
115 	 .flags = IMA_FSMAGIC},
116 	{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
117 	 .flags = IMA_FSMAGIC},
118 	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
119 	{.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
120 };
121 
122 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
123 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
124 	 .flags = IMA_FUNC | IMA_MASK},
125 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
126 	 .flags = IMA_FUNC | IMA_MASK},
127 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
128 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
129 	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
130 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
131 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
132 };
133 
134 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
135 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
136 	 .flags = IMA_FUNC | IMA_MASK},
137 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
138 	 .flags = IMA_FUNC | IMA_MASK},
139 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
140 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
141 	 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
142 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
143 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
144 	 .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
145 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
146 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
147 	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
148 };
149 
150 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
151 	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
152 	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
153 	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
154 	{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
155 	{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
156 	{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
157 	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
158 	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
159 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
160 	{.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
161 	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
162 	{.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
163 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
164 	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
165 #ifdef CONFIG_IMA_WRITE_POLICY
166 	{.action = APPRAISE, .func = POLICY_CHECK,
167 	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
168 #endif
169 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
170 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
171 	 .flags = IMA_FOWNER},
172 #else
173 	/* force signature */
174 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
175 	 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
176 #endif
177 };
178 
179 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
181 	{.action = APPRAISE, .func = MODULE_CHECK,
182 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
183 #endif
184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
185 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
186 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
187 #endif
188 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
189 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
190 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
191 #endif
192 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
193 	{.action = APPRAISE, .func = POLICY_CHECK,
194 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
195 #endif
196 };
197 
198 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
199 	{.action = APPRAISE, .func = MODULE_CHECK,
200 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
201 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
202 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
203 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
204 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
205 	{.action = APPRAISE, .func = POLICY_CHECK,
206 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
207 };
208 
209 static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
210 	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
211 };
212 
213 /* An array of architecture specific rules */
214 static struct ima_rule_entry *arch_policy_entry __ro_after_init;
215 
216 static LIST_HEAD(ima_default_rules);
217 static LIST_HEAD(ima_policy_rules);
218 static LIST_HEAD(ima_temp_rules);
219 static struct list_head *ima_rules = &ima_default_rules;
220 
221 static int ima_policy __initdata;
222 
223 static int __init default_measure_policy_setup(char *str)
224 {
225 	if (ima_policy)
226 		return 1;
227 
228 	ima_policy = ORIGINAL_TCB;
229 	return 1;
230 }
231 __setup("ima_tcb", default_measure_policy_setup);
232 
233 static bool ima_use_appraise_tcb __initdata;
234 static bool ima_use_secure_boot __initdata;
235 static bool ima_use_critical_data __initdata;
236 static bool ima_fail_unverifiable_sigs __ro_after_init;
237 static int __init policy_setup(char *str)
238 {
239 	char *p;
240 
241 	while ((p = strsep(&str, " |\n")) != NULL) {
242 		if (*p == ' ')
243 			continue;
244 		if ((strcmp(p, "tcb") == 0) && !ima_policy)
245 			ima_policy = DEFAULT_TCB;
246 		else if (strcmp(p, "appraise_tcb") == 0)
247 			ima_use_appraise_tcb = true;
248 		else if (strcmp(p, "secure_boot") == 0)
249 			ima_use_secure_boot = true;
250 		else if (strcmp(p, "critical_data") == 0)
251 			ima_use_critical_data = true;
252 		else if (strcmp(p, "fail_securely") == 0)
253 			ima_fail_unverifiable_sigs = true;
254 		else
255 			pr_err("policy \"%s\" not found", p);
256 	}
257 
258 	return 1;
259 }
260 __setup("ima_policy=", policy_setup);
261 
262 static int __init default_appraise_policy_setup(char *str)
263 {
264 	ima_use_appraise_tcb = true;
265 	return 1;
266 }
267 __setup("ima_appraise_tcb", default_appraise_policy_setup);
268 
269 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src)
270 {
271 	struct ima_rule_opt_list *opt_list;
272 	size_t count = 0;
273 	char *src_copy;
274 	char *cur, *next;
275 	size_t i;
276 
277 	src_copy = match_strdup(src);
278 	if (!src_copy)
279 		return ERR_PTR(-ENOMEM);
280 
281 	next = src_copy;
282 	while ((cur = strsep(&next, "|"))) {
283 		/* Don't accept an empty list item */
284 		if (!(*cur)) {
285 			kfree(src_copy);
286 			return ERR_PTR(-EINVAL);
287 		}
288 		count++;
289 	}
290 
291 	/* Don't accept an empty list */
292 	if (!count) {
293 		kfree(src_copy);
294 		return ERR_PTR(-EINVAL);
295 	}
296 
297 	opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL);
298 	if (!opt_list) {
299 		kfree(src_copy);
300 		return ERR_PTR(-ENOMEM);
301 	}
302 
303 	/*
304 	 * strsep() has already replaced all instances of '|' with '\0',
305 	 * leaving a byte sequence of NUL-terminated strings. Reference each
306 	 * string with the array of items.
307 	 *
308 	 * IMPORTANT: Ownership of the allocated buffer is transferred from
309 	 * src_copy to the first element in the items array. To free the
310 	 * buffer, kfree() must only be called on the first element of the
311 	 * array.
312 	 */
313 	for (i = 0, cur = src_copy; i < count; i++) {
314 		opt_list->items[i] = cur;
315 		cur = strchr(cur, '\0') + 1;
316 	}
317 	opt_list->count = count;
318 
319 	return opt_list;
320 }
321 
322 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
323 {
324 	if (!opt_list)
325 		return;
326 
327 	if (opt_list->count) {
328 		kfree(opt_list->items[0]);
329 		opt_list->count = 0;
330 	}
331 
332 	kfree(opt_list);
333 }
334 
335 static void ima_lsm_free_rule(struct ima_rule_entry *entry)
336 {
337 	int i;
338 
339 	for (i = 0; i < MAX_LSM_RULES; i++) {
340 		ima_filter_rule_free(entry->lsm[i].rule);
341 		kfree(entry->lsm[i].args_p);
342 	}
343 }
344 
345 static void ima_free_rule(struct ima_rule_entry *entry)
346 {
347 	if (!entry)
348 		return;
349 
350 	/*
351 	 * entry->template->fields may be allocated in ima_parse_rule() but that
352 	 * reference is owned by the corresponding ima_template_desc element in
353 	 * the defined_templates list and cannot be freed here
354 	 */
355 	kfree(entry->fsname);
356 	ima_free_rule_opt_list(entry->keyrings);
357 	ima_lsm_free_rule(entry);
358 	kfree(entry);
359 }
360 
361 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
362 {
363 	struct ima_rule_entry *nentry;
364 	int i;
365 
366 	/*
367 	 * Immutable elements are copied over as pointers and data; only
368 	 * lsm rules can change
369 	 */
370 	nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
371 	if (!nentry)
372 		return NULL;
373 
374 	memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm));
375 
376 	for (i = 0; i < MAX_LSM_RULES; i++) {
377 		if (!entry->lsm[i].args_p)
378 			continue;
379 
380 		nentry->lsm[i].type = entry->lsm[i].type;
381 		nentry->lsm[i].args_p = entry->lsm[i].args_p;
382 		/*
383 		 * Remove the reference from entry so that the associated
384 		 * memory will not be freed during a later call to
385 		 * ima_lsm_free_rule(entry).
386 		 */
387 		entry->lsm[i].args_p = NULL;
388 
389 		ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
390 				     nentry->lsm[i].args_p,
391 				     &nentry->lsm[i].rule);
392 		if (!nentry->lsm[i].rule)
393 			pr_warn("rule for LSM \'%s\' is undefined\n",
394 				nentry->lsm[i].args_p);
395 	}
396 	return nentry;
397 }
398 
399 static int ima_lsm_update_rule(struct ima_rule_entry *entry)
400 {
401 	struct ima_rule_entry *nentry;
402 
403 	nentry = ima_lsm_copy_rule(entry);
404 	if (!nentry)
405 		return -ENOMEM;
406 
407 	list_replace_rcu(&entry->list, &nentry->list);
408 	synchronize_rcu();
409 	/*
410 	 * ima_lsm_copy_rule() shallow copied all references, except for the
411 	 * LSM references, from entry to nentry so we only want to free the LSM
412 	 * references and the entry itself. All other memory refrences will now
413 	 * be owned by nentry.
414 	 */
415 	ima_lsm_free_rule(entry);
416 	kfree(entry);
417 
418 	return 0;
419 }
420 
421 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
422 {
423 	int i;
424 
425 	for (i = 0; i < MAX_LSM_RULES; i++)
426 		if (entry->lsm[i].args_p)
427 			return true;
428 
429 	return false;
430 }
431 
432 /*
433  * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
434  * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
435  * the reloaded LSM policy.
436  */
437 static void ima_lsm_update_rules(void)
438 {
439 	struct ima_rule_entry *entry, *e;
440 	int result;
441 
442 	list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
443 		if (!ima_rule_contains_lsm_cond(entry))
444 			continue;
445 
446 		result = ima_lsm_update_rule(entry);
447 		if (result) {
448 			pr_err("lsm rule update error %d\n", result);
449 			return;
450 		}
451 	}
452 }
453 
454 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
455 			  void *lsm_data)
456 {
457 	if (event != LSM_POLICY_CHANGE)
458 		return NOTIFY_DONE;
459 
460 	ima_lsm_update_rules();
461 	return NOTIFY_OK;
462 }
463 
464 /**
465  * ima_match_rule_data - determine whether func_data matches the policy rule
466  * @rule: a pointer to a rule
467  * @func_data: data to match against the measure rule data
468  * @cred: a pointer to a credentials structure for user validation
469  *
470  * Returns true if func_data matches one in the rule, false otherwise.
471  */
472 static bool ima_match_rule_data(struct ima_rule_entry *rule,
473 				const char *func_data,
474 				const struct cred *cred)
475 {
476 	const struct ima_rule_opt_list *opt_list = NULL;
477 	bool matched = false;
478 	size_t i;
479 
480 	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
481 		return false;
482 
483 	switch (rule->func) {
484 	case KEY_CHECK:
485 		if (!rule->keyrings)
486 			return true;
487 
488 		opt_list = rule->keyrings;
489 		break;
490 	case CRITICAL_DATA:
491 		if (!rule->label)
492 			return true;
493 
494 		opt_list = rule->label;
495 		break;
496 	default:
497 		return false;
498 	}
499 
500 	if (!func_data)
501 		return false;
502 
503 	for (i = 0; i < opt_list->count; i++) {
504 		if (!strcmp(opt_list->items[i], func_data)) {
505 			matched = true;
506 			break;
507 		}
508 	}
509 
510 	return matched;
511 }
512 
513 /**
514  * ima_match_rules - determine whether an inode matches the policy rule.
515  * @rule: a pointer to a rule
516  * @mnt_userns:	user namespace of the mount the inode was found from
517  * @inode: a pointer to an inode
518  * @cred: a pointer to a credentials structure for user validation
519  * @secid: the secid of the task to be validated
520  * @func: LIM hook identifier
521  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
522  * @func_data: func specific data, may be NULL
523  *
524  * Returns true on rule match, false on failure.
525  */
526 static bool ima_match_rules(struct ima_rule_entry *rule,
527 			    struct user_namespace *mnt_userns,
528 			    struct inode *inode, const struct cred *cred,
529 			    u32 secid, enum ima_hooks func, int mask,
530 			    const char *func_data)
531 {
532 	int i;
533 
534 	if ((rule->flags & IMA_FUNC) &&
535 	    (rule->func != func && func != POST_SETATTR))
536 		return false;
537 
538 	switch (func) {
539 	case KEY_CHECK:
540 	case CRITICAL_DATA:
541 		return ((rule->func == func) &&
542 			ima_match_rule_data(rule, func_data, cred));
543 	default:
544 		break;
545 	}
546 
547 	if ((rule->flags & IMA_MASK) &&
548 	    (rule->mask != mask && func != POST_SETATTR))
549 		return false;
550 	if ((rule->flags & IMA_INMASK) &&
551 	    (!(rule->mask & mask) && func != POST_SETATTR))
552 		return false;
553 	if ((rule->flags & IMA_FSMAGIC)
554 	    && rule->fsmagic != inode->i_sb->s_magic)
555 		return false;
556 	if ((rule->flags & IMA_FSNAME)
557 	    && strcmp(rule->fsname, inode->i_sb->s_type->name))
558 		return false;
559 	if ((rule->flags & IMA_FSUUID) &&
560 	    !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
561 		return false;
562 	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
563 		return false;
564 	if (rule->flags & IMA_EUID) {
565 		if (has_capability_noaudit(current, CAP_SETUID)) {
566 			if (!rule->uid_op(cred->euid, rule->uid)
567 			    && !rule->uid_op(cred->suid, rule->uid)
568 			    && !rule->uid_op(cred->uid, rule->uid))
569 				return false;
570 		} else if (!rule->uid_op(cred->euid, rule->uid))
571 			return false;
572 	}
573 
574 	if ((rule->flags & IMA_FOWNER) &&
575 	    !rule->fowner_op(i_uid_into_mnt(mnt_userns, inode), rule->fowner))
576 		return false;
577 	for (i = 0; i < MAX_LSM_RULES; i++) {
578 		int rc = 0;
579 		u32 osid;
580 
581 		if (!rule->lsm[i].rule) {
582 			if (!rule->lsm[i].args_p)
583 				continue;
584 			else
585 				return false;
586 		}
587 		switch (i) {
588 		case LSM_OBJ_USER:
589 		case LSM_OBJ_ROLE:
590 		case LSM_OBJ_TYPE:
591 			security_inode_getsecid(inode, &osid);
592 			rc = ima_filter_rule_match(osid, rule->lsm[i].type,
593 						   Audit_equal,
594 						   rule->lsm[i].rule);
595 			break;
596 		case LSM_SUBJ_USER:
597 		case LSM_SUBJ_ROLE:
598 		case LSM_SUBJ_TYPE:
599 			rc = ima_filter_rule_match(secid, rule->lsm[i].type,
600 						   Audit_equal,
601 						   rule->lsm[i].rule);
602 			break;
603 		default:
604 			break;
605 		}
606 		if (!rc)
607 			return false;
608 	}
609 	return true;
610 }
611 
612 /*
613  * In addition to knowing that we need to appraise the file in general,
614  * we need to differentiate between calling hooks, for hook specific rules.
615  */
616 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
617 {
618 	if (!(rule->flags & IMA_FUNC))
619 		return IMA_FILE_APPRAISE;
620 
621 	switch (func) {
622 	case MMAP_CHECK:
623 		return IMA_MMAP_APPRAISE;
624 	case BPRM_CHECK:
625 		return IMA_BPRM_APPRAISE;
626 	case CREDS_CHECK:
627 		return IMA_CREDS_APPRAISE;
628 	case FILE_CHECK:
629 	case POST_SETATTR:
630 		return IMA_FILE_APPRAISE;
631 	case MODULE_CHECK ... MAX_CHECK - 1:
632 	default:
633 		return IMA_READ_APPRAISE;
634 	}
635 }
636 
637 /**
638  * ima_match_policy - decision based on LSM and other conditions
639  * @mnt_userns:	user namespace of the mount the inode was found from
640  * @inode: pointer to an inode for which the policy decision is being made
641  * @cred: pointer to a credentials structure for which the policy decision is
642  *        being made
643  * @secid: LSM secid of the task to be validated
644  * @func: IMA hook identifier
645  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
646  * @pcr: set the pcr to extend
647  * @template_desc: the template that should be used for this rule
648  * @func_data: func specific data, may be NULL
649  *
650  * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
651  * conditions.
652  *
653  * Since the IMA policy may be updated multiple times we need to lock the
654  * list when walking it.  Reads are many orders of magnitude more numerous
655  * than writes so ima_match_policy() is classical RCU candidate.
656  */
657 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
658 		     const struct cred *cred, u32 secid, enum ima_hooks func,
659 		     int mask, int flags, int *pcr,
660 		     struct ima_template_desc **template_desc,
661 		     const char *func_data)
662 {
663 	struct ima_rule_entry *entry;
664 	int action = 0, actmask = flags | (flags << 1);
665 
666 	if (template_desc && !*template_desc)
667 		*template_desc = ima_template_desc_current();
668 
669 	rcu_read_lock();
670 	list_for_each_entry_rcu(entry, ima_rules, list) {
671 
672 		if (!(entry->action & actmask))
673 			continue;
674 
675 		if (!ima_match_rules(entry, mnt_userns, inode, cred, secid,
676 				     func, mask, func_data))
677 			continue;
678 
679 		action |= entry->flags & IMA_ACTION_FLAGS;
680 
681 		action |= entry->action & IMA_DO_MASK;
682 		if (entry->action & IMA_APPRAISE) {
683 			action |= get_subaction(entry, func);
684 			action &= ~IMA_HASH;
685 			if (ima_fail_unverifiable_sigs)
686 				action |= IMA_FAIL_UNVERIFIABLE_SIGS;
687 		}
688 
689 
690 		if (entry->action & IMA_DO_MASK)
691 			actmask &= ~(entry->action | entry->action << 1);
692 		else
693 			actmask &= ~(entry->action | entry->action >> 1);
694 
695 		if ((pcr) && (entry->flags & IMA_PCR))
696 			*pcr = entry->pcr;
697 
698 		if (template_desc && entry->template)
699 			*template_desc = entry->template;
700 
701 		if (!actmask)
702 			break;
703 	}
704 	rcu_read_unlock();
705 
706 	return action;
707 }
708 
709 /*
710  * Initialize the ima_policy_flag variable based on the currently
711  * loaded policy.  Based on this flag, the decision to short circuit
712  * out of a function or not call the function in the first place
713  * can be made earlier.
714  */
715 void ima_update_policy_flag(void)
716 {
717 	struct ima_rule_entry *entry;
718 
719 	list_for_each_entry(entry, ima_rules, list) {
720 		if (entry->action & IMA_DO_MASK)
721 			ima_policy_flag |= entry->action;
722 	}
723 
724 	ima_appraise |= (build_ima_appraise | temp_ima_appraise);
725 	if (!ima_appraise)
726 		ima_policy_flag &= ~IMA_APPRAISE;
727 }
728 
729 static int ima_appraise_flag(enum ima_hooks func)
730 {
731 	if (func == MODULE_CHECK)
732 		return IMA_APPRAISE_MODULES;
733 	else if (func == FIRMWARE_CHECK)
734 		return IMA_APPRAISE_FIRMWARE;
735 	else if (func == POLICY_CHECK)
736 		return IMA_APPRAISE_POLICY;
737 	else if (func == KEXEC_KERNEL_CHECK)
738 		return IMA_APPRAISE_KEXEC;
739 	return 0;
740 }
741 
742 static void add_rules(struct ima_rule_entry *entries, int count,
743 		      enum policy_rule_list policy_rule)
744 {
745 	int i = 0;
746 
747 	for (i = 0; i < count; i++) {
748 		struct ima_rule_entry *entry;
749 
750 		if (policy_rule & IMA_DEFAULT_POLICY)
751 			list_add_tail(&entries[i].list, &ima_default_rules);
752 
753 		if (policy_rule & IMA_CUSTOM_POLICY) {
754 			entry = kmemdup(&entries[i], sizeof(*entry),
755 					GFP_KERNEL);
756 			if (!entry)
757 				continue;
758 
759 			list_add_tail(&entry->list, &ima_policy_rules);
760 		}
761 		if (entries[i].action == APPRAISE) {
762 			if (entries != build_appraise_rules)
763 				temp_ima_appraise |=
764 					ima_appraise_flag(entries[i].func);
765 			else
766 				build_ima_appraise |=
767 					ima_appraise_flag(entries[i].func);
768 		}
769 	}
770 }
771 
772 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
773 
774 static int __init ima_init_arch_policy(void)
775 {
776 	const char * const *arch_rules;
777 	const char * const *rules;
778 	int arch_entries = 0;
779 	int i = 0;
780 
781 	arch_rules = arch_get_ima_policy();
782 	if (!arch_rules)
783 		return arch_entries;
784 
785 	/* Get number of rules */
786 	for (rules = arch_rules; *rules != NULL; rules++)
787 		arch_entries++;
788 
789 	arch_policy_entry = kcalloc(arch_entries + 1,
790 				    sizeof(*arch_policy_entry), GFP_KERNEL);
791 	if (!arch_policy_entry)
792 		return 0;
793 
794 	/* Convert each policy string rules to struct ima_rule_entry format */
795 	for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
796 		char rule[255];
797 		int result;
798 
799 		result = strlcpy(rule, *rules, sizeof(rule));
800 
801 		INIT_LIST_HEAD(&arch_policy_entry[i].list);
802 		result = ima_parse_rule(rule, &arch_policy_entry[i]);
803 		if (result) {
804 			pr_warn("Skipping unknown architecture policy rule: %s\n",
805 				rule);
806 			memset(&arch_policy_entry[i], 0,
807 			       sizeof(*arch_policy_entry));
808 			continue;
809 		}
810 		i++;
811 	}
812 	return i;
813 }
814 
815 /**
816  * ima_init_policy - initialize the default measure rules.
817  *
818  * ima_rules points to either the ima_default_rules or the
819  * the new ima_policy_rules.
820  */
821 void __init ima_init_policy(void)
822 {
823 	int build_appraise_entries, arch_entries;
824 
825 	/* if !ima_policy, we load NO default rules */
826 	if (ima_policy)
827 		add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
828 			  IMA_DEFAULT_POLICY);
829 
830 	switch (ima_policy) {
831 	case ORIGINAL_TCB:
832 		add_rules(original_measurement_rules,
833 			  ARRAY_SIZE(original_measurement_rules),
834 			  IMA_DEFAULT_POLICY);
835 		break;
836 	case DEFAULT_TCB:
837 		add_rules(default_measurement_rules,
838 			  ARRAY_SIZE(default_measurement_rules),
839 			  IMA_DEFAULT_POLICY);
840 		break;
841 	default:
842 		break;
843 	}
844 
845 	/*
846 	 * Based on runtime secure boot flags, insert arch specific measurement
847 	 * and appraise rules requiring file signatures for both the initial
848 	 * and custom policies, prior to other appraise rules.
849 	 * (Highest priority)
850 	 */
851 	arch_entries = ima_init_arch_policy();
852 	if (!arch_entries)
853 		pr_info("No architecture policies found\n");
854 	else
855 		add_rules(arch_policy_entry, arch_entries,
856 			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
857 
858 	/*
859 	 * Insert the builtin "secure_boot" policy rules requiring file
860 	 * signatures, prior to other appraise rules.
861 	 */
862 	if (ima_use_secure_boot)
863 		add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
864 			  IMA_DEFAULT_POLICY);
865 
866 	/*
867 	 * Insert the build time appraise rules requiring file signatures
868 	 * for both the initial and custom policies, prior to other appraise
869 	 * rules. As the secure boot rules includes all of the build time
870 	 * rules, include either one or the other set of rules, but not both.
871 	 */
872 	build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
873 	if (build_appraise_entries) {
874 		if (ima_use_secure_boot)
875 			add_rules(build_appraise_rules, build_appraise_entries,
876 				  IMA_CUSTOM_POLICY);
877 		else
878 			add_rules(build_appraise_rules, build_appraise_entries,
879 				  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
880 	}
881 
882 	if (ima_use_appraise_tcb)
883 		add_rules(default_appraise_rules,
884 			  ARRAY_SIZE(default_appraise_rules),
885 			  IMA_DEFAULT_POLICY);
886 
887 	if (ima_use_critical_data)
888 		add_rules(critical_data_rules,
889 			  ARRAY_SIZE(critical_data_rules),
890 			  IMA_DEFAULT_POLICY);
891 
892 	ima_update_policy_flag();
893 }
894 
895 /* Make sure we have a valid policy, at least containing some rules. */
896 int ima_check_policy(void)
897 {
898 	if (list_empty(&ima_temp_rules))
899 		return -EINVAL;
900 	return 0;
901 }
902 
903 /**
904  * ima_update_policy - update default_rules with new measure rules
905  *
906  * Called on file .release to update the default rules with a complete new
907  * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
908  * they make a queue.  The policy may be updated multiple times and this is the
909  * RCU updater.
910  *
911  * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
912  * we switch from the default policy to user defined.
913  */
914 void ima_update_policy(void)
915 {
916 	struct list_head *policy = &ima_policy_rules;
917 
918 	list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
919 
920 	if (ima_rules != policy) {
921 		ima_policy_flag = 0;
922 		ima_rules = policy;
923 
924 		/*
925 		 * IMA architecture specific policy rules are specified
926 		 * as strings and converted to an array of ima_entry_rules
927 		 * on boot.  After loading a custom policy, free the
928 		 * architecture specific rules stored as an array.
929 		 */
930 		kfree(arch_policy_entry);
931 	}
932 	ima_update_policy_flag();
933 
934 	/* Custom IMA policy has been loaded */
935 	ima_process_queued_keys();
936 }
937 
938 /* Keep the enumeration in sync with the policy_tokens! */
939 enum {
940 	Opt_measure, Opt_dont_measure,
941 	Opt_appraise, Opt_dont_appraise,
942 	Opt_audit, Opt_hash, Opt_dont_hash,
943 	Opt_obj_user, Opt_obj_role, Opt_obj_type,
944 	Opt_subj_user, Opt_subj_role, Opt_subj_type,
945 	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
946 	Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
947 	Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
948 	Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
949 	Opt_appraise_type, Opt_appraise_flag,
950 	Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
951 	Opt_label, Opt_err
952 };
953 
954 static const match_table_t policy_tokens = {
955 	{Opt_measure, "measure"},
956 	{Opt_dont_measure, "dont_measure"},
957 	{Opt_appraise, "appraise"},
958 	{Opt_dont_appraise, "dont_appraise"},
959 	{Opt_audit, "audit"},
960 	{Opt_hash, "hash"},
961 	{Opt_dont_hash, "dont_hash"},
962 	{Opt_obj_user, "obj_user=%s"},
963 	{Opt_obj_role, "obj_role=%s"},
964 	{Opt_obj_type, "obj_type=%s"},
965 	{Opt_subj_user, "subj_user=%s"},
966 	{Opt_subj_role, "subj_role=%s"},
967 	{Opt_subj_type, "subj_type=%s"},
968 	{Opt_func, "func=%s"},
969 	{Opt_mask, "mask=%s"},
970 	{Opt_fsmagic, "fsmagic=%s"},
971 	{Opt_fsname, "fsname=%s"},
972 	{Opt_fsuuid, "fsuuid=%s"},
973 	{Opt_uid_eq, "uid=%s"},
974 	{Opt_euid_eq, "euid=%s"},
975 	{Opt_fowner_eq, "fowner=%s"},
976 	{Opt_uid_gt, "uid>%s"},
977 	{Opt_euid_gt, "euid>%s"},
978 	{Opt_fowner_gt, "fowner>%s"},
979 	{Opt_uid_lt, "uid<%s"},
980 	{Opt_euid_lt, "euid<%s"},
981 	{Opt_fowner_lt, "fowner<%s"},
982 	{Opt_appraise_type, "appraise_type=%s"},
983 	{Opt_appraise_flag, "appraise_flag=%s"},
984 	{Opt_permit_directio, "permit_directio"},
985 	{Opt_pcr, "pcr=%s"},
986 	{Opt_template, "template=%s"},
987 	{Opt_keyrings, "keyrings=%s"},
988 	{Opt_label, "label=%s"},
989 	{Opt_err, NULL}
990 };
991 
992 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
993 			     substring_t *args, int lsm_rule, int audit_type)
994 {
995 	int result;
996 
997 	if (entry->lsm[lsm_rule].rule)
998 		return -EINVAL;
999 
1000 	entry->lsm[lsm_rule].args_p = match_strdup(args);
1001 	if (!entry->lsm[lsm_rule].args_p)
1002 		return -ENOMEM;
1003 
1004 	entry->lsm[lsm_rule].type = audit_type;
1005 	result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
1006 				      entry->lsm[lsm_rule].args_p,
1007 				      &entry->lsm[lsm_rule].rule);
1008 	if (!entry->lsm[lsm_rule].rule) {
1009 		pr_warn("rule for LSM \'%s\' is undefined\n",
1010 			entry->lsm[lsm_rule].args_p);
1011 
1012 		if (ima_rules == &ima_default_rules) {
1013 			kfree(entry->lsm[lsm_rule].args_p);
1014 			entry->lsm[lsm_rule].args_p = NULL;
1015 			result = -EINVAL;
1016 		} else
1017 			result = 0;
1018 	}
1019 
1020 	return result;
1021 }
1022 
1023 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
1024 			      bool (*rule_operator)(kuid_t, kuid_t))
1025 {
1026 	if (!ab)
1027 		return;
1028 
1029 	if (rule_operator == &uid_gt)
1030 		audit_log_format(ab, "%s>", key);
1031 	else if (rule_operator == &uid_lt)
1032 		audit_log_format(ab, "%s<", key);
1033 	else
1034 		audit_log_format(ab, "%s=", key);
1035 	audit_log_format(ab, "%s ", value);
1036 }
1037 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
1038 {
1039 	ima_log_string_op(ab, key, value, NULL);
1040 }
1041 
1042 /*
1043  * Validating the appended signature included in the measurement list requires
1044  * the file hash calculated without the appended signature (i.e., the 'd-modsig'
1045  * field). Therefore, notify the user if they have the 'modsig' field but not
1046  * the 'd-modsig' field in the template.
1047  */
1048 static void check_template_modsig(const struct ima_template_desc *template)
1049 {
1050 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
1051 	bool has_modsig, has_dmodsig;
1052 	static bool checked;
1053 	int i;
1054 
1055 	/* We only need to notify the user once. */
1056 	if (checked)
1057 		return;
1058 
1059 	has_modsig = has_dmodsig = false;
1060 	for (i = 0; i < template->num_fields; i++) {
1061 		if (!strcmp(template->fields[i]->field_id, "modsig"))
1062 			has_modsig = true;
1063 		else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
1064 			has_dmodsig = true;
1065 	}
1066 
1067 	if (has_modsig && !has_dmodsig)
1068 		pr_notice(MSG);
1069 
1070 	checked = true;
1071 #undef MSG
1072 }
1073 
1074 static bool ima_validate_rule(struct ima_rule_entry *entry)
1075 {
1076 	/* Ensure that the action is set and is compatible with the flags */
1077 	if (entry->action == UNKNOWN)
1078 		return false;
1079 
1080 	if (entry->action != MEASURE && entry->flags & IMA_PCR)
1081 		return false;
1082 
1083 	if (entry->action != APPRAISE &&
1084 	    entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST))
1085 		return false;
1086 
1087 	/*
1088 	 * The IMA_FUNC bit must be set if and only if there's a valid hook
1089 	 * function specified, and vice versa. Enforcing this property allows
1090 	 * for the NONE case below to validate a rule without an explicit hook
1091 	 * function.
1092 	 */
1093 	if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
1094 	    (!(entry->flags & IMA_FUNC) && entry->func != NONE))
1095 		return false;
1096 
1097 	/*
1098 	 * Ensure that the hook function is compatible with the other
1099 	 * components of the rule
1100 	 */
1101 	switch (entry->func) {
1102 	case NONE:
1103 	case FILE_CHECK:
1104 	case MMAP_CHECK:
1105 	case BPRM_CHECK:
1106 	case CREDS_CHECK:
1107 	case POST_SETATTR:
1108 	case FIRMWARE_CHECK:
1109 	case POLICY_CHECK:
1110 		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1111 				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1112 				     IMA_INMASK | IMA_EUID | IMA_PCR |
1113 				     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
1114 				     IMA_PERMIT_DIRECTIO))
1115 			return false;
1116 
1117 		break;
1118 	case MODULE_CHECK:
1119 	case KEXEC_KERNEL_CHECK:
1120 	case KEXEC_INITRAMFS_CHECK:
1121 		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1122 				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1123 				     IMA_INMASK | IMA_EUID | IMA_PCR |
1124 				     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
1125 				     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
1126 				     IMA_CHECK_BLACKLIST))
1127 			return false;
1128 
1129 		break;
1130 	case KEXEC_CMDLINE:
1131 		if (entry->action & ~(MEASURE | DONT_MEASURE))
1132 			return false;
1133 
1134 		if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1135 				     IMA_FOWNER | IMA_FSUUID | IMA_EUID |
1136 				     IMA_PCR | IMA_FSNAME))
1137 			return false;
1138 
1139 		break;
1140 	case KEY_CHECK:
1141 		if (entry->action & ~(MEASURE | DONT_MEASURE))
1142 			return false;
1143 
1144 		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
1145 				     IMA_KEYRINGS))
1146 			return false;
1147 
1148 		if (ima_rule_contains_lsm_cond(entry))
1149 			return false;
1150 
1151 		break;
1152 	case CRITICAL_DATA:
1153 		if (entry->action & ~(MEASURE | DONT_MEASURE))
1154 			return false;
1155 
1156 		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
1157 				     IMA_LABEL))
1158 			return false;
1159 
1160 		if (ima_rule_contains_lsm_cond(entry))
1161 			return false;
1162 
1163 		break;
1164 	default:
1165 		return false;
1166 	}
1167 
1168 	/* Ensure that combinations of flags are compatible with each other */
1169 	if (entry->flags & IMA_CHECK_BLACKLIST &&
1170 	    !(entry->flags & IMA_MODSIG_ALLOWED))
1171 		return false;
1172 
1173 	return true;
1174 }
1175 
1176 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1177 {
1178 	struct audit_buffer *ab;
1179 	char *from;
1180 	char *p;
1181 	bool uid_token;
1182 	struct ima_template_desc *template_desc;
1183 	int result = 0;
1184 
1185 	ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
1186 				       AUDIT_INTEGRITY_POLICY_RULE);
1187 
1188 	entry->uid = INVALID_UID;
1189 	entry->fowner = INVALID_UID;
1190 	entry->uid_op = &uid_eq;
1191 	entry->fowner_op = &uid_eq;
1192 	entry->action = UNKNOWN;
1193 	while ((p = strsep(&rule, " \t")) != NULL) {
1194 		substring_t args[MAX_OPT_ARGS];
1195 		int token;
1196 		unsigned long lnum;
1197 
1198 		if (result < 0)
1199 			break;
1200 		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
1201 			continue;
1202 		token = match_token(p, policy_tokens, args);
1203 		switch (token) {
1204 		case Opt_measure:
1205 			ima_log_string(ab, "action", "measure");
1206 
1207 			if (entry->action != UNKNOWN)
1208 				result = -EINVAL;
1209 
1210 			entry->action = MEASURE;
1211 			break;
1212 		case Opt_dont_measure:
1213 			ima_log_string(ab, "action", "dont_measure");
1214 
1215 			if (entry->action != UNKNOWN)
1216 				result = -EINVAL;
1217 
1218 			entry->action = DONT_MEASURE;
1219 			break;
1220 		case Opt_appraise:
1221 			ima_log_string(ab, "action", "appraise");
1222 
1223 			if (entry->action != UNKNOWN)
1224 				result = -EINVAL;
1225 
1226 			entry->action = APPRAISE;
1227 			break;
1228 		case Opt_dont_appraise:
1229 			ima_log_string(ab, "action", "dont_appraise");
1230 
1231 			if (entry->action != UNKNOWN)
1232 				result = -EINVAL;
1233 
1234 			entry->action = DONT_APPRAISE;
1235 			break;
1236 		case Opt_audit:
1237 			ima_log_string(ab, "action", "audit");
1238 
1239 			if (entry->action != UNKNOWN)
1240 				result = -EINVAL;
1241 
1242 			entry->action = AUDIT;
1243 			break;
1244 		case Opt_hash:
1245 			ima_log_string(ab, "action", "hash");
1246 
1247 			if (entry->action != UNKNOWN)
1248 				result = -EINVAL;
1249 
1250 			entry->action = HASH;
1251 			break;
1252 		case Opt_dont_hash:
1253 			ima_log_string(ab, "action", "dont_hash");
1254 
1255 			if (entry->action != UNKNOWN)
1256 				result = -EINVAL;
1257 
1258 			entry->action = DONT_HASH;
1259 			break;
1260 		case Opt_func:
1261 			ima_log_string(ab, "func", args[0].from);
1262 
1263 			if (entry->func)
1264 				result = -EINVAL;
1265 
1266 			if (strcmp(args[0].from, "FILE_CHECK") == 0)
1267 				entry->func = FILE_CHECK;
1268 			/* PATH_CHECK is for backwards compat */
1269 			else if (strcmp(args[0].from, "PATH_CHECK") == 0)
1270 				entry->func = FILE_CHECK;
1271 			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
1272 				entry->func = MODULE_CHECK;
1273 			else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
1274 				entry->func = FIRMWARE_CHECK;
1275 			else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
1276 				|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
1277 				entry->func = MMAP_CHECK;
1278 			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
1279 				entry->func = BPRM_CHECK;
1280 			else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
1281 				entry->func = CREDS_CHECK;
1282 			else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
1283 				 0)
1284 				entry->func = KEXEC_KERNEL_CHECK;
1285 			else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
1286 				 == 0)
1287 				entry->func = KEXEC_INITRAMFS_CHECK;
1288 			else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
1289 				entry->func = POLICY_CHECK;
1290 			else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1291 				entry->func = KEXEC_CMDLINE;
1292 			else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
1293 				 strcmp(args[0].from, "KEY_CHECK") == 0)
1294 				entry->func = KEY_CHECK;
1295 			else if (strcmp(args[0].from, "CRITICAL_DATA") == 0)
1296 				entry->func = CRITICAL_DATA;
1297 			else
1298 				result = -EINVAL;
1299 			if (!result)
1300 				entry->flags |= IMA_FUNC;
1301 			break;
1302 		case Opt_mask:
1303 			ima_log_string(ab, "mask", args[0].from);
1304 
1305 			if (entry->mask)
1306 				result = -EINVAL;
1307 
1308 			from = args[0].from;
1309 			if (*from == '^')
1310 				from++;
1311 
1312 			if ((strcmp(from, "MAY_EXEC")) == 0)
1313 				entry->mask = MAY_EXEC;
1314 			else if (strcmp(from, "MAY_WRITE") == 0)
1315 				entry->mask = MAY_WRITE;
1316 			else if (strcmp(from, "MAY_READ") == 0)
1317 				entry->mask = MAY_READ;
1318 			else if (strcmp(from, "MAY_APPEND") == 0)
1319 				entry->mask = MAY_APPEND;
1320 			else
1321 				result = -EINVAL;
1322 			if (!result)
1323 				entry->flags |= (*args[0].from == '^')
1324 				     ? IMA_INMASK : IMA_MASK;
1325 			break;
1326 		case Opt_fsmagic:
1327 			ima_log_string(ab, "fsmagic", args[0].from);
1328 
1329 			if (entry->fsmagic) {
1330 				result = -EINVAL;
1331 				break;
1332 			}
1333 
1334 			result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1335 			if (!result)
1336 				entry->flags |= IMA_FSMAGIC;
1337 			break;
1338 		case Opt_fsname:
1339 			ima_log_string(ab, "fsname", args[0].from);
1340 
1341 			entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1342 			if (!entry->fsname) {
1343 				result = -ENOMEM;
1344 				break;
1345 			}
1346 			result = 0;
1347 			entry->flags |= IMA_FSNAME;
1348 			break;
1349 		case Opt_keyrings:
1350 			ima_log_string(ab, "keyrings", args[0].from);
1351 
1352 			if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) ||
1353 			    entry->keyrings) {
1354 				result = -EINVAL;
1355 				break;
1356 			}
1357 
1358 			entry->keyrings = ima_alloc_rule_opt_list(args);
1359 			if (IS_ERR(entry->keyrings)) {
1360 				result = PTR_ERR(entry->keyrings);
1361 				entry->keyrings = NULL;
1362 				break;
1363 			}
1364 
1365 			entry->flags |= IMA_KEYRINGS;
1366 			break;
1367 		case Opt_label:
1368 			ima_log_string(ab, "label", args[0].from);
1369 
1370 			if (entry->label) {
1371 				result = -EINVAL;
1372 				break;
1373 			}
1374 
1375 			entry->label = ima_alloc_rule_opt_list(args);
1376 			if (IS_ERR(entry->label)) {
1377 				result = PTR_ERR(entry->label);
1378 				entry->label = NULL;
1379 				break;
1380 			}
1381 
1382 			entry->flags |= IMA_LABEL;
1383 			break;
1384 		case Opt_fsuuid:
1385 			ima_log_string(ab, "fsuuid", args[0].from);
1386 
1387 			if (!uuid_is_null(&entry->fsuuid)) {
1388 				result = -EINVAL;
1389 				break;
1390 			}
1391 
1392 			result = uuid_parse(args[0].from, &entry->fsuuid);
1393 			if (!result)
1394 				entry->flags |= IMA_FSUUID;
1395 			break;
1396 		case Opt_uid_gt:
1397 		case Opt_euid_gt:
1398 			entry->uid_op = &uid_gt;
1399 			fallthrough;
1400 		case Opt_uid_lt:
1401 		case Opt_euid_lt:
1402 			if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1403 				entry->uid_op = &uid_lt;
1404 			fallthrough;
1405 		case Opt_uid_eq:
1406 		case Opt_euid_eq:
1407 			uid_token = (token == Opt_uid_eq) ||
1408 				    (token == Opt_uid_gt) ||
1409 				    (token == Opt_uid_lt);
1410 
1411 			ima_log_string_op(ab, uid_token ? "uid" : "euid",
1412 					  args[0].from, entry->uid_op);
1413 
1414 			if (uid_valid(entry->uid)) {
1415 				result = -EINVAL;
1416 				break;
1417 			}
1418 
1419 			result = kstrtoul(args[0].from, 10, &lnum);
1420 			if (!result) {
1421 				entry->uid = make_kuid(current_user_ns(),
1422 						       (uid_t) lnum);
1423 				if (!uid_valid(entry->uid) ||
1424 				    (uid_t)lnum != lnum)
1425 					result = -EINVAL;
1426 				else
1427 					entry->flags |= uid_token
1428 					    ? IMA_UID : IMA_EUID;
1429 			}
1430 			break;
1431 		case Opt_fowner_gt:
1432 			entry->fowner_op = &uid_gt;
1433 			fallthrough;
1434 		case Opt_fowner_lt:
1435 			if (token == Opt_fowner_lt)
1436 				entry->fowner_op = &uid_lt;
1437 			fallthrough;
1438 		case Opt_fowner_eq:
1439 			ima_log_string_op(ab, "fowner", args[0].from,
1440 					  entry->fowner_op);
1441 
1442 			if (uid_valid(entry->fowner)) {
1443 				result = -EINVAL;
1444 				break;
1445 			}
1446 
1447 			result = kstrtoul(args[0].from, 10, &lnum);
1448 			if (!result) {
1449 				entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
1450 				if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
1451 					result = -EINVAL;
1452 				else
1453 					entry->flags |= IMA_FOWNER;
1454 			}
1455 			break;
1456 		case Opt_obj_user:
1457 			ima_log_string(ab, "obj_user", args[0].from);
1458 			result = ima_lsm_rule_init(entry, args,
1459 						   LSM_OBJ_USER,
1460 						   AUDIT_OBJ_USER);
1461 			break;
1462 		case Opt_obj_role:
1463 			ima_log_string(ab, "obj_role", args[0].from);
1464 			result = ima_lsm_rule_init(entry, args,
1465 						   LSM_OBJ_ROLE,
1466 						   AUDIT_OBJ_ROLE);
1467 			break;
1468 		case Opt_obj_type:
1469 			ima_log_string(ab, "obj_type", args[0].from);
1470 			result = ima_lsm_rule_init(entry, args,
1471 						   LSM_OBJ_TYPE,
1472 						   AUDIT_OBJ_TYPE);
1473 			break;
1474 		case Opt_subj_user:
1475 			ima_log_string(ab, "subj_user", args[0].from);
1476 			result = ima_lsm_rule_init(entry, args,
1477 						   LSM_SUBJ_USER,
1478 						   AUDIT_SUBJ_USER);
1479 			break;
1480 		case Opt_subj_role:
1481 			ima_log_string(ab, "subj_role", args[0].from);
1482 			result = ima_lsm_rule_init(entry, args,
1483 						   LSM_SUBJ_ROLE,
1484 						   AUDIT_SUBJ_ROLE);
1485 			break;
1486 		case Opt_subj_type:
1487 			ima_log_string(ab, "subj_type", args[0].from);
1488 			result = ima_lsm_rule_init(entry, args,
1489 						   LSM_SUBJ_TYPE,
1490 						   AUDIT_SUBJ_TYPE);
1491 			break;
1492 		case Opt_appraise_type:
1493 			ima_log_string(ab, "appraise_type", args[0].from);
1494 			if ((strcmp(args[0].from, "imasig")) == 0)
1495 				entry->flags |= IMA_DIGSIG_REQUIRED;
1496 			else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1497 				 strcmp(args[0].from, "imasig|modsig") == 0)
1498 				entry->flags |= IMA_DIGSIG_REQUIRED |
1499 						IMA_MODSIG_ALLOWED;
1500 			else
1501 				result = -EINVAL;
1502 			break;
1503 		case Opt_appraise_flag:
1504 			ima_log_string(ab, "appraise_flag", args[0].from);
1505 			if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1506 			    strstr(args[0].from, "blacklist"))
1507 				entry->flags |= IMA_CHECK_BLACKLIST;
1508 			else
1509 				result = -EINVAL;
1510 			break;
1511 		case Opt_permit_directio:
1512 			entry->flags |= IMA_PERMIT_DIRECTIO;
1513 			break;
1514 		case Opt_pcr:
1515 			ima_log_string(ab, "pcr", args[0].from);
1516 
1517 			result = kstrtoint(args[0].from, 10, &entry->pcr);
1518 			if (result || INVALID_PCR(entry->pcr))
1519 				result = -EINVAL;
1520 			else
1521 				entry->flags |= IMA_PCR;
1522 
1523 			break;
1524 		case Opt_template:
1525 			ima_log_string(ab, "template", args[0].from);
1526 			if (entry->action != MEASURE) {
1527 				result = -EINVAL;
1528 				break;
1529 			}
1530 			template_desc = lookup_template_desc(args[0].from);
1531 			if (!template_desc || entry->template) {
1532 				result = -EINVAL;
1533 				break;
1534 			}
1535 
1536 			/*
1537 			 * template_desc_init_fields() does nothing if
1538 			 * the template is already initialised, so
1539 			 * it's safe to do this unconditionally
1540 			 */
1541 			template_desc_init_fields(template_desc->fmt,
1542 						 &(template_desc->fields),
1543 						 &(template_desc->num_fields));
1544 			entry->template = template_desc;
1545 			break;
1546 		case Opt_err:
1547 			ima_log_string(ab, "UNKNOWN", p);
1548 			result = -EINVAL;
1549 			break;
1550 		}
1551 	}
1552 	if (!result && !ima_validate_rule(entry))
1553 		result = -EINVAL;
1554 	else if (entry->action == APPRAISE)
1555 		temp_ima_appraise |= ima_appraise_flag(entry->func);
1556 
1557 	if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1558 		template_desc = entry->template ? entry->template :
1559 						  ima_template_desc_current();
1560 		check_template_modsig(template_desc);
1561 	}
1562 
1563 	audit_log_format(ab, "res=%d", !result);
1564 	audit_log_end(ab);
1565 	return result;
1566 }
1567 
1568 /**
1569  * ima_parse_add_rule - add a rule to ima_policy_rules
1570  * @rule - ima measurement policy rule
1571  *
1572  * Avoid locking by allowing just one writer at a time in ima_write_policy()
1573  * Returns the length of the rule parsed, an error code on failure
1574  */
1575 ssize_t ima_parse_add_rule(char *rule)
1576 {
1577 	static const char op[] = "update_policy";
1578 	char *p;
1579 	struct ima_rule_entry *entry;
1580 	ssize_t result, len;
1581 	int audit_info = 0;
1582 
1583 	p = strsep(&rule, "\n");
1584 	len = strlen(p) + 1;
1585 	p += strspn(p, " \t");
1586 
1587 	if (*p == '#' || *p == '\0')
1588 		return len;
1589 
1590 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1591 	if (!entry) {
1592 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1593 				    NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1594 		return -ENOMEM;
1595 	}
1596 
1597 	INIT_LIST_HEAD(&entry->list);
1598 
1599 	result = ima_parse_rule(p, entry);
1600 	if (result) {
1601 		ima_free_rule(entry);
1602 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1603 				    NULL, op, "invalid-policy", result,
1604 				    audit_info);
1605 		return result;
1606 	}
1607 
1608 	list_add_tail(&entry->list, &ima_temp_rules);
1609 
1610 	return len;
1611 }
1612 
1613 /**
1614  * ima_delete_rules() called to cleanup invalid in-flight policy.
1615  * We don't need locking as we operate on the temp list, which is
1616  * different from the active one.  There is also only one user of
1617  * ima_delete_rules() at a time.
1618  */
1619 void ima_delete_rules(void)
1620 {
1621 	struct ima_rule_entry *entry, *tmp;
1622 
1623 	temp_ima_appraise = 0;
1624 	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1625 		list_del(&entry->list);
1626 		ima_free_rule(entry);
1627 	}
1628 }
1629 
1630 #define __ima_hook_stringify(func, str)	(#func),
1631 
1632 const char *const func_tokens[] = {
1633 	__ima_hooks(__ima_hook_stringify)
1634 };
1635 
1636 #ifdef	CONFIG_IMA_READ_POLICY
1637 enum {
1638 	mask_exec = 0, mask_write, mask_read, mask_append
1639 };
1640 
1641 static const char *const mask_tokens[] = {
1642 	"^MAY_EXEC",
1643 	"^MAY_WRITE",
1644 	"^MAY_READ",
1645 	"^MAY_APPEND"
1646 };
1647 
1648 void *ima_policy_start(struct seq_file *m, loff_t *pos)
1649 {
1650 	loff_t l = *pos;
1651 	struct ima_rule_entry *entry;
1652 
1653 	rcu_read_lock();
1654 	list_for_each_entry_rcu(entry, ima_rules, list) {
1655 		if (!l--) {
1656 			rcu_read_unlock();
1657 			return entry;
1658 		}
1659 	}
1660 	rcu_read_unlock();
1661 	return NULL;
1662 }
1663 
1664 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1665 {
1666 	struct ima_rule_entry *entry = v;
1667 
1668 	rcu_read_lock();
1669 	entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1670 	rcu_read_unlock();
1671 	(*pos)++;
1672 
1673 	return (&entry->list == ima_rules) ? NULL : entry;
1674 }
1675 
1676 void ima_policy_stop(struct seq_file *m, void *v)
1677 {
1678 }
1679 
1680 #define pt(token)	policy_tokens[token].pattern
1681 #define mt(token)	mask_tokens[token]
1682 
1683 /*
1684  * policy_func_show - display the ima_hooks policy rule
1685  */
1686 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1687 {
1688 	if (func > 0 && func < MAX_CHECK)
1689 		seq_printf(m, "func=%s ", func_tokens[func]);
1690 	else
1691 		seq_printf(m, "func=%d ", func);
1692 }
1693 
1694 static void ima_show_rule_opt_list(struct seq_file *m,
1695 				   const struct ima_rule_opt_list *opt_list)
1696 {
1697 	size_t i;
1698 
1699 	for (i = 0; i < opt_list->count; i++)
1700 		seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]);
1701 }
1702 
1703 int ima_policy_show(struct seq_file *m, void *v)
1704 {
1705 	struct ima_rule_entry *entry = v;
1706 	int i;
1707 	char tbuf[64] = {0,};
1708 	int offset = 0;
1709 
1710 	rcu_read_lock();
1711 
1712 	if (entry->action & MEASURE)
1713 		seq_puts(m, pt(Opt_measure));
1714 	if (entry->action & DONT_MEASURE)
1715 		seq_puts(m, pt(Opt_dont_measure));
1716 	if (entry->action & APPRAISE)
1717 		seq_puts(m, pt(Opt_appraise));
1718 	if (entry->action & DONT_APPRAISE)
1719 		seq_puts(m, pt(Opt_dont_appraise));
1720 	if (entry->action & AUDIT)
1721 		seq_puts(m, pt(Opt_audit));
1722 	if (entry->action & HASH)
1723 		seq_puts(m, pt(Opt_hash));
1724 	if (entry->action & DONT_HASH)
1725 		seq_puts(m, pt(Opt_dont_hash));
1726 
1727 	seq_puts(m, " ");
1728 
1729 	if (entry->flags & IMA_FUNC)
1730 		policy_func_show(m, entry->func);
1731 
1732 	if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
1733 		if (entry->flags & IMA_MASK)
1734 			offset = 1;
1735 		if (entry->mask & MAY_EXEC)
1736 			seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
1737 		if (entry->mask & MAY_WRITE)
1738 			seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
1739 		if (entry->mask & MAY_READ)
1740 			seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
1741 		if (entry->mask & MAY_APPEND)
1742 			seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
1743 		seq_puts(m, " ");
1744 	}
1745 
1746 	if (entry->flags & IMA_FSMAGIC) {
1747 		snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1748 		seq_printf(m, pt(Opt_fsmagic), tbuf);
1749 		seq_puts(m, " ");
1750 	}
1751 
1752 	if (entry->flags & IMA_FSNAME) {
1753 		snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1754 		seq_printf(m, pt(Opt_fsname), tbuf);
1755 		seq_puts(m, " ");
1756 	}
1757 
1758 	if (entry->flags & IMA_KEYRINGS) {
1759 		seq_puts(m, "keyrings=");
1760 		ima_show_rule_opt_list(m, entry->keyrings);
1761 		seq_puts(m, " ");
1762 	}
1763 
1764 	if (entry->flags & IMA_LABEL) {
1765 		seq_puts(m, "label=");
1766 		ima_show_rule_opt_list(m, entry->label);
1767 		seq_puts(m, " ");
1768 	}
1769 
1770 	if (entry->flags & IMA_PCR) {
1771 		snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1772 		seq_printf(m, pt(Opt_pcr), tbuf);
1773 		seq_puts(m, " ");
1774 	}
1775 
1776 	if (entry->flags & IMA_FSUUID) {
1777 		seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1778 		seq_puts(m, " ");
1779 	}
1780 
1781 	if (entry->flags & IMA_UID) {
1782 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1783 		if (entry->uid_op == &uid_gt)
1784 			seq_printf(m, pt(Opt_uid_gt), tbuf);
1785 		else if (entry->uid_op == &uid_lt)
1786 			seq_printf(m, pt(Opt_uid_lt), tbuf);
1787 		else
1788 			seq_printf(m, pt(Opt_uid_eq), tbuf);
1789 		seq_puts(m, " ");
1790 	}
1791 
1792 	if (entry->flags & IMA_EUID) {
1793 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1794 		if (entry->uid_op == &uid_gt)
1795 			seq_printf(m, pt(Opt_euid_gt), tbuf);
1796 		else if (entry->uid_op == &uid_lt)
1797 			seq_printf(m, pt(Opt_euid_lt), tbuf);
1798 		else
1799 			seq_printf(m, pt(Opt_euid_eq), tbuf);
1800 		seq_puts(m, " ");
1801 	}
1802 
1803 	if (entry->flags & IMA_FOWNER) {
1804 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1805 		if (entry->fowner_op == &uid_gt)
1806 			seq_printf(m, pt(Opt_fowner_gt), tbuf);
1807 		else if (entry->fowner_op == &uid_lt)
1808 			seq_printf(m, pt(Opt_fowner_lt), tbuf);
1809 		else
1810 			seq_printf(m, pt(Opt_fowner_eq), tbuf);
1811 		seq_puts(m, " ");
1812 	}
1813 
1814 	for (i = 0; i < MAX_LSM_RULES; i++) {
1815 		if (entry->lsm[i].rule) {
1816 			switch (i) {
1817 			case LSM_OBJ_USER:
1818 				seq_printf(m, pt(Opt_obj_user),
1819 					   entry->lsm[i].args_p);
1820 				break;
1821 			case LSM_OBJ_ROLE:
1822 				seq_printf(m, pt(Opt_obj_role),
1823 					   entry->lsm[i].args_p);
1824 				break;
1825 			case LSM_OBJ_TYPE:
1826 				seq_printf(m, pt(Opt_obj_type),
1827 					   entry->lsm[i].args_p);
1828 				break;
1829 			case LSM_SUBJ_USER:
1830 				seq_printf(m, pt(Opt_subj_user),
1831 					   entry->lsm[i].args_p);
1832 				break;
1833 			case LSM_SUBJ_ROLE:
1834 				seq_printf(m, pt(Opt_subj_role),
1835 					   entry->lsm[i].args_p);
1836 				break;
1837 			case LSM_SUBJ_TYPE:
1838 				seq_printf(m, pt(Opt_subj_type),
1839 					   entry->lsm[i].args_p);
1840 				break;
1841 			}
1842 			seq_puts(m, " ");
1843 		}
1844 	}
1845 	if (entry->template)
1846 		seq_printf(m, "template=%s ", entry->template->name);
1847 	if (entry->flags & IMA_DIGSIG_REQUIRED) {
1848 		if (entry->flags & IMA_MODSIG_ALLOWED)
1849 			seq_puts(m, "appraise_type=imasig|modsig ");
1850 		else
1851 			seq_puts(m, "appraise_type=imasig ");
1852 	}
1853 	if (entry->flags & IMA_CHECK_BLACKLIST)
1854 		seq_puts(m, "appraise_flag=check_blacklist ");
1855 	if (entry->flags & IMA_PERMIT_DIRECTIO)
1856 		seq_puts(m, "permit_directio ");
1857 	rcu_read_unlock();
1858 	seq_puts(m, "\n");
1859 	return 0;
1860 }
1861 #endif	/* CONFIG_IMA_READ_POLICY */
1862 
1863 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
1864 /*
1865  * ima_appraise_signature: whether IMA will appraise a given function using
1866  * an IMA digital signature. This is restricted to cases where the kernel
1867  * has a set of built-in trusted keys in order to avoid an attacker simply
1868  * loading additional keys.
1869  */
1870 bool ima_appraise_signature(enum kernel_read_file_id id)
1871 {
1872 	struct ima_rule_entry *entry;
1873 	bool found = false;
1874 	enum ima_hooks func;
1875 
1876 	if (id >= READING_MAX_ID)
1877 		return false;
1878 
1879 	func = read_idmap[id] ?: FILE_CHECK;
1880 
1881 	rcu_read_lock();
1882 	list_for_each_entry_rcu(entry, ima_rules, list) {
1883 		if (entry->action != APPRAISE)
1884 			continue;
1885 
1886 		/*
1887 		 * A generic entry will match, but otherwise require that it
1888 		 * match the func we're looking for
1889 		 */
1890 		if (entry->func && entry->func != func)
1891 			continue;
1892 
1893 		/*
1894 		 * We require this to be a digital signature, not a raw IMA
1895 		 * hash.
1896 		 */
1897 		if (entry->flags & IMA_DIGSIG_REQUIRED)
1898 			found = true;
1899 
1900 		/*
1901 		 * We've found a rule that matches, so break now even if it
1902 		 * didn't require a digital signature - a later rule that does
1903 		 * won't override it, so would be a false positive.
1904 		 */
1905 		break;
1906 	}
1907 
1908 	rcu_read_unlock();
1909 	return found;
1910 }
1911 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
1912