1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/genhd.h> 20 #include <linux/seq_file.h> 21 #include <linux/ima.h> 22 23 #include "ima.h" 24 25 /* flags definitions */ 26 #define IMA_FUNC 0x0001 27 #define IMA_MASK 0x0002 28 #define IMA_FSMAGIC 0x0004 29 #define IMA_UID 0x0008 30 #define IMA_FOWNER 0x0010 31 #define IMA_FSUUID 0x0020 32 #define IMA_INMASK 0x0040 33 #define IMA_EUID 0x0080 34 #define IMA_PCR 0x0100 35 #define IMA_FSNAME 0x0200 36 #define IMA_KEYRINGS 0x0400 37 #define IMA_LABEL 0x0800 38 #define IMA_VALIDATE_ALGOS 0x1000 39 40 #define UNKNOWN 0 41 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 42 #define DONT_MEASURE 0x0002 43 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 44 #define DONT_APPRAISE 0x0008 45 #define AUDIT 0x0040 46 #define HASH 0x0100 47 #define DONT_HASH 0x0200 48 49 #define INVALID_PCR(a) (((a) < 0) || \ 50 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 51 52 int ima_policy_flag; 53 static int temp_ima_appraise; 54 static int build_ima_appraise __ro_after_init; 55 56 #define MAX_LSM_RULES 6 57 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 58 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 59 }; 60 61 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 62 63 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 64 65 struct ima_rule_opt_list { 66 size_t count; 67 char *items[]; 68 }; 69 70 struct ima_rule_entry { 71 struct list_head list; 72 int action; 73 unsigned int flags; 74 enum ima_hooks func; 75 int mask; 76 unsigned long fsmagic; 77 uuid_t fsuuid; 78 kuid_t uid; 79 kuid_t fowner; 80 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 81 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 82 int pcr; 83 unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ 84 struct { 85 void *rule; /* LSM file metadata specific */ 86 char *args_p; /* audit value */ 87 int type; /* audit type */ 88 } lsm[MAX_LSM_RULES]; 89 char *fsname; 90 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 91 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 92 struct ima_template_desc *template; 93 }; 94 95 /* 96 * sanity check in case the kernels gains more hash algorithms that can 97 * fit in an unsigned int 98 */ 99 static_assert( 100 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, 101 "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type"); 102 103 /* 104 * Without LSM specific knowledge, the default policy can only be 105 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 106 */ 107 108 /* 109 * The minimum rule set to allow for full TCB coverage. Measures all files 110 * opened or mmap for exec and everything read by root. Dangerous because 111 * normal users can easily run the machine out of memory simply building 112 * and running executables. 113 */ 114 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 115 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 116 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 117 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 118 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 119 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 120 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 121 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 122 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 123 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 124 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 125 .flags = IMA_FSMAGIC}, 126 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 127 .flags = IMA_FSMAGIC}, 128 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 129 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 130 }; 131 132 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 133 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 134 .flags = IMA_FUNC | IMA_MASK}, 135 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 136 .flags = IMA_FUNC | IMA_MASK}, 137 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 138 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 139 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 140 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 141 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 142 }; 143 144 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 145 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 146 .flags = IMA_FUNC | IMA_MASK}, 147 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 148 .flags = IMA_FUNC | IMA_MASK}, 149 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 150 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 151 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 152 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 153 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 154 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 155 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 156 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 157 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 158 }; 159 160 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 161 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 162 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 163 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 164 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 165 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 166 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 167 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 168 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 169 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 170 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 171 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 172 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 173 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 174 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 175 #ifdef CONFIG_IMA_WRITE_POLICY 176 {.action = APPRAISE, .func = POLICY_CHECK, 177 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 178 #endif 179 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 180 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 181 .flags = IMA_FOWNER}, 182 #else 183 /* force signature */ 184 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 185 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 186 #endif 187 }; 188 189 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 190 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 191 {.action = APPRAISE, .func = MODULE_CHECK, 192 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 193 #endif 194 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 195 {.action = APPRAISE, .func = FIRMWARE_CHECK, 196 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 197 #endif 198 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 199 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 200 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 201 #endif 202 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 203 {.action = APPRAISE, .func = POLICY_CHECK, 204 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 205 #endif 206 }; 207 208 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 209 {.action = APPRAISE, .func = MODULE_CHECK, 210 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 211 {.action = APPRAISE, .func = FIRMWARE_CHECK, 212 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 213 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 214 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 215 {.action = APPRAISE, .func = POLICY_CHECK, 216 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 217 }; 218 219 static struct ima_rule_entry critical_data_rules[] __ro_after_init = { 220 {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, 221 }; 222 223 /* An array of architecture specific rules */ 224 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 225 226 static LIST_HEAD(ima_default_rules); 227 static LIST_HEAD(ima_policy_rules); 228 static LIST_HEAD(ima_temp_rules); 229 static struct list_head *ima_rules = &ima_default_rules; 230 231 static int ima_policy __initdata; 232 233 static int __init default_measure_policy_setup(char *str) 234 { 235 if (ima_policy) 236 return 1; 237 238 ima_policy = ORIGINAL_TCB; 239 return 1; 240 } 241 __setup("ima_tcb", default_measure_policy_setup); 242 243 static bool ima_use_appraise_tcb __initdata; 244 static bool ima_use_secure_boot __initdata; 245 static bool ima_use_critical_data __initdata; 246 static bool ima_fail_unverifiable_sigs __ro_after_init; 247 static int __init policy_setup(char *str) 248 { 249 char *p; 250 251 while ((p = strsep(&str, " |\n")) != NULL) { 252 if (*p == ' ') 253 continue; 254 if ((strcmp(p, "tcb") == 0) && !ima_policy) 255 ima_policy = DEFAULT_TCB; 256 else if (strcmp(p, "appraise_tcb") == 0) 257 ima_use_appraise_tcb = true; 258 else if (strcmp(p, "secure_boot") == 0) 259 ima_use_secure_boot = true; 260 else if (strcmp(p, "critical_data") == 0) 261 ima_use_critical_data = true; 262 else if (strcmp(p, "fail_securely") == 0) 263 ima_fail_unverifiable_sigs = true; 264 else 265 pr_err("policy \"%s\" not found", p); 266 } 267 268 return 1; 269 } 270 __setup("ima_policy=", policy_setup); 271 272 static int __init default_appraise_policy_setup(char *str) 273 { 274 ima_use_appraise_tcb = true; 275 return 1; 276 } 277 __setup("ima_appraise_tcb", default_appraise_policy_setup); 278 279 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 280 { 281 struct ima_rule_opt_list *opt_list; 282 size_t count = 0; 283 char *src_copy; 284 char *cur, *next; 285 size_t i; 286 287 src_copy = match_strdup(src); 288 if (!src_copy) 289 return ERR_PTR(-ENOMEM); 290 291 next = src_copy; 292 while ((cur = strsep(&next, "|"))) { 293 /* Don't accept an empty list item */ 294 if (!(*cur)) { 295 kfree(src_copy); 296 return ERR_PTR(-EINVAL); 297 } 298 count++; 299 } 300 301 /* Don't accept an empty list */ 302 if (!count) { 303 kfree(src_copy); 304 return ERR_PTR(-EINVAL); 305 } 306 307 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 308 if (!opt_list) { 309 kfree(src_copy); 310 return ERR_PTR(-ENOMEM); 311 } 312 313 /* 314 * strsep() has already replaced all instances of '|' with '\0', 315 * leaving a byte sequence of NUL-terminated strings. Reference each 316 * string with the array of items. 317 * 318 * IMPORTANT: Ownership of the allocated buffer is transferred from 319 * src_copy to the first element in the items array. To free the 320 * buffer, kfree() must only be called on the first element of the 321 * array. 322 */ 323 for (i = 0, cur = src_copy; i < count; i++) { 324 opt_list->items[i] = cur; 325 cur = strchr(cur, '\0') + 1; 326 } 327 opt_list->count = count; 328 329 return opt_list; 330 } 331 332 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 333 { 334 if (!opt_list) 335 return; 336 337 if (opt_list->count) { 338 kfree(opt_list->items[0]); 339 opt_list->count = 0; 340 } 341 342 kfree(opt_list); 343 } 344 345 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 346 { 347 int i; 348 349 for (i = 0; i < MAX_LSM_RULES; i++) { 350 ima_filter_rule_free(entry->lsm[i].rule); 351 kfree(entry->lsm[i].args_p); 352 } 353 } 354 355 static void ima_free_rule(struct ima_rule_entry *entry) 356 { 357 if (!entry) 358 return; 359 360 /* 361 * entry->template->fields may be allocated in ima_parse_rule() but that 362 * reference is owned by the corresponding ima_template_desc element in 363 * the defined_templates list and cannot be freed here 364 */ 365 kfree(entry->fsname); 366 ima_free_rule_opt_list(entry->keyrings); 367 ima_lsm_free_rule(entry); 368 kfree(entry); 369 } 370 371 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 372 { 373 struct ima_rule_entry *nentry; 374 int i; 375 376 /* 377 * Immutable elements are copied over as pointers and data; only 378 * lsm rules can change 379 */ 380 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 381 if (!nentry) 382 return NULL; 383 384 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 385 386 for (i = 0; i < MAX_LSM_RULES; i++) { 387 if (!entry->lsm[i].args_p) 388 continue; 389 390 nentry->lsm[i].type = entry->lsm[i].type; 391 nentry->lsm[i].args_p = entry->lsm[i].args_p; 392 /* 393 * Remove the reference from entry so that the associated 394 * memory will not be freed during a later call to 395 * ima_lsm_free_rule(entry). 396 */ 397 entry->lsm[i].args_p = NULL; 398 399 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 400 nentry->lsm[i].args_p, 401 &nentry->lsm[i].rule); 402 if (!nentry->lsm[i].rule) 403 pr_warn("rule for LSM \'%s\' is undefined\n", 404 nentry->lsm[i].args_p); 405 } 406 return nentry; 407 } 408 409 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 410 { 411 struct ima_rule_entry *nentry; 412 413 nentry = ima_lsm_copy_rule(entry); 414 if (!nentry) 415 return -ENOMEM; 416 417 list_replace_rcu(&entry->list, &nentry->list); 418 synchronize_rcu(); 419 /* 420 * ima_lsm_copy_rule() shallow copied all references, except for the 421 * LSM references, from entry to nentry so we only want to free the LSM 422 * references and the entry itself. All other memory refrences will now 423 * be owned by nentry. 424 */ 425 ima_lsm_free_rule(entry); 426 kfree(entry); 427 428 return 0; 429 } 430 431 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 432 { 433 int i; 434 435 for (i = 0; i < MAX_LSM_RULES; i++) 436 if (entry->lsm[i].args_p) 437 return true; 438 439 return false; 440 } 441 442 /* 443 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 444 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 445 * the reloaded LSM policy. 446 */ 447 static void ima_lsm_update_rules(void) 448 { 449 struct ima_rule_entry *entry, *e; 450 int result; 451 452 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 453 if (!ima_rule_contains_lsm_cond(entry)) 454 continue; 455 456 result = ima_lsm_update_rule(entry); 457 if (result) { 458 pr_err("lsm rule update error %d\n", result); 459 return; 460 } 461 } 462 } 463 464 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 465 void *lsm_data) 466 { 467 if (event != LSM_POLICY_CHANGE) 468 return NOTIFY_DONE; 469 470 ima_lsm_update_rules(); 471 return NOTIFY_OK; 472 } 473 474 /** 475 * ima_match_rule_data - determine whether func_data matches the policy rule 476 * @rule: a pointer to a rule 477 * @func_data: data to match against the measure rule data 478 * @cred: a pointer to a credentials structure for user validation 479 * 480 * Returns true if func_data matches one in the rule, false otherwise. 481 */ 482 static bool ima_match_rule_data(struct ima_rule_entry *rule, 483 const char *func_data, 484 const struct cred *cred) 485 { 486 const struct ima_rule_opt_list *opt_list = NULL; 487 bool matched = false; 488 size_t i; 489 490 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 491 return false; 492 493 switch (rule->func) { 494 case KEY_CHECK: 495 if (!rule->keyrings) 496 return true; 497 498 opt_list = rule->keyrings; 499 break; 500 case CRITICAL_DATA: 501 if (!rule->label) 502 return true; 503 504 opt_list = rule->label; 505 break; 506 default: 507 return false; 508 } 509 510 if (!func_data) 511 return false; 512 513 for (i = 0; i < opt_list->count; i++) { 514 if (!strcmp(opt_list->items[i], func_data)) { 515 matched = true; 516 break; 517 } 518 } 519 520 return matched; 521 } 522 523 /** 524 * ima_match_rules - determine whether an inode matches the policy rule. 525 * @rule: a pointer to a rule 526 * @mnt_userns: user namespace of the mount the inode was found from 527 * @inode: a pointer to an inode 528 * @cred: a pointer to a credentials structure for user validation 529 * @secid: the secid of the task to be validated 530 * @func: LIM hook identifier 531 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 532 * @func_data: func specific data, may be NULL 533 * 534 * Returns true on rule match, false on failure. 535 */ 536 static bool ima_match_rules(struct ima_rule_entry *rule, 537 struct user_namespace *mnt_userns, 538 struct inode *inode, const struct cred *cred, 539 u32 secid, enum ima_hooks func, int mask, 540 const char *func_data) 541 { 542 int i; 543 544 if ((rule->flags & IMA_FUNC) && 545 (rule->func != func && func != POST_SETATTR)) 546 return false; 547 548 switch (func) { 549 case KEY_CHECK: 550 case CRITICAL_DATA: 551 return ((rule->func == func) && 552 ima_match_rule_data(rule, func_data, cred)); 553 default: 554 break; 555 } 556 557 if ((rule->flags & IMA_MASK) && 558 (rule->mask != mask && func != POST_SETATTR)) 559 return false; 560 if ((rule->flags & IMA_INMASK) && 561 (!(rule->mask & mask) && func != POST_SETATTR)) 562 return false; 563 if ((rule->flags & IMA_FSMAGIC) 564 && rule->fsmagic != inode->i_sb->s_magic) 565 return false; 566 if ((rule->flags & IMA_FSNAME) 567 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 568 return false; 569 if ((rule->flags & IMA_FSUUID) && 570 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 571 return false; 572 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 573 return false; 574 if (rule->flags & IMA_EUID) { 575 if (has_capability_noaudit(current, CAP_SETUID)) { 576 if (!rule->uid_op(cred->euid, rule->uid) 577 && !rule->uid_op(cred->suid, rule->uid) 578 && !rule->uid_op(cred->uid, rule->uid)) 579 return false; 580 } else if (!rule->uid_op(cred->euid, rule->uid)) 581 return false; 582 } 583 584 if ((rule->flags & IMA_FOWNER) && 585 !rule->fowner_op(i_uid_into_mnt(mnt_userns, inode), rule->fowner)) 586 return false; 587 for (i = 0; i < MAX_LSM_RULES; i++) { 588 int rc = 0; 589 u32 osid; 590 591 if (!rule->lsm[i].rule) { 592 if (!rule->lsm[i].args_p) 593 continue; 594 else 595 return false; 596 } 597 switch (i) { 598 case LSM_OBJ_USER: 599 case LSM_OBJ_ROLE: 600 case LSM_OBJ_TYPE: 601 security_inode_getsecid(inode, &osid); 602 rc = ima_filter_rule_match(osid, rule->lsm[i].type, 603 Audit_equal, 604 rule->lsm[i].rule); 605 break; 606 case LSM_SUBJ_USER: 607 case LSM_SUBJ_ROLE: 608 case LSM_SUBJ_TYPE: 609 rc = ima_filter_rule_match(secid, rule->lsm[i].type, 610 Audit_equal, 611 rule->lsm[i].rule); 612 break; 613 default: 614 break; 615 } 616 if (!rc) 617 return false; 618 } 619 return true; 620 } 621 622 /* 623 * In addition to knowing that we need to appraise the file in general, 624 * we need to differentiate between calling hooks, for hook specific rules. 625 */ 626 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 627 { 628 if (!(rule->flags & IMA_FUNC)) 629 return IMA_FILE_APPRAISE; 630 631 switch (func) { 632 case MMAP_CHECK: 633 return IMA_MMAP_APPRAISE; 634 case BPRM_CHECK: 635 return IMA_BPRM_APPRAISE; 636 case CREDS_CHECK: 637 return IMA_CREDS_APPRAISE; 638 case FILE_CHECK: 639 case POST_SETATTR: 640 return IMA_FILE_APPRAISE; 641 case MODULE_CHECK ... MAX_CHECK - 1: 642 default: 643 return IMA_READ_APPRAISE; 644 } 645 } 646 647 /** 648 * ima_match_policy - decision based on LSM and other conditions 649 * @mnt_userns: user namespace of the mount the inode was found from 650 * @inode: pointer to an inode for which the policy decision is being made 651 * @cred: pointer to a credentials structure for which the policy decision is 652 * being made 653 * @secid: LSM secid of the task to be validated 654 * @func: IMA hook identifier 655 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 656 * @pcr: set the pcr to extend 657 * @template_desc: the template that should be used for this rule 658 * @func_data: func specific data, may be NULL 659 * @allowed_algos: allowlist of hash algorithms for the IMA xattr 660 * 661 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 662 * conditions. 663 * 664 * Since the IMA policy may be updated multiple times we need to lock the 665 * list when walking it. Reads are many orders of magnitude more numerous 666 * than writes so ima_match_policy() is classical RCU candidate. 667 */ 668 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, 669 const struct cred *cred, u32 secid, enum ima_hooks func, 670 int mask, int flags, int *pcr, 671 struct ima_template_desc **template_desc, 672 const char *func_data, unsigned int *allowed_algos) 673 { 674 struct ima_rule_entry *entry; 675 int action = 0, actmask = flags | (flags << 1); 676 677 if (template_desc && !*template_desc) 678 *template_desc = ima_template_desc_current(); 679 680 rcu_read_lock(); 681 list_for_each_entry_rcu(entry, ima_rules, list) { 682 683 if (!(entry->action & actmask)) 684 continue; 685 686 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, 687 func, mask, func_data)) 688 continue; 689 690 action |= entry->flags & IMA_ACTION_FLAGS; 691 692 action |= entry->action & IMA_DO_MASK; 693 if (entry->action & IMA_APPRAISE) { 694 action |= get_subaction(entry, func); 695 action &= ~IMA_HASH; 696 if (ima_fail_unverifiable_sigs) 697 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 698 699 if (allowed_algos && 700 entry->flags & IMA_VALIDATE_ALGOS) 701 *allowed_algos = entry->allowed_algos; 702 } 703 704 if (entry->action & IMA_DO_MASK) 705 actmask &= ~(entry->action | entry->action << 1); 706 else 707 actmask &= ~(entry->action | entry->action >> 1); 708 709 if ((pcr) && (entry->flags & IMA_PCR)) 710 *pcr = entry->pcr; 711 712 if (template_desc && entry->template) 713 *template_desc = entry->template; 714 715 if (!actmask) 716 break; 717 } 718 rcu_read_unlock(); 719 720 return action; 721 } 722 723 /* 724 * Initialize the ima_policy_flag variable based on the currently 725 * loaded policy. Based on this flag, the decision to short circuit 726 * out of a function or not call the function in the first place 727 * can be made earlier. 728 */ 729 void ima_update_policy_flag(void) 730 { 731 struct ima_rule_entry *entry; 732 733 list_for_each_entry(entry, ima_rules, list) { 734 if (entry->action & IMA_DO_MASK) 735 ima_policy_flag |= entry->action; 736 } 737 738 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 739 if (!ima_appraise) 740 ima_policy_flag &= ~IMA_APPRAISE; 741 } 742 743 static int ima_appraise_flag(enum ima_hooks func) 744 { 745 if (func == MODULE_CHECK) 746 return IMA_APPRAISE_MODULES; 747 else if (func == FIRMWARE_CHECK) 748 return IMA_APPRAISE_FIRMWARE; 749 else if (func == POLICY_CHECK) 750 return IMA_APPRAISE_POLICY; 751 else if (func == KEXEC_KERNEL_CHECK) 752 return IMA_APPRAISE_KEXEC; 753 return 0; 754 } 755 756 static void add_rules(struct ima_rule_entry *entries, int count, 757 enum policy_rule_list policy_rule) 758 { 759 int i = 0; 760 761 for (i = 0; i < count; i++) { 762 struct ima_rule_entry *entry; 763 764 if (policy_rule & IMA_DEFAULT_POLICY) 765 list_add_tail(&entries[i].list, &ima_default_rules); 766 767 if (policy_rule & IMA_CUSTOM_POLICY) { 768 entry = kmemdup(&entries[i], sizeof(*entry), 769 GFP_KERNEL); 770 if (!entry) 771 continue; 772 773 list_add_tail(&entry->list, &ima_policy_rules); 774 } 775 if (entries[i].action == APPRAISE) { 776 if (entries != build_appraise_rules) 777 temp_ima_appraise |= 778 ima_appraise_flag(entries[i].func); 779 else 780 build_ima_appraise |= 781 ima_appraise_flag(entries[i].func); 782 } 783 } 784 } 785 786 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 787 788 static int __init ima_init_arch_policy(void) 789 { 790 const char * const *arch_rules; 791 const char * const *rules; 792 int arch_entries = 0; 793 int i = 0; 794 795 arch_rules = arch_get_ima_policy(); 796 if (!arch_rules) 797 return arch_entries; 798 799 /* Get number of rules */ 800 for (rules = arch_rules; *rules != NULL; rules++) 801 arch_entries++; 802 803 arch_policy_entry = kcalloc(arch_entries + 1, 804 sizeof(*arch_policy_entry), GFP_KERNEL); 805 if (!arch_policy_entry) 806 return 0; 807 808 /* Convert each policy string rules to struct ima_rule_entry format */ 809 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 810 char rule[255]; 811 int result; 812 813 result = strlcpy(rule, *rules, sizeof(rule)); 814 815 INIT_LIST_HEAD(&arch_policy_entry[i].list); 816 result = ima_parse_rule(rule, &arch_policy_entry[i]); 817 if (result) { 818 pr_warn("Skipping unknown architecture policy rule: %s\n", 819 rule); 820 memset(&arch_policy_entry[i], 0, 821 sizeof(*arch_policy_entry)); 822 continue; 823 } 824 i++; 825 } 826 return i; 827 } 828 829 /** 830 * ima_init_policy - initialize the default measure rules. 831 * 832 * ima_rules points to either the ima_default_rules or the 833 * the new ima_policy_rules. 834 */ 835 void __init ima_init_policy(void) 836 { 837 int build_appraise_entries, arch_entries; 838 839 /* if !ima_policy, we load NO default rules */ 840 if (ima_policy) 841 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 842 IMA_DEFAULT_POLICY); 843 844 switch (ima_policy) { 845 case ORIGINAL_TCB: 846 add_rules(original_measurement_rules, 847 ARRAY_SIZE(original_measurement_rules), 848 IMA_DEFAULT_POLICY); 849 break; 850 case DEFAULT_TCB: 851 add_rules(default_measurement_rules, 852 ARRAY_SIZE(default_measurement_rules), 853 IMA_DEFAULT_POLICY); 854 break; 855 default: 856 break; 857 } 858 859 /* 860 * Based on runtime secure boot flags, insert arch specific measurement 861 * and appraise rules requiring file signatures for both the initial 862 * and custom policies, prior to other appraise rules. 863 * (Highest priority) 864 */ 865 arch_entries = ima_init_arch_policy(); 866 if (!arch_entries) 867 pr_info("No architecture policies found\n"); 868 else 869 add_rules(arch_policy_entry, arch_entries, 870 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 871 872 /* 873 * Insert the builtin "secure_boot" policy rules requiring file 874 * signatures, prior to other appraise rules. 875 */ 876 if (ima_use_secure_boot) 877 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 878 IMA_DEFAULT_POLICY); 879 880 /* 881 * Insert the build time appraise rules requiring file signatures 882 * for both the initial and custom policies, prior to other appraise 883 * rules. As the secure boot rules includes all of the build time 884 * rules, include either one or the other set of rules, but not both. 885 */ 886 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 887 if (build_appraise_entries) { 888 if (ima_use_secure_boot) 889 add_rules(build_appraise_rules, build_appraise_entries, 890 IMA_CUSTOM_POLICY); 891 else 892 add_rules(build_appraise_rules, build_appraise_entries, 893 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 894 } 895 896 if (ima_use_appraise_tcb) 897 add_rules(default_appraise_rules, 898 ARRAY_SIZE(default_appraise_rules), 899 IMA_DEFAULT_POLICY); 900 901 if (ima_use_critical_data) 902 add_rules(critical_data_rules, 903 ARRAY_SIZE(critical_data_rules), 904 IMA_DEFAULT_POLICY); 905 906 ima_update_policy_flag(); 907 } 908 909 /* Make sure we have a valid policy, at least containing some rules. */ 910 int ima_check_policy(void) 911 { 912 if (list_empty(&ima_temp_rules)) 913 return -EINVAL; 914 return 0; 915 } 916 917 /** 918 * ima_update_policy - update default_rules with new measure rules 919 * 920 * Called on file .release to update the default rules with a complete new 921 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 922 * they make a queue. The policy may be updated multiple times and this is the 923 * RCU updater. 924 * 925 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 926 * we switch from the default policy to user defined. 927 */ 928 void ima_update_policy(void) 929 { 930 struct list_head *policy = &ima_policy_rules; 931 932 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 933 934 if (ima_rules != policy) { 935 ima_policy_flag = 0; 936 ima_rules = policy; 937 938 /* 939 * IMA architecture specific policy rules are specified 940 * as strings and converted to an array of ima_entry_rules 941 * on boot. After loading a custom policy, free the 942 * architecture specific rules stored as an array. 943 */ 944 kfree(arch_policy_entry); 945 } 946 ima_update_policy_flag(); 947 948 /* Custom IMA policy has been loaded */ 949 ima_process_queued_keys(); 950 } 951 952 /* Keep the enumeration in sync with the policy_tokens! */ 953 enum { 954 Opt_measure, Opt_dont_measure, 955 Opt_appraise, Opt_dont_appraise, 956 Opt_audit, Opt_hash, Opt_dont_hash, 957 Opt_obj_user, Opt_obj_role, Opt_obj_type, 958 Opt_subj_user, Opt_subj_role, Opt_subj_type, 959 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 960 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 961 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 962 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 963 Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, 964 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 965 Opt_label, Opt_err 966 }; 967 968 static const match_table_t policy_tokens = { 969 {Opt_measure, "measure"}, 970 {Opt_dont_measure, "dont_measure"}, 971 {Opt_appraise, "appraise"}, 972 {Opt_dont_appraise, "dont_appraise"}, 973 {Opt_audit, "audit"}, 974 {Opt_hash, "hash"}, 975 {Opt_dont_hash, "dont_hash"}, 976 {Opt_obj_user, "obj_user=%s"}, 977 {Opt_obj_role, "obj_role=%s"}, 978 {Opt_obj_type, "obj_type=%s"}, 979 {Opt_subj_user, "subj_user=%s"}, 980 {Opt_subj_role, "subj_role=%s"}, 981 {Opt_subj_type, "subj_type=%s"}, 982 {Opt_func, "func=%s"}, 983 {Opt_mask, "mask=%s"}, 984 {Opt_fsmagic, "fsmagic=%s"}, 985 {Opt_fsname, "fsname=%s"}, 986 {Opt_fsuuid, "fsuuid=%s"}, 987 {Opt_uid_eq, "uid=%s"}, 988 {Opt_euid_eq, "euid=%s"}, 989 {Opt_fowner_eq, "fowner=%s"}, 990 {Opt_uid_gt, "uid>%s"}, 991 {Opt_euid_gt, "euid>%s"}, 992 {Opt_fowner_gt, "fowner>%s"}, 993 {Opt_uid_lt, "uid<%s"}, 994 {Opt_euid_lt, "euid<%s"}, 995 {Opt_fowner_lt, "fowner<%s"}, 996 {Opt_appraise_type, "appraise_type=%s"}, 997 {Opt_appraise_flag, "appraise_flag=%s"}, 998 {Opt_appraise_algos, "appraise_algos=%s"}, 999 {Opt_permit_directio, "permit_directio"}, 1000 {Opt_pcr, "pcr=%s"}, 1001 {Opt_template, "template=%s"}, 1002 {Opt_keyrings, "keyrings=%s"}, 1003 {Opt_label, "label=%s"}, 1004 {Opt_err, NULL} 1005 }; 1006 1007 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 1008 substring_t *args, int lsm_rule, int audit_type) 1009 { 1010 int result; 1011 1012 if (entry->lsm[lsm_rule].rule) 1013 return -EINVAL; 1014 1015 entry->lsm[lsm_rule].args_p = match_strdup(args); 1016 if (!entry->lsm[lsm_rule].args_p) 1017 return -ENOMEM; 1018 1019 entry->lsm[lsm_rule].type = audit_type; 1020 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1021 entry->lsm[lsm_rule].args_p, 1022 &entry->lsm[lsm_rule].rule); 1023 if (!entry->lsm[lsm_rule].rule) { 1024 pr_warn("rule for LSM \'%s\' is undefined\n", 1025 entry->lsm[lsm_rule].args_p); 1026 1027 if (ima_rules == &ima_default_rules) { 1028 kfree(entry->lsm[lsm_rule].args_p); 1029 entry->lsm[lsm_rule].args_p = NULL; 1030 result = -EINVAL; 1031 } else 1032 result = 0; 1033 } 1034 1035 return result; 1036 } 1037 1038 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1039 bool (*rule_operator)(kuid_t, kuid_t)) 1040 { 1041 if (!ab) 1042 return; 1043 1044 if (rule_operator == &uid_gt) 1045 audit_log_format(ab, "%s>", key); 1046 else if (rule_operator == &uid_lt) 1047 audit_log_format(ab, "%s<", key); 1048 else 1049 audit_log_format(ab, "%s=", key); 1050 audit_log_format(ab, "%s ", value); 1051 } 1052 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1053 { 1054 ima_log_string_op(ab, key, value, NULL); 1055 } 1056 1057 /* 1058 * Validating the appended signature included in the measurement list requires 1059 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1060 * field). Therefore, notify the user if they have the 'modsig' field but not 1061 * the 'd-modsig' field in the template. 1062 */ 1063 static void check_template_modsig(const struct ima_template_desc *template) 1064 { 1065 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1066 bool has_modsig, has_dmodsig; 1067 static bool checked; 1068 int i; 1069 1070 /* We only need to notify the user once. */ 1071 if (checked) 1072 return; 1073 1074 has_modsig = has_dmodsig = false; 1075 for (i = 0; i < template->num_fields; i++) { 1076 if (!strcmp(template->fields[i]->field_id, "modsig")) 1077 has_modsig = true; 1078 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1079 has_dmodsig = true; 1080 } 1081 1082 if (has_modsig && !has_dmodsig) 1083 pr_notice(MSG); 1084 1085 checked = true; 1086 #undef MSG 1087 } 1088 1089 static bool ima_validate_rule(struct ima_rule_entry *entry) 1090 { 1091 /* Ensure that the action is set and is compatible with the flags */ 1092 if (entry->action == UNKNOWN) 1093 return false; 1094 1095 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1096 return false; 1097 1098 if (entry->action != APPRAISE && 1099 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 1100 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1101 return false; 1102 1103 /* 1104 * The IMA_FUNC bit must be set if and only if there's a valid hook 1105 * function specified, and vice versa. Enforcing this property allows 1106 * for the NONE case below to validate a rule without an explicit hook 1107 * function. 1108 */ 1109 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1110 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1111 return false; 1112 1113 /* 1114 * Ensure that the hook function is compatible with the other 1115 * components of the rule 1116 */ 1117 switch (entry->func) { 1118 case NONE: 1119 case FILE_CHECK: 1120 case MMAP_CHECK: 1121 case BPRM_CHECK: 1122 case CREDS_CHECK: 1123 case POST_SETATTR: 1124 case FIRMWARE_CHECK: 1125 case POLICY_CHECK: 1126 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1127 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1128 IMA_INMASK | IMA_EUID | IMA_PCR | 1129 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1130 IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS)) 1131 return false; 1132 1133 break; 1134 case MODULE_CHECK: 1135 case KEXEC_KERNEL_CHECK: 1136 case KEXEC_INITRAMFS_CHECK: 1137 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1138 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1139 IMA_INMASK | IMA_EUID | IMA_PCR | 1140 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1141 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1142 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1143 return false; 1144 1145 break; 1146 case KEXEC_CMDLINE: 1147 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1148 return false; 1149 1150 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1151 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1152 IMA_PCR | IMA_FSNAME)) 1153 return false; 1154 1155 break; 1156 case KEY_CHECK: 1157 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1158 return false; 1159 1160 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1161 IMA_KEYRINGS)) 1162 return false; 1163 1164 if (ima_rule_contains_lsm_cond(entry)) 1165 return false; 1166 1167 break; 1168 case CRITICAL_DATA: 1169 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1170 return false; 1171 1172 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1173 IMA_LABEL)) 1174 return false; 1175 1176 if (ima_rule_contains_lsm_cond(entry)) 1177 return false; 1178 1179 break; 1180 default: 1181 return false; 1182 } 1183 1184 /* Ensure that combinations of flags are compatible with each other */ 1185 if (entry->flags & IMA_CHECK_BLACKLIST && 1186 !(entry->flags & IMA_MODSIG_ALLOWED)) 1187 return false; 1188 1189 return true; 1190 } 1191 1192 static unsigned int ima_parse_appraise_algos(char *arg) 1193 { 1194 unsigned int res = 0; 1195 int idx; 1196 char *token; 1197 1198 while ((token = strsep(&arg, ",")) != NULL) { 1199 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); 1200 1201 if (idx < 0) { 1202 pr_err("unknown hash algorithm \"%s\"", 1203 token); 1204 return 0; 1205 } 1206 1207 /* Add the hash algorithm to the 'allowed' bitfield */ 1208 res |= (1U << idx); 1209 } 1210 1211 return res; 1212 } 1213 1214 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1215 { 1216 struct audit_buffer *ab; 1217 char *from; 1218 char *p; 1219 bool uid_token; 1220 struct ima_template_desc *template_desc; 1221 int result = 0; 1222 1223 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1224 AUDIT_INTEGRITY_POLICY_RULE); 1225 1226 entry->uid = INVALID_UID; 1227 entry->fowner = INVALID_UID; 1228 entry->uid_op = &uid_eq; 1229 entry->fowner_op = &uid_eq; 1230 entry->action = UNKNOWN; 1231 while ((p = strsep(&rule, " \t")) != NULL) { 1232 substring_t args[MAX_OPT_ARGS]; 1233 int token; 1234 unsigned long lnum; 1235 1236 if (result < 0) 1237 break; 1238 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1239 continue; 1240 token = match_token(p, policy_tokens, args); 1241 switch (token) { 1242 case Opt_measure: 1243 ima_log_string(ab, "action", "measure"); 1244 1245 if (entry->action != UNKNOWN) 1246 result = -EINVAL; 1247 1248 entry->action = MEASURE; 1249 break; 1250 case Opt_dont_measure: 1251 ima_log_string(ab, "action", "dont_measure"); 1252 1253 if (entry->action != UNKNOWN) 1254 result = -EINVAL; 1255 1256 entry->action = DONT_MEASURE; 1257 break; 1258 case Opt_appraise: 1259 ima_log_string(ab, "action", "appraise"); 1260 1261 if (entry->action != UNKNOWN) 1262 result = -EINVAL; 1263 1264 entry->action = APPRAISE; 1265 break; 1266 case Opt_dont_appraise: 1267 ima_log_string(ab, "action", "dont_appraise"); 1268 1269 if (entry->action != UNKNOWN) 1270 result = -EINVAL; 1271 1272 entry->action = DONT_APPRAISE; 1273 break; 1274 case Opt_audit: 1275 ima_log_string(ab, "action", "audit"); 1276 1277 if (entry->action != UNKNOWN) 1278 result = -EINVAL; 1279 1280 entry->action = AUDIT; 1281 break; 1282 case Opt_hash: 1283 ima_log_string(ab, "action", "hash"); 1284 1285 if (entry->action != UNKNOWN) 1286 result = -EINVAL; 1287 1288 entry->action = HASH; 1289 break; 1290 case Opt_dont_hash: 1291 ima_log_string(ab, "action", "dont_hash"); 1292 1293 if (entry->action != UNKNOWN) 1294 result = -EINVAL; 1295 1296 entry->action = DONT_HASH; 1297 break; 1298 case Opt_func: 1299 ima_log_string(ab, "func", args[0].from); 1300 1301 if (entry->func) 1302 result = -EINVAL; 1303 1304 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1305 entry->func = FILE_CHECK; 1306 /* PATH_CHECK is for backwards compat */ 1307 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1308 entry->func = FILE_CHECK; 1309 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1310 entry->func = MODULE_CHECK; 1311 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1312 entry->func = FIRMWARE_CHECK; 1313 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1314 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1315 entry->func = MMAP_CHECK; 1316 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1317 entry->func = BPRM_CHECK; 1318 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1319 entry->func = CREDS_CHECK; 1320 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1321 0) 1322 entry->func = KEXEC_KERNEL_CHECK; 1323 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1324 == 0) 1325 entry->func = KEXEC_INITRAMFS_CHECK; 1326 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1327 entry->func = POLICY_CHECK; 1328 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1329 entry->func = KEXEC_CMDLINE; 1330 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1331 strcmp(args[0].from, "KEY_CHECK") == 0) 1332 entry->func = KEY_CHECK; 1333 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1334 entry->func = CRITICAL_DATA; 1335 else 1336 result = -EINVAL; 1337 if (!result) 1338 entry->flags |= IMA_FUNC; 1339 break; 1340 case Opt_mask: 1341 ima_log_string(ab, "mask", args[0].from); 1342 1343 if (entry->mask) 1344 result = -EINVAL; 1345 1346 from = args[0].from; 1347 if (*from == '^') 1348 from++; 1349 1350 if ((strcmp(from, "MAY_EXEC")) == 0) 1351 entry->mask = MAY_EXEC; 1352 else if (strcmp(from, "MAY_WRITE") == 0) 1353 entry->mask = MAY_WRITE; 1354 else if (strcmp(from, "MAY_READ") == 0) 1355 entry->mask = MAY_READ; 1356 else if (strcmp(from, "MAY_APPEND") == 0) 1357 entry->mask = MAY_APPEND; 1358 else 1359 result = -EINVAL; 1360 if (!result) 1361 entry->flags |= (*args[0].from == '^') 1362 ? IMA_INMASK : IMA_MASK; 1363 break; 1364 case Opt_fsmagic: 1365 ima_log_string(ab, "fsmagic", args[0].from); 1366 1367 if (entry->fsmagic) { 1368 result = -EINVAL; 1369 break; 1370 } 1371 1372 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1373 if (!result) 1374 entry->flags |= IMA_FSMAGIC; 1375 break; 1376 case Opt_fsname: 1377 ima_log_string(ab, "fsname", args[0].from); 1378 1379 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1380 if (!entry->fsname) { 1381 result = -ENOMEM; 1382 break; 1383 } 1384 result = 0; 1385 entry->flags |= IMA_FSNAME; 1386 break; 1387 case Opt_keyrings: 1388 ima_log_string(ab, "keyrings", args[0].from); 1389 1390 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1391 entry->keyrings) { 1392 result = -EINVAL; 1393 break; 1394 } 1395 1396 entry->keyrings = ima_alloc_rule_opt_list(args); 1397 if (IS_ERR(entry->keyrings)) { 1398 result = PTR_ERR(entry->keyrings); 1399 entry->keyrings = NULL; 1400 break; 1401 } 1402 1403 entry->flags |= IMA_KEYRINGS; 1404 break; 1405 case Opt_label: 1406 ima_log_string(ab, "label", args[0].from); 1407 1408 if (entry->label) { 1409 result = -EINVAL; 1410 break; 1411 } 1412 1413 entry->label = ima_alloc_rule_opt_list(args); 1414 if (IS_ERR(entry->label)) { 1415 result = PTR_ERR(entry->label); 1416 entry->label = NULL; 1417 break; 1418 } 1419 1420 entry->flags |= IMA_LABEL; 1421 break; 1422 case Opt_fsuuid: 1423 ima_log_string(ab, "fsuuid", args[0].from); 1424 1425 if (!uuid_is_null(&entry->fsuuid)) { 1426 result = -EINVAL; 1427 break; 1428 } 1429 1430 result = uuid_parse(args[0].from, &entry->fsuuid); 1431 if (!result) 1432 entry->flags |= IMA_FSUUID; 1433 break; 1434 case Opt_uid_gt: 1435 case Opt_euid_gt: 1436 entry->uid_op = &uid_gt; 1437 fallthrough; 1438 case Opt_uid_lt: 1439 case Opt_euid_lt: 1440 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1441 entry->uid_op = &uid_lt; 1442 fallthrough; 1443 case Opt_uid_eq: 1444 case Opt_euid_eq: 1445 uid_token = (token == Opt_uid_eq) || 1446 (token == Opt_uid_gt) || 1447 (token == Opt_uid_lt); 1448 1449 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1450 args[0].from, entry->uid_op); 1451 1452 if (uid_valid(entry->uid)) { 1453 result = -EINVAL; 1454 break; 1455 } 1456 1457 result = kstrtoul(args[0].from, 10, &lnum); 1458 if (!result) { 1459 entry->uid = make_kuid(current_user_ns(), 1460 (uid_t) lnum); 1461 if (!uid_valid(entry->uid) || 1462 (uid_t)lnum != lnum) 1463 result = -EINVAL; 1464 else 1465 entry->flags |= uid_token 1466 ? IMA_UID : IMA_EUID; 1467 } 1468 break; 1469 case Opt_fowner_gt: 1470 entry->fowner_op = &uid_gt; 1471 fallthrough; 1472 case Opt_fowner_lt: 1473 if (token == Opt_fowner_lt) 1474 entry->fowner_op = &uid_lt; 1475 fallthrough; 1476 case Opt_fowner_eq: 1477 ima_log_string_op(ab, "fowner", args[0].from, 1478 entry->fowner_op); 1479 1480 if (uid_valid(entry->fowner)) { 1481 result = -EINVAL; 1482 break; 1483 } 1484 1485 result = kstrtoul(args[0].from, 10, &lnum); 1486 if (!result) { 1487 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1488 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1489 result = -EINVAL; 1490 else 1491 entry->flags |= IMA_FOWNER; 1492 } 1493 break; 1494 case Opt_obj_user: 1495 ima_log_string(ab, "obj_user", args[0].from); 1496 result = ima_lsm_rule_init(entry, args, 1497 LSM_OBJ_USER, 1498 AUDIT_OBJ_USER); 1499 break; 1500 case Opt_obj_role: 1501 ima_log_string(ab, "obj_role", args[0].from); 1502 result = ima_lsm_rule_init(entry, args, 1503 LSM_OBJ_ROLE, 1504 AUDIT_OBJ_ROLE); 1505 break; 1506 case Opt_obj_type: 1507 ima_log_string(ab, "obj_type", args[0].from); 1508 result = ima_lsm_rule_init(entry, args, 1509 LSM_OBJ_TYPE, 1510 AUDIT_OBJ_TYPE); 1511 break; 1512 case Opt_subj_user: 1513 ima_log_string(ab, "subj_user", args[0].from); 1514 result = ima_lsm_rule_init(entry, args, 1515 LSM_SUBJ_USER, 1516 AUDIT_SUBJ_USER); 1517 break; 1518 case Opt_subj_role: 1519 ima_log_string(ab, "subj_role", args[0].from); 1520 result = ima_lsm_rule_init(entry, args, 1521 LSM_SUBJ_ROLE, 1522 AUDIT_SUBJ_ROLE); 1523 break; 1524 case Opt_subj_type: 1525 ima_log_string(ab, "subj_type", args[0].from); 1526 result = ima_lsm_rule_init(entry, args, 1527 LSM_SUBJ_TYPE, 1528 AUDIT_SUBJ_TYPE); 1529 break; 1530 case Opt_appraise_type: 1531 ima_log_string(ab, "appraise_type", args[0].from); 1532 if ((strcmp(args[0].from, "imasig")) == 0) 1533 entry->flags |= IMA_DIGSIG_REQUIRED; 1534 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1535 strcmp(args[0].from, "imasig|modsig") == 0) 1536 entry->flags |= IMA_DIGSIG_REQUIRED | 1537 IMA_MODSIG_ALLOWED; 1538 else 1539 result = -EINVAL; 1540 break; 1541 case Opt_appraise_flag: 1542 ima_log_string(ab, "appraise_flag", args[0].from); 1543 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1544 strstr(args[0].from, "blacklist")) 1545 entry->flags |= IMA_CHECK_BLACKLIST; 1546 else 1547 result = -EINVAL; 1548 break; 1549 case Opt_appraise_algos: 1550 ima_log_string(ab, "appraise_algos", args[0].from); 1551 1552 if (entry->allowed_algos) { 1553 result = -EINVAL; 1554 break; 1555 } 1556 1557 entry->allowed_algos = 1558 ima_parse_appraise_algos(args[0].from); 1559 /* invalid or empty list of algorithms */ 1560 if (!entry->allowed_algos) { 1561 result = -EINVAL; 1562 break; 1563 } 1564 1565 entry->flags |= IMA_VALIDATE_ALGOS; 1566 1567 break; 1568 case Opt_permit_directio: 1569 entry->flags |= IMA_PERMIT_DIRECTIO; 1570 break; 1571 case Opt_pcr: 1572 ima_log_string(ab, "pcr", args[0].from); 1573 1574 result = kstrtoint(args[0].from, 10, &entry->pcr); 1575 if (result || INVALID_PCR(entry->pcr)) 1576 result = -EINVAL; 1577 else 1578 entry->flags |= IMA_PCR; 1579 1580 break; 1581 case Opt_template: 1582 ima_log_string(ab, "template", args[0].from); 1583 if (entry->action != MEASURE) { 1584 result = -EINVAL; 1585 break; 1586 } 1587 template_desc = lookup_template_desc(args[0].from); 1588 if (!template_desc || entry->template) { 1589 result = -EINVAL; 1590 break; 1591 } 1592 1593 /* 1594 * template_desc_init_fields() does nothing if 1595 * the template is already initialised, so 1596 * it's safe to do this unconditionally 1597 */ 1598 template_desc_init_fields(template_desc->fmt, 1599 &(template_desc->fields), 1600 &(template_desc->num_fields)); 1601 entry->template = template_desc; 1602 break; 1603 case Opt_err: 1604 ima_log_string(ab, "UNKNOWN", p); 1605 result = -EINVAL; 1606 break; 1607 } 1608 } 1609 if (!result && !ima_validate_rule(entry)) 1610 result = -EINVAL; 1611 else if (entry->action == APPRAISE) 1612 temp_ima_appraise |= ima_appraise_flag(entry->func); 1613 1614 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1615 template_desc = entry->template ? entry->template : 1616 ima_template_desc_current(); 1617 check_template_modsig(template_desc); 1618 } 1619 1620 audit_log_format(ab, "res=%d", !result); 1621 audit_log_end(ab); 1622 return result; 1623 } 1624 1625 /** 1626 * ima_parse_add_rule - add a rule to ima_policy_rules 1627 * @rule - ima measurement policy rule 1628 * 1629 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1630 * Returns the length of the rule parsed, an error code on failure 1631 */ 1632 ssize_t ima_parse_add_rule(char *rule) 1633 { 1634 static const char op[] = "update_policy"; 1635 char *p; 1636 struct ima_rule_entry *entry; 1637 ssize_t result, len; 1638 int audit_info = 0; 1639 1640 p = strsep(&rule, "\n"); 1641 len = strlen(p) + 1; 1642 p += strspn(p, " \t"); 1643 1644 if (*p == '#' || *p == '\0') 1645 return len; 1646 1647 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1648 if (!entry) { 1649 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1650 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1651 return -ENOMEM; 1652 } 1653 1654 INIT_LIST_HEAD(&entry->list); 1655 1656 result = ima_parse_rule(p, entry); 1657 if (result) { 1658 ima_free_rule(entry); 1659 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1660 NULL, op, "invalid-policy", result, 1661 audit_info); 1662 return result; 1663 } 1664 1665 list_add_tail(&entry->list, &ima_temp_rules); 1666 1667 return len; 1668 } 1669 1670 /** 1671 * ima_delete_rules() called to cleanup invalid in-flight policy. 1672 * We don't need locking as we operate on the temp list, which is 1673 * different from the active one. There is also only one user of 1674 * ima_delete_rules() at a time. 1675 */ 1676 void ima_delete_rules(void) 1677 { 1678 struct ima_rule_entry *entry, *tmp; 1679 1680 temp_ima_appraise = 0; 1681 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1682 list_del(&entry->list); 1683 ima_free_rule(entry); 1684 } 1685 } 1686 1687 #define __ima_hook_stringify(func, str) (#func), 1688 1689 const char *const func_tokens[] = { 1690 __ima_hooks(__ima_hook_stringify) 1691 }; 1692 1693 #ifdef CONFIG_IMA_READ_POLICY 1694 enum { 1695 mask_exec = 0, mask_write, mask_read, mask_append 1696 }; 1697 1698 static const char *const mask_tokens[] = { 1699 "^MAY_EXEC", 1700 "^MAY_WRITE", 1701 "^MAY_READ", 1702 "^MAY_APPEND" 1703 }; 1704 1705 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1706 { 1707 loff_t l = *pos; 1708 struct ima_rule_entry *entry; 1709 1710 rcu_read_lock(); 1711 list_for_each_entry_rcu(entry, ima_rules, list) { 1712 if (!l--) { 1713 rcu_read_unlock(); 1714 return entry; 1715 } 1716 } 1717 rcu_read_unlock(); 1718 return NULL; 1719 } 1720 1721 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1722 { 1723 struct ima_rule_entry *entry = v; 1724 1725 rcu_read_lock(); 1726 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1727 rcu_read_unlock(); 1728 (*pos)++; 1729 1730 return (&entry->list == ima_rules) ? NULL : entry; 1731 } 1732 1733 void ima_policy_stop(struct seq_file *m, void *v) 1734 { 1735 } 1736 1737 #define pt(token) policy_tokens[token].pattern 1738 #define mt(token) mask_tokens[token] 1739 1740 /* 1741 * policy_func_show - display the ima_hooks policy rule 1742 */ 1743 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1744 { 1745 if (func > 0 && func < MAX_CHECK) 1746 seq_printf(m, "func=%s ", func_tokens[func]); 1747 else 1748 seq_printf(m, "func=%d ", func); 1749 } 1750 1751 static void ima_show_rule_opt_list(struct seq_file *m, 1752 const struct ima_rule_opt_list *opt_list) 1753 { 1754 size_t i; 1755 1756 for (i = 0; i < opt_list->count; i++) 1757 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 1758 } 1759 1760 static void ima_policy_show_appraise_algos(struct seq_file *m, 1761 unsigned int allowed_hashes) 1762 { 1763 int idx, list_size = 0; 1764 1765 for (idx = 0; idx < HASH_ALGO__LAST; idx++) { 1766 if (!(allowed_hashes & (1U << idx))) 1767 continue; 1768 1769 /* only add commas if the list contains multiple entries */ 1770 if (list_size++) 1771 seq_puts(m, ","); 1772 1773 seq_puts(m, hash_algo_name[idx]); 1774 } 1775 } 1776 1777 int ima_policy_show(struct seq_file *m, void *v) 1778 { 1779 struct ima_rule_entry *entry = v; 1780 int i; 1781 char tbuf[64] = {0,}; 1782 int offset = 0; 1783 1784 rcu_read_lock(); 1785 1786 if (entry->action & MEASURE) 1787 seq_puts(m, pt(Opt_measure)); 1788 if (entry->action & DONT_MEASURE) 1789 seq_puts(m, pt(Opt_dont_measure)); 1790 if (entry->action & APPRAISE) 1791 seq_puts(m, pt(Opt_appraise)); 1792 if (entry->action & DONT_APPRAISE) 1793 seq_puts(m, pt(Opt_dont_appraise)); 1794 if (entry->action & AUDIT) 1795 seq_puts(m, pt(Opt_audit)); 1796 if (entry->action & HASH) 1797 seq_puts(m, pt(Opt_hash)); 1798 if (entry->action & DONT_HASH) 1799 seq_puts(m, pt(Opt_dont_hash)); 1800 1801 seq_puts(m, " "); 1802 1803 if (entry->flags & IMA_FUNC) 1804 policy_func_show(m, entry->func); 1805 1806 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1807 if (entry->flags & IMA_MASK) 1808 offset = 1; 1809 if (entry->mask & MAY_EXEC) 1810 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1811 if (entry->mask & MAY_WRITE) 1812 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1813 if (entry->mask & MAY_READ) 1814 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1815 if (entry->mask & MAY_APPEND) 1816 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1817 seq_puts(m, " "); 1818 } 1819 1820 if (entry->flags & IMA_FSMAGIC) { 1821 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1822 seq_printf(m, pt(Opt_fsmagic), tbuf); 1823 seq_puts(m, " "); 1824 } 1825 1826 if (entry->flags & IMA_FSNAME) { 1827 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1828 seq_printf(m, pt(Opt_fsname), tbuf); 1829 seq_puts(m, " "); 1830 } 1831 1832 if (entry->flags & IMA_KEYRINGS) { 1833 seq_puts(m, "keyrings="); 1834 ima_show_rule_opt_list(m, entry->keyrings); 1835 seq_puts(m, " "); 1836 } 1837 1838 if (entry->flags & IMA_LABEL) { 1839 seq_puts(m, "label="); 1840 ima_show_rule_opt_list(m, entry->label); 1841 seq_puts(m, " "); 1842 } 1843 1844 if (entry->flags & IMA_PCR) { 1845 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1846 seq_printf(m, pt(Opt_pcr), tbuf); 1847 seq_puts(m, " "); 1848 } 1849 1850 if (entry->flags & IMA_FSUUID) { 1851 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1852 seq_puts(m, " "); 1853 } 1854 1855 if (entry->flags & IMA_UID) { 1856 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1857 if (entry->uid_op == &uid_gt) 1858 seq_printf(m, pt(Opt_uid_gt), tbuf); 1859 else if (entry->uid_op == &uid_lt) 1860 seq_printf(m, pt(Opt_uid_lt), tbuf); 1861 else 1862 seq_printf(m, pt(Opt_uid_eq), tbuf); 1863 seq_puts(m, " "); 1864 } 1865 1866 if (entry->flags & IMA_EUID) { 1867 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1868 if (entry->uid_op == &uid_gt) 1869 seq_printf(m, pt(Opt_euid_gt), tbuf); 1870 else if (entry->uid_op == &uid_lt) 1871 seq_printf(m, pt(Opt_euid_lt), tbuf); 1872 else 1873 seq_printf(m, pt(Opt_euid_eq), tbuf); 1874 seq_puts(m, " "); 1875 } 1876 1877 if (entry->flags & IMA_FOWNER) { 1878 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1879 if (entry->fowner_op == &uid_gt) 1880 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1881 else if (entry->fowner_op == &uid_lt) 1882 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1883 else 1884 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1885 seq_puts(m, " "); 1886 } 1887 1888 if (entry->flags & IMA_VALIDATE_ALGOS) { 1889 seq_puts(m, "appraise_algos="); 1890 ima_policy_show_appraise_algos(m, entry->allowed_algos); 1891 seq_puts(m, " "); 1892 } 1893 1894 for (i = 0; i < MAX_LSM_RULES; i++) { 1895 if (entry->lsm[i].rule) { 1896 switch (i) { 1897 case LSM_OBJ_USER: 1898 seq_printf(m, pt(Opt_obj_user), 1899 entry->lsm[i].args_p); 1900 break; 1901 case LSM_OBJ_ROLE: 1902 seq_printf(m, pt(Opt_obj_role), 1903 entry->lsm[i].args_p); 1904 break; 1905 case LSM_OBJ_TYPE: 1906 seq_printf(m, pt(Opt_obj_type), 1907 entry->lsm[i].args_p); 1908 break; 1909 case LSM_SUBJ_USER: 1910 seq_printf(m, pt(Opt_subj_user), 1911 entry->lsm[i].args_p); 1912 break; 1913 case LSM_SUBJ_ROLE: 1914 seq_printf(m, pt(Opt_subj_role), 1915 entry->lsm[i].args_p); 1916 break; 1917 case LSM_SUBJ_TYPE: 1918 seq_printf(m, pt(Opt_subj_type), 1919 entry->lsm[i].args_p); 1920 break; 1921 } 1922 seq_puts(m, " "); 1923 } 1924 } 1925 if (entry->template) 1926 seq_printf(m, "template=%s ", entry->template->name); 1927 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1928 if (entry->flags & IMA_MODSIG_ALLOWED) 1929 seq_puts(m, "appraise_type=imasig|modsig "); 1930 else 1931 seq_puts(m, "appraise_type=imasig "); 1932 } 1933 if (entry->flags & IMA_CHECK_BLACKLIST) 1934 seq_puts(m, "appraise_flag=check_blacklist "); 1935 if (entry->flags & IMA_PERMIT_DIRECTIO) 1936 seq_puts(m, "permit_directio "); 1937 rcu_read_unlock(); 1938 seq_puts(m, "\n"); 1939 return 0; 1940 } 1941 #endif /* CONFIG_IMA_READ_POLICY */ 1942 1943 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1944 /* 1945 * ima_appraise_signature: whether IMA will appraise a given function using 1946 * an IMA digital signature. This is restricted to cases where the kernel 1947 * has a set of built-in trusted keys in order to avoid an attacker simply 1948 * loading additional keys. 1949 */ 1950 bool ima_appraise_signature(enum kernel_read_file_id id) 1951 { 1952 struct ima_rule_entry *entry; 1953 bool found = false; 1954 enum ima_hooks func; 1955 1956 if (id >= READING_MAX_ID) 1957 return false; 1958 1959 func = read_idmap[id] ?: FILE_CHECK; 1960 1961 rcu_read_lock(); 1962 list_for_each_entry_rcu(entry, ima_rules, list) { 1963 if (entry->action != APPRAISE) 1964 continue; 1965 1966 /* 1967 * A generic entry will match, but otherwise require that it 1968 * match the func we're looking for 1969 */ 1970 if (entry->func && entry->func != func) 1971 continue; 1972 1973 /* 1974 * We require this to be a digital signature, not a raw IMA 1975 * hash. 1976 */ 1977 if (entry->flags & IMA_DIGSIG_REQUIRED) 1978 found = true; 1979 1980 /* 1981 * We've found a rule that matches, so break now even if it 1982 * didn't require a digital signature - a later rule that does 1983 * won't override it, so would be a false positive. 1984 */ 1985 break; 1986 } 1987 1988 rcu_read_unlock(); 1989 return found; 1990 } 1991 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1992