1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/genhd.h> 20 #include <linux/seq_file.h> 21 #include <linux/ima.h> 22 23 #include "ima.h" 24 25 /* flags definitions */ 26 #define IMA_FUNC 0x0001 27 #define IMA_MASK 0x0002 28 #define IMA_FSMAGIC 0x0004 29 #define IMA_UID 0x0008 30 #define IMA_FOWNER 0x0010 31 #define IMA_FSUUID 0x0020 32 #define IMA_INMASK 0x0040 33 #define IMA_EUID 0x0080 34 #define IMA_PCR 0x0100 35 #define IMA_FSNAME 0x0200 36 #define IMA_KEYRINGS 0x0400 37 38 #define UNKNOWN 0 39 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 40 #define DONT_MEASURE 0x0002 41 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 42 #define DONT_APPRAISE 0x0008 43 #define AUDIT 0x0040 44 #define HASH 0x0100 45 #define DONT_HASH 0x0200 46 47 #define INVALID_PCR(a) (((a) < 0) || \ 48 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 49 50 int ima_policy_flag; 51 static int temp_ima_appraise; 52 static int build_ima_appraise __ro_after_init; 53 54 #define MAX_LSM_RULES 6 55 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 56 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 57 }; 58 59 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 60 61 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 62 63 struct ima_rule_opt_list { 64 size_t count; 65 char *items[]; 66 }; 67 68 struct ima_rule_entry { 69 struct list_head list; 70 int action; 71 unsigned int flags; 72 enum ima_hooks func; 73 int mask; 74 unsigned long fsmagic; 75 uuid_t fsuuid; 76 kuid_t uid; 77 kuid_t fowner; 78 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 79 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 80 int pcr; 81 struct { 82 void *rule; /* LSM file metadata specific */ 83 char *args_p; /* audit value */ 84 int type; /* audit type */ 85 } lsm[MAX_LSM_RULES]; 86 char *fsname; 87 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 88 struct ima_template_desc *template; 89 }; 90 91 /* 92 * Without LSM specific knowledge, the default policy can only be 93 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 94 */ 95 96 /* 97 * The minimum rule set to allow for full TCB coverage. Measures all files 98 * opened or mmap for exec and everything read by root. Dangerous because 99 * normal users can easily run the machine out of memory simply building 100 * and running executables. 101 */ 102 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 103 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 104 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 105 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 106 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 107 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 108 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 109 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 110 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 111 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 112 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 113 .flags = IMA_FSMAGIC}, 114 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 115 .flags = IMA_FSMAGIC}, 116 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 117 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 118 }; 119 120 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 121 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 122 .flags = IMA_FUNC | IMA_MASK}, 123 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 124 .flags = IMA_FUNC | IMA_MASK}, 125 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 126 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 127 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 128 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 129 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 130 }; 131 132 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 133 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 134 .flags = IMA_FUNC | IMA_MASK}, 135 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 136 .flags = IMA_FUNC | IMA_MASK}, 137 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 138 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 139 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 140 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 141 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 142 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 143 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 144 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 145 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 146 }; 147 148 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 149 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 158 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 159 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 160 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 161 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 162 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 163 #ifdef CONFIG_IMA_WRITE_POLICY 164 {.action = APPRAISE, .func = POLICY_CHECK, 165 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 166 #endif 167 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 168 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 169 .flags = IMA_FOWNER}, 170 #else 171 /* force signature */ 172 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 173 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 174 #endif 175 }; 176 177 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 178 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 179 {.action = APPRAISE, .func = MODULE_CHECK, 180 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 181 #endif 182 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 183 {.action = APPRAISE, .func = FIRMWARE_CHECK, 184 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 185 #endif 186 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 187 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 188 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 189 #endif 190 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 191 {.action = APPRAISE, .func = POLICY_CHECK, 192 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 193 #endif 194 }; 195 196 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 197 {.action = APPRAISE, .func = MODULE_CHECK, 198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 199 {.action = APPRAISE, .func = FIRMWARE_CHECK, 200 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 201 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 202 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 203 {.action = APPRAISE, .func = POLICY_CHECK, 204 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 205 }; 206 207 /* An array of architecture specific rules */ 208 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 209 210 static LIST_HEAD(ima_default_rules); 211 static LIST_HEAD(ima_policy_rules); 212 static LIST_HEAD(ima_temp_rules); 213 static struct list_head *ima_rules = &ima_default_rules; 214 215 static int ima_policy __initdata; 216 217 static int __init default_measure_policy_setup(char *str) 218 { 219 if (ima_policy) 220 return 1; 221 222 ima_policy = ORIGINAL_TCB; 223 return 1; 224 } 225 __setup("ima_tcb", default_measure_policy_setup); 226 227 static bool ima_use_appraise_tcb __initdata; 228 static bool ima_use_secure_boot __initdata; 229 static bool ima_fail_unverifiable_sigs __ro_after_init; 230 static int __init policy_setup(char *str) 231 { 232 char *p; 233 234 while ((p = strsep(&str, " |\n")) != NULL) { 235 if (*p == ' ') 236 continue; 237 if ((strcmp(p, "tcb") == 0) && !ima_policy) 238 ima_policy = DEFAULT_TCB; 239 else if (strcmp(p, "appraise_tcb") == 0) 240 ima_use_appraise_tcb = true; 241 else if (strcmp(p, "secure_boot") == 0) 242 ima_use_secure_boot = true; 243 else if (strcmp(p, "fail_securely") == 0) 244 ima_fail_unverifiable_sigs = true; 245 else 246 pr_err("policy \"%s\" not found", p); 247 } 248 249 return 1; 250 } 251 __setup("ima_policy=", policy_setup); 252 253 static int __init default_appraise_policy_setup(char *str) 254 { 255 ima_use_appraise_tcb = true; 256 return 1; 257 } 258 __setup("ima_appraise_tcb", default_appraise_policy_setup); 259 260 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 261 { 262 struct ima_rule_opt_list *opt_list; 263 size_t count = 0; 264 char *src_copy; 265 char *cur, *next; 266 size_t i; 267 268 src_copy = match_strdup(src); 269 if (!src_copy) 270 return ERR_PTR(-ENOMEM); 271 272 next = src_copy; 273 while ((cur = strsep(&next, "|"))) { 274 /* Don't accept an empty list item */ 275 if (!(*cur)) { 276 kfree(src_copy); 277 return ERR_PTR(-EINVAL); 278 } 279 count++; 280 } 281 282 /* Don't accept an empty list */ 283 if (!count) { 284 kfree(src_copy); 285 return ERR_PTR(-EINVAL); 286 } 287 288 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 289 if (!opt_list) { 290 kfree(src_copy); 291 return ERR_PTR(-ENOMEM); 292 } 293 294 /* 295 * strsep() has already replaced all instances of '|' with '\0', 296 * leaving a byte sequence of NUL-terminated strings. Reference each 297 * string with the array of items. 298 * 299 * IMPORTANT: Ownership of the allocated buffer is transferred from 300 * src_copy to the first element in the items array. To free the 301 * buffer, kfree() must only be called on the first element of the 302 * array. 303 */ 304 for (i = 0, cur = src_copy; i < count; i++) { 305 opt_list->items[i] = cur; 306 cur = strchr(cur, '\0') + 1; 307 } 308 opt_list->count = count; 309 310 return opt_list; 311 } 312 313 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 314 { 315 if (!opt_list) 316 return; 317 318 if (opt_list->count) { 319 kfree(opt_list->items[0]); 320 opt_list->count = 0; 321 } 322 323 kfree(opt_list); 324 } 325 326 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 327 { 328 int i; 329 330 for (i = 0; i < MAX_LSM_RULES; i++) { 331 ima_filter_rule_free(entry->lsm[i].rule); 332 kfree(entry->lsm[i].args_p); 333 } 334 } 335 336 static void ima_free_rule(struct ima_rule_entry *entry) 337 { 338 if (!entry) 339 return; 340 341 /* 342 * entry->template->fields may be allocated in ima_parse_rule() but that 343 * reference is owned by the corresponding ima_template_desc element in 344 * the defined_templates list and cannot be freed here 345 */ 346 kfree(entry->fsname); 347 ima_free_rule_opt_list(entry->keyrings); 348 ima_lsm_free_rule(entry); 349 kfree(entry); 350 } 351 352 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 353 { 354 struct ima_rule_entry *nentry; 355 int i; 356 357 /* 358 * Immutable elements are copied over as pointers and data; only 359 * lsm rules can change 360 */ 361 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 362 if (!nentry) 363 return NULL; 364 365 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 366 367 for (i = 0; i < MAX_LSM_RULES; i++) { 368 if (!entry->lsm[i].args_p) 369 continue; 370 371 nentry->lsm[i].type = entry->lsm[i].type; 372 nentry->lsm[i].args_p = entry->lsm[i].args_p; 373 /* 374 * Remove the reference from entry so that the associated 375 * memory will not be freed during a later call to 376 * ima_lsm_free_rule(entry). 377 */ 378 entry->lsm[i].args_p = NULL; 379 380 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 381 nentry->lsm[i].args_p, 382 &nentry->lsm[i].rule); 383 if (!nentry->lsm[i].rule) 384 pr_warn("rule for LSM \'%s\' is undefined\n", 385 nentry->lsm[i].args_p); 386 } 387 return nentry; 388 } 389 390 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 391 { 392 struct ima_rule_entry *nentry; 393 394 nentry = ima_lsm_copy_rule(entry); 395 if (!nentry) 396 return -ENOMEM; 397 398 list_replace_rcu(&entry->list, &nentry->list); 399 synchronize_rcu(); 400 /* 401 * ima_lsm_copy_rule() shallow copied all references, except for the 402 * LSM references, from entry to nentry so we only want to free the LSM 403 * references and the entry itself. All other memory refrences will now 404 * be owned by nentry. 405 */ 406 ima_lsm_free_rule(entry); 407 kfree(entry); 408 409 return 0; 410 } 411 412 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 413 { 414 int i; 415 416 for (i = 0; i < MAX_LSM_RULES; i++) 417 if (entry->lsm[i].args_p) 418 return true; 419 420 return false; 421 } 422 423 /* 424 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 425 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 426 * the reloaded LSM policy. 427 */ 428 static void ima_lsm_update_rules(void) 429 { 430 struct ima_rule_entry *entry, *e; 431 int result; 432 433 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 434 if (!ima_rule_contains_lsm_cond(entry)) 435 continue; 436 437 result = ima_lsm_update_rule(entry); 438 if (result) { 439 pr_err("lsm rule update error %d\n", result); 440 return; 441 } 442 } 443 } 444 445 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 446 void *lsm_data) 447 { 448 if (event != LSM_POLICY_CHANGE) 449 return NOTIFY_DONE; 450 451 ima_lsm_update_rules(); 452 return NOTIFY_OK; 453 } 454 455 /** 456 * ima_match_keyring - determine whether the keyring matches the measure rule 457 * @rule: a pointer to a rule 458 * @keyring: name of the keyring to match against the measure rule 459 * @cred: a pointer to a credentials structure for user validation 460 * 461 * Returns true if keyring matches one in the rule, false otherwise. 462 */ 463 static bool ima_match_keyring(struct ima_rule_entry *rule, 464 const char *keyring, const struct cred *cred) 465 { 466 bool matched = false; 467 size_t i; 468 469 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 470 return false; 471 472 if (!rule->keyrings) 473 return true; 474 475 if (!keyring) 476 return false; 477 478 for (i = 0; i < rule->keyrings->count; i++) { 479 if (!strcmp(rule->keyrings->items[i], keyring)) { 480 matched = true; 481 break; 482 } 483 } 484 485 return matched; 486 } 487 488 /** 489 * ima_match_rules - determine whether an inode matches the policy rule. 490 * @rule: a pointer to a rule 491 * @mnt_userns: user namespace of the mount the inode was found from 492 * @inode: a pointer to an inode 493 * @cred: a pointer to a credentials structure for user validation 494 * @secid: the secid of the task to be validated 495 * @func: LIM hook identifier 496 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 497 * @keyring: keyring name to check in policy for KEY_CHECK func 498 * 499 * Returns true on rule match, false on failure. 500 */ 501 static bool ima_match_rules(struct ima_rule_entry *rule, 502 struct user_namespace *mnt_userns, 503 struct inode *inode, const struct cred *cred, 504 u32 secid, enum ima_hooks func, int mask, 505 const char *keyring) 506 { 507 int i; 508 509 if (func == KEY_CHECK) { 510 return (rule->flags & IMA_FUNC) && (rule->func == func) && 511 ima_match_keyring(rule, keyring, cred); 512 } 513 if ((rule->flags & IMA_FUNC) && 514 (rule->func != func && func != POST_SETATTR)) 515 return false; 516 if ((rule->flags & IMA_MASK) && 517 (rule->mask != mask && func != POST_SETATTR)) 518 return false; 519 if ((rule->flags & IMA_INMASK) && 520 (!(rule->mask & mask) && func != POST_SETATTR)) 521 return false; 522 if ((rule->flags & IMA_FSMAGIC) 523 && rule->fsmagic != inode->i_sb->s_magic) 524 return false; 525 if ((rule->flags & IMA_FSNAME) 526 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 527 return false; 528 if ((rule->flags & IMA_FSUUID) && 529 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 530 return false; 531 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 532 return false; 533 if (rule->flags & IMA_EUID) { 534 if (has_capability_noaudit(current, CAP_SETUID)) { 535 if (!rule->uid_op(cred->euid, rule->uid) 536 && !rule->uid_op(cred->suid, rule->uid) 537 && !rule->uid_op(cred->uid, rule->uid)) 538 return false; 539 } else if (!rule->uid_op(cred->euid, rule->uid)) 540 return false; 541 } 542 543 if ((rule->flags & IMA_FOWNER) && 544 !rule->fowner_op(i_uid_into_mnt(mnt_userns, inode), rule->fowner)) 545 return false; 546 for (i = 0; i < MAX_LSM_RULES; i++) { 547 int rc = 0; 548 u32 osid; 549 550 if (!rule->lsm[i].rule) { 551 if (!rule->lsm[i].args_p) 552 continue; 553 else 554 return false; 555 } 556 switch (i) { 557 case LSM_OBJ_USER: 558 case LSM_OBJ_ROLE: 559 case LSM_OBJ_TYPE: 560 security_inode_getsecid(inode, &osid); 561 rc = ima_filter_rule_match(osid, rule->lsm[i].type, 562 Audit_equal, 563 rule->lsm[i].rule); 564 break; 565 case LSM_SUBJ_USER: 566 case LSM_SUBJ_ROLE: 567 case LSM_SUBJ_TYPE: 568 rc = ima_filter_rule_match(secid, rule->lsm[i].type, 569 Audit_equal, 570 rule->lsm[i].rule); 571 default: 572 break; 573 } 574 if (!rc) 575 return false; 576 } 577 return true; 578 } 579 580 /* 581 * In addition to knowing that we need to appraise the file in general, 582 * we need to differentiate between calling hooks, for hook specific rules. 583 */ 584 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 585 { 586 if (!(rule->flags & IMA_FUNC)) 587 return IMA_FILE_APPRAISE; 588 589 switch (func) { 590 case MMAP_CHECK: 591 return IMA_MMAP_APPRAISE; 592 case BPRM_CHECK: 593 return IMA_BPRM_APPRAISE; 594 case CREDS_CHECK: 595 return IMA_CREDS_APPRAISE; 596 case FILE_CHECK: 597 case POST_SETATTR: 598 return IMA_FILE_APPRAISE; 599 case MODULE_CHECK ... MAX_CHECK - 1: 600 default: 601 return IMA_READ_APPRAISE; 602 } 603 } 604 605 /** 606 * ima_match_policy - decision based on LSM and other conditions 607 * @mnt_userns: user namespace of the mount the inode was found from 608 * @inode: pointer to an inode for which the policy decision is being made 609 * @cred: pointer to a credentials structure for which the policy decision is 610 * being made 611 * @secid: LSM secid of the task to be validated 612 * @func: IMA hook identifier 613 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 614 * @pcr: set the pcr to extend 615 * @template_desc: the template that should be used for this rule 616 * @keyring: the keyring name, if given, to be used to check in the policy. 617 * keyring can be NULL if func is anything other than KEY_CHECK. 618 * 619 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 620 * conditions. 621 * 622 * Since the IMA policy may be updated multiple times we need to lock the 623 * list when walking it. Reads are many orders of magnitude more numerous 624 * than writes so ima_match_policy() is classical RCU candidate. 625 */ 626 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, 627 const struct cred *cred, u32 secid, enum ima_hooks func, 628 int mask, int flags, int *pcr, 629 struct ima_template_desc **template_desc, 630 const char *keyring) 631 { 632 struct ima_rule_entry *entry; 633 int action = 0, actmask = flags | (flags << 1); 634 635 if (template_desc && !*template_desc) 636 *template_desc = ima_template_desc_current(); 637 638 rcu_read_lock(); 639 list_for_each_entry_rcu(entry, ima_rules, list) { 640 641 if (!(entry->action & actmask)) 642 continue; 643 644 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, 645 func, mask, keyring)) 646 continue; 647 648 action |= entry->flags & IMA_ACTION_FLAGS; 649 650 action |= entry->action & IMA_DO_MASK; 651 if (entry->action & IMA_APPRAISE) { 652 action |= get_subaction(entry, func); 653 action &= ~IMA_HASH; 654 if (ima_fail_unverifiable_sigs) 655 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 656 } 657 658 659 if (entry->action & IMA_DO_MASK) 660 actmask &= ~(entry->action | entry->action << 1); 661 else 662 actmask &= ~(entry->action | entry->action >> 1); 663 664 if ((pcr) && (entry->flags & IMA_PCR)) 665 *pcr = entry->pcr; 666 667 if (template_desc && entry->template) 668 *template_desc = entry->template; 669 670 if (!actmask) 671 break; 672 } 673 rcu_read_unlock(); 674 675 return action; 676 } 677 678 /* 679 * Initialize the ima_policy_flag variable based on the currently 680 * loaded policy. Based on this flag, the decision to short circuit 681 * out of a function or not call the function in the first place 682 * can be made earlier. 683 */ 684 void ima_update_policy_flag(void) 685 { 686 struct ima_rule_entry *entry; 687 688 list_for_each_entry(entry, ima_rules, list) { 689 if (entry->action & IMA_DO_MASK) 690 ima_policy_flag |= entry->action; 691 } 692 693 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 694 if (!ima_appraise) 695 ima_policy_flag &= ~IMA_APPRAISE; 696 } 697 698 static int ima_appraise_flag(enum ima_hooks func) 699 { 700 if (func == MODULE_CHECK) 701 return IMA_APPRAISE_MODULES; 702 else if (func == FIRMWARE_CHECK) 703 return IMA_APPRAISE_FIRMWARE; 704 else if (func == POLICY_CHECK) 705 return IMA_APPRAISE_POLICY; 706 else if (func == KEXEC_KERNEL_CHECK) 707 return IMA_APPRAISE_KEXEC; 708 return 0; 709 } 710 711 static void add_rules(struct ima_rule_entry *entries, int count, 712 enum policy_rule_list policy_rule) 713 { 714 int i = 0; 715 716 for (i = 0; i < count; i++) { 717 struct ima_rule_entry *entry; 718 719 if (policy_rule & IMA_DEFAULT_POLICY) 720 list_add_tail(&entries[i].list, &ima_default_rules); 721 722 if (policy_rule & IMA_CUSTOM_POLICY) { 723 entry = kmemdup(&entries[i], sizeof(*entry), 724 GFP_KERNEL); 725 if (!entry) 726 continue; 727 728 list_add_tail(&entry->list, &ima_policy_rules); 729 } 730 if (entries[i].action == APPRAISE) { 731 if (entries != build_appraise_rules) 732 temp_ima_appraise |= 733 ima_appraise_flag(entries[i].func); 734 else 735 build_ima_appraise |= 736 ima_appraise_flag(entries[i].func); 737 } 738 } 739 } 740 741 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 742 743 static int __init ima_init_arch_policy(void) 744 { 745 const char * const *arch_rules; 746 const char * const *rules; 747 int arch_entries = 0; 748 int i = 0; 749 750 arch_rules = arch_get_ima_policy(); 751 if (!arch_rules) 752 return arch_entries; 753 754 /* Get number of rules */ 755 for (rules = arch_rules; *rules != NULL; rules++) 756 arch_entries++; 757 758 arch_policy_entry = kcalloc(arch_entries + 1, 759 sizeof(*arch_policy_entry), GFP_KERNEL); 760 if (!arch_policy_entry) 761 return 0; 762 763 /* Convert each policy string rules to struct ima_rule_entry format */ 764 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 765 char rule[255]; 766 int result; 767 768 result = strlcpy(rule, *rules, sizeof(rule)); 769 770 INIT_LIST_HEAD(&arch_policy_entry[i].list); 771 result = ima_parse_rule(rule, &arch_policy_entry[i]); 772 if (result) { 773 pr_warn("Skipping unknown architecture policy rule: %s\n", 774 rule); 775 memset(&arch_policy_entry[i], 0, 776 sizeof(*arch_policy_entry)); 777 continue; 778 } 779 i++; 780 } 781 return i; 782 } 783 784 /** 785 * ima_init_policy - initialize the default measure rules. 786 * 787 * ima_rules points to either the ima_default_rules or the 788 * the new ima_policy_rules. 789 */ 790 void __init ima_init_policy(void) 791 { 792 int build_appraise_entries, arch_entries; 793 794 /* if !ima_policy, we load NO default rules */ 795 if (ima_policy) 796 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 797 IMA_DEFAULT_POLICY); 798 799 switch (ima_policy) { 800 case ORIGINAL_TCB: 801 add_rules(original_measurement_rules, 802 ARRAY_SIZE(original_measurement_rules), 803 IMA_DEFAULT_POLICY); 804 break; 805 case DEFAULT_TCB: 806 add_rules(default_measurement_rules, 807 ARRAY_SIZE(default_measurement_rules), 808 IMA_DEFAULT_POLICY); 809 default: 810 break; 811 } 812 813 /* 814 * Based on runtime secure boot flags, insert arch specific measurement 815 * and appraise rules requiring file signatures for both the initial 816 * and custom policies, prior to other appraise rules. 817 * (Highest priority) 818 */ 819 arch_entries = ima_init_arch_policy(); 820 if (!arch_entries) 821 pr_info("No architecture policies found\n"); 822 else 823 add_rules(arch_policy_entry, arch_entries, 824 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 825 826 /* 827 * Insert the builtin "secure_boot" policy rules requiring file 828 * signatures, prior to other appraise rules. 829 */ 830 if (ima_use_secure_boot) 831 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 832 IMA_DEFAULT_POLICY); 833 834 /* 835 * Insert the build time appraise rules requiring file signatures 836 * for both the initial and custom policies, prior to other appraise 837 * rules. As the secure boot rules includes all of the build time 838 * rules, include either one or the other set of rules, but not both. 839 */ 840 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 841 if (build_appraise_entries) { 842 if (ima_use_secure_boot) 843 add_rules(build_appraise_rules, build_appraise_entries, 844 IMA_CUSTOM_POLICY); 845 else 846 add_rules(build_appraise_rules, build_appraise_entries, 847 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 848 } 849 850 if (ima_use_appraise_tcb) 851 add_rules(default_appraise_rules, 852 ARRAY_SIZE(default_appraise_rules), 853 IMA_DEFAULT_POLICY); 854 855 ima_update_policy_flag(); 856 } 857 858 /* Make sure we have a valid policy, at least containing some rules. */ 859 int ima_check_policy(void) 860 { 861 if (list_empty(&ima_temp_rules)) 862 return -EINVAL; 863 return 0; 864 } 865 866 /** 867 * ima_update_policy - update default_rules with new measure rules 868 * 869 * Called on file .release to update the default rules with a complete new 870 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 871 * they make a queue. The policy may be updated multiple times and this is the 872 * RCU updater. 873 * 874 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 875 * we switch from the default policy to user defined. 876 */ 877 void ima_update_policy(void) 878 { 879 struct list_head *policy = &ima_policy_rules; 880 881 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 882 883 if (ima_rules != policy) { 884 ima_policy_flag = 0; 885 ima_rules = policy; 886 887 /* 888 * IMA architecture specific policy rules are specified 889 * as strings and converted to an array of ima_entry_rules 890 * on boot. After loading a custom policy, free the 891 * architecture specific rules stored as an array. 892 */ 893 kfree(arch_policy_entry); 894 } 895 ima_update_policy_flag(); 896 897 /* Custom IMA policy has been loaded */ 898 ima_process_queued_keys(); 899 } 900 901 /* Keep the enumeration in sync with the policy_tokens! */ 902 enum { 903 Opt_measure, Opt_dont_measure, 904 Opt_appraise, Opt_dont_appraise, 905 Opt_audit, Opt_hash, Opt_dont_hash, 906 Opt_obj_user, Opt_obj_role, Opt_obj_type, 907 Opt_subj_user, Opt_subj_role, Opt_subj_type, 908 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 909 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 910 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 911 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 912 Opt_appraise_type, Opt_appraise_flag, 913 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 914 Opt_err 915 }; 916 917 static const match_table_t policy_tokens = { 918 {Opt_measure, "measure"}, 919 {Opt_dont_measure, "dont_measure"}, 920 {Opt_appraise, "appraise"}, 921 {Opt_dont_appraise, "dont_appraise"}, 922 {Opt_audit, "audit"}, 923 {Opt_hash, "hash"}, 924 {Opt_dont_hash, "dont_hash"}, 925 {Opt_obj_user, "obj_user=%s"}, 926 {Opt_obj_role, "obj_role=%s"}, 927 {Opt_obj_type, "obj_type=%s"}, 928 {Opt_subj_user, "subj_user=%s"}, 929 {Opt_subj_role, "subj_role=%s"}, 930 {Opt_subj_type, "subj_type=%s"}, 931 {Opt_func, "func=%s"}, 932 {Opt_mask, "mask=%s"}, 933 {Opt_fsmagic, "fsmagic=%s"}, 934 {Opt_fsname, "fsname=%s"}, 935 {Opt_fsuuid, "fsuuid=%s"}, 936 {Opt_uid_eq, "uid=%s"}, 937 {Opt_euid_eq, "euid=%s"}, 938 {Opt_fowner_eq, "fowner=%s"}, 939 {Opt_uid_gt, "uid>%s"}, 940 {Opt_euid_gt, "euid>%s"}, 941 {Opt_fowner_gt, "fowner>%s"}, 942 {Opt_uid_lt, "uid<%s"}, 943 {Opt_euid_lt, "euid<%s"}, 944 {Opt_fowner_lt, "fowner<%s"}, 945 {Opt_appraise_type, "appraise_type=%s"}, 946 {Opt_appraise_flag, "appraise_flag=%s"}, 947 {Opt_permit_directio, "permit_directio"}, 948 {Opt_pcr, "pcr=%s"}, 949 {Opt_template, "template=%s"}, 950 {Opt_keyrings, "keyrings=%s"}, 951 {Opt_err, NULL} 952 }; 953 954 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 955 substring_t *args, int lsm_rule, int audit_type) 956 { 957 int result; 958 959 if (entry->lsm[lsm_rule].rule) 960 return -EINVAL; 961 962 entry->lsm[lsm_rule].args_p = match_strdup(args); 963 if (!entry->lsm[lsm_rule].args_p) 964 return -ENOMEM; 965 966 entry->lsm[lsm_rule].type = audit_type; 967 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 968 entry->lsm[lsm_rule].args_p, 969 &entry->lsm[lsm_rule].rule); 970 if (!entry->lsm[lsm_rule].rule) { 971 pr_warn("rule for LSM \'%s\' is undefined\n", 972 entry->lsm[lsm_rule].args_p); 973 974 if (ima_rules == &ima_default_rules) { 975 kfree(entry->lsm[lsm_rule].args_p); 976 entry->lsm[lsm_rule].args_p = NULL; 977 result = -EINVAL; 978 } else 979 result = 0; 980 } 981 982 return result; 983 } 984 985 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 986 bool (*rule_operator)(kuid_t, kuid_t)) 987 { 988 if (!ab) 989 return; 990 991 if (rule_operator == &uid_gt) 992 audit_log_format(ab, "%s>", key); 993 else if (rule_operator == &uid_lt) 994 audit_log_format(ab, "%s<", key); 995 else 996 audit_log_format(ab, "%s=", key); 997 audit_log_format(ab, "%s ", value); 998 } 999 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1000 { 1001 ima_log_string_op(ab, key, value, NULL); 1002 } 1003 1004 /* 1005 * Validating the appended signature included in the measurement list requires 1006 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1007 * field). Therefore, notify the user if they have the 'modsig' field but not 1008 * the 'd-modsig' field in the template. 1009 */ 1010 static void check_template_modsig(const struct ima_template_desc *template) 1011 { 1012 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1013 bool has_modsig, has_dmodsig; 1014 static bool checked; 1015 int i; 1016 1017 /* We only need to notify the user once. */ 1018 if (checked) 1019 return; 1020 1021 has_modsig = has_dmodsig = false; 1022 for (i = 0; i < template->num_fields; i++) { 1023 if (!strcmp(template->fields[i]->field_id, "modsig")) 1024 has_modsig = true; 1025 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1026 has_dmodsig = true; 1027 } 1028 1029 if (has_modsig && !has_dmodsig) 1030 pr_notice(MSG); 1031 1032 checked = true; 1033 #undef MSG 1034 } 1035 1036 static bool ima_validate_rule(struct ima_rule_entry *entry) 1037 { 1038 /* Ensure that the action is set and is compatible with the flags */ 1039 if (entry->action == UNKNOWN) 1040 return false; 1041 1042 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1043 return false; 1044 1045 if (entry->action != APPRAISE && 1046 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)) 1047 return false; 1048 1049 /* 1050 * The IMA_FUNC bit must be set if and only if there's a valid hook 1051 * function specified, and vice versa. Enforcing this property allows 1052 * for the NONE case below to validate a rule without an explicit hook 1053 * function. 1054 */ 1055 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1056 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1057 return false; 1058 1059 /* 1060 * Ensure that the hook function is compatible with the other 1061 * components of the rule 1062 */ 1063 switch (entry->func) { 1064 case NONE: 1065 case FILE_CHECK: 1066 case MMAP_CHECK: 1067 case BPRM_CHECK: 1068 case CREDS_CHECK: 1069 case POST_SETATTR: 1070 case FIRMWARE_CHECK: 1071 case POLICY_CHECK: 1072 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1073 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1074 IMA_INMASK | IMA_EUID | IMA_PCR | 1075 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1076 IMA_PERMIT_DIRECTIO)) 1077 return false; 1078 1079 break; 1080 case MODULE_CHECK: 1081 case KEXEC_KERNEL_CHECK: 1082 case KEXEC_INITRAMFS_CHECK: 1083 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1084 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1085 IMA_INMASK | IMA_EUID | IMA_PCR | 1086 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1087 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1088 IMA_CHECK_BLACKLIST)) 1089 return false; 1090 1091 break; 1092 case KEXEC_CMDLINE: 1093 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1094 return false; 1095 1096 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1097 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1098 IMA_PCR | IMA_FSNAME)) 1099 return false; 1100 1101 break; 1102 case KEY_CHECK: 1103 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1104 return false; 1105 1106 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1107 IMA_KEYRINGS)) 1108 return false; 1109 1110 if (ima_rule_contains_lsm_cond(entry)) 1111 return false; 1112 1113 break; 1114 default: 1115 return false; 1116 } 1117 1118 /* Ensure that combinations of flags are compatible with each other */ 1119 if (entry->flags & IMA_CHECK_BLACKLIST && 1120 !(entry->flags & IMA_MODSIG_ALLOWED)) 1121 return false; 1122 1123 return true; 1124 } 1125 1126 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1127 { 1128 struct audit_buffer *ab; 1129 char *from; 1130 char *p; 1131 bool uid_token; 1132 struct ima_template_desc *template_desc; 1133 int result = 0; 1134 1135 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1136 AUDIT_INTEGRITY_POLICY_RULE); 1137 1138 entry->uid = INVALID_UID; 1139 entry->fowner = INVALID_UID; 1140 entry->uid_op = &uid_eq; 1141 entry->fowner_op = &uid_eq; 1142 entry->action = UNKNOWN; 1143 while ((p = strsep(&rule, " \t")) != NULL) { 1144 substring_t args[MAX_OPT_ARGS]; 1145 int token; 1146 unsigned long lnum; 1147 1148 if (result < 0) 1149 break; 1150 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1151 continue; 1152 token = match_token(p, policy_tokens, args); 1153 switch (token) { 1154 case Opt_measure: 1155 ima_log_string(ab, "action", "measure"); 1156 1157 if (entry->action != UNKNOWN) 1158 result = -EINVAL; 1159 1160 entry->action = MEASURE; 1161 break; 1162 case Opt_dont_measure: 1163 ima_log_string(ab, "action", "dont_measure"); 1164 1165 if (entry->action != UNKNOWN) 1166 result = -EINVAL; 1167 1168 entry->action = DONT_MEASURE; 1169 break; 1170 case Opt_appraise: 1171 ima_log_string(ab, "action", "appraise"); 1172 1173 if (entry->action != UNKNOWN) 1174 result = -EINVAL; 1175 1176 entry->action = APPRAISE; 1177 break; 1178 case Opt_dont_appraise: 1179 ima_log_string(ab, "action", "dont_appraise"); 1180 1181 if (entry->action != UNKNOWN) 1182 result = -EINVAL; 1183 1184 entry->action = DONT_APPRAISE; 1185 break; 1186 case Opt_audit: 1187 ima_log_string(ab, "action", "audit"); 1188 1189 if (entry->action != UNKNOWN) 1190 result = -EINVAL; 1191 1192 entry->action = AUDIT; 1193 break; 1194 case Opt_hash: 1195 ima_log_string(ab, "action", "hash"); 1196 1197 if (entry->action != UNKNOWN) 1198 result = -EINVAL; 1199 1200 entry->action = HASH; 1201 break; 1202 case Opt_dont_hash: 1203 ima_log_string(ab, "action", "dont_hash"); 1204 1205 if (entry->action != UNKNOWN) 1206 result = -EINVAL; 1207 1208 entry->action = DONT_HASH; 1209 break; 1210 case Opt_func: 1211 ima_log_string(ab, "func", args[0].from); 1212 1213 if (entry->func) 1214 result = -EINVAL; 1215 1216 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1217 entry->func = FILE_CHECK; 1218 /* PATH_CHECK is for backwards compat */ 1219 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1220 entry->func = FILE_CHECK; 1221 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1222 entry->func = MODULE_CHECK; 1223 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1224 entry->func = FIRMWARE_CHECK; 1225 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1226 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1227 entry->func = MMAP_CHECK; 1228 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1229 entry->func = BPRM_CHECK; 1230 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1231 entry->func = CREDS_CHECK; 1232 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1233 0) 1234 entry->func = KEXEC_KERNEL_CHECK; 1235 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1236 == 0) 1237 entry->func = KEXEC_INITRAMFS_CHECK; 1238 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1239 entry->func = POLICY_CHECK; 1240 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1241 entry->func = KEXEC_CMDLINE; 1242 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1243 strcmp(args[0].from, "KEY_CHECK") == 0) 1244 entry->func = KEY_CHECK; 1245 else 1246 result = -EINVAL; 1247 if (!result) 1248 entry->flags |= IMA_FUNC; 1249 break; 1250 case Opt_mask: 1251 ima_log_string(ab, "mask", args[0].from); 1252 1253 if (entry->mask) 1254 result = -EINVAL; 1255 1256 from = args[0].from; 1257 if (*from == '^') 1258 from++; 1259 1260 if ((strcmp(from, "MAY_EXEC")) == 0) 1261 entry->mask = MAY_EXEC; 1262 else if (strcmp(from, "MAY_WRITE") == 0) 1263 entry->mask = MAY_WRITE; 1264 else if (strcmp(from, "MAY_READ") == 0) 1265 entry->mask = MAY_READ; 1266 else if (strcmp(from, "MAY_APPEND") == 0) 1267 entry->mask = MAY_APPEND; 1268 else 1269 result = -EINVAL; 1270 if (!result) 1271 entry->flags |= (*args[0].from == '^') 1272 ? IMA_INMASK : IMA_MASK; 1273 break; 1274 case Opt_fsmagic: 1275 ima_log_string(ab, "fsmagic", args[0].from); 1276 1277 if (entry->fsmagic) { 1278 result = -EINVAL; 1279 break; 1280 } 1281 1282 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1283 if (!result) 1284 entry->flags |= IMA_FSMAGIC; 1285 break; 1286 case Opt_fsname: 1287 ima_log_string(ab, "fsname", args[0].from); 1288 1289 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1290 if (!entry->fsname) { 1291 result = -ENOMEM; 1292 break; 1293 } 1294 result = 0; 1295 entry->flags |= IMA_FSNAME; 1296 break; 1297 case Opt_keyrings: 1298 ima_log_string(ab, "keyrings", args[0].from); 1299 1300 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1301 entry->keyrings) { 1302 result = -EINVAL; 1303 break; 1304 } 1305 1306 entry->keyrings = ima_alloc_rule_opt_list(args); 1307 if (IS_ERR(entry->keyrings)) { 1308 result = PTR_ERR(entry->keyrings); 1309 entry->keyrings = NULL; 1310 break; 1311 } 1312 1313 entry->flags |= IMA_KEYRINGS; 1314 break; 1315 case Opt_fsuuid: 1316 ima_log_string(ab, "fsuuid", args[0].from); 1317 1318 if (!uuid_is_null(&entry->fsuuid)) { 1319 result = -EINVAL; 1320 break; 1321 } 1322 1323 result = uuid_parse(args[0].from, &entry->fsuuid); 1324 if (!result) 1325 entry->flags |= IMA_FSUUID; 1326 break; 1327 case Opt_uid_gt: 1328 case Opt_euid_gt: 1329 entry->uid_op = &uid_gt; 1330 fallthrough; 1331 case Opt_uid_lt: 1332 case Opt_euid_lt: 1333 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1334 entry->uid_op = &uid_lt; 1335 fallthrough; 1336 case Opt_uid_eq: 1337 case Opt_euid_eq: 1338 uid_token = (token == Opt_uid_eq) || 1339 (token == Opt_uid_gt) || 1340 (token == Opt_uid_lt); 1341 1342 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1343 args[0].from, entry->uid_op); 1344 1345 if (uid_valid(entry->uid)) { 1346 result = -EINVAL; 1347 break; 1348 } 1349 1350 result = kstrtoul(args[0].from, 10, &lnum); 1351 if (!result) { 1352 entry->uid = make_kuid(current_user_ns(), 1353 (uid_t) lnum); 1354 if (!uid_valid(entry->uid) || 1355 (uid_t)lnum != lnum) 1356 result = -EINVAL; 1357 else 1358 entry->flags |= uid_token 1359 ? IMA_UID : IMA_EUID; 1360 } 1361 break; 1362 case Opt_fowner_gt: 1363 entry->fowner_op = &uid_gt; 1364 fallthrough; 1365 case Opt_fowner_lt: 1366 if (token == Opt_fowner_lt) 1367 entry->fowner_op = &uid_lt; 1368 fallthrough; 1369 case Opt_fowner_eq: 1370 ima_log_string_op(ab, "fowner", args[0].from, 1371 entry->fowner_op); 1372 1373 if (uid_valid(entry->fowner)) { 1374 result = -EINVAL; 1375 break; 1376 } 1377 1378 result = kstrtoul(args[0].from, 10, &lnum); 1379 if (!result) { 1380 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1381 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1382 result = -EINVAL; 1383 else 1384 entry->flags |= IMA_FOWNER; 1385 } 1386 break; 1387 case Opt_obj_user: 1388 ima_log_string(ab, "obj_user", args[0].from); 1389 result = ima_lsm_rule_init(entry, args, 1390 LSM_OBJ_USER, 1391 AUDIT_OBJ_USER); 1392 break; 1393 case Opt_obj_role: 1394 ima_log_string(ab, "obj_role", args[0].from); 1395 result = ima_lsm_rule_init(entry, args, 1396 LSM_OBJ_ROLE, 1397 AUDIT_OBJ_ROLE); 1398 break; 1399 case Opt_obj_type: 1400 ima_log_string(ab, "obj_type", args[0].from); 1401 result = ima_lsm_rule_init(entry, args, 1402 LSM_OBJ_TYPE, 1403 AUDIT_OBJ_TYPE); 1404 break; 1405 case Opt_subj_user: 1406 ima_log_string(ab, "subj_user", args[0].from); 1407 result = ima_lsm_rule_init(entry, args, 1408 LSM_SUBJ_USER, 1409 AUDIT_SUBJ_USER); 1410 break; 1411 case Opt_subj_role: 1412 ima_log_string(ab, "subj_role", args[0].from); 1413 result = ima_lsm_rule_init(entry, args, 1414 LSM_SUBJ_ROLE, 1415 AUDIT_SUBJ_ROLE); 1416 break; 1417 case Opt_subj_type: 1418 ima_log_string(ab, "subj_type", args[0].from); 1419 result = ima_lsm_rule_init(entry, args, 1420 LSM_SUBJ_TYPE, 1421 AUDIT_SUBJ_TYPE); 1422 break; 1423 case Opt_appraise_type: 1424 ima_log_string(ab, "appraise_type", args[0].from); 1425 if ((strcmp(args[0].from, "imasig")) == 0) 1426 entry->flags |= IMA_DIGSIG_REQUIRED; 1427 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1428 strcmp(args[0].from, "imasig|modsig") == 0) 1429 entry->flags |= IMA_DIGSIG_REQUIRED | 1430 IMA_MODSIG_ALLOWED; 1431 else 1432 result = -EINVAL; 1433 break; 1434 case Opt_appraise_flag: 1435 ima_log_string(ab, "appraise_flag", args[0].from); 1436 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1437 strstr(args[0].from, "blacklist")) 1438 entry->flags |= IMA_CHECK_BLACKLIST; 1439 else 1440 result = -EINVAL; 1441 break; 1442 case Opt_permit_directio: 1443 entry->flags |= IMA_PERMIT_DIRECTIO; 1444 break; 1445 case Opt_pcr: 1446 ima_log_string(ab, "pcr", args[0].from); 1447 1448 result = kstrtoint(args[0].from, 10, &entry->pcr); 1449 if (result || INVALID_PCR(entry->pcr)) 1450 result = -EINVAL; 1451 else 1452 entry->flags |= IMA_PCR; 1453 1454 break; 1455 case Opt_template: 1456 ima_log_string(ab, "template", args[0].from); 1457 if (entry->action != MEASURE) { 1458 result = -EINVAL; 1459 break; 1460 } 1461 template_desc = lookup_template_desc(args[0].from); 1462 if (!template_desc || entry->template) { 1463 result = -EINVAL; 1464 break; 1465 } 1466 1467 /* 1468 * template_desc_init_fields() does nothing if 1469 * the template is already initialised, so 1470 * it's safe to do this unconditionally 1471 */ 1472 template_desc_init_fields(template_desc->fmt, 1473 &(template_desc->fields), 1474 &(template_desc->num_fields)); 1475 entry->template = template_desc; 1476 break; 1477 case Opt_err: 1478 ima_log_string(ab, "UNKNOWN", p); 1479 result = -EINVAL; 1480 break; 1481 } 1482 } 1483 if (!result && !ima_validate_rule(entry)) 1484 result = -EINVAL; 1485 else if (entry->action == APPRAISE) 1486 temp_ima_appraise |= ima_appraise_flag(entry->func); 1487 1488 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1489 template_desc = entry->template ? entry->template : 1490 ima_template_desc_current(); 1491 check_template_modsig(template_desc); 1492 } 1493 1494 audit_log_format(ab, "res=%d", !result); 1495 audit_log_end(ab); 1496 return result; 1497 } 1498 1499 /** 1500 * ima_parse_add_rule - add a rule to ima_policy_rules 1501 * @rule - ima measurement policy rule 1502 * 1503 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1504 * Returns the length of the rule parsed, an error code on failure 1505 */ 1506 ssize_t ima_parse_add_rule(char *rule) 1507 { 1508 static const char op[] = "update_policy"; 1509 char *p; 1510 struct ima_rule_entry *entry; 1511 ssize_t result, len; 1512 int audit_info = 0; 1513 1514 p = strsep(&rule, "\n"); 1515 len = strlen(p) + 1; 1516 p += strspn(p, " \t"); 1517 1518 if (*p == '#' || *p == '\0') 1519 return len; 1520 1521 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1522 if (!entry) { 1523 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1524 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1525 return -ENOMEM; 1526 } 1527 1528 INIT_LIST_HEAD(&entry->list); 1529 1530 result = ima_parse_rule(p, entry); 1531 if (result) { 1532 ima_free_rule(entry); 1533 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1534 NULL, op, "invalid-policy", result, 1535 audit_info); 1536 return result; 1537 } 1538 1539 list_add_tail(&entry->list, &ima_temp_rules); 1540 1541 return len; 1542 } 1543 1544 /** 1545 * ima_delete_rules() called to cleanup invalid in-flight policy. 1546 * We don't need locking as we operate on the temp list, which is 1547 * different from the active one. There is also only one user of 1548 * ima_delete_rules() at a time. 1549 */ 1550 void ima_delete_rules(void) 1551 { 1552 struct ima_rule_entry *entry, *tmp; 1553 1554 temp_ima_appraise = 0; 1555 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1556 list_del(&entry->list); 1557 ima_free_rule(entry); 1558 } 1559 } 1560 1561 #define __ima_hook_stringify(func, str) (#func), 1562 1563 const char *const func_tokens[] = { 1564 __ima_hooks(__ima_hook_stringify) 1565 }; 1566 1567 #ifdef CONFIG_IMA_READ_POLICY 1568 enum { 1569 mask_exec = 0, mask_write, mask_read, mask_append 1570 }; 1571 1572 static const char *const mask_tokens[] = { 1573 "^MAY_EXEC", 1574 "^MAY_WRITE", 1575 "^MAY_READ", 1576 "^MAY_APPEND" 1577 }; 1578 1579 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1580 { 1581 loff_t l = *pos; 1582 struct ima_rule_entry *entry; 1583 1584 rcu_read_lock(); 1585 list_for_each_entry_rcu(entry, ima_rules, list) { 1586 if (!l--) { 1587 rcu_read_unlock(); 1588 return entry; 1589 } 1590 } 1591 rcu_read_unlock(); 1592 return NULL; 1593 } 1594 1595 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1596 { 1597 struct ima_rule_entry *entry = v; 1598 1599 rcu_read_lock(); 1600 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1601 rcu_read_unlock(); 1602 (*pos)++; 1603 1604 return (&entry->list == ima_rules) ? NULL : entry; 1605 } 1606 1607 void ima_policy_stop(struct seq_file *m, void *v) 1608 { 1609 } 1610 1611 #define pt(token) policy_tokens[token].pattern 1612 #define mt(token) mask_tokens[token] 1613 1614 /* 1615 * policy_func_show - display the ima_hooks policy rule 1616 */ 1617 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1618 { 1619 if (func > 0 && func < MAX_CHECK) 1620 seq_printf(m, "func=%s ", func_tokens[func]); 1621 else 1622 seq_printf(m, "func=%d ", func); 1623 } 1624 1625 static void ima_show_rule_opt_list(struct seq_file *m, 1626 const struct ima_rule_opt_list *opt_list) 1627 { 1628 size_t i; 1629 1630 for (i = 0; i < opt_list->count; i++) 1631 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 1632 } 1633 1634 int ima_policy_show(struct seq_file *m, void *v) 1635 { 1636 struct ima_rule_entry *entry = v; 1637 int i; 1638 char tbuf[64] = {0,}; 1639 int offset = 0; 1640 1641 rcu_read_lock(); 1642 1643 if (entry->action & MEASURE) 1644 seq_puts(m, pt(Opt_measure)); 1645 if (entry->action & DONT_MEASURE) 1646 seq_puts(m, pt(Opt_dont_measure)); 1647 if (entry->action & APPRAISE) 1648 seq_puts(m, pt(Opt_appraise)); 1649 if (entry->action & DONT_APPRAISE) 1650 seq_puts(m, pt(Opt_dont_appraise)); 1651 if (entry->action & AUDIT) 1652 seq_puts(m, pt(Opt_audit)); 1653 if (entry->action & HASH) 1654 seq_puts(m, pt(Opt_hash)); 1655 if (entry->action & DONT_HASH) 1656 seq_puts(m, pt(Opt_dont_hash)); 1657 1658 seq_puts(m, " "); 1659 1660 if (entry->flags & IMA_FUNC) 1661 policy_func_show(m, entry->func); 1662 1663 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1664 if (entry->flags & IMA_MASK) 1665 offset = 1; 1666 if (entry->mask & MAY_EXEC) 1667 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1668 if (entry->mask & MAY_WRITE) 1669 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1670 if (entry->mask & MAY_READ) 1671 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1672 if (entry->mask & MAY_APPEND) 1673 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1674 seq_puts(m, " "); 1675 } 1676 1677 if (entry->flags & IMA_FSMAGIC) { 1678 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1679 seq_printf(m, pt(Opt_fsmagic), tbuf); 1680 seq_puts(m, " "); 1681 } 1682 1683 if (entry->flags & IMA_FSNAME) { 1684 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1685 seq_printf(m, pt(Opt_fsname), tbuf); 1686 seq_puts(m, " "); 1687 } 1688 1689 if (entry->flags & IMA_KEYRINGS) { 1690 seq_puts(m, "keyrings="); 1691 ima_show_rule_opt_list(m, entry->keyrings); 1692 seq_puts(m, " "); 1693 } 1694 1695 if (entry->flags & IMA_PCR) { 1696 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1697 seq_printf(m, pt(Opt_pcr), tbuf); 1698 seq_puts(m, " "); 1699 } 1700 1701 if (entry->flags & IMA_FSUUID) { 1702 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1703 seq_puts(m, " "); 1704 } 1705 1706 if (entry->flags & IMA_UID) { 1707 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1708 if (entry->uid_op == &uid_gt) 1709 seq_printf(m, pt(Opt_uid_gt), tbuf); 1710 else if (entry->uid_op == &uid_lt) 1711 seq_printf(m, pt(Opt_uid_lt), tbuf); 1712 else 1713 seq_printf(m, pt(Opt_uid_eq), tbuf); 1714 seq_puts(m, " "); 1715 } 1716 1717 if (entry->flags & IMA_EUID) { 1718 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1719 if (entry->uid_op == &uid_gt) 1720 seq_printf(m, pt(Opt_euid_gt), tbuf); 1721 else if (entry->uid_op == &uid_lt) 1722 seq_printf(m, pt(Opt_euid_lt), tbuf); 1723 else 1724 seq_printf(m, pt(Opt_euid_eq), tbuf); 1725 seq_puts(m, " "); 1726 } 1727 1728 if (entry->flags & IMA_FOWNER) { 1729 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1730 if (entry->fowner_op == &uid_gt) 1731 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1732 else if (entry->fowner_op == &uid_lt) 1733 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1734 else 1735 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1736 seq_puts(m, " "); 1737 } 1738 1739 for (i = 0; i < MAX_LSM_RULES; i++) { 1740 if (entry->lsm[i].rule) { 1741 switch (i) { 1742 case LSM_OBJ_USER: 1743 seq_printf(m, pt(Opt_obj_user), 1744 entry->lsm[i].args_p); 1745 break; 1746 case LSM_OBJ_ROLE: 1747 seq_printf(m, pt(Opt_obj_role), 1748 entry->lsm[i].args_p); 1749 break; 1750 case LSM_OBJ_TYPE: 1751 seq_printf(m, pt(Opt_obj_type), 1752 entry->lsm[i].args_p); 1753 break; 1754 case LSM_SUBJ_USER: 1755 seq_printf(m, pt(Opt_subj_user), 1756 entry->lsm[i].args_p); 1757 break; 1758 case LSM_SUBJ_ROLE: 1759 seq_printf(m, pt(Opt_subj_role), 1760 entry->lsm[i].args_p); 1761 break; 1762 case LSM_SUBJ_TYPE: 1763 seq_printf(m, pt(Opt_subj_type), 1764 entry->lsm[i].args_p); 1765 break; 1766 } 1767 seq_puts(m, " "); 1768 } 1769 } 1770 if (entry->template) 1771 seq_printf(m, "template=%s ", entry->template->name); 1772 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1773 if (entry->flags & IMA_MODSIG_ALLOWED) 1774 seq_puts(m, "appraise_type=imasig|modsig "); 1775 else 1776 seq_puts(m, "appraise_type=imasig "); 1777 } 1778 if (entry->flags & IMA_CHECK_BLACKLIST) 1779 seq_puts(m, "appraise_flag=check_blacklist "); 1780 if (entry->flags & IMA_PERMIT_DIRECTIO) 1781 seq_puts(m, "permit_directio "); 1782 rcu_read_unlock(); 1783 seq_puts(m, "\n"); 1784 return 0; 1785 } 1786 #endif /* CONFIG_IMA_READ_POLICY */ 1787 1788 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1789 /* 1790 * ima_appraise_signature: whether IMA will appraise a given function using 1791 * an IMA digital signature. This is restricted to cases where the kernel 1792 * has a set of built-in trusted keys in order to avoid an attacker simply 1793 * loading additional keys. 1794 */ 1795 bool ima_appraise_signature(enum kernel_read_file_id id) 1796 { 1797 struct ima_rule_entry *entry; 1798 bool found = false; 1799 enum ima_hooks func; 1800 1801 if (id >= READING_MAX_ID) 1802 return false; 1803 1804 func = read_idmap[id] ?: FILE_CHECK; 1805 1806 rcu_read_lock(); 1807 list_for_each_entry_rcu(entry, ima_rules, list) { 1808 if (entry->action != APPRAISE) 1809 continue; 1810 1811 /* 1812 * A generic entry will match, but otherwise require that it 1813 * match the func we're looking for 1814 */ 1815 if (entry->func && entry->func != func) 1816 continue; 1817 1818 /* 1819 * We require this to be a digital signature, not a raw IMA 1820 * hash. 1821 */ 1822 if (entry->flags & IMA_DIGSIG_REQUIRED) 1823 found = true; 1824 1825 /* 1826 * We've found a rule that matches, so break now even if it 1827 * didn't require a digital signature - a later rule that does 1828 * won't override it, so would be a false positive. 1829 */ 1830 break; 1831 } 1832 1833 rcu_read_unlock(); 1834 return found; 1835 } 1836 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1837