1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/seq_file.h> 20 #include <linux/ima.h> 21 22 #include "ima.h" 23 24 /* flags definitions */ 25 #define IMA_FUNC 0x0001 26 #define IMA_MASK 0x0002 27 #define IMA_FSMAGIC 0x0004 28 #define IMA_UID 0x0008 29 #define IMA_FOWNER 0x0010 30 #define IMA_FSUUID 0x0020 31 #define IMA_INMASK 0x0040 32 #define IMA_EUID 0x0080 33 #define IMA_PCR 0x0100 34 #define IMA_FSNAME 0x0200 35 #define IMA_KEYRINGS 0x0400 36 #define IMA_LABEL 0x0800 37 #define IMA_VALIDATE_ALGOS 0x1000 38 #define IMA_GID 0x2000 39 #define IMA_EGID 0x4000 40 #define IMA_FGROUP 0x8000 41 42 #define UNKNOWN 0 43 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 44 #define DONT_MEASURE 0x0002 45 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 46 #define DONT_APPRAISE 0x0008 47 #define AUDIT 0x0040 48 #define HASH 0x0100 49 #define DONT_HASH 0x0200 50 51 #define INVALID_PCR(a) (((a) < 0) || \ 52 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 53 54 int ima_policy_flag; 55 static int temp_ima_appraise; 56 static int build_ima_appraise __ro_after_init; 57 58 atomic_t ima_setxattr_allowed_hash_algorithms; 59 60 #define MAX_LSM_RULES 6 61 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 62 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 63 }; 64 65 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 66 67 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 68 69 struct ima_rule_opt_list { 70 size_t count; 71 char *items[]; 72 }; 73 74 struct ima_rule_entry { 75 struct list_head list; 76 int action; 77 unsigned int flags; 78 enum ima_hooks func; 79 int mask; 80 unsigned long fsmagic; 81 uuid_t fsuuid; 82 kuid_t uid; 83 kgid_t gid; 84 kuid_t fowner; 85 kgid_t fgroup; 86 bool (*uid_op)(kuid_t cred_uid, kuid_t rule_uid); /* Handlers for operators */ 87 bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid); 88 bool (*fowner_op)(vfsuid_t vfsuid, kuid_t rule_uid); /* vfsuid_eq_kuid(), vfsuid_gt_kuid(), vfsuid_lt_kuid() */ 89 bool (*fgroup_op)(vfsgid_t vfsgid, kgid_t rule_gid); /* vfsgid_eq_kgid(), vfsgid_gt_kgid(), vfsgid_lt_kgid() */ 90 int pcr; 91 unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ 92 struct { 93 void *rule; /* LSM file metadata specific */ 94 char *args_p; /* audit value */ 95 int type; /* audit type */ 96 } lsm[MAX_LSM_RULES]; 97 char *fsname; 98 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 99 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 100 struct ima_template_desc *template; 101 }; 102 103 /* 104 * sanity check in case the kernels gains more hash algorithms that can 105 * fit in an unsigned int 106 */ 107 static_assert( 108 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, 109 "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type"); 110 111 /* 112 * Without LSM specific knowledge, the default policy can only be 113 * written in terms of .action, .func, .mask, .fsmagic, .uid, .gid, 114 * .fowner, and .fgroup 115 */ 116 117 /* 118 * The minimum rule set to allow for full TCB coverage. Measures all files 119 * opened or mmap for exec and everything read by root. Dangerous because 120 * normal users can easily run the machine out of memory simply building 121 * and running executables. 122 */ 123 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 124 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 125 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 126 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 127 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 128 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 129 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 130 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 131 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 132 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 133 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 134 .flags = IMA_FSMAGIC}, 135 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 136 .flags = IMA_FSMAGIC}, 137 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 138 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 139 }; 140 141 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 142 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 143 .flags = IMA_FUNC | IMA_MASK}, 144 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 145 .flags = IMA_FUNC | IMA_MASK}, 146 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 147 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 148 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 149 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 150 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 151 }; 152 153 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 154 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 155 .flags = IMA_FUNC | IMA_MASK}, 156 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 157 .flags = IMA_FUNC | IMA_MASK}, 158 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 159 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 160 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 161 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 162 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 163 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 164 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 165 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 166 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 167 }; 168 169 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 170 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 171 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 172 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 173 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 174 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 175 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 176 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 177 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 178 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 179 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 180 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 181 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 182 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 183 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 184 #ifdef CONFIG_IMA_WRITE_POLICY 185 {.action = APPRAISE, .func = POLICY_CHECK, 186 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 187 #endif 188 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 189 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, 190 .flags = IMA_FOWNER}, 191 #else 192 /* force signature */ 193 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, 194 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 195 #endif 196 }; 197 198 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 199 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 200 {.action = APPRAISE, .func = MODULE_CHECK, 201 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 202 #endif 203 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 204 {.action = APPRAISE, .func = FIRMWARE_CHECK, 205 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 206 #endif 207 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 208 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 209 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 210 #endif 211 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 212 {.action = APPRAISE, .func = POLICY_CHECK, 213 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 214 #endif 215 }; 216 217 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 218 {.action = APPRAISE, .func = MODULE_CHECK, 219 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 220 {.action = APPRAISE, .func = FIRMWARE_CHECK, 221 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 222 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 223 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 224 {.action = APPRAISE, .func = POLICY_CHECK, 225 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 226 }; 227 228 static struct ima_rule_entry critical_data_rules[] __ro_after_init = { 229 {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, 230 }; 231 232 /* An array of architecture specific rules */ 233 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 234 235 static LIST_HEAD(ima_default_rules); 236 static LIST_HEAD(ima_policy_rules); 237 static LIST_HEAD(ima_temp_rules); 238 static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules); 239 240 static int ima_policy __initdata; 241 242 static int __init default_measure_policy_setup(char *str) 243 { 244 if (ima_policy) 245 return 1; 246 247 ima_policy = ORIGINAL_TCB; 248 return 1; 249 } 250 __setup("ima_tcb", default_measure_policy_setup); 251 252 static bool ima_use_appraise_tcb __initdata; 253 static bool ima_use_secure_boot __initdata; 254 static bool ima_use_critical_data __initdata; 255 static bool ima_fail_unverifiable_sigs __ro_after_init; 256 static int __init policy_setup(char *str) 257 { 258 char *p; 259 260 while ((p = strsep(&str, " |\n")) != NULL) { 261 if (*p == ' ') 262 continue; 263 if ((strcmp(p, "tcb") == 0) && !ima_policy) 264 ima_policy = DEFAULT_TCB; 265 else if (strcmp(p, "appraise_tcb") == 0) 266 ima_use_appraise_tcb = true; 267 else if (strcmp(p, "secure_boot") == 0) 268 ima_use_secure_boot = true; 269 else if (strcmp(p, "critical_data") == 0) 270 ima_use_critical_data = true; 271 else if (strcmp(p, "fail_securely") == 0) 272 ima_fail_unverifiable_sigs = true; 273 else 274 pr_err("policy \"%s\" not found", p); 275 } 276 277 return 1; 278 } 279 __setup("ima_policy=", policy_setup); 280 281 static int __init default_appraise_policy_setup(char *str) 282 { 283 ima_use_appraise_tcb = true; 284 return 1; 285 } 286 __setup("ima_appraise_tcb", default_appraise_policy_setup); 287 288 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 289 { 290 struct ima_rule_opt_list *opt_list; 291 size_t count = 0; 292 char *src_copy; 293 char *cur, *next; 294 size_t i; 295 296 src_copy = match_strdup(src); 297 if (!src_copy) 298 return ERR_PTR(-ENOMEM); 299 300 next = src_copy; 301 while ((cur = strsep(&next, "|"))) { 302 /* Don't accept an empty list item */ 303 if (!(*cur)) { 304 kfree(src_copy); 305 return ERR_PTR(-EINVAL); 306 } 307 count++; 308 } 309 310 /* Don't accept an empty list */ 311 if (!count) { 312 kfree(src_copy); 313 return ERR_PTR(-EINVAL); 314 } 315 316 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 317 if (!opt_list) { 318 kfree(src_copy); 319 return ERR_PTR(-ENOMEM); 320 } 321 322 /* 323 * strsep() has already replaced all instances of '|' with '\0', 324 * leaving a byte sequence of NUL-terminated strings. Reference each 325 * string with the array of items. 326 * 327 * IMPORTANT: Ownership of the allocated buffer is transferred from 328 * src_copy to the first element in the items array. To free the 329 * buffer, kfree() must only be called on the first element of the 330 * array. 331 */ 332 for (i = 0, cur = src_copy; i < count; i++) { 333 opt_list->items[i] = cur; 334 cur = strchr(cur, '\0') + 1; 335 } 336 opt_list->count = count; 337 338 return opt_list; 339 } 340 341 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 342 { 343 if (!opt_list) 344 return; 345 346 if (opt_list->count) { 347 kfree(opt_list->items[0]); 348 opt_list->count = 0; 349 } 350 351 kfree(opt_list); 352 } 353 354 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 355 { 356 int i; 357 358 for (i = 0; i < MAX_LSM_RULES; i++) { 359 ima_filter_rule_free(entry->lsm[i].rule); 360 kfree(entry->lsm[i].args_p); 361 } 362 } 363 364 static void ima_free_rule(struct ima_rule_entry *entry) 365 { 366 if (!entry) 367 return; 368 369 /* 370 * entry->template->fields may be allocated in ima_parse_rule() but that 371 * reference is owned by the corresponding ima_template_desc element in 372 * the defined_templates list and cannot be freed here 373 */ 374 kfree(entry->fsname); 375 ima_free_rule_opt_list(entry->keyrings); 376 ima_lsm_free_rule(entry); 377 kfree(entry); 378 } 379 380 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 381 { 382 struct ima_rule_entry *nentry; 383 int i; 384 385 /* 386 * Immutable elements are copied over as pointers and data; only 387 * lsm rules can change 388 */ 389 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 390 if (!nentry) 391 return NULL; 392 393 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 394 395 for (i = 0; i < MAX_LSM_RULES; i++) { 396 if (!entry->lsm[i].args_p) 397 continue; 398 399 nentry->lsm[i].type = entry->lsm[i].type; 400 nentry->lsm[i].args_p = entry->lsm[i].args_p; 401 /* 402 * Remove the reference from entry so that the associated 403 * memory will not be freed during a later call to 404 * ima_lsm_free_rule(entry). 405 */ 406 entry->lsm[i].args_p = NULL; 407 408 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 409 nentry->lsm[i].args_p, 410 &nentry->lsm[i].rule); 411 if (!nentry->lsm[i].rule) 412 pr_warn("rule for LSM \'%s\' is undefined\n", 413 nentry->lsm[i].args_p); 414 } 415 return nentry; 416 } 417 418 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 419 { 420 struct ima_rule_entry *nentry; 421 422 nentry = ima_lsm_copy_rule(entry); 423 if (!nentry) 424 return -ENOMEM; 425 426 list_replace_rcu(&entry->list, &nentry->list); 427 synchronize_rcu(); 428 /* 429 * ima_lsm_copy_rule() shallow copied all references, except for the 430 * LSM references, from entry to nentry so we only want to free the LSM 431 * references and the entry itself. All other memory references will now 432 * be owned by nentry. 433 */ 434 ima_lsm_free_rule(entry); 435 kfree(entry); 436 437 return 0; 438 } 439 440 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 441 { 442 int i; 443 444 for (i = 0; i < MAX_LSM_RULES; i++) 445 if (entry->lsm[i].args_p) 446 return true; 447 448 return false; 449 } 450 451 /* 452 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 453 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 454 * the reloaded LSM policy. 455 */ 456 static void ima_lsm_update_rules(void) 457 { 458 struct ima_rule_entry *entry, *e; 459 int result; 460 461 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 462 if (!ima_rule_contains_lsm_cond(entry)) 463 continue; 464 465 result = ima_lsm_update_rule(entry); 466 if (result) { 467 pr_err("lsm rule update error %d\n", result); 468 return; 469 } 470 } 471 } 472 473 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 474 void *lsm_data) 475 { 476 if (event != LSM_POLICY_CHANGE) 477 return NOTIFY_DONE; 478 479 ima_lsm_update_rules(); 480 return NOTIFY_OK; 481 } 482 483 /** 484 * ima_match_rule_data - determine whether func_data matches the policy rule 485 * @rule: a pointer to a rule 486 * @func_data: data to match against the measure rule data 487 * @cred: a pointer to a credentials structure for user validation 488 * 489 * Returns true if func_data matches one in the rule, false otherwise. 490 */ 491 static bool ima_match_rule_data(struct ima_rule_entry *rule, 492 const char *func_data, 493 const struct cred *cred) 494 { 495 const struct ima_rule_opt_list *opt_list = NULL; 496 bool matched = false; 497 size_t i; 498 499 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 500 return false; 501 502 switch (rule->func) { 503 case KEY_CHECK: 504 if (!rule->keyrings) 505 return true; 506 507 opt_list = rule->keyrings; 508 break; 509 case CRITICAL_DATA: 510 if (!rule->label) 511 return true; 512 513 opt_list = rule->label; 514 break; 515 default: 516 return false; 517 } 518 519 if (!func_data) 520 return false; 521 522 for (i = 0; i < opt_list->count; i++) { 523 if (!strcmp(opt_list->items[i], func_data)) { 524 matched = true; 525 break; 526 } 527 } 528 529 return matched; 530 } 531 532 /** 533 * ima_match_rules - determine whether an inode matches the policy rule. 534 * @rule: a pointer to a rule 535 * @mnt_userns: user namespace of the mount the inode was found from 536 * @inode: a pointer to an inode 537 * @cred: a pointer to a credentials structure for user validation 538 * @secid: the secid of the task to be validated 539 * @func: LIM hook identifier 540 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 541 * @func_data: func specific data, may be NULL 542 * 543 * Returns true on rule match, false on failure. 544 */ 545 static bool ima_match_rules(struct ima_rule_entry *rule, 546 struct user_namespace *mnt_userns, 547 struct inode *inode, const struct cred *cred, 548 u32 secid, enum ima_hooks func, int mask, 549 const char *func_data) 550 { 551 int i; 552 553 if ((rule->flags & IMA_FUNC) && 554 (rule->func != func && func != POST_SETATTR)) 555 return false; 556 557 switch (func) { 558 case KEY_CHECK: 559 case CRITICAL_DATA: 560 return ((rule->func == func) && 561 ima_match_rule_data(rule, func_data, cred)); 562 default: 563 break; 564 } 565 566 if ((rule->flags & IMA_MASK) && 567 (rule->mask != mask && func != POST_SETATTR)) 568 return false; 569 if ((rule->flags & IMA_INMASK) && 570 (!(rule->mask & mask) && func != POST_SETATTR)) 571 return false; 572 if ((rule->flags & IMA_FSMAGIC) 573 && rule->fsmagic != inode->i_sb->s_magic) 574 return false; 575 if ((rule->flags & IMA_FSNAME) 576 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 577 return false; 578 if ((rule->flags & IMA_FSUUID) && 579 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 580 return false; 581 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 582 return false; 583 if (rule->flags & IMA_EUID) { 584 if (has_capability_noaudit(current, CAP_SETUID)) { 585 if (!rule->uid_op(cred->euid, rule->uid) 586 && !rule->uid_op(cred->suid, rule->uid) 587 && !rule->uid_op(cred->uid, rule->uid)) 588 return false; 589 } else if (!rule->uid_op(cred->euid, rule->uid)) 590 return false; 591 } 592 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid)) 593 return false; 594 if (rule->flags & IMA_EGID) { 595 if (has_capability_noaudit(current, CAP_SETGID)) { 596 if (!rule->gid_op(cred->egid, rule->gid) 597 && !rule->gid_op(cred->sgid, rule->gid) 598 && !rule->gid_op(cred->gid, rule->gid)) 599 return false; 600 } else if (!rule->gid_op(cred->egid, rule->gid)) 601 return false; 602 } 603 if ((rule->flags & IMA_FOWNER) && 604 !rule->fowner_op(i_uid_into_vfsuid(mnt_userns, inode), 605 rule->fowner)) 606 return false; 607 if ((rule->flags & IMA_FGROUP) && 608 !rule->fgroup_op(i_gid_into_vfsgid(mnt_userns, inode), 609 rule->fgroup)) 610 return false; 611 for (i = 0; i < MAX_LSM_RULES; i++) { 612 int rc = 0; 613 u32 osid; 614 615 if (!rule->lsm[i].rule) { 616 if (!rule->lsm[i].args_p) 617 continue; 618 else 619 return false; 620 } 621 switch (i) { 622 case LSM_OBJ_USER: 623 case LSM_OBJ_ROLE: 624 case LSM_OBJ_TYPE: 625 security_inode_getsecid(inode, &osid); 626 rc = ima_filter_rule_match(osid, rule->lsm[i].type, 627 Audit_equal, 628 rule->lsm[i].rule); 629 break; 630 case LSM_SUBJ_USER: 631 case LSM_SUBJ_ROLE: 632 case LSM_SUBJ_TYPE: 633 rc = ima_filter_rule_match(secid, rule->lsm[i].type, 634 Audit_equal, 635 rule->lsm[i].rule); 636 break; 637 default: 638 break; 639 } 640 if (!rc) 641 return false; 642 } 643 return true; 644 } 645 646 /* 647 * In addition to knowing that we need to appraise the file in general, 648 * we need to differentiate between calling hooks, for hook specific rules. 649 */ 650 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 651 { 652 if (!(rule->flags & IMA_FUNC)) 653 return IMA_FILE_APPRAISE; 654 655 switch (func) { 656 case MMAP_CHECK: 657 return IMA_MMAP_APPRAISE; 658 case BPRM_CHECK: 659 return IMA_BPRM_APPRAISE; 660 case CREDS_CHECK: 661 return IMA_CREDS_APPRAISE; 662 case FILE_CHECK: 663 case POST_SETATTR: 664 return IMA_FILE_APPRAISE; 665 case MODULE_CHECK ... MAX_CHECK - 1: 666 default: 667 return IMA_READ_APPRAISE; 668 } 669 } 670 671 /** 672 * ima_match_policy - decision based on LSM and other conditions 673 * @mnt_userns: user namespace of the mount the inode was found from 674 * @inode: pointer to an inode for which the policy decision is being made 675 * @cred: pointer to a credentials structure for which the policy decision is 676 * being made 677 * @secid: LSM secid of the task to be validated 678 * @func: IMA hook identifier 679 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 680 * @pcr: set the pcr to extend 681 * @template_desc: the template that should be used for this rule 682 * @func_data: func specific data, may be NULL 683 * @allowed_algos: allowlist of hash algorithms for the IMA xattr 684 * 685 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 686 * conditions. 687 * 688 * Since the IMA policy may be updated multiple times we need to lock the 689 * list when walking it. Reads are many orders of magnitude more numerous 690 * than writes so ima_match_policy() is classical RCU candidate. 691 */ 692 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, 693 const struct cred *cred, u32 secid, enum ima_hooks func, 694 int mask, int flags, int *pcr, 695 struct ima_template_desc **template_desc, 696 const char *func_data, unsigned int *allowed_algos) 697 { 698 struct ima_rule_entry *entry; 699 int action = 0, actmask = flags | (flags << 1); 700 struct list_head *ima_rules_tmp; 701 702 if (template_desc && !*template_desc) 703 *template_desc = ima_template_desc_current(); 704 705 rcu_read_lock(); 706 ima_rules_tmp = rcu_dereference(ima_rules); 707 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 708 709 if (!(entry->action & actmask)) 710 continue; 711 712 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, 713 func, mask, func_data)) 714 continue; 715 716 action |= entry->flags & IMA_NONACTION_FLAGS; 717 718 action |= entry->action & IMA_DO_MASK; 719 if (entry->action & IMA_APPRAISE) { 720 action |= get_subaction(entry, func); 721 action &= ~IMA_HASH; 722 if (ima_fail_unverifiable_sigs) 723 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 724 725 if (allowed_algos && 726 entry->flags & IMA_VALIDATE_ALGOS) 727 *allowed_algos = entry->allowed_algos; 728 } 729 730 if (entry->action & IMA_DO_MASK) 731 actmask &= ~(entry->action | entry->action << 1); 732 else 733 actmask &= ~(entry->action | entry->action >> 1); 734 735 if ((pcr) && (entry->flags & IMA_PCR)) 736 *pcr = entry->pcr; 737 738 if (template_desc && entry->template) 739 *template_desc = entry->template; 740 741 if (!actmask) 742 break; 743 } 744 rcu_read_unlock(); 745 746 return action; 747 } 748 749 /** 750 * ima_update_policy_flags() - Update global IMA variables 751 * 752 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms 753 * based on the currently loaded policy. 754 * 755 * With ima_policy_flag, the decision to short circuit out of a function 756 * or not call the function in the first place can be made earlier. 757 * 758 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the 759 * set of hash algorithms accepted when updating the security.ima xattr of 760 * a file. 761 * 762 * Context: called after a policy update and at system initialization. 763 */ 764 void ima_update_policy_flags(void) 765 { 766 struct ima_rule_entry *entry; 767 int new_policy_flag = 0; 768 struct list_head *ima_rules_tmp; 769 770 rcu_read_lock(); 771 ima_rules_tmp = rcu_dereference(ima_rules); 772 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 773 /* 774 * SETXATTR_CHECK rules do not implement a full policy check 775 * because rule checking would probably have an important 776 * performance impact on setxattr(). As a consequence, only one 777 * SETXATTR_CHECK can be active at a given time. 778 * Because we want to preserve that property, we set out to use 779 * atomic_cmpxchg. Either: 780 * - the atomic was non-zero: a setxattr hash policy is 781 * already enforced, we do nothing 782 * - the atomic was zero: no setxattr policy was set, enable 783 * the setxattr hash policy 784 */ 785 if (entry->func == SETXATTR_CHECK) { 786 atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms, 787 0, entry->allowed_algos); 788 /* SETXATTR_CHECK doesn't impact ima_policy_flag */ 789 continue; 790 } 791 792 if (entry->action & IMA_DO_MASK) 793 new_policy_flag |= entry->action; 794 } 795 rcu_read_unlock(); 796 797 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 798 if (!ima_appraise) 799 new_policy_flag &= ~IMA_APPRAISE; 800 801 ima_policy_flag = new_policy_flag; 802 } 803 804 static int ima_appraise_flag(enum ima_hooks func) 805 { 806 if (func == MODULE_CHECK) 807 return IMA_APPRAISE_MODULES; 808 else if (func == FIRMWARE_CHECK) 809 return IMA_APPRAISE_FIRMWARE; 810 else if (func == POLICY_CHECK) 811 return IMA_APPRAISE_POLICY; 812 else if (func == KEXEC_KERNEL_CHECK) 813 return IMA_APPRAISE_KEXEC; 814 return 0; 815 } 816 817 static void add_rules(struct ima_rule_entry *entries, int count, 818 enum policy_rule_list policy_rule) 819 { 820 int i = 0; 821 822 for (i = 0; i < count; i++) { 823 struct ima_rule_entry *entry; 824 825 if (policy_rule & IMA_DEFAULT_POLICY) 826 list_add_tail(&entries[i].list, &ima_default_rules); 827 828 if (policy_rule & IMA_CUSTOM_POLICY) { 829 entry = kmemdup(&entries[i], sizeof(*entry), 830 GFP_KERNEL); 831 if (!entry) 832 continue; 833 834 list_add_tail(&entry->list, &ima_policy_rules); 835 } 836 if (entries[i].action == APPRAISE) { 837 if (entries != build_appraise_rules) 838 temp_ima_appraise |= 839 ima_appraise_flag(entries[i].func); 840 else 841 build_ima_appraise |= 842 ima_appraise_flag(entries[i].func); 843 } 844 } 845 } 846 847 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 848 849 static int __init ima_init_arch_policy(void) 850 { 851 const char * const *arch_rules; 852 const char * const *rules; 853 int arch_entries = 0; 854 int i = 0; 855 856 arch_rules = arch_get_ima_policy(); 857 if (!arch_rules) 858 return arch_entries; 859 860 /* Get number of rules */ 861 for (rules = arch_rules; *rules != NULL; rules++) 862 arch_entries++; 863 864 arch_policy_entry = kcalloc(arch_entries + 1, 865 sizeof(*arch_policy_entry), GFP_KERNEL); 866 if (!arch_policy_entry) 867 return 0; 868 869 /* Convert each policy string rules to struct ima_rule_entry format */ 870 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 871 char rule[255]; 872 int result; 873 874 result = strscpy(rule, *rules, sizeof(rule)); 875 876 INIT_LIST_HEAD(&arch_policy_entry[i].list); 877 result = ima_parse_rule(rule, &arch_policy_entry[i]); 878 if (result) { 879 pr_warn("Skipping unknown architecture policy rule: %s\n", 880 rule); 881 memset(&arch_policy_entry[i], 0, 882 sizeof(*arch_policy_entry)); 883 continue; 884 } 885 i++; 886 } 887 return i; 888 } 889 890 /** 891 * ima_init_policy - initialize the default measure rules. 892 * 893 * ima_rules points to either the ima_default_rules or the new ima_policy_rules. 894 */ 895 void __init ima_init_policy(void) 896 { 897 int build_appraise_entries, arch_entries; 898 899 /* if !ima_policy, we load NO default rules */ 900 if (ima_policy) 901 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 902 IMA_DEFAULT_POLICY); 903 904 switch (ima_policy) { 905 case ORIGINAL_TCB: 906 add_rules(original_measurement_rules, 907 ARRAY_SIZE(original_measurement_rules), 908 IMA_DEFAULT_POLICY); 909 break; 910 case DEFAULT_TCB: 911 add_rules(default_measurement_rules, 912 ARRAY_SIZE(default_measurement_rules), 913 IMA_DEFAULT_POLICY); 914 break; 915 default: 916 break; 917 } 918 919 /* 920 * Based on runtime secure boot flags, insert arch specific measurement 921 * and appraise rules requiring file signatures for both the initial 922 * and custom policies, prior to other appraise rules. 923 * (Highest priority) 924 */ 925 arch_entries = ima_init_arch_policy(); 926 if (!arch_entries) 927 pr_info("No architecture policies found\n"); 928 else 929 add_rules(arch_policy_entry, arch_entries, 930 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 931 932 /* 933 * Insert the builtin "secure_boot" policy rules requiring file 934 * signatures, prior to other appraise rules. 935 */ 936 if (ima_use_secure_boot) 937 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 938 IMA_DEFAULT_POLICY); 939 940 /* 941 * Insert the build time appraise rules requiring file signatures 942 * for both the initial and custom policies, prior to other appraise 943 * rules. As the secure boot rules includes all of the build time 944 * rules, include either one or the other set of rules, but not both. 945 */ 946 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 947 if (build_appraise_entries) { 948 if (ima_use_secure_boot) 949 add_rules(build_appraise_rules, build_appraise_entries, 950 IMA_CUSTOM_POLICY); 951 else 952 add_rules(build_appraise_rules, build_appraise_entries, 953 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 954 } 955 956 if (ima_use_appraise_tcb) 957 add_rules(default_appraise_rules, 958 ARRAY_SIZE(default_appraise_rules), 959 IMA_DEFAULT_POLICY); 960 961 if (ima_use_critical_data) 962 add_rules(critical_data_rules, 963 ARRAY_SIZE(critical_data_rules), 964 IMA_DEFAULT_POLICY); 965 966 atomic_set(&ima_setxattr_allowed_hash_algorithms, 0); 967 968 ima_update_policy_flags(); 969 } 970 971 /* Make sure we have a valid policy, at least containing some rules. */ 972 int ima_check_policy(void) 973 { 974 if (list_empty(&ima_temp_rules)) 975 return -EINVAL; 976 return 0; 977 } 978 979 /** 980 * ima_update_policy - update default_rules with new measure rules 981 * 982 * Called on file .release to update the default rules with a complete new 983 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 984 * they make a queue. The policy may be updated multiple times and this is the 985 * RCU updater. 986 * 987 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 988 * we switch from the default policy to user defined. 989 */ 990 void ima_update_policy(void) 991 { 992 struct list_head *policy = &ima_policy_rules; 993 994 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 995 996 if (ima_rules != (struct list_head __rcu *)policy) { 997 ima_policy_flag = 0; 998 999 rcu_assign_pointer(ima_rules, policy); 1000 /* 1001 * IMA architecture specific policy rules are specified 1002 * as strings and converted to an array of ima_entry_rules 1003 * on boot. After loading a custom policy, free the 1004 * architecture specific rules stored as an array. 1005 */ 1006 kfree(arch_policy_entry); 1007 } 1008 ima_update_policy_flags(); 1009 1010 /* Custom IMA policy has been loaded */ 1011 ima_process_queued_keys(); 1012 } 1013 1014 /* Keep the enumeration in sync with the policy_tokens! */ 1015 enum policy_opt { 1016 Opt_measure, Opt_dont_measure, 1017 Opt_appraise, Opt_dont_appraise, 1018 Opt_audit, Opt_hash, Opt_dont_hash, 1019 Opt_obj_user, Opt_obj_role, Opt_obj_type, 1020 Opt_subj_user, Opt_subj_role, Opt_subj_type, 1021 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid, 1022 Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq, 1023 Opt_fowner_eq, Opt_fgroup_eq, 1024 Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt, 1025 Opt_fowner_gt, Opt_fgroup_gt, 1026 Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt, 1027 Opt_fowner_lt, Opt_fgroup_lt, 1028 Opt_digest_type, 1029 Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, 1030 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 1031 Opt_label, Opt_err 1032 }; 1033 1034 static const match_table_t policy_tokens = { 1035 {Opt_measure, "measure"}, 1036 {Opt_dont_measure, "dont_measure"}, 1037 {Opt_appraise, "appraise"}, 1038 {Opt_dont_appraise, "dont_appraise"}, 1039 {Opt_audit, "audit"}, 1040 {Opt_hash, "hash"}, 1041 {Opt_dont_hash, "dont_hash"}, 1042 {Opt_obj_user, "obj_user=%s"}, 1043 {Opt_obj_role, "obj_role=%s"}, 1044 {Opt_obj_type, "obj_type=%s"}, 1045 {Opt_subj_user, "subj_user=%s"}, 1046 {Opt_subj_role, "subj_role=%s"}, 1047 {Opt_subj_type, "subj_type=%s"}, 1048 {Opt_func, "func=%s"}, 1049 {Opt_mask, "mask=%s"}, 1050 {Opt_fsmagic, "fsmagic=%s"}, 1051 {Opt_fsname, "fsname=%s"}, 1052 {Opt_fsuuid, "fsuuid=%s"}, 1053 {Opt_uid_eq, "uid=%s"}, 1054 {Opt_euid_eq, "euid=%s"}, 1055 {Opt_gid_eq, "gid=%s"}, 1056 {Opt_egid_eq, "egid=%s"}, 1057 {Opt_fowner_eq, "fowner=%s"}, 1058 {Opt_fgroup_eq, "fgroup=%s"}, 1059 {Opt_uid_gt, "uid>%s"}, 1060 {Opt_euid_gt, "euid>%s"}, 1061 {Opt_gid_gt, "gid>%s"}, 1062 {Opt_egid_gt, "egid>%s"}, 1063 {Opt_fowner_gt, "fowner>%s"}, 1064 {Opt_fgroup_gt, "fgroup>%s"}, 1065 {Opt_uid_lt, "uid<%s"}, 1066 {Opt_euid_lt, "euid<%s"}, 1067 {Opt_gid_lt, "gid<%s"}, 1068 {Opt_egid_lt, "egid<%s"}, 1069 {Opt_fowner_lt, "fowner<%s"}, 1070 {Opt_fgroup_lt, "fgroup<%s"}, 1071 {Opt_digest_type, "digest_type=%s"}, 1072 {Opt_appraise_type, "appraise_type=%s"}, 1073 {Opt_appraise_flag, "appraise_flag=%s"}, 1074 {Opt_appraise_algos, "appraise_algos=%s"}, 1075 {Opt_permit_directio, "permit_directio"}, 1076 {Opt_pcr, "pcr=%s"}, 1077 {Opt_template, "template=%s"}, 1078 {Opt_keyrings, "keyrings=%s"}, 1079 {Opt_label, "label=%s"}, 1080 {Opt_err, NULL} 1081 }; 1082 1083 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 1084 substring_t *args, int lsm_rule, int audit_type) 1085 { 1086 int result; 1087 1088 if (entry->lsm[lsm_rule].rule) 1089 return -EINVAL; 1090 1091 entry->lsm[lsm_rule].args_p = match_strdup(args); 1092 if (!entry->lsm[lsm_rule].args_p) 1093 return -ENOMEM; 1094 1095 entry->lsm[lsm_rule].type = audit_type; 1096 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1097 entry->lsm[lsm_rule].args_p, 1098 &entry->lsm[lsm_rule].rule); 1099 if (!entry->lsm[lsm_rule].rule) { 1100 pr_warn("rule for LSM \'%s\' is undefined\n", 1101 entry->lsm[lsm_rule].args_p); 1102 1103 if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) { 1104 kfree(entry->lsm[lsm_rule].args_p); 1105 entry->lsm[lsm_rule].args_p = NULL; 1106 result = -EINVAL; 1107 } else 1108 result = 0; 1109 } 1110 1111 return result; 1112 } 1113 1114 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1115 enum policy_opt rule_operator) 1116 { 1117 if (!ab) 1118 return; 1119 1120 switch (rule_operator) { 1121 case Opt_uid_gt: 1122 case Opt_euid_gt: 1123 case Opt_gid_gt: 1124 case Opt_egid_gt: 1125 case Opt_fowner_gt: 1126 case Opt_fgroup_gt: 1127 audit_log_format(ab, "%s>", key); 1128 break; 1129 case Opt_uid_lt: 1130 case Opt_euid_lt: 1131 case Opt_gid_lt: 1132 case Opt_egid_lt: 1133 case Opt_fowner_lt: 1134 case Opt_fgroup_lt: 1135 audit_log_format(ab, "%s<", key); 1136 break; 1137 default: 1138 audit_log_format(ab, "%s=", key); 1139 } 1140 audit_log_format(ab, "%s ", value); 1141 } 1142 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1143 { 1144 ima_log_string_op(ab, key, value, Opt_err); 1145 } 1146 1147 /* 1148 * Validating the appended signature included in the measurement list requires 1149 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1150 * field). Therefore, notify the user if they have the 'modsig' field but not 1151 * the 'd-modsig' field in the template. 1152 */ 1153 static void check_template_modsig(const struct ima_template_desc *template) 1154 { 1155 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1156 bool has_modsig, has_dmodsig; 1157 static bool checked; 1158 int i; 1159 1160 /* We only need to notify the user once. */ 1161 if (checked) 1162 return; 1163 1164 has_modsig = has_dmodsig = false; 1165 for (i = 0; i < template->num_fields; i++) { 1166 if (!strcmp(template->fields[i]->field_id, "modsig")) 1167 has_modsig = true; 1168 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1169 has_dmodsig = true; 1170 } 1171 1172 if (has_modsig && !has_dmodsig) 1173 pr_notice(MSG); 1174 1175 checked = true; 1176 #undef MSG 1177 } 1178 1179 /* 1180 * Warn if the template does not contain the given field. 1181 */ 1182 static void check_template_field(const struct ima_template_desc *template, 1183 const char *field, const char *msg) 1184 { 1185 int i; 1186 1187 for (i = 0; i < template->num_fields; i++) 1188 if (!strcmp(template->fields[i]->field_id, field)) 1189 return; 1190 1191 pr_notice_once("%s", msg); 1192 } 1193 1194 static bool ima_validate_rule(struct ima_rule_entry *entry) 1195 { 1196 /* Ensure that the action is set and is compatible with the flags */ 1197 if (entry->action == UNKNOWN) 1198 return false; 1199 1200 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1201 return false; 1202 1203 if (entry->action != APPRAISE && 1204 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 1205 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1206 return false; 1207 1208 /* 1209 * The IMA_FUNC bit must be set if and only if there's a valid hook 1210 * function specified, and vice versa. Enforcing this property allows 1211 * for the NONE case below to validate a rule without an explicit hook 1212 * function. 1213 */ 1214 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1215 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1216 return false; 1217 1218 /* 1219 * Ensure that the hook function is compatible with the other 1220 * components of the rule 1221 */ 1222 switch (entry->func) { 1223 case NONE: 1224 case FILE_CHECK: 1225 case MMAP_CHECK: 1226 case BPRM_CHECK: 1227 case CREDS_CHECK: 1228 case POST_SETATTR: 1229 case FIRMWARE_CHECK: 1230 case POLICY_CHECK: 1231 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1232 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1233 IMA_INMASK | IMA_EUID | IMA_PCR | 1234 IMA_FSNAME | IMA_GID | IMA_EGID | 1235 IMA_FGROUP | IMA_DIGSIG_REQUIRED | 1236 IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | 1237 IMA_VERITY_REQUIRED)) 1238 return false; 1239 1240 break; 1241 case MODULE_CHECK: 1242 case KEXEC_KERNEL_CHECK: 1243 case KEXEC_INITRAMFS_CHECK: 1244 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1245 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1246 IMA_INMASK | IMA_EUID | IMA_PCR | 1247 IMA_FSNAME | IMA_GID | IMA_EGID | 1248 IMA_FGROUP | IMA_DIGSIG_REQUIRED | 1249 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1250 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1251 return false; 1252 1253 break; 1254 case KEXEC_CMDLINE: 1255 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1256 return false; 1257 1258 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1259 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1260 IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID | 1261 IMA_FGROUP)) 1262 return false; 1263 1264 break; 1265 case KEY_CHECK: 1266 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1267 return false; 1268 1269 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | 1270 IMA_KEYRINGS)) 1271 return false; 1272 1273 if (ima_rule_contains_lsm_cond(entry)) 1274 return false; 1275 1276 break; 1277 case CRITICAL_DATA: 1278 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1279 return false; 1280 1281 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | 1282 IMA_LABEL)) 1283 return false; 1284 1285 if (ima_rule_contains_lsm_cond(entry)) 1286 return false; 1287 1288 break; 1289 case SETXATTR_CHECK: 1290 /* any action other than APPRAISE is unsupported */ 1291 if (entry->action != APPRAISE) 1292 return false; 1293 1294 /* SETXATTR_CHECK requires an appraise_algos parameter */ 1295 if (!(entry->flags & IMA_VALIDATE_ALGOS)) 1296 return false; 1297 1298 /* 1299 * full policies are not supported, they would have too 1300 * much of a performance impact 1301 */ 1302 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) 1303 return false; 1304 1305 break; 1306 default: 1307 return false; 1308 } 1309 1310 /* Ensure that combinations of flags are compatible with each other */ 1311 if (entry->flags & IMA_CHECK_BLACKLIST && 1312 !(entry->flags & IMA_MODSIG_ALLOWED)) 1313 return false; 1314 1315 /* 1316 * Unlike for regular IMA 'appraise' policy rules where security.ima 1317 * xattr may contain either a file hash or signature, the security.ima 1318 * xattr for fsverity must contain a file signature (sigv3). Ensure 1319 * that 'appraise' rules for fsverity require file signatures by 1320 * checking the IMA_DIGSIG_REQUIRED flag is set. 1321 */ 1322 if (entry->action == APPRAISE && 1323 (entry->flags & IMA_VERITY_REQUIRED) && 1324 !(entry->flags & IMA_DIGSIG_REQUIRED)) 1325 return false; 1326 1327 return true; 1328 } 1329 1330 static unsigned int ima_parse_appraise_algos(char *arg) 1331 { 1332 unsigned int res = 0; 1333 int idx; 1334 char *token; 1335 1336 while ((token = strsep(&arg, ",")) != NULL) { 1337 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); 1338 1339 if (idx < 0) { 1340 pr_err("unknown hash algorithm \"%s\"", 1341 token); 1342 return 0; 1343 } 1344 1345 if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) { 1346 pr_err("unavailable hash algorithm \"%s\", check your kernel configuration", 1347 token); 1348 return 0; 1349 } 1350 1351 /* Add the hash algorithm to the 'allowed' bitfield */ 1352 res |= (1U << idx); 1353 } 1354 1355 return res; 1356 } 1357 1358 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1359 { 1360 struct audit_buffer *ab; 1361 char *from; 1362 char *p; 1363 bool eid_token; /* either euid or egid */ 1364 struct ima_template_desc *template_desc; 1365 int result = 0; 1366 1367 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1368 AUDIT_INTEGRITY_POLICY_RULE); 1369 1370 entry->uid = INVALID_UID; 1371 entry->gid = INVALID_GID; 1372 entry->fowner = INVALID_UID; 1373 entry->fgroup = INVALID_GID; 1374 entry->uid_op = &uid_eq; 1375 entry->gid_op = &gid_eq; 1376 entry->fowner_op = &vfsuid_eq_kuid; 1377 entry->fgroup_op = &vfsgid_eq_kgid; 1378 entry->action = UNKNOWN; 1379 while ((p = strsep(&rule, " \t")) != NULL) { 1380 substring_t args[MAX_OPT_ARGS]; 1381 int token; 1382 unsigned long lnum; 1383 1384 if (result < 0) 1385 break; 1386 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1387 continue; 1388 token = match_token(p, policy_tokens, args); 1389 switch (token) { 1390 case Opt_measure: 1391 ima_log_string(ab, "action", "measure"); 1392 1393 if (entry->action != UNKNOWN) 1394 result = -EINVAL; 1395 1396 entry->action = MEASURE; 1397 break; 1398 case Opt_dont_measure: 1399 ima_log_string(ab, "action", "dont_measure"); 1400 1401 if (entry->action != UNKNOWN) 1402 result = -EINVAL; 1403 1404 entry->action = DONT_MEASURE; 1405 break; 1406 case Opt_appraise: 1407 ima_log_string(ab, "action", "appraise"); 1408 1409 if (entry->action != UNKNOWN) 1410 result = -EINVAL; 1411 1412 entry->action = APPRAISE; 1413 break; 1414 case Opt_dont_appraise: 1415 ima_log_string(ab, "action", "dont_appraise"); 1416 1417 if (entry->action != UNKNOWN) 1418 result = -EINVAL; 1419 1420 entry->action = DONT_APPRAISE; 1421 break; 1422 case Opt_audit: 1423 ima_log_string(ab, "action", "audit"); 1424 1425 if (entry->action != UNKNOWN) 1426 result = -EINVAL; 1427 1428 entry->action = AUDIT; 1429 break; 1430 case Opt_hash: 1431 ima_log_string(ab, "action", "hash"); 1432 1433 if (entry->action != UNKNOWN) 1434 result = -EINVAL; 1435 1436 entry->action = HASH; 1437 break; 1438 case Opt_dont_hash: 1439 ima_log_string(ab, "action", "dont_hash"); 1440 1441 if (entry->action != UNKNOWN) 1442 result = -EINVAL; 1443 1444 entry->action = DONT_HASH; 1445 break; 1446 case Opt_func: 1447 ima_log_string(ab, "func", args[0].from); 1448 1449 if (entry->func) 1450 result = -EINVAL; 1451 1452 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1453 entry->func = FILE_CHECK; 1454 /* PATH_CHECK is for backwards compat */ 1455 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1456 entry->func = FILE_CHECK; 1457 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1458 entry->func = MODULE_CHECK; 1459 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1460 entry->func = FIRMWARE_CHECK; 1461 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1462 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1463 entry->func = MMAP_CHECK; 1464 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1465 entry->func = BPRM_CHECK; 1466 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1467 entry->func = CREDS_CHECK; 1468 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1469 0) 1470 entry->func = KEXEC_KERNEL_CHECK; 1471 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1472 == 0) 1473 entry->func = KEXEC_INITRAMFS_CHECK; 1474 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1475 entry->func = POLICY_CHECK; 1476 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1477 entry->func = KEXEC_CMDLINE; 1478 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1479 strcmp(args[0].from, "KEY_CHECK") == 0) 1480 entry->func = KEY_CHECK; 1481 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1482 entry->func = CRITICAL_DATA; 1483 else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0) 1484 entry->func = SETXATTR_CHECK; 1485 else 1486 result = -EINVAL; 1487 if (!result) 1488 entry->flags |= IMA_FUNC; 1489 break; 1490 case Opt_mask: 1491 ima_log_string(ab, "mask", args[0].from); 1492 1493 if (entry->mask) 1494 result = -EINVAL; 1495 1496 from = args[0].from; 1497 if (*from == '^') 1498 from++; 1499 1500 if ((strcmp(from, "MAY_EXEC")) == 0) 1501 entry->mask = MAY_EXEC; 1502 else if (strcmp(from, "MAY_WRITE") == 0) 1503 entry->mask = MAY_WRITE; 1504 else if (strcmp(from, "MAY_READ") == 0) 1505 entry->mask = MAY_READ; 1506 else if (strcmp(from, "MAY_APPEND") == 0) 1507 entry->mask = MAY_APPEND; 1508 else 1509 result = -EINVAL; 1510 if (!result) 1511 entry->flags |= (*args[0].from == '^') 1512 ? IMA_INMASK : IMA_MASK; 1513 break; 1514 case Opt_fsmagic: 1515 ima_log_string(ab, "fsmagic", args[0].from); 1516 1517 if (entry->fsmagic) { 1518 result = -EINVAL; 1519 break; 1520 } 1521 1522 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1523 if (!result) 1524 entry->flags |= IMA_FSMAGIC; 1525 break; 1526 case Opt_fsname: 1527 ima_log_string(ab, "fsname", args[0].from); 1528 1529 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1530 if (!entry->fsname) { 1531 result = -ENOMEM; 1532 break; 1533 } 1534 result = 0; 1535 entry->flags |= IMA_FSNAME; 1536 break; 1537 case Opt_keyrings: 1538 ima_log_string(ab, "keyrings", args[0].from); 1539 1540 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1541 entry->keyrings) { 1542 result = -EINVAL; 1543 break; 1544 } 1545 1546 entry->keyrings = ima_alloc_rule_opt_list(args); 1547 if (IS_ERR(entry->keyrings)) { 1548 result = PTR_ERR(entry->keyrings); 1549 entry->keyrings = NULL; 1550 break; 1551 } 1552 1553 entry->flags |= IMA_KEYRINGS; 1554 break; 1555 case Opt_label: 1556 ima_log_string(ab, "label", args[0].from); 1557 1558 if (entry->label) { 1559 result = -EINVAL; 1560 break; 1561 } 1562 1563 entry->label = ima_alloc_rule_opt_list(args); 1564 if (IS_ERR(entry->label)) { 1565 result = PTR_ERR(entry->label); 1566 entry->label = NULL; 1567 break; 1568 } 1569 1570 entry->flags |= IMA_LABEL; 1571 break; 1572 case Opt_fsuuid: 1573 ima_log_string(ab, "fsuuid", args[0].from); 1574 1575 if (!uuid_is_null(&entry->fsuuid)) { 1576 result = -EINVAL; 1577 break; 1578 } 1579 1580 result = uuid_parse(args[0].from, &entry->fsuuid); 1581 if (!result) 1582 entry->flags |= IMA_FSUUID; 1583 break; 1584 case Opt_uid_gt: 1585 case Opt_euid_gt: 1586 entry->uid_op = &uid_gt; 1587 fallthrough; 1588 case Opt_uid_lt: 1589 case Opt_euid_lt: 1590 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1591 entry->uid_op = &uid_lt; 1592 fallthrough; 1593 case Opt_uid_eq: 1594 case Opt_euid_eq: 1595 eid_token = (token == Opt_euid_eq) || 1596 (token == Opt_euid_gt) || 1597 (token == Opt_euid_lt); 1598 1599 ima_log_string_op(ab, eid_token ? "euid" : "uid", 1600 args[0].from, token); 1601 1602 if (uid_valid(entry->uid)) { 1603 result = -EINVAL; 1604 break; 1605 } 1606 1607 result = kstrtoul(args[0].from, 10, &lnum); 1608 if (!result) { 1609 entry->uid = make_kuid(current_user_ns(), 1610 (uid_t) lnum); 1611 if (!uid_valid(entry->uid) || 1612 (uid_t)lnum != lnum) 1613 result = -EINVAL; 1614 else 1615 entry->flags |= eid_token 1616 ? IMA_EUID : IMA_UID; 1617 } 1618 break; 1619 case Opt_gid_gt: 1620 case Opt_egid_gt: 1621 entry->gid_op = &gid_gt; 1622 fallthrough; 1623 case Opt_gid_lt: 1624 case Opt_egid_lt: 1625 if ((token == Opt_gid_lt) || (token == Opt_egid_lt)) 1626 entry->gid_op = &gid_lt; 1627 fallthrough; 1628 case Opt_gid_eq: 1629 case Opt_egid_eq: 1630 eid_token = (token == Opt_egid_eq) || 1631 (token == Opt_egid_gt) || 1632 (token == Opt_egid_lt); 1633 1634 ima_log_string_op(ab, eid_token ? "egid" : "gid", 1635 args[0].from, token); 1636 1637 if (gid_valid(entry->gid)) { 1638 result = -EINVAL; 1639 break; 1640 } 1641 1642 result = kstrtoul(args[0].from, 10, &lnum); 1643 if (!result) { 1644 entry->gid = make_kgid(current_user_ns(), 1645 (gid_t)lnum); 1646 if (!gid_valid(entry->gid) || 1647 (((gid_t)lnum) != lnum)) 1648 result = -EINVAL; 1649 else 1650 entry->flags |= eid_token 1651 ? IMA_EGID : IMA_GID; 1652 } 1653 break; 1654 case Opt_fowner_gt: 1655 entry->fowner_op = &vfsuid_gt_kuid; 1656 fallthrough; 1657 case Opt_fowner_lt: 1658 if (token == Opt_fowner_lt) 1659 entry->fowner_op = &vfsuid_lt_kuid; 1660 fallthrough; 1661 case Opt_fowner_eq: 1662 ima_log_string_op(ab, "fowner", args[0].from, token); 1663 1664 if (uid_valid(entry->fowner)) { 1665 result = -EINVAL; 1666 break; 1667 } 1668 1669 result = kstrtoul(args[0].from, 10, &lnum); 1670 if (!result) { 1671 entry->fowner = make_kuid(current_user_ns(), 1672 (uid_t)lnum); 1673 if (!uid_valid(entry->fowner) || 1674 (((uid_t)lnum) != lnum)) 1675 result = -EINVAL; 1676 else 1677 entry->flags |= IMA_FOWNER; 1678 } 1679 break; 1680 case Opt_fgroup_gt: 1681 entry->fgroup_op = &vfsgid_gt_kgid; 1682 fallthrough; 1683 case Opt_fgroup_lt: 1684 if (token == Opt_fgroup_lt) 1685 entry->fgroup_op = &vfsgid_lt_kgid; 1686 fallthrough; 1687 case Opt_fgroup_eq: 1688 ima_log_string_op(ab, "fgroup", args[0].from, token); 1689 1690 if (gid_valid(entry->fgroup)) { 1691 result = -EINVAL; 1692 break; 1693 } 1694 1695 result = kstrtoul(args[0].from, 10, &lnum); 1696 if (!result) { 1697 entry->fgroup = make_kgid(current_user_ns(), 1698 (gid_t)lnum); 1699 if (!gid_valid(entry->fgroup) || 1700 (((gid_t)lnum) != lnum)) 1701 result = -EINVAL; 1702 else 1703 entry->flags |= IMA_FGROUP; 1704 } 1705 break; 1706 case Opt_obj_user: 1707 ima_log_string(ab, "obj_user", args[0].from); 1708 result = ima_lsm_rule_init(entry, args, 1709 LSM_OBJ_USER, 1710 AUDIT_OBJ_USER); 1711 break; 1712 case Opt_obj_role: 1713 ima_log_string(ab, "obj_role", args[0].from); 1714 result = ima_lsm_rule_init(entry, args, 1715 LSM_OBJ_ROLE, 1716 AUDIT_OBJ_ROLE); 1717 break; 1718 case Opt_obj_type: 1719 ima_log_string(ab, "obj_type", args[0].from); 1720 result = ima_lsm_rule_init(entry, args, 1721 LSM_OBJ_TYPE, 1722 AUDIT_OBJ_TYPE); 1723 break; 1724 case Opt_subj_user: 1725 ima_log_string(ab, "subj_user", args[0].from); 1726 result = ima_lsm_rule_init(entry, args, 1727 LSM_SUBJ_USER, 1728 AUDIT_SUBJ_USER); 1729 break; 1730 case Opt_subj_role: 1731 ima_log_string(ab, "subj_role", args[0].from); 1732 result = ima_lsm_rule_init(entry, args, 1733 LSM_SUBJ_ROLE, 1734 AUDIT_SUBJ_ROLE); 1735 break; 1736 case Opt_subj_type: 1737 ima_log_string(ab, "subj_type", args[0].from); 1738 result = ima_lsm_rule_init(entry, args, 1739 LSM_SUBJ_TYPE, 1740 AUDIT_SUBJ_TYPE); 1741 break; 1742 case Opt_digest_type: 1743 ima_log_string(ab, "digest_type", args[0].from); 1744 if (entry->flags & IMA_DIGSIG_REQUIRED) 1745 result = -EINVAL; 1746 else if ((strcmp(args[0].from, "verity")) == 0) 1747 entry->flags |= IMA_VERITY_REQUIRED; 1748 else 1749 result = -EINVAL; 1750 break; 1751 case Opt_appraise_type: 1752 ima_log_string(ab, "appraise_type", args[0].from); 1753 1754 if ((strcmp(args[0].from, "imasig")) == 0) { 1755 if (entry->flags & IMA_VERITY_REQUIRED) 1756 result = -EINVAL; 1757 else 1758 entry->flags |= IMA_DIGSIG_REQUIRED; 1759 } else if (strcmp(args[0].from, "sigv3") == 0) { 1760 /* Only fsverity supports sigv3 for now */ 1761 if (entry->flags & IMA_VERITY_REQUIRED) 1762 entry->flags |= IMA_DIGSIG_REQUIRED; 1763 else 1764 result = -EINVAL; 1765 } else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1766 strcmp(args[0].from, "imasig|modsig") == 0) { 1767 if (entry->flags & IMA_VERITY_REQUIRED) 1768 result = -EINVAL; 1769 else 1770 entry->flags |= IMA_DIGSIG_REQUIRED | 1771 IMA_MODSIG_ALLOWED; 1772 } else { 1773 result = -EINVAL; 1774 } 1775 break; 1776 case Opt_appraise_flag: 1777 ima_log_string(ab, "appraise_flag", args[0].from); 1778 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1779 strstr(args[0].from, "blacklist")) 1780 entry->flags |= IMA_CHECK_BLACKLIST; 1781 else 1782 result = -EINVAL; 1783 break; 1784 case Opt_appraise_algos: 1785 ima_log_string(ab, "appraise_algos", args[0].from); 1786 1787 if (entry->allowed_algos) { 1788 result = -EINVAL; 1789 break; 1790 } 1791 1792 entry->allowed_algos = 1793 ima_parse_appraise_algos(args[0].from); 1794 /* invalid or empty list of algorithms */ 1795 if (!entry->allowed_algos) { 1796 result = -EINVAL; 1797 break; 1798 } 1799 1800 entry->flags |= IMA_VALIDATE_ALGOS; 1801 1802 break; 1803 case Opt_permit_directio: 1804 entry->flags |= IMA_PERMIT_DIRECTIO; 1805 break; 1806 case Opt_pcr: 1807 ima_log_string(ab, "pcr", args[0].from); 1808 1809 result = kstrtoint(args[0].from, 10, &entry->pcr); 1810 if (result || INVALID_PCR(entry->pcr)) 1811 result = -EINVAL; 1812 else 1813 entry->flags |= IMA_PCR; 1814 1815 break; 1816 case Opt_template: 1817 ima_log_string(ab, "template", args[0].from); 1818 if (entry->action != MEASURE) { 1819 result = -EINVAL; 1820 break; 1821 } 1822 template_desc = lookup_template_desc(args[0].from); 1823 if (!template_desc || entry->template) { 1824 result = -EINVAL; 1825 break; 1826 } 1827 1828 /* 1829 * template_desc_init_fields() does nothing if 1830 * the template is already initialised, so 1831 * it's safe to do this unconditionally 1832 */ 1833 template_desc_init_fields(template_desc->fmt, 1834 &(template_desc->fields), 1835 &(template_desc->num_fields)); 1836 entry->template = template_desc; 1837 break; 1838 case Opt_err: 1839 ima_log_string(ab, "UNKNOWN", p); 1840 result = -EINVAL; 1841 break; 1842 } 1843 } 1844 if (!result && !ima_validate_rule(entry)) 1845 result = -EINVAL; 1846 else if (entry->action == APPRAISE) 1847 temp_ima_appraise |= ima_appraise_flag(entry->func); 1848 1849 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1850 template_desc = entry->template ? entry->template : 1851 ima_template_desc_current(); 1852 check_template_modsig(template_desc); 1853 } 1854 1855 /* d-ngv2 template field recommended for unsigned fs-verity digests */ 1856 if (!result && entry->action == MEASURE && 1857 entry->flags & IMA_VERITY_REQUIRED) { 1858 template_desc = entry->template ? entry->template : 1859 ima_template_desc_current(); 1860 check_template_field(template_desc, "d-ngv2", 1861 "verity rules should include d-ngv2"); 1862 } 1863 1864 audit_log_format(ab, "res=%d", !result); 1865 audit_log_end(ab); 1866 return result; 1867 } 1868 1869 /** 1870 * ima_parse_add_rule - add a rule to ima_policy_rules 1871 * @rule - ima measurement policy rule 1872 * 1873 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1874 * Returns the length of the rule parsed, an error code on failure 1875 */ 1876 ssize_t ima_parse_add_rule(char *rule) 1877 { 1878 static const char op[] = "update_policy"; 1879 char *p; 1880 struct ima_rule_entry *entry; 1881 ssize_t result, len; 1882 int audit_info = 0; 1883 1884 p = strsep(&rule, "\n"); 1885 len = strlen(p) + 1; 1886 p += strspn(p, " \t"); 1887 1888 if (*p == '#' || *p == '\0') 1889 return len; 1890 1891 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1892 if (!entry) { 1893 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1894 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1895 return -ENOMEM; 1896 } 1897 1898 INIT_LIST_HEAD(&entry->list); 1899 1900 result = ima_parse_rule(p, entry); 1901 if (result) { 1902 ima_free_rule(entry); 1903 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1904 NULL, op, "invalid-policy", result, 1905 audit_info); 1906 return result; 1907 } 1908 1909 list_add_tail(&entry->list, &ima_temp_rules); 1910 1911 return len; 1912 } 1913 1914 /** 1915 * ima_delete_rules() called to cleanup invalid in-flight policy. 1916 * We don't need locking as we operate on the temp list, which is 1917 * different from the active one. There is also only one user of 1918 * ima_delete_rules() at a time. 1919 */ 1920 void ima_delete_rules(void) 1921 { 1922 struct ima_rule_entry *entry, *tmp; 1923 1924 temp_ima_appraise = 0; 1925 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1926 list_del(&entry->list); 1927 ima_free_rule(entry); 1928 } 1929 } 1930 1931 #define __ima_hook_stringify(func, str) (#func), 1932 1933 const char *const func_tokens[] = { 1934 __ima_hooks(__ima_hook_stringify) 1935 }; 1936 1937 #ifdef CONFIG_IMA_READ_POLICY 1938 enum { 1939 mask_exec = 0, mask_write, mask_read, mask_append 1940 }; 1941 1942 static const char *const mask_tokens[] = { 1943 "^MAY_EXEC", 1944 "^MAY_WRITE", 1945 "^MAY_READ", 1946 "^MAY_APPEND" 1947 }; 1948 1949 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1950 { 1951 loff_t l = *pos; 1952 struct ima_rule_entry *entry; 1953 struct list_head *ima_rules_tmp; 1954 1955 rcu_read_lock(); 1956 ima_rules_tmp = rcu_dereference(ima_rules); 1957 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 1958 if (!l--) { 1959 rcu_read_unlock(); 1960 return entry; 1961 } 1962 } 1963 rcu_read_unlock(); 1964 return NULL; 1965 } 1966 1967 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1968 { 1969 struct ima_rule_entry *entry = v; 1970 1971 rcu_read_lock(); 1972 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1973 rcu_read_unlock(); 1974 (*pos)++; 1975 1976 return (&entry->list == &ima_default_rules || 1977 &entry->list == &ima_policy_rules) ? NULL : entry; 1978 } 1979 1980 void ima_policy_stop(struct seq_file *m, void *v) 1981 { 1982 } 1983 1984 #define pt(token) policy_tokens[token].pattern 1985 #define mt(token) mask_tokens[token] 1986 1987 /* 1988 * policy_func_show - display the ima_hooks policy rule 1989 */ 1990 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1991 { 1992 if (func > 0 && func < MAX_CHECK) 1993 seq_printf(m, "func=%s ", func_tokens[func]); 1994 else 1995 seq_printf(m, "func=%d ", func); 1996 } 1997 1998 static void ima_show_rule_opt_list(struct seq_file *m, 1999 const struct ima_rule_opt_list *opt_list) 2000 { 2001 size_t i; 2002 2003 for (i = 0; i < opt_list->count; i++) 2004 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 2005 } 2006 2007 static void ima_policy_show_appraise_algos(struct seq_file *m, 2008 unsigned int allowed_hashes) 2009 { 2010 int idx, list_size = 0; 2011 2012 for (idx = 0; idx < HASH_ALGO__LAST; idx++) { 2013 if (!(allowed_hashes & (1U << idx))) 2014 continue; 2015 2016 /* only add commas if the list contains multiple entries */ 2017 if (list_size++) 2018 seq_puts(m, ","); 2019 2020 seq_puts(m, hash_algo_name[idx]); 2021 } 2022 } 2023 2024 int ima_policy_show(struct seq_file *m, void *v) 2025 { 2026 struct ima_rule_entry *entry = v; 2027 int i; 2028 char tbuf[64] = {0,}; 2029 int offset = 0; 2030 2031 rcu_read_lock(); 2032 2033 /* Do not print rules with inactive LSM labels */ 2034 for (i = 0; i < MAX_LSM_RULES; i++) { 2035 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { 2036 rcu_read_unlock(); 2037 return 0; 2038 } 2039 } 2040 2041 if (entry->action & MEASURE) 2042 seq_puts(m, pt(Opt_measure)); 2043 if (entry->action & DONT_MEASURE) 2044 seq_puts(m, pt(Opt_dont_measure)); 2045 if (entry->action & APPRAISE) 2046 seq_puts(m, pt(Opt_appraise)); 2047 if (entry->action & DONT_APPRAISE) 2048 seq_puts(m, pt(Opt_dont_appraise)); 2049 if (entry->action & AUDIT) 2050 seq_puts(m, pt(Opt_audit)); 2051 if (entry->action & HASH) 2052 seq_puts(m, pt(Opt_hash)); 2053 if (entry->action & DONT_HASH) 2054 seq_puts(m, pt(Opt_dont_hash)); 2055 2056 seq_puts(m, " "); 2057 2058 if (entry->flags & IMA_FUNC) 2059 policy_func_show(m, entry->func); 2060 2061 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 2062 if (entry->flags & IMA_MASK) 2063 offset = 1; 2064 if (entry->mask & MAY_EXEC) 2065 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 2066 if (entry->mask & MAY_WRITE) 2067 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 2068 if (entry->mask & MAY_READ) 2069 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 2070 if (entry->mask & MAY_APPEND) 2071 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 2072 seq_puts(m, " "); 2073 } 2074 2075 if (entry->flags & IMA_FSMAGIC) { 2076 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 2077 seq_printf(m, pt(Opt_fsmagic), tbuf); 2078 seq_puts(m, " "); 2079 } 2080 2081 if (entry->flags & IMA_FSNAME) { 2082 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 2083 seq_printf(m, pt(Opt_fsname), tbuf); 2084 seq_puts(m, " "); 2085 } 2086 2087 if (entry->flags & IMA_KEYRINGS) { 2088 seq_puts(m, "keyrings="); 2089 ima_show_rule_opt_list(m, entry->keyrings); 2090 seq_puts(m, " "); 2091 } 2092 2093 if (entry->flags & IMA_LABEL) { 2094 seq_puts(m, "label="); 2095 ima_show_rule_opt_list(m, entry->label); 2096 seq_puts(m, " "); 2097 } 2098 2099 if (entry->flags & IMA_PCR) { 2100 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 2101 seq_printf(m, pt(Opt_pcr), tbuf); 2102 seq_puts(m, " "); 2103 } 2104 2105 if (entry->flags & IMA_FSUUID) { 2106 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 2107 seq_puts(m, " "); 2108 } 2109 2110 if (entry->flags & IMA_UID) { 2111 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 2112 if (entry->uid_op == &uid_gt) 2113 seq_printf(m, pt(Opt_uid_gt), tbuf); 2114 else if (entry->uid_op == &uid_lt) 2115 seq_printf(m, pt(Opt_uid_lt), tbuf); 2116 else 2117 seq_printf(m, pt(Opt_uid_eq), tbuf); 2118 seq_puts(m, " "); 2119 } 2120 2121 if (entry->flags & IMA_EUID) { 2122 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 2123 if (entry->uid_op == &uid_gt) 2124 seq_printf(m, pt(Opt_euid_gt), tbuf); 2125 else if (entry->uid_op == &uid_lt) 2126 seq_printf(m, pt(Opt_euid_lt), tbuf); 2127 else 2128 seq_printf(m, pt(Opt_euid_eq), tbuf); 2129 seq_puts(m, " "); 2130 } 2131 2132 if (entry->flags & IMA_GID) { 2133 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); 2134 if (entry->gid_op == &gid_gt) 2135 seq_printf(m, pt(Opt_gid_gt), tbuf); 2136 else if (entry->gid_op == &gid_lt) 2137 seq_printf(m, pt(Opt_gid_lt), tbuf); 2138 else 2139 seq_printf(m, pt(Opt_gid_eq), tbuf); 2140 seq_puts(m, " "); 2141 } 2142 2143 if (entry->flags & IMA_EGID) { 2144 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); 2145 if (entry->gid_op == &gid_gt) 2146 seq_printf(m, pt(Opt_egid_gt), tbuf); 2147 else if (entry->gid_op == &gid_lt) 2148 seq_printf(m, pt(Opt_egid_lt), tbuf); 2149 else 2150 seq_printf(m, pt(Opt_egid_eq), tbuf); 2151 seq_puts(m, " "); 2152 } 2153 2154 if (entry->flags & IMA_FOWNER) { 2155 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 2156 if (entry->fowner_op == &vfsuid_gt_kuid) 2157 seq_printf(m, pt(Opt_fowner_gt), tbuf); 2158 else if (entry->fowner_op == &vfsuid_lt_kuid) 2159 seq_printf(m, pt(Opt_fowner_lt), tbuf); 2160 else 2161 seq_printf(m, pt(Opt_fowner_eq), tbuf); 2162 seq_puts(m, " "); 2163 } 2164 2165 if (entry->flags & IMA_FGROUP) { 2166 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); 2167 if (entry->fgroup_op == &vfsgid_gt_kgid) 2168 seq_printf(m, pt(Opt_fgroup_gt), tbuf); 2169 else if (entry->fgroup_op == &vfsgid_lt_kgid) 2170 seq_printf(m, pt(Opt_fgroup_lt), tbuf); 2171 else 2172 seq_printf(m, pt(Opt_fgroup_eq), tbuf); 2173 seq_puts(m, " "); 2174 } 2175 2176 if (entry->flags & IMA_VALIDATE_ALGOS) { 2177 seq_puts(m, "appraise_algos="); 2178 ima_policy_show_appraise_algos(m, entry->allowed_algos); 2179 seq_puts(m, " "); 2180 } 2181 2182 for (i = 0; i < MAX_LSM_RULES; i++) { 2183 if (entry->lsm[i].rule) { 2184 switch (i) { 2185 case LSM_OBJ_USER: 2186 seq_printf(m, pt(Opt_obj_user), 2187 entry->lsm[i].args_p); 2188 break; 2189 case LSM_OBJ_ROLE: 2190 seq_printf(m, pt(Opt_obj_role), 2191 entry->lsm[i].args_p); 2192 break; 2193 case LSM_OBJ_TYPE: 2194 seq_printf(m, pt(Opt_obj_type), 2195 entry->lsm[i].args_p); 2196 break; 2197 case LSM_SUBJ_USER: 2198 seq_printf(m, pt(Opt_subj_user), 2199 entry->lsm[i].args_p); 2200 break; 2201 case LSM_SUBJ_ROLE: 2202 seq_printf(m, pt(Opt_subj_role), 2203 entry->lsm[i].args_p); 2204 break; 2205 case LSM_SUBJ_TYPE: 2206 seq_printf(m, pt(Opt_subj_type), 2207 entry->lsm[i].args_p); 2208 break; 2209 } 2210 seq_puts(m, " "); 2211 } 2212 } 2213 if (entry->template) 2214 seq_printf(m, "template=%s ", entry->template->name); 2215 if (entry->flags & IMA_DIGSIG_REQUIRED) { 2216 if (entry->flags & IMA_VERITY_REQUIRED) 2217 seq_puts(m, "appraise_type=sigv3 "); 2218 else if (entry->flags & IMA_MODSIG_ALLOWED) 2219 seq_puts(m, "appraise_type=imasig|modsig "); 2220 else 2221 seq_puts(m, "appraise_type=imasig "); 2222 } 2223 if (entry->flags & IMA_VERITY_REQUIRED) 2224 seq_puts(m, "digest_type=verity "); 2225 if (entry->flags & IMA_CHECK_BLACKLIST) 2226 seq_puts(m, "appraise_flag=check_blacklist "); 2227 if (entry->flags & IMA_PERMIT_DIRECTIO) 2228 seq_puts(m, "permit_directio "); 2229 rcu_read_unlock(); 2230 seq_puts(m, "\n"); 2231 return 0; 2232 } 2233 #endif /* CONFIG_IMA_READ_POLICY */ 2234 2235 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 2236 /* 2237 * ima_appraise_signature: whether IMA will appraise a given function using 2238 * an IMA digital signature. This is restricted to cases where the kernel 2239 * has a set of built-in trusted keys in order to avoid an attacker simply 2240 * loading additional keys. 2241 */ 2242 bool ima_appraise_signature(enum kernel_read_file_id id) 2243 { 2244 struct ima_rule_entry *entry; 2245 bool found = false; 2246 enum ima_hooks func; 2247 struct list_head *ima_rules_tmp; 2248 2249 if (id >= READING_MAX_ID) 2250 return false; 2251 2252 if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) 2253 && security_locked_down(LOCKDOWN_KEXEC)) 2254 return false; 2255 2256 func = read_idmap[id] ?: FILE_CHECK; 2257 2258 rcu_read_lock(); 2259 ima_rules_tmp = rcu_dereference(ima_rules); 2260 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 2261 if (entry->action != APPRAISE) 2262 continue; 2263 2264 /* 2265 * A generic entry will match, but otherwise require that it 2266 * match the func we're looking for 2267 */ 2268 if (entry->func && entry->func != func) 2269 continue; 2270 2271 /* 2272 * We require this to be a digital signature, not a raw IMA 2273 * hash. 2274 */ 2275 if (entry->flags & IMA_DIGSIG_REQUIRED) 2276 found = true; 2277 2278 /* 2279 * We've found a rule that matches, so break now even if it 2280 * didn't require a digital signature - a later rule that does 2281 * won't override it, so would be a false positive. 2282 */ 2283 break; 2284 } 2285 2286 rcu_read_unlock(); 2287 return found; 2288 } 2289 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 2290