1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/seq_file.h> 20 #include <linux/ima.h> 21 22 #include "ima.h" 23 24 /* flags definitions */ 25 #define IMA_FUNC 0x0001 26 #define IMA_MASK 0x0002 27 #define IMA_FSMAGIC 0x0004 28 #define IMA_UID 0x0008 29 #define IMA_FOWNER 0x0010 30 #define IMA_FSUUID 0x0020 31 #define IMA_INMASK 0x0040 32 #define IMA_EUID 0x0080 33 #define IMA_PCR 0x0100 34 #define IMA_FSNAME 0x0200 35 #define IMA_KEYRINGS 0x0400 36 #define IMA_LABEL 0x0800 37 #define IMA_VALIDATE_ALGOS 0x1000 38 #define IMA_GID 0x2000 39 #define IMA_EGID 0x4000 40 #define IMA_FGROUP 0x8000 41 #define IMA_FS_SUBTYPE 0x10000 42 43 #define UNKNOWN 0 44 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 45 #define DONT_MEASURE 0x0002 46 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 47 #define DONT_APPRAISE 0x0008 48 #define AUDIT 0x0040 49 #define DONT_AUDIT 0x0080 50 #define HASH 0x0100 51 #define DONT_HASH 0x0200 52 53 #define INVALID_PCR(a) (((a) < 0) || \ 54 (a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8)) 55 56 int ima_policy_flag; 57 static int temp_ima_appraise; 58 static int build_ima_appraise __ro_after_init; 59 60 atomic_t ima_setxattr_allowed_hash_algorithms; 61 62 #define MAX_LSM_RULES 6 63 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 64 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 65 }; 66 67 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 68 69 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 70 71 struct ima_rule_opt_list { 72 size_t count; 73 char *items[] __counted_by(count); 74 }; 75 76 /* 77 * These comparators are needed nowhere outside of ima so just define them here. 78 * This pattern should hopefully never be needed outside of ima. 79 */ 80 static inline bool vfsuid_gt_kuid(vfsuid_t vfsuid, kuid_t kuid) 81 { 82 return __vfsuid_val(vfsuid) > __kuid_val(kuid); 83 } 84 85 static inline bool vfsgid_gt_kgid(vfsgid_t vfsgid, kgid_t kgid) 86 { 87 return __vfsgid_val(vfsgid) > __kgid_val(kgid); 88 } 89 90 static inline bool vfsuid_lt_kuid(vfsuid_t vfsuid, kuid_t kuid) 91 { 92 return __vfsuid_val(vfsuid) < __kuid_val(kuid); 93 } 94 95 static inline bool vfsgid_lt_kgid(vfsgid_t vfsgid, kgid_t kgid) 96 { 97 return __vfsgid_val(vfsgid) < __kgid_val(kgid); 98 } 99 100 struct ima_rule_entry { 101 struct list_head list; 102 int action; 103 unsigned int flags; 104 enum ima_hooks func; 105 int mask; 106 unsigned long fsmagic; 107 uuid_t fsuuid; 108 kuid_t uid; 109 kgid_t gid; 110 kuid_t fowner; 111 kgid_t fgroup; 112 bool (*uid_op)(kuid_t cred_uid, kuid_t rule_uid); /* Handlers for operators */ 113 bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid); 114 bool (*fowner_op)(vfsuid_t vfsuid, kuid_t rule_uid); /* vfsuid_eq_kuid(), vfsuid_gt_kuid(), vfsuid_lt_kuid() */ 115 bool (*fgroup_op)(vfsgid_t vfsgid, kgid_t rule_gid); /* vfsgid_eq_kgid(), vfsgid_gt_kgid(), vfsgid_lt_kgid() */ 116 int pcr; 117 unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ 118 struct { 119 void *rule; /* LSM file metadata specific */ 120 char *args_p; /* audit value */ 121 int type; /* audit type */ 122 } lsm[MAX_LSM_RULES]; 123 char *fsname; 124 char *fs_subtype; 125 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 126 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 127 struct ima_template_desc *template; 128 }; 129 130 /* 131 * sanity check in case the kernels gains more hash algorithms that can 132 * fit in an unsigned int 133 */ 134 static_assert( 135 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, 136 "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type"); 137 138 /* 139 * Without LSM specific knowledge, the default policy can only be 140 * written in terms of .action, .func, .mask, .fsmagic, .uid, .gid, 141 * .fowner, and .fgroup 142 */ 143 144 /* 145 * The minimum rule set to allow for full TCB coverage. Measures all files 146 * opened or mmap for exec and everything read by root. Dangerous because 147 * normal users can easily run the machine out of memory simply building 148 * and running executables. 149 */ 150 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 151 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK, 155 .flags = IMA_FSMAGIC | IMA_FUNC}, 156 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 158 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 159 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 160 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 161 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 162 .flags = IMA_FSMAGIC}, 163 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 164 .flags = IMA_FSMAGIC}, 165 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 166 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 167 }; 168 169 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 170 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 171 .flags = IMA_FUNC | IMA_MASK}, 172 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 173 .flags = IMA_FUNC | IMA_MASK}, 174 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 175 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 176 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 177 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 178 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 179 }; 180 181 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 182 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 183 .flags = IMA_FUNC | IMA_MASK}, 184 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 185 .flags = IMA_FUNC | IMA_MASK}, 186 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 187 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 188 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 189 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 190 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 191 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 192 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 193 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 194 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 195 }; 196 197 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 198 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 199 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 200 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 201 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 202 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 203 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 204 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 205 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 206 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 207 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 208 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 209 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 210 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 211 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 212 #ifdef CONFIG_IMA_WRITE_POLICY 213 {.action = APPRAISE, .func = POLICY_CHECK, 214 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 215 #endif 216 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 217 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, 218 .flags = IMA_FOWNER}, 219 #else 220 /* force signature */ 221 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, 222 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 223 #endif 224 }; 225 226 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 227 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 228 {.action = APPRAISE, .func = MODULE_CHECK, 229 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 230 #endif 231 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 232 {.action = APPRAISE, .func = FIRMWARE_CHECK, 233 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 234 #endif 235 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 236 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 237 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 238 #endif 239 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 240 {.action = APPRAISE, .func = POLICY_CHECK, 241 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 242 #endif 243 }; 244 245 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 246 {.action = APPRAISE, .func = MODULE_CHECK, 247 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 248 IMA_CHECK_BLACKLIST}, 249 {.action = APPRAISE, .func = FIRMWARE_CHECK, 250 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 251 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 252 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 253 {.action = APPRAISE, .func = POLICY_CHECK, 254 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 255 }; 256 257 static struct ima_rule_entry critical_data_rules[] __ro_after_init = { 258 {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, 259 }; 260 261 /* An array of architecture specific rules */ 262 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 263 264 static LIST_HEAD(ima_default_rules); 265 static LIST_HEAD(ima_policy_rules); 266 static LIST_HEAD(ima_temp_rules); 267 static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules); 268 269 static int ima_policy __initdata; 270 271 static int __init default_measure_policy_setup(char *str) 272 { 273 if (ima_policy) 274 return 1; 275 276 ima_policy = ORIGINAL_TCB; 277 return 1; 278 } 279 __setup("ima_tcb", default_measure_policy_setup); 280 281 static bool ima_use_appraise_tcb __initdata; 282 static bool ima_use_secure_boot __initdata; 283 static bool ima_use_critical_data __initdata; 284 static bool ima_fail_unverifiable_sigs __ro_after_init; 285 static int __init policy_setup(char *str) 286 { 287 char *p; 288 289 while ((p = strsep(&str, " |\n")) != NULL) { 290 if (*p == ' ') 291 continue; 292 if ((strcmp(p, "tcb") == 0) && !ima_policy) 293 ima_policy = DEFAULT_TCB; 294 else if (strcmp(p, "appraise_tcb") == 0) 295 ima_use_appraise_tcb = true; 296 else if (strcmp(p, "secure_boot") == 0) 297 ima_use_secure_boot = true; 298 else if (strcmp(p, "critical_data") == 0) 299 ima_use_critical_data = true; 300 else if (strcmp(p, "fail_securely") == 0) 301 ima_fail_unverifiable_sigs = true; 302 else 303 pr_err("policy \"%s\" not found", p); 304 } 305 306 return 1; 307 } 308 __setup("ima_policy=", policy_setup); 309 310 static int __init default_appraise_policy_setup(char *str) 311 { 312 ima_use_appraise_tcb = true; 313 return 1; 314 } 315 __setup("ima_appraise_tcb", default_appraise_policy_setup); 316 317 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 318 { 319 struct ima_rule_opt_list *opt_list; 320 size_t count = 0; 321 char *src_copy; 322 char *cur, *next; 323 size_t i; 324 325 src_copy = match_strdup(src); 326 if (!src_copy) 327 return ERR_PTR(-ENOMEM); 328 329 next = src_copy; 330 while ((cur = strsep(&next, "|"))) { 331 /* Don't accept an empty list item */ 332 if (!(*cur)) { 333 kfree(src_copy); 334 return ERR_PTR(-EINVAL); 335 } 336 count++; 337 } 338 339 /* Don't accept an empty list */ 340 if (!count) { 341 kfree(src_copy); 342 return ERR_PTR(-EINVAL); 343 } 344 345 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 346 if (!opt_list) { 347 kfree(src_copy); 348 return ERR_PTR(-ENOMEM); 349 } 350 opt_list->count = count; 351 352 /* 353 * strsep() has already replaced all instances of '|' with '\0', 354 * leaving a byte sequence of NUL-terminated strings. Reference each 355 * string with the array of items. 356 * 357 * IMPORTANT: Ownership of the allocated buffer is transferred from 358 * src_copy to the first element in the items array. To free the 359 * buffer, kfree() must only be called on the first element of the 360 * array. 361 */ 362 for (i = 0, cur = src_copy; i < count; i++) { 363 opt_list->items[i] = cur; 364 cur = strchr(cur, '\0') + 1; 365 } 366 367 return opt_list; 368 } 369 370 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 371 { 372 if (!opt_list) 373 return; 374 375 if (opt_list->count) { 376 kfree(opt_list->items[0]); 377 opt_list->count = 0; 378 } 379 380 kfree(opt_list); 381 } 382 383 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 384 { 385 int i; 386 387 for (i = 0; i < MAX_LSM_RULES; i++) { 388 ima_filter_rule_free(entry->lsm[i].rule); 389 kfree(entry->lsm[i].args_p); 390 } 391 } 392 393 static void ima_free_rule(struct ima_rule_entry *entry) 394 { 395 if (!entry) 396 return; 397 398 /* 399 * entry->template->fields may be allocated in ima_parse_rule() but that 400 * reference is owned by the corresponding ima_template_desc element in 401 * the defined_templates list and cannot be freed here 402 */ 403 kfree(entry->fsname); 404 kfree(entry->fs_subtype); 405 ima_free_rule_opt_list(entry->keyrings); 406 ima_lsm_free_rule(entry); 407 kfree(entry); 408 } 409 410 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, 411 gfp_t gfp) 412 { 413 struct ima_rule_entry *nentry; 414 int i; 415 416 /* 417 * Immutable elements are copied over as pointers and data; only 418 * lsm rules can change 419 */ 420 nentry = kmemdup(entry, sizeof(*nentry), gfp); 421 if (!nentry) 422 return NULL; 423 424 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 425 426 for (i = 0; i < MAX_LSM_RULES; i++) { 427 if (!entry->lsm[i].args_p) 428 continue; 429 430 nentry->lsm[i].type = entry->lsm[i].type; 431 nentry->lsm[i].args_p = entry->lsm[i].args_p; 432 433 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 434 nentry->lsm[i].args_p, 435 &nentry->lsm[i].rule, 436 gfp); 437 if (!nentry->lsm[i].rule) 438 pr_warn("rule for LSM \'%s\' is undefined\n", 439 nentry->lsm[i].args_p); 440 } 441 return nentry; 442 } 443 444 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 445 { 446 int i; 447 struct ima_rule_entry *nentry; 448 449 nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); 450 if (!nentry) 451 return -ENOMEM; 452 453 list_replace_rcu(&entry->list, &nentry->list); 454 synchronize_rcu(); 455 /* 456 * ima_lsm_copy_rule() shallow copied all references, except for the 457 * LSM references, from entry to nentry so we only want to free the LSM 458 * references and the entry itself. All other memory references will now 459 * be owned by nentry. 460 */ 461 for (i = 0; i < MAX_LSM_RULES; i++) 462 ima_filter_rule_free(entry->lsm[i].rule); 463 kfree(entry); 464 465 return 0; 466 } 467 468 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 469 { 470 int i; 471 472 for (i = 0; i < MAX_LSM_RULES; i++) 473 if (entry->lsm[i].args_p) 474 return true; 475 476 return false; 477 } 478 479 /* 480 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 481 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 482 * the reloaded LSM policy. 483 */ 484 static void ima_lsm_update_rules(void) 485 { 486 struct ima_rule_entry *entry, *e; 487 int result; 488 489 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 490 if (!ima_rule_contains_lsm_cond(entry)) 491 continue; 492 493 result = ima_lsm_update_rule(entry); 494 if (result) { 495 pr_err("lsm rule update error %d\n", result); 496 return; 497 } 498 } 499 } 500 501 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 502 void *lsm_data) 503 { 504 if (event != LSM_POLICY_CHANGE) 505 return NOTIFY_DONE; 506 507 ima_lsm_update_rules(); 508 return NOTIFY_OK; 509 } 510 511 /** 512 * ima_match_rule_data - determine whether func_data matches the policy rule 513 * @rule: a pointer to a rule 514 * @func_data: data to match against the measure rule data 515 * @cred: a pointer to a credentials structure for user validation 516 * 517 * Returns true if func_data matches one in the rule, false otherwise. 518 */ 519 static bool ima_match_rule_data(struct ima_rule_entry *rule, 520 const char *func_data, 521 const struct cred *cred) 522 { 523 const struct ima_rule_opt_list *opt_list = NULL; 524 bool matched = false; 525 size_t i; 526 527 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 528 return false; 529 530 switch (rule->func) { 531 case KEY_CHECK: 532 if (!rule->keyrings) 533 return true; 534 535 opt_list = rule->keyrings; 536 break; 537 case CRITICAL_DATA: 538 if (!rule->label) 539 return true; 540 541 opt_list = rule->label; 542 break; 543 default: 544 return false; 545 } 546 547 if (!func_data) 548 return false; 549 550 for (i = 0; i < opt_list->count; i++) { 551 if (!strcmp(opt_list->items[i], func_data)) { 552 matched = true; 553 break; 554 } 555 } 556 557 return matched; 558 } 559 560 /** 561 * ima_match_rules - determine whether an inode matches the policy rule. 562 * @rule: a pointer to a rule 563 * @idmap: idmap of the mount the inode was found from 564 * @inode: a pointer to an inode 565 * @cred: a pointer to a credentials structure for user validation 566 * @prop: LSM properties of the task to be validated 567 * @func: LIM hook identifier 568 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 569 * @func_data: func specific data, may be NULL 570 * 571 * Returns true on rule match, false on failure. 572 */ 573 static bool ima_match_rules(struct ima_rule_entry *rule, 574 struct mnt_idmap *idmap, 575 struct inode *inode, const struct cred *cred, 576 struct lsm_prop *prop, enum ima_hooks func, int mask, 577 const char *func_data) 578 { 579 int i; 580 bool result = false; 581 struct ima_rule_entry *lsm_rule = rule; 582 bool rule_reinitialized = false; 583 584 if ((rule->flags & IMA_FUNC) && 585 (rule->func != func && func != POST_SETATTR)) 586 return false; 587 588 switch (func) { 589 case KEY_CHECK: 590 case CRITICAL_DATA: 591 return ((rule->func == func) && 592 ima_match_rule_data(rule, func_data, cred)); 593 default: 594 break; 595 } 596 597 if ((rule->flags & IMA_MASK) && 598 (rule->mask != mask && func != POST_SETATTR)) 599 return false; 600 if ((rule->flags & IMA_INMASK) && 601 (!(rule->mask & mask) && func != POST_SETATTR)) 602 return false; 603 if ((rule->flags & IMA_FSMAGIC) 604 && rule->fsmagic != inode->i_sb->s_magic) 605 return false; 606 if ((rule->flags & IMA_FSNAME) 607 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 608 return false; 609 if (rule->flags & IMA_FS_SUBTYPE) { 610 if (!inode->i_sb->s_subtype) 611 return false; 612 if (strcmp(rule->fs_subtype, inode->i_sb->s_subtype)) 613 return false; 614 } 615 if ((rule->flags & IMA_FSUUID) && 616 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 617 return false; 618 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 619 return false; 620 if (rule->flags & IMA_EUID) { 621 if (has_capability_noaudit(current, CAP_SETUID)) { 622 if (!rule->uid_op(cred->euid, rule->uid) 623 && !rule->uid_op(cred->suid, rule->uid) 624 && !rule->uid_op(cred->uid, rule->uid)) 625 return false; 626 } else if (!rule->uid_op(cred->euid, rule->uid)) 627 return false; 628 } 629 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid)) 630 return false; 631 if (rule->flags & IMA_EGID) { 632 if (has_capability_noaudit(current, CAP_SETGID)) { 633 if (!rule->gid_op(cred->egid, rule->gid) 634 && !rule->gid_op(cred->sgid, rule->gid) 635 && !rule->gid_op(cred->gid, rule->gid)) 636 return false; 637 } else if (!rule->gid_op(cred->egid, rule->gid)) 638 return false; 639 } 640 if ((rule->flags & IMA_FOWNER) && 641 !rule->fowner_op(i_uid_into_vfsuid(idmap, inode), 642 rule->fowner)) 643 return false; 644 if ((rule->flags & IMA_FGROUP) && 645 !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode), 646 rule->fgroup)) 647 return false; 648 for (i = 0; i < MAX_LSM_RULES; i++) { 649 int rc = 0; 650 struct lsm_prop inode_prop = { }; 651 652 if (!lsm_rule->lsm[i].rule) { 653 if (!lsm_rule->lsm[i].args_p) 654 continue; 655 else 656 return false; 657 } 658 659 retry: 660 switch (i) { 661 case LSM_OBJ_USER: 662 case LSM_OBJ_ROLE: 663 case LSM_OBJ_TYPE: 664 security_inode_getlsmprop(inode, &inode_prop); 665 rc = ima_filter_rule_match(&inode_prop, 666 lsm_rule->lsm[i].type, 667 Audit_equal, 668 lsm_rule->lsm[i].rule); 669 break; 670 case LSM_SUBJ_USER: 671 case LSM_SUBJ_ROLE: 672 case LSM_SUBJ_TYPE: 673 rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type, 674 Audit_equal, 675 lsm_rule->lsm[i].rule); 676 break; 677 default: 678 break; 679 } 680 681 if (rc == -ESTALE && !rule_reinitialized) { 682 lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); 683 if (lsm_rule) { 684 rule_reinitialized = true; 685 goto retry; 686 } 687 } 688 if (rc <= 0) { 689 result = false; 690 goto out; 691 } 692 } 693 result = true; 694 695 out: 696 if (rule_reinitialized) { 697 for (i = 0; i < MAX_LSM_RULES; i++) 698 ima_filter_rule_free(lsm_rule->lsm[i].rule); 699 kfree(lsm_rule); 700 } 701 return result; 702 } 703 704 /* 705 * In addition to knowing that we need to appraise the file in general, 706 * we need to differentiate between calling hooks, for hook specific rules. 707 */ 708 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 709 { 710 if (!(rule->flags & IMA_FUNC)) 711 return IMA_FILE_APPRAISE; 712 713 switch (func) { 714 case MMAP_CHECK: 715 case MMAP_CHECK_REQPROT: 716 return IMA_MMAP_APPRAISE; 717 case BPRM_CHECK: 718 return IMA_BPRM_APPRAISE; 719 case CREDS_CHECK: 720 return IMA_CREDS_APPRAISE; 721 case FILE_CHECK: 722 case POST_SETATTR: 723 return IMA_FILE_APPRAISE; 724 case MODULE_CHECK ... MAX_CHECK - 1: 725 default: 726 return IMA_READ_APPRAISE; 727 } 728 } 729 730 /** 731 * ima_match_policy - decision based on LSM and other conditions 732 * @idmap: idmap of the mount the inode was found from 733 * @inode: pointer to an inode for which the policy decision is being made 734 * @cred: pointer to a credentials structure for which the policy decision is 735 * being made 736 * @prop: LSM properties of the task to be validated 737 * @func: IMA hook identifier 738 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 739 * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) 740 * @pcr: set the pcr to extend 741 * @template_desc: the template that should be used for this rule 742 * @func_data: func specific data, may be NULL 743 * @allowed_algos: allowlist of hash algorithms for the IMA xattr 744 * 745 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 746 * conditions. 747 * 748 * Since the IMA policy may be updated multiple times we need to lock the 749 * list when walking it. Reads are many orders of magnitude more numerous 750 * than writes so ima_match_policy() is classical RCU candidate. 751 */ 752 int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, 753 const struct cred *cred, struct lsm_prop *prop, 754 enum ima_hooks func, int mask, int flags, int *pcr, 755 struct ima_template_desc **template_desc, 756 const char *func_data, unsigned int *allowed_algos) 757 { 758 struct ima_rule_entry *entry; 759 int action = 0, actmask = flags | (flags << 1); 760 struct list_head *ima_rules_tmp; 761 762 if (template_desc && !*template_desc) 763 *template_desc = ima_template_desc_current(); 764 765 rcu_read_lock(); 766 ima_rules_tmp = rcu_dereference(ima_rules); 767 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 768 769 if (!(entry->action & actmask)) 770 continue; 771 772 if (!ima_match_rules(entry, idmap, inode, cred, prop, 773 func, mask, func_data)) 774 continue; 775 776 action |= entry->flags & IMA_NONACTION_FLAGS; 777 778 action |= entry->action & IMA_DO_MASK; 779 if (entry->action & IMA_APPRAISE) { 780 action |= get_subaction(entry, func); 781 action &= ~IMA_HASH; 782 if (ima_fail_unverifiable_sigs) 783 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 784 785 if (allowed_algos && 786 entry->flags & IMA_VALIDATE_ALGOS) 787 *allowed_algos = entry->allowed_algos; 788 } 789 790 if (entry->action & IMA_DO_MASK) 791 actmask &= ~(entry->action | entry->action << 1); 792 else 793 actmask &= ~(entry->action | entry->action >> 1); 794 795 if ((pcr) && (entry->flags & IMA_PCR)) 796 *pcr = entry->pcr; 797 798 if (template_desc && entry->template) 799 *template_desc = entry->template; 800 801 if (!actmask) 802 break; 803 } 804 rcu_read_unlock(); 805 806 return action; 807 } 808 809 /** 810 * ima_update_policy_flags() - Update global IMA variables 811 * 812 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms 813 * based on the currently loaded policy. 814 * 815 * With ima_policy_flag, the decision to short circuit out of a function 816 * or not call the function in the first place can be made earlier. 817 * 818 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the 819 * set of hash algorithms accepted when updating the security.ima xattr of 820 * a file. 821 * 822 * Context: called after a policy update and at system initialization. 823 */ 824 void ima_update_policy_flags(void) 825 { 826 struct ima_rule_entry *entry; 827 int new_policy_flag = 0; 828 struct list_head *ima_rules_tmp; 829 830 rcu_read_lock(); 831 ima_rules_tmp = rcu_dereference(ima_rules); 832 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 833 /* 834 * SETXATTR_CHECK rules do not implement a full policy check 835 * because rule checking would probably have an important 836 * performance impact on setxattr(). As a consequence, only one 837 * SETXATTR_CHECK can be active at a given time. 838 * Because we want to preserve that property, we set out to use 839 * atomic_cmpxchg. Either: 840 * - the atomic was non-zero: a setxattr hash policy is 841 * already enforced, we do nothing 842 * - the atomic was zero: no setxattr policy was set, enable 843 * the setxattr hash policy 844 */ 845 if (entry->func == SETXATTR_CHECK) { 846 atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms, 847 0, entry->allowed_algos); 848 /* SETXATTR_CHECK doesn't impact ima_policy_flag */ 849 continue; 850 } 851 852 if (entry->action & IMA_DO_MASK) 853 new_policy_flag |= entry->action; 854 } 855 rcu_read_unlock(); 856 857 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 858 if (!ima_appraise) 859 new_policy_flag &= ~IMA_APPRAISE; 860 861 ima_policy_flag = new_policy_flag; 862 } 863 864 static int ima_appraise_flag(enum ima_hooks func) 865 { 866 if (func == MODULE_CHECK) 867 return IMA_APPRAISE_MODULES; 868 else if (func == FIRMWARE_CHECK) 869 return IMA_APPRAISE_FIRMWARE; 870 else if (func == POLICY_CHECK) 871 return IMA_APPRAISE_POLICY; 872 else if (func == KEXEC_KERNEL_CHECK) 873 return IMA_APPRAISE_KEXEC; 874 return 0; 875 } 876 877 static void add_rules(struct ima_rule_entry *entries, int count, 878 enum policy_rule_list policy_rule) 879 { 880 int i = 0; 881 882 for (i = 0; i < count; i++) { 883 struct ima_rule_entry *entry; 884 885 if (policy_rule & IMA_DEFAULT_POLICY) 886 list_add_tail(&entries[i].list, &ima_default_rules); 887 888 if (policy_rule & IMA_CUSTOM_POLICY) { 889 entry = kmemdup(&entries[i], sizeof(*entry), 890 GFP_KERNEL); 891 if (!entry) 892 continue; 893 894 list_add_tail(&entry->list, &ima_policy_rules); 895 } 896 if (entries[i].action == APPRAISE) { 897 if (entries != build_appraise_rules) 898 temp_ima_appraise |= 899 ima_appraise_flag(entries[i].func); 900 else 901 build_ima_appraise |= 902 ima_appraise_flag(entries[i].func); 903 } 904 } 905 } 906 907 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 908 909 static int __init ima_init_arch_policy(void) 910 { 911 const char * const *arch_rules; 912 const char * const *rules; 913 int arch_entries = 0; 914 int i = 0; 915 916 arch_rules = arch_get_ima_policy(); 917 if (!arch_rules) 918 return arch_entries; 919 920 /* Get number of rules */ 921 for (rules = arch_rules; *rules != NULL; rules++) 922 arch_entries++; 923 924 arch_policy_entry = kcalloc(arch_entries + 1, 925 sizeof(*arch_policy_entry), GFP_KERNEL); 926 if (!arch_policy_entry) 927 return 0; 928 929 /* Convert each policy string rules to struct ima_rule_entry format */ 930 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 931 char rule[255]; 932 int result; 933 934 result = strscpy(rule, *rules, sizeof(rule)); 935 936 INIT_LIST_HEAD(&arch_policy_entry[i].list); 937 result = ima_parse_rule(rule, &arch_policy_entry[i]); 938 if (result) { 939 pr_warn("Skipping unknown architecture policy rule: %s\n", 940 rule); 941 memset(&arch_policy_entry[i], 0, 942 sizeof(*arch_policy_entry)); 943 continue; 944 } 945 i++; 946 } 947 return i; 948 } 949 950 /** 951 * ima_init_policy - initialize the default measure rules. 952 * 953 * ima_rules points to either the ima_default_rules or the new ima_policy_rules. 954 */ 955 void __init ima_init_policy(void) 956 { 957 int build_appraise_entries, arch_entries; 958 959 /* if !ima_policy, we load NO default rules */ 960 if (ima_policy) 961 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 962 IMA_DEFAULT_POLICY); 963 964 switch (ima_policy) { 965 case ORIGINAL_TCB: 966 add_rules(original_measurement_rules, 967 ARRAY_SIZE(original_measurement_rules), 968 IMA_DEFAULT_POLICY); 969 break; 970 case DEFAULT_TCB: 971 add_rules(default_measurement_rules, 972 ARRAY_SIZE(default_measurement_rules), 973 IMA_DEFAULT_POLICY); 974 break; 975 default: 976 break; 977 } 978 979 /* 980 * Based on runtime secure boot flags, insert arch specific measurement 981 * and appraise rules requiring file signatures for both the initial 982 * and custom policies, prior to other appraise rules. 983 * (Highest priority) 984 */ 985 arch_entries = ima_init_arch_policy(); 986 if (!arch_entries) 987 pr_info("No architecture policies found\n"); 988 else 989 add_rules(arch_policy_entry, arch_entries, 990 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 991 992 /* 993 * Insert the builtin "secure_boot" policy rules requiring file 994 * signatures, prior to other appraise rules. 995 */ 996 if (ima_use_secure_boot) 997 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 998 IMA_DEFAULT_POLICY); 999 1000 /* 1001 * Insert the build time appraise rules requiring file signatures 1002 * for both the initial and custom policies, prior to other appraise 1003 * rules. As the secure boot rules includes all of the build time 1004 * rules, include either one or the other set of rules, but not both. 1005 */ 1006 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 1007 if (build_appraise_entries) { 1008 if (ima_use_secure_boot) 1009 add_rules(build_appraise_rules, build_appraise_entries, 1010 IMA_CUSTOM_POLICY); 1011 else 1012 add_rules(build_appraise_rules, build_appraise_entries, 1013 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 1014 } 1015 1016 if (ima_use_appraise_tcb) 1017 add_rules(default_appraise_rules, 1018 ARRAY_SIZE(default_appraise_rules), 1019 IMA_DEFAULT_POLICY); 1020 1021 if (ima_use_critical_data) 1022 add_rules(critical_data_rules, 1023 ARRAY_SIZE(critical_data_rules), 1024 IMA_DEFAULT_POLICY); 1025 1026 atomic_set(&ima_setxattr_allowed_hash_algorithms, 0); 1027 1028 ima_update_policy_flags(); 1029 } 1030 1031 /* Make sure we have a valid policy, at least containing some rules. */ 1032 int ima_check_policy(void) 1033 { 1034 if (list_empty(&ima_temp_rules)) 1035 return -EINVAL; 1036 return 0; 1037 } 1038 1039 /** 1040 * ima_update_policy - update default_rules with new measure rules 1041 * 1042 * Called on file .release to update the default rules with a complete new 1043 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 1044 * they make a queue. The policy may be updated multiple times and this is the 1045 * RCU updater. 1046 * 1047 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 1048 * we switch from the default policy to user defined. 1049 */ 1050 void ima_update_policy(void) 1051 { 1052 struct list_head *policy = &ima_policy_rules; 1053 1054 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 1055 1056 if (ima_rules != (struct list_head __rcu *)policy) { 1057 ima_policy_flag = 0; 1058 1059 rcu_assign_pointer(ima_rules, policy); 1060 /* 1061 * IMA architecture specific policy rules are specified 1062 * as strings and converted to an array of ima_entry_rules 1063 * on boot. After loading a custom policy, free the 1064 * architecture specific rules stored as an array. 1065 */ 1066 kfree(arch_policy_entry); 1067 } 1068 ima_update_policy_flags(); 1069 1070 /* Custom IMA policy has been loaded */ 1071 ima_process_queued_keys(); 1072 } 1073 1074 /* Keep the enumeration in sync with the policy_tokens! */ 1075 enum policy_opt { 1076 Opt_measure, Opt_dont_measure, 1077 Opt_appraise, Opt_dont_appraise, 1078 Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash, 1079 Opt_obj_user, Opt_obj_role, Opt_obj_type, 1080 Opt_subj_user, Opt_subj_role, Opt_subj_type, 1081 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fs_subtype, Opt_fsuuid, 1082 Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq, 1083 Opt_fowner_eq, Opt_fgroup_eq, 1084 Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt, 1085 Opt_fowner_gt, Opt_fgroup_gt, 1086 Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt, 1087 Opt_fowner_lt, Opt_fgroup_lt, 1088 Opt_digest_type, 1089 Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, 1090 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 1091 Opt_label, Opt_err 1092 }; 1093 1094 static const match_table_t policy_tokens = { 1095 {Opt_measure, "measure"}, 1096 {Opt_dont_measure, "dont_measure"}, 1097 {Opt_appraise, "appraise"}, 1098 {Opt_dont_appraise, "dont_appraise"}, 1099 {Opt_audit, "audit"}, 1100 {Opt_dont_audit, "dont_audit"}, 1101 {Opt_hash, "hash"}, 1102 {Opt_dont_hash, "dont_hash"}, 1103 {Opt_obj_user, "obj_user=%s"}, 1104 {Opt_obj_role, "obj_role=%s"}, 1105 {Opt_obj_type, "obj_type=%s"}, 1106 {Opt_subj_user, "subj_user=%s"}, 1107 {Opt_subj_role, "subj_role=%s"}, 1108 {Opt_subj_type, "subj_type=%s"}, 1109 {Opt_func, "func=%s"}, 1110 {Opt_mask, "mask=%s"}, 1111 {Opt_fsmagic, "fsmagic=%s"}, 1112 {Opt_fsname, "fsname=%s"}, 1113 {Opt_fs_subtype, "fs_subtype=%s"}, 1114 {Opt_fsuuid, "fsuuid=%s"}, 1115 {Opt_uid_eq, "uid=%s"}, 1116 {Opt_euid_eq, "euid=%s"}, 1117 {Opt_gid_eq, "gid=%s"}, 1118 {Opt_egid_eq, "egid=%s"}, 1119 {Opt_fowner_eq, "fowner=%s"}, 1120 {Opt_fgroup_eq, "fgroup=%s"}, 1121 {Opt_uid_gt, "uid>%s"}, 1122 {Opt_euid_gt, "euid>%s"}, 1123 {Opt_gid_gt, "gid>%s"}, 1124 {Opt_egid_gt, "egid>%s"}, 1125 {Opt_fowner_gt, "fowner>%s"}, 1126 {Opt_fgroup_gt, "fgroup>%s"}, 1127 {Opt_uid_lt, "uid<%s"}, 1128 {Opt_euid_lt, "euid<%s"}, 1129 {Opt_gid_lt, "gid<%s"}, 1130 {Opt_egid_lt, "egid<%s"}, 1131 {Opt_fowner_lt, "fowner<%s"}, 1132 {Opt_fgroup_lt, "fgroup<%s"}, 1133 {Opt_digest_type, "digest_type=%s"}, 1134 {Opt_appraise_type, "appraise_type=%s"}, 1135 {Opt_appraise_flag, "appraise_flag=%s"}, 1136 {Opt_appraise_algos, "appraise_algos=%s"}, 1137 {Opt_permit_directio, "permit_directio"}, 1138 {Opt_pcr, "pcr=%s"}, 1139 {Opt_template, "template=%s"}, 1140 {Opt_keyrings, "keyrings=%s"}, 1141 {Opt_label, "label=%s"}, 1142 {Opt_err, NULL} 1143 }; 1144 1145 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 1146 substring_t *args, int lsm_rule, int audit_type) 1147 { 1148 int result; 1149 1150 if (entry->lsm[lsm_rule].rule) 1151 return -EINVAL; 1152 1153 entry->lsm[lsm_rule].args_p = match_strdup(args); 1154 if (!entry->lsm[lsm_rule].args_p) 1155 return -ENOMEM; 1156 1157 entry->lsm[lsm_rule].type = audit_type; 1158 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1159 entry->lsm[lsm_rule].args_p, 1160 &entry->lsm[lsm_rule].rule, 1161 GFP_KERNEL); 1162 if (!entry->lsm[lsm_rule].rule) { 1163 pr_warn("rule for LSM \'%s\' is undefined\n", 1164 entry->lsm[lsm_rule].args_p); 1165 1166 if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) { 1167 kfree(entry->lsm[lsm_rule].args_p); 1168 entry->lsm[lsm_rule].args_p = NULL; 1169 result = -EINVAL; 1170 } else 1171 result = 0; 1172 } 1173 1174 return result; 1175 } 1176 1177 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1178 enum policy_opt rule_operator) 1179 { 1180 if (!ab) 1181 return; 1182 1183 switch (rule_operator) { 1184 case Opt_uid_gt: 1185 case Opt_euid_gt: 1186 case Opt_gid_gt: 1187 case Opt_egid_gt: 1188 case Opt_fowner_gt: 1189 case Opt_fgroup_gt: 1190 audit_log_format(ab, "%s>", key); 1191 break; 1192 case Opt_uid_lt: 1193 case Opt_euid_lt: 1194 case Opt_gid_lt: 1195 case Opt_egid_lt: 1196 case Opt_fowner_lt: 1197 case Opt_fgroup_lt: 1198 audit_log_format(ab, "%s<", key); 1199 break; 1200 default: 1201 audit_log_format(ab, "%s=", key); 1202 } 1203 audit_log_format(ab, "%s ", value); 1204 } 1205 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1206 { 1207 ima_log_string_op(ab, key, value, Opt_err); 1208 } 1209 1210 /* 1211 * Validating the appended signature included in the measurement list requires 1212 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1213 * field). Therefore, notify the user if they have the 'modsig' field but not 1214 * the 'd-modsig' field in the template. 1215 */ 1216 static void check_template_modsig(const struct ima_template_desc *template) 1217 { 1218 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1219 bool has_modsig, has_dmodsig; 1220 static bool checked; 1221 int i; 1222 1223 /* We only need to notify the user once. */ 1224 if (checked) 1225 return; 1226 1227 has_modsig = has_dmodsig = false; 1228 for (i = 0; i < template->num_fields; i++) { 1229 if (!strcmp(template->fields[i]->field_id, "modsig")) 1230 has_modsig = true; 1231 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1232 has_dmodsig = true; 1233 } 1234 1235 if (has_modsig && !has_dmodsig) 1236 pr_notice(MSG); 1237 1238 checked = true; 1239 #undef MSG 1240 } 1241 1242 /* 1243 * Warn if the template does not contain the given field. 1244 */ 1245 static void check_template_field(const struct ima_template_desc *template, 1246 const char *field, const char *msg) 1247 { 1248 int i; 1249 1250 for (i = 0; i < template->num_fields; i++) 1251 if (!strcmp(template->fields[i]->field_id, field)) 1252 return; 1253 1254 pr_notice_once("%s", msg); 1255 } 1256 1257 static bool ima_validate_rule(struct ima_rule_entry *entry) 1258 { 1259 /* Ensure that the action is set and is compatible with the flags */ 1260 if (entry->action == UNKNOWN) 1261 return false; 1262 1263 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1264 return false; 1265 1266 if (entry->action != APPRAISE && 1267 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 1268 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1269 return false; 1270 1271 /* 1272 * The IMA_FUNC bit must be set if and only if there's a valid hook 1273 * function specified, and vice versa. Enforcing this property allows 1274 * for the NONE case below to validate a rule without an explicit hook 1275 * function. 1276 */ 1277 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1278 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1279 return false; 1280 1281 /* 1282 * Ensure that the hook function is compatible with the other 1283 * components of the rule 1284 */ 1285 switch (entry->func) { 1286 case NONE: 1287 case FILE_CHECK: 1288 case MMAP_CHECK: 1289 case MMAP_CHECK_REQPROT: 1290 case BPRM_CHECK: 1291 case CREDS_CHECK: 1292 case POST_SETATTR: 1293 case FIRMWARE_CHECK: 1294 case POLICY_CHECK: 1295 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1296 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1297 IMA_INMASK | IMA_EUID | IMA_PCR | 1298 IMA_FSNAME | IMA_FS_SUBTYPE | 1299 IMA_GID | IMA_EGID | 1300 IMA_FGROUP | IMA_DIGSIG_REQUIRED | 1301 IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | 1302 IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED)) 1303 return false; 1304 1305 break; 1306 case MODULE_CHECK: 1307 case KEXEC_KERNEL_CHECK: 1308 case KEXEC_INITRAMFS_CHECK: 1309 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1310 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1311 IMA_INMASK | IMA_EUID | IMA_PCR | 1312 IMA_FSNAME | IMA_FS_SUBTYPE | 1313 IMA_GID | IMA_EGID | 1314 IMA_FGROUP | IMA_DIGSIG_REQUIRED | 1315 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1316 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1317 return false; 1318 1319 break; 1320 case KEXEC_CMDLINE: 1321 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1322 return false; 1323 1324 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1325 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1326 IMA_PCR | IMA_FSNAME | IMA_FS_SUBTYPE | 1327 IMA_GID | IMA_EGID | 1328 IMA_FGROUP)) 1329 return false; 1330 1331 break; 1332 case KEY_CHECK: 1333 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1334 return false; 1335 1336 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | 1337 IMA_KEYRINGS)) 1338 return false; 1339 1340 if (ima_rule_contains_lsm_cond(entry)) 1341 return false; 1342 1343 break; 1344 case CRITICAL_DATA: 1345 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1346 return false; 1347 1348 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | 1349 IMA_LABEL)) 1350 return false; 1351 1352 if (ima_rule_contains_lsm_cond(entry)) 1353 return false; 1354 1355 break; 1356 case SETXATTR_CHECK: 1357 /* any action other than APPRAISE is unsupported */ 1358 if (entry->action != APPRAISE) 1359 return false; 1360 1361 /* SETXATTR_CHECK requires an appraise_algos parameter */ 1362 if (!(entry->flags & IMA_VALIDATE_ALGOS)) 1363 return false; 1364 1365 /* 1366 * full policies are not supported, they would have too 1367 * much of a performance impact 1368 */ 1369 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) 1370 return false; 1371 1372 break; 1373 default: 1374 return false; 1375 } 1376 1377 /* Ensure that combinations of flags are compatible with each other */ 1378 if (entry->flags & IMA_CHECK_BLACKLIST && 1379 !(entry->flags & IMA_DIGSIG_REQUIRED)) 1380 return false; 1381 1382 /* 1383 * Unlike for regular IMA 'appraise' policy rules where security.ima 1384 * xattr may contain either a file hash or signature, the security.ima 1385 * xattr for fsverity must contain a file signature (sigv3). Ensure 1386 * that 'appraise' rules for fsverity require file signatures by 1387 * checking the IMA_DIGSIG_REQUIRED flag is set. 1388 */ 1389 if (entry->action == APPRAISE && 1390 (entry->flags & IMA_VERITY_REQUIRED) && 1391 !(entry->flags & IMA_DIGSIG_REQUIRED)) 1392 return false; 1393 1394 return true; 1395 } 1396 1397 static unsigned int ima_parse_appraise_algos(char *arg) 1398 { 1399 unsigned int res = 0; 1400 int idx; 1401 char *token; 1402 1403 while ((token = strsep(&arg, ",")) != NULL) { 1404 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); 1405 1406 if (idx < 0) { 1407 pr_err("unknown hash algorithm \"%s\"", 1408 token); 1409 return 0; 1410 } 1411 1412 if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) { 1413 pr_err("unavailable hash algorithm \"%s\", check your kernel configuration", 1414 token); 1415 return 0; 1416 } 1417 1418 /* Add the hash algorithm to the 'allowed' bitfield */ 1419 res |= (1U << idx); 1420 } 1421 1422 return res; 1423 } 1424 1425 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1426 { 1427 struct audit_buffer *ab; 1428 char *from; 1429 char *p; 1430 bool eid_token; /* either euid or egid */ 1431 struct ima_template_desc *template_desc; 1432 int result = 0; 1433 1434 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1435 AUDIT_INTEGRITY_POLICY_RULE); 1436 1437 entry->uid = INVALID_UID; 1438 entry->gid = INVALID_GID; 1439 entry->fowner = INVALID_UID; 1440 entry->fgroup = INVALID_GID; 1441 entry->uid_op = &uid_eq; 1442 entry->gid_op = &gid_eq; 1443 entry->fowner_op = &vfsuid_eq_kuid; 1444 entry->fgroup_op = &vfsgid_eq_kgid; 1445 entry->action = UNKNOWN; 1446 while ((p = strsep(&rule, " \t")) != NULL) { 1447 substring_t args[MAX_OPT_ARGS]; 1448 int token; 1449 unsigned long lnum; 1450 1451 if (result < 0 || *p == '#') /* ignore suffixed comment */ 1452 break; 1453 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1454 continue; 1455 token = match_token(p, policy_tokens, args); 1456 switch (token) { 1457 case Opt_measure: 1458 ima_log_string(ab, "action", "measure"); 1459 1460 if (entry->action != UNKNOWN) 1461 result = -EINVAL; 1462 1463 entry->action = MEASURE; 1464 break; 1465 case Opt_dont_measure: 1466 ima_log_string(ab, "action", "dont_measure"); 1467 1468 if (entry->action != UNKNOWN) 1469 result = -EINVAL; 1470 1471 entry->action = DONT_MEASURE; 1472 break; 1473 case Opt_appraise: 1474 ima_log_string(ab, "action", "appraise"); 1475 1476 if (entry->action != UNKNOWN) 1477 result = -EINVAL; 1478 1479 entry->action = APPRAISE; 1480 break; 1481 case Opt_dont_appraise: 1482 ima_log_string(ab, "action", "dont_appraise"); 1483 1484 if (entry->action != UNKNOWN) 1485 result = -EINVAL; 1486 1487 entry->action = DONT_APPRAISE; 1488 break; 1489 case Opt_audit: 1490 ima_log_string(ab, "action", "audit"); 1491 1492 if (entry->action != UNKNOWN) 1493 result = -EINVAL; 1494 1495 entry->action = AUDIT; 1496 break; 1497 case Opt_dont_audit: 1498 ima_log_string(ab, "action", "dont_audit"); 1499 1500 if (entry->action != UNKNOWN) 1501 result = -EINVAL; 1502 1503 entry->action = DONT_AUDIT; 1504 break; 1505 case Opt_hash: 1506 ima_log_string(ab, "action", "hash"); 1507 1508 if (entry->action != UNKNOWN) 1509 result = -EINVAL; 1510 1511 entry->action = HASH; 1512 break; 1513 case Opt_dont_hash: 1514 ima_log_string(ab, "action", "dont_hash"); 1515 1516 if (entry->action != UNKNOWN) 1517 result = -EINVAL; 1518 1519 entry->action = DONT_HASH; 1520 break; 1521 case Opt_func: 1522 ima_log_string(ab, "func", args[0].from); 1523 1524 if (entry->func) 1525 result = -EINVAL; 1526 1527 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1528 entry->func = FILE_CHECK; 1529 /* PATH_CHECK is for backwards compat */ 1530 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1531 entry->func = FILE_CHECK; 1532 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1533 entry->func = MODULE_CHECK; 1534 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1535 entry->func = FIRMWARE_CHECK; 1536 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1537 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1538 entry->func = MMAP_CHECK; 1539 else if ((strcmp(args[0].from, "MMAP_CHECK_REQPROT") == 0)) 1540 entry->func = MMAP_CHECK_REQPROT; 1541 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1542 entry->func = BPRM_CHECK; 1543 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1544 entry->func = CREDS_CHECK; 1545 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1546 0) 1547 entry->func = KEXEC_KERNEL_CHECK; 1548 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1549 == 0) 1550 entry->func = KEXEC_INITRAMFS_CHECK; 1551 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1552 entry->func = POLICY_CHECK; 1553 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1554 entry->func = KEXEC_CMDLINE; 1555 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1556 strcmp(args[0].from, "KEY_CHECK") == 0) 1557 entry->func = KEY_CHECK; 1558 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1559 entry->func = CRITICAL_DATA; 1560 else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0) 1561 entry->func = SETXATTR_CHECK; 1562 else 1563 result = -EINVAL; 1564 if (!result) 1565 entry->flags |= IMA_FUNC; 1566 break; 1567 case Opt_mask: 1568 ima_log_string(ab, "mask", args[0].from); 1569 1570 if (entry->mask) 1571 result = -EINVAL; 1572 1573 from = args[0].from; 1574 if (*from == '^') 1575 from++; 1576 1577 if ((strcmp(from, "MAY_EXEC")) == 0) 1578 entry->mask = MAY_EXEC; 1579 else if (strcmp(from, "MAY_WRITE") == 0) 1580 entry->mask = MAY_WRITE; 1581 else if (strcmp(from, "MAY_READ") == 0) 1582 entry->mask = MAY_READ; 1583 else if (strcmp(from, "MAY_APPEND") == 0) 1584 entry->mask = MAY_APPEND; 1585 else 1586 result = -EINVAL; 1587 if (!result) 1588 entry->flags |= (*args[0].from == '^') 1589 ? IMA_INMASK : IMA_MASK; 1590 break; 1591 case Opt_fsmagic: 1592 ima_log_string(ab, "fsmagic", args[0].from); 1593 1594 if (entry->fsmagic) { 1595 result = -EINVAL; 1596 break; 1597 } 1598 1599 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1600 if (!result) 1601 entry->flags |= IMA_FSMAGIC; 1602 break; 1603 case Opt_fsname: 1604 ima_log_string(ab, "fsname", args[0].from); 1605 1606 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1607 if (!entry->fsname) { 1608 result = -ENOMEM; 1609 break; 1610 } 1611 result = 0; 1612 entry->flags |= IMA_FSNAME; 1613 break; 1614 case Opt_fs_subtype: 1615 ima_log_string(ab, "fs_subtype", args[0].from); 1616 1617 if (entry->fs_subtype) { 1618 result = -EINVAL; 1619 break; 1620 } 1621 1622 entry->fs_subtype = kstrdup(args[0].from, GFP_KERNEL); 1623 if (!entry->fs_subtype) { 1624 result = -ENOMEM; 1625 break; 1626 } 1627 result = 0; 1628 entry->flags |= IMA_FS_SUBTYPE; 1629 break; 1630 case Opt_keyrings: 1631 ima_log_string(ab, "keyrings", args[0].from); 1632 1633 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1634 entry->keyrings) { 1635 result = -EINVAL; 1636 break; 1637 } 1638 1639 entry->keyrings = ima_alloc_rule_opt_list(args); 1640 if (IS_ERR(entry->keyrings)) { 1641 result = PTR_ERR(entry->keyrings); 1642 entry->keyrings = NULL; 1643 break; 1644 } 1645 1646 entry->flags |= IMA_KEYRINGS; 1647 break; 1648 case Opt_label: 1649 ima_log_string(ab, "label", args[0].from); 1650 1651 if (entry->label) { 1652 result = -EINVAL; 1653 break; 1654 } 1655 1656 entry->label = ima_alloc_rule_opt_list(args); 1657 if (IS_ERR(entry->label)) { 1658 result = PTR_ERR(entry->label); 1659 entry->label = NULL; 1660 break; 1661 } 1662 1663 entry->flags |= IMA_LABEL; 1664 break; 1665 case Opt_fsuuid: 1666 ima_log_string(ab, "fsuuid", args[0].from); 1667 1668 if (!uuid_is_null(&entry->fsuuid)) { 1669 result = -EINVAL; 1670 break; 1671 } 1672 1673 result = uuid_parse(args[0].from, &entry->fsuuid); 1674 if (!result) 1675 entry->flags |= IMA_FSUUID; 1676 break; 1677 case Opt_uid_gt: 1678 case Opt_euid_gt: 1679 entry->uid_op = &uid_gt; 1680 fallthrough; 1681 case Opt_uid_lt: 1682 case Opt_euid_lt: 1683 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1684 entry->uid_op = &uid_lt; 1685 fallthrough; 1686 case Opt_uid_eq: 1687 case Opt_euid_eq: 1688 eid_token = (token == Opt_euid_eq) || 1689 (token == Opt_euid_gt) || 1690 (token == Opt_euid_lt); 1691 1692 ima_log_string_op(ab, eid_token ? "euid" : "uid", 1693 args[0].from, token); 1694 1695 if (uid_valid(entry->uid)) { 1696 result = -EINVAL; 1697 break; 1698 } 1699 1700 result = kstrtoul(args[0].from, 10, &lnum); 1701 if (!result) { 1702 entry->uid = make_kuid(current_user_ns(), 1703 (uid_t) lnum); 1704 if (!uid_valid(entry->uid) || 1705 (uid_t)lnum != lnum) 1706 result = -EINVAL; 1707 else 1708 entry->flags |= eid_token 1709 ? IMA_EUID : IMA_UID; 1710 } 1711 break; 1712 case Opt_gid_gt: 1713 case Opt_egid_gt: 1714 entry->gid_op = &gid_gt; 1715 fallthrough; 1716 case Opt_gid_lt: 1717 case Opt_egid_lt: 1718 if ((token == Opt_gid_lt) || (token == Opt_egid_lt)) 1719 entry->gid_op = &gid_lt; 1720 fallthrough; 1721 case Opt_gid_eq: 1722 case Opt_egid_eq: 1723 eid_token = (token == Opt_egid_eq) || 1724 (token == Opt_egid_gt) || 1725 (token == Opt_egid_lt); 1726 1727 ima_log_string_op(ab, eid_token ? "egid" : "gid", 1728 args[0].from, token); 1729 1730 if (gid_valid(entry->gid)) { 1731 result = -EINVAL; 1732 break; 1733 } 1734 1735 result = kstrtoul(args[0].from, 10, &lnum); 1736 if (!result) { 1737 entry->gid = make_kgid(current_user_ns(), 1738 (gid_t)lnum); 1739 if (!gid_valid(entry->gid) || 1740 (((gid_t)lnum) != lnum)) 1741 result = -EINVAL; 1742 else 1743 entry->flags |= eid_token 1744 ? IMA_EGID : IMA_GID; 1745 } 1746 break; 1747 case Opt_fowner_gt: 1748 entry->fowner_op = &vfsuid_gt_kuid; 1749 fallthrough; 1750 case Opt_fowner_lt: 1751 if (token == Opt_fowner_lt) 1752 entry->fowner_op = &vfsuid_lt_kuid; 1753 fallthrough; 1754 case Opt_fowner_eq: 1755 ima_log_string_op(ab, "fowner", args[0].from, token); 1756 1757 if (uid_valid(entry->fowner)) { 1758 result = -EINVAL; 1759 break; 1760 } 1761 1762 result = kstrtoul(args[0].from, 10, &lnum); 1763 if (!result) { 1764 entry->fowner = make_kuid(current_user_ns(), 1765 (uid_t)lnum); 1766 if (!uid_valid(entry->fowner) || 1767 (((uid_t)lnum) != lnum)) 1768 result = -EINVAL; 1769 else 1770 entry->flags |= IMA_FOWNER; 1771 } 1772 break; 1773 case Opt_fgroup_gt: 1774 entry->fgroup_op = &vfsgid_gt_kgid; 1775 fallthrough; 1776 case Opt_fgroup_lt: 1777 if (token == Opt_fgroup_lt) 1778 entry->fgroup_op = &vfsgid_lt_kgid; 1779 fallthrough; 1780 case Opt_fgroup_eq: 1781 ima_log_string_op(ab, "fgroup", args[0].from, token); 1782 1783 if (gid_valid(entry->fgroup)) { 1784 result = -EINVAL; 1785 break; 1786 } 1787 1788 result = kstrtoul(args[0].from, 10, &lnum); 1789 if (!result) { 1790 entry->fgroup = make_kgid(current_user_ns(), 1791 (gid_t)lnum); 1792 if (!gid_valid(entry->fgroup) || 1793 (((gid_t)lnum) != lnum)) 1794 result = -EINVAL; 1795 else 1796 entry->flags |= IMA_FGROUP; 1797 } 1798 break; 1799 case Opt_obj_user: 1800 ima_log_string(ab, "obj_user", args[0].from); 1801 result = ima_lsm_rule_init(entry, args, 1802 LSM_OBJ_USER, 1803 AUDIT_OBJ_USER); 1804 break; 1805 case Opt_obj_role: 1806 ima_log_string(ab, "obj_role", args[0].from); 1807 result = ima_lsm_rule_init(entry, args, 1808 LSM_OBJ_ROLE, 1809 AUDIT_OBJ_ROLE); 1810 break; 1811 case Opt_obj_type: 1812 ima_log_string(ab, "obj_type", args[0].from); 1813 result = ima_lsm_rule_init(entry, args, 1814 LSM_OBJ_TYPE, 1815 AUDIT_OBJ_TYPE); 1816 break; 1817 case Opt_subj_user: 1818 ima_log_string(ab, "subj_user", args[0].from); 1819 result = ima_lsm_rule_init(entry, args, 1820 LSM_SUBJ_USER, 1821 AUDIT_SUBJ_USER); 1822 break; 1823 case Opt_subj_role: 1824 ima_log_string(ab, "subj_role", args[0].from); 1825 result = ima_lsm_rule_init(entry, args, 1826 LSM_SUBJ_ROLE, 1827 AUDIT_SUBJ_ROLE); 1828 break; 1829 case Opt_subj_type: 1830 ima_log_string(ab, "subj_type", args[0].from); 1831 result = ima_lsm_rule_init(entry, args, 1832 LSM_SUBJ_TYPE, 1833 AUDIT_SUBJ_TYPE); 1834 break; 1835 case Opt_digest_type: 1836 ima_log_string(ab, "digest_type", args[0].from); 1837 if (entry->flags & IMA_DIGSIG_REQUIRED) 1838 result = -EINVAL; 1839 else if ((strcmp(args[0].from, "verity")) == 0) 1840 entry->flags |= IMA_VERITY_REQUIRED; 1841 else 1842 result = -EINVAL; 1843 break; 1844 case Opt_appraise_type: 1845 ima_log_string(ab, "appraise_type", args[0].from); 1846 1847 if ((strcmp(args[0].from, "imasig")) == 0) { 1848 if (entry->flags & IMA_VERITY_REQUIRED) 1849 result = -EINVAL; 1850 else 1851 entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; 1852 } else if (strcmp(args[0].from, "sigv3") == 0) { 1853 /* Only fsverity supports sigv3 for now */ 1854 if (entry->flags & IMA_VERITY_REQUIRED) 1855 entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; 1856 else 1857 result = -EINVAL; 1858 } else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1859 strcmp(args[0].from, "imasig|modsig") == 0) { 1860 if (entry->flags & IMA_VERITY_REQUIRED) 1861 result = -EINVAL; 1862 else 1863 entry->flags |= IMA_DIGSIG_REQUIRED | 1864 IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST; 1865 } else { 1866 result = -EINVAL; 1867 } 1868 break; 1869 case Opt_appraise_flag: 1870 ima_log_string(ab, "appraise_flag", args[0].from); 1871 break; 1872 case Opt_appraise_algos: 1873 ima_log_string(ab, "appraise_algos", args[0].from); 1874 1875 if (entry->allowed_algos) { 1876 result = -EINVAL; 1877 break; 1878 } 1879 1880 entry->allowed_algos = 1881 ima_parse_appraise_algos(args[0].from); 1882 /* invalid or empty list of algorithms */ 1883 if (!entry->allowed_algos) { 1884 result = -EINVAL; 1885 break; 1886 } 1887 1888 entry->flags |= IMA_VALIDATE_ALGOS; 1889 1890 break; 1891 case Opt_permit_directio: 1892 entry->flags |= IMA_PERMIT_DIRECTIO; 1893 break; 1894 case Opt_pcr: 1895 ima_log_string(ab, "pcr", args[0].from); 1896 1897 result = kstrtoint(args[0].from, 10, &entry->pcr); 1898 if (result || INVALID_PCR(entry->pcr)) 1899 result = -EINVAL; 1900 else 1901 entry->flags |= IMA_PCR; 1902 1903 break; 1904 case Opt_template: 1905 ima_log_string(ab, "template", args[0].from); 1906 if (entry->action != MEASURE) { 1907 result = -EINVAL; 1908 break; 1909 } 1910 template_desc = lookup_template_desc(args[0].from); 1911 if (!template_desc || entry->template) { 1912 result = -EINVAL; 1913 break; 1914 } 1915 1916 /* 1917 * template_desc_init_fields() does nothing if 1918 * the template is already initialised, so 1919 * it's safe to do this unconditionally 1920 */ 1921 template_desc_init_fields(template_desc->fmt, 1922 &(template_desc->fields), 1923 &(template_desc->num_fields)); 1924 entry->template = template_desc; 1925 break; 1926 case Opt_err: 1927 ima_log_string(ab, "UNKNOWN", p); 1928 result = -EINVAL; 1929 break; 1930 } 1931 } 1932 if (!result && !ima_validate_rule(entry)) 1933 result = -EINVAL; 1934 else if (entry->action == APPRAISE) 1935 temp_ima_appraise |= ima_appraise_flag(entry->func); 1936 1937 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1938 template_desc = entry->template ? entry->template : 1939 ima_template_desc_current(); 1940 check_template_modsig(template_desc); 1941 } 1942 1943 /* d-ngv2 template field recommended for unsigned fs-verity digests */ 1944 if (!result && entry->action == MEASURE && 1945 entry->flags & IMA_VERITY_REQUIRED) { 1946 template_desc = entry->template ? entry->template : 1947 ima_template_desc_current(); 1948 check_template_field(template_desc, "d-ngv2", 1949 "verity rules should include d-ngv2"); 1950 } 1951 1952 audit_log_format(ab, "res=%d", !result); 1953 audit_log_end(ab); 1954 return result; 1955 } 1956 1957 /** 1958 * ima_parse_add_rule - add a rule to ima_policy_rules 1959 * @rule: ima measurement policy rule 1960 * 1961 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1962 * Returns the length of the rule parsed, an error code on failure 1963 */ 1964 ssize_t ima_parse_add_rule(char *rule) 1965 { 1966 static const char op[] = "update_policy"; 1967 char *p; 1968 struct ima_rule_entry *entry; 1969 ssize_t result, len; 1970 int audit_info = 0; 1971 1972 p = strsep(&rule, "\n"); 1973 len = strlen(p) + 1; 1974 p += strspn(p, " \t"); 1975 1976 if (*p == '#' || *p == '\0') 1977 return len; 1978 1979 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1980 if (!entry) { 1981 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1982 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1983 return -ENOMEM; 1984 } 1985 1986 INIT_LIST_HEAD(&entry->list); 1987 1988 result = ima_parse_rule(p, entry); 1989 if (result) { 1990 ima_free_rule(entry); 1991 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1992 NULL, op, "invalid-policy", result, 1993 audit_info); 1994 return result; 1995 } 1996 1997 list_add_tail(&entry->list, &ima_temp_rules); 1998 1999 return len; 2000 } 2001 2002 /** 2003 * ima_delete_rules() - called to cleanup invalid in-flight policy. 2004 * 2005 * We don't need locking as we operate on the temp list, which is 2006 * different from the active one. There is also only one user of 2007 * ima_delete_rules() at a time. 2008 */ 2009 void ima_delete_rules(void) 2010 { 2011 struct ima_rule_entry *entry, *tmp; 2012 2013 temp_ima_appraise = 0; 2014 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 2015 list_del(&entry->list); 2016 ima_free_rule(entry); 2017 } 2018 } 2019 2020 #define __ima_hook_stringify(func, str) (#func), 2021 2022 const char *const func_tokens[] = { 2023 __ima_hooks(__ima_hook_stringify) 2024 }; 2025 2026 #ifdef CONFIG_IMA_READ_POLICY 2027 enum { 2028 mask_exec = 0, mask_write, mask_read, mask_append 2029 }; 2030 2031 static const char *const mask_tokens[] = { 2032 "^MAY_EXEC", 2033 "^MAY_WRITE", 2034 "^MAY_READ", 2035 "^MAY_APPEND" 2036 }; 2037 2038 void *ima_policy_start(struct seq_file *m, loff_t *pos) 2039 { 2040 loff_t l = *pos; 2041 struct ima_rule_entry *entry; 2042 struct list_head *ima_rules_tmp; 2043 2044 rcu_read_lock(); 2045 ima_rules_tmp = rcu_dereference(ima_rules); 2046 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 2047 if (!l--) { 2048 rcu_read_unlock(); 2049 return entry; 2050 } 2051 } 2052 rcu_read_unlock(); 2053 return NULL; 2054 } 2055 2056 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 2057 { 2058 struct ima_rule_entry *entry = v; 2059 2060 rcu_read_lock(); 2061 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 2062 rcu_read_unlock(); 2063 (*pos)++; 2064 2065 return (&entry->list == &ima_default_rules || 2066 &entry->list == &ima_policy_rules) ? NULL : entry; 2067 } 2068 2069 void ima_policy_stop(struct seq_file *m, void *v) 2070 { 2071 } 2072 2073 #define pt(token) policy_tokens[token].pattern 2074 #define mt(token) mask_tokens[token] 2075 2076 /* 2077 * policy_func_show - display the ima_hooks policy rule 2078 */ 2079 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 2080 { 2081 if (func > 0 && func < MAX_CHECK) 2082 seq_printf(m, "func=%s ", func_tokens[func]); 2083 else 2084 seq_printf(m, "func=%d ", func); 2085 } 2086 2087 static void ima_show_rule_opt_list(struct seq_file *m, 2088 const struct ima_rule_opt_list *opt_list) 2089 { 2090 size_t i; 2091 2092 for (i = 0; i < opt_list->count; i++) 2093 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 2094 } 2095 2096 static void ima_policy_show_appraise_algos(struct seq_file *m, 2097 unsigned int allowed_hashes) 2098 { 2099 int idx, list_size = 0; 2100 2101 for (idx = 0; idx < HASH_ALGO__LAST; idx++) { 2102 if (!(allowed_hashes & (1U << idx))) 2103 continue; 2104 2105 /* only add commas if the list contains multiple entries */ 2106 if (list_size++) 2107 seq_puts(m, ","); 2108 2109 seq_puts(m, hash_algo_name[idx]); 2110 } 2111 } 2112 2113 int ima_policy_show(struct seq_file *m, void *v) 2114 { 2115 struct ima_rule_entry *entry = v; 2116 int i; 2117 char tbuf[64] = {0,}; 2118 int offset = 0; 2119 2120 rcu_read_lock(); 2121 2122 /* Do not print rules with inactive LSM labels */ 2123 for (i = 0; i < MAX_LSM_RULES; i++) { 2124 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { 2125 rcu_read_unlock(); 2126 return 0; 2127 } 2128 } 2129 2130 if (entry->action & MEASURE) 2131 seq_puts(m, pt(Opt_measure)); 2132 if (entry->action & DONT_MEASURE) 2133 seq_puts(m, pt(Opt_dont_measure)); 2134 if (entry->action & APPRAISE) 2135 seq_puts(m, pt(Opt_appraise)); 2136 if (entry->action & DONT_APPRAISE) 2137 seq_puts(m, pt(Opt_dont_appraise)); 2138 if (entry->action & AUDIT) 2139 seq_puts(m, pt(Opt_audit)); 2140 if (entry->action & DONT_AUDIT) 2141 seq_puts(m, pt(Opt_dont_audit)); 2142 if (entry->action & HASH) 2143 seq_puts(m, pt(Opt_hash)); 2144 if (entry->action & DONT_HASH) 2145 seq_puts(m, pt(Opt_dont_hash)); 2146 2147 seq_puts(m, " "); 2148 2149 if (entry->flags & IMA_FUNC) 2150 policy_func_show(m, entry->func); 2151 2152 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 2153 if (entry->flags & IMA_MASK) 2154 offset = 1; 2155 if (entry->mask & MAY_EXEC) 2156 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 2157 if (entry->mask & MAY_WRITE) 2158 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 2159 if (entry->mask & MAY_READ) 2160 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 2161 if (entry->mask & MAY_APPEND) 2162 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 2163 seq_puts(m, " "); 2164 } 2165 2166 if (entry->flags & IMA_FSMAGIC) { 2167 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 2168 seq_printf(m, pt(Opt_fsmagic), tbuf); 2169 seq_puts(m, " "); 2170 } 2171 2172 if (entry->flags & IMA_FSNAME) { 2173 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 2174 seq_printf(m, pt(Opt_fsname), tbuf); 2175 seq_puts(m, " "); 2176 } 2177 2178 if (entry->flags & IMA_FS_SUBTYPE) { 2179 snprintf(tbuf, sizeof(tbuf), "%s", entry->fs_subtype); 2180 seq_printf(m, pt(Opt_fs_subtype), tbuf); 2181 seq_puts(m, " "); 2182 } 2183 2184 if (entry->flags & IMA_KEYRINGS) { 2185 seq_puts(m, "keyrings="); 2186 ima_show_rule_opt_list(m, entry->keyrings); 2187 seq_puts(m, " "); 2188 } 2189 2190 if (entry->flags & IMA_LABEL) { 2191 seq_puts(m, "label="); 2192 ima_show_rule_opt_list(m, entry->label); 2193 seq_puts(m, " "); 2194 } 2195 2196 if (entry->flags & IMA_PCR) { 2197 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 2198 seq_printf(m, pt(Opt_pcr), tbuf); 2199 seq_puts(m, " "); 2200 } 2201 2202 if (entry->flags & IMA_FSUUID) { 2203 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 2204 seq_puts(m, " "); 2205 } 2206 2207 if (entry->flags & IMA_UID) { 2208 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 2209 if (entry->uid_op == &uid_gt) 2210 seq_printf(m, pt(Opt_uid_gt), tbuf); 2211 else if (entry->uid_op == &uid_lt) 2212 seq_printf(m, pt(Opt_uid_lt), tbuf); 2213 else 2214 seq_printf(m, pt(Opt_uid_eq), tbuf); 2215 seq_puts(m, " "); 2216 } 2217 2218 if (entry->flags & IMA_EUID) { 2219 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 2220 if (entry->uid_op == &uid_gt) 2221 seq_printf(m, pt(Opt_euid_gt), tbuf); 2222 else if (entry->uid_op == &uid_lt) 2223 seq_printf(m, pt(Opt_euid_lt), tbuf); 2224 else 2225 seq_printf(m, pt(Opt_euid_eq), tbuf); 2226 seq_puts(m, " "); 2227 } 2228 2229 if (entry->flags & IMA_GID) { 2230 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); 2231 if (entry->gid_op == &gid_gt) 2232 seq_printf(m, pt(Opt_gid_gt), tbuf); 2233 else if (entry->gid_op == &gid_lt) 2234 seq_printf(m, pt(Opt_gid_lt), tbuf); 2235 else 2236 seq_printf(m, pt(Opt_gid_eq), tbuf); 2237 seq_puts(m, " "); 2238 } 2239 2240 if (entry->flags & IMA_EGID) { 2241 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); 2242 if (entry->gid_op == &gid_gt) 2243 seq_printf(m, pt(Opt_egid_gt), tbuf); 2244 else if (entry->gid_op == &gid_lt) 2245 seq_printf(m, pt(Opt_egid_lt), tbuf); 2246 else 2247 seq_printf(m, pt(Opt_egid_eq), tbuf); 2248 seq_puts(m, " "); 2249 } 2250 2251 if (entry->flags & IMA_FOWNER) { 2252 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 2253 if (entry->fowner_op == &vfsuid_gt_kuid) 2254 seq_printf(m, pt(Opt_fowner_gt), tbuf); 2255 else if (entry->fowner_op == &vfsuid_lt_kuid) 2256 seq_printf(m, pt(Opt_fowner_lt), tbuf); 2257 else 2258 seq_printf(m, pt(Opt_fowner_eq), tbuf); 2259 seq_puts(m, " "); 2260 } 2261 2262 if (entry->flags & IMA_FGROUP) { 2263 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); 2264 if (entry->fgroup_op == &vfsgid_gt_kgid) 2265 seq_printf(m, pt(Opt_fgroup_gt), tbuf); 2266 else if (entry->fgroup_op == &vfsgid_lt_kgid) 2267 seq_printf(m, pt(Opt_fgroup_lt), tbuf); 2268 else 2269 seq_printf(m, pt(Opt_fgroup_eq), tbuf); 2270 seq_puts(m, " "); 2271 } 2272 2273 if (entry->flags & IMA_VALIDATE_ALGOS) { 2274 seq_puts(m, "appraise_algos="); 2275 ima_policy_show_appraise_algos(m, entry->allowed_algos); 2276 seq_puts(m, " "); 2277 } 2278 2279 for (i = 0; i < MAX_LSM_RULES; i++) { 2280 if (entry->lsm[i].rule) { 2281 switch (i) { 2282 case LSM_OBJ_USER: 2283 seq_printf(m, pt(Opt_obj_user), 2284 entry->lsm[i].args_p); 2285 break; 2286 case LSM_OBJ_ROLE: 2287 seq_printf(m, pt(Opt_obj_role), 2288 entry->lsm[i].args_p); 2289 break; 2290 case LSM_OBJ_TYPE: 2291 seq_printf(m, pt(Opt_obj_type), 2292 entry->lsm[i].args_p); 2293 break; 2294 case LSM_SUBJ_USER: 2295 seq_printf(m, pt(Opt_subj_user), 2296 entry->lsm[i].args_p); 2297 break; 2298 case LSM_SUBJ_ROLE: 2299 seq_printf(m, pt(Opt_subj_role), 2300 entry->lsm[i].args_p); 2301 break; 2302 case LSM_SUBJ_TYPE: 2303 seq_printf(m, pt(Opt_subj_type), 2304 entry->lsm[i].args_p); 2305 break; 2306 } 2307 seq_puts(m, " "); 2308 } 2309 } 2310 if (entry->template) 2311 seq_printf(m, "template=%s ", entry->template->name); 2312 if (entry->flags & IMA_DIGSIG_REQUIRED) { 2313 if (entry->flags & IMA_VERITY_REQUIRED) 2314 seq_puts(m, "appraise_type=sigv3 "); 2315 else if (entry->flags & IMA_MODSIG_ALLOWED) 2316 seq_puts(m, "appraise_type=imasig|modsig "); 2317 else 2318 seq_puts(m, "appraise_type=imasig "); 2319 } 2320 if (entry->flags & IMA_VERITY_REQUIRED) 2321 seq_puts(m, "digest_type=verity "); 2322 if (entry->flags & IMA_PERMIT_DIRECTIO) 2323 seq_puts(m, "permit_directio "); 2324 rcu_read_unlock(); 2325 seq_puts(m, "\n"); 2326 return 0; 2327 } 2328 #endif /* CONFIG_IMA_READ_POLICY */ 2329 2330 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 2331 /* 2332 * ima_appraise_signature: whether IMA will appraise a given function using 2333 * an IMA digital signature. This is restricted to cases where the kernel 2334 * has a set of built-in trusted keys in order to avoid an attacker simply 2335 * loading additional keys. 2336 */ 2337 bool ima_appraise_signature(enum kernel_read_file_id id) 2338 { 2339 struct ima_rule_entry *entry; 2340 bool found = false; 2341 enum ima_hooks func; 2342 struct list_head *ima_rules_tmp; 2343 2344 if (id >= READING_MAX_ID) 2345 return false; 2346 2347 if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) 2348 && security_locked_down(LOCKDOWN_KEXEC)) 2349 return false; 2350 2351 func = read_idmap[id] ?: FILE_CHECK; 2352 2353 rcu_read_lock(); 2354 ima_rules_tmp = rcu_dereference(ima_rules); 2355 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 2356 if (entry->action != APPRAISE) 2357 continue; 2358 2359 /* 2360 * A generic entry will match, but otherwise require that it 2361 * match the func we're looking for 2362 */ 2363 if (entry->func && entry->func != func) 2364 continue; 2365 2366 /* 2367 * We require this to be a digital signature, not a raw IMA 2368 * hash. 2369 */ 2370 if (entry->flags & IMA_DIGSIG_REQUIRED) 2371 found = true; 2372 2373 /* 2374 * We've found a rule that matches, so break now even if it 2375 * didn't require a digital signature - a later rule that does 2376 * won't override it, so would be a false positive. 2377 */ 2378 break; 2379 } 2380 2381 rcu_read_unlock(); 2382 return found; 2383 } 2384 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 2385