1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/genhd.h> 20 #include <linux/seq_file.h> 21 #include <linux/ima.h> 22 23 #include "ima.h" 24 25 /* flags definitions */ 26 #define IMA_FUNC 0x0001 27 #define IMA_MASK 0x0002 28 #define IMA_FSMAGIC 0x0004 29 #define IMA_UID 0x0008 30 #define IMA_FOWNER 0x0010 31 #define IMA_FSUUID 0x0020 32 #define IMA_INMASK 0x0040 33 #define IMA_EUID 0x0080 34 #define IMA_PCR 0x0100 35 #define IMA_FSNAME 0x0200 36 #define IMA_KEYRINGS 0x0400 37 38 #define UNKNOWN 0 39 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 40 #define DONT_MEASURE 0x0002 41 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 42 #define DONT_APPRAISE 0x0008 43 #define AUDIT 0x0040 44 #define HASH 0x0100 45 #define DONT_HASH 0x0200 46 47 #define INVALID_PCR(a) (((a) < 0) || \ 48 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 49 50 int ima_policy_flag; 51 static int temp_ima_appraise; 52 static int build_ima_appraise __ro_after_init; 53 54 #define MAX_LSM_RULES 6 55 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 56 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 57 }; 58 59 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 60 61 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 62 63 struct ima_rule_opt_list { 64 size_t count; 65 char *items[]; 66 }; 67 68 struct ima_rule_entry { 69 struct list_head list; 70 int action; 71 unsigned int flags; 72 enum ima_hooks func; 73 int mask; 74 unsigned long fsmagic; 75 uuid_t fsuuid; 76 kuid_t uid; 77 kuid_t fowner; 78 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 79 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 80 int pcr; 81 struct { 82 void *rule; /* LSM file metadata specific */ 83 char *args_p; /* audit value */ 84 int type; /* audit type */ 85 } lsm[MAX_LSM_RULES]; 86 char *fsname; 87 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 88 struct ima_template_desc *template; 89 }; 90 91 /* 92 * Without LSM specific knowledge, the default policy can only be 93 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 94 */ 95 96 /* 97 * The minimum rule set to allow for full TCB coverage. Measures all files 98 * opened or mmap for exec and everything read by root. Dangerous because 99 * normal users can easily run the machine out of memory simply building 100 * and running executables. 101 */ 102 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 103 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 104 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 105 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 106 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 107 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 108 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 109 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 110 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 111 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 112 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 113 .flags = IMA_FSMAGIC}, 114 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 115 .flags = IMA_FSMAGIC}, 116 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 117 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 118 }; 119 120 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 121 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 122 .flags = IMA_FUNC | IMA_MASK}, 123 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 124 .flags = IMA_FUNC | IMA_MASK}, 125 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 126 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 127 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 128 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 129 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 130 }; 131 132 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 133 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 134 .flags = IMA_FUNC | IMA_MASK}, 135 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 136 .flags = IMA_FUNC | IMA_MASK}, 137 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 138 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 139 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 140 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 141 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 142 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 143 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 144 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 145 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 146 }; 147 148 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 149 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 158 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 159 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 160 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 161 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 162 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 163 #ifdef CONFIG_IMA_WRITE_POLICY 164 {.action = APPRAISE, .func = POLICY_CHECK, 165 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 166 #endif 167 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 168 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 169 .flags = IMA_FOWNER}, 170 #else 171 /* force signature */ 172 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 173 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 174 #endif 175 }; 176 177 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 178 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 179 {.action = APPRAISE, .func = MODULE_CHECK, 180 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 181 #endif 182 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 183 {.action = APPRAISE, .func = FIRMWARE_CHECK, 184 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 185 #endif 186 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 187 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 188 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 189 #endif 190 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 191 {.action = APPRAISE, .func = POLICY_CHECK, 192 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 193 #endif 194 }; 195 196 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 197 {.action = APPRAISE, .func = MODULE_CHECK, 198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 199 {.action = APPRAISE, .func = FIRMWARE_CHECK, 200 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 201 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 202 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 203 {.action = APPRAISE, .func = POLICY_CHECK, 204 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 205 }; 206 207 /* An array of architecture specific rules */ 208 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 209 210 static LIST_HEAD(ima_default_rules); 211 static LIST_HEAD(ima_policy_rules); 212 static LIST_HEAD(ima_temp_rules); 213 static struct list_head *ima_rules = &ima_default_rules; 214 215 static int ima_policy __initdata; 216 217 static int __init default_measure_policy_setup(char *str) 218 { 219 if (ima_policy) 220 return 1; 221 222 ima_policy = ORIGINAL_TCB; 223 return 1; 224 } 225 __setup("ima_tcb", default_measure_policy_setup); 226 227 static bool ima_use_appraise_tcb __initdata; 228 static bool ima_use_secure_boot __initdata; 229 static bool ima_fail_unverifiable_sigs __ro_after_init; 230 static int __init policy_setup(char *str) 231 { 232 char *p; 233 234 while ((p = strsep(&str, " |\n")) != NULL) { 235 if (*p == ' ') 236 continue; 237 if ((strcmp(p, "tcb") == 0) && !ima_policy) 238 ima_policy = DEFAULT_TCB; 239 else if (strcmp(p, "appraise_tcb") == 0) 240 ima_use_appraise_tcb = true; 241 else if (strcmp(p, "secure_boot") == 0) 242 ima_use_secure_boot = true; 243 else if (strcmp(p, "fail_securely") == 0) 244 ima_fail_unverifiable_sigs = true; 245 else 246 pr_err("policy \"%s\" not found", p); 247 } 248 249 return 1; 250 } 251 __setup("ima_policy=", policy_setup); 252 253 static int __init default_appraise_policy_setup(char *str) 254 { 255 ima_use_appraise_tcb = true; 256 return 1; 257 } 258 __setup("ima_appraise_tcb", default_appraise_policy_setup); 259 260 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 261 { 262 struct ima_rule_opt_list *opt_list; 263 size_t count = 0; 264 char *src_copy; 265 char *cur, *next; 266 size_t i; 267 268 src_copy = match_strdup(src); 269 if (!src_copy) 270 return ERR_PTR(-ENOMEM); 271 272 next = src_copy; 273 while ((cur = strsep(&next, "|"))) { 274 /* Don't accept an empty list item */ 275 if (!(*cur)) { 276 kfree(src_copy); 277 return ERR_PTR(-EINVAL); 278 } 279 count++; 280 } 281 282 /* Don't accept an empty list */ 283 if (!count) { 284 kfree(src_copy); 285 return ERR_PTR(-EINVAL); 286 } 287 288 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 289 if (!opt_list) { 290 kfree(src_copy); 291 return ERR_PTR(-ENOMEM); 292 } 293 294 /* 295 * strsep() has already replaced all instances of '|' with '\0', 296 * leaving a byte sequence of NUL-terminated strings. Reference each 297 * string with the array of items. 298 * 299 * IMPORTANT: Ownership of the allocated buffer is transferred from 300 * src_copy to the first element in the items array. To free the 301 * buffer, kfree() must only be called on the first element of the 302 * array. 303 */ 304 for (i = 0, cur = src_copy; i < count; i++) { 305 opt_list->items[i] = cur; 306 cur = strchr(cur, '\0') + 1; 307 } 308 opt_list->count = count; 309 310 return opt_list; 311 } 312 313 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 314 { 315 if (!opt_list) 316 return; 317 318 if (opt_list->count) { 319 kfree(opt_list->items[0]); 320 opt_list->count = 0; 321 } 322 323 kfree(opt_list); 324 } 325 326 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 327 { 328 int i; 329 330 for (i = 0; i < MAX_LSM_RULES; i++) { 331 ima_filter_rule_free(entry->lsm[i].rule); 332 kfree(entry->lsm[i].args_p); 333 } 334 } 335 336 static void ima_free_rule(struct ima_rule_entry *entry) 337 { 338 if (!entry) 339 return; 340 341 /* 342 * entry->template->fields may be allocated in ima_parse_rule() but that 343 * reference is owned by the corresponding ima_template_desc element in 344 * the defined_templates list and cannot be freed here 345 */ 346 kfree(entry->fsname); 347 ima_free_rule_opt_list(entry->keyrings); 348 ima_lsm_free_rule(entry); 349 kfree(entry); 350 } 351 352 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 353 { 354 struct ima_rule_entry *nentry; 355 int i; 356 357 /* 358 * Immutable elements are copied over as pointers and data; only 359 * lsm rules can change 360 */ 361 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 362 if (!nentry) 363 return NULL; 364 365 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 366 367 for (i = 0; i < MAX_LSM_RULES; i++) { 368 if (!entry->lsm[i].args_p) 369 continue; 370 371 nentry->lsm[i].type = entry->lsm[i].type; 372 nentry->lsm[i].args_p = entry->lsm[i].args_p; 373 /* 374 * Remove the reference from entry so that the associated 375 * memory will not be freed during a later call to 376 * ima_lsm_free_rule(entry). 377 */ 378 entry->lsm[i].args_p = NULL; 379 380 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 381 nentry->lsm[i].args_p, 382 &nentry->lsm[i].rule); 383 if (!nentry->lsm[i].rule) 384 pr_warn("rule for LSM \'%s\' is undefined\n", 385 nentry->lsm[i].args_p); 386 } 387 return nentry; 388 } 389 390 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 391 { 392 struct ima_rule_entry *nentry; 393 394 nentry = ima_lsm_copy_rule(entry); 395 if (!nentry) 396 return -ENOMEM; 397 398 list_replace_rcu(&entry->list, &nentry->list); 399 synchronize_rcu(); 400 /* 401 * ima_lsm_copy_rule() shallow copied all references, except for the 402 * LSM references, from entry to nentry so we only want to free the LSM 403 * references and the entry itself. All other memory refrences will now 404 * be owned by nentry. 405 */ 406 ima_lsm_free_rule(entry); 407 kfree(entry); 408 409 return 0; 410 } 411 412 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 413 { 414 int i; 415 416 for (i = 0; i < MAX_LSM_RULES; i++) 417 if (entry->lsm[i].args_p) 418 return true; 419 420 return false; 421 } 422 423 /* 424 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 425 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 426 * the reloaded LSM policy. 427 */ 428 static void ima_lsm_update_rules(void) 429 { 430 struct ima_rule_entry *entry, *e; 431 int result; 432 433 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 434 if (!ima_rule_contains_lsm_cond(entry)) 435 continue; 436 437 result = ima_lsm_update_rule(entry); 438 if (result) { 439 pr_err("lsm rule update error %d\n", result); 440 return; 441 } 442 } 443 } 444 445 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 446 void *lsm_data) 447 { 448 if (event != LSM_POLICY_CHANGE) 449 return NOTIFY_DONE; 450 451 ima_lsm_update_rules(); 452 return NOTIFY_OK; 453 } 454 455 /** 456 * ima_match_rule_data - determine whether func_data matches the policy rule 457 * @rule: a pointer to a rule 458 * @func_data: data to match against the measure rule data 459 * @cred: a pointer to a credentials structure for user validation 460 * 461 * Returns true if func_data matches one in the rule, false otherwise. 462 */ 463 static bool ima_match_rule_data(struct ima_rule_entry *rule, 464 const char *func_data, 465 const struct cred *cred) 466 { 467 const struct ima_rule_opt_list *opt_list = NULL; 468 bool matched = false; 469 size_t i; 470 471 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 472 return false; 473 474 switch (rule->func) { 475 case KEY_CHECK: 476 if (!rule->keyrings) 477 return true; 478 479 opt_list = rule->keyrings; 480 break; 481 case CRITICAL_DATA: 482 return true; 483 default: 484 return false; 485 } 486 487 if (!func_data) 488 return false; 489 490 for (i = 0; i < opt_list->count; i++) { 491 if (!strcmp(opt_list->items[i], func_data)) { 492 matched = true; 493 break; 494 } 495 } 496 497 return matched; 498 } 499 500 /** 501 * ima_match_rules - determine whether an inode matches the policy rule. 502 * @rule: a pointer to a rule 503 * @inode: a pointer to an inode 504 * @cred: a pointer to a credentials structure for user validation 505 * @secid: the secid of the task to be validated 506 * @func: LIM hook identifier 507 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 508 * @func_data: func specific data, may be NULL 509 * 510 * Returns true on rule match, false on failure. 511 */ 512 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, 513 const struct cred *cred, u32 secid, 514 enum ima_hooks func, int mask, 515 const char *func_data) 516 { 517 int i; 518 519 if ((rule->flags & IMA_FUNC) && 520 (rule->func != func && func != POST_SETATTR)) 521 return false; 522 523 switch (func) { 524 case KEY_CHECK: 525 case CRITICAL_DATA: 526 return ((rule->func == func) && 527 ima_match_rule_data(rule, func_data, cred)); 528 default: 529 break; 530 } 531 532 if ((rule->flags & IMA_MASK) && 533 (rule->mask != mask && func != POST_SETATTR)) 534 return false; 535 if ((rule->flags & IMA_INMASK) && 536 (!(rule->mask & mask) && func != POST_SETATTR)) 537 return false; 538 if ((rule->flags & IMA_FSMAGIC) 539 && rule->fsmagic != inode->i_sb->s_magic) 540 return false; 541 if ((rule->flags & IMA_FSNAME) 542 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 543 return false; 544 if ((rule->flags & IMA_FSUUID) && 545 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 546 return false; 547 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 548 return false; 549 if (rule->flags & IMA_EUID) { 550 if (has_capability_noaudit(current, CAP_SETUID)) { 551 if (!rule->uid_op(cred->euid, rule->uid) 552 && !rule->uid_op(cred->suid, rule->uid) 553 && !rule->uid_op(cred->uid, rule->uid)) 554 return false; 555 } else if (!rule->uid_op(cred->euid, rule->uid)) 556 return false; 557 } 558 559 if ((rule->flags & IMA_FOWNER) && 560 !rule->fowner_op(inode->i_uid, rule->fowner)) 561 return false; 562 for (i = 0; i < MAX_LSM_RULES; i++) { 563 int rc = 0; 564 u32 osid; 565 566 if (!rule->lsm[i].rule) { 567 if (!rule->lsm[i].args_p) 568 continue; 569 else 570 return false; 571 } 572 switch (i) { 573 case LSM_OBJ_USER: 574 case LSM_OBJ_ROLE: 575 case LSM_OBJ_TYPE: 576 security_inode_getsecid(inode, &osid); 577 rc = ima_filter_rule_match(osid, rule->lsm[i].type, 578 Audit_equal, 579 rule->lsm[i].rule); 580 break; 581 case LSM_SUBJ_USER: 582 case LSM_SUBJ_ROLE: 583 case LSM_SUBJ_TYPE: 584 rc = ima_filter_rule_match(secid, rule->lsm[i].type, 585 Audit_equal, 586 rule->lsm[i].rule); 587 default: 588 break; 589 } 590 if (!rc) 591 return false; 592 } 593 return true; 594 } 595 596 /* 597 * In addition to knowing that we need to appraise the file in general, 598 * we need to differentiate between calling hooks, for hook specific rules. 599 */ 600 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 601 { 602 if (!(rule->flags & IMA_FUNC)) 603 return IMA_FILE_APPRAISE; 604 605 switch (func) { 606 case MMAP_CHECK: 607 return IMA_MMAP_APPRAISE; 608 case BPRM_CHECK: 609 return IMA_BPRM_APPRAISE; 610 case CREDS_CHECK: 611 return IMA_CREDS_APPRAISE; 612 case FILE_CHECK: 613 case POST_SETATTR: 614 return IMA_FILE_APPRAISE; 615 case MODULE_CHECK ... MAX_CHECK - 1: 616 default: 617 return IMA_READ_APPRAISE; 618 } 619 } 620 621 /** 622 * ima_match_policy - decision based on LSM and other conditions 623 * @inode: pointer to an inode for which the policy decision is being made 624 * @cred: pointer to a credentials structure for which the policy decision is 625 * being made 626 * @secid: LSM secid of the task to be validated 627 * @func: IMA hook identifier 628 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 629 * @pcr: set the pcr to extend 630 * @template_desc: the template that should be used for this rule 631 * @func_data: func specific data, may be NULL 632 * 633 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 634 * conditions. 635 * 636 * Since the IMA policy may be updated multiple times we need to lock the 637 * list when walking it. Reads are many orders of magnitude more numerous 638 * than writes so ima_match_policy() is classical RCU candidate. 639 */ 640 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 641 enum ima_hooks func, int mask, int flags, int *pcr, 642 struct ima_template_desc **template_desc, 643 const char *func_data) 644 { 645 struct ima_rule_entry *entry; 646 int action = 0, actmask = flags | (flags << 1); 647 648 if (template_desc && !*template_desc) 649 *template_desc = ima_template_desc_current(); 650 651 rcu_read_lock(); 652 list_for_each_entry_rcu(entry, ima_rules, list) { 653 654 if (!(entry->action & actmask)) 655 continue; 656 657 if (!ima_match_rules(entry, inode, cred, secid, func, mask, 658 func_data)) 659 continue; 660 661 action |= entry->flags & IMA_ACTION_FLAGS; 662 663 action |= entry->action & IMA_DO_MASK; 664 if (entry->action & IMA_APPRAISE) { 665 action |= get_subaction(entry, func); 666 action &= ~IMA_HASH; 667 if (ima_fail_unverifiable_sigs) 668 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 669 } 670 671 672 if (entry->action & IMA_DO_MASK) 673 actmask &= ~(entry->action | entry->action << 1); 674 else 675 actmask &= ~(entry->action | entry->action >> 1); 676 677 if ((pcr) && (entry->flags & IMA_PCR)) 678 *pcr = entry->pcr; 679 680 if (template_desc && entry->template) 681 *template_desc = entry->template; 682 683 if (!actmask) 684 break; 685 } 686 rcu_read_unlock(); 687 688 return action; 689 } 690 691 /* 692 * Initialize the ima_policy_flag variable based on the currently 693 * loaded policy. Based on this flag, the decision to short circuit 694 * out of a function or not call the function in the first place 695 * can be made earlier. 696 */ 697 void ima_update_policy_flag(void) 698 { 699 struct ima_rule_entry *entry; 700 701 list_for_each_entry(entry, ima_rules, list) { 702 if (entry->action & IMA_DO_MASK) 703 ima_policy_flag |= entry->action; 704 } 705 706 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 707 if (!ima_appraise) 708 ima_policy_flag &= ~IMA_APPRAISE; 709 } 710 711 static int ima_appraise_flag(enum ima_hooks func) 712 { 713 if (func == MODULE_CHECK) 714 return IMA_APPRAISE_MODULES; 715 else if (func == FIRMWARE_CHECK) 716 return IMA_APPRAISE_FIRMWARE; 717 else if (func == POLICY_CHECK) 718 return IMA_APPRAISE_POLICY; 719 else if (func == KEXEC_KERNEL_CHECK) 720 return IMA_APPRAISE_KEXEC; 721 return 0; 722 } 723 724 static void add_rules(struct ima_rule_entry *entries, int count, 725 enum policy_rule_list policy_rule) 726 { 727 int i = 0; 728 729 for (i = 0; i < count; i++) { 730 struct ima_rule_entry *entry; 731 732 if (policy_rule & IMA_DEFAULT_POLICY) 733 list_add_tail(&entries[i].list, &ima_default_rules); 734 735 if (policy_rule & IMA_CUSTOM_POLICY) { 736 entry = kmemdup(&entries[i], sizeof(*entry), 737 GFP_KERNEL); 738 if (!entry) 739 continue; 740 741 list_add_tail(&entry->list, &ima_policy_rules); 742 } 743 if (entries[i].action == APPRAISE) { 744 if (entries != build_appraise_rules) 745 temp_ima_appraise |= 746 ima_appraise_flag(entries[i].func); 747 else 748 build_ima_appraise |= 749 ima_appraise_flag(entries[i].func); 750 } 751 } 752 } 753 754 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 755 756 static int __init ima_init_arch_policy(void) 757 { 758 const char * const *arch_rules; 759 const char * const *rules; 760 int arch_entries = 0; 761 int i = 0; 762 763 arch_rules = arch_get_ima_policy(); 764 if (!arch_rules) 765 return arch_entries; 766 767 /* Get number of rules */ 768 for (rules = arch_rules; *rules != NULL; rules++) 769 arch_entries++; 770 771 arch_policy_entry = kcalloc(arch_entries + 1, 772 sizeof(*arch_policy_entry), GFP_KERNEL); 773 if (!arch_policy_entry) 774 return 0; 775 776 /* Convert each policy string rules to struct ima_rule_entry format */ 777 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 778 char rule[255]; 779 int result; 780 781 result = strlcpy(rule, *rules, sizeof(rule)); 782 783 INIT_LIST_HEAD(&arch_policy_entry[i].list); 784 result = ima_parse_rule(rule, &arch_policy_entry[i]); 785 if (result) { 786 pr_warn("Skipping unknown architecture policy rule: %s\n", 787 rule); 788 memset(&arch_policy_entry[i], 0, 789 sizeof(*arch_policy_entry)); 790 continue; 791 } 792 i++; 793 } 794 return i; 795 } 796 797 /** 798 * ima_init_policy - initialize the default measure rules. 799 * 800 * ima_rules points to either the ima_default_rules or the 801 * the new ima_policy_rules. 802 */ 803 void __init ima_init_policy(void) 804 { 805 int build_appraise_entries, arch_entries; 806 807 /* if !ima_policy, we load NO default rules */ 808 if (ima_policy) 809 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 810 IMA_DEFAULT_POLICY); 811 812 switch (ima_policy) { 813 case ORIGINAL_TCB: 814 add_rules(original_measurement_rules, 815 ARRAY_SIZE(original_measurement_rules), 816 IMA_DEFAULT_POLICY); 817 break; 818 case DEFAULT_TCB: 819 add_rules(default_measurement_rules, 820 ARRAY_SIZE(default_measurement_rules), 821 IMA_DEFAULT_POLICY); 822 default: 823 break; 824 } 825 826 /* 827 * Based on runtime secure boot flags, insert arch specific measurement 828 * and appraise rules requiring file signatures for both the initial 829 * and custom policies, prior to other appraise rules. 830 * (Highest priority) 831 */ 832 arch_entries = ima_init_arch_policy(); 833 if (!arch_entries) 834 pr_info("No architecture policies found\n"); 835 else 836 add_rules(arch_policy_entry, arch_entries, 837 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 838 839 /* 840 * Insert the builtin "secure_boot" policy rules requiring file 841 * signatures, prior to other appraise rules. 842 */ 843 if (ima_use_secure_boot) 844 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 845 IMA_DEFAULT_POLICY); 846 847 /* 848 * Insert the build time appraise rules requiring file signatures 849 * for both the initial and custom policies, prior to other appraise 850 * rules. As the secure boot rules includes all of the build time 851 * rules, include either one or the other set of rules, but not both. 852 */ 853 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 854 if (build_appraise_entries) { 855 if (ima_use_secure_boot) 856 add_rules(build_appraise_rules, build_appraise_entries, 857 IMA_CUSTOM_POLICY); 858 else 859 add_rules(build_appraise_rules, build_appraise_entries, 860 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 861 } 862 863 if (ima_use_appraise_tcb) 864 add_rules(default_appraise_rules, 865 ARRAY_SIZE(default_appraise_rules), 866 IMA_DEFAULT_POLICY); 867 868 ima_update_policy_flag(); 869 } 870 871 /* Make sure we have a valid policy, at least containing some rules. */ 872 int ima_check_policy(void) 873 { 874 if (list_empty(&ima_temp_rules)) 875 return -EINVAL; 876 return 0; 877 } 878 879 /** 880 * ima_update_policy - update default_rules with new measure rules 881 * 882 * Called on file .release to update the default rules with a complete new 883 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 884 * they make a queue. The policy may be updated multiple times and this is the 885 * RCU updater. 886 * 887 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 888 * we switch from the default policy to user defined. 889 */ 890 void ima_update_policy(void) 891 { 892 struct list_head *policy = &ima_policy_rules; 893 894 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 895 896 if (ima_rules != policy) { 897 ima_policy_flag = 0; 898 ima_rules = policy; 899 900 /* 901 * IMA architecture specific policy rules are specified 902 * as strings and converted to an array of ima_entry_rules 903 * on boot. After loading a custom policy, free the 904 * architecture specific rules stored as an array. 905 */ 906 kfree(arch_policy_entry); 907 } 908 ima_update_policy_flag(); 909 910 /* Custom IMA policy has been loaded */ 911 ima_process_queued_keys(); 912 } 913 914 /* Keep the enumeration in sync with the policy_tokens! */ 915 enum { 916 Opt_measure, Opt_dont_measure, 917 Opt_appraise, Opt_dont_appraise, 918 Opt_audit, Opt_hash, Opt_dont_hash, 919 Opt_obj_user, Opt_obj_role, Opt_obj_type, 920 Opt_subj_user, Opt_subj_role, Opt_subj_type, 921 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 922 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 923 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 924 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 925 Opt_appraise_type, Opt_appraise_flag, 926 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 927 Opt_err 928 }; 929 930 static const match_table_t policy_tokens = { 931 {Opt_measure, "measure"}, 932 {Opt_dont_measure, "dont_measure"}, 933 {Opt_appraise, "appraise"}, 934 {Opt_dont_appraise, "dont_appraise"}, 935 {Opt_audit, "audit"}, 936 {Opt_hash, "hash"}, 937 {Opt_dont_hash, "dont_hash"}, 938 {Opt_obj_user, "obj_user=%s"}, 939 {Opt_obj_role, "obj_role=%s"}, 940 {Opt_obj_type, "obj_type=%s"}, 941 {Opt_subj_user, "subj_user=%s"}, 942 {Opt_subj_role, "subj_role=%s"}, 943 {Opt_subj_type, "subj_type=%s"}, 944 {Opt_func, "func=%s"}, 945 {Opt_mask, "mask=%s"}, 946 {Opt_fsmagic, "fsmagic=%s"}, 947 {Opt_fsname, "fsname=%s"}, 948 {Opt_fsuuid, "fsuuid=%s"}, 949 {Opt_uid_eq, "uid=%s"}, 950 {Opt_euid_eq, "euid=%s"}, 951 {Opt_fowner_eq, "fowner=%s"}, 952 {Opt_uid_gt, "uid>%s"}, 953 {Opt_euid_gt, "euid>%s"}, 954 {Opt_fowner_gt, "fowner>%s"}, 955 {Opt_uid_lt, "uid<%s"}, 956 {Opt_euid_lt, "euid<%s"}, 957 {Opt_fowner_lt, "fowner<%s"}, 958 {Opt_appraise_type, "appraise_type=%s"}, 959 {Opt_appraise_flag, "appraise_flag=%s"}, 960 {Opt_permit_directio, "permit_directio"}, 961 {Opt_pcr, "pcr=%s"}, 962 {Opt_template, "template=%s"}, 963 {Opt_keyrings, "keyrings=%s"}, 964 {Opt_err, NULL} 965 }; 966 967 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 968 substring_t *args, int lsm_rule, int audit_type) 969 { 970 int result; 971 972 if (entry->lsm[lsm_rule].rule) 973 return -EINVAL; 974 975 entry->lsm[lsm_rule].args_p = match_strdup(args); 976 if (!entry->lsm[lsm_rule].args_p) 977 return -ENOMEM; 978 979 entry->lsm[lsm_rule].type = audit_type; 980 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 981 entry->lsm[lsm_rule].args_p, 982 &entry->lsm[lsm_rule].rule); 983 if (!entry->lsm[lsm_rule].rule) { 984 pr_warn("rule for LSM \'%s\' is undefined\n", 985 entry->lsm[lsm_rule].args_p); 986 987 if (ima_rules == &ima_default_rules) { 988 kfree(entry->lsm[lsm_rule].args_p); 989 entry->lsm[lsm_rule].args_p = NULL; 990 result = -EINVAL; 991 } else 992 result = 0; 993 } 994 995 return result; 996 } 997 998 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 999 bool (*rule_operator)(kuid_t, kuid_t)) 1000 { 1001 if (!ab) 1002 return; 1003 1004 if (rule_operator == &uid_gt) 1005 audit_log_format(ab, "%s>", key); 1006 else if (rule_operator == &uid_lt) 1007 audit_log_format(ab, "%s<", key); 1008 else 1009 audit_log_format(ab, "%s=", key); 1010 audit_log_format(ab, "%s ", value); 1011 } 1012 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1013 { 1014 ima_log_string_op(ab, key, value, NULL); 1015 } 1016 1017 /* 1018 * Validating the appended signature included in the measurement list requires 1019 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1020 * field). Therefore, notify the user if they have the 'modsig' field but not 1021 * the 'd-modsig' field in the template. 1022 */ 1023 static void check_template_modsig(const struct ima_template_desc *template) 1024 { 1025 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1026 bool has_modsig, has_dmodsig; 1027 static bool checked; 1028 int i; 1029 1030 /* We only need to notify the user once. */ 1031 if (checked) 1032 return; 1033 1034 has_modsig = has_dmodsig = false; 1035 for (i = 0; i < template->num_fields; i++) { 1036 if (!strcmp(template->fields[i]->field_id, "modsig")) 1037 has_modsig = true; 1038 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1039 has_dmodsig = true; 1040 } 1041 1042 if (has_modsig && !has_dmodsig) 1043 pr_notice(MSG); 1044 1045 checked = true; 1046 #undef MSG 1047 } 1048 1049 static bool ima_validate_rule(struct ima_rule_entry *entry) 1050 { 1051 /* Ensure that the action is set and is compatible with the flags */ 1052 if (entry->action == UNKNOWN) 1053 return false; 1054 1055 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1056 return false; 1057 1058 if (entry->action != APPRAISE && 1059 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)) 1060 return false; 1061 1062 /* 1063 * The IMA_FUNC bit must be set if and only if there's a valid hook 1064 * function specified, and vice versa. Enforcing this property allows 1065 * for the NONE case below to validate a rule without an explicit hook 1066 * function. 1067 */ 1068 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1069 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1070 return false; 1071 1072 /* 1073 * Ensure that the hook function is compatible with the other 1074 * components of the rule 1075 */ 1076 switch (entry->func) { 1077 case NONE: 1078 case FILE_CHECK: 1079 case MMAP_CHECK: 1080 case BPRM_CHECK: 1081 case CREDS_CHECK: 1082 case POST_SETATTR: 1083 case FIRMWARE_CHECK: 1084 case POLICY_CHECK: 1085 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1086 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1087 IMA_INMASK | IMA_EUID | IMA_PCR | 1088 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1089 IMA_PERMIT_DIRECTIO)) 1090 return false; 1091 1092 break; 1093 case MODULE_CHECK: 1094 case KEXEC_KERNEL_CHECK: 1095 case KEXEC_INITRAMFS_CHECK: 1096 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1097 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1098 IMA_INMASK | IMA_EUID | IMA_PCR | 1099 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1100 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1101 IMA_CHECK_BLACKLIST)) 1102 return false; 1103 1104 break; 1105 case KEXEC_CMDLINE: 1106 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1107 return false; 1108 1109 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1110 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1111 IMA_PCR | IMA_FSNAME)) 1112 return false; 1113 1114 break; 1115 case KEY_CHECK: 1116 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1117 return false; 1118 1119 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1120 IMA_KEYRINGS)) 1121 return false; 1122 1123 if (ima_rule_contains_lsm_cond(entry)) 1124 return false; 1125 1126 break; 1127 case CRITICAL_DATA: 1128 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1129 return false; 1130 1131 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR)) 1132 return false; 1133 1134 if (ima_rule_contains_lsm_cond(entry)) 1135 return false; 1136 1137 break; 1138 default: 1139 return false; 1140 } 1141 1142 /* Ensure that combinations of flags are compatible with each other */ 1143 if (entry->flags & IMA_CHECK_BLACKLIST && 1144 !(entry->flags & IMA_MODSIG_ALLOWED)) 1145 return false; 1146 1147 return true; 1148 } 1149 1150 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1151 { 1152 struct audit_buffer *ab; 1153 char *from; 1154 char *p; 1155 bool uid_token; 1156 struct ima_template_desc *template_desc; 1157 int result = 0; 1158 1159 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1160 AUDIT_INTEGRITY_POLICY_RULE); 1161 1162 entry->uid = INVALID_UID; 1163 entry->fowner = INVALID_UID; 1164 entry->uid_op = &uid_eq; 1165 entry->fowner_op = &uid_eq; 1166 entry->action = UNKNOWN; 1167 while ((p = strsep(&rule, " \t")) != NULL) { 1168 substring_t args[MAX_OPT_ARGS]; 1169 int token; 1170 unsigned long lnum; 1171 1172 if (result < 0) 1173 break; 1174 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1175 continue; 1176 token = match_token(p, policy_tokens, args); 1177 switch (token) { 1178 case Opt_measure: 1179 ima_log_string(ab, "action", "measure"); 1180 1181 if (entry->action != UNKNOWN) 1182 result = -EINVAL; 1183 1184 entry->action = MEASURE; 1185 break; 1186 case Opt_dont_measure: 1187 ima_log_string(ab, "action", "dont_measure"); 1188 1189 if (entry->action != UNKNOWN) 1190 result = -EINVAL; 1191 1192 entry->action = DONT_MEASURE; 1193 break; 1194 case Opt_appraise: 1195 ima_log_string(ab, "action", "appraise"); 1196 1197 if (entry->action != UNKNOWN) 1198 result = -EINVAL; 1199 1200 entry->action = APPRAISE; 1201 break; 1202 case Opt_dont_appraise: 1203 ima_log_string(ab, "action", "dont_appraise"); 1204 1205 if (entry->action != UNKNOWN) 1206 result = -EINVAL; 1207 1208 entry->action = DONT_APPRAISE; 1209 break; 1210 case Opt_audit: 1211 ima_log_string(ab, "action", "audit"); 1212 1213 if (entry->action != UNKNOWN) 1214 result = -EINVAL; 1215 1216 entry->action = AUDIT; 1217 break; 1218 case Opt_hash: 1219 ima_log_string(ab, "action", "hash"); 1220 1221 if (entry->action != UNKNOWN) 1222 result = -EINVAL; 1223 1224 entry->action = HASH; 1225 break; 1226 case Opt_dont_hash: 1227 ima_log_string(ab, "action", "dont_hash"); 1228 1229 if (entry->action != UNKNOWN) 1230 result = -EINVAL; 1231 1232 entry->action = DONT_HASH; 1233 break; 1234 case Opt_func: 1235 ima_log_string(ab, "func", args[0].from); 1236 1237 if (entry->func) 1238 result = -EINVAL; 1239 1240 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1241 entry->func = FILE_CHECK; 1242 /* PATH_CHECK is for backwards compat */ 1243 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1244 entry->func = FILE_CHECK; 1245 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1246 entry->func = MODULE_CHECK; 1247 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1248 entry->func = FIRMWARE_CHECK; 1249 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1250 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1251 entry->func = MMAP_CHECK; 1252 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1253 entry->func = BPRM_CHECK; 1254 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1255 entry->func = CREDS_CHECK; 1256 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1257 0) 1258 entry->func = KEXEC_KERNEL_CHECK; 1259 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1260 == 0) 1261 entry->func = KEXEC_INITRAMFS_CHECK; 1262 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1263 entry->func = POLICY_CHECK; 1264 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1265 entry->func = KEXEC_CMDLINE; 1266 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1267 strcmp(args[0].from, "KEY_CHECK") == 0) 1268 entry->func = KEY_CHECK; 1269 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1270 entry->func = CRITICAL_DATA; 1271 else 1272 result = -EINVAL; 1273 if (!result) 1274 entry->flags |= IMA_FUNC; 1275 break; 1276 case Opt_mask: 1277 ima_log_string(ab, "mask", args[0].from); 1278 1279 if (entry->mask) 1280 result = -EINVAL; 1281 1282 from = args[0].from; 1283 if (*from == '^') 1284 from++; 1285 1286 if ((strcmp(from, "MAY_EXEC")) == 0) 1287 entry->mask = MAY_EXEC; 1288 else if (strcmp(from, "MAY_WRITE") == 0) 1289 entry->mask = MAY_WRITE; 1290 else if (strcmp(from, "MAY_READ") == 0) 1291 entry->mask = MAY_READ; 1292 else if (strcmp(from, "MAY_APPEND") == 0) 1293 entry->mask = MAY_APPEND; 1294 else 1295 result = -EINVAL; 1296 if (!result) 1297 entry->flags |= (*args[0].from == '^') 1298 ? IMA_INMASK : IMA_MASK; 1299 break; 1300 case Opt_fsmagic: 1301 ima_log_string(ab, "fsmagic", args[0].from); 1302 1303 if (entry->fsmagic) { 1304 result = -EINVAL; 1305 break; 1306 } 1307 1308 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1309 if (!result) 1310 entry->flags |= IMA_FSMAGIC; 1311 break; 1312 case Opt_fsname: 1313 ima_log_string(ab, "fsname", args[0].from); 1314 1315 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1316 if (!entry->fsname) { 1317 result = -ENOMEM; 1318 break; 1319 } 1320 result = 0; 1321 entry->flags |= IMA_FSNAME; 1322 break; 1323 case Opt_keyrings: 1324 ima_log_string(ab, "keyrings", args[0].from); 1325 1326 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1327 entry->keyrings) { 1328 result = -EINVAL; 1329 break; 1330 } 1331 1332 entry->keyrings = ima_alloc_rule_opt_list(args); 1333 if (IS_ERR(entry->keyrings)) { 1334 result = PTR_ERR(entry->keyrings); 1335 entry->keyrings = NULL; 1336 break; 1337 } 1338 1339 entry->flags |= IMA_KEYRINGS; 1340 break; 1341 case Opt_fsuuid: 1342 ima_log_string(ab, "fsuuid", args[0].from); 1343 1344 if (!uuid_is_null(&entry->fsuuid)) { 1345 result = -EINVAL; 1346 break; 1347 } 1348 1349 result = uuid_parse(args[0].from, &entry->fsuuid); 1350 if (!result) 1351 entry->flags |= IMA_FSUUID; 1352 break; 1353 case Opt_uid_gt: 1354 case Opt_euid_gt: 1355 entry->uid_op = &uid_gt; 1356 fallthrough; 1357 case Opt_uid_lt: 1358 case Opt_euid_lt: 1359 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1360 entry->uid_op = &uid_lt; 1361 fallthrough; 1362 case Opt_uid_eq: 1363 case Opt_euid_eq: 1364 uid_token = (token == Opt_uid_eq) || 1365 (token == Opt_uid_gt) || 1366 (token == Opt_uid_lt); 1367 1368 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1369 args[0].from, entry->uid_op); 1370 1371 if (uid_valid(entry->uid)) { 1372 result = -EINVAL; 1373 break; 1374 } 1375 1376 result = kstrtoul(args[0].from, 10, &lnum); 1377 if (!result) { 1378 entry->uid = make_kuid(current_user_ns(), 1379 (uid_t) lnum); 1380 if (!uid_valid(entry->uid) || 1381 (uid_t)lnum != lnum) 1382 result = -EINVAL; 1383 else 1384 entry->flags |= uid_token 1385 ? IMA_UID : IMA_EUID; 1386 } 1387 break; 1388 case Opt_fowner_gt: 1389 entry->fowner_op = &uid_gt; 1390 fallthrough; 1391 case Opt_fowner_lt: 1392 if (token == Opt_fowner_lt) 1393 entry->fowner_op = &uid_lt; 1394 fallthrough; 1395 case Opt_fowner_eq: 1396 ima_log_string_op(ab, "fowner", args[0].from, 1397 entry->fowner_op); 1398 1399 if (uid_valid(entry->fowner)) { 1400 result = -EINVAL; 1401 break; 1402 } 1403 1404 result = kstrtoul(args[0].from, 10, &lnum); 1405 if (!result) { 1406 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1407 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1408 result = -EINVAL; 1409 else 1410 entry->flags |= IMA_FOWNER; 1411 } 1412 break; 1413 case Opt_obj_user: 1414 ima_log_string(ab, "obj_user", args[0].from); 1415 result = ima_lsm_rule_init(entry, args, 1416 LSM_OBJ_USER, 1417 AUDIT_OBJ_USER); 1418 break; 1419 case Opt_obj_role: 1420 ima_log_string(ab, "obj_role", args[0].from); 1421 result = ima_lsm_rule_init(entry, args, 1422 LSM_OBJ_ROLE, 1423 AUDIT_OBJ_ROLE); 1424 break; 1425 case Opt_obj_type: 1426 ima_log_string(ab, "obj_type", args[0].from); 1427 result = ima_lsm_rule_init(entry, args, 1428 LSM_OBJ_TYPE, 1429 AUDIT_OBJ_TYPE); 1430 break; 1431 case Opt_subj_user: 1432 ima_log_string(ab, "subj_user", args[0].from); 1433 result = ima_lsm_rule_init(entry, args, 1434 LSM_SUBJ_USER, 1435 AUDIT_SUBJ_USER); 1436 break; 1437 case Opt_subj_role: 1438 ima_log_string(ab, "subj_role", args[0].from); 1439 result = ima_lsm_rule_init(entry, args, 1440 LSM_SUBJ_ROLE, 1441 AUDIT_SUBJ_ROLE); 1442 break; 1443 case Opt_subj_type: 1444 ima_log_string(ab, "subj_type", args[0].from); 1445 result = ima_lsm_rule_init(entry, args, 1446 LSM_SUBJ_TYPE, 1447 AUDIT_SUBJ_TYPE); 1448 break; 1449 case Opt_appraise_type: 1450 ima_log_string(ab, "appraise_type", args[0].from); 1451 if ((strcmp(args[0].from, "imasig")) == 0) 1452 entry->flags |= IMA_DIGSIG_REQUIRED; 1453 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1454 strcmp(args[0].from, "imasig|modsig") == 0) 1455 entry->flags |= IMA_DIGSIG_REQUIRED | 1456 IMA_MODSIG_ALLOWED; 1457 else 1458 result = -EINVAL; 1459 break; 1460 case Opt_appraise_flag: 1461 ima_log_string(ab, "appraise_flag", args[0].from); 1462 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1463 strstr(args[0].from, "blacklist")) 1464 entry->flags |= IMA_CHECK_BLACKLIST; 1465 else 1466 result = -EINVAL; 1467 break; 1468 case Opt_permit_directio: 1469 entry->flags |= IMA_PERMIT_DIRECTIO; 1470 break; 1471 case Opt_pcr: 1472 ima_log_string(ab, "pcr", args[0].from); 1473 1474 result = kstrtoint(args[0].from, 10, &entry->pcr); 1475 if (result || INVALID_PCR(entry->pcr)) 1476 result = -EINVAL; 1477 else 1478 entry->flags |= IMA_PCR; 1479 1480 break; 1481 case Opt_template: 1482 ima_log_string(ab, "template", args[0].from); 1483 if (entry->action != MEASURE) { 1484 result = -EINVAL; 1485 break; 1486 } 1487 template_desc = lookup_template_desc(args[0].from); 1488 if (!template_desc || entry->template) { 1489 result = -EINVAL; 1490 break; 1491 } 1492 1493 /* 1494 * template_desc_init_fields() does nothing if 1495 * the template is already initialised, so 1496 * it's safe to do this unconditionally 1497 */ 1498 template_desc_init_fields(template_desc->fmt, 1499 &(template_desc->fields), 1500 &(template_desc->num_fields)); 1501 entry->template = template_desc; 1502 break; 1503 case Opt_err: 1504 ima_log_string(ab, "UNKNOWN", p); 1505 result = -EINVAL; 1506 break; 1507 } 1508 } 1509 if (!result && !ima_validate_rule(entry)) 1510 result = -EINVAL; 1511 else if (entry->action == APPRAISE) 1512 temp_ima_appraise |= ima_appraise_flag(entry->func); 1513 1514 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1515 template_desc = entry->template ? entry->template : 1516 ima_template_desc_current(); 1517 check_template_modsig(template_desc); 1518 } 1519 1520 audit_log_format(ab, "res=%d", !result); 1521 audit_log_end(ab); 1522 return result; 1523 } 1524 1525 /** 1526 * ima_parse_add_rule - add a rule to ima_policy_rules 1527 * @rule - ima measurement policy rule 1528 * 1529 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1530 * Returns the length of the rule parsed, an error code on failure 1531 */ 1532 ssize_t ima_parse_add_rule(char *rule) 1533 { 1534 static const char op[] = "update_policy"; 1535 char *p; 1536 struct ima_rule_entry *entry; 1537 ssize_t result, len; 1538 int audit_info = 0; 1539 1540 p = strsep(&rule, "\n"); 1541 len = strlen(p) + 1; 1542 p += strspn(p, " \t"); 1543 1544 if (*p == '#' || *p == '\0') 1545 return len; 1546 1547 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1548 if (!entry) { 1549 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1550 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1551 return -ENOMEM; 1552 } 1553 1554 INIT_LIST_HEAD(&entry->list); 1555 1556 result = ima_parse_rule(p, entry); 1557 if (result) { 1558 ima_free_rule(entry); 1559 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1560 NULL, op, "invalid-policy", result, 1561 audit_info); 1562 return result; 1563 } 1564 1565 list_add_tail(&entry->list, &ima_temp_rules); 1566 1567 return len; 1568 } 1569 1570 /** 1571 * ima_delete_rules() called to cleanup invalid in-flight policy. 1572 * We don't need locking as we operate on the temp list, which is 1573 * different from the active one. There is also only one user of 1574 * ima_delete_rules() at a time. 1575 */ 1576 void ima_delete_rules(void) 1577 { 1578 struct ima_rule_entry *entry, *tmp; 1579 1580 temp_ima_appraise = 0; 1581 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1582 list_del(&entry->list); 1583 ima_free_rule(entry); 1584 } 1585 } 1586 1587 #define __ima_hook_stringify(func, str) (#func), 1588 1589 const char *const func_tokens[] = { 1590 __ima_hooks(__ima_hook_stringify) 1591 }; 1592 1593 #ifdef CONFIG_IMA_READ_POLICY 1594 enum { 1595 mask_exec = 0, mask_write, mask_read, mask_append 1596 }; 1597 1598 static const char *const mask_tokens[] = { 1599 "^MAY_EXEC", 1600 "^MAY_WRITE", 1601 "^MAY_READ", 1602 "^MAY_APPEND" 1603 }; 1604 1605 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1606 { 1607 loff_t l = *pos; 1608 struct ima_rule_entry *entry; 1609 1610 rcu_read_lock(); 1611 list_for_each_entry_rcu(entry, ima_rules, list) { 1612 if (!l--) { 1613 rcu_read_unlock(); 1614 return entry; 1615 } 1616 } 1617 rcu_read_unlock(); 1618 return NULL; 1619 } 1620 1621 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1622 { 1623 struct ima_rule_entry *entry = v; 1624 1625 rcu_read_lock(); 1626 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1627 rcu_read_unlock(); 1628 (*pos)++; 1629 1630 return (&entry->list == ima_rules) ? NULL : entry; 1631 } 1632 1633 void ima_policy_stop(struct seq_file *m, void *v) 1634 { 1635 } 1636 1637 #define pt(token) policy_tokens[token].pattern 1638 #define mt(token) mask_tokens[token] 1639 1640 /* 1641 * policy_func_show - display the ima_hooks policy rule 1642 */ 1643 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1644 { 1645 if (func > 0 && func < MAX_CHECK) 1646 seq_printf(m, "func=%s ", func_tokens[func]); 1647 else 1648 seq_printf(m, "func=%d ", func); 1649 } 1650 1651 static void ima_show_rule_opt_list(struct seq_file *m, 1652 const struct ima_rule_opt_list *opt_list) 1653 { 1654 size_t i; 1655 1656 for (i = 0; i < opt_list->count; i++) 1657 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 1658 } 1659 1660 int ima_policy_show(struct seq_file *m, void *v) 1661 { 1662 struct ima_rule_entry *entry = v; 1663 int i; 1664 char tbuf[64] = {0,}; 1665 int offset = 0; 1666 1667 rcu_read_lock(); 1668 1669 if (entry->action & MEASURE) 1670 seq_puts(m, pt(Opt_measure)); 1671 if (entry->action & DONT_MEASURE) 1672 seq_puts(m, pt(Opt_dont_measure)); 1673 if (entry->action & APPRAISE) 1674 seq_puts(m, pt(Opt_appraise)); 1675 if (entry->action & DONT_APPRAISE) 1676 seq_puts(m, pt(Opt_dont_appraise)); 1677 if (entry->action & AUDIT) 1678 seq_puts(m, pt(Opt_audit)); 1679 if (entry->action & HASH) 1680 seq_puts(m, pt(Opt_hash)); 1681 if (entry->action & DONT_HASH) 1682 seq_puts(m, pt(Opt_dont_hash)); 1683 1684 seq_puts(m, " "); 1685 1686 if (entry->flags & IMA_FUNC) 1687 policy_func_show(m, entry->func); 1688 1689 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1690 if (entry->flags & IMA_MASK) 1691 offset = 1; 1692 if (entry->mask & MAY_EXEC) 1693 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1694 if (entry->mask & MAY_WRITE) 1695 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1696 if (entry->mask & MAY_READ) 1697 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1698 if (entry->mask & MAY_APPEND) 1699 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1700 seq_puts(m, " "); 1701 } 1702 1703 if (entry->flags & IMA_FSMAGIC) { 1704 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1705 seq_printf(m, pt(Opt_fsmagic), tbuf); 1706 seq_puts(m, " "); 1707 } 1708 1709 if (entry->flags & IMA_FSNAME) { 1710 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1711 seq_printf(m, pt(Opt_fsname), tbuf); 1712 seq_puts(m, " "); 1713 } 1714 1715 if (entry->flags & IMA_KEYRINGS) { 1716 seq_puts(m, "keyrings="); 1717 ima_show_rule_opt_list(m, entry->keyrings); 1718 seq_puts(m, " "); 1719 } 1720 1721 if (entry->flags & IMA_PCR) { 1722 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1723 seq_printf(m, pt(Opt_pcr), tbuf); 1724 seq_puts(m, " "); 1725 } 1726 1727 if (entry->flags & IMA_FSUUID) { 1728 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1729 seq_puts(m, " "); 1730 } 1731 1732 if (entry->flags & IMA_UID) { 1733 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1734 if (entry->uid_op == &uid_gt) 1735 seq_printf(m, pt(Opt_uid_gt), tbuf); 1736 else if (entry->uid_op == &uid_lt) 1737 seq_printf(m, pt(Opt_uid_lt), tbuf); 1738 else 1739 seq_printf(m, pt(Opt_uid_eq), tbuf); 1740 seq_puts(m, " "); 1741 } 1742 1743 if (entry->flags & IMA_EUID) { 1744 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1745 if (entry->uid_op == &uid_gt) 1746 seq_printf(m, pt(Opt_euid_gt), tbuf); 1747 else if (entry->uid_op == &uid_lt) 1748 seq_printf(m, pt(Opt_euid_lt), tbuf); 1749 else 1750 seq_printf(m, pt(Opt_euid_eq), tbuf); 1751 seq_puts(m, " "); 1752 } 1753 1754 if (entry->flags & IMA_FOWNER) { 1755 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1756 if (entry->fowner_op == &uid_gt) 1757 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1758 else if (entry->fowner_op == &uid_lt) 1759 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1760 else 1761 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1762 seq_puts(m, " "); 1763 } 1764 1765 for (i = 0; i < MAX_LSM_RULES; i++) { 1766 if (entry->lsm[i].rule) { 1767 switch (i) { 1768 case LSM_OBJ_USER: 1769 seq_printf(m, pt(Opt_obj_user), 1770 entry->lsm[i].args_p); 1771 break; 1772 case LSM_OBJ_ROLE: 1773 seq_printf(m, pt(Opt_obj_role), 1774 entry->lsm[i].args_p); 1775 break; 1776 case LSM_OBJ_TYPE: 1777 seq_printf(m, pt(Opt_obj_type), 1778 entry->lsm[i].args_p); 1779 break; 1780 case LSM_SUBJ_USER: 1781 seq_printf(m, pt(Opt_subj_user), 1782 entry->lsm[i].args_p); 1783 break; 1784 case LSM_SUBJ_ROLE: 1785 seq_printf(m, pt(Opt_subj_role), 1786 entry->lsm[i].args_p); 1787 break; 1788 case LSM_SUBJ_TYPE: 1789 seq_printf(m, pt(Opt_subj_type), 1790 entry->lsm[i].args_p); 1791 break; 1792 } 1793 seq_puts(m, " "); 1794 } 1795 } 1796 if (entry->template) 1797 seq_printf(m, "template=%s ", entry->template->name); 1798 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1799 if (entry->flags & IMA_MODSIG_ALLOWED) 1800 seq_puts(m, "appraise_type=imasig|modsig "); 1801 else 1802 seq_puts(m, "appraise_type=imasig "); 1803 } 1804 if (entry->flags & IMA_CHECK_BLACKLIST) 1805 seq_puts(m, "appraise_flag=check_blacklist "); 1806 if (entry->flags & IMA_PERMIT_DIRECTIO) 1807 seq_puts(m, "permit_directio "); 1808 rcu_read_unlock(); 1809 seq_puts(m, "\n"); 1810 return 0; 1811 } 1812 #endif /* CONFIG_IMA_READ_POLICY */ 1813 1814 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1815 /* 1816 * ima_appraise_signature: whether IMA will appraise a given function using 1817 * an IMA digital signature. This is restricted to cases where the kernel 1818 * has a set of built-in trusted keys in order to avoid an attacker simply 1819 * loading additional keys. 1820 */ 1821 bool ima_appraise_signature(enum kernel_read_file_id id) 1822 { 1823 struct ima_rule_entry *entry; 1824 bool found = false; 1825 enum ima_hooks func; 1826 1827 if (id >= READING_MAX_ID) 1828 return false; 1829 1830 func = read_idmap[id] ?: FILE_CHECK; 1831 1832 rcu_read_lock(); 1833 list_for_each_entry_rcu(entry, ima_rules, list) { 1834 if (entry->action != APPRAISE) 1835 continue; 1836 1837 /* 1838 * A generic entry will match, but otherwise require that it 1839 * match the func we're looking for 1840 */ 1841 if (entry->func && entry->func != func) 1842 continue; 1843 1844 /* 1845 * We require this to be a digital signature, not a raw IMA 1846 * hash. 1847 */ 1848 if (entry->flags & IMA_DIGSIG_REQUIRED) 1849 found = true; 1850 1851 /* 1852 * We've found a rule that matches, so break now even if it 1853 * didn't require a digital signature - a later rule that does 1854 * won't override it, so would be a false positive. 1855 */ 1856 break; 1857 } 1858 1859 rcu_read_unlock(); 1860 return found; 1861 } 1862 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1863