1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/seq_file.h> 20 #include <linux/ima.h> 21 22 #include "ima.h" 23 24 /* flags definitions */ 25 #define IMA_FUNC 0x0001 26 #define IMA_MASK 0x0002 27 #define IMA_FSMAGIC 0x0004 28 #define IMA_UID 0x0008 29 #define IMA_FOWNER 0x0010 30 #define IMA_FSUUID 0x0020 31 #define IMA_INMASK 0x0040 32 #define IMA_EUID 0x0080 33 #define IMA_PCR 0x0100 34 #define IMA_FSNAME 0x0200 35 #define IMA_KEYRINGS 0x0400 36 #define IMA_LABEL 0x0800 37 #define IMA_VALIDATE_ALGOS 0x1000 38 #define IMA_GID 0x2000 39 #define IMA_EGID 0x4000 40 #define IMA_FGROUP 0x8000 41 42 #define UNKNOWN 0 43 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 44 #define DONT_MEASURE 0x0002 45 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 46 #define DONT_APPRAISE 0x0008 47 #define AUDIT 0x0040 48 #define HASH 0x0100 49 #define DONT_HASH 0x0200 50 51 #define INVALID_PCR(a) (((a) < 0) || \ 52 (a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8)) 53 54 int ima_policy_flag; 55 static int temp_ima_appraise; 56 static int build_ima_appraise __ro_after_init; 57 58 atomic_t ima_setxattr_allowed_hash_algorithms; 59 60 #define MAX_LSM_RULES 6 61 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 62 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 63 }; 64 65 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 66 67 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 68 69 struct ima_rule_opt_list { 70 size_t count; 71 char *items[] __counted_by(count); 72 }; 73 74 /* 75 * These comparators are needed nowhere outside of ima so just define them here. 76 * This pattern should hopefully never be needed outside of ima. 77 */ 78 static inline bool vfsuid_gt_kuid(vfsuid_t vfsuid, kuid_t kuid) 79 { 80 return __vfsuid_val(vfsuid) > __kuid_val(kuid); 81 } 82 83 static inline bool vfsgid_gt_kgid(vfsgid_t vfsgid, kgid_t kgid) 84 { 85 return __vfsgid_val(vfsgid) > __kgid_val(kgid); 86 } 87 88 static inline bool vfsuid_lt_kuid(vfsuid_t vfsuid, kuid_t kuid) 89 { 90 return __vfsuid_val(vfsuid) < __kuid_val(kuid); 91 } 92 93 static inline bool vfsgid_lt_kgid(vfsgid_t vfsgid, kgid_t kgid) 94 { 95 return __vfsgid_val(vfsgid) < __kgid_val(kgid); 96 } 97 98 struct ima_rule_entry { 99 struct list_head list; 100 int action; 101 unsigned int flags; 102 enum ima_hooks func; 103 int mask; 104 unsigned long fsmagic; 105 uuid_t fsuuid; 106 kuid_t uid; 107 kgid_t gid; 108 kuid_t fowner; 109 kgid_t fgroup; 110 bool (*uid_op)(kuid_t cred_uid, kuid_t rule_uid); /* Handlers for operators */ 111 bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid); 112 bool (*fowner_op)(vfsuid_t vfsuid, kuid_t rule_uid); /* vfsuid_eq_kuid(), vfsuid_gt_kuid(), vfsuid_lt_kuid() */ 113 bool (*fgroup_op)(vfsgid_t vfsgid, kgid_t rule_gid); /* vfsgid_eq_kgid(), vfsgid_gt_kgid(), vfsgid_lt_kgid() */ 114 int pcr; 115 unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ 116 struct { 117 void *rule; /* LSM file metadata specific */ 118 char *args_p; /* audit value */ 119 int type; /* audit type */ 120 } lsm[MAX_LSM_RULES]; 121 char *fsname; 122 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 123 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 124 struct ima_template_desc *template; 125 }; 126 127 /* 128 * sanity check in case the kernels gains more hash algorithms that can 129 * fit in an unsigned int 130 */ 131 static_assert( 132 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, 133 "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type"); 134 135 /* 136 * Without LSM specific knowledge, the default policy can only be 137 * written in terms of .action, .func, .mask, .fsmagic, .uid, .gid, 138 * .fowner, and .fgroup 139 */ 140 141 /* 142 * The minimum rule set to allow for full TCB coverage. Measures all files 143 * opened or mmap for exec and everything read by root. Dangerous because 144 * normal users can easily run the machine out of memory simply building 145 * and running executables. 146 */ 147 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 148 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 149 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK, 152 .flags = IMA_FSMAGIC | IMA_FUNC}, 153 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 158 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 159 .flags = IMA_FSMAGIC}, 160 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 161 .flags = IMA_FSMAGIC}, 162 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 163 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 164 }; 165 166 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 167 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 168 .flags = IMA_FUNC | IMA_MASK}, 169 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 170 .flags = IMA_FUNC | IMA_MASK}, 171 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 172 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 173 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 174 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 175 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 176 }; 177 178 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 179 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 180 .flags = IMA_FUNC | IMA_MASK}, 181 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 182 .flags = IMA_FUNC | IMA_MASK}, 183 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 184 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 185 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 186 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 187 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 188 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 189 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 190 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 191 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 192 }; 193 194 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 195 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 196 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 197 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 198 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 199 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 200 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 201 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 202 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 203 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 204 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 205 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 206 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 207 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 208 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 209 #ifdef CONFIG_IMA_WRITE_POLICY 210 {.action = APPRAISE, .func = POLICY_CHECK, 211 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 212 #endif 213 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 214 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, 215 .flags = IMA_FOWNER}, 216 #else 217 /* force signature */ 218 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, 219 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 220 #endif 221 }; 222 223 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 224 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 225 {.action = APPRAISE, .func = MODULE_CHECK, 226 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 227 #endif 228 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 229 {.action = APPRAISE, .func = FIRMWARE_CHECK, 230 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 231 #endif 232 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 233 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 234 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 235 #endif 236 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 237 {.action = APPRAISE, .func = POLICY_CHECK, 238 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 239 #endif 240 }; 241 242 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 243 {.action = APPRAISE, .func = MODULE_CHECK, 244 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 245 {.action = APPRAISE, .func = FIRMWARE_CHECK, 246 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 247 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 248 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 249 {.action = APPRAISE, .func = POLICY_CHECK, 250 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 251 }; 252 253 static struct ima_rule_entry critical_data_rules[] __ro_after_init = { 254 {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, 255 }; 256 257 /* An array of architecture specific rules */ 258 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 259 260 static LIST_HEAD(ima_default_rules); 261 static LIST_HEAD(ima_policy_rules); 262 static LIST_HEAD(ima_temp_rules); 263 static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules); 264 265 static int ima_policy __initdata; 266 267 static int __init default_measure_policy_setup(char *str) 268 { 269 if (ima_policy) 270 return 1; 271 272 ima_policy = ORIGINAL_TCB; 273 return 1; 274 } 275 __setup("ima_tcb", default_measure_policy_setup); 276 277 static bool ima_use_appraise_tcb __initdata; 278 static bool ima_use_secure_boot __initdata; 279 static bool ima_use_critical_data __initdata; 280 static bool ima_fail_unverifiable_sigs __ro_after_init; 281 static int __init policy_setup(char *str) 282 { 283 char *p; 284 285 while ((p = strsep(&str, " |\n")) != NULL) { 286 if (*p == ' ') 287 continue; 288 if ((strcmp(p, "tcb") == 0) && !ima_policy) 289 ima_policy = DEFAULT_TCB; 290 else if (strcmp(p, "appraise_tcb") == 0) 291 ima_use_appraise_tcb = true; 292 else if (strcmp(p, "secure_boot") == 0) 293 ima_use_secure_boot = true; 294 else if (strcmp(p, "critical_data") == 0) 295 ima_use_critical_data = true; 296 else if (strcmp(p, "fail_securely") == 0) 297 ima_fail_unverifiable_sigs = true; 298 else 299 pr_err("policy \"%s\" not found", p); 300 } 301 302 return 1; 303 } 304 __setup("ima_policy=", policy_setup); 305 306 static int __init default_appraise_policy_setup(char *str) 307 { 308 ima_use_appraise_tcb = true; 309 return 1; 310 } 311 __setup("ima_appraise_tcb", default_appraise_policy_setup); 312 313 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 314 { 315 struct ima_rule_opt_list *opt_list; 316 size_t count = 0; 317 char *src_copy; 318 char *cur, *next; 319 size_t i; 320 321 src_copy = match_strdup(src); 322 if (!src_copy) 323 return ERR_PTR(-ENOMEM); 324 325 next = src_copy; 326 while ((cur = strsep(&next, "|"))) { 327 /* Don't accept an empty list item */ 328 if (!(*cur)) { 329 kfree(src_copy); 330 return ERR_PTR(-EINVAL); 331 } 332 count++; 333 } 334 335 /* Don't accept an empty list */ 336 if (!count) { 337 kfree(src_copy); 338 return ERR_PTR(-EINVAL); 339 } 340 341 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 342 if (!opt_list) { 343 kfree(src_copy); 344 return ERR_PTR(-ENOMEM); 345 } 346 opt_list->count = count; 347 348 /* 349 * strsep() has already replaced all instances of '|' with '\0', 350 * leaving a byte sequence of NUL-terminated strings. Reference each 351 * string with the array of items. 352 * 353 * IMPORTANT: Ownership of the allocated buffer is transferred from 354 * src_copy to the first element in the items array. To free the 355 * buffer, kfree() must only be called on the first element of the 356 * array. 357 */ 358 for (i = 0, cur = src_copy; i < count; i++) { 359 opt_list->items[i] = cur; 360 cur = strchr(cur, '\0') + 1; 361 } 362 363 return opt_list; 364 } 365 366 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 367 { 368 if (!opt_list) 369 return; 370 371 if (opt_list->count) { 372 kfree(opt_list->items[0]); 373 opt_list->count = 0; 374 } 375 376 kfree(opt_list); 377 } 378 379 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 380 { 381 int i; 382 383 for (i = 0; i < MAX_LSM_RULES; i++) { 384 ima_filter_rule_free(entry->lsm[i].rule); 385 kfree(entry->lsm[i].args_p); 386 } 387 } 388 389 static void ima_free_rule(struct ima_rule_entry *entry) 390 { 391 if (!entry) 392 return; 393 394 /* 395 * entry->template->fields may be allocated in ima_parse_rule() but that 396 * reference is owned by the corresponding ima_template_desc element in 397 * the defined_templates list and cannot be freed here 398 */ 399 kfree(entry->fsname); 400 ima_free_rule_opt_list(entry->keyrings); 401 ima_lsm_free_rule(entry); 402 kfree(entry); 403 } 404 405 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, 406 gfp_t gfp) 407 { 408 struct ima_rule_entry *nentry; 409 int i; 410 411 /* 412 * Immutable elements are copied over as pointers and data; only 413 * lsm rules can change 414 */ 415 nentry = kmemdup(entry, sizeof(*nentry), gfp); 416 if (!nentry) 417 return NULL; 418 419 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 420 421 for (i = 0; i < MAX_LSM_RULES; i++) { 422 if (!entry->lsm[i].args_p) 423 continue; 424 425 nentry->lsm[i].type = entry->lsm[i].type; 426 nentry->lsm[i].args_p = entry->lsm[i].args_p; 427 428 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 429 nentry->lsm[i].args_p, 430 &nentry->lsm[i].rule, 431 gfp); 432 if (!nentry->lsm[i].rule) 433 pr_warn("rule for LSM \'%s\' is undefined\n", 434 nentry->lsm[i].args_p); 435 } 436 return nentry; 437 } 438 439 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 440 { 441 int i; 442 struct ima_rule_entry *nentry; 443 444 nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); 445 if (!nentry) 446 return -ENOMEM; 447 448 list_replace_rcu(&entry->list, &nentry->list); 449 synchronize_rcu(); 450 /* 451 * ima_lsm_copy_rule() shallow copied all references, except for the 452 * LSM references, from entry to nentry so we only want to free the LSM 453 * references and the entry itself. All other memory references will now 454 * be owned by nentry. 455 */ 456 for (i = 0; i < MAX_LSM_RULES; i++) 457 ima_filter_rule_free(entry->lsm[i].rule); 458 kfree(entry); 459 460 return 0; 461 } 462 463 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 464 { 465 int i; 466 467 for (i = 0; i < MAX_LSM_RULES; i++) 468 if (entry->lsm[i].args_p) 469 return true; 470 471 return false; 472 } 473 474 /* 475 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 476 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 477 * the reloaded LSM policy. 478 */ 479 static void ima_lsm_update_rules(void) 480 { 481 struct ima_rule_entry *entry, *e; 482 int result; 483 484 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 485 if (!ima_rule_contains_lsm_cond(entry)) 486 continue; 487 488 result = ima_lsm_update_rule(entry); 489 if (result) { 490 pr_err("lsm rule update error %d\n", result); 491 return; 492 } 493 } 494 } 495 496 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 497 void *lsm_data) 498 { 499 if (event != LSM_POLICY_CHANGE) 500 return NOTIFY_DONE; 501 502 ima_lsm_update_rules(); 503 return NOTIFY_OK; 504 } 505 506 /** 507 * ima_match_rule_data - determine whether func_data matches the policy rule 508 * @rule: a pointer to a rule 509 * @func_data: data to match against the measure rule data 510 * @cred: a pointer to a credentials structure for user validation 511 * 512 * Returns true if func_data matches one in the rule, false otherwise. 513 */ 514 static bool ima_match_rule_data(struct ima_rule_entry *rule, 515 const char *func_data, 516 const struct cred *cred) 517 { 518 const struct ima_rule_opt_list *opt_list = NULL; 519 bool matched = false; 520 size_t i; 521 522 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 523 return false; 524 525 switch (rule->func) { 526 case KEY_CHECK: 527 if (!rule->keyrings) 528 return true; 529 530 opt_list = rule->keyrings; 531 break; 532 case CRITICAL_DATA: 533 if (!rule->label) 534 return true; 535 536 opt_list = rule->label; 537 break; 538 default: 539 return false; 540 } 541 542 if (!func_data) 543 return false; 544 545 for (i = 0; i < opt_list->count; i++) { 546 if (!strcmp(opt_list->items[i], func_data)) { 547 matched = true; 548 break; 549 } 550 } 551 552 return matched; 553 } 554 555 /** 556 * ima_match_rules - determine whether an inode matches the policy rule. 557 * @rule: a pointer to a rule 558 * @idmap: idmap of the mount the inode was found from 559 * @inode: a pointer to an inode 560 * @cred: a pointer to a credentials structure for user validation 561 * @prop: LSM properties of the task to be validated 562 * @func: LIM hook identifier 563 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 564 * @func_data: func specific data, may be NULL 565 * 566 * Returns true on rule match, false on failure. 567 */ 568 static bool ima_match_rules(struct ima_rule_entry *rule, 569 struct mnt_idmap *idmap, 570 struct inode *inode, const struct cred *cred, 571 struct lsm_prop *prop, enum ima_hooks func, int mask, 572 const char *func_data) 573 { 574 int i; 575 bool result = false; 576 struct ima_rule_entry *lsm_rule = rule; 577 bool rule_reinitialized = false; 578 579 if ((rule->flags & IMA_FUNC) && 580 (rule->func != func && func != POST_SETATTR)) 581 return false; 582 583 switch (func) { 584 case KEY_CHECK: 585 case CRITICAL_DATA: 586 return ((rule->func == func) && 587 ima_match_rule_data(rule, func_data, cred)); 588 default: 589 break; 590 } 591 592 if ((rule->flags & IMA_MASK) && 593 (rule->mask != mask && func != POST_SETATTR)) 594 return false; 595 if ((rule->flags & IMA_INMASK) && 596 (!(rule->mask & mask) && func != POST_SETATTR)) 597 return false; 598 if ((rule->flags & IMA_FSMAGIC) 599 && rule->fsmagic != inode->i_sb->s_magic) 600 return false; 601 if ((rule->flags & IMA_FSNAME) 602 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 603 return false; 604 if ((rule->flags & IMA_FSUUID) && 605 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 606 return false; 607 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 608 return false; 609 if (rule->flags & IMA_EUID) { 610 if (has_capability_noaudit(current, CAP_SETUID)) { 611 if (!rule->uid_op(cred->euid, rule->uid) 612 && !rule->uid_op(cred->suid, rule->uid) 613 && !rule->uid_op(cred->uid, rule->uid)) 614 return false; 615 } else if (!rule->uid_op(cred->euid, rule->uid)) 616 return false; 617 } 618 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid)) 619 return false; 620 if (rule->flags & IMA_EGID) { 621 if (has_capability_noaudit(current, CAP_SETGID)) { 622 if (!rule->gid_op(cred->egid, rule->gid) 623 && !rule->gid_op(cred->sgid, rule->gid) 624 && !rule->gid_op(cred->gid, rule->gid)) 625 return false; 626 } else if (!rule->gid_op(cred->egid, rule->gid)) 627 return false; 628 } 629 if ((rule->flags & IMA_FOWNER) && 630 !rule->fowner_op(i_uid_into_vfsuid(idmap, inode), 631 rule->fowner)) 632 return false; 633 if ((rule->flags & IMA_FGROUP) && 634 !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode), 635 rule->fgroup)) 636 return false; 637 for (i = 0; i < MAX_LSM_RULES; i++) { 638 int rc = 0; 639 struct lsm_prop inode_prop = { }; 640 641 if (!lsm_rule->lsm[i].rule) { 642 if (!lsm_rule->lsm[i].args_p) 643 continue; 644 else 645 return false; 646 } 647 648 retry: 649 switch (i) { 650 case LSM_OBJ_USER: 651 case LSM_OBJ_ROLE: 652 case LSM_OBJ_TYPE: 653 security_inode_getlsmprop(inode, &inode_prop); 654 rc = ima_filter_rule_match(&inode_prop, 655 lsm_rule->lsm[i].type, 656 Audit_equal, 657 lsm_rule->lsm[i].rule); 658 break; 659 case LSM_SUBJ_USER: 660 case LSM_SUBJ_ROLE: 661 case LSM_SUBJ_TYPE: 662 rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type, 663 Audit_equal, 664 lsm_rule->lsm[i].rule); 665 break; 666 default: 667 break; 668 } 669 670 if (rc == -ESTALE && !rule_reinitialized) { 671 lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); 672 if (lsm_rule) { 673 rule_reinitialized = true; 674 goto retry; 675 } 676 } 677 if (!rc) { 678 result = false; 679 goto out; 680 } 681 } 682 result = true; 683 684 out: 685 if (rule_reinitialized) { 686 for (i = 0; i < MAX_LSM_RULES; i++) 687 ima_filter_rule_free(lsm_rule->lsm[i].rule); 688 kfree(lsm_rule); 689 } 690 return result; 691 } 692 693 /* 694 * In addition to knowing that we need to appraise the file in general, 695 * we need to differentiate between calling hooks, for hook specific rules. 696 */ 697 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 698 { 699 if (!(rule->flags & IMA_FUNC)) 700 return IMA_FILE_APPRAISE; 701 702 switch (func) { 703 case MMAP_CHECK: 704 case MMAP_CHECK_REQPROT: 705 return IMA_MMAP_APPRAISE; 706 case BPRM_CHECK: 707 return IMA_BPRM_APPRAISE; 708 case CREDS_CHECK: 709 return IMA_CREDS_APPRAISE; 710 case FILE_CHECK: 711 case POST_SETATTR: 712 return IMA_FILE_APPRAISE; 713 case MODULE_CHECK ... MAX_CHECK - 1: 714 default: 715 return IMA_READ_APPRAISE; 716 } 717 } 718 719 /** 720 * ima_match_policy - decision based on LSM and other conditions 721 * @idmap: idmap of the mount the inode was found from 722 * @inode: pointer to an inode for which the policy decision is being made 723 * @cred: pointer to a credentials structure for which the policy decision is 724 * being made 725 * @prop: LSM properties of the task to be validated 726 * @func: IMA hook identifier 727 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 728 * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) 729 * @pcr: set the pcr to extend 730 * @template_desc: the template that should be used for this rule 731 * @func_data: func specific data, may be NULL 732 * @allowed_algos: allowlist of hash algorithms for the IMA xattr 733 * 734 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 735 * conditions. 736 * 737 * Since the IMA policy may be updated multiple times we need to lock the 738 * list when walking it. Reads are many orders of magnitude more numerous 739 * than writes so ima_match_policy() is classical RCU candidate. 740 */ 741 int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, 742 const struct cred *cred, struct lsm_prop *prop, 743 enum ima_hooks func, int mask, int flags, int *pcr, 744 struct ima_template_desc **template_desc, 745 const char *func_data, unsigned int *allowed_algos) 746 { 747 struct ima_rule_entry *entry; 748 int action = 0, actmask = flags | (flags << 1); 749 struct list_head *ima_rules_tmp; 750 751 if (template_desc && !*template_desc) 752 *template_desc = ima_template_desc_current(); 753 754 rcu_read_lock(); 755 ima_rules_tmp = rcu_dereference(ima_rules); 756 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 757 758 if (!(entry->action & actmask)) 759 continue; 760 761 if (!ima_match_rules(entry, idmap, inode, cred, prop, 762 func, mask, func_data)) 763 continue; 764 765 action |= entry->flags & IMA_NONACTION_FLAGS; 766 767 action |= entry->action & IMA_DO_MASK; 768 if (entry->action & IMA_APPRAISE) { 769 action |= get_subaction(entry, func); 770 action &= ~IMA_HASH; 771 if (ima_fail_unverifiable_sigs) 772 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 773 774 if (allowed_algos && 775 entry->flags & IMA_VALIDATE_ALGOS) 776 *allowed_algos = entry->allowed_algos; 777 } 778 779 if (entry->action & IMA_DO_MASK) 780 actmask &= ~(entry->action | entry->action << 1); 781 else 782 actmask &= ~(entry->action | entry->action >> 1); 783 784 if ((pcr) && (entry->flags & IMA_PCR)) 785 *pcr = entry->pcr; 786 787 if (template_desc && entry->template) 788 *template_desc = entry->template; 789 790 if (!actmask) 791 break; 792 } 793 rcu_read_unlock(); 794 795 return action; 796 } 797 798 /** 799 * ima_update_policy_flags() - Update global IMA variables 800 * 801 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms 802 * based on the currently loaded policy. 803 * 804 * With ima_policy_flag, the decision to short circuit out of a function 805 * or not call the function in the first place can be made earlier. 806 * 807 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the 808 * set of hash algorithms accepted when updating the security.ima xattr of 809 * a file. 810 * 811 * Context: called after a policy update and at system initialization. 812 */ 813 void ima_update_policy_flags(void) 814 { 815 struct ima_rule_entry *entry; 816 int new_policy_flag = 0; 817 struct list_head *ima_rules_tmp; 818 819 rcu_read_lock(); 820 ima_rules_tmp = rcu_dereference(ima_rules); 821 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 822 /* 823 * SETXATTR_CHECK rules do not implement a full policy check 824 * because rule checking would probably have an important 825 * performance impact on setxattr(). As a consequence, only one 826 * SETXATTR_CHECK can be active at a given time. 827 * Because we want to preserve that property, we set out to use 828 * atomic_cmpxchg. Either: 829 * - the atomic was non-zero: a setxattr hash policy is 830 * already enforced, we do nothing 831 * - the atomic was zero: no setxattr policy was set, enable 832 * the setxattr hash policy 833 */ 834 if (entry->func == SETXATTR_CHECK) { 835 atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms, 836 0, entry->allowed_algos); 837 /* SETXATTR_CHECK doesn't impact ima_policy_flag */ 838 continue; 839 } 840 841 if (entry->action & IMA_DO_MASK) 842 new_policy_flag |= entry->action; 843 } 844 rcu_read_unlock(); 845 846 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 847 if (!ima_appraise) 848 new_policy_flag &= ~IMA_APPRAISE; 849 850 ima_policy_flag = new_policy_flag; 851 } 852 853 static int ima_appraise_flag(enum ima_hooks func) 854 { 855 if (func == MODULE_CHECK) 856 return IMA_APPRAISE_MODULES; 857 else if (func == FIRMWARE_CHECK) 858 return IMA_APPRAISE_FIRMWARE; 859 else if (func == POLICY_CHECK) 860 return IMA_APPRAISE_POLICY; 861 else if (func == KEXEC_KERNEL_CHECK) 862 return IMA_APPRAISE_KEXEC; 863 return 0; 864 } 865 866 static void add_rules(struct ima_rule_entry *entries, int count, 867 enum policy_rule_list policy_rule) 868 { 869 int i = 0; 870 871 for (i = 0; i < count; i++) { 872 struct ima_rule_entry *entry; 873 874 if (policy_rule & IMA_DEFAULT_POLICY) 875 list_add_tail(&entries[i].list, &ima_default_rules); 876 877 if (policy_rule & IMA_CUSTOM_POLICY) { 878 entry = kmemdup(&entries[i], sizeof(*entry), 879 GFP_KERNEL); 880 if (!entry) 881 continue; 882 883 list_add_tail(&entry->list, &ima_policy_rules); 884 } 885 if (entries[i].action == APPRAISE) { 886 if (entries != build_appraise_rules) 887 temp_ima_appraise |= 888 ima_appraise_flag(entries[i].func); 889 else 890 build_ima_appraise |= 891 ima_appraise_flag(entries[i].func); 892 } 893 } 894 } 895 896 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 897 898 static int __init ima_init_arch_policy(void) 899 { 900 const char * const *arch_rules; 901 const char * const *rules; 902 int arch_entries = 0; 903 int i = 0; 904 905 arch_rules = arch_get_ima_policy(); 906 if (!arch_rules) 907 return arch_entries; 908 909 /* Get number of rules */ 910 for (rules = arch_rules; *rules != NULL; rules++) 911 arch_entries++; 912 913 arch_policy_entry = kcalloc(arch_entries + 1, 914 sizeof(*arch_policy_entry), GFP_KERNEL); 915 if (!arch_policy_entry) 916 return 0; 917 918 /* Convert each policy string rules to struct ima_rule_entry format */ 919 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 920 char rule[255]; 921 int result; 922 923 result = strscpy(rule, *rules, sizeof(rule)); 924 925 INIT_LIST_HEAD(&arch_policy_entry[i].list); 926 result = ima_parse_rule(rule, &arch_policy_entry[i]); 927 if (result) { 928 pr_warn("Skipping unknown architecture policy rule: %s\n", 929 rule); 930 memset(&arch_policy_entry[i], 0, 931 sizeof(*arch_policy_entry)); 932 continue; 933 } 934 i++; 935 } 936 return i; 937 } 938 939 /** 940 * ima_init_policy - initialize the default measure rules. 941 * 942 * ima_rules points to either the ima_default_rules or the new ima_policy_rules. 943 */ 944 void __init ima_init_policy(void) 945 { 946 int build_appraise_entries, arch_entries; 947 948 /* if !ima_policy, we load NO default rules */ 949 if (ima_policy) 950 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 951 IMA_DEFAULT_POLICY); 952 953 switch (ima_policy) { 954 case ORIGINAL_TCB: 955 add_rules(original_measurement_rules, 956 ARRAY_SIZE(original_measurement_rules), 957 IMA_DEFAULT_POLICY); 958 break; 959 case DEFAULT_TCB: 960 add_rules(default_measurement_rules, 961 ARRAY_SIZE(default_measurement_rules), 962 IMA_DEFAULT_POLICY); 963 break; 964 default: 965 break; 966 } 967 968 /* 969 * Based on runtime secure boot flags, insert arch specific measurement 970 * and appraise rules requiring file signatures for both the initial 971 * and custom policies, prior to other appraise rules. 972 * (Highest priority) 973 */ 974 arch_entries = ima_init_arch_policy(); 975 if (!arch_entries) 976 pr_info("No architecture policies found\n"); 977 else 978 add_rules(arch_policy_entry, arch_entries, 979 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 980 981 /* 982 * Insert the builtin "secure_boot" policy rules requiring file 983 * signatures, prior to other appraise rules. 984 */ 985 if (ima_use_secure_boot) 986 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 987 IMA_DEFAULT_POLICY); 988 989 /* 990 * Insert the build time appraise rules requiring file signatures 991 * for both the initial and custom policies, prior to other appraise 992 * rules. As the secure boot rules includes all of the build time 993 * rules, include either one or the other set of rules, but not both. 994 */ 995 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 996 if (build_appraise_entries) { 997 if (ima_use_secure_boot) 998 add_rules(build_appraise_rules, build_appraise_entries, 999 IMA_CUSTOM_POLICY); 1000 else 1001 add_rules(build_appraise_rules, build_appraise_entries, 1002 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 1003 } 1004 1005 if (ima_use_appraise_tcb) 1006 add_rules(default_appraise_rules, 1007 ARRAY_SIZE(default_appraise_rules), 1008 IMA_DEFAULT_POLICY); 1009 1010 if (ima_use_critical_data) 1011 add_rules(critical_data_rules, 1012 ARRAY_SIZE(critical_data_rules), 1013 IMA_DEFAULT_POLICY); 1014 1015 atomic_set(&ima_setxattr_allowed_hash_algorithms, 0); 1016 1017 ima_update_policy_flags(); 1018 } 1019 1020 /* Make sure we have a valid policy, at least containing some rules. */ 1021 int ima_check_policy(void) 1022 { 1023 if (list_empty(&ima_temp_rules)) 1024 return -EINVAL; 1025 return 0; 1026 } 1027 1028 /** 1029 * ima_update_policy - update default_rules with new measure rules 1030 * 1031 * Called on file .release to update the default rules with a complete new 1032 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 1033 * they make a queue. The policy may be updated multiple times and this is the 1034 * RCU updater. 1035 * 1036 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 1037 * we switch from the default policy to user defined. 1038 */ 1039 void ima_update_policy(void) 1040 { 1041 struct list_head *policy = &ima_policy_rules; 1042 1043 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 1044 1045 if (ima_rules != (struct list_head __rcu *)policy) { 1046 ima_policy_flag = 0; 1047 1048 rcu_assign_pointer(ima_rules, policy); 1049 /* 1050 * IMA architecture specific policy rules are specified 1051 * as strings and converted to an array of ima_entry_rules 1052 * on boot. After loading a custom policy, free the 1053 * architecture specific rules stored as an array. 1054 */ 1055 kfree(arch_policy_entry); 1056 } 1057 ima_update_policy_flags(); 1058 1059 /* Custom IMA policy has been loaded */ 1060 ima_process_queued_keys(); 1061 } 1062 1063 /* Keep the enumeration in sync with the policy_tokens! */ 1064 enum policy_opt { 1065 Opt_measure, Opt_dont_measure, 1066 Opt_appraise, Opt_dont_appraise, 1067 Opt_audit, Opt_hash, Opt_dont_hash, 1068 Opt_obj_user, Opt_obj_role, Opt_obj_type, 1069 Opt_subj_user, Opt_subj_role, Opt_subj_type, 1070 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid, 1071 Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq, 1072 Opt_fowner_eq, Opt_fgroup_eq, 1073 Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt, 1074 Opt_fowner_gt, Opt_fgroup_gt, 1075 Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt, 1076 Opt_fowner_lt, Opt_fgroup_lt, 1077 Opt_digest_type, 1078 Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, 1079 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 1080 Opt_label, Opt_err 1081 }; 1082 1083 static const match_table_t policy_tokens = { 1084 {Opt_measure, "measure"}, 1085 {Opt_dont_measure, "dont_measure"}, 1086 {Opt_appraise, "appraise"}, 1087 {Opt_dont_appraise, "dont_appraise"}, 1088 {Opt_audit, "audit"}, 1089 {Opt_hash, "hash"}, 1090 {Opt_dont_hash, "dont_hash"}, 1091 {Opt_obj_user, "obj_user=%s"}, 1092 {Opt_obj_role, "obj_role=%s"}, 1093 {Opt_obj_type, "obj_type=%s"}, 1094 {Opt_subj_user, "subj_user=%s"}, 1095 {Opt_subj_role, "subj_role=%s"}, 1096 {Opt_subj_type, "subj_type=%s"}, 1097 {Opt_func, "func=%s"}, 1098 {Opt_mask, "mask=%s"}, 1099 {Opt_fsmagic, "fsmagic=%s"}, 1100 {Opt_fsname, "fsname=%s"}, 1101 {Opt_fsuuid, "fsuuid=%s"}, 1102 {Opt_uid_eq, "uid=%s"}, 1103 {Opt_euid_eq, "euid=%s"}, 1104 {Opt_gid_eq, "gid=%s"}, 1105 {Opt_egid_eq, "egid=%s"}, 1106 {Opt_fowner_eq, "fowner=%s"}, 1107 {Opt_fgroup_eq, "fgroup=%s"}, 1108 {Opt_uid_gt, "uid>%s"}, 1109 {Opt_euid_gt, "euid>%s"}, 1110 {Opt_gid_gt, "gid>%s"}, 1111 {Opt_egid_gt, "egid>%s"}, 1112 {Opt_fowner_gt, "fowner>%s"}, 1113 {Opt_fgroup_gt, "fgroup>%s"}, 1114 {Opt_uid_lt, "uid<%s"}, 1115 {Opt_euid_lt, "euid<%s"}, 1116 {Opt_gid_lt, "gid<%s"}, 1117 {Opt_egid_lt, "egid<%s"}, 1118 {Opt_fowner_lt, "fowner<%s"}, 1119 {Opt_fgroup_lt, "fgroup<%s"}, 1120 {Opt_digest_type, "digest_type=%s"}, 1121 {Opt_appraise_type, "appraise_type=%s"}, 1122 {Opt_appraise_flag, "appraise_flag=%s"}, 1123 {Opt_appraise_algos, "appraise_algos=%s"}, 1124 {Opt_permit_directio, "permit_directio"}, 1125 {Opt_pcr, "pcr=%s"}, 1126 {Opt_template, "template=%s"}, 1127 {Opt_keyrings, "keyrings=%s"}, 1128 {Opt_label, "label=%s"}, 1129 {Opt_err, NULL} 1130 }; 1131 1132 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 1133 substring_t *args, int lsm_rule, int audit_type) 1134 { 1135 int result; 1136 1137 if (entry->lsm[lsm_rule].rule) 1138 return -EINVAL; 1139 1140 entry->lsm[lsm_rule].args_p = match_strdup(args); 1141 if (!entry->lsm[lsm_rule].args_p) 1142 return -ENOMEM; 1143 1144 entry->lsm[lsm_rule].type = audit_type; 1145 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1146 entry->lsm[lsm_rule].args_p, 1147 &entry->lsm[lsm_rule].rule, 1148 GFP_KERNEL); 1149 if (!entry->lsm[lsm_rule].rule) { 1150 pr_warn("rule for LSM \'%s\' is undefined\n", 1151 entry->lsm[lsm_rule].args_p); 1152 1153 if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) { 1154 kfree(entry->lsm[lsm_rule].args_p); 1155 entry->lsm[lsm_rule].args_p = NULL; 1156 result = -EINVAL; 1157 } else 1158 result = 0; 1159 } 1160 1161 return result; 1162 } 1163 1164 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1165 enum policy_opt rule_operator) 1166 { 1167 if (!ab) 1168 return; 1169 1170 switch (rule_operator) { 1171 case Opt_uid_gt: 1172 case Opt_euid_gt: 1173 case Opt_gid_gt: 1174 case Opt_egid_gt: 1175 case Opt_fowner_gt: 1176 case Opt_fgroup_gt: 1177 audit_log_format(ab, "%s>", key); 1178 break; 1179 case Opt_uid_lt: 1180 case Opt_euid_lt: 1181 case Opt_gid_lt: 1182 case Opt_egid_lt: 1183 case Opt_fowner_lt: 1184 case Opt_fgroup_lt: 1185 audit_log_format(ab, "%s<", key); 1186 break; 1187 default: 1188 audit_log_format(ab, "%s=", key); 1189 } 1190 audit_log_format(ab, "%s ", value); 1191 } 1192 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1193 { 1194 ima_log_string_op(ab, key, value, Opt_err); 1195 } 1196 1197 /* 1198 * Validating the appended signature included in the measurement list requires 1199 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1200 * field). Therefore, notify the user if they have the 'modsig' field but not 1201 * the 'd-modsig' field in the template. 1202 */ 1203 static void check_template_modsig(const struct ima_template_desc *template) 1204 { 1205 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1206 bool has_modsig, has_dmodsig; 1207 static bool checked; 1208 int i; 1209 1210 /* We only need to notify the user once. */ 1211 if (checked) 1212 return; 1213 1214 has_modsig = has_dmodsig = false; 1215 for (i = 0; i < template->num_fields; i++) { 1216 if (!strcmp(template->fields[i]->field_id, "modsig")) 1217 has_modsig = true; 1218 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1219 has_dmodsig = true; 1220 } 1221 1222 if (has_modsig && !has_dmodsig) 1223 pr_notice(MSG); 1224 1225 checked = true; 1226 #undef MSG 1227 } 1228 1229 /* 1230 * Warn if the template does not contain the given field. 1231 */ 1232 static void check_template_field(const struct ima_template_desc *template, 1233 const char *field, const char *msg) 1234 { 1235 int i; 1236 1237 for (i = 0; i < template->num_fields; i++) 1238 if (!strcmp(template->fields[i]->field_id, field)) 1239 return; 1240 1241 pr_notice_once("%s", msg); 1242 } 1243 1244 static bool ima_validate_rule(struct ima_rule_entry *entry) 1245 { 1246 /* Ensure that the action is set and is compatible with the flags */ 1247 if (entry->action == UNKNOWN) 1248 return false; 1249 1250 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1251 return false; 1252 1253 if (entry->action != APPRAISE && 1254 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 1255 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1256 return false; 1257 1258 /* 1259 * The IMA_FUNC bit must be set if and only if there's a valid hook 1260 * function specified, and vice versa. Enforcing this property allows 1261 * for the NONE case below to validate a rule without an explicit hook 1262 * function. 1263 */ 1264 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1265 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1266 return false; 1267 1268 /* 1269 * Ensure that the hook function is compatible with the other 1270 * components of the rule 1271 */ 1272 switch (entry->func) { 1273 case NONE: 1274 case FILE_CHECK: 1275 case MMAP_CHECK: 1276 case MMAP_CHECK_REQPROT: 1277 case BPRM_CHECK: 1278 case CREDS_CHECK: 1279 case POST_SETATTR: 1280 case FIRMWARE_CHECK: 1281 case POLICY_CHECK: 1282 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1283 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1284 IMA_INMASK | IMA_EUID | IMA_PCR | 1285 IMA_FSNAME | IMA_GID | IMA_EGID | 1286 IMA_FGROUP | IMA_DIGSIG_REQUIRED | 1287 IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | 1288 IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED)) 1289 return false; 1290 1291 break; 1292 case MODULE_CHECK: 1293 case KEXEC_KERNEL_CHECK: 1294 case KEXEC_INITRAMFS_CHECK: 1295 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1296 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1297 IMA_INMASK | IMA_EUID | IMA_PCR | 1298 IMA_FSNAME | IMA_GID | IMA_EGID | 1299 IMA_FGROUP | IMA_DIGSIG_REQUIRED | 1300 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1301 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1302 return false; 1303 1304 break; 1305 case KEXEC_CMDLINE: 1306 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1307 return false; 1308 1309 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1310 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1311 IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID | 1312 IMA_FGROUP)) 1313 return false; 1314 1315 break; 1316 case KEY_CHECK: 1317 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1318 return false; 1319 1320 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | 1321 IMA_KEYRINGS)) 1322 return false; 1323 1324 if (ima_rule_contains_lsm_cond(entry)) 1325 return false; 1326 1327 break; 1328 case CRITICAL_DATA: 1329 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1330 return false; 1331 1332 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | 1333 IMA_LABEL)) 1334 return false; 1335 1336 if (ima_rule_contains_lsm_cond(entry)) 1337 return false; 1338 1339 break; 1340 case SETXATTR_CHECK: 1341 /* any action other than APPRAISE is unsupported */ 1342 if (entry->action != APPRAISE) 1343 return false; 1344 1345 /* SETXATTR_CHECK requires an appraise_algos parameter */ 1346 if (!(entry->flags & IMA_VALIDATE_ALGOS)) 1347 return false; 1348 1349 /* 1350 * full policies are not supported, they would have too 1351 * much of a performance impact 1352 */ 1353 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) 1354 return false; 1355 1356 break; 1357 default: 1358 return false; 1359 } 1360 1361 /* Ensure that combinations of flags are compatible with each other */ 1362 if (entry->flags & IMA_CHECK_BLACKLIST && 1363 !(entry->flags & IMA_DIGSIG_REQUIRED)) 1364 return false; 1365 1366 /* 1367 * Unlike for regular IMA 'appraise' policy rules where security.ima 1368 * xattr may contain either a file hash or signature, the security.ima 1369 * xattr for fsverity must contain a file signature (sigv3). Ensure 1370 * that 'appraise' rules for fsverity require file signatures by 1371 * checking the IMA_DIGSIG_REQUIRED flag is set. 1372 */ 1373 if (entry->action == APPRAISE && 1374 (entry->flags & IMA_VERITY_REQUIRED) && 1375 !(entry->flags & IMA_DIGSIG_REQUIRED)) 1376 return false; 1377 1378 return true; 1379 } 1380 1381 static unsigned int ima_parse_appraise_algos(char *arg) 1382 { 1383 unsigned int res = 0; 1384 int idx; 1385 char *token; 1386 1387 while ((token = strsep(&arg, ",")) != NULL) { 1388 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); 1389 1390 if (idx < 0) { 1391 pr_err("unknown hash algorithm \"%s\"", 1392 token); 1393 return 0; 1394 } 1395 1396 if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) { 1397 pr_err("unavailable hash algorithm \"%s\", check your kernel configuration", 1398 token); 1399 return 0; 1400 } 1401 1402 /* Add the hash algorithm to the 'allowed' bitfield */ 1403 res |= (1U << idx); 1404 } 1405 1406 return res; 1407 } 1408 1409 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1410 { 1411 struct audit_buffer *ab; 1412 char *from; 1413 char *p; 1414 bool eid_token; /* either euid or egid */ 1415 struct ima_template_desc *template_desc; 1416 int result = 0; 1417 1418 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1419 AUDIT_INTEGRITY_POLICY_RULE); 1420 1421 entry->uid = INVALID_UID; 1422 entry->gid = INVALID_GID; 1423 entry->fowner = INVALID_UID; 1424 entry->fgroup = INVALID_GID; 1425 entry->uid_op = &uid_eq; 1426 entry->gid_op = &gid_eq; 1427 entry->fowner_op = &vfsuid_eq_kuid; 1428 entry->fgroup_op = &vfsgid_eq_kgid; 1429 entry->action = UNKNOWN; 1430 while ((p = strsep(&rule, " \t")) != NULL) { 1431 substring_t args[MAX_OPT_ARGS]; 1432 int token; 1433 unsigned long lnum; 1434 1435 if (result < 0 || *p == '#') /* ignore suffixed comment */ 1436 break; 1437 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1438 continue; 1439 token = match_token(p, policy_tokens, args); 1440 switch (token) { 1441 case Opt_measure: 1442 ima_log_string(ab, "action", "measure"); 1443 1444 if (entry->action != UNKNOWN) 1445 result = -EINVAL; 1446 1447 entry->action = MEASURE; 1448 break; 1449 case Opt_dont_measure: 1450 ima_log_string(ab, "action", "dont_measure"); 1451 1452 if (entry->action != UNKNOWN) 1453 result = -EINVAL; 1454 1455 entry->action = DONT_MEASURE; 1456 break; 1457 case Opt_appraise: 1458 ima_log_string(ab, "action", "appraise"); 1459 1460 if (entry->action != UNKNOWN) 1461 result = -EINVAL; 1462 1463 entry->action = APPRAISE; 1464 break; 1465 case Opt_dont_appraise: 1466 ima_log_string(ab, "action", "dont_appraise"); 1467 1468 if (entry->action != UNKNOWN) 1469 result = -EINVAL; 1470 1471 entry->action = DONT_APPRAISE; 1472 break; 1473 case Opt_audit: 1474 ima_log_string(ab, "action", "audit"); 1475 1476 if (entry->action != UNKNOWN) 1477 result = -EINVAL; 1478 1479 entry->action = AUDIT; 1480 break; 1481 case Opt_hash: 1482 ima_log_string(ab, "action", "hash"); 1483 1484 if (entry->action != UNKNOWN) 1485 result = -EINVAL; 1486 1487 entry->action = HASH; 1488 break; 1489 case Opt_dont_hash: 1490 ima_log_string(ab, "action", "dont_hash"); 1491 1492 if (entry->action != UNKNOWN) 1493 result = -EINVAL; 1494 1495 entry->action = DONT_HASH; 1496 break; 1497 case Opt_func: 1498 ima_log_string(ab, "func", args[0].from); 1499 1500 if (entry->func) 1501 result = -EINVAL; 1502 1503 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1504 entry->func = FILE_CHECK; 1505 /* PATH_CHECK is for backwards compat */ 1506 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1507 entry->func = FILE_CHECK; 1508 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1509 entry->func = MODULE_CHECK; 1510 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1511 entry->func = FIRMWARE_CHECK; 1512 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1513 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1514 entry->func = MMAP_CHECK; 1515 else if ((strcmp(args[0].from, "MMAP_CHECK_REQPROT") == 0)) 1516 entry->func = MMAP_CHECK_REQPROT; 1517 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1518 entry->func = BPRM_CHECK; 1519 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1520 entry->func = CREDS_CHECK; 1521 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1522 0) 1523 entry->func = KEXEC_KERNEL_CHECK; 1524 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1525 == 0) 1526 entry->func = KEXEC_INITRAMFS_CHECK; 1527 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1528 entry->func = POLICY_CHECK; 1529 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1530 entry->func = KEXEC_CMDLINE; 1531 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1532 strcmp(args[0].from, "KEY_CHECK") == 0) 1533 entry->func = KEY_CHECK; 1534 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1535 entry->func = CRITICAL_DATA; 1536 else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0) 1537 entry->func = SETXATTR_CHECK; 1538 else 1539 result = -EINVAL; 1540 if (!result) 1541 entry->flags |= IMA_FUNC; 1542 break; 1543 case Opt_mask: 1544 ima_log_string(ab, "mask", args[0].from); 1545 1546 if (entry->mask) 1547 result = -EINVAL; 1548 1549 from = args[0].from; 1550 if (*from == '^') 1551 from++; 1552 1553 if ((strcmp(from, "MAY_EXEC")) == 0) 1554 entry->mask = MAY_EXEC; 1555 else if (strcmp(from, "MAY_WRITE") == 0) 1556 entry->mask = MAY_WRITE; 1557 else if (strcmp(from, "MAY_READ") == 0) 1558 entry->mask = MAY_READ; 1559 else if (strcmp(from, "MAY_APPEND") == 0) 1560 entry->mask = MAY_APPEND; 1561 else 1562 result = -EINVAL; 1563 if (!result) 1564 entry->flags |= (*args[0].from == '^') 1565 ? IMA_INMASK : IMA_MASK; 1566 break; 1567 case Opt_fsmagic: 1568 ima_log_string(ab, "fsmagic", args[0].from); 1569 1570 if (entry->fsmagic) { 1571 result = -EINVAL; 1572 break; 1573 } 1574 1575 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1576 if (!result) 1577 entry->flags |= IMA_FSMAGIC; 1578 break; 1579 case Opt_fsname: 1580 ima_log_string(ab, "fsname", args[0].from); 1581 1582 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1583 if (!entry->fsname) { 1584 result = -ENOMEM; 1585 break; 1586 } 1587 result = 0; 1588 entry->flags |= IMA_FSNAME; 1589 break; 1590 case Opt_keyrings: 1591 ima_log_string(ab, "keyrings", args[0].from); 1592 1593 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1594 entry->keyrings) { 1595 result = -EINVAL; 1596 break; 1597 } 1598 1599 entry->keyrings = ima_alloc_rule_opt_list(args); 1600 if (IS_ERR(entry->keyrings)) { 1601 result = PTR_ERR(entry->keyrings); 1602 entry->keyrings = NULL; 1603 break; 1604 } 1605 1606 entry->flags |= IMA_KEYRINGS; 1607 break; 1608 case Opt_label: 1609 ima_log_string(ab, "label", args[0].from); 1610 1611 if (entry->label) { 1612 result = -EINVAL; 1613 break; 1614 } 1615 1616 entry->label = ima_alloc_rule_opt_list(args); 1617 if (IS_ERR(entry->label)) { 1618 result = PTR_ERR(entry->label); 1619 entry->label = NULL; 1620 break; 1621 } 1622 1623 entry->flags |= IMA_LABEL; 1624 break; 1625 case Opt_fsuuid: 1626 ima_log_string(ab, "fsuuid", args[0].from); 1627 1628 if (!uuid_is_null(&entry->fsuuid)) { 1629 result = -EINVAL; 1630 break; 1631 } 1632 1633 result = uuid_parse(args[0].from, &entry->fsuuid); 1634 if (!result) 1635 entry->flags |= IMA_FSUUID; 1636 break; 1637 case Opt_uid_gt: 1638 case Opt_euid_gt: 1639 entry->uid_op = &uid_gt; 1640 fallthrough; 1641 case Opt_uid_lt: 1642 case Opt_euid_lt: 1643 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1644 entry->uid_op = &uid_lt; 1645 fallthrough; 1646 case Opt_uid_eq: 1647 case Opt_euid_eq: 1648 eid_token = (token == Opt_euid_eq) || 1649 (token == Opt_euid_gt) || 1650 (token == Opt_euid_lt); 1651 1652 ima_log_string_op(ab, eid_token ? "euid" : "uid", 1653 args[0].from, token); 1654 1655 if (uid_valid(entry->uid)) { 1656 result = -EINVAL; 1657 break; 1658 } 1659 1660 result = kstrtoul(args[0].from, 10, &lnum); 1661 if (!result) { 1662 entry->uid = make_kuid(current_user_ns(), 1663 (uid_t) lnum); 1664 if (!uid_valid(entry->uid) || 1665 (uid_t)lnum != lnum) 1666 result = -EINVAL; 1667 else 1668 entry->flags |= eid_token 1669 ? IMA_EUID : IMA_UID; 1670 } 1671 break; 1672 case Opt_gid_gt: 1673 case Opt_egid_gt: 1674 entry->gid_op = &gid_gt; 1675 fallthrough; 1676 case Opt_gid_lt: 1677 case Opt_egid_lt: 1678 if ((token == Opt_gid_lt) || (token == Opt_egid_lt)) 1679 entry->gid_op = &gid_lt; 1680 fallthrough; 1681 case Opt_gid_eq: 1682 case Opt_egid_eq: 1683 eid_token = (token == Opt_egid_eq) || 1684 (token == Opt_egid_gt) || 1685 (token == Opt_egid_lt); 1686 1687 ima_log_string_op(ab, eid_token ? "egid" : "gid", 1688 args[0].from, token); 1689 1690 if (gid_valid(entry->gid)) { 1691 result = -EINVAL; 1692 break; 1693 } 1694 1695 result = kstrtoul(args[0].from, 10, &lnum); 1696 if (!result) { 1697 entry->gid = make_kgid(current_user_ns(), 1698 (gid_t)lnum); 1699 if (!gid_valid(entry->gid) || 1700 (((gid_t)lnum) != lnum)) 1701 result = -EINVAL; 1702 else 1703 entry->flags |= eid_token 1704 ? IMA_EGID : IMA_GID; 1705 } 1706 break; 1707 case Opt_fowner_gt: 1708 entry->fowner_op = &vfsuid_gt_kuid; 1709 fallthrough; 1710 case Opt_fowner_lt: 1711 if (token == Opt_fowner_lt) 1712 entry->fowner_op = &vfsuid_lt_kuid; 1713 fallthrough; 1714 case Opt_fowner_eq: 1715 ima_log_string_op(ab, "fowner", args[0].from, token); 1716 1717 if (uid_valid(entry->fowner)) { 1718 result = -EINVAL; 1719 break; 1720 } 1721 1722 result = kstrtoul(args[0].from, 10, &lnum); 1723 if (!result) { 1724 entry->fowner = make_kuid(current_user_ns(), 1725 (uid_t)lnum); 1726 if (!uid_valid(entry->fowner) || 1727 (((uid_t)lnum) != lnum)) 1728 result = -EINVAL; 1729 else 1730 entry->flags |= IMA_FOWNER; 1731 } 1732 break; 1733 case Opt_fgroup_gt: 1734 entry->fgroup_op = &vfsgid_gt_kgid; 1735 fallthrough; 1736 case Opt_fgroup_lt: 1737 if (token == Opt_fgroup_lt) 1738 entry->fgroup_op = &vfsgid_lt_kgid; 1739 fallthrough; 1740 case Opt_fgroup_eq: 1741 ima_log_string_op(ab, "fgroup", args[0].from, token); 1742 1743 if (gid_valid(entry->fgroup)) { 1744 result = -EINVAL; 1745 break; 1746 } 1747 1748 result = kstrtoul(args[0].from, 10, &lnum); 1749 if (!result) { 1750 entry->fgroup = make_kgid(current_user_ns(), 1751 (gid_t)lnum); 1752 if (!gid_valid(entry->fgroup) || 1753 (((gid_t)lnum) != lnum)) 1754 result = -EINVAL; 1755 else 1756 entry->flags |= IMA_FGROUP; 1757 } 1758 break; 1759 case Opt_obj_user: 1760 ima_log_string(ab, "obj_user", args[0].from); 1761 result = ima_lsm_rule_init(entry, args, 1762 LSM_OBJ_USER, 1763 AUDIT_OBJ_USER); 1764 break; 1765 case Opt_obj_role: 1766 ima_log_string(ab, "obj_role", args[0].from); 1767 result = ima_lsm_rule_init(entry, args, 1768 LSM_OBJ_ROLE, 1769 AUDIT_OBJ_ROLE); 1770 break; 1771 case Opt_obj_type: 1772 ima_log_string(ab, "obj_type", args[0].from); 1773 result = ima_lsm_rule_init(entry, args, 1774 LSM_OBJ_TYPE, 1775 AUDIT_OBJ_TYPE); 1776 break; 1777 case Opt_subj_user: 1778 ima_log_string(ab, "subj_user", args[0].from); 1779 result = ima_lsm_rule_init(entry, args, 1780 LSM_SUBJ_USER, 1781 AUDIT_SUBJ_USER); 1782 break; 1783 case Opt_subj_role: 1784 ima_log_string(ab, "subj_role", args[0].from); 1785 result = ima_lsm_rule_init(entry, args, 1786 LSM_SUBJ_ROLE, 1787 AUDIT_SUBJ_ROLE); 1788 break; 1789 case Opt_subj_type: 1790 ima_log_string(ab, "subj_type", args[0].from); 1791 result = ima_lsm_rule_init(entry, args, 1792 LSM_SUBJ_TYPE, 1793 AUDIT_SUBJ_TYPE); 1794 break; 1795 case Opt_digest_type: 1796 ima_log_string(ab, "digest_type", args[0].from); 1797 if (entry->flags & IMA_DIGSIG_REQUIRED) 1798 result = -EINVAL; 1799 else if ((strcmp(args[0].from, "verity")) == 0) 1800 entry->flags |= IMA_VERITY_REQUIRED; 1801 else 1802 result = -EINVAL; 1803 break; 1804 case Opt_appraise_type: 1805 ima_log_string(ab, "appraise_type", args[0].from); 1806 1807 if ((strcmp(args[0].from, "imasig")) == 0) { 1808 if (entry->flags & IMA_VERITY_REQUIRED) 1809 result = -EINVAL; 1810 else 1811 entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; 1812 } else if (strcmp(args[0].from, "sigv3") == 0) { 1813 /* Only fsverity supports sigv3 for now */ 1814 if (entry->flags & IMA_VERITY_REQUIRED) 1815 entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; 1816 else 1817 result = -EINVAL; 1818 } else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1819 strcmp(args[0].from, "imasig|modsig") == 0) { 1820 if (entry->flags & IMA_VERITY_REQUIRED) 1821 result = -EINVAL; 1822 else 1823 entry->flags |= IMA_DIGSIG_REQUIRED | 1824 IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST; 1825 } else { 1826 result = -EINVAL; 1827 } 1828 break; 1829 case Opt_appraise_flag: 1830 ima_log_string(ab, "appraise_flag", args[0].from); 1831 break; 1832 case Opt_appraise_algos: 1833 ima_log_string(ab, "appraise_algos", args[0].from); 1834 1835 if (entry->allowed_algos) { 1836 result = -EINVAL; 1837 break; 1838 } 1839 1840 entry->allowed_algos = 1841 ima_parse_appraise_algos(args[0].from); 1842 /* invalid or empty list of algorithms */ 1843 if (!entry->allowed_algos) { 1844 result = -EINVAL; 1845 break; 1846 } 1847 1848 entry->flags |= IMA_VALIDATE_ALGOS; 1849 1850 break; 1851 case Opt_permit_directio: 1852 entry->flags |= IMA_PERMIT_DIRECTIO; 1853 break; 1854 case Opt_pcr: 1855 ima_log_string(ab, "pcr", args[0].from); 1856 1857 result = kstrtoint(args[0].from, 10, &entry->pcr); 1858 if (result || INVALID_PCR(entry->pcr)) 1859 result = -EINVAL; 1860 else 1861 entry->flags |= IMA_PCR; 1862 1863 break; 1864 case Opt_template: 1865 ima_log_string(ab, "template", args[0].from); 1866 if (entry->action != MEASURE) { 1867 result = -EINVAL; 1868 break; 1869 } 1870 template_desc = lookup_template_desc(args[0].from); 1871 if (!template_desc || entry->template) { 1872 result = -EINVAL; 1873 break; 1874 } 1875 1876 /* 1877 * template_desc_init_fields() does nothing if 1878 * the template is already initialised, so 1879 * it's safe to do this unconditionally 1880 */ 1881 template_desc_init_fields(template_desc->fmt, 1882 &(template_desc->fields), 1883 &(template_desc->num_fields)); 1884 entry->template = template_desc; 1885 break; 1886 case Opt_err: 1887 ima_log_string(ab, "UNKNOWN", p); 1888 result = -EINVAL; 1889 break; 1890 } 1891 } 1892 if (!result && !ima_validate_rule(entry)) 1893 result = -EINVAL; 1894 else if (entry->action == APPRAISE) 1895 temp_ima_appraise |= ima_appraise_flag(entry->func); 1896 1897 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1898 template_desc = entry->template ? entry->template : 1899 ima_template_desc_current(); 1900 check_template_modsig(template_desc); 1901 } 1902 1903 /* d-ngv2 template field recommended for unsigned fs-verity digests */ 1904 if (!result && entry->action == MEASURE && 1905 entry->flags & IMA_VERITY_REQUIRED) { 1906 template_desc = entry->template ? entry->template : 1907 ima_template_desc_current(); 1908 check_template_field(template_desc, "d-ngv2", 1909 "verity rules should include d-ngv2"); 1910 } 1911 1912 audit_log_format(ab, "res=%d", !result); 1913 audit_log_end(ab); 1914 return result; 1915 } 1916 1917 /** 1918 * ima_parse_add_rule - add a rule to ima_policy_rules 1919 * @rule: ima measurement policy rule 1920 * 1921 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1922 * Returns the length of the rule parsed, an error code on failure 1923 */ 1924 ssize_t ima_parse_add_rule(char *rule) 1925 { 1926 static const char op[] = "update_policy"; 1927 char *p; 1928 struct ima_rule_entry *entry; 1929 ssize_t result, len; 1930 int audit_info = 0; 1931 1932 p = strsep(&rule, "\n"); 1933 len = strlen(p) + 1; 1934 p += strspn(p, " \t"); 1935 1936 if (*p == '#' || *p == '\0') 1937 return len; 1938 1939 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1940 if (!entry) { 1941 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1942 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1943 return -ENOMEM; 1944 } 1945 1946 INIT_LIST_HEAD(&entry->list); 1947 1948 result = ima_parse_rule(p, entry); 1949 if (result) { 1950 ima_free_rule(entry); 1951 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1952 NULL, op, "invalid-policy", result, 1953 audit_info); 1954 return result; 1955 } 1956 1957 list_add_tail(&entry->list, &ima_temp_rules); 1958 1959 return len; 1960 } 1961 1962 /** 1963 * ima_delete_rules() - called to cleanup invalid in-flight policy. 1964 * 1965 * We don't need locking as we operate on the temp list, which is 1966 * different from the active one. There is also only one user of 1967 * ima_delete_rules() at a time. 1968 */ 1969 void ima_delete_rules(void) 1970 { 1971 struct ima_rule_entry *entry, *tmp; 1972 1973 temp_ima_appraise = 0; 1974 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1975 list_del(&entry->list); 1976 ima_free_rule(entry); 1977 } 1978 } 1979 1980 #define __ima_hook_stringify(func, str) (#func), 1981 1982 const char *const func_tokens[] = { 1983 __ima_hooks(__ima_hook_stringify) 1984 }; 1985 1986 #ifdef CONFIG_IMA_READ_POLICY 1987 enum { 1988 mask_exec = 0, mask_write, mask_read, mask_append 1989 }; 1990 1991 static const char *const mask_tokens[] = { 1992 "^MAY_EXEC", 1993 "^MAY_WRITE", 1994 "^MAY_READ", 1995 "^MAY_APPEND" 1996 }; 1997 1998 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1999 { 2000 loff_t l = *pos; 2001 struct ima_rule_entry *entry; 2002 struct list_head *ima_rules_tmp; 2003 2004 rcu_read_lock(); 2005 ima_rules_tmp = rcu_dereference(ima_rules); 2006 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 2007 if (!l--) { 2008 rcu_read_unlock(); 2009 return entry; 2010 } 2011 } 2012 rcu_read_unlock(); 2013 return NULL; 2014 } 2015 2016 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 2017 { 2018 struct ima_rule_entry *entry = v; 2019 2020 rcu_read_lock(); 2021 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 2022 rcu_read_unlock(); 2023 (*pos)++; 2024 2025 return (&entry->list == &ima_default_rules || 2026 &entry->list == &ima_policy_rules) ? NULL : entry; 2027 } 2028 2029 void ima_policy_stop(struct seq_file *m, void *v) 2030 { 2031 } 2032 2033 #define pt(token) policy_tokens[token].pattern 2034 #define mt(token) mask_tokens[token] 2035 2036 /* 2037 * policy_func_show - display the ima_hooks policy rule 2038 */ 2039 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 2040 { 2041 if (func > 0 && func < MAX_CHECK) 2042 seq_printf(m, "func=%s ", func_tokens[func]); 2043 else 2044 seq_printf(m, "func=%d ", func); 2045 } 2046 2047 static void ima_show_rule_opt_list(struct seq_file *m, 2048 const struct ima_rule_opt_list *opt_list) 2049 { 2050 size_t i; 2051 2052 for (i = 0; i < opt_list->count; i++) 2053 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 2054 } 2055 2056 static void ima_policy_show_appraise_algos(struct seq_file *m, 2057 unsigned int allowed_hashes) 2058 { 2059 int idx, list_size = 0; 2060 2061 for (idx = 0; idx < HASH_ALGO__LAST; idx++) { 2062 if (!(allowed_hashes & (1U << idx))) 2063 continue; 2064 2065 /* only add commas if the list contains multiple entries */ 2066 if (list_size++) 2067 seq_puts(m, ","); 2068 2069 seq_puts(m, hash_algo_name[idx]); 2070 } 2071 } 2072 2073 int ima_policy_show(struct seq_file *m, void *v) 2074 { 2075 struct ima_rule_entry *entry = v; 2076 int i; 2077 char tbuf[64] = {0,}; 2078 int offset = 0; 2079 2080 rcu_read_lock(); 2081 2082 /* Do not print rules with inactive LSM labels */ 2083 for (i = 0; i < MAX_LSM_RULES; i++) { 2084 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { 2085 rcu_read_unlock(); 2086 return 0; 2087 } 2088 } 2089 2090 if (entry->action & MEASURE) 2091 seq_puts(m, pt(Opt_measure)); 2092 if (entry->action & DONT_MEASURE) 2093 seq_puts(m, pt(Opt_dont_measure)); 2094 if (entry->action & APPRAISE) 2095 seq_puts(m, pt(Opt_appraise)); 2096 if (entry->action & DONT_APPRAISE) 2097 seq_puts(m, pt(Opt_dont_appraise)); 2098 if (entry->action & AUDIT) 2099 seq_puts(m, pt(Opt_audit)); 2100 if (entry->action & HASH) 2101 seq_puts(m, pt(Opt_hash)); 2102 if (entry->action & DONT_HASH) 2103 seq_puts(m, pt(Opt_dont_hash)); 2104 2105 seq_puts(m, " "); 2106 2107 if (entry->flags & IMA_FUNC) 2108 policy_func_show(m, entry->func); 2109 2110 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 2111 if (entry->flags & IMA_MASK) 2112 offset = 1; 2113 if (entry->mask & MAY_EXEC) 2114 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 2115 if (entry->mask & MAY_WRITE) 2116 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 2117 if (entry->mask & MAY_READ) 2118 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 2119 if (entry->mask & MAY_APPEND) 2120 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 2121 seq_puts(m, " "); 2122 } 2123 2124 if (entry->flags & IMA_FSMAGIC) { 2125 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 2126 seq_printf(m, pt(Opt_fsmagic), tbuf); 2127 seq_puts(m, " "); 2128 } 2129 2130 if (entry->flags & IMA_FSNAME) { 2131 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 2132 seq_printf(m, pt(Opt_fsname), tbuf); 2133 seq_puts(m, " "); 2134 } 2135 2136 if (entry->flags & IMA_KEYRINGS) { 2137 seq_puts(m, "keyrings="); 2138 ima_show_rule_opt_list(m, entry->keyrings); 2139 seq_puts(m, " "); 2140 } 2141 2142 if (entry->flags & IMA_LABEL) { 2143 seq_puts(m, "label="); 2144 ima_show_rule_opt_list(m, entry->label); 2145 seq_puts(m, " "); 2146 } 2147 2148 if (entry->flags & IMA_PCR) { 2149 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 2150 seq_printf(m, pt(Opt_pcr), tbuf); 2151 seq_puts(m, " "); 2152 } 2153 2154 if (entry->flags & IMA_FSUUID) { 2155 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 2156 seq_puts(m, " "); 2157 } 2158 2159 if (entry->flags & IMA_UID) { 2160 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 2161 if (entry->uid_op == &uid_gt) 2162 seq_printf(m, pt(Opt_uid_gt), tbuf); 2163 else if (entry->uid_op == &uid_lt) 2164 seq_printf(m, pt(Opt_uid_lt), tbuf); 2165 else 2166 seq_printf(m, pt(Opt_uid_eq), tbuf); 2167 seq_puts(m, " "); 2168 } 2169 2170 if (entry->flags & IMA_EUID) { 2171 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 2172 if (entry->uid_op == &uid_gt) 2173 seq_printf(m, pt(Opt_euid_gt), tbuf); 2174 else if (entry->uid_op == &uid_lt) 2175 seq_printf(m, pt(Opt_euid_lt), tbuf); 2176 else 2177 seq_printf(m, pt(Opt_euid_eq), tbuf); 2178 seq_puts(m, " "); 2179 } 2180 2181 if (entry->flags & IMA_GID) { 2182 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); 2183 if (entry->gid_op == &gid_gt) 2184 seq_printf(m, pt(Opt_gid_gt), tbuf); 2185 else if (entry->gid_op == &gid_lt) 2186 seq_printf(m, pt(Opt_gid_lt), tbuf); 2187 else 2188 seq_printf(m, pt(Opt_gid_eq), tbuf); 2189 seq_puts(m, " "); 2190 } 2191 2192 if (entry->flags & IMA_EGID) { 2193 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); 2194 if (entry->gid_op == &gid_gt) 2195 seq_printf(m, pt(Opt_egid_gt), tbuf); 2196 else if (entry->gid_op == &gid_lt) 2197 seq_printf(m, pt(Opt_egid_lt), tbuf); 2198 else 2199 seq_printf(m, pt(Opt_egid_eq), tbuf); 2200 seq_puts(m, " "); 2201 } 2202 2203 if (entry->flags & IMA_FOWNER) { 2204 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 2205 if (entry->fowner_op == &vfsuid_gt_kuid) 2206 seq_printf(m, pt(Opt_fowner_gt), tbuf); 2207 else if (entry->fowner_op == &vfsuid_lt_kuid) 2208 seq_printf(m, pt(Opt_fowner_lt), tbuf); 2209 else 2210 seq_printf(m, pt(Opt_fowner_eq), tbuf); 2211 seq_puts(m, " "); 2212 } 2213 2214 if (entry->flags & IMA_FGROUP) { 2215 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); 2216 if (entry->fgroup_op == &vfsgid_gt_kgid) 2217 seq_printf(m, pt(Opt_fgroup_gt), tbuf); 2218 else if (entry->fgroup_op == &vfsgid_lt_kgid) 2219 seq_printf(m, pt(Opt_fgroup_lt), tbuf); 2220 else 2221 seq_printf(m, pt(Opt_fgroup_eq), tbuf); 2222 seq_puts(m, " "); 2223 } 2224 2225 if (entry->flags & IMA_VALIDATE_ALGOS) { 2226 seq_puts(m, "appraise_algos="); 2227 ima_policy_show_appraise_algos(m, entry->allowed_algos); 2228 seq_puts(m, " "); 2229 } 2230 2231 for (i = 0; i < MAX_LSM_RULES; i++) { 2232 if (entry->lsm[i].rule) { 2233 switch (i) { 2234 case LSM_OBJ_USER: 2235 seq_printf(m, pt(Opt_obj_user), 2236 entry->lsm[i].args_p); 2237 break; 2238 case LSM_OBJ_ROLE: 2239 seq_printf(m, pt(Opt_obj_role), 2240 entry->lsm[i].args_p); 2241 break; 2242 case LSM_OBJ_TYPE: 2243 seq_printf(m, pt(Opt_obj_type), 2244 entry->lsm[i].args_p); 2245 break; 2246 case LSM_SUBJ_USER: 2247 seq_printf(m, pt(Opt_subj_user), 2248 entry->lsm[i].args_p); 2249 break; 2250 case LSM_SUBJ_ROLE: 2251 seq_printf(m, pt(Opt_subj_role), 2252 entry->lsm[i].args_p); 2253 break; 2254 case LSM_SUBJ_TYPE: 2255 seq_printf(m, pt(Opt_subj_type), 2256 entry->lsm[i].args_p); 2257 break; 2258 } 2259 seq_puts(m, " "); 2260 } 2261 } 2262 if (entry->template) 2263 seq_printf(m, "template=%s ", entry->template->name); 2264 if (entry->flags & IMA_DIGSIG_REQUIRED) { 2265 if (entry->flags & IMA_VERITY_REQUIRED) 2266 seq_puts(m, "appraise_type=sigv3 "); 2267 else if (entry->flags & IMA_MODSIG_ALLOWED) 2268 seq_puts(m, "appraise_type=imasig|modsig "); 2269 else 2270 seq_puts(m, "appraise_type=imasig "); 2271 } 2272 if (entry->flags & IMA_VERITY_REQUIRED) 2273 seq_puts(m, "digest_type=verity "); 2274 if (entry->flags & IMA_PERMIT_DIRECTIO) 2275 seq_puts(m, "permit_directio "); 2276 rcu_read_unlock(); 2277 seq_puts(m, "\n"); 2278 return 0; 2279 } 2280 #endif /* CONFIG_IMA_READ_POLICY */ 2281 2282 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 2283 /* 2284 * ima_appraise_signature: whether IMA will appraise a given function using 2285 * an IMA digital signature. This is restricted to cases where the kernel 2286 * has a set of built-in trusted keys in order to avoid an attacker simply 2287 * loading additional keys. 2288 */ 2289 bool ima_appraise_signature(enum kernel_read_file_id id) 2290 { 2291 struct ima_rule_entry *entry; 2292 bool found = false; 2293 enum ima_hooks func; 2294 struct list_head *ima_rules_tmp; 2295 2296 if (id >= READING_MAX_ID) 2297 return false; 2298 2299 if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) 2300 && security_locked_down(LOCKDOWN_KEXEC)) 2301 return false; 2302 2303 func = read_idmap[id] ?: FILE_CHECK; 2304 2305 rcu_read_lock(); 2306 ima_rules_tmp = rcu_dereference(ima_rules); 2307 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 2308 if (entry->action != APPRAISE) 2309 continue; 2310 2311 /* 2312 * A generic entry will match, but otherwise require that it 2313 * match the func we're looking for 2314 */ 2315 if (entry->func && entry->func != func) 2316 continue; 2317 2318 /* 2319 * We require this to be a digital signature, not a raw IMA 2320 * hash. 2321 */ 2322 if (entry->flags & IMA_DIGSIG_REQUIRED) 2323 found = true; 2324 2325 /* 2326 * We've found a rule that matches, so break now even if it 2327 * didn't require a digital signature - a later rule that does 2328 * won't override it, so would be a false positive. 2329 */ 2330 break; 2331 } 2332 2333 rcu_read_unlock(); 2334 return found; 2335 } 2336 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 2337