1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #include <linux/init.h> 11 #include <linux/list.h> 12 #include <linux/kernel_read_file.h> 13 #include <linux/fs.h> 14 #include <linux/security.h> 15 #include <linux/magic.h> 16 #include <linux/parser.h> 17 #include <linux/slab.h> 18 #include <linux/rculist.h> 19 #include <linux/genhd.h> 20 #include <linux/seq_file.h> 21 #include <linux/ima.h> 22 23 #include "ima.h" 24 25 /* flags definitions */ 26 #define IMA_FUNC 0x0001 27 #define IMA_MASK 0x0002 28 #define IMA_FSMAGIC 0x0004 29 #define IMA_UID 0x0008 30 #define IMA_FOWNER 0x0010 31 #define IMA_FSUUID 0x0020 32 #define IMA_INMASK 0x0040 33 #define IMA_EUID 0x0080 34 #define IMA_PCR 0x0100 35 #define IMA_FSNAME 0x0200 36 #define IMA_KEYRINGS 0x0400 37 #define IMA_LABEL 0x0800 38 #define IMA_VALIDATE_ALGOS 0x1000 39 40 #define UNKNOWN 0 41 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 42 #define DONT_MEASURE 0x0002 43 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 44 #define DONT_APPRAISE 0x0008 45 #define AUDIT 0x0040 46 #define HASH 0x0100 47 #define DONT_HASH 0x0200 48 49 #define INVALID_PCR(a) (((a) < 0) || \ 50 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 51 52 int ima_policy_flag; 53 static int temp_ima_appraise; 54 static int build_ima_appraise __ro_after_init; 55 56 atomic_t ima_setxattr_allowed_hash_algorithms; 57 58 #define MAX_LSM_RULES 6 59 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 60 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 61 }; 62 63 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 64 65 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 66 67 struct ima_rule_opt_list { 68 size_t count; 69 char *items[]; 70 }; 71 72 struct ima_rule_entry { 73 struct list_head list; 74 int action; 75 unsigned int flags; 76 enum ima_hooks func; 77 int mask; 78 unsigned long fsmagic; 79 uuid_t fsuuid; 80 kuid_t uid; 81 kuid_t fowner; 82 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 83 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 84 int pcr; 85 unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ 86 struct { 87 void *rule; /* LSM file metadata specific */ 88 char *args_p; /* audit value */ 89 int type; /* audit type */ 90 } lsm[MAX_LSM_RULES]; 91 char *fsname; 92 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 93 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 94 struct ima_template_desc *template; 95 }; 96 97 /* 98 * sanity check in case the kernels gains more hash algorithms that can 99 * fit in an unsigned int 100 */ 101 static_assert( 102 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, 103 "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type"); 104 105 /* 106 * Without LSM specific knowledge, the default policy can only be 107 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 108 */ 109 110 /* 111 * The minimum rule set to allow for full TCB coverage. Measures all files 112 * opened or mmap for exec and everything read by root. Dangerous because 113 * normal users can easily run the machine out of memory simply building 114 * and running executables. 115 */ 116 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 117 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 118 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 119 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 120 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 121 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 122 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 123 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 124 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 125 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 126 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 127 .flags = IMA_FSMAGIC}, 128 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 129 .flags = IMA_FSMAGIC}, 130 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 131 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 132 }; 133 134 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 135 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 136 .flags = IMA_FUNC | IMA_MASK}, 137 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 138 .flags = IMA_FUNC | IMA_MASK}, 139 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 140 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 141 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 142 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 143 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 144 }; 145 146 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 147 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 148 .flags = IMA_FUNC | IMA_MASK}, 149 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 150 .flags = IMA_FUNC | IMA_MASK}, 151 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 152 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 153 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 154 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 155 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 156 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 157 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 158 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 159 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 160 }; 161 162 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 163 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 164 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 165 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 166 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 167 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 168 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 169 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 170 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 171 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 172 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 173 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 174 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 175 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 176 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 177 #ifdef CONFIG_IMA_WRITE_POLICY 178 {.action = APPRAISE, .func = POLICY_CHECK, 179 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 180 #endif 181 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 182 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 183 .flags = IMA_FOWNER}, 184 #else 185 /* force signature */ 186 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 187 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 188 #endif 189 }; 190 191 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 192 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 193 {.action = APPRAISE, .func = MODULE_CHECK, 194 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 195 #endif 196 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 197 {.action = APPRAISE, .func = FIRMWARE_CHECK, 198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 199 #endif 200 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 201 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 202 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 203 #endif 204 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 205 {.action = APPRAISE, .func = POLICY_CHECK, 206 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 207 #endif 208 }; 209 210 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 211 {.action = APPRAISE, .func = MODULE_CHECK, 212 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 213 {.action = APPRAISE, .func = FIRMWARE_CHECK, 214 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 215 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 216 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 217 {.action = APPRAISE, .func = POLICY_CHECK, 218 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 219 }; 220 221 static struct ima_rule_entry critical_data_rules[] __ro_after_init = { 222 {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, 223 }; 224 225 /* An array of architecture specific rules */ 226 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 227 228 static LIST_HEAD(ima_default_rules); 229 static LIST_HEAD(ima_policy_rules); 230 static LIST_HEAD(ima_temp_rules); 231 static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules); 232 233 static int ima_policy __initdata; 234 235 static int __init default_measure_policy_setup(char *str) 236 { 237 if (ima_policy) 238 return 1; 239 240 ima_policy = ORIGINAL_TCB; 241 return 1; 242 } 243 __setup("ima_tcb", default_measure_policy_setup); 244 245 static bool ima_use_appraise_tcb __initdata; 246 static bool ima_use_secure_boot __initdata; 247 static bool ima_use_critical_data __initdata; 248 static bool ima_fail_unverifiable_sigs __ro_after_init; 249 static int __init policy_setup(char *str) 250 { 251 char *p; 252 253 while ((p = strsep(&str, " |\n")) != NULL) { 254 if (*p == ' ') 255 continue; 256 if ((strcmp(p, "tcb") == 0) && !ima_policy) 257 ima_policy = DEFAULT_TCB; 258 else if (strcmp(p, "appraise_tcb") == 0) 259 ima_use_appraise_tcb = true; 260 else if (strcmp(p, "secure_boot") == 0) 261 ima_use_secure_boot = true; 262 else if (strcmp(p, "critical_data") == 0) 263 ima_use_critical_data = true; 264 else if (strcmp(p, "fail_securely") == 0) 265 ima_fail_unverifiable_sigs = true; 266 else 267 pr_err("policy \"%s\" not found", p); 268 } 269 270 return 1; 271 } 272 __setup("ima_policy=", policy_setup); 273 274 static int __init default_appraise_policy_setup(char *str) 275 { 276 ima_use_appraise_tcb = true; 277 return 1; 278 } 279 __setup("ima_appraise_tcb", default_appraise_policy_setup); 280 281 static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 282 { 283 struct ima_rule_opt_list *opt_list; 284 size_t count = 0; 285 char *src_copy; 286 char *cur, *next; 287 size_t i; 288 289 src_copy = match_strdup(src); 290 if (!src_copy) 291 return ERR_PTR(-ENOMEM); 292 293 next = src_copy; 294 while ((cur = strsep(&next, "|"))) { 295 /* Don't accept an empty list item */ 296 if (!(*cur)) { 297 kfree(src_copy); 298 return ERR_PTR(-EINVAL); 299 } 300 count++; 301 } 302 303 /* Don't accept an empty list */ 304 if (!count) { 305 kfree(src_copy); 306 return ERR_PTR(-EINVAL); 307 } 308 309 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 310 if (!opt_list) { 311 kfree(src_copy); 312 return ERR_PTR(-ENOMEM); 313 } 314 315 /* 316 * strsep() has already replaced all instances of '|' with '\0', 317 * leaving a byte sequence of NUL-terminated strings. Reference each 318 * string with the array of items. 319 * 320 * IMPORTANT: Ownership of the allocated buffer is transferred from 321 * src_copy to the first element in the items array. To free the 322 * buffer, kfree() must only be called on the first element of the 323 * array. 324 */ 325 for (i = 0, cur = src_copy; i < count; i++) { 326 opt_list->items[i] = cur; 327 cur = strchr(cur, '\0') + 1; 328 } 329 opt_list->count = count; 330 331 return opt_list; 332 } 333 334 static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 335 { 336 if (!opt_list) 337 return; 338 339 if (opt_list->count) { 340 kfree(opt_list->items[0]); 341 opt_list->count = 0; 342 } 343 344 kfree(opt_list); 345 } 346 347 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 348 { 349 int i; 350 351 for (i = 0; i < MAX_LSM_RULES; i++) { 352 ima_filter_rule_free(entry->lsm[i].rule); 353 kfree(entry->lsm[i].args_p); 354 } 355 } 356 357 static void ima_free_rule(struct ima_rule_entry *entry) 358 { 359 if (!entry) 360 return; 361 362 /* 363 * entry->template->fields may be allocated in ima_parse_rule() but that 364 * reference is owned by the corresponding ima_template_desc element in 365 * the defined_templates list and cannot be freed here 366 */ 367 kfree(entry->fsname); 368 ima_free_rule_opt_list(entry->keyrings); 369 ima_lsm_free_rule(entry); 370 kfree(entry); 371 } 372 373 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 374 { 375 struct ima_rule_entry *nentry; 376 int i; 377 378 /* 379 * Immutable elements are copied over as pointers and data; only 380 * lsm rules can change 381 */ 382 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 383 if (!nentry) 384 return NULL; 385 386 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 387 388 for (i = 0; i < MAX_LSM_RULES; i++) { 389 if (!entry->lsm[i].args_p) 390 continue; 391 392 nentry->lsm[i].type = entry->lsm[i].type; 393 nentry->lsm[i].args_p = entry->lsm[i].args_p; 394 /* 395 * Remove the reference from entry so that the associated 396 * memory will not be freed during a later call to 397 * ima_lsm_free_rule(entry). 398 */ 399 entry->lsm[i].args_p = NULL; 400 401 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 402 nentry->lsm[i].args_p, 403 &nentry->lsm[i].rule); 404 if (!nentry->lsm[i].rule) 405 pr_warn("rule for LSM \'%s\' is undefined\n", 406 nentry->lsm[i].args_p); 407 } 408 return nentry; 409 } 410 411 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 412 { 413 struct ima_rule_entry *nentry; 414 415 nentry = ima_lsm_copy_rule(entry); 416 if (!nentry) 417 return -ENOMEM; 418 419 list_replace_rcu(&entry->list, &nentry->list); 420 synchronize_rcu(); 421 /* 422 * ima_lsm_copy_rule() shallow copied all references, except for the 423 * LSM references, from entry to nentry so we only want to free the LSM 424 * references and the entry itself. All other memory refrences will now 425 * be owned by nentry. 426 */ 427 ima_lsm_free_rule(entry); 428 kfree(entry); 429 430 return 0; 431 } 432 433 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 434 { 435 int i; 436 437 for (i = 0; i < MAX_LSM_RULES; i++) 438 if (entry->lsm[i].args_p) 439 return true; 440 441 return false; 442 } 443 444 /* 445 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 446 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 447 * the reloaded LSM policy. 448 */ 449 static void ima_lsm_update_rules(void) 450 { 451 struct ima_rule_entry *entry, *e; 452 int result; 453 454 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 455 if (!ima_rule_contains_lsm_cond(entry)) 456 continue; 457 458 result = ima_lsm_update_rule(entry); 459 if (result) { 460 pr_err("lsm rule update error %d\n", result); 461 return; 462 } 463 } 464 } 465 466 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 467 void *lsm_data) 468 { 469 if (event != LSM_POLICY_CHANGE) 470 return NOTIFY_DONE; 471 472 ima_lsm_update_rules(); 473 return NOTIFY_OK; 474 } 475 476 /** 477 * ima_match_rule_data - determine whether func_data matches the policy rule 478 * @rule: a pointer to a rule 479 * @func_data: data to match against the measure rule data 480 * @cred: a pointer to a credentials structure for user validation 481 * 482 * Returns true if func_data matches one in the rule, false otherwise. 483 */ 484 static bool ima_match_rule_data(struct ima_rule_entry *rule, 485 const char *func_data, 486 const struct cred *cred) 487 { 488 const struct ima_rule_opt_list *opt_list = NULL; 489 bool matched = false; 490 size_t i; 491 492 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 493 return false; 494 495 switch (rule->func) { 496 case KEY_CHECK: 497 if (!rule->keyrings) 498 return true; 499 500 opt_list = rule->keyrings; 501 break; 502 case CRITICAL_DATA: 503 if (!rule->label) 504 return true; 505 506 opt_list = rule->label; 507 break; 508 default: 509 return false; 510 } 511 512 if (!func_data) 513 return false; 514 515 for (i = 0; i < opt_list->count; i++) { 516 if (!strcmp(opt_list->items[i], func_data)) { 517 matched = true; 518 break; 519 } 520 } 521 522 return matched; 523 } 524 525 /** 526 * ima_match_rules - determine whether an inode matches the policy rule. 527 * @rule: a pointer to a rule 528 * @mnt_userns: user namespace of the mount the inode was found from 529 * @inode: a pointer to an inode 530 * @cred: a pointer to a credentials structure for user validation 531 * @secid: the secid of the task to be validated 532 * @func: LIM hook identifier 533 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 534 * @func_data: func specific data, may be NULL 535 * 536 * Returns true on rule match, false on failure. 537 */ 538 static bool ima_match_rules(struct ima_rule_entry *rule, 539 struct user_namespace *mnt_userns, 540 struct inode *inode, const struct cred *cred, 541 u32 secid, enum ima_hooks func, int mask, 542 const char *func_data) 543 { 544 int i; 545 546 if ((rule->flags & IMA_FUNC) && 547 (rule->func != func && func != POST_SETATTR)) 548 return false; 549 550 switch (func) { 551 case KEY_CHECK: 552 case CRITICAL_DATA: 553 return ((rule->func == func) && 554 ima_match_rule_data(rule, func_data, cred)); 555 default: 556 break; 557 } 558 559 if ((rule->flags & IMA_MASK) && 560 (rule->mask != mask && func != POST_SETATTR)) 561 return false; 562 if ((rule->flags & IMA_INMASK) && 563 (!(rule->mask & mask) && func != POST_SETATTR)) 564 return false; 565 if ((rule->flags & IMA_FSMAGIC) 566 && rule->fsmagic != inode->i_sb->s_magic) 567 return false; 568 if ((rule->flags & IMA_FSNAME) 569 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 570 return false; 571 if ((rule->flags & IMA_FSUUID) && 572 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 573 return false; 574 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 575 return false; 576 if (rule->flags & IMA_EUID) { 577 if (has_capability_noaudit(current, CAP_SETUID)) { 578 if (!rule->uid_op(cred->euid, rule->uid) 579 && !rule->uid_op(cred->suid, rule->uid) 580 && !rule->uid_op(cred->uid, rule->uid)) 581 return false; 582 } else if (!rule->uid_op(cred->euid, rule->uid)) 583 return false; 584 } 585 586 if ((rule->flags & IMA_FOWNER) && 587 !rule->fowner_op(i_uid_into_mnt(mnt_userns, inode), rule->fowner)) 588 return false; 589 for (i = 0; i < MAX_LSM_RULES; i++) { 590 int rc = 0; 591 u32 osid; 592 593 if (!rule->lsm[i].rule) { 594 if (!rule->lsm[i].args_p) 595 continue; 596 else 597 return false; 598 } 599 switch (i) { 600 case LSM_OBJ_USER: 601 case LSM_OBJ_ROLE: 602 case LSM_OBJ_TYPE: 603 security_inode_getsecid(inode, &osid); 604 rc = ima_filter_rule_match(osid, rule->lsm[i].type, 605 Audit_equal, 606 rule->lsm[i].rule); 607 break; 608 case LSM_SUBJ_USER: 609 case LSM_SUBJ_ROLE: 610 case LSM_SUBJ_TYPE: 611 rc = ima_filter_rule_match(secid, rule->lsm[i].type, 612 Audit_equal, 613 rule->lsm[i].rule); 614 break; 615 default: 616 break; 617 } 618 if (!rc) 619 return false; 620 } 621 return true; 622 } 623 624 /* 625 * In addition to knowing that we need to appraise the file in general, 626 * we need to differentiate between calling hooks, for hook specific rules. 627 */ 628 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 629 { 630 if (!(rule->flags & IMA_FUNC)) 631 return IMA_FILE_APPRAISE; 632 633 switch (func) { 634 case MMAP_CHECK: 635 return IMA_MMAP_APPRAISE; 636 case BPRM_CHECK: 637 return IMA_BPRM_APPRAISE; 638 case CREDS_CHECK: 639 return IMA_CREDS_APPRAISE; 640 case FILE_CHECK: 641 case POST_SETATTR: 642 return IMA_FILE_APPRAISE; 643 case MODULE_CHECK ... MAX_CHECK - 1: 644 default: 645 return IMA_READ_APPRAISE; 646 } 647 } 648 649 /** 650 * ima_match_policy - decision based on LSM and other conditions 651 * @mnt_userns: user namespace of the mount the inode was found from 652 * @inode: pointer to an inode for which the policy decision is being made 653 * @cred: pointer to a credentials structure for which the policy decision is 654 * being made 655 * @secid: LSM secid of the task to be validated 656 * @func: IMA hook identifier 657 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 658 * @pcr: set the pcr to extend 659 * @template_desc: the template that should be used for this rule 660 * @func_data: func specific data, may be NULL 661 * @allowed_algos: allowlist of hash algorithms for the IMA xattr 662 * 663 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 664 * conditions. 665 * 666 * Since the IMA policy may be updated multiple times we need to lock the 667 * list when walking it. Reads are many orders of magnitude more numerous 668 * than writes so ima_match_policy() is classical RCU candidate. 669 */ 670 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, 671 const struct cred *cred, u32 secid, enum ima_hooks func, 672 int mask, int flags, int *pcr, 673 struct ima_template_desc **template_desc, 674 const char *func_data, unsigned int *allowed_algos) 675 { 676 struct ima_rule_entry *entry; 677 int action = 0, actmask = flags | (flags << 1); 678 struct list_head *ima_rules_tmp; 679 680 if (template_desc && !*template_desc) 681 *template_desc = ima_template_desc_current(); 682 683 rcu_read_lock(); 684 ima_rules_tmp = rcu_dereference(ima_rules); 685 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 686 687 if (!(entry->action & actmask)) 688 continue; 689 690 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, 691 func, mask, func_data)) 692 continue; 693 694 action |= entry->flags & IMA_ACTION_FLAGS; 695 696 action |= entry->action & IMA_DO_MASK; 697 if (entry->action & IMA_APPRAISE) { 698 action |= get_subaction(entry, func); 699 action &= ~IMA_HASH; 700 if (ima_fail_unverifiable_sigs) 701 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 702 703 if (allowed_algos && 704 entry->flags & IMA_VALIDATE_ALGOS) 705 *allowed_algos = entry->allowed_algos; 706 } 707 708 if (entry->action & IMA_DO_MASK) 709 actmask &= ~(entry->action | entry->action << 1); 710 else 711 actmask &= ~(entry->action | entry->action >> 1); 712 713 if ((pcr) && (entry->flags & IMA_PCR)) 714 *pcr = entry->pcr; 715 716 if (template_desc && entry->template) 717 *template_desc = entry->template; 718 719 if (!actmask) 720 break; 721 } 722 rcu_read_unlock(); 723 724 return action; 725 } 726 727 /** 728 * ima_update_policy_flags() - Update global IMA variables 729 * 730 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms 731 * based on the currently loaded policy. 732 * 733 * With ima_policy_flag, the decision to short circuit out of a function 734 * or not call the function in the first place can be made earlier. 735 * 736 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the 737 * set of hash algorithms accepted when updating the security.ima xattr of 738 * a file. 739 * 740 * Context: called after a policy update and at system initialization. 741 */ 742 void ima_update_policy_flags(void) 743 { 744 struct ima_rule_entry *entry; 745 int new_policy_flag = 0; 746 struct list_head *ima_rules_tmp; 747 748 rcu_read_lock(); 749 ima_rules_tmp = rcu_dereference(ima_rules); 750 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 751 /* 752 * SETXATTR_CHECK rules do not implement a full policy check 753 * because rule checking would probably have an important 754 * performance impact on setxattr(). As a consequence, only one 755 * SETXATTR_CHECK can be active at a given time. 756 * Because we want to preserve that property, we set out to use 757 * atomic_cmpxchg. Either: 758 * - the atomic was non-zero: a setxattr hash policy is 759 * already enforced, we do nothing 760 * - the atomic was zero: no setxattr policy was set, enable 761 * the setxattr hash policy 762 */ 763 if (entry->func == SETXATTR_CHECK) { 764 atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms, 765 0, entry->allowed_algos); 766 /* SETXATTR_CHECK doesn't impact ima_policy_flag */ 767 continue; 768 } 769 770 if (entry->action & IMA_DO_MASK) 771 new_policy_flag |= entry->action; 772 } 773 rcu_read_unlock(); 774 775 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 776 if (!ima_appraise) 777 new_policy_flag &= ~IMA_APPRAISE; 778 779 ima_policy_flag = new_policy_flag; 780 } 781 782 static int ima_appraise_flag(enum ima_hooks func) 783 { 784 if (func == MODULE_CHECK) 785 return IMA_APPRAISE_MODULES; 786 else if (func == FIRMWARE_CHECK) 787 return IMA_APPRAISE_FIRMWARE; 788 else if (func == POLICY_CHECK) 789 return IMA_APPRAISE_POLICY; 790 else if (func == KEXEC_KERNEL_CHECK) 791 return IMA_APPRAISE_KEXEC; 792 return 0; 793 } 794 795 static void add_rules(struct ima_rule_entry *entries, int count, 796 enum policy_rule_list policy_rule) 797 { 798 int i = 0; 799 800 for (i = 0; i < count; i++) { 801 struct ima_rule_entry *entry; 802 803 if (policy_rule & IMA_DEFAULT_POLICY) 804 list_add_tail(&entries[i].list, &ima_default_rules); 805 806 if (policy_rule & IMA_CUSTOM_POLICY) { 807 entry = kmemdup(&entries[i], sizeof(*entry), 808 GFP_KERNEL); 809 if (!entry) 810 continue; 811 812 list_add_tail(&entry->list, &ima_policy_rules); 813 } 814 if (entries[i].action == APPRAISE) { 815 if (entries != build_appraise_rules) 816 temp_ima_appraise |= 817 ima_appraise_flag(entries[i].func); 818 else 819 build_ima_appraise |= 820 ima_appraise_flag(entries[i].func); 821 } 822 } 823 } 824 825 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 826 827 static int __init ima_init_arch_policy(void) 828 { 829 const char * const *arch_rules; 830 const char * const *rules; 831 int arch_entries = 0; 832 int i = 0; 833 834 arch_rules = arch_get_ima_policy(); 835 if (!arch_rules) 836 return arch_entries; 837 838 /* Get number of rules */ 839 for (rules = arch_rules; *rules != NULL; rules++) 840 arch_entries++; 841 842 arch_policy_entry = kcalloc(arch_entries + 1, 843 sizeof(*arch_policy_entry), GFP_KERNEL); 844 if (!arch_policy_entry) 845 return 0; 846 847 /* Convert each policy string rules to struct ima_rule_entry format */ 848 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 849 char rule[255]; 850 int result; 851 852 result = strlcpy(rule, *rules, sizeof(rule)); 853 854 INIT_LIST_HEAD(&arch_policy_entry[i].list); 855 result = ima_parse_rule(rule, &arch_policy_entry[i]); 856 if (result) { 857 pr_warn("Skipping unknown architecture policy rule: %s\n", 858 rule); 859 memset(&arch_policy_entry[i], 0, 860 sizeof(*arch_policy_entry)); 861 continue; 862 } 863 i++; 864 } 865 return i; 866 } 867 868 /** 869 * ima_init_policy - initialize the default measure rules. 870 * 871 * ima_rules points to either the ima_default_rules or the 872 * the new ima_policy_rules. 873 */ 874 void __init ima_init_policy(void) 875 { 876 int build_appraise_entries, arch_entries; 877 878 /* if !ima_policy, we load NO default rules */ 879 if (ima_policy) 880 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 881 IMA_DEFAULT_POLICY); 882 883 switch (ima_policy) { 884 case ORIGINAL_TCB: 885 add_rules(original_measurement_rules, 886 ARRAY_SIZE(original_measurement_rules), 887 IMA_DEFAULT_POLICY); 888 break; 889 case DEFAULT_TCB: 890 add_rules(default_measurement_rules, 891 ARRAY_SIZE(default_measurement_rules), 892 IMA_DEFAULT_POLICY); 893 break; 894 default: 895 break; 896 } 897 898 /* 899 * Based on runtime secure boot flags, insert arch specific measurement 900 * and appraise rules requiring file signatures for both the initial 901 * and custom policies, prior to other appraise rules. 902 * (Highest priority) 903 */ 904 arch_entries = ima_init_arch_policy(); 905 if (!arch_entries) 906 pr_info("No architecture policies found\n"); 907 else 908 add_rules(arch_policy_entry, arch_entries, 909 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 910 911 /* 912 * Insert the builtin "secure_boot" policy rules requiring file 913 * signatures, prior to other appraise rules. 914 */ 915 if (ima_use_secure_boot) 916 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 917 IMA_DEFAULT_POLICY); 918 919 /* 920 * Insert the build time appraise rules requiring file signatures 921 * for both the initial and custom policies, prior to other appraise 922 * rules. As the secure boot rules includes all of the build time 923 * rules, include either one or the other set of rules, but not both. 924 */ 925 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 926 if (build_appraise_entries) { 927 if (ima_use_secure_boot) 928 add_rules(build_appraise_rules, build_appraise_entries, 929 IMA_CUSTOM_POLICY); 930 else 931 add_rules(build_appraise_rules, build_appraise_entries, 932 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 933 } 934 935 if (ima_use_appraise_tcb) 936 add_rules(default_appraise_rules, 937 ARRAY_SIZE(default_appraise_rules), 938 IMA_DEFAULT_POLICY); 939 940 if (ima_use_critical_data) 941 add_rules(critical_data_rules, 942 ARRAY_SIZE(critical_data_rules), 943 IMA_DEFAULT_POLICY); 944 945 atomic_set(&ima_setxattr_allowed_hash_algorithms, 0); 946 947 ima_update_policy_flags(); 948 } 949 950 /* Make sure we have a valid policy, at least containing some rules. */ 951 int ima_check_policy(void) 952 { 953 if (list_empty(&ima_temp_rules)) 954 return -EINVAL; 955 return 0; 956 } 957 958 /** 959 * ima_update_policy - update default_rules with new measure rules 960 * 961 * Called on file .release to update the default rules with a complete new 962 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 963 * they make a queue. The policy may be updated multiple times and this is the 964 * RCU updater. 965 * 966 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 967 * we switch from the default policy to user defined. 968 */ 969 void ima_update_policy(void) 970 { 971 struct list_head *policy = &ima_policy_rules; 972 973 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 974 975 if (ima_rules != (struct list_head __rcu *)policy) { 976 ima_policy_flag = 0; 977 978 rcu_assign_pointer(ima_rules, policy); 979 /* 980 * IMA architecture specific policy rules are specified 981 * as strings and converted to an array of ima_entry_rules 982 * on boot. After loading a custom policy, free the 983 * architecture specific rules stored as an array. 984 */ 985 kfree(arch_policy_entry); 986 } 987 ima_update_policy_flags(); 988 989 /* Custom IMA policy has been loaded */ 990 ima_process_queued_keys(); 991 } 992 993 /* Keep the enumeration in sync with the policy_tokens! */ 994 enum { 995 Opt_measure, Opt_dont_measure, 996 Opt_appraise, Opt_dont_appraise, 997 Opt_audit, Opt_hash, Opt_dont_hash, 998 Opt_obj_user, Opt_obj_role, Opt_obj_type, 999 Opt_subj_user, Opt_subj_role, Opt_subj_type, 1000 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 1001 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 1002 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 1003 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 1004 Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, 1005 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 1006 Opt_label, Opt_err 1007 }; 1008 1009 static const match_table_t policy_tokens = { 1010 {Opt_measure, "measure"}, 1011 {Opt_dont_measure, "dont_measure"}, 1012 {Opt_appraise, "appraise"}, 1013 {Opt_dont_appraise, "dont_appraise"}, 1014 {Opt_audit, "audit"}, 1015 {Opt_hash, "hash"}, 1016 {Opt_dont_hash, "dont_hash"}, 1017 {Opt_obj_user, "obj_user=%s"}, 1018 {Opt_obj_role, "obj_role=%s"}, 1019 {Opt_obj_type, "obj_type=%s"}, 1020 {Opt_subj_user, "subj_user=%s"}, 1021 {Opt_subj_role, "subj_role=%s"}, 1022 {Opt_subj_type, "subj_type=%s"}, 1023 {Opt_func, "func=%s"}, 1024 {Opt_mask, "mask=%s"}, 1025 {Opt_fsmagic, "fsmagic=%s"}, 1026 {Opt_fsname, "fsname=%s"}, 1027 {Opt_fsuuid, "fsuuid=%s"}, 1028 {Opt_uid_eq, "uid=%s"}, 1029 {Opt_euid_eq, "euid=%s"}, 1030 {Opt_fowner_eq, "fowner=%s"}, 1031 {Opt_uid_gt, "uid>%s"}, 1032 {Opt_euid_gt, "euid>%s"}, 1033 {Opt_fowner_gt, "fowner>%s"}, 1034 {Opt_uid_lt, "uid<%s"}, 1035 {Opt_euid_lt, "euid<%s"}, 1036 {Opt_fowner_lt, "fowner<%s"}, 1037 {Opt_appraise_type, "appraise_type=%s"}, 1038 {Opt_appraise_flag, "appraise_flag=%s"}, 1039 {Opt_appraise_algos, "appraise_algos=%s"}, 1040 {Opt_permit_directio, "permit_directio"}, 1041 {Opt_pcr, "pcr=%s"}, 1042 {Opt_template, "template=%s"}, 1043 {Opt_keyrings, "keyrings=%s"}, 1044 {Opt_label, "label=%s"}, 1045 {Opt_err, NULL} 1046 }; 1047 1048 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 1049 substring_t *args, int lsm_rule, int audit_type) 1050 { 1051 int result; 1052 1053 if (entry->lsm[lsm_rule].rule) 1054 return -EINVAL; 1055 1056 entry->lsm[lsm_rule].args_p = match_strdup(args); 1057 if (!entry->lsm[lsm_rule].args_p) 1058 return -ENOMEM; 1059 1060 entry->lsm[lsm_rule].type = audit_type; 1061 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1062 entry->lsm[lsm_rule].args_p, 1063 &entry->lsm[lsm_rule].rule); 1064 if (!entry->lsm[lsm_rule].rule) { 1065 pr_warn("rule for LSM \'%s\' is undefined\n", 1066 entry->lsm[lsm_rule].args_p); 1067 1068 if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) { 1069 kfree(entry->lsm[lsm_rule].args_p); 1070 entry->lsm[lsm_rule].args_p = NULL; 1071 result = -EINVAL; 1072 } else 1073 result = 0; 1074 } 1075 1076 return result; 1077 } 1078 1079 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1080 bool (*rule_operator)(kuid_t, kuid_t)) 1081 { 1082 if (!ab) 1083 return; 1084 1085 if (rule_operator == &uid_gt) 1086 audit_log_format(ab, "%s>", key); 1087 else if (rule_operator == &uid_lt) 1088 audit_log_format(ab, "%s<", key); 1089 else 1090 audit_log_format(ab, "%s=", key); 1091 audit_log_format(ab, "%s ", value); 1092 } 1093 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1094 { 1095 ima_log_string_op(ab, key, value, NULL); 1096 } 1097 1098 /* 1099 * Validating the appended signature included in the measurement list requires 1100 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1101 * field). Therefore, notify the user if they have the 'modsig' field but not 1102 * the 'd-modsig' field in the template. 1103 */ 1104 static void check_template_modsig(const struct ima_template_desc *template) 1105 { 1106 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1107 bool has_modsig, has_dmodsig; 1108 static bool checked; 1109 int i; 1110 1111 /* We only need to notify the user once. */ 1112 if (checked) 1113 return; 1114 1115 has_modsig = has_dmodsig = false; 1116 for (i = 0; i < template->num_fields; i++) { 1117 if (!strcmp(template->fields[i]->field_id, "modsig")) 1118 has_modsig = true; 1119 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1120 has_dmodsig = true; 1121 } 1122 1123 if (has_modsig && !has_dmodsig) 1124 pr_notice(MSG); 1125 1126 checked = true; 1127 #undef MSG 1128 } 1129 1130 static bool ima_validate_rule(struct ima_rule_entry *entry) 1131 { 1132 /* Ensure that the action is set and is compatible with the flags */ 1133 if (entry->action == UNKNOWN) 1134 return false; 1135 1136 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1137 return false; 1138 1139 if (entry->action != APPRAISE && 1140 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 1141 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1142 return false; 1143 1144 /* 1145 * The IMA_FUNC bit must be set if and only if there's a valid hook 1146 * function specified, and vice versa. Enforcing this property allows 1147 * for the NONE case below to validate a rule without an explicit hook 1148 * function. 1149 */ 1150 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1151 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1152 return false; 1153 1154 /* 1155 * Ensure that the hook function is compatible with the other 1156 * components of the rule 1157 */ 1158 switch (entry->func) { 1159 case NONE: 1160 case FILE_CHECK: 1161 case MMAP_CHECK: 1162 case BPRM_CHECK: 1163 case CREDS_CHECK: 1164 case POST_SETATTR: 1165 case FIRMWARE_CHECK: 1166 case POLICY_CHECK: 1167 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1168 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1169 IMA_INMASK | IMA_EUID | IMA_PCR | 1170 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1171 IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS)) 1172 return false; 1173 1174 break; 1175 case MODULE_CHECK: 1176 case KEXEC_KERNEL_CHECK: 1177 case KEXEC_INITRAMFS_CHECK: 1178 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1179 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1180 IMA_INMASK | IMA_EUID | IMA_PCR | 1181 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1182 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1183 IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1184 return false; 1185 1186 break; 1187 case KEXEC_CMDLINE: 1188 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1189 return false; 1190 1191 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1192 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1193 IMA_PCR | IMA_FSNAME)) 1194 return false; 1195 1196 break; 1197 case KEY_CHECK: 1198 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1199 return false; 1200 1201 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1202 IMA_KEYRINGS)) 1203 return false; 1204 1205 if (ima_rule_contains_lsm_cond(entry)) 1206 return false; 1207 1208 break; 1209 case CRITICAL_DATA: 1210 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1211 return false; 1212 1213 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1214 IMA_LABEL)) 1215 return false; 1216 1217 if (ima_rule_contains_lsm_cond(entry)) 1218 return false; 1219 1220 break; 1221 case SETXATTR_CHECK: 1222 /* any action other than APPRAISE is unsupported */ 1223 if (entry->action != APPRAISE) 1224 return false; 1225 1226 /* SETXATTR_CHECK requires an appraise_algos parameter */ 1227 if (!(entry->flags & IMA_VALIDATE_ALGOS)) 1228 return false; 1229 1230 /* 1231 * full policies are not supported, they would have too 1232 * much of a performance impact 1233 */ 1234 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) 1235 return false; 1236 1237 break; 1238 default: 1239 return false; 1240 } 1241 1242 /* Ensure that combinations of flags are compatible with each other */ 1243 if (entry->flags & IMA_CHECK_BLACKLIST && 1244 !(entry->flags & IMA_MODSIG_ALLOWED)) 1245 return false; 1246 1247 return true; 1248 } 1249 1250 static unsigned int ima_parse_appraise_algos(char *arg) 1251 { 1252 unsigned int res = 0; 1253 int idx; 1254 char *token; 1255 1256 while ((token = strsep(&arg, ",")) != NULL) { 1257 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); 1258 1259 if (idx < 0) { 1260 pr_err("unknown hash algorithm \"%s\"", 1261 token); 1262 return 0; 1263 } 1264 1265 if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) { 1266 pr_err("unavailable hash algorithm \"%s\", check your kernel configuration", 1267 token); 1268 return 0; 1269 } 1270 1271 /* Add the hash algorithm to the 'allowed' bitfield */ 1272 res |= (1U << idx); 1273 } 1274 1275 return res; 1276 } 1277 1278 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1279 { 1280 struct audit_buffer *ab; 1281 char *from; 1282 char *p; 1283 bool uid_token; 1284 struct ima_template_desc *template_desc; 1285 int result = 0; 1286 1287 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1288 AUDIT_INTEGRITY_POLICY_RULE); 1289 1290 entry->uid = INVALID_UID; 1291 entry->fowner = INVALID_UID; 1292 entry->uid_op = &uid_eq; 1293 entry->fowner_op = &uid_eq; 1294 entry->action = UNKNOWN; 1295 while ((p = strsep(&rule, " \t")) != NULL) { 1296 substring_t args[MAX_OPT_ARGS]; 1297 int token; 1298 unsigned long lnum; 1299 1300 if (result < 0) 1301 break; 1302 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1303 continue; 1304 token = match_token(p, policy_tokens, args); 1305 switch (token) { 1306 case Opt_measure: 1307 ima_log_string(ab, "action", "measure"); 1308 1309 if (entry->action != UNKNOWN) 1310 result = -EINVAL; 1311 1312 entry->action = MEASURE; 1313 break; 1314 case Opt_dont_measure: 1315 ima_log_string(ab, "action", "dont_measure"); 1316 1317 if (entry->action != UNKNOWN) 1318 result = -EINVAL; 1319 1320 entry->action = DONT_MEASURE; 1321 break; 1322 case Opt_appraise: 1323 ima_log_string(ab, "action", "appraise"); 1324 1325 if (entry->action != UNKNOWN) 1326 result = -EINVAL; 1327 1328 entry->action = APPRAISE; 1329 break; 1330 case Opt_dont_appraise: 1331 ima_log_string(ab, "action", "dont_appraise"); 1332 1333 if (entry->action != UNKNOWN) 1334 result = -EINVAL; 1335 1336 entry->action = DONT_APPRAISE; 1337 break; 1338 case Opt_audit: 1339 ima_log_string(ab, "action", "audit"); 1340 1341 if (entry->action != UNKNOWN) 1342 result = -EINVAL; 1343 1344 entry->action = AUDIT; 1345 break; 1346 case Opt_hash: 1347 ima_log_string(ab, "action", "hash"); 1348 1349 if (entry->action != UNKNOWN) 1350 result = -EINVAL; 1351 1352 entry->action = HASH; 1353 break; 1354 case Opt_dont_hash: 1355 ima_log_string(ab, "action", "dont_hash"); 1356 1357 if (entry->action != UNKNOWN) 1358 result = -EINVAL; 1359 1360 entry->action = DONT_HASH; 1361 break; 1362 case Opt_func: 1363 ima_log_string(ab, "func", args[0].from); 1364 1365 if (entry->func) 1366 result = -EINVAL; 1367 1368 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1369 entry->func = FILE_CHECK; 1370 /* PATH_CHECK is for backwards compat */ 1371 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1372 entry->func = FILE_CHECK; 1373 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1374 entry->func = MODULE_CHECK; 1375 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1376 entry->func = FIRMWARE_CHECK; 1377 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1378 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1379 entry->func = MMAP_CHECK; 1380 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1381 entry->func = BPRM_CHECK; 1382 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1383 entry->func = CREDS_CHECK; 1384 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1385 0) 1386 entry->func = KEXEC_KERNEL_CHECK; 1387 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1388 == 0) 1389 entry->func = KEXEC_INITRAMFS_CHECK; 1390 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1391 entry->func = POLICY_CHECK; 1392 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1393 entry->func = KEXEC_CMDLINE; 1394 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1395 strcmp(args[0].from, "KEY_CHECK") == 0) 1396 entry->func = KEY_CHECK; 1397 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1398 entry->func = CRITICAL_DATA; 1399 else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0) 1400 entry->func = SETXATTR_CHECK; 1401 else 1402 result = -EINVAL; 1403 if (!result) 1404 entry->flags |= IMA_FUNC; 1405 break; 1406 case Opt_mask: 1407 ima_log_string(ab, "mask", args[0].from); 1408 1409 if (entry->mask) 1410 result = -EINVAL; 1411 1412 from = args[0].from; 1413 if (*from == '^') 1414 from++; 1415 1416 if ((strcmp(from, "MAY_EXEC")) == 0) 1417 entry->mask = MAY_EXEC; 1418 else if (strcmp(from, "MAY_WRITE") == 0) 1419 entry->mask = MAY_WRITE; 1420 else if (strcmp(from, "MAY_READ") == 0) 1421 entry->mask = MAY_READ; 1422 else if (strcmp(from, "MAY_APPEND") == 0) 1423 entry->mask = MAY_APPEND; 1424 else 1425 result = -EINVAL; 1426 if (!result) 1427 entry->flags |= (*args[0].from == '^') 1428 ? IMA_INMASK : IMA_MASK; 1429 break; 1430 case Opt_fsmagic: 1431 ima_log_string(ab, "fsmagic", args[0].from); 1432 1433 if (entry->fsmagic) { 1434 result = -EINVAL; 1435 break; 1436 } 1437 1438 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1439 if (!result) 1440 entry->flags |= IMA_FSMAGIC; 1441 break; 1442 case Opt_fsname: 1443 ima_log_string(ab, "fsname", args[0].from); 1444 1445 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1446 if (!entry->fsname) { 1447 result = -ENOMEM; 1448 break; 1449 } 1450 result = 0; 1451 entry->flags |= IMA_FSNAME; 1452 break; 1453 case Opt_keyrings: 1454 ima_log_string(ab, "keyrings", args[0].from); 1455 1456 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1457 entry->keyrings) { 1458 result = -EINVAL; 1459 break; 1460 } 1461 1462 entry->keyrings = ima_alloc_rule_opt_list(args); 1463 if (IS_ERR(entry->keyrings)) { 1464 result = PTR_ERR(entry->keyrings); 1465 entry->keyrings = NULL; 1466 break; 1467 } 1468 1469 entry->flags |= IMA_KEYRINGS; 1470 break; 1471 case Opt_label: 1472 ima_log_string(ab, "label", args[0].from); 1473 1474 if (entry->label) { 1475 result = -EINVAL; 1476 break; 1477 } 1478 1479 entry->label = ima_alloc_rule_opt_list(args); 1480 if (IS_ERR(entry->label)) { 1481 result = PTR_ERR(entry->label); 1482 entry->label = NULL; 1483 break; 1484 } 1485 1486 entry->flags |= IMA_LABEL; 1487 break; 1488 case Opt_fsuuid: 1489 ima_log_string(ab, "fsuuid", args[0].from); 1490 1491 if (!uuid_is_null(&entry->fsuuid)) { 1492 result = -EINVAL; 1493 break; 1494 } 1495 1496 result = uuid_parse(args[0].from, &entry->fsuuid); 1497 if (!result) 1498 entry->flags |= IMA_FSUUID; 1499 break; 1500 case Opt_uid_gt: 1501 case Opt_euid_gt: 1502 entry->uid_op = &uid_gt; 1503 fallthrough; 1504 case Opt_uid_lt: 1505 case Opt_euid_lt: 1506 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1507 entry->uid_op = &uid_lt; 1508 fallthrough; 1509 case Opt_uid_eq: 1510 case Opt_euid_eq: 1511 uid_token = (token == Opt_uid_eq) || 1512 (token == Opt_uid_gt) || 1513 (token == Opt_uid_lt); 1514 1515 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1516 args[0].from, entry->uid_op); 1517 1518 if (uid_valid(entry->uid)) { 1519 result = -EINVAL; 1520 break; 1521 } 1522 1523 result = kstrtoul(args[0].from, 10, &lnum); 1524 if (!result) { 1525 entry->uid = make_kuid(current_user_ns(), 1526 (uid_t) lnum); 1527 if (!uid_valid(entry->uid) || 1528 (uid_t)lnum != lnum) 1529 result = -EINVAL; 1530 else 1531 entry->flags |= uid_token 1532 ? IMA_UID : IMA_EUID; 1533 } 1534 break; 1535 case Opt_fowner_gt: 1536 entry->fowner_op = &uid_gt; 1537 fallthrough; 1538 case Opt_fowner_lt: 1539 if (token == Opt_fowner_lt) 1540 entry->fowner_op = &uid_lt; 1541 fallthrough; 1542 case Opt_fowner_eq: 1543 ima_log_string_op(ab, "fowner", args[0].from, 1544 entry->fowner_op); 1545 1546 if (uid_valid(entry->fowner)) { 1547 result = -EINVAL; 1548 break; 1549 } 1550 1551 result = kstrtoul(args[0].from, 10, &lnum); 1552 if (!result) { 1553 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1554 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1555 result = -EINVAL; 1556 else 1557 entry->flags |= IMA_FOWNER; 1558 } 1559 break; 1560 case Opt_obj_user: 1561 ima_log_string(ab, "obj_user", args[0].from); 1562 result = ima_lsm_rule_init(entry, args, 1563 LSM_OBJ_USER, 1564 AUDIT_OBJ_USER); 1565 break; 1566 case Opt_obj_role: 1567 ima_log_string(ab, "obj_role", args[0].from); 1568 result = ima_lsm_rule_init(entry, args, 1569 LSM_OBJ_ROLE, 1570 AUDIT_OBJ_ROLE); 1571 break; 1572 case Opt_obj_type: 1573 ima_log_string(ab, "obj_type", args[0].from); 1574 result = ima_lsm_rule_init(entry, args, 1575 LSM_OBJ_TYPE, 1576 AUDIT_OBJ_TYPE); 1577 break; 1578 case Opt_subj_user: 1579 ima_log_string(ab, "subj_user", args[0].from); 1580 result = ima_lsm_rule_init(entry, args, 1581 LSM_SUBJ_USER, 1582 AUDIT_SUBJ_USER); 1583 break; 1584 case Opt_subj_role: 1585 ima_log_string(ab, "subj_role", args[0].from); 1586 result = ima_lsm_rule_init(entry, args, 1587 LSM_SUBJ_ROLE, 1588 AUDIT_SUBJ_ROLE); 1589 break; 1590 case Opt_subj_type: 1591 ima_log_string(ab, "subj_type", args[0].from); 1592 result = ima_lsm_rule_init(entry, args, 1593 LSM_SUBJ_TYPE, 1594 AUDIT_SUBJ_TYPE); 1595 break; 1596 case Opt_appraise_type: 1597 ima_log_string(ab, "appraise_type", args[0].from); 1598 if ((strcmp(args[0].from, "imasig")) == 0) 1599 entry->flags |= IMA_DIGSIG_REQUIRED; 1600 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1601 strcmp(args[0].from, "imasig|modsig") == 0) 1602 entry->flags |= IMA_DIGSIG_REQUIRED | 1603 IMA_MODSIG_ALLOWED; 1604 else 1605 result = -EINVAL; 1606 break; 1607 case Opt_appraise_flag: 1608 ima_log_string(ab, "appraise_flag", args[0].from); 1609 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1610 strstr(args[0].from, "blacklist")) 1611 entry->flags |= IMA_CHECK_BLACKLIST; 1612 else 1613 result = -EINVAL; 1614 break; 1615 case Opt_appraise_algos: 1616 ima_log_string(ab, "appraise_algos", args[0].from); 1617 1618 if (entry->allowed_algos) { 1619 result = -EINVAL; 1620 break; 1621 } 1622 1623 entry->allowed_algos = 1624 ima_parse_appraise_algos(args[0].from); 1625 /* invalid or empty list of algorithms */ 1626 if (!entry->allowed_algos) { 1627 result = -EINVAL; 1628 break; 1629 } 1630 1631 entry->flags |= IMA_VALIDATE_ALGOS; 1632 1633 break; 1634 case Opt_permit_directio: 1635 entry->flags |= IMA_PERMIT_DIRECTIO; 1636 break; 1637 case Opt_pcr: 1638 ima_log_string(ab, "pcr", args[0].from); 1639 1640 result = kstrtoint(args[0].from, 10, &entry->pcr); 1641 if (result || INVALID_PCR(entry->pcr)) 1642 result = -EINVAL; 1643 else 1644 entry->flags |= IMA_PCR; 1645 1646 break; 1647 case Opt_template: 1648 ima_log_string(ab, "template", args[0].from); 1649 if (entry->action != MEASURE) { 1650 result = -EINVAL; 1651 break; 1652 } 1653 template_desc = lookup_template_desc(args[0].from); 1654 if (!template_desc || entry->template) { 1655 result = -EINVAL; 1656 break; 1657 } 1658 1659 /* 1660 * template_desc_init_fields() does nothing if 1661 * the template is already initialised, so 1662 * it's safe to do this unconditionally 1663 */ 1664 template_desc_init_fields(template_desc->fmt, 1665 &(template_desc->fields), 1666 &(template_desc->num_fields)); 1667 entry->template = template_desc; 1668 break; 1669 case Opt_err: 1670 ima_log_string(ab, "UNKNOWN", p); 1671 result = -EINVAL; 1672 break; 1673 } 1674 } 1675 if (!result && !ima_validate_rule(entry)) 1676 result = -EINVAL; 1677 else if (entry->action == APPRAISE) 1678 temp_ima_appraise |= ima_appraise_flag(entry->func); 1679 1680 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1681 template_desc = entry->template ? entry->template : 1682 ima_template_desc_current(); 1683 check_template_modsig(template_desc); 1684 } 1685 1686 audit_log_format(ab, "res=%d", !result); 1687 audit_log_end(ab); 1688 return result; 1689 } 1690 1691 /** 1692 * ima_parse_add_rule - add a rule to ima_policy_rules 1693 * @rule - ima measurement policy rule 1694 * 1695 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1696 * Returns the length of the rule parsed, an error code on failure 1697 */ 1698 ssize_t ima_parse_add_rule(char *rule) 1699 { 1700 static const char op[] = "update_policy"; 1701 char *p; 1702 struct ima_rule_entry *entry; 1703 ssize_t result, len; 1704 int audit_info = 0; 1705 1706 p = strsep(&rule, "\n"); 1707 len = strlen(p) + 1; 1708 p += strspn(p, " \t"); 1709 1710 if (*p == '#' || *p == '\0') 1711 return len; 1712 1713 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1714 if (!entry) { 1715 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1716 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1717 return -ENOMEM; 1718 } 1719 1720 INIT_LIST_HEAD(&entry->list); 1721 1722 result = ima_parse_rule(p, entry); 1723 if (result) { 1724 ima_free_rule(entry); 1725 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1726 NULL, op, "invalid-policy", result, 1727 audit_info); 1728 return result; 1729 } 1730 1731 list_add_tail(&entry->list, &ima_temp_rules); 1732 1733 return len; 1734 } 1735 1736 /** 1737 * ima_delete_rules() called to cleanup invalid in-flight policy. 1738 * We don't need locking as we operate on the temp list, which is 1739 * different from the active one. There is also only one user of 1740 * ima_delete_rules() at a time. 1741 */ 1742 void ima_delete_rules(void) 1743 { 1744 struct ima_rule_entry *entry, *tmp; 1745 1746 temp_ima_appraise = 0; 1747 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1748 list_del(&entry->list); 1749 ima_free_rule(entry); 1750 } 1751 } 1752 1753 #define __ima_hook_stringify(func, str) (#func), 1754 1755 const char *const func_tokens[] = { 1756 __ima_hooks(__ima_hook_stringify) 1757 }; 1758 1759 #ifdef CONFIG_IMA_READ_POLICY 1760 enum { 1761 mask_exec = 0, mask_write, mask_read, mask_append 1762 }; 1763 1764 static const char *const mask_tokens[] = { 1765 "^MAY_EXEC", 1766 "^MAY_WRITE", 1767 "^MAY_READ", 1768 "^MAY_APPEND" 1769 }; 1770 1771 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1772 { 1773 loff_t l = *pos; 1774 struct ima_rule_entry *entry; 1775 struct list_head *ima_rules_tmp; 1776 1777 rcu_read_lock(); 1778 ima_rules_tmp = rcu_dereference(ima_rules); 1779 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 1780 if (!l--) { 1781 rcu_read_unlock(); 1782 return entry; 1783 } 1784 } 1785 rcu_read_unlock(); 1786 return NULL; 1787 } 1788 1789 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1790 { 1791 struct ima_rule_entry *entry = v; 1792 1793 rcu_read_lock(); 1794 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1795 rcu_read_unlock(); 1796 (*pos)++; 1797 1798 return (&entry->list == &ima_default_rules || 1799 &entry->list == &ima_policy_rules) ? NULL : entry; 1800 } 1801 1802 void ima_policy_stop(struct seq_file *m, void *v) 1803 { 1804 } 1805 1806 #define pt(token) policy_tokens[token].pattern 1807 #define mt(token) mask_tokens[token] 1808 1809 /* 1810 * policy_func_show - display the ima_hooks policy rule 1811 */ 1812 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1813 { 1814 if (func > 0 && func < MAX_CHECK) 1815 seq_printf(m, "func=%s ", func_tokens[func]); 1816 else 1817 seq_printf(m, "func=%d ", func); 1818 } 1819 1820 static void ima_show_rule_opt_list(struct seq_file *m, 1821 const struct ima_rule_opt_list *opt_list) 1822 { 1823 size_t i; 1824 1825 for (i = 0; i < opt_list->count; i++) 1826 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 1827 } 1828 1829 static void ima_policy_show_appraise_algos(struct seq_file *m, 1830 unsigned int allowed_hashes) 1831 { 1832 int idx, list_size = 0; 1833 1834 for (idx = 0; idx < HASH_ALGO__LAST; idx++) { 1835 if (!(allowed_hashes & (1U << idx))) 1836 continue; 1837 1838 /* only add commas if the list contains multiple entries */ 1839 if (list_size++) 1840 seq_puts(m, ","); 1841 1842 seq_puts(m, hash_algo_name[idx]); 1843 } 1844 } 1845 1846 int ima_policy_show(struct seq_file *m, void *v) 1847 { 1848 struct ima_rule_entry *entry = v; 1849 int i; 1850 char tbuf[64] = {0,}; 1851 int offset = 0; 1852 1853 rcu_read_lock(); 1854 1855 if (entry->action & MEASURE) 1856 seq_puts(m, pt(Opt_measure)); 1857 if (entry->action & DONT_MEASURE) 1858 seq_puts(m, pt(Opt_dont_measure)); 1859 if (entry->action & APPRAISE) 1860 seq_puts(m, pt(Opt_appraise)); 1861 if (entry->action & DONT_APPRAISE) 1862 seq_puts(m, pt(Opt_dont_appraise)); 1863 if (entry->action & AUDIT) 1864 seq_puts(m, pt(Opt_audit)); 1865 if (entry->action & HASH) 1866 seq_puts(m, pt(Opt_hash)); 1867 if (entry->action & DONT_HASH) 1868 seq_puts(m, pt(Opt_dont_hash)); 1869 1870 seq_puts(m, " "); 1871 1872 if (entry->flags & IMA_FUNC) 1873 policy_func_show(m, entry->func); 1874 1875 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1876 if (entry->flags & IMA_MASK) 1877 offset = 1; 1878 if (entry->mask & MAY_EXEC) 1879 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1880 if (entry->mask & MAY_WRITE) 1881 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1882 if (entry->mask & MAY_READ) 1883 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1884 if (entry->mask & MAY_APPEND) 1885 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1886 seq_puts(m, " "); 1887 } 1888 1889 if (entry->flags & IMA_FSMAGIC) { 1890 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1891 seq_printf(m, pt(Opt_fsmagic), tbuf); 1892 seq_puts(m, " "); 1893 } 1894 1895 if (entry->flags & IMA_FSNAME) { 1896 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1897 seq_printf(m, pt(Opt_fsname), tbuf); 1898 seq_puts(m, " "); 1899 } 1900 1901 if (entry->flags & IMA_KEYRINGS) { 1902 seq_puts(m, "keyrings="); 1903 ima_show_rule_opt_list(m, entry->keyrings); 1904 seq_puts(m, " "); 1905 } 1906 1907 if (entry->flags & IMA_LABEL) { 1908 seq_puts(m, "label="); 1909 ima_show_rule_opt_list(m, entry->label); 1910 seq_puts(m, " "); 1911 } 1912 1913 if (entry->flags & IMA_PCR) { 1914 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1915 seq_printf(m, pt(Opt_pcr), tbuf); 1916 seq_puts(m, " "); 1917 } 1918 1919 if (entry->flags & IMA_FSUUID) { 1920 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1921 seq_puts(m, " "); 1922 } 1923 1924 if (entry->flags & IMA_UID) { 1925 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1926 if (entry->uid_op == &uid_gt) 1927 seq_printf(m, pt(Opt_uid_gt), tbuf); 1928 else if (entry->uid_op == &uid_lt) 1929 seq_printf(m, pt(Opt_uid_lt), tbuf); 1930 else 1931 seq_printf(m, pt(Opt_uid_eq), tbuf); 1932 seq_puts(m, " "); 1933 } 1934 1935 if (entry->flags & IMA_EUID) { 1936 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1937 if (entry->uid_op == &uid_gt) 1938 seq_printf(m, pt(Opt_euid_gt), tbuf); 1939 else if (entry->uid_op == &uid_lt) 1940 seq_printf(m, pt(Opt_euid_lt), tbuf); 1941 else 1942 seq_printf(m, pt(Opt_euid_eq), tbuf); 1943 seq_puts(m, " "); 1944 } 1945 1946 if (entry->flags & IMA_FOWNER) { 1947 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1948 if (entry->fowner_op == &uid_gt) 1949 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1950 else if (entry->fowner_op == &uid_lt) 1951 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1952 else 1953 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1954 seq_puts(m, " "); 1955 } 1956 1957 if (entry->flags & IMA_VALIDATE_ALGOS) { 1958 seq_puts(m, "appraise_algos="); 1959 ima_policy_show_appraise_algos(m, entry->allowed_algos); 1960 seq_puts(m, " "); 1961 } 1962 1963 for (i = 0; i < MAX_LSM_RULES; i++) { 1964 if (entry->lsm[i].rule) { 1965 switch (i) { 1966 case LSM_OBJ_USER: 1967 seq_printf(m, pt(Opt_obj_user), 1968 entry->lsm[i].args_p); 1969 break; 1970 case LSM_OBJ_ROLE: 1971 seq_printf(m, pt(Opt_obj_role), 1972 entry->lsm[i].args_p); 1973 break; 1974 case LSM_OBJ_TYPE: 1975 seq_printf(m, pt(Opt_obj_type), 1976 entry->lsm[i].args_p); 1977 break; 1978 case LSM_SUBJ_USER: 1979 seq_printf(m, pt(Opt_subj_user), 1980 entry->lsm[i].args_p); 1981 break; 1982 case LSM_SUBJ_ROLE: 1983 seq_printf(m, pt(Opt_subj_role), 1984 entry->lsm[i].args_p); 1985 break; 1986 case LSM_SUBJ_TYPE: 1987 seq_printf(m, pt(Opt_subj_type), 1988 entry->lsm[i].args_p); 1989 break; 1990 } 1991 seq_puts(m, " "); 1992 } 1993 } 1994 if (entry->template) 1995 seq_printf(m, "template=%s ", entry->template->name); 1996 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1997 if (entry->flags & IMA_MODSIG_ALLOWED) 1998 seq_puts(m, "appraise_type=imasig|modsig "); 1999 else 2000 seq_puts(m, "appraise_type=imasig "); 2001 } 2002 if (entry->flags & IMA_CHECK_BLACKLIST) 2003 seq_puts(m, "appraise_flag=check_blacklist "); 2004 if (entry->flags & IMA_PERMIT_DIRECTIO) 2005 seq_puts(m, "permit_directio "); 2006 rcu_read_unlock(); 2007 seq_puts(m, "\n"); 2008 return 0; 2009 } 2010 #endif /* CONFIG_IMA_READ_POLICY */ 2011 2012 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 2013 /* 2014 * ima_appraise_signature: whether IMA will appraise a given function using 2015 * an IMA digital signature. This is restricted to cases where the kernel 2016 * has a set of built-in trusted keys in order to avoid an attacker simply 2017 * loading additional keys. 2018 */ 2019 bool ima_appraise_signature(enum kernel_read_file_id id) 2020 { 2021 struct ima_rule_entry *entry; 2022 bool found = false; 2023 enum ima_hooks func; 2024 struct list_head *ima_rules_tmp; 2025 2026 if (id >= READING_MAX_ID) 2027 return false; 2028 2029 func = read_idmap[id] ?: FILE_CHECK; 2030 2031 rcu_read_lock(); 2032 ima_rules_tmp = rcu_dereference(ima_rules); 2033 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { 2034 if (entry->action != APPRAISE) 2035 continue; 2036 2037 /* 2038 * A generic entry will match, but otherwise require that it 2039 * match the func we're looking for 2040 */ 2041 if (entry->func && entry->func != func) 2042 continue; 2043 2044 /* 2045 * We require this to be a digital signature, not a raw IMA 2046 * hash. 2047 */ 2048 if (entry->flags & IMA_DIGSIG_REQUIRED) 2049 found = true; 2050 2051 /* 2052 * We've found a rule that matches, so break now even if it 2053 * didn't require a digital signature - a later rule that does 2054 * won't override it, so would be a false positive. 2055 */ 2056 break; 2057 } 2058 2059 rcu_read_unlock(); 2060 return found; 2061 } 2062 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 2063