xref: /linux/security/ipe/policy_parser.c (revision 9ac45d4628dec6d78b17846115f6df6c1d1de69e)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
4  */
5 
6 #include <linux/err.h>
7 #include <linux/slab.h>
8 #include <linux/parser.h>
9 #include <linux/types.h>
10 #include <linux/ctype.h>
11 
12 #include "policy.h"
13 #include "policy_parser.h"
14 #include "digest.h"
15 
16 #define START_COMMENT	'#'
17 #define IPE_POLICY_DELIM " \t"
18 #define IPE_LINE_DELIM "\n\r"
19 
20 /**
21  * new_parsed_policy() - Allocate and initialize a parsed policy.
22  *
23  * Return:
24  * * a pointer to the ipe_parsed_policy structure	- Success
25  * * %-ENOMEM						- Out of memory (OOM)
26  */
27 static struct ipe_parsed_policy *new_parsed_policy(void)
28 {
29 	struct ipe_parsed_policy *p = NULL;
30 	struct ipe_op_table *t = NULL;
31 	size_t i = 0;
32 
33 	p = kzalloc(sizeof(*p), GFP_KERNEL);
34 	if (!p)
35 		return ERR_PTR(-ENOMEM);
36 
37 	p->global_default_action = IPE_ACTION_INVALID;
38 
39 	for (i = 0; i < ARRAY_SIZE(p->rules); ++i) {
40 		t = &p->rules[i];
41 
42 		t->default_action = IPE_ACTION_INVALID;
43 		INIT_LIST_HEAD(&t->rules);
44 	}
45 
46 	return p;
47 }
48 
49 /**
50  * remove_comment() - Truncate all chars following START_COMMENT in a string.
51  *
52  * @line: Supplies a policy line string for preprocessing.
53  */
54 static void remove_comment(char *line)
55 {
56 	line = strchr(line, START_COMMENT);
57 
58 	if (line)
59 		*line = '\0';
60 }
61 
62 /**
63  * remove_trailing_spaces() - Truncate all trailing spaces in a string.
64  *
65  * @line: Supplies a policy line string for preprocessing.
66  *
67  * Return: The length of truncated string.
68  */
69 static size_t remove_trailing_spaces(char *line)
70 {
71 	size_t i = 0;
72 
73 	i = strlen(line);
74 	while (i > 0 && isspace(line[i - 1]))
75 		i--;
76 
77 	line[i] = '\0';
78 
79 	return i;
80 }
81 
82 /**
83  * parse_version() - Parse policy version.
84  * @ver: Supplies a version string to be parsed.
85  * @p: Supplies the partial parsed policy.
86  *
87  * Return:
88  * * %0		- Success
89  * * %-EBADMSG	- Version string is invalid
90  * * %-ERANGE	- Version number overflow
91  * * %-EINVAL	- Parsing error
92  */
93 static int parse_version(char *ver, struct ipe_parsed_policy *p)
94 {
95 	u16 *const cv[] = { &p->version.major, &p->version.minor, &p->version.rev };
96 	size_t sep_count = 0;
97 	char *token;
98 	int rc = 0;
99 
100 	while ((token = strsep(&ver, ".")) != NULL) {
101 		/* prevent overflow */
102 		if (sep_count >= ARRAY_SIZE(cv))
103 			return -EBADMSG;
104 
105 		rc = kstrtou16(token, 10, cv[sep_count]);
106 		if (rc)
107 			return rc;
108 
109 		++sep_count;
110 	}
111 
112 	/* prevent underflow */
113 	if (sep_count != ARRAY_SIZE(cv))
114 		return -EBADMSG;
115 
116 	return 0;
117 }
118 
119 enum header_opt {
120 	IPE_HEADER_POLICY_NAME = 0,
121 	IPE_HEADER_POLICY_VERSION,
122 	__IPE_HEADER_MAX
123 };
124 
125 static const match_table_t header_tokens = {
126 	{IPE_HEADER_POLICY_NAME,	"policy_name=%s"},
127 	{IPE_HEADER_POLICY_VERSION,	"policy_version=%s"},
128 	{__IPE_HEADER_MAX,		NULL}
129 };
130 
131 /**
132  * parse_header() - Parse policy header information.
133  * @line: Supplies header line to be parsed.
134  * @p: Supplies the partial parsed policy.
135  *
136  * Return:
137  * * %0		- Success
138  * * %-EBADMSG	- Header string is invalid
139  * * %-ENOMEM	- Out of memory (OOM)
140  * * %-ERANGE	- Version number overflow
141  * * %-EINVAL	- Version parsing error
142  */
143 static int parse_header(char *line, struct ipe_parsed_policy *p)
144 {
145 	substring_t args[MAX_OPT_ARGS];
146 	char *t, *ver = NULL;
147 	size_t idx = 0;
148 	int rc = 0;
149 
150 	while ((t = strsep(&line, IPE_POLICY_DELIM)) != NULL) {
151 		int token;
152 
153 		if (*t == '\0')
154 			continue;
155 		if (idx >= __IPE_HEADER_MAX) {
156 			rc = -EBADMSG;
157 			goto out;
158 		}
159 
160 		token = match_token(t, header_tokens, args);
161 		if (token != idx) {
162 			rc = -EBADMSG;
163 			goto out;
164 		}
165 
166 		switch (token) {
167 		case IPE_HEADER_POLICY_NAME:
168 			p->name = match_strdup(&args[0]);
169 			if (!p->name)
170 				rc = -ENOMEM;
171 			break;
172 		case IPE_HEADER_POLICY_VERSION:
173 			ver = match_strdup(&args[0]);
174 			if (!ver) {
175 				rc = -ENOMEM;
176 				break;
177 			}
178 			rc = parse_version(ver, p);
179 			break;
180 		default:
181 			rc = -EBADMSG;
182 		}
183 		if (rc)
184 			goto out;
185 		++idx;
186 	}
187 
188 	if (idx != __IPE_HEADER_MAX)
189 		rc = -EBADMSG;
190 
191 out:
192 	kfree(ver);
193 	return rc;
194 }
195 
196 /**
197  * token_default() - Determine if the given token is "DEFAULT".
198  * @token: Supplies the token string to be compared.
199  *
200  * Return:
201  * * %false	- The token is not "DEFAULT"
202  * * %true	- The token is "DEFAULT"
203  */
204 static bool token_default(char *token)
205 {
206 	return !strcmp(token, "DEFAULT");
207 }
208 
209 /**
210  * free_rule() - Free the supplied ipe_rule struct.
211  * @r: Supplies the ipe_rule struct to be freed.
212  *
213  * Free a ipe_rule struct @r. Note @r must be removed from any lists before
214  * calling this function.
215  */
216 static void free_rule(struct ipe_rule *r)
217 {
218 	struct ipe_prop *p, *t;
219 
220 	if (IS_ERR_OR_NULL(r))
221 		return;
222 
223 	list_for_each_entry_safe(p, t, &r->props, next) {
224 		list_del(&p->next);
225 		ipe_digest_free(p->value);
226 		kfree(p);
227 	}
228 
229 	kfree(r);
230 }
231 
232 static const match_table_t operation_tokens = {
233 	{IPE_OP_EXEC,			"op=EXECUTE"},
234 	{IPE_OP_FIRMWARE,		"op=FIRMWARE"},
235 	{IPE_OP_KERNEL_MODULE,		"op=KMODULE"},
236 	{IPE_OP_KEXEC_IMAGE,		"op=KEXEC_IMAGE"},
237 	{IPE_OP_KEXEC_INITRAMFS,	"op=KEXEC_INITRAMFS"},
238 	{IPE_OP_POLICY,			"op=POLICY"},
239 	{IPE_OP_X509,			"op=X509_CERT"},
240 	{IPE_OP_INVALID,		NULL}
241 };
242 
243 /**
244  * parse_operation() - Parse the operation type given a token string.
245  * @t: Supplies the token string to be parsed.
246  *
247  * Return: The parsed operation type.
248  */
249 static enum ipe_op_type parse_operation(char *t)
250 {
251 	substring_t args[MAX_OPT_ARGS];
252 
253 	return match_token(t, operation_tokens, args);
254 }
255 
256 static const match_table_t action_tokens = {
257 	{IPE_ACTION_ALLOW,	"action=ALLOW"},
258 	{IPE_ACTION_DENY,	"action=DENY"},
259 	{IPE_ACTION_INVALID,	NULL}
260 };
261 
262 /**
263  * parse_action() - Parse the action type given a token string.
264  * @t: Supplies the token string to be parsed.
265  *
266  * Return: The parsed action type.
267  */
268 static enum ipe_action_type parse_action(char *t)
269 {
270 	substring_t args[MAX_OPT_ARGS];
271 
272 	return match_token(t, action_tokens, args);
273 }
274 
275 static const match_table_t property_tokens = {
276 	{IPE_PROP_BOOT_VERIFIED_FALSE,	"boot_verified=FALSE"},
277 	{IPE_PROP_BOOT_VERIFIED_TRUE,	"boot_verified=TRUE"},
278 	{IPE_PROP_DMV_ROOTHASH,		"dmverity_roothash=%s"},
279 	{IPE_PROP_DMV_SIG_FALSE,	"dmverity_signature=FALSE"},
280 	{IPE_PROP_DMV_SIG_TRUE,		"dmverity_signature=TRUE"},
281 	{IPE_PROP_FSV_DIGEST,		"fsverity_digest=%s"},
282 	{IPE_PROP_FSV_SIG_FALSE,	"fsverity_signature=FALSE"},
283 	{IPE_PROP_FSV_SIG_TRUE,		"fsverity_signature=TRUE"},
284 	{IPE_PROP_INVALID,		NULL}
285 };
286 
287 /**
288  * parse_property() - Parse a rule property given a token string.
289  * @t: Supplies the token string to be parsed.
290  * @r: Supplies the ipe_rule the parsed property will be associated with.
291  *
292  * This function parses and associates a property with an IPE rule based
293  * on a token string.
294  *
295  * Return:
296  * * %0		- Success
297  * * %-ENOMEM	- Out of memory (OOM)
298  * * %-EBADMSG	- The supplied token cannot be parsed
299  */
300 static int parse_property(char *t, struct ipe_rule *r)
301 {
302 	substring_t args[MAX_OPT_ARGS];
303 	struct ipe_prop *p = NULL;
304 	int rc = 0;
305 	int token;
306 	char *dup = NULL;
307 
308 	p = kzalloc(sizeof(*p), GFP_KERNEL);
309 	if (!p)
310 		return -ENOMEM;
311 
312 	token = match_token(t, property_tokens, args);
313 
314 	switch (token) {
315 	case IPE_PROP_DMV_ROOTHASH:
316 	case IPE_PROP_FSV_DIGEST:
317 		dup = match_strdup(&args[0]);
318 		if (!dup) {
319 			rc = -ENOMEM;
320 			goto err;
321 		}
322 		p->value = ipe_digest_parse(dup);
323 		if (IS_ERR(p->value)) {
324 			rc = PTR_ERR(p->value);
325 			goto err;
326 		}
327 		fallthrough;
328 	case IPE_PROP_BOOT_VERIFIED_FALSE:
329 	case IPE_PROP_BOOT_VERIFIED_TRUE:
330 	case IPE_PROP_DMV_SIG_FALSE:
331 	case IPE_PROP_DMV_SIG_TRUE:
332 	case IPE_PROP_FSV_SIG_FALSE:
333 	case IPE_PROP_FSV_SIG_TRUE:
334 		p->type = token;
335 		break;
336 	default:
337 		rc = -EBADMSG;
338 		break;
339 	}
340 	if (rc)
341 		goto err;
342 	list_add_tail(&p->next, &r->props);
343 
344 out:
345 	kfree(dup);
346 	return rc;
347 err:
348 	kfree(p);
349 	goto out;
350 }
351 
352 /**
353  * parse_rule() - parse a policy rule line.
354  * @line: Supplies rule line to be parsed.
355  * @p: Supplies the partial parsed policy.
356  *
357  * Return:
358  * * 0		- Success
359  * * %-ENOMEM	- Out of memory (OOM)
360  * * %-EBADMSG	- Policy syntax error
361  */
362 static int parse_rule(char *line, struct ipe_parsed_policy *p)
363 {
364 	enum ipe_action_type action = IPE_ACTION_INVALID;
365 	enum ipe_op_type op = IPE_OP_INVALID;
366 	bool is_default_rule = false;
367 	struct ipe_rule *r = NULL;
368 	bool first_token = true;
369 	bool op_parsed = false;
370 	int rc = 0;
371 	char *t;
372 
373 	if (IS_ERR_OR_NULL(line))
374 		return -EBADMSG;
375 
376 	r = kzalloc(sizeof(*r), GFP_KERNEL);
377 	if (!r)
378 		return -ENOMEM;
379 
380 	INIT_LIST_HEAD(&r->next);
381 	INIT_LIST_HEAD(&r->props);
382 
383 	while (t = strsep(&line, IPE_POLICY_DELIM), line) {
384 		if (*t == '\0')
385 			continue;
386 		if (first_token && token_default(t)) {
387 			is_default_rule = true;
388 		} else {
389 			if (!op_parsed) {
390 				op = parse_operation(t);
391 				if (op == IPE_OP_INVALID)
392 					rc = -EBADMSG;
393 				else
394 					op_parsed = true;
395 			} else {
396 				rc = parse_property(t, r);
397 			}
398 		}
399 
400 		if (rc)
401 			goto err;
402 		first_token = false;
403 	}
404 
405 	action = parse_action(t);
406 	if (action == IPE_ACTION_INVALID) {
407 		rc = -EBADMSG;
408 		goto err;
409 	}
410 
411 	if (is_default_rule) {
412 		if (!list_empty(&r->props)) {
413 			rc = -EBADMSG;
414 		} else if (op == IPE_OP_INVALID) {
415 			if (p->global_default_action != IPE_ACTION_INVALID)
416 				rc = -EBADMSG;
417 			else
418 				p->global_default_action = action;
419 		} else {
420 			if (p->rules[op].default_action != IPE_ACTION_INVALID)
421 				rc = -EBADMSG;
422 			else
423 				p->rules[op].default_action = action;
424 		}
425 	} else if (op != IPE_OP_INVALID && action != IPE_ACTION_INVALID) {
426 		r->op = op;
427 		r->action = action;
428 	} else {
429 		rc = -EBADMSG;
430 	}
431 
432 	if (rc)
433 		goto err;
434 	if (!is_default_rule)
435 		list_add_tail(&r->next, &p->rules[op].rules);
436 	else
437 		free_rule(r);
438 
439 	return rc;
440 err:
441 	free_rule(r);
442 	return rc;
443 }
444 
445 /**
446  * ipe_free_parsed_policy() - free a parsed policy structure.
447  * @p: Supplies the parsed policy.
448  */
449 void ipe_free_parsed_policy(struct ipe_parsed_policy *p)
450 {
451 	struct ipe_rule *pp, *t;
452 	size_t i = 0;
453 
454 	if (IS_ERR_OR_NULL(p))
455 		return;
456 
457 	for (i = 0; i < ARRAY_SIZE(p->rules); ++i)
458 		list_for_each_entry_safe(pp, t, &p->rules[i].rules, next) {
459 			list_del(&pp->next);
460 			free_rule(pp);
461 		}
462 
463 	kfree(p->name);
464 	kfree(p);
465 }
466 
467 /**
468  * validate_policy() - validate a parsed policy.
469  * @p: Supplies the fully parsed policy.
470  *
471  * Given a policy structure that was just parsed, validate that all
472  * operations have their default rules or a global default rule is set.
473  *
474  * Return:
475  * * %0		- Success
476  * * %-EBADMSG	- Policy is invalid
477  */
478 static int validate_policy(const struct ipe_parsed_policy *p)
479 {
480 	size_t i = 0;
481 
482 	if (p->global_default_action != IPE_ACTION_INVALID)
483 		return 0;
484 
485 	for (i = 0; i < ARRAY_SIZE(p->rules); ++i) {
486 		if (p->rules[i].default_action == IPE_ACTION_INVALID)
487 			return -EBADMSG;
488 	}
489 
490 	return 0;
491 }
492 
493 /**
494  * ipe_parse_policy() - Given a string, parse the string into an IPE policy.
495  * @p: partially filled ipe_policy structure to populate with the result.
496  *     it must have text and textlen set.
497  *
498  * Return:
499  * * %0		- Success
500  * * %-EBADMSG	- Policy is invalid
501  * * %-ENOMEM	- Out of Memory
502  * * %-ERANGE	- Policy version number overflow
503  * * %-EINVAL	- Policy version parsing error
504  */
505 int ipe_parse_policy(struct ipe_policy *p)
506 {
507 	struct ipe_parsed_policy *pp = NULL;
508 	char *policy = NULL, *dup = NULL;
509 	bool header_parsed = false;
510 	char *line = NULL;
511 	size_t len;
512 	int rc = 0;
513 
514 	if (!p->textlen)
515 		return -EBADMSG;
516 
517 	policy = kmemdup_nul(p->text, p->textlen, GFP_KERNEL);
518 	if (!policy)
519 		return -ENOMEM;
520 	dup = policy;
521 
522 	pp = new_parsed_policy();
523 	if (IS_ERR(pp)) {
524 		rc = PTR_ERR(pp);
525 		goto out;
526 	}
527 
528 	while ((line = strsep(&policy, IPE_LINE_DELIM)) != NULL) {
529 		remove_comment(line);
530 		len = remove_trailing_spaces(line);
531 		if (!len)
532 			continue;
533 
534 		if (!header_parsed) {
535 			rc = parse_header(line, pp);
536 			if (rc)
537 				goto err;
538 			header_parsed = true;
539 		} else {
540 			rc = parse_rule(line, pp);
541 			if (rc)
542 				goto err;
543 		}
544 	}
545 
546 	if (!header_parsed || validate_policy(pp)) {
547 		rc = -EBADMSG;
548 		goto err;
549 	}
550 
551 	p->parsed = pp;
552 
553 out:
554 	kfree(dup);
555 	return rc;
556 err:
557 	ipe_free_parsed_policy(pp);
558 	goto out;
559 }
560