1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 11 12 #include <linux/init.h> 13 #include <linux/list.h> 14 #include <linux/fs.h> 15 #include <linux/security.h> 16 #include <linux/magic.h> 17 #include <linux/parser.h> 18 #include <linux/slab.h> 19 #include <linux/rculist.h> 20 #include <linux/genhd.h> 21 #include <linux/seq_file.h> 22 #include <linux/ima.h> 23 24 #include "ima.h" 25 26 /* flags definitions */ 27 #define IMA_FUNC 0x0001 28 #define IMA_MASK 0x0002 29 #define IMA_FSMAGIC 0x0004 30 #define IMA_UID 0x0008 31 #define IMA_FOWNER 0x0010 32 #define IMA_FSUUID 0x0020 33 #define IMA_INMASK 0x0040 34 #define IMA_EUID 0x0080 35 #define IMA_PCR 0x0100 36 #define IMA_FSNAME 0x0200 37 38 #define UNKNOWN 0 39 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 40 #define DONT_MEASURE 0x0002 41 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 42 #define DONT_APPRAISE 0x0008 43 #define AUDIT 0x0040 44 #define HASH 0x0100 45 #define DONT_HASH 0x0200 46 47 #define INVALID_PCR(a) (((a) < 0) || \ 48 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 49 50 int ima_policy_flag; 51 static int temp_ima_appraise; 52 static int build_ima_appraise __ro_after_init; 53 54 #define MAX_LSM_RULES 6 55 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 56 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 57 }; 58 59 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 60 61 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 62 63 struct ima_rule_entry { 64 struct list_head list; 65 int action; 66 unsigned int flags; 67 enum ima_hooks func; 68 int mask; 69 unsigned long fsmagic; 70 uuid_t fsuuid; 71 kuid_t uid; 72 kuid_t fowner; 73 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 74 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 75 int pcr; 76 struct { 77 void *rule; /* LSM file metadata specific */ 78 void *args_p; /* audit value */ 79 int type; /* audit type */ 80 } lsm[MAX_LSM_RULES]; 81 char *fsname; 82 struct ima_template_desc *template; 83 }; 84 85 /* 86 * Without LSM specific knowledge, the default policy can only be 87 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 88 */ 89 90 /* 91 * The minimum rule set to allow for full TCB coverage. Measures all files 92 * opened or mmap for exec and everything read by root. Dangerous because 93 * normal users can easily run the machine out of memory simply building 94 * and running executables. 95 */ 96 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 97 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 98 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 99 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 100 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 101 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 102 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 103 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 104 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 105 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 106 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 107 .flags = IMA_FSMAGIC}, 108 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 109 .flags = IMA_FSMAGIC}, 110 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 111 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 112 }; 113 114 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 115 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 116 .flags = IMA_FUNC | IMA_MASK}, 117 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 118 .flags = IMA_FUNC | IMA_MASK}, 119 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 120 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 121 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 122 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 123 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 124 }; 125 126 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 127 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 128 .flags = IMA_FUNC | IMA_MASK}, 129 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 130 .flags = IMA_FUNC | IMA_MASK}, 131 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 132 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 133 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 134 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 135 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 136 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 137 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 138 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 139 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 140 }; 141 142 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 143 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 144 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 145 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 146 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 147 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 148 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 149 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 157 #ifdef CONFIG_IMA_WRITE_POLICY 158 {.action = APPRAISE, .func = POLICY_CHECK, 159 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 160 #endif 161 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 162 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 163 .flags = IMA_FOWNER}, 164 #else 165 /* force signature */ 166 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 167 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 168 #endif 169 }; 170 171 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 173 {.action = APPRAISE, .func = MODULE_CHECK, 174 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 175 #endif 176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 177 {.action = APPRAISE, .func = FIRMWARE_CHECK, 178 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 179 #endif 180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 181 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 182 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 183 #endif 184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 185 {.action = APPRAISE, .func = POLICY_CHECK, 186 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 187 #endif 188 }; 189 190 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 191 {.action = APPRAISE, .func = MODULE_CHECK, 192 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 193 {.action = APPRAISE, .func = FIRMWARE_CHECK, 194 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 195 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 196 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 197 {.action = APPRAISE, .func = POLICY_CHECK, 198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 199 }; 200 201 /* An array of architecture specific rules */ 202 static struct ima_rule_entry *arch_policy_entry __ro_after_init; 203 204 static LIST_HEAD(ima_default_rules); 205 static LIST_HEAD(ima_policy_rules); 206 static LIST_HEAD(ima_temp_rules); 207 static struct list_head *ima_rules; 208 209 static int ima_policy __initdata; 210 211 static int __init default_measure_policy_setup(char *str) 212 { 213 if (ima_policy) 214 return 1; 215 216 ima_policy = ORIGINAL_TCB; 217 return 1; 218 } 219 __setup("ima_tcb", default_measure_policy_setup); 220 221 static bool ima_use_appraise_tcb __initdata; 222 static bool ima_use_secure_boot __initdata; 223 static bool ima_fail_unverifiable_sigs __ro_after_init; 224 static int __init policy_setup(char *str) 225 { 226 char *p; 227 228 while ((p = strsep(&str, " |\n")) != NULL) { 229 if (*p == ' ') 230 continue; 231 if ((strcmp(p, "tcb") == 0) && !ima_policy) 232 ima_policy = DEFAULT_TCB; 233 else if (strcmp(p, "appraise_tcb") == 0) 234 ima_use_appraise_tcb = true; 235 else if (strcmp(p, "secure_boot") == 0) 236 ima_use_secure_boot = true; 237 else if (strcmp(p, "fail_securely") == 0) 238 ima_fail_unverifiable_sigs = true; 239 } 240 241 return 1; 242 } 243 __setup("ima_policy=", policy_setup); 244 245 static int __init default_appraise_policy_setup(char *str) 246 { 247 ima_use_appraise_tcb = true; 248 return 1; 249 } 250 __setup("ima_appraise_tcb", default_appraise_policy_setup); 251 252 static void ima_lsm_free_rule(struct ima_rule_entry *entry) 253 { 254 int i; 255 256 for (i = 0; i < MAX_LSM_RULES; i++) { 257 kfree(entry->lsm[i].rule); 258 kfree(entry->lsm[i].args_p); 259 } 260 kfree(entry); 261 } 262 263 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 264 { 265 struct ima_rule_entry *nentry; 266 int i, result; 267 268 nentry = kmalloc(sizeof(*nentry), GFP_KERNEL); 269 if (!nentry) 270 return NULL; 271 272 /* 273 * Immutable elements are copied over as pointers and data; only 274 * lsm rules can change 275 */ 276 memcpy(nentry, entry, sizeof(*nentry)); 277 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 278 279 for (i = 0; i < MAX_LSM_RULES; i++) { 280 if (!entry->lsm[i].rule) 281 continue; 282 283 nentry->lsm[i].type = entry->lsm[i].type; 284 nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p, 285 GFP_KERNEL); 286 if (!nentry->lsm[i].args_p) 287 goto out_err; 288 289 result = security_filter_rule_init(nentry->lsm[i].type, 290 Audit_equal, 291 nentry->lsm[i].args_p, 292 &nentry->lsm[i].rule); 293 if (result == -EINVAL) 294 pr_warn("ima: rule for LSM \'%d\' is undefined\n", 295 entry->lsm[i].type); 296 } 297 return nentry; 298 299 out_err: 300 ima_lsm_free_rule(nentry); 301 return NULL; 302 } 303 304 static int ima_lsm_update_rule(struct ima_rule_entry *entry) 305 { 306 struct ima_rule_entry *nentry; 307 308 nentry = ima_lsm_copy_rule(entry); 309 if (!nentry) 310 return -ENOMEM; 311 312 list_replace_rcu(&entry->list, &nentry->list); 313 synchronize_rcu(); 314 ima_lsm_free_rule(entry); 315 316 return 0; 317 } 318 319 /* 320 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 321 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 322 * the reloaded LSM policy. 323 */ 324 static void ima_lsm_update_rules(void) 325 { 326 struct ima_rule_entry *entry, *e; 327 int i, result, needs_update; 328 329 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 330 needs_update = 0; 331 for (i = 0; i < MAX_LSM_RULES; i++) { 332 if (entry->lsm[i].rule) { 333 needs_update = 1; 334 break; 335 } 336 } 337 if (!needs_update) 338 continue; 339 340 result = ima_lsm_update_rule(entry); 341 if (result) { 342 pr_err("ima: lsm rule update error %d\n", 343 result); 344 return; 345 } 346 } 347 } 348 349 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 350 void *lsm_data) 351 { 352 if (event != LSM_POLICY_CHANGE) 353 return NOTIFY_DONE; 354 355 ima_lsm_update_rules(); 356 return NOTIFY_OK; 357 } 358 359 /** 360 * ima_match_rules - determine whether an inode matches the measure rule. 361 * @rule: a pointer to a rule 362 * @inode: a pointer to an inode 363 * @cred: a pointer to a credentials structure for user validation 364 * @secid: the secid of the task to be validated 365 * @func: LIM hook identifier 366 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 367 * 368 * Returns true on rule match, false on failure. 369 */ 370 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, 371 const struct cred *cred, u32 secid, 372 enum ima_hooks func, int mask) 373 { 374 int i; 375 376 if (func == KEXEC_CMDLINE) { 377 if ((rule->flags & IMA_FUNC) && (rule->func == func)) 378 return true; 379 return false; 380 } 381 if ((rule->flags & IMA_FUNC) && 382 (rule->func != func && func != POST_SETATTR)) 383 return false; 384 if ((rule->flags & IMA_MASK) && 385 (rule->mask != mask && func != POST_SETATTR)) 386 return false; 387 if ((rule->flags & IMA_INMASK) && 388 (!(rule->mask & mask) && func != POST_SETATTR)) 389 return false; 390 if ((rule->flags & IMA_FSMAGIC) 391 && rule->fsmagic != inode->i_sb->s_magic) 392 return false; 393 if ((rule->flags & IMA_FSNAME) 394 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 395 return false; 396 if ((rule->flags & IMA_FSUUID) && 397 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 398 return false; 399 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 400 return false; 401 if (rule->flags & IMA_EUID) { 402 if (has_capability_noaudit(current, CAP_SETUID)) { 403 if (!rule->uid_op(cred->euid, rule->uid) 404 && !rule->uid_op(cred->suid, rule->uid) 405 && !rule->uid_op(cred->uid, rule->uid)) 406 return false; 407 } else if (!rule->uid_op(cred->euid, rule->uid)) 408 return false; 409 } 410 411 if ((rule->flags & IMA_FOWNER) && 412 !rule->fowner_op(inode->i_uid, rule->fowner)) 413 return false; 414 for (i = 0; i < MAX_LSM_RULES; i++) { 415 int rc = 0; 416 u32 osid; 417 418 if (!rule->lsm[i].rule) 419 continue; 420 421 switch (i) { 422 case LSM_OBJ_USER: 423 case LSM_OBJ_ROLE: 424 case LSM_OBJ_TYPE: 425 security_inode_getsecid(inode, &osid); 426 rc = security_filter_rule_match(osid, 427 rule->lsm[i].type, 428 Audit_equal, 429 rule->lsm[i].rule); 430 break; 431 case LSM_SUBJ_USER: 432 case LSM_SUBJ_ROLE: 433 case LSM_SUBJ_TYPE: 434 rc = security_filter_rule_match(secid, 435 rule->lsm[i].type, 436 Audit_equal, 437 rule->lsm[i].rule); 438 default: 439 break; 440 } 441 if (!rc) 442 return false; 443 } 444 return true; 445 } 446 447 /* 448 * In addition to knowing that we need to appraise the file in general, 449 * we need to differentiate between calling hooks, for hook specific rules. 450 */ 451 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 452 { 453 if (!(rule->flags & IMA_FUNC)) 454 return IMA_FILE_APPRAISE; 455 456 switch (func) { 457 case MMAP_CHECK: 458 return IMA_MMAP_APPRAISE; 459 case BPRM_CHECK: 460 return IMA_BPRM_APPRAISE; 461 case CREDS_CHECK: 462 return IMA_CREDS_APPRAISE; 463 case FILE_CHECK: 464 case POST_SETATTR: 465 return IMA_FILE_APPRAISE; 466 case MODULE_CHECK ... MAX_CHECK - 1: 467 default: 468 return IMA_READ_APPRAISE; 469 } 470 } 471 472 /** 473 * ima_match_policy - decision based on LSM and other conditions 474 * @inode: pointer to an inode for which the policy decision is being made 475 * @cred: pointer to a credentials structure for which the policy decision is 476 * being made 477 * @secid: LSM secid of the task to be validated 478 * @func: IMA hook identifier 479 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 480 * @pcr: set the pcr to extend 481 * @template_desc: the template that should be used for this rule 482 * 483 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 484 * conditions. 485 * 486 * Since the IMA policy may be updated multiple times we need to lock the 487 * list when walking it. Reads are many orders of magnitude more numerous 488 * than writes so ima_match_policy() is classical RCU candidate. 489 */ 490 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 491 enum ima_hooks func, int mask, int flags, int *pcr, 492 struct ima_template_desc **template_desc) 493 { 494 struct ima_rule_entry *entry; 495 int action = 0, actmask = flags | (flags << 1); 496 497 if (template_desc) 498 *template_desc = ima_template_desc_current(); 499 500 rcu_read_lock(); 501 list_for_each_entry_rcu(entry, ima_rules, list) { 502 503 if (!(entry->action & actmask)) 504 continue; 505 506 if (!ima_match_rules(entry, inode, cred, secid, func, mask)) 507 continue; 508 509 action |= entry->flags & IMA_ACTION_FLAGS; 510 511 action |= entry->action & IMA_DO_MASK; 512 if (entry->action & IMA_APPRAISE) { 513 action |= get_subaction(entry, func); 514 action &= ~IMA_HASH; 515 if (ima_fail_unverifiable_sigs) 516 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 517 } 518 519 520 if (entry->action & IMA_DO_MASK) 521 actmask &= ~(entry->action | entry->action << 1); 522 else 523 actmask &= ~(entry->action | entry->action >> 1); 524 525 if ((pcr) && (entry->flags & IMA_PCR)) 526 *pcr = entry->pcr; 527 528 if (template_desc && entry->template) 529 *template_desc = entry->template; 530 531 if (!actmask) 532 break; 533 } 534 rcu_read_unlock(); 535 536 return action; 537 } 538 539 /* 540 * Initialize the ima_policy_flag variable based on the currently 541 * loaded policy. Based on this flag, the decision to short circuit 542 * out of a function or not call the function in the first place 543 * can be made earlier. 544 */ 545 void ima_update_policy_flag(void) 546 { 547 struct ima_rule_entry *entry; 548 549 list_for_each_entry(entry, ima_rules, list) { 550 if (entry->action & IMA_DO_MASK) 551 ima_policy_flag |= entry->action; 552 } 553 554 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 555 if (!ima_appraise) 556 ima_policy_flag &= ~IMA_APPRAISE; 557 } 558 559 static int ima_appraise_flag(enum ima_hooks func) 560 { 561 if (func == MODULE_CHECK) 562 return IMA_APPRAISE_MODULES; 563 else if (func == FIRMWARE_CHECK) 564 return IMA_APPRAISE_FIRMWARE; 565 else if (func == POLICY_CHECK) 566 return IMA_APPRAISE_POLICY; 567 else if (func == KEXEC_KERNEL_CHECK) 568 return IMA_APPRAISE_KEXEC; 569 return 0; 570 } 571 572 static void add_rules(struct ima_rule_entry *entries, int count, 573 enum policy_rule_list policy_rule) 574 { 575 int i = 0; 576 577 for (i = 0; i < count; i++) { 578 struct ima_rule_entry *entry; 579 580 if (policy_rule & IMA_DEFAULT_POLICY) 581 list_add_tail(&entries[i].list, &ima_default_rules); 582 583 if (policy_rule & IMA_CUSTOM_POLICY) { 584 entry = kmemdup(&entries[i], sizeof(*entry), 585 GFP_KERNEL); 586 if (!entry) 587 continue; 588 589 list_add_tail(&entry->list, &ima_policy_rules); 590 } 591 if (entries[i].action == APPRAISE) { 592 temp_ima_appraise |= ima_appraise_flag(entries[i].func); 593 if (entries[i].func == POLICY_CHECK) 594 temp_ima_appraise |= IMA_APPRAISE_POLICY; 595 } 596 } 597 } 598 599 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 600 601 static int __init ima_init_arch_policy(void) 602 { 603 const char * const *arch_rules; 604 const char * const *rules; 605 int arch_entries = 0; 606 int i = 0; 607 608 arch_rules = arch_get_ima_policy(); 609 if (!arch_rules) 610 return arch_entries; 611 612 /* Get number of rules */ 613 for (rules = arch_rules; *rules != NULL; rules++) 614 arch_entries++; 615 616 arch_policy_entry = kcalloc(arch_entries + 1, 617 sizeof(*arch_policy_entry), GFP_KERNEL); 618 if (!arch_policy_entry) 619 return 0; 620 621 /* Convert each policy string rules to struct ima_rule_entry format */ 622 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 623 char rule[255]; 624 int result; 625 626 result = strlcpy(rule, *rules, sizeof(rule)); 627 628 INIT_LIST_HEAD(&arch_policy_entry[i].list); 629 result = ima_parse_rule(rule, &arch_policy_entry[i]); 630 if (result) { 631 pr_warn("Skipping unknown architecture policy rule: %s\n", 632 rule); 633 memset(&arch_policy_entry[i], 0, 634 sizeof(*arch_policy_entry)); 635 continue; 636 } 637 i++; 638 } 639 return i; 640 } 641 642 /** 643 * ima_init_policy - initialize the default measure rules. 644 * 645 * ima_rules points to either the ima_default_rules or the 646 * the new ima_policy_rules. 647 */ 648 void __init ima_init_policy(void) 649 { 650 int build_appraise_entries, arch_entries; 651 652 /* if !ima_policy, we load NO default rules */ 653 if (ima_policy) 654 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 655 IMA_DEFAULT_POLICY); 656 657 switch (ima_policy) { 658 case ORIGINAL_TCB: 659 add_rules(original_measurement_rules, 660 ARRAY_SIZE(original_measurement_rules), 661 IMA_DEFAULT_POLICY); 662 break; 663 case DEFAULT_TCB: 664 add_rules(default_measurement_rules, 665 ARRAY_SIZE(default_measurement_rules), 666 IMA_DEFAULT_POLICY); 667 default: 668 break; 669 } 670 671 /* 672 * Based on runtime secure boot flags, insert arch specific measurement 673 * and appraise rules requiring file signatures for both the initial 674 * and custom policies, prior to other appraise rules. 675 * (Highest priority) 676 */ 677 arch_entries = ima_init_arch_policy(); 678 if (!arch_entries) 679 pr_info("No architecture policies found\n"); 680 else 681 add_rules(arch_policy_entry, arch_entries, 682 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 683 684 /* 685 * Insert the builtin "secure_boot" policy rules requiring file 686 * signatures, prior to other appraise rules. 687 */ 688 if (ima_use_secure_boot) 689 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 690 IMA_DEFAULT_POLICY); 691 692 /* 693 * Insert the build time appraise rules requiring file signatures 694 * for both the initial and custom policies, prior to other appraise 695 * rules. As the secure boot rules includes all of the build time 696 * rules, include either one or the other set of rules, but not both. 697 */ 698 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 699 if (build_appraise_entries) { 700 if (ima_use_secure_boot) 701 add_rules(build_appraise_rules, build_appraise_entries, 702 IMA_CUSTOM_POLICY); 703 else 704 add_rules(build_appraise_rules, build_appraise_entries, 705 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 706 } 707 708 if (ima_use_appraise_tcb) 709 add_rules(default_appraise_rules, 710 ARRAY_SIZE(default_appraise_rules), 711 IMA_DEFAULT_POLICY); 712 713 ima_rules = &ima_default_rules; 714 ima_update_policy_flag(); 715 } 716 717 /* Make sure we have a valid policy, at least containing some rules. */ 718 int ima_check_policy(void) 719 { 720 if (list_empty(&ima_temp_rules)) 721 return -EINVAL; 722 return 0; 723 } 724 725 /** 726 * ima_update_policy - update default_rules with new measure rules 727 * 728 * Called on file .release to update the default rules with a complete new 729 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 730 * they make a queue. The policy may be updated multiple times and this is the 731 * RCU updater. 732 * 733 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 734 * we switch from the default policy to user defined. 735 */ 736 void ima_update_policy(void) 737 { 738 struct list_head *policy = &ima_policy_rules; 739 740 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 741 742 if (ima_rules != policy) { 743 ima_policy_flag = 0; 744 ima_rules = policy; 745 746 /* 747 * IMA architecture specific policy rules are specified 748 * as strings and converted to an array of ima_entry_rules 749 * on boot. After loading a custom policy, free the 750 * architecture specific rules stored as an array. 751 */ 752 kfree(arch_policy_entry); 753 } 754 ima_update_policy_flag(); 755 } 756 757 /* Keep the enumeration in sync with the policy_tokens! */ 758 enum { 759 Opt_measure, Opt_dont_measure, 760 Opt_appraise, Opt_dont_appraise, 761 Opt_audit, Opt_hash, Opt_dont_hash, 762 Opt_obj_user, Opt_obj_role, Opt_obj_type, 763 Opt_subj_user, Opt_subj_role, Opt_subj_type, 764 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 765 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 766 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 767 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 768 Opt_appraise_type, Opt_appraise_flag, 769 Opt_permit_directio, Opt_pcr, Opt_template, Opt_err 770 }; 771 772 static const match_table_t policy_tokens = { 773 {Opt_measure, "measure"}, 774 {Opt_dont_measure, "dont_measure"}, 775 {Opt_appraise, "appraise"}, 776 {Opt_dont_appraise, "dont_appraise"}, 777 {Opt_audit, "audit"}, 778 {Opt_hash, "hash"}, 779 {Opt_dont_hash, "dont_hash"}, 780 {Opt_obj_user, "obj_user=%s"}, 781 {Opt_obj_role, "obj_role=%s"}, 782 {Opt_obj_type, "obj_type=%s"}, 783 {Opt_subj_user, "subj_user=%s"}, 784 {Opt_subj_role, "subj_role=%s"}, 785 {Opt_subj_type, "subj_type=%s"}, 786 {Opt_func, "func=%s"}, 787 {Opt_mask, "mask=%s"}, 788 {Opt_fsmagic, "fsmagic=%s"}, 789 {Opt_fsname, "fsname=%s"}, 790 {Opt_fsuuid, "fsuuid=%s"}, 791 {Opt_uid_eq, "uid=%s"}, 792 {Opt_euid_eq, "euid=%s"}, 793 {Opt_fowner_eq, "fowner=%s"}, 794 {Opt_uid_gt, "uid>%s"}, 795 {Opt_euid_gt, "euid>%s"}, 796 {Opt_fowner_gt, "fowner>%s"}, 797 {Opt_uid_lt, "uid<%s"}, 798 {Opt_euid_lt, "euid<%s"}, 799 {Opt_fowner_lt, "fowner<%s"}, 800 {Opt_appraise_type, "appraise_type=%s"}, 801 {Opt_appraise_flag, "appraise_flag=%s"}, 802 {Opt_permit_directio, "permit_directio"}, 803 {Opt_pcr, "pcr=%s"}, 804 {Opt_template, "template=%s"}, 805 {Opt_err, NULL} 806 }; 807 808 static int ima_lsm_rule_init(struct ima_rule_entry *entry, 809 substring_t *args, int lsm_rule, int audit_type) 810 { 811 int result; 812 813 if (entry->lsm[lsm_rule].rule) 814 return -EINVAL; 815 816 entry->lsm[lsm_rule].args_p = match_strdup(args); 817 if (!entry->lsm[lsm_rule].args_p) 818 return -ENOMEM; 819 820 entry->lsm[lsm_rule].type = audit_type; 821 result = security_filter_rule_init(entry->lsm[lsm_rule].type, 822 Audit_equal, 823 entry->lsm[lsm_rule].args_p, 824 &entry->lsm[lsm_rule].rule); 825 if (!entry->lsm[lsm_rule].rule) { 826 kfree(entry->lsm[lsm_rule].args_p); 827 return -EINVAL; 828 } 829 830 return result; 831 } 832 833 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 834 bool (*rule_operator)(kuid_t, kuid_t)) 835 { 836 if (!ab) 837 return; 838 839 if (rule_operator == &uid_gt) 840 audit_log_format(ab, "%s>", key); 841 else if (rule_operator == &uid_lt) 842 audit_log_format(ab, "%s<", key); 843 else 844 audit_log_format(ab, "%s=", key); 845 audit_log_format(ab, "%s ", value); 846 } 847 static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 848 { 849 ima_log_string_op(ab, key, value, NULL); 850 } 851 852 /* 853 * Validating the appended signature included in the measurement list requires 854 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 855 * field). Therefore, notify the user if they have the 'modsig' field but not 856 * the 'd-modsig' field in the template. 857 */ 858 static void check_template_modsig(const struct ima_template_desc *template) 859 { 860 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 861 bool has_modsig, has_dmodsig; 862 static bool checked; 863 int i; 864 865 /* We only need to notify the user once. */ 866 if (checked) 867 return; 868 869 has_modsig = has_dmodsig = false; 870 for (i = 0; i < template->num_fields; i++) { 871 if (!strcmp(template->fields[i]->field_id, "modsig")) 872 has_modsig = true; 873 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 874 has_dmodsig = true; 875 } 876 877 if (has_modsig && !has_dmodsig) 878 pr_notice(MSG); 879 880 checked = true; 881 #undef MSG 882 } 883 884 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 885 { 886 struct audit_buffer *ab; 887 char *from; 888 char *p; 889 bool uid_token; 890 struct ima_template_desc *template_desc; 891 int result = 0; 892 893 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 894 AUDIT_INTEGRITY_POLICY_RULE); 895 896 entry->uid = INVALID_UID; 897 entry->fowner = INVALID_UID; 898 entry->uid_op = &uid_eq; 899 entry->fowner_op = &uid_eq; 900 entry->action = UNKNOWN; 901 while ((p = strsep(&rule, " \t")) != NULL) { 902 substring_t args[MAX_OPT_ARGS]; 903 int token; 904 unsigned long lnum; 905 906 if (result < 0) 907 break; 908 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 909 continue; 910 token = match_token(p, policy_tokens, args); 911 switch (token) { 912 case Opt_measure: 913 ima_log_string(ab, "action", "measure"); 914 915 if (entry->action != UNKNOWN) 916 result = -EINVAL; 917 918 entry->action = MEASURE; 919 break; 920 case Opt_dont_measure: 921 ima_log_string(ab, "action", "dont_measure"); 922 923 if (entry->action != UNKNOWN) 924 result = -EINVAL; 925 926 entry->action = DONT_MEASURE; 927 break; 928 case Opt_appraise: 929 ima_log_string(ab, "action", "appraise"); 930 931 if (entry->action != UNKNOWN) 932 result = -EINVAL; 933 934 entry->action = APPRAISE; 935 break; 936 case Opt_dont_appraise: 937 ima_log_string(ab, "action", "dont_appraise"); 938 939 if (entry->action != UNKNOWN) 940 result = -EINVAL; 941 942 entry->action = DONT_APPRAISE; 943 break; 944 case Opt_audit: 945 ima_log_string(ab, "action", "audit"); 946 947 if (entry->action != UNKNOWN) 948 result = -EINVAL; 949 950 entry->action = AUDIT; 951 break; 952 case Opt_hash: 953 ima_log_string(ab, "action", "hash"); 954 955 if (entry->action != UNKNOWN) 956 result = -EINVAL; 957 958 entry->action = HASH; 959 break; 960 case Opt_dont_hash: 961 ima_log_string(ab, "action", "dont_hash"); 962 963 if (entry->action != UNKNOWN) 964 result = -EINVAL; 965 966 entry->action = DONT_HASH; 967 break; 968 case Opt_func: 969 ima_log_string(ab, "func", args[0].from); 970 971 if (entry->func) 972 result = -EINVAL; 973 974 if (strcmp(args[0].from, "FILE_CHECK") == 0) 975 entry->func = FILE_CHECK; 976 /* PATH_CHECK is for backwards compat */ 977 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 978 entry->func = FILE_CHECK; 979 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 980 entry->func = MODULE_CHECK; 981 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 982 entry->func = FIRMWARE_CHECK; 983 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 984 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 985 entry->func = MMAP_CHECK; 986 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 987 entry->func = BPRM_CHECK; 988 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 989 entry->func = CREDS_CHECK; 990 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 991 0) 992 entry->func = KEXEC_KERNEL_CHECK; 993 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 994 == 0) 995 entry->func = KEXEC_INITRAMFS_CHECK; 996 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 997 entry->func = POLICY_CHECK; 998 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 999 entry->func = KEXEC_CMDLINE; 1000 else 1001 result = -EINVAL; 1002 if (!result) 1003 entry->flags |= IMA_FUNC; 1004 break; 1005 case Opt_mask: 1006 ima_log_string(ab, "mask", args[0].from); 1007 1008 if (entry->mask) 1009 result = -EINVAL; 1010 1011 from = args[0].from; 1012 if (*from == '^') 1013 from++; 1014 1015 if ((strcmp(from, "MAY_EXEC")) == 0) 1016 entry->mask = MAY_EXEC; 1017 else if (strcmp(from, "MAY_WRITE") == 0) 1018 entry->mask = MAY_WRITE; 1019 else if (strcmp(from, "MAY_READ") == 0) 1020 entry->mask = MAY_READ; 1021 else if (strcmp(from, "MAY_APPEND") == 0) 1022 entry->mask = MAY_APPEND; 1023 else 1024 result = -EINVAL; 1025 if (!result) 1026 entry->flags |= (*args[0].from == '^') 1027 ? IMA_INMASK : IMA_MASK; 1028 break; 1029 case Opt_fsmagic: 1030 ima_log_string(ab, "fsmagic", args[0].from); 1031 1032 if (entry->fsmagic) { 1033 result = -EINVAL; 1034 break; 1035 } 1036 1037 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1038 if (!result) 1039 entry->flags |= IMA_FSMAGIC; 1040 break; 1041 case Opt_fsname: 1042 ima_log_string(ab, "fsname", args[0].from); 1043 1044 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1045 if (!entry->fsname) { 1046 result = -ENOMEM; 1047 break; 1048 } 1049 result = 0; 1050 entry->flags |= IMA_FSNAME; 1051 break; 1052 case Opt_fsuuid: 1053 ima_log_string(ab, "fsuuid", args[0].from); 1054 1055 if (!uuid_is_null(&entry->fsuuid)) { 1056 result = -EINVAL; 1057 break; 1058 } 1059 1060 result = uuid_parse(args[0].from, &entry->fsuuid); 1061 if (!result) 1062 entry->flags |= IMA_FSUUID; 1063 break; 1064 case Opt_uid_gt: 1065 case Opt_euid_gt: 1066 entry->uid_op = &uid_gt; 1067 /* fall through */ 1068 case Opt_uid_lt: 1069 case Opt_euid_lt: 1070 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1071 entry->uid_op = &uid_lt; 1072 /* fall through */ 1073 case Opt_uid_eq: 1074 case Opt_euid_eq: 1075 uid_token = (token == Opt_uid_eq) || 1076 (token == Opt_uid_gt) || 1077 (token == Opt_uid_lt); 1078 1079 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1080 args[0].from, entry->uid_op); 1081 1082 if (uid_valid(entry->uid)) { 1083 result = -EINVAL; 1084 break; 1085 } 1086 1087 result = kstrtoul(args[0].from, 10, &lnum); 1088 if (!result) { 1089 entry->uid = make_kuid(current_user_ns(), 1090 (uid_t) lnum); 1091 if (!uid_valid(entry->uid) || 1092 (uid_t)lnum != lnum) 1093 result = -EINVAL; 1094 else 1095 entry->flags |= uid_token 1096 ? IMA_UID : IMA_EUID; 1097 } 1098 break; 1099 case Opt_fowner_gt: 1100 entry->fowner_op = &uid_gt; 1101 /* fall through */ 1102 case Opt_fowner_lt: 1103 if (token == Opt_fowner_lt) 1104 entry->fowner_op = &uid_lt; 1105 /* fall through */ 1106 case Opt_fowner_eq: 1107 ima_log_string_op(ab, "fowner", args[0].from, 1108 entry->fowner_op); 1109 1110 if (uid_valid(entry->fowner)) { 1111 result = -EINVAL; 1112 break; 1113 } 1114 1115 result = kstrtoul(args[0].from, 10, &lnum); 1116 if (!result) { 1117 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1118 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1119 result = -EINVAL; 1120 else 1121 entry->flags |= IMA_FOWNER; 1122 } 1123 break; 1124 case Opt_obj_user: 1125 ima_log_string(ab, "obj_user", args[0].from); 1126 result = ima_lsm_rule_init(entry, args, 1127 LSM_OBJ_USER, 1128 AUDIT_OBJ_USER); 1129 break; 1130 case Opt_obj_role: 1131 ima_log_string(ab, "obj_role", args[0].from); 1132 result = ima_lsm_rule_init(entry, args, 1133 LSM_OBJ_ROLE, 1134 AUDIT_OBJ_ROLE); 1135 break; 1136 case Opt_obj_type: 1137 ima_log_string(ab, "obj_type", args[0].from); 1138 result = ima_lsm_rule_init(entry, args, 1139 LSM_OBJ_TYPE, 1140 AUDIT_OBJ_TYPE); 1141 break; 1142 case Opt_subj_user: 1143 ima_log_string(ab, "subj_user", args[0].from); 1144 result = ima_lsm_rule_init(entry, args, 1145 LSM_SUBJ_USER, 1146 AUDIT_SUBJ_USER); 1147 break; 1148 case Opt_subj_role: 1149 ima_log_string(ab, "subj_role", args[0].from); 1150 result = ima_lsm_rule_init(entry, args, 1151 LSM_SUBJ_ROLE, 1152 AUDIT_SUBJ_ROLE); 1153 break; 1154 case Opt_subj_type: 1155 ima_log_string(ab, "subj_type", args[0].from); 1156 result = ima_lsm_rule_init(entry, args, 1157 LSM_SUBJ_TYPE, 1158 AUDIT_SUBJ_TYPE); 1159 break; 1160 case Opt_appraise_type: 1161 if (entry->action != APPRAISE) { 1162 result = -EINVAL; 1163 break; 1164 } 1165 1166 ima_log_string(ab, "appraise_type", args[0].from); 1167 if ((strcmp(args[0].from, "imasig")) == 0) 1168 entry->flags |= IMA_DIGSIG_REQUIRED; 1169 else if (ima_hook_supports_modsig(entry->func) && 1170 strcmp(args[0].from, "imasig|modsig") == 0) 1171 entry->flags |= IMA_DIGSIG_REQUIRED | 1172 IMA_MODSIG_ALLOWED; 1173 else 1174 result = -EINVAL; 1175 break; 1176 case Opt_appraise_flag: 1177 ima_log_string(ab, "appraise_flag", args[0].from); 1178 if (strstr(args[0].from, "blacklist")) 1179 entry->flags |= IMA_CHECK_BLACKLIST; 1180 break; 1181 case Opt_permit_directio: 1182 entry->flags |= IMA_PERMIT_DIRECTIO; 1183 break; 1184 case Opt_pcr: 1185 if (entry->action != MEASURE) { 1186 result = -EINVAL; 1187 break; 1188 } 1189 ima_log_string(ab, "pcr", args[0].from); 1190 1191 result = kstrtoint(args[0].from, 10, &entry->pcr); 1192 if (result || INVALID_PCR(entry->pcr)) 1193 result = -EINVAL; 1194 else 1195 entry->flags |= IMA_PCR; 1196 1197 break; 1198 case Opt_template: 1199 ima_log_string(ab, "template", args[0].from); 1200 if (entry->action != MEASURE) { 1201 result = -EINVAL; 1202 break; 1203 } 1204 template_desc = lookup_template_desc(args[0].from); 1205 if (!template_desc || entry->template) { 1206 result = -EINVAL; 1207 break; 1208 } 1209 1210 /* 1211 * template_desc_init_fields() does nothing if 1212 * the template is already initialised, so 1213 * it's safe to do this unconditionally 1214 */ 1215 template_desc_init_fields(template_desc->fmt, 1216 &(template_desc->fields), 1217 &(template_desc->num_fields)); 1218 entry->template = template_desc; 1219 break; 1220 case Opt_err: 1221 ima_log_string(ab, "UNKNOWN", p); 1222 result = -EINVAL; 1223 break; 1224 } 1225 } 1226 if (!result && (entry->action == UNKNOWN)) 1227 result = -EINVAL; 1228 else if (entry->action == APPRAISE) 1229 temp_ima_appraise |= ima_appraise_flag(entry->func); 1230 1231 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1232 template_desc = entry->template ? entry->template : 1233 ima_template_desc_current(); 1234 check_template_modsig(template_desc); 1235 } 1236 1237 audit_log_format(ab, "res=%d", !result); 1238 audit_log_end(ab); 1239 return result; 1240 } 1241 1242 /** 1243 * ima_parse_add_rule - add a rule to ima_policy_rules 1244 * @rule - ima measurement policy rule 1245 * 1246 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1247 * Returns the length of the rule parsed, an error code on failure 1248 */ 1249 ssize_t ima_parse_add_rule(char *rule) 1250 { 1251 static const char op[] = "update_policy"; 1252 char *p; 1253 struct ima_rule_entry *entry; 1254 ssize_t result, len; 1255 int audit_info = 0; 1256 1257 p = strsep(&rule, "\n"); 1258 len = strlen(p) + 1; 1259 p += strspn(p, " \t"); 1260 1261 if (*p == '#' || *p == '\0') 1262 return len; 1263 1264 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1265 if (!entry) { 1266 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1267 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1268 return -ENOMEM; 1269 } 1270 1271 INIT_LIST_HEAD(&entry->list); 1272 1273 result = ima_parse_rule(p, entry); 1274 if (result) { 1275 kfree(entry); 1276 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1277 NULL, op, "invalid-policy", result, 1278 audit_info); 1279 return result; 1280 } 1281 1282 list_add_tail(&entry->list, &ima_temp_rules); 1283 1284 return len; 1285 } 1286 1287 /** 1288 * ima_delete_rules() called to cleanup invalid in-flight policy. 1289 * We don't need locking as we operate on the temp list, which is 1290 * different from the active one. There is also only one user of 1291 * ima_delete_rules() at a time. 1292 */ 1293 void ima_delete_rules(void) 1294 { 1295 struct ima_rule_entry *entry, *tmp; 1296 int i; 1297 1298 temp_ima_appraise = 0; 1299 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1300 for (i = 0; i < MAX_LSM_RULES; i++) 1301 kfree(entry->lsm[i].args_p); 1302 1303 list_del(&entry->list); 1304 kfree(entry); 1305 } 1306 } 1307 1308 #define __ima_hook_stringify(str) (#str), 1309 1310 const char *const func_tokens[] = { 1311 __ima_hooks(__ima_hook_stringify) 1312 }; 1313 1314 #ifdef CONFIG_IMA_READ_POLICY 1315 enum { 1316 mask_exec = 0, mask_write, mask_read, mask_append 1317 }; 1318 1319 static const char *const mask_tokens[] = { 1320 "^MAY_EXEC", 1321 "^MAY_WRITE", 1322 "^MAY_READ", 1323 "^MAY_APPEND" 1324 }; 1325 1326 void *ima_policy_start(struct seq_file *m, loff_t *pos) 1327 { 1328 loff_t l = *pos; 1329 struct ima_rule_entry *entry; 1330 1331 rcu_read_lock(); 1332 list_for_each_entry_rcu(entry, ima_rules, list) { 1333 if (!l--) { 1334 rcu_read_unlock(); 1335 return entry; 1336 } 1337 } 1338 rcu_read_unlock(); 1339 return NULL; 1340 } 1341 1342 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1343 { 1344 struct ima_rule_entry *entry = v; 1345 1346 rcu_read_lock(); 1347 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1348 rcu_read_unlock(); 1349 (*pos)++; 1350 1351 return (&entry->list == ima_rules) ? NULL : entry; 1352 } 1353 1354 void ima_policy_stop(struct seq_file *m, void *v) 1355 { 1356 } 1357 1358 #define pt(token) policy_tokens[token].pattern 1359 #define mt(token) mask_tokens[token] 1360 1361 /* 1362 * policy_func_show - display the ima_hooks policy rule 1363 */ 1364 static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1365 { 1366 if (func > 0 && func < MAX_CHECK) 1367 seq_printf(m, "func=%s ", func_tokens[func]); 1368 else 1369 seq_printf(m, "func=%d ", func); 1370 } 1371 1372 int ima_policy_show(struct seq_file *m, void *v) 1373 { 1374 struct ima_rule_entry *entry = v; 1375 int i; 1376 char tbuf[64] = {0,}; 1377 int offset = 0; 1378 1379 rcu_read_lock(); 1380 1381 if (entry->action & MEASURE) 1382 seq_puts(m, pt(Opt_measure)); 1383 if (entry->action & DONT_MEASURE) 1384 seq_puts(m, pt(Opt_dont_measure)); 1385 if (entry->action & APPRAISE) 1386 seq_puts(m, pt(Opt_appraise)); 1387 if (entry->action & DONT_APPRAISE) 1388 seq_puts(m, pt(Opt_dont_appraise)); 1389 if (entry->action & AUDIT) 1390 seq_puts(m, pt(Opt_audit)); 1391 if (entry->action & HASH) 1392 seq_puts(m, pt(Opt_hash)); 1393 if (entry->action & DONT_HASH) 1394 seq_puts(m, pt(Opt_dont_hash)); 1395 1396 seq_puts(m, " "); 1397 1398 if (entry->flags & IMA_FUNC) 1399 policy_func_show(m, entry->func); 1400 1401 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1402 if (entry->flags & IMA_MASK) 1403 offset = 1; 1404 if (entry->mask & MAY_EXEC) 1405 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1406 if (entry->mask & MAY_WRITE) 1407 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1408 if (entry->mask & MAY_READ) 1409 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1410 if (entry->mask & MAY_APPEND) 1411 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1412 seq_puts(m, " "); 1413 } 1414 1415 if (entry->flags & IMA_FSMAGIC) { 1416 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1417 seq_printf(m, pt(Opt_fsmagic), tbuf); 1418 seq_puts(m, " "); 1419 } 1420 1421 if (entry->flags & IMA_FSNAME) { 1422 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1423 seq_printf(m, pt(Opt_fsname), tbuf); 1424 seq_puts(m, " "); 1425 } 1426 1427 if (entry->flags & IMA_PCR) { 1428 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1429 seq_printf(m, pt(Opt_pcr), tbuf); 1430 seq_puts(m, " "); 1431 } 1432 1433 if (entry->flags & IMA_FSUUID) { 1434 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1435 seq_puts(m, " "); 1436 } 1437 1438 if (entry->flags & IMA_UID) { 1439 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1440 if (entry->uid_op == &uid_gt) 1441 seq_printf(m, pt(Opt_uid_gt), tbuf); 1442 else if (entry->uid_op == &uid_lt) 1443 seq_printf(m, pt(Opt_uid_lt), tbuf); 1444 else 1445 seq_printf(m, pt(Opt_uid_eq), tbuf); 1446 seq_puts(m, " "); 1447 } 1448 1449 if (entry->flags & IMA_EUID) { 1450 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1451 if (entry->uid_op == &uid_gt) 1452 seq_printf(m, pt(Opt_euid_gt), tbuf); 1453 else if (entry->uid_op == &uid_lt) 1454 seq_printf(m, pt(Opt_euid_lt), tbuf); 1455 else 1456 seq_printf(m, pt(Opt_euid_eq), tbuf); 1457 seq_puts(m, " "); 1458 } 1459 1460 if (entry->flags & IMA_FOWNER) { 1461 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1462 if (entry->fowner_op == &uid_gt) 1463 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1464 else if (entry->fowner_op == &uid_lt) 1465 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1466 else 1467 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1468 seq_puts(m, " "); 1469 } 1470 1471 for (i = 0; i < MAX_LSM_RULES; i++) { 1472 if (entry->lsm[i].rule) { 1473 switch (i) { 1474 case LSM_OBJ_USER: 1475 seq_printf(m, pt(Opt_obj_user), 1476 (char *)entry->lsm[i].args_p); 1477 break; 1478 case LSM_OBJ_ROLE: 1479 seq_printf(m, pt(Opt_obj_role), 1480 (char *)entry->lsm[i].args_p); 1481 break; 1482 case LSM_OBJ_TYPE: 1483 seq_printf(m, pt(Opt_obj_type), 1484 (char *)entry->lsm[i].args_p); 1485 break; 1486 case LSM_SUBJ_USER: 1487 seq_printf(m, pt(Opt_subj_user), 1488 (char *)entry->lsm[i].args_p); 1489 break; 1490 case LSM_SUBJ_ROLE: 1491 seq_printf(m, pt(Opt_subj_role), 1492 (char *)entry->lsm[i].args_p); 1493 break; 1494 case LSM_SUBJ_TYPE: 1495 seq_printf(m, pt(Opt_subj_type), 1496 (char *)entry->lsm[i].args_p); 1497 break; 1498 } 1499 } 1500 } 1501 if (entry->template) 1502 seq_printf(m, "template=%s ", entry->template->name); 1503 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1504 if (entry->flags & IMA_MODSIG_ALLOWED) 1505 seq_puts(m, "appraise_type=imasig|modsig "); 1506 else 1507 seq_puts(m, "appraise_type=imasig "); 1508 } 1509 if (entry->flags & IMA_CHECK_BLACKLIST) 1510 seq_puts(m, "appraise_flag=check_blacklist "); 1511 if (entry->flags & IMA_PERMIT_DIRECTIO) 1512 seq_puts(m, "permit_directio "); 1513 rcu_read_unlock(); 1514 seq_puts(m, "\n"); 1515 return 0; 1516 } 1517 #endif /* CONFIG_IMA_READ_POLICY */ 1518 1519 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1520 /* 1521 * ima_appraise_signature: whether IMA will appraise a given function using 1522 * an IMA digital signature. This is restricted to cases where the kernel 1523 * has a set of built-in trusted keys in order to avoid an attacker simply 1524 * loading additional keys. 1525 */ 1526 bool ima_appraise_signature(enum kernel_read_file_id id) 1527 { 1528 struct ima_rule_entry *entry; 1529 bool found = false; 1530 enum ima_hooks func; 1531 1532 if (id >= READING_MAX_ID) 1533 return false; 1534 1535 func = read_idmap[id] ?: FILE_CHECK; 1536 1537 rcu_read_lock(); 1538 list_for_each_entry_rcu(entry, ima_rules, list) { 1539 if (entry->action != APPRAISE) 1540 continue; 1541 1542 /* 1543 * A generic entry will match, but otherwise require that it 1544 * match the func we're looking for 1545 */ 1546 if (entry->func && entry->func != func) 1547 continue; 1548 1549 /* 1550 * We require this to be a digital signature, not a raw IMA 1551 * hash. 1552 */ 1553 if (entry->flags & IMA_DIGSIG_REQUIRED) 1554 found = true; 1555 1556 /* 1557 * We've found a rule that matches, so break now even if it 1558 * didn't require a digital signature - a later rule that does 1559 * won't override it, so would be a false positive. 1560 */ 1561 break; 1562 } 1563 1564 rcu_read_unlock(); 1565 return found; 1566 } 1567 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1568