1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2008 IBM Corporation
4 * Author: Mimi Zohar <zohar@us.ibm.com>
7 * - initialize default measure policy rules
10 #include <linux/init.h>
11 #include <linux/list.h>
12 #include <linux/kernel_read_file.h>
14 #include <linux/security.h>
15 #include <linux/magic.h>
16 #include <linux/parser.h>
17 #include <linux/slab.h>
18 #include <linux/rculist.h>
19 #include <linux/genhd.h>
20 #include <linux/seq_file.h>
21 #include <linux/ima.h>
25 /* flags definitions */
26 #define IMA_FUNC 0x0001
27 #define IMA_MASK 0x0002
28 #define IMA_FSMAGIC 0x0004
29 #define IMA_UID 0x0008
30 #define IMA_FOWNER 0x0010
31 #define IMA_FSUUID 0x0020
32 #define IMA_INMASK 0x0040
33 #define IMA_EUID 0x0080
34 #define IMA_PCR 0x0100
35 #define IMA_FSNAME 0x0200
36 #define IMA_KEYRINGS 0x0400
37 #define IMA_LABEL 0x0800
38 #define IMA_VALIDATE_ALGOS 0x1000
41 #define MEASURE 0x0001 /* same as IMA_MEASURE */
42 #define DONT_MEASURE 0x0002
43 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
44 #define DONT_APPRAISE 0x0008
47 #define DONT_HASH 0x0200
49 #define INVALID_PCR(a) (((a) < 0) || \
50 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8))
53 static int temp_ima_appraise
;
54 static int build_ima_appraise __ro_after_init
;
56 atomic_t ima_setxattr_allowed_hash_algorithms
;
58 #define MAX_LSM_RULES 6
59 enum lsm_rule_types
{ LSM_OBJ_USER
, LSM_OBJ_ROLE
, LSM_OBJ_TYPE
,
60 LSM_SUBJ_USER
, LSM_SUBJ_ROLE
, LSM_SUBJ_TYPE
63 enum policy_types
{ ORIGINAL_TCB
= 1, DEFAULT_TCB
};
65 enum policy_rule_list
{ IMA_DEFAULT_POLICY
= 1, IMA_CUSTOM_POLICY
};
67 struct ima_rule_opt_list
{
72 struct ima_rule_entry
{
73 struct list_head list
;
78 unsigned long fsmagic
;
82 bool (*uid_op
)(kuid_t
, kuid_t
); /* Handlers for operators */
83 bool (*fowner_op
)(kuid_t
, kuid_t
); /* uid_eq(), uid_gt(), uid_lt() */
85 unsigned int allowed_algos
; /* bitfield of allowed hash algorithms */
87 void *rules
[LSMBLOB_ENTRIES
]; /* LSM file metadata specific */
88 char *args_p
; /* audit value */
89 int type
; /* audit type */
92 struct ima_rule_opt_list
*keyrings
; /* Measure keys added to these keyrings */
93 struct ima_rule_opt_list
*label
; /* Measure data grouped under this label */
94 struct ima_template_desc
*template;
98 * ima_lsm_isset - Is a rule set for any of the active security modules
99 * @rules: The set of IMA rules to check.
101 * If a rule is set for any LSM return true, otherwise return false.
103 static inline bool ima_lsm_isset(void *rules
[])
107 for (i
= 0; i
< LSMBLOB_ENTRIES
; i
++)
114 * sanity check in case the kernels gains more hash algorithms that can
115 * fit in an unsigned int
118 8 * sizeof(unsigned int) >= HASH_ALGO__LAST
,
119 "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type");
122 * Without LSM specific knowledge, the default policy can only be
123 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
127 * The minimum rule set to allow for full TCB coverage. Measures all files
128 * opened or mmap for exec and everything read by root. Dangerous because
129 * normal users can easily run the machine out of memory simply building
130 * and running executables.
132 static struct ima_rule_entry dont_measure_rules
[] __ro_after_init
= {
133 {.action
= DONT_MEASURE
, .fsmagic
= PROC_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
134 {.action
= DONT_MEASURE
, .fsmagic
= SYSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
135 {.action
= DONT_MEASURE
, .fsmagic
= DEBUGFS_MAGIC
, .flags
= IMA_FSMAGIC
},
136 {.action
= DONT_MEASURE
, .fsmagic
= TMPFS_MAGIC
, .flags
= IMA_FSMAGIC
},
137 {.action
= DONT_MEASURE
, .fsmagic
= DEVPTS_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
138 {.action
= DONT_MEASURE
, .fsmagic
= BINFMTFS_MAGIC
, .flags
= IMA_FSMAGIC
},
139 {.action
= DONT_MEASURE
, .fsmagic
= SECURITYFS_MAGIC
, .flags
= IMA_FSMAGIC
},
140 {.action
= DONT_MEASURE
, .fsmagic
= SELINUX_MAGIC
, .flags
= IMA_FSMAGIC
},
141 {.action
= DONT_MEASURE
, .fsmagic
= SMACK_MAGIC
, .flags
= IMA_FSMAGIC
},
142 {.action
= DONT_MEASURE
, .fsmagic
= CGROUP_SUPER_MAGIC
,
143 .flags
= IMA_FSMAGIC
},
144 {.action
= DONT_MEASURE
, .fsmagic
= CGROUP2_SUPER_MAGIC
,
145 .flags
= IMA_FSMAGIC
},
146 {.action
= DONT_MEASURE
, .fsmagic
= NSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
147 {.action
= DONT_MEASURE
, .fsmagic
= EFIVARFS_MAGIC
, .flags
= IMA_FSMAGIC
}
150 static struct ima_rule_entry original_measurement_rules
[] __ro_after_init
= {
151 {.action
= MEASURE
, .func
= MMAP_CHECK
, .mask
= MAY_EXEC
,
152 .flags
= IMA_FUNC
| IMA_MASK
},
153 {.action
= MEASURE
, .func
= BPRM_CHECK
, .mask
= MAY_EXEC
,
154 .flags
= IMA_FUNC
| IMA_MASK
},
155 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
156 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
157 .flags
= IMA_FUNC
| IMA_MASK
| IMA_UID
},
158 {.action
= MEASURE
, .func
= MODULE_CHECK
, .flags
= IMA_FUNC
},
159 {.action
= MEASURE
, .func
= FIRMWARE_CHECK
, .flags
= IMA_FUNC
},
162 static struct ima_rule_entry default_measurement_rules
[] __ro_after_init
= {
163 {.action
= MEASURE
, .func
= MMAP_CHECK
, .mask
= MAY_EXEC
,
164 .flags
= IMA_FUNC
| IMA_MASK
},
165 {.action
= MEASURE
, .func
= BPRM_CHECK
, .mask
= MAY_EXEC
,
166 .flags
= IMA_FUNC
| IMA_MASK
},
167 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
168 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
169 .flags
= IMA_FUNC
| IMA_INMASK
| IMA_EUID
},
170 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
171 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
172 .flags
= IMA_FUNC
| IMA_INMASK
| IMA_UID
},
173 {.action
= MEASURE
, .func
= MODULE_CHECK
, .flags
= IMA_FUNC
},
174 {.action
= MEASURE
, .func
= FIRMWARE_CHECK
, .flags
= IMA_FUNC
},
175 {.action
= MEASURE
, .func
= POLICY_CHECK
, .flags
= IMA_FUNC
},
178 static struct ima_rule_entry default_appraise_rules
[] __ro_after_init
= {
179 {.action
= DONT_APPRAISE
, .fsmagic
= PROC_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
180 {.action
= DONT_APPRAISE
, .fsmagic
= SYSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
181 {.action
= DONT_APPRAISE
, .fsmagic
= DEBUGFS_MAGIC
, .flags
= IMA_FSMAGIC
},
182 {.action
= DONT_APPRAISE
, .fsmagic
= TMPFS_MAGIC
, .flags
= IMA_FSMAGIC
},
183 {.action
= DONT_APPRAISE
, .fsmagic
= RAMFS_MAGIC
, .flags
= IMA_FSMAGIC
},
184 {.action
= DONT_APPRAISE
, .fsmagic
= DEVPTS_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
185 {.action
= DONT_APPRAISE
, .fsmagic
= BINFMTFS_MAGIC
, .flags
= IMA_FSMAGIC
},
186 {.action
= DONT_APPRAISE
, .fsmagic
= SECURITYFS_MAGIC
, .flags
= IMA_FSMAGIC
},
187 {.action
= DONT_APPRAISE
, .fsmagic
= SELINUX_MAGIC
, .flags
= IMA_FSMAGIC
},
188 {.action
= DONT_APPRAISE
, .fsmagic
= SMACK_MAGIC
, .flags
= IMA_FSMAGIC
},
189 {.action
= DONT_APPRAISE
, .fsmagic
= NSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
190 {.action
= DONT_APPRAISE
, .fsmagic
= EFIVARFS_MAGIC
, .flags
= IMA_FSMAGIC
},
191 {.action
= DONT_APPRAISE
, .fsmagic
= CGROUP_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
192 {.action
= DONT_APPRAISE
, .fsmagic
= CGROUP2_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
193 #ifdef CONFIG_IMA_WRITE_POLICY
194 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
195 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
197 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
198 {.action
= APPRAISE
, .fowner
= GLOBAL_ROOT_UID
, .fowner_op
= &uid_eq
,
199 .flags
= IMA_FOWNER
},
201 /* force signature */
202 {.action
= APPRAISE
, .fowner
= GLOBAL_ROOT_UID
, .fowner_op
= &uid_eq
,
203 .flags
= IMA_FOWNER
| IMA_DIGSIG_REQUIRED
},
207 static struct ima_rule_entry build_appraise_rules
[] __ro_after_init
= {
208 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
209 {.action
= APPRAISE
, .func
= MODULE_CHECK
,
210 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
212 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
213 {.action
= APPRAISE
, .func
= FIRMWARE_CHECK
,
214 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
216 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
217 {.action
= APPRAISE
, .func
= KEXEC_KERNEL_CHECK
,
218 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
220 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
221 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
222 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
226 static struct ima_rule_entry secure_boot_rules
[] __ro_after_init
= {
227 {.action
= APPRAISE
, .func
= MODULE_CHECK
,
228 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
229 {.action
= APPRAISE
, .func
= FIRMWARE_CHECK
,
230 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
231 {.action
= APPRAISE
, .func
= KEXEC_KERNEL_CHECK
,
232 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
233 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
234 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
237 static struct ima_rule_entry critical_data_rules
[] __ro_after_init
= {
238 {.action
= MEASURE
, .func
= CRITICAL_DATA
, .flags
= IMA_FUNC
},
241 /* An array of architecture specific rules */
242 static struct ima_rule_entry
*arch_policy_entry __ro_after_init
;
244 static LIST_HEAD(ima_default_rules
);
245 static LIST_HEAD(ima_policy_rules
);
246 static LIST_HEAD(ima_temp_rules
);
247 static struct list_head
*ima_rules
= &ima_default_rules
;
249 static int ima_policy __initdata
;
251 static int __init
default_measure_policy_setup(char *str
)
256 ima_policy
= ORIGINAL_TCB
;
259 __setup("ima_tcb", default_measure_policy_setup
);
261 static bool ima_use_appraise_tcb __initdata
;
262 static bool ima_use_secure_boot __initdata
;
263 static bool ima_use_critical_data __initdata
;
264 static bool ima_fail_unverifiable_sigs __ro_after_init
;
265 static int __init
policy_setup(char *str
)
269 while ((p
= strsep(&str
, " |\n")) != NULL
) {
272 if ((strcmp(p
, "tcb") == 0) && !ima_policy
)
273 ima_policy
= DEFAULT_TCB
;
274 else if (strcmp(p
, "appraise_tcb") == 0)
275 ima_use_appraise_tcb
= true;
276 else if (strcmp(p
, "secure_boot") == 0)
277 ima_use_secure_boot
= true;
278 else if (strcmp(p
, "critical_data") == 0)
279 ima_use_critical_data
= true;
280 else if (strcmp(p
, "fail_securely") == 0)
281 ima_fail_unverifiable_sigs
= true;
283 pr_err("policy \"%s\" not found", p
);
288 __setup("ima_policy=", policy_setup
);
290 static int __init
default_appraise_policy_setup(char *str
)
292 ima_use_appraise_tcb
= true;
295 __setup("ima_appraise_tcb", default_appraise_policy_setup
);
297 static struct ima_rule_opt_list
*ima_alloc_rule_opt_list(const substring_t
*src
)
299 struct ima_rule_opt_list
*opt_list
;
305 src_copy
= match_strdup(src
);
307 return ERR_PTR(-ENOMEM
);
310 while ((cur
= strsep(&next
, "|"))) {
311 /* Don't accept an empty list item */
314 return ERR_PTR(-EINVAL
);
319 /* Don't accept an empty list */
322 return ERR_PTR(-EINVAL
);
325 opt_list
= kzalloc(struct_size(opt_list
, items
, count
), GFP_KERNEL
);
328 return ERR_PTR(-ENOMEM
);
332 * strsep() has already replaced all instances of '|' with '\0',
333 * leaving a byte sequence of NUL-terminated strings. Reference each
334 * string with the array of items.
336 * IMPORTANT: Ownership of the allocated buffer is transferred from
337 * src_copy to the first element in the items array. To free the
338 * buffer, kfree() must only be called on the first element of the
341 for (i
= 0, cur
= src_copy
; i
< count
; i
++) {
342 opt_list
->items
[i
] = cur
;
343 cur
= strchr(cur
, '\0') + 1;
345 opt_list
->count
= count
;
350 static void ima_free_rule_opt_list(struct ima_rule_opt_list
*opt_list
)
355 if (opt_list
->count
) {
356 kfree(opt_list
->items
[0]);
363 static void ima_lsm_free_rule(struct ima_rule_entry
*entry
)
368 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
369 for (r
= 0; r
< LSMBLOB_ENTRIES
; r
++)
370 ima_filter_rule_free(entry
->lsm
[i
].rules
);
371 kfree(entry
->lsm
[i
].args_p
);
375 static void ima_free_rule(struct ima_rule_entry
*entry
)
381 * entry->template->fields may be allocated in ima_parse_rule() but that
382 * reference is owned by the corresponding ima_template_desc element in
383 * the defined_templates list and cannot be freed here
385 kfree(entry
->fsname
);
386 ima_free_rule_opt_list(entry
->keyrings
);
387 ima_lsm_free_rule(entry
);
391 static struct ima_rule_entry
*ima_lsm_copy_rule(struct ima_rule_entry
*entry
)
393 struct ima_rule_entry
*nentry
;
397 * Immutable elements are copied over as pointers and data; only
398 * lsm rules can change
400 nentry
= kmemdup(entry
, sizeof(*nentry
), GFP_KERNEL
);
404 memset(nentry
->lsm
, 0, sizeof_field(struct ima_rule_entry
, lsm
));
406 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
407 if (!entry
->lsm
[i
].args_p
)
410 nentry
->lsm
[i
].type
= entry
->lsm
[i
].type
;
411 nentry
->lsm
[i
].args_p
= entry
->lsm
[i
].args_p
;
413 * Remove the reference from entry so that the associated
414 * memory will not be freed during a later call to
415 * ima_lsm_free_rule(entry).
417 entry
->lsm
[i
].args_p
= NULL
;
419 ima_filter_rule_init(nentry
->lsm
[i
].type
, Audit_equal
,
420 nentry
->lsm
[i
].args_p
,
421 &nentry
->lsm
[i
].rules
[0]);
422 if (!ima_lsm_isset(nentry
->lsm
[i
].rules
))
423 pr_warn("rule for LSM \'%s\' is undefined\n",
424 nentry
->lsm
[i
].args_p
);
429 static int ima_lsm_update_rule(struct ima_rule_entry
*entry
)
431 struct ima_rule_entry
*nentry
;
433 nentry
= ima_lsm_copy_rule(entry
);
437 list_replace_rcu(&entry
->list
, &nentry
->list
);
440 * ima_lsm_copy_rule() shallow copied all references, except for the
441 * LSM references, from entry to nentry so we only want to free the LSM
442 * references and the entry itself. All other memory refrences will now
443 * be owned by nentry.
445 ima_lsm_free_rule(entry
);
451 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry
*entry
)
455 for (i
= 0; i
< MAX_LSM_RULES
; i
++)
456 if (entry
->lsm
[i
].args_p
)
463 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
464 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect
465 * the reloaded LSM policy.
467 static void ima_lsm_update_rules(void)
469 struct ima_rule_entry
*entry
, *e
;
472 list_for_each_entry_safe(entry
, e
, &ima_policy_rules
, list
) {
473 if (!ima_rule_contains_lsm_cond(entry
))
476 result
= ima_lsm_update_rule(entry
);
478 pr_err("lsm rule update error %d\n", result
);
484 int ima_lsm_policy_change(struct notifier_block
*nb
, unsigned long event
,
487 if (event
!= LSM_POLICY_CHANGE
)
490 ima_lsm_update_rules();
495 * ima_match_rule_data - determine whether func_data matches the policy rule
496 * @rule: a pointer to a rule
497 * @func_data: data to match against the measure rule data
498 * @cred: a pointer to a credentials structure for user validation
500 * Returns true if func_data matches one in the rule, false otherwise.
502 static bool ima_match_rule_data(struct ima_rule_entry
*rule
,
503 const char *func_data
,
504 const struct cred
*cred
)
506 const struct ima_rule_opt_list
*opt_list
= NULL
;
507 bool matched
= false;
510 if ((rule
->flags
& IMA_UID
) && !rule
->uid_op(cred
->uid
, rule
->uid
))
513 switch (rule
->func
) {
518 opt_list
= rule
->keyrings
;
524 opt_list
= rule
->label
;
533 for (i
= 0; i
< opt_list
->count
; i
++) {
534 if (!strcmp(opt_list
->items
[i
], func_data
)) {
544 * ima_match_rules - determine whether an inode matches the policy rule.
545 * @rule: a pointer to a rule
546 * @mnt_userns: user namespace of the mount the inode was found from
547 * @inode: a pointer to an inode
548 * @cred: a pointer to a credentials structure for user validation
549 * @secid: the secid of the task to be validated
550 * @func: LIM hook identifier
551 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
552 * @func_data: func specific data, may be NULL
554 * Returns true on rule match, false on failure.
556 static bool ima_match_rules(struct ima_rule_entry
*rule
,
557 struct user_namespace
*mnt_userns
,
558 struct inode
*inode
, const struct cred
*cred
,
559 u32 secid
, enum ima_hooks func
, int mask
,
560 const char *func_data
)
564 if ((rule
->flags
& IMA_FUNC
) &&
565 (rule
->func
!= func
&& func
!= POST_SETATTR
))
571 return ((rule
->func
== func
) &&
572 ima_match_rule_data(rule
, func_data
, cred
));
577 if ((rule
->flags
& IMA_MASK
) &&
578 (rule
->mask
!= mask
&& func
!= POST_SETATTR
))
580 if ((rule
->flags
& IMA_INMASK
) &&
581 (!(rule
->mask
& mask
) && func
!= POST_SETATTR
))
583 if ((rule
->flags
& IMA_FSMAGIC
)
584 && rule
->fsmagic
!= inode
->i_sb
->s_magic
)
586 if ((rule
->flags
& IMA_FSNAME
)
587 && strcmp(rule
->fsname
, inode
->i_sb
->s_type
->name
))
589 if ((rule
->flags
& IMA_FSUUID
) &&
590 !uuid_equal(&rule
->fsuuid
, &inode
->i_sb
->s_uuid
))
592 if ((rule
->flags
& IMA_UID
) && !rule
->uid_op(cred
->uid
, rule
->uid
))
594 if (rule
->flags
& IMA_EUID
) {
595 if (has_capability_noaudit(current
, CAP_SETUID
)) {
596 if (!rule
->uid_op(cred
->euid
, rule
->uid
)
597 && !rule
->uid_op(cred
->suid
, rule
->uid
)
598 && !rule
->uid_op(cred
->uid
, rule
->uid
))
600 } else if (!rule
->uid_op(cred
->euid
, rule
->uid
))
604 if ((rule
->flags
& IMA_FOWNER
) &&
605 !rule
->fowner_op(i_uid_into_mnt(mnt_userns
, inode
), rule
->fowner
))
607 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
610 struct lsmblob lsmdata
;
612 if (!ima_lsm_isset(rule
->lsm
[i
].rules
)) {
613 if (!rule
->lsm
[i
].args_p
)
622 security_inode_getsecid(inode
, &osid
);
623 lsmblob_init(&lsmdata
, osid
);
624 rc
= ima_filter_rule_match(&lsmdata
, rule
->lsm
[i
].type
,
631 lsmblob_init(&lsmdata
, secid
);
632 rc
= ima_filter_rule_match(&lsmdata
, rule
->lsm
[i
].type
,
646 * In addition to knowing that we need to appraise the file in general,
647 * we need to differentiate between calling hooks, for hook specific rules.
649 static int get_subaction(struct ima_rule_entry
*rule
, enum ima_hooks func
)
651 if (!(rule
->flags
& IMA_FUNC
))
652 return IMA_FILE_APPRAISE
;
656 return IMA_MMAP_APPRAISE
;
658 return IMA_BPRM_APPRAISE
;
660 return IMA_CREDS_APPRAISE
;
663 return IMA_FILE_APPRAISE
;
664 case MODULE_CHECK
... MAX_CHECK
- 1:
666 return IMA_READ_APPRAISE
;
671 * ima_match_policy - decision based on LSM and other conditions
672 * @mnt_userns: user namespace of the mount the inode was found from
673 * @inode: pointer to an inode for which the policy decision is being made
674 * @cred: pointer to a credentials structure for which the policy decision is
676 * @secid: LSM secid of the task to be validated
677 * @func: IMA hook identifier
678 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
679 * @pcr: set the pcr to extend
680 * @template_desc: the template that should be used for this rule
681 * @func_data: func specific data, may be NULL
682 * @allowed_algos: allowlist of hash algorithms for the IMA xattr
684 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
687 * Since the IMA policy may be updated multiple times we need to lock the
688 * list when walking it. Reads are many orders of magnitude more numerous
689 * than writes so ima_match_policy() is classical RCU candidate.
691 int ima_match_policy(struct user_namespace
*mnt_userns
, struct inode
*inode
,
692 const struct cred
*cred
, u32 secid
, enum ima_hooks func
,
693 int mask
, int flags
, int *pcr
,
694 struct ima_template_desc
**template_desc
,
695 const char *func_data
, unsigned int *allowed_algos
)
697 struct ima_rule_entry
*entry
;
698 int action
= 0, actmask
= flags
| (flags
<< 1);
700 if (template_desc
&& !*template_desc
)
701 *template_desc
= ima_template_desc_current();
704 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
706 if (!(entry
->action
& actmask
))
709 if (!ima_match_rules(entry
, mnt_userns
, inode
, cred
, secid
,
710 func
, mask
, func_data
))
713 action
|= entry
->flags
& IMA_ACTION_FLAGS
;
715 action
|= entry
->action
& IMA_DO_MASK
;
716 if (entry
->action
& IMA_APPRAISE
) {
717 action
|= get_subaction(entry
, func
);
719 if (ima_fail_unverifiable_sigs
)
720 action
|= IMA_FAIL_UNVERIFIABLE_SIGS
;
723 entry
->flags
& IMA_VALIDATE_ALGOS
)
724 *allowed_algos
= entry
->allowed_algos
;
727 if (entry
->action
& IMA_DO_MASK
)
728 actmask
&= ~(entry
->action
| entry
->action
<< 1);
730 actmask
&= ~(entry
->action
| entry
->action
>> 1);
732 if ((pcr
) && (entry
->flags
& IMA_PCR
))
735 if (template_desc
&& entry
->template)
736 *template_desc
= entry
->template;
747 * ima_update_policy_flags() - Update global IMA variables
749 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms
750 * based on the currently loaded policy.
752 * With ima_policy_flag, the decision to short circuit out of a function
753 * or not call the function in the first place can be made earlier.
755 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the
756 * set of hash algorithms accepted when updating the security.ima xattr of
759 * Context: called after a policy update and at system initialization.
761 void ima_update_policy_flags(void)
763 struct ima_rule_entry
*entry
;
764 int new_policy_flag
= 0;
767 list_for_each_entry(entry
, ima_rules
, list
) {
769 * SETXATTR_CHECK rules do not implement a full policy check
770 * because rule checking would probably have an important
771 * performance impact on setxattr(). As a consequence, only one
772 * SETXATTR_CHECK can be active at a given time.
773 * Because we want to preserve that property, we set out to use
774 * atomic_cmpxchg. Either:
775 * - the atomic was non-zero: a setxattr hash policy is
776 * already enforced, we do nothing
777 * - the atomic was zero: no setxattr policy was set, enable
778 * the setxattr hash policy
780 if (entry
->func
== SETXATTR_CHECK
) {
781 atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms
,
782 0, entry
->allowed_algos
);
783 /* SETXATTR_CHECK doesn't impact ima_policy_flag */
787 if (entry
->action
& IMA_DO_MASK
)
788 new_policy_flag
|= entry
->action
;
792 ima_appraise
|= (build_ima_appraise
| temp_ima_appraise
);
794 new_policy_flag
&= ~IMA_APPRAISE
;
796 ima_policy_flag
= new_policy_flag
;
799 static int ima_appraise_flag(enum ima_hooks func
)
801 if (func
== MODULE_CHECK
)
802 return IMA_APPRAISE_MODULES
;
803 else if (func
== FIRMWARE_CHECK
)
804 return IMA_APPRAISE_FIRMWARE
;
805 else if (func
== POLICY_CHECK
)
806 return IMA_APPRAISE_POLICY
;
807 else if (func
== KEXEC_KERNEL_CHECK
)
808 return IMA_APPRAISE_KEXEC
;
812 static void add_rules(struct ima_rule_entry
*entries
, int count
,
813 enum policy_rule_list policy_rule
)
817 for (i
= 0; i
< count
; i
++) {
818 struct ima_rule_entry
*entry
;
820 if (policy_rule
& IMA_DEFAULT_POLICY
)
821 list_add_tail(&entries
[i
].list
, &ima_default_rules
);
823 if (policy_rule
& IMA_CUSTOM_POLICY
) {
824 entry
= kmemdup(&entries
[i
], sizeof(*entry
),
829 list_add_tail(&entry
->list
, &ima_policy_rules
);
831 if (entries
[i
].action
== APPRAISE
) {
832 if (entries
!= build_appraise_rules
)
834 ima_appraise_flag(entries
[i
].func
);
836 build_ima_appraise
|=
837 ima_appraise_flag(entries
[i
].func
);
842 static int ima_parse_rule(char *rule
, struct ima_rule_entry
*entry
);
844 static int __init
ima_init_arch_policy(void)
846 const char * const *arch_rules
;
847 const char * const *rules
;
848 int arch_entries
= 0;
851 arch_rules
= arch_get_ima_policy();
855 /* Get number of rules */
856 for (rules
= arch_rules
; *rules
!= NULL
; rules
++)
859 arch_policy_entry
= kcalloc(arch_entries
+ 1,
860 sizeof(*arch_policy_entry
), GFP_KERNEL
);
861 if (!arch_policy_entry
)
864 /* Convert each policy string rules to struct ima_rule_entry format */
865 for (rules
= arch_rules
, i
= 0; *rules
!= NULL
; rules
++) {
869 result
= strlcpy(rule
, *rules
, sizeof(rule
));
871 INIT_LIST_HEAD(&arch_policy_entry
[i
].list
);
872 result
= ima_parse_rule(rule
, &arch_policy_entry
[i
]);
874 pr_warn("Skipping unknown architecture policy rule: %s\n",
876 memset(&arch_policy_entry
[i
], 0,
877 sizeof(*arch_policy_entry
));
886 * ima_init_policy - initialize the default measure rules.
888 * ima_rules points to either the ima_default_rules or the
889 * the new ima_policy_rules.
891 void __init
ima_init_policy(void)
893 int build_appraise_entries
, arch_entries
;
895 /* if !ima_policy, we load NO default rules */
897 add_rules(dont_measure_rules
, ARRAY_SIZE(dont_measure_rules
),
900 switch (ima_policy
) {
902 add_rules(original_measurement_rules
,
903 ARRAY_SIZE(original_measurement_rules
),
907 add_rules(default_measurement_rules
,
908 ARRAY_SIZE(default_measurement_rules
),
916 * Based on runtime secure boot flags, insert arch specific measurement
917 * and appraise rules requiring file signatures for both the initial
918 * and custom policies, prior to other appraise rules.
921 arch_entries
= ima_init_arch_policy();
923 pr_info("No architecture policies found\n");
925 add_rules(arch_policy_entry
, arch_entries
,
926 IMA_DEFAULT_POLICY
| IMA_CUSTOM_POLICY
);
929 * Insert the builtin "secure_boot" policy rules requiring file
930 * signatures, prior to other appraise rules.
932 if (ima_use_secure_boot
)
933 add_rules(secure_boot_rules
, ARRAY_SIZE(secure_boot_rules
),
937 * Insert the build time appraise rules requiring file signatures
938 * for both the initial and custom policies, prior to other appraise
939 * rules. As the secure boot rules includes all of the build time
940 * rules, include either one or the other set of rules, but not both.
942 build_appraise_entries
= ARRAY_SIZE(build_appraise_rules
);
943 if (build_appraise_entries
) {
944 if (ima_use_secure_boot
)
945 add_rules(build_appraise_rules
, build_appraise_entries
,
948 add_rules(build_appraise_rules
, build_appraise_entries
,
949 IMA_DEFAULT_POLICY
| IMA_CUSTOM_POLICY
);
952 if (ima_use_appraise_tcb
)
953 add_rules(default_appraise_rules
,
954 ARRAY_SIZE(default_appraise_rules
),
957 if (ima_use_critical_data
)
958 add_rules(critical_data_rules
,
959 ARRAY_SIZE(critical_data_rules
),
962 atomic_set(&ima_setxattr_allowed_hash_algorithms
, 0);
964 ima_update_policy_flags();
967 /* Make sure we have a valid policy, at least containing some rules. */
968 int ima_check_policy(void)
970 if (list_empty(&ima_temp_rules
))
976 * ima_update_policy - update default_rules with new measure rules
978 * Called on file .release to update the default rules with a complete new
979 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so
980 * they make a queue. The policy may be updated multiple times and this is the
983 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
984 * we switch from the default policy to user defined.
986 void ima_update_policy(void)
988 struct list_head
*policy
= &ima_policy_rules
;
990 list_splice_tail_init_rcu(&ima_temp_rules
, policy
, synchronize_rcu
);
992 if (ima_rules
!= policy
) {
997 * IMA architecture specific policy rules are specified
998 * as strings and converted to an array of ima_entry_rules
999 * on boot. After loading a custom policy, free the
1000 * architecture specific rules stored as an array.
1002 kfree(arch_policy_entry
);
1004 ima_update_policy_flags();
1006 /* Custom IMA policy has been loaded */
1007 ima_process_queued_keys();
1010 /* Keep the enumeration in sync with the policy_tokens! */
1012 Opt_measure
, Opt_dont_measure
,
1013 Opt_appraise
, Opt_dont_appraise
,
1014 Opt_audit
, Opt_hash
, Opt_dont_hash
,
1015 Opt_obj_user
, Opt_obj_role
, Opt_obj_type
,
1016 Opt_subj_user
, Opt_subj_role
, Opt_subj_type
,
1017 Opt_func
, Opt_mask
, Opt_fsmagic
, Opt_fsname
,
1018 Opt_fsuuid
, Opt_uid_eq
, Opt_euid_eq
, Opt_fowner_eq
,
1019 Opt_uid_gt
, Opt_euid_gt
, Opt_fowner_gt
,
1020 Opt_uid_lt
, Opt_euid_lt
, Opt_fowner_lt
,
1021 Opt_appraise_type
, Opt_appraise_flag
, Opt_appraise_algos
,
1022 Opt_permit_directio
, Opt_pcr
, Opt_template
, Opt_keyrings
,
1026 static const match_table_t policy_tokens
= {
1027 {Opt_measure
, "measure"},
1028 {Opt_dont_measure
, "dont_measure"},
1029 {Opt_appraise
, "appraise"},
1030 {Opt_dont_appraise
, "dont_appraise"},
1031 {Opt_audit
, "audit"},
1033 {Opt_dont_hash
, "dont_hash"},
1034 {Opt_obj_user
, "obj_user=%s"},
1035 {Opt_obj_role
, "obj_role=%s"},
1036 {Opt_obj_type
, "obj_type=%s"},
1037 {Opt_subj_user
, "subj_user=%s"},
1038 {Opt_subj_role
, "subj_role=%s"},
1039 {Opt_subj_type
, "subj_type=%s"},
1040 {Opt_func
, "func=%s"},
1041 {Opt_mask
, "mask=%s"},
1042 {Opt_fsmagic
, "fsmagic=%s"},
1043 {Opt_fsname
, "fsname=%s"},
1044 {Opt_fsuuid
, "fsuuid=%s"},
1045 {Opt_uid_eq
, "uid=%s"},
1046 {Opt_euid_eq
, "euid=%s"},
1047 {Opt_fowner_eq
, "fowner=%s"},
1048 {Opt_uid_gt
, "uid>%s"},
1049 {Opt_euid_gt
, "euid>%s"},
1050 {Opt_fowner_gt
, "fowner>%s"},
1051 {Opt_uid_lt
, "uid<%s"},
1052 {Opt_euid_lt
, "euid<%s"},
1053 {Opt_fowner_lt
, "fowner<%s"},
1054 {Opt_appraise_type
, "appraise_type=%s"},
1055 {Opt_appraise_flag
, "appraise_flag=%s"},
1056 {Opt_appraise_algos
, "appraise_algos=%s"},
1057 {Opt_permit_directio
, "permit_directio"},
1058 {Opt_pcr
, "pcr=%s"},
1059 {Opt_template
, "template=%s"},
1060 {Opt_keyrings
, "keyrings=%s"},
1061 {Opt_label
, "label=%s"},
1065 static int ima_lsm_rule_init(struct ima_rule_entry
*entry
,
1066 substring_t
*args
, int lsm_rule
, int audit_type
)
1070 if (ima_lsm_isset(entry
->lsm
[lsm_rule
].rules
))
1073 entry
->lsm
[lsm_rule
].args_p
= match_strdup(args
);
1074 if (!entry
->lsm
[lsm_rule
].args_p
)
1077 entry
->lsm
[lsm_rule
].type
= audit_type
;
1078 result
= ima_filter_rule_init(entry
->lsm
[lsm_rule
].type
, Audit_equal
,
1079 entry
->lsm
[lsm_rule
].args_p
,
1080 &entry
->lsm
[lsm_rule
].rules
[0]);
1081 if (!ima_lsm_isset(entry
->lsm
[lsm_rule
].rules
)) {
1082 pr_warn("rule for LSM \'%s\' is undefined\n",
1083 entry
->lsm
[lsm_rule
].args_p
);
1085 if (ima_rules
== &ima_default_rules
) {
1086 kfree(entry
->lsm
[lsm_rule
].args_p
);
1087 entry
->lsm
[lsm_rule
].args_p
= NULL
;
1096 static void ima_log_string_op(struct audit_buffer
*ab
, char *key
, char *value
,
1097 bool (*rule_operator
)(kuid_t
, kuid_t
))
1102 if (rule_operator
== &uid_gt
)
1103 audit_log_format(ab
, "%s>", key
);
1104 else if (rule_operator
== &uid_lt
)
1105 audit_log_format(ab
, "%s<", key
);
1107 audit_log_format(ab
, "%s=", key
);
1108 audit_log_format(ab
, "%s ", value
);
1110 static void ima_log_string(struct audit_buffer
*ab
, char *key
, char *value
)
1112 ima_log_string_op(ab
, key
, value
, NULL
);
1116 * Validating the appended signature included in the measurement list requires
1117 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
1118 * field). Therefore, notify the user if they have the 'modsig' field but not
1119 * the 'd-modsig' field in the template.
1121 static void check_template_modsig(const struct ima_template_desc
*template)
1123 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
1124 bool has_modsig
, has_dmodsig
;
1125 static bool checked
;
1128 /* We only need to notify the user once. */
1132 has_modsig
= has_dmodsig
= false;
1133 for (i
= 0; i
< template->num_fields
; i
++) {
1134 if (!strcmp(template->fields
[i
]->field_id
, "modsig"))
1136 else if (!strcmp(template->fields
[i
]->field_id
, "d-modsig"))
1140 if (has_modsig
&& !has_dmodsig
)
1147 static bool ima_validate_rule(struct ima_rule_entry
*entry
)
1149 /* Ensure that the action is set and is compatible with the flags */
1150 if (entry
->action
== UNKNOWN
)
1153 if (entry
->action
!= MEASURE
&& entry
->flags
& IMA_PCR
)
1156 if (entry
->action
!= APPRAISE
&&
1157 entry
->flags
& (IMA_DIGSIG_REQUIRED
| IMA_MODSIG_ALLOWED
|
1158 IMA_CHECK_BLACKLIST
| IMA_VALIDATE_ALGOS
))
1162 * The IMA_FUNC bit must be set if and only if there's a valid hook
1163 * function specified, and vice versa. Enforcing this property allows
1164 * for the NONE case below to validate a rule without an explicit hook
1167 if (((entry
->flags
& IMA_FUNC
) && entry
->func
== NONE
) ||
1168 (!(entry
->flags
& IMA_FUNC
) && entry
->func
!= NONE
))
1172 * Ensure that the hook function is compatible with the other
1173 * components of the rule
1175 switch (entry
->func
) {
1182 case FIRMWARE_CHECK
:
1184 if (entry
->flags
& ~(IMA_FUNC
| IMA_MASK
| IMA_FSMAGIC
|
1185 IMA_UID
| IMA_FOWNER
| IMA_FSUUID
|
1186 IMA_INMASK
| IMA_EUID
| IMA_PCR
|
1187 IMA_FSNAME
| IMA_DIGSIG_REQUIRED
|
1188 IMA_PERMIT_DIRECTIO
| IMA_VALIDATE_ALGOS
))
1193 case KEXEC_KERNEL_CHECK
:
1194 case KEXEC_INITRAMFS_CHECK
:
1195 if (entry
->flags
& ~(IMA_FUNC
| IMA_MASK
| IMA_FSMAGIC
|
1196 IMA_UID
| IMA_FOWNER
| IMA_FSUUID
|
1197 IMA_INMASK
| IMA_EUID
| IMA_PCR
|
1198 IMA_FSNAME
| IMA_DIGSIG_REQUIRED
|
1199 IMA_PERMIT_DIRECTIO
| IMA_MODSIG_ALLOWED
|
1200 IMA_CHECK_BLACKLIST
| IMA_VALIDATE_ALGOS
))
1205 if (entry
->action
& ~(MEASURE
| DONT_MEASURE
))
1208 if (entry
->flags
& ~(IMA_FUNC
| IMA_FSMAGIC
| IMA_UID
|
1209 IMA_FOWNER
| IMA_FSUUID
| IMA_EUID
|
1210 IMA_PCR
| IMA_FSNAME
))
1215 if (entry
->action
& ~(MEASURE
| DONT_MEASURE
))
1218 if (entry
->flags
& ~(IMA_FUNC
| IMA_UID
| IMA_PCR
|
1222 if (ima_rule_contains_lsm_cond(entry
))
1227 if (entry
->action
& ~(MEASURE
| DONT_MEASURE
))
1230 if (entry
->flags
& ~(IMA_FUNC
| IMA_UID
| IMA_PCR
|
1234 if (ima_rule_contains_lsm_cond(entry
))
1238 case SETXATTR_CHECK
:
1239 /* any action other than APPRAISE is unsupported */
1240 if (entry
->action
!= APPRAISE
)
1243 /* SETXATTR_CHECK requires an appraise_algos parameter */
1244 if (!(entry
->flags
& IMA_VALIDATE_ALGOS
))
1248 * full policies are not supported, they would have too
1249 * much of a performance impact
1251 if (entry
->flags
& ~(IMA_FUNC
| IMA_VALIDATE_ALGOS
))
1259 /* Ensure that combinations of flags are compatible with each other */
1260 if (entry
->flags
& IMA_CHECK_BLACKLIST
&&
1261 !(entry
->flags
& IMA_MODSIG_ALLOWED
))
1267 static unsigned int ima_parse_appraise_algos(char *arg
)
1269 unsigned int res
= 0;
1273 while ((token
= strsep(&arg
, ",")) != NULL
) {
1274 idx
= match_string(hash_algo_name
, HASH_ALGO__LAST
, token
);
1277 pr_err("unknown hash algorithm \"%s\"",
1282 if (!crypto_has_alg(hash_algo_name
[idx
], 0, 0)) {
1283 pr_err("unavailable hash algorithm \"%s\", check your kernel configuration",
1288 /* Add the hash algorithm to the 'allowed' bitfield */
1295 static int ima_parse_rule(char *rule
, struct ima_rule_entry
*entry
)
1297 struct audit_buffer
*ab
;
1301 struct ima_template_desc
*template_desc
;
1304 ab
= integrity_audit_log_start(audit_context(), GFP_KERNEL
,
1305 AUDIT_INTEGRITY_POLICY_RULE
);
1307 entry
->uid
= INVALID_UID
;
1308 entry
->fowner
= INVALID_UID
;
1309 entry
->uid_op
= &uid_eq
;
1310 entry
->fowner_op
= &uid_eq
;
1311 entry
->action
= UNKNOWN
;
1312 while ((p
= strsep(&rule
, " \t")) != NULL
) {
1313 substring_t args
[MAX_OPT_ARGS
];
1319 if ((*p
== '\0') || (*p
== ' ') || (*p
== '\t'))
1321 token
= match_token(p
, policy_tokens
, args
);
1324 ima_log_string(ab
, "action", "measure");
1326 if (entry
->action
!= UNKNOWN
)
1329 entry
->action
= MEASURE
;
1331 case Opt_dont_measure
:
1332 ima_log_string(ab
, "action", "dont_measure");
1334 if (entry
->action
!= UNKNOWN
)
1337 entry
->action
= DONT_MEASURE
;
1340 ima_log_string(ab
, "action", "appraise");
1342 if (entry
->action
!= UNKNOWN
)
1345 entry
->action
= APPRAISE
;
1347 case Opt_dont_appraise
:
1348 ima_log_string(ab
, "action", "dont_appraise");
1350 if (entry
->action
!= UNKNOWN
)
1353 entry
->action
= DONT_APPRAISE
;
1356 ima_log_string(ab
, "action", "audit");
1358 if (entry
->action
!= UNKNOWN
)
1361 entry
->action
= AUDIT
;
1364 ima_log_string(ab
, "action", "hash");
1366 if (entry
->action
!= UNKNOWN
)
1369 entry
->action
= HASH
;
1372 ima_log_string(ab
, "action", "dont_hash");
1374 if (entry
->action
!= UNKNOWN
)
1377 entry
->action
= DONT_HASH
;
1380 ima_log_string(ab
, "func", args
[0].from
);
1385 if (strcmp(args
[0].from
, "FILE_CHECK") == 0)
1386 entry
->func
= FILE_CHECK
;
1387 /* PATH_CHECK is for backwards compat */
1388 else if (strcmp(args
[0].from
, "PATH_CHECK") == 0)
1389 entry
->func
= FILE_CHECK
;
1390 else if (strcmp(args
[0].from
, "MODULE_CHECK") == 0)
1391 entry
->func
= MODULE_CHECK
;
1392 else if (strcmp(args
[0].from
, "FIRMWARE_CHECK") == 0)
1393 entry
->func
= FIRMWARE_CHECK
;
1394 else if ((strcmp(args
[0].from
, "FILE_MMAP") == 0)
1395 || (strcmp(args
[0].from
, "MMAP_CHECK") == 0))
1396 entry
->func
= MMAP_CHECK
;
1397 else if (strcmp(args
[0].from
, "BPRM_CHECK") == 0)
1398 entry
->func
= BPRM_CHECK
;
1399 else if (strcmp(args
[0].from
, "CREDS_CHECK") == 0)
1400 entry
->func
= CREDS_CHECK
;
1401 else if (strcmp(args
[0].from
, "KEXEC_KERNEL_CHECK") ==
1403 entry
->func
= KEXEC_KERNEL_CHECK
;
1404 else if (strcmp(args
[0].from
, "KEXEC_INITRAMFS_CHECK")
1406 entry
->func
= KEXEC_INITRAMFS_CHECK
;
1407 else if (strcmp(args
[0].from
, "POLICY_CHECK") == 0)
1408 entry
->func
= POLICY_CHECK
;
1409 else if (strcmp(args
[0].from
, "KEXEC_CMDLINE") == 0)
1410 entry
->func
= KEXEC_CMDLINE
;
1411 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
) &&
1412 strcmp(args
[0].from
, "KEY_CHECK") == 0)
1413 entry
->func
= KEY_CHECK
;
1414 else if (strcmp(args
[0].from
, "CRITICAL_DATA") == 0)
1415 entry
->func
= CRITICAL_DATA
;
1416 else if (strcmp(args
[0].from
, "SETXATTR_CHECK") == 0)
1417 entry
->func
= SETXATTR_CHECK
;
1421 entry
->flags
|= IMA_FUNC
;
1424 ima_log_string(ab
, "mask", args
[0].from
);
1429 from
= args
[0].from
;
1433 if ((strcmp(from
, "MAY_EXEC")) == 0)
1434 entry
->mask
= MAY_EXEC
;
1435 else if (strcmp(from
, "MAY_WRITE") == 0)
1436 entry
->mask
= MAY_WRITE
;
1437 else if (strcmp(from
, "MAY_READ") == 0)
1438 entry
->mask
= MAY_READ
;
1439 else if (strcmp(from
, "MAY_APPEND") == 0)
1440 entry
->mask
= MAY_APPEND
;
1444 entry
->flags
|= (*args
[0].from
== '^')
1445 ? IMA_INMASK
: IMA_MASK
;
1448 ima_log_string(ab
, "fsmagic", args
[0].from
);
1450 if (entry
->fsmagic
) {
1455 result
= kstrtoul(args
[0].from
, 16, &entry
->fsmagic
);
1457 entry
->flags
|= IMA_FSMAGIC
;
1460 ima_log_string(ab
, "fsname", args
[0].from
);
1462 entry
->fsname
= kstrdup(args
[0].from
, GFP_KERNEL
);
1463 if (!entry
->fsname
) {
1468 entry
->flags
|= IMA_FSNAME
;
1471 ima_log_string(ab
, "keyrings", args
[0].from
);
1473 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
) ||
1479 entry
->keyrings
= ima_alloc_rule_opt_list(args
);
1480 if (IS_ERR(entry
->keyrings
)) {
1481 result
= PTR_ERR(entry
->keyrings
);
1482 entry
->keyrings
= NULL
;
1486 entry
->flags
|= IMA_KEYRINGS
;
1489 ima_log_string(ab
, "label", args
[0].from
);
1496 entry
->label
= ima_alloc_rule_opt_list(args
);
1497 if (IS_ERR(entry
->label
)) {
1498 result
= PTR_ERR(entry
->label
);
1499 entry
->label
= NULL
;
1503 entry
->flags
|= IMA_LABEL
;
1506 ima_log_string(ab
, "fsuuid", args
[0].from
);
1508 if (!uuid_is_null(&entry
->fsuuid
)) {
1513 result
= uuid_parse(args
[0].from
, &entry
->fsuuid
);
1515 entry
->flags
|= IMA_FSUUID
;
1519 entry
->uid_op
= &uid_gt
;
1523 if ((token
== Opt_uid_lt
) || (token
== Opt_euid_lt
))
1524 entry
->uid_op
= &uid_lt
;
1528 uid_token
= (token
== Opt_uid_eq
) ||
1529 (token
== Opt_uid_gt
) ||
1530 (token
== Opt_uid_lt
);
1532 ima_log_string_op(ab
, uid_token
? "uid" : "euid",
1533 args
[0].from
, entry
->uid_op
);
1535 if (uid_valid(entry
->uid
)) {
1540 result
= kstrtoul(args
[0].from
, 10, &lnum
);
1542 entry
->uid
= make_kuid(current_user_ns(),
1544 if (!uid_valid(entry
->uid
) ||
1545 (uid_t
)lnum
!= lnum
)
1548 entry
->flags
|= uid_token
1549 ? IMA_UID
: IMA_EUID
;
1553 entry
->fowner_op
= &uid_gt
;
1556 if (token
== Opt_fowner_lt
)
1557 entry
->fowner_op
= &uid_lt
;
1560 ima_log_string_op(ab
, "fowner", args
[0].from
,
1563 if (uid_valid(entry
->fowner
)) {
1568 result
= kstrtoul(args
[0].from
, 10, &lnum
);
1570 entry
->fowner
= make_kuid(current_user_ns(), (uid_t
)lnum
);
1571 if (!uid_valid(entry
->fowner
) || (((uid_t
)lnum
) != lnum
))
1574 entry
->flags
|= IMA_FOWNER
;
1578 ima_log_string(ab
, "obj_user", args
[0].from
);
1579 result
= ima_lsm_rule_init(entry
, args
,
1584 ima_log_string(ab
, "obj_role", args
[0].from
);
1585 result
= ima_lsm_rule_init(entry
, args
,
1590 ima_log_string(ab
, "obj_type", args
[0].from
);
1591 result
= ima_lsm_rule_init(entry
, args
,
1596 ima_log_string(ab
, "subj_user", args
[0].from
);
1597 result
= ima_lsm_rule_init(entry
, args
,
1602 ima_log_string(ab
, "subj_role", args
[0].from
);
1603 result
= ima_lsm_rule_init(entry
, args
,
1608 ima_log_string(ab
, "subj_type", args
[0].from
);
1609 result
= ima_lsm_rule_init(entry
, args
,
1613 case Opt_appraise_type
:
1614 ima_log_string(ab
, "appraise_type", args
[0].from
);
1615 if ((strcmp(args
[0].from
, "imasig")) == 0)
1616 entry
->flags
|= IMA_DIGSIG_REQUIRED
;
1617 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG
) &&
1618 strcmp(args
[0].from
, "imasig|modsig") == 0)
1619 entry
->flags
|= IMA_DIGSIG_REQUIRED
|
1624 case Opt_appraise_flag
:
1625 ima_log_string(ab
, "appraise_flag", args
[0].from
);
1626 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG
) &&
1627 strstr(args
[0].from
, "blacklist"))
1628 entry
->flags
|= IMA_CHECK_BLACKLIST
;
1632 case Opt_appraise_algos
:
1633 ima_log_string(ab
, "appraise_algos", args
[0].from
);
1635 if (entry
->allowed_algos
) {
1640 entry
->allowed_algos
=
1641 ima_parse_appraise_algos(args
[0].from
);
1642 /* invalid or empty list of algorithms */
1643 if (!entry
->allowed_algos
) {
1648 entry
->flags
|= IMA_VALIDATE_ALGOS
;
1651 case Opt_permit_directio
:
1652 entry
->flags
|= IMA_PERMIT_DIRECTIO
;
1655 ima_log_string(ab
, "pcr", args
[0].from
);
1657 result
= kstrtoint(args
[0].from
, 10, &entry
->pcr
);
1658 if (result
|| INVALID_PCR(entry
->pcr
))
1661 entry
->flags
|= IMA_PCR
;
1665 ima_log_string(ab
, "template", args
[0].from
);
1666 if (entry
->action
!= MEASURE
) {
1670 template_desc
= lookup_template_desc(args
[0].from
);
1671 if (!template_desc
|| entry
->template) {
1677 * template_desc_init_fields() does nothing if
1678 * the template is already initialised, so
1679 * it's safe to do this unconditionally
1681 template_desc_init_fields(template_desc
->fmt
,
1682 &(template_desc
->fields
),
1683 &(template_desc
->num_fields
));
1684 entry
->template = template_desc
;
1687 ima_log_string(ab
, "UNKNOWN", p
);
1692 if (!result
&& !ima_validate_rule(entry
))
1694 else if (entry
->action
== APPRAISE
)
1695 temp_ima_appraise
|= ima_appraise_flag(entry
->func
);
1697 if (!result
&& entry
->flags
& IMA_MODSIG_ALLOWED
) {
1698 template_desc
= entry
->template ? entry
->template :
1699 ima_template_desc_current();
1700 check_template_modsig(template_desc
);
1703 audit_log_format(ab
, "res=%d", !result
);
1709 * ima_parse_add_rule - add a rule to ima_policy_rules
1710 * @rule - ima measurement policy rule
1712 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1713 * Returns the length of the rule parsed, an error code on failure
1715 ssize_t
ima_parse_add_rule(char *rule
)
1717 static const char op
[] = "update_policy";
1719 struct ima_rule_entry
*entry
;
1720 ssize_t result
, len
;
1723 p
= strsep(&rule
, "\n");
1724 len
= strlen(p
) + 1;
1725 p
+= strspn(p
, " \t");
1727 if (*p
== '#' || *p
== '\0')
1730 entry
= kzalloc(sizeof(*entry
), GFP_KERNEL
);
1732 integrity_audit_msg(AUDIT_INTEGRITY_STATUS
, NULL
,
1733 NULL
, op
, "-ENOMEM", -ENOMEM
, audit_info
);
1737 INIT_LIST_HEAD(&entry
->list
);
1739 result
= ima_parse_rule(p
, entry
);
1741 ima_free_rule(entry
);
1742 integrity_audit_msg(AUDIT_INTEGRITY_STATUS
, NULL
,
1743 NULL
, op
, "invalid-policy", result
,
1748 list_add_tail(&entry
->list
, &ima_temp_rules
);
1754 * ima_delete_rules() called to cleanup invalid in-flight policy.
1755 * We don't need locking as we operate on the temp list, which is
1756 * different from the active one. There is also only one user of
1757 * ima_delete_rules() at a time.
1759 void ima_delete_rules(void)
1761 struct ima_rule_entry
*entry
, *tmp
;
1763 temp_ima_appraise
= 0;
1764 list_for_each_entry_safe(entry
, tmp
, &ima_temp_rules
, list
) {
1765 list_del(&entry
->list
);
1766 ima_free_rule(entry
);
1770 #define __ima_hook_stringify(func, str) (#func),
1772 const char *const func_tokens
[] = {
1773 __ima_hooks(__ima_hook_stringify
)
1776 #ifdef CONFIG_IMA_READ_POLICY
1778 mask_exec
= 0, mask_write
, mask_read
, mask_append
1781 static const char *const mask_tokens
[] = {
1788 void *ima_policy_start(struct seq_file
*m
, loff_t
*pos
)
1791 struct ima_rule_entry
*entry
;
1794 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
1804 void *ima_policy_next(struct seq_file
*m
, void *v
, loff_t
*pos
)
1806 struct ima_rule_entry
*entry
= v
;
1809 entry
= list_entry_rcu(entry
->list
.next
, struct ima_rule_entry
, list
);
1813 return (&entry
->list
== ima_rules
) ? NULL
: entry
;
1816 void ima_policy_stop(struct seq_file
*m
, void *v
)
1820 #define pt(token) policy_tokens[token].pattern
1821 #define mt(token) mask_tokens[token]
1824 * policy_func_show - display the ima_hooks policy rule
1826 static void policy_func_show(struct seq_file
*m
, enum ima_hooks func
)
1828 if (func
> 0 && func
< MAX_CHECK
)
1829 seq_printf(m
, "func=%s ", func_tokens
[func
]);
1831 seq_printf(m
, "func=%d ", func
);
1834 static void ima_show_rule_opt_list(struct seq_file
*m
,
1835 const struct ima_rule_opt_list
*opt_list
)
1839 for (i
= 0; i
< opt_list
->count
; i
++)
1840 seq_printf(m
, "%s%s", i
? "|" : "", opt_list
->items
[i
]);
1843 static void ima_policy_show_appraise_algos(struct seq_file
*m
,
1844 unsigned int allowed_hashes
)
1846 int idx
, list_size
= 0;
1848 for (idx
= 0; idx
< HASH_ALGO__LAST
; idx
++) {
1849 if (!(allowed_hashes
& (1U << idx
)))
1852 /* only add commas if the list contains multiple entries */
1856 seq_puts(m
, hash_algo_name
[idx
]);
1860 int ima_policy_show(struct seq_file
*m
, void *v
)
1862 struct ima_rule_entry
*entry
= v
;
1864 char tbuf
[64] = {0,};
1869 if (entry
->action
& MEASURE
)
1870 seq_puts(m
, pt(Opt_measure
));
1871 if (entry
->action
& DONT_MEASURE
)
1872 seq_puts(m
, pt(Opt_dont_measure
));
1873 if (entry
->action
& APPRAISE
)
1874 seq_puts(m
, pt(Opt_appraise
));
1875 if (entry
->action
& DONT_APPRAISE
)
1876 seq_puts(m
, pt(Opt_dont_appraise
));
1877 if (entry
->action
& AUDIT
)
1878 seq_puts(m
, pt(Opt_audit
));
1879 if (entry
->action
& HASH
)
1880 seq_puts(m
, pt(Opt_hash
));
1881 if (entry
->action
& DONT_HASH
)
1882 seq_puts(m
, pt(Opt_dont_hash
));
1886 if (entry
->flags
& IMA_FUNC
)
1887 policy_func_show(m
, entry
->func
);
1889 if ((entry
->flags
& IMA_MASK
) || (entry
->flags
& IMA_INMASK
)) {
1890 if (entry
->flags
& IMA_MASK
)
1892 if (entry
->mask
& MAY_EXEC
)
1893 seq_printf(m
, pt(Opt_mask
), mt(mask_exec
) + offset
);
1894 if (entry
->mask
& MAY_WRITE
)
1895 seq_printf(m
, pt(Opt_mask
), mt(mask_write
) + offset
);
1896 if (entry
->mask
& MAY_READ
)
1897 seq_printf(m
, pt(Opt_mask
), mt(mask_read
) + offset
);
1898 if (entry
->mask
& MAY_APPEND
)
1899 seq_printf(m
, pt(Opt_mask
), mt(mask_append
) + offset
);
1903 if (entry
->flags
& IMA_FSMAGIC
) {
1904 snprintf(tbuf
, sizeof(tbuf
), "0x%lx", entry
->fsmagic
);
1905 seq_printf(m
, pt(Opt_fsmagic
), tbuf
);
1909 if (entry
->flags
& IMA_FSNAME
) {
1910 snprintf(tbuf
, sizeof(tbuf
), "%s", entry
->fsname
);
1911 seq_printf(m
, pt(Opt_fsname
), tbuf
);
1915 if (entry
->flags
& IMA_KEYRINGS
) {
1916 seq_puts(m
, "keyrings=");
1917 ima_show_rule_opt_list(m
, entry
->keyrings
);
1921 if (entry
->flags
& IMA_LABEL
) {
1922 seq_puts(m
, "label=");
1923 ima_show_rule_opt_list(m
, entry
->label
);
1927 if (entry
->flags
& IMA_PCR
) {
1928 snprintf(tbuf
, sizeof(tbuf
), "%d", entry
->pcr
);
1929 seq_printf(m
, pt(Opt_pcr
), tbuf
);
1933 if (entry
->flags
& IMA_FSUUID
) {
1934 seq_printf(m
, "fsuuid=%pU", &entry
->fsuuid
);
1938 if (entry
->flags
& IMA_UID
) {
1939 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->uid
));
1940 if (entry
->uid_op
== &uid_gt
)
1941 seq_printf(m
, pt(Opt_uid_gt
), tbuf
);
1942 else if (entry
->uid_op
== &uid_lt
)
1943 seq_printf(m
, pt(Opt_uid_lt
), tbuf
);
1945 seq_printf(m
, pt(Opt_uid_eq
), tbuf
);
1949 if (entry
->flags
& IMA_EUID
) {
1950 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->uid
));
1951 if (entry
->uid_op
== &uid_gt
)
1952 seq_printf(m
, pt(Opt_euid_gt
), tbuf
);
1953 else if (entry
->uid_op
== &uid_lt
)
1954 seq_printf(m
, pt(Opt_euid_lt
), tbuf
);
1956 seq_printf(m
, pt(Opt_euid_eq
), tbuf
);
1960 if (entry
->flags
& IMA_FOWNER
) {
1961 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->fowner
));
1962 if (entry
->fowner_op
== &uid_gt
)
1963 seq_printf(m
, pt(Opt_fowner_gt
), tbuf
);
1964 else if (entry
->fowner_op
== &uid_lt
)
1965 seq_printf(m
, pt(Opt_fowner_lt
), tbuf
);
1967 seq_printf(m
, pt(Opt_fowner_eq
), tbuf
);
1971 if (entry
->flags
& IMA_VALIDATE_ALGOS
) {
1972 seq_puts(m
, "appraise_algos=");
1973 ima_policy_show_appraise_algos(m
, entry
->allowed_algos
);
1977 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
1978 if (ima_lsm_isset(entry
->lsm
[i
].rules
)) {
1981 seq_printf(m
, pt(Opt_obj_user
),
1982 entry
->lsm
[i
].args_p
);
1985 seq_printf(m
, pt(Opt_obj_role
),
1986 entry
->lsm
[i
].args_p
);
1989 seq_printf(m
, pt(Opt_obj_type
),
1990 entry
->lsm
[i
].args_p
);
1993 seq_printf(m
, pt(Opt_subj_user
),
1994 entry
->lsm
[i
].args_p
);
1997 seq_printf(m
, pt(Opt_subj_role
),
1998 entry
->lsm
[i
].args_p
);
2001 seq_printf(m
, pt(Opt_subj_type
),
2002 entry
->lsm
[i
].args_p
);
2008 if (entry
->template)
2009 seq_printf(m
, "template=%s ", entry
->template->name
);
2010 if (entry
->flags
& IMA_DIGSIG_REQUIRED
) {
2011 if (entry
->flags
& IMA_MODSIG_ALLOWED
)
2012 seq_puts(m
, "appraise_type=imasig|modsig ");
2014 seq_puts(m
, "appraise_type=imasig ");
2016 if (entry
->flags
& IMA_CHECK_BLACKLIST
)
2017 seq_puts(m
, "appraise_flag=check_blacklist ");
2018 if (entry
->flags
& IMA_PERMIT_DIRECTIO
)
2019 seq_puts(m
, "permit_directio ");
2024 #endif /* CONFIG_IMA_READ_POLICY */
2026 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
2028 * ima_appraise_signature: whether IMA will appraise a given function using
2029 * an IMA digital signature. This is restricted to cases where the kernel
2030 * has a set of built-in trusted keys in order to avoid an attacker simply
2031 * loading additional keys.
2033 bool ima_appraise_signature(enum kernel_read_file_id id
)
2035 struct ima_rule_entry
*entry
;
2037 enum ima_hooks func
;
2039 if (id
>= READING_MAX_ID
)
2042 func
= read_idmap
[id
] ?: FILE_CHECK
;
2045 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
2046 if (entry
->action
!= APPRAISE
)
2050 * A generic entry will match, but otherwise require that it
2051 * match the func we're looking for
2053 if (entry
->func
&& entry
->func
!= func
)
2057 * We require this to be a digital signature, not a raw IMA
2060 if (entry
->flags
& IMA_DIGSIG_REQUIRED
)
2064 * We've found a rule that matches, so break now even if it
2065 * didn't require a digital signature - a later rule that does
2066 * won't override it, so would be a false positive.
2074 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */