2 * Copyright (C) 2008 IBM Corporation
3 * Author: Mimi Zohar <zohar@us.ibm.com>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 2 of the License.
10 * - initialize default measure policy rules
13 #include <linux/module.h>
14 #include <linux/list.h>
16 #include <linux/security.h>
17 #include <linux/magic.h>
18 #include <linux/parser.h>
19 #include <linux/slab.h>
20 #include <linux/rculist.h>
21 #include <linux/genhd.h>
22 #include <linux/seq_file.h>
26 /* flags definitions */
27 #define IMA_FUNC 0x0001
28 #define IMA_MASK 0x0002
29 #define IMA_FSMAGIC 0x0004
30 #define IMA_UID 0x0008
31 #define IMA_FOWNER 0x0010
32 #define IMA_FSUUID 0x0020
33 #define IMA_INMASK 0x0040
34 #define IMA_EUID 0x0080
35 #define IMA_PCR 0x0100
38 #define MEASURE 0x0001 /* same as IMA_MEASURE */
39 #define DONT_MEASURE 0x0002
40 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
41 #define DONT_APPRAISE 0x0008
44 #define INVALID_PCR(a) (((a) < 0) || \
45 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
48 static int temp_ima_appraise
;
50 #define MAX_LSM_RULES 6
51 enum lsm_rule_types
{ LSM_OBJ_USER
, LSM_OBJ_ROLE
, LSM_OBJ_TYPE
,
52 LSM_SUBJ_USER
, LSM_SUBJ_ROLE
, LSM_SUBJ_TYPE
55 enum policy_types
{ ORIGINAL_TCB
= 1, DEFAULT_TCB
};
57 struct ima_rule_entry
{
58 struct list_head list
;
63 unsigned long fsmagic
;
67 bool (*uid_op
)(kuid_t
, kuid_t
); /* Handlers for operators */
68 bool (*fowner_op
)(kuid_t
, kuid_t
); /* uid_eq(), uid_gt(), uid_lt() */
71 void *rule
; /* LSM file metadata specific */
72 void *args_p
; /* audit value */
73 int type
; /* audit type */
78 * Without LSM specific knowledge, the default policy can only be
79 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
83 * The minimum rule set to allow for full TCB coverage. Measures all files
84 * opened or mmap for exec and everything read by root. Dangerous because
85 * normal users can easily run the machine out of memory simply building
86 * and running executables.
88 static struct ima_rule_entry dont_measure_rules
[] __ro_after_init
= {
89 {.action
= DONT_MEASURE
, .fsmagic
= PROC_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
90 {.action
= DONT_MEASURE
, .fsmagic
= SYSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
91 {.action
= DONT_MEASURE
, .fsmagic
= DEBUGFS_MAGIC
, .flags
= IMA_FSMAGIC
},
92 {.action
= DONT_MEASURE
, .fsmagic
= TMPFS_MAGIC
, .flags
= IMA_FSMAGIC
},
93 {.action
= DONT_MEASURE
, .fsmagic
= DEVPTS_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
94 {.action
= DONT_MEASURE
, .fsmagic
= BINFMTFS_MAGIC
, .flags
= IMA_FSMAGIC
},
95 {.action
= DONT_MEASURE
, .fsmagic
= SECURITYFS_MAGIC
, .flags
= IMA_FSMAGIC
},
96 {.action
= DONT_MEASURE
, .fsmagic
= SELINUX_MAGIC
, .flags
= IMA_FSMAGIC
},
97 {.action
= DONT_MEASURE
, .fsmagic
= CGROUP_SUPER_MAGIC
,
98 .flags
= IMA_FSMAGIC
},
99 {.action
= DONT_MEASURE
, .fsmagic
= NSFS_MAGIC
, .flags
= IMA_FSMAGIC
}
102 static struct ima_rule_entry original_measurement_rules
[] __ro_after_init
= {
103 {.action
= MEASURE
, .func
= MMAP_CHECK
, .mask
= MAY_EXEC
,
104 .flags
= IMA_FUNC
| IMA_MASK
},
105 {.action
= MEASURE
, .func
= BPRM_CHECK
, .mask
= MAY_EXEC
,
106 .flags
= IMA_FUNC
| IMA_MASK
},
107 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
108 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
109 .flags
= IMA_FUNC
| IMA_MASK
| IMA_UID
},
110 {.action
= MEASURE
, .func
= MODULE_CHECK
, .flags
= IMA_FUNC
},
111 {.action
= MEASURE
, .func
= FIRMWARE_CHECK
, .flags
= IMA_FUNC
},
114 static struct ima_rule_entry default_measurement_rules
[] __ro_after_init
= {
115 {.action
= MEASURE
, .func
= MMAP_CHECK
, .mask
= MAY_EXEC
,
116 .flags
= IMA_FUNC
| IMA_MASK
},
117 {.action
= MEASURE
, .func
= BPRM_CHECK
, .mask
= MAY_EXEC
,
118 .flags
= IMA_FUNC
| IMA_MASK
},
119 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
120 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
121 .flags
= IMA_FUNC
| IMA_INMASK
| IMA_EUID
},
122 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
123 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
124 .flags
= IMA_FUNC
| IMA_INMASK
| IMA_UID
},
125 {.action
= MEASURE
, .func
= MODULE_CHECK
, .flags
= IMA_FUNC
},
126 {.action
= MEASURE
, .func
= FIRMWARE_CHECK
, .flags
= IMA_FUNC
},
127 {.action
= MEASURE
, .func
= POLICY_CHECK
, .flags
= IMA_FUNC
},
130 static struct ima_rule_entry default_appraise_rules
[] __ro_after_init
= {
131 {.action
= DONT_APPRAISE
, .fsmagic
= PROC_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
132 {.action
= DONT_APPRAISE
, .fsmagic
= SYSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
133 {.action
= DONT_APPRAISE
, .fsmagic
= DEBUGFS_MAGIC
, .flags
= IMA_FSMAGIC
},
134 {.action
= DONT_APPRAISE
, .fsmagic
= TMPFS_MAGIC
, .flags
= IMA_FSMAGIC
},
135 {.action
= DONT_APPRAISE
, .fsmagic
= RAMFS_MAGIC
, .flags
= IMA_FSMAGIC
},
136 {.action
= DONT_APPRAISE
, .fsmagic
= DEVPTS_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
137 {.action
= DONT_APPRAISE
, .fsmagic
= BINFMTFS_MAGIC
, .flags
= IMA_FSMAGIC
},
138 {.action
= DONT_APPRAISE
, .fsmagic
= SECURITYFS_MAGIC
, .flags
= IMA_FSMAGIC
},
139 {.action
= DONT_APPRAISE
, .fsmagic
= SELINUX_MAGIC
, .flags
= IMA_FSMAGIC
},
140 {.action
= DONT_APPRAISE
, .fsmagic
= NSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
141 {.action
= DONT_APPRAISE
, .fsmagic
= CGROUP_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
142 #ifdef CONFIG_IMA_WRITE_POLICY
143 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
144 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
146 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
147 {.action
= APPRAISE
, .fowner
= GLOBAL_ROOT_UID
, .fowner_op
= &uid_eq
,
148 .flags
= IMA_FOWNER
},
150 /* force signature */
151 {.action
= APPRAISE
, .fowner
= GLOBAL_ROOT_UID
, .fowner_op
= &uid_eq
,
152 .flags
= IMA_FOWNER
| IMA_DIGSIG_REQUIRED
},
156 static LIST_HEAD(ima_default_rules
);
157 static LIST_HEAD(ima_policy_rules
);
158 static LIST_HEAD(ima_temp_rules
);
159 static struct list_head
*ima_rules
;
161 static int ima_policy __initdata
;
163 static int __init
default_measure_policy_setup(char *str
)
168 ima_policy
= ORIGINAL_TCB
;
171 __setup("ima_tcb", default_measure_policy_setup
);
173 static int __init
policy_setup(char *str
)
178 if (strcmp(str
, "tcb") == 0)
179 ima_policy
= DEFAULT_TCB
;
183 __setup("ima_policy=", policy_setup
);
185 static bool ima_use_appraise_tcb __initdata
;
186 static int __init
default_appraise_policy_setup(char *str
)
188 ima_use_appraise_tcb
= 1;
191 __setup("ima_appraise_tcb", default_appraise_policy_setup
);
194 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
195 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect
196 * the reloaded LSM policy. We assume the rules still exist; and BUG_ON() if
199 static void ima_lsm_update_rules(void)
201 struct ima_rule_entry
*entry
;
205 list_for_each_entry(entry
, &ima_policy_rules
, list
) {
206 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
207 if (!entry
->lsm
[i
].rule
)
209 result
= security_filter_rule_init(entry
->lsm
[i
].type
,
211 entry
->lsm
[i
].args_p
,
212 &entry
->lsm
[i
].rule
);
213 BUG_ON(!entry
->lsm
[i
].rule
);
219 * ima_match_rules - determine whether an inode matches the measure rule.
220 * @rule: a pointer to a rule
221 * @inode: a pointer to an inode
222 * @func: LIM hook identifier
223 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
225 * Returns true on rule match, false on failure.
227 static bool ima_match_rules(struct ima_rule_entry
*rule
, struct inode
*inode
,
228 enum ima_hooks func
, int mask
)
230 struct task_struct
*tsk
= current
;
231 const struct cred
*cred
= current_cred();
234 if ((rule
->flags
& IMA_FUNC
) &&
235 (rule
->func
!= func
&& func
!= POST_SETATTR
))
237 if ((rule
->flags
& IMA_MASK
) &&
238 (rule
->mask
!= mask
&& func
!= POST_SETATTR
))
240 if ((rule
->flags
& IMA_INMASK
) &&
241 (!(rule
->mask
& mask
) && func
!= POST_SETATTR
))
243 if ((rule
->flags
& IMA_FSMAGIC
)
244 && rule
->fsmagic
!= inode
->i_sb
->s_magic
)
246 if ((rule
->flags
& IMA_FSUUID
) &&
247 !uuid_equal(&rule
->fsuuid
, &inode
->i_sb
->s_uuid
))
249 if ((rule
->flags
& IMA_UID
) && !rule
->uid_op(cred
->uid
, rule
->uid
))
251 if (rule
->flags
& IMA_EUID
) {
252 if (has_capability_noaudit(current
, CAP_SETUID
)) {
253 if (!rule
->uid_op(cred
->euid
, rule
->uid
)
254 && !rule
->uid_op(cred
->suid
, rule
->uid
)
255 && !rule
->uid_op(cred
->uid
, rule
->uid
))
257 } else if (!rule
->uid_op(cred
->euid
, rule
->uid
))
261 if ((rule
->flags
& IMA_FOWNER
) &&
262 !rule
->fowner_op(inode
->i_uid
, rule
->fowner
))
264 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
269 if (!rule
->lsm
[i
].rule
)
276 security_inode_getsecid(inode
, &osid
);
277 rc
= security_filter_rule_match(osid
,
286 security_task_getsecid(tsk
, &sid
);
287 rc
= security_filter_rule_match(sid
,
295 if ((rc
< 0) && (!retried
)) {
297 ima_lsm_update_rules();
307 * In addition to knowing that we need to appraise the file in general,
308 * we need to differentiate between calling hooks, for hook specific rules.
310 static int get_subaction(struct ima_rule_entry
*rule
, enum ima_hooks func
)
312 if (!(rule
->flags
& IMA_FUNC
))
313 return IMA_FILE_APPRAISE
;
317 return IMA_MMAP_APPRAISE
;
319 return IMA_BPRM_APPRAISE
;
322 return IMA_FILE_APPRAISE
;
323 case MODULE_CHECK
... MAX_CHECK
- 1:
325 return IMA_READ_APPRAISE
;
330 * ima_match_policy - decision based on LSM and other conditions
331 * @inode: pointer to an inode for which the policy decision is being made
332 * @func: IMA hook identifier
333 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
334 * @pcr: set the pcr to extend
336 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
339 * Since the IMA policy may be updated multiple times we need to lock the
340 * list when walking it. Reads are many orders of magnitude more numerous
341 * than writes so ima_match_policy() is classical RCU candidate.
343 int ima_match_policy(struct inode
*inode
, enum ima_hooks func
, int mask
,
346 struct ima_rule_entry
*entry
;
347 int action
= 0, actmask
= flags
| (flags
<< 1);
350 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
352 if (!(entry
->action
& actmask
))
355 if (!ima_match_rules(entry
, inode
, func
, mask
))
358 action
|= entry
->flags
& IMA_ACTION_FLAGS
;
360 action
|= entry
->action
& IMA_DO_MASK
;
361 if (entry
->action
& IMA_APPRAISE
)
362 action
|= get_subaction(entry
, func
);
364 if (entry
->action
& IMA_DO_MASK
)
365 actmask
&= ~(entry
->action
| entry
->action
<< 1);
367 actmask
&= ~(entry
->action
| entry
->action
>> 1);
369 if ((pcr
) && (entry
->flags
& IMA_PCR
))
381 * Initialize the ima_policy_flag variable based on the currently
382 * loaded policy. Based on this flag, the decision to short circuit
383 * out of a function or not call the function in the first place
384 * can be made earlier.
386 void ima_update_policy_flag(void)
388 struct ima_rule_entry
*entry
;
390 list_for_each_entry(entry
, ima_rules
, list
) {
391 if (entry
->action
& IMA_DO_MASK
)
392 ima_policy_flag
|= entry
->action
;
395 ima_appraise
|= temp_ima_appraise
;
397 ima_policy_flag
&= ~IMA_APPRAISE
;
401 * ima_init_policy - initialize the default measure rules.
403 * ima_rules points to either the ima_default_rules or the
404 * the new ima_policy_rules.
406 void __init
ima_init_policy(void)
408 int i
, measure_entries
, appraise_entries
;
410 /* if !ima_policy set entries = 0 so we load NO default rules */
411 measure_entries
= ima_policy
? ARRAY_SIZE(dont_measure_rules
) : 0;
412 appraise_entries
= ima_use_appraise_tcb
?
413 ARRAY_SIZE(default_appraise_rules
) : 0;
415 for (i
= 0; i
< measure_entries
; i
++)
416 list_add_tail(&dont_measure_rules
[i
].list
, &ima_default_rules
);
418 switch (ima_policy
) {
420 for (i
= 0; i
< ARRAY_SIZE(original_measurement_rules
); i
++)
421 list_add_tail(&original_measurement_rules
[i
].list
,
425 for (i
= 0; i
< ARRAY_SIZE(default_measurement_rules
); i
++)
426 list_add_tail(&default_measurement_rules
[i
].list
,
432 for (i
= 0; i
< appraise_entries
; i
++) {
433 list_add_tail(&default_appraise_rules
[i
].list
,
435 if (default_appraise_rules
[i
].func
== POLICY_CHECK
)
436 temp_ima_appraise
|= IMA_APPRAISE_POLICY
;
439 ima_rules
= &ima_default_rules
;
440 ima_update_policy_flag();
443 /* Make sure we have a valid policy, at least containing some rules. */
444 int ima_check_policy(void)
446 if (list_empty(&ima_temp_rules
))
452 * ima_update_policy - update default_rules with new measure rules
454 * Called on file .release to update the default rules with a complete new
455 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so
456 * they make a queue. The policy may be updated multiple times and this is the
459 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
460 * we switch from the default policy to user defined.
462 void ima_update_policy(void)
464 struct list_head
*first
, *last
, *policy
;
466 /* append current policy with the new rules */
467 first
= (&ima_temp_rules
)->next
;
468 last
= (&ima_temp_rules
)->prev
;
469 policy
= &ima_policy_rules
;
474 rcu_assign_pointer(list_next_rcu(policy
->prev
), first
);
475 first
->prev
= policy
->prev
;
478 /* prepare for the next policy rules addition */
479 INIT_LIST_HEAD(&ima_temp_rules
);
481 if (ima_rules
!= policy
) {
485 ima_update_policy_flag();
490 Opt_measure
= 1, Opt_dont_measure
,
491 Opt_appraise
, Opt_dont_appraise
,
493 Opt_obj_user
, Opt_obj_role
, Opt_obj_type
,
494 Opt_subj_user
, Opt_subj_role
, Opt_subj_type
,
495 Opt_func
, Opt_mask
, Opt_fsmagic
,
496 Opt_fsuuid
, Opt_uid_eq
, Opt_euid_eq
, Opt_fowner_eq
,
497 Opt_uid_gt
, Opt_euid_gt
, Opt_fowner_gt
,
498 Opt_uid_lt
, Opt_euid_lt
, Opt_fowner_lt
,
499 Opt_appraise_type
, Opt_permit_directio
,
503 static match_table_t policy_tokens
= {
504 {Opt_measure
, "measure"},
505 {Opt_dont_measure
, "dont_measure"},
506 {Opt_appraise
, "appraise"},
507 {Opt_dont_appraise
, "dont_appraise"},
508 {Opt_audit
, "audit"},
509 {Opt_obj_user
, "obj_user=%s"},
510 {Opt_obj_role
, "obj_role=%s"},
511 {Opt_obj_type
, "obj_type=%s"},
512 {Opt_subj_user
, "subj_user=%s"},
513 {Opt_subj_role
, "subj_role=%s"},
514 {Opt_subj_type
, "subj_type=%s"},
515 {Opt_func
, "func=%s"},
516 {Opt_mask
, "mask=%s"},
517 {Opt_fsmagic
, "fsmagic=%s"},
518 {Opt_fsuuid
, "fsuuid=%s"},
519 {Opt_uid_eq
, "uid=%s"},
520 {Opt_euid_eq
, "euid=%s"},
521 {Opt_fowner_eq
, "fowner=%s"},
522 {Opt_uid_gt
, "uid>%s"},
523 {Opt_euid_gt
, "euid>%s"},
524 {Opt_fowner_gt
, "fowner>%s"},
525 {Opt_uid_lt
, "uid<%s"},
526 {Opt_euid_lt
, "euid<%s"},
527 {Opt_fowner_lt
, "fowner<%s"},
528 {Opt_appraise_type
, "appraise_type=%s"},
529 {Opt_permit_directio
, "permit_directio"},
534 static int ima_lsm_rule_init(struct ima_rule_entry
*entry
,
535 substring_t
*args
, int lsm_rule
, int audit_type
)
539 if (entry
->lsm
[lsm_rule
].rule
)
542 entry
->lsm
[lsm_rule
].args_p
= match_strdup(args
);
543 if (!entry
->lsm
[lsm_rule
].args_p
)
546 entry
->lsm
[lsm_rule
].type
= audit_type
;
547 result
= security_filter_rule_init(entry
->lsm
[lsm_rule
].type
,
549 entry
->lsm
[lsm_rule
].args_p
,
550 &entry
->lsm
[lsm_rule
].rule
);
551 if (!entry
->lsm
[lsm_rule
].rule
) {
552 kfree(entry
->lsm
[lsm_rule
].args_p
);
559 static void ima_log_string_op(struct audit_buffer
*ab
, char *key
, char *value
,
560 bool (*rule_operator
)(kuid_t
, kuid_t
))
562 if (rule_operator
== &uid_gt
)
563 audit_log_format(ab
, "%s>", key
);
564 else if (rule_operator
== &uid_lt
)
565 audit_log_format(ab
, "%s<", key
);
567 audit_log_format(ab
, "%s=", key
);
568 audit_log_untrustedstring(ab
, value
);
569 audit_log_format(ab
, " ");
571 static void ima_log_string(struct audit_buffer
*ab
, char *key
, char *value
)
573 ima_log_string_op(ab
, key
, value
, NULL
);
576 static int ima_parse_rule(char *rule
, struct ima_rule_entry
*entry
)
578 struct audit_buffer
*ab
;
584 ab
= audit_log_start(NULL
, GFP_KERNEL
, AUDIT_INTEGRITY_RULE
);
586 entry
->uid
= INVALID_UID
;
587 entry
->fowner
= INVALID_UID
;
588 entry
->uid_op
= &uid_eq
;
589 entry
->fowner_op
= &uid_eq
;
590 entry
->action
= UNKNOWN
;
591 while ((p
= strsep(&rule
, " \t")) != NULL
) {
592 substring_t args
[MAX_OPT_ARGS
];
598 if ((*p
== '\0') || (*p
== ' ') || (*p
== '\t'))
600 token
= match_token(p
, policy_tokens
, args
);
603 ima_log_string(ab
, "action", "measure");
605 if (entry
->action
!= UNKNOWN
)
608 entry
->action
= MEASURE
;
610 case Opt_dont_measure
:
611 ima_log_string(ab
, "action", "dont_measure");
613 if (entry
->action
!= UNKNOWN
)
616 entry
->action
= DONT_MEASURE
;
619 ima_log_string(ab
, "action", "appraise");
621 if (entry
->action
!= UNKNOWN
)
624 entry
->action
= APPRAISE
;
626 case Opt_dont_appraise
:
627 ima_log_string(ab
, "action", "dont_appraise");
629 if (entry
->action
!= UNKNOWN
)
632 entry
->action
= DONT_APPRAISE
;
635 ima_log_string(ab
, "action", "audit");
637 if (entry
->action
!= UNKNOWN
)
640 entry
->action
= AUDIT
;
643 ima_log_string(ab
, "func", args
[0].from
);
648 if (strcmp(args
[0].from
, "FILE_CHECK") == 0)
649 entry
->func
= FILE_CHECK
;
650 /* PATH_CHECK is for backwards compat */
651 else if (strcmp(args
[0].from
, "PATH_CHECK") == 0)
652 entry
->func
= FILE_CHECK
;
653 else if (strcmp(args
[0].from
, "MODULE_CHECK") == 0)
654 entry
->func
= MODULE_CHECK
;
655 else if (strcmp(args
[0].from
, "FIRMWARE_CHECK") == 0)
656 entry
->func
= FIRMWARE_CHECK
;
657 else if ((strcmp(args
[0].from
, "FILE_MMAP") == 0)
658 || (strcmp(args
[0].from
, "MMAP_CHECK") == 0))
659 entry
->func
= MMAP_CHECK
;
660 else if (strcmp(args
[0].from
, "BPRM_CHECK") == 0)
661 entry
->func
= BPRM_CHECK
;
662 else if (strcmp(args
[0].from
, "KEXEC_KERNEL_CHECK") ==
664 entry
->func
= KEXEC_KERNEL_CHECK
;
665 else if (strcmp(args
[0].from
, "KEXEC_INITRAMFS_CHECK")
667 entry
->func
= KEXEC_INITRAMFS_CHECK
;
668 else if (strcmp(args
[0].from
, "POLICY_CHECK") == 0)
669 entry
->func
= POLICY_CHECK
;
673 entry
->flags
|= IMA_FUNC
;
676 ima_log_string(ab
, "mask", args
[0].from
);
685 if ((strcmp(from
, "MAY_EXEC")) == 0)
686 entry
->mask
= MAY_EXEC
;
687 else if (strcmp(from
, "MAY_WRITE") == 0)
688 entry
->mask
= MAY_WRITE
;
689 else if (strcmp(from
, "MAY_READ") == 0)
690 entry
->mask
= MAY_READ
;
691 else if (strcmp(from
, "MAY_APPEND") == 0)
692 entry
->mask
= MAY_APPEND
;
696 entry
->flags
|= (*args
[0].from
== '^')
697 ? IMA_INMASK
: IMA_MASK
;
700 ima_log_string(ab
, "fsmagic", args
[0].from
);
702 if (entry
->fsmagic
) {
707 result
= kstrtoul(args
[0].from
, 16, &entry
->fsmagic
);
709 entry
->flags
|= IMA_FSMAGIC
;
712 ima_log_string(ab
, "fsuuid", args
[0].from
);
714 if (uuid_is_null(&entry
->fsuuid
)) {
719 result
= uuid_parse(args
[0].from
, &entry
->fsuuid
);
721 entry
->flags
|= IMA_FSUUID
;
725 entry
->uid_op
= &uid_gt
;
728 if ((token
== Opt_uid_lt
) || (token
== Opt_euid_lt
))
729 entry
->uid_op
= &uid_lt
;
732 uid_token
= (token
== Opt_uid_eq
) ||
733 (token
== Opt_uid_gt
) ||
734 (token
== Opt_uid_lt
);
736 ima_log_string_op(ab
, uid_token
? "uid" : "euid",
737 args
[0].from
, entry
->uid_op
);
739 if (uid_valid(entry
->uid
)) {
744 result
= kstrtoul(args
[0].from
, 10, &lnum
);
746 entry
->uid
= make_kuid(current_user_ns(),
748 if (!uid_valid(entry
->uid
) ||
752 entry
->flags
|= uid_token
753 ? IMA_UID
: IMA_EUID
;
757 entry
->fowner_op
= &uid_gt
;
759 if (token
== Opt_fowner_lt
)
760 entry
->fowner_op
= &uid_lt
;
762 ima_log_string_op(ab
, "fowner", args
[0].from
,
765 if (uid_valid(entry
->fowner
)) {
770 result
= kstrtoul(args
[0].from
, 10, &lnum
);
772 entry
->fowner
= make_kuid(current_user_ns(), (uid_t
)lnum
);
773 if (!uid_valid(entry
->fowner
) || (((uid_t
)lnum
) != lnum
))
776 entry
->flags
|= IMA_FOWNER
;
780 ima_log_string(ab
, "obj_user", args
[0].from
);
781 result
= ima_lsm_rule_init(entry
, args
,
786 ima_log_string(ab
, "obj_role", args
[0].from
);
787 result
= ima_lsm_rule_init(entry
, args
,
792 ima_log_string(ab
, "obj_type", args
[0].from
);
793 result
= ima_lsm_rule_init(entry
, args
,
798 ima_log_string(ab
, "subj_user", args
[0].from
);
799 result
= ima_lsm_rule_init(entry
, args
,
804 ima_log_string(ab
, "subj_role", args
[0].from
);
805 result
= ima_lsm_rule_init(entry
, args
,
810 ima_log_string(ab
, "subj_type", args
[0].from
);
811 result
= ima_lsm_rule_init(entry
, args
,
815 case Opt_appraise_type
:
816 if (entry
->action
!= APPRAISE
) {
821 ima_log_string(ab
, "appraise_type", args
[0].from
);
822 if ((strcmp(args
[0].from
, "imasig")) == 0)
823 entry
->flags
|= IMA_DIGSIG_REQUIRED
;
827 case Opt_permit_directio
:
828 entry
->flags
|= IMA_PERMIT_DIRECTIO
;
831 if (entry
->action
!= MEASURE
) {
835 ima_log_string(ab
, "pcr", args
[0].from
);
837 result
= kstrtoint(args
[0].from
, 10, &entry
->pcr
);
838 if (result
|| INVALID_PCR(entry
->pcr
))
841 entry
->flags
|= IMA_PCR
;
845 ima_log_string(ab
, "UNKNOWN", p
);
850 if (!result
&& (entry
->action
== UNKNOWN
))
852 else if (entry
->func
== MODULE_CHECK
)
853 temp_ima_appraise
|= IMA_APPRAISE_MODULES
;
854 else if (entry
->func
== FIRMWARE_CHECK
)
855 temp_ima_appraise
|= IMA_APPRAISE_FIRMWARE
;
856 else if (entry
->func
== POLICY_CHECK
)
857 temp_ima_appraise
|= IMA_APPRAISE_POLICY
;
858 audit_log_format(ab
, "res=%d", !result
);
864 * ima_parse_add_rule - add a rule to ima_policy_rules
865 * @rule - ima measurement policy rule
867 * Avoid locking by allowing just one writer at a time in ima_write_policy()
868 * Returns the length of the rule parsed, an error code on failure
870 ssize_t
ima_parse_add_rule(char *rule
)
872 static const char op
[] = "update_policy";
874 struct ima_rule_entry
*entry
;
878 p
= strsep(&rule
, "\n");
880 p
+= strspn(p
, " \t");
882 if (*p
== '#' || *p
== '\0')
885 entry
= kzalloc(sizeof(*entry
), GFP_KERNEL
);
887 integrity_audit_msg(AUDIT_INTEGRITY_STATUS
, NULL
,
888 NULL
, op
, "-ENOMEM", -ENOMEM
, audit_info
);
892 INIT_LIST_HEAD(&entry
->list
);
894 result
= ima_parse_rule(p
, entry
);
897 integrity_audit_msg(AUDIT_INTEGRITY_STATUS
, NULL
,
898 NULL
, op
, "invalid-policy", result
,
903 list_add_tail(&entry
->list
, &ima_temp_rules
);
909 * ima_delete_rules() called to cleanup invalid in-flight policy.
910 * We don't need locking as we operate on the temp list, which is
911 * different from the active one. There is also only one user of
912 * ima_delete_rules() at a time.
914 void ima_delete_rules(void)
916 struct ima_rule_entry
*entry
, *tmp
;
919 temp_ima_appraise
= 0;
920 list_for_each_entry_safe(entry
, tmp
, &ima_temp_rules
, list
) {
921 for (i
= 0; i
< MAX_LSM_RULES
; i
++)
922 kfree(entry
->lsm
[i
].args_p
);
924 list_del(&entry
->list
);
929 #ifdef CONFIG_IMA_READ_POLICY
931 mask_exec
= 0, mask_write
, mask_read
, mask_append
934 static char *mask_tokens
[] = {
942 func_file
= 0, func_mmap
, func_bprm
,
943 func_module
, func_firmware
, func_post
,
944 func_kexec_kernel
, func_kexec_initramfs
,
948 static char *func_tokens
[] = {
955 "KEXEC_KERNEL_CHECK",
956 "KEXEC_INITRAMFS_CHECK",
960 void *ima_policy_start(struct seq_file
*m
, loff_t
*pos
)
963 struct ima_rule_entry
*entry
;
966 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
976 void *ima_policy_next(struct seq_file
*m
, void *v
, loff_t
*pos
)
978 struct ima_rule_entry
*entry
= v
;
981 entry
= list_entry_rcu(entry
->list
.next
, struct ima_rule_entry
, list
);
985 return (&entry
->list
== ima_rules
) ? NULL
: entry
;
988 void ima_policy_stop(struct seq_file
*m
, void *v
)
992 #define pt(token) policy_tokens[token + Opt_err].pattern
993 #define mt(token) mask_tokens[token]
994 #define ft(token) func_tokens[token]
997 * policy_func_show - display the ima_hooks policy rule
999 static void policy_func_show(struct seq_file
*m
, enum ima_hooks func
)
1001 char tbuf
[64] = {0,};
1005 seq_printf(m
, pt(Opt_func
), ft(func_file
));
1008 seq_printf(m
, pt(Opt_func
), ft(func_mmap
));
1011 seq_printf(m
, pt(Opt_func
), ft(func_bprm
));
1014 seq_printf(m
, pt(Opt_func
), ft(func_module
));
1016 case FIRMWARE_CHECK
:
1017 seq_printf(m
, pt(Opt_func
), ft(func_firmware
));
1020 seq_printf(m
, pt(Opt_func
), ft(func_post
));
1022 case KEXEC_KERNEL_CHECK
:
1023 seq_printf(m
, pt(Opt_func
), ft(func_kexec_kernel
));
1025 case KEXEC_INITRAMFS_CHECK
:
1026 seq_printf(m
, pt(Opt_func
), ft(func_kexec_initramfs
));
1029 seq_printf(m
, pt(Opt_func
), ft(func_policy
));
1032 snprintf(tbuf
, sizeof(tbuf
), "%d", func
);
1033 seq_printf(m
, pt(Opt_func
), tbuf
);
1039 int ima_policy_show(struct seq_file
*m
, void *v
)
1041 struct ima_rule_entry
*entry
= v
;
1043 char tbuf
[64] = {0,};
1047 if (entry
->action
& MEASURE
)
1048 seq_puts(m
, pt(Opt_measure
));
1049 if (entry
->action
& DONT_MEASURE
)
1050 seq_puts(m
, pt(Opt_dont_measure
));
1051 if (entry
->action
& APPRAISE
)
1052 seq_puts(m
, pt(Opt_appraise
));
1053 if (entry
->action
& DONT_APPRAISE
)
1054 seq_puts(m
, pt(Opt_dont_appraise
));
1055 if (entry
->action
& AUDIT
)
1056 seq_puts(m
, pt(Opt_audit
));
1060 if (entry
->flags
& IMA_FUNC
)
1061 policy_func_show(m
, entry
->func
);
1063 if (entry
->flags
& IMA_MASK
) {
1064 if (entry
->mask
& MAY_EXEC
)
1065 seq_printf(m
, pt(Opt_mask
), mt(mask_exec
));
1066 if (entry
->mask
& MAY_WRITE
)
1067 seq_printf(m
, pt(Opt_mask
), mt(mask_write
));
1068 if (entry
->mask
& MAY_READ
)
1069 seq_printf(m
, pt(Opt_mask
), mt(mask_read
));
1070 if (entry
->mask
& MAY_APPEND
)
1071 seq_printf(m
, pt(Opt_mask
), mt(mask_append
));
1075 if (entry
->flags
& IMA_FSMAGIC
) {
1076 snprintf(tbuf
, sizeof(tbuf
), "0x%lx", entry
->fsmagic
);
1077 seq_printf(m
, pt(Opt_fsmagic
), tbuf
);
1081 if (entry
->flags
& IMA_PCR
) {
1082 snprintf(tbuf
, sizeof(tbuf
), "%d", entry
->pcr
);
1083 seq_printf(m
, pt(Opt_pcr
), tbuf
);
1087 if (entry
->flags
& IMA_FSUUID
) {
1088 seq_printf(m
, "fsuuid=%pU", &entry
->fsuuid
);
1092 if (entry
->flags
& IMA_UID
) {
1093 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->uid
));
1094 if (entry
->uid_op
== &uid_gt
)
1095 seq_printf(m
, pt(Opt_uid_gt
), tbuf
);
1096 else if (entry
->uid_op
== &uid_lt
)
1097 seq_printf(m
, pt(Opt_uid_lt
), tbuf
);
1099 seq_printf(m
, pt(Opt_uid_eq
), tbuf
);
1103 if (entry
->flags
& IMA_EUID
) {
1104 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->uid
));
1105 if (entry
->uid_op
== &uid_gt
)
1106 seq_printf(m
, pt(Opt_euid_gt
), tbuf
);
1107 else if (entry
->uid_op
== &uid_lt
)
1108 seq_printf(m
, pt(Opt_euid_lt
), tbuf
);
1110 seq_printf(m
, pt(Opt_euid_eq
), tbuf
);
1114 if (entry
->flags
& IMA_FOWNER
) {
1115 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->fowner
));
1116 if (entry
->fowner_op
== &uid_gt
)
1117 seq_printf(m
, pt(Opt_fowner_gt
), tbuf
);
1118 else if (entry
->fowner_op
== &uid_lt
)
1119 seq_printf(m
, pt(Opt_fowner_lt
), tbuf
);
1121 seq_printf(m
, pt(Opt_fowner_eq
), tbuf
);
1125 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
1126 if (entry
->lsm
[i
].rule
) {
1129 seq_printf(m
, pt(Opt_obj_user
),
1130 (char *)entry
->lsm
[i
].args_p
);
1133 seq_printf(m
, pt(Opt_obj_role
),
1134 (char *)entry
->lsm
[i
].args_p
);
1137 seq_printf(m
, pt(Opt_obj_type
),
1138 (char *)entry
->lsm
[i
].args_p
);
1141 seq_printf(m
, pt(Opt_subj_user
),
1142 (char *)entry
->lsm
[i
].args_p
);
1145 seq_printf(m
, pt(Opt_subj_role
),
1146 (char *)entry
->lsm
[i
].args_p
);
1149 seq_printf(m
, pt(Opt_subj_type
),
1150 (char *)entry
->lsm
[i
].args_p
);
1155 if (entry
->flags
& IMA_DIGSIG_REQUIRED
)
1156 seq_puts(m
, "appraise_type=imasig ");
1157 if (entry
->flags
& IMA_PERMIT_DIRECTIO
)
1158 seq_puts(m
, "permit_directio ");
1163 #endif /* CONFIG_IMA_READ_POLICY */