]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/integrity/ima/ima_policy.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branches 'pm-domains', 'pm-sleep' and 'pm-cpufreq'
[mirror_ubuntu-artful-kernel.git] / security / integrity / ima / ima_policy.c
1 /*
2 * Copyright (C) 2008 IBM Corporation
3 * Author: Mimi Zohar <zohar@us.ibm.com>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 2 of the License.
8 *
9 * ima_policy.c
10 * - initialize default measure policy rules
11 *
12 */
13 #include <linux/module.h>
14 #include <linux/list.h>
15 #include <linux/fs.h>
16 #include <linux/security.h>
17 #include <linux/magic.h>
18 #include <linux/parser.h>
19 #include <linux/slab.h>
20 #include <linux/rculist.h>
21 #include <linux/genhd.h>
22 #include <linux/seq_file.h>
23
24 #include "ima.h"
25
26 /* flags definitions */
27 #define IMA_FUNC 0x0001
28 #define IMA_MASK 0x0002
29 #define IMA_FSMAGIC 0x0004
30 #define IMA_UID 0x0008
31 #define IMA_FOWNER 0x0010
32 #define IMA_FSUUID 0x0020
33 #define IMA_INMASK 0x0040
34 #define IMA_EUID 0x0080
35 #define IMA_PCR 0x0100
36
37 #define UNKNOWN 0
38 #define MEASURE 0x0001 /* same as IMA_MEASURE */
39 #define DONT_MEASURE 0x0002
40 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
41 #define DONT_APPRAISE 0x0008
42 #define AUDIT 0x0040
43
44 #define INVALID_PCR(a) (((a) < 0) || \
45 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
46
47 int ima_policy_flag;
48 static int temp_ima_appraise;
49
50 #define MAX_LSM_RULES 6
51 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
52 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
53 };
54
55 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
56
57 struct ima_rule_entry {
58 struct list_head list;
59 int action;
60 unsigned int flags;
61 enum ima_hooks func;
62 int mask;
63 unsigned long fsmagic;
64 uuid_t fsuuid;
65 kuid_t uid;
66 kuid_t fowner;
67 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */
68 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
69 int pcr;
70 struct {
71 void *rule; /* LSM file metadata specific */
72 void *args_p; /* audit value */
73 int type; /* audit type */
74 } lsm[MAX_LSM_RULES];
75 };
76
77 /*
78 * Without LSM specific knowledge, the default policy can only be
79 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
80 */
81
82 /*
83 * The minimum rule set to allow for full TCB coverage. Measures all files
84 * opened or mmap for exec and everything read by root. Dangerous because
85 * normal users can easily run the machine out of memory simply building
86 * and running executables.
87 */
88 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
89 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
90 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
91 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
92 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
93 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
94 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
95 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
96 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
97 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
98 .flags = IMA_FSMAGIC},
99 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
100 };
101
102 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
103 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
104 .flags = IMA_FUNC | IMA_MASK},
105 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
106 .flags = IMA_FUNC | IMA_MASK},
107 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
108 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
109 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
110 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
111 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
112 };
113
114 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
115 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
116 .flags = IMA_FUNC | IMA_MASK},
117 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
118 .flags = IMA_FUNC | IMA_MASK},
119 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
120 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
121 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
122 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
123 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
124 .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
125 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
126 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
127 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
128 };
129
130 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
131 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
132 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
133 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
134 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
135 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
136 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
137 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
138 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
139 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
140 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
141 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
142 #ifdef CONFIG_IMA_WRITE_POLICY
143 {.action = APPRAISE, .func = POLICY_CHECK,
144 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
145 #endif
146 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
147 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
148 .flags = IMA_FOWNER},
149 #else
150 /* force signature */
151 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
152 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
153 #endif
154 };
155
156 static LIST_HEAD(ima_default_rules);
157 static LIST_HEAD(ima_policy_rules);
158 static LIST_HEAD(ima_temp_rules);
159 static struct list_head *ima_rules;
160
161 static int ima_policy __initdata;
162
163 static int __init default_measure_policy_setup(char *str)
164 {
165 if (ima_policy)
166 return 1;
167
168 ima_policy = ORIGINAL_TCB;
169 return 1;
170 }
171 __setup("ima_tcb", default_measure_policy_setup);
172
173 static int __init policy_setup(char *str)
174 {
175 if (ima_policy)
176 return 1;
177
178 if (strcmp(str, "tcb") == 0)
179 ima_policy = DEFAULT_TCB;
180
181 return 1;
182 }
183 __setup("ima_policy=", policy_setup);
184
185 static bool ima_use_appraise_tcb __initdata;
186 static int __init default_appraise_policy_setup(char *str)
187 {
188 ima_use_appraise_tcb = 1;
189 return 1;
190 }
191 __setup("ima_appraise_tcb", default_appraise_policy_setup);
192
193 /*
194 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
195 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect
196 * the reloaded LSM policy. We assume the rules still exist; and BUG_ON() if
197 * they don't.
198 */
199 static void ima_lsm_update_rules(void)
200 {
201 struct ima_rule_entry *entry;
202 int result;
203 int i;
204
205 list_for_each_entry(entry, &ima_policy_rules, list) {
206 for (i = 0; i < MAX_LSM_RULES; i++) {
207 if (!entry->lsm[i].rule)
208 continue;
209 result = security_filter_rule_init(entry->lsm[i].type,
210 Audit_equal,
211 entry->lsm[i].args_p,
212 &entry->lsm[i].rule);
213 BUG_ON(!entry->lsm[i].rule);
214 }
215 }
216 }
217
218 /**
219 * ima_match_rules - determine whether an inode matches the measure rule.
220 * @rule: a pointer to a rule
221 * @inode: a pointer to an inode
222 * @func: LIM hook identifier
223 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
224 *
225 * Returns true on rule match, false on failure.
226 */
227 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
228 enum ima_hooks func, int mask)
229 {
230 struct task_struct *tsk = current;
231 const struct cred *cred = current_cred();
232 int i;
233
234 if ((rule->flags & IMA_FUNC) &&
235 (rule->func != func && func != POST_SETATTR))
236 return false;
237 if ((rule->flags & IMA_MASK) &&
238 (rule->mask != mask && func != POST_SETATTR))
239 return false;
240 if ((rule->flags & IMA_INMASK) &&
241 (!(rule->mask & mask) && func != POST_SETATTR))
242 return false;
243 if ((rule->flags & IMA_FSMAGIC)
244 && rule->fsmagic != inode->i_sb->s_magic)
245 return false;
246 if ((rule->flags & IMA_FSUUID) &&
247 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
248 return false;
249 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
250 return false;
251 if (rule->flags & IMA_EUID) {
252 if (has_capability_noaudit(current, CAP_SETUID)) {
253 if (!rule->uid_op(cred->euid, rule->uid)
254 && !rule->uid_op(cred->suid, rule->uid)
255 && !rule->uid_op(cred->uid, rule->uid))
256 return false;
257 } else if (!rule->uid_op(cred->euid, rule->uid))
258 return false;
259 }
260
261 if ((rule->flags & IMA_FOWNER) &&
262 !rule->fowner_op(inode->i_uid, rule->fowner))
263 return false;
264 for (i = 0; i < MAX_LSM_RULES; i++) {
265 int rc = 0;
266 u32 osid, sid;
267 int retried = 0;
268
269 if (!rule->lsm[i].rule)
270 continue;
271 retry:
272 switch (i) {
273 case LSM_OBJ_USER:
274 case LSM_OBJ_ROLE:
275 case LSM_OBJ_TYPE:
276 security_inode_getsecid(inode, &osid);
277 rc = security_filter_rule_match(osid,
278 rule->lsm[i].type,
279 Audit_equal,
280 rule->lsm[i].rule,
281 NULL);
282 break;
283 case LSM_SUBJ_USER:
284 case LSM_SUBJ_ROLE:
285 case LSM_SUBJ_TYPE:
286 security_task_getsecid(tsk, &sid);
287 rc = security_filter_rule_match(sid,
288 rule->lsm[i].type,
289 Audit_equal,
290 rule->lsm[i].rule,
291 NULL);
292 default:
293 break;
294 }
295 if ((rc < 0) && (!retried)) {
296 retried = 1;
297 ima_lsm_update_rules();
298 goto retry;
299 }
300 if (!rc)
301 return false;
302 }
303 return true;
304 }
305
306 /*
307 * In addition to knowing that we need to appraise the file in general,
308 * we need to differentiate between calling hooks, for hook specific rules.
309 */
310 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
311 {
312 if (!(rule->flags & IMA_FUNC))
313 return IMA_FILE_APPRAISE;
314
315 switch (func) {
316 case MMAP_CHECK:
317 return IMA_MMAP_APPRAISE;
318 case BPRM_CHECK:
319 return IMA_BPRM_APPRAISE;
320 case FILE_CHECK:
321 case POST_SETATTR:
322 return IMA_FILE_APPRAISE;
323 case MODULE_CHECK ... MAX_CHECK - 1:
324 default:
325 return IMA_READ_APPRAISE;
326 }
327 }
328
329 /**
330 * ima_match_policy - decision based on LSM and other conditions
331 * @inode: pointer to an inode for which the policy decision is being made
332 * @func: IMA hook identifier
333 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
334 * @pcr: set the pcr to extend
335 *
336 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
337 * conditions.
338 *
339 * Since the IMA policy may be updated multiple times we need to lock the
340 * list when walking it. Reads are many orders of magnitude more numerous
341 * than writes so ima_match_policy() is classical RCU candidate.
342 */
343 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
344 int flags, int *pcr)
345 {
346 struct ima_rule_entry *entry;
347 int action = 0, actmask = flags | (flags << 1);
348
349 rcu_read_lock();
350 list_for_each_entry_rcu(entry, ima_rules, list) {
351
352 if (!(entry->action & actmask))
353 continue;
354
355 if (!ima_match_rules(entry, inode, func, mask))
356 continue;
357
358 action |= entry->flags & IMA_ACTION_FLAGS;
359
360 action |= entry->action & IMA_DO_MASK;
361 if (entry->action & IMA_APPRAISE)
362 action |= get_subaction(entry, func);
363
364 if (entry->action & IMA_DO_MASK)
365 actmask &= ~(entry->action | entry->action << 1);
366 else
367 actmask &= ~(entry->action | entry->action >> 1);
368
369 if ((pcr) && (entry->flags & IMA_PCR))
370 *pcr = entry->pcr;
371
372 if (!actmask)
373 break;
374 }
375 rcu_read_unlock();
376
377 return action;
378 }
379
380 /*
381 * Initialize the ima_policy_flag variable based on the currently
382 * loaded policy. Based on this flag, the decision to short circuit
383 * out of a function or not call the function in the first place
384 * can be made earlier.
385 */
386 void ima_update_policy_flag(void)
387 {
388 struct ima_rule_entry *entry;
389
390 list_for_each_entry(entry, ima_rules, list) {
391 if (entry->action & IMA_DO_MASK)
392 ima_policy_flag |= entry->action;
393 }
394
395 ima_appraise |= temp_ima_appraise;
396 if (!ima_appraise)
397 ima_policy_flag &= ~IMA_APPRAISE;
398 }
399
400 /**
401 * ima_init_policy - initialize the default measure rules.
402 *
403 * ima_rules points to either the ima_default_rules or the
404 * the new ima_policy_rules.
405 */
406 void __init ima_init_policy(void)
407 {
408 int i, measure_entries, appraise_entries;
409
410 /* if !ima_policy set entries = 0 so we load NO default rules */
411 measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
412 appraise_entries = ima_use_appraise_tcb ?
413 ARRAY_SIZE(default_appraise_rules) : 0;
414
415 for (i = 0; i < measure_entries; i++)
416 list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
417
418 switch (ima_policy) {
419 case ORIGINAL_TCB:
420 for (i = 0; i < ARRAY_SIZE(original_measurement_rules); i++)
421 list_add_tail(&original_measurement_rules[i].list,
422 &ima_default_rules);
423 break;
424 case DEFAULT_TCB:
425 for (i = 0; i < ARRAY_SIZE(default_measurement_rules); i++)
426 list_add_tail(&default_measurement_rules[i].list,
427 &ima_default_rules);
428 default:
429 break;
430 }
431
432 for (i = 0; i < appraise_entries; i++) {
433 list_add_tail(&default_appraise_rules[i].list,
434 &ima_default_rules);
435 if (default_appraise_rules[i].func == POLICY_CHECK)
436 temp_ima_appraise |= IMA_APPRAISE_POLICY;
437 }
438
439 ima_rules = &ima_default_rules;
440 ima_update_policy_flag();
441 }
442
443 /* Make sure we have a valid policy, at least containing some rules. */
444 int ima_check_policy(void)
445 {
446 if (list_empty(&ima_temp_rules))
447 return -EINVAL;
448 return 0;
449 }
450
451 /**
452 * ima_update_policy - update default_rules with new measure rules
453 *
454 * Called on file .release to update the default rules with a complete new
455 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so
456 * they make a queue. The policy may be updated multiple times and this is the
457 * RCU updater.
458 *
459 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
460 * we switch from the default policy to user defined.
461 */
462 void ima_update_policy(void)
463 {
464 struct list_head *first, *last, *policy;
465
466 /* append current policy with the new rules */
467 first = (&ima_temp_rules)->next;
468 last = (&ima_temp_rules)->prev;
469 policy = &ima_policy_rules;
470
471 synchronize_rcu();
472
473 last->next = policy;
474 rcu_assign_pointer(list_next_rcu(policy->prev), first);
475 first->prev = policy->prev;
476 policy->prev = last;
477
478 /* prepare for the next policy rules addition */
479 INIT_LIST_HEAD(&ima_temp_rules);
480
481 if (ima_rules != policy) {
482 ima_policy_flag = 0;
483 ima_rules = policy;
484 }
485 ima_update_policy_flag();
486 }
487
488 enum {
489 Opt_err = -1,
490 Opt_measure = 1, Opt_dont_measure,
491 Opt_appraise, Opt_dont_appraise,
492 Opt_audit,
493 Opt_obj_user, Opt_obj_role, Opt_obj_type,
494 Opt_subj_user, Opt_subj_role, Opt_subj_type,
495 Opt_func, Opt_mask, Opt_fsmagic,
496 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
497 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
498 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
499 Opt_appraise_type, Opt_permit_directio,
500 Opt_pcr
501 };
502
503 static match_table_t policy_tokens = {
504 {Opt_measure, "measure"},
505 {Opt_dont_measure, "dont_measure"},
506 {Opt_appraise, "appraise"},
507 {Opt_dont_appraise, "dont_appraise"},
508 {Opt_audit, "audit"},
509 {Opt_obj_user, "obj_user=%s"},
510 {Opt_obj_role, "obj_role=%s"},
511 {Opt_obj_type, "obj_type=%s"},
512 {Opt_subj_user, "subj_user=%s"},
513 {Opt_subj_role, "subj_role=%s"},
514 {Opt_subj_type, "subj_type=%s"},
515 {Opt_func, "func=%s"},
516 {Opt_mask, "mask=%s"},
517 {Opt_fsmagic, "fsmagic=%s"},
518 {Opt_fsuuid, "fsuuid=%s"},
519 {Opt_uid_eq, "uid=%s"},
520 {Opt_euid_eq, "euid=%s"},
521 {Opt_fowner_eq, "fowner=%s"},
522 {Opt_uid_gt, "uid>%s"},
523 {Opt_euid_gt, "euid>%s"},
524 {Opt_fowner_gt, "fowner>%s"},
525 {Opt_uid_lt, "uid<%s"},
526 {Opt_euid_lt, "euid<%s"},
527 {Opt_fowner_lt, "fowner<%s"},
528 {Opt_appraise_type, "appraise_type=%s"},
529 {Opt_permit_directio, "permit_directio"},
530 {Opt_pcr, "pcr=%s"},
531 {Opt_err, NULL}
532 };
533
534 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
535 substring_t *args, int lsm_rule, int audit_type)
536 {
537 int result;
538
539 if (entry->lsm[lsm_rule].rule)
540 return -EINVAL;
541
542 entry->lsm[lsm_rule].args_p = match_strdup(args);
543 if (!entry->lsm[lsm_rule].args_p)
544 return -ENOMEM;
545
546 entry->lsm[lsm_rule].type = audit_type;
547 result = security_filter_rule_init(entry->lsm[lsm_rule].type,
548 Audit_equal,
549 entry->lsm[lsm_rule].args_p,
550 &entry->lsm[lsm_rule].rule);
551 if (!entry->lsm[lsm_rule].rule) {
552 kfree(entry->lsm[lsm_rule].args_p);
553 return -EINVAL;
554 }
555
556 return result;
557 }
558
559 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
560 bool (*rule_operator)(kuid_t, kuid_t))
561 {
562 if (rule_operator == &uid_gt)
563 audit_log_format(ab, "%s>", key);
564 else if (rule_operator == &uid_lt)
565 audit_log_format(ab, "%s<", key);
566 else
567 audit_log_format(ab, "%s=", key);
568 audit_log_untrustedstring(ab, value);
569 audit_log_format(ab, " ");
570 }
571 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
572 {
573 ima_log_string_op(ab, key, value, NULL);
574 }
575
576 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
577 {
578 struct audit_buffer *ab;
579 char *from;
580 char *p;
581 bool uid_token;
582 int result = 0;
583
584 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
585
586 entry->uid = INVALID_UID;
587 entry->fowner = INVALID_UID;
588 entry->uid_op = &uid_eq;
589 entry->fowner_op = &uid_eq;
590 entry->action = UNKNOWN;
591 while ((p = strsep(&rule, " \t")) != NULL) {
592 substring_t args[MAX_OPT_ARGS];
593 int token;
594 unsigned long lnum;
595
596 if (result < 0)
597 break;
598 if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
599 continue;
600 token = match_token(p, policy_tokens, args);
601 switch (token) {
602 case Opt_measure:
603 ima_log_string(ab, "action", "measure");
604
605 if (entry->action != UNKNOWN)
606 result = -EINVAL;
607
608 entry->action = MEASURE;
609 break;
610 case Opt_dont_measure:
611 ima_log_string(ab, "action", "dont_measure");
612
613 if (entry->action != UNKNOWN)
614 result = -EINVAL;
615
616 entry->action = DONT_MEASURE;
617 break;
618 case Opt_appraise:
619 ima_log_string(ab, "action", "appraise");
620
621 if (entry->action != UNKNOWN)
622 result = -EINVAL;
623
624 entry->action = APPRAISE;
625 break;
626 case Opt_dont_appraise:
627 ima_log_string(ab, "action", "dont_appraise");
628
629 if (entry->action != UNKNOWN)
630 result = -EINVAL;
631
632 entry->action = DONT_APPRAISE;
633 break;
634 case Opt_audit:
635 ima_log_string(ab, "action", "audit");
636
637 if (entry->action != UNKNOWN)
638 result = -EINVAL;
639
640 entry->action = AUDIT;
641 break;
642 case Opt_func:
643 ima_log_string(ab, "func", args[0].from);
644
645 if (entry->func)
646 result = -EINVAL;
647
648 if (strcmp(args[0].from, "FILE_CHECK") == 0)
649 entry->func = FILE_CHECK;
650 /* PATH_CHECK is for backwards compat */
651 else if (strcmp(args[0].from, "PATH_CHECK") == 0)
652 entry->func = FILE_CHECK;
653 else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
654 entry->func = MODULE_CHECK;
655 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
656 entry->func = FIRMWARE_CHECK;
657 else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
658 || (strcmp(args[0].from, "MMAP_CHECK") == 0))
659 entry->func = MMAP_CHECK;
660 else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
661 entry->func = BPRM_CHECK;
662 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
663 0)
664 entry->func = KEXEC_KERNEL_CHECK;
665 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
666 == 0)
667 entry->func = KEXEC_INITRAMFS_CHECK;
668 else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
669 entry->func = POLICY_CHECK;
670 else
671 result = -EINVAL;
672 if (!result)
673 entry->flags |= IMA_FUNC;
674 break;
675 case Opt_mask:
676 ima_log_string(ab, "mask", args[0].from);
677
678 if (entry->mask)
679 result = -EINVAL;
680
681 from = args[0].from;
682 if (*from == '^')
683 from++;
684
685 if ((strcmp(from, "MAY_EXEC")) == 0)
686 entry->mask = MAY_EXEC;
687 else if (strcmp(from, "MAY_WRITE") == 0)
688 entry->mask = MAY_WRITE;
689 else if (strcmp(from, "MAY_READ") == 0)
690 entry->mask = MAY_READ;
691 else if (strcmp(from, "MAY_APPEND") == 0)
692 entry->mask = MAY_APPEND;
693 else
694 result = -EINVAL;
695 if (!result)
696 entry->flags |= (*args[0].from == '^')
697 ? IMA_INMASK : IMA_MASK;
698 break;
699 case Opt_fsmagic:
700 ima_log_string(ab, "fsmagic", args[0].from);
701
702 if (entry->fsmagic) {
703 result = -EINVAL;
704 break;
705 }
706
707 result = kstrtoul(args[0].from, 16, &entry->fsmagic);
708 if (!result)
709 entry->flags |= IMA_FSMAGIC;
710 break;
711 case Opt_fsuuid:
712 ima_log_string(ab, "fsuuid", args[0].from);
713
714 if (uuid_is_null(&entry->fsuuid)) {
715 result = -EINVAL;
716 break;
717 }
718
719 result = uuid_parse(args[0].from, &entry->fsuuid);
720 if (!result)
721 entry->flags |= IMA_FSUUID;
722 break;
723 case Opt_uid_gt:
724 case Opt_euid_gt:
725 entry->uid_op = &uid_gt;
726 case Opt_uid_lt:
727 case Opt_euid_lt:
728 if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
729 entry->uid_op = &uid_lt;
730 case Opt_uid_eq:
731 case Opt_euid_eq:
732 uid_token = (token == Opt_uid_eq) ||
733 (token == Opt_uid_gt) ||
734 (token == Opt_uid_lt);
735
736 ima_log_string_op(ab, uid_token ? "uid" : "euid",
737 args[0].from, entry->uid_op);
738
739 if (uid_valid(entry->uid)) {
740 result = -EINVAL;
741 break;
742 }
743
744 result = kstrtoul(args[0].from, 10, &lnum);
745 if (!result) {
746 entry->uid = make_kuid(current_user_ns(),
747 (uid_t) lnum);
748 if (!uid_valid(entry->uid) ||
749 (uid_t)lnum != lnum)
750 result = -EINVAL;
751 else
752 entry->flags |= uid_token
753 ? IMA_UID : IMA_EUID;
754 }
755 break;
756 case Opt_fowner_gt:
757 entry->fowner_op = &uid_gt;
758 case Opt_fowner_lt:
759 if (token == Opt_fowner_lt)
760 entry->fowner_op = &uid_lt;
761 case Opt_fowner_eq:
762 ima_log_string_op(ab, "fowner", args[0].from,
763 entry->fowner_op);
764
765 if (uid_valid(entry->fowner)) {
766 result = -EINVAL;
767 break;
768 }
769
770 result = kstrtoul(args[0].from, 10, &lnum);
771 if (!result) {
772 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
773 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
774 result = -EINVAL;
775 else
776 entry->flags |= IMA_FOWNER;
777 }
778 break;
779 case Opt_obj_user:
780 ima_log_string(ab, "obj_user", args[0].from);
781 result = ima_lsm_rule_init(entry, args,
782 LSM_OBJ_USER,
783 AUDIT_OBJ_USER);
784 break;
785 case Opt_obj_role:
786 ima_log_string(ab, "obj_role", args[0].from);
787 result = ima_lsm_rule_init(entry, args,
788 LSM_OBJ_ROLE,
789 AUDIT_OBJ_ROLE);
790 break;
791 case Opt_obj_type:
792 ima_log_string(ab, "obj_type", args[0].from);
793 result = ima_lsm_rule_init(entry, args,
794 LSM_OBJ_TYPE,
795 AUDIT_OBJ_TYPE);
796 break;
797 case Opt_subj_user:
798 ima_log_string(ab, "subj_user", args[0].from);
799 result = ima_lsm_rule_init(entry, args,
800 LSM_SUBJ_USER,
801 AUDIT_SUBJ_USER);
802 break;
803 case Opt_subj_role:
804 ima_log_string(ab, "subj_role", args[0].from);
805 result = ima_lsm_rule_init(entry, args,
806 LSM_SUBJ_ROLE,
807 AUDIT_SUBJ_ROLE);
808 break;
809 case Opt_subj_type:
810 ima_log_string(ab, "subj_type", args[0].from);
811 result = ima_lsm_rule_init(entry, args,
812 LSM_SUBJ_TYPE,
813 AUDIT_SUBJ_TYPE);
814 break;
815 case Opt_appraise_type:
816 if (entry->action != APPRAISE) {
817 result = -EINVAL;
818 break;
819 }
820
821 ima_log_string(ab, "appraise_type", args[0].from);
822 if ((strcmp(args[0].from, "imasig")) == 0)
823 entry->flags |= IMA_DIGSIG_REQUIRED;
824 else
825 result = -EINVAL;
826 break;
827 case Opt_permit_directio:
828 entry->flags |= IMA_PERMIT_DIRECTIO;
829 break;
830 case Opt_pcr:
831 if (entry->action != MEASURE) {
832 result = -EINVAL;
833 break;
834 }
835 ima_log_string(ab, "pcr", args[0].from);
836
837 result = kstrtoint(args[0].from, 10, &entry->pcr);
838 if (result || INVALID_PCR(entry->pcr))
839 result = -EINVAL;
840 else
841 entry->flags |= IMA_PCR;
842
843 break;
844 case Opt_err:
845 ima_log_string(ab, "UNKNOWN", p);
846 result = -EINVAL;
847 break;
848 }
849 }
850 if (!result && (entry->action == UNKNOWN))
851 result = -EINVAL;
852 else if (entry->func == MODULE_CHECK)
853 temp_ima_appraise |= IMA_APPRAISE_MODULES;
854 else if (entry->func == FIRMWARE_CHECK)
855 temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
856 else if (entry->func == POLICY_CHECK)
857 temp_ima_appraise |= IMA_APPRAISE_POLICY;
858 audit_log_format(ab, "res=%d", !result);
859 audit_log_end(ab);
860 return result;
861 }
862
863 /**
864 * ima_parse_add_rule - add a rule to ima_policy_rules
865 * @rule - ima measurement policy rule
866 *
867 * Avoid locking by allowing just one writer at a time in ima_write_policy()
868 * Returns the length of the rule parsed, an error code on failure
869 */
870 ssize_t ima_parse_add_rule(char *rule)
871 {
872 static const char op[] = "update_policy";
873 char *p;
874 struct ima_rule_entry *entry;
875 ssize_t result, len;
876 int audit_info = 0;
877
878 p = strsep(&rule, "\n");
879 len = strlen(p) + 1;
880 p += strspn(p, " \t");
881
882 if (*p == '#' || *p == '\0')
883 return len;
884
885 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
886 if (!entry) {
887 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
888 NULL, op, "-ENOMEM", -ENOMEM, audit_info);
889 return -ENOMEM;
890 }
891
892 INIT_LIST_HEAD(&entry->list);
893
894 result = ima_parse_rule(p, entry);
895 if (result) {
896 kfree(entry);
897 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
898 NULL, op, "invalid-policy", result,
899 audit_info);
900 return result;
901 }
902
903 list_add_tail(&entry->list, &ima_temp_rules);
904
905 return len;
906 }
907
908 /**
909 * ima_delete_rules() called to cleanup invalid in-flight policy.
910 * We don't need locking as we operate on the temp list, which is
911 * different from the active one. There is also only one user of
912 * ima_delete_rules() at a time.
913 */
914 void ima_delete_rules(void)
915 {
916 struct ima_rule_entry *entry, *tmp;
917 int i;
918
919 temp_ima_appraise = 0;
920 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
921 for (i = 0; i < MAX_LSM_RULES; i++)
922 kfree(entry->lsm[i].args_p);
923
924 list_del(&entry->list);
925 kfree(entry);
926 }
927 }
928
929 #ifdef CONFIG_IMA_READ_POLICY
930 enum {
931 mask_exec = 0, mask_write, mask_read, mask_append
932 };
933
934 static char *mask_tokens[] = {
935 "MAY_EXEC",
936 "MAY_WRITE",
937 "MAY_READ",
938 "MAY_APPEND"
939 };
940
941 enum {
942 func_file = 0, func_mmap, func_bprm,
943 func_module, func_firmware, func_post,
944 func_kexec_kernel, func_kexec_initramfs,
945 func_policy
946 };
947
948 static char *func_tokens[] = {
949 "FILE_CHECK",
950 "MMAP_CHECK",
951 "BPRM_CHECK",
952 "MODULE_CHECK",
953 "FIRMWARE_CHECK",
954 "POST_SETATTR",
955 "KEXEC_KERNEL_CHECK",
956 "KEXEC_INITRAMFS_CHECK",
957 "POLICY_CHECK"
958 };
959
960 void *ima_policy_start(struct seq_file *m, loff_t *pos)
961 {
962 loff_t l = *pos;
963 struct ima_rule_entry *entry;
964
965 rcu_read_lock();
966 list_for_each_entry_rcu(entry, ima_rules, list) {
967 if (!l--) {
968 rcu_read_unlock();
969 return entry;
970 }
971 }
972 rcu_read_unlock();
973 return NULL;
974 }
975
976 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
977 {
978 struct ima_rule_entry *entry = v;
979
980 rcu_read_lock();
981 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
982 rcu_read_unlock();
983 (*pos)++;
984
985 return (&entry->list == ima_rules) ? NULL : entry;
986 }
987
988 void ima_policy_stop(struct seq_file *m, void *v)
989 {
990 }
991
992 #define pt(token) policy_tokens[token + Opt_err].pattern
993 #define mt(token) mask_tokens[token]
994 #define ft(token) func_tokens[token]
995
996 /*
997 * policy_func_show - display the ima_hooks policy rule
998 */
999 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1000 {
1001 char tbuf[64] = {0,};
1002
1003 switch (func) {
1004 case FILE_CHECK:
1005 seq_printf(m, pt(Opt_func), ft(func_file));
1006 break;
1007 case MMAP_CHECK:
1008 seq_printf(m, pt(Opt_func), ft(func_mmap));
1009 break;
1010 case BPRM_CHECK:
1011 seq_printf(m, pt(Opt_func), ft(func_bprm));
1012 break;
1013 case MODULE_CHECK:
1014 seq_printf(m, pt(Opt_func), ft(func_module));
1015 break;
1016 case FIRMWARE_CHECK:
1017 seq_printf(m, pt(Opt_func), ft(func_firmware));
1018 break;
1019 case POST_SETATTR:
1020 seq_printf(m, pt(Opt_func), ft(func_post));
1021 break;
1022 case KEXEC_KERNEL_CHECK:
1023 seq_printf(m, pt(Opt_func), ft(func_kexec_kernel));
1024 break;
1025 case KEXEC_INITRAMFS_CHECK:
1026 seq_printf(m, pt(Opt_func), ft(func_kexec_initramfs));
1027 break;
1028 case POLICY_CHECK:
1029 seq_printf(m, pt(Opt_func), ft(func_policy));
1030 break;
1031 default:
1032 snprintf(tbuf, sizeof(tbuf), "%d", func);
1033 seq_printf(m, pt(Opt_func), tbuf);
1034 break;
1035 }
1036 seq_puts(m, " ");
1037 }
1038
1039 int ima_policy_show(struct seq_file *m, void *v)
1040 {
1041 struct ima_rule_entry *entry = v;
1042 int i;
1043 char tbuf[64] = {0,};
1044
1045 rcu_read_lock();
1046
1047 if (entry->action & MEASURE)
1048 seq_puts(m, pt(Opt_measure));
1049 if (entry->action & DONT_MEASURE)
1050 seq_puts(m, pt(Opt_dont_measure));
1051 if (entry->action & APPRAISE)
1052 seq_puts(m, pt(Opt_appraise));
1053 if (entry->action & DONT_APPRAISE)
1054 seq_puts(m, pt(Opt_dont_appraise));
1055 if (entry->action & AUDIT)
1056 seq_puts(m, pt(Opt_audit));
1057
1058 seq_puts(m, " ");
1059
1060 if (entry->flags & IMA_FUNC)
1061 policy_func_show(m, entry->func);
1062
1063 if (entry->flags & IMA_MASK) {
1064 if (entry->mask & MAY_EXEC)
1065 seq_printf(m, pt(Opt_mask), mt(mask_exec));
1066 if (entry->mask & MAY_WRITE)
1067 seq_printf(m, pt(Opt_mask), mt(mask_write));
1068 if (entry->mask & MAY_READ)
1069 seq_printf(m, pt(Opt_mask), mt(mask_read));
1070 if (entry->mask & MAY_APPEND)
1071 seq_printf(m, pt(Opt_mask), mt(mask_append));
1072 seq_puts(m, " ");
1073 }
1074
1075 if (entry->flags & IMA_FSMAGIC) {
1076 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1077 seq_printf(m, pt(Opt_fsmagic), tbuf);
1078 seq_puts(m, " ");
1079 }
1080
1081 if (entry->flags & IMA_PCR) {
1082 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1083 seq_printf(m, pt(Opt_pcr), tbuf);
1084 seq_puts(m, " ");
1085 }
1086
1087 if (entry->flags & IMA_FSUUID) {
1088 seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1089 seq_puts(m, " ");
1090 }
1091
1092 if (entry->flags & IMA_UID) {
1093 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1094 if (entry->uid_op == &uid_gt)
1095 seq_printf(m, pt(Opt_uid_gt), tbuf);
1096 else if (entry->uid_op == &uid_lt)
1097 seq_printf(m, pt(Opt_uid_lt), tbuf);
1098 else
1099 seq_printf(m, pt(Opt_uid_eq), tbuf);
1100 seq_puts(m, " ");
1101 }
1102
1103 if (entry->flags & IMA_EUID) {
1104 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1105 if (entry->uid_op == &uid_gt)
1106 seq_printf(m, pt(Opt_euid_gt), tbuf);
1107 else if (entry->uid_op == &uid_lt)
1108 seq_printf(m, pt(Opt_euid_lt), tbuf);
1109 else
1110 seq_printf(m, pt(Opt_euid_eq), tbuf);
1111 seq_puts(m, " ");
1112 }
1113
1114 if (entry->flags & IMA_FOWNER) {
1115 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1116 if (entry->fowner_op == &uid_gt)
1117 seq_printf(m, pt(Opt_fowner_gt), tbuf);
1118 else if (entry->fowner_op == &uid_lt)
1119 seq_printf(m, pt(Opt_fowner_lt), tbuf);
1120 else
1121 seq_printf(m, pt(Opt_fowner_eq), tbuf);
1122 seq_puts(m, " ");
1123 }
1124
1125 for (i = 0; i < MAX_LSM_RULES; i++) {
1126 if (entry->lsm[i].rule) {
1127 switch (i) {
1128 case LSM_OBJ_USER:
1129 seq_printf(m, pt(Opt_obj_user),
1130 (char *)entry->lsm[i].args_p);
1131 break;
1132 case LSM_OBJ_ROLE:
1133 seq_printf(m, pt(Opt_obj_role),
1134 (char *)entry->lsm[i].args_p);
1135 break;
1136 case LSM_OBJ_TYPE:
1137 seq_printf(m, pt(Opt_obj_type),
1138 (char *)entry->lsm[i].args_p);
1139 break;
1140 case LSM_SUBJ_USER:
1141 seq_printf(m, pt(Opt_subj_user),
1142 (char *)entry->lsm[i].args_p);
1143 break;
1144 case LSM_SUBJ_ROLE:
1145 seq_printf(m, pt(Opt_subj_role),
1146 (char *)entry->lsm[i].args_p);
1147 break;
1148 case LSM_SUBJ_TYPE:
1149 seq_printf(m, pt(Opt_subj_type),
1150 (char *)entry->lsm[i].args_p);
1151 break;
1152 }
1153 }
1154 }
1155 if (entry->flags & IMA_DIGSIG_REQUIRED)
1156 seq_puts(m, "appraise_type=imasig ");
1157 if (entry->flags & IMA_PERMIT_DIRECTIO)
1158 seq_puts(m, "permit_directio ");
1159 rcu_read_unlock();
1160 seq_puts(m, "\n");
1161 return 0;
1162 }
1163 #endif /* CONFIG_IMA_READ_POLICY */
Ubuntu Artful kernel mirror