1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Copyright (C) 2008 IBM Corporation |
4 | * Author: Mimi Zohar <zohar@us.ibm.com> |
5 | * |
6 | * ima_policy.c |
7 | * - initialize default measure policy rules |
8 | */ |
9 | |
10 | #include <linux/init.h> |
11 | #include <linux/list.h> |
12 | #include <linux/kernel_read_file.h> |
13 | #include <linux/fs.h> |
14 | #include <linux/security.h> |
15 | #include <linux/magic.h> |
16 | #include <linux/parser.h> |
17 | #include <linux/slab.h> |
18 | #include <linux/rculist.h> |
19 | #include <linux/seq_file.h> |
20 | #include <linux/ima.h> |
21 | |
22 | #include "ima.h" |
23 | |
24 | /* flags definitions */ |
25 | #define IMA_FUNC 0x0001 |
26 | #define IMA_MASK 0x0002 |
27 | #define IMA_FSMAGIC 0x0004 |
28 | #define IMA_UID 0x0008 |
29 | #define IMA_FOWNER 0x0010 |
30 | #define IMA_FSUUID 0x0020 |
31 | #define IMA_INMASK 0x0040 |
32 | #define IMA_EUID 0x0080 |
33 | #define IMA_PCR 0x0100 |
34 | #define IMA_FSNAME 0x0200 |
35 | #define IMA_KEYRINGS 0x0400 |
36 | #define IMA_LABEL 0x0800 |
37 | #define IMA_VALIDATE_ALGOS 0x1000 |
38 | #define IMA_GID 0x2000 |
39 | #define IMA_EGID 0x4000 |
40 | #define IMA_FGROUP 0x8000 |
41 | |
42 | #define UNKNOWN 0 |
43 | #define MEASURE 0x0001 /* same as IMA_MEASURE */ |
44 | #define DONT_MEASURE 0x0002 |
45 | #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ |
46 | #define DONT_APPRAISE 0x0008 |
47 | #define AUDIT 0x0040 |
48 | #define HASH 0x0100 |
49 | #define DONT_HASH 0x0200 |
50 | |
51 | #define INVALID_PCR(a) (((a) < 0) || \ |
52 | (a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8)) |
53 | |
54 | int ima_policy_flag; |
55 | static int temp_ima_appraise; |
56 | static int build_ima_appraise __ro_after_init; |
57 | |
58 | atomic_t ima_setxattr_allowed_hash_algorithms; |
59 | |
60 | #define MAX_LSM_RULES 6 |
61 | enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, |
62 | LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE |
63 | }; |
64 | |
65 | enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; |
66 | |
67 | enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; |
68 | |
69 | struct ima_rule_opt_list { |
70 | size_t count; |
71 | char *items[] __counted_by(count); |
72 | }; |
73 | |
74 | /* |
75 | * These comparators are needed nowhere outside of ima so just define them here. |
76 | * This pattern should hopefully never be needed outside of ima. |
77 | */ |
78 | static inline bool vfsuid_gt_kuid(vfsuid_t vfsuid, kuid_t kuid) |
79 | { |
80 | return __vfsuid_val(uid: vfsuid) > __kuid_val(uid: kuid); |
81 | } |
82 | |
83 | static inline bool vfsgid_gt_kgid(vfsgid_t vfsgid, kgid_t kgid) |
84 | { |
85 | return __vfsgid_val(gid: vfsgid) > __kgid_val(gid: kgid); |
86 | } |
87 | |
88 | static inline bool vfsuid_lt_kuid(vfsuid_t vfsuid, kuid_t kuid) |
89 | { |
90 | return __vfsuid_val(uid: vfsuid) < __kuid_val(uid: kuid); |
91 | } |
92 | |
93 | static inline bool vfsgid_lt_kgid(vfsgid_t vfsgid, kgid_t kgid) |
94 | { |
95 | return __vfsgid_val(gid: vfsgid) < __kgid_val(gid: kgid); |
96 | } |
97 | |
98 | struct ima_rule_entry { |
99 | struct list_head list; |
100 | int action; |
101 | unsigned int flags; |
102 | enum ima_hooks func; |
103 | int mask; |
104 | unsigned long fsmagic; |
105 | uuid_t fsuuid; |
106 | kuid_t uid; |
107 | kgid_t gid; |
108 | kuid_t fowner; |
109 | kgid_t fgroup; |
110 | bool (*uid_op)(kuid_t cred_uid, kuid_t rule_uid); /* Handlers for operators */ |
111 | bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid); |
112 | bool (*fowner_op)(vfsuid_t vfsuid, kuid_t rule_uid); /* vfsuid_eq_kuid(), vfsuid_gt_kuid(), vfsuid_lt_kuid() */ |
113 | bool (*fgroup_op)(vfsgid_t vfsgid, kgid_t rule_gid); /* vfsgid_eq_kgid(), vfsgid_gt_kgid(), vfsgid_lt_kgid() */ |
114 | int pcr; |
115 | unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ |
116 | struct { |
117 | void *rule; /* LSM file metadata specific */ |
118 | char *args_p; /* audit value */ |
119 | int type; /* audit type */ |
120 | } lsm[MAX_LSM_RULES]; |
121 | char *fsname; |
122 | struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ |
123 | struct ima_rule_opt_list *label; /* Measure data grouped under this label */ |
124 | struct ima_template_desc *template; |
125 | }; |
126 | |
127 | /* |
128 | * sanity check in case the kernels gains more hash algorithms that can |
129 | * fit in an unsigned int |
130 | */ |
131 | static_assert( |
132 | 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, |
133 | "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type" ); |
134 | |
135 | /* |
136 | * Without LSM specific knowledge, the default policy can only be |
137 | * written in terms of .action, .func, .mask, .fsmagic, .uid, .gid, |
138 | * .fowner, and .fgroup |
139 | */ |
140 | |
141 | /* |
142 | * The minimum rule set to allow for full TCB coverage. Measures all files |
143 | * opened or mmap for exec and everything read by root. Dangerous because |
144 | * normal users can easily run the machine out of memory simply building |
145 | * and running executables. |
146 | */ |
147 | static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { |
148 | {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
149 | {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, |
150 | {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, |
151 | {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, |
152 | {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
153 | {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, |
154 | {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, |
155 | {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, |
156 | {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, |
157 | {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, |
158 | .flags = IMA_FSMAGIC}, |
159 | {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, |
160 | .flags = IMA_FSMAGIC}, |
161 | {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, |
162 | {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} |
163 | }; |
164 | |
165 | static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { |
166 | {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, |
167 | .flags = IMA_FUNC | IMA_MASK}, |
168 | {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, |
169 | .flags = IMA_FUNC | IMA_MASK}, |
170 | {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, |
171 | .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, |
172 | .flags = IMA_FUNC | IMA_MASK | IMA_UID}, |
173 | {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, |
174 | {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, |
175 | }; |
176 | |
177 | static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { |
178 | {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, |
179 | .flags = IMA_FUNC | IMA_MASK}, |
180 | {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, |
181 | .flags = IMA_FUNC | IMA_MASK}, |
182 | {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, |
183 | .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, |
184 | .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, |
185 | {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, |
186 | .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, |
187 | .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, |
188 | {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, |
189 | {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, |
190 | {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, |
191 | }; |
192 | |
193 | static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { |
194 | {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
195 | {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, |
196 | {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, |
197 | {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, |
198 | {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, |
199 | {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
200 | {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, |
201 | {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, |
202 | {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, |
203 | {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, |
204 | {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, |
205 | {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, |
206 | {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
207 | {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
208 | #ifdef CONFIG_IMA_WRITE_POLICY |
209 | {.action = APPRAISE, .func = POLICY_CHECK, |
210 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
211 | #endif |
212 | #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT |
213 | {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, |
214 | .flags = IMA_FOWNER}, |
215 | #else |
216 | /* force signature */ |
217 | {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid, |
218 | .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, |
219 | #endif |
220 | }; |
221 | |
222 | static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { |
223 | #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS |
224 | {.action = APPRAISE, .func = MODULE_CHECK, |
225 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
226 | #endif |
227 | #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS |
228 | {.action = APPRAISE, .func = FIRMWARE_CHECK, |
229 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
230 | #endif |
231 | #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS |
232 | {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, |
233 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
234 | #endif |
235 | #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS |
236 | {.action = APPRAISE, .func = POLICY_CHECK, |
237 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
238 | #endif |
239 | }; |
240 | |
241 | static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { |
242 | {.action = APPRAISE, .func = MODULE_CHECK, |
243 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
244 | {.action = APPRAISE, .func = FIRMWARE_CHECK, |
245 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
246 | {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, |
247 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
248 | {.action = APPRAISE, .func = POLICY_CHECK, |
249 | .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, |
250 | }; |
251 | |
252 | static struct ima_rule_entry critical_data_rules[] __ro_after_init = { |
253 | {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC}, |
254 | }; |
255 | |
256 | /* An array of architecture specific rules */ |
257 | static struct ima_rule_entry *arch_policy_entry __ro_after_init; |
258 | |
259 | static LIST_HEAD(ima_default_rules); |
260 | static LIST_HEAD(ima_policy_rules); |
261 | static LIST_HEAD(ima_temp_rules); |
262 | static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules); |
263 | |
264 | static int ima_policy __initdata; |
265 | |
266 | static int __init default_measure_policy_setup(char *str) |
267 | { |
268 | if (ima_policy) |
269 | return 1; |
270 | |
271 | ima_policy = ORIGINAL_TCB; |
272 | return 1; |
273 | } |
274 | __setup("ima_tcb" , default_measure_policy_setup); |
275 | |
276 | static bool ima_use_appraise_tcb __initdata; |
277 | static bool ima_use_secure_boot __initdata; |
278 | static bool ima_use_critical_data __initdata; |
279 | static bool ima_fail_unverifiable_sigs __ro_after_init; |
280 | static int __init policy_setup(char *str) |
281 | { |
282 | char *p; |
283 | |
284 | while ((p = strsep(&str, " |\n" )) != NULL) { |
285 | if (*p == ' ') |
286 | continue; |
287 | if ((strcmp(p, "tcb" ) == 0) && !ima_policy) |
288 | ima_policy = DEFAULT_TCB; |
289 | else if (strcmp(p, "appraise_tcb" ) == 0) |
290 | ima_use_appraise_tcb = true; |
291 | else if (strcmp(p, "secure_boot" ) == 0) |
292 | ima_use_secure_boot = true; |
293 | else if (strcmp(p, "critical_data" ) == 0) |
294 | ima_use_critical_data = true; |
295 | else if (strcmp(p, "fail_securely" ) == 0) |
296 | ima_fail_unverifiable_sigs = true; |
297 | else |
298 | pr_err("policy \"%s\" not found" , p); |
299 | } |
300 | |
301 | return 1; |
302 | } |
303 | __setup("ima_policy=" , policy_setup); |
304 | |
305 | static int __init default_appraise_policy_setup(char *str) |
306 | { |
307 | ima_use_appraise_tcb = true; |
308 | return 1; |
309 | } |
310 | __setup("ima_appraise_tcb" , default_appraise_policy_setup); |
311 | |
312 | static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) |
313 | { |
314 | struct ima_rule_opt_list *opt_list; |
315 | size_t count = 0; |
316 | char *src_copy; |
317 | char *cur, *next; |
318 | size_t i; |
319 | |
320 | src_copy = match_strdup(src); |
321 | if (!src_copy) |
322 | return ERR_PTR(error: -ENOMEM); |
323 | |
324 | next = src_copy; |
325 | while ((cur = strsep(&next, "|" ))) { |
326 | /* Don't accept an empty list item */ |
327 | if (!(*cur)) { |
328 | kfree(objp: src_copy); |
329 | return ERR_PTR(error: -EINVAL); |
330 | } |
331 | count++; |
332 | } |
333 | |
334 | /* Don't accept an empty list */ |
335 | if (!count) { |
336 | kfree(objp: src_copy); |
337 | return ERR_PTR(error: -EINVAL); |
338 | } |
339 | |
340 | opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); |
341 | if (!opt_list) { |
342 | kfree(objp: src_copy); |
343 | return ERR_PTR(error: -ENOMEM); |
344 | } |
345 | opt_list->count = count; |
346 | |
347 | /* |
348 | * strsep() has already replaced all instances of '|' with '\0', |
349 | * leaving a byte sequence of NUL-terminated strings. Reference each |
350 | * string with the array of items. |
351 | * |
352 | * IMPORTANT: Ownership of the allocated buffer is transferred from |
353 | * src_copy to the first element in the items array. To free the |
354 | * buffer, kfree() must only be called on the first element of the |
355 | * array. |
356 | */ |
357 | for (i = 0, cur = src_copy; i < count; i++) { |
358 | opt_list->items[i] = cur; |
359 | cur = strchr(cur, '\0') + 1; |
360 | } |
361 | |
362 | return opt_list; |
363 | } |
364 | |
365 | static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) |
366 | { |
367 | if (!opt_list) |
368 | return; |
369 | |
370 | if (opt_list->count) { |
371 | kfree(objp: opt_list->items[0]); |
372 | opt_list->count = 0; |
373 | } |
374 | |
375 | kfree(objp: opt_list); |
376 | } |
377 | |
378 | static void ima_lsm_free_rule(struct ima_rule_entry *entry) |
379 | { |
380 | int i; |
381 | |
382 | for (i = 0; i < MAX_LSM_RULES; i++) { |
383 | ima_filter_rule_free(lsmrule: entry->lsm[i].rule); |
384 | kfree(objp: entry->lsm[i].args_p); |
385 | } |
386 | } |
387 | |
388 | static void ima_free_rule(struct ima_rule_entry *entry) |
389 | { |
390 | if (!entry) |
391 | return; |
392 | |
393 | /* |
394 | * entry->template->fields may be allocated in ima_parse_rule() but that |
395 | * reference is owned by the corresponding ima_template_desc element in |
396 | * the defined_templates list and cannot be freed here |
397 | */ |
398 | kfree(objp: entry->fsname); |
399 | ima_free_rule_opt_list(opt_list: entry->keyrings); |
400 | ima_lsm_free_rule(entry); |
401 | kfree(objp: entry); |
402 | } |
403 | |
404 | static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) |
405 | { |
406 | struct ima_rule_entry *nentry; |
407 | int i; |
408 | |
409 | /* |
410 | * Immutable elements are copied over as pointers and data; only |
411 | * lsm rules can change |
412 | */ |
413 | nentry = kmemdup(p: entry, size: sizeof(*nentry), GFP_KERNEL); |
414 | if (!nentry) |
415 | return NULL; |
416 | |
417 | memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); |
418 | |
419 | for (i = 0; i < MAX_LSM_RULES; i++) { |
420 | if (!entry->lsm[i].args_p) |
421 | continue; |
422 | |
423 | nentry->lsm[i].type = entry->lsm[i].type; |
424 | nentry->lsm[i].args_p = entry->lsm[i].args_p; |
425 | |
426 | ima_filter_rule_init(field: nentry->lsm[i].type, op: Audit_equal, |
427 | rulestr: nentry->lsm[i].args_p, |
428 | lsmrule: &nentry->lsm[i].rule); |
429 | if (!nentry->lsm[i].rule) |
430 | pr_warn("rule for LSM \'%s\' is undefined\n" , |
431 | nentry->lsm[i].args_p); |
432 | } |
433 | return nentry; |
434 | } |
435 | |
436 | static int ima_lsm_update_rule(struct ima_rule_entry *entry) |
437 | { |
438 | int i; |
439 | struct ima_rule_entry *nentry; |
440 | |
441 | nentry = ima_lsm_copy_rule(entry); |
442 | if (!nentry) |
443 | return -ENOMEM; |
444 | |
445 | list_replace_rcu(old: &entry->list, new: &nentry->list); |
446 | synchronize_rcu(); |
447 | /* |
448 | * ima_lsm_copy_rule() shallow copied all references, except for the |
449 | * LSM references, from entry to nentry so we only want to free the LSM |
450 | * references and the entry itself. All other memory references will now |
451 | * be owned by nentry. |
452 | */ |
453 | for (i = 0; i < MAX_LSM_RULES; i++) |
454 | ima_filter_rule_free(lsmrule: entry->lsm[i].rule); |
455 | kfree(objp: entry); |
456 | |
457 | return 0; |
458 | } |
459 | |
460 | static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) |
461 | { |
462 | int i; |
463 | |
464 | for (i = 0; i < MAX_LSM_RULES; i++) |
465 | if (entry->lsm[i].args_p) |
466 | return true; |
467 | |
468 | return false; |
469 | } |
470 | |
471 | /* |
472 | * The LSM policy can be reloaded, leaving the IMA LSM based rules referring |
473 | * to the old, stale LSM policy. Update the IMA LSM based rules to reflect |
474 | * the reloaded LSM policy. |
475 | */ |
476 | static void ima_lsm_update_rules(void) |
477 | { |
478 | struct ima_rule_entry *entry, *e; |
479 | int result; |
480 | |
481 | list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { |
482 | if (!ima_rule_contains_lsm_cond(entry)) |
483 | continue; |
484 | |
485 | result = ima_lsm_update_rule(entry); |
486 | if (result) { |
487 | pr_err("lsm rule update error %d\n" , result); |
488 | return; |
489 | } |
490 | } |
491 | } |
492 | |
493 | int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, |
494 | void *lsm_data) |
495 | { |
496 | if (event != LSM_POLICY_CHANGE) |
497 | return NOTIFY_DONE; |
498 | |
499 | ima_lsm_update_rules(); |
500 | return NOTIFY_OK; |
501 | } |
502 | |
503 | /** |
504 | * ima_match_rule_data - determine whether func_data matches the policy rule |
505 | * @rule: a pointer to a rule |
506 | * @func_data: data to match against the measure rule data |
507 | * @cred: a pointer to a credentials structure for user validation |
508 | * |
509 | * Returns true if func_data matches one in the rule, false otherwise. |
510 | */ |
511 | static bool ima_match_rule_data(struct ima_rule_entry *rule, |
512 | const char *func_data, |
513 | const struct cred *cred) |
514 | { |
515 | const struct ima_rule_opt_list *opt_list = NULL; |
516 | bool matched = false; |
517 | size_t i; |
518 | |
519 | if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) |
520 | return false; |
521 | |
522 | switch (rule->func) { |
523 | case KEY_CHECK: |
524 | if (!rule->keyrings) |
525 | return true; |
526 | |
527 | opt_list = rule->keyrings; |
528 | break; |
529 | case CRITICAL_DATA: |
530 | if (!rule->label) |
531 | return true; |
532 | |
533 | opt_list = rule->label; |
534 | break; |
535 | default: |
536 | return false; |
537 | } |
538 | |
539 | if (!func_data) |
540 | return false; |
541 | |
542 | for (i = 0; i < opt_list->count; i++) { |
543 | if (!strcmp(opt_list->items[i], func_data)) { |
544 | matched = true; |
545 | break; |
546 | } |
547 | } |
548 | |
549 | return matched; |
550 | } |
551 | |
552 | /** |
553 | * ima_match_rules - determine whether an inode matches the policy rule. |
554 | * @rule: a pointer to a rule |
555 | * @idmap: idmap of the mount the inode was found from |
556 | * @inode: a pointer to an inode |
557 | * @cred: a pointer to a credentials structure for user validation |
558 | * @secid: the secid of the task to be validated |
559 | * @func: LIM hook identifier |
560 | * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) |
561 | * @func_data: func specific data, may be NULL |
562 | * |
563 | * Returns true on rule match, false on failure. |
564 | */ |
565 | static bool ima_match_rules(struct ima_rule_entry *rule, |
566 | struct mnt_idmap *idmap, |
567 | struct inode *inode, const struct cred *cred, |
568 | u32 secid, enum ima_hooks func, int mask, |
569 | const char *func_data) |
570 | { |
571 | int i; |
572 | bool result = false; |
573 | struct ima_rule_entry *lsm_rule = rule; |
574 | bool rule_reinitialized = false; |
575 | |
576 | if ((rule->flags & IMA_FUNC) && |
577 | (rule->func != func && func != POST_SETATTR)) |
578 | return false; |
579 | |
580 | switch (func) { |
581 | case KEY_CHECK: |
582 | case CRITICAL_DATA: |
583 | return ((rule->func == func) && |
584 | ima_match_rule_data(rule, func_data, cred)); |
585 | default: |
586 | break; |
587 | } |
588 | |
589 | if ((rule->flags & IMA_MASK) && |
590 | (rule->mask != mask && func != POST_SETATTR)) |
591 | return false; |
592 | if ((rule->flags & IMA_INMASK) && |
593 | (!(rule->mask & mask) && func != POST_SETATTR)) |
594 | return false; |
595 | if ((rule->flags & IMA_FSMAGIC) |
596 | && rule->fsmagic != inode->i_sb->s_magic) |
597 | return false; |
598 | if ((rule->flags & IMA_FSNAME) |
599 | && strcmp(rule->fsname, inode->i_sb->s_type->name)) |
600 | return false; |
601 | if ((rule->flags & IMA_FSUUID) && |
602 | !uuid_equal(u1: &rule->fsuuid, u2: &inode->i_sb->s_uuid)) |
603 | return false; |
604 | if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) |
605 | return false; |
606 | if (rule->flags & IMA_EUID) { |
607 | if (has_capability_noaudit(current, CAP_SETUID)) { |
608 | if (!rule->uid_op(cred->euid, rule->uid) |
609 | && !rule->uid_op(cred->suid, rule->uid) |
610 | && !rule->uid_op(cred->uid, rule->uid)) |
611 | return false; |
612 | } else if (!rule->uid_op(cred->euid, rule->uid)) |
613 | return false; |
614 | } |
615 | if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid)) |
616 | return false; |
617 | if (rule->flags & IMA_EGID) { |
618 | if (has_capability_noaudit(current, CAP_SETGID)) { |
619 | if (!rule->gid_op(cred->egid, rule->gid) |
620 | && !rule->gid_op(cred->sgid, rule->gid) |
621 | && !rule->gid_op(cred->gid, rule->gid)) |
622 | return false; |
623 | } else if (!rule->gid_op(cred->egid, rule->gid)) |
624 | return false; |
625 | } |
626 | if ((rule->flags & IMA_FOWNER) && |
627 | !rule->fowner_op(i_uid_into_vfsuid(idmap, inode), |
628 | rule->fowner)) |
629 | return false; |
630 | if ((rule->flags & IMA_FGROUP) && |
631 | !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode), |
632 | rule->fgroup)) |
633 | return false; |
634 | for (i = 0; i < MAX_LSM_RULES; i++) { |
635 | int rc = 0; |
636 | u32 osid; |
637 | |
638 | if (!lsm_rule->lsm[i].rule) { |
639 | if (!lsm_rule->lsm[i].args_p) |
640 | continue; |
641 | else |
642 | return false; |
643 | } |
644 | |
645 | retry: |
646 | switch (i) { |
647 | case LSM_OBJ_USER: |
648 | case LSM_OBJ_ROLE: |
649 | case LSM_OBJ_TYPE: |
650 | security_inode_getsecid(inode, secid: &osid); |
651 | rc = ima_filter_rule_match(secid: osid, field: lsm_rule->lsm[i].type, |
652 | op: Audit_equal, |
653 | lsmrule: lsm_rule->lsm[i].rule); |
654 | break; |
655 | case LSM_SUBJ_USER: |
656 | case LSM_SUBJ_ROLE: |
657 | case LSM_SUBJ_TYPE: |
658 | rc = ima_filter_rule_match(secid, field: lsm_rule->lsm[i].type, |
659 | op: Audit_equal, |
660 | lsmrule: lsm_rule->lsm[i].rule); |
661 | break; |
662 | default: |
663 | break; |
664 | } |
665 | |
666 | if (rc == -ESTALE && !rule_reinitialized) { |
667 | lsm_rule = ima_lsm_copy_rule(entry: rule); |
668 | if (lsm_rule) { |
669 | rule_reinitialized = true; |
670 | goto retry; |
671 | } |
672 | } |
673 | if (!rc) { |
674 | result = false; |
675 | goto out; |
676 | } |
677 | } |
678 | result = true; |
679 | |
680 | out: |
681 | if (rule_reinitialized) { |
682 | for (i = 0; i < MAX_LSM_RULES; i++) |
683 | ima_filter_rule_free(lsmrule: lsm_rule->lsm[i].rule); |
684 | kfree(objp: lsm_rule); |
685 | } |
686 | return result; |
687 | } |
688 | |
689 | /* |
690 | * In addition to knowing that we need to appraise the file in general, |
691 | * we need to differentiate between calling hooks, for hook specific rules. |
692 | */ |
693 | static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) |
694 | { |
695 | if (!(rule->flags & IMA_FUNC)) |
696 | return IMA_FILE_APPRAISE; |
697 | |
698 | switch (func) { |
699 | case MMAP_CHECK: |
700 | case MMAP_CHECK_REQPROT: |
701 | return IMA_MMAP_APPRAISE; |
702 | case BPRM_CHECK: |
703 | return IMA_BPRM_APPRAISE; |
704 | case CREDS_CHECK: |
705 | return IMA_CREDS_APPRAISE; |
706 | case FILE_CHECK: |
707 | case POST_SETATTR: |
708 | return IMA_FILE_APPRAISE; |
709 | case MODULE_CHECK ... MAX_CHECK - 1: |
710 | default: |
711 | return IMA_READ_APPRAISE; |
712 | } |
713 | } |
714 | |
715 | /** |
716 | * ima_match_policy - decision based on LSM and other conditions |
717 | * @idmap: idmap of the mount the inode was found from |
718 | * @inode: pointer to an inode for which the policy decision is being made |
719 | * @cred: pointer to a credentials structure for which the policy decision is |
720 | * being made |
721 | * @secid: LSM secid of the task to be validated |
722 | * @func: IMA hook identifier |
723 | * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) |
724 | * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) |
725 | * @pcr: set the pcr to extend |
726 | * @template_desc: the template that should be used for this rule |
727 | * @func_data: func specific data, may be NULL |
728 | * @allowed_algos: allowlist of hash algorithms for the IMA xattr |
729 | * |
730 | * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) |
731 | * conditions. |
732 | * |
733 | * Since the IMA policy may be updated multiple times we need to lock the |
734 | * list when walking it. Reads are many orders of magnitude more numerous |
735 | * than writes so ima_match_policy() is classical RCU candidate. |
736 | */ |
737 | int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, |
738 | const struct cred *cred, u32 secid, enum ima_hooks func, |
739 | int mask, int flags, int *pcr, |
740 | struct ima_template_desc **template_desc, |
741 | const char *func_data, unsigned int *allowed_algos) |
742 | { |
743 | struct ima_rule_entry *entry; |
744 | int action = 0, actmask = flags | (flags << 1); |
745 | struct list_head *ima_rules_tmp; |
746 | |
747 | if (template_desc && !*template_desc) |
748 | *template_desc = ima_template_desc_current(); |
749 | |
750 | rcu_read_lock(); |
751 | ima_rules_tmp = rcu_dereference(ima_rules); |
752 | list_for_each_entry_rcu(entry, ima_rules_tmp, list) { |
753 | |
754 | if (!(entry->action & actmask)) |
755 | continue; |
756 | |
757 | if (!ima_match_rules(rule: entry, idmap, inode, cred, secid, |
758 | func, mask, func_data)) |
759 | continue; |
760 | |
761 | action |= entry->flags & IMA_NONACTION_FLAGS; |
762 | |
763 | action |= entry->action & IMA_DO_MASK; |
764 | if (entry->action & IMA_APPRAISE) { |
765 | action |= get_subaction(rule: entry, func); |
766 | action &= ~IMA_HASH; |
767 | if (ima_fail_unverifiable_sigs) |
768 | action |= IMA_FAIL_UNVERIFIABLE_SIGS; |
769 | |
770 | if (allowed_algos && |
771 | entry->flags & IMA_VALIDATE_ALGOS) |
772 | *allowed_algos = entry->allowed_algos; |
773 | } |
774 | |
775 | if (entry->action & IMA_DO_MASK) |
776 | actmask &= ~(entry->action | entry->action << 1); |
777 | else |
778 | actmask &= ~(entry->action | entry->action >> 1); |
779 | |
780 | if ((pcr) && (entry->flags & IMA_PCR)) |
781 | *pcr = entry->pcr; |
782 | |
783 | if (template_desc && entry->template) |
784 | *template_desc = entry->template; |
785 | |
786 | if (!actmask) |
787 | break; |
788 | } |
789 | rcu_read_unlock(); |
790 | |
791 | return action; |
792 | } |
793 | |
794 | /** |
795 | * ima_update_policy_flags() - Update global IMA variables |
796 | * |
797 | * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms |
798 | * based on the currently loaded policy. |
799 | * |
800 | * With ima_policy_flag, the decision to short circuit out of a function |
801 | * or not call the function in the first place can be made earlier. |
802 | * |
803 | * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the |
804 | * set of hash algorithms accepted when updating the security.ima xattr of |
805 | * a file. |
806 | * |
807 | * Context: called after a policy update and at system initialization. |
808 | */ |
809 | void ima_update_policy_flags(void) |
810 | { |
811 | struct ima_rule_entry *entry; |
812 | int new_policy_flag = 0; |
813 | struct list_head *ima_rules_tmp; |
814 | |
815 | rcu_read_lock(); |
816 | ima_rules_tmp = rcu_dereference(ima_rules); |
817 | list_for_each_entry_rcu(entry, ima_rules_tmp, list) { |
818 | /* |
819 | * SETXATTR_CHECK rules do not implement a full policy check |
820 | * because rule checking would probably have an important |
821 | * performance impact on setxattr(). As a consequence, only one |
822 | * SETXATTR_CHECK can be active at a given time. |
823 | * Because we want to preserve that property, we set out to use |
824 | * atomic_cmpxchg. Either: |
825 | * - the atomic was non-zero: a setxattr hash policy is |
826 | * already enforced, we do nothing |
827 | * - the atomic was zero: no setxattr policy was set, enable |
828 | * the setxattr hash policy |
829 | */ |
830 | if (entry->func == SETXATTR_CHECK) { |
831 | atomic_cmpxchg(v: &ima_setxattr_allowed_hash_algorithms, |
832 | old: 0, new: entry->allowed_algos); |
833 | /* SETXATTR_CHECK doesn't impact ima_policy_flag */ |
834 | continue; |
835 | } |
836 | |
837 | if (entry->action & IMA_DO_MASK) |
838 | new_policy_flag |= entry->action; |
839 | } |
840 | rcu_read_unlock(); |
841 | |
842 | ima_appraise |= (build_ima_appraise | temp_ima_appraise); |
843 | if (!ima_appraise) |
844 | new_policy_flag &= ~IMA_APPRAISE; |
845 | |
846 | ima_policy_flag = new_policy_flag; |
847 | } |
848 | |
849 | static int ima_appraise_flag(enum ima_hooks func) |
850 | { |
851 | if (func == MODULE_CHECK) |
852 | return IMA_APPRAISE_MODULES; |
853 | else if (func == FIRMWARE_CHECK) |
854 | return IMA_APPRAISE_FIRMWARE; |
855 | else if (func == POLICY_CHECK) |
856 | return IMA_APPRAISE_POLICY; |
857 | else if (func == KEXEC_KERNEL_CHECK) |
858 | return IMA_APPRAISE_KEXEC; |
859 | return 0; |
860 | } |
861 | |
862 | static void add_rules(struct ima_rule_entry *entries, int count, |
863 | enum policy_rule_list policy_rule) |
864 | { |
865 | int i = 0; |
866 | |
867 | for (i = 0; i < count; i++) { |
868 | struct ima_rule_entry *entry; |
869 | |
870 | if (policy_rule & IMA_DEFAULT_POLICY) |
871 | list_add_tail(new: &entries[i].list, head: &ima_default_rules); |
872 | |
873 | if (policy_rule & IMA_CUSTOM_POLICY) { |
874 | entry = kmemdup(p: &entries[i], size: sizeof(*entry), |
875 | GFP_KERNEL); |
876 | if (!entry) |
877 | continue; |
878 | |
879 | list_add_tail(new: &entry->list, head: &ima_policy_rules); |
880 | } |
881 | if (entries[i].action == APPRAISE) { |
882 | if (entries != build_appraise_rules) |
883 | temp_ima_appraise |= |
884 | ima_appraise_flag(func: entries[i].func); |
885 | else |
886 | build_ima_appraise |= |
887 | ima_appraise_flag(func: entries[i].func); |
888 | } |
889 | } |
890 | } |
891 | |
892 | static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); |
893 | |
894 | static int __init ima_init_arch_policy(void) |
895 | { |
896 | const char * const *arch_rules; |
897 | const char * const *rules; |
898 | int arch_entries = 0; |
899 | int i = 0; |
900 | |
901 | arch_rules = arch_get_ima_policy(); |
902 | if (!arch_rules) |
903 | return arch_entries; |
904 | |
905 | /* Get number of rules */ |
906 | for (rules = arch_rules; *rules != NULL; rules++) |
907 | arch_entries++; |
908 | |
909 | arch_policy_entry = kcalloc(n: arch_entries + 1, |
910 | size: sizeof(*arch_policy_entry), GFP_KERNEL); |
911 | if (!arch_policy_entry) |
912 | return 0; |
913 | |
914 | /* Convert each policy string rules to struct ima_rule_entry format */ |
915 | for (rules = arch_rules, i = 0; *rules != NULL; rules++) { |
916 | char rule[255]; |
917 | int result; |
918 | |
919 | result = strscpy(rule, *rules, sizeof(rule)); |
920 | |
921 | INIT_LIST_HEAD(list: &arch_policy_entry[i].list); |
922 | result = ima_parse_rule(rule, entry: &arch_policy_entry[i]); |
923 | if (result) { |
924 | pr_warn("Skipping unknown architecture policy rule: %s\n" , |
925 | rule); |
926 | memset(&arch_policy_entry[i], 0, |
927 | sizeof(*arch_policy_entry)); |
928 | continue; |
929 | } |
930 | i++; |
931 | } |
932 | return i; |
933 | } |
934 | |
935 | /** |
936 | * ima_init_policy - initialize the default measure rules. |
937 | * |
938 | * ima_rules points to either the ima_default_rules or the new ima_policy_rules. |
939 | */ |
940 | void __init ima_init_policy(void) |
941 | { |
942 | int build_appraise_entries, arch_entries; |
943 | |
944 | /* if !ima_policy, we load NO default rules */ |
945 | if (ima_policy) |
946 | add_rules(entries: dont_measure_rules, ARRAY_SIZE(dont_measure_rules), |
947 | policy_rule: IMA_DEFAULT_POLICY); |
948 | |
949 | switch (ima_policy) { |
950 | case ORIGINAL_TCB: |
951 | add_rules(entries: original_measurement_rules, |
952 | ARRAY_SIZE(original_measurement_rules), |
953 | policy_rule: IMA_DEFAULT_POLICY); |
954 | break; |
955 | case DEFAULT_TCB: |
956 | add_rules(entries: default_measurement_rules, |
957 | ARRAY_SIZE(default_measurement_rules), |
958 | policy_rule: IMA_DEFAULT_POLICY); |
959 | break; |
960 | default: |
961 | break; |
962 | } |
963 | |
964 | /* |
965 | * Based on runtime secure boot flags, insert arch specific measurement |
966 | * and appraise rules requiring file signatures for both the initial |
967 | * and custom policies, prior to other appraise rules. |
968 | * (Highest priority) |
969 | */ |
970 | arch_entries = ima_init_arch_policy(); |
971 | if (!arch_entries) |
972 | pr_info("No architecture policies found\n" ); |
973 | else |
974 | add_rules(entries: arch_policy_entry, count: arch_entries, |
975 | policy_rule: IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); |
976 | |
977 | /* |
978 | * Insert the builtin "secure_boot" policy rules requiring file |
979 | * signatures, prior to other appraise rules. |
980 | */ |
981 | if (ima_use_secure_boot) |
982 | add_rules(entries: secure_boot_rules, ARRAY_SIZE(secure_boot_rules), |
983 | policy_rule: IMA_DEFAULT_POLICY); |
984 | |
985 | /* |
986 | * Insert the build time appraise rules requiring file signatures |
987 | * for both the initial and custom policies, prior to other appraise |
988 | * rules. As the secure boot rules includes all of the build time |
989 | * rules, include either one or the other set of rules, but not both. |
990 | */ |
991 | build_appraise_entries = ARRAY_SIZE(build_appraise_rules); |
992 | if (build_appraise_entries) { |
993 | if (ima_use_secure_boot) |
994 | add_rules(entries: build_appraise_rules, count: build_appraise_entries, |
995 | policy_rule: IMA_CUSTOM_POLICY); |
996 | else |
997 | add_rules(entries: build_appraise_rules, count: build_appraise_entries, |
998 | policy_rule: IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); |
999 | } |
1000 | |
1001 | if (ima_use_appraise_tcb) |
1002 | add_rules(entries: default_appraise_rules, |
1003 | ARRAY_SIZE(default_appraise_rules), |
1004 | policy_rule: IMA_DEFAULT_POLICY); |
1005 | |
1006 | if (ima_use_critical_data) |
1007 | add_rules(entries: critical_data_rules, |
1008 | ARRAY_SIZE(critical_data_rules), |
1009 | policy_rule: IMA_DEFAULT_POLICY); |
1010 | |
1011 | atomic_set(v: &ima_setxattr_allowed_hash_algorithms, i: 0); |
1012 | |
1013 | ima_update_policy_flags(); |
1014 | } |
1015 | |
1016 | /* Make sure we have a valid policy, at least containing some rules. */ |
1017 | int ima_check_policy(void) |
1018 | { |
1019 | if (list_empty(head: &ima_temp_rules)) |
1020 | return -EINVAL; |
1021 | return 0; |
1022 | } |
1023 | |
1024 | /** |
1025 | * ima_update_policy - update default_rules with new measure rules |
1026 | * |
1027 | * Called on file .release to update the default rules with a complete new |
1028 | * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so |
1029 | * they make a queue. The policy may be updated multiple times and this is the |
1030 | * RCU updater. |
1031 | * |
1032 | * Policy rules are never deleted so ima_policy_flag gets zeroed only once when |
1033 | * we switch from the default policy to user defined. |
1034 | */ |
1035 | void ima_update_policy(void) |
1036 | { |
1037 | struct list_head *policy = &ima_policy_rules; |
1038 | |
1039 | list_splice_tail_init_rcu(list: &ima_temp_rules, head: policy, sync: synchronize_rcu); |
1040 | |
1041 | if (ima_rules != (struct list_head __rcu *)policy) { |
1042 | ima_policy_flag = 0; |
1043 | |
1044 | rcu_assign_pointer(ima_rules, policy); |
1045 | /* |
1046 | * IMA architecture specific policy rules are specified |
1047 | * as strings and converted to an array of ima_entry_rules |
1048 | * on boot. After loading a custom policy, free the |
1049 | * architecture specific rules stored as an array. |
1050 | */ |
1051 | kfree(objp: arch_policy_entry); |
1052 | } |
1053 | ima_update_policy_flags(); |
1054 | |
1055 | /* Custom IMA policy has been loaded */ |
1056 | ima_process_queued_keys(); |
1057 | } |
1058 | |
1059 | /* Keep the enumeration in sync with the policy_tokens! */ |
1060 | enum policy_opt { |
1061 | Opt_measure, Opt_dont_measure, |
1062 | Opt_appraise, Opt_dont_appraise, |
1063 | Opt_audit, Opt_hash, Opt_dont_hash, |
1064 | Opt_obj_user, Opt_obj_role, Opt_obj_type, |
1065 | Opt_subj_user, Opt_subj_role, Opt_subj_type, |
1066 | Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid, |
1067 | Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq, |
1068 | Opt_fowner_eq, Opt_fgroup_eq, |
1069 | Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt, |
1070 | Opt_fowner_gt, Opt_fgroup_gt, |
1071 | Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt, |
1072 | Opt_fowner_lt, Opt_fgroup_lt, |
1073 | Opt_digest_type, |
1074 | Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, |
1075 | Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, |
1076 | Opt_label, Opt_err |
1077 | }; |
1078 | |
1079 | static const match_table_t policy_tokens = { |
1080 | {Opt_measure, "measure" }, |
1081 | {Opt_dont_measure, "dont_measure" }, |
1082 | {Opt_appraise, "appraise" }, |
1083 | {Opt_dont_appraise, "dont_appraise" }, |
1084 | {Opt_audit, "audit" }, |
1085 | {Opt_hash, "hash" }, |
1086 | {Opt_dont_hash, "dont_hash" }, |
1087 | {Opt_obj_user, "obj_user=%s" }, |
1088 | {Opt_obj_role, "obj_role=%s" }, |
1089 | {Opt_obj_type, "obj_type=%s" }, |
1090 | {Opt_subj_user, "subj_user=%s" }, |
1091 | {Opt_subj_role, "subj_role=%s" }, |
1092 | {Opt_subj_type, "subj_type=%s" }, |
1093 | {Opt_func, "func=%s" }, |
1094 | {Opt_mask, "mask=%s" }, |
1095 | {Opt_fsmagic, "fsmagic=%s" }, |
1096 | {Opt_fsname, "fsname=%s" }, |
1097 | {Opt_fsuuid, "fsuuid=%s" }, |
1098 | {Opt_uid_eq, "uid=%s" }, |
1099 | {Opt_euid_eq, "euid=%s" }, |
1100 | {Opt_gid_eq, "gid=%s" }, |
1101 | {Opt_egid_eq, "egid=%s" }, |
1102 | {Opt_fowner_eq, "fowner=%s" }, |
1103 | {Opt_fgroup_eq, "fgroup=%s" }, |
1104 | {Opt_uid_gt, "uid>%s" }, |
1105 | {Opt_euid_gt, "euid>%s" }, |
1106 | {Opt_gid_gt, "gid>%s" }, |
1107 | {Opt_egid_gt, "egid>%s" }, |
1108 | {Opt_fowner_gt, "fowner>%s" }, |
1109 | {Opt_fgroup_gt, "fgroup>%s" }, |
1110 | {Opt_uid_lt, "uid<%s" }, |
1111 | {Opt_euid_lt, "euid<%s" }, |
1112 | {Opt_gid_lt, "gid<%s" }, |
1113 | {Opt_egid_lt, "egid<%s" }, |
1114 | {Opt_fowner_lt, "fowner<%s" }, |
1115 | {Opt_fgroup_lt, "fgroup<%s" }, |
1116 | {Opt_digest_type, "digest_type=%s" }, |
1117 | {Opt_appraise_type, "appraise_type=%s" }, |
1118 | {Opt_appraise_flag, "appraise_flag=%s" }, |
1119 | {Opt_appraise_algos, "appraise_algos=%s" }, |
1120 | {Opt_permit_directio, "permit_directio" }, |
1121 | {Opt_pcr, "pcr=%s" }, |
1122 | {Opt_template, "template=%s" }, |
1123 | {Opt_keyrings, "keyrings=%s" }, |
1124 | {Opt_label, "label=%s" }, |
1125 | {Opt_err, NULL} |
1126 | }; |
1127 | |
1128 | static int ima_lsm_rule_init(struct ima_rule_entry *entry, |
1129 | substring_t *args, int lsm_rule, int audit_type) |
1130 | { |
1131 | int result; |
1132 | |
1133 | if (entry->lsm[lsm_rule].rule) |
1134 | return -EINVAL; |
1135 | |
1136 | entry->lsm[lsm_rule].args_p = match_strdup(args); |
1137 | if (!entry->lsm[lsm_rule].args_p) |
1138 | return -ENOMEM; |
1139 | |
1140 | entry->lsm[lsm_rule].type = audit_type; |
1141 | result = ima_filter_rule_init(field: entry->lsm[lsm_rule].type, op: Audit_equal, |
1142 | rulestr: entry->lsm[lsm_rule].args_p, |
1143 | lsmrule: &entry->lsm[lsm_rule].rule); |
1144 | if (!entry->lsm[lsm_rule].rule) { |
1145 | pr_warn("rule for LSM \'%s\' is undefined\n" , |
1146 | entry->lsm[lsm_rule].args_p); |
1147 | |
1148 | if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) { |
1149 | kfree(objp: entry->lsm[lsm_rule].args_p); |
1150 | entry->lsm[lsm_rule].args_p = NULL; |
1151 | result = -EINVAL; |
1152 | } else |
1153 | result = 0; |
1154 | } |
1155 | |
1156 | return result; |
1157 | } |
1158 | |
1159 | static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, |
1160 | enum policy_opt rule_operator) |
1161 | { |
1162 | if (!ab) |
1163 | return; |
1164 | |
1165 | switch (rule_operator) { |
1166 | case Opt_uid_gt: |
1167 | case Opt_euid_gt: |
1168 | case Opt_gid_gt: |
1169 | case Opt_egid_gt: |
1170 | case Opt_fowner_gt: |
1171 | case Opt_fgroup_gt: |
1172 | audit_log_format(ab, fmt: "%s>" , key); |
1173 | break; |
1174 | case Opt_uid_lt: |
1175 | case Opt_euid_lt: |
1176 | case Opt_gid_lt: |
1177 | case Opt_egid_lt: |
1178 | case Opt_fowner_lt: |
1179 | case Opt_fgroup_lt: |
1180 | audit_log_format(ab, fmt: "%s<" , key); |
1181 | break; |
1182 | default: |
1183 | audit_log_format(ab, fmt: "%s=" , key); |
1184 | } |
1185 | audit_log_format(ab, fmt: "%s " , value); |
1186 | } |
1187 | static void ima_log_string(struct audit_buffer *ab, char *key, char *value) |
1188 | { |
1189 | ima_log_string_op(ab, key, value, rule_operator: Opt_err); |
1190 | } |
1191 | |
1192 | /* |
1193 | * Validating the appended signature included in the measurement list requires |
1194 | * the file hash calculated without the appended signature (i.e., the 'd-modsig' |
1195 | * field). Therefore, notify the user if they have the 'modsig' field but not |
1196 | * the 'd-modsig' field in the template. |
1197 | */ |
1198 | static void check_template_modsig(const struct ima_template_desc *template) |
1199 | { |
1200 | #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" |
1201 | bool has_modsig, has_dmodsig; |
1202 | static bool checked; |
1203 | int i; |
1204 | |
1205 | /* We only need to notify the user once. */ |
1206 | if (checked) |
1207 | return; |
1208 | |
1209 | has_modsig = has_dmodsig = false; |
1210 | for (i = 0; i < template->num_fields; i++) { |
1211 | if (!strcmp(template->fields[i]->field_id, "modsig" )) |
1212 | has_modsig = true; |
1213 | else if (!strcmp(template->fields[i]->field_id, "d-modsig" )) |
1214 | has_dmodsig = true; |
1215 | } |
1216 | |
1217 | if (has_modsig && !has_dmodsig) |
1218 | pr_notice(MSG); |
1219 | |
1220 | checked = true; |
1221 | #undef MSG |
1222 | } |
1223 | |
1224 | /* |
1225 | * Warn if the template does not contain the given field. |
1226 | */ |
1227 | static void check_template_field(const struct ima_template_desc *template, |
1228 | const char *field, const char *msg) |
1229 | { |
1230 | int i; |
1231 | |
1232 | for (i = 0; i < template->num_fields; i++) |
1233 | if (!strcmp(template->fields[i]->field_id, field)) |
1234 | return; |
1235 | |
1236 | pr_notice_once("%s" , msg); |
1237 | } |
1238 | |
1239 | static bool ima_validate_rule(struct ima_rule_entry *entry) |
1240 | { |
1241 | /* Ensure that the action is set and is compatible with the flags */ |
1242 | if (entry->action == UNKNOWN) |
1243 | return false; |
1244 | |
1245 | if (entry->action != MEASURE && entry->flags & IMA_PCR) |
1246 | return false; |
1247 | |
1248 | if (entry->action != APPRAISE && |
1249 | entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | |
1250 | IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) |
1251 | return false; |
1252 | |
1253 | /* |
1254 | * The IMA_FUNC bit must be set if and only if there's a valid hook |
1255 | * function specified, and vice versa. Enforcing this property allows |
1256 | * for the NONE case below to validate a rule without an explicit hook |
1257 | * function. |
1258 | */ |
1259 | if (((entry->flags & IMA_FUNC) && entry->func == NONE) || |
1260 | (!(entry->flags & IMA_FUNC) && entry->func != NONE)) |
1261 | return false; |
1262 | |
1263 | /* |
1264 | * Ensure that the hook function is compatible with the other |
1265 | * components of the rule |
1266 | */ |
1267 | switch (entry->func) { |
1268 | case NONE: |
1269 | case FILE_CHECK: |
1270 | case MMAP_CHECK: |
1271 | case MMAP_CHECK_REQPROT: |
1272 | case BPRM_CHECK: |
1273 | case CREDS_CHECK: |
1274 | case POST_SETATTR: |
1275 | case FIRMWARE_CHECK: |
1276 | case POLICY_CHECK: |
1277 | if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | |
1278 | IMA_UID | IMA_FOWNER | IMA_FSUUID | |
1279 | IMA_INMASK | IMA_EUID | IMA_PCR | |
1280 | IMA_FSNAME | IMA_GID | IMA_EGID | |
1281 | IMA_FGROUP | IMA_DIGSIG_REQUIRED | |
1282 | IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | |
1283 | IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED)) |
1284 | return false; |
1285 | |
1286 | break; |
1287 | case MODULE_CHECK: |
1288 | case KEXEC_KERNEL_CHECK: |
1289 | case KEXEC_INITRAMFS_CHECK: |
1290 | if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | |
1291 | IMA_UID | IMA_FOWNER | IMA_FSUUID | |
1292 | IMA_INMASK | IMA_EUID | IMA_PCR | |
1293 | IMA_FSNAME | IMA_GID | IMA_EGID | |
1294 | IMA_FGROUP | IMA_DIGSIG_REQUIRED | |
1295 | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | |
1296 | IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) |
1297 | return false; |
1298 | |
1299 | break; |
1300 | case KEXEC_CMDLINE: |
1301 | if (entry->action & ~(MEASURE | DONT_MEASURE)) |
1302 | return false; |
1303 | |
1304 | if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | |
1305 | IMA_FOWNER | IMA_FSUUID | IMA_EUID | |
1306 | IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID | |
1307 | IMA_FGROUP)) |
1308 | return false; |
1309 | |
1310 | break; |
1311 | case KEY_CHECK: |
1312 | if (entry->action & ~(MEASURE | DONT_MEASURE)) |
1313 | return false; |
1314 | |
1315 | if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | |
1316 | IMA_KEYRINGS)) |
1317 | return false; |
1318 | |
1319 | if (ima_rule_contains_lsm_cond(entry)) |
1320 | return false; |
1321 | |
1322 | break; |
1323 | case CRITICAL_DATA: |
1324 | if (entry->action & ~(MEASURE | DONT_MEASURE)) |
1325 | return false; |
1326 | |
1327 | if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | |
1328 | IMA_LABEL)) |
1329 | return false; |
1330 | |
1331 | if (ima_rule_contains_lsm_cond(entry)) |
1332 | return false; |
1333 | |
1334 | break; |
1335 | case SETXATTR_CHECK: |
1336 | /* any action other than APPRAISE is unsupported */ |
1337 | if (entry->action != APPRAISE) |
1338 | return false; |
1339 | |
1340 | /* SETXATTR_CHECK requires an appraise_algos parameter */ |
1341 | if (!(entry->flags & IMA_VALIDATE_ALGOS)) |
1342 | return false; |
1343 | |
1344 | /* |
1345 | * full policies are not supported, they would have too |
1346 | * much of a performance impact |
1347 | */ |
1348 | if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) |
1349 | return false; |
1350 | |
1351 | break; |
1352 | default: |
1353 | return false; |
1354 | } |
1355 | |
1356 | /* Ensure that combinations of flags are compatible with each other */ |
1357 | if (entry->flags & IMA_CHECK_BLACKLIST && |
1358 | !(entry->flags & IMA_DIGSIG_REQUIRED)) |
1359 | return false; |
1360 | |
1361 | /* |
1362 | * Unlike for regular IMA 'appraise' policy rules where security.ima |
1363 | * xattr may contain either a file hash or signature, the security.ima |
1364 | * xattr for fsverity must contain a file signature (sigv3). Ensure |
1365 | * that 'appraise' rules for fsverity require file signatures by |
1366 | * checking the IMA_DIGSIG_REQUIRED flag is set. |
1367 | */ |
1368 | if (entry->action == APPRAISE && |
1369 | (entry->flags & IMA_VERITY_REQUIRED) && |
1370 | !(entry->flags & IMA_DIGSIG_REQUIRED)) |
1371 | return false; |
1372 | |
1373 | return true; |
1374 | } |
1375 | |
1376 | static unsigned int ima_parse_appraise_algos(char *arg) |
1377 | { |
1378 | unsigned int res = 0; |
1379 | int idx; |
1380 | char *token; |
1381 | |
1382 | while ((token = strsep(&arg, "," )) != NULL) { |
1383 | idx = match_string(array: hash_algo_name, n: HASH_ALGO__LAST, string: token); |
1384 | |
1385 | if (idx < 0) { |
1386 | pr_err("unknown hash algorithm \"%s\"" , |
1387 | token); |
1388 | return 0; |
1389 | } |
1390 | |
1391 | if (!crypto_has_alg(name: hash_algo_name[idx], type: 0, mask: 0)) { |
1392 | pr_err("unavailable hash algorithm \"%s\", check your kernel configuration" , |
1393 | token); |
1394 | return 0; |
1395 | } |
1396 | |
1397 | /* Add the hash algorithm to the 'allowed' bitfield */ |
1398 | res |= (1U << idx); |
1399 | } |
1400 | |
1401 | return res; |
1402 | } |
1403 | |
1404 | static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) |
1405 | { |
1406 | struct audit_buffer *ab; |
1407 | char *from; |
1408 | char *p; |
1409 | bool eid_token; /* either euid or egid */ |
1410 | struct ima_template_desc *template_desc; |
1411 | int result = 0; |
1412 | |
1413 | ab = integrity_audit_log_start(ctx: audit_context(), GFP_KERNEL, |
1414 | AUDIT_INTEGRITY_POLICY_RULE); |
1415 | |
1416 | entry->uid = INVALID_UID; |
1417 | entry->gid = INVALID_GID; |
1418 | entry->fowner = INVALID_UID; |
1419 | entry->fgroup = INVALID_GID; |
1420 | entry->uid_op = &uid_eq; |
1421 | entry->gid_op = &gid_eq; |
1422 | entry->fowner_op = &vfsuid_eq_kuid; |
1423 | entry->fgroup_op = &vfsgid_eq_kgid; |
1424 | entry->action = UNKNOWN; |
1425 | while ((p = strsep(&rule, " \t" )) != NULL) { |
1426 | substring_t args[MAX_OPT_ARGS]; |
1427 | int token; |
1428 | unsigned long lnum; |
1429 | |
1430 | if (result < 0) |
1431 | break; |
1432 | if ((*p == '\0') || (*p == ' ') || (*p == '\t')) |
1433 | continue; |
1434 | token = match_token(p, table: policy_tokens, args); |
1435 | switch (token) { |
1436 | case Opt_measure: |
1437 | ima_log_string(ab, key: "action" , value: "measure" ); |
1438 | |
1439 | if (entry->action != UNKNOWN) |
1440 | result = -EINVAL; |
1441 | |
1442 | entry->action = MEASURE; |
1443 | break; |
1444 | case Opt_dont_measure: |
1445 | ima_log_string(ab, key: "action" , value: "dont_measure" ); |
1446 | |
1447 | if (entry->action != UNKNOWN) |
1448 | result = -EINVAL; |
1449 | |
1450 | entry->action = DONT_MEASURE; |
1451 | break; |
1452 | case Opt_appraise: |
1453 | ima_log_string(ab, key: "action" , value: "appraise" ); |
1454 | |
1455 | if (entry->action != UNKNOWN) |
1456 | result = -EINVAL; |
1457 | |
1458 | entry->action = APPRAISE; |
1459 | break; |
1460 | case Opt_dont_appraise: |
1461 | ima_log_string(ab, key: "action" , value: "dont_appraise" ); |
1462 | |
1463 | if (entry->action != UNKNOWN) |
1464 | result = -EINVAL; |
1465 | |
1466 | entry->action = DONT_APPRAISE; |
1467 | break; |
1468 | case Opt_audit: |
1469 | ima_log_string(ab, key: "action" , value: "audit" ); |
1470 | |
1471 | if (entry->action != UNKNOWN) |
1472 | result = -EINVAL; |
1473 | |
1474 | entry->action = AUDIT; |
1475 | break; |
1476 | case Opt_hash: |
1477 | ima_log_string(ab, key: "action" , value: "hash" ); |
1478 | |
1479 | if (entry->action != UNKNOWN) |
1480 | result = -EINVAL; |
1481 | |
1482 | entry->action = HASH; |
1483 | break; |
1484 | case Opt_dont_hash: |
1485 | ima_log_string(ab, key: "action" , value: "dont_hash" ); |
1486 | |
1487 | if (entry->action != UNKNOWN) |
1488 | result = -EINVAL; |
1489 | |
1490 | entry->action = DONT_HASH; |
1491 | break; |
1492 | case Opt_func: |
1493 | ima_log_string(ab, key: "func" , value: args[0].from); |
1494 | |
1495 | if (entry->func) |
1496 | result = -EINVAL; |
1497 | |
1498 | if (strcmp(args[0].from, "FILE_CHECK" ) == 0) |
1499 | entry->func = FILE_CHECK; |
1500 | /* PATH_CHECK is for backwards compat */ |
1501 | else if (strcmp(args[0].from, "PATH_CHECK" ) == 0) |
1502 | entry->func = FILE_CHECK; |
1503 | else if (strcmp(args[0].from, "MODULE_CHECK" ) == 0) |
1504 | entry->func = MODULE_CHECK; |
1505 | else if (strcmp(args[0].from, "FIRMWARE_CHECK" ) == 0) |
1506 | entry->func = FIRMWARE_CHECK; |
1507 | else if ((strcmp(args[0].from, "FILE_MMAP" ) == 0) |
1508 | || (strcmp(args[0].from, "MMAP_CHECK" ) == 0)) |
1509 | entry->func = MMAP_CHECK; |
1510 | else if ((strcmp(args[0].from, "MMAP_CHECK_REQPROT" ) == 0)) |
1511 | entry->func = MMAP_CHECK_REQPROT; |
1512 | else if (strcmp(args[0].from, "BPRM_CHECK" ) == 0) |
1513 | entry->func = BPRM_CHECK; |
1514 | else if (strcmp(args[0].from, "CREDS_CHECK" ) == 0) |
1515 | entry->func = CREDS_CHECK; |
1516 | else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK" ) == |
1517 | 0) |
1518 | entry->func = KEXEC_KERNEL_CHECK; |
1519 | else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK" ) |
1520 | == 0) |
1521 | entry->func = KEXEC_INITRAMFS_CHECK; |
1522 | else if (strcmp(args[0].from, "POLICY_CHECK" ) == 0) |
1523 | entry->func = POLICY_CHECK; |
1524 | else if (strcmp(args[0].from, "KEXEC_CMDLINE" ) == 0) |
1525 | entry->func = KEXEC_CMDLINE; |
1526 | else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && |
1527 | strcmp(args[0].from, "KEY_CHECK" ) == 0) |
1528 | entry->func = KEY_CHECK; |
1529 | else if (strcmp(args[0].from, "CRITICAL_DATA" ) == 0) |
1530 | entry->func = CRITICAL_DATA; |
1531 | else if (strcmp(args[0].from, "SETXATTR_CHECK" ) == 0) |
1532 | entry->func = SETXATTR_CHECK; |
1533 | else |
1534 | result = -EINVAL; |
1535 | if (!result) |
1536 | entry->flags |= IMA_FUNC; |
1537 | break; |
1538 | case Opt_mask: |
1539 | ima_log_string(ab, key: "mask" , value: args[0].from); |
1540 | |
1541 | if (entry->mask) |
1542 | result = -EINVAL; |
1543 | |
1544 | from = args[0].from; |
1545 | if (*from == '^') |
1546 | from++; |
1547 | |
1548 | if ((strcmp(from, "MAY_EXEC" )) == 0) |
1549 | entry->mask = MAY_EXEC; |
1550 | else if (strcmp(from, "MAY_WRITE" ) == 0) |
1551 | entry->mask = MAY_WRITE; |
1552 | else if (strcmp(from, "MAY_READ" ) == 0) |
1553 | entry->mask = MAY_READ; |
1554 | else if (strcmp(from, "MAY_APPEND" ) == 0) |
1555 | entry->mask = MAY_APPEND; |
1556 | else |
1557 | result = -EINVAL; |
1558 | if (!result) |
1559 | entry->flags |= (*args[0].from == '^') |
1560 | ? IMA_INMASK : IMA_MASK; |
1561 | break; |
1562 | case Opt_fsmagic: |
1563 | ima_log_string(ab, key: "fsmagic" , value: args[0].from); |
1564 | |
1565 | if (entry->fsmagic) { |
1566 | result = -EINVAL; |
1567 | break; |
1568 | } |
1569 | |
1570 | result = kstrtoul(s: args[0].from, base: 16, res: &entry->fsmagic); |
1571 | if (!result) |
1572 | entry->flags |= IMA_FSMAGIC; |
1573 | break; |
1574 | case Opt_fsname: |
1575 | ima_log_string(ab, key: "fsname" , value: args[0].from); |
1576 | |
1577 | entry->fsname = kstrdup(s: args[0].from, GFP_KERNEL); |
1578 | if (!entry->fsname) { |
1579 | result = -ENOMEM; |
1580 | break; |
1581 | } |
1582 | result = 0; |
1583 | entry->flags |= IMA_FSNAME; |
1584 | break; |
1585 | case Opt_keyrings: |
1586 | ima_log_string(ab, key: "keyrings" , value: args[0].from); |
1587 | |
1588 | if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || |
1589 | entry->keyrings) { |
1590 | result = -EINVAL; |
1591 | break; |
1592 | } |
1593 | |
1594 | entry->keyrings = ima_alloc_rule_opt_list(src: args); |
1595 | if (IS_ERR(ptr: entry->keyrings)) { |
1596 | result = PTR_ERR(ptr: entry->keyrings); |
1597 | entry->keyrings = NULL; |
1598 | break; |
1599 | } |
1600 | |
1601 | entry->flags |= IMA_KEYRINGS; |
1602 | break; |
1603 | case Opt_label: |
1604 | ima_log_string(ab, key: "label" , value: args[0].from); |
1605 | |
1606 | if (entry->label) { |
1607 | result = -EINVAL; |
1608 | break; |
1609 | } |
1610 | |
1611 | entry->label = ima_alloc_rule_opt_list(src: args); |
1612 | if (IS_ERR(ptr: entry->label)) { |
1613 | result = PTR_ERR(ptr: entry->label); |
1614 | entry->label = NULL; |
1615 | break; |
1616 | } |
1617 | |
1618 | entry->flags |= IMA_LABEL; |
1619 | break; |
1620 | case Opt_fsuuid: |
1621 | ima_log_string(ab, key: "fsuuid" , value: args[0].from); |
1622 | |
1623 | if (!uuid_is_null(uuid: &entry->fsuuid)) { |
1624 | result = -EINVAL; |
1625 | break; |
1626 | } |
1627 | |
1628 | result = uuid_parse(uuid: args[0].from, u: &entry->fsuuid); |
1629 | if (!result) |
1630 | entry->flags |= IMA_FSUUID; |
1631 | break; |
1632 | case Opt_uid_gt: |
1633 | case Opt_euid_gt: |
1634 | entry->uid_op = &uid_gt; |
1635 | fallthrough; |
1636 | case Opt_uid_lt: |
1637 | case Opt_euid_lt: |
1638 | if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) |
1639 | entry->uid_op = &uid_lt; |
1640 | fallthrough; |
1641 | case Opt_uid_eq: |
1642 | case Opt_euid_eq: |
1643 | eid_token = (token == Opt_euid_eq) || |
1644 | (token == Opt_euid_gt) || |
1645 | (token == Opt_euid_lt); |
1646 | |
1647 | ima_log_string_op(ab, key: eid_token ? "euid" : "uid" , |
1648 | value: args[0].from, rule_operator: token); |
1649 | |
1650 | if (uid_valid(uid: entry->uid)) { |
1651 | result = -EINVAL; |
1652 | break; |
1653 | } |
1654 | |
1655 | result = kstrtoul(s: args[0].from, base: 10, res: &lnum); |
1656 | if (!result) { |
1657 | entry->uid = make_kuid(current_user_ns(), |
1658 | uid: (uid_t) lnum); |
1659 | if (!uid_valid(uid: entry->uid) || |
1660 | (uid_t)lnum != lnum) |
1661 | result = -EINVAL; |
1662 | else |
1663 | entry->flags |= eid_token |
1664 | ? IMA_EUID : IMA_UID; |
1665 | } |
1666 | break; |
1667 | case Opt_gid_gt: |
1668 | case Opt_egid_gt: |
1669 | entry->gid_op = &gid_gt; |
1670 | fallthrough; |
1671 | case Opt_gid_lt: |
1672 | case Opt_egid_lt: |
1673 | if ((token == Opt_gid_lt) || (token == Opt_egid_lt)) |
1674 | entry->gid_op = &gid_lt; |
1675 | fallthrough; |
1676 | case Opt_gid_eq: |
1677 | case Opt_egid_eq: |
1678 | eid_token = (token == Opt_egid_eq) || |
1679 | (token == Opt_egid_gt) || |
1680 | (token == Opt_egid_lt); |
1681 | |
1682 | ima_log_string_op(ab, key: eid_token ? "egid" : "gid" , |
1683 | value: args[0].from, rule_operator: token); |
1684 | |
1685 | if (gid_valid(gid: entry->gid)) { |
1686 | result = -EINVAL; |
1687 | break; |
1688 | } |
1689 | |
1690 | result = kstrtoul(s: args[0].from, base: 10, res: &lnum); |
1691 | if (!result) { |
1692 | entry->gid = make_kgid(current_user_ns(), |
1693 | gid: (gid_t)lnum); |
1694 | if (!gid_valid(gid: entry->gid) || |
1695 | (((gid_t)lnum) != lnum)) |
1696 | result = -EINVAL; |
1697 | else |
1698 | entry->flags |= eid_token |
1699 | ? IMA_EGID : IMA_GID; |
1700 | } |
1701 | break; |
1702 | case Opt_fowner_gt: |
1703 | entry->fowner_op = &vfsuid_gt_kuid; |
1704 | fallthrough; |
1705 | case Opt_fowner_lt: |
1706 | if (token == Opt_fowner_lt) |
1707 | entry->fowner_op = &vfsuid_lt_kuid; |
1708 | fallthrough; |
1709 | case Opt_fowner_eq: |
1710 | ima_log_string_op(ab, key: "fowner" , value: args[0].from, rule_operator: token); |
1711 | |
1712 | if (uid_valid(uid: entry->fowner)) { |
1713 | result = -EINVAL; |
1714 | break; |
1715 | } |
1716 | |
1717 | result = kstrtoul(s: args[0].from, base: 10, res: &lnum); |
1718 | if (!result) { |
1719 | entry->fowner = make_kuid(current_user_ns(), |
1720 | uid: (uid_t)lnum); |
1721 | if (!uid_valid(uid: entry->fowner) || |
1722 | (((uid_t)lnum) != lnum)) |
1723 | result = -EINVAL; |
1724 | else |
1725 | entry->flags |= IMA_FOWNER; |
1726 | } |
1727 | break; |
1728 | case Opt_fgroup_gt: |
1729 | entry->fgroup_op = &vfsgid_gt_kgid; |
1730 | fallthrough; |
1731 | case Opt_fgroup_lt: |
1732 | if (token == Opt_fgroup_lt) |
1733 | entry->fgroup_op = &vfsgid_lt_kgid; |
1734 | fallthrough; |
1735 | case Opt_fgroup_eq: |
1736 | ima_log_string_op(ab, key: "fgroup" , value: args[0].from, rule_operator: token); |
1737 | |
1738 | if (gid_valid(gid: entry->fgroup)) { |
1739 | result = -EINVAL; |
1740 | break; |
1741 | } |
1742 | |
1743 | result = kstrtoul(s: args[0].from, base: 10, res: &lnum); |
1744 | if (!result) { |
1745 | entry->fgroup = make_kgid(current_user_ns(), |
1746 | gid: (gid_t)lnum); |
1747 | if (!gid_valid(gid: entry->fgroup) || |
1748 | (((gid_t)lnum) != lnum)) |
1749 | result = -EINVAL; |
1750 | else |
1751 | entry->flags |= IMA_FGROUP; |
1752 | } |
1753 | break; |
1754 | case Opt_obj_user: |
1755 | ima_log_string(ab, key: "obj_user" , value: args[0].from); |
1756 | result = ima_lsm_rule_init(entry, args, |
1757 | lsm_rule: LSM_OBJ_USER, |
1758 | AUDIT_OBJ_USER); |
1759 | break; |
1760 | case Opt_obj_role: |
1761 | ima_log_string(ab, key: "obj_role" , value: args[0].from); |
1762 | result = ima_lsm_rule_init(entry, args, |
1763 | lsm_rule: LSM_OBJ_ROLE, |
1764 | AUDIT_OBJ_ROLE); |
1765 | break; |
1766 | case Opt_obj_type: |
1767 | ima_log_string(ab, key: "obj_type" , value: args[0].from); |
1768 | result = ima_lsm_rule_init(entry, args, |
1769 | lsm_rule: LSM_OBJ_TYPE, |
1770 | AUDIT_OBJ_TYPE); |
1771 | break; |
1772 | case Opt_subj_user: |
1773 | ima_log_string(ab, key: "subj_user" , value: args[0].from); |
1774 | result = ima_lsm_rule_init(entry, args, |
1775 | lsm_rule: LSM_SUBJ_USER, |
1776 | AUDIT_SUBJ_USER); |
1777 | break; |
1778 | case Opt_subj_role: |
1779 | ima_log_string(ab, key: "subj_role" , value: args[0].from); |
1780 | result = ima_lsm_rule_init(entry, args, |
1781 | lsm_rule: LSM_SUBJ_ROLE, |
1782 | AUDIT_SUBJ_ROLE); |
1783 | break; |
1784 | case Opt_subj_type: |
1785 | ima_log_string(ab, key: "subj_type" , value: args[0].from); |
1786 | result = ima_lsm_rule_init(entry, args, |
1787 | lsm_rule: LSM_SUBJ_TYPE, |
1788 | AUDIT_SUBJ_TYPE); |
1789 | break; |
1790 | case Opt_digest_type: |
1791 | ima_log_string(ab, key: "digest_type" , value: args[0].from); |
1792 | if (entry->flags & IMA_DIGSIG_REQUIRED) |
1793 | result = -EINVAL; |
1794 | else if ((strcmp(args[0].from, "verity" )) == 0) |
1795 | entry->flags |= IMA_VERITY_REQUIRED; |
1796 | else |
1797 | result = -EINVAL; |
1798 | break; |
1799 | case Opt_appraise_type: |
1800 | ima_log_string(ab, key: "appraise_type" , value: args[0].from); |
1801 | |
1802 | if ((strcmp(args[0].from, "imasig" )) == 0) { |
1803 | if (entry->flags & IMA_VERITY_REQUIRED) |
1804 | result = -EINVAL; |
1805 | else |
1806 | entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; |
1807 | } else if (strcmp(args[0].from, "sigv3" ) == 0) { |
1808 | /* Only fsverity supports sigv3 for now */ |
1809 | if (entry->flags & IMA_VERITY_REQUIRED) |
1810 | entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; |
1811 | else |
1812 | result = -EINVAL; |
1813 | } else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && |
1814 | strcmp(args[0].from, "imasig|modsig" ) == 0) { |
1815 | if (entry->flags & IMA_VERITY_REQUIRED) |
1816 | result = -EINVAL; |
1817 | else |
1818 | entry->flags |= IMA_DIGSIG_REQUIRED | |
1819 | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST; |
1820 | } else { |
1821 | result = -EINVAL; |
1822 | } |
1823 | break; |
1824 | case Opt_appraise_flag: |
1825 | ima_log_string(ab, key: "appraise_flag" , value: args[0].from); |
1826 | break; |
1827 | case Opt_appraise_algos: |
1828 | ima_log_string(ab, key: "appraise_algos" , value: args[0].from); |
1829 | |
1830 | if (entry->allowed_algos) { |
1831 | result = -EINVAL; |
1832 | break; |
1833 | } |
1834 | |
1835 | entry->allowed_algos = |
1836 | ima_parse_appraise_algos(arg: args[0].from); |
1837 | /* invalid or empty list of algorithms */ |
1838 | if (!entry->allowed_algos) { |
1839 | result = -EINVAL; |
1840 | break; |
1841 | } |
1842 | |
1843 | entry->flags |= IMA_VALIDATE_ALGOS; |
1844 | |
1845 | break; |
1846 | case Opt_permit_directio: |
1847 | entry->flags |= IMA_PERMIT_DIRECTIO; |
1848 | break; |
1849 | case Opt_pcr: |
1850 | ima_log_string(ab, key: "pcr" , value: args[0].from); |
1851 | |
1852 | result = kstrtoint(s: args[0].from, base: 10, res: &entry->pcr); |
1853 | if (result || INVALID_PCR(entry->pcr)) |
1854 | result = -EINVAL; |
1855 | else |
1856 | entry->flags |= IMA_PCR; |
1857 | |
1858 | break; |
1859 | case Opt_template: |
1860 | ima_log_string(ab, key: "template" , value: args[0].from); |
1861 | if (entry->action != MEASURE) { |
1862 | result = -EINVAL; |
1863 | break; |
1864 | } |
1865 | template_desc = lookup_template_desc(name: args[0].from); |
1866 | if (!template_desc || entry->template) { |
1867 | result = -EINVAL; |
1868 | break; |
1869 | } |
1870 | |
1871 | /* |
1872 | * template_desc_init_fields() does nothing if |
1873 | * the template is already initialised, so |
1874 | * it's safe to do this unconditionally |
1875 | */ |
1876 | template_desc_init_fields(template_fmt: template_desc->fmt, |
1877 | fields: &(template_desc->fields), |
1878 | num_fields: &(template_desc->num_fields)); |
1879 | entry->template = template_desc; |
1880 | break; |
1881 | case Opt_err: |
1882 | ima_log_string(ab, key: "UNKNOWN" , value: p); |
1883 | result = -EINVAL; |
1884 | break; |
1885 | } |
1886 | } |
1887 | if (!result && !ima_validate_rule(entry)) |
1888 | result = -EINVAL; |
1889 | else if (entry->action == APPRAISE) |
1890 | temp_ima_appraise |= ima_appraise_flag(func: entry->func); |
1891 | |
1892 | if (!result && entry->flags & IMA_MODSIG_ALLOWED) { |
1893 | template_desc = entry->template ? entry->template : |
1894 | ima_template_desc_current(); |
1895 | check_template_modsig(template: template_desc); |
1896 | } |
1897 | |
1898 | /* d-ngv2 template field recommended for unsigned fs-verity digests */ |
1899 | if (!result && entry->action == MEASURE && |
1900 | entry->flags & IMA_VERITY_REQUIRED) { |
1901 | template_desc = entry->template ? entry->template : |
1902 | ima_template_desc_current(); |
1903 | check_template_field(template: template_desc, field: "d-ngv2" , |
1904 | msg: "verity rules should include d-ngv2" ); |
1905 | } |
1906 | |
1907 | audit_log_format(ab, fmt: "res=%d" , !result); |
1908 | audit_log_end(ab); |
1909 | return result; |
1910 | } |
1911 | |
1912 | /** |
1913 | * ima_parse_add_rule - add a rule to ima_policy_rules |
1914 | * @rule: ima measurement policy rule |
1915 | * |
1916 | * Avoid locking by allowing just one writer at a time in ima_write_policy() |
1917 | * Returns the length of the rule parsed, an error code on failure |
1918 | */ |
1919 | ssize_t ima_parse_add_rule(char *rule) |
1920 | { |
1921 | static const char op[] = "update_policy" ; |
1922 | char *p; |
1923 | struct ima_rule_entry *entry; |
1924 | ssize_t result, len; |
1925 | int audit_info = 0; |
1926 | |
1927 | p = strsep(&rule, "\n" ); |
1928 | len = strlen(p) + 1; |
1929 | p += strspn(p, " \t" ); |
1930 | |
1931 | if (*p == '#' || *p == '\0') |
1932 | return len; |
1933 | |
1934 | entry = kzalloc(size: sizeof(*entry), GFP_KERNEL); |
1935 | if (!entry) { |
1936 | integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, |
1937 | NULL, op, cause: "-ENOMEM" , result: -ENOMEM, info: audit_info); |
1938 | return -ENOMEM; |
1939 | } |
1940 | |
1941 | INIT_LIST_HEAD(list: &entry->list); |
1942 | |
1943 | result = ima_parse_rule(rule: p, entry); |
1944 | if (result) { |
1945 | ima_free_rule(entry); |
1946 | integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, |
1947 | NULL, op, cause: "invalid-policy" , result, |
1948 | info: audit_info); |
1949 | return result; |
1950 | } |
1951 | |
1952 | list_add_tail(new: &entry->list, head: &ima_temp_rules); |
1953 | |
1954 | return len; |
1955 | } |
1956 | |
1957 | /** |
1958 | * ima_delete_rules() - called to cleanup invalid in-flight policy. |
1959 | * |
1960 | * We don't need locking as we operate on the temp list, which is |
1961 | * different from the active one. There is also only one user of |
1962 | * ima_delete_rules() at a time. |
1963 | */ |
1964 | void ima_delete_rules(void) |
1965 | { |
1966 | struct ima_rule_entry *entry, *tmp; |
1967 | |
1968 | temp_ima_appraise = 0; |
1969 | list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { |
1970 | list_del(entry: &entry->list); |
1971 | ima_free_rule(entry); |
1972 | } |
1973 | } |
1974 | |
1975 | #define __ima_hook_stringify(func, str) (#func), |
1976 | |
1977 | const char *const func_tokens[] = { |
1978 | __ima_hooks(__ima_hook_stringify) |
1979 | }; |
1980 | |
1981 | #ifdef CONFIG_IMA_READ_POLICY |
1982 | enum { |
1983 | mask_exec = 0, mask_write, mask_read, mask_append |
1984 | }; |
1985 | |
1986 | static const char *const mask_tokens[] = { |
1987 | "^MAY_EXEC" , |
1988 | "^MAY_WRITE" , |
1989 | "^MAY_READ" , |
1990 | "^MAY_APPEND" |
1991 | }; |
1992 | |
1993 | void *ima_policy_start(struct seq_file *m, loff_t *pos) |
1994 | { |
1995 | loff_t l = *pos; |
1996 | struct ima_rule_entry *entry; |
1997 | struct list_head *ima_rules_tmp; |
1998 | |
1999 | rcu_read_lock(); |
2000 | ima_rules_tmp = rcu_dereference(ima_rules); |
2001 | list_for_each_entry_rcu(entry, ima_rules_tmp, list) { |
2002 | if (!l--) { |
2003 | rcu_read_unlock(); |
2004 | return entry; |
2005 | } |
2006 | } |
2007 | rcu_read_unlock(); |
2008 | return NULL; |
2009 | } |
2010 | |
2011 | void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) |
2012 | { |
2013 | struct ima_rule_entry *entry = v; |
2014 | |
2015 | rcu_read_lock(); |
2016 | entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); |
2017 | rcu_read_unlock(); |
2018 | (*pos)++; |
2019 | |
2020 | return (&entry->list == &ima_default_rules || |
2021 | &entry->list == &ima_policy_rules) ? NULL : entry; |
2022 | } |
2023 | |
2024 | void ima_policy_stop(struct seq_file *m, void *v) |
2025 | { |
2026 | } |
2027 | |
2028 | #define pt(token) policy_tokens[token].pattern |
2029 | #define mt(token) mask_tokens[token] |
2030 | |
2031 | /* |
2032 | * policy_func_show - display the ima_hooks policy rule |
2033 | */ |
2034 | static void policy_func_show(struct seq_file *m, enum ima_hooks func) |
2035 | { |
2036 | if (func > 0 && func < MAX_CHECK) |
2037 | seq_printf(m, fmt: "func=%s " , func_tokens[func]); |
2038 | else |
2039 | seq_printf(m, fmt: "func=%d " , func); |
2040 | } |
2041 | |
2042 | static void ima_show_rule_opt_list(struct seq_file *m, |
2043 | const struct ima_rule_opt_list *opt_list) |
2044 | { |
2045 | size_t i; |
2046 | |
2047 | for (i = 0; i < opt_list->count; i++) |
2048 | seq_printf(m, fmt: "%s%s" , i ? "|" : "" , opt_list->items[i]); |
2049 | } |
2050 | |
2051 | static void ima_policy_show_appraise_algos(struct seq_file *m, |
2052 | unsigned int allowed_hashes) |
2053 | { |
2054 | int idx, list_size = 0; |
2055 | |
2056 | for (idx = 0; idx < HASH_ALGO__LAST; idx++) { |
2057 | if (!(allowed_hashes & (1U << idx))) |
2058 | continue; |
2059 | |
2060 | /* only add commas if the list contains multiple entries */ |
2061 | if (list_size++) |
2062 | seq_puts(m, s: "," ); |
2063 | |
2064 | seq_puts(m, s: hash_algo_name[idx]); |
2065 | } |
2066 | } |
2067 | |
2068 | int ima_policy_show(struct seq_file *m, void *v) |
2069 | { |
2070 | struct ima_rule_entry *entry = v; |
2071 | int i; |
2072 | char tbuf[64] = {0,}; |
2073 | int offset = 0; |
2074 | |
2075 | rcu_read_lock(); |
2076 | |
2077 | /* Do not print rules with inactive LSM labels */ |
2078 | for (i = 0; i < MAX_LSM_RULES; i++) { |
2079 | if (entry->lsm[i].args_p && !entry->lsm[i].rule) { |
2080 | rcu_read_unlock(); |
2081 | return 0; |
2082 | } |
2083 | } |
2084 | |
2085 | if (entry->action & MEASURE) |
2086 | seq_puts(m, pt(Opt_measure)); |
2087 | if (entry->action & DONT_MEASURE) |
2088 | seq_puts(m, pt(Opt_dont_measure)); |
2089 | if (entry->action & APPRAISE) |
2090 | seq_puts(m, pt(Opt_appraise)); |
2091 | if (entry->action & DONT_APPRAISE) |
2092 | seq_puts(m, pt(Opt_dont_appraise)); |
2093 | if (entry->action & AUDIT) |
2094 | seq_puts(m, pt(Opt_audit)); |
2095 | if (entry->action & HASH) |
2096 | seq_puts(m, pt(Opt_hash)); |
2097 | if (entry->action & DONT_HASH) |
2098 | seq_puts(m, pt(Opt_dont_hash)); |
2099 | |
2100 | seq_puts(m, s: " " ); |
2101 | |
2102 | if (entry->flags & IMA_FUNC) |
2103 | policy_func_show(m, func: entry->func); |
2104 | |
2105 | if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { |
2106 | if (entry->flags & IMA_MASK) |
2107 | offset = 1; |
2108 | if (entry->mask & MAY_EXEC) |
2109 | seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); |
2110 | if (entry->mask & MAY_WRITE) |
2111 | seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); |
2112 | if (entry->mask & MAY_READ) |
2113 | seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); |
2114 | if (entry->mask & MAY_APPEND) |
2115 | seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); |
2116 | seq_puts(m, s: " " ); |
2117 | } |
2118 | |
2119 | if (entry->flags & IMA_FSMAGIC) { |
2120 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "0x%lx" , entry->fsmagic); |
2121 | seq_printf(m, pt(Opt_fsmagic), tbuf); |
2122 | seq_puts(m, s: " " ); |
2123 | } |
2124 | |
2125 | if (entry->flags & IMA_FSNAME) { |
2126 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%s" , entry->fsname); |
2127 | seq_printf(m, pt(Opt_fsname), tbuf); |
2128 | seq_puts(m, s: " " ); |
2129 | } |
2130 | |
2131 | if (entry->flags & IMA_KEYRINGS) { |
2132 | seq_puts(m, s: "keyrings=" ); |
2133 | ima_show_rule_opt_list(m, opt_list: entry->keyrings); |
2134 | seq_puts(m, s: " " ); |
2135 | } |
2136 | |
2137 | if (entry->flags & IMA_LABEL) { |
2138 | seq_puts(m, s: "label=" ); |
2139 | ima_show_rule_opt_list(m, opt_list: entry->label); |
2140 | seq_puts(m, s: " " ); |
2141 | } |
2142 | |
2143 | if (entry->flags & IMA_PCR) { |
2144 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d" , entry->pcr); |
2145 | seq_printf(m, pt(Opt_pcr), tbuf); |
2146 | seq_puts(m, s: " " ); |
2147 | } |
2148 | |
2149 | if (entry->flags & IMA_FSUUID) { |
2150 | seq_printf(m, fmt: "fsuuid=%pU" , &entry->fsuuid); |
2151 | seq_puts(m, s: " " ); |
2152 | } |
2153 | |
2154 | if (entry->flags & IMA_UID) { |
2155 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d" , __kuid_val(uid: entry->uid)); |
2156 | if (entry->uid_op == &uid_gt) |
2157 | seq_printf(m, pt(Opt_uid_gt), tbuf); |
2158 | else if (entry->uid_op == &uid_lt) |
2159 | seq_printf(m, pt(Opt_uid_lt), tbuf); |
2160 | else |
2161 | seq_printf(m, pt(Opt_uid_eq), tbuf); |
2162 | seq_puts(m, s: " " ); |
2163 | } |
2164 | |
2165 | if (entry->flags & IMA_EUID) { |
2166 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d" , __kuid_val(uid: entry->uid)); |
2167 | if (entry->uid_op == &uid_gt) |
2168 | seq_printf(m, pt(Opt_euid_gt), tbuf); |
2169 | else if (entry->uid_op == &uid_lt) |
2170 | seq_printf(m, pt(Opt_euid_lt), tbuf); |
2171 | else |
2172 | seq_printf(m, pt(Opt_euid_eq), tbuf); |
2173 | seq_puts(m, s: " " ); |
2174 | } |
2175 | |
2176 | if (entry->flags & IMA_GID) { |
2177 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d" , __kgid_val(gid: entry->gid)); |
2178 | if (entry->gid_op == &gid_gt) |
2179 | seq_printf(m, pt(Opt_gid_gt), tbuf); |
2180 | else if (entry->gid_op == &gid_lt) |
2181 | seq_printf(m, pt(Opt_gid_lt), tbuf); |
2182 | else |
2183 | seq_printf(m, pt(Opt_gid_eq), tbuf); |
2184 | seq_puts(m, s: " " ); |
2185 | } |
2186 | |
2187 | if (entry->flags & IMA_EGID) { |
2188 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d" , __kgid_val(gid: entry->gid)); |
2189 | if (entry->gid_op == &gid_gt) |
2190 | seq_printf(m, pt(Opt_egid_gt), tbuf); |
2191 | else if (entry->gid_op == &gid_lt) |
2192 | seq_printf(m, pt(Opt_egid_lt), tbuf); |
2193 | else |
2194 | seq_printf(m, pt(Opt_egid_eq), tbuf); |
2195 | seq_puts(m, s: " " ); |
2196 | } |
2197 | |
2198 | if (entry->flags & IMA_FOWNER) { |
2199 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d" , __kuid_val(uid: entry->fowner)); |
2200 | if (entry->fowner_op == &vfsuid_gt_kuid) |
2201 | seq_printf(m, pt(Opt_fowner_gt), tbuf); |
2202 | else if (entry->fowner_op == &vfsuid_lt_kuid) |
2203 | seq_printf(m, pt(Opt_fowner_lt), tbuf); |
2204 | else |
2205 | seq_printf(m, pt(Opt_fowner_eq), tbuf); |
2206 | seq_puts(m, s: " " ); |
2207 | } |
2208 | |
2209 | if (entry->flags & IMA_FGROUP) { |
2210 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d" , __kgid_val(gid: entry->fgroup)); |
2211 | if (entry->fgroup_op == &vfsgid_gt_kgid) |
2212 | seq_printf(m, pt(Opt_fgroup_gt), tbuf); |
2213 | else if (entry->fgroup_op == &vfsgid_lt_kgid) |
2214 | seq_printf(m, pt(Opt_fgroup_lt), tbuf); |
2215 | else |
2216 | seq_printf(m, pt(Opt_fgroup_eq), tbuf); |
2217 | seq_puts(m, s: " " ); |
2218 | } |
2219 | |
2220 | if (entry->flags & IMA_VALIDATE_ALGOS) { |
2221 | seq_puts(m, s: "appraise_algos=" ); |
2222 | ima_policy_show_appraise_algos(m, allowed_hashes: entry->allowed_algos); |
2223 | seq_puts(m, s: " " ); |
2224 | } |
2225 | |
2226 | for (i = 0; i < MAX_LSM_RULES; i++) { |
2227 | if (entry->lsm[i].rule) { |
2228 | switch (i) { |
2229 | case LSM_OBJ_USER: |
2230 | seq_printf(m, pt(Opt_obj_user), |
2231 | entry->lsm[i].args_p); |
2232 | break; |
2233 | case LSM_OBJ_ROLE: |
2234 | seq_printf(m, pt(Opt_obj_role), |
2235 | entry->lsm[i].args_p); |
2236 | break; |
2237 | case LSM_OBJ_TYPE: |
2238 | seq_printf(m, pt(Opt_obj_type), |
2239 | entry->lsm[i].args_p); |
2240 | break; |
2241 | case LSM_SUBJ_USER: |
2242 | seq_printf(m, pt(Opt_subj_user), |
2243 | entry->lsm[i].args_p); |
2244 | break; |
2245 | case LSM_SUBJ_ROLE: |
2246 | seq_printf(m, pt(Opt_subj_role), |
2247 | entry->lsm[i].args_p); |
2248 | break; |
2249 | case LSM_SUBJ_TYPE: |
2250 | seq_printf(m, pt(Opt_subj_type), |
2251 | entry->lsm[i].args_p); |
2252 | break; |
2253 | } |
2254 | seq_puts(m, s: " " ); |
2255 | } |
2256 | } |
2257 | if (entry->template) |
2258 | seq_printf(m, fmt: "template=%s " , entry->template->name); |
2259 | if (entry->flags & IMA_DIGSIG_REQUIRED) { |
2260 | if (entry->flags & IMA_VERITY_REQUIRED) |
2261 | seq_puts(m, s: "appraise_type=sigv3 " ); |
2262 | else if (entry->flags & IMA_MODSIG_ALLOWED) |
2263 | seq_puts(m, s: "appraise_type=imasig|modsig " ); |
2264 | else |
2265 | seq_puts(m, s: "appraise_type=imasig " ); |
2266 | } |
2267 | if (entry->flags & IMA_VERITY_REQUIRED) |
2268 | seq_puts(m, s: "digest_type=verity " ); |
2269 | if (entry->flags & IMA_PERMIT_DIRECTIO) |
2270 | seq_puts(m, s: "permit_directio " ); |
2271 | rcu_read_unlock(); |
2272 | seq_puts(m, s: "\n" ); |
2273 | return 0; |
2274 | } |
2275 | #endif /* CONFIG_IMA_READ_POLICY */ |
2276 | |
2277 | #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) |
2278 | /* |
2279 | * ima_appraise_signature: whether IMA will appraise a given function using |
2280 | * an IMA digital signature. This is restricted to cases where the kernel |
2281 | * has a set of built-in trusted keys in order to avoid an attacker simply |
2282 | * loading additional keys. |
2283 | */ |
2284 | bool ima_appraise_signature(enum kernel_read_file_id id) |
2285 | { |
2286 | struct ima_rule_entry *entry; |
2287 | bool found = false; |
2288 | enum ima_hooks func; |
2289 | struct list_head *ima_rules_tmp; |
2290 | |
2291 | if (id >= READING_MAX_ID) |
2292 | return false; |
2293 | |
2294 | if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) |
2295 | && security_locked_down(what: LOCKDOWN_KEXEC)) |
2296 | return false; |
2297 | |
2298 | func = read_idmap[id] ?: FILE_CHECK; |
2299 | |
2300 | rcu_read_lock(); |
2301 | ima_rules_tmp = rcu_dereference(ima_rules); |
2302 | list_for_each_entry_rcu(entry, ima_rules_tmp, list) { |
2303 | if (entry->action != APPRAISE) |
2304 | continue; |
2305 | |
2306 | /* |
2307 | * A generic entry will match, but otherwise require that it |
2308 | * match the func we're looking for |
2309 | */ |
2310 | if (entry->func && entry->func != func) |
2311 | continue; |
2312 | |
2313 | /* |
2314 | * We require this to be a digital signature, not a raw IMA |
2315 | * hash. |
2316 | */ |
2317 | if (entry->flags & IMA_DIGSIG_REQUIRED) |
2318 | found = true; |
2319 | |
2320 | /* |
2321 | * We've found a rule that matches, so break now even if it |
2322 | * didn't require a digital signature - a later rule that does |
2323 | * won't override it, so would be a false positive. |
2324 | */ |
2325 | break; |
2326 | } |
2327 | |
2328 | rcu_read_unlock(); |
2329 | return found; |
2330 | } |
2331 | #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ |
2332 | |