1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* Copyright (C) 2008 IBM Corporation
4	* Author: Mimi Zohar <zohar@us.ibm.com>
5	*
6	* ima_policy.c
7	* - initialize default measure policy rules
8	*/
9
10	#include <linux/init.h>
11	#include <linux/list.h>
12	#include <linux/kernel_read_file.h>
13	#include <linux/fs.h>
14	#include <linux/security.h>
15	#include <linux/magic.h>
16	#include <linux/parser.h>
17	#include <linux/slab.h>
18	#include <linux/rculist.h>
19	#include <linux/seq_file.h>
20	#include <linux/ima.h>
21
22	#include "ima.h"
23
24	/* flags definitions */
25	#define IMA_FUNC 0x0001
26	#define IMA_MASK 0x0002
27	#define IMA_FSMAGIC 0x0004
28	#define IMA_UID 0x0008
29	#define IMA_FOWNER 0x0010
30	#define IMA_FSUUID 0x0020
31	#define IMA_INMASK 0x0040
32	#define IMA_EUID 0x0080
33	#define IMA_PCR 0x0100
34	#define IMA_FSNAME 0x0200
35	#define IMA_KEYRINGS 0x0400
36	#define IMA_LABEL 0x0800
37	#define IMA_VALIDATE_ALGOS 0x1000
38	#define IMA_GID 0x2000
39	#define IMA_EGID 0x4000
40	#define IMA_FGROUP 0x8000
41
42	#define UNKNOWN 0
43	#define MEASURE 0x0001 /* same as IMA_MEASURE */
44	#define DONT_MEASURE 0x0002
45	#define APPRAISE 0x0004 /* same as IMA_APPRAISE */
46	#define DONT_APPRAISE 0x0008
47	#define AUDIT 0x0040
48	#define HASH 0x0100
49	#define DONT_HASH 0x0200
50
51	#define INVALID_PCR(a) (((a) < 0) || \
52	(a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
53
54	int ima_policy_flag;
55	static int temp_ima_appraise;
56	static int build_ima_appraise __ro_after_init;
57
58	atomic_t ima_setxattr_allowed_hash_algorithms;
59
60	#define MAX_LSM_RULES 6
61	enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
62	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
63	};
64
65	enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
66
67	enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
68
69	struct ima_rule_opt_list {
70	size_t count;
71	char *items[] __counted_by(count);
72	};
73
74	/*
75	* These comparators are needed nowhere outside of ima so just define them here.
76	* This pattern should hopefully never be needed outside of ima.
77	*/
78	static inline bool vfsuid_gt_kuid(vfsuid_t vfsuid, kuid_t kuid)
79	{
80	return __vfsuid_val(uid: vfsuid) > __kuid_val(uid: kuid);
81	}
82
83	static inline bool vfsgid_gt_kgid(vfsgid_t vfsgid, kgid_t kgid)
84	{
85	return __vfsgid_val(gid: vfsgid) > __kgid_val(gid: kgid);
86	}
87
88	static inline bool vfsuid_lt_kuid(vfsuid_t vfsuid, kuid_t kuid)
89	{
90	return __vfsuid_val(uid: vfsuid) < __kuid_val(uid: kuid);
91	}
92
93	static inline bool vfsgid_lt_kgid(vfsgid_t vfsgid, kgid_t kgid)
94	{
95	return __vfsgid_val(gid: vfsgid) < __kgid_val(gid: kgid);
96	}
97
98	struct ima_rule_entry {
99	struct list_head list;
100	int action;
101	unsigned int flags;
102	enum ima_hooks func;
103	int mask;
104	unsigned long fsmagic;
105	uuid_t fsuuid;
106	kuid_t uid;
107	kgid_t gid;
108	kuid_t fowner;
109	kgid_t fgroup;
110	bool (*uid_op)(kuid_t cred_uid, kuid_t rule_uid); /* Handlers for operators */
111	bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid);
112	bool (*fowner_op)(vfsuid_t vfsuid, kuid_t rule_uid); /* vfsuid_eq_kuid(), vfsuid_gt_kuid(), vfsuid_lt_kuid() */
113	bool (*fgroup_op)(vfsgid_t vfsgid, kgid_t rule_gid); /* vfsgid_eq_kgid(), vfsgid_gt_kgid(), vfsgid_lt_kgid() */
114	int pcr;
115	unsigned int allowed_algos; /* bitfield of allowed hash algorithms */
116	struct {
117	void *rule; /* LSM file metadata specific */
118	char *args_p; /* audit value */
119	int type; /* audit type */
120	} lsm[MAX_LSM_RULES];
121	char *fsname;
122	struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
123	struct ima_rule_opt_list *label; /* Measure data grouped under this label */
124	struct ima_template_desc *template;
125	};
126
127	/*
128	* sanity check in case the kernels gains more hash algorithms that can
129	* fit in an unsigned int
130	*/
131	static_assert(
132	8 * sizeof(unsigned int) >= HASH_ALGO__LAST,
133	"The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type");
134
135	/*
136	* Without LSM specific knowledge, the default policy can only be
137	* written in terms of .action, .func, .mask, .fsmagic, .uid, .gid,
138	* .fowner, and .fgroup
139	*/
140
141	/*
142	* The minimum rule set to allow for full TCB coverage. Measures all files
143	* opened or mmap for exec and everything read by root. Dangerous because
144	* normal users can easily run the machine out of memory simply building
145	* and running executables.
146	*/
147	static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
148	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
149	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
150	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
151	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
152	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
153	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
154	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
155	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
156	{.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
157	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
158	.flags = IMA_FSMAGIC},
159	{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
160	.flags = IMA_FSMAGIC},
161	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
162	{.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
163	};
164
165	static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
166	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
167	.flags = IMA_FUNC | IMA_MASK},
168	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
169	.flags = IMA_FUNC | IMA_MASK},
170	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
171	.uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
172	.flags = IMA_FUNC | IMA_MASK | IMA_UID},
173	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
174	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
175	};
176
177	static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
178	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
179	.flags = IMA_FUNC | IMA_MASK},
180	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
181	.flags = IMA_FUNC | IMA_MASK},
182	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
183	.uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
184	.flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
185	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
186	.uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
187	.flags = IMA_FUNC | IMA_INMASK | IMA_UID},
188	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
189	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
190	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
191	};
192
193	static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
194	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
195	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
196	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
197	{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
198	{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
199	{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
200	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
201	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
202	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
203	{.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
204	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
205	{.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
206	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
207	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
208	#ifdef CONFIG_IMA_WRITE_POLICY
209	{.action = APPRAISE, .func = POLICY_CHECK,
210	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
211	#endif
212	#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
213	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid,
214	.flags = IMA_FOWNER},
215	#else
216	/* force signature */
217	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid,
218	.flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
219	#endif
220	};
221
222	static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
223	#ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
224	{.action = APPRAISE, .func = MODULE_CHECK,
225	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
226	#endif
227	#ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
228	{.action = APPRAISE, .func = FIRMWARE_CHECK,
229	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
230	#endif
231	#ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
232	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
233	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
234	#endif
235	#ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
236	{.action = APPRAISE, .func = POLICY_CHECK,
237	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
238	#endif
239	};
240
241	static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
242	{.action = APPRAISE, .func = MODULE_CHECK,
243	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
244	{.action = APPRAISE, .func = FIRMWARE_CHECK,
245	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
246	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
247	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
248	{.action = APPRAISE, .func = POLICY_CHECK,
249	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
250	};
251
252	static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
253	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
254	};
255
256	/* An array of architecture specific rules */
257	static struct ima_rule_entry *arch_policy_entry __ro_after_init;
258
259	static LIST_HEAD(ima_default_rules);
260	static LIST_HEAD(ima_policy_rules);
261	static LIST_HEAD(ima_temp_rules);
262	static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules);
263
264	static int ima_policy __initdata;
265
266	static int __init default_measure_policy_setup(char *str)
267	{
268	if (ima_policy)
269	return 1;
270
271	ima_policy = ORIGINAL_TCB;
272	return 1;
273	}
274	__setup("ima_tcb", default_measure_policy_setup);
275
276	static bool ima_use_appraise_tcb __initdata;
277	static bool ima_use_secure_boot __initdata;
278	static bool ima_use_critical_data __initdata;
279	static bool ima_fail_unverifiable_sigs __ro_after_init;
280	static int __init policy_setup(char *str)
281	{
282	char *p;
283
284	while ((p = strsep(&str, " |\n")) != NULL) {
285	if (*p == ' ')
286	continue;
287	if ((strcmp(p, "tcb") == 0) && !ima_policy)
288	ima_policy = DEFAULT_TCB;
289	else if (strcmp(p, "appraise_tcb") == 0)
290	ima_use_appraise_tcb = true;
291	else if (strcmp(p, "secure_boot") == 0)
292	ima_use_secure_boot = true;
293	else if (strcmp(p, "critical_data") == 0)
294	ima_use_critical_data = true;
295	else if (strcmp(p, "fail_securely") == 0)
296	ima_fail_unverifiable_sigs = true;
297	else
298	pr_err("policy \"%s\" not found", p);
299	}
300
301	return 1;
302	}
303	__setup("ima_policy=", policy_setup);
304
305	static int __init default_appraise_policy_setup(char *str)
306	{
307	ima_use_appraise_tcb = true;
308	return 1;
309	}
310	__setup("ima_appraise_tcb", default_appraise_policy_setup);
311
312	static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src)
313	{
314	struct ima_rule_opt_list *opt_list;
315	size_t count = 0;
316	char *src_copy;
317	char *cur, *next;
318	size_t i;
319
320	src_copy = match_strdup(src);
321	if (!src_copy)
322	return ERR_PTR(error: -ENOMEM);
323
324	next = src_copy;
325	while ((cur = strsep(&next, "|"))) {
326	/* Don't accept an empty list item */
327	if (!(*cur)) {
328	kfree(objp: src_copy);
329	return ERR_PTR(error: -EINVAL);
330	}
331	count++;
332	}
333
334	/* Don't accept an empty list */
335	if (!count) {
336	kfree(objp: src_copy);
337	return ERR_PTR(error: -EINVAL);
338	}
339
340	opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL);
341	if (!opt_list) {
342	kfree(objp: src_copy);
343	return ERR_PTR(error: -ENOMEM);
344	}
345	opt_list->count = count;
346
347	/*
348	* strsep() has already replaced all instances of '|' with '\0',
349	* leaving a byte sequence of NUL-terminated strings. Reference each
350	* string with the array of items.
351	*
352	* IMPORTANT: Ownership of the allocated buffer is transferred from
353	* src_copy to the first element in the items array. To free the
354	* buffer, kfree() must only be called on the first element of the
355	* array.
356	*/
357	for (i = 0, cur = src_copy; i < count; i++) {
358	opt_list->items[i] = cur;
359	cur = strchr(cur, '\0') + 1;
360	}
361
362	return opt_list;
363	}
364
365	static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
366	{
367	if (!opt_list)
368	return;
369
370	if (opt_list->count) {
371	kfree(objp: opt_list->items[0]);
372	opt_list->count = 0;
373	}
374
375	kfree(objp: opt_list);
376	}
377
378	static void ima_lsm_free_rule(struct ima_rule_entry *entry)
379	{
380	int i;
381
382	for (i = 0; i < MAX_LSM_RULES; i++) {
383	ima_filter_rule_free(lsmrule: entry->lsm[i].rule);
384	kfree(objp: entry->lsm[i].args_p);
385	}
386	}
387
388	static void ima_free_rule(struct ima_rule_entry *entry)
389	{
390	if (!entry)
391	return;
392
393	/*
394	* entry->template->fields may be allocated in ima_parse_rule() but that
395	* reference is owned by the corresponding ima_template_desc element in
396	* the defined_templates list and cannot be freed here
397	*/
398	kfree(objp: entry->fsname);
399	ima_free_rule_opt_list(opt_list: entry->keyrings);
400	ima_lsm_free_rule(entry);
401	kfree(objp: entry);
402	}
403
404	static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
405	{
406	struct ima_rule_entry *nentry;
407	int i;
408
409	/*
410	* Immutable elements are copied over as pointers and data; only
411	* lsm rules can change
412	*/
413	nentry = kmemdup(p: entry, size: sizeof(*nentry), GFP_KERNEL);
414	if (!nentry)
415	return NULL;
416
417	memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm));
418
419	for (i = 0; i < MAX_LSM_RULES; i++) {
420	if (!entry->lsm[i].args_p)
421	continue;
422
423	nentry->lsm[i].type = entry->lsm[i].type;
424	nentry->lsm[i].args_p = entry->lsm[i].args_p;
425
426	ima_filter_rule_init(field: nentry->lsm[i].type, op: Audit_equal,
427	rulestr: nentry->lsm[i].args_p,
428	lsmrule: &nentry->lsm[i].rule);
429	if (!nentry->lsm[i].rule)
430	pr_warn("rule for LSM \'%s\' is undefined\n",
431	nentry->lsm[i].args_p);
432	}
433	return nentry;
434	}
435
436	static int ima_lsm_update_rule(struct ima_rule_entry *entry)
437	{
438	int i;
439	struct ima_rule_entry *nentry;
440
441	nentry = ima_lsm_copy_rule(entry);
442	if (!nentry)
443	return -ENOMEM;
444
445	list_replace_rcu(old: &entry->list, new: &nentry->list);
446	synchronize_rcu();
447	/*
448	* ima_lsm_copy_rule() shallow copied all references, except for the
449	* LSM references, from entry to nentry so we only want to free the LSM
450	* references and the entry itself. All other memory references will now
451	* be owned by nentry.
452	*/
453	for (i = 0; i < MAX_LSM_RULES; i++)
454	ima_filter_rule_free(lsmrule: entry->lsm[i].rule);
455	kfree(objp: entry);
456
457	return 0;
458	}
459
460	static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
461	{
462	int i;
463
464	for (i = 0; i < MAX_LSM_RULES; i++)
465	if (entry->lsm[i].args_p)
466	return true;
467
468	return false;
469	}
470
471	/*
472	* The LSM policy can be reloaded, leaving the IMA LSM based rules referring
473	* to the old, stale LSM policy. Update the IMA LSM based rules to reflect
474	* the reloaded LSM policy.
475	*/
476	static void ima_lsm_update_rules(void)
477	{
478	struct ima_rule_entry *entry, *e;
479	int result;
480
481	list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
482	if (!ima_rule_contains_lsm_cond(entry))
483	continue;
484
485	result = ima_lsm_update_rule(entry);
486	if (result) {
487	pr_err("lsm rule update error %d\n", result);
488	return;
489	}
490	}
491	}
492
493	int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
494	void *lsm_data)
495	{
496	if (event != LSM_POLICY_CHANGE)
497	return NOTIFY_DONE;
498
499	ima_lsm_update_rules();
500	return NOTIFY_OK;
501	}
502
503	/**
504	* ima_match_rule_data - determine whether func_data matches the policy rule
505	* @rule: a pointer to a rule
506	* @func_data: data to match against the measure rule data
507	* @cred: a pointer to a credentials structure for user validation
508	*
509	* Returns true if func_data matches one in the rule, false otherwise.
510	*/
511	static bool ima_match_rule_data(struct ima_rule_entry *rule,
512	const char *func_data,
513	const struct cred *cred)
514	{
515	const struct ima_rule_opt_list *opt_list = NULL;
516	bool matched = false;
517	size_t i;
518
519	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
520	return false;
521
522	switch (rule->func) {
523	case KEY_CHECK:
524	if (!rule->keyrings)
525	return true;
526
527	opt_list = rule->keyrings;
528	break;
529	case CRITICAL_DATA:
530	if (!rule->label)
531	return true;
532
533	opt_list = rule->label;
534	break;
535	default:
536	return false;
537	}
538
539	if (!func_data)
540	return false;
541
542	for (i = 0; i < opt_list->count; i++) {
543	if (!strcmp(opt_list->items[i], func_data)) {
544	matched = true;
545	break;
546	}
547	}
548
549	return matched;
550	}
551
552	/**
553	* ima_match_rules - determine whether an inode matches the policy rule.
554	* @rule: a pointer to a rule
555	* @idmap: idmap of the mount the inode was found from
556	* @inode: a pointer to an inode
557	* @cred: a pointer to a credentials structure for user validation
558	* @secid: the secid of the task to be validated
559	* @func: LIM hook identifier
560	* @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
561	* @func_data: func specific data, may be NULL
562	*
563	* Returns true on rule match, false on failure.
564	*/
565	static bool ima_match_rules(struct ima_rule_entry *rule,
566	struct mnt_idmap *idmap,
567	struct inode *inode, const struct cred *cred,
568	u32 secid, enum ima_hooks func, int mask,
569	const char *func_data)
570	{
571	int i;
572	bool result = false;
573	struct ima_rule_entry *lsm_rule = rule;
574	bool rule_reinitialized = false;
575
576	if ((rule->flags & IMA_FUNC) &&
577	(rule->func != func && func != POST_SETATTR))
578	return false;
579
580	switch (func) {
581	case KEY_CHECK:
582	case CRITICAL_DATA:
583	return ((rule->func == func) &&
584	ima_match_rule_data(rule, func_data, cred));
585	default:
586	break;
587	}
588
589	if ((rule->flags & IMA_MASK) &&
590	(rule->mask != mask && func != POST_SETATTR))
591	return false;
592	if ((rule->flags & IMA_INMASK) &&
593	(!(rule->mask & mask) && func != POST_SETATTR))
594	return false;
595	if ((rule->flags & IMA_FSMAGIC)
596	&& rule->fsmagic != inode->i_sb->s_magic)
597	return false;
598	if ((rule->flags & IMA_FSNAME)
599	&& strcmp(rule->fsname, inode->i_sb->s_type->name))
600	return false;
601	if ((rule->flags & IMA_FSUUID) &&
602	!uuid_equal(u1: &rule->fsuuid, u2: &inode->i_sb->s_uuid))
603	return false;
604	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
605	return false;
606	if (rule->flags & IMA_EUID) {
607	if (has_capability_noaudit(current, CAP_SETUID)) {
608	if (!rule->uid_op(cred->euid, rule->uid)
609	&& !rule->uid_op(cred->suid, rule->uid)
610	&& !rule->uid_op(cred->uid, rule->uid))
611	return false;
612	} else if (!rule->uid_op(cred->euid, rule->uid))
613	return false;
614	}
615	if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid))
616	return false;
617	if (rule->flags & IMA_EGID) {
618	if (has_capability_noaudit(current, CAP_SETGID)) {
619	if (!rule->gid_op(cred->egid, rule->gid)
620	&& !rule->gid_op(cred->sgid, rule->gid)
621	&& !rule->gid_op(cred->gid, rule->gid))
622	return false;
623	} else if (!rule->gid_op(cred->egid, rule->gid))
624	return false;
625	}
626	if ((rule->flags & IMA_FOWNER) &&
627	!rule->fowner_op(i_uid_into_vfsuid(idmap, inode),
628	rule->fowner))
629	return false;
630	if ((rule->flags & IMA_FGROUP) &&
631	!rule->fgroup_op(i_gid_into_vfsgid(idmap, inode),
632	rule->fgroup))
633	return false;
634	for (i = 0; i < MAX_LSM_RULES; i++) {
635	int rc = 0;
636	u32 osid;
637
638	if (!lsm_rule->lsm[i].rule) {
639	if (!lsm_rule->lsm[i].args_p)
640	continue;
641	else
642	return false;
643	}
644
645	retry:
646	switch (i) {
647	case LSM_OBJ_USER:
648	case LSM_OBJ_ROLE:
649	case LSM_OBJ_TYPE:
650	security_inode_getsecid(inode, secid: &osid);
651	rc = ima_filter_rule_match(secid: osid, field: lsm_rule->lsm[i].type,
652	op: Audit_equal,
653	lsmrule: lsm_rule->lsm[i].rule);
654	break;
655	case LSM_SUBJ_USER:
656	case LSM_SUBJ_ROLE:
657	case LSM_SUBJ_TYPE:
658	rc = ima_filter_rule_match(secid, field: lsm_rule->lsm[i].type,
659	op: Audit_equal,
660	lsmrule: lsm_rule->lsm[i].rule);
661	break;
662	default:
663	break;
664	}
665
666	if (rc == -ESTALE && !rule_reinitialized) {
667	lsm_rule = ima_lsm_copy_rule(entry: rule);
668	if (lsm_rule) {
669	rule_reinitialized = true;
670	goto retry;
671	}
672	}
673	if (!rc) {
674	result = false;
675	goto out;
676	}
677	}
678	result = true;
679
680	out:
681	if (rule_reinitialized) {
682	for (i = 0; i < MAX_LSM_RULES; i++)
683	ima_filter_rule_free(lsmrule: lsm_rule->lsm[i].rule);
684	kfree(objp: lsm_rule);
685	}
686	return result;
687	}
688
689	/*
690	* In addition to knowing that we need to appraise the file in general,
691	* we need to differentiate between calling hooks, for hook specific rules.
692	*/
693	static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
694	{
695	if (!(rule->flags & IMA_FUNC))
696	return IMA_FILE_APPRAISE;
697
698	switch (func) {
699	case MMAP_CHECK:
700	case MMAP_CHECK_REQPROT:
701	return IMA_MMAP_APPRAISE;
702	case BPRM_CHECK:
703	return IMA_BPRM_APPRAISE;
704	case CREDS_CHECK:
705	return IMA_CREDS_APPRAISE;
706	case FILE_CHECK:
707	case POST_SETATTR:
708	return IMA_FILE_APPRAISE;
709	case MODULE_CHECK ... MAX_CHECK - 1:
710	default:
711	return IMA_READ_APPRAISE;
712	}
713	}
714
715	/**
716	* ima_match_policy - decision based on LSM and other conditions
717	* @idmap: idmap of the mount the inode was found from
718	* @inode: pointer to an inode for which the policy decision is being made
719	* @cred: pointer to a credentials structure for which the policy decision is
720	* being made
721	* @secid: LSM secid of the task to be validated
722	* @func: IMA hook identifier
723	* @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
724	* @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE)
725	* @pcr: set the pcr to extend
726	* @template_desc: the template that should be used for this rule
727	* @func_data: func specific data, may be NULL
728	* @allowed_algos: allowlist of hash algorithms for the IMA xattr
729	*
730	* Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
731	* conditions.
732	*
733	* Since the IMA policy may be updated multiple times we need to lock the
734	* list when walking it. Reads are many orders of magnitude more numerous
735	* than writes so ima_match_policy() is classical RCU candidate.
736	*/
737	int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode,
738	const struct cred *cred, u32 secid, enum ima_hooks func,
739	int mask, int flags, int *pcr,
740	struct ima_template_desc **template_desc,
741	const char *func_data, unsigned int *allowed_algos)
742	{
743	struct ima_rule_entry *entry;
744	int action = 0, actmask = flags | (flags << 1);
745	struct list_head *ima_rules_tmp;
746
747	if (template_desc && !*template_desc)
748	*template_desc = ima_template_desc_current();
749
750	rcu_read_lock();
751	ima_rules_tmp = rcu_dereference(ima_rules);
752	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
753
754	if (!(entry->action & actmask))
755	continue;
756
757	if (!ima_match_rules(rule: entry, idmap, inode, cred, secid,
758	func, mask, func_data))
759	continue;
760
761	action |= entry->flags & IMA_NONACTION_FLAGS;
762
763	action |= entry->action & IMA_DO_MASK;
764	if (entry->action & IMA_APPRAISE) {
765	action |= get_subaction(rule: entry, func);
766	action &= ~IMA_HASH;
767	if (ima_fail_unverifiable_sigs)
768	action |= IMA_FAIL_UNVERIFIABLE_SIGS;
769
770	if (allowed_algos &&
771	entry->flags & IMA_VALIDATE_ALGOS)
772	*allowed_algos = entry->allowed_algos;
773	}
774
775	if (entry->action & IMA_DO_MASK)
776	actmask &= ~(entry->action | entry->action << 1);
777	else
778	actmask &= ~(entry->action | entry->action >> 1);
779
780	if ((pcr) && (entry->flags & IMA_PCR))
781	*pcr = entry->pcr;
782
783	if (template_desc && entry->template)
784	*template_desc = entry->template;
785
786	if (!actmask)
787	break;
788	}
789	rcu_read_unlock();
790
791	return action;
792	}
793
794	/**
795	* ima_update_policy_flags() - Update global IMA variables
796	*
797	* Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms
798	* based on the currently loaded policy.
799	*
800	* With ima_policy_flag, the decision to short circuit out of a function
801	* or not call the function in the first place can be made earlier.
802	*
803	* With ima_setxattr_allowed_hash_algorithms, the policy can restrict the
804	* set of hash algorithms accepted when updating the security.ima xattr of
805	* a file.
806	*
807	* Context: called after a policy update and at system initialization.
808	*/
809	void ima_update_policy_flags(void)
810	{
811	struct ima_rule_entry *entry;
812	int new_policy_flag = 0;
813	struct list_head *ima_rules_tmp;
814
815	rcu_read_lock();
816	ima_rules_tmp = rcu_dereference(ima_rules);
817	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
818	/*
819	* SETXATTR_CHECK rules do not implement a full policy check
820	* because rule checking would probably have an important
821	* performance impact on setxattr(). As a consequence, only one
822	* SETXATTR_CHECK can be active at a given time.
823	* Because we want to preserve that property, we set out to use
824	* atomic_cmpxchg. Either:
825	* - the atomic was non-zero: a setxattr hash policy is
826	* already enforced, we do nothing
827	* - the atomic was zero: no setxattr policy was set, enable
828	* the setxattr hash policy
829	*/
830	if (entry->func == SETXATTR_CHECK) {
831	atomic_cmpxchg(v: &ima_setxattr_allowed_hash_algorithms,
832	old: 0, new: entry->allowed_algos);
833	/* SETXATTR_CHECK doesn't impact ima_policy_flag */
834	continue;
835	}
836
837	if (entry->action & IMA_DO_MASK)
838	new_policy_flag |= entry->action;
839	}
840	rcu_read_unlock();
841
842	ima_appraise |= (build_ima_appraise | temp_ima_appraise);
843	if (!ima_appraise)
844	new_policy_flag &= ~IMA_APPRAISE;
845
846	ima_policy_flag = new_policy_flag;
847	}
848
849	static int ima_appraise_flag(enum ima_hooks func)
850	{
851	if (func == MODULE_CHECK)
852	return IMA_APPRAISE_MODULES;
853	else if (func == FIRMWARE_CHECK)
854	return IMA_APPRAISE_FIRMWARE;
855	else if (func == POLICY_CHECK)
856	return IMA_APPRAISE_POLICY;
857	else if (func == KEXEC_KERNEL_CHECK)
858	return IMA_APPRAISE_KEXEC;
859	return 0;
860	}
861
862	static void add_rules(struct ima_rule_entry *entries, int count,
863	enum policy_rule_list policy_rule)
864	{
865	int i = 0;
866
867	for (i = 0; i < count; i++) {
868	struct ima_rule_entry *entry;
869
870	if (policy_rule & IMA_DEFAULT_POLICY)
871	list_add_tail(new: &entries[i].list, head: &ima_default_rules);
872
873	if (policy_rule & IMA_CUSTOM_POLICY) {
874	entry = kmemdup(p: &entries[i], size: sizeof(*entry),
875	GFP_KERNEL);
876	if (!entry)
877	continue;
878
879	list_add_tail(new: &entry->list, head: &ima_policy_rules);
880	}
881	if (entries[i].action == APPRAISE) {
882	if (entries != build_appraise_rules)
883	temp_ima_appraise |=
884	ima_appraise_flag(func: entries[i].func);
885	else
886	build_ima_appraise |=
887	ima_appraise_flag(func: entries[i].func);
888	}
889	}
890	}
891
892	static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
893
894	static int __init ima_init_arch_policy(void)
895	{
896	const char * const *arch_rules;
897	const char * const *rules;
898	int arch_entries = 0;
899	int i = 0;
900
901	arch_rules = arch_get_ima_policy();
902	if (!arch_rules)
903	return arch_entries;
904
905	/* Get number of rules */
906	for (rules = arch_rules; *rules != NULL; rules++)
907	arch_entries++;
908
909	arch_policy_entry = kcalloc(n: arch_entries + 1,
910	size: sizeof(*arch_policy_entry), GFP_KERNEL);
911	if (!arch_policy_entry)
912	return 0;
913
914	/* Convert each policy string rules to struct ima_rule_entry format */
915	for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
916	char rule[255];
917	int result;
918
919	result = strscpy(rule, *rules, sizeof(rule));
920
921	INIT_LIST_HEAD(list: &arch_policy_entry[i].list);
922	result = ima_parse_rule(rule, entry: &arch_policy_entry[i]);
923	if (result) {
924	pr_warn("Skipping unknown architecture policy rule: %s\n",
925	rule);
926	memset(&arch_policy_entry[i], 0,
927	sizeof(*arch_policy_entry));
928	continue;
929	}
930	i++;
931	}
932	return i;
933	}
934
935	/**
936	* ima_init_policy - initialize the default measure rules.
937	*
938	* ima_rules points to either the ima_default_rules or the new ima_policy_rules.
939	*/
940	void __init ima_init_policy(void)
941	{
942	int build_appraise_entries, arch_entries;
943
944	/* if !ima_policy, we load NO default rules */
945	if (ima_policy)
946	add_rules(entries: dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
947	policy_rule: IMA_DEFAULT_POLICY);
948
949	switch (ima_policy) {
950	case ORIGINAL_TCB:
951	add_rules(entries: original_measurement_rules,
952	ARRAY_SIZE(original_measurement_rules),
953	policy_rule: IMA_DEFAULT_POLICY);
954	break;
955	case DEFAULT_TCB:
956	add_rules(entries: default_measurement_rules,
957	ARRAY_SIZE(default_measurement_rules),
958	policy_rule: IMA_DEFAULT_POLICY);
959	break;
960	default:
961	break;
962	}
963
964	/*
965	* Based on runtime secure boot flags, insert arch specific measurement
966	* and appraise rules requiring file signatures for both the initial
967	* and custom policies, prior to other appraise rules.
968	* (Highest priority)
969	*/
970	arch_entries = ima_init_arch_policy();
971	if (!arch_entries)
972	pr_info("No architecture policies found\n");
973	else
974	add_rules(entries: arch_policy_entry, count: arch_entries,
975	policy_rule: IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
976
977	/*
978	* Insert the builtin "secure_boot" policy rules requiring file
979	* signatures, prior to other appraise rules.
980	*/
981	if (ima_use_secure_boot)
982	add_rules(entries: secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
983	policy_rule: IMA_DEFAULT_POLICY);
984
985	/*
986	* Insert the build time appraise rules requiring file signatures
987	* for both the initial and custom policies, prior to other appraise
988	* rules. As the secure boot rules includes all of the build time
989	* rules, include either one or the other set of rules, but not both.
990	*/
991	build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
992	if (build_appraise_entries) {
993	if (ima_use_secure_boot)
994	add_rules(entries: build_appraise_rules, count: build_appraise_entries,
995	policy_rule: IMA_CUSTOM_POLICY);
996	else
997	add_rules(entries: build_appraise_rules, count: build_appraise_entries,
998	policy_rule: IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
999	}
1000
1001	if (ima_use_appraise_tcb)
1002	add_rules(entries: default_appraise_rules,
1003	ARRAY_SIZE(default_appraise_rules),
1004	policy_rule: IMA_DEFAULT_POLICY);
1005
1006	if (ima_use_critical_data)
1007	add_rules(entries: critical_data_rules,
1008	ARRAY_SIZE(critical_data_rules),
1009	policy_rule: IMA_DEFAULT_POLICY);
1010
1011	atomic_set(v: &ima_setxattr_allowed_hash_algorithms, i: 0);
1012
1013	ima_update_policy_flags();
1014	}
1015
1016	/* Make sure we have a valid policy, at least containing some rules. */
1017	int ima_check_policy(void)
1018	{
1019	if (list_empty(head: &ima_temp_rules))
1020	return -EINVAL;
1021	return 0;
1022	}
1023
1024	/**
1025	* ima_update_policy - update default_rules with new measure rules
1026	*
1027	* Called on file .release to update the default rules with a complete new
1028	* policy. What we do here is to splice ima_policy_rules and ima_temp_rules so
1029	* they make a queue. The policy may be updated multiple times and this is the
1030	* RCU updater.
1031	*
1032	* Policy rules are never deleted so ima_policy_flag gets zeroed only once when
1033	* we switch from the default policy to user defined.
1034	*/
1035	void ima_update_policy(void)
1036	{
1037	struct list_head *policy = &ima_policy_rules;
1038
1039	list_splice_tail_init_rcu(list: &ima_temp_rules, head: policy, sync: synchronize_rcu);
1040
1041	if (ima_rules != (struct list_head __rcu *)policy) {
1042	ima_policy_flag = 0;
1043
1044	rcu_assign_pointer(ima_rules, policy);
1045	/*
1046	* IMA architecture specific policy rules are specified
1047	* as strings and converted to an array of ima_entry_rules
1048	* on boot. After loading a custom policy, free the
1049	* architecture specific rules stored as an array.
1050	*/
1051	kfree(objp: arch_policy_entry);
1052	}
1053	ima_update_policy_flags();
1054
1055	/* Custom IMA policy has been loaded */
1056	ima_process_queued_keys();
1057	}
1058
1059	/* Keep the enumeration in sync with the policy_tokens! */
1060	enum policy_opt {
1061	Opt_measure, Opt_dont_measure,
1062	Opt_appraise, Opt_dont_appraise,
1063	Opt_audit, Opt_hash, Opt_dont_hash,
1064	Opt_obj_user, Opt_obj_role, Opt_obj_type,
1065	Opt_subj_user, Opt_subj_role, Opt_subj_type,
1066	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid,
1067	Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq,
1068	Opt_fowner_eq, Opt_fgroup_eq,
1069	Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt,
1070	Opt_fowner_gt, Opt_fgroup_gt,
1071	Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt,
1072	Opt_fowner_lt, Opt_fgroup_lt,
1073	Opt_digest_type,
1074	Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos,
1075	Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
1076	Opt_label, Opt_err
1077	};
1078
1079	static const match_table_t policy_tokens = {
1080	{Opt_measure, "measure"},
1081	{Opt_dont_measure, "dont_measure"},
1082	{Opt_appraise, "appraise"},
1083	{Opt_dont_appraise, "dont_appraise"},
1084	{Opt_audit, "audit"},
1085	{Opt_hash, "hash"},
1086	{Opt_dont_hash, "dont_hash"},
1087	{Opt_obj_user, "obj_user=%s"},
1088	{Opt_obj_role, "obj_role=%s"},
1089	{Opt_obj_type, "obj_type=%s"},
1090	{Opt_subj_user, "subj_user=%s"},
1091	{Opt_subj_role, "subj_role=%s"},
1092	{Opt_subj_type, "subj_type=%s"},
1093	{Opt_func, "func=%s"},
1094	{Opt_mask, "mask=%s"},
1095	{Opt_fsmagic, "fsmagic=%s"},
1096	{Opt_fsname, "fsname=%s"},
1097	{Opt_fsuuid, "fsuuid=%s"},
1098	{Opt_uid_eq, "uid=%s"},
1099	{Opt_euid_eq, "euid=%s"},
1100	{Opt_gid_eq, "gid=%s"},
1101	{Opt_egid_eq, "egid=%s"},
1102	{Opt_fowner_eq, "fowner=%s"},
1103	{Opt_fgroup_eq, "fgroup=%s"},
1104	{Opt_uid_gt, "uid>%s"},
1105	{Opt_euid_gt, "euid>%s"},
1106	{Opt_gid_gt, "gid>%s"},
1107	{Opt_egid_gt, "egid>%s"},
1108	{Opt_fowner_gt, "fowner>%s"},
1109	{Opt_fgroup_gt, "fgroup>%s"},
1110	{Opt_uid_lt, "uid<%s"},
1111	{Opt_euid_lt, "euid<%s"},
1112	{Opt_gid_lt, "gid<%s"},
1113	{Opt_egid_lt, "egid<%s"},
1114	{Opt_fowner_lt, "fowner<%s"},
1115	{Opt_fgroup_lt, "fgroup<%s"},
1116	{Opt_digest_type, "digest_type=%s"},
1117	{Opt_appraise_type, "appraise_type=%s"},
1118	{Opt_appraise_flag, "appraise_flag=%s"},
1119	{Opt_appraise_algos, "appraise_algos=%s"},
1120	{Opt_permit_directio, "permit_directio"},
1121	{Opt_pcr, "pcr=%s"},
1122	{Opt_template, "template=%s"},
1123	{Opt_keyrings, "keyrings=%s"},
1124	{Opt_label, "label=%s"},
1125	{Opt_err, NULL}
1126	};
1127
1128	static int ima_lsm_rule_init(struct ima_rule_entry *entry,
1129	substring_t *args, int lsm_rule, int audit_type)
1130	{
1131	int result;
1132
1133	if (entry->lsm[lsm_rule].rule)
1134	return -EINVAL;
1135
1136	entry->lsm[lsm_rule].args_p = match_strdup(args);
1137	if (!entry->lsm[lsm_rule].args_p)
1138	return -ENOMEM;
1139
1140	entry->lsm[lsm_rule].type = audit_type;
1141	result = ima_filter_rule_init(field: entry->lsm[lsm_rule].type, op: Audit_equal,
1142	rulestr: entry->lsm[lsm_rule].args_p,
1143	lsmrule: &entry->lsm[lsm_rule].rule);
1144	if (!entry->lsm[lsm_rule].rule) {
1145	pr_warn("rule for LSM \'%s\' is undefined\n",
1146	entry->lsm[lsm_rule].args_p);
1147
1148	if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) {
1149	kfree(objp: entry->lsm[lsm_rule].args_p);
1150	entry->lsm[lsm_rule].args_p = NULL;
1151	result = -EINVAL;
1152	} else
1153	result = 0;
1154	}
1155
1156	return result;
1157	}
1158
1159	static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
1160	enum policy_opt rule_operator)
1161	{
1162	if (!ab)
1163	return;
1164
1165	switch (rule_operator) {
1166	case Opt_uid_gt:
1167	case Opt_euid_gt:
1168	case Opt_gid_gt:
1169	case Opt_egid_gt:
1170	case Opt_fowner_gt:
1171	case Opt_fgroup_gt:
1172	audit_log_format(ab, fmt: "%s>", key);
1173	break;
1174	case Opt_uid_lt:
1175	case Opt_euid_lt:
1176	case Opt_gid_lt:
1177	case Opt_egid_lt:
1178	case Opt_fowner_lt:
1179	case Opt_fgroup_lt:
1180	audit_log_format(ab, fmt: "%s<", key);
1181	break;
1182	default:
1183	audit_log_format(ab, fmt: "%s=", key);
1184	}
1185	audit_log_format(ab, fmt: "%s ", value);
1186	}
1187	static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
1188	{
1189	ima_log_string_op(ab, key, value, rule_operator: Opt_err);
1190	}
1191
1192	/*
1193	* Validating the appended signature included in the measurement list requires
1194	* the file hash calculated without the appended signature (i.e., the 'd-modsig'
1195	* field). Therefore, notify the user if they have the 'modsig' field but not
1196	* the 'd-modsig' field in the template.
1197	*/
1198	static void check_template_modsig(const struct ima_template_desc *template)
1199	{
1200	#define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
1201	bool has_modsig, has_dmodsig;
1202	static bool checked;
1203	int i;
1204
1205	/* We only need to notify the user once. */
1206	if (checked)
1207	return;
1208
1209	has_modsig = has_dmodsig = false;
1210	for (i = 0; i < template->num_fields; i++) {
1211	if (!strcmp(template->fields[i]->field_id, "modsig"))
1212	has_modsig = true;
1213	else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
1214	has_dmodsig = true;
1215	}
1216
1217	if (has_modsig && !has_dmodsig)
1218	pr_notice(MSG);
1219
1220	checked = true;
1221	#undef MSG
1222	}
1223
1224	/*
1225	* Warn if the template does not contain the given field.
1226	*/
1227	static void check_template_field(const struct ima_template_desc *template,
1228	const char *field, const char *msg)
1229	{
1230	int i;
1231
1232	for (i = 0; i < template->num_fields; i++)
1233	if (!strcmp(template->fields[i]->field_id, field))
1234	return;
1235
1236	pr_notice_once("%s", msg);
1237	}
1238
1239	static bool ima_validate_rule(struct ima_rule_entry *entry)
1240	{
1241	/* Ensure that the action is set and is compatible with the flags */
1242	if (entry->action == UNKNOWN)
1243	return false;
1244
1245	if (entry->action != MEASURE && entry->flags & IMA_PCR)
1246	return false;
1247
1248	if (entry->action != APPRAISE &&
1249	entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED |
1250	IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
1251	return false;
1252
1253	/*
1254	* The IMA_FUNC bit must be set if and only if there's a valid hook
1255	* function specified, and vice versa. Enforcing this property allows
1256	* for the NONE case below to validate a rule without an explicit hook
1257	* function.
1258	*/
1259	if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
1260	(!(entry->flags & IMA_FUNC) && entry->func != NONE))
1261	return false;
1262
1263	/*
1264	* Ensure that the hook function is compatible with the other
1265	* components of the rule
1266	*/
1267	switch (entry->func) {
1268	case NONE:
1269	case FILE_CHECK:
1270	case MMAP_CHECK:
1271	case MMAP_CHECK_REQPROT:
1272	case BPRM_CHECK:
1273	case CREDS_CHECK:
1274	case POST_SETATTR:
1275	case FIRMWARE_CHECK:
1276	case POLICY_CHECK:
1277	if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1278	IMA_UID | IMA_FOWNER | IMA_FSUUID |
1279	IMA_INMASK | IMA_EUID | IMA_PCR |
1280	IMA_FSNAME | IMA_GID | IMA_EGID |
1281	IMA_FGROUP | IMA_DIGSIG_REQUIRED |
1282	IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
1283	IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
1284	return false;
1285
1286	break;
1287	case MODULE_CHECK:
1288	case KEXEC_KERNEL_CHECK:
1289	case KEXEC_INITRAMFS_CHECK:
1290	if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1291	IMA_UID | IMA_FOWNER | IMA_FSUUID |
1292	IMA_INMASK | IMA_EUID | IMA_PCR |
1293	IMA_FSNAME | IMA_GID | IMA_EGID |
1294	IMA_FGROUP | IMA_DIGSIG_REQUIRED |
1295	IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
1296	IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
1297	return false;
1298
1299	break;
1300	case KEXEC_CMDLINE:
1301	if (entry->action & ~(MEASURE | DONT_MEASURE))
1302	return false;
1303
1304	if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1305	IMA_FOWNER | IMA_FSUUID | IMA_EUID |
1306	IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID |
1307	IMA_FGROUP))
1308	return false;
1309
1310	break;
1311	case KEY_CHECK:
1312	if (entry->action & ~(MEASURE | DONT_MEASURE))
1313	return false;
1314
1315	if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR |
1316	IMA_KEYRINGS))
1317	return false;
1318
1319	if (ima_rule_contains_lsm_cond(entry))
1320	return false;
1321
1322	break;
1323	case CRITICAL_DATA:
1324	if (entry->action & ~(MEASURE | DONT_MEASURE))
1325	return false;
1326
1327	if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR |
1328	IMA_LABEL))
1329	return false;
1330
1331	if (ima_rule_contains_lsm_cond(entry))
1332	return false;
1333
1334	break;
1335	case SETXATTR_CHECK:
1336	/* any action other than APPRAISE is unsupported */
1337	if (entry->action != APPRAISE)
1338	return false;
1339
1340	/* SETXATTR_CHECK requires an appraise_algos parameter */
1341	if (!(entry->flags & IMA_VALIDATE_ALGOS))
1342	return false;
1343
1344	/*
1345	* full policies are not supported, they would have too
1346	* much of a performance impact
1347	*/
1348	if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS))
1349	return false;
1350
1351	break;
1352	default:
1353	return false;
1354	}
1355
1356	/* Ensure that combinations of flags are compatible with each other */
1357	if (entry->flags & IMA_CHECK_BLACKLIST &&
1358	!(entry->flags & IMA_DIGSIG_REQUIRED))
1359	return false;
1360
1361	/*
1362	* Unlike for regular IMA 'appraise' policy rules where security.ima
1363	* xattr may contain either a file hash or signature, the security.ima
1364	* xattr for fsverity must contain a file signature (sigv3). Ensure
1365	* that 'appraise' rules for fsverity require file signatures by
1366	* checking the IMA_DIGSIG_REQUIRED flag is set.
1367	*/
1368	if (entry->action == APPRAISE &&
1369	(entry->flags & IMA_VERITY_REQUIRED) &&
1370	!(entry->flags & IMA_DIGSIG_REQUIRED))
1371	return false;
1372
1373	return true;
1374	}
1375
1376	static unsigned int ima_parse_appraise_algos(char *arg)
1377	{
1378	unsigned int res = 0;
1379	int idx;
1380	char *token;
1381
1382	while ((token = strsep(&arg, ",")) != NULL) {
1383	idx = match_string(array: hash_algo_name, n: HASH_ALGO__LAST, string: token);
1384
1385	if (idx < 0) {
1386	pr_err("unknown hash algorithm \"%s\"",
1387	token);
1388	return 0;
1389	}
1390
1391	if (!crypto_has_alg(name: hash_algo_name[idx], type: 0, mask: 0)) {
1392	pr_err("unavailable hash algorithm \"%s\", check your kernel configuration",
1393	token);
1394	return 0;
1395	}
1396
1397	/* Add the hash algorithm to the 'allowed' bitfield */
1398	res |= (1U << idx);
1399	}
1400
1401	return res;
1402	}
1403
1404	static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1405	{
1406	struct audit_buffer *ab;
1407	char *from;
1408	char *p;
1409	bool eid_token; /* either euid or egid */
1410	struct ima_template_desc *template_desc;
1411	int result = 0;
1412
1413	ab = integrity_audit_log_start(ctx: audit_context(), GFP_KERNEL,
1414	AUDIT_INTEGRITY_POLICY_RULE);
1415
1416	entry->uid = INVALID_UID;
1417	entry->gid = INVALID_GID;
1418	entry->fowner = INVALID_UID;
1419	entry->fgroup = INVALID_GID;
1420	entry->uid_op = &uid_eq;
1421	entry->gid_op = &gid_eq;
1422	entry->fowner_op = &vfsuid_eq_kuid;
1423	entry->fgroup_op = &vfsgid_eq_kgid;
1424	entry->action = UNKNOWN;
1425	while ((p = strsep(&rule, " \t")) != NULL) {
1426	substring_t args[MAX_OPT_ARGS];
1427	int token;
1428	unsigned long lnum;
1429
1430	if (result < 0)
1431	break;
1432	if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
1433	continue;
1434	token = match_token(p, table: policy_tokens, args);
1435	switch (token) {
1436	case Opt_measure:
1437	ima_log_string(ab, key: "action", value: "measure");
1438
1439	if (entry->action != UNKNOWN)
1440	result = -EINVAL;
1441
1442	entry->action = MEASURE;
1443	break;
1444	case Opt_dont_measure:
1445	ima_log_string(ab, key: "action", value: "dont_measure");
1446
1447	if (entry->action != UNKNOWN)
1448	result = -EINVAL;
1449
1450	entry->action = DONT_MEASURE;
1451	break;
1452	case Opt_appraise:
1453	ima_log_string(ab, key: "action", value: "appraise");
1454
1455	if (entry->action != UNKNOWN)
1456	result = -EINVAL;
1457
1458	entry->action = APPRAISE;
1459	break;
1460	case Opt_dont_appraise:
1461	ima_log_string(ab, key: "action", value: "dont_appraise");
1462
1463	if (entry->action != UNKNOWN)
1464	result = -EINVAL;
1465
1466	entry->action = DONT_APPRAISE;
1467	break;
1468	case Opt_audit:
1469	ima_log_string(ab, key: "action", value: "audit");
1470
1471	if (entry->action != UNKNOWN)
1472	result = -EINVAL;
1473
1474	entry->action = AUDIT;
1475	break;
1476	case Opt_hash:
1477	ima_log_string(ab, key: "action", value: "hash");
1478
1479	if (entry->action != UNKNOWN)
1480	result = -EINVAL;
1481
1482	entry->action = HASH;
1483	break;
1484	case Opt_dont_hash:
1485	ima_log_string(ab, key: "action", value: "dont_hash");
1486
1487	if (entry->action != UNKNOWN)
1488	result = -EINVAL;
1489
1490	entry->action = DONT_HASH;
1491	break;
1492	case Opt_func:
1493	ima_log_string(ab, key: "func", value: args[0].from);
1494
1495	if (entry->func)
1496	result = -EINVAL;
1497
1498	if (strcmp(args[0].from, "FILE_CHECK") == 0)
1499	entry->func = FILE_CHECK;
1500	/* PATH_CHECK is for backwards compat */
1501	else if (strcmp(args[0].from, "PATH_CHECK") == 0)
1502	entry->func = FILE_CHECK;
1503	else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
1504	entry->func = MODULE_CHECK;
1505	else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
1506	entry->func = FIRMWARE_CHECK;
1507	else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
1508	|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
1509	entry->func = MMAP_CHECK;
1510	else if ((strcmp(args[0].from, "MMAP_CHECK_REQPROT") == 0))
1511	entry->func = MMAP_CHECK_REQPROT;
1512	else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
1513	entry->func = BPRM_CHECK;
1514	else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
1515	entry->func = CREDS_CHECK;
1516	else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
1517	0)
1518	entry->func = KEXEC_KERNEL_CHECK;
1519	else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
1520	== 0)
1521	entry->func = KEXEC_INITRAMFS_CHECK;
1522	else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
1523	entry->func = POLICY_CHECK;
1524	else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1525	entry->func = KEXEC_CMDLINE;
1526	else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
1527	strcmp(args[0].from, "KEY_CHECK") == 0)
1528	entry->func = KEY_CHECK;
1529	else if (strcmp(args[0].from, "CRITICAL_DATA") == 0)
1530	entry->func = CRITICAL_DATA;
1531	else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0)
1532	entry->func = SETXATTR_CHECK;
1533	else
1534	result = -EINVAL;
1535	if (!result)
1536	entry->flags |= IMA_FUNC;
1537	break;
1538	case Opt_mask:
1539	ima_log_string(ab, key: "mask", value: args[0].from);
1540
1541	if (entry->mask)
1542	result = -EINVAL;
1543
1544	from = args[0].from;
1545	if (*from == '^')
1546	from++;
1547
1548	if ((strcmp(from, "MAY_EXEC")) == 0)
1549	entry->mask = MAY_EXEC;
1550	else if (strcmp(from, "MAY_WRITE") == 0)
1551	entry->mask = MAY_WRITE;
1552	else if (strcmp(from, "MAY_READ") == 0)
1553	entry->mask = MAY_READ;
1554	else if (strcmp(from, "MAY_APPEND") == 0)
1555	entry->mask = MAY_APPEND;
1556	else
1557	result = -EINVAL;
1558	if (!result)
1559	entry->flags |= (*args[0].from == '^')
1560	? IMA_INMASK : IMA_MASK;
1561	break;
1562	case Opt_fsmagic:
1563	ima_log_string(ab, key: "fsmagic", value: args[0].from);
1564
1565	if (entry->fsmagic) {
1566	result = -EINVAL;
1567	break;
1568	}
1569
1570	result = kstrtoul(s: args[0].from, base: 16, res: &entry->fsmagic);
1571	if (!result)
1572	entry->flags |= IMA_FSMAGIC;
1573	break;
1574	case Opt_fsname:
1575	ima_log_string(ab, key: "fsname", value: args[0].from);
1576
1577	entry->fsname = kstrdup(s: args[0].from, GFP_KERNEL);
1578	if (!entry->fsname) {
1579	result = -ENOMEM;
1580	break;
1581	}
1582	result = 0;
1583	entry->flags |= IMA_FSNAME;
1584	break;
1585	case Opt_keyrings:
1586	ima_log_string(ab, key: "keyrings", value: args[0].from);
1587
1588	if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) ||
1589	entry->keyrings) {
1590	result = -EINVAL;
1591	break;
1592	}
1593
1594	entry->keyrings = ima_alloc_rule_opt_list(src: args);
1595	if (IS_ERR(ptr: entry->keyrings)) {
1596	result = PTR_ERR(ptr: entry->keyrings);
1597	entry->keyrings = NULL;
1598	break;
1599	}
1600
1601	entry->flags |= IMA_KEYRINGS;
1602	break;
1603	case Opt_label:
1604	ima_log_string(ab, key: "label", value: args[0].from);
1605
1606	if (entry->label) {
1607	result = -EINVAL;
1608	break;
1609	}
1610
1611	entry->label = ima_alloc_rule_opt_list(src: args);
1612	if (IS_ERR(ptr: entry->label)) {
1613	result = PTR_ERR(ptr: entry->label);
1614	entry->label = NULL;
1615	break;
1616	}
1617
1618	entry->flags |= IMA_LABEL;
1619	break;
1620	case Opt_fsuuid:
1621	ima_log_string(ab, key: "fsuuid", value: args[0].from);
1622
1623	if (!uuid_is_null(uuid: &entry->fsuuid)) {
1624	result = -EINVAL;
1625	break;
1626	}
1627
1628	result = uuid_parse(uuid: args[0].from, u: &entry->fsuuid);
1629	if (!result)
1630	entry->flags |= IMA_FSUUID;
1631	break;
1632	case Opt_uid_gt:
1633	case Opt_euid_gt:
1634	entry->uid_op = &uid_gt;
1635	fallthrough;
1636	case Opt_uid_lt:
1637	case Opt_euid_lt:
1638	if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1639	entry->uid_op = &uid_lt;
1640	fallthrough;
1641	case Opt_uid_eq:
1642	case Opt_euid_eq:
1643	eid_token = (token == Opt_euid_eq) ||
1644	(token == Opt_euid_gt) ||
1645	(token == Opt_euid_lt);
1646
1647	ima_log_string_op(ab, key: eid_token ? "euid" : "uid",
1648	value: args[0].from, rule_operator: token);
1649
1650	if (uid_valid(uid: entry->uid)) {
1651	result = -EINVAL;
1652	break;
1653	}
1654
1655	result = kstrtoul(s: args[0].from, base: 10, res: &lnum);
1656	if (!result) {
1657	entry->uid = make_kuid(current_user_ns(),
1658	uid: (uid_t) lnum);
1659	if (!uid_valid(uid: entry->uid) ||
1660	(uid_t)lnum != lnum)
1661	result = -EINVAL;
1662	else
1663	entry->flags |= eid_token
1664	? IMA_EUID : IMA_UID;
1665	}
1666	break;
1667	case Opt_gid_gt:
1668	case Opt_egid_gt:
1669	entry->gid_op = &gid_gt;
1670	fallthrough;
1671	case Opt_gid_lt:
1672	case Opt_egid_lt:
1673	if ((token == Opt_gid_lt) || (token == Opt_egid_lt))
1674	entry->gid_op = &gid_lt;
1675	fallthrough;
1676	case Opt_gid_eq:
1677	case Opt_egid_eq:
1678	eid_token = (token == Opt_egid_eq) ||
1679	(token == Opt_egid_gt) ||
1680	(token == Opt_egid_lt);
1681
1682	ima_log_string_op(ab, key: eid_token ? "egid" : "gid",
1683	value: args[0].from, rule_operator: token);
1684
1685	if (gid_valid(gid: entry->gid)) {
1686	result = -EINVAL;
1687	break;
1688	}
1689
1690	result = kstrtoul(s: args[0].from, base: 10, res: &lnum);
1691	if (!result) {
1692	entry->gid = make_kgid(current_user_ns(),
1693	gid: (gid_t)lnum);
1694	if (!gid_valid(gid: entry->gid) ||
1695	(((gid_t)lnum) != lnum))
1696	result = -EINVAL;
1697	else
1698	entry->flags |= eid_token
1699	? IMA_EGID : IMA_GID;
1700	}
1701	break;
1702	case Opt_fowner_gt:
1703	entry->fowner_op = &vfsuid_gt_kuid;
1704	fallthrough;
1705	case Opt_fowner_lt:
1706	if (token == Opt_fowner_lt)
1707	entry->fowner_op = &vfsuid_lt_kuid;
1708	fallthrough;
1709	case Opt_fowner_eq:
1710	ima_log_string_op(ab, key: "fowner", value: args[0].from, rule_operator: token);
1711
1712	if (uid_valid(uid: entry->fowner)) {
1713	result = -EINVAL;
1714	break;
1715	}
1716
1717	result = kstrtoul(s: args[0].from, base: 10, res: &lnum);
1718	if (!result) {
1719	entry->fowner = make_kuid(current_user_ns(),
1720	uid: (uid_t)lnum);
1721	if (!uid_valid(uid: entry->fowner) ||
1722	(((uid_t)lnum) != lnum))
1723	result = -EINVAL;
1724	else
1725	entry->flags |= IMA_FOWNER;
1726	}
1727	break;
1728	case Opt_fgroup_gt:
1729	entry->fgroup_op = &vfsgid_gt_kgid;
1730	fallthrough;
1731	case Opt_fgroup_lt:
1732	if (token == Opt_fgroup_lt)
1733	entry->fgroup_op = &vfsgid_lt_kgid;
1734	fallthrough;
1735	case Opt_fgroup_eq:
1736	ima_log_string_op(ab, key: "fgroup", value: args[0].from, rule_operator: token);
1737
1738	if (gid_valid(gid: entry->fgroup)) {
1739	result = -EINVAL;
1740	break;
1741	}
1742
1743	result = kstrtoul(s: args[0].from, base: 10, res: &lnum);
1744	if (!result) {
1745	entry->fgroup = make_kgid(current_user_ns(),
1746	gid: (gid_t)lnum);
1747	if (!gid_valid(gid: entry->fgroup) ||
1748	(((gid_t)lnum) != lnum))
1749	result = -EINVAL;
1750	else
1751	entry->flags |= IMA_FGROUP;
1752	}
1753	break;
1754	case Opt_obj_user:
1755	ima_log_string(ab, key: "obj_user", value: args[0].from);
1756	result = ima_lsm_rule_init(entry, args,
1757	lsm_rule: LSM_OBJ_USER,
1758	AUDIT_OBJ_USER);
1759	break;
1760	case Opt_obj_role:
1761	ima_log_string(ab, key: "obj_role", value: args[0].from);
1762	result = ima_lsm_rule_init(entry, args,
1763	lsm_rule: LSM_OBJ_ROLE,
1764	AUDIT_OBJ_ROLE);
1765	break;
1766	case Opt_obj_type:
1767	ima_log_string(ab, key: "obj_type", value: args[0].from);
1768	result = ima_lsm_rule_init(entry, args,
1769	lsm_rule: LSM_OBJ_TYPE,
1770	AUDIT_OBJ_TYPE);
1771	break;
1772	case Opt_subj_user:
1773	ima_log_string(ab, key: "subj_user", value: args[0].from);
1774	result = ima_lsm_rule_init(entry, args,
1775	lsm_rule: LSM_SUBJ_USER,
1776	AUDIT_SUBJ_USER);
1777	break;
1778	case Opt_subj_role:
1779	ima_log_string(ab, key: "subj_role", value: args[0].from);
1780	result = ima_lsm_rule_init(entry, args,
1781	lsm_rule: LSM_SUBJ_ROLE,
1782	AUDIT_SUBJ_ROLE);
1783	break;
1784	case Opt_subj_type:
1785	ima_log_string(ab, key: "subj_type", value: args[0].from);
1786	result = ima_lsm_rule_init(entry, args,
1787	lsm_rule: LSM_SUBJ_TYPE,
1788	AUDIT_SUBJ_TYPE);
1789	break;
1790	case Opt_digest_type:
1791	ima_log_string(ab, key: "digest_type", value: args[0].from);
1792	if (entry->flags & IMA_DIGSIG_REQUIRED)
1793	result = -EINVAL;
1794	else if ((strcmp(args[0].from, "verity")) == 0)
1795	entry->flags |= IMA_VERITY_REQUIRED;
1796	else
1797	result = -EINVAL;
1798	break;
1799	case Opt_appraise_type:
1800	ima_log_string(ab, key: "appraise_type", value: args[0].from);
1801
1802	if ((strcmp(args[0].from, "imasig")) == 0) {
1803	if (entry->flags & IMA_VERITY_REQUIRED)
1804	result = -EINVAL;
1805	else
1806	entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
1807	} else if (strcmp(args[0].from, "sigv3") == 0) {
1808	/* Only fsverity supports sigv3 for now */
1809	if (entry->flags & IMA_VERITY_REQUIRED)
1810	entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
1811	else
1812	result = -EINVAL;
1813	} else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1814	strcmp(args[0].from, "imasig|modsig") == 0) {
1815	if (entry->flags & IMA_VERITY_REQUIRED)
1816	result = -EINVAL;
1817	else
1818	entry->flags |= IMA_DIGSIG_REQUIRED |
1819	IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST;
1820	} else {
1821	result = -EINVAL;
1822	}
1823	break;
1824	case Opt_appraise_flag:
1825	ima_log_string(ab, key: "appraise_flag", value: args[0].from);
1826	break;
1827	case Opt_appraise_algos:
1828	ima_log_string(ab, key: "appraise_algos", value: args[0].from);
1829
1830	if (entry->allowed_algos) {
1831	result = -EINVAL;
1832	break;
1833	}
1834
1835	entry->allowed_algos =
1836	ima_parse_appraise_algos(arg: args[0].from);
1837	/* invalid or empty list of algorithms */
1838	if (!entry->allowed_algos) {
1839	result = -EINVAL;
1840	break;
1841	}
1842
1843	entry->flags |= IMA_VALIDATE_ALGOS;
1844
1845	break;
1846	case Opt_permit_directio:
1847	entry->flags |= IMA_PERMIT_DIRECTIO;
1848	break;
1849	case Opt_pcr:
1850	ima_log_string(ab, key: "pcr", value: args[0].from);
1851
1852	result = kstrtoint(s: args[0].from, base: 10, res: &entry->pcr);
1853	if (result || INVALID_PCR(entry->pcr))
1854	result = -EINVAL;
1855	else
1856	entry->flags |= IMA_PCR;
1857
1858	break;
1859	case Opt_template:
1860	ima_log_string(ab, key: "template", value: args[0].from);
1861	if (entry->action != MEASURE) {
1862	result = -EINVAL;
1863	break;
1864	}
1865	template_desc = lookup_template_desc(name: args[0].from);
1866	if (!template_desc || entry->template) {
1867	result = -EINVAL;
1868	break;
1869	}
1870
1871	/*
1872	* template_desc_init_fields() does nothing if
1873	* the template is already initialised, so
1874	* it's safe to do this unconditionally
1875	*/
1876	template_desc_init_fields(template_fmt: template_desc->fmt,
1877	fields: &(template_desc->fields),
1878	num_fields: &(template_desc->num_fields));
1879	entry->template = template_desc;
1880	break;
1881	case Opt_err:
1882	ima_log_string(ab, key: "UNKNOWN", value: p);
1883	result = -EINVAL;
1884	break;
1885	}
1886	}
1887	if (!result && !ima_validate_rule(entry))
1888	result = -EINVAL;
1889	else if (entry->action == APPRAISE)
1890	temp_ima_appraise |= ima_appraise_flag(func: entry->func);
1891
1892	if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1893	template_desc = entry->template ? entry->template :
1894	ima_template_desc_current();
1895	check_template_modsig(template: template_desc);
1896	}
1897
1898	/* d-ngv2 template field recommended for unsigned fs-verity digests */
1899	if (!result && entry->action == MEASURE &&
1900	entry->flags & IMA_VERITY_REQUIRED) {
1901	template_desc = entry->template ? entry->template :
1902	ima_template_desc_current();
1903	check_template_field(template: template_desc, field: "d-ngv2",
1904	msg: "verity rules should include d-ngv2");
1905	}
1906
1907	audit_log_format(ab, fmt: "res=%d", !result);
1908	audit_log_end(ab);
1909	return result;
1910	}
1911
1912	/**
1913	* ima_parse_add_rule - add a rule to ima_policy_rules
1914	* @rule: ima measurement policy rule
1915	*
1916	* Avoid locking by allowing just one writer at a time in ima_write_policy()
1917	* Returns the length of the rule parsed, an error code on failure
1918	*/
1919	ssize_t ima_parse_add_rule(char *rule)
1920	{
1921	static const char op[] = "update_policy";
1922	char *p;
1923	struct ima_rule_entry *entry;
1924	ssize_t result, len;
1925	int audit_info = 0;
1926
1927	p = strsep(&rule, "\n");
1928	len = strlen(p) + 1;
1929	p += strspn(p, " \t");
1930
1931	if (*p == '#' || *p == '\0')
1932	return len;
1933
1934	entry = kzalloc(size: sizeof(*entry), GFP_KERNEL);
1935	if (!entry) {
1936	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1937	NULL, op, cause: "-ENOMEM", result: -ENOMEM, info: audit_info);
1938	return -ENOMEM;
1939	}
1940
1941	INIT_LIST_HEAD(list: &entry->list);
1942
1943	result = ima_parse_rule(rule: p, entry);
1944	if (result) {
1945	ima_free_rule(entry);
1946	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1947	NULL, op, cause: "invalid-policy", result,
1948	info: audit_info);
1949	return result;
1950	}
1951
1952	list_add_tail(new: &entry->list, head: &ima_temp_rules);
1953
1954	return len;
1955	}
1956
1957	/**
1958	* ima_delete_rules() - called to cleanup invalid in-flight policy.
1959	*
1960	* We don't need locking as we operate on the temp list, which is
1961	* different from the active one. There is also only one user of
1962	* ima_delete_rules() at a time.
1963	*/
1964	void ima_delete_rules(void)
1965	{
1966	struct ima_rule_entry *entry, *tmp;
1967
1968	temp_ima_appraise = 0;
1969	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1970	list_del(entry: &entry->list);
1971	ima_free_rule(entry);
1972	}
1973	}
1974
1975	#define __ima_hook_stringify(func, str) (#func),
1976
1977	const char *const func_tokens[] = {
1978	__ima_hooks(__ima_hook_stringify)
1979	};
1980
1981	#ifdef CONFIG_IMA_READ_POLICY
1982	enum {
1983	mask_exec = 0, mask_write, mask_read, mask_append
1984	};
1985
1986	static const char *const mask_tokens[] = {
1987	"^MAY_EXEC",
1988	"^MAY_WRITE",
1989	"^MAY_READ",
1990	"^MAY_APPEND"
1991	};
1992
1993	void *ima_policy_start(struct seq_file *m, loff_t *pos)
1994	{
1995	loff_t l = *pos;
1996	struct ima_rule_entry *entry;
1997	struct list_head *ima_rules_tmp;
1998
1999	rcu_read_lock();
2000	ima_rules_tmp = rcu_dereference(ima_rules);
2001	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
2002	if (!l--) {
2003	rcu_read_unlock();
2004	return entry;
2005	}
2006	}
2007	rcu_read_unlock();
2008	return NULL;
2009	}
2010
2011	void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
2012	{
2013	struct ima_rule_entry *entry = v;
2014
2015	rcu_read_lock();
2016	entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
2017	rcu_read_unlock();
2018	(*pos)++;
2019
2020	return (&entry->list == &ima_default_rules ||
2021	&entry->list == &ima_policy_rules) ? NULL : entry;
2022	}
2023
2024	void ima_policy_stop(struct seq_file *m, void *v)
2025	{
2026	}
2027
2028	#define pt(token) policy_tokens[token].pattern
2029	#define mt(token) mask_tokens[token]
2030
2031	/*
2032	* policy_func_show - display the ima_hooks policy rule
2033	*/
2034	static void policy_func_show(struct seq_file *m, enum ima_hooks func)
2035	{
2036	if (func > 0 && func < MAX_CHECK)
2037	seq_printf(m, fmt: "func=%s ", func_tokens[func]);
2038	else
2039	seq_printf(m, fmt: "func=%d ", func);
2040	}
2041
2042	static void ima_show_rule_opt_list(struct seq_file *m,
2043	const struct ima_rule_opt_list *opt_list)
2044	{
2045	size_t i;
2046
2047	for (i = 0; i < opt_list->count; i++)
2048	seq_printf(m, fmt: "%s%s", i ? "|" : "", opt_list->items[i]);
2049	}
2050
2051	static void ima_policy_show_appraise_algos(struct seq_file *m,
2052	unsigned int allowed_hashes)
2053	{
2054	int idx, list_size = 0;
2055
2056	for (idx = 0; idx < HASH_ALGO__LAST; idx++) {
2057	if (!(allowed_hashes & (1U << idx)))
2058	continue;
2059
2060	/* only add commas if the list contains multiple entries */
2061	if (list_size++)
2062	seq_puts(m, s: ",");
2063
2064	seq_puts(m, s: hash_algo_name[idx]);
2065	}
2066	}
2067
2068	int ima_policy_show(struct seq_file *m, void *v)
2069	{
2070	struct ima_rule_entry *entry = v;
2071	int i;
2072	char tbuf[64] = {0,};
2073	int offset = 0;
2074
2075	rcu_read_lock();
2076
2077	/* Do not print rules with inactive LSM labels */
2078	for (i = 0; i < MAX_LSM_RULES; i++) {
2079	if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
2080	rcu_read_unlock();
2081	return 0;
2082	}
2083	}
2084
2085	if (entry->action & MEASURE)
2086	seq_puts(m, pt(Opt_measure));
2087	if (entry->action & DONT_MEASURE)
2088	seq_puts(m, pt(Opt_dont_measure));
2089	if (entry->action & APPRAISE)
2090	seq_puts(m, pt(Opt_appraise));
2091	if (entry->action & DONT_APPRAISE)
2092	seq_puts(m, pt(Opt_dont_appraise));
2093	if (entry->action & AUDIT)
2094	seq_puts(m, pt(Opt_audit));
2095	if (entry->action & HASH)
2096	seq_puts(m, pt(Opt_hash));
2097	if (entry->action & DONT_HASH)
2098	seq_puts(m, pt(Opt_dont_hash));
2099
2100	seq_puts(m, s: " ");
2101
2102	if (entry->flags & IMA_FUNC)
2103	policy_func_show(m, func: entry->func);
2104
2105	if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
2106	if (entry->flags & IMA_MASK)
2107	offset = 1;
2108	if (entry->mask & MAY_EXEC)
2109	seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
2110	if (entry->mask & MAY_WRITE)
2111	seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
2112	if (entry->mask & MAY_READ)
2113	seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
2114	if (entry->mask & MAY_APPEND)
2115	seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
2116	seq_puts(m, s: " ");
2117	}
2118
2119	if (entry->flags & IMA_FSMAGIC) {
2120	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "0x%lx", entry->fsmagic);
2121	seq_printf(m, pt(Opt_fsmagic), tbuf);
2122	seq_puts(m, s: " ");
2123	}
2124
2125	if (entry->flags & IMA_FSNAME) {
2126	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%s", entry->fsname);
2127	seq_printf(m, pt(Opt_fsname), tbuf);
2128	seq_puts(m, s: " ");
2129	}
2130
2131	if (entry->flags & IMA_KEYRINGS) {
2132	seq_puts(m, s: "keyrings=");
2133	ima_show_rule_opt_list(m, opt_list: entry->keyrings);
2134	seq_puts(m, s: " ");
2135	}
2136
2137	if (entry->flags & IMA_LABEL) {
2138	seq_puts(m, s: "label=");
2139	ima_show_rule_opt_list(m, opt_list: entry->label);
2140	seq_puts(m, s: " ");
2141	}
2142
2143	if (entry->flags & IMA_PCR) {
2144	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d", entry->pcr);
2145	seq_printf(m, pt(Opt_pcr), tbuf);
2146	seq_puts(m, s: " ");
2147	}
2148
2149	if (entry->flags & IMA_FSUUID) {
2150	seq_printf(m, fmt: "fsuuid=%pU", &entry->fsuuid);
2151	seq_puts(m, s: " ");
2152	}
2153
2154	if (entry->flags & IMA_UID) {
2155	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d", __kuid_val(uid: entry->uid));
2156	if (entry->uid_op == &uid_gt)
2157	seq_printf(m, pt(Opt_uid_gt), tbuf);
2158	else if (entry->uid_op == &uid_lt)
2159	seq_printf(m, pt(Opt_uid_lt), tbuf);
2160	else
2161	seq_printf(m, pt(Opt_uid_eq), tbuf);
2162	seq_puts(m, s: " ");
2163	}
2164
2165	if (entry->flags & IMA_EUID) {
2166	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d", __kuid_val(uid: entry->uid));
2167	if (entry->uid_op == &uid_gt)
2168	seq_printf(m, pt(Opt_euid_gt), tbuf);
2169	else if (entry->uid_op == &uid_lt)
2170	seq_printf(m, pt(Opt_euid_lt), tbuf);
2171	else
2172	seq_printf(m, pt(Opt_euid_eq), tbuf);
2173	seq_puts(m, s: " ");
2174	}
2175
2176	if (entry->flags & IMA_GID) {
2177	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d", __kgid_val(gid: entry->gid));
2178	if (entry->gid_op == &gid_gt)
2179	seq_printf(m, pt(Opt_gid_gt), tbuf);
2180	else if (entry->gid_op == &gid_lt)
2181	seq_printf(m, pt(Opt_gid_lt), tbuf);
2182	else
2183	seq_printf(m, pt(Opt_gid_eq), tbuf);
2184	seq_puts(m, s: " ");
2185	}
2186
2187	if (entry->flags & IMA_EGID) {
2188	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d", __kgid_val(gid: entry->gid));
2189	if (entry->gid_op == &gid_gt)
2190	seq_printf(m, pt(Opt_egid_gt), tbuf);
2191	else if (entry->gid_op == &gid_lt)
2192	seq_printf(m, pt(Opt_egid_lt), tbuf);
2193	else
2194	seq_printf(m, pt(Opt_egid_eq), tbuf);
2195	seq_puts(m, s: " ");
2196	}
2197
2198	if (entry->flags & IMA_FOWNER) {
2199	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d", __kuid_val(uid: entry->fowner));
2200	if (entry->fowner_op == &vfsuid_gt_kuid)
2201	seq_printf(m, pt(Opt_fowner_gt), tbuf);
2202	else if (entry->fowner_op == &vfsuid_lt_kuid)
2203	seq_printf(m, pt(Opt_fowner_lt), tbuf);
2204	else
2205	seq_printf(m, pt(Opt_fowner_eq), tbuf);
2206	seq_puts(m, s: " ");
2207	}
2208
2209	if (entry->flags & IMA_FGROUP) {
2210	snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d", __kgid_val(gid: entry->fgroup));
2211	if (entry->fgroup_op == &vfsgid_gt_kgid)
2212	seq_printf(m, pt(Opt_fgroup_gt), tbuf);
2213	else if (entry->fgroup_op == &vfsgid_lt_kgid)
2214	seq_printf(m, pt(Opt_fgroup_lt), tbuf);
2215	else
2216	seq_printf(m, pt(Opt_fgroup_eq), tbuf);
2217	seq_puts(m, s: " ");
2218	}
2219
2220	if (entry->flags & IMA_VALIDATE_ALGOS) {
2221	seq_puts(m, s: "appraise_algos=");
2222	ima_policy_show_appraise_algos(m, allowed_hashes: entry->allowed_algos);
2223	seq_puts(m, s: " ");
2224	}
2225
2226	for (i = 0; i < MAX_LSM_RULES; i++) {
2227	if (entry->lsm[i].rule) {
2228	switch (i) {
2229	case LSM_OBJ_USER:
2230	seq_printf(m, pt(Opt_obj_user),
2231	entry->lsm[i].args_p);
2232	break;
2233	case LSM_OBJ_ROLE:
2234	seq_printf(m, pt(Opt_obj_role),
2235	entry->lsm[i].args_p);
2236	break;
2237	case LSM_OBJ_TYPE:
2238	seq_printf(m, pt(Opt_obj_type),
2239	entry->lsm[i].args_p);
2240	break;
2241	case LSM_SUBJ_USER:
2242	seq_printf(m, pt(Opt_subj_user),
2243	entry->lsm[i].args_p);
2244	break;
2245	case LSM_SUBJ_ROLE:
2246	seq_printf(m, pt(Opt_subj_role),
2247	entry->lsm[i].args_p);
2248	break;
2249	case LSM_SUBJ_TYPE:
2250	seq_printf(m, pt(Opt_subj_type),
2251	entry->lsm[i].args_p);
2252	break;
2253	}
2254	seq_puts(m, s: " ");
2255	}
2256	}
2257	if (entry->template)
2258	seq_printf(m, fmt: "template=%s ", entry->template->name);
2259	if (entry->flags & IMA_DIGSIG_REQUIRED) {
2260	if (entry->flags & IMA_VERITY_REQUIRED)
2261	seq_puts(m, s: "appraise_type=sigv3 ");
2262	else if (entry->flags & IMA_MODSIG_ALLOWED)
2263	seq_puts(m, s: "appraise_type=imasig|modsig ");
2264	else
2265	seq_puts(m, s: "appraise_type=imasig ");
2266	}
2267	if (entry->flags & IMA_VERITY_REQUIRED)
2268	seq_puts(m, s: "digest_type=verity ");
2269	if (entry->flags & IMA_PERMIT_DIRECTIO)
2270	seq_puts(m, s: "permit_directio ");
2271	rcu_read_unlock();
2272	seq_puts(m, s: "\n");
2273	return 0;
2274	}
2275	#endif /* CONFIG_IMA_READ_POLICY */
2276
2277	#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
2278	/*
2279	* ima_appraise_signature: whether IMA will appraise a given function using
2280	* an IMA digital signature. This is restricted to cases where the kernel
2281	* has a set of built-in trusted keys in order to avoid an attacker simply
2282	* loading additional keys.
2283	*/
2284	bool ima_appraise_signature(enum kernel_read_file_id id)
2285	{
2286	struct ima_rule_entry *entry;
2287	bool found = false;
2288	enum ima_hooks func;
2289	struct list_head *ima_rules_tmp;
2290
2291	if (id >= READING_MAX_ID)
2292	return false;
2293
2294	if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
2295	&& security_locked_down(what: LOCKDOWN_KEXEC))
2296	return false;
2297
2298	func = read_idmap[id] ?: FILE_CHECK;
2299
2300	rcu_read_lock();
2301	ima_rules_tmp = rcu_dereference(ima_rules);
2302	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
2303	if (entry->action != APPRAISE)
2304	continue;
2305
2306	/*
2307	* A generic entry will match, but otherwise require that it
2308	* match the func we're looking for
2309	*/
2310	if (entry->func && entry->func != func)
2311	continue;
2312
2313	/*
2314	* We require this to be a digital signature, not a raw IMA
2315	* hash.
2316	*/
2317	if (entry->flags & IMA_DIGSIG_REQUIRED)
2318	found = true;
2319
2320	/*
2321	* We've found a rule that matches, so break now even if it
2322	* didn't require a digital signature - a later rule that does
2323	* won't override it, so would be a false positive.
2324	*/
2325	break;
2326	}
2327
2328	rcu_read_unlock();
2329	return found;
2330	}
2331	#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
2332