
Lines Matching full:rule

82 		void *rule;	/* LSM file metadata specific */  member
97 * The minimum rule set to allow for full TCB coverage. Measures all files
331 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_free_rule()
382 &nentry->lsm[i].rule); in ima_lsm_copy_rule()
383 if (!nentry->lsm[i].rule) in ima_lsm_copy_rule()
384 pr_warn("rule for LSM \'%s\' is undefined\n", in ima_lsm_copy_rule()
439 pr_err("lsm rule update error %d\n", result); in ima_lsm_update_rules()
456 * ima_match_keyring - determine whether the keyring matches the measure rule
457 * @rule: a pointer to a rule
458 * @keyring: name of the keyring to match against the measure rule
461 * Returns true if keyring matches one in the rule, false otherwise.
463 static bool ima_match_keyring(struct ima_rule_entry *rule, in ima_match_keyring() argument
469 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) in ima_match_keyring()
472 if (!rule->keyrings) in ima_match_keyring()
478 for (i = 0; i < rule->keyrings->count; i++) { in ima_match_keyring()
479 if (!strcmp(rule->keyrings->items[i], keyring)) { in ima_match_keyring()
489 * ima_match_rules - determine whether an inode matches the policy rule.
490 * @rule: a pointer to a rule
498 * Returns true on rule match, false on failure.
500 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, in ima_match_rules() argument
508 return (rule->flags & IMA_FUNC) && (rule->func == func) && in ima_match_rules()
509 ima_match_keyring(rule, keyring, cred); in ima_match_rules()
511 if ((rule->flags & IMA_FUNC) && in ima_match_rules()
512 (rule->func != func && func != POST_SETATTR)) in ima_match_rules()
514 if ((rule->flags & IMA_MASK) && in ima_match_rules()
515 (rule->mask != mask && func != POST_SETATTR)) in ima_match_rules()
517 if ((rule->flags & IMA_INMASK) && in ima_match_rules()
518 (!(rule->mask & mask) && func != POST_SETATTR)) in ima_match_rules()
520 if ((rule->flags & IMA_FSMAGIC) in ima_match_rules()
521 && rule->fsmagic != inode->i_sb->s_magic) in ima_match_rules()
523 if ((rule->flags & IMA_FSNAME) in ima_match_rules()
524 && strcmp(rule->fsname, inode->i_sb->s_type->name)) in ima_match_rules()
526 if ((rule->flags & IMA_FSUUID) && in ima_match_rules()
527 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) in ima_match_rules()
529 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rules()
531 if (rule->flags & IMA_EUID) { in ima_match_rules()
533 if (!rule->uid_op(cred->euid, rule->uid) in ima_match_rules()
534 && !rule->uid_op(cred->suid, rule->uid) in ima_match_rules()
535 && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rules()
537 } else if (!rule->uid_op(cred->euid, rule->uid)) in ima_match_rules()
541 if ((rule->flags & IMA_FOWNER) && in ima_match_rules()
542 !rule->fowner_op(inode->i_uid, rule->fowner)) in ima_match_rules()
548 if (!rule->lsm[i].rule) { in ima_match_rules()
549 if (!rule->lsm[i].args_p) in ima_match_rules()
559 rc = ima_filter_rule_match(osid, rule->lsm[i].type, in ima_match_rules()
561 rule->lsm[i].rule); in ima_match_rules()
566 rc = ima_filter_rule_match(secid, rule->lsm[i].type, in ima_match_rules()
568 rule->lsm[i].rule); in ima_match_rules()
582 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) in get_subaction() argument
584 if (!(rule->flags & IMA_FUNC)) in get_subaction()
612 * @template_desc: the template that should be used for this rule
737 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
761 char rule[255]; in ima_init_arch_policy() local
764 result = strlcpy(rule, *rules, sizeof(rule)); in ima_init_arch_policy()
767 result = ima_parse_rule(rule, &arch_policy_entry[i]); in ima_init_arch_policy()
769 pr_warn("Skipping unknown architecture policy rule: %s\n", in ima_init_arch_policy()
770 rule); in ima_init_arch_policy()
955 if (entry->lsm[lsm_rule].rule) in ima_lsm_rule_init()
965 &entry->lsm[lsm_rule].rule); in ima_lsm_rule_init()
966 if (!entry->lsm[lsm_rule].rule) { in ima_lsm_rule_init()
967 pr_warn("rule for LSM \'%s\' is undefined\n", in ima_lsm_rule_init()
1048 * for the NONE case below to validate a rule without an explicit hook in ima_validate_rule()
1057 * components of the rule in ima_validate_rule()
1122 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) in ima_parse_rule() argument
1139 while ((p = strsep(&rule, " \t")) != NULL) { in ima_parse_rule()
1496 * ima_parse_add_rule - add a rule to ima_policy_rules
1497 * @rule - ima measurement policy rule
1500 * Returns the length of the rule parsed, an error code on failure
1502 ssize_t ima_parse_add_rule(char *rule) in ima_parse_add_rule() argument
1510 p = strsep(&rule, "\n"); in ima_parse_add_rule()
1611 * policy_func_show - display the ima_hooks policy rule
1736 if (entry->lsm[i].rule) { in ima_policy_show()
1826 * We've found a rule that matches, so break now even if it in ima_appraise_signature()
1827 * didn't require a digital signature - a later rule that does in ima_appraise_signature()