
Lines Matching full:entry

326 static void ima_lsm_free_rule(struct ima_rule_entry *entry)  in ima_lsm_free_rule()  argument
331 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_free_rule()
332 kfree(entry->lsm[i].args_p); in ima_lsm_free_rule()
336 static void ima_free_rule(struct ima_rule_entry *entry) in ima_free_rule() argument
338 if (!entry) in ima_free_rule()
342 * entry->template->fields may be allocated in ima_parse_rule() but that in ima_free_rule()
346 kfree(entry->fsname); in ima_free_rule()
347 ima_free_rule_opt_list(entry->keyrings); in ima_free_rule()
348 ima_lsm_free_rule(entry); in ima_free_rule()
349 kfree(entry); in ima_free_rule()
352 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) in ima_lsm_copy_rule() argument
361 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); in ima_lsm_copy_rule()
368 if (!entry->lsm[i].args_p) in ima_lsm_copy_rule()
371 nentry->lsm[i].type = entry->lsm[i].type; in ima_lsm_copy_rule()
372 nentry->lsm[i].args_p = entry->lsm[i].args_p; in ima_lsm_copy_rule()
384 static int ima_lsm_update_rule(struct ima_rule_entry *entry) in ima_lsm_update_rule() argument
389 nentry = ima_lsm_copy_rule(entry); in ima_lsm_update_rule()
393 list_replace_rcu(&entry->list, &nentry->list); in ima_lsm_update_rule()
397 * LSM references, from entry to nentry so we only want to free the LSM in ima_lsm_update_rule()
398 * references and the entry itself. All other memory refrences will now in ima_lsm_update_rule()
402 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_update_rule()
403 kfree(entry); in ima_lsm_update_rule()
408 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) in ima_rule_contains_lsm_cond() argument
413 if (entry->lsm[i].args_p) in ima_rule_contains_lsm_cond()
426 struct ima_rule_entry *entry, *e; in ima_lsm_update_rules() local
429 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { in ima_lsm_update_rules()
430 if (!ima_rule_contains_lsm_cond(entry)) in ima_lsm_update_rules()
433 result = ima_lsm_update_rule(entry); in ima_lsm_update_rules()
648 struct ima_rule_entry *entry; in ima_match_policy() local
655 list_for_each_entry_rcu(entry, ima_rules, list) { in ima_match_policy()
657 if (!(entry->action & actmask)) in ima_match_policy()
660 if (!ima_match_rules(entry, inode, cred, secid, func, mask, in ima_match_policy()
664 action |= entry->flags & IMA_ACTION_FLAGS; in ima_match_policy()
666 action |= entry->action & IMA_DO_MASK; in ima_match_policy()
667 if (entry->action & IMA_APPRAISE) { in ima_match_policy()
668 action |= get_subaction(entry, func); in ima_match_policy()
675 if (entry->action & IMA_DO_MASK) in ima_match_policy()
676 actmask &= ~(entry->action | entry->action << 1); in ima_match_policy()
678 actmask &= ~(entry->action | entry->action >> 1); in ima_match_policy()
680 if ((pcr) && (entry->flags & IMA_PCR)) in ima_match_policy()
681 *pcr = entry->pcr; in ima_match_policy()
683 if (template_desc && entry->template) in ima_match_policy()
684 *template_desc = entry->template; in ima_match_policy()
702 struct ima_rule_entry *entry; in ima_update_policy_flag() local
704 list_for_each_entry(entry, ima_rules, list) { in ima_update_policy_flag()
705 if (entry->action & IMA_DO_MASK) in ima_update_policy_flag()
706 ima_policy_flag |= entry->action; in ima_update_policy_flag()
733 struct ima_rule_entry *entry; in add_rules() local
739 entry = kmemdup(&entries[i], sizeof(*entry), in add_rules()
741 if (!entry) in add_rules()
744 list_add_tail(&entry->list, &ima_policy_rules); in add_rules()
757 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
971 static int ima_lsm_rule_init(struct ima_rule_entry *entry, in ima_lsm_rule_init() argument
976 if (entry->lsm[lsm_rule].rule) in ima_lsm_rule_init()
979 entry->lsm[lsm_rule].args_p = match_strdup(args); in ima_lsm_rule_init()
980 if (!entry->lsm[lsm_rule].args_p) in ima_lsm_rule_init()
983 entry->lsm[lsm_rule].type = audit_type; in ima_lsm_rule_init()
984 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, in ima_lsm_rule_init()
985 entry->lsm[lsm_rule].args_p, in ima_lsm_rule_init()
986 &entry->lsm[lsm_rule].rule); in ima_lsm_rule_init()
987 if (!entry->lsm[lsm_rule].rule) { in ima_lsm_rule_init()
989 entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
992 kfree(entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
993 entry->lsm[lsm_rule].args_p = NULL; in ima_lsm_rule_init()
1053 static bool ima_validate_rule(struct ima_rule_entry *entry) in ima_validate_rule() argument
1056 if (entry->action == UNKNOWN) in ima_validate_rule()
1059 if (entry->action != MEASURE && entry->flags & IMA_PCR) in ima_validate_rule()
1062 if (entry->action != APPRAISE && in ima_validate_rule()
1063 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)) in ima_validate_rule()
1072 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || in ima_validate_rule()
1073 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) in ima_validate_rule()
1080 switch (entry->func) { in ima_validate_rule()
1089 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1100 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1110 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1113 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | in ima_validate_rule()
1120 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1123 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | in ima_validate_rule()
1127 if (ima_rule_contains_lsm_cond(entry)) in ima_validate_rule()
1136 if (entry->flags & IMA_CHECK_BLACKLIST && in ima_validate_rule()
1137 !(entry->flags & IMA_MODSIG_ALLOWED)) in ima_validate_rule()
1143 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) in ima_parse_rule() argument
1155 entry->uid = INVALID_UID; in ima_parse_rule()
1156 entry->fowner = INVALID_UID; in ima_parse_rule()
1157 entry->uid_op = &uid_eq; in ima_parse_rule()
1158 entry->fowner_op = &uid_eq; in ima_parse_rule()
1159 entry->action = UNKNOWN; in ima_parse_rule()
1174 if (entry->action != UNKNOWN) in ima_parse_rule()
1177 entry->action = MEASURE; in ima_parse_rule()
1182 if (entry->action != UNKNOWN) in ima_parse_rule()
1185 entry->action = DONT_MEASURE; in ima_parse_rule()
1190 if (entry->action != UNKNOWN) in ima_parse_rule()
1193 entry->action = APPRAISE; in ima_parse_rule()
1198 if (entry->action != UNKNOWN) in ima_parse_rule()
1201 entry->action = DONT_APPRAISE; in ima_parse_rule()
1206 if (entry->action != UNKNOWN) in ima_parse_rule()
1209 entry->action = AUDIT; in ima_parse_rule()
1214 if (entry->action != UNKNOWN) in ima_parse_rule()
1217 entry->action = HASH; in ima_parse_rule()
1222 if (entry->action != UNKNOWN) in ima_parse_rule()
1225 entry->action = DONT_HASH; in ima_parse_rule()
1230 if (entry->func) in ima_parse_rule()
1234 entry->func = FILE_CHECK; in ima_parse_rule()
1237 entry->func = FILE_CHECK; in ima_parse_rule()
1239 entry->func = MODULE_CHECK; in ima_parse_rule()
1241 entry->func = FIRMWARE_CHECK; in ima_parse_rule()
1244 entry->func = MMAP_CHECK; in ima_parse_rule()
1246 entry->func = BPRM_CHECK; in ima_parse_rule()
1248 entry->func = CREDS_CHECK; in ima_parse_rule()
1251 entry->func = KEXEC_KERNEL_CHECK; in ima_parse_rule()
1254 entry->func = KEXEC_INITRAMFS_CHECK; in ima_parse_rule()
1256 entry->func = POLICY_CHECK; in ima_parse_rule()
1258 entry->func = KEXEC_CMDLINE; in ima_parse_rule()
1261 entry->func = KEY_CHECK; in ima_parse_rule()
1265 entry->flags |= IMA_FUNC; in ima_parse_rule()
1270 if (entry->mask) in ima_parse_rule()
1278 entry->mask = MAY_EXEC; in ima_parse_rule()
1280 entry->mask = MAY_WRITE; in ima_parse_rule()
1282 entry->mask = MAY_READ; in ima_parse_rule()
1284 entry->mask = MAY_APPEND; in ima_parse_rule()
1288 entry->flags |= (*args[0].from == '^') in ima_parse_rule()
1294 if (entry->fsmagic) { in ima_parse_rule()
1299 result = kstrtoul(args[0].from, 16, &entry->fsmagic); in ima_parse_rule()
1301 entry->flags |= IMA_FSMAGIC; in ima_parse_rule()
1306 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); in ima_parse_rule()
1307 if (!entry->fsname) { in ima_parse_rule()
1312 entry->flags |= IMA_FSNAME; in ima_parse_rule()
1318 entry->keyrings) { in ima_parse_rule()
1323 entry->keyrings = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1324 if (IS_ERR(entry->keyrings)) { in ima_parse_rule()
1325 result = PTR_ERR(entry->keyrings); in ima_parse_rule()
1326 entry->keyrings = NULL; in ima_parse_rule()
1330 entry->flags |= IMA_KEYRINGS; in ima_parse_rule()
1335 if (!uuid_is_null(&entry->fsuuid)) { in ima_parse_rule()
1340 result = uuid_parse(args[0].from, &entry->fsuuid); in ima_parse_rule()
1342 entry->flags |= IMA_FSUUID; in ima_parse_rule()
1346 entry->uid_op = &uid_gt; in ima_parse_rule()
1351 entry->uid_op = &uid_lt; in ima_parse_rule()
1360 args[0].from, entry->uid_op); in ima_parse_rule()
1362 if (uid_valid(entry->uid)) { in ima_parse_rule()
1369 entry->uid = make_kuid(current_user_ns(), in ima_parse_rule()
1371 if (!uid_valid(entry->uid) || in ima_parse_rule()
1375 entry->flags |= uid_token in ima_parse_rule()
1380 entry->fowner_op = &uid_gt; in ima_parse_rule()
1384 entry->fowner_op = &uid_lt; in ima_parse_rule()
1388 entry->fowner_op); in ima_parse_rule()
1390 if (uid_valid(entry->fowner)) { in ima_parse_rule()
1397 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); in ima_parse_rule()
1398 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) in ima_parse_rule()
1401 entry->flags |= IMA_FOWNER; in ima_parse_rule()
1406 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1412 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1418 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1424 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1430 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1436 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1443 entry->flags |= IMA_DIGSIG_REQUIRED; in ima_parse_rule()
1446 entry->flags |= IMA_DIGSIG_REQUIRED | in ima_parse_rule()
1455 entry->flags |= IMA_CHECK_BLACKLIST; in ima_parse_rule()
1460 entry->flags |= IMA_PERMIT_DIRECTIO; in ima_parse_rule()
1465 result = kstrtoint(args[0].from, 10, &entry->pcr); in ima_parse_rule()
1466 if (result || INVALID_PCR(entry->pcr)) in ima_parse_rule()
1469 entry->flags |= IMA_PCR; in ima_parse_rule()
1474 if (entry->action != MEASURE) { in ima_parse_rule()
1479 if (!template_desc || entry->template) { in ima_parse_rule()
1492 entry->template = template_desc; in ima_parse_rule()
1500 if (!result && !ima_validate_rule(entry)) in ima_parse_rule()
1502 else if (entry->action == APPRAISE) in ima_parse_rule()
1503 temp_ima_appraise |= ima_appraise_flag(entry->func); in ima_parse_rule()
1505 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { in ima_parse_rule()
1506 template_desc = entry->template ? entry->template : in ima_parse_rule()
1527 struct ima_rule_entry *entry; in ima_parse_add_rule() local
1538 entry = kzalloc(sizeof(*entry), GFP_KERNEL); in ima_parse_add_rule()
1539 if (!entry) { in ima_parse_add_rule()
1545 INIT_LIST_HEAD(&entry->list); in ima_parse_add_rule()
1547 result = ima_parse_rule(p, entry); in ima_parse_add_rule()
1549 ima_free_rule(entry); in ima_parse_add_rule()
1556 list_add_tail(&entry->list, &ima_temp_rules); in ima_parse_add_rule()
1569 struct ima_rule_entry *entry, *tmp; in ima_delete_rules() local
1572 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { in ima_delete_rules()
1573 list_del(&entry->list); in ima_delete_rules()
1574 ima_free_rule(entry); in ima_delete_rules()
1599 struct ima_rule_entry *entry; in ima_policy_start() local
1602 list_for_each_entry_rcu(entry, ima_rules, list) { in ima_policy_start()
1605 return entry; in ima_policy_start()
1614 struct ima_rule_entry *entry = v; in ima_policy_next() local
1617 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); in ima_policy_next()
1621 return (&entry->list == ima_rules) ? NULL : entry; in ima_policy_next()
1653 struct ima_rule_entry *entry = v; in ima_policy_show() local
1662 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { in ima_policy_show()
1668 if (entry->action & MEASURE) in ima_policy_show()
1670 if (entry->action & DONT_MEASURE) in ima_policy_show()
1672 if (entry->action & APPRAISE) in ima_policy_show()
1674 if (entry->action & DONT_APPRAISE) in ima_policy_show()
1676 if (entry->action & AUDIT) in ima_policy_show()
1678 if (entry->action & HASH) in ima_policy_show()
1680 if (entry->action & DONT_HASH) in ima_policy_show()
1685 if (entry->flags & IMA_FUNC) in ima_policy_show()
1686 policy_func_show(m, entry->func); in ima_policy_show()
1688 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { in ima_policy_show()
1689 if (entry->flags & IMA_MASK) in ima_policy_show()
1691 if (entry->mask & MAY_EXEC) in ima_policy_show()
1693 if (entry->mask & MAY_WRITE) in ima_policy_show()
1695 if (entry->mask & MAY_READ) in ima_policy_show()
1697 if (entry->mask & MAY_APPEND) in ima_policy_show()
1702 if (entry->flags & IMA_FSMAGIC) { in ima_policy_show()
1703 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); in ima_policy_show()
1708 if (entry->flags & IMA_FSNAME) { in ima_policy_show()
1709 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); in ima_policy_show()
1714 if (entry->flags & IMA_KEYRINGS) { in ima_policy_show()
1716 ima_show_rule_opt_list(m, entry->keyrings); in ima_policy_show()
1720 if (entry->flags & IMA_PCR) { in ima_policy_show()
1721 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); in ima_policy_show()
1726 if (entry->flags & IMA_FSUUID) { in ima_policy_show()
1727 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); in ima_policy_show()
1731 if (entry->flags & IMA_UID) { in ima_policy_show()
1732 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
1733 if (entry->uid_op == &uid_gt) in ima_policy_show()
1735 else if (entry->uid_op == &uid_lt) in ima_policy_show()
1742 if (entry->flags & IMA_EUID) { in ima_policy_show()
1743 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
1744 if (entry->uid_op == &uid_gt) in ima_policy_show()
1746 else if (entry->uid_op == &uid_lt) in ima_policy_show()
1753 if (entry->flags & IMA_FOWNER) { in ima_policy_show()
1754 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); in ima_policy_show()
1755 if (entry->fowner_op == &uid_gt) in ima_policy_show()
1757 else if (entry->fowner_op == &uid_lt) in ima_policy_show()
1765 if (entry->lsm[i].rule) { in ima_policy_show()
1769 entry->lsm[i].args_p); in ima_policy_show()
1773 entry->lsm[i].args_p); in ima_policy_show()
1777 entry->lsm[i].args_p); in ima_policy_show()
1781 entry->lsm[i].args_p); in ima_policy_show()
1785 entry->lsm[i].args_p); in ima_policy_show()
1789 entry->lsm[i].args_p); in ima_policy_show()
1795 if (entry->template) in ima_policy_show()
1796 seq_printf(m, "template=%s ", entry->template->name); in ima_policy_show()
1797 if (entry->flags & IMA_DIGSIG_REQUIRED) { in ima_policy_show()
1798 if (entry->flags & IMA_MODSIG_ALLOWED) in ima_policy_show()
1803 if (entry->flags & IMA_CHECK_BLACKLIST) in ima_policy_show()
1805 if (entry->flags & IMA_PERMIT_DIRECTIO) in ima_policy_show()
1822 struct ima_rule_entry *entry; in ima_appraise_signature() local
1836 list_for_each_entry_rcu(entry, ima_rules, list) { in ima_appraise_signature()
1837 if (entry->action != APPRAISE) in ima_appraise_signature()
1841 * A generic entry will match, but otherwise require that it in ima_appraise_signature()
1844 if (entry->func && entry->func != func) in ima_appraise_signature()
1851 if (entry->flags & IMA_DIGSIG_REQUIRED) in ima_appraise_signature()