1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2008 IBM Corporation
4 * Author: Mimi Zohar <zohar@us.ibm.com>
5 *
6 * ima_policy.c
7 * - initialize default measure policy rules
8 */
9
10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/fs.h>
15 #include <linux/security.h>
16 #include <linux/magic.h>
17 #include <linux/parser.h>
18 #include <linux/slab.h>
19 #include <linux/rculist.h>
20 #include <linux/genhd.h>
21 #include <linux/seq_file.h>
22 #include <linux/ima.h>
23
24 #include "ima.h"
25
26 /* flags definitions */
27 #define IMA_FUNC 0x0001
28 #define IMA_MASK 0x0002
29 #define IMA_FSMAGIC 0x0004
30 #define IMA_UID 0x0008
31 #define IMA_FOWNER 0x0010
32 #define IMA_FSUUID 0x0020
33 #define IMA_INMASK 0x0040
34 #define IMA_EUID 0x0080
35 #define IMA_PCR 0x0100
36 #define IMA_FSNAME 0x0200
37
38 #define UNKNOWN 0
39 #define MEASURE 0x0001 /* same as IMA_MEASURE */
40 #define DONT_MEASURE 0x0002
41 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
42 #define DONT_APPRAISE 0x0008
43 #define AUDIT 0x0040
44 #define HASH 0x0100
45 #define DONT_HASH 0x0200
46
47 #define INVALID_PCR(a) (((a) < 0) || \
48 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
49
50 int ima_policy_flag;
51 static int temp_ima_appraise;
52 static int build_ima_appraise __ro_after_init;
53
54 #define MAX_LSM_RULES 6
55 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
56 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
57 };
58
59 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
60
61 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
62
63 struct ima_rule_entry {
64 struct list_head list;
65 int action;
66 unsigned int flags;
67 enum ima_hooks func;
68 int mask;
69 unsigned long fsmagic;
70 uuid_t fsuuid;
71 kuid_t uid;
72 kuid_t fowner;
73 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */
74 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
75 int pcr;
76 struct {
77 void *rule; /* LSM file metadata specific */
78 void *args_p; /* audit value */
79 int type; /* audit type */
80 } lsm[MAX_LSM_RULES];
81 char *fsname;
82 struct ima_template_desc *template;
83 };
84
85 /*
86 * Without LSM specific knowledge, the default policy can only be
87 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
88 */
89
90 /*
91 * The minimum rule set to allow for full TCB coverage. Measures all files
92 * opened or mmap for exec and everything read by root. Dangerous because
93 * normal users can easily run the machine out of memory simply building
94 * and running executables.
95 */
96 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
97 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
98 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
99 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
100 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
101 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
102 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
103 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
104 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
105 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
106 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
107 .flags = IMA_FSMAGIC},
108 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
109 .flags = IMA_FSMAGIC},
110 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
111 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
112 };
113
114 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
115 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
116 .flags = IMA_FUNC | IMA_MASK},
117 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
118 .flags = IMA_FUNC | IMA_MASK},
119 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
120 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
121 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
122 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
123 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
124 };
125
126 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
127 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
128 .flags = IMA_FUNC | IMA_MASK},
129 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
130 .flags = IMA_FUNC | IMA_MASK},
131 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
132 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
133 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
134 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
135 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
136 .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
137 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
138 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
139 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
140 };
141
142 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
143 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
144 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
145 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
146 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
147 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
148 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
149 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
150 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
151 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
152 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
153 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
154 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
155 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
156 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
157 #ifdef CONFIG_IMA_WRITE_POLICY
158 {.action = APPRAISE, .func = POLICY_CHECK,
159 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
160 #endif
161 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
162 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
163 .flags = IMA_FOWNER},
164 #else
165 /* force signature */
166 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
167 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
168 #endif
169 };
170
171 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
173 {.action = APPRAISE, .func = MODULE_CHECK,
174 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
175 #endif
176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
177 {.action = APPRAISE, .func = FIRMWARE_CHECK,
178 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
179 #endif
180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
181 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
182 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
183 #endif
184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
185 {.action = APPRAISE, .func = POLICY_CHECK,
186 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
187 #endif
188 };
189
190 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
191 {.action = APPRAISE, .func = MODULE_CHECK,
192 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
193 {.action = APPRAISE, .func = FIRMWARE_CHECK,
194 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
195 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
196 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
197 {.action = APPRAISE, .func = POLICY_CHECK,
198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
199 };
200
201 /* An array of architecture specific rules */
202 static struct ima_rule_entry *arch_policy_entry __ro_after_init;
203
204 static LIST_HEAD(ima_default_rules);
205 static LIST_HEAD(ima_policy_rules);
206 static LIST_HEAD(ima_temp_rules);
207 static struct list_head *ima_rules;
208
209 static int ima_policy __initdata;
210
default_measure_policy_setup(char * str)211 static int __init default_measure_policy_setup(char *str)
212 {
213 if (ima_policy)
214 return 1;
215
216 ima_policy = ORIGINAL_TCB;
217 return 1;
218 }
219 __setup("ima_tcb", default_measure_policy_setup);
220
221 static bool ima_use_appraise_tcb __initdata;
222 static bool ima_use_secure_boot __initdata;
223 static bool ima_fail_unverifiable_sigs __ro_after_init;
policy_setup(char * str)224 static int __init policy_setup(char *str)
225 {
226 char *p;
227
228 while ((p = strsep(&str, " |\n")) != NULL) {
229 if (*p == ' ')
230 continue;
231 if ((strcmp(p, "tcb") == 0) && !ima_policy)
232 ima_policy = DEFAULT_TCB;
233 else if (strcmp(p, "appraise_tcb") == 0)
234 ima_use_appraise_tcb = true;
235 else if (strcmp(p, "secure_boot") == 0)
236 ima_use_secure_boot = true;
237 else if (strcmp(p, "fail_securely") == 0)
238 ima_fail_unverifiable_sigs = true;
239 }
240
241 return 1;
242 }
243 __setup("ima_policy=", policy_setup);
244
default_appraise_policy_setup(char * str)245 static int __init default_appraise_policy_setup(char *str)
246 {
247 ima_use_appraise_tcb = true;
248 return 1;
249 }
250 __setup("ima_appraise_tcb", default_appraise_policy_setup);
251
ima_lsm_free_rule(struct ima_rule_entry * entry)252 static void ima_lsm_free_rule(struct ima_rule_entry *entry)
253 {
254 int i;
255
256 for (i = 0; i < MAX_LSM_RULES; i++) {
257 kfree(entry->lsm[i].rule);
258 kfree(entry->lsm[i].args_p);
259 }
260 kfree(entry);
261 }
262
ima_lsm_copy_rule(struct ima_rule_entry * entry)263 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
264 {
265 struct ima_rule_entry *nentry;
266 int i, result;
267
268 nentry = kmalloc(sizeof(*nentry), GFP_KERNEL);
269 if (!nentry)
270 return NULL;
271
272 /*
273 * Immutable elements are copied over as pointers and data; only
274 * lsm rules can change
275 */
276 memcpy(nentry, entry, sizeof(*nentry));
277 memset(nentry->lsm, 0, FIELD_SIZEOF(struct ima_rule_entry, lsm));
278
279 for (i = 0; i < MAX_LSM_RULES; i++) {
280 if (!entry->lsm[i].rule)
281 continue;
282
283 nentry->lsm[i].type = entry->lsm[i].type;
284 nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p,
285 GFP_KERNEL);
286 if (!nentry->lsm[i].args_p)
287 goto out_err;
288
289 result = security_filter_rule_init(nentry->lsm[i].type,
290 Audit_equal,
291 nentry->lsm[i].args_p,
292 &nentry->lsm[i].rule);
293 if (result == -EINVAL)
294 pr_warn("ima: rule for LSM \'%d\' is undefined\n",
295 entry->lsm[i].type);
296 }
297 return nentry;
298
299 out_err:
300 ima_lsm_free_rule(nentry);
301 return NULL;
302 }
303
ima_lsm_update_rule(struct ima_rule_entry * entry)304 static int ima_lsm_update_rule(struct ima_rule_entry *entry)
305 {
306 struct ima_rule_entry *nentry;
307
308 nentry = ima_lsm_copy_rule(entry);
309 if (!nentry)
310 return -ENOMEM;
311
312 list_replace_rcu(&entry->list, &nentry->list);
313 synchronize_rcu();
314 ima_lsm_free_rule(entry);
315
316 return 0;
317 }
318
319 /*
320 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
321 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect
322 * the reloaded LSM policy.
323 */
ima_lsm_update_rules(void)324 static void ima_lsm_update_rules(void)
325 {
326 struct ima_rule_entry *entry, *e;
327 int i, result, needs_update;
328
329 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
330 needs_update = 0;
331 for (i = 0; i < MAX_LSM_RULES; i++) {
332 if (entry->lsm[i].rule) {
333 needs_update = 1;
334 break;
335 }
336 }
337 if (!needs_update)
338 continue;
339
340 result = ima_lsm_update_rule(entry);
341 if (result) {
342 pr_err("ima: lsm rule update error %d\n",
343 result);
344 return;
345 }
346 }
347 }
348
ima_lsm_policy_change(struct notifier_block * nb,unsigned long event,void * lsm_data)349 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
350 void *lsm_data)
351 {
352 if (event != LSM_POLICY_CHANGE)
353 return NOTIFY_DONE;
354
355 ima_lsm_update_rules();
356 return NOTIFY_OK;
357 }
358
359 /**
360 * ima_match_rules - determine whether an inode matches the measure rule.
361 * @rule: a pointer to a rule
362 * @inode: a pointer to an inode
363 * @cred: a pointer to a credentials structure for user validation
364 * @secid: the secid of the task to be validated
365 * @func: LIM hook identifier
366 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
367 *
368 * Returns true on rule match, false on failure.
369 */
ima_match_rules(struct ima_rule_entry * rule,struct inode * inode,const struct cred * cred,u32 secid,enum ima_hooks func,int mask)370 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
371 const struct cred *cred, u32 secid,
372 enum ima_hooks func, int mask)
373 {
374 int i;
375
376 if (func == KEXEC_CMDLINE) {
377 if ((rule->flags & IMA_FUNC) && (rule->func == func))
378 return true;
379 return false;
380 }
381 if ((rule->flags & IMA_FUNC) &&
382 (rule->func != func && func != POST_SETATTR))
383 return false;
384 if ((rule->flags & IMA_MASK) &&
385 (rule->mask != mask && func != POST_SETATTR))
386 return false;
387 if ((rule->flags & IMA_INMASK) &&
388 (!(rule->mask & mask) && func != POST_SETATTR))
389 return false;
390 if ((rule->flags & IMA_FSMAGIC)
391 && rule->fsmagic != inode->i_sb->s_magic)
392 return false;
393 if ((rule->flags & IMA_FSNAME)
394 && strcmp(rule->fsname, inode->i_sb->s_type->name))
395 return false;
396 if ((rule->flags & IMA_FSUUID) &&
397 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
398 return false;
399 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
400 return false;
401 if (rule->flags & IMA_EUID) {
402 if (has_capability_noaudit(current, CAP_SETUID)) {
403 if (!rule->uid_op(cred->euid, rule->uid)
404 && !rule->uid_op(cred->suid, rule->uid)
405 && !rule->uid_op(cred->uid, rule->uid))
406 return false;
407 } else if (!rule->uid_op(cred->euid, rule->uid))
408 return false;
409 }
410
411 if ((rule->flags & IMA_FOWNER) &&
412 !rule->fowner_op(inode->i_uid, rule->fowner))
413 return false;
414 for (i = 0; i < MAX_LSM_RULES; i++) {
415 int rc = 0;
416 u32 osid;
417
418 if (!rule->lsm[i].rule)
419 continue;
420
421 switch (i) {
422 case LSM_OBJ_USER:
423 case LSM_OBJ_ROLE:
424 case LSM_OBJ_TYPE:
425 security_inode_getsecid(inode, &osid);
426 rc = security_filter_rule_match(osid,
427 rule->lsm[i].type,
428 Audit_equal,
429 rule->lsm[i].rule);
430 break;
431 case LSM_SUBJ_USER:
432 case LSM_SUBJ_ROLE:
433 case LSM_SUBJ_TYPE:
434 rc = security_filter_rule_match(secid,
435 rule->lsm[i].type,
436 Audit_equal,
437 rule->lsm[i].rule);
438 default:
439 break;
440 }
441 if (!rc)
442 return false;
443 }
444 return true;
445 }
446
447 /*
448 * In addition to knowing that we need to appraise the file in general,
449 * we need to differentiate between calling hooks, for hook specific rules.
450 */
get_subaction(struct ima_rule_entry * rule,enum ima_hooks func)451 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
452 {
453 if (!(rule->flags & IMA_FUNC))
454 return IMA_FILE_APPRAISE;
455
456 switch (func) {
457 case MMAP_CHECK:
458 return IMA_MMAP_APPRAISE;
459 case BPRM_CHECK:
460 return IMA_BPRM_APPRAISE;
461 case CREDS_CHECK:
462 return IMA_CREDS_APPRAISE;
463 case FILE_CHECK:
464 case POST_SETATTR:
465 return IMA_FILE_APPRAISE;
466 case MODULE_CHECK ... MAX_CHECK - 1:
467 default:
468 return IMA_READ_APPRAISE;
469 }
470 }
471
472 /**
473 * ima_match_policy - decision based on LSM and other conditions
474 * @inode: pointer to an inode for which the policy decision is being made
475 * @cred: pointer to a credentials structure for which the policy decision is
476 * being made
477 * @secid: LSM secid of the task to be validated
478 * @func: IMA hook identifier
479 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
480 * @pcr: set the pcr to extend
481 * @template_desc: the template that should be used for this rule
482 *
483 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
484 * conditions.
485 *
486 * Since the IMA policy may be updated multiple times we need to lock the
487 * list when walking it. Reads are many orders of magnitude more numerous
488 * than writes so ima_match_policy() is classical RCU candidate.
489 */
ima_match_policy(struct inode * inode,const struct cred * cred,u32 secid,enum ima_hooks func,int mask,int flags,int * pcr,struct ima_template_desc ** template_desc)490 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
491 enum ima_hooks func, int mask, int flags, int *pcr,
492 struct ima_template_desc **template_desc)
493 {
494 struct ima_rule_entry *entry;
495 int action = 0, actmask = flags | (flags << 1);
496
497 if (template_desc)
498 *template_desc = ima_template_desc_current();
499
500 rcu_read_lock();
501 list_for_each_entry_rcu(entry, ima_rules, list) {
502
503 if (!(entry->action & actmask))
504 continue;
505
506 if (!ima_match_rules(entry, inode, cred, secid, func, mask))
507 continue;
508
509 action |= entry->flags & IMA_ACTION_FLAGS;
510
511 action |= entry->action & IMA_DO_MASK;
512 if (entry->action & IMA_APPRAISE) {
513 action |= get_subaction(entry, func);
514 action &= ~IMA_HASH;
515 if (ima_fail_unverifiable_sigs)
516 action |= IMA_FAIL_UNVERIFIABLE_SIGS;
517 }
518
519
520 if (entry->action & IMA_DO_MASK)
521 actmask &= ~(entry->action | entry->action << 1);
522 else
523 actmask &= ~(entry->action | entry->action >> 1);
524
525 if ((pcr) && (entry->flags & IMA_PCR))
526 *pcr = entry->pcr;
527
528 if (template_desc && entry->template)
529 *template_desc = entry->template;
530
531 if (!actmask)
532 break;
533 }
534 rcu_read_unlock();
535
536 return action;
537 }
538
539 /*
540 * Initialize the ima_policy_flag variable based on the currently
541 * loaded policy. Based on this flag, the decision to short circuit
542 * out of a function or not call the function in the first place
543 * can be made earlier.
544 */
ima_update_policy_flag(void)545 void ima_update_policy_flag(void)
546 {
547 struct ima_rule_entry *entry;
548
549 list_for_each_entry(entry, ima_rules, list) {
550 if (entry->action & IMA_DO_MASK)
551 ima_policy_flag |= entry->action;
552 }
553
554 ima_appraise |= (build_ima_appraise | temp_ima_appraise);
555 if (!ima_appraise)
556 ima_policy_flag &= ~IMA_APPRAISE;
557 }
558
ima_appraise_flag(enum ima_hooks func)559 static int ima_appraise_flag(enum ima_hooks func)
560 {
561 if (func == MODULE_CHECK)
562 return IMA_APPRAISE_MODULES;
563 else if (func == FIRMWARE_CHECK)
564 return IMA_APPRAISE_FIRMWARE;
565 else if (func == POLICY_CHECK)
566 return IMA_APPRAISE_POLICY;
567 else if (func == KEXEC_KERNEL_CHECK)
568 return IMA_APPRAISE_KEXEC;
569 return 0;
570 }
571
add_rules(struct ima_rule_entry * entries,int count,enum policy_rule_list policy_rule)572 static void add_rules(struct ima_rule_entry *entries, int count,
573 enum policy_rule_list policy_rule)
574 {
575 int i = 0;
576
577 for (i = 0; i < count; i++) {
578 struct ima_rule_entry *entry;
579
580 if (policy_rule & IMA_DEFAULT_POLICY)
581 list_add_tail(&entries[i].list, &ima_default_rules);
582
583 if (policy_rule & IMA_CUSTOM_POLICY) {
584 entry = kmemdup(&entries[i], sizeof(*entry),
585 GFP_KERNEL);
586 if (!entry)
587 continue;
588
589 list_add_tail(&entry->list, &ima_policy_rules);
590 }
591 if (entries[i].action == APPRAISE) {
592 temp_ima_appraise |= ima_appraise_flag(entries[i].func);
593 if (entries[i].func == POLICY_CHECK)
594 temp_ima_appraise |= IMA_APPRAISE_POLICY;
595 }
596 }
597 }
598
599 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
600
ima_init_arch_policy(void)601 static int __init ima_init_arch_policy(void)
602 {
603 const char * const *arch_rules;
604 const char * const *rules;
605 int arch_entries = 0;
606 int i = 0;
607
608 arch_rules = arch_get_ima_policy();
609 if (!arch_rules)
610 return arch_entries;
611
612 /* Get number of rules */
613 for (rules = arch_rules; *rules != NULL; rules++)
614 arch_entries++;
615
616 arch_policy_entry = kcalloc(arch_entries + 1,
617 sizeof(*arch_policy_entry), GFP_KERNEL);
618 if (!arch_policy_entry)
619 return 0;
620
621 /* Convert each policy string rules to struct ima_rule_entry format */
622 for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
623 char rule[255];
624 int result;
625
626 result = strlcpy(rule, *rules, sizeof(rule));
627
628 INIT_LIST_HEAD(&arch_policy_entry[i].list);
629 result = ima_parse_rule(rule, &arch_policy_entry[i]);
630 if (result) {
631 pr_warn("Skipping unknown architecture policy rule: %s\n",
632 rule);
633 memset(&arch_policy_entry[i], 0,
634 sizeof(*arch_policy_entry));
635 continue;
636 }
637 i++;
638 }
639 return i;
640 }
641
642 /**
643 * ima_init_policy - initialize the default measure rules.
644 *
645 * ima_rules points to either the ima_default_rules or the
646 * the new ima_policy_rules.
647 */
ima_init_policy(void)648 void __init ima_init_policy(void)
649 {
650 int build_appraise_entries, arch_entries;
651
652 /* if !ima_policy, we load NO default rules */
653 if (ima_policy)
654 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
655 IMA_DEFAULT_POLICY);
656
657 switch (ima_policy) {
658 case ORIGINAL_TCB:
659 add_rules(original_measurement_rules,
660 ARRAY_SIZE(original_measurement_rules),
661 IMA_DEFAULT_POLICY);
662 break;
663 case DEFAULT_TCB:
664 add_rules(default_measurement_rules,
665 ARRAY_SIZE(default_measurement_rules),
666 IMA_DEFAULT_POLICY);
667 default:
668 break;
669 }
670
671 /*
672 * Based on runtime secure boot flags, insert arch specific measurement
673 * and appraise rules requiring file signatures for both the initial
674 * and custom policies, prior to other appraise rules.
675 * (Highest priority)
676 */
677 arch_entries = ima_init_arch_policy();
678 if (!arch_entries)
679 pr_info("No architecture policies found\n");
680 else
681 add_rules(arch_policy_entry, arch_entries,
682 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
683
684 /*
685 * Insert the builtin "secure_boot" policy rules requiring file
686 * signatures, prior to other appraise rules.
687 */
688 if (ima_use_secure_boot)
689 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
690 IMA_DEFAULT_POLICY);
691
692 /*
693 * Insert the build time appraise rules requiring file signatures
694 * for both the initial and custom policies, prior to other appraise
695 * rules. As the secure boot rules includes all of the build time
696 * rules, include either one or the other set of rules, but not both.
697 */
698 build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
699 if (build_appraise_entries) {
700 if (ima_use_secure_boot)
701 add_rules(build_appraise_rules, build_appraise_entries,
702 IMA_CUSTOM_POLICY);
703 else
704 add_rules(build_appraise_rules, build_appraise_entries,
705 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
706 }
707
708 if (ima_use_appraise_tcb)
709 add_rules(default_appraise_rules,
710 ARRAY_SIZE(default_appraise_rules),
711 IMA_DEFAULT_POLICY);
712
713 ima_rules = &ima_default_rules;
714 ima_update_policy_flag();
715 }
716
717 /* Make sure we have a valid policy, at least containing some rules. */
ima_check_policy(void)718 int ima_check_policy(void)
719 {
720 if (list_empty(&ima_temp_rules))
721 return -EINVAL;
722 return 0;
723 }
724
725 /**
726 * ima_update_policy - update default_rules with new measure rules
727 *
728 * Called on file .release to update the default rules with a complete new
729 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so
730 * they make a queue. The policy may be updated multiple times and this is the
731 * RCU updater.
732 *
733 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
734 * we switch from the default policy to user defined.
735 */
ima_update_policy(void)736 void ima_update_policy(void)
737 {
738 struct list_head *policy = &ima_policy_rules;
739
740 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
741
742 if (ima_rules != policy) {
743 ima_policy_flag = 0;
744 ima_rules = policy;
745
746 /*
747 * IMA architecture specific policy rules are specified
748 * as strings and converted to an array of ima_entry_rules
749 * on boot. After loading a custom policy, free the
750 * architecture specific rules stored as an array.
751 */
752 kfree(arch_policy_entry);
753 }
754 ima_update_policy_flag();
755 }
756
757 /* Keep the enumeration in sync with the policy_tokens! */
758 enum {
759 Opt_measure, Opt_dont_measure,
760 Opt_appraise, Opt_dont_appraise,
761 Opt_audit, Opt_hash, Opt_dont_hash,
762 Opt_obj_user, Opt_obj_role, Opt_obj_type,
763 Opt_subj_user, Opt_subj_role, Opt_subj_type,
764 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
765 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
766 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
767 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
768 Opt_appraise_type, Opt_permit_directio,
769 Opt_pcr, Opt_template, Opt_err
770 };
771
772 static const match_table_t policy_tokens = {
773 {Opt_measure, "measure"},
774 {Opt_dont_measure, "dont_measure"},
775 {Opt_appraise, "appraise"},
776 {Opt_dont_appraise, "dont_appraise"},
777 {Opt_audit, "audit"},
778 {Opt_hash, "hash"},
779 {Opt_dont_hash, "dont_hash"},
780 {Opt_obj_user, "obj_user=%s"},
781 {Opt_obj_role, "obj_role=%s"},
782 {Opt_obj_type, "obj_type=%s"},
783 {Opt_subj_user, "subj_user=%s"},
784 {Opt_subj_role, "subj_role=%s"},
785 {Opt_subj_type, "subj_type=%s"},
786 {Opt_func, "func=%s"},
787 {Opt_mask, "mask=%s"},
788 {Opt_fsmagic, "fsmagic=%s"},
789 {Opt_fsname, "fsname=%s"},
790 {Opt_fsuuid, "fsuuid=%s"},
791 {Opt_uid_eq, "uid=%s"},
792 {Opt_euid_eq, "euid=%s"},
793 {Opt_fowner_eq, "fowner=%s"},
794 {Opt_uid_gt, "uid>%s"},
795 {Opt_euid_gt, "euid>%s"},
796 {Opt_fowner_gt, "fowner>%s"},
797 {Opt_uid_lt, "uid<%s"},
798 {Opt_euid_lt, "euid<%s"},
799 {Opt_fowner_lt, "fowner<%s"},
800 {Opt_appraise_type, "appraise_type=%s"},
801 {Opt_permit_directio, "permit_directio"},
802 {Opt_pcr, "pcr=%s"},
803 {Opt_template, "template=%s"},
804 {Opt_err, NULL}
805 };
806
ima_lsm_rule_init(struct ima_rule_entry * entry,substring_t * args,int lsm_rule,int audit_type)807 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
808 substring_t *args, int lsm_rule, int audit_type)
809 {
810 int result;
811
812 if (entry->lsm[lsm_rule].rule)
813 return -EINVAL;
814
815 entry->lsm[lsm_rule].args_p = match_strdup(args);
816 if (!entry->lsm[lsm_rule].args_p)
817 return -ENOMEM;
818
819 entry->lsm[lsm_rule].type = audit_type;
820 result = security_filter_rule_init(entry->lsm[lsm_rule].type,
821 Audit_equal,
822 entry->lsm[lsm_rule].args_p,
823 &entry->lsm[lsm_rule].rule);
824 if (!entry->lsm[lsm_rule].rule) {
825 kfree(entry->lsm[lsm_rule].args_p);
826 return -EINVAL;
827 }
828
829 return result;
830 }
831
ima_log_string_op(struct audit_buffer * ab,char * key,char * value,bool (* rule_operator)(kuid_t,kuid_t))832 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
833 bool (*rule_operator)(kuid_t, kuid_t))
834 {
835 if (!ab)
836 return;
837
838 if (rule_operator == &uid_gt)
839 audit_log_format(ab, "%s>", key);
840 else if (rule_operator == &uid_lt)
841 audit_log_format(ab, "%s<", key);
842 else
843 audit_log_format(ab, "%s=", key);
844 audit_log_format(ab, "%s ", value);
845 }
ima_log_string(struct audit_buffer * ab,char * key,char * value)846 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
847 {
848 ima_log_string_op(ab, key, value, NULL);
849 }
850
851 /*
852 * Validating the appended signature included in the measurement list requires
853 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
854 * field). Therefore, notify the user if they have the 'modsig' field but not
855 * the 'd-modsig' field in the template.
856 */
check_template_modsig(const struct ima_template_desc * template)857 static void check_template_modsig(const struct ima_template_desc *template)
858 {
859 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
860 bool has_modsig, has_dmodsig;
861 static bool checked;
862 int i;
863
864 /* We only need to notify the user once. */
865 if (checked)
866 return;
867
868 has_modsig = has_dmodsig = false;
869 for (i = 0; i < template->num_fields; i++) {
870 if (!strcmp(template->fields[i]->field_id, "modsig"))
871 has_modsig = true;
872 else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
873 has_dmodsig = true;
874 }
875
876 if (has_modsig && !has_dmodsig)
877 pr_notice(MSG);
878
879 checked = true;
880 #undef MSG
881 }
882
ima_parse_rule(char * rule,struct ima_rule_entry * entry)883 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
884 {
885 struct audit_buffer *ab;
886 char *from;
887 char *p;
888 bool uid_token;
889 struct ima_template_desc *template_desc;
890 int result = 0;
891
892 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
893 AUDIT_INTEGRITY_POLICY_RULE);
894
895 entry->uid = INVALID_UID;
896 entry->fowner = INVALID_UID;
897 entry->uid_op = &uid_eq;
898 entry->fowner_op = &uid_eq;
899 entry->action = UNKNOWN;
900 while ((p = strsep(&rule, " \t")) != NULL) {
901 substring_t args[MAX_OPT_ARGS];
902 int token;
903 unsigned long lnum;
904
905 if (result < 0)
906 break;
907 if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
908 continue;
909 token = match_token(p, policy_tokens, args);
910 switch (token) {
911 case Opt_measure:
912 ima_log_string(ab, "action", "measure");
913
914 if (entry->action != UNKNOWN)
915 result = -EINVAL;
916
917 entry->action = MEASURE;
918 break;
919 case Opt_dont_measure:
920 ima_log_string(ab, "action", "dont_measure");
921
922 if (entry->action != UNKNOWN)
923 result = -EINVAL;
924
925 entry->action = DONT_MEASURE;
926 break;
927 case Opt_appraise:
928 ima_log_string(ab, "action", "appraise");
929
930 if (entry->action != UNKNOWN)
931 result = -EINVAL;
932
933 entry->action = APPRAISE;
934 break;
935 case Opt_dont_appraise:
936 ima_log_string(ab, "action", "dont_appraise");
937
938 if (entry->action != UNKNOWN)
939 result = -EINVAL;
940
941 entry->action = DONT_APPRAISE;
942 break;
943 case Opt_audit:
944 ima_log_string(ab, "action", "audit");
945
946 if (entry->action != UNKNOWN)
947 result = -EINVAL;
948
949 entry->action = AUDIT;
950 break;
951 case Opt_hash:
952 ima_log_string(ab, "action", "hash");
953
954 if (entry->action != UNKNOWN)
955 result = -EINVAL;
956
957 entry->action = HASH;
958 break;
959 case Opt_dont_hash:
960 ima_log_string(ab, "action", "dont_hash");
961
962 if (entry->action != UNKNOWN)
963 result = -EINVAL;
964
965 entry->action = DONT_HASH;
966 break;
967 case Opt_func:
968 ima_log_string(ab, "func", args[0].from);
969
970 if (entry->func)
971 result = -EINVAL;
972
973 if (strcmp(args[0].from, "FILE_CHECK") == 0)
974 entry->func = FILE_CHECK;
975 /* PATH_CHECK is for backwards compat */
976 else if (strcmp(args[0].from, "PATH_CHECK") == 0)
977 entry->func = FILE_CHECK;
978 else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
979 entry->func = MODULE_CHECK;
980 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
981 entry->func = FIRMWARE_CHECK;
982 else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
983 || (strcmp(args[0].from, "MMAP_CHECK") == 0))
984 entry->func = MMAP_CHECK;
985 else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
986 entry->func = BPRM_CHECK;
987 else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
988 entry->func = CREDS_CHECK;
989 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
990 0)
991 entry->func = KEXEC_KERNEL_CHECK;
992 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
993 == 0)
994 entry->func = KEXEC_INITRAMFS_CHECK;
995 else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
996 entry->func = POLICY_CHECK;
997 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
998 entry->func = KEXEC_CMDLINE;
999 else
1000 result = -EINVAL;
1001 if (!result)
1002 entry->flags |= IMA_FUNC;
1003 break;
1004 case Opt_mask:
1005 ima_log_string(ab, "mask", args[0].from);
1006
1007 if (entry->mask)
1008 result = -EINVAL;
1009
1010 from = args[0].from;
1011 if (*from == '^')
1012 from++;
1013
1014 if ((strcmp(from, "MAY_EXEC")) == 0)
1015 entry->mask = MAY_EXEC;
1016 else if (strcmp(from, "MAY_WRITE") == 0)
1017 entry->mask = MAY_WRITE;
1018 else if (strcmp(from, "MAY_READ") == 0)
1019 entry->mask = MAY_READ;
1020 else if (strcmp(from, "MAY_APPEND") == 0)
1021 entry->mask = MAY_APPEND;
1022 else
1023 result = -EINVAL;
1024 if (!result)
1025 entry->flags |= (*args[0].from == '^')
1026 ? IMA_INMASK : IMA_MASK;
1027 break;
1028 case Opt_fsmagic:
1029 ima_log_string(ab, "fsmagic", args[0].from);
1030
1031 if (entry->fsmagic) {
1032 result = -EINVAL;
1033 break;
1034 }
1035
1036 result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1037 if (!result)
1038 entry->flags |= IMA_FSMAGIC;
1039 break;
1040 case Opt_fsname:
1041 ima_log_string(ab, "fsname", args[0].from);
1042
1043 entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1044 if (!entry->fsname) {
1045 result = -ENOMEM;
1046 break;
1047 }
1048 result = 0;
1049 entry->flags |= IMA_FSNAME;
1050 break;
1051 case Opt_fsuuid:
1052 ima_log_string(ab, "fsuuid", args[0].from);
1053
1054 if (!uuid_is_null(&entry->fsuuid)) {
1055 result = -EINVAL;
1056 break;
1057 }
1058
1059 result = uuid_parse(args[0].from, &entry->fsuuid);
1060 if (!result)
1061 entry->flags |= IMA_FSUUID;
1062 break;
1063 case Opt_uid_gt:
1064 case Opt_euid_gt:
1065 entry->uid_op = &uid_gt;
1066 /* fall through */
1067 case Opt_uid_lt:
1068 case Opt_euid_lt:
1069 if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1070 entry->uid_op = &uid_lt;
1071 /* fall through */
1072 case Opt_uid_eq:
1073 case Opt_euid_eq:
1074 uid_token = (token == Opt_uid_eq) ||
1075 (token == Opt_uid_gt) ||
1076 (token == Opt_uid_lt);
1077
1078 ima_log_string_op(ab, uid_token ? "uid" : "euid",
1079 args[0].from, entry->uid_op);
1080
1081 if (uid_valid(entry->uid)) {
1082 result = -EINVAL;
1083 break;
1084 }
1085
1086 result = kstrtoul(args[0].from, 10, &lnum);
1087 if (!result) {
1088 entry->uid = make_kuid(current_user_ns(),
1089 (uid_t) lnum);
1090 if (!uid_valid(entry->uid) ||
1091 (uid_t)lnum != lnum)
1092 result = -EINVAL;
1093 else
1094 entry->flags |= uid_token
1095 ? IMA_UID : IMA_EUID;
1096 }
1097 break;
1098 case Opt_fowner_gt:
1099 entry->fowner_op = &uid_gt;
1100 /* fall through */
1101 case Opt_fowner_lt:
1102 if (token == Opt_fowner_lt)
1103 entry->fowner_op = &uid_lt;
1104 /* fall through */
1105 case Opt_fowner_eq:
1106 ima_log_string_op(ab, "fowner", args[0].from,
1107 entry->fowner_op);
1108
1109 if (uid_valid(entry->fowner)) {
1110 result = -EINVAL;
1111 break;
1112 }
1113
1114 result = kstrtoul(args[0].from, 10, &lnum);
1115 if (!result) {
1116 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
1117 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
1118 result = -EINVAL;
1119 else
1120 entry->flags |= IMA_FOWNER;
1121 }
1122 break;
1123 case Opt_obj_user:
1124 ima_log_string(ab, "obj_user", args[0].from);
1125 result = ima_lsm_rule_init(entry, args,
1126 LSM_OBJ_USER,
1127 AUDIT_OBJ_USER);
1128 break;
1129 case Opt_obj_role:
1130 ima_log_string(ab, "obj_role", args[0].from);
1131 result = ima_lsm_rule_init(entry, args,
1132 LSM_OBJ_ROLE,
1133 AUDIT_OBJ_ROLE);
1134 break;
1135 case Opt_obj_type:
1136 ima_log_string(ab, "obj_type", args[0].from);
1137 result = ima_lsm_rule_init(entry, args,
1138 LSM_OBJ_TYPE,
1139 AUDIT_OBJ_TYPE);
1140 break;
1141 case Opt_subj_user:
1142 ima_log_string(ab, "subj_user", args[0].from);
1143 result = ima_lsm_rule_init(entry, args,
1144 LSM_SUBJ_USER,
1145 AUDIT_SUBJ_USER);
1146 break;
1147 case Opt_subj_role:
1148 ima_log_string(ab, "subj_role", args[0].from);
1149 result = ima_lsm_rule_init(entry, args,
1150 LSM_SUBJ_ROLE,
1151 AUDIT_SUBJ_ROLE);
1152 break;
1153 case Opt_subj_type:
1154 ima_log_string(ab, "subj_type", args[0].from);
1155 result = ima_lsm_rule_init(entry, args,
1156 LSM_SUBJ_TYPE,
1157 AUDIT_SUBJ_TYPE);
1158 break;
1159 case Opt_appraise_type:
1160 if (entry->action != APPRAISE) {
1161 result = -EINVAL;
1162 break;
1163 }
1164
1165 ima_log_string(ab, "appraise_type", args[0].from);
1166 if ((strcmp(args[0].from, "imasig")) == 0)
1167 entry->flags |= IMA_DIGSIG_REQUIRED;
1168 else if (ima_hook_supports_modsig(entry->func) &&
1169 strcmp(args[0].from, "imasig|modsig") == 0)
1170 entry->flags |= IMA_DIGSIG_REQUIRED |
1171 IMA_MODSIG_ALLOWED;
1172 else
1173 result = -EINVAL;
1174 break;
1175 case Opt_permit_directio:
1176 entry->flags |= IMA_PERMIT_DIRECTIO;
1177 break;
1178 case Opt_pcr:
1179 if (entry->action != MEASURE) {
1180 result = -EINVAL;
1181 break;
1182 }
1183 ima_log_string(ab, "pcr", args[0].from);
1184
1185 result = kstrtoint(args[0].from, 10, &entry->pcr);
1186 if (result || INVALID_PCR(entry->pcr))
1187 result = -EINVAL;
1188 else
1189 entry->flags |= IMA_PCR;
1190
1191 break;
1192 case Opt_template:
1193 ima_log_string(ab, "template", args[0].from);
1194 if (entry->action != MEASURE) {
1195 result = -EINVAL;
1196 break;
1197 }
1198 template_desc = lookup_template_desc(args[0].from);
1199 if (!template_desc || entry->template) {
1200 result = -EINVAL;
1201 break;
1202 }
1203
1204 /*
1205 * template_desc_init_fields() does nothing if
1206 * the template is already initialised, so
1207 * it's safe to do this unconditionally
1208 */
1209 template_desc_init_fields(template_desc->fmt,
1210 &(template_desc->fields),
1211 &(template_desc->num_fields));
1212 entry->template = template_desc;
1213 break;
1214 case Opt_err:
1215 ima_log_string(ab, "UNKNOWN", p);
1216 result = -EINVAL;
1217 break;
1218 }
1219 }
1220 if (!result && (entry->action == UNKNOWN))
1221 result = -EINVAL;
1222 else if (entry->action == APPRAISE)
1223 temp_ima_appraise |= ima_appraise_flag(entry->func);
1224
1225 if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1226 template_desc = entry->template ? entry->template :
1227 ima_template_desc_current();
1228 check_template_modsig(template_desc);
1229 }
1230
1231 audit_log_format(ab, "res=%d", !result);
1232 audit_log_end(ab);
1233 return result;
1234 }
1235
1236 /**
1237 * ima_parse_add_rule - add a rule to ima_policy_rules
1238 * @rule - ima measurement policy rule
1239 *
1240 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1241 * Returns the length of the rule parsed, an error code on failure
1242 */
ima_parse_add_rule(char * rule)1243 ssize_t ima_parse_add_rule(char *rule)
1244 {
1245 static const char op[] = "update_policy";
1246 char *p;
1247 struct ima_rule_entry *entry;
1248 ssize_t result, len;
1249 int audit_info = 0;
1250
1251 p = strsep(&rule, "\n");
1252 len = strlen(p) + 1;
1253 p += strspn(p, " \t");
1254
1255 if (*p == '#' || *p == '\0')
1256 return len;
1257
1258 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1259 if (!entry) {
1260 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1261 NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1262 return -ENOMEM;
1263 }
1264
1265 INIT_LIST_HEAD(&entry->list);
1266
1267 result = ima_parse_rule(p, entry);
1268 if (result) {
1269 kfree(entry);
1270 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1271 NULL, op, "invalid-policy", result,
1272 audit_info);
1273 return result;
1274 }
1275
1276 list_add_tail(&entry->list, &ima_temp_rules);
1277
1278 return len;
1279 }
1280
1281 /**
1282 * ima_delete_rules() called to cleanup invalid in-flight policy.
1283 * We don't need locking as we operate on the temp list, which is
1284 * different from the active one. There is also only one user of
1285 * ima_delete_rules() at a time.
1286 */
ima_delete_rules(void)1287 void ima_delete_rules(void)
1288 {
1289 struct ima_rule_entry *entry, *tmp;
1290 int i;
1291
1292 temp_ima_appraise = 0;
1293 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1294 for (i = 0; i < MAX_LSM_RULES; i++)
1295 kfree(entry->lsm[i].args_p);
1296
1297 list_del(&entry->list);
1298 kfree(entry);
1299 }
1300 }
1301
1302 #define __ima_hook_stringify(str) (#str),
1303
1304 const char *const func_tokens[] = {
1305 __ima_hooks(__ima_hook_stringify)
1306 };
1307
1308 #ifdef CONFIG_IMA_READ_POLICY
1309 enum {
1310 mask_exec = 0, mask_write, mask_read, mask_append
1311 };
1312
1313 static const char *const mask_tokens[] = {
1314 "^MAY_EXEC",
1315 "^MAY_WRITE",
1316 "^MAY_READ",
1317 "^MAY_APPEND"
1318 };
1319
ima_policy_start(struct seq_file * m,loff_t * pos)1320 void *ima_policy_start(struct seq_file *m, loff_t *pos)
1321 {
1322 loff_t l = *pos;
1323 struct ima_rule_entry *entry;
1324
1325 rcu_read_lock();
1326 list_for_each_entry_rcu(entry, ima_rules, list) {
1327 if (!l--) {
1328 rcu_read_unlock();
1329 return entry;
1330 }
1331 }
1332 rcu_read_unlock();
1333 return NULL;
1334 }
1335
ima_policy_next(struct seq_file * m,void * v,loff_t * pos)1336 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1337 {
1338 struct ima_rule_entry *entry = v;
1339
1340 rcu_read_lock();
1341 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1342 rcu_read_unlock();
1343 (*pos)++;
1344
1345 return (&entry->list == ima_rules) ? NULL : entry;
1346 }
1347
ima_policy_stop(struct seq_file * m,void * v)1348 void ima_policy_stop(struct seq_file *m, void *v)
1349 {
1350 }
1351
1352 #define pt(token) policy_tokens[token].pattern
1353 #define mt(token) mask_tokens[token]
1354
1355 /*
1356 * policy_func_show - display the ima_hooks policy rule
1357 */
policy_func_show(struct seq_file * m,enum ima_hooks func)1358 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1359 {
1360 if (func > 0 && func < MAX_CHECK)
1361 seq_printf(m, "func=%s ", func_tokens[func]);
1362 else
1363 seq_printf(m, "func=%d ", func);
1364 }
1365
ima_policy_show(struct seq_file * m,void * v)1366 int ima_policy_show(struct seq_file *m, void *v)
1367 {
1368 struct ima_rule_entry *entry = v;
1369 int i;
1370 char tbuf[64] = {0,};
1371 int offset = 0;
1372
1373 rcu_read_lock();
1374
1375 if (entry->action & MEASURE)
1376 seq_puts(m, pt(Opt_measure));
1377 if (entry->action & DONT_MEASURE)
1378 seq_puts(m, pt(Opt_dont_measure));
1379 if (entry->action & APPRAISE)
1380 seq_puts(m, pt(Opt_appraise));
1381 if (entry->action & DONT_APPRAISE)
1382 seq_puts(m, pt(Opt_dont_appraise));
1383 if (entry->action & AUDIT)
1384 seq_puts(m, pt(Opt_audit));
1385 if (entry->action & HASH)
1386 seq_puts(m, pt(Opt_hash));
1387 if (entry->action & DONT_HASH)
1388 seq_puts(m, pt(Opt_dont_hash));
1389
1390 seq_puts(m, " ");
1391
1392 if (entry->flags & IMA_FUNC)
1393 policy_func_show(m, entry->func);
1394
1395 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
1396 if (entry->flags & IMA_MASK)
1397 offset = 1;
1398 if (entry->mask & MAY_EXEC)
1399 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
1400 if (entry->mask & MAY_WRITE)
1401 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
1402 if (entry->mask & MAY_READ)
1403 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
1404 if (entry->mask & MAY_APPEND)
1405 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
1406 seq_puts(m, " ");
1407 }
1408
1409 if (entry->flags & IMA_FSMAGIC) {
1410 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1411 seq_printf(m, pt(Opt_fsmagic), tbuf);
1412 seq_puts(m, " ");
1413 }
1414
1415 if (entry->flags & IMA_FSNAME) {
1416 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1417 seq_printf(m, pt(Opt_fsname), tbuf);
1418 seq_puts(m, " ");
1419 }
1420
1421 if (entry->flags & IMA_PCR) {
1422 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1423 seq_printf(m, pt(Opt_pcr), tbuf);
1424 seq_puts(m, " ");
1425 }
1426
1427 if (entry->flags & IMA_FSUUID) {
1428 seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1429 seq_puts(m, " ");
1430 }
1431
1432 if (entry->flags & IMA_UID) {
1433 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1434 if (entry->uid_op == &uid_gt)
1435 seq_printf(m, pt(Opt_uid_gt), tbuf);
1436 else if (entry->uid_op == &uid_lt)
1437 seq_printf(m, pt(Opt_uid_lt), tbuf);
1438 else
1439 seq_printf(m, pt(Opt_uid_eq), tbuf);
1440 seq_puts(m, " ");
1441 }
1442
1443 if (entry->flags & IMA_EUID) {
1444 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1445 if (entry->uid_op == &uid_gt)
1446 seq_printf(m, pt(Opt_euid_gt), tbuf);
1447 else if (entry->uid_op == &uid_lt)
1448 seq_printf(m, pt(Opt_euid_lt), tbuf);
1449 else
1450 seq_printf(m, pt(Opt_euid_eq), tbuf);
1451 seq_puts(m, " ");
1452 }
1453
1454 if (entry->flags & IMA_FOWNER) {
1455 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1456 if (entry->fowner_op == &uid_gt)
1457 seq_printf(m, pt(Opt_fowner_gt), tbuf);
1458 else if (entry->fowner_op == &uid_lt)
1459 seq_printf(m, pt(Opt_fowner_lt), tbuf);
1460 else
1461 seq_printf(m, pt(Opt_fowner_eq), tbuf);
1462 seq_puts(m, " ");
1463 }
1464
1465 for (i = 0; i < MAX_LSM_RULES; i++) {
1466 if (entry->lsm[i].rule) {
1467 switch (i) {
1468 case LSM_OBJ_USER:
1469 seq_printf(m, pt(Opt_obj_user),
1470 (char *)entry->lsm[i].args_p);
1471 break;
1472 case LSM_OBJ_ROLE:
1473 seq_printf(m, pt(Opt_obj_role),
1474 (char *)entry->lsm[i].args_p);
1475 break;
1476 case LSM_OBJ_TYPE:
1477 seq_printf(m, pt(Opt_obj_type),
1478 (char *)entry->lsm[i].args_p);
1479 break;
1480 case LSM_SUBJ_USER:
1481 seq_printf(m, pt(Opt_subj_user),
1482 (char *)entry->lsm[i].args_p);
1483 break;
1484 case LSM_SUBJ_ROLE:
1485 seq_printf(m, pt(Opt_subj_role),
1486 (char *)entry->lsm[i].args_p);
1487 break;
1488 case LSM_SUBJ_TYPE:
1489 seq_printf(m, pt(Opt_subj_type),
1490 (char *)entry->lsm[i].args_p);
1491 break;
1492 }
1493 }
1494 }
1495 if (entry->template)
1496 seq_printf(m, "template=%s ", entry->template->name);
1497 if (entry->flags & IMA_DIGSIG_REQUIRED) {
1498 if (entry->flags & IMA_MODSIG_ALLOWED)
1499 seq_puts(m, "appraise_type=imasig|modsig ");
1500 else
1501 seq_puts(m, "appraise_type=imasig ");
1502 }
1503 if (entry->flags & IMA_PERMIT_DIRECTIO)
1504 seq_puts(m, "permit_directio ");
1505 rcu_read_unlock();
1506 seq_puts(m, "\n");
1507 return 0;
1508 }
1509 #endif /* CONFIG_IMA_READ_POLICY */
1510
1511 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
1512 /*
1513 * ima_appraise_signature: whether IMA will appraise a given function using
1514 * an IMA digital signature. This is restricted to cases where the kernel
1515 * has a set of built-in trusted keys in order to avoid an attacker simply
1516 * loading additional keys.
1517 */
ima_appraise_signature(enum kernel_read_file_id id)1518 bool ima_appraise_signature(enum kernel_read_file_id id)
1519 {
1520 struct ima_rule_entry *entry;
1521 bool found = false;
1522 enum ima_hooks func;
1523
1524 if (id >= READING_MAX_ID)
1525 return false;
1526
1527 func = read_idmap[id] ?: FILE_CHECK;
1528
1529 rcu_read_lock();
1530 list_for_each_entry_rcu(entry, ima_rules, list) {
1531 if (entry->action != APPRAISE)
1532 continue;
1533
1534 /*
1535 * A generic entry will match, but otherwise require that it
1536 * match the func we're looking for
1537 */
1538 if (entry->func && entry->func != func)
1539 continue;
1540
1541 /*
1542 * We require this to be a digital signature, not a raw IMA
1543 * hash.
1544 */
1545 if (entry->flags & IMA_DIGSIG_REQUIRED)
1546 found = true;
1547
1548 /*
1549 * We've found a rule that matches, so break now even if it
1550 * didn't require a digital signature - a later rule that does
1551 * won't override it, so would be a false positive.
1552 */
1553 break;
1554 }
1555
1556 rcu_read_unlock();
1557 return found;
1558 }
1559 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
1560