1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2008 IBM Corporation
4 * Author: Mimi Zohar <zohar@us.ibm.com>
5 *
6 * ima_policy.c
7 * - initialize default measure policy rules
8 */
9
10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/fs.h>
15 #include <linux/security.h>
16 #include <linux/magic.h>
17 #include <linux/parser.h>
18 #include <linux/slab.h>
19 #include <linux/rculist.h>
20 #include <linux/genhd.h>
21 #include <linux/seq_file.h>
22 #include <linux/ima.h>
23
24 #include "ima.h"
25
26 /* flags definitions */
27 #define IMA_FUNC 0x0001
28 #define IMA_MASK 0x0002
29 #define IMA_FSMAGIC 0x0004
30 #define IMA_UID 0x0008
31 #define IMA_FOWNER 0x0010
32 #define IMA_FSUUID 0x0020
33 #define IMA_INMASK 0x0040
34 #define IMA_EUID 0x0080
35 #define IMA_PCR 0x0100
36 #define IMA_FSNAME 0x0200
37
38 #define UNKNOWN 0
39 #define MEASURE 0x0001 /* same as IMA_MEASURE */
40 #define DONT_MEASURE 0x0002
41 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
42 #define DONT_APPRAISE 0x0008
43 #define AUDIT 0x0040
44 #define HASH 0x0100
45 #define DONT_HASH 0x0200
46
47 #define INVALID_PCR(a) (((a) < 0) || \
48 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
49
50 int ima_policy_flag;
51 static int temp_ima_appraise;
52 static int build_ima_appraise __ro_after_init;
53
54 #define MAX_LSM_RULES 6
55 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
56 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
57 };
58
59 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
60
61 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
62
63 struct ima_rule_entry {
64 struct list_head list;
65 int action;
66 unsigned int flags;
67 enum ima_hooks func;
68 int mask;
69 unsigned long fsmagic;
70 uuid_t fsuuid;
71 kuid_t uid;
72 kuid_t fowner;
73 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */
74 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
75 int pcr;
76 struct {
77 void *rule; /* LSM file metadata specific */
78 void *args_p; /* audit value */
79 int type; /* audit type */
80 } lsm[MAX_LSM_RULES];
81 char *fsname;
82 struct ima_template_desc *template;
83 };
84
85 /*
86 * Without LSM specific knowledge, the default policy can only be
87 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
88 */
89
90 /*
91 * The minimum rule set to allow for full TCB coverage. Measures all files
92 * opened or mmap for exec and everything read by root. Dangerous because
93 * normal users can easily run the machine out of memory simply building
94 * and running executables.
95 */
96 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
97 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
98 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
99 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
100 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
101 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
102 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
103 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
104 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
105 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
106 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
107 .flags = IMA_FSMAGIC},
108 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
109 .flags = IMA_FSMAGIC},
110 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
111 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
112 };
113
114 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
115 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
116 .flags = IMA_FUNC | IMA_MASK},
117 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
118 .flags = IMA_FUNC | IMA_MASK},
119 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
120 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
121 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
122 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
123 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
124 };
125
126 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
127 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
128 .flags = IMA_FUNC | IMA_MASK},
129 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
130 .flags = IMA_FUNC | IMA_MASK},
131 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
132 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
133 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
134 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
135 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
136 .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
137 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
138 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
139 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
140 };
141
142 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
143 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
144 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
145 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
146 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
147 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
148 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
149 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
150 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
151 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
152 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
153 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
154 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
155 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
156 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
157 #ifdef CONFIG_IMA_WRITE_POLICY
158 {.action = APPRAISE, .func = POLICY_CHECK,
159 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
160 #endif
161 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
162 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
163 .flags = IMA_FOWNER},
164 #else
165 /* force signature */
166 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
167 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
168 #endif
169 };
170
171 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
173 {.action = APPRAISE, .func = MODULE_CHECK,
174 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
175 #endif
176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
177 {.action = APPRAISE, .func = FIRMWARE_CHECK,
178 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
179 #endif
180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
181 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
182 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
183 #endif
184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
185 {.action = APPRAISE, .func = POLICY_CHECK,
186 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
187 #endif
188 };
189
190 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
191 {.action = APPRAISE, .func = MODULE_CHECK,
192 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
193 {.action = APPRAISE, .func = FIRMWARE_CHECK,
194 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
195 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
196 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
197 {.action = APPRAISE, .func = POLICY_CHECK,
198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
199 };
200
201 /* An array of architecture specific rules */
202 static struct ima_rule_entry *arch_policy_entry __ro_after_init;
203
204 static LIST_HEAD(ima_default_rules);
205 static LIST_HEAD(ima_policy_rules);
206 static LIST_HEAD(ima_temp_rules);
207 static struct list_head *ima_rules = &ima_default_rules;
208
209 static int ima_policy __initdata;
210
default_measure_policy_setup(char * str)211 static int __init default_measure_policy_setup(char *str)
212 {
213 if (ima_policy)
214 return 1;
215
216 ima_policy = ORIGINAL_TCB;
217 return 1;
218 }
219 __setup("ima_tcb", default_measure_policy_setup);
220
221 static bool ima_use_appraise_tcb __initdata;
222 static bool ima_use_secure_boot __initdata;
223 static bool ima_fail_unverifiable_sigs __ro_after_init;
policy_setup(char * str)224 static int __init policy_setup(char *str)
225 {
226 char *p;
227
228 while ((p = strsep(&str, " |\n")) != NULL) {
229 if (*p == ' ')
230 continue;
231 if ((strcmp(p, "tcb") == 0) && !ima_policy)
232 ima_policy = DEFAULT_TCB;
233 else if (strcmp(p, "appraise_tcb") == 0)
234 ima_use_appraise_tcb = true;
235 else if (strcmp(p, "secure_boot") == 0)
236 ima_use_secure_boot = true;
237 else if (strcmp(p, "fail_securely") == 0)
238 ima_fail_unverifiable_sigs = true;
239 }
240
241 return 1;
242 }
243 __setup("ima_policy=", policy_setup);
244
default_appraise_policy_setup(char * str)245 static int __init default_appraise_policy_setup(char *str)
246 {
247 ima_use_appraise_tcb = true;
248 return 1;
249 }
250 __setup("ima_appraise_tcb", default_appraise_policy_setup);
251
ima_lsm_free_rule(struct ima_rule_entry * entry)252 static void ima_lsm_free_rule(struct ima_rule_entry *entry)
253 {
254 int i;
255
256 for (i = 0; i < MAX_LSM_RULES; i++) {
257 ima_filter_rule_free(entry->lsm[i].rule);
258 kfree(entry->lsm[i].args_p);
259 }
260 kfree(entry);
261 }
262
ima_lsm_copy_rule(struct ima_rule_entry * entry)263 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
264 {
265 struct ima_rule_entry *nentry;
266 int i;
267
268 nentry = kmalloc(sizeof(*nentry), GFP_KERNEL);
269 if (!nentry)
270 return NULL;
271
272 /*
273 * Immutable elements are copied over as pointers and data; only
274 * lsm rules can change
275 */
276 memcpy(nentry, entry, sizeof(*nentry));
277 memset(nentry->lsm, 0, FIELD_SIZEOF(struct ima_rule_entry, lsm));
278
279 for (i = 0; i < MAX_LSM_RULES; i++) {
280 if (!entry->lsm[i].args_p)
281 continue;
282
283 nentry->lsm[i].type = entry->lsm[i].type;
284 nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p,
285 GFP_KERNEL);
286 if (!nentry->lsm[i].args_p)
287 goto out_err;
288
289 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
290 nentry->lsm[i].args_p,
291 &nentry->lsm[i].rule);
292 if (!nentry->lsm[i].rule)
293 pr_warn("rule for LSM \'%s\' is undefined\n",
294 (char *)entry->lsm[i].args_p);
295 }
296 return nentry;
297
298 out_err:
299 ima_lsm_free_rule(nentry);
300 return NULL;
301 }
302
ima_lsm_update_rule(struct ima_rule_entry * entry)303 static int ima_lsm_update_rule(struct ima_rule_entry *entry)
304 {
305 struct ima_rule_entry *nentry;
306
307 nentry = ima_lsm_copy_rule(entry);
308 if (!nentry)
309 return -ENOMEM;
310
311 list_replace_rcu(&entry->list, &nentry->list);
312 synchronize_rcu();
313 ima_lsm_free_rule(entry);
314
315 return 0;
316 }
317
318 /*
319 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
320 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect
321 * the reloaded LSM policy.
322 */
ima_lsm_update_rules(void)323 static void ima_lsm_update_rules(void)
324 {
325 struct ima_rule_entry *entry, *e;
326 int i, result, needs_update;
327
328 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
329 needs_update = 0;
330 for (i = 0; i < MAX_LSM_RULES; i++) {
331 if (entry->lsm[i].args_p) {
332 needs_update = 1;
333 break;
334 }
335 }
336 if (!needs_update)
337 continue;
338
339 result = ima_lsm_update_rule(entry);
340 if (result) {
341 pr_err("lsm rule update error %d\n", result);
342 return;
343 }
344 }
345 }
346
ima_lsm_policy_change(struct notifier_block * nb,unsigned long event,void * lsm_data)347 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
348 void *lsm_data)
349 {
350 if (event != LSM_POLICY_CHANGE)
351 return NOTIFY_DONE;
352
353 ima_lsm_update_rules();
354 return NOTIFY_OK;
355 }
356
357 /**
358 * ima_match_rules - determine whether an inode matches the policy rule.
359 * @rule: a pointer to a rule
360 * @inode: a pointer to an inode
361 * @cred: a pointer to a credentials structure for user validation
362 * @secid: the secid of the task to be validated
363 * @func: LIM hook identifier
364 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
365 *
366 * Returns true on rule match, false on failure.
367 */
ima_match_rules(struct ima_rule_entry * rule,struct inode * inode,const struct cred * cred,u32 secid,enum ima_hooks func,int mask)368 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
369 const struct cred *cred, u32 secid,
370 enum ima_hooks func, int mask)
371 {
372 int i;
373 bool result = false;
374 struct ima_rule_entry *lsm_rule = rule;
375 bool rule_reinitialized = false;
376
377 if (func == KEXEC_CMDLINE) {
378 if ((rule->flags & IMA_FUNC) && (rule->func == func))
379 return true;
380 return false;
381 }
382 if ((rule->flags & IMA_FUNC) &&
383 (rule->func != func && func != POST_SETATTR))
384 return false;
385 if ((rule->flags & IMA_MASK) &&
386 (rule->mask != mask && func != POST_SETATTR))
387 return false;
388 if ((rule->flags & IMA_INMASK) &&
389 (!(rule->mask & mask) && func != POST_SETATTR))
390 return false;
391 if ((rule->flags & IMA_FSMAGIC)
392 && rule->fsmagic != inode->i_sb->s_magic)
393 return false;
394 if ((rule->flags & IMA_FSNAME)
395 && strcmp(rule->fsname, inode->i_sb->s_type->name))
396 return false;
397 if ((rule->flags & IMA_FSUUID) &&
398 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
399 return false;
400 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
401 return false;
402 if (rule->flags & IMA_EUID) {
403 if (has_capability_noaudit(current, CAP_SETUID)) {
404 if (!rule->uid_op(cred->euid, rule->uid)
405 && !rule->uid_op(cred->suid, rule->uid)
406 && !rule->uid_op(cred->uid, rule->uid))
407 return false;
408 } else if (!rule->uid_op(cred->euid, rule->uid))
409 return false;
410 }
411
412 if ((rule->flags & IMA_FOWNER) &&
413 !rule->fowner_op(inode->i_uid, rule->fowner))
414 return false;
415 for (i = 0; i < MAX_LSM_RULES; i++) {
416 int rc = 0;
417 u32 osid;
418
419 if (!lsm_rule->lsm[i].rule) {
420 if (!lsm_rule->lsm[i].args_p)
421 continue;
422 else
423 return false;
424 }
425
426 retry:
427 switch (i) {
428 case LSM_OBJ_USER:
429 case LSM_OBJ_ROLE:
430 case LSM_OBJ_TYPE:
431 security_inode_getsecid(inode, &osid);
432 rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type,
433 Audit_equal,
434 lsm_rule->lsm[i].rule);
435 break;
436 case LSM_SUBJ_USER:
437 case LSM_SUBJ_ROLE:
438 case LSM_SUBJ_TYPE:
439 rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type,
440 Audit_equal,
441 lsm_rule->lsm[i].rule);
442 break;
443 default:
444 break;
445 }
446
447 if (rc == -ESTALE && !rule_reinitialized) {
448 lsm_rule = ima_lsm_copy_rule(rule);
449 if (lsm_rule) {
450 rule_reinitialized = true;
451 goto retry;
452 }
453 }
454 if (!rc) {
455 result = false;
456 goto out;
457 }
458 }
459 result = true;
460
461 out:
462 if (rule_reinitialized) {
463 for (i = 0; i < MAX_LSM_RULES; i++)
464 ima_filter_rule_free(lsm_rule->lsm[i].rule);
465 kfree(lsm_rule);
466 }
467 return result;
468 }
469
470 /*
471 * In addition to knowing that we need to appraise the file in general,
472 * we need to differentiate between calling hooks, for hook specific rules.
473 */
get_subaction(struct ima_rule_entry * rule,enum ima_hooks func)474 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
475 {
476 if (!(rule->flags & IMA_FUNC))
477 return IMA_FILE_APPRAISE;
478
479 switch (func) {
480 case MMAP_CHECK:
481 return IMA_MMAP_APPRAISE;
482 case BPRM_CHECK:
483 return IMA_BPRM_APPRAISE;
484 case CREDS_CHECK:
485 return IMA_CREDS_APPRAISE;
486 case FILE_CHECK:
487 case POST_SETATTR:
488 return IMA_FILE_APPRAISE;
489 case MODULE_CHECK ... MAX_CHECK - 1:
490 default:
491 return IMA_READ_APPRAISE;
492 }
493 }
494
495 /**
496 * ima_match_policy - decision based on LSM and other conditions
497 * @inode: pointer to an inode for which the policy decision is being made
498 * @cred: pointer to a credentials structure for which the policy decision is
499 * being made
500 * @secid: LSM secid of the task to be validated
501 * @func: IMA hook identifier
502 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
503 * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE)
504 * @pcr: set the pcr to extend
505 * @template_desc: the template that should be used for this rule
506 *
507 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
508 * conditions.
509 *
510 * Since the IMA policy may be updated multiple times we need to lock the
511 * list when walking it. Reads are many orders of magnitude more numerous
512 * than writes so ima_match_policy() is classical RCU candidate.
513 */
ima_match_policy(struct inode * inode,const struct cred * cred,u32 secid,enum ima_hooks func,int mask,int flags,int * pcr,struct ima_template_desc ** template_desc)514 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
515 enum ima_hooks func, int mask, int flags, int *pcr,
516 struct ima_template_desc **template_desc)
517 {
518 struct ima_rule_entry *entry;
519 int action = 0, actmask = flags | (flags << 1);
520
521 if (template_desc)
522 *template_desc = ima_template_desc_current();
523
524 rcu_read_lock();
525 list_for_each_entry_rcu(entry, ima_rules, list) {
526
527 if (!(entry->action & actmask))
528 continue;
529
530 if (!ima_match_rules(entry, inode, cred, secid, func, mask))
531 continue;
532
533 action |= entry->flags & IMA_ACTION_FLAGS;
534
535 action |= entry->action & IMA_DO_MASK;
536 if (entry->action & IMA_APPRAISE) {
537 action |= get_subaction(entry, func);
538 action &= ~IMA_HASH;
539 if (ima_fail_unverifiable_sigs)
540 action |= IMA_FAIL_UNVERIFIABLE_SIGS;
541 }
542
543
544 if (entry->action & IMA_DO_MASK)
545 actmask &= ~(entry->action | entry->action << 1);
546 else
547 actmask &= ~(entry->action | entry->action >> 1);
548
549 if ((pcr) && (entry->flags & IMA_PCR))
550 *pcr = entry->pcr;
551
552 if (template_desc && entry->template)
553 *template_desc = entry->template;
554
555 if (!actmask)
556 break;
557 }
558 rcu_read_unlock();
559
560 return action;
561 }
562
563 /*
564 * Initialize the ima_policy_flag variable based on the currently
565 * loaded policy. Based on this flag, the decision to short circuit
566 * out of a function or not call the function in the first place
567 * can be made earlier.
568 */
ima_update_policy_flag(void)569 void ima_update_policy_flag(void)
570 {
571 struct ima_rule_entry *entry;
572
573 list_for_each_entry(entry, ima_rules, list) {
574 if (entry->action & IMA_DO_MASK)
575 ima_policy_flag |= entry->action;
576 }
577
578 ima_appraise |= (build_ima_appraise | temp_ima_appraise);
579 if (!ima_appraise)
580 ima_policy_flag &= ~IMA_APPRAISE;
581 }
582
ima_appraise_flag(enum ima_hooks func)583 static int ima_appraise_flag(enum ima_hooks func)
584 {
585 if (func == MODULE_CHECK)
586 return IMA_APPRAISE_MODULES;
587 else if (func == FIRMWARE_CHECK)
588 return IMA_APPRAISE_FIRMWARE;
589 else if (func == POLICY_CHECK)
590 return IMA_APPRAISE_POLICY;
591 else if (func == KEXEC_KERNEL_CHECK)
592 return IMA_APPRAISE_KEXEC;
593 return 0;
594 }
595
add_rules(struct ima_rule_entry * entries,int count,enum policy_rule_list policy_rule)596 static void add_rules(struct ima_rule_entry *entries, int count,
597 enum policy_rule_list policy_rule)
598 {
599 int i = 0;
600
601 for (i = 0; i < count; i++) {
602 struct ima_rule_entry *entry;
603
604 if (policy_rule & IMA_DEFAULT_POLICY)
605 list_add_tail(&entries[i].list, &ima_default_rules);
606
607 if (policy_rule & IMA_CUSTOM_POLICY) {
608 entry = kmemdup(&entries[i], sizeof(*entry),
609 GFP_KERNEL);
610 if (!entry)
611 continue;
612
613 list_add_tail(&entry->list, &ima_policy_rules);
614 }
615 if (entries[i].action == APPRAISE) {
616 if (entries != build_appraise_rules)
617 temp_ima_appraise |=
618 ima_appraise_flag(entries[i].func);
619 else
620 build_ima_appraise |=
621 ima_appraise_flag(entries[i].func);
622 }
623 }
624 }
625
626 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
627
ima_init_arch_policy(void)628 static int __init ima_init_arch_policy(void)
629 {
630 const char * const *arch_rules;
631 const char * const *rules;
632 int arch_entries = 0;
633 int i = 0;
634
635 arch_rules = arch_get_ima_policy();
636 if (!arch_rules)
637 return arch_entries;
638
639 /* Get number of rules */
640 for (rules = arch_rules; *rules != NULL; rules++)
641 arch_entries++;
642
643 arch_policy_entry = kcalloc(arch_entries + 1,
644 sizeof(*arch_policy_entry), GFP_KERNEL);
645 if (!arch_policy_entry)
646 return 0;
647
648 /* Convert each policy string rules to struct ima_rule_entry format */
649 for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
650 char rule[255];
651 int result;
652
653 result = strlcpy(rule, *rules, sizeof(rule));
654
655 INIT_LIST_HEAD(&arch_policy_entry[i].list);
656 result = ima_parse_rule(rule, &arch_policy_entry[i]);
657 if (result) {
658 pr_warn("Skipping unknown architecture policy rule: %s\n",
659 rule);
660 memset(&arch_policy_entry[i], 0,
661 sizeof(*arch_policy_entry));
662 continue;
663 }
664 i++;
665 }
666 return i;
667 }
668
669 /**
670 * ima_init_policy - initialize the default measure rules.
671 *
672 * ima_rules points to either the ima_default_rules or the
673 * the new ima_policy_rules.
674 */
ima_init_policy(void)675 void __init ima_init_policy(void)
676 {
677 int build_appraise_entries, arch_entries;
678
679 /* if !ima_policy, we load NO default rules */
680 if (ima_policy)
681 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
682 IMA_DEFAULT_POLICY);
683
684 switch (ima_policy) {
685 case ORIGINAL_TCB:
686 add_rules(original_measurement_rules,
687 ARRAY_SIZE(original_measurement_rules),
688 IMA_DEFAULT_POLICY);
689 break;
690 case DEFAULT_TCB:
691 add_rules(default_measurement_rules,
692 ARRAY_SIZE(default_measurement_rules),
693 IMA_DEFAULT_POLICY);
694 break;
695 default:
696 break;
697 }
698
699 /*
700 * Based on runtime secure boot flags, insert arch specific measurement
701 * and appraise rules requiring file signatures for both the initial
702 * and custom policies, prior to other appraise rules.
703 * (Highest priority)
704 */
705 arch_entries = ima_init_arch_policy();
706 if (!arch_entries)
707 pr_info("No architecture policies found\n");
708 else
709 add_rules(arch_policy_entry, arch_entries,
710 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
711
712 /*
713 * Insert the builtin "secure_boot" policy rules requiring file
714 * signatures, prior to other appraise rules.
715 */
716 if (ima_use_secure_boot)
717 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
718 IMA_DEFAULT_POLICY);
719
720 /*
721 * Insert the build time appraise rules requiring file signatures
722 * for both the initial and custom policies, prior to other appraise
723 * rules. As the secure boot rules includes all of the build time
724 * rules, include either one or the other set of rules, but not both.
725 */
726 build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
727 if (build_appraise_entries) {
728 if (ima_use_secure_boot)
729 add_rules(build_appraise_rules, build_appraise_entries,
730 IMA_CUSTOM_POLICY);
731 else
732 add_rules(build_appraise_rules, build_appraise_entries,
733 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
734 }
735
736 if (ima_use_appraise_tcb)
737 add_rules(default_appraise_rules,
738 ARRAY_SIZE(default_appraise_rules),
739 IMA_DEFAULT_POLICY);
740
741 ima_update_policy_flag();
742 }
743
744 /* Make sure we have a valid policy, at least containing some rules. */
ima_check_policy(void)745 int ima_check_policy(void)
746 {
747 if (list_empty(&ima_temp_rules))
748 return -EINVAL;
749 return 0;
750 }
751
752 /**
753 * ima_update_policy - update default_rules with new measure rules
754 *
755 * Called on file .release to update the default rules with a complete new
756 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so
757 * they make a queue. The policy may be updated multiple times and this is the
758 * RCU updater.
759 *
760 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
761 * we switch from the default policy to user defined.
762 */
ima_update_policy(void)763 void ima_update_policy(void)
764 {
765 struct list_head *policy = &ima_policy_rules;
766
767 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
768
769 if (ima_rules != policy) {
770 ima_policy_flag = 0;
771 ima_rules = policy;
772
773 /*
774 * IMA architecture specific policy rules are specified
775 * as strings and converted to an array of ima_entry_rules
776 * on boot. After loading a custom policy, free the
777 * architecture specific rules stored as an array.
778 */
779 kfree(arch_policy_entry);
780 }
781 ima_update_policy_flag();
782 }
783
784 /* Keep the enumeration in sync with the policy_tokens! */
785 enum {
786 Opt_measure, Opt_dont_measure,
787 Opt_appraise, Opt_dont_appraise,
788 Opt_audit, Opt_hash, Opt_dont_hash,
789 Opt_obj_user, Opt_obj_role, Opt_obj_type,
790 Opt_subj_user, Opt_subj_role, Opt_subj_type,
791 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
792 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
793 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
794 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
795 Opt_appraise_type, Opt_permit_directio,
796 Opt_pcr, Opt_template, Opt_err
797 };
798
799 static const match_table_t policy_tokens = {
800 {Opt_measure, "measure"},
801 {Opt_dont_measure, "dont_measure"},
802 {Opt_appraise, "appraise"},
803 {Opt_dont_appraise, "dont_appraise"},
804 {Opt_audit, "audit"},
805 {Opt_hash, "hash"},
806 {Opt_dont_hash, "dont_hash"},
807 {Opt_obj_user, "obj_user=%s"},
808 {Opt_obj_role, "obj_role=%s"},
809 {Opt_obj_type, "obj_type=%s"},
810 {Opt_subj_user, "subj_user=%s"},
811 {Opt_subj_role, "subj_role=%s"},
812 {Opt_subj_type, "subj_type=%s"},
813 {Opt_func, "func=%s"},
814 {Opt_mask, "mask=%s"},
815 {Opt_fsmagic, "fsmagic=%s"},
816 {Opt_fsname, "fsname=%s"},
817 {Opt_fsuuid, "fsuuid=%s"},
818 {Opt_uid_eq, "uid=%s"},
819 {Opt_euid_eq, "euid=%s"},
820 {Opt_fowner_eq, "fowner=%s"},
821 {Opt_uid_gt, "uid>%s"},
822 {Opt_euid_gt, "euid>%s"},
823 {Opt_fowner_gt, "fowner>%s"},
824 {Opt_uid_lt, "uid<%s"},
825 {Opt_euid_lt, "euid<%s"},
826 {Opt_fowner_lt, "fowner<%s"},
827 {Opt_appraise_type, "appraise_type=%s"},
828 {Opt_permit_directio, "permit_directio"},
829 {Opt_pcr, "pcr=%s"},
830 {Opt_template, "template=%s"},
831 {Opt_err, NULL}
832 };
833
ima_lsm_rule_init(struct ima_rule_entry * entry,substring_t * args,int lsm_rule,int audit_type)834 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
835 substring_t *args, int lsm_rule, int audit_type)
836 {
837 int result;
838
839 if (entry->lsm[lsm_rule].rule)
840 return -EINVAL;
841
842 entry->lsm[lsm_rule].args_p = match_strdup(args);
843 if (!entry->lsm[lsm_rule].args_p)
844 return -ENOMEM;
845
846 entry->lsm[lsm_rule].type = audit_type;
847 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
848 entry->lsm[lsm_rule].args_p,
849 &entry->lsm[lsm_rule].rule);
850 if (!entry->lsm[lsm_rule].rule) {
851 pr_warn("rule for LSM \'%s\' is undefined\n",
852 (char *)entry->lsm[lsm_rule].args_p);
853
854 if (ima_rules == &ima_default_rules) {
855 kfree(entry->lsm[lsm_rule].args_p);
856 result = -EINVAL;
857 } else
858 result = 0;
859 }
860
861 return result;
862 }
863
ima_log_string_op(struct audit_buffer * ab,char * key,char * value,bool (* rule_operator)(kuid_t,kuid_t))864 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
865 bool (*rule_operator)(kuid_t, kuid_t))
866 {
867 if (!ab)
868 return;
869
870 if (rule_operator == &uid_gt)
871 audit_log_format(ab, "%s>", key);
872 else if (rule_operator == &uid_lt)
873 audit_log_format(ab, "%s<", key);
874 else
875 audit_log_format(ab, "%s=", key);
876 audit_log_format(ab, "%s ", value);
877 }
ima_log_string(struct audit_buffer * ab,char * key,char * value)878 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
879 {
880 ima_log_string_op(ab, key, value, NULL);
881 }
882
883 /*
884 * Validating the appended signature included in the measurement list requires
885 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
886 * field). Therefore, notify the user if they have the 'modsig' field but not
887 * the 'd-modsig' field in the template.
888 */
check_template_modsig(const struct ima_template_desc * template)889 static void check_template_modsig(const struct ima_template_desc *template)
890 {
891 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
892 bool has_modsig, has_dmodsig;
893 static bool checked;
894 int i;
895
896 /* We only need to notify the user once. */
897 if (checked)
898 return;
899
900 has_modsig = has_dmodsig = false;
901 for (i = 0; i < template->num_fields; i++) {
902 if (!strcmp(template->fields[i]->field_id, "modsig"))
903 has_modsig = true;
904 else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
905 has_dmodsig = true;
906 }
907
908 if (has_modsig && !has_dmodsig)
909 pr_notice(MSG);
910
911 checked = true;
912 #undef MSG
913 }
914
ima_parse_rule(char * rule,struct ima_rule_entry * entry)915 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
916 {
917 struct audit_buffer *ab;
918 char *from;
919 char *p;
920 bool uid_token;
921 struct ima_template_desc *template_desc;
922 int result = 0;
923
924 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
925 AUDIT_INTEGRITY_POLICY_RULE);
926
927 entry->uid = INVALID_UID;
928 entry->fowner = INVALID_UID;
929 entry->uid_op = &uid_eq;
930 entry->fowner_op = &uid_eq;
931 entry->action = UNKNOWN;
932 while ((p = strsep(&rule, " \t")) != NULL) {
933 substring_t args[MAX_OPT_ARGS];
934 int token;
935 unsigned long lnum;
936
937 if (result < 0)
938 break;
939 if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
940 continue;
941 token = match_token(p, policy_tokens, args);
942 switch (token) {
943 case Opt_measure:
944 ima_log_string(ab, "action", "measure");
945
946 if (entry->action != UNKNOWN)
947 result = -EINVAL;
948
949 entry->action = MEASURE;
950 break;
951 case Opt_dont_measure:
952 ima_log_string(ab, "action", "dont_measure");
953
954 if (entry->action != UNKNOWN)
955 result = -EINVAL;
956
957 entry->action = DONT_MEASURE;
958 break;
959 case Opt_appraise:
960 ima_log_string(ab, "action", "appraise");
961
962 if (entry->action != UNKNOWN)
963 result = -EINVAL;
964
965 entry->action = APPRAISE;
966 break;
967 case Opt_dont_appraise:
968 ima_log_string(ab, "action", "dont_appraise");
969
970 if (entry->action != UNKNOWN)
971 result = -EINVAL;
972
973 entry->action = DONT_APPRAISE;
974 break;
975 case Opt_audit:
976 ima_log_string(ab, "action", "audit");
977
978 if (entry->action != UNKNOWN)
979 result = -EINVAL;
980
981 entry->action = AUDIT;
982 break;
983 case Opt_hash:
984 ima_log_string(ab, "action", "hash");
985
986 if (entry->action != UNKNOWN)
987 result = -EINVAL;
988
989 entry->action = HASH;
990 break;
991 case Opt_dont_hash:
992 ima_log_string(ab, "action", "dont_hash");
993
994 if (entry->action != UNKNOWN)
995 result = -EINVAL;
996
997 entry->action = DONT_HASH;
998 break;
999 case Opt_func:
1000 ima_log_string(ab, "func", args[0].from);
1001
1002 if (entry->func)
1003 result = -EINVAL;
1004
1005 if (strcmp(args[0].from, "FILE_CHECK") == 0)
1006 entry->func = FILE_CHECK;
1007 /* PATH_CHECK is for backwards compat */
1008 else if (strcmp(args[0].from, "PATH_CHECK") == 0)
1009 entry->func = FILE_CHECK;
1010 else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
1011 entry->func = MODULE_CHECK;
1012 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
1013 entry->func = FIRMWARE_CHECK;
1014 else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
1015 || (strcmp(args[0].from, "MMAP_CHECK") == 0))
1016 entry->func = MMAP_CHECK;
1017 else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
1018 entry->func = BPRM_CHECK;
1019 else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
1020 entry->func = CREDS_CHECK;
1021 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
1022 0)
1023 entry->func = KEXEC_KERNEL_CHECK;
1024 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
1025 == 0)
1026 entry->func = KEXEC_INITRAMFS_CHECK;
1027 else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
1028 entry->func = POLICY_CHECK;
1029 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1030 entry->func = KEXEC_CMDLINE;
1031 else
1032 result = -EINVAL;
1033 if (!result)
1034 entry->flags |= IMA_FUNC;
1035 break;
1036 case Opt_mask:
1037 ima_log_string(ab, "mask", args[0].from);
1038
1039 if (entry->mask)
1040 result = -EINVAL;
1041
1042 from = args[0].from;
1043 if (*from == '^')
1044 from++;
1045
1046 if ((strcmp(from, "MAY_EXEC")) == 0)
1047 entry->mask = MAY_EXEC;
1048 else if (strcmp(from, "MAY_WRITE") == 0)
1049 entry->mask = MAY_WRITE;
1050 else if (strcmp(from, "MAY_READ") == 0)
1051 entry->mask = MAY_READ;
1052 else if (strcmp(from, "MAY_APPEND") == 0)
1053 entry->mask = MAY_APPEND;
1054 else
1055 result = -EINVAL;
1056 if (!result)
1057 entry->flags |= (*args[0].from == '^')
1058 ? IMA_INMASK : IMA_MASK;
1059 break;
1060 case Opt_fsmagic:
1061 ima_log_string(ab, "fsmagic", args[0].from);
1062
1063 if (entry->fsmagic) {
1064 result = -EINVAL;
1065 break;
1066 }
1067
1068 result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1069 if (!result)
1070 entry->flags |= IMA_FSMAGIC;
1071 break;
1072 case Opt_fsname:
1073 ima_log_string(ab, "fsname", args[0].from);
1074
1075 entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1076 if (!entry->fsname) {
1077 result = -ENOMEM;
1078 break;
1079 }
1080 result = 0;
1081 entry->flags |= IMA_FSNAME;
1082 break;
1083 case Opt_fsuuid:
1084 ima_log_string(ab, "fsuuid", args[0].from);
1085
1086 if (!uuid_is_null(&entry->fsuuid)) {
1087 result = -EINVAL;
1088 break;
1089 }
1090
1091 result = uuid_parse(args[0].from, &entry->fsuuid);
1092 if (!result)
1093 entry->flags |= IMA_FSUUID;
1094 break;
1095 case Opt_uid_gt:
1096 case Opt_euid_gt:
1097 entry->uid_op = &uid_gt;
1098 /* fall through */
1099 case Opt_uid_lt:
1100 case Opt_euid_lt:
1101 if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1102 entry->uid_op = &uid_lt;
1103 /* fall through */
1104 case Opt_uid_eq:
1105 case Opt_euid_eq:
1106 uid_token = (token == Opt_uid_eq) ||
1107 (token == Opt_uid_gt) ||
1108 (token == Opt_uid_lt);
1109
1110 ima_log_string_op(ab, uid_token ? "uid" : "euid",
1111 args[0].from, entry->uid_op);
1112
1113 if (uid_valid(entry->uid)) {
1114 result = -EINVAL;
1115 break;
1116 }
1117
1118 result = kstrtoul(args[0].from, 10, &lnum);
1119 if (!result) {
1120 entry->uid = make_kuid(current_user_ns(),
1121 (uid_t) lnum);
1122 if (!uid_valid(entry->uid) ||
1123 (uid_t)lnum != lnum)
1124 result = -EINVAL;
1125 else
1126 entry->flags |= uid_token
1127 ? IMA_UID : IMA_EUID;
1128 }
1129 break;
1130 case Opt_fowner_gt:
1131 entry->fowner_op = &uid_gt;
1132 /* fall through */
1133 case Opt_fowner_lt:
1134 if (token == Opt_fowner_lt)
1135 entry->fowner_op = &uid_lt;
1136 /* fall through */
1137 case Opt_fowner_eq:
1138 ima_log_string_op(ab, "fowner", args[0].from,
1139 entry->fowner_op);
1140
1141 if (uid_valid(entry->fowner)) {
1142 result = -EINVAL;
1143 break;
1144 }
1145
1146 result = kstrtoul(args[0].from, 10, &lnum);
1147 if (!result) {
1148 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
1149 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
1150 result = -EINVAL;
1151 else
1152 entry->flags |= IMA_FOWNER;
1153 }
1154 break;
1155 case Opt_obj_user:
1156 ima_log_string(ab, "obj_user", args[0].from);
1157 result = ima_lsm_rule_init(entry, args,
1158 LSM_OBJ_USER,
1159 AUDIT_OBJ_USER);
1160 break;
1161 case Opt_obj_role:
1162 ima_log_string(ab, "obj_role", args[0].from);
1163 result = ima_lsm_rule_init(entry, args,
1164 LSM_OBJ_ROLE,
1165 AUDIT_OBJ_ROLE);
1166 break;
1167 case Opt_obj_type:
1168 ima_log_string(ab, "obj_type", args[0].from);
1169 result = ima_lsm_rule_init(entry, args,
1170 LSM_OBJ_TYPE,
1171 AUDIT_OBJ_TYPE);
1172 break;
1173 case Opt_subj_user:
1174 ima_log_string(ab, "subj_user", args[0].from);
1175 result = ima_lsm_rule_init(entry, args,
1176 LSM_SUBJ_USER,
1177 AUDIT_SUBJ_USER);
1178 break;
1179 case Opt_subj_role:
1180 ima_log_string(ab, "subj_role", args[0].from);
1181 result = ima_lsm_rule_init(entry, args,
1182 LSM_SUBJ_ROLE,
1183 AUDIT_SUBJ_ROLE);
1184 break;
1185 case Opt_subj_type:
1186 ima_log_string(ab, "subj_type", args[0].from);
1187 result = ima_lsm_rule_init(entry, args,
1188 LSM_SUBJ_TYPE,
1189 AUDIT_SUBJ_TYPE);
1190 break;
1191 case Opt_appraise_type:
1192 if (entry->action != APPRAISE) {
1193 result = -EINVAL;
1194 break;
1195 }
1196
1197 ima_log_string(ab, "appraise_type", args[0].from);
1198 if ((strcmp(args[0].from, "imasig")) == 0)
1199 entry->flags |= IMA_DIGSIG_REQUIRED;
1200 else if (ima_hook_supports_modsig(entry->func) &&
1201 strcmp(args[0].from, "imasig|modsig") == 0)
1202 entry->flags |= IMA_DIGSIG_REQUIRED |
1203 IMA_MODSIG_ALLOWED;
1204 else
1205 result = -EINVAL;
1206 break;
1207 case Opt_permit_directio:
1208 entry->flags |= IMA_PERMIT_DIRECTIO;
1209 break;
1210 case Opt_pcr:
1211 if (entry->action != MEASURE) {
1212 result = -EINVAL;
1213 break;
1214 }
1215 ima_log_string(ab, "pcr", args[0].from);
1216
1217 result = kstrtoint(args[0].from, 10, &entry->pcr);
1218 if (result || INVALID_PCR(entry->pcr))
1219 result = -EINVAL;
1220 else
1221 entry->flags |= IMA_PCR;
1222
1223 break;
1224 case Opt_template:
1225 ima_log_string(ab, "template", args[0].from);
1226 if (entry->action != MEASURE) {
1227 result = -EINVAL;
1228 break;
1229 }
1230 template_desc = lookup_template_desc(args[0].from);
1231 if (!template_desc || entry->template) {
1232 result = -EINVAL;
1233 break;
1234 }
1235
1236 /*
1237 * template_desc_init_fields() does nothing if
1238 * the template is already initialised, so
1239 * it's safe to do this unconditionally
1240 */
1241 template_desc_init_fields(template_desc->fmt,
1242 &(template_desc->fields),
1243 &(template_desc->num_fields));
1244 entry->template = template_desc;
1245 break;
1246 case Opt_err:
1247 ima_log_string(ab, "UNKNOWN", p);
1248 result = -EINVAL;
1249 break;
1250 }
1251 }
1252 if (!result && (entry->action == UNKNOWN))
1253 result = -EINVAL;
1254 else if (entry->action == APPRAISE)
1255 temp_ima_appraise |= ima_appraise_flag(entry->func);
1256
1257 if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1258 template_desc = entry->template ? entry->template :
1259 ima_template_desc_current();
1260 check_template_modsig(template_desc);
1261 }
1262
1263 audit_log_format(ab, "res=%d", !result);
1264 audit_log_end(ab);
1265 return result;
1266 }
1267
1268 /**
1269 * ima_parse_add_rule - add a rule to ima_policy_rules
1270 * @rule: ima measurement policy rule
1271 *
1272 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1273 * Returns the length of the rule parsed, an error code on failure
1274 */
ima_parse_add_rule(char * rule)1275 ssize_t ima_parse_add_rule(char *rule)
1276 {
1277 static const char op[] = "update_policy";
1278 char *p;
1279 struct ima_rule_entry *entry;
1280 ssize_t result, len;
1281 int audit_info = 0;
1282
1283 p = strsep(&rule, "\n");
1284 len = strlen(p) + 1;
1285 p += strspn(p, " \t");
1286
1287 if (*p == '#' || *p == '\0')
1288 return len;
1289
1290 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1291 if (!entry) {
1292 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1293 NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1294 return -ENOMEM;
1295 }
1296
1297 INIT_LIST_HEAD(&entry->list);
1298
1299 result = ima_parse_rule(p, entry);
1300 if (result) {
1301 kfree(entry);
1302 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1303 NULL, op, "invalid-policy", result,
1304 audit_info);
1305 return result;
1306 }
1307
1308 list_add_tail(&entry->list, &ima_temp_rules);
1309
1310 return len;
1311 }
1312
1313 /**
1314 * ima_delete_rules() called to cleanup invalid in-flight policy.
1315 * We don't need locking as we operate on the temp list, which is
1316 * different from the active one. There is also only one user of
1317 * ima_delete_rules() at a time.
1318 */
ima_delete_rules(void)1319 void ima_delete_rules(void)
1320 {
1321 struct ima_rule_entry *entry, *tmp;
1322 int i;
1323
1324 temp_ima_appraise = 0;
1325 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1326 for (i = 0; i < MAX_LSM_RULES; i++)
1327 kfree(entry->lsm[i].args_p);
1328
1329 list_del(&entry->list);
1330 kfree(entry);
1331 }
1332 }
1333
1334 #define __ima_hook_stringify(str) (#str),
1335
1336 const char *const func_tokens[] = {
1337 __ima_hooks(__ima_hook_stringify)
1338 };
1339
1340 #ifdef CONFIG_IMA_READ_POLICY
1341 enum {
1342 mask_exec = 0, mask_write, mask_read, mask_append
1343 };
1344
1345 static const char *const mask_tokens[] = {
1346 "^MAY_EXEC",
1347 "^MAY_WRITE",
1348 "^MAY_READ",
1349 "^MAY_APPEND"
1350 };
1351
ima_policy_start(struct seq_file * m,loff_t * pos)1352 void *ima_policy_start(struct seq_file *m, loff_t *pos)
1353 {
1354 loff_t l = *pos;
1355 struct ima_rule_entry *entry;
1356
1357 rcu_read_lock();
1358 list_for_each_entry_rcu(entry, ima_rules, list) {
1359 if (!l--) {
1360 rcu_read_unlock();
1361 return entry;
1362 }
1363 }
1364 rcu_read_unlock();
1365 return NULL;
1366 }
1367
ima_policy_next(struct seq_file * m,void * v,loff_t * pos)1368 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1369 {
1370 struct ima_rule_entry *entry = v;
1371
1372 rcu_read_lock();
1373 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1374 rcu_read_unlock();
1375 (*pos)++;
1376
1377 return (&entry->list == ima_rules) ? NULL : entry;
1378 }
1379
ima_policy_stop(struct seq_file * m,void * v)1380 void ima_policy_stop(struct seq_file *m, void *v)
1381 {
1382 }
1383
1384 #define pt(token) policy_tokens[token].pattern
1385 #define mt(token) mask_tokens[token]
1386
1387 /*
1388 * policy_func_show - display the ima_hooks policy rule
1389 */
policy_func_show(struct seq_file * m,enum ima_hooks func)1390 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1391 {
1392 if (func > 0 && func < MAX_CHECK)
1393 seq_printf(m, "func=%s ", func_tokens[func]);
1394 else
1395 seq_printf(m, "func=%d ", func);
1396 }
1397
ima_policy_show(struct seq_file * m,void * v)1398 int ima_policy_show(struct seq_file *m, void *v)
1399 {
1400 struct ima_rule_entry *entry = v;
1401 int i;
1402 char tbuf[64] = {0,};
1403 int offset = 0;
1404
1405 rcu_read_lock();
1406
1407 /* Do not print rules with inactive LSM labels */
1408 for (i = 0; i < MAX_LSM_RULES; i++) {
1409 if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
1410 rcu_read_unlock();
1411 return 0;
1412 }
1413 }
1414
1415 if (entry->action & MEASURE)
1416 seq_puts(m, pt(Opt_measure));
1417 if (entry->action & DONT_MEASURE)
1418 seq_puts(m, pt(Opt_dont_measure));
1419 if (entry->action & APPRAISE)
1420 seq_puts(m, pt(Opt_appraise));
1421 if (entry->action & DONT_APPRAISE)
1422 seq_puts(m, pt(Opt_dont_appraise));
1423 if (entry->action & AUDIT)
1424 seq_puts(m, pt(Opt_audit));
1425 if (entry->action & HASH)
1426 seq_puts(m, pt(Opt_hash));
1427 if (entry->action & DONT_HASH)
1428 seq_puts(m, pt(Opt_dont_hash));
1429
1430 seq_puts(m, " ");
1431
1432 if (entry->flags & IMA_FUNC)
1433 policy_func_show(m, entry->func);
1434
1435 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
1436 if (entry->flags & IMA_MASK)
1437 offset = 1;
1438 if (entry->mask & MAY_EXEC)
1439 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
1440 if (entry->mask & MAY_WRITE)
1441 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
1442 if (entry->mask & MAY_READ)
1443 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
1444 if (entry->mask & MAY_APPEND)
1445 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
1446 seq_puts(m, " ");
1447 }
1448
1449 if (entry->flags & IMA_FSMAGIC) {
1450 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1451 seq_printf(m, pt(Opt_fsmagic), tbuf);
1452 seq_puts(m, " ");
1453 }
1454
1455 if (entry->flags & IMA_FSNAME) {
1456 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1457 seq_printf(m, pt(Opt_fsname), tbuf);
1458 seq_puts(m, " ");
1459 }
1460
1461 if (entry->flags & IMA_PCR) {
1462 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1463 seq_printf(m, pt(Opt_pcr), tbuf);
1464 seq_puts(m, " ");
1465 }
1466
1467 if (entry->flags & IMA_FSUUID) {
1468 seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1469 seq_puts(m, " ");
1470 }
1471
1472 if (entry->flags & IMA_UID) {
1473 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1474 if (entry->uid_op == &uid_gt)
1475 seq_printf(m, pt(Opt_uid_gt), tbuf);
1476 else if (entry->uid_op == &uid_lt)
1477 seq_printf(m, pt(Opt_uid_lt), tbuf);
1478 else
1479 seq_printf(m, pt(Opt_uid_eq), tbuf);
1480 seq_puts(m, " ");
1481 }
1482
1483 if (entry->flags & IMA_EUID) {
1484 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1485 if (entry->uid_op == &uid_gt)
1486 seq_printf(m, pt(Opt_euid_gt), tbuf);
1487 else if (entry->uid_op == &uid_lt)
1488 seq_printf(m, pt(Opt_euid_lt), tbuf);
1489 else
1490 seq_printf(m, pt(Opt_euid_eq), tbuf);
1491 seq_puts(m, " ");
1492 }
1493
1494 if (entry->flags & IMA_FOWNER) {
1495 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1496 if (entry->fowner_op == &uid_gt)
1497 seq_printf(m, pt(Opt_fowner_gt), tbuf);
1498 else if (entry->fowner_op == &uid_lt)
1499 seq_printf(m, pt(Opt_fowner_lt), tbuf);
1500 else
1501 seq_printf(m, pt(Opt_fowner_eq), tbuf);
1502 seq_puts(m, " ");
1503 }
1504
1505 for (i = 0; i < MAX_LSM_RULES; i++) {
1506 if (entry->lsm[i].rule) {
1507 switch (i) {
1508 case LSM_OBJ_USER:
1509 seq_printf(m, pt(Opt_obj_user),
1510 (char *)entry->lsm[i].args_p);
1511 break;
1512 case LSM_OBJ_ROLE:
1513 seq_printf(m, pt(Opt_obj_role),
1514 (char *)entry->lsm[i].args_p);
1515 break;
1516 case LSM_OBJ_TYPE:
1517 seq_printf(m, pt(Opt_obj_type),
1518 (char *)entry->lsm[i].args_p);
1519 break;
1520 case LSM_SUBJ_USER:
1521 seq_printf(m, pt(Opt_subj_user),
1522 (char *)entry->lsm[i].args_p);
1523 break;
1524 case LSM_SUBJ_ROLE:
1525 seq_printf(m, pt(Opt_subj_role),
1526 (char *)entry->lsm[i].args_p);
1527 break;
1528 case LSM_SUBJ_TYPE:
1529 seq_printf(m, pt(Opt_subj_type),
1530 (char *)entry->lsm[i].args_p);
1531 break;
1532 }
1533 }
1534 }
1535 if (entry->template)
1536 seq_printf(m, "template=%s ", entry->template->name);
1537 if (entry->flags & IMA_DIGSIG_REQUIRED) {
1538 if (entry->flags & IMA_MODSIG_ALLOWED)
1539 seq_puts(m, "appraise_type=imasig|modsig ");
1540 else
1541 seq_puts(m, "appraise_type=imasig ");
1542 }
1543 if (entry->flags & IMA_PERMIT_DIRECTIO)
1544 seq_puts(m, "permit_directio ");
1545 rcu_read_unlock();
1546 seq_puts(m, "\n");
1547 return 0;
1548 }
1549 #endif /* CONFIG_IMA_READ_POLICY */
1550
1551 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
1552 /*
1553 * ima_appraise_signature: whether IMA will appraise a given function using
1554 * an IMA digital signature. This is restricted to cases where the kernel
1555 * has a set of built-in trusted keys in order to avoid an attacker simply
1556 * loading additional keys.
1557 */
ima_appraise_signature(enum kernel_read_file_id id)1558 bool ima_appraise_signature(enum kernel_read_file_id id)
1559 {
1560 struct ima_rule_entry *entry;
1561 bool found = false;
1562 enum ima_hooks func;
1563
1564 if (id >= READING_MAX_ID)
1565 return false;
1566
1567 if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
1568 && security_locked_down(LOCKDOWN_KEXEC))
1569 return false;
1570
1571 func = read_idmap[id] ?: FILE_CHECK;
1572
1573 rcu_read_lock();
1574 list_for_each_entry_rcu(entry, ima_rules, list) {
1575 if (entry->action != APPRAISE)
1576 continue;
1577
1578 /*
1579 * A generic entry will match, but otherwise require that it
1580 * match the func we're looking for
1581 */
1582 if (entry->func && entry->func != func)
1583 continue;
1584
1585 /*
1586 * We require this to be a digital signature, not a raw IMA
1587 * hash.
1588 */
1589 if (entry->flags & IMA_DIGSIG_REQUIRED)
1590 found = true;
1591
1592 /*
1593 * We've found a rule that matches, so break now even if it
1594 * didn't require a digital signature - a later rule that does
1595 * won't override it, so would be a false positive.
1596 */
1597 break;
1598 }
1599
1600 rcu_read_unlock();
1601 return found;
1602 }
1603 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
1604