
Lines Matching full:rule

82 		void *rule;	/* LSM file metadata specific */  member
97 * The minimum rule set to allow for full TCB coverage. Measures all files
331 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_free_rule()
376 &nentry->lsm[i].rule); in ima_lsm_copy_rule()
377 if (!nentry->lsm[i].rule) in ima_lsm_copy_rule()
378 pr_warn("rule for LSM \'%s\' is undefined\n", in ima_lsm_copy_rule()
402 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_update_rule()
435 pr_err("lsm rule update error %d\n", result); in ima_lsm_update_rules()
452 * ima_match_keyring - determine whether the keyring matches the measure rule
453 * @rule: a pointer to a rule
454 * @keyring: name of the keyring to match against the measure rule
457 * Returns true if keyring matches one in the rule, false otherwise.
459 static bool ima_match_keyring(struct ima_rule_entry *rule, in ima_match_keyring() argument
465 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) in ima_match_keyring()
468 if (!rule->keyrings) in ima_match_keyring()
474 for (i = 0; i < rule->keyrings->count; i++) { in ima_match_keyring()
475 if (!strcmp(rule->keyrings->items[i], keyring)) { in ima_match_keyring()
485 * ima_match_rules - determine whether an inode matches the policy rule.
486 * @rule: a pointer to a rule
494 * Returns true on rule match, false on failure.
496 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, in ima_match_rules() argument
503 struct ima_rule_entry *lsm_rule = rule; in ima_match_rules()
507 return (rule->flags & IMA_FUNC) && (rule->func == func) && in ima_match_rules()
508 ima_match_keyring(rule, keyring, cred); in ima_match_rules()
510 if ((rule->flags & IMA_FUNC) && in ima_match_rules()
511 (rule->func != func && func != POST_SETATTR)) in ima_match_rules()
513 if ((rule->flags & IMA_MASK) && in ima_match_rules()
514 (rule->mask != mask && func != POST_SETATTR)) in ima_match_rules()
516 if ((rule->flags & IMA_INMASK) && in ima_match_rules()
517 (!(rule->mask & mask) && func != POST_SETATTR)) in ima_match_rules()
519 if ((rule->flags & IMA_FSMAGIC) in ima_match_rules()
520 && rule->fsmagic != inode->i_sb->s_magic) in ima_match_rules()
522 if ((rule->flags & IMA_FSNAME) in ima_match_rules()
523 && strcmp(rule->fsname, inode->i_sb->s_type->name)) in ima_match_rules()
525 if ((rule->flags & IMA_FSUUID) && in ima_match_rules()
526 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) in ima_match_rules()
528 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rules()
530 if (rule->flags & IMA_EUID) { in ima_match_rules()
532 if (!rule->uid_op(cred->euid, rule->uid) in ima_match_rules()
533 && !rule->uid_op(cred->suid, rule->uid) in ima_match_rules()
534 && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rules()
536 } else if (!rule->uid_op(cred->euid, rule->uid)) in ima_match_rules()
540 if ((rule->flags & IMA_FOWNER) && in ima_match_rules()
541 !rule->fowner_op(inode->i_uid, rule->fowner)) in ima_match_rules()
547 if (!lsm_rule->lsm[i].rule) { in ima_match_rules()
562 lsm_rule->lsm[i].rule); in ima_match_rules()
569 lsm_rule->lsm[i].rule); in ima_match_rules()
576 lsm_rule = ima_lsm_copy_rule(rule); in ima_match_rules()
592 ima_filter_rule_free(lsm_rule->lsm[i].rule); in ima_match_rules()
602 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) in get_subaction() argument
604 if (!(rule->flags & IMA_FUNC)) in get_subaction()
632 * @template_desc: the template that should be used for this rule
757 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
781 char rule[255]; in ima_init_arch_policy() local
784 result = strlcpy(rule, *rules, sizeof(rule)); in ima_init_arch_policy()
787 result = ima_parse_rule(rule, &arch_policy_entry[i]); in ima_init_arch_policy()
789 pr_warn("Skipping unknown architecture policy rule: %s\n", in ima_init_arch_policy()
790 rule); in ima_init_arch_policy()
976 if (entry->lsm[lsm_rule].rule) in ima_lsm_rule_init()
986 &entry->lsm[lsm_rule].rule); in ima_lsm_rule_init()
987 if (!entry->lsm[lsm_rule].rule) { in ima_lsm_rule_init()
988 pr_warn("rule for LSM \'%s\' is undefined\n", in ima_lsm_rule_init()
1069 * for the NONE case below to validate a rule without an explicit hook in ima_validate_rule()
1078 * components of the rule in ima_validate_rule()
1143 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) in ima_parse_rule() argument
1160 while ((p = strsep(&rule, " \t")) != NULL) { in ima_parse_rule()
1517 * ima_parse_add_rule - add a rule to ima_policy_rules
1518 * @rule - ima measurement policy rule
1521 * Returns the length of the rule parsed, an error code on failure
1523 ssize_t ima_parse_add_rule(char *rule) in ima_parse_add_rule() argument
1531 p = strsep(&rule, "\n"); in ima_parse_add_rule()
1632 * policy_func_show - display the ima_hooks policy rule
1662 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { in ima_policy_show()
1765 if (entry->lsm[i].rule) { in ima_policy_show()
1855 * We've found a rule that matches, so break now even if it in ima_appraise_signature()
1856 * didn't require a digital signature - a later rule that does in ima_appraise_signature()