326 static void ima_lsm_free_rule(struct ima_rule_entry *entry)
331 ima_filter_rule_free(entry->lsm[i].rule);
332 kfree(entry->lsm[i].args_p);
336 static void ima_free_rule(struct ima_rule_entry *entry)
338 if (!entry)
342 * entry->template->fields may be allocated in ima_parse_rule() but that
346 kfree(entry->fsname);
347 ima_free_rule_opt_list(entry->keyrings);
348 ima_lsm_free_rule(entry);
349 kfree(entry);
352 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
361 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
368 if (!entry->lsm[i].args_p)
371 nentry->lsm[i].type = entry->lsm[i].type;
372 nentry->lsm[i].args_p = entry->lsm[i].args_p;
384 static int ima_lsm_update_rule(struct ima_rule_entry *entry)
389 nentry = ima_lsm_copy_rule(entry);
393 list_replace_rcu(&entry->list, &nentry->list);
397 * LSM references, from entry to nentry so we only want to free the LSM
398 * references and the entry itself. All other memory refrences will now
402 ima_filter_rule_free(entry->lsm[i].rule);
403 kfree(entry);
408 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
413 if (entry->lsm[i].args_p)
426 struct ima_rule_entry *entry, *e;
429 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
430 if (!ima_rule_contains_lsm_cond(entry))
433 result = ima_lsm_update_rule(entry);
649 struct ima_rule_entry *entry;
656 list_for_each_entry_rcu(entry, ima_rules, list) {
658 if (!(entry->action & actmask))
661 if (!ima_match_rules(entry, inode, cred, secid, func, mask,
665 action |= entry->flags & IMA_ACTION_FLAGS;
667 action |= entry->action & IMA_DO_MASK;
668 if (entry->action & IMA_APPRAISE) {
669 action |= get_subaction(entry, func);
676 if (entry->action & IMA_DO_MASK)
677 actmask &= ~(entry->action | entry->action << 1);
679 actmask &= ~(entry->action | entry->action >> 1);
681 if ((pcr) && (entry->flags & IMA_PCR))
682 *pcr = entry->pcr;
684 if (template_desc && entry->template)
685 *template_desc = entry->template;
703 struct ima_rule_entry *entry;
705 list_for_each_entry(entry, ima_rules, list) {
706 if (entry->action & IMA_DO_MASK)
707 ima_policy_flag |= entry->action;
734 struct ima_rule_entry *entry;
740 entry = kmemdup(&entries[i], sizeof(*entry),
742 if (!entry)
745 list_add_tail(&entry->list, &ima_policy_rules);
758 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
972 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
977 if (entry->lsm[lsm_rule].rule)
980 entry->lsm[lsm_rule].args_p = match_strdup(args);
981 if (!entry->lsm[lsm_rule].args_p)
984 entry->lsm[lsm_rule].type = audit_type;
985 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
986 entry->lsm[lsm_rule].args_p,
987 &entry->lsm[lsm_rule].rule);
988 if (!entry->lsm[lsm_rule].rule) {
990 entry->lsm[lsm_rule].args_p);
993 kfree(entry->lsm[lsm_rule].args_p);
994 entry->lsm[lsm_rule].args_p = NULL;
1054 static bool ima_validate_rule(struct ima_rule_entry *entry)
1057 if (entry->action == UNKNOWN)
1060 if (entry->action != MEASURE && entry->flags & IMA_PCR)
1063 if (entry->action != APPRAISE &&
1064 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST))
1073 if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
1074 (!(entry->flags & IMA_FUNC) && entry->func != NONE))
1081 switch (entry->func) {
1090 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1101 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1111 if (entry->action & ~(MEASURE | DONT_MEASURE))
1114 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1121 if (entry->action & ~(MEASURE | DONT_MEASURE))
1124 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
1128 if (ima_rule_contains_lsm_cond(entry))
1137 if (entry->flags & IMA_CHECK_BLACKLIST &&
1138 !(entry->flags & IMA_MODSIG_ALLOWED))
1144 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1156 entry->uid = INVALID_UID;
1157 entry->fowner = INVALID_UID;
1158 entry->uid_op = &uid_eq;
1159 entry->fowner_op = &uid_eq;
1160 entry->action = UNKNOWN;
1175 if (entry->action != UNKNOWN)
1178 entry->action = MEASURE;
1183 if (entry->action != UNKNOWN)
1186 entry->action = DONT_MEASURE;
1191 if (entry->action != UNKNOWN)
1194 entry->action = APPRAISE;
1199 if (entry->action != UNKNOWN)
1202 entry->action = DONT_APPRAISE;
1207 if (entry->action != UNKNOWN)
1210 entry->action = AUDIT;
1215 if (entry->action != UNKNOWN)
1218 entry->action = HASH;
1223 if (entry->action != UNKNOWN)
1226 entry->action = DONT_HASH;
1231 if (entry->func)
1235 entry->func = FILE_CHECK;
1238 entry->func = FILE_CHECK;
1240 entry->func = MODULE_CHECK;
1242 entry->func = FIRMWARE_CHECK;
1245 entry->func = MMAP_CHECK;
1247 entry->func = BPRM_CHECK;
1249 entry->func = CREDS_CHECK;
1252 entry->func = KEXEC_KERNEL_CHECK;
1255 entry->func = KEXEC_INITRAMFS_CHECK;
1257 entry->func = POLICY_CHECK;
1259 entry->func = KEXEC_CMDLINE;
1262 entry->func = KEY_CHECK;
1266 entry->flags |= IMA_FUNC;
1271 if (entry->mask)
1279 entry->mask = MAY_EXEC;
1281 entry->mask = MAY_WRITE;
1283 entry->mask = MAY_READ;
1285 entry->mask = MAY_APPEND;
1289 entry->flags |= (*args[0].from == '^')
1295 if (entry->fsmagic) {
1300 result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1302 entry->flags |= IMA_FSMAGIC;
1307 entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1308 if (!entry->fsname) {
1313 entry->flags |= IMA_FSNAME;
1319 entry->keyrings) {
1324 entry->keyrings = ima_alloc_rule_opt_list(args);
1325 if (IS_ERR(entry->keyrings)) {
1326 result = PTR_ERR(entry->keyrings);
1327 entry->keyrings = NULL;
1331 entry->flags |= IMA_KEYRINGS;
1336 if (!uuid_is_null(&entry->fsuuid)) {
1341 result = uuid_parse(args[0].from, &entry->fsuuid);
1343 entry->flags |= IMA_FSUUID;
1347 entry->uid_op = &uid_gt;
1352 entry->uid_op = &uid_lt;
1361 args[0].from, entry->uid_op);
1363 if (uid_valid(entry->uid)) {
1370 entry->uid = make_kuid(current_user_ns(),
1372 if (!uid_valid(entry->uid) ||
1376 entry->flags |= uid_token
1381 entry->fowner_op = &uid_gt;
1385 entry->fowner_op = &uid_lt;
1389 entry->fowner_op);
1391 if (uid_valid(entry->fowner)) {
1398 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
1399 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
1402 entry->flags |= IMA_FOWNER;
1407 result = ima_lsm_rule_init(entry, args,
1413 result = ima_lsm_rule_init(entry, args,
1419 result = ima_lsm_rule_init(entry, args,
1425 result = ima_lsm_rule_init(entry, args,
1431 result = ima_lsm_rule_init(entry, args,
1437 result = ima_lsm_rule_init(entry, args,
1444 entry->flags |= IMA_DIGSIG_REQUIRED;
1447 entry->flags |= IMA_DIGSIG_REQUIRED |
1456 entry->flags |= IMA_CHECK_BLACKLIST;
1461 entry->flags |= IMA_PERMIT_DIRECTIO;
1466 result = kstrtoint(args[0].from, 10, &entry->pcr);
1467 if (result || INVALID_PCR(entry->pcr))
1470 entry->flags |= IMA_PCR;
1475 if (entry->action != MEASURE) {
1480 if (!template_desc || entry->template) {
1493 entry->template = template_desc;
1501 if (!result && !ima_validate_rule(entry))
1503 else if (entry->action == APPRAISE)
1504 temp_ima_appraise |= ima_appraise_flag(entry->func);
1506 if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1507 template_desc = entry->template ? entry->template :
1528 struct ima_rule_entry *entry;
1539 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1540 if (!entry) {
1546 INIT_LIST_HEAD(&entry->list);
1548 result = ima_parse_rule(p, entry);
1550 ima_free_rule(entry);
1557 list_add_tail(&entry->list, &ima_temp_rules);
1570 struct ima_rule_entry *entry, *tmp;
1573 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1574 list_del(&entry->list);
1575 ima_free_rule(entry);
1600 struct ima_rule_entry *entry;
1603 list_for_each_entry_rcu(entry, ima_rules, list) {
1606 return entry;
1615 struct ima_rule_entry *entry = v;
1618 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1622 return (&entry->list == ima_rules) ? NULL : entry;
1654 struct ima_rule_entry *entry = v;
1663 if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
1669 if (entry->action & MEASURE)
1671 if (entry->action & DONT_MEASURE)
1673 if (entry->action & APPRAISE)
1675 if (entry->action & DONT_APPRAISE)
1677 if (entry->action & AUDIT)
1679 if (entry->action & HASH)
1681 if (entry->action & DONT_HASH)
1686 if (entry->flags & IMA_FUNC)
1687 policy_func_show(m, entry->func);
1689 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
1690 if (entry->flags & IMA_MASK)
1692 if (entry->mask & MAY_EXEC)
1694 if (entry->mask & MAY_WRITE)
1696 if (entry->mask & MAY_READ)
1698 if (entry->mask & MAY_APPEND)
1703 if (entry->flags & IMA_FSMAGIC) {
1704 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1709 if (entry->flags & IMA_FSNAME) {
1710 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1715 if (entry->flags & IMA_KEYRINGS) {
1717 ima_show_rule_opt_list(m, entry->keyrings);
1721 if (entry->flags & IMA_PCR) {
1722 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1727 if (entry->flags & IMA_FSUUID) {
1728 seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1732 if (entry->flags & IMA_UID) {
1733 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1734 if (entry->uid_op == &uid_gt)
1736 else if (entry->uid_op == &uid_lt)
1743 if (entry->flags & IMA_EUID) {
1744 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1745 if (entry->uid_op == &uid_gt)
1747 else if (entry->uid_op == &uid_lt)
1754 if (entry->flags & IMA_FOWNER) {
1755 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1756 if (entry->fowner_op == &uid_gt)
1758 else if (entry->fowner_op == &uid_lt)
1766 if (entry->lsm[i].rule) {
1770 entry->lsm[i].args_p);
1774 entry->lsm[i].args_p);
1778 entry->lsm[i].args_p);
1782 entry->lsm[i].args_p);
1786 entry->lsm[i].args_p);
1790 entry->lsm[i].args_p);
1796 if (entry->template)
1797 seq_printf(m, "template=%s ", entry->template->name);
1798 if (entry->flags & IMA_DIGSIG_REQUIRED) {
1799 if (entry->flags & IMA_MODSIG_ALLOWED)
1804 if (entry->flags & IMA_CHECK_BLACKLIST)
1806 if (entry->flags & IMA_PERMIT_DIRECTIO)
1823 struct ima_rule_entry *entry;
1837 list_for_each_entry_rcu(entry, ima_rules, list) {
1838 if (entry->action != APPRAISE)
1842 * A generic entry will match, but otherwise require that it
1845 if (entry->func && entry->func != func)
1852 if (entry->flags & IMA_DIGSIG_REQUIRED)