Lines Matching defs:rule
117 void *rule; /* LSM file metadata specific */
142 * The minimum rule set to allow for full TCB coverage. Measures all files
383 ima_filter_rule_free(entry->lsm[i].rule);
428 &nentry->lsm[i].rule);
429 if (!nentry->lsm[i].rule)
430 pr_warn("rule for LSM \'%s\' is undefined\n",
454 ima_filter_rule_free(entry->lsm[i].rule);
487 pr_err("lsm rule update error %d\n", result);
504 * ima_match_rule_data - determine whether func_data matches the policy rule
505 * @rule: a pointer to a rule
506 * @func_data: data to match against the measure rule data
509 * Returns true if func_data matches one in the rule, false otherwise.
511 static bool ima_match_rule_data(struct ima_rule_entry *rule,
519 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
522 switch (rule->func) {
524 if (!rule->keyrings)
527 opt_list = rule->keyrings;
530 if (!rule->label)
533 opt_list = rule->label;
553 * ima_match_rules - determine whether an inode matches the policy rule.
554 * @rule: a pointer to a rule
563 * Returns true on rule match, false on failure.
565 static bool ima_match_rules(struct ima_rule_entry *rule,
573 struct ima_rule_entry *lsm_rule = rule;
576 if ((rule->flags & IMA_FUNC) &&
577 (rule->func != func && func != POST_SETATTR))
583 return ((rule->func == func) &&
584 ima_match_rule_data(rule, func_data, cred));
589 if ((rule->flags & IMA_MASK) &&
590 (rule->mask != mask && func != POST_SETATTR))
592 if ((rule->flags & IMA_INMASK) &&
593 (!(rule->mask & mask) && func != POST_SETATTR))
595 if ((rule->flags & IMA_FSMAGIC)
596 && rule->fsmagic != inode->i_sb->s_magic)
598 if ((rule->flags & IMA_FSNAME)
599 && strcmp(rule->fsname, inode->i_sb->s_type->name))
601 if ((rule->flags & IMA_FSUUID) &&
602 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
604 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
606 if (rule->flags & IMA_EUID) {
608 if (!rule->uid_op(cred->euid, rule->uid)
609 && !rule->uid_op(cred->suid, rule->uid)
610 && !rule->uid_op(cred->uid, rule->uid))
612 } else if (!rule->uid_op(cred->euid, rule->uid))
615 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid))
617 if (rule->flags & IMA_EGID) {
619 if (!rule->gid_op(cred->egid, rule->gid)
620 && !rule->gid_op(cred->sgid, rule->gid)
621 && !rule->gid_op(cred->gid, rule->gid))
623 } else if (!rule->gid_op(cred->egid, rule->gid))
626 if ((rule->flags & IMA_FOWNER) &&
627 !rule->fowner_op(i_uid_into_vfsuid(idmap, inode),
628 rule->fowner))
630 if ((rule->flags & IMA_FGROUP) &&
631 !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode),
632 rule->fgroup))
638 if (!lsm_rule->lsm[i].rule) {
653 lsm_rule->lsm[i].rule);
660 lsm_rule->lsm[i].rule);
667 lsm_rule = ima_lsm_copy_rule(rule);
683 ima_filter_rule_free(lsm_rule->lsm[i].rule);
693 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
695 if (!(rule->flags & IMA_FUNC))
726 * @template_desc: the template that should be used for this rule
820 * because rule checking would probably have an important
892 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
916 char rule[255];
919 result = strscpy(rule, *rules, sizeof(rule));
922 result = ima_parse_rule(rule, &arch_policy_entry[i]);
924 pr_warn("Skipping unknown architecture policy rule: %s\n",
925 rule);
1133 if (entry->lsm[lsm_rule].rule)
1143 &entry->lsm[lsm_rule].rule);
1144 if (!entry->lsm[lsm_rule].rule) {
1145 pr_warn("rule for LSM \'%s\' is undefined\n",
1256 * for the NONE case below to validate a rule without an explicit hook
1265 * components of the rule
1404 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1425 while ((p = strsep(&rule, " \t")) != NULL) {
1913 * ima_parse_add_rule - add a rule to ima_policy_rules
1914 * @rule: ima measurement policy rule
1917 * Returns the length of the rule parsed, or an error code on failure
1919 ssize_t ima_parse_add_rule(char *rule)
1927 p = strsep(&rule, "\n");
2032 * policy_func_show - display the ima_hooks policy rule
2079 if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
2227 if (entry->lsm[i].rule) {
2321 * We've found a rule that matches, so break now even if it
2322 * didn't require a digital signature - a later rule that does