Lines Matching refs:entry
378 static void ima_lsm_free_rule(struct ima_rule_entry *entry)
383 ima_filter_rule_free(entry->lsm[i].rule);
384 kfree(entry->lsm[i].args_p);
388 static void ima_free_rule(struct ima_rule_entry *entry)
390 if (!entry)
394 * entry->template->fields may be allocated in ima_parse_rule() but that
398 kfree(entry->fsname);
399 ima_free_rule_opt_list(entry->keyrings);
400 ima_lsm_free_rule(entry);
401 kfree(entry);
404 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
413 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
420 if (!entry->lsm[i].args_p)
423 nentry->lsm[i].type = entry->lsm[i].type;
424 nentry->lsm[i].args_p = entry->lsm[i].args_p;
436 static int ima_lsm_update_rule(struct ima_rule_entry *entry)
441 nentry = ima_lsm_copy_rule(entry);
445 list_replace_rcu(&entry->list, &nentry->list);
449 * LSM references, from entry to nentry so we only want to free the LSM
450 * references and the entry itself. All other memory references will now
454 ima_filter_rule_free(entry->lsm[i].rule);
455 kfree(entry);
460 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
465 if (entry->lsm[i].args_p)
478 struct ima_rule_entry *entry, *e;
481 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
482 if (!ima_rule_contains_lsm_cond(entry))
485 result = ima_lsm_update_rule(entry);
743 struct ima_rule_entry *entry;
752 list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
754 if (!(entry->action & actmask))
757 if (!ima_match_rules(entry, idmap, inode, cred, secid,
761 action |= entry->flags & IMA_NONACTION_FLAGS;
763 action |= entry->action & IMA_DO_MASK;
764 if (entry->action & IMA_APPRAISE) {
765 action |= get_subaction(entry, func);
771 entry->flags & IMA_VALIDATE_ALGOS)
772 *allowed_algos = entry->allowed_algos;
775 if (entry->action & IMA_DO_MASK)
776 actmask &= ~(entry->action | entry->action << 1);
778 actmask &= ~(entry->action | entry->action >> 1);
780 if ((pcr) && (entry->flags & IMA_PCR))
781 *pcr = entry->pcr;
783 if (template_desc && entry->template)
784 *template_desc = entry->template;
811 struct ima_rule_entry *entry;
817 list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
830 if (entry->func == SETXATTR_CHECK) {
832 0, entry->allowed_algos);
837 if (entry->action & IMA_DO_MASK)
838 new_policy_flag |= entry->action;
868 struct ima_rule_entry *entry;
874 entry = kmemdup(&entries[i], sizeof(*entry),
876 if (!entry)
879 list_add_tail(&entry->list, &ima_policy_rules);
892 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
1128 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
1133 if (entry->lsm[lsm_rule].rule)
1136 entry->lsm[lsm_rule].args_p = match_strdup(args);
1137 if (!entry->lsm[lsm_rule].args_p)
1140 entry->lsm[lsm_rule].type = audit_type;
1141 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
1142 entry->lsm[lsm_rule].args_p,
1143 &entry->lsm[lsm_rule].rule);
1144 if (!entry->lsm[lsm_rule].rule) {
1146 entry->lsm[lsm_rule].args_p);
1149 kfree(entry->lsm[lsm_rule].args_p);
1150 entry->lsm[lsm_rule].args_p = NULL;
1239 static bool ima_validate_rule(struct ima_rule_entry *entry)
1242 if (entry->action == UNKNOWN)
1245 if (entry->action != MEASURE && entry->flags & IMA_PCR)
1248 if (entry->action != APPRAISE &&
1249 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED |
1259 if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
1260 (!(entry->flags & IMA_FUNC) && entry->func != NONE))
1267 switch (entry->func) {
1277 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1290 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1301 if (entry->action & ~(MEASURE | DONT_MEASURE))
1304 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1312 if (entry->action & ~(MEASURE | DONT_MEASURE))
1315 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR |
1319 if (ima_rule_contains_lsm_cond(entry))
1324 if (entry->action & ~(MEASURE | DONT_MEASURE))
1327 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR |
1331 if (ima_rule_contains_lsm_cond(entry))
1337 if (entry->action != APPRAISE)
1341 if (!(entry->flags & IMA_VALIDATE_ALGOS))
1348 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS))
1357 if (entry->flags & IMA_CHECK_BLACKLIST &&
1358 !(entry->flags & IMA_DIGSIG_REQUIRED))
1368 if (entry->action == APPRAISE &&
1369 (entry->flags & IMA_VERITY_REQUIRED) &&
1370 !(entry->flags & IMA_DIGSIG_REQUIRED))
1404 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1416 entry->uid = INVALID_UID;
1417 entry->gid = INVALID_GID;
1418 entry->fowner = INVALID_UID;
1419 entry->fgroup = INVALID_GID;
1420 entry->uid_op = &uid_eq;
1421 entry->gid_op = &gid_eq;
1422 entry->fowner_op = &vfsuid_eq_kuid;
1423 entry->fgroup_op = &vfsgid_eq_kgid;
1424 entry->action = UNKNOWN;
1439 if (entry->action != UNKNOWN)
1442 entry->action = MEASURE;
1447 if (entry->action != UNKNOWN)
1450 entry->action = DONT_MEASURE;
1455 if (entry->action != UNKNOWN)
1458 entry->action = APPRAISE;
1463 if (entry->action != UNKNOWN)
1466 entry->action = DONT_APPRAISE;
1471 if (entry->action != UNKNOWN)
1474 entry->action = AUDIT;
1479 if (entry->action != UNKNOWN)
1482 entry->action = HASH;
1487 if (entry->action != UNKNOWN)
1490 entry->action = DONT_HASH;
1495 if (entry->func)
1499 entry->func = FILE_CHECK;
1502 entry->func = FILE_CHECK;
1504 entry->func = MODULE_CHECK;
1506 entry->func = FIRMWARE_CHECK;
1509 entry->func = MMAP_CHECK;
1511 entry->func = MMAP_CHECK_REQPROT;
1513 entry->func = BPRM_CHECK;
1515 entry->func = CREDS_CHECK;
1518 entry->func = KEXEC_KERNEL_CHECK;
1521 entry->func = KEXEC_INITRAMFS_CHECK;
1523 entry->func = POLICY_CHECK;
1525 entry->func = KEXEC_CMDLINE;
1528 entry->func = KEY_CHECK;
1530 entry->func = CRITICAL_DATA;
1532 entry->func = SETXATTR_CHECK;
1536 entry->flags |= IMA_FUNC;
1541 if (entry->mask)
1549 entry->mask = MAY_EXEC;
1551 entry->mask = MAY_WRITE;
1553 entry->mask = MAY_READ;
1555 entry->mask = MAY_APPEND;
1559 entry->flags |= (*args[0].from == '^')
1565 if (entry->fsmagic) {
1570 result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1572 entry->flags |= IMA_FSMAGIC;
1577 entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1578 if (!entry->fsname) {
1583 entry->flags |= IMA_FSNAME;
1589 entry->keyrings) {
1594 entry->keyrings = ima_alloc_rule_opt_list(args);
1595 if (IS_ERR(entry->keyrings)) {
1596 result = PTR_ERR(entry->keyrings);
1597 entry->keyrings = NULL;
1601 entry->flags |= IMA_KEYRINGS;
1606 if (entry->label) {
1611 entry->label = ima_alloc_rule_opt_list(args);
1612 if (IS_ERR(entry->label)) {
1613 result = PTR_ERR(entry->label);
1614 entry->label = NULL;
1618 entry->flags |= IMA_LABEL;
1623 if (!uuid_is_null(&entry->fsuuid)) {
1628 result = uuid_parse(args[0].from, &entry->fsuuid);
1630 entry->flags |= IMA_FSUUID;
1634 entry->uid_op = &uid_gt;
1639 entry->uid_op = &uid_lt;
1650 if (uid_valid(entry->uid)) {
1657 entry->uid = make_kuid(current_user_ns(),
1659 if (!uid_valid(entry->uid) ||
1663 entry->flags |= eid_token
1669 entry->gid_op = &gid_gt;
1674 entry->gid_op = &gid_lt;
1685 if (gid_valid(entry->gid)) {
1692 entry->gid = make_kgid(current_user_ns(),
1694 if (!gid_valid(entry->gid) ||
1698 entry->flags |= eid_token
1703 entry->fowner_op = &vfsuid_gt_kuid;
1707 entry->fowner_op = &vfsuid_lt_kuid;
1712 if (uid_valid(entry->fowner)) {
1719 entry->fowner = make_kuid(current_user_ns(),
1721 if (!uid_valid(entry->fowner) ||
1725 entry->flags |= IMA_FOWNER;
1729 entry->fgroup_op = &vfsgid_gt_kgid;
1733 entry->fgroup_op = &vfsgid_lt_kgid;
1738 if (gid_valid(entry->fgroup)) {
1745 entry->fgroup = make_kgid(current_user_ns(),
1747 if (!gid_valid(entry->fgroup) ||
1751 entry->flags |= IMA_FGROUP;
1756 result = ima_lsm_rule_init(entry, args,
1762 result = ima_lsm_rule_init(entry, args,
1768 result = ima_lsm_rule_init(entry, args,
1774 result = ima_lsm_rule_init(entry, args,
1780 result = ima_lsm_rule_init(entry, args,
1786 result = ima_lsm_rule_init(entry, args,
1792 if (entry->flags & IMA_DIGSIG_REQUIRED)
1795 entry->flags |= IMA_VERITY_REQUIRED;
1803 if (entry->flags & IMA_VERITY_REQUIRED)
1806 entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
1809 if (entry->flags & IMA_VERITY_REQUIRED)
1810 entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
1815 if (entry->flags & IMA_VERITY_REQUIRED)
1818 entry->flags |= IMA_DIGSIG_REQUIRED |
1830 if (entry->allowed_algos) {
1835 entry->allowed_algos =
1838 if (!entry->allowed_algos) {
1843 entry->flags |= IMA_VALIDATE_ALGOS;
1847 entry->flags |= IMA_PERMIT_DIRECTIO;
1852 result = kstrtoint(args[0].from, 10, &entry->pcr);
1853 if (result || INVALID_PCR(entry->pcr))
1856 entry->flags |= IMA_PCR;
1861 if (entry->action != MEASURE) {
1866 if (!template_desc || entry->template) {
1879 entry->template = template_desc;
1887 if (!result && !ima_validate_rule(entry))
1889 else if (entry->action == APPRAISE)
1890 temp_ima_appraise |= ima_appraise_flag(entry->func);
1892 if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1893 template_desc = entry->template ? entry->template :
1899 if (!result && entry->action == MEASURE &&
1900 entry->flags & IMA_VERITY_REQUIRED) {
1901 template_desc = entry->template ? entry->template :
1923 struct ima_rule_entry *entry;
1934 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1935 if (!entry) {
1941 INIT_LIST_HEAD(&entry->list);
1943 result = ima_parse_rule(p, entry);
1945 ima_free_rule(entry);
1952 list_add_tail(&entry->list, &ima_temp_rules);
1966 struct ima_rule_entry *entry, *tmp;
1969 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1970 list_del(&entry->list);
1971 ima_free_rule(entry);
1996 struct ima_rule_entry *entry;
2001 list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
2004 return entry;
2013 struct ima_rule_entry *entry = v;
2016 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
2020 return (&entry->list == &ima_default_rules ||
2021 &entry->list == &ima_policy_rules) ? NULL : entry;
2070 struct ima_rule_entry *entry = v;
2079 if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
2085 if (entry->action & MEASURE)
2087 if (entry->action & DONT_MEASURE)
2089 if (entry->action & APPRAISE)
2091 if (entry->action & DONT_APPRAISE)
2093 if (entry->action & AUDIT)
2095 if (entry->action & HASH)
2097 if (entry->action & DONT_HASH)
2102 if (entry->flags & IMA_FUNC)
2103 policy_func_show(m, entry->func);
2105 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
2106 if (entry->flags & IMA_MASK)
2108 if (entry->mask & MAY_EXEC)
2110 if (entry->mask & MAY_WRITE)
2112 if (entry->mask & MAY_READ)
2114 if (entry->mask & MAY_APPEND)
2119 if (entry->flags & IMA_FSMAGIC) {
2120 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
2125 if (entry->flags & IMA_FSNAME) {
2126 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
2131 if (entry->flags & IMA_KEYRINGS) {
2133 ima_show_rule_opt_list(m, entry->keyrings);
2137 if (entry->flags & IMA_LABEL) {
2139 ima_show_rule_opt_list(m, entry->label);
2143 if (entry->flags & IMA_PCR) {
2144 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
2149 if (entry->flags & IMA_FSUUID) {
2150 seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
2154 if (entry->flags & IMA_UID) {
2155 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
2156 if (entry->uid_op == &uid_gt)
2158 else if (entry->uid_op == &uid_lt)
2165 if (entry->flags & IMA_EUID) {
2166 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
2167 if (entry->uid_op == &uid_gt)
2169 else if (entry->uid_op == &uid_lt)
2176 if (entry->flags & IMA_GID) {
2177 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
2178 if (entry->gid_op == &gid_gt)
2180 else if (entry->gid_op == &gid_lt)
2187 if (entry->flags & IMA_EGID) {
2188 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
2189 if (entry->gid_op == &gid_gt)
2191 else if (entry->gid_op == &gid_lt)
2198 if (entry->flags & IMA_FOWNER) {
2199 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
2200 if (entry->fowner_op == &vfsuid_gt_kuid)
2202 else if (entry->fowner_op == &vfsuid_lt_kuid)
2209 if (entry->flags & IMA_FGROUP) {
2210 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup));
2211 if (entry->fgroup_op == &vfsgid_gt_kgid)
2213 else if (entry->fgroup_op == &vfsgid_lt_kgid)
2220 if (entry->flags & IMA_VALIDATE_ALGOS) {
2222 ima_policy_show_appraise_algos(m, entry->allowed_algos);
2227 if (entry->lsm[i].rule) {
2231 entry->lsm[i].args_p);
2235 entry->lsm[i].args_p);
2239 entry->lsm[i].args_p);
2243 entry->lsm[i].args_p);
2247 entry->lsm[i].args_p);
2251 entry->lsm[i].args_p);
2257 if (entry->template)
2258 seq_printf(m, "template=%s ", entry->template->name);
2259 if (entry->flags & IMA_DIGSIG_REQUIRED) {
2260 if (entry->flags & IMA_VERITY_REQUIRED)
2262 else if (entry->flags & IMA_MODSIG_ALLOWED)
2267 if (entry->flags & IMA_VERITY_REQUIRED)
2269 if (entry->flags & IMA_PERMIT_DIRECTIO)
2286 struct ima_rule_entry *entry;
2302 list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
2303 if (entry->action != APPRAISE)
2307 * A generic entry will match, but otherwise require that it
2310 if (entry->func && entry->func != func)
2317 if (entry->flags & IMA_DIGSIG_REQUIRED)