1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Copyright (C) 2008 IBM Corporation 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * ima_policy.c 7 * - initialize default measure policy rules 8 */ 9 10#include <linux/init.h> 11#include <linux/list.h> 12#include <linux/kernel_read_file.h> 13#include <linux/fs.h> 14#include <linux/security.h> 15#include <linux/magic.h> 16#include <linux/parser.h> 17#include <linux/slab.h> 18#include <linux/rculist.h> 19#include <linux/genhd.h> 20#include <linux/seq_file.h> 21#include <linux/ima.h> 22 23#include "ima.h" 24 25/* flags definitions */ 26#define IMA_FUNC 0x0001 27#define IMA_MASK 0x0002 28#define IMA_FSMAGIC 0x0004 29#define IMA_UID 0x0008 30#define IMA_FOWNER 0x0010 31#define IMA_FSUUID 0x0020 32#define IMA_INMASK 0x0040 33#define IMA_EUID 0x0080 34#define IMA_PCR 0x0100 35#define IMA_FSNAME 0x0200 36#define IMA_KEYRINGS 0x0400 37 38#define UNKNOWN 0 39#define MEASURE 0x0001 /* same as IMA_MEASURE */ 40#define DONT_MEASURE 0x0002 41#define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 42#define DONT_APPRAISE 0x0008 43#define AUDIT 0x0040 44#define HASH 0x0100 45#define DONT_HASH 0x0200 46 47#define INVALID_PCR(a) (((a) < 0) || \ 48 (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8)) 49 50int ima_policy_flag; 51static int temp_ima_appraise; 52static int build_ima_appraise __ro_after_init; 53 54#define MAX_LSM_RULES 6 55enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, 56 LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE 57}; 58 59enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; 60 61enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; 62 63struct ima_rule_opt_list { 64 size_t count; 65 char *items[]; 66}; 67 68struct ima_rule_entry { 69 struct list_head list; 70 int action; 71 unsigned int flags; 72 enum ima_hooks func; 73 int mask; 74 unsigned long fsmagic; 75 uuid_t fsuuid; 76 kuid_t uid; 77 kuid_t fowner; 78 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 79 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 80 int pcr; 81 struct { 82 void *rule; /* LSM file metadata specific */ 83 char *args_p; /* audit value */ 84 int type; /* audit type */ 85 } lsm[MAX_LSM_RULES]; 86 char *fsname; 87 struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ 88 struct ima_template_desc *template; 89}; 90 91/* 92 * Without LSM specific knowledge, the default policy can only be 93 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 94 */ 95 96/* 97 * The minimum rule set to allow for full TCB coverage. Measures all files 98 * opened or mmap for exec and everything read by root. Dangerous because 99 * normal users can easily run the machine out of memory simply building 100 * and running executables. 101 */ 102static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { 103 {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 104 {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 105 {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 106 {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 107 {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 108 {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 109 {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 110 {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 111 {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 112 {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, 113 .flags = IMA_FSMAGIC}, 114 {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC, 115 .flags = IMA_FSMAGIC}, 116 {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 117 {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC} 118}; 119 120static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { 121 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 122 .flags = IMA_FUNC | IMA_MASK}, 123 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 124 .flags = IMA_FUNC | IMA_MASK}, 125 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 126 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 127 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 128 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 129 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 130}; 131 132static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 133 {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, 134 .flags = IMA_FUNC | IMA_MASK}, 135 {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, 136 .flags = IMA_FUNC | IMA_MASK}, 137 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 138 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 139 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, 140 {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, 141 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, 142 .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, 143 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, 144 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, 145 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, 146}; 147 148static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 149 {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 150 {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, 151 {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, 152 {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC}, 153 {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC}, 154 {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 155 {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, 156 {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, 157 {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, 158 {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC}, 159 {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, 160 {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}, 161 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 162 {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, 163#ifdef CONFIG_IMA_WRITE_POLICY 164 {.action = APPRAISE, .func = POLICY_CHECK, 165 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 166#endif 167#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT 168 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 169 .flags = IMA_FOWNER}, 170#else 171 /* force signature */ 172 {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, 173 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, 174#endif 175}; 176 177static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { 178#ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS 179 {.action = APPRAISE, .func = MODULE_CHECK, 180 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 181#endif 182#ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 183 {.action = APPRAISE, .func = FIRMWARE_CHECK, 184 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 185#endif 186#ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS 187 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 188 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 189#endif 190#ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS 191 {.action = APPRAISE, .func = POLICY_CHECK, 192 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 193#endif 194}; 195 196static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 197 {.action = APPRAISE, .func = MODULE_CHECK, 198 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 199 {.action = APPRAISE, .func = FIRMWARE_CHECK, 200 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 201 {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, 202 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 203 {.action = APPRAISE, .func = POLICY_CHECK, 204 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, 205}; 206 207/* An array of architecture specific rules */ 208static struct ima_rule_entry *arch_policy_entry __ro_after_init; 209 210static LIST_HEAD(ima_default_rules); 211static LIST_HEAD(ima_policy_rules); 212static LIST_HEAD(ima_temp_rules); 213static struct list_head *ima_rules = &ima_default_rules; 214 215static int ima_policy __initdata; 216 217static int __init default_measure_policy_setup(char *str) 218{ 219 if (ima_policy) 220 return 1; 221 222 ima_policy = ORIGINAL_TCB; 223 return 1; 224} 225__setup("ima_tcb", default_measure_policy_setup); 226 227static bool ima_use_appraise_tcb __initdata; 228static bool ima_use_secure_boot __initdata; 229static bool ima_fail_unverifiable_sigs __ro_after_init; 230static int __init policy_setup(char *str) 231{ 232 char *p; 233 234 while ((p = strsep(&str, " |\n")) != NULL) { 235 if (*p == ' ') 236 continue; 237 if ((strcmp(p, "tcb") == 0) && !ima_policy) 238 ima_policy = DEFAULT_TCB; 239 else if (strcmp(p, "appraise_tcb") == 0) 240 ima_use_appraise_tcb = true; 241 else if (strcmp(p, "secure_boot") == 0) 242 ima_use_secure_boot = true; 243 else if (strcmp(p, "fail_securely") == 0) 244 ima_fail_unverifiable_sigs = true; 245 else 246 pr_err("policy \"%s\" not found", p); 247 } 248 249 return 1; 250} 251__setup("ima_policy=", policy_setup); 252 253static int __init default_appraise_policy_setup(char *str) 254{ 255 ima_use_appraise_tcb = true; 256 return 1; 257} 258__setup("ima_appraise_tcb", default_appraise_policy_setup); 259 260static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) 261{ 262 struct ima_rule_opt_list *opt_list; 263 size_t count = 0; 264 char *src_copy; 265 char *cur, *next; 266 size_t i; 267 268 src_copy = match_strdup(src); 269 if (!src_copy) 270 return ERR_PTR(-ENOMEM); 271 272 next = src_copy; 273 while ((cur = strsep(&next, "|"))) { 274 /* Don't accept an empty list item */ 275 if (!(*cur)) { 276 kfree(src_copy); 277 return ERR_PTR(-EINVAL); 278 } 279 count++; 280 } 281 282 /* Don't accept an empty list */ 283 if (!count) { 284 kfree(src_copy); 285 return ERR_PTR(-EINVAL); 286 } 287 288 opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); 289 if (!opt_list) { 290 kfree(src_copy); 291 return ERR_PTR(-ENOMEM); 292 } 293 294 /* 295 * strsep() has already replaced all instances of '|' with '\0', 296 * leaving a byte sequence of NUL-terminated strings. Reference each 297 * string with the array of items. 298 * 299 * IMPORTANT: Ownership of the allocated buffer is transferred from 300 * src_copy to the first element in the items array. To free the 301 * buffer, kfree() must only be called on the first element of the 302 * array. 303 */ 304 for (i = 0, cur = src_copy; i < count; i++) { 305 opt_list->items[i] = cur; 306 cur = strchr(cur, '\0') + 1; 307 } 308 opt_list->count = count; 309 310 return opt_list; 311} 312 313static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) 314{ 315 if (!opt_list) 316 return; 317 318 if (opt_list->count) { 319 kfree(opt_list->items[0]); 320 opt_list->count = 0; 321 } 322 323 kfree(opt_list); 324} 325 326static void ima_lsm_free_rule(struct ima_rule_entry *entry) 327{ 328 int i; 329 330 for (i = 0; i < MAX_LSM_RULES; i++) { 331 ima_filter_rule_free(entry->lsm[i].rule); 332 kfree(entry->lsm[i].args_p); 333 } 334} 335 336static void ima_free_rule(struct ima_rule_entry *entry) 337{ 338 if (!entry) 339 return; 340 341 /* 342 * entry->template->fields may be allocated in ima_parse_rule() but that 343 * reference is owned by the corresponding ima_template_desc element in 344 * the defined_templates list and cannot be freed here 345 */ 346 kfree(entry->fsname); 347 ima_free_rule_opt_list(entry->keyrings); 348 ima_lsm_free_rule(entry); 349 kfree(entry); 350} 351 352static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 353{ 354 struct ima_rule_entry *nentry; 355 int i; 356 357 /* 358 * Immutable elements are copied over as pointers and data; only 359 * lsm rules can change 360 */ 361 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 362 if (!nentry) 363 return NULL; 364 365 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); 366 367 for (i = 0; i < MAX_LSM_RULES; i++) { 368 if (!entry->lsm[i].args_p) 369 continue; 370 371 nentry->lsm[i].type = entry->lsm[i].type; 372 nentry->lsm[i].args_p = entry->lsm[i].args_p; 373 374 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 375 nentry->lsm[i].args_p, 376 &nentry->lsm[i].rule); 377 if (!nentry->lsm[i].rule) 378 pr_warn("rule for LSM \'%s\' is undefined\n", 379 nentry->lsm[i].args_p); 380 } 381 return nentry; 382} 383 384static int ima_lsm_update_rule(struct ima_rule_entry *entry) 385{ 386 int i; 387 struct ima_rule_entry *nentry; 388 389 nentry = ima_lsm_copy_rule(entry); 390 if (!nentry) 391 return -ENOMEM; 392 393 list_replace_rcu(&entry->list, &nentry->list); 394 synchronize_rcu(); 395 /* 396 * ima_lsm_copy_rule() shallow copied all references, except for the 397 * LSM references, from entry to nentry so we only want to free the LSM 398 * references and the entry itself. All other memory refrences will now 399 * be owned by nentry. 400 */ 401 for (i = 0; i < MAX_LSM_RULES; i++) 402 ima_filter_rule_free(entry->lsm[i].rule); 403 kfree(entry); 404 405 return 0; 406} 407 408static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) 409{ 410 int i; 411 412 for (i = 0; i < MAX_LSM_RULES; i++) 413 if (entry->lsm[i].args_p) 414 return true; 415 416 return false; 417} 418 419/* 420 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 421 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 422 * the reloaded LSM policy. 423 */ 424static void ima_lsm_update_rules(void) 425{ 426 struct ima_rule_entry *entry, *e; 427 int result; 428 429 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 430 if (!ima_rule_contains_lsm_cond(entry)) 431 continue; 432 433 result = ima_lsm_update_rule(entry); 434 if (result) { 435 pr_err("lsm rule update error %d\n", result); 436 return; 437 } 438 } 439} 440 441int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 442 void *lsm_data) 443{ 444 if (event != LSM_POLICY_CHANGE) 445 return NOTIFY_DONE; 446 447 ima_lsm_update_rules(); 448 return NOTIFY_OK; 449} 450 451/** 452 * ima_match_keyring - determine whether the keyring matches the measure rule 453 * @rule: a pointer to a rule 454 * @keyring: name of the keyring to match against the measure rule 455 * @cred: a pointer to a credentials structure for user validation 456 * 457 * Returns true if keyring matches one in the rule, false otherwise. 458 */ 459static bool ima_match_keyring(struct ima_rule_entry *rule, 460 const char *keyring, const struct cred *cred) 461{ 462 bool matched = false; 463 size_t i; 464 465 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 466 return false; 467 468 if (!rule->keyrings) 469 return true; 470 471 if (!keyring) 472 return false; 473 474 for (i = 0; i < rule->keyrings->count; i++) { 475 if (!strcmp(rule->keyrings->items[i], keyring)) { 476 matched = true; 477 break; 478 } 479 } 480 481 return matched; 482} 483 484/** 485 * ima_match_rules - determine whether an inode matches the policy rule. 486 * @rule: a pointer to a rule 487 * @inode: a pointer to an inode 488 * @cred: a pointer to a credentials structure for user validation 489 * @secid: the secid of the task to be validated 490 * @func: LIM hook identifier 491 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 492 * @keyring: keyring name to check in policy for KEY_CHECK func 493 * 494 * Returns true on rule match, false on failure. 495 */ 496static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, 497 const struct cred *cred, u32 secid, 498 enum ima_hooks func, int mask, 499 const char *keyring) 500{ 501 int i; 502 bool result = false; 503 struct ima_rule_entry *lsm_rule = rule; 504 bool rule_reinitialized = false; 505 506 if (func == KEY_CHECK) { 507 return (rule->flags & IMA_FUNC) && (rule->func == func) && 508 ima_match_keyring(rule, keyring, cred); 509 } 510 if ((rule->flags & IMA_FUNC) && 511 (rule->func != func && func != POST_SETATTR)) 512 return false; 513 if ((rule->flags & IMA_MASK) && 514 (rule->mask != mask && func != POST_SETATTR)) 515 return false; 516 if ((rule->flags & IMA_INMASK) && 517 (!(rule->mask & mask) && func != POST_SETATTR)) 518 return false; 519 if ((rule->flags & IMA_FSMAGIC) 520 && rule->fsmagic != inode->i_sb->s_magic) 521 return false; 522 if ((rule->flags & IMA_FSNAME) 523 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 524 return false; 525 if ((rule->flags & IMA_FSUUID) && 526 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 527 return false; 528 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 529 return false; 530 if (rule->flags & IMA_EUID) { 531 if (has_capability_noaudit(current, CAP_SETUID)) { 532 if (!rule->uid_op(cred->euid, rule->uid) 533 && !rule->uid_op(cred->suid, rule->uid) 534 && !rule->uid_op(cred->uid, rule->uid)) 535 return false; 536 } else if (!rule->uid_op(cred->euid, rule->uid)) 537 return false; 538 } 539 540 if ((rule->flags & IMA_FOWNER) && 541 !rule->fowner_op(inode->i_uid, rule->fowner)) 542 return false; 543 for (i = 0; i < MAX_LSM_RULES; i++) { 544 int rc = 0; 545 u32 osid; 546 547 if (!lsm_rule->lsm[i].rule) { 548 if (!lsm_rule->lsm[i].args_p) 549 continue; 550 else 551 return false; 552 } 553 554retry: 555 switch (i) { 556 case LSM_OBJ_USER: 557 case LSM_OBJ_ROLE: 558 case LSM_OBJ_TYPE: 559 security_inode_getsecid(inode, &osid); 560 rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, 561 Audit_equal, 562 lsm_rule->lsm[i].rule); 563 break; 564 case LSM_SUBJ_USER: 565 case LSM_SUBJ_ROLE: 566 case LSM_SUBJ_TYPE: 567 rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, 568 Audit_equal, 569 lsm_rule->lsm[i].rule); 570 break; 571 default: 572 break; 573 } 574 575 if (rc == -ESTALE && !rule_reinitialized) { 576 lsm_rule = ima_lsm_copy_rule(rule); 577 if (lsm_rule) { 578 rule_reinitialized = true; 579 goto retry; 580 } 581 } 582 if (!rc) { 583 result = false; 584 goto out; 585 } 586 } 587 result = true; 588 589out: 590 if (rule_reinitialized) { 591 for (i = 0; i < MAX_LSM_RULES; i++) 592 ima_filter_rule_free(lsm_rule->lsm[i].rule); 593 kfree(lsm_rule); 594 } 595 return result; 596} 597 598/* 599 * In addition to knowing that we need to appraise the file in general, 600 * we need to differentiate between calling hooks, for hook specific rules. 601 */ 602static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) 603{ 604 if (!(rule->flags & IMA_FUNC)) 605 return IMA_FILE_APPRAISE; 606 607 switch (func) { 608 case MMAP_CHECK: 609 return IMA_MMAP_APPRAISE; 610 case BPRM_CHECK: 611 return IMA_BPRM_APPRAISE; 612 case CREDS_CHECK: 613 return IMA_CREDS_APPRAISE; 614 case FILE_CHECK: 615 case POST_SETATTR: 616 return IMA_FILE_APPRAISE; 617 case MODULE_CHECK ... MAX_CHECK - 1: 618 default: 619 return IMA_READ_APPRAISE; 620 } 621} 622 623/** 624 * ima_match_policy - decision based on LSM and other conditions 625 * @inode: pointer to an inode for which the policy decision is being made 626 * @cred: pointer to a credentials structure for which the policy decision is 627 * being made 628 * @secid: LSM secid of the task to be validated 629 * @func: IMA hook identifier 630 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 631 * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) 632 * @pcr: set the pcr to extend 633 * @template_desc: the template that should be used for this rule 634 * @keyring: the keyring name, if given, to be used to check in the policy. 635 * keyring can be NULL if func is anything other than KEY_CHECK. 636 * 637 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 638 * conditions. 639 * 640 * Since the IMA policy may be updated multiple times we need to lock the 641 * list when walking it. Reads are many orders of magnitude more numerous 642 * than writes so ima_match_policy() is classical RCU candidate. 643 */ 644int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 645 enum ima_hooks func, int mask, int flags, int *pcr, 646 struct ima_template_desc **template_desc, 647 const char *keyring) 648{ 649 struct ima_rule_entry *entry; 650 int action = 0, actmask = flags | (flags << 1); 651 652 if (template_desc) 653 *template_desc = ima_template_desc_current(); 654 655 rcu_read_lock(); 656 list_for_each_entry_rcu(entry, ima_rules, list) { 657 658 if (!(entry->action & actmask)) 659 continue; 660 661 if (!ima_match_rules(entry, inode, cred, secid, func, mask, 662 keyring)) 663 continue; 664 665 action |= entry->flags & IMA_ACTION_FLAGS; 666 667 action |= entry->action & IMA_DO_MASK; 668 if (entry->action & IMA_APPRAISE) { 669 action |= get_subaction(entry, func); 670 action &= ~IMA_HASH; 671 if (ima_fail_unverifiable_sigs) 672 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 673 } 674 675 676 if (entry->action & IMA_DO_MASK) 677 actmask &= ~(entry->action | entry->action << 1); 678 else 679 actmask &= ~(entry->action | entry->action >> 1); 680 681 if ((pcr) && (entry->flags & IMA_PCR)) 682 *pcr = entry->pcr; 683 684 if (template_desc && entry->template) 685 *template_desc = entry->template; 686 687 if (!actmask) 688 break; 689 } 690 rcu_read_unlock(); 691 692 return action; 693} 694 695/* 696 * Initialize the ima_policy_flag variable based on the currently 697 * loaded policy. Based on this flag, the decision to short circuit 698 * out of a function or not call the function in the first place 699 * can be made earlier. 700 */ 701void ima_update_policy_flag(void) 702{ 703 struct ima_rule_entry *entry; 704 705 list_for_each_entry(entry, ima_rules, list) { 706 if (entry->action & IMA_DO_MASK) 707 ima_policy_flag |= entry->action; 708 } 709 710 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 711 if (!ima_appraise) 712 ima_policy_flag &= ~IMA_APPRAISE; 713} 714 715static int ima_appraise_flag(enum ima_hooks func) 716{ 717 if (func == MODULE_CHECK) 718 return IMA_APPRAISE_MODULES; 719 else if (func == FIRMWARE_CHECK) 720 return IMA_APPRAISE_FIRMWARE; 721 else if (func == POLICY_CHECK) 722 return IMA_APPRAISE_POLICY; 723 else if (func == KEXEC_KERNEL_CHECK) 724 return IMA_APPRAISE_KEXEC; 725 return 0; 726} 727 728static void add_rules(struct ima_rule_entry *entries, int count, 729 enum policy_rule_list policy_rule) 730{ 731 int i = 0; 732 733 for (i = 0; i < count; i++) { 734 struct ima_rule_entry *entry; 735 736 if (policy_rule & IMA_DEFAULT_POLICY) 737 list_add_tail(&entries[i].list, &ima_default_rules); 738 739 if (policy_rule & IMA_CUSTOM_POLICY) { 740 entry = kmemdup(&entries[i], sizeof(*entry), 741 GFP_KERNEL); 742 if (!entry) 743 continue; 744 745 list_add_tail(&entry->list, &ima_policy_rules); 746 } 747 if (entries[i].action == APPRAISE) { 748 if (entries != build_appraise_rules) 749 temp_ima_appraise |= 750 ima_appraise_flag(entries[i].func); 751 else 752 build_ima_appraise |= 753 ima_appraise_flag(entries[i].func); 754 } 755 } 756} 757 758static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); 759 760static int __init ima_init_arch_policy(void) 761{ 762 const char * const *arch_rules; 763 const char * const *rules; 764 int arch_entries = 0; 765 int i = 0; 766 767 arch_rules = arch_get_ima_policy(); 768 if (!arch_rules) 769 return arch_entries; 770 771 /* Get number of rules */ 772 for (rules = arch_rules; *rules != NULL; rules++) 773 arch_entries++; 774 775 arch_policy_entry = kcalloc(arch_entries + 1, 776 sizeof(*arch_policy_entry), GFP_KERNEL); 777 if (!arch_policy_entry) 778 return 0; 779 780 /* Convert each policy string rules to struct ima_rule_entry format */ 781 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { 782 char rule[255]; 783 int result; 784 785 result = strlcpy(rule, *rules, sizeof(rule)); 786 787 INIT_LIST_HEAD(&arch_policy_entry[i].list); 788 result = ima_parse_rule(rule, &arch_policy_entry[i]); 789 if (result) { 790 pr_warn("Skipping unknown architecture policy rule: %s\n", 791 rule); 792 memset(&arch_policy_entry[i], 0, 793 sizeof(*arch_policy_entry)); 794 continue; 795 } 796 i++; 797 } 798 return i; 799} 800 801/** 802 * ima_init_policy - initialize the default measure rules. 803 * 804 * ima_rules points to either the ima_default_rules or the 805 * the new ima_policy_rules. 806 */ 807void __init ima_init_policy(void) 808{ 809 int build_appraise_entries, arch_entries; 810 811 /* if !ima_policy, we load NO default rules */ 812 if (ima_policy) 813 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), 814 IMA_DEFAULT_POLICY); 815 816 switch (ima_policy) { 817 case ORIGINAL_TCB: 818 add_rules(original_measurement_rules, 819 ARRAY_SIZE(original_measurement_rules), 820 IMA_DEFAULT_POLICY); 821 break; 822 case DEFAULT_TCB: 823 add_rules(default_measurement_rules, 824 ARRAY_SIZE(default_measurement_rules), 825 IMA_DEFAULT_POLICY); 826 break; 827 default: 828 break; 829 } 830 831 /* 832 * Based on runtime secure boot flags, insert arch specific measurement 833 * and appraise rules requiring file signatures for both the initial 834 * and custom policies, prior to other appraise rules. 835 * (Highest priority) 836 */ 837 arch_entries = ima_init_arch_policy(); 838 if (!arch_entries) 839 pr_info("No architecture policies found\n"); 840 else 841 add_rules(arch_policy_entry, arch_entries, 842 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 843 844 /* 845 * Insert the builtin "secure_boot" policy rules requiring file 846 * signatures, prior to other appraise rules. 847 */ 848 if (ima_use_secure_boot) 849 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), 850 IMA_DEFAULT_POLICY); 851 852 /* 853 * Insert the build time appraise rules requiring file signatures 854 * for both the initial and custom policies, prior to other appraise 855 * rules. As the secure boot rules includes all of the build time 856 * rules, include either one or the other set of rules, but not both. 857 */ 858 build_appraise_entries = ARRAY_SIZE(build_appraise_rules); 859 if (build_appraise_entries) { 860 if (ima_use_secure_boot) 861 add_rules(build_appraise_rules, build_appraise_entries, 862 IMA_CUSTOM_POLICY); 863 else 864 add_rules(build_appraise_rules, build_appraise_entries, 865 IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); 866 } 867 868 if (ima_use_appraise_tcb) 869 add_rules(default_appraise_rules, 870 ARRAY_SIZE(default_appraise_rules), 871 IMA_DEFAULT_POLICY); 872 873 ima_update_policy_flag(); 874} 875 876/* Make sure we have a valid policy, at least containing some rules. */ 877int ima_check_policy(void) 878{ 879 if (list_empty(&ima_temp_rules)) 880 return -EINVAL; 881 return 0; 882} 883 884/** 885 * ima_update_policy - update default_rules with new measure rules 886 * 887 * Called on file .release to update the default rules with a complete new 888 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 889 * they make a queue. The policy may be updated multiple times and this is the 890 * RCU updater. 891 * 892 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 893 * we switch from the default policy to user defined. 894 */ 895void ima_update_policy(void) 896{ 897 struct list_head *policy = &ima_policy_rules; 898 899 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); 900 901 if (ima_rules != policy) { 902 ima_policy_flag = 0; 903 ima_rules = policy; 904 905 /* 906 * IMA architecture specific policy rules are specified 907 * as strings and converted to an array of ima_entry_rules 908 * on boot. After loading a custom policy, free the 909 * architecture specific rules stored as an array. 910 */ 911 kfree(arch_policy_entry); 912 } 913 ima_update_policy_flag(); 914 915 /* Custom IMA policy has been loaded */ 916 ima_process_queued_keys(); 917} 918 919/* Keep the enumeration in sync with the policy_tokens! */ 920enum { 921 Opt_measure, Opt_dont_measure, 922 Opt_appraise, Opt_dont_appraise, 923 Opt_audit, Opt_hash, Opt_dont_hash, 924 Opt_obj_user, Opt_obj_role, Opt_obj_type, 925 Opt_subj_user, Opt_subj_role, Opt_subj_type, 926 Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, 927 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 928 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 929 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 930 Opt_appraise_type, Opt_appraise_flag, 931 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 932 Opt_err 933}; 934 935static const match_table_t policy_tokens = { 936 {Opt_measure, "measure"}, 937 {Opt_dont_measure, "dont_measure"}, 938 {Opt_appraise, "appraise"}, 939 {Opt_dont_appraise, "dont_appraise"}, 940 {Opt_audit, "audit"}, 941 {Opt_hash, "hash"}, 942 {Opt_dont_hash, "dont_hash"}, 943 {Opt_obj_user, "obj_user=%s"}, 944 {Opt_obj_role, "obj_role=%s"}, 945 {Opt_obj_type, "obj_type=%s"}, 946 {Opt_subj_user, "subj_user=%s"}, 947 {Opt_subj_role, "subj_role=%s"}, 948 {Opt_subj_type, "subj_type=%s"}, 949 {Opt_func, "func=%s"}, 950 {Opt_mask, "mask=%s"}, 951 {Opt_fsmagic, "fsmagic=%s"}, 952 {Opt_fsname, "fsname=%s"}, 953 {Opt_fsuuid, "fsuuid=%s"}, 954 {Opt_uid_eq, "uid=%s"}, 955 {Opt_euid_eq, "euid=%s"}, 956 {Opt_fowner_eq, "fowner=%s"}, 957 {Opt_uid_gt, "uid>%s"}, 958 {Opt_euid_gt, "euid>%s"}, 959 {Opt_fowner_gt, "fowner>%s"}, 960 {Opt_uid_lt, "uid<%s"}, 961 {Opt_euid_lt, "euid<%s"}, 962 {Opt_fowner_lt, "fowner<%s"}, 963 {Opt_appraise_type, "appraise_type=%s"}, 964 {Opt_appraise_flag, "appraise_flag=%s"}, 965 {Opt_permit_directio, "permit_directio"}, 966 {Opt_pcr, "pcr=%s"}, 967 {Opt_template, "template=%s"}, 968 {Opt_keyrings, "keyrings=%s"}, 969 {Opt_err, NULL} 970}; 971 972static int ima_lsm_rule_init(struct ima_rule_entry *entry, 973 substring_t *args, int lsm_rule, int audit_type) 974{ 975 int result; 976 977 if (entry->lsm[lsm_rule].rule) 978 return -EINVAL; 979 980 entry->lsm[lsm_rule].args_p = match_strdup(args); 981 if (!entry->lsm[lsm_rule].args_p) 982 return -ENOMEM; 983 984 entry->lsm[lsm_rule].type = audit_type; 985 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 986 entry->lsm[lsm_rule].args_p, 987 &entry->lsm[lsm_rule].rule); 988 if (!entry->lsm[lsm_rule].rule) { 989 pr_warn("rule for LSM \'%s\' is undefined\n", 990 entry->lsm[lsm_rule].args_p); 991 992 if (ima_rules == &ima_default_rules) { 993 kfree(entry->lsm[lsm_rule].args_p); 994 entry->lsm[lsm_rule].args_p = NULL; 995 result = -EINVAL; 996 } else 997 result = 0; 998 } 999 1000 return result; 1001} 1002 1003static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, 1004 bool (*rule_operator)(kuid_t, kuid_t)) 1005{ 1006 if (!ab) 1007 return; 1008 1009 if (rule_operator == &uid_gt) 1010 audit_log_format(ab, "%s>", key); 1011 else if (rule_operator == &uid_lt) 1012 audit_log_format(ab, "%s<", key); 1013 else 1014 audit_log_format(ab, "%s=", key); 1015 audit_log_format(ab, "%s ", value); 1016} 1017static void ima_log_string(struct audit_buffer *ab, char *key, char *value) 1018{ 1019 ima_log_string_op(ab, key, value, NULL); 1020} 1021 1022/* 1023 * Validating the appended signature included in the measurement list requires 1024 * the file hash calculated without the appended signature (i.e., the 'd-modsig' 1025 * field). Therefore, notify the user if they have the 'modsig' field but not 1026 * the 'd-modsig' field in the template. 1027 */ 1028static void check_template_modsig(const struct ima_template_desc *template) 1029{ 1030#define MSG "template with 'modsig' field also needs 'd-modsig' field\n" 1031 bool has_modsig, has_dmodsig; 1032 static bool checked; 1033 int i; 1034 1035 /* We only need to notify the user once. */ 1036 if (checked) 1037 return; 1038 1039 has_modsig = has_dmodsig = false; 1040 for (i = 0; i < template->num_fields; i++) { 1041 if (!strcmp(template->fields[i]->field_id, "modsig")) 1042 has_modsig = true; 1043 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) 1044 has_dmodsig = true; 1045 } 1046 1047 if (has_modsig && !has_dmodsig) 1048 pr_notice(MSG); 1049 1050 checked = true; 1051#undef MSG 1052} 1053 1054static bool ima_validate_rule(struct ima_rule_entry *entry) 1055{ 1056 /* Ensure that the action is set and is compatible with the flags */ 1057 if (entry->action == UNKNOWN) 1058 return false; 1059 1060 if (entry->action != MEASURE && entry->flags & IMA_PCR) 1061 return false; 1062 1063 if (entry->action != APPRAISE && 1064 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)) 1065 return false; 1066 1067 /* 1068 * The IMA_FUNC bit must be set if and only if there's a valid hook 1069 * function specified, and vice versa. Enforcing this property allows 1070 * for the NONE case below to validate a rule without an explicit hook 1071 * function. 1072 */ 1073 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || 1074 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) 1075 return false; 1076 1077 /* 1078 * Ensure that the hook function is compatible with the other 1079 * components of the rule 1080 */ 1081 switch (entry->func) { 1082 case NONE: 1083 case FILE_CHECK: 1084 case MMAP_CHECK: 1085 case BPRM_CHECK: 1086 case CREDS_CHECK: 1087 case POST_SETATTR: 1088 case FIRMWARE_CHECK: 1089 case POLICY_CHECK: 1090 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1091 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1092 IMA_INMASK | IMA_EUID | IMA_PCR | 1093 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1094 IMA_PERMIT_DIRECTIO)) 1095 return false; 1096 1097 break; 1098 case MODULE_CHECK: 1099 case KEXEC_KERNEL_CHECK: 1100 case KEXEC_INITRAMFS_CHECK: 1101 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | 1102 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1103 IMA_INMASK | IMA_EUID | IMA_PCR | 1104 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1105 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1106 IMA_CHECK_BLACKLIST)) 1107 return false; 1108 1109 break; 1110 case KEXEC_CMDLINE: 1111 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1112 return false; 1113 1114 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | 1115 IMA_FOWNER | IMA_FSUUID | IMA_EUID | 1116 IMA_PCR | IMA_FSNAME)) 1117 return false; 1118 1119 break; 1120 case KEY_CHECK: 1121 if (entry->action & ~(MEASURE | DONT_MEASURE)) 1122 return false; 1123 1124 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | 1125 IMA_KEYRINGS)) 1126 return false; 1127 1128 if (ima_rule_contains_lsm_cond(entry)) 1129 return false; 1130 1131 break; 1132 default: 1133 return false; 1134 } 1135 1136 /* Ensure that combinations of flags are compatible with each other */ 1137 if (entry->flags & IMA_CHECK_BLACKLIST && 1138 !(entry->flags & IMA_MODSIG_ALLOWED)) 1139 return false; 1140 1141 return true; 1142} 1143 1144static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 1145{ 1146 struct audit_buffer *ab; 1147 char *from; 1148 char *p; 1149 bool uid_token; 1150 struct ima_template_desc *template_desc; 1151 int result = 0; 1152 1153 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 1154 AUDIT_INTEGRITY_POLICY_RULE); 1155 1156 entry->uid = INVALID_UID; 1157 entry->fowner = INVALID_UID; 1158 entry->uid_op = &uid_eq; 1159 entry->fowner_op = &uid_eq; 1160 entry->action = UNKNOWN; 1161 while ((p = strsep(&rule, " \t")) != NULL) { 1162 substring_t args[MAX_OPT_ARGS]; 1163 int token; 1164 unsigned long lnum; 1165 1166 if (result < 0) 1167 break; 1168 if ((*p == '\0') || (*p == ' ') || (*p == '\t')) 1169 continue; 1170 token = match_token(p, policy_tokens, args); 1171 switch (token) { 1172 case Opt_measure: 1173 ima_log_string(ab, "action", "measure"); 1174 1175 if (entry->action != UNKNOWN) 1176 result = -EINVAL; 1177 1178 entry->action = MEASURE; 1179 break; 1180 case Opt_dont_measure: 1181 ima_log_string(ab, "action", "dont_measure"); 1182 1183 if (entry->action != UNKNOWN) 1184 result = -EINVAL; 1185 1186 entry->action = DONT_MEASURE; 1187 break; 1188 case Opt_appraise: 1189 ima_log_string(ab, "action", "appraise"); 1190 1191 if (entry->action != UNKNOWN) 1192 result = -EINVAL; 1193 1194 entry->action = APPRAISE; 1195 break; 1196 case Opt_dont_appraise: 1197 ima_log_string(ab, "action", "dont_appraise"); 1198 1199 if (entry->action != UNKNOWN) 1200 result = -EINVAL; 1201 1202 entry->action = DONT_APPRAISE; 1203 break; 1204 case Opt_audit: 1205 ima_log_string(ab, "action", "audit"); 1206 1207 if (entry->action != UNKNOWN) 1208 result = -EINVAL; 1209 1210 entry->action = AUDIT; 1211 break; 1212 case Opt_hash: 1213 ima_log_string(ab, "action", "hash"); 1214 1215 if (entry->action != UNKNOWN) 1216 result = -EINVAL; 1217 1218 entry->action = HASH; 1219 break; 1220 case Opt_dont_hash: 1221 ima_log_string(ab, "action", "dont_hash"); 1222 1223 if (entry->action != UNKNOWN) 1224 result = -EINVAL; 1225 1226 entry->action = DONT_HASH; 1227 break; 1228 case Opt_func: 1229 ima_log_string(ab, "func", args[0].from); 1230 1231 if (entry->func) 1232 result = -EINVAL; 1233 1234 if (strcmp(args[0].from, "FILE_CHECK") == 0) 1235 entry->func = FILE_CHECK; 1236 /* PATH_CHECK is for backwards compat */ 1237 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 1238 entry->func = FILE_CHECK; 1239 else if (strcmp(args[0].from, "MODULE_CHECK") == 0) 1240 entry->func = MODULE_CHECK; 1241 else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) 1242 entry->func = FIRMWARE_CHECK; 1243 else if ((strcmp(args[0].from, "FILE_MMAP") == 0) 1244 || (strcmp(args[0].from, "MMAP_CHECK") == 0)) 1245 entry->func = MMAP_CHECK; 1246 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 1247 entry->func = BPRM_CHECK; 1248 else if (strcmp(args[0].from, "CREDS_CHECK") == 0) 1249 entry->func = CREDS_CHECK; 1250 else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 1251 0) 1252 entry->func = KEXEC_KERNEL_CHECK; 1253 else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") 1254 == 0) 1255 entry->func = KEXEC_INITRAMFS_CHECK; 1256 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 1257 entry->func = POLICY_CHECK; 1258 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 1259 entry->func = KEXEC_CMDLINE; 1260 else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && 1261 strcmp(args[0].from, "KEY_CHECK") == 0) 1262 entry->func = KEY_CHECK; 1263 else 1264 result = -EINVAL; 1265 if (!result) 1266 entry->flags |= IMA_FUNC; 1267 break; 1268 case Opt_mask: 1269 ima_log_string(ab, "mask", args[0].from); 1270 1271 if (entry->mask) 1272 result = -EINVAL; 1273 1274 from = args[0].from; 1275 if (*from == '^') 1276 from++; 1277 1278 if ((strcmp(from, "MAY_EXEC")) == 0) 1279 entry->mask = MAY_EXEC; 1280 else if (strcmp(from, "MAY_WRITE") == 0) 1281 entry->mask = MAY_WRITE; 1282 else if (strcmp(from, "MAY_READ") == 0) 1283 entry->mask = MAY_READ; 1284 else if (strcmp(from, "MAY_APPEND") == 0) 1285 entry->mask = MAY_APPEND; 1286 else 1287 result = -EINVAL; 1288 if (!result) 1289 entry->flags |= (*args[0].from == '^') 1290 ? IMA_INMASK : IMA_MASK; 1291 break; 1292 case Opt_fsmagic: 1293 ima_log_string(ab, "fsmagic", args[0].from); 1294 1295 if (entry->fsmagic) { 1296 result = -EINVAL; 1297 break; 1298 } 1299 1300 result = kstrtoul(args[0].from, 16, &entry->fsmagic); 1301 if (!result) 1302 entry->flags |= IMA_FSMAGIC; 1303 break; 1304 case Opt_fsname: 1305 ima_log_string(ab, "fsname", args[0].from); 1306 1307 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); 1308 if (!entry->fsname) { 1309 result = -ENOMEM; 1310 break; 1311 } 1312 result = 0; 1313 entry->flags |= IMA_FSNAME; 1314 break; 1315 case Opt_keyrings: 1316 ima_log_string(ab, "keyrings", args[0].from); 1317 1318 if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || 1319 entry->keyrings) { 1320 result = -EINVAL; 1321 break; 1322 } 1323 1324 entry->keyrings = ima_alloc_rule_opt_list(args); 1325 if (IS_ERR(entry->keyrings)) { 1326 result = PTR_ERR(entry->keyrings); 1327 entry->keyrings = NULL; 1328 break; 1329 } 1330 1331 entry->flags |= IMA_KEYRINGS; 1332 break; 1333 case Opt_fsuuid: 1334 ima_log_string(ab, "fsuuid", args[0].from); 1335 1336 if (!uuid_is_null(&entry->fsuuid)) { 1337 result = -EINVAL; 1338 break; 1339 } 1340 1341 result = uuid_parse(args[0].from, &entry->fsuuid); 1342 if (!result) 1343 entry->flags |= IMA_FSUUID; 1344 break; 1345 case Opt_uid_gt: 1346 case Opt_euid_gt: 1347 entry->uid_op = &uid_gt; 1348 fallthrough; 1349 case Opt_uid_lt: 1350 case Opt_euid_lt: 1351 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) 1352 entry->uid_op = &uid_lt; 1353 fallthrough; 1354 case Opt_uid_eq: 1355 case Opt_euid_eq: 1356 uid_token = (token == Opt_uid_eq) || 1357 (token == Opt_uid_gt) || 1358 (token == Opt_uid_lt); 1359 1360 ima_log_string_op(ab, uid_token ? "uid" : "euid", 1361 args[0].from, entry->uid_op); 1362 1363 if (uid_valid(entry->uid)) { 1364 result = -EINVAL; 1365 break; 1366 } 1367 1368 result = kstrtoul(args[0].from, 10, &lnum); 1369 if (!result) { 1370 entry->uid = make_kuid(current_user_ns(), 1371 (uid_t) lnum); 1372 if (!uid_valid(entry->uid) || 1373 (uid_t)lnum != lnum) 1374 result = -EINVAL; 1375 else 1376 entry->flags |= uid_token 1377 ? IMA_UID : IMA_EUID; 1378 } 1379 break; 1380 case Opt_fowner_gt: 1381 entry->fowner_op = &uid_gt; 1382 fallthrough; 1383 case Opt_fowner_lt: 1384 if (token == Opt_fowner_lt) 1385 entry->fowner_op = &uid_lt; 1386 fallthrough; 1387 case Opt_fowner_eq: 1388 ima_log_string_op(ab, "fowner", args[0].from, 1389 entry->fowner_op); 1390 1391 if (uid_valid(entry->fowner)) { 1392 result = -EINVAL; 1393 break; 1394 } 1395 1396 result = kstrtoul(args[0].from, 10, &lnum); 1397 if (!result) { 1398 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); 1399 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) 1400 result = -EINVAL; 1401 else 1402 entry->flags |= IMA_FOWNER; 1403 } 1404 break; 1405 case Opt_obj_user: 1406 ima_log_string(ab, "obj_user", args[0].from); 1407 result = ima_lsm_rule_init(entry, args, 1408 LSM_OBJ_USER, 1409 AUDIT_OBJ_USER); 1410 break; 1411 case Opt_obj_role: 1412 ima_log_string(ab, "obj_role", args[0].from); 1413 result = ima_lsm_rule_init(entry, args, 1414 LSM_OBJ_ROLE, 1415 AUDIT_OBJ_ROLE); 1416 break; 1417 case Opt_obj_type: 1418 ima_log_string(ab, "obj_type", args[0].from); 1419 result = ima_lsm_rule_init(entry, args, 1420 LSM_OBJ_TYPE, 1421 AUDIT_OBJ_TYPE); 1422 break; 1423 case Opt_subj_user: 1424 ima_log_string(ab, "subj_user", args[0].from); 1425 result = ima_lsm_rule_init(entry, args, 1426 LSM_SUBJ_USER, 1427 AUDIT_SUBJ_USER); 1428 break; 1429 case Opt_subj_role: 1430 ima_log_string(ab, "subj_role", args[0].from); 1431 result = ima_lsm_rule_init(entry, args, 1432 LSM_SUBJ_ROLE, 1433 AUDIT_SUBJ_ROLE); 1434 break; 1435 case Opt_subj_type: 1436 ima_log_string(ab, "subj_type", args[0].from); 1437 result = ima_lsm_rule_init(entry, args, 1438 LSM_SUBJ_TYPE, 1439 AUDIT_SUBJ_TYPE); 1440 break; 1441 case Opt_appraise_type: 1442 ima_log_string(ab, "appraise_type", args[0].from); 1443 if ((strcmp(args[0].from, "imasig")) == 0) 1444 entry->flags |= IMA_DIGSIG_REQUIRED; 1445 else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1446 strcmp(args[0].from, "imasig|modsig") == 0) 1447 entry->flags |= IMA_DIGSIG_REQUIRED | 1448 IMA_MODSIG_ALLOWED; 1449 else 1450 result = -EINVAL; 1451 break; 1452 case Opt_appraise_flag: 1453 ima_log_string(ab, "appraise_flag", args[0].from); 1454 if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && 1455 strstr(args[0].from, "blacklist")) 1456 entry->flags |= IMA_CHECK_BLACKLIST; 1457 else 1458 result = -EINVAL; 1459 break; 1460 case Opt_permit_directio: 1461 entry->flags |= IMA_PERMIT_DIRECTIO; 1462 break; 1463 case Opt_pcr: 1464 ima_log_string(ab, "pcr", args[0].from); 1465 1466 result = kstrtoint(args[0].from, 10, &entry->pcr); 1467 if (result || INVALID_PCR(entry->pcr)) 1468 result = -EINVAL; 1469 else 1470 entry->flags |= IMA_PCR; 1471 1472 break; 1473 case Opt_template: 1474 ima_log_string(ab, "template", args[0].from); 1475 if (entry->action != MEASURE) { 1476 result = -EINVAL; 1477 break; 1478 } 1479 template_desc = lookup_template_desc(args[0].from); 1480 if (!template_desc || entry->template) { 1481 result = -EINVAL; 1482 break; 1483 } 1484 1485 /* 1486 * template_desc_init_fields() does nothing if 1487 * the template is already initialised, so 1488 * it's safe to do this unconditionally 1489 */ 1490 template_desc_init_fields(template_desc->fmt, 1491 &(template_desc->fields), 1492 &(template_desc->num_fields)); 1493 entry->template = template_desc; 1494 break; 1495 case Opt_err: 1496 ima_log_string(ab, "UNKNOWN", p); 1497 result = -EINVAL; 1498 break; 1499 } 1500 } 1501 if (!result && !ima_validate_rule(entry)) 1502 result = -EINVAL; 1503 else if (entry->action == APPRAISE) 1504 temp_ima_appraise |= ima_appraise_flag(entry->func); 1505 1506 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { 1507 template_desc = entry->template ? entry->template : 1508 ima_template_desc_current(); 1509 check_template_modsig(template_desc); 1510 } 1511 1512 audit_log_format(ab, "res=%d", !result); 1513 audit_log_end(ab); 1514 return result; 1515} 1516 1517/** 1518 * ima_parse_add_rule - add a rule to ima_policy_rules 1519 * @rule: ima measurement policy rule 1520 * 1521 * Avoid locking by allowing just one writer at a time in ima_write_policy() 1522 * Returns the length of the rule parsed, an error code on failure 1523 */ 1524ssize_t ima_parse_add_rule(char *rule) 1525{ 1526 static const char op[] = "update_policy"; 1527 char *p; 1528 struct ima_rule_entry *entry; 1529 ssize_t result, len; 1530 int audit_info = 0; 1531 1532 p = strsep(&rule, "\n"); 1533 len = strlen(p) + 1; 1534 p += strspn(p, " \t"); 1535 1536 if (*p == '#' || *p == '\0') 1537 return len; 1538 1539 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1540 if (!entry) { 1541 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1542 NULL, op, "-ENOMEM", -ENOMEM, audit_info); 1543 return -ENOMEM; 1544 } 1545 1546 INIT_LIST_HEAD(&entry->list); 1547 1548 result = ima_parse_rule(p, entry); 1549 if (result) { 1550 ima_free_rule(entry); 1551 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, 1552 NULL, op, "invalid-policy", result, 1553 audit_info); 1554 return result; 1555 } 1556 1557 list_add_tail(&entry->list, &ima_temp_rules); 1558 1559 return len; 1560} 1561 1562/** 1563 * ima_delete_rules() called to cleanup invalid in-flight policy. 1564 * We don't need locking as we operate on the temp list, which is 1565 * different from the active one. There is also only one user of 1566 * ima_delete_rules() at a time. 1567 */ 1568void ima_delete_rules(void) 1569{ 1570 struct ima_rule_entry *entry, *tmp; 1571 1572 temp_ima_appraise = 0; 1573 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 1574 list_del(&entry->list); 1575 ima_free_rule(entry); 1576 } 1577} 1578 1579#define __ima_hook_stringify(func, str) (#func), 1580 1581const char *const func_tokens[] = { 1582 __ima_hooks(__ima_hook_stringify) 1583}; 1584 1585#ifdef CONFIG_IMA_READ_POLICY 1586enum { 1587 mask_exec = 0, mask_write, mask_read, mask_append 1588}; 1589 1590static const char *const mask_tokens[] = { 1591 "^MAY_EXEC", 1592 "^MAY_WRITE", 1593 "^MAY_READ", 1594 "^MAY_APPEND" 1595}; 1596 1597void *ima_policy_start(struct seq_file *m, loff_t *pos) 1598{ 1599 loff_t l = *pos; 1600 struct ima_rule_entry *entry; 1601 1602 rcu_read_lock(); 1603 list_for_each_entry_rcu(entry, ima_rules, list) { 1604 if (!l--) { 1605 rcu_read_unlock(); 1606 return entry; 1607 } 1608 } 1609 rcu_read_unlock(); 1610 return NULL; 1611} 1612 1613void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 1614{ 1615 struct ima_rule_entry *entry = v; 1616 1617 rcu_read_lock(); 1618 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 1619 rcu_read_unlock(); 1620 (*pos)++; 1621 1622 return (&entry->list == ima_rules) ? NULL : entry; 1623} 1624 1625void ima_policy_stop(struct seq_file *m, void *v) 1626{ 1627} 1628 1629#define pt(token) policy_tokens[token].pattern 1630#define mt(token) mask_tokens[token] 1631 1632/* 1633 * policy_func_show - display the ima_hooks policy rule 1634 */ 1635static void policy_func_show(struct seq_file *m, enum ima_hooks func) 1636{ 1637 if (func > 0 && func < MAX_CHECK) 1638 seq_printf(m, "func=%s ", func_tokens[func]); 1639 else 1640 seq_printf(m, "func=%d ", func); 1641} 1642 1643static void ima_show_rule_opt_list(struct seq_file *m, 1644 const struct ima_rule_opt_list *opt_list) 1645{ 1646 size_t i; 1647 1648 for (i = 0; i < opt_list->count; i++) 1649 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 1650} 1651 1652int ima_policy_show(struct seq_file *m, void *v) 1653{ 1654 struct ima_rule_entry *entry = v; 1655 int i; 1656 char tbuf[64] = {0,}; 1657 int offset = 0; 1658 1659 rcu_read_lock(); 1660 1661 /* Do not print rules with inactive LSM labels */ 1662 for (i = 0; i < MAX_LSM_RULES; i++) { 1663 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { 1664 rcu_read_unlock(); 1665 return 0; 1666 } 1667 } 1668 1669 if (entry->action & MEASURE) 1670 seq_puts(m, pt(Opt_measure)); 1671 if (entry->action & DONT_MEASURE) 1672 seq_puts(m, pt(Opt_dont_measure)); 1673 if (entry->action & APPRAISE) 1674 seq_puts(m, pt(Opt_appraise)); 1675 if (entry->action & DONT_APPRAISE) 1676 seq_puts(m, pt(Opt_dont_appraise)); 1677 if (entry->action & AUDIT) 1678 seq_puts(m, pt(Opt_audit)); 1679 if (entry->action & HASH) 1680 seq_puts(m, pt(Opt_hash)); 1681 if (entry->action & DONT_HASH) 1682 seq_puts(m, pt(Opt_dont_hash)); 1683 1684 seq_puts(m, " "); 1685 1686 if (entry->flags & IMA_FUNC) 1687 policy_func_show(m, entry->func); 1688 1689 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { 1690 if (entry->flags & IMA_MASK) 1691 offset = 1; 1692 if (entry->mask & MAY_EXEC) 1693 seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); 1694 if (entry->mask & MAY_WRITE) 1695 seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); 1696 if (entry->mask & MAY_READ) 1697 seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); 1698 if (entry->mask & MAY_APPEND) 1699 seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); 1700 seq_puts(m, " "); 1701 } 1702 1703 if (entry->flags & IMA_FSMAGIC) { 1704 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 1705 seq_printf(m, pt(Opt_fsmagic), tbuf); 1706 seq_puts(m, " "); 1707 } 1708 1709 if (entry->flags & IMA_FSNAME) { 1710 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); 1711 seq_printf(m, pt(Opt_fsname), tbuf); 1712 seq_puts(m, " "); 1713 } 1714 1715 if (entry->flags & IMA_KEYRINGS) { 1716 seq_puts(m, "keyrings="); 1717 ima_show_rule_opt_list(m, entry->keyrings); 1718 seq_puts(m, " "); 1719 } 1720 1721 if (entry->flags & IMA_PCR) { 1722 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); 1723 seq_printf(m, pt(Opt_pcr), tbuf); 1724 seq_puts(m, " "); 1725 } 1726 1727 if (entry->flags & IMA_FSUUID) { 1728 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); 1729 seq_puts(m, " "); 1730 } 1731 1732 if (entry->flags & IMA_UID) { 1733 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1734 if (entry->uid_op == &uid_gt) 1735 seq_printf(m, pt(Opt_uid_gt), tbuf); 1736 else if (entry->uid_op == &uid_lt) 1737 seq_printf(m, pt(Opt_uid_lt), tbuf); 1738 else 1739 seq_printf(m, pt(Opt_uid_eq), tbuf); 1740 seq_puts(m, " "); 1741 } 1742 1743 if (entry->flags & IMA_EUID) { 1744 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 1745 if (entry->uid_op == &uid_gt) 1746 seq_printf(m, pt(Opt_euid_gt), tbuf); 1747 else if (entry->uid_op == &uid_lt) 1748 seq_printf(m, pt(Opt_euid_lt), tbuf); 1749 else 1750 seq_printf(m, pt(Opt_euid_eq), tbuf); 1751 seq_puts(m, " "); 1752 } 1753 1754 if (entry->flags & IMA_FOWNER) { 1755 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 1756 if (entry->fowner_op == &uid_gt) 1757 seq_printf(m, pt(Opt_fowner_gt), tbuf); 1758 else if (entry->fowner_op == &uid_lt) 1759 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1760 else 1761 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1762 seq_puts(m, " "); 1763 } 1764 1765 for (i = 0; i < MAX_LSM_RULES; i++) { 1766 if (entry->lsm[i].rule) { 1767 switch (i) { 1768 case LSM_OBJ_USER: 1769 seq_printf(m, pt(Opt_obj_user), 1770 entry->lsm[i].args_p); 1771 break; 1772 case LSM_OBJ_ROLE: 1773 seq_printf(m, pt(Opt_obj_role), 1774 entry->lsm[i].args_p); 1775 break; 1776 case LSM_OBJ_TYPE: 1777 seq_printf(m, pt(Opt_obj_type), 1778 entry->lsm[i].args_p); 1779 break; 1780 case LSM_SUBJ_USER: 1781 seq_printf(m, pt(Opt_subj_user), 1782 entry->lsm[i].args_p); 1783 break; 1784 case LSM_SUBJ_ROLE: 1785 seq_printf(m, pt(Opt_subj_role), 1786 entry->lsm[i].args_p); 1787 break; 1788 case LSM_SUBJ_TYPE: 1789 seq_printf(m, pt(Opt_subj_type), 1790 entry->lsm[i].args_p); 1791 break; 1792 } 1793 seq_puts(m, " "); 1794 } 1795 } 1796 if (entry->template) 1797 seq_printf(m, "template=%s ", entry->template->name); 1798 if (entry->flags & IMA_DIGSIG_REQUIRED) { 1799 if (entry->flags & IMA_MODSIG_ALLOWED) 1800 seq_puts(m, "appraise_type=imasig|modsig "); 1801 else 1802 seq_puts(m, "appraise_type=imasig "); 1803 } 1804 if (entry->flags & IMA_CHECK_BLACKLIST) 1805 seq_puts(m, "appraise_flag=check_blacklist "); 1806 if (entry->flags & IMA_PERMIT_DIRECTIO) 1807 seq_puts(m, "permit_directio "); 1808 rcu_read_unlock(); 1809 seq_puts(m, "\n"); 1810 return 0; 1811} 1812#endif /* CONFIG_IMA_READ_POLICY */ 1813 1814#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) 1815/* 1816 * ima_appraise_signature: whether IMA will appraise a given function using 1817 * an IMA digital signature. This is restricted to cases where the kernel 1818 * has a set of built-in trusted keys in order to avoid an attacker simply 1819 * loading additional keys. 1820 */ 1821bool ima_appraise_signature(enum kernel_read_file_id id) 1822{ 1823 struct ima_rule_entry *entry; 1824 bool found = false; 1825 enum ima_hooks func; 1826 1827 if (id >= READING_MAX_ID) 1828 return false; 1829 1830 if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) 1831 && security_locked_down(LOCKDOWN_KEXEC)) 1832 return false; 1833 1834 func = read_idmap[id] ?: FILE_CHECK; 1835 1836 rcu_read_lock(); 1837 list_for_each_entry_rcu(entry, ima_rules, list) { 1838 if (entry->action != APPRAISE) 1839 continue; 1840 1841 /* 1842 * A generic entry will match, but otherwise require that it 1843 * match the func we're looking for 1844 */ 1845 if (entry->func && entry->func != func) 1846 continue; 1847 1848 /* 1849 * We require this to be a digital signature, not a raw IMA 1850 * hash. 1851 */ 1852 if (entry->flags & IMA_DIGSIG_REQUIRED) 1853 found = true; 1854 1855 /* 1856 * We've found a rule that matches, so break now even if it 1857 * didn't require a digital signature - a later rule that does 1858 * won't override it, so would be a false positive. 1859 */ 1860 break; 1861 } 1862 1863 rcu_read_unlock(); 1864 return found; 1865} 1866#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 1867