2 * Copyright (C) 2008 IBM Corporation
3 * Author: Mimi Zohar <zohar@us.ibm.com>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 2 of the License.
10 * - initialize default measure policy rules
13 #include <linux/init.h>
14 #include <linux/list.h>
16 #include <linux/security.h>
17 #include <linux/magic.h>
18 #include <linux/parser.h>
19 #include <linux/slab.h>
20 #include <linux/rculist.h>
21 #include <linux/genhd.h>
22 #include <linux/seq_file.h>
23 #include <linux/ima.h>
27 /* flags definitions */
28 #define IMA_FUNC 0x0001
29 #define IMA_MASK 0x0002
30 #define IMA_FSMAGIC 0x0004
31 #define IMA_UID 0x0008
32 #define IMA_FOWNER 0x0010
33 #define IMA_FSUUID 0x0020
34 #define IMA_INMASK 0x0040
35 #define IMA_EUID 0x0080
36 #define IMA_PCR 0x0100
37 #define IMA_FSNAME 0x0200
40 #define MEASURE 0x0001 /* same as IMA_MEASURE */
41 #define DONT_MEASURE 0x0002
42 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
43 #define DONT_APPRAISE 0x0008
46 #define DONT_HASH 0x0200
48 #define INVALID_PCR(a) (((a) < 0) || \
49 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
52 static int temp_ima_appraise
;
53 static int build_ima_appraise __ro_after_init
;
55 #define MAX_LSM_RULES 6
56 enum lsm_rule_types
{ LSM_OBJ_USER
, LSM_OBJ_ROLE
, LSM_OBJ_TYPE
,
57 LSM_SUBJ_USER
, LSM_SUBJ_ROLE
, LSM_SUBJ_TYPE
60 enum policy_types
{ ORIGINAL_TCB
= 1, DEFAULT_TCB
};
62 enum policy_rule_list
{ IMA_DEFAULT_POLICY
= 1, IMA_CUSTOM_POLICY
};
64 struct ima_rule_entry
{
65 struct list_head list
;
70 unsigned long fsmagic
;
74 bool (*uid_op
)(kuid_t
, kuid_t
); /* Handlers for operators */
75 bool (*fowner_op
)(kuid_t
, kuid_t
); /* uid_eq(), uid_gt(), uid_lt() */
78 void *rule
; /* LSM file metadata specific */
79 void *args_p
; /* audit value */
80 int type
; /* audit type */
86 * Without LSM specific knowledge, the default policy can only be
87 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
91 * The minimum rule set to allow for full TCB coverage. Measures all files
92 * opened or mmap for exec and everything read by root. Dangerous because
93 * normal users can easily run the machine out of memory simply building
94 * and running executables.
96 static struct ima_rule_entry dont_measure_rules
[] __ro_after_init
= {
97 {.action
= DONT_MEASURE
, .fsmagic
= PROC_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
98 {.action
= DONT_MEASURE
, .fsmagic
= SYSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
99 {.action
= DONT_MEASURE
, .fsmagic
= DEBUGFS_MAGIC
, .flags
= IMA_FSMAGIC
},
100 {.action
= DONT_MEASURE
, .fsmagic
= TMPFS_MAGIC
, .flags
= IMA_FSMAGIC
},
101 {.action
= DONT_MEASURE
, .fsmagic
= DEVPTS_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
102 {.action
= DONT_MEASURE
, .fsmagic
= BINFMTFS_MAGIC
, .flags
= IMA_FSMAGIC
},
103 {.action
= DONT_MEASURE
, .fsmagic
= SECURITYFS_MAGIC
, .flags
= IMA_FSMAGIC
},
104 {.action
= DONT_MEASURE
, .fsmagic
= SELINUX_MAGIC
, .flags
= IMA_FSMAGIC
},
105 {.action
= DONT_MEASURE
, .fsmagic
= SMACK_MAGIC
, .flags
= IMA_FSMAGIC
},
106 {.action
= DONT_MEASURE
, .fsmagic
= CGROUP_SUPER_MAGIC
,
107 .flags
= IMA_FSMAGIC
},
108 {.action
= DONT_MEASURE
, .fsmagic
= CGROUP2_SUPER_MAGIC
,
109 .flags
= IMA_FSMAGIC
},
110 {.action
= DONT_MEASURE
, .fsmagic
= NSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
111 {.action
= DONT_MEASURE
, .fsmagic
= EFIVARFS_MAGIC
, .flags
= IMA_FSMAGIC
}
114 static struct ima_rule_entry original_measurement_rules
[] __ro_after_init
= {
115 {.action
= MEASURE
, .func
= MMAP_CHECK
, .mask
= MAY_EXEC
,
116 .flags
= IMA_FUNC
| IMA_MASK
},
117 {.action
= MEASURE
, .func
= BPRM_CHECK
, .mask
= MAY_EXEC
,
118 .flags
= IMA_FUNC
| IMA_MASK
},
119 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
120 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
121 .flags
= IMA_FUNC
| IMA_MASK
| IMA_UID
},
122 {.action
= MEASURE
, .func
= MODULE_CHECK
, .flags
= IMA_FUNC
},
123 {.action
= MEASURE
, .func
= FIRMWARE_CHECK
, .flags
= IMA_FUNC
},
126 static struct ima_rule_entry default_measurement_rules
[] __ro_after_init
= {
127 {.action
= MEASURE
, .func
= MMAP_CHECK
, .mask
= MAY_EXEC
,
128 .flags
= IMA_FUNC
| IMA_MASK
},
129 {.action
= MEASURE
, .func
= BPRM_CHECK
, .mask
= MAY_EXEC
,
130 .flags
= IMA_FUNC
| IMA_MASK
},
131 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
132 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
133 .flags
= IMA_FUNC
| IMA_INMASK
| IMA_EUID
},
134 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
135 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
136 .flags
= IMA_FUNC
| IMA_INMASK
| IMA_UID
},
137 {.action
= MEASURE
, .func
= MODULE_CHECK
, .flags
= IMA_FUNC
},
138 {.action
= MEASURE
, .func
= FIRMWARE_CHECK
, .flags
= IMA_FUNC
},
139 {.action
= MEASURE
, .func
= POLICY_CHECK
, .flags
= IMA_FUNC
},
142 static struct ima_rule_entry default_appraise_rules
[] __ro_after_init
= {
143 {.action
= DONT_APPRAISE
, .fsmagic
= PROC_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
144 {.action
= DONT_APPRAISE
, .fsmagic
= SYSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
145 {.action
= DONT_APPRAISE
, .fsmagic
= DEBUGFS_MAGIC
, .flags
= IMA_FSMAGIC
},
146 {.action
= DONT_APPRAISE
, .fsmagic
= TMPFS_MAGIC
, .flags
= IMA_FSMAGIC
},
147 {.action
= DONT_APPRAISE
, .fsmagic
= RAMFS_MAGIC
, .flags
= IMA_FSMAGIC
},
148 {.action
= DONT_APPRAISE
, .fsmagic
= DEVPTS_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
149 {.action
= DONT_APPRAISE
, .fsmagic
= BINFMTFS_MAGIC
, .flags
= IMA_FSMAGIC
},
150 {.action
= DONT_APPRAISE
, .fsmagic
= SECURITYFS_MAGIC
, .flags
= IMA_FSMAGIC
},
151 {.action
= DONT_APPRAISE
, .fsmagic
= SELINUX_MAGIC
, .flags
= IMA_FSMAGIC
},
152 {.action
= DONT_APPRAISE
, .fsmagic
= SMACK_MAGIC
, .flags
= IMA_FSMAGIC
},
153 {.action
= DONT_APPRAISE
, .fsmagic
= NSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
154 {.action
= DONT_APPRAISE
, .fsmagic
= EFIVARFS_MAGIC
, .flags
= IMA_FSMAGIC
},
155 {.action
= DONT_APPRAISE
, .fsmagic
= CGROUP_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
156 {.action
= DONT_APPRAISE
, .fsmagic
= CGROUP2_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
157 #ifdef CONFIG_IMA_WRITE_POLICY
158 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
159 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
161 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
162 {.action
= APPRAISE
, .fowner
= GLOBAL_ROOT_UID
, .fowner_op
= &uid_eq
,
163 .flags
= IMA_FOWNER
},
165 /* force signature */
166 {.action
= APPRAISE
, .fowner
= GLOBAL_ROOT_UID
, .fowner_op
= &uid_eq
,
167 .flags
= IMA_FOWNER
| IMA_DIGSIG_REQUIRED
},
171 static struct ima_rule_entry build_appraise_rules
[] __ro_after_init
= {
172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
173 {.action
= APPRAISE
, .func
= MODULE_CHECK
,
174 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
177 {.action
= APPRAISE
, .func
= FIRMWARE_CHECK
,
178 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
181 {.action
= APPRAISE
, .func
= KEXEC_KERNEL_CHECK
,
182 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
185 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
186 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
190 static struct ima_rule_entry secure_boot_rules
[] __ro_after_init
= {
191 {.action
= APPRAISE
, .func
= MODULE_CHECK
,
192 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
193 {.action
= APPRAISE
, .func
= FIRMWARE_CHECK
,
194 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
195 {.action
= APPRAISE
, .func
= KEXEC_KERNEL_CHECK
,
196 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
197 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
198 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
201 /* An array of architecture specific rules */
202 struct ima_rule_entry
*arch_policy_entry __ro_after_init
;
204 static LIST_HEAD(ima_default_rules
);
205 static LIST_HEAD(ima_policy_rules
);
206 static LIST_HEAD(ima_temp_rules
);
207 static struct list_head
*ima_rules
;
209 static int ima_policy __initdata
;
211 static int __init
default_measure_policy_setup(char *str
)
216 ima_policy
= ORIGINAL_TCB
;
219 __setup("ima_tcb", default_measure_policy_setup
);
221 static bool ima_use_appraise_tcb __initdata
;
222 static bool ima_use_secure_boot __initdata
;
223 static bool ima_fail_unverifiable_sigs __ro_after_init
;
224 static int __init
policy_setup(char *str
)
228 while ((p
= strsep(&str
, " |\n")) != NULL
) {
231 if ((strcmp(p
, "tcb") == 0) && !ima_policy
)
232 ima_policy
= DEFAULT_TCB
;
233 else if (strcmp(p
, "appraise_tcb") == 0)
234 ima_use_appraise_tcb
= true;
235 else if (strcmp(p
, "secure_boot") == 0)
236 ima_use_secure_boot
= true;
237 else if (strcmp(p
, "fail_securely") == 0)
238 ima_fail_unverifiable_sigs
= true;
243 __setup("ima_policy=", policy_setup
);
245 static int __init
default_appraise_policy_setup(char *str
)
247 ima_use_appraise_tcb
= true;
250 __setup("ima_appraise_tcb", default_appraise_policy_setup
);
253 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
254 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect
255 * the reloaded LSM policy. We assume the rules still exist; and BUG_ON() if
258 static void ima_lsm_update_rules(void)
260 struct ima_rule_entry
*entry
;
264 list_for_each_entry(entry
, &ima_policy_rules
, list
) {
265 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
266 if (!entry
->lsm
[i
].rule
)
268 result
= security_filter_rule_init(entry
->lsm
[i
].type
,
270 entry
->lsm
[i
].args_p
,
271 &entry
->lsm
[i
].rule
);
272 BUG_ON(!entry
->lsm
[i
].rule
);
278 * ima_match_rules - determine whether an inode matches the measure rule.
279 * @rule: a pointer to a rule
280 * @inode: a pointer to an inode
281 * @cred: a pointer to a credentials structure for user validation
282 * @secid: the secid of the task to be validated
283 * @func: LIM hook identifier
284 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
286 * Returns true on rule match, false on failure.
288 static bool ima_match_rules(struct ima_rule_entry
*rule
, struct inode
*inode
,
289 const struct cred
*cred
, u32 secid
,
290 enum ima_hooks func
, int mask
)
294 if ((rule
->flags
& IMA_FUNC
) &&
295 (rule
->func
!= func
&& func
!= POST_SETATTR
))
297 if ((rule
->flags
& IMA_MASK
) &&
298 (rule
->mask
!= mask
&& func
!= POST_SETATTR
))
300 if ((rule
->flags
& IMA_INMASK
) &&
301 (!(rule
->mask
& mask
) && func
!= POST_SETATTR
))
303 if ((rule
->flags
& IMA_FSMAGIC
)
304 && rule
->fsmagic
!= inode
->i_sb
->s_magic
)
306 if ((rule
->flags
& IMA_FSNAME
)
307 && strcmp(rule
->fsname
, inode
->i_sb
->s_type
->name
))
309 if ((rule
->flags
& IMA_FSUUID
) &&
310 !uuid_equal(&rule
->fsuuid
, &inode
->i_sb
->s_uuid
))
312 if ((rule
->flags
& IMA_UID
) && !rule
->uid_op(cred
->uid
, rule
->uid
))
314 if (rule
->flags
& IMA_EUID
) {
315 if (has_capability_noaudit(current
, CAP_SETUID
)) {
316 if (!rule
->uid_op(cred
->euid
, rule
->uid
)
317 && !rule
->uid_op(cred
->suid
, rule
->uid
)
318 && !rule
->uid_op(cred
->uid
, rule
->uid
))
320 } else if (!rule
->uid_op(cred
->euid
, rule
->uid
))
324 if ((rule
->flags
& IMA_FOWNER
) &&
325 !rule
->fowner_op(inode
->i_uid
, rule
->fowner
))
327 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
332 if (!rule
->lsm
[i
].rule
)
339 security_inode_getsecid(inode
, &osid
);
340 rc
= security_filter_rule_match(osid
,
348 rc
= security_filter_rule_match(secid
,
355 if ((rc
< 0) && (!retried
)) {
357 ima_lsm_update_rules();
367 * In addition to knowing that we need to appraise the file in general,
368 * we need to differentiate between calling hooks, for hook specific rules.
370 static int get_subaction(struct ima_rule_entry
*rule
, enum ima_hooks func
)
372 if (!(rule
->flags
& IMA_FUNC
))
373 return IMA_FILE_APPRAISE
;
377 return IMA_MMAP_APPRAISE
;
379 return IMA_BPRM_APPRAISE
;
381 return IMA_CREDS_APPRAISE
;
384 return IMA_FILE_APPRAISE
;
385 case MODULE_CHECK
... MAX_CHECK
- 1:
387 return IMA_READ_APPRAISE
;
392 * ima_match_policy - decision based on LSM and other conditions
393 * @inode: pointer to an inode for which the policy decision is being made
394 * @cred: pointer to a credentials structure for which the policy decision is
396 * @secid: LSM secid of the task to be validated
397 * @func: IMA hook identifier
398 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
399 * @pcr: set the pcr to extend
401 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
404 * Since the IMA policy may be updated multiple times we need to lock the
405 * list when walking it. Reads are many orders of magnitude more numerous
406 * than writes so ima_match_policy() is classical RCU candidate.
408 int ima_match_policy(struct inode
*inode
, const struct cred
*cred
, u32 secid
,
409 enum ima_hooks func
, int mask
, int flags
, int *pcr
)
411 struct ima_rule_entry
*entry
;
412 int action
= 0, actmask
= flags
| (flags
<< 1);
415 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
417 if (!(entry
->action
& actmask
))
420 if (!ima_match_rules(entry
, inode
, cred
, secid
, func
, mask
))
423 action
|= entry
->flags
& IMA_ACTION_FLAGS
;
425 action
|= entry
->action
& IMA_DO_MASK
;
426 if (entry
->action
& IMA_APPRAISE
) {
427 action
|= get_subaction(entry
, func
);
429 if (ima_fail_unverifiable_sigs
)
430 action
|= IMA_FAIL_UNVERIFIABLE_SIGS
;
433 if (entry
->action
& IMA_DO_MASK
)
434 actmask
&= ~(entry
->action
| entry
->action
<< 1);
436 actmask
&= ~(entry
->action
| entry
->action
>> 1);
438 if ((pcr
) && (entry
->flags
& IMA_PCR
))
450 * Initialize the ima_policy_flag variable based on the currently
451 * loaded policy. Based on this flag, the decision to short circuit
452 * out of a function or not call the function in the first place
453 * can be made earlier.
455 void ima_update_policy_flag(void)
457 struct ima_rule_entry
*entry
;
459 list_for_each_entry(entry
, ima_rules
, list
) {
460 if (entry
->action
& IMA_DO_MASK
)
461 ima_policy_flag
|= entry
->action
;
464 ima_appraise
|= (build_ima_appraise
| temp_ima_appraise
);
466 ima_policy_flag
&= ~IMA_APPRAISE
;
469 static int ima_appraise_flag(enum ima_hooks func
)
471 if (func
== MODULE_CHECK
)
472 return IMA_APPRAISE_MODULES
;
473 else if (func
== FIRMWARE_CHECK
)
474 return IMA_APPRAISE_FIRMWARE
;
475 else if (func
== POLICY_CHECK
)
476 return IMA_APPRAISE_POLICY
;
477 else if (func
== KEXEC_KERNEL_CHECK
)
478 return IMA_APPRAISE_KEXEC
;
482 static void add_rules(struct ima_rule_entry
*entries
, int count
,
483 enum policy_rule_list policy_rule
)
487 for (i
= 0; i
< count
; i
++) {
488 struct ima_rule_entry
*entry
;
490 if (policy_rule
& IMA_DEFAULT_POLICY
)
491 list_add_tail(&entries
[i
].list
, &ima_default_rules
);
493 if (policy_rule
& IMA_CUSTOM_POLICY
) {
494 entry
= kmemdup(&entries
[i
], sizeof(*entry
),
499 list_add_tail(&entry
->list
, &ima_policy_rules
);
501 if (entries
[i
].action
== APPRAISE
) {
502 temp_ima_appraise
|= ima_appraise_flag(entries
[i
].func
);
503 if (entries
[i
].func
== POLICY_CHECK
)
504 temp_ima_appraise
|= IMA_APPRAISE_POLICY
;
509 static int ima_parse_rule(char *rule
, struct ima_rule_entry
*entry
);
511 static int __init
ima_init_arch_policy(void)
513 const char * const *arch_rules
;
514 const char * const *rules
;
515 int arch_entries
= 0;
518 arch_rules
= arch_get_ima_policy();
522 /* Get number of rules */
523 for (rules
= arch_rules
; *rules
!= NULL
; rules
++)
526 arch_policy_entry
= kcalloc(arch_entries
+ 1,
527 sizeof(*arch_policy_entry
), GFP_KERNEL
);
528 if (!arch_policy_entry
)
531 /* Convert each policy string rules to struct ima_rule_entry format */
532 for (rules
= arch_rules
, i
= 0; *rules
!= NULL
; rules
++) {
536 result
= strlcpy(rule
, *rules
, sizeof(rule
));
538 INIT_LIST_HEAD(&arch_policy_entry
[i
].list
);
539 result
= ima_parse_rule(rule
, &arch_policy_entry
[i
]);
541 pr_warn("Skipping unknown architecture policy rule: %s\n",
543 memset(&arch_policy_entry
[i
], 0,
544 sizeof(*arch_policy_entry
));
553 * ima_init_policy - initialize the default measure rules.
555 * ima_rules points to either the ima_default_rules or the
556 * the new ima_policy_rules.
558 void __init
ima_init_policy(void)
560 int build_appraise_entries
, arch_entries
;
562 /* if !ima_policy, we load NO default rules */
564 add_rules(dont_measure_rules
, ARRAY_SIZE(dont_measure_rules
),
567 switch (ima_policy
) {
569 add_rules(original_measurement_rules
,
570 ARRAY_SIZE(original_measurement_rules
),
574 add_rules(default_measurement_rules
,
575 ARRAY_SIZE(default_measurement_rules
),
582 * Based on runtime secure boot flags, insert arch specific measurement
583 * and appraise rules requiring file signatures for both the initial
584 * and custom policies, prior to other appraise rules.
587 arch_entries
= ima_init_arch_policy();
589 pr_info("No architecture policies found\n");
591 add_rules(arch_policy_entry
, arch_entries
,
592 IMA_DEFAULT_POLICY
| IMA_CUSTOM_POLICY
);
595 * Insert the builtin "secure_boot" policy rules requiring file
596 * signatures, prior to other appraise rules.
598 if (ima_use_secure_boot
)
599 add_rules(secure_boot_rules
, ARRAY_SIZE(secure_boot_rules
),
603 * Insert the build time appraise rules requiring file signatures
604 * for both the initial and custom policies, prior to other appraise
605 * rules. As the secure boot rules includes all of the build time
606 * rules, include either one or the other set of rules, but not both.
608 build_appraise_entries
= ARRAY_SIZE(build_appraise_rules
);
609 if (build_appraise_entries
) {
610 if (ima_use_secure_boot
)
611 add_rules(build_appraise_rules
, build_appraise_entries
,
614 add_rules(build_appraise_rules
, build_appraise_entries
,
615 IMA_DEFAULT_POLICY
| IMA_CUSTOM_POLICY
);
618 if (ima_use_appraise_tcb
)
619 add_rules(default_appraise_rules
,
620 ARRAY_SIZE(default_appraise_rules
),
623 ima_rules
= &ima_default_rules
;
624 ima_update_policy_flag();
627 /* Make sure we have a valid policy, at least containing some rules. */
628 int ima_check_policy(void)
630 if (list_empty(&ima_temp_rules
))
636 * ima_update_policy - update default_rules with new measure rules
638 * Called on file .release to update the default rules with a complete new
639 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so
640 * they make a queue. The policy may be updated multiple times and this is the
643 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
644 * we switch from the default policy to user defined.
646 void ima_update_policy(void)
648 struct list_head
*policy
= &ima_policy_rules
;
650 list_splice_tail_init_rcu(&ima_temp_rules
, policy
, synchronize_rcu
);
652 if (ima_rules
!= policy
) {
657 * IMA architecture specific policy rules are specified
658 * as strings and converted to an array of ima_entry_rules
659 * on boot. After loading a custom policy, free the
660 * architecture specific rules stored as an array.
662 kfree(arch_policy_entry
);
664 ima_update_policy_flag();
667 /* Keep the enumeration in sync with the policy_tokens! */
669 Opt_measure
, Opt_dont_measure
,
670 Opt_appraise
, Opt_dont_appraise
,
671 Opt_audit
, Opt_hash
, Opt_dont_hash
,
672 Opt_obj_user
, Opt_obj_role
, Opt_obj_type
,
673 Opt_subj_user
, Opt_subj_role
, Opt_subj_type
,
674 Opt_func
, Opt_mask
, Opt_fsmagic
, Opt_fsname
,
675 Opt_fsuuid
, Opt_uid_eq
, Opt_euid_eq
, Opt_fowner_eq
,
676 Opt_uid_gt
, Opt_euid_gt
, Opt_fowner_gt
,
677 Opt_uid_lt
, Opt_euid_lt
, Opt_fowner_lt
,
678 Opt_appraise_type
, Opt_permit_directio
,
682 static const match_table_t policy_tokens
= {
683 {Opt_measure
, "measure"},
684 {Opt_dont_measure
, "dont_measure"},
685 {Opt_appraise
, "appraise"},
686 {Opt_dont_appraise
, "dont_appraise"},
687 {Opt_audit
, "audit"},
689 {Opt_dont_hash
, "dont_hash"},
690 {Opt_obj_user
, "obj_user=%s"},
691 {Opt_obj_role
, "obj_role=%s"},
692 {Opt_obj_type
, "obj_type=%s"},
693 {Opt_subj_user
, "subj_user=%s"},
694 {Opt_subj_role
, "subj_role=%s"},
695 {Opt_subj_type
, "subj_type=%s"},
696 {Opt_func
, "func=%s"},
697 {Opt_mask
, "mask=%s"},
698 {Opt_fsmagic
, "fsmagic=%s"},
699 {Opt_fsname
, "fsname=%s"},
700 {Opt_fsuuid
, "fsuuid=%s"},
701 {Opt_uid_eq
, "uid=%s"},
702 {Opt_euid_eq
, "euid=%s"},
703 {Opt_fowner_eq
, "fowner=%s"},
704 {Opt_uid_gt
, "uid>%s"},
705 {Opt_euid_gt
, "euid>%s"},
706 {Opt_fowner_gt
, "fowner>%s"},
707 {Opt_uid_lt
, "uid<%s"},
708 {Opt_euid_lt
, "euid<%s"},
709 {Opt_fowner_lt
, "fowner<%s"},
710 {Opt_appraise_type
, "appraise_type=%s"},
711 {Opt_permit_directio
, "permit_directio"},
716 static int ima_lsm_rule_init(struct ima_rule_entry
*entry
,
717 substring_t
*args
, int lsm_rule
, int audit_type
)
721 if (entry
->lsm
[lsm_rule
].rule
)
724 entry
->lsm
[lsm_rule
].args_p
= match_strdup(args
);
725 if (!entry
->lsm
[lsm_rule
].args_p
)
728 entry
->lsm
[lsm_rule
].type
= audit_type
;
729 result
= security_filter_rule_init(entry
->lsm
[lsm_rule
].type
,
731 entry
->lsm
[lsm_rule
].args_p
,
732 &entry
->lsm
[lsm_rule
].rule
);
733 if (!entry
->lsm
[lsm_rule
].rule
) {
734 kfree(entry
->lsm
[lsm_rule
].args_p
);
741 static void ima_log_string_op(struct audit_buffer
*ab
, char *key
, char *value
,
742 bool (*rule_operator
)(kuid_t
, kuid_t
))
747 if (rule_operator
== &uid_gt
)
748 audit_log_format(ab
, "%s>", key
);
749 else if (rule_operator
== &uid_lt
)
750 audit_log_format(ab
, "%s<", key
);
752 audit_log_format(ab
, "%s=", key
);
753 audit_log_format(ab
, "%s ", value
);
755 static void ima_log_string(struct audit_buffer
*ab
, char *key
, char *value
)
757 ima_log_string_op(ab
, key
, value
, NULL
);
760 static int ima_parse_rule(char *rule
, struct ima_rule_entry
*entry
)
762 struct audit_buffer
*ab
;
768 ab
= integrity_audit_log_start(audit_context(), GFP_KERNEL
,
769 AUDIT_INTEGRITY_POLICY_RULE
);
771 entry
->uid
= INVALID_UID
;
772 entry
->fowner
= INVALID_UID
;
773 entry
->uid_op
= &uid_eq
;
774 entry
->fowner_op
= &uid_eq
;
775 entry
->action
= UNKNOWN
;
776 while ((p
= strsep(&rule
, " \t")) != NULL
) {
777 substring_t args
[MAX_OPT_ARGS
];
783 if ((*p
== '\0') || (*p
== ' ') || (*p
== '\t'))
785 token
= match_token(p
, policy_tokens
, args
);
788 ima_log_string(ab
, "action", "measure");
790 if (entry
->action
!= UNKNOWN
)
793 entry
->action
= MEASURE
;
795 case Opt_dont_measure
:
796 ima_log_string(ab
, "action", "dont_measure");
798 if (entry
->action
!= UNKNOWN
)
801 entry
->action
= DONT_MEASURE
;
804 ima_log_string(ab
, "action", "appraise");
806 if (entry
->action
!= UNKNOWN
)
809 entry
->action
= APPRAISE
;
811 case Opt_dont_appraise
:
812 ima_log_string(ab
, "action", "dont_appraise");
814 if (entry
->action
!= UNKNOWN
)
817 entry
->action
= DONT_APPRAISE
;
820 ima_log_string(ab
, "action", "audit");
822 if (entry
->action
!= UNKNOWN
)
825 entry
->action
= AUDIT
;
828 ima_log_string(ab
, "action", "hash");
830 if (entry
->action
!= UNKNOWN
)
833 entry
->action
= HASH
;
836 ima_log_string(ab
, "action", "dont_hash");
838 if (entry
->action
!= UNKNOWN
)
841 entry
->action
= DONT_HASH
;
844 ima_log_string(ab
, "func", args
[0].from
);
849 if (strcmp(args
[0].from
, "FILE_CHECK") == 0)
850 entry
->func
= FILE_CHECK
;
851 /* PATH_CHECK is for backwards compat */
852 else if (strcmp(args
[0].from
, "PATH_CHECK") == 0)
853 entry
->func
= FILE_CHECK
;
854 else if (strcmp(args
[0].from
, "MODULE_CHECK") == 0)
855 entry
->func
= MODULE_CHECK
;
856 else if (strcmp(args
[0].from
, "FIRMWARE_CHECK") == 0)
857 entry
->func
= FIRMWARE_CHECK
;
858 else if ((strcmp(args
[0].from
, "FILE_MMAP") == 0)
859 || (strcmp(args
[0].from
, "MMAP_CHECK") == 0))
860 entry
->func
= MMAP_CHECK
;
861 else if (strcmp(args
[0].from
, "BPRM_CHECK") == 0)
862 entry
->func
= BPRM_CHECK
;
863 else if (strcmp(args
[0].from
, "CREDS_CHECK") == 0)
864 entry
->func
= CREDS_CHECK
;
865 else if (strcmp(args
[0].from
, "KEXEC_KERNEL_CHECK") ==
867 entry
->func
= KEXEC_KERNEL_CHECK
;
868 else if (strcmp(args
[0].from
, "KEXEC_INITRAMFS_CHECK")
870 entry
->func
= KEXEC_INITRAMFS_CHECK
;
871 else if (strcmp(args
[0].from
, "POLICY_CHECK") == 0)
872 entry
->func
= POLICY_CHECK
;
876 entry
->flags
|= IMA_FUNC
;
879 ima_log_string(ab
, "mask", args
[0].from
);
888 if ((strcmp(from
, "MAY_EXEC")) == 0)
889 entry
->mask
= MAY_EXEC
;
890 else if (strcmp(from
, "MAY_WRITE") == 0)
891 entry
->mask
= MAY_WRITE
;
892 else if (strcmp(from
, "MAY_READ") == 0)
893 entry
->mask
= MAY_READ
;
894 else if (strcmp(from
, "MAY_APPEND") == 0)
895 entry
->mask
= MAY_APPEND
;
899 entry
->flags
|= (*args
[0].from
== '^')
900 ? IMA_INMASK
: IMA_MASK
;
903 ima_log_string(ab
, "fsmagic", args
[0].from
);
905 if (entry
->fsmagic
) {
910 result
= kstrtoul(args
[0].from
, 16, &entry
->fsmagic
);
912 entry
->flags
|= IMA_FSMAGIC
;
915 ima_log_string(ab
, "fsname", args
[0].from
);
917 entry
->fsname
= kstrdup(args
[0].from
, GFP_KERNEL
);
918 if (!entry
->fsname
) {
923 entry
->flags
|= IMA_FSNAME
;
926 ima_log_string(ab
, "fsuuid", args
[0].from
);
928 if (!uuid_is_null(&entry
->fsuuid
)) {
933 result
= uuid_parse(args
[0].from
, &entry
->fsuuid
);
935 entry
->flags
|= IMA_FSUUID
;
939 entry
->uid_op
= &uid_gt
;
943 if ((token
== Opt_uid_lt
) || (token
== Opt_euid_lt
))
944 entry
->uid_op
= &uid_lt
;
948 uid_token
= (token
== Opt_uid_eq
) ||
949 (token
== Opt_uid_gt
) ||
950 (token
== Opt_uid_lt
);
952 ima_log_string_op(ab
, uid_token
? "uid" : "euid",
953 args
[0].from
, entry
->uid_op
);
955 if (uid_valid(entry
->uid
)) {
960 result
= kstrtoul(args
[0].from
, 10, &lnum
);
962 entry
->uid
= make_kuid(current_user_ns(),
964 if (!uid_valid(entry
->uid
) ||
968 entry
->flags
|= uid_token
969 ? IMA_UID
: IMA_EUID
;
973 entry
->fowner_op
= &uid_gt
;
976 if (token
== Opt_fowner_lt
)
977 entry
->fowner_op
= &uid_lt
;
980 ima_log_string_op(ab
, "fowner", args
[0].from
,
983 if (uid_valid(entry
->fowner
)) {
988 result
= kstrtoul(args
[0].from
, 10, &lnum
);
990 entry
->fowner
= make_kuid(current_user_ns(), (uid_t
)lnum
);
991 if (!uid_valid(entry
->fowner
) || (((uid_t
)lnum
) != lnum
))
994 entry
->flags
|= IMA_FOWNER
;
998 ima_log_string(ab
, "obj_user", args
[0].from
);
999 result
= ima_lsm_rule_init(entry
, args
,
1004 ima_log_string(ab
, "obj_role", args
[0].from
);
1005 result
= ima_lsm_rule_init(entry
, args
,
1010 ima_log_string(ab
, "obj_type", args
[0].from
);
1011 result
= ima_lsm_rule_init(entry
, args
,
1016 ima_log_string(ab
, "subj_user", args
[0].from
);
1017 result
= ima_lsm_rule_init(entry
, args
,
1022 ima_log_string(ab
, "subj_role", args
[0].from
);
1023 result
= ima_lsm_rule_init(entry
, args
,
1028 ima_log_string(ab
, "subj_type", args
[0].from
);
1029 result
= ima_lsm_rule_init(entry
, args
,
1033 case Opt_appraise_type
:
1034 if (entry
->action
!= APPRAISE
) {
1039 ima_log_string(ab
, "appraise_type", args
[0].from
);
1040 if ((strcmp(args
[0].from
, "imasig")) == 0)
1041 entry
->flags
|= IMA_DIGSIG_REQUIRED
;
1045 case Opt_permit_directio
:
1046 entry
->flags
|= IMA_PERMIT_DIRECTIO
;
1049 if (entry
->action
!= MEASURE
) {
1053 ima_log_string(ab
, "pcr", args
[0].from
);
1055 result
= kstrtoint(args
[0].from
, 10, &entry
->pcr
);
1056 if (result
|| INVALID_PCR(entry
->pcr
))
1059 entry
->flags
|= IMA_PCR
;
1063 ima_log_string(ab
, "UNKNOWN", p
);
1068 if (!result
&& (entry
->action
== UNKNOWN
))
1070 else if (entry
->action
== APPRAISE
)
1071 temp_ima_appraise
|= ima_appraise_flag(entry
->func
);
1073 audit_log_format(ab
, "res=%d", !result
);
1079 * ima_parse_add_rule - add a rule to ima_policy_rules
1080 * @rule - ima measurement policy rule
1082 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1083 * Returns the length of the rule parsed, an error code on failure
1085 ssize_t
ima_parse_add_rule(char *rule
)
1087 static const char op
[] = "update_policy";
1089 struct ima_rule_entry
*entry
;
1090 ssize_t result
, len
;
1093 p
= strsep(&rule
, "\n");
1094 len
= strlen(p
) + 1;
1095 p
+= strspn(p
, " \t");
1097 if (*p
== '#' || *p
== '\0')
1100 entry
= kzalloc(sizeof(*entry
), GFP_KERNEL
);
1102 integrity_audit_msg(AUDIT_INTEGRITY_STATUS
, NULL
,
1103 NULL
, op
, "-ENOMEM", -ENOMEM
, audit_info
);
1107 INIT_LIST_HEAD(&entry
->list
);
1109 result
= ima_parse_rule(p
, entry
);
1112 integrity_audit_msg(AUDIT_INTEGRITY_STATUS
, NULL
,
1113 NULL
, op
, "invalid-policy", result
,
1118 list_add_tail(&entry
->list
, &ima_temp_rules
);
1124 * ima_delete_rules() called to cleanup invalid in-flight policy.
1125 * We don't need locking as we operate on the temp list, which is
1126 * different from the active one. There is also only one user of
1127 * ima_delete_rules() at a time.
1129 void ima_delete_rules(void)
1131 struct ima_rule_entry
*entry
, *tmp
;
1134 temp_ima_appraise
= 0;
1135 list_for_each_entry_safe(entry
, tmp
, &ima_temp_rules
, list
) {
1136 for (i
= 0; i
< MAX_LSM_RULES
; i
++)
1137 kfree(entry
->lsm
[i
].args_p
);
1139 list_del(&entry
->list
);
1144 #ifdef CONFIG_IMA_READ_POLICY
1146 mask_exec
= 0, mask_write
, mask_read
, mask_append
1149 static const char *const mask_tokens
[] = {
1156 #define __ima_hook_stringify(str) (#str),
1158 static const char *const func_tokens
[] = {
1159 __ima_hooks(__ima_hook_stringify
)
1162 void *ima_policy_start(struct seq_file
*m
, loff_t
*pos
)
1165 struct ima_rule_entry
*entry
;
1168 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
1178 void *ima_policy_next(struct seq_file
*m
, void *v
, loff_t
*pos
)
1180 struct ima_rule_entry
*entry
= v
;
1183 entry
= list_entry_rcu(entry
->list
.next
, struct ima_rule_entry
, list
);
1187 return (&entry
->list
== ima_rules
) ? NULL
: entry
;
1190 void ima_policy_stop(struct seq_file
*m
, void *v
)
1194 #define pt(token) policy_tokens[token].pattern
1195 #define mt(token) mask_tokens[token]
1198 * policy_func_show - display the ima_hooks policy rule
1200 static void policy_func_show(struct seq_file
*m
, enum ima_hooks func
)
1202 if (func
> 0 && func
< MAX_CHECK
)
1203 seq_printf(m
, "func=%s ", func_tokens
[func
]);
1205 seq_printf(m
, "func=%d ", func
);
1208 int ima_policy_show(struct seq_file
*m
, void *v
)
1210 struct ima_rule_entry
*entry
= v
;
1212 char tbuf
[64] = {0,};
1217 if (entry
->action
& MEASURE
)
1218 seq_puts(m
, pt(Opt_measure
));
1219 if (entry
->action
& DONT_MEASURE
)
1220 seq_puts(m
, pt(Opt_dont_measure
));
1221 if (entry
->action
& APPRAISE
)
1222 seq_puts(m
, pt(Opt_appraise
));
1223 if (entry
->action
& DONT_APPRAISE
)
1224 seq_puts(m
, pt(Opt_dont_appraise
));
1225 if (entry
->action
& AUDIT
)
1226 seq_puts(m
, pt(Opt_audit
));
1227 if (entry
->action
& HASH
)
1228 seq_puts(m
, pt(Opt_hash
));
1229 if (entry
->action
& DONT_HASH
)
1230 seq_puts(m
, pt(Opt_dont_hash
));
1234 if (entry
->flags
& IMA_FUNC
)
1235 policy_func_show(m
, entry
->func
);
1237 if ((entry
->flags
& IMA_MASK
) || (entry
->flags
& IMA_INMASK
)) {
1238 if (entry
->flags
& IMA_MASK
)
1240 if (entry
->mask
& MAY_EXEC
)
1241 seq_printf(m
, pt(Opt_mask
), mt(mask_exec
) + offset
);
1242 if (entry
->mask
& MAY_WRITE
)
1243 seq_printf(m
, pt(Opt_mask
), mt(mask_write
) + offset
);
1244 if (entry
->mask
& MAY_READ
)
1245 seq_printf(m
, pt(Opt_mask
), mt(mask_read
) + offset
);
1246 if (entry
->mask
& MAY_APPEND
)
1247 seq_printf(m
, pt(Opt_mask
), mt(mask_append
) + offset
);
1251 if (entry
->flags
& IMA_FSMAGIC
) {
1252 snprintf(tbuf
, sizeof(tbuf
), "0x%lx", entry
->fsmagic
);
1253 seq_printf(m
, pt(Opt_fsmagic
), tbuf
);
1257 if (entry
->flags
& IMA_FSNAME
) {
1258 snprintf(tbuf
, sizeof(tbuf
), "%s", entry
->fsname
);
1259 seq_printf(m
, pt(Opt_fsname
), tbuf
);
1263 if (entry
->flags
& IMA_PCR
) {
1264 snprintf(tbuf
, sizeof(tbuf
), "%d", entry
->pcr
);
1265 seq_printf(m
, pt(Opt_pcr
), tbuf
);
1269 if (entry
->flags
& IMA_FSUUID
) {
1270 seq_printf(m
, "fsuuid=%pU", &entry
->fsuuid
);
1274 if (entry
->flags
& IMA_UID
) {
1275 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->uid
));
1276 if (entry
->uid_op
== &uid_gt
)
1277 seq_printf(m
, pt(Opt_uid_gt
), tbuf
);
1278 else if (entry
->uid_op
== &uid_lt
)
1279 seq_printf(m
, pt(Opt_uid_lt
), tbuf
);
1281 seq_printf(m
, pt(Opt_uid_eq
), tbuf
);
1285 if (entry
->flags
& IMA_EUID
) {
1286 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->uid
));
1287 if (entry
->uid_op
== &uid_gt
)
1288 seq_printf(m
, pt(Opt_euid_gt
), tbuf
);
1289 else if (entry
->uid_op
== &uid_lt
)
1290 seq_printf(m
, pt(Opt_euid_lt
), tbuf
);
1292 seq_printf(m
, pt(Opt_euid_eq
), tbuf
);
1296 if (entry
->flags
& IMA_FOWNER
) {
1297 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->fowner
));
1298 if (entry
->fowner_op
== &uid_gt
)
1299 seq_printf(m
, pt(Opt_fowner_gt
), tbuf
);
1300 else if (entry
->fowner_op
== &uid_lt
)
1301 seq_printf(m
, pt(Opt_fowner_lt
), tbuf
);
1303 seq_printf(m
, pt(Opt_fowner_eq
), tbuf
);
1307 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
1308 if (entry
->lsm
[i
].rule
) {
1311 seq_printf(m
, pt(Opt_obj_user
),
1312 (char *)entry
->lsm
[i
].args_p
);
1315 seq_printf(m
, pt(Opt_obj_role
),
1316 (char *)entry
->lsm
[i
].args_p
);
1319 seq_printf(m
, pt(Opt_obj_type
),
1320 (char *)entry
->lsm
[i
].args_p
);
1323 seq_printf(m
, pt(Opt_subj_user
),
1324 (char *)entry
->lsm
[i
].args_p
);
1327 seq_printf(m
, pt(Opt_subj_role
),
1328 (char *)entry
->lsm
[i
].args_p
);
1331 seq_printf(m
, pt(Opt_subj_type
),
1332 (char *)entry
->lsm
[i
].args_p
);
1337 if (entry
->flags
& IMA_DIGSIG_REQUIRED
)
1338 seq_puts(m
, "appraise_type=imasig ");
1339 if (entry
->flags
& IMA_PERMIT_DIRECTIO
)
1340 seq_puts(m
, "permit_directio ");
1345 #endif /* CONFIG_IMA_READ_POLICY */