1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2008 IBM Corporation
4 * Author: Mimi Zohar <zohar@us.ibm.com>
7 * - initialize default measure policy rules
9 #include <linux/init.h>
10 #include <linux/list.h>
12 #include <linux/security.h>
13 #include <linux/magic.h>
14 #include <linux/parser.h>
15 #include <linux/slab.h>
16 #include <linux/rculist.h>
17 #include <linux/genhd.h>
18 #include <linux/seq_file.h>
19 #include <linux/ima.h>
23 /* flags definitions */
24 #define IMA_FUNC 0x0001
25 #define IMA_MASK 0x0002
26 #define IMA_FSMAGIC 0x0004
27 #define IMA_UID 0x0008
28 #define IMA_FOWNER 0x0010
29 #define IMA_FSUUID 0x0020
30 #define IMA_INMASK 0x0040
31 #define IMA_EUID 0x0080
32 #define IMA_PCR 0x0100
33 #define IMA_FSNAME 0x0200
36 #define MEASURE 0x0001 /* same as IMA_MEASURE */
37 #define DONT_MEASURE 0x0002
38 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
39 #define DONT_APPRAISE 0x0008
42 #define DONT_HASH 0x0200
44 #define INVALID_PCR(a) (((a) < 0) || \
45 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
48 static int temp_ima_appraise
;
49 static int build_ima_appraise __ro_after_init
;
51 #define MAX_LSM_RULES 6
52 enum lsm_rule_types
{ LSM_OBJ_USER
, LSM_OBJ_ROLE
, LSM_OBJ_TYPE
,
53 LSM_SUBJ_USER
, LSM_SUBJ_ROLE
, LSM_SUBJ_TYPE
56 enum policy_types
{ ORIGINAL_TCB
= 1, DEFAULT_TCB
};
58 enum policy_rule_list
{ IMA_DEFAULT_POLICY
= 1, IMA_CUSTOM_POLICY
};
60 struct ima_rule_entry
{
61 struct list_head list
;
66 unsigned long fsmagic
;
70 bool (*uid_op
)(kuid_t
, kuid_t
); /* Handlers for operators */
71 bool (*fowner_op
)(kuid_t
, kuid_t
); /* uid_eq(), uid_gt(), uid_lt() */
74 void *rule
; /* LSM file metadata specific */
75 void *args_p
; /* audit value */
76 int type
; /* audit type */
82 * Without LSM specific knowledge, the default policy can only be
83 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
87 * The minimum rule set to allow for full TCB coverage. Measures all files
88 * opened or mmap for exec and everything read by root. Dangerous because
89 * normal users can easily run the machine out of memory simply building
90 * and running executables.
92 static struct ima_rule_entry dont_measure_rules
[] __ro_after_init
= {
93 {.action
= DONT_MEASURE
, .fsmagic
= PROC_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
94 {.action
= DONT_MEASURE
, .fsmagic
= SYSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
95 {.action
= DONT_MEASURE
, .fsmagic
= DEBUGFS_MAGIC
, .flags
= IMA_FSMAGIC
},
96 {.action
= DONT_MEASURE
, .fsmagic
= TMPFS_MAGIC
, .flags
= IMA_FSMAGIC
},
97 {.action
= DONT_MEASURE
, .fsmagic
= DEVPTS_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
98 {.action
= DONT_MEASURE
, .fsmagic
= BINFMTFS_MAGIC
, .flags
= IMA_FSMAGIC
},
99 {.action
= DONT_MEASURE
, .fsmagic
= SECURITYFS_MAGIC
, .flags
= IMA_FSMAGIC
},
100 {.action
= DONT_MEASURE
, .fsmagic
= SELINUX_MAGIC
, .flags
= IMA_FSMAGIC
},
101 {.action
= DONT_MEASURE
, .fsmagic
= SMACK_MAGIC
, .flags
= IMA_FSMAGIC
},
102 {.action
= DONT_MEASURE
, .fsmagic
= CGROUP_SUPER_MAGIC
,
103 .flags
= IMA_FSMAGIC
},
104 {.action
= DONT_MEASURE
, .fsmagic
= CGROUP2_SUPER_MAGIC
,
105 .flags
= IMA_FSMAGIC
},
106 {.action
= DONT_MEASURE
, .fsmagic
= NSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
107 {.action
= DONT_MEASURE
, .fsmagic
= EFIVARFS_MAGIC
, .flags
= IMA_FSMAGIC
}
110 static struct ima_rule_entry original_measurement_rules
[] __ro_after_init
= {
111 {.action
= MEASURE
, .func
= MMAP_CHECK
, .mask
= MAY_EXEC
,
112 .flags
= IMA_FUNC
| IMA_MASK
},
113 {.action
= MEASURE
, .func
= BPRM_CHECK
, .mask
= MAY_EXEC
,
114 .flags
= IMA_FUNC
| IMA_MASK
},
115 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
116 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
117 .flags
= IMA_FUNC
| IMA_MASK
| IMA_UID
},
118 {.action
= MEASURE
, .func
= MODULE_CHECK
, .flags
= IMA_FUNC
},
119 {.action
= MEASURE
, .func
= FIRMWARE_CHECK
, .flags
= IMA_FUNC
},
122 static struct ima_rule_entry default_measurement_rules
[] __ro_after_init
= {
123 {.action
= MEASURE
, .func
= MMAP_CHECK
, .mask
= MAY_EXEC
,
124 .flags
= IMA_FUNC
| IMA_MASK
},
125 {.action
= MEASURE
, .func
= BPRM_CHECK
, .mask
= MAY_EXEC
,
126 .flags
= IMA_FUNC
| IMA_MASK
},
127 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
128 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
129 .flags
= IMA_FUNC
| IMA_INMASK
| IMA_EUID
},
130 {.action
= MEASURE
, .func
= FILE_CHECK
, .mask
= MAY_READ
,
131 .uid
= GLOBAL_ROOT_UID
, .uid_op
= &uid_eq
,
132 .flags
= IMA_FUNC
| IMA_INMASK
| IMA_UID
},
133 {.action
= MEASURE
, .func
= MODULE_CHECK
, .flags
= IMA_FUNC
},
134 {.action
= MEASURE
, .func
= FIRMWARE_CHECK
, .flags
= IMA_FUNC
},
135 {.action
= MEASURE
, .func
= POLICY_CHECK
, .flags
= IMA_FUNC
},
138 static struct ima_rule_entry default_appraise_rules
[] __ro_after_init
= {
139 {.action
= DONT_APPRAISE
, .fsmagic
= PROC_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
140 {.action
= DONT_APPRAISE
, .fsmagic
= SYSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
141 {.action
= DONT_APPRAISE
, .fsmagic
= DEBUGFS_MAGIC
, .flags
= IMA_FSMAGIC
},
142 {.action
= DONT_APPRAISE
, .fsmagic
= TMPFS_MAGIC
, .flags
= IMA_FSMAGIC
},
143 {.action
= DONT_APPRAISE
, .fsmagic
= RAMFS_MAGIC
, .flags
= IMA_FSMAGIC
},
144 {.action
= DONT_APPRAISE
, .fsmagic
= DEVPTS_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
145 {.action
= DONT_APPRAISE
, .fsmagic
= BINFMTFS_MAGIC
, .flags
= IMA_FSMAGIC
},
146 {.action
= DONT_APPRAISE
, .fsmagic
= SECURITYFS_MAGIC
, .flags
= IMA_FSMAGIC
},
147 {.action
= DONT_APPRAISE
, .fsmagic
= SELINUX_MAGIC
, .flags
= IMA_FSMAGIC
},
148 {.action
= DONT_APPRAISE
, .fsmagic
= SMACK_MAGIC
, .flags
= IMA_FSMAGIC
},
149 {.action
= DONT_APPRAISE
, .fsmagic
= NSFS_MAGIC
, .flags
= IMA_FSMAGIC
},
150 {.action
= DONT_APPRAISE
, .fsmagic
= EFIVARFS_MAGIC
, .flags
= IMA_FSMAGIC
},
151 {.action
= DONT_APPRAISE
, .fsmagic
= CGROUP_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
152 {.action
= DONT_APPRAISE
, .fsmagic
= CGROUP2_SUPER_MAGIC
, .flags
= IMA_FSMAGIC
},
153 #ifdef CONFIG_IMA_WRITE_POLICY
154 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
155 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
157 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
158 {.action
= APPRAISE
, .fowner
= GLOBAL_ROOT_UID
, .fowner_op
= &uid_eq
,
159 .flags
= IMA_FOWNER
},
161 /* force signature */
162 {.action
= APPRAISE
, .fowner
= GLOBAL_ROOT_UID
, .fowner_op
= &uid_eq
,
163 .flags
= IMA_FOWNER
| IMA_DIGSIG_REQUIRED
},
167 static struct ima_rule_entry build_appraise_rules
[] __ro_after_init
= {
168 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
169 {.action
= APPRAISE
, .func
= MODULE_CHECK
,
170 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
173 {.action
= APPRAISE
, .func
= FIRMWARE_CHECK
,
174 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
177 {.action
= APPRAISE
, .func
= KEXEC_KERNEL_CHECK
,
178 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
181 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
182 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
186 static struct ima_rule_entry secure_boot_rules
[] __ro_after_init
= {
187 {.action
= APPRAISE
, .func
= MODULE_CHECK
,
188 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
189 {.action
= APPRAISE
, .func
= FIRMWARE_CHECK
,
190 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
191 {.action
= APPRAISE
, .func
= KEXEC_KERNEL_CHECK
,
192 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
193 {.action
= APPRAISE
, .func
= POLICY_CHECK
,
194 .flags
= IMA_FUNC
| IMA_DIGSIG_REQUIRED
},
197 /* An array of architecture specific rules */
198 struct ima_rule_entry
*arch_policy_entry __ro_after_init
;
200 static LIST_HEAD(ima_default_rules
);
201 static LIST_HEAD(ima_policy_rules
);
202 static LIST_HEAD(ima_temp_rules
);
203 static struct list_head
*ima_rules
;
205 static int ima_policy __initdata
;
207 static int __init
default_measure_policy_setup(char *str
)
212 ima_policy
= ORIGINAL_TCB
;
215 __setup("ima_tcb", default_measure_policy_setup
);
217 static bool ima_use_appraise_tcb __initdata
;
218 static bool ima_use_secure_boot __initdata
;
219 static bool ima_fail_unverifiable_sigs __ro_after_init
;
220 static int __init
policy_setup(char *str
)
224 while ((p
= strsep(&str
, " |\n")) != NULL
) {
227 if ((strcmp(p
, "tcb") == 0) && !ima_policy
)
228 ima_policy
= DEFAULT_TCB
;
229 else if (strcmp(p
, "appraise_tcb") == 0)
230 ima_use_appraise_tcb
= true;
231 else if (strcmp(p
, "secure_boot") == 0)
232 ima_use_secure_boot
= true;
233 else if (strcmp(p
, "fail_securely") == 0)
234 ima_fail_unverifiable_sigs
= true;
239 __setup("ima_policy=", policy_setup
);
241 static int __init
default_appraise_policy_setup(char *str
)
243 ima_use_appraise_tcb
= true;
246 __setup("ima_appraise_tcb", default_appraise_policy_setup
);
249 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
250 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect
251 * the reloaded LSM policy. We assume the rules still exist; and BUG_ON() if
254 static void ima_lsm_update_rules(void)
256 struct ima_rule_entry
*entry
;
260 list_for_each_entry(entry
, &ima_policy_rules
, list
) {
261 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
262 if (!entry
->lsm
[i
].rule
)
264 result
= security_filter_rule_init(entry
->lsm
[i
].type
,
266 entry
->lsm
[i
].args_p
,
267 &entry
->lsm
[i
].rule
);
268 BUG_ON(!entry
->lsm
[i
].rule
);
274 * ima_match_rules - determine whether an inode matches the measure rule.
275 * @rule: a pointer to a rule
276 * @inode: a pointer to an inode
277 * @cred: a pointer to a credentials structure for user validation
278 * @secid: the secid of the task to be validated
279 * @func: LIM hook identifier
280 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
282 * Returns true on rule match, false on failure.
284 static bool ima_match_rules(struct ima_rule_entry
*rule
, struct inode
*inode
,
285 const struct cred
*cred
, u32 secid
,
286 enum ima_hooks func
, int mask
)
290 if ((rule
->flags
& IMA_FUNC
) &&
291 (rule
->func
!= func
&& func
!= POST_SETATTR
))
293 if ((rule
->flags
& IMA_MASK
) &&
294 (rule
->mask
!= mask
&& func
!= POST_SETATTR
))
296 if ((rule
->flags
& IMA_INMASK
) &&
297 (!(rule
->mask
& mask
) && func
!= POST_SETATTR
))
299 if ((rule
->flags
& IMA_FSMAGIC
)
300 && rule
->fsmagic
!= inode
->i_sb
->s_magic
)
302 if ((rule
->flags
& IMA_FSNAME
)
303 && strcmp(rule
->fsname
, inode
->i_sb
->s_type
->name
))
305 if ((rule
->flags
& IMA_FSUUID
) &&
306 !uuid_equal(&rule
->fsuuid
, &inode
->i_sb
->s_uuid
))
308 if ((rule
->flags
& IMA_UID
) && !rule
->uid_op(cred
->uid
, rule
->uid
))
310 if (rule
->flags
& IMA_EUID
) {
311 if (has_capability_noaudit(current
, CAP_SETUID
)) {
312 if (!rule
->uid_op(cred
->euid
, rule
->uid
)
313 && !rule
->uid_op(cred
->suid
, rule
->uid
)
314 && !rule
->uid_op(cred
->uid
, rule
->uid
))
316 } else if (!rule
->uid_op(cred
->euid
, rule
->uid
))
320 if ((rule
->flags
& IMA_FOWNER
) &&
321 !rule
->fowner_op(inode
->i_uid
, rule
->fowner
))
323 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
328 if (!rule
->lsm
[i
].rule
)
335 security_inode_getsecid(inode
, &osid
);
336 rc
= security_filter_rule_match(osid
,
344 rc
= security_filter_rule_match(secid
,
351 if ((rc
< 0) && (!retried
)) {
353 ima_lsm_update_rules();
363 * In addition to knowing that we need to appraise the file in general,
364 * we need to differentiate between calling hooks, for hook specific rules.
366 static int get_subaction(struct ima_rule_entry
*rule
, enum ima_hooks func
)
368 if (!(rule
->flags
& IMA_FUNC
))
369 return IMA_FILE_APPRAISE
;
373 return IMA_MMAP_APPRAISE
;
375 return IMA_BPRM_APPRAISE
;
377 return IMA_CREDS_APPRAISE
;
380 return IMA_FILE_APPRAISE
;
381 case MODULE_CHECK
... MAX_CHECK
- 1:
383 return IMA_READ_APPRAISE
;
388 * ima_match_policy - decision based on LSM and other conditions
389 * @inode: pointer to an inode for which the policy decision is being made
390 * @cred: pointer to a credentials structure for which the policy decision is
392 * @secid: LSM secid of the task to be validated
393 * @func: IMA hook identifier
394 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
395 * @pcr: set the pcr to extend
397 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
400 * Since the IMA policy may be updated multiple times we need to lock the
401 * list when walking it. Reads are many orders of magnitude more numerous
402 * than writes so ima_match_policy() is classical RCU candidate.
404 int ima_match_policy(struct inode
*inode
, const struct cred
*cred
, u32 secid
,
405 enum ima_hooks func
, int mask
, int flags
, int *pcr
)
407 struct ima_rule_entry
*entry
;
408 int action
= 0, actmask
= flags
| (flags
<< 1);
411 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
413 if (!(entry
->action
& actmask
))
416 if (!ima_match_rules(entry
, inode
, cred
, secid
, func
, mask
))
419 action
|= entry
->flags
& IMA_ACTION_FLAGS
;
421 action
|= entry
->action
& IMA_DO_MASK
;
422 if (entry
->action
& IMA_APPRAISE
) {
423 action
|= get_subaction(entry
, func
);
425 if (ima_fail_unverifiable_sigs
)
426 action
|= IMA_FAIL_UNVERIFIABLE_SIGS
;
429 if (entry
->action
& IMA_DO_MASK
)
430 actmask
&= ~(entry
->action
| entry
->action
<< 1);
432 actmask
&= ~(entry
->action
| entry
->action
>> 1);
434 if ((pcr
) && (entry
->flags
& IMA_PCR
))
446 * Initialize the ima_policy_flag variable based on the currently
447 * loaded policy. Based on this flag, the decision to short circuit
448 * out of a function or not call the function in the first place
449 * can be made earlier.
451 void ima_update_policy_flag(void)
453 struct ima_rule_entry
*entry
;
455 list_for_each_entry(entry
, ima_rules
, list
) {
456 if (entry
->action
& IMA_DO_MASK
)
457 ima_policy_flag
|= entry
->action
;
460 ima_appraise
|= (build_ima_appraise
| temp_ima_appraise
);
462 ima_policy_flag
&= ~IMA_APPRAISE
;
465 static int ima_appraise_flag(enum ima_hooks func
)
467 if (func
== MODULE_CHECK
)
468 return IMA_APPRAISE_MODULES
;
469 else if (func
== FIRMWARE_CHECK
)
470 return IMA_APPRAISE_FIRMWARE
;
471 else if (func
== POLICY_CHECK
)
472 return IMA_APPRAISE_POLICY
;
473 else if (func
== KEXEC_KERNEL_CHECK
)
474 return IMA_APPRAISE_KEXEC
;
478 static void add_rules(struct ima_rule_entry
*entries
, int count
,
479 enum policy_rule_list policy_rule
)
483 for (i
= 0; i
< count
; i
++) {
484 struct ima_rule_entry
*entry
;
486 if (policy_rule
& IMA_DEFAULT_POLICY
)
487 list_add_tail(&entries
[i
].list
, &ima_default_rules
);
489 if (policy_rule
& IMA_CUSTOM_POLICY
) {
490 entry
= kmemdup(&entries
[i
], sizeof(*entry
),
495 list_add_tail(&entry
->list
, &ima_policy_rules
);
497 if (entries
[i
].action
== APPRAISE
) {
498 temp_ima_appraise
|= ima_appraise_flag(entries
[i
].func
);
499 if (entries
[i
].func
== POLICY_CHECK
)
500 temp_ima_appraise
|= IMA_APPRAISE_POLICY
;
505 static int ima_parse_rule(char *rule
, struct ima_rule_entry
*entry
);
507 static int __init
ima_init_arch_policy(void)
509 const char * const *arch_rules
;
510 const char * const *rules
;
511 int arch_entries
= 0;
514 arch_rules
= arch_get_ima_policy();
518 /* Get number of rules */
519 for (rules
= arch_rules
; *rules
!= NULL
; rules
++)
522 arch_policy_entry
= kcalloc(arch_entries
+ 1,
523 sizeof(*arch_policy_entry
), GFP_KERNEL
);
524 if (!arch_policy_entry
)
527 /* Convert each policy string rules to struct ima_rule_entry format */
528 for (rules
= arch_rules
, i
= 0; *rules
!= NULL
; rules
++) {
532 result
= strlcpy(rule
, *rules
, sizeof(rule
));
534 INIT_LIST_HEAD(&arch_policy_entry
[i
].list
);
535 result
= ima_parse_rule(rule
, &arch_policy_entry
[i
]);
537 pr_warn("Skipping unknown architecture policy rule: %s\n",
539 memset(&arch_policy_entry
[i
], 0,
540 sizeof(*arch_policy_entry
));
549 * ima_init_policy - initialize the default measure rules.
551 * ima_rules points to either the ima_default_rules or the
552 * the new ima_policy_rules.
554 void __init
ima_init_policy(void)
556 int build_appraise_entries
, arch_entries
;
558 /* if !ima_policy, we load NO default rules */
560 add_rules(dont_measure_rules
, ARRAY_SIZE(dont_measure_rules
),
563 switch (ima_policy
) {
565 add_rules(original_measurement_rules
,
566 ARRAY_SIZE(original_measurement_rules
),
570 add_rules(default_measurement_rules
,
571 ARRAY_SIZE(default_measurement_rules
),
578 * Based on runtime secure boot flags, insert arch specific measurement
579 * and appraise rules requiring file signatures for both the initial
580 * and custom policies, prior to other appraise rules.
583 arch_entries
= ima_init_arch_policy();
585 pr_info("No architecture policies found\n");
587 add_rules(arch_policy_entry
, arch_entries
,
588 IMA_DEFAULT_POLICY
| IMA_CUSTOM_POLICY
);
591 * Insert the builtin "secure_boot" policy rules requiring file
592 * signatures, prior to other appraise rules.
594 if (ima_use_secure_boot
)
595 add_rules(secure_boot_rules
, ARRAY_SIZE(secure_boot_rules
),
599 * Insert the build time appraise rules requiring file signatures
600 * for both the initial and custom policies, prior to other appraise
601 * rules. As the secure boot rules includes all of the build time
602 * rules, include either one or the other set of rules, but not both.
604 build_appraise_entries
= ARRAY_SIZE(build_appraise_rules
);
605 if (build_appraise_entries
) {
606 if (ima_use_secure_boot
)
607 add_rules(build_appraise_rules
, build_appraise_entries
,
610 add_rules(build_appraise_rules
, build_appraise_entries
,
611 IMA_DEFAULT_POLICY
| IMA_CUSTOM_POLICY
);
614 if (ima_use_appraise_tcb
)
615 add_rules(default_appraise_rules
,
616 ARRAY_SIZE(default_appraise_rules
),
619 ima_rules
= &ima_default_rules
;
620 ima_update_policy_flag();
623 /* Make sure we have a valid policy, at least containing some rules. */
624 int ima_check_policy(void)
626 if (list_empty(&ima_temp_rules
))
632 * ima_update_policy - update default_rules with new measure rules
634 * Called on file .release to update the default rules with a complete new
635 * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so
636 * they make a queue. The policy may be updated multiple times and this is the
639 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
640 * we switch from the default policy to user defined.
642 void ima_update_policy(void)
644 struct list_head
*policy
= &ima_policy_rules
;
646 list_splice_tail_init_rcu(&ima_temp_rules
, policy
, synchronize_rcu
);
648 if (ima_rules
!= policy
) {
653 * IMA architecture specific policy rules are specified
654 * as strings and converted to an array of ima_entry_rules
655 * on boot. After loading a custom policy, free the
656 * architecture specific rules stored as an array.
658 kfree(arch_policy_entry
);
660 ima_update_policy_flag();
663 /* Keep the enumeration in sync with the policy_tokens! */
665 Opt_measure
, Opt_dont_measure
,
666 Opt_appraise
, Opt_dont_appraise
,
667 Opt_audit
, Opt_hash
, Opt_dont_hash
,
668 Opt_obj_user
, Opt_obj_role
, Opt_obj_type
,
669 Opt_subj_user
, Opt_subj_role
, Opt_subj_type
,
670 Opt_func
, Opt_mask
, Opt_fsmagic
, Opt_fsname
,
671 Opt_fsuuid
, Opt_uid_eq
, Opt_euid_eq
, Opt_fowner_eq
,
672 Opt_uid_gt
, Opt_euid_gt
, Opt_fowner_gt
,
673 Opt_uid_lt
, Opt_euid_lt
, Opt_fowner_lt
,
674 Opt_appraise_type
, Opt_permit_directio
,
678 static const match_table_t policy_tokens
= {
679 {Opt_measure
, "measure"},
680 {Opt_dont_measure
, "dont_measure"},
681 {Opt_appraise
, "appraise"},
682 {Opt_dont_appraise
, "dont_appraise"},
683 {Opt_audit
, "audit"},
685 {Opt_dont_hash
, "dont_hash"},
686 {Opt_obj_user
, "obj_user=%s"},
687 {Opt_obj_role
, "obj_role=%s"},
688 {Opt_obj_type
, "obj_type=%s"},
689 {Opt_subj_user
, "subj_user=%s"},
690 {Opt_subj_role
, "subj_role=%s"},
691 {Opt_subj_type
, "subj_type=%s"},
692 {Opt_func
, "func=%s"},
693 {Opt_mask
, "mask=%s"},
694 {Opt_fsmagic
, "fsmagic=%s"},
695 {Opt_fsname
, "fsname=%s"},
696 {Opt_fsuuid
, "fsuuid=%s"},
697 {Opt_uid_eq
, "uid=%s"},
698 {Opt_euid_eq
, "euid=%s"},
699 {Opt_fowner_eq
, "fowner=%s"},
700 {Opt_uid_gt
, "uid>%s"},
701 {Opt_euid_gt
, "euid>%s"},
702 {Opt_fowner_gt
, "fowner>%s"},
703 {Opt_uid_lt
, "uid<%s"},
704 {Opt_euid_lt
, "euid<%s"},
705 {Opt_fowner_lt
, "fowner<%s"},
706 {Opt_appraise_type
, "appraise_type=%s"},
707 {Opt_permit_directio
, "permit_directio"},
712 static int ima_lsm_rule_init(struct ima_rule_entry
*entry
,
713 substring_t
*args
, int lsm_rule
, int audit_type
)
717 if (entry
->lsm
[lsm_rule
].rule
)
720 entry
->lsm
[lsm_rule
].args_p
= match_strdup(args
);
721 if (!entry
->lsm
[lsm_rule
].args_p
)
724 entry
->lsm
[lsm_rule
].type
= audit_type
;
725 result
= security_filter_rule_init(entry
->lsm
[lsm_rule
].type
,
727 entry
->lsm
[lsm_rule
].args_p
,
728 &entry
->lsm
[lsm_rule
].rule
);
729 if (!entry
->lsm
[lsm_rule
].rule
) {
730 kfree(entry
->lsm
[lsm_rule
].args_p
);
737 static void ima_log_string_op(struct audit_buffer
*ab
, char *key
, char *value
,
738 bool (*rule_operator
)(kuid_t
, kuid_t
))
743 if (rule_operator
== &uid_gt
)
744 audit_log_format(ab
, "%s>", key
);
745 else if (rule_operator
== &uid_lt
)
746 audit_log_format(ab
, "%s<", key
);
748 audit_log_format(ab
, "%s=", key
);
749 audit_log_format(ab
, "%s ", value
);
751 static void ima_log_string(struct audit_buffer
*ab
, char *key
, char *value
)
753 ima_log_string_op(ab
, key
, value
, NULL
);
756 static int ima_parse_rule(char *rule
, struct ima_rule_entry
*entry
)
758 struct audit_buffer
*ab
;
764 ab
= integrity_audit_log_start(audit_context(), GFP_KERNEL
,
765 AUDIT_INTEGRITY_POLICY_RULE
);
767 entry
->uid
= INVALID_UID
;
768 entry
->fowner
= INVALID_UID
;
769 entry
->uid_op
= &uid_eq
;
770 entry
->fowner_op
= &uid_eq
;
771 entry
->action
= UNKNOWN
;
772 while ((p
= strsep(&rule
, " \t")) != NULL
) {
773 substring_t args
[MAX_OPT_ARGS
];
779 if ((*p
== '\0') || (*p
== ' ') || (*p
== '\t'))
781 token
= match_token(p
, policy_tokens
, args
);
784 ima_log_string(ab
, "action", "measure");
786 if (entry
->action
!= UNKNOWN
)
789 entry
->action
= MEASURE
;
791 case Opt_dont_measure
:
792 ima_log_string(ab
, "action", "dont_measure");
794 if (entry
->action
!= UNKNOWN
)
797 entry
->action
= DONT_MEASURE
;
800 ima_log_string(ab
, "action", "appraise");
802 if (entry
->action
!= UNKNOWN
)
805 entry
->action
= APPRAISE
;
807 case Opt_dont_appraise
:
808 ima_log_string(ab
, "action", "dont_appraise");
810 if (entry
->action
!= UNKNOWN
)
813 entry
->action
= DONT_APPRAISE
;
816 ima_log_string(ab
, "action", "audit");
818 if (entry
->action
!= UNKNOWN
)
821 entry
->action
= AUDIT
;
824 ima_log_string(ab
, "action", "hash");
826 if (entry
->action
!= UNKNOWN
)
829 entry
->action
= HASH
;
832 ima_log_string(ab
, "action", "dont_hash");
834 if (entry
->action
!= UNKNOWN
)
837 entry
->action
= DONT_HASH
;
840 ima_log_string(ab
, "func", args
[0].from
);
845 if (strcmp(args
[0].from
, "FILE_CHECK") == 0)
846 entry
->func
= FILE_CHECK
;
847 /* PATH_CHECK is for backwards compat */
848 else if (strcmp(args
[0].from
, "PATH_CHECK") == 0)
849 entry
->func
= FILE_CHECK
;
850 else if (strcmp(args
[0].from
, "MODULE_CHECK") == 0)
851 entry
->func
= MODULE_CHECK
;
852 else if (strcmp(args
[0].from
, "FIRMWARE_CHECK") == 0)
853 entry
->func
= FIRMWARE_CHECK
;
854 else if ((strcmp(args
[0].from
, "FILE_MMAP") == 0)
855 || (strcmp(args
[0].from
, "MMAP_CHECK") == 0))
856 entry
->func
= MMAP_CHECK
;
857 else if (strcmp(args
[0].from
, "BPRM_CHECK") == 0)
858 entry
->func
= BPRM_CHECK
;
859 else if (strcmp(args
[0].from
, "CREDS_CHECK") == 0)
860 entry
->func
= CREDS_CHECK
;
861 else if (strcmp(args
[0].from
, "KEXEC_KERNEL_CHECK") ==
863 entry
->func
= KEXEC_KERNEL_CHECK
;
864 else if (strcmp(args
[0].from
, "KEXEC_INITRAMFS_CHECK")
866 entry
->func
= KEXEC_INITRAMFS_CHECK
;
867 else if (strcmp(args
[0].from
, "POLICY_CHECK") == 0)
868 entry
->func
= POLICY_CHECK
;
872 entry
->flags
|= IMA_FUNC
;
875 ima_log_string(ab
, "mask", args
[0].from
);
884 if ((strcmp(from
, "MAY_EXEC")) == 0)
885 entry
->mask
= MAY_EXEC
;
886 else if (strcmp(from
, "MAY_WRITE") == 0)
887 entry
->mask
= MAY_WRITE
;
888 else if (strcmp(from
, "MAY_READ") == 0)
889 entry
->mask
= MAY_READ
;
890 else if (strcmp(from
, "MAY_APPEND") == 0)
891 entry
->mask
= MAY_APPEND
;
895 entry
->flags
|= (*args
[0].from
== '^')
896 ? IMA_INMASK
: IMA_MASK
;
899 ima_log_string(ab
, "fsmagic", args
[0].from
);
901 if (entry
->fsmagic
) {
906 result
= kstrtoul(args
[0].from
, 16, &entry
->fsmagic
);
908 entry
->flags
|= IMA_FSMAGIC
;
911 ima_log_string(ab
, "fsname", args
[0].from
);
913 entry
->fsname
= kstrdup(args
[0].from
, GFP_KERNEL
);
914 if (!entry
->fsname
) {
919 entry
->flags
|= IMA_FSNAME
;
922 ima_log_string(ab
, "fsuuid", args
[0].from
);
924 if (!uuid_is_null(&entry
->fsuuid
)) {
929 result
= uuid_parse(args
[0].from
, &entry
->fsuuid
);
931 entry
->flags
|= IMA_FSUUID
;
935 entry
->uid_op
= &uid_gt
;
939 if ((token
== Opt_uid_lt
) || (token
== Opt_euid_lt
))
940 entry
->uid_op
= &uid_lt
;
944 uid_token
= (token
== Opt_uid_eq
) ||
945 (token
== Opt_uid_gt
) ||
946 (token
== Opt_uid_lt
);
948 ima_log_string_op(ab
, uid_token
? "uid" : "euid",
949 args
[0].from
, entry
->uid_op
);
951 if (uid_valid(entry
->uid
)) {
956 result
= kstrtoul(args
[0].from
, 10, &lnum
);
958 entry
->uid
= make_kuid(current_user_ns(),
960 if (!uid_valid(entry
->uid
) ||
964 entry
->flags
|= uid_token
965 ? IMA_UID
: IMA_EUID
;
969 entry
->fowner_op
= &uid_gt
;
972 if (token
== Opt_fowner_lt
)
973 entry
->fowner_op
= &uid_lt
;
976 ima_log_string_op(ab
, "fowner", args
[0].from
,
979 if (uid_valid(entry
->fowner
)) {
984 result
= kstrtoul(args
[0].from
, 10, &lnum
);
986 entry
->fowner
= make_kuid(current_user_ns(), (uid_t
)lnum
);
987 if (!uid_valid(entry
->fowner
) || (((uid_t
)lnum
) != lnum
))
990 entry
->flags
|= IMA_FOWNER
;
994 ima_log_string(ab
, "obj_user", args
[0].from
);
995 result
= ima_lsm_rule_init(entry
, args
,
1000 ima_log_string(ab
, "obj_role", args
[0].from
);
1001 result
= ima_lsm_rule_init(entry
, args
,
1006 ima_log_string(ab
, "obj_type", args
[0].from
);
1007 result
= ima_lsm_rule_init(entry
, args
,
1012 ima_log_string(ab
, "subj_user", args
[0].from
);
1013 result
= ima_lsm_rule_init(entry
, args
,
1018 ima_log_string(ab
, "subj_role", args
[0].from
);
1019 result
= ima_lsm_rule_init(entry
, args
,
1024 ima_log_string(ab
, "subj_type", args
[0].from
);
1025 result
= ima_lsm_rule_init(entry
, args
,
1029 case Opt_appraise_type
:
1030 if (entry
->action
!= APPRAISE
) {
1035 ima_log_string(ab
, "appraise_type", args
[0].from
);
1036 if ((strcmp(args
[0].from
, "imasig")) == 0)
1037 entry
->flags
|= IMA_DIGSIG_REQUIRED
;
1041 case Opt_permit_directio
:
1042 entry
->flags
|= IMA_PERMIT_DIRECTIO
;
1045 if (entry
->action
!= MEASURE
) {
1049 ima_log_string(ab
, "pcr", args
[0].from
);
1051 result
= kstrtoint(args
[0].from
, 10, &entry
->pcr
);
1052 if (result
|| INVALID_PCR(entry
->pcr
))
1055 entry
->flags
|= IMA_PCR
;
1059 ima_log_string(ab
, "UNKNOWN", p
);
1064 if (!result
&& (entry
->action
== UNKNOWN
))
1066 else if (entry
->action
== APPRAISE
)
1067 temp_ima_appraise
|= ima_appraise_flag(entry
->func
);
1069 audit_log_format(ab
, "res=%d", !result
);
1075 * ima_parse_add_rule - add a rule to ima_policy_rules
1076 * @rule - ima measurement policy rule
1078 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1079 * Returns the length of the rule parsed, an error code on failure
1081 ssize_t
ima_parse_add_rule(char *rule
)
1083 static const char op
[] = "update_policy";
1085 struct ima_rule_entry
*entry
;
1086 ssize_t result
, len
;
1089 p
= strsep(&rule
, "\n");
1090 len
= strlen(p
) + 1;
1091 p
+= strspn(p
, " \t");
1093 if (*p
== '#' || *p
== '\0')
1096 entry
= kzalloc(sizeof(*entry
), GFP_KERNEL
);
1098 integrity_audit_msg(AUDIT_INTEGRITY_STATUS
, NULL
,
1099 NULL
, op
, "-ENOMEM", -ENOMEM
, audit_info
);
1103 INIT_LIST_HEAD(&entry
->list
);
1105 result
= ima_parse_rule(p
, entry
);
1108 integrity_audit_msg(AUDIT_INTEGRITY_STATUS
, NULL
,
1109 NULL
, op
, "invalid-policy", result
,
1114 list_add_tail(&entry
->list
, &ima_temp_rules
);
1120 * ima_delete_rules() called to cleanup invalid in-flight policy.
1121 * We don't need locking as we operate on the temp list, which is
1122 * different from the active one. There is also only one user of
1123 * ima_delete_rules() at a time.
1125 void ima_delete_rules(void)
1127 struct ima_rule_entry
*entry
, *tmp
;
1130 temp_ima_appraise
= 0;
1131 list_for_each_entry_safe(entry
, tmp
, &ima_temp_rules
, list
) {
1132 for (i
= 0; i
< MAX_LSM_RULES
; i
++)
1133 kfree(entry
->lsm
[i
].args_p
);
1135 list_del(&entry
->list
);
1140 #ifdef CONFIG_IMA_READ_POLICY
1142 mask_exec
= 0, mask_write
, mask_read
, mask_append
1145 static const char *const mask_tokens
[] = {
1152 #define __ima_hook_stringify(str) (#str),
1154 static const char *const func_tokens
[] = {
1155 __ima_hooks(__ima_hook_stringify
)
1158 void *ima_policy_start(struct seq_file
*m
, loff_t
*pos
)
1161 struct ima_rule_entry
*entry
;
1164 list_for_each_entry_rcu(entry
, ima_rules
, list
) {
1174 void *ima_policy_next(struct seq_file
*m
, void *v
, loff_t
*pos
)
1176 struct ima_rule_entry
*entry
= v
;
1179 entry
= list_entry_rcu(entry
->list
.next
, struct ima_rule_entry
, list
);
1183 return (&entry
->list
== ima_rules
) ? NULL
: entry
;
1186 void ima_policy_stop(struct seq_file
*m
, void *v
)
1190 #define pt(token) policy_tokens[token].pattern
1191 #define mt(token) mask_tokens[token]
1194 * policy_func_show - display the ima_hooks policy rule
1196 static void policy_func_show(struct seq_file
*m
, enum ima_hooks func
)
1198 if (func
> 0 && func
< MAX_CHECK
)
1199 seq_printf(m
, "func=%s ", func_tokens
[func
]);
1201 seq_printf(m
, "func=%d ", func
);
1204 int ima_policy_show(struct seq_file
*m
, void *v
)
1206 struct ima_rule_entry
*entry
= v
;
1208 char tbuf
[64] = {0,};
1213 if (entry
->action
& MEASURE
)
1214 seq_puts(m
, pt(Opt_measure
));
1215 if (entry
->action
& DONT_MEASURE
)
1216 seq_puts(m
, pt(Opt_dont_measure
));
1217 if (entry
->action
& APPRAISE
)
1218 seq_puts(m
, pt(Opt_appraise
));
1219 if (entry
->action
& DONT_APPRAISE
)
1220 seq_puts(m
, pt(Opt_dont_appraise
));
1221 if (entry
->action
& AUDIT
)
1222 seq_puts(m
, pt(Opt_audit
));
1223 if (entry
->action
& HASH
)
1224 seq_puts(m
, pt(Opt_hash
));
1225 if (entry
->action
& DONT_HASH
)
1226 seq_puts(m
, pt(Opt_dont_hash
));
1230 if (entry
->flags
& IMA_FUNC
)
1231 policy_func_show(m
, entry
->func
);
1233 if ((entry
->flags
& IMA_MASK
) || (entry
->flags
& IMA_INMASK
)) {
1234 if (entry
->flags
& IMA_MASK
)
1236 if (entry
->mask
& MAY_EXEC
)
1237 seq_printf(m
, pt(Opt_mask
), mt(mask_exec
) + offset
);
1238 if (entry
->mask
& MAY_WRITE
)
1239 seq_printf(m
, pt(Opt_mask
), mt(mask_write
) + offset
);
1240 if (entry
->mask
& MAY_READ
)
1241 seq_printf(m
, pt(Opt_mask
), mt(mask_read
) + offset
);
1242 if (entry
->mask
& MAY_APPEND
)
1243 seq_printf(m
, pt(Opt_mask
), mt(mask_append
) + offset
);
1247 if (entry
->flags
& IMA_FSMAGIC
) {
1248 snprintf(tbuf
, sizeof(tbuf
), "0x%lx", entry
->fsmagic
);
1249 seq_printf(m
, pt(Opt_fsmagic
), tbuf
);
1253 if (entry
->flags
& IMA_FSNAME
) {
1254 snprintf(tbuf
, sizeof(tbuf
), "%s", entry
->fsname
);
1255 seq_printf(m
, pt(Opt_fsname
), tbuf
);
1259 if (entry
->flags
& IMA_PCR
) {
1260 snprintf(tbuf
, sizeof(tbuf
), "%d", entry
->pcr
);
1261 seq_printf(m
, pt(Opt_pcr
), tbuf
);
1265 if (entry
->flags
& IMA_FSUUID
) {
1266 seq_printf(m
, "fsuuid=%pU", &entry
->fsuuid
);
1270 if (entry
->flags
& IMA_UID
) {
1271 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->uid
));
1272 if (entry
->uid_op
== &uid_gt
)
1273 seq_printf(m
, pt(Opt_uid_gt
), tbuf
);
1274 else if (entry
->uid_op
== &uid_lt
)
1275 seq_printf(m
, pt(Opt_uid_lt
), tbuf
);
1277 seq_printf(m
, pt(Opt_uid_eq
), tbuf
);
1281 if (entry
->flags
& IMA_EUID
) {
1282 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->uid
));
1283 if (entry
->uid_op
== &uid_gt
)
1284 seq_printf(m
, pt(Opt_euid_gt
), tbuf
);
1285 else if (entry
->uid_op
== &uid_lt
)
1286 seq_printf(m
, pt(Opt_euid_lt
), tbuf
);
1288 seq_printf(m
, pt(Opt_euid_eq
), tbuf
);
1292 if (entry
->flags
& IMA_FOWNER
) {
1293 snprintf(tbuf
, sizeof(tbuf
), "%d", __kuid_val(entry
->fowner
));
1294 if (entry
->fowner_op
== &uid_gt
)
1295 seq_printf(m
, pt(Opt_fowner_gt
), tbuf
);
1296 else if (entry
->fowner_op
== &uid_lt
)
1297 seq_printf(m
, pt(Opt_fowner_lt
), tbuf
);
1299 seq_printf(m
, pt(Opt_fowner_eq
), tbuf
);
1303 for (i
= 0; i
< MAX_LSM_RULES
; i
++) {
1304 if (entry
->lsm
[i
].rule
) {
1307 seq_printf(m
, pt(Opt_obj_user
),
1308 (char *)entry
->lsm
[i
].args_p
);
1311 seq_printf(m
, pt(Opt_obj_role
),
1312 (char *)entry
->lsm
[i
].args_p
);
1315 seq_printf(m
, pt(Opt_obj_type
),
1316 (char *)entry
->lsm
[i
].args_p
);
1319 seq_printf(m
, pt(Opt_subj_user
),
1320 (char *)entry
->lsm
[i
].args_p
);
1323 seq_printf(m
, pt(Opt_subj_role
),
1324 (char *)entry
->lsm
[i
].args_p
);
1327 seq_printf(m
, pt(Opt_subj_type
),
1328 (char *)entry
->lsm
[i
].args_p
);
1333 if (entry
->flags
& IMA_DIGSIG_REQUIRED
)
1334 seq_puts(m
, "appraise_type=imasig ");
1335 if (entry
->flags
& IMA_PERMIT_DIRECTIO
)
1336 seq_puts(m
, "permit_directio ");
1341 #endif /* CONFIG_IMA_READ_POLICY */