Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
awilliam
GitHub Repository: awilliam/linux-vfio
 Path: blob/master/security/integrity/ima/ima_policy.c
10818 views
1
/*

2
 * Copyright (C) 2008 IBM Corporation

3
 * Author: Mimi Zohar <[email protected]>

4
 *

5
 * This program is free software; you can redistribute it and/or modify

6
 * it under the terms of the GNU General Public License as published by

7
 * the Free Software Foundation, version 2 of the License.

8
 *

9
 * ima_policy.c

10
 * 	- initialize default measure policy rules

11
 *

12
 */

13
#include <linux/module.h>

14
#include <linux/list.h>

15
#include <linux/security.h>

16
#include <linux/magic.h>

17
#include <linux/parser.h>

18
#include <linux/slab.h>

19


20
#include "ima.h"

21


22
/* flags definitions */

23
#define IMA_FUNC 	0x0001

24
#define IMA_MASK 	0x0002

25
#define IMA_FSMAGIC	0x0004

26
#define IMA_UID		0x0008

27


28
enum ima_action { UNKNOWN = -1, DONT_MEASURE = 0, MEASURE };

29


30
#define MAX_LSM_RULES 6

31
enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,

32
	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE

33
};

34


35
struct ima_measure_rule_entry {

36
	struct list_head list;

37
	enum ima_action action;

38
	unsigned int flags;

39
	enum ima_hooks func;

40
	int mask;

41
	unsigned long fsmagic;

42
	uid_t uid;

43
	struct {

44
		void *rule;	/* LSM file metadata specific */

45
		int type;	/* audit type */

46
	} lsm[MAX_LSM_RULES];

47
};

48


49
/*

50
 * Without LSM specific knowledge, the default policy can only be

51
 * written in terms of .action, .func, .mask, .fsmagic, and .uid

52
 */

53


54
/*

55
 * The minimum rule set to allow for full TCB coverage.  Measures all files

56
 * opened or mmap for exec and everything read by root.  Dangerous because

57
 * normal users can easily run the machine out of memory simply building

58
 * and running executables.

59
 */

60
static struct ima_measure_rule_entry default_rules[] = {

61
	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},

62
	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},

63
	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},

64
	{.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},

65
	{.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},

66
	{.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},

67
	{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,

68
	 .flags = IMA_FUNC | IMA_MASK},

69
	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,

70
	 .flags = IMA_FUNC | IMA_MASK},

71
	{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,

72
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},

73
};

74


75
static LIST_HEAD(measure_default_rules);

76
static LIST_HEAD(measure_policy_rules);

77
static struct list_head *ima_measure;

78


79
static DEFINE_MUTEX(ima_measure_mutex);

80


81
static bool ima_use_tcb __initdata;

82
static int __init default_policy_setup(char *str)

83
{

84
	ima_use_tcb = 1;

85
	return 1;

86
}

87
__setup("ima_tcb", default_policy_setup);

88


89
/**

90
 * ima_match_rules - determine whether an inode matches the measure rule.

91
 * @rule: a pointer to a rule

92
 * @inode: a pointer to an inode

93
 * @func: LIM hook identifier

94
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)

95
 *

96
 * Returns true on rule match, false on failure.

97
 */

98
static bool ima_match_rules(struct ima_measure_rule_entry *rule,

99
			    struct inode *inode, enum ima_hooks func, int mask)

100
{

101
	struct task_struct *tsk = current;

102
	int i;

103


104
	if ((rule->flags & IMA_FUNC) && rule->func != func)

105
		return false;

106
	if ((rule->flags & IMA_MASK) && rule->mask != mask)

107
		return false;

108
	if ((rule->flags & IMA_FSMAGIC)

109
	    && rule->fsmagic != inode->i_sb->s_magic)

110
		return false;

111
	if ((rule->flags & IMA_UID) && rule->uid != tsk->cred->uid)

112
		return false;

113
	for (i = 0; i < MAX_LSM_RULES; i++) {

114
		int rc = 0;

115
		u32 osid, sid;

116


117
		if (!rule->lsm[i].rule)

118
			continue;

119


120
		switch (i) {

121
		case LSM_OBJ_USER:

122
		case LSM_OBJ_ROLE:

123
		case LSM_OBJ_TYPE:

124
			security_inode_getsecid(inode, &osid);

125
			rc = security_filter_rule_match(osid,

126
							rule->lsm[i].type,

127
							Audit_equal,

128
							rule->lsm[i].rule,

129
							NULL);

130
			break;

131
		case LSM_SUBJ_USER:

132
		case LSM_SUBJ_ROLE:

133
		case LSM_SUBJ_TYPE:

134
			security_task_getsecid(tsk, &sid);

135
			rc = security_filter_rule_match(sid,

136
							rule->lsm[i].type,

137
							Audit_equal,

138
							rule->lsm[i].rule,

139
							NULL);

140
		default:

141
			break;

142
		}

143
		if (!rc)

144
			return false;

145
	}

146
	return true;

147
}

148


149
/**

150
 * ima_match_policy - decision based on LSM and other conditions

151
 * @inode: pointer to an inode for which the policy decision is being made

152
 * @func: IMA hook identifier

153
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)

154
 *

155
 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)

156
 * conditions.

157
 *

158
 * (There is no need for locking when walking the policy list,

159
 * as elements in the list are never deleted, nor does the list

160
 * change.)

161
 */

162
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)

163
{

164
	struct ima_measure_rule_entry *entry;

165


166
	list_for_each_entry(entry, ima_measure, list) {

167
		bool rc;

168


169
		rc = ima_match_rules(entry, inode, func, mask);

170
		if (rc)

171
			return entry->action;

172
	}

173
	return 0;

174
}

175


176
/**

177
 * ima_init_policy - initialize the default measure rules.

178
 *

179
 * ima_measure points to either the measure_default_rules or the

180
 * the new measure_policy_rules.

181
 */

182
void __init ima_init_policy(void)

183
{

184
	int i, entries;

185


186
	/* if !ima_use_tcb set entries = 0 so we load NO default rules */

187
	if (ima_use_tcb)

188
		entries = ARRAY_SIZE(default_rules);

189
	else

190
		entries = 0;

191


192
	for (i = 0; i < entries; i++)

193
		list_add_tail(&default_rules[i].list, &measure_default_rules);

194
	ima_measure = &measure_default_rules;

195
}

196


197
/**

198
 * ima_update_policy - update default_rules with new measure rules

199
 *

200
 * Called on file .release to update the default rules with a complete new

201
 * policy.  Once updated, the policy is locked, no additional rules can be

202
 * added to the policy.

203
 */

204
void ima_update_policy(void)

205
{

206
	const char *op = "policy_update";

207
	const char *cause = "already exists";

208
	int result = 1;

209
	int audit_info = 0;

210


211
	if (ima_measure == &measure_default_rules) {

212
		ima_measure = &measure_policy_rules;

213
		cause = "complete";

214
		result = 0;

215
	}

216
	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,

217
			    NULL, op, cause, result, audit_info);

218
}

219


220
enum {

221
	Opt_err = -1,

222
	Opt_measure = 1, Opt_dont_measure,

223
	Opt_obj_user, Opt_obj_role, Opt_obj_type,

224
	Opt_subj_user, Opt_subj_role, Opt_subj_type,

225
	Opt_func, Opt_mask, Opt_fsmagic, Opt_uid

226
};

227


228
static match_table_t policy_tokens = {

229
	{Opt_measure, "measure"},

230
	{Opt_dont_measure, "dont_measure"},

231
	{Opt_obj_user, "obj_user=%s"},

232
	{Opt_obj_role, "obj_role=%s"},

233
	{Opt_obj_type, "obj_type=%s"},

234
	{Opt_subj_user, "subj_user=%s"},

235
	{Opt_subj_role, "subj_role=%s"},

236
	{Opt_subj_type, "subj_type=%s"},

237
	{Opt_func, "func=%s"},

238
	{Opt_mask, "mask=%s"},

239
	{Opt_fsmagic, "fsmagic=%s"},

240
	{Opt_uid, "uid=%s"},

241
	{Opt_err, NULL}

242
};

243


244
static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,

245
			     char *args, int lsm_rule, int audit_type)

246
{

247
	int result;

248


249
	if (entry->lsm[lsm_rule].rule)

250
		return -EINVAL;

251


252
	entry->lsm[lsm_rule].type = audit_type;

253
	result = security_filter_rule_init(entry->lsm[lsm_rule].type,

254
					   Audit_equal, args,

255
					   &entry->lsm[lsm_rule].rule);

256
	if (!entry->lsm[lsm_rule].rule)

257
		return -EINVAL;

258
	return result;

259
}

260


261
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)

262
{

263
	audit_log_format(ab, "%s=", key);

264
	audit_log_untrustedstring(ab, value);

265
	audit_log_format(ab, " ");

266
}

267


268
static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)

269
{

270
	struct audit_buffer *ab;

271
	char *p;

272
	int result = 0;

273


274
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);

275


276
	entry->uid = -1;

277
	entry->action = UNKNOWN;

278
	while ((p = strsep(&rule, " \t")) != NULL) {

279
		substring_t args[MAX_OPT_ARGS];

280
		int token;

281
		unsigned long lnum;

282


283
		if (result < 0)

284
			break;

285
		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))

286
			continue;

287
		token = match_token(p, policy_tokens, args);

288
		switch (token) {

289
		case Opt_measure:

290
			ima_log_string(ab, "action", "measure");

291


292
			if (entry->action != UNKNOWN)

293
				result = -EINVAL;

294


295
			entry->action = MEASURE;

296
			break;

297
		case Opt_dont_measure:

298
			ima_log_string(ab, "action", "dont_measure");

299


300
			if (entry->action != UNKNOWN)

301
				result = -EINVAL;

302


303
			entry->action = DONT_MEASURE;

304
			break;

305
		case Opt_func:

306
			ima_log_string(ab, "func", args[0].from);

307


308
			if (entry->func)

309
				result  = -EINVAL;

310


311
			if (strcmp(args[0].from, "FILE_CHECK") == 0)

312
				entry->func = FILE_CHECK;

313
			/* PATH_CHECK is for backwards compat */

314
			else if (strcmp(args[0].from, "PATH_CHECK") == 0)

315
				entry->func = FILE_CHECK;

316
			else if (strcmp(args[0].from, "FILE_MMAP") == 0)

317
				entry->func = FILE_MMAP;

318
			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)

319
				entry->func = BPRM_CHECK;

320
			else

321
				result = -EINVAL;

322
			if (!result)

323
				entry->flags |= IMA_FUNC;

324
			break;

325
		case Opt_mask:

326
			ima_log_string(ab, "mask", args[0].from);

327


328
			if (entry->mask)

329
				result = -EINVAL;

330


331
			if ((strcmp(args[0].from, "MAY_EXEC")) == 0)

332
				entry->mask = MAY_EXEC;

333
			else if (strcmp(args[0].from, "MAY_WRITE") == 0)

334
				entry->mask = MAY_WRITE;

335
			else if (strcmp(args[0].from, "MAY_READ") == 0)

336
				entry->mask = MAY_READ;

337
			else if (strcmp(args[0].from, "MAY_APPEND") == 0)

338
				entry->mask = MAY_APPEND;

339
			else

340
				result = -EINVAL;

341
			if (!result)

342
				entry->flags |= IMA_MASK;

343
			break;

344
		case Opt_fsmagic:

345
			ima_log_string(ab, "fsmagic", args[0].from);

346


347
			if (entry->fsmagic) {

348
				result = -EINVAL;

349
				break;

350
			}

351


352
			result = strict_strtoul(args[0].from, 16,

353
						&entry->fsmagic);

354
			if (!result)

355
				entry->flags |= IMA_FSMAGIC;

356
			break;

357
		case Opt_uid:

358
			ima_log_string(ab, "uid", args[0].from);

359


360
			if (entry->uid != -1) {

361
				result = -EINVAL;

362
				break;

363
			}

364


365
			result = strict_strtoul(args[0].from, 10, &lnum);

366
			if (!result) {

367
				entry->uid = (uid_t) lnum;

368
				if (entry->uid != lnum)

369
					result = -EINVAL;

370
				else

371
					entry->flags |= IMA_UID;

372
			}

373
			break;

374
		case Opt_obj_user:

375
			ima_log_string(ab, "obj_user", args[0].from);

376
			result = ima_lsm_rule_init(entry, args[0].from,

377
						   LSM_OBJ_USER,

378
						   AUDIT_OBJ_USER);

379
			break;

380
		case Opt_obj_role:

381
			ima_log_string(ab, "obj_role", args[0].from);

382
			result = ima_lsm_rule_init(entry, args[0].from,

383
						   LSM_OBJ_ROLE,

384
						   AUDIT_OBJ_ROLE);

385
			break;

386
		case Opt_obj_type:

387
			ima_log_string(ab, "obj_type", args[0].from);

388
			result = ima_lsm_rule_init(entry, args[0].from,

389
						   LSM_OBJ_TYPE,

390
						   AUDIT_OBJ_TYPE);

391
			break;

392
		case Opt_subj_user:

393
			ima_log_string(ab, "subj_user", args[0].from);

394
			result = ima_lsm_rule_init(entry, args[0].from,

395
						   LSM_SUBJ_USER,

396
						   AUDIT_SUBJ_USER);

397
			break;

398
		case Opt_subj_role:

399
			ima_log_string(ab, "subj_role", args[0].from);

400
			result = ima_lsm_rule_init(entry, args[0].from,

401
						   LSM_SUBJ_ROLE,

402
						   AUDIT_SUBJ_ROLE);

403
			break;

404
		case Opt_subj_type:

405
			ima_log_string(ab, "subj_type", args[0].from);

406
			result = ima_lsm_rule_init(entry, args[0].from,

407
						   LSM_SUBJ_TYPE,

408
						   AUDIT_SUBJ_TYPE);

409
			break;

410
		case Opt_err:

411
			ima_log_string(ab, "UNKNOWN", p);

412
			result = -EINVAL;

413
			break;

414
		}

415
	}

416
	if (!result && (entry->action == UNKNOWN))

417
		result = -EINVAL;

418


419
	audit_log_format(ab, "res=%d", !!result);

420
	audit_log_end(ab);

421
	return result;

422
}

423


424
/**

425
 * ima_parse_add_rule - add a rule to measure_policy_rules

426
 * @rule - ima measurement policy rule

427
 *

428
 * Uses a mutex to protect the policy list from multiple concurrent writers.

429
 * Returns the length of the rule parsed, an error code on failure

430
 */

431
ssize_t ima_parse_add_rule(char *rule)

432
{

433
	const char *op = "update_policy";

434
	char *p;

435
	struct ima_measure_rule_entry *entry;

436
	ssize_t result, len;

437
	int audit_info = 0;

438


439
	/* Prevent installed policy from changing */

440
	if (ima_measure != &measure_default_rules) {

441
		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,

442
				    NULL, op, "already exists",

443
				    -EACCES, audit_info);

444
		return -EACCES;

445
	}

446


447
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);

448
	if (!entry) {

449
		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,

450
				    NULL, op, "-ENOMEM", -ENOMEM, audit_info);

451
		return -ENOMEM;

452
	}

453


454
	INIT_LIST_HEAD(&entry->list);

455


456
	p = strsep(&rule, "\n");

457
	len = strlen(p) + 1;

458


459
	if (*p == '#') {

460
		kfree(entry);

461
		return len;

462
	}

463


464
	result = ima_parse_rule(p, entry);

465
	if (result) {

466
		kfree(entry);

467
		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,

468
				    NULL, op, "invalid policy", result,

469
				    audit_info);

470
		return result;

471
	}

472


473
	mutex_lock(&ima_measure_mutex);

474
	list_add_tail(&entry->list, &measure_policy_rules);

475
	mutex_unlock(&ima_measure_mutex);

476


477
	return len;

478
}

479


480
/* ima_delete_rules called to cleanup invalid policy */

481
void ima_delete_rules(void)

482
{

483
	struct ima_measure_rule_entry *entry, *tmp;

484


485
	mutex_lock(&ima_measure_mutex);

486
	list_for_each_entry_safe(entry, tmp, &measure_policy_rules, list) {

487
		list_del(&entry->list);

488
		kfree(entry);

489
	}

490
	mutex_unlock(&ima_measure_mutex);

491
}

492


493