1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * Copyright (C) 2008 IBM Corporation
4
 * Author: Mimi Zohar <[email protected]>
5
 *
6
 * ima_policy.c
7
 *	- initialize default measure policy rules
8
 */
9

10
#include <linux/init.h>
11
#include <linux/list.h>
12
#include <linux/kernel_read_file.h>
13
#include <linux/fs.h>
14
#include <linux/security.h>
15
#include <linux/magic.h>
16
#include <linux/parser.h>
17
#include <linux/slab.h>
18
#include <linux/rculist.h>
19
#include <linux/seq_file.h>
20
#include <linux/ima.h>
21

22
#include "ima.h"
23

24
/* flags definitions */
25
#define IMA_FUNC	0x0001
26
#define IMA_MASK	0x0002
27
#define IMA_FSMAGIC	0x0004
28
#define IMA_UID		0x0008
29
#define IMA_FOWNER	0x0010
30
#define IMA_FSUUID	0x0020
31
#define IMA_INMASK	0x0040
32
#define IMA_EUID	0x0080
33
#define IMA_PCR		0x0100
34
#define IMA_FSNAME	0x0200
35
#define IMA_KEYRINGS	0x0400
36
#define IMA_LABEL	0x0800
37
#define IMA_VALIDATE_ALGOS	0x1000
38
#define IMA_GID		0x2000
39
#define IMA_EGID	0x4000
40
#define IMA_FGROUP	0x8000
41

42
#define UNKNOWN		0
43
#define MEASURE		0x0001	/* same as IMA_MEASURE */
44
#define DONT_MEASURE	0x0002
45
#define APPRAISE	0x0004	/* same as IMA_APPRAISE */
46
#define DONT_APPRAISE	0x0008
47
#define AUDIT		0x0040
48
#define HASH		0x0100
49
#define DONT_HASH	0x0200
50

51
#define INVALID_PCR(a) (((a) < 0) || \
52
	(a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
53

54
int ima_policy_flag;
55
static int temp_ima_appraise;
56
static int build_ima_appraise __ro_after_init;
57

58
atomic_t ima_setxattr_allowed_hash_algorithms;
59

60
#define MAX_LSM_RULES 6
61
enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
62
	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
63
};
64

65
enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
66

67
enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
68

69
struct ima_rule_opt_list {
70
	size_t count;
71
	char *items[] __counted_by(count);
72
};
73

74
/*
75
 * These comparators are needed nowhere outside of ima so just define them here.
76
 * This pattern should hopefully never be needed outside of ima.
77
 */
78
static inline bool vfsuid_gt_kuid(vfsuid_t vfsuid, kuid_t kuid)
79
{
80
	return __vfsuid_val(vfsuid) > __kuid_val(kuid);
81
}
82

83
static inline bool vfsgid_gt_kgid(vfsgid_t vfsgid, kgid_t kgid)
84
{
85
	return __vfsgid_val(vfsgid) > __kgid_val(kgid);
86
}
87

88
static inline bool vfsuid_lt_kuid(vfsuid_t vfsuid, kuid_t kuid)
89
{
90
	return __vfsuid_val(vfsuid) < __kuid_val(kuid);
91
}
92

93
static inline bool vfsgid_lt_kgid(vfsgid_t vfsgid, kgid_t kgid)
94
{
95
	return __vfsgid_val(vfsgid) < __kgid_val(kgid);
96
}
97

98
struct ima_rule_entry {
99
	struct list_head list;
100
	int action;
101
	unsigned int flags;
102
	enum ima_hooks func;
103
	int mask;
104
	unsigned long fsmagic;
105
	uuid_t fsuuid;
106
	kuid_t uid;
107
	kgid_t gid;
108
	kuid_t fowner;
109
	kgid_t fgroup;
110
	bool (*uid_op)(kuid_t cred_uid, kuid_t rule_uid);    /* Handlers for operators       */
111
	bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid);
112
	bool (*fowner_op)(vfsuid_t vfsuid, kuid_t rule_uid); /* vfsuid_eq_kuid(), vfsuid_gt_kuid(), vfsuid_lt_kuid() */
113
	bool (*fgroup_op)(vfsgid_t vfsgid, kgid_t rule_gid); /* vfsgid_eq_kgid(), vfsgid_gt_kgid(), vfsgid_lt_kgid() */
114
	int pcr;
115
	unsigned int allowed_algos; /* bitfield of allowed hash algorithms */
116
	struct {
117
		void *rule;	/* LSM file metadata specific */
118
		char *args_p;	/* audit value */
119
		int type;	/* audit type */
120
	} lsm[MAX_LSM_RULES];
121
	char *fsname;
122
	struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
123
	struct ima_rule_opt_list *label; /* Measure data grouped under this label */
124
	struct ima_template_desc *template;
125
};
126

127
/*
128
 * sanity check in case the kernels gains more hash algorithms that can
129
 * fit in an unsigned int
130
 */
131
static_assert(
132
	8 * sizeof(unsigned int) >= HASH_ALGO__LAST,
133
	"The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type");
134

135
/*
136
 * Without LSM specific knowledge, the default policy can only be
137
 * written in terms of .action, .func, .mask, .fsmagic, .uid, .gid,
138
 * .fowner, and .fgroup
139
 */
140

141
/*
142
 * The minimum rule set to allow for full TCB coverage.  Measures all files
143
 * opened or mmap for exec and everything read by root.  Dangerous because
144
 * normal users can easily run the machine out of memory simply building
145
 * and running executables.
146
 */
147
static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
148
	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
149
	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
150
	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
151
	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
152
	 .flags = IMA_FSMAGIC | IMA_FUNC},
153
	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
154
	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
155
	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
156
	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
157
	{.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
158
	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
159
	 .flags = IMA_FSMAGIC},
160
	{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
161
	 .flags = IMA_FSMAGIC},
162
	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
163
	{.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
164
};
165

166
static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
167
	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
168
	 .flags = IMA_FUNC | IMA_MASK},
169
	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
170
	 .flags = IMA_FUNC | IMA_MASK},
171
	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
172
	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
173
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
174
	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
175
	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
176
};
177

178
static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
179
	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
180
	 .flags = IMA_FUNC | IMA_MASK},
181
	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
182
	 .flags = IMA_FUNC | IMA_MASK},
183
	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
184
	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
185
	 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
186
	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
187
	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
188
	 .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
189
	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
190
	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
191
	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
192
};
193

194
static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
195
	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
196
	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
197
	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
198
	{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
199
	{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
200
	{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
201
	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
202
	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
203
	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
204
	{.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
205
	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
206
	{.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
207
	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
208
	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
209
#ifdef CONFIG_IMA_WRITE_POLICY
210
	{.action = APPRAISE, .func = POLICY_CHECK,
211
	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
212
#endif
213
#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
214
	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid,
215
	 .flags = IMA_FOWNER},
216
#else
217
	/* force signature */
218
	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid,
219
	 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
220
#endif
221
};
222

223
static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
224
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
225
	{.action = APPRAISE, .func = MODULE_CHECK,
226
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
227
#endif
228
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
229
	{.action = APPRAISE, .func = FIRMWARE_CHECK,
230
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
231
#endif
232
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
233
	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
234
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
235
#endif
236
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
237
	{.action = APPRAISE, .func = POLICY_CHECK,
238
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
239
#endif
240
};
241

242
static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
243
	{.action = APPRAISE, .func = MODULE_CHECK,
244
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
245
	{.action = APPRAISE, .func = FIRMWARE_CHECK,
246
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
247
	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
248
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
249
	{.action = APPRAISE, .func = POLICY_CHECK,
250
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
251
};
252

253
static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
254
	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
255
};
256

257
/* An array of architecture specific rules */
258
static struct ima_rule_entry *arch_policy_entry __ro_after_init;
259

260
static LIST_HEAD(ima_default_rules);
261
static LIST_HEAD(ima_policy_rules);
262
static LIST_HEAD(ima_temp_rules);
263
static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules);
264

265
static int ima_policy __initdata;
266

267
static int __init default_measure_policy_setup(char *str)
268
{
269
	if (ima_policy)
270
		return 1;
271

272
	ima_policy = ORIGINAL_TCB;
273
	return 1;
274
}
275
__setup("ima_tcb", default_measure_policy_setup);
276

277
static bool ima_use_appraise_tcb __initdata;
278
static bool ima_use_secure_boot __initdata;
279
static bool ima_use_critical_data __initdata;
280
static bool ima_fail_unverifiable_sigs __ro_after_init;
281
static int __init policy_setup(char *str)
282
{
283
	char *p;
284

285
	while ((p = strsep(&str, " |\n")) != NULL) {
286
		if (*p == ' ')
287
			continue;
288
		if ((strcmp(p, "tcb") == 0) && !ima_policy)
289
			ima_policy = DEFAULT_TCB;
290
		else if (strcmp(p, "appraise_tcb") == 0)
291
			ima_use_appraise_tcb = true;
292
		else if (strcmp(p, "secure_boot") == 0)
293
			ima_use_secure_boot = true;
294
		else if (strcmp(p, "critical_data") == 0)
295
			ima_use_critical_data = true;
296
		else if (strcmp(p, "fail_securely") == 0)
297
			ima_fail_unverifiable_sigs = true;
298
		else
299
			pr_err("policy \"%s\" not found", p);
300
	}
301

302
	return 1;
303
}
304
__setup("ima_policy=", policy_setup);
305

306
static int __init default_appraise_policy_setup(char *str)
307
{
308
	ima_use_appraise_tcb = true;
309
	return 1;
310
}
311
__setup("ima_appraise_tcb", default_appraise_policy_setup);
312

313
static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src)
314
{
315
	struct ima_rule_opt_list *opt_list;
316
	size_t count = 0;
317
	char *src_copy;
318
	char *cur, *next;
319
	size_t i;
320

321
	src_copy = match_strdup(src);
322
	if (!src_copy)
323
		return ERR_PTR(-ENOMEM);
324

325
	next = src_copy;
326
	while ((cur = strsep(&next, "|"))) {
327
		/* Don't accept an empty list item */
328
		if (!(*cur)) {
329
			kfree(src_copy);
330
			return ERR_PTR(-EINVAL);
331
		}
332
		count++;
333
	}
334

335
	/* Don't accept an empty list */
336
	if (!count) {
337
		kfree(src_copy);
338
		return ERR_PTR(-EINVAL);
339
	}
340

341
	opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL);
342
	if (!opt_list) {
343
		kfree(src_copy);
344
		return ERR_PTR(-ENOMEM);
345
	}
346
	opt_list->count = count;
347

348
	/*
349
	 * strsep() has already replaced all instances of '|' with '\0',
350
	 * leaving a byte sequence of NUL-terminated strings. Reference each
351
	 * string with the array of items.
352
	 *
353
	 * IMPORTANT: Ownership of the allocated buffer is transferred from
354
	 * src_copy to the first element in the items array. To free the
355
	 * buffer, kfree() must only be called on the first element of the
356
	 * array.
357
	 */
358
	for (i = 0, cur = src_copy; i < count; i++) {
359
		opt_list->items[i] = cur;
360
		cur = strchr(cur, '\0') + 1;
361
	}
362

363
	return opt_list;
364
}
365

366
static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
367
{
368
	if (!opt_list)
369
		return;
370

371
	if (opt_list->count) {
372
		kfree(opt_list->items[0]);
373
		opt_list->count = 0;
374
	}
375

376
	kfree(opt_list);
377
}
378

379
static void ima_lsm_free_rule(struct ima_rule_entry *entry)
380
{
381
	int i;
382

383
	for (i = 0; i < MAX_LSM_RULES; i++) {
384
		ima_filter_rule_free(entry->lsm[i].rule);
385
		kfree(entry->lsm[i].args_p);
386
	}
387
}
388

389
static void ima_free_rule(struct ima_rule_entry *entry)
390
{
391
	if (!entry)
392
		return;
393

394
	/*
395
	 * entry->template->fields may be allocated in ima_parse_rule() but that
396
	 * reference is owned by the corresponding ima_template_desc element in
397
	 * the defined_templates list and cannot be freed here
398
	 */
399
	kfree(entry->fsname);
400
	ima_free_rule_opt_list(entry->keyrings);
401
	ima_lsm_free_rule(entry);
402
	kfree(entry);
403
}
404

405
static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry,
406
						gfp_t gfp)
407
{
408
	struct ima_rule_entry *nentry;
409
	int i;
410

411
	/*
412
	 * Immutable elements are copied over as pointers and data; only
413
	 * lsm rules can change
414
	 */
415
	nentry = kmemdup(entry, sizeof(*nentry), gfp);
416
	if (!nentry)
417
		return NULL;
418

419
	memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm));
420

421
	for (i = 0; i < MAX_LSM_RULES; i++) {
422
		if (!entry->lsm[i].args_p)
423
			continue;
424

425
		nentry->lsm[i].type = entry->lsm[i].type;
426
		nentry->lsm[i].args_p = entry->lsm[i].args_p;
427

428
		ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
429
				     nentry->lsm[i].args_p,
430
				     &nentry->lsm[i].rule,
431
				     gfp);
432
		if (!nentry->lsm[i].rule)
433
			pr_warn("rule for LSM \'%s\' is undefined\n",
434
				nentry->lsm[i].args_p);
435
	}
436
	return nentry;
437
}
438

439
static int ima_lsm_update_rule(struct ima_rule_entry *entry)
440
{
441
	int i;
442
	struct ima_rule_entry *nentry;
443

444
	nentry = ima_lsm_copy_rule(entry, GFP_KERNEL);
445
	if (!nentry)
446
		return -ENOMEM;
447

448
	list_replace_rcu(&entry->list, &nentry->list);
449
	synchronize_rcu();
450
	/*
451
	 * ima_lsm_copy_rule() shallow copied all references, except for the
452
	 * LSM references, from entry to nentry so we only want to free the LSM
453
	 * references and the entry itself. All other memory references will now
454
	 * be owned by nentry.
455
	 */
456
	for (i = 0; i < MAX_LSM_RULES; i++)
457
		ima_filter_rule_free(entry->lsm[i].rule);
458
	kfree(entry);
459

460
	return 0;
461
}
462

463
static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
464
{
465
	int i;
466

467
	for (i = 0; i < MAX_LSM_RULES; i++)
468
		if (entry->lsm[i].args_p)
469
			return true;
470

471
	return false;
472
}
473

474
/*
475
 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
476
 * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
477
 * the reloaded LSM policy.
478
 */
479
static void ima_lsm_update_rules(void)
480
{
481
	struct ima_rule_entry *entry, *e;
482
	int result;
483

484
	list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
485
		if (!ima_rule_contains_lsm_cond(entry))
486
			continue;
487

488
		result = ima_lsm_update_rule(entry);
489
		if (result) {
490
			pr_err("lsm rule update error %d\n", result);
491
			return;
492
		}
493
	}
494
}
495

496
int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
497
			  void *lsm_data)
498
{
499
	if (event != LSM_POLICY_CHANGE)
500
		return NOTIFY_DONE;
501

502
	ima_lsm_update_rules();
503
	return NOTIFY_OK;
504
}
505

506
/**
507
 * ima_match_rule_data - determine whether func_data matches the policy rule
508
 * @rule: a pointer to a rule
509
 * @func_data: data to match against the measure rule data
510
 * @cred: a pointer to a credentials structure for user validation
511
 *
512
 * Returns true if func_data matches one in the rule, false otherwise.
513
 */
514
static bool ima_match_rule_data(struct ima_rule_entry *rule,
515
				const char *func_data,
516
				const struct cred *cred)
517
{
518
	const struct ima_rule_opt_list *opt_list = NULL;
519
	bool matched = false;
520
	size_t i;
521

522
	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
523
		return false;
524

525
	switch (rule->func) {
526
	case KEY_CHECK:
527
		if (!rule->keyrings)
528
			return true;
529

530
		opt_list = rule->keyrings;
531
		break;
532
	case CRITICAL_DATA:
533
		if (!rule->label)
534
			return true;
535

536
		opt_list = rule->label;
537
		break;
538
	default:
539
		return false;
540
	}
541

542
	if (!func_data)
543
		return false;
544

545
	for (i = 0; i < opt_list->count; i++) {
546
		if (!strcmp(opt_list->items[i], func_data)) {
547
			matched = true;
548
			break;
549
		}
550
	}
551

552
	return matched;
553
}
554

555
/**
556
 * ima_match_rules - determine whether an inode matches the policy rule.
557
 * @rule: a pointer to a rule
558
 * @idmap: idmap of the mount the inode was found from
559
 * @inode: a pointer to an inode
560
 * @cred: a pointer to a credentials structure for user validation
561
 * @prop: LSM properties of the task to be validated
562
 * @func: LIM hook identifier
563
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
564
 * @func_data: func specific data, may be NULL
565
 *
566
 * Returns true on rule match, false on failure.
567
 */
568
static bool ima_match_rules(struct ima_rule_entry *rule,
569
			    struct mnt_idmap *idmap,
570
			    struct inode *inode, const struct cred *cred,
571
			    struct lsm_prop *prop, enum ima_hooks func, int mask,
572
			    const char *func_data)
573
{
574
	int i;
575
	bool result = false;
576
	struct ima_rule_entry *lsm_rule = rule;
577
	bool rule_reinitialized = false;
578

579
	if ((rule->flags & IMA_FUNC) &&
580
	    (rule->func != func && func != POST_SETATTR))
581
		return false;
582

583
	switch (func) {
584
	case KEY_CHECK:
585
	case CRITICAL_DATA:
586
		return ((rule->func == func) &&
587
			ima_match_rule_data(rule, func_data, cred));
588
	default:
589
		break;
590
	}
591

592
	if ((rule->flags & IMA_MASK) &&
593
	    (rule->mask != mask && func != POST_SETATTR))
594
		return false;
595
	if ((rule->flags & IMA_INMASK) &&
596
	    (!(rule->mask & mask) && func != POST_SETATTR))
597
		return false;
598
	if ((rule->flags & IMA_FSMAGIC)
599
	    && rule->fsmagic != inode->i_sb->s_magic)
600
		return false;
601
	if ((rule->flags & IMA_FSNAME)
602
	    && strcmp(rule->fsname, inode->i_sb->s_type->name))
603
		return false;
604
	if ((rule->flags & IMA_FSUUID) &&
605
	    !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
606
		return false;
607
	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
608
		return false;
609
	if (rule->flags & IMA_EUID) {
610
		if (has_capability_noaudit(current, CAP_SETUID)) {
611
			if (!rule->uid_op(cred->euid, rule->uid)
612
			    && !rule->uid_op(cred->suid, rule->uid)
613
			    && !rule->uid_op(cred->uid, rule->uid))
614
				return false;
615
		} else if (!rule->uid_op(cred->euid, rule->uid))
616
			return false;
617
	}
618
	if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid))
619
		return false;
620
	if (rule->flags & IMA_EGID) {
621
		if (has_capability_noaudit(current, CAP_SETGID)) {
622
			if (!rule->gid_op(cred->egid, rule->gid)
623
			    && !rule->gid_op(cred->sgid, rule->gid)
624
			    && !rule->gid_op(cred->gid, rule->gid))
625
				return false;
626
		} else if (!rule->gid_op(cred->egid, rule->gid))
627
			return false;
628
	}
629
	if ((rule->flags & IMA_FOWNER) &&
630
	    !rule->fowner_op(i_uid_into_vfsuid(idmap, inode),
631
			     rule->fowner))
632
		return false;
633
	if ((rule->flags & IMA_FGROUP) &&
634
	    !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode),
635
			     rule->fgroup))
636
		return false;
637
	for (i = 0; i < MAX_LSM_RULES; i++) {
638
		int rc = 0;
639
		struct lsm_prop inode_prop = { };
640

641
		if (!lsm_rule->lsm[i].rule) {
642
			if (!lsm_rule->lsm[i].args_p)
643
				continue;
644
			else
645
				return false;
646
		}
647

648
retry:
649
		switch (i) {
650
		case LSM_OBJ_USER:
651
		case LSM_OBJ_ROLE:
652
		case LSM_OBJ_TYPE:
653
			security_inode_getlsmprop(inode, &inode_prop);
654
			rc = ima_filter_rule_match(&inode_prop,
655
						   lsm_rule->lsm[i].type,
656
						   Audit_equal,
657
						   lsm_rule->lsm[i].rule);
658
			break;
659
		case LSM_SUBJ_USER:
660
		case LSM_SUBJ_ROLE:
661
		case LSM_SUBJ_TYPE:
662
			rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type,
663
						   Audit_equal,
664
						   lsm_rule->lsm[i].rule);
665
			break;
666
		default:
667
			break;
668
		}
669

670
		if (rc == -ESTALE && !rule_reinitialized) {
671
			lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC);
672
			if (lsm_rule) {
673
				rule_reinitialized = true;
674
				goto retry;
675
			}
676
		}
677
		if (!rc) {
678
			result = false;
679
			goto out;
680
		}
681
	}
682
	result = true;
683

684
out:
685
	if (rule_reinitialized) {
686
		for (i = 0; i < MAX_LSM_RULES; i++)
687
			ima_filter_rule_free(lsm_rule->lsm[i].rule);
688
		kfree(lsm_rule);
689
	}
690
	return result;
691
}
692

693
/*
694
 * In addition to knowing that we need to appraise the file in general,
695
 * we need to differentiate between calling hooks, for hook specific rules.
696
 */
697
static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
698
{
699
	if (!(rule->flags & IMA_FUNC))
700
		return IMA_FILE_APPRAISE;
701

702
	switch (func) {
703
	case MMAP_CHECK:
704
	case MMAP_CHECK_REQPROT:
705
		return IMA_MMAP_APPRAISE;
706
	case BPRM_CHECK:
707
		return IMA_BPRM_APPRAISE;
708
	case CREDS_CHECK:
709
		return IMA_CREDS_APPRAISE;
710
	case FILE_CHECK:
711
	case POST_SETATTR:
712
		return IMA_FILE_APPRAISE;
713
	case MODULE_CHECK ... MAX_CHECK - 1:
714
	default:
715
		return IMA_READ_APPRAISE;
716
	}
717
}
718

719
/**
720
 * ima_match_policy - decision based on LSM and other conditions
721
 * @idmap: idmap of the mount the inode was found from
722
 * @inode: pointer to an inode for which the policy decision is being made
723
 * @cred: pointer to a credentials structure for which the policy decision is
724
 *        being made
725
 * @prop: LSM properties of the task to be validated
726
 * @func: IMA hook identifier
727
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
728
 * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE)
729
 * @pcr: set the pcr to extend
730
 * @template_desc: the template that should be used for this rule
731
 * @func_data: func specific data, may be NULL
732
 * @allowed_algos: allowlist of hash algorithms for the IMA xattr
733
 *
734
 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
735
 * conditions.
736
 *
737
 * Since the IMA policy may be updated multiple times we need to lock the
738
 * list when walking it.  Reads are many orders of magnitude more numerous
739
 * than writes so ima_match_policy() is classical RCU candidate.
740
 */
741
int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode,
742
		     const struct cred *cred, struct lsm_prop *prop,
743
		     enum ima_hooks func, int mask, int flags, int *pcr,
744
		     struct ima_template_desc **template_desc,
745
		     const char *func_data, unsigned int *allowed_algos)
746
{
747
	struct ima_rule_entry *entry;
748
	int action = 0, actmask = flags | (flags << 1);
749
	struct list_head *ima_rules_tmp;
750

751
	if (template_desc && !*template_desc)
752
		*template_desc = ima_template_desc_current();
753

754
	rcu_read_lock();
755
	ima_rules_tmp = rcu_dereference(ima_rules);
756
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
757

758
		if (!(entry->action & actmask))
759
			continue;
760

761
		if (!ima_match_rules(entry, idmap, inode, cred, prop,
762
				     func, mask, func_data))
763
			continue;
764

765
		action |= entry->flags & IMA_NONACTION_FLAGS;
766

767
		action |= entry->action & IMA_DO_MASK;
768
		if (entry->action & IMA_APPRAISE) {
769
			action |= get_subaction(entry, func);
770
			action &= ~IMA_HASH;
771
			if (ima_fail_unverifiable_sigs)
772
				action |= IMA_FAIL_UNVERIFIABLE_SIGS;
773

774
			if (allowed_algos &&
775
			    entry->flags & IMA_VALIDATE_ALGOS)
776
				*allowed_algos = entry->allowed_algos;
777
		}
778

779
		if (entry->action & IMA_DO_MASK)
780
			actmask &= ~(entry->action | entry->action << 1);
781
		else
782
			actmask &= ~(entry->action | entry->action >> 1);
783

784
		if ((pcr) && (entry->flags & IMA_PCR))
785
			*pcr = entry->pcr;
786

787
		if (template_desc && entry->template)
788
			*template_desc = entry->template;
789

790
		if (!actmask)
791
			break;
792
	}
793
	rcu_read_unlock();
794

795
	return action;
796
}
797

798
/**
799
 * ima_update_policy_flags() - Update global IMA variables
800
 *
801
 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms
802
 * based on the currently loaded policy.
803
 *
804
 * With ima_policy_flag, the decision to short circuit out of a function
805
 * or not call the function in the first place can be made earlier.
806
 *
807
 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the
808
 * set of hash algorithms accepted when updating the security.ima xattr of
809
 * a file.
810
 *
811
 * Context: called after a policy update and at system initialization.
812
 */
813
void ima_update_policy_flags(void)
814
{
815
	struct ima_rule_entry *entry;
816
	int new_policy_flag = 0;
817
	struct list_head *ima_rules_tmp;
818

819
	rcu_read_lock();
820
	ima_rules_tmp = rcu_dereference(ima_rules);
821
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
822
		/*
823
		 * SETXATTR_CHECK rules do not implement a full policy check
824
		 * because rule checking would probably have an important
825
		 * performance impact on setxattr(). As a consequence, only one
826
		 * SETXATTR_CHECK can be active at a given time.
827
		 * Because we want to preserve that property, we set out to use
828
		 * atomic_cmpxchg. Either:
829
		 * - the atomic was non-zero: a setxattr hash policy is
830
		 *   already enforced, we do nothing
831
		 * - the atomic was zero: no setxattr policy was set, enable
832
		 *   the setxattr hash policy
833
		 */
834
		if (entry->func == SETXATTR_CHECK) {
835
			atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms,
836
				       0, entry->allowed_algos);
837
			/* SETXATTR_CHECK doesn't impact ima_policy_flag */
838
			continue;
839
		}
840

841
		if (entry->action & IMA_DO_MASK)
842
			new_policy_flag |= entry->action;
843
	}
844
	rcu_read_unlock();
845

846
	ima_appraise |= (build_ima_appraise | temp_ima_appraise);
847
	if (!ima_appraise)
848
		new_policy_flag &= ~IMA_APPRAISE;
849

850
	ima_policy_flag = new_policy_flag;
851
}
852

853
static int ima_appraise_flag(enum ima_hooks func)
854
{
855
	if (func == MODULE_CHECK)
856
		return IMA_APPRAISE_MODULES;
857
	else if (func == FIRMWARE_CHECK)
858
		return IMA_APPRAISE_FIRMWARE;
859
	else if (func == POLICY_CHECK)
860
		return IMA_APPRAISE_POLICY;
861
	else if (func == KEXEC_KERNEL_CHECK)
862
		return IMA_APPRAISE_KEXEC;
863
	return 0;
864
}
865

866
static void add_rules(struct ima_rule_entry *entries, int count,
867
		      enum policy_rule_list policy_rule)
868
{
869
	int i = 0;
870

871
	for (i = 0; i < count; i++) {
872
		struct ima_rule_entry *entry;
873

874
		if (policy_rule & IMA_DEFAULT_POLICY)
875
			list_add_tail(&entries[i].list, &ima_default_rules);
876

877
		if (policy_rule & IMA_CUSTOM_POLICY) {
878
			entry = kmemdup(&entries[i], sizeof(*entry),
879
					GFP_KERNEL);
880
			if (!entry)
881
				continue;
882

883
			list_add_tail(&entry->list, &ima_policy_rules);
884
		}
885
		if (entries[i].action == APPRAISE) {
886
			if (entries != build_appraise_rules)
887
				temp_ima_appraise |=
888
					ima_appraise_flag(entries[i].func);
889
			else
890
				build_ima_appraise |=
891
					ima_appraise_flag(entries[i].func);
892
		}
893
	}
894
}
895

896
static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
897

898
static int __init ima_init_arch_policy(void)
899
{
900
	const char * const *arch_rules;
901
	const char * const *rules;
902
	int arch_entries = 0;
903
	int i = 0;
904

905
	arch_rules = arch_get_ima_policy();
906
	if (!arch_rules)
907
		return arch_entries;
908

909
	/* Get number of rules */
910
	for (rules = arch_rules; *rules != NULL; rules++)
911
		arch_entries++;
912

913
	arch_policy_entry = kcalloc(arch_entries + 1,
914
				    sizeof(*arch_policy_entry), GFP_KERNEL);
915
	if (!arch_policy_entry)
916
		return 0;
917

918
	/* Convert each policy string rules to struct ima_rule_entry format */
919
	for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
920
		char rule[255];
921
		int result;
922

923
		result = strscpy(rule, *rules, sizeof(rule));
924

925
		INIT_LIST_HEAD(&arch_policy_entry[i].list);
926
		result = ima_parse_rule(rule, &arch_policy_entry[i]);
927
		if (result) {
928
			pr_warn("Skipping unknown architecture policy rule: %s\n",
929
				rule);
930
			memset(&arch_policy_entry[i], 0,
931
			       sizeof(*arch_policy_entry));
932
			continue;
933
		}
934
		i++;
935
	}
936
	return i;
937
}
938

939
/**
940
 * ima_init_policy - initialize the default measure rules.
941
 *
942
 * ima_rules points to either the ima_default_rules or the new ima_policy_rules.
943
 */
944
void __init ima_init_policy(void)
945
{
946
	int build_appraise_entries, arch_entries;
947

948
	/* if !ima_policy, we load NO default rules */
949
	if (ima_policy)
950
		add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
951
			  IMA_DEFAULT_POLICY);
952

953
	switch (ima_policy) {
954
	case ORIGINAL_TCB:
955
		add_rules(original_measurement_rules,
956
			  ARRAY_SIZE(original_measurement_rules),
957
			  IMA_DEFAULT_POLICY);
958
		break;
959
	case DEFAULT_TCB:
960
		add_rules(default_measurement_rules,
961
			  ARRAY_SIZE(default_measurement_rules),
962
			  IMA_DEFAULT_POLICY);
963
		break;
964
	default:
965
		break;
966
	}
967

968
	/*
969
	 * Based on runtime secure boot flags, insert arch specific measurement
970
	 * and appraise rules requiring file signatures for both the initial
971
	 * and custom policies, prior to other appraise rules.
972
	 * (Highest priority)
973
	 */
974
	arch_entries = ima_init_arch_policy();
975
	if (!arch_entries)
976
		pr_info("No architecture policies found\n");
977
	else
978
		add_rules(arch_policy_entry, arch_entries,
979
			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
980

981
	/*
982
	 * Insert the builtin "secure_boot" policy rules requiring file
983
	 * signatures, prior to other appraise rules.
984
	 */
985
	if (ima_use_secure_boot)
986
		add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
987
			  IMA_DEFAULT_POLICY);
988

989
	/*
990
	 * Insert the build time appraise rules requiring file signatures
991
	 * for both the initial and custom policies, prior to other appraise
992
	 * rules. As the secure boot rules includes all of the build time
993
	 * rules, include either one or the other set of rules, but not both.
994
	 */
995
	build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
996
	if (build_appraise_entries) {
997
		if (ima_use_secure_boot)
998
			add_rules(build_appraise_rules, build_appraise_entries,
999
				  IMA_CUSTOM_POLICY);
1000
		else
1001
			add_rules(build_appraise_rules, build_appraise_entries,
1002
				  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
1003
	}
1004

1005
	if (ima_use_appraise_tcb)
1006
		add_rules(default_appraise_rules,
1007
			  ARRAY_SIZE(default_appraise_rules),
1008
			  IMA_DEFAULT_POLICY);
1009

1010
	if (ima_use_critical_data)
1011
		add_rules(critical_data_rules,
1012
			  ARRAY_SIZE(critical_data_rules),
1013
			  IMA_DEFAULT_POLICY);
1014

1015
	atomic_set(&ima_setxattr_allowed_hash_algorithms, 0);
1016

1017
	ima_update_policy_flags();
1018
}
1019

1020
/* Make sure we have a valid policy, at least containing some rules. */
1021
int ima_check_policy(void)
1022
{
1023
	if (list_empty(&ima_temp_rules))
1024
		return -EINVAL;
1025
	return 0;
1026
}
1027

1028
/**
1029
 * ima_update_policy - update default_rules with new measure rules
1030
 *
1031
 * Called on file .release to update the default rules with a complete new
1032
 * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
1033
 * they make a queue.  The policy may be updated multiple times and this is the
1034
 * RCU updater.
1035
 *
1036
 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
1037
 * we switch from the default policy to user defined.
1038
 */
1039
void ima_update_policy(void)
1040
{
1041
	struct list_head *policy = &ima_policy_rules;
1042

1043
	list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
1044

1045
	if (ima_rules != (struct list_head __rcu *)policy) {
1046
		ima_policy_flag = 0;
1047

1048
		rcu_assign_pointer(ima_rules, policy);
1049
		/*
1050
		 * IMA architecture specific policy rules are specified
1051
		 * as strings and converted to an array of ima_entry_rules
1052
		 * on boot.  After loading a custom policy, free the
1053
		 * architecture specific rules stored as an array.
1054
		 */
1055
		kfree(arch_policy_entry);
1056
	}
1057
	ima_update_policy_flags();
1058

1059
	/* Custom IMA policy has been loaded */
1060
	ima_process_queued_keys();
1061
}
1062

1063
/* Keep the enumeration in sync with the policy_tokens! */
1064
enum policy_opt {
1065
	Opt_measure, Opt_dont_measure,
1066
	Opt_appraise, Opt_dont_appraise,
1067
	Opt_audit, Opt_hash, Opt_dont_hash,
1068
	Opt_obj_user, Opt_obj_role, Opt_obj_type,
1069
	Opt_subj_user, Opt_subj_role, Opt_subj_type,
1070
	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid,
1071
	Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq,
1072
	Opt_fowner_eq, Opt_fgroup_eq,
1073
	Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt,
1074
	Opt_fowner_gt, Opt_fgroup_gt,
1075
	Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt,
1076
	Opt_fowner_lt, Opt_fgroup_lt,
1077
	Opt_digest_type,
1078
	Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos,
1079
	Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
1080
	Opt_label, Opt_err
1081
};
1082

1083
static const match_table_t policy_tokens = {
1084
	{Opt_measure, "measure"},
1085
	{Opt_dont_measure, "dont_measure"},
1086
	{Opt_appraise, "appraise"},
1087
	{Opt_dont_appraise, "dont_appraise"},
1088
	{Opt_audit, "audit"},
1089
	{Opt_hash, "hash"},
1090
	{Opt_dont_hash, "dont_hash"},
1091
	{Opt_obj_user, "obj_user=%s"},
1092
	{Opt_obj_role, "obj_role=%s"},
1093
	{Opt_obj_type, "obj_type=%s"},
1094
	{Opt_subj_user, "subj_user=%s"},
1095
	{Opt_subj_role, "subj_role=%s"},
1096
	{Opt_subj_type, "subj_type=%s"},
1097
	{Opt_func, "func=%s"},
1098
	{Opt_mask, "mask=%s"},
1099
	{Opt_fsmagic, "fsmagic=%s"},
1100
	{Opt_fsname, "fsname=%s"},
1101
	{Opt_fsuuid, "fsuuid=%s"},
1102
	{Opt_uid_eq, "uid=%s"},
1103
	{Opt_euid_eq, "euid=%s"},
1104
	{Opt_gid_eq, "gid=%s"},
1105
	{Opt_egid_eq, "egid=%s"},
1106
	{Opt_fowner_eq, "fowner=%s"},
1107
	{Opt_fgroup_eq, "fgroup=%s"},
1108
	{Opt_uid_gt, "uid>%s"},
1109
	{Opt_euid_gt, "euid>%s"},
1110
	{Opt_gid_gt, "gid>%s"},
1111
	{Opt_egid_gt, "egid>%s"},
1112
	{Opt_fowner_gt, "fowner>%s"},
1113
	{Opt_fgroup_gt, "fgroup>%s"},
1114
	{Opt_uid_lt, "uid<%s"},
1115
	{Opt_euid_lt, "euid<%s"},
1116
	{Opt_gid_lt, "gid<%s"},
1117
	{Opt_egid_lt, "egid<%s"},
1118
	{Opt_fowner_lt, "fowner<%s"},
1119
	{Opt_fgroup_lt, "fgroup<%s"},
1120
	{Opt_digest_type, "digest_type=%s"},
1121
	{Opt_appraise_type, "appraise_type=%s"},
1122
	{Opt_appraise_flag, "appraise_flag=%s"},
1123
	{Opt_appraise_algos, "appraise_algos=%s"},
1124
	{Opt_permit_directio, "permit_directio"},
1125
	{Opt_pcr, "pcr=%s"},
1126
	{Opt_template, "template=%s"},
1127
	{Opt_keyrings, "keyrings=%s"},
1128
	{Opt_label, "label=%s"},
1129
	{Opt_err, NULL}
1130
};
1131

1132
static int ima_lsm_rule_init(struct ima_rule_entry *entry,
1133
			     substring_t *args, int lsm_rule, int audit_type)
1134
{
1135
	int result;
1136

1137
	if (entry->lsm[lsm_rule].rule)
1138
		return -EINVAL;
1139

1140
	entry->lsm[lsm_rule].args_p = match_strdup(args);
1141
	if (!entry->lsm[lsm_rule].args_p)
1142
		return -ENOMEM;
1143

1144
	entry->lsm[lsm_rule].type = audit_type;
1145
	result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
1146
				      entry->lsm[lsm_rule].args_p,
1147
				      &entry->lsm[lsm_rule].rule,
1148
				      GFP_KERNEL);
1149
	if (!entry->lsm[lsm_rule].rule) {
1150
		pr_warn("rule for LSM \'%s\' is undefined\n",
1151
			entry->lsm[lsm_rule].args_p);
1152

1153
		if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) {
1154
			kfree(entry->lsm[lsm_rule].args_p);
1155
			entry->lsm[lsm_rule].args_p = NULL;
1156
			result = -EINVAL;
1157
		} else
1158
			result = 0;
1159
	}
1160

1161
	return result;
1162
}
1163

1164
static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
1165
			      enum policy_opt rule_operator)
1166
{
1167
	if (!ab)
1168
		return;
1169

1170
	switch (rule_operator) {
1171
	case Opt_uid_gt:
1172
	case Opt_euid_gt:
1173
	case Opt_gid_gt:
1174
	case Opt_egid_gt:
1175
	case Opt_fowner_gt:
1176
	case Opt_fgroup_gt:
1177
		audit_log_format(ab, "%s>", key);
1178
		break;
1179
	case Opt_uid_lt:
1180
	case Opt_euid_lt:
1181
	case Opt_gid_lt:
1182
	case Opt_egid_lt:
1183
	case Opt_fowner_lt:
1184
	case Opt_fgroup_lt:
1185
		audit_log_format(ab, "%s<", key);
1186
		break;
1187
	default:
1188
		audit_log_format(ab, "%s=", key);
1189
	}
1190
	audit_log_format(ab, "%s ", value);
1191
}
1192
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
1193
{
1194
	ima_log_string_op(ab, key, value, Opt_err);
1195
}
1196

1197
/*
1198
 * Validating the appended signature included in the measurement list requires
1199
 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
1200
 * field). Therefore, notify the user if they have the 'modsig' field but not
1201
 * the 'd-modsig' field in the template.
1202
 */
1203
static void check_template_modsig(const struct ima_template_desc *template)
1204
{
1205
#define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
1206
	bool has_modsig, has_dmodsig;
1207
	static bool checked;
1208
	int i;
1209

1210
	/* We only need to notify the user once. */
1211
	if (checked)
1212
		return;
1213

1214
	has_modsig = has_dmodsig = false;
1215
	for (i = 0; i < template->num_fields; i++) {
1216
		if (!strcmp(template->fields[i]->field_id, "modsig"))
1217
			has_modsig = true;
1218
		else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
1219
			has_dmodsig = true;
1220
	}
1221

1222
	if (has_modsig && !has_dmodsig)
1223
		pr_notice(MSG);
1224

1225
	checked = true;
1226
#undef MSG
1227
}
1228

1229
/*
1230
 * Warn if the template does not contain the given field.
1231
 */
1232
static void check_template_field(const struct ima_template_desc *template,
1233
				 const char *field, const char *msg)
1234
{
1235
	int i;
1236

1237
	for (i = 0; i < template->num_fields; i++)
1238
		if (!strcmp(template->fields[i]->field_id, field))
1239
			return;
1240

1241
	pr_notice_once("%s", msg);
1242
}
1243

1244
static bool ima_validate_rule(struct ima_rule_entry *entry)
1245
{
1246
	/* Ensure that the action is set and is compatible with the flags */
1247
	if (entry->action == UNKNOWN)
1248
		return false;
1249

1250
	if (entry->action != MEASURE && entry->flags & IMA_PCR)
1251
		return false;
1252

1253
	if (entry->action != APPRAISE &&
1254
	    entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED |
1255
			    IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
1256
		return false;
1257

1258
	/*
1259
	 * The IMA_FUNC bit must be set if and only if there's a valid hook
1260
	 * function specified, and vice versa. Enforcing this property allows
1261
	 * for the NONE case below to validate a rule without an explicit hook
1262
	 * function.
1263
	 */
1264
	if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
1265
	    (!(entry->flags & IMA_FUNC) && entry->func != NONE))
1266
		return false;
1267

1268
	/*
1269
	 * Ensure that the hook function is compatible with the other
1270
	 * components of the rule
1271
	 */
1272
	switch (entry->func) {
1273
	case NONE:
1274
	case FILE_CHECK:
1275
	case MMAP_CHECK:
1276
	case MMAP_CHECK_REQPROT:
1277
	case BPRM_CHECK:
1278
	case CREDS_CHECK:
1279
	case POST_SETATTR:
1280
	case FIRMWARE_CHECK:
1281
	case POLICY_CHECK:
1282
		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1283
				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1284
				     IMA_INMASK | IMA_EUID | IMA_PCR |
1285
				     IMA_FSNAME | IMA_GID | IMA_EGID |
1286
				     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
1287
				     IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
1288
				     IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
1289
			return false;
1290

1291
		break;
1292
	case MODULE_CHECK:
1293
	case KEXEC_KERNEL_CHECK:
1294
	case KEXEC_INITRAMFS_CHECK:
1295
		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1296
				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1297
				     IMA_INMASK | IMA_EUID | IMA_PCR |
1298
				     IMA_FSNAME | IMA_GID | IMA_EGID |
1299
				     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
1300
				     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
1301
				     IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
1302
			return false;
1303

1304
		break;
1305
	case KEXEC_CMDLINE:
1306
		if (entry->action & ~(MEASURE | DONT_MEASURE))
1307
			return false;
1308

1309
		if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1310
				     IMA_FOWNER | IMA_FSUUID | IMA_EUID |
1311
				     IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID |
1312
				     IMA_FGROUP))
1313
			return false;
1314

1315
		break;
1316
	case KEY_CHECK:
1317
		if (entry->action & ~(MEASURE | DONT_MEASURE))
1318
			return false;
1319

1320
		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR |
1321
				     IMA_KEYRINGS))
1322
			return false;
1323

1324
		if (ima_rule_contains_lsm_cond(entry))
1325
			return false;
1326

1327
		break;
1328
	case CRITICAL_DATA:
1329
		if (entry->action & ~(MEASURE | DONT_MEASURE))
1330
			return false;
1331

1332
		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR |
1333
				     IMA_LABEL))
1334
			return false;
1335

1336
		if (ima_rule_contains_lsm_cond(entry))
1337
			return false;
1338

1339
		break;
1340
	case SETXATTR_CHECK:
1341
		/* any action other than APPRAISE is unsupported */
1342
		if (entry->action != APPRAISE)
1343
			return false;
1344

1345
		/* SETXATTR_CHECK requires an appraise_algos parameter */
1346
		if (!(entry->flags & IMA_VALIDATE_ALGOS))
1347
			return false;
1348

1349
		/*
1350
		 * full policies are not supported, they would have too
1351
		 * much of a performance impact
1352
		 */
1353
		if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS))
1354
			return false;
1355

1356
		break;
1357
	default:
1358
		return false;
1359
	}
1360

1361
	/* Ensure that combinations of flags are compatible with each other */
1362
	if (entry->flags & IMA_CHECK_BLACKLIST &&
1363
	    !(entry->flags & IMA_DIGSIG_REQUIRED))
1364
		return false;
1365

1366
	/*
1367
	 * Unlike for regular IMA 'appraise' policy rules where security.ima
1368
	 * xattr may contain either a file hash or signature, the security.ima
1369
	 * xattr for fsverity must contain a file signature (sigv3).  Ensure
1370
	 * that 'appraise' rules for fsverity require file signatures by
1371
	 * checking the IMA_DIGSIG_REQUIRED flag is set.
1372
	 */
1373
	if (entry->action == APPRAISE &&
1374
	    (entry->flags & IMA_VERITY_REQUIRED) &&
1375
	    !(entry->flags & IMA_DIGSIG_REQUIRED))
1376
		return false;
1377

1378
	return true;
1379
}
1380

1381
static unsigned int ima_parse_appraise_algos(char *arg)
1382
{
1383
	unsigned int res = 0;
1384
	int idx;
1385
	char *token;
1386

1387
	while ((token = strsep(&arg, ",")) != NULL) {
1388
		idx = match_string(hash_algo_name, HASH_ALGO__LAST, token);
1389

1390
		if (idx < 0) {
1391
			pr_err("unknown hash algorithm \"%s\"",
1392
			       token);
1393
			return 0;
1394
		}
1395

1396
		if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) {
1397
			pr_err("unavailable hash algorithm \"%s\", check your kernel configuration",
1398
			       token);
1399
			return 0;
1400
		}
1401

1402
		/* Add the hash algorithm to the 'allowed' bitfield */
1403
		res |= (1U << idx);
1404
	}
1405

1406
	return res;
1407
}
1408

1409
static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1410
{
1411
	struct audit_buffer *ab;
1412
	char *from;
1413
	char *p;
1414
	bool eid_token; /* either euid or egid */
1415
	struct ima_template_desc *template_desc;
1416
	int result = 0;
1417

1418
	ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
1419
				       AUDIT_INTEGRITY_POLICY_RULE);
1420

1421
	entry->uid = INVALID_UID;
1422
	entry->gid = INVALID_GID;
1423
	entry->fowner = INVALID_UID;
1424
	entry->fgroup = INVALID_GID;
1425
	entry->uid_op = &uid_eq;
1426
	entry->gid_op = &gid_eq;
1427
	entry->fowner_op = &vfsuid_eq_kuid;
1428
	entry->fgroup_op = &vfsgid_eq_kgid;
1429
	entry->action = UNKNOWN;
1430
	while ((p = strsep(&rule, " \t")) != NULL) {
1431
		substring_t args[MAX_OPT_ARGS];
1432
		int token;
1433
		unsigned long lnum;
1434

1435
		if (result < 0 || *p == '#')  /* ignore suffixed comment */
1436
			break;
1437
		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
1438
			continue;
1439
		token = match_token(p, policy_tokens, args);
1440
		switch (token) {
1441
		case Opt_measure:
1442
			ima_log_string(ab, "action", "measure");
1443

1444
			if (entry->action != UNKNOWN)
1445
				result = -EINVAL;
1446

1447
			entry->action = MEASURE;
1448
			break;
1449
		case Opt_dont_measure:
1450
			ima_log_string(ab, "action", "dont_measure");
1451

1452
			if (entry->action != UNKNOWN)
1453
				result = -EINVAL;
1454

1455
			entry->action = DONT_MEASURE;
1456
			break;
1457
		case Opt_appraise:
1458
			ima_log_string(ab, "action", "appraise");
1459

1460
			if (entry->action != UNKNOWN)
1461
				result = -EINVAL;
1462

1463
			entry->action = APPRAISE;
1464
			break;
1465
		case Opt_dont_appraise:
1466
			ima_log_string(ab, "action", "dont_appraise");
1467

1468
			if (entry->action != UNKNOWN)
1469
				result = -EINVAL;
1470

1471
			entry->action = DONT_APPRAISE;
1472
			break;
1473
		case Opt_audit:
1474
			ima_log_string(ab, "action", "audit");
1475

1476
			if (entry->action != UNKNOWN)
1477
				result = -EINVAL;
1478

1479
			entry->action = AUDIT;
1480
			break;
1481
		case Opt_hash:
1482
			ima_log_string(ab, "action", "hash");
1483

1484
			if (entry->action != UNKNOWN)
1485
				result = -EINVAL;
1486

1487
			entry->action = HASH;
1488
			break;
1489
		case Opt_dont_hash:
1490
			ima_log_string(ab, "action", "dont_hash");
1491

1492
			if (entry->action != UNKNOWN)
1493
				result = -EINVAL;
1494

1495
			entry->action = DONT_HASH;
1496
			break;
1497
		case Opt_func:
1498
			ima_log_string(ab, "func", args[0].from);
1499

1500
			if (entry->func)
1501
				result = -EINVAL;
1502

1503
			if (strcmp(args[0].from, "FILE_CHECK") == 0)
1504
				entry->func = FILE_CHECK;
1505
			/* PATH_CHECK is for backwards compat */
1506
			else if (strcmp(args[0].from, "PATH_CHECK") == 0)
1507
				entry->func = FILE_CHECK;
1508
			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
1509
				entry->func = MODULE_CHECK;
1510
			else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
1511
				entry->func = FIRMWARE_CHECK;
1512
			else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
1513
				|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
1514
				entry->func = MMAP_CHECK;
1515
			else if ((strcmp(args[0].from, "MMAP_CHECK_REQPROT") == 0))
1516
				entry->func = MMAP_CHECK_REQPROT;
1517
			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
1518
				entry->func = BPRM_CHECK;
1519
			else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
1520
				entry->func = CREDS_CHECK;
1521
			else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
1522
				 0)
1523
				entry->func = KEXEC_KERNEL_CHECK;
1524
			else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
1525
				 == 0)
1526
				entry->func = KEXEC_INITRAMFS_CHECK;
1527
			else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
1528
				entry->func = POLICY_CHECK;
1529
			else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1530
				entry->func = KEXEC_CMDLINE;
1531
			else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
1532
				 strcmp(args[0].from, "KEY_CHECK") == 0)
1533
				entry->func = KEY_CHECK;
1534
			else if (strcmp(args[0].from, "CRITICAL_DATA") == 0)
1535
				entry->func = CRITICAL_DATA;
1536
			else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0)
1537
				entry->func = SETXATTR_CHECK;
1538
			else
1539
				result = -EINVAL;
1540
			if (!result)
1541
				entry->flags |= IMA_FUNC;
1542
			break;
1543
		case Opt_mask:
1544
			ima_log_string(ab, "mask", args[0].from);
1545

1546
			if (entry->mask)
1547
				result = -EINVAL;
1548

1549
			from = args[0].from;
1550
			if (*from == '^')
1551
				from++;
1552

1553
			if ((strcmp(from, "MAY_EXEC")) == 0)
1554
				entry->mask = MAY_EXEC;
1555
			else if (strcmp(from, "MAY_WRITE") == 0)
1556
				entry->mask = MAY_WRITE;
1557
			else if (strcmp(from, "MAY_READ") == 0)
1558
				entry->mask = MAY_READ;
1559
			else if (strcmp(from, "MAY_APPEND") == 0)
1560
				entry->mask = MAY_APPEND;
1561
			else
1562
				result = -EINVAL;
1563
			if (!result)
1564
				entry->flags |= (*args[0].from == '^')
1565
				     ? IMA_INMASK : IMA_MASK;
1566
			break;
1567
		case Opt_fsmagic:
1568
			ima_log_string(ab, "fsmagic", args[0].from);
1569

1570
			if (entry->fsmagic) {
1571
				result = -EINVAL;
1572
				break;
1573
			}
1574

1575
			result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1576
			if (!result)
1577
				entry->flags |= IMA_FSMAGIC;
1578
			break;
1579
		case Opt_fsname:
1580
			ima_log_string(ab, "fsname", args[0].from);
1581

1582
			entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1583
			if (!entry->fsname) {
1584
				result = -ENOMEM;
1585
				break;
1586
			}
1587
			result = 0;
1588
			entry->flags |= IMA_FSNAME;
1589
			break;
1590
		case Opt_keyrings:
1591
			ima_log_string(ab, "keyrings", args[0].from);
1592

1593
			if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) ||
1594
			    entry->keyrings) {
1595
				result = -EINVAL;
1596
				break;
1597
			}
1598

1599
			entry->keyrings = ima_alloc_rule_opt_list(args);
1600
			if (IS_ERR(entry->keyrings)) {
1601
				result = PTR_ERR(entry->keyrings);
1602
				entry->keyrings = NULL;
1603
				break;
1604
			}
1605

1606
			entry->flags |= IMA_KEYRINGS;
1607
			break;
1608
		case Opt_label:
1609
			ima_log_string(ab, "label", args[0].from);
1610

1611
			if (entry->label) {
1612
				result = -EINVAL;
1613
				break;
1614
			}
1615

1616
			entry->label = ima_alloc_rule_opt_list(args);
1617
			if (IS_ERR(entry->label)) {
1618
				result = PTR_ERR(entry->label);
1619
				entry->label = NULL;
1620
				break;
1621
			}
1622

1623
			entry->flags |= IMA_LABEL;
1624
			break;
1625
		case Opt_fsuuid:
1626
			ima_log_string(ab, "fsuuid", args[0].from);
1627

1628
			if (!uuid_is_null(&entry->fsuuid)) {
1629
				result = -EINVAL;
1630
				break;
1631
			}
1632

1633
			result = uuid_parse(args[0].from, &entry->fsuuid);
1634
			if (!result)
1635
				entry->flags |= IMA_FSUUID;
1636
			break;
1637
		case Opt_uid_gt:
1638
		case Opt_euid_gt:
1639
			entry->uid_op = &uid_gt;
1640
			fallthrough;
1641
		case Opt_uid_lt:
1642
		case Opt_euid_lt:
1643
			if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1644
				entry->uid_op = &uid_lt;
1645
			fallthrough;
1646
		case Opt_uid_eq:
1647
		case Opt_euid_eq:
1648
			eid_token = (token == Opt_euid_eq) ||
1649
				    (token == Opt_euid_gt) ||
1650
				    (token == Opt_euid_lt);
1651

1652
			ima_log_string_op(ab, eid_token ? "euid" : "uid",
1653
					  args[0].from, token);
1654

1655
			if (uid_valid(entry->uid)) {
1656
				result = -EINVAL;
1657
				break;
1658
			}
1659

1660
			result = kstrtoul(args[0].from, 10, &lnum);
1661
			if (!result) {
1662
				entry->uid = make_kuid(current_user_ns(),
1663
						       (uid_t) lnum);
1664
				if (!uid_valid(entry->uid) ||
1665
				    (uid_t)lnum != lnum)
1666
					result = -EINVAL;
1667
				else
1668
					entry->flags |= eid_token
1669
					    ? IMA_EUID : IMA_UID;
1670
			}
1671
			break;
1672
		case Opt_gid_gt:
1673
		case Opt_egid_gt:
1674
			entry->gid_op = &gid_gt;
1675
			fallthrough;
1676
		case Opt_gid_lt:
1677
		case Opt_egid_lt:
1678
			if ((token == Opt_gid_lt) || (token == Opt_egid_lt))
1679
				entry->gid_op = &gid_lt;
1680
			fallthrough;
1681
		case Opt_gid_eq:
1682
		case Opt_egid_eq:
1683
			eid_token = (token == Opt_egid_eq) ||
1684
				    (token == Opt_egid_gt) ||
1685
				    (token == Opt_egid_lt);
1686

1687
			ima_log_string_op(ab, eid_token ? "egid" : "gid",
1688
					  args[0].from, token);
1689

1690
			if (gid_valid(entry->gid)) {
1691
				result = -EINVAL;
1692
				break;
1693
			}
1694

1695
			result = kstrtoul(args[0].from, 10, &lnum);
1696
			if (!result) {
1697
				entry->gid = make_kgid(current_user_ns(),
1698
						       (gid_t)lnum);
1699
				if (!gid_valid(entry->gid) ||
1700
				    (((gid_t)lnum) != lnum))
1701
					result = -EINVAL;
1702
				else
1703
					entry->flags |= eid_token
1704
					    ? IMA_EGID : IMA_GID;
1705
			}
1706
			break;
1707
		case Opt_fowner_gt:
1708
			entry->fowner_op = &vfsuid_gt_kuid;
1709
			fallthrough;
1710
		case Opt_fowner_lt:
1711
			if (token == Opt_fowner_lt)
1712
				entry->fowner_op = &vfsuid_lt_kuid;
1713
			fallthrough;
1714
		case Opt_fowner_eq:
1715
			ima_log_string_op(ab, "fowner", args[0].from, token);
1716

1717
			if (uid_valid(entry->fowner)) {
1718
				result = -EINVAL;
1719
				break;
1720
			}
1721

1722
			result = kstrtoul(args[0].from, 10, &lnum);
1723
			if (!result) {
1724
				entry->fowner = make_kuid(current_user_ns(),
1725
							  (uid_t)lnum);
1726
				if (!uid_valid(entry->fowner) ||
1727
				    (((uid_t)lnum) != lnum))
1728
					result = -EINVAL;
1729
				else
1730
					entry->flags |= IMA_FOWNER;
1731
			}
1732
			break;
1733
		case Opt_fgroup_gt:
1734
			entry->fgroup_op = &vfsgid_gt_kgid;
1735
			fallthrough;
1736
		case Opt_fgroup_lt:
1737
			if (token == Opt_fgroup_lt)
1738
				entry->fgroup_op = &vfsgid_lt_kgid;
1739
			fallthrough;
1740
		case Opt_fgroup_eq:
1741
			ima_log_string_op(ab, "fgroup", args[0].from, token);
1742

1743
			if (gid_valid(entry->fgroup)) {
1744
				result = -EINVAL;
1745
				break;
1746
			}
1747

1748
			result = kstrtoul(args[0].from, 10, &lnum);
1749
			if (!result) {
1750
				entry->fgroup = make_kgid(current_user_ns(),
1751
							  (gid_t)lnum);
1752
				if (!gid_valid(entry->fgroup) ||
1753
				    (((gid_t)lnum) != lnum))
1754
					result = -EINVAL;
1755
				else
1756
					entry->flags |= IMA_FGROUP;
1757
			}
1758
			break;
1759
		case Opt_obj_user:
1760
			ima_log_string(ab, "obj_user", args[0].from);
1761
			result = ima_lsm_rule_init(entry, args,
1762
						   LSM_OBJ_USER,
1763
						   AUDIT_OBJ_USER);
1764
			break;
1765
		case Opt_obj_role:
1766
			ima_log_string(ab, "obj_role", args[0].from);
1767
			result = ima_lsm_rule_init(entry, args,
1768
						   LSM_OBJ_ROLE,
1769
						   AUDIT_OBJ_ROLE);
1770
			break;
1771
		case Opt_obj_type:
1772
			ima_log_string(ab, "obj_type", args[0].from);
1773
			result = ima_lsm_rule_init(entry, args,
1774
						   LSM_OBJ_TYPE,
1775
						   AUDIT_OBJ_TYPE);
1776
			break;
1777
		case Opt_subj_user:
1778
			ima_log_string(ab, "subj_user", args[0].from);
1779
			result = ima_lsm_rule_init(entry, args,
1780
						   LSM_SUBJ_USER,
1781
						   AUDIT_SUBJ_USER);
1782
			break;
1783
		case Opt_subj_role:
1784
			ima_log_string(ab, "subj_role", args[0].from);
1785
			result = ima_lsm_rule_init(entry, args,
1786
						   LSM_SUBJ_ROLE,
1787
						   AUDIT_SUBJ_ROLE);
1788
			break;
1789
		case Opt_subj_type:
1790
			ima_log_string(ab, "subj_type", args[0].from);
1791
			result = ima_lsm_rule_init(entry, args,
1792
						   LSM_SUBJ_TYPE,
1793
						   AUDIT_SUBJ_TYPE);
1794
			break;
1795
		case Opt_digest_type:
1796
			ima_log_string(ab, "digest_type", args[0].from);
1797
			if (entry->flags & IMA_DIGSIG_REQUIRED)
1798
				result = -EINVAL;
1799
			else if ((strcmp(args[0].from, "verity")) == 0)
1800
				entry->flags |= IMA_VERITY_REQUIRED;
1801
			else
1802
				result = -EINVAL;
1803
			break;
1804
		case Opt_appraise_type:
1805
			ima_log_string(ab, "appraise_type", args[0].from);
1806

1807
			if ((strcmp(args[0].from, "imasig")) == 0) {
1808
				if (entry->flags & IMA_VERITY_REQUIRED)
1809
					result = -EINVAL;
1810
				else
1811
					entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
1812
			} else if (strcmp(args[0].from, "sigv3") == 0) {
1813
				/* Only fsverity supports sigv3 for now */
1814
				if (entry->flags & IMA_VERITY_REQUIRED)
1815
					entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
1816
				else
1817
					result = -EINVAL;
1818
			} else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1819
				 strcmp(args[0].from, "imasig|modsig") == 0) {
1820
				if (entry->flags & IMA_VERITY_REQUIRED)
1821
					result = -EINVAL;
1822
				else
1823
					entry->flags |= IMA_DIGSIG_REQUIRED |
1824
						IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST;
1825
			} else {
1826
				result = -EINVAL;
1827
			}
1828
			break;
1829
		case Opt_appraise_flag:
1830
			ima_log_string(ab, "appraise_flag", args[0].from);
1831
			break;
1832
		case Opt_appraise_algos:
1833
			ima_log_string(ab, "appraise_algos", args[0].from);
1834

1835
			if (entry->allowed_algos) {
1836
				result = -EINVAL;
1837
				break;
1838
			}
1839

1840
			entry->allowed_algos =
1841
				ima_parse_appraise_algos(args[0].from);
1842
			/* invalid or empty list of algorithms */
1843
			if (!entry->allowed_algos) {
1844
				result = -EINVAL;
1845
				break;
1846
			}
1847

1848
			entry->flags |= IMA_VALIDATE_ALGOS;
1849

1850
			break;
1851
		case Opt_permit_directio:
1852
			entry->flags |= IMA_PERMIT_DIRECTIO;
1853
			break;
1854
		case Opt_pcr:
1855
			ima_log_string(ab, "pcr", args[0].from);
1856

1857
			result = kstrtoint(args[0].from, 10, &entry->pcr);
1858
			if (result || INVALID_PCR(entry->pcr))
1859
				result = -EINVAL;
1860
			else
1861
				entry->flags |= IMA_PCR;
1862

1863
			break;
1864
		case Opt_template:
1865
			ima_log_string(ab, "template", args[0].from);
1866
			if (entry->action != MEASURE) {
1867
				result = -EINVAL;
1868
				break;
1869
			}
1870
			template_desc = lookup_template_desc(args[0].from);
1871
			if (!template_desc || entry->template) {
1872
				result = -EINVAL;
1873
				break;
1874
			}
1875

1876
			/*
1877
			 * template_desc_init_fields() does nothing if
1878
			 * the template is already initialised, so
1879
			 * it's safe to do this unconditionally
1880
			 */
1881
			template_desc_init_fields(template_desc->fmt,
1882
						 &(template_desc->fields),
1883
						 &(template_desc->num_fields));
1884
			entry->template = template_desc;
1885
			break;
1886
		case Opt_err:
1887
			ima_log_string(ab, "UNKNOWN", p);
1888
			result = -EINVAL;
1889
			break;
1890
		}
1891
	}
1892
	if (!result && !ima_validate_rule(entry))
1893
		result = -EINVAL;
1894
	else if (entry->action == APPRAISE)
1895
		temp_ima_appraise |= ima_appraise_flag(entry->func);
1896

1897
	if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1898
		template_desc = entry->template ? entry->template :
1899
						  ima_template_desc_current();
1900
		check_template_modsig(template_desc);
1901
	}
1902

1903
	/* d-ngv2 template field recommended for unsigned fs-verity digests */
1904
	if (!result && entry->action == MEASURE &&
1905
	    entry->flags & IMA_VERITY_REQUIRED) {
1906
		template_desc = entry->template ? entry->template :
1907
						  ima_template_desc_current();
1908
		check_template_field(template_desc, "d-ngv2",
1909
				     "verity rules should include d-ngv2");
1910
	}
1911

1912
	audit_log_format(ab, "res=%d", !result);
1913
	audit_log_end(ab);
1914
	return result;
1915
}
1916

1917
/**
1918
 * ima_parse_add_rule - add a rule to ima_policy_rules
1919
 * @rule: ima measurement policy rule
1920
 *
1921
 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1922
 * Returns the length of the rule parsed, an error code on failure
1923
 */
1924
ssize_t ima_parse_add_rule(char *rule)
1925
{
1926
	static const char op[] = "update_policy";
1927
	char *p;
1928
	struct ima_rule_entry *entry;
1929
	ssize_t result, len;
1930
	int audit_info = 0;
1931

1932
	p = strsep(&rule, "\n");
1933
	len = strlen(p) + 1;
1934
	p += strspn(p, " \t");
1935

1936
	if (*p == '#' || *p == '\0')
1937
		return len;
1938

1939
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1940
	if (!entry) {
1941
		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1942
				    NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1943
		return -ENOMEM;
1944
	}
1945

1946
	INIT_LIST_HEAD(&entry->list);
1947

1948
	result = ima_parse_rule(p, entry);
1949
	if (result) {
1950
		ima_free_rule(entry);
1951
		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1952
				    NULL, op, "invalid-policy", result,
1953
				    audit_info);
1954
		return result;
1955
	}
1956

1957
	list_add_tail(&entry->list, &ima_temp_rules);
1958

1959
	return len;
1960
}
1961

1962
/**
1963
 * ima_delete_rules() - called to cleanup invalid in-flight policy.
1964
 *
1965
 * We don't need locking as we operate on the temp list, which is
1966
 * different from the active one.  There is also only one user of
1967
 * ima_delete_rules() at a time.
1968
 */
1969
void ima_delete_rules(void)
1970
{
1971
	struct ima_rule_entry *entry, *tmp;
1972

1973
	temp_ima_appraise = 0;
1974
	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1975
		list_del(&entry->list);
1976
		ima_free_rule(entry);
1977
	}
1978
}
1979

1980
#define __ima_hook_stringify(func, str)	(#func),
1981

1982
const char *const func_tokens[] = {
1983
	__ima_hooks(__ima_hook_stringify)
1984
};
1985

1986
#ifdef	CONFIG_IMA_READ_POLICY
1987
enum {
1988
	mask_exec = 0, mask_write, mask_read, mask_append
1989
};
1990

1991
static const char *const mask_tokens[] = {
1992
	"^MAY_EXEC",
1993
	"^MAY_WRITE",
1994
	"^MAY_READ",
1995
	"^MAY_APPEND"
1996
};
1997

1998
void *ima_policy_start(struct seq_file *m, loff_t *pos)
1999
{
2000
	loff_t l = *pos;
2001
	struct ima_rule_entry *entry;
2002
	struct list_head *ima_rules_tmp;
2003

2004
	rcu_read_lock();
2005
	ima_rules_tmp = rcu_dereference(ima_rules);
2006
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
2007
		if (!l--) {
2008
			rcu_read_unlock();
2009
			return entry;
2010
		}
2011
	}
2012
	rcu_read_unlock();
2013
	return NULL;
2014
}
2015

2016
void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
2017
{
2018
	struct ima_rule_entry *entry = v;
2019

2020
	rcu_read_lock();
2021
	entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
2022
	rcu_read_unlock();
2023
	(*pos)++;
2024

2025
	return (&entry->list == &ima_default_rules ||
2026
		&entry->list == &ima_policy_rules) ? NULL : entry;
2027
}
2028

2029
void ima_policy_stop(struct seq_file *m, void *v)
2030
{
2031
}
2032

2033
#define pt(token)	policy_tokens[token].pattern
2034
#define mt(token)	mask_tokens[token]
2035

2036
/*
2037
 * policy_func_show - display the ima_hooks policy rule
2038
 */
2039
static void policy_func_show(struct seq_file *m, enum ima_hooks func)
2040
{
2041
	if (func > 0 && func < MAX_CHECK)
2042
		seq_printf(m, "func=%s ", func_tokens[func]);
2043
	else
2044
		seq_printf(m, "func=%d ", func);
2045
}
2046

2047
static void ima_show_rule_opt_list(struct seq_file *m,
2048
				   const struct ima_rule_opt_list *opt_list)
2049
{
2050
	size_t i;
2051

2052
	for (i = 0; i < opt_list->count; i++)
2053
		seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]);
2054
}
2055

2056
static void ima_policy_show_appraise_algos(struct seq_file *m,
2057
					   unsigned int allowed_hashes)
2058
{
2059
	int idx, list_size = 0;
2060

2061
	for (idx = 0; idx < HASH_ALGO__LAST; idx++) {
2062
		if (!(allowed_hashes & (1U << idx)))
2063
			continue;
2064

2065
		/* only add commas if the list contains multiple entries */
2066
		if (list_size++)
2067
			seq_puts(m, ",");
2068

2069
		seq_puts(m, hash_algo_name[idx]);
2070
	}
2071
}
2072

2073
int ima_policy_show(struct seq_file *m, void *v)
2074
{
2075
	struct ima_rule_entry *entry = v;
2076
	int i;
2077
	char tbuf[64] = {0,};
2078
	int offset = 0;
2079

2080
	rcu_read_lock();
2081

2082
	/* Do not print rules with inactive LSM labels */
2083
	for (i = 0; i < MAX_LSM_RULES; i++) {
2084
		if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
2085
			rcu_read_unlock();
2086
			return 0;
2087
		}
2088
	}
2089

2090
	if (entry->action & MEASURE)
2091
		seq_puts(m, pt(Opt_measure));
2092
	if (entry->action & DONT_MEASURE)
2093
		seq_puts(m, pt(Opt_dont_measure));
2094
	if (entry->action & APPRAISE)
2095
		seq_puts(m, pt(Opt_appraise));
2096
	if (entry->action & DONT_APPRAISE)
2097
		seq_puts(m, pt(Opt_dont_appraise));
2098
	if (entry->action & AUDIT)
2099
		seq_puts(m, pt(Opt_audit));
2100
	if (entry->action & HASH)
2101
		seq_puts(m, pt(Opt_hash));
2102
	if (entry->action & DONT_HASH)
2103
		seq_puts(m, pt(Opt_dont_hash));
2104

2105
	seq_puts(m, " ");
2106

2107
	if (entry->flags & IMA_FUNC)
2108
		policy_func_show(m, entry->func);
2109

2110
	if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
2111
		if (entry->flags & IMA_MASK)
2112
			offset = 1;
2113
		if (entry->mask & MAY_EXEC)
2114
			seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
2115
		if (entry->mask & MAY_WRITE)
2116
			seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
2117
		if (entry->mask & MAY_READ)
2118
			seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
2119
		if (entry->mask & MAY_APPEND)
2120
			seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
2121
		seq_puts(m, " ");
2122
	}
2123

2124
	if (entry->flags & IMA_FSMAGIC) {
2125
		snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
2126
		seq_printf(m, pt(Opt_fsmagic), tbuf);
2127
		seq_puts(m, " ");
2128
	}
2129

2130
	if (entry->flags & IMA_FSNAME) {
2131
		snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
2132
		seq_printf(m, pt(Opt_fsname), tbuf);
2133
		seq_puts(m, " ");
2134
	}
2135

2136
	if (entry->flags & IMA_KEYRINGS) {
2137
		seq_puts(m, "keyrings=");
2138
		ima_show_rule_opt_list(m, entry->keyrings);
2139
		seq_puts(m, " ");
2140
	}
2141

2142
	if (entry->flags & IMA_LABEL) {
2143
		seq_puts(m, "label=");
2144
		ima_show_rule_opt_list(m, entry->label);
2145
		seq_puts(m, " ");
2146
	}
2147

2148
	if (entry->flags & IMA_PCR) {
2149
		snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
2150
		seq_printf(m, pt(Opt_pcr), tbuf);
2151
		seq_puts(m, " ");
2152
	}
2153

2154
	if (entry->flags & IMA_FSUUID) {
2155
		seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
2156
		seq_puts(m, " ");
2157
	}
2158

2159
	if (entry->flags & IMA_UID) {
2160
		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
2161
		if (entry->uid_op == &uid_gt)
2162
			seq_printf(m, pt(Opt_uid_gt), tbuf);
2163
		else if (entry->uid_op == &uid_lt)
2164
			seq_printf(m, pt(Opt_uid_lt), tbuf);
2165
		else
2166
			seq_printf(m, pt(Opt_uid_eq), tbuf);
2167
		seq_puts(m, " ");
2168
	}
2169

2170
	if (entry->flags & IMA_EUID) {
2171
		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
2172
		if (entry->uid_op == &uid_gt)
2173
			seq_printf(m, pt(Opt_euid_gt), tbuf);
2174
		else if (entry->uid_op == &uid_lt)
2175
			seq_printf(m, pt(Opt_euid_lt), tbuf);
2176
		else
2177
			seq_printf(m, pt(Opt_euid_eq), tbuf);
2178
		seq_puts(m, " ");
2179
	}
2180

2181
	if (entry->flags & IMA_GID) {
2182
		snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
2183
		if (entry->gid_op == &gid_gt)
2184
			seq_printf(m, pt(Opt_gid_gt), tbuf);
2185
		else if (entry->gid_op == &gid_lt)
2186
			seq_printf(m, pt(Opt_gid_lt), tbuf);
2187
		else
2188
			seq_printf(m, pt(Opt_gid_eq), tbuf);
2189
		seq_puts(m, " ");
2190
	}
2191

2192
	if (entry->flags & IMA_EGID) {
2193
		snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
2194
		if (entry->gid_op == &gid_gt)
2195
			seq_printf(m, pt(Opt_egid_gt), tbuf);
2196
		else if (entry->gid_op == &gid_lt)
2197
			seq_printf(m, pt(Opt_egid_lt), tbuf);
2198
		else
2199
			seq_printf(m, pt(Opt_egid_eq), tbuf);
2200
		seq_puts(m, " ");
2201
	}
2202

2203
	if (entry->flags & IMA_FOWNER) {
2204
		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
2205
		if (entry->fowner_op == &vfsuid_gt_kuid)
2206
			seq_printf(m, pt(Opt_fowner_gt), tbuf);
2207
		else if (entry->fowner_op == &vfsuid_lt_kuid)
2208
			seq_printf(m, pt(Opt_fowner_lt), tbuf);
2209
		else
2210
			seq_printf(m, pt(Opt_fowner_eq), tbuf);
2211
		seq_puts(m, " ");
2212
	}
2213

2214
	if (entry->flags & IMA_FGROUP) {
2215
		snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup));
2216
		if (entry->fgroup_op == &vfsgid_gt_kgid)
2217
			seq_printf(m, pt(Opt_fgroup_gt), tbuf);
2218
		else if (entry->fgroup_op == &vfsgid_lt_kgid)
2219
			seq_printf(m, pt(Opt_fgroup_lt), tbuf);
2220
		else
2221
			seq_printf(m, pt(Opt_fgroup_eq), tbuf);
2222
		seq_puts(m, " ");
2223
	}
2224

2225
	if (entry->flags & IMA_VALIDATE_ALGOS) {
2226
		seq_puts(m, "appraise_algos=");
2227
		ima_policy_show_appraise_algos(m, entry->allowed_algos);
2228
		seq_puts(m, " ");
2229
	}
2230

2231
	for (i = 0; i < MAX_LSM_RULES; i++) {
2232
		if (entry->lsm[i].rule) {
2233
			switch (i) {
2234
			case LSM_OBJ_USER:
2235
				seq_printf(m, pt(Opt_obj_user),
2236
					   entry->lsm[i].args_p);
2237
				break;
2238
			case LSM_OBJ_ROLE:
2239
				seq_printf(m, pt(Opt_obj_role),
2240
					   entry->lsm[i].args_p);
2241
				break;
2242
			case LSM_OBJ_TYPE:
2243
				seq_printf(m, pt(Opt_obj_type),
2244
					   entry->lsm[i].args_p);
2245
				break;
2246
			case LSM_SUBJ_USER:
2247
				seq_printf(m, pt(Opt_subj_user),
2248
					   entry->lsm[i].args_p);
2249
				break;
2250
			case LSM_SUBJ_ROLE:
2251
				seq_printf(m, pt(Opt_subj_role),
2252
					   entry->lsm[i].args_p);
2253
				break;
2254
			case LSM_SUBJ_TYPE:
2255
				seq_printf(m, pt(Opt_subj_type),
2256
					   entry->lsm[i].args_p);
2257
				break;
2258
			}
2259
			seq_puts(m, " ");
2260
		}
2261
	}
2262
	if (entry->template)
2263
		seq_printf(m, "template=%s ", entry->template->name);
2264
	if (entry->flags & IMA_DIGSIG_REQUIRED) {
2265
		if (entry->flags & IMA_VERITY_REQUIRED)
2266
			seq_puts(m, "appraise_type=sigv3 ");
2267
		else if (entry->flags & IMA_MODSIG_ALLOWED)
2268
			seq_puts(m, "appraise_type=imasig|modsig ");
2269
		else
2270
			seq_puts(m, "appraise_type=imasig ");
2271
	}
2272
	if (entry->flags & IMA_VERITY_REQUIRED)
2273
		seq_puts(m, "digest_type=verity ");
2274
	if (entry->flags & IMA_PERMIT_DIRECTIO)
2275
		seq_puts(m, "permit_directio ");
2276
	rcu_read_unlock();
2277
	seq_puts(m, "\n");
2278
	return 0;
2279
}
2280
#endif	/* CONFIG_IMA_READ_POLICY */
2281

2282
#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
2283
/*
2284
 * ima_appraise_signature: whether IMA will appraise a given function using
2285
 * an IMA digital signature. This is restricted to cases where the kernel
2286
 * has a set of built-in trusted keys in order to avoid an attacker simply
2287
 * loading additional keys.
2288
 */
2289
bool ima_appraise_signature(enum kernel_read_file_id id)
2290
{
2291
	struct ima_rule_entry *entry;
2292
	bool found = false;
2293
	enum ima_hooks func;
2294
	struct list_head *ima_rules_tmp;
2295

2296
	if (id >= READING_MAX_ID)
2297
		return false;
2298

2299
	if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
2300
	    && security_locked_down(LOCKDOWN_KEXEC))
2301
		return false;
2302

2303
	func = read_idmap[id] ?: FILE_CHECK;
2304

2305
	rcu_read_lock();
2306
	ima_rules_tmp = rcu_dereference(ima_rules);
2307
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
2308
		if (entry->action != APPRAISE)
2309
			continue;
2310

2311
		/*
2312
		 * A generic entry will match, but otherwise require that it
2313
		 * match the func we're looking for
2314
		 */
2315
		if (entry->func && entry->func != func)
2316
			continue;
2317

2318
		/*
2319
		 * We require this to be a digital signature, not a raw IMA
2320
		 * hash.
2321
		 */
2322
		if (entry->flags & IMA_DIGSIG_REQUIRED)
2323
			found = true;
2324

2325
		/*
2326
		 * We've found a rule that matches, so break now even if it
2327
		 * didn't require a digital signature - a later rule that does
2328
		 * won't override it, so would be a false positive.
2329
		 */
2330
		break;
2331
	}
2332

2333
	rcu_read_unlock();
2334
	return found;
2335
}
2336
#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
2337

2338