1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * Copyright (C) 2008 IBM Corporation
4
 * Author: Mimi Zohar <[email protected]>
5
 *
6
 * ima_policy.c
7
 *	- initialize default measure policy rules
8
 */
9

10
#include <linux/init.h>
11
#include <linux/list.h>
12
#include <linux/kernel_read_file.h>
13
#include <linux/fs.h>
14
#include <linux/security.h>
15
#include <linux/magic.h>
16
#include <linux/parser.h>
17
#include <linux/slab.h>
18
#include <linux/rculist.h>
19
#include <linux/seq_file.h>
20
#include <linux/ima.h>
21

22
#include "ima.h"
23

24
/* flags definitions */
25
#define IMA_FUNC	0x0001
26
#define IMA_MASK	0x0002
27
#define IMA_FSMAGIC	0x0004
28
#define IMA_UID		0x0008
29
#define IMA_FOWNER	0x0010
30
#define IMA_FSUUID	0x0020
31
#define IMA_INMASK	0x0040
32
#define IMA_EUID	0x0080
33
#define IMA_PCR		0x0100
34
#define IMA_FSNAME	0x0200
35
#define IMA_KEYRINGS	0x0400
36
#define IMA_LABEL	0x0800
37
#define IMA_VALIDATE_ALGOS	0x1000
38
#define IMA_GID		0x2000
39
#define IMA_EGID	0x4000
40
#define IMA_FGROUP	0x8000
41
#define IMA_FS_SUBTYPE	0x10000
42

43
#define UNKNOWN		0
44
#define MEASURE		0x0001	/* same as IMA_MEASURE */
45
#define DONT_MEASURE	0x0002
46
#define APPRAISE	0x0004	/* same as IMA_APPRAISE */
47
#define DONT_APPRAISE	0x0008
48
#define AUDIT		0x0040
49
#define DONT_AUDIT	0x0080
50
#define HASH		0x0100
51
#define DONT_HASH	0x0200
52

53
#define INVALID_PCR(a) (((a) < 0) || \
54
	(a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
55

56
int ima_policy_flag;
57
static int temp_ima_appraise;
58
static int build_ima_appraise __ro_after_init;
59

60
atomic_t ima_setxattr_allowed_hash_algorithms;
61

62
#define MAX_LSM_RULES 6
63
enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
64
	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
65
};
66

67
enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
68

69
enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
70

71
struct ima_rule_opt_list {
72
	size_t count;
73
	char *items[] __counted_by(count);
74
};
75

76
/*
77
 * These comparators are needed nowhere outside of ima so just define them here.
78
 * This pattern should hopefully never be needed outside of ima.
79
 */
80
static inline bool vfsuid_gt_kuid(vfsuid_t vfsuid, kuid_t kuid)
81
{
82
	return __vfsuid_val(vfsuid) > __kuid_val(kuid);
83
}
84

85
static inline bool vfsgid_gt_kgid(vfsgid_t vfsgid, kgid_t kgid)
86
{
87
	return __vfsgid_val(vfsgid) > __kgid_val(kgid);
88
}
89

90
static inline bool vfsuid_lt_kuid(vfsuid_t vfsuid, kuid_t kuid)
91
{
92
	return __vfsuid_val(vfsuid) < __kuid_val(kuid);
93
}
94

95
static inline bool vfsgid_lt_kgid(vfsgid_t vfsgid, kgid_t kgid)
96
{
97
	return __vfsgid_val(vfsgid) < __kgid_val(kgid);
98
}
99

100
struct ima_rule_entry {
101
	struct list_head list;
102
	int action;
103
	unsigned int flags;
104
	enum ima_hooks func;
105
	int mask;
106
	unsigned long fsmagic;
107
	uuid_t fsuuid;
108
	kuid_t uid;
109
	kgid_t gid;
110
	kuid_t fowner;
111
	kgid_t fgroup;
112
	bool (*uid_op)(kuid_t cred_uid, kuid_t rule_uid);    /* Handlers for operators       */
113
	bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid);
114
	bool (*fowner_op)(vfsuid_t vfsuid, kuid_t rule_uid); /* vfsuid_eq_kuid(), vfsuid_gt_kuid(), vfsuid_lt_kuid() */
115
	bool (*fgroup_op)(vfsgid_t vfsgid, kgid_t rule_gid); /* vfsgid_eq_kgid(), vfsgid_gt_kgid(), vfsgid_lt_kgid() */
116
	int pcr;
117
	unsigned int allowed_algos; /* bitfield of allowed hash algorithms */
118
	struct {
119
		void *rule;	/* LSM file metadata specific */
120
		char *args_p;	/* audit value */
121
		int type;	/* audit type */
122
	} lsm[MAX_LSM_RULES];
123
	char *fsname;
124
	char *fs_subtype;
125
	struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
126
	struct ima_rule_opt_list *label; /* Measure data grouped under this label */
127
	struct ima_template_desc *template;
128
};
129

130
/*
131
 * sanity check in case the kernels gains more hash algorithms that can
132
 * fit in an unsigned int
133
 */
134
static_assert(
135
	8 * sizeof(unsigned int) >= HASH_ALGO__LAST,
136
	"The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type");
137

138
/*
139
 * Without LSM specific knowledge, the default policy can only be
140
 * written in terms of .action, .func, .mask, .fsmagic, .uid, .gid,
141
 * .fowner, and .fgroup
142
 */
143

144
/*
145
 * The minimum rule set to allow for full TCB coverage.  Measures all files
146
 * opened or mmap for exec and everything read by root.  Dangerous because
147
 * normal users can easily run the machine out of memory simply building
148
 * and running executables.
149
 */
150
static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
151
	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
152
	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
153
	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
154
	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
155
	 .flags = IMA_FSMAGIC | IMA_FUNC},
156
	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
157
	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
158
	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
159
	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
160
	{.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
161
	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
162
	 .flags = IMA_FSMAGIC},
163
	{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
164
	 .flags = IMA_FSMAGIC},
165
	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
166
	{.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
167
};
168

169
static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
170
	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
171
	 .flags = IMA_FUNC | IMA_MASK},
172
	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
173
	 .flags = IMA_FUNC | IMA_MASK},
174
	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
175
	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
176
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
177
	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
178
	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
179
};
180

181
static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
182
	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
183
	 .flags = IMA_FUNC | IMA_MASK},
184
	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
185
	 .flags = IMA_FUNC | IMA_MASK},
186
	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
187
	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
188
	 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
189
	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
190
	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
191
	 .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
192
	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
193
	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
194
	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
195
};
196

197
static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
198
	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
199
	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
200
	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
201
	{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
202
	{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
203
	{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
204
	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
205
	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
206
	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
207
	{.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
208
	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
209
	{.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
210
	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
211
	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
212
#ifdef CONFIG_IMA_WRITE_POLICY
213
	{.action = APPRAISE, .func = POLICY_CHECK,
214
	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
215
#endif
216
#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
217
	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid,
218
	 .flags = IMA_FOWNER},
219
#else
220
	/* force signature */
221
	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid,
222
	 .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
223
#endif
224
};
225

226
static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
227
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
228
	{.action = APPRAISE, .func = MODULE_CHECK,
229
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
230
#endif
231
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
232
	{.action = APPRAISE, .func = FIRMWARE_CHECK,
233
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
234
#endif
235
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
236
	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
237
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
238
#endif
239
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
240
	{.action = APPRAISE, .func = POLICY_CHECK,
241
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
242
#endif
243
};
244

245
static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
246
	{.action = APPRAISE, .func = MODULE_CHECK,
247
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED |
248
		  IMA_CHECK_BLACKLIST},
249
	{.action = APPRAISE, .func = FIRMWARE_CHECK,
250
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
251
	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
252
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
253
	{.action = APPRAISE, .func = POLICY_CHECK,
254
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
255
};
256

257
static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
258
	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
259
};
260

261
/* An array of architecture specific rules */
262
static struct ima_rule_entry *arch_policy_entry __ro_after_init;
263

264
static LIST_HEAD(ima_default_rules);
265
static LIST_HEAD(ima_policy_rules);
266
static LIST_HEAD(ima_temp_rules);
267
static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules);
268

269
static int ima_policy __initdata;
270

271
static int __init default_measure_policy_setup(char *str)
272
{
273
	if (ima_policy)
274
		return 1;
275

276
	ima_policy = ORIGINAL_TCB;
277
	return 1;
278
}
279
__setup("ima_tcb", default_measure_policy_setup);
280

281
static bool ima_use_appraise_tcb __initdata;
282
static bool ima_use_secure_boot __initdata;
283
static bool ima_use_critical_data __initdata;
284
static bool ima_fail_unverifiable_sigs __ro_after_init;
285
static int __init policy_setup(char *str)
286
{
287
	char *p;
288

289
	while ((p = strsep(&str, " |\n")) != NULL) {
290
		if (*p == ' ')
291
			continue;
292
		if ((strcmp(p, "tcb") == 0) && !ima_policy)
293
			ima_policy = DEFAULT_TCB;
294
		else if (strcmp(p, "appraise_tcb") == 0)
295
			ima_use_appraise_tcb = true;
296
		else if (strcmp(p, "secure_boot") == 0)
297
			ima_use_secure_boot = true;
298
		else if (strcmp(p, "critical_data") == 0)
299
			ima_use_critical_data = true;
300
		else if (strcmp(p, "fail_securely") == 0)
301
			ima_fail_unverifiable_sigs = true;
302
		else
303
			pr_err("policy \"%s\" not found", p);
304
	}
305

306
	return 1;
307
}
308
__setup("ima_policy=", policy_setup);
309

310
static int __init default_appraise_policy_setup(char *str)
311
{
312
	ima_use_appraise_tcb = true;
313
	return 1;
314
}
315
__setup("ima_appraise_tcb", default_appraise_policy_setup);
316

317
static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src)
318
{
319
	struct ima_rule_opt_list *opt_list;
320
	size_t count = 0;
321
	char *src_copy;
322
	char *cur, *next;
323
	size_t i;
324

325
	src_copy = match_strdup(src);
326
	if (!src_copy)
327
		return ERR_PTR(-ENOMEM);
328

329
	next = src_copy;
330
	while ((cur = strsep(&next, "|"))) {
331
		/* Don't accept an empty list item */
332
		if (!(*cur)) {
333
			kfree(src_copy);
334
			return ERR_PTR(-EINVAL);
335
		}
336
		count++;
337
	}
338

339
	/* Don't accept an empty list */
340
	if (!count) {
341
		kfree(src_copy);
342
		return ERR_PTR(-EINVAL);
343
	}
344

345
	opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL);
346
	if (!opt_list) {
347
		kfree(src_copy);
348
		return ERR_PTR(-ENOMEM);
349
	}
350
	opt_list->count = count;
351

352
	/*
353
	 * strsep() has already replaced all instances of '|' with '\0',
354
	 * leaving a byte sequence of NUL-terminated strings. Reference each
355
	 * string with the array of items.
356
	 *
357
	 * IMPORTANT: Ownership of the allocated buffer is transferred from
358
	 * src_copy to the first element in the items array. To free the
359
	 * buffer, kfree() must only be called on the first element of the
360
	 * array.
361
	 */
362
	for (i = 0, cur = src_copy; i < count; i++) {
363
		opt_list->items[i] = cur;
364
		cur = strchr(cur, '\0') + 1;
365
	}
366

367
	return opt_list;
368
}
369

370
static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
371
{
372
	if (!opt_list)
373
		return;
374

375
	if (opt_list->count) {
376
		kfree(opt_list->items[0]);
377
		opt_list->count = 0;
378
	}
379

380
	kfree(opt_list);
381
}
382

383
static void ima_lsm_free_rule(struct ima_rule_entry *entry)
384
{
385
	int i;
386

387
	for (i = 0; i < MAX_LSM_RULES; i++) {
388
		ima_filter_rule_free(entry->lsm[i].rule);
389
		kfree(entry->lsm[i].args_p);
390
	}
391
}
392

393
static void ima_free_rule(struct ima_rule_entry *entry)
394
{
395
	if (!entry)
396
		return;
397

398
	/*
399
	 * entry->template->fields may be allocated in ima_parse_rule() but that
400
	 * reference is owned by the corresponding ima_template_desc element in
401
	 * the defined_templates list and cannot be freed here
402
	 */
403
	kfree(entry->fsname);
404
	kfree(entry->fs_subtype);
405
	ima_free_rule_opt_list(entry->keyrings);
406
	ima_lsm_free_rule(entry);
407
	kfree(entry);
408
}
409

410
static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry,
411
						gfp_t gfp)
412
{
413
	struct ima_rule_entry *nentry;
414
	int i;
415

416
	/*
417
	 * Immutable elements are copied over as pointers and data; only
418
	 * lsm rules can change
419
	 */
420
	nentry = kmemdup(entry, sizeof(*nentry), gfp);
421
	if (!nentry)
422
		return NULL;
423

424
	memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm));
425

426
	for (i = 0; i < MAX_LSM_RULES; i++) {
427
		if (!entry->lsm[i].args_p)
428
			continue;
429

430
		nentry->lsm[i].type = entry->lsm[i].type;
431
		nentry->lsm[i].args_p = entry->lsm[i].args_p;
432

433
		ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
434
				     nentry->lsm[i].args_p,
435
				     &nentry->lsm[i].rule,
436
				     gfp);
437
		if (!nentry->lsm[i].rule)
438
			pr_warn("rule for LSM \'%s\' is undefined\n",
439
				nentry->lsm[i].args_p);
440
	}
441
	return nentry;
442
}
443

444
static int ima_lsm_update_rule(struct ima_rule_entry *entry)
445
{
446
	int i;
447
	struct ima_rule_entry *nentry;
448

449
	nentry = ima_lsm_copy_rule(entry, GFP_KERNEL);
450
	if (!nentry)
451
		return -ENOMEM;
452

453
	list_replace_rcu(&entry->list, &nentry->list);
454
	synchronize_rcu();
455
	/*
456
	 * ima_lsm_copy_rule() shallow copied all references, except for the
457
	 * LSM references, from entry to nentry so we only want to free the LSM
458
	 * references and the entry itself. All other memory references will now
459
	 * be owned by nentry.
460
	 */
461
	for (i = 0; i < MAX_LSM_RULES; i++)
462
		ima_filter_rule_free(entry->lsm[i].rule);
463
	kfree(entry);
464

465
	return 0;
466
}
467

468
static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
469
{
470
	int i;
471

472
	for (i = 0; i < MAX_LSM_RULES; i++)
473
		if (entry->lsm[i].args_p)
474
			return true;
475

476
	return false;
477
}
478

479
/*
480
 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
481
 * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
482
 * the reloaded LSM policy.
483
 */
484
static void ima_lsm_update_rules(void)
485
{
486
	struct ima_rule_entry *entry, *e;
487
	int result;
488

489
	list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
490
		if (!ima_rule_contains_lsm_cond(entry))
491
			continue;
492

493
		result = ima_lsm_update_rule(entry);
494
		if (result) {
495
			pr_err("lsm rule update error %d\n", result);
496
			return;
497
		}
498
	}
499
}
500

501
int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
502
			  void *lsm_data)
503
{
504
	if (event != LSM_POLICY_CHANGE)
505
		return NOTIFY_DONE;
506

507
	ima_lsm_update_rules();
508
	return NOTIFY_OK;
509
}
510

511
/**
512
 * ima_match_rule_data - determine whether func_data matches the policy rule
513
 * @rule: a pointer to a rule
514
 * @func_data: data to match against the measure rule data
515
 * @cred: a pointer to a credentials structure for user validation
516
 *
517
 * Returns true if func_data matches one in the rule, false otherwise.
518
 */
519
static bool ima_match_rule_data(struct ima_rule_entry *rule,
520
				const char *func_data,
521
				const struct cred *cred)
522
{
523
	const struct ima_rule_opt_list *opt_list = NULL;
524
	bool matched = false;
525
	size_t i;
526

527
	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
528
		return false;
529

530
	switch (rule->func) {
531
	case KEY_CHECK:
532
		if (!rule->keyrings)
533
			return true;
534

535
		opt_list = rule->keyrings;
536
		break;
537
	case CRITICAL_DATA:
538
		if (!rule->label)
539
			return true;
540

541
		opt_list = rule->label;
542
		break;
543
	default:
544
		return false;
545
	}
546

547
	if (!func_data)
548
		return false;
549

550
	for (i = 0; i < opt_list->count; i++) {
551
		if (!strcmp(opt_list->items[i], func_data)) {
552
			matched = true;
553
			break;
554
		}
555
	}
556

557
	return matched;
558
}
559

560
/**
561
 * ima_match_rules - determine whether an inode matches the policy rule.
562
 * @rule: a pointer to a rule
563
 * @idmap: idmap of the mount the inode was found from
564
 * @inode: a pointer to an inode
565
 * @cred: a pointer to a credentials structure for user validation
566
 * @prop: LSM properties of the task to be validated
567
 * @func: LIM hook identifier
568
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
569
 * @func_data: func specific data, may be NULL
570
 *
571
 * Returns true on rule match, false on failure.
572
 */
573
static bool ima_match_rules(struct ima_rule_entry *rule,
574
			    struct mnt_idmap *idmap,
575
			    struct inode *inode, const struct cred *cred,
576
			    struct lsm_prop *prop, enum ima_hooks func, int mask,
577
			    const char *func_data)
578
{
579
	int i;
580
	bool result = false;
581
	struct ima_rule_entry *lsm_rule = rule;
582
	bool rule_reinitialized = false;
583

584
	if ((rule->flags & IMA_FUNC) &&
585
	    (rule->func != func && func != POST_SETATTR))
586
		return false;
587

588
	switch (func) {
589
	case KEY_CHECK:
590
	case CRITICAL_DATA:
591
		return ((rule->func == func) &&
592
			ima_match_rule_data(rule, func_data, cred));
593
	default:
594
		break;
595
	}
596

597
	if ((rule->flags & IMA_MASK) &&
598
	    (rule->mask != mask && func != POST_SETATTR))
599
		return false;
600
	if ((rule->flags & IMA_INMASK) &&
601
	    (!(rule->mask & mask) && func != POST_SETATTR))
602
		return false;
603
	if ((rule->flags & IMA_FSMAGIC)
604
	    && rule->fsmagic != inode->i_sb->s_magic)
605
		return false;
606
	if ((rule->flags & IMA_FSNAME)
607
	    && strcmp(rule->fsname, inode->i_sb->s_type->name))
608
		return false;
609
	if (rule->flags & IMA_FS_SUBTYPE) {
610
		if (!inode->i_sb->s_subtype)
611
			return false;
612
		if (strcmp(rule->fs_subtype, inode->i_sb->s_subtype))
613
			return false;
614
	}
615
	if ((rule->flags & IMA_FSUUID) &&
616
	    !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
617
		return false;
618
	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
619
		return false;
620
	if (rule->flags & IMA_EUID) {
621
		if (has_capability_noaudit(current, CAP_SETUID)) {
622
			if (!rule->uid_op(cred->euid, rule->uid)
623
			    && !rule->uid_op(cred->suid, rule->uid)
624
			    && !rule->uid_op(cred->uid, rule->uid))
625
				return false;
626
		} else if (!rule->uid_op(cred->euid, rule->uid))
627
			return false;
628
	}
629
	if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid))
630
		return false;
631
	if (rule->flags & IMA_EGID) {
632
		if (has_capability_noaudit(current, CAP_SETGID)) {
633
			if (!rule->gid_op(cred->egid, rule->gid)
634
			    && !rule->gid_op(cred->sgid, rule->gid)
635
			    && !rule->gid_op(cred->gid, rule->gid))
636
				return false;
637
		} else if (!rule->gid_op(cred->egid, rule->gid))
638
			return false;
639
	}
640
	if ((rule->flags & IMA_FOWNER) &&
641
	    !rule->fowner_op(i_uid_into_vfsuid(idmap, inode),
642
			     rule->fowner))
643
		return false;
644
	if ((rule->flags & IMA_FGROUP) &&
645
	    !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode),
646
			     rule->fgroup))
647
		return false;
648
	for (i = 0; i < MAX_LSM_RULES; i++) {
649
		int rc = 0;
650
		struct lsm_prop inode_prop = { };
651

652
		if (!lsm_rule->lsm[i].rule) {
653
			if (!lsm_rule->lsm[i].args_p)
654
				continue;
655
			else
656
				return false;
657
		}
658

659
retry:
660
		switch (i) {
661
		case LSM_OBJ_USER:
662
		case LSM_OBJ_ROLE:
663
		case LSM_OBJ_TYPE:
664
			security_inode_getlsmprop(inode, &inode_prop);
665
			rc = ima_filter_rule_match(&inode_prop,
666
						   lsm_rule->lsm[i].type,
667
						   Audit_equal,
668
						   lsm_rule->lsm[i].rule);
669
			break;
670
		case LSM_SUBJ_USER:
671
		case LSM_SUBJ_ROLE:
672
		case LSM_SUBJ_TYPE:
673
			rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type,
674
						   Audit_equal,
675
						   lsm_rule->lsm[i].rule);
676
			break;
677
		default:
678
			break;
679
		}
680

681
		if (rc == -ESTALE && !rule_reinitialized) {
682
			lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC);
683
			if (lsm_rule) {
684
				rule_reinitialized = true;
685
				goto retry;
686
			}
687
		}
688
		if (rc <= 0) {
689
			result = false;
690
			goto out;
691
		}
692
	}
693
	result = true;
694

695
out:
696
	if (rule_reinitialized) {
697
		for (i = 0; i < MAX_LSM_RULES; i++)
698
			ima_filter_rule_free(lsm_rule->lsm[i].rule);
699
		kfree(lsm_rule);
700
	}
701
	return result;
702
}
703

704
/*
705
 * In addition to knowing that we need to appraise the file in general,
706
 * we need to differentiate between calling hooks, for hook specific rules.
707
 */
708
static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
709
{
710
	if (!(rule->flags & IMA_FUNC))
711
		return IMA_FILE_APPRAISE;
712

713
	switch (func) {
714
	case MMAP_CHECK:
715
	case MMAP_CHECK_REQPROT:
716
		return IMA_MMAP_APPRAISE;
717
	case BPRM_CHECK:
718
		return IMA_BPRM_APPRAISE;
719
	case CREDS_CHECK:
720
		return IMA_CREDS_APPRAISE;
721
	case FILE_CHECK:
722
	case POST_SETATTR:
723
		return IMA_FILE_APPRAISE;
724
	case MODULE_CHECK ... MAX_CHECK - 1:
725
	default:
726
		return IMA_READ_APPRAISE;
727
	}
728
}
729

730
/**
731
 * ima_match_policy - decision based on LSM and other conditions
732
 * @idmap: idmap of the mount the inode was found from
733
 * @inode: pointer to an inode for which the policy decision is being made
734
 * @cred: pointer to a credentials structure for which the policy decision is
735
 *        being made
736
 * @prop: LSM properties of the task to be validated
737
 * @func: IMA hook identifier
738
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
739
 * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE)
740
 * @pcr: set the pcr to extend
741
 * @template_desc: the template that should be used for this rule
742
 * @func_data: func specific data, may be NULL
743
 * @allowed_algos: allowlist of hash algorithms for the IMA xattr
744
 *
745
 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
746
 * conditions.
747
 *
748
 * Since the IMA policy may be updated multiple times we need to lock the
749
 * list when walking it.  Reads are many orders of magnitude more numerous
750
 * than writes so ima_match_policy() is classical RCU candidate.
751
 */
752
int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode,
753
		     const struct cred *cred, struct lsm_prop *prop,
754
		     enum ima_hooks func, int mask, int flags, int *pcr,
755
		     struct ima_template_desc **template_desc,
756
		     const char *func_data, unsigned int *allowed_algos)
757
{
758
	struct ima_rule_entry *entry;
759
	int action = 0, actmask = flags | (flags << 1);
760
	struct list_head *ima_rules_tmp;
761

762
	if (template_desc && !*template_desc)
763
		*template_desc = ima_template_desc_current();
764

765
	rcu_read_lock();
766
	ima_rules_tmp = rcu_dereference(ima_rules);
767
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
768

769
		if (!(entry->action & actmask))
770
			continue;
771

772
		if (!ima_match_rules(entry, idmap, inode, cred, prop,
773
				     func, mask, func_data))
774
			continue;
775

776
		action |= entry->flags & IMA_NONACTION_FLAGS;
777

778
		action |= entry->action & IMA_DO_MASK;
779
		if (entry->action & IMA_APPRAISE) {
780
			action |= get_subaction(entry, func);
781
			action &= ~IMA_HASH;
782
			if (ima_fail_unverifiable_sigs)
783
				action |= IMA_FAIL_UNVERIFIABLE_SIGS;
784

785
			if (allowed_algos &&
786
			    entry->flags & IMA_VALIDATE_ALGOS)
787
				*allowed_algos = entry->allowed_algos;
788
		}
789

790
		if (entry->action & IMA_DO_MASK)
791
			actmask &= ~(entry->action | entry->action << 1);
792
		else
793
			actmask &= ~(entry->action | entry->action >> 1);
794

795
		if ((pcr) && (entry->flags & IMA_PCR))
796
			*pcr = entry->pcr;
797

798
		if (template_desc && entry->template)
799
			*template_desc = entry->template;
800

801
		if (!actmask)
802
			break;
803
	}
804
	rcu_read_unlock();
805

806
	return action;
807
}
808

809
/**
810
 * ima_update_policy_flags() - Update global IMA variables
811
 *
812
 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms
813
 * based on the currently loaded policy.
814
 *
815
 * With ima_policy_flag, the decision to short circuit out of a function
816
 * or not call the function in the first place can be made earlier.
817
 *
818
 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the
819
 * set of hash algorithms accepted when updating the security.ima xattr of
820
 * a file.
821
 *
822
 * Context: called after a policy update and at system initialization.
823
 */
824
void ima_update_policy_flags(void)
825
{
826
	struct ima_rule_entry *entry;
827
	int new_policy_flag = 0;
828
	struct list_head *ima_rules_tmp;
829

830
	rcu_read_lock();
831
	ima_rules_tmp = rcu_dereference(ima_rules);
832
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
833
		/*
834
		 * SETXATTR_CHECK rules do not implement a full policy check
835
		 * because rule checking would probably have an important
836
		 * performance impact on setxattr(). As a consequence, only one
837
		 * SETXATTR_CHECK can be active at a given time.
838
		 * Because we want to preserve that property, we set out to use
839
		 * atomic_cmpxchg. Either:
840
		 * - the atomic was non-zero: a setxattr hash policy is
841
		 *   already enforced, we do nothing
842
		 * - the atomic was zero: no setxattr policy was set, enable
843
		 *   the setxattr hash policy
844
		 */
845
		if (entry->func == SETXATTR_CHECK) {
846
			atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms,
847
				       0, entry->allowed_algos);
848
			/* SETXATTR_CHECK doesn't impact ima_policy_flag */
849
			continue;
850
		}
851

852
		if (entry->action & IMA_DO_MASK)
853
			new_policy_flag |= entry->action;
854
	}
855
	rcu_read_unlock();
856

857
	ima_appraise |= (build_ima_appraise | temp_ima_appraise);
858
	if (!ima_appraise)
859
		new_policy_flag &= ~IMA_APPRAISE;
860

861
	ima_policy_flag = new_policy_flag;
862
}
863

864
static int ima_appraise_flag(enum ima_hooks func)
865
{
866
	if (func == MODULE_CHECK)
867
		return IMA_APPRAISE_MODULES;
868
	else if (func == FIRMWARE_CHECK)
869
		return IMA_APPRAISE_FIRMWARE;
870
	else if (func == POLICY_CHECK)
871
		return IMA_APPRAISE_POLICY;
872
	else if (func == KEXEC_KERNEL_CHECK)
873
		return IMA_APPRAISE_KEXEC;
874
	return 0;
875
}
876

877
static void add_rules(struct ima_rule_entry *entries, int count,
878
		      enum policy_rule_list policy_rule)
879
{
880
	int i = 0;
881

882
	for (i = 0; i < count; i++) {
883
		struct ima_rule_entry *entry;
884

885
		if (policy_rule & IMA_DEFAULT_POLICY)
886
			list_add_tail(&entries[i].list, &ima_default_rules);
887

888
		if (policy_rule & IMA_CUSTOM_POLICY) {
889
			entry = kmemdup(&entries[i], sizeof(*entry),
890
					GFP_KERNEL);
891
			if (!entry)
892
				continue;
893

894
			list_add_tail(&entry->list, &ima_policy_rules);
895
		}
896
		if (entries[i].action == APPRAISE) {
897
			if (entries != build_appraise_rules)
898
				temp_ima_appraise |=
899
					ima_appraise_flag(entries[i].func);
900
			else
901
				build_ima_appraise |=
902
					ima_appraise_flag(entries[i].func);
903
		}
904
	}
905
}
906

907
static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
908

909
static int __init ima_init_arch_policy(void)
910
{
911
	const char * const *arch_rules;
912
	const char * const *rules;
913
	int arch_entries = 0;
914
	int i = 0;
915

916
	arch_rules = arch_get_ima_policy();
917
	if (!arch_rules)
918
		return arch_entries;
919

920
	/* Get number of rules */
921
	for (rules = arch_rules; *rules != NULL; rules++)
922
		arch_entries++;
923

924
	arch_policy_entry = kcalloc(arch_entries + 1,
925
				    sizeof(*arch_policy_entry), GFP_KERNEL);
926
	if (!arch_policy_entry)
927
		return 0;
928

929
	/* Convert each policy string rules to struct ima_rule_entry format */
930
	for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
931
		char rule[255];
932
		int result;
933

934
		result = strscpy(rule, *rules, sizeof(rule));
935

936
		INIT_LIST_HEAD(&arch_policy_entry[i].list);
937
		result = ima_parse_rule(rule, &arch_policy_entry[i]);
938
		if (result) {
939
			pr_warn("Skipping unknown architecture policy rule: %s\n",
940
				rule);
941
			memset(&arch_policy_entry[i], 0,
942
			       sizeof(*arch_policy_entry));
943
			continue;
944
		}
945
		i++;
946
	}
947
	return i;
948
}
949

950
/**
951
 * ima_init_policy - initialize the default measure rules.
952
 *
953
 * ima_rules points to either the ima_default_rules or the new ima_policy_rules.
954
 */
955
void __init ima_init_policy(void)
956
{
957
	int build_appraise_entries, arch_entries;
958

959
	/* if !ima_policy, we load NO default rules */
960
	if (ima_policy)
961
		add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
962
			  IMA_DEFAULT_POLICY);
963

964
	switch (ima_policy) {
965
	case ORIGINAL_TCB:
966
		add_rules(original_measurement_rules,
967
			  ARRAY_SIZE(original_measurement_rules),
968
			  IMA_DEFAULT_POLICY);
969
		break;
970
	case DEFAULT_TCB:
971
		add_rules(default_measurement_rules,
972
			  ARRAY_SIZE(default_measurement_rules),
973
			  IMA_DEFAULT_POLICY);
974
		break;
975
	default:
976
		break;
977
	}
978

979
	/*
980
	 * Based on runtime secure boot flags, insert arch specific measurement
981
	 * and appraise rules requiring file signatures for both the initial
982
	 * and custom policies, prior to other appraise rules.
983
	 * (Highest priority)
984
	 */
985
	arch_entries = ima_init_arch_policy();
986
	if (!arch_entries)
987
		pr_info("No architecture policies found\n");
988
	else
989
		add_rules(arch_policy_entry, arch_entries,
990
			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
991

992
	/*
993
	 * Insert the builtin "secure_boot" policy rules requiring file
994
	 * signatures, prior to other appraise rules.
995
	 */
996
	if (ima_use_secure_boot)
997
		add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
998
			  IMA_DEFAULT_POLICY);
999

1000
	/*
1001
	 * Insert the build time appraise rules requiring file signatures
1002
	 * for both the initial and custom policies, prior to other appraise
1003
	 * rules. As the secure boot rules includes all of the build time
1004
	 * rules, include either one or the other set of rules, but not both.
1005
	 */
1006
	build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
1007
	if (build_appraise_entries) {
1008
		if (ima_use_secure_boot)
1009
			add_rules(build_appraise_rules, build_appraise_entries,
1010
				  IMA_CUSTOM_POLICY);
1011
		else
1012
			add_rules(build_appraise_rules, build_appraise_entries,
1013
				  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
1014
	}
1015

1016
	if (ima_use_appraise_tcb)
1017
		add_rules(default_appraise_rules,
1018
			  ARRAY_SIZE(default_appraise_rules),
1019
			  IMA_DEFAULT_POLICY);
1020

1021
	if (ima_use_critical_data)
1022
		add_rules(critical_data_rules,
1023
			  ARRAY_SIZE(critical_data_rules),
1024
			  IMA_DEFAULT_POLICY);
1025

1026
	atomic_set(&ima_setxattr_allowed_hash_algorithms, 0);
1027

1028
	ima_update_policy_flags();
1029
}
1030

1031
/* Make sure we have a valid policy, at least containing some rules. */
1032
int ima_check_policy(void)
1033
{
1034
	if (list_empty(&ima_temp_rules))
1035
		return -EINVAL;
1036
	return 0;
1037
}
1038

1039
/**
1040
 * ima_update_policy - update default_rules with new measure rules
1041
 *
1042
 * Called on file .release to update the default rules with a complete new
1043
 * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
1044
 * they make a queue.  The policy may be updated multiple times and this is the
1045
 * RCU updater.
1046
 *
1047
 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
1048
 * we switch from the default policy to user defined.
1049
 */
1050
void ima_update_policy(void)
1051
{
1052
	struct list_head *policy = &ima_policy_rules;
1053

1054
	list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
1055

1056
	if (ima_rules != (struct list_head __rcu *)policy) {
1057
		ima_policy_flag = 0;
1058

1059
		rcu_assign_pointer(ima_rules, policy);
1060
		/*
1061
		 * IMA architecture specific policy rules are specified
1062
		 * as strings and converted to an array of ima_entry_rules
1063
		 * on boot.  After loading a custom policy, free the
1064
		 * architecture specific rules stored as an array.
1065
		 */
1066
		kfree(arch_policy_entry);
1067
	}
1068
	ima_update_policy_flags();
1069

1070
	/* Custom IMA policy has been loaded */
1071
	ima_process_queued_keys();
1072
}
1073

1074
/* Keep the enumeration in sync with the policy_tokens! */
1075
enum policy_opt {
1076
	Opt_measure, Opt_dont_measure,
1077
	Opt_appraise, Opt_dont_appraise,
1078
	Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash,
1079
	Opt_obj_user, Opt_obj_role, Opt_obj_type,
1080
	Opt_subj_user, Opt_subj_role, Opt_subj_type,
1081
	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fs_subtype, Opt_fsuuid,
1082
	Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq,
1083
	Opt_fowner_eq, Opt_fgroup_eq,
1084
	Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt,
1085
	Opt_fowner_gt, Opt_fgroup_gt,
1086
	Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt,
1087
	Opt_fowner_lt, Opt_fgroup_lt,
1088
	Opt_digest_type,
1089
	Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos,
1090
	Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
1091
	Opt_label, Opt_err
1092
};
1093

1094
static const match_table_t policy_tokens = {
1095
	{Opt_measure, "measure"},
1096
	{Opt_dont_measure, "dont_measure"},
1097
	{Opt_appraise, "appraise"},
1098
	{Opt_dont_appraise, "dont_appraise"},
1099
	{Opt_audit, "audit"},
1100
	{Opt_dont_audit, "dont_audit"},
1101
	{Opt_hash, "hash"},
1102
	{Opt_dont_hash, "dont_hash"},
1103
	{Opt_obj_user, "obj_user=%s"},
1104
	{Opt_obj_role, "obj_role=%s"},
1105
	{Opt_obj_type, "obj_type=%s"},
1106
	{Opt_subj_user, "subj_user=%s"},
1107
	{Opt_subj_role, "subj_role=%s"},
1108
	{Opt_subj_type, "subj_type=%s"},
1109
	{Opt_func, "func=%s"},
1110
	{Opt_mask, "mask=%s"},
1111
	{Opt_fsmagic, "fsmagic=%s"},
1112
	{Opt_fsname, "fsname=%s"},
1113
	{Opt_fs_subtype, "fs_subtype=%s"},
1114
	{Opt_fsuuid, "fsuuid=%s"},
1115
	{Opt_uid_eq, "uid=%s"},
1116
	{Opt_euid_eq, "euid=%s"},
1117
	{Opt_gid_eq, "gid=%s"},
1118
	{Opt_egid_eq, "egid=%s"},
1119
	{Opt_fowner_eq, "fowner=%s"},
1120
	{Opt_fgroup_eq, "fgroup=%s"},
1121
	{Opt_uid_gt, "uid>%s"},
1122
	{Opt_euid_gt, "euid>%s"},
1123
	{Opt_gid_gt, "gid>%s"},
1124
	{Opt_egid_gt, "egid>%s"},
1125
	{Opt_fowner_gt, "fowner>%s"},
1126
	{Opt_fgroup_gt, "fgroup>%s"},
1127
	{Opt_uid_lt, "uid<%s"},
1128
	{Opt_euid_lt, "euid<%s"},
1129
	{Opt_gid_lt, "gid<%s"},
1130
	{Opt_egid_lt, "egid<%s"},
1131
	{Opt_fowner_lt, "fowner<%s"},
1132
	{Opt_fgroup_lt, "fgroup<%s"},
1133
	{Opt_digest_type, "digest_type=%s"},
1134
	{Opt_appraise_type, "appraise_type=%s"},
1135
	{Opt_appraise_flag, "appraise_flag=%s"},
1136
	{Opt_appraise_algos, "appraise_algos=%s"},
1137
	{Opt_permit_directio, "permit_directio"},
1138
	{Opt_pcr, "pcr=%s"},
1139
	{Opt_template, "template=%s"},
1140
	{Opt_keyrings, "keyrings=%s"},
1141
	{Opt_label, "label=%s"},
1142
	{Opt_err, NULL}
1143
};
1144

1145
static int ima_lsm_rule_init(struct ima_rule_entry *entry,
1146
			     substring_t *args, int lsm_rule, int audit_type)
1147
{
1148
	int result;
1149

1150
	if (entry->lsm[lsm_rule].rule)
1151
		return -EINVAL;
1152

1153
	entry->lsm[lsm_rule].args_p = match_strdup(args);
1154
	if (!entry->lsm[lsm_rule].args_p)
1155
		return -ENOMEM;
1156

1157
	entry->lsm[lsm_rule].type = audit_type;
1158
	result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
1159
				      entry->lsm[lsm_rule].args_p,
1160
				      &entry->lsm[lsm_rule].rule,
1161
				      GFP_KERNEL);
1162
	if (!entry->lsm[lsm_rule].rule) {
1163
		pr_warn("rule for LSM \'%s\' is undefined\n",
1164
			entry->lsm[lsm_rule].args_p);
1165

1166
		if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) {
1167
			kfree(entry->lsm[lsm_rule].args_p);
1168
			entry->lsm[lsm_rule].args_p = NULL;
1169
			result = -EINVAL;
1170
		} else
1171
			result = 0;
1172
	}
1173

1174
	return result;
1175
}
1176

1177
static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
1178
			      enum policy_opt rule_operator)
1179
{
1180
	if (!ab)
1181
		return;
1182

1183
	switch (rule_operator) {
1184
	case Opt_uid_gt:
1185
	case Opt_euid_gt:
1186
	case Opt_gid_gt:
1187
	case Opt_egid_gt:
1188
	case Opt_fowner_gt:
1189
	case Opt_fgroup_gt:
1190
		audit_log_format(ab, "%s>", key);
1191
		break;
1192
	case Opt_uid_lt:
1193
	case Opt_euid_lt:
1194
	case Opt_gid_lt:
1195
	case Opt_egid_lt:
1196
	case Opt_fowner_lt:
1197
	case Opt_fgroup_lt:
1198
		audit_log_format(ab, "%s<", key);
1199
		break;
1200
	default:
1201
		audit_log_format(ab, "%s=", key);
1202
	}
1203
	audit_log_format(ab, "%s ", value);
1204
}
1205
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
1206
{
1207
	ima_log_string_op(ab, key, value, Opt_err);
1208
}
1209

1210
/*
1211
 * Validating the appended signature included in the measurement list requires
1212
 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
1213
 * field). Therefore, notify the user if they have the 'modsig' field but not
1214
 * the 'd-modsig' field in the template.
1215
 */
1216
static void check_template_modsig(const struct ima_template_desc *template)
1217
{
1218
#define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
1219
	bool has_modsig, has_dmodsig;
1220
	static bool checked;
1221
	int i;
1222

1223
	/* We only need to notify the user once. */
1224
	if (checked)
1225
		return;
1226

1227
	has_modsig = has_dmodsig = false;
1228
	for (i = 0; i < template->num_fields; i++) {
1229
		if (!strcmp(template->fields[i]->field_id, "modsig"))
1230
			has_modsig = true;
1231
		else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
1232
			has_dmodsig = true;
1233
	}
1234

1235
	if (has_modsig && !has_dmodsig)
1236
		pr_notice(MSG);
1237

1238
	checked = true;
1239
#undef MSG
1240
}
1241

1242
/*
1243
 * Warn if the template does not contain the given field.
1244
 */
1245
static void check_template_field(const struct ima_template_desc *template,
1246
				 const char *field, const char *msg)
1247
{
1248
	int i;
1249

1250
	for (i = 0; i < template->num_fields; i++)
1251
		if (!strcmp(template->fields[i]->field_id, field))
1252
			return;
1253

1254
	pr_notice_once("%s", msg);
1255
}
1256

1257
static bool ima_validate_rule(struct ima_rule_entry *entry)
1258
{
1259
	/* Ensure that the action is set and is compatible with the flags */
1260
	if (entry->action == UNKNOWN)
1261
		return false;
1262

1263
	if (entry->action != MEASURE && entry->flags & IMA_PCR)
1264
		return false;
1265

1266
	if (entry->action != APPRAISE &&
1267
	    entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED |
1268
			    IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
1269
		return false;
1270

1271
	/*
1272
	 * The IMA_FUNC bit must be set if and only if there's a valid hook
1273
	 * function specified, and vice versa. Enforcing this property allows
1274
	 * for the NONE case below to validate a rule without an explicit hook
1275
	 * function.
1276
	 */
1277
	if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
1278
	    (!(entry->flags & IMA_FUNC) && entry->func != NONE))
1279
		return false;
1280

1281
	/*
1282
	 * Ensure that the hook function is compatible with the other
1283
	 * components of the rule
1284
	 */
1285
	switch (entry->func) {
1286
	case NONE:
1287
	case FILE_CHECK:
1288
	case MMAP_CHECK:
1289
	case MMAP_CHECK_REQPROT:
1290
	case BPRM_CHECK:
1291
	case CREDS_CHECK:
1292
	case POST_SETATTR:
1293
	case FIRMWARE_CHECK:
1294
	case POLICY_CHECK:
1295
		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1296
				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1297
				     IMA_INMASK | IMA_EUID | IMA_PCR |
1298
				     IMA_FSNAME | IMA_FS_SUBTYPE |
1299
				     IMA_GID | IMA_EGID |
1300
				     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
1301
				     IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
1302
				     IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
1303
			return false;
1304

1305
		break;
1306
	case MODULE_CHECK:
1307
	case KEXEC_KERNEL_CHECK:
1308
	case KEXEC_INITRAMFS_CHECK:
1309
		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1310
				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1311
				     IMA_INMASK | IMA_EUID | IMA_PCR |
1312
				     IMA_FSNAME | IMA_FS_SUBTYPE |
1313
				     IMA_GID | IMA_EGID |
1314
				     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
1315
				     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
1316
				     IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
1317
			return false;
1318

1319
		break;
1320
	case KEXEC_CMDLINE:
1321
		if (entry->action & ~(MEASURE | DONT_MEASURE))
1322
			return false;
1323

1324
		if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1325
				     IMA_FOWNER | IMA_FSUUID | IMA_EUID |
1326
				     IMA_PCR | IMA_FSNAME | IMA_FS_SUBTYPE |
1327
				     IMA_GID | IMA_EGID |
1328
				     IMA_FGROUP))
1329
			return false;
1330

1331
		break;
1332
	case KEY_CHECK:
1333
		if (entry->action & ~(MEASURE | DONT_MEASURE))
1334
			return false;
1335

1336
		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR |
1337
				     IMA_KEYRINGS))
1338
			return false;
1339

1340
		if (ima_rule_contains_lsm_cond(entry))
1341
			return false;
1342

1343
		break;
1344
	case CRITICAL_DATA:
1345
		if (entry->action & ~(MEASURE | DONT_MEASURE))
1346
			return false;
1347

1348
		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR |
1349
				     IMA_LABEL))
1350
			return false;
1351

1352
		if (ima_rule_contains_lsm_cond(entry))
1353
			return false;
1354

1355
		break;
1356
	case SETXATTR_CHECK:
1357
		/* any action other than APPRAISE is unsupported */
1358
		if (entry->action != APPRAISE)
1359
			return false;
1360

1361
		/* SETXATTR_CHECK requires an appraise_algos parameter */
1362
		if (!(entry->flags & IMA_VALIDATE_ALGOS))
1363
			return false;
1364

1365
		/*
1366
		 * full policies are not supported, they would have too
1367
		 * much of a performance impact
1368
		 */
1369
		if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS))
1370
			return false;
1371

1372
		break;
1373
	default:
1374
		return false;
1375
	}
1376

1377
	/* Ensure that combinations of flags are compatible with each other */
1378
	if (entry->flags & IMA_CHECK_BLACKLIST &&
1379
	    !(entry->flags & IMA_DIGSIG_REQUIRED))
1380
		return false;
1381

1382
	/*
1383
	 * Unlike for regular IMA 'appraise' policy rules where security.ima
1384
	 * xattr may contain either a file hash or signature, the security.ima
1385
	 * xattr for fsverity must contain a file signature (sigv3).  Ensure
1386
	 * that 'appraise' rules for fsverity require file signatures by
1387
	 * checking the IMA_DIGSIG_REQUIRED flag is set.
1388
	 */
1389
	if (entry->action == APPRAISE &&
1390
	    (entry->flags & IMA_VERITY_REQUIRED) &&
1391
	    !(entry->flags & IMA_DIGSIG_REQUIRED))
1392
		return false;
1393

1394
	return true;
1395
}
1396

1397
static unsigned int ima_parse_appraise_algos(char *arg)
1398
{
1399
	unsigned int res = 0;
1400
	int idx;
1401
	char *token;
1402

1403
	while ((token = strsep(&arg, ",")) != NULL) {
1404
		idx = match_string(hash_algo_name, HASH_ALGO__LAST, token);
1405

1406
		if (idx < 0) {
1407
			pr_err("unknown hash algorithm \"%s\"",
1408
			       token);
1409
			return 0;
1410
		}
1411

1412
		if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) {
1413
			pr_err("unavailable hash algorithm \"%s\", check your kernel configuration",
1414
			       token);
1415
			return 0;
1416
		}
1417

1418
		/* Add the hash algorithm to the 'allowed' bitfield */
1419
		res |= (1U << idx);
1420
	}
1421

1422
	return res;
1423
}
1424

1425
static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1426
{
1427
	struct audit_buffer *ab;
1428
	char *from;
1429
	char *p;
1430
	bool eid_token; /* either euid or egid */
1431
	struct ima_template_desc *template_desc;
1432
	int result = 0;
1433

1434
	ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
1435
				       AUDIT_INTEGRITY_POLICY_RULE);
1436

1437
	entry->uid = INVALID_UID;
1438
	entry->gid = INVALID_GID;
1439
	entry->fowner = INVALID_UID;
1440
	entry->fgroup = INVALID_GID;
1441
	entry->uid_op = &uid_eq;
1442
	entry->gid_op = &gid_eq;
1443
	entry->fowner_op = &vfsuid_eq_kuid;
1444
	entry->fgroup_op = &vfsgid_eq_kgid;
1445
	entry->action = UNKNOWN;
1446
	while ((p = strsep(&rule, " \t")) != NULL) {
1447
		substring_t args[MAX_OPT_ARGS];
1448
		int token;
1449
		unsigned long lnum;
1450

1451
		if (result < 0 || *p == '#')  /* ignore suffixed comment */
1452
			break;
1453
		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
1454
			continue;
1455
		token = match_token(p, policy_tokens, args);
1456
		switch (token) {
1457
		case Opt_measure:
1458
			ima_log_string(ab, "action", "measure");
1459

1460
			if (entry->action != UNKNOWN)
1461
				result = -EINVAL;
1462

1463
			entry->action = MEASURE;
1464
			break;
1465
		case Opt_dont_measure:
1466
			ima_log_string(ab, "action", "dont_measure");
1467

1468
			if (entry->action != UNKNOWN)
1469
				result = -EINVAL;
1470

1471
			entry->action = DONT_MEASURE;
1472
			break;
1473
		case Opt_appraise:
1474
			ima_log_string(ab, "action", "appraise");
1475

1476
			if (entry->action != UNKNOWN)
1477
				result = -EINVAL;
1478

1479
			entry->action = APPRAISE;
1480
			break;
1481
		case Opt_dont_appraise:
1482
			ima_log_string(ab, "action", "dont_appraise");
1483

1484
			if (entry->action != UNKNOWN)
1485
				result = -EINVAL;
1486

1487
			entry->action = DONT_APPRAISE;
1488
			break;
1489
		case Opt_audit:
1490
			ima_log_string(ab, "action", "audit");
1491

1492
			if (entry->action != UNKNOWN)
1493
				result = -EINVAL;
1494

1495
			entry->action = AUDIT;
1496
			break;
1497
		case Opt_dont_audit:
1498
			ima_log_string(ab, "action", "dont_audit");
1499

1500
			if (entry->action != UNKNOWN)
1501
				result = -EINVAL;
1502

1503
			entry->action = DONT_AUDIT;
1504
			break;
1505
		case Opt_hash:
1506
			ima_log_string(ab, "action", "hash");
1507

1508
			if (entry->action != UNKNOWN)
1509
				result = -EINVAL;
1510

1511
			entry->action = HASH;
1512
			break;
1513
		case Opt_dont_hash:
1514
			ima_log_string(ab, "action", "dont_hash");
1515

1516
			if (entry->action != UNKNOWN)
1517
				result = -EINVAL;
1518

1519
			entry->action = DONT_HASH;
1520
			break;
1521
		case Opt_func:
1522
			ima_log_string(ab, "func", args[0].from);
1523

1524
			if (entry->func)
1525
				result = -EINVAL;
1526

1527
			if (strcmp(args[0].from, "FILE_CHECK") == 0)
1528
				entry->func = FILE_CHECK;
1529
			/* PATH_CHECK is for backwards compat */
1530
			else if (strcmp(args[0].from, "PATH_CHECK") == 0)
1531
				entry->func = FILE_CHECK;
1532
			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
1533
				entry->func = MODULE_CHECK;
1534
			else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
1535
				entry->func = FIRMWARE_CHECK;
1536
			else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
1537
				|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
1538
				entry->func = MMAP_CHECK;
1539
			else if ((strcmp(args[0].from, "MMAP_CHECK_REQPROT") == 0))
1540
				entry->func = MMAP_CHECK_REQPROT;
1541
			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
1542
				entry->func = BPRM_CHECK;
1543
			else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
1544
				entry->func = CREDS_CHECK;
1545
			else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
1546
				 0)
1547
				entry->func = KEXEC_KERNEL_CHECK;
1548
			else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
1549
				 == 0)
1550
				entry->func = KEXEC_INITRAMFS_CHECK;
1551
			else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
1552
				entry->func = POLICY_CHECK;
1553
			else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1554
				entry->func = KEXEC_CMDLINE;
1555
			else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
1556
				 strcmp(args[0].from, "KEY_CHECK") == 0)
1557
				entry->func = KEY_CHECK;
1558
			else if (strcmp(args[0].from, "CRITICAL_DATA") == 0)
1559
				entry->func = CRITICAL_DATA;
1560
			else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0)
1561
				entry->func = SETXATTR_CHECK;
1562
			else
1563
				result = -EINVAL;
1564
			if (!result)
1565
				entry->flags |= IMA_FUNC;
1566
			break;
1567
		case Opt_mask:
1568
			ima_log_string(ab, "mask", args[0].from);
1569

1570
			if (entry->mask)
1571
				result = -EINVAL;
1572

1573
			from = args[0].from;
1574
			if (*from == '^')
1575
				from++;
1576

1577
			if ((strcmp(from, "MAY_EXEC")) == 0)
1578
				entry->mask = MAY_EXEC;
1579
			else if (strcmp(from, "MAY_WRITE") == 0)
1580
				entry->mask = MAY_WRITE;
1581
			else if (strcmp(from, "MAY_READ") == 0)
1582
				entry->mask = MAY_READ;
1583
			else if (strcmp(from, "MAY_APPEND") == 0)
1584
				entry->mask = MAY_APPEND;
1585
			else
1586
				result = -EINVAL;
1587
			if (!result)
1588
				entry->flags |= (*args[0].from == '^')
1589
				     ? IMA_INMASK : IMA_MASK;
1590
			break;
1591
		case Opt_fsmagic:
1592
			ima_log_string(ab, "fsmagic", args[0].from);
1593

1594
			if (entry->fsmagic) {
1595
				result = -EINVAL;
1596
				break;
1597
			}
1598

1599
			result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1600
			if (!result)
1601
				entry->flags |= IMA_FSMAGIC;
1602
			break;
1603
		case Opt_fsname:
1604
			ima_log_string(ab, "fsname", args[0].from);
1605

1606
			entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1607
			if (!entry->fsname) {
1608
				result = -ENOMEM;
1609
				break;
1610
			}
1611
			result = 0;
1612
			entry->flags |= IMA_FSNAME;
1613
			break;
1614
		case Opt_fs_subtype:
1615
			ima_log_string(ab, "fs_subtype", args[0].from);
1616

1617
			if (entry->fs_subtype) {
1618
				result = -EINVAL;
1619
				break;
1620
			}
1621

1622
			entry->fs_subtype = kstrdup(args[0].from, GFP_KERNEL);
1623
			if (!entry->fs_subtype) {
1624
				result = -ENOMEM;
1625
				break;
1626
			}
1627
			result = 0;
1628
			entry->flags |= IMA_FS_SUBTYPE;
1629
			break;
1630
		case Opt_keyrings:
1631
			ima_log_string(ab, "keyrings", args[0].from);
1632

1633
			if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) ||
1634
			    entry->keyrings) {
1635
				result = -EINVAL;
1636
				break;
1637
			}
1638

1639
			entry->keyrings = ima_alloc_rule_opt_list(args);
1640
			if (IS_ERR(entry->keyrings)) {
1641
				result = PTR_ERR(entry->keyrings);
1642
				entry->keyrings = NULL;
1643
				break;
1644
			}
1645

1646
			entry->flags |= IMA_KEYRINGS;
1647
			break;
1648
		case Opt_label:
1649
			ima_log_string(ab, "label", args[0].from);
1650

1651
			if (entry->label) {
1652
				result = -EINVAL;
1653
				break;
1654
			}
1655

1656
			entry->label = ima_alloc_rule_opt_list(args);
1657
			if (IS_ERR(entry->label)) {
1658
				result = PTR_ERR(entry->label);
1659
				entry->label = NULL;
1660
				break;
1661
			}
1662

1663
			entry->flags |= IMA_LABEL;
1664
			break;
1665
		case Opt_fsuuid:
1666
			ima_log_string(ab, "fsuuid", args[0].from);
1667

1668
			if (!uuid_is_null(&entry->fsuuid)) {
1669
				result = -EINVAL;
1670
				break;
1671
			}
1672

1673
			result = uuid_parse(args[0].from, &entry->fsuuid);
1674
			if (!result)
1675
				entry->flags |= IMA_FSUUID;
1676
			break;
1677
		case Opt_uid_gt:
1678
		case Opt_euid_gt:
1679
			entry->uid_op = &uid_gt;
1680
			fallthrough;
1681
		case Opt_uid_lt:
1682
		case Opt_euid_lt:
1683
			if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1684
				entry->uid_op = &uid_lt;
1685
			fallthrough;
1686
		case Opt_uid_eq:
1687
		case Opt_euid_eq:
1688
			eid_token = (token == Opt_euid_eq) ||
1689
				    (token == Opt_euid_gt) ||
1690
				    (token == Opt_euid_lt);
1691

1692
			ima_log_string_op(ab, eid_token ? "euid" : "uid",
1693
					  args[0].from, token);
1694

1695
			if (uid_valid(entry->uid)) {
1696
				result = -EINVAL;
1697
				break;
1698
			}
1699

1700
			result = kstrtoul(args[0].from, 10, &lnum);
1701
			if (!result) {
1702
				entry->uid = make_kuid(current_user_ns(),
1703
						       (uid_t) lnum);
1704
				if (!uid_valid(entry->uid) ||
1705
				    (uid_t)lnum != lnum)
1706
					result = -EINVAL;
1707
				else
1708
					entry->flags |= eid_token
1709
					    ? IMA_EUID : IMA_UID;
1710
			}
1711
			break;
1712
		case Opt_gid_gt:
1713
		case Opt_egid_gt:
1714
			entry->gid_op = &gid_gt;
1715
			fallthrough;
1716
		case Opt_gid_lt:
1717
		case Opt_egid_lt:
1718
			if ((token == Opt_gid_lt) || (token == Opt_egid_lt))
1719
				entry->gid_op = &gid_lt;
1720
			fallthrough;
1721
		case Opt_gid_eq:
1722
		case Opt_egid_eq:
1723
			eid_token = (token == Opt_egid_eq) ||
1724
				    (token == Opt_egid_gt) ||
1725
				    (token == Opt_egid_lt);
1726

1727
			ima_log_string_op(ab, eid_token ? "egid" : "gid",
1728
					  args[0].from, token);
1729

1730
			if (gid_valid(entry->gid)) {
1731
				result = -EINVAL;
1732
				break;
1733
			}
1734

1735
			result = kstrtoul(args[0].from, 10, &lnum);
1736
			if (!result) {
1737
				entry->gid = make_kgid(current_user_ns(),
1738
						       (gid_t)lnum);
1739
				if (!gid_valid(entry->gid) ||
1740
				    (((gid_t)lnum) != lnum))
1741
					result = -EINVAL;
1742
				else
1743
					entry->flags |= eid_token
1744
					    ? IMA_EGID : IMA_GID;
1745
			}
1746
			break;
1747
		case Opt_fowner_gt:
1748
			entry->fowner_op = &vfsuid_gt_kuid;
1749
			fallthrough;
1750
		case Opt_fowner_lt:
1751
			if (token == Opt_fowner_lt)
1752
				entry->fowner_op = &vfsuid_lt_kuid;
1753
			fallthrough;
1754
		case Opt_fowner_eq:
1755
			ima_log_string_op(ab, "fowner", args[0].from, token);
1756

1757
			if (uid_valid(entry->fowner)) {
1758
				result = -EINVAL;
1759
				break;
1760
			}
1761

1762
			result = kstrtoul(args[0].from, 10, &lnum);
1763
			if (!result) {
1764
				entry->fowner = make_kuid(current_user_ns(),
1765
							  (uid_t)lnum);
1766
				if (!uid_valid(entry->fowner) ||
1767
				    (((uid_t)lnum) != lnum))
1768
					result = -EINVAL;
1769
				else
1770
					entry->flags |= IMA_FOWNER;
1771
			}
1772
			break;
1773
		case Opt_fgroup_gt:
1774
			entry->fgroup_op = &vfsgid_gt_kgid;
1775
			fallthrough;
1776
		case Opt_fgroup_lt:
1777
			if (token == Opt_fgroup_lt)
1778
				entry->fgroup_op = &vfsgid_lt_kgid;
1779
			fallthrough;
1780
		case Opt_fgroup_eq:
1781
			ima_log_string_op(ab, "fgroup", args[0].from, token);
1782

1783
			if (gid_valid(entry->fgroup)) {
1784
				result = -EINVAL;
1785
				break;
1786
			}
1787

1788
			result = kstrtoul(args[0].from, 10, &lnum);
1789
			if (!result) {
1790
				entry->fgroup = make_kgid(current_user_ns(),
1791
							  (gid_t)lnum);
1792
				if (!gid_valid(entry->fgroup) ||
1793
				    (((gid_t)lnum) != lnum))
1794
					result = -EINVAL;
1795
				else
1796
					entry->flags |= IMA_FGROUP;
1797
			}
1798
			break;
1799
		case Opt_obj_user:
1800
			ima_log_string(ab, "obj_user", args[0].from);
1801
			result = ima_lsm_rule_init(entry, args,
1802
						   LSM_OBJ_USER,
1803
						   AUDIT_OBJ_USER);
1804
			break;
1805
		case Opt_obj_role:
1806
			ima_log_string(ab, "obj_role", args[0].from);
1807
			result = ima_lsm_rule_init(entry, args,
1808
						   LSM_OBJ_ROLE,
1809
						   AUDIT_OBJ_ROLE);
1810
			break;
1811
		case Opt_obj_type:
1812
			ima_log_string(ab, "obj_type", args[0].from);
1813
			result = ima_lsm_rule_init(entry, args,
1814
						   LSM_OBJ_TYPE,
1815
						   AUDIT_OBJ_TYPE);
1816
			break;
1817
		case Opt_subj_user:
1818
			ima_log_string(ab, "subj_user", args[0].from);
1819
			result = ima_lsm_rule_init(entry, args,
1820
						   LSM_SUBJ_USER,
1821
						   AUDIT_SUBJ_USER);
1822
			break;
1823
		case Opt_subj_role:
1824
			ima_log_string(ab, "subj_role", args[0].from);
1825
			result = ima_lsm_rule_init(entry, args,
1826
						   LSM_SUBJ_ROLE,
1827
						   AUDIT_SUBJ_ROLE);
1828
			break;
1829
		case Opt_subj_type:
1830
			ima_log_string(ab, "subj_type", args[0].from);
1831
			result = ima_lsm_rule_init(entry, args,
1832
						   LSM_SUBJ_TYPE,
1833
						   AUDIT_SUBJ_TYPE);
1834
			break;
1835
		case Opt_digest_type:
1836
			ima_log_string(ab, "digest_type", args[0].from);
1837
			if (entry->flags & IMA_DIGSIG_REQUIRED)
1838
				result = -EINVAL;
1839
			else if ((strcmp(args[0].from, "verity")) == 0)
1840
				entry->flags |= IMA_VERITY_REQUIRED;
1841
			else
1842
				result = -EINVAL;
1843
			break;
1844
		case Opt_appraise_type:
1845
			ima_log_string(ab, "appraise_type", args[0].from);
1846

1847
			if ((strcmp(args[0].from, "imasig")) == 0) {
1848
				if (entry->flags & IMA_VERITY_REQUIRED)
1849
					result = -EINVAL;
1850
				else
1851
					entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
1852
			} else if (strcmp(args[0].from, "sigv3") == 0) {
1853
				/* Only fsverity supports sigv3 for now */
1854
				if (entry->flags & IMA_VERITY_REQUIRED)
1855
					entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
1856
				else
1857
					result = -EINVAL;
1858
			} else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1859
				 strcmp(args[0].from, "imasig|modsig") == 0) {
1860
				if (entry->flags & IMA_VERITY_REQUIRED)
1861
					result = -EINVAL;
1862
				else
1863
					entry->flags |= IMA_DIGSIG_REQUIRED |
1864
						IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST;
1865
			} else {
1866
				result = -EINVAL;
1867
			}
1868
			break;
1869
		case Opt_appraise_flag:
1870
			ima_log_string(ab, "appraise_flag", args[0].from);
1871
			break;
1872
		case Opt_appraise_algos:
1873
			ima_log_string(ab, "appraise_algos", args[0].from);
1874

1875
			if (entry->allowed_algos) {
1876
				result = -EINVAL;
1877
				break;
1878
			}
1879

1880
			entry->allowed_algos =
1881
				ima_parse_appraise_algos(args[0].from);
1882
			/* invalid or empty list of algorithms */
1883
			if (!entry->allowed_algos) {
1884
				result = -EINVAL;
1885
				break;
1886
			}
1887

1888
			entry->flags |= IMA_VALIDATE_ALGOS;
1889

1890
			break;
1891
		case Opt_permit_directio:
1892
			entry->flags |= IMA_PERMIT_DIRECTIO;
1893
			break;
1894
		case Opt_pcr:
1895
			ima_log_string(ab, "pcr", args[0].from);
1896

1897
			result = kstrtoint(args[0].from, 10, &entry->pcr);
1898
			if (result || INVALID_PCR(entry->pcr))
1899
				result = -EINVAL;
1900
			else
1901
				entry->flags |= IMA_PCR;
1902

1903
			break;
1904
		case Opt_template:
1905
			ima_log_string(ab, "template", args[0].from);
1906
			if (entry->action != MEASURE) {
1907
				result = -EINVAL;
1908
				break;
1909
			}
1910
			template_desc = lookup_template_desc(args[0].from);
1911
			if (!template_desc || entry->template) {
1912
				result = -EINVAL;
1913
				break;
1914
			}
1915

1916
			/*
1917
			 * template_desc_init_fields() does nothing if
1918
			 * the template is already initialised, so
1919
			 * it's safe to do this unconditionally
1920
			 */
1921
			template_desc_init_fields(template_desc->fmt,
1922
						 &(template_desc->fields),
1923
						 &(template_desc->num_fields));
1924
			entry->template = template_desc;
1925
			break;
1926
		case Opt_err:
1927
			ima_log_string(ab, "UNKNOWN", p);
1928
			result = -EINVAL;
1929
			break;
1930
		}
1931
	}
1932
	if (!result && !ima_validate_rule(entry))
1933
		result = -EINVAL;
1934
	else if (entry->action == APPRAISE)
1935
		temp_ima_appraise |= ima_appraise_flag(entry->func);
1936

1937
	if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1938
		template_desc = entry->template ? entry->template :
1939
						  ima_template_desc_current();
1940
		check_template_modsig(template_desc);
1941
	}
1942

1943
	/* d-ngv2 template field recommended for unsigned fs-verity digests */
1944
	if (!result && entry->action == MEASURE &&
1945
	    entry->flags & IMA_VERITY_REQUIRED) {
1946
		template_desc = entry->template ? entry->template :
1947
						  ima_template_desc_current();
1948
		check_template_field(template_desc, "d-ngv2",
1949
				     "verity rules should include d-ngv2");
1950
	}
1951

1952
	audit_log_format(ab, "res=%d", !result);
1953
	audit_log_end(ab);
1954
	return result;
1955
}
1956

1957
/**
1958
 * ima_parse_add_rule - add a rule to ima_policy_rules
1959
 * @rule: ima measurement policy rule
1960
 *
1961
 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1962
 * Returns the length of the rule parsed, an error code on failure
1963
 */
1964
ssize_t ima_parse_add_rule(char *rule)
1965
{
1966
	static const char op[] = "update_policy";
1967
	char *p;
1968
	struct ima_rule_entry *entry;
1969
	ssize_t result, len;
1970
	int audit_info = 0;
1971

1972
	p = strsep(&rule, "\n");
1973
	len = strlen(p) + 1;
1974
	p += strspn(p, " \t");
1975

1976
	if (*p == '#' || *p == '\0')
1977
		return len;
1978

1979
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1980
	if (!entry) {
1981
		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1982
				    NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1983
		return -ENOMEM;
1984
	}
1985

1986
	INIT_LIST_HEAD(&entry->list);
1987

1988
	result = ima_parse_rule(p, entry);
1989
	if (result) {
1990
		ima_free_rule(entry);
1991
		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1992
				    NULL, op, "invalid-policy", result,
1993
				    audit_info);
1994
		return result;
1995
	}
1996

1997
	list_add_tail(&entry->list, &ima_temp_rules);
1998

1999
	return len;
2000
}
2001

2002
/**
2003
 * ima_delete_rules() - called to cleanup invalid in-flight policy.
2004
 *
2005
 * We don't need locking as we operate on the temp list, which is
2006
 * different from the active one.  There is also only one user of
2007
 * ima_delete_rules() at a time.
2008
 */
2009
void ima_delete_rules(void)
2010
{
2011
	struct ima_rule_entry *entry, *tmp;
2012

2013
	temp_ima_appraise = 0;
2014
	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
2015
		list_del(&entry->list);
2016
		ima_free_rule(entry);
2017
	}
2018
}
2019

2020
#define __ima_hook_stringify(func, str)	(#func),
2021

2022
const char *const func_tokens[] = {
2023
	__ima_hooks(__ima_hook_stringify)
2024
};
2025

2026
#ifdef	CONFIG_IMA_READ_POLICY
2027
enum {
2028
	mask_exec = 0, mask_write, mask_read, mask_append
2029
};
2030

2031
static const char *const mask_tokens[] = {
2032
	"^MAY_EXEC",
2033
	"^MAY_WRITE",
2034
	"^MAY_READ",
2035
	"^MAY_APPEND"
2036
};
2037

2038
void *ima_policy_start(struct seq_file *m, loff_t *pos)
2039
{
2040
	loff_t l = *pos;
2041
	struct ima_rule_entry *entry;
2042
	struct list_head *ima_rules_tmp;
2043

2044
	rcu_read_lock();
2045
	ima_rules_tmp = rcu_dereference(ima_rules);
2046
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
2047
		if (!l--) {
2048
			rcu_read_unlock();
2049
			return entry;
2050
		}
2051
	}
2052
	rcu_read_unlock();
2053
	return NULL;
2054
}
2055

2056
void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
2057
{
2058
	struct ima_rule_entry *entry = v;
2059

2060
	rcu_read_lock();
2061
	entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
2062
	rcu_read_unlock();
2063
	(*pos)++;
2064

2065
	return (&entry->list == &ima_default_rules ||
2066
		&entry->list == &ima_policy_rules) ? NULL : entry;
2067
}
2068

2069
void ima_policy_stop(struct seq_file *m, void *v)
2070
{
2071
}
2072

2073
#define pt(token)	policy_tokens[token].pattern
2074
#define mt(token)	mask_tokens[token]
2075

2076
/*
2077
 * policy_func_show - display the ima_hooks policy rule
2078
 */
2079
static void policy_func_show(struct seq_file *m, enum ima_hooks func)
2080
{
2081
	if (func > 0 && func < MAX_CHECK)
2082
		seq_printf(m, "func=%s ", func_tokens[func]);
2083
	else
2084
		seq_printf(m, "func=%d ", func);
2085
}
2086

2087
static void ima_show_rule_opt_list(struct seq_file *m,
2088
				   const struct ima_rule_opt_list *opt_list)
2089
{
2090
	size_t i;
2091

2092
	for (i = 0; i < opt_list->count; i++)
2093
		seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]);
2094
}
2095

2096
static void ima_policy_show_appraise_algos(struct seq_file *m,
2097
					   unsigned int allowed_hashes)
2098
{
2099
	int idx, list_size = 0;
2100

2101
	for (idx = 0; idx < HASH_ALGO__LAST; idx++) {
2102
		if (!(allowed_hashes & (1U << idx)))
2103
			continue;
2104

2105
		/* only add commas if the list contains multiple entries */
2106
		if (list_size++)
2107
			seq_puts(m, ",");
2108

2109
		seq_puts(m, hash_algo_name[idx]);
2110
	}
2111
}
2112

2113
int ima_policy_show(struct seq_file *m, void *v)
2114
{
2115
	struct ima_rule_entry *entry = v;
2116
	int i;
2117
	char tbuf[64] = {0,};
2118
	int offset = 0;
2119

2120
	rcu_read_lock();
2121

2122
	/* Do not print rules with inactive LSM labels */
2123
	for (i = 0; i < MAX_LSM_RULES; i++) {
2124
		if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
2125
			rcu_read_unlock();
2126
			return 0;
2127
		}
2128
	}
2129

2130
	if (entry->action & MEASURE)
2131
		seq_puts(m, pt(Opt_measure));
2132
	if (entry->action & DONT_MEASURE)
2133
		seq_puts(m, pt(Opt_dont_measure));
2134
	if (entry->action & APPRAISE)
2135
		seq_puts(m, pt(Opt_appraise));
2136
	if (entry->action & DONT_APPRAISE)
2137
		seq_puts(m, pt(Opt_dont_appraise));
2138
	if (entry->action & AUDIT)
2139
		seq_puts(m, pt(Opt_audit));
2140
	if (entry->action & DONT_AUDIT)
2141
		seq_puts(m, pt(Opt_dont_audit));
2142
	if (entry->action & HASH)
2143
		seq_puts(m, pt(Opt_hash));
2144
	if (entry->action & DONT_HASH)
2145
		seq_puts(m, pt(Opt_dont_hash));
2146

2147
	seq_puts(m, " ");
2148

2149
	if (entry->flags & IMA_FUNC)
2150
		policy_func_show(m, entry->func);
2151

2152
	if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
2153
		if (entry->flags & IMA_MASK)
2154
			offset = 1;
2155
		if (entry->mask & MAY_EXEC)
2156
			seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
2157
		if (entry->mask & MAY_WRITE)
2158
			seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
2159
		if (entry->mask & MAY_READ)
2160
			seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
2161
		if (entry->mask & MAY_APPEND)
2162
			seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
2163
		seq_puts(m, " ");
2164
	}
2165

2166
	if (entry->flags & IMA_FSMAGIC) {
2167
		snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
2168
		seq_printf(m, pt(Opt_fsmagic), tbuf);
2169
		seq_puts(m, " ");
2170
	}
2171

2172
	if (entry->flags & IMA_FSNAME) {
2173
		snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
2174
		seq_printf(m, pt(Opt_fsname), tbuf);
2175
		seq_puts(m, " ");
2176
	}
2177

2178
	if (entry->flags & IMA_FS_SUBTYPE) {
2179
		snprintf(tbuf, sizeof(tbuf), "%s", entry->fs_subtype);
2180
		seq_printf(m, pt(Opt_fs_subtype), tbuf);
2181
		seq_puts(m, " ");
2182
	}
2183

2184
	if (entry->flags & IMA_KEYRINGS) {
2185
		seq_puts(m, "keyrings=");
2186
		ima_show_rule_opt_list(m, entry->keyrings);
2187
		seq_puts(m, " ");
2188
	}
2189

2190
	if (entry->flags & IMA_LABEL) {
2191
		seq_puts(m, "label=");
2192
		ima_show_rule_opt_list(m, entry->label);
2193
		seq_puts(m, " ");
2194
	}
2195

2196
	if (entry->flags & IMA_PCR) {
2197
		snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
2198
		seq_printf(m, pt(Opt_pcr), tbuf);
2199
		seq_puts(m, " ");
2200
	}
2201

2202
	if (entry->flags & IMA_FSUUID) {
2203
		seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
2204
		seq_puts(m, " ");
2205
	}
2206

2207
	if (entry->flags & IMA_UID) {
2208
		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
2209
		if (entry->uid_op == &uid_gt)
2210
			seq_printf(m, pt(Opt_uid_gt), tbuf);
2211
		else if (entry->uid_op == &uid_lt)
2212
			seq_printf(m, pt(Opt_uid_lt), tbuf);
2213
		else
2214
			seq_printf(m, pt(Opt_uid_eq), tbuf);
2215
		seq_puts(m, " ");
2216
	}
2217

2218
	if (entry->flags & IMA_EUID) {
2219
		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
2220
		if (entry->uid_op == &uid_gt)
2221
			seq_printf(m, pt(Opt_euid_gt), tbuf);
2222
		else if (entry->uid_op == &uid_lt)
2223
			seq_printf(m, pt(Opt_euid_lt), tbuf);
2224
		else
2225
			seq_printf(m, pt(Opt_euid_eq), tbuf);
2226
		seq_puts(m, " ");
2227
	}
2228

2229
	if (entry->flags & IMA_GID) {
2230
		snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
2231
		if (entry->gid_op == &gid_gt)
2232
			seq_printf(m, pt(Opt_gid_gt), tbuf);
2233
		else if (entry->gid_op == &gid_lt)
2234
			seq_printf(m, pt(Opt_gid_lt), tbuf);
2235
		else
2236
			seq_printf(m, pt(Opt_gid_eq), tbuf);
2237
		seq_puts(m, " ");
2238
	}
2239

2240
	if (entry->flags & IMA_EGID) {
2241
		snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
2242
		if (entry->gid_op == &gid_gt)
2243
			seq_printf(m, pt(Opt_egid_gt), tbuf);
2244
		else if (entry->gid_op == &gid_lt)
2245
			seq_printf(m, pt(Opt_egid_lt), tbuf);
2246
		else
2247
			seq_printf(m, pt(Opt_egid_eq), tbuf);
2248
		seq_puts(m, " ");
2249
	}
2250

2251
	if (entry->flags & IMA_FOWNER) {
2252
		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
2253
		if (entry->fowner_op == &vfsuid_gt_kuid)
2254
			seq_printf(m, pt(Opt_fowner_gt), tbuf);
2255
		else if (entry->fowner_op == &vfsuid_lt_kuid)
2256
			seq_printf(m, pt(Opt_fowner_lt), tbuf);
2257
		else
2258
			seq_printf(m, pt(Opt_fowner_eq), tbuf);
2259
		seq_puts(m, " ");
2260
	}
2261

2262
	if (entry->flags & IMA_FGROUP) {
2263
		snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup));
2264
		if (entry->fgroup_op == &vfsgid_gt_kgid)
2265
			seq_printf(m, pt(Opt_fgroup_gt), tbuf);
2266
		else if (entry->fgroup_op == &vfsgid_lt_kgid)
2267
			seq_printf(m, pt(Opt_fgroup_lt), tbuf);
2268
		else
2269
			seq_printf(m, pt(Opt_fgroup_eq), tbuf);
2270
		seq_puts(m, " ");
2271
	}
2272

2273
	if (entry->flags & IMA_VALIDATE_ALGOS) {
2274
		seq_puts(m, "appraise_algos=");
2275
		ima_policy_show_appraise_algos(m, entry->allowed_algos);
2276
		seq_puts(m, " ");
2277
	}
2278

2279
	for (i = 0; i < MAX_LSM_RULES; i++) {
2280
		if (entry->lsm[i].rule) {
2281
			switch (i) {
2282
			case LSM_OBJ_USER:
2283
				seq_printf(m, pt(Opt_obj_user),
2284
					   entry->lsm[i].args_p);
2285
				break;
2286
			case LSM_OBJ_ROLE:
2287
				seq_printf(m, pt(Opt_obj_role),
2288
					   entry->lsm[i].args_p);
2289
				break;
2290
			case LSM_OBJ_TYPE:
2291
				seq_printf(m, pt(Opt_obj_type),
2292
					   entry->lsm[i].args_p);
2293
				break;
2294
			case LSM_SUBJ_USER:
2295
				seq_printf(m, pt(Opt_subj_user),
2296
					   entry->lsm[i].args_p);
2297
				break;
2298
			case LSM_SUBJ_ROLE:
2299
				seq_printf(m, pt(Opt_subj_role),
2300
					   entry->lsm[i].args_p);
2301
				break;
2302
			case LSM_SUBJ_TYPE:
2303
				seq_printf(m, pt(Opt_subj_type),
2304
					   entry->lsm[i].args_p);
2305
				break;
2306
			}
2307
			seq_puts(m, " ");
2308
		}
2309
	}
2310
	if (entry->template)
2311
		seq_printf(m, "template=%s ", entry->template->name);
2312
	if (entry->flags & IMA_DIGSIG_REQUIRED) {
2313
		if (entry->flags & IMA_VERITY_REQUIRED)
2314
			seq_puts(m, "appraise_type=sigv3 ");
2315
		else if (entry->flags & IMA_MODSIG_ALLOWED)
2316
			seq_puts(m, "appraise_type=imasig|modsig ");
2317
		else
2318
			seq_puts(m, "appraise_type=imasig ");
2319
	}
2320
	if (entry->flags & IMA_VERITY_REQUIRED)
2321
		seq_puts(m, "digest_type=verity ");
2322
	if (entry->flags & IMA_PERMIT_DIRECTIO)
2323
		seq_puts(m, "permit_directio ");
2324
	rcu_read_unlock();
2325
	seq_puts(m, "\n");
2326
	return 0;
2327
}
2328
#endif	/* CONFIG_IMA_READ_POLICY */
2329

2330
#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
2331
/*
2332
 * ima_appraise_signature: whether IMA will appraise a given function using
2333
 * an IMA digital signature. This is restricted to cases where the kernel
2334
 * has a set of built-in trusted keys in order to avoid an attacker simply
2335
 * loading additional keys.
2336
 */
2337
bool ima_appraise_signature(enum kernel_read_file_id id)
2338
{
2339
	struct ima_rule_entry *entry;
2340
	bool found = false;
2341
	enum ima_hooks func;
2342
	struct list_head *ima_rules_tmp;
2343

2344
	if (id >= READING_MAX_ID)
2345
		return false;
2346

2347
	if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
2348
	    && security_locked_down(LOCKDOWN_KEXEC))
2349
		return false;
2350

2351
	func = read_idmap[id] ?: FILE_CHECK;
2352

2353
	rcu_read_lock();
2354
	ima_rules_tmp = rcu_dereference(ima_rules);
2355
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
2356
		if (entry->action != APPRAISE)
2357
			continue;
2358

2359
		/*
2360
		 * A generic entry will match, but otherwise require that it
2361
		 * match the func we're looking for
2362
		 */
2363
		if (entry->func && entry->func != func)
2364
			continue;
2365

2366
		/*
2367
		 * We require this to be a digital signature, not a raw IMA
2368
		 * hash.
2369
		 */
2370
		if (entry->flags & IMA_DIGSIG_REQUIRED)
2371
			found = true;
2372

2373
		/*
2374
		 * We've found a rule that matches, so break now even if it
2375
		 * didn't require a digital signature - a later rule that does
2376
		 * won't override it, so would be a false positive.
2377
		 */
2378
		break;
2379
	}
2380

2381
	rcu_read_unlock();
2382
	return found;
2383
}
2384
#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
2385

2386