linux/security/integrity/ima/ima_policy.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright (C) 2008 IBM Corporation
   4 * Author: Mimi Zohar <zohar@us.ibm.com>
   5 *
   6 * ima_policy.c
   7 *      - initialize default measure policy rules
   8 */
   9
  10#include <linux/init.h>
  11#include <linux/list.h>
  12#include <linux/kernel_read_file.h>
  13#include <linux/fs.h>
  14#include <linux/security.h>
  15#include <linux/magic.h>
  16#include <linux/parser.h>
  17#include <linux/slab.h>
  18#include <linux/rculist.h>
  19#include <linux/genhd.h>
  20#include <linux/seq_file.h>
  21#include <linux/ima.h>
  22
  23#include "ima.h"
  24
  25/* flags definitions */
  26#define IMA_FUNC        0x0001
  27#define IMA_MASK        0x0002
  28#define IMA_FSMAGIC     0x0004
  29#define IMA_UID         0x0008
  30#define IMA_FOWNER      0x0010
  31#define IMA_FSUUID      0x0020
  32#define IMA_INMASK      0x0040
  33#define IMA_EUID        0x0080
  34#define IMA_PCR         0x0100
  35#define IMA_FSNAME      0x0200
  36#define IMA_KEYRINGS    0x0400
  37#define IMA_LABEL       0x0800
  38
  39#define UNKNOWN         0
  40#define MEASURE         0x0001  /* same as IMA_MEASURE */
  41#define DONT_MEASURE    0x0002
  42#define APPRAISE        0x0004  /* same as IMA_APPRAISE */
  43#define DONT_APPRAISE   0x0008
  44#define AUDIT           0x0040
  45#define HASH            0x0100
  46#define DONT_HASH       0x0200
  47
  48#define INVALID_PCR(a) (((a) < 0) || \
  49        (a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8))
  50
  51int ima_policy_flag;
  52static int temp_ima_appraise;
  53static int build_ima_appraise __ro_after_init;
  54
  55#define MAX_LSM_RULES 6
  56enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
  57        LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
  58};
  59
  60enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
  61
  62enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
  63
  64struct ima_rule_opt_list {
  65        size_t count;
  66        char *items[];
  67};
  68
  69struct ima_rule_entry {
  70        struct list_head list;
  71        int action;
  72        unsigned int flags;
  73        enum ima_hooks func;
  74        int mask;
  75        unsigned long fsmagic;
  76        uuid_t fsuuid;
  77        kuid_t uid;
  78        kuid_t fowner;
  79        bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
  80        bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
  81        int pcr;
  82        struct {
  83                void *rule;     /* LSM file metadata specific */
  84                char *args_p;   /* audit value */
  85                int type;       /* audit type */
  86        } lsm[MAX_LSM_RULES];
  87        char *fsname;
  88        struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
  89        struct ima_rule_opt_list *label; /* Measure data grouped under this label */
  90        struct ima_template_desc *template;
  91};
  92
  93/*
  94 * Without LSM specific knowledge, the default policy can only be
  95 * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
  96 */
  97
  98/*
  99 * The minimum rule set to allow for full TCB coverage.  Measures all files
 100 * opened or mmap for exec and everything read by root.  Dangerous because
 101 * normal users can easily run the machine out of memory simply building
 102 * and running executables.
 103 */
 104static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
 105        {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 106        {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
 107        {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
 108        {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
 109        {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 110        {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 111        {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 112        {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 113        {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
 114        {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
 115         .flags = IMA_FSMAGIC},
 116        {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
 117         .flags = IMA_FSMAGIC},
 118        {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 119        {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
 120};
 121
 122static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
 123        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 124         .flags = IMA_FUNC | IMA_MASK},
 125        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 126         .flags = IMA_FUNC | IMA_MASK},
 127        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 128         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 129         .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 130        {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 131        {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 132};
 133
 134static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
 135        {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 136         .flags = IMA_FUNC | IMA_MASK},
 137        {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 138         .flags = IMA_FUNC | IMA_MASK},
 139        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 140         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 141         .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
 142        {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
 143         .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 144         .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
 145        {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 146        {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 147        {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
 148};
 149
 150static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
 151        {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 152        {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
 153        {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
 154        {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
 155        {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
 156        {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 157        {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 158        {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 159        {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
 160        {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
 161        {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 162        {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
 163        {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 164        {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 165#ifdef CONFIG_IMA_WRITE_POLICY
 166        {.action = APPRAISE, .func = POLICY_CHECK,
 167        .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 168#endif
 169#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
 170        {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
 171         .flags = IMA_FOWNER},
 172#else
 173        /* force signature */
 174        {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
 175         .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
 176#endif
 177};
 178
 179static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
 180#ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
 181        {.action = APPRAISE, .func = MODULE_CHECK,
 182         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 183#endif
 184#ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
 185        {.action = APPRAISE, .func = FIRMWARE_CHECK,
 186         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 187#endif
 188#ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
 189        {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
 190         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 191#endif
 192#ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
 193        {.action = APPRAISE, .func = POLICY_CHECK,
 194         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 195#endif
 196};
 197
 198static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
 199        {.action = APPRAISE, .func = MODULE_CHECK,
 200         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 201        {.action = APPRAISE, .func = FIRMWARE_CHECK,
 202         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 203        {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
 204         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 205        {.action = APPRAISE, .func = POLICY_CHECK,
 206         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 207};
 208
 209static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
 210        {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
 211};
 212
 213/* An array of architecture specific rules */
 214static struct ima_rule_entry *arch_policy_entry __ro_after_init;
 215
 216static LIST_HEAD(ima_default_rules);
 217static LIST_HEAD(ima_policy_rules);
 218static LIST_HEAD(ima_temp_rules);
 219static struct list_head *ima_rules = &ima_default_rules;
 220
 221static int ima_policy __initdata;
 222
 223static int __init default_measure_policy_setup(char *str)
 224{
 225        if (ima_policy)
 226                return 1;
 227
 228        ima_policy = ORIGINAL_TCB;
 229        return 1;
 230}
 231__setup("ima_tcb", default_measure_policy_setup);
 232
 233static bool ima_use_appraise_tcb __initdata;
 234static bool ima_use_secure_boot __initdata;
 235static bool ima_use_critical_data __initdata;
 236static bool ima_fail_unverifiable_sigs __ro_after_init;
 237static int __init policy_setup(char *str)
 238{
 239        char *p;
 240
 241        while ((p = strsep(&str, " |\n")) != NULL) {
 242                if (*p == ' ')
 243                        continue;
 244                if ((strcmp(p, "tcb") == 0) && !ima_policy)
 245                        ima_policy = DEFAULT_TCB;
 246                else if (strcmp(p, "appraise_tcb") == 0)
 247                        ima_use_appraise_tcb = true;
 248                else if (strcmp(p, "secure_boot") == 0)
 249                        ima_use_secure_boot = true;
 250                else if (strcmp(p, "critical_data") == 0)
 251                        ima_use_critical_data = true;
 252                else if (strcmp(p, "fail_securely") == 0)
 253                        ima_fail_unverifiable_sigs = true;
 254                else
 255                        pr_err("policy \"%s\" not found", p);
 256        }
 257
 258        return 1;
 259}
 260__setup("ima_policy=", policy_setup);
 261
 262static int __init default_appraise_policy_setup(char *str)
 263{
 264        ima_use_appraise_tcb = true;
 265        return 1;
 266}
 267__setup("ima_appraise_tcb", default_appraise_policy_setup);
 268
 269static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src)
 270{
 271        struct ima_rule_opt_list *opt_list;
 272        size_t count = 0;
 273        char *src_copy;
 274        char *cur, *next;
 275        size_t i;
 276
 277        src_copy = match_strdup(src);
 278        if (!src_copy)
 279                return ERR_PTR(-ENOMEM);
 280
 281        next = src_copy;
 282        while ((cur = strsep(&next, "|"))) {
 283                /* Don't accept an empty list item */
 284                if (!(*cur)) {
 285                        kfree(src_copy);
 286                        return ERR_PTR(-EINVAL);
 287                }
 288                count++;
 289        }
 290
 291        /* Don't accept an empty list */
 292        if (!count) {
 293                kfree(src_copy);
 294                return ERR_PTR(-EINVAL);
 295        }
 296
 297        opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL);
 298        if (!opt_list) {
 299                kfree(src_copy);
 300                return ERR_PTR(-ENOMEM);
 301        }
 302
 303        /*
 304         * strsep() has already replaced all instances of '|' with '\0',
 305         * leaving a byte sequence of NUL-terminated strings. Reference each
 306         * string with the array of items.
 307         *
 308         * IMPORTANT: Ownership of the allocated buffer is transferred from
 309         * src_copy to the first element in the items array. To free the
 310         * buffer, kfree() must only be called on the first element of the
 311         * array.
 312         */
 313        for (i = 0, cur = src_copy; i < count; i++) {
 314                opt_list->items[i] = cur;
 315                cur = strchr(cur, '\0') + 1;
 316        }
 317        opt_list->count = count;
 318
 319        return opt_list;
 320}
 321
 322static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
 323{
 324        if (!opt_list)
 325                return;
 326
 327        if (opt_list->count) {
 328                kfree(opt_list->items[0]);
 329                opt_list->count = 0;
 330        }
 331
 332        kfree(opt_list);
 333}
 334
 335static void ima_lsm_free_rule(struct ima_rule_entry *entry)
 336{
 337        int i;
 338
 339        for (i = 0; i < MAX_LSM_RULES; i++) {
 340                ima_filter_rule_free(entry->lsm[i].rule);
 341                kfree(entry->lsm[i].args_p);
 342        }
 343}
 344
 345static void ima_free_rule(struct ima_rule_entry *entry)
 346{
 347        if (!entry)
 348                return;
 349
 350        /*
 351         * entry->template->fields may be allocated in ima_parse_rule() but that
 352         * reference is owned by the corresponding ima_template_desc element in
 353         * the defined_templates list and cannot be freed here
 354         */
 355        kfree(entry->fsname);
 356        ima_free_rule_opt_list(entry->keyrings);
 357        ima_lsm_free_rule(entry);
 358        kfree(entry);
 359}
 360
 361static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 362{
 363        struct ima_rule_entry *nentry;
 364        int i;
 365
 366        /*
 367         * Immutable elements are copied over as pointers and data; only
 368         * lsm rules can change
 369         */
 370        nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
 371        if (!nentry)
 372                return NULL;
 373
 374        memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm));
 375
 376        for (i = 0; i < MAX_LSM_RULES; i++) {
 377                if (!entry->lsm[i].args_p)
 378                        continue;
 379
 380                nentry->lsm[i].type = entry->lsm[i].type;
 381                nentry->lsm[i].args_p = entry->lsm[i].args_p;
 382                /*
 383                 * Remove the reference from entry so that the associated
 384                 * memory will not be freed during a later call to
 385                 * ima_lsm_free_rule(entry).
 386                 */
 387                entry->lsm[i].args_p = NULL;
 388
 389                ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
 390                                     nentry->lsm[i].args_p,
 391                                     &nentry->lsm[i].rule);
 392                if (!nentry->lsm[i].rule)
 393                        pr_warn("rule for LSM \'%s\' is undefined\n",
 394                                nentry->lsm[i].args_p);
 395        }
 396        return nentry;
 397}
 398
 399static int ima_lsm_update_rule(struct ima_rule_entry *entry)
 400{
 401        struct ima_rule_entry *nentry;
 402
 403        nentry = ima_lsm_copy_rule(entry);
 404        if (!nentry)
 405                return -ENOMEM;
 406
 407        list_replace_rcu(&entry->list, &nentry->list);
 408        synchronize_rcu();
 409        /*
 410         * ima_lsm_copy_rule() shallow copied all references, except for the
 411         * LSM references, from entry to nentry so we only want to free the LSM
 412         * references and the entry itself. All other memory refrences will now
 413         * be owned by nentry.
 414         */
 415        ima_lsm_free_rule(entry);
 416        kfree(entry);
 417
 418        return 0;
 419}
 420
 421static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
 422{
 423        int i;
 424
 425        for (i = 0; i < MAX_LSM_RULES; i++)
 426                if (entry->lsm[i].args_p)
 427                        return true;
 428
 429        return false;
 430}
 431
 432/*
 433 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
 434 * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
 435 * the reloaded LSM policy.
 436 */
 437static void ima_lsm_update_rules(void)
 438{
 439        struct ima_rule_entry *entry, *e;
 440        int result;
 441
 442        list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
 443                if (!ima_rule_contains_lsm_cond(entry))
 444                        continue;
 445
 446                result = ima_lsm_update_rule(entry);
 447                if (result) {
 448                        pr_err("lsm rule update error %d\n", result);
 449                        return;
 450                }
 451        }
 452}
 453
 454int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
 455                          void *lsm_data)
 456{
 457        if (event != LSM_POLICY_CHANGE)
 458                return NOTIFY_DONE;
 459
 460        ima_lsm_update_rules();
 461        return NOTIFY_OK;
 462}
 463
 464/**
 465 * ima_match_rule_data - determine whether func_data matches the policy rule
 466 * @rule: a pointer to a rule
 467 * @func_data: data to match against the measure rule data
 468 * @cred: a pointer to a credentials structure for user validation
 469 *
 470 * Returns true if func_data matches one in the rule, false otherwise.
 471 */
 472static bool ima_match_rule_data(struct ima_rule_entry *rule,
 473                                const char *func_data,
 474                                const struct cred *cred)
 475{
 476        const struct ima_rule_opt_list *opt_list = NULL;
 477        bool matched = false;
 478        size_t i;
 479
 480        if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
 481                return false;
 482
 483        switch (rule->func) {
 484        case KEY_CHECK:
 485                if (!rule->keyrings)
 486                        return true;
 487
 488                opt_list = rule->keyrings;
 489                break;
 490        case CRITICAL_DATA:
 491                if (!rule->label)
 492                        return true;
 493
 494                opt_list = rule->label;
 495                break;
 496        default:
 497                return false;
 498        }
 499
 500        if (!func_data)
 501                return false;
 502
 503        for (i = 0; i < opt_list->count; i++) {
 504                if (!strcmp(opt_list->items[i], func_data)) {
 505                        matched = true;
 506                        break;
 507                }
 508        }
 509
 510        return matched;
 511}
 512
 513/**
 514 * ima_match_rules - determine whether an inode matches the policy rule.
 515 * @rule: a pointer to a rule
 516 * @mnt_userns: user namespace of the mount the inode was found from
 517 * @inode: a pointer to an inode
 518 * @cred: a pointer to a credentials structure for user validation
 519 * @secid: the secid of the task to be validated
 520 * @func: LIM hook identifier
 521 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 522 * @func_data: func specific data, may be NULL
 523 *
 524 * Returns true on rule match, false on failure.
 525 */
 526static bool ima_match_rules(struct ima_rule_entry *rule,
 527                            struct user_namespace *mnt_userns,
 528                            struct inode *inode, const struct cred *cred,
 529                            u32 secid, enum ima_hooks func, int mask,
 530                            const char *func_data)
 531{
 532        int i;
 533
 534        if ((rule->flags & IMA_FUNC) &&
 535            (rule->func != func && func != POST_SETATTR))
 536                return false;
 537
 538        switch (func) {
 539        case KEY_CHECK:
 540        case CRITICAL_DATA:
 541                return ((rule->func == func) &&
 542                        ima_match_rule_data(rule, func_data, cred));
 543        default:
 544                break;
 545        }
 546
 547        if ((rule->flags & IMA_MASK) &&
 548            (rule->mask != mask && func != POST_SETATTR))
 549                return false;
 550        if ((rule->flags & IMA_INMASK) &&
 551            (!(rule->mask & mask) && func != POST_SETATTR))
 552                return false;
 553        if ((rule->flags & IMA_FSMAGIC)
 554            && rule->fsmagic != inode->i_sb->s_magic)
 555                return false;
 556        if ((rule->flags & IMA_FSNAME)
 557            && strcmp(rule->fsname, inode->i_sb->s_type->name))
 558                return false;
 559        if ((rule->flags & IMA_FSUUID) &&
 560            !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
 561                return false;
 562        if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
 563                return false;
 564        if (rule->flags & IMA_EUID) {
 565                if (has_capability_noaudit(current, CAP_SETUID)) {
 566                        if (!rule->uid_op(cred->euid, rule->uid)
 567                            && !rule->uid_op(cred->suid, rule->uid)
 568                            && !rule->uid_op(cred->uid, rule->uid))
 569                                return false;
 570                } else if (!rule->uid_op(cred->euid, rule->uid))
 571                        return false;
 572        }
 573
 574        if ((rule->flags & IMA_FOWNER) &&
 575            !rule->fowner_op(i_uid_into_mnt(mnt_userns, inode), rule->fowner))
 576                return false;
 577        for (i = 0; i < MAX_LSM_RULES; i++) {
 578                int rc = 0;
 579                u32 osid;
 580
 581                if (!rule->lsm[i].rule) {
 582                        if (!rule->lsm[i].args_p)
 583                                continue;
 584                        else
 585                                return false;
 586                }
 587                switch (i) {
 588                case LSM_OBJ_USER:
 589                case LSM_OBJ_ROLE:
 590                case LSM_OBJ_TYPE:
 591                        security_inode_getsecid(inode, &osid);
 592                        rc = ima_filter_rule_match(osid, rule->lsm[i].type,
 593                                                   Audit_equal,
 594                                                   rule->lsm[i].rule);
 595                        break;
 596                case LSM_SUBJ_USER:
 597                case LSM_SUBJ_ROLE:
 598                case LSM_SUBJ_TYPE:
 599                        rc = ima_filter_rule_match(secid, rule->lsm[i].type,
 600                                                   Audit_equal,
 601                                                   rule->lsm[i].rule);
 602                        break;
 603                default:
 604                        break;
 605                }
 606                if (!rc)
 607                        return false;
 608        }
 609        return true;
 610}
 611
 612/*
 613 * In addition to knowing that we need to appraise the file in general,
 614 * we need to differentiate between calling hooks, for hook specific rules.
 615 */
 616static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 617{
 618        if (!(rule->flags & IMA_FUNC))
 619                return IMA_FILE_APPRAISE;
 620
 621        switch (func) {
 622        case MMAP_CHECK:
 623                return IMA_MMAP_APPRAISE;
 624        case BPRM_CHECK:
 625                return IMA_BPRM_APPRAISE;
 626        case CREDS_CHECK:
 627                return IMA_CREDS_APPRAISE;
 628        case FILE_CHECK:
 629        case POST_SETATTR:
 630                return IMA_FILE_APPRAISE;
 631        case MODULE_CHECK ... MAX_CHECK - 1:
 632        default:
 633                return IMA_READ_APPRAISE;
 634        }
 635}
 636
 637/**
 638 * ima_match_policy - decision based on LSM and other conditions
 639 * @mnt_userns: user namespace of the mount the inode was found from
 640 * @inode: pointer to an inode for which the policy decision is being made
 641 * @cred: pointer to a credentials structure for which the policy decision is
 642 *        being made
 643 * @secid: LSM secid of the task to be validated
 644 * @func: IMA hook identifier
 645 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 646 * @pcr: set the pcr to extend
 647 * @template_desc: the template that should be used for this rule
 648 * @func_data: func specific data, may be NULL
 649 *
 650 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
 651 * conditions.
 652 *
 653 * Since the IMA policy may be updated multiple times we need to lock the
 654 * list when walking it.  Reads are many orders of magnitude more numerous
 655 * than writes so ima_match_policy() is classical RCU candidate.
 656 */
 657int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
 658                     const struct cred *cred, u32 secid, enum ima_hooks func,
 659                     int mask, int flags, int *pcr,
 660                     struct ima_template_desc **template_desc,
 661                     const char *func_data)
 662{
 663        struct ima_rule_entry *entry;
 664        int action = 0, actmask = flags | (flags << 1);
 665
 666        if (template_desc && !*template_desc)
 667                *template_desc = ima_template_desc_current();
 668
 669        rcu_read_lock();
 670        list_for_each_entry_rcu(entry, ima_rules, list) {
 671
 672                if (!(entry->action & actmask))
 673                        continue;
 674
 675                if (!ima_match_rules(entry, mnt_userns, inode, cred, secid,
 676                                     func, mask, func_data))
 677                        continue;
 678
 679                action |= entry->flags & IMA_ACTION_FLAGS;
 680
 681                action |= entry->action & IMA_DO_MASK;
 682                if (entry->action & IMA_APPRAISE) {
 683                        action |= get_subaction(entry, func);
 684                        action &= ~IMA_HASH;
 685                        if (ima_fail_unverifiable_sigs)
 686                                action |= IMA_FAIL_UNVERIFIABLE_SIGS;
 687                }
 688
 689
 690                if (entry->action & IMA_DO_MASK)
 691                        actmask &= ~(entry->action | entry->action << 1);
 692                else
 693                        actmask &= ~(entry->action | entry->action >> 1);
 694
 695                if ((pcr) && (entry->flags & IMA_PCR))
 696                        *pcr = entry->pcr;
 697
 698                if (template_desc && entry->template)
 699                        *template_desc = entry->template;
 700
 701                if (!actmask)
 702                        break;
 703        }
 704        rcu_read_unlock();
 705
 706        return action;
 707}
 708
 709/*
 710 * Initialize the ima_policy_flag variable based on the currently
 711 * loaded policy.  Based on this flag, the decision to short circuit
 712 * out of a function or not call the function in the first place
 713 * can be made earlier.
 714 */
 715void ima_update_policy_flag(void)
 716{
 717        struct ima_rule_entry *entry;
 718
 719        list_for_each_entry(entry, ima_rules, list) {
 720                if (entry->action & IMA_DO_MASK)
 721                        ima_policy_flag |= entry->action;
 722        }
 723
 724        ima_appraise |= (build_ima_appraise | temp_ima_appraise);
 725        if (!ima_appraise)
 726                ima_policy_flag &= ~IMA_APPRAISE;
 727}
 728
 729static int ima_appraise_flag(enum ima_hooks func)
 730{
 731        if (func == MODULE_CHECK)
 732                return IMA_APPRAISE_MODULES;
 733        else if (func == FIRMWARE_CHECK)
 734                return IMA_APPRAISE_FIRMWARE;
 735        else if (func == POLICY_CHECK)
 736                return IMA_APPRAISE_POLICY;
 737        else if (func == KEXEC_KERNEL_CHECK)
 738                return IMA_APPRAISE_KEXEC;
 739        return 0;
 740}
 741
 742static void add_rules(struct ima_rule_entry *entries, int count,
 743                      enum policy_rule_list policy_rule)
 744{
 745        int i = 0;
 746
 747        for (i = 0; i < count; i++) {
 748                struct ima_rule_entry *entry;
 749
 750                if (policy_rule & IMA_DEFAULT_POLICY)
 751                        list_add_tail(&entries[i].list, &ima_default_rules);
 752
 753                if (policy_rule & IMA_CUSTOM_POLICY) {
 754                        entry = kmemdup(&entries[i], sizeof(*entry),
 755                                        GFP_KERNEL);
 756                        if (!entry)
 757                                continue;
 758
 759                        list_add_tail(&entry->list, &ima_policy_rules);
 760                }
 761                if (entries[i].action == APPRAISE) {
 762                        if (entries != build_appraise_rules)
 763                                temp_ima_appraise |=
 764                                        ima_appraise_flag(entries[i].func);
 765                        else
 766                                build_ima_appraise |=
 767                                        ima_appraise_flag(entries[i].func);
 768                }
 769        }
 770}
 771
 772static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
 773
 774static int __init ima_init_arch_policy(void)
 775{
 776        const char * const *arch_rules;
 777        const char * const *rules;
 778        int arch_entries = 0;
 779        int i = 0;
 780
 781        arch_rules = arch_get_ima_policy();
 782        if (!arch_rules)
 783                return arch_entries;
 784
 785        /* Get number of rules */
 786        for (rules = arch_rules; *rules != NULL; rules++)
 787                arch_entries++;
 788
 789        arch_policy_entry = kcalloc(arch_entries + 1,
 790                                    sizeof(*arch_policy_entry), GFP_KERNEL);
 791        if (!arch_policy_entry)
 792                return 0;
 793
 794        /* Convert each policy string rules to struct ima_rule_entry format */
 795        for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
 796                char rule[255];
 797                int result;
 798
 799                result = strlcpy(rule, *rules, sizeof(rule));
 800
 801                INIT_LIST_HEAD(&arch_policy_entry[i].list);
 802                result = ima_parse_rule(rule, &arch_policy_entry[i]);
 803                if (result) {
 804                        pr_warn("Skipping unknown architecture policy rule: %s\n",
 805                                rule);
 806                        memset(&arch_policy_entry[i], 0,
 807                               sizeof(*arch_policy_entry));
 808                        continue;
 809                }
 810                i++;
 811        }
 812        return i;
 813}
 814
 815/**
 816 * ima_init_policy - initialize the default measure rules.
 817 *
 818 * ima_rules points to either the ima_default_rules or the
 819 * the new ima_policy_rules.
 820 */
 821void __init ima_init_policy(void)
 822{
 823        int build_appraise_entries, arch_entries;
 824
 825        /* if !ima_policy, we load NO default rules */
 826        if (ima_policy)
 827                add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
 828                          IMA_DEFAULT_POLICY);
 829
 830        switch (ima_policy) {
 831        case ORIGINAL_TCB:
 832                add_rules(original_measurement_rules,
 833                          ARRAY_SIZE(original_measurement_rules),
 834                          IMA_DEFAULT_POLICY);
 835                break;
 836        case DEFAULT_TCB:
 837                add_rules(default_measurement_rules,
 838                          ARRAY_SIZE(default_measurement_rules),
 839                          IMA_DEFAULT_POLICY);
 840                break;
 841        default:
 842                break;
 843        }
 844
 845        /*
 846         * Based on runtime secure boot flags, insert arch specific measurement
 847         * and appraise rules requiring file signatures for both the initial
 848         * and custom policies, prior to other appraise rules.
 849         * (Highest priority)
 850         */
 851        arch_entries = ima_init_arch_policy();
 852        if (!arch_entries)
 853                pr_info("No architecture policies found\n");
 854        else
 855                add_rules(arch_policy_entry, arch_entries,
 856                          IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
 857
 858        /*
 859         * Insert the builtin "secure_boot" policy rules requiring file
 860         * signatures, prior to other appraise rules.
 861         */
 862        if (ima_use_secure_boot)
 863                add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
 864                          IMA_DEFAULT_POLICY);
 865
 866        /*
 867         * Insert the build time appraise rules requiring file signatures
 868         * for both the initial and custom policies, prior to other appraise
 869         * rules. As the secure boot rules includes all of the build time
 870         * rules, include either one or the other set of rules, but not both.
 871         */
 872        build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
 873        if (build_appraise_entries) {
 874                if (ima_use_secure_boot)
 875                        add_rules(build_appraise_rules, build_appraise_entries,
 876                                  IMA_CUSTOM_POLICY);
 877                else
 878                        add_rules(build_appraise_rules, build_appraise_entries,
 879                                  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
 880        }
 881
 882        if (ima_use_appraise_tcb)
 883                add_rules(default_appraise_rules,
 884                          ARRAY_SIZE(default_appraise_rules),
 885                          IMA_DEFAULT_POLICY);
 886
 887        if (ima_use_critical_data)
 888                add_rules(critical_data_rules,
 889                          ARRAY_SIZE(critical_data_rules),
 890                          IMA_DEFAULT_POLICY);
 891
 892        ima_update_policy_flag();
 893}
 894
 895/* Make sure we have a valid policy, at least containing some rules. */
 896int ima_check_policy(void)
 897{
 898        if (list_empty(&ima_temp_rules))
 899                return -EINVAL;
 900        return 0;
 901}
 902
 903/**
 904 * ima_update_policy - update default_rules with new measure rules
 905 *
 906 * Called on file .release to update the default rules with a complete new
 907 * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
 908 * they make a queue.  The policy may be updated multiple times and this is the
 909 * RCU updater.
 910 *
 911 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
 912 * we switch from the default policy to user defined.
 913 */
 914void ima_update_policy(void)
 915{
 916        struct list_head *policy = &ima_policy_rules;
 917
 918        list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
 919
 920        if (ima_rules != policy) {
 921                ima_policy_flag = 0;
 922                ima_rules = policy;
 923
 924                /*
 925                 * IMA architecture specific policy rules are specified
 926                 * as strings and converted to an array of ima_entry_rules
 927                 * on boot.  After loading a custom policy, free the
 928                 * architecture specific rules stored as an array.
 929                 */
 930                kfree(arch_policy_entry);
 931        }
 932        ima_update_policy_flag();
 933
 934        /* Custom IMA policy has been loaded */
 935        ima_process_queued_keys();
 936}
 937
 938/* Keep the enumeration in sync with the policy_tokens! */
 939enum {
 940        Opt_measure, Opt_dont_measure,
 941        Opt_appraise, Opt_dont_appraise,
 942        Opt_audit, Opt_hash, Opt_dont_hash,
 943        Opt_obj_user, Opt_obj_role, Opt_obj_type,
 944        Opt_subj_user, Opt_subj_role, Opt_subj_type,
 945        Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
 946        Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
 947        Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
 948        Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
 949        Opt_appraise_type, Opt_appraise_flag,
 950        Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
 951        Opt_label, Opt_err
 952};
 953
 954static const match_table_t policy_tokens = {
 955        {Opt_measure, "measure"},
 956        {Opt_dont_measure, "dont_measure"},
 957        {Opt_appraise, "appraise"},
 958        {Opt_dont_appraise, "dont_appraise"},
 959        {Opt_audit, "audit"},
 960        {Opt_hash, "hash"},
 961        {Opt_dont_hash, "dont_hash"},
 962        {Opt_obj_user, "obj_user=%s"},
 963        {Opt_obj_role, "obj_role=%s"},
 964        {Opt_obj_type, "obj_type=%s"},
 965        {Opt_subj_user, "subj_user=%s"},
 966        {Opt_subj_role, "subj_role=%s"},
 967        {Opt_subj_type, "subj_type=%s"},
 968        {Opt_func, "func=%s"},
 969        {Opt_mask, "mask=%s"},
 970        {Opt_fsmagic, "fsmagic=%s"},
 971        {Opt_fsname, "fsname=%s"},
 972        {Opt_fsuuid, "fsuuid=%s"},
 973        {Opt_uid_eq, "uid=%s"},
 974        {Opt_euid_eq, "euid=%s"},
 975        {Opt_fowner_eq, "fowner=%s"},
 976        {Opt_uid_gt, "uid>%s"},
 977        {Opt_euid_gt, "euid>%s"},
 978        {Opt_fowner_gt, "fowner>%s"},
 979        {Opt_uid_lt, "uid<%s"},
 980        {Opt_euid_lt, "euid<%s"},
 981        {Opt_fowner_lt, "fowner<%s"},
 982        {Opt_appraise_type, "appraise_type=%s"},
 983        {Opt_appraise_flag, "appraise_flag=%s"},
 984        {Opt_permit_directio, "permit_directio"},
 985        {Opt_pcr, "pcr=%s"},
 986        {Opt_template, "template=%s"},
 987        {Opt_keyrings, "keyrings=%s"},
 988        {Opt_label, "label=%s"},
 989        {Opt_err, NULL}
 990};
 991
 992static int ima_lsm_rule_init(struct ima_rule_entry *entry,
 993                             substring_t *args, int lsm_rule, int audit_type)
 994{
 995        int result;
 996
 997        if (entry->lsm[lsm_rule].rule)
 998                return -EINVAL;
 999
1000        entry->lsm[lsm_rule].args_p = match_strdup(args);
1001        if (!entry->lsm[lsm_rule].args_p)
1002                return -ENOMEM;
1003
1004        entry->lsm[lsm_rule].type = audit_type;
1005        result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
1006                                      entry->lsm[lsm_rule].args_p,
1007                                      &entry->lsm[lsm_rule].rule);
1008        if (!entry->lsm[lsm_rule].rule) {
1009                pr_warn("rule for LSM \'%s\' is undefined\n",
1010                        entry->lsm[lsm_rule].args_p);
1011
1012                if (ima_rules == &ima_default_rules) {
1013                        kfree(entry->lsm[lsm_rule].args_p);
1014                        entry->lsm[lsm_rule].args_p = NULL;
1015                        result = -EINVAL;
1016                } else
1017                        result = 0;
1018        }
1019
1020        return result;
1021}
1022
1023static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
1024                              bool (*rule_operator)(kuid_t, kuid_t))
1025{
1026        if (!ab)
1027                return;
1028
1029        if (rule_operator == &uid_gt)
1030                audit_log_format(ab, "%s>", key);
1031        else if (rule_operator == &uid_lt)
1032                audit_log_format(ab, "%s<", key);
1033        else
1034                audit_log_format(ab, "%s=", key);
1035        audit_log_format(ab, "%s ", value);
1036}
1037static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
1038{
1039        ima_log_string_op(ab, key, value, NULL);
1040}
1041
1042/*
1043 * Validating the appended signature included in the measurement list requires
1044 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
1045 * field). Therefore, notify the user if they have the 'modsig' field but not
1046 * the 'd-modsig' field in the template.
1047 */
1048static void check_template_modsig(const struct ima_template_desc *template)
1049{
1050#define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
1051        bool has_modsig, has_dmodsig;
1052        static bool checked;
1053        int i;
1054
1055        /* We only need to notify the user once. */
1056        if (checked)
1057                return;
1058
1059        has_modsig = has_dmodsig = false;
1060        for (i = 0; i < template->num_fields; i++) {
1061                if (!strcmp(template->fields[i]->field_id, "modsig"))
1062                        has_modsig = true;
1063                else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
1064                        has_dmodsig = true;
1065        }
1066
1067        if (has_modsig && !has_dmodsig)
1068                pr_notice(MSG);
1069
1070        checked = true;
1071#undef MSG
1072}
1073
1074static bool ima_validate_rule(struct ima_rule_entry *entry)
1075{
1076        /* Ensure that the action is set and is compatible with the flags */
1077        if (entry->action == UNKNOWN)
1078                return false;
1079
1080        if (entry->action != MEASURE && entry->flags & IMA_PCR)
1081                return false;
1082
1083        if (entry->action != APPRAISE &&
1084            entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST))
1085                return false;
1086
1087        /*
1088         * The IMA_FUNC bit must be set if and only if there's a valid hook
1089         * function specified, and vice versa. Enforcing this property allows
1090         * for the NONE case below to validate a rule without an explicit hook
1091         * function.
1092         */
1093        if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
1094            (!(entry->flags & IMA_FUNC) && entry->func != NONE))
1095                return false;
1096
1097        /*
1098         * Ensure that the hook function is compatible with the other
1099         * components of the rule
1100         */
1101        switch (entry->func) {
1102        case NONE:
1103        case FILE_CHECK:
1104        case MMAP_CHECK:
1105        case BPRM_CHECK:
1106        case CREDS_CHECK:
1107        case POST_SETATTR:
1108        case FIRMWARE_CHECK:
1109        case POLICY_CHECK:
1110                if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1111                                     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1112                                     IMA_INMASK | IMA_EUID | IMA_PCR |
1113                                     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
1114                                     IMA_PERMIT_DIRECTIO))
1115                        return false;
1116
1117                break;
1118        case MODULE_CHECK:
1119        case KEXEC_KERNEL_CHECK:
1120        case KEXEC_INITRAMFS_CHECK:
1121                if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1122                                     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1123                                     IMA_INMASK | IMA_EUID | IMA_PCR |
1124                                     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
1125                                     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
1126                                     IMA_CHECK_BLACKLIST))
1127                        return false;
1128
1129                break;
1130        case KEXEC_CMDLINE:
1131                if (entry->action & ~(MEASURE | DONT_MEASURE))
1132                        return false;
1133
1134                if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1135                                     IMA_FOWNER | IMA_FSUUID | IMA_EUID |
1136                                     IMA_PCR | IMA_FSNAME))
1137                        return false;
1138
1139                break;
1140        case KEY_CHECK:
1141                if (entry->action & ~(MEASURE | DONT_MEASURE))
1142                        return false;
1143
1144                if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
1145                                     IMA_KEYRINGS))
1146                        return false;
1147
1148                if (ima_rule_contains_lsm_cond(entry))
1149                        return false;
1150
1151                break;
1152        case CRITICAL_DATA:
1153                if (entry->action & ~(MEASURE | DONT_MEASURE))
1154                        return false;
1155
1156                if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
1157                                     IMA_LABEL))
1158                        return false;
1159
1160                if (ima_rule_contains_lsm_cond(entry))
1161                        return false;
1162
1163                break;
1164        default:
1165                return false;
1166        }
1167
1168        /* Ensure that combinations of flags are compatible with each other */
1169        if (entry->flags & IMA_CHECK_BLACKLIST &&
1170            !(entry->flags & IMA_MODSIG_ALLOWED))
1171                return false;
1172
1173        return true;
1174}
1175
1176static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1177{
1178        struct audit_buffer *ab;
1179        char *from;
1180        char *p;
1181        bool uid_token;
1182        struct ima_template_desc *template_desc;
1183        int result = 0;
1184
1185        ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
1186                                       AUDIT_INTEGRITY_POLICY_RULE);
1187
1188        entry->uid = INVALID_UID;
1189        entry->fowner = INVALID_UID;
1190        entry->uid_op = &uid_eq;
1191        entry->fowner_op = &uid_eq;
1192        entry->action = UNKNOWN;
1193        while ((p = strsep(&rule, " \t")) != NULL) {
1194                substring_t args[MAX_OPT_ARGS];
1195                int token;
1196                unsigned long lnum;
1197
1198                if (result < 0)
1199                        break;
1200                if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
1201                        continue;
1202                token = match_token(p, policy_tokens, args);
1203                switch (token) {
1204                case Opt_measure:
1205                        ima_log_string(ab, "action", "measure");
1206
1207                        if (entry->action != UNKNOWN)
1208                                result = -EINVAL;
1209
1210                        entry->action = MEASURE;
1211                        break;
1212                case Opt_dont_measure:
1213                        ima_log_string(ab, "action", "dont_measure");
1214
1215                        if (entry->action != UNKNOWN)
1216                                result = -EINVAL;
1217
1218                        entry->action = DONT_MEASURE;
1219                        break;
1220                case Opt_appraise:
1221                        ima_log_string(ab, "action", "appraise");
1222
1223                        if (entry->action != UNKNOWN)
1224                                result = -EINVAL;
1225
1226                        entry->action = APPRAISE;
1227                        break;
1228                case Opt_dont_appraise:
1229                        ima_log_string(ab, "action", "dont_appraise");
1230
1231                        if (entry->action != UNKNOWN)
1232                                result = -EINVAL;
1233
1234                        entry->action = DONT_APPRAISE;
1235                        break;
1236                case Opt_audit:
1237                        ima_log_string(ab, "action", "audit");
1238
1239                        if (entry->action != UNKNOWN)
1240                                result = -EINVAL;
1241
1242                        entry->action = AUDIT;
1243                        break;
1244                case Opt_hash:
1245                        ima_log_string(ab, "action", "hash");
1246
1247                        if (entry->action != UNKNOWN)
1248                                result = -EINVAL;
1249
1250                        entry->action = HASH;
1251                        break;
1252                case Opt_dont_hash:
1253                        ima_log_string(ab, "action", "dont_hash");
1254
1255                        if (entry->action != UNKNOWN)
1256                                result = -EINVAL;
1257
1258                        entry->action = DONT_HASH;
1259                        break;
1260                case Opt_func:
1261                        ima_log_string(ab, "func", args[0].from);
1262
1263                        if (entry->func)
1264                                result = -EINVAL;
1265
1266                        if (strcmp(args[0].from, "FILE_CHECK") == 0)
1267                                entry->func = FILE_CHECK;
1268                        /* PATH_CHECK is for backwards compat */
1269                        else if (strcmp(args[0].from, "PATH_CHECK") == 0)
1270                                entry->func = FILE_CHECK;
1271                        else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
1272                                entry->func = MODULE_CHECK;
1273                        else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
1274                                entry->func = FIRMWARE_CHECK;
1275                        else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
1276                                || (strcmp(args[0].from, "MMAP_CHECK") == 0))
1277                                entry->func = MMAP_CHECK;
1278                        else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
1279                                entry->func = BPRM_CHECK;
1280                        else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
1281                                entry->func = CREDS_CHECK;
1282                        else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
1283                                 0)
1284                                entry->func = KEXEC_KERNEL_CHECK;
1285                        else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
1286                                 == 0)
1287                                entry->func = KEXEC_INITRAMFS_CHECK;
1288                        else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
1289                                entry->func = POLICY_CHECK;
1290                        else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1291                                entry->func = KEXEC_CMDLINE;
1292                        else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
1293                                 strcmp(args[0].from, "KEY_CHECK") == 0)
1294                                entry->func = KEY_CHECK;
1295                        else if (strcmp(args[0].from, "CRITICAL_DATA") == 0)
1296                                entry->func = CRITICAL_DATA;
1297                        else
1298                                result = -EINVAL;
1299                        if (!result)
1300                                entry->flags |= IMA_FUNC;
1301                        break;
1302                case Opt_mask:
1303                        ima_log_string(ab, "mask", args[0].from);
1304
1305                        if (entry->mask)
1306                                result = -EINVAL;
1307
1308                        from = args[0].from;
1309                        if (*from == '^')
1310                                from++;
1311
1312                        if ((strcmp(from, "MAY_EXEC")) == 0)
1313                                entry->mask = MAY_EXEC;
1314                        else if (strcmp(from, "MAY_WRITE") == 0)
1315                                entry->mask = MAY_WRITE;
1316                        else if (strcmp(from, "MAY_READ") == 0)
1317                                entry->mask = MAY_READ;
1318                        else if (strcmp(from, "MAY_APPEND") == 0)
1319                                entry->mask = MAY_APPEND;
1320                        else
1321                                result = -EINVAL;
1322                        if (!result)
1323                                entry->flags |= (*args[0].from == '^')
1324                                     ? IMA_INMASK : IMA_MASK;
1325                        break;
1326                case Opt_fsmagic:
1327                        ima_log_string(ab, "fsmagic", args[0].from);
1328
1329                        if (entry->fsmagic) {
1330                                result = -EINVAL;
1331                                break;
1332                        }
1333
1334                        result = kstrtoul(args[0].from, 16, &entry->fsmagic);
1335                        if (!result)
1336                                entry->flags |= IMA_FSMAGIC;
1337                        break;
1338                case Opt_fsname:
1339                        ima_log_string(ab, "fsname", args[0].from);
1340
1341                        entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
1342                        if (!entry->fsname) {
1343                                result = -ENOMEM;
1344                                break;
1345                        }
1346                        result = 0;
1347                        entry->flags |= IMA_FSNAME;
1348                        break;
1349                case Opt_keyrings:
1350                        ima_log_string(ab, "keyrings", args[0].from);
1351
1352                        if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) ||
1353                            entry->keyrings) {
1354                                result = -EINVAL;
1355                                break;
1356                        }
1357
1358                        entry->keyrings = ima_alloc_rule_opt_list(args);
1359                        if (IS_ERR(entry->keyrings)) {
1360                                result = PTR_ERR(entry->keyrings);
1361                                entry->keyrings = NULL;
1362                                break;
1363                        }
1364
1365                        entry->flags |= IMA_KEYRINGS;
1366                        break;
1367                case Opt_label:
1368                        ima_log_string(ab, "label", args[0].from);
1369
1370                        if (entry->label) {
1371                                result = -EINVAL;
1372                                break;
1373                        }
1374
1375                        entry->label = ima_alloc_rule_opt_list(args);
1376                        if (IS_ERR(entry->label)) {
1377                                result = PTR_ERR(entry->label);
1378                                entry->label = NULL;
1379                                break;
1380                        }
1381
1382                        entry->flags |= IMA_LABEL;
1383                        break;
1384                case Opt_fsuuid:
1385                        ima_log_string(ab, "fsuuid", args[0].from);
1386
1387                        if (!uuid_is_null(&entry->fsuuid)) {
1388                                result = -EINVAL;
1389                                break;
1390                        }
1391
1392                        result = uuid_parse(args[0].from, &entry->fsuuid);
1393                        if (!result)
1394                                entry->flags |= IMA_FSUUID;
1395                        break;
1396                case Opt_uid_gt:
1397                case Opt_euid_gt:
1398                        entry->uid_op = &uid_gt;
1399                        fallthrough;
1400                case Opt_uid_lt:
1401                case Opt_euid_lt:
1402                        if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
1403                                entry->uid_op = &uid_lt;
1404                        fallthrough;
1405                case Opt_uid_eq:
1406                case Opt_euid_eq:
1407                        uid_token = (token == Opt_uid_eq) ||
1408                                    (token == Opt_uid_gt) ||
1409                                    (token == Opt_uid_lt);
1410
1411                        ima_log_string_op(ab, uid_token ? "uid" : "euid",
1412                                          args[0].from, entry->uid_op);
1413
1414                        if (uid_valid(entry->uid)) {
1415                                result = -EINVAL;
1416                                break;
1417                        }
1418
1419                        result = kstrtoul(args[0].from, 10, &lnum);
1420                        if (!result) {
1421                                entry->uid = make_kuid(current_user_ns(),
1422                                                       (uid_t) lnum);
1423                                if (!uid_valid(entry->uid) ||
1424                                    (uid_t)lnum != lnum)
1425                                        result = -EINVAL;
1426                                else
1427                                        entry->flags |= uid_token
1428                                            ? IMA_UID : IMA_EUID;
1429                        }
1430                        break;
1431                case Opt_fowner_gt:
1432                        entry->fowner_op = &uid_gt;
1433                        fallthrough;
1434                case Opt_fowner_lt:
1435                        if (token == Opt_fowner_lt)
1436                                entry->fowner_op = &uid_lt;
1437                        fallthrough;
1438                case Opt_fowner_eq:
1439                        ima_log_string_op(ab, "fowner", args[0].from,
1440                                          entry->fowner_op);
1441
1442                        if (uid_valid(entry->fowner)) {
1443                                result = -EINVAL;
1444                                break;
1445                        }
1446
1447                        result = kstrtoul(args[0].from, 10, &lnum);
1448                        if (!result) {
1449                                entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
1450                                if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
1451                                        result = -EINVAL;
1452                                else
1453                                        entry->flags |= IMA_FOWNER;
1454                        }
1455                        break;
1456                case Opt_obj_user:
1457                        ima_log_string(ab, "obj_user", args[0].from);
1458                        result = ima_lsm_rule_init(entry, args,
1459                                                   LSM_OBJ_USER,
1460                                                   AUDIT_OBJ_USER);
1461                        break;
1462                case Opt_obj_role:
1463                        ima_log_string(ab, "obj_role", args[0].from);
1464                        result = ima_lsm_rule_init(entry, args,
1465                                                   LSM_OBJ_ROLE,
1466                                                   AUDIT_OBJ_ROLE);
1467                        break;
1468                case Opt_obj_type:
1469                        ima_log_string(ab, "obj_type", args[0].from);
1470                        result = ima_lsm_rule_init(entry, args,
1471                                                   LSM_OBJ_TYPE,
1472                                                   AUDIT_OBJ_TYPE);
1473                        break;
1474                case Opt_subj_user:
1475                        ima_log_string(ab, "subj_user", args[0].from);
1476                        result = ima_lsm_rule_init(entry, args,
1477                                                   LSM_SUBJ_USER,
1478                                                   AUDIT_SUBJ_USER);
1479                        break;
1480                case Opt_subj_role:
1481                        ima_log_string(ab, "subj_role", args[0].from);
1482                        result = ima_lsm_rule_init(entry, args,
1483                                                   LSM_SUBJ_ROLE,
1484                                                   AUDIT_SUBJ_ROLE);
1485                        break;
1486                case Opt_subj_type:
1487                        ima_log_string(ab, "subj_type", args[0].from);
1488                        result = ima_lsm_rule_init(entry, args,
1489                                                   LSM_SUBJ_TYPE,
1490                                                   AUDIT_SUBJ_TYPE);
1491                        break;
1492                case Opt_appraise_type:
1493                        ima_log_string(ab, "appraise_type", args[0].from);
1494                        if ((strcmp(args[0].from, "imasig")) == 0)
1495                                entry->flags |= IMA_DIGSIG_REQUIRED;
1496                        else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1497                                 strcmp(args[0].from, "imasig|modsig") == 0)
1498                                entry->flags |= IMA_DIGSIG_REQUIRED |
1499                                                IMA_MODSIG_ALLOWED;
1500                        else
1501                                result = -EINVAL;
1502                        break;
1503                case Opt_appraise_flag:
1504                        ima_log_string(ab, "appraise_flag", args[0].from);
1505                        if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1506                            strstr(args[0].from, "blacklist"))
1507                                entry->flags |= IMA_CHECK_BLACKLIST;
1508                        else
1509                                result = -EINVAL;
1510                        break;
1511                case Opt_permit_directio:
1512                        entry->flags |= IMA_PERMIT_DIRECTIO;
1513                        break;
1514                case Opt_pcr:
1515                        ima_log_string(ab, "pcr", args[0].from);
1516
1517                        result = kstrtoint(args[0].from, 10, &entry->pcr);
1518                        if (result || INVALID_PCR(entry->pcr))
1519                                result = -EINVAL;
1520                        else
1521                                entry->flags |= IMA_PCR;
1522
1523                        break;
1524                case Opt_template:
1525                        ima_log_string(ab, "template", args[0].from);
1526                        if (entry->action != MEASURE) {
1527                                result = -EINVAL;
1528                                break;
1529                        }
1530                        template_desc = lookup_template_desc(args[0].from);
1531                        if (!template_desc || entry->template) {
1532                                result = -EINVAL;
1533                                break;
1534                        }
1535
1536                        /*
1537                         * template_desc_init_fields() does nothing if
1538                         * the template is already initialised, so
1539                         * it's safe to do this unconditionally
1540                         */
1541                        template_desc_init_fields(template_desc->fmt,
1542                                                 &(template_desc->fields),
1543                                                 &(template_desc->num_fields));
1544                        entry->template = template_desc;
1545                        break;
1546                case Opt_err:
1547                        ima_log_string(ab, "UNKNOWN", p);
1548                        result = -EINVAL;
1549                        break;
1550                }
1551        }
1552        if (!result && !ima_validate_rule(entry))
1553                result = -EINVAL;
1554        else if (entry->action == APPRAISE)
1555                temp_ima_appraise |= ima_appraise_flag(entry->func);
1556
1557        if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1558                template_desc = entry->template ? entry->template :
1559                                                  ima_template_desc_current();
1560                check_template_modsig(template_desc);
1561        }
1562
1563        audit_log_format(ab, "res=%d", !result);
1564        audit_log_end(ab);
1565        return result;
1566}
1567
1568/**
1569 * ima_parse_add_rule - add a rule to ima_policy_rules
1570 * @rule - ima measurement policy rule
1571 *
1572 * Avoid locking by allowing just one writer at a time in ima_write_policy()
1573 * Returns the length of the rule parsed, an error code on failure
1574 */
1575ssize_t ima_parse_add_rule(char *rule)
1576{
1577        static const char op[] = "update_policy";
1578        char *p;
1579        struct ima_rule_entry *entry;
1580        ssize_t result, len;
1581        int audit_info = 0;
1582
1583        p = strsep(&rule, "\n");
1584        len = strlen(p) + 1;
1585        p += strspn(p, " \t");
1586
1587        if (*p == '#' || *p == '\0')
1588                return len;
1589
1590        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1591        if (!entry) {
1592                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1593                                    NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1594                return -ENOMEM;
1595        }
1596
1597        INIT_LIST_HEAD(&entry->list);
1598
1599        result = ima_parse_rule(p, entry);
1600        if (result) {
1601                ima_free_rule(entry);
1602                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1603                                    NULL, op, "invalid-policy", result,
1604                                    audit_info);
1605                return result;
1606        }
1607
1608        list_add_tail(&entry->list, &ima_temp_rules);
1609
1610        return len;
1611}
1612
1613/**
1614 * ima_delete_rules() called to cleanup invalid in-flight policy.
1615 * We don't need locking as we operate on the temp list, which is
1616 * different from the active one.  There is also only one user of
1617 * ima_delete_rules() at a time.
1618 */
1619void ima_delete_rules(void)
1620{
1621        struct ima_rule_entry *entry, *tmp;
1622
1623        temp_ima_appraise = 0;
1624        list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1625                list_del(&entry->list);
1626                ima_free_rule(entry);
1627        }
1628}
1629
1630#define __ima_hook_stringify(func, str) (#func),
1631
1632const char *const func_tokens[] = {
1633        __ima_hooks(__ima_hook_stringify)
1634};
1635
1636#ifdef  CONFIG_IMA_READ_POLICY
1637enum {
1638        mask_exec = 0, mask_write, mask_read, mask_append
1639};
1640
1641static const char *const mask_tokens[] = {
1642        "^MAY_EXEC",
1643        "^MAY_WRITE",
1644        "^MAY_READ",
1645        "^MAY_APPEND"
1646};
1647
1648void *ima_policy_start(struct seq_file *m, loff_t *pos)
1649{
1650        loff_t l = *pos;
1651        struct ima_rule_entry *entry;
1652
1653        rcu_read_lock();
1654        list_for_each_entry_rcu(entry, ima_rules, list) {
1655                if (!l--) {
1656                        rcu_read_unlock();
1657                        return entry;
1658                }
1659        }
1660        rcu_read_unlock();
1661        return NULL;
1662}
1663
1664void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1665{
1666        struct ima_rule_entry *entry = v;
1667
1668        rcu_read_lock();
1669        entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1670        rcu_read_unlock();
1671        (*pos)++;
1672
1673        return (&entry->list == ima_rules) ? NULL : entry;
1674}
1675
1676void ima_policy_stop(struct seq_file *m, void *v)
1677{
1678}
1679
1680#define pt(token)       policy_tokens[token].pattern
1681#define mt(token)       mask_tokens[token]
1682
1683/*
1684 * policy_func_show - display the ima_hooks policy rule
1685 */
1686static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1687{
1688        if (func > 0 && func < MAX_CHECK)
1689                seq_printf(m, "func=%s ", func_tokens[func]);
1690        else
1691                seq_printf(m, "func=%d ", func);
1692}
1693
1694static void ima_show_rule_opt_list(struct seq_file *m,
1695                                   const struct ima_rule_opt_list *opt_list)
1696{
1697        size_t i;
1698
1699        for (i = 0; i < opt_list->count; i++)
1700                seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]);
1701}
1702
1703int ima_policy_show(struct seq_file *m, void *v)
1704{
1705        struct ima_rule_entry *entry = v;
1706        int i;
1707        char tbuf[64] = {0,};
1708        int offset = 0;
1709
1710        rcu_read_lock();
1711
1712        if (entry->action & MEASURE)
1713                seq_puts(m, pt(Opt_measure));
1714        if (entry->action & DONT_MEASURE)
1715                seq_puts(m, pt(Opt_dont_measure));
1716        if (entry->action & APPRAISE)
1717                seq_puts(m, pt(Opt_appraise));
1718        if (entry->action & DONT_APPRAISE)
1719                seq_puts(m, pt(Opt_dont_appraise));
1720        if (entry->action & AUDIT)
1721                seq_puts(m, pt(Opt_audit));
1722        if (entry->action & HASH)
1723                seq_puts(m, pt(Opt_hash));
1724        if (entry->action & DONT_HASH)
1725                seq_puts(m, pt(Opt_dont_hash));
1726
1727        seq_puts(m, " ");
1728
1729        if (entry->flags & IMA_FUNC)
1730                policy_func_show(m, entry->func);
1731
1732        if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
1733                if (entry->flags & IMA_MASK)
1734                        offset = 1;
1735                if (entry->mask & MAY_EXEC)
1736                        seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
1737                if (entry->mask & MAY_WRITE)
1738                        seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
1739                if (entry->mask & MAY_READ)
1740                        seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
1741                if (entry->mask & MAY_APPEND)
1742                        seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
1743                seq_puts(m, " ");
1744        }
1745
1746        if (entry->flags & IMA_FSMAGIC) {
1747                snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1748                seq_printf(m, pt(Opt_fsmagic), tbuf);
1749                seq_puts(m, " ");
1750        }
1751
1752        if (entry->flags & IMA_FSNAME) {
1753                snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1754                seq_printf(m, pt(Opt_fsname), tbuf);
1755                seq_puts(m, " ");
1756        }
1757
1758        if (entry->flags & IMA_KEYRINGS) {
1759                seq_puts(m, "keyrings=");
1760                ima_show_rule_opt_list(m, entry->keyrings);
1761                seq_puts(m, " ");
1762        }
1763
1764        if (entry->flags & IMA_LABEL) {
1765                seq_puts(m, "label=");
1766                ima_show_rule_opt_list(m, entry->label);
1767                seq_puts(m, " ");
1768        }
1769
1770        if (entry->flags & IMA_PCR) {
1771                snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1772                seq_printf(m, pt(Opt_pcr), tbuf);
1773                seq_puts(m, " ");
1774        }
1775
1776        if (entry->flags & IMA_FSUUID) {
1777                seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1778                seq_puts(m, " ");
1779        }
1780
1781        if (entry->flags & IMA_UID) {
1782                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1783                if (entry->uid_op == &uid_gt)
1784                        seq_printf(m, pt(Opt_uid_gt), tbuf);
1785                else if (entry->uid_op == &uid_lt)
1786                        seq_printf(m, pt(Opt_uid_lt), tbuf);
1787                else
1788                        seq_printf(m, pt(Opt_uid_eq), tbuf);
1789                seq_puts(m, " ");
1790        }
1791
1792        if (entry->flags & IMA_EUID) {
1793                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1794                if (entry->uid_op == &uid_gt)
1795                        seq_printf(m, pt(Opt_euid_gt), tbuf);
1796                else if (entry->uid_op == &uid_lt)
1797                        seq_printf(m, pt(Opt_euid_lt), tbuf);
1798                else
1799                        seq_printf(m, pt(Opt_euid_eq), tbuf);
1800                seq_puts(m, " ");
1801        }
1802
1803        if (entry->flags & IMA_FOWNER) {
1804                snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1805                if (entry->fowner_op == &uid_gt)
1806                        seq_printf(m, pt(Opt_fowner_gt), tbuf);
1807                else if (entry->fowner_op == &uid_lt)
1808                        seq_printf(m, pt(Opt_fowner_lt), tbuf);
1809                else
1810                        seq_printf(m, pt(Opt_fowner_eq), tbuf);
1811                seq_puts(m, " ");
1812        }
1813
1814        for (i = 0; i < MAX_LSM_RULES; i++) {
1815                if (entry->lsm[i].rule) {
1816                        switch (i) {
1817                        case LSM_OBJ_USER:
1818                                seq_printf(m, pt(Opt_obj_user),
1819                                           entry->lsm[i].args_p);
1820                                break;
1821                        case LSM_OBJ_ROLE:
1822                                seq_printf(m, pt(Opt_obj_role),
1823                                           entry->lsm[i].args_p);
1824                                break;
1825                        case LSM_OBJ_TYPE:
1826                                seq_printf(m, pt(Opt_obj_type),
1827                                           entry->lsm[i].args_p);
1828                                break;
1829                        case LSM_SUBJ_USER:
1830                                seq_printf(m, pt(Opt_subj_user),
1831                                           entry->lsm[i].args_p);
1832                                break;
1833                        case LSM_SUBJ_ROLE:
1834                                seq_printf(m, pt(Opt_subj_role),
1835                                           entry->lsm[i].args_p);
1836                                break;
1837                        case LSM_SUBJ_TYPE:
1838                                seq_printf(m, pt(Opt_subj_type),
1839                                           entry->lsm[i].args_p);
1840                                break;
1841                        }
1842                        seq_puts(m, " ");
1843                }
1844        }
1845        if (entry->template)
1846                seq_printf(m, "template=%s ", entry->template->name);
1847        if (entry->flags & IMA_DIGSIG_REQUIRED) {
1848                if (entry->flags & IMA_MODSIG_ALLOWED)
1849                        seq_puts(m, "appraise_type=imasig|modsig ");
1850                else
1851                        seq_puts(m, "appraise_type=imasig ");
1852        }
1853        if (entry->flags & IMA_CHECK_BLACKLIST)
1854                seq_puts(m, "appraise_flag=check_blacklist ");
1855        if (entry->flags & IMA_PERMIT_DIRECTIO)
1856                seq_puts(m, "permit_directio ");
1857        rcu_read_unlock();
1858        seq_puts(m, "\n");
1859        return 0;
1860}
1861#endif  /* CONFIG_IMA_READ_POLICY */
1862
1863#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
1864/*
1865 * ima_appraise_signature: whether IMA will appraise a given function using
1866 * an IMA digital signature. This is restricted to cases where the kernel
1867 * has a set of built-in trusted keys in order to avoid an attacker simply
1868 * loading additional keys.
1869 */
1870bool ima_appraise_signature(enum kernel_read_file_id id)
1871{
1872        struct ima_rule_entry *entry;
1873        bool found = false;
1874        enum ima_hooks func;
1875
1876        if (id >= READING_MAX_ID)
1877                return false;
1878
1879        func = read_idmap[id] ?: FILE_CHECK;
1880
1881        rcu_read_lock();
1882        list_for_each_entry_rcu(entry, ima_rules, list) {
1883                if (entry->action != APPRAISE)
1884                        continue;
1885
1886                /*
1887                 * A generic entry will match, but otherwise require that it
1888                 * match the func we're looking for
1889                 */
1890                if (entry->func && entry->func != func)
1891                        continue;
1892
1893                /*
1894                 * We require this to be a digital signature, not a raw IMA
1895                 * hash.
1896                 */
1897                if (entry->flags & IMA_DIGSIG_REQUIRED)
1898                        found = true;
1899
1900                /*
1901                 * We've found a rule that matches, so break now even if it
1902                 * didn't require a digital signature - a later rule that does
1903                 * won't override it, so would be a false positive.
1904                 */
1905                break;
1906        }
1907
1908        rcu_read_unlock();
1909        return found;
1910}
1911#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
1912