Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorri...
[muen/linux.git] / security / integrity / ima / ima_policy.c
1 /*
2  * Copyright (C) 2008 IBM Corporation
3  * Author: Mimi Zohar <zohar@us.ibm.com>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation, version 2 of the License.
8  *
9  * ima_policy.c
10  *      - initialize default measure policy rules
11  *
12  */
13 #include <linux/module.h>
14 #include <linux/list.h>
15 #include <linux/fs.h>
16 #include <linux/security.h>
17 #include <linux/magic.h>
18 #include <linux/parser.h>
19 #include <linux/slab.h>
20 #include <linux/rculist.h>
21 #include <linux/genhd.h>
22 #include <linux/seq_file.h>
23
24 #include "ima.h"
25
26 /* flags definitions */
27 #define IMA_FUNC        0x0001
28 #define IMA_MASK        0x0002
29 #define IMA_FSMAGIC     0x0004
30 #define IMA_UID         0x0008
31 #define IMA_FOWNER      0x0010
32 #define IMA_FSUUID      0x0020
33 #define IMA_INMASK      0x0040
34 #define IMA_EUID        0x0080
35 #define IMA_PCR         0x0100
36
37 #define UNKNOWN         0
38 #define MEASURE         0x0001  /* same as IMA_MEASURE */
39 #define DONT_MEASURE    0x0002
40 #define APPRAISE        0x0004  /* same as IMA_APPRAISE */
41 #define DONT_APPRAISE   0x0008
42 #define AUDIT           0x0040
43 #define HASH            0x0100
44 #define DONT_HASH       0x0200
45
46 #define INVALID_PCR(a) (((a) < 0) || \
47         (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
48
49 int ima_policy_flag;
50 static int temp_ima_appraise;
51
52 #define MAX_LSM_RULES 6
53 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
54         LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
55 };
56
57 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
58
59 struct ima_rule_entry {
60         struct list_head list;
61         int action;
62         unsigned int flags;
63         enum ima_hooks func;
64         int mask;
65         unsigned long fsmagic;
66         uuid_t fsuuid;
67         kuid_t uid;
68         kuid_t fowner;
69         bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
70         bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
71         int pcr;
72         struct {
73                 void *rule;     /* LSM file metadata specific */
74                 void *args_p;   /* audit value */
75                 int type;       /* audit type */
76         } lsm[MAX_LSM_RULES];
77 };
78
79 /*
80  * Without LSM specific knowledge, the default policy can only be
81  * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
82  */
83
84 /*
85  * The minimum rule set to allow for full TCB coverage.  Measures all files
86  * opened or mmap for exec and everything read by root.  Dangerous because
87  * normal users can easily run the machine out of memory simply building
88  * and running executables.
89  */
90 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
91         {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
92         {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
93         {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
94         {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
95         {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
96         {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
97         {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
98         {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
99         {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
100         {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
101          .flags = IMA_FSMAGIC},
102         {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
103          .flags = IMA_FSMAGIC},
104         {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
105 };
106
107 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
108         {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
109          .flags = IMA_FUNC | IMA_MASK},
110         {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
111          .flags = IMA_FUNC | IMA_MASK},
112         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
113          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
114          .flags = IMA_FUNC | IMA_MASK | IMA_UID},
115         {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
116         {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
117 };
118
119 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
120         {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
121          .flags = IMA_FUNC | IMA_MASK},
122         {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
123          .flags = IMA_FUNC | IMA_MASK},
124         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
125          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
126          .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
127         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
128          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
129          .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
130         {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
131         {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
132         {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
133 };
134
135 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
136         {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
137         {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
138         {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
139         {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
140         {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
141         {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
142         {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
143         {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
144         {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
145         {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
146         {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
147         {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
148         {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
149 #ifdef CONFIG_IMA_WRITE_POLICY
150         {.action = APPRAISE, .func = POLICY_CHECK,
151         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
152 #endif
153 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
154         {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
155          .flags = IMA_FOWNER},
156 #else
157         /* force signature */
158         {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
159          .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
160 #endif
161 };
162
163 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
164         {.action = APPRAISE, .func = MODULE_CHECK,
165          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
166         {.action = APPRAISE, .func = FIRMWARE_CHECK,
167          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
168         {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
169          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
170         {.action = APPRAISE, .func = POLICY_CHECK,
171          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
172 };
173
174 static LIST_HEAD(ima_default_rules);
175 static LIST_HEAD(ima_policy_rules);
176 static LIST_HEAD(ima_temp_rules);
177 static struct list_head *ima_rules;
178
179 static int ima_policy __initdata;
180
181 static int __init default_measure_policy_setup(char *str)
182 {
183         if (ima_policy)
184                 return 1;
185
186         ima_policy = ORIGINAL_TCB;
187         return 1;
188 }
189 __setup("ima_tcb", default_measure_policy_setup);
190
191 static bool ima_use_appraise_tcb __initdata;
192 static bool ima_use_secure_boot __initdata;
193 static bool ima_fail_unverifiable_sigs __ro_after_init;
194 static int __init policy_setup(char *str)
195 {
196         char *p;
197
198         while ((p = strsep(&str, " |\n")) != NULL) {
199                 if (*p == ' ')
200                         continue;
201                 if ((strcmp(p, "tcb") == 0) && !ima_policy)
202                         ima_policy = DEFAULT_TCB;
203                 else if (strcmp(p, "appraise_tcb") == 0)
204                         ima_use_appraise_tcb = true;
205                 else if (strcmp(p, "secure_boot") == 0)
206                         ima_use_secure_boot = true;
207                 else if (strcmp(p, "fail_securely") == 0)
208                         ima_fail_unverifiable_sigs = true;
209         }
210
211         return 1;
212 }
213 __setup("ima_policy=", policy_setup);
214
215 static int __init default_appraise_policy_setup(char *str)
216 {
217         ima_use_appraise_tcb = true;
218         return 1;
219 }
220 __setup("ima_appraise_tcb", default_appraise_policy_setup);
221
222 /*
223  * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
224  * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
225  * the reloaded LSM policy.  We assume the rules still exist; and BUG_ON() if
226  * they don't.
227  */
228 static void ima_lsm_update_rules(void)
229 {
230         struct ima_rule_entry *entry;
231         int result;
232         int i;
233
234         list_for_each_entry(entry, &ima_policy_rules, list) {
235                 for (i = 0; i < MAX_LSM_RULES; i++) {
236                         if (!entry->lsm[i].rule)
237                                 continue;
238                         result = security_filter_rule_init(entry->lsm[i].type,
239                                                            Audit_equal,
240                                                            entry->lsm[i].args_p,
241                                                            &entry->lsm[i].rule);
242                         BUG_ON(!entry->lsm[i].rule);
243                 }
244         }
245 }
246
247 /**
248  * ima_match_rules - determine whether an inode matches the measure rule.
249  * @rule: a pointer to a rule
250  * @inode: a pointer to an inode
251  * @cred: a pointer to a credentials structure for user validation
252  * @secid: the secid of the task to be validated
253  * @func: LIM hook identifier
254  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
255  *
256  * Returns true on rule match, false on failure.
257  */
258 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
259                             const struct cred *cred, u32 secid,
260                             enum ima_hooks func, int mask)
261 {
262         int i;
263
264         if ((rule->flags & IMA_FUNC) &&
265             (rule->func != func && func != POST_SETATTR))
266                 return false;
267         if ((rule->flags & IMA_MASK) &&
268             (rule->mask != mask && func != POST_SETATTR))
269                 return false;
270         if ((rule->flags & IMA_INMASK) &&
271             (!(rule->mask & mask) && func != POST_SETATTR))
272                 return false;
273         if ((rule->flags & IMA_FSMAGIC)
274             && rule->fsmagic != inode->i_sb->s_magic)
275                 return false;
276         if ((rule->flags & IMA_FSUUID) &&
277             !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
278                 return false;
279         if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
280                 return false;
281         if (rule->flags & IMA_EUID) {
282                 if (has_capability_noaudit(current, CAP_SETUID)) {
283                         if (!rule->uid_op(cred->euid, rule->uid)
284                             && !rule->uid_op(cred->suid, rule->uid)
285                             && !rule->uid_op(cred->uid, rule->uid))
286                                 return false;
287                 } else if (!rule->uid_op(cred->euid, rule->uid))
288                         return false;
289         }
290
291         if ((rule->flags & IMA_FOWNER) &&
292             !rule->fowner_op(inode->i_uid, rule->fowner))
293                 return false;
294         for (i = 0; i < MAX_LSM_RULES; i++) {
295                 int rc = 0;
296                 u32 osid;
297                 int retried = 0;
298
299                 if (!rule->lsm[i].rule)
300                         continue;
301 retry:
302                 switch (i) {
303                 case LSM_OBJ_USER:
304                 case LSM_OBJ_ROLE:
305                 case LSM_OBJ_TYPE:
306                         security_inode_getsecid(inode, &osid);
307                         rc = security_filter_rule_match(osid,
308                                                         rule->lsm[i].type,
309                                                         Audit_equal,
310                                                         rule->lsm[i].rule,
311                                                         NULL);
312                         break;
313                 case LSM_SUBJ_USER:
314                 case LSM_SUBJ_ROLE:
315                 case LSM_SUBJ_TYPE:
316                         rc = security_filter_rule_match(secid,
317                                                         rule->lsm[i].type,
318                                                         Audit_equal,
319                                                         rule->lsm[i].rule,
320                                                         NULL);
321                 default:
322                         break;
323                 }
324                 if ((rc < 0) && (!retried)) {
325                         retried = 1;
326                         ima_lsm_update_rules();
327                         goto retry;
328                 }
329                 if (!rc)
330                         return false;
331         }
332         return true;
333 }
334
335 /*
336  * In addition to knowing that we need to appraise the file in general,
337  * we need to differentiate between calling hooks, for hook specific rules.
338  */
339 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
340 {
341         if (!(rule->flags & IMA_FUNC))
342                 return IMA_FILE_APPRAISE;
343
344         switch (func) {
345         case MMAP_CHECK:
346                 return IMA_MMAP_APPRAISE;
347         case BPRM_CHECK:
348                 return IMA_BPRM_APPRAISE;
349         case CREDS_CHECK:
350                 return IMA_CREDS_APPRAISE;
351         case FILE_CHECK:
352         case POST_SETATTR:
353                 return IMA_FILE_APPRAISE;
354         case MODULE_CHECK ... MAX_CHECK - 1:
355         default:
356                 return IMA_READ_APPRAISE;
357         }
358 }
359
360 /**
361  * ima_match_policy - decision based on LSM and other conditions
362  * @inode: pointer to an inode for which the policy decision is being made
363  * @cred: pointer to a credentials structure for which the policy decision is
364  *        being made
365  * @secid: LSM secid of the task to be validated
366  * @func: IMA hook identifier
367  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
368  * @pcr: set the pcr to extend
369  *
370  * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
371  * conditions.
372  *
373  * Since the IMA policy may be updated multiple times we need to lock the
374  * list when walking it.  Reads are many orders of magnitude more numerous
375  * than writes so ima_match_policy() is classical RCU candidate.
376  */
377 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
378                      enum ima_hooks func, int mask, int flags, int *pcr)
379 {
380         struct ima_rule_entry *entry;
381         int action = 0, actmask = flags | (flags << 1);
382
383         rcu_read_lock();
384         list_for_each_entry_rcu(entry, ima_rules, list) {
385
386                 if (!(entry->action & actmask))
387                         continue;
388
389                 if (!ima_match_rules(entry, inode, cred, secid, func, mask))
390                         continue;
391
392                 action |= entry->flags & IMA_ACTION_FLAGS;
393
394                 action |= entry->action & IMA_DO_MASK;
395                 if (entry->action & IMA_APPRAISE) {
396                         action |= get_subaction(entry, func);
397                         action &= ~IMA_HASH;
398                         if (ima_fail_unverifiable_sigs)
399                                 action |= IMA_FAIL_UNVERIFIABLE_SIGS;
400                 }
401
402                 if (entry->action & IMA_DO_MASK)
403                         actmask &= ~(entry->action | entry->action << 1);
404                 else
405                         actmask &= ~(entry->action | entry->action >> 1);
406
407                 if ((pcr) && (entry->flags & IMA_PCR))
408                         *pcr = entry->pcr;
409
410                 if (!actmask)
411                         break;
412         }
413         rcu_read_unlock();
414
415         return action;
416 }
417
418 /*
419  * Initialize the ima_policy_flag variable based on the currently
420  * loaded policy.  Based on this flag, the decision to short circuit
421  * out of a function or not call the function in the first place
422  * can be made earlier.
423  */
424 void ima_update_policy_flag(void)
425 {
426         struct ima_rule_entry *entry;
427
428         list_for_each_entry(entry, ima_rules, list) {
429                 if (entry->action & IMA_DO_MASK)
430                         ima_policy_flag |= entry->action;
431         }
432
433         ima_appraise |= temp_ima_appraise;
434         if (!ima_appraise)
435                 ima_policy_flag &= ~IMA_APPRAISE;
436 }
437
438 /**
439  * ima_init_policy - initialize the default measure rules.
440  *
441  * ima_rules points to either the ima_default_rules or the
442  * the new ima_policy_rules.
443  */
444 void __init ima_init_policy(void)
445 {
446         int i, measure_entries, appraise_entries, secure_boot_entries;
447
448         /* if !ima_policy set entries = 0 so we load NO default rules */
449         measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
450         appraise_entries = ima_use_appraise_tcb ?
451                          ARRAY_SIZE(default_appraise_rules) : 0;
452         secure_boot_entries = ima_use_secure_boot ?
453                         ARRAY_SIZE(secure_boot_rules) : 0;
454
455         for (i = 0; i < measure_entries; i++)
456                 list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
457
458         switch (ima_policy) {
459         case ORIGINAL_TCB:
460                 for (i = 0; i < ARRAY_SIZE(original_measurement_rules); i++)
461                         list_add_tail(&original_measurement_rules[i].list,
462                                       &ima_default_rules);
463                 break;
464         case DEFAULT_TCB:
465                 for (i = 0; i < ARRAY_SIZE(default_measurement_rules); i++)
466                         list_add_tail(&default_measurement_rules[i].list,
467                                       &ima_default_rules);
468         default:
469                 break;
470         }
471
472         /*
473          * Insert the appraise rules requiring file signatures, prior to
474          * any other appraise rules.
475          */
476         for (i = 0; i < secure_boot_entries; i++)
477                 list_add_tail(&secure_boot_rules[i].list,
478                               &ima_default_rules);
479
480         for (i = 0; i < appraise_entries; i++) {
481                 list_add_tail(&default_appraise_rules[i].list,
482                               &ima_default_rules);
483                 if (default_appraise_rules[i].func == POLICY_CHECK)
484                         temp_ima_appraise |= IMA_APPRAISE_POLICY;
485         }
486
487         ima_rules = &ima_default_rules;
488         ima_update_policy_flag();
489 }
490
491 /* Make sure we have a valid policy, at least containing some rules. */
492 int ima_check_policy(void)
493 {
494         if (list_empty(&ima_temp_rules))
495                 return -EINVAL;
496         return 0;
497 }
498
499 /**
500  * ima_update_policy - update default_rules with new measure rules
501  *
502  * Called on file .release to update the default rules with a complete new
503  * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
504  * they make a queue.  The policy may be updated multiple times and this is the
505  * RCU updater.
506  *
507  * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
508  * we switch from the default policy to user defined.
509  */
510 void ima_update_policy(void)
511 {
512         struct list_head *first, *last, *policy;
513
514         /* append current policy with the new rules */
515         first = (&ima_temp_rules)->next;
516         last = (&ima_temp_rules)->prev;
517         policy = &ima_policy_rules;
518
519         synchronize_rcu();
520
521         last->next = policy;
522         rcu_assign_pointer(list_next_rcu(policy->prev), first);
523         first->prev = policy->prev;
524         policy->prev = last;
525
526         /* prepare for the next policy rules addition */
527         INIT_LIST_HEAD(&ima_temp_rules);
528
529         if (ima_rules != policy) {
530                 ima_policy_flag = 0;
531                 ima_rules = policy;
532         }
533         ima_update_policy_flag();
534 }
535
536 enum {
537         Opt_err = -1,
538         Opt_measure = 1, Opt_dont_measure,
539         Opt_appraise, Opt_dont_appraise,
540         Opt_audit, Opt_hash, Opt_dont_hash,
541         Opt_obj_user, Opt_obj_role, Opt_obj_type,
542         Opt_subj_user, Opt_subj_role, Opt_subj_type,
543         Opt_func, Opt_mask, Opt_fsmagic,
544         Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
545         Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
546         Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
547         Opt_appraise_type, Opt_permit_directio,
548         Opt_pcr
549 };
550
551 static match_table_t policy_tokens = {
552         {Opt_measure, "measure"},
553         {Opt_dont_measure, "dont_measure"},
554         {Opt_appraise, "appraise"},
555         {Opt_dont_appraise, "dont_appraise"},
556         {Opt_audit, "audit"},
557         {Opt_hash, "hash"},
558         {Opt_dont_hash, "dont_hash"},
559         {Opt_obj_user, "obj_user=%s"},
560         {Opt_obj_role, "obj_role=%s"},
561         {Opt_obj_type, "obj_type=%s"},
562         {Opt_subj_user, "subj_user=%s"},
563         {Opt_subj_role, "subj_role=%s"},
564         {Opt_subj_type, "subj_type=%s"},
565         {Opt_func, "func=%s"},
566         {Opt_mask, "mask=%s"},
567         {Opt_fsmagic, "fsmagic=%s"},
568         {Opt_fsuuid, "fsuuid=%s"},
569         {Opt_uid_eq, "uid=%s"},
570         {Opt_euid_eq, "euid=%s"},
571         {Opt_fowner_eq, "fowner=%s"},
572         {Opt_uid_gt, "uid>%s"},
573         {Opt_euid_gt, "euid>%s"},
574         {Opt_fowner_gt, "fowner>%s"},
575         {Opt_uid_lt, "uid<%s"},
576         {Opt_euid_lt, "euid<%s"},
577         {Opt_fowner_lt, "fowner<%s"},
578         {Opt_appraise_type, "appraise_type=%s"},
579         {Opt_permit_directio, "permit_directio"},
580         {Opt_pcr, "pcr=%s"},
581         {Opt_err, NULL}
582 };
583
584 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
585                              substring_t *args, int lsm_rule, int audit_type)
586 {
587         int result;
588
589         if (entry->lsm[lsm_rule].rule)
590                 return -EINVAL;
591
592         entry->lsm[lsm_rule].args_p = match_strdup(args);
593         if (!entry->lsm[lsm_rule].args_p)
594                 return -ENOMEM;
595
596         entry->lsm[lsm_rule].type = audit_type;
597         result = security_filter_rule_init(entry->lsm[lsm_rule].type,
598                                            Audit_equal,
599                                            entry->lsm[lsm_rule].args_p,
600                                            &entry->lsm[lsm_rule].rule);
601         if (!entry->lsm[lsm_rule].rule) {
602                 kfree(entry->lsm[lsm_rule].args_p);
603                 return -EINVAL;
604         }
605
606         return result;
607 }
608
609 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
610                               bool (*rule_operator)(kuid_t, kuid_t))
611 {
612         if (rule_operator == &uid_gt)
613                 audit_log_format(ab, "%s>", key);
614         else if (rule_operator == &uid_lt)
615                 audit_log_format(ab, "%s<", key);
616         else
617                 audit_log_format(ab, "%s=", key);
618         audit_log_untrustedstring(ab, value);
619         audit_log_format(ab, " ");
620 }
621 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
622 {
623         ima_log_string_op(ab, key, value, NULL);
624 }
625
626 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
627 {
628         struct audit_buffer *ab;
629         char *from;
630         char *p;
631         bool uid_token;
632         int result = 0;
633
634         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
635
636         entry->uid = INVALID_UID;
637         entry->fowner = INVALID_UID;
638         entry->uid_op = &uid_eq;
639         entry->fowner_op = &uid_eq;
640         entry->action = UNKNOWN;
641         while ((p = strsep(&rule, " \t")) != NULL) {
642                 substring_t args[MAX_OPT_ARGS];
643                 int token;
644                 unsigned long lnum;
645
646                 if (result < 0)
647                         break;
648                 if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
649                         continue;
650                 token = match_token(p, policy_tokens, args);
651                 switch (token) {
652                 case Opt_measure:
653                         ima_log_string(ab, "action", "measure");
654
655                         if (entry->action != UNKNOWN)
656                                 result = -EINVAL;
657
658                         entry->action = MEASURE;
659                         break;
660                 case Opt_dont_measure:
661                         ima_log_string(ab, "action", "dont_measure");
662
663                         if (entry->action != UNKNOWN)
664                                 result = -EINVAL;
665
666                         entry->action = DONT_MEASURE;
667                         break;
668                 case Opt_appraise:
669                         ima_log_string(ab, "action", "appraise");
670
671                         if (entry->action != UNKNOWN)
672                                 result = -EINVAL;
673
674                         entry->action = APPRAISE;
675                         break;
676                 case Opt_dont_appraise:
677                         ima_log_string(ab, "action", "dont_appraise");
678
679                         if (entry->action != UNKNOWN)
680                                 result = -EINVAL;
681
682                         entry->action = DONT_APPRAISE;
683                         break;
684                 case Opt_audit:
685                         ima_log_string(ab, "action", "audit");
686
687                         if (entry->action != UNKNOWN)
688                                 result = -EINVAL;
689
690                         entry->action = AUDIT;
691                         break;
692                 case Opt_hash:
693                         ima_log_string(ab, "action", "hash");
694
695                         if (entry->action != UNKNOWN)
696                                 result = -EINVAL;
697
698                         entry->action = HASH;
699                         break;
700                 case Opt_dont_hash:
701                         ima_log_string(ab, "action", "dont_hash");
702
703                         if (entry->action != UNKNOWN)
704                                 result = -EINVAL;
705
706                         entry->action = DONT_HASH;
707                         break;
708                 case Opt_func:
709                         ima_log_string(ab, "func", args[0].from);
710
711                         if (entry->func)
712                                 result = -EINVAL;
713
714                         if (strcmp(args[0].from, "FILE_CHECK") == 0)
715                                 entry->func = FILE_CHECK;
716                         /* PATH_CHECK is for backwards compat */
717                         else if (strcmp(args[0].from, "PATH_CHECK") == 0)
718                                 entry->func = FILE_CHECK;
719                         else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
720                                 entry->func = MODULE_CHECK;
721                         else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
722                                 entry->func = FIRMWARE_CHECK;
723                         else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
724                                 || (strcmp(args[0].from, "MMAP_CHECK") == 0))
725                                 entry->func = MMAP_CHECK;
726                         else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
727                                 entry->func = BPRM_CHECK;
728                         else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
729                                 entry->func = CREDS_CHECK;
730                         else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
731                                  0)
732                                 entry->func = KEXEC_KERNEL_CHECK;
733                         else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
734                                  == 0)
735                                 entry->func = KEXEC_INITRAMFS_CHECK;
736                         else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
737                                 entry->func = POLICY_CHECK;
738                         else
739                                 result = -EINVAL;
740                         if (!result)
741                                 entry->flags |= IMA_FUNC;
742                         break;
743                 case Opt_mask:
744                         ima_log_string(ab, "mask", args[0].from);
745
746                         if (entry->mask)
747                                 result = -EINVAL;
748
749                         from = args[0].from;
750                         if (*from == '^')
751                                 from++;
752
753                         if ((strcmp(from, "MAY_EXEC")) == 0)
754                                 entry->mask = MAY_EXEC;
755                         else if (strcmp(from, "MAY_WRITE") == 0)
756                                 entry->mask = MAY_WRITE;
757                         else if (strcmp(from, "MAY_READ") == 0)
758                                 entry->mask = MAY_READ;
759                         else if (strcmp(from, "MAY_APPEND") == 0)
760                                 entry->mask = MAY_APPEND;
761                         else
762                                 result = -EINVAL;
763                         if (!result)
764                                 entry->flags |= (*args[0].from == '^')
765                                      ? IMA_INMASK : IMA_MASK;
766                         break;
767                 case Opt_fsmagic:
768                         ima_log_string(ab, "fsmagic", args[0].from);
769
770                         if (entry->fsmagic) {
771                                 result = -EINVAL;
772                                 break;
773                         }
774
775                         result = kstrtoul(args[0].from, 16, &entry->fsmagic);
776                         if (!result)
777                                 entry->flags |= IMA_FSMAGIC;
778                         break;
779                 case Opt_fsuuid:
780                         ima_log_string(ab, "fsuuid", args[0].from);
781
782                         if (!uuid_is_null(&entry->fsuuid)) {
783                                 result = -EINVAL;
784                                 break;
785                         }
786
787                         result = uuid_parse(args[0].from, &entry->fsuuid);
788                         if (!result)
789                                 entry->flags |= IMA_FSUUID;
790                         break;
791                 case Opt_uid_gt:
792                 case Opt_euid_gt:
793                         entry->uid_op = &uid_gt;
794                 case Opt_uid_lt:
795                 case Opt_euid_lt:
796                         if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
797                                 entry->uid_op = &uid_lt;
798                 case Opt_uid_eq:
799                 case Opt_euid_eq:
800                         uid_token = (token == Opt_uid_eq) ||
801                                     (token == Opt_uid_gt) ||
802                                     (token == Opt_uid_lt);
803
804                         ima_log_string_op(ab, uid_token ? "uid" : "euid",
805                                           args[0].from, entry->uid_op);
806
807                         if (uid_valid(entry->uid)) {
808                                 result = -EINVAL;
809                                 break;
810                         }
811
812                         result = kstrtoul(args[0].from, 10, &lnum);
813                         if (!result) {
814                                 entry->uid = make_kuid(current_user_ns(),
815                                                        (uid_t) lnum);
816                                 if (!uid_valid(entry->uid) ||
817                                     (uid_t)lnum != lnum)
818                                         result = -EINVAL;
819                                 else
820                                         entry->flags |= uid_token
821                                             ? IMA_UID : IMA_EUID;
822                         }
823                         break;
824                 case Opt_fowner_gt:
825                         entry->fowner_op = &uid_gt;
826                 case Opt_fowner_lt:
827                         if (token == Opt_fowner_lt)
828                                 entry->fowner_op = &uid_lt;
829                 case Opt_fowner_eq:
830                         ima_log_string_op(ab, "fowner", args[0].from,
831                                           entry->fowner_op);
832
833                         if (uid_valid(entry->fowner)) {
834                                 result = -EINVAL;
835                                 break;
836                         }
837
838                         result = kstrtoul(args[0].from, 10, &lnum);
839                         if (!result) {
840                                 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
841                                 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
842                                         result = -EINVAL;
843                                 else
844                                         entry->flags |= IMA_FOWNER;
845                         }
846                         break;
847                 case Opt_obj_user:
848                         ima_log_string(ab, "obj_user", args[0].from);
849                         result = ima_lsm_rule_init(entry, args,
850                                                    LSM_OBJ_USER,
851                                                    AUDIT_OBJ_USER);
852                         break;
853                 case Opt_obj_role:
854                         ima_log_string(ab, "obj_role", args[0].from);
855                         result = ima_lsm_rule_init(entry, args,
856                                                    LSM_OBJ_ROLE,
857                                                    AUDIT_OBJ_ROLE);
858                         break;
859                 case Opt_obj_type:
860                         ima_log_string(ab, "obj_type", args[0].from);
861                         result = ima_lsm_rule_init(entry, args,
862                                                    LSM_OBJ_TYPE,
863                                                    AUDIT_OBJ_TYPE);
864                         break;
865                 case Opt_subj_user:
866                         ima_log_string(ab, "subj_user", args[0].from);
867                         result = ima_lsm_rule_init(entry, args,
868                                                    LSM_SUBJ_USER,
869                                                    AUDIT_SUBJ_USER);
870                         break;
871                 case Opt_subj_role:
872                         ima_log_string(ab, "subj_role", args[0].from);
873                         result = ima_lsm_rule_init(entry, args,
874                                                    LSM_SUBJ_ROLE,
875                                                    AUDIT_SUBJ_ROLE);
876                         break;
877                 case Opt_subj_type:
878                         ima_log_string(ab, "subj_type", args[0].from);
879                         result = ima_lsm_rule_init(entry, args,
880                                                    LSM_SUBJ_TYPE,
881                                                    AUDIT_SUBJ_TYPE);
882                         break;
883                 case Opt_appraise_type:
884                         if (entry->action != APPRAISE) {
885                                 result = -EINVAL;
886                                 break;
887                         }
888
889                         ima_log_string(ab, "appraise_type", args[0].from);
890                         if ((strcmp(args[0].from, "imasig")) == 0)
891                                 entry->flags |= IMA_DIGSIG_REQUIRED;
892                         else
893                                 result = -EINVAL;
894                         break;
895                 case Opt_permit_directio:
896                         entry->flags |= IMA_PERMIT_DIRECTIO;
897                         break;
898                 case Opt_pcr:
899                         if (entry->action != MEASURE) {
900                                 result = -EINVAL;
901                                 break;
902                         }
903                         ima_log_string(ab, "pcr", args[0].from);
904
905                         result = kstrtoint(args[0].from, 10, &entry->pcr);
906                         if (result || INVALID_PCR(entry->pcr))
907                                 result = -EINVAL;
908                         else
909                                 entry->flags |= IMA_PCR;
910
911                         break;
912                 case Opt_err:
913                         ima_log_string(ab, "UNKNOWN", p);
914                         result = -EINVAL;
915                         break;
916                 }
917         }
918         if (!result && (entry->action == UNKNOWN))
919                 result = -EINVAL;
920         else if (entry->func == MODULE_CHECK)
921                 temp_ima_appraise |= IMA_APPRAISE_MODULES;
922         else if (entry->func == FIRMWARE_CHECK)
923                 temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
924         else if (entry->func == POLICY_CHECK)
925                 temp_ima_appraise |= IMA_APPRAISE_POLICY;
926         audit_log_format(ab, "res=%d", !result);
927         audit_log_end(ab);
928         return result;
929 }
930
931 /**
932  * ima_parse_add_rule - add a rule to ima_policy_rules
933  * @rule - ima measurement policy rule
934  *
935  * Avoid locking by allowing just one writer at a time in ima_write_policy()
936  * Returns the length of the rule parsed, an error code on failure
937  */
938 ssize_t ima_parse_add_rule(char *rule)
939 {
940         static const char op[] = "update_policy";
941         char *p;
942         struct ima_rule_entry *entry;
943         ssize_t result, len;
944         int audit_info = 0;
945
946         p = strsep(&rule, "\n");
947         len = strlen(p) + 1;
948         p += strspn(p, " \t");
949
950         if (*p == '#' || *p == '\0')
951                 return len;
952
953         entry = kzalloc(sizeof(*entry), GFP_KERNEL);
954         if (!entry) {
955                 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
956                                     NULL, op, "-ENOMEM", -ENOMEM, audit_info);
957                 return -ENOMEM;
958         }
959
960         INIT_LIST_HEAD(&entry->list);
961
962         result = ima_parse_rule(p, entry);
963         if (result) {
964                 kfree(entry);
965                 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
966                                     NULL, op, "invalid-policy", result,
967                                     audit_info);
968                 return result;
969         }
970
971         list_add_tail(&entry->list, &ima_temp_rules);
972
973         return len;
974 }
975
976 /**
977  * ima_delete_rules() called to cleanup invalid in-flight policy.
978  * We don't need locking as we operate on the temp list, which is
979  * different from the active one.  There is also only one user of
980  * ima_delete_rules() at a time.
981  */
982 void ima_delete_rules(void)
983 {
984         struct ima_rule_entry *entry, *tmp;
985         int i;
986
987         temp_ima_appraise = 0;
988         list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
989                 for (i = 0; i < MAX_LSM_RULES; i++)
990                         kfree(entry->lsm[i].args_p);
991
992                 list_del(&entry->list);
993                 kfree(entry);
994         }
995 }
996
997 #ifdef  CONFIG_IMA_READ_POLICY
998 enum {
999         mask_exec = 0, mask_write, mask_read, mask_append
1000 };
1001
1002 static const char *const mask_tokens[] = {
1003         "MAY_EXEC",
1004         "MAY_WRITE",
1005         "MAY_READ",
1006         "MAY_APPEND"
1007 };
1008
1009 #define __ima_hook_stringify(str)       (#str),
1010
1011 static const char *const func_tokens[] = {
1012         __ima_hooks(__ima_hook_stringify)
1013 };
1014
1015 void *ima_policy_start(struct seq_file *m, loff_t *pos)
1016 {
1017         loff_t l = *pos;
1018         struct ima_rule_entry *entry;
1019
1020         rcu_read_lock();
1021         list_for_each_entry_rcu(entry, ima_rules, list) {
1022                 if (!l--) {
1023                         rcu_read_unlock();
1024                         return entry;
1025                 }
1026         }
1027         rcu_read_unlock();
1028         return NULL;
1029 }
1030
1031 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1032 {
1033         struct ima_rule_entry *entry = v;
1034
1035         rcu_read_lock();
1036         entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1037         rcu_read_unlock();
1038         (*pos)++;
1039
1040         return (&entry->list == ima_rules) ? NULL : entry;
1041 }
1042
1043 void ima_policy_stop(struct seq_file *m, void *v)
1044 {
1045 }
1046
1047 #define pt(token)       policy_tokens[token + Opt_err].pattern
1048 #define mt(token)       mask_tokens[token]
1049
1050 /*
1051  * policy_func_show - display the ima_hooks policy rule
1052  */
1053 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1054 {
1055         if (func > 0 && func < MAX_CHECK)
1056                 seq_printf(m, "func=%s ", func_tokens[func]);
1057         else
1058                 seq_printf(m, "func=%d ", func);
1059 }
1060
1061 int ima_policy_show(struct seq_file *m, void *v)
1062 {
1063         struct ima_rule_entry *entry = v;
1064         int i;
1065         char tbuf[64] = {0,};
1066
1067         rcu_read_lock();
1068
1069         if (entry->action & MEASURE)
1070                 seq_puts(m, pt(Opt_measure));
1071         if (entry->action & DONT_MEASURE)
1072                 seq_puts(m, pt(Opt_dont_measure));
1073         if (entry->action & APPRAISE)
1074                 seq_puts(m, pt(Opt_appraise));
1075         if (entry->action & DONT_APPRAISE)
1076                 seq_puts(m, pt(Opt_dont_appraise));
1077         if (entry->action & AUDIT)
1078                 seq_puts(m, pt(Opt_audit));
1079         if (entry->action & HASH)
1080                 seq_puts(m, pt(Opt_hash));
1081         if (entry->action & DONT_HASH)
1082                 seq_puts(m, pt(Opt_dont_hash));
1083
1084         seq_puts(m, " ");
1085
1086         if (entry->flags & IMA_FUNC)
1087                 policy_func_show(m, entry->func);
1088
1089         if (entry->flags & IMA_MASK) {
1090                 if (entry->mask & MAY_EXEC)
1091                         seq_printf(m, pt(Opt_mask), mt(mask_exec));
1092                 if (entry->mask & MAY_WRITE)
1093                         seq_printf(m, pt(Opt_mask), mt(mask_write));
1094                 if (entry->mask & MAY_READ)
1095                         seq_printf(m, pt(Opt_mask), mt(mask_read));
1096                 if (entry->mask & MAY_APPEND)
1097                         seq_printf(m, pt(Opt_mask), mt(mask_append));
1098                 seq_puts(m, " ");
1099         }
1100
1101         if (entry->flags & IMA_FSMAGIC) {
1102                 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1103                 seq_printf(m, pt(Opt_fsmagic), tbuf);
1104                 seq_puts(m, " ");
1105         }
1106
1107         if (entry->flags & IMA_PCR) {
1108                 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1109                 seq_printf(m, pt(Opt_pcr), tbuf);
1110                 seq_puts(m, " ");
1111         }
1112
1113         if (entry->flags & IMA_FSUUID) {
1114                 seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1115                 seq_puts(m, " ");
1116         }
1117
1118         if (entry->flags & IMA_UID) {
1119                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1120                 if (entry->uid_op == &uid_gt)
1121                         seq_printf(m, pt(Opt_uid_gt), tbuf);
1122                 else if (entry->uid_op == &uid_lt)
1123                         seq_printf(m, pt(Opt_uid_lt), tbuf);
1124                 else
1125                         seq_printf(m, pt(Opt_uid_eq), tbuf);
1126                 seq_puts(m, " ");
1127         }
1128
1129         if (entry->flags & IMA_EUID) {
1130                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1131                 if (entry->uid_op == &uid_gt)
1132                         seq_printf(m, pt(Opt_euid_gt), tbuf);
1133                 else if (entry->uid_op == &uid_lt)
1134                         seq_printf(m, pt(Opt_euid_lt), tbuf);
1135                 else
1136                         seq_printf(m, pt(Opt_euid_eq), tbuf);
1137                 seq_puts(m, " ");
1138         }
1139
1140         if (entry->flags & IMA_FOWNER) {
1141                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1142                 if (entry->fowner_op == &uid_gt)
1143                         seq_printf(m, pt(Opt_fowner_gt), tbuf);
1144                 else if (entry->fowner_op == &uid_lt)
1145                         seq_printf(m, pt(Opt_fowner_lt), tbuf);
1146                 else
1147                         seq_printf(m, pt(Opt_fowner_eq), tbuf);
1148                 seq_puts(m, " ");
1149         }
1150
1151         for (i = 0; i < MAX_LSM_RULES; i++) {
1152                 if (entry->lsm[i].rule) {
1153                         switch (i) {
1154                         case LSM_OBJ_USER:
1155                                 seq_printf(m, pt(Opt_obj_user),
1156                                            (char *)entry->lsm[i].args_p);
1157                                 break;
1158                         case LSM_OBJ_ROLE:
1159                                 seq_printf(m, pt(Opt_obj_role),
1160                                            (char *)entry->lsm[i].args_p);
1161                                 break;
1162                         case LSM_OBJ_TYPE:
1163                                 seq_printf(m, pt(Opt_obj_type),
1164                                            (char *)entry->lsm[i].args_p);
1165                                 break;
1166                         case LSM_SUBJ_USER:
1167                                 seq_printf(m, pt(Opt_subj_user),
1168                                            (char *)entry->lsm[i].args_p);
1169                                 break;
1170                         case LSM_SUBJ_ROLE:
1171                                 seq_printf(m, pt(Opt_subj_role),
1172                                            (char *)entry->lsm[i].args_p);
1173                                 break;
1174                         case LSM_SUBJ_TYPE:
1175                                 seq_printf(m, pt(Opt_subj_type),
1176                                            (char *)entry->lsm[i].args_p);
1177                                 break;
1178                         }
1179                 }
1180         }
1181         if (entry->flags & IMA_DIGSIG_REQUIRED)
1182                 seq_puts(m, "appraise_type=imasig ");
1183         if (entry->flags & IMA_PERMIT_DIRECTIO)
1184                 seq_puts(m, "permit_directio ");
1185         rcu_read_unlock();
1186         seq_puts(m, "\n");
1187         return 0;
1188 }
1189 #endif  /* CONFIG_IMA_READ_POLICY */