1 // SPDX-License-Identifier: GPL-2.0-only
7 * - initialize default measure policy rules
323 return ERR_PTR(-ENOMEM); in ima_alloc_rule_opt_list()
330 return ERR_PTR(-EINVAL); in ima_alloc_rule_opt_list()
338 return ERR_PTR(-EINVAL); in ima_alloc_rule_opt_list()
344 return ERR_PTR(-ENOMEM); in ima_alloc_rule_opt_list()
346 opt_list->count = count; in ima_alloc_rule_opt_list()
350 * leaving a byte sequence of NUL-terminated strings. Reference each in ima_alloc_rule_opt_list()
359 opt_list->items[i] = cur; in ima_alloc_rule_opt_list()
371 if (opt_list->count) { in ima_free_rule_opt_list()
372 kfree(opt_list->items[0]); in ima_free_rule_opt_list()
373 opt_list->count = 0; in ima_free_rule_opt_list()
384 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_free_rule()
385 kfree(entry->lsm[i].args_p); in ima_lsm_free_rule()
395 * entry->template->fields may be allocated in ima_parse_rule() but that in ima_free_rule()
399 kfree(entry->fsname); in ima_free_rule()
400 ima_free_rule_opt_list(entry->keyrings); in ima_free_rule()
419 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); in ima_lsm_copy_rule()
422 if (!entry->lsm[i].args_p) in ima_lsm_copy_rule()
425 nentry->lsm[i].type = entry->lsm[i].type; in ima_lsm_copy_rule()
426 nentry->lsm[i].args_p = entry->lsm[i].args_p; in ima_lsm_copy_rule()
428 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, in ima_lsm_copy_rule()
429 nentry->lsm[i].args_p, in ima_lsm_copy_rule()
430 &nentry->lsm[i].rule, in ima_lsm_copy_rule()
432 if (!nentry->lsm[i].rule) in ima_lsm_copy_rule()
434 nentry->lsm[i].args_p); in ima_lsm_copy_rule()
446 return -ENOMEM; in ima_lsm_update_rule()
448 list_replace_rcu(&entry->list, &nentry->list); in ima_lsm_update_rule()
457 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_update_rule()
468 if (entry->lsm[i].args_p) in ima_rule_contains_lsm_cond()
507 * ima_match_rule_data - determine whether func_data matches the policy rule
522 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rule_data()
525 switch (rule->func) { in ima_match_rule_data()
527 if (!rule->keyrings) in ima_match_rule_data()
530 opt_list = rule->keyrings; in ima_match_rule_data()
533 if (!rule->label) in ima_match_rule_data()
536 opt_list = rule->label; in ima_match_rule_data()
545 for (i = 0; i < opt_list->count; i++) { in ima_match_rule_data()
546 if (!strcmp(opt_list->items[i], func_data)) { in ima_match_rule_data()
556 * ima_match_rules - determine whether an inode matches the policy rule.
579 if ((rule->flags & IMA_FUNC) && in ima_match_rules()
580 (rule->func != func && func != POST_SETATTR)) in ima_match_rules()
586 return ((rule->func == func) && in ima_match_rules()
592 if ((rule->flags & IMA_MASK) && in ima_match_rules()
593 (rule->mask != mask && func != POST_SETATTR)) in ima_match_rules()
595 if ((rule->flags & IMA_INMASK) && in ima_match_rules()
596 (!(rule->mask & mask) && func != POST_SETATTR)) in ima_match_rules()
598 if ((rule->flags & IMA_FSMAGIC) in ima_match_rules()
599 && rule->fsmagic != inode->i_sb->s_magic) in ima_match_rules()
601 if ((rule->flags & IMA_FSNAME) in ima_match_rules()
602 && strcmp(rule->fsname, inode->i_sb->s_type->name)) in ima_match_rules()
604 if ((rule->flags & IMA_FSUUID) && in ima_match_rules()
605 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) in ima_match_rules()
607 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rules()
609 if (rule->flags & IMA_EUID) { in ima_match_rules()
611 if (!rule->uid_op(cred->euid, rule->uid) in ima_match_rules()
612 && !rule->uid_op(cred->suid, rule->uid) in ima_match_rules()
613 && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rules()
615 } else if (!rule->uid_op(cred->euid, rule->uid)) in ima_match_rules()
618 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid)) in ima_match_rules()
620 if (rule->flags & IMA_EGID) { in ima_match_rules()
622 if (!rule->gid_op(cred->egid, rule->gid) in ima_match_rules()
623 && !rule->gid_op(cred->sgid, rule->gid) in ima_match_rules()
624 && !rule->gid_op(cred->gid, rule->gid)) in ima_match_rules()
626 } else if (!rule->gid_op(cred->egid, rule->gid)) in ima_match_rules()
629 if ((rule->flags & IMA_FOWNER) && in ima_match_rules()
630 !rule->fowner_op(i_uid_into_vfsuid(idmap, inode), in ima_match_rules()
631 rule->fowner)) in ima_match_rules()
633 if ((rule->flags & IMA_FGROUP) && in ima_match_rules()
634 !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode), in ima_match_rules()
635 rule->fgroup)) in ima_match_rules()
641 if (!lsm_rule->lsm[i].rule) { in ima_match_rules()
642 if (!lsm_rule->lsm[i].args_p) in ima_match_rules()
655 lsm_rule->lsm[i].type, in ima_match_rules()
657 lsm_rule->lsm[i].rule); in ima_match_rules()
662 rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type, in ima_match_rules()
664 lsm_rule->lsm[i].rule); in ima_match_rules()
670 if (rc == -ESTALE && !rule_reinitialized) { in ima_match_rules()
687 ima_filter_rule_free(lsm_rule->lsm[i].rule); in ima_match_rules()
699 if (!(rule->flags & IMA_FUNC)) in get_subaction()
713 case MODULE_CHECK ... MAX_CHECK - 1: in get_subaction()
720 * ima_match_policy - decision based on LSM and other conditions
758 if (!(entry->action & actmask)) in ima_match_policy()
765 action |= entry->flags & IMA_NONACTION_FLAGS; in ima_match_policy()
767 action |= entry->action & IMA_DO_MASK; in ima_match_policy()
768 if (entry->action & IMA_APPRAISE) { in ima_match_policy()
775 entry->flags & IMA_VALIDATE_ALGOS) in ima_match_policy()
776 *allowed_algos = entry->allowed_algos; in ima_match_policy()
779 if (entry->action & IMA_DO_MASK) in ima_match_policy()
780 actmask &= ~(entry->action | entry->action << 1); in ima_match_policy()
782 actmask &= ~(entry->action | entry->action >> 1); in ima_match_policy()
784 if ((pcr) && (entry->flags & IMA_PCR)) in ima_match_policy()
785 *pcr = entry->pcr; in ima_match_policy()
787 if (template_desc && entry->template) in ima_match_policy()
788 *template_desc = entry->template; in ima_match_policy()
799 * ima_update_policy_flags() - Update global IMA variables
829 * - the atomic was non-zero: a setxattr hash policy is in ima_update_policy_flags()
831 * - the atomic was zero: no setxattr policy was set, enable in ima_update_policy_flags()
834 if (entry->func == SETXATTR_CHECK) { in ima_update_policy_flags()
836 0, entry->allowed_algos); in ima_update_policy_flags()
841 if (entry->action & IMA_DO_MASK) in ima_update_policy_flags()
842 new_policy_flag |= entry->action; in ima_update_policy_flags()
883 list_add_tail(&entry->list, &ima_policy_rules); in add_rules()
940 * ima_init_policy - initialize the default measure rules.
1024 return -EINVAL; in ima_check_policy()
1029 * ima_update_policy - update default_rules with new measure rules
1063 /* Keep the enumeration in sync with the policy_tokens! */
1137 if (entry->lsm[lsm_rule].rule) in ima_lsm_rule_init()
1138 return -EINVAL; in ima_lsm_rule_init()
1140 entry->lsm[lsm_rule].args_p = match_strdup(args); in ima_lsm_rule_init()
1141 if (!entry->lsm[lsm_rule].args_p) in ima_lsm_rule_init()
1142 return -ENOMEM; in ima_lsm_rule_init()
1144 entry->lsm[lsm_rule].type = audit_type; in ima_lsm_rule_init()
1145 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, in ima_lsm_rule_init()
1146 entry->lsm[lsm_rule].args_p, in ima_lsm_rule_init()
1147 &entry->lsm[lsm_rule].rule, in ima_lsm_rule_init()
1149 if (!entry->lsm[lsm_rule].rule) { in ima_lsm_rule_init()
1151 entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
1154 kfree(entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
1155 entry->lsm[lsm_rule].args_p = NULL; in ima_lsm_rule_init()
1156 result = -EINVAL; in ima_lsm_rule_init()
1199 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
1201 * the 'd-modsig' field in the template.
1205 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" in check_template_modsig()
1215 for (i = 0; i < template->num_fields; i++) { in check_template_modsig()
1216 if (!strcmp(template->fields[i]->field_id, "modsig")) in check_template_modsig()
1218 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) in check_template_modsig()
1237 for (i = 0; i < template->num_fields; i++) in check_template_field()
1238 if (!strcmp(template->fields[i]->field_id, field)) in check_template_field()
1247 if (entry->action == UNKNOWN) in ima_validate_rule()
1250 if (entry->action != MEASURE && entry->flags & IMA_PCR) in ima_validate_rule()
1253 if (entry->action != APPRAISE && in ima_validate_rule()
1254 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | in ima_validate_rule()
1264 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || in ima_validate_rule()
1265 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) in ima_validate_rule()
1272 switch (entry->func) { in ima_validate_rule()
1282 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1295 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1306 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1309 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | in ima_validate_rule()
1317 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1320 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | in ima_validate_rule()
1329 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1332 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | in ima_validate_rule()
1342 if (entry->action != APPRAISE) in ima_validate_rule()
1346 if (!(entry->flags & IMA_VALIDATE_ALGOS)) in ima_validate_rule()
1353 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) in ima_validate_rule()
1362 if (entry->flags & IMA_CHECK_BLACKLIST && in ima_validate_rule()
1363 !(entry->flags & IMA_DIGSIG_REQUIRED)) in ima_validate_rule()
1373 if (entry->action == APPRAISE && in ima_validate_rule()
1374 (entry->flags & IMA_VERITY_REQUIRED) && in ima_validate_rule()
1375 !(entry->flags & IMA_DIGSIG_REQUIRED)) in ima_validate_rule()
1385 char *token; in ima_parse_appraise_algos() local
1387 while ((token = strsep(&arg, ",")) != NULL) { in ima_parse_appraise_algos()
1388 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); in ima_parse_appraise_algos()
1392 token); in ima_parse_appraise_algos()
1398 token); in ima_parse_appraise_algos()
1421 entry->uid = INVALID_UID; in ima_parse_rule()
1422 entry->gid = INVALID_GID; in ima_parse_rule()
1423 entry->fowner = INVALID_UID; in ima_parse_rule()
1424 entry->fgroup = INVALID_GID; in ima_parse_rule()
1425 entry->uid_op = &uid_eq; in ima_parse_rule()
1426 entry->gid_op = &gid_eq; in ima_parse_rule()
1427 entry->fowner_op = &vfsuid_eq_kuid; in ima_parse_rule()
1428 entry->fgroup_op = &vfsgid_eq_kgid; in ima_parse_rule()
1429 entry->action = UNKNOWN; in ima_parse_rule()
1432 int token; in ima_parse_rule() local
1439 token = match_token(p, policy_tokens, args); in ima_parse_rule()
1440 switch (token) { in ima_parse_rule()
1444 if (entry->action != UNKNOWN) in ima_parse_rule()
1445 result = -EINVAL; in ima_parse_rule()
1447 entry->action = MEASURE; in ima_parse_rule()
1452 if (entry->action != UNKNOWN) in ima_parse_rule()
1453 result = -EINVAL; in ima_parse_rule()
1455 entry->action = DONT_MEASURE; in ima_parse_rule()
1460 if (entry->action != UNKNOWN) in ima_parse_rule()
1461 result = -EINVAL; in ima_parse_rule()
1463 entry->action = APPRAISE; in ima_parse_rule()
1468 if (entry->action != UNKNOWN) in ima_parse_rule()
1469 result = -EINVAL; in ima_parse_rule()
1471 entry->action = DONT_APPRAISE; in ima_parse_rule()
1476 if (entry->action != UNKNOWN) in ima_parse_rule()
1477 result = -EINVAL; in ima_parse_rule()
1479 entry->action = AUDIT; in ima_parse_rule()
1484 if (entry->action != UNKNOWN) in ima_parse_rule()
1485 result = -EINVAL; in ima_parse_rule()
1487 entry->action = HASH; in ima_parse_rule()
1492 if (entry->action != UNKNOWN) in ima_parse_rule()
1493 result = -EINVAL; in ima_parse_rule()
1495 entry->action = DONT_HASH; in ima_parse_rule()
1500 if (entry->func) in ima_parse_rule()
1501 result = -EINVAL; in ima_parse_rule()
1504 entry->func = FILE_CHECK; in ima_parse_rule()
1507 entry->func = FILE_CHECK; in ima_parse_rule()
1509 entry->func = MODULE_CHECK; in ima_parse_rule()
1511 entry->func = FIRMWARE_CHECK; in ima_parse_rule()
1514 entry->func = MMAP_CHECK; in ima_parse_rule()
1516 entry->func = MMAP_CHECK_REQPROT; in ima_parse_rule()
1518 entry->func = BPRM_CHECK; in ima_parse_rule()
1520 entry->func = CREDS_CHECK; in ima_parse_rule()
1523 entry->func = KEXEC_KERNEL_CHECK; in ima_parse_rule()
1526 entry->func = KEXEC_INITRAMFS_CHECK; in ima_parse_rule()
1528 entry->func = POLICY_CHECK; in ima_parse_rule()
1530 entry->func = KEXEC_CMDLINE; in ima_parse_rule()
1533 entry->func = KEY_CHECK; in ima_parse_rule()
1535 entry->func = CRITICAL_DATA; in ima_parse_rule()
1537 entry->func = SETXATTR_CHECK; in ima_parse_rule()
1539 result = -EINVAL; in ima_parse_rule()
1541 entry->flags |= IMA_FUNC; in ima_parse_rule()
1546 if (entry->mask) in ima_parse_rule()
1547 result = -EINVAL; in ima_parse_rule()
1554 entry->mask = MAY_EXEC; in ima_parse_rule()
1556 entry->mask = MAY_WRITE; in ima_parse_rule()
1558 entry->mask = MAY_READ; in ima_parse_rule()
1560 entry->mask = MAY_APPEND; in ima_parse_rule()
1562 result = -EINVAL; in ima_parse_rule()
1564 entry->flags |= (*args[0].from == '^') in ima_parse_rule()
1570 if (entry->fsmagic) { in ima_parse_rule()
1571 result = -EINVAL; in ima_parse_rule()
1575 result = kstrtoul(args[0].from, 16, &entry->fsmagic); in ima_parse_rule()
1577 entry->flags |= IMA_FSMAGIC; in ima_parse_rule()
1582 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); in ima_parse_rule()
1583 if (!entry->fsname) { in ima_parse_rule()
1584 result = -ENOMEM; in ima_parse_rule()
1588 entry->flags |= IMA_FSNAME; in ima_parse_rule()
1594 entry->keyrings) { in ima_parse_rule()
1595 result = -EINVAL; in ima_parse_rule()
1599 entry->keyrings = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1600 if (IS_ERR(entry->keyrings)) { in ima_parse_rule()
1601 result = PTR_ERR(entry->keyrings); in ima_parse_rule()
1602 entry->keyrings = NULL; in ima_parse_rule()
1606 entry->flags |= IMA_KEYRINGS; in ima_parse_rule()
1611 if (entry->label) { in ima_parse_rule()
1612 result = -EINVAL; in ima_parse_rule()
1616 entry->label = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1617 if (IS_ERR(entry->label)) { in ima_parse_rule()
1618 result = PTR_ERR(entry->label); in ima_parse_rule()
1619 entry->label = NULL; in ima_parse_rule()
1623 entry->flags |= IMA_LABEL; in ima_parse_rule()
1628 if (!uuid_is_null(&entry->fsuuid)) { in ima_parse_rule()
1629 result = -EINVAL; in ima_parse_rule()
1633 result = uuid_parse(args[0].from, &entry->fsuuid); in ima_parse_rule()
1635 entry->flags |= IMA_FSUUID; in ima_parse_rule()
1639 entry->uid_op = &uid_gt; in ima_parse_rule()
1643 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) in ima_parse_rule()
1644 entry->uid_op = &uid_lt; in ima_parse_rule()
1648 eid_token = (token == Opt_euid_eq) || in ima_parse_rule()
1649 (token == Opt_euid_gt) || in ima_parse_rule()
1650 (token == Opt_euid_lt); in ima_parse_rule()
1653 args[0].from, token); in ima_parse_rule()
1655 if (uid_valid(entry->uid)) { in ima_parse_rule()
1656 result = -EINVAL; in ima_parse_rule()
1662 entry->uid = make_kuid(current_user_ns(), in ima_parse_rule()
1664 if (!uid_valid(entry->uid) || in ima_parse_rule()
1666 result = -EINVAL; in ima_parse_rule()
1668 entry->flags |= eid_token in ima_parse_rule()
1674 entry->gid_op = &gid_gt; in ima_parse_rule()
1678 if ((token == Opt_gid_lt) || (token == Opt_egid_lt)) in ima_parse_rule()
1679 entry->gid_op = &gid_lt; in ima_parse_rule()
1683 eid_token = (token == Opt_egid_eq) || in ima_parse_rule()
1684 (token == Opt_egid_gt) || in ima_parse_rule()
1685 (token == Opt_egid_lt); in ima_parse_rule()
1688 args[0].from, token); in ima_parse_rule()
1690 if (gid_valid(entry->gid)) { in ima_parse_rule()
1691 result = -EINVAL; in ima_parse_rule()
1697 entry->gid = make_kgid(current_user_ns(), in ima_parse_rule()
1699 if (!gid_valid(entry->gid) || in ima_parse_rule()
1701 result = -EINVAL; in ima_parse_rule()
1703 entry->flags |= eid_token in ima_parse_rule()
1708 entry->fowner_op = &vfsuid_gt_kuid; in ima_parse_rule()
1711 if (token == Opt_fowner_lt) in ima_parse_rule()
1712 entry->fowner_op = &vfsuid_lt_kuid; in ima_parse_rule()
1715 ima_log_string_op(ab, "fowner", args[0].from, token); in ima_parse_rule()
1717 if (uid_valid(entry->fowner)) { in ima_parse_rule()
1718 result = -EINVAL; in ima_parse_rule()
1724 entry->fowner = make_kuid(current_user_ns(), in ima_parse_rule()
1726 if (!uid_valid(entry->fowner) || in ima_parse_rule()
1728 result = -EINVAL; in ima_parse_rule()
1730 entry->flags |= IMA_FOWNER; in ima_parse_rule()
1734 entry->fgroup_op = &vfsgid_gt_kgid; in ima_parse_rule()
1737 if (token == Opt_fgroup_lt) in ima_parse_rule()
1738 entry->fgroup_op = &vfsgid_lt_kgid; in ima_parse_rule()
1741 ima_log_string_op(ab, "fgroup", args[0].from, token); in ima_parse_rule()
1743 if (gid_valid(entry->fgroup)) { in ima_parse_rule()
1744 result = -EINVAL; in ima_parse_rule()
1750 entry->fgroup = make_kgid(current_user_ns(), in ima_parse_rule()
1752 if (!gid_valid(entry->fgroup) || in ima_parse_rule()
1754 result = -EINVAL; in ima_parse_rule()
1756 entry->flags |= IMA_FGROUP; in ima_parse_rule()
1797 if (entry->flags & IMA_DIGSIG_REQUIRED) in ima_parse_rule()
1798 result = -EINVAL; in ima_parse_rule()
1800 entry->flags |= IMA_VERITY_REQUIRED; in ima_parse_rule()
1802 result = -EINVAL; in ima_parse_rule()
1808 if (entry->flags & IMA_VERITY_REQUIRED) in ima_parse_rule()
1809 result = -EINVAL; in ima_parse_rule()
1811 entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; in ima_parse_rule()
1814 if (entry->flags & IMA_VERITY_REQUIRED) in ima_parse_rule()
1815 entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; in ima_parse_rule()
1817 result = -EINVAL; in ima_parse_rule()
1820 if (entry->flags & IMA_VERITY_REQUIRED) in ima_parse_rule()
1821 result = -EINVAL; in ima_parse_rule()
1823 entry->flags |= IMA_DIGSIG_REQUIRED | in ima_parse_rule()
1826 result = -EINVAL; in ima_parse_rule()
1835 if (entry->allowed_algos) { in ima_parse_rule()
1836 result = -EINVAL; in ima_parse_rule()
1840 entry->allowed_algos = in ima_parse_rule()
1843 if (!entry->allowed_algos) { in ima_parse_rule()
1844 result = -EINVAL; in ima_parse_rule()
1848 entry->flags |= IMA_VALIDATE_ALGOS; in ima_parse_rule()
1852 entry->flags |= IMA_PERMIT_DIRECTIO; in ima_parse_rule()
1857 result = kstrtoint(args[0].from, 10, &entry->pcr); in ima_parse_rule()
1858 if (result || INVALID_PCR(entry->pcr)) in ima_parse_rule()
1859 result = -EINVAL; in ima_parse_rule()
1861 entry->flags |= IMA_PCR; in ima_parse_rule()
1866 if (entry->action != MEASURE) { in ima_parse_rule()
1867 result = -EINVAL; in ima_parse_rule()
1871 if (!template_desc || entry->template) { in ima_parse_rule()
1872 result = -EINVAL; in ima_parse_rule()
1881 template_desc_init_fields(template_desc->fmt, in ima_parse_rule()
1882 &(template_desc->fields), in ima_parse_rule()
1883 &(template_desc->num_fields)); in ima_parse_rule()
1884 entry->template = template_desc; in ima_parse_rule()
1888 result = -EINVAL; in ima_parse_rule()
1893 result = -EINVAL; in ima_parse_rule()
1894 else if (entry->action == APPRAISE) in ima_parse_rule()
1895 temp_ima_appraise |= ima_appraise_flag(entry->func); in ima_parse_rule()
1897 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { in ima_parse_rule()
1898 template_desc = entry->template ? entry->template : in ima_parse_rule()
1903 /* d-ngv2 template field recommended for unsigned fs-verity digests */ in ima_parse_rule()
1904 if (!result && entry->action == MEASURE && in ima_parse_rule()
1905 entry->flags & IMA_VERITY_REQUIRED) { in ima_parse_rule()
1906 template_desc = entry->template ? entry->template : in ima_parse_rule()
1908 check_template_field(template_desc, "d-ngv2", in ima_parse_rule()
1909 "verity rules should include d-ngv2"); in ima_parse_rule()
1918 * ima_parse_add_rule - add a rule to ima_policy_rules
1942 NULL, op, "-ENOMEM", -ENOMEM, audit_info); in ima_parse_add_rule()
1943 return -ENOMEM; in ima_parse_add_rule()
1946 INIT_LIST_HEAD(&entry->list); in ima_parse_add_rule()
1952 NULL, op, "invalid-policy", result, in ima_parse_add_rule()
1957 list_add_tail(&entry->list, &ima_temp_rules); in ima_parse_add_rule()
1963 * ima_delete_rules() - called to cleanup invalid in-flight policy.
1975 list_del(&entry->list); in ima_delete_rules()
2007 if (!l--) { in ima_policy_start()
2021 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); in ima_policy_next()
2025 return (&entry->list == &ima_default_rules || in ima_policy_next()
2026 &entry->list == &ima_policy_rules) ? NULL : entry; in ima_policy_next()
2033 #define pt(token) policy_tokens[token].pattern argument
2034 #define mt(token) mask_tokens[token] argument
2037 * policy_func_show - display the ima_hooks policy rule
2052 for (i = 0; i < opt_list->count; i++) in ima_show_rule_opt_list()
2053 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); in ima_show_rule_opt_list()
2084 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { in ima_policy_show()
2090 if (entry->action & MEASURE) in ima_policy_show()
2092 if (entry->action & DONT_MEASURE) in ima_policy_show()
2094 if (entry->action & APPRAISE) in ima_policy_show()
2096 if (entry->action & DONT_APPRAISE) in ima_policy_show()
2098 if (entry->action & AUDIT) in ima_policy_show()
2100 if (entry->action & HASH) in ima_policy_show()
2102 if (entry->action & DONT_HASH) in ima_policy_show()
2107 if (entry->flags & IMA_FUNC) in ima_policy_show()
2108 policy_func_show(m, entry->func); in ima_policy_show()
2110 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { in ima_policy_show()
2111 if (entry->flags & IMA_MASK) in ima_policy_show()
2113 if (entry->mask & MAY_EXEC) in ima_policy_show()
2115 if (entry->mask & MAY_WRITE) in ima_policy_show()
2117 if (entry->mask & MAY_READ) in ima_policy_show()
2119 if (entry->mask & MAY_APPEND) in ima_policy_show()
2124 if (entry->flags & IMA_FSMAGIC) { in ima_policy_show()
2125 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); in ima_policy_show()
2130 if (entry->flags & IMA_FSNAME) { in ima_policy_show()
2131 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); in ima_policy_show()
2136 if (entry->flags & IMA_KEYRINGS) { in ima_policy_show()
2138 ima_show_rule_opt_list(m, entry->keyrings); in ima_policy_show()
2142 if (entry->flags & IMA_LABEL) { in ima_policy_show()
2144 ima_show_rule_opt_list(m, entry->label); in ima_policy_show()
2148 if (entry->flags & IMA_PCR) { in ima_policy_show()
2149 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); in ima_policy_show()
2154 if (entry->flags & IMA_FSUUID) { in ima_policy_show()
2155 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); in ima_policy_show()
2159 if (entry->flags & IMA_UID) { in ima_policy_show()
2160 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
2161 if (entry->uid_op == &uid_gt) in ima_policy_show()
2163 else if (entry->uid_op == &uid_lt) in ima_policy_show()
2170 if (entry->flags & IMA_EUID) { in ima_policy_show()
2171 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
2172 if (entry->uid_op == &uid_gt) in ima_policy_show()
2174 else if (entry->uid_op == &uid_lt) in ima_policy_show()
2181 if (entry->flags & IMA_GID) { in ima_policy_show()
2182 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); in ima_policy_show()
2183 if (entry->gid_op == &gid_gt) in ima_policy_show()
2185 else if (entry->gid_op == &gid_lt) in ima_policy_show()
2192 if (entry->flags & IMA_EGID) { in ima_policy_show()
2193 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); in ima_policy_show()
2194 if (entry->gid_op == &gid_gt) in ima_policy_show()
2196 else if (entry->gid_op == &gid_lt) in ima_policy_show()
2203 if (entry->flags & IMA_FOWNER) { in ima_policy_show()
2204 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); in ima_policy_show()
2205 if (entry->fowner_op == &vfsuid_gt_kuid) in ima_policy_show()
2207 else if (entry->fowner_op == &vfsuid_lt_kuid) in ima_policy_show()
2214 if (entry->flags & IMA_FGROUP) { in ima_policy_show()
2215 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); in ima_policy_show()
2216 if (entry->fgroup_op == &vfsgid_gt_kgid) in ima_policy_show()
2218 else if (entry->fgroup_op == &vfsgid_lt_kgid) in ima_policy_show()
2225 if (entry->flags & IMA_VALIDATE_ALGOS) { in ima_policy_show()
2227 ima_policy_show_appraise_algos(m, entry->allowed_algos); in ima_policy_show()
2232 if (entry->lsm[i].rule) { in ima_policy_show()
2236 entry->lsm[i].args_p); in ima_policy_show()
2240 entry->lsm[i].args_p); in ima_policy_show()
2244 entry->lsm[i].args_p); in ima_policy_show()
2248 entry->lsm[i].args_p); in ima_policy_show()
2252 entry->lsm[i].args_p); in ima_policy_show()
2256 entry->lsm[i].args_p); in ima_policy_show()
2262 if (entry->template) in ima_policy_show()
2263 seq_printf(m, "template=%s ", entry->template->name); in ima_policy_show()
2264 if (entry->flags & IMA_DIGSIG_REQUIRED) { in ima_policy_show()
2265 if (entry->flags & IMA_VERITY_REQUIRED) in ima_policy_show()
2267 else if (entry->flags & IMA_MODSIG_ALLOWED) in ima_policy_show()
2272 if (entry->flags & IMA_VERITY_REQUIRED) in ima_policy_show()
2274 if (entry->flags & IMA_PERMIT_DIRECTIO) in ima_policy_show()
2286 * has a set of built-in trusted keys in order to avoid an attacker simply
2308 if (entry->action != APPRAISE) in ima_appraise_signature()
2315 if (entry->func && entry->func != func) in ima_appraise_signature()
2322 if (entry->flags & IMA_DIGSIG_REQUIRED) in ima_appraise_signature()
2327 * didn't require a digital signature - a later rule that does in ima_appraise_signature()