252 	struct ima_rule_entry *entry;  in ima_lsm_update_rules()  local
256 	list_for_each_entry(entry, &ima_policy_rules, list) {  in ima_lsm_update_rules()
258 			if (!entry->lsm[i].rule)  in ima_lsm_update_rules()
260 			result = security_filter_rule_init(entry->lsm[i].type,  in ima_lsm_update_rules()
262 							   entry->lsm[i].args_p,  in ima_lsm_update_rules()
263 							   &entry->lsm[i].rule);  in ima_lsm_update_rules()
264 			BUG_ON(!entry->lsm[i].rule);  in ima_lsm_update_rules()
405 	struct ima_rule_entry *entry;  in ima_match_policy()  local
409 	list_for_each_entry_rcu(entry, ima_rules, list) {  in ima_match_policy()
411 		if (!(entry->action & actmask))  in ima_match_policy()
414 		if (!ima_match_rules(entry, inode, cred, secid, func, mask))  in ima_match_policy()
417 		action |= entry->flags & IMA_ACTION_FLAGS;  in ima_match_policy()
419 		action |= entry->action & IMA_DO_MASK;  in ima_match_policy()
420 		if (entry->action & IMA_APPRAISE) {  in ima_match_policy()
421 			action |= get_subaction(entry, func);  in ima_match_policy()
427 		if (entry->action & IMA_DO_MASK)  in ima_match_policy()
428 			actmask &= ~(entry->action | entry->action << 1);  in ima_match_policy()
430 			actmask &= ~(entry->action | entry->action >> 1);  in ima_match_policy()
432 		if ((pcr) && (entry->flags & IMA_PCR))  in ima_match_policy()
433 			*pcr = entry->pcr;  in ima_match_policy()
451 	struct ima_rule_entry *entry;  in ima_update_policy_flag()  local
453 	list_for_each_entry(entry, ima_rules, list) {  in ima_update_policy_flag()
454 		if (entry->action & IMA_DO_MASK)  in ima_update_policy_flag()
455 			ima_policy_flag |= entry->action;  in ima_update_policy_flag()
526 		struct ima_rule_entry *entry;  in ima_init_policy()  local
532 		entry = kmemdup(&build_appraise_rules[i], sizeof(*entry),  in ima_init_policy()
534 		if (entry)  in ima_init_policy()
535 			list_add_tail(&entry->list, &ima_policy_rules);  in ima_init_policy()
632 static int ima_lsm_rule_init(struct ima_rule_entry *entry,  in ima_lsm_rule_init()  argument
637 	if (entry->lsm[lsm_rule].rule)  in ima_lsm_rule_init()
640 	entry->lsm[lsm_rule].args_p = match_strdup(args);  in ima_lsm_rule_init()
641 	if (!entry->lsm[lsm_rule].args_p)  in ima_lsm_rule_init()
644 	entry->lsm[lsm_rule].type = audit_type;  in ima_lsm_rule_init()
645 	result = security_filter_rule_init(entry->lsm[lsm_rule].type,  in ima_lsm_rule_init()
647 					   entry->lsm[lsm_rule].args_p,  in ima_lsm_rule_init()
648 					   &entry->lsm[lsm_rule].rule);  in ima_lsm_rule_init()
649 	if (!entry->lsm[lsm_rule].rule) {  in ima_lsm_rule_init()
650 		kfree(entry->lsm[lsm_rule].args_p);  in ima_lsm_rule_init()
676 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)  in ima_parse_rule()  argument
687 	entry->uid = INVALID_UID;  in ima_parse_rule()
688 	entry->fowner = INVALID_UID;  in ima_parse_rule()
689 	entry->uid_op = &uid_eq;  in ima_parse_rule()
690 	entry->fowner_op = &uid_eq;  in ima_parse_rule()
691 	entry->action = UNKNOWN;  in ima_parse_rule()
706 			if (entry->action != UNKNOWN)  in ima_parse_rule()
709 			entry->action = MEASURE;  in ima_parse_rule()
714 			if (entry->action != UNKNOWN)  in ima_parse_rule()
717 			entry->action = DONT_MEASURE;  in ima_parse_rule()
722 			if (entry->action != UNKNOWN)  in ima_parse_rule()
725 			entry->action = APPRAISE;  in ima_parse_rule()
730 			if (entry->action != UNKNOWN)  in ima_parse_rule()
733 			entry->action = DONT_APPRAISE;  in ima_parse_rule()
738 			if (entry->action != UNKNOWN)  in ima_parse_rule()
741 			entry->action = AUDIT;  in ima_parse_rule()
746 			if (entry->action != UNKNOWN)  in ima_parse_rule()
749 			entry->action = HASH;  in ima_parse_rule()
754 			if (entry->action != UNKNOWN)  in ima_parse_rule()
757 			entry->action = DONT_HASH;  in ima_parse_rule()
762 			if (entry->func)  in ima_parse_rule()
766 				entry->func = FILE_CHECK;  in ima_parse_rule()
769 				entry->func = FILE_CHECK;  in ima_parse_rule()
771 				entry->func = MODULE_CHECK;  in ima_parse_rule()
773 				entry->func = FIRMWARE_CHECK;  in ima_parse_rule()
776 				entry->func = MMAP_CHECK;  in ima_parse_rule()
778 				entry->func = BPRM_CHECK;  in ima_parse_rule()
780 				entry->func = CREDS_CHECK;  in ima_parse_rule()
783 				entry->func = KEXEC_KERNEL_CHECK;  in ima_parse_rule()
786 				entry->func = KEXEC_INITRAMFS_CHECK;  in ima_parse_rule()
788 				entry->func = POLICY_CHECK;  in ima_parse_rule()
792 				entry->flags |= IMA_FUNC;  in ima_parse_rule()
797 			if (entry->mask)  in ima_parse_rule()
805 				entry->mask = MAY_EXEC;  in ima_parse_rule()
807 				entry->mask = MAY_WRITE;  in ima_parse_rule()
809 				entry->mask = MAY_READ;  in ima_parse_rule()
811 				entry->mask = MAY_APPEND;  in ima_parse_rule()
815 				entry->flags |= (*args[0].from == '^')  in ima_parse_rule()
821 			if (entry->fsmagic) {  in ima_parse_rule()
826 			result = kstrtoul(args[0].from, 16, &entry->fsmagic);  in ima_parse_rule()
828 				entry->flags |= IMA_FSMAGIC;  in ima_parse_rule()
833 			entry->fsname = kstrdup(args[0].from, GFP_KERNEL);  in ima_parse_rule()
834 			if (!entry->fsname) {  in ima_parse_rule()
839 			entry->flags |= IMA_FSNAME;  in ima_parse_rule()
844 			if (!uuid_is_null(&entry->fsuuid)) {  in ima_parse_rule()
849 			result = uuid_parse(args[0].from, &entry->fsuuid);  in ima_parse_rule()
851 				entry->flags |= IMA_FSUUID;  in ima_parse_rule()
855 			entry->uid_op = &uid_gt;  in ima_parse_rule()
859 				entry->uid_op = &uid_lt;  in ima_parse_rule()
867 					  args[0].from, entry->uid_op);  in ima_parse_rule()
869 			if (uid_valid(entry->uid)) {  in ima_parse_rule()
876 				entry->uid = make_kuid(current_user_ns(),  in ima_parse_rule()
878 				if (!uid_valid(entry->uid) ||  in ima_parse_rule()
882 					entry->flags |= uid_token  in ima_parse_rule()
887 			entry->fowner_op = &uid_gt;  in ima_parse_rule()
890 				entry->fowner_op = &uid_lt;  in ima_parse_rule()
893 					  entry->fowner_op);  in ima_parse_rule()
895 			if (uid_valid(entry->fowner)) {  in ima_parse_rule()
902 				entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);  in ima_parse_rule()
903 				if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))  in ima_parse_rule()
906 					entry->flags |= IMA_FOWNER;  in ima_parse_rule()
911 			result = ima_lsm_rule_init(entry, args,  in ima_parse_rule()
917 			result = ima_lsm_rule_init(entry, args,  in ima_parse_rule()
923 			result = ima_lsm_rule_init(entry, args,  in ima_parse_rule()
929 			result = ima_lsm_rule_init(entry, args,  in ima_parse_rule()
935 			result = ima_lsm_rule_init(entry, args,  in ima_parse_rule()
941 			result = ima_lsm_rule_init(entry, args,  in ima_parse_rule()
946 			if (entry->action != APPRAISE) {  in ima_parse_rule()
953 				entry->flags |= IMA_DIGSIG_REQUIRED;  in ima_parse_rule()
958 			entry->flags |= IMA_PERMIT_DIRECTIO;  in ima_parse_rule()
961 			if (entry->action != MEASURE) {  in ima_parse_rule()
967 			result = kstrtoint(args[0].from, 10, &entry->pcr);  in ima_parse_rule()
968 			if (result || INVALID_PCR(entry->pcr))  in ima_parse_rule()
971 				entry->flags |= IMA_PCR;  in ima_parse_rule()
980 	if (!result && (entry->action == UNKNOWN))  in ima_parse_rule()
982 	else if (entry->action == APPRAISE)  in ima_parse_rule()
983 		temp_ima_appraise |= ima_appraise_flag(entry->func);  in ima_parse_rule()
1001 	struct ima_rule_entry *entry;  in ima_parse_add_rule()  local
1012 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);  in ima_parse_add_rule()
1013 	if (!entry) {  in ima_parse_add_rule()
1019 	INIT_LIST_HEAD(&entry->list);  in ima_parse_add_rule()
1021 	result = ima_parse_rule(p, entry);  in ima_parse_add_rule()
1023 		kfree(entry);  in ima_parse_add_rule()
1030 	list_add_tail(&entry->list, &ima_temp_rules);  in ima_parse_add_rule()
1043 	struct ima_rule_entry *entry, *tmp;  in ima_delete_rules()  local
1047 	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {  in ima_delete_rules()
1049 			kfree(entry->lsm[i].args_p);  in ima_delete_rules()
1051 		list_del(&entry->list);  in ima_delete_rules()
1052 		kfree(entry);  in ima_delete_rules()
1077 	struct ima_rule_entry *entry;  in ima_policy_start()  local
1080 	list_for_each_entry_rcu(entry, ima_rules, list) {  in ima_policy_start()
1083 			return entry;  in ima_policy_start()
1092 	struct ima_rule_entry *entry = v;  in ima_policy_next()  local
1095 	entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);  in ima_policy_next()
1099 	return (&entry->list == ima_rules) ? NULL : entry;  in ima_policy_next()
1122 	struct ima_rule_entry *entry = v;  in ima_policy_show()  local
1128 	if (entry->action & MEASURE)  in ima_policy_show()
1130 	if (entry->action & DONT_MEASURE)  in ima_policy_show()
1132 	if (entry->action & APPRAISE)  in ima_policy_show()
1134 	if (entry->action & DONT_APPRAISE)  in ima_policy_show()
1136 	if (entry->action & AUDIT)  in ima_policy_show()
1138 	if (entry->action & HASH)  in ima_policy_show()
1140 	if (entry->action & DONT_HASH)  in ima_policy_show()
1145 	if (entry->flags & IMA_FUNC)  in ima_policy_show()
1146 		policy_func_show(m, entry->func);  in ima_policy_show()
1148 	if (entry->flags & IMA_MASK) {  in ima_policy_show()
1149 		if (entry->mask & MAY_EXEC)  in ima_policy_show()
1151 		if (entry->mask & MAY_WRITE)  in ima_policy_show()
1153 		if (entry->mask & MAY_READ)  in ima_policy_show()
1155 		if (entry->mask & MAY_APPEND)  in ima_policy_show()
1160 	if (entry->flags & IMA_FSMAGIC) {  in ima_policy_show()
1161 		snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);  in ima_policy_show()
1166 	if (entry->flags & IMA_FSNAME) {  in ima_policy_show()
1167 		snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);  in ima_policy_show()
1172 	if (entry->flags & IMA_PCR) {  in ima_policy_show()
1173 		snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);  in ima_policy_show()
1178 	if (entry->flags & IMA_FSUUID) {  in ima_policy_show()
1179 		seq_printf(m, "fsuuid=%pU", &entry->fsuuid);  in ima_policy_show()
1183 	if (entry->flags & IMA_UID) {  in ima_policy_show()
1184 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));  in ima_policy_show()
1185 		if (entry->uid_op == &uid_gt)  in ima_policy_show()
1187 		else if (entry->uid_op == &uid_lt)  in ima_policy_show()
1194 	if (entry->flags & IMA_EUID) {  in ima_policy_show()
1195 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));  in ima_policy_show()
1196 		if (entry->uid_op == &uid_gt)  in ima_policy_show()
1198 		else if (entry->uid_op == &uid_lt)  in ima_policy_show()
1205 	if (entry->flags & IMA_FOWNER) {  in ima_policy_show()
1206 		snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));  in ima_policy_show()
1207 		if (entry->fowner_op == &uid_gt)  in ima_policy_show()
1209 		else if (entry->fowner_op == &uid_lt)  in ima_policy_show()
1217 		if (entry->lsm[i].rule) {  in ima_policy_show()
1221 					   (char *)entry->lsm[i].args_p);  in ima_policy_show()
1225 					   (char *)entry->lsm[i].args_p);  in ima_policy_show()
1229 					   (char *)entry->lsm[i].args_p);  in ima_policy_show()
1233 					   (char *)entry->lsm[i].args_p);  in ima_policy_show()
1237 					   (char *)entry->lsm[i].args_p);  in ima_policy_show()
1241 					   (char *)entry->lsm[i].args_p);  in ima_policy_show()
1246 	if (entry->flags & IMA_DIGSIG_REQUIRED)  in ima_policy_show()
1248 	if (entry->flags & IMA_PERMIT_DIRECTIO)  in ima_policy_show()