347 static void ima_lsm_free_rule(struct ima_rule_entry *entry) in ima_lsm_free_rule() argument
352 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_free_rule()
353 kfree(entry->lsm[i].args_p); in ima_lsm_free_rule()
357 static void ima_free_rule(struct ima_rule_entry *entry) in ima_free_rule() argument
359 if (!entry) in ima_free_rule()
363 * entry->template->fields may be allocated in ima_parse_rule() but that in ima_free_rule()
367 kfree(entry->fsname); in ima_free_rule()
368 ima_free_rule_opt_list(entry->keyrings); in ima_free_rule()
369 ima_lsm_free_rule(entry); in ima_free_rule()
370 kfree(entry); in ima_free_rule()
373 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) in ima_lsm_copy_rule() argument
382 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); in ima_lsm_copy_rule()
389 if (!entry->lsm[i].args_p) in ima_lsm_copy_rule()
392 nentry->lsm[i].type = entry->lsm[i].type; in ima_lsm_copy_rule()
393 nentry->lsm[i].args_p = entry->lsm[i].args_p; in ima_lsm_copy_rule()
395 * Remove the reference from entry so that the associated in ima_lsm_copy_rule()
397 * ima_lsm_free_rule(entry). in ima_lsm_copy_rule()
399 entry->lsm[i].args_p = NULL; in ima_lsm_copy_rule()
411 static int ima_lsm_update_rule(struct ima_rule_entry *entry) in ima_lsm_update_rule() argument
415 nentry = ima_lsm_copy_rule(entry); in ima_lsm_update_rule()
419 list_replace_rcu(&entry->list, &nentry->list); in ima_lsm_update_rule()
423 * LSM references, from entry to nentry so we only want to free the LSM in ima_lsm_update_rule()
424 * references and the entry itself. All other memory references will now in ima_lsm_update_rule()
427 ima_lsm_free_rule(entry); in ima_lsm_update_rule()
428 kfree(entry); in ima_lsm_update_rule()
433 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) in ima_rule_contains_lsm_cond() argument
438 if (entry->lsm[i].args_p) in ima_rule_contains_lsm_cond()
451 struct ima_rule_entry *entry, *e; in ima_lsm_update_rules() local
454 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { in ima_lsm_update_rules()
455 if (!ima_rule_contains_lsm_cond(entry)) in ima_lsm_update_rules()
458 result = ima_lsm_update_rule(entry); in ima_lsm_update_rules()
676 struct ima_rule_entry *entry; in ima_match_policy() local
683 list_for_each_entry_rcu(entry, ima_rules, list) { in ima_match_policy()
685 if (!(entry->action & actmask)) in ima_match_policy()
688 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, in ima_match_policy()
692 action |= entry->flags & IMA_ACTION_FLAGS; in ima_match_policy()
694 action |= entry->action & IMA_DO_MASK; in ima_match_policy()
695 if (entry->action & IMA_APPRAISE) { in ima_match_policy()
696 action |= get_subaction(entry, func); in ima_match_policy()
702 entry->flags & IMA_VALIDATE_ALGOS) in ima_match_policy()
703 *allowed_algos = entry->allowed_algos; in ima_match_policy()
706 if (entry->action & IMA_DO_MASK) in ima_match_policy()
707 actmask &= ~(entry->action | entry->action << 1); in ima_match_policy()
709 actmask &= ~(entry->action | entry->action >> 1); in ima_match_policy()
711 if ((pcr) && (entry->flags & IMA_PCR)) in ima_match_policy()
712 *pcr = entry->pcr; in ima_match_policy()
714 if (template_desc && entry->template) in ima_match_policy()
715 *template_desc = entry->template; in ima_match_policy()
742 struct ima_rule_entry *entry; in ima_update_policy_flags() local
746 list_for_each_entry(entry, ima_rules, list) { in ima_update_policy_flags()
759 if (entry->func == SETXATTR_CHECK) { in ima_update_policy_flags()
761 0, entry->allowed_algos); in ima_update_policy_flags()
766 if (entry->action & IMA_DO_MASK) in ima_update_policy_flags()
767 new_policy_flag |= entry->action; in ima_update_policy_flags()
797 struct ima_rule_entry *entry; in add_rules() local
803 entry = kmemdup(&entries[i], sizeof(*entry), in add_rules()
805 if (!entry) in add_rules()
808 list_add_tail(&entry->list, &ima_policy_rules); in add_rules()
821 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
1044 static int ima_lsm_rule_init(struct ima_rule_entry *entry, in ima_lsm_rule_init() argument
1049 if (entry->lsm[lsm_rule].rule) in ima_lsm_rule_init()
1052 entry->lsm[lsm_rule].args_p = match_strdup(args); in ima_lsm_rule_init()
1053 if (!entry->lsm[lsm_rule].args_p) in ima_lsm_rule_init()
1056 entry->lsm[lsm_rule].type = audit_type; in ima_lsm_rule_init()
1057 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, in ima_lsm_rule_init()
1058 entry->lsm[lsm_rule].args_p, in ima_lsm_rule_init()
1059 &entry->lsm[lsm_rule].rule); in ima_lsm_rule_init()
1060 if (!entry->lsm[lsm_rule].rule) { in ima_lsm_rule_init()
1062 entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
1065 kfree(entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
1066 entry->lsm[lsm_rule].args_p = NULL; in ima_lsm_rule_init()
1126 static bool ima_validate_rule(struct ima_rule_entry *entry) in ima_validate_rule() argument
1129 if (entry->action == UNKNOWN) in ima_validate_rule()
1132 if (entry->action != MEASURE && entry->flags & IMA_PCR) in ima_validate_rule()
1135 if (entry->action != APPRAISE && in ima_validate_rule()
1136 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | in ima_validate_rule()
1146 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || in ima_validate_rule()
1147 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) in ima_validate_rule()
1154 switch (entry->func) { in ima_validate_rule()
1163 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1174 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1184 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1187 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | in ima_validate_rule()
1194 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1197 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | in ima_validate_rule()
1201 if (ima_rule_contains_lsm_cond(entry)) in ima_validate_rule()
1206 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1209 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | in ima_validate_rule()
1213 if (ima_rule_contains_lsm_cond(entry)) in ima_validate_rule()
1219 if (entry->action != APPRAISE) in ima_validate_rule()
1223 if (!(entry->flags & IMA_VALIDATE_ALGOS)) in ima_validate_rule()
1230 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) in ima_validate_rule()
1239 if (entry->flags & IMA_CHECK_BLACKLIST && in ima_validate_rule()
1240 !(entry->flags & IMA_MODSIG_ALLOWED)) in ima_validate_rule()
1274 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) in ima_parse_rule() argument
1286 entry->uid = INVALID_UID; in ima_parse_rule()
1287 entry->fowner = INVALID_UID; in ima_parse_rule()
1288 entry->uid_op = &uid_eq; in ima_parse_rule()
1289 entry->fowner_op = &uid_eq; in ima_parse_rule()
1290 entry->action = UNKNOWN; in ima_parse_rule()
1305 if (entry->action != UNKNOWN) in ima_parse_rule()
1308 entry->action = MEASURE; in ima_parse_rule()
1313 if (entry->action != UNKNOWN) in ima_parse_rule()
1316 entry->action = DONT_MEASURE; in ima_parse_rule()
1321 if (entry->action != UNKNOWN) in ima_parse_rule()
1324 entry->action = APPRAISE; in ima_parse_rule()
1329 if (entry->action != UNKNOWN) in ima_parse_rule()
1332 entry->action = DONT_APPRAISE; in ima_parse_rule()
1337 if (entry->action != UNKNOWN) in ima_parse_rule()
1340 entry->action = AUDIT; in ima_parse_rule()
1345 if (entry->action != UNKNOWN) in ima_parse_rule()
1348 entry->action = HASH; in ima_parse_rule()
1353 if (entry->action != UNKNOWN) in ima_parse_rule()
1356 entry->action = DONT_HASH; in ima_parse_rule()
1361 if (entry->func) in ima_parse_rule()
1365 entry->func = FILE_CHECK; in ima_parse_rule()
1368 entry->func = FILE_CHECK; in ima_parse_rule()
1370 entry->func = MODULE_CHECK; in ima_parse_rule()
1372 entry->func = FIRMWARE_CHECK; in ima_parse_rule()
1375 entry->func = MMAP_CHECK; in ima_parse_rule()
1377 entry->func = BPRM_CHECK; in ima_parse_rule()
1379 entry->func = CREDS_CHECK; in ima_parse_rule()
1382 entry->func = KEXEC_KERNEL_CHECK; in ima_parse_rule()
1385 entry->func = KEXEC_INITRAMFS_CHECK; in ima_parse_rule()
1387 entry->func = POLICY_CHECK; in ima_parse_rule()
1389 entry->func = KEXEC_CMDLINE; in ima_parse_rule()
1392 entry->func = KEY_CHECK; in ima_parse_rule()
1394 entry->func = CRITICAL_DATA; in ima_parse_rule()
1396 entry->func = SETXATTR_CHECK; in ima_parse_rule()
1400 entry->flags |= IMA_FUNC; in ima_parse_rule()
1405 if (entry->mask) in ima_parse_rule()
1413 entry->mask = MAY_EXEC; in ima_parse_rule()
1415 entry->mask = MAY_WRITE; in ima_parse_rule()
1417 entry->mask = MAY_READ; in ima_parse_rule()
1419 entry->mask = MAY_APPEND; in ima_parse_rule()
1423 entry->flags |= (*args[0].from == '^') in ima_parse_rule()
1429 if (entry->fsmagic) { in ima_parse_rule()
1434 result = kstrtoul(args[0].from, 16, &entry->fsmagic); in ima_parse_rule()
1436 entry->flags |= IMA_FSMAGIC; in ima_parse_rule()
1441 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); in ima_parse_rule()
1442 if (!entry->fsname) { in ima_parse_rule()
1447 entry->flags |= IMA_FSNAME; in ima_parse_rule()
1453 entry->keyrings) { in ima_parse_rule()
1458 entry->keyrings = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1459 if (IS_ERR(entry->keyrings)) { in ima_parse_rule()
1460 result = PTR_ERR(entry->keyrings); in ima_parse_rule()
1461 entry->keyrings = NULL; in ima_parse_rule()
1465 entry->flags |= IMA_KEYRINGS; in ima_parse_rule()
1470 if (entry->label) { in ima_parse_rule()
1475 entry->label = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1476 if (IS_ERR(entry->label)) { in ima_parse_rule()
1477 result = PTR_ERR(entry->label); in ima_parse_rule()
1478 entry->label = NULL; in ima_parse_rule()
1482 entry->flags |= IMA_LABEL; in ima_parse_rule()
1487 if (!uuid_is_null(&entry->fsuuid)) { in ima_parse_rule()
1492 result = uuid_parse(args[0].from, &entry->fsuuid); in ima_parse_rule()
1494 entry->flags |= IMA_FSUUID; in ima_parse_rule()
1498 entry->uid_op = &uid_gt; in ima_parse_rule()
1503 entry->uid_op = &uid_lt; in ima_parse_rule()
1512 args[0].from, entry->uid_op); in ima_parse_rule()
1514 if (uid_valid(entry->uid)) { in ima_parse_rule()
1521 entry->uid = make_kuid(current_user_ns(), in ima_parse_rule()
1523 if (!uid_valid(entry->uid) || in ima_parse_rule()
1527 entry->flags |= uid_token in ima_parse_rule()
1532 entry->fowner_op = &uid_gt; in ima_parse_rule()
1536 entry->fowner_op = &uid_lt; in ima_parse_rule()
1540 entry->fowner_op); in ima_parse_rule()
1542 if (uid_valid(entry->fowner)) { in ima_parse_rule()
1549 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum); in ima_parse_rule()
1550 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum)) in ima_parse_rule()
1553 entry->flags |= IMA_FOWNER; in ima_parse_rule()
1558 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1564 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1570 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1576 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1582 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1588 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1595 entry->flags |= IMA_DIGSIG_REQUIRED; in ima_parse_rule()
1598 entry->flags |= IMA_DIGSIG_REQUIRED | in ima_parse_rule()
1607 entry->flags |= IMA_CHECK_BLACKLIST; in ima_parse_rule()
1614 if (entry->allowed_algos) { in ima_parse_rule()
1619 entry->allowed_algos = in ima_parse_rule()
1622 if (!entry->allowed_algos) { in ima_parse_rule()
1627 entry->flags |= IMA_VALIDATE_ALGOS; in ima_parse_rule()
1631 entry->flags |= IMA_PERMIT_DIRECTIO; in ima_parse_rule()
1636 result = kstrtoint(args[0].from, 10, &entry->pcr); in ima_parse_rule()
1637 if (result || INVALID_PCR(entry->pcr)) in ima_parse_rule()
1640 entry->flags |= IMA_PCR; in ima_parse_rule()
1645 if (entry->action != MEASURE) { in ima_parse_rule()
1650 if (!template_desc || entry->template) { in ima_parse_rule()
1663 entry->template = template_desc; in ima_parse_rule()
1671 if (!result && !ima_validate_rule(entry)) in ima_parse_rule()
1673 else if (entry->action == APPRAISE) in ima_parse_rule()
1674 temp_ima_appraise |= ima_appraise_flag(entry->func); in ima_parse_rule()
1676 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { in ima_parse_rule()
1677 template_desc = entry->template ? entry->template : in ima_parse_rule()
1698 struct ima_rule_entry *entry; in ima_parse_add_rule() local
1709 entry = kzalloc(sizeof(*entry), GFP_KERNEL); in ima_parse_add_rule()
1710 if (!entry) { in ima_parse_add_rule()
1716 INIT_LIST_HEAD(&entry->list); in ima_parse_add_rule()
1718 result = ima_parse_rule(p, entry); in ima_parse_add_rule()
1720 ima_free_rule(entry); in ima_parse_add_rule()
1727 list_add_tail(&entry->list, &ima_temp_rules); in ima_parse_add_rule()
1740 struct ima_rule_entry *entry, *tmp; in ima_delete_rules() local
1743 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { in ima_delete_rules()
1744 list_del(&entry->list); in ima_delete_rules()
1745 ima_free_rule(entry); in ima_delete_rules()
1770 struct ima_rule_entry *entry; in ima_policy_start() local
1773 list_for_each_entry_rcu(entry, ima_rules, list) { in ima_policy_start()
1776 return entry; in ima_policy_start()
1785 struct ima_rule_entry *entry = v; in ima_policy_next() local
1788 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); in ima_policy_next()
1792 return (&entry->list == ima_rules) ? NULL : entry; in ima_policy_next()
1841 struct ima_rule_entry *entry = v; in ima_policy_show() local
1848 if (entry->action & MEASURE) in ima_policy_show()
1850 if (entry->action & DONT_MEASURE) in ima_policy_show()
1852 if (entry->action & APPRAISE) in ima_policy_show()
1854 if (entry->action & DONT_APPRAISE) in ima_policy_show()
1856 if (entry->action & AUDIT) in ima_policy_show()
1858 if (entry->action & HASH) in ima_policy_show()
1860 if (entry->action & DONT_HASH) in ima_policy_show()
1865 if (entry->flags & IMA_FUNC) in ima_policy_show()
1866 policy_func_show(m, entry->func); in ima_policy_show()
1868 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { in ima_policy_show()
1869 if (entry->flags & IMA_MASK) in ima_policy_show()
1871 if (entry->mask & MAY_EXEC) in ima_policy_show()
1873 if (entry->mask & MAY_WRITE) in ima_policy_show()
1875 if (entry->mask & MAY_READ) in ima_policy_show()
1877 if (entry->mask & MAY_APPEND) in ima_policy_show()
1882 if (entry->flags & IMA_FSMAGIC) { in ima_policy_show()
1883 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); in ima_policy_show()
1888 if (entry->flags & IMA_FSNAME) { in ima_policy_show()
1889 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); in ima_policy_show()
1894 if (entry->flags & IMA_KEYRINGS) { in ima_policy_show()
1896 ima_show_rule_opt_list(m, entry->keyrings); in ima_policy_show()
1900 if (entry->flags & IMA_LABEL) { in ima_policy_show()
1902 ima_show_rule_opt_list(m, entry->label); in ima_policy_show()
1906 if (entry->flags & IMA_PCR) { in ima_policy_show()
1907 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); in ima_policy_show()
1912 if (entry->flags & IMA_FSUUID) { in ima_policy_show()
1913 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); in ima_policy_show()
1917 if (entry->flags & IMA_UID) { in ima_policy_show()
1918 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
1919 if (entry->uid_op == &uid_gt) in ima_policy_show()
1921 else if (entry->uid_op == &uid_lt) in ima_policy_show()
1928 if (entry->flags & IMA_EUID) { in ima_policy_show()
1929 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
1930 if (entry->uid_op == &uid_gt) in ima_policy_show()
1932 else if (entry->uid_op == &uid_lt) in ima_policy_show()
1939 if (entry->flags & IMA_FOWNER) { in ima_policy_show()
1940 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); in ima_policy_show()
1941 if (entry->fowner_op == &uid_gt) in ima_policy_show()
1943 else if (entry->fowner_op == &uid_lt) in ima_policy_show()
1950 if (entry->flags & IMA_VALIDATE_ALGOS) { in ima_policy_show()
1952 ima_policy_show_appraise_algos(m, entry->allowed_algos); in ima_policy_show()
1957 if (entry->lsm[i].rule) { in ima_policy_show()
1961 entry->lsm[i].args_p); in ima_policy_show()
1965 entry->lsm[i].args_p); in ima_policy_show()
1969 entry->lsm[i].args_p); in ima_policy_show()
1973 entry->lsm[i].args_p); in ima_policy_show()
1977 entry->lsm[i].args_p); in ima_policy_show()
1981 entry->lsm[i].args_p); in ima_policy_show()
1987 if (entry->template) in ima_policy_show()
1988 seq_printf(m, "template=%s ", entry->template->name); in ima_policy_show()
1989 if (entry->flags & IMA_DIGSIG_REQUIRED) { in ima_policy_show()
1990 if (entry->flags & IMA_MODSIG_ALLOWED) in ima_policy_show()
1995 if (entry->flags & IMA_CHECK_BLACKLIST) in ima_policy_show()
1997 if (entry->flags & IMA_PERMIT_DIRECTIO) in ima_policy_show()
2014 struct ima_rule_entry *entry; in ima_appraise_signature() local
2024 list_for_each_entry_rcu(entry, ima_rules, list) { in ima_appraise_signature()
2025 if (entry->action != APPRAISE) in ima_appraise_signature()
2029 * A generic entry will match, but otherwise require that it in ima_appraise_signature()
2032 if (entry->func && entry->func != func) in ima_appraise_signature()
2039 if (entry->flags & IMA_DIGSIG_REQUIRED) in ima_appraise_signature()