1 // SPDX-License-Identifier: GPL-2.0-only
7 * - initialize default measure policy rules
298 return ERR_PTR(-ENOMEM); in ima_alloc_rule_opt_list()
305 return ERR_PTR(-EINVAL); in ima_alloc_rule_opt_list()
313 return ERR_PTR(-EINVAL); in ima_alloc_rule_opt_list()
319 return ERR_PTR(-ENOMEM); in ima_alloc_rule_opt_list()
324 * leaving a byte sequence of NUL-terminated strings. Reference each in ima_alloc_rule_opt_list()
333 opt_list->items[i] = cur; in ima_alloc_rule_opt_list()
336 opt_list->count = count; in ima_alloc_rule_opt_list()
346 if (opt_list->count) { in ima_free_rule_opt_list()
347 kfree(opt_list->items[0]); in ima_free_rule_opt_list()
348 opt_list->count = 0; in ima_free_rule_opt_list()
359 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_free_rule()
360 kfree(entry->lsm[i].args_p); in ima_lsm_free_rule()
370 * entry->template->fields may be allocated in ima_parse_rule() but that in ima_free_rule()
374 kfree(entry->fsname); in ima_free_rule()
375 ima_free_rule_opt_list(entry->keyrings); in ima_free_rule()
393 memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm)); in ima_lsm_copy_rule()
396 if (!entry->lsm[i].args_p) in ima_lsm_copy_rule()
399 nentry->lsm[i].type = entry->lsm[i].type; in ima_lsm_copy_rule()
400 nentry->lsm[i].args_p = entry->lsm[i].args_p; in ima_lsm_copy_rule()
406 entry->lsm[i].args_p = NULL; in ima_lsm_copy_rule()
408 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, in ima_lsm_copy_rule()
409 nentry->lsm[i].args_p, in ima_lsm_copy_rule()
410 &nentry->lsm[i].rule); in ima_lsm_copy_rule()
411 if (!nentry->lsm[i].rule) in ima_lsm_copy_rule()
413 nentry->lsm[i].args_p); in ima_lsm_copy_rule()
424 return -ENOMEM; in ima_lsm_update_rule()
426 list_replace_rcu(&entry->list, &nentry->list); in ima_lsm_update_rule()
445 if (entry->lsm[i].args_p) in ima_rule_contains_lsm_cond()
484 * ima_match_rule_data - determine whether func_data matches the policy rule
499 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rule_data()
502 switch (rule->func) { in ima_match_rule_data()
504 if (!rule->keyrings) in ima_match_rule_data()
507 opt_list = rule->keyrings; in ima_match_rule_data()
510 if (!rule->label) in ima_match_rule_data()
513 opt_list = rule->label; in ima_match_rule_data()
522 for (i = 0; i < opt_list->count; i++) { in ima_match_rule_data()
523 if (!strcmp(opt_list->items[i], func_data)) { in ima_match_rule_data()
533 * ima_match_rules - determine whether an inode matches the policy rule.
553 if ((rule->flags & IMA_FUNC) && in ima_match_rules()
554 (rule->func != func && func != POST_SETATTR)) in ima_match_rules()
560 return ((rule->func == func) && in ima_match_rules()
566 if ((rule->flags & IMA_MASK) && in ima_match_rules()
567 (rule->mask != mask && func != POST_SETATTR)) in ima_match_rules()
569 if ((rule->flags & IMA_INMASK) && in ima_match_rules()
570 (!(rule->mask & mask) && func != POST_SETATTR)) in ima_match_rules()
572 if ((rule->flags & IMA_FSMAGIC) in ima_match_rules()
573 && rule->fsmagic != inode->i_sb->s_magic) in ima_match_rules()
575 if ((rule->flags & IMA_FSNAME) in ima_match_rules()
576 && strcmp(rule->fsname, inode->i_sb->s_type->name)) in ima_match_rules()
578 if ((rule->flags & IMA_FSUUID) && in ima_match_rules()
579 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) in ima_match_rules()
581 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rules()
583 if (rule->flags & IMA_EUID) { in ima_match_rules()
585 if (!rule->uid_op(cred->euid, rule->uid) in ima_match_rules()
586 && !rule->uid_op(cred->suid, rule->uid) in ima_match_rules()
587 && !rule->uid_op(cred->uid, rule->uid)) in ima_match_rules()
589 } else if (!rule->uid_op(cred->euid, rule->uid)) in ima_match_rules()
592 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid)) in ima_match_rules()
594 if (rule->flags & IMA_EGID) { in ima_match_rules()
596 if (!rule->gid_op(cred->egid, rule->gid) in ima_match_rules()
597 && !rule->gid_op(cred->sgid, rule->gid) in ima_match_rules()
598 && !rule->gid_op(cred->gid, rule->gid)) in ima_match_rules()
600 } else if (!rule->gid_op(cred->egid, rule->gid)) in ima_match_rules()
603 if ((rule->flags & IMA_FOWNER) && in ima_match_rules()
604 !rule->fowner_op(i_uid_into_mnt(mnt_userns, inode), rule->fowner)) in ima_match_rules()
606 if ((rule->flags & IMA_FGROUP) && in ima_match_rules()
607 !rule->fgroup_op(i_gid_into_mnt(mnt_userns, inode), rule->fgroup)) in ima_match_rules()
613 if (!rule->lsm[i].rule) { in ima_match_rules()
614 if (!rule->lsm[i].args_p) in ima_match_rules()
624 rc = ima_filter_rule_match(osid, rule->lsm[i].type, in ima_match_rules()
626 rule->lsm[i].rule); in ima_match_rules()
631 rc = ima_filter_rule_match(secid, rule->lsm[i].type, in ima_match_rules()
633 rule->lsm[i].rule); in ima_match_rules()
650 if (!(rule->flags & IMA_FUNC)) in get_subaction()
663 case MODULE_CHECK ... MAX_CHECK - 1: in get_subaction()
670 * ima_match_policy - decision based on LSM and other conditions
707 if (!(entry->action & actmask)) in ima_match_policy()
714 action |= entry->flags & IMA_NONACTION_FLAGS; in ima_match_policy()
716 action |= entry->action & IMA_DO_MASK; in ima_match_policy()
717 if (entry->action & IMA_APPRAISE) { in ima_match_policy()
724 entry->flags & IMA_VALIDATE_ALGOS) in ima_match_policy()
725 *allowed_algos = entry->allowed_algos; in ima_match_policy()
728 if (entry->action & IMA_DO_MASK) in ima_match_policy()
729 actmask &= ~(entry->action | entry->action << 1); in ima_match_policy()
731 actmask &= ~(entry->action | entry->action >> 1); in ima_match_policy()
733 if ((pcr) && (entry->flags & IMA_PCR)) in ima_match_policy()
734 *pcr = entry->pcr; in ima_match_policy()
736 if (template_desc && entry->template) in ima_match_policy()
737 *template_desc = entry->template; in ima_match_policy()
748 * ima_update_policy_flags() - Update global IMA variables
778 * - the atomic was non-zero: a setxattr hash policy is in ima_update_policy_flags()
780 * - the atomic was zero: no setxattr policy was set, enable in ima_update_policy_flags()
783 if (entry->func == SETXATTR_CHECK) { in ima_update_policy_flags()
785 0, entry->allowed_algos); in ima_update_policy_flags()
790 if (entry->action & IMA_DO_MASK) in ima_update_policy_flags()
791 new_policy_flag |= entry->action; in ima_update_policy_flags()
832 list_add_tail(&entry->list, &ima_policy_rules); in add_rules()
889 * ima_init_policy - initialize the default measure rules.
973 return -EINVAL; in ima_check_policy()
978 * ima_update_policy - update default_rules with new measure rules
1012 /* Keep the enumeration in sync with the policy_tokens! */
1086 if (entry->lsm[lsm_rule].rule) in ima_lsm_rule_init()
1087 return -EINVAL; in ima_lsm_rule_init()
1089 entry->lsm[lsm_rule].args_p = match_strdup(args); in ima_lsm_rule_init()
1090 if (!entry->lsm[lsm_rule].args_p) in ima_lsm_rule_init()
1091 return -ENOMEM; in ima_lsm_rule_init()
1093 entry->lsm[lsm_rule].type = audit_type; in ima_lsm_rule_init()
1094 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, in ima_lsm_rule_init()
1095 entry->lsm[lsm_rule].args_p, in ima_lsm_rule_init()
1096 &entry->lsm[lsm_rule].rule); in ima_lsm_rule_init()
1097 if (!entry->lsm[lsm_rule].rule) { in ima_lsm_rule_init()
1099 entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
1102 kfree(entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
1103 entry->lsm[lsm_rule].args_p = NULL; in ima_lsm_rule_init()
1104 result = -EINVAL; in ima_lsm_rule_init()
1147 * the file hash calculated without the appended signature (i.e., the 'd-modsig'
1149 * the 'd-modsig' field in the template.
1153 #define MSG "template with 'modsig' field also needs 'd-modsig' field\n" in check_template_modsig()
1163 for (i = 0; i < template->num_fields; i++) { in check_template_modsig()
1164 if (!strcmp(template->fields[i]->field_id, "modsig")) in check_template_modsig()
1166 else if (!strcmp(template->fields[i]->field_id, "d-modsig")) in check_template_modsig()
1185 for (i = 0; i < template->num_fields; i++) in check_template_field()
1186 if (!strcmp(template->fields[i]->field_id, field)) in check_template_field()
1195 if (entry->action == UNKNOWN) in ima_validate_rule()
1198 if (entry->action != MEASURE && entry->flags & IMA_PCR) in ima_validate_rule()
1201 if (entry->action != APPRAISE && in ima_validate_rule()
1202 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | in ima_validate_rule()
1212 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || in ima_validate_rule()
1213 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) in ima_validate_rule()
1220 switch (entry->func) { in ima_validate_rule()
1229 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1242 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1253 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1256 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | in ima_validate_rule()
1264 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1267 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | in ima_validate_rule()
1276 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1279 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | in ima_validate_rule()
1289 if (entry->action != APPRAISE) in ima_validate_rule()
1293 if (!(entry->flags & IMA_VALIDATE_ALGOS)) in ima_validate_rule()
1300 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) in ima_validate_rule()
1309 if (entry->flags & IMA_CHECK_BLACKLIST && in ima_validate_rule()
1310 !(entry->flags & IMA_MODSIG_ALLOWED)) in ima_validate_rule()
1320 if (entry->action == APPRAISE && in ima_validate_rule()
1321 (entry->flags & IMA_VERITY_REQUIRED) && in ima_validate_rule()
1322 !(entry->flags & IMA_DIGSIG_REQUIRED)) in ima_validate_rule()
1332 char *token; in ima_parse_appraise_algos() local
1334 while ((token = strsep(&arg, ",")) != NULL) { in ima_parse_appraise_algos()
1335 idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); in ima_parse_appraise_algos()
1339 token); in ima_parse_appraise_algos()
1345 token); in ima_parse_appraise_algos()
1368 entry->uid = INVALID_UID; in ima_parse_rule()
1369 entry->gid = INVALID_GID; in ima_parse_rule()
1370 entry->fowner = INVALID_UID; in ima_parse_rule()
1371 entry->fgroup = INVALID_GID; in ima_parse_rule()
1372 entry->uid_op = &uid_eq; in ima_parse_rule()
1373 entry->gid_op = &gid_eq; in ima_parse_rule()
1374 entry->fowner_op = &uid_eq; in ima_parse_rule()
1375 entry->fgroup_op = &gid_eq; in ima_parse_rule()
1376 entry->action = UNKNOWN; in ima_parse_rule()
1379 int token; in ima_parse_rule() local
1386 token = match_token(p, policy_tokens, args); in ima_parse_rule()
1387 switch (token) { in ima_parse_rule()
1391 if (entry->action != UNKNOWN) in ima_parse_rule()
1392 result = -EINVAL; in ima_parse_rule()
1394 entry->action = MEASURE; in ima_parse_rule()
1399 if (entry->action != UNKNOWN) in ima_parse_rule()
1400 result = -EINVAL; in ima_parse_rule()
1402 entry->action = DONT_MEASURE; in ima_parse_rule()
1407 if (entry->action != UNKNOWN) in ima_parse_rule()
1408 result = -EINVAL; in ima_parse_rule()
1410 entry->action = APPRAISE; in ima_parse_rule()
1415 if (entry->action != UNKNOWN) in ima_parse_rule()
1416 result = -EINVAL; in ima_parse_rule()
1418 entry->action = DONT_APPRAISE; in ima_parse_rule()
1423 if (entry->action != UNKNOWN) in ima_parse_rule()
1424 result = -EINVAL; in ima_parse_rule()
1426 entry->action = AUDIT; in ima_parse_rule()
1431 if (entry->action != UNKNOWN) in ima_parse_rule()
1432 result = -EINVAL; in ima_parse_rule()
1434 entry->action = HASH; in ima_parse_rule()
1439 if (entry->action != UNKNOWN) in ima_parse_rule()
1440 result = -EINVAL; in ima_parse_rule()
1442 entry->action = DONT_HASH; in ima_parse_rule()
1447 if (entry->func) in ima_parse_rule()
1448 result = -EINVAL; in ima_parse_rule()
1451 entry->func = FILE_CHECK; in ima_parse_rule()
1454 entry->func = FILE_CHECK; in ima_parse_rule()
1456 entry->func = MODULE_CHECK; in ima_parse_rule()
1458 entry->func = FIRMWARE_CHECK; in ima_parse_rule()
1461 entry->func = MMAP_CHECK; in ima_parse_rule()
1463 entry->func = BPRM_CHECK; in ima_parse_rule()
1465 entry->func = CREDS_CHECK; in ima_parse_rule()
1468 entry->func = KEXEC_KERNEL_CHECK; in ima_parse_rule()
1471 entry->func = KEXEC_INITRAMFS_CHECK; in ima_parse_rule()
1473 entry->func = POLICY_CHECK; in ima_parse_rule()
1475 entry->func = KEXEC_CMDLINE; in ima_parse_rule()
1478 entry->func = KEY_CHECK; in ima_parse_rule()
1480 entry->func = CRITICAL_DATA; in ima_parse_rule()
1482 entry->func = SETXATTR_CHECK; in ima_parse_rule()
1484 result = -EINVAL; in ima_parse_rule()
1486 entry->flags |= IMA_FUNC; in ima_parse_rule()
1491 if (entry->mask) in ima_parse_rule()
1492 result = -EINVAL; in ima_parse_rule()
1499 entry->mask = MAY_EXEC; in ima_parse_rule()
1501 entry->mask = MAY_WRITE; in ima_parse_rule()
1503 entry->mask = MAY_READ; in ima_parse_rule()
1505 entry->mask = MAY_APPEND; in ima_parse_rule()
1507 result = -EINVAL; in ima_parse_rule()
1509 entry->flags |= (*args[0].from == '^') in ima_parse_rule()
1515 if (entry->fsmagic) { in ima_parse_rule()
1516 result = -EINVAL; in ima_parse_rule()
1520 result = kstrtoul(args[0].from, 16, &entry->fsmagic); in ima_parse_rule()
1522 entry->flags |= IMA_FSMAGIC; in ima_parse_rule()
1527 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); in ima_parse_rule()
1528 if (!entry->fsname) { in ima_parse_rule()
1529 result = -ENOMEM; in ima_parse_rule()
1533 entry->flags |= IMA_FSNAME; in ima_parse_rule()
1539 entry->keyrings) { in ima_parse_rule()
1540 result = -EINVAL; in ima_parse_rule()
1544 entry->keyrings = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1545 if (IS_ERR(entry->keyrings)) { in ima_parse_rule()
1546 result = PTR_ERR(entry->keyrings); in ima_parse_rule()
1547 entry->keyrings = NULL; in ima_parse_rule()
1551 entry->flags |= IMA_KEYRINGS; in ima_parse_rule()
1556 if (entry->label) { in ima_parse_rule()
1557 result = -EINVAL; in ima_parse_rule()
1561 entry->label = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1562 if (IS_ERR(entry->label)) { in ima_parse_rule()
1563 result = PTR_ERR(entry->label); in ima_parse_rule()
1564 entry->label = NULL; in ima_parse_rule()
1568 entry->flags |= IMA_LABEL; in ima_parse_rule()
1573 if (!uuid_is_null(&entry->fsuuid)) { in ima_parse_rule()
1574 result = -EINVAL; in ima_parse_rule()
1578 result = uuid_parse(args[0].from, &entry->fsuuid); in ima_parse_rule()
1580 entry->flags |= IMA_FSUUID; in ima_parse_rule()
1584 entry->uid_op = &uid_gt; in ima_parse_rule()
1588 if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) in ima_parse_rule()
1589 entry->uid_op = &uid_lt; in ima_parse_rule()
1593 eid_token = (token == Opt_euid_eq) || in ima_parse_rule()
1594 (token == Opt_euid_gt) || in ima_parse_rule()
1595 (token == Opt_euid_lt); in ima_parse_rule()
1598 args[0].from, token); in ima_parse_rule()
1600 if (uid_valid(entry->uid)) { in ima_parse_rule()
1601 result = -EINVAL; in ima_parse_rule()
1607 entry->uid = make_kuid(current_user_ns(), in ima_parse_rule()
1609 if (!uid_valid(entry->uid) || in ima_parse_rule()
1611 result = -EINVAL; in ima_parse_rule()
1613 entry->flags |= eid_token in ima_parse_rule()
1619 entry->gid_op = &gid_gt; in ima_parse_rule()
1623 if ((token == Opt_gid_lt) || (token == Opt_egid_lt)) in ima_parse_rule()
1624 entry->gid_op = &gid_lt; in ima_parse_rule()
1628 eid_token = (token == Opt_egid_eq) || in ima_parse_rule()
1629 (token == Opt_egid_gt) || in ima_parse_rule()
1630 (token == Opt_egid_lt); in ima_parse_rule()
1633 args[0].from, token); in ima_parse_rule()
1635 if (gid_valid(entry->gid)) { in ima_parse_rule()
1636 result = -EINVAL; in ima_parse_rule()
1642 entry->gid = make_kgid(current_user_ns(), in ima_parse_rule()
1644 if (!gid_valid(entry->gid) || in ima_parse_rule()
1646 result = -EINVAL; in ima_parse_rule()
1648 entry->flags |= eid_token in ima_parse_rule()
1653 entry->fowner_op = &uid_gt; in ima_parse_rule()
1656 if (token == Opt_fowner_lt) in ima_parse_rule()
1657 entry->fowner_op = &uid_lt; in ima_parse_rule()
1660 ima_log_string_op(ab, "fowner", args[0].from, token); in ima_parse_rule()
1662 if (uid_valid(entry->fowner)) { in ima_parse_rule()
1663 result = -EINVAL; in ima_parse_rule()
1669 entry->fowner = make_kuid(current_user_ns(), in ima_parse_rule()
1671 if (!uid_valid(entry->fowner) || in ima_parse_rule()
1673 result = -EINVAL; in ima_parse_rule()
1675 entry->flags |= IMA_FOWNER; in ima_parse_rule()
1679 entry->fgroup_op = &gid_gt; in ima_parse_rule()
1682 if (token == Opt_fgroup_lt) in ima_parse_rule()
1683 entry->fgroup_op = &gid_lt; in ima_parse_rule()
1686 ima_log_string_op(ab, "fgroup", args[0].from, token); in ima_parse_rule()
1688 if (gid_valid(entry->fgroup)) { in ima_parse_rule()
1689 result = -EINVAL; in ima_parse_rule()
1695 entry->fgroup = make_kgid(current_user_ns(), in ima_parse_rule()
1697 if (!gid_valid(entry->fgroup) || in ima_parse_rule()
1699 result = -EINVAL; in ima_parse_rule()
1701 entry->flags |= IMA_FGROUP; in ima_parse_rule()
1742 if (entry->flags & IMA_DIGSIG_REQUIRED) in ima_parse_rule()
1743 result = -EINVAL; in ima_parse_rule()
1745 entry->flags |= IMA_VERITY_REQUIRED; in ima_parse_rule()
1747 result = -EINVAL; in ima_parse_rule()
1753 if (entry->flags & IMA_VERITY_REQUIRED) in ima_parse_rule()
1754 result = -EINVAL; in ima_parse_rule()
1756 entry->flags |= IMA_DIGSIG_REQUIRED; in ima_parse_rule()
1759 if (entry->flags & IMA_VERITY_REQUIRED) in ima_parse_rule()
1760 entry->flags |= IMA_DIGSIG_REQUIRED; in ima_parse_rule()
1762 result = -EINVAL; in ima_parse_rule()
1765 if (entry->flags & IMA_VERITY_REQUIRED) in ima_parse_rule()
1766 result = -EINVAL; in ima_parse_rule()
1768 entry->flags |= IMA_DIGSIG_REQUIRED | in ima_parse_rule()
1771 result = -EINVAL; in ima_parse_rule()
1778 entry->flags |= IMA_CHECK_BLACKLIST; in ima_parse_rule()
1780 result = -EINVAL; in ima_parse_rule()
1785 if (entry->allowed_algos) { in ima_parse_rule()
1786 result = -EINVAL; in ima_parse_rule()
1790 entry->allowed_algos = in ima_parse_rule()
1793 if (!entry->allowed_algos) { in ima_parse_rule()
1794 result = -EINVAL; in ima_parse_rule()
1798 entry->flags |= IMA_VALIDATE_ALGOS; in ima_parse_rule()
1802 entry->flags |= IMA_PERMIT_DIRECTIO; in ima_parse_rule()
1807 result = kstrtoint(args[0].from, 10, &entry->pcr); in ima_parse_rule()
1808 if (result || INVALID_PCR(entry->pcr)) in ima_parse_rule()
1809 result = -EINVAL; in ima_parse_rule()
1811 entry->flags |= IMA_PCR; in ima_parse_rule()
1816 if (entry->action != MEASURE) { in ima_parse_rule()
1817 result = -EINVAL; in ima_parse_rule()
1821 if (!template_desc || entry->template) { in ima_parse_rule()
1822 result = -EINVAL; in ima_parse_rule()
1831 template_desc_init_fields(template_desc->fmt, in ima_parse_rule()
1832 &(template_desc->fields), in ima_parse_rule()
1833 &(template_desc->num_fields)); in ima_parse_rule()
1834 entry->template = template_desc; in ima_parse_rule()
1838 result = -EINVAL; in ima_parse_rule()
1843 result = -EINVAL; in ima_parse_rule()
1844 else if (entry->action == APPRAISE) in ima_parse_rule()
1845 temp_ima_appraise |= ima_appraise_flag(entry->func); in ima_parse_rule()
1847 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { in ima_parse_rule()
1848 template_desc = entry->template ? entry->template : in ima_parse_rule()
1853 /* d-ngv2 template field recommended for unsigned fs-verity digests */ in ima_parse_rule()
1854 if (!result && entry->action == MEASURE && in ima_parse_rule()
1855 entry->flags & IMA_VERITY_REQUIRED) { in ima_parse_rule()
1856 template_desc = entry->template ? entry->template : in ima_parse_rule()
1858 check_template_field(template_desc, "d-ngv2", in ima_parse_rule()
1859 "verity rules should include d-ngv2"); in ima_parse_rule()
1868 * ima_parse_add_rule - add a rule to ima_policy_rules
1869 * @rule - ima measurement policy rule
1892 NULL, op, "-ENOMEM", -ENOMEM, audit_info); in ima_parse_add_rule()
1893 return -ENOMEM; in ima_parse_add_rule()
1896 INIT_LIST_HEAD(&entry->list); in ima_parse_add_rule()
1902 NULL, op, "invalid-policy", result, in ima_parse_add_rule()
1907 list_add_tail(&entry->list, &ima_temp_rules); in ima_parse_add_rule()
1913 * ima_delete_rules() called to cleanup invalid in-flight policy.
1924 list_del(&entry->list); in ima_delete_rules()
1956 if (!l--) { in ima_policy_start()
1970 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); in ima_policy_next()
1974 return (&entry->list == &ima_default_rules || in ima_policy_next()
1975 &entry->list == &ima_policy_rules) ? NULL : entry; in ima_policy_next()
1982 #define pt(token) policy_tokens[token].pattern argument
1983 #define mt(token) mask_tokens[token] argument
1986 * policy_func_show - display the ima_hooks policy rule
2001 for (i = 0; i < opt_list->count; i++) in ima_show_rule_opt_list()
2002 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); in ima_show_rule_opt_list()
2033 if (entry->lsm[i].args_p && !entry->lsm[i].rule) { in ima_policy_show()
2039 if (entry->action & MEASURE) in ima_policy_show()
2041 if (entry->action & DONT_MEASURE) in ima_policy_show()
2043 if (entry->action & APPRAISE) in ima_policy_show()
2045 if (entry->action & DONT_APPRAISE) in ima_policy_show()
2047 if (entry->action & AUDIT) in ima_policy_show()
2049 if (entry->action & HASH) in ima_policy_show()
2051 if (entry->action & DONT_HASH) in ima_policy_show()
2056 if (entry->flags & IMA_FUNC) in ima_policy_show()
2057 policy_func_show(m, entry->func); in ima_policy_show()
2059 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { in ima_policy_show()
2060 if (entry->flags & IMA_MASK) in ima_policy_show()
2062 if (entry->mask & MAY_EXEC) in ima_policy_show()
2064 if (entry->mask & MAY_WRITE) in ima_policy_show()
2066 if (entry->mask & MAY_READ) in ima_policy_show()
2068 if (entry->mask & MAY_APPEND) in ima_policy_show()
2073 if (entry->flags & IMA_FSMAGIC) { in ima_policy_show()
2074 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); in ima_policy_show()
2079 if (entry->flags & IMA_FSNAME) { in ima_policy_show()
2080 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); in ima_policy_show()
2085 if (entry->flags & IMA_KEYRINGS) { in ima_policy_show()
2087 ima_show_rule_opt_list(m, entry->keyrings); in ima_policy_show()
2091 if (entry->flags & IMA_LABEL) { in ima_policy_show()
2093 ima_show_rule_opt_list(m, entry->label); in ima_policy_show()
2097 if (entry->flags & IMA_PCR) { in ima_policy_show()
2098 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); in ima_policy_show()
2103 if (entry->flags & IMA_FSUUID) { in ima_policy_show()
2104 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); in ima_policy_show()
2108 if (entry->flags & IMA_UID) { in ima_policy_show()
2109 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
2110 if (entry->uid_op == &uid_gt) in ima_policy_show()
2112 else if (entry->uid_op == &uid_lt) in ima_policy_show()
2119 if (entry->flags & IMA_EUID) { in ima_policy_show()
2120 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
2121 if (entry->uid_op == &uid_gt) in ima_policy_show()
2123 else if (entry->uid_op == &uid_lt) in ima_policy_show()
2130 if (entry->flags & IMA_GID) { in ima_policy_show()
2131 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); in ima_policy_show()
2132 if (entry->gid_op == &gid_gt) in ima_policy_show()
2134 else if (entry->gid_op == &gid_lt) in ima_policy_show()
2141 if (entry->flags & IMA_EGID) { in ima_policy_show()
2142 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); in ima_policy_show()
2143 if (entry->gid_op == &gid_gt) in ima_policy_show()
2145 else if (entry->gid_op == &gid_lt) in ima_policy_show()
2152 if (entry->flags & IMA_FOWNER) { in ima_policy_show()
2153 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); in ima_policy_show()
2154 if (entry->fowner_op == &uid_gt) in ima_policy_show()
2156 else if (entry->fowner_op == &uid_lt) in ima_policy_show()
2163 if (entry->flags & IMA_FGROUP) { in ima_policy_show()
2164 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); in ima_policy_show()
2165 if (entry->fgroup_op == &gid_gt) in ima_policy_show()
2167 else if (entry->fgroup_op == &gid_lt) in ima_policy_show()
2174 if (entry->flags & IMA_VALIDATE_ALGOS) { in ima_policy_show()
2176 ima_policy_show_appraise_algos(m, entry->allowed_algos); in ima_policy_show()
2181 if (entry->lsm[i].rule) { in ima_policy_show()
2185 entry->lsm[i].args_p); in ima_policy_show()
2189 entry->lsm[i].args_p); in ima_policy_show()
2193 entry->lsm[i].args_p); in ima_policy_show()
2197 entry->lsm[i].args_p); in ima_policy_show()
2201 entry->lsm[i].args_p); in ima_policy_show()
2205 entry->lsm[i].args_p); in ima_policy_show()
2211 if (entry->template) in ima_policy_show()
2212 seq_printf(m, "template=%s ", entry->template->name); in ima_policy_show()
2213 if (entry->flags & IMA_DIGSIG_REQUIRED) { in ima_policy_show()
2214 if (entry->flags & IMA_VERITY_REQUIRED) in ima_policy_show()
2216 else if (entry->flags & IMA_MODSIG_ALLOWED) in ima_policy_show()
2221 if (entry->flags & IMA_VERITY_REQUIRED) in ima_policy_show()
2223 if (entry->flags & IMA_CHECK_BLACKLIST) in ima_policy_show()
2225 if (entry->flags & IMA_PERMIT_DIRECTIO) in ima_policy_show()
2237 * has a set of built-in trusted keys in order to avoid an attacker simply
2259 if (entry->action != APPRAISE) in ima_appraise_signature()
2266 if (entry->func && entry->func != func) in ima_appraise_signature()
2273 if (entry->flags & IMA_DIGSIG_REQUIRED) in ima_appraise_signature()
2278 * didn't require a digital signature - a later rule that does in ima_appraise_signature()