Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ima_policy.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2008 IBM Corporation
3  * Author: Mimi Zohar <[email protected]>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation, version 2 of the License.
8  *
9  * ima_policy.c
10  * - initialize default measure policy rules
11  *
12  */
13 #include <linux/module.h>
14 #include <linux/list.h>
15 #include <linux/security.h>
16 #include <linux/magic.h>
17 #include <linux/parser.h>
18 #include <linux/slab.h>
19 
20 #include "ima.h"
21 
22 /* flags definitions */
23 #define IMA_FUNC 0x0001
24 #define IMA_MASK 0x0002
25 #define IMA_FSMAGIC 0x0004
26 #define IMA_UID 0x0008
27 #define IMA_FOWNER 0x0010
28 
29 #define UNKNOWN 0
30 #define MEASURE 0x0001 /* same as IMA_MEASURE */
31 #define DONT_MEASURE 0x0002
32 #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
33 #define DONT_APPRAISE 0x0008
34 #define AUDIT 0x0040
35 
36 #define MAX_LSM_RULES 6
39 };
40 
42  struct list_head list;
43  int action;
44  unsigned int flags;
46  int mask;
47  unsigned long fsmagic;
50  struct {
51  void *rule; /* LSM file metadata specific */
52  int type; /* audit type */
53  } lsm[MAX_LSM_RULES];
54 };
55 
56 /*
57  * Without LSM specific knowledge, the default policy can only be
58  * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
59  */
60 
61 /*
62  * The minimum rule set to allow for full TCB coverage. Measures all files
63  * opened or mmap for exec and everything read by root. Dangerous because
64  * normal users can easily run the machine out of memory simply building
65  * and running executables.
66  */
67 static struct ima_rule_entry default_rules[] = {
68  {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
69  {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
70  {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
71  {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
72  {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
73  {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
74  {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
75  {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
76  {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
77  {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
78  .flags = IMA_FUNC | IMA_MASK},
79  {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
80  .flags = IMA_FUNC | IMA_MASK},
81  {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID,
82  .flags = IMA_FUNC | IMA_MASK | IMA_UID},
83 };
84 
85 static struct ima_rule_entry default_appraise_rules[] = {
86  {.action = DONT_APPRAISE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
87  {.action = DONT_APPRAISE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
88  {.action = DONT_APPRAISE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
89  {.action = DONT_APPRAISE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
90  {.action = DONT_APPRAISE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
91  {.action = DONT_APPRAISE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
92  {.action = DONT_APPRAISE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
93  {.action = DONT_APPRAISE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
94  {.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
95  {.action = DONT_APPRAISE,.fsmagic = CGROUP_SUPER_MAGIC,.flags = IMA_FSMAGIC},
96  {.action = APPRAISE,.fowner = GLOBAL_ROOT_UID,.flags = IMA_FOWNER},
97 };
98 
99 static LIST_HEAD(ima_default_rules);
100 static LIST_HEAD(ima_policy_rules);
101 static struct list_head *ima_rules;
102 
103 static DEFINE_MUTEX(ima_rules_mutex);
104 
105 static bool ima_use_tcb __initdata;
106 static int __init default_measure_policy_setup(char *str)
107 {
108  ima_use_tcb = 1;
109  return 1;
110 }
111 __setup("ima_tcb", default_measure_policy_setup);
112 
113 static bool ima_use_appraise_tcb __initdata;
114 static int __init default_appraise_policy_setup(char *str)
115 {
116  ima_use_appraise_tcb = 1;
117  return 1;
118 }
119 __setup("ima_appraise_tcb", default_appraise_policy_setup);
120 
130 static bool ima_match_rules(struct ima_rule_entry *rule,
131  struct inode *inode, enum ima_hooks func, int mask)
132 {
133  struct task_struct *tsk = current;
134  const struct cred *cred = current_cred();
135  int i;
136 
137  if ((rule->flags & IMA_FUNC) && rule->func != func)
138  return false;
139  if ((rule->flags & IMA_MASK) && rule->mask != mask)
140  return false;
141  if ((rule->flags & IMA_FSMAGIC)
142  && rule->fsmagic != inode->i_sb->s_magic)
143  return false;
144  if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
145  return false;
146  if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
147  return false;
148  for (i = 0; i < MAX_LSM_RULES; i++) {
149  int rc = 0;
150  u32 osid, sid;
151 
152  if (!rule->lsm[i].rule)
153  continue;
154 
155  switch (i) {
156  case LSM_OBJ_USER:
157  case LSM_OBJ_ROLE:
158  case LSM_OBJ_TYPE:
159  security_inode_getsecid(inode, &osid);
160  rc = security_filter_rule_match(osid,
161  rule->lsm[i].type,
162  Audit_equal,
163  rule->lsm[i].rule,
164  NULL);
165  break;
166  case LSM_SUBJ_USER:
167  case LSM_SUBJ_ROLE:
168  case LSM_SUBJ_TYPE:
169  security_task_getsecid(tsk, &sid);
170  rc = security_filter_rule_match(sid,
171  rule->lsm[i].type,
172  Audit_equal,
173  rule->lsm[i].rule,
174  NULL);
175  default:
176  break;
177  }
178  if (!rc)
179  return false;
180  }
181  return true;
182 }
183 
197 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
198  int flags)
199 {
200  struct ima_rule_entry *entry;
201  int action = 0, actmask = flags | (flags << 1);
202 
203  list_for_each_entry(entry, ima_rules, list) {
204 
205  if (!(entry->action & actmask))
206  continue;
207 
208  if (!ima_match_rules(entry, inode, func, mask))
209  continue;
210 
211  action |= entry->action & IMA_DO_MASK;
212  if (entry->action & IMA_DO_MASK)
213  actmask &= ~(entry->action | entry->action << 1);
214  else
215  actmask &= ~(entry->action | entry->action >> 1);
216 
217  if (!actmask)
218  break;
219  }
220 
221  return action;
222 }
223 
231 {
232  int i, measure_entries, appraise_entries;
233 
234  /* if !ima_use_tcb set entries = 0 so we load NO default rules */
235  measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0;
236  appraise_entries = ima_use_appraise_tcb ?
237  ARRAY_SIZE(default_appraise_rules) : 0;
238 
239  for (i = 0; i < measure_entries + appraise_entries; i++) {
240  if (i < measure_entries)
241  list_add_tail(&default_rules[i].list,
242  &ima_default_rules);
243  else {
244  int j = i - measure_entries;
245 
246  list_add_tail(&default_appraise_rules[j].list,
247  &ima_default_rules);
248  }
249  }
250 
251  ima_rules = &ima_default_rules;
252 }
253 
262 {
263  const char *op = "policy_update";
264  const char *cause = "already exists";
265  int result = 1;
266  int audit_info = 0;
267 
268  if (ima_rules == &ima_default_rules) {
269  ima_rules = &ima_policy_rules;
270  cause = "complete";
271  result = 0;
272  }
274  NULL, op, cause, result, audit_info);
275 }
276 
277 enum {
278  Opt_err = -1,
285 };
286 
287 static match_table_t policy_tokens = {
288  {Opt_measure, "measure"},
289  {Opt_dont_measure, "dont_measure"},
290  {Opt_appraise, "appraise"},
291  {Opt_dont_appraise, "dont_appraise"},
292  {Opt_audit, "audit"},
293  {Opt_obj_user, "obj_user=%s"},
294  {Opt_obj_role, "obj_role=%s"},
295  {Opt_obj_type, "obj_type=%s"},
296  {Opt_subj_user, "subj_user=%s"},
297  {Opt_subj_role, "subj_role=%s"},
298  {Opt_subj_type, "subj_type=%s"},
299  {Opt_func, "func=%s"},
300  {Opt_mask, "mask=%s"},
301  {Opt_fsmagic, "fsmagic=%s"},
302  {Opt_uid, "uid=%s"},
303  {Opt_fowner, "fowner=%s"},
304  {Opt_err, NULL}
305 };
306 
307 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
308  char *args, int lsm_rule, int audit_type)
309 {
310  int result;
311 
312  if (entry->lsm[lsm_rule].rule)
313  return -EINVAL;
314 
315  entry->lsm[lsm_rule].type = audit_type;
316  result = security_filter_rule_init(entry->lsm[lsm_rule].type,
317  Audit_equal, args,
318  &entry->lsm[lsm_rule].rule);
319  if (!entry->lsm[lsm_rule].rule)
320  return -EINVAL;
321  return result;
322 }
323 
324 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
325 {
326  audit_log_format(ab, "%s=", key);
327  audit_log_untrustedstring(ab, value);
328  audit_log_format(ab, " ");
329 }
330 
331 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
332 {
333  struct audit_buffer *ab;
334  char *p;
335  int result = 0;
336 
338 
339  entry->uid = INVALID_UID;
340  entry->fowner = INVALID_UID;
341  entry->action = UNKNOWN;
342  while ((p = strsep(&rule, " \t")) != NULL) {
344  int token;
345  unsigned long lnum;
346 
347  if (result < 0)
348  break;
349  if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
350  continue;
351  token = match_token(p, policy_tokens, args);
352  switch (token) {
353  case Opt_measure:
354  ima_log_string(ab, "action", "measure");
355 
356  if (entry->action != UNKNOWN)
357  result = -EINVAL;
358 
359  entry->action = MEASURE;
360  break;
361  case Opt_dont_measure:
362  ima_log_string(ab, "action", "dont_measure");
363 
364  if (entry->action != UNKNOWN)
365  result = -EINVAL;
366 
367  entry->action = DONT_MEASURE;
368  break;
369  case Opt_appraise:
370  ima_log_string(ab, "action", "appraise");
371 
372  if (entry->action != UNKNOWN)
373  result = -EINVAL;
374 
375  entry->action = APPRAISE;
376  break;
377  case Opt_dont_appraise:
378  ima_log_string(ab, "action", "dont_appraise");
379 
380  if (entry->action != UNKNOWN)
381  result = -EINVAL;
382 
383  entry->action = DONT_APPRAISE;
384  break;
385  case Opt_audit:
386  ima_log_string(ab, "action", "audit");
387 
388  if (entry->action != UNKNOWN)
389  result = -EINVAL;
390 
391  entry->action = AUDIT;
392  break;
393  case Opt_func:
394  ima_log_string(ab, "func", args[0].from);
395 
396  if (entry->func)
397  result = -EINVAL;
398 
399  if (strcmp(args[0].from, "FILE_CHECK") == 0)
400  entry->func = FILE_CHECK;
401  /* PATH_CHECK is for backwards compat */
402  else if (strcmp(args[0].from, "PATH_CHECK") == 0)
403  entry->func = FILE_CHECK;
404  else if (strcmp(args[0].from, "FILE_MMAP") == 0)
405  entry->func = FILE_MMAP;
406  else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
407  entry->func = BPRM_CHECK;
408  else
409  result = -EINVAL;
410  if (!result)
411  entry->flags |= IMA_FUNC;
412  break;
413  case Opt_mask:
414  ima_log_string(ab, "mask", args[0].from);
415 
416  if (entry->mask)
417  result = -EINVAL;
418 
419  if ((strcmp(args[0].from, "MAY_EXEC")) == 0)
420  entry->mask = MAY_EXEC;
421  else if (strcmp(args[0].from, "MAY_WRITE") == 0)
422  entry->mask = MAY_WRITE;
423  else if (strcmp(args[0].from, "MAY_READ") == 0)
424  entry->mask = MAY_READ;
425  else if (strcmp(args[0].from, "MAY_APPEND") == 0)
426  entry->mask = MAY_APPEND;
427  else
428  result = -EINVAL;
429  if (!result)
430  entry->flags |= IMA_MASK;
431  break;
432  case Opt_fsmagic:
433  ima_log_string(ab, "fsmagic", args[0].from);
434 
435  if (entry->fsmagic) {
436  result = -EINVAL;
437  break;
438  }
439 
440  result = strict_strtoul(args[0].from, 16,
441  &entry->fsmagic);
442  if (!result)
443  entry->flags |= IMA_FSMAGIC;
444  break;
445  case Opt_uid:
446  ima_log_string(ab, "uid", args[0].from);
447 
448  if (uid_valid(entry->uid)) {
449  result = -EINVAL;
450  break;
451  }
452 
453  result = strict_strtoul(args[0].from, 10, &lnum);
454  if (!result) {
455  entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
456  if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
457  result = -EINVAL;
458  else
459  entry->flags |= IMA_UID;
460  }
461  break;
462  case Opt_fowner:
463  ima_log_string(ab, "fowner", args[0].from);
464 
465  if (uid_valid(entry->fowner)) {
466  result = -EINVAL;
467  break;
468  }
469 
470  result = strict_strtoul(args[0].from, 10, &lnum);
471  if (!result) {
472  entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
473  if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
474  result = -EINVAL;
475  else
476  entry->flags |= IMA_FOWNER;
477  }
478  break;
479  case Opt_obj_user:
480  ima_log_string(ab, "obj_user", args[0].from);
481  result = ima_lsm_rule_init(entry, args[0].from,
482  LSM_OBJ_USER,
484  break;
485  case Opt_obj_role:
486  ima_log_string(ab, "obj_role", args[0].from);
487  result = ima_lsm_rule_init(entry, args[0].from,
488  LSM_OBJ_ROLE,
490  break;
491  case Opt_obj_type:
492  ima_log_string(ab, "obj_type", args[0].from);
493  result = ima_lsm_rule_init(entry, args[0].from,
494  LSM_OBJ_TYPE,
496  break;
497  case Opt_subj_user:
498  ima_log_string(ab, "subj_user", args[0].from);
499  result = ima_lsm_rule_init(entry, args[0].from,
502  break;
503  case Opt_subj_role:
504  ima_log_string(ab, "subj_role", args[0].from);
505  result = ima_lsm_rule_init(entry, args[0].from,
508  break;
509  case Opt_subj_type:
510  ima_log_string(ab, "subj_type", args[0].from);
511  result = ima_lsm_rule_init(entry, args[0].from,
514  break;
515  case Opt_err:
516  ima_log_string(ab, "UNKNOWN", p);
517  result = -EINVAL;
518  break;
519  }
520  }
521  if (!result && (entry->action == UNKNOWN))
522  result = -EINVAL;
523 
524  audit_log_format(ab, "res=%d", !result);
525  audit_log_end(ab);
526  return result;
527 }
528 
537 {
538  const char *op = "update_policy";
539  char *p;
540  struct ima_rule_entry *entry;
541  ssize_t result, len;
542  int audit_info = 0;
543 
544  /* Prevent installed policy from changing */
545  if (ima_rules != &ima_default_rules) {
547  NULL, op, "already exists",
548  -EACCES, audit_info);
549  return -EACCES;
550  }
551 
552  entry = kzalloc(sizeof(*entry), GFP_KERNEL);
553  if (!entry) {
555  NULL, op, "-ENOMEM", -ENOMEM, audit_info);
556  return -ENOMEM;
557  }
558 
559  INIT_LIST_HEAD(&entry->list);
560 
561  p = strsep(&rule, "\n");
562  len = strlen(p) + 1;
563 
564  if (*p == '#') {
565  kfree(entry);
566  return len;
567  }
568 
569  result = ima_parse_rule(p, entry);
570  if (result) {
571  kfree(entry);
573  NULL, op, "invalid policy", result,
574  audit_info);
575  return result;
576  }
577 
578  mutex_lock(&ima_rules_mutex);
579  list_add_tail(&entry->list, &ima_policy_rules);
580  mutex_unlock(&ima_rules_mutex);
581 
582  return len;
583 }
584 
585 /* ima_delete_rules called to cleanup invalid policy */
587 {
588  struct ima_rule_entry *entry, *tmp;
589 
590  mutex_lock(&ima_rules_mutex);
591  list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
592  list_del(&entry->list);
593  kfree(entry);
594  }
595  mutex_unlock(&ima_rules_mutex);
596 }