update kernel to 5.10.198

hc

2024-01-03 2f7c68cb55ecb7331f2381deb497c27155f32faf

 kernel/security/integrity/ima/ima_policy.c
..
..
@@ -1,17 +1,15 @@
1
+// SPDX-License-Identifier: GPL-2.0-only
1
2
 /*
2
3
  * Copyright (C) 2008 IBM Corporation
3
4
  * Author: Mimi Zohar <zohar@us.ibm.com>
4
5
  *
5
- * This program is free software; you can redistribute it and/or modify
6
- * it under the terms of the GNU General Public License as published by
7
- * the Free Software Foundation, version 2 of the License.
8
- *
9
6
  * ima_policy.c
10
7
  *	- initialize default measure policy rules
11
- *
12
8
  */
13
-#include <linux/module.h>
9
+
10
+#include <linux/init.h>
14
11
 #include <linux/list.h>
12
+#include <linux/kernel_read_file.h>
15
13
 #include <linux/fs.h>
16
14
 #include <linux/security.h>
17
15
 #include <linux/magic.h>
..
..
@@ -20,6 +18,7 @@
20
18
 #include <linux/rculist.h>
21
19
 #include <linux/genhd.h>
22
20
 #include <linux/seq_file.h>
21
+#include <linux/ima.h>
23
22
 
24
23
 #include "ima.h"
25
24
 
..
..
@@ -34,6 +33,7 @@
34
33
 #define IMA_EUID	0x0080
35
34
 #define IMA_PCR		0x0100
36
35
 #define IMA_FSNAME	0x0200
36
+#define IMA_KEYRINGS	0x0400
37
37
 
38
38
 #define UNKNOWN		0
39
39
 #define MEASURE		0x0001	/* same as IMA_MEASURE */
..
..
@@ -45,7 +45,7 @@
45
45
 #define DONT_HASH	0x0200
46
46
 
47
47
 #define INVALID_PCR(a) (((a) < 0) || \
48
-	(a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
48
+	(a) >= (sizeof_field(struct integrity_iint_cache, measured_pcrs) * 8))
49
49
 
50
50
 int ima_policy_flag;
51
51
 static int temp_ima_appraise;
..
..
@@ -57,6 +57,13 @@
57
57
 };
58
58
 
59
59
 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
60
+
61
+enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
62
+
63
+struct ima_rule_opt_list {
64
+	size_t count;
65
+	char *items[];
66
+};
60
67
 
61
68
 struct ima_rule_entry {
62
69
 	struct list_head list;
..
..
@@ -73,10 +80,12 @@
73
80
 	int pcr;
74
81
 	struct {
75
82
 		void *rule;	/* LSM file metadata specific */
76
-		void *args_p;	/* audit value */
83
+		char *args_p;	/* audit value */
77
84
 		int type;	/* audit type */
78
85
 	} lsm[MAX_LSM_RULES];
79
86
 	char *fsname;
87
+	struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
88
+	struct ima_template_desc *template;
80
89
 };
81
90
 
82
91
 /*
..
..
@@ -104,7 +113,8 @@
104
113
 	 .flags = IMA_FSMAGIC},
105
114
 	{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
106
115
 	 .flags = IMA_FSMAGIC},
107
-	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
116
+	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
117
+	{.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
108
118
 };
109
119
 
110
120
 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
..
..
@@ -147,6 +157,7 @@
147
157
 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
148
158
 	{.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
149
159
 	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
160
+	{.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
150
161
 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
151
162
 	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
152
163
 #ifdef CONFIG_IMA_WRITE_POLICY
..
..
@@ -193,6 +204,9 @@
193
204
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
194
205
 };
195
206
 
207
+/* An array of architecture specific rules */
208
+static struct ima_rule_entry *arch_policy_entry __ro_after_init;
209
+
196
210
 static LIST_HEAD(ima_default_rules);
197
211
 static LIST_HEAD(ima_policy_rules);
198
212
 static LIST_HEAD(ima_temp_rules);
..
..
@@ -228,6 +242,8 @@
228
242
 			ima_use_secure_boot = true;
229
243
 		else if (strcmp(p, "fail_securely") == 0)
230
244
 			ima_fail_unverifiable_sigs = true;
245
+		else
246
+			pr_err("policy \"%s\" not found", p);
231
247
 	}
232
248
 
233
249
 	return 1;
..
..
@@ -241,48 +257,256 @@
241
257
 }
242
258
 __setup("ima_appraise_tcb", default_appraise_policy_setup);
243
259
 
260
+static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src)
261
+{
262
+	struct ima_rule_opt_list *opt_list;
263
+	size_t count = 0;
264
+	char *src_copy;
265
+	char *cur, *next;
266
+	size_t i;
267
+
268
+	src_copy = match_strdup(src);
269
+	if (!src_copy)
270
+		return ERR_PTR(-ENOMEM);
271
+
272
+	next = src_copy;
273
+	while ((cur = strsep(&next, "|"))) {
274
+		/* Don't accept an empty list item */
275
+		if (!(*cur)) {
276
+			kfree(src_copy);
277
+			return ERR_PTR(-EINVAL);
278
+		}
279
+		count++;
280
+	}
281
+
282
+	/* Don't accept an empty list */
283
+	if (!count) {
284
+		kfree(src_copy);
285
+		return ERR_PTR(-EINVAL);
286
+	}
287
+
288
+	opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL);
289
+	if (!opt_list) {
290
+		kfree(src_copy);
291
+		return ERR_PTR(-ENOMEM);
292
+	}
293
+
294
+	/*
295
+	 * strsep() has already replaced all instances of '|' with '\0',
296
+	 * leaving a byte sequence of NUL-terminated strings. Reference each
297
+	 * string with the array of items.
298
+	 *
299
+	 * IMPORTANT: Ownership of the allocated buffer is transferred from
300
+	 * src_copy to the first element in the items array. To free the
301
+	 * buffer, kfree() must only be called on the first element of the
302
+	 * array.
303
+	 */
304
+	for (i = 0, cur = src_copy; i < count; i++) {
305
+		opt_list->items[i] = cur;
306
+		cur = strchr(cur, '\0') + 1;
307
+	}
308
+	opt_list->count = count;
309
+
310
+	return opt_list;
311
+}
312
+
313
+static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
314
+{
315
+	if (!opt_list)
316
+		return;
317
+
318
+	if (opt_list->count) {
319
+		kfree(opt_list->items[0]);
320
+		opt_list->count = 0;
321
+	}
322
+
323
+	kfree(opt_list);
324
+}
325
+
326
+static void ima_lsm_free_rule(struct ima_rule_entry *entry)
327
+{
328
+	int i;
329
+
330
+	for (i = 0; i < MAX_LSM_RULES; i++) {
331
+		ima_filter_rule_free(entry->lsm[i].rule);
332
+		kfree(entry->lsm[i].args_p);
333
+	}
334
+}
335
+
336
+static void ima_free_rule(struct ima_rule_entry *entry)
337
+{
338
+	if (!entry)
339
+		return;
340
+
341
+	/*
342
+	 * entry->template->fields may be allocated in ima_parse_rule() but that
343
+	 * reference is owned by the corresponding ima_template_desc element in
344
+	 * the defined_templates list and cannot be freed here
345
+	 */
346
+	kfree(entry->fsname);
347
+	ima_free_rule_opt_list(entry->keyrings);
348
+	ima_lsm_free_rule(entry);
349
+	kfree(entry);
350
+}
351
+
352
+static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
353
+{
354
+	struct ima_rule_entry *nentry;
355
+	int i;
356
+
357
+	/*
358
+	 * Immutable elements are copied over as pointers and data; only
359
+	 * lsm rules can change
360
+	 */
361
+	nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
362
+	if (!nentry)
363
+		return NULL;
364
+
365
+	memset(nentry->lsm, 0, sizeof_field(struct ima_rule_entry, lsm));
366
+
367
+	for (i = 0; i < MAX_LSM_RULES; i++) {
368
+		if (!entry->lsm[i].args_p)
369
+			continue;
370
+
371
+		nentry->lsm[i].type = entry->lsm[i].type;
372
+		nentry->lsm[i].args_p = entry->lsm[i].args_p;
373
+
374
+		ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
375
+				     nentry->lsm[i].args_p,
376
+				     &nentry->lsm[i].rule);
377
+		if (!nentry->lsm[i].rule)
378
+			pr_warn("rule for LSM \'%s\' is undefined\n",
379
+				nentry->lsm[i].args_p);
380
+	}
381
+	return nentry;
382
+}
383
+
384
+static int ima_lsm_update_rule(struct ima_rule_entry *entry)
385
+{
386
+	int i;
387
+	struct ima_rule_entry *nentry;
388
+
389
+	nentry = ima_lsm_copy_rule(entry);
390
+	if (!nentry)
391
+		return -ENOMEM;
392
+
393
+	list_replace_rcu(&entry->list, &nentry->list);
394
+	synchronize_rcu();
395
+	/*
396
+	 * ima_lsm_copy_rule() shallow copied all references, except for the
397
+	 * LSM references, from entry to nentry so we only want to free the LSM
398
+	 * references and the entry itself. All other memory refrences will now
399
+	 * be owned by nentry.
400
+	 */
401
+	for (i = 0; i < MAX_LSM_RULES; i++)
402
+		ima_filter_rule_free(entry->lsm[i].rule);
403
+	kfree(entry);
404
+
405
+	return 0;
406
+}
407
+
408
+static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
409
+{
410
+	int i;
411
+
412
+	for (i = 0; i < MAX_LSM_RULES; i++)
413
+		if (entry->lsm[i].args_p)
414
+			return true;
415
+
416
+	return false;
417
+}
418
+
244
419
 /*
245
420
  * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
246
421
  * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
247
- * the reloaded LSM policy.  We assume the rules still exist; and BUG_ON() if
248
- * they don't.
422
+ * the reloaded LSM policy.
249
423
  */
250
424
 static void ima_lsm_update_rules(void)
251
425
 {
252
-	struct ima_rule_entry *entry;
426
+	struct ima_rule_entry *entry, *e;
253
427
 	int result;
254
-	int i;
255
428
 
256
-	list_for_each_entry(entry, &ima_policy_rules, list) {
257
-		for (i = 0; i < MAX_LSM_RULES; i++) {
258
-			if (!entry->lsm[i].rule)
259
-				continue;
260
-			result = security_filter_rule_init(entry->lsm[i].type,
261
-							   Audit_equal,
262
-							   entry->lsm[i].args_p,
263
-							   &entry->lsm[i].rule);
264
-			BUG_ON(!entry->lsm[i].rule);
429
+	list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
430
+		if (!ima_rule_contains_lsm_cond(entry))
431
+			continue;
432
+
433
+		result = ima_lsm_update_rule(entry);
434
+		if (result) {
435
+			pr_err("lsm rule update error %d\n", result);
436
+			return;
265
437
 		}
266
438
 	}
267
439
 }
268
440
 
441
+int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
442
+			  void *lsm_data)
443
+{
444
+	if (event != LSM_POLICY_CHANGE)
445
+		return NOTIFY_DONE;
446
+
447
+	ima_lsm_update_rules();
448
+	return NOTIFY_OK;
449
+}
450
+
269
451
 /**
270
- * ima_match_rules - determine whether an inode matches the measure rule.
452
+ * ima_match_keyring - determine whether the keyring matches the measure rule
453
+ * @rule: a pointer to a rule
454
+ * @keyring: name of the keyring to match against the measure rule
455
+ * @cred: a pointer to a credentials structure for user validation
456
+ *
457
+ * Returns true if keyring matches one in the rule, false otherwise.
458
+ */
459
+static bool ima_match_keyring(struct ima_rule_entry *rule,
460
+			      const char *keyring, const struct cred *cred)
461
+{
462
+	bool matched = false;
463
+	size_t i;
464
+
465
+	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
466
+		return false;
467
+
468
+	if (!rule->keyrings)
469
+		return true;
470
+
471
+	if (!keyring)
472
+		return false;
473
+
474
+	for (i = 0; i < rule->keyrings->count; i++) {
475
+		if (!strcmp(rule->keyrings->items[i], keyring)) {
476
+			matched = true;
477
+			break;
478
+		}
479
+	}
480
+
481
+	return matched;
482
+}
483
+
484
+/**
485
+ * ima_match_rules - determine whether an inode matches the policy rule.
271
486
  * @rule: a pointer to a rule
272
487
  * @inode: a pointer to an inode
273
488
  * @cred: a pointer to a credentials structure for user validation
274
489
  * @secid: the secid of the task to be validated
275
490
  * @func: LIM hook identifier
276
491
  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
492
+ * @keyring: keyring name to check in policy for KEY_CHECK func
277
493
  *
278
494
  * Returns true on rule match, false on failure.
279
495
  */
280
496
 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
281
497
 			    const struct cred *cred, u32 secid,
282
-			    enum ima_hooks func, int mask)
498
+			    enum ima_hooks func, int mask,
499
+			    const char *keyring)
283
500
 {
284
501
 	int i;
502
+	bool result = false;
503
+	struct ima_rule_entry *lsm_rule = rule;
504
+	bool rule_reinitialized = false;
285
505
 
506
+	if (func == KEY_CHECK) {
507
+		return (rule->flags & IMA_FUNC) && (rule->func == func) &&
508
+		       ima_match_keyring(rule, keyring, cred);
509
+	}
286
510
 	if ((rule->flags & IMA_FUNC) &&
287
511
 	    (rule->func != func && func != POST_SETATTR))
288
512
 		return false;
..
..
@@ -319,42 +543,56 @@
319
543
 	for (i = 0; i < MAX_LSM_RULES; i++) {
320
544
 		int rc = 0;
321
545
 		u32 osid;
322
-		int retried = 0;
323
546
 
324
-		if (!rule->lsm[i].rule)
325
-			continue;
547
+		if (!lsm_rule->lsm[i].rule) {
548
+			if (!lsm_rule->lsm[i].args_p)
549
+				continue;
550
+			else
551
+				return false;
552
+		}
553
+
326
554
 retry:
327
555
 		switch (i) {
328
556
 		case LSM_OBJ_USER:
329
557
 		case LSM_OBJ_ROLE:
330
558
 		case LSM_OBJ_TYPE:
331
559
 			security_inode_getsecid(inode, &osid);
332
-			rc = security_filter_rule_match(osid,
333
-							rule->lsm[i].type,
334
-							Audit_equal,
335
-							rule->lsm[i].rule,
336
-							NULL);
560
+			rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type,
561
+						   Audit_equal,
562
+						   lsm_rule->lsm[i].rule);
337
563
 			break;
338
564
 		case LSM_SUBJ_USER:
339
565
 		case LSM_SUBJ_ROLE:
340
566
 		case LSM_SUBJ_TYPE:
341
-			rc = security_filter_rule_match(secid,
342
-							rule->lsm[i].type,
343
-							Audit_equal,
344
-							rule->lsm[i].rule,
345
-							NULL);
567
+			rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type,
568
+						   Audit_equal,
569
+						   lsm_rule->lsm[i].rule);
570
+			break;
346
571
 		default:
347
572
 			break;
348
573
 		}
349
-		if ((rc < 0) && (!retried)) {
350
-			retried = 1;
351
-			ima_lsm_update_rules();
352
-			goto retry;
574
+
575
+		if (rc == -ESTALE && !rule_reinitialized) {
576
+			lsm_rule = ima_lsm_copy_rule(rule);
577
+			if (lsm_rule) {
578
+				rule_reinitialized = true;
579
+				goto retry;
580
+			}
353
581
 		}
354
-		if (!rc)
355
-			return false;
582
+		if (!rc) {
583
+			result = false;
584
+			goto out;
585
+		}
356
586
 	}
357
-	return true;
587
+	result = true;
588
+
589
+out:
590
+	if (rule_reinitialized) {
591
+		for (i = 0; i < MAX_LSM_RULES; i++)
592
+			ima_filter_rule_free(lsm_rule->lsm[i].rule);
593
+		kfree(lsm_rule);
594
+	}
595
+	return result;
358
596
 }
359
597
 
360
598
 /*
..
..
@@ -390,7 +628,11 @@
390
628
  * @secid: LSM secid of the task to be validated
391
629
  * @func: IMA hook identifier
392
630
  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
631
+ * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE)
393
632
  * @pcr: set the pcr to extend
633
+ * @template_desc: the template that should be used for this rule
634
+ * @keyring: the keyring name, if given, to be used to check in the policy.
635
+ *           keyring can be NULL if func is anything other than KEY_CHECK.
394
636
  *
395
637
  * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
396
638
  * conditions.
..
..
@@ -400,10 +642,15 @@
400
642
  * than writes so ima_match_policy() is classical RCU candidate.
401
643
  */
402
644
 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
403
-		     enum ima_hooks func, int mask, int flags, int *pcr)
645
+		     enum ima_hooks func, int mask, int flags, int *pcr,
646
+		     struct ima_template_desc **template_desc,
647
+		     const char *keyring)
404
648
 {
405
649
 	struct ima_rule_entry *entry;
406
650
 	int action = 0, actmask = flags | (flags << 1);
651
+
652
+	if (template_desc)
653
+		*template_desc = ima_template_desc_current();
407
654
 
408
655
 	rcu_read_lock();
409
656
 	list_for_each_entry_rcu(entry, ima_rules, list) {
..
..
@@ -411,7 +658,8 @@
411
658
 		if (!(entry->action & actmask))
412
659
 			continue;
413
660
 
414
-		if (!ima_match_rules(entry, inode, cred, secid, func, mask))
661
+		if (!ima_match_rules(entry, inode, cred, secid, func, mask,
662
+				     keyring))
415
663
 			continue;
416
664
 
417
665
 		action |= entry->flags & IMA_ACTION_FLAGS;
..
..
@@ -424,6 +672,7 @@
424
672
 				action |= IMA_FAIL_UNVERIFIABLE_SIGS;
425
673
 		}
426
674
 
675
+
427
676
 		if (entry->action & IMA_DO_MASK)
428
677
 			actmask &= ~(entry->action | entry->action << 1);
429
678
 		else
..
..
@@ -431,6 +680,9 @@
431
680
 
432
681
 		if ((pcr) && (entry->flags & IMA_PCR))
433
682
 			*pcr = entry->pcr;
683
+
684
+		if (template_desc && entry->template)
685
+			*template_desc = entry->template;
434
686
 
435
687
 		if (!actmask)
436
688
 			break;
..
..
@@ -473,6 +725,79 @@
473
725
 	return 0;
474
726
 }
475
727
 
728
+static void add_rules(struct ima_rule_entry *entries, int count,
729
+		      enum policy_rule_list policy_rule)
730
+{
731
+	int i = 0;
732
+
733
+	for (i = 0; i < count; i++) {
734
+		struct ima_rule_entry *entry;
735
+
736
+		if (policy_rule & IMA_DEFAULT_POLICY)
737
+			list_add_tail(&entries[i].list, &ima_default_rules);
738
+
739
+		if (policy_rule & IMA_CUSTOM_POLICY) {
740
+			entry = kmemdup(&entries[i], sizeof(*entry),
741
+					GFP_KERNEL);
742
+			if (!entry)
743
+				continue;
744
+
745
+			list_add_tail(&entry->list, &ima_policy_rules);
746
+		}
747
+		if (entries[i].action == APPRAISE) {
748
+			if (entries != build_appraise_rules)
749
+				temp_ima_appraise |=
750
+					ima_appraise_flag(entries[i].func);
751
+			else
752
+				build_ima_appraise |=
753
+					ima_appraise_flag(entries[i].func);
754
+		}
755
+	}
756
+}
757
+
758
+static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
759
+
760
+static int __init ima_init_arch_policy(void)
761
+{
762
+	const char * const *arch_rules;
763
+	const char * const *rules;
764
+	int arch_entries = 0;
765
+	int i = 0;
766
+
767
+	arch_rules = arch_get_ima_policy();
768
+	if (!arch_rules)
769
+		return arch_entries;
770
+
771
+	/* Get number of rules */
772
+	for (rules = arch_rules; *rules != NULL; rules++)
773
+		arch_entries++;
774
+
775
+	arch_policy_entry = kcalloc(arch_entries + 1,
776
+				    sizeof(*arch_policy_entry), GFP_KERNEL);
777
+	if (!arch_policy_entry)
778
+		return 0;
779
+
780
+	/* Convert each policy string rules to struct ima_rule_entry format */
781
+	for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
782
+		char rule[255];
783
+		int result;
784
+
785
+		result = strlcpy(rule, *rules, sizeof(rule));
786
+
787
+		INIT_LIST_HEAD(&arch_policy_entry[i].list);
788
+		result = ima_parse_rule(rule, &arch_policy_entry[i]);
789
+		if (result) {
790
+			pr_warn("Skipping unknown architecture policy rule: %s\n",
791
+				rule);
792
+			memset(&arch_policy_entry[i], 0,
793
+			       sizeof(*arch_policy_entry));
794
+			continue;
795
+		}
796
+		i++;
797
+	}
798
+	return i;
799
+}
800
+
476
801
 /**
477
802
  * ima_init_policy - initialize the default measure rules.
478
803
  *
..
..
@@ -481,68 +806,69 @@
481
806
  */
482
807
 void __init ima_init_policy(void)
483
808
 {
484
-	int i, measure_entries, appraise_entries, secure_boot_entries;
809
+	int build_appraise_entries, arch_entries;
485
810
 
486
-	/* if !ima_policy set entries = 0 so we load NO default rules */
487
-	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
488
-	appraise_entries = ima_use_appraise_tcb ?
489
-			 ARRAY_SIZE(default_appraise_rules) : 0;
490
-	secure_boot_entries = ima_use_secure_boot ?
491
-			ARRAY_SIZE(secure_boot_rules) : 0;
492
-
493
-	for (i = 0; i < measure_entries; i++)
494
-		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
811
+	/* if !ima_policy, we load NO default rules */
812
+	if (ima_policy)
813
+		add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
814
+			  IMA_DEFAULT_POLICY);
495
815
 
496
816
 	switch (ima_policy) {
497
817
 	case ORIGINAL_TCB:
498
-		for (i = 0; i < ARRAY_SIZE(original_measurement_rules); i++)
499
-			list_add_tail(&original_measurement_rules[i].list,
500
-				      &ima_default_rules);
818
+		add_rules(original_measurement_rules,
819
+			  ARRAY_SIZE(original_measurement_rules),
820
+			  IMA_DEFAULT_POLICY);
501
821
 		break;
502
822
 	case DEFAULT_TCB:
503
-		for (i = 0; i < ARRAY_SIZE(default_measurement_rules); i++)
504
-			list_add_tail(&default_measurement_rules[i].list,
505
-				      &ima_default_rules);
823
+		add_rules(default_measurement_rules,
824
+			  ARRAY_SIZE(default_measurement_rules),
825
+			  IMA_DEFAULT_POLICY);
826
+		break;
506
827
 	default:
507
828
 		break;
508
829
 	}
509
830
 
510
831
 	/*
511
-	 * Insert the builtin "secure_boot" policy rules requiring file
512
-	 * signatures, prior to any other appraise rules.
832
+	 * Based on runtime secure boot flags, insert arch specific measurement
833
+	 * and appraise rules requiring file signatures for both the initial
834
+	 * and custom policies, prior to other appraise rules.
835
+	 * (Highest priority)
513
836
 	 */
514
-	for (i = 0; i < secure_boot_entries; i++) {
515
-		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
516
-		temp_ima_appraise |=
517
-		    ima_appraise_flag(secure_boot_rules[i].func);
518
-	}
837
+	arch_entries = ima_init_arch_policy();
838
+	if (!arch_entries)
839
+		pr_info("No architecture policies found\n");
840
+	else
841
+		add_rules(arch_policy_entry, arch_entries,
842
+			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
843
+
844
+	/*
845
+	 * Insert the builtin "secure_boot" policy rules requiring file
846
+	 * signatures, prior to other appraise rules.
847
+	 */
848
+	if (ima_use_secure_boot)
849
+		add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
850
+			  IMA_DEFAULT_POLICY);
519
851
 
520
852
 	/*
521
853
 	 * Insert the build time appraise rules requiring file signatures
522
854
 	 * for both the initial and custom policies, prior to other appraise
523
-	 * rules.
855
+	 * rules. As the secure boot rules includes all of the build time
856
+	 * rules, include either one or the other set of rules, but not both.
524
857
 	 */
525
-	for (i = 0; i < ARRAY_SIZE(build_appraise_rules); i++) {
526
-		struct ima_rule_entry *entry;
527
-
528
-		if (!secure_boot_entries)
529
-			list_add_tail(&build_appraise_rules[i].list,
530
-				      &ima_default_rules);
531
-
532
-		entry = kmemdup(&build_appraise_rules[i], sizeof(*entry),
533
-				GFP_KERNEL);
534
-		if (entry)
535
-			list_add_tail(&entry->list, &ima_policy_rules);
536
-		build_ima_appraise |=
537
-			ima_appraise_flag(build_appraise_rules[i].func);
858
+	build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
859
+	if (build_appraise_entries) {
860
+		if (ima_use_secure_boot)
861
+			add_rules(build_appraise_rules, build_appraise_entries,
862
+				  IMA_CUSTOM_POLICY);
863
+		else
864
+			add_rules(build_appraise_rules, build_appraise_entries,
865
+				  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
538
866
 	}
539
867
 
540
-	for (i = 0; i < appraise_entries; i++) {
541
-		list_add_tail(&default_appraise_rules[i].list,
542
-			      &ima_default_rules);
543
-		if (default_appraise_rules[i].func == POLICY_CHECK)
544
-			temp_ima_appraise |= IMA_APPRAISE_POLICY;
545
-	}
868
+	if (ima_use_appraise_tcb)
869
+		add_rules(default_appraise_rules,
870
+			  ARRAY_SIZE(default_appraise_rules),
871
+			  IMA_DEFAULT_POLICY);
546
872
 
547
873
 	ima_update_policy_flag();
548
874
 }
..
..
@@ -575,13 +901,24 @@
575
901
 	if (ima_rules != policy) {
576
902
 		ima_policy_flag = 0;
577
903
 		ima_rules = policy;
904
+
905
+		/*
906
+		 * IMA architecture specific policy rules are specified
907
+		 * as strings and converted to an array of ima_entry_rules
908
+		 * on boot.  After loading a custom policy, free the
909
+		 * architecture specific rules stored as an array.
910
+		 */
911
+		kfree(arch_policy_entry);
578
912
 	}
579
913
 	ima_update_policy_flag();
914
+
915
+	/* Custom IMA policy has been loaded */
916
+	ima_process_queued_keys();
580
917
 }
581
918
 
919
+/* Keep the enumeration in sync with the policy_tokens! */
582
920
 enum {
583
-	Opt_err = -1,
584
-	Opt_measure = 1, Opt_dont_measure,
921
+	Opt_measure, Opt_dont_measure,
585
922
 	Opt_appraise, Opt_dont_appraise,
586
923
 	Opt_audit, Opt_hash, Opt_dont_hash,
587
924
 	Opt_obj_user, Opt_obj_role, Opt_obj_type,
..
..
@@ -590,11 +927,12 @@
590
927
 	Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
591
928
 	Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
592
929
 	Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
593
-	Opt_appraise_type, Opt_permit_directio,
594
-	Opt_pcr
930
+	Opt_appraise_type, Opt_appraise_flag,
931
+	Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
932
+	Opt_err
595
933
 };
596
934
 
597
-static match_table_t policy_tokens = {
935
+static const match_table_t policy_tokens = {
598
936
 	{Opt_measure, "measure"},
599
937
 	{Opt_dont_measure, "dont_measure"},
600
938
 	{Opt_appraise, "appraise"},
..
..
@@ -623,8 +961,11 @@
623
961
 	{Opt_euid_lt, "euid<%s"},
624
962
 	{Opt_fowner_lt, "fowner<%s"},
625
963
 	{Opt_appraise_type, "appraise_type=%s"},
964
+	{Opt_appraise_flag, "appraise_flag=%s"},
626
965
 	{Opt_permit_directio, "permit_directio"},
627
966
 	{Opt_pcr, "pcr=%s"},
967
+	{Opt_template, "template=%s"},
968
+	{Opt_keyrings, "keyrings=%s"},
628
969
 	{Opt_err, NULL}
629
970
 };
630
971
 
..
..
@@ -641,13 +982,19 @@
641
982
 		return -ENOMEM;
642
983
 
643
984
 	entry->lsm[lsm_rule].type = audit_type;
644
-	result = security_filter_rule_init(entry->lsm[lsm_rule].type,
645
-					   Audit_equal,
646
-					   entry->lsm[lsm_rule].args_p,
647
-					   &entry->lsm[lsm_rule].rule);
985
+	result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
986
+				      entry->lsm[lsm_rule].args_p,
987
+				      &entry->lsm[lsm_rule].rule);
648
988
 	if (!entry->lsm[lsm_rule].rule) {
649
-		kfree(entry->lsm[lsm_rule].args_p);
650
-		return -EINVAL;
989
+		pr_warn("rule for LSM \'%s\' is undefined\n",
990
+			entry->lsm[lsm_rule].args_p);
991
+
992
+		if (ima_rules == &ima_default_rules) {
993
+			kfree(entry->lsm[lsm_rule].args_p);
994
+			entry->lsm[lsm_rule].args_p = NULL;
995
+			result = -EINVAL;
996
+		} else
997
+			result = 0;
651
998
 	}
652
999
 
653
1000
 	return result;
..
..
@@ -672,12 +1019,135 @@
672
1019
 	ima_log_string_op(ab, key, value, NULL);
673
1020
 }
674
1021
 
1022
+/*
1023
+ * Validating the appended signature included in the measurement list requires
1024
+ * the file hash calculated without the appended signature (i.e., the 'd-modsig'
1025
+ * field). Therefore, notify the user if they have the 'modsig' field but not
1026
+ * the 'd-modsig' field in the template.
1027
+ */
1028
+static void check_template_modsig(const struct ima_template_desc *template)
1029
+{
1030
+#define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
1031
+	bool has_modsig, has_dmodsig;
1032
+	static bool checked;
1033
+	int i;
1034
+
1035
+	/* We only need to notify the user once. */
1036
+	if (checked)
1037
+		return;
1038
+
1039
+	has_modsig = has_dmodsig = false;
1040
+	for (i = 0; i < template->num_fields; i++) {
1041
+		if (!strcmp(template->fields[i]->field_id, "modsig"))
1042
+			has_modsig = true;
1043
+		else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
1044
+			has_dmodsig = true;
1045
+	}
1046
+
1047
+	if (has_modsig && !has_dmodsig)
1048
+		pr_notice(MSG);
1049
+
1050
+	checked = true;
1051
+#undef MSG
1052
+}
1053
+
1054
+static bool ima_validate_rule(struct ima_rule_entry *entry)
1055
+{
1056
+	/* Ensure that the action is set and is compatible with the flags */
1057
+	if (entry->action == UNKNOWN)
1058
+		return false;
1059
+
1060
+	if (entry->action != MEASURE && entry->flags & IMA_PCR)
1061
+		return false;
1062
+
1063
+	if (entry->action != APPRAISE &&
1064
+	    entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST))
1065
+		return false;
1066
+
1067
+	/*
1068
+	 * The IMA_FUNC bit must be set if and only if there's a valid hook
1069
+	 * function specified, and vice versa. Enforcing this property allows
1070
+	 * for the NONE case below to validate a rule without an explicit hook
1071
+	 * function.
1072
+	 */
1073
+	if (((entry->flags & IMA_FUNC) && entry->func == NONE) ||
1074
+	    (!(entry->flags & IMA_FUNC) && entry->func != NONE))
1075
+		return false;
1076
+
1077
+	/*
1078
+	 * Ensure that the hook function is compatible with the other
1079
+	 * components of the rule
1080
+	 */
1081
+	switch (entry->func) {
1082
+	case NONE:
1083
+	case FILE_CHECK:
1084
+	case MMAP_CHECK:
1085
+	case BPRM_CHECK:
1086
+	case CREDS_CHECK:
1087
+	case POST_SETATTR:
1088
+	case FIRMWARE_CHECK:
1089
+	case POLICY_CHECK:
1090
+		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1091
+				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1092
+				     IMA_INMASK | IMA_EUID | IMA_PCR |
1093
+				     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
1094
+				     IMA_PERMIT_DIRECTIO))
1095
+			return false;
1096
+
1097
+		break;
1098
+	case MODULE_CHECK:
1099
+	case KEXEC_KERNEL_CHECK:
1100
+	case KEXEC_INITRAMFS_CHECK:
1101
+		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
1102
+				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
1103
+				     IMA_INMASK | IMA_EUID | IMA_PCR |
1104
+				     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
1105
+				     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
1106
+				     IMA_CHECK_BLACKLIST))
1107
+			return false;
1108
+
1109
+		break;
1110
+	case KEXEC_CMDLINE:
1111
+		if (entry->action & ~(MEASURE | DONT_MEASURE))
1112
+			return false;
1113
+
1114
+		if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
1115
+				     IMA_FOWNER | IMA_FSUUID | IMA_EUID |
1116
+				     IMA_PCR | IMA_FSNAME))
1117
+			return false;
1118
+
1119
+		break;
1120
+	case KEY_CHECK:
1121
+		if (entry->action & ~(MEASURE | DONT_MEASURE))
1122
+			return false;
1123
+
1124
+		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
1125
+				     IMA_KEYRINGS))
1126
+			return false;
1127
+
1128
+		if (ima_rule_contains_lsm_cond(entry))
1129
+			return false;
1130
+
1131
+		break;
1132
+	default:
1133
+		return false;
1134
+	}
1135
+
1136
+	/* Ensure that combinations of flags are compatible with each other */
1137
+	if (entry->flags & IMA_CHECK_BLACKLIST &&
1138
+	    !(entry->flags & IMA_MODSIG_ALLOWED))
1139
+		return false;
1140
+
1141
+	return true;
1142
+}
1143
+
675
1144
 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
676
1145
 {
677
1146
 	struct audit_buffer *ab;
678
1147
 	char *from;
679
1148
 	char *p;
680
1149
 	bool uid_token;
1150
+	struct ima_template_desc *template_desc;
681
1151
 	int result = 0;
682
1152
 
683
1153
 	ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
..
..
@@ -785,6 +1255,11 @@
785
1255
 				entry->func = KEXEC_INITRAMFS_CHECK;
786
1256
 			else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
787
1257
 				entry->func = POLICY_CHECK;
1258
+			else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
1259
+				entry->func = KEXEC_CMDLINE;
1260
+			else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
1261
+				 strcmp(args[0].from, "KEY_CHECK") == 0)
1262
+				entry->func = KEY_CHECK;
788
1263
 			else
789
1264
 				result = -EINVAL;
790
1265
 			if (!result)
..
..
@@ -837,6 +1312,24 @@
837
1312
 			result = 0;
838
1313
 			entry->flags |= IMA_FSNAME;
839
1314
 			break;
1315
+		case Opt_keyrings:
1316
+			ima_log_string(ab, "keyrings", args[0].from);
1317
+
1318
+			if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) ||
1319
+			    entry->keyrings) {
1320
+				result = -EINVAL;
1321
+				break;
1322
+			}
1323
+
1324
+			entry->keyrings = ima_alloc_rule_opt_list(args);
1325
+			if (IS_ERR(entry->keyrings)) {
1326
+				result = PTR_ERR(entry->keyrings);
1327
+				entry->keyrings = NULL;
1328
+				break;
1329
+			}
1330
+
1331
+			entry->flags |= IMA_KEYRINGS;
1332
+			break;
840
1333
 		case Opt_fsuuid:
841
1334
 			ima_log_string(ab, "fsuuid", args[0].from);
842
1335
 
..
..
@@ -852,10 +1345,12 @@
852
1345
 		case Opt_uid_gt:
853
1346
 		case Opt_euid_gt:
854
1347
 			entry->uid_op = &uid_gt;
1348
+			fallthrough;
855
1349
 		case Opt_uid_lt:
856
1350
 		case Opt_euid_lt:
857
1351
 			if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
858
1352
 				entry->uid_op = &uid_lt;
1353
+			fallthrough;
859
1354
 		case Opt_uid_eq:
860
1355
 		case Opt_euid_eq:
861
1356
 			uid_token = (token == Opt_uid_eq) ||
..
..
@@ -884,9 +1379,11 @@
884
1379
 			break;
885
1380
 		case Opt_fowner_gt:
886
1381
 			entry->fowner_op = &uid_gt;
1382
+			fallthrough;
887
1383
 		case Opt_fowner_lt:
888
1384
 			if (token == Opt_fowner_lt)
889
1385
 				entry->fowner_op = &uid_lt;
1386
+			fallthrough;
890
1387
 		case Opt_fowner_eq:
891
1388
 			ima_log_string_op(ab, "fowner", args[0].from,
892
1389
 					  entry->fowner_op);
..
..
@@ -942,14 +1439,21 @@
942
1439
 						   AUDIT_SUBJ_TYPE);
943
1440
 			break;
944
1441
 		case Opt_appraise_type:
945
-			if (entry->action != APPRAISE) {
946
-				result = -EINVAL;
947
-				break;
948
-			}
949
-
950
1442
 			ima_log_string(ab, "appraise_type", args[0].from);
951
1443
 			if ((strcmp(args[0].from, "imasig")) == 0)
952
1444
 				entry->flags |= IMA_DIGSIG_REQUIRED;
1445
+			else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1446
+				 strcmp(args[0].from, "imasig|modsig") == 0)
1447
+				entry->flags |= IMA_DIGSIG_REQUIRED |
1448
+						IMA_MODSIG_ALLOWED;
1449
+			else
1450
+				result = -EINVAL;
1451
+			break;
1452
+		case Opt_appraise_flag:
1453
+			ima_log_string(ab, "appraise_flag", args[0].from);
1454
+			if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
1455
+			    strstr(args[0].from, "blacklist"))
1456
+				entry->flags |= IMA_CHECK_BLACKLIST;
953
1457
 			else
954
1458
 				result = -EINVAL;
955
1459
 			break;
..
..
@@ -957,10 +1461,6 @@
957
1461
 			entry->flags |= IMA_PERMIT_DIRECTIO;
958
1462
 			break;
959
1463
 		case Opt_pcr:
960
-			if (entry->action != MEASURE) {
961
-				result = -EINVAL;
962
-				break;
963
-			}
964
1464
 			ima_log_string(ab, "pcr", args[0].from);
965
1465
 
966
1466
 			result = kstrtoint(args[0].from, 10, &entry->pcr);
..
..
@@ -970,16 +1470,44 @@
970
1470
 				entry->flags |= IMA_PCR;
971
1471
 
972
1472
 			break;
1473
+		case Opt_template:
1474
+			ima_log_string(ab, "template", args[0].from);
1475
+			if (entry->action != MEASURE) {
1476
+				result = -EINVAL;
1477
+				break;
1478
+			}
1479
+			template_desc = lookup_template_desc(args[0].from);
1480
+			if (!template_desc || entry->template) {
1481
+				result = -EINVAL;
1482
+				break;
1483
+			}
1484
+
1485
+			/*
1486
+			 * template_desc_init_fields() does nothing if
1487
+			 * the template is already initialised, so
1488
+			 * it's safe to do this unconditionally
1489
+			 */
1490
+			template_desc_init_fields(template_desc->fmt,
1491
+						 &(template_desc->fields),
1492
+						 &(template_desc->num_fields));
1493
+			entry->template = template_desc;
1494
+			break;
973
1495
 		case Opt_err:
974
1496
 			ima_log_string(ab, "UNKNOWN", p);
975
1497
 			result = -EINVAL;
976
1498
 			break;
977
1499
 		}
978
1500
 	}
979
-	if (!result && (entry->action == UNKNOWN))
1501
+	if (!result && !ima_validate_rule(entry))
980
1502
 		result = -EINVAL;
981
1503
 	else if (entry->action == APPRAISE)
982
1504
 		temp_ima_appraise |= ima_appraise_flag(entry->func);
1505
+
1506
+	if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
1507
+		template_desc = entry->template ? entry->template :
1508
+						  ima_template_desc_current();
1509
+		check_template_modsig(template_desc);
1510
+	}
983
1511
 
984
1512
 	audit_log_format(ab, "res=%d", !result);
985
1513
 	audit_log_end(ab);
..
..
@@ -988,7 +1516,7 @@
988
1516
 
989
1517
 /**
990
1518
  * ima_parse_add_rule - add a rule to ima_policy_rules
991
- * @rule - ima measurement policy rule
1519
+ * @rule: ima measurement policy rule
992
1520
  *
993
1521
  * Avoid locking by allowing just one writer at a time in ima_write_policy()
994
1522
  * Returns the length of the rule parsed, an error code on failure
..
..
@@ -1019,7 +1547,7 @@
1019
1547
 
1020
1548
 	result = ima_parse_rule(p, entry);
1021
1549
 	if (result) {
1022
-		kfree(entry);
1550
+		ima_free_rule(entry);
1023
1551
 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1024
1552
 				    NULL, op, "invalid-policy", result,
1025
1553
 				    audit_info);
..
..
@@ -1040,17 +1568,19 @@
1040
1568
 void ima_delete_rules(void)
1041
1569
 {
1042
1570
 	struct ima_rule_entry *entry, *tmp;
1043
-	int i;
1044
1571
 
1045
1572
 	temp_ima_appraise = 0;
1046
1573
 	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1047
-		for (i = 0; i < MAX_LSM_RULES; i++)
1048
-			kfree(entry->lsm[i].args_p);
1049
-
1050
1574
 		list_del(&entry->list);
1051
-		kfree(entry);
1575
+		ima_free_rule(entry);
1052
1576
 	}
1053
1577
 }
1578
+
1579
+#define __ima_hook_stringify(func, str)	(#func),
1580
+
1581
+const char *const func_tokens[] = {
1582
+	__ima_hooks(__ima_hook_stringify)
1583
+};
1054
1584
 
1055
1585
 #ifdef	CONFIG_IMA_READ_POLICY
1056
1586
 enum {
..
..
@@ -1062,12 +1592,6 @@
1062
1592
 	"^MAY_WRITE",
1063
1593
 	"^MAY_READ",
1064
1594
 	"^MAY_APPEND"
1065
-};
1066
-
1067
-#define __ima_hook_stringify(str)	(#str),
1068
-
1069
-static const char *const func_tokens[] = {
1070
-	__ima_hooks(__ima_hook_stringify)
1071
1595
 };
1072
1596
 
1073
1597
 void *ima_policy_start(struct seq_file *m, loff_t *pos)
..
..
@@ -1102,7 +1626,7 @@
1102
1626
 {
1103
1627
 }
1104
1628
 
1105
-#define pt(token)	policy_tokens[token + Opt_err].pattern
1629
+#define pt(token)	policy_tokens[token].pattern
1106
1630
 #define mt(token)	mask_tokens[token]
1107
1631
 
1108
1632
 /*
..
..
@@ -1116,6 +1640,15 @@
1116
1640
 		seq_printf(m, "func=%d ", func);
1117
1641
 }
1118
1642
 
1643
+static void ima_show_rule_opt_list(struct seq_file *m,
1644
+				   const struct ima_rule_opt_list *opt_list)
1645
+{
1646
+	size_t i;
1647
+
1648
+	for (i = 0; i < opt_list->count; i++)
1649
+		seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]);
1650
+}
1651
+
1119
1652
 int ima_policy_show(struct seq_file *m, void *v)
1120
1653
 {
1121
1654
 	struct ima_rule_entry *entry = v;
..
..
@@ -1124,6 +1657,14 @@
1124
1657
 	int offset = 0;
1125
1658
 
1126
1659
 	rcu_read_lock();
1660
+
1661
+	/* Do not print rules with inactive LSM labels */
1662
+	for (i = 0; i < MAX_LSM_RULES; i++) {
1663
+		if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
1664
+			rcu_read_unlock();
1665
+			return 0;
1666
+		}
1667
+	}
1127
1668
 
1128
1669
 	if (entry->action & MEASURE)
1129
1670
 		seq_puts(m, pt(Opt_measure));
..
..
@@ -1168,6 +1709,12 @@
1168
1709
 	if (entry->flags & IMA_FSNAME) {
1169
1710
 		snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1170
1711
 		seq_printf(m, pt(Opt_fsname), tbuf);
1712
+		seq_puts(m, " ");
1713
+	}
1714
+
1715
+	if (entry->flags & IMA_KEYRINGS) {
1716
+		seq_puts(m, "keyrings=");
1717
+		ima_show_rule_opt_list(m, entry->keyrings);
1171
1718
 		seq_puts(m, " ");
1172
1719
 	}
1173
1720
 
..
..
@@ -1220,33 +1767,42 @@
1220
1767
 			switch (i) {
1221
1768
 			case LSM_OBJ_USER:
1222
1769
 				seq_printf(m, pt(Opt_obj_user),
1223
-					   (char *)entry->lsm[i].args_p);
1770
+					   entry->lsm[i].args_p);
1224
1771
 				break;
1225
1772
 			case LSM_OBJ_ROLE:
1226
1773
 				seq_printf(m, pt(Opt_obj_role),
1227
-					   (char *)entry->lsm[i].args_p);
1774
+					   entry->lsm[i].args_p);
1228
1775
 				break;
1229
1776
 			case LSM_OBJ_TYPE:
1230
1777
 				seq_printf(m, pt(Opt_obj_type),
1231
-					   (char *)entry->lsm[i].args_p);
1778
+					   entry->lsm[i].args_p);
1232
1779
 				break;
1233
1780
 			case LSM_SUBJ_USER:
1234
1781
 				seq_printf(m, pt(Opt_subj_user),
1235
-					   (char *)entry->lsm[i].args_p);
1782
+					   entry->lsm[i].args_p);
1236
1783
 				break;
1237
1784
 			case LSM_SUBJ_ROLE:
1238
1785
 				seq_printf(m, pt(Opt_subj_role),
1239
-					   (char *)entry->lsm[i].args_p);
1786
+					   entry->lsm[i].args_p);
1240
1787
 				break;
1241
1788
 			case LSM_SUBJ_TYPE:
1242
1789
 				seq_printf(m, pt(Opt_subj_type),
1243
-					   (char *)entry->lsm[i].args_p);
1790
+					   entry->lsm[i].args_p);
1244
1791
 				break;
1245
1792
 			}
1793
+			seq_puts(m, " ");
1246
1794
 		}
1247
1795
 	}
1248
-	if (entry->flags & IMA_DIGSIG_REQUIRED)
1249
-		seq_puts(m, "appraise_type=imasig ");
1796
+	if (entry->template)
1797
+		seq_printf(m, "template=%s ", entry->template->name);
1798
+	if (entry->flags & IMA_DIGSIG_REQUIRED) {
1799
+		if (entry->flags & IMA_MODSIG_ALLOWED)
1800
+			seq_puts(m, "appraise_type=imasig|modsig ");
1801
+		else
1802
+			seq_puts(m, "appraise_type=imasig ");
1803
+	}
1804
+	if (entry->flags & IMA_CHECK_BLACKLIST)
1805
+		seq_puts(m, "appraise_flag=check_blacklist ");
1250
1806
 	if (entry->flags & IMA_PERMIT_DIRECTIO)
1251
1807
 		seq_puts(m, "permit_directio ");
1252
1808
 	rcu_read_unlock();
..
..
@@ -1254,3 +1810,57 @@
1254
1810
 	return 0;
1255
1811
 }
1256
1812
 #endif	/* CONFIG_IMA_READ_POLICY */
1813
+
1814
+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
1815
+/*
1816
+ * ima_appraise_signature: whether IMA will appraise a given function using
1817
+ * an IMA digital signature. This is restricted to cases where the kernel
1818
+ * has a set of built-in trusted keys in order to avoid an attacker simply
1819
+ * loading additional keys.
1820
+ */
1821
+bool ima_appraise_signature(enum kernel_read_file_id id)
1822
+{
1823
+	struct ima_rule_entry *entry;
1824
+	bool found = false;
1825
+	enum ima_hooks func;
1826
+
1827
+	if (id >= READING_MAX_ID)
1828
+		return false;
1829
+
1830
+	if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
1831
+	    && security_locked_down(LOCKDOWN_KEXEC))
1832
+		return false;
1833
+
1834
+	func = read_idmap[id] ?: FILE_CHECK;
1835
+
1836
+	rcu_read_lock();
1837
+	list_for_each_entry_rcu(entry, ima_rules, list) {
1838
+		if (entry->action != APPRAISE)
1839
+			continue;
1840
+
1841
+		/*
1842
+		 * A generic entry will match, but otherwise require that it
1843
+		 * match the func we're looking for
1844
+		 */
1845
+		if (entry->func && entry->func != func)
1846
+			continue;
1847
+
1848
+		/*
1849
+		 * We require this to be a digital signature, not a raw IMA
1850
+		 * hash.
1851
+		 */
1852
+		if (entry->flags & IMA_DIGSIG_REQUIRED)
1853
+			found = true;
1854
+
1855
+		/*
1856
+		 * We've found a rule that matches, so break now even if it
1857
+		 * didn't require a digital signature - a later rule that does
1858
+		 * won't override it, so would be a false positive.
1859
+		 */
1860
+		break;
1861
+	}
1862
+
1863
+	rcu_read_unlock();
1864
+	return found;
1865
+}
1866
+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */