Signed-off-by: NChristoph Hellwig <hch@lst.de>
Reviewed-by: NAmir Goldstein <amir73il@gmail.com>
Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>

This helper was only used by IMA of all things, which would get spurious
errors if CONFIG_BLOCK is disabled.  Just opencode the call there.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Reviewed-by: NAmir Goldstein <amir73il@gmail.com>
Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>

For now we have only "=" operator for fowner/uid/euid rules. This
patch provide two more operators - ">" and "<" in order to make
fowner/uid/euid rules more flexible.

Examples of usage.

 Appraise all files owned by special and system users (SYS_UID_MAX 999):
    appraise fowner<1000
 Don't appraise files owned by normal users (UID_MIN 1000):
    dont_appraise fowner>999
 Appraise all files owned by users with UID 1000-1010:
    dont_appraise fowner>1010
    appraise fowner>999

Changelog v3:
- Removed code duplication in ima_parse_rule().
- Fix ima_policy_show() - (Mimi)

Changelog v2:
- Fixed default policy rules.
Signed-off-by: NMikhail Kurinnoi <viewizard@viewizard.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

 security/integrity/ima/ima_policy.c | 115 +++++++++++++++++++++++++++---------
 1 file changed, 87 insertions(+), 28 deletions(-)

The default IMA rules are loaded during init and then do not
change, so mark them as __ro_after_init.
Signed-off-by: NJames Morris <james.l.morris@oracle.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Different policy rules may extend different PCRs. This patch retrieves
the specific PCR for the matched rule.  Subsequent patches will include
the rule specific PCR in the measurement list and extend the appropriate
PCR.
Signed-off-by: NEric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch defines a new IMA measurement policy rule option "pcr=",
which allows extending different PCRs on a per rule basis. For example,
the system independent files could extend the default IMA Kconfig
specified PCR, while the system dependent files could extend a different
PCR.

The following is an example of this usage with an SELinux policy; the
rule would extend PCR 11 with system configuration files:

  measure func=FILE_CHECK mask=MAY_READ obj_type=system_conf_t pcr=11

Changelog v3:
- FIELD_SIZEOF returns bytes, not bits. Fixed INVALID_PCR
Signed-off-by: NEric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Instead of open coded variant re-use extension that vsprintf.c provides
us for ages.
Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: NMatt Fleming <matt@codeblueprint.co.uk>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This patch fixes the string representation of the LSM/IMA hook enumeration
ordering used for displaying the IMA policy.

Fixes: d9ddf077 ("ima: support for kexec image and initramfs")
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: NEric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Require the IMA policy to be signed when additional rules can be added.

v1:
- initialize the policy flag
- include IMA_APPRAISE_POLICY in the policy flag
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NPetko Manolov <petkan@mip-labs.com>
Acked-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>

Add support for measuring and appraising the IMA policy itself.

Changelog v4:
- use braces on both if/else branches, even if single line on one of the
branches - Dmitry
- Use the id mapping - Dmitry
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NPetko Manolov <petkan@mip-labs.com>
Acked-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>

Add IMA policy support for measuring/appraising the kexec image and
initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and
KEXEC_INITRAMFS_CHECK are defined.

Example policy rules:
measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
measure func=KEXEC_INITRAMFS_CHECK
appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig

Moving the enumeration to the vfs layer simplified the patches, allowing
the IMA changes, for the most part, to be separated from the other
changes.  Unfortunately, passing either a kernel_read_file_id or a
ima_hooks enumeration within IMA is messy.

Option 1: duplicate kernel_read_file enumeration in ima_hooks

enum kernel_read_file_id {
	...
        READING_KEXEC_IMAGE,
        READING_KEXEC_INITRAMFS,
        READING_MAX_ID

enum ima_hooks {
	...
	KEXEC_KERNEL_CHECK
	KEXEC_INITRAMFS_CHECK

Option 2: define ima_hooks as extension of kernel_read_file
eg: enum ima_hooks {
        FILE_CHECK = READING_MAX_ID,
        MMAP_CHECK,

In order to pass both kernel_read_file_id and ima_hooks values, we
would need to specify a struct containing a union.

struct caller_id {
        union {
                enum ima_hooks func_id;
                enum kernel_read_file_id read_id;
        };
};

Option 3: incorportate the ima_hooks enumeration into kernel_read_file_id,
perhaps changing the enumeration name.

For now, duplicate the new READING_KEXEC_IMAGE/INITRAMFS in the ima_hooks.

Changelog v4:
- replaced switch statement with a kernel_read_file_id to an ima_hooks
id mapping array - Dmitry
- renamed ima_hook tokens KEXEC_CHECK and INITRAMFS_CHECK to
KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK respectively - Dave Young
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NPetko Manolov <petkan@mip-labs.com>
Acked-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Cc: Dave Young <dyoung@redhat.com>

Each time a file is read by the kernel, the file should be re-measured and
the file signature re-appraised, based on policy.  As there is no need to
preserve the status information, this patch replaces the firmware and
module specific cache status with a generic one named read_file.

This change simplifies adding support for other files read by the kernel.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NPetko Manolov <petkan@mip-labs.com>
Acked-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>

This patch defines a new IMA hook ima_post_read_file() for measuring
and appraising files read by the kernel. The caller loads the file into
memory before calling this function, which calculates the hash followed by
the normal IMA policy based processing.

Changelog v5:
- fail ima_post_read_file() if either file or buf is NULL
v3:
- rename ima_hash_and_process_file() to ima_post_read_file()

v1:
- split patch
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>

Cleanup the function arguments by using "ima_hooks" enumerator as needed.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NPetko Manolov <petkan@mip-labs.com>
Acked-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>

Define and call a function to display the "ima_hooks" rules.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NPetko Manolov <petkan@mip-labs.com>
Acked-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>

ima_check_policy() has no parameters, so use the normal void
parameter convention to make it match the prototype in the header file
security/integrity/ima/ima.h
Signed-off-by: NColin Ian King <colin.king@canonical.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Commit "IMA: policy can now be updated multiple times" assumed that the
policy would be updated at least once.

If there are zero updates, the temporary list head object will get added
to the policy list, and later dereferenced as an IMA policy object, which
means that invalid memory will be accessed.

Changelog:
- Move list_empty() test to ima_release_policy(), before audit msg - Mimi
Signed-off-by: NSasha Levin <sasha.levin@oracle.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

While creating a temporary list of new rules, the ima_appraise flag is
updated, but not reverted on failure to append the new rules to the
existing policy.  This patch defines temp_ima_appraise flag.  Only when
the new rules are appended to the policy is the flag updated.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NPetko Manolov <petkan@mip-labs.com>

It is often useful to be able to read back the IMA policy.  It is
even more important after introducing CONFIG_IMA_WRITE_POLICY.
This option allows the root user to see the current policy rules.
Signed-off-by: NZbigniew Jasinski <z.jasinski@samsung.com>
Signed-off-by: NPetko Manolov <petkan@mip-labs.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

The new rules get appended to the original policy, forming a queue.
The new rules are first added to a temporary list, which on error
get released without disturbing the normal IMA operations.  On
success both lists (the current policy and the new rules) are spliced.

IMA policy reads are many orders of magnitude more numerous compared to
writes, the match code is RCU protected.  The updater side also does
list splice in RCU manner.
Signed-off-by: NPetko Manolov <petkan@mip-labs.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch defines a builtin measurement policy "tcb", similar to the
existing "ima_tcb", but with additional rules to also measure files
based on the effective uid and to measure files opened with the "read"
mode bit set (eg. read, read-write).

Changing the builtin "ima_tcb" policy could potentially break existing
users.  Instead of defining a new separate boot command line option each
time the builtin measurement policy is modified, this patch defines a
single generic boot command line option "ima_policy=" to specify the
builtin policy and deprecates the use of the builtin ima_tcb policy.

[The "ima_policy=" boot command line option is based on Roberto Sassu's
"ima: added new policy type exec" patch.]
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: NDr. Greg Wettstein <gw@idfusion.org>
Cc: stable@vger.kernel.org

The current "mask" policy option matches files opened as MAY_READ,
MAY_WRITE, MAY_APPEND or MAY_EXEC.  This patch extends the "mask"
option to match files opened containing one of these modes.  For
example, "mask=^MAY_READ" would match files opened read-write.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: NDr. Greg Wettstein <gw@idfusion.org>
Cc: stable@vger.kernel.org

The new "euid" policy condition measures files with the specified
effective uid (euid).  In addition, for CAP_SETUID files it measures
files with the specified uid or suid.

Changelog:
- fixed checkpatch.pl warnings
- fixed avc denied {setuid} messages - based on Roberto's feedback
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: NDr. Greg Wettstein <gw@idfusion.org>
Cc: stable@vger.kernel.org

Include don't appraise or measure rules for the NSFS filesystem
in the builtin ima_tcb and ima_appraise_tcb policies.

Changelog:
- Update documentation
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org # 3.19

This patch adds a rule in the default measurement policy to skip inodes
in the cgroupfs filesystem. Measurements for this filesystem can be
avoided, as all the digests collected have the same value of the digest of
an empty file.

Furthermore, this patch updates the documentation of IMA policies in
Documentation/ABI/testing/ima_policy to make it consistent with
the policies set in security/integrity/ima/ima_policy.c.
Signed-off-by: NRoberto Sassu <rsassu@suse.de>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

It's a bit easier to read this if we split it up into two for loops.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration
option to force IMA appraisal using signatures. This is useful, when EVM
key is not initialized yet and we want securely initialize integrity or
any other functionality.

It forces embedded policy to require signature. Signed initialization
script can initialize EVM key, update the IMA policy and change further
requirement of everything to be signed.

Changes in v3:
* kernel parameter fixed to configuration option in the patch description

Changes in v2:
* policy change of this patch separated from the key loading patch
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

The current implementation uses an atomic counter to provide exclusive
access to the sysfs 'policy' entry to update the IMA policy. While it is
highly unlikely, the usage of a counter might potentially allow another
process to overflow the counter, open the interface and insert additional
rules into the policy being loaded.

This patch replaces using an atomic counter with atomic bit operations
which is more reliable and a widely used method to provide exclusive access.

As bit operation keep the interface locked after successful update, it makes
it unnecessary to verify if the default policy was set or not during parsing
and interface closing. This patch also removes that code.

Changes in v3:
* move audit log message to ima_relead_policy() to report successful and
  unsuccessful result
* unnecessary comment removed

Changes in v2:
* keep interface locked after successful policy load as in original design
* remove sysfs entry as in original design
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Empty policy lines cause parsing failures which is, especially
for new users, hard to spot. This patch prevents it.

Changes in v2:
* strip leading blanks and tabs in rules to prevent parsing failures
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

If a rule is a comment, there is no need to allocate an entry.
Move the checking for comments before allocating the entry.
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch introduces the new variable 'ima_policy_flag', whose bits
are set depending on the action of the current policy rules. Only the
flags IMA_MEASURE, IMA_APPRAISE and IMA_AUDIT are set.

The new variable will be used to improve performance by skipping the
unnecessary execution of IMA code if the policy does not contain rules
with the above actions.

Changes in v6 (Roberto Sassu)
* do not check 'ima_initialized' before calling ima_update_policy_flag()
  in ima_update_policy() (suggested by Dmitry)
* calling ima_update_policy_flag() moved to init_ima to co-locate with
  ima_initialized (Dmitry)
* add/revise comments (Mimi)

Changes in v5 (Roberto Sassu)
* reset IMA_APPRAISE flag in 'ima_policy_flag' if 'ima_appraise' is set
  to zero (reported by Dmitry)
* update 'ima_policy_flag' only if IMA initialization is successful
  (suggested by Mimi and Dmitry)
* check 'ima_policy_flag' instead of 'ima_initialized'
  (suggested by Mimi and Dmitry)
Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

The "security: introduce kernel_fw_from_file hook" patch defined a
new security hook to evaluate any loaded firmware that wasn't built
into the kernel.

This patch defines ima_fw_from_file(), which is called from the new
security hook, to measure and/or appraise the loaded firmware's
integrity.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: NKees Cook <keescook@chromium.org>

Replace spaces in op keyword labels in log output since userspace audit tools
can't parse orphaned keywords.
Reported-by: NSteve Grubb <sgrubb@redhat.com>
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Files are measured or appraised based on the IMA policy.  When a
file, in policy, is opened with the O_DIRECT flag, a deadlock
occurs.

The first attempt at resolving this lockdep temporarily removed the
O_DIRECT flag and restored it, after calculating the hash.  The
second attempt introduced the O_DIRECT_HAVELOCK flag. Based on this
flag, do_blockdev_direct_IO() would skip taking the i_mutex a second
time.  The third attempt, by Dmitry Kasatkin, resolves the i_mutex
locking issue, by re-introducing the IMA mutex, but uncovered
another problem.  Reading a file with O_DIRECT flag set, writes
directly to userspace pages.  A second patch allocates a user-space
like memory.  This works for all IMA hooks, except ima_file_free(),
which is called on __fput() to recalculate the file hash.

Until this last issue is addressed, do not 'collect' the
measurement for measuring, appraising, or auditing files opened
with the O_DIRECT flag set.  Based on policy, permit or deny file
access.  This patch defines a new IMA policy rule option named
'permit_directio'.  Policy rules could be defined, based on LSM
or other criteria, to permit specific applications to open files
with the O_DIRECT flag set.

Changelog v1:
- permit or deny file access based IMA policy rules
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Cc: <stable@vger.kernel.org>

Between checkpatch changes (eg. sizeof) and inconsistencies between
Lindent and checkpatch, unfixed checkpatch errors make it difficult
to see new errors. This patch fixes them. Some lines with over 80 chars
remained unchanged to improve code readability.

The "extern" keyword is removed from internal evm.h to make it consistent
with internal ima.h.
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

ima_inode_post_setattr() calls ima_must_appraise() to check if the
file needs to be appraised. If it does not then it removes security.ima
xattr. With original policy matching code it might happen that even
file needs to be appraised with FILE_CHECK hook, it might not be
for POST_SETATTR hook. 'security.ima' might be erronously removed.

This patch treats POST_SETATTR as special wildcard function and will
cause ima_must_appraise() to be true if any of the hooks rules matches.
security.ima will not be removed if any of the hooks would require
appraisal.
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

A const char pointer allocates memory for a pointer as well as for
a string,  This patch replaces a number of the const char pointers
throughout IMA, with a static const char array.
Suggested-by: NDavid Howells <dhowells@redhat.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NDavid Howells <dhowells@redhat.com>

The usage of strict_strto*() is not preferred, because
strict_strto*() is obsolete. Thus, kstrto*() should be
used.
Signed-off-by: NJingoo Han <jg1.han@samsung.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

This reverts commit 4c2c3927.

Everything in the initramfs should be measured and appraised,
but until the initramfs has extended attribute support, at
least measured.
Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
Cc: Stable Kernel <stable@kernel.org>

Commit "85865c1f ima: add policy support for file system uuid"
introduced a CONFIG_BLOCK dependency.  This patch defines a
wrapper called blk_part_pack_uuid(), which returns -EINVAL,
when CONFIG_BLOCK is not defined.

security/integrity/ima/ima_policy.c:538:4: error: implicit declaration
of function 'part_pack_uuid' [-Werror=implicit-function-declaration]

Changelog v2:
- Reference commit number in patch description
Changelog v1:
- rename ima_part_pack_uuid() to blk_part_pack_uuid()
- resolve scripts/checkpatch.pl warnings
Changelog v0:
- fix UUID scripts/Lindent msgs
Reported-by: NRandy Dunlap <rdunlap@infradead.org>
Reported-by: NDavid Rientjes <rientjes@google.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: NDavid Rientjes <rientjes@google.com>
Acked-by: NRandy Dunlap <rdunlap@infradead.org>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>