Lines Matching refs:entry
355 static void ima_lsm_free_rule(struct ima_rule_entry *entry) in ima_lsm_free_rule() argument
360 ima_filter_rule_free(entry->lsm[i].rule); in ima_lsm_free_rule()
361 kfree(entry->lsm[i].args_p); in ima_lsm_free_rule()
365 static void ima_free_rule(struct ima_rule_entry *entry) in ima_free_rule() argument
367 if (!entry) in ima_free_rule()
375 kfree(entry->fsname); in ima_free_rule()
376 ima_free_rule_opt_list(entry->keyrings); in ima_free_rule()
377 ima_lsm_free_rule(entry); in ima_free_rule()
378 kfree(entry); in ima_free_rule()
381 static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) in ima_lsm_copy_rule() argument
390 nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); in ima_lsm_copy_rule()
397 if (!entry->lsm[i].args_p) in ima_lsm_copy_rule()
400 nentry->lsm[i].type = entry->lsm[i].type; in ima_lsm_copy_rule()
401 nentry->lsm[i].args_p = entry->lsm[i].args_p; in ima_lsm_copy_rule()
407 entry->lsm[i].args_p = NULL; in ima_lsm_copy_rule()
419 static int ima_lsm_update_rule(struct ima_rule_entry *entry) in ima_lsm_update_rule() argument
423 nentry = ima_lsm_copy_rule(entry); in ima_lsm_update_rule()
427 list_replace_rcu(&entry->list, &nentry->list); in ima_lsm_update_rule()
435 ima_lsm_free_rule(entry); in ima_lsm_update_rule()
436 kfree(entry); in ima_lsm_update_rule()
441 static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) in ima_rule_contains_lsm_cond() argument
446 if (entry->lsm[i].args_p) in ima_rule_contains_lsm_cond()
459 struct ima_rule_entry *entry, *e; in ima_lsm_update_rules() local
462 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { in ima_lsm_update_rules()
463 if (!ima_rule_contains_lsm_cond(entry)) in ima_lsm_update_rules()
466 result = ima_lsm_update_rule(entry); in ima_lsm_update_rules()
697 struct ima_rule_entry *entry; in ima_match_policy() local
706 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { in ima_match_policy()
708 if (!(entry->action & actmask)) in ima_match_policy()
711 if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, in ima_match_policy()
715 action |= entry->flags & IMA_ACTION_FLAGS; in ima_match_policy()
717 action |= entry->action & IMA_DO_MASK; in ima_match_policy()
718 if (entry->action & IMA_APPRAISE) { in ima_match_policy()
719 action |= get_subaction(entry, func); in ima_match_policy()
725 entry->flags & IMA_VALIDATE_ALGOS) in ima_match_policy()
726 *allowed_algos = entry->allowed_algos; in ima_match_policy()
729 if (entry->action & IMA_DO_MASK) in ima_match_policy()
730 actmask &= ~(entry->action | entry->action << 1); in ima_match_policy()
732 actmask &= ~(entry->action | entry->action >> 1); in ima_match_policy()
734 if ((pcr) && (entry->flags & IMA_PCR)) in ima_match_policy()
735 *pcr = entry->pcr; in ima_match_policy()
737 if (template_desc && entry->template) in ima_match_policy()
738 *template_desc = entry->template; in ima_match_policy()
765 struct ima_rule_entry *entry; in ima_update_policy_flags() local
771 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { in ima_update_policy_flags()
784 if (entry->func == SETXATTR_CHECK) { in ima_update_policy_flags()
786 0, entry->allowed_algos); in ima_update_policy_flags()
791 if (entry->action & IMA_DO_MASK) in ima_update_policy_flags()
792 new_policy_flag |= entry->action; in ima_update_policy_flags()
822 struct ima_rule_entry *entry; in add_rules() local
828 entry = kmemdup(&entries[i], sizeof(*entry), in add_rules()
830 if (!entry) in add_rules()
833 list_add_tail(&entry->list, &ima_policy_rules); in add_rules()
846 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
1080 static int ima_lsm_rule_init(struct ima_rule_entry *entry, in ima_lsm_rule_init() argument
1085 if (entry->lsm[lsm_rule].rule) in ima_lsm_rule_init()
1088 entry->lsm[lsm_rule].args_p = match_strdup(args); in ima_lsm_rule_init()
1089 if (!entry->lsm[lsm_rule].args_p) in ima_lsm_rule_init()
1092 entry->lsm[lsm_rule].type = audit_type; in ima_lsm_rule_init()
1093 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, in ima_lsm_rule_init()
1094 entry->lsm[lsm_rule].args_p, in ima_lsm_rule_init()
1095 &entry->lsm[lsm_rule].rule); in ima_lsm_rule_init()
1096 if (!entry->lsm[lsm_rule].rule) { in ima_lsm_rule_init()
1098 entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
1101 kfree(entry->lsm[lsm_rule].args_p); in ima_lsm_rule_init()
1102 entry->lsm[lsm_rule].args_p = NULL; in ima_lsm_rule_init()
1176 static bool ima_validate_rule(struct ima_rule_entry *entry) in ima_validate_rule() argument
1179 if (entry->action == UNKNOWN) in ima_validate_rule()
1182 if (entry->action != MEASURE && entry->flags & IMA_PCR) in ima_validate_rule()
1185 if (entry->action != APPRAISE && in ima_validate_rule()
1186 entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | in ima_validate_rule()
1196 if (((entry->flags & IMA_FUNC) && entry->func == NONE) || in ima_validate_rule()
1197 (!(entry->flags & IMA_FUNC) && entry->func != NONE)) in ima_validate_rule()
1204 switch (entry->func) { in ima_validate_rule()
1213 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1225 if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | in ima_validate_rule()
1236 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1239 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | in ima_validate_rule()
1247 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1250 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | in ima_validate_rule()
1254 if (ima_rule_contains_lsm_cond(entry)) in ima_validate_rule()
1259 if (entry->action & ~(MEASURE | DONT_MEASURE)) in ima_validate_rule()
1262 if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_GID | IMA_PCR | in ima_validate_rule()
1266 if (ima_rule_contains_lsm_cond(entry)) in ima_validate_rule()
1272 if (entry->action != APPRAISE) in ima_validate_rule()
1276 if (!(entry->flags & IMA_VALIDATE_ALGOS)) in ima_validate_rule()
1283 if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) in ima_validate_rule()
1292 if (entry->flags & IMA_CHECK_BLACKLIST && in ima_validate_rule()
1293 !(entry->flags & IMA_MODSIG_ALLOWED)) in ima_validate_rule()
1327 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) in ima_parse_rule() argument
1339 entry->uid = INVALID_UID; in ima_parse_rule()
1340 entry->gid = INVALID_GID; in ima_parse_rule()
1341 entry->fowner = INVALID_UID; in ima_parse_rule()
1342 entry->fgroup = INVALID_GID; in ima_parse_rule()
1343 entry->uid_op = &uid_eq; in ima_parse_rule()
1344 entry->gid_op = &gid_eq; in ima_parse_rule()
1345 entry->fowner_op = &uid_eq; in ima_parse_rule()
1346 entry->fgroup_op = &gid_eq; in ima_parse_rule()
1347 entry->action = UNKNOWN; in ima_parse_rule()
1362 if (entry->action != UNKNOWN) in ima_parse_rule()
1365 entry->action = MEASURE; in ima_parse_rule()
1370 if (entry->action != UNKNOWN) in ima_parse_rule()
1373 entry->action = DONT_MEASURE; in ima_parse_rule()
1378 if (entry->action != UNKNOWN) in ima_parse_rule()
1381 entry->action = APPRAISE; in ima_parse_rule()
1386 if (entry->action != UNKNOWN) in ima_parse_rule()
1389 entry->action = DONT_APPRAISE; in ima_parse_rule()
1394 if (entry->action != UNKNOWN) in ima_parse_rule()
1397 entry->action = AUDIT; in ima_parse_rule()
1402 if (entry->action != UNKNOWN) in ima_parse_rule()
1405 entry->action = HASH; in ima_parse_rule()
1410 if (entry->action != UNKNOWN) in ima_parse_rule()
1413 entry->action = DONT_HASH; in ima_parse_rule()
1418 if (entry->func) in ima_parse_rule()
1422 entry->func = FILE_CHECK; in ima_parse_rule()
1425 entry->func = FILE_CHECK; in ima_parse_rule()
1427 entry->func = MODULE_CHECK; in ima_parse_rule()
1429 entry->func = FIRMWARE_CHECK; in ima_parse_rule()
1432 entry->func = MMAP_CHECK; in ima_parse_rule()
1434 entry->func = BPRM_CHECK; in ima_parse_rule()
1436 entry->func = CREDS_CHECK; in ima_parse_rule()
1439 entry->func = KEXEC_KERNEL_CHECK; in ima_parse_rule()
1442 entry->func = KEXEC_INITRAMFS_CHECK; in ima_parse_rule()
1444 entry->func = POLICY_CHECK; in ima_parse_rule()
1446 entry->func = KEXEC_CMDLINE; in ima_parse_rule()
1449 entry->func = KEY_CHECK; in ima_parse_rule()
1451 entry->func = CRITICAL_DATA; in ima_parse_rule()
1453 entry->func = SETXATTR_CHECK; in ima_parse_rule()
1457 entry->flags |= IMA_FUNC; in ima_parse_rule()
1462 if (entry->mask) in ima_parse_rule()
1470 entry->mask = MAY_EXEC; in ima_parse_rule()
1472 entry->mask = MAY_WRITE; in ima_parse_rule()
1474 entry->mask = MAY_READ; in ima_parse_rule()
1476 entry->mask = MAY_APPEND; in ima_parse_rule()
1480 entry->flags |= (*args[0].from == '^') in ima_parse_rule()
1486 if (entry->fsmagic) { in ima_parse_rule()
1491 result = kstrtoul(args[0].from, 16, &entry->fsmagic); in ima_parse_rule()
1493 entry->flags |= IMA_FSMAGIC; in ima_parse_rule()
1498 entry->fsname = kstrdup(args[0].from, GFP_KERNEL); in ima_parse_rule()
1499 if (!entry->fsname) { in ima_parse_rule()
1504 entry->flags |= IMA_FSNAME; in ima_parse_rule()
1510 entry->keyrings) { in ima_parse_rule()
1515 entry->keyrings = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1516 if (IS_ERR(entry->keyrings)) { in ima_parse_rule()
1517 result = PTR_ERR(entry->keyrings); in ima_parse_rule()
1518 entry->keyrings = NULL; in ima_parse_rule()
1522 entry->flags |= IMA_KEYRINGS; in ima_parse_rule()
1527 if (entry->label) { in ima_parse_rule()
1532 entry->label = ima_alloc_rule_opt_list(args); in ima_parse_rule()
1533 if (IS_ERR(entry->label)) { in ima_parse_rule()
1534 result = PTR_ERR(entry->label); in ima_parse_rule()
1535 entry->label = NULL; in ima_parse_rule()
1539 entry->flags |= IMA_LABEL; in ima_parse_rule()
1544 if (!uuid_is_null(&entry->fsuuid)) { in ima_parse_rule()
1549 result = uuid_parse(args[0].from, &entry->fsuuid); in ima_parse_rule()
1551 entry->flags |= IMA_FSUUID; in ima_parse_rule()
1555 entry->uid_op = &uid_gt; in ima_parse_rule()
1560 entry->uid_op = &uid_lt; in ima_parse_rule()
1571 if (uid_valid(entry->uid)) { in ima_parse_rule()
1578 entry->uid = make_kuid(current_user_ns(), in ima_parse_rule()
1580 if (!uid_valid(entry->uid) || in ima_parse_rule()
1584 entry->flags |= eid_token in ima_parse_rule()
1590 entry->gid_op = &gid_gt; in ima_parse_rule()
1595 entry->gid_op = &gid_lt; in ima_parse_rule()
1606 if (gid_valid(entry->gid)) { in ima_parse_rule()
1613 entry->gid = make_kgid(current_user_ns(), in ima_parse_rule()
1615 if (!gid_valid(entry->gid) || in ima_parse_rule()
1619 entry->flags |= eid_token in ima_parse_rule()
1624 entry->fowner_op = &uid_gt; in ima_parse_rule()
1628 entry->fowner_op = &uid_lt; in ima_parse_rule()
1633 if (uid_valid(entry->fowner)) { in ima_parse_rule()
1640 entry->fowner = make_kuid(current_user_ns(), in ima_parse_rule()
1642 if (!uid_valid(entry->fowner) || in ima_parse_rule()
1646 entry->flags |= IMA_FOWNER; in ima_parse_rule()
1650 entry->fgroup_op = &gid_gt; in ima_parse_rule()
1654 entry->fgroup_op = &gid_lt; in ima_parse_rule()
1659 if (gid_valid(entry->fgroup)) { in ima_parse_rule()
1666 entry->fgroup = make_kgid(current_user_ns(), in ima_parse_rule()
1668 if (!gid_valid(entry->fgroup) || in ima_parse_rule()
1672 entry->flags |= IMA_FGROUP; in ima_parse_rule()
1677 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1683 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1689 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1695 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1701 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1707 result = ima_lsm_rule_init(entry, args, in ima_parse_rule()
1714 entry->flags |= IMA_DIGSIG_REQUIRED; in ima_parse_rule()
1717 entry->flags |= IMA_DIGSIG_REQUIRED | in ima_parse_rule()
1726 entry->flags |= IMA_CHECK_BLACKLIST; in ima_parse_rule()
1733 if (entry->allowed_algos) { in ima_parse_rule()
1738 entry->allowed_algos = in ima_parse_rule()
1741 if (!entry->allowed_algos) { in ima_parse_rule()
1746 entry->flags |= IMA_VALIDATE_ALGOS; in ima_parse_rule()
1750 entry->flags |= IMA_PERMIT_DIRECTIO; in ima_parse_rule()
1755 result = kstrtoint(args[0].from, 10, &entry->pcr); in ima_parse_rule()
1756 if (result || INVALID_PCR(entry->pcr)) in ima_parse_rule()
1759 entry->flags |= IMA_PCR; in ima_parse_rule()
1764 if (entry->action != MEASURE) { in ima_parse_rule()
1769 if (!template_desc || entry->template) { in ima_parse_rule()
1782 entry->template = template_desc; in ima_parse_rule()
1790 if (!result && !ima_validate_rule(entry)) in ima_parse_rule()
1792 else if (entry->action == APPRAISE) in ima_parse_rule()
1793 temp_ima_appraise |= ima_appraise_flag(entry->func); in ima_parse_rule()
1795 if (!result && entry->flags & IMA_MODSIG_ALLOWED) { in ima_parse_rule()
1796 template_desc = entry->template ? entry->template : in ima_parse_rule()
1817 struct ima_rule_entry *entry; in ima_parse_add_rule() local
1828 entry = kzalloc(sizeof(*entry), GFP_KERNEL); in ima_parse_add_rule()
1829 if (!entry) { in ima_parse_add_rule()
1835 INIT_LIST_HEAD(&entry->list); in ima_parse_add_rule()
1837 result = ima_parse_rule(p, entry); in ima_parse_add_rule()
1839 ima_free_rule(entry); in ima_parse_add_rule()
1846 list_add_tail(&entry->list, &ima_temp_rules); in ima_parse_add_rule()
1859 struct ima_rule_entry *entry, *tmp; in ima_delete_rules() local
1862 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { in ima_delete_rules()
1863 list_del(&entry->list); in ima_delete_rules()
1864 ima_free_rule(entry); in ima_delete_rules()
1889 struct ima_rule_entry *entry; in ima_policy_start() local
1894 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { in ima_policy_start()
1897 return entry; in ima_policy_start()
1906 struct ima_rule_entry *entry = v; in ima_policy_next() local
1909 entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); in ima_policy_next()
1913 return (&entry->list == &ima_default_rules || in ima_policy_next()
1914 &entry->list == &ima_policy_rules) ? NULL : entry; in ima_policy_next()
1963 struct ima_rule_entry *entry = v; in ima_policy_show() local
1970 if (entry->action & MEASURE) in ima_policy_show()
1972 if (entry->action & DONT_MEASURE) in ima_policy_show()
1974 if (entry->action & APPRAISE) in ima_policy_show()
1976 if (entry->action & DONT_APPRAISE) in ima_policy_show()
1978 if (entry->action & AUDIT) in ima_policy_show()
1980 if (entry->action & HASH) in ima_policy_show()
1982 if (entry->action & DONT_HASH) in ima_policy_show()
1987 if (entry->flags & IMA_FUNC) in ima_policy_show()
1988 policy_func_show(m, entry->func); in ima_policy_show()
1990 if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { in ima_policy_show()
1991 if (entry->flags & IMA_MASK) in ima_policy_show()
1993 if (entry->mask & MAY_EXEC) in ima_policy_show()
1995 if (entry->mask & MAY_WRITE) in ima_policy_show()
1997 if (entry->mask & MAY_READ) in ima_policy_show()
1999 if (entry->mask & MAY_APPEND) in ima_policy_show()
2004 if (entry->flags & IMA_FSMAGIC) { in ima_policy_show()
2005 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); in ima_policy_show()
2010 if (entry->flags & IMA_FSNAME) { in ima_policy_show()
2011 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); in ima_policy_show()
2016 if (entry->flags & IMA_KEYRINGS) { in ima_policy_show()
2018 ima_show_rule_opt_list(m, entry->keyrings); in ima_policy_show()
2022 if (entry->flags & IMA_LABEL) { in ima_policy_show()
2024 ima_show_rule_opt_list(m, entry->label); in ima_policy_show()
2028 if (entry->flags & IMA_PCR) { in ima_policy_show()
2029 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); in ima_policy_show()
2034 if (entry->flags & IMA_FSUUID) { in ima_policy_show()
2035 seq_printf(m, "fsuuid=%pU", &entry->fsuuid); in ima_policy_show()
2039 if (entry->flags & IMA_UID) { in ima_policy_show()
2040 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
2041 if (entry->uid_op == &uid_gt) in ima_policy_show()
2043 else if (entry->uid_op == &uid_lt) in ima_policy_show()
2050 if (entry->flags & IMA_EUID) { in ima_policy_show()
2051 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); in ima_policy_show()
2052 if (entry->uid_op == &uid_gt) in ima_policy_show()
2054 else if (entry->uid_op == &uid_lt) in ima_policy_show()
2061 if (entry->flags & IMA_GID) { in ima_policy_show()
2062 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); in ima_policy_show()
2063 if (entry->gid_op == &gid_gt) in ima_policy_show()
2065 else if (entry->gid_op == &gid_lt) in ima_policy_show()
2072 if (entry->flags & IMA_EGID) { in ima_policy_show()
2073 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); in ima_policy_show()
2074 if (entry->gid_op == &gid_gt) in ima_policy_show()
2076 else if (entry->gid_op == &gid_lt) in ima_policy_show()
2083 if (entry->flags & IMA_FOWNER) { in ima_policy_show()
2084 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); in ima_policy_show()
2085 if (entry->fowner_op == &uid_gt) in ima_policy_show()
2087 else if (entry->fowner_op == &uid_lt) in ima_policy_show()
2094 if (entry->flags & IMA_FGROUP) { in ima_policy_show()
2095 snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); in ima_policy_show()
2096 if (entry->fgroup_op == &gid_gt) in ima_policy_show()
2098 else if (entry->fgroup_op == &gid_lt) in ima_policy_show()
2105 if (entry->flags & IMA_VALIDATE_ALGOS) { in ima_policy_show()
2107 ima_policy_show_appraise_algos(m, entry->allowed_algos); in ima_policy_show()
2112 if (entry->lsm[i].rule) { in ima_policy_show()
2116 entry->lsm[i].args_p); in ima_policy_show()
2120 entry->lsm[i].args_p); in ima_policy_show()
2124 entry->lsm[i].args_p); in ima_policy_show()
2128 entry->lsm[i].args_p); in ima_policy_show()
2132 entry->lsm[i].args_p); in ima_policy_show()
2136 entry->lsm[i].args_p); in ima_policy_show()
2142 if (entry->template) in ima_policy_show()
2143 seq_printf(m, "template=%s ", entry->template->name); in ima_policy_show()
2144 if (entry->flags & IMA_DIGSIG_REQUIRED) { in ima_policy_show()
2145 if (entry->flags & IMA_MODSIG_ALLOWED) in ima_policy_show()
2150 if (entry->flags & IMA_CHECK_BLACKLIST) in ima_policy_show()
2152 if (entry->flags & IMA_PERMIT_DIRECTIO) in ima_policy_show()
2169 struct ima_rule_entry *entry; in ima_appraise_signature() local
2181 list_for_each_entry_rcu(entry, ima_rules_tmp, list) { in ima_appraise_signature()
2182 if (entry->action != APPRAISE) in ima_appraise_signature()
2189 if (entry->func && entry->func != func) in ima_appraise_signature()
2196 if (entry->flags & IMA_DIGSIG_REQUIRED) in ima_appraise_signature()