1 | /* |
2 | * Copyright (C) 2008 IBM Corporation | |
3 | * Author: Mimi Zohar <zohar@us.ibm.com> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License as published by | |
7 | * the Free Software Foundation, version 2 of the License. | |
8 | * | |
9 | * ima_policy.c | |
10 | * - initialize default measure policy rules | |
11 | * | |
12 | */ | |
13 | #include <linux/module.h> | |
14 | #include <linux/list.h> | |
15 | #include <linux/audit.h> | |
16 | #include <linux/security.h> | |
17 | #include <linux/magic.h> | |
18 | ||
19 | #include "ima.h" | |
20 | ||
/*
 * Rule flags: each bit marks which field of struct ima_measure_rule_entry
 * is significant for that rule.  ima_match_rules() only compares a field
 * when its flag is set, so a rule with no flags set matches every inode.
 */
#define IMA_FUNC 0x0001		/* compare rule->func with the calling hook */
#define IMA_MASK 0x0002		/* compare rule->mask with the requested access */
#define IMA_FSMAGIC 0x0004	/* compare rule->fsmagic with inode->i_sb->s_magic */
#define IMA_UID 0x0008		/* compare rule->uid with current->cred->uid */
26 | ||
/*
 * Outcome of a rule.  DONT_MEASURE is 0, which is also the value
 * ima_match_policy() returns when no rule matches, so an unmatched
 * inode is effectively treated as DONT_MEASURE.
 */
enum ima_action { DONT_MEASURE, MEASURE };
28 | ||
/*
 * One measurement policy rule.  Only the fields whose IMA_* bit is set in
 * @flags are consulted by ima_match_rules(); the others are ignored.
 */
struct ima_measure_rule_entry {
	struct list_head list;		/* linkage onto the active policy list */
	enum ima_action action;		/* returned by ima_match_policy() on match */
	unsigned int flags;		/* IMA_FUNC | IMA_MASK | IMA_FSMAGIC | IMA_UID */
	enum ima_hooks func;		/* hook to match, if IMA_FUNC */
	int mask;			/* requested access, compared for exact equality, if IMA_MASK */
	unsigned long fsmagic;		/* super-block magic to match, if IMA_FSMAGIC */
	uid_t uid;			/* real uid (cred->uid) to match, if IMA_UID */
};
38 | ||
/*
 * Built-in policy.  Order matters: ima_match_policy() returns the action
 * of the first matching rule, so the DONT_MEASURE rules for the pseudo
 * filesystems below shadow the later MEASURE rules -- a file on proc,
 * sysfs, debugfs, tmpfs or securityfs is never measured even when it is
 * mmap'ed or exec'ed.
 */
static struct ima_measure_rule_entry default_rules[] = {
	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,
	 .flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,
	 .flags = IMA_FSMAGIC},
	/*
	 * Bare magic number with no symbolic constant in linux/magic.h at
	 * this point; presumably the selinuxfs super-block magic -- verify
	 * against the selinuxfs definition before changing it.
	 */
	{.action = DONT_MEASURE,.fsmagic = 0xF97CFF8C,.flags = IMA_FSMAGIC},
	/* measure executable mappings */
	{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
	 .flags = IMA_FUNC | IMA_MASK},
	/* measure files being exec'ed */
	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
	 .flags = IMA_FUNC | IMA_MASK},
	/* measure files opened for reading by (real) uid 0 */
	{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID}
};
55 | ||
/* list onto which ima_init_policy() links the default_rules entries */
static LIST_HEAD(measure_default_rules);
/*
 * Active policy walked by ima_match_policy().  NULL until ima_init_policy()
 * points it at measure_default_rules, so the policy must be initialized
 * before the first match is attempted.
 */
static struct list_head *ima_measure;
58 | ||
/**
 * ima_match_rules - determine whether an inode matches the measure rule.
 * @rule: a pointer to a rule
 * @inode: a pointer to an inode
 * @func: LIM hook identifier
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 *
 * Only the fields whose IMA_* bit is set in @rule->flags take part in the
 * comparison, and every enabled field must match.  A rule with no flags
 * set therefore matches every inode.  @mask is compared for exact
 * equality, not as a subset, and the uid check compares the real uid
 * (current->cred->uid).
 *
 * Returns true on rule match, false on failure.
 */
static bool ima_match_rules(struct ima_measure_rule_entry *rule,
			    struct inode *inode, enum ima_hooks func, int mask)
{
	struct task_struct *task = current;
	unsigned int flags = rule->flags;
	bool matched = true;

	if (flags & IMA_FUNC)
		matched = (rule->func == func);
	if (matched && (flags & IMA_MASK))
		matched = (rule->mask == mask);
	/* the super-block is only dereferenced when the rule asks for it */
	if (matched && (flags & IMA_FSMAGIC))
		matched = (rule->fsmagic == inode->i_sb->s_magic);
	if (matched && (flags & IMA_UID))
		matched = (rule->uid == task->cred->uid);

	return matched;
}
84 | ||
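/**
 * ima_match_policy - decision based on LSM and other conditions
 * @inode: pointer to an inode for which the policy decision is being made
 * @func: IMA hook identifier
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 *
 * Walk the active policy list in order and return the action of the first
 * rule that matches (see ima_match_rules()).  Because the first match wins,
 * the DONT_MEASURE rules placed at the head of default_rules take
 * precedence over the MEASURE rules that follow them.
 *
 * Only func/mask/fsmagic/uid are evaluated; no LSM (subj/obj/type)
 * conditions are implemented in this version.
 *
 * Must not be called before ima_init_policy() has set ima_measure.
 *
 * (There is no need for locking when walking the policy list,
 * as elements in the list are never deleted, nor does the list
 * change.)
 *
 * Returns the matching rule's action (MEASURE or DONT_MEASURE), or
 * DONT_MEASURE when no rule matches.
 */
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
{
	struct ima_measure_rule_entry *entry;

	list_for_each_entry(entry, ima_measure, list) {
		if (ima_match_rules(entry, inode, func, mask))
			return entry->action;
	}
	/* explicit default rather than a bare 0 that relies on the enum order */
	return DONT_MEASURE;
}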
111 | ||
/**
 * ima_init_policy - initialize the default measure rules.
 *
 * Links every entry of default_rules, in array order, onto
 * measure_default_rules and makes that list the active policy by pointing
 * ima_measure at it.  Array order is preserved on the list, which matters
 * because ima_match_policy() returns the first matching rule.  ima_measure
 * is NULL until this runs, so it must be called before ima_match_policy().
 *
 * (Could use the default_rules directly, but in policy patch
 * ima_measure points to either the measure_default_rules or
 * the new measure_policy_rules.)
 */
void ima_init_policy(void)
{
	struct ima_measure_rule_entry *rule;
	struct ima_measure_rule_entry *end = default_rules + ARRAY_SIZE(default_rules);

	/* list_add_tail() keeps the array order on the list */
	for (rule = default_rules; rule < end; rule++)
		list_add_tail(&rule->list, &measure_default_rules);

	ima_measure = &measure_default_rules;
}