[linux-2.6-block.git] / security / integrity / ima / ima_policy.c

/*
 * Copyright (C) 2008 IBM Corporation
 * Author: Mimi Zohar <zohar@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 2 of the License.
 *
 * ima_policy.c
 * 	- initialize default measure policy rules
 *
 */
#include <linux/module.h>
#include <linux/list.h>
#include <linux/audit.h>
#include <linux/security.h>
#include <linux/magic.h>

#include "ima.h"

/* flags definitions */
#define IMA_FUNC 	0x0001
#define IMA_MASK 	0x0002
#define IMA_FSMAGIC	0x0004
#define IMA_UID		0x0008

enum ima_action { DONT_MEASURE, MEASURE };

struct ima_measure_rule_entry {
	struct list_head list;
	enum ima_action action;
	unsigned int flags;
	enum ima_hooks func;
	int mask;
	unsigned long fsmagic;
	uid_t uid;
};

static struct ima_measure_rule_entry default_rules[] = {
	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,
	 .flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,
	 .flags = IMA_FSMAGIC},
	{.action = DONT_MEASURE,.fsmagic = 0xF97CFF8C,.flags = IMA_FSMAGIC},
	{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
	 .flags = IMA_FUNC | IMA_MASK},
	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
	 .flags = IMA_FUNC | IMA_MASK},
	{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID}
};

static LIST_HEAD(measure_default_rules);
static struct list_head *ima_measure;

/**
 * ima_match_rules - determine whether an inode matches the measure rule.
 * @rule: a pointer to a rule
 * @inode: a pointer to an inode
 * @func: LIM hook identifier
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 *
 * Returns true on rule match, false on failure.
 */
static bool ima_match_rules(struct ima_measure_rule_entry *rule,
			    struct inode *inode, enum ima_hooks func, int mask)
{
	struct task_struct *tsk = current;

	if ((rule->flags & IMA_FUNC) && rule->func != func)
		return false;
	if ((rule->flags & IMA_MASK) && rule->mask != mask)
		return false;
	if ((rule->flags & IMA_FSMAGIC)
	    && rule->fsmagic != inode->i_sb->s_magic)
		return false;
	if ((rule->flags & IMA_UID) && rule->uid != tsk->cred->uid)
		return false;
	return true;
}

/**
 * ima_match_policy - decision based on LSM and other conditions
 * @inode: pointer to an inode for which the policy decision is being made
 * @func: IMA hook identifier
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 *
 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
 * conditions.
 *
 * (There is no need for locking when walking the policy list,
 * as elements in the list are never deleted, nor does the list
 * change.)
 */
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
{
	struct ima_measure_rule_entry *entry;

	list_for_each_entry(entry, ima_measure, list) {
		bool rc;

		rc = ima_match_rules(entry, inode, func, mask);
		if (rc)
			return entry->action;
	}
	return 0;
}

/**
 * ima_init_policy - initialize the default measure rules.
 *
 * (Could use the default_rules directly, but in policy patch
 * ima_measure points to either the measure_default_rules or the
 * the new measure_policy_rules.)
 */
void ima_init_policy(void)
{
	int i;

	for (i = 0; i < ARRAY_SIZE(default_rules); i++)
		list_add_tail(&default_rules[i].list, &measure_default_rules);
	ima_measure = &measure_default_rules;
}
Commit	Line	Data
3323eec9 MZ	1	/*
	2	* Copyright (C) 2008 IBM Corporation
	3	* Author: Mimi Zohar <zohar@us.ibm.com>
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License as published by
	7	* the Free Software Foundation, version 2 of the License.
	8	*
	9	* ima_policy.c
	10	* - initialize default measure policy rules
	11	*
	12	*/
	13	#include <linux/module.h>
	14	#include <linux/list.h>
	15	#include <linux/audit.h>
	16	#include <linux/security.h>
	17	#include <linux/magic.h>
	18
	19	#include "ima.h"
	20
	21	/* flags definitions */
	22	#define IMA_FUNC 0x0001
	23	#define IMA_MASK 0x0002
	24	#define IMA_FSMAGIC 0x0004
	25	#define IMA_UID 0x0008
	26
	27	enum ima_action { DONT_MEASURE, MEASURE };
	28
	29	struct ima_measure_rule_entry {
	30	struct list_head list;
	31	enum ima_action action;
	32	unsigned int flags;
	33	enum ima_hooks func;
	34	int mask;
	35	unsigned long fsmagic;
	36	uid_t uid;
	37	};
	38
	39	static struct ima_measure_rule_entry default_rules[] = {
	40	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,
	41	.flags = IMA_FSMAGIC},
	42	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
	43	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
	44	{.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
	45	{.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,
	46	.flags = IMA_FSMAGIC},
	47	{.action = DONT_MEASURE,.fsmagic = 0xF97CFF8C,.flags = IMA_FSMAGIC},
	48	{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
	49	.flags = IMA_FUNC \| IMA_MASK},
	50	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
	51	.flags = IMA_FUNC \| IMA_MASK},
	52	{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
	53	.flags = IMA_FUNC \| IMA_MASK \| IMA_UID}
	54	};
	55
	56	static LIST_HEAD(measure_default_rules);
	57	static struct list_head *ima_measure;
	58
	59	/**
	60	* ima_match_rules - determine whether an inode matches the measure rule.
	61	* @rule: a pointer to a rule
	62	* @inode: a pointer to an inode
	63	* @func: LIM hook identifier
	64	* @mask: requested action (MAY_READ \| MAY_WRITE \| MAY_APPEND \| MAY_EXEC)
65	*
66	* Returns true on rule match, false on failure.
67	*/
68	static bool ima_match_rules(struct ima_measure_rule_entry *rule,
69	struct inode *inode, enum ima_hooks func, int mask)
70	{
71	struct task_struct *tsk = current;
72
73	if ((rule->flags & IMA_FUNC) && rule->func != func)
74	return false;
75	if ((rule->flags & IMA_MASK) && rule->mask != mask)
76	return false;
77	if ((rule->flags & IMA_FSMAGIC)
78	&& rule->fsmagic != inode->i_sb->s_magic)
79	return false;
80	if ((rule->flags & IMA_UID) && rule->uid != tsk->cred->uid)
81	return false;
82	return true;
83	}
84
85	/**
86	* ima_match_policy - decision based on LSM and other conditions
87	* @inode: pointer to an inode for which the policy decision is being made
88	* @func: IMA hook identifier
89	* @mask: requested action (MAY_READ \| MAY_WRITE \| MAY_APPEND \| MAY_EXEC)
90	*
91	* Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
92	* conditions.
93	*
94	* (There is no need for locking when walking the policy list,
95	* as elements in the list are never deleted, nor does the list
96	* change.)
97	*/
98	int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
99	{
100	struct ima_measure_rule_entry *entry;
101
102	list_for_each_entry(entry, ima_measure, list) {
103	bool rc;
104
105	rc = ima_match_rules(entry, inode, func, mask);
106	if (rc)
107	return entry->action;
108	}
109	return 0;
110	}
111
112	/**
113	* ima_init_policy - initialize the default measure rules.
114	*
115	* (Could use the default_rules directly, but in policy patch
116	* ima_measure points to either the measure_default_rules or the
117	* the new measure_policy_rules.)
118	*/
119	void ima_init_policy(void)
120	{
121	int i;
122
123	for (i = 0; i < ARRAY_SIZE(default_rules); i++)
124	list_add_tail(&default_rules[i].list, &measure_default_rules);
125	ima_measure = &measure_default_rules;
126	}