aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Documentation/ABI/testing/ima_policy3
-rw-r--r--security/integrity/ima/ima_policy.c20
2 files changed, 17 insertions, 6 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 4a571fa10f96..0a378a88217a 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -27,7 +27,8 @@ Description:
27 27
28 base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] 28 base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
29 [FIRMWARE_CHECK] 29 [FIRMWARE_CHECK]
30 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] 30 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
31 [[^]MAY_EXEC]
31 fsmagic:= hex value 32 fsmagic:= hex value
32 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) 33 fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
33 uid:= decimal value 34 uid:= decimal value
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 525301cf7d90..b3a2038ed424 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -27,6 +27,7 @@
27#define IMA_UID 0x0008 27#define IMA_UID 0x0008
28#define IMA_FOWNER 0x0010 28#define IMA_FOWNER 0x0010
29#define IMA_FSUUID 0x0020 29#define IMA_FSUUID 0x0020
30#define IMA_INMASK 0x0040
30#define IMA_EUID 0x0080 31#define IMA_EUID 0x0080
31 32
32#define UNKNOWN 0 33#define UNKNOWN 0
@@ -187,6 +188,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
187 if ((rule->flags & IMA_MASK) && 188 if ((rule->flags & IMA_MASK) &&
188 (rule->mask != mask && func != POST_SETATTR)) 189 (rule->mask != mask && func != POST_SETATTR))
189 return false; 190 return false;
191 if ((rule->flags & IMA_INMASK) &&
192 (!(rule->mask & mask) && func != POST_SETATTR))
193 return false;
190 if ((rule->flags & IMA_FSMAGIC) 194 if ((rule->flags & IMA_FSMAGIC)
191 && rule->fsmagic != inode->i_sb->s_magic) 195 && rule->fsmagic != inode->i_sb->s_magic)
192 return false; 196 return false;
@@ -448,6 +452,7 @@ static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
448static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 452static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
449{ 453{
450 struct audit_buffer *ab; 454 struct audit_buffer *ab;
455 char *from;
451 char *p; 456 char *p;
452 int result = 0; 457 int result = 0;
453 458
@@ -538,18 +543,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
538 if (entry->mask) 543 if (entry->mask)
539 result = -EINVAL; 544 result = -EINVAL;
540 545
541 if ((strcmp(args[0].from, "MAY_EXEC")) == 0) 546 from = args[0].from;
547 if (*from == '^')
548 from++;
549
550 if ((strcmp(from, "MAY_EXEC")) == 0)
542 entry->mask = MAY_EXEC; 551 entry->mask = MAY_EXEC;
543 else if (strcmp(args[0].from, "MAY_WRITE") == 0) 552 else if (strcmp(from, "MAY_WRITE") == 0)
544 entry->mask = MAY_WRITE; 553 entry->mask = MAY_WRITE;
545 else if (strcmp(args[0].from, "MAY_READ") == 0) 554 else if (strcmp(from, "MAY_READ") == 0)
546 entry->mask = MAY_READ; 555 entry->mask = MAY_READ;
547 else if (strcmp(args[0].from, "MAY_APPEND") == 0) 556 else if (strcmp(from, "MAY_APPEND") == 0)
548 entry->mask = MAY_APPEND; 557 entry->mask = MAY_APPEND;
549 else 558 else
550 result = -EINVAL; 559 result = -EINVAL;
551 if (!result) 560 if (!result)
552 entry->flags |= IMA_MASK; 561 entry->flags |= (*args[0].from == '^')
562 ? IMA_INMASK : IMA_MASK;
553 break; 563 break;
554 case Opt_fsmagic: 564 case Opt_fsmagic:
555 ima_log_string(ab, "fsmagic", args[0].from); 565 ima_log_string(ab, "fsmagic", args[0].from);
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-24 19:45:38 -0400