1 files changed, 155 insertions, 54 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 1a9583008aae..c7dacd2eab7a 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -24,22 +24,29 @@
 #define IMA_MASK        0x0002
 #define IMA_FSMAGIC     0x0004
 #define IMA_UID         0x0008
+#define IMA_FOWNER      0x0010
-enum ima_action { UNKNOWN = -1, DONT_MEASURE = 0, MEASURE };
+#define UNKNOWN         0
+#define MEASURE         0x0001  /* same as IMA_MEASURE */
+#define DONT_MEASURE    0x0002
+#define APPRAISE        0x0004  /* same as IMA_APPRAISE */
+#define DONT_APPRAISE   0x0008
+#define AUDIT           0x0040
 #define MAX_LSM_RULES 6
 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
        LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
 };
-struct ima_measure_rule_entry {
+struct ima_rule_entry {
        struct list_head list;
-        enum ima_action action;
+        int action;
        unsigned int flags;
        enum ima_hooks func;
        int mask;
        unsigned long fsmagic;
-        uid_t uid;
+        kuid_t uid;
+        kuid_t fowner;
        struct {
                void *rule;     /* LSM file metadata specific */
                int type;       /* audit type */
@@ -48,7 +55,7 @@ struct ima_measure_rule_entry {
 /*
 * Without LSM specific knowledge, the default policy can only be
- * written in terms of .action, .func, .mask, .fsmagic, and .uid
+ * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
 */
 /*
@@ -57,7 +64,7 @@ struct ima_measure_rule_entry {
 * normal users can easily run the machine out of memory simply building
 * and running executables.
 */
-static struct ima_measure_rule_entry default_rules[] = {
+static struct ima_rule_entry default_rules[] = {
        {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
@@ -71,23 +78,45 @@ static struct ima_measure_rule_entry default_rules[] = {
         .flags = IMA_FUNC | IMA_MASK},
        {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
         .flags = IMA_FUNC | IMA_MASK},
-        {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
+        {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID,
         .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
-static LIST_HEAD(measure_default_rules);
+static struct ima_rule_entry default_appraise_rules[] = {
-static LIST_HEAD(measure_policy_rules);
+        {.action = DONT_APPRAISE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
-static struct list_head *ima_measure;
+        {.action = DONT_APPRAISE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = CGROUP_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = APPRAISE,.fowner = GLOBAL_ROOT_UID,.flags = IMA_FOWNER},
+};
+static LIST_HEAD(ima_default_rules);
+static LIST_HEAD(ima_policy_rules);
+static struct list_head *ima_rules;
-static DEFINE_MUTEX(ima_measure_mutex);
+static DEFINE_MUTEX(ima_rules_mutex);
 static bool ima_use_tcb __initdata;
-static int __init default_policy_setup(char *str)
+static int __init default_measure_policy_setup(char *str)
 {
        ima_use_tcb = 1;
        return 1;
 }
-__setup("ima_tcb", default_policy_setup);
+__setup("ima_tcb", default_measure_policy_setup);
+static bool ima_use_appraise_tcb __initdata;
+static int __init default_appraise_policy_setup(char *str)
+{
+        ima_use_appraise_tcb = 1;
+        return 1;
+}
+__setup("ima_appraise_tcb", default_appraise_policy_setup);
 /**
 * ima_match_rules - determine whether an inode matches the measure rule.
@@ -98,7 +127,7 @@ __setup("ima_tcb", default_policy_setup);
 *
 * Returns true on rule match, false on failure.
 */
-static bool ima_match_rules(struct ima_measure_rule_entry *rule,
+static bool ima_match_rules(struct ima_rule_entry *rule,
                            struct inode *inode, enum ima_hooks func, int mask)
 {
        struct task_struct *tsk = current;
@@ -112,7 +141,9 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
        if ((rule->flags & IMA_FSMAGIC)
            && rule->fsmagic != inode->i_sb->s_magic)
                return false;
-        if ((rule->flags & IMA_UID) && rule->uid != cred->uid)
+        if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
+                return false;
+        if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
                return false;
        for (i = 0; i < MAX_LSM_RULES; i++) {
                int rc = 0;
@@ -163,39 +194,61 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
 * as elements in the list are never deleted, nor does the list
 * change.)
 */
-int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
+int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
+                     int flags)
 {
-        struct ima_measure_rule_entry *entry;
+        struct ima_rule_entry *entry;
+        int action = 0, actmask = flags | (flags << 1);
+        list_for_each_entry(entry, ima_rules, list) {
+                if (!(entry->action & actmask))
+                        continue;
+                if (!ima_match_rules(entry, inode, func, mask))
+                        continue;
-        list_for_each_entry(entry, ima_measure, list) {
+                action |= entry->action & IMA_DO_MASK;
-                bool rc;
+                if (entry->action & IMA_DO_MASK)
+                        actmask &= ~(entry->action | entry->action << 1);
+                else
+                        actmask &= ~(entry->action | entry->action >> 1);
-                rc = ima_match_rules(entry, inode, func, mask);
+                if (!actmask)
-                if (rc)
+                        break;
-                        return entry->action;
        }
-        return 0;
+        return action;
 }
 /**
 * ima_init_policy - initialize the default measure rules.
 *
- * ima_measure points to either the measure_default_rules or the
+ * ima_rules points to either the ima_default_rules or the
- * the new measure_policy_rules.
+ * the new ima_policy_rules.
 */
 void __init ima_init_policy(void)
 {
-        int i, entries;
+        int i, measure_entries, appraise_entries;
        /* if !ima_use_tcb set entries = 0 so we load NO default rules */
-        if (ima_use_tcb)
+        measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0;
-                entries = ARRAY_SIZE(default_rules);
+        appraise_entries = ima_use_appraise_tcb ?
-        else
+                         ARRAY_SIZE(default_appraise_rules) : 0;
-                entries = 0;
+        
+        for (i = 0; i < measure_entries + appraise_entries; i++) {
-        for (i = 0; i < entries; i++)
+                if (i < measure_entries)
-                list_add_tail(&default_rules[i].list, &measure_default_rules);
+                        list_add_tail(&default_rules[i].list,
-        ima_measure = &measure_default_rules;
+                                      &ima_default_rules);
+                else {
+                        int j = i - measure_entries;
+                        list_add_tail(&default_appraise_rules[j].list,
+                                      &ima_default_rules);
+                }
+        }
+        ima_rules = &ima_default_rules;
 }
 /**
@@ -212,8 +265,8 @@ void ima_update_policy(void)
        int result = 1;
        int audit_info = 0;
-        if (ima_measure == &measure_default_rules) {
+        if (ima_rules == &ima_default_rules) {
-                ima_measure = &measure_policy_rules;
+                ima_rules = &ima_policy_rules;
                cause = "complete";
                result = 0;
        }
@@ -224,14 +277,19 @@ void ima_update_policy(void)
 enum {
        Opt_err = -1,
        Opt_measure = 1, Opt_dont_measure,
+        Opt_appraise, Opt_dont_appraise,
+        Opt_audit,
        Opt_obj_user, Opt_obj_role, Opt_obj_type,
        Opt_subj_user, Opt_subj_role, Opt_subj_type,
-        Opt_func, Opt_mask, Opt_fsmagic, Opt_uid
+        Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner
 };
 static match_table_t policy_tokens = {
        {Opt_measure, "measure"},
        {Opt_dont_measure, "dont_measure"},
+        {Opt_appraise, "appraise"},
+        {Opt_dont_appraise, "dont_appraise"},
+        {Opt_audit, "audit"},
        {Opt_obj_user, "obj_user=%s"},
        {Opt_obj_role, "obj_role=%s"},
        {Opt_obj_type, "obj_type=%s"},
@@ -242,10 +300,11 @@ static match_table_t policy_tokens = {
        {Opt_mask, "mask=%s"},
        {Opt_fsmagic, "fsmagic=%s"},
        {Opt_uid, "uid=%s"},
+        {Opt_fowner, "fowner=%s"},
        {Opt_err, NULL}
 };
-static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,
+static int ima_lsm_rule_init(struct ima_rule_entry *entry,
                             char *args, int lsm_rule, int audit_type)
 {
        int result;
@@ -269,7 +328,7 @@ static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
        audit_log_format(ab, " ");
 }
-static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
+static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 {
        struct audit_buffer *ab;
        char *p;
@@ -277,7 +336,8 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
-        entry->uid = -1;
+        entry->uid = INVALID_UID;
+        entry->fowner = INVALID_UID;
        entry->action = UNKNOWN;
        while ((p = strsep(&rule, " \t")) != NULL) {
                substring_t args[MAX_OPT_ARGS];
@@ -306,11 +366,35 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
                        entry->action = DONT_MEASURE;
                        break;
+                case Opt_appraise:
+                        ima_log_string(ab, "action", "appraise");
+                        if (entry->action != UNKNOWN)
+                                result = -EINVAL;
+                        entry->action = APPRAISE;
+                        break;
+                case Opt_dont_appraise:
+                        ima_log_string(ab, "action", "dont_appraise");
+                        if (entry->action != UNKNOWN)
+                                result = -EINVAL;
+                        entry->action = DONT_APPRAISE;
+                        break;
+                case Opt_audit:
+                        ima_log_string(ab, "action", "audit");
+                        if (entry->action != UNKNOWN)
+                                result = -EINVAL;
+                        entry->action = AUDIT;
+                        break;
                case Opt_func:
                        ima_log_string(ab, "func", args[0].from);
                        if (entry->func)
-                                result  = -EINVAL;
+                                result = -EINVAL;
                        if (strcmp(args[0].from, "FILE_CHECK") == 0)
                                entry->func = FILE_CHECK;
@@ -361,20 +445,37 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
                case Opt_uid:
                        ima_log_string(ab, "uid", args[0].from);
-                        if (entry->uid != -1) {
+                        if (uid_valid(entry->uid)) {
                                result = -EINVAL;
                                break;
                        }
                        result = strict_strtoul(args[0].from, 10, &lnum);
                        if (!result) {
-                                entry->uid = (uid_t) lnum;
+                                entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
-                                if (entry->uid != lnum)
+                                if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
                                        result = -EINVAL;
                                else
                                        entry->flags |= IMA_UID;
                        }
                        break;
+                case Opt_fowner:
+                        ima_log_string(ab, "fowner", args[0].from);
+                        if (uid_valid(entry->fowner)) {
+                                result = -EINVAL;
+                                break;
+                        }
+                        result = strict_strtoul(args[0].from, 10, &lnum);
+                        if (!result) {
+                                entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
+                                if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
+                                        result = -EINVAL;
+                                else
+                                        entry->flags |= IMA_FOWNER;
+                        }
+                        break;
                case Opt_obj_user:
                        ima_log_string(ab, "obj_user", args[0].from);
                        result = ima_lsm_rule_init(entry, args[0].from,
@@ -426,7 +527,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 }
 /**
- * ima_parse_add_rule - add a rule to measure_policy_rules
+ * ima_parse_add_rule - add a rule to ima_policy_rules
 * @rule - ima measurement policy rule
 *
 * Uses a mutex to protect the policy list from multiple concurrent writers.
@@ -436,12 +537,12 @@ ssize_t ima_parse_add_rule(char *rule)
 {
        const char *op = "update_policy";
        char *p;
-        struct ima_measure_rule_entry *entry;
+        struct ima_rule_entry *entry;
        ssize_t result, len;
        int audit_info = 0;
        /* Prevent installed policy from changing */
-        if (ima_measure != &measure_default_rules) {
+        if (ima_rules != &ima_default_rules) {
                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
                                    NULL, op, "already exists",
                                    -EACCES, audit_info);
@@ -474,9 +575,9 @@ ssize_t ima_parse_add_rule(char *rule)
                return result;
        }
-        mutex_lock(&ima_measure_mutex);
+        mutex_lock(&ima_rules_mutex);
-        list_add_tail(&entry->list, &measure_policy_rules);
+        list_add_tail(&entry->list, &ima_policy_rules);
-        mutex_unlock(&ima_measure_mutex);
+        mutex_unlock(&ima_rules_mutex);
        return len;
 }
@@ -484,12 +585,12 @@ ssize_t ima_parse_add_rule(char *rule)
 /* ima_delete_rules called to cleanup invalid policy */
 void ima_delete_rules(void)
 {
-        struct ima_measure_rule_entry *entry, *tmp;
+        struct ima_rule_entry *entry, *tmp;
-        mutex_lock(&ima_measure_mutex);
+        mutex_lock(&ima_rules_mutex);
-        list_for_each_entry_safe(entry, tmp, &measure_policy_rules, list) {
+        list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
                list_del(&entry->list);
                kfree(entry);
        }
-        mutex_unlock(&ima_measure_mutex);
+        mutex_unlock(&ima_rules_mutex);
 }

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 1a9583008aae..c7dacd2eab7a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -24,22 +24,29 @@
24	#define IMA_MASK 0x0002	24	#define IMA_MASK 0x0002
25	#define IMA_FSMAGIC 0x0004	25	#define IMA_FSMAGIC 0x0004
26	#define IMA_UID 0x0008	26	#define IMA_UID 0x0008
		27	#define IMA_FOWNER 0x0010
27		28
28	enum ima_action { UNKNOWN = -1, DONT_MEASURE = 0, MEASURE };	29	#define UNKNOWN 0
		30	#define MEASURE 0x0001 /* same as IMA_MEASURE */
		31	#define DONT_MEASURE 0x0002
		32	#define APPRAISE 0x0004 /* same as IMA_APPRAISE */
		33	#define DONT_APPRAISE 0x0008
		34	#define AUDIT 0x0040
29		35
30	#define MAX_LSM_RULES 6	36	#define MAX_LSM_RULES 6
31	enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,	37	enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
32	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE	38	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
33	};	39	};
34		40
35	struct ima_measure_rule_entry {	41	struct ima_rule_entry {
36	struct list_head list;	42	struct list_head list;
37	enum ima_action action;	43	int action;
38	unsigned int flags;	44	unsigned int flags;
39	enum ima_hooks func;	45	enum ima_hooks func;
40	int mask;	46	int mask;
41	unsigned long fsmagic;	47	unsigned long fsmagic;
42	uid_t uid;	48	kuid_t uid;
		49	kuid_t fowner;
43	struct {	50	struct {
44	void rule; / LSM file metadata specific */	51	void rule; / LSM file metadata specific */
45	int type; /* audit type */	52	int type; /* audit type */
@@ -48,7 +55,7 @@ struct ima_measure_rule_entry {
48		55
49	/*	56	/*
50	* Without LSM specific knowledge, the default policy can only be	57	* Without LSM specific knowledge, the default policy can only be
51	* written in terms of .action, .func, .mask, .fsmagic, and .uid	58	* written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
52	*/	59	*/
53		60
54	/*	61	/*
@@ -57,7 +64,7 @@ struct ima_measure_rule_entry {
57	* normal users can easily run the machine out of memory simply building	64	* normal users can easily run the machine out of memory simply building
58	* and running executables.	65	* and running executables.
59	*/	66	*/
60	static struct ima_measure_rule_entry default_rules[] = {	67	static struct ima_rule_entry default_rules[] = {
61	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},	68	{.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
62	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},	69	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
63	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},	70	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
@@ -71,23 +78,45 @@ static struct ima_measure_rule_entry default_rules[] = {
71	.flags = IMA_FUNC \| IMA_MASK},	78	.flags = IMA_FUNC \| IMA_MASK},
72	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,	79	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
73	.flags = IMA_FUNC \| IMA_MASK},	80	.flags = IMA_FUNC \| IMA_MASK},
74	{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,	81	{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID,
75	.flags = IMA_FUNC \| IMA_MASK \| IMA_UID},	82	.flags = IMA_FUNC \| IMA_MASK \| IMA_UID},
76	};	83	};
77		84
78	static LIST_HEAD(measure_default_rules);	85	static struct ima_rule_entry default_appraise_rules[] = {
79	static LIST_HEAD(measure_policy_rules);	86	{.action = DONT_APPRAISE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
80	static struct list_head *ima_measure;	87	{.action = DONT_APPRAISE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
		88	{.action = DONT_APPRAISE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
		89	{.action = DONT_APPRAISE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
		90	{.action = DONT_APPRAISE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
		91	{.action = DONT_APPRAISE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
		92	{.action = DONT_APPRAISE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
		93	{.action = DONT_APPRAISE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
		94	{.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
		95	{.action = DONT_APPRAISE,.fsmagic = CGROUP_SUPER_MAGIC,.flags = IMA_FSMAGIC},
		96	{.action = APPRAISE,.fowner = GLOBAL_ROOT_UID,.flags = IMA_FOWNER},
		97	};
		98
		99	static LIST_HEAD(ima_default_rules);
		100	static LIST_HEAD(ima_policy_rules);
		101	static struct list_head *ima_rules;
81		102
82	static DEFINE_MUTEX(ima_measure_mutex);	103	static DEFINE_MUTEX(ima_rules_mutex);
83		104
84	static bool ima_use_tcb __initdata;	105	static bool ima_use_tcb __initdata;
85	static int __init default_policy_setup(char *str)	106	static int __init default_measure_policy_setup(char *str)
86	{	107	{
87	ima_use_tcb = 1;	108	ima_use_tcb = 1;
88	return 1;	109	return 1;
89	}	110	}
90	__setup("ima_tcb", default_policy_setup);	111	__setup("ima_tcb", default_measure_policy_setup);
		112
		113	static bool ima_use_appraise_tcb __initdata;
		114	static int __init default_appraise_policy_setup(char *str)
		115	{
		116	ima_use_appraise_tcb = 1;
		117	return 1;
		118	}
		119	__setup("ima_appraise_tcb", default_appraise_policy_setup);
91		120
92	/**	121	/**
93	* ima_match_rules - determine whether an inode matches the measure rule.	122	* ima_match_rules - determine whether an inode matches the measure rule.
@@ -98,7 +127,7 @@ __setup("ima_tcb", default_policy_setup);
98	*	127	*
99	* Returns true on rule match, false on failure.	128	* Returns true on rule match, false on failure.
100	*/	129	*/
101	static bool ima_match_rules(struct ima_measure_rule_entry *rule,	130	static bool ima_match_rules(struct ima_rule_entry *rule,
102	struct inode *inode, enum ima_hooks func, int mask)	131	struct inode *inode, enum ima_hooks func, int mask)
103	{	132	{
104	struct task_struct *tsk = current;	133	struct task_struct *tsk = current;
@@ -112,7 +141,9 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
112	if ((rule->flags & IMA_FSMAGIC)	141	if ((rule->flags & IMA_FSMAGIC)
113	&& rule->fsmagic != inode->i_sb->s_magic)	142	&& rule->fsmagic != inode->i_sb->s_magic)
114	return false;	143	return false;
115	if ((rule->flags & IMA_UID) && rule->uid != cred->uid)	144	if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
		145	return false;
		146	if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
116	return false;	147	return false;
117	for (i = 0; i < MAX_LSM_RULES; i++) {	148	for (i = 0; i < MAX_LSM_RULES; i++) {
118	int rc = 0;	149	int rc = 0;
@@ -163,39 +194,61 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
163	* as elements in the list are never deleted, nor does the list	194	* as elements in the list are never deleted, nor does the list
164	* change.)	195	* change.)
165	*/	196	*/
166	int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)	197	int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
		198	int flags)
167	{	199	{
168	struct ima_measure_rule_entry *entry;	200	struct ima_rule_entry *entry;
		201	int action = 0, actmask = flags \| (flags << 1);
		202
		203	list_for_each_entry(entry, ima_rules, list) {
		204
		205	if (!(entry->action & actmask))
		206	continue;
		207
		208	if (!ima_match_rules(entry, inode, func, mask))
		209	continue;
169		210
170	list_for_each_entry(entry, ima_measure, list) {	211	action \|= entry->action & IMA_DO_MASK;
171	bool rc;	212	if (entry->action & IMA_DO_MASK)
		213	actmask &= ~(entry->action \| entry->action << 1);
		214	else
		215	actmask &= ~(entry->action \| entry->action >> 1);
172		216
173	rc = ima_match_rules(entry, inode, func, mask);	217	if (!actmask)
174	if (rc)	218	break;
175	return entry->action;
176	}	219	}
177	return 0;	220
		221	return action;
178	}	222	}
179		223
180	/**	224	/**
181	* ima_init_policy - initialize the default measure rules.	225	* ima_init_policy - initialize the default measure rules.
182	*	226	*
183	* ima_measure points to either the measure_default_rules or the	227	* ima_rules points to either the ima_default_rules or the
184	* the new measure_policy_rules.	228	* the new ima_policy_rules.
185	*/	229	*/
186	void __init ima_init_policy(void)	230	void __init ima_init_policy(void)
187	{	231	{
188	int i, entries;	232	int i, measure_entries, appraise_entries;
189		233
190	/* if !ima_use_tcb set entries = 0 so we load NO default rules */	234	/* if !ima_use_tcb set entries = 0 so we load NO default rules */
191	if (ima_use_tcb)	235	measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0;
192	entries = ARRAY_SIZE(default_rules);	236	appraise_entries = ima_use_appraise_tcb ?
193	else	237	ARRAY_SIZE(default_appraise_rules) : 0;
194	entries = 0;	238
195		239	for (i = 0; i < measure_entries + appraise_entries; i++) {
196	for (i = 0; i < entries; i++)	240	if (i < measure_entries)
197	list_add_tail(&default_rules[i].list, &measure_default_rules);	241	list_add_tail(&default_rules[i].list,
198	ima_measure = &measure_default_rules;	242	&ima_default_rules);
		243	else {
		244	int j = i - measure_entries;
		245
		246	list_add_tail(&default_appraise_rules[j].list,
		247	&ima_default_rules);
		248	}
		249	}
		250
		251	ima_rules = &ima_default_rules;
199	}	252	}
200		253
201	/**	254	/**
@@ -212,8 +265,8 @@ void ima_update_policy(void)
212	int result = 1;	265	int result = 1;
213	int audit_info = 0;	266	int audit_info = 0;
214		267
215	if (ima_measure == &measure_default_rules) {	268	if (ima_rules == &ima_default_rules) {
216	ima_measure = &measure_policy_rules;	269	ima_rules = &ima_policy_rules;
217	cause = "complete";	270	cause = "complete";
218	result = 0;	271	result = 0;
219	}	272	}
@@ -224,14 +277,19 @@ void ima_update_policy(void)
224	enum {	277	enum {
225	Opt_err = -1,	278	Opt_err = -1,
226	Opt_measure = 1, Opt_dont_measure,	279	Opt_measure = 1, Opt_dont_measure,
		280	Opt_appraise, Opt_dont_appraise,
		281	Opt_audit,
227	Opt_obj_user, Opt_obj_role, Opt_obj_type,	282	Opt_obj_user, Opt_obj_role, Opt_obj_type,
228	Opt_subj_user, Opt_subj_role, Opt_subj_type,	283	Opt_subj_user, Opt_subj_role, Opt_subj_type,
229	Opt_func, Opt_mask, Opt_fsmagic, Opt_uid	284	Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner
230	};	285	};
231		286
232	static match_table_t policy_tokens = {	287	static match_table_t policy_tokens = {
233	{Opt_measure, "measure"},	288	{Opt_measure, "measure"},
234	{Opt_dont_measure, "dont_measure"},	289	{Opt_dont_measure, "dont_measure"},
		290	{Opt_appraise, "appraise"},
		291	{Opt_dont_appraise, "dont_appraise"},
		292	{Opt_audit, "audit"},
235	{Opt_obj_user, "obj_user=%s"},	293	{Opt_obj_user, "obj_user=%s"},
236	{Opt_obj_role, "obj_role=%s"},	294	{Opt_obj_role, "obj_role=%s"},
237	{Opt_obj_type, "obj_type=%s"},	295	{Opt_obj_type, "obj_type=%s"},
@@ -242,10 +300,11 @@ static match_table_t policy_tokens = {
242	{Opt_mask, "mask=%s"},	300	{Opt_mask, "mask=%s"},
243	{Opt_fsmagic, "fsmagic=%s"},	301	{Opt_fsmagic, "fsmagic=%s"},
244	{Opt_uid, "uid=%s"},	302	{Opt_uid, "uid=%s"},
		303	{Opt_fowner, "fowner=%s"},
245	{Opt_err, NULL}	304	{Opt_err, NULL}
246	};	305	};
247		306
248	static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,	307	static int ima_lsm_rule_init(struct ima_rule_entry *entry,
249	char *args, int lsm_rule, int audit_type)	308	char *args, int lsm_rule, int audit_type)
250	{	309	{
251	int result;	310	int result;
@@ -269,7 +328,7 @@ static void ima_log_string(struct audit_buffer ab, char key, char *value)
269	audit_log_format(ab, " ");	328	audit_log_format(ab, " ");
270	}	329	}
271		330
272	static int ima_parse_rule(char rule, struct ima_measure_rule_entry entry)	331	static int ima_parse_rule(char rule, struct ima_rule_entry entry)
273	{	332	{
274	struct audit_buffer *ab;	333	struct audit_buffer *ab;
275	char *p;	334	char *p;
@@ -277,7 +336,8 @@ static int ima_parse_rule(char rule, struct ima_measure_rule_entry entry)
277		336
278	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);	337	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
279		338
280	entry->uid = -1;	339	entry->uid = INVALID_UID;
		340	entry->fowner = INVALID_UID;
281	entry->action = UNKNOWN;	341	entry->action = UNKNOWN;
282	while ((p = strsep(&rule, " \t")) != NULL) {	342	while ((p = strsep(&rule, " \t")) != NULL) {
283	substring_t args[MAX_OPT_ARGS];	343	substring_t args[MAX_OPT_ARGS];
@@ -306,11 +366,35 @@ static int ima_parse_rule(char rule, struct ima_measure_rule_entry entry)
306		366
307	entry->action = DONT_MEASURE;	367	entry->action = DONT_MEASURE;
308	break;	368	break;
		369	case Opt_appraise:
		370	ima_log_string(ab, "action", "appraise");
		371
		372	if (entry->action != UNKNOWN)
		373	result = -EINVAL;
		374
		375	entry->action = APPRAISE;
		376	break;
		377	case Opt_dont_appraise:
		378	ima_log_string(ab, "action", "dont_appraise");
		379
		380	if (entry->action != UNKNOWN)
		381	result = -EINVAL;
		382
		383	entry->action = DONT_APPRAISE;
		384	break;
		385	case Opt_audit:
		386	ima_log_string(ab, "action", "audit");
		387
		388	if (entry->action != UNKNOWN)
		389	result = -EINVAL;
		390
		391	entry->action = AUDIT;
		392	break;
309	case Opt_func:	393	case Opt_func:
310	ima_log_string(ab, "func", args[0].from);	394	ima_log_string(ab, "func", args[0].from);
311		395
312	if (entry->func)	396	if (entry->func)
313	result = -EINVAL;	397	result = -EINVAL;
314		398
315	if (strcmp(args[0].from, "FILE_CHECK") == 0)	399	if (strcmp(args[0].from, "FILE_CHECK") == 0)
316	entry->func = FILE_CHECK;	400	entry->func = FILE_CHECK;
@@ -361,20 +445,37 @@ static int ima_parse_rule(char rule, struct ima_measure_rule_entry entry)
361	case Opt_uid:	445	case Opt_uid:
362	ima_log_string(ab, "uid", args[0].from);	446	ima_log_string(ab, "uid", args[0].from);
363		447
364	if (entry->uid != -1) {	448	if (uid_valid(entry->uid)) {
365	result = -EINVAL;	449	result = -EINVAL;
366	break;	450	break;
367	}	451	}
368		452
369	result = strict_strtoul(args[0].from, 10, &lnum);	453	result = strict_strtoul(args[0].from, 10, &lnum);
370	if (!result) {	454	if (!result) {
371	entry->uid = (uid_t) lnum;	455	entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
372	if (entry->uid != lnum)	456	if (!uid_valid(entry->uid) \|\| (((uid_t)lnum) != lnum))
373	result = -EINVAL;	457	result = -EINVAL;
374	else	458	else
375	entry->flags \|= IMA_UID;	459	entry->flags \|= IMA_UID;
376	}	460	}
377	break;	461	break;
		462	case Opt_fowner:
		463	ima_log_string(ab, "fowner", args[0].from);
		464
		465	if (uid_valid(entry->fowner)) {
		466	result = -EINVAL;
		467	break;
		468	}
		469
		470	result = strict_strtoul(args[0].from, 10, &lnum);
		471	if (!result) {
		472	entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
		473	if (!uid_valid(entry->fowner) \|\| (((uid_t)lnum) != lnum))
		474	result = -EINVAL;
		475	else
		476	entry->flags \|= IMA_FOWNER;
		477	}
		478	break;
378	case Opt_obj_user:	479	case Opt_obj_user:
379	ima_log_string(ab, "obj_user", args[0].from);	480	ima_log_string(ab, "obj_user", args[0].from);
380	result = ima_lsm_rule_init(entry, args[0].from,	481	result = ima_lsm_rule_init(entry, args[0].from,
@@ -426,7 +527,7 @@ static int ima_parse_rule(char rule, struct ima_measure_rule_entry entry)
426	}	527	}
427		528
428	/**	529	/**
429	* ima_parse_add_rule - add a rule to measure_policy_rules	530	* ima_parse_add_rule - add a rule to ima_policy_rules
430	* @rule - ima measurement policy rule	531	* @rule - ima measurement policy rule
431	*	532	*
432	* Uses a mutex to protect the policy list from multiple concurrent writers.	533	* Uses a mutex to protect the policy list from multiple concurrent writers.
@@ -436,12 +537,12 @@ ssize_t ima_parse_add_rule(char *rule)
436	{	537	{
437	const char *op = "update_policy";	538	const char *op = "update_policy";
438	char *p;	539	char *p;
439	struct ima_measure_rule_entry *entry;	540	struct ima_rule_entry *entry;
440	ssize_t result, len;	541	ssize_t result, len;
441	int audit_info = 0;	542	int audit_info = 0;
442		543
443	/* Prevent installed policy from changing */	544	/* Prevent installed policy from changing */
444	if (ima_measure != &measure_default_rules) {	545	if (ima_rules != &ima_default_rules) {
445	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,	546	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
446	NULL, op, "already exists",	547	NULL, op, "already exists",
447	-EACCES, audit_info);	548	-EACCES, audit_info);
@@ -474,9 +575,9 @@ ssize_t ima_parse_add_rule(char *rule)
474	return result;	575	return result;
475	}	576	}
476		577
477	mutex_lock(&ima_measure_mutex);	578	mutex_lock(&ima_rules_mutex);
478	list_add_tail(&entry->list, &measure_policy_rules);	579	list_add_tail(&entry->list, &ima_policy_rules);
479	mutex_unlock(&ima_measure_mutex);	580	mutex_unlock(&ima_rules_mutex);
480		581
481	return len;	582	return len;
482	}	583	}
@@ -484,12 +585,12 @@ ssize_t ima_parse_add_rule(char *rule)
484	/* ima_delete_rules called to cleanup invalid policy */	585	/* ima_delete_rules called to cleanup invalid policy */
485	void ima_delete_rules(void)	586	void ima_delete_rules(void)
486	{	587	{
487	struct ima_measure_rule_entry entry, tmp;	588	struct ima_rule_entry entry, tmp;
488		589
489	mutex_lock(&ima_measure_mutex);	590	mutex_lock(&ima_rules_mutex);
490	list_for_each_entry_safe(entry, tmp, &measure_policy_rules, list) {	591	list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
491	list_del(&entry->list);	592	list_del(&entry->list);
492	kfree(entry);	593	kfree(entry);
493	}	594	}
494	mutex_unlock(&ima_measure_mutex);	595	mutex_unlock(&ima_rules_mutex);
495	}	596	}