Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorri...
[sfrench/cifs-2.6.git] / security / integrity / ima / ima_policy.c
1 /*
2  * Copyright (C) 2008 IBM Corporation
3  * Author: Mimi Zohar <zohar@us.ibm.com>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation, version 2 of the License.
8  *
9  * ima_policy.c
10  *      - initialize default measure policy rules
11  *
12  */
13 #include <linux/init.h>
14 #include <linux/list.h>
15 #include <linux/fs.h>
16 #include <linux/security.h>
17 #include <linux/magic.h>
18 #include <linux/parser.h>
19 #include <linux/slab.h>
20 #include <linux/rculist.h>
21 #include <linux/genhd.h>
22 #include <linux/seq_file.h>
23 #include <linux/ima.h>
24
25 #include "ima.h"
26
27 /* flags definitions */
28 #define IMA_FUNC        0x0001
29 #define IMA_MASK        0x0002
30 #define IMA_FSMAGIC     0x0004
31 #define IMA_UID         0x0008
32 #define IMA_FOWNER      0x0010
33 #define IMA_FSUUID      0x0020
34 #define IMA_INMASK      0x0040
35 #define IMA_EUID        0x0080
36 #define IMA_PCR         0x0100
37 #define IMA_FSNAME      0x0200
38
39 #define UNKNOWN         0
40 #define MEASURE         0x0001  /* same as IMA_MEASURE */
41 #define DONT_MEASURE    0x0002
42 #define APPRAISE        0x0004  /* same as IMA_APPRAISE */
43 #define DONT_APPRAISE   0x0008
44 #define AUDIT           0x0040
45 #define HASH            0x0100
46 #define DONT_HASH       0x0200
47
48 #define INVALID_PCR(a) (((a) < 0) || \
49         (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
50
51 int ima_policy_flag;
52 static int temp_ima_appraise;
53 static int build_ima_appraise __ro_after_init;
54
55 #define MAX_LSM_RULES 6
56 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
57         LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
58 };
59
60 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
61
62 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
63
64 struct ima_rule_entry {
65         struct list_head list;
66         int action;
67         unsigned int flags;
68         enum ima_hooks func;
69         int mask;
70         unsigned long fsmagic;
71         uuid_t fsuuid;
72         kuid_t uid;
73         kuid_t fowner;
74         bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
75         bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
76         int pcr;
77         struct {
78                 void *rule;     /* LSM file metadata specific */
79                 void *args_p;   /* audit value */
80                 int type;       /* audit type */
81         } lsm[MAX_LSM_RULES];
82         char *fsname;
83 };
84
85 /*
86  * Without LSM specific knowledge, the default policy can only be
87  * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
88  */
89
90 /*
91  * The minimum rule set to allow for full TCB coverage.  Measures all files
92  * opened or mmap for exec and everything read by root.  Dangerous because
93  * normal users can easily run the machine out of memory simply building
94  * and running executables.
95  */
96 static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
97         {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
98         {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
99         {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
100         {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
101         {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
102         {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
103         {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
104         {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
105         {.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
106         {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
107          .flags = IMA_FSMAGIC},
108         {.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
109          .flags = IMA_FSMAGIC},
110         {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
111         {.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
112 };
113
114 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
115         {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
116          .flags = IMA_FUNC | IMA_MASK},
117         {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
118          .flags = IMA_FUNC | IMA_MASK},
119         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
120          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
121          .flags = IMA_FUNC | IMA_MASK | IMA_UID},
122         {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
123         {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
124 };
125
126 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
127         {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
128          .flags = IMA_FUNC | IMA_MASK},
129         {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
130          .flags = IMA_FUNC | IMA_MASK},
131         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
132          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
133          .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
134         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
135          .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
136          .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
137         {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
138         {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
139         {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
140 };
141
142 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
143         {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
144         {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
145         {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
146         {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
147         {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
148         {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
149         {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
150         {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
151         {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
152         {.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
153         {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
154         {.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
155         {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
156         {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
157 #ifdef CONFIG_IMA_WRITE_POLICY
158         {.action = APPRAISE, .func = POLICY_CHECK,
159         .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
160 #endif
161 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
162         {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
163          .flags = IMA_FOWNER},
164 #else
165         /* force signature */
166         {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
167          .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
168 #endif
169 };
170
171 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
172 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
173         {.action = APPRAISE, .func = MODULE_CHECK,
174          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
175 #endif
176 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
177         {.action = APPRAISE, .func = FIRMWARE_CHECK,
178          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
179 #endif
180 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
181         {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
182          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
183 #endif
184 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
185         {.action = APPRAISE, .func = POLICY_CHECK,
186          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
187 #endif
188 };
189
190 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
191         {.action = APPRAISE, .func = MODULE_CHECK,
192          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
193         {.action = APPRAISE, .func = FIRMWARE_CHECK,
194          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
195         {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
196          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
197         {.action = APPRAISE, .func = POLICY_CHECK,
198          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
199 };
200
201 /* An array of architecture specific rules */
202 struct ima_rule_entry *arch_policy_entry __ro_after_init;
203
204 static LIST_HEAD(ima_default_rules);
205 static LIST_HEAD(ima_policy_rules);
206 static LIST_HEAD(ima_temp_rules);
207 static struct list_head *ima_rules;
208
209 static int ima_policy __initdata;
210
211 static int __init default_measure_policy_setup(char *str)
212 {
213         if (ima_policy)
214                 return 1;
215
216         ima_policy = ORIGINAL_TCB;
217         return 1;
218 }
219 __setup("ima_tcb", default_measure_policy_setup);
220
221 static bool ima_use_appraise_tcb __initdata;
222 static bool ima_use_secure_boot __initdata;
223 static bool ima_fail_unverifiable_sigs __ro_after_init;
224 static int __init policy_setup(char *str)
225 {
226         char *p;
227
228         while ((p = strsep(&str, " |\n")) != NULL) {
229                 if (*p == ' ')
230                         continue;
231                 if ((strcmp(p, "tcb") == 0) && !ima_policy)
232                         ima_policy = DEFAULT_TCB;
233                 else if (strcmp(p, "appraise_tcb") == 0)
234                         ima_use_appraise_tcb = true;
235                 else if (strcmp(p, "secure_boot") == 0)
236                         ima_use_secure_boot = true;
237                 else if (strcmp(p, "fail_securely") == 0)
238                         ima_fail_unverifiable_sigs = true;
239         }
240
241         return 1;
242 }
243 __setup("ima_policy=", policy_setup);
244
245 static int __init default_appraise_policy_setup(char *str)
246 {
247         ima_use_appraise_tcb = true;
248         return 1;
249 }
250 __setup("ima_appraise_tcb", default_appraise_policy_setup);
251
252 /*
253  * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
254  * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
255  * the reloaded LSM policy.  We assume the rules still exist; and BUG_ON() if
256  * they don't.
257  */
258 static void ima_lsm_update_rules(void)
259 {
260         struct ima_rule_entry *entry;
261         int result;
262         int i;
263
264         list_for_each_entry(entry, &ima_policy_rules, list) {
265                 for (i = 0; i < MAX_LSM_RULES; i++) {
266                         if (!entry->lsm[i].rule)
267                                 continue;
268                         result = security_filter_rule_init(entry->lsm[i].type,
269                                                            Audit_equal,
270                                                            entry->lsm[i].args_p,
271                                                            &entry->lsm[i].rule);
272                         BUG_ON(!entry->lsm[i].rule);
273                 }
274         }
275 }
276
277 /**
278  * ima_match_rules - determine whether an inode matches the measure rule.
279  * @rule: a pointer to a rule
280  * @inode: a pointer to an inode
281  * @cred: a pointer to a credentials structure for user validation
282  * @secid: the secid of the task to be validated
283  * @func: LIM hook identifier
284  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
285  *
286  * Returns true on rule match, false on failure.
287  */
288 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
289                             const struct cred *cred, u32 secid,
290                             enum ima_hooks func, int mask)
291 {
292         int i;
293
294         if ((rule->flags & IMA_FUNC) &&
295             (rule->func != func && func != POST_SETATTR))
296                 return false;
297         if ((rule->flags & IMA_MASK) &&
298             (rule->mask != mask && func != POST_SETATTR))
299                 return false;
300         if ((rule->flags & IMA_INMASK) &&
301             (!(rule->mask & mask) && func != POST_SETATTR))
302                 return false;
303         if ((rule->flags & IMA_FSMAGIC)
304             && rule->fsmagic != inode->i_sb->s_magic)
305                 return false;
306         if ((rule->flags & IMA_FSNAME)
307             && strcmp(rule->fsname, inode->i_sb->s_type->name))
308                 return false;
309         if ((rule->flags & IMA_FSUUID) &&
310             !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
311                 return false;
312         if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
313                 return false;
314         if (rule->flags & IMA_EUID) {
315                 if (has_capability_noaudit(current, CAP_SETUID)) {
316                         if (!rule->uid_op(cred->euid, rule->uid)
317                             && !rule->uid_op(cred->suid, rule->uid)
318                             && !rule->uid_op(cred->uid, rule->uid))
319                                 return false;
320                 } else if (!rule->uid_op(cred->euid, rule->uid))
321                         return false;
322         }
323
324         if ((rule->flags & IMA_FOWNER) &&
325             !rule->fowner_op(inode->i_uid, rule->fowner))
326                 return false;
327         for (i = 0; i < MAX_LSM_RULES; i++) {
328                 int rc = 0;
329                 u32 osid;
330                 int retried = 0;
331
332                 if (!rule->lsm[i].rule)
333                         continue;
334 retry:
335                 switch (i) {
336                 case LSM_OBJ_USER:
337                 case LSM_OBJ_ROLE:
338                 case LSM_OBJ_TYPE:
339                         security_inode_getsecid(inode, &osid);
340                         rc = security_filter_rule_match(osid,
341                                                         rule->lsm[i].type,
342                                                         Audit_equal,
343                                                         rule->lsm[i].rule,
344                                                         NULL);
345                         break;
346                 case LSM_SUBJ_USER:
347                 case LSM_SUBJ_ROLE:
348                 case LSM_SUBJ_TYPE:
349                         rc = security_filter_rule_match(secid,
350                                                         rule->lsm[i].type,
351                                                         Audit_equal,
352                                                         rule->lsm[i].rule,
353                                                         NULL);
354                 default:
355                         break;
356                 }
357                 if ((rc < 0) && (!retried)) {
358                         retried = 1;
359                         ima_lsm_update_rules();
360                         goto retry;
361                 }
362                 if (!rc)
363                         return false;
364         }
365         return true;
366 }
367
368 /*
369  * In addition to knowing that we need to appraise the file in general,
370  * we need to differentiate between calling hooks, for hook specific rules.
371  */
372 static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
373 {
374         if (!(rule->flags & IMA_FUNC))
375                 return IMA_FILE_APPRAISE;
376
377         switch (func) {
378         case MMAP_CHECK:
379                 return IMA_MMAP_APPRAISE;
380         case BPRM_CHECK:
381                 return IMA_BPRM_APPRAISE;
382         case CREDS_CHECK:
383                 return IMA_CREDS_APPRAISE;
384         case FILE_CHECK:
385         case POST_SETATTR:
386                 return IMA_FILE_APPRAISE;
387         case MODULE_CHECK ... MAX_CHECK - 1:
388         default:
389                 return IMA_READ_APPRAISE;
390         }
391 }
392
393 /**
394  * ima_match_policy - decision based on LSM and other conditions
395  * @inode: pointer to an inode for which the policy decision is being made
396  * @cred: pointer to a credentials structure for which the policy decision is
397  *        being made
398  * @secid: LSM secid of the task to be validated
399  * @func: IMA hook identifier
400  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
401  * @pcr: set the pcr to extend
402  *
403  * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
404  * conditions.
405  *
406  * Since the IMA policy may be updated multiple times we need to lock the
407  * list when walking it.  Reads are many orders of magnitude more numerous
408  * than writes so ima_match_policy() is classical RCU candidate.
409  */
410 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
411                      enum ima_hooks func, int mask, int flags, int *pcr)
412 {
413         struct ima_rule_entry *entry;
414         int action = 0, actmask = flags | (flags << 1);
415
416         rcu_read_lock();
417         list_for_each_entry_rcu(entry, ima_rules, list) {
418
419                 if (!(entry->action & actmask))
420                         continue;
421
422                 if (!ima_match_rules(entry, inode, cred, secid, func, mask))
423                         continue;
424
425                 action |= entry->flags & IMA_ACTION_FLAGS;
426
427                 action |= entry->action & IMA_DO_MASK;
428                 if (entry->action & IMA_APPRAISE) {
429                         action |= get_subaction(entry, func);
430                         action &= ~IMA_HASH;
431                         if (ima_fail_unverifiable_sigs)
432                                 action |= IMA_FAIL_UNVERIFIABLE_SIGS;
433                 }
434
435                 if (entry->action & IMA_DO_MASK)
436                         actmask &= ~(entry->action | entry->action << 1);
437                 else
438                         actmask &= ~(entry->action | entry->action >> 1);
439
440                 if ((pcr) && (entry->flags & IMA_PCR))
441                         *pcr = entry->pcr;
442
443                 if (!actmask)
444                         break;
445         }
446         rcu_read_unlock();
447
448         return action;
449 }
450
451 /*
452  * Initialize the ima_policy_flag variable based on the currently
453  * loaded policy.  Based on this flag, the decision to short circuit
454  * out of a function or not call the function in the first place
455  * can be made earlier.
456  */
457 void ima_update_policy_flag(void)
458 {
459         struct ima_rule_entry *entry;
460
461         list_for_each_entry(entry, ima_rules, list) {
462                 if (entry->action & IMA_DO_MASK)
463                         ima_policy_flag |= entry->action;
464         }
465
466         ima_appraise |= (build_ima_appraise | temp_ima_appraise);
467         if (!ima_appraise)
468                 ima_policy_flag &= ~IMA_APPRAISE;
469 }
470
471 static int ima_appraise_flag(enum ima_hooks func)
472 {
473         if (func == MODULE_CHECK)
474                 return IMA_APPRAISE_MODULES;
475         else if (func == FIRMWARE_CHECK)
476                 return IMA_APPRAISE_FIRMWARE;
477         else if (func == POLICY_CHECK)
478                 return IMA_APPRAISE_POLICY;
479         else if (func == KEXEC_KERNEL_CHECK)
480                 return IMA_APPRAISE_KEXEC;
481         return 0;
482 }
483
484 static void add_rules(struct ima_rule_entry *entries, int count,
485                       enum policy_rule_list policy_rule)
486 {
487         int i = 0;
488
489         for (i = 0; i < count; i++) {
490                 struct ima_rule_entry *entry;
491
492                 if (policy_rule & IMA_DEFAULT_POLICY)
493                         list_add_tail(&entries[i].list, &ima_default_rules);
494
495                 if (policy_rule & IMA_CUSTOM_POLICY) {
496                         entry = kmemdup(&entries[i], sizeof(*entry),
497                                         GFP_KERNEL);
498                         if (!entry)
499                                 continue;
500
501                         list_add_tail(&entry->list, &ima_policy_rules);
502                 }
503                 if (entries[i].action == APPRAISE)
504                         temp_ima_appraise |= ima_appraise_flag(entries[i].func);
505                 if (entries[i].func == POLICY_CHECK)
506                         temp_ima_appraise |= IMA_APPRAISE_POLICY;
507         }
508 }
509
510 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
511
512 static int __init ima_init_arch_policy(void)
513 {
514         const char * const *arch_rules;
515         const char * const *rules;
516         int arch_entries = 0;
517         int i = 0;
518
519         arch_rules = arch_get_ima_policy();
520         if (!arch_rules)
521                 return arch_entries;
522
523         /* Get number of rules */
524         for (rules = arch_rules; *rules != NULL; rules++)
525                 arch_entries++;
526
527         arch_policy_entry = kcalloc(arch_entries + 1,
528                                     sizeof(*arch_policy_entry), GFP_KERNEL);
529         if (!arch_policy_entry)
530                 return 0;
531
532         /* Convert each policy string rules to struct ima_rule_entry format */
533         for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
534                 char rule[255];
535                 int result;
536
537                 result = strlcpy(rule, *rules, sizeof(rule));
538
539                 INIT_LIST_HEAD(&arch_policy_entry[i].list);
540                 result = ima_parse_rule(rule, &arch_policy_entry[i]);
541                 if (result) {
542                         pr_warn("Skipping unknown architecture policy rule: %s\n",
543                                 rule);
544                         memset(&arch_policy_entry[i], 0,
545                                sizeof(*arch_policy_entry));
546                         continue;
547                 }
548                 i++;
549         }
550         return i;
551 }
552
553 /**
554  * ima_init_policy - initialize the default measure rules.
555  *
556  * ima_rules points to either the ima_default_rules or the
557  * the new ima_policy_rules.
558  */
559 void __init ima_init_policy(void)
560 {
561         int build_appraise_entries, arch_entries;
562
563         /* if !ima_policy, we load NO default rules */
564         if (ima_policy)
565                 add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
566                           IMA_DEFAULT_POLICY);
567
568         switch (ima_policy) {
569         case ORIGINAL_TCB:
570                 add_rules(original_measurement_rules,
571                           ARRAY_SIZE(original_measurement_rules),
572                           IMA_DEFAULT_POLICY);
573                 break;
574         case DEFAULT_TCB:
575                 add_rules(default_measurement_rules,
576                           ARRAY_SIZE(default_measurement_rules),
577                           IMA_DEFAULT_POLICY);
578         default:
579                 break;
580         }
581
582         /*
583          * Based on runtime secure boot flags, insert arch specific measurement
584          * and appraise rules requiring file signatures for both the initial
585          * and custom policies, prior to other appraise rules.
586          * (Highest priority)
587          */
588         arch_entries = ima_init_arch_policy();
589         if (!arch_entries)
590                 pr_info("No architecture policies found\n");
591         else
592                 add_rules(arch_policy_entry, arch_entries,
593                           IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
594
595         /*
596          * Insert the builtin "secure_boot" policy rules requiring file
597          * signatures, prior to other appraise rules.
598          */
599         if (ima_use_secure_boot)
600                 add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
601                           IMA_DEFAULT_POLICY);
602
603         /*
604          * Insert the build time appraise rules requiring file signatures
605          * for both the initial and custom policies, prior to other appraise
606          * rules. As the secure boot rules includes all of the build time
607          * rules, include either one or the other set of rules, but not both.
608          */
609         build_appraise_entries = ARRAY_SIZE(build_appraise_rules);
610         if (build_appraise_entries) {
611                 if (ima_use_secure_boot)
612                         add_rules(build_appraise_rules, build_appraise_entries,
613                                   IMA_CUSTOM_POLICY);
614                 else
615                         add_rules(build_appraise_rules, build_appraise_entries,
616                                   IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
617         }
618
619         if (ima_use_appraise_tcb)
620                 add_rules(default_appraise_rules,
621                           ARRAY_SIZE(default_appraise_rules),
622                           IMA_DEFAULT_POLICY);
623
624         ima_rules = &ima_default_rules;
625         ima_update_policy_flag();
626 }
627
628 /* Make sure we have a valid policy, at least containing some rules. */
629 int ima_check_policy(void)
630 {
631         if (list_empty(&ima_temp_rules))
632                 return -EINVAL;
633         return 0;
634 }
635
636 /**
637  * ima_update_policy - update default_rules with new measure rules
638  *
639  * Called on file .release to update the default rules with a complete new
640  * policy.  What we do here is to splice ima_policy_rules and ima_temp_rules so
641  * they make a queue.  The policy may be updated multiple times and this is the
642  * RCU updater.
643  *
644  * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
645  * we switch from the default policy to user defined.
646  */
647 void ima_update_policy(void)
648 {
649         struct list_head *policy = &ima_policy_rules;
650
651         list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
652
653         if (ima_rules != policy) {
654                 ima_policy_flag = 0;
655                 ima_rules = policy;
656
657                 /*
658                  * IMA architecture specific policy rules are specified
659                  * as strings and converted to an array of ima_entry_rules
660                  * on boot.  After loading a custom policy, free the
661                  * architecture specific rules stored as an array.
662                  */
663                 kfree(arch_policy_entry);
664         }
665         ima_update_policy_flag();
666 }
667
668 /* Keep the enumeration in sync with the policy_tokens! */
669 enum {
670         Opt_measure, Opt_dont_measure,
671         Opt_appraise, Opt_dont_appraise,
672         Opt_audit, Opt_hash, Opt_dont_hash,
673         Opt_obj_user, Opt_obj_role, Opt_obj_type,
674         Opt_subj_user, Opt_subj_role, Opt_subj_type,
675         Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
676         Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
677         Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
678         Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
679         Opt_appraise_type, Opt_permit_directio,
680         Opt_pcr, Opt_err
681 };
682
683 static const match_table_t policy_tokens = {
684         {Opt_measure, "measure"},
685         {Opt_dont_measure, "dont_measure"},
686         {Opt_appraise, "appraise"},
687         {Opt_dont_appraise, "dont_appraise"},
688         {Opt_audit, "audit"},
689         {Opt_hash, "hash"},
690         {Opt_dont_hash, "dont_hash"},
691         {Opt_obj_user, "obj_user=%s"},
692         {Opt_obj_role, "obj_role=%s"},
693         {Opt_obj_type, "obj_type=%s"},
694         {Opt_subj_user, "subj_user=%s"},
695         {Opt_subj_role, "subj_role=%s"},
696         {Opt_subj_type, "subj_type=%s"},
697         {Opt_func, "func=%s"},
698         {Opt_mask, "mask=%s"},
699         {Opt_fsmagic, "fsmagic=%s"},
700         {Opt_fsname, "fsname=%s"},
701         {Opt_fsuuid, "fsuuid=%s"},
702         {Opt_uid_eq, "uid=%s"},
703         {Opt_euid_eq, "euid=%s"},
704         {Opt_fowner_eq, "fowner=%s"},
705         {Opt_uid_gt, "uid>%s"},
706         {Opt_euid_gt, "euid>%s"},
707         {Opt_fowner_gt, "fowner>%s"},
708         {Opt_uid_lt, "uid<%s"},
709         {Opt_euid_lt, "euid<%s"},
710         {Opt_fowner_lt, "fowner<%s"},
711         {Opt_appraise_type, "appraise_type=%s"},
712         {Opt_permit_directio, "permit_directio"},
713         {Opt_pcr, "pcr=%s"},
714         {Opt_err, NULL}
715 };
716
717 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
718                              substring_t *args, int lsm_rule, int audit_type)
719 {
720         int result;
721
722         if (entry->lsm[lsm_rule].rule)
723                 return -EINVAL;
724
725         entry->lsm[lsm_rule].args_p = match_strdup(args);
726         if (!entry->lsm[lsm_rule].args_p)
727                 return -ENOMEM;
728
729         entry->lsm[lsm_rule].type = audit_type;
730         result = security_filter_rule_init(entry->lsm[lsm_rule].type,
731                                            Audit_equal,
732                                            entry->lsm[lsm_rule].args_p,
733                                            &entry->lsm[lsm_rule].rule);
734         if (!entry->lsm[lsm_rule].rule) {
735                 kfree(entry->lsm[lsm_rule].args_p);
736                 return -EINVAL;
737         }
738
739         return result;
740 }
741
742 static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
743                               bool (*rule_operator)(kuid_t, kuid_t))
744 {
745         if (!ab)
746                 return;
747
748         if (rule_operator == &uid_gt)
749                 audit_log_format(ab, "%s>", key);
750         else if (rule_operator == &uid_lt)
751                 audit_log_format(ab, "%s<", key);
752         else
753                 audit_log_format(ab, "%s=", key);
754         audit_log_format(ab, "%s ", value);
755 }
756 static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
757 {
758         ima_log_string_op(ab, key, value, NULL);
759 }
760
761 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
762 {
763         struct audit_buffer *ab;
764         char *from;
765         char *p;
766         bool uid_token;
767         int result = 0;
768
769         ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
770                                        AUDIT_INTEGRITY_POLICY_RULE);
771
772         entry->uid = INVALID_UID;
773         entry->fowner = INVALID_UID;
774         entry->uid_op = &uid_eq;
775         entry->fowner_op = &uid_eq;
776         entry->action = UNKNOWN;
777         while ((p = strsep(&rule, " \t")) != NULL) {
778                 substring_t args[MAX_OPT_ARGS];
779                 int token;
780                 unsigned long lnum;
781
782                 if (result < 0)
783                         break;
784                 if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
785                         continue;
786                 token = match_token(p, policy_tokens, args);
787                 switch (token) {
788                 case Opt_measure:
789                         ima_log_string(ab, "action", "measure");
790
791                         if (entry->action != UNKNOWN)
792                                 result = -EINVAL;
793
794                         entry->action = MEASURE;
795                         break;
796                 case Opt_dont_measure:
797                         ima_log_string(ab, "action", "dont_measure");
798
799                         if (entry->action != UNKNOWN)
800                                 result = -EINVAL;
801
802                         entry->action = DONT_MEASURE;
803                         break;
804                 case Opt_appraise:
805                         ima_log_string(ab, "action", "appraise");
806
807                         if (entry->action != UNKNOWN)
808                                 result = -EINVAL;
809
810                         entry->action = APPRAISE;
811                         break;
812                 case Opt_dont_appraise:
813                         ima_log_string(ab, "action", "dont_appraise");
814
815                         if (entry->action != UNKNOWN)
816                                 result = -EINVAL;
817
818                         entry->action = DONT_APPRAISE;
819                         break;
820                 case Opt_audit:
821                         ima_log_string(ab, "action", "audit");
822
823                         if (entry->action != UNKNOWN)
824                                 result = -EINVAL;
825
826                         entry->action = AUDIT;
827                         break;
828                 case Opt_hash:
829                         ima_log_string(ab, "action", "hash");
830
831                         if (entry->action != UNKNOWN)
832                                 result = -EINVAL;
833
834                         entry->action = HASH;
835                         break;
836                 case Opt_dont_hash:
837                         ima_log_string(ab, "action", "dont_hash");
838
839                         if (entry->action != UNKNOWN)
840                                 result = -EINVAL;
841
842                         entry->action = DONT_HASH;
843                         break;
844                 case Opt_func:
845                         ima_log_string(ab, "func", args[0].from);
846
847                         if (entry->func)
848                                 result = -EINVAL;
849
850                         if (strcmp(args[0].from, "FILE_CHECK") == 0)
851                                 entry->func = FILE_CHECK;
852                         /* PATH_CHECK is for backwards compat */
853                         else if (strcmp(args[0].from, "PATH_CHECK") == 0)
854                                 entry->func = FILE_CHECK;
855                         else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
856                                 entry->func = MODULE_CHECK;
857                         else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
858                                 entry->func = FIRMWARE_CHECK;
859                         else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
860                                 || (strcmp(args[0].from, "MMAP_CHECK") == 0))
861                                 entry->func = MMAP_CHECK;
862                         else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
863                                 entry->func = BPRM_CHECK;
864                         else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
865                                 entry->func = CREDS_CHECK;
866                         else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
867                                  0)
868                                 entry->func = KEXEC_KERNEL_CHECK;
869                         else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
870                                  == 0)
871                                 entry->func = KEXEC_INITRAMFS_CHECK;
872                         else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
873                                 entry->func = POLICY_CHECK;
874                         else
875                                 result = -EINVAL;
876                         if (!result)
877                                 entry->flags |= IMA_FUNC;
878                         break;
879                 case Opt_mask:
880                         ima_log_string(ab, "mask", args[0].from);
881
882                         if (entry->mask)
883                                 result = -EINVAL;
884
885                         from = args[0].from;
886                         if (*from == '^')
887                                 from++;
888
889                         if ((strcmp(from, "MAY_EXEC")) == 0)
890                                 entry->mask = MAY_EXEC;
891                         else if (strcmp(from, "MAY_WRITE") == 0)
892                                 entry->mask = MAY_WRITE;
893                         else if (strcmp(from, "MAY_READ") == 0)
894                                 entry->mask = MAY_READ;
895                         else if (strcmp(from, "MAY_APPEND") == 0)
896                                 entry->mask = MAY_APPEND;
897                         else
898                                 result = -EINVAL;
899                         if (!result)
900                                 entry->flags |= (*args[0].from == '^')
901                                      ? IMA_INMASK : IMA_MASK;
902                         break;
903                 case Opt_fsmagic:
904                         ima_log_string(ab, "fsmagic", args[0].from);
905
906                         if (entry->fsmagic) {
907                                 result = -EINVAL;
908                                 break;
909                         }
910
911                         result = kstrtoul(args[0].from, 16, &entry->fsmagic);
912                         if (!result)
913                                 entry->flags |= IMA_FSMAGIC;
914                         break;
915                 case Opt_fsname:
916                         ima_log_string(ab, "fsname", args[0].from);
917
918                         entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
919                         if (!entry->fsname) {
920                                 result = -ENOMEM;
921                                 break;
922                         }
923                         result = 0;
924                         entry->flags |= IMA_FSNAME;
925                         break;
926                 case Opt_fsuuid:
927                         ima_log_string(ab, "fsuuid", args[0].from);
928
929                         if (!uuid_is_null(&entry->fsuuid)) {
930                                 result = -EINVAL;
931                                 break;
932                         }
933
934                         result = uuid_parse(args[0].from, &entry->fsuuid);
935                         if (!result)
936                                 entry->flags |= IMA_FSUUID;
937                         break;
938                 case Opt_uid_gt:
939                 case Opt_euid_gt:
940                         entry->uid_op = &uid_gt;
941                 case Opt_uid_lt:
942                 case Opt_euid_lt:
943                         if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
944                                 entry->uid_op = &uid_lt;
945                 case Opt_uid_eq:
946                 case Opt_euid_eq:
947                         uid_token = (token == Opt_uid_eq) ||
948                                     (token == Opt_uid_gt) ||
949                                     (token == Opt_uid_lt);
950
951                         ima_log_string_op(ab, uid_token ? "uid" : "euid",
952                                           args[0].from, entry->uid_op);
953
954                         if (uid_valid(entry->uid)) {
955                                 result = -EINVAL;
956                                 break;
957                         }
958
959                         result = kstrtoul(args[0].from, 10, &lnum);
960                         if (!result) {
961                                 entry->uid = make_kuid(current_user_ns(),
962                                                        (uid_t) lnum);
963                                 if (!uid_valid(entry->uid) ||
964                                     (uid_t)lnum != lnum)
965                                         result = -EINVAL;
966                                 else
967                                         entry->flags |= uid_token
968                                             ? IMA_UID : IMA_EUID;
969                         }
970                         break;
971                 case Opt_fowner_gt:
972                         entry->fowner_op = &uid_gt;
973                 case Opt_fowner_lt:
974                         if (token == Opt_fowner_lt)
975                                 entry->fowner_op = &uid_lt;
976                 case Opt_fowner_eq:
977                         ima_log_string_op(ab, "fowner", args[0].from,
978                                           entry->fowner_op);
979
980                         if (uid_valid(entry->fowner)) {
981                                 result = -EINVAL;
982                                 break;
983                         }
984
985                         result = kstrtoul(args[0].from, 10, &lnum);
986                         if (!result) {
987                                 entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
988                                 if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
989                                         result = -EINVAL;
990                                 else
991                                         entry->flags |= IMA_FOWNER;
992                         }
993                         break;
994                 case Opt_obj_user:
995                         ima_log_string(ab, "obj_user", args[0].from);
996                         result = ima_lsm_rule_init(entry, args,
997                                                    LSM_OBJ_USER,
998                                                    AUDIT_OBJ_USER);
999                         break;
1000                 case Opt_obj_role:
1001                         ima_log_string(ab, "obj_role", args[0].from);
1002                         result = ima_lsm_rule_init(entry, args,
1003                                                    LSM_OBJ_ROLE,
1004                                                    AUDIT_OBJ_ROLE);
1005                         break;
1006                 case Opt_obj_type:
1007                         ima_log_string(ab, "obj_type", args[0].from);
1008                         result = ima_lsm_rule_init(entry, args,
1009                                                    LSM_OBJ_TYPE,
1010                                                    AUDIT_OBJ_TYPE);
1011                         break;
1012                 case Opt_subj_user:
1013                         ima_log_string(ab, "subj_user", args[0].from);
1014                         result = ima_lsm_rule_init(entry, args,
1015                                                    LSM_SUBJ_USER,
1016                                                    AUDIT_SUBJ_USER);
1017                         break;
1018                 case Opt_subj_role:
1019                         ima_log_string(ab, "subj_role", args[0].from);
1020                         result = ima_lsm_rule_init(entry, args,
1021                                                    LSM_SUBJ_ROLE,
1022                                                    AUDIT_SUBJ_ROLE);
1023                         break;
1024                 case Opt_subj_type:
1025                         ima_log_string(ab, "subj_type", args[0].from);
1026                         result = ima_lsm_rule_init(entry, args,
1027                                                    LSM_SUBJ_TYPE,
1028                                                    AUDIT_SUBJ_TYPE);
1029                         break;
1030                 case Opt_appraise_type:
1031                         if (entry->action != APPRAISE) {
1032                                 result = -EINVAL;
1033                                 break;
1034                         }
1035
1036                         ima_log_string(ab, "appraise_type", args[0].from);
1037                         if ((strcmp(args[0].from, "imasig")) == 0)
1038                                 entry->flags |= IMA_DIGSIG_REQUIRED;
1039                         else
1040                                 result = -EINVAL;
1041                         break;
1042                 case Opt_permit_directio:
1043                         entry->flags |= IMA_PERMIT_DIRECTIO;
1044                         break;
1045                 case Opt_pcr:
1046                         if (entry->action != MEASURE) {
1047                                 result = -EINVAL;
1048                                 break;
1049                         }
1050                         ima_log_string(ab, "pcr", args[0].from);
1051
1052                         result = kstrtoint(args[0].from, 10, &entry->pcr);
1053                         if (result || INVALID_PCR(entry->pcr))
1054                                 result = -EINVAL;
1055                         else
1056                                 entry->flags |= IMA_PCR;
1057
1058                         break;
1059                 case Opt_err:
1060                         ima_log_string(ab, "UNKNOWN", p);
1061                         result = -EINVAL;
1062                         break;
1063                 }
1064         }
1065         if (!result && (entry->action == UNKNOWN))
1066                 result = -EINVAL;
1067         else if (entry->action == APPRAISE)
1068                 temp_ima_appraise |= ima_appraise_flag(entry->func);
1069
1070         audit_log_format(ab, "res=%d", !result);
1071         audit_log_end(ab);
1072         return result;
1073 }
1074
1075 /**
1076  * ima_parse_add_rule - add a rule to ima_policy_rules
1077  * @rule - ima measurement policy rule
1078  *
1079  * Avoid locking by allowing just one writer at a time in ima_write_policy()
1080  * Returns the length of the rule parsed, an error code on failure
1081  */
1082 ssize_t ima_parse_add_rule(char *rule)
1083 {
1084         static const char op[] = "update_policy";
1085         char *p;
1086         struct ima_rule_entry *entry;
1087         ssize_t result, len;
1088         int audit_info = 0;
1089
1090         p = strsep(&rule, "\n");
1091         len = strlen(p) + 1;
1092         p += strspn(p, " \t");
1093
1094         if (*p == '#' || *p == '\0')
1095                 return len;
1096
1097         entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1098         if (!entry) {
1099                 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1100                                     NULL, op, "-ENOMEM", -ENOMEM, audit_info);
1101                 return -ENOMEM;
1102         }
1103
1104         INIT_LIST_HEAD(&entry->list);
1105
1106         result = ima_parse_rule(p, entry);
1107         if (result) {
1108                 kfree(entry);
1109                 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
1110                                     NULL, op, "invalid-policy", result,
1111                                     audit_info);
1112                 return result;
1113         }
1114
1115         list_add_tail(&entry->list, &ima_temp_rules);
1116
1117         return len;
1118 }
1119
1120 /**
1121  * ima_delete_rules() called to cleanup invalid in-flight policy.
1122  * We don't need locking as we operate on the temp list, which is
1123  * different from the active one.  There is also only one user of
1124  * ima_delete_rules() at a time.
1125  */
1126 void ima_delete_rules(void)
1127 {
1128         struct ima_rule_entry *entry, *tmp;
1129         int i;
1130
1131         temp_ima_appraise = 0;
1132         list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
1133                 for (i = 0; i < MAX_LSM_RULES; i++)
1134                         kfree(entry->lsm[i].args_p);
1135
1136                 list_del(&entry->list);
1137                 kfree(entry);
1138         }
1139 }
1140
1141 #ifdef  CONFIG_IMA_READ_POLICY
1142 enum {
1143         mask_exec = 0, mask_write, mask_read, mask_append
1144 };
1145
1146 static const char *const mask_tokens[] = {
1147         "MAY_EXEC",
1148         "MAY_WRITE",
1149         "MAY_READ",
1150         "MAY_APPEND"
1151 };
1152
1153 #define __ima_hook_stringify(str)       (#str),
1154
1155 static const char *const func_tokens[] = {
1156         __ima_hooks(__ima_hook_stringify)
1157 };
1158
1159 void *ima_policy_start(struct seq_file *m, loff_t *pos)
1160 {
1161         loff_t l = *pos;
1162         struct ima_rule_entry *entry;
1163
1164         rcu_read_lock();
1165         list_for_each_entry_rcu(entry, ima_rules, list) {
1166                 if (!l--) {
1167                         rcu_read_unlock();
1168                         return entry;
1169                 }
1170         }
1171         rcu_read_unlock();
1172         return NULL;
1173 }
1174
1175 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
1176 {
1177         struct ima_rule_entry *entry = v;
1178
1179         rcu_read_lock();
1180         entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list);
1181         rcu_read_unlock();
1182         (*pos)++;
1183
1184         return (&entry->list == ima_rules) ? NULL : entry;
1185 }
1186
1187 void ima_policy_stop(struct seq_file *m, void *v)
1188 {
1189 }
1190
1191 #define pt(token)       policy_tokens[token].pattern
1192 #define mt(token)       mask_tokens[token]
1193
1194 /*
1195  * policy_func_show - display the ima_hooks policy rule
1196  */
1197 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1198 {
1199         if (func > 0 && func < MAX_CHECK)
1200                 seq_printf(m, "func=%s ", func_tokens[func]);
1201         else
1202                 seq_printf(m, "func=%d ", func);
1203 }
1204
1205 int ima_policy_show(struct seq_file *m, void *v)
1206 {
1207         struct ima_rule_entry *entry = v;
1208         int i;
1209         char tbuf[64] = {0,};
1210
1211         rcu_read_lock();
1212
1213         if (entry->action & MEASURE)
1214                 seq_puts(m, pt(Opt_measure));
1215         if (entry->action & DONT_MEASURE)
1216                 seq_puts(m, pt(Opt_dont_measure));
1217         if (entry->action & APPRAISE)
1218                 seq_puts(m, pt(Opt_appraise));
1219         if (entry->action & DONT_APPRAISE)
1220                 seq_puts(m, pt(Opt_dont_appraise));
1221         if (entry->action & AUDIT)
1222                 seq_puts(m, pt(Opt_audit));
1223         if (entry->action & HASH)
1224                 seq_puts(m, pt(Opt_hash));
1225         if (entry->action & DONT_HASH)
1226                 seq_puts(m, pt(Opt_dont_hash));
1227
1228         seq_puts(m, " ");
1229
1230         if (entry->flags & IMA_FUNC)
1231                 policy_func_show(m, entry->func);
1232
1233         if (entry->flags & IMA_MASK) {
1234                 if (entry->mask & MAY_EXEC)
1235                         seq_printf(m, pt(Opt_mask), mt(mask_exec));
1236                 if (entry->mask & MAY_WRITE)
1237                         seq_printf(m, pt(Opt_mask), mt(mask_write));
1238                 if (entry->mask & MAY_READ)
1239                         seq_printf(m, pt(Opt_mask), mt(mask_read));
1240                 if (entry->mask & MAY_APPEND)
1241                         seq_printf(m, pt(Opt_mask), mt(mask_append));
1242                 seq_puts(m, " ");
1243         }
1244
1245         if (entry->flags & IMA_FSMAGIC) {
1246                 snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
1247                 seq_printf(m, pt(Opt_fsmagic), tbuf);
1248                 seq_puts(m, " ");
1249         }
1250
1251         if (entry->flags & IMA_FSNAME) {
1252                 snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
1253                 seq_printf(m, pt(Opt_fsname), tbuf);
1254                 seq_puts(m, " ");
1255         }
1256
1257         if (entry->flags & IMA_PCR) {
1258                 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
1259                 seq_printf(m, pt(Opt_pcr), tbuf);
1260                 seq_puts(m, " ");
1261         }
1262
1263         if (entry->flags & IMA_FSUUID) {
1264                 seq_printf(m, "fsuuid=%pU", &entry->fsuuid);
1265                 seq_puts(m, " ");
1266         }
1267
1268         if (entry->flags & IMA_UID) {
1269                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1270                 if (entry->uid_op == &uid_gt)
1271                         seq_printf(m, pt(Opt_uid_gt), tbuf);
1272                 else if (entry->uid_op == &uid_lt)
1273                         seq_printf(m, pt(Opt_uid_lt), tbuf);
1274                 else
1275                         seq_printf(m, pt(Opt_uid_eq), tbuf);
1276                 seq_puts(m, " ");
1277         }
1278
1279         if (entry->flags & IMA_EUID) {
1280                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
1281                 if (entry->uid_op == &uid_gt)
1282                         seq_printf(m, pt(Opt_euid_gt), tbuf);
1283                 else if (entry->uid_op == &uid_lt)
1284                         seq_printf(m, pt(Opt_euid_lt), tbuf);
1285                 else
1286                         seq_printf(m, pt(Opt_euid_eq), tbuf);
1287                 seq_puts(m, " ");
1288         }
1289
1290         if (entry->flags & IMA_FOWNER) {
1291                 snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
1292                 if (entry->fowner_op == &uid_gt)
1293                         seq_printf(m, pt(Opt_fowner_gt), tbuf);
1294                 else if (entry->fowner_op == &uid_lt)
1295                         seq_printf(m, pt(Opt_fowner_lt), tbuf);
1296                 else
1297                         seq_printf(m, pt(Opt_fowner_eq), tbuf);
1298                 seq_puts(m, " ");
1299         }
1300
1301         for (i = 0; i < MAX_LSM_RULES; i++) {
1302                 if (entry->lsm[i].rule) {
1303                         switch (i) {
1304                         case LSM_OBJ_USER:
1305                                 seq_printf(m, pt(Opt_obj_user),
1306                                            (char *)entry->lsm[i].args_p);
1307                                 break;
1308                         case LSM_OBJ_ROLE:
1309                                 seq_printf(m, pt(Opt_obj_role),
1310                                            (char *)entry->lsm[i].args_p);
1311                                 break;
1312                         case LSM_OBJ_TYPE:
1313                                 seq_printf(m, pt(Opt_obj_type),
1314                                            (char *)entry->lsm[i].args_p);
1315                                 break;
1316                         case LSM_SUBJ_USER:
1317                                 seq_printf(m, pt(Opt_subj_user),
1318                                            (char *)entry->lsm[i].args_p);
1319                                 break;
1320                         case LSM_SUBJ_ROLE:
1321                                 seq_printf(m, pt(Opt_subj_role),
1322                                            (char *)entry->lsm[i].args_p);
1323                                 break;
1324                         case LSM_SUBJ_TYPE:
1325                                 seq_printf(m, pt(Opt_subj_type),
1326                                            (char *)entry->lsm[i].args_p);
1327                                 break;
1328                         }
1329                 }
1330         }
1331         if (entry->flags & IMA_DIGSIG_REQUIRED)
1332                 seq_puts(m, "appraise_type=imasig ");
1333         if (entry->flags & IMA_PERMIT_DIRECTIO)
1334                 seq_puts(m, "permit_directio ");
1335         rcu_read_unlock();
1336         seq_puts(m, "\n");
1337         return 0;
1338 }
1339 #endif  /* CONFIG_IMA_READ_POLICY */