Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:security\integrity\ima\ima_policy.c Create Date:2022-07-28 19:59:03
Last Modify:2020-03-12 14:18:49 Copyright©Brick
home page Tree
Annotation kernel can get tool activityDownload SCCTChinese

Name:ima_parse_rule

Proto:static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)

Type:int

Parameter:

TypeParameterName
char *rule
struct ima_rule_entry *entry
899  result = 0
901  ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, IMA policy rules )
904  uid = INVALID_UID
905  fowner = INVALID_UID
906  uid_op = uid_eq
907  fowner_op = uid_eq
908  action = UNKNOWN
909  When ((p = strsep - Split a string into tokens*@s: The string to be searched*@ct: The characters to search for* strsep() updates @s to point after the token, ready for the next call.* It returns empty tokens, too, behaving exactly like the libc function) != NULL) cycle
914  If result < 0 Then Break
916  If p == '\0' || p == ' ' || p == '\t' Then Continue
918  token = match_token(p, policy_tokens, args)
920  Case token == Opt_measure
921  ima_log_string(ab, "action", "measure")
923  If action != UNKNOWN Then result = -EINVAL
926  action = same as IMA_MEASURE
927  Break
928  Case token == Opt_dont_measure
929  ima_log_string(ab, "action", "dont_measure")
931  If action != UNKNOWN Then result = -EINVAL
934  action = DONT_MEASURE
935  Break
936  Case token == Opt_appraise
937  ima_log_string(ab, "action", "appraise")
939  If action != UNKNOWN Then result = -EINVAL
942  action = same as IMA_APPRAISE
943  Break
944  Case token == Opt_dont_appraise
945  ima_log_string(ab, "action", "dont_appraise")
947  If action != UNKNOWN Then result = -EINVAL
950  action = DONT_APPRAISE
951  Break
952  Case token == Opt_audit
953  ima_log_string(ab, "action", "audit")
955  If action != UNKNOWN Then result = -EINVAL
958  action = AUDIT
959  Break
960  Case token == Opt_hash
961  ima_log_string(ab, "action", "hash")
963  If action != UNKNOWN Then result = -EINVAL
966  action = HASH
967  Break
968  Case token == Opt_dont_hash
969  ima_log_string(ab, "action", "dont_hash")
971  If action != UNKNOWN Then result = -EINVAL
974  action = DONT_HASH
975  Break
976  Case token == Opt_func
977  ima_log_string(ab, "func", from)
979  If func Then result = -EINVAL
982  If strcmp(from, "FILE_CHECK") == 0 Then func = FILE_CHECK
985  Else if strcmp(from, "PATH_CHECK") == 0 Then func = FILE_CHECK
987  Else if strcmp(from, "MODULE_CHECK") == 0 Then func = MODULE_CHECK
989  Else if strcmp(from, "FIRMWARE_CHECK") == 0 Then func = FIRMWARE_CHECK
991  Else if strcmp(from, "FILE_MMAP") == 0 || strcmp(from, "MMAP_CHECK") == 0 Then func = MMAP_CHECK
994  Else if strcmp(from, "BPRM_CHECK") == 0 Then func = BPRM_CHECK
996  Else if strcmp(from, "CREDS_CHECK") == 0 Then func = CREDS_CHECK
998  Else if strcmp(from, "KEXEC_KERNEL_CHECK") == 0 Then func = KEXEC_KERNEL_CHECK
1001  Else if strcmp(from, "KEXEC_INITRAMFS_CHECK") == 0 Then func = KEXEC_INITRAMFS_CHECK
1004  Else if strcmp(from, "POLICY_CHECK") == 0 Then func = POLICY_CHECK
1006  Else if strcmp(from, "KEXEC_CMDLINE") == 0 Then func = KEXEC_CMDLINE
1008  Else result = -EINVAL
1010  If Not result Then flags |= lags definitions
1012  Break
1013  Case token == Opt_mask
1014  ima_log_string(ab, "mask", from)
1016  If mask Then result = -EINVAL
1019  from = from
1020  If from == '^' Then from++
1023  If strcmp(from, "MAY_EXEC") == 0 Then mask = MAY_EXEC
1025  Else if strcmp(from, "MAY_WRITE") == 0 Then mask = MAY_WRITE
1027  Else if strcmp(from, "MAY_READ") == 0 Then mask = MAY_READ
1029  Else if strcmp(from, "MAY_APPEND") == 0 Then mask = MAY_APPEND
1031  Else result = -EINVAL
1033  If Not result Then flags |= If from == '^' Then IMA_INMASK Else IMA_MASK
1036  Break
1037  Case token == Opt_fsmagic
1038  ima_log_string(ab, "fsmagic", from)
1040  If fsmagic Then
1041  result = -EINVAL
1042  Break
1045  result = kstrtoul - convert a string to an unsigned long*@s: The start of the string. The string must be null-terminated, and may also* include a single newline before its terminating null. The first character* may also be a plus sign, but not a minus sign.
1046  If Not result Then flags |= IMA_FSMAGIC
1048  Break
1049  Case token == Opt_fsname
1050  ima_log_string(ab, "fsname", from)
1052  fsname = kstrdup - allocate space for and copy an existing string*@s: the string to duplicate*@gfp: the GFP mask used in the kmalloc() call when allocating memory* Return: newly allocated copy of @s or %NULL in case of error
1053  If Not fsname Then
1054  result = -ENOMEM
1055  Break
1057  result = 0
1058  flags |= IMA_FSNAME
1059  Break
1060  Case token == Opt_fsuuid
1061  ima_log_string(ab, "fsuuid", from)
1063  If Not uuid_is_null( & fsuuid) Then
1064  result = -EINVAL
1065  Break
1068  result = uuid_parse(from, & fsuuid)
1069  If Not result Then flags |= IMA_FSUUID
1071  Break
1072  Case token == Opt_uid_gt
1073  Case token == Opt_euid_gt
1074  uid_op = uid_gt
1076  Case token == Opt_uid_lt
1077  Case token == Opt_euid_lt
1078  If token == Opt_uid_lt || token == Opt_euid_lt Then uid_op = uid_lt
1081  Case token == Opt_uid_eq
1082  Case token == Opt_euid_eq
1083  uid_token = token == Opt_uid_eq || token == Opt_uid_gt || token == Opt_uid_lt
1087  ima_log_string_op(ab, uid_token ? "uid" : "euid", from, uid_op)
1090  If uid_valid(uid) Then
1091  result = -EINVAL
1092  Break
1095  result = kstrtoul - convert a string to an unsigned long*@s: The start of the string. The string must be null-terminated, and may also* include a single newline before its terminating null. The first character* may also be a plus sign, but not a minus sign.
1096  If Not result Then
1097  uid = make_kuid - Map a user-namespace uid pair into a kuid
1099  If Not uid_valid(uid) || lnum != lnum Then result = -EINVAL
1102  Else flags |= If uid_token Then IMA_UID Else IMA_EUID
1106  Break
1107  Case token == Opt_fowner_gt
1108  fowner_op = uid_gt
1110  Case token == Opt_fowner_lt
1111  If token == Opt_fowner_lt Then fowner_op = uid_lt
1114  Case token == Opt_fowner_eq
1115  ima_log_string_op(ab, "fowner", from, fowner_op)
1118  If uid_valid(fowner) Then
1119  result = -EINVAL
1120  Break
1123  result = kstrtoul - convert a string to an unsigned long*@s: The start of the string. The string must be null-terminated, and may also* include a single newline before its terminating null. The first character* may also be a plus sign, but not a minus sign.
1124  If Not result Then
1131  Break
1132  Case token == Opt_obj_user
1133  ima_log_string(ab, "obj_user", from)
1134  result = ima_lsm_rule_init(entry, args, LSM_OBJ_USER, AUDIT_OBJ_USER)
1137  Break
1138  Case token == Opt_obj_role
1139  ima_log_string(ab, "obj_role", from)
1140  result = ima_lsm_rule_init(entry, args, LSM_OBJ_ROLE, AUDIT_OBJ_ROLE)
1143  Break
1144  Case token == Opt_obj_type
1145  ima_log_string(ab, "obj_type", from)
1146  result = ima_lsm_rule_init(entry, args, LSM_OBJ_TYPE, AUDIT_OBJ_TYPE)
1149  Break
1150  Case token == Opt_subj_user
1151  ima_log_string(ab, "subj_user", from)
1152  result = ima_lsm_rule_init(entry, args, LSM_SUBJ_USER, security label user )
1155  Break
1156  Case token == Opt_subj_role
1157  ima_log_string(ab, "subj_role", from)
1158  result = ima_lsm_rule_init(entry, args, LSM_SUBJ_ROLE, security label role )
1161  Break
1162  Case token == Opt_subj_type
1163  ima_log_string(ab, "subj_type", from)
1164  result = ima_lsm_rule_init(entry, args, LSM_SUBJ_TYPE, security label type )
1167  Break
1168  Case token == Opt_appraise_type
1169  If action != same as IMA_APPRAISE Then
1170  result = -EINVAL
1171  Break
1174  ima_log_string(ab, "appraise_type", from)
1175  If strcmp(from, "imasig") == 0 Then flags |= IMA_DIGSIG_REQUIRED
1177  Else if ima_hook_supports_modsig(func) && strcmp(from, "imasig|modsig") == 0 Then flags |= IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED
1181  Else result = -EINVAL
1183  Break
1184  Case token == Opt_appraise_flag
1185  ima_log_string(ab, "appraise_flag", from)
1186  If strstr - Find the first substring in a %NUL terminated string*@s1: The string to be searched*@s2: The string to search for Then flags |= IMA_CHECK_BLACKLIST
1188  Break
1189  Case token == Opt_permit_directio
1190  flags |= IMA_PERMIT_DIRECTIO
1191  Break
1192  Case token == Opt_pcr
1193  If action != same as IMA_MEASURE Then
1194  result = -EINVAL
1195  Break
1197  ima_log_string(ab, "pcr", from)
1199  result = kstrtoint - convert a string to an int*@s: The start of the string. The string must be null-terminated, and may also* include a single newline before its terminating null. The first character* may also be a plus sign or a minus sign.
1200  If result || INVALID_PCR( uid_eq(), uid_gt(), uid_lt() ) Then result = -EINVAL
1202  Else flags |= IMA_PCR
1205  Break
1206  Case token == Opt_template
1207  ima_log_string(ab, "template", from)
1208  If action != same as IMA_MEASURE Then
1209  result = -EINVAL
1210  Break
1212  template_desc = lookup_template_desc(from)
1213  If Not template_desc || template Then
1214  result = -EINVAL
1215  Break
1223  template_desc_init_fields(fmt, & (fields), & (num_fields))
1226  template = template_desc
1227  Break
1228  Case token == Opt_err
1229  ima_log_string(ab, "UNKNOWN", p)
1230  result = -EINVAL
1231  Break
1234  If Not result && action == UNKNOWN Then result = -EINVAL
1236  Else if action == same as IMA_APPRAISE Then temp_ima_appraise |= ima_appraise_flag(func)
1239  If Not result && flags & IMA_MODSIG_ALLOWED Then
1240  template_desc = If template Then template Else ima_template_desc_current()
1242  Validating the appended signature included in the measurement list requires* the file hash calculated without the appended signature (i.e., the 'd-modsig'* field). Therefore, notify the user if they have the 'modsig' field but not
1245  audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.
1246  audit_log_end - end one audit record*@ab: the audit_buffer* We can not do a netlink send inside an irq context because it blocks (last* arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a* queue and a tasklet is scheduled to remove
1247  Return result
Caller
NameDescribe
ima_init_arch_policy
ima_parse_add_rulema_parse_add_rule - add a rule to ima_policy_rules*@rule - ima measurement policy rule* Avoid locking by allowing just one writer at a time in ima_write_policy()* Returns the length of the rule parsed, an error code on failure