xref: /linux-6.3-rc2/security/integrity/ima/ima_policy.c

100 	int action;  member
148 	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
149 	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
150 	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
151 	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
152 	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
153 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
154 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
155 	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
156 	{.action = DONT_MEASURE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
157 	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
159 	{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
161 	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
162 	{.action = DONT_MEASURE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC}
166 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
168 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
170 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
173 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
174 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
178 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
180 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
182 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
185 	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
188 	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
189 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
190 	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
194 	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
195 	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
196 	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
197 	{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
198 	{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
199 	{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
200 	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
201 	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
202 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
203 	{.action = DONT_APPRAISE, .fsmagic = SMACK_MAGIC, .flags = IMA_FSMAGIC},
204 	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
205 	{.action = DONT_APPRAISE, .fsmagic = EFIVARFS_MAGIC, .flags = IMA_FSMAGIC},
206 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
207 	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
209 	{.action = APPRAISE, .func = POLICY_CHECK,
213 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid,
217 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &vfsuid_eq_kuid,
224 	{.action = APPRAISE, .func = MODULE_CHECK,
228 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
232 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
236 	{.action = APPRAISE, .func = POLICY_CHECK,
242 	{.action = APPRAISE, .func = MODULE_CHECK,
244 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
246 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
248 	{.action = APPRAISE, .func = POLICY_CHECK,
253 	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
743 	int action = 0, actmask = flags | (flags << 1);  in ima_match_policy()  local
753 		if (!(entry->action & actmask))  in ima_match_policy()
760 		action |= entry->flags & IMA_NONACTION_FLAGS;  in ima_match_policy()
762 		action |= entry->action & IMA_DO_MASK;  in ima_match_policy()
763 		if (entry->action & IMA_APPRAISE) {  in ima_match_policy()
764 			action |= get_subaction(entry, func);  in ima_match_policy()
765 			action &= ~IMA_HASH;  in ima_match_policy()
767 				action |= IMA_FAIL_UNVERIFIABLE_SIGS;  in ima_match_policy()
774 		if (entry->action & IMA_DO_MASK)  in ima_match_policy()
775 			actmask &= ~(entry->action | entry->action << 1);  in ima_match_policy()
777 			actmask &= ~(entry->action | entry->action >> 1);  in ima_match_policy()
790 	return action;  in ima_match_policy()
836 		if (entry->action & IMA_DO_MASK)  in ima_update_policy_flags()
837 			new_policy_flag |= entry->action;  in ima_update_policy_flags()
880 		if (entries[i].action == APPRAISE) {  in add_rules()
1241 	if (entry->action == UNKNOWN)  in ima_validate_rule()
1244 	if (entry->action != MEASURE && entry->flags & IMA_PCR)  in ima_validate_rule()
1247 	if (entry->action != APPRAISE &&  in ima_validate_rule()
1300 		if (entry->action & ~(MEASURE | DONT_MEASURE))  in ima_validate_rule()
1311 		if (entry->action & ~(MEASURE | DONT_MEASURE))  in ima_validate_rule()
1323 		if (entry->action & ~(MEASURE | DONT_MEASURE))  in ima_validate_rule()
1336 		if (entry->action != APPRAISE)  in ima_validate_rule()
1367 	if (entry->action == APPRAISE &&  in ima_validate_rule()
1423 	entry->action = UNKNOWN;  in ima_parse_rule()
1438 			if (entry->action != UNKNOWN)  in ima_parse_rule()
1441 			entry->action = MEASURE;  in ima_parse_rule()
1446 			if (entry->action != UNKNOWN)  in ima_parse_rule()
1449 			entry->action = DONT_MEASURE;  in ima_parse_rule()
1454 			if (entry->action != UNKNOWN)  in ima_parse_rule()
1457 			entry->action = APPRAISE;  in ima_parse_rule()
1462 			if (entry->action != UNKNOWN)  in ima_parse_rule()
1465 			entry->action = DONT_APPRAISE;  in ima_parse_rule()
1470 			if (entry->action != UNKNOWN)  in ima_parse_rule()
1473 			entry->action = AUDIT;  in ima_parse_rule()
1478 			if (entry->action != UNKNOWN)  in ima_parse_rule()
1481 			entry->action = HASH;  in ima_parse_rule()
1486 			if (entry->action != UNKNOWN)  in ima_parse_rule()
1489 			entry->action = DONT_HASH;  in ima_parse_rule()
1865 			if (entry->action != MEASURE) {  in ima_parse_rule()
1893 	else if (entry->action == APPRAISE)  in ima_parse_rule()
1903 	if (!result && entry->action == MEASURE &&  in ima_parse_rule()
2089 	if (entry->action & MEASURE)  in ima_policy_show()
2091 	if (entry->action & DONT_MEASURE)  in ima_policy_show()
2093 	if (entry->action & APPRAISE)  in ima_policy_show()
2095 	if (entry->action & DONT_APPRAISE)  in ima_policy_show()
2097 	if (entry->action & AUDIT)  in ima_policy_show()
2099 	if (entry->action & HASH)  in ima_policy_show()
2101 	if (entry->action & DONT_HASH)  in ima_policy_show()
2309 		if (entry->action != APPRAISE)  in ima_appraise_signature()

Last Index update Sun Aug 20 00:18:20 CST 2023