Commit | Line | Data |
---|---|---|
b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
3323eec9 | 2 | /* |
4f83d5ea PG |
3 | * Integrity Measurement Architecture |
4 | * | |
3323eec9 MZ |
5 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation |
6 | * | |
7 | * Authors: | |
8 | * Reiner Sailer <sailer@watson.ibm.com> | |
9 | * Serge Hallyn <serue@us.ibm.com> | |
10 | * Kylene Hall <kylene@us.ibm.com> | |
11 | * Mimi Zohar <zohar@us.ibm.com> | |
12 | * | |
3323eec9 | 13 | * File: ima_main.c |
e0d5bd2a | 14 | * implements the IMA hooks: ima_bprm_check, ima_file_mmap, |
9bbb6cad | 15 | * and ima_file_check. |
3323eec9 | 16 | */ |
ab60368a | 17 | |
b49d5643 | 18 | #include <linux/module.h> |
3323eec9 MZ |
19 | #include <linux/file.h> |
20 | #include <linux/binfmts.h> | |
21 | #include <linux/mount.h> | |
22 | #include <linux/mman.h> | |
5a0e3ad6 | 23 | #include <linux/slab.h> |
2fe5d6de | 24 | #include <linux/xattr.h> |
d5813a57 | 25 | #include <linux/ima.h> |
3b370b21 | 26 | #include <linux/iversion.h> |
d77ccdc6 | 27 | #include <linux/fs.h> |
3323eec9 MZ |
28 | |
29 | #include "ima.h" | |
30 | ||
2fe5d6de MZ |
31 | #ifdef CONFIG_IMA_APPRAISE |
32 | int ima_appraise = IMA_APPRAISE_ENFORCE; | |
33 | #else | |
34 | int ima_appraise; | |
35 | #endif | |
36 | ||
c7c8bb23 | 37 | int ima_hash_algo = HASH_ALGO_SHA1; |
e7a2ad7e | 38 | static int hash_setup_done; |
c7c8bb23 | 39 | |
b1694245 JK |
40 | static struct notifier_block ima_lsm_policy_notifier = { |
41 | .notifier_call = ima_lsm_policy_change, | |
42 | }; | |
43 | ||
3323eec9 MZ |
44 | static int __init hash_setup(char *str) |
45 | { | |
e7a2ad7e MZ |
46 | struct ima_template_desc *template_desc = ima_template_desc_current(); |
47 | int i; | |
48 | ||
49 | if (hash_setup_done) | |
50 | return 1; | |
51 | ||
52 | if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { | |
53 | if (strncmp(str, "sha1", 4) == 0) | |
54 | ima_hash_algo = HASH_ALGO_SHA1; | |
55 | else if (strncmp(str, "md5", 3) == 0) | |
56 | ima_hash_algo = HASH_ALGO_MD5; | |
ebe7c0a7 BW |
57 | else |
58 | return 1; | |
e7a2ad7e MZ |
59 | goto out; |
60 | } | |
61 | ||
b4df8608 YX |
62 | i = match_string(hash_algo_name, HASH_ALGO__LAST, str); |
63 | if (i < 0) | |
ebe7c0a7 | 64 | return 1; |
b4df8608 YX |
65 | |
66 | ima_hash_algo = i; | |
e7a2ad7e MZ |
67 | out: |
68 | hash_setup_done = 1; | |
3323eec9 MZ |
69 | return 1; |
70 | } | |
71 | __setup("ima_hash=", hash_setup); | |
72 | ||
2cd4737b MZ |
73 | /* Prevent mmap'ing a file execute that is already mmap'ed write */ |
74 | static int mmap_violation_check(enum ima_hooks func, struct file *file, | |
75 | char **pathbuf, const char **pathname, | |
76 | char *filename) | |
77 | { | |
78 | struct inode *inode; | |
79 | int rc = 0; | |
80 | ||
81 | if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) { | |
82 | rc = -ETXTBSY; | |
83 | inode = file_inode(file); | |
84 | ||
85 | if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */ | |
86 | *pathname = ima_d_path(&file->f_path, pathbuf, | |
87 | filename); | |
88 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, *pathname, | |
89 | "mmap_file", "mmapped_writers", rc, 0); | |
90 | } | |
91 | return rc; | |
92 | } | |
93 | ||
8eb988c7 | 94 | /* |
890275b5 | 95 | * ima_rdwr_violation_check |
8eb988c7 | 96 | * |
890275b5 | 97 | * Only invalidate the PCR for measured files: |
2bb930ab | 98 | * - Opening a file for write when already open for read, |
8eb988c7 MZ |
99 | * results in a time of measure, time of use (ToMToU) error. |
100 | * - Opening a file for read when already open for write, | |
2bb930ab | 101 | * could result in a file measurement error. |
8eb988c7 MZ |
102 | * |
103 | */ | |
f7a859ff RS |
104 | static void ima_rdwr_violation_check(struct file *file, |
105 | struct integrity_iint_cache *iint, | |
1b68bdf9 | 106 | int must_measure, |
f7a859ff | 107 | char **pathbuf, |
4e8581ee RS |
108 | const char **pathname, |
109 | char *filename) | |
8eb988c7 | 110 | { |
c77cecee | 111 | struct inode *inode = file_inode(file); |
8eb988c7 | 112 | fmode_t mode = file->f_mode; |
ad16ad00 | 113 | bool send_tomtou = false, send_writers = false; |
a178d202 | 114 | |
8eb988c7 | 115 | if (mode & FMODE_WRITE) { |
14503eb9 | 116 | if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { |
f7a859ff RS |
117 | if (!iint) |
118 | iint = integrity_iint_find(inode); | |
14503eb9 | 119 | /* IMA_MEASURE is set from reader side */ |
0d73a552 DK |
120 | if (iint && test_bit(IMA_MUST_MEASURE, |
121 | &iint->atomic_flags)) | |
14503eb9 DK |
122 | send_tomtou = true; |
123 | } | |
b882fae2 | 124 | } else { |
0d73a552 DK |
125 | if (must_measure) |
126 | set_bit(IMA_MUST_MEASURE, &iint->atomic_flags); | |
eed9de3b | 127 | if (inode_is_open_for_write(inode) && must_measure) |
b882fae2 | 128 | send_writers = true; |
8eb988c7 | 129 | } |
ad16ad00 | 130 | |
08e1b76a MZ |
131 | if (!send_tomtou && !send_writers) |
132 | return; | |
133 | ||
bc15ed66 | 134 | *pathname = ima_d_path(&file->f_path, pathbuf, filename); |
ea1046d4 | 135 | |
ad16ad00 | 136 | if (send_tomtou) |
8d94eb9b RS |
137 | ima_add_violation(file, *pathname, iint, |
138 | "invalid_pcr", "ToMToU"); | |
ad16ad00 | 139 | if (send_writers) |
8d94eb9b | 140 | ima_add_violation(file, *pathname, iint, |
08e1b76a | 141 | "invalid_pcr", "open_writers"); |
8eb988c7 MZ |
142 | } |
143 | ||
f381c272 | 144 | static void ima_check_last_writer(struct integrity_iint_cache *iint, |
2fe5d6de | 145 | struct inode *inode, struct file *file) |
bc7d2a3e | 146 | { |
4b2a2c67 | 147 | fmode_t mode = file->f_mode; |
0d73a552 | 148 | bool update; |
bc7d2a3e | 149 | |
2fe5d6de MZ |
150 | if (!(mode & FMODE_WRITE)) |
151 | return; | |
152 | ||
0d73a552 | 153 | mutex_lock(&iint->mutex); |
b151d6b0 | 154 | if (atomic_read(&inode->i_writecount) == 1) { |
0d73a552 DK |
155 | update = test_and_clear_bit(IMA_UPDATE_XATTR, |
156 | &iint->atomic_flags); | |
ac0bf025 | 157 | if (!IS_I_VERSION(inode) || |
c472c07b | 158 | !inode_eq_iversion(inode, iint->version) || |
b151d6b0 DK |
159 | (iint->flags & IMA_NEW_FILE)) { |
160 | iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); | |
a422638d | 161 | iint->measured_pcrs = 0; |
0d73a552 | 162 | if (update) |
b151d6b0 DK |
163 | ima_update_xattr(iint, file); |
164 | } | |
2fe5d6de | 165 | } |
0d73a552 | 166 | mutex_unlock(&iint->mutex); |
bc7d2a3e EP |
167 | } |
168 | ||
3323eec9 MZ |
169 | /** |
170 | * ima_file_free - called on __fput() | |
171 | * @file: pointer to file structure being freed | |
172 | * | |
890275b5 | 173 | * Flag files that changed, based on i_version |
3323eec9 MZ |
174 | */ |
175 | void ima_file_free(struct file *file) | |
176 | { | |
496ad9aa | 177 | struct inode *inode = file_inode(file); |
f381c272 | 178 | struct integrity_iint_cache *iint; |
3323eec9 | 179 | |
0f34a006 | 180 | if (!ima_policy_flag || !S_ISREG(inode->i_mode)) |
3323eec9 | 181 | return; |
196f5181 | 182 | |
f381c272 | 183 | iint = integrity_iint_find(inode); |
854fdd55 MZ |
184 | if (!iint) |
185 | return; | |
3323eec9 | 186 | |
854fdd55 | 187 | ima_check_last_writer(iint, inode, file); |
3323eec9 MZ |
188 | } |
189 | ||
d906c10d MG |
190 | static int process_measurement(struct file *file, const struct cred *cred, |
191 | u32 secid, char *buf, loff_t size, int mask, | |
6035a27b | 192 | enum ima_hooks func) |
3323eec9 | 193 | { |
496ad9aa | 194 | struct inode *inode = file_inode(file); |
f7a859ff | 195 | struct integrity_iint_cache *iint = NULL; |
19453ce0 | 196 | struct ima_template_desc *template_desc = NULL; |
ea1046d4 | 197 | char *pathbuf = NULL; |
bc15ed66 | 198 | char filename[NAME_MAX]; |
ea1046d4 | 199 | const char *pathname = NULL; |
0d73a552 | 200 | int rc = 0, action, must_appraise = 0; |
725de7fa | 201 | int pcr = CONFIG_IMA_MEASURE_PCR_IDX; |
1525b06d | 202 | struct evm_ima_xattr_data *xattr_value = NULL; |
39b07096 | 203 | struct modsig *modsig = NULL; |
d3634d0f | 204 | int xattr_len = 0; |
f7a859ff | 205 | bool violation_check; |
1525b06d | 206 | enum hash_algo hash_algo; |
3323eec9 | 207 | |
a756024e | 208 | if (!ima_policy_flag || !S_ISREG(inode->i_mode)) |
3323eec9 | 209 | return 0; |
bc7d2a3e | 210 | |
d79d72e0 MZ |
211 | /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action |
212 | * bitmask based on the appraise/audit/measurement policy. | |
213 | * Included is the appraise submask. | |
214 | */ | |
19453ce0 | 215 | action = ima_get_action(inode, cred, secid, mask, func, &pcr, |
e9085e0a | 216 | &template_desc, NULL); |
4ad87a3d | 217 | violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && |
f7a859ff RS |
218 | (ima_policy_flag & IMA_MEASURE)); |
219 | if (!action && !violation_check) | |
2fe5d6de MZ |
220 | return 0; |
221 | ||
2fe5d6de | 222 | must_appraise = action & IMA_APPRAISE; |
bc7d2a3e | 223 | |
5a73fcfa | 224 | /* Is the appraise rule hook specific? */ |
3a8a2ead | 225 | if (action & IMA_FILE_APPRAISE) |
4ad87a3d | 226 | func = FILE_CHECK; |
5a73fcfa | 227 | |
5955102c | 228 | inode_lock(inode); |
2fe5d6de | 229 | |
f7a859ff RS |
230 | if (action) { |
231 | iint = integrity_inode_get(inode); | |
232 | if (!iint) | |
0d73a552 | 233 | rc = -ENOMEM; |
f7a859ff RS |
234 | } |
235 | ||
0d73a552 | 236 | if (!rc && violation_check) |
1b68bdf9 | 237 | ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, |
4e8581ee | 238 | &pathbuf, &pathname, filename); |
0d73a552 DK |
239 | |
240 | inode_unlock(inode); | |
241 | ||
242 | if (rc) | |
243 | goto out; | |
244 | if (!action) | |
245 | goto out; | |
246 | ||
247 | mutex_lock(&iint->mutex); | |
248 | ||
249 | if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags)) | |
250 | /* reset appraisal flags if ima_inode_post_setattr was called */ | |
251 | iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | | |
252 | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | | |
253 | IMA_ACTION_FLAGS); | |
254 | ||
d77ccdc6 MZ |
255 | /* |
256 | * Re-evaulate the file if either the xattr has changed or the | |
257 | * kernel has no way of detecting file change on the filesystem. | |
258 | * (Limited to privileged mounted filesystems.) | |
259 | */ | |
260 | if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) || | |
261 | ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && | |
9e67028e MZ |
262 | !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) && |
263 | !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) { | |
0d73a552 | 264 | iint->flags &= ~IMA_DONE_MASK; |
d77ccdc6 MZ |
265 | iint->measured_pcrs = 0; |
266 | } | |
bf2276d1 | 267 | |
2fe5d6de | 268 | /* Determine if already appraised/measured based on bitmask |
d79d72e0 MZ |
269 | * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, |
270 | * IMA_AUDIT, IMA_AUDITED) | |
271 | */ | |
2fe5d6de | 272 | iint->flags |= action; |
0e5a247c | 273 | action &= IMA_DO_MASK; |
a422638d ER |
274 | action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1); |
275 | ||
276 | /* If target pcr is already measured, unset IMA_MEASURE action */ | |
277 | if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr))) | |
278 | action ^= IMA_MEASURE; | |
2fe5d6de | 279 | |
da1b0029 MZ |
280 | /* HASH sets the digital signature and update flags, nothing else */ |
281 | if ((action & IMA_HASH) && | |
282 | !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) { | |
283 | xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); | |
284 | if ((xattr_value && xattr_len > 2) && | |
285 | (xattr_value->type == EVM_IMA_XATTR_DIGSIG)) | |
286 | set_bit(IMA_DIGSIG, &iint->atomic_flags); | |
287 | iint->flags |= IMA_HASHED; | |
288 | action ^= IMA_HASH; | |
289 | set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); | |
290 | } | |
291 | ||
2fe5d6de MZ |
292 | /* Nothing to do, just return existing appraised status */ |
293 | if (!action) { | |
2cd4737b MZ |
294 | if (must_appraise) { |
295 | rc = mmap_violation_check(func, file, &pathbuf, | |
296 | &pathname, filename); | |
297 | if (!rc) | |
298 | rc = ima_get_cache_status(iint, func); | |
299 | } | |
0d73a552 | 300 | goto out_locked; |
2fe5d6de | 301 | } |
3323eec9 | 302 | |
f68c05f4 | 303 | if ((action & IMA_APPRAISE_SUBMASK) || |
39b07096 | 304 | strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) { |
1525b06d | 305 | /* read 'security.ima' */ |
e71b9dff | 306 | xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); |
d3634d0f | 307 | |
e5092255 TJB |
308 | /* |
309 | * Read the appended modsig if allowed by the policy, and allow | |
310 | * an additional measurement list entry, if needed, based on the | |
311 | * template format and whether the file was already measured. | |
312 | */ | |
313 | if (iint->flags & IMA_MODSIG_ALLOWED) { | |
314 | rc = ima_read_modsig(func, buf, size, &modsig); | |
315 | ||
316 | if (!rc && ima_template_has_modsig(template_desc) && | |
317 | iint->flags & IMA_MEASURED) | |
318 | action |= IMA_MEASURE; | |
319 | } | |
39b07096 TJB |
320 | } |
321 | ||
1525b06d DK |
322 | hash_algo = ima_get_hash_algo(xattr_value, xattr_len); |
323 | ||
15588227 | 324 | rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig); |
f3cc6b25 | 325 | if (rc != 0 && rc != -EBADF && rc != -EINVAL) |
0d73a552 | 326 | goto out_locked; |
08e1b76a | 327 | |
bc15ed66 MZ |
328 | if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ |
329 | pathname = ima_d_path(&file->f_path, &pathbuf, filename); | |
08e1b76a | 330 | |
2fe5d6de | 331 | if (action & IMA_MEASURE) |
bcbc9b0c | 332 | ima_store_measurement(iint, file, pathname, |
3878d505 | 333 | xattr_value, xattr_len, modsig, pcr, |
19453ce0 | 334 | template_desc); |
0d73a552 | 335 | if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { |
273df864 NJ |
336 | rc = ima_check_blacklist(iint, modsig, pcr); |
337 | if (rc != -EPERM) { | |
338 | inode_lock(inode); | |
339 | rc = ima_appraise_measurement(func, iint, file, | |
340 | pathname, xattr_value, | |
341 | xattr_len, modsig); | |
342 | inode_unlock(inode); | |
343 | } | |
2cd4737b MZ |
344 | if (!rc) |
345 | rc = mmap_violation_check(func, file, &pathbuf, | |
346 | &pathname, filename); | |
0d73a552 | 347 | } |
e7c568e0 | 348 | if (action & IMA_AUDIT) |
ea1046d4 | 349 | ima_audit_measurement(iint, pathname); |
f7a859ff | 350 | |
f3cc6b25 MZ |
351 | if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO)) |
352 | rc = 0; | |
0d73a552 DK |
353 | out_locked: |
354 | if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) && | |
05d1a717 | 355 | !(iint->flags & IMA_NEW_FILE)) |
a175b8bb | 356 | rc = -EACCES; |
0d73a552 | 357 | mutex_unlock(&iint->mutex); |
f7a859ff | 358 | kfree(xattr_value); |
39b07096 | 359 | ima_free_modsig(modsig); |
0d73a552 | 360 | out: |
456f5fd3 DK |
361 | if (pathbuf) |
362 | __putname(pathbuf); | |
0d73a552 DK |
363 | if (must_appraise) { |
364 | if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE)) | |
365 | return -EACCES; | |
366 | if (file->f_mode & FMODE_WRITE) | |
367 | set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); | |
368 | } | |
750943a3 | 369 | return 0; |
3323eec9 MZ |
370 | } |
371 | ||
372 | /** | |
373 | * ima_file_mmap - based on policy, collect/store measurement. | |
374 | * @file: pointer to the file to be measured (May be NULL) | |
375 | * @prot: contains the protection that will be applied by the kernel. | |
376 | * | |
377 | * Measure files being mmapped executable based on the ima_must_measure() | |
378 | * policy decision. | |
379 | * | |
750943a3 DK |
380 | * On success return 0. On integrity appraisal error, assuming the file |
381 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. | |
3323eec9 MZ |
382 | */ |
383 | int ima_file_mmap(struct file *file, unsigned long prot) | |
384 | { | |
d906c10d MG |
385 | u32 secid; |
386 | ||
387 | if (file && (prot & PROT_EXEC)) { | |
388 | security_task_getsecid(current, &secid); | |
389 | return process_measurement(file, current_cred(), secid, NULL, | |
6035a27b | 390 | 0, MAY_EXEC, MMAP_CHECK); |
d906c10d MG |
391 | } |
392 | ||
750943a3 | 393 | return 0; |
3323eec9 MZ |
394 | } |
395 | ||
8eb613c0 MZ |
396 | /** |
397 | * ima_file_mprotect - based on policy, limit mprotect change | |
398 | * @prot: contains the protection that will be applied by the kernel. | |
399 | * | |
400 | * Files can be mmap'ed read/write and later changed to execute to circumvent | |
401 | * IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore | |
402 | * would be taken before i_mutex), files can not be measured or appraised at | |
403 | * this point. Eliminate this integrity gap by denying the mprotect | |
404 | * PROT_EXECUTE change, if an mmap appraise policy rule exists. | |
405 | * | |
406 | * On mprotect change success, return 0. On failure, return -EACESS. | |
407 | */ | |
408 | int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) | |
409 | { | |
410 | struct ima_template_desc *template; | |
411 | struct file *file = vma->vm_file; | |
412 | char filename[NAME_MAX]; | |
413 | char *pathbuf = NULL; | |
414 | const char *pathname = NULL; | |
415 | struct inode *inode; | |
416 | int result = 0; | |
417 | int action; | |
418 | u32 secid; | |
419 | int pcr; | |
420 | ||
421 | /* Is mprotect making an mmap'ed file executable? */ | |
4235b1a4 MZ |
422 | if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file || |
423 | !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) | |
8eb613c0 MZ |
424 | return 0; |
425 | ||
426 | security_task_getsecid(current, &secid); | |
427 | inode = file_inode(vma->vm_file); | |
428 | action = ima_get_action(inode, current_cred(), secid, MAY_EXEC, | |
429 | MMAP_CHECK, &pcr, &template, 0); | |
430 | ||
431 | /* Is the mmap'ed file in policy? */ | |
432 | if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) | |
433 | return 0; | |
434 | ||
435 | if (action & IMA_APPRAISE_SUBMASK) | |
436 | result = -EPERM; | |
437 | ||
438 | file = vma->vm_file; | |
439 | pathname = ima_d_path(&file->f_path, &pathbuf, filename); | |
440 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, pathname, | |
441 | "collect_data", "failed-mprotect", result, 0); | |
442 | if (pathbuf) | |
443 | __putname(pathbuf); | |
444 | ||
445 | return result; | |
446 | } | |
447 | ||
3323eec9 MZ |
448 | /** |
449 | * ima_bprm_check - based on policy, collect/store measurement. | |
450 | * @bprm: contains the linux_binprm structure | |
451 | * | |
452 | * The OS protects against an executable file, already open for write, | |
453 | * from being executed in deny_write_access() and an executable file, | |
454 | * already open for execute, from being modified in get_write_access(). | |
455 | * So we can be certain that what we verify and measure here is actually | |
456 | * what is being executed. | |
457 | * | |
750943a3 DK |
458 | * On success return 0. On integrity appraisal error, assuming the file |
459 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. | |
3323eec9 MZ |
460 | */ |
461 | int ima_bprm_check(struct linux_binprm *bprm) | |
462 | { | |
d906c10d MG |
463 | int ret; |
464 | u32 secid; | |
465 | ||
466 | security_task_getsecid(current, &secid); | |
467 | ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, | |
6035a27b | 468 | MAY_EXEC, BPRM_CHECK); |
d906c10d MG |
469 | if (ret) |
470 | return ret; | |
471 | ||
472 | security_cred_getsecid(bprm->cred, &secid); | |
473 | return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, | |
6035a27b | 474 | MAY_EXEC, CREDS_CHECK); |
3323eec9 MZ |
475 | } |
476 | ||
8eb988c7 MZ |
477 | /** |
478 | * ima_path_check - based on policy, collect/store measurement. | |
479 | * @file: pointer to the file to be measured | |
20f482ab | 480 | * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND |
8eb988c7 MZ |
481 | * |
482 | * Measure files based on the ima_must_measure() policy decision. | |
483 | * | |
750943a3 DK |
484 | * On success return 0. On integrity appraisal error, assuming the file |
485 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. | |
8eb988c7 | 486 | */ |
6035a27b | 487 | int ima_file_check(struct file *file, int mask) |
8eb988c7 | 488 | { |
d906c10d MG |
489 | u32 secid; |
490 | ||
491 | security_task_getsecid(current, &secid); | |
492 | return process_measurement(file, current_cred(), secid, NULL, 0, | |
20f482ab | 493 | mask & (MAY_READ | MAY_WRITE | MAY_EXEC | |
6035a27b | 494 | MAY_APPEND), FILE_CHECK); |
8eb988c7 | 495 | } |
9bbb6cad | 496 | EXPORT_SYMBOL_GPL(ima_file_check); |
8eb988c7 | 497 | |
6beea7af FR |
498 | /** |
499 | * ima_file_hash - return the stored measurement if a file has been hashed and | |
500 | * is in the iint cache. | |
501 | * @file: pointer to the file | |
502 | * @buf: buffer in which to store the hash | |
503 | * @buf_size: length of the buffer | |
504 | * | |
505 | * On success, return the hash algorithm (as defined in the enum hash_algo). | |
506 | * If buf is not NULL, this function also outputs the hash into buf. | |
507 | * If the hash is larger than buf_size, then only buf_size bytes will be copied. | |
508 | * It generally just makes sense to pass a buffer capable of holding the largest | |
509 | * possible hash: IMA_MAX_DIGEST_SIZE. | |
510 | * The file hash returned is based on the entire file, including the appended | |
511 | * signature. | |
512 | * | |
513 | * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP. | |
514 | * If the parameters are incorrect, return -EINVAL. | |
515 | */ | |
516 | int ima_file_hash(struct file *file, char *buf, size_t buf_size) | |
517 | { | |
518 | struct inode *inode; | |
519 | struct integrity_iint_cache *iint; | |
520 | int hash_algo; | |
521 | ||
522 | if (!file) | |
523 | return -EINVAL; | |
524 | ||
525 | if (!ima_policy_flag) | |
526 | return -EOPNOTSUPP; | |
527 | ||
528 | inode = file_inode(file); | |
529 | iint = integrity_iint_find(inode); | |
530 | if (!iint) | |
531 | return -EOPNOTSUPP; | |
532 | ||
533 | mutex_lock(&iint->mutex); | |
534 | if (buf) { | |
535 | size_t copied_size; | |
536 | ||
537 | copied_size = min_t(size_t, iint->ima_hash->length, buf_size); | |
538 | memcpy(buf, iint->ima_hash->digest, copied_size); | |
539 | } | |
540 | hash_algo = iint->ima_hash->algo; | |
541 | mutex_unlock(&iint->mutex); | |
542 | ||
543 | return hash_algo; | |
544 | } | |
545 | EXPORT_SYMBOL_GPL(ima_file_hash); | |
546 | ||
fdb2410f MZ |
547 | /** |
548 | * ima_post_create_tmpfile - mark newly created tmpfile as new | |
549 | * @file : newly created tmpfile | |
550 | * | |
551 | * No measuring, appraising or auditing of newly created tmpfiles is needed. | |
552 | * Skip calling process_measurement(), but indicate which newly, created | |
553 | * tmpfiles are in policy. | |
554 | */ | |
555 | void ima_post_create_tmpfile(struct inode *inode) | |
556 | { | |
557 | struct integrity_iint_cache *iint; | |
558 | int must_appraise; | |
559 | ||
560 | must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); | |
561 | if (!must_appraise) | |
562 | return; | |
563 | ||
564 | /* Nothing to do if we can't allocate memory */ | |
565 | iint = integrity_inode_get(inode); | |
566 | if (!iint) | |
567 | return; | |
568 | ||
569 | /* needed for writing the security xattrs */ | |
570 | set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); | |
571 | iint->ima_file_status = INTEGRITY_PASS; | |
572 | } | |
573 | ||
05d1a717 MZ |
574 | /** |
575 | * ima_post_path_mknod - mark as a new inode | |
576 | * @dentry: newly created dentry | |
577 | * | |
578 | * Mark files created via the mknodat syscall as new, so that the | |
579 | * file data can be written later. | |
580 | */ | |
581 | void ima_post_path_mknod(struct dentry *dentry) | |
582 | { | |
583 | struct integrity_iint_cache *iint; | |
584 | struct inode *inode = dentry->d_inode; | |
585 | int must_appraise; | |
586 | ||
587 | must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); | |
588 | if (!must_appraise) | |
589 | return; | |
590 | ||
fdb2410f | 591 | /* Nothing to do if we can't allocate memory */ |
05d1a717 | 592 | iint = integrity_inode_get(inode); |
fdb2410f MZ |
593 | if (!iint) |
594 | return; | |
595 | ||
596 | /* needed for re-opening empty files */ | |
597 | iint->flags |= IMA_NEW_FILE; | |
05d1a717 MZ |
598 | } |
599 | ||
39eeb4fb MZ |
600 | /** |
601 | * ima_read_file - pre-measure/appraise hook decision based on policy | |
602 | * @file: pointer to the file to be measured/appraised/audit | |
603 | * @read_id: caller identifier | |
604 | * | |
605 | * Permit reading a file based on policy. The policy rules are written | |
606 | * in terms of the policy identifier. Appraising the integrity of | |
607 | * a file requires a file descriptor. | |
608 | * | |
609 | * For permission return 0, otherwise return -EACCES. | |
610 | */ | |
611 | int ima_read_file(struct file *file, enum kernel_read_file_id read_id) | |
612 | { | |
4f0496d8 MZ |
613 | /* |
614 | * READING_FIRMWARE_PREALLOC_BUFFER | |
615 | * | |
616 | * Do devices using pre-allocated memory run the risk of the | |
617 | * firmware being accessible to the device prior to the completion | |
618 | * of IMA's signature verification any more than when using two | |
619 | * buffers? | |
620 | */ | |
39eeb4fb MZ |
621 | return 0; |
622 | } | |
623 | ||
29d3c1c8 | 624 | const int read_idmap[READING_MAX_ID] = { |
d9ddf077 | 625 | [READING_FIRMWARE] = FIRMWARE_CHECK, |
fd90bc55 | 626 | [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, |
d9ddf077 MZ |
627 | [READING_MODULE] = MODULE_CHECK, |
628 | [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, | |
629 | [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, | |
19f8a847 | 630 | [READING_POLICY] = POLICY_CHECK |
d9ddf077 MZ |
631 | }; |
632 | ||
cf222217 MZ |
633 | /** |
634 | * ima_post_read_file - in memory collect/appraise/audit measurement | |
635 | * @file: pointer to the file to be measured/appraised/audit | |
636 | * @buf: pointer to in memory file contents | |
637 | * @size: size of in memory file contents | |
638 | * @read_id: caller identifier | |
639 | * | |
640 | * Measure/appraise/audit in memory file based on policy. Policy rules | |
641 | * are written in terms of a policy identifier. | |
642 | * | |
643 | * On success return 0. On integrity appraisal error, assuming the file | |
644 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. | |
645 | */ | |
646 | int ima_post_read_file(struct file *file, void *buf, loff_t size, | |
647 | enum kernel_read_file_id read_id) | |
648 | { | |
d9ddf077 | 649 | enum ima_hooks func; |
d906c10d | 650 | u32 secid; |
cf222217 | 651 | |
e40ba6d5 MZ |
652 | if (!file && read_id == READING_FIRMWARE) { |
653 | if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && | |
fed2512a MZ |
654 | (ima_appraise & IMA_APPRAISE_ENFORCE)) { |
655 | pr_err("Prevent firmware loading_store.\n"); | |
e40ba6d5 | 656 | return -EACCES; /* INTEGRITY_UNKNOWN */ |
fed2512a | 657 | } |
e40ba6d5 MZ |
658 | return 0; |
659 | } | |
660 | ||
a7d3d039 CH |
661 | /* permit signed certs */ |
662 | if (!file && read_id == READING_X509_CERTIFICATE) | |
663 | return 0; | |
664 | ||
cf222217 MZ |
665 | if (!file || !buf || size == 0) { /* should never happen */ |
666 | if (ima_appraise & IMA_APPRAISE_ENFORCE) | |
667 | return -EACCES; | |
668 | return 0; | |
669 | } | |
670 | ||
d9ddf077 | 671 | func = read_idmap[read_id] ?: FILE_CHECK; |
d906c10d MG |
672 | security_task_getsecid(current, &secid); |
673 | return process_measurement(file, current_cred(), secid, buf, size, | |
6035a27b | 674 | MAY_READ, func); |
5a9196d7 MZ |
675 | } |
676 | ||
16c267aa MZ |
677 | /** |
678 | * ima_load_data - appraise decision based on policy | |
679 | * @id: kernel load data caller identifier | |
680 | * | |
681 | * Callers of this LSM hook can not measure, appraise, or audit the | |
682 | * data provided by userspace. Enforce policy rules requring a file | |
683 | * signature (eg. kexec'ed kernel image). | |
684 | * | |
685 | * For permission return 0, otherwise return -EACCES. | |
686 | */ | |
687 | int ima_load_data(enum kernel_load_data_id id) | |
688 | { | |
b5ca1173 | 689 | bool ima_enforce, sig_enforce; |
c77b8cdf | 690 | |
b5ca1173 NJ |
691 | ima_enforce = |
692 | (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; | |
16c267aa MZ |
693 | |
694 | switch (id) { | |
695 | case LOADING_KEXEC_IMAGE: | |
99d5cadf | 696 | if (IS_ENABLED(CONFIG_KEXEC_SIG) |
b5ca1173 NJ |
697 | && arch_ima_get_secureboot()) { |
698 | pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); | |
699 | return -EACCES; | |
700 | } | |
701 | ||
702 | if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) { | |
16c267aa MZ |
703 | pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); |
704 | return -EACCES; /* INTEGRITY_UNKNOWN */ | |
705 | } | |
fed2512a MZ |
706 | break; |
707 | case LOADING_FIRMWARE: | |
b5ca1173 | 708 | if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) { |
fed2512a MZ |
709 | pr_err("Prevent firmware sysfs fallback loading.\n"); |
710 | return -EACCES; /* INTEGRITY_UNKNOWN */ | |
711 | } | |
c77b8cdf MZ |
712 | break; |
713 | case LOADING_MODULE: | |
714 | sig_enforce = is_module_sig_enforced(); | |
715 | ||
b5ca1173 NJ |
716 | if (ima_enforce && (!sig_enforce |
717 | && (ima_appraise & IMA_APPRAISE_MODULES))) { | |
c77b8cdf MZ |
718 | pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); |
719 | return -EACCES; /* INTEGRITY_UNKNOWN */ | |
720 | } | |
16c267aa MZ |
721 | default: |
722 | break; | |
723 | } | |
724 | return 0; | |
725 | } | |
726 | ||
b0935123 PS |
727 | /* |
728 | * process_buffer_measurement - Measure the buffer to ima log. | |
729 | * @buf: pointer to the buffer that needs to be added to the log. | |
730 | * @size: size of buffer(in bytes). | |
731 | * @eventname: event name to be used for the buffer entry. | |
e14555e3 NJ |
732 | * @func: IMA hook |
733 | * @pcr: pcr to extend the measurement | |
e9085e0a | 734 | * @keyring: keyring name to determine the action to be performed |
b0935123 PS |
735 | * |
736 | * Based on policy, the buffer is measured into the ima log. | |
737 | */ | |
e14555e3 NJ |
738 | void process_buffer_measurement(const void *buf, int size, |
739 | const char *eventname, enum ima_hooks func, | |
e9085e0a | 740 | int pcr, const char *keyring) |
b0935123 PS |
741 | { |
742 | int ret = 0; | |
743 | struct ima_template_entry *entry = NULL; | |
744 | struct integrity_iint_cache iint = {}; | |
745 | struct ima_event_data event_data = {.iint = &iint, | |
86b4da8c PS |
746 | .filename = eventname, |
747 | .buf = buf, | |
748 | .buf_len = size}; | |
e14555e3 | 749 | struct ima_template_desc *template = NULL; |
b0935123 PS |
750 | struct { |
751 | struct ima_digest_data hdr; | |
752 | char digest[IMA_MAX_DIGEST_SIZE]; | |
753 | } hash = {}; | |
754 | int violation = 0; | |
b0935123 | 755 | int action = 0; |
e14555e3 | 756 | u32 secid; |
b0935123 | 757 | |
c5563bad LR |
758 | if (!ima_policy_flag) |
759 | return; | |
760 | ||
e14555e3 NJ |
761 | /* |
762 | * Both LSM hooks and auxilary based buffer measurements are | |
763 | * based on policy. To avoid code duplication, differentiate | |
764 | * between the LSM hooks and auxilary buffer measurements, | |
765 | * retrieving the policy rule information only for the LSM hook | |
766 | * buffer measurements. | |
767 | */ | |
768 | if (func) { | |
769 | security_task_getsecid(current, &secid); | |
770 | action = ima_get_action(NULL, current_cred(), secid, 0, func, | |
e9085e0a | 771 | &pcr, &template, keyring); |
e14555e3 NJ |
772 | if (!(action & IMA_MEASURE)) |
773 | return; | |
774 | } | |
775 | ||
776 | if (!pcr) | |
777 | pcr = CONFIG_IMA_MEASURE_PCR_IDX; | |
778 | ||
779 | if (!template) { | |
780 | template = lookup_template_desc("ima-buf"); | |
781 | ret = template_desc_init_fields(template->fmt, | |
782 | &(template->fields), | |
783 | &(template->num_fields)); | |
784 | if (ret < 0) { | |
785 | pr_err("template %s init failed, result: %d\n", | |
786 | (strlen(template->name) ? | |
787 | template->name : template->fmt), ret); | |
788 | return; | |
789 | } | |
790 | } | |
b0935123 PS |
791 | |
792 | iint.ima_hash = &hash.hdr; | |
793 | iint.ima_hash->algo = ima_hash_algo; | |
794 | iint.ima_hash->length = hash_digest_size[ima_hash_algo]; | |
795 | ||
796 | ret = ima_calc_buffer_hash(buf, size, iint.ima_hash); | |
797 | if (ret < 0) | |
798 | goto out; | |
799 | ||
e14555e3 | 800 | ret = ima_alloc_init_template(&event_data, &entry, template); |
b0935123 PS |
801 | if (ret < 0) |
802 | goto out; | |
803 | ||
804 | ret = ima_store_template(entry, violation, NULL, buf, pcr); | |
805 | ||
806 | if (ret < 0) | |
807 | ima_free_template_entry(entry); | |
808 | ||
809 | out: | |
72ec611c TS |
810 | if (ret < 0) |
811 | pr_devel("%s: failed, result: %d\n", __func__, ret); | |
812 | ||
b0935123 PS |
813 | return; |
814 | } | |
815 | ||
816 | /** | |
817 | * ima_kexec_cmdline - measure kexec cmdline boot args | |
818 | * @buf: pointer to buffer | |
819 | * @size: size of buffer | |
820 | * | |
821 | * Buffers can only be measured, not appraised. | |
822 | */ | |
823 | void ima_kexec_cmdline(const void *buf, int size) | |
824 | { | |
e14555e3 | 825 | if (buf && size != 0) |
b0935123 | 826 | process_buffer_measurement(buf, size, "kexec-cmdline", |
e9085e0a | 827 | KEXEC_CMDLINE, 0, NULL); |
b0935123 PS |
828 | } |
829 | ||
3323eec9 MZ |
830 | static int __init init_ima(void) |
831 | { | |
832 | int error; | |
833 | ||
3f23d624 | 834 | ima_init_template_list(); |
e7a2ad7e | 835 | hash_setup(CONFIG_IMA_DEFAULT_HASH); |
3323eec9 | 836 | error = ima_init(); |
ab60368a PV |
837 | |
838 | if (error && strcmp(hash_algo_name[ima_hash_algo], | |
839 | CONFIG_IMA_DEFAULT_HASH) != 0) { | |
840 | pr_info("Allocating %s failed, going to use default hash algorithm %s\n", | |
841 | hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); | |
842 | hash_setup_done = 0; | |
843 | hash_setup(CONFIG_IMA_DEFAULT_HASH); | |
844 | error = ima_init(); | |
845 | } | |
846 | ||
e144d6b2 RS |
847 | if (error) |
848 | return error; | |
849 | ||
b1694245 JK |
850 | error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier); |
851 | if (error) | |
852 | pr_warn("Couldn't register LSM notifier, error %d\n", error); | |
853 | ||
4ecd9934 | 854 | if (!error) |
a756024e | 855 | ima_update_policy_flag(); |
4ecd9934 | 856 | |
3323eec9 MZ |
857 | return error; |
858 | } | |
859 | ||
860 | late_initcall(init_ima); /* Start IMA after the TPM is available */ |