[linux-2.6-block.git] / security / integrity / ima / ima_main.c

/*
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Reiner Sailer <sailer@watson.ibm.com>
 * Serge Hallyn <serue@us.ibm.com>
 * Kylene Hall <kylene@us.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 * File: ima_main.c
 *	implements the IMA hooks: ima_bprm_check, ima_file_mmap,
 *	and ima_file_check.
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/module.h>
#include <linux/file.h>
#include <linux/binfmts.h>
#include <linux/mount.h>
#include <linux/mman.h>
#include <linux/slab.h>
#include <linux/xattr.h>
#include <linux/ima.h>
#include <linux/iversion.h>
#include <linux/fs.h>

#include "ima.h"

int ima_initialized;

#ifdef CONFIG_IMA_APPRAISE
int ima_appraise = IMA_APPRAISE_ENFORCE;
#else
int ima_appraise;
#endif

int ima_hash_algo = HASH_ALGO_SHA1;
static int hash_setup_done;

static int __init hash_setup(char *str)
{
	struct ima_template_desc *template_desc = ima_template_desc_current();
	int i;

	if (hash_setup_done)
		return 1;

	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
		if (strncmp(str, "sha1", 4) == 0)
			ima_hash_algo = HASH_ALGO_SHA1;
		else if (strncmp(str, "md5", 3) == 0)
			ima_hash_algo = HASH_ALGO_MD5;
		else
			return 1;
		goto out;
	}

	for (i = 0; i < HASH_ALGO__LAST; i++) {
		if (strcmp(str, hash_algo_name[i]) == 0) {
			ima_hash_algo = i;
			break;
		}
	}
	if (i == HASH_ALGO__LAST)
		return 1;
out:
	hash_setup_done = 1;
	return 1;
}
__setup("ima_hash=", hash_setup);

/*
 * ima_rdwr_violation_check
 *
 * Only invalidate the PCR for measured files:
 *	- Opening a file for write when already open for read,
 *	  results in a time of measure, time of use (ToMToU) error.
 *	- Opening a file for read when already open for write,
 *	  could result in a file measurement error.
 *
 */
static void ima_rdwr_violation_check(struct file *file,
				     struct integrity_iint_cache *iint,
				     int must_measure,
				     char **pathbuf,
				     const char **pathname,
				     char *filename)
{
	struct inode *inode = file_inode(file);
	fmode_t mode = file->f_mode;
	bool send_tomtou = false, send_writers = false;

	if (mode & FMODE_WRITE) {
		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
			if (!iint)
				iint = integrity_iint_find(inode);
			/* IMA_MEASURE is set from reader side */
			if (iint && test_bit(IMA_MUST_MEASURE,
						&iint->atomic_flags))
				send_tomtou = true;
		}
	} else {
		if (must_measure)
			set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
		if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
			send_writers = true;
	}

	if (!send_tomtou && !send_writers)
		return;

	*pathname = ima_d_path(&file->f_path, pathbuf, filename);

	if (send_tomtou)
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "ToMToU");
	if (send_writers)
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "open_writers");
}

static void ima_check_last_writer(struct integrity_iint_cache *iint,
				  struct inode *inode, struct file *file)
{
	fmode_t mode = file->f_mode;
	bool update;

	if (!(mode & FMODE_WRITE))
		return;

	mutex_lock(&iint->mutex);
	if (atomic_read(&inode->i_writecount) == 1) {
		update = test_and_clear_bit(IMA_UPDATE_XATTR,
					    &iint->atomic_flags);
		if (!IS_I_VERSION(inode) ||
		    !inode_eq_iversion(inode, iint->version) ||
		    (iint->flags & IMA_NEW_FILE)) {
			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
			iint->measured_pcrs = 0;
			if (update)
				ima_update_xattr(iint, file);
		}
	}
	mutex_unlock(&iint->mutex);
}

/**
 * ima_file_free - called on __fput()
 * @file: pointer to file structure being freed
 *
 * Flag files that changed, based on i_version
 */
void ima_file_free(struct file *file)
{
	struct inode *inode = file_inode(file);
	struct integrity_iint_cache *iint;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return;

	iint = integrity_iint_find(inode);
	if (!iint)
		return;

	ima_check_last_writer(iint, inode, file);
}

static int process_measurement(struct file *file, const struct cred *cred,
			       u32 secid, char *buf, loff_t size, int mask,
			       enum ima_hooks func, int opened)
{
	struct inode *inode = file_inode(file);
	struct integrity_iint_cache *iint = NULL;
	struct ima_template_desc *template_desc;
	char *pathbuf = NULL;
	char filename[NAME_MAX];
	const char *pathname = NULL;
	int rc = 0, action, must_appraise = 0;
	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
	struct evm_ima_xattr_data *xattr_value = NULL;
	int xattr_len = 0;
	bool violation_check;
	enum hash_algo hash_algo;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return 0;

	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
	 * bitmask based on the appraise/audit/measurement policy.
	 * Included is the appraise submask.
	 */
	action = ima_get_action(inode, cred, secid, mask, func, &pcr);
	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
			   (ima_policy_flag & IMA_MEASURE));
	if (!action && !violation_check)
		return 0;

	must_appraise = action & IMA_APPRAISE;

	/*  Is the appraise rule hook specific?  */
	if (action & IMA_FILE_APPRAISE)
		func = FILE_CHECK;

	inode_lock(inode);

	if (action) {
		iint = integrity_inode_get(inode);
		if (!iint)
			rc = -ENOMEM;
	}

	if (!rc && violation_check)
		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
					 &pathbuf, &pathname, filename);

	inode_unlock(inode);

	if (rc)
		goto out;
	if (!action)
		goto out;

	mutex_lock(&iint->mutex);

	if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
		/* reset appraisal flags if ima_inode_post_setattr was called */
		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
				 IMA_ACTION_FLAGS);

	/*
	 * Re-evaulate the file if either the xattr has changed or the
	 * kernel has no way of detecting file change on the filesystem.
	 * (Limited to privileged mounted filesystems.)
	 */
	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
	    ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
	     !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
	     !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		iint->flags &= ~IMA_DONE_MASK;
		iint->measured_pcrs = 0;
	}

	/* Determine if already appraised/measured based on bitmask
	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
	 *  IMA_AUDIT, IMA_AUDITED)
	 */
	iint->flags |= action;
	action &= IMA_DO_MASK;
	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);

	/* If target pcr is already measured, unset IMA_MEASURE action */
	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
		action ^= IMA_MEASURE;

	/* HASH sets the digital signature and update flags, nothing else */
	if ((action & IMA_HASH) &&
	    !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
		if ((xattr_value && xattr_len > 2) &&
		    (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
			set_bit(IMA_DIGSIG, &iint->atomic_flags);
		iint->flags |= IMA_HASHED;
		action ^= IMA_HASH;
		set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}

	/* Nothing to do, just return existing appraised status */
	if (!action) {
		if (must_appraise)
			rc = ima_get_cache_status(iint, func);
		goto out_locked;
	}

	template_desc = ima_template_desc_current();
	if ((action & IMA_APPRAISE_SUBMASK) ||
		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
		/* read 'security.ima' */
		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);

	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);

	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
		goto out_locked;

	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
		pathname = ima_d_path(&file->f_path, &pathbuf, filename);

	if (action & IMA_MEASURE)
		ima_store_measurement(iint, file, pathname,
				      xattr_value, xattr_len, pcr);
	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
		inode_lock(inode);
		rc = ima_appraise_measurement(func, iint, file, pathname,
					      xattr_value, xattr_len, opened);
		inode_unlock(inode);
	}
	if (action & IMA_AUDIT)
		ima_audit_measurement(iint, pathname);

	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
		rc = 0;
out_locked:
	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
	     !(iint->flags & IMA_NEW_FILE))
		rc = -EACCES;
	mutex_unlock(&iint->mutex);
	kfree(xattr_value);
out:
	if (pathbuf)
		__putname(pathbuf);
	if (must_appraise) {
		if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;
		if (file->f_mode & FMODE_WRITE)
			set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}
	return 0;
}

/**
 * ima_file_mmap - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured (May be NULL)
 * @prot: contains the protection that will be applied by the kernel.
 *
 * Measure files being mmapped executable based on the ima_must_measure()
 * policy decision.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_file_mmap(struct file *file, unsigned long prot)
{
	u32 secid;

	if (file && (prot & PROT_EXEC)) {
		security_task_getsecid(current, &secid);
		return process_measurement(file, current_cred(), secid, NULL,
					   0, MAY_EXEC, MMAP_CHECK, 0);
	}

	return 0;
}

/**
 * ima_bprm_check - based on policy, collect/store measurement.
 * @bprm: contains the linux_binprm structure
 *
 * The OS protects against an executable file, already open for write,
 * from being executed in deny_write_access() and an executable file,
 * already open for execute, from being modified in get_write_access().
 * So we can be certain that what we verify and measure here is actually
 * what is being executed.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_bprm_check(struct linux_binprm *bprm)
{
	int ret;
	u32 secid;

	security_task_getsecid(current, &secid);
	ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
				  MAY_EXEC, BPRM_CHECK, 0);
	if (ret)
		return ret;

	security_cred_getsecid(bprm->cred, &secid);
	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
				   MAY_EXEC, CREDS_CHECK, 0);
}

/**
 * ima_path_check - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured
 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
 *
 * Measure files based on the ima_must_measure() policy decision.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_file_check(struct file *file, int mask, int opened)
{
	u32 secid;

	security_task_getsecid(current, &secid);
	return process_measurement(file, current_cred(), secid, NULL, 0,
				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
					   MAY_APPEND), FILE_CHECK, opened);
}
EXPORT_SYMBOL_GPL(ima_file_check);

/**
 * ima_post_path_mknod - mark as a new inode
 * @dentry: newly created dentry
 *
 * Mark files created via the mknodat syscall as new, so that the
 * file data can be written later.
 */
void ima_post_path_mknod(struct dentry *dentry)
{
	struct integrity_iint_cache *iint;
	struct inode *inode = dentry->d_inode;
	int must_appraise;

	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
	if (!must_appraise)
		return;

	iint = integrity_inode_get(inode);
	if (iint)
		iint->flags |= IMA_NEW_FILE;
}

/**
 * ima_read_file - pre-measure/appraise hook decision based on policy
 * @file: pointer to the file to be measured/appraised/audit
 * @read_id: caller identifier
 *
 * Permit reading a file based on policy. The policy rules are written
 * in terms of the policy identifier.  Appraising the integrity of
 * a file requires a file descriptor.
 *
 * For permission return 0, otherwise return -EACCES.
 */
int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
{
	bool sig_enforce = is_module_sig_enforced();

	if (!file && read_id == READING_MODULE) {
		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		}
		return 0;	/* We rely on module signature checking */
	}
	return 0;
}

static int read_idmap[READING_MAX_ID] = {
	[READING_FIRMWARE] = FIRMWARE_CHECK,
	[READING_MODULE] = MODULE_CHECK,
	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
	[READING_POLICY] = POLICY_CHECK
};

/**
 * ima_post_read_file - in memory collect/appraise/audit measurement
 * @file: pointer to the file to be measured/appraised/audit
 * @buf: pointer to in memory file contents
 * @size: size of in memory file contents
 * @read_id: caller identifier
 *
 * Measure/appraise/audit in memory file based on policy.  Policy rules
 * are written in terms of a policy identifier.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_post_read_file(struct file *file, void *buf, loff_t size,
		       enum kernel_read_file_id read_id)
{
	enum ima_hooks func;
	u32 secid;

	if (!file && read_id == READING_FIRMWARE) {
		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		return 0;
	}

	if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
		return 0;

	/* permit signed certs */
	if (!file && read_id == READING_X509_CERTIFICATE)
		return 0;

	if (!file || !buf || size == 0) { /* should never happen */
		if (ima_appraise & IMA_APPRAISE_ENFORCE)
			return -EACCES;
		return 0;
	}

	func = read_idmap[read_id] ?: FILE_CHECK;
	security_task_getsecid(current, &secid);
	return process_measurement(file, current_cred(), secid, buf, size,
				   MAY_READ, func, 0);
}

static int __init init_ima(void)
{
	int error;

	ima_init_template_list();
	hash_setup(CONFIG_IMA_DEFAULT_HASH);
	error = ima_init();

	if (error && strcmp(hash_algo_name[ima_hash_algo],
			    CONFIG_IMA_DEFAULT_HASH) != 0) {
		pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
			hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
		hash_setup_done = 0;
		hash_setup(CONFIG_IMA_DEFAULT_HASH);
		error = ima_init();
	}

	if (!error) {
		ima_initialized = 1;
		ima_update_policy_flag();
	}
	return error;
}

late_initcall(init_ima);	/* Start IMA after the TPM is available */

MODULE_DESCRIPTION("Integrity Measurement Architecture");
MODULE_LICENSE("GPL");
Commit	Line	Data
3323eec9 MZ	1	/*
	2	* Copyright (C) 2005,2006,2007,2008 IBM Corporation
	3	*
	4	* Authors:
	5	* Reiner Sailer <sailer@watson.ibm.com>
	6	* Serge Hallyn <serue@us.ibm.com>
	7	* Kylene Hall <kylene@us.ibm.com>
	8	* Mimi Zohar <zohar@us.ibm.com>
	9	*
	10	* This program is free software; you can redistribute it and/or
	11	* modify it under the terms of the GNU General Public License as
	12	* published by the Free Software Foundation, version 2 of the
	13	* License.
	14	*
	15	* File: ima_main.c
e0d5bd2a	16	* implements the IMA hooks: ima_bprm_check, ima_file_mmap,
9bbb6cad	17	* and ima_file_check.
3323eec9	18	*/
ab60368a PV	19
	20	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
	21
3323eec9 MZ	22	#include <linux/module.h>
	23	#include <linux/file.h>
	24	#include <linux/binfmts.h>
	25	#include <linux/mount.h>
	26	#include <linux/mman.h>
5a0e3ad6	27	#include <linux/slab.h>
2fe5d6de	28	#include <linux/xattr.h>
d5813a57	29	#include <linux/ima.h>
3b370b21	30	#include <linux/iversion.h>
d77ccdc6	31	#include <linux/fs.h>
3323eec9 MZ	32
	33	#include "ima.h"
	34
	35	int ima_initialized;
	36
2fe5d6de MZ	37	#ifdef CONFIG_IMA_APPRAISE
	38	int ima_appraise = IMA_APPRAISE_ENFORCE;
	39	#else
	40	int ima_appraise;
	41	#endif
	42
c7c8bb23	43	int ima_hash_algo = HASH_ALGO_SHA1;
e7a2ad7e	44	static int hash_setup_done;
c7c8bb23	45
3323eec9 MZ	46	static int __init hash_setup(char *str)
3323eec9 MZ	47	{
e7a2ad7e MZ	48	struct ima_template_desc *template_desc = ima_template_desc_current();
	49	int i;
	50
	51	if (hash_setup_done)
	52	return 1;
	53
	54	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
	55	if (strncmp(str, "sha1", 4) == 0)
	56	ima_hash_algo = HASH_ALGO_SHA1;
	57	else if (strncmp(str, "md5", 3) == 0)
	58	ima_hash_algo = HASH_ALGO_MD5;
ebe7c0a7 BW	59	else
ebe7c0a7 BW	60	return 1;
e7a2ad7e MZ	61	goto out;
	62	}
	63
	64	for (i = 0; i < HASH_ALGO__LAST; i++) {
	65	if (strcmp(str, hash_algo_name[i]) == 0) {
	66	ima_hash_algo = i;
	67	break;
	68	}
	69	}
ebe7c0a7 BW	70	if (i == HASH_ALGO__LAST)
ebe7c0a7 BW	71	return 1;
e7a2ad7e MZ	72	out:
e7a2ad7e MZ	73	hash_setup_done = 1;
3323eec9 MZ	74	return 1;
	75	}
	76	__setup("ima_hash=", hash_setup);
	77
8eb988c7	78	/*
890275b5	79	* ima_rdwr_violation_check
8eb988c7	80	*
890275b5	81	* Only invalidate the PCR for measured files:
2bb930ab	82	* - Opening a file for write when already open for read,
8eb988c7 MZ	83	* results in a time of measure, time of use (ToMToU) error.
8eb988c7 MZ	84	* - Opening a file for read when already open for write,
2bb930ab	85	* could result in a file measurement error.
8eb988c7 MZ	86	*
8eb988c7 MZ	87	*/
f7a859ff RS	88	static void ima_rdwr_violation_check(struct file *file,
f7a859ff RS	89	struct integrity_iint_cache *iint,
1b68bdf9	90	int must_measure,
f7a859ff	91	char **pathbuf,
4e8581ee RS	92	const char **pathname,
4e8581ee RS	93	char *filename)
8eb988c7	94	{
c77cecee	95	struct inode *inode = file_inode(file);
8eb988c7	96	fmode_t mode = file->f_mode;
ad16ad00	97	bool send_tomtou = false, send_writers = false;
a178d202	98
8eb988c7	99	if (mode & FMODE_WRITE) {
14503eb9	100	if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
f7a859ff RS	101	if (!iint)
f7a859ff RS	102	iint = integrity_iint_find(inode);
14503eb9	103	/* IMA_MEASURE is set from reader side */
0d73a552 DK	104	if (iint && test_bit(IMA_MUST_MEASURE,
0d73a552 DK	105	&iint->atomic_flags))
14503eb9 DK	106	send_tomtou = true;
14503eb9 DK	107	}
b882fae2	108	} else {
0d73a552 DK	109	if (must_measure)
0d73a552 DK	110	set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
1b68bdf9	111	if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
b882fae2	112	send_writers = true;
8eb988c7	113	}
ad16ad00	114
08e1b76a MZ	115	if (!send_tomtou && !send_writers)
	116	return;
	117
bc15ed66	118	*pathname = ima_d_path(&file->f_path, pathbuf, filename);
ea1046d4	119
ad16ad00	120	if (send_tomtou)
8d94eb9b RS	121	ima_add_violation(file, *pathname, iint,
8d94eb9b RS	122	"invalid_pcr", "ToMToU");
ad16ad00	123	if (send_writers)
8d94eb9b	124	ima_add_violation(file, *pathname, iint,
08e1b76a	125	"invalid_pcr", "open_writers");
8eb988c7 MZ	126	}
8eb988c7 MZ	127
f381c272	128	static void ima_check_last_writer(struct integrity_iint_cache *iint,
2fe5d6de	129	struct inode inode, struct file file)
bc7d2a3e	130	{
4b2a2c67	131	fmode_t mode = file->f_mode;
0d73a552	132	bool update;
bc7d2a3e	133
2fe5d6de MZ	134	if (!(mode & FMODE_WRITE))
	135	return;
	136
0d73a552	137	mutex_lock(&iint->mutex);
b151d6b0	138	if (atomic_read(&inode->i_writecount) == 1) {
0d73a552 DK	139	update = test_and_clear_bit(IMA_UPDATE_XATTR,
0d73a552 DK	140	&iint->atomic_flags);
ac0bf025	141	if (!IS_I_VERSION(inode) \|\|
c472c07b	142	!inode_eq_iversion(inode, iint->version) \|\|
b151d6b0 DK	143	(iint->flags & IMA_NEW_FILE)) {
b151d6b0 DK	144	iint->flags &= ~(IMA_DONE_MASK \| IMA_NEW_FILE);
a422638d	145	iint->measured_pcrs = 0;
0d73a552	146	if (update)
b151d6b0 DK	147	ima_update_xattr(iint, file);
b151d6b0 DK	148	}
2fe5d6de	149	}
0d73a552	150	mutex_unlock(&iint->mutex);
bc7d2a3e EP	151	}
bc7d2a3e EP	152
3323eec9 MZ	153	/**
	154	* ima_file_free - called on __fput()
	155	* @file: pointer to file structure being freed
	156	*
890275b5	157	* Flag files that changed, based on i_version
3323eec9 MZ	158	*/
	159	void ima_file_free(struct file *file)
	160	{
496ad9aa	161	struct inode *inode = file_inode(file);
f381c272	162	struct integrity_iint_cache *iint;
3323eec9	163
0f34a006	164	if (!ima_policy_flag \|\| !S_ISREG(inode->i_mode))
3323eec9	165	return;
196f5181	166
f381c272	167	iint = integrity_iint_find(inode);
854fdd55 MZ	168	if (!iint)
854fdd55 MZ	169	return;
3323eec9	170
854fdd55	171	ima_check_last_writer(iint, inode, file);
3323eec9 MZ	172	}
3323eec9 MZ	173
d906c10d MG	174	static int process_measurement(struct file file, const struct cred cred,
	175	u32 secid, char *buf, loff_t size, int mask,
	176	enum ima_hooks func, int opened)
3323eec9	177	{
496ad9aa	178	struct inode *inode = file_inode(file);
f7a859ff	179	struct integrity_iint_cache *iint = NULL;
209b43ca	180	struct ima_template_desc *template_desc;
ea1046d4	181	char *pathbuf = NULL;
bc15ed66	182	char filename[NAME_MAX];
ea1046d4	183	const char *pathname = NULL;
0d73a552	184	int rc = 0, action, must_appraise = 0;
725de7fa	185	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
1525b06d	186	struct evm_ima_xattr_data *xattr_value = NULL;
d3634d0f	187	int xattr_len = 0;
f7a859ff	188	bool violation_check;
1525b06d	189	enum hash_algo hash_algo;
3323eec9	190
a756024e	191	if (!ima_policy_flag \|\| !S_ISREG(inode->i_mode))
3323eec9	192	return 0;
bc7d2a3e	193
d79d72e0 MZ	194	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
	195	* bitmask based on the appraise/audit/measurement policy.
	196	* Included is the appraise submask.
	197	*/
d906c10d	198	action = ima_get_action(inode, cred, secid, mask, func, &pcr);
4ad87a3d	199	violation_check = ((func == FILE_CHECK \|\| func == MMAP_CHECK) &&
f7a859ff RS	200	(ima_policy_flag & IMA_MEASURE));
f7a859ff RS	201	if (!action && !violation_check)
2fe5d6de MZ	202	return 0;
2fe5d6de MZ	203
2fe5d6de	204	must_appraise = action & IMA_APPRAISE;
bc7d2a3e	205
5a73fcfa	206	/* Is the appraise rule hook specific? */
3a8a2ead	207	if (action & IMA_FILE_APPRAISE)
4ad87a3d	208	func = FILE_CHECK;
5a73fcfa	209
5955102c	210	inode_lock(inode);
2fe5d6de	211
f7a859ff RS	212	if (action) {
	213	iint = integrity_inode_get(inode);
	214	if (!iint)
0d73a552	215	rc = -ENOMEM;
f7a859ff RS	216	}
f7a859ff RS	217
0d73a552	218	if (!rc && violation_check)
1b68bdf9	219	ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
4e8581ee	220	&pathbuf, &pathname, filename);
0d73a552 DK	221
	222	inode_unlock(inode);
	223
	224	if (rc)
	225	goto out;
	226	if (!action)
	227	goto out;
	228
	229	mutex_lock(&iint->mutex);
	230
	231	if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
	232	/* reset appraisal flags if ima_inode_post_setattr was called */
	233	iint->flags &= ~(IMA_APPRAISE \| IMA_APPRAISED \|
	234	IMA_APPRAISE_SUBMASK \| IMA_APPRAISED_SUBMASK \|
	235	IMA_ACTION_FLAGS);
	236
d77ccdc6 MZ	237	/*
	238	* Re-evaulate the file if either the xattr has changed or the
	239	* kernel has no way of detecting file change on the filesystem.
	240	* (Limited to privileged mounted filesystems.)
	241	*/
	242	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) \|\|
	243	((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
9e67028e MZ	244	!(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
9e67028e MZ	245	!(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
0d73a552	246	iint->flags &= ~IMA_DONE_MASK;
d77ccdc6 MZ	247	iint->measured_pcrs = 0;
d77ccdc6 MZ	248	}
bf2276d1	249
2fe5d6de	250	/* Determine if already appraised/measured based on bitmask
d79d72e0 MZ	251	* (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
	252	* IMA_AUDIT, IMA_AUDITED)
	253	*/
2fe5d6de	254	iint->flags \|= action;
0e5a247c	255	action &= IMA_DO_MASK;
a422638d ER	256	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
	257
	258	/* If target pcr is already measured, unset IMA_MEASURE action */
	259	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
	260	action ^= IMA_MEASURE;
2fe5d6de	261
da1b0029 MZ	262	/* HASH sets the digital signature and update flags, nothing else */
	263	if ((action & IMA_HASH) &&
	264	!(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
	265	xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
	266	if ((xattr_value && xattr_len > 2) &&
	267	(xattr_value->type == EVM_IMA_XATTR_DIGSIG))
	268	set_bit(IMA_DIGSIG, &iint->atomic_flags);
	269	iint->flags \|= IMA_HASHED;
	270	action ^= IMA_HASH;
	271	set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	272	}
	273
2fe5d6de MZ	274	/* Nothing to do, just return existing appraised status */
2fe5d6de MZ	275	if (!action) {
d79d72e0	276	if (must_appraise)
4ad87a3d	277	rc = ima_get_cache_status(iint, func);
0d73a552	278	goto out_locked;
2fe5d6de	279	}
3323eec9	280
209b43ca	281	template_desc = ima_template_desc_current();
f68c05f4 DK	282	if ((action & IMA_APPRAISE_SUBMASK) \|\|
f68c05f4 DK	283	strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
1525b06d	284	/* read 'security.ima' */
e71b9dff	285	xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
d3634d0f	286
1525b06d DK	287	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
1525b06d DK	288
cf222217	289	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
f3cc6b25	290	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
0d73a552	291	goto out_locked;
08e1b76a	292
bc15ed66 MZ	293	if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
bc15ed66 MZ	294	pathname = ima_d_path(&file->f_path, &pathbuf, filename);
08e1b76a	295
2fe5d6de	296	if (action & IMA_MEASURE)
bcbc9b0c	297	ima_store_measurement(iint, file, pathname,
14b1da85	298	xattr_value, xattr_len, pcr);
0d73a552 DK	299	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
0d73a552 DK	300	inode_lock(inode);
4ad87a3d	301	rc = ima_appraise_measurement(func, iint, file, pathname,
3034a146	302	xattr_value, xattr_len, opened);
0d73a552 DK	303	inode_unlock(inode);
0d73a552 DK	304	}
e7c568e0	305	if (action & IMA_AUDIT)
ea1046d4	306	ima_audit_measurement(iint, pathname);
f7a859ff	307
f3cc6b25 MZ	308	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
f3cc6b25 MZ	309	rc = 0;
0d73a552 DK	310	out_locked:
0d73a552 DK	311	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
05d1a717	312	!(iint->flags & IMA_NEW_FILE))
a175b8bb	313	rc = -EACCES;
0d73a552	314	mutex_unlock(&iint->mutex);
f7a859ff	315	kfree(xattr_value);
0d73a552	316	out:
456f5fd3 DK	317	if (pathbuf)
456f5fd3 DK	318	__putname(pathbuf);
0d73a552 DK	319	if (must_appraise) {
	320	if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
	321	return -EACCES;
	322	if (file->f_mode & FMODE_WRITE)
	323	set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	324	}
750943a3	325	return 0;
3323eec9 MZ	326	}
	327
	328	/**
	329	* ima_file_mmap - based on policy, collect/store measurement.
	330	* @file: pointer to the file to be measured (May be NULL)
	331	* @prot: contains the protection that will be applied by the kernel.
	332	*
	333	* Measure files being mmapped executable based on the ima_must_measure()
	334	* policy decision.
	335	*
750943a3 DK	336	* On success return 0. On integrity appraisal error, assuming the file
750943a3 DK	337	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
3323eec9 MZ	338	*/
	339	int ima_file_mmap(struct file *file, unsigned long prot)
	340	{
d906c10d MG	341	u32 secid;
	342
	343	if (file && (prot & PROT_EXEC)) {
	344	security_task_getsecid(current, &secid);
	345	return process_measurement(file, current_cred(), secid, NULL,
	346	0, MAY_EXEC, MMAP_CHECK, 0);
	347	}
	348
750943a3	349	return 0;
3323eec9 MZ	350	}
	351
	352	/**
	353	* ima_bprm_check - based on policy, collect/store measurement.
	354	* @bprm: contains the linux_binprm structure
	355	*
	356	* The OS protects against an executable file, already open for write,
	357	* from being executed in deny_write_access() and an executable file,
	358	* already open for execute, from being modified in get_write_access().
	359	* So we can be certain that what we verify and measure here is actually
	360	* what is being executed.
	361	*
750943a3 DK	362	* On success return 0. On integrity appraisal error, assuming the file
750943a3 DK	363	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
3323eec9 MZ	364	*/
	365	int ima_bprm_check(struct linux_binprm *bprm)
	366	{
d906c10d MG	367	int ret;
	368	u32 secid;
	369
	370	security_task_getsecid(current, &secid);
	371	ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
	372	MAY_EXEC, BPRM_CHECK, 0);
	373	if (ret)
	374	return ret;
	375
	376	security_cred_getsecid(bprm->cred, &secid);
	377	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
	378	MAY_EXEC, CREDS_CHECK, 0);
3323eec9 MZ	379	}
3323eec9 MZ	380
8eb988c7 MZ	381	/**
	382	* ima_path_check - based on policy, collect/store measurement.
	383	* @file: pointer to the file to be measured
20f482ab	384	* @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
8eb988c7 MZ	385	*
	386	* Measure files based on the ima_must_measure() policy decision.
	387	*
750943a3 DK	388	* On success return 0. On integrity appraisal error, assuming the file
750943a3 DK	389	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
8eb988c7	390	*/
3034a146	391	int ima_file_check(struct file *file, int mask, int opened)
8eb988c7	392	{
d906c10d MG	393	u32 secid;
	394
	395	security_task_getsecid(current, &secid);
	396	return process_measurement(file, current_cred(), secid, NULL, 0,
20f482ab LZ	397	mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC \|
20f482ab LZ	398	MAY_APPEND), FILE_CHECK, opened);
8eb988c7	399	}
9bbb6cad	400	EXPORT_SYMBOL_GPL(ima_file_check);
8eb988c7	401
05d1a717 MZ	402	/**
	403	* ima_post_path_mknod - mark as a new inode
	404	* @dentry: newly created dentry
	405	*
	406	* Mark files created via the mknodat syscall as new, so that the
	407	* file data can be written later.
	408	*/
	409	void ima_post_path_mknod(struct dentry *dentry)
	410	{
	411	struct integrity_iint_cache *iint;
	412	struct inode *inode = dentry->d_inode;
	413	int must_appraise;
	414
	415	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
	416	if (!must_appraise)
	417	return;
	418
	419	iint = integrity_inode_get(inode);
	420	if (iint)
	421	iint->flags \|= IMA_NEW_FILE;
	422	}
	423
39eeb4fb MZ	424	/**
	425	* ima_read_file - pre-measure/appraise hook decision based on policy
	426	* @file: pointer to the file to be measured/appraised/audit
	427	* @read_id: caller identifier
	428	*
	429	* Permit reading a file based on policy. The policy rules are written
	430	* in terms of the policy identifier. Appraising the integrity of
	431	* a file requires a file descriptor.
	432	*
	433	* For permission return 0, otherwise return -EACCES.
	434	*/
	435	int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
	436	{
7c9bc098 BM	437	bool sig_enforce = is_module_sig_enforced();
7c9bc098 BM	438
a1db7420	439	if (!file && read_id == READING_MODULE) {
7c9bc098	440	if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
9c655be0 BM	441	(ima_appraise & IMA_APPRAISE_ENFORCE)) {
9c655be0 BM	442	pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
a1db7420	443	return -EACCES; /* INTEGRITY_UNKNOWN */
9c655be0	444	}
a1db7420 MZ	445	return 0; /* We rely on module signature checking */
a1db7420 MZ	446	}
39eeb4fb MZ	447	return 0;
	448	}
	449
d9ddf077 MZ	450	static int read_idmap[READING_MAX_ID] = {
	451	[READING_FIRMWARE] = FIRMWARE_CHECK,
	452	[READING_MODULE] = MODULE_CHECK,
	453	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
	454	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
19f8a847	455	[READING_POLICY] = POLICY_CHECK
d9ddf077 MZ	456	};
d9ddf077 MZ	457
cf222217 MZ	458	/**
	459	* ima_post_read_file - in memory collect/appraise/audit measurement
	460	* @file: pointer to the file to be measured/appraised/audit
	461	* @buf: pointer to in memory file contents
	462	* @size: size of in memory file contents
	463	* @read_id: caller identifier
	464	*
	465	* Measure/appraise/audit in memory file based on policy. Policy rules
	466	* are written in terms of a policy identifier.
	467	*
	468	* On success return 0. On integrity appraisal error, assuming the file
	469	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
	470	*/
	471	int ima_post_read_file(struct file file, void buf, loff_t size,
	472	enum kernel_read_file_id read_id)
	473	{
d9ddf077	474	enum ima_hooks func;
d906c10d	475	u32 secid;
cf222217	476
e40ba6d5 MZ	477	if (!file && read_id == READING_FIRMWARE) {
	478	if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
	479	(ima_appraise & IMA_APPRAISE_ENFORCE))
	480	return -EACCES; /* INTEGRITY_UNKNOWN */
	481	return 0;
	482	}
	483
a1db7420 MZ	484	if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
	485	return 0;
	486
a7d3d039 CH	487	/* permit signed certs */
	488	if (!file && read_id == READING_X509_CERTIFICATE)
	489	return 0;
	490
cf222217 MZ	491	if (!file \|\| !buf \|\| size == 0) { /* should never happen */
	492	if (ima_appraise & IMA_APPRAISE_ENFORCE)
	493	return -EACCES;
	494	return 0;
	495	}
	496
d9ddf077	497	func = read_idmap[read_id] ?: FILE_CHECK;
d906c10d MG	498	security_task_getsecid(current, &secid);
	499	return process_measurement(file, current_cred(), secid, buf, size,
	500	MAY_READ, func, 0);
5a9196d7 MZ	501	}
5a9196d7 MZ	502
3323eec9 MZ	503	static int __init init_ima(void)
	504	{
	505	int error;
	506
3f23d624	507	ima_init_template_list();
e7a2ad7e	508	hash_setup(CONFIG_IMA_DEFAULT_HASH);
3323eec9	509	error = ima_init();
ab60368a PV	510
	511	if (error && strcmp(hash_algo_name[ima_hash_algo],
	512	CONFIG_IMA_DEFAULT_HASH) != 0) {
	513	pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
	514	hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
	515	hash_setup_done = 0;
	516	hash_setup(CONFIG_IMA_DEFAULT_HASH);
	517	error = ima_init();
	518	}
	519
a756024e	520	if (!error) {
31b70f66	521	ima_initialized = 1;
a756024e RS	522	ima_update_policy_flag();
a756024e RS	523	}
3323eec9 MZ	524	return error;
	525	}
	526
	527	late_initcall(init_ima); /* Start IMA after the TPM is available */
	528
	529	MODULE_DESCRIPTION("Integrity Measurement Architecture");
	530	MODULE_LICENSE("GPL");