ima_main.c 31 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Integrity Measurement Architecture
  4. *
  5. * Copyright (C) 2005,2006,2007,2008 IBM Corporation
  6. *
  7. * Authors:
  8. * Reiner Sailer <[email protected]>
  9. * Serge Hallyn <[email protected]>
  10. * Kylene Hall <[email protected]>
  11. * Mimi Zohar <[email protected]>
  12. *
  13. * File: ima_main.c
  14. * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
  15. * and ima_file_check.
  16. */
  17. #include <linux/module.h>
  18. #include <linux/file.h>
  19. #include <linux/binfmts.h>
  20. #include <linux/kernel_read_file.h>
  21. #include <linux/mount.h>
  22. #include <linux/mman.h>
  23. #include <linux/slab.h>
  24. #include <linux/xattr.h>
  25. #include <linux/ima.h>
  26. #include <linux/iversion.h>
  27. #include <linux/fs.h>
  28. #include <linux/iversion.h>
  29. #include "ima.h"
  30. #ifdef CONFIG_IMA_APPRAISE
  31. int ima_appraise = IMA_APPRAISE_ENFORCE;
  32. #else
  33. int ima_appraise;
  34. #endif
  35. int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
  36. static int hash_setup_done;
  37. static struct notifier_block ima_lsm_policy_notifier = {
  38. .notifier_call = ima_lsm_policy_change,
  39. };
  40. static int __init hash_setup(char *str)
  41. {
  42. struct ima_template_desc *template_desc = ima_template_desc_current();
  43. int i;
  44. if (hash_setup_done)
  45. return 1;
  46. if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
  47. if (strncmp(str, "sha1", 4) == 0) {
  48. ima_hash_algo = HASH_ALGO_SHA1;
  49. } else if (strncmp(str, "md5", 3) == 0) {
  50. ima_hash_algo = HASH_ALGO_MD5;
  51. } else {
  52. pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
  53. str, IMA_TEMPLATE_IMA_NAME);
  54. return 1;
  55. }
  56. goto out;
  57. }
  58. i = match_string(hash_algo_name, HASH_ALGO__LAST, str);
  59. if (i < 0) {
  60. pr_err("invalid hash algorithm \"%s\"", str);
  61. return 1;
  62. }
  63. ima_hash_algo = i;
  64. out:
  65. hash_setup_done = 1;
  66. return 1;
  67. }
  68. __setup("ima_hash=", hash_setup);
  69. enum hash_algo ima_get_current_hash_algo(void)
  70. {
  71. return ima_hash_algo;
  72. }
  73. /* Prevent mmap'ing a file execute that is already mmap'ed write */
  74. static int mmap_violation_check(enum ima_hooks func, struct file *file,
  75. char **pathbuf, const char **pathname,
  76. char *filename)
  77. {
  78. struct inode *inode;
  79. int rc = 0;
  80. if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) {
  81. rc = -ETXTBSY;
  82. inode = file_inode(file);
  83. if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */
  84. *pathname = ima_d_path(&file->f_path, pathbuf,
  85. filename);
  86. integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, *pathname,
  87. "mmap_file", "mmapped_writers", rc, 0);
  88. }
  89. return rc;
  90. }
  91. /*
  92. * ima_rdwr_violation_check
  93. *
  94. * Only invalidate the PCR for measured files:
  95. * - Opening a file for write when already open for read,
  96. * results in a time of measure, time of use (ToMToU) error.
  97. * - Opening a file for read when already open for write,
  98. * could result in a file measurement error.
  99. *
  100. */
  101. static void ima_rdwr_violation_check(struct file *file,
  102. struct integrity_iint_cache *iint,
  103. int must_measure,
  104. char **pathbuf,
  105. const char **pathname,
  106. char *filename)
  107. {
  108. struct inode *inode = file_inode(file);
  109. fmode_t mode = file->f_mode;
  110. bool send_tomtou = false, send_writers = false;
  111. if (mode & FMODE_WRITE) {
  112. if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
  113. if (!iint)
  114. iint = integrity_iint_find(inode);
  115. /* IMA_MEASURE is set from reader side */
  116. if (iint && test_bit(IMA_MUST_MEASURE,
  117. &iint->atomic_flags))
  118. send_tomtou = true;
  119. }
  120. } else {
  121. if (must_measure)
  122. set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
  123. if (inode_is_open_for_write(inode) && must_measure)
  124. send_writers = true;
  125. }
  126. if (!send_tomtou && !send_writers)
  127. return;
  128. *pathname = ima_d_path(&file->f_path, pathbuf, filename);
  129. if (send_tomtou)
  130. ima_add_violation(file, *pathname, iint,
  131. "invalid_pcr", "ToMToU");
  132. if (send_writers)
  133. ima_add_violation(file, *pathname, iint,
  134. "invalid_pcr", "open_writers");
  135. }
  136. static void ima_check_last_writer(struct integrity_iint_cache *iint,
  137. struct inode *inode, struct file *file)
  138. {
  139. fmode_t mode = file->f_mode;
  140. bool update;
  141. if (!(mode & FMODE_WRITE))
  142. return;
  143. mutex_lock(&iint->mutex);
  144. if (atomic_read(&inode->i_writecount) == 1) {
  145. update = test_and_clear_bit(IMA_UPDATE_XATTR,
  146. &iint->atomic_flags);
  147. if (!IS_I_VERSION(inode) ||
  148. !inode_eq_iversion(inode, iint->version) ||
  149. (iint->flags & IMA_NEW_FILE)) {
  150. iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
  151. iint->measured_pcrs = 0;
  152. if (update)
  153. ima_update_xattr(iint, file);
  154. }
  155. }
  156. mutex_unlock(&iint->mutex);
  157. }
  158. /**
  159. * ima_file_free - called on __fput()
  160. * @file: pointer to file structure being freed
  161. *
  162. * Flag files that changed, based on i_version
  163. */
  164. void ima_file_free(struct file *file)
  165. {
  166. struct inode *inode = file_inode(file);
  167. struct integrity_iint_cache *iint;
  168. if (!ima_policy_flag || !S_ISREG(inode->i_mode))
  169. return;
  170. iint = integrity_iint_find(inode);
  171. if (!iint)
  172. return;
  173. ima_check_last_writer(iint, inode, file);
  174. }
  175. static int process_measurement(struct file *file, const struct cred *cred,
  176. u32 secid, char *buf, loff_t size, int mask,
  177. enum ima_hooks func)
  178. {
  179. struct inode *backing_inode, *inode = file_inode(file);
  180. struct integrity_iint_cache *iint = NULL;
  181. struct ima_template_desc *template_desc = NULL;
  182. char *pathbuf = NULL;
  183. char filename[NAME_MAX];
  184. const char *pathname = NULL;
  185. int rc = 0, action, must_appraise = 0;
  186. int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
  187. struct evm_ima_xattr_data *xattr_value = NULL;
  188. struct modsig *modsig = NULL;
  189. int xattr_len = 0;
  190. bool violation_check;
  191. enum hash_algo hash_algo;
  192. unsigned int allowed_algos = 0;
  193. if (!ima_policy_flag || !S_ISREG(inode->i_mode))
  194. return 0;
  195. /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
  196. * bitmask based on the appraise/audit/measurement policy.
  197. * Included is the appraise submask.
  198. */
  199. action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid,
  200. mask, func, &pcr, &template_desc, NULL,
  201. &allowed_algos);
  202. violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
  203. (ima_policy_flag & IMA_MEASURE));
  204. if (!action && !violation_check)
  205. return 0;
  206. must_appraise = action & IMA_APPRAISE;
  207. /* Is the appraise rule hook specific? */
  208. if (action & IMA_FILE_APPRAISE)
  209. func = FILE_CHECK;
  210. inode_lock(inode);
  211. if (action) {
  212. iint = integrity_inode_get(inode);
  213. if (!iint)
  214. rc = -ENOMEM;
  215. }
  216. if (!rc && violation_check)
  217. ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
  218. &pathbuf, &pathname, filename);
  219. inode_unlock(inode);
  220. if (rc)
  221. goto out;
  222. if (!action)
  223. goto out;
  224. mutex_lock(&iint->mutex);
  225. if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
  226. /* reset appraisal flags if ima_inode_post_setattr was called */
  227. iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
  228. IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
  229. IMA_NONACTION_FLAGS);
  230. /*
  231. * Re-evaulate the file if either the xattr has changed or the
  232. * kernel has no way of detecting file change on the filesystem.
  233. * (Limited to privileged mounted filesystems.)
  234. */
  235. if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
  236. ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
  237. !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
  238. !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
  239. iint->flags &= ~IMA_DONE_MASK;
  240. iint->measured_pcrs = 0;
  241. }
  242. /* Detect and re-evaluate changes made to the backing file. */
  243. backing_inode = d_real_inode(file_dentry(file));
  244. if (backing_inode != inode &&
  245. (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
  246. if (!IS_I_VERSION(backing_inode) ||
  247. backing_inode->i_sb->s_dev != iint->real_dev ||
  248. backing_inode->i_ino != iint->real_ino ||
  249. !inode_eq_iversion(backing_inode, iint->version)) {
  250. iint->flags &= ~IMA_DONE_MASK;
  251. iint->measured_pcrs = 0;
  252. }
  253. }
  254. /* Determine if already appraised/measured based on bitmask
  255. * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
  256. * IMA_AUDIT, IMA_AUDITED)
  257. */
  258. iint->flags |= action;
  259. action &= IMA_DO_MASK;
  260. action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
  261. /* If target pcr is already measured, unset IMA_MEASURE action */
  262. if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
  263. action ^= IMA_MEASURE;
  264. /* HASH sets the digital signature and update flags, nothing else */
  265. if ((action & IMA_HASH) &&
  266. !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
  267. xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
  268. if ((xattr_value && xattr_len > 2) &&
  269. (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
  270. set_bit(IMA_DIGSIG, &iint->atomic_flags);
  271. iint->flags |= IMA_HASHED;
  272. action ^= IMA_HASH;
  273. set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
  274. }
  275. /* Nothing to do, just return existing appraised status */
  276. if (!action) {
  277. if (must_appraise) {
  278. rc = mmap_violation_check(func, file, &pathbuf,
  279. &pathname, filename);
  280. if (!rc)
  281. rc = ima_get_cache_status(iint, func);
  282. }
  283. goto out_locked;
  284. }
  285. if ((action & IMA_APPRAISE_SUBMASK) ||
  286. strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
  287. /* read 'security.ima' */
  288. xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
  289. /*
  290. * Read the appended modsig if allowed by the policy, and allow
  291. * an additional measurement list entry, if needed, based on the
  292. * template format and whether the file was already measured.
  293. */
  294. if (iint->flags & IMA_MODSIG_ALLOWED) {
  295. rc = ima_read_modsig(func, buf, size, &modsig);
  296. if (!rc && ima_template_has_modsig(template_desc) &&
  297. iint->flags & IMA_MEASURED)
  298. action |= IMA_MEASURE;
  299. }
  300. }
  301. hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
  302. rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
  303. if (rc != 0 && rc != -EBADF && rc != -EINVAL)
  304. goto out_locked;
  305. if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
  306. pathname = ima_d_path(&file->f_path, &pathbuf, filename);
  307. if (action & IMA_MEASURE)
  308. ima_store_measurement(iint, file, pathname,
  309. xattr_value, xattr_len, modsig, pcr,
  310. template_desc);
  311. if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
  312. rc = ima_check_blacklist(iint, modsig, pcr);
  313. if (rc != -EPERM) {
  314. inode_lock(inode);
  315. rc = ima_appraise_measurement(func, iint, file,
  316. pathname, xattr_value,
  317. xattr_len, modsig);
  318. inode_unlock(inode);
  319. }
  320. if (!rc)
  321. rc = mmap_violation_check(func, file, &pathbuf,
  322. &pathname, filename);
  323. }
  324. if (action & IMA_AUDIT)
  325. ima_audit_measurement(iint, pathname);
  326. if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
  327. rc = 0;
  328. /* Ensure the digest was generated using an allowed algorithm */
  329. if (rc == 0 && must_appraise && allowed_algos != 0 &&
  330. (allowed_algos & (1U << hash_algo)) == 0) {
  331. rc = -EACCES;
  332. integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file),
  333. pathname, "collect_data",
  334. "denied-hash-algorithm", rc, 0);
  335. }
  336. out_locked:
  337. if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
  338. !(iint->flags & IMA_NEW_FILE))
  339. rc = -EACCES;
  340. mutex_unlock(&iint->mutex);
  341. kfree(xattr_value);
  342. ima_free_modsig(modsig);
  343. out:
  344. if (pathbuf)
  345. __putname(pathbuf);
  346. if (must_appraise) {
  347. if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
  348. return -EACCES;
  349. if (file->f_mode & FMODE_WRITE)
  350. set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
  351. }
  352. return 0;
  353. }
  354. /**
  355. * ima_file_mmap - based on policy, collect/store measurement.
  356. * @file: pointer to the file to be measured (May be NULL)
  357. * @reqprot: protection requested by the application
  358. * @prot: protection that will be applied by the kernel
  359. * @flags: operational flags
  360. *
  361. * Measure files being mmapped executable based on the ima_must_measure()
  362. * policy decision.
  363. *
  364. * On success return 0. On integrity appraisal error, assuming the file
  365. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  366. */
  367. int ima_file_mmap(struct file *file, unsigned long reqprot,
  368. unsigned long prot, unsigned long flags)
  369. {
  370. u32 secid;
  371. if (file && (prot & PROT_EXEC)) {
  372. security_current_getsecid_subj(&secid);
  373. return process_measurement(file, current_cred(), secid, NULL,
  374. 0, MAY_EXEC, MMAP_CHECK);
  375. }
  376. return 0;
  377. }
  378. /**
  379. * ima_file_mprotect - based on policy, limit mprotect change
  380. * @vma: vm_area_struct protection is set to
  381. * @prot: contains the protection that will be applied by the kernel.
  382. *
  383. * Files can be mmap'ed read/write and later changed to execute to circumvent
  384. * IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore
  385. * would be taken before i_mutex), files can not be measured or appraised at
  386. * this point. Eliminate this integrity gap by denying the mprotect
  387. * PROT_EXECUTE change, if an mmap appraise policy rule exists.
  388. *
  389. * On mprotect change success, return 0. On failure, return -EACESS.
  390. */
  391. int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
  392. {
  393. struct ima_template_desc *template = NULL;
  394. struct file *file;
  395. char filename[NAME_MAX];
  396. char *pathbuf = NULL;
  397. const char *pathname = NULL;
  398. struct inode *inode;
  399. int result = 0;
  400. int action;
  401. u32 secid;
  402. int pcr;
  403. /* Is mprotect making an mmap'ed file executable? */
  404. if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
  405. !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
  406. return 0;
  407. security_current_getsecid_subj(&secid);
  408. inode = file_inode(vma->vm_file);
  409. action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
  410. current_cred(), secid, MAY_EXEC, MMAP_CHECK,
  411. &pcr, &template, NULL, NULL);
  412. /* Is the mmap'ed file in policy? */
  413. if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK)))
  414. return 0;
  415. if (action & IMA_APPRAISE_SUBMASK)
  416. result = -EPERM;
  417. file = vma->vm_file;
  418. pathname = ima_d_path(&file->f_path, &pathbuf, filename);
  419. integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, pathname,
  420. "collect_data", "failed-mprotect", result, 0);
  421. if (pathbuf)
  422. __putname(pathbuf);
  423. return result;
  424. }
  425. /**
  426. * ima_bprm_check - based on policy, collect/store measurement.
  427. * @bprm: contains the linux_binprm structure
  428. *
  429. * The OS protects against an executable file, already open for write,
  430. * from being executed in deny_write_access() and an executable file,
  431. * already open for execute, from being modified in get_write_access().
  432. * So we can be certain that what we verify and measure here is actually
  433. * what is being executed.
  434. *
  435. * On success return 0. On integrity appraisal error, assuming the file
  436. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  437. */
  438. int ima_bprm_check(struct linux_binprm *bprm)
  439. {
  440. int ret;
  441. u32 secid;
  442. security_current_getsecid_subj(&secid);
  443. ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
  444. MAY_EXEC, BPRM_CHECK);
  445. if (ret)
  446. return ret;
  447. security_cred_getsecid(bprm->cred, &secid);
  448. return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
  449. MAY_EXEC, CREDS_CHECK);
  450. }
  451. /**
  452. * ima_file_check - based on policy, collect/store measurement.
  453. * @file: pointer to the file to be measured
  454. * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
  455. *
  456. * Measure files based on the ima_must_measure() policy decision.
  457. *
  458. * On success return 0. On integrity appraisal error, assuming the file
  459. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  460. */
  461. int ima_file_check(struct file *file, int mask)
  462. {
  463. u32 secid;
  464. security_current_getsecid_subj(&secid);
  465. return process_measurement(file, current_cred(), secid, NULL, 0,
  466. mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
  467. MAY_APPEND), FILE_CHECK);
  468. }
  469. EXPORT_SYMBOL_GPL(ima_file_check);
  470. static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
  471. size_t buf_size)
  472. {
  473. struct integrity_iint_cache *iint = NULL, tmp_iint;
  474. int rc, hash_algo;
  475. if (ima_policy_flag) {
  476. iint = integrity_iint_find(inode);
  477. if (iint)
  478. mutex_lock(&iint->mutex);
  479. }
  480. if ((!iint || !(iint->flags & IMA_COLLECTED)) && file) {
  481. if (iint)
  482. mutex_unlock(&iint->mutex);
  483. memset(&tmp_iint, 0, sizeof(tmp_iint));
  484. tmp_iint.inode = inode;
  485. mutex_init(&tmp_iint.mutex);
  486. rc = ima_collect_measurement(&tmp_iint, file, NULL, 0,
  487. ima_hash_algo, NULL);
  488. if (rc < 0) {
  489. /* ima_hash could be allocated in case of failure. */
  490. if (rc != -ENOMEM)
  491. kfree(tmp_iint.ima_hash);
  492. return -EOPNOTSUPP;
  493. }
  494. iint = &tmp_iint;
  495. mutex_lock(&iint->mutex);
  496. }
  497. if (!iint)
  498. return -EOPNOTSUPP;
  499. /*
  500. * ima_file_hash can be called when ima_collect_measurement has still
  501. * not been called, we might not always have a hash.
  502. */
  503. if (!iint->ima_hash) {
  504. mutex_unlock(&iint->mutex);
  505. return -EOPNOTSUPP;
  506. }
  507. if (buf) {
  508. size_t copied_size;
  509. copied_size = min_t(size_t, iint->ima_hash->length, buf_size);
  510. memcpy(buf, iint->ima_hash->digest, copied_size);
  511. }
  512. hash_algo = iint->ima_hash->algo;
  513. mutex_unlock(&iint->mutex);
  514. if (iint == &tmp_iint)
  515. kfree(iint->ima_hash);
  516. return hash_algo;
  517. }
  518. /**
  519. * ima_file_hash - return a measurement of the file
  520. * @file: pointer to the file
  521. * @buf: buffer in which to store the hash
  522. * @buf_size: length of the buffer
  523. *
  524. * On success, return the hash algorithm (as defined in the enum hash_algo).
  525. * If buf is not NULL, this function also outputs the hash into buf.
  526. * If the hash is larger than buf_size, then only buf_size bytes will be copied.
  527. * It generally just makes sense to pass a buffer capable of holding the largest
  528. * possible hash: IMA_MAX_DIGEST_SIZE.
  529. * The file hash returned is based on the entire file, including the appended
  530. * signature.
  531. *
  532. * If the measurement cannot be performed, return -EOPNOTSUPP.
  533. * If the parameters are incorrect, return -EINVAL.
  534. */
  535. int ima_file_hash(struct file *file, char *buf, size_t buf_size)
  536. {
  537. if (!file)
  538. return -EINVAL;
  539. return __ima_inode_hash(file_inode(file), file, buf, buf_size);
  540. }
  541. EXPORT_SYMBOL_GPL(ima_file_hash);
  542. /**
  543. * ima_inode_hash - return the stored measurement if the inode has been hashed
  544. * and is in the iint cache.
  545. * @inode: pointer to the inode
  546. * @buf: buffer in which to store the hash
  547. * @buf_size: length of the buffer
  548. *
  549. * On success, return the hash algorithm (as defined in the enum hash_algo).
  550. * If buf is not NULL, this function also outputs the hash into buf.
  551. * If the hash is larger than buf_size, then only buf_size bytes will be copied.
  552. * It generally just makes sense to pass a buffer capable of holding the largest
  553. * possible hash: IMA_MAX_DIGEST_SIZE.
  554. * The hash returned is based on the entire contents, including the appended
  555. * signature.
  556. *
  557. * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP.
  558. * If the parameters are incorrect, return -EINVAL.
  559. */
  560. int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size)
  561. {
  562. if (!inode)
  563. return -EINVAL;
  564. return __ima_inode_hash(inode, NULL, buf, buf_size);
  565. }
  566. EXPORT_SYMBOL_GPL(ima_inode_hash);
  567. /**
  568. * ima_post_create_tmpfile - mark newly created tmpfile as new
  569. * @mnt_userns: user namespace of the mount the inode was found from
  570. * @inode: inode of the newly created tmpfile
  571. *
  572. * No measuring, appraising or auditing of newly created tmpfiles is needed.
  573. * Skip calling process_measurement(), but indicate which newly, created
  574. * tmpfiles are in policy.
  575. */
  576. void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
  577. struct inode *inode)
  578. {
  579. struct integrity_iint_cache *iint;
  580. int must_appraise;
  581. if (!ima_policy_flag || !S_ISREG(inode->i_mode))
  582. return;
  583. must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
  584. FILE_CHECK);
  585. if (!must_appraise)
  586. return;
  587. /* Nothing to do if we can't allocate memory */
  588. iint = integrity_inode_get(inode);
  589. if (!iint)
  590. return;
  591. /* needed for writing the security xattrs */
  592. set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
  593. iint->ima_file_status = INTEGRITY_PASS;
  594. }
  595. /**
  596. * ima_post_path_mknod - mark as a new inode
  597. * @mnt_userns: user namespace of the mount the inode was found from
  598. * @dentry: newly created dentry
  599. *
  600. * Mark files created via the mknodat syscall as new, so that the
  601. * file data can be written later.
  602. */
  603. void ima_post_path_mknod(struct user_namespace *mnt_userns,
  604. struct dentry *dentry)
  605. {
  606. struct integrity_iint_cache *iint;
  607. struct inode *inode = dentry->d_inode;
  608. int must_appraise;
  609. if (!ima_policy_flag || !S_ISREG(inode->i_mode))
  610. return;
  611. must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
  612. FILE_CHECK);
  613. if (!must_appraise)
  614. return;
  615. /* Nothing to do if we can't allocate memory */
  616. iint = integrity_inode_get(inode);
  617. if (!iint)
  618. return;
  619. /* needed for re-opening empty files */
  620. iint->flags |= IMA_NEW_FILE;
  621. }
  622. /**
  623. * ima_read_file - pre-measure/appraise hook decision based on policy
  624. * @file: pointer to the file to be measured/appraised/audit
  625. * @read_id: caller identifier
  626. * @contents: whether a subsequent call will be made to ima_post_read_file()
  627. *
  628. * Permit reading a file based on policy. The policy rules are written
  629. * in terms of the policy identifier. Appraising the integrity of
  630. * a file requires a file descriptor.
  631. *
  632. * For permission return 0, otherwise return -EACCES.
  633. */
  634. int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
  635. bool contents)
  636. {
  637. enum ima_hooks func;
  638. u32 secid;
  639. /*
  640. * Do devices using pre-allocated memory run the risk of the
  641. * firmware being accessible to the device prior to the completion
  642. * of IMA's signature verification any more than when using two
  643. * buffers? It may be desirable to include the buffer address
  644. * in this API and walk all the dma_map_single() mappings to check.
  645. */
  646. /*
  647. * There will be a call made to ima_post_read_file() with
  648. * a filled buffer, so we don't need to perform an extra
  649. * read early here.
  650. */
  651. if (contents)
  652. return 0;
  653. /* Read entire file for all partial reads. */
  654. func = read_idmap[read_id] ?: FILE_CHECK;
  655. security_current_getsecid_subj(&secid);
  656. return process_measurement(file, current_cred(), secid, NULL,
  657. 0, MAY_READ, func);
  658. }
  659. const int read_idmap[READING_MAX_ID] = {
  660. [READING_FIRMWARE] = FIRMWARE_CHECK,
  661. [READING_MODULE] = MODULE_CHECK,
  662. [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
  663. [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
  664. [READING_POLICY] = POLICY_CHECK
  665. };
  666. /**
  667. * ima_post_read_file - in memory collect/appraise/audit measurement
  668. * @file: pointer to the file to be measured/appraised/audit
  669. * @buf: pointer to in memory file contents
  670. * @size: size of in memory file contents
  671. * @read_id: caller identifier
  672. *
  673. * Measure/appraise/audit in memory file based on policy. Policy rules
  674. * are written in terms of a policy identifier.
  675. *
  676. * On success return 0. On integrity appraisal error, assuming the file
  677. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  678. */
  679. int ima_post_read_file(struct file *file, void *buf, loff_t size,
  680. enum kernel_read_file_id read_id)
  681. {
  682. enum ima_hooks func;
  683. u32 secid;
  684. /* permit signed certs */
  685. if (!file && read_id == READING_X509_CERTIFICATE)
  686. return 0;
  687. if (!file || !buf || size == 0) { /* should never happen */
  688. if (ima_appraise & IMA_APPRAISE_ENFORCE)
  689. return -EACCES;
  690. return 0;
  691. }
  692. func = read_idmap[read_id] ?: FILE_CHECK;
  693. security_current_getsecid_subj(&secid);
  694. return process_measurement(file, current_cred(), secid, buf, size,
  695. MAY_READ, func);
  696. }
  697. /**
  698. * ima_load_data - appraise decision based on policy
  699. * @id: kernel load data caller identifier
  700. * @contents: whether the full contents will be available in a later
  701. * call to ima_post_load_data().
  702. *
  703. * Callers of this LSM hook can not measure, appraise, or audit the
  704. * data provided by userspace. Enforce policy rules requiring a file
  705. * signature (eg. kexec'ed kernel image).
  706. *
  707. * For permission return 0, otherwise return -EACCES.
  708. */
  709. int ima_load_data(enum kernel_load_data_id id, bool contents)
  710. {
  711. bool ima_enforce, sig_enforce;
  712. ima_enforce =
  713. (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
  714. switch (id) {
  715. case LOADING_KEXEC_IMAGE:
  716. if (IS_ENABLED(CONFIG_KEXEC_SIG)
  717. && arch_ima_get_secureboot()) {
  718. pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
  719. return -EACCES;
  720. }
  721. if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
  722. pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
  723. return -EACCES; /* INTEGRITY_UNKNOWN */
  724. }
  725. break;
  726. case LOADING_FIRMWARE:
  727. if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
  728. pr_err("Prevent firmware sysfs fallback loading.\n");
  729. return -EACCES; /* INTEGRITY_UNKNOWN */
  730. }
  731. break;
  732. case LOADING_MODULE:
  733. sig_enforce = is_module_sig_enforced();
  734. if (ima_enforce && (!sig_enforce
  735. && (ima_appraise & IMA_APPRAISE_MODULES))) {
  736. pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
  737. return -EACCES; /* INTEGRITY_UNKNOWN */
  738. }
  739. break;
  740. default:
  741. break;
  742. }
  743. return 0;
  744. }
  745. /**
  746. * ima_post_load_data - appraise decision based on policy
  747. * @buf: pointer to in memory file contents
  748. * @size: size of in memory file contents
  749. * @load_id: kernel load data caller identifier
  750. * @description: @load_id-specific description of contents
  751. *
  752. * Measure/appraise/audit in memory buffer based on policy. Policy rules
  753. * are written in terms of a policy identifier.
  754. *
  755. * On success return 0. On integrity appraisal error, assuming the file
  756. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  757. */
  758. int ima_post_load_data(char *buf, loff_t size,
  759. enum kernel_load_data_id load_id,
  760. char *description)
  761. {
  762. if (load_id == LOADING_FIRMWARE) {
  763. if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
  764. (ima_appraise & IMA_APPRAISE_ENFORCE)) {
  765. pr_err("Prevent firmware loading_store.\n");
  766. return -EACCES; /* INTEGRITY_UNKNOWN */
  767. }
  768. return 0;
  769. }
  770. return 0;
  771. }
  772. /**
  773. * process_buffer_measurement - Measure the buffer or the buffer data hash
  774. * @mnt_userns: user namespace of the mount the inode was found from
  775. * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
  776. * @buf: pointer to the buffer that needs to be added to the log.
  777. * @size: size of buffer(in bytes).
  778. * @eventname: event name to be used for the buffer entry.
  779. * @func: IMA hook
  780. * @pcr: pcr to extend the measurement
  781. * @func_data: func specific data, may be NULL
  782. * @buf_hash: measure buffer data hash
  783. * @digest: buffer digest will be written to
  784. * @digest_len: buffer length
  785. *
  786. * Based on policy, either the buffer data or buffer data hash is measured
  787. *
  788. * Return: 0 if the buffer has been successfully measured, 1 if the digest
  789. * has been written to the passed location but not added to a measurement entry,
  790. * a negative value otherwise.
  791. */
  792. int process_buffer_measurement(struct user_namespace *mnt_userns,
  793. struct inode *inode, const void *buf, int size,
  794. const char *eventname, enum ima_hooks func,
  795. int pcr, const char *func_data,
  796. bool buf_hash, u8 *digest, size_t digest_len)
  797. {
  798. int ret = 0;
  799. const char *audit_cause = "ENOMEM";
  800. struct ima_template_entry *entry = NULL;
  801. struct integrity_iint_cache iint = {};
  802. struct ima_event_data event_data = {.iint = &iint,
  803. .filename = eventname,
  804. .buf = buf,
  805. .buf_len = size};
  806. struct ima_template_desc *template;
  807. struct ima_max_digest_data hash;
  808. char digest_hash[IMA_MAX_DIGEST_SIZE];
  809. int digest_hash_len = hash_digest_size[ima_hash_algo];
  810. int violation = 0;
  811. int action = 0;
  812. u32 secid;
  813. if (digest && digest_len < digest_hash_len)
  814. return -EINVAL;
  815. if (!ima_policy_flag && !digest)
  816. return -ENOENT;
  817. template = ima_template_desc_buf();
  818. if (!template) {
  819. ret = -EINVAL;
  820. audit_cause = "ima_template_desc_buf";
  821. goto out;
  822. }
  823. /*
  824. * Both LSM hooks and auxilary based buffer measurements are
  825. * based on policy. To avoid code duplication, differentiate
  826. * between the LSM hooks and auxilary buffer measurements,
  827. * retrieving the policy rule information only for the LSM hook
  828. * buffer measurements.
  829. */
  830. if (func) {
  831. security_current_getsecid_subj(&secid);
  832. action = ima_get_action(mnt_userns, inode, current_cred(),
  833. secid, 0, func, &pcr, &template,
  834. func_data, NULL);
  835. if (!(action & IMA_MEASURE) && !digest)
  836. return -ENOENT;
  837. }
  838. if (!pcr)
  839. pcr = CONFIG_IMA_MEASURE_PCR_IDX;
  840. iint.ima_hash = &hash.hdr;
  841. iint.ima_hash->algo = ima_hash_algo;
  842. iint.ima_hash->length = hash_digest_size[ima_hash_algo];
  843. ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
  844. if (ret < 0) {
  845. audit_cause = "hashing_error";
  846. goto out;
  847. }
  848. if (buf_hash) {
  849. memcpy(digest_hash, hash.hdr.digest, digest_hash_len);
  850. ret = ima_calc_buffer_hash(digest_hash, digest_hash_len,
  851. iint.ima_hash);
  852. if (ret < 0) {
  853. audit_cause = "hashing_error";
  854. goto out;
  855. }
  856. event_data.buf = digest_hash;
  857. event_data.buf_len = digest_hash_len;
  858. }
  859. if (digest)
  860. memcpy(digest, iint.ima_hash->digest, digest_hash_len);
  861. if (!ima_policy_flag || (func && !(action & IMA_MEASURE)))
  862. return 1;
  863. ret = ima_alloc_init_template(&event_data, &entry, template);
  864. if (ret < 0) {
  865. audit_cause = "alloc_entry";
  866. goto out;
  867. }
  868. ret = ima_store_template(entry, violation, NULL, event_data.buf, pcr);
  869. if (ret < 0) {
  870. audit_cause = "store_entry";
  871. ima_free_template_entry(entry);
  872. }
  873. out:
  874. if (ret < 0)
  875. integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, eventname,
  876. func_measure_str(func),
  877. audit_cause, ret, 0, ret);
  878. return ret;
  879. }
  880. /**
  881. * ima_kexec_cmdline - measure kexec cmdline boot args
  882. * @kernel_fd: file descriptor of the kexec kernel being loaded
  883. * @buf: pointer to buffer
  884. * @size: size of buffer
  885. *
  886. * Buffers can only be measured, not appraised.
  887. */
  888. void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
  889. {
  890. struct fd f;
  891. if (!buf || !size)
  892. return;
  893. f = fdget(kernel_fd);
  894. if (!f.file)
  895. return;
  896. process_buffer_measurement(file_mnt_user_ns(f.file), file_inode(f.file),
  897. buf, size, "kexec-cmdline", KEXEC_CMDLINE, 0,
  898. NULL, false, NULL, 0);
  899. fdput(f);
  900. }
  901. /**
  902. * ima_measure_critical_data - measure kernel integrity critical data
  903. * @event_label: unique event label for grouping and limiting critical data
  904. * @event_name: event name for the record in the IMA measurement list
  905. * @buf: pointer to buffer data
  906. * @buf_len: length of buffer data (in bytes)
  907. * @hash: measure buffer data hash
  908. * @digest: buffer digest will be written to
  909. * @digest_len: buffer length
  910. *
  911. * Measure data critical to the integrity of the kernel into the IMA log
  912. * and extend the pcr. Examples of critical data could be various data
  913. * structures, policies, and states stored in kernel memory that can
  914. * impact the integrity of the system.
  915. *
  916. * Return: 0 if the buffer has been successfully measured, 1 if the digest
  917. * has been written to the passed location but not added to a measurement entry,
  918. * a negative value otherwise.
  919. */
  920. int ima_measure_critical_data(const char *event_label,
  921. const char *event_name,
  922. const void *buf, size_t buf_len,
  923. bool hash, u8 *digest, size_t digest_len)
  924. {
  925. if (!event_name || !event_label || !buf || !buf_len)
  926. return -ENOPARAM;
  927. return process_buffer_measurement(&init_user_ns, NULL, buf, buf_len,
  928. event_name, CRITICAL_DATA, 0,
  929. event_label, hash, digest,
  930. digest_len);
  931. }
  932. EXPORT_SYMBOL_GPL(ima_measure_critical_data);
  933. static int __init init_ima(void)
  934. {
  935. int error;
  936. ima_appraise_parse_cmdline();
  937. ima_init_template_list();
  938. hash_setup(CONFIG_IMA_DEFAULT_HASH);
  939. error = ima_init();
  940. if (error && strcmp(hash_algo_name[ima_hash_algo],
  941. CONFIG_IMA_DEFAULT_HASH) != 0) {
  942. pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
  943. hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
  944. hash_setup_done = 0;
  945. hash_setup(CONFIG_IMA_DEFAULT_HASH);
  946. error = ima_init();
  947. }
  948. if (error)
  949. return error;
  950. error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
  951. if (error)
  952. pr_warn("Couldn't register LSM notifier, error %d\n", error);
  953. if (!error)
  954. ima_update_policy_flags();
  955. return error;
  956. }
  957. late_initcall(init_ima); /* Start IMA after the TPM is available */