[mirror_ubuntu-eoan-kernel.git] / security / integrity / ima / ima_main.c

/*
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Reiner Sailer <sailer@watson.ibm.com>
 * Serge Hallyn <serue@us.ibm.com>
 * Kylene Hall <kylene@us.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 * File: ima_main.c
 *	implements the IMA hooks: ima_bprm_check, ima_file_mmap,
 *	and ima_file_check.
 */
#include <linux/module.h>
#include <linux/file.h>
#include <linux/binfmts.h>
#include <linux/mount.h>
#include <linux/mman.h>
#include <linux/slab.h>
#include <linux/xattr.h>
#include <linux/ima.h>
#include <linux/iversion.h>
#include <linux/fs.h>

#include "ima.h"

int ima_initialized;

#ifdef CONFIG_IMA_APPRAISE
int ima_appraise = IMA_APPRAISE_ENFORCE;
#else
int ima_appraise;
#endif

int ima_hash_algo = HASH_ALGO_SHA1;
static int hash_setup_done;

static int __init hash_setup(char *str)
{
	struct ima_template_desc *template_desc = ima_template_desc_current();
	int i;

	if (hash_setup_done)
		return 1;

	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
		if (strncmp(str, "sha1", 4) == 0)
			ima_hash_algo = HASH_ALGO_SHA1;
		else if (strncmp(str, "md5", 3) == 0)
			ima_hash_algo = HASH_ALGO_MD5;
		else
			return 1;
		goto out;
	}

	for (i = 0; i < HASH_ALGO__LAST; i++) {
		if (strcmp(str, hash_algo_name[i]) == 0) {
			ima_hash_algo = i;
			break;
		}
	}
	if (i == HASH_ALGO__LAST)
		return 1;
out:
	hash_setup_done = 1;
	return 1;
}
__setup("ima_hash=", hash_setup);

/*
 * ima_rdwr_violation_check
 *
 * Only invalidate the PCR for measured files:
 *	- Opening a file for write when already open for read,
 *	  results in a time of measure, time of use (ToMToU) error.
 *	- Opening a file for read when already open for write,
 *	  could result in a file measurement error.
 *
 */
static void ima_rdwr_violation_check(struct file *file,
				     struct integrity_iint_cache *iint,
				     int must_measure,
				     char **pathbuf,
				     const char **pathname,
				     char *filename)
{
	struct inode *inode = file_inode(file);
	fmode_t mode = file->f_mode;
	bool send_tomtou = false, send_writers = false;

	if (mode & FMODE_WRITE) {
		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
			if (!iint)
				iint = integrity_iint_find(inode);
			/* IMA_MEASURE is set from reader side */
			if (iint && test_bit(IMA_MUST_MEASURE,
						&iint->atomic_flags))
				send_tomtou = true;
		}
	} else {
		if (must_measure)
			set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
		if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
			send_writers = true;
	}

	if (!send_tomtou && !send_writers)
		return;

	*pathname = ima_d_path(&file->f_path, pathbuf, filename);

	if (send_tomtou)
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "ToMToU");
	if (send_writers)
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "open_writers");
}

static void ima_check_last_writer(struct integrity_iint_cache *iint,
				  struct inode *inode, struct file *file)
{
	fmode_t mode = file->f_mode;
	bool update;

	if (!(mode & FMODE_WRITE))
		return;

	mutex_lock(&iint->mutex);
	if (atomic_read(&inode->i_writecount) == 1) {
		update = test_and_clear_bit(IMA_UPDATE_XATTR,
					    &iint->atomic_flags);
		if (!IS_I_VERSION(inode) ||
		    !inode_eq_iversion(inode, iint->version) ||
		    (iint->flags & IMA_NEW_FILE)) {
			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
			iint->measured_pcrs = 0;
			if (update)
				ima_update_xattr(iint, file);
		}
	}
	mutex_unlock(&iint->mutex);
}

/**
 * ima_file_free - called on __fput()
 * @file: pointer to file structure being freed
 *
 * Flag files that changed, based on i_version
 */
void ima_file_free(struct file *file)
{
	struct inode *inode = file_inode(file);
	struct integrity_iint_cache *iint;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return;

	iint = integrity_iint_find(inode);
	if (!iint)
		return;

	ima_check_last_writer(iint, inode, file);
}

static int process_measurement(struct file *file, const struct cred *cred,
			       u32 secid, char *buf, loff_t size, int mask,
			       enum ima_hooks func, int opened)
{
	struct inode *inode = file_inode(file);
	struct integrity_iint_cache *iint = NULL;
	struct ima_template_desc *template_desc;
	char *pathbuf = NULL;
	char filename[NAME_MAX];
	const char *pathname = NULL;
	int rc = 0, action, must_appraise = 0;
	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
	struct evm_ima_xattr_data *xattr_value = NULL;
	int xattr_len = 0;
	bool violation_check;
	enum hash_algo hash_algo;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return 0;

	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
	 * bitmask based on the appraise/audit/measurement policy.
	 * Included is the appraise submask.
	 */
	action = ima_get_action(inode, cred, secid, mask, func, &pcr);
	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
			   (ima_policy_flag & IMA_MEASURE));
	if (!action && !violation_check)
		return 0;

	must_appraise = action & IMA_APPRAISE;

	/*  Is the appraise rule hook specific?  */
	if (action & IMA_FILE_APPRAISE)
		func = FILE_CHECK;

	inode_lock(inode);

	if (action) {
		iint = integrity_inode_get(inode);
		if (!iint)
			rc = -ENOMEM;
	}

	if (!rc && violation_check)
		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
					 &pathbuf, &pathname, filename);

	inode_unlock(inode);

	if (rc)
		goto out;
	if (!action)
		goto out;

	mutex_lock(&iint->mutex);

	if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
		/* reset appraisal flags if ima_inode_post_setattr was called */
		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
				 IMA_ACTION_FLAGS);

	/*
	 * Re-evaulate the file if either the xattr has changed or the
	 * kernel has no way of detecting file change on the filesystem.
	 * (Limited to privileged mounted filesystems.)
	 */
	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
	    ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
	     !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
	     !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		iint->flags &= ~IMA_DONE_MASK;
		iint->measured_pcrs = 0;
	}

	/* Determine if already appraised/measured based on bitmask
	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
	 *  IMA_AUDIT, IMA_AUDITED)
	 */
	iint->flags |= action;
	action &= IMA_DO_MASK;
	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);

	/* If target pcr is already measured, unset IMA_MEASURE action */
	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
		action ^= IMA_MEASURE;

	/* HASH sets the digital signature and update flags, nothing else */
	if ((action & IMA_HASH) &&
	    !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
		if ((xattr_value && xattr_len > 2) &&
		    (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
			set_bit(IMA_DIGSIG, &iint->atomic_flags);
		iint->flags |= IMA_HASHED;
		action ^= IMA_HASH;
		set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}

	/* Nothing to do, just return existing appraised status */
	if (!action) {
		if (must_appraise)
			rc = ima_get_cache_status(iint, func);
		goto out_locked;
	}

	template_desc = ima_template_desc_current();
	if ((action & IMA_APPRAISE_SUBMASK) ||
		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
		/* read 'security.ima' */
		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);

	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);

	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
		goto out_locked;

	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
		pathname = ima_d_path(&file->f_path, &pathbuf, filename);

	if (action & IMA_MEASURE)
		ima_store_measurement(iint, file, pathname,
				      xattr_value, xattr_len, pcr);
	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
		inode_lock(inode);
		rc = ima_appraise_measurement(func, iint, file, pathname,
					      xattr_value, xattr_len, opened);
		inode_unlock(inode);
	}
	if (action & IMA_AUDIT)
		ima_audit_measurement(iint, pathname);

	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
		rc = 0;
out_locked:
	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
	     !(iint->flags & IMA_NEW_FILE))
		rc = -EACCES;
	mutex_unlock(&iint->mutex);
	kfree(xattr_value);
out:
	if (pathbuf)
		__putname(pathbuf);
	if (must_appraise) {
		if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;
		if (file->f_mode & FMODE_WRITE)
			set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}
	return 0;
}

/**
 * ima_file_mmap - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured (May be NULL)
 * @prot: contains the protection that will be applied by the kernel.
 *
 * Measure files being mmapped executable based on the ima_must_measure()
 * policy decision.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_file_mmap(struct file *file, unsigned long prot)
{
	u32 secid;

	if (file && (prot & PROT_EXEC)) {
		security_task_getsecid(current, &secid);
		return process_measurement(file, current_cred(), secid, NULL,
					   0, MAY_EXEC, MMAP_CHECK, 0);
	}

	return 0;
}

/**
 * ima_bprm_check - based on policy, collect/store measurement.
 * @bprm: contains the linux_binprm structure
 *
 * The OS protects against an executable file, already open for write,
 * from being executed in deny_write_access() and an executable file,
 * already open for execute, from being modified in get_write_access().
 * So we can be certain that what we verify and measure here is actually
 * what is being executed.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_bprm_check(struct linux_binprm *bprm)
{
	int ret;
	u32 secid;

	security_task_getsecid(current, &secid);
	ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
				  MAY_EXEC, BPRM_CHECK, 0);
	if (ret)
		return ret;

	security_cred_getsecid(bprm->cred, &secid);
	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
				   MAY_EXEC, CREDS_CHECK, 0);
}

/**
 * ima_path_check - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured
 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
 *
 * Measure files based on the ima_must_measure() policy decision.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_file_check(struct file *file, int mask, int opened)
{
	u32 secid;

	security_task_getsecid(current, &secid);
	return process_measurement(file, current_cred(), secid, NULL, 0,
				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
					   MAY_APPEND), FILE_CHECK, opened);
}
EXPORT_SYMBOL_GPL(ima_file_check);

/**
 * ima_post_path_mknod - mark as a new inode
 * @dentry: newly created dentry
 *
 * Mark files created via the mknodat syscall as new, so that the
 * file data can be written later.
 */
void ima_post_path_mknod(struct dentry *dentry)
{
	struct integrity_iint_cache *iint;
	struct inode *inode = dentry->d_inode;
	int must_appraise;

	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
	if (!must_appraise)
		return;

	iint = integrity_inode_get(inode);
	if (iint)
		iint->flags |= IMA_NEW_FILE;
}

/**
 * ima_read_file - pre-measure/appraise hook decision based on policy
 * @file: pointer to the file to be measured/appraised/audit
 * @read_id: caller identifier
 *
 * Permit reading a file based on policy. The policy rules are written
 * in terms of the policy identifier.  Appraising the integrity of
 * a file requires a file descriptor.
 *
 * For permission return 0, otherwise return -EACCES.
 */
int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
{
	bool sig_enforce = is_module_sig_enforced();

	if (!file && read_id == READING_MODULE) {
		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		}
		return 0;	/* We rely on module signature checking */
	}
	return 0;
}

static int read_idmap[READING_MAX_ID] = {
	[READING_FIRMWARE] = FIRMWARE_CHECK,
	[READING_MODULE] = MODULE_CHECK,
	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
	[READING_POLICY] = POLICY_CHECK
};

/**
 * ima_post_read_file - in memory collect/appraise/audit measurement
 * @file: pointer to the file to be measured/appraised/audit
 * @buf: pointer to in memory file contents
 * @size: size of in memory file contents
 * @read_id: caller identifier
 *
 * Measure/appraise/audit in memory file based on policy.  Policy rules
 * are written in terms of a policy identifier.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_post_read_file(struct file *file, void *buf, loff_t size,
		       enum kernel_read_file_id read_id)
{
	enum ima_hooks func;
	u32 secid;

	if (!file && read_id == READING_FIRMWARE) {
		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		return 0;
	}

	if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
		return 0;

	/* permit signed certs */
	if (!file && read_id == READING_X509_CERTIFICATE)
		return 0;

	if (!file || !buf || size == 0) { /* should never happen */
		if (ima_appraise & IMA_APPRAISE_ENFORCE)
			return -EACCES;
		return 0;
	}

	func = read_idmap[read_id] ?: FILE_CHECK;
	security_task_getsecid(current, &secid);
	return process_measurement(file, current_cred(), secid, buf, size,
				   MAY_READ, func, 0);
}

static int __init init_ima(void)
{
	int error;

	ima_init_template_list();
	hash_setup(CONFIG_IMA_DEFAULT_HASH);
	error = ima_init();
	if (!error) {
		ima_initialized = 1;
		ima_update_policy_flag();
	}
	return error;
}

late_initcall(init_ima);	/* Start IMA after the TPM is available */

MODULE_DESCRIPTION("Integrity Measurement Architecture");
MODULE_LICENSE("GPL");
Commit	Line	Data
3323eec9 MZ	1	/*
	2	* Copyright (C) 2005,2006,2007,2008 IBM Corporation
	3	*
	4	* Authors:
	5	* Reiner Sailer <sailer@watson.ibm.com>
	6	* Serge Hallyn <serue@us.ibm.com>
	7	* Kylene Hall <kylene@us.ibm.com>
	8	* Mimi Zohar <zohar@us.ibm.com>
	9	*
	10	* This program is free software; you can redistribute it and/or
	11	* modify it under the terms of the GNU General Public License as
	12	* published by the Free Software Foundation, version 2 of the
	13	* License.
	14	*
	15	* File: ima_main.c
e0d5bd2a	16	* implements the IMA hooks: ima_bprm_check, ima_file_mmap,
9bbb6cad	17	* and ima_file_check.
3323eec9 MZ	18	*/
	19	#include <linux/module.h>
	20	#include <linux/file.h>
	21	#include <linux/binfmts.h>
	22	#include <linux/mount.h>
	23	#include <linux/mman.h>
5a0e3ad6	24	#include <linux/slab.h>
2fe5d6de	25	#include <linux/xattr.h>
d5813a57	26	#include <linux/ima.h>
3b370b21	27	#include <linux/iversion.h>
d77ccdc6	28	#include <linux/fs.h>
3323eec9 MZ	29
	30	#include "ima.h"
	31
	32	int ima_initialized;
	33
2fe5d6de MZ	34	#ifdef CONFIG_IMA_APPRAISE
	35	int ima_appraise = IMA_APPRAISE_ENFORCE;
	36	#else
	37	int ima_appraise;
	38	#endif
	39
c7c8bb23	40	int ima_hash_algo = HASH_ALGO_SHA1;
e7a2ad7e	41	static int hash_setup_done;
c7c8bb23	42
3323eec9 MZ	43	static int __init hash_setup(char *str)
3323eec9 MZ	44	{
e7a2ad7e MZ	45	struct ima_template_desc *template_desc = ima_template_desc_current();
	46	int i;
	47
	48	if (hash_setup_done)
	49	return 1;
	50
	51	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
	52	if (strncmp(str, "sha1", 4) == 0)
	53	ima_hash_algo = HASH_ALGO_SHA1;
	54	else if (strncmp(str, "md5", 3) == 0)
	55	ima_hash_algo = HASH_ALGO_MD5;
ebe7c0a7 BW	56	else
ebe7c0a7 BW	57	return 1;
e7a2ad7e MZ	58	goto out;
	59	}
	60
	61	for (i = 0; i < HASH_ALGO__LAST; i++) {
	62	if (strcmp(str, hash_algo_name[i]) == 0) {
	63	ima_hash_algo = i;
	64	break;
	65	}
	66	}
ebe7c0a7 BW	67	if (i == HASH_ALGO__LAST)
ebe7c0a7 BW	68	return 1;
e7a2ad7e MZ	69	out:
e7a2ad7e MZ	70	hash_setup_done = 1;
3323eec9 MZ	71	return 1;
	72	}
	73	__setup("ima_hash=", hash_setup);
	74
8eb988c7	75	/*
890275b5	76	* ima_rdwr_violation_check
8eb988c7	77	*
890275b5	78	* Only invalidate the PCR for measured files:
2bb930ab	79	* - Opening a file for write when already open for read,
8eb988c7 MZ	80	* results in a time of measure, time of use (ToMToU) error.
8eb988c7 MZ	81	* - Opening a file for read when already open for write,
2bb930ab	82	* could result in a file measurement error.
8eb988c7 MZ	83	*
8eb988c7 MZ	84	*/
f7a859ff RS	85	static void ima_rdwr_violation_check(struct file *file,
f7a859ff RS	86	struct integrity_iint_cache *iint,
1b68bdf9	87	int must_measure,
f7a859ff	88	char **pathbuf,
4e8581ee RS	89	const char **pathname,
4e8581ee RS	90	char *filename)
8eb988c7	91	{
c77cecee	92	struct inode *inode = file_inode(file);
8eb988c7	93	fmode_t mode = file->f_mode;
ad16ad00	94	bool send_tomtou = false, send_writers = false;
a178d202	95
8eb988c7	96	if (mode & FMODE_WRITE) {
14503eb9	97	if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
f7a859ff RS	98	if (!iint)
f7a859ff RS	99	iint = integrity_iint_find(inode);
14503eb9	100	/* IMA_MEASURE is set from reader side */
0d73a552 DK	101	if (iint && test_bit(IMA_MUST_MEASURE,
0d73a552 DK	102	&iint->atomic_flags))
14503eb9 DK	103	send_tomtou = true;
14503eb9 DK	104	}
b882fae2	105	} else {
0d73a552 DK	106	if (must_measure)
0d73a552 DK	107	set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
1b68bdf9	108	if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
b882fae2	109	send_writers = true;
8eb988c7	110	}
ad16ad00	111
08e1b76a MZ	112	if (!send_tomtou && !send_writers)
	113	return;
	114
bc15ed66	115	*pathname = ima_d_path(&file->f_path, pathbuf, filename);
ea1046d4	116
ad16ad00	117	if (send_tomtou)
8d94eb9b RS	118	ima_add_violation(file, *pathname, iint,
8d94eb9b RS	119	"invalid_pcr", "ToMToU");
ad16ad00	120	if (send_writers)
8d94eb9b	121	ima_add_violation(file, *pathname, iint,
08e1b76a	122	"invalid_pcr", "open_writers");
8eb988c7 MZ	123	}
8eb988c7 MZ	124
f381c272	125	static void ima_check_last_writer(struct integrity_iint_cache *iint,
2fe5d6de	126	struct inode inode, struct file file)
bc7d2a3e	127	{
4b2a2c67	128	fmode_t mode = file->f_mode;
0d73a552	129	bool update;
bc7d2a3e	130
2fe5d6de MZ	131	if (!(mode & FMODE_WRITE))
	132	return;
	133
0d73a552	134	mutex_lock(&iint->mutex);
b151d6b0	135	if (atomic_read(&inode->i_writecount) == 1) {
0d73a552 DK	136	update = test_and_clear_bit(IMA_UPDATE_XATTR,
0d73a552 DK	137	&iint->atomic_flags);
ac0bf025	138	if (!IS_I_VERSION(inode) \|\|
c472c07b	139	!inode_eq_iversion(inode, iint->version) \|\|
b151d6b0 DK	140	(iint->flags & IMA_NEW_FILE)) {
b151d6b0 DK	141	iint->flags &= ~(IMA_DONE_MASK \| IMA_NEW_FILE);
a422638d	142	iint->measured_pcrs = 0;
0d73a552	143	if (update)
b151d6b0 DK	144	ima_update_xattr(iint, file);
b151d6b0 DK	145	}
2fe5d6de	146	}
0d73a552	147	mutex_unlock(&iint->mutex);
bc7d2a3e EP	148	}
bc7d2a3e EP	149
3323eec9 MZ	150	/**
	151	* ima_file_free - called on __fput()
	152	* @file: pointer to file structure being freed
	153	*
890275b5	154	* Flag files that changed, based on i_version
3323eec9 MZ	155	*/
	156	void ima_file_free(struct file *file)
	157	{
496ad9aa	158	struct inode *inode = file_inode(file);
f381c272	159	struct integrity_iint_cache *iint;
3323eec9	160
0f34a006	161	if (!ima_policy_flag \|\| !S_ISREG(inode->i_mode))
3323eec9	162	return;
196f5181	163
f381c272	164	iint = integrity_iint_find(inode);
854fdd55 MZ	165	if (!iint)
854fdd55 MZ	166	return;
3323eec9	167
854fdd55	168	ima_check_last_writer(iint, inode, file);
3323eec9 MZ	169	}
3323eec9 MZ	170
d906c10d MG	171	static int process_measurement(struct file file, const struct cred cred,
	172	u32 secid, char *buf, loff_t size, int mask,
	173	enum ima_hooks func, int opened)
3323eec9	174	{
496ad9aa	175	struct inode *inode = file_inode(file);
f7a859ff	176	struct integrity_iint_cache *iint = NULL;
209b43ca	177	struct ima_template_desc *template_desc;
ea1046d4	178	char *pathbuf = NULL;
bc15ed66	179	char filename[NAME_MAX];
ea1046d4	180	const char *pathname = NULL;
0d73a552	181	int rc = 0, action, must_appraise = 0;
725de7fa	182	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
1525b06d	183	struct evm_ima_xattr_data *xattr_value = NULL;
d3634d0f	184	int xattr_len = 0;
f7a859ff	185	bool violation_check;
1525b06d	186	enum hash_algo hash_algo;
3323eec9	187
a756024e	188	if (!ima_policy_flag \|\| !S_ISREG(inode->i_mode))
3323eec9	189	return 0;
bc7d2a3e	190
d79d72e0 MZ	191	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
	192	* bitmask based on the appraise/audit/measurement policy.
	193	* Included is the appraise submask.
	194	*/
d906c10d	195	action = ima_get_action(inode, cred, secid, mask, func, &pcr);
4ad87a3d	196	violation_check = ((func == FILE_CHECK \|\| func == MMAP_CHECK) &&
f7a859ff RS	197	(ima_policy_flag & IMA_MEASURE));
f7a859ff RS	198	if (!action && !violation_check)
2fe5d6de MZ	199	return 0;
2fe5d6de MZ	200
2fe5d6de	201	must_appraise = action & IMA_APPRAISE;
bc7d2a3e	202
5a73fcfa	203	/* Is the appraise rule hook specific? */
3a8a2ead	204	if (action & IMA_FILE_APPRAISE)
4ad87a3d	205	func = FILE_CHECK;
5a73fcfa	206
5955102c	207	inode_lock(inode);
2fe5d6de	208
f7a859ff RS	209	if (action) {
	210	iint = integrity_inode_get(inode);
	211	if (!iint)
0d73a552	212	rc = -ENOMEM;
f7a859ff RS	213	}
f7a859ff RS	214
0d73a552	215	if (!rc && violation_check)
1b68bdf9	216	ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
4e8581ee	217	&pathbuf, &pathname, filename);
0d73a552 DK	218
	219	inode_unlock(inode);
	220
	221	if (rc)
	222	goto out;
	223	if (!action)
	224	goto out;
	225
	226	mutex_lock(&iint->mutex);
	227
	228	if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
	229	/* reset appraisal flags if ima_inode_post_setattr was called */
	230	iint->flags &= ~(IMA_APPRAISE \| IMA_APPRAISED \|
	231	IMA_APPRAISE_SUBMASK \| IMA_APPRAISED_SUBMASK \|
	232	IMA_ACTION_FLAGS);
	233
d77ccdc6 MZ	234	/*
	235	* Re-evaulate the file if either the xattr has changed or the
	236	* kernel has no way of detecting file change on the filesystem.
	237	* (Limited to privileged mounted filesystems.)
	238	*/
	239	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) \|\|
	240	((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
9e67028e MZ	241	!(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
9e67028e MZ	242	!(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
0d73a552	243	iint->flags &= ~IMA_DONE_MASK;
d77ccdc6 MZ	244	iint->measured_pcrs = 0;
d77ccdc6 MZ	245	}
bf2276d1	246
2fe5d6de	247	/* Determine if already appraised/measured based on bitmask
d79d72e0 MZ	248	* (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
	249	* IMA_AUDIT, IMA_AUDITED)
	250	*/
2fe5d6de	251	iint->flags \|= action;
0e5a247c	252	action &= IMA_DO_MASK;
a422638d ER	253	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
	254
	255	/* If target pcr is already measured, unset IMA_MEASURE action */
	256	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
	257	action ^= IMA_MEASURE;
2fe5d6de	258
da1b0029 MZ	259	/* HASH sets the digital signature and update flags, nothing else */
	260	if ((action & IMA_HASH) &&
	261	!(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
	262	xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
	263	if ((xattr_value && xattr_len > 2) &&
	264	(xattr_value->type == EVM_IMA_XATTR_DIGSIG))
	265	set_bit(IMA_DIGSIG, &iint->atomic_flags);
	266	iint->flags \|= IMA_HASHED;
	267	action ^= IMA_HASH;
	268	set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	269	}
	270
2fe5d6de MZ	271	/* Nothing to do, just return existing appraised status */
2fe5d6de MZ	272	if (!action) {
d79d72e0	273	if (must_appraise)
4ad87a3d	274	rc = ima_get_cache_status(iint, func);
0d73a552	275	goto out_locked;
2fe5d6de	276	}
3323eec9	277
209b43ca	278	template_desc = ima_template_desc_current();
f68c05f4 DK	279	if ((action & IMA_APPRAISE_SUBMASK) \|\|
f68c05f4 DK	280	strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
1525b06d	281	/* read 'security.ima' */
e71b9dff	282	xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
d3634d0f	283
1525b06d DK	284	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
1525b06d DK	285
cf222217	286	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
f3cc6b25	287	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
0d73a552	288	goto out_locked;
08e1b76a	289
bc15ed66 MZ	290	if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
bc15ed66 MZ	291	pathname = ima_d_path(&file->f_path, &pathbuf, filename);
08e1b76a	292
2fe5d6de	293	if (action & IMA_MEASURE)
bcbc9b0c	294	ima_store_measurement(iint, file, pathname,
14b1da85	295	xattr_value, xattr_len, pcr);
0d73a552 DK	296	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
0d73a552 DK	297	inode_lock(inode);
4ad87a3d	298	rc = ima_appraise_measurement(func, iint, file, pathname,
3034a146	299	xattr_value, xattr_len, opened);
0d73a552 DK	300	inode_unlock(inode);
0d73a552 DK	301	}
e7c568e0	302	if (action & IMA_AUDIT)
ea1046d4	303	ima_audit_measurement(iint, pathname);
f7a859ff	304
f3cc6b25 MZ	305	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
f3cc6b25 MZ	306	rc = 0;
0d73a552 DK	307	out_locked:
0d73a552 DK	308	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
05d1a717	309	!(iint->flags & IMA_NEW_FILE))
a175b8bb	310	rc = -EACCES;
0d73a552	311	mutex_unlock(&iint->mutex);
f7a859ff	312	kfree(xattr_value);
0d73a552	313	out:
456f5fd3 DK	314	if (pathbuf)
456f5fd3 DK	315	__putname(pathbuf);
0d73a552 DK	316	if (must_appraise) {
	317	if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
	318	return -EACCES;
	319	if (file->f_mode & FMODE_WRITE)
	320	set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	321	}
750943a3	322	return 0;
3323eec9 MZ	323	}
	324
	325	/**
	326	* ima_file_mmap - based on policy, collect/store measurement.
	327	* @file: pointer to the file to be measured (May be NULL)
	328	* @prot: contains the protection that will be applied by the kernel.
	329	*
	330	* Measure files being mmapped executable based on the ima_must_measure()
	331	* policy decision.
	332	*
750943a3 DK	333	* On success return 0. On integrity appraisal error, assuming the file
750943a3 DK	334	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
3323eec9 MZ	335	*/
	336	int ima_file_mmap(struct file *file, unsigned long prot)
	337	{
d906c10d MG	338	u32 secid;
	339
	340	if (file && (prot & PROT_EXEC)) {
	341	security_task_getsecid(current, &secid);
	342	return process_measurement(file, current_cred(), secid, NULL,
	343	0, MAY_EXEC, MMAP_CHECK, 0);
	344	}
	345
750943a3	346	return 0;
3323eec9 MZ	347	}
	348
	349	/**
	350	* ima_bprm_check - based on policy, collect/store measurement.
	351	* @bprm: contains the linux_binprm structure
	352	*
	353	* The OS protects against an executable file, already open for write,
	354	* from being executed in deny_write_access() and an executable file,
	355	* already open for execute, from being modified in get_write_access().
	356	* So we can be certain that what we verify and measure here is actually
	357	* what is being executed.
	358	*
750943a3 DK	359	* On success return 0. On integrity appraisal error, assuming the file
750943a3 DK	360	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
3323eec9 MZ	361	*/
	362	int ima_bprm_check(struct linux_binprm *bprm)
	363	{
d906c10d MG	364	int ret;
	365	u32 secid;
	366
	367	security_task_getsecid(current, &secid);
	368	ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
	369	MAY_EXEC, BPRM_CHECK, 0);
	370	if (ret)
	371	return ret;
	372
	373	security_cred_getsecid(bprm->cred, &secid);
	374	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
	375	MAY_EXEC, CREDS_CHECK, 0);
3323eec9 MZ	376	}
3323eec9 MZ	377
8eb988c7 MZ	378	/**
	379	* ima_path_check - based on policy, collect/store measurement.
	380	* @file: pointer to the file to be measured
20f482ab	381	* @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
8eb988c7 MZ	382	*
	383	* Measure files based on the ima_must_measure() policy decision.
	384	*
750943a3 DK	385	* On success return 0. On integrity appraisal error, assuming the file
750943a3 DK	386	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
8eb988c7	387	*/
3034a146	388	int ima_file_check(struct file *file, int mask, int opened)
8eb988c7	389	{
d906c10d MG	390	u32 secid;
	391
	392	security_task_getsecid(current, &secid);
	393	return process_measurement(file, current_cred(), secid, NULL, 0,
20f482ab LZ	394	mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC \|
20f482ab LZ	395	MAY_APPEND), FILE_CHECK, opened);
8eb988c7	396	}
9bbb6cad	397	EXPORT_SYMBOL_GPL(ima_file_check);
8eb988c7	398
05d1a717 MZ	399	/**
	400	* ima_post_path_mknod - mark as a new inode
	401	* @dentry: newly created dentry
	402	*
	403	* Mark files created via the mknodat syscall as new, so that the
	404	* file data can be written later.
	405	*/
	406	void ima_post_path_mknod(struct dentry *dentry)
	407	{
	408	struct integrity_iint_cache *iint;
	409	struct inode *inode = dentry->d_inode;
	410	int must_appraise;
	411
	412	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
	413	if (!must_appraise)
	414	return;
	415
	416	iint = integrity_inode_get(inode);
	417	if (iint)
	418	iint->flags \|= IMA_NEW_FILE;
	419	}
	420
39eeb4fb MZ	421	/**
	422	* ima_read_file - pre-measure/appraise hook decision based on policy
	423	* @file: pointer to the file to be measured/appraised/audit
	424	* @read_id: caller identifier
	425	*
	426	* Permit reading a file based on policy. The policy rules are written
	427	* in terms of the policy identifier. Appraising the integrity of
	428	* a file requires a file descriptor.
	429	*
	430	* For permission return 0, otherwise return -EACCES.
	431	*/
	432	int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
	433	{
7c9bc098 BM	434	bool sig_enforce = is_module_sig_enforced();
7c9bc098 BM	435
a1db7420	436	if (!file && read_id == READING_MODULE) {
7c9bc098	437	if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
9c655be0 BM	438	(ima_appraise & IMA_APPRAISE_ENFORCE)) {
9c655be0 BM	439	pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
a1db7420	440	return -EACCES; /* INTEGRITY_UNKNOWN */
9c655be0	441	}
a1db7420 MZ	442	return 0; /* We rely on module signature checking */
a1db7420 MZ	443	}
39eeb4fb MZ	444	return 0;
	445	}
	446
d9ddf077 MZ	447	static int read_idmap[READING_MAX_ID] = {
	448	[READING_FIRMWARE] = FIRMWARE_CHECK,
	449	[READING_MODULE] = MODULE_CHECK,
	450	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
	451	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
19f8a847	452	[READING_POLICY] = POLICY_CHECK
d9ddf077 MZ	453	};
d9ddf077 MZ	454
cf222217 MZ	455	/**
	456	* ima_post_read_file - in memory collect/appraise/audit measurement
	457	* @file: pointer to the file to be measured/appraised/audit
	458	* @buf: pointer to in memory file contents
	459	* @size: size of in memory file contents
	460	* @read_id: caller identifier
	461	*
	462	* Measure/appraise/audit in memory file based on policy. Policy rules
	463	* are written in terms of a policy identifier.
	464	*
	465	* On success return 0. On integrity appraisal error, assuming the file
	466	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
	467	*/
	468	int ima_post_read_file(struct file file, void buf, loff_t size,
	469	enum kernel_read_file_id read_id)
	470	{
d9ddf077	471	enum ima_hooks func;
d906c10d	472	u32 secid;
cf222217	473
e40ba6d5 MZ	474	if (!file && read_id == READING_FIRMWARE) {
	475	if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
	476	(ima_appraise & IMA_APPRAISE_ENFORCE))
	477	return -EACCES; /* INTEGRITY_UNKNOWN */
	478	return 0;
	479	}
	480
a1db7420 MZ	481	if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
	482	return 0;
	483
a7d3d039 CH	484	/* permit signed certs */
	485	if (!file && read_id == READING_X509_CERTIFICATE)
	486	return 0;
	487
cf222217 MZ	488	if (!file \|\| !buf \|\| size == 0) { /* should never happen */
	489	if (ima_appraise & IMA_APPRAISE_ENFORCE)
	490	return -EACCES;
	491	return 0;
	492	}
	493
d9ddf077	494	func = read_idmap[read_id] ?: FILE_CHECK;
d906c10d MG	495	security_task_getsecid(current, &secid);
	496	return process_measurement(file, current_cred(), secid, buf, size,
	497	MAY_READ, func, 0);
5a9196d7 MZ	498	}
5a9196d7 MZ	499
3323eec9 MZ	500	static int __init init_ima(void)
	501	{
	502	int error;
	503
3f23d624	504	ima_init_template_list();
e7a2ad7e	505	hash_setup(CONFIG_IMA_DEFAULT_HASH);
3323eec9	506	error = ima_init();
a756024e	507	if (!error) {
31b70f66	508	ima_initialized = 1;
a756024e RS	509	ima_update_policy_flag();
a756024e RS	510	}
3323eec9 MZ	511	return error;
	512	}
	513
	514	late_initcall(init_ima); /* Start IMA after the TPM is available */
	515
	516	MODULE_DESCRIPTION("Integrity Measurement Architecture");
	517	MODULE_LICENSE("GPL");