1 | /* |
2 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation | |
3 | * | |
4 | * Authors: | |
5 | * Reiner Sailer <sailer@watson.ibm.com> | |
6 | * Serge Hallyn <serue@us.ibm.com> | |
7 | * Kylene Hall <kylene@us.ibm.com> | |
8 | * Mimi Zohar <zohar@us.ibm.com> | |
9 | * | |
10 | * This program is free software; you can redistribute it and/or | |
11 | * modify it under the terms of the GNU General Public License as | |
12 | * published by the Free Software Foundation, version 2 of the | |
13 | * License. | |
14 | * | |
15 | * File: ima_main.c | |
16 | * implements the IMA hooks: ima_bprm_check, ima_file_mmap, | |
17 | * and ima_path_check. | |
18 | */ | |
19 | #include <linux/module.h> | |
20 | #include <linux/file.h> | |
21 | #include <linux/binfmts.h> | |
22 | #include <linux/mount.h> | |
23 | #include <linux/mman.h> | |
24 | ||
25 | #include "ima.h" | |
26 | ||
/* Raised to 1 by init_ima(); the hooks in this file return early while it is 0. */
int ima_initialized;

/* Name of the measurement hash; "sha1" unless the ima_hash= boot option selects md5. */
char *ima_hash = "sha1";
/*
 * hash_setup - handle the "ima_hash=" boot parameter.
 * @str: the text following "ima_hash=".
 *
 * Only "md5" is recognised, and only by its first three characters;
 * any other value leaves the "sha1" default untouched. Always returns 1.
 */
static int __init hash_setup(char *str)
{
	int wants_md5 = (strncmp(str, "md5", 3) == 0);

	if (wants_md5)
		ima_hash = "md5";
	return 1;
}
/* Register hash_setup() as the parser for the "ima_hash=" command-line option. */
__setup("ima_hash=", hash_setup);
37 | ||
/**
 * ima_file_free - called on __fput()
 * @file: pointer to file structure being freed
 *
 * Reverse the counter bumps made while @file was open: opencount always,
 * readcount for a read-only open, writecount for an open with FMODE_WRITE.
 * When the last writer goes away and i_version no longer matches the
 * version recorded at measurement time, IMA_MEASURED is cleared so the
 * next measured open hashes the file again. An opencount already at or
 * below zero is reported every time it is seen; the stack is dumped only
 * the first time for a given inode.
 */
void ima_file_free(struct file *file)
{
	struct inode *inode = file->f_dentry->d_inode;
	struct ima_iint_cache *iint;

	if (!ima_initialized || !S_ISREG(inode->i_mode))
		return;
	iint = ima_iint_find_get(inode);
	if (!iint)
		return;

	mutex_lock(&iint->mutex);

	/* More frees than opens were accounted for this inode. */
	if (iint->opencount <= 0) {
		printk(KERN_INFO
		       "%s: %s open/free imbalance (r:%ld w:%ld o:%ld f:%ld)\n",
		       __FUNCTION__, file->f_dentry->d_name.name,
		       iint->readcount, iint->writecount,
		       iint->opencount, atomic_long_read(&file->f_count));
		if (!(iint->flags & IMA_IINT_DUMP_STACK)) {
			dump_stack();
			iint->flags |= IMA_IINT_DUMP_STACK;
		}
	}
	iint->opencount--;

	if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) {
		iint->readcount--;
	} else if (file->f_mode & FMODE_WRITE) {
		iint->writecount--;
		/* Last writer gone: a moved i_version invalidates the measurement. */
		if (iint->writecount == 0 && iint->version != inode->i_version)
			iint->flags &= ~IMA_MEASURED;
	}

	mutex_unlock(&iint->mutex);
	kref_put(&iint->refcount, iint_free);
}
83 | ||
/* ima_read_write_check - reflect possible reading/writing errors in the PCR.
 *
 * When opening a file for read, if the file is already open for write,
 * the file could change, resulting in a file measurement error.
 *
 * Opening a file for write, if the file is already open for read, results
 * in a time of measure, time of use (ToMToU) error.
 *
 * In either case invalidate the PCR.
 *
 * @error selects which counter is checked; @iint must be locked by the
 * caller. A violation is recorded only when the conflicting counter is
 * positive, otherwise nothing happens.
 */
enum iint_pcr_error { TOMTOU, OPEN_WRITERS };
static void ima_read_write_check(enum iint_pcr_error error,
				 struct ima_iint_cache *iint,
				 struct inode *inode,
				 const unsigned char *filename)
{
	const char *cause = NULL;

	if (error == TOMTOU && iint->readcount > 0)
		cause = "ToMToU";
	else if (error == OPEN_WRITERS && iint->writecount > 0)
		cause = "open_writers";

	if (cause)
		ima_add_violation(inode, filename, "invalid_pcr", cause);
}
113 | ||
/*
 * get_path_measurement - measure a file that IMA opened itself.
 * @iint: integrity cache entry of the inode, locked by the caller.
 * @file: the read-only handle obtained in ima_path_check().
 * @filename: name recorded with the measurement.
 *
 * Bumps opencount and readcount for this extra open (presumably so the
 * fput() of @file later balances through ima_file_free() — verify), then
 * collects the measurement and stores it when collection succeeded.
 * Returns the ima_collect_measurement() result.
 */
static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
				const unsigned char *filename)
{
	int collected;

	iint->opencount++;
	iint->readcount++;

	collected = ima_collect_measurement(iint, file);
	if (collected == 0)
		ima_store_measurement(iint, file, filename);
	return collected;
}
127 | ||
/*
 * ima_update_counts - account one open of @iint's inode.
 * @iint: integrity cache entry, locked by the caller.
 * @mask: MAY_* bits of the open; a mask of 0 is treated as a write.
 *
 * opencount is always bumped. A write (or mask 0) bumps writecount,
 * otherwise a read or exec bumps readcount; any other mask bumps
 * opencount only.
 */
static void ima_update_counts(struct ima_iint_cache *iint, int mask)
{
	int is_write = (mask & MAY_WRITE) || mask == 0;
	int is_read = mask & (MAY_READ | MAY_EXEC);

	iint->opencount++;
	if (is_write)
		iint->writecount++;
	else if (is_read)
		iint->readcount++;
}
136 | ||
/**
 * ima_path_check - based on policy, collect/store measurement.
 * @path: contains a pointer to the path to be measured
 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXEC
 * @update_counts: non-zero to bump the iint open/read/write counters for
 *	this open via ima_update_counts(); zero leaves them alone
 *
 * Measure the file being open for readonly, based on the
 * ima_must_measure() policy decision.
 *
 * Keep read/write counters for all files, but only
 * invalidate the PCR for measured files:
 * - Opening a file for write when already open for read,
 *   results in a time of measure, time of use (ToMToU) error.
 * - Opening a file for read when already open for write,
 *   could result in a file measurement error.
 *
 * Always returns 0. A negative ima_must_measure() result, a dentry_open()
 * failure or a measurement error is kept in rc only to reach the cleanup
 * label and is never propagated, so the open proceeds regardless.
 */
int ima_path_check(struct path *path, int mask, int update_counts)
{
	struct inode *inode = path->dentry->d_inode;
	struct ima_iint_cache *iint;
	struct file *file = NULL;
	int rc;

	if (!ima_initialized || !S_ISREG(inode->i_mode))
		return 0;
	iint = ima_iint_find_insert_get(inode);
	if (!iint)
		return 0;

	mutex_lock(&iint->mutex);
	if (update_counts)
		ima_update_counts(iint, mask);

	/* Policy is consulted as a MAY_READ/PATH_CHECK event whatever @mask says. */
	rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
	if (rc < 0)
		goto out;

	/* A write open (mask 0 counts as write) while readers exist: ToMToU. */
	if ((mask & MAY_WRITE) || (mask == 0))
		ima_read_write_check(TOMTOU, iint, inode,
				     path->dentry->d_name.name);

	/* Only a pure read open is measured from here on. */
	if ((mask & (MAY_WRITE | MAY_READ | MAY_EXEC)) != MAY_READ)
		goto out;

	ima_read_write_check(OPEN_WRITERS, iint, inode,
			     path->dentry->d_name.name);
	if (!(iint->flags & IMA_MEASURED)) {
		/*
		 * The dget/mntget references are handed to dentry_open(); on
		 * success fput() below releases them. On failure they are not
		 * dropped here — presumably dentry_open() drops them itself;
		 * verify. The caller's own reference through @path is what
		 * keeps the dentry valid for the message below.
		 */
		struct dentry *dentry = dget(path->dentry);
		struct vfsmount *mnt = mntget(path->mnt);

		file = dentry_open(dentry, mnt, O_RDONLY | O_LARGEFILE,
				   current_cred());
		if (IS_ERR(file)) {
			pr_info("%s dentry_open failed\n", dentry->d_name.name);
			rc = PTR_ERR(file);
			file = NULL;
			goto out;
		}
		rc = get_path_measurement(iint, file, dentry->d_name.name);
	}
out:
	mutex_unlock(&iint->mutex);
	if (file)
		fput(file);
	kref_put(&iint->refcount, iint_free);
	return 0;
}
/* Made available to GPL modules. */
EXPORT_SYMBOL_GPL(ima_path_check);
207 | |
/*
 * process_measurement - policy-check, collect and store one measurement.
 * @file: the file being executed or mapped.
 * @filename: name recorded with the measurement.
 * @mask: MAY_* bits describing the access.
 * @function: which hook is asking (e.g. FILE_MMAP, BPRM_CHECK).
 *
 * Returns 0 when IMA is not initialised or @file is not a regular file,
 * -ENOMEM when no iint entry could be obtained, the ima_must_measure()
 * result when policy declines (non-zero), otherwise the
 * ima_collect_measurement() result; the measurement is stored only when
 * collection returned 0. The iint mutex is held across policy, collect
 * and store.
 */
static int process_measurement(struct file *file, const unsigned char *filename,
			       int mask, int function)
{
	struct inode *inode = file->f_dentry->d_inode;
	struct ima_iint_cache *iint;
	int rc;

	if (!ima_initialized || !S_ISREG(inode->i_mode))
		return 0;
	iint = ima_iint_find_insert_get(inode);
	if (!iint)
		return -ENOMEM;

	mutex_lock(&iint->mutex);
	rc = ima_must_measure(iint, inode, mask, function);
	if (rc == 0) {
		rc = ima_collect_measurement(iint, file);
		if (rc == 0)
			ima_store_measurement(iint, file, filename);
	}
	mutex_unlock(&iint->mutex);
	kref_put(&iint->refcount, iint_free);
	return rc;
}
234 | ||
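/*
 * ima_counts_get - increment file counts
 * @file: the file whose open is being accounted
 *
 * - for IPC shm and shmat file.
 * - for nfsd exported files.
 *
 * Increment the counts for these files to prevent unnecessary
 * imbalance messages: opencount always, readcount for a read-only
 * open, writecount for an open with FMODE_WRITE (mirroring what
 * ima_file_free() later decrements).
 *
 * The reference obtained from ima_iint_find_insert_get() is dropped
 * before returning, as the other lookups in this file do; without that
 * every call leaked one reference and the iint could never be freed.
 */
void ima_counts_get(struct file *file)
{
	struct inode *inode = file->f_dentry->d_inode;
	struct ima_iint_cache *iint;

	if (!ima_initialized || !S_ISREG(inode->i_mode))
		return;
	iint = ima_iint_find_insert_get(inode);
	if (!iint)
		return;
	mutex_lock(&iint->mutex);
	iint->opencount++;
	if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
		iint->readcount++;

	if (file->f_mode & FMODE_WRITE)
		iint->writecount++;
	mutex_unlock(&iint->mutex);
	kref_put(&iint->refcount, iint_free);
}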
/* Made available to GPL modules. */
EXPORT_SYMBOL_GPL(ima_counts_get);
1df9f0a7 | 264 | |
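/**
 * ima_file_mmap - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured (May be NULL)
 * @prot: contains the protection that will be applied by the kernel.
 *
 * Measure files being mmapped executable based on the ima_must_measure()
 * policy decision. Only mappings with PROT_EXEC are considered; a NULL
 * @file is ignored.
 *
 * Always returns 0: the process_measurement() result is deliberately
 * discarded, so a failed or refused measurement never blocks the mmap.
 * This hook measures, it does not enforce.
 */
int ima_file_mmap(struct file *file, unsigned long prot)
{
	if (!file)
		return 0;
	if (prot & PROT_EXEC)
		(void)process_measurement(file, file->f_dentry->d_name.name,
					  MAY_EXEC, FILE_MMAP);
	return 0;
}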
287 | ||
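/**
 * ima_bprm_check - based on policy, collect/store measurement.
 * @bprm: contains the linux_binprm structure
 *
 * The OS protects against an executable file, already open for write,
 * from being executed in deny_write_access() and an executable file,
 * already open for execute, from being modified in get_write_access().
 * So we can be certain that what we verify and measure here is actually
 * what is being executed.
 *
 * Always returns 0: the process_measurement() result is deliberately
 * discarded, so exec proceeds even when the measurement could not be
 * collected or stored. This hook measures, it does not enforce.
 */
int ima_bprm_check(struct linux_binprm *bprm)
{
	(void)process_measurement(bprm->file, bprm->filename,
				  MAY_EXEC, BPRM_CHECK);
	return 0;
}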
309 | ||
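/*
 * init_ima - bring IMA up (run as a late initcall, after the TPM).
 *
 * Sets up the iint cache, then runs ima_init(). ima_initialized is raised
 * only when ima_init() returned 0: every hook in this file returns early
 * while it is 0, so a failed initialisation leaves IMA inert instead of
 * letting the hooks run against whatever ima_init() did not finish
 * setting up. Returns the ima_init() result.
 */
static int __init init_ima(void)
{
	int error;

	ima_iintcache_init();
	error = ima_init();
	if (error)
		return error;
	ima_initialized = 1;
	return 0;
}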
319 | ||
/* Module exit path; delegates to ima_cleanup(). ima_initialized is not cleared here. */
static void __exit cleanup_ima(void)
{
	ima_cleanup();
}
324 | ||
/* init_ima() also raises ima_initialized, which gates every hook above. */
late_initcall(init_ima);	/* Start IMA after the TPM is available */

MODULE_DESCRIPTION("Integrity Measurement Architecture");
MODULE_LICENSE("GPL");