[mirror_ubuntu-artful-kernel.git] / security / integrity / ima / ima_main.c

/*
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Reiner Sailer <sailer@watson.ibm.com>
 * Serge Hallyn <serue@us.ibm.com>
 * Kylene Hall <kylene@us.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 * File: ima_main.c
 *             implements the IMA hooks: ima_bprm_check, ima_file_mmap,
 *             and ima_path_check.
 */
#include <linux/module.h>
#include <linux/file.h>
#include <linux/binfmts.h>
#include <linux/mount.h>
#include <linux/mman.h>

#include "ima.h"

int ima_initialized;

char *ima_hash = "sha1";
static int __init hash_setup(char *str)
{
	if (strncmp(str, "md5", 3) == 0)
		ima_hash = "md5";
	return 1;
}
__setup("ima_hash=", hash_setup);

/**
 * ima_file_free - called on __fput()
 * @file: pointer to file structure being freed
 *
 * Flag files that changed, based on i_version;
 * and decrement the iint readcount/writecount.
 */
void ima_file_free(struct file *file)
{
	struct inode *inode = file->f_dentry->d_inode;
	struct ima_iint_cache *iint;

	if (!ima_initialized || !S_ISREG(inode->i_mode))
		return;
	iint = ima_iint_find_get(inode);
	if (!iint)
		return;

	mutex_lock(&iint->mutex);
	if (iint->opencount <= 0) {
		printk(KERN_INFO
		       "%s: %s open/free imbalance (r:%ld w:%ld o:%ld f:%ld)\n",
		       __FUNCTION__, file->f_dentry->d_name.name,
		       iint->readcount, iint->writecount,
		       iint->opencount, atomic_long_read(&file->f_count));
		if (!(iint->flags & IMA_IINT_DUMP_STACK)) {
			dump_stack();
			iint->flags |= IMA_IINT_DUMP_STACK;
		}
	}
	iint->opencount--;

	if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
		iint->readcount--;

	if (file->f_mode & FMODE_WRITE) {
		iint->writecount--;
		if (iint->writecount == 0) {
			if (iint->version != inode->i_version)
				iint->flags &= ~IMA_MEASURED;
		}
	}
	mutex_unlock(&iint->mutex);
	kref_put(&iint->refcount, iint_free);
}

/* ima_read_write_check - reflect possible reading/writing errors in the PCR.
 *
 * When opening a file for read, if the file is already open for write,
 * the file could change, resulting in a file measurement error.
 *
 * Opening a file for write, if the file is already open for read, results
 * in a time of measure, time of use (ToMToU) error.
 *
 * In either case invalidate the PCR.
 */
enum iint_pcr_error { TOMTOU, OPEN_WRITERS };
static void ima_read_write_check(enum iint_pcr_error error,
				 struct ima_iint_cache *iint,
				 struct inode *inode,
				 const unsigned char *filename)
{
	switch (error) {
	case TOMTOU:
		if (iint->readcount > 0)
			ima_add_violation(inode, filename, "invalid_pcr",
					  "ToMToU");
		break;
	case OPEN_WRITERS:
		if (iint->writecount > 0)
			ima_add_violation(inode, filename, "invalid_pcr",
					  "open_writers");
		break;
	}
}

static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
				const unsigned char *filename)
{
	int rc = 0;

	iint->opencount++;
	iint->readcount++;

	rc = ima_collect_measurement(iint, file);
	if (!rc)
		ima_store_measurement(iint, file, filename);
	return rc;
}

static void ima_update_counts(struct ima_iint_cache *iint, int mask)
{
	iint->opencount++;
	if ((mask & MAY_WRITE) || (mask == 0))
		iint->writecount++;
	else if (mask & (MAY_READ | MAY_EXEC))
		iint->readcount++;
}

/**
 * ima_path_check - based on policy, collect/store measurement.
 * @path: contains a pointer to the path to be measured
 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
 *
 * Measure the file being open for readonly, based on the
 * ima_must_measure() policy decision.
 *
 * Keep read/write counters for all files, but only
 * invalidate the PCR for measured files:
 * 	- Opening a file for write when already open for read,
 *	  results in a time of measure, time of use (ToMToU) error.
 *	- Opening a file for read when already open for write,
 * 	  could result in a file measurement error.
 *
 * Return 0 on success, an error code on failure.
 * (Based on the results of appraise_measurement().)
 */
int ima_path_check(struct path *path, int mask, int update_counts)
{
	struct inode *inode = path->dentry->d_inode;
	struct ima_iint_cache *iint;
	struct file *file = NULL;
	int rc;

	if (!ima_initialized || !S_ISREG(inode->i_mode))
		return 0;
	iint = ima_iint_find_insert_get(inode);
	if (!iint)
		return 0;

	mutex_lock(&iint->mutex);
	if (update_counts)
		ima_update_counts(iint, mask);

	rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
	if (rc < 0)
		goto out;

	if ((mask & MAY_WRITE) || (mask == 0))
		ima_read_write_check(TOMTOU, iint, inode,
				     path->dentry->d_name.name);

	if ((mask & (MAY_WRITE | MAY_READ | MAY_EXEC)) != MAY_READ)
		goto out;

	ima_read_write_check(OPEN_WRITERS, iint, inode,
			     path->dentry->d_name.name);
	if (!(iint->flags & IMA_MEASURED)) {
		struct dentry *dentry = dget(path->dentry);
		struct vfsmount *mnt = mntget(path->mnt);

		file = dentry_open(dentry, mnt, O_RDONLY | O_LARGEFILE,
				   current_cred());
		if (IS_ERR(file)) {
			pr_info("%s dentry_open failed\n", dentry->d_name.name);
			rc = PTR_ERR(file);
			file = NULL;
			goto out;
		}
		rc = get_path_measurement(iint, file, dentry->d_name.name);
	}
out:
	mutex_unlock(&iint->mutex);
	if (file)
		fput(file);
	kref_put(&iint->refcount, iint_free);
	return 0;
}
EXPORT_SYMBOL_GPL(ima_path_check);

static int process_measurement(struct file *file, const unsigned char *filename,
			       int mask, int function)
{
	struct inode *inode = file->f_dentry->d_inode;
	struct ima_iint_cache *iint;
	int rc;

	if (!ima_initialized || !S_ISREG(inode->i_mode))
		return 0;
	iint = ima_iint_find_insert_get(inode);
	if (!iint)
		return -ENOMEM;

	mutex_lock(&iint->mutex);
	rc = ima_must_measure(iint, inode, mask, function);
	if (rc != 0)
		goto out;

	rc = ima_collect_measurement(iint, file);
	if (!rc)
		ima_store_measurement(iint, file, filename);
out:
	mutex_unlock(&iint->mutex);
	kref_put(&iint->refcount, iint_free);
	return rc;
}

/*
 * ima_opens_get - increment file counts
 *
 * - for IPC shm and shmat file.
 * - for nfsd exported files.
 *
 * Increment the counts for these files to prevent unnecessary
 * imbalance messages.
 */
void ima_counts_get(struct file *file)
{
	struct inode *inode = file->f_dentry->d_inode;
	struct ima_iint_cache *iint;

	if (!ima_initialized || !S_ISREG(inode->i_mode))
		return;
	iint = ima_iint_find_insert_get(inode);
	if (!iint)
		return;
	mutex_lock(&iint->mutex);
	iint->opencount++;
	if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
		iint->readcount++;

	if (file->f_mode & FMODE_WRITE)
		iint->writecount++;
	mutex_unlock(&iint->mutex);
}
EXPORT_SYMBOL_GPL(ima_counts_get);

/**
 * ima_file_mmap - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured (May be NULL)
 * @prot: contains the protection that will be applied by the kernel.
 *
 * Measure files being mmapped executable based on the ima_must_measure()
 * policy decision.
 *
 * Return 0 on success, an error code on failure.
 * (Based on the results of appraise_measurement().)
 */
int ima_file_mmap(struct file *file, unsigned long prot)
{
	int rc;

	if (!file)
		return 0;
	if (prot & PROT_EXEC)
		rc = process_measurement(file, file->f_dentry->d_name.name,
					 MAY_EXEC, FILE_MMAP);
	return 0;
}

/**
 * ima_bprm_check - based on policy, collect/store measurement.
 * @bprm: contains the linux_binprm structure
 *
 * The OS protects against an executable file, already open for write,
 * from being executed in deny_write_access() and an executable file,
 * already open for execute, from being modified in get_write_access().
 * So we can be certain that what we verify and measure here is actually
 * what is being executed.
 *
 * Return 0 on success, an error code on failure.
 * (Based on the results of appraise_measurement().)
 */
int ima_bprm_check(struct linux_binprm *bprm)
{
	int rc;

	rc = process_measurement(bprm->file, bprm->filename,
				 MAY_EXEC, BPRM_CHECK);
	return 0;
}

static int __init init_ima(void)
{
	int error;

	ima_iintcache_init();
	error = ima_init();
	ima_initialized = 1;
	return error;
}

static void __exit cleanup_ima(void)
{
	ima_cleanup();
}

late_initcall(init_ima);	/* Start IMA after the TPM is available */

MODULE_DESCRIPTION("Integrity Measurement Architecture");
MODULE_LICENSE("GPL");
Commit	Line	Data
3323eec9 MZ	1	/*
	2	* Copyright (C) 2005,2006,2007,2008 IBM Corporation
	3	*
	4	* Authors:
	5	* Reiner Sailer <sailer@watson.ibm.com>
	6	* Serge Hallyn <serue@us.ibm.com>
	7	* Kylene Hall <kylene@us.ibm.com>
	8	* Mimi Zohar <zohar@us.ibm.com>
	9	*
	10	* This program is free software; you can redistribute it and/or
	11	* modify it under the terms of the GNU General Public License as
	12	* published by the Free Software Foundation, version 2 of the
	13	* License.
	14	*
	15	* File: ima_main.c
	16	* implements the IMA hooks: ima_bprm_check, ima_file_mmap,
	17	* and ima_path_check.
	18	*/
	19	#include <linux/module.h>
	20	#include <linux/file.h>
	21	#include <linux/binfmts.h>
	22	#include <linux/mount.h>
	23	#include <linux/mman.h>
	24
	25	#include "ima.h"
	26
	27	int ima_initialized;
	28
	29	char *ima_hash = "sha1";
	30	static int __init hash_setup(char *str)
	31	{
07ff7a0b MZ	32	if (strncmp(str, "md5", 3) == 0)
07ff7a0b MZ	33	ima_hash = "md5";
3323eec9 MZ	34	return 1;
	35	}
	36	__setup("ima_hash=", hash_setup);
	37
	38	/**
	39	* ima_file_free - called on __fput()
	40	* @file: pointer to file structure being freed
	41	*
	42	* Flag files that changed, based on i_version;
	43	* and decrement the iint readcount/writecount.
	44	*/
	45	void ima_file_free(struct file *file)
	46	{
	47	struct inode *inode = file->f_dentry->d_inode;
	48	struct ima_iint_cache *iint;
	49
	50	if (!ima_initialized \|\| !S_ISREG(inode->i_mode))
	51	return;
	52	iint = ima_iint_find_get(inode);
	53	if (!iint)
	54	return;
	55
	56	mutex_lock(&iint->mutex);
1df9f0a7 MZ	57	if (iint->opencount <= 0) {
	58	printk(KERN_INFO
	59	"%s: %s open/free imbalance (r:%ld w:%ld o:%ld f:%ld)\n",
	60	__FUNCTION__, file->f_dentry->d_name.name,
	61	iint->readcount, iint->writecount,
	62	iint->opencount, atomic_long_read(&file->f_count));
	63	if (!(iint->flags & IMA_IINT_DUMP_STACK)) {
	64	dump_stack();
	65	iint->flags \|= IMA_IINT_DUMP_STACK;
	66	}
	67	}
	68	iint->opencount--;
	69
3323eec9 MZ	70	if ((file->f_mode & (FMODE_READ \| FMODE_WRITE)) == FMODE_READ)
	71	iint->readcount--;
	72
	73	if (file->f_mode & FMODE_WRITE) {
	74	iint->writecount--;
	75	if (iint->writecount == 0) {
	76	if (iint->version != inode->i_version)
	77	iint->flags &= ~IMA_MEASURED;
	78	}
	79	}
	80	mutex_unlock(&iint->mutex);
	81	kref_put(&iint->refcount, iint_free);
	82	}
	83
	84	/* ima_read_write_check - reflect possible reading/writing errors in the PCR.
	85	*
	86	* When opening a file for read, if the file is already open for write,
	87	* the file could change, resulting in a file measurement error.
	88	*
	89	* Opening a file for write, if the file is already open for read, results
	90	* in a time of measure, time of use (ToMToU) error.
	91	*
	92	* In either case invalidate the PCR.
	93	*/
	94	enum iint_pcr_error { TOMTOU, OPEN_WRITERS };
	95	static void ima_read_write_check(enum iint_pcr_error error,
	96	struct ima_iint_cache *iint,
	97	struct inode *inode,
	98	const unsigned char *filename)
	99	{
	100	switch (error) {
	101	case TOMTOU:
	102	if (iint->readcount > 0)
	103	ima_add_violation(inode, filename, "invalid_pcr",
	104	"ToMToU");
	105	break;
	106	case OPEN_WRITERS:
	107	if (iint->writecount > 0)
	108	ima_add_violation(inode, filename, "invalid_pcr",
	109	"open_writers");
	110	break;
	111	}
	112	}
	113
	114	static int get_path_measurement(struct ima_iint_cache iint, struct file file,
	115	const unsigned char *filename)
	116	{
	117	int rc = 0;
	118
1df9f0a7	119	iint->opencount++;
3323eec9 MZ	120	iint->readcount++;
	121
	122	rc = ima_collect_measurement(iint, file);
	123	if (!rc)
	124	ima_store_measurement(iint, file, filename);
	125	return rc;
	126	}
	127
b9fc745d MZ	128	static void ima_update_counts(struct ima_iint_cache *iint, int mask)
	129	{
	130	iint->opencount++;
	131	if ((mask & MAY_WRITE) \|\| (mask == 0))
	132	iint->writecount++;
	133	else if (mask & (MAY_READ \| MAY_EXEC))
	134	iint->readcount++;
	135	}
	136
3323eec9 MZ	137	/**
	138	* ima_path_check - based on policy, collect/store measurement.
	139	* @path: contains a pointer to the path to be measured
	140	* @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
	141	*
	142	* Measure the file being open for readonly, based on the
	143	* ima_must_measure() policy decision.
	144	*
	145	* Keep read/write counters for all files, but only
	146	* invalidate the PCR for measured files:
	147	* - Opening a file for write when already open for read,
	148	* results in a time of measure, time of use (ToMToU) error.
	149	* - Opening a file for read when already open for write,
	150	* could result in a file measurement error.
	151	*
	152	* Return 0 on success, an error code on failure.
	153	* (Based on the results of appraise_measurement().)
	154	*/
b9fc745d	155	int ima_path_check(struct path *path, int mask, int update_counts)
3323eec9 MZ	156	{
	157	struct inode *inode = path->dentry->d_inode;
	158	struct ima_iint_cache *iint;
	159	struct file *file = NULL;
	160	int rc;
	161
	162	if (!ima_initialized \|\| !S_ISREG(inode->i_mode))
	163	return 0;
	164	iint = ima_iint_find_insert_get(inode);
	165	if (!iint)
	166	return 0;
	167
	168	mutex_lock(&iint->mutex);
b9fc745d MZ	169	if (update_counts)
b9fc745d MZ	170	ima_update_counts(iint, mask);
3323eec9 MZ	171
	172	rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
	173	if (rc < 0)
	174	goto out;
	175
	176	if ((mask & MAY_WRITE) \|\| (mask == 0))
	177	ima_read_write_check(TOMTOU, iint, inode,
	178	path->dentry->d_name.name);
	179
	180	if ((mask & (MAY_WRITE \| MAY_READ \| MAY_EXEC)) != MAY_READ)
	181	goto out;
	182
	183	ima_read_write_check(OPEN_WRITERS, iint, inode,
	184	path->dentry->d_name.name);
	185	if (!(iint->flags & IMA_MEASURED)) {
	186	struct dentry *dentry = dget(path->dentry);
	187	struct vfsmount *mnt = mntget(path->mnt);
	188
1a62e958 EP	189	file = dentry_open(dentry, mnt, O_RDONLY \| O_LARGEFILE,
1a62e958 EP	190	current_cred());
f06dd16a EP	191	if (IS_ERR(file)) {
	192	pr_info("%s dentry_open failed\n", dentry->d_name.name);
	193	rc = PTR_ERR(file);
	194	file = NULL;
	195	goto out;
	196	}
3323eec9 MZ	197	rc = get_path_measurement(iint, file, dentry->d_name.name);
	198	}
	199	out:
	200	mutex_unlock(&iint->mutex);
	201	if (file)
	202	fput(file);
	203	kref_put(&iint->refcount, iint_free);
	204	return 0;
	205	}
b9fc745d	206	EXPORT_SYMBOL_GPL(ima_path_check);
3323eec9 MZ	207
	208	static int process_measurement(struct file file, const unsigned char filename,
	209	int mask, int function)
	210	{
	211	struct inode *inode = file->f_dentry->d_inode;
	212	struct ima_iint_cache *iint;
	213	int rc;
	214
	215	if (!ima_initialized \|\| !S_ISREG(inode->i_mode))
	216	return 0;
	217	iint = ima_iint_find_insert_get(inode);
	218	if (!iint)
	219	return -ENOMEM;
	220
	221	mutex_lock(&iint->mutex);
	222	rc = ima_must_measure(iint, inode, mask, function);
	223	if (rc != 0)
	224	goto out;
	225
	226	rc = ima_collect_measurement(iint, file);
	227	if (!rc)
	228	ima_store_measurement(iint, file, filename);
	229	out:
	230	mutex_unlock(&iint->mutex);
	231	kref_put(&iint->refcount, iint_free);
	232	return rc;
	233	}
	234
b9fc745d MZ	235	/*
	236	* ima_opens_get - increment file counts
	237	*
	238	* - for IPC shm and shmat file.
	239	* - for nfsd exported files.
	240	*
	241	* Increment the counts for these files to prevent unnecessary
	242	* imbalance messages.
	243	*/
	244	void ima_counts_get(struct file *file)
1df9f0a7 MZ	245	{
	246	struct inode *inode = file->f_dentry->d_inode;
	247	struct ima_iint_cache *iint;
	248
	249	if (!ima_initialized \|\| !S_ISREG(inode->i_mode))
	250	return;
	251	iint = ima_iint_find_insert_get(inode);
	252	if (!iint)
	253	return;
	254	mutex_lock(&iint->mutex);
	255	iint->opencount++;
b9fc745d MZ	256	if ((file->f_mode & (FMODE_READ \| FMODE_WRITE)) == FMODE_READ)
	257	iint->readcount++;
	258
	259	if (file->f_mode & FMODE_WRITE)
	260	iint->writecount++;
1df9f0a7 MZ	261	mutex_unlock(&iint->mutex);
1df9f0a7 MZ	262	}
b9fc745d	263	EXPORT_SYMBOL_GPL(ima_counts_get);
1df9f0a7	264
3323eec9 MZ	265	/**
	266	* ima_file_mmap - based on policy, collect/store measurement.
	267	* @file: pointer to the file to be measured (May be NULL)
	268	* @prot: contains the protection that will be applied by the kernel.
	269	*
	270	* Measure files being mmapped executable based on the ima_must_measure()
	271	* policy decision.
	272	*
	273	* Return 0 on success, an error code on failure.
	274	* (Based on the results of appraise_measurement().)
	275	*/
	276	int ima_file_mmap(struct file *file, unsigned long prot)
	277	{
	278	int rc;
	279
	280	if (!file)
	281	return 0;
	282	if (prot & PROT_EXEC)
	283	rc = process_measurement(file, file->f_dentry->d_name.name,
	284	MAY_EXEC, FILE_MMAP);
	285	return 0;
	286	}
	287
	288	/**
	289	* ima_bprm_check - based on policy, collect/store measurement.
	290	* @bprm: contains the linux_binprm structure
	291	*
	292	* The OS protects against an executable file, already open for write,
	293	* from being executed in deny_write_access() and an executable file,
	294	* already open for execute, from being modified in get_write_access().
	295	* So we can be certain that what we verify and measure here is actually
	296	* what is being executed.
	297	*
	298	* Return 0 on success, an error code on failure.
	299	* (Based on the results of appraise_measurement().)
	300	*/
	301	int ima_bprm_check(struct linux_binprm *bprm)
	302	{
	303	int rc;
	304
	305	rc = process_measurement(bprm->file, bprm->filename,
	306	MAY_EXEC, BPRM_CHECK);
	307	return 0;
	308	}
	309
	310	static int __init init_ima(void)
	311	{
	312	int error;
	313
	314	ima_iintcache_init();
	315	error = ima_init();
	316	ima_initialized = 1;
	317	return error;
	318	}
	319
bab73937 MZ	320	static void __exit cleanup_ima(void)
	321	{
	322	ima_cleanup();
	323	}
	324
3323eec9 MZ	325	late_initcall(init_ima); /* Start IMA after the TPM is available */
	326
	327	MODULE_DESCRIPTION("Integrity Measurement Architecture");
	328	MODULE_LICENSE("GPL");