]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/integrity/ima/ima_main.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ima: allow to check MAY_APPEND
[mirror_ubuntu-artful-kernel.git] / security / integrity / ima / ima_main.c
1 /*
2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3 *
4 * Authors:
5 * Reiner Sailer <sailer@watson.ibm.com>
6 * Serge Hallyn <serue@us.ibm.com>
7 * Kylene Hall <kylene@us.ibm.com>
8 * Mimi Zohar <zohar@us.ibm.com>
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
13 * License.
14 *
15 * File: ima_main.c
16 * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17 * and ima_file_check.
18 */
19 #include <linux/module.h>
20 #include <linux/file.h>
21 #include <linux/binfmts.h>
22 #include <linux/mount.h>
23 #include <linux/mman.h>
24 #include <linux/slab.h>
25 #include <linux/xattr.h>
26 #include <linux/ima.h>
27
28 #include "ima.h"
29
30 int ima_initialized;
31
32 #ifdef CONFIG_IMA_APPRAISE
33 int ima_appraise = IMA_APPRAISE_ENFORCE;
34 #else
35 int ima_appraise;
36 #endif
37
38 int ima_hash_algo = HASH_ALGO_SHA1;
39 static int hash_setup_done;
40
41 static int __init hash_setup(char *str)
42 {
43 struct ima_template_desc *template_desc = ima_template_desc_current();
44 int i;
45
46 if (hash_setup_done)
47 return 1;
48
49 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
50 if (strncmp(str, "sha1", 4) == 0)
51 ima_hash_algo = HASH_ALGO_SHA1;
52 else if (strncmp(str, "md5", 3) == 0)
53 ima_hash_algo = HASH_ALGO_MD5;
54 goto out;
55 }
56
57 for (i = 0; i < HASH_ALGO__LAST; i++) {
58 if (strcmp(str, hash_algo_name[i]) == 0) {
59 ima_hash_algo = i;
60 break;
61 }
62 }
63 out:
64 hash_setup_done = 1;
65 return 1;
66 }
67 __setup("ima_hash=", hash_setup);
68
69 /*
70 * ima_rdwr_violation_check
71 *
72 * Only invalidate the PCR for measured files:
73 * - Opening a file for write when already open for read,
74 * results in a time of measure, time of use (ToMToU) error.
75 * - Opening a file for read when already open for write,
76 * could result in a file measurement error.
77 *
78 */
79 static void ima_rdwr_violation_check(struct file *file,
80 struct integrity_iint_cache *iint,
81 int must_measure,
82 char **pathbuf,
83 const char **pathname)
84 {
85 struct inode *inode = file_inode(file);
86 char filename[NAME_MAX];
87 fmode_t mode = file->f_mode;
88 bool send_tomtou = false, send_writers = false;
89
90 if (mode & FMODE_WRITE) {
91 if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
92 if (!iint)
93 iint = integrity_iint_find(inode);
94 /* IMA_MEASURE is set from reader side */
95 if (iint && (iint->flags & IMA_MEASURE))
96 send_tomtou = true;
97 }
98 } else {
99 if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
100 send_writers = true;
101 }
102
103 if (!send_tomtou && !send_writers)
104 return;
105
106 *pathname = ima_d_path(&file->f_path, pathbuf, filename);
107
108 if (send_tomtou)
109 ima_add_violation(file, *pathname, iint,
110 "invalid_pcr", "ToMToU");
111 if (send_writers)
112 ima_add_violation(file, *pathname, iint,
113 "invalid_pcr", "open_writers");
114 }
115
116 static void ima_check_last_writer(struct integrity_iint_cache *iint,
117 struct inode *inode, struct file *file)
118 {
119 fmode_t mode = file->f_mode;
120
121 if (!(mode & FMODE_WRITE))
122 return;
123
124 inode_lock(inode);
125 if (atomic_read(&inode->i_writecount) == 1) {
126 if ((iint->version != inode->i_version) ||
127 (iint->flags & IMA_NEW_FILE)) {
128 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
129 iint->measured_pcrs = 0;
130 if (iint->flags & IMA_APPRAISE)
131 ima_update_xattr(iint, file);
132 }
133 }
134 inode_unlock(inode);
135 }
136
137 /**
138 * ima_file_free - called on __fput()
139 * @file: pointer to file structure being freed
140 *
141 * Flag files that changed, based on i_version
142 */
143 void ima_file_free(struct file *file)
144 {
145 struct inode *inode = file_inode(file);
146 struct integrity_iint_cache *iint;
147
148 if (!ima_policy_flag || !S_ISREG(inode->i_mode))
149 return;
150
151 iint = integrity_iint_find(inode);
152 if (!iint)
153 return;
154
155 ima_check_last_writer(iint, inode, file);
156 }
157
158 static int process_measurement(struct file *file, char *buf, loff_t size,
159 int mask, enum ima_hooks func, int opened)
160 {
161 struct inode *inode = file_inode(file);
162 struct integrity_iint_cache *iint = NULL;
163 struct ima_template_desc *template_desc;
164 char *pathbuf = NULL;
165 char filename[NAME_MAX];
166 const char *pathname = NULL;
167 int rc = -ENOMEM, action, must_appraise;
168 int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
169 struct evm_ima_xattr_data *xattr_value = NULL;
170 int xattr_len = 0;
171 bool violation_check;
172 enum hash_algo hash_algo;
173
174 if (!ima_policy_flag || !S_ISREG(inode->i_mode))
175 return 0;
176
177 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
178 * bitmask based on the appraise/audit/measurement policy.
179 * Included is the appraise submask.
180 */
181 action = ima_get_action(inode, mask, func, &pcr);
182 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
183 (ima_policy_flag & IMA_MEASURE));
184 if (!action && !violation_check)
185 return 0;
186
187 must_appraise = action & IMA_APPRAISE;
188
189 /* Is the appraise rule hook specific? */
190 if (action & IMA_FILE_APPRAISE)
191 func = FILE_CHECK;
192
193 inode_lock(inode);
194
195 if (action) {
196 iint = integrity_inode_get(inode);
197 if (!iint)
198 goto out;
199 }
200
201 if (violation_check) {
202 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
203 &pathbuf, &pathname);
204 if (!action) {
205 rc = 0;
206 goto out_free;
207 }
208 }
209
210 /* Determine if already appraised/measured based on bitmask
211 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
212 * IMA_AUDIT, IMA_AUDITED)
213 */
214 iint->flags |= action;
215 action &= IMA_DO_MASK;
216 action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
217
218 /* If target pcr is already measured, unset IMA_MEASURE action */
219 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
220 action ^= IMA_MEASURE;
221
222 /* Nothing to do, just return existing appraised status */
223 if (!action) {
224 if (must_appraise)
225 rc = ima_get_cache_status(iint, func);
226 goto out_digsig;
227 }
228
229 template_desc = ima_template_desc_current();
230 if ((action & IMA_APPRAISE_SUBMASK) ||
231 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
232 /* read 'security.ima' */
233 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
234
235 hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
236
237 rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
238 if (rc != 0) {
239 if (file->f_flags & O_DIRECT)
240 rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
241 goto out_digsig;
242 }
243
244 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
245 pathname = ima_d_path(&file->f_path, &pathbuf, filename);
246
247 if (action & IMA_MEASURE)
248 ima_store_measurement(iint, file, pathname,
249 xattr_value, xattr_len, pcr);
250 if (action & IMA_APPRAISE_SUBMASK)
251 rc = ima_appraise_measurement(func, iint, file, pathname,
252 xattr_value, xattr_len, opened);
253 if (action & IMA_AUDIT)
254 ima_audit_measurement(iint, pathname);
255
256 out_digsig:
257 if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
258 !(iint->flags & IMA_NEW_FILE))
259 rc = -EACCES;
260 kfree(xattr_value);
261 out_free:
262 if (pathbuf)
263 __putname(pathbuf);
264 out:
265 inode_unlock(inode);
266 if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
267 return -EACCES;
268 return 0;
269 }
270
271 /**
272 * ima_file_mmap - based on policy, collect/store measurement.
273 * @file: pointer to the file to be measured (May be NULL)
274 * @prot: contains the protection that will be applied by the kernel.
275 *
276 * Measure files being mmapped executable based on the ima_must_measure()
277 * policy decision.
278 *
279 * On success return 0. On integrity appraisal error, assuming the file
280 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
281 */
282 int ima_file_mmap(struct file *file, unsigned long prot)
283 {
284 if (file && (prot & PROT_EXEC))
285 return process_measurement(file, NULL, 0, MAY_EXEC,
286 MMAP_CHECK, 0);
287 return 0;
288 }
289
290 /**
291 * ima_bprm_check - based on policy, collect/store measurement.
292 * @bprm: contains the linux_binprm structure
293 *
294 * The OS protects against an executable file, already open for write,
295 * from being executed in deny_write_access() and an executable file,
296 * already open for execute, from being modified in get_write_access().
297 * So we can be certain that what we verify and measure here is actually
298 * what is being executed.
299 *
300 * On success return 0. On integrity appraisal error, assuming the file
301 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
302 */
303 int ima_bprm_check(struct linux_binprm *bprm)
304 {
305 return process_measurement(bprm->file, NULL, 0, MAY_EXEC,
306 BPRM_CHECK, 0);
307 }
308
309 /**
310 * ima_path_check - based on policy, collect/store measurement.
311 * @file: pointer to the file to be measured
312 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
313 *
314 * Measure files based on the ima_must_measure() policy decision.
315 *
316 * On success return 0. On integrity appraisal error, assuming the file
317 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
318 */
319 int ima_file_check(struct file *file, int mask, int opened)
320 {
321 return process_measurement(file, NULL, 0,
322 mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
323 MAY_APPEND), FILE_CHECK, opened);
324 }
325 EXPORT_SYMBOL_GPL(ima_file_check);
326
327 /**
328 * ima_post_path_mknod - mark as a new inode
329 * @dentry: newly created dentry
330 *
331 * Mark files created via the mknodat syscall as new, so that the
332 * file data can be written later.
333 */
334 void ima_post_path_mknod(struct dentry *dentry)
335 {
336 struct integrity_iint_cache *iint;
337 struct inode *inode = dentry->d_inode;
338 int must_appraise;
339
340 must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
341 if (!must_appraise)
342 return;
343
344 iint = integrity_inode_get(inode);
345 if (iint)
346 iint->flags |= IMA_NEW_FILE;
347 }
348
349 /**
350 * ima_read_file - pre-measure/appraise hook decision based on policy
351 * @file: pointer to the file to be measured/appraised/audit
352 * @read_id: caller identifier
353 *
354 * Permit reading a file based on policy. The policy rules are written
355 * in terms of the policy identifier. Appraising the integrity of
356 * a file requires a file descriptor.
357 *
358 * For permission return 0, otherwise return -EACCES.
359 */
360 int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
361 {
362 if (!file && read_id == READING_MODULE) {
363 #ifndef CONFIG_MODULE_SIG_FORCE
364 if ((ima_appraise & IMA_APPRAISE_MODULES) &&
365 (ima_appraise & IMA_APPRAISE_ENFORCE))
366 return -EACCES; /* INTEGRITY_UNKNOWN */
367 #endif
368 return 0; /* We rely on module signature checking */
369 }
370 return 0;
371 }
372
373 static int read_idmap[READING_MAX_ID] = {
374 [READING_FIRMWARE] = FIRMWARE_CHECK,
375 [READING_MODULE] = MODULE_CHECK,
376 [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
377 [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
378 [READING_POLICY] = POLICY_CHECK
379 };
380
381 /**
382 * ima_post_read_file - in memory collect/appraise/audit measurement
383 * @file: pointer to the file to be measured/appraised/audit
384 * @buf: pointer to in memory file contents
385 * @size: size of in memory file contents
386 * @read_id: caller identifier
387 *
388 * Measure/appraise/audit in memory file based on policy. Policy rules
389 * are written in terms of a policy identifier.
390 *
391 * On success return 0. On integrity appraisal error, assuming the file
392 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
393 */
394 int ima_post_read_file(struct file *file, void *buf, loff_t size,
395 enum kernel_read_file_id read_id)
396 {
397 enum ima_hooks func;
398
399 if (!file && read_id == READING_FIRMWARE) {
400 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
401 (ima_appraise & IMA_APPRAISE_ENFORCE))
402 return -EACCES; /* INTEGRITY_UNKNOWN */
403 return 0;
404 }
405
406 if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
407 return 0;
408
409 if (!file || !buf || size == 0) { /* should never happen */
410 if (ima_appraise & IMA_APPRAISE_ENFORCE)
411 return -EACCES;
412 return 0;
413 }
414
415 func = read_idmap[read_id] ?: FILE_CHECK;
416 return process_measurement(file, buf, size, MAY_READ, func, 0);
417 }
418
419 static int __init init_ima(void)
420 {
421 int error;
422
423 ima_init_template_list();
424 hash_setup(CONFIG_IMA_DEFAULT_HASH);
425 error = ima_init();
426 if (!error) {
427 ima_initialized = 1;
428 ima_update_policy_flag();
429 }
430 return error;
431 }
432
433 late_initcall(init_ima); /* Start IMA after the TPM is available */
434
435 MODULE_DESCRIPTION("Integrity Measurement Architecture");
436 MODULE_LICENSE("GPL");
Ubuntu Artful kernel mirror