ima_main.c 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379
  1. /*
  2. * Copyright (C) 2005,2006,2007,2008 IBM Corporation
  3. *
  4. * Authors:
  5. * Reiner Sailer <sailer@watson.ibm.com>
  6. * Serge Hallyn <serue@us.ibm.com>
  7. * Kylene Hall <kylene@us.ibm.com>
  8. * Mimi Zohar <zohar@us.ibm.com>
  9. *
  10. * This program is free software; you can redistribute it and/or
  11. * modify it under the terms of the GNU General Public License as
  12. * published by the Free Software Foundation, version 2 of the
  13. * License.
  14. *
  15. * File: ima_main.c
  16. * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
  17. * and ima_file_check.
  18. */
  19. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  20. #include <linux/module.h>
  21. #include <linux/file.h>
  22. #include <linux/binfmts.h>
  23. #include <linux/mount.h>
  24. #include <linux/mman.h>
  25. #include <linux/slab.h>
  26. #include <linux/xattr.h>
  27. #include <linux/ima.h>
  28. #include <crypto/hash_info.h>
  29. #include "ima.h"
  30. int ima_initialized;
  31. #ifdef CONFIG_IMA_APPRAISE
  32. int ima_appraise = IMA_APPRAISE_ENFORCE;
  33. #else
  34. int ima_appraise;
  35. #endif
  36. int ima_hash_algo = HASH_ALGO_SHA1;
  37. static int hash_setup_done;
  38. static int __init hash_setup(char *str)
  39. {
  40. struct ima_template_desc *template_desc = ima_template_desc_current();
  41. int i;
  42. if (hash_setup_done)
  43. return 1;
  44. if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
  45. if (strncmp(str, "sha1", 4) == 0)
  46. ima_hash_algo = HASH_ALGO_SHA1;
  47. else if (strncmp(str, "md5", 3) == 0)
  48. ima_hash_algo = HASH_ALGO_MD5;
  49. else
  50. return 1;
  51. goto out;
  52. }
  53. for (i = 0; i < HASH_ALGO__LAST; i++) {
  54. if (strcmp(str, hash_algo_name[i]) == 0) {
  55. ima_hash_algo = i;
  56. break;
  57. }
  58. }
  59. if (i == HASH_ALGO__LAST)
  60. return 1;
  61. out:
  62. hash_setup_done = 1;
  63. return 1;
  64. }
  65. __setup("ima_hash=", hash_setup);
  66. /*
  67. * ima_rdwr_violation_check
  68. *
  69. * Only invalidate the PCR for measured files:
  70. * - Opening a file for write when already open for read,
  71. * results in a time of measure, time of use (ToMToU) error.
  72. * - Opening a file for read when already open for write,
  73. * could result in a file measurement error.
  74. *
  75. */
  76. static void ima_rdwr_violation_check(struct file *file,
  77. struct integrity_iint_cache *iint,
  78. int must_measure,
  79. char **pathbuf,
  80. const char **pathname)
  81. {
  82. struct inode *inode = file_inode(file);
  83. fmode_t mode = file->f_mode;
  84. bool send_tomtou = false, send_writers = false;
  85. if (mode & FMODE_WRITE) {
  86. if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
  87. if (!iint)
  88. iint = integrity_iint_find(inode);
  89. /* IMA_MEASURE is set from reader side */
  90. if (iint && (iint->flags & IMA_MEASURE))
  91. send_tomtou = true;
  92. }
  93. } else {
  94. if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
  95. send_writers = true;
  96. }
  97. if (!send_tomtou && !send_writers)
  98. return;
  99. *pathname = ima_d_path(&file->f_path, pathbuf);
  100. if (send_tomtou)
  101. ima_add_violation(file, *pathname, iint,
  102. "invalid_pcr", "ToMToU");
  103. if (send_writers)
  104. ima_add_violation(file, *pathname, iint,
  105. "invalid_pcr", "open_writers");
  106. }
  107. static void ima_check_last_writer(struct integrity_iint_cache *iint,
  108. struct inode *inode, struct file *file)
  109. {
  110. fmode_t mode = file->f_mode;
  111. if (!(mode & FMODE_WRITE))
  112. return;
  113. mutex_lock(&inode->i_mutex);
  114. if (atomic_read(&inode->i_writecount) == 1) {
  115. if ((iint->version != inode->i_version) ||
  116. (iint->flags & IMA_NEW_FILE)) {
  117. iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
  118. if (iint->flags & IMA_APPRAISE)
  119. ima_update_xattr(iint, file);
  120. }
  121. }
  122. mutex_unlock(&inode->i_mutex);
  123. }
  124. /**
  125. * ima_file_free - called on __fput()
  126. * @file: pointer to file structure being freed
  127. *
  128. * Flag files that changed, based on i_version
  129. */
  130. void ima_file_free(struct file *file)
  131. {
  132. struct inode *inode = file_inode(file);
  133. struct integrity_iint_cache *iint;
  134. if (!ima_policy_flag || !S_ISREG(inode->i_mode))
  135. return;
  136. iint = integrity_iint_find(inode);
  137. if (!iint)
  138. return;
  139. ima_check_last_writer(iint, inode, file);
  140. }
  141. static int process_measurement(struct file *file, int mask, int function,
  142. int opened)
  143. {
  144. struct inode *inode = file_inode(file);
  145. struct integrity_iint_cache *iint = NULL;
  146. struct ima_template_desc *template_desc;
  147. char *pathbuf = NULL;
  148. const char *pathname = NULL;
  149. int rc = -ENOMEM, action, must_appraise;
  150. struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
  151. int xattr_len = 0;
  152. bool violation_check;
  153. if (!ima_policy_flag || !S_ISREG(inode->i_mode))
  154. return 0;
  155. /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
  156. * bitmask based on the appraise/audit/measurement policy.
  157. * Included is the appraise submask.
  158. */
  159. action = ima_get_action(inode, mask, function);
  160. violation_check = ((function == FILE_CHECK || function == MMAP_CHECK) &&
  161. (ima_policy_flag & IMA_MEASURE));
  162. if (!action && !violation_check)
  163. return 0;
  164. must_appraise = action & IMA_APPRAISE;
  165. /* Is the appraise rule hook specific? */
  166. if (action & IMA_FILE_APPRAISE)
  167. function = FILE_CHECK;
  168. mutex_lock(&inode->i_mutex);
  169. if (action) {
  170. iint = integrity_inode_get(inode);
  171. if (!iint)
  172. goto out;
  173. }
  174. if (violation_check) {
  175. ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
  176. &pathbuf, &pathname);
  177. if (!action) {
  178. rc = 0;
  179. goto out_free;
  180. }
  181. }
  182. /* Determine if already appraised/measured based on bitmask
  183. * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
  184. * IMA_AUDIT, IMA_AUDITED)
  185. */
  186. iint->flags |= action;
  187. action &= IMA_DO_MASK;
  188. action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
  189. /* Nothing to do, just return existing appraised status */
  190. if (!action) {
  191. if (must_appraise)
  192. rc = ima_get_cache_status(iint, function);
  193. goto out_digsig;
  194. }
  195. template_desc = ima_template_desc_current();
  196. if ((action & IMA_APPRAISE_SUBMASK) ||
  197. strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
  198. xattr_ptr = &xattr_value;
  199. rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
  200. if (rc != 0) {
  201. if (file->f_flags & O_DIRECT)
  202. rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
  203. goto out_digsig;
  204. }
  205. if (!pathname) /* ima_rdwr_violation possibly pre-fetched */
  206. pathname = ima_d_path(&file->f_path, &pathbuf);
  207. if (action & IMA_MEASURE)
  208. ima_store_measurement(iint, file, pathname,
  209. xattr_value, xattr_len);
  210. if (action & IMA_APPRAISE_SUBMASK)
  211. rc = ima_appraise_measurement(function, iint, file, pathname,
  212. xattr_value, xattr_len, opened);
  213. if (action & IMA_AUDIT)
  214. ima_audit_measurement(iint, pathname);
  215. out_digsig:
  216. if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
  217. rc = -EACCES;
  218. kfree(xattr_value);
  219. out_free:
  220. if (pathbuf)
  221. __putname(pathbuf);
  222. out:
  223. mutex_unlock(&inode->i_mutex);
  224. if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
  225. return -EACCES;
  226. return 0;
  227. }
  228. /**
  229. * ima_file_mmap - based on policy, collect/store measurement.
  230. * @file: pointer to the file to be measured (May be NULL)
  231. * @prot: contains the protection that will be applied by the kernel.
  232. *
  233. * Measure files being mmapped executable based on the ima_must_measure()
  234. * policy decision.
  235. *
  236. * On success return 0. On integrity appraisal error, assuming the file
  237. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  238. */
  239. int ima_file_mmap(struct file *file, unsigned long prot)
  240. {
  241. if (file && (prot & PROT_EXEC))
  242. return process_measurement(file, MAY_EXEC, MMAP_CHECK, 0);
  243. return 0;
  244. }
  245. /**
  246. * ima_bprm_check - based on policy, collect/store measurement.
  247. * @bprm: contains the linux_binprm structure
  248. *
  249. * The OS protects against an executable file, already open for write,
  250. * from being executed in deny_write_access() and an executable file,
  251. * already open for execute, from being modified in get_write_access().
  252. * So we can be certain that what we verify and measure here is actually
  253. * what is being executed.
  254. *
  255. * On success return 0. On integrity appraisal error, assuming the file
  256. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  257. */
  258. int ima_bprm_check(struct linux_binprm *bprm)
  259. {
  260. return process_measurement(bprm->file, MAY_EXEC, BPRM_CHECK, 0);
  261. }
  262. /**
  263. * ima_path_check - based on policy, collect/store measurement.
  264. * @file: pointer to the file to be measured
  265. * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
  266. *
  267. * Measure files based on the ima_must_measure() policy decision.
  268. *
  269. * On success return 0. On integrity appraisal error, assuming the file
  270. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  271. */
  272. int ima_file_check(struct file *file, int mask, int opened)
  273. {
  274. return process_measurement(file,
  275. mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
  276. FILE_CHECK, opened);
  277. }
  278. EXPORT_SYMBOL_GPL(ima_file_check);
  279. /**
  280. * ima_module_check - based on policy, collect/store/appraise measurement.
  281. * @file: pointer to the file to be measured/appraised
  282. *
  283. * Measure/appraise kernel modules based on policy.
  284. *
  285. * On success return 0. On integrity appraisal error, assuming the file
  286. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  287. */
  288. int ima_module_check(struct file *file)
  289. {
  290. if (!file) {
  291. #ifndef CONFIG_MODULE_SIG_FORCE
  292. if ((ima_appraise & IMA_APPRAISE_MODULES) &&
  293. (ima_appraise & IMA_APPRAISE_ENFORCE))
  294. return -EACCES; /* INTEGRITY_UNKNOWN */
  295. #endif
  296. return 0; /* We rely on module signature checking */
  297. }
  298. return process_measurement(file, MAY_EXEC, MODULE_CHECK, 0);
  299. }
  300. int ima_fw_from_file(struct file *file, char *buf, size_t size)
  301. {
  302. if (!file) {
  303. if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
  304. (ima_appraise & IMA_APPRAISE_ENFORCE))
  305. return -EACCES; /* INTEGRITY_UNKNOWN */
  306. return 0;
  307. }
  308. return process_measurement(file, MAY_EXEC, FIRMWARE_CHECK, 0);
  309. }
  310. static int __init init_ima(void)
  311. {
  312. int error;
  313. hash_setup(CONFIG_IMA_DEFAULT_HASH);
  314. error = ima_init();
  315. if (error && strcmp(hash_algo_name[ima_hash_algo],
  316. CONFIG_IMA_DEFAULT_HASH) != 0) {
  317. pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
  318. hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
  319. hash_setup_done = 0;
  320. hash_setup(CONFIG_IMA_DEFAULT_HASH);
  321. error = ima_init();
  322. }
  323. if (!error) {
  324. ima_initialized = 1;
  325. ima_update_policy_flag();
  326. }
  327. return error;
  328. }
  329. late_initcall(init_ima); /* Start IMA after the TPM is available */
  330. MODULE_DESCRIPTION("Integrity Measurement Architecture");
  331. MODULE_LICENSE("GPL");