// SPDX-License-Identifier: GPL-2.0

/*
 * Copyright 2020 Google LLC.
 */

#include "vmlinux.h"
#include <errno.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

/*
 * Process (thread-group) id whose file accesses are reported. It is compared
 * against the upper 32 bits of bpf_get_current_pid_tgid(), i.e. the tgid.
 * Defaults to 0; presumably written by the userspace loader before the
 * programs are attached (the loader is not visible in this file).
 */
u32 monitored_pid = 0;

/* Ring buffer (1 << 12 bytes) carrying one u64 digest prefix per sample. */
struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 1 << 12);
} ringbuf SEC(".maps");

char _license[] SEC("license") = "GPL";

/* true: query bpf_ima_file_hash(); false: query bpf_ima_inode_hash(). */
bool use_ima_file_hash;
/* Opt-in switches for the two optional hooks defined below. */
bool enable_bprm_creds_for_exec;
bool enable_kernel_read_file;

/*
 * Publish the IMA digest of @file to the ring buffer when the current task
 * belongs to monitored_pid.
 *
 * Only sizeof(u64) bytes are requested from the helper, so consumers see a
 * truncated digest prefix. That is enough for a selftest to compare values,
 * but it is not a collision-resistant identifier and should not back an
 * integrity decision.
 *
 * Nothing is emitted when the helper returns a negative value, when the
 * captured prefix is zero, or when the ring buffer has no free space. A
 * missing sample therefore does not prove that the hook did not fire.
 */
static void ima_test_common(struct file *file)
{
	u64 digest = 0;
	u64 *slot;
	u32 tgid;
	int rc;

	/* The upper half of the combined value is the thread-group id. */
	tgid = bpf_get_current_pid_tgid() >> 32;
	if (tgid != monitored_pid)
		return;

	if (use_ima_file_hash)
		rc = bpf_ima_file_hash(file, &digest, sizeof(digest));
	else
		rc = bpf_ima_inode_hash(file->f_inode, &digest,
					sizeof(digest));

	if (rc < 0)
		return;
	/* A zero prefix is treated as "no digest available". */
	if (digest == 0)
		return;

	slot = bpf_ringbuf_reserve(&ringbuf, sizeof(*slot), 0);
	if (!slot)
		return;

	*slot = digest;
	bpf_ringbuf_submit(slot, 0);
}

/*
 * Sleepable LSM program on bprm_committed_creds: reports the digest of the
 * binary being executed. This hook has no return value, so it cannot deny
 * the exec.
 */
SEC("lsm.s/bprm_committed_creds")
void BPF_PROG(bprm_committed_creds, struct linux_binprm *bprm)
{
	ima_test_common(bprm->file);
}

/*
 * Sleepable LSM program on bprm_creds_for_exec, active only when
 * enable_bprm_creds_for_exec is set. It always returns 0, so it observes the
 * exec and never rejects it.
 */
SEC("lsm.s/bprm_creds_for_exec")
int BPF_PROG(bprm_creds_for_exec, struct linux_binprm *bprm)
{
	if (enable_bprm_creds_for_exec)
		ima_test_common(bprm->file);

	return 0;
}

/*
 * Sleepable LSM program on kernel_read_file, active only when
 * enable_kernel_read_file is set. It reports a digest only for calls with
 * @contents true and @id equal to READING_POLICY; every other call is
 * ignored. It always returns 0, so the read itself is never blocked here.
 */
SEC("lsm.s/kernel_read_file")
int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id,
	     bool contents)
{
	if (!enable_kernel_read_file || !contents || id != READING_POLICY)
		return 0;

	ima_test_common(file);
	return 0;
}