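/*
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Reiner Sailer <sailer@watson.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 * File: ima.h
 *	internal Integrity Measurement Architecture (IMA) definitions
 *
 * Everything declared here is private to security/integrity/ima; nothing in
 * this header is part of the kernel/user ABI except indirectly through the
 * securityfs measurement list shown via ima_template_show().
 */

#ifndef __LINUX_IMA_H
#define __LINUX_IMA_H

#include <linux/types.h>
#include <linux/crypto.h>
#include <linux/security.h>
#include <linux/hash.h>
#include <linux/tpm.h>
#include <linux/audit.h>

#include "../integrity.h"

/* Output encoding of the measurement list when read through securityfs. */
enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_ASCII };

/* TPM PCR indices referenced by IMA; only PCR 0 and PCR 8 are named. */
enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };

/*
 * digest size for IMA, fits SHA1 or MD5
 *
 * The template buffers below are sized by this constant (SHA1 length).  A
 * digest longer than this (ima_hash_algo can select other algorithms) does
 * not fit in them as-is.
 * NOTE(review): assumes the collect/store paths handle that case -- confirm.
 */
#define IMA_DIGEST_SIZE		SHA1_DIGEST_SIZE
/* Longest event (file) name stored in a template, excluding the NUL. */
#define IMA_EVENT_NAME_LEN_MAX	255

/* Digest lookup table has 2^IMA_HASH_BITS buckets (see ima_hash_key()). */
#define IMA_HASH_BITS 9
#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)

/* set during initialization */
extern int ima_initialized;	/* IMA core finished ima_init() */
extern int ima_used_chip;	/* a TPM was found and is used for PCR extends */
extern int ima_hash_algo;	/* default measurement hash algorithm id */
extern int ima_appraise;	/* IMA_APPRAISE_* mode flags (see below) */

/*
 * IMA inode template definition
 *
 * The "ima" template: a fixed-size digest plus a NUL-terminated name.  Both
 * fields are fixed-size on purpose -- this struct is copied verbatim into the
 * measurement list, so any writer must bound the name at
 * IMA_EVENT_NAME_LEN_MAX and always terminate it.
 */
struct ima_template_data {
	u8 digest[IMA_DIGEST_SIZE];	/* sha1/md5 measurement hash */
	char file_name[IMA_EVENT_NAME_LEN_MAX + 1];	/* name + \0 */
};

/*
 * One measurement list entry.  @digest is the hash of the template data that
 * is extended into the TPM PCR and is therefore sized by TPM_DIGEST_SIZE,
 * not by IMA_DIGEST_SIZE (both are SHA1-length here; keep them in step if
 * either changes).  @template_name / @template_len describe the embedded
 * template so the list can be serialised by ima_template_show().
 */
struct ima_template_entry {
	u8 digest[TPM_DIGEST_SIZE];	/* sha1 or md5 measurement hash */
	const char *template_name;
	int template_len;
	struct ima_template_data template;
};

/*
 * Wrapper that links an entry into both the digest hash table (hnext) and the
 * ordered measurement list (later).  The list order is what an attestation
 * verifier replays, so entries are only ever appended.
 */
struct ima_queue_entry {
	struct hlist_node hnext;	/* place in hash collision list */
	struct list_head later;		/* place in ima_measurements list */
	struct ima_template_entry *entry;
};
extern struct list_head ima_measurements;	/* list of all measurements */

/* Internal IMA function definitions */
int ima_init(void);
void ima_cleanup(void);
int ima_fs_init(void);
void ima_fs_cleanup(void);
int ima_inode_alloc(struct inode *inode);
/*
 * Append @entry to the measurement list (and extend the TPM).  @violation
 * marks an entry recorded because of an integrity violation (e.g. an open-
 * writers race) rather than a normal measurement; @op/@inode/@filename are
 * used for the audit record.
 */
int ima_add_template_entry(struct ima_template_entry *entry, int violation,
			   const char *op, struct inode *inode,
			   const unsigned char *filename);
int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
/*
 * NOTE(review): @len is a signed int; callers must never pass a negative or
 * untrusted length here.  Changing the type would alter the definition in
 * ima_crypto.c, so it is left as-is.
 */
int ima_calc_buffer_hash(const void *data, int len,
			 struct ima_digest_data *hash);
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
/* Record an integrity violation (@op/@cause) for @file as a list entry. */
void ima_add_violation(struct file *file, const unsigned char *filename,
		       const char *op, const char *cause);
int ima_init_crypto(void);

/*
 * used to protect h_table and sha_table
 *
 * NOTE(review): no "sha_table" is declared in this header; as far as this
 * file shows, the lock guards ima_htable and ima_measurements -- confirm in
 * ima_queue.c.
 */
extern spinlock_t ima_queue_lock;

/*
 * Digest hash table used to detect duplicate measurements before they are
 * added to the list.  @len and @violations are atomic so they can be read
 * (e.g. by securityfs) without taking ima_queue_lock.
 */
struct ima_h_table {
	atomic_long_t len;	/* number of stored measurements in the list */
	atomic_long_t violations;
	struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
};
extern struct ima_h_table ima_htable;

/**
 * ima_hash_key - bucket index in ima_htable.queue[] for a measurement digest
 * @digest: measurement digest; only digest[0] is read
 *
 * Returns an IMA_HASH_BITS-wide value.  Because only the first byte of the
 * digest feeds hash_long(), there are at most 256 distinct keys, so at most
 * half of the IMA_MEASURE_HTABLE_SIZE (512) buckets are ever used and all
 * digests sharing a leading byte share one collision chain.  Insert and
 * lookup must both go through this function; the keying is kept unchanged
 * here and widening it is a separate change.
 */
static inline unsigned long ima_hash_key(const u8 *digest)
{
	return hash_long(*digest, IMA_HASH_BITS);
}

/* LIM API function definitions */
int ima_get_action(struct inode *inode, int mask, int function);
int ima_must_measure(struct inode *inode, int mask, int function);
/*
 * Hash @file into @iint and fetch its security.ima xattr.  On success
 * *@xattr_value is allocated and owned by the caller (freed by the caller
 * after appraisal) and *@xattr_len is its length.
 * NOTE(review): ownership inferred from the double pointer -- confirm.
 */
int ima_collect_measurement(struct integrity_iint_cache *iint,
			    struct file *file,
			    struct evm_ima_xattr_data **xattr_value,
			    int *xattr_len);
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
			   const unsigned char *filename);
void ima_audit_measurement(struct integrity_iint_cache *iint,
			   const unsigned char *filename);
int ima_store_template(struct ima_template_entry *entry, int violation,
		       struct inode *inode, const unsigned char *filename);
void ima_template_show(struct seq_file *m, void *e,
		       enum ima_show_type show);
/* Render @path; *@pathbuf receives a buffer the caller must free if non-NULL. */
const char *ima_d_path(struct path *path, char **pathbuf);

/* rbtree tree calls to lookup, insert, delete
 * integrity data associated with an inode.
 */
struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
struct integrity_iint_cache *integrity_iint_find(struct inode *inode);

/* IMA policy related functions */
/*
 * Hook from which a measurement/appraisal is requested.  Values start at 1 so
 * that 0 can mean "no hook" in callers.  A new hook must be added at the end
 * and matched by the policy parser's "func=" keywords.
 */
enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, POST_SETATTR };

int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
		     int flags);
void ima_init_policy(void);
void ima_update_policy(void);
/* Parse one policy rule written to securityfs; @rule is modified in place. */
ssize_t ima_parse_add_rule(char *rule);
void ima_delete_rules(void);

/*
 * Appraise integrity measurements
 *
 * Bit flags carried in ima_appraise.  Presumably (from the names): ENFORCE
 * denies access when appraisal fails, FIX rewrites the security.ima xattr
 * instead of failing, MODULES extends appraisal to kernel modules.
 * NOTE(review): FIX mode re-labels whatever it sees and must not be left on
 * in production -- confirm against ima_appraise.c.
 */
#define IMA_APPRAISE_ENFORCE	0x01
#define IMA_APPRAISE_FIX	0x02
#define IMA_APPRAISE_MODULES	0x04

#ifdef CONFIG_IMA_APPRAISE
int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
			     struct file *file, const unsigned char *filename,
			     struct evm_ima_xattr_data *xattr_value,
			     int xattr_len);
int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
					   int func);
void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
		       struct ima_digest_data *hash);
/* Read security.ima of @dentry; *@xattr_value is allocated for the caller. */
int ima_read_xattr(struct dentry *dentry,
		   struct evm_ima_xattr_data **xattr_value);

#else
/*
 * CONFIG_IMA_APPRAISE disabled: nothing is ever appraised.  ima_must_appraise()
 * reports that no rule matched and the verdict helpers answer
 * INTEGRITY_UNKNOWN, which callers must not mistake for a pass.
 */
static inline int ima_appraise_measurement(int func,
					   struct integrity_iint_cache *iint,
					   struct file *file,
					   const unsigned char *filename,
					   struct evm_ima_xattr_data *xattr_value,
					   int xattr_len)
{
	return INTEGRITY_UNKNOWN;
}

static inline int ima_must_appraise(struct inode *inode, int mask,
				    enum ima_hooks func)
{
	return 0;
}

static inline void ima_update_xattr(struct integrity_iint_cache *iint,
				    struct file *file)
{
}

static inline enum integrity_status ima_get_cache_status(struct integrity_iint_cache
							 *iint, int func)
{
	return INTEGRITY_UNKNOWN;
}

static inline void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
				     int xattr_len,
				     struct ima_digest_data *hash)
{
}

/* No xattr support: report "nothing read" and leave *xattr_value untouched. */
static inline int ima_read_xattr(struct dentry *dentry,
				 struct evm_ima_xattr_data **xattr_value)
{
	return 0;
}

#endif

/* LSM based policy rules require audit */
#ifdef CONFIG_IMA_LSM_RULES

#define security_filter_rule_init security_audit_rule_init
#define security_filter_rule_match security_audit_rule_match

#else

/*
 * Without CONFIG_IMA_LSM_RULES, LSM-keyed rules (obj_user=, subj_role=, ...)
 * cannot be built or matched: both stubs fail with -EINVAL so such a rule is
 * rejected rather than silently matching everything.  They must keep the
 * signatures of security_audit_rule_init()/security_audit_rule_match().
 */
static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
					    void **lsmrule)
{
	return -EINVAL;
}

static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
					     void *lsmrule,
					     struct audit_context *actx)
{
	return -EINVAL;
}
#endif /* CONFIG_IMA_LSM_RULES */
#endif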