xref: /openbmc/linux/security/integrity/ima/ima_api.c (revision 9e255e2b)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2008 IBM Corporation
4  *
5  * Author: Mimi Zohar <zohar@us.ibm.com>
6  *
7  * File: ima_api.c
8  *	Implements must_appraise_or_measure, collect_measurement,
9  *	appraise_measurement, store_measurement and store_template.
10  */
11 #include <linux/slab.h>
12 #include <linux/file.h>
13 #include <linux/fs.h>
14 #include <linux/xattr.h>
15 #include <linux/evm.h>
16 #include <linux/iversion.h>
17 
18 #include "ima.h"
19 
20 /*
21  * ima_free_template_entry - free an existing template entry
22  */
23 void ima_free_template_entry(struct ima_template_entry *entry)
24 {
25 	int i;
26 
27 	for (i = 0; i < entry->template_desc->num_fields; i++)
28 		kfree(entry->template_data[i].data);
29 
30 	kfree(entry->digests);
31 	kfree(entry);
32 }
33 
34 /*
35  * ima_alloc_init_template - create and initialize a new template entry
36  */
37 int ima_alloc_init_template(struct ima_event_data *event_data,
38 			    struct ima_template_entry **entry,
39 			    struct ima_template_desc *desc)
40 {
41 	struct ima_template_desc *template_desc;
42 	struct tpm_digest *digests;
43 	int i, result = 0;
44 
45 	if (desc)
46 		template_desc = desc;
47 	else
48 		template_desc = ima_template_desc_current();
49 
50 	*entry = kzalloc(struct_size(*entry, template_data,
51 				     template_desc->num_fields), GFP_NOFS);
52 	if (!*entry)
53 		return -ENOMEM;
54 
55 	digests = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots,
56 			  sizeof(*digests), GFP_NOFS);
57 	if (!digests) {
58 		kfree(*entry);
59 		*entry = NULL;
60 		return -ENOMEM;
61 	}
62 
63 	(*entry)->digests = digests;
64 	(*entry)->template_desc = template_desc;
65 	for (i = 0; i < template_desc->num_fields; i++) {
66 		const struct ima_template_field *field =
67 			template_desc->fields[i];
68 		u32 len;
69 
70 		result = field->field_init(event_data,
71 					   &((*entry)->template_data[i]));
72 		if (result != 0)
73 			goto out;
74 
75 		len = (*entry)->template_data[i].len;
76 		(*entry)->template_data_len += sizeof(len);
77 		(*entry)->template_data_len += len;
78 	}
79 	return 0;
80 out:
81 	ima_free_template_entry(*entry);
82 	*entry = NULL;
83 	return result;
84 }
85 
86 /*
87  * ima_store_template - store ima template measurements
88  *
89  * Calculate the hash of a template entry, add the template entry
90  * to an ordered list of measurement entries maintained inside the kernel,
91  * and also update the aggregate integrity value (maintained inside the
92  * configured TPM PCR) over the hashes of the current list of measurement
93  * entries.
94  *
95  * Applications retrieve the current kernel-held measurement list through
96  * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
97  * TPM PCR (called quote) can be retrieved using a TPM user space library
98  * and is used to validate the measurement list.
99  *
100  * Returns 0 on success, error code otherwise
101  */
102 int ima_store_template(struct ima_template_entry *entry,
103 		       int violation, struct inode *inode,
104 		       const unsigned char *filename, int pcr)
105 {
106 	static const char op[] = "add_template_measure";
107 	static const char audit_cause[] = "hashing_error";
108 	char *template_name = entry->template_desc->name;
109 	int result;
110 
111 	if (!violation) {
112 		result = ima_calc_field_array_hash(&entry->template_data[0],
113 						   entry);
114 		if (result < 0) {
115 			integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
116 					    template_name, op,
117 					    audit_cause, result, 0);
118 			return result;
119 		}
120 	}
121 	entry->pcr = pcr;
122 	result = ima_add_template_entry(entry, violation, op, inode, filename);
123 	return result;
124 }
125 
126 /*
127  * ima_add_violation - add violation to measurement list.
128  *
129  * Violations are flagged in the measurement list with zero hash values.
130  * By extending the PCR with 0xFF's instead of with zeroes, the PCR
131  * value is invalidated.
132  */
133 void ima_add_violation(struct file *file, const unsigned char *filename,
134 		       struct integrity_iint_cache *iint,
135 		       const char *op, const char *cause)
136 {
137 	struct ima_template_entry *entry;
138 	struct inode *inode = file_inode(file);
139 	struct ima_event_data event_data = { .iint = iint,
140 					     .file = file,
141 					     .filename = filename,
142 					     .violation = cause };
143 	int violation = 1;
144 	int result;
145 
146 	/* can overflow, only indicator */
147 	atomic_long_inc(&ima_htable.violations);
148 
149 	result = ima_alloc_init_template(&event_data, &entry, NULL);
150 	if (result < 0) {
151 		result = -ENOMEM;
152 		goto err_out;
153 	}
154 	result = ima_store_template(entry, violation, inode,
155 				    filename, CONFIG_IMA_MEASURE_PCR_IDX);
156 	if (result < 0)
157 		ima_free_template_entry(entry);
158 err_out:
159 	integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
160 			    op, cause, result, 0);
161 }
162 
163 /**
164  * ima_get_action - appraise & measure decision based on policy.
165  * @mnt_userns:	user namespace of the mount the inode was found from
166  * @inode: pointer to the inode associated with the object being validated
167  * @cred: pointer to credentials structure to validate
168  * @secid: secid of the task being validated
169  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
170  *        MAY_APPEND)
171  * @func: caller identifier
172  * @pcr: pointer filled in if matched measure policy sets pcr=
173  * @template_desc: pointer filled in if matched measure policy sets template=
174  * @func_data: func specific data, may be NULL
175  *
176  * The policy is defined in terms of keypairs:
177  *		subj=, obj=, type=, func=, mask=, fsmagic=
178  *	subj,obj, and type: are LSM specific.
179  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
180  *	| KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA
181  *	mask: contains the permission mask
182  *	fsmagic: hex value
183  *
184  * Returns IMA_MEASURE, IMA_APPRAISE mask.
185  *
186  */
187 int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
188 		   const struct cred *cred, u32 secid, int mask,
189 		   enum ima_hooks func, int *pcr,
190 		   struct ima_template_desc **template_desc,
191 		   const char *func_data)
192 {
193 	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
194 
195 	flags &= ima_policy_flag;
196 
197 	return ima_match_policy(mnt_userns, inode, cred, secid, func, mask,
198 				flags, pcr, template_desc, func_data);
199 }
200 
201 /*
202  * ima_collect_measurement - collect file measurement
203  *
204  * Calculate the file hash, if it doesn't already exist,
205  * storing the measurement and i_version in the iint.
206  *
207  * Must be called with iint->mutex held.
208  *
209  * Return 0 on success, error code otherwise
210  */
211 int ima_collect_measurement(struct integrity_iint_cache *iint,
212 			    struct file *file, void *buf, loff_t size,
213 			    enum hash_algo algo, struct modsig *modsig)
214 {
215 	const char *audit_cause = "failed";
216 	struct inode *inode = file_inode(file);
217 	const char *filename = file->f_path.dentry->d_name.name;
218 	int result = 0;
219 	int length;
220 	void *tmpbuf;
221 	u64 i_version;
222 	struct {
223 		struct ima_digest_data hdr;
224 		char digest[IMA_MAX_DIGEST_SIZE];
225 	} hash;
226 
227 	/*
228 	 * Always collect the modsig, because IMA might have already collected
229 	 * the file digest without collecting the modsig in a previous
230 	 * measurement rule.
231 	 */
232 	if (modsig)
233 		ima_collect_modsig(modsig, buf, size);
234 
235 	if (iint->flags & IMA_COLLECTED)
236 		goto out;
237 
238 	/*
239 	 * Dectecting file change is based on i_version. On filesystems
240 	 * which do not support i_version, support is limited to an initial
241 	 * measurement/appraisal/audit.
242 	 */
243 	i_version = inode_query_iversion(inode);
244 	hash.hdr.algo = algo;
245 
246 	/* Initialize hash digest to 0's in case of failure */
247 	memset(&hash.digest, 0, sizeof(hash.digest));
248 
249 	if (buf)
250 		result = ima_calc_buffer_hash(buf, size, &hash.hdr);
251 	else
252 		result = ima_calc_file_hash(file, &hash.hdr);
253 
254 	if (result && result != -EBADF && result != -EINVAL)
255 		goto out;
256 
257 	length = sizeof(hash.hdr) + hash.hdr.length;
258 	tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
259 	if (!tmpbuf) {
260 		result = -ENOMEM;
261 		goto out;
262 	}
263 
264 	iint->ima_hash = tmpbuf;
265 	memcpy(iint->ima_hash, &hash, length);
266 	iint->version = i_version;
267 
268 	/* Possibly temporary failure due to type of read (eg. O_DIRECT) */
269 	if (!result)
270 		iint->flags |= IMA_COLLECTED;
271 out:
272 	if (result) {
273 		if (file->f_flags & O_DIRECT)
274 			audit_cause = "failed(directio)";
275 
276 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
277 				    filename, "collect_data", audit_cause,
278 				    result, 0);
279 	}
280 	return result;
281 }
282 
283 /*
284  * ima_store_measurement - store file measurement
285  *
286  * Create an "ima" template and then store the template by calling
287  * ima_store_template.
288  *
289  * We only get here if the inode has not already been measured,
290  * but the measurement could already exist:
291  *	- multiple copies of the same file on either the same or
292  *	  different filesystems.
293  *	- the inode was previously flushed as well as the iint info,
294  *	  containing the hashing info.
295  *
296  * Must be called with iint->mutex held.
297  */
298 void ima_store_measurement(struct integrity_iint_cache *iint,
299 			   struct file *file, const unsigned char *filename,
300 			   struct evm_ima_xattr_data *xattr_value,
301 			   int xattr_len, const struct modsig *modsig, int pcr,
302 			   struct ima_template_desc *template_desc)
303 {
304 	static const char op[] = "add_template_measure";
305 	static const char audit_cause[] = "ENOMEM";
306 	int result = -ENOMEM;
307 	struct inode *inode = file_inode(file);
308 	struct ima_template_entry *entry;
309 	struct ima_event_data event_data = { .iint = iint,
310 					     .file = file,
311 					     .filename = filename,
312 					     .xattr_value = xattr_value,
313 					     .xattr_len = xattr_len,
314 					     .modsig = modsig };
315 	int violation = 0;
316 
317 	/*
318 	 * We still need to store the measurement in the case of MODSIG because
319 	 * we only have its contents to put in the list at the time of
320 	 * appraisal, but a file measurement from earlier might already exist in
321 	 * the measurement list.
322 	 */
323 	if (iint->measured_pcrs & (0x1 << pcr) && !modsig)
324 		return;
325 
326 	result = ima_alloc_init_template(&event_data, &entry, template_desc);
327 	if (result < 0) {
328 		integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
329 				    op, audit_cause, result, 0);
330 		return;
331 	}
332 
333 	result = ima_store_template(entry, violation, inode, filename, pcr);
334 	if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
335 		iint->flags |= IMA_MEASURED;
336 		iint->measured_pcrs |= (0x1 << pcr);
337 	}
338 	if (result < 0)
339 		ima_free_template_entry(entry);
340 }
341 
342 void ima_audit_measurement(struct integrity_iint_cache *iint,
343 			   const unsigned char *filename)
344 {
345 	struct audit_buffer *ab;
346 	char *hash;
347 	const char *algo_name = hash_algo_name[iint->ima_hash->algo];
348 	int i;
349 
350 	if (iint->flags & IMA_AUDITED)
351 		return;
352 
353 	hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL);
354 	if (!hash)
355 		return;
356 
357 	for (i = 0; i < iint->ima_hash->length; i++)
358 		hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
359 	hash[i * 2] = '\0';
360 
361 	ab = audit_log_start(audit_context(), GFP_KERNEL,
362 			     AUDIT_INTEGRITY_RULE);
363 	if (!ab)
364 		goto out;
365 
366 	audit_log_format(ab, "file=");
367 	audit_log_untrustedstring(ab, filename);
368 	audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash);
369 
370 	audit_log_task_info(ab);
371 	audit_log_end(ab);
372 
373 	iint->flags |= IMA_AUDITED;
374 out:
375 	kfree(hash);
376 	return;
377 }
378 
379 /*
380  * ima_d_path - return a pointer to the full pathname
381  *
382  * Attempt to return a pointer to the full pathname for use in the
383  * IMA measurement list, IMA audit records, and auditing logs.
384  *
385  * On failure, return a pointer to a copy of the filename, not dname.
386  * Returning a pointer to dname, could result in using the pointer
387  * after the memory has been freed.
388  */
389 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
390 {
391 	char *pathname = NULL;
392 
393 	*pathbuf = __getname();
394 	if (*pathbuf) {
395 		pathname = d_absolute_path(path, *pathbuf, PATH_MAX);
396 		if (IS_ERR(pathname)) {
397 			__putname(*pathbuf);
398 			*pathbuf = NULL;
399 			pathname = NULL;
400 		}
401 	}
402 
403 	if (!pathname) {
404 		strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX);
405 		pathname = namebuf;
406 	}
407 
408 	return pathname;
409 }
410