xref: /openbmc/linux/security/integrity/ima/ima_api.c (revision e23feb16)
1 /*
2  * Copyright (C) 2008 IBM Corporation
3  *
4  * Author: Mimi Zohar <zohar@us.ibm.com>
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License as
8  * published by the Free Software Foundation, version 2 of the
9  * License.
10  *
11  * File: ima_api.c
12  *	Implements must_appraise_or_measure, collect_measurement,
13  *	appraise_measurement, store_measurement and store_template.
14  */
15 #include <linux/module.h>
16 #include <linux/slab.h>
17 #include <linux/file.h>
18 #include <linux/fs.h>
19 #include <linux/xattr.h>
20 #include <linux/evm.h>
21 #include "ima.h"
22 
23 static const char *IMA_TEMPLATE_NAME = "ima";
24 
25 /*
26  * ima_store_template - store ima template measurements
27  *
28  * Calculate the hash of a template entry, add the template entry
29  * to an ordered list of measurement entries maintained inside the kernel,
30  * and also update the aggregate integrity value (maintained inside the
31  * configured TPM PCR) over the hashes of the current list of measurement
32  * entries.
33  *
34  * Applications retrieve the current kernel-held measurement list through
35  * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
36  * TPM PCR (called quote) can be retrieved using a TPM user space library
37  * and is used to validate the measurement list.
38  *
39  * Returns 0 on success, error code otherwise
40  */
41 int ima_store_template(struct ima_template_entry *entry,
42 		       int violation, struct inode *inode)
43 {
44 	const char *op = "add_template_measure";
45 	const char *audit_cause = "hashing_error";
46 	int result;
47 
48 	memset(entry->digest, 0, sizeof(entry->digest));
49 	entry->template_name = IMA_TEMPLATE_NAME;
50 	entry->template_len = sizeof(entry->template);
51 
52 	if (!violation) {
53 		result = ima_calc_buffer_hash(&entry->template,
54 						entry->template_len,
55 						entry->digest);
56 		if (result < 0) {
57 			integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
58 					    entry->template_name, op,
59 					    audit_cause, result, 0);
60 			return result;
61 		}
62 	}
63 	result = ima_add_template_entry(entry, violation, op, inode);
64 	return result;
65 }
66 
67 /*
68  * ima_add_violation - add violation to measurement list.
69  *
70  * Violations are flagged in the measurement list with zero hash values.
71  * By extending the PCR with 0xFF's instead of with zeroes, the PCR
72  * value is invalidated.
73  */
74 void ima_add_violation(struct inode *inode, const unsigned char *filename,
75 		       const char *op, const char *cause)
76 {
77 	struct ima_template_entry *entry;
78 	int violation = 1;
79 	int result;
80 
81 	/* can overflow, only indicator */
82 	atomic_long_inc(&ima_htable.violations);
83 
84 	entry = kmalloc(sizeof(*entry), GFP_KERNEL);
85 	if (!entry) {
86 		result = -ENOMEM;
87 		goto err_out;
88 	}
89 	memset(&entry->template, 0, sizeof(entry->template));
90 	strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
91 	result = ima_store_template(entry, violation, inode);
92 	if (result < 0)
93 		kfree(entry);
94 err_out:
95 	integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
96 			    op, cause, result, 0);
97 }
98 
99 /**
100  * ima_get_action - appraise & measure decision based on policy.
101  * @inode: pointer to inode to measure
102  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
103  * @function: calling function (FILE_CHECK, BPRM_CHECK, MMAP_CHECK, MODULE_CHECK)
104  *
105  * The policy is defined in terms of keypairs:
106  * 		subj=, obj=, type=, func=, mask=, fsmagic=
107  *	subj,obj, and type: are LSM specific.
108  * 	func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK
109  * 	mask: contains the permission mask
110  *	fsmagic: hex value
111  *
112  * Returns IMA_MEASURE, IMA_APPRAISE mask.
113  *
114  */
115 int ima_get_action(struct inode *inode, int mask, int function)
116 {
117 	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
118 
119 	if (!ima_appraise)
120 		flags &= ~IMA_APPRAISE;
121 
122 	return ima_match_policy(inode, function, mask, flags);
123 }
124 
125 int ima_must_measure(struct inode *inode, int mask, int function)
126 {
127 	return ima_match_policy(inode, function, mask, IMA_MEASURE);
128 }
129 
130 /*
131  * ima_collect_measurement - collect file measurement
132  *
133  * Calculate the file hash, if it doesn't already exist,
134  * storing the measurement and i_version in the iint.
135  *
136  * Must be called with iint->mutex held.
137  *
138  * Return 0 on success, error code otherwise
139  */
140 int ima_collect_measurement(struct integrity_iint_cache *iint,
141 			    struct file *file)
142 {
143 	struct inode *inode = file_inode(file);
144 	const char *filename = file->f_dentry->d_name.name;
145 	int result = 0;
146 
147 	if (!(iint->flags & IMA_COLLECTED)) {
148 		u64 i_version = file_inode(file)->i_version;
149 
150 		iint->ima_xattr.type = IMA_XATTR_DIGEST;
151 		result = ima_calc_file_hash(file, iint->ima_xattr.digest);
152 		if (!result) {
153 			iint->version = i_version;
154 			iint->flags |= IMA_COLLECTED;
155 		}
156 	}
157 	if (result)
158 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
159 				    filename, "collect_data", "failed",
160 				    result, 0);
161 	return result;
162 }
163 
164 /*
165  * ima_store_measurement - store file measurement
166  *
167  * Create an "ima" template and then store the template by calling
168  * ima_store_template.
169  *
170  * We only get here if the inode has not already been measured,
171  * but the measurement could already exist:
172  * 	- multiple copies of the same file on either the same or
173  *	  different filesystems.
174  *	- the inode was previously flushed as well as the iint info,
175  *	  containing the hashing info.
176  *
177  * Must be called with iint->mutex held.
178  */
179 void ima_store_measurement(struct integrity_iint_cache *iint,
180 			   struct file *file, const unsigned char *filename)
181 {
182 	const char *op = "add_template_measure";
183 	const char *audit_cause = "ENOMEM";
184 	int result = -ENOMEM;
185 	struct inode *inode = file_inode(file);
186 	struct ima_template_entry *entry;
187 	int violation = 0;
188 
189 	if (iint->flags & IMA_MEASURED)
190 		return;
191 
192 	entry = kmalloc(sizeof(*entry), GFP_KERNEL);
193 	if (!entry) {
194 		integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
195 				    op, audit_cause, result, 0);
196 		return;
197 	}
198 	memset(&entry->template, 0, sizeof(entry->template));
199 	memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
200 	strcpy(entry->template.file_name,
201 	       (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
202 	       file->f_dentry->d_name.name : filename);
203 
204 	result = ima_store_template(entry, violation, inode);
205 	if (!result || result == -EEXIST)
206 		iint->flags |= IMA_MEASURED;
207 	if (result < 0)
208 		kfree(entry);
209 }
210 
211 void ima_audit_measurement(struct integrity_iint_cache *iint,
212 			   const unsigned char *filename)
213 {
214 	struct audit_buffer *ab;
215 	char hash[(IMA_DIGEST_SIZE * 2) + 1];
216 	int i;
217 
218 	if (iint->flags & IMA_AUDITED)
219 		return;
220 
221 	for (i = 0; i < IMA_DIGEST_SIZE; i++)
222 		hex_byte_pack(hash + (i * 2), iint->ima_xattr.digest[i]);
223 	hash[i * 2] = '\0';
224 
225 	ab = audit_log_start(current->audit_context, GFP_KERNEL,
226 			     AUDIT_INTEGRITY_RULE);
227 	if (!ab)
228 		return;
229 
230 	audit_log_format(ab, "file=");
231 	audit_log_untrustedstring(ab, filename);
232 	audit_log_format(ab, " hash=");
233 	audit_log_untrustedstring(ab, hash);
234 
235 	audit_log_task_info(ab, current);
236 	audit_log_end(ab);
237 
238 	iint->flags |= IMA_AUDITED;
239 }
240 
241 const char *ima_d_path(struct path *path, char **pathbuf)
242 {
243 	char *pathname = NULL;
244 
245 	/* We will allow 11 spaces for ' (deleted)' to be appended */
246 	*pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
247 	if (*pathbuf) {
248 		pathname = d_path(path, *pathbuf, PATH_MAX + 11);
249 		if (IS_ERR(pathname)) {
250 			kfree(*pathbuf);
251 			*pathbuf = NULL;
252 			pathname = NULL;
253 		}
254 	}
255 	return pathname;
256 }
257