xref: /openbmc/linux/security/integrity/ima/ima_api.c (revision f17f06a0)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2008 IBM Corporation
4  *
5  * Author: Mimi Zohar <zohar@us.ibm.com>
6  *
7  * File: ima_api.c
8  *	Implements must_appraise_or_measure, collect_measurement,
9  *	appraise_measurement, store_measurement and store_template.
10  */
11 #include <linux/slab.h>
12 #include <linux/file.h>
13 #include <linux/fs.h>
14 #include <linux/xattr.h>
15 #include <linux/evm.h>
16 #include <linux/iversion.h>
17 
18 #include "ima.h"
19 
20 /*
21  * ima_free_template_entry - free an existing template entry
22  */
23 void ima_free_template_entry(struct ima_template_entry *entry)
24 {
25 	int i;
26 
27 	for (i = 0; i < entry->template_desc->num_fields; i++)
28 		kfree(entry->template_data[i].data);
29 
30 	kfree(entry);
31 }
32 
33 /*
34  * ima_alloc_init_template - create and initialize a new template entry
35  */
36 int ima_alloc_init_template(struct ima_event_data *event_data,
37 			    struct ima_template_entry **entry,
38 			    struct ima_template_desc *desc)
39 {
40 	struct ima_template_desc *template_desc;
41 	int i, result = 0;
42 
43 	if (desc)
44 		template_desc = desc;
45 	else
46 		template_desc = ima_template_desc_current();
47 
48 	*entry = kzalloc(struct_size(*entry, template_data,
49 				     template_desc->num_fields), GFP_NOFS);
50 	if (!*entry)
51 		return -ENOMEM;
52 
53 	(*entry)->template_desc = template_desc;
54 	for (i = 0; i < template_desc->num_fields; i++) {
55 		const struct ima_template_field *field =
56 			template_desc->fields[i];
57 		u32 len;
58 
59 		result = field->field_init(event_data,
60 					   &((*entry)->template_data[i]));
61 		if (result != 0)
62 			goto out;
63 
64 		len = (*entry)->template_data[i].len;
65 		(*entry)->template_data_len += sizeof(len);
66 		(*entry)->template_data_len += len;
67 	}
68 	return 0;
69 out:
70 	ima_free_template_entry(*entry);
71 	*entry = NULL;
72 	return result;
73 }
74 
75 /*
76  * ima_store_template - store ima template measurements
77  *
78  * Calculate the hash of a template entry, add the template entry
79  * to an ordered list of measurement entries maintained inside the kernel,
80  * and also update the aggregate integrity value (maintained inside the
81  * configured TPM PCR) over the hashes of the current list of measurement
82  * entries.
83  *
84  * Applications retrieve the current kernel-held measurement list through
85  * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
86  * TPM PCR (called quote) can be retrieved using a TPM user space library
87  * and is used to validate the measurement list.
88  *
89  * Returns 0 on success, error code otherwise
90  */
91 int ima_store_template(struct ima_template_entry *entry,
92 		       int violation, struct inode *inode,
93 		       const unsigned char *filename, int pcr)
94 {
95 	static const char op[] = "add_template_measure";
96 	static const char audit_cause[] = "hashing_error";
97 	char *template_name = entry->template_desc->name;
98 	int result;
99 	struct {
100 		struct ima_digest_data hdr;
101 		char digest[TPM_DIGEST_SIZE];
102 	} hash;
103 
104 	if (!violation) {
105 		int num_fields = entry->template_desc->num_fields;
106 
107 		/* this function uses default algo */
108 		hash.hdr.algo = HASH_ALGO_SHA1;
109 		result = ima_calc_field_array_hash(&entry->template_data[0],
110 						   entry->template_desc,
111 						   num_fields, &hash.hdr);
112 		if (result < 0) {
113 			integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
114 					    template_name, op,
115 					    audit_cause, result, 0);
116 			return result;
117 		}
118 		memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
119 	}
120 	entry->pcr = pcr;
121 	result = ima_add_template_entry(entry, violation, op, inode, filename);
122 	return result;
123 }
124 
125 /*
126  * ima_add_violation - add violation to measurement list.
127  *
128  * Violations are flagged in the measurement list with zero hash values.
129  * By extending the PCR with 0xFF's instead of with zeroes, the PCR
130  * value is invalidated.
131  */
132 void ima_add_violation(struct file *file, const unsigned char *filename,
133 		       struct integrity_iint_cache *iint,
134 		       const char *op, const char *cause)
135 {
136 	struct ima_template_entry *entry;
137 	struct inode *inode = file_inode(file);
138 	struct ima_event_data event_data = { .iint = iint,
139 					     .file = file,
140 					     .filename = filename,
141 					     .violation = cause };
142 	int violation = 1;
143 	int result;
144 
145 	/* can overflow, only indicator */
146 	atomic_long_inc(&ima_htable.violations);
147 
148 	result = ima_alloc_init_template(&event_data, &entry, NULL);
149 	if (result < 0) {
150 		result = -ENOMEM;
151 		goto err_out;
152 	}
153 	result = ima_store_template(entry, violation, inode,
154 				    filename, CONFIG_IMA_MEASURE_PCR_IDX);
155 	if (result < 0)
156 		ima_free_template_entry(entry);
157 err_out:
158 	integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
159 			    op, cause, result, 0);
160 }
161 
162 /**
163  * ima_get_action - appraise & measure decision based on policy.
164  * @inode: pointer to inode to measure
165  * @cred: pointer to credentials structure to validate
166  * @secid: secid of the task being validated
167  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
168  *        MAY_APPEND)
169  * @func: caller identifier
170  * @pcr: pointer filled in if matched measure policy sets pcr=
171  * @template_desc: pointer filled in if matched measure policy sets template=
172  * @keyring: keyring name used to determine the action
173  *
174  * The policy is defined in terms of keypairs:
175  *		subj=, obj=, type=, func=, mask=, fsmagic=
176  *	subj,obj, and type: are LSM specific.
177  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
178  *	| KEXEC_CMDLINE | KEY_CHECK
179  *	mask: contains the permission mask
180  *	fsmagic: hex value
181  *
182  * Returns IMA_MEASURE, IMA_APPRAISE mask.
183  *
184  */
185 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
186 		   int mask, enum ima_hooks func, int *pcr,
187 		   struct ima_template_desc **template_desc,
188 		   const char *keyring)
189 {
190 	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
191 
192 	flags &= ima_policy_flag;
193 
194 	return ima_match_policy(inode, cred, secid, func, mask, flags, pcr,
195 				template_desc, keyring);
196 }
197 
198 /*
199  * ima_collect_measurement - collect file measurement
200  *
201  * Calculate the file hash, if it doesn't already exist,
202  * storing the measurement and i_version in the iint.
203  *
204  * Must be called with iint->mutex held.
205  *
206  * Return 0 on success, error code otherwise
207  */
208 int ima_collect_measurement(struct integrity_iint_cache *iint,
209 			    struct file *file, void *buf, loff_t size,
210 			    enum hash_algo algo, struct modsig *modsig)
211 {
212 	const char *audit_cause = "failed";
213 	struct inode *inode = file_inode(file);
214 	const char *filename = file->f_path.dentry->d_name.name;
215 	int result = 0;
216 	int length;
217 	void *tmpbuf;
218 	u64 i_version;
219 	struct {
220 		struct ima_digest_data hdr;
221 		char digest[IMA_MAX_DIGEST_SIZE];
222 	} hash;
223 
224 	/*
225 	 * Always collect the modsig, because IMA might have already collected
226 	 * the file digest without collecting the modsig in a previous
227 	 * measurement rule.
228 	 */
229 	if (modsig)
230 		ima_collect_modsig(modsig, buf, size);
231 
232 	if (iint->flags & IMA_COLLECTED)
233 		goto out;
234 
235 	/*
236 	 * Dectecting file change is based on i_version. On filesystems
237 	 * which do not support i_version, support is limited to an initial
238 	 * measurement/appraisal/audit.
239 	 */
240 	i_version = inode_query_iversion(inode);
241 	hash.hdr.algo = algo;
242 
243 	/* Initialize hash digest to 0's in case of failure */
244 	memset(&hash.digest, 0, sizeof(hash.digest));
245 
246 	if (buf)
247 		result = ima_calc_buffer_hash(buf, size, &hash.hdr);
248 	else
249 		result = ima_calc_file_hash(file, &hash.hdr);
250 
251 	if (result && result != -EBADF && result != -EINVAL)
252 		goto out;
253 
254 	length = sizeof(hash.hdr) + hash.hdr.length;
255 	tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
256 	if (!tmpbuf) {
257 		result = -ENOMEM;
258 		goto out;
259 	}
260 
261 	iint->ima_hash = tmpbuf;
262 	memcpy(iint->ima_hash, &hash, length);
263 	iint->version = i_version;
264 
265 	/* Possibly temporary failure due to type of read (eg. O_DIRECT) */
266 	if (!result)
267 		iint->flags |= IMA_COLLECTED;
268 out:
269 	if (result) {
270 		if (file->f_flags & O_DIRECT)
271 			audit_cause = "failed(directio)";
272 
273 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
274 				    filename, "collect_data", audit_cause,
275 				    result, 0);
276 	}
277 	return result;
278 }
279 
280 /*
281  * ima_store_measurement - store file measurement
282  *
283  * Create an "ima" template and then store the template by calling
284  * ima_store_template.
285  *
286  * We only get here if the inode has not already been measured,
287  * but the measurement could already exist:
288  *	- multiple copies of the same file on either the same or
289  *	  different filesystems.
290  *	- the inode was previously flushed as well as the iint info,
291  *	  containing the hashing info.
292  *
293  * Must be called with iint->mutex held.
294  */
295 void ima_store_measurement(struct integrity_iint_cache *iint,
296 			   struct file *file, const unsigned char *filename,
297 			   struct evm_ima_xattr_data *xattr_value,
298 			   int xattr_len, const struct modsig *modsig, int pcr,
299 			   struct ima_template_desc *template_desc)
300 {
301 	static const char op[] = "add_template_measure";
302 	static const char audit_cause[] = "ENOMEM";
303 	int result = -ENOMEM;
304 	struct inode *inode = file_inode(file);
305 	struct ima_template_entry *entry;
306 	struct ima_event_data event_data = { .iint = iint,
307 					     .file = file,
308 					     .filename = filename,
309 					     .xattr_value = xattr_value,
310 					     .xattr_len = xattr_len,
311 					     .modsig = modsig };
312 	int violation = 0;
313 
314 	/*
315 	 * We still need to store the measurement in the case of MODSIG because
316 	 * we only have its contents to put in the list at the time of
317 	 * appraisal, but a file measurement from earlier might already exist in
318 	 * the measurement list.
319 	 */
320 	if (iint->measured_pcrs & (0x1 << pcr) && !modsig)
321 		return;
322 
323 	result = ima_alloc_init_template(&event_data, &entry, template_desc);
324 	if (result < 0) {
325 		integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
326 				    op, audit_cause, result, 0);
327 		return;
328 	}
329 
330 	result = ima_store_template(entry, violation, inode, filename, pcr);
331 	if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
332 		iint->flags |= IMA_MEASURED;
333 		iint->measured_pcrs |= (0x1 << pcr);
334 	}
335 	if (result < 0)
336 		ima_free_template_entry(entry);
337 }
338 
339 void ima_audit_measurement(struct integrity_iint_cache *iint,
340 			   const unsigned char *filename)
341 {
342 	struct audit_buffer *ab;
343 	char *hash;
344 	const char *algo_name = hash_algo_name[iint->ima_hash->algo];
345 	int i;
346 
347 	if (iint->flags & IMA_AUDITED)
348 		return;
349 
350 	hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL);
351 	if (!hash)
352 		return;
353 
354 	for (i = 0; i < iint->ima_hash->length; i++)
355 		hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
356 	hash[i * 2] = '\0';
357 
358 	ab = audit_log_start(audit_context(), GFP_KERNEL,
359 			     AUDIT_INTEGRITY_RULE);
360 	if (!ab)
361 		goto out;
362 
363 	audit_log_format(ab, "file=");
364 	audit_log_untrustedstring(ab, filename);
365 	audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash);
366 
367 	audit_log_task_info(ab);
368 	audit_log_end(ab);
369 
370 	iint->flags |= IMA_AUDITED;
371 out:
372 	kfree(hash);
373 	return;
374 }
375 
376 /*
377  * ima_d_path - return a pointer to the full pathname
378  *
379  * Attempt to return a pointer to the full pathname for use in the
380  * IMA measurement list, IMA audit records, and auditing logs.
381  *
382  * On failure, return a pointer to a copy of the filename, not dname.
383  * Returning a pointer to dname, could result in using the pointer
384  * after the memory has been freed.
385  */
386 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
387 {
388 	char *pathname = NULL;
389 
390 	*pathbuf = __getname();
391 	if (*pathbuf) {
392 		pathname = d_absolute_path(path, *pathbuf, PATH_MAX);
393 		if (IS_ERR(pathname)) {
394 			__putname(*pathbuf);
395 			*pathbuf = NULL;
396 			pathname = NULL;
397 		}
398 	}
399 
400 	if (!pathname) {
401 		strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX);
402 		pathname = namebuf;
403 	}
404 
405 	return pathname;
406 }
407