xref: /openbmc/linux/security/integrity/ima/ima_api.c (revision f220d3eb)
1 /*
2  * Copyright (C) 2008 IBM Corporation
3  *
4  * Author: Mimi Zohar <zohar@us.ibm.com>
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License as
8  * published by the Free Software Foundation, version 2 of the
9  * License.
10  *
11  * File: ima_api.c
12  *	Implements must_appraise_or_measure, collect_measurement,
13  *	appraise_measurement, store_measurement and store_template.
14  */
15 #include <linux/module.h>
16 #include <linux/slab.h>
17 #include <linux/file.h>
18 #include <linux/fs.h>
19 #include <linux/xattr.h>
20 #include <linux/evm.h>
21 #include <linux/iversion.h>
22 
23 #include "ima.h"
24 
25 /*
26  * ima_free_template_entry - free an existing template entry
27  */
28 void ima_free_template_entry(struct ima_template_entry *entry)
29 {
30 	int i;
31 
32 	for (i = 0; i < entry->template_desc->num_fields; i++)
33 		kfree(entry->template_data[i].data);
34 
35 	kfree(entry);
36 }
37 
38 /*
39  * ima_alloc_init_template - create and initialize a new template entry
40  */
41 int ima_alloc_init_template(struct ima_event_data *event_data,
42 			    struct ima_template_entry **entry)
43 {
44 	struct ima_template_desc *template_desc = ima_template_desc_current();
45 	int i, result = 0;
46 
47 	*entry = kzalloc(sizeof(**entry) + template_desc->num_fields *
48 			 sizeof(struct ima_field_data), GFP_NOFS);
49 	if (!*entry)
50 		return -ENOMEM;
51 
52 	(*entry)->template_desc = template_desc;
53 	for (i = 0; i < template_desc->num_fields; i++) {
54 		struct ima_template_field *field = template_desc->fields[i];
55 		u32 len;
56 
57 		result = field->field_init(event_data,
58 					   &((*entry)->template_data[i]));
59 		if (result != 0)
60 			goto out;
61 
62 		len = (*entry)->template_data[i].len;
63 		(*entry)->template_data_len += sizeof(len);
64 		(*entry)->template_data_len += len;
65 	}
66 	return 0;
67 out:
68 	ima_free_template_entry(*entry);
69 	*entry = NULL;
70 	return result;
71 }
72 
73 /*
74  * ima_store_template - store ima template measurements
75  *
76  * Calculate the hash of a template entry, add the template entry
77  * to an ordered list of measurement entries maintained inside the kernel,
78  * and also update the aggregate integrity value (maintained inside the
79  * configured TPM PCR) over the hashes of the current list of measurement
80  * entries.
81  *
82  * Applications retrieve the current kernel-held measurement list through
83  * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
84  * TPM PCR (called quote) can be retrieved using a TPM user space library
85  * and is used to validate the measurement list.
86  *
87  * Returns 0 on success, error code otherwise
88  */
89 int ima_store_template(struct ima_template_entry *entry,
90 		       int violation, struct inode *inode,
91 		       const unsigned char *filename, int pcr)
92 {
93 	static const char op[] = "add_template_measure";
94 	static const char audit_cause[] = "hashing_error";
95 	char *template_name = entry->template_desc->name;
96 	int result;
97 	struct {
98 		struct ima_digest_data hdr;
99 		char digest[TPM_DIGEST_SIZE];
100 	} hash;
101 
102 	if (!violation) {
103 		int num_fields = entry->template_desc->num_fields;
104 
105 		/* this function uses default algo */
106 		hash.hdr.algo = HASH_ALGO_SHA1;
107 		result = ima_calc_field_array_hash(&entry->template_data[0],
108 						   entry->template_desc,
109 						   num_fields, &hash.hdr);
110 		if (result < 0) {
111 			integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
112 					    template_name, op,
113 					    audit_cause, result, 0);
114 			return result;
115 		}
116 		memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
117 	}
118 	entry->pcr = pcr;
119 	result = ima_add_template_entry(entry, violation, op, inode, filename);
120 	return result;
121 }
122 
123 /*
124  * ima_add_violation - add violation to measurement list.
125  *
126  * Violations are flagged in the measurement list with zero hash values.
127  * By extending the PCR with 0xFF's instead of with zeroes, the PCR
128  * value is invalidated.
129  */
130 void ima_add_violation(struct file *file, const unsigned char *filename,
131 		       struct integrity_iint_cache *iint,
132 		       const char *op, const char *cause)
133 {
134 	struct ima_template_entry *entry;
135 	struct inode *inode = file_inode(file);
136 	struct ima_event_data event_data = {iint, file, filename, NULL, 0,
137 					    cause};
138 	int violation = 1;
139 	int result;
140 
141 	/* can overflow, only indicator */
142 	atomic_long_inc(&ima_htable.violations);
143 
144 	result = ima_alloc_init_template(&event_data, &entry);
145 	if (result < 0) {
146 		result = -ENOMEM;
147 		goto err_out;
148 	}
149 	result = ima_store_template(entry, violation, inode,
150 				    filename, CONFIG_IMA_MEASURE_PCR_IDX);
151 	if (result < 0)
152 		ima_free_template_entry(entry);
153 err_out:
154 	integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
155 			    op, cause, result, 0);
156 }
157 
158 /**
159  * ima_get_action - appraise & measure decision based on policy.
160  * @inode: pointer to inode to measure
161  * @cred: pointer to credentials structure to validate
162  * @secid: secid of the task being validated
163  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
164  *        MAY_APPEND)
165  * @func: caller identifier
166  * @pcr: pointer filled in if matched measure policy sets pcr=
167  *
168  * The policy is defined in terms of keypairs:
169  *		subj=, obj=, type=, func=, mask=, fsmagic=
170  *	subj,obj, and type: are LSM specific.
171  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
172  *	mask: contains the permission mask
173  *	fsmagic: hex value
174  *
175  * Returns IMA_MEASURE, IMA_APPRAISE mask.
176  *
177  */
178 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
179 		   int mask, enum ima_hooks func, int *pcr)
180 {
181 	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
182 
183 	flags &= ima_policy_flag;
184 
185 	return ima_match_policy(inode, cred, secid, func, mask, flags, pcr);
186 }
187 
188 /*
189  * ima_collect_measurement - collect file measurement
190  *
191  * Calculate the file hash, if it doesn't already exist,
192  * storing the measurement and i_version in the iint.
193  *
194  * Must be called with iint->mutex held.
195  *
196  * Return 0 on success, error code otherwise
197  */
198 int ima_collect_measurement(struct integrity_iint_cache *iint,
199 			    struct file *file, void *buf, loff_t size,
200 			    enum hash_algo algo)
201 {
202 	const char *audit_cause = "failed";
203 	struct inode *inode = file_inode(file);
204 	const char *filename = file->f_path.dentry->d_name.name;
205 	int result = 0;
206 	int length;
207 	void *tmpbuf;
208 	u64 i_version;
209 	struct {
210 		struct ima_digest_data hdr;
211 		char digest[IMA_MAX_DIGEST_SIZE];
212 	} hash;
213 
214 	if (iint->flags & IMA_COLLECTED)
215 		goto out;
216 
217 	/*
218 	 * Dectecting file change is based on i_version. On filesystems
219 	 * which do not support i_version, support is limited to an initial
220 	 * measurement/appraisal/audit.
221 	 */
222 	i_version = inode_query_iversion(inode);
223 	hash.hdr.algo = algo;
224 
225 	/* Initialize hash digest to 0's in case of failure */
226 	memset(&hash.digest, 0, sizeof(hash.digest));
227 
228 	if (buf)
229 		result = ima_calc_buffer_hash(buf, size, &hash.hdr);
230 	else
231 		result = ima_calc_file_hash(file, &hash.hdr);
232 
233 	if (result && result != -EBADF && result != -EINVAL)
234 		goto out;
235 
236 	length = sizeof(hash.hdr) + hash.hdr.length;
237 	tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
238 	if (!tmpbuf) {
239 		result = -ENOMEM;
240 		goto out;
241 	}
242 
243 	iint->ima_hash = tmpbuf;
244 	memcpy(iint->ima_hash, &hash, length);
245 	iint->version = i_version;
246 
247 	/* Possibly temporary failure due to type of read (eg. O_DIRECT) */
248 	if (!result)
249 		iint->flags |= IMA_COLLECTED;
250 out:
251 	if (result) {
252 		if (file->f_flags & O_DIRECT)
253 			audit_cause = "failed(directio)";
254 
255 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
256 				    filename, "collect_data", audit_cause,
257 				    result, 0);
258 	}
259 	return result;
260 }
261 
262 /*
263  * ima_store_measurement - store file measurement
264  *
265  * Create an "ima" template and then store the template by calling
266  * ima_store_template.
267  *
268  * We only get here if the inode has not already been measured,
269  * but the measurement could already exist:
270  *	- multiple copies of the same file on either the same or
271  *	  different filesystems.
272  *	- the inode was previously flushed as well as the iint info,
273  *	  containing the hashing info.
274  *
275  * Must be called with iint->mutex held.
276  */
277 void ima_store_measurement(struct integrity_iint_cache *iint,
278 			   struct file *file, const unsigned char *filename,
279 			   struct evm_ima_xattr_data *xattr_value,
280 			   int xattr_len, int pcr)
281 {
282 	static const char op[] = "add_template_measure";
283 	static const char audit_cause[] = "ENOMEM";
284 	int result = -ENOMEM;
285 	struct inode *inode = file_inode(file);
286 	struct ima_template_entry *entry;
287 	struct ima_event_data event_data = {iint, file, filename, xattr_value,
288 					    xattr_len, NULL};
289 	int violation = 0;
290 
291 	if (iint->measured_pcrs & (0x1 << pcr))
292 		return;
293 
294 	result = ima_alloc_init_template(&event_data, &entry);
295 	if (result < 0) {
296 		integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
297 				    op, audit_cause, result, 0);
298 		return;
299 	}
300 
301 	result = ima_store_template(entry, violation, inode, filename, pcr);
302 	if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
303 		iint->flags |= IMA_MEASURED;
304 		iint->measured_pcrs |= (0x1 << pcr);
305 	}
306 	if (result < 0)
307 		ima_free_template_entry(entry);
308 }
309 
310 void ima_audit_measurement(struct integrity_iint_cache *iint,
311 			   const unsigned char *filename)
312 {
313 	struct audit_buffer *ab;
314 	char *hash;
315 	const char *algo_name = hash_algo_name[iint->ima_hash->algo];
316 	int i;
317 
318 	if (iint->flags & IMA_AUDITED)
319 		return;
320 
321 	hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL);
322 	if (!hash)
323 		return;
324 
325 	for (i = 0; i < iint->ima_hash->length; i++)
326 		hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
327 	hash[i * 2] = '\0';
328 
329 	ab = audit_log_start(audit_context(), GFP_KERNEL,
330 			     AUDIT_INTEGRITY_RULE);
331 	if (!ab)
332 		goto out;
333 
334 	audit_log_format(ab, "file=");
335 	audit_log_untrustedstring(ab, filename);
336 	audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash);
337 
338 	audit_log_task_info(ab, current);
339 	audit_log_end(ab);
340 
341 	iint->flags |= IMA_AUDITED;
342 out:
343 	kfree(hash);
344 	return;
345 }
346 
347 /*
348  * ima_d_path - return a pointer to the full pathname
349  *
350  * Attempt to return a pointer to the full pathname for use in the
351  * IMA measurement list, IMA audit records, and auditing logs.
352  *
353  * On failure, return a pointer to a copy of the filename, not dname.
354  * Returning a pointer to dname, could result in using the pointer
355  * after the memory has been freed.
356  */
357 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
358 {
359 	char *pathname = NULL;
360 
361 	*pathbuf = __getname();
362 	if (*pathbuf) {
363 		pathname = d_absolute_path(path, *pathbuf, PATH_MAX);
364 		if (IS_ERR(pathname)) {
365 			__putname(*pathbuf);
366 			*pathbuf = NULL;
367 			pathname = NULL;
368 		}
369 	}
370 
371 	if (!pathname) {
372 		strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX);
373 		pathname = namebuf;
374 	}
375 
376 	return pathname;
377 }
378