1 /* 2 * Copyright (C) 2008 IBM Corporation 3 * 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License as 8 * published by the Free Software Foundation, version 2 of the 9 * License. 10 * 11 * File: ima_api.c 12 * Implements must_appraise_or_measure, collect_measurement, 13 * appraise_measurement, store_measurement and store_template. 14 */ 15 #include <linux/slab.h> 16 #include <linux/file.h> 17 #include <linux/fs.h> 18 #include <linux/xattr.h> 19 #include <linux/evm.h> 20 #include <linux/iversion.h> 21 22 #include "ima.h" 23 24 /* 25 * ima_free_template_entry - free an existing template entry 26 */ 27 void ima_free_template_entry(struct ima_template_entry *entry) 28 { 29 int i; 30 31 for (i = 0; i < entry->template_desc->num_fields; i++) 32 kfree(entry->template_data[i].data); 33 34 kfree(entry); 35 } 36 37 /* 38 * ima_alloc_init_template - create and initialize a new template entry 39 */ 40 int ima_alloc_init_template(struct ima_event_data *event_data, 41 struct ima_template_entry **entry) 42 { 43 struct ima_template_desc *template_desc = ima_template_desc_current(); 44 int i, result = 0; 45 46 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields * 47 sizeof(struct ima_field_data), GFP_NOFS); 48 if (!*entry) 49 return -ENOMEM; 50 51 (*entry)->template_desc = template_desc; 52 for (i = 0; i < template_desc->num_fields; i++) { 53 const struct ima_template_field *field = 54 template_desc->fields[i]; 55 u32 len; 56 57 result = field->field_init(event_data, 58 &((*entry)->template_data[i])); 59 if (result != 0) 60 goto out; 61 62 len = (*entry)->template_data[i].len; 63 (*entry)->template_data_len += sizeof(len); 64 (*entry)->template_data_len += len; 65 } 66 return 0; 67 out: 68 ima_free_template_entry(*entry); 69 *entry = NULL; 70 return result; 71 } 72 73 /* 74 * ima_store_template - store ima template measurements 75 * 76 * Calculate the hash of a template entry, add the template entry 77 * to an ordered list of measurement entries maintained inside the kernel, 78 * and also update the aggregate integrity value (maintained inside the 79 * configured TPM PCR) over the hashes of the current list of measurement 80 * entries. 81 * 82 * Applications retrieve the current kernel-held measurement list through 83 * the securityfs entries in /sys/kernel/security/ima. The signed aggregate 84 * TPM PCR (called quote) can be retrieved using a TPM user space library 85 * and is used to validate the measurement list. 86 * 87 * Returns 0 on success, error code otherwise 88 */ 89 int ima_store_template(struct ima_template_entry *entry, 90 int violation, struct inode *inode, 91 const unsigned char *filename, int pcr) 92 { 93 static const char op[] = "add_template_measure"; 94 static const char audit_cause[] = "hashing_error"; 95 char *template_name = entry->template_desc->name; 96 int result; 97 struct { 98 struct ima_digest_data hdr; 99 char digest[TPM_DIGEST_SIZE]; 100 } hash; 101 102 if (!violation) { 103 int num_fields = entry->template_desc->num_fields; 104 105 /* this function uses default algo */ 106 hash.hdr.algo = HASH_ALGO_SHA1; 107 result = ima_calc_field_array_hash(&entry->template_data[0], 108 entry->template_desc, 109 num_fields, &hash.hdr); 110 if (result < 0) { 111 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 112 template_name, op, 113 audit_cause, result, 0); 114 return result; 115 } 116 memcpy(entry->digest, hash.hdr.digest, hash.hdr.length); 117 } 118 entry->pcr = pcr; 119 result = ima_add_template_entry(entry, violation, op, inode, filename); 120 return result; 121 } 122 123 /* 124 * ima_add_violation - add violation to measurement list. 125 * 126 * Violations are flagged in the measurement list with zero hash values. 127 * By extending the PCR with 0xFF's instead of with zeroes, the PCR 128 * value is invalidated. 129 */ 130 void ima_add_violation(struct file *file, const unsigned char *filename, 131 struct integrity_iint_cache *iint, 132 const char *op, const char *cause) 133 { 134 struct ima_template_entry *entry; 135 struct inode *inode = file_inode(file); 136 struct ima_event_data event_data = {iint, file, filename, NULL, 0, 137 cause}; 138 int violation = 1; 139 int result; 140 141 /* can overflow, only indicator */ 142 atomic_long_inc(&ima_htable.violations); 143 144 result = ima_alloc_init_template(&event_data, &entry); 145 if (result < 0) { 146 result = -ENOMEM; 147 goto err_out; 148 } 149 result = ima_store_template(entry, violation, inode, 150 filename, CONFIG_IMA_MEASURE_PCR_IDX); 151 if (result < 0) 152 ima_free_template_entry(entry); 153 err_out: 154 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 155 op, cause, result, 0); 156 } 157 158 /** 159 * ima_get_action - appraise & measure decision based on policy. 160 * @inode: pointer to inode to measure 161 * @cred: pointer to credentials structure to validate 162 * @secid: secid of the task being validated 163 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, 164 * MAY_APPEND) 165 * @func: caller identifier 166 * @pcr: pointer filled in if matched measure policy sets pcr= 167 * 168 * The policy is defined in terms of keypairs: 169 * subj=, obj=, type=, func=, mask=, fsmagic= 170 * subj,obj, and type: are LSM specific. 171 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK 172 * mask: contains the permission mask 173 * fsmagic: hex value 174 * 175 * Returns IMA_MEASURE, IMA_APPRAISE mask. 176 * 177 */ 178 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, 179 int mask, enum ima_hooks func, int *pcr) 180 { 181 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; 182 183 flags &= ima_policy_flag; 184 185 return ima_match_policy(inode, cred, secid, func, mask, flags, pcr); 186 } 187 188 /* 189 * ima_collect_measurement - collect file measurement 190 * 191 * Calculate the file hash, if it doesn't already exist, 192 * storing the measurement and i_version in the iint. 193 * 194 * Must be called with iint->mutex held. 195 * 196 * Return 0 on success, error code otherwise 197 */ 198 int ima_collect_measurement(struct integrity_iint_cache *iint, 199 struct file *file, void *buf, loff_t size, 200 enum hash_algo algo) 201 { 202 const char *audit_cause = "failed"; 203 struct inode *inode = file_inode(file); 204 const char *filename = file->f_path.dentry->d_name.name; 205 int result = 0; 206 int length; 207 void *tmpbuf; 208 u64 i_version; 209 struct { 210 struct ima_digest_data hdr; 211 char digest[IMA_MAX_DIGEST_SIZE]; 212 } hash; 213 214 if (iint->flags & IMA_COLLECTED) 215 goto out; 216 217 /* 218 * Dectecting file change is based on i_version. On filesystems 219 * which do not support i_version, support is limited to an initial 220 * measurement/appraisal/audit. 221 */ 222 i_version = inode_query_iversion(inode); 223 hash.hdr.algo = algo; 224 225 /* Initialize hash digest to 0's in case of failure */ 226 memset(&hash.digest, 0, sizeof(hash.digest)); 227 228 if (buf) 229 result = ima_calc_buffer_hash(buf, size, &hash.hdr); 230 else 231 result = ima_calc_file_hash(file, &hash.hdr); 232 233 if (result && result != -EBADF && result != -EINVAL) 234 goto out; 235 236 length = sizeof(hash.hdr) + hash.hdr.length; 237 tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS); 238 if (!tmpbuf) { 239 result = -ENOMEM; 240 goto out; 241 } 242 243 iint->ima_hash = tmpbuf; 244 memcpy(iint->ima_hash, &hash, length); 245 iint->version = i_version; 246 247 /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ 248 if (!result) 249 iint->flags |= IMA_COLLECTED; 250 out: 251 if (result) { 252 if (file->f_flags & O_DIRECT) 253 audit_cause = "failed(directio)"; 254 255 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, 256 filename, "collect_data", audit_cause, 257 result, 0); 258 } 259 return result; 260 } 261 262 /* 263 * ima_store_measurement - store file measurement 264 * 265 * Create an "ima" template and then store the template by calling 266 * ima_store_template. 267 * 268 * We only get here if the inode has not already been measured, 269 * but the measurement could already exist: 270 * - multiple copies of the same file on either the same or 271 * different filesystems. 272 * - the inode was previously flushed as well as the iint info, 273 * containing the hashing info. 274 * 275 * Must be called with iint->mutex held. 276 */ 277 void ima_store_measurement(struct integrity_iint_cache *iint, 278 struct file *file, const unsigned char *filename, 279 struct evm_ima_xattr_data *xattr_value, 280 int xattr_len, int pcr) 281 { 282 static const char op[] = "add_template_measure"; 283 static const char audit_cause[] = "ENOMEM"; 284 int result = -ENOMEM; 285 struct inode *inode = file_inode(file); 286 struct ima_template_entry *entry; 287 struct ima_event_data event_data = {iint, file, filename, xattr_value, 288 xattr_len, NULL}; 289 int violation = 0; 290 291 if (iint->measured_pcrs & (0x1 << pcr)) 292 return; 293 294 result = ima_alloc_init_template(&event_data, &entry); 295 if (result < 0) { 296 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 297 op, audit_cause, result, 0); 298 return; 299 } 300 301 result = ima_store_template(entry, violation, inode, filename, pcr); 302 if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) { 303 iint->flags |= IMA_MEASURED; 304 iint->measured_pcrs |= (0x1 << pcr); 305 } 306 if (result < 0) 307 ima_free_template_entry(entry); 308 } 309 310 void ima_audit_measurement(struct integrity_iint_cache *iint, 311 const unsigned char *filename) 312 { 313 struct audit_buffer *ab; 314 char *hash; 315 const char *algo_name = hash_algo_name[iint->ima_hash->algo]; 316 int i; 317 318 if (iint->flags & IMA_AUDITED) 319 return; 320 321 hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL); 322 if (!hash) 323 return; 324 325 for (i = 0; i < iint->ima_hash->length; i++) 326 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]); 327 hash[i * 2] = '\0'; 328 329 ab = audit_log_start(audit_context(), GFP_KERNEL, 330 AUDIT_INTEGRITY_RULE); 331 if (!ab) 332 goto out; 333 334 audit_log_format(ab, "file="); 335 audit_log_untrustedstring(ab, filename); 336 audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash); 337 338 audit_log_task_info(ab); 339 audit_log_end(ab); 340 341 iint->flags |= IMA_AUDITED; 342 out: 343 kfree(hash); 344 return; 345 } 346 347 /* 348 * ima_d_path - return a pointer to the full pathname 349 * 350 * Attempt to return a pointer to the full pathname for use in the 351 * IMA measurement list, IMA audit records, and auditing logs. 352 * 353 * On failure, return a pointer to a copy of the filename, not dname. 354 * Returning a pointer to dname, could result in using the pointer 355 * after the memory has been freed. 356 */ 357 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) 358 { 359 char *pathname = NULL; 360 361 *pathbuf = __getname(); 362 if (*pathbuf) { 363 pathname = d_absolute_path(path, *pathbuf, PATH_MAX); 364 if (IS_ERR(pathname)) { 365 __putname(*pathbuf); 366 *pathbuf = NULL; 367 pathname = NULL; 368 } 369 } 370 371 if (!pathname) { 372 strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX); 373 pathname = namebuf; 374 } 375 376 return pathname; 377 } 378