1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * 5 * Author: Mimi Zohar <zohar@us.ibm.com> 6 * 7 * File: ima_api.c 8 * Implements must_appraise_or_measure, collect_measurement, 9 * appraise_measurement, store_measurement and store_template. 10 */ 11 #include <linux/slab.h> 12 #include <linux/file.h> 13 #include <linux/fs.h> 14 #include <linux/xattr.h> 15 #include <linux/evm.h> 16 #include <linux/iversion.h> 17 18 #include "ima.h" 19 20 /* 21 * ima_free_template_entry - free an existing template entry 22 */ 23 void ima_free_template_entry(struct ima_template_entry *entry) 24 { 25 int i; 26 27 for (i = 0; i < entry->template_desc->num_fields; i++) 28 kfree(entry->template_data[i].data); 29 30 kfree(entry); 31 } 32 33 /* 34 * ima_alloc_init_template - create and initialize a new template entry 35 */ 36 int ima_alloc_init_template(struct ima_event_data *event_data, 37 struct ima_template_entry **entry, 38 struct ima_template_desc *desc) 39 { 40 struct ima_template_desc *template_desc; 41 int i, result = 0; 42 43 if (desc) 44 template_desc = desc; 45 else 46 template_desc = ima_template_desc_current(); 47 48 *entry = kzalloc(struct_size(*entry, template_data, 49 template_desc->num_fields), GFP_NOFS); 50 if (!*entry) 51 return -ENOMEM; 52 53 (*entry)->template_desc = template_desc; 54 for (i = 0; i < template_desc->num_fields; i++) { 55 const struct ima_template_field *field = 56 template_desc->fields[i]; 57 u32 len; 58 59 result = field->field_init(event_data, 60 &((*entry)->template_data[i])); 61 if (result != 0) 62 goto out; 63 64 len = (*entry)->template_data[i].len; 65 (*entry)->template_data_len += sizeof(len); 66 (*entry)->template_data_len += len; 67 } 68 return 0; 69 out: 70 ima_free_template_entry(*entry); 71 *entry = NULL; 72 return result; 73 } 74 75 /* 76 * ima_store_template - store ima template measurements 77 * 78 * Calculate the hash of a template entry, add the template entry 79 * to an ordered list of measurement entries maintained inside the kernel, 80 * and also update the aggregate integrity value (maintained inside the 81 * configured TPM PCR) over the hashes of the current list of measurement 82 * entries. 83 * 84 * Applications retrieve the current kernel-held measurement list through 85 * the securityfs entries in /sys/kernel/security/ima. The signed aggregate 86 * TPM PCR (called quote) can be retrieved using a TPM user space library 87 * and is used to validate the measurement list. 88 * 89 * Returns 0 on success, error code otherwise 90 */ 91 int ima_store_template(struct ima_template_entry *entry, 92 int violation, struct inode *inode, 93 const unsigned char *filename, int pcr) 94 { 95 static const char op[] = "add_template_measure"; 96 static const char audit_cause[] = "hashing_error"; 97 char *template_name = entry->template_desc->name; 98 int result; 99 struct { 100 struct ima_digest_data hdr; 101 char digest[TPM_DIGEST_SIZE]; 102 } hash; 103 104 if (!violation) { 105 int num_fields = entry->template_desc->num_fields; 106 107 /* this function uses default algo */ 108 hash.hdr.algo = HASH_ALGO_SHA1; 109 result = ima_calc_field_array_hash(&entry->template_data[0], 110 entry->template_desc, 111 num_fields, &hash.hdr); 112 if (result < 0) { 113 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 114 template_name, op, 115 audit_cause, result, 0); 116 return result; 117 } 118 memcpy(entry->digest, hash.hdr.digest, hash.hdr.length); 119 } 120 entry->pcr = pcr; 121 result = ima_add_template_entry(entry, violation, op, inode, filename); 122 return result; 123 } 124 125 /* 126 * ima_add_violation - add violation to measurement list. 127 * 128 * Violations are flagged in the measurement list with zero hash values. 129 * By extending the PCR with 0xFF's instead of with zeroes, the PCR 130 * value is invalidated. 131 */ 132 void ima_add_violation(struct file *file, const unsigned char *filename, 133 struct integrity_iint_cache *iint, 134 const char *op, const char *cause) 135 { 136 struct ima_template_entry *entry; 137 struct inode *inode = file_inode(file); 138 struct ima_event_data event_data = { .iint = iint, 139 .file = file, 140 .filename = filename, 141 .violation = cause }; 142 int violation = 1; 143 int result; 144 145 /* can overflow, only indicator */ 146 atomic_long_inc(&ima_htable.violations); 147 148 result = ima_alloc_init_template(&event_data, &entry, NULL); 149 if (result < 0) { 150 result = -ENOMEM; 151 goto err_out; 152 } 153 result = ima_store_template(entry, violation, inode, 154 filename, CONFIG_IMA_MEASURE_PCR_IDX); 155 if (result < 0) 156 ima_free_template_entry(entry); 157 err_out: 158 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 159 op, cause, result, 0); 160 } 161 162 /** 163 * ima_get_action - appraise & measure decision based on policy. 164 * @inode: pointer to inode to measure 165 * @cred: pointer to credentials structure to validate 166 * @secid: secid of the task being validated 167 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, 168 * MAY_APPEND) 169 * @func: caller identifier 170 * @pcr: pointer filled in if matched measure policy sets pcr= 171 * @template_desc: pointer filled in if matched measure policy sets template= 172 * @keyring: keyring name used to determine the action 173 * 174 * The policy is defined in terms of keypairs: 175 * subj=, obj=, type=, func=, mask=, fsmagic= 176 * subj,obj, and type: are LSM specific. 177 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK 178 * | KEXEC_CMDLINE | KEY_CHECK 179 * mask: contains the permission mask 180 * fsmagic: hex value 181 * 182 * Returns IMA_MEASURE, IMA_APPRAISE mask. 183 * 184 */ 185 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, 186 int mask, enum ima_hooks func, int *pcr, 187 struct ima_template_desc **template_desc, 188 const char *keyring) 189 { 190 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; 191 192 flags &= ima_policy_flag; 193 194 return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, 195 template_desc, keyring); 196 } 197 198 /* 199 * ima_collect_measurement - collect file measurement 200 * 201 * Calculate the file hash, if it doesn't already exist, 202 * storing the measurement and i_version in the iint. 203 * 204 * Must be called with iint->mutex held. 205 * 206 * Return 0 on success, error code otherwise 207 */ 208 int ima_collect_measurement(struct integrity_iint_cache *iint, 209 struct file *file, void *buf, loff_t size, 210 enum hash_algo algo, struct modsig *modsig) 211 { 212 const char *audit_cause = "failed"; 213 struct inode *inode = file_inode(file); 214 const char *filename = file->f_path.dentry->d_name.name; 215 int result = 0; 216 int length; 217 void *tmpbuf; 218 u64 i_version; 219 struct { 220 struct ima_digest_data hdr; 221 char digest[IMA_MAX_DIGEST_SIZE]; 222 } hash; 223 224 /* 225 * Always collect the modsig, because IMA might have already collected 226 * the file digest without collecting the modsig in a previous 227 * measurement rule. 228 */ 229 if (modsig) 230 ima_collect_modsig(modsig, buf, size); 231 232 if (iint->flags & IMA_COLLECTED) 233 goto out; 234 235 /* 236 * Dectecting file change is based on i_version. On filesystems 237 * which do not support i_version, support is limited to an initial 238 * measurement/appraisal/audit. 239 */ 240 i_version = inode_query_iversion(inode); 241 hash.hdr.algo = algo; 242 243 /* Initialize hash digest to 0's in case of failure */ 244 memset(&hash.digest, 0, sizeof(hash.digest)); 245 246 if (buf) 247 result = ima_calc_buffer_hash(buf, size, &hash.hdr); 248 else 249 result = ima_calc_file_hash(file, &hash.hdr); 250 251 if (result && result != -EBADF && result != -EINVAL) 252 goto out; 253 254 length = sizeof(hash.hdr) + hash.hdr.length; 255 tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS); 256 if (!tmpbuf) { 257 result = -ENOMEM; 258 goto out; 259 } 260 261 iint->ima_hash = tmpbuf; 262 memcpy(iint->ima_hash, &hash, length); 263 iint->version = i_version; 264 265 /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ 266 if (!result) 267 iint->flags |= IMA_COLLECTED; 268 out: 269 if (result) { 270 if (file->f_flags & O_DIRECT) 271 audit_cause = "failed(directio)"; 272 273 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, 274 filename, "collect_data", audit_cause, 275 result, 0); 276 } 277 return result; 278 } 279 280 /* 281 * ima_store_measurement - store file measurement 282 * 283 * Create an "ima" template and then store the template by calling 284 * ima_store_template. 285 * 286 * We only get here if the inode has not already been measured, 287 * but the measurement could already exist: 288 * - multiple copies of the same file on either the same or 289 * different filesystems. 290 * - the inode was previously flushed as well as the iint info, 291 * containing the hashing info. 292 * 293 * Must be called with iint->mutex held. 294 */ 295 void ima_store_measurement(struct integrity_iint_cache *iint, 296 struct file *file, const unsigned char *filename, 297 struct evm_ima_xattr_data *xattr_value, 298 int xattr_len, const struct modsig *modsig, int pcr, 299 struct ima_template_desc *template_desc) 300 { 301 static const char op[] = "add_template_measure"; 302 static const char audit_cause[] = "ENOMEM"; 303 int result = -ENOMEM; 304 struct inode *inode = file_inode(file); 305 struct ima_template_entry *entry; 306 struct ima_event_data event_data = { .iint = iint, 307 .file = file, 308 .filename = filename, 309 .xattr_value = xattr_value, 310 .xattr_len = xattr_len, 311 .modsig = modsig }; 312 int violation = 0; 313 314 /* 315 * We still need to store the measurement in the case of MODSIG because 316 * we only have its contents to put in the list at the time of 317 * appraisal, but a file measurement from earlier might already exist in 318 * the measurement list. 319 */ 320 if (iint->measured_pcrs & (0x1 << pcr) && !modsig) 321 return; 322 323 result = ima_alloc_init_template(&event_data, &entry, template_desc); 324 if (result < 0) { 325 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 326 op, audit_cause, result, 0); 327 return; 328 } 329 330 result = ima_store_template(entry, violation, inode, filename, pcr); 331 if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) { 332 iint->flags |= IMA_MEASURED; 333 iint->measured_pcrs |= (0x1 << pcr); 334 } 335 if (result < 0) 336 ima_free_template_entry(entry); 337 } 338 339 void ima_audit_measurement(struct integrity_iint_cache *iint, 340 const unsigned char *filename) 341 { 342 struct audit_buffer *ab; 343 char *hash; 344 const char *algo_name = hash_algo_name[iint->ima_hash->algo]; 345 int i; 346 347 if (iint->flags & IMA_AUDITED) 348 return; 349 350 hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL); 351 if (!hash) 352 return; 353 354 for (i = 0; i < iint->ima_hash->length; i++) 355 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]); 356 hash[i * 2] = '\0'; 357 358 ab = audit_log_start(audit_context(), GFP_KERNEL, 359 AUDIT_INTEGRITY_RULE); 360 if (!ab) 361 goto out; 362 363 audit_log_format(ab, "file="); 364 audit_log_untrustedstring(ab, filename); 365 audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash); 366 367 audit_log_task_info(ab); 368 audit_log_end(ab); 369 370 iint->flags |= IMA_AUDITED; 371 out: 372 kfree(hash); 373 return; 374 } 375 376 /* 377 * ima_d_path - return a pointer to the full pathname 378 * 379 * Attempt to return a pointer to the full pathname for use in the 380 * IMA measurement list, IMA audit records, and auditing logs. 381 * 382 * On failure, return a pointer to a copy of the filename, not dname. 383 * Returning a pointer to dname, could result in using the pointer 384 * after the memory has been freed. 385 */ 386 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) 387 { 388 char *pathname = NULL; 389 390 *pathbuf = __getname(); 391 if (*pathbuf) { 392 pathname = d_absolute_path(path, *pathbuf, PATH_MAX); 393 if (IS_ERR(pathname)) { 394 __putname(*pathbuf); 395 *pathbuf = NULL; 396 pathname = NULL; 397 } 398 } 399 400 if (!pathname) { 401 strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX); 402 pathname = namebuf; 403 } 404 405 return pathname; 406 } 407