xref: /openbmc/linux/security/integrity/ima/ima_fs.c (revision b625fe69)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
4  *
5  * Authors:
6  * Kylene Hall <kjhall@us.ibm.com>
7  * Reiner Sailer <sailer@us.ibm.com>
8  * Mimi Zohar <zohar@us.ibm.com>
9  *
10  * File: ima_fs.c
11  *	implemenents security file system for reporting
12  *	current measurement list and IMA statistics
13  */
14 
15 #include <linux/fcntl.h>
16 #include <linux/kernel_read_file.h>
17 #include <linux/slab.h>
18 #include <linux/init.h>
19 #include <linux/seq_file.h>
20 #include <linux/rculist.h>
21 #include <linux/rcupdate.h>
22 #include <linux/parser.h>
23 #include <linux/vmalloc.h>
24 
25 #include "ima.h"
26 
27 static DEFINE_MUTEX(ima_write_mutex);
28 
29 bool ima_canonical_fmt;
30 static int __init default_canonical_fmt_setup(char *str)
31 {
32 #ifdef __BIG_ENDIAN
33 	ima_canonical_fmt = true;
34 #endif
35 	return 1;
36 }
37 __setup("ima_canonical_fmt", default_canonical_fmt_setup);
38 
39 static int valid_policy = 1;
40 
41 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
42 				     loff_t *ppos, atomic_long_t *val)
43 {
44 	char tmpbuf[32];	/* greater than largest 'long' string value */
45 	ssize_t len;
46 
47 	len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val));
48 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
49 }
50 
51 static ssize_t ima_show_htable_violations(struct file *filp,
52 					  char __user *buf,
53 					  size_t count, loff_t *ppos)
54 {
55 	return ima_show_htable_value(buf, count, ppos, &ima_htable.violations);
56 }
57 
58 static const struct file_operations ima_htable_violations_ops = {
59 	.read = ima_show_htable_violations,
60 	.llseek = generic_file_llseek,
61 };
62 
63 static ssize_t ima_show_measurements_count(struct file *filp,
64 					   char __user *buf,
65 					   size_t count, loff_t *ppos)
66 {
67 	return ima_show_htable_value(buf, count, ppos, &ima_htable.len);
68 
69 }
70 
71 static const struct file_operations ima_measurements_count_ops = {
72 	.read = ima_show_measurements_count,
73 	.llseek = generic_file_llseek,
74 };
75 
76 /* returns pointer to hlist_node */
77 static void *ima_measurements_start(struct seq_file *m, loff_t *pos)
78 {
79 	loff_t l = *pos;
80 	struct ima_queue_entry *qe;
81 
82 	/* we need a lock since pos could point beyond last element */
83 	rcu_read_lock();
84 	list_for_each_entry_rcu(qe, &ima_measurements, later) {
85 		if (!l--) {
86 			rcu_read_unlock();
87 			return qe;
88 		}
89 	}
90 	rcu_read_unlock();
91 	return NULL;
92 }
93 
94 static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
95 {
96 	struct ima_queue_entry *qe = v;
97 
98 	/* lock protects when reading beyond last element
99 	 * against concurrent list-extension
100 	 */
101 	rcu_read_lock();
102 	qe = list_entry_rcu(qe->later.next, struct ima_queue_entry, later);
103 	rcu_read_unlock();
104 	(*pos)++;
105 
106 	return (&qe->later == &ima_measurements) ? NULL : qe;
107 }
108 
109 static void ima_measurements_stop(struct seq_file *m, void *v)
110 {
111 }
112 
113 void ima_putc(struct seq_file *m, void *data, int datalen)
114 {
115 	while (datalen--)
116 		seq_putc(m, *(char *)data++);
117 }
118 
119 /* print format:
120  *       32bit-le=pcr#
121  *       char[20]=template digest
122  *       32bit-le=template name size
123  *       char[n]=template name
124  *       [eventdata length]
125  *       eventdata[n]=template specific data
126  */
127 int ima_measurements_show(struct seq_file *m, void *v)
128 {
129 	/* the list never shrinks, so we don't need a lock here */
130 	struct ima_queue_entry *qe = v;
131 	struct ima_template_entry *e;
132 	char *template_name;
133 	u32 pcr, namelen, template_data_len; /* temporary fields */
134 	bool is_ima_template = false;
135 	int i;
136 
137 	/* get entry */
138 	e = qe->entry;
139 	if (e == NULL)
140 		return -1;
141 
142 	template_name = (e->template_desc->name[0] != '\0') ?
143 	    e->template_desc->name : e->template_desc->fmt;
144 
145 	/*
146 	 * 1st: PCRIndex
147 	 * PCR used defaults to the same (config option) in
148 	 * little-endian format, unless set in policy
149 	 */
150 	pcr = !ima_canonical_fmt ? e->pcr : (__force u32)cpu_to_le32(e->pcr);
151 	ima_putc(m, &pcr, sizeof(e->pcr));
152 
153 	/* 2nd: template digest */
154 	ima_putc(m, e->digests[ima_sha1_idx].digest, TPM_DIGEST_SIZE);
155 
156 	/* 3rd: template name size */
157 	namelen = !ima_canonical_fmt ? strlen(template_name) :
158 		(__force u32)cpu_to_le32(strlen(template_name));
159 	ima_putc(m, &namelen, sizeof(namelen));
160 
161 	/* 4th:  template name */
162 	ima_putc(m, template_name, strlen(template_name));
163 
164 	/* 5th:  template length (except for 'ima' template) */
165 	if (strcmp(template_name, IMA_TEMPLATE_IMA_NAME) == 0)
166 		is_ima_template = true;
167 
168 	if (!is_ima_template) {
169 		template_data_len = !ima_canonical_fmt ? e->template_data_len :
170 			(__force u32)cpu_to_le32(e->template_data_len);
171 		ima_putc(m, &template_data_len, sizeof(e->template_data_len));
172 	}
173 
174 	/* 6th:  template specific data */
175 	for (i = 0; i < e->template_desc->num_fields; i++) {
176 		enum ima_show_type show = IMA_SHOW_BINARY;
177 		const struct ima_template_field *field =
178 			e->template_desc->fields[i];
179 
180 		if (is_ima_template && strcmp(field->field_id, "d") == 0)
181 			show = IMA_SHOW_BINARY_NO_FIELD_LEN;
182 		if (is_ima_template && strcmp(field->field_id, "n") == 0)
183 			show = IMA_SHOW_BINARY_OLD_STRING_FMT;
184 		field->field_show(m, show, &e->template_data[i]);
185 	}
186 	return 0;
187 }
188 
189 static const struct seq_operations ima_measurments_seqops = {
190 	.start = ima_measurements_start,
191 	.next = ima_measurements_next,
192 	.stop = ima_measurements_stop,
193 	.show = ima_measurements_show
194 };
195 
196 static int ima_measurements_open(struct inode *inode, struct file *file)
197 {
198 	return seq_open(file, &ima_measurments_seqops);
199 }
200 
201 static const struct file_operations ima_measurements_ops = {
202 	.open = ima_measurements_open,
203 	.read = seq_read,
204 	.llseek = seq_lseek,
205 	.release = seq_release,
206 };
207 
208 void ima_print_digest(struct seq_file *m, u8 *digest, u32 size)
209 {
210 	u32 i;
211 
212 	for (i = 0; i < size; i++)
213 		seq_printf(m, "%02x", *(digest + i));
214 }
215 
216 /* print in ascii */
217 static int ima_ascii_measurements_show(struct seq_file *m, void *v)
218 {
219 	/* the list never shrinks, so we don't need a lock here */
220 	struct ima_queue_entry *qe = v;
221 	struct ima_template_entry *e;
222 	char *template_name;
223 	int i;
224 
225 	/* get entry */
226 	e = qe->entry;
227 	if (e == NULL)
228 		return -1;
229 
230 	template_name = (e->template_desc->name[0] != '\0') ?
231 	    e->template_desc->name : e->template_desc->fmt;
232 
233 	/* 1st: PCR used (config option) */
234 	seq_printf(m, "%2d ", e->pcr);
235 
236 	/* 2nd: SHA1 template hash */
237 	ima_print_digest(m, e->digests[ima_sha1_idx].digest, TPM_DIGEST_SIZE);
238 
239 	/* 3th:  template name */
240 	seq_printf(m, " %s", template_name);
241 
242 	/* 4th:  template specific data */
243 	for (i = 0; i < e->template_desc->num_fields; i++) {
244 		seq_puts(m, " ");
245 		if (e->template_data[i].len == 0)
246 			continue;
247 
248 		e->template_desc->fields[i]->field_show(m, IMA_SHOW_ASCII,
249 							&e->template_data[i]);
250 	}
251 	seq_puts(m, "\n");
252 	return 0;
253 }
254 
255 static const struct seq_operations ima_ascii_measurements_seqops = {
256 	.start = ima_measurements_start,
257 	.next = ima_measurements_next,
258 	.stop = ima_measurements_stop,
259 	.show = ima_ascii_measurements_show
260 };
261 
262 static int ima_ascii_measurements_open(struct inode *inode, struct file *file)
263 {
264 	return seq_open(file, &ima_ascii_measurements_seqops);
265 }
266 
267 static const struct file_operations ima_ascii_measurements_ops = {
268 	.open = ima_ascii_measurements_open,
269 	.read = seq_read,
270 	.llseek = seq_lseek,
271 	.release = seq_release,
272 };
273 
274 static ssize_t ima_read_policy(char *path)
275 {
276 	void *data = NULL;
277 	char *datap;
278 	size_t size;
279 	int rc, pathlen = strlen(path);
280 
281 	char *p;
282 
283 	/* remove \n */
284 	datap = path;
285 	strsep(&datap, "\n");
286 
287 	rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL,
288 					READING_POLICY);
289 	if (rc < 0) {
290 		pr_err("Unable to open file: %s (%d)", path, rc);
291 		return rc;
292 	}
293 	size = rc;
294 	rc = 0;
295 
296 	datap = data;
297 	while (size > 0 && (p = strsep(&datap, "\n"))) {
298 		pr_debug("rule: %s\n", p);
299 		rc = ima_parse_add_rule(p);
300 		if (rc < 0)
301 			break;
302 		size -= rc;
303 	}
304 
305 	vfree(data);
306 	if (rc < 0)
307 		return rc;
308 	else if (size)
309 		return -EINVAL;
310 	else
311 		return pathlen;
312 }
313 
314 static ssize_t ima_write_policy(struct file *file, const char __user *buf,
315 				size_t datalen, loff_t *ppos)
316 {
317 	char *data;
318 	ssize_t result;
319 
320 	if (datalen >= PAGE_SIZE)
321 		datalen = PAGE_SIZE - 1;
322 
323 	/* No partial writes. */
324 	result = -EINVAL;
325 	if (*ppos != 0)
326 		goto out;
327 
328 	data = memdup_user_nul(buf, datalen);
329 	if (IS_ERR(data)) {
330 		result = PTR_ERR(data);
331 		goto out;
332 	}
333 
334 	result = mutex_lock_interruptible(&ima_write_mutex);
335 	if (result < 0)
336 		goto out_free;
337 
338 	if (data[0] == '/') {
339 		result = ima_read_policy(data);
340 	} else if (ima_appraise & IMA_APPRAISE_POLICY) {
341 		pr_err("signed policy file (specified as an absolute pathname) required\n");
342 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
343 				    "policy_update", "signed policy required",
344 				    1, 0);
345 		result = -EACCES;
346 	} else {
347 		result = ima_parse_add_rule(data);
348 	}
349 	mutex_unlock(&ima_write_mutex);
350 out_free:
351 	kfree(data);
352 out:
353 	if (result < 0)
354 		valid_policy = 0;
355 
356 	return result;
357 }
358 
359 static struct dentry *ima_dir;
360 static struct dentry *ima_symlink;
361 static struct dentry *binary_runtime_measurements;
362 static struct dentry *ascii_runtime_measurements;
363 static struct dentry *runtime_measurements_count;
364 static struct dentry *violations;
365 static struct dentry *ima_policy;
366 
367 enum ima_fs_flags {
368 	IMA_FS_BUSY,
369 };
370 
371 static unsigned long ima_fs_flags;
372 
373 #ifdef	CONFIG_IMA_READ_POLICY
374 static const struct seq_operations ima_policy_seqops = {
375 		.start = ima_policy_start,
376 		.next = ima_policy_next,
377 		.stop = ima_policy_stop,
378 		.show = ima_policy_show,
379 };
380 #endif
381 
382 /*
383  * ima_open_policy: sequentialize access to the policy file
384  */
385 static int ima_open_policy(struct inode *inode, struct file *filp)
386 {
387 	if (!(filp->f_flags & O_WRONLY)) {
388 #ifndef	CONFIG_IMA_READ_POLICY
389 		return -EACCES;
390 #else
391 		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
392 			return -EACCES;
393 		if (!capable(CAP_SYS_ADMIN))
394 			return -EPERM;
395 		return seq_open(filp, &ima_policy_seqops);
396 #endif
397 	}
398 	if (test_and_set_bit(IMA_FS_BUSY, &ima_fs_flags))
399 		return -EBUSY;
400 	return 0;
401 }
402 
403 /*
404  * ima_release_policy - start using the new measure policy rules.
405  *
406  * Initially, ima_measure points to the default policy rules, now
407  * point to the new policy rules, and remove the securityfs policy file,
408  * assuming a valid policy.
409  */
410 static int ima_release_policy(struct inode *inode, struct file *file)
411 {
412 	const char *cause = valid_policy ? "completed" : "failed";
413 
414 	if ((file->f_flags & O_ACCMODE) == O_RDONLY)
415 		return seq_release(inode, file);
416 
417 	if (valid_policy && ima_check_policy() < 0) {
418 		cause = "failed";
419 		valid_policy = 0;
420 	}
421 
422 	pr_info("policy update %s\n", cause);
423 	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
424 			    "policy_update", cause, !valid_policy, 0);
425 
426 	if (!valid_policy) {
427 		ima_delete_rules();
428 		valid_policy = 1;
429 		clear_bit(IMA_FS_BUSY, &ima_fs_flags);
430 		return 0;
431 	}
432 
433 	ima_update_policy();
434 #if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
435 	securityfs_remove(ima_policy);
436 	ima_policy = NULL;
437 #elif defined(CONFIG_IMA_WRITE_POLICY)
438 	clear_bit(IMA_FS_BUSY, &ima_fs_flags);
439 #elif defined(CONFIG_IMA_READ_POLICY)
440 	inode->i_mode &= ~S_IWUSR;
441 #endif
442 	return 0;
443 }
444 
445 static const struct file_operations ima_measure_policy_ops = {
446 	.open = ima_open_policy,
447 	.write = ima_write_policy,
448 	.read = seq_read,
449 	.release = ima_release_policy,
450 	.llseek = generic_file_llseek,
451 };
452 
453 int __init ima_fs_init(void)
454 {
455 	ima_dir = securityfs_create_dir("ima", integrity_dir);
456 	if (IS_ERR(ima_dir))
457 		return -1;
458 
459 	ima_symlink = securityfs_create_symlink("ima", NULL, "integrity/ima",
460 						NULL);
461 	if (IS_ERR(ima_symlink))
462 		goto out;
463 
464 	binary_runtime_measurements =
465 	    securityfs_create_file("binary_runtime_measurements",
466 				   S_IRUSR | S_IRGRP, ima_dir, NULL,
467 				   &ima_measurements_ops);
468 	if (IS_ERR(binary_runtime_measurements))
469 		goto out;
470 
471 	ascii_runtime_measurements =
472 	    securityfs_create_file("ascii_runtime_measurements",
473 				   S_IRUSR | S_IRGRP, ima_dir, NULL,
474 				   &ima_ascii_measurements_ops);
475 	if (IS_ERR(ascii_runtime_measurements))
476 		goto out;
477 
478 	runtime_measurements_count =
479 	    securityfs_create_file("runtime_measurements_count",
480 				   S_IRUSR | S_IRGRP, ima_dir, NULL,
481 				   &ima_measurements_count_ops);
482 	if (IS_ERR(runtime_measurements_count))
483 		goto out;
484 
485 	violations =
486 	    securityfs_create_file("violations", S_IRUSR | S_IRGRP,
487 				   ima_dir, NULL, &ima_htable_violations_ops);
488 	if (IS_ERR(violations))
489 		goto out;
490 
491 	ima_policy = securityfs_create_file("policy", POLICY_FILE_FLAGS,
492 					    ima_dir, NULL,
493 					    &ima_measure_policy_ops);
494 	if (IS_ERR(ima_policy))
495 		goto out;
496 
497 	return 0;
498 out:
499 	securityfs_remove(ima_policy);
500 	securityfs_remove(violations);
501 	securityfs_remove(runtime_measurements_count);
502 	securityfs_remove(ascii_runtime_measurements);
503 	securityfs_remove(binary_runtime_measurements);
504 	securityfs_remove(ima_symlink);
505 	securityfs_remove(ima_dir);
506 	return -1;
507 }
508