1 /* 2 * Integrity Measurement Architecture 3 * 4 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 5 * 6 * Authors: 7 * Reiner Sailer <sailer@watson.ibm.com> 8 * Serge Hallyn <serue@us.ibm.com> 9 * Kylene Hall <kylene@us.ibm.com> 10 * Mimi Zohar <zohar@us.ibm.com> 11 * 12 * This program is free software; you can redistribute it and/or 13 * modify it under the terms of the GNU General Public License as 14 * published by the Free Software Foundation, version 2 of the 15 * License. 16 * 17 * File: ima_main.c 18 * implements the IMA hooks: ima_bprm_check, ima_file_mmap, 19 * and ima_file_check. 20 */ 21 22 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 23 24 #include <linux/module.h> 25 #include <linux/file.h> 26 #include <linux/binfmts.h> 27 #include <linux/mount.h> 28 #include <linux/mman.h> 29 #include <linux/slab.h> 30 #include <linux/xattr.h> 31 #include <linux/ima.h> 32 #include <linux/iversion.h> 33 #include <linux/fs.h> 34 35 #include "ima.h" 36 37 #ifdef CONFIG_IMA_APPRAISE 38 int ima_appraise = IMA_APPRAISE_ENFORCE; 39 #else 40 int ima_appraise; 41 #endif 42 43 int ima_hash_algo = HASH_ALGO_SHA1; 44 static int hash_setup_done; 45 46 static int __init hash_setup(char *str) 47 { 48 struct ima_template_desc *template_desc = ima_template_desc_current(); 49 int i; 50 51 if (hash_setup_done) 52 return 1; 53 54 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { 55 if (strncmp(str, "sha1", 4) == 0) 56 ima_hash_algo = HASH_ALGO_SHA1; 57 else if (strncmp(str, "md5", 3) == 0) 58 ima_hash_algo = HASH_ALGO_MD5; 59 else 60 return 1; 61 goto out; 62 } 63 64 i = match_string(hash_algo_name, HASH_ALGO__LAST, str); 65 if (i < 0) 66 return 1; 67 68 ima_hash_algo = i; 69 out: 70 hash_setup_done = 1; 71 return 1; 72 } 73 __setup("ima_hash=", hash_setup); 74 75 /* 76 * ima_rdwr_violation_check 77 * 78 * Only invalidate the PCR for measured files: 79 * - Opening a file for write when already open for read, 80 * results in a time of measure, time of use (ToMToU) error. 81 * - Opening a file for read when already open for write, 82 * could result in a file measurement error. 83 * 84 */ 85 static void ima_rdwr_violation_check(struct file *file, 86 struct integrity_iint_cache *iint, 87 int must_measure, 88 char **pathbuf, 89 const char **pathname, 90 char *filename) 91 { 92 struct inode *inode = file_inode(file); 93 fmode_t mode = file->f_mode; 94 bool send_tomtou = false, send_writers = false; 95 96 if (mode & FMODE_WRITE) { 97 if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { 98 if (!iint) 99 iint = integrity_iint_find(inode); 100 /* IMA_MEASURE is set from reader side */ 101 if (iint && test_bit(IMA_MUST_MEASURE, 102 &iint->atomic_flags)) 103 send_tomtou = true; 104 } 105 } else { 106 if (must_measure) 107 set_bit(IMA_MUST_MEASURE, &iint->atomic_flags); 108 if (inode_is_open_for_write(inode) && must_measure) 109 send_writers = true; 110 } 111 112 if (!send_tomtou && !send_writers) 113 return; 114 115 *pathname = ima_d_path(&file->f_path, pathbuf, filename); 116 117 if (send_tomtou) 118 ima_add_violation(file, *pathname, iint, 119 "invalid_pcr", "ToMToU"); 120 if (send_writers) 121 ima_add_violation(file, *pathname, iint, 122 "invalid_pcr", "open_writers"); 123 } 124 125 static void ima_check_last_writer(struct integrity_iint_cache *iint, 126 struct inode *inode, struct file *file) 127 { 128 fmode_t mode = file->f_mode; 129 bool update; 130 131 if (!(mode & FMODE_WRITE)) 132 return; 133 134 mutex_lock(&iint->mutex); 135 if (atomic_read(&inode->i_writecount) == 1) { 136 update = test_and_clear_bit(IMA_UPDATE_XATTR, 137 &iint->atomic_flags); 138 if (!IS_I_VERSION(inode) || 139 !inode_eq_iversion(inode, iint->version) || 140 (iint->flags & IMA_NEW_FILE)) { 141 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); 142 iint->measured_pcrs = 0; 143 if (update) 144 ima_update_xattr(iint, file); 145 } 146 } 147 mutex_unlock(&iint->mutex); 148 } 149 150 /** 151 * ima_file_free - called on __fput() 152 * @file: pointer to file structure being freed 153 * 154 * Flag files that changed, based on i_version 155 */ 156 void ima_file_free(struct file *file) 157 { 158 struct inode *inode = file_inode(file); 159 struct integrity_iint_cache *iint; 160 161 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 162 return; 163 164 iint = integrity_iint_find(inode); 165 if (!iint) 166 return; 167 168 ima_check_last_writer(iint, inode, file); 169 } 170 171 static int process_measurement(struct file *file, const struct cred *cred, 172 u32 secid, char *buf, loff_t size, int mask, 173 enum ima_hooks func) 174 { 175 struct inode *inode = file_inode(file); 176 struct integrity_iint_cache *iint = NULL; 177 struct ima_template_desc *template_desc; 178 char *pathbuf = NULL; 179 char filename[NAME_MAX]; 180 const char *pathname = NULL; 181 int rc = 0, action, must_appraise = 0; 182 int pcr = CONFIG_IMA_MEASURE_PCR_IDX; 183 struct evm_ima_xattr_data *xattr_value = NULL; 184 int xattr_len = 0; 185 bool violation_check; 186 enum hash_algo hash_algo; 187 188 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 189 return 0; 190 191 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action 192 * bitmask based on the appraise/audit/measurement policy. 193 * Included is the appraise submask. 194 */ 195 action = ima_get_action(inode, cred, secid, mask, func, &pcr); 196 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && 197 (ima_policy_flag & IMA_MEASURE)); 198 if (!action && !violation_check) 199 return 0; 200 201 must_appraise = action & IMA_APPRAISE; 202 203 /* Is the appraise rule hook specific? */ 204 if (action & IMA_FILE_APPRAISE) 205 func = FILE_CHECK; 206 207 inode_lock(inode); 208 209 if (action) { 210 iint = integrity_inode_get(inode); 211 if (!iint) 212 rc = -ENOMEM; 213 } 214 215 if (!rc && violation_check) 216 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, 217 &pathbuf, &pathname, filename); 218 219 inode_unlock(inode); 220 221 if (rc) 222 goto out; 223 if (!action) 224 goto out; 225 226 mutex_lock(&iint->mutex); 227 228 if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags)) 229 /* reset appraisal flags if ima_inode_post_setattr was called */ 230 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | 231 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | 232 IMA_ACTION_FLAGS); 233 234 /* 235 * Re-evaulate the file if either the xattr has changed or the 236 * kernel has no way of detecting file change on the filesystem. 237 * (Limited to privileged mounted filesystems.) 238 */ 239 if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) || 240 ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && 241 !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) && 242 !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) { 243 iint->flags &= ~IMA_DONE_MASK; 244 iint->measured_pcrs = 0; 245 } 246 247 /* Determine if already appraised/measured based on bitmask 248 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, 249 * IMA_AUDIT, IMA_AUDITED) 250 */ 251 iint->flags |= action; 252 action &= IMA_DO_MASK; 253 action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1); 254 255 /* If target pcr is already measured, unset IMA_MEASURE action */ 256 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr))) 257 action ^= IMA_MEASURE; 258 259 /* HASH sets the digital signature and update flags, nothing else */ 260 if ((action & IMA_HASH) && 261 !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) { 262 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); 263 if ((xattr_value && xattr_len > 2) && 264 (xattr_value->type == EVM_IMA_XATTR_DIGSIG)) 265 set_bit(IMA_DIGSIG, &iint->atomic_flags); 266 iint->flags |= IMA_HASHED; 267 action ^= IMA_HASH; 268 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 269 } 270 271 /* Nothing to do, just return existing appraised status */ 272 if (!action) { 273 if (must_appraise) 274 rc = ima_get_cache_status(iint, func); 275 goto out_locked; 276 } 277 278 template_desc = ima_template_desc_current(); 279 if ((action & IMA_APPRAISE_SUBMASK) || 280 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) 281 /* read 'security.ima' */ 282 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); 283 284 hash_algo = ima_get_hash_algo(xattr_value, xattr_len); 285 286 rc = ima_collect_measurement(iint, file, buf, size, hash_algo); 287 if (rc != 0 && rc != -EBADF && rc != -EINVAL) 288 goto out_locked; 289 290 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ 291 pathname = ima_d_path(&file->f_path, &pathbuf, filename); 292 293 if (action & IMA_MEASURE) 294 ima_store_measurement(iint, file, pathname, 295 xattr_value, xattr_len, pcr); 296 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { 297 inode_lock(inode); 298 rc = ima_appraise_measurement(func, iint, file, pathname, 299 xattr_value, xattr_len); 300 inode_unlock(inode); 301 } 302 if (action & IMA_AUDIT) 303 ima_audit_measurement(iint, pathname); 304 305 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO)) 306 rc = 0; 307 out_locked: 308 if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) && 309 !(iint->flags & IMA_NEW_FILE)) 310 rc = -EACCES; 311 mutex_unlock(&iint->mutex); 312 kfree(xattr_value); 313 out: 314 if (pathbuf) 315 __putname(pathbuf); 316 if (must_appraise) { 317 if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE)) 318 return -EACCES; 319 if (file->f_mode & FMODE_WRITE) 320 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 321 } 322 return 0; 323 } 324 325 /** 326 * ima_file_mmap - based on policy, collect/store measurement. 327 * @file: pointer to the file to be measured (May be NULL) 328 * @prot: contains the protection that will be applied by the kernel. 329 * 330 * Measure files being mmapped executable based on the ima_must_measure() 331 * policy decision. 332 * 333 * On success return 0. On integrity appraisal error, assuming the file 334 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 335 */ 336 int ima_file_mmap(struct file *file, unsigned long prot) 337 { 338 u32 secid; 339 340 if (file && (prot & PROT_EXEC)) { 341 security_task_getsecid(current, &secid); 342 return process_measurement(file, current_cred(), secid, NULL, 343 0, MAY_EXEC, MMAP_CHECK); 344 } 345 346 return 0; 347 } 348 349 /** 350 * ima_bprm_check - based on policy, collect/store measurement. 351 * @bprm: contains the linux_binprm structure 352 * 353 * The OS protects against an executable file, already open for write, 354 * from being executed in deny_write_access() and an executable file, 355 * already open for execute, from being modified in get_write_access(). 356 * So we can be certain that what we verify and measure here is actually 357 * what is being executed. 358 * 359 * On success return 0. On integrity appraisal error, assuming the file 360 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 361 */ 362 int ima_bprm_check(struct linux_binprm *bprm) 363 { 364 int ret; 365 u32 secid; 366 367 security_task_getsecid(current, &secid); 368 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, 369 MAY_EXEC, BPRM_CHECK); 370 if (ret) 371 return ret; 372 373 security_cred_getsecid(bprm->cred, &secid); 374 return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, 375 MAY_EXEC, CREDS_CHECK); 376 } 377 378 /** 379 * ima_path_check - based on policy, collect/store measurement. 380 * @file: pointer to the file to be measured 381 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND 382 * 383 * Measure files based on the ima_must_measure() policy decision. 384 * 385 * On success return 0. On integrity appraisal error, assuming the file 386 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 387 */ 388 int ima_file_check(struct file *file, int mask) 389 { 390 u32 secid; 391 392 security_task_getsecid(current, &secid); 393 return process_measurement(file, current_cred(), secid, NULL, 0, 394 mask & (MAY_READ | MAY_WRITE | MAY_EXEC | 395 MAY_APPEND), FILE_CHECK); 396 } 397 EXPORT_SYMBOL_GPL(ima_file_check); 398 399 /** 400 * ima_post_create_tmpfile - mark newly created tmpfile as new 401 * @file : newly created tmpfile 402 * 403 * No measuring, appraising or auditing of newly created tmpfiles is needed. 404 * Skip calling process_measurement(), but indicate which newly, created 405 * tmpfiles are in policy. 406 */ 407 void ima_post_create_tmpfile(struct inode *inode) 408 { 409 struct integrity_iint_cache *iint; 410 int must_appraise; 411 412 must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); 413 if (!must_appraise) 414 return; 415 416 /* Nothing to do if we can't allocate memory */ 417 iint = integrity_inode_get(inode); 418 if (!iint) 419 return; 420 421 /* needed for writing the security xattrs */ 422 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 423 iint->ima_file_status = INTEGRITY_PASS; 424 } 425 426 /** 427 * ima_post_path_mknod - mark as a new inode 428 * @dentry: newly created dentry 429 * 430 * Mark files created via the mknodat syscall as new, so that the 431 * file data can be written later. 432 */ 433 void ima_post_path_mknod(struct dentry *dentry) 434 { 435 struct integrity_iint_cache *iint; 436 struct inode *inode = dentry->d_inode; 437 int must_appraise; 438 439 must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); 440 if (!must_appraise) 441 return; 442 443 /* Nothing to do if we can't allocate memory */ 444 iint = integrity_inode_get(inode); 445 if (!iint) 446 return; 447 448 /* needed for re-opening empty files */ 449 iint->flags |= IMA_NEW_FILE; 450 } 451 452 /** 453 * ima_read_file - pre-measure/appraise hook decision based on policy 454 * @file: pointer to the file to be measured/appraised/audit 455 * @read_id: caller identifier 456 * 457 * Permit reading a file based on policy. The policy rules are written 458 * in terms of the policy identifier. Appraising the integrity of 459 * a file requires a file descriptor. 460 * 461 * For permission return 0, otherwise return -EACCES. 462 */ 463 int ima_read_file(struct file *file, enum kernel_read_file_id read_id) 464 { 465 /* 466 * READING_FIRMWARE_PREALLOC_BUFFER 467 * 468 * Do devices using pre-allocated memory run the risk of the 469 * firmware being accessible to the device prior to the completion 470 * of IMA's signature verification any more than when using two 471 * buffers? 472 */ 473 return 0; 474 } 475 476 static const int read_idmap[READING_MAX_ID] = { 477 [READING_FIRMWARE] = FIRMWARE_CHECK, 478 [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, 479 [READING_MODULE] = MODULE_CHECK, 480 [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, 481 [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, 482 [READING_POLICY] = POLICY_CHECK 483 }; 484 485 /** 486 * ima_post_read_file - in memory collect/appraise/audit measurement 487 * @file: pointer to the file to be measured/appraised/audit 488 * @buf: pointer to in memory file contents 489 * @size: size of in memory file contents 490 * @read_id: caller identifier 491 * 492 * Measure/appraise/audit in memory file based on policy. Policy rules 493 * are written in terms of a policy identifier. 494 * 495 * On success return 0. On integrity appraisal error, assuming the file 496 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 497 */ 498 int ima_post_read_file(struct file *file, void *buf, loff_t size, 499 enum kernel_read_file_id read_id) 500 { 501 enum ima_hooks func; 502 u32 secid; 503 504 if (!file && read_id == READING_FIRMWARE) { 505 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && 506 (ima_appraise & IMA_APPRAISE_ENFORCE)) { 507 pr_err("Prevent firmware loading_store.\n"); 508 return -EACCES; /* INTEGRITY_UNKNOWN */ 509 } 510 return 0; 511 } 512 513 /* permit signed certs */ 514 if (!file && read_id == READING_X509_CERTIFICATE) 515 return 0; 516 517 if (!file || !buf || size == 0) { /* should never happen */ 518 if (ima_appraise & IMA_APPRAISE_ENFORCE) 519 return -EACCES; 520 return 0; 521 } 522 523 func = read_idmap[read_id] ?: FILE_CHECK; 524 security_task_getsecid(current, &secid); 525 return process_measurement(file, current_cred(), secid, buf, size, 526 MAY_READ, func); 527 } 528 529 /** 530 * ima_load_data - appraise decision based on policy 531 * @id: kernel load data caller identifier 532 * 533 * Callers of this LSM hook can not measure, appraise, or audit the 534 * data provided by userspace. Enforce policy rules requring a file 535 * signature (eg. kexec'ed kernel image). 536 * 537 * For permission return 0, otherwise return -EACCES. 538 */ 539 int ima_load_data(enum kernel_load_data_id id) 540 { 541 bool ima_enforce, sig_enforce; 542 543 ima_enforce = 544 (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; 545 546 switch (id) { 547 case LOADING_KEXEC_IMAGE: 548 if (IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) 549 && arch_ima_get_secureboot()) { 550 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); 551 return -EACCES; 552 } 553 554 if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) { 555 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); 556 return -EACCES; /* INTEGRITY_UNKNOWN */ 557 } 558 break; 559 case LOADING_FIRMWARE: 560 if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) { 561 pr_err("Prevent firmware sysfs fallback loading.\n"); 562 return -EACCES; /* INTEGRITY_UNKNOWN */ 563 } 564 break; 565 case LOADING_MODULE: 566 sig_enforce = is_module_sig_enforced(); 567 568 if (ima_enforce && (!sig_enforce 569 && (ima_appraise & IMA_APPRAISE_MODULES))) { 570 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); 571 return -EACCES; /* INTEGRITY_UNKNOWN */ 572 } 573 default: 574 break; 575 } 576 return 0; 577 } 578 579 static int __init init_ima(void) 580 { 581 int error; 582 583 ima_init_template_list(); 584 hash_setup(CONFIG_IMA_DEFAULT_HASH); 585 error = ima_init(); 586 587 if (error && strcmp(hash_algo_name[ima_hash_algo], 588 CONFIG_IMA_DEFAULT_HASH) != 0) { 589 pr_info("Allocating %s failed, going to use default hash algorithm %s\n", 590 hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); 591 hash_setup_done = 0; 592 hash_setup(CONFIG_IMA_DEFAULT_HASH); 593 error = ima_init(); 594 } 595 596 if (!error) 597 ima_update_policy_flag(); 598 599 return error; 600 } 601 602 late_initcall(init_ima); /* Start IMA after the TPM is available */ 603