1 /* 2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 3 * 4 * Authors: 5 * Reiner Sailer <sailer@watson.ibm.com> 6 * Serge Hallyn <serue@us.ibm.com> 7 * Kylene Hall <kylene@us.ibm.com> 8 * Mimi Zohar <zohar@us.ibm.com> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation, version 2 of the 13 * License. 14 * 15 * File: ima_main.c 16 * implements the IMA hooks: ima_bprm_check, ima_file_mmap, 17 * and ima_file_check. 18 */ 19 #include <linux/module.h> 20 #include <linux/file.h> 21 #include <linux/binfmts.h> 22 #include <linux/mount.h> 23 #include <linux/mman.h> 24 #include <linux/slab.h> 25 #include <linux/xattr.h> 26 #include <linux/ima.h> 27 28 #include "ima.h" 29 30 int ima_initialized; 31 32 #ifdef CONFIG_IMA_APPRAISE 33 int ima_appraise = IMA_APPRAISE_ENFORCE; 34 #else 35 int ima_appraise; 36 #endif 37 38 char *ima_hash = "sha1"; 39 static int __init hash_setup(char *str) 40 { 41 if (strncmp(str, "md5", 3) == 0) 42 ima_hash = "md5"; 43 return 1; 44 } 45 __setup("ima_hash=", hash_setup); 46 47 /* 48 * ima_rdwr_violation_check 49 * 50 * Only invalidate the PCR for measured files: 51 * - Opening a file for write when already open for read, 52 * results in a time of measure, time of use (ToMToU) error. 53 * - Opening a file for read when already open for write, 54 * could result in a file measurement error. 55 * 56 */ 57 static void ima_rdwr_violation_check(struct file *file) 58 { 59 struct dentry *dentry = file->f_path.dentry; 60 struct inode *inode = dentry->d_inode; 61 fmode_t mode = file->f_mode; 62 int must_measure; 63 bool send_tomtou = false, send_writers = false; 64 unsigned char *pathname = NULL, *pathbuf = NULL; 65 66 if (!S_ISREG(inode->i_mode) || !ima_initialized) 67 return; 68 69 mutex_lock(&inode->i_mutex); /* file metadata: permissions, xattr */ 70 71 if (mode & FMODE_WRITE) { 72 if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) 73 send_tomtou = true; 74 goto out; 75 } 76 77 must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK); 78 if (!must_measure) 79 goto out; 80 81 if (atomic_read(&inode->i_writecount) > 0) 82 send_writers = true; 83 out: 84 mutex_unlock(&inode->i_mutex); 85 86 if (!send_tomtou && !send_writers) 87 return; 88 89 /* We will allow 11 spaces for ' (deleted)' to be appended */ 90 pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL); 91 if (pathbuf) { 92 pathname = d_path(&file->f_path, pathbuf, PATH_MAX + 11); 93 if (IS_ERR(pathname)) 94 pathname = NULL; 95 else if (strlen(pathname) > IMA_EVENT_NAME_LEN_MAX) 96 pathname = NULL; 97 } 98 if (send_tomtou) 99 ima_add_violation(inode, 100 !pathname ? dentry->d_name.name : pathname, 101 "invalid_pcr", "ToMToU"); 102 if (send_writers) 103 ima_add_violation(inode, 104 !pathname ? dentry->d_name.name : pathname, 105 "invalid_pcr", "open_writers"); 106 kfree(pathbuf); 107 } 108 109 static void ima_check_last_writer(struct integrity_iint_cache *iint, 110 struct inode *inode, struct file *file) 111 { 112 fmode_t mode = file->f_mode; 113 114 if (!(mode & FMODE_WRITE)) 115 return; 116 117 mutex_lock(&inode->i_mutex); 118 if (atomic_read(&inode->i_writecount) == 1 && 119 iint->version != inode->i_version) { 120 iint->flags &= ~IMA_DONE_MASK; 121 if (iint->flags & IMA_APPRAISE) 122 ima_update_xattr(iint, file); 123 } 124 mutex_unlock(&inode->i_mutex); 125 } 126 127 /** 128 * ima_file_free - called on __fput() 129 * @file: pointer to file structure being freed 130 * 131 * Flag files that changed, based on i_version 132 */ 133 void ima_file_free(struct file *file) 134 { 135 struct inode *inode = file->f_dentry->d_inode; 136 struct integrity_iint_cache *iint; 137 138 if (!iint_initialized || !S_ISREG(inode->i_mode)) 139 return; 140 141 iint = integrity_iint_find(inode); 142 if (!iint) 143 return; 144 145 ima_check_last_writer(iint, inode, file); 146 } 147 148 static int process_measurement(struct file *file, const unsigned char *filename, 149 int mask, int function) 150 { 151 struct inode *inode = file->f_dentry->d_inode; 152 struct integrity_iint_cache *iint; 153 unsigned char *pathname = NULL, *pathbuf = NULL; 154 int rc = -ENOMEM, action, must_appraise; 155 156 if (!ima_initialized || !S_ISREG(inode->i_mode)) 157 return 0; 158 159 /* Determine if in appraise/audit/measurement policy, 160 * returns IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT bitmask. */ 161 action = ima_get_action(inode, mask, function); 162 if (!action) 163 return 0; 164 165 must_appraise = action & IMA_APPRAISE; 166 167 mutex_lock(&inode->i_mutex); 168 169 iint = integrity_inode_get(inode); 170 if (!iint) 171 goto out; 172 173 /* Determine if already appraised/measured based on bitmask 174 * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED, 175 * IMA_AUDIT, IMA_AUDITED) */ 176 iint->flags |= action; 177 action &= ~((iint->flags & IMA_DONE_MASK) >> 1); 178 179 /* Nothing to do, just return existing appraised status */ 180 if (!action) { 181 if (iint->flags & IMA_APPRAISED) 182 rc = iint->ima_status; 183 goto out; 184 } 185 186 rc = ima_collect_measurement(iint, file); 187 if (rc != 0) 188 goto out; 189 190 if (function != BPRM_CHECK) { 191 /* We will allow 11 spaces for ' (deleted)' to be appended */ 192 pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL); 193 if (pathbuf) { 194 pathname = 195 d_path(&file->f_path, pathbuf, PATH_MAX + 11); 196 if (IS_ERR(pathname)) 197 pathname = NULL; 198 } 199 } 200 if (action & IMA_MEASURE) 201 ima_store_measurement(iint, file, 202 !pathname ? filename : pathname); 203 if (action & IMA_APPRAISE) 204 rc = ima_appraise_measurement(iint, file, 205 !pathname ? filename : pathname); 206 if (action & IMA_AUDIT) 207 ima_audit_measurement(iint, !pathname ? filename : pathname); 208 kfree(pathbuf); 209 out: 210 mutex_unlock(&inode->i_mutex); 211 return (rc && must_appraise) ? -EACCES : 0; 212 } 213 214 /** 215 * ima_file_mmap - based on policy, collect/store measurement. 216 * @file: pointer to the file to be measured (May be NULL) 217 * @prot: contains the protection that will be applied by the kernel. 218 * 219 * Measure files being mmapped executable based on the ima_must_measure() 220 * policy decision. 221 * 222 * Return 0 on success, an error code on failure. 223 * (Based on the results of appraise_measurement().) 224 */ 225 int ima_file_mmap(struct file *file, unsigned long prot) 226 { 227 int rc = 0; 228 229 if (!file) 230 return 0; 231 if (prot & PROT_EXEC) 232 rc = process_measurement(file, file->f_dentry->d_name.name, 233 MAY_EXEC, FILE_MMAP); 234 return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; 235 } 236 237 /** 238 * ima_bprm_check - based on policy, collect/store measurement. 239 * @bprm: contains the linux_binprm structure 240 * 241 * The OS protects against an executable file, already open for write, 242 * from being executed in deny_write_access() and an executable file, 243 * already open for execute, from being modified in get_write_access(). 244 * So we can be certain that what we verify and measure here is actually 245 * what is being executed. 246 * 247 * Return 0 on success, an error code on failure. 248 * (Based on the results of appraise_measurement().) 249 */ 250 int ima_bprm_check(struct linux_binprm *bprm) 251 { 252 int rc; 253 254 rc = process_measurement(bprm->file, 255 (strcmp(bprm->filename, bprm->interp) == 0) ? 256 bprm->filename : bprm->interp, 257 MAY_EXEC, BPRM_CHECK); 258 return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; 259 } 260 261 /** 262 * ima_path_check - based on policy, collect/store measurement. 263 * @file: pointer to the file to be measured 264 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE 265 * 266 * Measure files based on the ima_must_measure() policy decision. 267 * 268 * Always return 0 and audit dentry_open failures. 269 * (Return code will be based upon measurement appraisal.) 270 */ 271 int ima_file_check(struct file *file, int mask) 272 { 273 int rc; 274 275 ima_rdwr_violation_check(file); 276 rc = process_measurement(file, file->f_dentry->d_name.name, 277 mask & (MAY_READ | MAY_WRITE | MAY_EXEC), 278 FILE_CHECK); 279 return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; 280 } 281 EXPORT_SYMBOL_GPL(ima_file_check); 282 283 /** 284 * ima_module_check - based on policy, collect/store/appraise measurement. 285 * @file: pointer to the file to be measured/appraised 286 * 287 * Measure/appraise kernel modules based on policy. 288 * 289 * Always return 0 and audit dentry_open failures. 290 * Return code is based upon measurement appraisal. 291 */ 292 int ima_module_check(struct file *file) 293 { 294 int rc = 0; 295 296 if (!file) { 297 if (ima_appraise & IMA_APPRAISE_MODULES) { 298 #ifndef CONFIG_MODULE_SIG_FORCE 299 rc = -EACCES; /* INTEGRITY_UNKNOWN */ 300 #endif 301 } 302 } else 303 rc = process_measurement(file, file->f_dentry->d_name.name, 304 MAY_EXEC, MODULE_CHECK); 305 return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; 306 } 307 308 static int __init init_ima(void) 309 { 310 int error; 311 312 error = ima_init(); 313 if (!error) 314 ima_initialized = 1; 315 return error; 316 } 317 318 late_initcall(init_ima); /* Start IMA after the TPM is available */ 319 320 MODULE_DESCRIPTION("Integrity Measurement Architecture"); 321 MODULE_LICENSE("GPL"); 322