1 /* 2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 3 * 4 * Authors: 5 * Reiner Sailer <sailer@watson.ibm.com> 6 * Serge Hallyn <serue@us.ibm.com> 7 * Kylene Hall <kylene@us.ibm.com> 8 * Mimi Zohar <zohar@us.ibm.com> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation, version 2 of the 13 * License. 14 * 15 * File: ima_main.c 16 * implements the IMA hooks: ima_bprm_check, ima_file_mmap, 17 * and ima_file_check. 18 */ 19 20 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 21 22 #include <linux/module.h> 23 #include <linux/file.h> 24 #include <linux/binfmts.h> 25 #include <linux/mount.h> 26 #include <linux/mman.h> 27 #include <linux/slab.h> 28 #include <linux/xattr.h> 29 #include <linux/ima.h> 30 #include <linux/iversion.h> 31 #include <linux/fs.h> 32 33 #include "ima.h" 34 35 int ima_initialized; 36 37 #ifdef CONFIG_IMA_APPRAISE 38 int ima_appraise = IMA_APPRAISE_ENFORCE; 39 #else 40 int ima_appraise; 41 #endif 42 43 int ima_hash_algo = HASH_ALGO_SHA1; 44 static int hash_setup_done; 45 46 static int __init hash_setup(char *str) 47 { 48 struct ima_template_desc *template_desc = ima_template_desc_current(); 49 int i; 50 51 if (hash_setup_done) 52 return 1; 53 54 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { 55 if (strncmp(str, "sha1", 4) == 0) 56 ima_hash_algo = HASH_ALGO_SHA1; 57 else if (strncmp(str, "md5", 3) == 0) 58 ima_hash_algo = HASH_ALGO_MD5; 59 else 60 return 1; 61 goto out; 62 } 63 64 for (i = 0; i < HASH_ALGO__LAST; i++) { 65 if (strcmp(str, hash_algo_name[i]) == 0) { 66 ima_hash_algo = i; 67 break; 68 } 69 } 70 if (i == HASH_ALGO__LAST) 71 return 1; 72 out: 73 hash_setup_done = 1; 74 return 1; 75 } 76 __setup("ima_hash=", hash_setup); 77 78 /* 79 * ima_rdwr_violation_check 80 * 81 * Only invalidate the PCR for measured files: 82 * - Opening a file for write when already open for read, 83 * results in a time of measure, time of use (ToMToU) error. 84 * - Opening a file for read when already open for write, 85 * could result in a file measurement error. 86 * 87 */ 88 static void ima_rdwr_violation_check(struct file *file, 89 struct integrity_iint_cache *iint, 90 int must_measure, 91 char **pathbuf, 92 const char **pathname, 93 char *filename) 94 { 95 struct inode *inode = file_inode(file); 96 fmode_t mode = file->f_mode; 97 bool send_tomtou = false, send_writers = false; 98 99 if (mode & FMODE_WRITE) { 100 if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { 101 if (!iint) 102 iint = integrity_iint_find(inode); 103 /* IMA_MEASURE is set from reader side */ 104 if (iint && test_bit(IMA_MUST_MEASURE, 105 &iint->atomic_flags)) 106 send_tomtou = true; 107 } 108 } else { 109 if (must_measure) 110 set_bit(IMA_MUST_MEASURE, &iint->atomic_flags); 111 if ((atomic_read(&inode->i_writecount) > 0) && must_measure) 112 send_writers = true; 113 } 114 115 if (!send_tomtou && !send_writers) 116 return; 117 118 *pathname = ima_d_path(&file->f_path, pathbuf, filename); 119 120 if (send_tomtou) 121 ima_add_violation(file, *pathname, iint, 122 "invalid_pcr", "ToMToU"); 123 if (send_writers) 124 ima_add_violation(file, *pathname, iint, 125 "invalid_pcr", "open_writers"); 126 } 127 128 static void ima_check_last_writer(struct integrity_iint_cache *iint, 129 struct inode *inode, struct file *file) 130 { 131 fmode_t mode = file->f_mode; 132 bool update; 133 134 if (!(mode & FMODE_WRITE)) 135 return; 136 137 mutex_lock(&iint->mutex); 138 if (atomic_read(&inode->i_writecount) == 1) { 139 update = test_and_clear_bit(IMA_UPDATE_XATTR, 140 &iint->atomic_flags); 141 if (!IS_I_VERSION(inode) || 142 !inode_eq_iversion(inode, iint->version) || 143 (iint->flags & IMA_NEW_FILE)) { 144 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); 145 iint->measured_pcrs = 0; 146 if (update) 147 ima_update_xattr(iint, file); 148 } 149 } 150 mutex_unlock(&iint->mutex); 151 } 152 153 /** 154 * ima_file_free - called on __fput() 155 * @file: pointer to file structure being freed 156 * 157 * Flag files that changed, based on i_version 158 */ 159 void ima_file_free(struct file *file) 160 { 161 struct inode *inode = file_inode(file); 162 struct integrity_iint_cache *iint; 163 164 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 165 return; 166 167 iint = integrity_iint_find(inode); 168 if (!iint) 169 return; 170 171 ima_check_last_writer(iint, inode, file); 172 } 173 174 static int process_measurement(struct file *file, const struct cred *cred, 175 u32 secid, char *buf, loff_t size, int mask, 176 enum ima_hooks func, int opened) 177 { 178 struct inode *inode = file_inode(file); 179 struct integrity_iint_cache *iint = NULL; 180 struct ima_template_desc *template_desc; 181 char *pathbuf = NULL; 182 char filename[NAME_MAX]; 183 const char *pathname = NULL; 184 int rc = 0, action, must_appraise = 0; 185 int pcr = CONFIG_IMA_MEASURE_PCR_IDX; 186 struct evm_ima_xattr_data *xattr_value = NULL; 187 int xattr_len = 0; 188 bool violation_check; 189 enum hash_algo hash_algo; 190 191 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 192 return 0; 193 194 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action 195 * bitmask based on the appraise/audit/measurement policy. 196 * Included is the appraise submask. 197 */ 198 action = ima_get_action(inode, cred, secid, mask, func, &pcr); 199 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && 200 (ima_policy_flag & IMA_MEASURE)); 201 if (!action && !violation_check) 202 return 0; 203 204 must_appraise = action & IMA_APPRAISE; 205 206 /* Is the appraise rule hook specific? */ 207 if (action & IMA_FILE_APPRAISE) 208 func = FILE_CHECK; 209 210 inode_lock(inode); 211 212 if (action) { 213 iint = integrity_inode_get(inode); 214 if (!iint) 215 rc = -ENOMEM; 216 } 217 218 if (!rc && violation_check) 219 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, 220 &pathbuf, &pathname, filename); 221 222 inode_unlock(inode); 223 224 if (rc) 225 goto out; 226 if (!action) 227 goto out; 228 229 mutex_lock(&iint->mutex); 230 231 if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags)) 232 /* reset appraisal flags if ima_inode_post_setattr was called */ 233 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | 234 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | 235 IMA_ACTION_FLAGS); 236 237 /* 238 * Re-evaulate the file if either the xattr has changed or the 239 * kernel has no way of detecting file change on the filesystem. 240 * (Limited to privileged mounted filesystems.) 241 */ 242 if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) || 243 ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && 244 !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) && 245 !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) { 246 iint->flags &= ~IMA_DONE_MASK; 247 iint->measured_pcrs = 0; 248 } 249 250 /* Determine if already appraised/measured based on bitmask 251 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, 252 * IMA_AUDIT, IMA_AUDITED) 253 */ 254 iint->flags |= action; 255 action &= IMA_DO_MASK; 256 action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1); 257 258 /* If target pcr is already measured, unset IMA_MEASURE action */ 259 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr))) 260 action ^= IMA_MEASURE; 261 262 /* HASH sets the digital signature and update flags, nothing else */ 263 if ((action & IMA_HASH) && 264 !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) { 265 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); 266 if ((xattr_value && xattr_len > 2) && 267 (xattr_value->type == EVM_IMA_XATTR_DIGSIG)) 268 set_bit(IMA_DIGSIG, &iint->atomic_flags); 269 iint->flags |= IMA_HASHED; 270 action ^= IMA_HASH; 271 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 272 } 273 274 /* Nothing to do, just return existing appraised status */ 275 if (!action) { 276 if (must_appraise) 277 rc = ima_get_cache_status(iint, func); 278 goto out_locked; 279 } 280 281 template_desc = ima_template_desc_current(); 282 if ((action & IMA_APPRAISE_SUBMASK) || 283 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) 284 /* read 'security.ima' */ 285 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); 286 287 hash_algo = ima_get_hash_algo(xattr_value, xattr_len); 288 289 rc = ima_collect_measurement(iint, file, buf, size, hash_algo); 290 if (rc != 0 && rc != -EBADF && rc != -EINVAL) 291 goto out_locked; 292 293 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ 294 pathname = ima_d_path(&file->f_path, &pathbuf, filename); 295 296 if (action & IMA_MEASURE) 297 ima_store_measurement(iint, file, pathname, 298 xattr_value, xattr_len, pcr); 299 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { 300 inode_lock(inode); 301 rc = ima_appraise_measurement(func, iint, file, pathname, 302 xattr_value, xattr_len, opened); 303 inode_unlock(inode); 304 } 305 if (action & IMA_AUDIT) 306 ima_audit_measurement(iint, pathname); 307 308 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO)) 309 rc = 0; 310 out_locked: 311 if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) && 312 !(iint->flags & IMA_NEW_FILE)) 313 rc = -EACCES; 314 mutex_unlock(&iint->mutex); 315 kfree(xattr_value); 316 out: 317 if (pathbuf) 318 __putname(pathbuf); 319 if (must_appraise) { 320 if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE)) 321 return -EACCES; 322 if (file->f_mode & FMODE_WRITE) 323 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 324 } 325 return 0; 326 } 327 328 /** 329 * ima_file_mmap - based on policy, collect/store measurement. 330 * @file: pointer to the file to be measured (May be NULL) 331 * @prot: contains the protection that will be applied by the kernel. 332 * 333 * Measure files being mmapped executable based on the ima_must_measure() 334 * policy decision. 335 * 336 * On success return 0. On integrity appraisal error, assuming the file 337 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 338 */ 339 int ima_file_mmap(struct file *file, unsigned long prot) 340 { 341 u32 secid; 342 343 if (file && (prot & PROT_EXEC)) { 344 security_task_getsecid(current, &secid); 345 return process_measurement(file, current_cred(), secid, NULL, 346 0, MAY_EXEC, MMAP_CHECK, 0); 347 } 348 349 return 0; 350 } 351 352 /** 353 * ima_bprm_check - based on policy, collect/store measurement. 354 * @bprm: contains the linux_binprm structure 355 * 356 * The OS protects against an executable file, already open for write, 357 * from being executed in deny_write_access() and an executable file, 358 * already open for execute, from being modified in get_write_access(). 359 * So we can be certain that what we verify and measure here is actually 360 * what is being executed. 361 * 362 * On success return 0. On integrity appraisal error, assuming the file 363 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 364 */ 365 int ima_bprm_check(struct linux_binprm *bprm) 366 { 367 int ret; 368 u32 secid; 369 370 security_task_getsecid(current, &secid); 371 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, 372 MAY_EXEC, BPRM_CHECK, 0); 373 if (ret) 374 return ret; 375 376 security_cred_getsecid(bprm->cred, &secid); 377 return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, 378 MAY_EXEC, CREDS_CHECK, 0); 379 } 380 381 /** 382 * ima_path_check - based on policy, collect/store measurement. 383 * @file: pointer to the file to be measured 384 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND 385 * 386 * Measure files based on the ima_must_measure() policy decision. 387 * 388 * On success return 0. On integrity appraisal error, assuming the file 389 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 390 */ 391 int ima_file_check(struct file *file, int mask, int opened) 392 { 393 u32 secid; 394 395 security_task_getsecid(current, &secid); 396 return process_measurement(file, current_cred(), secid, NULL, 0, 397 mask & (MAY_READ | MAY_WRITE | MAY_EXEC | 398 MAY_APPEND), FILE_CHECK, opened); 399 } 400 EXPORT_SYMBOL_GPL(ima_file_check); 401 402 /** 403 * ima_post_path_mknod - mark as a new inode 404 * @dentry: newly created dentry 405 * 406 * Mark files created via the mknodat syscall as new, so that the 407 * file data can be written later. 408 */ 409 void ima_post_path_mknod(struct dentry *dentry) 410 { 411 struct integrity_iint_cache *iint; 412 struct inode *inode = dentry->d_inode; 413 int must_appraise; 414 415 must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); 416 if (!must_appraise) 417 return; 418 419 iint = integrity_inode_get(inode); 420 if (iint) 421 iint->flags |= IMA_NEW_FILE; 422 } 423 424 /** 425 * ima_read_file - pre-measure/appraise hook decision based on policy 426 * @file: pointer to the file to be measured/appraised/audit 427 * @read_id: caller identifier 428 * 429 * Permit reading a file based on policy. The policy rules are written 430 * in terms of the policy identifier. Appraising the integrity of 431 * a file requires a file descriptor. 432 * 433 * For permission return 0, otherwise return -EACCES. 434 */ 435 int ima_read_file(struct file *file, enum kernel_read_file_id read_id) 436 { 437 bool sig_enforce = is_module_sig_enforced(); 438 439 if (!file && read_id == READING_MODULE) { 440 if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && 441 (ima_appraise & IMA_APPRAISE_ENFORCE)) { 442 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); 443 return -EACCES; /* INTEGRITY_UNKNOWN */ 444 } 445 return 0; /* We rely on module signature checking */ 446 } 447 return 0; 448 } 449 450 static int read_idmap[READING_MAX_ID] = { 451 [READING_FIRMWARE] = FIRMWARE_CHECK, 452 [READING_MODULE] = MODULE_CHECK, 453 [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, 454 [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, 455 [READING_POLICY] = POLICY_CHECK 456 }; 457 458 /** 459 * ima_post_read_file - in memory collect/appraise/audit measurement 460 * @file: pointer to the file to be measured/appraised/audit 461 * @buf: pointer to in memory file contents 462 * @size: size of in memory file contents 463 * @read_id: caller identifier 464 * 465 * Measure/appraise/audit in memory file based on policy. Policy rules 466 * are written in terms of a policy identifier. 467 * 468 * On success return 0. On integrity appraisal error, assuming the file 469 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 470 */ 471 int ima_post_read_file(struct file *file, void *buf, loff_t size, 472 enum kernel_read_file_id read_id) 473 { 474 enum ima_hooks func; 475 u32 secid; 476 477 if (!file && read_id == READING_FIRMWARE) { 478 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && 479 (ima_appraise & IMA_APPRAISE_ENFORCE)) 480 return -EACCES; /* INTEGRITY_UNKNOWN */ 481 return 0; 482 } 483 484 if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */ 485 return 0; 486 487 /* permit signed certs */ 488 if (!file && read_id == READING_X509_CERTIFICATE) 489 return 0; 490 491 if (!file || !buf || size == 0) { /* should never happen */ 492 if (ima_appraise & IMA_APPRAISE_ENFORCE) 493 return -EACCES; 494 return 0; 495 } 496 497 func = read_idmap[read_id] ?: FILE_CHECK; 498 security_task_getsecid(current, &secid); 499 return process_measurement(file, current_cred(), secid, buf, size, 500 MAY_READ, func, 0); 501 } 502 503 static int __init init_ima(void) 504 { 505 int error; 506 507 ima_init_template_list(); 508 hash_setup(CONFIG_IMA_DEFAULT_HASH); 509 error = ima_init(); 510 511 if (error && strcmp(hash_algo_name[ima_hash_algo], 512 CONFIG_IMA_DEFAULT_HASH) != 0) { 513 pr_info("Allocating %s failed, going to use default hash algorithm %s\n", 514 hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); 515 hash_setup_done = 0; 516 hash_setup(CONFIG_IMA_DEFAULT_HASH); 517 error = ima_init(); 518 } 519 520 if (!error) { 521 ima_initialized = 1; 522 ima_update_policy_flag(); 523 } 524 return error; 525 } 526 527 late_initcall(init_ima); /* Start IMA after the TPM is available */ 528 529 MODULE_DESCRIPTION("Integrity Measurement Architecture"); 530 MODULE_LICENSE("GPL"); 531