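// SPDX-License-Identifier: GPL-2.0-only
/*
 * Integrity Measurement Architecture
 *
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Reiner Sailer <sailer@watson.ibm.com>
 * Serge Hallyn <serue@us.ibm.com>
 * Kylene Hall <kylene@us.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * File: ima_main.c
 *	implements the IMA hooks: ima_bprm_check, ima_file_mmap,
 *	and ima_file_check.
 */

#include <linux/module.h>
#include <linux/file.h>
#include <linux/binfmts.h>
#include <linux/kernel_read_file.h>
#include <linux/mount.h>
#include <linux/mman.h>
#include <linux/slab.h>
#include <linux/xattr.h>
#include <linux/ima.h>
#include <linux/fs.h>

#include "ima.h"

#ifdef CONFIG_IMA_APPRAISE
int ima_appraise = IMA_APPRAISE_ENFORCE;
#else
int ima_appraise;
#endif

/* Hash algorithm used for measurements; fixed once init_ima() has run. */
int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
/* Set by hash_setup() once an algorithm has been accepted; later calls are no-ops. */
static int hash_setup_done;

static struct notifier_block ima_lsm_policy_notifier = {
	.notifier_call = ima_lsm_policy_change,
};

/**
 * hash_setup - parse the "ima_hash=" boot parameter
 * @str: algorithm name supplied on the command line
 *
 * The legacy "ima" template only carries sha1 or md5 digests, so with that
 * template any other name is rejected; otherwise the name is looked up in
 * hash_algo_name[].  Only the first accepted call takes effect.
 *
 * Always returns 1 (the __setup() convention for "parameter consumed").
 */
static int __init hash_setup(char *str)
{
	struct ima_template_desc *template_desc = ima_template_desc_current();
	int i;

	if (hash_setup_done)
		return 1;

	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
		if (strncmp(str, "sha1", 4) == 0) {
			ima_hash_algo = HASH_ALGO_SHA1;
		} else if (strncmp(str, "md5", 3) == 0) {
			ima_hash_algo = HASH_ALGO_MD5;
		} else {
			pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
				str, IMA_TEMPLATE_IMA_NAME);
			return 1;
		}
		goto out;
	}

	i = match_string(hash_algo_name, HASH_ALGO__LAST, str);
	if (i < 0) {
		pr_err("invalid hash algorithm \"%s\"", str);
		return 1;
	}

	ima_hash_algo = i;
out:
	hash_setup_done = 1;
	return 1;
}
__setup("ima_hash=", hash_setup);

/**
 * ima_get_current_hash_algo - return the algorithm IMA measures with
 */
enum hash_algo ima_get_current_hash_algo(void)
{
	return ima_hash_algo;
}

/**
 * mmap_violation_check - refuse an executable mapping of a writably mapped file
 * @func: IMA hook being processed; only MMAP_CHECK/MMAP_CHECK_REQPROT apply
 * @file: file being mapped
 * @pathbuf: caller's path buffer, allocated here if still NULL
 * @pathname: receives the resolved path (for the audit record)
 * @filename: fallback name buffer for ima_d_path()
 *
 * Prevent mmap'ing a file execute that is already mmap'ed write.
 *
 * Returns 0, or -ETXTBSY after emitting an audit message.
 */
static int mmap_violation_check(enum ima_hooks func, struct file *file,
				char **pathbuf, const char **pathname,
				char *filename)
{
	struct inode *inode;
	int rc = 0;

	if ((func == MMAP_CHECK || func == MMAP_CHECK_REQPROT) &&
	    mapping_writably_mapped(file->f_mapping)) {
		rc = -ETXTBSY;
		inode = file_inode(file);

		if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */
			*pathname = ima_d_path(&file->f_path, pathbuf,
					       filename);
		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, *pathname,
				    "mmap_file", "mmapped_writers", rc, 0);
	}
	return rc;
}

/*
 * ima_rdwr_violation_check
 *
 * Only invalidate the PCR for measured files:
 *	- Opening a file for write when already open for read,
 *	  results in a time of measure, time of use (ToMToU) error.
 *	- Opening a file for read when already open for write,
 *	  could result in a file measurement error.
 *
 * @iint may be NULL on the write path; it is then looked up from the inode.
 * On the read path the caller has already allocated it (process_measurement
 * only passes must_measure when an iint exists).
 */
static void ima_rdwr_violation_check(struct file *file,
				     struct integrity_iint_cache *iint,
				     int must_measure,
				     char **pathbuf,
				     const char **pathname,
				     char *filename)
{
	struct inode *inode = file_inode(file);
	fmode_t mode = file->f_mode;
	bool send_tomtou = false, send_writers = false;

	if (mode & FMODE_WRITE) {
		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
			if (!iint)
				iint = integrity_iint_find(inode);
			/* IMA_MEASURE is set from reader side */
			if (iint && test_bit(IMA_MUST_MEASURE,
					     &iint->atomic_flags))
				send_tomtou = true;
		}
	} else {
		if (must_measure)
			set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
		if (inode_is_open_for_write(inode) && must_measure)
			send_writers = true;
	}

	if (!send_tomtou && !send_writers)
		return;

	*pathname = ima_d_path(&file->f_path, pathbuf, filename);

	if (send_tomtou)
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "ToMToU");
	if (send_writers)
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "open_writers");
}

/**
 * ima_check_last_writer - reset cached state when the last writer closes
 * @iint: integrity cache entry for the inode
 * @inode: inode being closed
 * @file: file being closed
 *
 * Nothing to do unless @file was open for write and it is the last such
 * opener.  The cached measurement/appraisal state is discarded when the
 * file is new, when the change cookie cannot be fetched, or when the
 * cookie differs from the one recorded at measurement time; a pending
 * IMA_UPDATE_XATTR then triggers a rewrite of the security xattr.
 */
static void ima_check_last_writer(struct integrity_iint_cache *iint,
				  struct inode *inode, struct file *file)
{
	fmode_t mode = file->f_mode;
	bool update;

	if (!(mode & FMODE_WRITE))
		return;

	mutex_lock(&iint->mutex);
	if (atomic_read(&inode->i_writecount) == 1) {
		struct kstat stat;

		update = test_and_clear_bit(IMA_UPDATE_XATTR,
					    &iint->atomic_flags);
		if ((iint->flags & IMA_NEW_FILE) ||
		    vfs_getattr_nosec(&file->f_path, &stat,
				      STATX_CHANGE_COOKIE,
				      AT_STATX_SYNC_AS_STAT) ||
		    !(stat.result_mask & STATX_CHANGE_COOKIE) ||
		    stat.change_cookie != iint->version) {
			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
			iint->measured_pcrs = 0;
			if (update)
				ima_update_xattr(iint, file);
		}
	}
	mutex_unlock(&iint->mutex);
}

/**
 * ima_file_free - called on __fput()
 * @file: pointer to file structure being freed
 *
 * Flag files that changed, based on i_version
 */
void ima_file_free(struct file *file)
{
	struct inode *inode = file_inode(file);
	struct integrity_iint_cache *iint;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return;

	iint = integrity_iint_find(inode);
	if (!iint)
		return;

	ima_check_last_writer(iint, inode, file);
}

/**
 * process_measurement - measure/appraise/audit a file according to policy
 * @file: file being accessed
 * @cred: credentials the policy decision is made for
 * @secid: LSM secid matching @cred
 * @buf: in-memory file contents, or NULL to read from @file
 * @size: length of @buf
 * @mask: MAY_* access mask of the operation
 * @func: IMA hook that triggered the call
 *
 * Consults the policy, records violations (ToMToU, open writers, writable
 * executable mappings), collects and stores a measurement, appraises the
 * file against its security.ima xattr and/or appended signature, and
 * optionally audits it.
 *
 * Returns 0, or -EACCES when appraisal was required, failed, and IMA
 * appraisal is in enforcing mode.  Any other internal error is swallowed.
 */
static int process_measurement(struct file *file, const struct cred *cred,
			       u32 secid, char *buf, loff_t size, int mask,
			       enum ima_hooks func)
{
	struct inode *inode = file_inode(file);
	struct integrity_iint_cache *iint = NULL;
	struct ima_template_desc *template_desc = NULL;
	char *pathbuf = NULL;
	char filename[NAME_MAX];
	const char *pathname = NULL;
	int rc = 0, action, must_appraise = 0;
	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
	struct evm_ima_xattr_data *xattr_value = NULL;
	struct modsig *modsig = NULL;
	int xattr_len = 0;
	bool violation_check;
	enum hash_algo hash_algo;
	unsigned int allowed_algos = 0;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return 0;

	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
	 * bitmask based on the appraise/audit/measurement policy.
	 * Included is the appraise submask.
	 */
	action = ima_get_action(file_mnt_idmap(file), inode, cred, secid,
				mask, func, &pcr, &template_desc, NULL,
				&allowed_algos);
	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
			    func == MMAP_CHECK_REQPROT) &&
			   (ima_policy_flag & IMA_MEASURE));
	if (!action && !violation_check)
		return 0;

	must_appraise = action & IMA_APPRAISE;

	/* Is the appraise rule hook specific? */
	if (action & IMA_FILE_APPRAISE)
		func = FILE_CHECK;

	inode_lock(inode);

	if (action) {
		iint = integrity_inode_get(inode);
		if (!iint)
			rc = -ENOMEM;
	}

	if (!rc && violation_check)
		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
					 &pathbuf, &pathname, filename);

	inode_unlock(inode);

	if (rc)
		goto out;
	if (!action)
		goto out;

	mutex_lock(&iint->mutex);

	if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
		/* reset appraisal flags if ima_inode_post_setattr was called */
		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
				 IMA_NONACTION_FLAGS);

	/*
	 * Re-evaluate the file if either the xattr has changed or the
	 * kernel has no way of detecting file change on the filesystem.
	 * (Limited to privileged mounted filesystems.)
	 */
	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
	    ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
	     !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
	     !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		iint->flags &= ~IMA_DONE_MASK;
		iint->measured_pcrs = 0;
	}

	/* Determine if already appraised/measured based on bitmask
	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
	 *  IMA_AUDIT, IMA_AUDITED)
	 */
	iint->flags |= action;
	action &= IMA_DO_MASK;
	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);

	/* If target pcr is already measured, unset IMA_MEASURE action */
	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
		action ^= IMA_MEASURE;

	/* HASH sets the digital signature and update flags, nothing else */
	if ((action & IMA_HASH) &&
	    !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
		xattr_len = ima_read_xattr(file_dentry(file),
					   &xattr_value, xattr_len);
		if ((xattr_value && xattr_len > 2) &&
		    (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
			set_bit(IMA_DIGSIG, &iint->atomic_flags);
		iint->flags |= IMA_HASHED;
		action ^= IMA_HASH;
		set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}

	/* Nothing to do, just return existing appraised status */
	if (!action) {
		if (must_appraise) {
			rc = mmap_violation_check(func, file, &pathbuf,
						  &pathname, filename);
			if (!rc)
				rc = ima_get_cache_status(iint, func);
		}
		goto out_locked;
	}

	if ((action & IMA_APPRAISE_SUBMASK) ||
	    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
		/* read 'security.ima' */
		xattr_len = ima_read_xattr(file_dentry(file),
					   &xattr_value, xattr_len);

		/*
		 * Read the appended modsig if allowed by the policy, and allow
		 * an additional measurement list entry, if needed, based on the
		 * template format and whether the file was already measured.
		 */
		if (iint->flags & IMA_MODSIG_ALLOWED) {
			rc = ima_read_modsig(func, buf, size, &modsig);

			if (!rc && ima_template_has_modsig(template_desc) &&
			    iint->flags & IMA_MEASURED)
				action |= IMA_MEASURE;
		}
	}

	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);

	/*
	 * -EBADF/-EINVAL from collection are tolerated so that the appraisal
	 * below can still record the failure against the file.
	 */
	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
		goto out_locked;

	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
		pathname = ima_d_path(&file->f_path, &pathbuf, filename);

	if (action & IMA_MEASURE)
		ima_store_measurement(iint, file, pathname,
				      xattr_value, xattr_len, modsig, pcr,
				      template_desc);
	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
		rc = ima_check_blacklist(iint, modsig, pcr);
		if (rc != -EPERM) {
			inode_lock(inode);
			rc = ima_appraise_measurement(func, iint, file,
						      pathname, xattr_value,
						      xattr_len, modsig);
			inode_unlock(inode);
		}
		if (!rc)
			rc = mmap_violation_check(func, file, &pathbuf,
						  &pathname, filename);
	}
	if (action & IMA_AUDIT)
		ima_audit_measurement(iint, pathname);

	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
		rc = 0;

	/* Ensure the digest was generated using an allowed algorithm */
	if (rc == 0 && must_appraise && allowed_algos != 0 &&
	    (allowed_algos & (1U << hash_algo)) == 0) {
		rc = -EACCES;

		integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file),
				    pathname, "collect_data",
				    "denied-hash-algorithm", rc, 0);
	}
out_locked:
	/* A signed file may not be opened for write unless it is still new. */
	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
	     !(iint->flags & IMA_NEW_FILE))
		rc = -EACCES;
	mutex_unlock(&iint->mutex);
	kfree(xattr_value);
	ima_free_modsig(modsig);
out:
	if (pathbuf)
		__putname(pathbuf);
	if (must_appraise) {
		if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;
		/*
		 * iint is still NULL when integrity_inode_get() failed above
		 * (rc == -ENOMEM) and appraisal is not enforcing; there is no
		 * cache entry to flag in that case.
		 */
		if (iint && (file->f_mode & FMODE_WRITE))
			set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}
	return 0;
}

/**
 * ima_file_mmap - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured (May be NULL)
 * @reqprot: protection requested by the application
 * @prot: protection that will be applied by the kernel
 * @flags: operational flags
 *
 * Measure files being mmapped executable based on the ima_must_measure()
 * policy decision.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_file_mmap(struct file *file, unsigned long reqprot,
		  unsigned long prot, unsigned long flags)
{
	u32 secid;
	int ret;

	if (!file)
		return 0;

	security_current_getsecid_subj(&secid);

	/* The requested protection is checked first, then the effective one. */
	if (reqprot & PROT_EXEC) {
		ret = process_measurement(file, current_cred(), secid, NULL,
					  0, MAY_EXEC, MMAP_CHECK_REQPROT);
		if (ret)
			return ret;
	}

	if (prot & PROT_EXEC)
		return process_measurement(file, current_cred(), secid, NULL,
					   0, MAY_EXEC, MMAP_CHECK);

	return 0;
}

/**
 * ima_file_mprotect - based on policy, limit mprotect change
 * @vma: vm_area_struct protection is set to
 * @prot: contains the protection that will be applied by the kernel.
 *
 * Files can be mmap'ed read/write and later changed to execute to circumvent
 * IMA's mmap appraisal policy rules.  Due to locking issues (mmap semaphore
 * would be taken before i_mutex), files can not be measured or appraised at
 * this point.  Eliminate this integrity gap by denying the mprotect
 * PROT_EXECUTE change, if an mmap appraise policy rule exists.
 *
 * On mprotect change success, return 0.  On failure, return -EACCES.
 */
int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
{
	struct ima_template_desc *template = NULL;
	struct file *file;
	char filename[NAME_MAX];
	char *pathbuf = NULL;
	const char *pathname = NULL;
	struct inode *inode;
	int result = 0;
	int action;
	u32 secid;
	int pcr;

	/* Is mprotect making an mmap'ed file executable? */
	if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
	    !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
		return 0;

	security_current_getsecid_subj(&secid);
	inode = file_inode(vma->vm_file);
	action = ima_get_action(file_mnt_idmap(vma->vm_file), inode,
				current_cred(), secid, MAY_EXEC, MMAP_CHECK,
				&pcr, &template, NULL, NULL);
	action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode,
				 current_cred(), secid, MAY_EXEC,
				 MMAP_CHECK_REQPROT, &pcr, &template, NULL,
				 NULL);

	/* Is the mmap'ed file in policy? */
	if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK)))
		return 0;

	if (action & IMA_APPRAISE_SUBMASK)
		result = -EPERM;

	/* Audited even when only a measure rule matched (result stays 0). */
	file = vma->vm_file;
	pathname = ima_d_path(&file->f_path, &pathbuf, filename);
	integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, pathname,
			    "collect_data", "failed-mprotect", result, 0);
	if (pathbuf)
		__putname(pathbuf);

	return result;
}

/**
 * ima_bprm_check - based on policy, collect/store measurement.
 * @bprm: contains the linux_binprm structure
 *
 * The OS protects against an executable file, already open for write,
 * from being executed in deny_write_access() and an executable file,
 * already open for execute, from being modified in get_write_access().
 * So we can be certain that what we verify and measure here is actually
 * what is being executed.
 *
 * The file is processed twice: once for the calling credentials
 * (BPRM_CHECK) and once for the credentials the new program will run
 * with (CREDS_CHECK).
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_bprm_check(struct linux_binprm *bprm)
{
	int ret;
	u32 secid;

	security_current_getsecid_subj(&secid);
	ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
				  MAY_EXEC, BPRM_CHECK);
	if (ret)
		return ret;

	security_cred_getsecid(bprm->cred, &secid);
	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
				   MAY_EXEC, CREDS_CHECK);
}

/**
 * ima_file_check - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured
 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
 *
 * Measure files based on the ima_must_measure() policy decision.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_file_check(struct file *file, int mask)
{
	u32 secid;

	security_current_getsecid_subj(&secid);
	return process_measurement(file, current_cred(), secid, NULL, 0,
				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
					   MAY_APPEND), FILE_CHECK);
}
EXPORT_SYMBOL_GPL(ima_file_check);

/**
 * __ima_inode_hash - fetch or compute the file hash for an inode
 * @inode: inode whose hash is wanted
 * @file: open file for @inode, or NULL to only consult the cache
 * @buf: buffer to copy the digest into, may be NULL
 * @buf_size: length of @buf
 *
 * Uses the cached iint measurement when one has been collected.  When
 * there is none but @file is available, the file is hashed into a
 * temporary, stack-allocated iint with the default algorithm.
 *
 * Returns the hash algorithm on success, or -EOPNOTSUPP when no hash is
 * available or cannot be computed.
 */
static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
			    size_t buf_size)
{
	struct integrity_iint_cache *iint = NULL, tmp_iint;
	int rc, hash_algo;

	if (ima_policy_flag) {
		iint = integrity_iint_find(inode);
		if (iint)
			mutex_lock(&iint->mutex);
	}

	if ((!iint || !(iint->flags & IMA_COLLECTED)) && file) {
		if (iint)
			mutex_unlock(&iint->mutex);

		memset(&tmp_iint, 0, sizeof(tmp_iint));
		tmp_iint.inode = inode;
		mutex_init(&tmp_iint.mutex);

		rc = ima_collect_measurement(&tmp_iint, file, NULL, 0,
					     ima_hash_algo, NULL);
		if (rc < 0) {
			/* ima_hash could be allocated in case of failure. */
			if (rc != -ENOMEM)
				kfree(tmp_iint.ima_hash);

			return -EOPNOTSUPP;
		}

		iint = &tmp_iint;
		mutex_lock(&iint->mutex);
	}

	if (!iint)
		return -EOPNOTSUPP;

	/*
	 * ima_file_hash can be called when ima_collect_measurement has still
	 * not been called, we might not always have a hash.
	 */
	if (!iint->ima_hash || !(iint->flags & IMA_COLLECTED)) {
		mutex_unlock(&iint->mutex);
		return -EOPNOTSUPP;
	}

	if (buf) {
		size_t copied_size;

		copied_size = min_t(size_t, iint->ima_hash->length, buf_size);
		memcpy(buf, iint->ima_hash->digest, copied_size);
	}
	hash_algo = iint->ima_hash->algo;
	mutex_unlock(&iint->mutex);

	/* The temporary iint owns its digest; the cached one does not. */
	if (iint == &tmp_iint)
		kfree(iint->ima_hash);

	return hash_algo;
}

/**
 * ima_file_hash - return a measurement of the file
 * @file: pointer to the file
 * @buf: buffer in which to store the hash
 * @buf_size: length of the buffer
 *
 * On success, return the hash algorithm (as defined in the enum hash_algo).
 * If buf is not NULL, this function also outputs the hash into buf.
 * If the hash is larger than buf_size, then only buf_size bytes will be copied.
 * It generally just makes sense to pass a buffer capable of holding the largest
 * possible hash: IMA_MAX_DIGEST_SIZE.
 * The file hash returned is based on the entire file, including the appended
 * signature.
 *
 * If the measurement cannot be performed, return -EOPNOTSUPP.
 * If the parameters are incorrect, return -EINVAL.
 */
int ima_file_hash(struct file *file, char *buf, size_t buf_size)
{
	if (!file)
		return -EINVAL;

	return __ima_inode_hash(file_inode(file), file, buf, buf_size);
}
EXPORT_SYMBOL_GPL(ima_file_hash);

/**
 * ima_inode_hash - return the stored measurement if the inode has been hashed
 *		    and is in the iint cache.
 * @inode: pointer to the inode
 * @buf: buffer in which to store the hash
 * @buf_size: length of the buffer
 *
 * On success, return the hash algorithm (as defined in the enum hash_algo).
 * If buf is not NULL, this function also outputs the hash into buf.
 * If the hash is larger than buf_size, then only buf_size bytes will be copied.
 * It generally just makes sense to pass a buffer capable of holding the largest
 * possible hash: IMA_MAX_DIGEST_SIZE.
 * The hash returned is based on the entire contents, including the appended
 * signature.
 *
 * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP.
 * If the parameters are incorrect, return -EINVAL.
 */
int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size)
{
	if (!inode)
		return -EINVAL;

	return __ima_inode_hash(inode, NULL, buf, buf_size);
}
EXPORT_SYMBOL_GPL(ima_inode_hash);

/**
 * ima_post_create_tmpfile - mark newly created tmpfile as new
 * @idmap: idmap of the mount the inode was found from
 * @inode: inode of the newly created tmpfile
 *
 * No measuring, appraising or auditing of newly created tmpfiles is needed.
 * Skip calling process_measurement(), but indicate which newly created
 * tmpfiles are in policy.
 */
void ima_post_create_tmpfile(struct mnt_idmap *idmap,
			     struct inode *inode)
{
	struct integrity_iint_cache *iint;
	int must_appraise;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return;

	must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS,
					  FILE_CHECK);
	if (!must_appraise)
		return;

	/* Nothing to do if we can't allocate memory */
	iint = integrity_inode_get(inode);
	if (!iint)
		return;

	/* needed for writing the security xattrs */
	set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	iint->ima_file_status = INTEGRITY_PASS;
}

/**
 * ima_post_path_mknod - mark as a new inode
 * @idmap: idmap of the mount the inode was found from
 * @dentry: newly created dentry
 *
 * Mark files created via the mknodat syscall as new, so that the
 * file data can be written later.
 */
void ima_post_path_mknod(struct mnt_idmap *idmap,
			 struct dentry *dentry)
{
	struct integrity_iint_cache *iint;
	struct inode *inode = dentry->d_inode;
	int must_appraise;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return;

	must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS,
					  FILE_CHECK);
	if (!must_appraise)
		return;

	/* Nothing to do if we can't allocate memory */
	iint = integrity_inode_get(inode);
	if (!iint)
		return;

	/* needed for re-opening empty files */
	iint->flags |= IMA_NEW_FILE;
}

/**
 * ima_read_file - pre-measure/appraise hook decision based on policy
 * @file: pointer to the file to be measured/appraised/audit
 * @read_id: caller identifier
 * @contents: whether a subsequent call will be made to ima_post_read_file()
 *
 * Permit reading a file based on policy. The policy rules are written
 * in terms of the policy identifier.  Appraising the integrity of
 * a file requires a file descriptor.
 *
 * For permission return 0, otherwise return -EACCES.
 */
int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
		  bool contents)
{
	enum ima_hooks func;
	u32 secid;

	/*
	 * Do devices using pre-allocated memory run the risk of the
	 * firmware being accessible to the device prior to the completion
	 * of IMA's signature verification any more than when using two
	 * buffers? It may be desirable to include the buffer address
	 * in this API and walk all the dma_map_single() mappings to check.
	 */

	/*
	 * There will be a call made to ima_post_read_file() with
	 * a filled buffer, so we don't need to perform an extra
	 * read early here.
	 */
	if (contents)
		return 0;

	/* Read entire file for all partial reads. */
	func = read_idmap[read_id] ?: FILE_CHECK;
	security_current_getsecid_subj(&secid);
	return process_measurement(file, current_cred(), secid, NULL,
				   0, MAY_READ, func);
}

/* Maps kernel_read_file ids onto IMA hooks; unlisted ids fall back to FILE_CHECK. */
const int read_idmap[READING_MAX_ID] = {
	[READING_FIRMWARE] = FIRMWARE_CHECK,
	[READING_MODULE] = MODULE_CHECK,
	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
	[READING_POLICY] = POLICY_CHECK
};

/**
 * ima_post_read_file - in memory collect/appraise/audit measurement
 * @file: pointer to the file to be measured/appraised/audit
 * @buf: pointer to in memory file contents
 * @size: size of in memory file contents
 * @read_id: caller identifier
 *
 * Measure/appraise/audit in memory file based on policy. Policy rules
 * are written in terms of a policy identifier.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_post_read_file(struct file *file, void *buf, loff_t size,
		       enum kernel_read_file_id read_id)
{
	enum ima_hooks func;
	u32 secid;

	/* permit signed certs */
	if (!file && read_id == READING_X509_CERTIFICATE)
		return 0;

	if (!file || !buf || size == 0) {	/* should never happen */
		if (ima_appraise & IMA_APPRAISE_ENFORCE)
			return -EACCES;
		return 0;
	}

	func = read_idmap[read_id] ?: FILE_CHECK;
	security_current_getsecid_subj(&secid);
	return process_measurement(file, current_cred(), secid, buf, size,
				   MAY_READ, func);
}

/**
 * ima_load_data - appraise decision based on policy
 * @id: kernel load data caller identifier
 * @contents: whether the full contents will be available in a later
 *	      call to ima_post_load_data().
 *
 * Callers of this LSM hook can not measure, appraise, or audit the
 * data provided by userspace.  Enforce policy rules requiring a file
 * signature (eg. kexec'ed kernel image).
 *
 * For permission return 0, otherwise return -EACCES.
 */
int ima_load_data(enum kernel_load_data_id id, bool contents)
{
	bool ima_enforce, sig_enforce;

	ima_enforce =
		(ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;

	switch (id) {
	case LOADING_KEXEC_IMAGE:
		/* With secure boot the kexec image must be signature-checked regardless of IMA mode. */
		if (IS_ENABLED(CONFIG_KEXEC_SIG)
		    && arch_ima_get_secureboot()) {
			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
			return -EACCES;
		}

		if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		}
		break;
	case LOADING_FIRMWARE:
		if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
			pr_err("Prevent firmware sysfs fallback loading.\n");
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		}
		break;
	case LOADING_MODULE:
		sig_enforce = is_module_sig_enforced();

		if (ima_enforce && (!sig_enforce
				    && (ima_appraise & IMA_APPRAISE_MODULES))) {
			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		}
		break;
	default:
		break;
	}
	return 0;
}

/**
 * ima_post_load_data - appraise decision based on policy
 * @buf: pointer to in memory file contents
 * @size: size of in memory file contents
 * @load_id: kernel load data caller identifier
 * @description: @load_id-specific description of contents
 *
 * Measure/appraise/audit in memory buffer based on policy. Policy rules
 * are written in terms of a policy identifier.
 *
 * Only LOADING_FIRMWARE is acted on here: it is denied outright when
 * firmware appraisal is required and enforcing, since the buffer cannot
 * be appraised.  @buf, @size and @description are currently unused.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_post_load_data(char *buf, loff_t size,
		       enum kernel_load_data_id load_id,
		       char *description)
{
	if (load_id == LOADING_FIRMWARE) {
		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
			pr_err("Prevent firmware loading_store.\n");
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		}
		return 0;
	}

	return 0;
}

/**
 * process_buffer_measurement - Measure the buffer or the buffer data hash
 * @idmap: idmap of the mount the inode was found from
 * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
 * @buf: pointer to the buffer that needs to be added to the log.
 * @size: size of buffer(in bytes).
 * @eventname: event name to be used for the buffer entry.
 * @func: IMA hook
 * @pcr: pcr to extend the measurement
 * @func_data: func specific data, may be NULL
 * @buf_hash: measure buffer data hash
 * @digest: buffer digest will be written to
 * @digest_len: buffer length
 *
 * Based on policy, either the buffer data or buffer data hash is measured
 *
 * Return: 0 if the buffer has been successfully measured, 1 if the digest
 * has been written to the passed location but not added to a measurement entry,
 * a negative value otherwise.
 */
int process_buffer_measurement(struct mnt_idmap *idmap,
			       struct inode *inode, const void *buf, int size,
			       const char *eventname, enum ima_hooks func,
			       int pcr, const char *func_data,
			       bool buf_hash, u8 *digest, size_t digest_len)
{
	int ret = 0;
	const char *audit_cause = "ENOMEM";
	struct ima_template_entry *entry = NULL;
	struct integrity_iint_cache iint = {};
	struct ima_event_data event_data = {.iint = &iint,
					    .filename = eventname,
					    .buf = buf,
					    .buf_len = size};
	struct ima_template_desc *template;
	struct ima_max_digest_data hash;
	char digest_hash[IMA_MAX_DIGEST_SIZE];
	int digest_hash_len = hash_digest_size[ima_hash_algo];
	int violation = 0;
	int action = 0;
	u32 secid;

	/* The caller's digest buffer must hold a full digest of ima_hash_algo. */
	if (digest && digest_len < digest_hash_len)
		return -EINVAL;

	if (!ima_policy_flag && !digest)
		return -ENOENT;

	template = ima_template_desc_buf();
	if (!template) {
		ret = -EINVAL;
		audit_cause = "ima_template_desc_buf";
		goto out;
	}

	/*
	 * Both LSM hooks and auxiliary based buffer measurements are
	 * based on policy.  To avoid code duplication, differentiate
	 * between the LSM hooks and auxiliary buffer measurements,
	 * retrieving the policy rule information only for the LSM hook
	 * buffer measurements.
	 */
	if (func) {
		security_current_getsecid_subj(&secid);
		action = ima_get_action(idmap, inode, current_cred(),
					secid, 0, func, &pcr, &template,
					func_data, NULL);
		if (!(action & IMA_MEASURE) && !digest)
			return -ENOENT;
	}

	if (!pcr)
		pcr = CONFIG_IMA_MEASURE_PCR_IDX;

	iint.ima_hash = &hash.hdr;
	iint.ima_hash->algo = ima_hash_algo;
	iint.ima_hash->length = hash_digest_size[ima_hash_algo];

	ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
	if (ret < 0) {
		audit_cause = "hashing_error";
		goto out;
	}

	/* Optionally log the hash of the digest instead of the data itself. */
	if (buf_hash) {
		memcpy(digest_hash, hash.hdr.digest, digest_hash_len);

		ret = ima_calc_buffer_hash(digest_hash, digest_hash_len,
					   iint.ima_hash);
		if (ret < 0) {
			audit_cause = "hashing_error";
			goto out;
		}

		event_data.buf = digest_hash;
		event_data.buf_len = digest_hash_len;
	}

	if (digest)
		memcpy(digest, iint.ima_hash->digest, digest_hash_len);

	if (!ima_policy_flag || (func && !(action & IMA_MEASURE)))
		return 1;

	ret = ima_alloc_init_template(&event_data, &entry, template);
	if (ret < 0) {
		audit_cause = "alloc_entry";
		goto out;
	}

	ret = ima_store_template(entry, violation, NULL, event_data.buf, pcr);
	if (ret < 0) {
		audit_cause = "store_entry";
		ima_free_template_entry(entry);
	}

out:
	if (ret < 0)
		integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, eventname,
					func_measure_str(func),
					audit_cause, ret, 0, ret);

	return ret;
}

/**
 * ima_kexec_cmdline - measure kexec cmdline boot args
 * @kernel_fd: file descriptor of the kexec kernel being loaded
 * @buf: pointer to buffer
 * @size: size of buffer
 *
 * Buffers can only be measured, not appraised.
 */
void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
{
	struct fd f;

	if (!buf || !size)
		return;

	f = fdget(kernel_fd);
	if (!f.file)
		return;

	/* Best effort: the measurement result is not reported to the caller. */
	process_buffer_measurement(file_mnt_idmap(f.file), file_inode(f.file),
				   buf, size, "kexec-cmdline", KEXEC_CMDLINE, 0,
				   NULL, false, NULL, 0);
	fdput(f);
}

/**
 * ima_measure_critical_data - measure kernel integrity critical data
 * @event_label: unique event label for grouping and limiting critical data
 * @event_name: event name for the record in the IMA measurement list
 * @buf: pointer to buffer data
 * @buf_len: length of buffer data (in bytes)
 * @hash: measure buffer data hash
 * @digest: buffer digest will be written to
 * @digest_len: buffer length
 *
 * Measure data critical to the integrity of the kernel into the IMA log
 * and extend the pcr.  Examples of critical data could be various data
 * structures, policies, and states stored in kernel memory that can
 * impact the integrity of the system.
 *
 * Return: 0 if the buffer has been successfully measured, 1 if the digest
 * has been written to the passed location but not added to a measurement entry,
 * a negative value otherwise.
 */
int ima_measure_critical_data(const char *event_label,
			      const char *event_name,
			      const void *buf, size_t buf_len,
			      bool hash, u8 *digest, size_t digest_len)
{
	if (!event_name || !event_label || !buf || !buf_len)
		return -ENOPARAM;

	return process_buffer_measurement(&nop_mnt_idmap, NULL, buf, buf_len,
					  event_name, CRITICAL_DATA, 0,
					  event_label, hash, digest,
					  digest_len);
}
EXPORT_SYMBOL_GPL(ima_measure_critical_data);

/**
 * init_ima - initialise IMA at late_initcall time
 *
 * Parses the appraisal command line, sets up the template list and the
 * configured hash algorithm, then runs ima_init().  If that fails with a
 * non-default algorithm, the default one is retried once.  Finally the LSM
 * policy-change notifier is registered and the policy flags are refreshed.
 *
 * Returns 0 on success or the error from ima_init() / notifier registration.
 */
static int __init init_ima(void)
{
	int error;

	ima_appraise_parse_cmdline();
	ima_init_template_list();
	hash_setup(CONFIG_IMA_DEFAULT_HASH);
	error = ima_init();

	if (error && strcmp(hash_algo_name[ima_hash_algo],
			    CONFIG_IMA_DEFAULT_HASH) != 0) {
		pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
			hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
		/* Re-arm hash_setup() so the default algorithm can be applied. */
		hash_setup_done = 0;
		hash_setup(CONFIG_IMA_DEFAULT_HASH);
		error = ima_init();
	}

	if (error)
		return error;

	error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
	if (error)
		pr_warn("Couldn't register LSM notifier, error %d\n", error);

	if (!error)
		ima_update_policy_flags();

	return error;
}

late_initcall(init_ima);	/* Start IMA after the TPM is available */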