1 /*
2  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3  *
4  * Authors:
5  * Reiner Sailer <sailer@watson.ibm.com>
6  * Serge Hallyn <serue@us.ibm.com>
7  * Kylene Hall <kylene@us.ibm.com>
8  * Mimi Zohar <zohar@us.ibm.com>
9  *
10  * This program is free software; you can redistribute it and/or
11  * modify it under the terms of the GNU General Public License as
12  * published by the Free Software Foundation, version 2 of the
13  * License.
14  *
15  * File: ima_main.c
16  *             implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17  *             and ima_path_check.
18  */
19 #include <linux/module.h>
20 #include <linux/file.h>
21 #include <linux/binfmts.h>
22 #include <linux/mount.h>
23 #include <linux/mman.h>
24 
25 #include "ima.h"
26 
27 int ima_initialized;
28 
29 char *ima_hash = "sha1";
30 static int __init hash_setup(char *str)
31 {
32 	const char *op = "hash_setup";
33 	const char *hash = "sha1";
34 	int result = 0;
35 	int audit_info = 0;
36 
37 	if (strncmp(str, "md5", 3) == 0) {
38 		hash = "md5";
39 		ima_hash = str;
40 	} else if (strncmp(str, "sha1", 4) != 0) {
41 		hash = "invalid_hash_type";
42 		result = 1;
43 	}
44 	integrity_audit_msg(AUDIT_INTEGRITY_HASH, NULL, NULL, op, hash,
45 			    result, audit_info);
46 	return 1;
47 }
48 __setup("ima_hash=", hash_setup);
49 
50 /**
51  * ima_file_free - called on __fput()
52  * @file: pointer to file structure being freed
53  *
54  * Flag files that changed, based on i_version;
55  * and decrement the iint readcount/writecount.
56  */
57 void ima_file_free(struct file *file)
58 {
59 	struct inode *inode = file->f_dentry->d_inode;
60 	struct ima_iint_cache *iint;
61 
62 	if (!ima_initialized || !S_ISREG(inode->i_mode))
63 		return;
64 	iint = ima_iint_find_get(inode);
65 	if (!iint)
66 		return;
67 
68 	mutex_lock(&iint->mutex);
69 	if (iint->opencount <= 0) {
70 		printk(KERN_INFO
71 		       "%s: %s open/free imbalance (r:%ld w:%ld o:%ld f:%ld)\n",
72 		       __FUNCTION__, file->f_dentry->d_name.name,
73 		       iint->readcount, iint->writecount,
74 		       iint->opencount, atomic_long_read(&file->f_count));
75 		if (!(iint->flags & IMA_IINT_DUMP_STACK)) {
76 			dump_stack();
77 			iint->flags |= IMA_IINT_DUMP_STACK;
78 		}
79 	}
80 	iint->opencount--;
81 
82 	if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
83 		iint->readcount--;
84 
85 	if (file->f_mode & FMODE_WRITE) {
86 		iint->writecount--;
87 		if (iint->writecount == 0) {
88 			if (iint->version != inode->i_version)
89 				iint->flags &= ~IMA_MEASURED;
90 		}
91 	}
92 	mutex_unlock(&iint->mutex);
93 	kref_put(&iint->refcount, iint_free);
94 }
95 
96 /* ima_read_write_check - reflect possible reading/writing errors in the PCR.
97  *
98  * When opening a file for read, if the file is already open for write,
99  * the file could change, resulting in a file measurement error.
100  *
101  * Opening a file for write, if the file is already open for read, results
102  * in a time of measure, time of use (ToMToU) error.
103  *
104  * In either case invalidate the PCR.
105  */
106 enum iint_pcr_error { TOMTOU, OPEN_WRITERS };
107 static void ima_read_write_check(enum iint_pcr_error error,
108 				 struct ima_iint_cache *iint,
109 				 struct inode *inode,
110 				 const unsigned char *filename)
111 {
112 	switch (error) {
113 	case TOMTOU:
114 		if (iint->readcount > 0)
115 			ima_add_violation(inode, filename, "invalid_pcr",
116 					  "ToMToU");
117 		break;
118 	case OPEN_WRITERS:
119 		if (iint->writecount > 0)
120 			ima_add_violation(inode, filename, "invalid_pcr",
121 					  "open_writers");
122 		break;
123 	}
124 }
125 
126 static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
127 				const unsigned char *filename)
128 {
129 	int rc = 0;
130 
131 	if (IS_ERR(file)) {
132 		pr_info("%s dentry_open failed\n", filename);
133 		return rc;
134 	}
135 	iint->opencount++;
136 	iint->readcount++;
137 
138 	rc = ima_collect_measurement(iint, file);
139 	if (!rc)
140 		ima_store_measurement(iint, file, filename);
141 	return rc;
142 }
143 
144 /**
145  * ima_path_check - based on policy, collect/store measurement.
146  * @path: contains a pointer to the path to be measured
147  * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
148  *
149  * Measure the file being open for readonly, based on the
150  * ima_must_measure() policy decision.
151  *
152  * Keep read/write counters for all files, but only
153  * invalidate the PCR for measured files:
154  * 	- Opening a file for write when already open for read,
155  *	  results in a time of measure, time of use (ToMToU) error.
156  *	- Opening a file for read when already open for write,
157  * 	  could result in a file measurement error.
158  *
159  * Return 0 on success, an error code on failure.
160  * (Based on the results of appraise_measurement().)
161  */
162 int ima_path_check(struct path *path, int mask)
163 {
164 	struct inode *inode = path->dentry->d_inode;
165 	struct ima_iint_cache *iint;
166 	struct file *file = NULL;
167 	int rc;
168 
169 	if (!ima_initialized || !S_ISREG(inode->i_mode))
170 		return 0;
171 	iint = ima_iint_find_insert_get(inode);
172 	if (!iint)
173 		return 0;
174 
175 	mutex_lock(&iint->mutex);
176 	iint->opencount++;
177 	if ((mask & MAY_WRITE) || (mask == 0))
178 		iint->writecount++;
179 	else if (mask & (MAY_READ | MAY_EXEC))
180 		iint->readcount++;
181 
182 	rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
183 	if (rc < 0)
184 		goto out;
185 
186 	if ((mask & MAY_WRITE) || (mask == 0))
187 		ima_read_write_check(TOMTOU, iint, inode,
188 				     path->dentry->d_name.name);
189 
190 	if ((mask & (MAY_WRITE | MAY_READ | MAY_EXEC)) != MAY_READ)
191 		goto out;
192 
193 	ima_read_write_check(OPEN_WRITERS, iint, inode,
194 			     path->dentry->d_name.name);
195 	if (!(iint->flags & IMA_MEASURED)) {
196 		struct dentry *dentry = dget(path->dentry);
197 		struct vfsmount *mnt = mntget(path->mnt);
198 
199 		file = dentry_open(dentry, mnt, O_RDONLY, current->cred);
200 		rc = get_path_measurement(iint, file, dentry->d_name.name);
201 	}
202 out:
203 	mutex_unlock(&iint->mutex);
204 	if (file)
205 		fput(file);
206 	kref_put(&iint->refcount, iint_free);
207 	return 0;
208 }
209 
210 static int process_measurement(struct file *file, const unsigned char *filename,
211 			       int mask, int function)
212 {
213 	struct inode *inode = file->f_dentry->d_inode;
214 	struct ima_iint_cache *iint;
215 	int rc;
216 
217 	if (!ima_initialized || !S_ISREG(inode->i_mode))
218 		return 0;
219 	iint = ima_iint_find_insert_get(inode);
220 	if (!iint)
221 		return -ENOMEM;
222 
223 	mutex_lock(&iint->mutex);
224 	rc = ima_must_measure(iint, inode, mask, function);
225 	if (rc != 0)
226 		goto out;
227 
228 	rc = ima_collect_measurement(iint, file);
229 	if (!rc)
230 		ima_store_measurement(iint, file, filename);
231 out:
232 	mutex_unlock(&iint->mutex);
233 	kref_put(&iint->refcount, iint_free);
234 	return rc;
235 }
236 
237 static void opencount_get(struct file *file)
238 {
239 	struct inode *inode = file->f_dentry->d_inode;
240 	struct ima_iint_cache *iint;
241 
242 	if (!ima_initialized || !S_ISREG(inode->i_mode))
243 		return;
244 	iint = ima_iint_find_insert_get(inode);
245 	if (!iint)
246 		return;
247 	mutex_lock(&iint->mutex);
248 	iint->opencount++;
249 	mutex_unlock(&iint->mutex);
250 }
251 
252 /**
253  * ima_file_mmap - based on policy, collect/store measurement.
254  * @file: pointer to the file to be measured (May be NULL)
255  * @prot: contains the protection that will be applied by the kernel.
256  *
257  * Measure files being mmapped executable based on the ima_must_measure()
258  * policy decision.
259  *
260  * Return 0 on success, an error code on failure.
261  * (Based on the results of appraise_measurement().)
262  */
263 int ima_file_mmap(struct file *file, unsigned long prot)
264 {
265 	int rc;
266 
267 	if (!file)
268 		return 0;
269 	if (prot & PROT_EXEC)
270 		rc = process_measurement(file, file->f_dentry->d_name.name,
271 					 MAY_EXEC, FILE_MMAP);
272 	return 0;
273 }
274 
275 /*
276  * ima_shm_check - IPC shm and shmat create/fput a file
277  *
278  * Maintain the opencount for these files to prevent unnecessary
279  * imbalance messages.
280  */
281 void ima_shm_check(struct file *file)
282 {
283 	opencount_get(file);
284 	return;
285 }
286 
287 /**
288  * ima_bprm_check - based on policy, collect/store measurement.
289  * @bprm: contains the linux_binprm structure
290  *
291  * The OS protects against an executable file, already open for write,
292  * from being executed in deny_write_access() and an executable file,
293  * already open for execute, from being modified in get_write_access().
294  * So we can be certain that what we verify and measure here is actually
295  * what is being executed.
296  *
297  * Return 0 on success, an error code on failure.
298  * (Based on the results of appraise_measurement().)
299  */
300 int ima_bprm_check(struct linux_binprm *bprm)
301 {
302 	int rc;
303 
304 	rc = process_measurement(bprm->file, bprm->filename,
305 				 MAY_EXEC, BPRM_CHECK);
306 	return 0;
307 }
308 
309 static int __init init_ima(void)
310 {
311 	int error;
312 
313 	ima_iintcache_init();
314 	error = ima_init();
315 	ima_initialized = 1;
316 	return error;
317 }
318 
319 static void __exit cleanup_ima(void)
320 {
321 	ima_cleanup();
322 }
323 
324 late_initcall(init_ima);	/* Start IMA after the TPM is available */
325 
326 MODULE_DESCRIPTION("Integrity Measurement Architecture");
327 MODULE_LICENSE("GPL");
328