1 /* 2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 3 * 4 * Authors: 5 * Reiner Sailer <sailer@watson.ibm.com> 6 * Serge Hallyn <serue@us.ibm.com> 7 * Kylene Hall <kylene@us.ibm.com> 8 * Mimi Zohar <zohar@us.ibm.com> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation, version 2 of the 13 * License. 14 * 15 * File: ima_main.c 16 * implements the IMA hooks: ima_bprm_check, ima_file_mmap, 17 * and ima_file_check. 18 */ 19 #include <linux/module.h> 20 #include <linux/file.h> 21 #include <linux/binfmts.h> 22 #include <linux/mount.h> 23 #include <linux/mman.h> 24 #include <linux/slab.h> 25 26 #include "ima.h" 27 28 int ima_initialized; 29 30 char *ima_hash = "sha1"; 31 static int __init hash_setup(char *str) 32 { 33 if (strncmp(str, "md5", 3) == 0) 34 ima_hash = "md5"; 35 return 1; 36 } 37 __setup("ima_hash=", hash_setup); 38 39 struct ima_imbalance { 40 struct hlist_node node; 41 unsigned long fsmagic; 42 }; 43 44 /* 45 * ima_limit_imbalance - emit one imbalance message per filesystem type 46 * 47 * Maintain list of filesystem types that do not measure files properly. 48 * Return false if unknown, true if known. 49 */ 50 static bool ima_limit_imbalance(struct file *file) 51 { 52 static DEFINE_SPINLOCK(ima_imbalance_lock); 53 static HLIST_HEAD(ima_imbalance_list); 54 55 struct super_block *sb = file->f_dentry->d_sb; 56 struct ima_imbalance *entry; 57 struct hlist_node *node; 58 bool found = false; 59 60 rcu_read_lock(); 61 hlist_for_each_entry_rcu(entry, node, &ima_imbalance_list, node) { 62 if (entry->fsmagic == sb->s_magic) { 63 found = true; 64 break; 65 } 66 } 67 rcu_read_unlock(); 68 if (found) 69 goto out; 70 71 entry = kmalloc(sizeof(*entry), GFP_NOFS); 72 if (!entry) 73 goto out; 74 entry->fsmagic = sb->s_magic; 75 spin_lock(&ima_imbalance_lock); 76 /* 77 * we could have raced and something else might have added this fs 78 * to the list, but we don't really care 79 */ 80 hlist_add_head_rcu(&entry->node, &ima_imbalance_list); 81 spin_unlock(&ima_imbalance_lock); 82 printk(KERN_INFO "IMA: unmeasured files on fsmagic: %lX\n", 83 entry->fsmagic); 84 out: 85 return found; 86 } 87 88 /* 89 * ima_counts_get - increment file counts 90 * 91 * Maintain read/write counters for all files, but only 92 * invalidate the PCR for measured files: 93 * - Opening a file for write when already open for read, 94 * results in a time of measure, time of use (ToMToU) error. 95 * - Opening a file for read when already open for write, 96 * could result in a file measurement error. 97 * 98 */ 99 void ima_counts_get(struct file *file) 100 { 101 struct dentry *dentry = file->f_path.dentry; 102 struct inode *inode = dentry->d_inode; 103 fmode_t mode = file->f_mode; 104 int rc; 105 bool send_tomtou = false, send_writers = false; 106 107 if (!S_ISREG(inode->i_mode)) 108 return; 109 110 spin_lock(&inode->i_lock); 111 112 if (!ima_initialized) 113 goto out; 114 115 if (mode & FMODE_WRITE) { 116 if (inode->i_readcount && IS_IMA(inode)) 117 send_tomtou = true; 118 goto out; 119 } 120 121 rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK); 122 if (rc < 0) 123 goto out; 124 125 if (atomic_read(&inode->i_writecount) > 0) 126 send_writers = true; 127 out: 128 /* remember the vfs deals with i_writecount */ 129 if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) 130 inode->i_readcount++; 131 132 spin_unlock(&inode->i_lock); 133 134 if (send_tomtou) 135 ima_add_violation(inode, dentry->d_name.name, "invalid_pcr", 136 "ToMToU"); 137 if (send_writers) 138 ima_add_violation(inode, dentry->d_name.name, "invalid_pcr", 139 "open_writers"); 140 } 141 142 /* 143 * Decrement ima counts 144 */ 145 static void ima_dec_counts(struct inode *inode, struct file *file) 146 { 147 mode_t mode = file->f_mode; 148 149 assert_spin_locked(&inode->i_lock); 150 151 if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) { 152 if (unlikely(inode->i_readcount == 0)) { 153 if (!ima_limit_imbalance(file)) { 154 printk(KERN_INFO "%s: open/free imbalance (r:%u)\n", 155 __func__, inode->i_readcount); 156 dump_stack(); 157 } 158 return; 159 } 160 inode->i_readcount--; 161 } 162 } 163 164 static void ima_check_last_writer(struct ima_iint_cache *iint, 165 struct inode *inode, 166 struct file *file) 167 { 168 mode_t mode = file->f_mode; 169 170 BUG_ON(!mutex_is_locked(&iint->mutex)); 171 assert_spin_locked(&inode->i_lock); 172 173 if (mode & FMODE_WRITE && 174 atomic_read(&inode->i_writecount) == 1 && 175 iint->version != inode->i_version) 176 iint->flags &= ~IMA_MEASURED; 177 } 178 179 static void ima_file_free_iint(struct ima_iint_cache *iint, struct inode *inode, 180 struct file *file) 181 { 182 mutex_lock(&iint->mutex); 183 spin_lock(&inode->i_lock); 184 185 ima_dec_counts(inode, file); 186 ima_check_last_writer(iint, inode, file); 187 188 spin_unlock(&inode->i_lock); 189 mutex_unlock(&iint->mutex); 190 } 191 192 static void ima_file_free_noiint(struct inode *inode, struct file *file) 193 { 194 spin_lock(&inode->i_lock); 195 196 ima_dec_counts(inode, file); 197 198 spin_unlock(&inode->i_lock); 199 } 200 201 /** 202 * ima_file_free - called on __fput() 203 * @file: pointer to file structure being freed 204 * 205 * Flag files that changed, based on i_version; 206 * and decrement the i_readcount. 207 */ 208 void ima_file_free(struct file *file) 209 { 210 struct inode *inode = file->f_dentry->d_inode; 211 struct ima_iint_cache *iint; 212 213 if (!iint_initialized || !S_ISREG(inode->i_mode)) 214 return; 215 216 iint = ima_iint_find(inode); 217 218 if (iint) 219 ima_file_free_iint(iint, inode, file); 220 else 221 ima_file_free_noiint(inode, file); 222 223 } 224 225 static int process_measurement(struct file *file, const unsigned char *filename, 226 int mask, int function) 227 { 228 struct inode *inode = file->f_dentry->d_inode; 229 struct ima_iint_cache *iint; 230 int rc = 0; 231 232 if (!ima_initialized || !S_ISREG(inode->i_mode)) 233 return 0; 234 235 rc = ima_must_measure(NULL, inode, mask, function); 236 if (rc != 0) 237 return rc; 238 retry: 239 iint = ima_iint_find(inode); 240 if (!iint) { 241 rc = ima_inode_alloc(inode); 242 if (!rc || rc == -EEXIST) 243 goto retry; 244 return rc; 245 } 246 247 mutex_lock(&iint->mutex); 248 249 rc = ima_must_measure(iint, inode, mask, function); 250 if (rc != 0) 251 goto out; 252 253 rc = ima_collect_measurement(iint, file); 254 if (!rc) 255 ima_store_measurement(iint, file, filename); 256 out: 257 mutex_unlock(&iint->mutex); 258 return rc; 259 } 260 261 /** 262 * ima_file_mmap - based on policy, collect/store measurement. 263 * @file: pointer to the file to be measured (May be NULL) 264 * @prot: contains the protection that will be applied by the kernel. 265 * 266 * Measure files being mmapped executable based on the ima_must_measure() 267 * policy decision. 268 * 269 * Return 0 on success, an error code on failure. 270 * (Based on the results of appraise_measurement().) 271 */ 272 int ima_file_mmap(struct file *file, unsigned long prot) 273 { 274 int rc; 275 276 if (!file) 277 return 0; 278 if (prot & PROT_EXEC) 279 rc = process_measurement(file, file->f_dentry->d_name.name, 280 MAY_EXEC, FILE_MMAP); 281 return 0; 282 } 283 284 /** 285 * ima_bprm_check - based on policy, collect/store measurement. 286 * @bprm: contains the linux_binprm structure 287 * 288 * The OS protects against an executable file, already open for write, 289 * from being executed in deny_write_access() and an executable file, 290 * already open for execute, from being modified in get_write_access(). 291 * So we can be certain that what we verify and measure here is actually 292 * what is being executed. 293 * 294 * Return 0 on success, an error code on failure. 295 * (Based on the results of appraise_measurement().) 296 */ 297 int ima_bprm_check(struct linux_binprm *bprm) 298 { 299 int rc; 300 301 rc = process_measurement(bprm->file, bprm->filename, 302 MAY_EXEC, BPRM_CHECK); 303 return 0; 304 } 305 306 /** 307 * ima_path_check - based on policy, collect/store measurement. 308 * @file: pointer to the file to be measured 309 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE 310 * 311 * Measure files based on the ima_must_measure() policy decision. 312 * 313 * Always return 0 and audit dentry_open failures. 314 * (Return code will be based upon measurement appraisal.) 315 */ 316 int ima_file_check(struct file *file, int mask) 317 { 318 int rc; 319 320 rc = process_measurement(file, file->f_dentry->d_name.name, 321 mask & (MAY_READ | MAY_WRITE | MAY_EXEC), 322 FILE_CHECK); 323 return 0; 324 } 325 EXPORT_SYMBOL_GPL(ima_file_check); 326 327 static int __init init_ima(void) 328 { 329 int error; 330 331 error = ima_init(); 332 ima_initialized = 1; 333 return error; 334 } 335 336 static void __exit cleanup_ima(void) 337 { 338 ima_cleanup(); 339 } 340 341 late_initcall(init_ima); /* Start IMA after the TPM is available */ 342 343 MODULE_DESCRIPTION("Integrity Measurement Architecture"); 344 MODULE_LICENSE("GPL"); 345