1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Integrity Measurement Architecture 4 * 5 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 6 * 7 * Authors: 8 * Reiner Sailer <sailer@watson.ibm.com> 9 * Serge Hallyn <serue@us.ibm.com> 10 * Kylene Hall <kylene@us.ibm.com> 11 * Mimi Zohar <zohar@us.ibm.com> 12 * 13 * File: ima_main.c 14 * implements the IMA hooks: ima_bprm_check, ima_file_mmap, 15 * and ima_file_check. 16 */ 17 18#include <linux/module.h> 19#include <linux/file.h> 20#include <linux/binfmts.h> 21#include <linux/kernel_read_file.h> 22#include <linux/mount.h> 23#include <linux/mman.h> 24#include <linux/slab.h> 25#include <linux/xattr.h> 26#include <linux/ima.h> 27#include <linux/iversion.h> 28#include <linux/fs.h> 29#include <linux/iversion.h> 30 31#include "ima.h" 32 33#ifdef CONFIG_IMA_APPRAISE 34int ima_appraise = IMA_APPRAISE_ENFORCE; 35#else 36int ima_appraise; 37#endif 38 39int ima_hash_algo = HASH_ALGO_SHA1; 40static int hash_setup_done; 41 42static struct notifier_block ima_lsm_policy_notifier = { 43 .notifier_call = ima_lsm_policy_change, 44}; 45 46static int __init hash_setup(char *str) 47{ 48 struct ima_template_desc *template_desc = ima_template_desc_current(); 49 int i; 50 51 if (hash_setup_done) 52 return 1; 53 54 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { 55 if (strncmp(str, "sha1", 4) == 0) { 56 ima_hash_algo = HASH_ALGO_SHA1; 57 } else if (strncmp(str, "md5", 3) == 0) { 58 ima_hash_algo = HASH_ALGO_MD5; 59 } else { 60 pr_err("invalid hash algorithm \"%s\" for template \"%s\"", 61 str, IMA_TEMPLATE_IMA_NAME); 62 return 1; 63 } 64 goto out; 65 } 66 67 i = match_string(hash_algo_name, HASH_ALGO__LAST, str); 68 if (i < 0) { 69 pr_err("invalid hash algorithm \"%s\"", str); 70 return 1; 71 } 72 73 ima_hash_algo = i; 74out: 75 hash_setup_done = 1; 76 return 1; 77} 78__setup("ima_hash=", hash_setup); 79 80/* Prevent mmap'ing a file execute that is already mmap'ed write */ 81static int mmap_violation_check(enum ima_hooks func, struct file *file, 82 char **pathbuf, const char **pathname, 83 char *filename) 84{ 85 struct inode *inode; 86 int rc = 0; 87 88 if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) { 89 rc = -ETXTBSY; 90 inode = file_inode(file); 91 92 if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */ 93 *pathname = ima_d_path(&file->f_path, pathbuf, 94 filename); 95 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, *pathname, 96 "mmap_file", "mmapped_writers", rc, 0); 97 } 98 return rc; 99} 100 101/* 102 * ima_rdwr_violation_check 103 * 104 * Only invalidate the PCR for measured files: 105 * - Opening a file for write when already open for read, 106 * results in a time of measure, time of use (ToMToU) error. 107 * - Opening a file for read when already open for write, 108 * could result in a file measurement error. 109 * 110 */ 111static void ima_rdwr_violation_check(struct file *file, 112 struct integrity_iint_cache *iint, 113 int must_measure, 114 char **pathbuf, 115 const char **pathname, 116 char *filename) 117{ 118 struct inode *inode = file_inode(file); 119 fmode_t mode = file->f_mode; 120 bool send_tomtou = false, send_writers = false; 121 122 if (mode & FMODE_WRITE) { 123 if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { 124 if (!iint) 125 iint = integrity_iint_find(inode); 126 /* IMA_MEASURE is set from reader side */ 127 if (iint && test_bit(IMA_MUST_MEASURE, 128 &iint->atomic_flags)) 129 send_tomtou = true; 130 } 131 } else { 132 if (must_measure) 133 set_bit(IMA_MUST_MEASURE, &iint->atomic_flags); 134 if (inode_is_open_for_write(inode) && must_measure) 135 send_writers = true; 136 } 137 138 if (!send_tomtou && !send_writers) 139 return; 140 141 *pathname = ima_d_path(&file->f_path, pathbuf, filename); 142 143 if (send_tomtou) 144 ima_add_violation(file, *pathname, iint, 145 "invalid_pcr", "ToMToU"); 146 if (send_writers) 147 ima_add_violation(file, *pathname, iint, 148 "invalid_pcr", "open_writers"); 149} 150 151static void ima_check_last_writer(struct integrity_iint_cache *iint, 152 struct inode *inode, struct file *file) 153{ 154 fmode_t mode = file->f_mode; 155 bool update; 156 157 if (!(mode & FMODE_WRITE)) 158 return; 159 160 mutex_lock(&iint->mutex); 161 if (atomic_read(&inode->i_writecount) == 1) { 162 update = test_and_clear_bit(IMA_UPDATE_XATTR, 163 &iint->atomic_flags); 164 if (!IS_I_VERSION(inode) || 165 !inode_eq_iversion(inode, iint->version) || 166 (iint->flags & IMA_NEW_FILE)) { 167 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); 168 iint->measured_pcrs = 0; 169 if (update) 170 ima_update_xattr(iint, file); 171 } 172 } 173 mutex_unlock(&iint->mutex); 174} 175 176/** 177 * ima_file_free - called on __fput() 178 * @file: pointer to file structure being freed 179 * 180 * Flag files that changed, based on i_version 181 */ 182void ima_file_free(struct file *file) 183{ 184 struct inode *inode = file_inode(file); 185 struct integrity_iint_cache *iint; 186 187 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 188 return; 189 190 iint = integrity_iint_find(inode); 191 if (!iint) 192 return; 193 194 ima_check_last_writer(iint, inode, file); 195} 196 197static int process_measurement(struct file *file, const struct cred *cred, 198 u32 secid, char *buf, loff_t size, int mask, 199 enum ima_hooks func) 200{ 201 struct inode *backing_inode, *inode = file_inode(file); 202 struct integrity_iint_cache *iint = NULL; 203 struct ima_template_desc *template_desc = NULL; 204 char *pathbuf = NULL; 205 char filename[NAME_MAX]; 206 const char *pathname = NULL; 207 int rc = 0, action, must_appraise = 0; 208 int pcr = CONFIG_IMA_MEASURE_PCR_IDX; 209 struct evm_ima_xattr_data *xattr_value = NULL; 210 struct modsig *modsig = NULL; 211 int xattr_len = 0; 212 bool violation_check; 213 enum hash_algo hash_algo; 214 215 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 216 return 0; 217 218 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action 219 * bitmask based on the appraise/audit/measurement policy. 220 * Included is the appraise submask. 221 */ 222 action = ima_get_action(inode, cred, secid, mask, func, &pcr, 223 &template_desc, NULL); 224 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && 225 (ima_policy_flag & IMA_MEASURE)); 226 if (!action && !violation_check) 227 return 0; 228 229 must_appraise = action & IMA_APPRAISE; 230 231 /* Is the appraise rule hook specific? */ 232 if (action & IMA_FILE_APPRAISE) 233 func = FILE_CHECK; 234 235 inode_lock(inode); 236 237 if (action) { 238 iint = integrity_inode_get(inode); 239 if (!iint) 240 rc = -ENOMEM; 241 } 242 243 if (!rc && violation_check) 244 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, 245 &pathbuf, &pathname, filename); 246 247 inode_unlock(inode); 248 249 if (rc) 250 goto out; 251 if (!action) 252 goto out; 253 254 mutex_lock(&iint->mutex); 255 256 if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags)) 257 /* reset appraisal flags if ima_inode_post_setattr was called */ 258 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | 259 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | 260 IMA_ACTION_FLAGS); 261 262 /* 263 * Re-evaulate the file if either the xattr has changed or the 264 * kernel has no way of detecting file change on the filesystem. 265 * (Limited to privileged mounted filesystems.) 266 */ 267 if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) || 268 ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && 269 !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) && 270 !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) { 271 iint->flags &= ~IMA_DONE_MASK; 272 iint->measured_pcrs = 0; 273 } 274 275 /* Detect and re-evaluate changes made to the backing file. */ 276 backing_inode = d_real_inode(file_dentry(file)); 277 if (backing_inode != inode && 278 (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) { 279 if (!IS_I_VERSION(backing_inode) || 280 backing_inode->i_sb->s_dev != iint->real_dev || 281 backing_inode->i_ino != iint->real_ino || 282 !inode_eq_iversion(backing_inode, iint->version)) { 283 iint->flags &= ~IMA_DONE_MASK; 284 iint->measured_pcrs = 0; 285 } 286 } 287 288 /* Determine if already appraised/measured based on bitmask 289 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, 290 * IMA_AUDIT, IMA_AUDITED) 291 */ 292 iint->flags |= action; 293 action &= IMA_DO_MASK; 294 action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1); 295 296 /* If target pcr is already measured, unset IMA_MEASURE action */ 297 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr))) 298 action ^= IMA_MEASURE; 299 300 /* HASH sets the digital signature and update flags, nothing else */ 301 if ((action & IMA_HASH) && 302 !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) { 303 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); 304 if ((xattr_value && xattr_len > 2) && 305 (xattr_value->type == EVM_IMA_XATTR_DIGSIG)) 306 set_bit(IMA_DIGSIG, &iint->atomic_flags); 307 iint->flags |= IMA_HASHED; 308 action ^= IMA_HASH; 309 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 310 } 311 312 /* Nothing to do, just return existing appraised status */ 313 if (!action) { 314 if (must_appraise) { 315 rc = mmap_violation_check(func, file, &pathbuf, 316 &pathname, filename); 317 if (!rc) 318 rc = ima_get_cache_status(iint, func); 319 } 320 goto out_locked; 321 } 322 323 if ((action & IMA_APPRAISE_SUBMASK) || 324 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) { 325 /* read 'security.ima' */ 326 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); 327 328 /* 329 * Read the appended modsig if allowed by the policy, and allow 330 * an additional measurement list entry, if needed, based on the 331 * template format and whether the file was already measured. 332 */ 333 if (iint->flags & IMA_MODSIG_ALLOWED) { 334 rc = ima_read_modsig(func, buf, size, &modsig); 335 336 if (!rc && ima_template_has_modsig(template_desc) && 337 iint->flags & IMA_MEASURED) 338 action |= IMA_MEASURE; 339 } 340 } 341 342 hash_algo = ima_get_hash_algo(xattr_value, xattr_len); 343 344 rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig); 345 if (rc != 0 && rc != -EBADF && rc != -EINVAL) 346 goto out_locked; 347 348 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ 349 pathname = ima_d_path(&file->f_path, &pathbuf, filename); 350 351 if (action & IMA_MEASURE) 352 ima_store_measurement(iint, file, pathname, 353 xattr_value, xattr_len, modsig, pcr, 354 template_desc); 355 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { 356 rc = ima_check_blacklist(iint, modsig, pcr); 357 if (rc != -EPERM) { 358 inode_lock(inode); 359 rc = ima_appraise_measurement(func, iint, file, 360 pathname, xattr_value, 361 xattr_len, modsig); 362 inode_unlock(inode); 363 } 364 if (!rc) 365 rc = mmap_violation_check(func, file, &pathbuf, 366 &pathname, filename); 367 } 368 if (action & IMA_AUDIT) 369 ima_audit_measurement(iint, pathname); 370 371 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO)) 372 rc = 0; 373out_locked: 374 if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) && 375 !(iint->flags & IMA_NEW_FILE)) 376 rc = -EACCES; 377 mutex_unlock(&iint->mutex); 378 kfree(xattr_value); 379 ima_free_modsig(modsig); 380out: 381 if (pathbuf) 382 __putname(pathbuf); 383 if (must_appraise) { 384 if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE)) 385 return -EACCES; 386 if (file->f_mode & FMODE_WRITE) 387 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 388 } 389 return 0; 390} 391 392/** 393 * ima_file_mmap - based on policy, collect/store measurement. 394 * @file: pointer to the file to be measured (May be NULL) 395 * @reqprot: protection requested by the application 396 * @prot: protection that will be applied by the kernel 397 * @flags: operational flags 398 * 399 * Measure files being mmapped executable based on the ima_must_measure() 400 * policy decision. 401 * 402 * On success return 0. On integrity appraisal error, assuming the file 403 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 404 */ 405int ima_file_mmap(struct file *file, unsigned long reqprot, 406 unsigned long prot, unsigned long flags) 407{ 408 u32 secid; 409 410 if (file && (prot & PROT_EXEC)) { 411 security_task_getsecid(current, &secid); 412 return process_measurement(file, current_cred(), secid, NULL, 413 0, MAY_EXEC, MMAP_CHECK); 414 } 415 416 return 0; 417} 418 419/** 420 * ima_file_mprotect - based on policy, limit mprotect change 421 * @prot: contains the protection that will be applied by the kernel. 422 * 423 * Files can be mmap'ed read/write and later changed to execute to circumvent 424 * IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore 425 * would be taken before i_mutex), files can not be measured or appraised at 426 * this point. Eliminate this integrity gap by denying the mprotect 427 * PROT_EXECUTE change, if an mmap appraise policy rule exists. 428 * 429 * On mprotect change success, return 0. On failure, return -EACESS. 430 */ 431int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) 432{ 433 struct ima_template_desc *template; 434 struct file *file = vma->vm_file; 435 char filename[NAME_MAX]; 436 char *pathbuf = NULL; 437 const char *pathname = NULL; 438 struct inode *inode; 439 int result = 0; 440 int action; 441 u32 secid; 442 int pcr; 443 444 /* Is mprotect making an mmap'ed file executable? */ 445 if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file || 446 !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) 447 return 0; 448 449 security_task_getsecid(current, &secid); 450 inode = file_inode(vma->vm_file); 451 action = ima_get_action(inode, current_cred(), secid, MAY_EXEC, 452 MMAP_CHECK, &pcr, &template, 0); 453 454 /* Is the mmap'ed file in policy? */ 455 if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) 456 return 0; 457 458 if (action & IMA_APPRAISE_SUBMASK) 459 result = -EPERM; 460 461 file = vma->vm_file; 462 pathname = ima_d_path(&file->f_path, &pathbuf, filename); 463 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, pathname, 464 "collect_data", "failed-mprotect", result, 0); 465 if (pathbuf) 466 __putname(pathbuf); 467 468 return result; 469} 470 471/** 472 * ima_bprm_check - based on policy, collect/store measurement. 473 * @bprm: contains the linux_binprm structure 474 * 475 * The OS protects against an executable file, already open for write, 476 * from being executed in deny_write_access() and an executable file, 477 * already open for execute, from being modified in get_write_access(). 478 * So we can be certain that what we verify and measure here is actually 479 * what is being executed. 480 * 481 * On success return 0. On integrity appraisal error, assuming the file 482 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 483 */ 484int ima_bprm_check(struct linux_binprm *bprm) 485{ 486 int ret; 487 u32 secid; 488 489 security_task_getsecid(current, &secid); 490 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, 491 MAY_EXEC, BPRM_CHECK); 492 if (ret) 493 return ret; 494 495 security_cred_getsecid(bprm->cred, &secid); 496 return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, 497 MAY_EXEC, CREDS_CHECK); 498} 499 500/** 501 * ima_path_check - based on policy, collect/store measurement. 502 * @file: pointer to the file to be measured 503 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND 504 * 505 * Measure files based on the ima_must_measure() policy decision. 506 * 507 * On success return 0. On integrity appraisal error, assuming the file 508 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 509 */ 510int ima_file_check(struct file *file, int mask) 511{ 512 u32 secid; 513 514 security_task_getsecid(current, &secid); 515 return process_measurement(file, current_cred(), secid, NULL, 0, 516 mask & (MAY_READ | MAY_WRITE | MAY_EXEC | 517 MAY_APPEND), FILE_CHECK); 518} 519EXPORT_SYMBOL_GPL(ima_file_check); 520 521/** 522 * ima_file_hash - return the stored measurement if a file has been hashed and 523 * is in the iint cache. 524 * @file: pointer to the file 525 * @buf: buffer in which to store the hash 526 * @buf_size: length of the buffer 527 * 528 * On success, return the hash algorithm (as defined in the enum hash_algo). 529 * If buf is not NULL, this function also outputs the hash into buf. 530 * If the hash is larger than buf_size, then only buf_size bytes will be copied. 531 * It generally just makes sense to pass a buffer capable of holding the largest 532 * possible hash: IMA_MAX_DIGEST_SIZE. 533 * The file hash returned is based on the entire file, including the appended 534 * signature. 535 * 536 * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP. 537 * If the parameters are incorrect, return -EINVAL. 538 */ 539int ima_file_hash(struct file *file, char *buf, size_t buf_size) 540{ 541 struct inode *inode; 542 struct integrity_iint_cache *iint; 543 int hash_algo; 544 545 if (!file) 546 return -EINVAL; 547 548 if (!ima_policy_flag) 549 return -EOPNOTSUPP; 550 551 inode = file_inode(file); 552 iint = integrity_iint_find(inode); 553 if (!iint) 554 return -EOPNOTSUPP; 555 556 mutex_lock(&iint->mutex); 557 558 /* 559 * ima_file_hash can be called when ima_collect_measurement has still 560 * not been called, we might not always have a hash. 561 */ 562 if (!iint->ima_hash) { 563 mutex_unlock(&iint->mutex); 564 return -EOPNOTSUPP; 565 } 566 567 if (buf) { 568 size_t copied_size; 569 570 copied_size = min_t(size_t, iint->ima_hash->length, buf_size); 571 memcpy(buf, iint->ima_hash->digest, copied_size); 572 } 573 hash_algo = iint->ima_hash->algo; 574 mutex_unlock(&iint->mutex); 575 576 return hash_algo; 577} 578EXPORT_SYMBOL_GPL(ima_file_hash); 579 580/** 581 * ima_post_create_tmpfile - mark newly created tmpfile as new 582 * @file : newly created tmpfile 583 * 584 * No measuring, appraising or auditing of newly created tmpfiles is needed. 585 * Skip calling process_measurement(), but indicate which newly, created 586 * tmpfiles are in policy. 587 */ 588void ima_post_create_tmpfile(struct inode *inode) 589{ 590 struct integrity_iint_cache *iint; 591 int must_appraise; 592 593 must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); 594 if (!must_appraise) 595 return; 596 597 /* Nothing to do if we can't allocate memory */ 598 iint = integrity_inode_get(inode); 599 if (!iint) 600 return; 601 602 /* needed for writing the security xattrs */ 603 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 604 iint->ima_file_status = INTEGRITY_PASS; 605} 606 607/** 608 * ima_post_path_mknod - mark as a new inode 609 * @dentry: newly created dentry 610 * 611 * Mark files created via the mknodat syscall as new, so that the 612 * file data can be written later. 613 */ 614void ima_post_path_mknod(struct dentry *dentry) 615{ 616 struct integrity_iint_cache *iint; 617 struct inode *inode = dentry->d_inode; 618 int must_appraise; 619 620 must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); 621 if (!must_appraise) 622 return; 623 624 /* Nothing to do if we can't allocate memory */ 625 iint = integrity_inode_get(inode); 626 if (!iint) 627 return; 628 629 /* needed for re-opening empty files */ 630 iint->flags |= IMA_NEW_FILE; 631} 632 633/** 634 * ima_read_file - pre-measure/appraise hook decision based on policy 635 * @file: pointer to the file to be measured/appraised/audit 636 * @read_id: caller identifier 637 * @contents: whether a subsequent call will be made to ima_post_read_file() 638 * 639 * Permit reading a file based on policy. The policy rules are written 640 * in terms of the policy identifier. Appraising the integrity of 641 * a file requires a file descriptor. 642 * 643 * For permission return 0, otherwise return -EACCES. 644 */ 645int ima_read_file(struct file *file, enum kernel_read_file_id read_id, 646 bool contents) 647{ 648 enum ima_hooks func; 649 u32 secid; 650 651 /* 652 * Do devices using pre-allocated memory run the risk of the 653 * firmware being accessible to the device prior to the completion 654 * of IMA's signature verification any more than when using two 655 * buffers? It may be desirable to include the buffer address 656 * in this API and walk all the dma_map_single() mappings to check. 657 */ 658 659 /* 660 * There will be a call made to ima_post_read_file() with 661 * a filled buffer, so we don't need to perform an extra 662 * read early here. 663 */ 664 if (contents) 665 return 0; 666 667 /* Read entire file for all partial reads. */ 668 func = read_idmap[read_id] ?: FILE_CHECK; 669 security_task_getsecid(current, &secid); 670 return process_measurement(file, current_cred(), secid, NULL, 671 0, MAY_READ, func); 672} 673 674const int read_idmap[READING_MAX_ID] = { 675 [READING_FIRMWARE] = FIRMWARE_CHECK, 676 [READING_MODULE] = MODULE_CHECK, 677 [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, 678 [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, 679 [READING_POLICY] = POLICY_CHECK 680}; 681 682/** 683 * ima_post_read_file - in memory collect/appraise/audit measurement 684 * @file: pointer to the file to be measured/appraised/audit 685 * @buf: pointer to in memory file contents 686 * @size: size of in memory file contents 687 * @read_id: caller identifier 688 * 689 * Measure/appraise/audit in memory file based on policy. Policy rules 690 * are written in terms of a policy identifier. 691 * 692 * On success return 0. On integrity appraisal error, assuming the file 693 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 694 */ 695int ima_post_read_file(struct file *file, void *buf, loff_t size, 696 enum kernel_read_file_id read_id) 697{ 698 enum ima_hooks func; 699 u32 secid; 700 701 /* permit signed certs */ 702 if (!file && read_id == READING_X509_CERTIFICATE) 703 return 0; 704 705 if (!file || !buf || size == 0) { /* should never happen */ 706 if (ima_appraise & IMA_APPRAISE_ENFORCE) 707 return -EACCES; 708 return 0; 709 } 710 711 func = read_idmap[read_id] ?: FILE_CHECK; 712 security_task_getsecid(current, &secid); 713 return process_measurement(file, current_cred(), secid, buf, size, 714 MAY_READ, func); 715} 716 717/** 718 * ima_load_data - appraise decision based on policy 719 * @id: kernel load data caller identifier 720 * @contents: whether the full contents will be available in a later 721 * call to ima_post_load_data(). 722 * 723 * Callers of this LSM hook can not measure, appraise, or audit the 724 * data provided by userspace. Enforce policy rules requring a file 725 * signature (eg. kexec'ed kernel image). 726 * 727 * For permission return 0, otherwise return -EACCES. 728 */ 729int ima_load_data(enum kernel_load_data_id id, bool contents) 730{ 731 bool ima_enforce, sig_enforce; 732 733 ima_enforce = 734 (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; 735 736 switch (id) { 737 case LOADING_KEXEC_IMAGE: 738 if (IS_ENABLED(CONFIG_KEXEC_SIG) 739 && arch_ima_get_secureboot()) { 740 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); 741 return -EACCES; 742 } 743 744 if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) { 745 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); 746 return -EACCES; /* INTEGRITY_UNKNOWN */ 747 } 748 break; 749 case LOADING_FIRMWARE: 750 if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) { 751 pr_err("Prevent firmware sysfs fallback loading.\n"); 752 return -EACCES; /* INTEGRITY_UNKNOWN */ 753 } 754 break; 755 case LOADING_MODULE: 756 sig_enforce = is_module_sig_enforced(); 757 758 if (ima_enforce && (!sig_enforce 759 && (ima_appraise & IMA_APPRAISE_MODULES))) { 760 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); 761 return -EACCES; /* INTEGRITY_UNKNOWN */ 762 } 763 break; 764 default: 765 break; 766 } 767 return 0; 768} 769 770/** 771 * ima_post_load_data - appraise decision based on policy 772 * @buf: pointer to in memory file contents 773 * @size: size of in memory file contents 774 * @id: kernel load data caller identifier 775 * @description: @id-specific description of contents 776 * 777 * Measure/appraise/audit in memory buffer based on policy. Policy rules 778 * are written in terms of a policy identifier. 779 * 780 * On success return 0. On integrity appraisal error, assuming the file 781 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 782 */ 783int ima_post_load_data(char *buf, loff_t size, 784 enum kernel_load_data_id load_id, 785 char *description) 786{ 787 if (load_id == LOADING_FIRMWARE) { 788 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && 789 (ima_appraise & IMA_APPRAISE_ENFORCE)) { 790 pr_err("Prevent firmware loading_store.\n"); 791 return -EACCES; /* INTEGRITY_UNKNOWN */ 792 } 793 return 0; 794 } 795 796 return 0; 797} 798 799/* 800 * process_buffer_measurement - Measure the buffer to ima log. 801 * @inode: inode associated with the object being measured (NULL for KEY_CHECK) 802 * @buf: pointer to the buffer that needs to be added to the log. 803 * @size: size of buffer(in bytes). 804 * @eventname: event name to be used for the buffer entry. 805 * @func: IMA hook 806 * @pcr: pcr to extend the measurement 807 * @keyring: keyring name to determine the action to be performed 808 * 809 * Based on policy, the buffer is measured into the ima log. 810 */ 811void process_buffer_measurement(struct inode *inode, const void *buf, int size, 812 const char *eventname, enum ima_hooks func, 813 int pcr, const char *keyring) 814{ 815 int ret = 0; 816 const char *audit_cause = "ENOMEM"; 817 struct ima_template_entry *entry = NULL; 818 struct integrity_iint_cache iint = {}; 819 struct ima_event_data event_data = {.iint = &iint, 820 .filename = eventname, 821 .buf = buf, 822 .buf_len = size}; 823 struct ima_template_desc *template = NULL; 824 struct { 825 struct ima_digest_data hdr; 826 char digest[IMA_MAX_DIGEST_SIZE]; 827 } hash = {}; 828 int violation = 0; 829 int action = 0; 830 u32 secid; 831 832 if (!ima_policy_flag) 833 return; 834 835 /* 836 * Both LSM hooks and auxilary based buffer measurements are 837 * based on policy. To avoid code duplication, differentiate 838 * between the LSM hooks and auxilary buffer measurements, 839 * retrieving the policy rule information only for the LSM hook 840 * buffer measurements. 841 */ 842 if (func) { 843 security_task_getsecid(current, &secid); 844 action = ima_get_action(inode, current_cred(), secid, 0, func, 845 &pcr, &template, keyring); 846 if (!(action & IMA_MEASURE)) 847 return; 848 } 849 850 if (!pcr) 851 pcr = CONFIG_IMA_MEASURE_PCR_IDX; 852 853 if (!template) { 854 template = lookup_template_desc("ima-buf"); 855 ret = template_desc_init_fields(template->fmt, 856 &(template->fields), 857 &(template->num_fields)); 858 if (ret < 0) { 859 pr_err("template %s init failed, result: %d\n", 860 (strlen(template->name) ? 861 template->name : template->fmt), ret); 862 return; 863 } 864 } 865 866 iint.ima_hash = &hash.hdr; 867 iint.ima_hash->algo = ima_hash_algo; 868 iint.ima_hash->length = hash_digest_size[ima_hash_algo]; 869 870 ret = ima_calc_buffer_hash(buf, size, iint.ima_hash); 871 if (ret < 0) { 872 audit_cause = "hashing_error"; 873 goto out; 874 } 875 876 ret = ima_alloc_init_template(&event_data, &entry, template); 877 if (ret < 0) { 878 audit_cause = "alloc_entry"; 879 goto out; 880 } 881 882 ret = ima_store_template(entry, violation, NULL, buf, pcr); 883 if (ret < 0) { 884 audit_cause = "store_entry"; 885 ima_free_template_entry(entry); 886 } 887 888out: 889 if (ret < 0) 890 integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, eventname, 891 func_measure_str(func), 892 audit_cause, ret, 0, ret); 893 894 return; 895} 896 897/** 898 * ima_kexec_cmdline - measure kexec cmdline boot args 899 * @kernel_fd: file descriptor of the kexec kernel being loaded 900 * @buf: pointer to buffer 901 * @size: size of buffer 902 * 903 * Buffers can only be measured, not appraised. 904 */ 905void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) 906{ 907 struct fd f; 908 909 if (!buf || !size) 910 return; 911 912 f = fdget(kernel_fd); 913 if (!f.file) 914 return; 915 916 process_buffer_measurement(file_inode(f.file), buf, size, 917 "kexec-cmdline", KEXEC_CMDLINE, 0, NULL); 918 fdput(f); 919} 920 921static int __init init_ima(void) 922{ 923 int error; 924 925 ima_init_template_list(); 926 hash_setup(CONFIG_IMA_DEFAULT_HASH); 927 error = ima_init(); 928 929 if (error && strcmp(hash_algo_name[ima_hash_algo], 930 CONFIG_IMA_DEFAULT_HASH) != 0) { 931 pr_info("Allocating %s failed, going to use default hash algorithm %s\n", 932 hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); 933 hash_setup_done = 0; 934 hash_setup(CONFIG_IMA_DEFAULT_HASH); 935 error = ima_init(); 936 } 937 938 if (error) 939 return error; 940 941 error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier); 942 if (error) 943 pr_warn("Couldn't register LSM notifier, error %d\n", error); 944 945 if (!error) 946 ima_update_policy_flag(); 947 948 return error; 949} 950 951late_initcall(init_ima); /* Start IMA after the TPM is available */ 952