ima_main.c (06cca5110774f7b59a1685431ac697865588f4ca) | ima_main.c (cd3cec0a02c7338ce2901c574f3935b8f6984aab) |
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Integrity Measurement Architecture 4 * 5 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 6 * 7 * Authors: 8 * Reiner Sailer <sailer@watson.ibm.com> --- 175 unchanged lines hidden (view full) --- 184} 185 186/** 187 * ima_file_free - called on __fput() 188 * @file: pointer to file structure being freed 189 * 190 * Flag files that changed, based on i_version 191 */ | 1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Integrity Measurement Architecture 4 * 5 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 6 * 7 * Authors: 8 * Reiner Sailer <sailer@watson.ibm.com> --- 175 unchanged lines hidden (view full) --- 184} 185 186/** 187 * ima_file_free - called on __fput() 188 * @file: pointer to file structure being freed 189 * 190 * Flag files that changed, based on i_version 191 */ |
192void ima_file_free(struct file *file) | 192static void ima_file_free(struct file *file) |
193{ 194 struct inode *inode = file_inode(file); 195 struct integrity_iint_cache *iint; 196 197 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 198 return; 199 200 iint = integrity_iint_find(inode); --- 221 unchanged lines hidden (view full) --- 422 * @flags: operational flags 423 * 424 * Measure files being mmapped executable based on the ima_must_measure() 425 * policy decision. 426 * 427 * On success return 0. On integrity appraisal error, assuming the file 428 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 429 */ | 193{ 194 struct inode *inode = file_inode(file); 195 struct integrity_iint_cache *iint; 196 197 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 198 return; 199 200 iint = integrity_iint_find(inode); --- 221 unchanged lines hidden (view full) --- 422 * @flags: operational flags 423 * 424 * Measure files being mmapped executable based on the ima_must_measure() 425 * policy decision. 426 * 427 * On success return 0. On integrity appraisal error, assuming the file 428 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 429 */ |
430int ima_file_mmap(struct file *file, unsigned long reqprot, 431 unsigned long prot, unsigned long flags) | 430static int ima_file_mmap(struct file *file, unsigned long reqprot, 431 unsigned long prot, unsigned long flags) |
432{ 433 u32 secid; 434 int ret; 435 436 if (!file) 437 return 0; 438 439 security_current_getsecid_subj(&secid); --- 21 unchanged lines hidden (view full) --- 461 * Files can be mmap'ed read/write and later changed to execute to circumvent 462 * IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore 463 * would be taken before i_mutex), files can not be measured or appraised at 464 * this point. Eliminate this integrity gap by denying the mprotect 465 * PROT_EXECUTE change, if an mmap appraise policy rule exists. 466 * 467 * On mprotect change success, return 0. On failure, return -EACESS. 468 */ | 432{ 433 u32 secid; 434 int ret; 435 436 if (!file) 437 return 0; 438 439 security_current_getsecid_subj(&secid); --- 21 unchanged lines hidden (view full) --- 461 * Files can be mmap'ed read/write and later changed to execute to circumvent 462 * IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore 463 * would be taken before i_mutex), files can not be measured or appraised at 464 * this point. Eliminate this integrity gap by denying the mprotect 465 * PROT_EXECUTE change, if an mmap appraise policy rule exists. 466 * 467 * On mprotect change success, return 0. On failure, return -EACESS. 468 */ |
469int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 470 unsigned long prot) | 469static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 470 unsigned long prot) |
471{ 472 struct ima_template_desc *template = NULL; 473 struct file *file; 474 char filename[NAME_MAX]; 475 char *pathbuf = NULL; 476 const char *pathname = NULL; 477 struct inode *inode; 478 int result = 0; --- 41 unchanged lines hidden (view full) --- 520 * from being executed in deny_write_access() and an executable file, 521 * already open for execute, from being modified in get_write_access(). 522 * So we can be certain that what we verify and measure here is actually 523 * what is being executed. 524 * 525 * On success return 0. On integrity appraisal error, assuming the file 526 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 527 */ | 471{ 472 struct ima_template_desc *template = NULL; 473 struct file *file; 474 char filename[NAME_MAX]; 475 char *pathbuf = NULL; 476 const char *pathname = NULL; 477 struct inode *inode; 478 int result = 0; --- 41 unchanged lines hidden (view full) --- 520 * from being executed in deny_write_access() and an executable file, 521 * already open for execute, from being modified in get_write_access(). 522 * So we can be certain that what we verify and measure here is actually 523 * what is being executed. 524 * 525 * On success return 0. On integrity appraisal error, assuming the file 526 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 527 */ |
528int ima_bprm_check(struct linux_binprm *bprm) | 528static int ima_bprm_check(struct linux_binprm *bprm) |
529{ 530 int ret; 531 u32 secid; 532 533 security_current_getsecid_subj(&secid); 534 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, 535 MAY_EXEC, BPRM_CHECK); 536 if (ret) --- 9 unchanged lines hidden (view full) --- 546 * @file: pointer to the file to be measured 547 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND 548 * 549 * Measure files based on the ima_must_measure() policy decision. 550 * 551 * On success return 0. On integrity appraisal error, assuming the file 552 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 553 */ | 529{ 530 int ret; 531 u32 secid; 532 533 security_current_getsecid_subj(&secid); 534 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, 535 MAY_EXEC, BPRM_CHECK); 536 if (ret) --- 9 unchanged lines hidden (view full) --- 546 * @file: pointer to the file to be measured 547 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND 548 * 549 * Measure files based on the ima_must_measure() policy decision. 550 * 551 * On success return 0. On integrity appraisal error, assuming the file 552 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 553 */ |
554int ima_file_check(struct file *file, int mask) | 554static int ima_file_check(struct file *file, int mask) |
555{ 556 u32 secid; 557 558 security_current_getsecid_subj(&secid); 559 return process_measurement(file, current_cred(), secid, NULL, 0, 560 mask & (MAY_READ | MAY_WRITE | MAY_EXEC | 561 MAY_APPEND), FILE_CHECK); 562} | 555{ 556 u32 secid; 557 558 security_current_getsecid_subj(&secid); 559 return process_measurement(file, current_cred(), secid, NULL, 0, 560 mask & (MAY_READ | MAY_WRITE | MAY_EXEC | 561 MAY_APPEND), FILE_CHECK); 562} |
563EXPORT_SYMBOL_GPL(ima_file_check); | |
564 565static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, 566 size_t buf_size) 567{ 568 struct integrity_iint_cache *iint = NULL, tmp_iint; 569 int rc, hash_algo; 570 571 if (ima_policy_flag) { --- 108 unchanged lines hidden (view full) --- 680 * ima_post_create_tmpfile - mark newly created tmpfile as new 681 * @idmap: idmap of the mount the inode was found from 682 * @inode: inode of the newly created tmpfile 683 * 684 * No measuring, appraising or auditing of newly created tmpfiles is needed. 685 * Skip calling process_measurement(), but indicate which newly, created 686 * tmpfiles are in policy. 687 */ | 563 564static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, 565 size_t buf_size) 566{ 567 struct integrity_iint_cache *iint = NULL, tmp_iint; 568 int rc, hash_algo; 569 570 if (ima_policy_flag) { --- 108 unchanged lines hidden (view full) --- 679 * ima_post_create_tmpfile - mark newly created tmpfile as new 680 * @idmap: idmap of the mount the inode was found from 681 * @inode: inode of the newly created tmpfile 682 * 683 * No measuring, appraising or auditing of newly created tmpfiles is needed. 684 * Skip calling process_measurement(), but indicate which newly, created 685 * tmpfiles are in policy. 686 */ |
688void ima_post_create_tmpfile(struct mnt_idmap *idmap, 689 struct inode *inode) | 687static void ima_post_create_tmpfile(struct mnt_idmap *idmap, 688 struct inode *inode) 689 |
690{ 691 struct integrity_iint_cache *iint; 692 int must_appraise; 693 694 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 695 return; 696 697 must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS, --- 14 unchanged lines hidden (view full) --- 712/** 713 * ima_post_path_mknod - mark as a new inode 714 * @idmap: idmap of the mount the inode was found from 715 * @dentry: newly created dentry 716 * 717 * Mark files created via the mknodat syscall as new, so that the 718 * file data can be written later. 719 */ | 690{ 691 struct integrity_iint_cache *iint; 692 int must_appraise; 693 694 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 695 return; 696 697 must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS, --- 14 unchanged lines hidden (view full) --- 712/** 713 * ima_post_path_mknod - mark as a new inode 714 * @idmap: idmap of the mount the inode was found from 715 * @dentry: newly created dentry 716 * 717 * Mark files created via the mknodat syscall as new, so that the 718 * file data can be written later. 719 */ |
720void ima_post_path_mknod(struct mnt_idmap *idmap, 721 struct dentry *dentry) | 720static void ima_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry) |
722{ 723 struct integrity_iint_cache *iint; 724 struct inode *inode = dentry->d_inode; 725 int must_appraise; 726 727 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 728 return; 729 --- 18 unchanged lines hidden (view full) --- 748 * @contents: whether a subsequent call will be made to ima_post_read_file() 749 * 750 * Permit reading a file based on policy. The policy rules are written 751 * in terms of the policy identifier. Appraising the integrity of 752 * a file requires a file descriptor. 753 * 754 * For permission return 0, otherwise return -EACCES. 755 */ | 721{ 722 struct integrity_iint_cache *iint; 723 struct inode *inode = dentry->d_inode; 724 int must_appraise; 725 726 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 727 return; 728 --- 18 unchanged lines hidden (view full) --- 747 * @contents: whether a subsequent call will be made to ima_post_read_file() 748 * 749 * Permit reading a file based on policy. The policy rules are written 750 * in terms of the policy identifier. Appraising the integrity of 751 * a file requires a file descriptor. 752 * 753 * For permission return 0, otherwise return -EACCES. 754 */ |
756int ima_read_file(struct file *file, enum kernel_read_file_id read_id, 757 bool contents) | 755static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, 756 bool contents) |
758{ 759 enum ima_hooks func; 760 u32 secid; 761 762 /* 763 * Do devices using pre-allocated memory run the risk of the 764 * firmware being accessible to the device prior to the completion 765 * of IMA's signature verification any more than when using two --- 32 unchanged lines hidden (view full) --- 798 * @read_id: caller identifier 799 * 800 * Measure/appraise/audit in memory file based on policy. Policy rules 801 * are written in terms of a policy identifier. 802 * 803 * On success return 0. On integrity appraisal error, assuming the file 804 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 805 */ | 757{ 758 enum ima_hooks func; 759 u32 secid; 760 761 /* 762 * Do devices using pre-allocated memory run the risk of the 763 * firmware being accessible to the device prior to the completion 764 * of IMA's signature verification any more than when using two --- 32 unchanged lines hidden (view full) --- 797 * @read_id: caller identifier 798 * 799 * Measure/appraise/audit in memory file based on policy. Policy rules 800 * are written in terms of a policy identifier. 801 * 802 * On success return 0. On integrity appraisal error, assuming the file 803 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 804 */ |
806int ima_post_read_file(struct file *file, char *buf, loff_t size, 807 enum kernel_read_file_id read_id) | 805static int ima_post_read_file(struct file *file, char *buf, loff_t size, 806 enum kernel_read_file_id read_id) |
808{ 809 enum ima_hooks func; 810 u32 secid; 811 812 /* permit signed certs */ 813 if (!file && read_id == READING_X509_CERTIFICATE) 814 return 0; 815 --- 16 unchanged lines hidden (view full) --- 832 * call to ima_post_load_data(). 833 * 834 * Callers of this LSM hook can not measure, appraise, or audit the 835 * data provided by userspace. Enforce policy rules requiring a file 836 * signature (eg. kexec'ed kernel image). 837 * 838 * For permission return 0, otherwise return -EACCES. 839 */ | 807{ 808 enum ima_hooks func; 809 u32 secid; 810 811 /* permit signed certs */ 812 if (!file && read_id == READING_X509_CERTIFICATE) 813 return 0; 814 --- 16 unchanged lines hidden (view full) --- 831 * call to ima_post_load_data(). 832 * 833 * Callers of this LSM hook can not measure, appraise, or audit the 834 * data provided by userspace. Enforce policy rules requiring a file 835 * signature (eg. kexec'ed kernel image). 836 * 837 * For permission return 0, otherwise return -EACCES. 838 */ |
840int ima_load_data(enum kernel_load_data_id id, bool contents) | 839static int ima_load_data(enum kernel_load_data_id id, bool contents) |
841{ 842 bool ima_enforce, sig_enforce; 843 844 ima_enforce = 845 (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; 846 847 switch (id) { 848 case LOADING_KEXEC_IMAGE: --- 37 unchanged lines hidden (view full) --- 886 * @description: @load_id-specific description of contents 887 * 888 * Measure/appraise/audit in memory buffer based on policy. Policy rules 889 * are written in terms of a policy identifier. 890 * 891 * On success return 0. On integrity appraisal error, assuming the file 892 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 893 */ | 840{ 841 bool ima_enforce, sig_enforce; 842 843 ima_enforce = 844 (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; 845 846 switch (id) { 847 case LOADING_KEXEC_IMAGE: --- 37 unchanged lines hidden (view full) --- 885 * @description: @load_id-specific description of contents 886 * 887 * Measure/appraise/audit in memory buffer based on policy. Policy rules 888 * are written in terms of a policy identifier. 889 * 890 * On success return 0. On integrity appraisal error, assuming the file 891 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 892 */ |
894int ima_post_load_data(char *buf, loff_t size, 895 enum kernel_load_data_id load_id, 896 char *description) | 893static int ima_post_load_data(char *buf, loff_t size, 894 enum kernel_load_data_id load_id, 895 char *description) |
897{ 898 if (load_id == LOADING_FIRMWARE) { 899 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && 900 (ima_appraise & IMA_APPRAISE_ENFORCE)) { 901 pr_err("Prevent firmware loading_store.\n"); 902 return -EACCES; /* INTEGRITY_UNKNOWN */ 903 } 904 return 0; --- 204 unchanged lines hidden (view full) --- 1109 * in order to load a kernel module with same name. 1110 * 1111 * Since we don't have any real "crypto-pkcs1pad(rsa,*)" kernel modules, 1112 * we are safe to fail such module request from crypto_larval_lookup(), and 1113 * avoid the verification loop. 1114 * 1115 * Return: Zero if it is safe to load the kernel module, -EINVAL otherwise. 1116 */ | 896{ 897 if (load_id == LOADING_FIRMWARE) { 898 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && 899 (ima_appraise & IMA_APPRAISE_ENFORCE)) { 900 pr_err("Prevent firmware loading_store.\n"); 901 return -EACCES; /* INTEGRITY_UNKNOWN */ 902 } 903 return 0; --- 204 unchanged lines hidden (view full) --- 1108 * in order to load a kernel module with same name. 1109 * 1110 * Since we don't have any real "crypto-pkcs1pad(rsa,*)" kernel modules, 1111 * we are safe to fail such module request from crypto_larval_lookup(), and 1112 * avoid the verification loop. 1113 * 1114 * Return: Zero if it is safe to load the kernel module, -EINVAL otherwise. 1115 */ |
1117int ima_kernel_module_request(char *kmod_name) | 1116static int ima_kernel_module_request(char *kmod_name) |
1118{ 1119 if (strncmp(kmod_name, "crypto-pkcs1pad(rsa,", 20) == 0) 1120 return -EINVAL; 1121 1122 return 0; 1123} 1124 1125#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */ --- 24 unchanged lines hidden (view full) --- 1150 pr_warn("Couldn't register LSM notifier, error %d\n", error); 1151 1152 if (!error) 1153 ima_update_policy_flags(); 1154 1155 return error; 1156} 1157 | 1117{ 1118 if (strncmp(kmod_name, "crypto-pkcs1pad(rsa,", 20) == 0) 1119 return -EINVAL; 1120 1121 return 0; 1122} 1123 1124#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */ --- 24 unchanged lines hidden (view full) --- 1149 pr_warn("Couldn't register LSM notifier, error %d\n", error); 1150 1151 if (!error) 1152 ima_update_policy_flags(); 1153 1154 return error; 1155} 1156 |
1157static struct security_hook_list ima_hooks[] __ro_after_init = { 1158 LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), 1159 LSM_HOOK_INIT(file_post_open, ima_file_check), 1160 LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile), 1161 LSM_HOOK_INIT(file_release, ima_file_free), 1162 LSM_HOOK_INIT(mmap_file, ima_file_mmap), 1163 LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), 1164 LSM_HOOK_INIT(kernel_load_data, ima_load_data), 1165 LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data), 1166 LSM_HOOK_INIT(kernel_read_file, ima_read_file), 1167 LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), 1168 LSM_HOOK_INIT(path_post_mknod, ima_post_path_mknod), 1169#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS 1170 LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update), 1171#endif 1172#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS 1173 LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request), 1174#endif 1175}; 1176 1177static const struct lsm_id ima_lsmid = { 1178 .name = "ima", 1179 .id = LSM_ID_IMA, 1180}; 1181 1182static int __init init_ima_lsm(void) 1183{ 1184 security_add_hooks(ima_hooks, ARRAY_SIZE(ima_hooks), &ima_lsmid); 1185 return 0; 1186} 1187 1188DEFINE_LSM(ima) = { 1189 .name = "ima", 1190 .init = init_ima_lsm, 1191 .order = LSM_ORDER_LAST, 1192}; 1193 |
1158late_initcall(init_ima); /* Start IMA after the TPM is available */ | 1194late_initcall(init_ima); /* Start IMA after the TPM is available */ |
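Review bot: The new-side definition of ima_post_create_tmpfile (gutter 687–689) has a stray blank line between the closing parenthesis of the parameter list and the opening brace at 690; none of the other hooks converted in this change carry one, so the definition should read `static void ima_post_create_tmpfile(struct mnt_idmap *idmap,` / `			    struct inode *inode)` / `{` with the blank line removed. Separately, registering the hooks via the ima_hooks table and DEFINE_LSM(ima) makes them active from LSM initialisation, while init_ima is still run as a late_initcall; the file and inode hooks visible here bail out early on ima_policy_flag, but ima_load_data and ima_post_load_data key off ima_appraise instead, so it is worth confirming that the value ima_appraise holds before init_ima runs cannot yield either a spurious -EACCES or a silent permit for kexec/firmware loads. Marking ima_hooks __ro_after_init is the right choice for a security hook table. The bodies of init_ima and the surrounding hooks extend outside the visible hunks.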