Lines Matching full:file
13 * File: ima_main.c
19 #include <linux/file.h>
105 /* Prevent mmap'ing a file execute that is already mmap'ed write */
106 static int mmap_violation_check(enum ima_hooks func, struct file *file,
114 mapping_writably_mapped(file->f_mapping)) {
116 inode = file_inode(file);
119 *pathname = ima_d_path(&file->f_path, pathbuf,
131 * - Opening a file for write when already open for read,
133 * - Opening a file for read when already open for write,
134 * could result in a file measurement error.
137 static void ima_rdwr_violation_check(struct file *file,
144 struct inode *inode = file_inode(file);
145 fmode_t mode = file->f_mode;
173 *pathname = ima_d_path(&file->f_path, pathbuf, filename);
176 ima_add_violation(file, *pathname, iint,
179 ima_add_violation(file, *pathname, iint,
184 struct inode *inode, struct file *file)
186 fmode_t mode = file->f_mode;
201 vfs_getattr_nosec(&file->f_path, &stat,
209 ima_update_xattr(iint, file);
217 * @file: pointer to file structure being freed
221 static void ima_file_free(struct file *file)
223 struct inode *inode = file_inode(file);
233 ima_check_last_writer(iint, inode, file);
236 static int process_measurement(struct file *file, const struct cred *cred,
242 struct inode *real_inode, *inode = file_inode(file);
265 action = ima_get_action(file_mnt_idmap(file), inode, cred, prop,
272 (file->f_mode & FMODE_WRITE)));
291 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
313 * Re-evaluate the file if either the xattr has changed or the
314 * kernel has no way of detecting file change on the filesystem.
326 * On stacked filesystems, detect and re-evaluate file data and
329 real_inode = d_real_inode(file_dentry(file));
342 metadata_inode = d_inode(d_real(file_dentry(file),
364 xattr_len = ima_read_xattr(file_dentry(file),
377 rc = mmap_violation_check(func, file, &pathbuf,
388 xattr_len = ima_read_xattr(file_dentry(file),
394 * template format and whether the file was already measured.
407 rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
418 pathname = ima_d_path(&file->f_path, &pathbuf, filename);
421 ima_store_measurement(iint, file, pathname,
428 rc = ima_appraise_measurement(func, iint, file,
435 rc = mmap_violation_check(func, file, &pathbuf,
441 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
449 integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file),
466 if (file->f_mode & FMODE_WRITE)
474 * @file: pointer to the file to be measured (May be NULL)
482 * On success return 0. On integrity appraisal error, assuming the file
485 static int ima_file_mmap(struct file *file, unsigned long reqprot,
491 if (!file)
497 ret = process_measurement(file, current_cred(), &prop, NULL,
505 return process_measurement(file, current_cred(), &prop, NULL,
529 struct file *file;
539 /* Is mprotect making an mmap'ed file executable? */
554 /* Is the mmap'ed file in policy? */
561 file = vma->vm_file;
562 pathname = ima_d_path(&file->f_path, &pathbuf, filename);
575 * The OS protects against an executable file, already open for write,
576 * from being executed in deny_write_access() and an executable file,
581 * On success return 0. On integrity appraisal error, assuming the file
589 return process_measurement(bprm->file, current_cred(),
597 * @file: contains the file descriptor of the binary being executed
599 * The OS protects against an executable file, already open for write,
600 * from being executed in deny_write_access() and an executable file,
608 * commit 56305aa9b6fab ("exec: Compute file based creds only once"), the
612 * On success return 0. On integrity appraisal error, assuming the file
615 static int ima_creds_check(struct linux_binprm *bprm, const struct file *file)
620 return process_measurement((struct file *)file, bprm->cred, &prop, NULL,
629 * and appraise the integrity of a file to be executed by script interpreters.
630 * Unlike any of the other LSM hooks where the kernel enforces file integrity,
631 * enforcing file integrity is left up to the discretion of the script
634 * On success return 0. On integrity appraisal error, assuming the file
654 * @file: pointer to the file to be measured
659 * On success return 0. On integrity appraisal error, assuming the file
662 static int ima_file_check(struct file *file, int mask)
667 return process_measurement(file, current_cred(), &prop, NULL, 0,
672 static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
684 if ((!iint || !(iint->flags & IMA_COLLECTED)) && file) {
691 rc = ima_collect_measurement(&tmp_iint, file, NULL, 0,
733 * ima_file_hash - return a measurement of the file
734 * @file: pointer to the file
743 * The file hash returned is based on the entire file, including the appended
749 int ima_file_hash(struct file *file, char *buf, size_t buf_size)
751 if (!file)
754 return __ima_inode_hash(file_inode(file), file, buf, buf_size);
825 * file data can be written later.
852 * @file: pointer to the file to be measured/appraised/audit
856 * Permit reading a file based on policy. The policy rules are written
858 * a file requires a file descriptor.
862 static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
884 /* Read entire file for all partial reads. */
887 return process_measurement(file, current_cred(), &prop, NULL, 0,
902 * @file: pointer to the file to be measured/appraised/audit
903 * @buf: pointer to in memory file contents
904 * @size: size of in memory file contents
907 * Measure/appraise/audit in memory file based on policy. Policy rules
910 * On success return 0. On integrity appraisal error, assuming the file
913 static int ima_post_read_file(struct file *file, char *buf, loff_t size,
920 if (!file && read_id == READING_X509_CERTIFICATE)
923 if (!file || !buf || size == 0) { /* should never happen */
931 return process_measurement(file, current_cred(), &prop, buf, size,
942 * data provided by userspace. Enforce policy rules requiring a file
958 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
963 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
978 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
990 * @buf: pointer to in memory file contents
991 * @size: size of in memory file contents
998 * On success return 0. On integrity appraisal error, assuming the file
1153 * @kernel_fd: file descriptor of the kexec kernel being loaded