xref: /linux/security/integrity/ima/ima_api.c (revision 24c776355f4097316a763005434ffff716aa21a8)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2008 IBM Corporation
4  *
5  * Author: Mimi Zohar <zohar@us.ibm.com>
6  *
7  * File: ima_api.c
8  *	Implements must_appraise_or_measure, collect_measurement,
9  *	appraise_measurement, store_measurement and store_template.
10  */
11 #include <linux/slab.h>
12 #include <linux/file.h>
13 #include <linux/fs.h>
14 #include <linux/hex.h>
15 #include <linux/xattr.h>
16 #include <linux/evm.h>
17 #include <linux/fsverity.h>
18 
19 #include "ima.h"
20 
21 /*
22  * ima_free_template_entry - free an existing template entry
23  */
24 void ima_free_template_entry(struct ima_template_entry *entry)
25 {
26 	int i;
27 
28 	for (i = 0; i < entry->template_desc->num_fields; i++)
29 		kfree(entry->template_data[i].data);
30 
31 	kfree(entry->digests);
32 	kfree(entry);
33 }
34 
35 /*
36  * ima_alloc_init_template - create and initialize a new template entry
37  */
38 int ima_alloc_init_template(struct ima_event_data *event_data,
39 			    struct ima_template_entry **entry,
40 			    struct ima_template_desc *desc)
41 {
42 	struct ima_template_desc *template_desc;
43 	struct tpm_digest *digests;
44 	int i, result = 0;
45 
46 	if (desc)
47 		template_desc = desc;
48 	else
49 		template_desc = ima_template_desc_current();
50 
51 	*entry = kzalloc(struct_size(*entry, template_data,
52 				     template_desc->num_fields), GFP_NOFS);
53 	if (!*entry)
54 		return -ENOMEM;
55 
56 	digests = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots,
57 			  sizeof(*digests), GFP_NOFS);
58 	if (!digests) {
59 		kfree(*entry);
60 		*entry = NULL;
61 		return -ENOMEM;
62 	}
63 
64 	(*entry)->digests = digests;
65 	(*entry)->template_desc = template_desc;
66 	for (i = 0; i < template_desc->num_fields; i++) {
67 		const struct ima_template_field *field =
68 			template_desc->fields[i];
69 		u32 len;
70 
71 		result = field->field_init(event_data,
72 					   &((*entry)->template_data[i]));
73 		if (result != 0)
74 			goto out;
75 
76 		len = (*entry)->template_data[i].len;
77 		(*entry)->template_data_len += sizeof(len);
78 		(*entry)->template_data_len += len;
79 	}
80 	return 0;
81 out:
82 	ima_free_template_entry(*entry);
83 	*entry = NULL;
84 	return result;
85 }
86 
87 /*
88  * ima_store_template - store ima template measurements
89  *
90  * Calculate the hash of a template entry, add the template entry
91  * to an ordered list of measurement entries maintained inside the kernel,
92  * and also update the aggregate integrity value (maintained inside the
93  * configured TPM PCR) over the hashes of the current list of measurement
94  * entries.
95  *
96  * Applications retrieve the current kernel-held measurement list through
97  * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
98  * TPM PCR (called quote) can be retrieved using a TPM user space library
99  * and is used to validate the measurement list.
100  *
101  * Returns 0 on success, error code otherwise
102  */
103 int ima_store_template(struct ima_template_entry *entry,
104 		       int violation, struct inode *inode,
105 		       const unsigned char *filename, int pcr)
106 {
107 	static const char op[] = "add_template_measure";
108 	static const char audit_cause[] = "hashing_error";
109 	char *template_name = entry->template_desc->name;
110 	int result;
111 
112 	if (!violation) {
113 		result = ima_calc_field_array_hash(&entry->template_data[0],
114 						   entry);
115 		if (result < 0) {
116 			integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
117 					    template_name, op,
118 					    audit_cause, result, 0);
119 			return result;
120 		}
121 	}
122 	entry->pcr = pcr;
123 	result = ima_add_template_entry(entry, violation, op, inode, filename);
124 	return result;
125 }
126 
127 /*
128  * ima_add_violation - add violation to measurement list.
129  *
130  * Violations are flagged in the measurement list with zero hash values.
131  * By extending the PCR with 0xFF's instead of with zeroes, the PCR
132  * value is invalidated.
133  */
134 void ima_add_violation(struct file *file, const unsigned char *filename,
135 		       struct ima_iint_cache *iint, const char *op,
136 		       const char *cause)
137 {
138 	struct ima_template_entry *entry;
139 	struct inode *inode = file_inode(file);
140 	struct ima_event_data event_data = { .iint = iint,
141 					     .file = file,
142 					     .filename = filename,
143 					     .violation = cause };
144 	int violation = 1;
145 	int result;
146 
147 	/* can overflow, only indicator */
148 	atomic_long_inc(&ima_htable.violations);
149 
150 	result = ima_alloc_init_template(&event_data, &entry, NULL);
151 	if (result < 0) {
152 		result = -ENOMEM;
153 		goto err_out;
154 	}
155 	result = ima_store_template(entry, violation, inode,
156 				    filename, CONFIG_IMA_MEASURE_PCR_IDX);
157 	if (result < 0)
158 		ima_free_template_entry(entry);
159 err_out:
160 	integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
161 			    op, cause, result, 0);
162 }
163 
164 /**
165  * ima_get_action - appraise & measure decision based on policy.
166  * @idmap: idmap of the mount the inode was found from
167  * @inode: pointer to the inode associated with the object being validated
168  * @cred: pointer to credentials structure to validate
169  * @prop: properties of the task being validated
170  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
171  *        MAY_APPEND)
172  * @func: caller identifier
173  * @pcr: pointer filled in if matched measure policy sets pcr=
174  * @template_desc: pointer filled in if matched measure policy sets template=
175  * @func_data: func specific data, may be NULL
176  * @allowed_algos: allowlist of hash algorithms for the IMA xattr
177  *
178  * The policy is defined in terms of keypairs:
179  *		subj=, obj=, type=, func=, mask=, fsmagic=
180  *	subj,obj, and type: are LSM specific.
181  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
182  *	| KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA | SETXATTR_CHECK
183  *	| MMAP_CHECK_REQPROT
184  *	mask: contains the permission mask
185  *	fsmagic: hex value
186  *
187  * Returns IMA_MEASURE, IMA_APPRAISE mask.
188  *
189  */
190 int ima_get_action(struct mnt_idmap *idmap, struct inode *inode,
191 		   const struct cred *cred, struct lsm_prop *prop, int mask,
192 		   enum ima_hooks func, int *pcr,
193 		   struct ima_template_desc **template_desc,
194 		   const char *func_data, unsigned int *allowed_algos)
195 {
196 	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
197 
198 	flags &= ima_policy_flag;
199 
200 	return ima_match_policy(idmap, inode, cred, prop, func, mask,
201 				flags, pcr, template_desc, func_data,
202 				allowed_algos);
203 }
204 
205 static bool ima_get_verity_digest(struct ima_iint_cache *iint,
206 				  struct inode *inode,
207 				  struct ima_max_digest_data *hash)
208 {
209 	enum hash_algo alg;
210 	int digest_len;
211 
212 	/*
213 	 * On failure, 'measure' policy rules will result in a file data
214 	 * hash containing 0's.
215 	 */
216 	digest_len = fsverity_get_digest(inode, hash->digest, NULL, &alg);
217 	if (digest_len == 0)
218 		return false;
219 
220 	/*
221 	 * Unlike in the case of actually calculating the file hash, in
222 	 * the fsverity case regardless of the hash algorithm, return
223 	 * the verity digest to be included in the measurement list. A
224 	 * mismatch between the verity algorithm and the xattr signature
225 	 * algorithm, if one exists, will be detected later.
226 	 */
227 	hash->hdr.algo = alg;
228 	hash->hdr.length = digest_len;
229 	return true;
230 }
231 
232 /*
233  * ima_collect_measurement - collect file measurement
234  *
235  * Calculate the file hash, if it doesn't already exist,
236  * storing the measurement and i_version in the iint.
237  *
238  * Must be called with iint->mutex held.
239  *
240  * Return 0 on success, error code otherwise
241  */
242 int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
243 			    void *buf, loff_t size, enum hash_algo algo,
244 			    struct modsig *modsig)
245 {
246 	const char *audit_cause = "failed";
247 	struct inode *inode = file_inode(file);
248 	struct inode *real_inode = d_real_inode(file_dentry(file));
249 	struct ima_max_digest_data hash;
250 	struct ima_digest_data *hash_hdr = container_of(&hash.hdr,
251 						struct ima_digest_data, hdr);
252 	struct name_snapshot filename;
253 	struct kstat stat;
254 	int result = 0;
255 	int length;
256 	void *tmpbuf;
257 	u64 i_version = 0;
258 
259 	/*
260 	 * Always collect the modsig, because IMA might have already collected
261 	 * the file digest without collecting the modsig in a previous
262 	 * measurement rule.
263 	 */
264 	if (modsig)
265 		ima_collect_modsig(modsig, buf, size);
266 
267 	if (iint->flags & IMA_COLLECTED)
268 		goto out;
269 
270 	/*
271 	 * Detecting file change is based on i_version. On filesystems
272 	 * which do not support i_version, support was originally limited
273 	 * to an initial measurement/appraisal/audit, but was modified to
274 	 * assume the file changed.
275 	 */
276 	result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
277 				   AT_STATX_SYNC_AS_STAT);
278 	if (!result && (stat.result_mask & STATX_CHANGE_COOKIE))
279 		i_version = stat.change_cookie;
280 	hash.hdr.algo = algo;
281 	hash.hdr.length = hash_digest_size[algo];
282 
283 	/* Initialize hash digest to 0's in case of failure */
284 	memset(&hash.digest, 0, sizeof(hash.digest));
285 
286 	if (iint->flags & IMA_VERITY_REQUIRED) {
287 		if (!ima_get_verity_digest(iint, inode, &hash)) {
288 			audit_cause = "no-verity-digest";
289 			result = -ENODATA;
290 		}
291 	} else if (buf) {
292 		result = ima_calc_buffer_hash(buf, size, hash_hdr);
293 	} else {
294 		result = ima_calc_file_hash(file, hash_hdr);
295 	}
296 
297 	if (result && result != -EBADF && result != -EINVAL)
298 		goto out;
299 
300 	length = sizeof(hash.hdr) + hash.hdr.length;
301 	tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
302 	if (!tmpbuf) {
303 		result = -ENOMEM;
304 		goto out;
305 	}
306 
307 	iint->ima_hash = tmpbuf;
308 	memcpy(iint->ima_hash, &hash, length);
309 	if (real_inode == inode)
310 		iint->real_inode.version = i_version;
311 	else
312 		integrity_inode_attrs_store(&iint->real_inode, i_version,
313 					    real_inode);
314 
315 	/* Possibly temporary failure due to type of read (eg. O_DIRECT) */
316 	if (!result)
317 		iint->flags |= IMA_COLLECTED;
318 out:
319 	if (result) {
320 		if (file->f_flags & O_DIRECT)
321 			audit_cause = "failed(directio)";
322 
323 		take_dentry_name_snapshot(&filename, file->f_path.dentry);
324 
325 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
326 				    filename.name.name, "collect_data",
327 				    audit_cause, result, 0);
328 
329 		release_dentry_name_snapshot(&filename);
330 	}
331 	return result;
332 }
333 
334 /*
335  * ima_store_measurement - store file measurement
336  *
337  * Create an "ima" template and then store the template by calling
338  * ima_store_template.
339  *
340  * We only get here if the inode has not already been measured,
341  * but the measurement could already exist:
342  *	- multiple copies of the same file on either the same or
343  *	  different filesystems.
344  *	- the inode was previously flushed as well as the iint info,
345  *	  containing the hashing info.
346  *
347  * Must be called with iint->mutex held.
348  */
349 void ima_store_measurement(struct ima_iint_cache *iint, struct file *file,
350 			   const unsigned char *filename,
351 			   struct evm_ima_xattr_data *xattr_value,
352 			   int xattr_len, const struct modsig *modsig, int pcr,
353 			   struct ima_template_desc *template_desc)
354 {
355 	static const char op[] = "add_template_measure";
356 	static const char audit_cause[] = "ENOMEM";
357 	int result = -ENOMEM;
358 	struct inode *inode = file_inode(file);
359 	struct ima_template_entry *entry;
360 	struct ima_event_data event_data = { .iint = iint,
361 					     .file = file,
362 					     .filename = filename,
363 					     .xattr_value = xattr_value,
364 					     .xattr_len = xattr_len,
365 					     .modsig = modsig };
366 	int violation = 0;
367 
368 	/*
369 	 * We still need to store the measurement in the case of MODSIG because
370 	 * we only have its contents to put in the list at the time of
371 	 * appraisal, but a file measurement from earlier might already exist in
372 	 * the measurement list.
373 	 */
374 	if (iint->measured_pcrs & (0x1 << pcr) && !modsig)
375 		return;
376 
377 	result = ima_alloc_init_template(&event_data, &entry, template_desc);
378 	if (result < 0) {
379 		integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
380 				    op, audit_cause, result, 0);
381 		return;
382 	}
383 
384 	result = ima_store_template(entry, violation, inode, filename, pcr);
385 	if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
386 		iint->flags |= IMA_MEASURED;
387 		iint->measured_pcrs |= (0x1 << pcr);
388 	}
389 	if (result < 0)
390 		ima_free_template_entry(entry);
391 }
392 
393 void ima_audit_measurement(struct ima_iint_cache *iint,
394 			   const unsigned char *filename)
395 {
396 	struct audit_buffer *ab;
397 	char *hash;
398 	const char *algo_name = hash_algo_name[iint->ima_hash->algo];
399 	int i;
400 
401 	if (iint->flags & IMA_AUDITED)
402 		return;
403 
404 	hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL);
405 	if (!hash)
406 		return;
407 
408 	for (i = 0; i < iint->ima_hash->length; i++)
409 		hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
410 	hash[i * 2] = '\0';
411 
412 	ab = audit_log_start(audit_context(), GFP_KERNEL,
413 			     AUDIT_INTEGRITY_RULE);
414 	if (!ab)
415 		goto out;
416 
417 	audit_log_format(ab, "file=");
418 	audit_log_untrustedstring(ab, filename);
419 	audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash);
420 
421 	audit_log_task_info(ab);
422 	audit_log_end(ab);
423 
424 	iint->flags |= IMA_AUDITED;
425 out:
426 	kfree(hash);
427 	return;
428 }
429 
430 /*
431  * ima_d_path - return a pointer to the full pathname
432  *
433  * Attempt to return a pointer to the full pathname for use in the
434  * IMA measurement list, IMA audit records, and auditing logs.
435  *
436  * On failure, return a pointer to a copy of the filename, not dname.
437  * Returning a pointer to dname, could result in using the pointer
438  * after the memory has been freed.
439  */
440 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
441 {
442 	struct name_snapshot filename;
443 	char *pathname = NULL;
444 
445 	*pathbuf = __getname();
446 	if (*pathbuf) {
447 		pathname = d_absolute_path(path, *pathbuf, PATH_MAX);
448 		if (IS_ERR(pathname)) {
449 			__putname(*pathbuf);
450 			*pathbuf = NULL;
451 			pathname = NULL;
452 		}
453 	}
454 
455 	if (!pathname) {
456 		take_dentry_name_snapshot(&filename, path->dentry);
457 		strscpy(namebuf, filename.name.name, NAME_MAX);
458 		release_dentry_name_snapshot(&filename);
459 
460 		pathname = namebuf;
461 	}
462 
463 	return pathname;
464 }
465