1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * 5 * Author: Mimi Zohar <zohar@us.ibm.com> 6 * 7 * File: ima_api.c 8 * Implements must_appraise_or_measure, collect_measurement, 9 * appraise_measurement, store_measurement and store_template. 10 */ 11 #include <linux/slab.h> 12 #include <linux/file.h> 13 #include <linux/fs.h> 14 #include <linux/hex.h> 15 #include <linux/xattr.h> 16 #include <linux/evm.h> 17 #include <linux/fsverity.h> 18 19 #include "ima.h" 20 21 /* 22 * ima_free_template_entry - free an existing template entry 23 */ 24 void ima_free_template_entry(struct ima_template_entry *entry) 25 { 26 int i; 27 28 for (i = 0; i < entry->template_desc->num_fields; i++) 29 kfree(entry->template_data[i].data); 30 31 kfree(entry->digests); 32 kfree(entry); 33 } 34 35 /* 36 * ima_alloc_init_template - create and initialize a new template entry 37 */ 38 int ima_alloc_init_template(struct ima_event_data *event_data, 39 struct ima_template_entry **entry, 40 struct ima_template_desc *desc) 41 { 42 struct ima_template_desc *template_desc; 43 struct tpm_digest *digests; 44 int i, result = 0; 45 46 if (desc) 47 template_desc = desc; 48 else 49 template_desc = ima_template_desc_current(); 50 51 *entry = kzalloc(struct_size(*entry, template_data, 52 template_desc->num_fields), GFP_NOFS); 53 if (!*entry) 54 return -ENOMEM; 55 56 digests = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots, 57 sizeof(*digests), GFP_NOFS); 58 if (!digests) { 59 kfree(*entry); 60 *entry = NULL; 61 return -ENOMEM; 62 } 63 64 (*entry)->digests = digests; 65 (*entry)->template_desc = template_desc; 66 for (i = 0; i < template_desc->num_fields; i++) { 67 const struct ima_template_field *field = 68 template_desc->fields[i]; 69 u32 len; 70 71 result = field->field_init(event_data, 72 &((*entry)->template_data[i])); 73 if (result != 0) 74 goto out; 75 76 len = (*entry)->template_data[i].len; 77 (*entry)->template_data_len += sizeof(len); 78 (*entry)->template_data_len += len; 79 } 80 return 0; 81 out: 82 ima_free_template_entry(*entry); 83 *entry = NULL; 84 return result; 85 } 86 87 /* 88 * ima_store_template - store ima template measurements 89 * 90 * Calculate the hash of a template entry, add the template entry 91 * to an ordered list of measurement entries maintained inside the kernel, 92 * and also update the aggregate integrity value (maintained inside the 93 * configured TPM PCR) over the hashes of the current list of measurement 94 * entries. 95 * 96 * Applications retrieve the current kernel-held measurement list through 97 * the securityfs entries in /sys/kernel/security/ima. The signed aggregate 98 * TPM PCR (called quote) can be retrieved using a TPM user space library 99 * and is used to validate the measurement list. 100 * 101 * Returns 0 on success, error code otherwise 102 */ 103 int ima_store_template(struct ima_template_entry *entry, 104 int violation, struct inode *inode, 105 const unsigned char *filename, int pcr) 106 { 107 static const char op[] = "add_template_measure"; 108 static const char audit_cause[] = "hashing_error"; 109 char *template_name = entry->template_desc->name; 110 int result; 111 112 if (!violation) { 113 result = ima_calc_field_array_hash(&entry->template_data[0], 114 entry); 115 if (result < 0) { 116 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 117 template_name, op, 118 audit_cause, result, 0); 119 return result; 120 } 121 } 122 entry->pcr = pcr; 123 result = ima_add_template_entry(entry, violation, op, inode, filename); 124 return result; 125 } 126 127 /* 128 * ima_add_violation - add violation to measurement list. 129 * 130 * Violations are flagged in the measurement list with zero hash values. 131 * By extending the PCR with 0xFF's instead of with zeroes, the PCR 132 * value is invalidated. 133 */ 134 void ima_add_violation(struct file *file, const unsigned char *filename, 135 struct ima_iint_cache *iint, const char *op, 136 const char *cause) 137 { 138 struct ima_template_entry *entry; 139 struct inode *inode = file_inode(file); 140 struct ima_event_data event_data = { .iint = iint, 141 .file = file, 142 .filename = filename, 143 .violation = cause }; 144 int violation = 1; 145 int result; 146 147 /* can overflow, only indicator */ 148 atomic_long_inc(&ima_htable.violations); 149 150 result = ima_alloc_init_template(&event_data, &entry, NULL); 151 if (result < 0) { 152 result = -ENOMEM; 153 goto err_out; 154 } 155 result = ima_store_template(entry, violation, inode, 156 filename, CONFIG_IMA_MEASURE_PCR_IDX); 157 if (result < 0) 158 ima_free_template_entry(entry); 159 err_out: 160 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 161 op, cause, result, 0); 162 } 163 164 /** 165 * ima_get_action - appraise & measure decision based on policy. 166 * @idmap: idmap of the mount the inode was found from 167 * @inode: pointer to the inode associated with the object being validated 168 * @cred: pointer to credentials structure to validate 169 * @prop: properties of the task being validated 170 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, 171 * MAY_APPEND) 172 * @func: caller identifier 173 * @pcr: pointer filled in if matched measure policy sets pcr= 174 * @template_desc: pointer filled in if matched measure policy sets template= 175 * @func_data: func specific data, may be NULL 176 * @allowed_algos: allowlist of hash algorithms for the IMA xattr 177 * 178 * The policy is defined in terms of keypairs: 179 * subj=, obj=, type=, func=, mask=, fsmagic= 180 * subj,obj, and type: are LSM specific. 181 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK 182 * | KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA | SETXATTR_CHECK 183 * | MMAP_CHECK_REQPROT 184 * mask: contains the permission mask 185 * fsmagic: hex value 186 * 187 * Returns IMA_MEASURE, IMA_APPRAISE mask. 188 * 189 */ 190 int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, 191 const struct cred *cred, struct lsm_prop *prop, int mask, 192 enum ima_hooks func, int *pcr, 193 struct ima_template_desc **template_desc, 194 const char *func_data, unsigned int *allowed_algos) 195 { 196 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; 197 198 flags &= ima_policy_flag; 199 200 return ima_match_policy(idmap, inode, cred, prop, func, mask, 201 flags, pcr, template_desc, func_data, 202 allowed_algos); 203 } 204 205 static bool ima_get_verity_digest(struct ima_iint_cache *iint, 206 struct inode *inode, 207 struct ima_max_digest_data *hash) 208 { 209 enum hash_algo alg; 210 int digest_len; 211 212 /* 213 * On failure, 'measure' policy rules will result in a file data 214 * hash containing 0's. 215 */ 216 digest_len = fsverity_get_digest(inode, hash->digest, NULL, &alg); 217 if (digest_len == 0) 218 return false; 219 220 /* 221 * Unlike in the case of actually calculating the file hash, in 222 * the fsverity case regardless of the hash algorithm, return 223 * the verity digest to be included in the measurement list. A 224 * mismatch between the verity algorithm and the xattr signature 225 * algorithm, if one exists, will be detected later. 226 */ 227 hash->hdr.algo = alg; 228 hash->hdr.length = digest_len; 229 return true; 230 } 231 232 /* 233 * ima_collect_measurement - collect file measurement 234 * 235 * Calculate the file hash, if it doesn't already exist, 236 * storing the measurement and i_version in the iint. 237 * 238 * Must be called with iint->mutex held. 239 * 240 * Return 0 on success, error code otherwise 241 */ 242 int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file, 243 void *buf, loff_t size, enum hash_algo algo, 244 struct modsig *modsig) 245 { 246 const char *audit_cause = "failed"; 247 struct inode *inode = file_inode(file); 248 struct inode *real_inode = d_real_inode(file_dentry(file)); 249 struct ima_max_digest_data hash; 250 struct ima_digest_data *hash_hdr = container_of(&hash.hdr, 251 struct ima_digest_data, hdr); 252 struct name_snapshot filename; 253 struct kstat stat; 254 int result = 0; 255 int length; 256 void *tmpbuf; 257 u64 i_version = 0; 258 259 /* 260 * Always collect the modsig, because IMA might have already collected 261 * the file digest without collecting the modsig in a previous 262 * measurement rule. 263 */ 264 if (modsig) 265 ima_collect_modsig(modsig, buf, size); 266 267 if (iint->flags & IMA_COLLECTED) 268 goto out; 269 270 /* 271 * Detecting file change is based on i_version. On filesystems 272 * which do not support i_version, support was originally limited 273 * to an initial measurement/appraisal/audit, but was modified to 274 * assume the file changed. 275 */ 276 result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, 277 AT_STATX_SYNC_AS_STAT); 278 if (!result && (stat.result_mask & STATX_CHANGE_COOKIE)) 279 i_version = stat.change_cookie; 280 hash.hdr.algo = algo; 281 hash.hdr.length = hash_digest_size[algo]; 282 283 /* Initialize hash digest to 0's in case of failure */ 284 memset(&hash.digest, 0, sizeof(hash.digest)); 285 286 if (iint->flags & IMA_VERITY_REQUIRED) { 287 if (!ima_get_verity_digest(iint, inode, &hash)) { 288 audit_cause = "no-verity-digest"; 289 result = -ENODATA; 290 } 291 } else if (buf) { 292 result = ima_calc_buffer_hash(buf, size, hash_hdr); 293 } else { 294 result = ima_calc_file_hash(file, hash_hdr); 295 } 296 297 if (result && result != -EBADF && result != -EINVAL) 298 goto out; 299 300 length = sizeof(hash.hdr) + hash.hdr.length; 301 tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS); 302 if (!tmpbuf) { 303 result = -ENOMEM; 304 goto out; 305 } 306 307 iint->ima_hash = tmpbuf; 308 memcpy(iint->ima_hash, &hash, length); 309 if (real_inode == inode) 310 iint->real_inode.version = i_version; 311 else 312 integrity_inode_attrs_store(&iint->real_inode, i_version, 313 real_inode); 314 315 /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ 316 if (!result) 317 iint->flags |= IMA_COLLECTED; 318 out: 319 if (result) { 320 if (file->f_flags & O_DIRECT) 321 audit_cause = "failed(directio)"; 322 323 take_dentry_name_snapshot(&filename, file->f_path.dentry); 324 325 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, 326 filename.name.name, "collect_data", 327 audit_cause, result, 0); 328 329 release_dentry_name_snapshot(&filename); 330 } 331 return result; 332 } 333 334 /* 335 * ima_store_measurement - store file measurement 336 * 337 * Create an "ima" template and then store the template by calling 338 * ima_store_template. 339 * 340 * We only get here if the inode has not already been measured, 341 * but the measurement could already exist: 342 * - multiple copies of the same file on either the same or 343 * different filesystems. 344 * - the inode was previously flushed as well as the iint info, 345 * containing the hashing info. 346 * 347 * Must be called with iint->mutex held. 348 */ 349 void ima_store_measurement(struct ima_iint_cache *iint, struct file *file, 350 const unsigned char *filename, 351 struct evm_ima_xattr_data *xattr_value, 352 int xattr_len, const struct modsig *modsig, int pcr, 353 struct ima_template_desc *template_desc) 354 { 355 static const char op[] = "add_template_measure"; 356 static const char audit_cause[] = "ENOMEM"; 357 int result = -ENOMEM; 358 struct inode *inode = file_inode(file); 359 struct ima_template_entry *entry; 360 struct ima_event_data event_data = { .iint = iint, 361 .file = file, 362 .filename = filename, 363 .xattr_value = xattr_value, 364 .xattr_len = xattr_len, 365 .modsig = modsig }; 366 int violation = 0; 367 368 /* 369 * We still need to store the measurement in the case of MODSIG because 370 * we only have its contents to put in the list at the time of 371 * appraisal, but a file measurement from earlier might already exist in 372 * the measurement list. 373 */ 374 if (iint->measured_pcrs & (0x1 << pcr) && !modsig) 375 return; 376 377 result = ima_alloc_init_template(&event_data, &entry, template_desc); 378 if (result < 0) { 379 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 380 op, audit_cause, result, 0); 381 return; 382 } 383 384 result = ima_store_template(entry, violation, inode, filename, pcr); 385 if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) { 386 iint->flags |= IMA_MEASURED; 387 iint->measured_pcrs |= (0x1 << pcr); 388 } 389 if (result < 0) 390 ima_free_template_entry(entry); 391 } 392 393 void ima_audit_measurement(struct ima_iint_cache *iint, 394 const unsigned char *filename) 395 { 396 struct audit_buffer *ab; 397 char *hash; 398 const char *algo_name = hash_algo_name[iint->ima_hash->algo]; 399 int i; 400 401 if (iint->flags & IMA_AUDITED) 402 return; 403 404 hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL); 405 if (!hash) 406 return; 407 408 for (i = 0; i < iint->ima_hash->length; i++) 409 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]); 410 hash[i * 2] = '\0'; 411 412 ab = audit_log_start(audit_context(), GFP_KERNEL, 413 AUDIT_INTEGRITY_RULE); 414 if (!ab) 415 goto out; 416 417 audit_log_format(ab, "file="); 418 audit_log_untrustedstring(ab, filename); 419 audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash); 420 421 audit_log_task_info(ab); 422 audit_log_end(ab); 423 424 iint->flags |= IMA_AUDITED; 425 out: 426 kfree(hash); 427 return; 428 } 429 430 /* 431 * ima_d_path - return a pointer to the full pathname 432 * 433 * Attempt to return a pointer to the full pathname for use in the 434 * IMA measurement list, IMA audit records, and auditing logs. 435 * 436 * On failure, return a pointer to a copy of the filename, not dname. 437 * Returning a pointer to dname, could result in using the pointer 438 * after the memory has been freed. 439 */ 440 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) 441 { 442 struct name_snapshot filename; 443 char *pathname = NULL; 444 445 *pathbuf = __getname(); 446 if (*pathbuf) { 447 pathname = d_absolute_path(path, *pathbuf, PATH_MAX); 448 if (IS_ERR(pathname)) { 449 __putname(*pathbuf); 450 *pathbuf = NULL; 451 pathname = NULL; 452 } 453 } 454 455 if (!pathname) { 456 take_dentry_name_snapshot(&filename, path->dentry); 457 strscpy(namebuf, filename.name.name, NAME_MAX); 458 release_dentry_name_snapshot(&filename); 459 460 pathname = namebuf; 461 } 462 463 return pathname; 464 } 465