1 /* 2 * Copyright (C) 2008 IBM Corporation 3 * 4 * Author: Mimi Zohar <zohar@us.ibm.com> 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License as 8 * published by the Free Software Foundation, version 2 of the 9 * License. 10 * 11 * File: ima_api.c 12 * Implements must_appraise_or_measure, collect_measurement, 13 * appraise_measurement, store_measurement and store_template. 14 */ 15 #include <linux/module.h> 16 #include <linux/slab.h> 17 #include <linux/file.h> 18 #include <linux/fs.h> 19 #include <linux/xattr.h> 20 #include <linux/evm.h> 21 #include "ima.h" 22 23 static const char *IMA_TEMPLATE_NAME = "ima"; 24 25 /* 26 * ima_store_template - store ima template measurements 27 * 28 * Calculate the hash of a template entry, add the template entry 29 * to an ordered list of measurement entries maintained inside the kernel, 30 * and also update the aggregate integrity value (maintained inside the 31 * configured TPM PCR) over the hashes of the current list of measurement 32 * entries. 33 * 34 * Applications retrieve the current kernel-held measurement list through 35 * the securityfs entries in /sys/kernel/security/ima. The signed aggregate 36 * TPM PCR (called quote) can be retrieved using a TPM user space library 37 * and is used to validate the measurement list. 38 * 39 * Returns 0 on success, error code otherwise 40 */ 41 int ima_store_template(struct ima_template_entry *entry, 42 int violation, struct inode *inode) 43 { 44 const char *op = "add_template_measure"; 45 const char *audit_cause = "hashing_error"; 46 int result; 47 48 memset(entry->digest, 0, sizeof(entry->digest)); 49 entry->template_name = IMA_TEMPLATE_NAME; 50 entry->template_len = sizeof(entry->template); 51 52 if (!violation) { 53 result = ima_calc_buffer_hash(&entry->template, 54 entry->template_len, 55 entry->digest); 56 if (result < 0) { 57 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 58 entry->template_name, op, 59 audit_cause, result, 0); 60 return result; 61 } 62 } 63 result = ima_add_template_entry(entry, violation, op, inode); 64 return result; 65 } 66 67 /* 68 * ima_add_violation - add violation to measurement list. 69 * 70 * Violations are flagged in the measurement list with zero hash values. 71 * By extending the PCR with 0xFF's instead of with zeroes, the PCR 72 * value is invalidated. 73 */ 74 void ima_add_violation(struct inode *inode, const unsigned char *filename, 75 const char *op, const char *cause) 76 { 77 struct ima_template_entry *entry; 78 int violation = 1; 79 int result; 80 81 /* can overflow, only indicator */ 82 atomic_long_inc(&ima_htable.violations); 83 84 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 85 if (!entry) { 86 result = -ENOMEM; 87 goto err_out; 88 } 89 memset(&entry->template, 0, sizeof(entry->template)); 90 strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX); 91 result = ima_store_template(entry, violation, inode); 92 if (result < 0) 93 kfree(entry); 94 err_out: 95 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 96 op, cause, result, 0); 97 } 98 99 /** 100 * ima_get_action - appraise & measure decision based on policy. 101 * @inode: pointer to inode to measure 102 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) 103 * @function: calling function (FILE_CHECK, BPRM_CHECK, MMAP_CHECK, MODULE_CHECK) 104 * 105 * The policy is defined in terms of keypairs: 106 * subj=, obj=, type=, func=, mask=, fsmagic= 107 * subj,obj, and type: are LSM specific. 108 * func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK 109 * mask: contains the permission mask 110 * fsmagic: hex value 111 * 112 * Returns IMA_MEASURE, IMA_APPRAISE mask. 113 * 114 */ 115 int ima_get_action(struct inode *inode, int mask, int function) 116 { 117 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE; 118 119 if (!ima_appraise) 120 flags &= ~IMA_APPRAISE; 121 122 return ima_match_policy(inode, function, mask, flags); 123 } 124 125 int ima_must_measure(struct inode *inode, int mask, int function) 126 { 127 return ima_match_policy(inode, function, mask, IMA_MEASURE); 128 } 129 130 /* 131 * ima_collect_measurement - collect file measurement 132 * 133 * Calculate the file hash, if it doesn't already exist, 134 * storing the measurement and i_version in the iint. 135 * 136 * Must be called with iint->mutex held. 137 * 138 * Return 0 on success, error code otherwise 139 */ 140 int ima_collect_measurement(struct integrity_iint_cache *iint, 141 struct file *file) 142 { 143 struct inode *inode = file_inode(file); 144 const char *filename = file->f_dentry->d_name.name; 145 int result = 0; 146 147 if (!(iint->flags & IMA_COLLECTED)) { 148 u64 i_version = file_inode(file)->i_version; 149 150 iint->ima_xattr.type = IMA_XATTR_DIGEST; 151 result = ima_calc_file_hash(file, iint->ima_xattr.digest); 152 if (!result) { 153 iint->version = i_version; 154 iint->flags |= IMA_COLLECTED; 155 } 156 } 157 if (result) 158 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, 159 filename, "collect_data", "failed", 160 result, 0); 161 return result; 162 } 163 164 /* 165 * ima_store_measurement - store file measurement 166 * 167 * Create an "ima" template and then store the template by calling 168 * ima_store_template. 169 * 170 * We only get here if the inode has not already been measured, 171 * but the measurement could already exist: 172 * - multiple copies of the same file on either the same or 173 * different filesystems. 174 * - the inode was previously flushed as well as the iint info, 175 * containing the hashing info. 176 * 177 * Must be called with iint->mutex held. 178 */ 179 void ima_store_measurement(struct integrity_iint_cache *iint, 180 struct file *file, const unsigned char *filename) 181 { 182 const char *op = "add_template_measure"; 183 const char *audit_cause = "ENOMEM"; 184 int result = -ENOMEM; 185 struct inode *inode = file_inode(file); 186 struct ima_template_entry *entry; 187 int violation = 0; 188 189 if (iint->flags & IMA_MEASURED) 190 return; 191 192 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 193 if (!entry) { 194 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 195 op, audit_cause, result, 0); 196 return; 197 } 198 memset(&entry->template, 0, sizeof(entry->template)); 199 memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE); 200 strcpy(entry->template.file_name, 201 (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ? 202 file->f_dentry->d_name.name : filename); 203 204 result = ima_store_template(entry, violation, inode); 205 if (!result || result == -EEXIST) 206 iint->flags |= IMA_MEASURED; 207 if (result < 0) 208 kfree(entry); 209 } 210 211 void ima_audit_measurement(struct integrity_iint_cache *iint, 212 const unsigned char *filename) 213 { 214 struct audit_buffer *ab; 215 char hash[(IMA_DIGEST_SIZE * 2) + 1]; 216 int i; 217 218 if (iint->flags & IMA_AUDITED) 219 return; 220 221 for (i = 0; i < IMA_DIGEST_SIZE; i++) 222 hex_byte_pack(hash + (i * 2), iint->ima_xattr.digest[i]); 223 hash[i * 2] = '\0'; 224 225 ab = audit_log_start(current->audit_context, GFP_KERNEL, 226 AUDIT_INTEGRITY_RULE); 227 if (!ab) 228 return; 229 230 audit_log_format(ab, "file="); 231 audit_log_untrustedstring(ab, filename); 232 audit_log_format(ab, " hash="); 233 audit_log_untrustedstring(ab, hash); 234 235 audit_log_task_info(ab, current); 236 audit_log_end(ab); 237 238 iint->flags |= IMA_AUDITED; 239 } 240 241 const char *ima_d_path(struct path *path, char **pathbuf) 242 { 243 char *pathname = NULL; 244 245 /* We will allow 11 spaces for ' (deleted)' to be appended */ 246 *pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL); 247 if (*pathbuf) { 248 pathname = d_path(path, *pathbuf, PATH_MAX + 11); 249 if (IS_ERR(pathname)) { 250 kfree(*pathbuf); 251 *pathbuf = NULL; 252 pathname = NULL; 253 } 254 } 255 return pathname; 256 } 257