1 /* 2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 3 * 4 * Authors: 5 * Reiner Sailer <sailer@watson.ibm.com> 6 * Serge Hallyn <serue@us.ibm.com> 7 * Kylene Hall <kylene@us.ibm.com> 8 * Mimi Zohar <zohar@us.ibm.com> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation, version 2 of the 13 * License. 14 * 15 * File: ima_main.c 16 * implements the IMA hooks: ima_bprm_check, ima_file_mmap, 17 * and ima_file_check. 18 */ 19 #include <linux/module.h> 20 #include <linux/file.h> 21 #include <linux/binfmts.h> 22 #include <linux/mount.h> 23 #include <linux/mman.h> 24 25 #include "ima.h" 26 27 int ima_initialized; 28 29 char *ima_hash = "sha1"; 30 static int __init hash_setup(char *str) 31 { 32 if (strncmp(str, "md5", 3) == 0) 33 ima_hash = "md5"; 34 return 1; 35 } 36 __setup("ima_hash=", hash_setup); 37 38 struct ima_imbalance { 39 struct hlist_node node; 40 unsigned long fsmagic; 41 }; 42 43 /* 44 * ima_limit_imbalance - emit one imbalance message per filesystem type 45 * 46 * Maintain list of filesystem types that do not measure files properly. 47 * Return false if unknown, true if known. 48 */ 49 static bool ima_limit_imbalance(struct file *file) 50 { 51 static DEFINE_SPINLOCK(ima_imbalance_lock); 52 static HLIST_HEAD(ima_imbalance_list); 53 54 struct super_block *sb = file->f_dentry->d_sb; 55 struct ima_imbalance *entry; 56 struct hlist_node *node; 57 bool found = false; 58 59 rcu_read_lock(); 60 hlist_for_each_entry_rcu(entry, node, &ima_imbalance_list, node) { 61 if (entry->fsmagic == sb->s_magic) { 62 found = true; 63 break; 64 } 65 } 66 rcu_read_unlock(); 67 if (found) 68 goto out; 69 70 entry = kmalloc(sizeof(*entry), GFP_NOFS); 71 if (!entry) 72 goto out; 73 entry->fsmagic = sb->s_magic; 74 spin_lock(&ima_imbalance_lock); 75 /* 76 * we could have raced and something else might have added this fs 77 * to the list, but we don't really care 78 */ 79 hlist_add_head_rcu(&entry->node, &ima_imbalance_list); 80 spin_unlock(&ima_imbalance_lock); 81 printk(KERN_INFO "IMA: unmeasured files on fsmagic: %lX\n", 82 entry->fsmagic); 83 out: 84 return found; 85 } 86 87 /* ima_read_write_check - reflect possible reading/writing errors in the PCR. 88 * 89 * When opening a file for read, if the file is already open for write, 90 * the file could change, resulting in a file measurement error. 91 * 92 * Opening a file for write, if the file is already open for read, results 93 * in a time of measure, time of use (ToMToU) error. 94 * 95 * In either case invalidate the PCR. 96 */ 97 enum iint_pcr_error { TOMTOU, OPEN_WRITERS }; 98 static void ima_read_write_check(enum iint_pcr_error error, 99 struct ima_iint_cache *iint, 100 struct inode *inode, 101 const unsigned char *filename) 102 { 103 switch (error) { 104 case TOMTOU: 105 if (iint->readcount > 0) 106 ima_add_violation(inode, filename, "invalid_pcr", 107 "ToMToU"); 108 break; 109 case OPEN_WRITERS: 110 if (iint->writecount > 0) 111 ima_add_violation(inode, filename, "invalid_pcr", 112 "open_writers"); 113 break; 114 } 115 } 116 117 /* 118 * Update the counts given an fmode_t 119 */ 120 static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode) 121 { 122 BUG_ON(!mutex_is_locked(&iint->mutex)); 123 124 iint->opencount++; 125 if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) 126 iint->readcount++; 127 if (mode & FMODE_WRITE) 128 iint->writecount++; 129 } 130 131 /* 132 * ima_counts_get - increment file counts 133 * 134 * Maintain read/write counters for all files, but only 135 * invalidate the PCR for measured files: 136 * - Opening a file for write when already open for read, 137 * results in a time of measure, time of use (ToMToU) error. 138 * - Opening a file for read when already open for write, 139 * could result in a file measurement error. 140 * 141 */ 142 void ima_counts_get(struct file *file) 143 { 144 struct dentry *dentry = file->f_path.dentry; 145 struct inode *inode = dentry->d_inode; 146 fmode_t mode = file->f_mode; 147 struct ima_iint_cache *iint; 148 int rc; 149 150 if (!ima_initialized || !S_ISREG(inode->i_mode)) 151 return; 152 iint = ima_iint_find_get(inode); 153 if (!iint) 154 return; 155 mutex_lock(&iint->mutex); 156 rc = ima_must_measure(iint, inode, MAY_READ, FILE_CHECK); 157 if (rc < 0) 158 goto out; 159 160 if (mode & FMODE_WRITE) { 161 ima_read_write_check(TOMTOU, iint, inode, dentry->d_name.name); 162 goto out; 163 } 164 ima_read_write_check(OPEN_WRITERS, iint, inode, dentry->d_name.name); 165 out: 166 ima_inc_counts(iint, file->f_mode); 167 mutex_unlock(&iint->mutex); 168 169 kref_put(&iint->refcount, iint_free); 170 } 171 172 /* 173 * Decrement ima counts 174 */ 175 static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode, 176 struct file *file) 177 { 178 mode_t mode = file->f_mode; 179 BUG_ON(!mutex_is_locked(&iint->mutex)); 180 181 iint->opencount--; 182 if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) 183 iint->readcount--; 184 if (mode & FMODE_WRITE) { 185 iint->writecount--; 186 if (iint->writecount == 0) { 187 if (iint->version != inode->i_version) 188 iint->flags &= ~IMA_MEASURED; 189 } 190 } 191 192 if (((iint->opencount < 0) || 193 (iint->readcount < 0) || 194 (iint->writecount < 0)) && 195 !ima_limit_imbalance(file)) { 196 printk(KERN_INFO "%s: open/free imbalance (r:%ld w:%ld o:%ld)\n", 197 __FUNCTION__, iint->readcount, iint->writecount, 198 iint->opencount); 199 dump_stack(); 200 } 201 } 202 203 /** 204 * ima_file_free - called on __fput() 205 * @file: pointer to file structure being freed 206 * 207 * Flag files that changed, based on i_version; 208 * and decrement the iint readcount/writecount. 209 */ 210 void ima_file_free(struct file *file) 211 { 212 struct inode *inode = file->f_dentry->d_inode; 213 struct ima_iint_cache *iint; 214 215 if (!ima_initialized || !S_ISREG(inode->i_mode)) 216 return; 217 iint = ima_iint_find_get(inode); 218 if (!iint) 219 return; 220 221 mutex_lock(&iint->mutex); 222 ima_dec_counts(iint, inode, file); 223 mutex_unlock(&iint->mutex); 224 kref_put(&iint->refcount, iint_free); 225 } 226 227 static int process_measurement(struct file *file, const unsigned char *filename, 228 int mask, int function) 229 { 230 struct inode *inode = file->f_dentry->d_inode; 231 struct ima_iint_cache *iint; 232 int rc; 233 234 if (!ima_initialized || !S_ISREG(inode->i_mode)) 235 return 0; 236 iint = ima_iint_find_get(inode); 237 if (!iint) 238 return -ENOMEM; 239 240 mutex_lock(&iint->mutex); 241 rc = ima_must_measure(iint, inode, mask, function); 242 if (rc != 0) 243 goto out; 244 245 rc = ima_collect_measurement(iint, file); 246 if (!rc) 247 ima_store_measurement(iint, file, filename); 248 out: 249 mutex_unlock(&iint->mutex); 250 kref_put(&iint->refcount, iint_free); 251 return rc; 252 } 253 254 /** 255 * ima_file_mmap - based on policy, collect/store measurement. 256 * @file: pointer to the file to be measured (May be NULL) 257 * @prot: contains the protection that will be applied by the kernel. 258 * 259 * Measure files being mmapped executable based on the ima_must_measure() 260 * policy decision. 261 * 262 * Return 0 on success, an error code on failure. 263 * (Based on the results of appraise_measurement().) 264 */ 265 int ima_file_mmap(struct file *file, unsigned long prot) 266 { 267 int rc; 268 269 if (!file) 270 return 0; 271 if (prot & PROT_EXEC) 272 rc = process_measurement(file, file->f_dentry->d_name.name, 273 MAY_EXEC, FILE_MMAP); 274 return 0; 275 } 276 277 /** 278 * ima_bprm_check - based on policy, collect/store measurement. 279 * @bprm: contains the linux_binprm structure 280 * 281 * The OS protects against an executable file, already open for write, 282 * from being executed in deny_write_access() and an executable file, 283 * already open for execute, from being modified in get_write_access(). 284 * So we can be certain that what we verify and measure here is actually 285 * what is being executed. 286 * 287 * Return 0 on success, an error code on failure. 288 * (Based on the results of appraise_measurement().) 289 */ 290 int ima_bprm_check(struct linux_binprm *bprm) 291 { 292 int rc; 293 294 rc = process_measurement(bprm->file, bprm->filename, 295 MAY_EXEC, BPRM_CHECK); 296 return 0; 297 } 298 299 /** 300 * ima_path_check - based on policy, collect/store measurement. 301 * @file: pointer to the file to be measured 302 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE 303 * 304 * Measure files based on the ima_must_measure() policy decision. 305 * 306 * Always return 0 and audit dentry_open failures. 307 * (Return code will be based upon measurement appraisal.) 308 */ 309 int ima_file_check(struct file *file, int mask) 310 { 311 int rc; 312 313 rc = process_measurement(file, file->f_dentry->d_name.name, 314 mask & (MAY_READ | MAY_WRITE | MAY_EXEC), 315 FILE_CHECK); 316 return 0; 317 } 318 EXPORT_SYMBOL_GPL(ima_file_check); 319 320 static int __init init_ima(void) 321 { 322 int error; 323 324 error = ima_init(); 325 ima_initialized = 1; 326 return error; 327 } 328 329 static void __exit cleanup_ima(void) 330 { 331 ima_cleanup(); 332 } 333 334 late_initcall(init_ima); /* Start IMA after the TPM is available */ 335 336 MODULE_DESCRIPTION("Integrity Measurement Architecture"); 337 MODULE_LICENSE("GPL"); 338