1 /* 2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation 3 * 4 * Authors: 5 * Reiner Sailer <sailer@watson.ibm.com> 6 * Serge Hallyn <serue@us.ibm.com> 7 * Kylene Hall <kylene@us.ibm.com> 8 * Mimi Zohar <zohar@us.ibm.com> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation, version 2 of the 13 * License. 14 * 15 * File: ima_main.c 16 * implements the IMA hooks: ima_bprm_check, ima_file_mmap, 17 * and ima_file_check. 18 */ 19 #include <linux/module.h> 20 #include <linux/file.h> 21 #include <linux/binfmts.h> 22 #include <linux/mount.h> 23 #include <linux/mman.h> 24 #include <linux/slab.h> 25 26 #include "ima.h" 27 28 int ima_initialized; 29 30 char *ima_hash = "sha1"; 31 static int __init hash_setup(char *str) 32 { 33 if (strncmp(str, "md5", 3) == 0) 34 ima_hash = "md5"; 35 return 1; 36 } 37 __setup("ima_hash=", hash_setup); 38 39 struct ima_imbalance { 40 struct hlist_node node; 41 unsigned long fsmagic; 42 }; 43 44 /* 45 * ima_limit_imbalance - emit one imbalance message per filesystem type 46 * 47 * Maintain list of filesystem types that do not measure files properly. 48 * Return false if unknown, true if known. 49 */ 50 static bool ima_limit_imbalance(struct file *file) 51 { 52 static DEFINE_SPINLOCK(ima_imbalance_lock); 53 static HLIST_HEAD(ima_imbalance_list); 54 55 struct super_block *sb = file->f_dentry->d_sb; 56 struct ima_imbalance *entry; 57 struct hlist_node *node; 58 bool found = false; 59 60 rcu_read_lock(); 61 hlist_for_each_entry_rcu(entry, node, &ima_imbalance_list, node) { 62 if (entry->fsmagic == sb->s_magic) { 63 found = true; 64 break; 65 } 66 } 67 rcu_read_unlock(); 68 if (found) 69 goto out; 70 71 entry = kmalloc(sizeof(*entry), GFP_NOFS); 72 if (!entry) 73 goto out; 74 entry->fsmagic = sb->s_magic; 75 spin_lock(&ima_imbalance_lock); 76 /* 77 * we could have raced and something else might have added this fs 78 * to the list, but we don't really care 79 */ 80 hlist_add_head_rcu(&entry->node, &ima_imbalance_list); 81 spin_unlock(&ima_imbalance_lock); 82 printk(KERN_INFO "IMA: unmeasured files on fsmagic: %lX\n", 83 entry->fsmagic); 84 out: 85 return found; 86 } 87 88 /* ima_read_write_check - reflect possible reading/writing errors in the PCR. 89 * 90 * When opening a file for read, if the file is already open for write, 91 * the file could change, resulting in a file measurement error. 92 * 93 * Opening a file for write, if the file is already open for read, results 94 * in a time of measure, time of use (ToMToU) error. 95 * 96 * In either case invalidate the PCR. 97 */ 98 enum iint_pcr_error { TOMTOU, OPEN_WRITERS }; 99 static void ima_read_write_check(enum iint_pcr_error error, 100 struct ima_iint_cache *iint, 101 struct inode *inode, 102 const unsigned char *filename) 103 { 104 switch (error) { 105 case TOMTOU: 106 if (iint->readcount > 0) 107 ima_add_violation(inode, filename, "invalid_pcr", 108 "ToMToU"); 109 break; 110 case OPEN_WRITERS: 111 if (iint->writecount > 0) 112 ima_add_violation(inode, filename, "invalid_pcr", 113 "open_writers"); 114 break; 115 } 116 } 117 118 /* 119 * Update the counts given an fmode_t 120 */ 121 static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode) 122 { 123 BUG_ON(!mutex_is_locked(&iint->mutex)); 124 125 iint->opencount++; 126 if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) 127 iint->readcount++; 128 if (mode & FMODE_WRITE) 129 iint->writecount++; 130 } 131 132 /* 133 * ima_counts_get - increment file counts 134 * 135 * Maintain read/write counters for all files, but only 136 * invalidate the PCR for measured files: 137 * - Opening a file for write when already open for read, 138 * results in a time of measure, time of use (ToMToU) error. 139 * - Opening a file for read when already open for write, 140 * could result in a file measurement error. 141 * 142 */ 143 void ima_counts_get(struct file *file) 144 { 145 struct dentry *dentry = file->f_path.dentry; 146 struct inode *inode = dentry->d_inode; 147 fmode_t mode = file->f_mode; 148 struct ima_iint_cache *iint; 149 int rc; 150 151 if (!ima_initialized || !S_ISREG(inode->i_mode)) 152 return; 153 iint = ima_iint_find_get(inode); 154 if (!iint) 155 return; 156 mutex_lock(&iint->mutex); 157 rc = ima_must_measure(iint, inode, MAY_READ, FILE_CHECK); 158 if (rc < 0) 159 goto out; 160 161 if (mode & FMODE_WRITE) { 162 ima_read_write_check(TOMTOU, iint, inode, dentry->d_name.name); 163 goto out; 164 } 165 ima_read_write_check(OPEN_WRITERS, iint, inode, dentry->d_name.name); 166 out: 167 ima_inc_counts(iint, file->f_mode); 168 mutex_unlock(&iint->mutex); 169 170 kref_put(&iint->refcount, iint_free); 171 } 172 173 /* 174 * Decrement ima counts 175 */ 176 static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode, 177 struct file *file) 178 { 179 mode_t mode = file->f_mode; 180 BUG_ON(!mutex_is_locked(&iint->mutex)); 181 182 iint->opencount--; 183 if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) 184 iint->readcount--; 185 if (mode & FMODE_WRITE) { 186 iint->writecount--; 187 if (iint->writecount == 0) { 188 if (iint->version != inode->i_version) 189 iint->flags &= ~IMA_MEASURED; 190 } 191 } 192 193 if (((iint->opencount < 0) || 194 (iint->readcount < 0) || 195 (iint->writecount < 0)) && 196 !ima_limit_imbalance(file)) { 197 printk(KERN_INFO "%s: open/free imbalance (r:%ld w:%ld o:%ld)\n", 198 __func__, iint->readcount, iint->writecount, 199 iint->opencount); 200 dump_stack(); 201 } 202 } 203 204 /** 205 * ima_file_free - called on __fput() 206 * @file: pointer to file structure being freed 207 * 208 * Flag files that changed, based on i_version; 209 * and decrement the iint readcount/writecount. 210 */ 211 void ima_file_free(struct file *file) 212 { 213 struct inode *inode = file->f_dentry->d_inode; 214 struct ima_iint_cache *iint; 215 216 if (!ima_initialized || !S_ISREG(inode->i_mode)) 217 return; 218 iint = ima_iint_find_get(inode); 219 if (!iint) 220 return; 221 222 mutex_lock(&iint->mutex); 223 ima_dec_counts(iint, inode, file); 224 mutex_unlock(&iint->mutex); 225 kref_put(&iint->refcount, iint_free); 226 } 227 228 static int process_measurement(struct file *file, const unsigned char *filename, 229 int mask, int function) 230 { 231 struct inode *inode = file->f_dentry->d_inode; 232 struct ima_iint_cache *iint; 233 int rc; 234 235 if (!ima_initialized || !S_ISREG(inode->i_mode)) 236 return 0; 237 iint = ima_iint_find_get(inode); 238 if (!iint) 239 return -ENOMEM; 240 241 mutex_lock(&iint->mutex); 242 rc = ima_must_measure(iint, inode, mask, function); 243 if (rc != 0) 244 goto out; 245 246 rc = ima_collect_measurement(iint, file); 247 if (!rc) 248 ima_store_measurement(iint, file, filename); 249 out: 250 mutex_unlock(&iint->mutex); 251 kref_put(&iint->refcount, iint_free); 252 return rc; 253 } 254 255 /** 256 * ima_file_mmap - based on policy, collect/store measurement. 257 * @file: pointer to the file to be measured (May be NULL) 258 * @prot: contains the protection that will be applied by the kernel. 259 * 260 * Measure files being mmapped executable based on the ima_must_measure() 261 * policy decision. 262 * 263 * Return 0 on success, an error code on failure. 264 * (Based on the results of appraise_measurement().) 265 */ 266 int ima_file_mmap(struct file *file, unsigned long prot) 267 { 268 int rc; 269 270 if (!file) 271 return 0; 272 if (prot & PROT_EXEC) 273 rc = process_measurement(file, file->f_dentry->d_name.name, 274 MAY_EXEC, FILE_MMAP); 275 return 0; 276 } 277 278 /** 279 * ima_bprm_check - based on policy, collect/store measurement. 280 * @bprm: contains the linux_binprm structure 281 * 282 * The OS protects against an executable file, already open for write, 283 * from being executed in deny_write_access() and an executable file, 284 * already open for execute, from being modified in get_write_access(). 285 * So we can be certain that what we verify and measure here is actually 286 * what is being executed. 287 * 288 * Return 0 on success, an error code on failure. 289 * (Based on the results of appraise_measurement().) 290 */ 291 int ima_bprm_check(struct linux_binprm *bprm) 292 { 293 int rc; 294 295 rc = process_measurement(bprm->file, bprm->filename, 296 MAY_EXEC, BPRM_CHECK); 297 return 0; 298 } 299 300 /** 301 * ima_path_check - based on policy, collect/store measurement. 302 * @file: pointer to the file to be measured 303 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE 304 * 305 * Measure files based on the ima_must_measure() policy decision. 306 * 307 * Always return 0 and audit dentry_open failures. 308 * (Return code will be based upon measurement appraisal.) 309 */ 310 int ima_file_check(struct file *file, int mask) 311 { 312 int rc; 313 314 rc = process_measurement(file, file->f_dentry->d_name.name, 315 mask & (MAY_READ | MAY_WRITE | MAY_EXEC), 316 FILE_CHECK); 317 return 0; 318 } 319 EXPORT_SYMBOL_GPL(ima_file_check); 320 321 static int __init init_ima(void) 322 { 323 int error; 324 325 error = ima_init(); 326 ima_initialized = 1; 327 return error; 328 } 329 330 static void __exit cleanup_ima(void) 331 { 332 ima_cleanup(); 333 } 334 335 late_initcall(init_ima); /* Start IMA after the TPM is available */ 336 337 MODULE_DESCRIPTION("Integrity Measurement Architecture"); 338 MODULE_LICENSE("GPL"); 339