xref: /linux/security/integrity/ima/ima_main.c (revision e5c86679d5e864947a52fb31e45a425dea3e7fa9)
1 /*
2  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3  *
4  * Authors:
5  * Reiner Sailer <sailer@watson.ibm.com>
6  * Serge Hallyn <serue@us.ibm.com>
7  * Kylene Hall <kylene@us.ibm.com>
8  * Mimi Zohar <zohar@us.ibm.com>
9  *
10  * This program is free software; you can redistribute it and/or
11  * modify it under the terms of the GNU General Public License as
12  * published by the Free Software Foundation, version 2 of the
13  * License.
14  *
15  * File: ima_main.c
16  *	implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17  *	and ima_file_check.
18  */
19 #include <linux/module.h>
20 #include <linux/file.h>
21 #include <linux/binfmts.h>
22 #include <linux/mount.h>
23 #include <linux/mman.h>
24 #include <linux/slab.h>
25 #include <linux/xattr.h>
26 #include <linux/ima.h>
27 
28 #include "ima.h"
29 
30 int ima_initialized;
31 
32 #ifdef CONFIG_IMA_APPRAISE
33 int ima_appraise = IMA_APPRAISE_ENFORCE;
34 #else
35 int ima_appraise;
36 #endif
37 
38 int ima_hash_algo = HASH_ALGO_SHA1;
39 static int hash_setup_done;
40 
41 static int __init hash_setup(char *str)
42 {
43 	struct ima_template_desc *template_desc = ima_template_desc_current();
44 	int i;
45 
46 	if (hash_setup_done)
47 		return 1;
48 
49 	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
50 		if (strncmp(str, "sha1", 4) == 0)
51 			ima_hash_algo = HASH_ALGO_SHA1;
52 		else if (strncmp(str, "md5", 3) == 0)
53 			ima_hash_algo = HASH_ALGO_MD5;
54 		goto out;
55 	}
56 
57 	for (i = 0; i < HASH_ALGO__LAST; i++) {
58 		if (strcmp(str, hash_algo_name[i]) == 0) {
59 			ima_hash_algo = i;
60 			break;
61 		}
62 	}
63 out:
64 	hash_setup_done = 1;
65 	return 1;
66 }
67 __setup("ima_hash=", hash_setup);
68 
69 /*
70  * ima_rdwr_violation_check
71  *
72  * Only invalidate the PCR for measured files:
73  *	- Opening a file for write when already open for read,
74  *	  results in a time of measure, time of use (ToMToU) error.
75  *	- Opening a file for read when already open for write,
76  *	  could result in a file measurement error.
77  *
78  */
79 static void ima_rdwr_violation_check(struct file *file,
80 				     struct integrity_iint_cache *iint,
81 				     int must_measure,
82 				     char **pathbuf,
83 				     const char **pathname)
84 {
85 	struct inode *inode = file_inode(file);
86 	char filename[NAME_MAX];
87 	fmode_t mode = file->f_mode;
88 	bool send_tomtou = false, send_writers = false;
89 
90 	if (mode & FMODE_WRITE) {
91 		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
92 			if (!iint)
93 				iint = integrity_iint_find(inode);
94 			/* IMA_MEASURE is set from reader side */
95 			if (iint && (iint->flags & IMA_MEASURE))
96 				send_tomtou = true;
97 		}
98 	} else {
99 		if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
100 			send_writers = true;
101 	}
102 
103 	if (!send_tomtou && !send_writers)
104 		return;
105 
106 	*pathname = ima_d_path(&file->f_path, pathbuf, filename);
107 
108 	if (send_tomtou)
109 		ima_add_violation(file, *pathname, iint,
110 				  "invalid_pcr", "ToMToU");
111 	if (send_writers)
112 		ima_add_violation(file, *pathname, iint,
113 				  "invalid_pcr", "open_writers");
114 }
115 
116 static void ima_check_last_writer(struct integrity_iint_cache *iint,
117 				  struct inode *inode, struct file *file)
118 {
119 	fmode_t mode = file->f_mode;
120 
121 	if (!(mode & FMODE_WRITE))
122 		return;
123 
124 	inode_lock(inode);
125 	if (atomic_read(&inode->i_writecount) == 1) {
126 		if ((iint->version != inode->i_version) ||
127 		    (iint->flags & IMA_NEW_FILE)) {
128 			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
129 			iint->measured_pcrs = 0;
130 			if (iint->flags & IMA_APPRAISE)
131 				ima_update_xattr(iint, file);
132 		}
133 	}
134 	inode_unlock(inode);
135 }
136 
137 /**
138  * ima_file_free - called on __fput()
139  * @file: pointer to file structure being freed
140  *
141  * Flag files that changed, based on i_version
142  */
143 void ima_file_free(struct file *file)
144 {
145 	struct inode *inode = file_inode(file);
146 	struct integrity_iint_cache *iint;
147 
148 	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
149 		return;
150 
151 	iint = integrity_iint_find(inode);
152 	if (!iint)
153 		return;
154 
155 	ima_check_last_writer(iint, inode, file);
156 }
157 
158 static int process_measurement(struct file *file, char *buf, loff_t size,
159 			       int mask, enum ima_hooks func, int opened)
160 {
161 	struct inode *inode = file_inode(file);
162 	struct integrity_iint_cache *iint = NULL;
163 	struct ima_template_desc *template_desc;
164 	char *pathbuf = NULL;
165 	char filename[NAME_MAX];
166 	const char *pathname = NULL;
167 	int rc = -ENOMEM, action, must_appraise;
168 	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
169 	struct evm_ima_xattr_data *xattr_value = NULL;
170 	int xattr_len = 0;
171 	bool violation_check;
172 	enum hash_algo hash_algo;
173 
174 	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
175 		return 0;
176 
177 	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
178 	 * bitmask based on the appraise/audit/measurement policy.
179 	 * Included is the appraise submask.
180 	 */
181 	action = ima_get_action(inode, mask, func, &pcr);
182 	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
183 			   (ima_policy_flag & IMA_MEASURE));
184 	if (!action && !violation_check)
185 		return 0;
186 
187 	must_appraise = action & IMA_APPRAISE;
188 
189 	/*  Is the appraise rule hook specific?  */
190 	if (action & IMA_FILE_APPRAISE)
191 		func = FILE_CHECK;
192 
193 	inode_lock(inode);
194 
195 	if (action) {
196 		iint = integrity_inode_get(inode);
197 		if (!iint)
198 			goto out;
199 	}
200 
201 	if (violation_check) {
202 		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
203 					 &pathbuf, &pathname);
204 		if (!action) {
205 			rc = 0;
206 			goto out_free;
207 		}
208 	}
209 
210 	/* Determine if already appraised/measured based on bitmask
211 	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
212 	 *  IMA_AUDIT, IMA_AUDITED)
213 	 */
214 	iint->flags |= action;
215 	action &= IMA_DO_MASK;
216 	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
217 
218 	/* If target pcr is already measured, unset IMA_MEASURE action */
219 	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
220 		action ^= IMA_MEASURE;
221 
222 	/* Nothing to do, just return existing appraised status */
223 	if (!action) {
224 		if (must_appraise)
225 			rc = ima_get_cache_status(iint, func);
226 		goto out_digsig;
227 	}
228 
229 	template_desc = ima_template_desc_current();
230 	if ((action & IMA_APPRAISE_SUBMASK) ||
231 		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
232 		/* read 'security.ima' */
233 		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
234 
235 	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
236 
237 	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
238 	if (rc != 0) {
239 		if (file->f_flags & O_DIRECT)
240 			rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
241 		goto out_digsig;
242 	}
243 
244 	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
245 		pathname = ima_d_path(&file->f_path, &pathbuf, filename);
246 
247 	if (action & IMA_MEASURE)
248 		ima_store_measurement(iint, file, pathname,
249 				      xattr_value, xattr_len, pcr);
250 	if (action & IMA_APPRAISE_SUBMASK)
251 		rc = ima_appraise_measurement(func, iint, file, pathname,
252 					      xattr_value, xattr_len, opened);
253 	if (action & IMA_AUDIT)
254 		ima_audit_measurement(iint, pathname);
255 
256 out_digsig:
257 	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
258 	     !(iint->flags & IMA_NEW_FILE))
259 		rc = -EACCES;
260 	kfree(xattr_value);
261 out_free:
262 	if (pathbuf)
263 		__putname(pathbuf);
264 out:
265 	inode_unlock(inode);
266 	if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
267 		return -EACCES;
268 	return 0;
269 }
270 
271 /**
272  * ima_file_mmap - based on policy, collect/store measurement.
273  * @file: pointer to the file to be measured (May be NULL)
274  * @prot: contains the protection that will be applied by the kernel.
275  *
276  * Measure files being mmapped executable based on the ima_must_measure()
277  * policy decision.
278  *
279  * On success return 0.  On integrity appraisal error, assuming the file
280  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
281  */
282 int ima_file_mmap(struct file *file, unsigned long prot)
283 {
284 	if (file && (prot & PROT_EXEC))
285 		return process_measurement(file, NULL, 0, MAY_EXEC,
286 					   MMAP_CHECK, 0);
287 	return 0;
288 }
289 
290 /**
291  * ima_bprm_check - based on policy, collect/store measurement.
292  * @bprm: contains the linux_binprm structure
293  *
294  * The OS protects against an executable file, already open for write,
295  * from being executed in deny_write_access() and an executable file,
296  * already open for execute, from being modified in get_write_access().
297  * So we can be certain that what we verify and measure here is actually
298  * what is being executed.
299  *
300  * On success return 0.  On integrity appraisal error, assuming the file
301  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
302  */
303 int ima_bprm_check(struct linux_binprm *bprm)
304 {
305 	return process_measurement(bprm->file, NULL, 0, MAY_EXEC,
306 				   BPRM_CHECK, 0);
307 }
308 
309 /**
310  * ima_path_check - based on policy, collect/store measurement.
311  * @file: pointer to the file to be measured
312  * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
313  *
314  * Measure files based on the ima_must_measure() policy decision.
315  *
316  * On success return 0.  On integrity appraisal error, assuming the file
317  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
318  */
319 int ima_file_check(struct file *file, int mask, int opened)
320 {
321 	return process_measurement(file, NULL, 0,
322 				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
323 					   MAY_APPEND), FILE_CHECK, opened);
324 }
325 EXPORT_SYMBOL_GPL(ima_file_check);
326 
327 /**
328  * ima_post_path_mknod - mark as a new inode
329  * @dentry: newly created dentry
330  *
331  * Mark files created via the mknodat syscall as new, so that the
332  * file data can be written later.
333  */
334 void ima_post_path_mknod(struct dentry *dentry)
335 {
336 	struct integrity_iint_cache *iint;
337 	struct inode *inode = dentry->d_inode;
338 	int must_appraise;
339 
340 	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
341 	if (!must_appraise)
342 		return;
343 
344 	iint = integrity_inode_get(inode);
345 	if (iint)
346 		iint->flags |= IMA_NEW_FILE;
347 }
348 
349 /**
350  * ima_read_file - pre-measure/appraise hook decision based on policy
351  * @file: pointer to the file to be measured/appraised/audit
352  * @read_id: caller identifier
353  *
354  * Permit reading a file based on policy. The policy rules are written
355  * in terms of the policy identifier.  Appraising the integrity of
356  * a file requires a file descriptor.
357  *
358  * For permission return 0, otherwise return -EACCES.
359  */
360 int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
361 {
362 	if (!file && read_id == READING_MODULE) {
363 #ifndef CONFIG_MODULE_SIG_FORCE
364 		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
365 		    (ima_appraise & IMA_APPRAISE_ENFORCE))
366 			return -EACCES;	/* INTEGRITY_UNKNOWN */
367 #endif
368 		return 0;	/* We rely on module signature checking */
369 	}
370 	return 0;
371 }
372 
373 static int read_idmap[READING_MAX_ID] = {
374 	[READING_FIRMWARE] = FIRMWARE_CHECK,
375 	[READING_MODULE] = MODULE_CHECK,
376 	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
377 	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
378 	[READING_POLICY] = POLICY_CHECK
379 };
380 
381 /**
382  * ima_post_read_file - in memory collect/appraise/audit measurement
383  * @file: pointer to the file to be measured/appraised/audit
384  * @buf: pointer to in memory file contents
385  * @size: size of in memory file contents
386  * @read_id: caller identifier
387  *
388  * Measure/appraise/audit in memory file based on policy.  Policy rules
389  * are written in terms of a policy identifier.
390  *
391  * On success return 0.  On integrity appraisal error, assuming the file
392  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
393  */
394 int ima_post_read_file(struct file *file, void *buf, loff_t size,
395 		       enum kernel_read_file_id read_id)
396 {
397 	enum ima_hooks func;
398 
399 	if (!file && read_id == READING_FIRMWARE) {
400 		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
401 		    (ima_appraise & IMA_APPRAISE_ENFORCE))
402 			return -EACCES;	/* INTEGRITY_UNKNOWN */
403 		return 0;
404 	}
405 
406 	if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
407 		return 0;
408 
409 	if (!file || !buf || size == 0) { /* should never happen */
410 		if (ima_appraise & IMA_APPRAISE_ENFORCE)
411 			return -EACCES;
412 		return 0;
413 	}
414 
415 	func = read_idmap[read_id] ?: FILE_CHECK;
416 	return process_measurement(file, buf, size, MAY_READ, func, 0);
417 }
418 
419 static int __init init_ima(void)
420 {
421 	int error;
422 
423 	ima_init_template_list();
424 	hash_setup(CONFIG_IMA_DEFAULT_HASH);
425 	error = ima_init();
426 	if (!error) {
427 		ima_initialized = 1;
428 		ima_update_policy_flag();
429 	}
430 	return error;
431 }
432 
433 late_initcall(init_ima);	/* Start IMA after the TPM is available */
434 
435 MODULE_DESCRIPTION("Integrity Measurement Architecture");
436 MODULE_LICENSE("GPL");
437