xref: /linux/security/integrity/ima/ima_template_lib.c (revision 7dcfeacc5a9d0c130160b86de23279793a8732c8) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2013 Politecnico di Torino, Italy
4  *                    TORSEC group -- https://security.polito.it
5  *
6  * Author: Roberto Sassu <roberto.sassu@polito.it>
7  *
8  * File: ima_template_lib.c
9  *      Library of supported template fields.
10  */
11 
12 #include "ima_template_lib.h"
13 #include <linux/xattr.h>
14 
15 static bool ima_template_hash_algo_allowed(u8 algo)
16 {
17 	if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5)
18 		return true;
19 
20 	return false;
21 }
22 
23 enum data_formats {
24 	DATA_FMT_DIGEST = 0,
25 	DATA_FMT_DIGEST_WITH_ALGO,
26 	DATA_FMT_STRING,
27 	DATA_FMT_HEX,
28 	DATA_FMT_UINT
29 };
30 
31 static int ima_write_template_field_data(const void *data, const u32 datalen,
32 					 enum data_formats datafmt,
33 					 struct ima_field_data *field_data)
34 {
35 	u8 *buf, *buf_ptr;
36 	u32 buflen = datalen;
37 
38 	if (datafmt == DATA_FMT_STRING)
39 		buflen = datalen + 1;
40 
41 	buf = kzalloc(buflen, GFP_KERNEL);
42 	if (!buf)
43 		return -ENOMEM;
44 
45 	memcpy(buf, data, datalen);
46 
47 	/*
48 	 * Replace all space characters with underscore for event names and
49 	 * strings. This avoid that, during the parsing of a measurements list,
50 	 * filenames with spaces or that end with the suffix ' (deleted)' are
51 	 * split into multiple template fields (the space is the delimitator
52 	 * character for measurements lists in ASCII format).
53 	 */
54 	if (datafmt == DATA_FMT_STRING) {
55 		for (buf_ptr = buf; buf_ptr - buf < datalen; buf_ptr++)
56 			if (*buf_ptr == ' ')
57 				*buf_ptr = '_';
58 	}
59 
60 	field_data->data = buf;
61 	field_data->len = buflen;
62 	return 0;
63 }
64 
65 static void ima_show_template_data_ascii(struct seq_file *m,
66 					 enum ima_show_type show,
67 					 enum data_formats datafmt,
68 					 struct ima_field_data *field_data)
69 {
70 	u8 *buf_ptr = field_data->data;
71 	u32 buflen = field_data->len;
72 
73 	switch (datafmt) {
74 	case DATA_FMT_DIGEST_WITH_ALGO:
75 		buf_ptr = strnchr(field_data->data, buflen, ':');
76 		if (buf_ptr != field_data->data)
77 			seq_printf(m, "%s", field_data->data);
78 
79 		/* skip ':' and '\0' */
80 		buf_ptr += 2;
81 		buflen -= buf_ptr - field_data->data;
82 		fallthrough;
83 	case DATA_FMT_DIGEST:
84 	case DATA_FMT_HEX:
85 		if (!buflen)
86 			break;
87 		ima_print_digest(m, buf_ptr, buflen);
88 		break;
89 	case DATA_FMT_STRING:
90 		seq_printf(m, "%s", buf_ptr);
91 		break;
92 	case DATA_FMT_UINT:
93 		switch (field_data->len) {
94 		case sizeof(u8):
95 			seq_printf(m, "%u", *(u8 *)buf_ptr);
96 			break;
97 		case sizeof(u16):
98 			if (ima_canonical_fmt)
99 				seq_printf(m, "%u",
100 					   le16_to_cpu(*(u16 *)buf_ptr));
101 			else
102 				seq_printf(m, "%u", *(u16 *)buf_ptr);
103 			break;
104 		case sizeof(u32):
105 			if (ima_canonical_fmt)
106 				seq_printf(m, "%u",
107 					   le32_to_cpu(*(u32 *)buf_ptr));
108 			else
109 				seq_printf(m, "%u", *(u32 *)buf_ptr);
110 			break;
111 		case sizeof(u64):
112 			if (ima_canonical_fmt)
113 				seq_printf(m, "%llu",
114 					   le64_to_cpu(*(u64 *)buf_ptr));
115 			else
116 				seq_printf(m, "%llu", *(u64 *)buf_ptr);
117 			break;
118 		default:
119 			break;
120 		}
121 	default:
122 		break;
123 	}
124 }
125 
126 static void ima_show_template_data_binary(struct seq_file *m,
127 					  enum ima_show_type show,
128 					  enum data_formats datafmt,
129 					  struct ima_field_data *field_data)
130 {
131 	u32 len = (show == IMA_SHOW_BINARY_OLD_STRING_FMT) ?
132 	    strlen(field_data->data) : field_data->len;
133 
134 	if (show != IMA_SHOW_BINARY_NO_FIELD_LEN) {
135 		u32 field_len = !ima_canonical_fmt ? len : cpu_to_le32(len);
136 
137 		ima_putc(m, &field_len, sizeof(field_len));
138 	}
139 
140 	if (!len)
141 		return;
142 
143 	ima_putc(m, field_data->data, len);
144 }
145 
146 static void ima_show_template_field_data(struct seq_file *m,
147 					 enum ima_show_type show,
148 					 enum data_formats datafmt,
149 					 struct ima_field_data *field_data)
150 {
151 	switch (show) {
152 	case IMA_SHOW_ASCII:
153 		ima_show_template_data_ascii(m, show, datafmt, field_data);
154 		break;
155 	case IMA_SHOW_BINARY:
156 	case IMA_SHOW_BINARY_NO_FIELD_LEN:
157 	case IMA_SHOW_BINARY_OLD_STRING_FMT:
158 		ima_show_template_data_binary(m, show, datafmt, field_data);
159 		break;
160 	default:
161 		break;
162 	}
163 }
164 
165 void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
166 			      struct ima_field_data *field_data)
167 {
168 	ima_show_template_field_data(m, show, DATA_FMT_DIGEST, field_data);
169 }
170 
171 void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
172 				 struct ima_field_data *field_data)
173 {
174 	ima_show_template_field_data(m, show, DATA_FMT_DIGEST_WITH_ALGO,
175 				     field_data);
176 }
177 
178 void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
179 			      struct ima_field_data *field_data)
180 {
181 	ima_show_template_field_data(m, show, DATA_FMT_STRING, field_data);
182 }
183 
184 void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
185 			   struct ima_field_data *field_data)
186 {
187 	ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
188 }
189 
190 void ima_show_template_buf(struct seq_file *m, enum ima_show_type show,
191 			   struct ima_field_data *field_data)
192 {
193 	ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
194 }
195 
196 void ima_show_template_uint(struct seq_file *m, enum ima_show_type show,
197 			    struct ima_field_data *field_data)
198 {
199 	ima_show_template_field_data(m, show, DATA_FMT_UINT, field_data);
200 }
201 
202 /**
203  * ima_parse_buf() - Parses lengths and data from an input buffer
204  * @bufstartp:       Buffer start address.
205  * @bufendp:         Buffer end address.
206  * @bufcurp:         Pointer to remaining (non-parsed) data.
207  * @maxfields:       Length of fields array.
208  * @fields:          Array containing lengths and pointers of parsed data.
209  * @curfields:       Number of array items containing parsed data.
210  * @len_mask:        Bitmap (if bit is set, data length should not be parsed).
211  * @enforce_mask:    Check if curfields == maxfields and/or bufcurp == bufendp.
212  * @bufname:         String identifier of the input buffer.
213  *
214  * Return: 0 on success, -EINVAL on error.
215  */
216 int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp,
217 		  int maxfields, struct ima_field_data *fields, int *curfields,
218 		  unsigned long *len_mask, int enforce_mask, char *bufname)
219 {
220 	void *bufp = bufstartp;
221 	int i;
222 
223 	for (i = 0; i < maxfields; i++) {
224 		if (len_mask == NULL || !test_bit(i, len_mask)) {
225 			if (bufp > (bufendp - sizeof(u32)))
226 				break;
227 
228 			fields[i].len = *(u32 *)bufp;
229 			if (ima_canonical_fmt)
230 				fields[i].len = le32_to_cpu(fields[i].len);
231 
232 			bufp += sizeof(u32);
233 		}
234 
235 		if (bufp > (bufendp - fields[i].len))
236 			break;
237 
238 		fields[i].data = bufp;
239 		bufp += fields[i].len;
240 	}
241 
242 	if ((enforce_mask & ENFORCE_FIELDS) && i != maxfields) {
243 		pr_err("%s: nr of fields mismatch: expected: %d, current: %d\n",
244 		       bufname, maxfields, i);
245 		return -EINVAL;
246 	}
247 
248 	if ((enforce_mask & ENFORCE_BUFEND) && bufp != bufendp) {
249 		pr_err("%s: buf end mismatch: expected: %p, current: %p\n",
250 		       bufname, bufendp, bufp);
251 		return -EINVAL;
252 	}
253 
254 	if (curfields)
255 		*curfields = i;
256 
257 	if (bufcurp)
258 		*bufcurp = bufp;
259 
260 	return 0;
261 }
262 
263 static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
264 				       u8 hash_algo,
265 				       struct ima_field_data *field_data)
266 {
267 	/*
268 	 * digest formats:
269 	 *  - DATA_FMT_DIGEST: digest
270 	 *  - DATA_FMT_DIGEST_WITH_ALGO: [<hash algo>] + ':' + '\0' + digest,
271 	 *    where <hash algo> is provided if the hash algoritm is not
272 	 *    SHA1 or MD5
273 	 */
274 	u8 buffer[CRYPTO_MAX_ALG_NAME + 2 + IMA_MAX_DIGEST_SIZE] = { 0 };
275 	enum data_formats fmt = DATA_FMT_DIGEST;
276 	u32 offset = 0;
277 
278 	if (hash_algo < HASH_ALGO__LAST) {
279 		fmt = DATA_FMT_DIGEST_WITH_ALGO;
280 		offset += snprintf(buffer, CRYPTO_MAX_ALG_NAME + 1, "%s",
281 				   hash_algo_name[hash_algo]);
282 		buffer[offset] = ':';
283 		offset += 2;
284 	}
285 
286 	if (digest)
287 		memcpy(buffer + offset, digest, digestsize);
288 	else
289 		/*
290 		 * If digest is NULL, the event being recorded is a violation.
291 		 * Make room for the digest by increasing the offset of
292 		 * IMA_DIGEST_SIZE.
293 		 */
294 		offset += IMA_DIGEST_SIZE;
295 
296 	return ima_write_template_field_data(buffer, offset + digestsize,
297 					     fmt, field_data);
298 }
299 
300 /*
301  * This function writes the digest of an event (with size limit).
302  */
303 int ima_eventdigest_init(struct ima_event_data *event_data,
304 			 struct ima_field_data *field_data)
305 {
306 	struct {
307 		struct ima_digest_data hdr;
308 		char digest[IMA_MAX_DIGEST_SIZE];
309 	} hash;
310 	u8 *cur_digest = NULL;
311 	u32 cur_digestsize = 0;
312 	struct inode *inode;
313 	int result;
314 
315 	memset(&hash, 0, sizeof(hash));
316 
317 	if (event_data->violation)	/* recording a violation. */
318 		goto out;
319 
320 	if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
321 		cur_digest = event_data->iint->ima_hash->digest;
322 		cur_digestsize = event_data->iint->ima_hash->length;
323 		goto out;
324 	}
325 
326 	if ((const char *)event_data->filename == boot_aggregate_name) {
327 		if (ima_tpm_chip) {
328 			hash.hdr.algo = HASH_ALGO_SHA1;
329 			result = ima_calc_boot_aggregate(&hash.hdr);
330 
331 			/* algo can change depending on available PCR banks */
332 			if (!result && hash.hdr.algo != HASH_ALGO_SHA1)
333 				result = -EINVAL;
334 
335 			if (result < 0)
336 				memset(&hash, 0, sizeof(hash));
337 		}
338 
339 		cur_digest = hash.hdr.digest;
340 		cur_digestsize = hash_digest_size[HASH_ALGO_SHA1];
341 		goto out;
342 	}
343 
344 	if (!event_data->file)	/* missing info to re-calculate the digest */
345 		return -EINVAL;
346 
347 	inode = file_inode(event_data->file);
348 	hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
349 	    ima_hash_algo : HASH_ALGO_SHA1;
350 	result = ima_calc_file_hash(event_data->file, &hash.hdr);
351 	if (result) {
352 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
353 				    event_data->filename, "collect_data",
354 				    "failed", result, 0);
355 		return result;
356 	}
357 	cur_digest = hash.hdr.digest;
358 	cur_digestsize = hash.hdr.length;
359 out:
360 	return ima_eventdigest_init_common(cur_digest, cur_digestsize,
361 					   HASH_ALGO__LAST, field_data);
362 }
363 
364 /*
365  * This function writes the digest of an event (without size limit).
366  */
367 int ima_eventdigest_ng_init(struct ima_event_data *event_data,
368 			    struct ima_field_data *field_data)
369 {
370 	u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
371 	u32 cur_digestsize = 0;
372 
373 	if (event_data->violation)	/* recording a violation. */
374 		goto out;
375 
376 	cur_digest = event_data->iint->ima_hash->digest;
377 	cur_digestsize = event_data->iint->ima_hash->length;
378 
379 	hash_algo = event_data->iint->ima_hash->algo;
380 out:
381 	return ima_eventdigest_init_common(cur_digest, cur_digestsize,
382 					   hash_algo, field_data);
383 }
384 
385 /*
386  * This function writes the digest of the file which is expected to match the
387  * digest contained in the file's appended signature.
388  */
389 int ima_eventdigest_modsig_init(struct ima_event_data *event_data,
390 				struct ima_field_data *field_data)
391 {
392 	enum hash_algo hash_algo;
393 	const u8 *cur_digest;
394 	u32 cur_digestsize;
395 
396 	if (!event_data->modsig)
397 		return 0;
398 
399 	if (event_data->violation) {
400 		/* Recording a violation. */
401 		hash_algo = HASH_ALGO_SHA1;
402 		cur_digest = NULL;
403 		cur_digestsize = 0;
404 	} else {
405 		int rc;
406 
407 		rc = ima_get_modsig_digest(event_data->modsig, &hash_algo,
408 					   &cur_digest, &cur_digestsize);
409 		if (rc)
410 			return rc;
411 		else if (hash_algo == HASH_ALGO__LAST || cur_digestsize == 0)
412 			/* There was some error collecting the digest. */
413 			return -EINVAL;
414 	}
415 
416 	return ima_eventdigest_init_common(cur_digest, cur_digestsize,
417 					   hash_algo, field_data);
418 }
419 
420 static int ima_eventname_init_common(struct ima_event_data *event_data,
421 				     struct ima_field_data *field_data,
422 				     bool size_limit)
423 {
424 	const char *cur_filename = NULL;
425 	u32 cur_filename_len = 0;
426 
427 	BUG_ON(event_data->filename == NULL && event_data->file == NULL);
428 
429 	if (event_data->filename) {
430 		cur_filename = event_data->filename;
431 		cur_filename_len = strlen(event_data->filename);
432 
433 		if (!size_limit || cur_filename_len <= IMA_EVENT_NAME_LEN_MAX)
434 			goto out;
435 	}
436 
437 	if (event_data->file) {
438 		cur_filename = event_data->file->f_path.dentry->d_name.name;
439 		cur_filename_len = strlen(cur_filename);
440 	} else
441 		/*
442 		 * Truncate filename if the latter is too long and
443 		 * the file descriptor is not available.
444 		 */
445 		cur_filename_len = IMA_EVENT_NAME_LEN_MAX;
446 out:
447 	return ima_write_template_field_data(cur_filename, cur_filename_len,
448 					     DATA_FMT_STRING, field_data);
449 }
450 
451 /*
452  * This function writes the name of an event (with size limit).
453  */
454 int ima_eventname_init(struct ima_event_data *event_data,
455 		       struct ima_field_data *field_data)
456 {
457 	return ima_eventname_init_common(event_data, field_data, true);
458 }
459 
460 /*
461  * This function writes the name of an event (without size limit).
462  */
463 int ima_eventname_ng_init(struct ima_event_data *event_data,
464 			  struct ima_field_data *field_data)
465 {
466 	return ima_eventname_init_common(event_data, field_data, false);
467 }
468 
469 /*
470  *  ima_eventsig_init - include the file signature as part of the template data
471  */
472 int ima_eventsig_init(struct ima_event_data *event_data,
473 		      struct ima_field_data *field_data)
474 {
475 	struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
476 
477 	if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
478 		return ima_eventevmsig_init(event_data, field_data);
479 
480 	return ima_write_template_field_data(xattr_value, event_data->xattr_len,
481 					     DATA_FMT_HEX, field_data);
482 }
483 
484 /*
485  *  ima_eventbuf_init - include the buffer(kexec-cmldine) as part of the
486  *  template data.
487  */
488 int ima_eventbuf_init(struct ima_event_data *event_data,
489 		      struct ima_field_data *field_data)
490 {
491 	if ((!event_data->buf) || (event_data->buf_len == 0))
492 		return 0;
493 
494 	return ima_write_template_field_data(event_data->buf,
495 					     event_data->buf_len, DATA_FMT_HEX,
496 					     field_data);
497 }
498 
499 /*
500  *  ima_eventmodsig_init - include the appended file signature as part of the
501  *  template data
502  */
503 int ima_eventmodsig_init(struct ima_event_data *event_data,
504 			 struct ima_field_data *field_data)
505 {
506 	const void *data;
507 	u32 data_len;
508 	int rc;
509 
510 	if (!event_data->modsig)
511 		return 0;
512 
513 	/*
514 	 * modsig is a runtime structure containing pointers. Get its raw data
515 	 * instead.
516 	 */
517 	rc = ima_get_raw_modsig(event_data->modsig, &data, &data_len);
518 	if (rc)
519 		return rc;
520 
521 	return ima_write_template_field_data(data, data_len, DATA_FMT_HEX,
522 					     field_data);
523 }
524 
525 /*
526  *  ima_eventevmsig_init - include the EVM portable signature as part of the
527  *  template data
528  */
529 int ima_eventevmsig_init(struct ima_event_data *event_data,
530 			 struct ima_field_data *field_data)
531 {
532 	struct evm_ima_xattr_data *xattr_data = NULL;
533 	int rc = 0;
534 
535 	if (!event_data->file)
536 		return 0;
537 
538 	rc = vfs_getxattr_alloc(&init_user_ns, file_dentry(event_data->file),
539 				XATTR_NAME_EVM, (char **)&xattr_data, 0,
540 				GFP_NOFS);
541 	if (rc <= 0)
542 		return 0;
543 
544 	if (xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) {
545 		kfree(xattr_data);
546 		return 0;
547 	}
548 
549 	rc = ima_write_template_field_data((char *)xattr_data, rc, DATA_FMT_HEX,
550 					   field_data);
551 	kfree(xattr_data);
552 	return rc;
553 }
554 
555 static int ima_eventinodedac_init_common(struct ima_event_data *event_data,
556 					 struct ima_field_data *field_data,
557 					 bool get_uid)
558 {
559 	unsigned int id;
560 
561 	if (!event_data->file)
562 		return 0;
563 
564 	if (get_uid)
565 		id = i_uid_read(file_inode(event_data->file));
566 	else
567 		id = i_gid_read(file_inode(event_data->file));
568 
569 	if (ima_canonical_fmt) {
570 		if (sizeof(id) == sizeof(u16))
571 			id = cpu_to_le16(id);
572 		else
573 			id = cpu_to_le32(id);
574 	}
575 
576 	return ima_write_template_field_data((void *)&id, sizeof(id),
577 					     DATA_FMT_UINT, field_data);
578 }
579 
580 /*
581  *  ima_eventinodeuid_init - include the inode UID as part of the template
582  *  data
583  */
584 int ima_eventinodeuid_init(struct ima_event_data *event_data,
585 			   struct ima_field_data *field_data)
586 {
587 	return ima_eventinodedac_init_common(event_data, field_data, true);
588 }
589 
590 /*
591  *  ima_eventinodegid_init - include the inode GID as part of the template
592  *  data
593  */
594 int ima_eventinodegid_init(struct ima_event_data *event_data,
595 			   struct ima_field_data *field_data)
596 {
597 	return ima_eventinodedac_init_common(event_data, field_data, false);
598 }
599