ima_main.c 11.4 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
/*
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Reiner Sailer <sailer@watson.ibm.com>
 * Serge Hallyn <serue@us.ibm.com>
 * Kylene Hall <kylene@us.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 * File: ima_main.c
16
 *	implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17
 *	and ima_file_check.
18 19 20 21 22 23
 */
#include <linux/module.h>
#include <linux/file.h>
#include <linux/binfmts.h>
#include <linux/mount.h>
#include <linux/mman.h>
24
#include <linux/slab.h>
M
Mimi Zohar 已提交
25
#include <linux/xattr.h>
26
#include <linux/ima.h>
27 28 29 30 31

#include "ima.h"

int ima_initialized;

M
Mimi Zohar 已提交
32 33 34 35 36 37
#ifdef CONFIG_IMA_APPRAISE
int ima_appraise = IMA_APPRAISE_ENFORCE;
#else
int ima_appraise;
#endif

38
int ima_hash_algo = HASH_ALGO_SHA1;
39
static int hash_setup_done;
40

41 42
static int __init hash_setup(char *str)
{
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
	struct ima_template_desc *template_desc = ima_template_desc_current();
	int i;

	if (hash_setup_done)
		return 1;

	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
		if (strncmp(str, "sha1", 4) == 0)
			ima_hash_algo = HASH_ALGO_SHA1;
		else if (strncmp(str, "md5", 3) == 0)
			ima_hash_algo = HASH_ALGO_MD5;
		goto out;
	}

	for (i = 0; i < HASH_ALGO__LAST; i++) {
		if (strcmp(str, hash_algo_name[i]) == 0) {
			ima_hash_algo = i;
			break;
		}
	}
out:
	hash_setup_done = 1;
65 66 67 68
	return 1;
}
__setup("ima_hash=", hash_setup);

M
Mimi Zohar 已提交
69
/*
70
 * ima_rdwr_violation_check
M
Mimi Zohar 已提交
71
 *
72
 * Only invalidate the PCR for measured files:
73
 *	- Opening a file for write when already open for read,
M
Mimi Zohar 已提交
74 75
 *	  results in a time of measure, time of use (ToMToU) error.
 *	- Opening a file for read when already open for write,
76
 *	  could result in a file measurement error.
M
Mimi Zohar 已提交
77 78
 *
 */
79 80
static void ima_rdwr_violation_check(struct file *file,
				     struct integrity_iint_cache *iint,
81
				     int must_measure,
82 83
				     char **pathbuf,
				     const char **pathname)
M
Mimi Zohar 已提交
84
{
85
	struct inode *inode = file_inode(file);
M
Mimi Zohar 已提交
86
	fmode_t mode = file->f_mode;
87
	bool send_tomtou = false, send_writers = false;
88

M
Mimi Zohar 已提交
89
	if (mode & FMODE_WRITE) {
90
		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
91 92
			if (!iint)
				iint = integrity_iint_find(inode);
93 94 95 96
			/* IMA_MEASURE is set from reader side */
			if (iint && (iint->flags & IMA_MEASURE))
				send_tomtou = true;
		}
97
	} else {
98
		if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
99
			send_writers = true;
M
Mimi Zohar 已提交
100
	}
101

102 103 104
	if (!send_tomtou && !send_writers)
		return;

105
	*pathname = ima_d_path(&file->f_path, pathbuf);
106

107
	if (send_tomtou)
108 109
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "ToMToU");
110
	if (send_writers)
111
		ima_add_violation(file, *pathname, iint,
112
				  "invalid_pcr", "open_writers");
M
Mimi Zohar 已提交
113 114
}

115
static void ima_check_last_writer(struct integrity_iint_cache *iint,
M
Mimi Zohar 已提交
116
				  struct inode *inode, struct file *file)
E
Eric Paris 已提交
117
{
A
Al Viro 已提交
118
	fmode_t mode = file->f_mode;
E
Eric Paris 已提交
119

M
Mimi Zohar 已提交
120 121 122
	if (!(mode & FMODE_WRITE))
		return;

A
Al Viro 已提交
123
	inode_lock(inode);
124 125 126 127 128 129 130
	if (atomic_read(&inode->i_writecount) == 1) {
		if ((iint->version != inode->i_version) ||
		    (iint->flags & IMA_NEW_FILE)) {
			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
			if (iint->flags & IMA_APPRAISE)
				ima_update_xattr(iint, file);
		}
M
Mimi Zohar 已提交
131
	}
A
Al Viro 已提交
132
	inode_unlock(inode);
E
Eric Paris 已提交
133 134
}

135 136 137 138
/**
 * ima_file_free - called on __fput()
 * @file: pointer to file structure being freed
 *
139
 * Flag files that changed, based on i_version
140 141 142
 */
void ima_file_free(struct file *file)
{
A
Al Viro 已提交
143
	struct inode *inode = file_inode(file);
144
	struct integrity_iint_cache *iint;
145

146
	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
147
		return;
148

149
	iint = integrity_iint_find(inode);
M
Mimi Zohar 已提交
150 151
	if (!iint)
		return;
152

M
Mimi Zohar 已提交
153
	ima_check_last_writer(iint, inode, file);
154 155
}

156 157
static int process_measurement(struct file *file, char *buf, loff_t size,
			       int mask, enum ima_hooks func, int opened)
158
{
A
Al Viro 已提交
159
	struct inode *inode = file_inode(file);
160
	struct integrity_iint_cache *iint = NULL;
161
	struct ima_template_desc *template_desc;
162 163
	char *pathbuf = NULL;
	const char *pathname = NULL;
164
	int rc = -ENOMEM, action, must_appraise;
165
	struct evm_ima_xattr_data *xattr_value = NULL;
166
	int xattr_len = 0;
167
	bool violation_check;
168
	enum hash_algo hash_algo;
169

170
	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
171
		return 0;
E
Eric Paris 已提交
172

173 174 175 176
	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
	 * bitmask based on the appraise/audit/measurement policy.
	 * Included is the appraise submask.
	 */
177 178
	action = ima_get_action(inode, mask, func);
	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
179 180
			   (ima_policy_flag & IMA_MEASURE));
	if (!action && !violation_check)
M
Mimi Zohar 已提交
181 182 183
		return 0;

	must_appraise = action & IMA_APPRAISE;
E
Eric Paris 已提交
184

185
	/*  Is the appraise rule hook specific?  */
186
	if (action & IMA_FILE_APPRAISE)
187
		func = FILE_CHECK;
188

A
Al Viro 已提交
189
	inode_lock(inode);
M
Mimi Zohar 已提交
190

191 192 193 194 195 196 197
	if (action) {
		iint = integrity_inode_get(inode);
		if (!iint)
			goto out;
	}

	if (violation_check) {
198 199
		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
					 &pathbuf, &pathname);
200 201 202 203 204
		if (!action) {
			rc = 0;
			goto out_free;
		}
	}
205

M
Mimi Zohar 已提交
206
	/* Determine if already appraised/measured based on bitmask
207 208 209
	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
	 *  IMA_AUDIT, IMA_AUDITED)
	 */
M
Mimi Zohar 已提交
210
	iint->flags |= action;
211
	action &= IMA_DO_MASK;
212
	action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
M
Mimi Zohar 已提交
213 214 215

	/* Nothing to do, just return existing appraised status */
	if (!action) {
216
		if (must_appraise)
217
			rc = ima_get_cache_status(iint, func);
218
		goto out_digsig;
M
Mimi Zohar 已提交
219
	}
220

221
	template_desc = ima_template_desc_current();
222 223
	if ((action & IMA_APPRAISE_SUBMASK) ||
		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
224 225
		/* read 'security.ima' */
		xattr_len = ima_read_xattr(file->f_path.dentry, &xattr_value);
226

227 228
	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);

229
	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
230 231 232
	if (rc != 0) {
		if (file->f_flags & O_DIRECT)
			rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
233
		goto out_digsig;
234
	}
235

236 237
	if (!pathname)	/* ima_rdwr_violation possibly pre-fetched */
		pathname = ima_d_path(&file->f_path, &pathbuf);
238

M
Mimi Zohar 已提交
239
	if (action & IMA_MEASURE)
240 241
		ima_store_measurement(iint, file, pathname,
				      xattr_value, xattr_len);
242
	if (action & IMA_APPRAISE_SUBMASK)
243
		rc = ima_appraise_measurement(func, iint, file, pathname,
244
					      xattr_value, xattr_len, opened);
P
Peter Moody 已提交
245
	if (action & IMA_AUDIT)
246
		ima_audit_measurement(iint, pathname);
247

248
out_digsig:
249 250
	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
	     !(iint->flags & IMA_NEW_FILE))
251
		rc = -EACCES;
252 253
	kfree(xattr_value);
out_free:
D
Dmitry Kasatkin 已提交
254 255
	if (pathbuf)
		__putname(pathbuf);
256
out:
A
Al Viro 已提交
257
	inode_unlock(inode);
258 259 260
	if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
		return -EACCES;
	return 0;
261 262 263 264 265 266 267 268 269 270
}

/**
 * ima_file_mmap - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured (May be NULL)
 * @prot: contains the protection that will be applied by the kernel.
 *
 * Measure files being mmapped executable based on the ima_must_measure()
 * policy decision.
 *
271 272
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
273 274 275
 */
int ima_file_mmap(struct file *file, unsigned long prot)
{
276
	if (file && (prot & PROT_EXEC))
277 278
		return process_measurement(file, NULL, 0, MAY_EXEC,
					   MMAP_CHECK, 0);
279
	return 0;
280 281 282 283 284 285 286 287 288 289 290 291
}

/**
 * ima_bprm_check - based on policy, collect/store measurement.
 * @bprm: contains the linux_binprm structure
 *
 * The OS protects against an executable file, already open for write,
 * from being executed in deny_write_access() and an executable file,
 * already open for execute, from being modified in get_write_access().
 * So we can be certain that what we verify and measure here is actually
 * what is being executed.
 *
292 293
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
294 295 296
 */
int ima_bprm_check(struct linux_binprm *bprm)
{
297 298
	return process_measurement(bprm->file, NULL, 0, MAY_EXEC,
				   BPRM_CHECK, 0);
299 300
}

M
Mimi Zohar 已提交
301 302 303 304 305 306 307
/**
 * ima_path_check - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured
 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
 *
 * Measure files based on the ima_must_measure() policy decision.
 *
308 309
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
M
Mimi Zohar 已提交
310
 */
311
int ima_file_check(struct file *file, int mask, int opened)
M
Mimi Zohar 已提交
312
{
313
	return process_measurement(file, NULL, 0,
D
Dmitry Kasatkin 已提交
314
				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
315
				   FILE_CHECK, opened);
M
Mimi Zohar 已提交
316
}
317
EXPORT_SYMBOL_GPL(ima_file_check);
M
Mimi Zohar 已提交
318

319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340
/**
 * ima_post_path_mknod - mark as a new inode
 * @dentry: newly created dentry
 *
 * Mark files created via the mknodat syscall as new, so that the
 * file data can be written later.
 */
void ima_post_path_mknod(struct dentry *dentry)
{
	struct integrity_iint_cache *iint;
	struct inode *inode = dentry->d_inode;
	int must_appraise;

	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
	if (!must_appraise)
		return;

	iint = integrity_inode_get(inode);
	if (iint)
		iint->flags |= IMA_NEW_FILE;
}

341 342 343 344 345 346 347 348 349 350 351 352 353
/**
 * ima_read_file - pre-measure/appraise hook decision based on policy
 * @file: pointer to the file to be measured/appraised/audit
 * @read_id: caller identifier
 *
 * Permit reading a file based on policy. The policy rules are written
 * in terms of the policy identifier.  Appraising the integrity of
 * a file requires a file descriptor.
 *
 * For permission return 0, otherwise return -EACCES.
 */
int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
{
354 355 356 357 358 359 360 361
	if (!file && read_id == READING_MODULE) {
#ifndef CONFIG_MODULE_SIG_FORCE
		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;	/* INTEGRITY_UNKNOWN */
#endif
		return 0;	/* We rely on module signature checking */
	}
362 363 364
	return 0;
}

365 366 367 368 369
static int read_idmap[READING_MAX_ID] = {
	[READING_FIRMWARE] = FIRMWARE_CHECK,
	[READING_MODULE] = MODULE_CHECK,
	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
370
	[READING_POLICY] = POLICY_CHECK
371 372
};

373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388
/**
 * ima_post_read_file - in memory collect/appraise/audit measurement
 * @file: pointer to the file to be measured/appraised/audit
 * @buf: pointer to in memory file contents
 * @size: size of in memory file contents
 * @read_id: caller identifier
 *
 * Measure/appraise/audit in memory file based on policy.  Policy rules
 * are written in terms of a policy identifier.
 *
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
int ima_post_read_file(struct file *file, void *buf, loff_t size,
		       enum kernel_read_file_id read_id)
{
389
	enum ima_hooks func;
390

391 392 393 394 395 396 397
	if (!file && read_id == READING_FIRMWARE) {
		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;	/* INTEGRITY_UNKNOWN */
		return 0;
	}

398 399 400
	if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
		return 0;

401 402 403 404 405 406
	if (!file || !buf || size == 0) { /* should never happen */
		if (ima_appraise & IMA_APPRAISE_ENFORCE)
			return -EACCES;
		return 0;
	}

407
	func = read_idmap[read_id] ?: FILE_CHECK;
408
	return process_measurement(file, buf, size, MAY_READ, func, 0);
409 410
}

411 412 413 414
static int __init init_ima(void)
{
	int error;

415
	hash_setup(CONFIG_IMA_DEFAULT_HASH);
416
	error = ima_init();
417
	if (!error) {
418
		ima_initialized = 1;
419 420
		ima_update_policy_flag();
	}
421 422 423 424 425 426 427
	return error;
}

late_initcall(init_ima);	/* Start IMA after the TPM is available */

MODULE_DESCRIPTION("Integrity Measurement Architecture");
MODULE_LICENSE("GPL");