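/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Copyright (C) 2008 IBM Corporation
 * Author: Mimi Zohar
 *
 * Public interface of the Integrity Measurement Architecture (IMA).
 *
 * Every hook has two shapes: an extern prototype when the corresponding
 * CONFIG_ option is enabled, and a static inline stub when it is not.  The
 * stubs are deliberately permissive (return 0 / false / do nothing) so that
 * callers in fs/, kernel/ and security/ compile and behave as if no
 * measurement or appraisal policy were loaded.  The one exception is
 * ima_file_hash(), whose stub returns -EOPNOTSUPP so a caller can tell
 * "IMA not built" apart from "hash computed".
 */
#ifndef _LINUX_IMA_H
#define _LINUX_IMA_H

/*
 * NOTE(review): the targets of the four #include directives below were lost
 * when this copy was extracted; restore them from the upstream file.  They
 * must supply the complete definitions of struct kref, struct ns_common,
 * struct list_head and struct llist_node, which struct ima_namespace embeds
 * by value below.
 */
#include
#include
#include
#include

/* Opaque types only ever referenced through pointers in this header. */
struct linux_binprm;
struct nsproxy;
struct task_struct;
struct list_head;
struct llist_node;
struct ima_policy_data;
/*
 * Declared up front so that the is_ima_appraise_enabled() prototype under
 * CONFIG_IMA_APPRAISE (which precedes the struct definition) names the
 * file-scope tag rather than a prototype-scoped one of the same name.
 */
struct ima_namespace;
/* Same reason for the ima_add_kexec_buffer() prototype under CONFIG_IMA_KEXEC. */
struct kimage;

#ifdef CONFIG_IMA
/* Measurement / appraisal hooks; non-zero return denies the operation. */
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct inode *inode);
extern int ima_file_alloc(struct file *file);
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot);
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
extern int ima_post_load_data(char *buf, loff_t size,
			      enum kernel_load_data_id id, char *description);
extern int ima_read_file(struct file *file, enum kernel_read_file_id id,
			 bool contents);
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
			      enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct dentry *dentry);
/* Copies the file's measurement hash into @buf (at most @buf_size bytes). */
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);

#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
#endif

#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
extern bool arch_ima_get_secureboot(void);
extern const char * const *arch_get_ima_policy(void);
#else
/* No arch support: report secure boot as off and supply no built-in policy. */
static inline bool arch_ima_get_secureboot(void)
{
	return false;
}

static inline const char * const *arch_get_ima_policy(void)
{
	return NULL;
}
#endif

#else /* !CONFIG_IMA */
/* IMA compiled out: every hook permits the operation. */
static inline int ima_bprm_check(struct linux_binprm *bprm)
{
	return 0;
}

static inline int ima_file_check(struct file *file, int mask)
{
	return 0;
}

static inline void ima_post_create_tmpfile(struct inode *inode)
{
}

static inline int ima_file_alloc(struct file *file)
{
	return 0;
}

static inline void ima_file_free(struct file *file)
{
}

static inline int ima_file_mmap(struct file *file, unsigned long prot)
{
	return 0;
}

static inline int ima_file_mprotect(struct vm_area_struct *vma,
				    unsigned long prot)
{
	return 0;
}

static inline int ima_load_data(enum kernel_load_data_id id, bool contents)
{
	return 0;
}

static inline int ima_post_load_data(char *buf, loff_t size,
				     enum kernel_load_data_id id,
				     char *description)
{
	return 0;
}

static inline int ima_read_file(struct file *file, enum kernel_read_file_id id,
				bool contents)
{
	return 0;
}

static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
				     enum kernel_read_file_id id)
{
	return 0;
}

static inline void ima_post_path_mknod(struct dentry *dentry)
{
}

/* Distinguishable from a successful hash so callers do not use stale @buf. */
static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
{
	return -EOPNOTSUPP;
}

static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
{
}
#endif /* CONFIG_IMA */

#ifndef CONFIG_IMA_KEXEC
static inline void ima_add_kexec_buffer(struct kimage *image)
{
}
#endif

#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
extern void ima_post_key_create_or_update(struct key *keyring, struct key *key,
					  const void *payload, size_t plen,
					  unsigned long flags, bool create);
#else
static inline void ima_post_key_create_or_update(struct key *keyring,
						 struct key *key,
						 const void *payload,
						 size_t plen,
						 unsigned long flags,
						 bool create)
{
}
#endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */

#ifdef CONFIG_IMA_APPRAISE
/* Appraisal is evaluated per IMA namespace, hence the @ima_ns argument. */
extern bool is_ima_appraise_enabled(const struct ima_namespace *ima_ns);
extern void ima_inode_post_setattr(struct dentry *dentry);
extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
			      const void *xattr_value, size_t xattr_value_len);
extern void ima_inode_post_setxattr(struct dentry *dentry,
				    const char *xattr_name,
				    const void *xattr_value,
				    size_t xattr_value_len);
extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name);
extern void ima_inode_post_removexattr(struct dentry *dentry,
				       const char *xattr_name);
#else
/* Returns the bool constant, matching the other bool stubs in this header. */
static inline bool is_ima_appraise_enabled(const struct ima_namespace *ima_ns)
{
	return false;
}

static inline void ima_inode_post_setattr(struct dentry *dentry)
{
}

static inline int ima_inode_setxattr(struct dentry *dentry,
				     const char *xattr_name,
				     const void *xattr_value,
				     size_t xattr_value_len)
{
	return 0;
}

static inline void ima_inode_post_setxattr(struct dentry *dentry,
					   const char *xattr_name,
					   const void *xattr_value,
					   size_t xattr_value_len)
{
}

static inline int ima_inode_removexattr(struct dentry *dentry,
					const char *xattr_name)
{
	return 0;
}

static inline void ima_inode_post_removexattr(struct dentry *dentry,
					      const char *xattr_name)
{
}
#endif /* CONFIG_IMA_APPRAISE */

#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
extern bool ima_appraise_signature(enum kernel_read_file_id func);
#else
/* Without a trusted keyring no signature can be required for @func. */
static inline bool ima_appraise_signature(enum kernel_read_file_id func)
{
	return false;
}
#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */

/**
 * struct ima_namespace - per-namespace IMA state
 * @kref:         reference count; released through free_ima_ns()
 * @ns:           common namespace bookkeeping (inode, ops, ...)
 * @ucounts:      ucount charged for this namespace
 * @user_ns:      owning user namespace
 * @list:         membership in the global list of IMA namespaces
 * @cleanup_list: namespaces on a death row
 * @inactive:     set only when ns is added to the cleanup list
 * @frozen:       namespace flag; meaning is defined by the implementation,
 *                not by this header
 * @policy_data:  this namespace's policy; opaque here
 *
 * The layout is randomized when struct layout randomization is enabled,
 * so nothing may depend on member offsets.
 */
struct ima_namespace {
	struct kref kref;
	struct ns_common ns;
	struct ucounts *ucounts;
	struct user_namespace *user_ns;
	struct list_head list;
	struct llist_node cleanup_list;	/* namespaces on a death row */
	atomic_t inactive;		/* set only when ns is added to the cleanup list */
	bool frozen;
	struct ima_policy_data *policy_data;
} __randomize_layout;

/* The initial (root) IMA namespace, statically allocated. */
extern struct ima_namespace init_ima_ns;

#ifdef CONFIG_IMA_NS
/*
 * copy_ima_ns() returns the namespace for a new task given @flags; whether it
 * allocates a fresh one or takes a reference on @old_ns is decided by the
 * implementation.  free_ima_ns() is the kref release callback.
 */
struct ima_namespace *copy_ima_ns(unsigned long flags,
				  struct user_namespace *user_ns,
				  struct ima_namespace *old_ns);
void free_ima_ns(struct kref *kref);
int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk);

/* Takes a reference on @ns (NULL is tolerated) and returns it for chaining. */
static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
{
	if (ns)
		kref_get(&ns->kref);
	return ns;
}

/* Drops a reference on @ns (NULL is tolerated); frees it on the last one. */
static inline void put_ima_ns(struct ima_namespace *ns)
{
	if (ns)
		kref_put(&ns->kref, free_ima_ns);
}
#else
/* No namespaces: every task shares @old_ns and references are not counted. */
static inline struct ima_namespace *copy_ima_ns(unsigned long flags,
						struct user_namespace *user_ns,
						struct ima_namespace *old_ns)
{
	return old_ns;
}

static inline int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk)
{
	return 0;
}

static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
{
	return ns;
}

static inline void put_ima_ns(struct ima_namespace *ns)
{
}
#endif /* CONFIG_IMA_NS */

#endif /* _LINUX_IMA_H */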