
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Integrity Measurement Architecture
  4. *
  5. * Copyright (C) 2005,2006,2007,2008 IBM Corporation
  6. *
  7. * Authors:
  8. * Reiner Sailer <sailer@watson.ibm.com>
  9. * Serge Hallyn <serue@us.ibm.com>
  10. * Kylene Hall <kylene@us.ibm.com>
  11. * Mimi Zohar <zohar@us.ibm.com>
  12. *
  13. * File: ima_main.c
  14. * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
  15. * and ima_file_check.
  16. */
  17. #include <linux/module.h>
  18. #include <linux/file.h>
  19. #include <linux/binfmts.h>
  20. #include <linux/kernel_read_file.h>
  21. #include <linux/mount.h>
  22. #include <linux/mman.h>
  23. #include <linux/slab.h>
  24. #include <linux/xattr.h>
  25. #include <linux/ima.h>
  26. #include <linux/fs.h>
  27. #include <linux/iversion.h>
  28. #include <linux/evm.h>
  29. #include <linux/crash_dump.h>
  30. #include "ima.h"
/*
 * Appraisal mode. With CONFIG_IMA_APPRAISE built in, appraisal starts in
 * enforcing mode (failures deny access in process_measurement()); without
 * it the value is 0 and appraisal is never enforced.
 */
#ifdef CONFIG_IMA_APPRAISE
int ima_appraise = IMA_APPRAISE_ENFORCE;
#else
int ima_appraise;
#endif
/*
 * Hash algorithm used for measurements. Starts as SHA-1 and may be
 * changed once, at boot, via the ima_hash= option (see hash_setup());
 * read-only afterwards. NOTE(review): SHA-1 is no longer considered
 * collision resistant; deployments relying on the measurement log for
 * attestation should select a stronger algorithm via ima_hash= (or the
 * build default, if one is applied elsewhere — confirm).
 */
int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
/* Set once hash_setup() has accepted a valid ima_hash= value. */
static int hash_setup_done;
/* Set by "ima=off"; only honoured in a kdump kernel (see ima_setup()). */
static int ima_disabled __ro_after_init;
/* Callback registered (elsewhere) to react to LSM policy changes. */
static struct notifier_block ima_lsm_policy_notifier = {
	.notifier_call = ima_lsm_policy_change,
};
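/*
 * ima_setup - parse the "ima=on|off" kernel command line option
 * @str: option value following "ima="
 *
 * Turning IMA off from the command line is only honoured in a kdump
 * (crash capture) kernel; in any other kernel the option is ignored
 * with a warning. Matching is by prefix, so "off"/"on" followed by
 * further characters still matches.
 *
 * Always returns 1 so the option is consumed and not handed to init.
 */
static int __init ima_setup(char *str)
{
	if (!is_kdump_kernel()) {
		/* Terminate the message so it cannot merge with the next printk. */
		pr_info("Warning: ima setup option only permitted in kdump\n");
		return 1;
	}

	if (strncmp(str, "off", 3) == 0)
		ima_disabled = 1;
	else if (strncmp(str, "on", 2) == 0)
		ima_disabled = 0;
	else
		pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.\n", str);

	return 1;
}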
  56. __setup("ima=", ima_setup);
/*
 * hash_setup - parse the "ima_hash=" kernel command line option
 * @str: requested hash algorithm name
 *
 * Only the first valid ima_hash= option takes effect; later ones are
 * ignored. The legacy "ima" template only supports sha1 and md5; any
 * other template accepts every name in hash_algo_name[]. An unknown
 * name is reported and leaves ima_hash_algo untouched (and leaves the
 * option open to a later ima_hash= value).
 *
 * Always returns 1 so the option is consumed.
 */
static int __init hash_setup(char *str)
{
	struct ima_template_desc *template_desc = ima_template_desc_current();
	int idx;

	if (hash_setup_done)
		return 1;

	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
		idx = match_string(hash_algo_name, HASH_ALGO__LAST, str);
		if (idx < 0) {
			pr_err("invalid hash algorithm \"%s\"", str);
			return 1;
		}
		ima_hash_algo = idx;
	} else if (strncmp(str, "sha1", 4) == 0) {
		ima_hash_algo = HASH_ALGO_SHA1;
	} else if (strncmp(str, "md5", 3) == 0) {
		ima_hash_algo = HASH_ALGO_MD5;
	} else {
		pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
		       str, IMA_TEMPLATE_IMA_NAME);
		return 1;
	}

	hash_setup_done = 1;
	return 1;
}
  85. __setup("ima_hash=", hash_setup);
/**
 * ima_get_current_hash_algo - report the algorithm IMA measures with
 *
 * Returns ima_hash_algo, which is fixed after boot (__ro_after_init)
 * and may have been chosen via the ima_hash= option.
 */
enum hash_algo ima_get_current_hash_algo(void)
{
	return (enum hash_algo)ima_hash_algo;
}
/*
 * mmap_violation_check - refuse an executable mapping of a writably mapped file
 * @func: IMA hook in effect
 * @file: file being mapped
 * @pathbuf: path buffer, allocated here if not already fetched
 * @pathname: resolved path, set if @pathbuf had to be fetched
 * @filename: fallback name buffer for ima_d_path()
 *
 * Only the two mmap hooks are affected. If some other mapping of the
 * file is writable, the appraised content could change underneath the
 * executable mapping, so the request is audited and -ETXTBSY returned.
 * Returns 0 otherwise.
 */
static int mmap_violation_check(enum ima_hooks func, struct file *file,
				char **pathbuf, const char **pathname,
				char *filename)
{
	bool is_mmap_hook = (func == MMAP_CHECK || func == MMAP_CHECK_REQPROT);

	if (!is_mmap_hook || !mapping_writably_mapped(file->f_mapping))
		return 0;

	if (!*pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
		*pathname = ima_d_path(&file->f_path, pathbuf, filename);

	integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file), *pathname,
			    "mmap_file", "mmapped_writers", -ETXTBSY, 0);
	return -ETXTBSY;
}
/*
 * ima_rdwr_violation_check - record concurrent reader/writer violations
 * @file: file being opened
 * @iint: integrity cache entry, or NULL if the caller has none
 * @must_measure: non-zero when this open is in measurement policy
 * @pathbuf: path buffer, allocated when a violation is emitted
 * @pathname: resolved path, set when a violation is emitted
 * @filename: fallback name buffer for ima_d_path()
 *
 * Two situations invalidate the measurement PCR for measured files:
 *  - a write open while measured readers exist: time-of-measure /
 *    time-of-use ("ToMToU"). IMA_MAY_EMIT_TOMTOU is armed by a measured
 *    reader and consumed (cleared) by the first subsequent writer.
 *  - a measured read open while writers exist: "open_writers". Only
 *    emitted once per inode (IMA_EMITTED_OPENWRITERS) until the last
 *    writer closes.
 * Both cases are logged via ima_add_violation() with cause "invalid_pcr".
 */
static void ima_rdwr_violation_check(struct file *file,
				     struct ima_iint_cache *iint,
				     int must_measure,
				     char **pathbuf,
				     const char **pathname,
				     char *filename)
{
	struct inode *inode = file_inode(file);
	bool tomtou = false, open_writers = false;

	if (file->f_mode & FMODE_WRITE) {
		/* Writer side: a measured reader may already hold the file. */
		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
			if (!iint)
				iint = ima_iint_find(inode);
			if (iint && test_and_clear_bit(IMA_MAY_EMIT_TOMTOU,
						      &iint->atomic_flags))
				tomtou = true;
		}
	} else if (must_measure) {
		/* Reader side: arm the ToMToU flag for a later writer. */
		set_bit(IMA_MAY_EMIT_TOMTOU, &iint->atomic_flags);
		/* Limit number of open_writers violations */
		if (inode_is_open_for_write(inode) &&
		    !test_and_set_bit(IMA_EMITTED_OPENWRITERS,
				      &iint->atomic_flags))
			open_writers = true;
	}

	if (!tomtou && !open_writers)
		return;

	*pathname = ima_d_path(&file->f_path, pathbuf, filename);
	if (tomtou)
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "ToMToU");
	if (open_writers)
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "open_writers");
}
/*
 * ima_check_last_writer - invalidate cached results when the last writer closes
 * @iint: integrity cache entry for @inode
 * @inode: inode being released
 * @file: file being released
 *
 * Only a write-capable file whose inode has exactly one writer left is
 * considered. The file counts as changed if it is flagged IMA_NEW_FILE,
 * if its change cookie cannot be obtained, or if the cookie differs from
 * the one recorded at measurement time. A changed file loses its cached
 * measure/appraise/audit state and PCR bookkeeping, and the xattr is
 * rewritten through ima_update_xattr() when an update was pending.
 * Runs under iint->mutex.
 */
static void ima_check_last_writer(struct ima_iint_cache *iint,
				  struct inode *inode, struct file *file)
{
	struct kstat stat;
	bool update, changed;

	if (!(file->f_mode & FMODE_WRITE))
		return;

	mutex_lock(&iint->mutex);
	if (atomic_read(&inode->i_writecount) != 1)
		goto out_unlock;

	clear_bit(IMA_EMITTED_OPENWRITERS, &iint->atomic_flags);
	update = test_and_clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);

	/* A new file is always "changed"; otherwise consult the change cookie. */
	changed = iint->flags & IMA_NEW_FILE;
	if (!changed)
		changed = vfs_getattr_nosec(&file->f_path, &stat,
					    STATX_CHANGE_COOKIE,
					    AT_STATX_SYNC_AS_STAT) ||
			  !(stat.result_mask & STATX_CHANGE_COOKIE) ||
			  stat.change_cookie != iint->real_inode.version;

	if (changed) {
		iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
		iint->measured_pcrs = 0;
		if (update)
			ima_update_xattr(iint, file);
	}

out_unlock:
	mutex_unlock(&iint->mutex);
}
/**
 * ima_file_free - called on __fput()
 * @file: pointer to file structure being freed
 *
 * For regular files while a policy is loaded, hand the release to
 * ima_check_last_writer() so a closing writer can invalidate stale
 * measurement state. Inodes with no iint entry have no cached state to
 * maintain and are skipped.
 */
static void ima_file_free(struct file *file)
{
	struct inode *inode = file_inode(file);
	struct ima_iint_cache *iint;

	if (!ima_policy_flag)
		return;
	if (!S_ISREG(inode->i_mode))
		return;

	iint = ima_iint_find(inode);
	if (iint)
		ima_check_last_writer(iint, inode, file);
}
/*
 * process_measurement - measure, appraise and/or audit a file per policy
 * @file: file being accessed
 * @cred: credentials the policy rules are matched against
 * @prop: LSM subject properties for rule matching
 * @buf: file contents already read by the caller, or NULL
 * @size: length of @buf
 * @mask: MAY_READ/MAY_WRITE/MAY_EXEC/MAY_APPEND access requested
 * @func: IMA hook invoking this check
 * @read_id: kernel_read_file() caller id; READING_MODULE_COMPRESSED defers
 * @bprm_is_check: whether this is an execveat(2) AT_EXECVE_CHECK check
 *
 * Returns 0 when access is allowed. Returns -EACCES only when the file
 * is in appraisal policy, appraisal failed (or a write to a signed file
 * was requested), and appraisal is in enforcing mode; measurement and
 * audit outcomes never deny access.
 */
static int process_measurement(struct file *file, const struct cred *cred,
			       struct lsm_prop *prop, char *buf, loff_t size,
			       int mask, enum ima_hooks func,
			       enum kernel_read_file_id read_id,
			       bool bprm_is_check)
{
	struct inode *real_inode, *inode = file_inode(file);
	struct ima_iint_cache *iint = NULL;
	struct ima_template_desc *template_desc = NULL;
	struct inode *metadata_inode;
	char *pathbuf = NULL;
	char filename[NAME_MAX];
	const char *pathname = NULL;
	int rc = 0, action, must_appraise = 0;
	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
	struct evm_ima_xattr_data *xattr_value = NULL;
	struct modsig *modsig = NULL;
	int xattr_len = 0;
	bool violation_check;
	enum hash_algo hash_algo;
	unsigned int allowed_algos = 0;

	/* No loaded policy, or not a regular file: nothing to do. */
	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return 0;

	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
	 * bitmask based on the appraise/audit/measurement policy.
	 * Included is the appraise submask.
	 */
	action = ima_get_action(file_mnt_idmap(file), inode, cred, prop,
				mask, func, &pcr, &template_desc, NULL,
				&allowed_algos);
	/*
	 * Reader/writer violations are only tracked for the open and mmap
	 * hooks, only when measurement is in the policy at all, and only
	 * when this file is measured or is being opened for write.
	 */
	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
			    func == MMAP_CHECK_REQPROT) &&
			   (ima_policy_flag & IMA_MEASURE) &&
			   ((action & IMA_MEASURE) ||
			    (file->f_mode & FMODE_WRITE)));
	if (!action && !violation_check)
		return 0;

	/* Captured before @func may be rewritten below. */
	must_appraise = action & IMA_APPRAISE;

	/* Is the appraise rule hook specific? */
	if (action & IMA_FILE_APPRAISE)
		func = FILE_CHECK;

	inode_lock(inode);

	if (action) {
		iint = ima_inode_get(inode);
		if (!iint)
			rc = -ENOMEM;
	}

	/* iint is NULL here only when action == 0 (violation tracking alone). */
	if (!rc && violation_check)
		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
					 &pathbuf, &pathname, filename);
	inode_unlock(inode);

	if (rc)
		goto out;
	if (!action)
		goto out;

	mutex_lock(&iint->mutex);

	if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
		/*
		 * Reset appraisal flags (action and non-action rule-specific)
		 * if ima_inode_post_setattr was called.
		 */
		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
				 IMA_NONACTION_RULE_FLAGS);

	/*
	 * Re-evaluate the file if either the xattr has changed or the
	 * kernel has no way of detecting file change on the filesystem.
	 * (Limited to privileged mounted filesystems.)
	 */
	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
	    ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
	     !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
	     !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		iint->flags &= ~IMA_DONE_MASK;
		iint->measured_pcrs = 0;
	}

	/*
	 * On stacked filesystems, detect and re-evaluate file data and
	 * metadata changes.
	 */
	real_inode = d_real_inode(file_dentry(file));
	if (real_inode != inode &&
	    (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
		if (!IS_I_VERSION(real_inode) ||
		    integrity_inode_attrs_changed(&iint->real_inode,
						  real_inode)) {
			iint->flags &= ~IMA_DONE_MASK;
			iint->measured_pcrs = 0;
		}

		/*
		 * Reset the EVM status when metadata changed.
		 */
		metadata_inode = d_inode(d_real(file_dentry(file),
					 D_REAL_METADATA));
		if (evm_metadata_changed(inode, metadata_inode))
			iint->flags &= ~(IMA_APPRAISED |
					 IMA_APPRAISED_SUBMASK);
	}

	/* Determine if already appraised/measured based on bitmask
	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
	 * IMA_AUDIT, IMA_AUDITED)
	 */
	iint->flags |= action;
	action &= IMA_DO_MASK;
	/*
	 * Clear each action whose "done" flag is set. The >> 1 relies on
	 * every IMA_xxxED bit sitting one position above its IMA_xxx bit
	 * (IMA_MEASURED is handled separately via measured_pcrs below) —
	 * NOTE(review): confirm the flag layout in ima.h.
	 */
	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);

	/* If target pcr is already measured, unset IMA_MEASURE action */
	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
		action ^= IMA_MEASURE;

	/* HASH sets the digital signature and update flags, nothing else */
	if ((action & IMA_HASH) &&
	    !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
		xattr_len = ima_read_xattr(file_dentry(file),
					   &xattr_value, xattr_len);
		if ((xattr_value && xattr_len > 2) &&
		    (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
			set_bit(IMA_DIGSIG, &iint->atomic_flags);
		iint->flags |= IMA_HASHED;
		action ^= IMA_HASH;
		set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}

	/* Nothing to do, just return existing appraised status */
	if (!action) {
		if (must_appraise) {
			rc = mmap_violation_check(func, file, &pathbuf,
						  &pathname, filename);
			if (!rc)
				rc = ima_get_cache_status(iint, func);
		}
		goto out_locked;
	}

	if ((action & IMA_APPRAISE_SUBMASK) ||
	    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
		/* read 'security.ima' */
		xattr_len = ima_read_xattr(file_dentry(file),
					   &xattr_value, xattr_len);
		/*
		 * Read the appended modsig if allowed by the policy, and allow
		 * an additional measurement list entry, if needed, based on the
		 * template format and whether the file was already measured.
		 */
		if (iint->flags & IMA_MODSIG_ALLOWED) {
			rc = ima_read_modsig(func, buf, size, &modsig);

			if (!rc && ima_template_has_modsig(template_desc) &&
			    iint->flags & IMA_MEASURED)
				action |= IMA_MEASURE;
		}
	}

	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);

	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
	/*
	 * -EBADF and -EINVAL from collection do not abort: measurement and
	 * audit below still run with rc set, while appraisal (guarded by
	 * rc == 0) is skipped and the failure propagates to @must_appraise.
	 */
	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
		goto out_locked;

	/* Defer measuring/appraising kernel modules to READING_MODULE */
	if (read_id == READING_MODULE_COMPRESSED) {
		must_appraise = 0;
		goto out_locked;
	}

	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
		pathname = ima_d_path(&file->f_path, &pathbuf, filename);

	if (action & IMA_MEASURE)
		ima_store_measurement(iint, file, pathname,
				      xattr_value, xattr_len, modsig, pcr,
				      template_desc);
	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
		/* A blacklisted (-EPERM) digest is not appraised further. */
		rc = ima_check_blacklist(iint, modsig, pcr);
		if (rc != -EPERM) {
			inode_lock(inode);
			rc = ima_appraise_measurement(func, iint, file,
						      pathname, xattr_value,
						      xattr_len, modsig,
						      bprm_is_check);
			inode_unlock(inode);
		}
		if (!rc)
			rc = mmap_violation_check(func, file, &pathbuf,
						  &pathname, filename);
	}
	if (action & IMA_AUDIT)
		ima_audit_measurement(iint, pathname);

	/* Policy may explicitly tolerate O_DIRECT (IMA_PERMIT_DIRECTIO). */
	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
		rc = 0;

	/*
	 * Ensure the digest was generated using an allowed algorithm.
	 * NOTE(review): the 1U << hash_algo shift assumes hash_algo < 32;
	 * confirm HASH_ALGO__LAST fits in an unsigned int bitmask.
	 */
	if (rc == 0 && must_appraise && allowed_algos != 0 &&
	    (allowed_algos & (1U << hash_algo)) == 0) {
		rc = -EACCES;

		integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file),
				    pathname, "collect_data",
				    "denied-hash-algorithm", rc, 0);
	}
out_locked:
	/*
	 * A write to an existing file carrying a digital signature
	 * (IMA_DIGSIG) is refused; newly created files are exempt. Like
	 * every other rc here, this only denies when @must_appraise.
	 */
	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
	    !(iint->flags & IMA_NEW_FILE))
		rc = -EACCES;
	mutex_unlock(&iint->mutex);
	kfree(xattr_value);
	ima_free_modsig(modsig);
out:
	if (pathbuf)
		__putname(pathbuf);
	if (must_appraise) {
		/* Denial requires both an appraisal failure and enforcing mode. */
		if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;
		if (file->f_mode & FMODE_WRITE)
			set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}
	return 0;
}
/**
 * ima_file_mmap - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured (May be NULL)
 * @reqprot: protection requested by the application
 * @prot: protection that will be applied by the kernel
 * @flags: operational flags
 *
 * An executable mapping is checked under up to two hooks: MMAP_CHECK_REQPROT
 * when the caller requested PROT_EXEC, then MMAP_CHECK when the protection
 * the kernel will actually apply includes PROT_EXEC. A denial from the first
 * short-circuits the second. Anonymous mappings (NULL @file) and mappings
 * without PROT_EXEC are not measured.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
static int ima_file_mmap(struct file *file, unsigned long reqprot,
			 unsigned long prot, unsigned long flags)
{
	struct lsm_prop prop;
	int rc = 0;

	if (!file)
		return 0;

	security_current_getlsmprop_subj(&prop);

	if (reqprot & PROT_EXEC)
		rc = process_measurement(file, current_cred(), &prop, NULL,
					 0, MAY_EXEC, MMAP_CHECK_REQPROT, 0,
					 false);
	if (!rc && (prot & PROT_EXEC))
		rc = process_measurement(file, current_cred(), &prop, NULL,
					 0, MAY_EXEC, MMAP_CHECK, 0, false);

	return rc;
}
/**
 * ima_file_mprotect - based on policy, limit mprotect change
 * @vma: vm_area_struct protection is set to
 * @reqprot: protection requested by the application
 * @prot: protection that will be applied by the kernel
 *
 * A file can be mmap'ed read/write and later flipped to PROT_EXEC with
 * mprotect(2), bypassing the mmap-time measurement and appraisal. Because
 * of lock ordering (the mmap semaphore is held here and is taken before
 * i_mutex) the file cannot be measured or appraised at this point, so the
 * gap is closed by refusing to add PROT_EXEC to a mapping covered by an
 * mmap appraisal rule (MMAP_CHECK or MMAP_CHECK_REQPROT). A mapping that
 * is only in measurement policy is audited but allowed. Already-executable,
 * anonymous, or non-PROT_EXEC changes are ignored, as is everything when no
 * appraisal policy is loaded.
 *
 * On mprotect change success, return 0. On failure, return -EPERM.
 */
static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
			     unsigned long prot)
{
	struct ima_template_desc *template = NULL;
	struct file *file = vma->vm_file;
	char filename[NAME_MAX];
	char *pathbuf = NULL;
	const char *pathname = NULL;
	struct inode *inode;
	struct lsm_prop prop;
	int rc = 0;
	int action;
	int pcr;

	/* Is mprotect making an mmap'ed file executable? */
	if (!(ima_policy_flag & IMA_APPRAISE))
		return 0;
	if (!file || !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
		return 0;

	security_current_getlsmprop_subj(&prop);
	inode = file_inode(file);

	/* A rule under either mmap hook puts the file in policy. */
	action = ima_get_action(file_mnt_idmap(file), inode, current_cred(),
				&prop, MAY_EXEC, MMAP_CHECK, &pcr, &template,
				NULL, NULL);
	action |= ima_get_action(file_mnt_idmap(file), inode, current_cred(),
				 &prop, MAY_EXEC, MMAP_CHECK_REQPROT, &pcr,
				 &template, NULL, NULL);

	/* Is the mmap'ed file in policy? */
	if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK)))
		return 0;

	if (action & IMA_APPRAISE_SUBMASK)
		rc = -EPERM;

	pathname = ima_d_path(&file->f_path, &pathbuf, filename);
	integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, pathname,
			    "collect_data", "failed-mprotect", rc, 0);
	if (pathbuf)
		__putname(pathbuf);

	return rc;
}
/**
 * ima_bprm_check - based on policy, collect/store measurement.
 * @bprm: contains the linux_binprm structure
 *
 * The OS protects against an executable file, already open for write,
 * from being executed in deny_write_access() and an executable file,
 * already open for execute, from being modified in get_write_access().
 * So we can be certain that what we verify and measure here is actually
 * what is being executed.
 *
 * The check runs under the BPRM_CHECK hook with the current task's
 * credentials; bprm->is_check is forwarded so an AT_EXECVE_CHECK request
 * can be told apart from a real exec.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
static int ima_bprm_check(struct linux_binprm *bprm)
{
	struct lsm_prop prop;
	int rc;

	security_current_getlsmprop_subj(&prop);
	rc = process_measurement(bprm->file, current_cred(), &prop, NULL, 0,
				 MAY_EXEC, BPRM_CHECK, 0, bprm->is_check);
	return rc;
}
/**
 * ima_creds_check - based on policy, collect/store measurement.
 * @bprm: contains the linux_binprm structure
 * @file: contains the file descriptor of the binary being executed
 *
 * The OS protects against an executable file, already open for write,
 * from being executed in deny_write_access() and an executable file,
 * already open for execute, from being modified in get_write_access().
 * So we can be certain that what we verify and measure here is actually
 * what is being executed.
 *
 * The difference from ima_bprm_check() is that ima_creds_check() is invoked
 * only after determining the final binary to be executed without interpreter,
 * and not when searching for intermediate binaries. The reason is that since
 * commit 56305aa9b6fab ("exec: Compute file based creds only once"), the
 * credentials to be applied to the process are calculated only at that stage
 * (bprm_creds_from_file security hook instead of bprm_check_security).
 * Accordingly the policy is evaluated against bprm->cred, the credentials
 * the new image will run with, rather than current_cred().
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
static int ima_creds_check(struct linux_binprm *bprm, const struct file *file)
{
	/* The hook hands us a const file; process_measurement() takes non-const. */
	struct file *target = (struct file *)file;
	struct lsm_prop prop;

	security_current_getlsmprop_subj(&prop);
	return process_measurement(target, bprm->cred, &prop, NULL, 0,
				   MAY_EXEC, CREDS_CHECK, 0, false);
}
/**
 * ima_bprm_creds_for_exec - collect/store/appraise measurement.
 * @bprm: contains the linux_binprm structure
 *
 * Based on the IMA policy and the execveat(2) AT_EXECVE_CHECK flag, measure
 * and appraise the integrity of a file to be executed by script interpreters.
 * Unlike any of the other LSM hooks where the kernel enforces file integrity,
 * enforcing file integrity is left up to the discretion of the script
 * interpreter (userspace).
 *
 * Because security_bprm_check() is invoked repeatedly (for the script and
 * for the shebang interpreter), this hook restricts itself to the indirect
 * script execution case (e.g. ./sh example.sh) flagged by bprm->is_check and
 * defers to ima_bprm_check() for it; anything else is a no-op.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
static int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
{
	return bprm->is_check ? ima_bprm_check(bprm) : 0;
}
/**
 * ima_file_check - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured
 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
 *
 * Measure files based on the ima_must_measure() policy decision. Only the
 * read/write/exec/append bits of @mask are forwarded to the FILE_CHECK hook.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
static int ima_file_check(struct file *file, int mask)
{
	struct lsm_prop prop;
	int access = mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND);

	security_current_getlsmprop_subj(&prop);
	return process_measurement(file, current_cred(), &prop, NULL, 0,
				   access, FILE_CHECK, 0, false);
}
/*
 * __ima_inode_hash - fetch (or compute) the IMA file hash for an inode
 * @inode: inode whose hash is wanted
 * @file: open file used to compute the hash on demand, or NULL
 * @buf: destination for the digest, or NULL to only query the algorithm
 * @buf_size: capacity of @buf; the digest is truncated to fit
 *
 * Prefers the hash cached in the inode's iint (only consulted while a
 * policy is loaded, and only used if already IMA_COLLECTED). Otherwise,
 * given a @file, the hash is computed into a stack-local temporary iint
 * that is never published to the cache.
 *
 * Returns the hash algorithm on success, -EOPNOTSUPP if no hash is
 * available or could be computed.
 */
static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
			    size_t buf_size)
{
	struct ima_iint_cache *iint = NULL, tmp_iint;
	int rc, hash_algo;

	if (ima_policy_flag) {
		iint = ima_iint_find(inode);
		if (iint)
			mutex_lock(&iint->mutex);
	}

	if ((!iint || !(iint->flags & IMA_COLLECTED)) && file) {
		/* Release the cached entry; a fresh hash is computed instead. */
		if (iint)
			mutex_unlock(&iint->mutex);

		memset(&tmp_iint, 0, sizeof(tmp_iint));
		mutex_init(&tmp_iint.mutex);

		rc = ima_collect_measurement(&tmp_iint, file, NULL, 0,
					     ima_hash_algo, NULL);
		if (rc < 0) {
			/*
			 * ima_hash could be allocated in case of failure.
			 * NOTE(review): kfree(NULL) is a no-op, so the -ENOMEM
			 * exclusion only matters if ima_hash can be non-NULL on
			 * -ENOMEM — confirm against ima_collect_measurement().
			 */
			if (rc != -ENOMEM)
				kfree(tmp_iint.ima_hash);
			return -EOPNOTSUPP;
		}

		iint = &tmp_iint;
		mutex_lock(&iint->mutex);
	}

	if (!iint)
		return -EOPNOTSUPP;

	/*
	 * ima_file_hash can be called when ima_collect_measurement has still
	 * not been called, we might not always have a hash.
	 */
	if (!iint->ima_hash || !(iint->flags & IMA_COLLECTED)) {
		mutex_unlock(&iint->mutex);
		return -EOPNOTSUPP;
	}

	if (buf) {
		size_t copied_size;

		/* Silent truncation; callers should size for IMA_MAX_DIGEST_SIZE. */
		copied_size = min_t(size_t, iint->ima_hash->length, buf_size);
		memcpy(buf, iint->ima_hash->digest, copied_size);
	}
	hash_algo = iint->ima_hash->algo;
	mutex_unlock(&iint->mutex);

	/* Only the temporary entry owns its digest; the cached one keeps it. */
	if (iint == &tmp_iint)
		kfree(iint->ima_hash);

	return hash_algo;
}
/**
 * ima_file_hash - return a measurement of the file
 * @file: pointer to the file
 * @buf: buffer in which to store the hash
 * @buf_size: length of the buffer
 *
 * On success, return the hash algorithm (as defined in the enum hash_algo).
 * If buf is not NULL, this function also outputs the hash into buf.
 * If the hash is larger than buf_size, then only buf_size bytes will be copied.
 * It generally just makes sense to pass a buffer capable of holding the largest
 * possible hash: IMA_MAX_DIGEST_SIZE.
 * The file hash returned is based on the entire file, including the appended
 * signature. Unlike ima_inode_hash(), an open @file allows the hash to be
 * computed on demand when none is cached.
 *
 * If the measurement cannot be performed, return -EOPNOTSUPP.
 * If the parameters are incorrect, return -EINVAL.
 */
int ima_file_hash(struct file *file, char *buf, size_t buf_size)
{
	if (file)
		return __ima_inode_hash(file_inode(file), file, buf, buf_size);

	return -EINVAL;
}
EXPORT_SYMBOL_GPL(ima_file_hash);
/**
 * ima_inode_hash - return the stored measurement if the inode has been hashed
 * and is in the iint cache.
 * @inode: pointer to the inode
 * @buf: buffer in which to store the hash
 * @buf_size: length of the buffer
 *
 * On success, return the hash algorithm (as defined in the enum hash_algo).
 * If buf is not NULL, this function also outputs the hash into buf.
 * If the hash is larger than buf_size, then only buf_size bytes will be copied.
 * It generally just makes sense to pass a buffer capable of holding the largest
 * possible hash: IMA_MAX_DIGEST_SIZE.
 * The hash returned is based on the entire contents, including the appended
 * signature. With no file to read from, nothing is computed on demand: only
 * an already-cached hash can be returned.
 *
 * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP.
 * If the parameters are incorrect, return -EINVAL.
 */
int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size)
{
	return inode ? __ima_inode_hash(inode, NULL, buf, buf_size) : -EINVAL;
}
EXPORT_SYMBOL_GPL(ima_inode_hash);
/**
 * ima_post_create_tmpfile - mark newly created tmpfile as new
 * @idmap: idmap of the mount the inode was found from
 * @inode: inode of the newly created tmpfile
 *
 * No measuring, appraising or auditing of newly created tmpfiles is needed.
 * Skip calling process_measurement(), but indicate which newly, created
 * tmpfiles are in policy: a regular tmpfile that an appraisal rule covers
 * gets an iint entry flagged for a later xattr write and its file status
 * pre-set to INTEGRITY_PASS without any measurement having been taken.
 */
static void ima_post_create_tmpfile(struct mnt_idmap *idmap,
				    struct inode *inode)
{
	struct ima_iint_cache *iint;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return;

	if (!ima_must_appraise(idmap, inode, MAY_ACCESS, FILE_CHECK))
		return;

	iint = ima_inode_get(inode);
	if (!iint)
		return;	/* Nothing to do if we can't allocate memory */

	/* needed for writing the security xattrs */
	set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	iint->ima_file_status = INTEGRITY_PASS;
}
/**
 * ima_post_path_mknod - mark as a new inode
 * @idmap: idmap of the mount the inode was found from
 * @dentry: newly created dentry
 *
 * Mark files created via the mknodat syscall as new, so that the
 * file data can be written later. Only regular files covered by an
 * appraisal rule receive an iint entry; that entry is flagged
 * IMA_NEW_FILE so a later open of the still-empty file is not treated
 * as an appraisal failure.
 */
static void ima_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;
	struct ima_iint_cache *iint;

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return;

	if (!ima_must_appraise(idmap, inode, MAY_ACCESS, FILE_CHECK))
		return;

	iint = ima_inode_get(inode);
	if (!iint)
		return;	/* Nothing to do if we can't allocate memory */

	/* needed for re-opening empty files */
	iint->flags |= IMA_NEW_FILE;
}
/**
 * ima_read_file - pre-measure/appraise hook decision based on policy
 * @file: pointer to the file to be measured/appraised/audited
 * @read_id: caller identifier
 * @contents: whether a subsequent call will be made to ima_post_read_file()
 *
 * Permit reading a file based on policy. The policy rules are written
 * in terms of the policy identifier. Appraising the integrity of
 * a file requires a file descriptor.
 *
 * For permission return 0, otherwise return -EACCES.
 */
static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
			 bool contents)
{
	struct lsm_prop prop;
	enum ima_hooks func;

	/*
	 * Do devices using pre-allocated memory run the risk of the
	 * firmware being accessible to the device prior to the completion
	 * of IMA's signature verification any more than when using two
	 * buffers? It may be desirable to include the buffer address
	 * in this API and walk all the dma_map_single() mappings to check.
	 */

	/*
	 * When the caller will hand over a filled buffer later,
	 * ima_post_read_file() does the work; no early read is needed.
	 */
	if (contents)
		return 0;

	/* Read entire file for all partial reads. */
	func = read_idmap[read_id];
	if (!func)
		func = FILE_CHECK;

	security_current_getlsmprop_subj(&prop);
	return process_measurement(file, current_cred(), &prop, NULL, 0,
				   MAY_READ, func, 0, false);
}
/*
 * Maps a kernel_read_file_id to the IMA hook whose policy rules govern it.
 * Ids without an entry stay zero and the callers (ima_read_file() and
 * ima_post_read_file()) fall back to FILE_CHECK for them.
 */
const int read_idmap[READING_MAX_ID] = {
	[READING_POLICY]		= POLICY_CHECK,
	[READING_KEXEC_IMAGE]		= KEXEC_KERNEL_CHECK,
	[READING_KEXEC_INITRAMFS]	= KEXEC_INITRAMFS_CHECK,
	[READING_MODULE]		= MODULE_CHECK,
	[READING_MODULE_COMPRESSED]	= MODULE_CHECK,
	[READING_FIRMWARE]		= FIRMWARE_CHECK,
};
/**
 * ima_post_read_file - in memory collect/appraise/audit measurement
 * @file: pointer to the file to be measured/appraised/audited
 * @buf: pointer to in memory file contents
 * @size: size of in memory file contents
 * @read_id: caller identifier
 *
 * Measure/appraise/audit in memory file based on policy. Policy rules
 * are written in terms of a policy identifier.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
static int ima_post_read_file(struct file *file, char *buf, loff_t size,
			      enum kernel_read_file_id read_id)
{
	struct lsm_prop prop;
	enum ima_hooks func;
	bool missing_input;

	/* permit signed certs */
	if (read_id == READING_X509_CERTIFICATE && !file)
		return 0;

	/*
	 * A missing file or an empty buffer should never happen here. If it
	 * does, fail closed under enforcing appraisal and allow otherwise.
	 */
	missing_input = !file || !buf || size == 0;
	if (missing_input)
		return (ima_appraise & IMA_APPRAISE_ENFORCE) ? -EACCES : 0;

	func = read_idmap[read_id];
	if (!func)
		func = FILE_CHECK;

	security_current_getlsmprop_subj(&prop);
	return process_measurement(file, current_cred(), &prop, buf, size,
				   MAY_READ, func, read_id, false);
}
/**
 * ima_load_data - appraise decision based on policy
 * @id: kernel load data caller identifier
 * @contents: whether the full contents will be available in a later
 *	      call to ima_post_load_data().
 *
 * Callers of this LSM hook can not measure, appraise, or audit the
 * data provided by userspace. Enforce policy rules requiring a file
 * signature (eg. kexec'ed kernel image).
 *
 * For permission return 0, otherwise return -EACCES.
 */
static int ima_load_data(enum kernel_load_data_id id, bool contents)
{
	const bool enforcing =
		(ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;

	switch (id) {
	case LOADING_KEXEC_IMAGE:
		/*
		 * No file descriptor means no signature can be verified:
		 * refuse with secure boot (when CONFIG_KEXEC_SIG is built)
		 * or whenever kexec appraisal is enforced.
		 */
		if ((IS_ENABLED(CONFIG_KEXEC_SIG) && arch_ima_get_secureboot()) ||
		    (enforcing && (ima_appraise & IMA_APPRAISE_KEXEC))) {
			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
			return -EACCES; /* INTEGRITY_UNKNOWN */
		}
		return 0;
	case LOADING_FIRMWARE:
		/* !contents is the sysfs fallback path named in the message. */
		if (enforcing && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
			pr_err("Prevent firmware sysfs fallback loading.\n");
			return -EACCES; /* INTEGRITY_UNKNOWN */
		}
		return 0;
	case LOADING_MODULE: {
		/*
		 * Module signature enforcement by the module loader is
		 * accepted in place of IMA appraisal (hence the hint below).
		 */
		bool sig_enforce = is_module_sig_enforced();

		if (enforcing && !sig_enforce &&
		    (ima_appraise & IMA_APPRAISE_MODULES)) {
			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
			return -EACCES; /* INTEGRITY_UNKNOWN */
		}
		return 0;
	}
	default:
		return 0;
	}
}
/**
 * ima_post_load_data - appraise decision based on policy
 * @buf: pointer to in memory file contents
 * @size: size of in memory file contents
 * @load_id: kernel load data caller identifier
 * @description: @load_id-specific description of contents
 *
 * Measure/appraise/audit in memory buffer based on policy. Policy rules
 * are written in terms of a policy identifier.
 *
 * On success return 0. On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
static int ima_post_load_data(char *buf, loff_t size,
			      enum kernel_load_data_id load_id,
			      char *description)
{
	switch (load_id) {
	case LOADING_FIRMWARE:
		/*
		 * Firmware arriving through this path cannot be appraised;
		 * deny it when firmware appraisal is being enforced.
		 */
		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
			pr_err("Prevent firmware loading_store.\n");
			return -EACCES; /* INTEGRITY_UNKNOWN */
		}
		return 0;
	case LOADING_MODULE:
		/*
		 * Measure the init_module syscall buffer containing the ELF
		 * image. The measurement result does not affect the load.
		 */
		ima_measure_critical_data("modules", "init_module",
					  buf, size, true, NULL, 0);
		return 0;
	default:
		return 0;
	}
}
/**
 * process_buffer_measurement - Measure the buffer or the buffer data hash
 * @idmap: idmap of the mount the inode was found from
 * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
 * @buf: pointer to the buffer that needs to be added to the log.
 * @size: size of buffer(in bytes).
 * @eventname: event name to be used for the buffer entry.
 * @func: IMA hook
 * @pcr: pcr to extend the measurement
 * @func_data: func specific data, may be NULL
 * @buf_hash: measure buffer data hash
 * @digest: buffer digest will be written to
 * @digest_len: buffer length
 *
 * Based on policy, either the buffer data or buffer data hash is measured
 *
 * Return: 0 if the buffer has been successfully measured, 1 if the digest
 * has been written to the passed location but not added to a measurement entry,
 * a negative value otherwise.
 */
int process_buffer_measurement(struct mnt_idmap *idmap,
			       struct inode *inode, const void *buf, int size,
			       const char *eventname, enum ima_hooks func,
			       int pcr, const char *func_data,
			       bool buf_hash, u8 *digest, size_t digest_len)
{
	int ret = 0;
	const char *audit_cause = "ENOMEM";
	struct ima_template_entry *entry = NULL;
	/* Stack-local iint: a buffer measurement is not tied to a cached inode */
	struct ima_iint_cache iint = {};
	struct ima_event_data event_data = {.iint = &iint,
					    .filename = eventname,
					    .buf = buf,
					    .buf_len = size};
	struct ima_template_desc *template;
	struct ima_max_digest_data hash;
	struct ima_digest_data *hash_hdr = container_of(&hash.hdr,
						struct ima_digest_data, hdr);
	char digest_hash[IMA_MAX_DIGEST_SIZE];
	int digest_hash_len = hash_digest_size[ima_hash_algo];
	int violation = 0;
	int action = 0;
	struct lsm_prop prop;

	/* The caller's digest buffer must hold a full ima_hash_algo digest */
	if (digest && digest_len < digest_hash_len)
		return -EINVAL;

	/* No policy loaded: only worth continuing if a digest was requested */
	if (!ima_policy_flag && !digest)
		return -ENOENT;

	template = ima_template_desc_buf();
	if (!template) {
		ret = -EINVAL;
		audit_cause = "ima_template_desc_buf";
		goto out;
	}

	/*
	 * Both LSM hooks and auxiliary based buffer measurements are
	 * based on policy. To avoid code duplication, differentiate
	 * between the LSM hooks and auxiliary buffer measurements,
	 * retrieving the policy rule information only for the LSM hook
	 * buffer measurements.
	 */
	if (func) {
		security_current_getlsmprop_subj(&prop);
		/* pcr and template are passed by address for the rule to update */
		action = ima_get_action(idmap, inode, current_cred(),
					&prop, 0, func, &pcr, &template,
					func_data, NULL);
		if (!(action & IMA_MEASURE) && !digest)
			return -ENOENT;
	}

	if (!pcr)
		pcr = CONFIG_IMA_MEASURE_PCR_IDX;

	iint.ima_hash = hash_hdr;
	iint.ima_hash->algo = ima_hash_algo;
	iint.ima_hash->length = hash_digest_size[ima_hash_algo];

	ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
	if (ret < 0) {
		audit_cause = "hashing_error";
		goto out;
	}

	if (buf_hash) {
		/* Log the hash of the buffer's digest rather than the buffer itself */
		memcpy(digest_hash, hash_hdr->digest, digest_hash_len);

		ret = ima_calc_buffer_hash(digest_hash, digest_hash_len,
					   iint.ima_hash);
		if (ret < 0) {
			audit_cause = "hashing_error";
			goto out;
		}

		event_data.buf = digest_hash;
		event_data.buf_len = digest_hash_len;
	}

	/* Hand back the (possibly re-hashed) digest before deciding whether to log */
	if (digest)
		memcpy(digest, iint.ima_hash->digest, digest_hash_len);

	/* Digest produced but no measurement entry wanted by policy */
	if (!ima_policy_flag || (func && !(action & IMA_MEASURE)))
		return 1;

	ret = ima_alloc_init_template(&event_data, &entry, template);
	if (ret < 0) {
		audit_cause = "alloc_entry";
		goto out;
	}

	ret = ima_store_template(entry, violation, NULL, event_data.buf, pcr);
	if (ret < 0) {
		audit_cause = "store_entry";
		/* entry is still ours on failure; release it here */
		ima_free_template_entry(entry);
	}

out:
	/* Every failure path is audited with the cause recorded above */
	if (ret < 0)
		integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, eventname,
					func_measure_str(func),
					audit_cause, ret, 0, ret);

	return ret;
}
/**
 * ima_kexec_cmdline - measure kexec cmdline boot args
 * @kernel_fd: file descriptor of the kexec kernel being loaded
 * @buf: pointer to buffer
 * @size: size of buffer
 *
 * Buffers can only be measured, not appraised.
 */
void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
{
	struct file *kernel_file;

	if (buf == NULL || size == 0)
		return;

	/* Scoped fd reference: dropped automatically when this function returns */
	CLASS(fd, f)(kernel_fd);
	if (fd_empty(f))
		return;

	kernel_file = fd_file(f);

	/* Void hook: the measurement result cannot be reported to the caller */
	process_buffer_measurement(file_mnt_idmap(kernel_file),
				   file_inode(kernel_file), buf, size,
				   "kexec-cmdline", KEXEC_CMDLINE, 0,
				   NULL, false, NULL, 0);
}
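/**
 * ima_measure_critical_data - measure kernel integrity critical data
 * @event_label: unique event label for grouping and limiting critical data
 * @event_name: event name for the record in the IMA measurement list
 * @buf: pointer to buffer data
 * @buf_len: length of buffer data (in bytes)
 * @hash: measure buffer data hash
 * @digest: buffer digest will be written to
 * @digest_len: buffer length
 *
 * Measure data critical to the integrity of the kernel into the IMA log
 * and extend the pcr. Examples of critical data could be various data
 * structures, policies, and states stored in kernel memory that can
 * impact the integrity of the system.
 *
 * Return: 0 if the buffer has been successfully measured, 1 if the digest
 * has been written to the passed location but not added to a measurement entry,
 * -ENOPARAM if a required argument is missing, -EINVAL if @buf_len does not
 * fit the int length taken by process_buffer_measurement(), a negative value
 * otherwise.
 */
int ima_measure_critical_data(const char *event_label,
			      const char *event_name,
			      const void *buf, size_t buf_len,
			      bool hash, u8 *digest, size_t digest_len)
{
	if (!event_name || !event_label || !buf || !buf_len)
		return -ENOPARAM;

	/*
	 * process_buffer_measurement() takes the length as an int. Reject
	 * lengths that would be truncated or turn negative there instead of
	 * hashing a mis-sized buffer.
	 */
	if (buf_len > INT_MAX)
		return -EINVAL;

	return process_buffer_measurement(&nop_mnt_idmap, NULL, buf, buf_len,
					  event_name, CRITICAL_DATA, 0,
					  event_label, hash, digest,
					  digest_len);
}
EXPORT_SYMBOL_GPL(ima_measure_critical_data);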
  1055. #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
/**
 * ima_kernel_module_request - Prevent crypto-pkcs1(rsa,*) requests
 * @kmod_name: kernel module name
 *
 * Avoid a verification loop where verifying the signature of the modprobe
 * binary requires executing modprobe itself. Since the modprobe iint->mutex
 * is already held when the signature verification is performed, a deadlock
 * occurs as soon as modprobe is executed within the critical region, since
 * the same lock cannot be taken again.
 *
 * This happens when public_key_verify_signature(), in case of RSA algorithm,
 * use alg_name to store internal information in order to construct an
 * algorithm on the fly, but crypto_larval_lookup() will try to use alg_name
 * in order to load a kernel module with same name.
 *
 * Since we don't have any real "crypto-pkcs1(rsa,*)" kernel modules,
 * we are safe to fail such module request from crypto_larval_lookup(), and
 * avoid the verification loop.
 *
 * Return: Zero if it is safe to load the kernel module, -EINVAL otherwise.
 */
static int ima_kernel_module_request(char *kmod_name)
{
	static const char blocked_prefix[] = "crypto-pkcs1(rsa,";
	const size_t prefix_len = sizeof(blocked_prefix) - 1;

	if (strncmp(kmod_name, blocked_prefix, prefix_len) != 0)
		return 0;

	/* An algorithm alias, not a real module: refuse the request. */
	return -EINVAL;
}
  1083. #endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */
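/*
 * init_ima - late initcall bringing up IMA once the TPM is available
 *
 * Returns 0 on success, or when IMA is deliberately disabled in a kdump
 * kernel; otherwise the error from ima_init() or from registering the LSM
 * policy notifier.
 */
static int __init init_ima(void)
{
	int error;

	/* Note that turning IMA off is intentionally limited to kdump kernel. */
	if (ima_disabled && is_kdump_kernel()) {
		/* Terminate the log line; the original lacked the newline. */
		pr_info("IMA functionality is disabled\n");
		return 0;
	}

	ima_appraise_parse_cmdline();
	ima_init_template_list();
	hash_setup(CONFIG_IMA_DEFAULT_HASH);
	error = ima_init();

	/*
	 * The requested hash algorithm may be unavailable; retry with the
	 * configured default. hash_setup_done is cleared so the second
	 * hash_setup() takes effect — presumably hash_setup() latches on it,
	 * confirm against its definition.
	 */
	if (error && strcmp(hash_algo_name[ima_hash_algo],
			    CONFIG_IMA_DEFAULT_HASH) != 0) {
		pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
			hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
		hash_setup_done = 0;
		hash_setup(CONFIG_IMA_DEFAULT_HASH);
		error = ima_init();
	}

	if (error)
		return error;

	error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
	if (error) {
		pr_warn("Couldn't register LSM notifier, error %d\n", error);
		return error;
	}

	/* Derive the policy flags only once the notifier is in place. */
	ima_update_policy_flags();
	return 0;
}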
/*
 * Hook table handed to security_add_hooks() by init_ima_lsm(). Entries must
 * stay under the same CONFIG_* guards as the handlers they name (see
 * ima_kernel_module_request() above).
 */
static struct security_hook_list ima_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
	LSM_HOOK_INIT(bprm_creds_for_exec, ima_bprm_creds_for_exec),
	LSM_HOOK_INIT(bprm_creds_from_file, ima_creds_check),
	LSM_HOOK_INIT(file_post_open, ima_file_check),
	LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile),
	LSM_HOOK_INIT(file_release, ima_file_free),
	LSM_HOOK_INIT(mmap_file, ima_file_mmap),
	LSM_HOOK_INIT(file_mprotect, ima_file_mprotect),
	LSM_HOOK_INIT(kernel_load_data, ima_load_data),
	LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data),
	LSM_HOOK_INIT(kernel_read_file, ima_read_file),
	LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file),
	LSM_HOOK_INIT(path_post_mknod, ima_post_path_mknod),
#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
	LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update),
#endif
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
	LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request),
#endif
	LSM_HOOK_INIT(inode_free_security_rcu, ima_inode_free_rcu),
};
/* Identity IMA presents to the LSM framework: its id and its name. */
static const struct lsm_id ima_lsmid = {
	.id	= LSM_ID_IMA,
	.name	= "ima",
};
/*
 * init_ima_lsm - register IMA with the LSM framework
 *
 * Wired in as .init by DEFINE_LSM(ima), with init_ima() as the late
 * initcall. Sets up the iint cache, installs the hook table and hands the
 * LSM id to the appraisal code. Always returns 0.
 */
static int __init init_ima_lsm(void)
{
	const int nr_hooks = ARRAY_SIZE(ima_hooks);

	ima_iintcache_init();
	security_add_hooks(ima_hooks, nr_hooks, &ima_lsmid);
	init_ima_appraise_lsm(&ima_lsmid);

	return 0;
}
/* Per-inode security blob for IMA: room for one struct ima_iint_cache pointer. */
struct lsm_blob_sizes ima_blob_sizes __ro_after_init = {
	.lbs_inode = sizeof(struct ima_iint_cache *),
};
/* Register IMA as an LSM; it is ordered last among the LSMs. */
DEFINE_LSM(ima) = {
	.id		= &ima_lsmid,
	.order		= LSM_ORDER_LAST,
	.blobs		= &ima_blob_sizes,
	.init		= init_ima_lsm,
	/* Start IMA after the TPM is available */
	.initcall_late	= init_ima,
};