1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2008 IBM Corporation
8 * Implements must_appraise_or_measure, collect_measurement,
9 * appraise_measurement, store_measurement and store_template.
11 #include <linux/slab.h>
12 #include <linux/file.h>
14 #include <linux/xattr.h>
15 #include <linux/evm.h>
16 #include <linux/fsverity.h>
21 * ima_free_template_entry - free an existing template entry
23 void ima_free_template_entry(struct ima_template_entry *entry)
27 for (i = 0; i < entry->template_desc->num_fields; i++)
28 kfree(entry->template_data[i].data);
30 kfree(entry->digests);
35 * ima_alloc_init_template - create and initialize a new template entry
37 int ima_alloc_init_template(struct ima_event_data *event_data,
38 struct ima_template_entry **entry,
39 struct ima_template_desc *desc)
41 struct ima_template_desc *template_desc;
42 struct tpm_digest *digests;
48 template_desc = ima_template_desc_current();
50 *entry = kzalloc(struct_size(*entry, template_data,
51 template_desc->num_fields), GFP_NOFS);
55 digests = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots,
56 sizeof(*digests), GFP_NOFS);
63 (*entry)->digests = digests;
64 (*entry)->template_desc = template_desc;
65 for (i = 0; i < template_desc->num_fields; i++) {
66 const struct ima_template_field *field =
67 template_desc->fields[i];
70 result = field->field_init(event_data,
71 &((*entry)->template_data[i]));
75 len = (*entry)->template_data[i].len;
76 (*entry)->template_data_len += sizeof(len);
77 (*entry)->template_data_len += len;
81 ima_free_template_entry(*entry);
87 * ima_store_template - store ima template measurements
89 * Calculate the hash of a template entry, add the template entry
90 * to an ordered list of measurement entries maintained inside the kernel,
91 * and also update the aggregate integrity value (maintained inside the
92 * configured TPM PCR) over the hashes of the current list of measurement
95 * Applications retrieve the current kernel-held measurement list through
96 * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
97 * TPM PCR (called quote) can be retrieved using a TPM user space library
98 * and is used to validate the measurement list.
100 * Returns 0 on success, error code otherwise
102 int ima_store_template(struct ima_template_entry *entry,
103 int violation, struct inode *inode,
104 const unsigned char *filename, int pcr)
106 static const char op[] = "add_template_measure";
107 static const char audit_cause[] = "hashing_error";
108 char *template_name = entry->template_desc->name;
112 result = ima_calc_field_array_hash(&entry->template_data[0],
115 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
117 audit_cause, result, 0);
122 result = ima_add_template_entry(entry, violation, op, inode, filename);
127 * ima_add_violation - add violation to measurement list.
129 * Violations are flagged in the measurement list with zero hash values.
130 * By extending the PCR with 0xFF's instead of with zeroes, the PCR
131 * value is invalidated.
133 void ima_add_violation(struct file *file, const unsigned char *filename,
134 struct ima_iint_cache *iint, const char *op,
137 struct ima_template_entry *entry;
138 struct inode *inode = file_inode(file);
139 struct ima_event_data event_data = { .iint = iint,
141 .filename = filename,
142 .violation = cause };
146 /* can overflow, only indicator */
147 atomic_long_inc(&ima_htable.violations);
149 result = ima_alloc_init_template(&event_data, &entry, NULL);
154 result = ima_store_template(entry, violation, inode,
155 filename, CONFIG_IMA_MEASURE_PCR_IDX);
157 ima_free_template_entry(entry);
159 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
160 op, cause, result, 0);
164 * ima_get_action - appraise & measure decision based on policy.
165 * @idmap: idmap of the mount the inode was found from
166 * @inode: pointer to the inode associated with the object being validated
167 * @cred: pointer to credentials structure to validate
168 * @prop: properties of the task being validated
169 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
171 * @func: caller identifier
172 * @pcr: pointer filled in if matched measure policy sets pcr=
173 * @template_desc: pointer filled in if matched measure policy sets template=
174 * @func_data: func specific data, may be NULL
175 * @allowed_algos: allowlist of hash algorithms for the IMA xattr
177 * The policy is defined in terms of keypairs:
178 * subj=, obj=, type=, func=, mask=, fsmagic=
179 * subj,obj, and type: are LSM specific.
180 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
181 * | KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA | SETXATTR_CHECK
182 * | MMAP_CHECK_REQPROT
183 * mask: contains the permission mask
186 * Returns IMA_MEASURE, IMA_APPRAISE mask.
189 int ima_get_action(struct mnt_idmap *idmap, struct inode *inode,
190 const struct cred *cred, struct lsm_prop *prop, int mask,
191 enum ima_hooks func, int *pcr,
192 struct ima_template_desc **template_desc,
193 const char *func_data, unsigned int *allowed_algos)
195 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
197 flags &= ima_policy_flag;
199 return ima_match_policy(idmap, inode, cred, prop, func, mask,
200 flags, pcr, template_desc, func_data,
204 static bool ima_get_verity_digest(struct ima_iint_cache *iint,
206 struct ima_max_digest_data *hash)
212 * On failure, 'measure' policy rules will result in a file data
213 * hash containing 0's.
215 digest_len = fsverity_get_digest(inode, hash->digest, NULL, &alg);
220 * Unlike in the case of actually calculating the file hash, in
221 * the fsverity case regardless of the hash algorithm, return
222 * the verity digest to be included in the measurement list. A
223 * mismatch between the verity algorithm and the xattr signature
224 * algorithm, if one exists, will be detected later.
226 hash->hdr.algo = alg;
227 hash->hdr.length = digest_len;
232 * ima_collect_measurement - collect file measurement
234 * Calculate the file hash, if it doesn't already exist,
235 * storing the measurement and i_version in the iint.
237 * Must be called with iint->mutex held.
239 * Return 0 on success, error code otherwise
241 int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
242 void *buf, loff_t size, enum hash_algo algo,
243 struct modsig *modsig)
245 const char *audit_cause = "failed";
246 struct inode *inode = file_inode(file);
247 struct inode *real_inode = d_real_inode(file_dentry(file));
248 struct ima_max_digest_data hash;
249 struct ima_digest_data *hash_hdr = container_of(&hash.hdr,
250 struct ima_digest_data, hdr);
251 struct name_snapshot filename;
259 * Always collect the modsig, because IMA might have already collected
260 * the file digest without collecting the modsig in a previous
264 ima_collect_modsig(modsig, buf, size);
266 if (iint->flags & IMA_COLLECTED)
270 * Detecting file change is based on i_version. On filesystems
271 * which do not support i_version, support was originally limited
272 * to an initial measurement/appraisal/audit, but was modified to
273 * assume the file changed.
275 result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
276 AT_STATX_SYNC_AS_STAT);
277 if (!result && (stat.result_mask & STATX_CHANGE_COOKIE))
278 i_version = stat.change_cookie;
279 hash.hdr.algo = algo;
280 hash.hdr.length = hash_digest_size[algo];
282 /* Initialize hash digest to 0's in case of failure */
283 memset(&hash.digest, 0, sizeof(hash.digest));
285 if (iint->flags & IMA_VERITY_REQUIRED) {
286 if (!ima_get_verity_digest(iint, inode, &hash)) {
287 audit_cause = "no-verity-digest";
291 result = ima_calc_buffer_hash(buf, size, hash_hdr);
293 result = ima_calc_file_hash(file, hash_hdr);
296 if (result && result != -EBADF && result != -EINVAL)
299 length = sizeof(hash.hdr) + hash.hdr.length;
300 tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
306 iint->ima_hash = tmpbuf;
307 memcpy(iint->ima_hash, &hash, length);
308 if (real_inode == inode)
309 iint->real_inode.version = i_version;
311 integrity_inode_attrs_store(&iint->real_inode, i_version,
314 /* Possibly temporary failure due to type of read (eg. O_DIRECT) */
316 iint->flags |= IMA_COLLECTED;
319 if (file->f_flags & O_DIRECT)
320 audit_cause = "failed(directio)";
322 take_dentry_name_snapshot(&filename, file->f_path.dentry);
324 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
325 filename.name.name, "collect_data",
326 audit_cause, result, 0);
328 release_dentry_name_snapshot(&filename);
334 * ima_store_measurement - store file measurement
336 * Create an "ima" template and then store the template by calling
337 * ima_store_template.
339 * We only get here if the inode has not already been measured,
340 * but the measurement could already exist:
341 * - multiple copies of the same file on either the same or
342 * different filesystems.
343 * - the inode was previously flushed as well as the iint info,
344 * containing the hashing info.
346 * Must be called with iint->mutex held.
348 void ima_store_measurement(struct ima_iint_cache *iint, struct file *file,
349 const unsigned char *filename,
350 struct evm_ima_xattr_data *xattr_value,
351 int xattr_len, const struct modsig *modsig, int pcr,
352 struct ima_template_desc *template_desc)
354 static const char op[] = "add_template_measure";
355 static const char audit_cause[] = "ENOMEM";
356 int result = -ENOMEM;
357 struct inode *inode = file_inode(file);
358 struct ima_template_entry *entry;
359 struct ima_event_data event_data = { .iint = iint,
361 .filename = filename,
362 .xattr_value = xattr_value,
363 .xattr_len = xattr_len,
368 * We still need to store the measurement in the case of MODSIG because
369 * we only have its contents to put in the list at the time of
370 * appraisal, but a file measurement from earlier might already exist in
371 * the measurement list.
373 if (iint->measured_pcrs & (0x1 << pcr) && !modsig)
376 result = ima_alloc_init_template(&event_data, &entry, template_desc);
378 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
379 op, audit_cause, result, 0);
383 result = ima_store_template(entry, violation, inode, filename, pcr);
384 if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
385 iint->flags |= IMA_MEASURED;
386 iint->measured_pcrs |= (0x1 << pcr);
389 ima_free_template_entry(entry);
392 void ima_audit_measurement(struct ima_iint_cache *iint,
393 const unsigned char *filename)
395 struct audit_buffer *ab;
397 const char *algo_name = hash_algo_name[iint->ima_hash->algo];
400 if (iint->flags & IMA_AUDITED)
403 hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL);
407 for (i = 0; i < iint->ima_hash->length; i++)
408 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
411 ab = audit_log_start(audit_context(), GFP_KERNEL,
412 AUDIT_INTEGRITY_RULE);
416 audit_log_format(ab, "file=");
417 audit_log_untrustedstring(ab, filename);
418 audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash);
420 audit_log_task_info(ab);
423 iint->flags |= IMA_AUDITED;
430 * ima_d_path - return a pointer to the full pathname
432 * Attempt to return a pointer to the full pathname for use in the
433 * IMA measurement list, IMA audit records, and auditing logs.
435 * On failure, return a pointer to a copy of the filename, not dname.
436 * Returning a pointer to dname, could result in using the pointer
437 * after the memory has been freed.
439 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
441 struct name_snapshot filename;
442 char *pathname = NULL;
444 *pathbuf = __getname();
446 pathname = d_absolute_path(path, *pathbuf, PATH_MAX);
447 if (IS_ERR(pathname)) {
455 take_dentry_name_snapshot(&filename, path->dentry);
456 strscpy(namebuf, filename.name.name, NAME_MAX);
457 release_dentry_name_snapshot(&filename);
projects / J-linux.git / blob