1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2008 IBM Corporation 4 * 5 * Author: Mimi Zohar <zohar@us.ibm.com> 6 * 7 * File: ima_api.c 8 * Implements must_appraise_or_measure, collect_measurement, 9 * appraise_measurement, store_measurement and store_template. 10 */ 11 #include <linux/slab.h> 12 #include <linux/file.h> 13 #include <linux/fs.h> 14 #include <linux/xattr.h> 15 #include <linux/evm.h> 16 #include <linux/iversion.h> 17 18 #include "ima.h" 19 20 /* 21 * ima_free_template_entry - free an existing template entry 22 */ 23 void ima_free_template_entry(struct ima_template_entry *entry) 24 { 25 int i; 26 27 for (i = 0; i < entry->template_desc->num_fields; i++) 28 kfree(entry->template_data[i].data); 29 30 kfree(entry); 31 } 32 33 /* 34 * ima_alloc_init_template - create and initialize a new template entry 35 */ 36 int ima_alloc_init_template(struct ima_event_data *event_data, 37 struct ima_template_entry **entry) 38 { 39 struct ima_template_desc *template_desc = ima_template_desc_current(); 40 int i, result = 0; 41 42 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields * 43 sizeof(struct ima_field_data), GFP_NOFS); 44 if (!*entry) 45 return -ENOMEM; 46 47 (*entry)->template_desc = template_desc; 48 for (i = 0; i < template_desc->num_fields; i++) { 49 const struct ima_template_field *field = 50 template_desc->fields[i]; 51 u32 len; 52 53 result = field->field_init(event_data, 54 &((*entry)->template_data[i])); 55 if (result != 0) 56 goto out; 57 58 len = (*entry)->template_data[i].len; 59 (*entry)->template_data_len += sizeof(len); 60 (*entry)->template_data_len += len; 61 } 62 return 0; 63 out: 64 ima_free_template_entry(*entry); 65 *entry = NULL; 66 return result; 67 } 68 69 /* 70 * ima_store_template - store ima template measurements 71 * 72 * Calculate the hash of a template entry, add the template entry 73 * to an ordered list of measurement entries maintained inside the kernel, 74 * and also update the aggregate integrity value (maintained inside the 75 * configured TPM PCR) over the hashes of the current list of measurement 76 * entries. 77 * 78 * Applications retrieve the current kernel-held measurement list through 79 * the securityfs entries in /sys/kernel/security/ima. The signed aggregate 80 * TPM PCR (called quote) can be retrieved using a TPM user space library 81 * and is used to validate the measurement list. 82 * 83 * Returns 0 on success, error code otherwise 84 */ 85 int ima_store_template(struct ima_template_entry *entry, 86 int violation, struct inode *inode, 87 const unsigned char *filename, int pcr) 88 { 89 static const char op[] = "add_template_measure"; 90 static const char audit_cause[] = "hashing_error"; 91 char *template_name = entry->template_desc->name; 92 int result; 93 struct { 94 struct ima_digest_data hdr; 95 char digest[TPM_DIGEST_SIZE]; 96 } hash; 97 98 if (!violation) { 99 int num_fields = entry->template_desc->num_fields; 100 101 /* this function uses default algo */ 102 hash.hdr.algo = HASH_ALGO_SHA1; 103 result = ima_calc_field_array_hash(&entry->template_data[0], 104 entry->template_desc, 105 num_fields, &hash.hdr); 106 if (result < 0) { 107 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 108 template_name, op, 109 audit_cause, result, 0); 110 return result; 111 } 112 memcpy(entry->digest, hash.hdr.digest, hash.hdr.length); 113 } 114 entry->pcr = pcr; 115 result = ima_add_template_entry(entry, violation, op, inode, filename); 116 return result; 117 } 118 119 /* 120 * ima_add_violation - add violation to measurement list. 121 * 122 * Violations are flagged in the measurement list with zero hash values. 123 * By extending the PCR with 0xFF's instead of with zeroes, the PCR 124 * value is invalidated. 125 */ 126 void ima_add_violation(struct file *file, const unsigned char *filename, 127 struct integrity_iint_cache *iint, 128 const char *op, const char *cause) 129 { 130 struct ima_template_entry *entry; 131 struct inode *inode = file_inode(file); 132 struct ima_event_data event_data = {iint, file, filename, NULL, 0, 133 cause}; 134 int violation = 1; 135 int result; 136 137 /* can overflow, only indicator */ 138 atomic_long_inc(&ima_htable.violations); 139 140 result = ima_alloc_init_template(&event_data, &entry); 141 if (result < 0) { 142 result = -ENOMEM; 143 goto err_out; 144 } 145 result = ima_store_template(entry, violation, inode, 146 filename, CONFIG_IMA_MEASURE_PCR_IDX); 147 if (result < 0) 148 ima_free_template_entry(entry); 149 err_out: 150 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 151 op, cause, result, 0); 152 } 153 154 /** 155 * ima_get_action - appraise & measure decision based on policy. 156 * @inode: pointer to inode to measure 157 * @cred: pointer to credentials structure to validate 158 * @secid: secid of the task being validated 159 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, 160 * MAY_APPEND) 161 * @func: caller identifier 162 * @pcr: pointer filled in if matched measure policy sets pcr= 163 * 164 * The policy is defined in terms of keypairs: 165 * subj=, obj=, type=, func=, mask=, fsmagic= 166 * subj,obj, and type: are LSM specific. 167 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK 168 * mask: contains the permission mask 169 * fsmagic: hex value 170 * 171 * Returns IMA_MEASURE, IMA_APPRAISE mask. 172 * 173 */ 174 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, 175 int mask, enum ima_hooks func, int *pcr) 176 { 177 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; 178 179 flags &= ima_policy_flag; 180 181 return ima_match_policy(inode, cred, secid, func, mask, flags, pcr); 182 } 183 184 /* 185 * ima_collect_measurement - collect file measurement 186 * 187 * Calculate the file hash, if it doesn't already exist, 188 * storing the measurement and i_version in the iint. 189 * 190 * Must be called with iint->mutex held. 191 * 192 * Return 0 on success, error code otherwise 193 */ 194 int ima_collect_measurement(struct integrity_iint_cache *iint, 195 struct file *file, void *buf, loff_t size, 196 enum hash_algo algo) 197 { 198 const char *audit_cause = "failed"; 199 struct inode *inode = file_inode(file); 200 const char *filename = file->f_path.dentry->d_name.name; 201 int result = 0; 202 int length; 203 void *tmpbuf; 204 u64 i_version; 205 struct { 206 struct ima_digest_data hdr; 207 char digest[IMA_MAX_DIGEST_SIZE]; 208 } hash; 209 210 if (iint->flags & IMA_COLLECTED) 211 goto out; 212 213 /* 214 * Dectecting file change is based on i_version. On filesystems 215 * which do not support i_version, support is limited to an initial 216 * measurement/appraisal/audit. 217 */ 218 i_version = inode_query_iversion(inode); 219 hash.hdr.algo = algo; 220 221 /* Initialize hash digest to 0's in case of failure */ 222 memset(&hash.digest, 0, sizeof(hash.digest)); 223 224 if (buf) 225 result = ima_calc_buffer_hash(buf, size, &hash.hdr); 226 else 227 result = ima_calc_file_hash(file, &hash.hdr); 228 229 if (result && result != -EBADF && result != -EINVAL) 230 goto out; 231 232 length = sizeof(hash.hdr) + hash.hdr.length; 233 tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS); 234 if (!tmpbuf) { 235 result = -ENOMEM; 236 goto out; 237 } 238 239 iint->ima_hash = tmpbuf; 240 memcpy(iint->ima_hash, &hash, length); 241 iint->version = i_version; 242 243 /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ 244 if (!result) 245 iint->flags |= IMA_COLLECTED; 246 out: 247 if (result) { 248 if (file->f_flags & O_DIRECT) 249 audit_cause = "failed(directio)"; 250 251 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, 252 filename, "collect_data", audit_cause, 253 result, 0); 254 } 255 return result; 256 } 257 258 /* 259 * ima_store_measurement - store file measurement 260 * 261 * Create an "ima" template and then store the template by calling 262 * ima_store_template. 263 * 264 * We only get here if the inode has not already been measured, 265 * but the measurement could already exist: 266 * - multiple copies of the same file on either the same or 267 * different filesystems. 268 * - the inode was previously flushed as well as the iint info, 269 * containing the hashing info. 270 * 271 * Must be called with iint->mutex held. 272 */ 273 void ima_store_measurement(struct integrity_iint_cache *iint, 274 struct file *file, const unsigned char *filename, 275 struct evm_ima_xattr_data *xattr_value, 276 int xattr_len, int pcr) 277 { 278 static const char op[] = "add_template_measure"; 279 static const char audit_cause[] = "ENOMEM"; 280 int result = -ENOMEM; 281 struct inode *inode = file_inode(file); 282 struct ima_template_entry *entry; 283 struct ima_event_data event_data = {iint, file, filename, xattr_value, 284 xattr_len, NULL}; 285 int violation = 0; 286 287 if (iint->measured_pcrs & (0x1 << pcr)) 288 return; 289 290 result = ima_alloc_init_template(&event_data, &entry); 291 if (result < 0) { 292 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 293 op, audit_cause, result, 0); 294 return; 295 } 296 297 result = ima_store_template(entry, violation, inode, filename, pcr); 298 if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) { 299 iint->flags |= IMA_MEASURED; 300 iint->measured_pcrs |= (0x1 << pcr); 301 } 302 if (result < 0) 303 ima_free_template_entry(entry); 304 } 305 306 void ima_audit_measurement(struct integrity_iint_cache *iint, 307 const unsigned char *filename) 308 { 309 struct audit_buffer *ab; 310 char *hash; 311 const char *algo_name = hash_algo_name[iint->ima_hash->algo]; 312 int i; 313 314 if (iint->flags & IMA_AUDITED) 315 return; 316 317 hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL); 318 if (!hash) 319 return; 320 321 for (i = 0; i < iint->ima_hash->length; i++) 322 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]); 323 hash[i * 2] = '\0'; 324 325 ab = audit_log_start(audit_context(), GFP_KERNEL, 326 AUDIT_INTEGRITY_RULE); 327 if (!ab) 328 goto out; 329 330 audit_log_format(ab, "file="); 331 audit_log_untrustedstring(ab, filename); 332 audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash); 333 334 audit_log_task_info(ab); 335 audit_log_end(ab); 336 337 iint->flags |= IMA_AUDITED; 338 out: 339 kfree(hash); 340 return; 341 } 342 343 /* 344 * ima_d_path - return a pointer to the full pathname 345 * 346 * Attempt to return a pointer to the full pathname for use in the 347 * IMA measurement list, IMA audit records, and auditing logs. 348 * 349 * On failure, return a pointer to a copy of the filename, not dname. 350 * Returning a pointer to dname, could result in using the pointer 351 * after the memory has been freed. 352 */ 353 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) 354 { 355 char *pathname = NULL; 356 357 *pathbuf = __getname(); 358 if (*pathbuf) { 359 pathname = d_absolute_path(path, *pathbuf, PATH_MAX); 360 if (IS_ERR(pathname)) { 361 __putname(*pathbuf); 362 *pathbuf = NULL; 363 pathname = NULL; 364 } 365 } 366 367 if (!pathname) { 368 strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX); 369 pathname = namebuf; 370 } 371 372 return pathname; 373 } 374