1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2008 IBM Corporation
5 * Author: Mimi Zohar <zohar@us.ibm.com>
8 * Implements must_appraise_or_measure, collect_measurement,
9 * appraise_measurement, store_measurement and store_template.
11 #include <linux/slab.h>
12 #include <linux/file.h>
14 #include <linux/xattr.h>
15 #include <linux/evm.h>
16 #include <linux/iversion.h>
21 * ima_free_template_entry - free an existing template entry
23 void ima_free_template_entry(struct ima_template_entry *entry)
27 for (i = 0; i < entry->template_desc->num_fields; i++)
28 kfree(entry->template_data[i].data);
34 * ima_alloc_init_template - create and initialize a new template entry
36 int ima_alloc_init_template(struct ima_event_data *event_data,
37 struct ima_template_entry **entry,
38 struct ima_template_desc *desc)
40 struct ima_template_desc *template_desc;
46 template_desc = ima_template_desc_current();
48 *entry = kzalloc(struct_size(*entry, template_data,
49 template_desc->num_fields), GFP_NOFS);
53 (*entry)->template_desc = template_desc;
54 for (i = 0; i < template_desc->num_fields; i++) {
55 const struct ima_template_field *field =
56 template_desc->fields[i];
59 result = field->field_init(event_data,
60 &((*entry)->template_data[i]));
64 len = (*entry)->template_data[i].len;
65 (*entry)->template_data_len += sizeof(len);
66 (*entry)->template_data_len += len;
70 ima_free_template_entry(*entry);
76 * ima_store_template - store ima template measurements
78 * Calculate the hash of a template entry, add the template entry
79 * to an ordered list of measurement entries maintained inside the kernel,
80 * and also update the aggregate integrity value (maintained inside the
81 * configured TPM PCR) over the hashes of the current list of measurement
84 * Applications retrieve the current kernel-held measurement list through
85 * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
86 * TPM PCR (called quote) can be retrieved using a TPM user space library
87 * and is used to validate the measurement list.
89 * Returns 0 on success, error code otherwise
91 int ima_store_template(struct ima_template_entry *entry,
92 int violation, struct inode *inode,
93 const unsigned char *filename, int pcr)
95 static const char op[] = "add_template_measure";
96 static const char audit_cause[] = "hashing_error";
97 char *template_name = entry->template_desc->name;
100 struct ima_digest_data hdr;
101 char digest[TPM_DIGEST_SIZE];
105 int num_fields = entry->template_desc->num_fields;
107 /* this function uses default algo */
108 hash.hdr.algo = HASH_ALGO_SHA1;
109 result = ima_calc_field_array_hash(&entry->template_data[0],
110 entry->template_desc,
111 num_fields, &hash.hdr);
113 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
115 audit_cause, result, 0);
118 memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
121 result = ima_add_template_entry(entry, violation, op, inode, filename);
126 * ima_add_violation - add violation to measurement list.
128 * Violations are flagged in the measurement list with zero hash values.
129 * By extending the PCR with 0xFF's instead of with zeroes, the PCR
130 * value is invalidated.
132 void ima_add_violation(struct file *file, const unsigned char *filename,
133 struct integrity_iint_cache *iint,
134 const char *op, const char *cause)
136 struct ima_template_entry *entry;
137 struct inode *inode = file_inode(file);
138 struct ima_event_data event_data = { .iint = iint,
140 .filename = filename,
141 .violation = cause };
145 /* can overflow, only indicator */
146 atomic_long_inc(&ima_htable.violations);
148 result = ima_alloc_init_template(&event_data, &entry, NULL);
153 result = ima_store_template(entry, violation, inode,
154 filename, CONFIG_IMA_MEASURE_PCR_IDX);
156 ima_free_template_entry(entry);
158 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
159 op, cause, result, 0);
163 * ima_get_action - appraise & measure decision based on policy.
164 * @inode: pointer to inode to measure
165 * @cred: pointer to credentials structure to validate
166 * @secid: secid of the task being validated
167 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
169 * @func: caller identifier
170 * @pcr: pointer filled in if matched measure policy sets pcr=
171 * @template_desc: pointer filled in if matched measure policy sets template=
172 * @keyring: keyring name used to determine the action
174 * The policy is defined in terms of keypairs:
175 * subj=, obj=, type=, func=, mask=, fsmagic=
176 * subj,obj, and type: are LSM specific.
177 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
178 * | KEXEC_CMDLINE | KEY_CHECK
179 * mask: contains the permission mask
182 * Returns IMA_MEASURE, IMA_APPRAISE mask.
185 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
186 int mask, enum ima_hooks func, int *pcr,
187 struct ima_template_desc **template_desc,
190 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
192 flags &= ima_policy_flag;
194 return ima_match_policy(inode, cred, secid, func, mask, flags, pcr,
195 template_desc, keyring);
199 * ima_collect_measurement - collect file measurement
201 * Calculate the file hash, if it doesn't already exist,
202 * storing the measurement and i_version in the iint.
204 * Must be called with iint->mutex held.
206 * Return 0 on success, error code otherwise
208 int ima_collect_measurement(struct integrity_iint_cache *iint,
209 struct file *file, void *buf, loff_t size,
210 enum hash_algo algo, struct modsig *modsig)
212 const char *audit_cause = "failed";
213 struct inode *inode = file_inode(file);
214 const char *filename = file->f_path.dentry->d_name.name;
220 struct ima_digest_data hdr;
221 char digest[IMA_MAX_DIGEST_SIZE];
225 * Always collect the modsig, because IMA might have already collected
226 * the file digest without collecting the modsig in a previous
230 ima_collect_modsig(modsig, buf, size);
232 if (iint->flags & IMA_COLLECTED)
236 * Dectecting file change is based on i_version. On filesystems
237 * which do not support i_version, support is limited to an initial
238 * measurement/appraisal/audit.
240 i_version = inode_query_iversion(inode);
241 hash.hdr.algo = algo;
243 /* Initialize hash digest to 0's in case of failure */
244 memset(&hash.digest, 0, sizeof(hash.digest));
247 result = ima_calc_buffer_hash(buf, size, &hash.hdr);
249 result = ima_calc_file_hash(file, &hash.hdr);
251 if (result && result != -EBADF && result != -EINVAL)
254 length = sizeof(hash.hdr) + hash.hdr.length;
255 tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
261 iint->ima_hash = tmpbuf;
262 memcpy(iint->ima_hash, &hash, length);
263 iint->version = i_version;
265 /* Possibly temporary failure due to type of read (eg. O_DIRECT) */
267 iint->flags |= IMA_COLLECTED;
270 if (file->f_flags & O_DIRECT)
271 audit_cause = "failed(directio)";
273 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
274 filename, "collect_data", audit_cause,
281 * ima_store_measurement - store file measurement
283 * Create an "ima" template and then store the template by calling
284 * ima_store_template.
286 * We only get here if the inode has not already been measured,
287 * but the measurement could already exist:
288 * - multiple copies of the same file on either the same or
289 * different filesystems.
290 * - the inode was previously flushed as well as the iint info,
291 * containing the hashing info.
293 * Must be called with iint->mutex held.
295 void ima_store_measurement(struct integrity_iint_cache *iint,
296 struct file *file, const unsigned char *filename,
297 struct evm_ima_xattr_data *xattr_value,
298 int xattr_len, const struct modsig *modsig, int pcr,
299 struct ima_template_desc *template_desc)
301 static const char op[] = "add_template_measure";
302 static const char audit_cause[] = "ENOMEM";
303 int result = -ENOMEM;
304 struct inode *inode = file_inode(file);
305 struct ima_template_entry *entry;
306 struct ima_event_data event_data = { .iint = iint,
308 .filename = filename,
309 .xattr_value = xattr_value,
310 .xattr_len = xattr_len,
315 * We still need to store the measurement in the case of MODSIG because
316 * we only have its contents to put in the list at the time of
317 * appraisal, but a file measurement from earlier might already exist in
318 * the measurement list.
320 if (iint->measured_pcrs & (0x1 << pcr) && !modsig)
323 result = ima_alloc_init_template(&event_data, &entry, template_desc);
325 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
326 op, audit_cause, result, 0);
330 result = ima_store_template(entry, violation, inode, filename, pcr);
331 if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
332 iint->flags |= IMA_MEASURED;
333 iint->measured_pcrs |= (0x1 << pcr);
336 ima_free_template_entry(entry);
339 void ima_audit_measurement(struct integrity_iint_cache *iint,
340 const unsigned char *filename)
342 struct audit_buffer *ab;
344 const char *algo_name = hash_algo_name[iint->ima_hash->algo];
347 if (iint->flags & IMA_AUDITED)
350 hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL);
354 for (i = 0; i < iint->ima_hash->length; i++)
355 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
358 ab = audit_log_start(audit_context(), GFP_KERNEL,
359 AUDIT_INTEGRITY_RULE);
363 audit_log_format(ab, "file=");
364 audit_log_untrustedstring(ab, filename);
365 audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash);
367 audit_log_task_info(ab);
370 iint->flags |= IMA_AUDITED;
377 * ima_d_path - return a pointer to the full pathname
379 * Attempt to return a pointer to the full pathname for use in the
380 * IMA measurement list, IMA audit records, and auditing logs.
382 * On failure, return a pointer to a copy of the filename, not dname.
383 * Returning a pointer to dname, could result in using the pointer
384 * after the memory has been freed.
386 const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
388 char *pathname = NULL;
390 *pathbuf = __getname();
392 pathname = d_absolute_path(path, *pathbuf, PATH_MAX);
393 if (IS_ERR(pathname)) {
401 strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX);