security/integrity/ima/ima_main.c

   1 /*
   2  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
   3  *
   4  * Authors:
   5  * Reiner Sailer <sailer@watson.ibm.com>
   6  * Serge Hallyn <serue@us.ibm.com>
   7  * Kylene Hall <kylene@us.ibm.com>
   8  * Mimi Zohar <zohar@us.ibm.com>
   9  *
  10  * This program is free software; you can redistribute it and/or
  11  * modify it under the terms of the GNU General Public License as
  12  * published by the Free Software Foundation, version 2 of the
  13  * License.
  14  *
  15  * File: ima_main.c
  16  *      implements the IMA hooks: ima_bprm_check, ima_file_mmap,
  17  *      and ima_file_check.
  18  */
  19 #include <linux/module.h>
  20 #include <linux/file.h>
  21 #include <linux/binfmts.h>
  22 #include <linux/mount.h>
  23 #include <linux/mman.h>
  24 #include <linux/slab.h>
  25 #include <linux/xattr.h>
  26 #include <linux/ima.h>
  27
  28 #include "ima.h"
  29
  30 int ima_initialized;
  31
  32 #ifdef CONFIG_IMA_APPRAISE
  33 int ima_appraise = IMA_APPRAISE_ENFORCE;
  34 #else
  35 int ima_appraise;
  36 #endif
  37
  38 int ima_hash_algo = HASH_ALGO_SHA1;
  39 static int hash_setup_done;
  40
  41 static int __init hash_setup(char *str)
  42 {
  43         struct ima_template_desc *template_desc = ima_template_desc_current();
  44         int i;
  45
  46         if (hash_setup_done)
  47                 return 1;
  48
  49         if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
  50                 if (strncmp(str, "sha1", 4) == 0)
  51                         ima_hash_algo = HASH_ALGO_SHA1;
  52                 else if (strncmp(str, "md5", 3) == 0)
  53                         ima_hash_algo = HASH_ALGO_MD5;
  54                 goto out;
  55         }
  56
  57         for (i = 0; i < HASH_ALGO__LAST; i++) {
  58                 if (strcmp(str, hash_algo_name[i]) == 0) {
  59                         ima_hash_algo = i;
  60                         break;
  61                 }
  62         }
  63 out:
  64         hash_setup_done = 1;
  65         return 1;
  66 }
  67 __setup("ima_hash=", hash_setup);
  68
  69 /*
  70  * ima_rdwr_violation_check
  71  *
  72  * Only invalidate the PCR for measured files:
  73  *      - Opening a file for write when already open for read,
  74  *        results in a time of measure, time of use (ToMToU) error.
  75  *      - Opening a file for read when already open for write,
  76  *        could result in a file measurement error.
  77  *
  78  */
  79 static void ima_rdwr_violation_check(struct file *file,
  80                                      struct integrity_iint_cache *iint,
  81                                      int must_measure,
  82                                      char **pathbuf,
  83                                      const char **pathname)
  84 {
  85         struct inode *inode = file_inode(file);
  86         fmode_t mode = file->f_mode;
  87         bool send_tomtou = false, send_writers = false;
  88
  89         if (mode & FMODE_WRITE) {
  90                 if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
  91                         if (!iint)
  92                                 iint = integrity_iint_find(inode);
  93                         /* IMA_MEASURE is set from reader side */
  94                         if (iint && (iint->flags & IMA_MEASURE))
  95                                 send_tomtou = true;
  96                 }
  97         } else {
  98                 if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
  99                         send_writers = true;
 100         }
 101
 102         if (!send_tomtou && !send_writers)
 103                 return;
 104
 105         *pathname = ima_d_path(&file->f_path, pathbuf);
 106
 107         if (send_tomtou)
 108                 ima_add_violation(file, *pathname, iint,
 109                                   "invalid_pcr", "ToMToU");
 110         if (send_writers)
 111                 ima_add_violation(file, *pathname, iint,
 112                                   "invalid_pcr", "open_writers");
 113 }
 114
 115 static void ima_check_last_writer(struct integrity_iint_cache *iint,
 116                                   struct inode *inode, struct file *file)
 117 {
 118         fmode_t mode = file->f_mode;
 119
 120         if (!(mode & FMODE_WRITE))
 121                 return;
 122
 123         inode_lock(inode);
 124         if (atomic_read(&inode->i_writecount) == 1) {
 125                 if ((iint->version != inode->i_version) ||
 126                     (iint->flags & IMA_NEW_FILE)) {
 127                         iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
 128                         if (iint->flags & IMA_APPRAISE)
 129                                 ima_update_xattr(iint, file);
 130                 }
 131         }
 132         inode_unlock(inode);
 133 }
 134
 135 /**
 136  * ima_file_free - called on __fput()
 137  * @file: pointer to file structure being freed
 138  *
 139  * Flag files that changed, based on i_version
 140  */
 141 void ima_file_free(struct file *file)
 142 {
 143         struct inode *inode = file_inode(file);
 144         struct integrity_iint_cache *iint;
 145
 146         if (!ima_policy_flag || !S_ISREG(inode->i_mode))
 147                 return;
 148
 149         iint = integrity_iint_find(inode);
 150         if (!iint)
 151                 return;
 152
 153         ima_check_last_writer(iint, inode, file);
 154 }
 155
 156 static int process_measurement(struct file *file, char *buf, loff_t size,
 157                                int mask, enum ima_hooks func, int opened)
 158 {
 159         struct inode *inode = file_inode(file);
 160         struct integrity_iint_cache *iint = NULL;
 161         struct ima_template_desc *template_desc;
 162         char *pathbuf = NULL;
 163         const char *pathname = NULL;
 164         int rc = -ENOMEM, action, must_appraise;
 165         struct evm_ima_xattr_data *xattr_value = NULL;
 166         int xattr_len = 0;
 167         bool violation_check;
 168         enum hash_algo hash_algo;
 169
 170         if (!ima_policy_flag || !S_ISREG(inode->i_mode))
 171                 return 0;
 172
 173         /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
 174          * bitmask based on the appraise/audit/measurement policy.
 175          * Included is the appraise submask.
 176          */
 177         action = ima_get_action(inode, mask, func);
 178         violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
 179                            (ima_policy_flag & IMA_MEASURE));
 180         if (!action && !violation_check)
 181                 return 0;
 182
 183         must_appraise = action & IMA_APPRAISE;
 184
 185         /*  Is the appraise rule hook specific?  */
 186         if (action & IMA_FILE_APPRAISE)
 187                 func = FILE_CHECK;
 188
 189         inode_lock(inode);
 190
 191         if (action) {
 192                 iint = integrity_inode_get(inode);
 193                 if (!iint)
 194                         goto out;
 195         }
 196
 197         if (violation_check) {
 198                 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
 199                                          &pathbuf, &pathname);
 200                 if (!action) {
 201                         rc = 0;
 202                         goto out_free;
 203                 }
 204         }
 205
 206         /* Determine if already appraised/measured based on bitmask
 207          * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
 208          *  IMA_AUDIT, IMA_AUDITED)
 209          */
 210         iint->flags |= action;
 211         action &= IMA_DO_MASK;
 212         action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
 213
 214         /* Nothing to do, just return existing appraised status */
 215         if (!action) {
 216                 if (must_appraise)
 217                         rc = ima_get_cache_status(iint, func);
 218                 goto out_digsig;
 219         }
 220
 221         template_desc = ima_template_desc_current();
 222         if ((action & IMA_APPRAISE_SUBMASK) ||
 223                     strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
 224                 /* read 'security.ima' */
 225                 xattr_len = ima_read_xattr(file->f_path.dentry, &xattr_value);
 226
 227         hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
 228
 229         rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
 230         if (rc != 0) {
 231                 if (file->f_flags & O_DIRECT)
 232                         rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
 233                 goto out_digsig;
 234         }
 235
 236         if (!pathname)  /* ima_rdwr_violation possibly pre-fetched */
 237                 pathname = ima_d_path(&file->f_path, &pathbuf);
 238
 239         if (action & IMA_MEASURE)
 240                 ima_store_measurement(iint, file, pathname,
 241                                       xattr_value, xattr_len);
 242         if (action & IMA_APPRAISE_SUBMASK)
 243                 rc = ima_appraise_measurement(func, iint, file, pathname,
 244                                               xattr_value, xattr_len, opened);
 245         if (action & IMA_AUDIT)
 246                 ima_audit_measurement(iint, pathname);
 247
 248 out_digsig:
 249         if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
 250              !(iint->flags & IMA_NEW_FILE))
 251                 rc = -EACCES;
 252         kfree(xattr_value);
 253 out_free:
 254         if (pathbuf)
 255                 __putname(pathbuf);
 256 out:
 257         inode_unlock(inode);
 258         if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
 259                 return -EACCES;
 260         return 0;
 261 }
 262
 263 /**
 264  * ima_file_mmap - based on policy, collect/store measurement.
 265  * @file: pointer to the file to be measured (May be NULL)
 266  * @prot: contains the protection that will be applied by the kernel.
 267  *
 268  * Measure files being mmapped executable based on the ima_must_measure()
 269  * policy decision.
 270  *
 271  * On success return 0.  On integrity appraisal error, assuming the file
 272  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 273  */
 274 int ima_file_mmap(struct file *file, unsigned long prot)
 275 {
 276         if (file && (prot & PROT_EXEC))
 277                 return process_measurement(file, NULL, 0, MAY_EXEC,
 278                                            MMAP_CHECK, 0);
 279         return 0;
 280 }
 281
 282 /**
 283  * ima_bprm_check - based on policy, collect/store measurement.
 284  * @bprm: contains the linux_binprm structure
 285  *
 286  * The OS protects against an executable file, already open for write,
 287  * from being executed in deny_write_access() and an executable file,
 288  * already open for execute, from being modified in get_write_access().
 289  * So we can be certain that what we verify and measure here is actually
 290  * what is being executed.
 291  *
 292  * On success return 0.  On integrity appraisal error, assuming the file
 293  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 294  */
 295 int ima_bprm_check(struct linux_binprm *bprm)
 296 {
 297         return process_measurement(bprm->file, NULL, 0, MAY_EXEC,
 298                                    BPRM_CHECK, 0);
 299 }
 300
 301 /**
 302  * ima_path_check - based on policy, collect/store measurement.
 303  * @file: pointer to the file to be measured
 304  * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
 305  *
 306  * Measure files based on the ima_must_measure() policy decision.
 307  *
 308  * On success return 0.  On integrity appraisal error, assuming the file
 309  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 310  */
 311 int ima_file_check(struct file *file, int mask, int opened)
 312 {
 313         return process_measurement(file, NULL, 0,
 314                                    mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
 315                                    FILE_CHECK, opened);
 316 }
 317 EXPORT_SYMBOL_GPL(ima_file_check);
 318
 319 /**
 320  * ima_post_path_mknod - mark as a new inode
 321  * @dentry: newly created dentry
 322  *
 323  * Mark files created via the mknodat syscall as new, so that the
 324  * file data can be written later.
 325  */
 326 void ima_post_path_mknod(struct dentry *dentry)
 327 {
 328         struct integrity_iint_cache *iint;
 329         struct inode *inode = dentry->d_inode;
 330         int must_appraise;
 331
 332         must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
 333         if (!must_appraise)
 334                 return;
 335
 336         iint = integrity_inode_get(inode);
 337         if (iint)
 338                 iint->flags |= IMA_NEW_FILE;
 339 }
 340
 341 /**
 342  * ima_read_file - pre-measure/appraise hook decision based on policy
 343  * @file: pointer to the file to be measured/appraised/audit
 344  * @read_id: caller identifier
 345  *
 346  * Permit reading a file based on policy. The policy rules are written
 347  * in terms of the policy identifier.  Appraising the integrity of
 348  * a file requires a file descriptor.
 349  *
 350  * For permission return 0, otherwise return -EACCES.
 351  */
 352 int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
 353 {
 354         if (!file && read_id == READING_MODULE) {
 355 #ifndef CONFIG_MODULE_SIG_FORCE
 356                 if ((ima_appraise & IMA_APPRAISE_MODULES) &&
 357                     (ima_appraise & IMA_APPRAISE_ENFORCE))
 358                         return -EACCES; /* INTEGRITY_UNKNOWN */
 359 #endif
 360                 return 0;       /* We rely on module signature checking */
 361         }
 362         return 0;
 363 }
 364
 365 static int read_idmap[READING_MAX_ID] = {
 366         [READING_FIRMWARE] = FIRMWARE_CHECK,
 367         [READING_MODULE] = MODULE_CHECK,
 368         [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
 369         [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
 370         [READING_POLICY] = POLICY_CHECK
 371 };
 372
 373 /**
 374  * ima_post_read_file - in memory collect/appraise/audit measurement
 375  * @file: pointer to the file to be measured/appraised/audit
 376  * @buf: pointer to in memory file contents
 377  * @size: size of in memory file contents
 378  * @read_id: caller identifier
 379  *
 380  * Measure/appraise/audit in memory file based on policy.  Policy rules
 381  * are written in terms of a policy identifier.
 382  *
 383  * On success return 0.  On integrity appraisal error, assuming the file
 384  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 385  */
 386 int ima_post_read_file(struct file *file, void *buf, loff_t size,
 387                        enum kernel_read_file_id read_id)
 388 {
 389         enum ima_hooks func;
 390
 391         if (!file && read_id == READING_FIRMWARE) {
 392                 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
 393                     (ima_appraise & IMA_APPRAISE_ENFORCE))
 394                         return -EACCES; /* INTEGRITY_UNKNOWN */
 395                 return 0;
 396         }
 397
 398         if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
 399                 return 0;
 400
 401         if (!file || !buf || size == 0) { /* should never happen */
 402                 if (ima_appraise & IMA_APPRAISE_ENFORCE)
 403                         return -EACCES;
 404                 return 0;
 405         }
 406
 407         func = read_idmap[read_id] ?: FILE_CHECK;
 408         return process_measurement(file, buf, size, MAY_READ, func, 0);
 409 }
 410
 411 static int __init init_ima(void)
 412 {
 413         int error;
 414
 415         hash_setup(CONFIG_IMA_DEFAULT_HASH);
 416         error = ima_init();
 417         if (!error) {
 418                 ima_initialized = 1;
 419                 ima_update_policy_flag();
 420         }
 421         return error;
 422 }
 423
 424 late_initcall(init_ima);        /* Start IMA after the TPM is available */
 425
 426 MODULE_DESCRIPTION("Integrity Measurement Architecture");
 427 MODULE_LICENSE("GPL");