security/integrity/ima/ima_api.c

   1 /*
   2  * Copyright (C) 2008 IBM Corporation
   3  *
   4  * Author: Mimi Zohar <zohar@us.ibm.com>
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public License as
   8  * published by the Free Software Foundation, version 2 of the
   9  * License.
  10  *
  11  * File: ima_api.c
  12  *      Implements must_appraise_or_measure, collect_measurement,
  13  *      appraise_measurement, store_measurement and store_template.
  14  */
  15 #include <linux/module.h>
  16 #include <linux/slab.h>
  17 #include <linux/file.h>
  18 #include <linux/fs.h>
  19 #include <linux/xattr.h>
  20 #include <linux/evm.h>
  21 #include "ima.h"
  22
  23 static const char *IMA_TEMPLATE_NAME = "ima";
  24
  25 /*
  26  * ima_store_template - store ima template measurements
  27  *
  28  * Calculate the hash of a template entry, add the template entry
  29  * to an ordered list of measurement entries maintained inside the kernel,
  30  * and also update the aggregate integrity value (maintained inside the
  31  * configured TPM PCR) over the hashes of the current list of measurement
  32  * entries.
  33  *
  34  * Applications retrieve the current kernel-held measurement list through
  35  * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
  36  * TPM PCR (called quote) can be retrieved using a TPM user space library
  37  * and is used to validate the measurement list.
  38  *
  39  * Returns 0 on success, error code otherwise
  40  */
  41 int ima_store_template(struct ima_template_entry *entry,
  42                        int violation, struct inode *inode)
  43 {
  44         const char *op = "add_template_measure";
  45         const char *audit_cause = "hashing_error";
  46         int result;
  47
  48         memset(entry->digest, 0, sizeof(entry->digest));
  49         entry->template_name = IMA_TEMPLATE_NAME;
  50         entry->template_len = sizeof(entry->template);
  51
  52         if (!violation) {
  53                 result = ima_calc_buffer_hash(&entry->template,
  54                                                 entry->template_len,
  55                                                 entry->digest);
  56                 if (result < 0) {
  57                         integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
  58                                             entry->template_name, op,
  59                                             audit_cause, result, 0);
  60                         return result;
  61                 }
  62         }
  63         result = ima_add_template_entry(entry, violation, op, inode);
  64         return result;
  65 }
  66
  67 /*
  68  * ima_add_violation - add violation to measurement list.
  69  *
  70  * Violations are flagged in the measurement list with zero hash values.
  71  * By extending the PCR with 0xFF's instead of with zeroes, the PCR
  72  * value is invalidated.
  73  */
  74 void ima_add_violation(struct inode *inode, const unsigned char *filename,
  75                        const char *op, const char *cause)
  76 {
  77         struct ima_template_entry *entry;
  78         int violation = 1;
  79         int result;
  80
  81         /* can overflow, only indicator */
  82         atomic_long_inc(&ima_htable.violations);
  83
  84         entry = kmalloc(sizeof(*entry), GFP_KERNEL);
  85         if (!entry) {
  86                 result = -ENOMEM;
  87                 goto err_out;
  88         }
  89         memset(&entry->template, 0, sizeof(entry->template));
  90         strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
  91         result = ima_store_template(entry, violation, inode);
  92         if (result < 0)
  93                 kfree(entry);
  94 err_out:
  95         integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
  96                             op, cause, result, 0);
  97 }
  98
  99 /**
 100  * ima_get_action - appraise & measure decision based on policy.
 101  * @inode: pointer to inode to measure
 102  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
 103  * @function: calling function (FILE_CHECK, BPRM_CHECK, MMAP_CHECK, MODULE_CHECK)
 104  *
 105  * The policy is defined in terms of keypairs:
 106  *              subj=, obj=, type=, func=, mask=, fsmagic=
 107  *      subj,obj, and type: are LSM specific.
 108  *      func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK
 109  *      mask: contains the permission mask
 110  *      fsmagic: hex value
 111  *
 112  * Returns IMA_MEASURE, IMA_APPRAISE mask.
 113  *
 114  */
 115 int ima_get_action(struct inode *inode, int mask, int function)
 116 {
 117         int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
 118
 119         if (!ima_appraise)
 120                 flags &= ~IMA_APPRAISE;
 121
 122         return ima_match_policy(inode, function, mask, flags);
 123 }
 124
 125 int ima_must_measure(struct inode *inode, int mask, int function)
 126 {
 127         return ima_match_policy(inode, function, mask, IMA_MEASURE);
 128 }
 129
 130 /*
 131  * ima_collect_measurement - collect file measurement
 132  *
 133  * Calculate the file hash, if it doesn't already exist,
 134  * storing the measurement and i_version in the iint.
 135  *
 136  * Must be called with iint->mutex held.
 137  *
 138  * Return 0 on success, error code otherwise
 139  */
 140 int ima_collect_measurement(struct integrity_iint_cache *iint,
 141                             struct file *file)
 142 {
 143         const char *audit_cause = "failed";
 144         struct inode *inode = file_inode(file);
 145         const char *filename = file->f_dentry->d_name.name;
 146         int result = 0;
 147
 148         if (!(iint->flags & IMA_COLLECTED)) {
 149                 u64 i_version = file_inode(file)->i_version;
 150
 151                 if (file->f_flags & O_DIRECT) {
 152                         audit_cause = "failed(directio)";
 153                         result = -EACCES;
 154                         goto out;
 155                 }
 156                 iint->ima_xattr.type = IMA_XATTR_DIGEST;
 157                 result = ima_calc_file_hash(file, iint->ima_xattr.digest);
 158                 if (!result) {
 159                         iint->version = i_version;
 160                         iint->flags |= IMA_COLLECTED;
 161                 }
 162         }
 163 out:
 164         if (result)
 165                 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
 166                                     filename, "collect_data", audit_cause,
 167                                     result, 0);
 168         return result;
 169 }
 170
 171 /*
 172  * ima_store_measurement - store file measurement
 173  *
 174  * Create an "ima" template and then store the template by calling
 175  * ima_store_template.
 176  *
 177  * We only get here if the inode has not already been measured,
 178  * but the measurement could already exist:
 179  *      - multiple copies of the same file on either the same or
 180  *        different filesystems.
 181  *      - the inode was previously flushed as well as the iint info,
 182  *        containing the hashing info.
 183  *
 184  * Must be called with iint->mutex held.
 185  */
 186 void ima_store_measurement(struct integrity_iint_cache *iint,
 187                            struct file *file, const unsigned char *filename)
 188 {
 189         const char *op = "add_template_measure";
 190         const char *audit_cause = "ENOMEM";
 191         int result = -ENOMEM;
 192         struct inode *inode = file_inode(file);
 193         struct ima_template_entry *entry;
 194         int violation = 0;
 195
 196         if (iint->flags & IMA_MEASURED)
 197                 return;
 198
 199         entry = kmalloc(sizeof(*entry), GFP_KERNEL);
 200         if (!entry) {
 201                 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
 202                                     op, audit_cause, result, 0);
 203                 return;
 204         }
 205         memset(&entry->template, 0, sizeof(entry->template));
 206         memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
 207         strcpy(entry->template.file_name,
 208                (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
 209                file->f_dentry->d_name.name : filename);
 210
 211         result = ima_store_template(entry, violation, inode);
 212         if (!result || result == -EEXIST)
 213                 iint->flags |= IMA_MEASURED;
 214         if (result < 0)
 215                 kfree(entry);
 216 }
 217
 218 void ima_audit_measurement(struct integrity_iint_cache *iint,
 219                            const unsigned char *filename)
 220 {
 221         struct audit_buffer *ab;
 222         char hash[(IMA_DIGEST_SIZE * 2) + 1];
 223         int i;
 224
 225         if (iint->flags & IMA_AUDITED)
 226                 return;
 227
 228         for (i = 0; i < IMA_DIGEST_SIZE; i++)
 229                 hex_byte_pack(hash + (i * 2), iint->ima_xattr.digest[i]);
 230         hash[i * 2] = '\0';
 231
 232         ab = audit_log_start(current->audit_context, GFP_KERNEL,
 233                              AUDIT_INTEGRITY_RULE);
 234         if (!ab)
 235                 return;
 236
 237         audit_log_format(ab, "file=");
 238         audit_log_untrustedstring(ab, filename);
 239         audit_log_format(ab, " hash=");
 240         audit_log_untrustedstring(ab, hash);
 241
 242         audit_log_task_info(ab, current);
 243         audit_log_end(ab);
 244
 245         iint->flags |= IMA_AUDITED;
 246 }
 247
 248 const char *ima_d_path(struct path *path, char **pathbuf)
 249 {
 250         char *pathname = NULL;
 251
 252         /* We will allow 11 spaces for ' (deleted)' to be appended */
 253         *pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
 254         if (*pathbuf) {
 255                 pathname = d_path(path, *pathbuf, PATH_MAX + 11);
 256                 if (IS_ERR(pathname)) {
 257                         kfree(*pathbuf);
 258                         *pathbuf = NULL;
 259                         pathname = NULL;
 260                 }
 261         }
 262         return pathname;
 263 }