Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
[linux/fpc-iii.git] / security / integrity / integrity.h
blob2fb5e53e927f2bf5432a34af1251c89f359d90f7
1 /*
2 * Copyright (C) 2009-2010 IBM Corporation
4 * Authors:
5 * Mimi Zohar <zohar@us.ibm.com>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
14 #include <linux/types.h>
15 #include <linux/integrity.h>
16 #include <crypto/sha.h>
17 #include <linux/key.h>
19 /* iint action cache flags */
20 #define IMA_MEASURE 0x00000001
21 #define IMA_MEASURED 0x00000002
22 #define IMA_APPRAISE 0x00000004
23 #define IMA_APPRAISED 0x00000008
24 /*#define IMA_COLLECT 0x00000010 do not use this flag */
25 #define IMA_COLLECTED 0x00000020
26 #define IMA_AUDIT 0x00000040
27 #define IMA_AUDITED 0x00000080
29 /* iint cache flags */
30 #define IMA_ACTION_FLAGS 0xff000000
31 #define IMA_DIGSIG 0x01000000
32 #define IMA_DIGSIG_REQUIRED 0x02000000
34 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
35 IMA_APPRAISE_SUBMASK)
36 #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \
37 IMA_COLLECTED | IMA_APPRAISED_SUBMASK)
39 /* iint subaction appraise cache flags */
40 #define IMA_FILE_APPRAISE 0x00000100
41 #define IMA_FILE_APPRAISED 0x00000200
42 #define IMA_MMAP_APPRAISE 0x00000400
43 #define IMA_MMAP_APPRAISED 0x00000800
44 #define IMA_BPRM_APPRAISE 0x00001000
45 #define IMA_BPRM_APPRAISED 0x00002000
46 #define IMA_MODULE_APPRAISE 0x00004000
47 #define IMA_MODULE_APPRAISED 0x00008000
48 #define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
49 IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE)
50 #define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
51 IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED)
53 enum evm_ima_xattr_type {
54 IMA_XATTR_DIGEST = 0x01,
55 EVM_XATTR_HMAC,
56 EVM_IMA_XATTR_DIGSIG,
57 IMA_XATTR_DIGEST_NG,
60 struct evm_ima_xattr_data {
61 u8 type;
62 u8 digest[SHA1_DIGEST_SIZE];
63 } __packed;
65 #define IMA_MAX_DIGEST_SIZE 64
67 struct ima_digest_data {
68 u8 algo;
69 u8 length;
70 union {
71 struct {
72 u8 unused;
73 u8 type;
74 } sha1;
75 struct {
76 u8 type;
77 u8 algo;
78 } ng;
79 u8 data[2];
80 } xattr;
81 u8 digest[0];
82 } __packed;
85 * signature format v2 - for using with asymmetric keys
87 struct signature_v2_hdr {
88 uint8_t type; /* xattr type */
89 uint8_t version; /* signature format version */
90 uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
91 uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
92 uint16_t sig_size; /* signature size */
93 uint8_t sig[0]; /* signature payload */
94 } __packed;
96 /* integrity data associated with an inode */
97 struct integrity_iint_cache {
98 struct rb_node rb_node; /* rooted in integrity_iint_tree */
99 struct inode *inode; /* back pointer to inode in question */
100 u64 version; /* track inode changes */
101 unsigned long flags;
102 enum integrity_status ima_file_status:4;
103 enum integrity_status ima_mmap_status:4;
104 enum integrity_status ima_bprm_status:4;
105 enum integrity_status ima_module_status:4;
106 enum integrity_status evm_status:4;
107 struct ima_digest_data *ima_hash;
110 /* rbtree tree calls to lookup, insert, delete
111 * integrity data associated with an inode.
113 struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
114 struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
116 #define INTEGRITY_KEYRING_EVM 0
117 #define INTEGRITY_KEYRING_MODULE 1
118 #define INTEGRITY_KEYRING_IMA 2
119 #define INTEGRITY_KEYRING_MAX 3
121 #ifdef CONFIG_INTEGRITY_SIGNATURE
123 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
124 const char *digest, int digestlen);
126 #else
128 static inline int integrity_digsig_verify(const unsigned int id,
129 const char *sig, int siglen,
130 const char *digest, int digestlen)
132 return -EOPNOTSUPP;
135 #endif /* CONFIG_INTEGRITY_SIGNATURE */
137 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
138 int asymmetric_verify(struct key *keyring, const char *sig,
139 int siglen, const char *data, int datalen);
140 #else
141 static inline int asymmetric_verify(struct key *keyring, const char *sig,
142 int siglen, const char *data, int datalen)
144 return -EOPNOTSUPP;
146 #endif
148 #ifdef CONFIG_INTEGRITY_AUDIT
149 /* declarations */
150 void integrity_audit_msg(int audit_msgno, struct inode *inode,
151 const unsigned char *fname, const char *op,
152 const char *cause, int result, int info);
153 #else
154 static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
155 const unsigned char *fname,
156 const char *op, const char *cause,
157 int result, int info)
160 #endif
162 /* set during initialization */
163 extern int iint_initialized;