1 /*
2  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3  *
4  * Authors:
5  * Reiner Sailer <sailer@watson.ibm.com>
6  * Serge Hallyn <serue@us.ibm.com>
7  * Kylene Hall <kylene@us.ibm.com>
8  * Mimi Zohar <zohar@us.ibm.com>
9  *
10  * This program is free software; you can redistribute it and/or
11  * modify it under the terms of the GNU General Public License as
12  * published by the Free Software Foundation, version 2 of the
13  * License.
14  *
15  * File: ima_main.c
16  *	implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17  *	and ima_file_check.
18  */
19 #include <linux/module.h>
20 #include <linux/file.h>
21 #include <linux/binfmts.h>
22 #include <linux/mount.h>
23 #include <linux/mman.h>
24 #include <linux/slab.h>
25 #include <linux/xattr.h>
26 #include <linux/ima.h>
27 #include <crypto/hash_info.h>
28 
29 #include "ima.h"
30 
31 int ima_initialized;
32 
33 #ifdef CONFIG_IMA_APPRAISE
34 int ima_appraise = IMA_APPRAISE_ENFORCE;
35 #else
36 int ima_appraise;
37 #endif
38 
39 int ima_hash_algo = HASH_ALGO_SHA1;
40 static int hash_setup_done;
41 
hash_setup(char * str)42 static int __init hash_setup(char *str)
43 {
44 	struct ima_template_desc *template_desc = ima_template_desc_current();
45 	int i;
46 
47 	if (hash_setup_done)
48 		return 1;
49 
50 	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
51 		if (strncmp(str, "sha1", 4) == 0)
52 			ima_hash_algo = HASH_ALGO_SHA1;
53 		else if (strncmp(str, "md5", 3) == 0)
54 			ima_hash_algo = HASH_ALGO_MD5;
55 		goto out;
56 	}
57 
58 	for (i = 0; i < HASH_ALGO__LAST; i++) {
59 		if (strcmp(str, hash_algo_name[i]) == 0) {
60 			ima_hash_algo = i;
61 			break;
62 		}
63 	}
64 out:
65 	hash_setup_done = 1;
66 	return 1;
67 }
68 __setup("ima_hash=", hash_setup);
69 
70 /*
71  * ima_rdwr_violation_check
72  *
73  * Only invalidate the PCR for measured files:
74  *	- Opening a file for write when already open for read,
75  *	  results in a time of measure, time of use (ToMToU) error.
76  *	- Opening a file for read when already open for write,
77  *	  could result in a file measurement error.
78  *
79  */
ima_rdwr_violation_check(struct file * file,struct integrity_iint_cache * iint,int must_measure,char ** pathbuf,const char ** pathname)80 static void ima_rdwr_violation_check(struct file *file,
81 				     struct integrity_iint_cache *iint,
82 				     int must_measure,
83 				     char **pathbuf,
84 				     const char **pathname)
85 {
86 	struct inode *inode = file_inode(file);
87 	fmode_t mode = file->f_mode;
88 	bool send_tomtou = false, send_writers = false;
89 
90 	if (mode & FMODE_WRITE) {
91 		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
92 			if (!iint)
93 				iint = integrity_iint_find(inode);
94 			/* IMA_MEASURE is set from reader side */
95 			if (iint && (iint->flags & IMA_MEASURE))
96 				send_tomtou = true;
97 		}
98 	} else {
99 		if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
100 			send_writers = true;
101 	}
102 
103 	if (!send_tomtou && !send_writers)
104 		return;
105 
106 	*pathname = ima_d_path(&file->f_path, pathbuf);
107 
108 	if (send_tomtou)
109 		ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU");
110 	if (send_writers)
111 		ima_add_violation(file, *pathname,
112 				  "invalid_pcr", "open_writers");
113 }
114 
ima_check_last_writer(struct integrity_iint_cache * iint,struct inode * inode,struct file * file)115 static void ima_check_last_writer(struct integrity_iint_cache *iint,
116 				  struct inode *inode, struct file *file)
117 {
118 	fmode_t mode = file->f_mode;
119 
120 	if (!(mode & FMODE_WRITE))
121 		return;
122 
123 	mutex_lock(&inode->i_mutex);
124 	if (atomic_read(&inode->i_writecount) == 1) {
125 		if ((iint->version != inode->i_version) ||
126 		    (iint->flags & IMA_NEW_FILE)) {
127 			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
128 			if (iint->flags & IMA_APPRAISE)
129 				ima_update_xattr(iint, file);
130 		}
131 	}
132 	mutex_unlock(&inode->i_mutex);
133 }
134 
135 /**
136  * ima_file_free - called on __fput()
137  * @file: pointer to file structure being freed
138  *
139  * Flag files that changed, based on i_version
140  */
ima_file_free(struct file * file)141 void ima_file_free(struct file *file)
142 {
143 	struct inode *inode = file_inode(file);
144 	struct integrity_iint_cache *iint;
145 
146 	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
147 		return;
148 
149 	iint = integrity_iint_find(inode);
150 	if (!iint)
151 		return;
152 
153 	ima_check_last_writer(iint, inode, file);
154 }
155 
process_measurement(struct file * file,int mask,int function,int opened)156 static int process_measurement(struct file *file, int mask, int function,
157 			       int opened)
158 {
159 	struct inode *inode = file_inode(file);
160 	struct integrity_iint_cache *iint = NULL;
161 	struct ima_template_desc *template_desc;
162 	char *pathbuf = NULL;
163 	const char *pathname = NULL;
164 	int rc = -ENOMEM, action, must_appraise;
165 	struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
166 	int xattr_len = 0;
167 	bool violation_check;
168 
169 	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
170 		return 0;
171 
172 	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
173 	 * bitmask based on the appraise/audit/measurement policy.
174 	 * Included is the appraise submask.
175 	 */
176 	action = ima_get_action(inode, mask, function);
177 	violation_check = ((function == FILE_CHECK || function == MMAP_CHECK) &&
178 			   (ima_policy_flag & IMA_MEASURE));
179 	if (!action && !violation_check)
180 		return 0;
181 
182 	must_appraise = action & IMA_APPRAISE;
183 
184 	/*  Is the appraise rule hook specific?  */
185 	if (action & IMA_FILE_APPRAISE)
186 		function = FILE_CHECK;
187 
188 	mutex_lock(&inode->i_mutex);
189 
190 	if (action) {
191 		iint = integrity_inode_get(inode);
192 		if (!iint)
193 			goto out;
194 	}
195 
196 	if (violation_check) {
197 		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
198 					 &pathbuf, &pathname);
199 		if (!action) {
200 			rc = 0;
201 			goto out_free;
202 		}
203 	}
204 
205 	/* Determine if already appraised/measured based on bitmask
206 	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
207 	 *  IMA_AUDIT, IMA_AUDITED)
208 	 */
209 	iint->flags |= action;
210 	action &= IMA_DO_MASK;
211 	action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
212 
213 	/* Nothing to do, just return existing appraised status */
214 	if (!action) {
215 		if (must_appraise)
216 			rc = ima_get_cache_status(iint, function);
217 		goto out_digsig;
218 	}
219 
220 	template_desc = ima_template_desc_current();
221 	if ((action & IMA_APPRAISE_SUBMASK) ||
222 		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
223 		xattr_ptr = &xattr_value;
224 
225 	rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
226 	if (rc != 0) {
227 		if (file->f_flags & O_DIRECT)
228 			rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
229 		goto out_digsig;
230 	}
231 
232 	if (!pathname)	/* ima_rdwr_violation possibly pre-fetched */
233 		pathname = ima_d_path(&file->f_path, &pathbuf);
234 
235 	if (action & IMA_MEASURE)
236 		ima_store_measurement(iint, file, pathname,
237 				      xattr_value, xattr_len);
238 	if (action & IMA_APPRAISE_SUBMASK)
239 		rc = ima_appraise_measurement(function, iint, file, pathname,
240 					      xattr_value, xattr_len, opened);
241 	if (action & IMA_AUDIT)
242 		ima_audit_measurement(iint, pathname);
243 
244 out_digsig:
245 	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
246 		rc = -EACCES;
247 	kfree(xattr_value);
248 out_free:
249 	if (pathbuf)
250 		__putname(pathbuf);
251 out:
252 	mutex_unlock(&inode->i_mutex);
253 	if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
254 		return -EACCES;
255 	return 0;
256 }
257 
258 /**
259  * ima_file_mmap - based on policy, collect/store measurement.
260  * @file: pointer to the file to be measured (May be NULL)
261  * @prot: contains the protection that will be applied by the kernel.
262  *
263  * Measure files being mmapped executable based on the ima_must_measure()
264  * policy decision.
265  *
266  * On success return 0.  On integrity appraisal error, assuming the file
267  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
268  */
ima_file_mmap(struct file * file,unsigned long prot)269 int ima_file_mmap(struct file *file, unsigned long prot)
270 {
271 	if (file && (prot & PROT_EXEC))
272 		return process_measurement(file, MAY_EXEC, MMAP_CHECK, 0);
273 	return 0;
274 }
275 
276 /**
277  * ima_bprm_check - based on policy, collect/store measurement.
278  * @bprm: contains the linux_binprm structure
279  *
280  * The OS protects against an executable file, already open for write,
281  * from being executed in deny_write_access() and an executable file,
282  * already open for execute, from being modified in get_write_access().
283  * So we can be certain that what we verify and measure here is actually
284  * what is being executed.
285  *
286  * On success return 0.  On integrity appraisal error, assuming the file
287  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
288  */
ima_bprm_check(struct linux_binprm * bprm)289 int ima_bprm_check(struct linux_binprm *bprm)
290 {
291 	return process_measurement(bprm->file, MAY_EXEC, BPRM_CHECK, 0);
292 }
293 
294 /**
295  * ima_path_check - based on policy, collect/store measurement.
296  * @file: pointer to the file to be measured
297  * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
298  *
299  * Measure files based on the ima_must_measure() policy decision.
300  *
301  * On success return 0.  On integrity appraisal error, assuming the file
302  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
303  */
ima_file_check(struct file * file,int mask,int opened)304 int ima_file_check(struct file *file, int mask, int opened)
305 {
306 	return process_measurement(file,
307 				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
308 				   FILE_CHECK, opened);
309 }
310 EXPORT_SYMBOL_GPL(ima_file_check);
311 
312 /**
313  * ima_module_check - based on policy, collect/store/appraise measurement.
314  * @file: pointer to the file to be measured/appraised
315  *
316  * Measure/appraise kernel modules based on policy.
317  *
318  * On success return 0.  On integrity appraisal error, assuming the file
319  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
320  */
ima_module_check(struct file * file)321 int ima_module_check(struct file *file)
322 {
323 	if (!file) {
324 #ifndef CONFIG_MODULE_SIG_FORCE
325 		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
326 		    (ima_appraise & IMA_APPRAISE_ENFORCE))
327 			return -EACCES;	/* INTEGRITY_UNKNOWN */
328 #endif
329 		return 0;	/* We rely on module signature checking */
330 	}
331 	return process_measurement(file, MAY_EXEC, MODULE_CHECK, 0);
332 }
333 
ima_fw_from_file(struct file * file,char * buf,size_t size)334 int ima_fw_from_file(struct file *file, char *buf, size_t size)
335 {
336 	if (!file) {
337 		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
338 		    (ima_appraise & IMA_APPRAISE_ENFORCE))
339 			return -EACCES;	/* INTEGRITY_UNKNOWN */
340 		return 0;
341 	}
342 	return process_measurement(file, MAY_EXEC, FIRMWARE_CHECK, 0);
343 }
344 
init_ima(void)345 static int __init init_ima(void)
346 {
347 	int error;
348 
349 	hash_setup(CONFIG_IMA_DEFAULT_HASH);
350 	error = ima_init();
351 	if (!error) {
352 		ima_initialized = 1;
353 		ima_update_policy_flag();
354 	}
355 	return error;
356 }
357 
358 late_initcall(init_ima);	/* Start IMA after the TPM is available */
359 
360 MODULE_DESCRIPTION("Integrity Measurement Architecture");
361 MODULE_LICENSE("GPL");
362