1/*
2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3 *
4 * Authors:
5 * Reiner Sailer <sailer@watson.ibm.com>
6 * Serge Hallyn <serue@us.ibm.com>
7 * Kylene Hall <kylene@us.ibm.com>
8 * Mimi Zohar <zohar@us.ibm.com>
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
13 * License.
14 *
15 * File: ima_main.c
16 *	implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17 *	and ima_file_check.
18 */
19#include <linux/module.h>
20#include <linux/file.h>
21#include <linux/binfmts.h>
22#include <linux/mount.h>
23#include <linux/mman.h>
24#include <linux/slab.h>
25#include <linux/xattr.h>
26#include <linux/ima.h>
27#include <crypto/hash_info.h>
28
29#include "ima.h"
30
31int ima_initialized;
32
33#ifdef CONFIG_IMA_APPRAISE
34int ima_appraise = IMA_APPRAISE_ENFORCE;
35#else
36int ima_appraise;
37#endif
38
39int ima_hash_algo = HASH_ALGO_SHA1;
40static int hash_setup_done;
41
42static int __init hash_setup(char *str)
43{
44	struct ima_template_desc *template_desc = ima_template_desc_current();
45	int i;
46
47	if (hash_setup_done)
48		return 1;
49
50	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
51		if (strncmp(str, "sha1", 4) == 0)
52			ima_hash_algo = HASH_ALGO_SHA1;
53		else if (strncmp(str, "md5", 3) == 0)
54			ima_hash_algo = HASH_ALGO_MD5;
55		goto out;
56	}
57
58	for (i = 0; i < HASH_ALGO__LAST; i++) {
59		if (strcmp(str, hash_algo_name[i]) == 0) {
60			ima_hash_algo = i;
61			break;
62		}
63	}
64out:
65	hash_setup_done = 1;
66	return 1;
67}
68__setup("ima_hash=", hash_setup);
69
70/*
71 * ima_rdwr_violation_check
72 *
73 * Only invalidate the PCR for measured files:
74 *	- Opening a file for write when already open for read,
75 *	  results in a time of measure, time of use (ToMToU) error.
76 *	- Opening a file for read when already open for write,
77 *	  could result in a file measurement error.
78 *
79 */
80static void ima_rdwr_violation_check(struct file *file,
81				     struct integrity_iint_cache *iint,
82				     int must_measure,
83				     char **pathbuf,
84				     const char **pathname)
85{
86	struct inode *inode = file_inode(file);
87	fmode_t mode = file->f_mode;
88	bool send_tomtou = false, send_writers = false;
89
90	if (mode & FMODE_WRITE) {
91		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
92			if (!iint)
93				iint = integrity_iint_find(inode);
94			/* IMA_MEASURE is set from reader side */
95			if (iint && (iint->flags & IMA_MEASURE))
96				send_tomtou = true;
97		}
98	} else {
99		if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
100			send_writers = true;
101	}
102
103	if (!send_tomtou && !send_writers)
104		return;
105
106	*pathname = ima_d_path(&file->f_path, pathbuf);
107
108	if (send_tomtou)
109		ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU");
110	if (send_writers)
111		ima_add_violation(file, *pathname,
112				  "invalid_pcr", "open_writers");
113}
114
115static void ima_check_last_writer(struct integrity_iint_cache *iint,
116				  struct inode *inode, struct file *file)
117{
118	fmode_t mode = file->f_mode;
119
120	if (!(mode & FMODE_WRITE))
121		return;
122
123	mutex_lock(&inode->i_mutex);
124	if (atomic_read(&inode->i_writecount) == 1) {
125		if ((iint->version != inode->i_version) ||
126		    (iint->flags & IMA_NEW_FILE)) {
127			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
128			if (iint->flags & IMA_APPRAISE)
129				ima_update_xattr(iint, file);
130		}
131	}
132	mutex_unlock(&inode->i_mutex);
133}
134
135/**
136 * ima_file_free - called on __fput()
137 * @file: pointer to file structure being freed
138 *
139 * Flag files that changed, based on i_version
140 */
141void ima_file_free(struct file *file)
142{
143	struct inode *inode = file_inode(file);
144	struct integrity_iint_cache *iint;
145
146	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
147		return;
148
149	iint = integrity_iint_find(inode);
150	if (!iint)
151		return;
152
153	ima_check_last_writer(iint, inode, file);
154}
155
156static int process_measurement(struct file *file, int mask, int function,
157			       int opened)
158{
159	struct inode *inode = file_inode(file);
160	struct integrity_iint_cache *iint = NULL;
161	struct ima_template_desc *template_desc;
162	char *pathbuf = NULL;
163	const char *pathname = NULL;
164	int rc = -ENOMEM, action, must_appraise;
165	struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
166	int xattr_len = 0;
167	bool violation_check;
168
169	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
170		return 0;
171
172	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
173	 * bitmask based on the appraise/audit/measurement policy.
174	 * Included is the appraise submask.
175	 */
176	action = ima_get_action(inode, mask, function);
177	violation_check = ((function == FILE_CHECK || function == MMAP_CHECK) &&
178			   (ima_policy_flag & IMA_MEASURE));
179	if (!action && !violation_check)
180		return 0;
181
182	must_appraise = action & IMA_APPRAISE;
183
184	/*  Is the appraise rule hook specific?  */
185	if (action & IMA_FILE_APPRAISE)
186		function = FILE_CHECK;
187
188	mutex_lock(&inode->i_mutex);
189
190	if (action) {
191		iint = integrity_inode_get(inode);
192		if (!iint)
193			goto out;
194	}
195
196	if (violation_check) {
197		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
198					 &pathbuf, &pathname);
199		if (!action) {
200			rc = 0;
201			goto out_free;
202		}
203	}
204
205	/* Determine if already appraised/measured based on bitmask
206	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
207	 *  IMA_AUDIT, IMA_AUDITED)
208	 */
209	iint->flags |= action;
210	action &= IMA_DO_MASK;
211	action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
212
213	/* Nothing to do, just return existing appraised status */
214	if (!action) {
215		if (must_appraise)
216			rc = ima_get_cache_status(iint, function);
217		goto out_digsig;
218	}
219
220	template_desc = ima_template_desc_current();
221	if ((action & IMA_APPRAISE_SUBMASK) ||
222		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
223		xattr_ptr = &xattr_value;
224
225	rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
226	if (rc != 0) {
227		if (file->f_flags & O_DIRECT)
228			rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
229		goto out_digsig;
230	}
231
232	if (!pathname)	/* ima_rdwr_violation possibly pre-fetched */
233		pathname = ima_d_path(&file->f_path, &pathbuf);
234
235	if (action & IMA_MEASURE)
236		ima_store_measurement(iint, file, pathname,
237				      xattr_value, xattr_len);
238	if (action & IMA_APPRAISE_SUBMASK)
239		rc = ima_appraise_measurement(function, iint, file, pathname,
240					      xattr_value, xattr_len, opened);
241	if (action & IMA_AUDIT)
242		ima_audit_measurement(iint, pathname);
243
244out_digsig:
245	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
246		rc = -EACCES;
247	kfree(xattr_value);
248out_free:
249	if (pathbuf)
250		__putname(pathbuf);
251out:
252	mutex_unlock(&inode->i_mutex);
253	if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
254		return -EACCES;
255	return 0;
256}
257
258/**
259 * ima_file_mmap - based on policy, collect/store measurement.
260 * @file: pointer to the file to be measured (May be NULL)
261 * @prot: contains the protection that will be applied by the kernel.
262 *
263 * Measure files being mmapped executable based on the ima_must_measure()
264 * policy decision.
265 *
266 * On success return 0.  On integrity appraisal error, assuming the file
267 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
268 */
269int ima_file_mmap(struct file *file, unsigned long prot)
270{
271	if (file && (prot & PROT_EXEC))
272		return process_measurement(file, MAY_EXEC, MMAP_CHECK, 0);
273	return 0;
274}
275
276/**
277 * ima_bprm_check - based on policy, collect/store measurement.
278 * @bprm: contains the linux_binprm structure
279 *
280 * The OS protects against an executable file, already open for write,
281 * from being executed in deny_write_access() and an executable file,
282 * already open for execute, from being modified in get_write_access().
283 * So we can be certain that what we verify and measure here is actually
284 * what is being executed.
285 *
286 * On success return 0.  On integrity appraisal error, assuming the file
287 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
288 */
289int ima_bprm_check(struct linux_binprm *bprm)
290{
291	return process_measurement(bprm->file, MAY_EXEC, BPRM_CHECK, 0);
292}
293
294/**
295 * ima_path_check - based on policy, collect/store measurement.
296 * @file: pointer to the file to be measured
297 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
298 *
299 * Measure files based on the ima_must_measure() policy decision.
300 *
301 * On success return 0.  On integrity appraisal error, assuming the file
302 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
303 */
304int ima_file_check(struct file *file, int mask, int opened)
305{
306	return process_measurement(file,
307				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
308				   FILE_CHECK, opened);
309}
310EXPORT_SYMBOL_GPL(ima_file_check);
311
312/**
313 * ima_module_check - based on policy, collect/store/appraise measurement.
314 * @file: pointer to the file to be measured/appraised
315 *
316 * Measure/appraise kernel modules based on policy.
317 *
318 * On success return 0.  On integrity appraisal error, assuming the file
319 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
320 */
321int ima_module_check(struct file *file)
322{
323	if (!file) {
324#ifndef CONFIG_MODULE_SIG_FORCE
325		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
326		    (ima_appraise & IMA_APPRAISE_ENFORCE))
327			return -EACCES;	/* INTEGRITY_UNKNOWN */
328#endif
329		return 0;	/* We rely on module signature checking */
330	}
331	return process_measurement(file, MAY_EXEC, MODULE_CHECK, 0);
332}
333
334int ima_fw_from_file(struct file *file, char *buf, size_t size)
335{
336	if (!file) {
337		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
338		    (ima_appraise & IMA_APPRAISE_ENFORCE))
339			return -EACCES;	/* INTEGRITY_UNKNOWN */
340		return 0;
341	}
342	return process_measurement(file, MAY_EXEC, FIRMWARE_CHECK, 0);
343}
344
345static int __init init_ima(void)
346{
347	int error;
348
349	hash_setup(CONFIG_IMA_DEFAULT_HASH);
350	error = ima_init();
351	if (!error) {
352		ima_initialized = 1;
353		ima_update_policy_flag();
354	}
355	return error;
356}
357
358late_initcall(init_ima);	/* Start IMA after the TPM is available */
359
360MODULE_DESCRIPTION("Integrity Measurement Architecture");
361MODULE_LICENSE("GPL");
362