2 * Copyright (C) 2008 IBM Corporation
4 * Author: Mimi Zohar <zohar@us.ibm.com>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License as
8 * published by the Free Software Foundation, version 2 of the
12 * Implements must_appraise_or_measure, collect_measurement,
13 * appraise_measurement, store_measurement and store_template.
15 #include <linux/module.h>
16 #include <linux/slab.h>
17 #include <linux/file.h>
19 #include <linux/xattr.h>
20 #include <linux/evm.h>
23 static const char *IMA_TEMPLATE_NAME = "ima";
26 * ima_store_template - store ima template measurements
28 * Calculate the hash of a template entry, add the template entry
29 * to an ordered list of measurement entries maintained inside the kernel,
30 * and also update the aggregate integrity value (maintained inside the
31 * configured TPM PCR) over the hashes of the current list of measurement
34 * Applications retrieve the current kernel-held measurement list through
35 * the securityfs entries in /sys/kernel/security/ima. The signed aggregate
36 * TPM PCR (called quote) can be retrieved using a TPM user space library
37 * and is used to validate the measurement list.
39 * Returns 0 on success, error code otherwise
41 int ima_store_template(struct ima_template_entry *entry,
42 int violation, struct inode *inode)
44 const char *op = "add_template_measure";
45 const char *audit_cause = "hashing_error";
48 struct ima_digest_data hdr;
49 char digest[TPM_DIGEST_SIZE];
52 memset(entry->digest, 0, sizeof(entry->digest));
53 entry->template_name = IMA_TEMPLATE_NAME;
54 entry->template_len = sizeof(entry->template);
57 result = ima_calc_buffer_hash(&entry->template,
58 entry->template_len, &hash.hdr);
60 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
61 entry->template_name, op,
62 audit_cause, result, 0);
65 memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
67 result = ima_add_template_entry(entry, violation, op, inode);
72 * ima_add_violation - add violation to measurement list.
74 * Violations are flagged in the measurement list with zero hash values.
75 * By extending the PCR with 0xFF's instead of with zeroes, the PCR
76 * value is invalidated.
78 void ima_add_violation(struct inode *inode, const unsigned char *filename,
79 const char *op, const char *cause)
81 struct ima_template_entry *entry;
85 /* can overflow, only indicator */
86 atomic_long_inc(&ima_htable.violations);
88 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
93 memset(&entry->template, 0, sizeof(entry->template));
94 strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
95 result = ima_store_template(entry, violation, inode);
99 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
100 op, cause, result, 0);
104 * ima_get_action - appraise & measure decision based on policy.
105 * @inode: pointer to inode to measure
106 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
107 * @function: calling function (FILE_CHECK, BPRM_CHECK, MMAP_CHECK, MODULE_CHECK)
109 * The policy is defined in terms of keypairs:
110 * subj=, obj=, type=, func=, mask=, fsmagic=
111 * subj,obj, and type: are LSM specific.
112 * func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK
113 * mask: contains the permission mask
116 * Returns IMA_MEASURE, IMA_APPRAISE mask.
119 int ima_get_action(struct inode *inode, int mask, int function)
121 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
124 flags &= ~IMA_APPRAISE;
126 return ima_match_policy(inode, function, mask, flags);
129 int ima_must_measure(struct inode *inode, int mask, int function)
131 return ima_match_policy(inode, function, mask, IMA_MEASURE);
135 * ima_collect_measurement - collect file measurement
137 * Calculate the file hash, if it doesn't already exist,
138 * storing the measurement and i_version in the iint.
140 * Must be called with iint->mutex held.
142 * Return 0 on success, error code otherwise
144 int ima_collect_measurement(struct integrity_iint_cache *iint,
146 struct evm_ima_xattr_data **xattr_value,
149 struct inode *inode = file_inode(file);
150 const char *filename = file->f_dentry->d_name.name;
153 struct ima_digest_data hdr;
154 char digest[IMA_MAX_DIGEST_SIZE];
158 *xattr_len = ima_read_xattr(file->f_dentry, xattr_value);
160 if (!(iint->flags & IMA_COLLECTED)) {
161 u64 i_version = file_inode(file)->i_version;
163 /* use default hash algorithm */
164 hash.hdr.algo = ima_hash_algo;
167 ima_get_hash_algo(*xattr_value, *xattr_len, &hash.hdr);
169 result = ima_calc_file_hash(file, &hash.hdr);
171 int length = sizeof(hash.hdr) + hash.hdr.length;
172 void *tmpbuf = krealloc(iint->ima_hash, length,
175 iint->ima_hash = tmpbuf;
176 memcpy(iint->ima_hash, &hash, length);
177 iint->version = i_version;
178 iint->flags |= IMA_COLLECTED;
184 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
185 filename, "collect_data", "failed",
191 * ima_store_measurement - store file measurement
193 * Create an "ima" template and then store the template by calling
194 * ima_store_template.
196 * We only get here if the inode has not already been measured,
197 * but the measurement could already exist:
198 * - multiple copies of the same file on either the same or
199 * different filesystems.
200 * - the inode was previously flushed as well as the iint info,
201 * containing the hashing info.
203 * Must be called with iint->mutex held.
205 void ima_store_measurement(struct integrity_iint_cache *iint,
206 struct file *file, const unsigned char *filename)
208 const char *op = "add_template_measure";
209 const char *audit_cause = "ENOMEM";
210 int result = -ENOMEM;
211 struct inode *inode = file_inode(file);
212 struct ima_template_entry *entry;
215 if (iint->flags & IMA_MEASURED)
218 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
220 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
221 op, audit_cause, result, 0);
224 memset(&entry->template, 0, sizeof(entry->template));
225 if (iint->ima_hash->algo != ima_hash_algo) {
227 struct ima_digest_data hdr;
228 char digest[IMA_MAX_DIGEST_SIZE];
231 hash.hdr.algo = ima_hash_algo;
232 result = ima_calc_file_hash(file, &hash.hdr);
234 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
235 filename, "collect_data", "failed",
238 memcpy(entry->template.digest, hash.hdr.digest,
241 memcpy(entry->template.digest, iint->ima_hash->digest,
242 iint->ima_hash->length);
243 strcpy(entry->template.file_name,
244 (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
245 file->f_dentry->d_name.name : filename);
247 result = ima_store_template(entry, violation, inode);
248 if (!result || result == -EEXIST)
249 iint->flags |= IMA_MEASURED;
254 void ima_audit_measurement(struct integrity_iint_cache *iint,
255 const unsigned char *filename)
257 struct audit_buffer *ab;
258 char hash[(iint->ima_hash->length * 2) + 1];
261 if (iint->flags & IMA_AUDITED)
264 for (i = 0; i < iint->ima_hash->length; i++)
265 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
268 ab = audit_log_start(current->audit_context, GFP_KERNEL,
269 AUDIT_INTEGRITY_RULE);
273 audit_log_format(ab, "file=");
274 audit_log_untrustedstring(ab, filename);
275 audit_log_format(ab, " hash=");
276 audit_log_untrustedstring(ab, hash);
278 audit_log_task_info(ab, current);
281 iint->flags |= IMA_AUDITED;
284 const char *ima_d_path(struct path *path, char **pathbuf)
286 char *pathname = NULL;
288 /* We will allow 11 spaces for ' (deleted)' to be appended */
289 *pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
291 pathname = d_path(path, *pathbuf, PATH_MAX + 11);
292 if (IS_ERR(pathname)) {