1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
2 | /* |
3 | * Copyright (C) 2008 IBM Corporation |
4 | * Author: Mimi Zohar <zohar@us.ibm.com> |
5 | */ |
6 | |
7 | #ifndef _LINUX_IMA_H |
8 | #define _LINUX_IMA_H |
9 | |
10 | #include <linux/kernel_read_file.h> |
11 | #include <linux/fs.h> |
12 | #include <linux/security.h> |
13 | #include <linux/kexec.h> |
14 | #include <crypto/hash_info.h> |
15 | struct linux_binprm; |
16 | |
17 | #ifdef CONFIG_IMA |
/*
 * IMA hook prototypes for CONFIG_IMA=y.  The CONFIG_IMA=n stubs in the
 * #else branch below define what a caller may rely on when IMA is compiled
 * out: the check/notify hooks return 0 or do nothing, ima_file_hash() and
 * ima_inode_hash() return -EOPNOTSUPP, and ima_measure_critical_data()
 * returns -ENOENT.  Code that needs a digest must therefore check the
 * return value rather than assume the output buffer was filled in.
 */
extern enum hash_algo ima_get_current_hash_algo(void);
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
				    struct inode *inode);
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long reqprot,
			 unsigned long prot, unsigned long flags);
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
extern int ima_post_load_data(char *buf, loff_t size,
			      enum kernel_load_data_id id, char *description);
extern int ima_read_file(struct file *file, enum kernel_read_file_id id,
			 bool contents);
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
			      enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct mnt_idmap *idmap,
				struct dentry *dentry);
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
extern int ima_measure_critical_data(const char *event_label,
				     const char *event_name,
				     const void *buf, size_t buf_len,
				     bool hash, u8 *digest, size_t digest_len);
43 | |
44 | #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM |
45 | extern void ima_appraise_parse_cmdline(void); |
46 | #else |
/* CONFIG_IMA_APPRAISE_BOOTPARAM=n: nothing to parse, the hook is a no-op. */
static inline void ima_appraise_parse_cmdline(void)
{
}
48 | #endif |
49 | |
50 | #ifdef CONFIG_IMA_KEXEC |
51 | extern void ima_add_kexec_buffer(struct kimage *image); |
52 | #endif |
53 | |
54 | #else |
/*
 * CONFIG_IMA=n: no measurement algorithm is in use, so report the
 * end-of-enum marker HASH_ALGO__LAST instead of a real algorithm.
 */
static inline enum hash_algo ima_get_current_hash_algo(void) { return HASH_ALGO__LAST; }
59 | |
/* CONFIG_IMA=n: nothing is measured or appraised at exec; 0 means no error. */
static inline int ima_bprm_check(struct linux_binprm *bprm) { return 0; }
64 | |
/* CONFIG_IMA=n: the open is never checked; 0 means no error, for any mask. */
static inline int ima_file_check(struct file *file, int mask) { return 0; }
69 | |
/* CONFIG_IMA=n: no per-inode state to set up for a new tmpfile. */
static inline void ima_post_create_tmpfile(struct mnt_idmap *idmap,
					   struct inode *inode) {}
74 | |
/* CONFIG_IMA=n: nothing was attached to the file, so nothing to release. */
static inline void ima_file_free(struct file *file)
{
}
79 | |
/*
 * CONFIG_IMA=n: mmap of a file is never measured or appraised; 0 means no
 * error regardless of the requested protection or flags.
 */
static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
				unsigned long prot, unsigned long flags) { return 0; }
85 | |
/* CONFIG_IMA=n: protection changes are not re-checked; 0 means no error. */
static inline int ima_file_mprotect(struct vm_area_struct *vma,
				    unsigned long prot) { return 0; }
91 | |
/* CONFIG_IMA=n: loading kernel data of any id is permitted without a check. */
static inline int ima_load_data(enum kernel_load_data_id id, bool contents) { return 0; }
96 | |
/* CONFIG_IMA=n: the loaded buffer is not measured or appraised; 0 means no error. */
static inline int ima_post_load_data(char *buf, loff_t size,
				     enum kernel_load_data_id id,
				     char *description) { return 0; }
103 | |
/* CONFIG_IMA=n: kernel reads of a file are not gated; 0 means no error. */
static inline int ima_read_file(struct file *file, enum kernel_read_file_id id,
				bool contents) { return 0; }
109 | |
/* CONFIG_IMA=n: the read buffer is not measured or appraised; 0 means no error. */
static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
				     enum kernel_read_file_id id) { return 0; }
115 | |
/* CONFIG_IMA=n: no per-inode state to set up for a newly created node. */
static inline void ima_post_path_mknod(struct mnt_idmap *idmap,
				       struct dentry *dentry)
{
}
121 | |
/*
 * CONFIG_IMA=n: no digest can be produced.  -EOPNOTSUPP is returned without
 * touching @buf, so callers must check the result before using the buffer.
 */
static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
{
	return -EOPNOTSUPP;
}
126 | |
/*
 * CONFIG_IMA=n: no digest can be produced.  -EOPNOTSUPP is returned without
 * touching @buf, so callers must check the result before using the buffer.
 */
static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size)
{
	return -EOPNOTSUPP;
}
131 | |
/* CONFIG_IMA=n: the kexec command line is not measured; the buffer is untouched. */
static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
{
}
133 | |
/*
 * CONFIG_IMA=n: nothing is measured and @digest is left untouched; -ENOENT
 * tells the caller that no measurement entry exists.
 */
static inline int ima_measure_critical_data(const char *event_label,
					    const char *event_name,
					    const void *buf, size_t buf_len,
					    bool hash, u8 *digest,
					    size_t digest_len) { return -ENOENT; }
142 | |
143 | #endif /* CONFIG_IMA */ |
144 | |
145 | #ifdef CONFIG_HAVE_IMA_KEXEC |
146 | int __init ima_free_kexec_buffer(void); |
147 | int __init ima_get_kexec_buffer(void **addr, size_t *size); |
148 | #endif |
149 | |
150 | #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT |
151 | extern bool arch_ima_get_secureboot(void); |
152 | extern const char * const *arch_get_ima_policy(void); |
153 | #else |
/*
 * CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=n: the arch provides no secure boot
 * state, so this always reports "not secure boot".
 */
static inline bool arch_ima_get_secureboot(void) { return false; }
158 | |
/*
 * CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=n: there is no arch-specific policy
 * rule list, signalled by a NULL pointer.
 */
static inline const char * const *arch_get_ima_policy(void) { return NULL; }
163 | #endif |
164 | |
165 | #ifndef CONFIG_IMA_KEXEC |
166 | struct kimage; |
167 | |
/* CONFIG_IMA_KEXEC=n: no measurement list is handed over to the next kernel. */
static inline void ima_add_kexec_buffer(struct kimage *image)
{
}
170 | #endif |
171 | |
172 | #ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS |
173 | extern void ima_post_key_create_or_update(struct key *keyring, |
174 | struct key *key, |
175 | const void *payload, size_t plen, |
176 | unsigned long flags, bool create); |
177 | #else |
/* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=n: key creation/update is not measured. */
static inline void ima_post_key_create_or_update(struct key *keyring,
						 struct key *key,
						 const void *payload,
						 size_t plen,
						 unsigned long flags,
						 bool create)
{
}
184 | #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ |
185 | |
186 | #ifdef CONFIG_IMA_APPRAISE |
187 | extern bool is_ima_appraise_enabled(void); |
188 | extern void ima_inode_post_setattr(struct mnt_idmap *idmap, |
189 | struct dentry *dentry); |
190 | extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, |
191 | const void *xattr_value, size_t xattr_value_len); |
192 | extern int ima_inode_set_acl(struct mnt_idmap *idmap, |
193 | struct dentry *dentry, const char *acl_name, |
194 | struct posix_acl *kacl); |
/*
 * Removing an ACL is expressed to IMA as setting it to NULL, so this is a
 * thin wrapper over ima_inode_set_acl() and returns whatever it returns.
 */
static inline int ima_inode_remove_acl(struct mnt_idmap *idmap,
				       struct dentry *dentry,
				       const char *acl_name)
{
	struct posix_acl *removed = NULL;

	return ima_inode_set_acl(idmap, dentry, acl_name, removed);
}
201 | extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name); |
202 | #else |
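/*
 * CONFIG_IMA_APPRAISE=n: appraisal can never be enabled.  Return false rather
 * than 0 so the stub matches its bool return type and the other bool stubs in
 * this header (arch_ima_get_secureboot(), ima_appraise_signature()).
 */
static inline bool is_ima_appraise_enabled(void)
{
	return false;
}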
207 | |
/* CONFIG_IMA_APPRAISE=n: attribute changes do not invalidate any appraisal state. */
static inline void ima_inode_post_setattr(struct mnt_idmap *idmap,
					  struct dentry *dentry) {}
213 | |
/*
 * CONFIG_IMA_APPRAISE=n: no xattr is protected by IMA, so any setxattr is
 * allowed through; 0 means no error.
 */
static inline int ima_inode_setxattr(struct dentry *dentry,
				     const char *xattr_name,
				     const void *xattr_value,
				     size_t xattr_value_len) { return 0; }
221 | |
/* CONFIG_IMA_APPRAISE=n: ACL changes are not vetted by IMA; 0 means no error. */
static inline int ima_inode_set_acl(struct mnt_idmap *idmap,
				    struct dentry *dentry, const char *acl_name,
				    struct posix_acl *kacl) { return 0; }
229 | |
/* CONFIG_IMA_APPRAISE=n: removing any xattr is allowed through; 0 means no error. */
static inline int ima_inode_removexattr(struct dentry *dentry,
					const char *xattr_name) { return 0; }
235 | |
/* CONFIG_IMA_APPRAISE=n: ACL removal is not vetted by IMA; 0 means no error. */
static inline int ima_inode_remove_acl(struct mnt_idmap *idmap,
				       struct dentry *dentry,
				       const char *acl_name) { return 0; }
242 | #endif /* CONFIG_IMA_APPRAISE */ |
243 | |
244 | #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) |
245 | extern bool ima_appraise_signature(enum kernel_read_file_id func); |
246 | #else |
/*
 * Without both CONFIG_IMA_APPRAISE and CONFIG_INTEGRITY_TRUSTED_KEYRING, IMA
 * never requires a signature for any kernel_read_file_id, so this is always
 * false.
 */
static inline bool ima_appraise_signature(enum kernel_read_file_id func) { return false; }
251 | #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ |
252 | #endif /* _LINUX_IMA_H */ |
253 | |