1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Integrity Measurement Architecture |
4 | * |
5 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation |
6 | * |
7 | * Authors: |
8 | * Reiner Sailer <sailer@watson.ibm.com> |
9 | * Serge Hallyn <serue@us.ibm.com> |
10 | * Kylene Hall <kylene@us.ibm.com> |
11 | * Mimi Zohar <zohar@us.ibm.com> |
12 | * |
13 | * File: ima_main.c |
14 | * implements the IMA hooks: ima_bprm_check, ima_file_mmap, |
15 | * and ima_file_check. |
16 | */ |
17 | |
18 | #include <linux/module.h> |
19 | #include <linux/file.h> |
20 | #include <linux/binfmts.h> |
21 | #include <linux/kernel_read_file.h> |
22 | #include <linux/mount.h> |
23 | #include <linux/mman.h> |
24 | #include <linux/slab.h> |
25 | #include <linux/xattr.h> |
26 | #include <linux/ima.h> |
27 | #include <linux/fs.h> |
28 | #include <linux/iversion.h> |
29 | |
30 | #include "ima.h" |
31 | |
32 | #ifdef CONFIG_IMA_APPRAISE |
33 | int ima_appraise = IMA_APPRAISE_ENFORCE; |
34 | #else |
35 | int ima_appraise; |
36 | #endif |
37 | |
38 | int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1; |
39 | static int hash_setup_done; |
40 | |
41 | static struct notifier_block ima_lsm_policy_notifier = { |
42 | .notifier_call = ima_lsm_policy_change, |
43 | }; |
44 | |
45 | static int __init hash_setup(char *str) |
46 | { |
47 | struct ima_template_desc *template_desc = ima_template_desc_current(); |
48 | int i; |
49 | |
50 | if (hash_setup_done) |
51 | return 1; |
52 | |
53 | if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { |
54 | if (strncmp(str, "sha1" , 4) == 0) { |
55 | ima_hash_algo = HASH_ALGO_SHA1; |
56 | } else if (strncmp(str, "md5" , 3) == 0) { |
57 | ima_hash_algo = HASH_ALGO_MD5; |
58 | } else { |
59 | pr_err("invalid hash algorithm \"%s\" for template \"%s\"" , |
60 | str, IMA_TEMPLATE_IMA_NAME); |
61 | return 1; |
62 | } |
63 | goto out; |
64 | } |
65 | |
66 | i = match_string(array: hash_algo_name, n: HASH_ALGO__LAST, string: str); |
67 | if (i < 0) { |
68 | pr_err("invalid hash algorithm \"%s\"" , str); |
69 | return 1; |
70 | } |
71 | |
72 | ima_hash_algo = i; |
73 | out: |
74 | hash_setup_done = 1; |
75 | return 1; |
76 | } |
77 | __setup("ima_hash=" , hash_setup); |
78 | |
79 | enum hash_algo ima_get_current_hash_algo(void) |
80 | { |
81 | return ima_hash_algo; |
82 | } |
83 | |
84 | /* Prevent mmap'ing a file execute that is already mmap'ed write */ |
85 | static int mmap_violation_check(enum ima_hooks func, struct file *file, |
86 | char **pathbuf, const char **pathname, |
87 | char *filename) |
88 | { |
89 | struct inode *inode; |
90 | int rc = 0; |
91 | |
92 | if ((func == MMAP_CHECK || func == MMAP_CHECK_REQPROT) && |
93 | mapping_writably_mapped(mapping: file->f_mapping)) { |
94 | rc = -ETXTBSY; |
95 | inode = file_inode(f: file); |
96 | |
97 | if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */ |
98 | *pathname = ima_d_path(path: &file->f_path, pathbuf, |
99 | filename); |
100 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, fname: *pathname, |
101 | op: "mmap_file" , cause: "mmapped_writers" , result: rc, info: 0); |
102 | } |
103 | return rc; |
104 | } |
105 | |
106 | /* |
107 | * ima_rdwr_violation_check |
108 | * |
109 | * Only invalidate the PCR for measured files: |
110 | * - Opening a file for write when already open for read, |
111 | * results in a time of measure, time of use (ToMToU) error. |
112 | * - Opening a file for read when already open for write, |
113 | * could result in a file measurement error. |
114 | * |
115 | */ |
116 | static void ima_rdwr_violation_check(struct file *file, |
117 | struct ima_iint_cache *iint, |
118 | int must_measure, |
119 | char **pathbuf, |
120 | const char **pathname, |
121 | char *filename) |
122 | { |
123 | struct inode *inode = file_inode(f: file); |
124 | fmode_t mode = file->f_mode; |
125 | bool send_tomtou = false, send_writers = false; |
126 | |
127 | if (mode & FMODE_WRITE) { |
128 | if (atomic_read(v: &inode->i_readcount) && IS_IMA(inode)) { |
129 | if (!iint) |
130 | iint = ima_iint_find(inode); |
131 | /* IMA_MEASURE is set from reader side */ |
132 | if (iint && test_bit(IMA_MUST_MEASURE, |
133 | &iint->atomic_flags)) |
134 | send_tomtou = true; |
135 | } |
136 | } else { |
137 | if (must_measure) |
138 | set_bit(IMA_MUST_MEASURE, addr: &iint->atomic_flags); |
139 | if (inode_is_open_for_write(inode) && must_measure) |
140 | send_writers = true; |
141 | } |
142 | |
143 | if (!send_tomtou && !send_writers) |
144 | return; |
145 | |
146 | *pathname = ima_d_path(path: &file->f_path, pathbuf, filename); |
147 | |
148 | if (send_tomtou) |
149 | ima_add_violation(file, filename: *pathname, iint, |
150 | op: "invalid_pcr" , cause: "ToMToU" ); |
151 | if (send_writers) |
152 | ima_add_violation(file, filename: *pathname, iint, |
153 | op: "invalid_pcr" , cause: "open_writers" ); |
154 | } |
155 | |
156 | static void ima_check_last_writer(struct ima_iint_cache *iint, |
157 | struct inode *inode, struct file *file) |
158 | { |
159 | fmode_t mode = file->f_mode; |
160 | bool update; |
161 | |
162 | if (!(mode & FMODE_WRITE)) |
163 | return; |
164 | |
165 | mutex_lock(&iint->mutex); |
166 | if (atomic_read(v: &inode->i_writecount) == 1) { |
167 | struct kstat stat; |
168 | |
169 | update = test_and_clear_bit(IMA_UPDATE_XATTR, |
170 | addr: &iint->atomic_flags); |
171 | if ((iint->flags & IMA_NEW_FILE) || |
172 | vfs_getattr_nosec(&file->f_path, &stat, |
173 | STATX_CHANGE_COOKIE, |
174 | AT_STATX_SYNC_AS_STAT) || |
175 | !(stat.result_mask & STATX_CHANGE_COOKIE) || |
176 | stat.change_cookie != iint->version) { |
177 | iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); |
178 | iint->measured_pcrs = 0; |
179 | if (update) |
180 | ima_update_xattr(iint, file); |
181 | } |
182 | } |
183 | mutex_unlock(lock: &iint->mutex); |
184 | } |
185 | |
186 | /** |
187 | * ima_file_free - called on __fput() |
188 | * @file: pointer to file structure being freed |
189 | * |
190 | * Flag files that changed, based on i_version |
191 | */ |
192 | static void ima_file_free(struct file *file) |
193 | { |
194 | struct inode *inode = file_inode(f: file); |
195 | struct ima_iint_cache *iint; |
196 | |
197 | if (!ima_policy_flag || !S_ISREG(inode->i_mode)) |
198 | return; |
199 | |
200 | iint = ima_iint_find(inode); |
201 | if (!iint) |
202 | return; |
203 | |
204 | ima_check_last_writer(iint, inode, file); |
205 | } |
206 | |
207 | static int process_measurement(struct file *file, const struct cred *cred, |
208 | u32 secid, char *buf, loff_t size, int mask, |
209 | enum ima_hooks func) |
210 | { |
211 | struct inode *backing_inode, *inode = file_inode(f: file); |
212 | struct ima_iint_cache *iint = NULL; |
213 | struct ima_template_desc *template_desc = NULL; |
214 | char *pathbuf = NULL; |
215 | char filename[NAME_MAX]; |
216 | const char *pathname = NULL; |
217 | int rc = 0, action, must_appraise = 0; |
218 | int pcr = CONFIG_IMA_MEASURE_PCR_IDX; |
219 | struct evm_ima_xattr_data *xattr_value = NULL; |
220 | struct modsig *modsig = NULL; |
221 | int xattr_len = 0; |
222 | bool violation_check; |
223 | enum hash_algo hash_algo; |
224 | unsigned int allowed_algos = 0; |
225 | |
226 | if (!ima_policy_flag || !S_ISREG(inode->i_mode)) |
227 | return 0; |
228 | |
229 | /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action |
230 | * bitmask based on the appraise/audit/measurement policy. |
231 | * Included is the appraise submask. |
232 | */ |
233 | action = ima_get_action(idmap: file_mnt_idmap(file), inode, cred, secid, |
234 | mask, func, pcr: &pcr, template_desc: &template_desc, NULL, |
235 | allowed_algos: &allowed_algos); |
236 | violation_check = ((func == FILE_CHECK || func == MMAP_CHECK || |
237 | func == MMAP_CHECK_REQPROT) && |
238 | (ima_policy_flag & IMA_MEASURE)); |
239 | if (!action && !violation_check) |
240 | return 0; |
241 | |
242 | must_appraise = action & IMA_APPRAISE; |
243 | |
244 | /* Is the appraise rule hook specific? */ |
245 | if (action & IMA_FILE_APPRAISE) |
246 | func = FILE_CHECK; |
247 | |
248 | inode_lock(inode); |
249 | |
250 | if (action) { |
251 | iint = ima_inode_get(inode); |
252 | if (!iint) |
253 | rc = -ENOMEM; |
254 | } |
255 | |
256 | if (!rc && violation_check) |
257 | ima_rdwr_violation_check(file, iint, must_measure: action & IMA_MEASURE, |
258 | pathbuf: &pathbuf, pathname: &pathname, filename); |
259 | |
260 | inode_unlock(inode); |
261 | |
262 | if (rc) |
263 | goto out; |
264 | if (!action) |
265 | goto out; |
266 | |
267 | mutex_lock(&iint->mutex); |
268 | |
269 | if (test_and_clear_bit(IMA_CHANGE_ATTR, addr: &iint->atomic_flags)) |
270 | /* reset appraisal flags if ima_inode_post_setattr was called */ |
271 | iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | |
272 | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | |
273 | IMA_NONACTION_FLAGS); |
274 | |
275 | /* |
276 | * Re-evaulate the file if either the xattr has changed or the |
277 | * kernel has no way of detecting file change on the filesystem. |
278 | * (Limited to privileged mounted filesystems.) |
279 | */ |
280 | if (test_and_clear_bit(IMA_CHANGE_XATTR, addr: &iint->atomic_flags) || |
281 | ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && |
282 | !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) && |
283 | !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) { |
284 | iint->flags &= ~IMA_DONE_MASK; |
285 | iint->measured_pcrs = 0; |
286 | } |
287 | |
288 | /* Detect and re-evaluate changes made to the backing file. */ |
289 | backing_inode = d_real_inode(dentry: file_dentry(file)); |
290 | if (backing_inode != inode && |
291 | (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) { |
292 | if (!IS_I_VERSION(backing_inode) || |
293 | backing_inode->i_sb->s_dev != iint->real_dev || |
294 | backing_inode->i_ino != iint->real_ino || |
295 | !inode_eq_iversion(inode: backing_inode, old: iint->version)) { |
296 | iint->flags &= ~IMA_DONE_MASK; |
297 | iint->measured_pcrs = 0; |
298 | } |
299 | } |
300 | |
301 | /* Determine if already appraised/measured based on bitmask |
302 | * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, |
303 | * IMA_AUDIT, IMA_AUDITED) |
304 | */ |
305 | iint->flags |= action; |
306 | action &= IMA_DO_MASK; |
307 | action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1); |
308 | |
309 | /* If target pcr is already measured, unset IMA_MEASURE action */ |
310 | if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr))) |
311 | action ^= IMA_MEASURE; |
312 | |
313 | /* HASH sets the digital signature and update flags, nothing else */ |
314 | if ((action & IMA_HASH) && |
315 | !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) { |
316 | xattr_len = ima_read_xattr(dentry: file_dentry(file), |
317 | xattr_value: &xattr_value, xattr_len); |
318 | if ((xattr_value && xattr_len > 2) && |
319 | (xattr_value->type == EVM_IMA_XATTR_DIGSIG)) |
320 | set_bit(IMA_DIGSIG, addr: &iint->atomic_flags); |
321 | iint->flags |= IMA_HASHED; |
322 | action ^= IMA_HASH; |
323 | set_bit(IMA_UPDATE_XATTR, addr: &iint->atomic_flags); |
324 | } |
325 | |
326 | /* Nothing to do, just return existing appraised status */ |
327 | if (!action) { |
328 | if (must_appraise) { |
329 | rc = mmap_violation_check(func, file, pathbuf: &pathbuf, |
330 | pathname: &pathname, filename); |
331 | if (!rc) |
332 | rc = ima_get_cache_status(iint, func); |
333 | } |
334 | goto out_locked; |
335 | } |
336 | |
337 | if ((action & IMA_APPRAISE_SUBMASK) || |
338 | strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) { |
339 | /* read 'security.ima' */ |
340 | xattr_len = ima_read_xattr(dentry: file_dentry(file), |
341 | xattr_value: &xattr_value, xattr_len); |
342 | |
343 | /* |
344 | * Read the appended modsig if allowed by the policy, and allow |
345 | * an additional measurement list entry, if needed, based on the |
346 | * template format and whether the file was already measured. |
347 | */ |
348 | if (iint->flags & IMA_MODSIG_ALLOWED) { |
349 | rc = ima_read_modsig(func, buf, buf_len: size, modsig: &modsig); |
350 | |
351 | if (!rc && ima_template_has_modsig(ima_template: template_desc) && |
352 | iint->flags & IMA_MEASURED) |
353 | action |= IMA_MEASURE; |
354 | } |
355 | } |
356 | |
357 | hash_algo = ima_get_hash_algo(xattr_value, xattr_len); |
358 | |
359 | rc = ima_collect_measurement(iint, file, buf, size, algo: hash_algo, modsig); |
360 | if (rc != 0 && rc != -EBADF && rc != -EINVAL) |
361 | goto out_locked; |
362 | |
363 | if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ |
364 | pathname = ima_d_path(path: &file->f_path, pathbuf: &pathbuf, filename); |
365 | |
366 | if (action & IMA_MEASURE) |
367 | ima_store_measurement(iint, file, filename: pathname, |
368 | xattr_value, xattr_len, modsig, pcr, |
369 | template_desc); |
370 | if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { |
371 | rc = ima_check_blacklist(iint, modsig, pcr); |
372 | if (rc != -EPERM) { |
373 | inode_lock(inode); |
374 | rc = ima_appraise_measurement(func, iint, file, |
375 | filename: pathname, xattr_value, |
376 | xattr_len, modsig); |
377 | inode_unlock(inode); |
378 | } |
379 | if (!rc) |
380 | rc = mmap_violation_check(func, file, pathbuf: &pathbuf, |
381 | pathname: &pathname, filename); |
382 | } |
383 | if (action & IMA_AUDIT) |
384 | ima_audit_measurement(iint, filename: pathname); |
385 | |
386 | if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO)) |
387 | rc = 0; |
388 | |
389 | /* Ensure the digest was generated using an allowed algorithm */ |
390 | if (rc == 0 && must_appraise && allowed_algos != 0 && |
391 | (allowed_algos & (1U << hash_algo)) == 0) { |
392 | rc = -EACCES; |
393 | |
394 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode: file_inode(f: file), |
395 | fname: pathname, op: "collect_data" , |
396 | cause: "denied-hash-algorithm" , result: rc, info: 0); |
397 | } |
398 | out_locked: |
399 | if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) && |
400 | !(iint->flags & IMA_NEW_FILE)) |
401 | rc = -EACCES; |
402 | mutex_unlock(lock: &iint->mutex); |
403 | kfree(objp: xattr_value); |
404 | ima_free_modsig(modsig); |
405 | out: |
406 | if (pathbuf) |
407 | __putname(pathbuf); |
408 | if (must_appraise) { |
409 | if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE)) |
410 | return -EACCES; |
411 | if (file->f_mode & FMODE_WRITE) |
412 | set_bit(IMA_UPDATE_XATTR, addr: &iint->atomic_flags); |
413 | } |
414 | return 0; |
415 | } |
416 | |
417 | /** |
418 | * ima_file_mmap - based on policy, collect/store measurement. |
419 | * @file: pointer to the file to be measured (May be NULL) |
420 | * @reqprot: protection requested by the application |
421 | * @prot: protection that will be applied by the kernel |
422 | * @flags: operational flags |
423 | * |
424 | * Measure files being mmapped executable based on the ima_must_measure() |
425 | * policy decision. |
426 | * |
427 | * On success return 0. On integrity appraisal error, assuming the file |
428 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. |
429 | */ |
430 | static int ima_file_mmap(struct file *file, unsigned long reqprot, |
431 | unsigned long prot, unsigned long flags) |
432 | { |
433 | u32 secid; |
434 | int ret; |
435 | |
436 | if (!file) |
437 | return 0; |
438 | |
439 | security_current_getsecid_subj(secid: &secid); |
440 | |
441 | if (reqprot & PROT_EXEC) { |
442 | ret = process_measurement(file, current_cred(), secid, NULL, |
443 | size: 0, MAY_EXEC, func: MMAP_CHECK_REQPROT); |
444 | if (ret) |
445 | return ret; |
446 | } |
447 | |
448 | if (prot & PROT_EXEC) |
449 | return process_measurement(file, current_cred(), secid, NULL, |
450 | size: 0, MAY_EXEC, func: MMAP_CHECK); |
451 | |
452 | return 0; |
453 | } |
454 | |
455 | /** |
456 | * ima_file_mprotect - based on policy, limit mprotect change |
457 | * @vma: vm_area_struct protection is set to |
458 | * @reqprot: protection requested by the application |
459 | * @prot: protection that will be applied by the kernel |
460 | * |
461 | * Files can be mmap'ed read/write and later changed to execute to circumvent |
462 | * IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore |
463 | * would be taken before i_mutex), files can not be measured or appraised at |
464 | * this point. Eliminate this integrity gap by denying the mprotect |
465 | * PROT_EXECUTE change, if an mmap appraise policy rule exists. |
466 | * |
467 | * On mprotect change success, return 0. On failure, return -EACESS. |
468 | */ |
469 | static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, |
470 | unsigned long prot) |
471 | { |
472 | struct ima_template_desc *template = NULL; |
473 | struct file *file; |
474 | char filename[NAME_MAX]; |
475 | char *pathbuf = NULL; |
476 | const char *pathname = NULL; |
477 | struct inode *inode; |
478 | int result = 0; |
479 | int action; |
480 | u32 secid; |
481 | int pcr; |
482 | |
483 | /* Is mprotect making an mmap'ed file executable? */ |
484 | if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file || |
485 | !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) |
486 | return 0; |
487 | |
488 | security_current_getsecid_subj(secid: &secid); |
489 | inode = file_inode(f: vma->vm_file); |
490 | action = ima_get_action(idmap: file_mnt_idmap(file: vma->vm_file), inode, |
491 | current_cred(), secid, MAY_EXEC, func: MMAP_CHECK, |
492 | pcr: &pcr, template_desc: &template, NULL, NULL); |
493 | action |= ima_get_action(idmap: file_mnt_idmap(file: vma->vm_file), inode, |
494 | current_cred(), secid, MAY_EXEC, |
495 | func: MMAP_CHECK_REQPROT, pcr: &pcr, template_desc: &template, NULL, |
496 | NULL); |
497 | |
498 | /* Is the mmap'ed file in policy? */ |
499 | if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) |
500 | return 0; |
501 | |
502 | if (action & IMA_APPRAISE_SUBMASK) |
503 | result = -EPERM; |
504 | |
505 | file = vma->vm_file; |
506 | pathname = ima_d_path(path: &file->f_path, pathbuf: &pathbuf, filename); |
507 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, fname: pathname, |
508 | op: "collect_data" , cause: "failed-mprotect" , result, info: 0); |
509 | if (pathbuf) |
510 | __putname(pathbuf); |
511 | |
512 | return result; |
513 | } |
514 | |
515 | /** |
516 | * ima_bprm_check - based on policy, collect/store measurement. |
517 | * @bprm: contains the linux_binprm structure |
518 | * |
519 | * The OS protects against an executable file, already open for write, |
520 | * from being executed in deny_write_access() and an executable file, |
521 | * already open for execute, from being modified in get_write_access(). |
522 | * So we can be certain that what we verify and measure here is actually |
523 | * what is being executed. |
524 | * |
525 | * On success return 0. On integrity appraisal error, assuming the file |
526 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. |
527 | */ |
528 | static int ima_bprm_check(struct linux_binprm *bprm) |
529 | { |
530 | int ret; |
531 | u32 secid; |
532 | |
533 | security_current_getsecid_subj(secid: &secid); |
534 | ret = process_measurement(file: bprm->file, current_cred(), secid, NULL, size: 0, |
535 | MAY_EXEC, func: BPRM_CHECK); |
536 | if (ret) |
537 | return ret; |
538 | |
539 | security_cred_getsecid(c: bprm->cred, secid: &secid); |
540 | return process_measurement(file: bprm->file, cred: bprm->cred, secid, NULL, size: 0, |
541 | MAY_EXEC, func: CREDS_CHECK); |
542 | } |
543 | |
544 | /** |
545 | * ima_file_check - based on policy, collect/store measurement. |
546 | * @file: pointer to the file to be measured |
547 | * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND |
548 | * |
549 | * Measure files based on the ima_must_measure() policy decision. |
550 | * |
551 | * On success return 0. On integrity appraisal error, assuming the file |
552 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. |
553 | */ |
554 | static int ima_file_check(struct file *file, int mask) |
555 | { |
556 | u32 secid; |
557 | |
558 | security_current_getsecid_subj(secid: &secid); |
559 | return process_measurement(file, current_cred(), secid, NULL, size: 0, |
560 | mask: mask & (MAY_READ | MAY_WRITE | MAY_EXEC | |
561 | MAY_APPEND), func: FILE_CHECK); |
562 | } |
563 | |
564 | static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, |
565 | size_t buf_size) |
566 | { |
567 | struct ima_iint_cache *iint = NULL, tmp_iint; |
568 | int rc, hash_algo; |
569 | |
570 | if (ima_policy_flag) { |
571 | iint = ima_iint_find(inode); |
572 | if (iint) |
573 | mutex_lock(&iint->mutex); |
574 | } |
575 | |
576 | if ((!iint || !(iint->flags & IMA_COLLECTED)) && file) { |
577 | if (iint) |
578 | mutex_unlock(lock: &iint->mutex); |
579 | |
580 | memset(&tmp_iint, 0, sizeof(tmp_iint)); |
581 | mutex_init(&tmp_iint.mutex); |
582 | |
583 | rc = ima_collect_measurement(iint: &tmp_iint, file, NULL, size: 0, |
584 | algo: ima_hash_algo, NULL); |
585 | if (rc < 0) { |
586 | /* ima_hash could be allocated in case of failure. */ |
587 | if (rc != -ENOMEM) |
588 | kfree(objp: tmp_iint.ima_hash); |
589 | |
590 | return -EOPNOTSUPP; |
591 | } |
592 | |
593 | iint = &tmp_iint; |
594 | mutex_lock(&iint->mutex); |
595 | } |
596 | |
597 | if (!iint) |
598 | return -EOPNOTSUPP; |
599 | |
600 | /* |
601 | * ima_file_hash can be called when ima_collect_measurement has still |
602 | * not been called, we might not always have a hash. |
603 | */ |
604 | if (!iint->ima_hash || !(iint->flags & IMA_COLLECTED)) { |
605 | mutex_unlock(lock: &iint->mutex); |
606 | return -EOPNOTSUPP; |
607 | } |
608 | |
609 | if (buf) { |
610 | size_t copied_size; |
611 | |
612 | copied_size = min_t(size_t, iint->ima_hash->length, buf_size); |
613 | memcpy(buf, iint->ima_hash->digest, copied_size); |
614 | } |
615 | hash_algo = iint->ima_hash->algo; |
616 | mutex_unlock(lock: &iint->mutex); |
617 | |
618 | if (iint == &tmp_iint) |
619 | kfree(objp: iint->ima_hash); |
620 | |
621 | return hash_algo; |
622 | } |
623 | |
624 | /** |
625 | * ima_file_hash - return a measurement of the file |
626 | * @file: pointer to the file |
627 | * @buf: buffer in which to store the hash |
628 | * @buf_size: length of the buffer |
629 | * |
630 | * On success, return the hash algorithm (as defined in the enum hash_algo). |
631 | * If buf is not NULL, this function also outputs the hash into buf. |
632 | * If the hash is larger than buf_size, then only buf_size bytes will be copied. |
633 | * It generally just makes sense to pass a buffer capable of holding the largest |
634 | * possible hash: IMA_MAX_DIGEST_SIZE. |
635 | * The file hash returned is based on the entire file, including the appended |
636 | * signature. |
637 | * |
638 | * If the measurement cannot be performed, return -EOPNOTSUPP. |
639 | * If the parameters are incorrect, return -EINVAL. |
640 | */ |
641 | int ima_file_hash(struct file *file, char *buf, size_t buf_size) |
642 | { |
643 | if (!file) |
644 | return -EINVAL; |
645 | |
646 | return __ima_inode_hash(inode: file_inode(f: file), file, buf, buf_size); |
647 | } |
648 | EXPORT_SYMBOL_GPL(ima_file_hash); |
649 | |
650 | /** |
651 | * ima_inode_hash - return the stored measurement if the inode has been hashed |
652 | * and is in the iint cache. |
653 | * @inode: pointer to the inode |
654 | * @buf: buffer in which to store the hash |
655 | * @buf_size: length of the buffer |
656 | * |
657 | * On success, return the hash algorithm (as defined in the enum hash_algo). |
658 | * If buf is not NULL, this function also outputs the hash into buf. |
659 | * If the hash is larger than buf_size, then only buf_size bytes will be copied. |
660 | * It generally just makes sense to pass a buffer capable of holding the largest |
661 | * possible hash: IMA_MAX_DIGEST_SIZE. |
662 | * The hash returned is based on the entire contents, including the appended |
663 | * signature. |
664 | * |
665 | * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP. |
666 | * If the parameters are incorrect, return -EINVAL. |
667 | */ |
668 | int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size) |
669 | { |
670 | if (!inode) |
671 | return -EINVAL; |
672 | |
673 | return __ima_inode_hash(inode, NULL, buf, buf_size); |
674 | } |
675 | EXPORT_SYMBOL_GPL(ima_inode_hash); |
676 | |
677 | /** |
678 | * ima_post_create_tmpfile - mark newly created tmpfile as new |
679 | * @idmap: idmap of the mount the inode was found from |
680 | * @inode: inode of the newly created tmpfile |
681 | * |
682 | * No measuring, appraising or auditing of newly created tmpfiles is needed. |
683 | * Skip calling process_measurement(), but indicate which newly, created |
684 | * tmpfiles are in policy. |
685 | */ |
686 | static void ima_post_create_tmpfile(struct mnt_idmap *idmap, |
687 | struct inode *inode) |
688 | |
689 | { |
690 | struct ima_iint_cache *iint; |
691 | int must_appraise; |
692 | |
693 | if (!ima_policy_flag || !S_ISREG(inode->i_mode)) |
694 | return; |
695 | |
696 | must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS, |
697 | func: FILE_CHECK); |
698 | if (!must_appraise) |
699 | return; |
700 | |
701 | /* Nothing to do if we can't allocate memory */ |
702 | iint = ima_inode_get(inode); |
703 | if (!iint) |
704 | return; |
705 | |
706 | /* needed for writing the security xattrs */ |
707 | set_bit(IMA_UPDATE_XATTR, addr: &iint->atomic_flags); |
708 | iint->ima_file_status = INTEGRITY_PASS; |
709 | } |
710 | |
711 | /** |
712 | * ima_post_path_mknod - mark as a new inode |
713 | * @idmap: idmap of the mount the inode was found from |
714 | * @dentry: newly created dentry |
715 | * |
716 | * Mark files created via the mknodat syscall as new, so that the |
717 | * file data can be written later. |
718 | */ |
719 | static void ima_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry) |
720 | { |
721 | struct ima_iint_cache *iint; |
722 | struct inode *inode = dentry->d_inode; |
723 | int must_appraise; |
724 | |
725 | if (!ima_policy_flag || !S_ISREG(inode->i_mode)) |
726 | return; |
727 | |
728 | must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS, |
729 | func: FILE_CHECK); |
730 | if (!must_appraise) |
731 | return; |
732 | |
733 | /* Nothing to do if we can't allocate memory */ |
734 | iint = ima_inode_get(inode); |
735 | if (!iint) |
736 | return; |
737 | |
738 | /* needed for re-opening empty files */ |
739 | iint->flags |= IMA_NEW_FILE; |
740 | } |
741 | |
742 | /** |
743 | * ima_read_file - pre-measure/appraise hook decision based on policy |
744 | * @file: pointer to the file to be measured/appraised/audit |
745 | * @read_id: caller identifier |
746 | * @contents: whether a subsequent call will be made to ima_post_read_file() |
747 | * |
748 | * Permit reading a file based on policy. The policy rules are written |
749 | * in terms of the policy identifier. Appraising the integrity of |
750 | * a file requires a file descriptor. |
751 | * |
752 | * For permission return 0, otherwise return -EACCES. |
753 | */ |
754 | static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, |
755 | bool contents) |
756 | { |
757 | enum ima_hooks func; |
758 | u32 secid; |
759 | |
760 | /* |
761 | * Do devices using pre-allocated memory run the risk of the |
762 | * firmware being accessible to the device prior to the completion |
763 | * of IMA's signature verification any more than when using two |
764 | * buffers? It may be desirable to include the buffer address |
765 | * in this API and walk all the dma_map_single() mappings to check. |
766 | */ |
767 | |
768 | /* |
769 | * There will be a call made to ima_post_read_file() with |
770 | * a filled buffer, so we don't need to perform an extra |
771 | * read early here. |
772 | */ |
773 | if (contents) |
774 | return 0; |
775 | |
776 | /* Read entire file for all partial reads. */ |
777 | func = read_idmap[read_id] ?: FILE_CHECK; |
778 | security_current_getsecid_subj(secid: &secid); |
779 | return process_measurement(file, current_cred(), secid, NULL, |
780 | size: 0, MAY_READ, func); |
781 | } |
782 | |
783 | const int read_idmap[READING_MAX_ID] = { |
784 | [READING_FIRMWARE] = FIRMWARE_CHECK, |
785 | [READING_MODULE] = MODULE_CHECK, |
786 | [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, |
787 | [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, |
788 | [READING_POLICY] = POLICY_CHECK |
789 | }; |
790 | |
791 | /** |
792 | * ima_post_read_file - in memory collect/appraise/audit measurement |
793 | * @file: pointer to the file to be measured/appraised/audit |
794 | * @buf: pointer to in memory file contents |
795 | * @size: size of in memory file contents |
796 | * @read_id: caller identifier |
797 | * |
798 | * Measure/appraise/audit in memory file based on policy. Policy rules |
799 | * are written in terms of a policy identifier. |
800 | * |
801 | * On success return 0. On integrity appraisal error, assuming the file |
802 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. |
803 | */ |
804 | static int ima_post_read_file(struct file *file, char *buf, loff_t size, |
805 | enum kernel_read_file_id read_id) |
806 | { |
807 | enum ima_hooks func; |
808 | u32 secid; |
809 | |
810 | /* permit signed certs */ |
811 | if (!file && read_id == READING_X509_CERTIFICATE) |
812 | return 0; |
813 | |
814 | if (!file || !buf || size == 0) { /* should never happen */ |
815 | if (ima_appraise & IMA_APPRAISE_ENFORCE) |
816 | return -EACCES; |
817 | return 0; |
818 | } |
819 | |
820 | func = read_idmap[read_id] ?: FILE_CHECK; |
821 | security_current_getsecid_subj(secid: &secid); |
822 | return process_measurement(file, current_cred(), secid, buf, size, |
823 | MAY_READ, func); |
824 | } |
825 | |
826 | /** |
827 | * ima_load_data - appraise decision based on policy |
828 | * @id: kernel load data caller identifier |
829 | * @contents: whether the full contents will be available in a later |
830 | * call to ima_post_load_data(). |
831 | * |
832 | * Callers of this LSM hook can not measure, appraise, or audit the |
833 | * data provided by userspace. Enforce policy rules requiring a file |
834 | * signature (eg. kexec'ed kernel image). |
835 | * |
836 | * For permission return 0, otherwise return -EACCES. |
837 | */ |
838 | static int ima_load_data(enum kernel_load_data_id id, bool contents) |
839 | { |
840 | bool ima_enforce, sig_enforce; |
841 | |
842 | ima_enforce = |
843 | (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; |
844 | |
845 | switch (id) { |
846 | case LOADING_KEXEC_IMAGE: |
847 | if (IS_ENABLED(CONFIG_KEXEC_SIG) |
848 | && arch_ima_get_secureboot()) { |
849 | pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n" ); |
850 | return -EACCES; |
851 | } |
852 | |
853 | if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) { |
854 | pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n" ); |
855 | return -EACCES; /* INTEGRITY_UNKNOWN */ |
856 | } |
857 | break; |
858 | case LOADING_FIRMWARE: |
859 | if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) { |
860 | pr_err("Prevent firmware sysfs fallback loading.\n" ); |
861 | return -EACCES; /* INTEGRITY_UNKNOWN */ |
862 | } |
863 | break; |
864 | case LOADING_MODULE: |
865 | sig_enforce = is_module_sig_enforced(); |
866 | |
867 | if (ima_enforce && (!sig_enforce |
868 | && (ima_appraise & IMA_APPRAISE_MODULES))) { |
869 | pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n" ); |
870 | return -EACCES; /* INTEGRITY_UNKNOWN */ |
871 | } |
872 | break; |
873 | default: |
874 | break; |
875 | } |
876 | return 0; |
877 | } |
878 | |
879 | /** |
880 | * ima_post_load_data - appraise decision based on policy |
881 | * @buf: pointer to in memory file contents |
882 | * @size: size of in memory file contents |
883 | * @load_id: kernel load data caller identifier |
884 | * @description: @load_id-specific description of contents |
885 | * |
886 | * Measure/appraise/audit in memory buffer based on policy. Policy rules |
887 | * are written in terms of a policy identifier. |
888 | * |
889 | * On success return 0. On integrity appraisal error, assuming the file |
890 | * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. |
891 | */ |
892 | static int ima_post_load_data(char *buf, loff_t size, |
893 | enum kernel_load_data_id load_id, |
894 | char *description) |
895 | { |
896 | if (load_id == LOADING_FIRMWARE) { |
897 | if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && |
898 | (ima_appraise & IMA_APPRAISE_ENFORCE)) { |
899 | pr_err("Prevent firmware loading_store.\n" ); |
900 | return -EACCES; /* INTEGRITY_UNKNOWN */ |
901 | } |
902 | return 0; |
903 | } |
904 | |
905 | return 0; |
906 | } |
907 | |
908 | /** |
909 | * process_buffer_measurement - Measure the buffer or the buffer data hash |
910 | * @idmap: idmap of the mount the inode was found from |
911 | * @inode: inode associated with the object being measured (NULL for KEY_CHECK) |
912 | * @buf: pointer to the buffer that needs to be added to the log. |
913 | * @size: size of buffer(in bytes). |
914 | * @eventname: event name to be used for the buffer entry. |
915 | * @func: IMA hook |
916 | * @pcr: pcr to extend the measurement |
917 | * @func_data: func specific data, may be NULL |
918 | * @buf_hash: measure buffer data hash |
919 | * @digest: buffer digest will be written to |
920 | * @digest_len: buffer length |
921 | * |
922 | * Based on policy, either the buffer data or buffer data hash is measured |
923 | * |
924 | * Return: 0 if the buffer has been successfully measured, 1 if the digest |
925 | * has been written to the passed location but not added to a measurement entry, |
926 | * a negative value otherwise. |
927 | */ |
928 | int process_buffer_measurement(struct mnt_idmap *idmap, |
929 | struct inode *inode, const void *buf, int size, |
930 | const char *eventname, enum ima_hooks func, |
931 | int pcr, const char *func_data, |
932 | bool buf_hash, u8 *digest, size_t digest_len) |
933 | { |
934 | int ret = 0; |
935 | const char *audit_cause = "ENOMEM" ; |
936 | struct ima_template_entry *entry = NULL; |
937 | struct ima_iint_cache iint = {}; |
938 | struct ima_event_data event_data = {.iint = &iint, |
939 | .filename = eventname, |
940 | .buf = buf, |
941 | .buf_len = size}; |
942 | struct ima_template_desc *template; |
943 | struct ima_max_digest_data hash; |
944 | char digest_hash[IMA_MAX_DIGEST_SIZE]; |
945 | int digest_hash_len = hash_digest_size[ima_hash_algo]; |
946 | int violation = 0; |
947 | int action = 0; |
948 | u32 secid; |
949 | |
950 | if (digest && digest_len < digest_hash_len) |
951 | return -EINVAL; |
952 | |
953 | if (!ima_policy_flag && !digest) |
954 | return -ENOENT; |
955 | |
956 | template = ima_template_desc_buf(); |
957 | if (!template) { |
958 | ret = -EINVAL; |
959 | audit_cause = "ima_template_desc_buf" ; |
960 | goto out; |
961 | } |
962 | |
963 | /* |
964 | * Both LSM hooks and auxilary based buffer measurements are |
965 | * based on policy. To avoid code duplication, differentiate |
966 | * between the LSM hooks and auxilary buffer measurements, |
967 | * retrieving the policy rule information only for the LSM hook |
968 | * buffer measurements. |
969 | */ |
970 | if (func) { |
971 | security_current_getsecid_subj(secid: &secid); |
972 | action = ima_get_action(idmap, inode, current_cred(), |
973 | secid, mask: 0, func, pcr: &pcr, template_desc: &template, |
974 | func_data, NULL); |
975 | if (!(action & IMA_MEASURE) && !digest) |
976 | return -ENOENT; |
977 | } |
978 | |
979 | if (!pcr) |
980 | pcr = CONFIG_IMA_MEASURE_PCR_IDX; |
981 | |
982 | iint.ima_hash = &hash.hdr; |
983 | iint.ima_hash->algo = ima_hash_algo; |
984 | iint.ima_hash->length = hash_digest_size[ima_hash_algo]; |
985 | |
986 | ret = ima_calc_buffer_hash(buf, len: size, hash: iint.ima_hash); |
987 | if (ret < 0) { |
988 | audit_cause = "hashing_error" ; |
989 | goto out; |
990 | } |
991 | |
992 | if (buf_hash) { |
993 | memcpy(digest_hash, hash.hdr.digest, digest_hash_len); |
994 | |
995 | ret = ima_calc_buffer_hash(buf: digest_hash, len: digest_hash_len, |
996 | hash: iint.ima_hash); |
997 | if (ret < 0) { |
998 | audit_cause = "hashing_error" ; |
999 | goto out; |
1000 | } |
1001 | |
1002 | event_data.buf = digest_hash; |
1003 | event_data.buf_len = digest_hash_len; |
1004 | } |
1005 | |
1006 | if (digest) |
1007 | memcpy(digest, iint.ima_hash->digest, digest_hash_len); |
1008 | |
1009 | if (!ima_policy_flag || (func && !(action & IMA_MEASURE))) |
1010 | return 1; |
1011 | |
1012 | ret = ima_alloc_init_template(event_data: &event_data, entry: &entry, template_desc: template); |
1013 | if (ret < 0) { |
1014 | audit_cause = "alloc_entry" ; |
1015 | goto out; |
1016 | } |
1017 | |
1018 | ret = ima_store_template(entry, violation, NULL, filename: event_data.buf, pcr); |
1019 | if (ret < 0) { |
1020 | audit_cause = "store_entry" ; |
1021 | ima_free_template_entry(entry); |
1022 | } |
1023 | |
1024 | out: |
1025 | if (ret < 0) |
1026 | integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, fname: eventname, |
1027 | op: func_measure_str(func), |
1028 | cause: audit_cause, result: ret, info: 0, errno: ret); |
1029 | |
1030 | return ret; |
1031 | } |
1032 | |
1033 | /** |
1034 | * ima_kexec_cmdline - measure kexec cmdline boot args |
1035 | * @kernel_fd: file descriptor of the kexec kernel being loaded |
1036 | * @buf: pointer to buffer |
1037 | * @size: size of buffer |
1038 | * |
1039 | * Buffers can only be measured, not appraised. |
1040 | */ |
1041 | void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) |
1042 | { |
1043 | struct fd f; |
1044 | |
1045 | if (!buf || !size) |
1046 | return; |
1047 | |
1048 | f = fdget(fd: kernel_fd); |
1049 | if (!f.file) |
1050 | return; |
1051 | |
1052 | process_buffer_measurement(idmap: file_mnt_idmap(file: f.file), inode: file_inode(f: f.file), |
1053 | buf, size, eventname: "kexec-cmdline" , func: KEXEC_CMDLINE, pcr: 0, |
1054 | NULL, buf_hash: false, NULL, digest_len: 0); |
1055 | fdput(fd: f); |
1056 | } |
1057 | |
1058 | /** |
1059 | * ima_measure_critical_data - measure kernel integrity critical data |
1060 | * @event_label: unique event label for grouping and limiting critical data |
1061 | * @event_name: event name for the record in the IMA measurement list |
1062 | * @buf: pointer to buffer data |
1063 | * @buf_len: length of buffer data (in bytes) |
1064 | * @hash: measure buffer data hash |
1065 | * @digest: buffer digest will be written to |
1066 | * @digest_len: buffer length |
1067 | * |
1068 | * Measure data critical to the integrity of the kernel into the IMA log |
1069 | * and extend the pcr. Examples of critical data could be various data |
1070 | * structures, policies, and states stored in kernel memory that can |
1071 | * impact the integrity of the system. |
1072 | * |
1073 | * Return: 0 if the buffer has been successfully measured, 1 if the digest |
1074 | * has been written to the passed location but not added to a measurement entry, |
1075 | * a negative value otherwise. |
1076 | */ |
1077 | int ima_measure_critical_data(const char *event_label, |
1078 | const char *event_name, |
1079 | const void *buf, size_t buf_len, |
1080 | bool hash, u8 *digest, size_t digest_len) |
1081 | { |
1082 | if (!event_name || !event_label || !buf || !buf_len) |
1083 | return -ENOPARAM; |
1084 | |
1085 | return process_buffer_measurement(idmap: &nop_mnt_idmap, NULL, buf, size: buf_len, |
1086 | eventname: event_name, func: CRITICAL_DATA, pcr: 0, |
1087 | func_data: event_label, buf_hash: hash, digest, |
1088 | digest_len); |
1089 | } |
1090 | EXPORT_SYMBOL_GPL(ima_measure_critical_data); |
1091 | |
1092 | #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS |
1093 | |
1094 | /** |
1095 | * ima_kernel_module_request - Prevent crypto-pkcs1pad(rsa,*) requests |
1096 | * @kmod_name: kernel module name |
1097 | * |
1098 | * Avoid a verification loop where verifying the signature of the modprobe |
1099 | * binary requires executing modprobe itself. Since the modprobe iint->mutex |
1100 | * is already held when the signature verification is performed, a deadlock |
1101 | * occurs as soon as modprobe is executed within the critical region, since |
1102 | * the same lock cannot be taken again. |
1103 | * |
1104 | * This happens when public_key_verify_signature(), in case of RSA algorithm, |
1105 | * use alg_name to store internal information in order to construct an |
1106 | * algorithm on the fly, but crypto_larval_lookup() will try to use alg_name |
1107 | * in order to load a kernel module with same name. |
1108 | * |
1109 | * Since we don't have any real "crypto-pkcs1pad(rsa,*)" kernel modules, |
1110 | * we are safe to fail such module request from crypto_larval_lookup(), and |
1111 | * avoid the verification loop. |
1112 | * |
1113 | * Return: Zero if it is safe to load the kernel module, -EINVAL otherwise. |
1114 | */ |
1115 | static int ima_kernel_module_request(char *kmod_name) |
1116 | { |
1117 | if (strncmp(kmod_name, "crypto-pkcs1pad(rsa," , 20) == 0) |
1118 | return -EINVAL; |
1119 | |
1120 | return 0; |
1121 | } |
1122 | |
1123 | #endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */ |
1124 | |
1125 | static int __init init_ima(void) |
1126 | { |
1127 | int error; |
1128 | |
1129 | ima_appraise_parse_cmdline(); |
1130 | ima_init_template_list(); |
1131 | hash_setup(CONFIG_IMA_DEFAULT_HASH); |
1132 | error = ima_init(); |
1133 | |
1134 | if (error && strcmp(hash_algo_name[ima_hash_algo], |
1135 | CONFIG_IMA_DEFAULT_HASH) != 0) { |
1136 | pr_info("Allocating %s failed, going to use default hash algorithm %s\n" , |
1137 | hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); |
1138 | hash_setup_done = 0; |
1139 | hash_setup(CONFIG_IMA_DEFAULT_HASH); |
1140 | error = ima_init(); |
1141 | } |
1142 | |
1143 | if (error) |
1144 | return error; |
1145 | |
1146 | error = register_blocking_lsm_notifier(nb: &ima_lsm_policy_notifier); |
1147 | if (error) |
1148 | pr_warn("Couldn't register LSM notifier, error %d\n" , error); |
1149 | |
1150 | if (!error) |
1151 | ima_update_policy_flags(); |
1152 | |
1153 | return error; |
1154 | } |
1155 | |
1156 | static struct security_hook_list ima_hooks[] __ro_after_init = { |
1157 | LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), |
1158 | LSM_HOOK_INIT(file_post_open, ima_file_check), |
1159 | LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile), |
1160 | LSM_HOOK_INIT(file_release, ima_file_free), |
1161 | LSM_HOOK_INIT(mmap_file, ima_file_mmap), |
1162 | LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), |
1163 | LSM_HOOK_INIT(kernel_load_data, ima_load_data), |
1164 | LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data), |
1165 | LSM_HOOK_INIT(kernel_read_file, ima_read_file), |
1166 | LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), |
1167 | LSM_HOOK_INIT(path_post_mknod, ima_post_path_mknod), |
1168 | #ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS |
1169 | LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update), |
1170 | #endif |
1171 | #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS |
1172 | LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request), |
1173 | #endif |
1174 | LSM_HOOK_INIT(inode_free_security, ima_inode_free), |
1175 | }; |
1176 | |
1177 | static const struct lsm_id ima_lsmid = { |
1178 | .name = "ima" , |
1179 | .id = LSM_ID_IMA, |
1180 | }; |
1181 | |
1182 | static int __init init_ima_lsm(void) |
1183 | { |
1184 | ima_iintcache_init(); |
1185 | security_add_hooks(hooks: ima_hooks, ARRAY_SIZE(ima_hooks), lsmid: &ima_lsmid); |
1186 | init_ima_appraise_lsm(lsmid: &ima_lsmid); |
1187 | return 0; |
1188 | } |
1189 | |
1190 | struct lsm_blob_sizes ima_blob_sizes __ro_after_init = { |
1191 | .lbs_inode = sizeof(struct ima_iint_cache *), |
1192 | }; |
1193 | |
1194 | DEFINE_LSM(ima) = { |
1195 | .name = "ima" , |
1196 | .init = init_ima_lsm, |
1197 | .order = LSM_ORDER_LAST, |
1198 | .blobs = &ima_blob_sizes, |
1199 | }; |
1200 | |
1201 | late_initcall(init_ima); /* Start IMA after the TPM is available */ |
1202 | |