1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Integrity Measurement Architecture
4 *
5 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
6 *
7 * Authors:
8 * Reiner Sailer <sailer@watson.ibm.com>
9 * Serge Hallyn <serue@us.ibm.com>
10 * Kylene Hall <kylene@us.ibm.com>
11 * Mimi Zohar <zohar@us.ibm.com>
12 *
13 * File: ima_main.c
14 * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
15 * and ima_file_check.
16 */
17
18 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
19
20 #include <linux/module.h>
21 #include <linux/file.h>
22 #include <linux/binfmts.h>
23 #include <linux/mount.h>
24 #include <linux/mman.h>
25 #include <linux/slab.h>
26 #include <linux/xattr.h>
27 #include <linux/ima.h>
28 #include <linux/iversion.h>
29 #include <linux/fs.h>
30 #include <linux/iversion.h>
31
32 #include "ima.h"
33
34 #ifdef CONFIG_IMA_APPRAISE
35 int ima_appraise = IMA_APPRAISE_ENFORCE;
36 #else
37 int ima_appraise;
38 #endif
39
40 int ima_hash_algo = HASH_ALGO_SHA1;
41 static int hash_setup_done;
42
43 static struct notifier_block ima_lsm_policy_notifier = {
44 .notifier_call = ima_lsm_policy_change,
45 };
46
hash_setup(char * str)47 static int __init hash_setup(char *str)
48 {
49 struct ima_template_desc *template_desc = ima_template_desc_current();
50 int i;
51
52 if (hash_setup_done)
53 return 1;
54
55 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
56 if (strncmp(str, "sha1", 4) == 0)
57 ima_hash_algo = HASH_ALGO_SHA1;
58 else if (strncmp(str, "md5", 3) == 0)
59 ima_hash_algo = HASH_ALGO_MD5;
60 else
61 return 1;
62 goto out;
63 }
64
65 i = match_string(hash_algo_name, HASH_ALGO__LAST, str);
66 if (i < 0)
67 return 1;
68
69 ima_hash_algo = i;
70 out:
71 hash_setup_done = 1;
72 return 1;
73 }
74 __setup("ima_hash=", hash_setup);
75
76 /* Prevent mmap'ing a file execute that is already mmap'ed write */
mmap_violation_check(enum ima_hooks func,struct file * file,char ** pathbuf,const char ** pathname,char * filename)77 static int mmap_violation_check(enum ima_hooks func, struct file *file,
78 char **pathbuf, const char **pathname,
79 char *filename)
80 {
81 struct inode *inode;
82 int rc = 0;
83
84 if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) {
85 rc = -ETXTBSY;
86 inode = file_inode(file);
87
88 if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */
89 *pathname = ima_d_path(&file->f_path, pathbuf,
90 filename);
91 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, *pathname,
92 "mmap_file", "mmapped_writers", rc, 0);
93 }
94 return rc;
95 }
96
97 /*
98 * ima_rdwr_violation_check
99 *
100 * Only invalidate the PCR for measured files:
101 * - Opening a file for write when already open for read,
102 * results in a time of measure, time of use (ToMToU) error.
103 * - Opening a file for read when already open for write,
104 * could result in a file measurement error.
105 *
106 */
ima_rdwr_violation_check(struct file * file,struct integrity_iint_cache * iint,int must_measure,char ** pathbuf,const char ** pathname,char * filename)107 static void ima_rdwr_violation_check(struct file *file,
108 struct integrity_iint_cache *iint,
109 int must_measure,
110 char **pathbuf,
111 const char **pathname,
112 char *filename)
113 {
114 struct inode *inode = file_inode(file);
115 fmode_t mode = file->f_mode;
116 bool send_tomtou = false, send_writers = false;
117
118 if (mode & FMODE_WRITE) {
119 if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
120 if (!iint)
121 iint = integrity_iint_find(inode);
122 /* IMA_MEASURE is set from reader side */
123 if (iint && test_bit(IMA_MUST_MEASURE,
124 &iint->atomic_flags))
125 send_tomtou = true;
126 }
127 } else {
128 if (must_measure)
129 set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
130 if (inode_is_open_for_write(inode) && must_measure)
131 send_writers = true;
132 }
133
134 if (!send_tomtou && !send_writers)
135 return;
136
137 *pathname = ima_d_path(&file->f_path, pathbuf, filename);
138
139 if (send_tomtou)
140 ima_add_violation(file, *pathname, iint,
141 "invalid_pcr", "ToMToU");
142 if (send_writers)
143 ima_add_violation(file, *pathname, iint,
144 "invalid_pcr", "open_writers");
145 }
146
ima_check_last_writer(struct integrity_iint_cache * iint,struct inode * inode,struct file * file)147 static void ima_check_last_writer(struct integrity_iint_cache *iint,
148 struct inode *inode, struct file *file)
149 {
150 fmode_t mode = file->f_mode;
151 bool update;
152
153 if (!(mode & FMODE_WRITE))
154 return;
155
156 mutex_lock(&iint->mutex);
157 if (atomic_read(&inode->i_writecount) == 1) {
158 update = test_and_clear_bit(IMA_UPDATE_XATTR,
159 &iint->atomic_flags);
160 if (!IS_I_VERSION(inode) ||
161 !inode_eq_iversion(inode, iint->version) ||
162 (iint->flags & IMA_NEW_FILE)) {
163 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
164 iint->measured_pcrs = 0;
165 if (update)
166 ima_update_xattr(iint, file);
167 }
168 }
169 mutex_unlock(&iint->mutex);
170 }
171
172 /**
173 * ima_file_free - called on __fput()
174 * @file: pointer to file structure being freed
175 *
176 * Flag files that changed, based on i_version
177 */
ima_file_free(struct file * file)178 void ima_file_free(struct file *file)
179 {
180 struct inode *inode = file_inode(file);
181 struct integrity_iint_cache *iint;
182
183 if (!ima_policy_flag || !S_ISREG(inode->i_mode))
184 return;
185
186 iint = integrity_iint_find(inode);
187 if (!iint)
188 return;
189
190 ima_check_last_writer(iint, inode, file);
191 }
192
process_measurement(struct file * file,const struct cred * cred,u32 secid,char * buf,loff_t size,int mask,enum ima_hooks func)193 static int process_measurement(struct file *file, const struct cred *cred,
194 u32 secid, char *buf, loff_t size, int mask,
195 enum ima_hooks func)
196 {
197 struct inode *backing_inode, *inode = file_inode(file);
198 struct integrity_iint_cache *iint = NULL;
199 struct ima_template_desc *template_desc = NULL;
200 char *pathbuf = NULL;
201 char filename[NAME_MAX];
202 const char *pathname = NULL;
203 int rc = 0, action, must_appraise = 0;
204 int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
205 struct evm_ima_xattr_data *xattr_value = NULL;
206 struct modsig *modsig = NULL;
207 int xattr_len = 0;
208 bool violation_check;
209 enum hash_algo hash_algo;
210
211 if (!ima_policy_flag || !S_ISREG(inode->i_mode))
212 return 0;
213
214 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
215 * bitmask based on the appraise/audit/measurement policy.
216 * Included is the appraise submask.
217 */
218 action = ima_get_action(inode, cred, secid, mask, func, &pcr,
219 &template_desc);
220 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
221 (ima_policy_flag & IMA_MEASURE));
222 if (!action && !violation_check)
223 return 0;
224
225 must_appraise = action & IMA_APPRAISE;
226
227 /* Is the appraise rule hook specific? */
228 if (action & IMA_FILE_APPRAISE)
229 func = FILE_CHECK;
230
231 inode_lock(inode);
232
233 if (action) {
234 iint = integrity_inode_get(inode);
235 if (!iint)
236 rc = -ENOMEM;
237 }
238
239 if (!rc && violation_check)
240 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
241 &pathbuf, &pathname, filename);
242
243 inode_unlock(inode);
244
245 if (rc)
246 goto out;
247 if (!action)
248 goto out;
249
250 mutex_lock(&iint->mutex);
251
252 if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
253 /* reset appraisal flags if ima_inode_post_setattr was called */
254 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
255 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
256 IMA_ACTION_FLAGS);
257
258 /*
259 * Re-evaulate the file if either the xattr has changed or the
260 * kernel has no way of detecting file change on the filesystem.
261 * (Limited to privileged mounted filesystems.)
262 */
263 if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
264 ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
265 !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
266 !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
267 iint->flags &= ~IMA_DONE_MASK;
268 iint->measured_pcrs = 0;
269 }
270
271 /* Detect and re-evaluate changes made to the backing file. */
272 backing_inode = d_real_inode(file_dentry(file));
273 if (backing_inode != inode &&
274 (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
275 if (!IS_I_VERSION(backing_inode) ||
276 backing_inode->i_sb->s_dev != iint->real_dev ||
277 backing_inode->i_ino != iint->real_ino ||
278 !inode_eq_iversion(backing_inode, iint->version)) {
279 iint->flags &= ~IMA_DONE_MASK;
280 iint->measured_pcrs = 0;
281 }
282 }
283
284 /* Determine if already appraised/measured based on bitmask
285 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
286 * IMA_AUDIT, IMA_AUDITED)
287 */
288 iint->flags |= action;
289 action &= IMA_DO_MASK;
290 action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
291
292 /* If target pcr is already measured, unset IMA_MEASURE action */
293 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
294 action ^= IMA_MEASURE;
295
296 /* HASH sets the digital signature and update flags, nothing else */
297 if ((action & IMA_HASH) &&
298 !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
299 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
300 if ((xattr_value && xattr_len > 2) &&
301 (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
302 set_bit(IMA_DIGSIG, &iint->atomic_flags);
303 iint->flags |= IMA_HASHED;
304 action ^= IMA_HASH;
305 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
306 }
307
308 /* Nothing to do, just return existing appraised status */
309 if (!action) {
310 if (must_appraise) {
311 rc = mmap_violation_check(func, file, &pathbuf,
312 &pathname, filename);
313 if (!rc)
314 rc = ima_get_cache_status(iint, func);
315 }
316 goto out_locked;
317 }
318
319 if ((action & IMA_APPRAISE_SUBMASK) ||
320 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
321 /* read 'security.ima' */
322 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
323
324 /*
325 * Read the appended modsig if allowed by the policy, and allow
326 * an additional measurement list entry, if needed, based on the
327 * template format and whether the file was already measured.
328 */
329 if (iint->flags & IMA_MODSIG_ALLOWED) {
330 rc = ima_read_modsig(func, buf, size, &modsig);
331
332 if (!rc && ima_template_has_modsig(template_desc) &&
333 iint->flags & IMA_MEASURED)
334 action |= IMA_MEASURE;
335 }
336 }
337
338 hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
339
340 rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
341 if (rc != 0 && rc != -EBADF && rc != -EINVAL)
342 goto out_locked;
343
344 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
345 pathname = ima_d_path(&file->f_path, &pathbuf, filename);
346
347 if (action & IMA_MEASURE)
348 ima_store_measurement(iint, file, pathname,
349 xattr_value, xattr_len, modsig, pcr,
350 template_desc);
351 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
352 inode_lock(inode);
353 rc = ima_appraise_measurement(func, iint, file, pathname,
354 xattr_value, xattr_len, modsig);
355 inode_unlock(inode);
356 if (!rc)
357 rc = mmap_violation_check(func, file, &pathbuf,
358 &pathname, filename);
359 }
360 if (action & IMA_AUDIT)
361 ima_audit_measurement(iint, pathname);
362
363 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
364 rc = 0;
365 out_locked:
366 if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
367 !(iint->flags & IMA_NEW_FILE))
368 rc = -EACCES;
369 mutex_unlock(&iint->mutex);
370 kfree(xattr_value);
371 ima_free_modsig(modsig);
372 out:
373 if (pathbuf)
374 __putname(pathbuf);
375 if (must_appraise) {
376 if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
377 return -EACCES;
378 if (file->f_mode & FMODE_WRITE)
379 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
380 }
381 return 0;
382 }
383
384 /**
385 * ima_file_mmap - based on policy, collect/store measurement.
386 * @file: pointer to the file to be measured (May be NULL)
387 * @reqprot: protection requested by the application
388 * @prot: protection that will be applied by the kernel
389 * @flags: operational flags
390 *
391 * Measure files being mmapped executable based on the ima_must_measure()
392 * policy decision.
393 *
394 * On success return 0. On integrity appraisal error, assuming the file
395 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
396 */
ima_file_mmap(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)397 int ima_file_mmap(struct file *file, unsigned long reqprot,
398 unsigned long prot, unsigned long flags)
399 {
400 u32 secid;
401
402 if (file && (prot & PROT_EXEC)) {
403 security_task_getsecid(current, &secid);
404 return process_measurement(file, current_cred(), secid, NULL,
405 0, MAY_EXEC, MMAP_CHECK);
406 }
407
408 return 0;
409 }
410
411 /**
412 * ima_bprm_check - based on policy, collect/store measurement.
413 * @bprm: contains the linux_binprm structure
414 *
415 * The OS protects against an executable file, already open for write,
416 * from being executed in deny_write_access() and an executable file,
417 * already open for execute, from being modified in get_write_access().
418 * So we can be certain that what we verify and measure here is actually
419 * what is being executed.
420 *
421 * On success return 0. On integrity appraisal error, assuming the file
422 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
423 */
ima_bprm_check(struct linux_binprm * bprm)424 int ima_bprm_check(struct linux_binprm *bprm)
425 {
426 int ret;
427 u32 secid;
428
429 security_task_getsecid(current, &secid);
430 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
431 MAY_EXEC, BPRM_CHECK);
432 if (ret)
433 return ret;
434
435 security_cred_getsecid(bprm->cred, &secid);
436 return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
437 MAY_EXEC, CREDS_CHECK);
438 }
439
440 /**
441 * ima_path_check - based on policy, collect/store measurement.
442 * @file: pointer to the file to be measured
443 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
444 *
445 * Measure files based on the ima_must_measure() policy decision.
446 *
447 * On success return 0. On integrity appraisal error, assuming the file
448 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
449 */
ima_file_check(struct file * file,int mask)450 int ima_file_check(struct file *file, int mask)
451 {
452 u32 secid;
453
454 security_task_getsecid(current, &secid);
455 return process_measurement(file, current_cred(), secid, NULL, 0,
456 mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
457 MAY_APPEND), FILE_CHECK);
458 }
459 EXPORT_SYMBOL_GPL(ima_file_check);
460
461 /**
462 * ima_post_create_tmpfile - mark newly created tmpfile as new
463 * @file : newly created tmpfile
464 *
465 * No measuring, appraising or auditing of newly created tmpfiles is needed.
466 * Skip calling process_measurement(), but indicate which newly, created
467 * tmpfiles are in policy.
468 */
ima_post_create_tmpfile(struct inode * inode)469 void ima_post_create_tmpfile(struct inode *inode)
470 {
471 struct integrity_iint_cache *iint;
472 int must_appraise;
473
474 must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
475 if (!must_appraise)
476 return;
477
478 /* Nothing to do if we can't allocate memory */
479 iint = integrity_inode_get(inode);
480 if (!iint)
481 return;
482
483 /* needed for writing the security xattrs */
484 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
485 iint->ima_file_status = INTEGRITY_PASS;
486 }
487
488 /**
489 * ima_post_path_mknod - mark as a new inode
490 * @dentry: newly created dentry
491 *
492 * Mark files created via the mknodat syscall as new, so that the
493 * file data can be written later.
494 */
ima_post_path_mknod(struct dentry * dentry)495 void ima_post_path_mknod(struct dentry *dentry)
496 {
497 struct integrity_iint_cache *iint;
498 struct inode *inode = dentry->d_inode;
499 int must_appraise;
500
501 must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
502 if (!must_appraise)
503 return;
504
505 /* Nothing to do if we can't allocate memory */
506 iint = integrity_inode_get(inode);
507 if (!iint)
508 return;
509
510 /* needed for re-opening empty files */
511 iint->flags |= IMA_NEW_FILE;
512 }
513
514 /**
515 * ima_read_file - pre-measure/appraise hook decision based on policy
516 * @file: pointer to the file to be measured/appraised/audit
517 * @read_id: caller identifier
518 *
519 * Permit reading a file based on policy. The policy rules are written
520 * in terms of the policy identifier. Appraising the integrity of
521 * a file requires a file descriptor.
522 *
523 * For permission return 0, otherwise return -EACCES.
524 */
ima_read_file(struct file * file,enum kernel_read_file_id read_id)525 int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
526 {
527 /*
528 * READING_FIRMWARE_PREALLOC_BUFFER
529 *
530 * Do devices using pre-allocated memory run the risk of the
531 * firmware being accessible to the device prior to the completion
532 * of IMA's signature verification any more than when using two
533 * buffers?
534 */
535 return 0;
536 }
537
538 const int read_idmap[READING_MAX_ID] = {
539 [READING_FIRMWARE] = FIRMWARE_CHECK,
540 [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK,
541 [READING_MODULE] = MODULE_CHECK,
542 [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
543 [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
544 [READING_POLICY] = POLICY_CHECK
545 };
546
547 /**
548 * ima_post_read_file - in memory collect/appraise/audit measurement
549 * @file: pointer to the file to be measured/appraised/audit
550 * @buf: pointer to in memory file contents
551 * @size: size of in memory file contents
552 * @read_id: caller identifier
553 *
554 * Measure/appraise/audit in memory file based on policy. Policy rules
555 * are written in terms of a policy identifier.
556 *
557 * On success return 0. On integrity appraisal error, assuming the file
558 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
559 */
ima_post_read_file(struct file * file,void * buf,loff_t size,enum kernel_read_file_id read_id)560 int ima_post_read_file(struct file *file, void *buf, loff_t size,
561 enum kernel_read_file_id read_id)
562 {
563 enum ima_hooks func;
564 u32 secid;
565
566 if (!file && read_id == READING_FIRMWARE) {
567 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
568 (ima_appraise & IMA_APPRAISE_ENFORCE)) {
569 pr_err("Prevent firmware loading_store.\n");
570 return -EACCES; /* INTEGRITY_UNKNOWN */
571 }
572 return 0;
573 }
574
575 /* permit signed certs */
576 if (!file && read_id == READING_X509_CERTIFICATE)
577 return 0;
578
579 if (!file || !buf || size == 0) { /* should never happen */
580 if (ima_appraise & IMA_APPRAISE_ENFORCE)
581 return -EACCES;
582 return 0;
583 }
584
585 func = read_idmap[read_id] ?: FILE_CHECK;
586 security_task_getsecid(current, &secid);
587 return process_measurement(file, current_cred(), secid, buf, size,
588 MAY_READ, func);
589 }
590
591 /**
592 * ima_load_data - appraise decision based on policy
593 * @id: kernel load data caller identifier
594 *
595 * Callers of this LSM hook can not measure, appraise, or audit the
596 * data provided by userspace. Enforce policy rules requring a file
597 * signature (eg. kexec'ed kernel image).
598 *
599 * For permission return 0, otherwise return -EACCES.
600 */
ima_load_data(enum kernel_load_data_id id)601 int ima_load_data(enum kernel_load_data_id id)
602 {
603 bool ima_enforce, sig_enforce;
604
605 ima_enforce =
606 (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
607
608 switch (id) {
609 case LOADING_KEXEC_IMAGE:
610 if (IS_ENABLED(CONFIG_KEXEC_SIG)
611 && arch_ima_get_secureboot()) {
612 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
613 return -EACCES;
614 }
615
616 if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
617 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
618 return -EACCES; /* INTEGRITY_UNKNOWN */
619 }
620 break;
621 case LOADING_FIRMWARE:
622 if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {
623 pr_err("Prevent firmware sysfs fallback loading.\n");
624 return -EACCES; /* INTEGRITY_UNKNOWN */
625 }
626 break;
627 case LOADING_MODULE:
628 sig_enforce = is_module_sig_enforced();
629
630 if (ima_enforce && (!sig_enforce
631 && (ima_appraise & IMA_APPRAISE_MODULES))) {
632 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
633 return -EACCES; /* INTEGRITY_UNKNOWN */
634 }
635 break;
636 default:
637 break;
638 }
639 return 0;
640 }
641
642 /*
643 * process_buffer_measurement - Measure the buffer to ima log.
644 * @buf: pointer to the buffer that needs to be added to the log.
645 * @size: size of buffer(in bytes).
646 * @eventname: event name to be used for the buffer entry.
647 * @cred: a pointer to a credentials structure for user validation.
648 * @secid: the secid of the task to be validated.
649 *
650 * Based on policy, the buffer is measured into the ima log.
651 */
process_buffer_measurement(const void * buf,int size,const char * eventname,const struct cred * cred,u32 secid)652 static void process_buffer_measurement(const void *buf, int size,
653 const char *eventname,
654 const struct cred *cred, u32 secid)
655 {
656 int ret = 0;
657 struct ima_template_entry *entry = NULL;
658 struct integrity_iint_cache iint = {};
659 struct ima_event_data event_data = {.iint = &iint,
660 .filename = eventname,
661 .buf = buf,
662 .buf_len = size};
663 struct ima_template_desc *template_desc = NULL;
664 struct {
665 struct ima_digest_data hdr;
666 char digest[IMA_MAX_DIGEST_SIZE];
667 } hash = {};
668 int violation = 0;
669 int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
670 int action = 0;
671
672 action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
673 &template_desc);
674 if (!(action & IMA_MEASURE))
675 return;
676
677 iint.ima_hash = &hash.hdr;
678 iint.ima_hash->algo = ima_hash_algo;
679 iint.ima_hash->length = hash_digest_size[ima_hash_algo];
680
681 ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
682 if (ret < 0)
683 goto out;
684
685 ret = ima_alloc_init_template(&event_data, &entry, template_desc);
686 if (ret < 0)
687 goto out;
688
689 ret = ima_store_template(entry, violation, NULL, buf, pcr);
690
691 if (ret < 0)
692 ima_free_template_entry(entry);
693
694 out:
695 return;
696 }
697
698 /**
699 * ima_kexec_cmdline - measure kexec cmdline boot args
700 * @buf: pointer to buffer
701 * @size: size of buffer
702 *
703 * Buffers can only be measured, not appraised.
704 */
ima_kexec_cmdline(const void * buf,int size)705 void ima_kexec_cmdline(const void *buf, int size)
706 {
707 u32 secid;
708
709 if (buf && size != 0) {
710 security_task_getsecid(current, &secid);
711 process_buffer_measurement(buf, size, "kexec-cmdline",
712 current_cred(), secid);
713 }
714 }
715
init_ima(void)716 static int __init init_ima(void)
717 {
718 int error;
719
720 ima_init_template_list();
721 hash_setup(CONFIG_IMA_DEFAULT_HASH);
722 error = ima_init();
723
724 if (error && strcmp(hash_algo_name[ima_hash_algo],
725 CONFIG_IMA_DEFAULT_HASH) != 0) {
726 pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
727 hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
728 hash_setup_done = 0;
729 hash_setup(CONFIG_IMA_DEFAULT_HASH);
730 error = ima_init();
731 }
732
733 if (error)
734 return error;
735
736 error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
737 if (error)
738 pr_warn("Couldn't register LSM notifier, error %d\n", error);
739
740 if (!error)
741 ima_update_policy_flag();
742
743 return error;
744 }
745
746 late_initcall(init_ima); /* Start IMA after the TPM is available */
747