0001
0002
0003
0004
0005
0006
0007
0008
0009
0010
0011
0012
0013 #ifndef __LINUX_IMA_H
0014 #define __LINUX_IMA_H
0015
0016 #include <linux/types.h>
0017 #include <linux/crypto.h>
0018 #include <linux/fs.h>
0019 #include <linux/security.h>
0020 #include <linux/hash.h>
0021 #include <linux/tpm.h>
0022 #include <linux/audit.h>
0023 #include <crypto/hash_info.h>
0024
0025 #include "../integrity.h"
0026
0027 enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
0028 IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
0029 enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
0030
0031
0032 #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
0033 #define IMA_EVENT_NAME_LEN_MAX 255
0034
0035 #define IMA_HASH_BITS 10
0036 #define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
0037
0038 #define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16
0039 #define IMA_TEMPLATE_NUM_FIELDS_MAX 15
0040
0041 #define IMA_TEMPLATE_IMA_NAME "ima"
0042 #define IMA_TEMPLATE_IMA_FMT "d|n"
0043
0044 #define NR_BANKS(chip) ((chip != NULL) ? chip->nr_allocated_banks : 0)
0045
0046
0047 extern int ima_policy_flag;
0048
0049
0050 extern atomic_t ima_setxattr_allowed_hash_algorithms;
0051
0052
0053 extern int ima_hash_algo __ro_after_init;
0054 extern int ima_sha1_idx __ro_after_init;
0055 extern int ima_hash_algo_idx __ro_after_init;
0056 extern int ima_extra_slots __ro_after_init;
0057 extern int ima_appraise;
0058 extern struct tpm_chip *ima_tpm_chip;
0059 extern const char boot_aggregate_name[];
0060
0061
0062 struct ima_event_data {
0063 struct integrity_iint_cache *iint;
0064 struct file *file;
0065 const unsigned char *filename;
0066 struct evm_ima_xattr_data *xattr_value;
0067 int xattr_len;
0068 const struct modsig *modsig;
0069 const char *violation;
0070 const void *buf;
0071 int buf_len;
0072 };
0073
0074
0075 struct ima_field_data {
0076 u8 *data;
0077 u32 len;
0078 };
0079
0080
0081 struct ima_template_field {
0082 const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
0083 int (*field_init)(struct ima_event_data *event_data,
0084 struct ima_field_data *field_data);
0085 void (*field_show)(struct seq_file *m, enum ima_show_type show,
0086 struct ima_field_data *field_data);
0087 };
0088
0089
0090 struct ima_template_desc {
0091 struct list_head list;
0092 char *name;
0093 char *fmt;
0094 int num_fields;
0095 const struct ima_template_field **fields;
0096 };
0097
0098 struct ima_template_entry {
0099 int pcr;
0100 struct tpm_digest *digests;
0101 struct ima_template_desc *template_desc;
0102 u32 template_data_len;
0103 struct ima_field_data template_data[];
0104 };
0105
0106 struct ima_queue_entry {
0107 struct hlist_node hnext;
0108 struct list_head later;
0109 struct ima_template_entry *entry;
0110 };
0111 extern struct list_head ima_measurements;
0112
0113
0114 struct ima_kexec_hdr {
0115 u16 version;
0116 u16 _reserved0;
0117 u32 _reserved1;
0118 u64 buffer_size;
0119 u64 count;
0120 };
0121
0122 extern const int read_idmap[];
0123
0124 #ifdef CONFIG_HAVE_IMA_KEXEC
0125 void ima_load_kexec_buffer(void);
0126 #else
0127 static inline void ima_load_kexec_buffer(void) {}
0128 #endif
0129
0130
0131
0132
0133
0134 extern bool ima_canonical_fmt;
0135
0136
0137 int ima_init(void);
0138 int ima_fs_init(void);
0139 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
0140 const char *op, struct inode *inode,
0141 const unsigned char *filename);
0142 int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
0143 int ima_calc_buffer_hash(const void *buf, loff_t len,
0144 struct ima_digest_data *hash);
0145 int ima_calc_field_array_hash(struct ima_field_data *field_data,
0146 struct ima_template_entry *entry);
0147 int ima_calc_boot_aggregate(struct ima_digest_data *hash);
0148 void ima_add_violation(struct file *file, const unsigned char *filename,
0149 struct integrity_iint_cache *iint,
0150 const char *op, const char *cause);
0151 int ima_init_crypto(void);
0152 void ima_putc(struct seq_file *m, void *data, int datalen);
0153 void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
0154 int template_desc_init_fields(const char *template_fmt,
0155 const struct ima_template_field ***fields,
0156 int *num_fields);
0157 struct ima_template_desc *ima_template_desc_current(void);
0158 struct ima_template_desc *ima_template_desc_buf(void);
0159 struct ima_template_desc *lookup_template_desc(const char *name);
0160 bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
0161 int ima_restore_measurement_entry(struct ima_template_entry *entry);
0162 int ima_restore_measurement_list(loff_t bufsize, void *buf);
0163 int ima_measurements_show(struct seq_file *m, void *v);
0164 unsigned long ima_get_binary_runtime_size(void);
0165 int ima_init_template(void);
0166 void ima_init_template_list(void);
0167 int __init ima_init_digests(void);
0168 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
0169 void *lsm_data);
0170
0171
0172
0173
0174 extern spinlock_t ima_queue_lock;
0175
0176 struct ima_h_table {
0177 atomic_long_t len;
0178 atomic_long_t violations;
0179 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
0180 };
0181 extern struct ima_h_table ima_htable;
0182
0183 static inline unsigned int ima_hash_key(u8 *digest)
0184 {
0185
0186 return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
0187 }
0188
0189 #define __ima_hooks(hook) \
0190 hook(NONE, none) \
0191 hook(FILE_CHECK, file) \
0192 hook(MMAP_CHECK, mmap) \
0193 hook(BPRM_CHECK, bprm) \
0194 hook(CREDS_CHECK, creds) \
0195 hook(POST_SETATTR, post_setattr) \
0196 hook(MODULE_CHECK, module) \
0197 hook(FIRMWARE_CHECK, firmware) \
0198 hook(KEXEC_KERNEL_CHECK, kexec_kernel) \
0199 hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs) \
0200 hook(POLICY_CHECK, policy) \
0201 hook(KEXEC_CMDLINE, kexec_cmdline) \
0202 hook(KEY_CHECK, key) \
0203 hook(CRITICAL_DATA, critical_data) \
0204 hook(SETXATTR_CHECK, setxattr_check) \
0205 hook(MAX_CHECK, none)
0206
0207 #define __ima_hook_enumify(ENUM, str) ENUM,
0208 #define __ima_stringify(arg) (#arg)
0209 #define __ima_hook_measuring_stringify(ENUM, str) \
0210 (__ima_stringify(measuring_ ##str)),
0211
0212 enum ima_hooks {
0213 __ima_hooks(__ima_hook_enumify)
0214 };
0215
0216 static const char * const ima_hooks_measure_str[] = {
0217 __ima_hooks(__ima_hook_measuring_stringify)
0218 };
0219
0220 static inline const char *func_measure_str(enum ima_hooks func)
0221 {
0222 if (func >= MAX_CHECK)
0223 return ima_hooks_measure_str[NONE];
0224
0225 return ima_hooks_measure_str[func];
0226 }
0227
0228 extern const char *const func_tokens[];
0229
0230 struct modsig;
0231
0232 #ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS
0233
0234
0235
0236 struct ima_key_entry {
0237 struct list_head list;
0238 void *payload;
0239 size_t payload_len;
0240 char *keyring_name;
0241 };
0242 void ima_init_key_queue(void);
0243 bool ima_should_queue_key(void);
0244 bool ima_queue_key(struct key *keyring, const void *payload,
0245 size_t payload_len);
0246 void ima_process_queued_keys(void);
0247 #else
0248 static inline void ima_init_key_queue(void) {}
0249 static inline bool ima_should_queue_key(void) { return false; }
0250 static inline bool ima_queue_key(struct key *keyring,
0251 const void *payload,
0252 size_t payload_len) { return false; }
0253 static inline void ima_process_queued_keys(void) {}
0254 #endif
0255
0256
0257 int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
0258 const struct cred *cred, u32 secid, int mask,
0259 enum ima_hooks func, int *pcr,
0260 struct ima_template_desc **template_desc,
0261 const char *func_data, unsigned int *allowed_algos);
0262 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
0263 int ima_collect_measurement(struct integrity_iint_cache *iint,
0264 struct file *file, void *buf, loff_t size,
0265 enum hash_algo algo, struct modsig *modsig);
0266 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
0267 const unsigned char *filename,
0268 struct evm_ima_xattr_data *xattr_value,
0269 int xattr_len, const struct modsig *modsig, int pcr,
0270 struct ima_template_desc *template_desc);
0271 int process_buffer_measurement(struct user_namespace *mnt_userns,
0272 struct inode *inode, const void *buf, int size,
0273 const char *eventname, enum ima_hooks func,
0274 int pcr, const char *func_data,
0275 bool buf_hash, u8 *digest, size_t digest_len);
0276 void ima_audit_measurement(struct integrity_iint_cache *iint,
0277 const unsigned char *filename);
0278 int ima_alloc_init_template(struct ima_event_data *event_data,
0279 struct ima_template_entry **entry,
0280 struct ima_template_desc *template_desc);
0281 int ima_store_template(struct ima_template_entry *entry, int violation,
0282 struct inode *inode,
0283 const unsigned char *filename, int pcr);
0284 void ima_free_template_entry(struct ima_template_entry *entry);
0285 const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
0286
0287
0288 int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
0289 const struct cred *cred, u32 secid, enum ima_hooks func,
0290 int mask, int flags, int *pcr,
0291 struct ima_template_desc **template_desc,
0292 const char *func_data, unsigned int *allowed_algos);
0293 void ima_init_policy(void);
0294 void ima_update_policy(void);
0295 void ima_update_policy_flags(void);
0296 ssize_t ima_parse_add_rule(char *);
0297 void ima_delete_rules(void);
0298 int ima_check_policy(void);
0299 void *ima_policy_start(struct seq_file *m, loff_t *pos);
0300 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
0301 void ima_policy_stop(struct seq_file *m, void *v);
0302 int ima_policy_show(struct seq_file *m, void *v);
0303
0304
0305 #define IMA_APPRAISE_ENFORCE 0x01
0306 #define IMA_APPRAISE_FIX 0x02
0307 #define IMA_APPRAISE_LOG 0x04
0308 #define IMA_APPRAISE_MODULES 0x08
0309 #define IMA_APPRAISE_FIRMWARE 0x10
0310 #define IMA_APPRAISE_POLICY 0x20
0311 #define IMA_APPRAISE_KEXEC 0x40
0312
0313 #ifdef CONFIG_IMA_APPRAISE
0314 int ima_check_blacklist(struct integrity_iint_cache *iint,
0315 const struct modsig *modsig, int pcr);
0316 int ima_appraise_measurement(enum ima_hooks func,
0317 struct integrity_iint_cache *iint,
0318 struct file *file, const unsigned char *filename,
0319 struct evm_ima_xattr_data *xattr_value,
0320 int xattr_len, const struct modsig *modsig);
0321 int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
0322 int mask, enum ima_hooks func);
0323 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
0324 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
0325 enum ima_hooks func);
0326 enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
0327 int xattr_len);
0328 int ima_read_xattr(struct dentry *dentry,
0329 struct evm_ima_xattr_data **xattr_value);
0330
0331 #else
0332 static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
0333 const struct modsig *modsig, int pcr)
0334 {
0335 return 0;
0336 }
0337
0338 static inline int ima_appraise_measurement(enum ima_hooks func,
0339 struct integrity_iint_cache *iint,
0340 struct file *file,
0341 const unsigned char *filename,
0342 struct evm_ima_xattr_data *xattr_value,
0343 int xattr_len,
0344 const struct modsig *modsig)
0345 {
0346 return INTEGRITY_UNKNOWN;
0347 }
0348
0349 static inline int ima_must_appraise(struct user_namespace *mnt_userns,
0350 struct inode *inode, int mask,
0351 enum ima_hooks func)
0352 {
0353 return 0;
0354 }
0355
0356 static inline void ima_update_xattr(struct integrity_iint_cache *iint,
0357 struct file *file)
0358 {
0359 }
0360
0361 static inline enum integrity_status ima_get_cache_status(struct integrity_iint_cache
0362 *iint,
0363 enum ima_hooks func)
0364 {
0365 return INTEGRITY_UNKNOWN;
0366 }
0367
0368 static inline enum hash_algo
0369 ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len)
0370 {
0371 return ima_hash_algo;
0372 }
0373
0374 static inline int ima_read_xattr(struct dentry *dentry,
0375 struct evm_ima_xattr_data **xattr_value)
0376 {
0377 return 0;
0378 }
0379
0380 #endif
0381
0382 #ifdef CONFIG_IMA_APPRAISE_MODSIG
0383 int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
0384 struct modsig **modsig);
0385 void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size);
0386 int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
0387 const u8 **digest, u32 *digest_size);
0388 int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
0389 u32 *data_len);
0390 void ima_free_modsig(struct modsig *modsig);
0391 #else
0392 static inline int ima_read_modsig(enum ima_hooks func, const void *buf,
0393 loff_t buf_len, struct modsig **modsig)
0394 {
0395 return -EOPNOTSUPP;
0396 }
0397
0398 static inline void ima_collect_modsig(struct modsig *modsig, const void *buf,
0399 loff_t size)
0400 {
0401 }
0402
0403 static inline int ima_get_modsig_digest(const struct modsig *modsig,
0404 enum hash_algo *algo, const u8 **digest,
0405 u32 *digest_size)
0406 {
0407 return -EOPNOTSUPP;
0408 }
0409
0410 static inline int ima_get_raw_modsig(const struct modsig *modsig,
0411 const void **data, u32 *data_len)
0412 {
0413 return -EOPNOTSUPP;
0414 }
0415
0416 static inline void ima_free_modsig(struct modsig *modsig)
0417 {
0418 }
0419 #endif
0420
0421
0422 #ifdef CONFIG_IMA_LSM_RULES
0423
0424 #define ima_filter_rule_init security_audit_rule_init
0425 #define ima_filter_rule_free security_audit_rule_free
0426 #define ima_filter_rule_match security_audit_rule_match
0427
0428 #else
0429
0430 static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
0431 void **lsmrule)
0432 {
0433 return -EINVAL;
0434 }
0435
0436 static inline void ima_filter_rule_free(void *lsmrule)
0437 {
0438 }
0439
0440 static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
0441 void *lsmrule)
0442 {
0443 return -EINVAL;
0444 }
0445 #endif
0446
0447 #ifdef CONFIG_IMA_READ_POLICY
0448 #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR)
0449 #else
0450 #define POLICY_FILE_FLAGS S_IWUSR
0451 #endif
0452
0453 #endif
