integrity/ima/ima_queue_keys.c

0001 // SPDX-License-Identifier: GPL-2.0+
0002 /*
0003  * Copyright (C) 2019 Microsoft Corporation
0004  *
0005  * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
0006  *
0007  * File: ima_queue_keys.c
0008  *       Enables deferred processing of keys
0009  */
0010
0011 #include <linux/user_namespace.h>
0012 #include <linux/workqueue.h>
0013 #include <keys/asymmetric-type.h>
0014 #include "ima.h"
0015
0016 /*
0017  * Flag to indicate whether a key can be processed
0018  * right away or should be queued for processing later.
0019  */
0020 static bool ima_process_keys;
0021
0022 /*
0023  * To synchronize access to the list of keys that need to be measured
0024  */
0025 static DEFINE_MUTEX(ima_keys_lock);
0026 static LIST_HEAD(ima_keys);
0027
0028 /*
0029  * If custom IMA policy is not loaded then keys queued up
0030  * for measurement should be freed. This worker is used
0031  * for handling this scenario.
0032  */
0033 static long ima_key_queue_timeout = 300000; /* 5 Minutes */
0034 static void ima_keys_handler(struct work_struct *work);
0035 static DECLARE_DELAYED_WORK(ima_keys_delayed_work, ima_keys_handler);
0036 static bool timer_expired;
0037
0038 /*
0039  * This worker function frees keys that may still be
0040  * queued up in case custom IMA policy was not loaded.
0041  */
0042 static void ima_keys_handler(struct work_struct *work)
0043 {
0044     timer_expired = true;
0045     ima_process_queued_keys();
0046 }
0047
0048 /*
0049  * This function sets up a worker to free queued keys in case
0050  * custom IMA policy was never loaded.
0051  */
0052 void ima_init_key_queue(void)
0053 {
0054     schedule_delayed_work(&ima_keys_delayed_work,
0055                   msecs_to_jiffies(ima_key_queue_timeout));
0056 }
0057
0058 static void ima_free_key_entry(struct ima_key_entry *entry)
0059 {
0060     if (entry) {
0061         kfree(entry->payload);
0062         kfree(entry->keyring_name);
0063         kfree(entry);
0064     }
0065 }
0066
0067 static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,
0068                          const void *payload,
0069                          size_t payload_len)
0070 {
0071     int rc = 0;
0072     const char *audit_cause = "ENOMEM";
0073     struct ima_key_entry *entry;
0074
0075     entry = kzalloc(sizeof(*entry), GFP_KERNEL);
0076     if (entry) {
0077         entry->payload = kmemdup(payload, payload_len, GFP_KERNEL);
0078         entry->keyring_name = kstrdup(keyring->description,
0079                           GFP_KERNEL);
0080         entry->payload_len = payload_len;
0081     }
0082
0083     if ((entry == NULL) || (entry->payload == NULL) ||
0084         (entry->keyring_name == NULL)) {
0085         rc = -ENOMEM;
0086         goto out;
0087     }
0088
0089     INIT_LIST_HEAD(&entry->list);
0090
0091 out:
0092     if (rc) {
0093         integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL,
0094                     keyring->description,
0095                     func_measure_str(KEY_CHECK),
0096                     audit_cause, rc, 0, rc);
0097         ima_free_key_entry(entry);
0098         entry = NULL;
0099     }
0100
0101     return entry;
0102 }
0103
0104 bool ima_queue_key(struct key *keyring, const void *payload,
0105            size_t payload_len)
0106 {
0107     bool queued = false;
0108     struct ima_key_entry *entry;
0109
0110     entry = ima_alloc_key_entry(keyring, payload, payload_len);
0111     if (!entry)
0112         return false;
0113
0114     mutex_lock(&ima_keys_lock);
0115     if (!ima_process_keys) {
0116         list_add_tail(&entry->list, &ima_keys);
0117         queued = true;
0118     }
0119     mutex_unlock(&ima_keys_lock);
0120
0121     if (!queued)
0122         ima_free_key_entry(entry);
0123
0124     return queued;
0125 }
0126
0127 /*
0128  * ima_process_queued_keys() - process keys queued for measurement
0129  *
0130  * This function sets ima_process_keys to true and processes queued keys.
0131  * From here on keys will be processed right away (not queued).
0132  */
0133 void ima_process_queued_keys(void)
0134 {
0135     struct ima_key_entry *entry, *tmp;
0136     bool process = false;
0137
0138     if (ima_process_keys)
0139         return;
0140
0141     /*
0142      * Since ima_process_keys is set to true, any new key will be
0143      * processed immediately and not be queued to ima_keys list.
0144      * First one setting the ima_process_keys flag to true will
0145      * process the queued keys.
0146      */
0147     mutex_lock(&ima_keys_lock);
0148     if (!ima_process_keys) {
0149         ima_process_keys = true;
0150         process = true;
0151     }
0152     mutex_unlock(&ima_keys_lock);
0153
0154     if (!process)
0155         return;
0156
0157     if (!timer_expired)
0158         cancel_delayed_work_sync(&ima_keys_delayed_work);
0159
0160     list_for_each_entry_safe(entry, tmp, &ima_keys, list) {
0161         if (!timer_expired)
0162             process_buffer_measurement(&init_user_ns, NULL,
0163                            entry->payload,
0164                            entry->payload_len,
0165                            entry->keyring_name,
0166                            KEY_CHECK, 0,
0167                            entry->keyring_name,
0168                            false, NULL, 0);
0169         list_del(&entry->list);
0170         ima_free_key_entry(entry);
0171     }
0172 }
0173
0174 inline bool ima_should_queue_key(void)
0175 {
0176     return !ima_process_keys;
0177 }