security/selinux/ima.c

0001 // SPDX-License-Identifier: GPL-2.0+
0002 /*
0003  * Copyright (C) 2021 Microsoft Corporation
0004  *
0005  * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
0006  *
0007  * Measure critical data structures maintainted by SELinux
0008  * using IMA subsystem.
0009  */
0010 #include <linux/vmalloc.h>
0011 #include <linux/ima.h>
0012 #include "security.h"
0013 #include "ima.h"
0014
0015 /*
0016  * selinux_ima_collect_state - Read selinux configuration settings
0017  *
0018  * @state: selinux_state
0019  *
0020  * On success returns the configuration settings string.
0021  * On error, returns NULL.
0022  */
0023 static char *selinux_ima_collect_state(struct selinux_state *state)
0024 {
0025     const char *on = "=1;", *off = "=0;";
0026     char *buf;
0027     int buf_len, len, i, rc;
0028
0029     buf_len = strlen("initialized=0;enforcing=0;checkreqprot=0;") + 1;
0030
0031     len = strlen(on);
0032     for (i = 0; i < __POLICYDB_CAP_MAX; i++)
0033         buf_len += strlen(selinux_policycap_names[i]) + len;
0034
0035     buf = kzalloc(buf_len, GFP_KERNEL);
0036     if (!buf)
0037         return NULL;
0038
0039     rc = strscpy(buf, "initialized", buf_len);
0040     WARN_ON(rc < 0);
0041
0042     rc = strlcat(buf, selinux_initialized(state) ? on : off, buf_len);
0043     WARN_ON(rc >= buf_len);
0044
0045     rc = strlcat(buf, "enforcing", buf_len);
0046     WARN_ON(rc >= buf_len);
0047
0048     rc = strlcat(buf, enforcing_enabled(state) ? on : off, buf_len);
0049     WARN_ON(rc >= buf_len);
0050
0051     rc = strlcat(buf, "checkreqprot", buf_len);
0052     WARN_ON(rc >= buf_len);
0053
0054     rc = strlcat(buf, checkreqprot_get(state) ? on : off, buf_len);
0055     WARN_ON(rc >= buf_len);
0056
0057     for (i = 0; i < __POLICYDB_CAP_MAX; i++) {
0058         rc = strlcat(buf, selinux_policycap_names[i], buf_len);
0059         WARN_ON(rc >= buf_len);
0060
0061         rc = strlcat(buf, state->policycap[i] ? on : off, buf_len);
0062         WARN_ON(rc >= buf_len);
0063     }
0064
0065     return buf;
0066 }
0067
0068 /*
0069  * selinux_ima_measure_state_locked - Measure SELinux state and hash of policy
0070  *
0071  * @state: selinux state struct
0072  */
0073 void selinux_ima_measure_state_locked(struct selinux_state *state)
0074 {
0075     char *state_str = NULL;
0076     void *policy = NULL;
0077     size_t policy_len;
0078     int rc = 0;
0079
0080     lockdep_assert_held(&state->policy_mutex);
0081
0082     state_str = selinux_ima_collect_state(state);
0083     if (!state_str) {
0084         pr_err("SELinux: %s: failed to read state.\n", __func__);
0085         return;
0086     }
0087
0088     ima_measure_critical_data("selinux", "selinux-state",
0089                   state_str, strlen(state_str), false,
0090                   NULL, 0);
0091
0092     kfree(state_str);
0093
0094     /*
0095      * Measure SELinux policy only after initialization is completed.
0096      */
0097     if (!selinux_initialized(state))
0098         return;
0099
0100     rc = security_read_state_kernel(state, &policy, &policy_len);
0101     if (rc) {
0102         pr_err("SELinux: %s: failed to read policy %d.\n", __func__, rc);
0103         return;
0104     }
0105
0106     ima_measure_critical_data("selinux", "selinux-policy-hash",
0107                   policy, policy_len, true,
0108                   NULL, 0);
0109
0110     vfree(policy);
0111 }
0112
0113 /*
0114  * selinux_ima_measure_state - Measure SELinux state and hash of policy
0115  *
0116  * @state: selinux state struct
0117  */
0118 void selinux_ima_measure_state(struct selinux_state *state)
0119 {
0120     lockdep_assert_not_held(&state->policy_mutex);
0121
0122     mutex_lock(&state->policy_mutex);
0123     selinux_ima_measure_state_locked(state);
0124     mutex_unlock(&state->policy_mutex);
0125 }