]>
Commit | Line | Data |
---|---|---|
3323eec9 MZ |
1 | /* |
2 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation | |
3 | * | |
4 | * Authors: | |
5 | * Reiner Sailer <sailer@watson.ibm.com> | |
6 | * Serge Hallyn <serue@us.ibm.com> | |
7 | * Kylene Hall <kylene@us.ibm.com> | |
8 | * Mimi Zohar <zohar@us.ibm.com> | |
9 | * | |
10 | * This program is free software; you can redistribute it and/or | |
11 | * modify it under the terms of the GNU General Public License as | |
12 | * published by the Free Software Foundation, version 2 of the | |
13 | * License. | |
14 | * | |
15 | * File: ima_main.c | |
16 | * implements the IMA hooks: ima_bprm_check, ima_file_mmap, | |
17 | * and ima_path_check. | |
18 | */ | |
19 | #include <linux/module.h> | |
20 | #include <linux/file.h> | |
21 | #include <linux/binfmts.h> | |
22 | #include <linux/mount.h> | |
23 | #include <linux/mman.h> | |
24 | ||
25 | #include "ima.h" | |
26 | ||
27 | int ima_initialized; | |
28 | ||
29 | char *ima_hash = "sha1"; | |
30 | static int __init hash_setup(char *str) | |
31 | { | |
07ff7a0b MZ |
32 | if (strncmp(str, "md5", 3) == 0) |
33 | ima_hash = "md5"; | |
3323eec9 MZ |
34 | return 1; |
35 | } | |
36 | __setup("ima_hash=", hash_setup); | |
37 | ||
38 | /** | |
39 | * ima_file_free - called on __fput() | |
40 | * @file: pointer to file structure being freed | |
41 | * | |
42 | * Flag files that changed, based on i_version; | |
43 | * and decrement the iint readcount/writecount. | |
44 | */ | |
45 | void ima_file_free(struct file *file) | |
46 | { | |
47 | struct inode *inode = file->f_dentry->d_inode; | |
48 | struct ima_iint_cache *iint; | |
49 | ||
50 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | |
51 | return; | |
52 | iint = ima_iint_find_get(inode); | |
53 | if (!iint) | |
54 | return; | |
55 | ||
56 | mutex_lock(&iint->mutex); | |
1df9f0a7 MZ |
57 | if (iint->opencount <= 0) { |
58 | printk(KERN_INFO | |
59 | "%s: %s open/free imbalance (r:%ld w:%ld o:%ld f:%ld)\n", | |
60 | __FUNCTION__, file->f_dentry->d_name.name, | |
61 | iint->readcount, iint->writecount, | |
62 | iint->opencount, atomic_long_read(&file->f_count)); | |
63 | if (!(iint->flags & IMA_IINT_DUMP_STACK)) { | |
64 | dump_stack(); | |
65 | iint->flags |= IMA_IINT_DUMP_STACK; | |
66 | } | |
67 | } | |
68 | iint->opencount--; | |
69 | ||
3323eec9 MZ |
70 | if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) |
71 | iint->readcount--; | |
72 | ||
73 | if (file->f_mode & FMODE_WRITE) { | |
74 | iint->writecount--; | |
75 | if (iint->writecount == 0) { | |
76 | if (iint->version != inode->i_version) | |
77 | iint->flags &= ~IMA_MEASURED; | |
78 | } | |
79 | } | |
80 | mutex_unlock(&iint->mutex); | |
81 | kref_put(&iint->refcount, iint_free); | |
82 | } | |
83 | ||
84 | /* ima_read_write_check - reflect possible reading/writing errors in the PCR. | |
85 | * | |
86 | * When opening a file for read, if the file is already open for write, | |
87 | * the file could change, resulting in a file measurement error. | |
88 | * | |
89 | * Opening a file for write, if the file is already open for read, results | |
90 | * in a time of measure, time of use (ToMToU) error. | |
91 | * | |
92 | * In either case invalidate the PCR. | |
93 | */ | |
94 | enum iint_pcr_error { TOMTOU, OPEN_WRITERS }; | |
95 | static void ima_read_write_check(enum iint_pcr_error error, | |
96 | struct ima_iint_cache *iint, | |
97 | struct inode *inode, | |
98 | const unsigned char *filename) | |
99 | { | |
100 | switch (error) { | |
101 | case TOMTOU: | |
102 | if (iint->readcount > 0) | |
103 | ima_add_violation(inode, filename, "invalid_pcr", | |
104 | "ToMToU"); | |
105 | break; | |
106 | case OPEN_WRITERS: | |
107 | if (iint->writecount > 0) | |
108 | ima_add_violation(inode, filename, "invalid_pcr", | |
109 | "open_writers"); | |
110 | break; | |
111 | } | |
112 | } | |
113 | ||
114 | static int get_path_measurement(struct ima_iint_cache *iint, struct file *file, | |
115 | const unsigned char *filename) | |
116 | { | |
117 | int rc = 0; | |
118 | ||
1df9f0a7 | 119 | iint->opencount++; |
3323eec9 MZ |
120 | iint->readcount++; |
121 | ||
122 | rc = ima_collect_measurement(iint, file); | |
123 | if (!rc) | |
124 | ima_store_measurement(iint, file, filename); | |
125 | return rc; | |
126 | } | |
127 | ||
b9fc745d MZ |
128 | static void ima_update_counts(struct ima_iint_cache *iint, int mask) |
129 | { | |
130 | iint->opencount++; | |
131 | if ((mask & MAY_WRITE) || (mask == 0)) | |
132 | iint->writecount++; | |
133 | else if (mask & (MAY_READ | MAY_EXEC)) | |
134 | iint->readcount++; | |
135 | } | |
136 | ||
3323eec9 MZ |
137 | /** |
138 | * ima_path_check - based on policy, collect/store measurement. | |
139 | * @path: contains a pointer to the path to be measured | |
140 | * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE | |
141 | * | |
142 | * Measure the file being open for readonly, based on the | |
143 | * ima_must_measure() policy decision. | |
144 | * | |
145 | * Keep read/write counters for all files, but only | |
146 | * invalidate the PCR for measured files: | |
147 | * - Opening a file for write when already open for read, | |
148 | * results in a time of measure, time of use (ToMToU) error. | |
149 | * - Opening a file for read when already open for write, | |
150 | * could result in a file measurement error. | |
151 | * | |
04288f42 MZ |
152 | * Always return 0 and audit dentry_open failures. |
153 | * (Return code will be based upon measurement appraisal.) | |
3323eec9 | 154 | */ |
b9fc745d | 155 | int ima_path_check(struct path *path, int mask, int update_counts) |
3323eec9 MZ |
156 | { |
157 | struct inode *inode = path->dentry->d_inode; | |
158 | struct ima_iint_cache *iint; | |
159 | struct file *file = NULL; | |
160 | int rc; | |
161 | ||
162 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | |
163 | return 0; | |
164 | iint = ima_iint_find_insert_get(inode); | |
165 | if (!iint) | |
166 | return 0; | |
167 | ||
168 | mutex_lock(&iint->mutex); | |
b9fc745d MZ |
169 | if (update_counts) |
170 | ima_update_counts(iint, mask); | |
3323eec9 MZ |
171 | |
172 | rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK); | |
173 | if (rc < 0) | |
174 | goto out; | |
175 | ||
176 | if ((mask & MAY_WRITE) || (mask == 0)) | |
177 | ima_read_write_check(TOMTOU, iint, inode, | |
178 | path->dentry->d_name.name); | |
179 | ||
180 | if ((mask & (MAY_WRITE | MAY_READ | MAY_EXEC)) != MAY_READ) | |
181 | goto out; | |
182 | ||
183 | ima_read_write_check(OPEN_WRITERS, iint, inode, | |
184 | path->dentry->d_name.name); | |
185 | if (!(iint->flags & IMA_MEASURED)) { | |
186 | struct dentry *dentry = dget(path->dentry); | |
187 | struct vfsmount *mnt = mntget(path->mnt); | |
188 | ||
1a62e958 EP |
189 | file = dentry_open(dentry, mnt, O_RDONLY | O_LARGEFILE, |
190 | current_cred()); | |
f06dd16a | 191 | if (IS_ERR(file)) { |
04288f42 MZ |
192 | int audit_info = 0; |
193 | ||
194 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, | |
195 | dentry->d_name.name, | |
196 | "add_measurement", | |
197 | "dentry_open failed", | |
198 | 1, audit_info); | |
f06dd16a EP |
199 | file = NULL; |
200 | goto out; | |
201 | } | |
3323eec9 MZ |
202 | rc = get_path_measurement(iint, file, dentry->d_name.name); |
203 | } | |
204 | out: | |
205 | mutex_unlock(&iint->mutex); | |
206 | if (file) | |
207 | fput(file); | |
208 | kref_put(&iint->refcount, iint_free); | |
209 | return 0; | |
210 | } | |
b9fc745d | 211 | EXPORT_SYMBOL_GPL(ima_path_check); |
3323eec9 MZ |
212 | |
213 | static int process_measurement(struct file *file, const unsigned char *filename, | |
214 | int mask, int function) | |
215 | { | |
216 | struct inode *inode = file->f_dentry->d_inode; | |
217 | struct ima_iint_cache *iint; | |
218 | int rc; | |
219 | ||
220 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | |
221 | return 0; | |
222 | iint = ima_iint_find_insert_get(inode); | |
223 | if (!iint) | |
224 | return -ENOMEM; | |
225 | ||
226 | mutex_lock(&iint->mutex); | |
227 | rc = ima_must_measure(iint, inode, mask, function); | |
228 | if (rc != 0) | |
229 | goto out; | |
230 | ||
231 | rc = ima_collect_measurement(iint, file); | |
232 | if (!rc) | |
233 | ima_store_measurement(iint, file, filename); | |
234 | out: | |
235 | mutex_unlock(&iint->mutex); | |
236 | kref_put(&iint->refcount, iint_free); | |
237 | return rc; | |
238 | } | |
239 | ||
b9fc745d | 240 | /* |
94e5d714 MZ |
241 | * ima_counts_put - decrement file counts |
242 | * | |
243 | * File counts are incremented in ima_path_check. On file open | |
244 | * error, such as ETXTBSY, decrement the counts to prevent | |
245 | * unnecessary imbalance messages. | |
246 | */ | |
247 | void ima_counts_put(struct path *path, int mask) | |
248 | { | |
249 | struct inode *inode = path->dentry->d_inode; | |
250 | struct ima_iint_cache *iint; | |
251 | ||
acd0c935 MZ |
252 | /* The inode may already have been freed, freeing the iint |
253 | * with it. Verify the inode is not NULL before dereferencing | |
254 | * it. | |
255 | */ | |
256 | if (!ima_initialized || !inode || !S_ISREG(inode->i_mode)) | |
94e5d714 MZ |
257 | return; |
258 | iint = ima_iint_find_insert_get(inode); | |
259 | if (!iint) | |
260 | return; | |
261 | ||
262 | mutex_lock(&iint->mutex); | |
263 | iint->opencount--; | |
264 | if ((mask & MAY_WRITE) || (mask == 0)) | |
265 | iint->writecount--; | |
266 | else if (mask & (MAY_READ | MAY_EXEC)) | |
267 | iint->readcount--; | |
268 | mutex_unlock(&iint->mutex); | |
53a7197a EP |
269 | |
270 | kref_put(&iint->refcount, iint_free); | |
94e5d714 MZ |
271 | } |
272 | ||
273 | /* | |
274 | * ima_counts_get - increment file counts | |
b9fc745d MZ |
275 | * |
276 | * - for IPC shm and shmat file. | |
277 | * - for nfsd exported files. | |
278 | * | |
279 | * Increment the counts for these files to prevent unnecessary | |
280 | * imbalance messages. | |
281 | */ | |
282 | void ima_counts_get(struct file *file) | |
1df9f0a7 MZ |
283 | { |
284 | struct inode *inode = file->f_dentry->d_inode; | |
285 | struct ima_iint_cache *iint; | |
286 | ||
287 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | |
288 | return; | |
289 | iint = ima_iint_find_insert_get(inode); | |
290 | if (!iint) | |
291 | return; | |
292 | mutex_lock(&iint->mutex); | |
293 | iint->opencount++; | |
b9fc745d MZ |
294 | if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) |
295 | iint->readcount++; | |
296 | ||
297 | if (file->f_mode & FMODE_WRITE) | |
298 | iint->writecount++; | |
1df9f0a7 | 299 | mutex_unlock(&iint->mutex); |
53a7197a EP |
300 | |
301 | kref_put(&iint->refcount, iint_free); | |
1df9f0a7 | 302 | } |
b9fc745d | 303 | EXPORT_SYMBOL_GPL(ima_counts_get); |
1df9f0a7 | 304 | |
3323eec9 MZ |
305 | /** |
306 | * ima_file_mmap - based on policy, collect/store measurement. | |
307 | * @file: pointer to the file to be measured (May be NULL) | |
308 | * @prot: contains the protection that will be applied by the kernel. | |
309 | * | |
310 | * Measure files being mmapped executable based on the ima_must_measure() | |
311 | * policy decision. | |
312 | * | |
313 | * Return 0 on success, an error code on failure. | |
314 | * (Based on the results of appraise_measurement().) | |
315 | */ | |
316 | int ima_file_mmap(struct file *file, unsigned long prot) | |
317 | { | |
318 | int rc; | |
319 | ||
320 | if (!file) | |
321 | return 0; | |
322 | if (prot & PROT_EXEC) | |
323 | rc = process_measurement(file, file->f_dentry->d_name.name, | |
324 | MAY_EXEC, FILE_MMAP); | |
325 | return 0; | |
326 | } | |
327 | ||
328 | /** | |
329 | * ima_bprm_check - based on policy, collect/store measurement. | |
330 | * @bprm: contains the linux_binprm structure | |
331 | * | |
332 | * The OS protects against an executable file, already open for write, | |
333 | * from being executed in deny_write_access() and an executable file, | |
334 | * already open for execute, from being modified in get_write_access(). | |
335 | * So we can be certain that what we verify and measure here is actually | |
336 | * what is being executed. | |
337 | * | |
338 | * Return 0 on success, an error code on failure. | |
339 | * (Based on the results of appraise_measurement().) | |
340 | */ | |
341 | int ima_bprm_check(struct linux_binprm *bprm) | |
342 | { | |
343 | int rc; | |
344 | ||
345 | rc = process_measurement(bprm->file, bprm->filename, | |
346 | MAY_EXEC, BPRM_CHECK); | |
347 | return 0; | |
348 | } | |
349 | ||
350 | static int __init init_ima(void) | |
351 | { | |
352 | int error; | |
353 | ||
354 | ima_iintcache_init(); | |
355 | error = ima_init(); | |
356 | ima_initialized = 1; | |
357 | return error; | |
358 | } | |
359 | ||
bab73937 MZ |
360 | static void __exit cleanup_ima(void) |
361 | { | |
362 | ima_cleanup(); | |
363 | } | |
364 | ||
3323eec9 MZ |
365 | late_initcall(init_ima); /* Start IMA after the TPM is available */ |
366 | ||
367 | MODULE_DESCRIPTION("Integrity Measurement Architecture"); | |
368 | MODULE_LICENSE("GPL"); |