1
2
3
4
5
6
7
8
9
10
11
12
13#ifndef __LINUX_IMA_H
14#define __LINUX_IMA_H
15
16#include <linux/types.h>
17#include <linux/crypto.h>
18#include <linux/fs.h>
19#include <linux/security.h>
20#include <linux/hash.h>
21#include <linux/tpm.h>
22#include <linux/audit.h>
23#include <crypto/hash_info.h>
24
25#include "../integrity.h"
26
27enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
28 IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
29enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
30
31
32#define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
33#define IMA_EVENT_NAME_LEN_MAX 255
34
35#define IMA_HASH_BITS 10
36#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
37
38#define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16
39#define IMA_TEMPLATE_NUM_FIELDS_MAX 15
40
41#define IMA_TEMPLATE_IMA_NAME "ima"
42#define IMA_TEMPLATE_IMA_FMT "d|n"
43
44#define NR_BANKS(chip) ((chip != NULL) ? chip->nr_allocated_banks : 0)
45
46
47extern int ima_policy_flag;
48
49
50extern int ima_hash_algo;
51extern int ima_sha1_idx __ro_after_init;
52extern int ima_hash_algo_idx __ro_after_init;
53extern int ima_extra_slots __ro_after_init;
54extern int ima_appraise;
55extern struct tpm_chip *ima_tpm_chip;
56extern const char boot_aggregate_name[];
57
58
59struct ima_event_data {
60 struct integrity_iint_cache *iint;
61 struct file *file;
62 const unsigned char *filename;
63 struct evm_ima_xattr_data *xattr_value;
64 int xattr_len;
65 const struct modsig *modsig;
66 const char *violation;
67 const void *buf;
68 int buf_len;
69};
70
71
72struct ima_field_data {
73 u8 *data;
74 u32 len;
75};
76
77
78struct ima_template_field {
79 const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
80 int (*field_init)(struct ima_event_data *event_data,
81 struct ima_field_data *field_data);
82 void (*field_show)(struct seq_file *m, enum ima_show_type show,
83 struct ima_field_data *field_data);
84};
85
86
87struct ima_template_desc {
88 struct list_head list;
89 char *name;
90 char *fmt;
91 int num_fields;
92 const struct ima_template_field **fields;
93};
94
95struct ima_template_entry {
96 int pcr;
97 struct tpm_digest *digests;
98 struct ima_template_desc *template_desc;
99 u32 template_data_len;
100 struct ima_field_data template_data[];
101};
102
103struct ima_queue_entry {
104 struct hlist_node hnext;
105 struct list_head later;
106 struct ima_template_entry *entry;
107};
108extern struct list_head ima_measurements;
109
110
111struct ima_kexec_hdr {
112 u16 version;
113 u16 _reserved0;
114 u32 _reserved1;
115 u64 buffer_size;
116 u64 count;
117};
118
119extern const int read_idmap[];
120
121#ifdef CONFIG_HAVE_IMA_KEXEC
122void ima_load_kexec_buffer(void);
123#else
124static inline void ima_load_kexec_buffer(void) {}
125#endif
126
127
128
129
130
131extern bool ima_canonical_fmt;
132
133
134int ima_init(void);
135int ima_fs_init(void);
136int ima_add_template_entry(struct ima_template_entry *entry, int violation,
137 const char *op, struct inode *inode,
138 const unsigned char *filename);
139int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
140int ima_calc_buffer_hash(const void *buf, loff_t len,
141 struct ima_digest_data *hash);
142int ima_calc_field_array_hash(struct ima_field_data *field_data,
143 struct ima_template_entry *entry);
144int ima_calc_boot_aggregate(struct ima_digest_data *hash);
145void ima_add_violation(struct file *file, const unsigned char *filename,
146 struct integrity_iint_cache *iint,
147 const char *op, const char *cause);
148int ima_init_crypto(void);
149void ima_putc(struct seq_file *m, void *data, int datalen);
150void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
151int template_desc_init_fields(const char *template_fmt,
152 const struct ima_template_field ***fields,
153 int *num_fields);
154struct ima_template_desc *ima_template_desc_current(void);
155struct ima_template_desc *ima_template_desc_buf(void);
156struct ima_template_desc *lookup_template_desc(const char *name);
157bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
158int ima_restore_measurement_entry(struct ima_template_entry *entry);
159int ima_restore_measurement_list(loff_t bufsize, void *buf);
160int ima_measurements_show(struct seq_file *m, void *v);
161unsigned long ima_get_binary_runtime_size(void);
162int ima_init_template(void);
163void ima_init_template_list(void);
164int __init ima_init_digests(void);
165int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
166 void *lsm_data);
167
168
169
170
171extern spinlock_t ima_queue_lock;
172
173struct ima_h_table {
174 atomic_long_t len;
175 atomic_long_t violations;
176 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
177};
178extern struct ima_h_table ima_htable;
179
180static inline unsigned int ima_hash_key(u8 *digest)
181{
182
183 return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
184}
185
186#define __ima_hooks(hook) \
187 hook(NONE, none) \
188 hook(FILE_CHECK, file) \
189 hook(MMAP_CHECK, mmap) \
190 hook(BPRM_CHECK, bprm) \
191 hook(CREDS_CHECK, creds) \
192 hook(POST_SETATTR, post_setattr) \
193 hook(MODULE_CHECK, module) \
194 hook(FIRMWARE_CHECK, firmware) \
195 hook(KEXEC_KERNEL_CHECK, kexec_kernel) \
196 hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs) \
197 hook(POLICY_CHECK, policy) \
198 hook(KEXEC_CMDLINE, kexec_cmdline) \
199 hook(KEY_CHECK, key) \
200 hook(CRITICAL_DATA, critical_data) \
201 hook(MAX_CHECK, none)
202
203#define __ima_hook_enumify(ENUM, str) ENUM,
204#define __ima_stringify(arg) (#arg)
205#define __ima_hook_measuring_stringify(ENUM, str) \
206 (__ima_stringify(measuring_ ##str)),
207
208enum ima_hooks {
209 __ima_hooks(__ima_hook_enumify)
210};
211
212static const char * const ima_hooks_measure_str[] = {
213 __ima_hooks(__ima_hook_measuring_stringify)
214};
215
216static inline const char *func_measure_str(enum ima_hooks func)
217{
218 if (func >= MAX_CHECK)
219 return ima_hooks_measure_str[NONE];
220
221 return ima_hooks_measure_str[func];
222}
223
224extern const char *const func_tokens[];
225
226struct modsig;
227
228#ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS
229
230
231
232struct ima_key_entry {
233 struct list_head list;
234 void *payload;
235 size_t payload_len;
236 char *keyring_name;
237};
238void ima_init_key_queue(void);
239bool ima_should_queue_key(void);
240bool ima_queue_key(struct key *keyring, const void *payload,
241 size_t payload_len);
242void ima_process_queued_keys(void);
243#else
244static inline void ima_init_key_queue(void) {}
245static inline bool ima_should_queue_key(void) { return false; }
246static inline bool ima_queue_key(struct key *keyring,
247 const void *payload,
248 size_t payload_len) { return false; }
249static inline void ima_process_queued_keys(void) {}
250#endif
251
252
253int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
254 const struct cred *cred, u32 secid, int mask,
255 enum ima_hooks func, int *pcr,
256 struct ima_template_desc **template_desc,
257 const char *func_data);
258int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
259int ima_collect_measurement(struct integrity_iint_cache *iint,
260 struct file *file, void *buf, loff_t size,
261 enum hash_algo algo, struct modsig *modsig);
262void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
263 const unsigned char *filename,
264 struct evm_ima_xattr_data *xattr_value,
265 int xattr_len, const struct modsig *modsig, int pcr,
266 struct ima_template_desc *template_desc);
267void process_buffer_measurement(struct user_namespace *mnt_userns,
268 struct inode *inode, const void *buf, int size,
269 const char *eventname, enum ima_hooks func,
270 int pcr, const char *func_data,
271 bool buf_hash);
272void ima_audit_measurement(struct integrity_iint_cache *iint,
273 const unsigned char *filename);
274int ima_alloc_init_template(struct ima_event_data *event_data,
275 struct ima_template_entry **entry,
276 struct ima_template_desc *template_desc);
277int ima_store_template(struct ima_template_entry *entry, int violation,
278 struct inode *inode,
279 const unsigned char *filename, int pcr);
280void ima_free_template_entry(struct ima_template_entry *entry);
281const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
282
283
284int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
285 const struct cred *cred, u32 secid, enum ima_hooks func,
286 int mask, int flags, int *pcr,
287 struct ima_template_desc **template_desc,
288 const char *func_data);
289void ima_init_policy(void);
290void ima_update_policy(void);
291void ima_update_policy_flag(void);
292ssize_t ima_parse_add_rule(char *);
293void ima_delete_rules(void);
294int ima_check_policy(void);
295void *ima_policy_start(struct seq_file *m, loff_t *pos);
296void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
297void ima_policy_stop(struct seq_file *m, void *v);
298int ima_policy_show(struct seq_file *m, void *v);
299
300
301#define IMA_APPRAISE_ENFORCE 0x01
302#define IMA_APPRAISE_FIX 0x02
303#define IMA_APPRAISE_LOG 0x04
304#define IMA_APPRAISE_MODULES 0x08
305#define IMA_APPRAISE_FIRMWARE 0x10
306#define IMA_APPRAISE_POLICY 0x20
307#define IMA_APPRAISE_KEXEC 0x40
308
309#ifdef CONFIG_IMA_APPRAISE
310int ima_check_blacklist(struct integrity_iint_cache *iint,
311 const struct modsig *modsig, int pcr);
312int ima_appraise_measurement(enum ima_hooks func,
313 struct integrity_iint_cache *iint,
314 struct file *file, const unsigned char *filename,
315 struct evm_ima_xattr_data *xattr_value,
316 int xattr_len, const struct modsig *modsig);
317int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
318 int mask, enum ima_hooks func);
319void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
320enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
321 enum ima_hooks func);
322enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
323 int xattr_len);
324int ima_read_xattr(struct dentry *dentry,
325 struct evm_ima_xattr_data **xattr_value);
326
327#else
328static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
329 const struct modsig *modsig, int pcr)
330{
331 return 0;
332}
333
334static inline int ima_appraise_measurement(enum ima_hooks func,
335 struct integrity_iint_cache *iint,
336 struct file *file,
337 const unsigned char *filename,
338 struct evm_ima_xattr_data *xattr_value,
339 int xattr_len,
340 const struct modsig *modsig)
341{
342 return INTEGRITY_UNKNOWN;
343}
344
345static inline int ima_must_appraise(struct user_namespace *mnt_userns,
346 struct inode *inode, int mask,
347 enum ima_hooks func)
348{
349 return 0;
350}
351
352static inline void ima_update_xattr(struct integrity_iint_cache *iint,
353 struct file *file)
354{
355}
356
357static inline enum integrity_status ima_get_cache_status(struct integrity_iint_cache
358 *iint,
359 enum ima_hooks func)
360{
361 return INTEGRITY_UNKNOWN;
362}
363
364static inline enum hash_algo
365ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len)
366{
367 return ima_hash_algo;
368}
369
370static inline int ima_read_xattr(struct dentry *dentry,
371 struct evm_ima_xattr_data **xattr_value)
372{
373 return 0;
374}
375
376#endif
377
378#ifdef CONFIG_IMA_APPRAISE_MODSIG
379int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
380 struct modsig **modsig);
381void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size);
382int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
383 const u8 **digest, u32 *digest_size);
384int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
385 u32 *data_len);
386void ima_free_modsig(struct modsig *modsig);
387#else
388static inline int ima_read_modsig(enum ima_hooks func, const void *buf,
389 loff_t buf_len, struct modsig **modsig)
390{
391 return -EOPNOTSUPP;
392}
393
394static inline void ima_collect_modsig(struct modsig *modsig, const void *buf,
395 loff_t size)
396{
397}
398
399static inline int ima_get_modsig_digest(const struct modsig *modsig,
400 enum hash_algo *algo, const u8 **digest,
401 u32 *digest_size)
402{
403 return -EOPNOTSUPP;
404}
405
406static inline int ima_get_raw_modsig(const struct modsig *modsig,
407 const void **data, u32 *data_len)
408{
409 return -EOPNOTSUPP;
410}
411
412static inline void ima_free_modsig(struct modsig *modsig)
413{
414}
415#endif
416
417
418#ifdef CONFIG_IMA_LSM_RULES
419
420#define ima_filter_rule_init security_audit_rule_init
421#define ima_filter_rule_free security_audit_rule_free
422#define ima_filter_rule_match security_audit_rule_match
423
424#else
425
426static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
427 void **lsmrule)
428{
429 return -EINVAL;
430}
431
432static inline void ima_filter_rule_free(void *lsmrule)
433{
434}
435
436static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
437 void *lsmrule)
438{
439 return -EINVAL;
440}
441#endif
442
443#ifdef CONFIG_IMA_READ_POLICY
444#define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR)
445#else
446#define POLICY_FILE_FLAGS S_IWUSR
447#endif
448
449#endif
450