LXR linux/security/integrity/ima/ima

   1/*
   2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
   3 *
   4 * Authors:
   5 * Kylene Hall <kjhall@us.ibm.com>
   6 * Reiner Sailer <sailer@us.ibm.com>
   7 * Mimi Zohar <zohar@us.ibm.com>
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 *
  14 * File: ima_fs.c
  15 *      implemenents security file system for reporting
  16 *      current measurement list and IMA statistics
  17 */
  18#include <linux/fcntl.h>
  19#include <linux/slab.h>
  20#include <linux/module.h>
  21#include <linux/seq_file.h>
  22#include <linux/rculist.h>
  23#include <linux/rcupdate.h>
  24#include <linux/parser.h>
  25#include <linux/vmalloc.h>
  26
  27#include "ima.h"
  28
  29static DEFINE_MUTEX(ima_write_mutex);
  30
  31static int valid_policy = 1;
  32#define TMPBUFLEN 12
  33static ssize_t ima_show_htable_value(char __user *buf, size_t count,
  34                                     loff_t *ppos, atomic_long_t *val)
  35{
  36        char tmpbuf[TMPBUFLEN];
  37        ssize_t len;
  38
  39        len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
  40        return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
  41}
  42
  43static ssize_t ima_show_htable_violations(struct file *filp,
  44                                          char __user *buf,
  45                                          size_t count, loff_t *ppos)
  46{
  47        return ima_show_htable_value(buf, count, ppos, &ima_htable.violations);
  48}
  49
  50static const struct file_operations ima_htable_violations_ops = {
  51        .read = ima_show_htable_violations,
  52        .llseek = generic_file_llseek,
  53};
  54
  55static ssize_t ima_show_measurements_count(struct file *filp,
  56                                           char __user *buf,
  57                                           size_t count, loff_t *ppos)
  58{
  59        return ima_show_htable_value(buf, count, ppos, &ima_htable.len);
  60
  61}
  62
  63static const struct file_operations ima_measurements_count_ops = {
  64        .read = ima_show_measurements_count,
  65        .llseek = generic_file_llseek,
  66};
  67
  68/* returns pointer to hlist_node */
  69static void *ima_measurements_start(struct seq_file *m, loff_t *pos)
  70{
  71        loff_t l = *pos;
  72        struct ima_queue_entry *qe;
  73
  74        /* we need a lock since pos could point beyond last element */
  75        rcu_read_lock();
  76        list_for_each_entry_rcu(qe, &ima_measurements, later) {
  77                if (!l--) {
  78                        rcu_read_unlock();
  79                        return qe;
  80                }
  81        }
  82        rcu_read_unlock();
  83        return NULL;
  84}
  85
  86static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
  87{
  88        struct ima_queue_entry *qe = v;
  89
  90        /* lock protects when reading beyond last element
  91         * against concurrent list-extension
  92         */
  93        rcu_read_lock();
  94        qe = list_entry_rcu(qe->later.next, struct ima_queue_entry, later);
  95        rcu_read_unlock();
  96        (*pos)++;
  97
  98        return (&qe->later == &ima_measurements) ? NULL : qe;
  99}
 100
 101static void ima_measurements_stop(struct seq_file *m, void *v)
 102{
 103}
 104
 105void ima_putc(struct seq_file *m, void *data, int datalen)
 106{
 107        while (datalen--)
 108                seq_putc(m, *(char *)data++);
 109}
 110
 111/* print format:
 112 *       32bit-le=pcr#
 113 *       char[20]=template digest
 114 *       32bit-le=template name size
 115 *       char[n]=template name
 116 *       [eventdata length]
 117 *       eventdata[n]=template specific data
 118 */
 119static int ima_measurements_show(struct seq_file *m, void *v)
 120{
 121        /* the list never shrinks, so we don't need a lock here */
 122        struct ima_queue_entry *qe = v;
 123        struct ima_template_entry *e;
 124        char *template_name;
 125        int namelen;
 126        u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
 127        bool is_ima_template = false;
 128        int i;
 129
 130        /* get entry */
 131        e = qe->entry;
 132        if (e == NULL)
 133                return -1;
 134
 135        template_name = (e->template_desc->name[0] != '\0') ?
 136            e->template_desc->name : e->template_desc->fmt;
 137
 138        /*
 139         * 1st: PCRIndex
 140         * PCR used is always the same (config option) in
 141         * little-endian format
 142         */
 143        ima_putc(m, &pcr, sizeof(pcr));
 144
 145        /* 2nd: template digest */
 146        ima_putc(m, e->digest, TPM_DIGEST_SIZE);
 147
 148        /* 3rd: template name size */
 149        namelen = strlen(template_name);
 150        ima_putc(m, &namelen, sizeof(namelen));
 151
 152        /* 4th:  template name */
 153        ima_putc(m, template_name, namelen);
 154
 155        /* 5th:  template length (except for 'ima' template) */
 156        if (strcmp(template_name, IMA_TEMPLATE_IMA_NAME) == 0)
 157                is_ima_template = true;
 158
 159        if (!is_ima_template)
 160                ima_putc(m, &e->template_data_len,
 161                         sizeof(e->template_data_len));
 162
 163        /* 6th:  template specific data */
 164        for (i = 0; i < e->template_desc->num_fields; i++) {
 165                enum ima_show_type show = IMA_SHOW_BINARY;
 166                struct ima_template_field *field = e->template_desc->fields[i];
 167
 168                if (is_ima_template && strcmp(field->field_id, "d") == 0)
 169                        show = IMA_SHOW_BINARY_NO_FIELD_LEN;
 170                if (is_ima_template && strcmp(field->field_id, "n") == 0)
 171                        show = IMA_SHOW_BINARY_OLD_STRING_FMT;
 172                field->field_show(m, show, &e->template_data[i]);
 173        }
 174        return 0;
 175}
 176
 177static const struct seq_operations ima_measurments_seqops = {
 178        .start = ima_measurements_start,
 179        .next = ima_measurements_next,
 180        .stop = ima_measurements_stop,
 181        .show = ima_measurements_show
 182};
 183
 184static int ima_measurements_open(struct inode *inode, struct file *file)
 185{
 186        return seq_open(file, &ima_measurments_seqops);
 187}
 188
 189static const struct file_operations ima_measurements_ops = {
 190        .open = ima_measurements_open,
 191        .read = seq_read,
 192        .llseek = seq_lseek,
 193        .release = seq_release,
 194};
 195
 196void ima_print_digest(struct seq_file *m, u8 *digest, u32 size)
 197{
 198        u32 i;
 199
 200        for (i = 0; i < size; i++)
 201                seq_printf(m, "%02x", *(digest + i));
 202}
 203
 204/* print in ascii */
 205static int ima_ascii_measurements_show(struct seq_file *m, void *v)
 206{
 207        /* the list never shrinks, so we don't need a lock here */
 208        struct ima_queue_entry *qe = v;
 209        struct ima_template_entry *e;
 210        char *template_name;
 211        int i;
 212
 213        /* get entry */
 214        e = qe->entry;
 215        if (e == NULL)
 216                return -1;
 217
 218        template_name = (e->template_desc->name[0] != '\0') ?
 219            e->template_desc->name : e->template_desc->fmt;
 220
 221        /* 1st: PCR used (config option) */
 222        seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
 223
 224        /* 2nd: SHA1 template hash */
 225        ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
 226
 227        /* 3th:  template name */
 228        seq_printf(m, " %s", template_name);
 229
 230        /* 4th:  template specific data */
 231        for (i = 0; i < e->template_desc->num_fields; i++) {
 232                seq_puts(m, " ");
 233                if (e->template_data[i].len == 0)
 234                        continue;
 235
 236                e->template_desc->fields[i]->field_show(m, IMA_SHOW_ASCII,
 237                                                        &e->template_data[i]);
 238        }
 239        seq_puts(m, "\n");
 240        return 0;
 241}
 242
 243static const struct seq_operations ima_ascii_measurements_seqops = {
 244        .start = ima_measurements_start,
 245        .next = ima_measurements_next,
 246        .stop = ima_measurements_stop,
 247        .show = ima_ascii_measurements_show
 248};
 249
 250static int ima_ascii_measurements_open(struct inode *inode, struct file *file)
 251{
 252        return seq_open(file, &ima_ascii_measurements_seqops);
 253}
 254
 255static const struct file_operations ima_ascii_measurements_ops = {
 256        .open = ima_ascii_measurements_open,
 257        .read = seq_read,
 258        .llseek = seq_lseek,
 259        .release = seq_release,
 260};
 261
 262static ssize_t ima_read_policy(char *path)
 263{
 264        void *data;
 265        char *datap;
 266        loff_t size;
 267        int rc, pathlen = strlen(path);
 268
 269        char *p;
 270
 271        /* remove \n */
 272        datap = path;
 273        strsep(&datap, "\n");
 274
 275        rc = kernel_read_file_from_path(path, &data, &size, 0, READING_POLICY);
 276        if (rc < 0) {
 277                pr_err("Unable to open file: %s (%d)", path, rc);
 278                return rc;
 279        }
 280
 281        datap = data;
 282        while (size > 0 && (p = strsep(&datap, "\n"))) {
 283                pr_debug("rule: %s\n", p);
 284                rc = ima_parse_add_rule(p);
 285                if (rc < 0)
 286                        break;
 287                size -= rc;
 288        }
 289
 290        vfree(data);
 291        if (rc < 0)
 292                return rc;
 293        else if (size)
 294                return -EINVAL;
 295        else
 296                return pathlen;
 297}
 298
 299static ssize_t ima_write_policy(struct file *file, const char __user *buf,
 300                                size_t datalen, loff_t *ppos)
 301{
 302        char *data;
 303        ssize_t result;
 304
 305        if (datalen >= PAGE_SIZE)
 306                datalen = PAGE_SIZE - 1;
 307
 308        /* No partial writes. */
 309        result = -EINVAL;
 310        if (*ppos != 0)
 311                goto out;
 312
 313        result = -ENOMEM;
 314        data = kmalloc(datalen + 1, GFP_KERNEL);
 315        if (!data)
 316                goto out;
 317
 318        *(data + datalen) = '\0';
 319
 320        result = -EFAULT;
 321        if (copy_from_user(data, buf, datalen))
 322                goto out_free;
 323
 324        result = mutex_lock_interruptible(&ima_write_mutex);
 325        if (result < 0)
 326                goto out_free;
 327
 328        if (data[0] == '/') {
 329                result = ima_read_policy(data);
 330        } else if (ima_appraise & IMA_APPRAISE_POLICY) {
 331                pr_err("IMA: signed policy file (specified as an absolute pathname) required\n");
 332                integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
 333                                    "policy_update", "signed policy required",
 334                                    1, 0);
 335                if (ima_appraise & IMA_APPRAISE_ENFORCE)
 336                        result = -EACCES;
 337        } else {
 338                result = ima_parse_add_rule(data);
 339        }
 340        mutex_unlock(&ima_write_mutex);
 341out_free:
 342        kfree(data);
 343out:
 344        if (result < 0)
 345                valid_policy = 0;
 346
 347        return result;
 348}
 349
 350static struct dentry *ima_dir;
 351static struct dentry *binary_runtime_measurements;
 352static struct dentry *ascii_runtime_measurements;
 353static struct dentry *runtime_measurements_count;
 354static struct dentry *violations;
 355static struct dentry *ima_policy;
 356
 357enum ima_fs_flags {
 358        IMA_FS_BUSY,
 359};
 360
 361static unsigned long ima_fs_flags;
 362
 363#ifdef  CONFIG_IMA_READ_POLICY
 364static const struct seq_operations ima_policy_seqops = {
 365                .start = ima_policy_start,
 366                .next = ima_policy_next,
 367                .stop = ima_policy_stop,
 368                .show = ima_policy_show,
 369};
 370#endif
 371
 372/*
 373 * ima_open_policy: sequentialize access to the policy file
 374 */
 375static int ima_open_policy(struct inode *inode, struct file *filp)
 376{
 377        if (!(filp->f_flags & O_WRONLY)) {
 378#ifndef CONFIG_IMA_READ_POLICY
 379                return -EACCES;
 380#else
 381                if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
 382                        return -EACCES;
 383                if (!capable(CAP_SYS_ADMIN))
 384                        return -EPERM;
 385                return seq_open(filp, &ima_policy_seqops);
 386#endif
 387        }
 388        if (test_and_set_bit(IMA_FS_BUSY, &ima_fs_flags))
 389                return -EBUSY;
 390        return 0;
 391}
 392
 393/*
 394 * ima_release_policy - start using the new measure policy rules.
 395 *
 396 * Initially, ima_measure points to the default policy rules, now
 397 * point to the new policy rules, and remove the securityfs policy file,
 398 * assuming a valid policy.
 399 */
 400static int ima_release_policy(struct inode *inode, struct file *file)
 401{
 402        const char *cause = valid_policy ? "completed" : "failed";
 403
 404        if ((file->f_flags & O_ACCMODE) == O_RDONLY)
 405                return 0;
 406
 407        if (valid_policy && ima_check_policy() < 0) {
 408                cause = "failed";
 409                valid_policy = 0;
 410        }
 411
 412        pr_info("IMA: policy update %s\n", cause);
 413        integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
 414                            "policy_update", cause, !valid_policy, 0);
 415
 416        if (!valid_policy) {
 417                ima_delete_rules();
 418                valid_policy = 1;
 419                clear_bit(IMA_FS_BUSY, &ima_fs_flags);
 420                return 0;
 421        }
 422
 423        ima_update_policy();
 424#ifndef CONFIG_IMA_WRITE_POLICY
 425        securityfs_remove(ima_policy);
 426        ima_policy = NULL;
 427#else
 428        clear_bit(IMA_FS_BUSY, &ima_fs_flags);
 429#endif
 430        return 0;
 431}
 432
 433static const struct file_operations ima_measure_policy_ops = {
 434        .open = ima_open_policy,
 435        .write = ima_write_policy,
 436        .read = seq_read,
 437        .release = ima_release_policy,
 438        .llseek = generic_file_llseek,
 439};
 440
 441int __init ima_fs_init(void)
 442{
 443        ima_dir = securityfs_create_dir("ima", NULL);
 444        if (IS_ERR(ima_dir))
 445                return -1;
 446
 447        binary_runtime_measurements =
 448            securityfs_create_file("binary_runtime_measurements",
 449                                   S_IRUSR | S_IRGRP, ima_dir, NULL,
 450                                   &ima_measurements_ops);
 451        if (IS_ERR(binary_runtime_measurements))
 452                goto out;
 453
 454        ascii_runtime_measurements =
 455            securityfs_create_file("ascii_runtime_measurements",
 456                                   S_IRUSR | S_IRGRP, ima_dir, NULL,
 457                                   &ima_ascii_measurements_ops);
 458        if (IS_ERR(ascii_runtime_measurements))
 459                goto out;
 460
 461        runtime_measurements_count =
 462            securityfs_create_file("runtime_measurements_count",
 463                                   S_IRUSR | S_IRGRP, ima_dir, NULL,
 464                                   &ima_measurements_count_ops);
 465        if (IS_ERR(runtime_measurements_count))
 466                goto out;
 467
 468        violations =
 469            securityfs_create_file("violations", S_IRUSR | S_IRGRP,
 470                                   ima_dir, NULL, &ima_htable_violations_ops);
 471        if (IS_ERR(violations))
 472                goto out;
 473
 474        ima_policy = securityfs_create_file("policy", POLICY_FILE_FLAGS,
 475                                            ima_dir, NULL,
 476                                            &ima_measure_policy_ops);
 477        if (IS_ERR(ima_policy))
 478                goto out;
 479
 480        return 0;
 481out:
 482        securityfs_remove(violations);
 483        securityfs_remove(runtime_measurements_count);
 484        securityfs_remove(ascii_runtime_measurements);
 485        securityfs_remove(binary_runtime_measurements);
 486        securityfs_remove(ima_dir);
 487        securityfs_remove(ima_policy);
 488        return -1;
 489}
 490