1
2
3
4
5
6
7
8
9
10
11
12
13
14#include <linux/types.h>
15#include <linux/integrity.h>
16#include <crypto/sha.h>
17#include <linux/key.h>
18#include <linux/audit.h>
19
20
21#define IMA_MEASURE 0x00000001
22#define IMA_MEASURED 0x00000002
23#define IMA_APPRAISE 0x00000004
24#define IMA_APPRAISED 0x00000008
25
26#define IMA_COLLECTED 0x00000020
27#define IMA_AUDIT 0x00000040
28#define IMA_AUDITED 0x00000080
29#define IMA_HASH 0x00000100
30#define IMA_HASHED 0x00000200
31
32
33#define IMA_ACTION_FLAGS 0xff000000
34#define IMA_DIGSIG_REQUIRED 0x01000000
35#define IMA_PERMIT_DIRECTIO 0x02000000
36#define IMA_NEW_FILE 0x04000000
37#define EVM_IMMUTABLE_DIGSIG 0x08000000
38#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
39
40#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
41 IMA_HASH | IMA_APPRAISE_SUBMASK)
42#define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \
43 IMA_HASHED | IMA_COLLECTED | \
44 IMA_APPRAISED_SUBMASK)
45
46
47#define IMA_FILE_APPRAISE 0x00001000
48#define IMA_FILE_APPRAISED 0x00002000
49#define IMA_MMAP_APPRAISE 0x00004000
50#define IMA_MMAP_APPRAISED 0x00008000
51#define IMA_BPRM_APPRAISE 0x00010000
52#define IMA_BPRM_APPRAISED 0x00020000
53#define IMA_READ_APPRAISE 0x00040000
54#define IMA_READ_APPRAISED 0x00080000
55#define IMA_CREDS_APPRAISE 0x00100000
56#define IMA_CREDS_APPRAISED 0x00200000
57#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
58 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \
59 IMA_CREDS_APPRAISE)
60#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
61 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \
62 IMA_CREDS_APPRAISED)
63
64
65#define IMA_CHANGE_XATTR 0
66#define IMA_UPDATE_XATTR 1
67#define IMA_CHANGE_ATTR 2
68#define IMA_DIGSIG 3
69#define IMA_MUST_MEASURE 4
70
71enum evm_ima_xattr_type {
72 IMA_XATTR_DIGEST = 0x01,
73 EVM_XATTR_HMAC,
74 EVM_IMA_XATTR_DIGSIG,
75 IMA_XATTR_DIGEST_NG,
76 EVM_XATTR_PORTABLE_DIGSIG,
77 IMA_XATTR_LAST
78};
79
80struct evm_ima_xattr_data {
81 u8 type;
82 u8 digest[SHA1_DIGEST_SIZE];
83} __packed;
84
85#define IMA_MAX_DIGEST_SIZE 64
86
87struct ima_digest_data {
88 u8 algo;
89 u8 length;
90 union {
91 struct {
92 u8 unused;
93 u8 type;
94 } sha1;
95 struct {
96 u8 type;
97 u8 algo;
98 } ng;
99 u8 data[2];
100 } xattr;
101 u8 digest[0];
102} __packed;
103
104
105
106
107struct signature_v2_hdr {
108 uint8_t type;
109 uint8_t version;
110 uint8_t hash_algo;
111 __be32 keyid;
112 __be16 sig_size;
113 uint8_t sig[0];
114} __packed;
115
116
117struct integrity_iint_cache {
118 struct rb_node rb_node;
119 struct mutex mutex;
120 struct inode *inode;
121 u64 version;
122 unsigned long flags;
123 unsigned long measured_pcrs;
124 unsigned long atomic_flags;
125 enum integrity_status ima_file_status:4;
126 enum integrity_status ima_mmap_status:4;
127 enum integrity_status ima_bprm_status:4;
128 enum integrity_status ima_read_status:4;
129 enum integrity_status ima_creds_status:4;
130 enum integrity_status evm_status:4;
131 struct ima_digest_data *ima_hash;
132};
133
134
135
136
137struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
138
139int integrity_kernel_read(struct file *file, loff_t offset,
140 void *addr, unsigned long count);
141
142#define INTEGRITY_KEYRING_EVM 0
143#define INTEGRITY_KEYRING_IMA 1
144#define INTEGRITY_KEYRING_MODULE 2
145#define INTEGRITY_KEYRING_MAX 3
146
147extern struct dentry *integrity_dir;
148
149#ifdef CONFIG_INTEGRITY_SIGNATURE
150
151int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
152 const char *digest, int digestlen);
153
154int __init integrity_init_keyring(const unsigned int id);
155int __init integrity_load_x509(const unsigned int id, const char *path);
156#else
157
158static inline int integrity_digsig_verify(const unsigned int id,
159 const char *sig, int siglen,
160 const char *digest, int digestlen)
161{
162 return -EOPNOTSUPP;
163}
164
165static inline int integrity_init_keyring(const unsigned int id)
166{
167 return 0;
168}
169#endif
170
171#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
172int asymmetric_verify(struct key *keyring, const char *sig,
173 int siglen, const char *data, int datalen);
174#else
175static inline int asymmetric_verify(struct key *keyring, const char *sig,
176 int siglen, const char *data, int datalen)
177{
178 return -EOPNOTSUPP;
179}
180#endif
181
182#ifdef CONFIG_IMA_LOAD_X509
183void __init ima_load_x509(void);
184#else
185static inline void ima_load_x509(void)
186{
187}
188#endif
189
190#ifdef CONFIG_EVM_LOAD_X509
191void __init evm_load_x509(void);
192#else
193static inline void evm_load_x509(void)
194{
195}
196#endif
197
198#ifdef CONFIG_INTEGRITY_AUDIT
199
200void integrity_audit_msg(int audit_msgno, struct inode *inode,
201 const unsigned char *fname, const char *op,
202 const char *cause, int result, int info);
203
204static inline struct audit_buffer *
205integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
206{
207 return audit_log_start(ctx, gfp_mask, type);
208}
209
210#else
211static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
212 const unsigned char *fname,
213 const char *op, const char *cause,
214 int result, int info)
215{
216}
217
218static inline struct audit_buffer *
219integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
220{
221 return NULL;
222}
223
224#endif
225
