2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
5 * Reiner Sailer <sailer@watson.ibm.com>
6 * Serge Hallyn <serue@us.ibm.com>
7 * Kylene Hall <kylene@us.ibm.com>
8 * Mimi Zohar <zohar@us.ibm.com>
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
16 * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
19 #include <linux/module.h>
20 #include <linux/file.h>
21 #include <linux/binfmts.h>
22 #include <linux/mount.h>
23 #include <linux/mman.h>
24 #include <linux/slab.h>
25 #include <linux/ima.h>
31 char *ima_hash = "sha1";
32 static int __init hash_setup(char *str)
34 if (strncmp(str, "md5", 3) == 0)
38 __setup("ima_hash=", hash_setup);
41 * ima_rdwr_violation_check
43 * Only invalidate the PCR for measured files:
44 * - Opening a file for write when already open for read,
45 * results in a time of measure, time of use (ToMToU) error.
46 * - Opening a file for read when already open for write,
47 * could result in a file measurement error.
50 static void ima_rdwr_violation_check(struct file *file)
52 struct dentry *dentry = file->f_path.dentry;
53 struct inode *inode = dentry->d_inode;
54 fmode_t mode = file->f_mode;
56 bool send_tomtou = false, send_writers = false;
57 unsigned char *pathname = NULL, *pathbuf = NULL;
59 if (!S_ISREG(inode->i_mode) || !ima_initialized)
62 mutex_lock(&inode->i_mutex); /* file metadata: permissions, xattr */
64 if (mode & FMODE_WRITE) {
65 if (atomic_read(&inode->i_readcount) && IS_IMA(inode))
70 rc = ima_must_measure(inode, MAY_READ, FILE_CHECK);
74 if (atomic_read(&inode->i_writecount) > 0)
77 mutex_unlock(&inode->i_mutex);
79 if (!send_tomtou && !send_writers)
82 /* We will allow 11 spaces for ' (deleted)' to be appended */
83 pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
85 pathname = d_path(&file->f_path, pathbuf, PATH_MAX + 11);
88 else if (strlen(pathname) > IMA_EVENT_NAME_LEN_MAX)
92 ima_add_violation(inode,
93 !pathname ? dentry->d_name.name : pathname,
94 "invalid_pcr", "ToMToU");
96 ima_add_violation(inode,
97 !pathname ? dentry->d_name.name : pathname,
98 "invalid_pcr", "open_writers");
102 static void ima_check_last_writer(struct integrity_iint_cache *iint,
106 fmode_t mode = file->f_mode;
108 mutex_lock(&iint->mutex);
109 if (mode & FMODE_WRITE &&
110 atomic_read(&inode->i_writecount) == 1 &&
111 iint->version != inode->i_version)
112 iint->flags &= ~IMA_MEASURED;
113 mutex_unlock(&iint->mutex);
117 * ima_file_free - called on __fput()
118 * @file: pointer to file structure being freed
120 * Flag files that changed, based on i_version
122 void ima_file_free(struct file *file)
124 struct inode *inode = file->f_dentry->d_inode;
125 struct integrity_iint_cache *iint;
127 if (!iint_initialized || !S_ISREG(inode->i_mode))
130 iint = integrity_iint_find(inode);
134 ima_check_last_writer(iint, inode, file);
137 static int process_measurement(struct file *file, const unsigned char *filename,
138 int mask, int function)
140 struct inode *inode = file->f_dentry->d_inode;
141 struct integrity_iint_cache *iint;
142 unsigned char *pathname = NULL, *pathbuf = NULL;
145 if (!ima_initialized || !S_ISREG(inode->i_mode))
148 rc = ima_must_measure(inode, mask, function);
152 iint = integrity_iint_find(inode);
154 rc = integrity_inode_alloc(inode);
155 if (!rc || rc == -EEXIST)
160 mutex_lock(&iint->mutex);
162 rc = iint->flags & IMA_MEASURED ? 1 : 0;
166 rc = ima_collect_measurement(iint, file);
170 if (function != BPRM_CHECK) {
171 /* We will allow 11 spaces for ' (deleted)' to be appended */
172 pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
175 d_path(&file->f_path, pathbuf, PATH_MAX + 11);
176 if (IS_ERR(pathname))
180 ima_store_measurement(iint, file, !pathname ? filename : pathname);
183 mutex_unlock(&iint->mutex);
188 * ima_file_mmap - based on policy, collect/store measurement.
189 * @file: pointer to the file to be measured (May be NULL)
190 * @prot: contains the protection that will be applied by the kernel.
192 * Measure files being mmapped executable based on the ima_must_measure()
195 * Return 0 on success, an error code on failure.
196 * (Based on the results of appraise_measurement().)
198 int ima_file_mmap(struct file *file, unsigned long prot)
204 if (prot & PROT_EXEC)
205 rc = process_measurement(file, file->f_dentry->d_name.name,
206 MAY_EXEC, FILE_MMAP);
211 * ima_bprm_check - based on policy, collect/store measurement.
212 * @bprm: contains the linux_binprm structure
214 * The OS protects against an executable file, already open for write,
215 * from being executed in deny_write_access() and an executable file,
216 * already open for execute, from being modified in get_write_access().
217 * So we can be certain that what we verify and measure here is actually
218 * what is being executed.
220 * Return 0 on success, an error code on failure.
221 * (Based on the results of appraise_measurement().)
223 int ima_bprm_check(struct linux_binprm *bprm)
227 rc = process_measurement(bprm->file,
228 (strcmp(bprm->filename, bprm->interp) == 0) ?
229 bprm->filename : bprm->interp,
230 MAY_EXEC, BPRM_CHECK);
235 * ima_path_check - based on policy, collect/store measurement.
236 * @file: pointer to the file to be measured
237 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
239 * Measure files based on the ima_must_measure() policy decision.
241 * Always return 0 and audit dentry_open failures.
242 * (Return code will be based upon measurement appraisal.)
244 int ima_file_check(struct file *file, int mask)
248 ima_rdwr_violation_check(file);
249 rc = process_measurement(file, file->f_dentry->d_name.name,
250 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
254 EXPORT_SYMBOL_GPL(ima_file_check);
256 static int __init init_ima(void)
266 late_initcall(init_ima); /* Start IMA after the TPM is available */
268 MODULE_DESCRIPTION("Integrity Measurement Architecture");
269 MODULE_LICENSE("GPL");