e7c568e0fd
This adds an 'audit' policy action which audit logs file measurements. Changelog v6: - use new action flag handling (Dmitry Kasatkin). - removed whitespace (Mimi) Changelog v5: - use audit_log_untrustedstring. Changelog v4: - cleanup digest -> hash conversion. - use filename rather than d_path in ima_audit_measurement. Changelog v3: - Use newly exported audit_log_task_info for logging pid/ppid/uid/etc. - Update the ima_policy ABI documentation. Changelog v2: - Use 'audit' action rather than 'measure_and_audit' to permit auditing in the absence of measuring.. Changelog v1: - Initial posting. Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
240 lines
6.8 KiB
C
240 lines
6.8 KiB
C
/*
|
|
* Copyright (C) 2008 IBM Corporation
|
|
*
|
|
* Author: Mimi Zohar <zohar@us.ibm.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*
|
|
* File: ima_api.c
|
|
* Implements must_appraise_or_measure, collect_measurement,
|
|
* appraise_measurement, store_measurement and store_template.
|
|
*/
|
|
#include <linux/module.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/file.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/xattr.h>
|
|
#include <linux/evm.h>
|
|
#include "ima.h"
|
|
|
|
static const char *IMA_TEMPLATE_NAME = "ima";
|
|
|
|
/*
|
|
* ima_store_template - store ima template measurements
|
|
*
|
|
* Calculate the hash of a template entry, add the template entry
|
|
* to an ordered list of measurement entries maintained inside the kernel,
|
|
* and also update the aggregate integrity value (maintained inside the
|
|
* configured TPM PCR) over the hashes of the current list of measurement
|
|
* entries.
|
|
*
|
|
* Applications retrieve the current kernel-held measurement list through
|
|
* the securityfs entries in /sys/kernel/security/ima. The signed aggregate
|
|
* TPM PCR (called quote) can be retrieved using a TPM user space library
|
|
* and is used to validate the measurement list.
|
|
*
|
|
* Returns 0 on success, error code otherwise
|
|
*/
|
|
int ima_store_template(struct ima_template_entry *entry,
|
|
int violation, struct inode *inode)
|
|
{
|
|
const char *op = "add_template_measure";
|
|
const char *audit_cause = "hashing_error";
|
|
int result;
|
|
|
|
memset(entry->digest, 0, sizeof(entry->digest));
|
|
entry->template_name = IMA_TEMPLATE_NAME;
|
|
entry->template_len = sizeof(entry->template);
|
|
|
|
if (!violation) {
|
|
result = ima_calc_template_hash(entry->template_len,
|
|
&entry->template,
|
|
entry->digest);
|
|
if (result < 0) {
|
|
integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
|
|
entry->template_name, op,
|
|
audit_cause, result, 0);
|
|
return result;
|
|
}
|
|
}
|
|
result = ima_add_template_entry(entry, violation, op, inode);
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
* ima_add_violation - add violation to measurement list.
|
|
*
|
|
* Violations are flagged in the measurement list with zero hash values.
|
|
* By extending the PCR with 0xFF's instead of with zeroes, the PCR
|
|
* value is invalidated.
|
|
*/
|
|
void ima_add_violation(struct inode *inode, const unsigned char *filename,
|
|
const char *op, const char *cause)
|
|
{
|
|
struct ima_template_entry *entry;
|
|
int violation = 1;
|
|
int result;
|
|
|
|
/* can overflow, only indicator */
|
|
atomic_long_inc(&ima_htable.violations);
|
|
|
|
entry = kmalloc(sizeof(*entry), GFP_KERNEL);
|
|
if (!entry) {
|
|
result = -ENOMEM;
|
|
goto err_out;
|
|
}
|
|
memset(&entry->template, 0, sizeof(entry->template));
|
|
strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
|
|
result = ima_store_template(entry, violation, inode);
|
|
if (result < 0)
|
|
kfree(entry);
|
|
err_out:
|
|
integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
|
|
op, cause, result, 0);
|
|
}
|
|
|
|
/**
|
|
* ima_get_action - appraise & measure decision based on policy.
|
|
* @inode: pointer to inode to measure
|
|
* @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
|
|
* @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP)
|
|
*
|
|
* The policy is defined in terms of keypairs:
|
|
* subj=, obj=, type=, func=, mask=, fsmagic=
|
|
* subj,obj, and type: are LSM specific.
|
|
* func: FILE_CHECK | BPRM_CHECK | FILE_MMAP
|
|
* mask: contains the permission mask
|
|
* fsmagic: hex value
|
|
*
|
|
* Returns IMA_MEASURE, IMA_APPRAISE mask.
|
|
*
|
|
*/
|
|
int ima_get_action(struct inode *inode, int mask, int function)
|
|
{
|
|
int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
|
|
|
|
if (!ima_appraise)
|
|
flags &= ~IMA_APPRAISE;
|
|
|
|
return ima_match_policy(inode, function, mask, flags);
|
|
}
|
|
|
|
int ima_must_measure(struct inode *inode, int mask, int function)
|
|
{
|
|
return ima_match_policy(inode, function, mask, IMA_MEASURE);
|
|
}
|
|
|
|
/*
|
|
* ima_collect_measurement - collect file measurement
|
|
*
|
|
* Calculate the file hash, if it doesn't already exist,
|
|
* storing the measurement and i_version in the iint.
|
|
*
|
|
* Must be called with iint->mutex held.
|
|
*
|
|
* Return 0 on success, error code otherwise
|
|
*/
|
|
int ima_collect_measurement(struct integrity_iint_cache *iint,
|
|
struct file *file)
|
|
{
|
|
struct inode *inode = file->f_dentry->d_inode;
|
|
const char *filename = file->f_dentry->d_name.name;
|
|
int result = 0;
|
|
|
|
if (!(iint->flags & IMA_COLLECTED)) {
|
|
u64 i_version = file->f_dentry->d_inode->i_version;
|
|
|
|
iint->ima_xattr.type = IMA_XATTR_DIGEST;
|
|
result = ima_calc_hash(file, iint->ima_xattr.digest);
|
|
if (!result) {
|
|
iint->version = i_version;
|
|
iint->flags |= IMA_COLLECTED;
|
|
}
|
|
}
|
|
if (result)
|
|
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
|
|
filename, "collect_data", "failed",
|
|
result, 0);
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
* ima_store_measurement - store file measurement
|
|
*
|
|
* Create an "ima" template and then store the template by calling
|
|
* ima_store_template.
|
|
*
|
|
* We only get here if the inode has not already been measured,
|
|
* but the measurement could already exist:
|
|
* - multiple copies of the same file on either the same or
|
|
* different filesystems.
|
|
* - the inode was previously flushed as well as the iint info,
|
|
* containing the hashing info.
|
|
*
|
|
* Must be called with iint->mutex held.
|
|
*/
|
|
void ima_store_measurement(struct integrity_iint_cache *iint,
|
|
struct file *file, const unsigned char *filename)
|
|
{
|
|
const char *op = "add_template_measure";
|
|
const char *audit_cause = "ENOMEM";
|
|
int result = -ENOMEM;
|
|
struct inode *inode = file->f_dentry->d_inode;
|
|
struct ima_template_entry *entry;
|
|
int violation = 0;
|
|
|
|
if (iint->flags & IMA_MEASURED)
|
|
return;
|
|
|
|
entry = kmalloc(sizeof(*entry), GFP_KERNEL);
|
|
if (!entry) {
|
|
integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
|
|
op, audit_cause, result, 0);
|
|
return;
|
|
}
|
|
memset(&entry->template, 0, sizeof(entry->template));
|
|
memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
|
|
strcpy(entry->template.file_name,
|
|
(strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
|
|
file->f_dentry->d_name.name : filename);
|
|
|
|
result = ima_store_template(entry, violation, inode);
|
|
if (!result || result == -EEXIST)
|
|
iint->flags |= IMA_MEASURED;
|
|
if (result < 0)
|
|
kfree(entry);
|
|
}
|
|
|
|
void ima_audit_measurement(struct integrity_iint_cache *iint,
|
|
const unsigned char *filename)
|
|
{
|
|
struct audit_buffer *ab;
|
|
char hash[(IMA_DIGEST_SIZE * 2) + 1];
|
|
int i;
|
|
|
|
if (iint->flags & IMA_AUDITED)
|
|
return;
|
|
|
|
for (i = 0; i < IMA_DIGEST_SIZE; i++)
|
|
hex_byte_pack(hash + (i * 2), iint->ima_xattr.digest[i]);
|
|
hash[i * 2] = '\0';
|
|
|
|
ab = audit_log_start(current->audit_context, GFP_KERNEL,
|
|
AUDIT_INTEGRITY_RULE);
|
|
if (!ab)
|
|
return;
|
|
|
|
audit_log_format(ab, "file=");
|
|
audit_log_untrustedstring(ab, filename);
|
|
audit_log_format(ab, " hash=");
|
|
audit_log_untrustedstring(ab, hash);
|
|
|
|
audit_log_task_info(ab, current);
|
|
audit_log_end(ab);
|
|
|
|
iint->flags |= IMA_AUDITED;
|
|
}
|