   1 /* SPDX-License-Identifier: GPL-2.0-only */
   2 /*
   3  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
   4  *
   5  * Authors:
   6  * Reiner Sailer <sailer@watson.ibm.com>
   7  * Mimi Zohar <zohar@us.ibm.com>
   8  *
   9  * File: ima.h
  10  *      internal Integrity Measurement Architecture (IMA) definitions
  11  */
  12 
  13 #ifndef __LINUX_IMA_H
  14 #define __LINUX_IMA_H
  15 
  16 #include <linux/types.h>
  17 #include <linux/crypto.h>
  18 #include <linux/fs.h>
  19 #include <linux/security.h>
  20 #include <linux/hash.h>
  21 #include <linux/tpm.h>
  22 #include <linux/audit.h>
  23 #include <crypto/hash_info.h>
  24 
  25 #include "../integrity.h"
  26 
  27 #ifdef CONFIG_HAVE_IMA_KEXEC
  28 #include <asm/ima.h>
  29 #endif
  30 
  31 enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
  32                      IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
  33 enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
  34 
  35 /* digest size for IMA, fits SHA1 or MD5 */
  36 #define IMA_DIGEST_SIZE         SHA1_DIGEST_SIZE
  37 #define IMA_EVENT_NAME_LEN_MAX  255
  38 
  39 #define IMA_HASH_BITS 9
  40 #define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
  41 
  42 #define IMA_TEMPLATE_FIELD_ID_MAX_LEN   16
  43 #define IMA_TEMPLATE_NUM_FIELDS_MAX     15
  44 
  45 #define IMA_TEMPLATE_IMA_NAME "ima"
  46 #define IMA_TEMPLATE_IMA_FMT "d|n"
  47 
  48 /* current content of the policy */
  49 extern int ima_policy_flag;
  50 
  51 /* set during initialization */
  52 extern int ima_hash_algo;
  53 extern int ima_appraise;
  54 extern struct tpm_chip *ima_tpm_chip;
  55 
/*
 * IMA event related data
 *
 * Everything a template field needs to render one measurement event.
 * Handed to ima_template_field.field_init() (see below).  The
 * xattr_value/xattr_len and modsig members are the same values that
 * ima_store_measurement() receives for the event.
 */
struct ima_event_data {
        struct integrity_iint_cache *iint;      /* integrity cache entry of the measured object */
        struct file *file;                      /* measured file, when the event is file-backed */
        const unsigned char *filename;
        struct evm_ima_xattr_data *xattr_value; /* xattr data for the event, may be absent */
        int xattr_len;                          /* length of xattr_value */
        const struct modsig *modsig;            /* appended module signature, may be absent */
        const char *violation;                  /* presumably the violation cause as passed to ima_add_violation() - confirm */
        const void *buf;                        /* in-memory buffer to measure - TODO confirm callers */
        int buf_len;                            /* length of buf */
};
  68 
/*
 * IMA template field data definition
 *
 * One rendered template field: a byte buffer plus its length.  Filled in by
 * ima_template_field.field_init(), printed by field_show() and hashed by
 * ima_calc_field_array_hash().
 */
struct ima_field_data {
        u8 *data;       /* field bytes */
        u32 len;        /* number of valid bytes at data */
};
  74 
/*
 * IMA template field definition
 *
 * Describes one field of a measurement template: its identifier plus the
 * callbacks that build the field from an event and print it.
 */
struct ima_template_field {
        /* field identifier; presumably the tokens of a template fmt string
         * such as IMA_TEMPLATE_IMA_FMT ("d|n") - confirm in
         * template_desc_init_fields() */
        const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
        /* fill field_data from event_data; int result, presumably 0 on
         * success and negative errno otherwise - confirm */
        int (*field_init)(struct ima_event_data *event_data,
                          struct ima_field_data *field_data);
        /* render field_data on the seq_file m in the requested show format */
        void (*field_show)(struct seq_file *m, enum ima_show_type show,
                           struct ima_field_data *field_data);
};
  83 
/*
 * IMA template descriptor definition
 *
 * A named template: its format string and the resolved field table.
 * Descriptors are looked up by name with lookup_template_desc() and the
 * active one is returned by ima_template_desc_current().
 */
struct ima_template_desc {
        struct list_head list;  /* list linkage (cf. ima_init_template_list()) */
        char *name;             /* template name, e.g. IMA_TEMPLATE_IMA_NAME */
        char *fmt;              /* field format string, e.g. IMA_TEMPLATE_IMA_FMT */
        int num_fields;         /* number of entries in fields */
        const struct ima_template_field **fields; /* resolved by template_desc_init_fields() */
};
  92 
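/*
 * One measurement as kept in the measurement list.
 *
 * The fixed part is followed in the same allocation by template_data[]
 * (presumably sized by ima_alloc_init_template() from the descriptor's
 * num_fields - confirm).  template_data is a C99 flexible array member
 * rather than a GNU zero-length array ([0]): the layout and sizeof are the
 * same, but the compiler and bounds checkers then know where the fixed
 * part ends instead of treating the tail as a zero-sized object.
 */
struct ima_template_entry {
        int pcr;                                /* TPM PCR index, cf. enum tpm_pcrs */
        u8 digest[TPM_DIGEST_SIZE];             /* sha1 or md5 measurement hash */
        struct ima_template_desc *template_desc; /* template descriptor */
        u32 template_data_len;                  /* presumably the summed len of template_data[] - confirm */
        struct ima_field_data template_data[];  /* template related data */
};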
 100 
/*
 * Links one measurement entry into both the ima_htable collision chain
 * and the ordered ima_measurements list (declared right below).
 */
struct ima_queue_entry {
        struct hlist_node hnext;        /* place in hash collision list */
        struct list_head later;         /* place in ima_measurements list */
        struct ima_template_entry *entry;       /* the measurement itself */
};
 106 extern struct list_head ima_measurements;       /* list of all measurements */
 107 
/*
 * Some details preceding the binary serialized measurement list
 *
 * Fixed-size header in front of the measurement list that is presumably
 * handed to the next kernel across kexec (cf. CONFIG_HAVE_IMA_KEXEC and
 * ima_load_kexec_buffer()).  NOTE(review): the receiving kernel did not
 * produce this header, so buffer_size and count should be range-checked
 * against the actual buffer (presumably in ima_restore_measurement_list())
 * before they drive any allocation or loop - confirm at the consumer.
 */
struct ima_kexec_hdr {
        u16 version;            /* layout version of what follows */
        u16 _reserved0;         /* reserved/padding */
        u32 _reserved1;         /* reserved/padding */
        u64 buffer_size;        /* presumably size in bytes of the serialized list */
        u64 count;              /* presumably number of serialized entries */
};
 116 
 117 extern const int read_idmap[];
 118 
 119 #ifdef CONFIG_HAVE_IMA_KEXEC
 120 void ima_load_kexec_buffer(void);
 121 #else
/* CONFIG_HAVE_IMA_KEXEC=n: no carried-over measurement buffer to load. */
static inline void ima_load_kexec_buffer(void)
{
}
 123 #endif /* CONFIG_HAVE_IMA_KEXEC */
 124 
 125 /*
 126  * The default binary_runtime_measurements list format is defined as the
 127  * platform native format.  The canonical format is defined as little-endian.
 128  */
 129 extern bool ima_canonical_fmt;
 130 
 131 /* Internal IMA function definitions */
 132 int ima_init(void);
 133 int ima_fs_init(void);
 134 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 135                            const char *op, struct inode *inode,
 136                            const unsigned char *filename);
 137 int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
 138 int ima_calc_buffer_hash(const void *buf, loff_t len,
 139                          struct ima_digest_data *hash);
 140 int ima_calc_field_array_hash(struct ima_field_data *field_data,
 141                               struct ima_template_desc *desc, int num_fields,
 142                               struct ima_digest_data *hash);
 143 int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
 144 void ima_add_violation(struct file *file, const unsigned char *filename,
 145                        struct integrity_iint_cache *iint,
 146                        const char *op, const char *cause);
 147 int ima_init_crypto(void);
 148 void ima_putc(struct seq_file *m, void *data, int datalen);
 149 void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
 150 int template_desc_init_fields(const char *template_fmt,
 151                               const struct ima_template_field ***fields,
 152                               int *num_fields);
 153 struct ima_template_desc *ima_template_desc_current(void);
 154 struct ima_template_desc *lookup_template_desc(const char *name);
 155 bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
 156 int ima_restore_measurement_entry(struct ima_template_entry *entry);
 157 int ima_restore_measurement_list(loff_t bufsize, void *buf);
 158 int ima_measurements_show(struct seq_file *m, void *v);
 159 unsigned long ima_get_binary_runtime_size(void);
 160 int ima_init_template(void);
 161 void ima_init_template_list(void);
 162 int __init ima_init_digests(void);
 163 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
 164                           void *lsm_data);
 165 
 166 /*
 167  * used to protect h_table and sha_table
 168  */
 169 extern spinlock_t ima_queue_lock;
 170 
/*
 * Hash table of stored measurements; guarded by ima_queue_lock (above).
 * queue presumably is indexed by ima_hash_key(), which yields IMA_HASH_BITS
 * bits and therefore an index below IMA_MEASURE_HTABLE_SIZE - confirm.
 */
struct ima_h_table {
        atomic_long_t len;      /* number of stored measurements in the list */
        atomic_long_t violations;       /* number of recorded violations */
        struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];       /* collision chains of ima_queue_entry.hnext */
};
 176 extern struct ima_h_table ima_htable;
 177 
/*
 * ima_hash_key - pick a bucket index for a measurement digest
 * @digest: measurement digest; only its first byte is consulted
 *
 * Returns a value below IMA_MEASURE_HTABLE_SIZE (IMA_HASH_BITS bits).  The
 * key is derived from the leading digest byte alone, so at most 256
 * distinct inputs reach hash_long() and the spread over buckets depends on
 * that single byte.
 */
static inline unsigned long ima_hash_key(u8 *digest)
{
        unsigned long lead = digest[0];

        return hash_long(lead, IMA_HASH_BITS);
}
 182 
 183 #define __ima_hooks(hook)               \
 184         hook(NONE)                      \
 185         hook(FILE_CHECK)                \
 186         hook(MMAP_CHECK)                \
 187         hook(BPRM_CHECK)                \
 188         hook(CREDS_CHECK)               \
 189         hook(POST_SETATTR)              \
 190         hook(MODULE_CHECK)              \
 191         hook(FIRMWARE_CHECK)            \
 192         hook(KEXEC_KERNEL_CHECK)        \
 193         hook(KEXEC_INITRAMFS_CHECK)     \
 194         hook(POLICY_CHECK)              \
 195         hook(KEXEC_CMDLINE)             \
 196         hook(MAX_CHECK)
 197 #define __ima_hook_enumify(ENUM)        ENUM,
 198 
 199 enum ima_hooks {
 200         __ima_hooks(__ima_hook_enumify)
 201 };
 202 
 203 extern const char *const func_tokens[];
 204 
 205 struct modsig;
 206 
 207 /* LIM API function definitions */
 208 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
 209                    int mask, enum ima_hooks func, int *pcr,
 210                    struct ima_template_desc **template_desc);
 211 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
 212 int ima_collect_measurement(struct integrity_iint_cache *iint,
 213                             struct file *file, void *buf, loff_t size,
 214                             enum hash_algo algo, struct modsig *modsig);
 215 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
 216                            const unsigned char *filename,
 217                            struct evm_ima_xattr_data *xattr_value,
 218                            int xattr_len, const struct modsig *modsig, int pcr,
 219                            struct ima_template_desc *template_desc);
 220 void ima_audit_measurement(struct integrity_iint_cache *iint,
 221                            const unsigned char *filename);
 222 int ima_alloc_init_template(struct ima_event_data *event_data,
 223                             struct ima_template_entry **entry,
 224                             struct ima_template_desc *template_desc);
 225 int ima_store_template(struct ima_template_entry *entry, int violation,
 226                        struct inode *inode,
 227                        const unsigned char *filename, int pcr);
 228 void ima_free_template_entry(struct ima_template_entry *entry);
 229 const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
 230 
 231 /* IMA policy related functions */
 232 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 233                      enum ima_hooks func, int mask, int flags, int *pcr,
 234                      struct ima_template_desc **template_desc);
 235 void ima_init_policy(void);
 236 void ima_update_policy(void);
 237 void ima_update_policy_flag(void);
 238 ssize_t ima_parse_add_rule(char *);
 239 void ima_delete_rules(void);
 240 int ima_check_policy(void);
 241 void *ima_policy_start(struct seq_file *m, loff_t *pos);
 242 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
 243 void ima_policy_stop(struct seq_file *m, void *v);
 244 int ima_policy_show(struct seq_file *m, void *v);
 245 
 246 /* Appraise integrity measurements */
 247 #define IMA_APPRAISE_ENFORCE    0x01
 248 #define IMA_APPRAISE_FIX        0x02
 249 #define IMA_APPRAISE_LOG        0x04
 250 #define IMA_APPRAISE_MODULES    0x08
 251 #define IMA_APPRAISE_FIRMWARE   0x10
 252 #define IMA_APPRAISE_POLICY     0x20
 253 #define IMA_APPRAISE_KEXEC      0x40
 254 
 255 #ifdef CONFIG_IMA_APPRAISE
 256 int ima_appraise_measurement(enum ima_hooks func,
 257                              struct integrity_iint_cache *iint,
 258                              struct file *file, const unsigned char *filename,
 259                              struct evm_ima_xattr_data *xattr_value,
 260                              int xattr_len, const struct modsig *modsig);
 261 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
 262 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
 263 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
 264                                            enum ima_hooks func);
 265 enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
 266                                  int xattr_len);
 267 int ima_read_xattr(struct dentry *dentry,
 268                    struct evm_ima_xattr_data **xattr_value);
 269 
 270 #else
/*
 * CONFIG_IMA_APPRAISE=n: appraisal is compiled out, so no verdict can be
 * reached for any object.  All arguments are ignored.
 */
static inline int
ima_appraise_measurement(enum ima_hooks func, struct integrity_iint_cache *iint,
                         struct file *file, const unsigned char *filename,
                         struct evm_ima_xattr_data *xattr_value, int xattr_len,
                         const struct modsig *modsig)
{
        return INTEGRITY_UNKNOWN;
}
 281 
/* CONFIG_IMA_APPRAISE=n: nothing is ever appraised; arguments are ignored. */
static inline int
ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
{
        return 0;
}
 287 
/* CONFIG_IMA_APPRAISE=n: no xattr is written back; this is a no-op. */
static inline void
ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
{
}
 292 
/* CONFIG_IMA_APPRAISE=n: there is no cached appraisal status to report. */
static inline enum integrity_status
ima_get_cache_status(struct integrity_iint_cache *iint, enum ima_hooks func)
{
        return INTEGRITY_UNKNOWN;
}
 299 
/*
 * CONFIG_IMA_APPRAISE=n: with no xattr to consult, the algorithm is always
 * the one chosen at initialization (ima_hash_algo).  The xattr arguments
 * are ignored.
 */
static inline enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
                                               int xattr_len)
{
        return ima_hash_algo;
}
 305 
/*
 * CONFIG_IMA_APPRAISE=n: no xattr is read.  Returns 0 and leaves
 * *xattr_value untouched.
 */
static inline int
ima_read_xattr(struct dentry *dentry, struct evm_ima_xattr_data **xattr_value)
{
        return 0;
}
 311 
 312 #endif /* CONFIG_IMA_APPRAISE */
 313 
 314 #ifdef CONFIG_IMA_APPRAISE_MODSIG
 315 bool ima_hook_supports_modsig(enum ima_hooks func);
 316 int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 317                     struct modsig **modsig);
 318 void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size);
 319 int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
 320                           const u8 **digest, u32 *digest_size);
 321 int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
 322                        u32 *data_len);
 323 void ima_free_modsig(struct modsig *modsig);
 324 #else
/* CONFIG_IMA_APPRAISE_MODSIG=n: no hook accepts appended signatures. */
static inline bool
ima_hook_supports_modsig(enum ima_hooks func)
{
        return false;
}
 329 
/*
 * CONFIG_IMA_APPRAISE_MODSIG=n: appended signatures cannot be parsed.
 * Always fails with -EOPNOTSUPP and leaves *modsig untouched.
 */
static inline int
ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
                struct modsig **modsig)
{
        return -EOPNOTSUPP;
}
 335 
/* CONFIG_IMA_APPRAISE_MODSIG=n: nothing to collect; this is a no-op. */
static inline void
ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size)
{
}
 340 
/*
 * CONFIG_IMA_APPRAISE_MODSIG=n: no digest can be produced.  Always fails
 * with -EOPNOTSUPP; the output pointers are not written.
 */
static inline int
ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
                      const u8 **digest, u32 *digest_size)
{
        return -EOPNOTSUPP;
}
 347 
/*
 * CONFIG_IMA_APPRAISE_MODSIG=n: no raw signature is available.  Always
 * fails with -EOPNOTSUPP; *data and *data_len are not written.
 */
static inline int
ima_get_raw_modsig(const struct modsig *modsig, const void **data,
                   u32 *data_len)
{
        return -EOPNOTSUPP;
}
 353 
/* CONFIG_IMA_APPRAISE_MODSIG=n: nothing was ever allocated; no-op. */
static inline void
ima_free_modsig(struct modsig *modsig)
{
}
 357 #endif /* CONFIG_IMA_APPRAISE_MODSIG */
 358 
 359 /* LSM based policy rules require audit */
 360 #ifdef CONFIG_IMA_LSM_RULES
 361 
 362 #define security_filter_rule_init security_audit_rule_init
 363 #define security_filter_rule_match security_audit_rule_match
 364 
 365 #else
 366 
/*
 * CONFIG_IMA_LSM_RULES=n: LSM conditions in policy rules are unsupported.
 * Always fails with -EINVAL and never writes *lsmrule, so a rule carrying
 * an LSM condition presumably is rejected by ima_parse_add_rule() rather
 * than accepted and silently never matched - confirm there.
 */
static inline int
security_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
        return -EINVAL;
}
 372 
/*
 * CONFIG_IMA_LSM_RULES=n: no LSM rule can exist, so matching always fails
 * with -EINVAL; a rule is never reported as matched.
 */
static inline int
security_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
{
        return -EINVAL;
}
 378 #endif /* CONFIG_IMA_LSM_RULES */
 379 
 380 #ifdef  CONFIG_IMA_READ_POLICY
 381 #define POLICY_FILE_FLAGS       (S_IWUSR | S_IRUSR)
 382 #else
 383 #define POLICY_FILE_FLAGS       S_IWUSR
 384 #endif /* CONFIG_IMA_READ_POLICY */
 385 
 386 #endif /* __LINUX_IMA_H */
