2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
5 * Reiner Sailer <sailer@watson.ibm.com>
6 * Serge Hallyn <serue@us.ibm.com>
7 * Kylene Hall <kylene@us.ibm.com>
8 * Mimi Zohar <zohar@us.ibm.com>
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
16 * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
19 #include <linux/module.h>
20 #include <linux/file.h>
21 #include <linux/binfmts.h>
22 #include <linux/mount.h>
23 #include <linux/mman.h>
29 char *ima_hash = "sha1";
30 static int __init hash_setup(char *str)
32 const char *op = "hash_setup";
33 const char *hash = "sha1";
37 if (strncmp(str, "md5", 3) == 0) {
40 } else if (strncmp(str, "sha1", 4) != 0) {
41 hash = "invalid_hash_type";
44 integrity_audit_msg(AUDIT_INTEGRITY_HASH, NULL, NULL, op, hash,
48 __setup("ima_hash=", hash_setup);
51 * ima_file_free - called on __fput()
52 * @file: pointer to file structure being freed
54 * Flag files that changed, based on i_version;
55 * and decrement the iint readcount/writecount.
57 void ima_file_free(struct file *file)
59 struct inode *inode = file->f_dentry->d_inode;
60 struct ima_iint_cache *iint;
62 if (!ima_initialized || !S_ISREG(inode->i_mode))
64 iint = ima_iint_find_get(inode);
68 mutex_lock(&iint->mutex);
69 if (iint->opencount <= 0) {
71 "%s: %s open/free imbalance (r:%ld w:%ld o:%ld f:%ld)\n",
72 __FUNCTION__, file->f_dentry->d_name.name,
73 iint->readcount, iint->writecount,
74 iint->opencount, atomic_long_read(&file->f_count));
75 if (!(iint->flags & IMA_IINT_DUMP_STACK)) {
77 iint->flags |= IMA_IINT_DUMP_STACK;
82 if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
85 if (file->f_mode & FMODE_WRITE) {
87 if (iint->writecount == 0) {
88 if (iint->version != inode->i_version)
89 iint->flags &= ~IMA_MEASURED;
92 mutex_unlock(&iint->mutex);
93 kref_put(&iint->refcount, iint_free);
96 /* ima_read_write_check - reflect possible reading/writing errors in the PCR.
98 * When opening a file for read, if the file is already open for write,
99 * the file could change, resulting in a file measurement error.
101 * Opening a file for write, if the file is already open for read, results
102 * in a time of measure, time of use (ToMToU) error.
104 * In either case invalidate the PCR.
106 enum iint_pcr_error { TOMTOU, OPEN_WRITERS };
107 static void ima_read_write_check(enum iint_pcr_error error,
108 struct ima_iint_cache *iint,
110 const unsigned char *filename)
114 if (iint->readcount > 0)
115 ima_add_violation(inode, filename, "invalid_pcr",
119 if (iint->writecount > 0)
120 ima_add_violation(inode, filename, "invalid_pcr",
126 static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
127 const unsigned char *filename)
132 pr_info("%s dentry_open failed\n", filename);
138 rc = ima_collect_measurement(iint, file);
140 ima_store_measurement(iint, file, filename);
145 * ima_path_check - based on policy, collect/store measurement.
146 * @path: contains a pointer to the path to be measured
147 * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
149 * Measure the file being open for readonly, based on the
150 * ima_must_measure() policy decision.
152 * Keep read/write counters for all files, but only
153 * invalidate the PCR for measured files:
154 * - Opening a file for write when already open for read,
155 * results in a time of measure, time of use (ToMToU) error.
156 * - Opening a file for read when already open for write,
157 * could result in a file measurement error.
159 * Return 0 on success, an error code on failure.
160 * (Based on the results of appraise_measurement().)
162 int ima_path_check(struct path *path, int mask)
164 struct inode *inode = path->dentry->d_inode;
165 struct ima_iint_cache *iint;
166 struct file *file = NULL;
169 if (!ima_initialized || !S_ISREG(inode->i_mode))
171 iint = ima_iint_find_insert_get(inode);
175 mutex_lock(&iint->mutex);
177 if ((mask & MAY_WRITE) || (mask == 0))
179 else if (mask & (MAY_READ | MAY_EXEC))
182 rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
186 if ((mask & MAY_WRITE) || (mask == 0))
187 ima_read_write_check(TOMTOU, iint, inode,
188 path->dentry->d_name.name);
190 if ((mask & (MAY_WRITE | MAY_READ | MAY_EXEC)) != MAY_READ)
193 ima_read_write_check(OPEN_WRITERS, iint, inode,
194 path->dentry->d_name.name);
195 if (!(iint->flags & IMA_MEASURED)) {
196 struct dentry *dentry = dget(path->dentry);
197 struct vfsmount *mnt = mntget(path->mnt);
199 file = dentry_open(dentry, mnt, O_RDONLY, current->cred);
200 rc = get_path_measurement(iint, file, dentry->d_name.name);
203 mutex_unlock(&iint->mutex);
206 kref_put(&iint->refcount, iint_free);
210 static int process_measurement(struct file *file, const unsigned char *filename,
211 int mask, int function)
213 struct inode *inode = file->f_dentry->d_inode;
214 struct ima_iint_cache *iint;
217 if (!ima_initialized || !S_ISREG(inode->i_mode))
219 iint = ima_iint_find_insert_get(inode);
223 mutex_lock(&iint->mutex);
224 rc = ima_must_measure(iint, inode, mask, function);
228 rc = ima_collect_measurement(iint, file);
230 ima_store_measurement(iint, file, filename);
232 mutex_unlock(&iint->mutex);
233 kref_put(&iint->refcount, iint_free);
237 static void opencount_get(struct file *file)
239 struct inode *inode = file->f_dentry->d_inode;
240 struct ima_iint_cache *iint;
242 if (!ima_initialized || !S_ISREG(inode->i_mode))
244 iint = ima_iint_find_insert_get(inode);
247 mutex_lock(&iint->mutex);
249 mutex_unlock(&iint->mutex);
253 * ima_file_mmap - based on policy, collect/store measurement.
254 * @file: pointer to the file to be measured (May be NULL)
255 * @prot: contains the protection that will be applied by the kernel.
257 * Measure files being mmapped executable based on the ima_must_measure()
260 * Return 0 on success, an error code on failure.
261 * (Based on the results of appraise_measurement().)
263 int ima_file_mmap(struct file *file, unsigned long prot)
269 if (prot & PROT_EXEC)
270 rc = process_measurement(file, file->f_dentry->d_name.name,
271 MAY_EXEC, FILE_MMAP);
276 * ima_shm_check - IPC shm and shmat create/fput a file
278 * Maintain the opencount for these files to prevent unnecessary
279 * imbalance messages.
281 void ima_shm_check(struct file *file)
288 * ima_bprm_check - based on policy, collect/store measurement.
289 * @bprm: contains the linux_binprm structure
291 * The OS protects against an executable file, already open for write,
292 * from being executed in deny_write_access() and an executable file,
293 * already open for execute, from being modified in get_write_access().
294 * So we can be certain that what we verify and measure here is actually
295 * what is being executed.
297 * Return 0 on success, an error code on failure.
298 * (Based on the results of appraise_measurement().)
300 int ima_bprm_check(struct linux_binprm *bprm)
304 rc = process_measurement(bprm->file, bprm->filename,
305 MAY_EXEC, BPRM_CHECK);
309 static int __init init_ima(void)
313 ima_iintcache_init();
319 static void __exit cleanup_ima(void)
324 late_initcall(init_ima); /* Start IMA after the TPM is available */
326 MODULE_DESCRIPTION("Integrity Measurement Architecture");
327 MODULE_LICENSE("GPL");