Commit cf222217 authored by Mimi Zohar's avatar Mimi Zohar

ima: define a new hook to measure and appraise a file already in memory

This patch defines a new IMA hook ima_post_read_file() for measuring
and appraising files read by the kernel. The caller loads the file into
memory before calling this function, which calculates the hash followed by
the normal IMA policy based processing.

Changelog v5:
- fail ima_post_read_file() if either file or buf is NULL
v3:
- rename ima_hash_and_process_file() to ima_post_read_file()

v1:
- split patch
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
parent 98304bcf
...@@ -20,6 +20,8 @@ extern void ima_file_free(struct file *file); ...@@ -20,6 +20,8 @@ extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot); extern int ima_file_mmap(struct file *file, unsigned long prot);
extern int ima_module_check(struct file *file); extern int ima_module_check(struct file *file);
extern int ima_fw_from_file(struct file *file, char *buf, size_t size); extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum kernel_read_file_id id);
#else #else
static inline int ima_bprm_check(struct linux_binprm *bprm) static inline int ima_bprm_check(struct linux_binprm *bprm)
...@@ -52,6 +54,12 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) ...@@ -52,6 +54,12 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
return 0; return 0;
} }
static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum kernel_read_file_id id)
{
return 0;
}
#endif /* CONFIG_IMA */ #endif /* CONFIG_IMA */
#ifdef CONFIG_IMA_APPRAISE #ifdef CONFIG_IMA_APPRAISE
......
...@@ -24,6 +24,7 @@ ...@@ -24,6 +24,7 @@
#include <linux/key.h> #include <linux/key.h>
#include <linux/capability.h> #include <linux/capability.h>
#include <linux/fs.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/err.h> #include <linux/err.h>
#include <linux/string.h> #include <linux/string.h>
......
...@@ -19,6 +19,7 @@ ...@@ -19,6 +19,7 @@
#include <linux/types.h> #include <linux/types.h>
#include <linux/crypto.h> #include <linux/crypto.h>
#include <linux/fs.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/hash.h> #include <linux/hash.h>
#include <linux/tpm.h> #include <linux/tpm.h>
...@@ -152,7 +153,8 @@ enum ima_hooks { ...@@ -152,7 +153,8 @@ enum ima_hooks {
int ima_get_action(struct inode *inode, int mask, enum ima_hooks func); int ima_get_action(struct inode *inode, int mask, enum ima_hooks func);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
int ima_collect_measurement(struct integrity_iint_cache *iint, int ima_collect_measurement(struct integrity_iint_cache *iint,
struct file *file, enum hash_algo algo); struct file *file, void *buf, loff_t size,
enum hash_algo algo);
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
const unsigned char *filename, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value, struct evm_ima_xattr_data *xattr_value,
......
...@@ -188,7 +188,8 @@ int ima_get_action(struct inode *inode, int mask, enum ima_hooks func) ...@@ -188,7 +188,8 @@ int ima_get_action(struct inode *inode, int mask, enum ima_hooks func)
* Return 0 on success, error code otherwise * Return 0 on success, error code otherwise
*/ */
int ima_collect_measurement(struct integrity_iint_cache *iint, int ima_collect_measurement(struct integrity_iint_cache *iint,
struct file *file, enum hash_algo algo) struct file *file, void *buf, loff_t size,
enum hash_algo algo)
{ {
const char *audit_cause = "failed"; const char *audit_cause = "failed";
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
...@@ -210,7 +211,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, ...@@ -210,7 +211,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
hash.hdr.algo = algo; hash.hdr.algo = algo;
result = ima_calc_file_hash(file, &hash.hdr); result = (!buf) ? ima_calc_file_hash(file, &hash.hdr) :
ima_calc_buffer_hash(buf, size, &hash.hdr);
if (!result) { if (!result) {
int length = sizeof(hash.hdr) + hash.hdr.length; int length = sizeof(hash.hdr) + hash.hdr.length;
void *tmpbuf = krealloc(iint->ima_hash, length, void *tmpbuf = krealloc(iint->ima_hash, length,
......
...@@ -300,7 +300,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) ...@@ -300,7 +300,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
if (iint->flags & IMA_DIGSIG) if (iint->flags & IMA_DIGSIG)
return; return;
rc = ima_collect_measurement(iint, file, ima_hash_algo); rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo);
if (rc < 0) if (rc < 0)
return; return;
......
...@@ -153,8 +153,8 @@ void ima_file_free(struct file *file) ...@@ -153,8 +153,8 @@ void ima_file_free(struct file *file)
ima_check_last_writer(iint, inode, file); ima_check_last_writer(iint, inode, file);
} }
static int process_measurement(struct file *file, int mask, static int process_measurement(struct file *file, char *buf, loff_t size,
enum ima_hooks func, int opened) int mask, enum ima_hooks func, int opened)
{ {
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint = NULL; struct integrity_iint_cache *iint = NULL;
...@@ -226,7 +226,7 @@ static int process_measurement(struct file *file, int mask, ...@@ -226,7 +226,7 @@ static int process_measurement(struct file *file, int mask,
hash_algo = ima_get_hash_algo(xattr_value, xattr_len); hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
rc = ima_collect_measurement(iint, file, hash_algo); rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
if (rc != 0) { if (rc != 0) {
if (file->f_flags & O_DIRECT) if (file->f_flags & O_DIRECT)
rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES; rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
...@@ -273,7 +273,8 @@ static int process_measurement(struct file *file, int mask, ...@@ -273,7 +273,8 @@ static int process_measurement(struct file *file, int mask,
int ima_file_mmap(struct file *file, unsigned long prot) int ima_file_mmap(struct file *file, unsigned long prot)
{ {
if (file && (prot & PROT_EXEC)) if (file && (prot & PROT_EXEC))
return process_measurement(file, MAY_EXEC, MMAP_CHECK, 0); return process_measurement(file, NULL, 0, MAY_EXEC,
MMAP_CHECK, 0);
return 0; return 0;
} }
...@@ -292,7 +293,8 @@ int ima_file_mmap(struct file *file, unsigned long prot) ...@@ -292,7 +293,8 @@ int ima_file_mmap(struct file *file, unsigned long prot)
*/ */
int ima_bprm_check(struct linux_binprm *bprm) int ima_bprm_check(struct linux_binprm *bprm)
{ {
return process_measurement(bprm->file, MAY_EXEC, BPRM_CHECK, 0); return process_measurement(bprm->file, NULL, 0, MAY_EXEC,
BPRM_CHECK, 0);
} }
/** /**
...@@ -307,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm) ...@@ -307,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
*/ */
int ima_file_check(struct file *file, int mask, int opened) int ima_file_check(struct file *file, int mask, int opened)
{ {
return process_measurement(file, return process_measurement(file, NULL, 0,
mask & (MAY_READ | MAY_WRITE | MAY_EXEC), mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
FILE_CHECK, opened); FILE_CHECK, opened);
} }
...@@ -332,7 +334,7 @@ int ima_module_check(struct file *file) ...@@ -332,7 +334,7 @@ int ima_module_check(struct file *file)
#endif #endif
return 0; /* We rely on module signature checking */ return 0; /* We rely on module signature checking */
} }
return process_measurement(file, MAY_EXEC, MODULE_CHECK, 0); return process_measurement(file, NULL, 0, MAY_EXEC, MODULE_CHECK, 0);
} }
int ima_fw_from_file(struct file *file, char *buf, size_t size) int ima_fw_from_file(struct file *file, char *buf, size_t size)
...@@ -343,7 +345,34 @@ int ima_fw_from_file(struct file *file, char *buf, size_t size) ...@@ -343,7 +345,34 @@ int ima_fw_from_file(struct file *file, char *buf, size_t size)
return -EACCES; /* INTEGRITY_UNKNOWN */ return -EACCES; /* INTEGRITY_UNKNOWN */
return 0; return 0;
} }
return process_measurement(file, MAY_EXEC, FIRMWARE_CHECK, 0); return process_measurement(file, NULL, 0, MAY_EXEC, FIRMWARE_CHECK, 0);
}
/**
* ima_post_read_file - in memory collect/appraise/audit measurement
* @file: pointer to the file to be measured/appraised/audit
* @buf: pointer to in memory file contents
* @size: size of in memory file contents
* @read_id: caller identifier
*
* Measure/appraise/audit in memory file based on policy. Policy rules
* are written in terms of a policy identifier.
*
* On success return 0. On integrity appraisal error, assuming the file
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
*/
int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum kernel_read_file_id read_id)
{
enum ima_hooks func = FILE_CHECK;
if (!file || !buf || size == 0) { /* should never happen */
if (ima_appraise & IMA_APPRAISE_ENFORCE)
return -EACCES;
return 0;
}
return process_measurement(file, buf, size, MAY_READ, func, 0);
} }
static int __init init_ima(void) static int __init init_ima(void)
......
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
*/ */
#include <linux/module.h> #include <linux/module.h>
#include <linux/list.h> #include <linux/list.h>
#include <linux/fs.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/magic.h> #include <linux/magic.h>
#include <linux/parser.h> #include <linux/parser.h>
......
...@@ -49,12 +49,14 @@ ...@@ -49,12 +49,14 @@
#define IMA_MODULE_APPRAISED 0x00008000 #define IMA_MODULE_APPRAISED 0x00008000
#define IMA_FIRMWARE_APPRAISE 0x00010000 #define IMA_FIRMWARE_APPRAISE 0x00010000
#define IMA_FIRMWARE_APPRAISED 0x00020000 #define IMA_FIRMWARE_APPRAISED 0x00020000
#define IMA_READ_APPRAISE 0x00040000
#define IMA_READ_APPRAISED 0x00080000
#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \ #define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE | \ IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE | \
IMA_FIRMWARE_APPRAISE) IMA_FIRMWARE_APPRAISE | IMA_READ_APPRAISE)
#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \ #define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED | \ IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED | \
IMA_FIRMWARE_APPRAISED) IMA_FIRMWARE_APPRAISED | IMA_READ_APPRAISED)
enum evm_ima_xattr_type { enum evm_ima_xattr_type {
IMA_XATTR_DIGEST = 0x01, IMA_XATTR_DIGEST = 0x01,
...@@ -111,6 +113,7 @@ struct integrity_iint_cache { ...@@ -111,6 +113,7 @@ struct integrity_iint_cache {
enum integrity_status ima_bprm_status:4; enum integrity_status ima_bprm_status:4;
enum integrity_status ima_module_status:4; enum integrity_status ima_module_status:4;
enum integrity_status ima_firmware_status:4; enum integrity_status ima_firmware_status:4;
enum integrity_status ima_read_status:4;
enum integrity_status evm_status:4; enum integrity_status evm_status:4;
struct ima_digest_data *ima_hash; struct ima_digest_data *ima_hash;
}; };
......
...@@ -913,7 +913,12 @@ int security_kernel_module_from_file(struct file *file) ...@@ -913,7 +913,12 @@ int security_kernel_module_from_file(struct file *file)
int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
enum kernel_read_file_id id) enum kernel_read_file_id id)
{ {
return call_int_hook(kernel_post_read_file, 0, file, buf, size, id); int ret;
ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id);
if (ret)
return ret;
return ima_post_read_file(file, buf, size, id);
} }
EXPORT_SYMBOL_GPL(security_kernel_post_read_file); EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment