add new system file

hc

2024-02-20 102a0743326a03cd1a1202ceda21e175b7d3575c

 kernel/security/integrity/ima/ima_main.c
..
..
@@ -1,4 +1,7 @@
1
+// SPDX-License-Identifier: GPL-2.0-only
1
2
 /*
3
+ * Integrity Measurement Architecture
4
+ *
2
5
  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3
6
  *
4
7
  * Authors:
..
..
@@ -7,21 +10,15 @@
7
10
  * Kylene Hall <kylene@us.ibm.com>
8
11
  * Mimi Zohar <zohar@us.ibm.com>
9
12
  *
10
- * This program is free software; you can redistribute it and/or
11
- * modify it under the terms of the GNU General Public License as
12
- * published by the Free Software Foundation, version 2 of the
13
- * License.
14
- *
15
13
  * File: ima_main.c
16
14
  *	implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17
15
  *	and ima_file_check.
18
16
  */
19
17
 
20
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
21
-
22
18
 #include <linux/module.h>
23
19
 #include <linux/file.h>
24
20
 #include <linux/binfmts.h>
21
+#include <linux/kernel_read_file.h>
25
22
 #include <linux/mount.h>
26
23
 #include <linux/mman.h>
27
24
 #include <linux/slab.h>
..
..
@@ -41,6 +38,10 @@
41
38
 int ima_hash_algo = HASH_ALGO_SHA1;
42
39
 static int hash_setup_done;
43
40
 
41
+static struct notifier_block ima_lsm_policy_notifier = {
42
+	.notifier_call = ima_lsm_policy_change,
43
+};
44
+
44
45
 static int __init hash_setup(char *str)
45
46
 {
46
47
 	struct ima_template_desc *template_desc = ima_template_desc_current();
..
..
@@ -50,18 +51,23 @@
50
51
 		return 1;
51
52
 
52
53
 	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
53
-		if (strncmp(str, "sha1", 4) == 0)
54
+		if (strncmp(str, "sha1", 4) == 0) {
54
55
 			ima_hash_algo = HASH_ALGO_SHA1;
55
-		else if (strncmp(str, "md5", 3) == 0)
56
+		} else if (strncmp(str, "md5", 3) == 0) {
56
57
 			ima_hash_algo = HASH_ALGO_MD5;
57
-		else
58
+		} else {
59
+			pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
60
+				str, IMA_TEMPLATE_IMA_NAME);
58
61
 			return 1;
62
+		}
59
63
 		goto out;
60
64
 	}
61
65
 
62
66
 	i = match_string(hash_algo_name, HASH_ALGO__LAST, str);
63
-	if (i < 0)
67
+	if (i < 0) {
68
+		pr_err("invalid hash algorithm \"%s\"", str);
64
69
 		return 1;
70
+	}
65
71
 
66
72
 	ima_hash_algo = i;
67
73
 out:
..
..
@@ -69,6 +75,27 @@
69
75
 	return 1;
70
76
 }
71
77
 __setup("ima_hash=", hash_setup);
78
+
79
+/* Prevent mmap'ing a file execute that is already mmap'ed write */
80
+static int mmap_violation_check(enum ima_hooks func, struct file *file,
81
+				char **pathbuf, const char **pathname,
82
+				char *filename)
83
+{
84
+	struct inode *inode;
85
+	int rc = 0;
86
+
87
+	if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) {
88
+		rc = -ETXTBSY;
89
+		inode = file_inode(file);
90
+
91
+		if (!*pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
92
+			*pathname = ima_d_path(&file->f_path, pathbuf,
93
+					       filename);
94
+		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, *pathname,
95
+				    "mmap_file", "mmapped_writers", rc, 0);
96
+	}
97
+	return rc;
98
+}
72
99
 
73
100
 /*
74
101
  * ima_rdwr_violation_check
..
..
@@ -103,7 +130,7 @@
103
130
 	} else {
104
131
 		if (must_measure)
105
132
 			set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
106
-		if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
133
+		if (inode_is_open_for_write(inode) && must_measure)
107
134
 			send_writers = true;
108
135
 	}
109
136
 
..
..
@@ -172,13 +199,14 @@
172
199
 {
173
200
 	struct inode *inode = file_inode(file);
174
201
 	struct integrity_iint_cache *iint = NULL;
175
-	struct ima_template_desc *template_desc;
202
+	struct ima_template_desc *template_desc = NULL;
176
203
 	char *pathbuf = NULL;
177
204
 	char filename[NAME_MAX];
178
205
 	const char *pathname = NULL;
179
206
 	int rc = 0, action, must_appraise = 0;
180
207
 	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
181
208
 	struct evm_ima_xattr_data *xattr_value = NULL;
209
+	struct modsig *modsig = NULL;
182
210
 	int xattr_len = 0;
183
211
 	bool violation_check;
184
212
 	enum hash_algo hash_algo;
..
..
@@ -190,7 +218,8 @@
190
218
 	 * bitmask based on the appraise/audit/measurement policy.
191
219
 	 * Included is the appraise submask.
192
220
 	 */
193
-	action = ima_get_action(inode, cred, secid, mask, func, &pcr);
221
+	action = ima_get_action(inode, cred, secid, mask, func, &pcr,
222
+				&template_desc, NULL);
194
223
 	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
195
224
 			   (ima_policy_flag & IMA_MEASURE));
196
225
 	if (!action && !violation_check)
..
..
@@ -268,20 +297,37 @@
268
297
 
269
298
 	/* Nothing to do, just return existing appraised status */
270
299
 	if (!action) {
271
-		if (must_appraise)
272
-			rc = ima_get_cache_status(iint, func);
300
+		if (must_appraise) {
301
+			rc = mmap_violation_check(func, file, &pathbuf,
302
+						  &pathname, filename);
303
+			if (!rc)
304
+				rc = ima_get_cache_status(iint, func);
305
+		}
273
306
 		goto out_locked;
274
307
 	}
275
308
 
276
-	template_desc = ima_template_desc_current();
277
309
 	if ((action & IMA_APPRAISE_SUBMASK) ||
278
-		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
310
+	    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
279
311
 		/* read 'security.ima' */
280
312
 		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
281
313
 
314
+		/*
315
+		 * Read the appended modsig if allowed by the policy, and allow
316
+		 * an additional measurement list entry, if needed, based on the
317
+		 * template format and whether the file was already measured.
318
+		 */
319
+		if (iint->flags & IMA_MODSIG_ALLOWED) {
320
+			rc = ima_read_modsig(func, buf, size, &modsig);
321
+
322
+			if (!rc && ima_template_has_modsig(template_desc) &&
323
+			    iint->flags & IMA_MEASURED)
324
+				action |= IMA_MEASURE;
325
+		}
326
+	}
327
+
282
328
 	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
283
329
 
284
-	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
330
+	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
285
331
 	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
286
332
 		goto out_locked;
287
333
 
..
..
@@ -290,12 +336,20 @@
290
336
 
291
337
 	if (action & IMA_MEASURE)
292
338
 		ima_store_measurement(iint, file, pathname,
293
-				      xattr_value, xattr_len, pcr);
339
+				      xattr_value, xattr_len, modsig, pcr,
340
+				      template_desc);
294
341
 	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
295
-		inode_lock(inode);
296
-		rc = ima_appraise_measurement(func, iint, file, pathname,
297
-					      xattr_value, xattr_len);
298
-		inode_unlock(inode);
342
+		rc = ima_check_blacklist(iint, modsig, pcr);
343
+		if (rc != -EPERM) {
344
+			inode_lock(inode);
345
+			rc = ima_appraise_measurement(func, iint, file,
346
+						      pathname, xattr_value,
347
+						      xattr_len, modsig);
348
+			inode_unlock(inode);
349
+		}
350
+		if (!rc)
351
+			rc = mmap_violation_check(func, file, &pathbuf,
352
+						  &pathname, filename);
299
353
 	}
300
354
 	if (action & IMA_AUDIT)
301
355
 		ima_audit_measurement(iint, pathname);
..
..
@@ -308,6 +362,7 @@
308
362
 		rc = -EACCES;
309
363
 	mutex_unlock(&iint->mutex);
310
364
 	kfree(xattr_value);
365
+	ima_free_modsig(modsig);
311
366
 out:
312
367
 	if (pathbuf)
313
368
 		__putname(pathbuf);
..
..
@@ -323,7 +378,9 @@
323
378
 /**
324
379
  * ima_file_mmap - based on policy, collect/store measurement.
325
380
  * @file: pointer to the file to be measured (May be NULL)
326
- * @prot: contains the protection that will be applied by the kernel.
381
+ * @reqprot: protection requested by the application
382
+ * @prot: protection that will be applied by the kernel
383
+ * @flags: operational flags
327
384
  *
328
385
  * Measure files being mmapped executable based on the ima_must_measure()
329
386
  * policy decision.
..
..
@@ -331,7 +388,8 @@
331
388
  * On success return 0.  On integrity appraisal error, assuming the file
332
389
  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
333
390
  */
334
-int ima_file_mmap(struct file *file, unsigned long prot)
391
+int ima_file_mmap(struct file *file, unsigned long reqprot,
392
+		  unsigned long prot, unsigned long flags)
335
393
 {
336
394
 	u32 secid;
337
395
 
..
..
@@ -342,6 +400,58 @@
342
400
 	}
343
401
 
344
402
 	return 0;
403
+}
404
+
405
+/**
406
+ * ima_file_mprotect - based on policy, limit mprotect change
407
+ * @prot: contains the protection that will be applied by the kernel.
408
+ *
409
+ * Files can be mmap'ed read/write and later changed to execute to circumvent
410
+ * IMA's mmap appraisal policy rules.  Due to locking issues (mmap semaphore
411
+ * would be taken before i_mutex), files can not be measured or appraised at
412
+ * this point.  Eliminate this integrity gap by denying the mprotect
413
+ * PROT_EXECUTE change, if an mmap appraise policy rule exists.
414
+ *
415
+ * On mprotect change success, return 0.  On failure, return -EACESS.
416
+ */
417
+int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
418
+{
419
+	struct ima_template_desc *template;
420
+	struct file *file = vma->vm_file;
421
+	char filename[NAME_MAX];
422
+	char *pathbuf = NULL;
423
+	const char *pathname = NULL;
424
+	struct inode *inode;
425
+	int result = 0;
426
+	int action;
427
+	u32 secid;
428
+	int pcr;
429
+
430
+	/* Is mprotect making an mmap'ed file executable? */
431
+	if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
432
+	    !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
433
+		return 0;
434
+
435
+	security_task_getsecid(current, &secid);
436
+	inode = file_inode(vma->vm_file);
437
+	action = ima_get_action(inode, current_cred(), secid, MAY_EXEC,
438
+				MMAP_CHECK, &pcr, &template, 0);
439
+
440
+	/* Is the mmap'ed file in policy? */
441
+	if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK)))
442
+		return 0;
443
+
444
+	if (action & IMA_APPRAISE_SUBMASK)
445
+		result = -EPERM;
446
+
447
+	file = vma->vm_file;
448
+	pathname = ima_d_path(&file->f_path, &pathbuf, filename);
449
+	integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, pathname,
450
+			    "collect_data", "failed-mprotect", result, 0);
451
+	if (pathbuf)
452
+		__putname(pathbuf);
453
+
454
+	return result;
345
455
 }
346
456
 
347
457
 /**
..
..
@@ -395,6 +505,92 @@
395
505
 EXPORT_SYMBOL_GPL(ima_file_check);
396
506
 
397
507
 /**
508
+ * ima_file_hash - return the stored measurement if a file has been hashed and
509
+ * is in the iint cache.
510
+ * @file: pointer to the file
511
+ * @buf: buffer in which to store the hash
512
+ * @buf_size: length of the buffer
513
+ *
514
+ * On success, return the hash algorithm (as defined in the enum hash_algo).
515
+ * If buf is not NULL, this function also outputs the hash into buf.
516
+ * If the hash is larger than buf_size, then only buf_size bytes will be copied.
517
+ * It generally just makes sense to pass a buffer capable of holding the largest
518
+ * possible hash: IMA_MAX_DIGEST_SIZE.
519
+ * The file hash returned is based on the entire file, including the appended
520
+ * signature.
521
+ *
522
+ * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP.
523
+ * If the parameters are incorrect, return -EINVAL.
524
+ */
525
+int ima_file_hash(struct file *file, char *buf, size_t buf_size)
526
+{
527
+	struct inode *inode;
528
+	struct integrity_iint_cache *iint;
529
+	int hash_algo;
530
+
531
+	if (!file)
532
+		return -EINVAL;
533
+
534
+	if (!ima_policy_flag)
535
+		return -EOPNOTSUPP;
536
+
537
+	inode = file_inode(file);
538
+	iint = integrity_iint_find(inode);
539
+	if (!iint)
540
+		return -EOPNOTSUPP;
541
+
542
+	mutex_lock(&iint->mutex);
543
+
544
+	/*
545
+	 * ima_file_hash can be called when ima_collect_measurement has still
546
+	 * not been called, we might not always have a hash.
547
+	 */
548
+	if (!iint->ima_hash) {
549
+		mutex_unlock(&iint->mutex);
550
+		return -EOPNOTSUPP;
551
+	}
552
+
553
+	if (buf) {
554
+		size_t copied_size;
555
+
556
+		copied_size = min_t(size_t, iint->ima_hash->length, buf_size);
557
+		memcpy(buf, iint->ima_hash->digest, copied_size);
558
+	}
559
+	hash_algo = iint->ima_hash->algo;
560
+	mutex_unlock(&iint->mutex);
561
+
562
+	return hash_algo;
563
+}
564
+EXPORT_SYMBOL_GPL(ima_file_hash);
565
+
566
+/**
567
+ * ima_post_create_tmpfile - mark newly created tmpfile as new
568
+ * @file : newly created tmpfile
569
+ *
570
+ * No measuring, appraising or auditing of newly created tmpfiles is needed.
571
+ * Skip calling process_measurement(), but indicate which newly, created
572
+ * tmpfiles are in policy.
573
+ */
574
+void ima_post_create_tmpfile(struct inode *inode)
575
+{
576
+	struct integrity_iint_cache *iint;
577
+	int must_appraise;
578
+
579
+	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
580
+	if (!must_appraise)
581
+		return;
582
+
583
+	/* Nothing to do if we can't allocate memory */
584
+	iint = integrity_inode_get(inode);
585
+	if (!iint)
586
+		return;
587
+
588
+	/* needed for writing the security xattrs */
589
+	set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
590
+	iint->ima_file_status = INTEGRITY_PASS;
591
+}
592
+
593
+/**
398
594
  * ima_post_path_mknod - mark as a new inode
399
595
  * @dentry: newly created dentry
400
596
  *
..
..
@@ -411,15 +607,20 @@
411
607
 	if (!must_appraise)
412
608
 		return;
413
609
 
610
+	/* Nothing to do if we can't allocate memory */
414
611
 	iint = integrity_inode_get(inode);
415
-	if (iint)
416
-		iint->flags |= IMA_NEW_FILE;
612
+	if (!iint)
613
+		return;
614
+
615
+	/* needed for re-opening empty files */
616
+	iint->flags |= IMA_NEW_FILE;
417
617
 }
418
618
 
419
619
 /**
420
620
  * ima_read_file - pre-measure/appraise hook decision based on policy
421
621
  * @file: pointer to the file to be measured/appraised/audit
422
622
  * @read_id: caller identifier
623
+ * @contents: whether a subsequent call will be made to ima_post_read_file()
423
624
  *
424
625
  * Permit reading a file based on policy. The policy rules are written
425
626
  * in terms of the policy identifier.  Appraising the integrity of
..
..
@@ -427,22 +628,37 @@
427
628
  *
428
629
  * For permission return 0, otherwise return -EACCES.
429
630
  */
430
-int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
631
+int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
632
+		  bool contents)
431
633
 {
634
+	enum ima_hooks func;
635
+	u32 secid;
636
+
432
637
 	/*
433
-	 * READING_FIRMWARE_PREALLOC_BUFFER
434
-	 *
435
638
 	 * Do devices using pre-allocated memory run the risk of the
436
639
 	 * firmware being accessible to the device prior to the completion
437
640
 	 * of IMA's signature verification any more than when using two
438
-	 * buffers?
641
+	 * buffers? It may be desirable to include the buffer address
642
+	 * in this API and walk all the dma_map_single() mappings to check.
439
643
 	 */
440
-	return 0;
644
+
645
+	/*
646
+	 * There will be a call made to ima_post_read_file() with
647
+	 * a filled buffer, so we don't need to perform an extra
648
+	 * read early here.
649
+	 */
650
+	if (contents)
651
+		return 0;
652
+
653
+	/* Read entire file for all partial reads. */
654
+	func = read_idmap[read_id] ?: FILE_CHECK;
655
+	security_task_getsecid(current, &secid);
656
+	return process_measurement(file, current_cred(), secid, NULL,
657
+				   0, MAY_READ, func);
441
658
 }
442
659
 
443
-static int read_idmap[READING_MAX_ID] = {
660
+const int read_idmap[READING_MAX_ID] = {
444
661
 	[READING_FIRMWARE] = FIRMWARE_CHECK,
445
-	[READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK,
446
662
 	[READING_MODULE] = MODULE_CHECK,
447
663
 	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
448
664
 	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
..
..
@@ -468,15 +684,6 @@
468
684
 	enum ima_hooks func;
469
685
 	u32 secid;
470
686
 
471
-	if (!file && read_id == READING_FIRMWARE) {
472
-		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
473
-		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
474
-			pr_err("Prevent firmware loading_store.\n");
475
-			return -EACCES;	/* INTEGRITY_UNKNOWN */
476
-		}
477
-		return 0;
478
-	}
479
-
480
687
 	/* permit signed certs */
481
688
 	if (!file && read_id == READING_X509_CERTIFICATE)
482
689
 		return 0;
..
..
@@ -496,6 +703,8 @@
496
703
 /**
497
704
  * ima_load_data - appraise decision based on policy
498
705
  * @id: kernel load data caller identifier
706
+ * @contents: whether the full contents will be available in a later
707
+ *	      call to ima_post_load_data().
499
708
  *
500
709
  * Callers of this LSM hook can not measure, appraise, or audit the
501
710
  * data provided by userspace.  Enforce policy rules requring a file
..
..
@@ -503,22 +712,28 @@
503
712
  *
504
713
  * For permission return 0, otherwise return -EACCES.
505
714
  */
506
-int ima_load_data(enum kernel_load_data_id id)
715
+int ima_load_data(enum kernel_load_data_id id, bool contents)
507
716
 {
508
-	bool sig_enforce;
717
+	bool ima_enforce, sig_enforce;
509
718
 
510
-	if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
511
-		return 0;
719
+	ima_enforce =
720
+		(ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
512
721
 
513
722
 	switch (id) {
514
723
 	case LOADING_KEXEC_IMAGE:
515
-		if (ima_appraise & IMA_APPRAISE_KEXEC) {
724
+		if (IS_ENABLED(CONFIG_KEXEC_SIG)
725
+		    && arch_ima_get_secureboot()) {
726
+			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
727
+			return -EACCES;
728
+		}
729
+
730
+		if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
516
731
 			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
517
732
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
518
733
 		}
519
734
 		break;
520
735
 	case LOADING_FIRMWARE:
521
-		if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
736
+		if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
522
737
 			pr_err("Prevent firmware sysfs fallback loading.\n");
523
738
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
524
739
 		}
..
..
@@ -526,14 +741,167 @@
526
741
 	case LOADING_MODULE:
527
742
 		sig_enforce = is_module_sig_enforced();
528
743
 
529
-		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) {
744
+		if (ima_enforce && (!sig_enforce
745
+				    && (ima_appraise & IMA_APPRAISE_MODULES))) {
530
746
 			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
531
747
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
532
748
 		}
749
+		break;
533
750
 	default:
534
751
 		break;
535
752
 	}
536
753
 	return 0;
754
+}
755
+
756
+/**
757
+ * ima_post_load_data - appraise decision based on policy
758
+ * @buf: pointer to in memory file contents
759
+ * @size: size of in memory file contents
760
+ * @id: kernel load data caller identifier
761
+ * @description: @id-specific description of contents
762
+ *
763
+ * Measure/appraise/audit in memory buffer based on policy.  Policy rules
764
+ * are written in terms of a policy identifier.
765
+ *
766
+ * On success return 0.  On integrity appraisal error, assuming the file
767
+ * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
768
+ */
769
+int ima_post_load_data(char *buf, loff_t size,
770
+		       enum kernel_load_data_id load_id,
771
+		       char *description)
772
+{
773
+	if (load_id == LOADING_FIRMWARE) {
774
+		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
775
+		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
776
+			pr_err("Prevent firmware loading_store.\n");
777
+			return -EACCES; /* INTEGRITY_UNKNOWN */
778
+		}
779
+		return 0;
780
+	}
781
+
782
+	return 0;
783
+}
784
+
785
+/*
786
+ * process_buffer_measurement - Measure the buffer to ima log.
787
+ * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
788
+ * @buf: pointer to the buffer that needs to be added to the log.
789
+ * @size: size of buffer(in bytes).
790
+ * @eventname: event name to be used for the buffer entry.
791
+ * @func: IMA hook
792
+ * @pcr: pcr to extend the measurement
793
+ * @keyring: keyring name to determine the action to be performed
794
+ *
795
+ * Based on policy, the buffer is measured into the ima log.
796
+ */
797
+void process_buffer_measurement(struct inode *inode, const void *buf, int size,
798
+				const char *eventname, enum ima_hooks func,
799
+				int pcr, const char *keyring)
800
+{
801
+	int ret = 0;
802
+	const char *audit_cause = "ENOMEM";
803
+	struct ima_template_entry *entry = NULL;
804
+	struct integrity_iint_cache iint = {};
805
+	struct ima_event_data event_data = {.iint = &iint,
806
+					    .filename = eventname,
807
+					    .buf = buf,
808
+					    .buf_len = size};
809
+	struct ima_template_desc *template = NULL;
810
+	struct {
811
+		struct ima_digest_data hdr;
812
+		char digest[IMA_MAX_DIGEST_SIZE];
813
+	} hash = {};
814
+	int violation = 0;
815
+	int action = 0;
816
+	u32 secid;
817
+
818
+	if (!ima_policy_flag)
819
+		return;
820
+
821
+	/*
822
+	 * Both LSM hooks and auxilary based buffer measurements are
823
+	 * based on policy.  To avoid code duplication, differentiate
824
+	 * between the LSM hooks and auxilary buffer measurements,
825
+	 * retrieving the policy rule information only for the LSM hook
826
+	 * buffer measurements.
827
+	 */
828
+	if (func) {
829
+		security_task_getsecid(current, &secid);
830
+		action = ima_get_action(inode, current_cred(), secid, 0, func,
831
+					&pcr, &template, keyring);
832
+		if (!(action & IMA_MEASURE))
833
+			return;
834
+	}
835
+
836
+	if (!pcr)
837
+		pcr = CONFIG_IMA_MEASURE_PCR_IDX;
838
+
839
+	if (!template) {
840
+		template = lookup_template_desc("ima-buf");
841
+		ret = template_desc_init_fields(template->fmt,
842
+						&(template->fields),
843
+						&(template->num_fields));
844
+		if (ret < 0) {
845
+			pr_err("template %s init failed, result: %d\n",
846
+			       (strlen(template->name) ?
847
+				template->name : template->fmt), ret);
848
+			return;
849
+		}
850
+	}
851
+
852
+	iint.ima_hash = &hash.hdr;
853
+	iint.ima_hash->algo = ima_hash_algo;
854
+	iint.ima_hash->length = hash_digest_size[ima_hash_algo];
855
+
856
+	ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
857
+	if (ret < 0) {
858
+		audit_cause = "hashing_error";
859
+		goto out;
860
+	}
861
+
862
+	ret = ima_alloc_init_template(&event_data, &entry, template);
863
+	if (ret < 0) {
864
+		audit_cause = "alloc_entry";
865
+		goto out;
866
+	}
867
+
868
+	ret = ima_store_template(entry, violation, NULL, buf, pcr);
869
+	if (ret < 0) {
870
+		audit_cause = "store_entry";
871
+		ima_free_template_entry(entry);
872
+	}
873
+
874
+out:
875
+	if (ret < 0)
876
+		integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, eventname,
877
+					func_measure_str(func),
878
+					audit_cause, ret, 0, ret);
879
+
880
+	return;
881
+}
882
+
883
+/**
884
+ * ima_kexec_cmdline - measure kexec cmdline boot args
885
+ * @kernel_fd: file descriptor of the kexec kernel being loaded
886
+ * @buf: pointer to buffer
887
+ * @size: size of buffer
888
+ *
889
+ * Buffers can only be measured, not appraised.
890
+ */
891
+void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
892
+{
893
+	struct fd f;
894
+
895
+	if (!buf || !size)
896
+		return;
897
+
898
+	f = fdget(kernel_fd);
899
+	if (!f.file)
900
+		return;
901
+
902
+	process_buffer_measurement(file_inode(f.file), buf, size,
903
+				   "kexec-cmdline", KEXEC_CMDLINE, 0, NULL);
904
+	fdput(f);
537
905
 }
538
906
 
539
907
 static int __init init_ima(void)
..
..
@@ -553,6 +921,13 @@
553
921
 		error = ima_init();
554
922
 	}
555
923
 
924
+	if (error)
925
+		return error;
926
+
927
+	error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
928
+	if (error)
929
+		pr_warn("Couldn't register LSM notifier, error %d\n", error);
930
+
556
931
 	if (!error)
557
932
 		ima_update_policy_flag();
558
933
 
..
..
@@ -560,6 +935,3 @@
560
935
 }
561
936
 
562
937
 late_initcall(init_ima);	/* Start IMA after the TPM is available */
563
-
564
-MODULE_DESCRIPTION("Integrity Measurement Architecture");
565
-MODULE_LICENSE("GPL");