kernel_5.10 no rt

hc

2023-12-11 6778948f9de86c3cfaf36725a7c87dcff9ba247f

 kernel/security/integrity/ima/ima.h
..
..
@@ -1,14 +1,10 @@
1
+/* SPDX-License-Identifier: GPL-2.0-only */
1
2
 /*
2
3
  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3
4
  *
4
5
  * Authors:
5
6
  * Reiner Sailer <sailer@watson.ibm.com>
6
7
  * Mimi Zohar <zohar@us.ibm.com>
7
- *
8
- * This program is free software; you can redistribute it and/or
9
- * modify it under the terms of the GNU General Public License as
10
- * published by the Free Software Foundation, version 2 of the
11
- * License.
12
8
  *
13
9
  * File: ima.h
14
10
  *	internal Integrity Measurement Architecture (IMA) definitions
..
..
@@ -34,7 +30,7 @@
34
30
 
35
31
 enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
36
32
 		     IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
37
-enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
33
+enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
38
34
 
39
35
 /* digest size for IMA, fits SHA1 or MD5 */
40
36
 #define IMA_DIGEST_SIZE		SHA1_DIGEST_SIZE
..
..
@@ -49,11 +45,16 @@
49
45
 #define IMA_TEMPLATE_IMA_NAME "ima"
50
46
 #define IMA_TEMPLATE_IMA_FMT "d|n"
51
47
 
48
+#define NR_BANKS(chip) ((chip != NULL) ? chip->nr_allocated_banks : 0)
49
+
52
50
 /* current content of the policy */
53
51
 extern int ima_policy_flag;
54
52
 
55
53
 /* set during initialization */
56
54
 extern int ima_hash_algo;
55
+extern int ima_sha1_idx __ro_after_init;
56
+extern int ima_hash_algo_idx __ro_after_init;
57
+extern int ima_extra_slots __ro_after_init;
57
58
 extern int ima_appraise;
58
59
 extern struct tpm_chip *ima_tpm_chip;
59
60
 extern const char boot_aggregate_name[];
..
..
@@ -65,7 +66,10 @@
65
66
 	const unsigned char *filename;
66
67
 	struct evm_ima_xattr_data *xattr_value;
67
68
 	int xattr_len;
69
+	const struct modsig *modsig;
68
70
 	const char *violation;
71
+	const void *buf;
72
+	int buf_len;
69
73
 };
70
74
 
71
75
 /* IMA template field data definition */
..
..
@@ -89,15 +93,15 @@
89
93
 	char *name;
90
94
 	char *fmt;
91
95
 	int num_fields;
92
-	struct ima_template_field **fields;
96
+	const struct ima_template_field **fields;
93
97
 };
94
98
 
95
99
 struct ima_template_entry {
96
100
 	int pcr;
97
-	u8 digest[TPM_DIGEST_SIZE];	/* sha1 or md5 measurement hash */
101
+	struct tpm_digest *digests;
98
102
 	struct ima_template_desc *template_desc; /* template descriptor */
99
103
 	u32 template_data_len;
100
-	struct ima_field_data template_data[0];	/* template related data */
104
+	struct ima_field_data template_data[];	/* template related data */
101
105
 };
102
106
 
103
107
 struct ima_queue_entry {
..
..
@@ -115,6 +119,8 @@
115
119
 	u64 buffer_size;
116
120
 	u64 count;
117
121
 };
122
+
123
+extern const int read_idmap[];
118
124
 
119
125
 #ifdef CONFIG_HAVE_IMA_KEXEC
120
126
 void ima_load_kexec_buffer(void);
..
..
@@ -138,8 +144,7 @@
138
144
 int ima_calc_buffer_hash(const void *buf, loff_t len,
139
145
 			 struct ima_digest_data *hash);
140
146
 int ima_calc_field_array_hash(struct ima_field_data *field_data,
141
-			      struct ima_template_desc *desc, int num_fields,
142
-			      struct ima_digest_data *hash);
147
+			      struct ima_template_entry *entry);
143
148
 int ima_calc_boot_aggregate(struct ima_digest_data *hash);
144
149
 void ima_add_violation(struct file *file, const unsigned char *filename,
145
150
 		       struct integrity_iint_cache *iint,
..
..
@@ -147,13 +152,21 @@
147
152
 int ima_init_crypto(void);
148
153
 void ima_putc(struct seq_file *m, void *data, int datalen);
149
154
 void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
155
+int template_desc_init_fields(const char *template_fmt,
156
+			      const struct ima_template_field ***fields,
157
+			      int *num_fields);
150
158
 struct ima_template_desc *ima_template_desc_current(void);
159
+struct ima_template_desc *lookup_template_desc(const char *name);
160
+bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
151
161
 int ima_restore_measurement_entry(struct ima_template_entry *entry);
152
162
 int ima_restore_measurement_list(loff_t bufsize, void *buf);
153
163
 int ima_measurements_show(struct seq_file *m, void *v);
154
164
 unsigned long ima_get_binary_runtime_size(void);
155
165
 int ima_init_template(void);
156
166
 void ima_init_template_list(void);
167
+int __init ima_init_digests(void);
168
+int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
169
+			  void *lsm_data);
157
170
 
158
171
 /*
159
172
  * used to protect h_table and sha_table
..
..
@@ -173,40 +186,93 @@
173
186
 	return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
174
187
 }
175
188
 
176
-#define __ima_hooks(hook)		\
177
-	hook(NONE)			\
178
-	hook(FILE_CHECK)		\
179
-	hook(MMAP_CHECK)		\
180
-	hook(BPRM_CHECK)		\
181
-	hook(CREDS_CHECK)		\
182
-	hook(POST_SETATTR)		\
183
-	hook(MODULE_CHECK)		\
184
-	hook(FIRMWARE_CHECK)		\
185
-	hook(KEXEC_KERNEL_CHECK)	\
186
-	hook(KEXEC_INITRAMFS_CHECK)	\
187
-	hook(POLICY_CHECK)		\
188
-	hook(MAX_CHECK)
189
-#define __ima_hook_enumify(ENUM)	ENUM,
189
+#define __ima_hooks(hook)				\
190
+	hook(NONE, none)				\
191
+	hook(FILE_CHECK, file)				\
192
+	hook(MMAP_CHECK, mmap)				\
193
+	hook(BPRM_CHECK, bprm)				\
194
+	hook(CREDS_CHECK, creds)			\
195
+	hook(POST_SETATTR, post_setattr)		\
196
+	hook(MODULE_CHECK, module)			\
197
+	hook(FIRMWARE_CHECK, firmware)			\
198
+	hook(KEXEC_KERNEL_CHECK, kexec_kernel)		\
199
+	hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs)	\
200
+	hook(POLICY_CHECK, policy)			\
201
+	hook(KEXEC_CMDLINE, kexec_cmdline)		\
202
+	hook(KEY_CHECK, key)				\
203
+	hook(MAX_CHECK, none)
204
+
205
+#define __ima_hook_enumify(ENUM, str)	ENUM,
206
+#define __ima_stringify(arg) (#arg)
207
+#define __ima_hook_measuring_stringify(ENUM, str) \
208
+		(__ima_stringify(measuring_ ##str)),
190
209
 
191
210
 enum ima_hooks {
192
211
 	__ima_hooks(__ima_hook_enumify)
193
212
 };
194
213
 
214
+static const char * const ima_hooks_measure_str[] = {
215
+	__ima_hooks(__ima_hook_measuring_stringify)
216
+};
217
+
218
+static inline const char *func_measure_str(enum ima_hooks func)
219
+{
220
+	if (func >= MAX_CHECK)
221
+		return ima_hooks_measure_str[NONE];
222
+
223
+	return ima_hooks_measure_str[func];
224
+}
225
+
226
+extern const char *const func_tokens[];
227
+
228
+struct modsig;
229
+
230
+#ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS
231
+/*
232
+ * To track keys that need to be measured.
233
+ */
234
+struct ima_key_entry {
235
+	struct list_head list;
236
+	void *payload;
237
+	size_t payload_len;
238
+	char *keyring_name;
239
+};
240
+void ima_init_key_queue(void);
241
+bool ima_should_queue_key(void);
242
+bool ima_queue_key(struct key *keyring, const void *payload,
243
+		   size_t payload_len);
244
+void ima_process_queued_keys(void);
245
+#else
246
+static inline void ima_init_key_queue(void) {}
247
+static inline bool ima_should_queue_key(void) { return false; }
248
+static inline bool ima_queue_key(struct key *keyring,
249
+				 const void *payload,
250
+				 size_t payload_len) { return false; }
251
+static inline void ima_process_queued_keys(void) {}
252
+#endif /* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS */
253
+
195
254
 /* LIM API function definitions */
196
255
 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
197
-		   int mask, enum ima_hooks func, int *pcr);
256
+		   int mask, enum ima_hooks func, int *pcr,
257
+		   struct ima_template_desc **template_desc,
258
+		   const char *keyring);
198
259
 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
199
260
 int ima_collect_measurement(struct integrity_iint_cache *iint,
200
261
 			    struct file *file, void *buf, loff_t size,
201
-			    enum hash_algo algo);
262
+			    enum hash_algo algo, struct modsig *modsig);
202
263
 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
203
264
 			   const unsigned char *filename,
204
265
 			   struct evm_ima_xattr_data *xattr_value,
205
-			   int xattr_len, int pcr);
266
+			   int xattr_len, const struct modsig *modsig, int pcr,
267
+			   struct ima_template_desc *template_desc);
268
+void process_buffer_measurement(struct inode *inode, const void *buf, int size,
269
+				const char *eventname, enum ima_hooks func,
270
+				int pcr, const char *keyring);
206
271
 void ima_audit_measurement(struct integrity_iint_cache *iint,
207
272
 			   const unsigned char *filename);
208
273
 int ima_alloc_init_template(struct ima_event_data *event_data,
209
-			    struct ima_template_entry **entry);
274
+			    struct ima_template_entry **entry,
275
+			    struct ima_template_desc *template_desc);
210
276
 int ima_store_template(struct ima_template_entry *entry, int violation,
211
277
 		       struct inode *inode,
212
278
 		       const unsigned char *filename, int pcr);
..
..
@@ -215,7 +281,9 @@
215
281
 
216
282
 /* IMA policy related functions */
217
283
 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
218
-		     enum ima_hooks func, int mask, int flags, int *pcr);
284
+		     enum ima_hooks func, int mask, int flags, int *pcr,
285
+		     struct ima_template_desc **template_desc,
286
+		     const char *keyring);
219
287
 void ima_init_policy(void);
220
288
 void ima_update_policy(void);
221
289
 void ima_update_policy_flag(void);
..
..
@@ -237,11 +305,13 @@
237
305
 #define IMA_APPRAISE_KEXEC	0x40
238
306
 
239
307
 #ifdef CONFIG_IMA_APPRAISE
308
+int ima_check_blacklist(struct integrity_iint_cache *iint,
309
+			const struct modsig *modsig, int pcr);
240
310
 int ima_appraise_measurement(enum ima_hooks func,
241
311
 			     struct integrity_iint_cache *iint,
242
312
 			     struct file *file, const unsigned char *filename,
243
313
 			     struct evm_ima_xattr_data *xattr_value,
244
-			     int xattr_len);
314
+			     int xattr_len, const struct modsig *modsig);
245
315
 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
246
316
 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
247
317
 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
..
..
@@ -252,12 +322,19 @@
252
322
 		   struct evm_ima_xattr_data **xattr_value);
253
323
 
254
324
 #else
325
+static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
326
+				      const struct modsig *modsig, int pcr)
327
+{
328
+	return 0;
329
+}
330
+
255
331
 static inline int ima_appraise_measurement(enum ima_hooks func,
256
332
 					   struct integrity_iint_cache *iint,
257
333
 					   struct file *file,
258
334
 					   const unsigned char *filename,
259
335
 					   struct evm_ima_xattr_data *xattr_value,
260
-					   int xattr_len)
336
+					   int xattr_len,
337
+					   const struct modsig *modsig)
261
338
 {
262
339
 	return INTEGRITY_UNKNOWN;
263
340
 }
..
..
@@ -294,23 +371,66 @@
294
371
 
295
372
 #endif /* CONFIG_IMA_APPRAISE */
296
373
 
374
+#ifdef CONFIG_IMA_APPRAISE_MODSIG
375
+int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
376
+		    struct modsig **modsig);
377
+void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size);
378
+int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
379
+			  const u8 **digest, u32 *digest_size);
380
+int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
381
+		       u32 *data_len);
382
+void ima_free_modsig(struct modsig *modsig);
383
+#else
384
+static inline int ima_read_modsig(enum ima_hooks func, const void *buf,
385
+				  loff_t buf_len, struct modsig **modsig)
386
+{
387
+	return -EOPNOTSUPP;
388
+}
389
+
390
+static inline void ima_collect_modsig(struct modsig *modsig, const void *buf,
391
+				      loff_t size)
392
+{
393
+}
394
+
395
+static inline int ima_get_modsig_digest(const struct modsig *modsig,
396
+					enum hash_algo *algo, const u8 **digest,
397
+					u32 *digest_size)
398
+{
399
+	return -EOPNOTSUPP;
400
+}
401
+
402
+static inline int ima_get_raw_modsig(const struct modsig *modsig,
403
+				     const void **data, u32 *data_len)
404
+{
405
+	return -EOPNOTSUPP;
406
+}
407
+
408
+static inline void ima_free_modsig(struct modsig *modsig)
409
+{
410
+}
411
+#endif /* CONFIG_IMA_APPRAISE_MODSIG */
412
+
297
413
 /* LSM based policy rules require audit */
298
414
 #ifdef CONFIG_IMA_LSM_RULES
299
415
 
300
-#define security_filter_rule_init security_audit_rule_init
301
-#define security_filter_rule_match security_audit_rule_match
416
+#define ima_filter_rule_init security_audit_rule_init
417
+#define ima_filter_rule_free security_audit_rule_free
418
+#define ima_filter_rule_match security_audit_rule_match
302
419
 
303
420
 #else
304
421
 
305
-static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
306
-					    void **lsmrule)
422
+static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
423
+				       void **lsmrule)
307
424
 {
308
425
 	return -EINVAL;
309
426
 }
310
427
 
311
-static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
312
-					     void *lsmrule,
313
-					     struct audit_context *actx)
428
+static inline void ima_filter_rule_free(void *lsmrule)
429
+{
430
+}
431
+
432
+static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
433
+					void *lsmrule)
314
434
 {
315
435
 	return -EINVAL;
316
436
 }