/*
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Reiner Sailer <sailer@watson.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 * File: ima.h
 *	internal Integrity Measurement Architecture (IMA) definitions
 */

#ifndef __LINUX_IMA_H
#define __LINUX_IMA_H

#include <linux/types.h>
#include <linux/crypto.h>
#include <linux/fs.h>
#include <linux/security.h>
#include <linux/hash.h>
#include <linux/tpm.h>
#include <linux/audit.h>
#include <crypto/hash_info.h>

#include "../integrity.h"

/*
 * Architectures that hand the measurement list over a kexec provide an
 * asm/ima.h; the matching hook is ima_load_kexec_buffer() further down.
 */
#ifdef CONFIG_HAVE_IMA_KEXEC
#include <asm/ima.h>
#endif
/*
 * Output encodings a template field's ->field_show() callback (see
 * struct ima_template_field) can be asked for when an entry is rendered
 * into a seq_file.
 */
enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
		     IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
/* TPM PCR indices referenced by IMA */
enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };

/* digest size for IMA, fits SHA1 or MD5 */
#define IMA_DIGEST_SIZE		SHA1_DIGEST_SIZE
#define IMA_EVENT_NAME_LEN_MAX	255

/* measurement hash table: 2^IMA_HASH_BITS buckets, indexed by ima_hash_key() */
#define IMA_HASH_BITS 9
#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)

/* field ids are stored in a fixed-size array; templates have a bounded field count */
#define IMA_TEMPLATE_FIELD_ID_MAX_LEN	16
#define IMA_TEMPLATE_NUM_FIELDS_MAX	15

/* the original "ima" template; its format string names two fields (presumably digest, name) */
#define IMA_TEMPLATE_IMA_NAME "ima"
#define IMA_TEMPLATE_IMA_FMT "d|n"
/* current content of the policy */
extern int ima_policy_flag;

/* set during initialization */
extern int ima_initialized;
extern int ima_used_chip;
/* an enum hash_algo value kept as int; the !CONFIG_IMA_APPRAISE ima_get_hash_algo() stub returns it */
extern int ima_hash_algo;
/* IMA_APPRAISE_* bits (defined below) — presumably; where it is set is not visible here */
extern int ima_appraise;
/*
 * IMA event related data
 *
 * Everything a template field's ->field_init() callback (see
 * struct ima_template_field) receives in order to build its
 * ima_field_data.
 */
struct ima_event_data {
	struct integrity_iint_cache *iint;
	struct file *file;
	const unsigned char *filename;
	struct evm_ima_xattr_data *xattr_value;
	int xattr_len;		/* byte length of *xattr_value — presumably */
	const char *violation;	/* cause string of a violation record; NULL otherwise — verify against callers */
};
/* IMA template field data definition */
struct ima_field_data {
	u8 *data;
	u32 len;	/* bytes at data */
};

/* IMA template field definition */
struct ima_template_field {
	/*
	 * Fixed IMA_TEMPLATE_FIELD_ID_MAX_LEN-byte buffer; whether it is
	 * guaranteed NUL-terminated is not established here, so compare
	 * with a bounded string function.
	 */
	const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
	/* fill field_data from event_data; non-zero return presumably means failure */
	int (*field_init)(struct ima_event_data *event_data,
			  struct ima_field_data *field_data);
	/* render field_data into m in the requested encoding */
	void (*field_show)(struct seq_file *m, enum ima_show_type show,
			   struct ima_field_data *field_data);
};

/* IMA template descriptor definition */
struct ima_template_desc {
	struct list_head list;	/* linkage in the template list (see ima_init_template_list()) — presumably */
	char *name;
	char *fmt;
	int num_fields;
	struct ima_template_field **fields;	/* num_fields entries — presumably */
};
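/*
 * One measurement as stored in the list.  The trailing template_data
 * array is sized by the allocator (see ima_alloc_init_template()), so an
 * entry is only ever handled through a pointer.
 */
struct ima_template_entry {
	int pcr;
	u8 digest[TPM_DIGEST_SIZE];	/* sha1 or md5 measurement hash */
	struct ima_template_desc *template_desc; /* template descriptor */
	u32 template_data_len;
	/*
	 * C99 flexible array member instead of the GNU zero-length array
	 * extension: identical layout and sizeof, but standard C, and the
	 * compiler enforces that it stays the last member.  Expected to
	 * hold template_desc->num_fields entries — presumably; verify in
	 * the allocator.
	 */
	struct ima_field_data template_data[]; /* template related data */
};

struct ima_queue_entry {
	struct hlist_node hnext;	/* place in hash collision list */
	struct list_head later;		/* place in ima_measurements list */
	struct ima_template_entry *entry;
};
extern struct list_head ima_measurements;	/* list of all measurements */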
/*
 * Some details preceding the binary serialized measurement list
 *
 * Written by one kernel and parsed by the next across a kexec, so the
 * layout is a cross-kernel ABI: fixed-width fields, 24 bytes with no
 * padding.  buffer_size and count are therefore produced by another
 * kernel image; the consumer (ima_restore_measurement_list(), presumably)
 * must bound them against the length of the buffer it was actually
 * handed rather than trust them.
 */
struct ima_kexec_hdr {
	u16 version;
	u16 _reserved0;
	u32 _reserved1;
	u64 buffer_size;
	u64 count;
};

/* No-op when the architecture cannot hand a list over kexec */
#ifdef CONFIG_HAVE_IMA_KEXEC
void ima_load_kexec_buffer(void);
#else
static inline void ima_load_kexec_buffer(void) {}
#endif /* CONFIG_HAVE_IMA_KEXEC */
/*
 * The default binary_runtime_measurements list format is defined as the
 * platform native format. The canonical format is defined as little-endian.
 *
 * When true the canonical (little-endian) format is emitted — presumably;
 * where the flag is set is not visible in this header.
 */
extern bool ima_canonical_fmt;
/* Internal IMA function definitions */
int ima_init(void);
int ima_fs_init(void);
/*
 * Queue a measurement; @op and @filename are log context (the same pair
 * ima_add_violation() takes).  Non-zero @violation presumably marks the
 * entry as a violation record.
 */
int ima_add_template_entry(struct ima_template_entry *entry, int violation,
			   const char *op, struct inode *inode,
			   const unsigned char *filename);
/* hash producers: the result is written into @hash (struct ima_digest_data, integrity.h) */
int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
int ima_calc_buffer_hash(const void *buf, loff_t len,
			 struct ima_digest_data *hash);
/* hash over @num_fields entries of @field_data, laid out according to @desc — presumably its fmt */
int ima_calc_field_array_hash(struct ima_field_data *field_data,
			      struct ima_template_desc *desc, int num_fields,
			      struct ima_digest_data *hash);
/* __init: boot-time only, the code is discarded afterwards */
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
void ima_add_violation(struct file *file, const unsigned char *filename,
		       struct integrity_iint_cache *iint,
		       const char *op, const char *cause);
int ima_init_crypto(void);
/* seq_file output helpers: raw bytes, and a digest of @size bytes */
void ima_putc(struct seq_file *m, void *data, int datalen);
void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
struct ima_template_desc *ima_template_desc_current(void);
/*
 * kexec handover: rebuild the list from a buffer serialized by the
 * previous kernel (struct ima_kexec_hdr followed by the entries).  @buf is
 * @bufsize bytes inherited from another kernel image, so every length and
 * count read out of it must be checked against @bufsize before use.
 */
int ima_restore_measurement_entry(struct ima_template_entry *entry);
int ima_restore_measurement_list(loff_t bufsize, void *buf);
int ima_measurements_show(struct seq_file *m, void *v);
unsigned long ima_get_binary_runtime_size(void);
int ima_init_template(void);
void ima_init_template_list(void);
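/*
 * used to protect h_table and sha_table
 */
extern spinlock_t ima_queue_lock;

struct ima_h_table {
	atomic_long_t len;	/* number of stored measurements in the list */
	atomic_long_t violations;
	struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
};
extern struct ima_h_table ima_htable;

/*
 * Bucket index into ima_htable.queue[] for a measurement digest.
 *
 * @digest: measurement digest, at least two bytes readable (entries carry
 *          TPM_DIGEST_SIZE bytes).
 *
 * Returns a value in [0, IMA_MEASURE_HTABLE_SIZE).  The digest is already
 * the output of a cryptographic hash, so its leading bytes are uniformly
 * distributed and there is no point in hashing them again; folding two
 * bytes lets every one of the 1 << IMA_HASH_BITS buckets be used.  The
 * earlier hash_long(*digest, IMA_HASH_BITS) keyed on the first byte only,
 * so at most 256 distinct buckets of a 512-entry table could ever be
 * populated, doubling the average collision-chain length.
 */
static inline unsigned long ima_hash_key(u8 *digest)
{
	return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
}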
/*
 * X-macro list of the IMA hooks.  This one list generates enum ima_hooks
 * below via __ima_hook_enumify and, presumably, a matching name table
 * elsewhere through a second expander; edit only this list so both stay
 * in sync.  Order defines the enum values: NONE is 0 and MAX_CHECK is one
 * past the last real hook (a bound, not a hook), so new hooks go before
 * MAX_CHECK.
 */
#define __ima_hooks(hook)		\
	hook(NONE)			\
	hook(FILE_CHECK)		\
	hook(MMAP_CHECK)		\
	hook(BPRM_CHECK)		\
	hook(POST_SETATTR)		\
	hook(MODULE_CHECK)		\
	hook(FIRMWARE_CHECK)		\
	hook(KEXEC_KERNEL_CHECK)	\
	hook(KEXEC_INITRAMFS_CHECK)	\
	hook(POLICY_CHECK)		\
	hook(MAX_CHECK)
#define __ima_hook_enumify(ENUM)	ENUM,

enum ima_hooks {
	__ima_hooks(__ima_hook_enumify)
};
/* LIM API function definitions */
/*
 * Policy decision for an access of @inode under hook @func; *pcr receives
 * the PCR chosen by the matching rule — presumably, ima_match_policy()
 * takes the same int *pcr.
 */
int ima_get_action(struct inode *inode, int mask, enum ima_hooks func,
		   int *pcr);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
/* hash @file (or @size bytes at @buf — verify which takes precedence) with @algo into the iint */
int ima_collect_measurement(struct integrity_iint_cache *iint,
			    struct file *file, void *buf, loff_t size,
			    enum hash_algo algo);
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
			   const unsigned char *filename,
			   struct evm_ima_xattr_data *xattr_value,
			   int xattr_len, int pcr);
void ima_audit_measurement(struct integrity_iint_cache *iint,
			   const unsigned char *filename);
/*
 * Allocate and initialise *entry from event_data; release it with
 * ima_free_template_entry() unless ownership has passed to the list via
 * ima_store_template() — pairing inferred from the names, verify.
 */
int ima_alloc_init_template(struct ima_event_data *event_data,
			    struct ima_template_entry **entry);
int ima_store_template(struct ima_template_entry *entry, int violation,
		       struct inode *inode,
		       const unsigned char *filename, int pcr);
void ima_free_template_entry(struct ima_template_entry *entry);
/*
 * Path string for @path.  *pathbuf looks like a callee-provided buffer the
 * caller must release and @filename a fallback — both presumed from the
 * signature; check the implementation before relying on either.
 */
const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
/* IMA policy related functions */
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
		     int flags, int *pcr);
void ima_init_policy(void);
void ima_update_policy(void);
void ima_update_policy_flag(void);
/*
 * Parse one rule of text.  The policy file is writable from user space
 * (POLICY_FILE_FLAGS below includes S_IWUSR), so this input is untrusted
 * and the parser must stay within the buffer it is given.  The parameter
 * is non-const, so the text is presumably tokenised in place.
 */
ssize_t ima_parse_add_rule(char *);
void ima_delete_rules(void);
int ima_check_policy(void);
/* seq_file start/next/stop/show callbacks for the policy file — presumably */
void *ima_policy_start(struct seq_file *m, loff_t *pos);
void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
void ima_policy_stop(struct seq_file *m, void *v);
int ima_policy_show(struct seq_file *m, void *v);
/* Appraise integrity measurements */
/*
 * Single-bit flags, so they combine as a mask (presumably in ima_appraise).
 * ENFORCE/FIX/LOG read as appraisal modes and MODULES/FIRMWARE/POLICY as
 * what gets appraised — inferred from the names only.
 */
#define IMA_APPRAISE_ENFORCE	0x01
#define IMA_APPRAISE_FIX	0x02
#define IMA_APPRAISE_LOG	0x04
#define IMA_APPRAISE_MODULES	0x08
#define IMA_APPRAISE_FIRMWARE	0x10
#define IMA_APPRAISE_POLICY	0x20
#ifdef CONFIG_IMA_APPRAISE
/*
 * Returns an int that the stub below fills with an enum integrity_status
 * value (INTEGRITY_UNKNOWN), so callers presumably compare the result
 * against that enum.
 */
int ima_appraise_measurement(enum ima_hooks func,
			     struct integrity_iint_cache *iint,
			     struct file *file, const unsigned char *filename,
			     struct evm_ima_xattr_data *xattr_value,
			     int xattr_len, int opened);
int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
					   enum ima_hooks func);
enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
				 int xattr_len);
/*
 * Fetch the security xattr of @dentry into *xattr_value; the value comes
 * from disk and its @xattr_len must be validated by the consumer.
 * Allocation and ownership of *xattr_value are not visible here — check
 * the implementation for who frees it.
 */
int ima_read_xattr(struct dentry *dentry,
		   struct evm_ima_xattr_data **xattr_value);

#else
/*
 * Stubs for kernels without appraisal: appraisal reports INTEGRITY_UNKNOWN,
 * nothing must be appraised, the xattr is never written or read
 * (ima_read_xattr() returns 0 without touching *xattr_value, so callers
 * must not assume it was set) and the hash algorithm falls back to the
 * global ima_hash_algo.
 */
static inline int ima_appraise_measurement(enum ima_hooks func,
					   struct integrity_iint_cache *iint,
					   struct file *file,
					   const unsigned char *filename,
					   struct evm_ima_xattr_data *xattr_value,
					   int xattr_len, int opened)
{
	return INTEGRITY_UNKNOWN;
}

static inline int ima_must_appraise(struct inode *inode, int mask,
				    enum ima_hooks func)
{
	return 0;
}

static inline void ima_update_xattr(struct integrity_iint_cache *iint,
				    struct file *file)
{
}

static inline enum integrity_status ima_get_cache_status(struct integrity_iint_cache
							 *iint,
							 enum ima_hooks func)
{
	return INTEGRITY_UNKNOWN;
}

static inline enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
					       int xattr_len)
{
	return ima_hash_algo;
}

static inline int ima_read_xattr(struct dentry *dentry,
				 struct evm_ima_xattr_data **xattr_value)
{
	return 0;
}

#endif /* CONFIG_IMA_APPRAISE */
/* LSM based policy rules require audit */
#ifdef CONFIG_IMA_LSM_RULES

#define security_filter_rule_init security_audit_rule_init
#define security_filter_rule_match security_audit_rule_match

#else

/*
 * Without CONFIG_IMA_LSM_RULES an LSM-qualified rule fails at
 * security_filter_rule_init() with -EINVAL, so — assuming the policy
 * parser propagates the error — such a rule is rejected rather than being
 * loaded with its LSM condition silently dropped.  The match stub also
 * returns -EINVAL (an error, not "no match"); a caller treating non-zero
 * as a match would be wrong, though it should be unreachable once init has
 * failed — verify.
 */
static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
					    void **lsmrule)
{
	return -EINVAL;
}

static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
					     void *lsmrule,
					     struct audit_context *actx)
{
	return -EINVAL;
}
#endif /* CONFIG_IMA_LSM_RULES */
/*
 * Mode bits for the policy file: always owner-writable so a policy can be
 * loaded, owner-readable only with CONFIG_IMA_READ_POLICY — otherwise the
 * loaded rules cannot be read back through the file at all.
 */
#ifdef	CONFIG_IMA_READ_POLICY
#define	POLICY_FILE_FLAGS	(S_IWUSR | S_IRUSR)
#else
#define	POLICY_FILE_FLAGS	S_IWUSR
#endif /* CONFIG_IMA_READ_POLICY */

#endif /* __LINUX_IMA_H */