Blame view
security/integrity/integrity.h
7.37 KB
b886d83c5 treewide: Replace... |
1 |
/* SPDX-License-Identifier: GPL-2.0-only */ |
f381c2722 integrity: move i... |
2 3 4 5 6 |
/* * Copyright (C) 2009-2010 IBM Corporation * * Authors: * Mimi Zohar <zohar@us.ibm.com> |
f381c2722 integrity: move i... |
7 |
*/ |
555d6d71d integrity: Remove... |
8 9 10 11 12 |
#ifdef pr_fmt #undef pr_fmt #endif #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
f381c2722 integrity: move i... |
13 14 15 |
#include <linux/types.h> #include <linux/integrity.h> #include <crypto/sha.h> |
e0751257a ima: digital sign... |
16 |
#include <linux/key.h> |
2afd020aa ima: Do not audit... |
17 |
#include <linux/audit.h> |
f381c2722 integrity: move i... |
18 |
|
45e2472e6 ima: generic IMA ... |
19 |
/* iint action cache flags */ |
f578c08ec ima: increase iin... |
20 21 22 23 24 25 26 27 |
#define IMA_MEASURE 0x00000001 #define IMA_MEASURED 0x00000002 #define IMA_APPRAISE 0x00000004 #define IMA_APPRAISED 0x00000008 /*#define IMA_COLLECT 0x00000010 do not use this flag */ #define IMA_COLLECTED 0x00000020 #define IMA_AUDIT 0x00000040 #define IMA_AUDITED 0x00000080 |
da1b0029f ima: support new ... |
28 29 |
#define IMA_HASH 0x00000100 #define IMA_HASHED 0x00000200 |
45e2472e6 ima: generic IMA ... |
30 |
|
f381c2722 integrity: move i... |
31 |
/* iint cache flags */ |
f578c08ec ima: increase iin... |
32 |
#define IMA_ACTION_FLAGS 0xff000000 |
0d73a5520 ima: re-introduce... |
33 34 35 36 |
#define IMA_DIGSIG_REQUIRED 0x01000000 #define IMA_PERMIT_DIRECTIO 0x02000000 #define IMA_NEW_FILE 0x04000000 #define EVM_IMMUTABLE_DIGSIG 0x08000000 |
9e67028e7 ima: fail signatu... |
37 |
#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000 |
9044d627f ima: Add modsig a... |
38 |
#define IMA_MODSIG_ALLOWED 0x20000000 |
273df864c ima: Check agains... |
39 |
#define IMA_CHECK_BLACKLIST 0x40000000 |
45e2472e6 ima: generic IMA ... |
40 |
|
d79d72e02 ima: per hook cac... |
41 |
#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ |
da1b0029f ima: support new ... |
42 |
IMA_HASH | IMA_APPRAISE_SUBMASK) |
d79d72e02 ima: per hook cac... |
43 |
#define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \ |
da1b0029f ima: support new ... |
44 45 |
IMA_HASHED | IMA_COLLECTED | \ IMA_APPRAISED_SUBMASK) |
d79d72e02 ima: per hook cac... |
46 47 |
/* iint subaction appraise cache flags */ |
da1b0029f ima: support new ... |
48 49 50 51 52 53 54 55 |
#define IMA_FILE_APPRAISE 0x00001000 #define IMA_FILE_APPRAISED 0x00002000 #define IMA_MMAP_APPRAISE 0x00004000 #define IMA_MMAP_APPRAISED 0x00008000 #define IMA_BPRM_APPRAISE 0x00010000 #define IMA_BPRM_APPRAISED 0x00020000 #define IMA_READ_APPRAISE 0x00040000 #define IMA_READ_APPRAISED 0x00080000 |
d906c10d8 IMA: Support usin... |
56 57 |
#define IMA_CREDS_APPRAISE 0x00100000 #define IMA_CREDS_APPRAISED 0x00200000 |
d79d72e02 ima: per hook cac... |
58 |
#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \ |
d906c10d8 IMA: Support usin... |
59 60 |
IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \ IMA_CREDS_APPRAISE) |
d79d72e02 ima: per hook cac... |
61 |
#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \ |
d906c10d8 IMA: Support usin... |
62 63 |
IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \ IMA_CREDS_APPRAISED) |
f381c2722 integrity: move i... |
64 |
|
0d73a5520 ima: re-introduce... |
65 66 67 68 69 70 |
/* iint cache atomic_flags */ #define IMA_CHANGE_XATTR 0 #define IMA_UPDATE_XATTR 1 #define IMA_CHANGE_ATTR 2 #define IMA_DIGSIG 3 #define IMA_MUST_MEASURE 4 |
6be5cc524 evm: add support ... |
71 72 73 74 |
enum evm_ima_xattr_type { IMA_XATTR_DIGEST = 0x01, EVM_XATTR_HMAC, EVM_IMA_XATTR_DIGSIG, |
3ea7a5606 ima: provide hash... |
75 |
IMA_XATTR_DIGEST_NG, |
50b977481 EVM: Add support ... |
76 |
EVM_XATTR_PORTABLE_DIGSIG, |
a48fda9de ima: check xattr ... |
77 |
IMA_XATTR_LAST |
6be5cc524 evm: add support ... |
78 79 80 81 |
}; struct evm_ima_xattr_data { u8 type; |
650b29dbd integrity: Introd... |
82 83 84 85 86 87 |
u8 data[]; } __packed; /* Only used in the EVM HMAC code. */ struct evm_xattr { struct evm_ima_xattr_data data; |
6be5cc524 evm: add support ... |
88 |
u8 digest[SHA1_DIGEST_SIZE]; |
c7c8bb237 ima: provide supp... |
89 90 91 92 93 94 95 |
} __packed; #define IMA_MAX_DIGEST_SIZE 64 struct ima_digest_data { u8 algo; u8 length; |
3ea7a5606 ima: provide hash... |
96 97 98 99 100 101 102 103 104 105 106 |
union { struct { u8 unused; u8 type; } sha1; struct { u8 type; u8 algo; } ng; u8 data[2]; } xattr; |
eb492c627 ima: Replace zero... |
107 |
u8 digest[]; |
c7c8bb237 ima: provide supp... |
108 |
} __packed; |
6be5cc524 evm: add support ... |
109 |
|
d3634d0f4 ima: read and use... |
110 111 112 113 |
/* * signature format v2 - for using with asymmetric keys */ struct signature_v2_hdr { |
b1aaab22e ima: pass full xa... |
114 |
uint8_t type; /* xattr type */ |
d3634d0f4 ima: read and use... |
115 |
uint8_t version; /* signature format version */ |
4e8ae72a7 X.509: Make algo ... |
116 |
uint8_t hash_algo; /* Digest algorithm [enum hash_algo] */ |
bb543e395 integrity: Small ... |
117 118 |
__be32 keyid; /* IMA key identifier - not X509/PGP specific */ __be16 sig_size; /* signature size */ |
eb492c627 ima: Replace zero... |
119 |
uint8_t sig[]; /* signature payload */ |
d3634d0f4 ima: read and use... |
120 |
} __packed; |
f381c2722 integrity: move i... |
121 122 |
/* integrity data associated with an inode */ struct integrity_iint_cache { |
c7c8bb237 ima: provide supp... |
123 |
struct rb_node rb_node; /* rooted in integrity_iint_tree */ |
0d73a5520 ima: re-introduce... |
124 |
struct mutex mutex; /* protects: version, flags, digest */ |
f381c2722 integrity: move i... |
125 126 |
struct inode *inode; /* back pointer to inode in question */ u64 version; /* track inode changes */ |
f578c08ec ima: increase iin... |
127 |
unsigned long flags; |
96d450bbe integrity: add me... |
128 |
unsigned long measured_pcrs; |
0d73a5520 ima: re-introduce... |
129 |
unsigned long atomic_flags; |
d79d72e02 ima: per hook cac... |
130 131 132 |
enum integrity_status ima_file_status:4; enum integrity_status ima_mmap_status:4; enum integrity_status ima_bprm_status:4; |
cf2222178 ima: define a new... |
133 |
enum integrity_status ima_read_status:4; |
d906c10d8 IMA: Support usin... |
134 |
enum integrity_status ima_creds_status:4; |
ee8663317 integrity: reduce... |
135 |
enum integrity_status evm_status:4; |
a35c3fb64 ima: use dynamica... |
136 |
struct ima_digest_data *ima_hash; |
f381c2722 integrity: move i... |
137 138 139 140 141 |
}; /* rbtree tree calls to lookup, insert, delete * integrity data associated with an inode. */ |
f381c2722 integrity: move i... |
142 |
struct integrity_iint_cache *integrity_iint_find(struct inode *inode); |
4892722e0 integrity: sparse... |
143 |
|
e3c4abbfa integrity: define... |
144 |
int integrity_kernel_read(struct file *file, loff_t offset, |
bb543e395 integrity: Small ... |
145 |
void *addr, unsigned long count); |
8607c5014 integrity: digita... |
146 |
#define INTEGRITY_KEYRING_EVM 0 |
f4dc37785 integrity: define... |
147 |
#define INTEGRITY_KEYRING_IMA 1 |
c7f7e58fc integrity: Remove... |
148 149 |
#define INTEGRITY_KEYRING_PLATFORM 2 #define INTEGRITY_KEYRING_MAX 3 |
8607c5014 integrity: digita... |
150 |
|
0c343af80 integrity: Add an... |
151 |
extern struct dentry *integrity_dir; |
39b070963 ima: Implement su... |
152 |
struct modsig; |
f1be242c9 integrity: digita... |
153 |
#ifdef CONFIG_INTEGRITY_SIGNATURE |
8607c5014 integrity: digita... |
154 155 |
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, |
089bc8e95 ima: fix script m... |
156 |
const char *digest, int digestlen); |
39b070963 ima: Implement su... |
157 |
int integrity_modsig_verify(unsigned int id, const struct modsig *modsig); |
8607c5014 integrity: digita... |
158 |
|
d16a8585d integrity: add mi... |
159 |
int __init integrity_init_keyring(const unsigned int id); |
9d03a721a integrity: add va... |
160 |
int __init integrity_load_x509(const unsigned int id, const char *path); |
60740accf integrity: Load c... |
161 |
int __init integrity_load_cert(const unsigned int id, const char *source, |
028db3e29 Revert "Merge tag... |
162 |
const void *data, size_t len, key_perm_t perm); |
8607c5014 integrity: digita... |
163 164 165 166 167 168 169 170 |
#else static inline int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen) { return -EOPNOTSUPP; } |
39b070963 ima: Implement su... |
171 172 173 174 175 |
static inline int integrity_modsig_verify(unsigned int id, const struct modsig *modsig) { return -EOPNOTSUPP; } |
7d2ce2320 ima: define '.ima... |
176 177 178 179 |
static inline int integrity_init_keyring(const unsigned int id) { return 0; } |
60740accf integrity: Load c... |
180 181 182 183 |
static inline int __init integrity_load_cert(const unsigned int id, const char *source, const void *data, size_t len, |
028db3e29 Revert "Merge tag... |
184 |
key_perm_t perm) |
60740accf integrity: Load c... |
185 186 187 |
{ return 0; } |
f1be242c9 integrity: digita... |
188 |
#endif /* CONFIG_INTEGRITY_SIGNATURE */ |
8607c5014 integrity: digita... |
189 |
|
e0751257a ima: digital sign... |
190 191 192 193 194 195 196 197 198 199 |
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS int asymmetric_verify(struct key *keyring, const char *sig, int siglen, const char *data, int datalen); #else static inline int asymmetric_verify(struct key *keyring, const char *sig, int siglen, const char *data, int datalen) { return -EOPNOTSUPP; } #endif |
39b070963 ima: Implement su... |
200 201 202 203 204 205 206 207 208 |
#ifdef CONFIG_IMA_APPRAISE_MODSIG int ima_modsig_verify(struct key *keyring, const struct modsig *modsig); #else static inline int ima_modsig_verify(struct key *keyring, const struct modsig *modsig) { return -EOPNOTSUPP; } #endif |
fd5f4e905 ima: load x509 ce... |
209 210 211 212 213 214 215 |
#ifdef CONFIG_IMA_LOAD_X509 void __init ima_load_x509(void); #else static inline void ima_load_x509(void) { } #endif |
2ce523eb8 evm: load an x509... |
216 217 218 219 220 221 222 |
#ifdef CONFIG_EVM_LOAD_X509 void __init evm_load_x509(void); #else static inline void evm_load_x509(void) { } #endif |
d726d8d71 integrity: move i... |
223 224 225 226 227 |
#ifdef CONFIG_INTEGRITY_AUDIT /* declarations */ void integrity_audit_msg(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, const char *cause, int result, int info); |
2afd020aa ima: Do not audit... |
228 |
|
2f845882e integrity: Add er... |
229 230 231 232 |
void integrity_audit_message(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, const char *cause, int result, int info, int errno); |
2afd020aa ima: Do not audit... |
233 234 235 236 237 |
static inline struct audit_buffer * integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { return audit_log_start(ctx, gfp_mask, type); } |
d726d8d71 integrity: move i... |
238 239 240 241 242 243 244 |
#else static inline void integrity_audit_msg(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, const char *cause, int result, int info) { } |
2afd020aa ima: Do not audit... |
245 |
|
2f845882e integrity: Add er... |
246 247 248 249 250 251 252 |
static inline void integrity_audit_message(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, const char *cause, int result, int info, int errno) { } |
2afd020aa ima: Do not audit... |
253 254 255 256 257 |
static inline struct audit_buffer * integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { return NULL; } |
d726d8d71 integrity: move i... |
258 |
#endif |
60740accf integrity: Load c... |
259 260 261 262 263 264 265 266 267 268 |
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING void __init add_to_platform_keyring(const char *source, const void *data, size_t len); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) { } #endif |