Blame view
security/integrity/integrity.h
7.37 KB
b886d83c5
treewide: Replace...
|
1 |
/* SPDX-License-Identifier: GPL-2.0-only */ |
f381c2722
integrity: move i...
|
2 3 4 5 6 |
/* * Copyright (C) 2009-2010 IBM Corporation * * Authors: * Mimi Zohar <zohar@us.ibm.com> |
|
f381c2722
integrity: move i...
|
7 |
*/ |
555d6d71d
integrity: Remove...
|
8 9 10 11 12 |
#ifdef pr_fmt #undef pr_fmt #endif #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
|
f381c2722
integrity: move i...
|
13 14 15 |
#include <linux/types.h> #include <linux/integrity.h> #include <crypto/sha.h> |
e0751257a
ima: digital sign...
|
16 |
#include <linux/key.h> |
2afd020aa
ima: Do not audit...
|
17 |
#include <linux/audit.h> |
|
f381c2722
integrity: move i...
|
18 |
|
|
45e2472e6
ima: generic IMA ...
|
19 |
/* iint action cache flags */ |
|
f578c08ec
ima: increase iin...
|
20 21 22 23 24 25 26 27 |
#define IMA_MEASURE 0x00000001 #define IMA_MEASURED 0x00000002 #define IMA_APPRAISE 0x00000004 #define IMA_APPRAISED 0x00000008 /*#define IMA_COLLECT 0x00000010 do not use this flag */ #define IMA_COLLECTED 0x00000020 #define IMA_AUDIT 0x00000040 #define IMA_AUDITED 0x00000080 |
|
da1b0029f
ima: support new ...
|
28 29 |
#define IMA_HASH 0x00000100 #define IMA_HASHED 0x00000200 |
|
45e2472e6
ima: generic IMA ...
|
30 |
|
|
f381c2722
integrity: move i...
|
31 |
/* iint cache flags */ |
|
f578c08ec
ima: increase iin...
|
32 |
#define IMA_ACTION_FLAGS 0xff000000 |
0d73a5520
ima: re-introduce...
|
33 34 35 36 |
#define IMA_DIGSIG_REQUIRED 0x01000000 #define IMA_PERMIT_DIRECTIO 0x02000000 #define IMA_NEW_FILE 0x04000000 #define EVM_IMMUTABLE_DIGSIG 0x08000000 |
|
9e67028e7
ima: fail signatu...
|
37 |
#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000 |
9044d627f
ima: Add modsig a...
|
38 |
#define IMA_MODSIG_ALLOWED 0x20000000 |
273df864c
ima: Check agains...
|
39 |
#define IMA_CHECK_BLACKLIST 0x40000000 |
|
45e2472e6
ima: generic IMA ...
|
40 |
|
|
d79d72e02
ima: per hook cac...
|
41 |
#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ |
|
da1b0029f
ima: support new ...
|
42 |
IMA_HASH | IMA_APPRAISE_SUBMASK) |
|
d79d72e02
ima: per hook cac...
|
43 |
#define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \ |
|
da1b0029f
ima: support new ...
|
44 45 |
IMA_HASHED | IMA_COLLECTED | \ IMA_APPRAISED_SUBMASK) |
|
d79d72e02
ima: per hook cac...
|
46 47 |
/* iint subaction appraise cache flags */ |
|
da1b0029f
ima: support new ...
|
48 49 50 51 52 53 54 55 |
#define IMA_FILE_APPRAISE 0x00001000 #define IMA_FILE_APPRAISED 0x00002000 #define IMA_MMAP_APPRAISE 0x00004000 #define IMA_MMAP_APPRAISED 0x00008000 #define IMA_BPRM_APPRAISE 0x00010000 #define IMA_BPRM_APPRAISED 0x00020000 #define IMA_READ_APPRAISE 0x00040000 #define IMA_READ_APPRAISED 0x00080000 |
d906c10d8
IMA: Support usin...
|
56 57 |
#define IMA_CREDS_APPRAISE 0x00100000 #define IMA_CREDS_APPRAISED 0x00200000 |
|
d79d72e02
ima: per hook cac...
|
58 |
#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \ |
|
d906c10d8
IMA: Support usin...
|
59 60 |
IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \ IMA_CREDS_APPRAISE) |
|
d79d72e02
ima: per hook cac...
|
61 |
#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \ |
|
d906c10d8
IMA: Support usin...
|
62 63 |
IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \ IMA_CREDS_APPRAISED) |
|
f381c2722
integrity: move i...
|
64 |
|
|
0d73a5520
ima: re-introduce...
|
65 66 67 68 69 70 |
/* iint cache atomic_flags */ #define IMA_CHANGE_XATTR 0 #define IMA_UPDATE_XATTR 1 #define IMA_CHANGE_ATTR 2 #define IMA_DIGSIG 3 #define IMA_MUST_MEASURE 4 |
6be5cc524
evm: add support ...
|
71 72 73 74 |
enum evm_ima_xattr_type {
IMA_XATTR_DIGEST = 0x01,
EVM_XATTR_HMAC,
EVM_IMA_XATTR_DIGSIG,
|
3ea7a5606
ima: provide hash...
|
75 |
IMA_XATTR_DIGEST_NG, |
|
50b977481
EVM: Add support ...
|
76 |
EVM_XATTR_PORTABLE_DIGSIG, |
|
a48fda9de
ima: check xattr ...
|
77 |
IMA_XATTR_LAST |
|
6be5cc524
evm: add support ...
|
78 79 80 81 |
};
struct evm_ima_xattr_data {
u8 type;
|
|
650b29dbd
integrity: Introd...
|
82 83 84 85 86 87 |
u8 data[];
} __packed;
/* Only used in the EVM HMAC code. */
struct evm_xattr {
struct evm_ima_xattr_data data;
|
|
6be5cc524
evm: add support ...
|
88 |
u8 digest[SHA1_DIGEST_SIZE]; |
|
c7c8bb237
ima: provide supp...
|
89 90 91 92 93 94 95 |
} __packed;
#define IMA_MAX_DIGEST_SIZE 64
struct ima_digest_data {
u8 algo;
u8 length;
|
|
3ea7a5606
ima: provide hash...
|
96 97 98 99 100 101 102 103 104 105 106 |
union {
struct {
u8 unused;
u8 type;
} sha1;
struct {
u8 type;
u8 algo;
} ng;
u8 data[2];
} xattr;
|
eb492c627
ima: Replace zero...
|
107 |
u8 digest[]; |
|
c7c8bb237
ima: provide supp...
|
108 |
} __packed; |
|
6be5cc524
evm: add support ...
|
109 |
|
|
d3634d0f4
ima: read and use...
|
110 111 112 113 |
/*
* signature format v2 - for using with asymmetric keys
*/
struct signature_v2_hdr {
|
|
b1aaab22e
ima: pass full xa...
|
114 |
uint8_t type; /* xattr type */ |
|
d3634d0f4
ima: read and use...
|
115 |
uint8_t version; /* signature format version */ |
4e8ae72a7
X.509: Make algo ...
|
116 |
uint8_t hash_algo; /* Digest algorithm [enum hash_algo] */ |
bb543e395
integrity: Small ...
|
117 118 |
__be32 keyid; /* IMA key identifier - not X509/PGP specific */ __be16 sig_size; /* signature size */ |
|
eb492c627
ima: Replace zero...
|
119 |
uint8_t sig[]; /* signature payload */ |
|
d3634d0f4
ima: read and use...
|
120 |
} __packed; |
|
f381c2722
integrity: move i...
|
121 122 |
/* integrity data associated with an inode */
struct integrity_iint_cache {
|
|
c7c8bb237
ima: provide supp...
|
123 |
struct rb_node rb_node; /* rooted in integrity_iint_tree */ |
|
0d73a5520
ima: re-introduce...
|
124 |
struct mutex mutex; /* protects: version, flags, digest */ |
|
f381c2722
integrity: move i...
|
125 126 |
struct inode *inode; /* back pointer to inode in question */ u64 version; /* track inode changes */ |
|
f578c08ec
ima: increase iin...
|
127 |
unsigned long flags; |
96d450bbe
integrity: add me...
|
128 |
unsigned long measured_pcrs; |
|
0d73a5520
ima: re-introduce...
|
129 |
unsigned long atomic_flags; |
|
d79d72e02
ima: per hook cac...
|
130 131 132 |
enum integrity_status ima_file_status:4; enum integrity_status ima_mmap_status:4; enum integrity_status ima_bprm_status:4; |
|
cf2222178
ima: define a new...
|
133 |
enum integrity_status ima_read_status:4; |
|
d906c10d8
IMA: Support usin...
|
134 |
enum integrity_status ima_creds_status:4; |
|
ee8663317
integrity: reduce...
|
135 |
enum integrity_status evm_status:4; |
|
a35c3fb64
ima: use dynamica...
|
136 |
struct ima_digest_data *ima_hash; |
|
f381c2722
integrity: move i...
|
137 138 139 140 141 |
}; /* rbtree tree calls to lookup, insert, delete * integrity data associated with an inode. */ |
|
f381c2722
integrity: move i...
|
142 |
struct integrity_iint_cache *integrity_iint_find(struct inode *inode); |
4892722e0
integrity: sparse...
|
143 |
|
|
e3c4abbfa
integrity: define...
|
144 |
int integrity_kernel_read(struct file *file, loff_t offset, |
|
bb543e395
integrity: Small ...
|
145 |
void *addr, unsigned long count); |
|
8607c5014
integrity: digita...
|
146 |
#define INTEGRITY_KEYRING_EVM 0 |
f4dc37785
integrity: define...
|
147 |
#define INTEGRITY_KEYRING_IMA 1 |
|
c7f7e58fc
integrity: Remove...
|
148 149 |
#define INTEGRITY_KEYRING_PLATFORM 2 #define INTEGRITY_KEYRING_MAX 3 |
|
8607c5014
integrity: digita...
|
150 |
|
|
0c343af80
integrity: Add an...
|
151 |
extern struct dentry *integrity_dir; |
|
39b070963
ima: Implement su...
|
152 |
struct modsig; |
|
f1be242c9
integrity: digita...
|
153 |
#ifdef CONFIG_INTEGRITY_SIGNATURE |
|
8607c5014
integrity: digita...
|
154 155 |
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, |
|
089bc8e95
ima: fix script m...
|
156 |
const char *digest, int digestlen); |
|
39b070963
ima: Implement su...
|
157 |
int integrity_modsig_verify(unsigned int id, const struct modsig *modsig); |
|
8607c5014
integrity: digita...
|
158 |
|
|
d16a8585d
integrity: add mi...
|
159 |
int __init integrity_init_keyring(const unsigned int id); |
|
9d03a721a
integrity: add va...
|
160 |
int __init integrity_load_x509(const unsigned int id, const char *path); |
|
60740accf
integrity: Load c...
|
161 |
int __init integrity_load_cert(const unsigned int id, const char *source, |
028db3e29
Revert "Merge tag...
|
162 |
const void *data, size_t len, key_perm_t perm); |
|
8607c5014
integrity: digita...
|
163 164 165 166 167 168 169 170 |
#else
static inline int integrity_digsig_verify(const unsigned int id,
const char *sig, int siglen,
const char *digest, int digestlen)
{
return -EOPNOTSUPP;
}
|
|
39b070963
ima: Implement su...
|
171 172 173 174 175 |
static inline int integrity_modsig_verify(unsigned int id,
const struct modsig *modsig)
{
return -EOPNOTSUPP;
}
|
|
7d2ce2320
ima: define '.ima...
|
176 177 178 179 |
static inline int integrity_init_keyring(const unsigned int id)
{
return 0;
}
|
|
60740accf
integrity: Load c...
|
180 181 182 183 |
static inline int __init integrity_load_cert(const unsigned int id, const char *source, const void *data, size_t len, |
|
028db3e29
Revert "Merge tag...
|
184 |
key_perm_t perm) |
|
60740accf
integrity: Load c...
|
185 186 187 |
{
return 0;
}
|
|
f1be242c9
integrity: digita...
|
188 |
#endif /* CONFIG_INTEGRITY_SIGNATURE */ |
|
8607c5014
integrity: digita...
|
189 |
|
|
e0751257a
ima: digital sign...
|
190 191 192 193 194 195 196 197 198 199 |
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen);
#else
static inline int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen)
{
return -EOPNOTSUPP;
}
#endif
|
|
39b070963
ima: Implement su...
|
200 201 202 203 204 205 206 207 208 |
#ifdef CONFIG_IMA_APPRAISE_MODSIG
int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
#else
static inline int ima_modsig_verify(struct key *keyring,
const struct modsig *modsig)
{
return -EOPNOTSUPP;
}
#endif
|
|
fd5f4e905
ima: load x509 ce...
|
209 210 211 212 213 214 215 |
#ifdef CONFIG_IMA_LOAD_X509
void __init ima_load_x509(void);
#else
static inline void ima_load_x509(void)
{
}
#endif
|
|
2ce523eb8
evm: load an x509...
|
216 217 218 219 220 221 222 |
#ifdef CONFIG_EVM_LOAD_X509
void __init evm_load_x509(void);
#else
static inline void evm_load_x509(void)
{
}
#endif
|
|
d726d8d71
integrity: move i...
|
223 224 225 226 227 |
#ifdef CONFIG_INTEGRITY_AUDIT /* declarations */ void integrity_audit_msg(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, const char *cause, int result, int info); |
|
2afd020aa
ima: Do not audit...
|
228 |
|
2f845882e
integrity: Add er...
|
229 230 231 232 |
void integrity_audit_message(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, const char *cause, int result, int info, int errno); |
|
2afd020aa
ima: Do not audit...
|
233 234 235 236 237 |
static inline struct audit_buffer *
integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
{
return audit_log_start(ctx, gfp_mask, type);
}
|
|
d726d8d71
integrity: move i...
|
238 239 240 241 242 243 244 |
#else
static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
const unsigned char *fname,
const char *op, const char *cause,
int result, int info)
{
}
|
|
2afd020aa
ima: Do not audit...
|
245 |
|
|
2f845882e
integrity: Add er...
|
246 247 248 249 250 251 252 |
static inline void integrity_audit_message(int audit_msgno,
struct inode *inode,
const unsigned char *fname,
const char *op, const char *cause,
int result, int info, int errno)
{
}
|
|
2afd020aa
ima: Do not audit...
|
253 254 255 256 257 |
static inline struct audit_buffer *
integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
{
return NULL;
}
|
|
d726d8d71
integrity: move i...
|
258 |
#endif |
|
60740accf
integrity: Load c...
|
259 260 261 262 263 264 265 266 267 268 |
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
void __init add_to_platform_keyring(const char *source, const void *data,
size_t len);
#else
static inline void __init add_to_platform_keyring(const char *source,
const void *data, size_t len)
{
}
#endif
|