^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Copyright (C) 2005,2006,2007,2008 IBM Corporation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Authors:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Kylene Hall <kjhall@us.ibm.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Reiner Sailer <sailer@us.ibm.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Mimi Zohar <zohar@us.ibm.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) *
 * File: ima_fs.c
 *	implements the security file system for reporting the
 *	current measurement list and IMA statistics
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/fcntl.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/kernel_read_file.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <linux/init.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include <linux/seq_file.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include <linux/rculist.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) #include <linux/rcupdate.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) #include <linux/parser.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) #include <linux/vmalloc.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) #include "ima.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26)
/* Serialises writers of the securityfs "policy" file (see ima_write_policy()). */
static DEFINE_MUTEX(ima_write_mutex);

/*
 * When set, the 32-bit fields of the binary measurement list are emitted via
 * cpu_to_le32() instead of in host order (see ima_measurements_show()).  The
 * "ima_canonical_fmt" boot option only turns it on for big-endian builds,
 * where host order and little-endian differ.
 */
bool ima_canonical_fmt;
/*
 * Handler for the "ima_canonical_fmt" boot parameter.
 *
 * On a little-endian host the native layout already matches the canonical
 * (little-endian) measurement-list format, so the flag is only raised on
 * big-endian builds.  Always returns 1 to report the option as handled.
 */
static int __init default_canonical_fmt_setup(char *str)
{
#if defined(__BIG_ENDIAN)
	ima_canonical_fmt = true;
#endif
	return 1;
}
__setup("ima_canonical_fmt", default_canonical_fmt_setup);

/*
 * Whether the policy currently being written through securityfs is still
 * consistent: cleared by ima_write_policy() on any failed write, consulted
 * and reset by ima_release_policy() when the writer closes the file.
 */
static int valid_policy = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40)
/*
 * Copy the decimal value of an atomic counter to user space as one line.
 *
 * @val is formatted into a small stack buffer and handed to
 * simple_read_from_buffer(), which bounds the copy by @count and advances
 * *@ppos, so this is safe to call repeatedly from a read() handler.
 */
static ssize_t ima_show_htable_value(char __user *buf, size_t count,
				     loff_t *ppos, atomic_long_t *val)
{
	char text[32];	/* any decimal 'long', plus "\n" and the NUL */
	ssize_t textlen = scnprintf(text, sizeof(text), "%li\n",
				    atomic_long_read(val));

	return simple_read_from_buffer(buf, count, ppos, text, textlen);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50)
/* read() for securityfs "violations": the measurement violation counter. */
static ssize_t ima_show_htable_violations(struct file *filp,
					  char __user *buf,
					  size_t count, loff_t *ppos)
{
	atomic_long_t *counter = &ima_htable.violations;

	return ima_show_htable_value(buf, count, ppos, counter);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57)
/* file_operations for securityfs "violations" (read-only counter) */
static const struct file_operations ima_htable_violations_ops = {
	.llseek	= generic_file_llseek,
	.read	= ima_show_htable_violations,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62)
/* read() for securityfs "runtime_measurements_count": entries in the list. */
static ssize_t ima_show_measurements_count(struct file *filp,
					   char __user *buf,
					   size_t count, loff_t *ppos)
{
	atomic_long_t *counter = &ima_htable.len;

	return ima_show_htable_value(buf, count, ppos, counter);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70)
/* file_operations for securityfs "runtime_measurements_count" (read-only) */
static const struct file_operations ima_measurements_count_ops = {
	.llseek	= generic_file_llseek,
	.read	= ima_show_measurements_count,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)
/*
 * seq_file start(): locate the *@pos'th entry of the measurement list.
 *
 * The list is walked from its head under rcu_read_lock(); entries are only
 * ever appended (the list never shrinks), so the lock merely protects the
 * walk against a concurrent append when *@pos lies past the current tail.
 * Returns the matching struct ima_queue_entry, or NULL when *@pos is beyond
 * the end of the list.
 */
static void *ima_measurements_start(struct seq_file *m, loff_t *pos)
{
	struct ima_queue_entry *entry;
	loff_t remaining = *pos;

	rcu_read_lock();
	list_for_each_entry_rcu(entry, &ima_measurements, later) {
		if (remaining == 0) {
			rcu_read_unlock();
			return entry;
		}
		remaining--;
	}
	rcu_read_unlock();

	return NULL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93)
/*
 * seq_file next(): step from entry @v to its successor and bump *@pos.
 *
 * The successor pointer is read under rcu_read_lock() so that reading past
 * the last element races safely with a concurrent append.  Returns the next
 * struct ima_queue_entry, or NULL once the walk wraps back to the list head.
 */
static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
{
	struct ima_queue_entry *cur = v;
	struct ima_queue_entry *next;

	rcu_read_lock();
	next = list_entry_rcu(cur->later.next, struct ima_queue_entry, later);
	rcu_read_unlock();
	++*pos;

	if (&next->later == &ima_measurements)
		return NULL;	/* back at the list head: end of list */
	return next;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108)
/* seq_file stop(): nothing to release; start()/next() drop the RCU lock themselves. */
static void ima_measurements_stop(struct seq_file *m, void *v)
{
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112)
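/*
 * Emit @datalen raw bytes starting at @data into the seq_file, unescaped.
 *
 * Used for the binary measurement list; @datalen is an int because callers
 * pass sizeof()/strlen() results through this signature.  A negative length
 * is treated as "nothing to write" rather than being fed to a post-decrement
 * loop that would only stop after wrapping around.
 */
void ima_putc(struct seq_file *m, void *data, int datalen)
{
	const char *bytes = data;

	while (datalen-- > 0)
		seq_putc(m, *bytes++);
}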
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118)
/*
 * seq_file show() for the binary measurement list.  One record is laid out as:
 *   32bit-le = PCR index
 *   char[20] = template digest (SHA1 slot)
 *   32bit-le = template name length
 *   char[n]  = template name
 *   32bit-le = template data length (omitted for the legacy 'ima' template)
 *   ...      = template-specific field data
 *
 * The 32-bit fields are written in host byte order unless ima_canonical_fmt
 * is set, in which case they go through cpu_to_le32() so that consumers on a
 * host of either endianness see one fixed layout.
 */
int ima_measurements_show(struct seq_file *m, void *v)
{
	/* entries are never removed, so reading one needs no lock */
	struct ima_queue_entry *qe = v;
	struct ima_template_entry *e = qe->entry;
	struct ima_template_desc *desc;
	char *template_name;
	size_t name_len;
	u32 pcr, namelen, template_data_len;
	bool is_ima_template;
	int i;

	if (!e)
		return -1;

	desc = e->template_desc;
	template_name = desc->name[0] ? desc->name : desc->fmt;
	name_len = strlen(template_name);
	is_ima_template = strcmp(template_name, IMA_TEMPLATE_IMA_NAME) == 0;

	/* 1st: PCR index (the configured default unless the policy set one) */
	pcr = ima_canonical_fmt ? cpu_to_le32(e->pcr) : e->pcr;
	ima_putc(m, &pcr, sizeof(e->pcr));

	/* 2nd: template digest */
	ima_putc(m, e->digests[ima_sha1_idx].digest, TPM_DIGEST_SIZE);

	/* 3rd: template name length */
	namelen = ima_canonical_fmt ? cpu_to_le32(name_len) : name_len;
	ima_putc(m, &namelen, sizeof(namelen));

	/* 4th: template name */
	ima_putc(m, template_name, name_len);

	/* 5th: template data length, except for the legacy 'ima' template */
	if (!is_ima_template) {
		template_data_len = ima_canonical_fmt ?
			cpu_to_le32(e->template_data_len) :
			e->template_data_len;
		ima_putc(m, &template_data_len, sizeof(e->template_data_len));
	}

	/* 6th: template-specific field data, one field_show() per field */
	for (i = 0; i < desc->num_fields; i++) {
		const struct ima_template_field *field = desc->fields[i];
		enum ima_show_type show = IMA_SHOW_BINARY;

		/* the 'ima' template keeps its historical field encodings */
		if (is_ima_template) {
			if (strcmp(field->field_id, "d") == 0)
				show = IMA_SHOW_BINARY_NO_FIELD_LEN;
			else if (strcmp(field->field_id, "n") == 0)
				show = IMA_SHOW_BINARY_OLD_STRING_FMT;
		}
		field->field_show(m, show, &e->template_data[i]);
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188)
/*
 * seq_operations for the binary measurement list.  (The identifier keeps its
 * historical spelling; ima_measurements_open() refers to it by this name.)
 */
static const struct seq_operations ima_measurments_seqops = {
	.show	= ima_measurements_show,
	.start	= ima_measurements_start,
	.next	= ima_measurements_next,
	.stop	= ima_measurements_stop,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195)
/* open() for securityfs "binary_runtime_measurements": attach the seq_file. */
static int ima_measurements_open(struct inode *inode, struct file *file)
{
	const struct seq_operations *ops = &ima_measurments_seqops;

	return seq_open(file, ops);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200)
/* file_operations for securityfs "binary_runtime_measurements" (seq_file) */
static const struct file_operations ima_measurements_ops = {
	.open		= ima_measurements_open,
	.release	= seq_release,
	.read		= seq_read,
	.llseek		= seq_lseek,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207)
/* Print @size bytes of @digest as lower-case hex, two characters per byte. */
void ima_print_digest(struct seq_file *m, u8 *digest, u32 size)
{
	const u8 *end = digest + size;

	while (digest < end)
		seq_printf(m, "%02x", *digest++);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215)
/*
 * seq_file show() for the ASCII measurement list.  One line per entry:
 * PCR index, hex template digest, template name, then one space-separated
 * column per template field (empty fields print as an empty column).
 */
static int ima_ascii_measurements_show(struct seq_file *m, void *v)
{
	/* entries are never removed, so reading one needs no lock */
	struct ima_queue_entry *qe = v;
	struct ima_template_entry *e = qe->entry;
	struct ima_template_desc *desc;
	const char *template_name;
	int i;

	if (!e)
		return -1;

	desc = e->template_desc;
	template_name = desc->name[0] ? desc->name : desc->fmt;

	/* 1st: PCR index */
	seq_printf(m, "%2d ", e->pcr);

	/* 2nd: template digest (SHA1 slot), as hex */
	ima_print_digest(m, e->digests[ima_sha1_idx].digest, TPM_DIGEST_SIZE);

	/* 3rd: template name */
	seq_printf(m, " %s", template_name);

	/* 4th: template-specific fields */
	for (i = 0; i < desc->num_fields; i++) {
		seq_puts(m, " ");
		if (e->template_data[i].len == 0)
			continue;

		desc->fields[i]->field_show(m, IMA_SHOW_ASCII,
					    &e->template_data[i]);
	}
	seq_puts(m, "\n");

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254)
/* seq_operations for the ASCII measurement list; iteration is shared with the binary one */
static const struct seq_operations ima_ascii_measurements_seqops = {
	.show	= ima_ascii_measurements_show,
	.start	= ima_measurements_start,
	.next	= ima_measurements_next,
	.stop	= ima_measurements_stop,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261)
/* open() for securityfs "ascii_runtime_measurements": attach the seq_file. */
static int ima_ascii_measurements_open(struct inode *inode, struct file *file)
{
	const struct seq_operations *ops = &ima_ascii_measurements_seqops;

	return seq_open(file, ops);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266)
/* file_operations for securityfs "ascii_runtime_measurements" (seq_file) */
static const struct file_operations ima_ascii_measurements_ops = {
	.open		= ima_ascii_measurements_open,
	.release	= seq_release,
	.read		= seq_read,
	.llseek		= seq_lseek,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273)
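/*
 * Load policy rules from the file named by @path (an absolute path that was
 * written to the securityfs policy file) and feed them to the rule parser.
 *
 * @path is modified in place: a trailing newline is cut off before the file
 * is opened.  The file is read with READING_POLICY so the kernel_read_file
 * hooks (IMA's own appraisal of the policy file included) can identify and
 * check it before its content is trusted.
 *
 * NOTE(review): the buffer returned by kernel_read_file_from_path() is not
 * guaranteed NUL-terminated here; the @size bookkeeping keeps the strsep()
 * walk inside the buffer only when the file ends with a newline — confirm
 * that a policy file lacking a final newline is rejected rather than scanned
 * past its end.
 *
 * Returns the length of the path as originally written (so the caller's
 * write() is reported fully consumed), a negative errno from the read or the
 * rule parser, or -EINVAL when the file content was not consumed entirely.
 */
static ssize_t ima_read_policy(char *path)
{
	void *data = NULL;
	char *datap, *rule;
	size_t size;
	int rc;
	int pathlen = strlen(path);

	/* strip the newline that normally terminates a write() of the path */
	datap = path;
	strsep(&datap, "\n");

	rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL,
					READING_POLICY);
	if (rc < 0) {
		pr_err("Unable to open file: %s (%d)\n", path, rc);
		return rc;
	}
	size = rc;
	rc = 0;

	/*
	 * Consume the buffer one line at a time.  ima_parse_add_rule() reports
	 * how many bytes of the line it consumed; @size has to reach exactly
	 * zero for the load to count as complete.
	 */
	datap = data;
	while (size > 0 && (rule = strsep(&datap, "\n"))) {
		pr_debug("rule: %s\n", rule);
		rc = ima_parse_add_rule(rule);
		if (rc < 0)
			break;
		/*
		 * The parser consumed more than was left (a malformed tail,
		 * e.g. a last line without its newline): fail explicitly
		 * instead of letting the unsigned byte count wrap around.
		 */
		if ((size_t)rc > size) {
			rc = -EINVAL;
			break;
		}
		size -= rc;
	}

	vfree(data);
	if (rc < 0)
		return rc;
	if (size)
		return -EINVAL;
	return pathlen;
}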
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313)
/*
 * write() handler for the securityfs "policy" file.
 *
 * Each write carries either one rule or an absolute path (leading '/') of a
 * policy file to load instead.  Writes are serialised by ima_write_mutex and
 * must start at offset zero (no partial or resumed writes).  The user buffer
 * is copied with memdup_user_nul(), so at most PAGE_SIZE - 1 bytes are taken
 * and the copy is NUL-terminated before any string handling.  When
 * IMA_APPRAISE_POLICY is in force, inline rules are refused with -EACCES and
 * the refusal is audited: only a signed policy file may then be loaded.  Any
 * failure also marks the in-progress policy invalid so ima_release_policy()
 * discards it.
 *
 * Returns the byte count reported by the loader (ima_read_policy() returns
 * the path length) or a negative errno.
 */
static ssize_t ima_write_policy(struct file *file, const char __user *buf,
				size_t datalen, loff_t *ppos)
{
	char *data;
	ssize_t result = -EINVAL;

	/* No partial writes. */
	if (*ppos != 0)
		goto out;

	if (datalen >= PAGE_SIZE)
		datalen = PAGE_SIZE - 1;

	data = memdup_user_nul(buf, datalen);
	if (IS_ERR(data)) {
		result = PTR_ERR(data);
		goto out;
	}

	result = mutex_lock_interruptible(&ima_write_mutex);
	if (result < 0)
		goto out_free;

	if (data[0] == '/') {
		result = ima_read_policy(data);
	} else if (ima_appraise & IMA_APPRAISE_POLICY) {
		pr_err("signed policy file (specified as an absolute pathname) required\n");
		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
				    "policy_update", "signed policy required",
				    1, 0);
		result = -EACCES;
	} else {
		result = ima_parse_add_rule(data);
	}
	mutex_unlock(&ima_write_mutex);
out_free:
	kfree(data);
out:
	if (result < 0)
		valid_policy = 0;

	return result;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358)
/* securityfs dentries created by ima_fs_init(); NULL until then */
static struct dentry *ima_dir;
static struct dentry *ima_symlink;
static struct dentry *binary_runtime_measurements;
static struct dentry *ascii_runtime_measurements;
static struct dentry *runtime_measurements_count;
static struct dentry *violations;
static struct dentry *ima_policy;

/* bit numbers within ima_fs_flags */
enum ima_fs_flags {
	IMA_FS_BUSY = 0,	/* the policy file is open for writing */
};

static unsigned long ima_fs_flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372)
#ifdef CONFIG_IMA_READ_POLICY
/* seq_operations for reading the policy back; the callbacks are defined outside this file */
static const struct seq_operations ima_policy_seqops = {
	.show	= ima_policy_show,
	.start	= ima_policy_start,
	.next	= ima_policy_next,
	.stop	= ima_policy_stop,
};
#endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381)
/*
 * open() for the securityfs "policy" file: sequentialize access to it.
 *
 * Write opens are exclusive: the IMA_FS_BUSY bit is taken here, so a second
 * concurrent writer gets -EBUSY; ima_release_policy() clears it again on a
 * failed update or, with CONFIG_IMA_WRITE_POLICY, after a successful one.
 * Read opens are only possible with CONFIG_IMA_READ_POLICY, must be strictly
 * O_RDONLY and require CAP_SYS_ADMIN; without that option every non-write
 * open fails with -EACCES.  (On Linux O_RDWR does not carry the O_WRONLY bit,
 * so it takes the read path and is refused by the O_ACCMODE test.)
 */
static int ima_open_policy(struct inode *inode, struct file *filp)
{
	if (filp->f_flags & O_WRONLY) {
		if (test_and_set_bit(IMA_FS_BUSY, &ima_fs_flags))
			return -EBUSY;
		return 0;
	}

#ifdef CONFIG_IMA_READ_POLICY
	if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
		return -EACCES;
	if (!capable(CAP_SYS_ADMIN))
		return -EPERM;
	return seq_open(filp, &ima_policy_seqops);
#else
	return -EACCES;
#endif
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402)
/*
 * release() for the securityfs "policy" file: commit or discard the rules
 * written during this open.
 *
 * A read-only open just tears down its seq_file.  For a writer, the rules
 * collected so far are validated with ima_check_policy() unless an earlier
 * write already marked them invalid; the outcome is logged and audited.  An
 * invalid policy is thrown away with ima_delete_rules() and the file is
 * handed back to the next writer.  A valid one becomes the active policy via
 * ima_update_policy(); afterwards, depending on configuration, the policy
 * file is removed entirely (single-shot load), left open for further updates
 * (CONFIG_IMA_WRITE_POLICY), or stripped of its owner write bit
 * (CONFIG_IMA_READ_POLICY alone).
 */
static int ima_release_policy(struct inode *inode, struct file *file)
{
	const char *cause;

	if ((file->f_flags & O_ACCMODE) == O_RDONLY)
		return seq_release(inode, file);

	if (valid_policy && ima_check_policy() < 0)
		valid_policy = 0;
	cause = valid_policy ? "completed" : "failed";

	pr_info("policy update %s\n", cause);
	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
			    "policy_update", cause, !valid_policy, 0);

	if (!valid_policy) {
		ima_delete_rules();
		valid_policy = 1;
		clear_bit(IMA_FS_BUSY, &ima_fs_flags);
		return 0;
	}

	ima_update_policy();
#if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
	securityfs_remove(ima_policy);
	ima_policy = NULL;
#elif defined(CONFIG_IMA_WRITE_POLICY)
	clear_bit(IMA_FS_BUSY, &ima_fs_flags);
#elif defined(CONFIG_IMA_READ_POLICY)
	inode->i_mode &= ~S_IWUSR;
#endif
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444)
/* file_operations for securityfs "policy": write to load rules, read (if enabled) via seq_file */
static const struct file_operations ima_measure_policy_ops = {
	.open		= ima_open_policy,
	.release	= ima_release_policy,
	.write		= ima_write_policy,
	.read		= seq_read,
	.llseek		= generic_file_llseek,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452)
/*
 * Create a read-only (S_IRUSR | S_IRGRP) securityfs file under ima_dir.
 * Returns the dentry, or the ERR_PTR() from securityfs_create_file().
 */
static struct dentry *__init ima_fs_create_ro_file(const char *name,
						   const struct file_operations *fops)
{
	return securityfs_create_file(name, S_IRUSR | S_IRGRP, ima_dir, NULL,
				      fops);
}

/*
 * Populate securityfs: integrity/ima/{binary,ascii}_runtime_measurements,
 * runtime_measurements_count, violations and policy, plus a top-level "ima"
 * symlink pointing at integrity/ima.
 *
 * The measurement-list and counter files are owner/group readable only; the
 * policy file uses POLICY_FILE_FLAGS.  On any failure everything created so
 * far is removed (securityfs_remove() ignores NULL and error pointers) and
 * -1 is returned — note that this is not an errno value.
 */
int __init ima_fs_init(void)
{
	ima_dir = securityfs_create_dir("ima", integrity_dir);
	if (IS_ERR(ima_dir))
		return -1;

	ima_symlink = securityfs_create_symlink("ima", NULL, "integrity/ima",
						NULL);
	if (IS_ERR(ima_symlink))
		goto fail;

	binary_runtime_measurements =
		ima_fs_create_ro_file("binary_runtime_measurements",
				      &ima_measurements_ops);
	if (IS_ERR(binary_runtime_measurements))
		goto fail;

	ascii_runtime_measurements =
		ima_fs_create_ro_file("ascii_runtime_measurements",
				      &ima_ascii_measurements_ops);
	if (IS_ERR(ascii_runtime_measurements))
		goto fail;

	runtime_measurements_count =
		ima_fs_create_ro_file("runtime_measurements_count",
				      &ima_measurements_count_ops);
	if (IS_ERR(runtime_measurements_count))
		goto fail;

	violations = ima_fs_create_ro_file("violations",
					   &ima_htable_violations_ops);
	if (IS_ERR(violations))
		goto fail;

	ima_policy = securityfs_create_file("policy", POLICY_FILE_FLAGS,
					    ima_dir, NULL,
					    &ima_measure_policy_ops);
	if (IS_ERR(ima_policy))
		goto fail;

	return 0;

fail:
	/* tear down in reverse creation order; slots never reached are NULL */
	securityfs_remove(ima_policy);
	securityfs_remove(violations);
	securityfs_remove(runtime_measurements_count);
	securityfs_remove(ascii_runtime_measurements);
	securityfs_remove(binary_runtime_measurements);
	securityfs_remove(ima_symlink);
	securityfs_remove(ima_dir);
	return -1;
}