security/integrity/integrity.h at v4.19-rc3

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / security / integrity / integrity.h
at v4.19-rc3 224 lines 6.0 kB view raw
wrap content
  1/*
  2 * Copyright (C) 2009-2010 IBM Corporation
  3 *
  4 * Authors:
  5 * Mimi Zohar <zohar@us.ibm.com>
  6 *
  7 * This program is free software; you can redistribute it and/or
  8 * modify it under the terms of the GNU General Public License as
  9 * published by the Free Software Foundation, version 2 of the
 10 * License.
 11 *
 12 */
 13
 14#include <linux/types.h>
 15#include <linux/integrity.h>
 16#include <crypto/sha.h>
 17#include <linux/key.h>
 18#include <linux/audit.h>
 19
 20/* iint action cache flags */
 21#define IMA_MEASURE		0x00000001
 22#define IMA_MEASURED		0x00000002
 23#define IMA_APPRAISE		0x00000004
 24#define IMA_APPRAISED		0x00000008
 25/*#define IMA_COLLECT		0x00000010  do not use this flag */
 26#define IMA_COLLECTED		0x00000020
 27#define IMA_AUDIT		0x00000040
 28#define IMA_AUDITED		0x00000080
 29#define IMA_HASH		0x00000100
 30#define IMA_HASHED		0x00000200
 31
 32/* iint cache flags */
 33#define IMA_ACTION_FLAGS	0xff000000
 34#define IMA_DIGSIG_REQUIRED	0x01000000
 35#define IMA_PERMIT_DIRECTIO	0x02000000
 36#define IMA_NEW_FILE		0x04000000
 37#define EVM_IMMUTABLE_DIGSIG	0x08000000
 38#define IMA_FAIL_UNVERIFIABLE_SIGS	0x10000000
 39
 40#define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
 41				 IMA_HASH | IMA_APPRAISE_SUBMASK)
 42#define IMA_DONE_MASK		(IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \
 43				 IMA_HASHED | IMA_COLLECTED | \
 44				 IMA_APPRAISED_SUBMASK)
 45
 46/* iint subaction appraise cache flags */
 47#define IMA_FILE_APPRAISE	0x00001000
 48#define IMA_FILE_APPRAISED	0x00002000
 49#define IMA_MMAP_APPRAISE	0x00004000
 50#define IMA_MMAP_APPRAISED	0x00008000
 51#define IMA_BPRM_APPRAISE	0x00010000
 52#define IMA_BPRM_APPRAISED	0x00020000
 53#define IMA_READ_APPRAISE	0x00040000
 54#define IMA_READ_APPRAISED	0x00080000
 55#define IMA_CREDS_APPRAISE	0x00100000
 56#define IMA_CREDS_APPRAISED	0x00200000
 57#define IMA_APPRAISE_SUBMASK	(IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
 58				 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \
 59				 IMA_CREDS_APPRAISE)
 60#define IMA_APPRAISED_SUBMASK	(IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
 61				 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \
 62				 IMA_CREDS_APPRAISED)
 63
 64/* iint cache atomic_flags */
 65#define IMA_CHANGE_XATTR	0
 66#define IMA_UPDATE_XATTR	1
 67#define IMA_CHANGE_ATTR		2
 68#define IMA_DIGSIG		3
 69#define IMA_MUST_MEASURE	4
 70
 71enum evm_ima_xattr_type {
 72	IMA_XATTR_DIGEST = 0x01,
 73	EVM_XATTR_HMAC,
 74	EVM_IMA_XATTR_DIGSIG,
 75	IMA_XATTR_DIGEST_NG,
 76	EVM_XATTR_PORTABLE_DIGSIG,
 77	IMA_XATTR_LAST
 78};
 79
 80struct evm_ima_xattr_data {
 81	u8 type;
 82	u8 digest[SHA1_DIGEST_SIZE];
 83} __packed;
 84
 85#define IMA_MAX_DIGEST_SIZE	64
 86
 87struct ima_digest_data {
 88	u8 algo;
 89	u8 length;
 90	union {
 91		struct {
 92			u8 unused;
 93			u8 type;
 94		} sha1;
 95		struct {
 96			u8 type;
 97			u8 algo;
 98		} ng;
 99		u8 data[2];
100	} xattr;
101	u8 digest[0];
102} __packed;
103
104/*
105 * signature format v2 - for using with asymmetric keys
106 */
107struct signature_v2_hdr {
108	uint8_t type;		/* xattr type */
109	uint8_t version;	/* signature format version */
110	uint8_t	hash_algo;	/* Digest algorithm [enum hash_algo] */
111	__be32 keyid;		/* IMA key identifier - not X509/PGP specific */
112	__be16 sig_size;	/* signature size */
113	uint8_t sig[0];		/* signature payload */
114} __packed;
115
116/* integrity data associated with an inode */
117struct integrity_iint_cache {
118	struct rb_node rb_node;	/* rooted in integrity_iint_tree */
119	struct mutex mutex;	/* protects: version, flags, digest */
120	struct inode *inode;	/* back pointer to inode in question */
121	u64 version;		/* track inode changes */
122	unsigned long flags;
123	unsigned long measured_pcrs;
124	unsigned long atomic_flags;
125	enum integrity_status ima_file_status:4;
126	enum integrity_status ima_mmap_status:4;
127	enum integrity_status ima_bprm_status:4;
128	enum integrity_status ima_read_status:4;
129	enum integrity_status ima_creds_status:4;
130	enum integrity_status evm_status:4;
131	struct ima_digest_data *ima_hash;
132};
133
134/* rbtree tree calls to lookup, insert, delete
135 * integrity data associated with an inode.
136 */
137struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
138
139int integrity_kernel_read(struct file *file, loff_t offset,
140			  void *addr, unsigned long count);
141
142#define INTEGRITY_KEYRING_EVM		0
143#define INTEGRITY_KEYRING_IMA		1
144#define INTEGRITY_KEYRING_MODULE	2
145#define INTEGRITY_KEYRING_MAX		3
146
147extern struct dentry *integrity_dir;
148
149#ifdef CONFIG_INTEGRITY_SIGNATURE
150
151int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
152			    const char *digest, int digestlen);
153
154int __init integrity_init_keyring(const unsigned int id);
155int __init integrity_load_x509(const unsigned int id, const char *path);
156#else
157
158static inline int integrity_digsig_verify(const unsigned int id,
159					  const char *sig, int siglen,
160					  const char *digest, int digestlen)
161{
162	return -EOPNOTSUPP;
163}
164
165static inline int integrity_init_keyring(const unsigned int id)
166{
167	return 0;
168}
169#endif /* CONFIG_INTEGRITY_SIGNATURE */
170
171#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
172int asymmetric_verify(struct key *keyring, const char *sig,
173		      int siglen, const char *data, int datalen);
174#else
175static inline int asymmetric_verify(struct key *keyring, const char *sig,
176				    int siglen, const char *data, int datalen)
177{
178	return -EOPNOTSUPP;
179}
180#endif
181
182#ifdef CONFIG_IMA_LOAD_X509
183void __init ima_load_x509(void);
184#else
185static inline void ima_load_x509(void)
186{
187}
188#endif
189
190#ifdef CONFIG_EVM_LOAD_X509
191void __init evm_load_x509(void);
192#else
193static inline void evm_load_x509(void)
194{
195}
196#endif
197
198#ifdef CONFIG_INTEGRITY_AUDIT
199/* declarations */
200void integrity_audit_msg(int audit_msgno, struct inode *inode,
201			 const unsigned char *fname, const char *op,
202			 const char *cause, int result, int info);
203
204static inline struct audit_buffer *
205integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
206{
207	return audit_log_start(ctx, gfp_mask, type);
208}
209
210#else
211static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
212				       const unsigned char *fname,
213				       const char *op, const char *cause,
214				       int result, int info)
215{
216}
217
218static inline struct audit_buffer *
219integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
220{
221	return NULL;
222}
223
224#endif
Configure Feed

Configure Feed
