integrity: IMA as an integrity service provider

IMA provides hardware (TPM) based measurement and attestation for
file measurements. As the Trusted Computing (TPM) model requires,
IMA measures all files before they are accessed in any way (on the
integrity_bprm_check, integrity_path_check and integrity_file_mmap
hooks), and commits the measurements to the TPM. Once added to the
TPM, measurements can not be removed.

In addition, IMA maintains a list of these file measurements, which
can be used to validate the aggregate value stored in the TPM.  The
TPM can sign these measurements, and thus the system can prove, to
itself and to a third party, the system's integrity in a way that
cannot be circumvented by malicious or compromised software.

- alloc ima_template_entry before calling ima_store_template()
- log ima_add_boot_aggregate() failure
- removed unused IMA_TEMPLATE_NAME_LEN
- replaced hard coded string length with #define name

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 126 insertions, 0 deletions

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
new file mode 100644
index 000000000000..7c3d1ffb1472
--- /dev/null
+++ b/security/integrity/ima/ima_policy.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2008 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ *
+ * ima_policy.c
+ *      - initialize default measure policy rules
+ *
+ */
+#include <linux/module.h>
+#include <linux/list.h>
+#include <linux/audit.h>
+#include <linux/security.h>
+#include <linux/magic.h>
+
+#include "ima.h"
+
+/* flags definitions */
+#define IMA_FUNC        0x0001
+#define IMA_MASK        0x0002
+#define IMA_FSMAGIC     0x0004
+#define IMA_UID         0x0008
+
+enum ima_action { DONT_MEASURE, MEASURE };
+
+struct ima_measure_rule_entry {
+        struct list_head list;
+        enum ima_action action;
+        unsigned int flags;
+        enum ima_hooks func;
+        int mask;
+        unsigned long fsmagic;
+        uid_t uid;
+};
+
+static struct ima_measure_rule_entry default_rules[] = {
+        {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,
+         .flags = IMA_FSMAGIC},
+        {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,
+         .flags = IMA_FSMAGIC},
+        {.action = DONT_MEASURE,.fsmagic = 0xF97CFF8C,.flags = IMA_FSMAGIC},
+        {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
+         .flags = IMA_FUNC | IMA_MASK},
+        {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
+         .flags = IMA_FUNC | IMA_MASK},
+        {.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
+         .flags = IMA_FUNC | IMA_MASK | IMA_UID}
+};
+
+static LIST_HEAD(measure_default_rules);
+static struct list_head *ima_measure;
+
+/**
+ * ima_match_rules - determine whether an inode matches the measure rule.
+ * @rule: a pointer to a rule
+ * @inode: a pointer to an inode
+ * @func: LIM hook identifier
+ * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
+ *
+ * Returns true on rule match, false on failure.
+ */
+static bool ima_match_rules(struct ima_measure_rule_entry *rule,
+                            struct inode *inode, enum ima_hooks func, int mask)
+{
+        struct task_struct *tsk = current;
+
+        if ((rule->flags & IMA_FUNC) && rule->func != func)
+                return false;
+        if ((rule->flags & IMA_MASK) && rule->mask != mask)
+                return false;
+        if ((rule->flags & IMA_FSMAGIC)
+            && rule->fsmagic != inode->i_sb->s_magic)
+                return false;
+        if ((rule->flags & IMA_UID) && rule->uid != tsk->cred->uid)
+                return false;
+        return true;
+}
+
+/**
+ * ima_match_policy - decision based on LSM and other conditions
+ * @inode: pointer to an inode for which the policy decision is being made
+ * @func: IMA hook identifier
+ * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
+ *
+ * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
+ * conditions.
+ *
+ * (There is no need for locking when walking the policy list,
+ * as elements in the list are never deleted, nor does the list
+ * change.)
+ */
+int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
+{
+        struct ima_measure_rule_entry *entry;
+
+        list_for_each_entry(entry, ima_measure, list) {
+                bool rc;
+
+                rc = ima_match_rules(entry, inode, func, mask);
+                if (rc)
+                        return entry->action;
+        }
+        return 0;
+}
+
+/**
+ * ima_init_policy - initialize the default measure rules.
+ *
+ * (Could use the default_rules directly, but in policy patch
+ * ima_measure points to either the measure_default_rules or the
+ * the new measure_policy_rules.)
+ */
+void ima_init_policy(void)
+{
+        int i;
+
+        for (i = 0; i < ARRAY_SIZE(default_rules); i++)
+                list_add_tail(&default_rules[i].list, &measure_default_rules);
+        ima_measure = &measure_default_rules;
+}