aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity/ima/ima.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/integrity/ima/ima.h')
-rw-r--r--security/integrity/ima/ima.h106
1 files changed, 85 insertions, 21 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index b3dd616560f7..0356e1d437ca 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -26,7 +26,8 @@
26 26
27#include "../integrity.h" 27#include "../integrity.h"
28 28
29enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_ASCII }; 29enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
30 IMA_SHOW_ASCII };
30enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; 31enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
31 32
32/* digest size for IMA, fits SHA1 or MD5 */ 33/* digest size for IMA, fits SHA1 or MD5 */
@@ -36,23 +37,48 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
36#define IMA_HASH_BITS 9 37#define IMA_HASH_BITS 9
37#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS) 38#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
38 39
40#define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16
41#define IMA_TEMPLATE_NUM_FIELDS_MAX 15
42
43#define IMA_TEMPLATE_IMA_NAME "ima"
44#define IMA_TEMPLATE_IMA_FMT "d|n"
45
39/* set during initialization */ 46/* set during initialization */
40extern int ima_initialized; 47extern int ima_initialized;
41extern int ima_used_chip; 48extern int ima_used_chip;
42extern char *ima_hash; 49extern int ima_hash_algo;
43extern int ima_appraise; 50extern int ima_appraise;
44 51
45/* IMA inode template definition */ 52/* IMA template field data definition */
46struct ima_template_data { 53struct ima_field_data {
47 u8 digest[IMA_DIGEST_SIZE]; /* sha1/md5 measurement hash */ 54 u8 *data;
48 char file_name[IMA_EVENT_NAME_LEN_MAX + 1]; /* name + \0 */ 55 u32 len;
56};
57
58/* IMA template field definition */
59struct ima_template_field {
60 const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
61 int (*field_init) (struct integrity_iint_cache *iint, struct file *file,
62 const unsigned char *filename,
63 struct evm_ima_xattr_data *xattr_value,
64 int xattr_len, struct ima_field_data *field_data);
65 void (*field_show) (struct seq_file *m, enum ima_show_type show,
66 struct ima_field_data *field_data);
67};
68
69/* IMA template descriptor definition */
70struct ima_template_desc {
71 char *name;
72 char *fmt;
73 int num_fields;
74 struct ima_template_field **fields;
49}; 75};
50 76
51struct ima_template_entry { 77struct ima_template_entry {
52 u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */ 78 u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
53 const char *template_name; 79 struct ima_template_desc *template_desc; /* template descriptor */
54 int template_len; 80 u32 template_data_len;
55 struct ima_template_data template; 81 struct ima_field_data template_data[0]; /* template related data */
56}; 82};
57 83
58struct ima_queue_entry { 84struct ima_queue_entry {
@@ -69,13 +95,22 @@ int ima_fs_init(void);
69void ima_fs_cleanup(void); 95void ima_fs_cleanup(void);
70int ima_inode_alloc(struct inode *inode); 96int ima_inode_alloc(struct inode *inode);
71int ima_add_template_entry(struct ima_template_entry *entry, int violation, 97int ima_add_template_entry(struct ima_template_entry *entry, int violation,
72 const char *op, struct inode *inode); 98 const char *op, struct inode *inode,
73int ima_calc_file_hash(struct file *file, char *digest); 99 const unsigned char *filename);
74int ima_calc_buffer_hash(const void *data, int len, char *digest); 100int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
75int ima_calc_boot_aggregate(char *digest); 101int ima_calc_field_array_hash(struct ima_field_data *field_data,
76void ima_add_violation(struct inode *inode, const unsigned char *filename, 102 struct ima_template_desc *desc, int num_fields,
103 struct ima_digest_data *hash);
104int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
105void ima_add_violation(struct file *file, const unsigned char *filename,
77 const char *op, const char *cause); 106 const char *op, const char *cause);
78int ima_init_crypto(void); 107int ima_init_crypto(void);
108void ima_putc(struct seq_file *m, void *data, int datalen);
109void ima_print_digest(struct seq_file *m, u8 *digest, int size);
110struct ima_template_desc *ima_template_desc_current(void);
111int ima_init_template(void);
112
113int ima_init_template(void);
79 114
80/* 115/*
81 * used to protect h_table and sha_table 116 * used to protect h_table and sha_table
@@ -98,14 +133,22 @@ static inline unsigned long ima_hash_key(u8 *digest)
98int ima_get_action(struct inode *inode, int mask, int function); 133int ima_get_action(struct inode *inode, int mask, int function);
99int ima_must_measure(struct inode *inode, int mask, int function); 134int ima_must_measure(struct inode *inode, int mask, int function);
100int ima_collect_measurement(struct integrity_iint_cache *iint, 135int ima_collect_measurement(struct integrity_iint_cache *iint,
101 struct file *file); 136 struct file *file,
137 struct evm_ima_xattr_data **xattr_value,
138 int *xattr_len);
102void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 139void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
103 const unsigned char *filename); 140 const unsigned char *filename,
141 struct evm_ima_xattr_data *xattr_value,
142 int xattr_len);
104void ima_audit_measurement(struct integrity_iint_cache *iint, 143void ima_audit_measurement(struct integrity_iint_cache *iint,
105 const unsigned char *filename); 144 const unsigned char *filename);
145int ima_alloc_init_template(struct integrity_iint_cache *iint,
146 struct file *file, const unsigned char *filename,
147 struct evm_ima_xattr_data *xattr_value,
148 int xattr_len, struct ima_template_entry **entry);
106int ima_store_template(struct ima_template_entry *entry, int violation, 149int ima_store_template(struct ima_template_entry *entry, int violation,
107 struct inode *inode); 150 struct inode *inode, const unsigned char *filename);
108void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show); 151void ima_free_template_entry(struct ima_template_entry *entry);
109const char *ima_d_path(struct path *path, char **pathbuf); 152const char *ima_d_path(struct path *path, char **pathbuf);
110 153
111/* rbtree tree calls to lookup, insert, delete 154/* rbtree tree calls to lookup, insert, delete
@@ -131,17 +174,25 @@ void ima_delete_rules(void);
131 174
132#ifdef CONFIG_IMA_APPRAISE 175#ifdef CONFIG_IMA_APPRAISE
133int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, 176int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
134 struct file *file, const unsigned char *filename); 177 struct file *file, const unsigned char *filename,
178 struct evm_ima_xattr_data *xattr_value,
179 int xattr_len);
135int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); 180int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
136void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); 181void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
137enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 182enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
138 int func); 183 int func);
184void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
185 struct ima_digest_data *hash);
186int ima_read_xattr(struct dentry *dentry,
187 struct evm_ima_xattr_data **xattr_value);
139 188
140#else 189#else
141static inline int ima_appraise_measurement(int func, 190static inline int ima_appraise_measurement(int func,
142 struct integrity_iint_cache *iint, 191 struct integrity_iint_cache *iint,
143 struct file *file, 192 struct file *file,
144 const unsigned char *filename) 193 const unsigned char *filename,
194 struct evm_ima_xattr_data *xattr_value,
195 int xattr_len)
145{ 196{
146 return INTEGRITY_UNKNOWN; 197 return INTEGRITY_UNKNOWN;
147} 198}
@@ -162,6 +213,19 @@ static inline enum integrity_status ima_get_cache_status(struct integrity_iint_c
162{ 213{
163 return INTEGRITY_UNKNOWN; 214 return INTEGRITY_UNKNOWN;
164} 215}
216
217static inline void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
218 int xattr_len,
219 struct ima_digest_data *hash)
220{
221}
222
223static inline int ima_read_xattr(struct dentry *dentry,
224 struct evm_ima_xattr_data **xattr_value)
225{
226 return 0;
227}
228
165#endif 229#endif
166 230
167/* LSM based policy rules require audit */ 231/* LSM based policy rules require audit */
generated by cgit v1.2.2 (git 2.25.0) at 2026-05-29 12:06:17 -0400