Lines Matching full:file
13 * File: ima_main.c
19 #include <linux/file.h>
79 /* Prevent mmap'ing a file execute that is already mmap'ed write */
80 static int mmap_violation_check(enum ima_hooks func, struct file *file, in mmap_violation_check() argument
87 if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) { in mmap_violation_check()
89 inode = file_inode(file); in mmap_violation_check()
92 *pathname = ima_d_path(&file->f_path, pathbuf, in mmap_violation_check()
104 * - Opening a file for write when already open for read,
106 * - Opening a file for read when already open for write,
107 * could result in a file measurement error.
110 static void ima_rdwr_violation_check(struct file *file, in ima_rdwr_violation_check() argument
117 struct inode *inode = file_inode(file); in ima_rdwr_violation_check()
118 fmode_t mode = file->f_mode; in ima_rdwr_violation_check()
140 *pathname = ima_d_path(&file->f_path, pathbuf, filename); in ima_rdwr_violation_check()
143 ima_add_violation(file, *pathname, iint, in ima_rdwr_violation_check()
146 ima_add_violation(file, *pathname, iint, in ima_rdwr_violation_check()
151 struct inode *inode, struct file *file) in ima_check_last_writer() argument
153 fmode_t mode = file->f_mode; in ima_check_last_writer()
169 ima_update_xattr(iint, file); in ima_check_last_writer()
177 * @file: pointer to file structure being freed
181 void ima_file_free(struct file *file) in ima_file_free() argument
183 struct inode *inode = file_inode(file); in ima_file_free()
193 ima_check_last_writer(iint, inode, file); in ima_file_free()
196 static int process_measurement(struct file *file, const struct cred *cred, in process_measurement() argument
200 struct inode *inode = file_inode(file); in process_measurement()
243 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, in process_measurement()
262 * Re-evaluate the file if either the xattr has changed or the in process_measurement()
263 * kernel has no way of detecting file change on the filesystem. in process_measurement()
289 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); in process_measurement()
301 rc = mmap_violation_check(func, file, &pathbuf, in process_measurement()
312 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); in process_measurement()
317 * template format and whether the file was already measured. in process_measurement()
330 rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig); in process_measurement()
335 pathname = ima_d_path(&file->f_path, &pathbuf, filename); in process_measurement()
338 ima_store_measurement(iint, file, pathname, in process_measurement()
345 rc = ima_appraise_measurement(func, iint, file, in process_measurement()
351 rc = mmap_violation_check(func, file, &pathbuf, in process_measurement()
357 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO)) in process_measurement()
372 if (file->f_mode & FMODE_WRITE) in process_measurement()
380 * @file: pointer to the file to be measured (May be NULL)
386 * On success return 0. On integrity appraisal error, assuming the file
389 int ima_file_mmap(struct file *file, unsigned long prot) in ima_file_mmap() argument
393 if (file && (prot & PROT_EXEC)) { in ima_file_mmap()
395 return process_measurement(file, current_cred(), secid, NULL, in ima_file_mmap()
417 struct file *file = vma->vm_file; in ima_file_mprotect() local
427 /* Is mprotect making an mmap'ed file executable? */ in ima_file_mprotect()
437 /* Is the mmap'ed file in policy? */ in ima_file_mprotect()
444 file = vma->vm_file; in ima_file_mprotect()
445 pathname = ima_d_path(&file->f_path, &pathbuf, filename); in ima_file_mprotect()
458 * The OS protects against an executable file, already open for write,
459 * from being executed in deny_write_access() and an executable file,
464 * On success return 0. On integrity appraisal error, assuming the file
473 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, in ima_bprm_check()
479 return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, in ima_bprm_check()
485 * @file: pointer to the file to be measured
490 * On success return 0. On integrity appraisal error, assuming the file
493 int ima_file_check(struct file *file, int mask) in ima_file_check() argument
498 return process_measurement(file, current_cred(), secid, NULL, 0, in ima_file_check()
505 * ima_file_hash - return the stored measurement if a file has been hashed and
507 * @file: pointer to the file
516 * The file hash returned is based on the entire file, including the appended
522 int ima_file_hash(struct file *file, char *buf, size_t buf_size) in ima_file_hash() argument
528 if (!file) in ima_file_hash()
534 inode = file_inode(file); in ima_file_hash()
565 * @file : newly created tmpfile
595 * file data can be written later.
618 * @file: pointer to the file to be measured/appraised/audit
622 * Permit reading a file based on policy. The policy rules are written
624 * a file requires a file descriptor.
628 int ima_read_file(struct file *file, enum kernel_read_file_id read_id, in ima_read_file() argument
650 /* Read entire file for all partial reads. */ in ima_read_file()
653 return process_measurement(file, current_cred(), secid, NULL, in ima_read_file()
667 * @file: pointer to the file to be measured/appraised/audit
668 * @buf: pointer to in memory file contents
669 * @size: size of in memory file contents
672 * Measure/appraise/audit in memory file based on policy. Policy rules
675 * On success return 0. On integrity appraisal error, assuming the file
678 int ima_post_read_file(struct file *file, void *buf, loff_t size, in ima_post_read_file() argument
685 if (!file && read_id == READING_X509_CERTIFICATE) in ima_post_read_file()
688 if (!file || !buf || size == 0) { /* should never happen */ in ima_post_read_file()
696 return process_measurement(file, current_cred(), secid, buf, size, in ima_post_read_file()
707 * data provided by userspace. Enforce policy rules requiring a file
723 …pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load… in ima_load_data()
728 …pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load… in ima_load_data()
743 …pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter mi… in ima_load_data()
754 * @buf: pointer to in memory file contents
755 * @size: size of in memory file contents
762 * On success return 0. On integrity appraisal error, assuming the file
881 * @kernel_fd: file descriptor of the kexec kernel being loaded
895 if (!f.file) in ima_kexec_cmdline()
898 process_buffer_measurement(file_inode(f.file), buf, size, in ima_kexec_cmdline()