Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ima.h
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3  *
4  * Authors:
5  * Reiner Sailer <[email protected]>
6  * Mimi Zohar <[email protected]>
7  *
8  * This program is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU General Public License as
10  * published by the Free Software Foundation, version 2 of the
11  * License.
12  *
13  * File: ima.h
14  * internal Integrity Measurement Architecture (IMA) definitions
15  */
16 
17 #ifndef __LINUX_IMA_H
18 #define __LINUX_IMA_H
19 
20 #include <linux/types.h>
21 #include <linux/crypto.h>
22 #include <linux/security.h>
23 #include <linux/hash.h>
24 #include <linux/tpm.h>
25 #include <linux/audit.h>
26 
27 #include "../integrity.h"
28 
30 enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
31 
32 /* digest size for IMA, fits SHA1 or MD5 */
33 #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
34 #define IMA_EVENT_NAME_LEN_MAX 255
35 
36 #define IMA_HASH_BITS 9
37 #define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
38 
39 /* set during initialization */
40 extern int ima_initialized;
41 extern int ima_used_chip;
42 extern char *ima_hash;
43 extern int ima_appraise;
44 
45 /* IMA inode template definition */
47  u8 digest[IMA_DIGEST_SIZE]; /* sha1/md5 measurement hash */
48  char file_name[IMA_EVENT_NAME_LEN_MAX + 1]; /* name + \0 */
49 };
50 
52  u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
53  const char *template_name;
56 };
57 
59  struct hlist_node hnext; /* place in hash collision list */
60  struct list_head later; /* place in ima_measurements list */
62 };
63 extern struct list_head ima_measurements; /* list of all measurements */
64 
65 #ifdef CONFIG_IMA_AUDIT
66 /* declarations */
67 void integrity_audit_msg(int audit_msgno, struct inode *inode,
68  const unsigned char *fname, const char *op,
69  const char *cause, int result, int info);
70 #else
71 static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
72  const unsigned char *fname,
73  const char *op, const char *cause,
74  int result, int info)
75 {
76 }
77 #endif
78 
79 /* Internal IMA function definitions */
80 int ima_init(void);
81 void ima_cleanup(void);
82 int ima_fs_init(void);
83 void ima_fs_cleanup(void);
84 int ima_inode_alloc(struct inode *inode);
85 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
86  const char *op, struct inode *inode);
87 int ima_calc_hash(struct file *file, char *digest);
88 int ima_calc_template_hash(int template_len, void *template, char *digest);
90 void ima_add_violation(struct inode *inode, const unsigned char *filename,
91  const char *op, const char *cause);
92 
93 /*
94  * used to protect h_table and sha_table
95  */
97 
98 struct ima_h_table {
99  atomic_long_t len; /* number of stored measurements in the list */
102 };
103 extern struct ima_h_table ima_htable;
104 
105 static inline unsigned long ima_hash_key(u8 *digest)
106 {
107  return hash_long(*digest, IMA_HASH_BITS);
108 }
109 
110 /* LIM API function definitions */
111 int ima_get_action(struct inode *inode, int mask, int function);
112 int ima_must_measure(struct inode *inode, int mask, int function);
114  struct file *file);
115 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
116  const unsigned char *filename);
118  const unsigned char *filename);
119 int ima_store_template(struct ima_template_entry *entry, int violation,
120  struct inode *inode);
121 void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show);
122 
123 /* rbtree tree calls to lookup, insert, delete
124  * integrity data associated with an inode.
125  */
128 
129 /* IMA policy related functions */
131 
132 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
133  int flags);
134 void ima_init_policy(void);
135 void ima_update_policy(void);
137 void ima_delete_rules(void);
138 
139 /* Appraise integrity measurements */
140 #define IMA_APPRAISE_ENFORCE 0x01
141 #define IMA_APPRAISE_FIX 0x02
142 
143 #ifdef CONFIG_IMA_APPRAISE
145  struct file *file, const unsigned char *filename);
146 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
147 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
148 
149 #else
150 static inline int ima_appraise_measurement(struct integrity_iint_cache *iint,
151  struct file *file,
152  const unsigned char *filename)
153 {
154  return INTEGRITY_UNKNOWN;
155 }
156 
157 static inline int ima_must_appraise(struct inode *inode, int mask,
158  enum ima_hooks func)
159 {
160  return 0;
161 }
162 
163 static inline void ima_update_xattr(struct integrity_iint_cache *iint,
164  struct file *file)
165 {
166 }
167 #endif
168 
169 /* LSM based policy rules require audit */
170 #ifdef CONFIG_IMA_LSM_RULES
171 
172 #define security_filter_rule_init security_audit_rule_init
173 #define security_filter_rule_match security_audit_rule_match
174 
175 #else
176 
177 static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
178  void **lsmrule)
179 {
180  return -EINVAL;
181 }
182 
183 static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
184  void *lsmrule,
185  struct audit_context *actx)
186 {
187  return -EINVAL;
188 }
189 #endif /* CONFIG_IMA_LSM_RULES */
190 #endif