
  1 /*
  2  * Copyright (C) 2009-2010 IBM Corporation
  3  *
  4  * Authors:
  5  * Mimi Zohar <zohar@us.ibm.com>
  6  *
  7  * This program is free software; you can redistribute it and/or
  8  * modify it under the terms of the GNU General Public License as
  9  * published by the Free Software Foundation, version 2 of the
 10  * License.
 11  *
 12  */
 13 
 14 #include <linux/types.h>
 15 #include <linux/integrity.h>
 16 #include <crypto/sha.h>
 17 #include <linux/key.h>
 18 
/* iint action cache flags */
/*
 * Low byte of integrity_iint_cache.flags.  As the names suggest, each IMA
 * action is tracked as a pair of bits: a "do" bit (the action is wanted for
 * this inode) and a matching "done" bit (it has been carried out).
 */
#define IMA_MEASURE             0x00000001
#define IMA_MEASURED            0x00000002
#define IMA_APPRAISE            0x00000004
#define IMA_APPRAISED           0x00000008
/*#define IMA_COLLECT           0x00000010  do not use this flag */
/* IMA_COLLECTED has no "do" counterpart; the 0x10 slot is deliberately unused. */
#define IMA_COLLECTED           0x00000020
#define IMA_AUDIT               0x00000040
#define IMA_AUDITED             0x00000080

/* iint cache flags */
/*
 * High byte (IMA_ACTION_FLAGS): per-inode state that is not an action
 * outcome.  IMA_ACTION_RULE_FLAGS (0x06000000) is exactly
 * IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO, presumably the bits taken from
 * the matching policy rule; IMA_DIGSIG and IMA_NEW_FILE are outside it.
 */
#define IMA_ACTION_FLAGS        0xff000000
#define IMA_ACTION_RULE_FLAGS   0x06000000
#define IMA_DIGSIG              0x01000000
#define IMA_DIGSIG_REQUIRED     0x02000000
#define IMA_PERMIT_DIRECTIO     0x04000000
#define IMA_NEW_FILE            0x08000000

/*
 * Aggregate "anything still to do" / "anything already done" masks.  They
 * reference IMA_APPRAISE_SUBMASK / IMA_APPRAISED_SUBMASK, which are only
 * defined further down; that is fine for object-like macros, since the
 * names are expanded where the mask is used, not here.
 */
#define IMA_DO_MASK             (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
                                 IMA_APPRAISE_SUBMASK)
#define IMA_DONE_MASK           (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \
                                 IMA_COLLECTED | IMA_APPRAISED_SUBMASK)

/* iint subaction appraise cache flags */
/*
 * Bits 8-15: appraisal is tracked separately per access type (open, mmap,
 * exec, read), again as do/done pairs.  These pair with the per-type
 * ima_*_status fields of struct integrity_iint_cache.
 */
#define IMA_FILE_APPRAISE       0x00000100
#define IMA_FILE_APPRAISED      0x00000200
#define IMA_MMAP_APPRAISE       0x00000400
#define IMA_MMAP_APPRAISED      0x00000800
#define IMA_BPRM_APPRAISE       0x00001000
#define IMA_BPRM_APPRAISED      0x00002000
#define IMA_READ_APPRAISE       0x00004000
#define IMA_READ_APPRAISED      0x00008000
#define IMA_APPRAISE_SUBMASK    (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
                                 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE)
#define IMA_APPRAISED_SUBMASK   (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
                                 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED)
 55 
/*
 * Type tag carried in the first byte of an IMA/EVM xattr value.  The
 * numbering is spelled out explicitly because the tag is part of the
 * xattr format: renumbering an entry would change what existing xattrs
 * mean, so new tags may only be appended before IMA_XATTR_LAST.
 */
enum evm_ima_xattr_type {
	IMA_XATTR_DIGEST	= 0x01,
	EVM_XATTR_HMAC		= 0x02,
	EVM_IMA_XATTR_DIGSIG	= 0x03,
	IMA_XATTR_DIGEST_NG	= 0x04,
	IMA_XATTR_LAST		= 0x05,	/* one past the highest tag; presumably a range-check sentinel */
};
 63 
/*
 * Fixed-size xattr value layout: a one-byte evm_ima_xattr_type tag followed
 * by a SHA-1 sized digest.  Packed so the in-memory layout matches the
 * xattr bytes exactly (no padding may be inserted between the fields).
 */
struct evm_ima_xattr_data {
	u8 type;			/* enum evm_ima_xattr_type */
	u8 digest[SHA1_DIGEST_SIZE];	/* SHA-1 sized only; larger digests use ima_digest_data */
} __packed;
 68 
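/* Upper bound for ima_digest_data.length (64 bytes, i.e. SHA-512 sized). */
#define IMA_MAX_DIGEST_SIZE     64

/*
 * A file digest together with the xattr header bytes that precede it.
 *
 * @algo:   hash algorithm that produced @digest
 * @length: number of valid bytes in @digest.  It is a u8 and so can hold
 *          up to 255; anything that fills this from external data must
 *          clamp it to IMA_MAX_DIGEST_SIZE (the intended maximum — confirm
 *          at the allocation sites, which are not in this header).
 * @xattr:  the up to two bytes that sit immediately before the digest in
 *          the xattr.  The two variants are laid out so that the header
 *          bytes run contiguously into @digest (the struct is packed):
 *          .sha1 - one-byte header, only .type is meaningful (.unused
 *                  pads it so .type is adjacent to @digest)
 *          .ng   - two-byte header: type tag, then algorithm byte
 *          .data - raw view of the same two bytes
 * @digest: the digest bytes, stored inline after the structure.  This is a
 *          C99 flexible array member (was a GNU zero-length array); allocate
 *          sizeof(*hash) + <digest length> or more.
 */
struct ima_digest_data {
	u8 algo;
	u8 length;
	union {
		struct {
			u8 unused;
			u8 type;
		} sha1;
		struct {
			u8 type;
			u8 algo;
		} ng;
		u8 data[2];
	} xattr;
	u8 digest[];
} __packed;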
 87 
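/*
 * signature format v2 - for using with asymmetric keys
 *
 * Header that precedes the raw signature bytes in the xattr.  Multi-byte
 * fields are big-endian (__be32/__be16) and the struct is packed, so it
 * mirrors the xattr bytes exactly.  @sig_size is itself read from the
 * xattr: code that parses this header must check that the buffer holds
 * sizeof(struct signature_v2_hdr) + sig_size bytes before touching @sig.
 * Only the layout is defined here; the checks live with the parser.
 */
struct signature_v2_hdr {
	uint8_t type;		/* xattr type */
	uint8_t version;	/* signature format version */
	uint8_t hash_algo;	/* Digest algorithm [enum hash_algo] */
	__be32 keyid;		/* IMA key identifier - not X509/PGP specific */
	__be16 sig_size;	/* signature size */
	uint8_t sig[];		/* signature payload (flexible array member, was sig[0]) */
} __packed;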
 99 
/* integrity data associated with an inode */
/*
 * One entry per inode, kept in an rbtree and looked up through
 * integrity_iint_find().  The four ima_*_status fields hold one appraisal
 * verdict per access type, matching the IMA_{FILE,MMAP,BPRM,READ}_APPRAISE*
 * flag pairs above; evm_status is the EVM verdict.  They are 4-bit
 * bitfields, so every enum integrity_status value must fit in 4 bits.
 */
struct integrity_iint_cache {
	struct rb_node rb_node;	/* rooted in integrity_iint_tree */
	struct inode *inode;	/* back pointer to inode in question */
	u64 version;		/* track inode changes */
	unsigned long flags;	/* IMA_* iint cache flags defined above */
	unsigned long measured_pcrs;	/* presumably a bitmask of PCRs already extended — confirm */
	enum integrity_status ima_file_status:4;
	enum integrity_status ima_mmap_status:4;
	enum integrity_status ima_bprm_status:4;
	enum integrity_status ima_read_status:4;
	enum integrity_status evm_status:4;
	struct ima_digest_data *ima_hash;	/* cached file digest; ownership/lifetime not visible here */
};
114 
/*
 * Look up the integrity data associated with @inode in the rbtree rooted
 * at integrity_iint_tree (see integrity_iint_cache.rb_node).  Only the
 * lookup is exported through this header; insertion and deletion helpers
 * are not declared here.  NOTE(review): the not-found return value is not
 * visible in this header — confirm (NULL is the likely convention).
 */
struct integrity_iint_cache *integrity_iint_find(struct inode *inode);

/*
 * Read @count bytes of @file starting at @offset into @addr.
 * NOTE(review): the return convention (bytes read vs. 0/-errno) is not
 * visible here — confirm against the definition before relying on it.
 */
int integrity_kernel_read(struct file *file, loff_t offset,
			  void *addr, unsigned long count);
122 
/*
 * Ids of the integrity keyrings, used as the @id argument of the
 * integrity_*_keyring / integrity_digsig_verify helpers below.
 * INTEGRITY_KEYRING_MAX is the number of keyrings (one past the last
 * valid id), not a keyring itself.
 */
#define INTEGRITY_KEYRING_EVM           0
#define INTEGRITY_KEYRING_IMA           1
#define INTEGRITY_KEYRING_MODULE        2
#define INTEGRITY_KEYRING_MAX           3
127 
128 #ifdef CONFIG_INTEGRITY_SIGNATURE
129 
130 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
131                             const char *digest, int digestlen);
132 
133 int __init integrity_init_keyring(const unsigned int id);
134 int __init integrity_load_x509(const unsigned int id, const char *path);
135 #else
136 
/*
 * Stub for kernels built without CONFIG_INTEGRITY_SIGNATURE: there is no
 * keyring or signature code, so every verification request is answered
 * with -EOPNOTSUPP.  The arguments exist only to keep the signature
 * identical to the real implementation.
 */
static inline int integrity_digsig_verify(const unsigned int id,
					  const char *sig, int siglen,
					  const char *digest, int digestlen)
{
	(void)id;
	(void)sig;
	(void)siglen;
	(void)digest;
	(void)digestlen;

	return -EOPNOTSUPP;
}
143 
/*
 * Stub for kernels built without CONFIG_INTEGRITY_SIGNATURE: there is no
 * keyring to set up, so initialisation trivially succeeds (returns 0)
 * whatever @id is passed.  Note that no matching stub for
 * integrity_load_x509() is provided in this branch; its callers are
 * presumably gated on the same config option — confirm.
 */
static inline int integrity_init_keyring(const unsigned int id)
{
	(void)id;

	return 0;
}
148 #endif /* CONFIG_INTEGRITY_SIGNATURE */
149 
150 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
151 int asymmetric_verify(struct key *keyring, const char *sig,
152                       int siglen, const char *data, int datalen);
153 #else
/*
 * Stub for kernels built without CONFIG_INTEGRITY_ASYMMETRIC_KEYS: no
 * asymmetric-key verification is available, so the call is refused with
 * -EOPNOTSUPP regardless of the keyring, signature or data passed.
 */
static inline int asymmetric_verify(struct key *keyring, const char *sig,
				    int siglen, const char *data, int datalen)
{
	(void)keyring;
	(void)sig;
	(void)siglen;
	(void)data;
	(void)datalen;

	return -EOPNOTSUPP;
}
159 #endif
160 
161 #ifdef CONFIG_IMA_LOAD_X509
162 void __init ima_load_x509(void);
163 #else
/* Stub for kernels without CONFIG_IMA_LOAD_X509: nothing to load, no-op. */
static inline void ima_load_x509(void) { }
167 #endif
168 
169 #ifdef CONFIG_EVM_LOAD_X509
170 void __init evm_load_x509(void);
171 #else
/* Stub for kernels without CONFIG_EVM_LOAD_X509: nothing to load, no-op. */
static inline void evm_load_x509(void) { }
175 #endif
176 
177 #ifdef CONFIG_INTEGRITY_AUDIT
178 /* declarations */
179 void integrity_audit_msg(int audit_msgno, struct inode *inode,
180                          const unsigned char *fname, const char *op,
181                          const char *cause, int result, int info);
182 #else
/*
 * Stub for kernels built without CONFIG_INTEGRITY_AUDIT: integrity audit
 * records are silently dropped.  The parameter list mirrors the real
 * implementation so call sites need no #ifdef.
 */
static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
				       const unsigned char *fname,
				       const char *op, const char *cause,
				       int result, int info)
{
	(void)audit_msgno;
	(void)inode;
	(void)fname;
	(void)op;
	(void)cause;
	(void)result;
	(void)info;
}
189 #endif
190 
