ima_main.c source code [linux/security/integrity/ima/ima_main.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* Integrity Measurement Architecture
4	*
5	* Copyright (C) 2005,2006,2007,2008 IBM Corporation
6	*
7	* Authors:
8	* Reiner Sailer <sailer@watson.ibm.com>
9	* Serge Hallyn <serue@us.ibm.com>
10	* Kylene Hall <kylene@us.ibm.com>
11	* Mimi Zohar <zohar@us.ibm.com>
12	*
13	* File: ima_main.c
14	* implements the IMA hooks: ima_bprm_check, ima_file_mmap,
15	* and ima_file_check.
16	*/
17
18	#include <linux/module.h>
19	#include <linux/file.h>
20	#include <linux/binfmts.h>
21	#include <linux/kernel_read_file.h>
22	#include <linux/mount.h>
23	#include <linux/mman.h>
24	#include <linux/slab.h>
25	#include <linux/xattr.h>
26	#include <linux/ima.h>
27	#include <linux/fs.h>
28	#include <linux/iversion.h>
29	#include <linux/evm.h>
30	#include <linux/crash_dump.h>
31
32	#include "ima.h"
33
34	#ifdef CONFIG_IMA_APPRAISE
35	int ima_appraise = IMA_APPRAISE_ENFORCE;
36	#else
37	int ima_appraise;
38	#endif
39
40	int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
41	static int hash_setup_done;
42	static int ima_disabled __ro_after_init;
43
44	static struct notifier_block ima_lsm_policy_notifier = {
45	.notifier_call = ima_lsm_policy_change,
46	};
47
48	static int __init ima_setup(char *str)
49	{
50	if (!is_kdump_kernel()) {
51	pr_info("Warning: ima setup option only permitted in kdump");
52	return `1`;
53	}
54
55	if (strncmp(str, "off", `3`) == `0`)
56	ima_disabled = `1`;
57	else if (strncmp(str, "on", `2`) == `0`)
58	ima_disabled = `0`;
59	else
60	pr_err("Invalid ima setup option: \"%s\" , please specify ima=on\|off.", str);
61
62	return `1`;
63	}
64	__setup("ima=", ima_setup);
65
66	static int __init hash_setup(char *str)
67	{
68	struct ima_template_desc *template_desc = ima_template_desc_current();
69	int i;
70
71	if (hash_setup_done)
72	return `1`;
73
74	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == `0`) {
75	if (strncmp(str, "sha1", `4`) == `0`) {
76	ima_hash_algo = HASH_ALGO_SHA1;
77	} else if (strncmp(str, "md5", `3`) == `0`) {
78	ima_hash_algo = HASH_ALGO_MD5;
79	} else {
80	pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
81	str, IMA_TEMPLATE_IMA_NAME);
82	return `1`;
83	}
84	goto out;
85	}
86
87	i = match_string(array: hash_algo_name, n: HASH_ALGO__LAST, string: str);
88	if (i < `0`) {
89	pr_err("invalid hash algorithm \"%s\"", str);
90	return `1`;
91	}
92
93	ima_hash_algo = i;
94	out:
95	hash_setup_done = `1`;
96	return `1`;
97	}
98	__setup("ima_hash=", hash_setup);
99
100	enum hash_algo ima_get_current_hash_algo(void)
101	{
102	return ima_hash_algo;
103	}
104
105	/ Prevent mmap'ing a file execute that is already mmap'ed write /
106	static int mmap_violation_check(enum ima_hooks func, struct file *file,
107	char *pathbuf, const* char **pathname,
108	char *filename)
109	{
110	struct inode *inode;
111	int rc = `0`;
112
113	if ((func == MMAP_CHECK \|\| func == MMAP_CHECK_REQPROT) &&
114	mapping_writably_mapped(mapping: file->f_mapping)) {
115	rc = -ETXTBSY;
116	inode = file_inode(f: file);
117
118	if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched /
119	*pathname = ima_d_path(path: &file->f_path, pathbuf,
120	filename);
121	integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, fname: *pathname,
122	op: "mmap_file", cause: "mmapped_writers", result: rc, info: `0`);
123	}
124	return rc;
125	}
126
127	/*
128	* ima_rdwr_violation_check
129	*
130	* Only invalidate the PCR for measured files:
131	* - Opening a file for write when already open for read,
132	* results in a time of measure, time of use (ToMToU) error.
133	* - Opening a file for read when already open for write,
134	* could result in a file measurement error.
135	*
136	*/
137	static void ima_rdwr_violation_check(struct file *file,
138	struct ima_iint_cache *iint,
139	int must_measure,
140	char **pathbuf,
141	const char **pathname,
142	char *filename)
143	{
144	struct inode *inode = file_inode(f: file);
145	fmode_t mode = file->f_mode;
146	bool send_tomtou = false, send_writers = false;
147
148	if (mode & FMODE_WRITE) {
149	if (atomic_read(v: &inode->i_readcount) && IS_IMA(inode)) {
150	if (!iint)
151	iint = ima_iint_find(inode);
152
153	/ IMA_MEASURE is set from reader side /
154	if (iint && test_and_clear_bit(IMA_MAY_EMIT_TOMTOU,
155	addr: &iint->atomic_flags))
156	send_tomtou = true;
157	}
158	} else {
159	if (must_measure)
160	set_bit(IMA_MAY_EMIT_TOMTOU, addr: &iint->atomic_flags);
161
162	/ Limit number of open_writers violations /
163	if (inode_is_open_for_write(inode) && must_measure) {
164	if (!test_and_set_bit(IMA_EMITTED_OPENWRITERS,
165	addr: &iint->atomic_flags))
166	send_writers = true;
167	}
168	}
169
170	if (!send_tomtou && !send_writers)
171	return;
172
173	*pathname = ima_d_path(path: &file->f_path, pathbuf, filename);
174
175	if (send_tomtou)
176	ima_add_violation(file, filename: *pathname, iint,
177	op: "invalid_pcr", cause: "ToMToU");
178	if (send_writers)
179	ima_add_violation(file, filename: *pathname, iint,
180	op: "invalid_pcr", cause: "open_writers");
181	}
182
183	static void ima_check_last_writer(struct ima_iint_cache *iint,
184	struct inode inode, struct* file *file)
185	{
186	fmode_t mode = file->f_mode;
187	bool update;
188
189	if (!(mode & FMODE_WRITE))
190	return;
191
192	mutex_lock(&iint->mutex);
193	if (atomic_read(v: &inode->i_writecount) == `1`) {
194	struct kstat stat;
195
196	clear_bit(IMA_EMITTED_OPENWRITERS, addr: &iint->atomic_flags);
197
198	update = test_and_clear_bit(IMA_UPDATE_XATTR,
199	addr: &iint->atomic_flags);
200	if ((iint->flags & IMA_NEW_FILE) \|\|
201	vfs_getattr_nosec(&file->f_path, &stat,
202	STATX_CHANGE_COOKIE,
203	AT_STATX_SYNC_AS_STAT) \|\|
204	!(stat.result_mask & STATX_CHANGE_COOKIE) \|\|
205	stat.change_cookie != iint->real_inode.version) {
206	iint->flags &= ~(IMA_DONE_MASK \| IMA_NEW_FILE);
207	iint->measured_pcrs = `0`;
208	if (update)
209	ima_update_xattr(iint, file);
210	}
211	}
212	mutex_unlock(lock: &iint->mutex);
213	}
214
215	/**
216	* ima_file_free - called on __fput()
217	* @file: pointer to file structure being freed
218	*
219	* Flag files that changed, based on i_version
220	*/
221	static void ima_file_free(struct file *file)
222	{
223	struct inode *inode = file_inode(f: file);
224	struct ima_iint_cache *iint;
225
226	if (!ima_policy_flag \|\| !S_ISREG(inode->i_mode))
227	return;
228
229	iint = ima_iint_find(inode);
230	if (!iint)
231	return;
232
233	ima_check_last_writer(iint, inode, file);
234	}
235
236	static int process_measurement(struct file file, const* struct cred *cred,
237	struct lsm_prop prop, char* *buf, loff_t size,
238	int mask, enum ima_hooks func,
239	enum kernel_read_file_id read_id)
240	{
241	struct inode real_inode, inode = file_inode(f: file);
242	struct ima_iint_cache *iint = NULL;
243	struct ima_template_desc *template_desc = NULL;
244	struct inode *metadata_inode;
245	char *pathbuf = NULL;
246	char filename[NAME_MAX];
247	const char *pathname = NULL;
248	int rc = `0`, action, must_appraise = `0`;
249	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
250	struct evm_ima_xattr_data *xattr_value = NULL;
251	struct modsig *modsig = NULL;
252	int xattr_len = `0`;
253	bool violation_check;
254	enum hash_algo hash_algo;
255	unsigned int allowed_algos = `0`;
256
257	if (!ima_policy_flag \|\| !S_ISREG(inode->i_mode))
258	return `0`;
259
260	/ Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action*
261	* bitmask based on the appraise/audit/measurement policy.
262	* Included is the appraise submask.
263	*/
264	action = ima_get_action(idmap: file_mnt_idmap(file), inode, cred, prop,
265	mask, func, pcr: &pcr, template_desc: &template_desc, NULL,
266	allowed_algos: &allowed_algos);
267	violation_check = ((func == FILE_CHECK \|\| func == MMAP_CHECK \|\|
268	func == MMAP_CHECK_REQPROT) &&
269	(ima_policy_flag & IMA_MEASURE) &&
270	((action & IMA_MEASURE) \|\|
271	(file->f_mode & FMODE_WRITE)));
272	if (!action && !violation_check)
273	return `0`;
274
275	must_appraise = action & IMA_APPRAISE;
276
277	/ Is the appraise rule hook specific? /
278	if (action & IMA_FILE_APPRAISE)
279	func = FILE_CHECK;
280
281	inode_lock(inode);
282
283	if (action) {
284	iint = ima_inode_get(inode);
285	if (!iint)
286	rc = -ENOMEM;
287	}
288
289	if (!rc && violation_check)
290	ima_rdwr_violation_check(file, iint, must_measure: action & IMA_MEASURE,
291	pathbuf: &pathbuf, pathname: &pathname, filename);
292
293	inode_unlock(inode);
294
295	if (rc)
296	goto out;
297	if (!action)
298	goto out;
299
300	mutex_lock(&iint->mutex);
301
302	if (test_and_clear_bit(IMA_CHANGE_ATTR, addr: &iint->atomic_flags))
303	/*
304	* Reset appraisal flags (action and non-action rule-specific)
305	* if ima_inode_post_setattr was called.
306	*/
307	iint->flags &= ~(IMA_APPRAISE \| IMA_APPRAISED \|
308	IMA_APPRAISE_SUBMASK \| IMA_APPRAISED_SUBMASK \|
309	IMA_NONACTION_RULE_FLAGS);
310
311	/*
312	* Re-evaulate the file if either the xattr has changed or the
313	* kernel has no way of detecting file change on the filesystem.
314	* (Limited to privileged mounted filesystems.)
315	*/
316	if (test_and_clear_bit(IMA_CHANGE_XATTR, addr: &iint->atomic_flags) \|\|
317	((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
318	!(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
319	!(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
320	iint->flags &= ~IMA_DONE_MASK;
321	iint->measured_pcrs = `0`;
322	}
323
324	/*
325	* On stacked filesystems, detect and re-evaluate file data and
326	* metadata changes.
327	*/
328	real_inode = d_real_inode(dentry: file_dentry(file));
329	if (real_inode != inode &&
330	(action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
331	if (!IS_I_VERSION(real_inode) \|\|
332	integrity_inode_attrs_changed(attrs: &iint->real_inode,
333	inode: real_inode)) {
334	iint->flags &= ~IMA_DONE_MASK;
335	iint->measured_pcrs = `0`;
336	}
337
338	/*
339	* Reset the EVM status when metadata changed.
340	*/
341	metadata_inode = d_inode(dentry: d_real(dentry: file_dentry(file),
342	type: D_REAL_METADATA));
343	if (evm_metadata_changed(inode, metadata_inode))
344	iint->flags &= ~(IMA_APPRAISED \|
345	IMA_APPRAISED_SUBMASK);
346	}
347
348	/ Determine if already appraised/measured based on bitmask*
349	* (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
350	* IMA_AUDIT, IMA_AUDITED)
351	*/
352	iint->flags \|= action;
353	action &= IMA_DO_MASK;
354	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> `1`);
355
356	/ If target pcr is already measured, unset IMA_MEASURE action /
357	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (`0x1` << pcr)))
358	action ^= IMA_MEASURE;
359
360	/ HASH sets the digital signature and update flags, nothing else /
361	if ((action & IMA_HASH) &&
362	!(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
363	xattr_len = ima_read_xattr(dentry: file_dentry(file),
364	xattr_value: &xattr_value, xattr_len);
365	if ((xattr_value && xattr_len > `2`) &&
366	(xattr_value->type == EVM_IMA_XATTR_DIGSIG))
367	set_bit(IMA_DIGSIG, addr: &iint->atomic_flags);
368	iint->flags \|= IMA_HASHED;
369	action ^= IMA_HASH;
370	set_bit(IMA_UPDATE_XATTR, addr: &iint->atomic_flags);
371	}
372
373	/ Nothing to do, just return existing appraised status /
374	if (!action) {
375	if (must_appraise) {
376	rc = mmap_violation_check(func, file, pathbuf: &pathbuf,
377	pathname: &pathname, filename);
378	if (!rc)
379	rc = ima_get_cache_status(iint, func);
380	}
381	goto out_locked;
382	}
383
384	if ((action & IMA_APPRAISE_SUBMASK) \|\|
385	strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != `0`) {
386	/ read 'security.ima' /
387	xattr_len = ima_read_xattr(dentry: file_dentry(file),
388	xattr_value: &xattr_value, xattr_len);
389
390	/*
391	* Read the appended modsig if allowed by the policy, and allow
392	* an additional measurement list entry, if needed, based on the
393	* template format and whether the file was already measured.
394	*/
395	if (iint->flags & IMA_MODSIG_ALLOWED) {
396	rc = ima_read_modsig(func, buf, buf_len: size, modsig: &modsig);
397
398	if (!rc && ima_template_has_modsig(ima_template: template_desc) &&
399	iint->flags & IMA_MEASURED)
400	action \|= IMA_MEASURE;
401	}
402	}
403
404	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
405
406	rc = ima_collect_measurement(iint, file, buf, size, algo: hash_algo, modsig);
407	if (rc != `0` && rc != -EBADF && rc != -EINVAL)
408	goto out_locked;
409
410	/ Defer measuring/appraising kernel modules to READING_MODULE /
411	if (read_id == READING_MODULE_COMPRESSED) {
412	must_appraise = `0`;
413	goto out_locked;
414	}
415
416	if (!pathbuf) / ima_rdwr_violation possibly pre-fetched /
417	pathname = ima_d_path(path: &file->f_path, pathbuf: &pathbuf, filename);
418
419	if (action & IMA_MEASURE)
420	ima_store_measurement(iint, file, filename: pathname,
421	xattr_value, xattr_len, modsig, pcr,
422	template_desc);
423	if (rc == `0` && (action & IMA_APPRAISE_SUBMASK)) {
424	rc = ima_check_blacklist(iint, modsig, pcr);
425	if (rc != -EPERM) {
426	inode_lock(inode);
427	rc = ima_appraise_measurement(func, iint, file,
428	filename: pathname, xattr_value,
429	xattr_len, modsig);
430	inode_unlock(inode);
431	}
432	if (!rc)
433	rc = mmap_violation_check(func, file, pathbuf: &pathbuf,
434	pathname: &pathname, filename);
435	}
436	if (action & IMA_AUDIT)
437	ima_audit_measurement(iint, filename: pathname);
438
439	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
440	rc = `0`;
441
442	/ Ensure the digest was generated using an allowed algorithm /
443	if (rc == `0` && must_appraise && allowed_algos != `0` &&
444	(allowed_algos & (`1U` << hash_algo)) == `0`) {
445	rc = -EACCES;
446
447	integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode: file_inode(f: file),
448	fname: pathname, op: "collect_data",
449	cause: "denied-hash-algorithm", result: rc, info: `0`);
450	}
451	out_locked:
452	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
453	!(iint->flags & IMA_NEW_FILE))
454	rc = -EACCES;
455	mutex_unlock(lock: &iint->mutex);
456	kfree(objp: xattr_value);
457	ima_free_modsig(modsig);
458	out:
459	if (pathbuf)
460	__putname(pathbuf);
461	if (must_appraise) {
462	if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
463	return -EACCES;
464	if (file->f_mode & FMODE_WRITE)
465	set_bit(IMA_UPDATE_XATTR, addr: &iint->atomic_flags);
466	}
467	return `0`;
468	}
469
470	/**
471	* ima_file_mmap - based on policy, collect/store measurement.
472	* @file: pointer to the file to be measured (May be NULL)
473	* @reqprot: protection requested by the application
474	* @prot: protection that will be applied by the kernel
475	* @flags: operational flags
476	*
477	* Measure files being mmapped executable based on the ima_must_measure()
478	* policy decision.
479	*
480	* On success return 0. On integrity appraisal error, assuming the file
481	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
482	*/
483	static int ima_file_mmap(struct file file, unsigned* long reqprot,
484	unsigned long prot, unsigned long flags)
485	{
486	struct lsm_prop prop;
487	int ret;
488
489	if (!file)
490	return `0`;
491
492	security_current_getlsmprop_subj(prop: &prop);
493
494	if (reqprot & PROT_EXEC) {
495	ret = process_measurement(file, current_cred(), prop: &prop, NULL,
496	size: `0`, MAY_EXEC, func: MMAP_CHECK_REQPROT, read_id: `0`);
497	if (ret)
498	return ret;
499	}
500
501	if (prot & PROT_EXEC)
502	return process_measurement(file, current_cred(), prop: &prop, NULL,
503	size: `0`, MAY_EXEC, func: MMAP_CHECK, read_id: `0`);
504
505	return `0`;
506	}
507
508	/**
509	* ima_file_mprotect - based on policy, limit mprotect change
510	* @vma: vm_area_struct protection is set to
511	* @reqprot: protection requested by the application
512	* @prot: protection that will be applied by the kernel
513	*
514	* Files can be mmap'ed read/write and later changed to execute to circumvent
515	* IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore
516	* would be taken before i_mutex), files can not be measured or appraised at
517	* this point. Eliminate this integrity gap by denying the mprotect
518	* PROT_EXECUTE change, if an mmap appraise policy rule exists.
519	*
520	* On mprotect change success, return 0. On failure, return -EACESS.
521	*/
522	static int ima_file_mprotect(struct vm_area_struct vma, unsigned* long reqprot,
523	unsigned long prot)
524	{
525	struct ima_template_desc *template = NULL;
526	struct file *file;
527	char filename[NAME_MAX];
528	char *pathbuf = NULL;
529	const char *pathname = NULL;
530	struct inode *inode;
531	struct lsm_prop prop;
532	int result = `0`;
533	int action;
534	int pcr;
535
536	/ Is mprotect making an mmap'ed file executable? /
537	if (!(ima_policy_flag & IMA_APPRAISE) \|\| !vma->vm_file \|\|
538	!(prot & PROT_EXEC) \|\| (vma->vm_flags & VM_EXEC))
539	return `0`;
540
541	security_current_getlsmprop_subj(prop: &prop);
542	inode = file_inode(f: vma->vm_file);
543	action = ima_get_action(idmap: file_mnt_idmap(file: vma->vm_file), inode,
544	current_cred(), prop: &prop, MAY_EXEC, func: MMAP_CHECK,
545	pcr: &pcr, template_desc: &template, NULL, NULL);
546	action \|= ima_get_action(idmap: file_mnt_idmap(file: vma->vm_file), inode,
547	current_cred(), prop: &prop, MAY_EXEC,
548	func: MMAP_CHECK_REQPROT, pcr: &pcr, template_desc: &template, NULL,
549	NULL);
550
551	/ Is the mmap'ed file in policy? /
552	if (!(action & (IMA_MEASURE \| IMA_APPRAISE_SUBMASK)))
553	return `0`;
554
555	if (action & IMA_APPRAISE_SUBMASK)
556	result = -EPERM;
557
558	file = vma->vm_file;
559	pathname = ima_d_path(path: &file->f_path, pathbuf: &pathbuf, filename);
560	integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, fname: pathname,
561	op: "collect_data", cause: "failed-mprotect", result, info: `0`);
562	if (pathbuf)
563	__putname(pathbuf);
564
565	return result;
566	}
567
568	/**
569	* ima_bprm_check - based on policy, collect/store measurement.
570	* @bprm: contains the linux_binprm structure
571	*
572	* The OS protects against an executable file, already open for write,
573	* from being executed in deny_write_access() and an executable file,
574	* already open for execute, from being modified in get_write_access().
575	* So we can be certain that what we verify and measure here is actually
576	* what is being executed.
577	*
578	* On success return 0. On integrity appraisal error, assuming the file
579	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
580	*/
581	static int ima_bprm_check(struct linux_binprm *bprm)
582	{
583	struct lsm_prop prop;
584
585	security_current_getlsmprop_subj(prop: &prop);
586	return process_measurement(file: bprm->file, current_cred(),
587	prop: &prop, NULL, size: `0`, MAY_EXEC, func: BPRM_CHECK, read_id: `0`);
588	}
589
590	/**
591	* ima_creds_check - based on policy, collect/store measurement.
592	* @bprm: contains the linux_binprm structure
593	* @file: contains the file descriptor of the binary being executed
594	*
595	* The OS protects against an executable file, already open for write,
596	* from being executed in deny_write_access() and an executable file,
597	* already open for execute, from being modified in get_write_access().
598	* So we can be certain that what we verify and measure here is actually
599	* what is being executed.
600	*
601	* The difference from ima_bprm_check() is that ima_creds_check() is invoked
602	* only after determining the final binary to be executed without interpreter,
603	* and not when searching for intermediate binaries. The reason is that since
604	* commit 56305aa9b6fab ("exec: Compute file based creds only once"), the
605	* credentials to be applied to the process are calculated only at that stage
606	* (bprm_creds_from_file security hook instead of bprm_check_security).
607	*
608	* On success return 0. On integrity appraisal error, assuming the file
609	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
610	*/
611	static int ima_creds_check(struct linux_binprm bprm, const* struct file *file)
612	{
613	struct lsm_prop prop;
614
615	security_current_getlsmprop_subj(prop: &prop);
616	return process_measurement(file: (struct file *)file, cred: bprm->cred, prop: &prop, NULL,
617	size: `0`, MAY_EXEC, func: CREDS_CHECK, read_id: `0`);
618	}
619
620	/**
621	* ima_bprm_creds_for_exec - collect/store/appraise measurement.
622	* @bprm: contains the linux_binprm structure
623	*
624	* Based on the IMA policy and the execveat(2) AT_EXECVE_CHECK flag, measure
625	* and appraise the integrity of a file to be executed by script interpreters.
626	* Unlike any of the other LSM hooks where the kernel enforces file integrity,
627	* enforcing file integrity is left up to the discretion of the script
628	* interpreter (userspace).
629	*
630	* On success return 0. On integrity appraisal error, assuming the file
631	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
632	*/
633	static int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
634	{
635	/*
636	* As security_bprm_check() is called multiple times, both
637	* the script and the shebang interpreter are measured, appraised,
638	* and audited. Limit usage of this LSM hook to just measuring,
639	* appraising, and auditing the indirect script execution
640	* (e.g. ./sh example.sh).
641	*/
642	if (!bprm->is_check)
643	return `0`;
644
645	return ima_bprm_check(bprm);
646	}
647
648	/**
649	* ima_file_check - based on policy, collect/store measurement.
650	* @file: pointer to the file to be measured
651	* @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
652	*
653	* Measure files based on the ima_must_measure() policy decision.
654	*
655	* On success return 0. On integrity appraisal error, assuming the file
656	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
657	*/
658	static int ima_file_check(struct file file, int* mask)
659	{
660	struct lsm_prop prop;
661
662	security_current_getlsmprop_subj(prop: &prop);
663	return process_measurement(file, current_cred(), prop: &prop, NULL, size: `0`,
664	mask: mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC \|
665	MAY_APPEND), func: FILE_CHECK, read_id: `0`);
666	}
667
668	static int __ima_inode_hash(struct inode inode, struct* file file, char* *buf,
669	size_t buf_size)
670	{
671	struct ima_iint_cache *iint = NULL, tmp_iint;
672	int rc, hash_algo;
673
674	if (ima_policy_flag) {
675	iint = ima_iint_find(inode);
676	if (iint)
677	mutex_lock(&iint->mutex);
678	}
679
680	if ((!iint \|\| !(iint->flags & IMA_COLLECTED)) && file) {
681	if (iint)
682	mutex_unlock(lock: &iint->mutex);
683
684	memset(&tmp_iint, `0`, sizeof(tmp_iint));
685	mutex_init(&tmp_iint.mutex);
686
687	rc = ima_collect_measurement(iint: &tmp_iint, file, NULL, size: `0`,
688	algo: ima_hash_algo, NULL);
689	if (rc < `0`) {
690	/ ima_hash could be allocated in case of failure. /
691	if (rc != -ENOMEM)
692	kfree(objp: tmp_iint.ima_hash);
693
694	return -EOPNOTSUPP;
695	}
696
697	iint = &tmp_iint;
698	mutex_lock(&iint->mutex);
699	}
700
701	if (!iint)
702	return -EOPNOTSUPP;
703
704	/*
705	* ima_file_hash can be called when ima_collect_measurement has still
706	* not been called, we might not always have a hash.
707	*/
708	if (!iint->ima_hash \|\| !(iint->flags & IMA_COLLECTED)) {
709	mutex_unlock(lock: &iint->mutex);
710	return -EOPNOTSUPP;
711	}
712
713	if (buf) {
714	size_t copied_size;
715
716	copied_size = min_t(size_t, iint->ima_hash->length, buf_size);
717	memcpy(buf, iint->ima_hash->digest, copied_size);
718	}
719	hash_algo = iint->ima_hash->algo;
720	mutex_unlock(lock: &iint->mutex);
721
722	if (iint == &tmp_iint)
723	kfree(objp: iint->ima_hash);
724
725	return hash_algo;
726	}
727
728	/**
729	* ima_file_hash - return a measurement of the file
730	* @file: pointer to the file
731	* @buf: buffer in which to store the hash
732	* @buf_size: length of the buffer
733	*
734	* On success, return the hash algorithm (as defined in the enum hash_algo).
735	* If buf is not NULL, this function also outputs the hash into buf.
736	* If the hash is larger than buf_size, then only buf_size bytes will be copied.
737	* It generally just makes sense to pass a buffer capable of holding the largest
738	* possible hash: IMA_MAX_DIGEST_SIZE.
739	* The file hash returned is based on the entire file, including the appended
740	* signature.
741	*
742	* If the measurement cannot be performed, return -EOPNOTSUPP.
743	* If the parameters are incorrect, return -EINVAL.
744	*/
745	int ima_file_hash(struct file file, char* *buf, size_t buf_size)
746	{
747	if (!file)
748	return -EINVAL;
749
750	return __ima_inode_hash(inode: file_inode(f: file), file, buf, buf_size);
751	}
752	EXPORT_SYMBOL_GPL(ima_file_hash);
753
754	/**
755	* ima_inode_hash - return the stored measurement if the inode has been hashed
756	* and is in the iint cache.
757	* @inode: pointer to the inode
758	* @buf: buffer in which to store the hash
759	* @buf_size: length of the buffer
760	*
761	* On success, return the hash algorithm (as defined in the enum hash_algo).
762	* If buf is not NULL, this function also outputs the hash into buf.
763	* If the hash is larger than buf_size, then only buf_size bytes will be copied.
764	* It generally just makes sense to pass a buffer capable of holding the largest
765	* possible hash: IMA_MAX_DIGEST_SIZE.
766	* The hash returned is based on the entire contents, including the appended
767	* signature.
768	*
769	* If IMA is disabled or if no measurement is available, return -EOPNOTSUPP.
770	* If the parameters are incorrect, return -EINVAL.
771	*/
772	int ima_inode_hash(struct inode inode, char* *buf, size_t buf_size)
773	{
774	if (!inode)
775	return -EINVAL;
776
777	return __ima_inode_hash(inode, NULL, buf, buf_size);
778	}
779	EXPORT_SYMBOL_GPL(ima_inode_hash);
780
781	/**
782	* ima_post_create_tmpfile - mark newly created tmpfile as new
783	* @idmap: idmap of the mount the inode was found from
784	* @inode: inode of the newly created tmpfile
785	*
786	* No measuring, appraising or auditing of newly created tmpfiles is needed.
787	* Skip calling process_measurement(), but indicate which newly, created
788	* tmpfiles are in policy.
789	*/
790	static void ima_post_create_tmpfile(struct mnt_idmap *idmap,
791	struct inode *inode)
792
793	{
794	struct ima_iint_cache *iint;
795	int must_appraise;
796
797	if (!ima_policy_flag \|\| !S_ISREG(inode->i_mode))
798	return;
799
800	must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS,
801	func: FILE_CHECK);
802	if (!must_appraise)
803	return;
804
805	/ Nothing to do if we can't allocate memory /
806	iint = ima_inode_get(inode);
807	if (!iint)
808	return;
809
810	/ needed for writing the security xattrs /
811	set_bit(IMA_UPDATE_XATTR, addr: &iint->atomic_flags);
812	iint->ima_file_status = INTEGRITY_PASS;
813	}
814
815	/**
816	* ima_post_path_mknod - mark as a new inode
817	* @idmap: idmap of the mount the inode was found from
818	* @dentry: newly created dentry
819	*
820	* Mark files created via the mknodat syscall as new, so that the
821	* file data can be written later.
822	*/
823	static void ima_post_path_mknod(struct mnt_idmap idmap, struct* dentry *dentry)
824	{
825	struct ima_iint_cache *iint;
826	struct inode *inode = dentry->d_inode;
827	int must_appraise;
828
829	if (!ima_policy_flag \|\| !S_ISREG(inode->i_mode))
830	return;
831
832	must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS,
833	func: FILE_CHECK);
834	if (!must_appraise)
835	return;
836
837	/ Nothing to do if we can't allocate memory /
838	iint = ima_inode_get(inode);
839	if (!iint)
840	return;
841
842	/ needed for re-opening empty files /
843	iint->flags \|= IMA_NEW_FILE;
844	}
845
846	/**
847	* ima_read_file - pre-measure/appraise hook decision based on policy
848	* @file: pointer to the file to be measured/appraised/audit
849	* @read_id: caller identifier
850	* @contents: whether a subsequent call will be made to ima_post_read_file()
851	*
852	* Permit reading a file based on policy. The policy rules are written
853	* in terms of the policy identifier. Appraising the integrity of
854	* a file requires a file descriptor.
855	*
856	* For permission return 0, otherwise return -EACCES.
857	*/
858	static int ima_read_file(struct file file, enum* kernel_read_file_id read_id,
859	bool contents)
860	{
861	enum ima_hooks func;
862	struct lsm_prop prop;
863
864	/*
865	* Do devices using pre-allocated memory run the risk of the
866	* firmware being accessible to the device prior to the completion
867	* of IMA's signature verification any more than when using two
868	* buffers? It may be desirable to include the buffer address
869	* in this API and walk all the dma_map_single() mappings to check.
870	*/
871
872	/*
873	* There will be a call made to ima_post_read_file() with
874	* a filled buffer, so we don't need to perform an extra
875	* read early here.
876	*/
877	if (contents)
878	return `0`;
879
880	/ Read entire file for all partial reads. /
881	func = read_idmap[read_id] ?: FILE_CHECK;
882	security_current_getlsmprop_subj(prop: &prop);
883	return process_measurement(file, current_cred(), prop: &prop, NULL, size: `0`,
884	MAY_READ, func, read_id: `0`);
885	}
886
887	const int read_idmap[READING_MAX_ID] = {
888	[READING_FIRMWARE] = FIRMWARE_CHECK,
889	[READING_MODULE] = MODULE_CHECK,
890	[READING_MODULE_COMPRESSED] = MODULE_CHECK,
891	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
892	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
893	[READING_POLICY] = POLICY_CHECK
894	};
895
896	/**
897	* ima_post_read_file - in memory collect/appraise/audit measurement
898	* @file: pointer to the file to be measured/appraised/audit
899	* @buf: pointer to in memory file contents
900	* @size: size of in memory file contents
901	* @read_id: caller identifier
902	*
903	* Measure/appraise/audit in memory file based on policy. Policy rules
904	* are written in terms of a policy identifier.
905	*
906	* On success return 0. On integrity appraisal error, assuming the file
907	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
908	*/
909	static int ima_post_read_file(struct file file, char* *buf, loff_t size,
910	enum kernel_read_file_id read_id)
911	{
912	enum ima_hooks func;
913	struct lsm_prop prop;
914
915	/ permit signed certs /
916	if (!file && read_id == READING_X509_CERTIFICATE)
917	return `0`;
918
919	if (!file \|\| !buf \|\| size == `0`) { / should never happen /
920	if (ima_appraise & IMA_APPRAISE_ENFORCE)
921	return -EACCES;
922	return `0`;
923	}
924
925	func = read_idmap[read_id] ?: FILE_CHECK;
926	security_current_getlsmprop_subj(prop: &prop);
927	return process_measurement(file, current_cred(), prop: &prop, buf, size,
928	MAY_READ, func, read_id);
929	}
930
931	/**
932	* ima_load_data - appraise decision based on policy
933	* @id: kernel load data caller identifier
934	* @contents: whether the full contents will be available in a later
935	* call to ima_post_load_data().
936	*
937	* Callers of this LSM hook can not measure, appraise, or audit the
938	* data provided by userspace. Enforce policy rules requiring a file
939	* signature (eg. kexec'ed kernel image).
940	*
941	* For permission return 0, otherwise return -EACCES.
942	*/
943	static int ima_load_data(enum kernel_load_data_id id, bool contents)
944	{
945	bool ima_enforce, sig_enforce;
946
947	ima_enforce =
948	(ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
949
950	switch (id) {
951	case LOADING_KEXEC_IMAGE:
952	if (IS_ENABLED(CONFIG_KEXEC_SIG)
953	&& arch_ima_get_secureboot()) {
954	pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
955	return -EACCES;
956	}
957
958	if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
959	pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
960	return -EACCES; / INTEGRITY_UNKNOWN /
961	}
962	break;
963	case LOADING_FIRMWARE:
964	if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
965	pr_err("Prevent firmware sysfs fallback loading.\n");
966	return -EACCES; / INTEGRITY_UNKNOWN /
967	}
968	break;
969	case LOADING_MODULE:
970	sig_enforce = is_module_sig_enforced();
971
972	if (ima_enforce && (!sig_enforce
973	&& (ima_appraise & IMA_APPRAISE_MODULES))) {
974	pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
975	return -EACCES; / INTEGRITY_UNKNOWN /
976	}
977	break;
978	default:
979	break;
980	}
981	return `0`;
982	}
983
984	/**
985	* ima_post_load_data - appraise decision based on policy
986	* @buf: pointer to in memory file contents
987	* @size: size of in memory file contents
988	* @load_id: kernel load data caller identifier
989	* @description: @load_id-specific description of contents
990	*
991	* Measure/appraise/audit in memory buffer based on policy. Policy rules
992	* are written in terms of a policy identifier.
993	*
994	* On success return 0. On integrity appraisal error, assuming the file
995	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
996	*/
997	static int ima_post_load_data(char *buf, loff_t size,
998	enum kernel_load_data_id load_id,
999	char *description)
1000	{
1001	if (load_id == LOADING_FIRMWARE) {
1002	if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
1003	(ima_appraise & IMA_APPRAISE_ENFORCE)) {
1004	pr_err("Prevent firmware loading_store.\n");
1005	return -EACCES; / INTEGRITY_UNKNOWN /
1006	}
1007	return `0`;
1008	}
1009
1010	/*
1011	* Measure the init_module syscall buffer containing the ELF image.
1012	*/
1013	if (load_id == LOADING_MODULE)
1014	ima_measure_critical_data(event_label: "modules", event_name: "init_module",
1015	buf, buf_len: size, hash: true, NULL, digest_len: `0`);
1016
1017	return `0`;
1018	}
1019
1020	/**
1021	* process_buffer_measurement - Measure the buffer or the buffer data hash
1022	* @idmap: idmap of the mount the inode was found from
1023	* @inode: inode associated with the object being measured (NULL for KEY_CHECK)
1024	* @buf: pointer to the buffer that needs to be added to the log.
1025	* @size: size of buffer(in bytes).
1026	* @eventname: event name to be used for the buffer entry.
1027	* @func: IMA hook
1028	* @pcr: pcr to extend the measurement
1029	* @func_data: func specific data, may be NULL
1030	* @buf_hash: measure buffer data hash
1031	* @digest: buffer digest will be written to
1032	* @digest_len: buffer length
1033	*
1034	* Based on policy, either the buffer data or buffer data hash is measured
1035	*
1036	* Return: 0 if the buffer has been successfully measured, 1 if the digest
1037	* has been written to the passed location but not added to a measurement entry,
1038	* a negative value otherwise.
1039	*/
1040	int process_buffer_measurement(struct mnt_idmap *idmap,
1041	struct inode inode, const* void buf, int* size,
1042	const char eventname, enum* ima_hooks func,
1043	int pcr, const char *func_data,
1044	bool buf_hash, u8 *digest, size_t digest_len)
1045	{
1046	int ret = `0`;
1047	const char *audit_cause = "ENOMEM";
1048	struct ima_template_entry *entry = NULL;
1049	struct ima_iint_cache iint = {};
1050	struct ima_event_data event_data = {.iint = &iint,
1051	.filename = eventname,
1052	.buf = buf,
1053	.buf_len = size};
1054	struct ima_template_desc *template;
1055	struct ima_max_digest_data hash;
1056	struct ima_digest_data *hash_hdr = container_of(&hash.hdr,
1057	struct ima_digest_data, hdr);
1058	char digest_hash[IMA_MAX_DIGEST_SIZE];
1059	int digest_hash_len = hash_digest_size[ima_hash_algo];
1060	int violation = `0`;
1061	int action = `0`;
1062	struct lsm_prop prop;
1063
1064	if (digest && digest_len < digest_hash_len)
1065	return -EINVAL;
1066
1067	if (!ima_policy_flag && !digest)
1068	return -ENOENT;
1069
1070	template = ima_template_desc_buf();
1071	if (!template) {
1072	ret = -EINVAL;
1073	audit_cause = "ima_template_desc_buf";
1074	goto out;
1075	}
1076
1077	/*
1078	* Both LSM hooks and auxiliary based buffer measurements are
1079	* based on policy. To avoid code duplication, differentiate
1080	* between the LSM hooks and auxiliary buffer measurements,
1081	* retrieving the policy rule information only for the LSM hook
1082	* buffer measurements.
1083	*/
1084	if (func) {
1085	security_current_getlsmprop_subj(prop: &prop);
1086	action = ima_get_action(idmap, inode, current_cred(),
1087	prop: &prop, mask: `0`, func, pcr: &pcr, template_desc: &template,
1088	func_data, NULL);
1089	if (!(action & IMA_MEASURE) && !digest)
1090	return -ENOENT;
1091	}
1092
1093	if (!pcr)
1094	pcr = CONFIG_IMA_MEASURE_PCR_IDX;
1095
1096	iint.ima_hash = hash_hdr;
1097	iint.ima_hash->algo = ima_hash_algo;
1098	iint.ima_hash->length = hash_digest_size[ima_hash_algo];
1099
1100	ret = ima_calc_buffer_hash(buf, len: size, hash: iint.ima_hash);
1101	if (ret < `0`) {
1102	audit_cause = "hashing_error";
1103	goto out;
1104	}
1105
1106	if (buf_hash) {
1107	memcpy(digest_hash, hash_hdr->digest, digest_hash_len);
1108
1109	ret = ima_calc_buffer_hash(buf: digest_hash, len: digest_hash_len,
1110	hash: iint.ima_hash);
1111	if (ret < `0`) {
1112	audit_cause = "hashing_error";
1113	goto out;
1114	}
1115
1116	event_data.buf = digest_hash;
1117	event_data.buf_len = digest_hash_len;
1118	}
1119
1120	if (digest)
1121	memcpy(digest, iint.ima_hash->digest, digest_hash_len);
1122
1123	if (!ima_policy_flag \|\| (func && !(action & IMA_MEASURE)))
1124	return `1`;
1125
1126	ret = ima_alloc_init_template(event_data: &event_data, entry: &entry, template_desc: template);
1127	if (ret < `0`) {
1128	audit_cause = "alloc_entry";
1129	goto out;
1130	}
1131
1132	ret = ima_store_template(entry, violation, NULL, filename: event_data.buf, pcr);
1133	if (ret < `0`) {
1134	audit_cause = "store_entry";
1135	ima_free_template_entry(entry);
1136	}
1137
1138	out:
1139	if (ret < `0`)
1140	integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, fname: eventname,
1141	op: func_measure_str(func),
1142	cause: audit_cause, result: ret, info: `0`, errno: ret);
1143
1144	return ret;
1145	}
1146
1147	/**
1148	* ima_kexec_cmdline - measure kexec cmdline boot args
1149	* @kernel_fd: file descriptor of the kexec kernel being loaded
1150	* @buf: pointer to buffer
1151	* @size: size of buffer
1152	*
1153	* Buffers can only be measured, not appraised.
1154	*/
1155	void ima_kexec_cmdline(int kernel_fd, const void buf, int* size)
1156	{
1157	if (!buf \|\| !size)
1158	return;
1159
1160	CLASS(fd, f)(fd: kernel_fd);
1161	if (fd_empty(f))
1162	return;
1163
1164	process_buffer_measurement(idmap: file_mnt_idmap(fd_file(f)), inode: file_inode(fd_file(f)),
1165	buf, size, eventname: "kexec-cmdline", func: KEXEC_CMDLINE, pcr: `0`,
1166	NULL, buf_hash: false, NULL, digest_len: `0`);
1167	}
1168
1169	/**
1170	* ima_measure_critical_data - measure kernel integrity critical data
1171	* @event_label: unique event label for grouping and limiting critical data
1172	* @event_name: event name for the record in the IMA measurement list
1173	* @buf: pointer to buffer data
1174	* @buf_len: length of buffer data (in bytes)
1175	* @hash: measure buffer data hash
1176	* @digest: buffer digest will be written to
1177	* @digest_len: buffer length
1178	*
1179	* Measure data critical to the integrity of the kernel into the IMA log
1180	* and extend the pcr. Examples of critical data could be various data
1181	* structures, policies, and states stored in kernel memory that can
1182	* impact the integrity of the system.
1183	*
1184	* Return: 0 if the buffer has been successfully measured, 1 if the digest
1185	* has been written to the passed location but not added to a measurement entry,
1186	* a negative value otherwise.
1187	*/
1188	int ima_measure_critical_data(const char *event_label,
1189	const char *event_name,
1190	const void *buf, size_t buf_len,
1191	bool hash, u8 *digest, size_t digest_len)
1192	{
1193	if (!event_name \|\| !event_label \|\| !buf \|\| !buf_len)
1194	return -ENOPARAM;
1195
1196	return process_buffer_measurement(idmap: &nop_mnt_idmap, NULL, buf, size: buf_len,
1197	eventname: event_name, func: CRITICAL_DATA, pcr: `0`,
1198	func_data: event_label, buf_hash: hash, digest,
1199	digest_len);
1200	}
1201	EXPORT_SYMBOL_GPL(ima_measure_critical_data);
1202
1203	#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
1204
1205	/**
1206	* ima_kernel_module_request - Prevent crypto-pkcs1(rsa,*) requests
1207	* @kmod_name: kernel module name
1208	*
1209	* Avoid a verification loop where verifying the signature of the modprobe
1210	* binary requires executing modprobe itself. Since the modprobe iint->mutex
1211	* is already held when the signature verification is performed, a deadlock
1212	* occurs as soon as modprobe is executed within the critical region, since
1213	* the same lock cannot be taken again.
1214	*
1215	* This happens when public_key_verify_signature(), in case of RSA algorithm,
1216	* use alg_name to store internal information in order to construct an
1217	* algorithm on the fly, but crypto_larval_lookup() will try to use alg_name
1218	* in order to load a kernel module with same name.
1219	*
1220	* Since we don't have any real "crypto-pkcs1(rsa,*)" kernel modules,
1221	* we are safe to fail such module request from crypto_larval_lookup(), and
1222	* avoid the verification loop.
1223	*
1224	* Return: Zero if it is safe to load the kernel module, -EINVAL otherwise.
1225	*/
1226	static int ima_kernel_module_request(char *kmod_name)
1227	{
1228	if (strncmp(kmod_name, "crypto-pkcs1(rsa,", `17`) == `0`)
1229	return -EINVAL;
1230
1231	return `0`;
1232	}
1233
1234	#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */
1235
1236	static int __init init_ima(void)
1237	{
1238	int error;
1239
1240	/Note that turning IMA off is intentionally limited to kdump kernel./
1241	if (ima_disabled && is_kdump_kernel()) {
1242	pr_info("IMA functionality is disabled");
1243	return `0`;
1244	}
1245
1246	ima_appraise_parse_cmdline();
1247	ima_init_template_list();
1248	hash_setup(CONFIG_IMA_DEFAULT_HASH);
1249	error = ima_init();
1250
1251	if (error && strcmp(hash_algo_name[ima_hash_algo],
1252	CONFIG_IMA_DEFAULT_HASH) != `0`) {
1253	pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
1254	hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
1255	hash_setup_done = `0`;
1256	hash_setup(CONFIG_IMA_DEFAULT_HASH);
1257	error = ima_init();
1258	}
1259
1260	if (error)
1261	return error;
1262
1263	error = register_blocking_lsm_notifier(nb: &ima_lsm_policy_notifier);
1264	if (error)
1265	pr_warn("Couldn't register LSM notifier, error %d\n", error);
1266
1267	if (!error)
1268	ima_update_policy_flags();
1269
1270	return error;
1271	}
1272
1273	static struct security_hook_list ima_hooks[] __ro_after_init = {
1274	LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
1275	LSM_HOOK_INIT(bprm_creds_for_exec, ima_bprm_creds_for_exec),
1276	LSM_HOOK_INIT(bprm_creds_from_file, ima_creds_check),
1277	LSM_HOOK_INIT(file_post_open, ima_file_check),
1278	LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile),
1279	LSM_HOOK_INIT(file_release, ima_file_free),
1280	LSM_HOOK_INIT(mmap_file, ima_file_mmap),
1281	LSM_HOOK_INIT(file_mprotect, ima_file_mprotect),
1282	LSM_HOOK_INIT(kernel_load_data, ima_load_data),
1283	LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data),
1284	LSM_HOOK_INIT(kernel_read_file, ima_read_file),
1285	LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file),
1286	LSM_HOOK_INIT(path_post_mknod, ima_post_path_mknod),
1287	#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
1288	LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update),
1289	#endif
1290	#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
1291	LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request),
1292	#endif
1293	LSM_HOOK_INIT(inode_free_security_rcu, ima_inode_free_rcu),
1294	};
1295
1296	static const struct lsm_id ima_lsmid = {
1297	.name = "ima",
1298	.id = LSM_ID_IMA,
1299	};
1300
1301	static int __init init_ima_lsm(void)
1302	{
1303	ima_iintcache_init();
1304	security_add_hooks(hooks: ima_hooks, ARRAY_SIZE(ima_hooks), lsmid: &ima_lsmid);
1305	init_ima_appraise_lsm(lsmid: &ima_lsmid);
1306	return `0`;
1307	}
1308
1309	struct lsm_blob_sizes ima_blob_sizes __ro_after_init = {
1310	.lbs_inode = sizeof(struct ima_iint_cache *),
1311	};
1312
1313	DEFINE_LSM(ima) = {
1314	.id = &ima_lsmid,
1315	.init = init_ima_lsm,
1316	.order = LSM_ORDER_LAST,
1317	.blobs = &ima_blob_sizes,
1318	/ Start IMA after the TPM is available /
1319	.initcall_late = init_ima,
1320	};
1321

source code of linux/security/integrity/ima/ima_main.c