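/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Copyright (C) 2008 IBM Corporation
 * Author: Mimi Zohar <[email protected]>
 */

#ifndef _LINUX_IMA_H
#define _LINUX_IMA_H

#include <linux/kernel_read_file.h>
#include <linux/fs.h>
#include <linux/security.h>
#include <linux/kexec.h>
#include <crypto/hash_info.h>
struct linux_binprm;

/*
 * Integrity Measurement Architecture (IMA) hook interface.
 *
 * Each hook comes in two forms: with the matching CONFIG_* option the real
 * implementation is declared extern; without it a static inline stub is
 * provided so that callers need no #ifdef of their own.
 *
 * The stubs are deliberately permissive. The int-returning check hooks
 * return 0, so the calling code continues as if the hook had nothing to
 * object to; the hash/measure helpers instead return an error code
 * (-EOPNOTSUPP / -ENOENT) so a caller can tell that no measurement
 * facility is present. When auditing a kernel configuration, keep in mind
 * that with these options disabled the hooks below enforce nothing.
 */
#ifdef CONFIG_IMA
/* Hash algorithm IMA currently uses; the stub reports HASH_ALGO__LAST. */
extern enum hash_algo ima_get_current_hash_algo(void);

/* Execution / open / mmap / mprotect hooks; 0 lets the operation proceed. */
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
				    struct inode *inode);
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long reqprot,
			 unsigned long prot, unsigned long flags);
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
			     unsigned long prot);

/*
 * Kernel-initiated loads (firmware, modules, kexec images, policies ...):
 * a pre-load hook that sees only the id, and a post-load hook that sees
 * the buffer once the contents are available.
 */
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
extern int ima_post_load_data(char *buf, loff_t size,
			      enum kernel_load_data_id id, char *description);
extern int ima_read_file(struct file *file, enum kernel_read_file_id id,
			 bool contents);
extern int ima_post_read_file(struct file *file, char *buf, loff_t size,
			      enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct mnt_idmap *idmap,
				struct dentry *dentry);

/*
 * Copy a hash for the file/inode (presumably the IMA digest) into @buf,
 * which holds @buf_size bytes. The stubs return -EOPNOTSUPP.
 */
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);

/* Record the kexec command line of @size bytes at @buf. */
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);

/*
 * Measure @buf_len bytes of caller-supplied critical data under
 * @event_label/@event_name. If @hash is set, a digest of @digest_len bytes
 * is written to @digest. The stub returns -ENOENT.
 */
extern int ima_measure_critical_data(const char *event_label,
				     const char *event_name,
				     const void *buf, size_t buf_len,
				     bool hash, u8 *digest, size_t digest_len);

#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
extern void ima_appraise_parse_cmdline(void);
#else
static inline void ima_appraise_parse_cmdline(void) {}
#endif

#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
#endif

#else /* !CONFIG_IMA */

static inline enum hash_algo ima_get_current_hash_algo(void)
{
	return HASH_ALGO__LAST;
}

static inline int ima_bprm_check(struct linux_binprm *bprm)
{
	return 0;
}

static inline int ima_file_check(struct file *file, int mask)
{
	return 0;
}

static inline void ima_post_create_tmpfile(struct mnt_idmap *idmap,
					   struct inode *inode)
{
}

static inline void ima_file_free(struct file *file)
{
}

static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
				unsigned long prot, unsigned long flags)
{
	return 0;
}

static inline int ima_file_mprotect(struct vm_area_struct *vma,
				    unsigned long reqprot, unsigned long prot)
{
	return 0;
}

static inline int ima_load_data(enum kernel_load_data_id id, bool contents)
{
	return 0;
}

static inline int ima_post_load_data(char *buf, loff_t size,
				     enum kernel_load_data_id id,
				     char *description)
{
	return 0;
}

static inline int ima_read_file(struct file *file, enum kernel_read_file_id id,
				bool contents)
{
	return 0;
}

static inline int ima_post_read_file(struct file *file, char *buf, loff_t size,
				     enum kernel_read_file_id id)
{
	return 0;
}

static inline void ima_post_path_mknod(struct mnt_idmap *idmap,
				       struct dentry *dentry)
{
}

/* No measurement facility: callers must not expect a hash in @buf. */
static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
{
	return -EOPNOTSUPP;
}

static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size)
{
	return -EOPNOTSUPP;
}

static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}

static inline int ima_measure_critical_data(const char *event_label,
					    const char *event_name,
					    const void *buf, size_t buf_len,
					    bool hash, u8 *digest,
					    size_t digest_len)
{
	return -ENOENT;
}

#endif /* CONFIG_IMA */

/* Hand-over of the measurement list across kexec (arch support required). */
#ifdef CONFIG_HAVE_IMA_KEXEC
int __init ima_free_kexec_buffer(void);
int __init ima_get_kexec_buffer(void **addr, size_t *size);
#endif

/*
 * Architecture-provided boot state and policy. Without
 * CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT, secure boot is reported as off and
 * no arch policy is supplied.
 */
#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
extern bool arch_ima_get_secureboot(void);
extern const char * const *arch_get_ima_policy(void);
#else
static inline bool arch_ima_get_secureboot(void)
{
	return false;
}

static inline const char * const *arch_get_ima_policy(void)
{
	return NULL;
}
#endif

#ifndef CONFIG_IMA_KEXEC
struct kimage;

static inline void ima_add_kexec_buffer(struct kimage *image)
{}
#endif

/* Measurement of asymmetric keys as they are added to keyrings. */
#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
extern void ima_post_key_create_or_update(struct key *keyring,
					  struct key *key,
					  const void *payload, size_t plen,
					  unsigned long flags, bool create);
#else
static inline void ima_post_key_create_or_update(struct key *keyring,
						 struct key *key,
						 const void *payload,
						 size_t plen,
						 unsigned long flags,
						 bool create) {}
#endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */

/*
 * Appraisal hooks on attribute and ACL changes. Without CONFIG_IMA_APPRAISE
 * they all report success (0 / false) and the attribute change goes through
 * without IMA involvement.
 */
#ifdef CONFIG_IMA_APPRAISE
extern bool is_ima_appraise_enabled(void);
extern void ima_inode_post_setattr(struct mnt_idmap *idmap,
				   struct dentry *dentry, int ia_valid);
extern int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
			      const char *xattr_name, const void *xattr_value,
			      size_t xattr_value_len, int flags);
extern int ima_inode_set_acl(struct mnt_idmap *idmap,
			     struct dentry *dentry, const char *acl_name,
			     struct posix_acl *kacl);

/* Removing an ACL is expressed as setting it to NULL. */
static inline int ima_inode_remove_acl(struct mnt_idmap *idmap,
				       struct dentry *dentry,
				       const char *acl_name)
{
	return ima_inode_set_acl(idmap, dentry, acl_name, NULL);
}

extern int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
				 const char *xattr_name);
#else
static inline bool is_ima_appraise_enabled(void)
{
	/* bool return: use the bool literal rather than a bare 0 */
	return false;
}

static inline void ima_inode_post_setattr(struct mnt_idmap *idmap,
					  struct dentry *dentry, int ia_valid)
{
}

static inline int ima_inode_setxattr(struct mnt_idmap *idmap,
				     struct dentry *dentry,
				     const char *xattr_name,
				     const void *xattr_value,
				     size_t xattr_value_len,
				     int flags)
{
	return 0;
}

static inline int ima_inode_set_acl(struct mnt_idmap *idmap,
				    struct dentry *dentry, const char *acl_name,
				    struct posix_acl *kacl)
{
	return 0;
}

static inline int ima_inode_removexattr(struct mnt_idmap *idmap,
					struct dentry *dentry,
					const char *xattr_name)
{
	return 0;
}

static inline int ima_inode_remove_acl(struct mnt_idmap *idmap,
				       struct dentry *dentry,
				       const char *acl_name)
{
	return 0;
}
#endif /* CONFIG_IMA_APPRAISE */

/*
 * Whether files of class @func are subject to signature appraisal. Only
 * available when both appraisal and the trusted keyring are built in;
 * otherwise the answer is always false.
 */
#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
extern bool ima_appraise_signature(enum kernel_read_file_id func);
#else
static inline bool ima_appraise_signature(enum kernel_read_file_id func)
{
	return false;
}
#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
#endif /* _LINUX_IMA_H */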