Merge branch 'bpf-lsm: Extend interoperability with IMA'

 *		0 on success.

 *		**-EINVAL** for invalid input

 *		**-EOPNOTSUPP** for unsupported protocol

 *

 * long bpf_ima_file_hash(struct file *file, void *dst, u32 size)

 *	Description

 *		Returns a calculated IMA hash of the *file*.

 *		If the hash is larger than *size*, then only *size*

 *		bytes will be copied to *dst*

 *	Return

 *		The **hash_algo** is returned on success,

 *		**-EOPNOTSUP** if the hash calculation failed or **-EINVAL** if

 *		invalid arguments are passed.

 */

#define __BPF_FUNC_MAPPER(FN)		\

	FN(unspec),			\

	FN(xdp_store_bytes),		\

	FN(copy_from_user_task),	\

	FN(skb_set_tstamp),		\

	FN(ima_file_hash),		\

	/* */

/* integer value in 'imm' field of BPF_CALL instruction selects which helper

	.allowed	= bpf_ima_inode_hash_allowed,

};

BPF_CALL_3(bpf_ima_file_hash, struct file *, file, void *, dst, u32, size)

{

	return ima_file_hash(file, dst, size);

}

BTF_ID_LIST_SINGLE(bpf_ima_file_hash_btf_ids, struct, file)

static const struct bpf_func_proto bpf_ima_file_hash_proto = {

	.func		= bpf_ima_file_hash,

	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_BTF_ID,

	.arg1_btf_id	= &bpf_ima_file_hash_btf_ids[0],

	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,

	.arg3_type	= ARG_CONST_SIZE,

	.allowed	= bpf_ima_inode_hash_allowed,

};

static const struct bpf_func_proto *

bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)

{

		return &bpf_bprm_opts_set_proto;

	case BPF_FUNC_ima_inode_hash:

		return prog->aux->sleepable ? &bpf_ima_inode_hash_proto : NULL;

	case BPF_FUNC_ima_file_hash:

		return prog->aux->sleepable ? &bpf_ima_file_hash_proto : NULL;

	default:

		return tracing_prog_func_proto(func_id, prog);

	}

BTF_ID(func, bpf_lsm_inode_symlink)

BTF_ID(func, bpf_lsm_inode_unlink)

BTF_ID(func, bpf_lsm_kernel_module_request)

BTF_ID(func, bpf_lsm_kernel_read_file)

BTF_ID(func, bpf_lsm_kernfs_init_security)

#ifdef CONFIG_KEYS

/**

 * ima_file_mprotect - based on policy, limit mprotect change

 * @vma: vm_area_struct protection is set to

 * @prot: contains the protection that will be applied by the kernel.

 *

 * Files can be mmap'ed read/write and later changed to execute to circumvent

}

EXPORT_SYMBOL_GPL(ima_file_check);

static int __ima_inode_hash(struct inode *inode, char *buf, size_t buf_size)

static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,

			    size_t buf_size)

{

	struct integrity_iint_cache *iint;

	int hash_algo;

	if (!ima_policy_flag)

		return -EOPNOTSUPP;

	struct integrity_iint_cache *iint = NULL, tmp_iint;

	int rc, hash_algo;

	if (ima_policy_flag) {

		iint = integrity_iint_find(inode);

	if (!iint)

		if (iint)

			mutex_lock(&iint->mutex);

	}

	if ((!iint || !(iint->flags & IMA_COLLECTED)) && file) {

		if (iint)

			mutex_unlock(&iint->mutex);

		memset(&tmp_iint, 0, sizeof(tmp_iint));

		tmp_iint.inode = inode;

		mutex_init(&tmp_iint.mutex);

		rc = ima_collect_measurement(&tmp_iint, file, NULL, 0,

					     ima_hash_algo, NULL);

		if (rc < 0)

			return -EOPNOTSUPP;

		iint = &tmp_iint;

		mutex_lock(&iint->mutex);

	}

	if (!iint)

		return -EOPNOTSUPP;

	/*

	 * ima_file_hash can be called when ima_collect_measurement has still

	hash_algo = iint->ima_hash->algo;

	mutex_unlock(&iint->mutex);

	if (iint == &tmp_iint)

		kfree(iint->ima_hash);

	return hash_algo;

}

/**

 * ima_file_hash - return the stored measurement if a file has been hashed and

 * is in the iint cache.

 * ima_file_hash - return a measurement of the file

 * @file: pointer to the file

 * @buf: buffer in which to store the hash

 * @buf_size: length of the buffer

 * The file hash returned is based on the entire file, including the appended

 * signature.

 *

 * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP.

 * If the measurement cannot be performed, return -EOPNOTSUPP.

 * If the parameters are incorrect, return -EINVAL.

 */

int ima_file_hash(struct file *file, char *buf, size_t buf_size)

	if (!file)

		return -EINVAL;

	return __ima_inode_hash(file_inode(file), buf, buf_size);

	return __ima_inode_hash(file_inode(file), file, buf, buf_size);

}

EXPORT_SYMBOL_GPL(ima_file_hash);

	if (!inode)

		return -EINVAL;

	return __ima_inode_hash(inode, buf, buf_size);

	return __ima_inode_hash(inode, NULL, buf, buf_size);

}

EXPORT_SYMBOL_GPL(ima_inode_hash);

/**

 * ima_post_create_tmpfile - mark newly created tmpfile as new

 * @mnt_userns: user namespace of the mount the inode was found from

 * @file : newly created tmpfile

 * @inode: inode of the newly created tmpfile

 *

 * No measuring, appraising or auditing of newly created tmpfiles is needed.

 * Skip calling process_measurement(), but indicate which newly, created

 * ima_post_load_data - appraise decision based on policy

 * @buf: pointer to in memory file contents

 * @size: size of in memory file contents

 * @id: kernel load data caller identifier

 * @description: @id-specific description of contents

 * @load_id: kernel load data caller identifier

 * @description: @load_id-specific description of contents

 *

 * Measure/appraise/audit in memory buffer based on policy.  Policy rules

 * are written in terms of a policy identifier.

 *		0 on success.

 *		**-EINVAL** for invalid input

 *		**-EOPNOTSUPP** for unsupported protocol

 *

 * long bpf_ima_file_hash(struct file *file, void *dst, u32 size)

 *	Description

 *		Returns a calculated IMA hash of the *file*.

 *		If the hash is larger than *size*, then only *size*

 *		bytes will be copied to *dst*

 *	Return

 *		The **hash_algo** is returned on success,

 *		**-EOPNOTSUP** if the hash calculation failed or **-EINVAL** if

 *		invalid arguments are passed.

 */

#define __BPF_FUNC_MAPPER(FN)		\

	FN(unspec),			\

	FN(xdp_store_bytes),		\

	FN(copy_from_user_task),	\

	FN(skb_set_tstamp),		\

	FN(ima_file_hash),		\

	/* */

/* integer value in 'imm' field of BPF_CALL instruction selects which helper

usage()

{

	echo "Usage: $0 <setup|cleanup|run> <existing_tmp_dir>"

	echo "Usage: $0 <setup|cleanup|run|modify-bin|restore-bin|load-policy> <existing_tmp_dir>"

	exit 1

}

	ensure_mount_securityfs

	echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE}

	echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${mount_dir}/policy_test

}

cleanup() {

	exec "${copied_bin_path}"

}

modify_bin()

{

	local tmp_dir="$1"

	local mount_dir="${tmp_dir}/mnt"

	local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"

	echo "mod" >> "${copied_bin_path}"

}

restore_bin()

{

	local tmp_dir="$1"

	local mount_dir="${tmp_dir}/mnt"

	local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"

	truncate -s -4 "${copied_bin_path}"

}

load_policy()

{

	local tmp_dir="$1"

	local mount_dir="${tmp_dir}/mnt"

	echo ${mount_dir}/policy_test > ${IMA_POLICY_FILE} 2> /dev/null

}

catch()

{

	local exit_code="$1"

		cleanup "${tmp_dir}"

	elif [[ "${action}" == "run" ]]; then

		run "${tmp_dir}"

	elif [[ "${action}" == "modify-bin" ]]; then

		modify_bin "${tmp_dir}"

	elif [[ "${action}" == "restore-bin" ]]; then

		restore_bin "${tmp_dir}"

	elif [[ "${action}" == "load-policy" ]]; then

		load_policy "${tmp_dir}"

	else

		echo "Unknown action: ${action}"

		exit 1