/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Reiner Sailer <sailer@watson.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * File: ima.h
 *	internal Integrity Measurement Architecture (IMA) definitions
 */
12*4882a593Smuzhiyun
13*4882a593Smuzhiyun #ifndef __LINUX_IMA_H
14*4882a593Smuzhiyun #define __LINUX_IMA_H
15*4882a593Smuzhiyun
16*4882a593Smuzhiyun #include <linux/types.h>
17*4882a593Smuzhiyun #include <linux/crypto.h>
18*4882a593Smuzhiyun #include <linux/fs.h>
19*4882a593Smuzhiyun #include <linux/security.h>
20*4882a593Smuzhiyun #include <linux/hash.h>
21*4882a593Smuzhiyun #include <linux/tpm.h>
22*4882a593Smuzhiyun #include <linux/audit.h>
23*4882a593Smuzhiyun #include <crypto/hash_info.h>
24*4882a593Smuzhiyun
25*4882a593Smuzhiyun #include "../integrity.h"
26*4882a593Smuzhiyun
27*4882a593Smuzhiyun #ifdef CONFIG_HAVE_IMA_KEXEC
28*4882a593Smuzhiyun #include <asm/ima.h>
29*4882a593Smuzhiyun #endif
30*4882a593Smuzhiyun
/*
 * Output format requested from a field_show() callback (see
 * struct ima_template_field): the names distinguish binary output with
 * or without a per-field length prefix, an older binary string layout,
 * and human-readable ASCII.
 */
enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
		     IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
/*
 * TPM PCR indexes referenced by IMA.
 * NOTE(review): which of these is the default measurement PCR is decided
 * by the policy code, not here - confirm before relying on it.
 */
enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
34*4882a593Smuzhiyun
/* digest size for IMA, fits SHA1 or MD5 */
#define IMA_DIGEST_SIZE		SHA1_DIGEST_SIZE
/* upper bound on a measurement event name; not referenced in this header */
#define IMA_EVENT_NAME_LEN_MAX	255

/*
 * Bucket count of the measurement hash table (struct ima_h_table.queue[]):
 * 2^IMA_HASH_BITS = 1024. ima_hash_key() reduces a digest modulo this.
 */
#define IMA_HASH_BITS 10
#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)

/* sizes field_id[] in struct ima_template_field, NUL terminator included */
#define IMA_TEMPLATE_FIELD_ID_MAX_LEN	16
/* NOTE(review): not used in this header; presumably bounds num_fields - confirm */
#define IMA_TEMPLATE_NUM_FIELDS_MAX	15

/*
 * The "ima" template: its format string names the field ids "d" and "n",
 * in the '|'-separated form that template_desc_init_fields() parses.
 */
#define IMA_TEMPLATE_IMA_NAME "ima"
#define IMA_TEMPLATE_IMA_FMT "d|n"
47*4882a593Smuzhiyun
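/*
 * NR_BANKS - number of PCR banks allocated on a TPM chip, 0 when @chip is NULL
 * @chip: struct tpm_chip pointer, may be NULL (no TPM available)
 *
 * The argument is parenthesized so a ternary or other compound expression
 * can be passed without changing precedence. It is still evaluated twice,
 * so do not pass an expression with side effects.
 */
#define NR_BANKS(chip) (((chip) != NULL) ? (chip)->nr_allocated_banks : 0)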
49*4882a593Smuzhiyun
/* current content of the policy */
extern int ima_policy_flag;

/* set during initialization */
extern int ima_hash_algo;
/*
 * __ro_after_init: these are written during boot-time init only and are
 * mapped read-only afterwards, so a later write faults instead of silently
 * changing which digest slots IMA uses.
 */
extern int ima_sha1_idx __ro_after_init;
extern int ima_hash_algo_idx __ro_after_init;
extern int ima_extra_slots __ro_after_init;
/* NOTE(review): presumably a mask of the IMA_APPRAISE_* bits below - confirm */
extern int ima_appraise;
/* presumably NULL when no TPM is present; NR_BANKS() guards for that case */
extern struct tpm_chip *ima_tpm_chip;
extern const char boot_aggregate_name[];
61*4882a593Smuzhiyun
/*
 * IMA event related data: the inputs a template field's field_init()
 * callback (struct ima_template_field) may draw on when serializing one
 * measurement event.
 * NOTE(review): not every member is meaningful for every hook (a buffer
 * event has no file); callbacks should treat NULL pointers and zero
 * lengths as "absent" - confirm against the field_init implementations.
 */
struct ima_event_data {
	struct integrity_iint_cache *iint;
	struct file *file;
	const unsigned char *filename;
	struct evm_ima_xattr_data *xattr_value;	/* xattr payload ... */
	int xattr_len;				/* ... and its length */
	const struct modsig *modsig;		/* appended signature, if any */
	const char *violation;			/* cause string for violation events */
	const void *buf;			/* raw buffer for buffer events ... */
	int buf_len;				/* ... and its length */
};
74*4882a593Smuzhiyun
/*
 * IMA template field data definition: one serialized field of a template
 * entry, as produced by field_init() and stored in
 * struct ima_template_entry.template_data[].
 */
struct ima_field_data {
	u8 *data;	/* field bytes */
	u32 len;	/* number of valid bytes at data */
};
80*4882a593Smuzhiyun
/*
 * IMA template field definition: one field type a template format string
 * can name (e.g. "d" or "n" in IMA_TEMPLATE_IMA_FMT).
 */
struct ima_template_field {
	/* id as written in a template format string; array is
	 * IMA_TEMPLATE_FIELD_ID_MAX_LEN bytes, so longer ids cannot be stored
	 */
	const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
	/* fill @field_data from @event_data; int return, presumably 0 on success */
	int (*field_init)(struct ima_event_data *event_data,
			  struct ima_field_data *field_data);
	/* render @field_data to @m in the layout selected by @show */
	void (*field_show)(struct seq_file *m, enum ima_show_type show,
			   struct ima_field_data *field_data);
};
89*4882a593Smuzhiyun
/*
 * IMA template descriptor definition: a named template, i.e. a format
 * string resolved into an ordered array of field definitions.
 */
struct ima_template_desc {
	struct list_head list;	/* membership in the template list */
	char *name;		/* template name, e.g. IMA_TEMPLATE_IMA_NAME */
	char *fmt;		/* format string, e.g. IMA_TEMPLATE_IMA_FMT */
	int num_fields;		/* entries in fields[] */
	/* resolved fields, as filled in by template_desc_init_fields() */
	const struct ima_template_field **fields;
};
98*4882a593Smuzhiyun
/*
 * One measurement-list entry. Variable sized: template_data[] is a
 * flexible array member, so instances are allocated with room for the
 * descriptor's num_fields entries (see ima_alloc_init_template()).
 */
struct ima_template_entry {
	int pcr;				/* PCR this entry is extended into */
	struct tpm_digest *digests;		/* per-bank digests of the entry */
	struct ima_template_desc *template_desc; /* template descriptor */
	u32 template_data_len;
	struct ima_field_data template_data[]; /* template related data */
};
106*4882a593Smuzhiyun
/*
 * Links one template entry into both the duplicate-detection hash table
 * (ima_htable) and the ordered measurement list (ima_measurements).
 */
struct ima_queue_entry {
	struct hlist_node hnext;	/* place in hash collision list */
	struct list_head later;		/* place in ima_measurements list */
	struct ima_template_entry *entry;
};
extern struct list_head ima_measurements;	/* list of all measurements */
113*4882a593Smuzhiyun
/*
 * Some details preceding the binary serialized measurement list.
 * NOTE(review): this header is presumably consumed by the next kernel
 * after kexec (see ima_load_kexec_buffer()), so its layout is part of a
 * cross-kernel ABI: fixed-width fields, explicit reserved padding, and no
 * reordering. Confirm before changing it.
 */
struct ima_kexec_hdr {
	u16	version;
	u16	_reserved0;	/* pad to keep the following fields aligned */
	u32	_reserved1;
	u64	buffer_size;	/* bytes of serialized list that follow */
	u64	count;		/* number of entries in that list */
};
122*4882a593Smuzhiyun
/* lookup table defined elsewhere in IMA; its index/value semantics are not visible here */
extern const int read_idmap[];
124*4882a593Smuzhiyun
125*4882a593Smuzhiyun #ifdef CONFIG_HAVE_IMA_KEXEC
126*4882a593Smuzhiyun void ima_load_kexec_buffer(void);
127*4882a593Smuzhiyun #else
/* CONFIG_HAVE_IMA_KEXEC=n: nothing to load, the call is a no-op. */
static inline void ima_load_kexec_buffer(void)
{
}
129*4882a593Smuzhiyun #endif /* CONFIG_HAVE_IMA_KEXEC */
130*4882a593Smuzhiyun
/*
 * The default binary_runtime_measurements list format is defined as the
 * platform native format. The canonical format is defined as little-endian.
 * (true selects the canonical format, so a list written on a big-endian
 * machine can be parsed elsewhere.)
 */
extern bool ima_canonical_fmt;
136*4882a593Smuzhiyun
/* Internal IMA function definitions (bodies live in the IMA .c files) */
int ima_init(void);
int ima_fs_init(void);
/* queue an initialized template entry; @violation marks it as a violation */
int ima_add_template_entry(struct ima_template_entry *entry, int violation,
			   const char *op, struct inode *inode,
			   const unsigned char *filename);
/* digest computation; @hash carries the algorithm in and the digest out */
int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
int ima_calc_buffer_hash(const void *buf, loff_t len,
			 struct ima_digest_data *hash);
/* hash the serialized fields of @entry into its per-bank digests */
int ima_calc_field_array_hash(struct ima_field_data *field_data,
			      struct ima_template_entry *entry);
int ima_calc_boot_aggregate(struct ima_digest_data *hash);
void ima_add_violation(struct file *file, const unsigned char *filename,
		       struct integrity_iint_cache *iint,
		       const char *op, const char *cause);
int ima_init_crypto(void);
/* seq_file output helpers used by the field_show() callbacks */
void ima_putc(struct seq_file *m, void *data, int datalen);
void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
/* template descriptor handling */
int template_desc_init_fields(const char *template_fmt,
			      const struct ima_template_field ***fields,
			      int *num_fields);
struct ima_template_desc *ima_template_desc_current(void);
struct ima_template_desc *lookup_template_desc(const char *name);
bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
/*
 * Restore entries handed over by a previous kernel (see struct ima_kexec_hdr).
 * NOTE(review): @buf originates outside the running kernel, so the parser
 * must bound every length it reads by @bufsize - confirm in the .c file.
 */
int ima_restore_measurement_entry(struct ima_template_entry *entry);
int ima_restore_measurement_list(loff_t bufsize, void *buf);
int ima_measurements_show(struct seq_file *m, void *v);
unsigned long ima_get_binary_runtime_size(void);
int ima_init_template(void);
void ima_init_template_list(void);
int __init ima_init_digests(void);
int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
			  void *lsm_data);
170*4882a593Smuzhiyun
/*
 * used to protect h_table and sha_table
 * NOTE(review): no sha_table is declared in this header; confirm the
 * comment still names what the lock actually covers.
 */
extern spinlock_t ima_queue_lock;
175*4882a593Smuzhiyun
/*
 * Hash table of stored measurements, indexed by ima_hash_key() on the
 * entry digest; queue[] has IMA_MEASURE_HTABLE_SIZE (1024) buckets.
 */
struct ima_h_table {
	atomic_long_t len;	/* number of stored measurements in the list */
	atomic_long_t violations;	/* number of violations recorded */
	struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
};
extern struct ima_h_table ima_htable;
182*4882a593Smuzhiyun
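/*
 * ima_hash_key - bucket index for a measurement digest
 * @digest: digest bytes; only digest[0] and digest[1] are read
 *
 * Returns a value in [0, IMA_MEASURE_HTABLE_SIZE), sized for
 * ima_htable.queue[]. @digest is never written, hence const.
 */
static inline unsigned int ima_hash_key(const u8 *digest)
{
	/* there is no point in taking a hash of part of a digest */
	return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
}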
188*4882a593Smuzhiyun
/*
 * X-macro listing every IMA hook as hook(ENUM, str). It is expanded once
 * into enum ima_hooks and once into ima_hooks_measure_str[], so the two
 * stay in the same order by construction. MAX_CHECK is the end sentinel
 * (func_measure_str() treats anything >= MAX_CHECK as out of range); add
 * new hooks above it.
 */
#define __ima_hooks(hook)				\
	hook(NONE, none)				\
	hook(FILE_CHECK, file)				\
	hook(MMAP_CHECK, mmap)				\
	hook(BPRM_CHECK, bprm)				\
	hook(CREDS_CHECK, creds)			\
	hook(POST_SETATTR, post_setattr)		\
	hook(MODULE_CHECK, module)			\
	hook(FIRMWARE_CHECK, firmware)			\
	hook(KEXEC_KERNEL_CHECK, kexec_kernel)		\
	hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs)	\
	hook(POLICY_CHECK, policy)			\
	hook(KEXEC_CMDLINE, kexec_cmdline)		\
	hook(KEY_CHECK, key)				\
	hook(MAX_CHECK, none)
204*4882a593Smuzhiyun
/* hook(ENUM, str) -> "ENUM," : one enumerator per hook */
#define __ima_hook_enumify(ENUM, str)	ENUM,
#define __ima_stringify(arg) (#arg)
/* hook(ENUM, str) -> ("measuring_str"), : one label per hook */
#define __ima_hook_measuring_stringify(ENUM, str) \
	(__ima_stringify(measuring_ ##str)),
209*4882a593Smuzhiyun
/* NONE, FILE_CHECK, ... KEY_CHECK, MAX_CHECK - in __ima_hooks order */
enum ima_hooks {
	__ima_hooks(__ima_hook_enumify)
};
213*4882a593Smuzhiyun
/*
 * "measuring_none", "measuring_file", ... indexed by enum ima_hooks.
 * Defined in the header, so every including translation unit gets its own
 * read-only copy.
 */
static const char * const ima_hooks_measure_str[] = {
	__ima_hooks(__ima_hook_measuring_stringify)
};
217*4882a593Smuzhiyun
/*
 * func_measure_str - "measuring_<hook>" label for an IMA hook
 * @func: hook identifier from enum ima_hooks
 *
 * Values at or beyond the MAX_CHECK sentinel map to the NONE label
 * instead of indexing past ima_hooks_measure_str[].
 */
static inline const char *func_measure_str(enum ima_hooks func)
{
	enum ima_hooks idx = (func < MAX_CHECK) ? func : NONE;

	return ima_hooks_measure_str[idx];
}
225*4882a593Smuzhiyun
/* hook name strings defined elsewhere in IMA (e.g. for policy parsing) */
extern const char *const func_tokens[];

/* opaque: only pointers to it are handled in this header */
struct modsig;
229*4882a593Smuzhiyun
230*4882a593Smuzhiyun #ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS
/*
 * To track keys that need to be measured.
 * One queued key: the payload bytes (owned by the entry) plus the name of
 * the keyring it was added to, kept until ima_process_queued_keys() runs.
 */
struct ima_key_entry {
	struct list_head list;
	void *payload;
	size_t payload_len;
	char *keyring_name;
};
void ima_init_key_queue(void);
/* true while keys must be queued rather than measured immediately */
bool ima_should_queue_key(void);
/* returns whether the key was taken into the queue */
bool ima_queue_key(struct key *keyring, const void *payload,
		   size_t payload_len);
void ima_process_queued_keys(void);
245*4882a593Smuzhiyun #else
/* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=n: there is no queue to set up. */
static inline void ima_init_key_queue(void)
{
}
/* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=n: keys are never queued. */
static inline bool ima_should_queue_key(void)
{
	bool queue = false;

	return queue;
}
/*
 * CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=n: the key is never taken into a queue,
 * so false is returned unconditionally and the arguments are ignored.
 */
static inline bool ima_queue_key(struct key *keyring, const void *payload,
				 size_t payload_len)
{
	bool queued = false;

	return queued;
}
/* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=n: nothing was queued, nothing to process. */
static inline void ima_process_queued_keys(void)
{
}
252*4882a593Smuzhiyun #endif /* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS */
253*4882a593Smuzhiyun
/* LIM API function definitions */
/*
 * Policy decision for one access: returns the action bits, and fills
 * @pcr / @template_desc from the matching rule. @keyring is only relevant
 * for KEY_CHECK (NULL otherwise, presumably).
 */
int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
		   int mask, enum ima_hooks func, int *pcr,
		   struct ima_template_desc **template_desc,
		   const char *keyring);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
/* compute the file (or @buf) hash with @algo into @iint; may collect @modsig */
int ima_collect_measurement(struct integrity_iint_cache *iint,
			    struct file *file, void *buf, loff_t size,
			    enum hash_algo algo, struct modsig *modsig);
/* build a template entry from @iint and friends and store it into @pcr */
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
			   const unsigned char *filename,
			   struct evm_ima_xattr_data *xattr_value,
			   int xattr_len, const struct modsig *modsig, int pcr,
			   struct ima_template_desc *template_desc);
/* measure an in-memory buffer under @eventname (no file, no iint) */
void process_buffer_measurement(struct inode *inode, const void *buf, int size,
				const char *eventname, enum ima_hooks func,
				int pcr, const char *keyring);
void ima_audit_measurement(struct integrity_iint_cache *iint,
			   const unsigned char *filename);
/* allocate *@entry sized for @template_desc and run its field_init()s */
int ima_alloc_init_template(struct ima_event_data *event_data,
			    struct ima_template_entry **entry,
			    struct ima_template_desc *template_desc);
int ima_store_template(struct ima_template_entry *entry, int violation,
		       struct inode *inode,
		       const unsigned char *filename, int pcr);
/* release an entry from ima_alloc_init_template() that was not stored */
void ima_free_template_entry(struct ima_template_entry *entry);
const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
281*4882a593Smuzhiyun
/* IMA policy related functions */
int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
		     enum ima_hooks func, int mask, int flags, int *pcr,
		     struct ima_template_desc **template_desc,
		     const char *keyring);
void ima_init_policy(void);
void ima_update_policy(void);
void ima_update_policy_flag(void);
/*
 * Parse one rule written to the policy file. The rule text arrives from
 * user space (see POLICY_FILE_FLAGS), so it is untrusted input; returns the
 * ssize_t convention of a write() handler.
 */
ssize_t ima_parse_add_rule(char *);
void ima_delete_rules(void);
int ima_check_policy(void);
/* seq_file iterator callbacks backing the policy file */
void *ima_policy_start(struct seq_file *m, loff_t *pos);
void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
void ima_policy_stop(struct seq_file *m, void *v);
int ima_policy_show(struct seq_file *m, void *v);
297*4882a593Smuzhiyun
/*
 * Appraise integrity measurements.
 * Independent bit flags (one bit each, 0x01..0x40), so they can be OR-ed
 * into a single int; the first three name the appraisal mode, the rest the
 * object classes appraisal applies to.
 */
#define IMA_APPRAISE_ENFORCE	0x01
#define IMA_APPRAISE_FIX	0x02
#define IMA_APPRAISE_LOG	0x04
#define IMA_APPRAISE_MODULES	0x08
#define IMA_APPRAISE_FIRMWARE	0x10
#define IMA_APPRAISE_POLICY	0x20
#define IMA_APPRAISE_KEXEC	0x40
306*4882a593Smuzhiyun
307*4882a593Smuzhiyun #ifdef CONFIG_IMA_APPRAISE
/* CONFIG_IMA_APPRAISE=y: real implementations, defined in the IMA .c files */
int ima_check_blacklist(struct integrity_iint_cache *iint,
			const struct modsig *modsig, int pcr);
/* verify the file against its xattr / @modsig; returns an integrity_status */
int ima_appraise_measurement(enum ima_hooks func,
			     struct integrity_iint_cache *iint,
			     struct file *file, const unsigned char *filename,
			     struct evm_ima_xattr_data *xattr_value,
			     int xattr_len, const struct modsig *modsig);
int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
					   enum ima_hooks func);
/* algorithm recorded in the xattr; @xattr_value may come from disk, so @xattr_len bounds it */
enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
				 int xattr_len);
/* read the xattr into a freshly allocated *@xattr_value; caller frees it */
int ima_read_xattr(struct dentry *dentry,
		   struct evm_ima_xattr_data **xattr_value);
323*4882a593Smuzhiyun
324*4882a593Smuzhiyun #else
/*
 * CONFIG_IMA_APPRAISE=n: no blacklist exists, so every caller gets 0
 * (presumably "not blacklisted"); arguments are ignored.
 */
static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
				      const struct modsig *modsig, int pcr)
{
	const int not_listed = 0;

	return not_listed;
}
330*4882a593Smuzhiyun
/*
 * CONFIG_IMA_APPRAISE=n: nothing is verified, so the status is always
 * INTEGRITY_UNKNOWN regardless of the arguments.
 */
static inline int ima_appraise_measurement(enum ima_hooks func,
					   struct integrity_iint_cache *iint,
					   struct file *file,
					   const unsigned char *filename,
					   struct evm_ima_xattr_data *xattr_value,
					   int xattr_len,
					   const struct modsig *modsig)
{
	int status = INTEGRITY_UNKNOWN;

	return status;
}
341*4882a593Smuzhiyun
/* CONFIG_IMA_APPRAISE=n: returns 0 for every inode, i.e. never appraise. */
static inline int ima_must_appraise(struct inode *inode, int mask,
				    enum ima_hooks func)
{
	const int no_appraisal = 0;

	return no_appraisal;
}
347*4882a593Smuzhiyun
/* CONFIG_IMA_APPRAISE=n: no xattr is ever written; the call is a no-op. */
static inline void ima_update_xattr(struct integrity_iint_cache *iint,
				    struct file *file)
{
}
352*4882a593Smuzhiyun
/* CONFIG_IMA_APPRAISE=n: no cached verdict exists, report INTEGRITY_UNKNOWN. */
static inline enum integrity_status ima_get_cache_status(struct integrity_iint_cache
							 *iint,
							 enum ima_hooks func)
{
	enum integrity_status status = INTEGRITY_UNKNOWN;

	return status;
}
359*4882a593Smuzhiyun
/*
 * CONFIG_IMA_APPRAISE=n: the xattr is not consulted; the globally
 * configured ima_hash_algo is returned for every input.
 */
static inline enum hash_algo
ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len)
{
	enum hash_algo algo = ima_hash_algo;

	return algo;
}
365*4882a593Smuzhiyun
/*
 * CONFIG_IMA_APPRAISE=n: nothing is read and *@xattr_value is left
 * untouched; the return is always 0.
 */
static inline int ima_read_xattr(struct dentry *dentry,
				 struct evm_ima_xattr_data **xattr_value)
{
	const int nothing_read = 0;

	return nothing_read;
}
371*4882a593Smuzhiyun
372*4882a593Smuzhiyun #endif /* CONFIG_IMA_APPRAISE */
373*4882a593Smuzhiyun
374*4882a593Smuzhiyun #ifdef CONFIG_IMA_APPRAISE_MODSIG
/* CONFIG_IMA_APPRAISE_MODSIG=y: appended-signature support, defined in the IMA .c files */
/* parse a signature appended to @buf (@buf_len bytes) into a new *@modsig */
int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
		    struct modsig **modsig);
void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size);
/* expose the digest carried in @modsig; pointers stay valid until ima_free_modsig() */
int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
			  const u8 **digest, u32 *digest_size);
int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
		       u32 *data_len);
void ima_free_modsig(struct modsig *modsig);
383*4882a593Smuzhiyun #else
/*
 * CONFIG_IMA_APPRAISE_MODSIG=n: appended signatures are unsupported, so
 * -EOPNOTSUPP is returned and *@modsig is left untouched.
 */
static inline int ima_read_modsig(enum ima_hooks func, const void *buf,
				  loff_t buf_len, struct modsig **modsig)
{
	const int unsupported = -EOPNOTSUPP;

	return unsupported;
}
389*4882a593Smuzhiyun
/* CONFIG_IMA_APPRAISE_MODSIG=n: nothing to collect; the call is a no-op. */
static inline void ima_collect_modsig(struct modsig *modsig, const void *buf,
				      loff_t size)
{
}
394*4882a593Smuzhiyun
/*
 * CONFIG_IMA_APPRAISE_MODSIG=n: no digest is available; -EOPNOTSUPP is
 * returned and none of the out-parameters are written.
 */
static inline int ima_get_modsig_digest(const struct modsig *modsig,
					enum hash_algo *algo, const u8 **digest,
					u32 *digest_size)
{
	const int unsupported = -EOPNOTSUPP;

	return unsupported;
}
401*4882a593Smuzhiyun
/*
 * CONFIG_IMA_APPRAISE_MODSIG=n: no raw signature is available; returns
 * -EOPNOTSUPP without writing *@data or *@data_len.
 */
static inline int ima_get_raw_modsig(const struct modsig *modsig,
				     const void **data, u32 *data_len)
{
	const int unsupported = -EOPNOTSUPP;

	return unsupported;
}
407*4882a593Smuzhiyun
/* CONFIG_IMA_APPRAISE_MODSIG=n: nothing was allocated, nothing to free. */
static inline void ima_free_modsig(struct modsig *modsig)
{
}
411*4882a593Smuzhiyun #endif /* CONFIG_IMA_APPRAISE_MODSIG */
412*4882a593Smuzhiyun
/* LSM based policy rules require audit */
#ifdef CONFIG_IMA_LSM_RULES

/* with audit available the LSM rule helpers are the audit rule helpers */
#define ima_filter_rule_init security_audit_rule_init
#define ima_filter_rule_free security_audit_rule_free
#define ima_filter_rule_match security_audit_rule_match
419*4882a593Smuzhiyun
420*4882a593Smuzhiyun #else
421*4882a593Smuzhiyun
/*
 * CONFIG_IMA_LSM_RULES=n: an LSM condition cannot be compiled, so -EINVAL
 * is returned and *@lsmrule is left untouched. A policy rule carrying an
 * LSM condition is thereby rejected rather than silently matched.
 */
static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
				       void **lsmrule)
{
	const int invalid = -EINVAL;

	return invalid;
}
427*4882a593Smuzhiyun
/* CONFIG_IMA_LSM_RULES=n: no rule was ever compiled; the call is a no-op. */
static inline void ima_filter_rule_free(void *lsmrule)
{
}
431*4882a593Smuzhiyun
/*
 * CONFIG_IMA_LSM_RULES=n: no rule can match; -EINVAL is returned for
 * every input (never a positive "match").
 */
static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
					void *lsmrule)
{
	const int invalid = -EINVAL;

	return invalid;
}
437*4882a593Smuzhiyun #endif /* CONFIG_IMA_LSM_RULES */
438*4882a593Smuzhiyun
/*
 * Mode bits of the policy file: owner-writable always, owner-readable only
 * with CONFIG_IMA_READ_POLICY. Without it the loaded policy cannot be read
 * back through the file, only appended to.
 */
#ifdef CONFIG_IMA_READ_POLICY
#define	POLICY_FILE_FLAGS	(S_IWUSR | S_IRUSR)
#else
#define	POLICY_FILE_FLAGS	S_IWUSR
#endif /* CONFIG_IMA_READ_POLICY */
444*4882a593Smuzhiyun
445*4882a593Smuzhiyun #endif /* __LINUX_IMA_H */