evm_main.c 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Copyright (C) 2005-2010 IBM Corporation
  4. *
  5. * Author:
  6. * Mimi Zohar <[email protected]>
  7. * Kylene Hall <[email protected]>
  8. *
  9. * File: evm_main.c
  10. * implements evm_inode_setxattr, evm_inode_post_setxattr,
  11. * evm_inode_removexattr, and evm_verifyxattr
  12. */
  13. #define pr_fmt(fmt) "EVM: "fmt
  14. #include <linux/init.h>
  15. #include <linux/crypto.h>
  16. #include <linux/audit.h>
  17. #include <linux/xattr.h>
  18. #include <linux/integrity.h>
  19. #include <linux/evm.h>
  20. #include <linux/magic.h>
  21. #include <linux/posix_acl_xattr.h>
  22. #include <crypto/hash.h>
  23. #include <crypto/hash_info.h>
  24. #include <crypto/algapi.h>
  25. #include "evm.h"
  26. int evm_initialized;
  27. static const char * const integrity_status_msg[] = {
  28. "pass", "pass_immutable", "fail", "fail_immutable", "no_label",
  29. "no_xattrs", "unknown"
  30. };
  31. int evm_hmac_attrs;
  32. static struct xattr_list evm_config_default_xattrnames[] = {
  33. {
  34. .name = XATTR_NAME_SELINUX,
  35. .enabled = IS_ENABLED(CONFIG_SECURITY_SELINUX)
  36. },
  37. {
  38. .name = XATTR_NAME_SMACK,
  39. .enabled = IS_ENABLED(CONFIG_SECURITY_SMACK)
  40. },
  41. {
  42. .name = XATTR_NAME_SMACKEXEC,
  43. .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
  44. },
  45. {
  46. .name = XATTR_NAME_SMACKTRANSMUTE,
  47. .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
  48. },
  49. {
  50. .name = XATTR_NAME_SMACKMMAP,
  51. .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
  52. },
  53. {
  54. .name = XATTR_NAME_APPARMOR,
  55. .enabled = IS_ENABLED(CONFIG_SECURITY_APPARMOR)
  56. },
  57. {
  58. .name = XATTR_NAME_IMA,
  59. .enabled = IS_ENABLED(CONFIG_IMA_APPRAISE)
  60. },
  61. {
  62. .name = XATTR_NAME_CAPS,
  63. .enabled = true
  64. },
  65. };
  66. LIST_HEAD(evm_config_xattrnames);
  67. static int evm_fixmode __ro_after_init;
  68. static int __init evm_set_fixmode(char *str)
  69. {
  70. if (strncmp(str, "fix", 3) == 0)
  71. evm_fixmode = 1;
  72. else
  73. pr_err("invalid \"%s\" mode", str);
  74. return 1;
  75. }
  76. __setup("evm=", evm_set_fixmode);
  77. static void __init evm_init_config(void)
  78. {
  79. int i, xattrs;
  80. xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
  81. pr_info("Initialising EVM extended attributes:\n");
  82. for (i = 0; i < xattrs; i++) {
  83. pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
  84. !evm_config_default_xattrnames[i].enabled ?
  85. " (disabled)" : "");
  86. list_add_tail(&evm_config_default_xattrnames[i].list,
  87. &evm_config_xattrnames);
  88. }
  89. #ifdef CONFIG_EVM_ATTR_FSUUID
  90. evm_hmac_attrs |= EVM_ATTR_FSUUID;
  91. #endif
  92. pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
  93. }
  94. static bool evm_key_loaded(void)
  95. {
  96. return (bool)(evm_initialized & EVM_KEY_MASK);
  97. }
  98. /*
  99. * This function determines whether or not it is safe to ignore verification
  100. * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
  101. * is not loaded, and it cannot be loaded in the future due to the
  102. * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
  103. * attrs/xattrs being found invalid will not make them valid.
  104. */
  105. static bool evm_hmac_disabled(void)
  106. {
  107. if (evm_initialized & EVM_INIT_HMAC)
  108. return false;
  109. if (!(evm_initialized & EVM_SETUP_COMPLETE))
  110. return false;
  111. return true;
  112. }
  113. static int evm_find_protected_xattrs(struct dentry *dentry)
  114. {
  115. struct inode *inode = d_backing_inode(dentry);
  116. struct xattr_list *xattr;
  117. int error;
  118. int count = 0;
  119. if (!(inode->i_opflags & IOP_XATTR))
  120. return -EOPNOTSUPP;
  121. list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
  122. error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
  123. if (error < 0) {
  124. if (error == -ENODATA)
  125. continue;
  126. return error;
  127. }
  128. count++;
  129. }
  130. return count;
  131. }
  132. /*
  133. * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
  134. *
  135. * Compute the HMAC on the dentry's protected set of extended attributes
  136. * and compare it against the stored security.evm xattr.
  137. *
  138. * For performance:
  139. * - use the previoulsy retrieved xattr value and length to calculate the
  140. * HMAC.)
  141. * - cache the verification result in the iint, when available.
  142. *
  143. * Returns integrity status
  144. */
  145. static enum integrity_status evm_verify_hmac(struct dentry *dentry,
  146. const char *xattr_name,
  147. char *xattr_value,
  148. size_t xattr_value_len,
  149. struct integrity_iint_cache *iint)
  150. {
  151. struct evm_ima_xattr_data *xattr_data = NULL;
  152. struct signature_v2_hdr *hdr;
  153. enum integrity_status evm_status = INTEGRITY_PASS;
  154. struct evm_digest digest;
  155. struct inode *inode;
  156. int rc, xattr_len, evm_immutable = 0;
  157. if (iint && (iint->evm_status == INTEGRITY_PASS ||
  158. iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
  159. return iint->evm_status;
  160. /* if status is not PASS, try to check again - against -ENOMEM */
  161. /* first need to know the sig type */
  162. rc = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_EVM,
  163. (char **)&xattr_data, 0, GFP_NOFS);
  164. if (rc <= 0) {
  165. evm_status = INTEGRITY_FAIL;
  166. if (rc == -ENODATA) {
  167. rc = evm_find_protected_xattrs(dentry);
  168. if (rc > 0)
  169. evm_status = INTEGRITY_NOLABEL;
  170. else if (rc == 0)
  171. evm_status = INTEGRITY_NOXATTRS; /* new file */
  172. } else if (rc == -EOPNOTSUPP) {
  173. evm_status = INTEGRITY_UNKNOWN;
  174. }
  175. goto out;
  176. }
  177. xattr_len = rc;
  178. /* check value type */
  179. switch (xattr_data->type) {
  180. case EVM_XATTR_HMAC:
  181. if (xattr_len != sizeof(struct evm_xattr)) {
  182. evm_status = INTEGRITY_FAIL;
  183. goto out;
  184. }
  185. digest.hdr.algo = HASH_ALGO_SHA1;
  186. rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
  187. xattr_value_len, &digest);
  188. if (rc)
  189. break;
  190. rc = crypto_memneq(xattr_data->data, digest.digest,
  191. SHA1_DIGEST_SIZE);
  192. if (rc)
  193. rc = -EINVAL;
  194. break;
  195. case EVM_XATTR_PORTABLE_DIGSIG:
  196. evm_immutable = 1;
  197. fallthrough;
  198. case EVM_IMA_XATTR_DIGSIG:
  199. /* accept xattr with non-empty signature field */
  200. if (xattr_len <= sizeof(struct signature_v2_hdr)) {
  201. evm_status = INTEGRITY_FAIL;
  202. goto out;
  203. }
  204. hdr = (struct signature_v2_hdr *)xattr_data;
  205. digest.hdr.algo = hdr->hash_algo;
  206. rc = evm_calc_hash(dentry, xattr_name, xattr_value,
  207. xattr_value_len, xattr_data->type, &digest);
  208. if (rc)
  209. break;
  210. rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
  211. (const char *)xattr_data, xattr_len,
  212. digest.digest, digest.hdr.length);
  213. if (!rc) {
  214. inode = d_backing_inode(dentry);
  215. if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
  216. if (iint)
  217. iint->flags |= EVM_IMMUTABLE_DIGSIG;
  218. evm_status = INTEGRITY_PASS_IMMUTABLE;
  219. } else if (!IS_RDONLY(inode) &&
  220. !(inode->i_sb->s_readonly_remount) &&
  221. !IS_IMMUTABLE(inode)) {
  222. evm_update_evmxattr(dentry, xattr_name,
  223. xattr_value,
  224. xattr_value_len);
  225. }
  226. }
  227. break;
  228. default:
  229. rc = -EINVAL;
  230. break;
  231. }
  232. if (rc) {
  233. if (rc == -ENODATA)
  234. evm_status = INTEGRITY_NOXATTRS;
  235. else if (evm_immutable)
  236. evm_status = INTEGRITY_FAIL_IMMUTABLE;
  237. else
  238. evm_status = INTEGRITY_FAIL;
  239. }
  240. pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
  241. digest.digest);
  242. out:
  243. if (iint)
  244. iint->evm_status = evm_status;
  245. kfree(xattr_data);
  246. return evm_status;
  247. }
  248. static int evm_protected_xattr_common(const char *req_xattr_name,
  249. bool all_xattrs)
  250. {
  251. int namelen;
  252. int found = 0;
  253. struct xattr_list *xattr;
  254. namelen = strlen(req_xattr_name);
  255. list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
  256. if (!all_xattrs && !xattr->enabled)
  257. continue;
  258. if ((strlen(xattr->name) == namelen)
  259. && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
  260. found = 1;
  261. break;
  262. }
  263. if (strncmp(req_xattr_name,
  264. xattr->name + XATTR_SECURITY_PREFIX_LEN,
  265. strlen(req_xattr_name)) == 0) {
  266. found = 1;
  267. break;
  268. }
  269. }
  270. return found;
  271. }
  272. static int evm_protected_xattr(const char *req_xattr_name)
  273. {
  274. return evm_protected_xattr_common(req_xattr_name, false);
  275. }
  276. int evm_protected_xattr_if_enabled(const char *req_xattr_name)
  277. {
  278. return evm_protected_xattr_common(req_xattr_name, true);
  279. }
  280. /**
  281. * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
  282. * @dentry: dentry of the read xattrs
  283. * @buffer: buffer xattr names, lengths or values are copied to
  284. * @buffer_size: size of buffer
  285. * @type: n: names, l: lengths, v: values
  286. * @canonical_fmt: data format (true: little endian, false: native format)
  287. *
  288. * Read protected xattr names (separated by |), lengths (u32) or values for a
  289. * given dentry and return the total size of copied data. If buffer is NULL,
  290. * just return the total size.
  291. *
  292. * Returns the total size on success, a negative value on error.
  293. */
  294. int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
  295. int buffer_size, char type, bool canonical_fmt)
  296. {
  297. struct xattr_list *xattr;
  298. int rc, size, total_size = 0;
  299. list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
  300. rc = __vfs_getxattr(dentry, d_backing_inode(dentry),
  301. xattr->name, NULL, 0);
  302. if (rc < 0 && rc == -ENODATA)
  303. continue;
  304. else if (rc < 0)
  305. return rc;
  306. switch (type) {
  307. case 'n':
  308. size = strlen(xattr->name) + 1;
  309. if (buffer) {
  310. if (total_size)
  311. *(buffer + total_size - 1) = '|';
  312. memcpy(buffer + total_size, xattr->name, size);
  313. }
  314. break;
  315. case 'l':
  316. size = sizeof(u32);
  317. if (buffer) {
  318. if (canonical_fmt)
  319. rc = (__force int)cpu_to_le32(rc);
  320. *(u32 *)(buffer + total_size) = rc;
  321. }
  322. break;
  323. case 'v':
  324. size = rc;
  325. if (buffer) {
  326. rc = __vfs_getxattr(dentry,
  327. d_backing_inode(dentry), xattr->name,
  328. buffer + total_size,
  329. buffer_size - total_size);
  330. if (rc < 0)
  331. return rc;
  332. }
  333. break;
  334. default:
  335. return -EINVAL;
  336. }
  337. total_size += size;
  338. }
  339. return total_size;
  340. }
  341. /**
  342. * evm_verifyxattr - verify the integrity of the requested xattr
  343. * @dentry: object of the verify xattr
  344. * @xattr_name: requested xattr
  345. * @xattr_value: requested xattr value
  346. * @xattr_value_len: requested xattr value length
  347. * @iint: inode integrity metadata
  348. *
  349. * Calculate the HMAC for the given dentry and verify it against the stored
  350. * security.evm xattr. For performance, use the xattr value and length
  351. * previously retrieved to calculate the HMAC.
  352. *
  353. * Returns the xattr integrity status.
  354. *
  355. * This function requires the caller to lock the inode's i_mutex before it
  356. * is executed.
  357. */
  358. enum integrity_status evm_verifyxattr(struct dentry *dentry,
  359. const char *xattr_name,
  360. void *xattr_value, size_t xattr_value_len,
  361. struct integrity_iint_cache *iint)
  362. {
  363. if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
  364. return INTEGRITY_UNKNOWN;
  365. if (!iint) {
  366. iint = integrity_iint_find(d_backing_inode(dentry));
  367. if (!iint)
  368. return INTEGRITY_UNKNOWN;
  369. }
  370. return evm_verify_hmac(dentry, xattr_name, xattr_value,
  371. xattr_value_len, iint);
  372. }
  373. EXPORT_SYMBOL_GPL(evm_verifyxattr);
  374. /*
  375. * evm_verify_current_integrity - verify the dentry's metadata integrity
  376. * @dentry: pointer to the affected dentry
  377. *
  378. * Verify and return the dentry's metadata integrity. The exceptions are
  379. * before EVM is initialized or in 'fix' mode.
  380. */
  381. static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
  382. {
  383. struct inode *inode = d_backing_inode(dentry);
  384. if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
  385. return INTEGRITY_PASS;
  386. return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
  387. }
  388. /*
  389. * evm_xattr_acl_change - check if passed ACL changes the inode mode
  390. * @mnt_userns: user namespace of the idmapped mount
  391. * @dentry: pointer to the affected dentry
  392. * @xattr_name: requested xattr
  393. * @xattr_value: requested xattr value
  394. * @xattr_value_len: requested xattr value length
  395. *
  396. * Check if passed ACL changes the inode mode, which is protected by EVM.
  397. *
  398. * Returns 1 if passed ACL causes inode mode change, 0 otherwise.
  399. */
  400. static int evm_xattr_acl_change(struct user_namespace *mnt_userns,
  401. struct dentry *dentry, const char *xattr_name,
  402. const void *xattr_value, size_t xattr_value_len)
  403. {
  404. #ifdef CONFIG_FS_POSIX_ACL
  405. umode_t mode;
  406. struct posix_acl *acl = NULL, *acl_res;
  407. struct inode *inode = d_backing_inode(dentry);
  408. int rc;
  409. /*
  410. * An earlier comment here mentioned that the idmappings for
  411. * ACL_{GROUP,USER} don't matter since EVM is only interested in the
  412. * mode stored as part of POSIX ACLs. Nonetheless, if it must translate
  413. * from the uapi POSIX ACL representation to the VFS internal POSIX ACL
  414. * representation it should do so correctly. There's no guarantee that
  415. * we won't change POSIX ACLs in a way that ACL_{GROUP,USER} matters
  416. * for the mode at some point and it's difficult to keep track of all
  417. * the LSM and integrity modules and what they do to POSIX ACLs.
  418. *
  419. * Frankly, EVM shouldn't try to interpret the uapi struct for POSIX
  420. * ACLs it received. It requires knowledge that only the VFS is
  421. * guaranteed to have.
  422. */
  423. acl = vfs_set_acl_prepare(mnt_userns, i_user_ns(inode),
  424. xattr_value, xattr_value_len);
  425. if (IS_ERR_OR_NULL(acl))
  426. return 1;
  427. acl_res = acl;
  428. /*
  429. * Passing mnt_userns is necessary to correctly determine the GID in
  430. * an idmapped mount, as the GID is used to clear the setgid bit in
  431. * the inode mode.
  432. */
  433. rc = posix_acl_update_mode(mnt_userns, inode, &mode, &acl_res);
  434. posix_acl_release(acl);
  435. if (rc)
  436. return 1;
  437. if (inode->i_mode != mode)
  438. return 1;
  439. #endif
  440. return 0;
  441. }
  442. /*
  443. * evm_xattr_change - check if passed xattr value differs from current value
  444. * @mnt_userns: user namespace of the idmapped mount
  445. * @dentry: pointer to the affected dentry
  446. * @xattr_name: requested xattr
  447. * @xattr_value: requested xattr value
  448. * @xattr_value_len: requested xattr value length
  449. *
  450. * Check if passed xattr value differs from current value.
  451. *
  452. * Returns 1 if passed xattr value differs from current value, 0 otherwise.
  453. */
  454. static int evm_xattr_change(struct user_namespace *mnt_userns,
  455. struct dentry *dentry, const char *xattr_name,
  456. const void *xattr_value, size_t xattr_value_len)
  457. {
  458. char *xattr_data = NULL;
  459. int rc = 0;
  460. if (posix_xattr_acl(xattr_name))
  461. return evm_xattr_acl_change(mnt_userns, dentry, xattr_name,
  462. xattr_value, xattr_value_len);
  463. rc = vfs_getxattr_alloc(&init_user_ns, dentry, xattr_name, &xattr_data,
  464. 0, GFP_NOFS);
  465. if (rc < 0)
  466. return 1;
  467. if (rc == xattr_value_len)
  468. rc = !!memcmp(xattr_value, xattr_data, rc);
  469. else
  470. rc = 1;
  471. kfree(xattr_data);
  472. return rc;
  473. }
  474. /*
  475. * evm_protect_xattr - protect the EVM extended attribute
  476. *
  477. * Prevent security.evm from being modified or removed without the
  478. * necessary permissions or when the existing value is invalid.
  479. *
  480. * The posix xattr acls are 'system' prefixed, which normally would not
  481. * affect security.evm. An interesting side affect of writing posix xattr
  482. * acls is their modifying of the i_mode, which is included in security.evm.
  483. * For posix xattr acls only, permit security.evm, even if it currently
  484. * doesn't exist, to be updated unless the EVM signature is immutable.
  485. */
  486. static int evm_protect_xattr(struct user_namespace *mnt_userns,
  487. struct dentry *dentry, const char *xattr_name,
  488. const void *xattr_value, size_t xattr_value_len)
  489. {
  490. enum integrity_status evm_status;
  491. if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
  492. if (!capable(CAP_SYS_ADMIN))
  493. return -EPERM;
  494. } else if (!evm_protected_xattr(xattr_name)) {
  495. if (!posix_xattr_acl(xattr_name))
  496. return 0;
  497. evm_status = evm_verify_current_integrity(dentry);
  498. if ((evm_status == INTEGRITY_PASS) ||
  499. (evm_status == INTEGRITY_NOXATTRS))
  500. return 0;
  501. goto out;
  502. }
  503. evm_status = evm_verify_current_integrity(dentry);
  504. if (evm_status == INTEGRITY_NOXATTRS) {
  505. struct integrity_iint_cache *iint;
  506. /* Exception if the HMAC is not going to be calculated. */
  507. if (evm_hmac_disabled())
  508. return 0;
  509. iint = integrity_iint_find(d_backing_inode(dentry));
  510. if (iint && (iint->flags & IMA_NEW_FILE))
  511. return 0;
  512. /* exception for pseudo filesystems */
  513. if (dentry->d_sb->s_magic == TMPFS_MAGIC
  514. || dentry->d_sb->s_magic == SYSFS_MAGIC)
  515. return 0;
  516. integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
  517. dentry->d_inode, dentry->d_name.name,
  518. "update_metadata",
  519. integrity_status_msg[evm_status],
  520. -EPERM, 0);
  521. }
  522. out:
  523. /* Exception if the HMAC is not going to be calculated. */
  524. if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
  525. evm_status == INTEGRITY_UNKNOWN))
  526. return 0;
  527. /*
  528. * Writing other xattrs is safe for portable signatures, as portable
  529. * signatures are immutable and can never be updated.
  530. */
  531. if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
  532. return 0;
  533. if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
  534. !evm_xattr_change(mnt_userns, dentry, xattr_name, xattr_value,
  535. xattr_value_len))
  536. return 0;
  537. if (evm_status != INTEGRITY_PASS &&
  538. evm_status != INTEGRITY_PASS_IMMUTABLE)
  539. integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
  540. dentry->d_name.name, "appraise_metadata",
  541. integrity_status_msg[evm_status],
  542. -EPERM, 0);
  543. return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
  544. }
  545. /**
  546. * evm_inode_setxattr - protect the EVM extended attribute
  547. * @mnt_userns: user namespace of the idmapped mount
  548. * @dentry: pointer to the affected dentry
  549. * @xattr_name: pointer to the affected extended attribute name
  550. * @xattr_value: pointer to the new extended attribute value
  551. * @xattr_value_len: pointer to the new extended attribute value length
  552. *
  553. * Before allowing the 'security.evm' protected xattr to be updated,
  554. * verify the existing value is valid. As only the kernel should have
  555. * access to the EVM encrypted key needed to calculate the HMAC, prevent
  556. * userspace from writing HMAC value. Writing 'security.evm' requires
  557. * requires CAP_SYS_ADMIN privileges.
  558. */
  559. int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
  560. const char *xattr_name, const void *xattr_value,
  561. size_t xattr_value_len)
  562. {
  563. const struct evm_ima_xattr_data *xattr_data = xattr_value;
  564. /* Policy permits modification of the protected xattrs even though
  565. * there's no HMAC key loaded
  566. */
  567. if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
  568. return 0;
  569. if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
  570. if (!xattr_value_len)
  571. return -EINVAL;
  572. if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
  573. xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
  574. return -EPERM;
  575. }
  576. return evm_protect_xattr(mnt_userns, dentry, xattr_name, xattr_value,
  577. xattr_value_len);
  578. }
  579. /**
  580. * evm_inode_removexattr - protect the EVM extended attribute
  581. * @mnt_userns: user namespace of the idmapped mount
  582. * @dentry: pointer to the affected dentry
  583. * @xattr_name: pointer to the affected extended attribute name
  584. *
  585. * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
  586. * the current value is valid.
  587. */
  588. int evm_inode_removexattr(struct user_namespace *mnt_userns,
  589. struct dentry *dentry, const char *xattr_name)
  590. {
  591. /* Policy permits modification of the protected xattrs even though
  592. * there's no HMAC key loaded
  593. */
  594. if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
  595. return 0;
  596. return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0);
  597. }
  598. static void evm_reset_status(struct inode *inode)
  599. {
  600. struct integrity_iint_cache *iint;
  601. iint = integrity_iint_find(inode);
  602. if (iint)
  603. iint->evm_status = INTEGRITY_UNKNOWN;
  604. }
  605. /**
  606. * evm_revalidate_status - report whether EVM status re-validation is necessary
  607. * @xattr_name: pointer to the affected extended attribute name
  608. *
  609. * Report whether callers of evm_verifyxattr() should re-validate the
  610. * EVM status.
  611. *
  612. * Return true if re-validation is necessary, false otherwise.
  613. */
  614. bool evm_revalidate_status(const char *xattr_name)
  615. {
  616. if (!evm_key_loaded())
  617. return false;
  618. /* evm_inode_post_setattr() passes NULL */
  619. if (!xattr_name)
  620. return true;
  621. if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
  622. strcmp(xattr_name, XATTR_NAME_EVM))
  623. return false;
  624. return true;
  625. }
  626. /**
  627. * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
  628. * @dentry: pointer to the affected dentry
  629. * @xattr_name: pointer to the affected extended attribute name
  630. * @xattr_value: pointer to the new extended attribute value
  631. * @xattr_value_len: pointer to the new extended attribute value length
  632. *
  633. * Update the HMAC stored in 'security.evm' to reflect the change.
  634. *
  635. * No need to take the i_mutex lock here, as this function is called from
  636. * __vfs_setxattr_noperm(). The caller of which has taken the inode's
  637. * i_mutex lock.
  638. */
  639. void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
  640. const void *xattr_value, size_t xattr_value_len)
  641. {
  642. if (!evm_revalidate_status(xattr_name))
  643. return;
  644. evm_reset_status(dentry->d_inode);
  645. if (!strcmp(xattr_name, XATTR_NAME_EVM))
  646. return;
  647. if (!(evm_initialized & EVM_INIT_HMAC))
  648. return;
  649. evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
  650. }
  651. /**
  652. * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
  653. * @dentry: pointer to the affected dentry
  654. * @xattr_name: pointer to the affected extended attribute name
  655. *
  656. * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
  657. *
  658. * No need to take the i_mutex lock here, as this function is called from
  659. * vfs_removexattr() which takes the i_mutex.
  660. */
  661. void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
  662. {
  663. if (!evm_revalidate_status(xattr_name))
  664. return;
  665. evm_reset_status(dentry->d_inode);
  666. if (!strcmp(xattr_name, XATTR_NAME_EVM))
  667. return;
  668. if (!(evm_initialized & EVM_INIT_HMAC))
  669. return;
  670. evm_update_evmxattr(dentry, xattr_name, NULL, 0);
  671. }
  672. static int evm_attr_change(struct user_namespace *mnt_userns,
  673. struct dentry *dentry, struct iattr *attr)
  674. {
  675. struct inode *inode = d_backing_inode(dentry);
  676. unsigned int ia_valid = attr->ia_valid;
  677. if (!i_uid_needs_update(mnt_userns, attr, inode) &&
  678. !i_gid_needs_update(mnt_userns, attr, inode) &&
  679. (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
  680. return 0;
  681. return 1;
  682. }
  683. /**
  684. * evm_inode_setattr - prevent updating an invalid EVM extended attribute
  685. * @idmap: idmap of the mount
  686. * @dentry: pointer to the affected dentry
  687. * @attr: iattr structure containing the new file attributes
  688. *
  689. * Permit update of file attributes when files have a valid EVM signature,
  690. * except in the case of them having an immutable portable signature.
  691. */
  692. int evm_inode_setattr(struct user_namespace *mnt_userns, struct dentry *dentry,
  693. struct iattr *attr)
  694. {
  695. unsigned int ia_valid = attr->ia_valid;
  696. enum integrity_status evm_status;
  697. /* Policy permits modification of the protected attrs even though
  698. * there's no HMAC key loaded
  699. */
  700. if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
  701. return 0;
  702. if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
  703. return 0;
  704. evm_status = evm_verify_current_integrity(dentry);
  705. /*
  706. * Writing attrs is safe for portable signatures, as portable signatures
  707. * are immutable and can never be updated.
  708. */
  709. if ((evm_status == INTEGRITY_PASS) ||
  710. (evm_status == INTEGRITY_NOXATTRS) ||
  711. (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
  712. (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
  713. evm_status == INTEGRITY_UNKNOWN)))
  714. return 0;
  715. if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
  716. !evm_attr_change(mnt_userns, dentry, attr))
  717. return 0;
  718. integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
  719. dentry->d_name.name, "appraise_metadata",
  720. integrity_status_msg[evm_status], -EPERM, 0);
  721. return -EPERM;
  722. }
  723. /**
  724. * evm_inode_post_setattr - update 'security.evm' after modifying metadata
  725. * @dentry: pointer to the affected dentry
  726. * @ia_valid: for the UID and GID status
  727. *
  728. * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
  729. * changes.
  730. *
  731. * This function is called from notify_change(), which expects the caller
  732. * to lock the inode's i_mutex.
  733. */
  734. void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
  735. {
  736. if (!evm_revalidate_status(NULL))
  737. return;
  738. evm_reset_status(dentry->d_inode);
  739. if (!(evm_initialized & EVM_INIT_HMAC))
  740. return;
  741. if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
  742. evm_update_evmxattr(dentry, NULL, NULL, 0);
  743. }
  744. /*
  745. * evm_inode_init_security - initializes security.evm HMAC value
  746. */
  747. int evm_inode_init_security(struct inode *inode,
  748. const struct xattr *lsm_xattr,
  749. struct xattr *evm_xattr)
  750. {
  751. struct evm_xattr *xattr_data;
  752. int rc;
  753. if (!(evm_initialized & EVM_INIT_HMAC) ||
  754. !evm_protected_xattr(lsm_xattr->name))
  755. return 0;
  756. xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
  757. if (!xattr_data)
  758. return -ENOMEM;
  759. xattr_data->data.type = EVM_XATTR_HMAC;
  760. rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
  761. if (rc < 0)
  762. goto out;
  763. evm_xattr->value = xattr_data;
  764. evm_xattr->value_len = sizeof(*xattr_data);
  765. evm_xattr->name = XATTR_EVM_SUFFIX;
  766. return 0;
  767. out:
  768. kfree(xattr_data);
  769. return rc;
  770. }
  771. EXPORT_SYMBOL_GPL(evm_inode_init_security);
  772. #ifdef CONFIG_EVM_LOAD_X509
  773. void __init evm_load_x509(void)
  774. {
  775. int rc;
  776. rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
  777. if (!rc)
  778. evm_initialized |= EVM_INIT_X509;
  779. }
  780. #endif
  781. static int __init init_evm(void)
  782. {
  783. int error;
  784. struct list_head *pos, *q;
  785. evm_init_config();
  786. error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
  787. if (error)
  788. goto error;
  789. error = evm_init_secfs();
  790. if (error < 0) {
  791. pr_info("Error registering secfs\n");
  792. goto error;
  793. }
  794. error:
  795. if (error != 0) {
  796. if (!list_empty(&evm_config_xattrnames)) {
  797. list_for_each_safe(pos, q, &evm_config_xattrnames)
  798. list_del(pos);
  799. }
  800. }
  801. return error;
  802. }
  803. late_initcall(init_evm);