1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Copyright (C) 2005-2010 IBM Corporation 4 * 5 * Author: 6 * Mimi Zohar <zohar@us.ibm.com> 7 * Kylene Hall <kjhall@us.ibm.com> 8 * 9 * File: evm_main.c 10 * implements evm_inode_setxattr, evm_inode_post_setxattr, 11 * evm_inode_removexattr, and evm_verifyxattr 12 */ 13 14#include <linux/init.h> 15#include <linux/crypto.h> 16#include <linux/audit.h> 17#include <linux/xattr.h> 18#include <linux/integrity.h> 19#include <linux/evm.h> 20#include <linux/magic.h> 21 22#include <crypto/hash.h> 23#include <crypto/hash_info.h> 24#include <crypto/algapi.h> 25#include "evm.h" 26 27int evm_initialized; 28 29static const char * const integrity_status_msg[] = { 30 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 31}; 32int evm_hmac_attrs; 33 34static struct xattr_list evm_config_default_xattrnames[] = { 35#ifdef CONFIG_SECURITY_SELINUX 36 {.name = XATTR_NAME_SELINUX}, 37#endif 38#ifdef CONFIG_SECURITY_SMACK 39 {.name = XATTR_NAME_SMACK}, 40#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 41 {.name = XATTR_NAME_SMACKEXEC}, 42 {.name = XATTR_NAME_SMACKTRANSMUTE}, 43 {.name = XATTR_NAME_SMACKMMAP}, 44#endif 45#endif 46#ifdef CONFIG_SECURITY_APPARMOR 47 {.name = XATTR_NAME_APPARMOR}, 48#endif 49#ifdef CONFIG_IMA_APPRAISE 50 {.name = XATTR_NAME_IMA}, 51#endif 52 {.name = XATTR_NAME_CAPS}, 53}; 54 55LIST_HEAD(evm_config_xattrnames); 56 57static int evm_fixmode __ro_after_init; 58static int __init evm_set_fixmode(char *str) 59{ 60 if (strncmp(str, "fix", 3) == 0) 61 evm_fixmode = 1; 62 else 63 pr_err("invalid \"%s\" mode", str); 64 65 return 1; 66} 67__setup("evm=", evm_set_fixmode); 68 69static void __init evm_init_config(void) 70{ 71 int i, xattrs; 72 73 xattrs = ARRAY_SIZE(evm_config_default_xattrnames); 74 75 pr_info("Initialising EVM extended attributes:\n"); 76 for (i = 0; i < xattrs; i++) { 77 pr_info("%s\n", evm_config_default_xattrnames[i].name); 78 list_add_tail(&evm_config_default_xattrnames[i].list, 79 &evm_config_xattrnames); 80 } 81 82#ifdef CONFIG_EVM_ATTR_FSUUID 83 evm_hmac_attrs |= EVM_ATTR_FSUUID; 84#endif 85 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 86} 87 88static bool evm_key_loaded(void) 89{ 90 return (bool)(evm_initialized & EVM_KEY_MASK); 91} 92 93static int evm_find_protected_xattrs(struct dentry *dentry) 94{ 95 struct inode *inode = d_backing_inode(dentry); 96 struct xattr_list *xattr; 97 int error; 98 int count = 0; 99 100 if (!(inode->i_opflags & IOP_XATTR)) 101 return -EOPNOTSUPP; 102 103 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 104 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); 105 if (error < 0) { 106 if (error == -ENODATA) 107 continue; 108 return error; 109 } 110 count++; 111 } 112 113 return count; 114} 115 116/* 117 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 118 * 119 * Compute the HMAC on the dentry's protected set of extended attributes 120 * and compare it against the stored security.evm xattr. 121 * 122 * For performance: 123 * - use the previoulsy retrieved xattr value and length to calculate the 124 * HMAC.) 125 * - cache the verification result in the iint, when available. 126 * 127 * Returns integrity status 128 */ 129static enum integrity_status evm_verify_hmac(struct dentry *dentry, 130 const char *xattr_name, 131 char *xattr_value, 132 size_t xattr_value_len, 133 struct integrity_iint_cache *iint) 134{ 135 struct evm_ima_xattr_data *xattr_data = NULL; 136 struct signature_v2_hdr *hdr; 137 enum integrity_status evm_status = INTEGRITY_PASS; 138 struct evm_digest digest; 139 struct inode *inode; 140 int rc, xattr_len; 141 142 if (iint && (iint->evm_status == INTEGRITY_PASS || 143 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 144 return iint->evm_status; 145 146 /* if status is not PASS, try to check again - against -ENOMEM */ 147 148 /* first need to know the sig type */ 149 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 150 GFP_NOFS); 151 if (rc <= 0) { 152 evm_status = INTEGRITY_FAIL; 153 if (rc == -ENODATA) { 154 rc = evm_find_protected_xattrs(dentry); 155 if (rc > 0) 156 evm_status = INTEGRITY_NOLABEL; 157 else if (rc == 0) 158 evm_status = INTEGRITY_NOXATTRS; /* new file */ 159 } else if (rc == -EOPNOTSUPP) { 160 evm_status = INTEGRITY_UNKNOWN; 161 } 162 goto out; 163 } 164 165 xattr_len = rc; 166 167 /* check value type */ 168 switch (xattr_data->type) { 169 case EVM_XATTR_HMAC: 170 if (xattr_len != sizeof(struct evm_xattr)) { 171 evm_status = INTEGRITY_FAIL; 172 goto out; 173 } 174 175 digest.hdr.algo = HASH_ALGO_SHA1; 176 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 177 xattr_value_len, &digest); 178 if (rc) 179 break; 180 rc = crypto_memneq(xattr_data->data, digest.digest, 181 SHA1_DIGEST_SIZE); 182 if (rc) 183 rc = -EINVAL; 184 break; 185 case EVM_IMA_XATTR_DIGSIG: 186 case EVM_XATTR_PORTABLE_DIGSIG: 187 /* accept xattr with non-empty signature field */ 188 if (xattr_len <= sizeof(struct signature_v2_hdr)) { 189 evm_status = INTEGRITY_FAIL; 190 goto out; 191 } 192 193 hdr = (struct signature_v2_hdr *)xattr_data; 194 digest.hdr.algo = hdr->hash_algo; 195 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 196 xattr_value_len, xattr_data->type, &digest); 197 if (rc) 198 break; 199 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 200 (const char *)xattr_data, xattr_len, 201 digest.digest, digest.hdr.length); 202 if (!rc) { 203 inode = d_backing_inode(dentry); 204 205 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 206 if (iint) 207 iint->flags |= EVM_IMMUTABLE_DIGSIG; 208 evm_status = INTEGRITY_PASS_IMMUTABLE; 209 } else if (!IS_RDONLY(inode) && 210 !(inode->i_sb->s_readonly_remount) && 211 !IS_IMMUTABLE(inode)) { 212 evm_update_evmxattr(dentry, xattr_name, 213 xattr_value, 214 xattr_value_len); 215 } 216 } 217 break; 218 default: 219 rc = -EINVAL; 220 break; 221 } 222 223 if (rc) 224 evm_status = (rc == -ENODATA) ? 225 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 226out: 227 if (iint) 228 iint->evm_status = evm_status; 229 kfree(xattr_data); 230 return evm_status; 231} 232 233static int evm_protected_xattr(const char *req_xattr_name) 234{ 235 int namelen; 236 int found = 0; 237 struct xattr_list *xattr; 238 239 namelen = strlen(req_xattr_name); 240 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 241 if ((strlen(xattr->name) == namelen) 242 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { 243 found = 1; 244 break; 245 } 246 if (strncmp(req_xattr_name, 247 xattr->name + XATTR_SECURITY_PREFIX_LEN, 248 strlen(req_xattr_name)) == 0) { 249 found = 1; 250 break; 251 } 252 } 253 254 return found; 255} 256 257/** 258 * evm_verifyxattr - verify the integrity of the requested xattr 259 * @dentry: object of the verify xattr 260 * @xattr_name: requested xattr 261 * @xattr_value: requested xattr value 262 * @xattr_value_len: requested xattr value length 263 * 264 * Calculate the HMAC for the given dentry and verify it against the stored 265 * security.evm xattr. For performance, use the xattr value and length 266 * previously retrieved to calculate the HMAC. 267 * 268 * Returns the xattr integrity status. 269 * 270 * This function requires the caller to lock the inode's i_mutex before it 271 * is executed. 272 */ 273enum integrity_status evm_verifyxattr(struct dentry *dentry, 274 const char *xattr_name, 275 void *xattr_value, size_t xattr_value_len, 276 struct integrity_iint_cache *iint) 277{ 278 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 279 return INTEGRITY_UNKNOWN; 280 281 if (!iint) { 282 iint = integrity_iint_find(d_backing_inode(dentry)); 283 if (!iint) 284 return INTEGRITY_UNKNOWN; 285 } 286 return evm_verify_hmac(dentry, xattr_name, xattr_value, 287 xattr_value_len, iint); 288} 289EXPORT_SYMBOL_GPL(evm_verifyxattr); 290 291/* 292 * evm_verify_current_integrity - verify the dentry's metadata integrity 293 * @dentry: pointer to the affected dentry 294 * 295 * Verify and return the dentry's metadata integrity. The exceptions are 296 * before EVM is initialized or in 'fix' mode. 297 */ 298static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 299{ 300 struct inode *inode = d_backing_inode(dentry); 301 302 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 303 return 0; 304 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 305} 306 307/* 308 * evm_protect_xattr - protect the EVM extended attribute 309 * 310 * Prevent security.evm from being modified or removed without the 311 * necessary permissions or when the existing value is invalid. 312 * 313 * The posix xattr acls are 'system' prefixed, which normally would not 314 * affect security.evm. An interesting side affect of writing posix xattr 315 * acls is their modifying of the i_mode, which is included in security.evm. 316 * For posix xattr acls only, permit security.evm, even if it currently 317 * doesn't exist, to be updated unless the EVM signature is immutable. 318 */ 319static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 320 const void *xattr_value, size_t xattr_value_len) 321{ 322 enum integrity_status evm_status; 323 324 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 325 if (!capable(CAP_SYS_ADMIN)) 326 return -EPERM; 327 } else if (!evm_protected_xattr(xattr_name)) { 328 if (!posix_xattr_acl(xattr_name)) 329 return 0; 330 evm_status = evm_verify_current_integrity(dentry); 331 if ((evm_status == INTEGRITY_PASS) || 332 (evm_status == INTEGRITY_NOXATTRS)) 333 return 0; 334 goto out; 335 } 336 337 evm_status = evm_verify_current_integrity(dentry); 338 if (evm_status == INTEGRITY_NOXATTRS) { 339 struct integrity_iint_cache *iint; 340 341 iint = integrity_iint_find(d_backing_inode(dentry)); 342 if (iint && (iint->flags & IMA_NEW_FILE)) 343 return 0; 344 345 /* exception for pseudo filesystems */ 346 if (dentry->d_sb->s_magic == TMPFS_MAGIC 347 || dentry->d_sb->s_magic == SYSFS_MAGIC) 348 return 0; 349 350 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 351 dentry->d_inode, dentry->d_name.name, 352 "update_metadata", 353 integrity_status_msg[evm_status], 354 -EPERM, 0); 355 } 356out: 357 if (evm_status != INTEGRITY_PASS) 358 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 359 dentry->d_name.name, "appraise_metadata", 360 integrity_status_msg[evm_status], 361 -EPERM, 0); 362 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 363} 364 365/** 366 * evm_inode_setxattr - protect the EVM extended attribute 367 * @dentry: pointer to the affected dentry 368 * @xattr_name: pointer to the affected extended attribute name 369 * @xattr_value: pointer to the new extended attribute value 370 * @xattr_value_len: pointer to the new extended attribute value length 371 * 372 * Before allowing the 'security.evm' protected xattr to be updated, 373 * verify the existing value is valid. As only the kernel should have 374 * access to the EVM encrypted key needed to calculate the HMAC, prevent 375 * userspace from writing HMAC value. Writing 'security.evm' requires 376 * requires CAP_SYS_ADMIN privileges. 377 */ 378int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 379 const void *xattr_value, size_t xattr_value_len) 380{ 381 const struct evm_ima_xattr_data *xattr_data = xattr_value; 382 383 /* Policy permits modification of the protected xattrs even though 384 * there's no HMAC key loaded 385 */ 386 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 387 return 0; 388 389 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 390 if (!xattr_value_len) 391 return -EINVAL; 392 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 393 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 394 return -EPERM; 395 } 396 return evm_protect_xattr(dentry, xattr_name, xattr_value, 397 xattr_value_len); 398} 399 400/** 401 * evm_inode_removexattr - protect the EVM extended attribute 402 * @dentry: pointer to the affected dentry 403 * @xattr_name: pointer to the affected extended attribute name 404 * 405 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 406 * the current value is valid. 407 */ 408int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 409{ 410 /* Policy permits modification of the protected xattrs even though 411 * there's no HMAC key loaded 412 */ 413 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 414 return 0; 415 416 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 417} 418 419static void evm_reset_status(struct inode *inode) 420{ 421 struct integrity_iint_cache *iint; 422 423 iint = integrity_iint_find(inode); 424 if (iint) 425 iint->evm_status = INTEGRITY_UNKNOWN; 426} 427 428/** 429 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 430 * @dentry: pointer to the affected dentry 431 * @xattr_name: pointer to the affected extended attribute name 432 * @xattr_value: pointer to the new extended attribute value 433 * @xattr_value_len: pointer to the new extended attribute value length 434 * 435 * Update the HMAC stored in 'security.evm' to reflect the change. 436 * 437 * No need to take the i_mutex lock here, as this function is called from 438 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 439 * i_mutex lock. 440 */ 441void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 442 const void *xattr_value, size_t xattr_value_len) 443{ 444 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 445 && !posix_xattr_acl(xattr_name))) 446 return; 447 448 evm_reset_status(dentry->d_inode); 449 450 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 451} 452 453/** 454 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 455 * @dentry: pointer to the affected dentry 456 * @xattr_name: pointer to the affected extended attribute name 457 * 458 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 459 * 460 * No need to take the i_mutex lock here, as this function is called from 461 * vfs_removexattr() which takes the i_mutex. 462 */ 463void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 464{ 465 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 466 return; 467 468 evm_reset_status(dentry->d_inode); 469 470 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 471} 472 473/** 474 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 475 * @idmap: idmap of the mount 476 * @dentry: pointer to the affected dentry 477 * @attr: iattr structure containing the new file attributes 478 * 479 * Permit update of file attributes when files have a valid EVM signature, 480 * except in the case of them having an immutable portable signature. 481 */ 482int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 483{ 484 unsigned int ia_valid = attr->ia_valid; 485 enum integrity_status evm_status; 486 487 /* Policy permits modification of the protected attrs even though 488 * there's no HMAC key loaded 489 */ 490 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 491 return 0; 492 493 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 494 return 0; 495 evm_status = evm_verify_current_integrity(dentry); 496 if ((evm_status == INTEGRITY_PASS) || 497 (evm_status == INTEGRITY_NOXATTRS)) 498 return 0; 499 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 500 dentry->d_name.name, "appraise_metadata", 501 integrity_status_msg[evm_status], -EPERM, 0); 502 return -EPERM; 503} 504 505/** 506 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 507 * @dentry: pointer to the affected dentry 508 * @ia_valid: for the UID and GID status 509 * 510 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 511 * changes. 512 * 513 * This function is called from notify_change(), which expects the caller 514 * to lock the inode's i_mutex. 515 */ 516void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 517{ 518 if (!evm_key_loaded()) 519 return; 520 521 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 522 evm_update_evmxattr(dentry, NULL, NULL, 0); 523} 524 525/* 526 * evm_inode_init_security - initializes security.evm HMAC value 527 */ 528int evm_inode_init_security(struct inode *inode, 529 const struct xattr *lsm_xattr, 530 struct xattr *evm_xattr) 531{ 532 struct evm_xattr *xattr_data; 533 int rc; 534 535 if (!(evm_initialized & EVM_INIT_HMAC) || 536 !evm_protected_xattr(lsm_xattr->name)) 537 return 0; 538 539 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 540 if (!xattr_data) 541 return -ENOMEM; 542 543 xattr_data->data.type = EVM_XATTR_HMAC; 544 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 545 if (rc < 0) 546 goto out; 547 548 evm_xattr->value = xattr_data; 549 evm_xattr->value_len = sizeof(*xattr_data); 550 evm_xattr->name = XATTR_EVM_SUFFIX; 551 return 0; 552out: 553 kfree(xattr_data); 554 return rc; 555} 556EXPORT_SYMBOL_GPL(evm_inode_init_security); 557 558#ifdef CONFIG_EVM_LOAD_X509 559void __init evm_load_x509(void) 560{ 561 int rc; 562 563 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 564 if (!rc) 565 evm_initialized |= EVM_INIT_X509; 566} 567#endif 568 569static int __init init_evm(void) 570{ 571 int error; 572 struct list_head *pos, *q; 573 574 evm_init_config(); 575 576 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 577 if (error) 578 goto error; 579 580 error = evm_init_secfs(); 581 if (error < 0) { 582 pr_info("Error registering secfs\n"); 583 goto error; 584 } 585 586error: 587 if (error != 0) { 588 if (!list_empty(&evm_config_xattrnames)) { 589 list_for_each_safe(pos, q, &evm_config_xattrnames) 590 list_del(pos); 591 } 592 } 593 594 return error; 595} 596 597late_initcall(init_evm); 598