1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2005-2010 IBM Corporation 4 * 5 * Author: 6 * Mimi Zohar <zohar@us.ibm.com> 7 * Kylene Hall <kjhall@us.ibm.com> 8 * 9 * File: evm_main.c 10 * implements evm_inode_setxattr, evm_inode_post_setxattr, 11 * evm_inode_removexattr, and evm_verifyxattr 12 */ 13 14 #include <linux/init.h> 15 #include <linux/crypto.h> 16 #include <linux/audit.h> 17 #include <linux/xattr.h> 18 #include <linux/integrity.h> 19 #include <linux/evm.h> 20 #include <linux/magic.h> 21 22 #include <crypto/hash.h> 23 #include <crypto/hash_info.h> 24 #include <crypto/algapi.h> 25 #include "evm.h" 26 27 int evm_initialized; 28 29 static const char * const integrity_status_msg[] = { 30 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 31 }; 32 int evm_hmac_attrs; 33 34 static struct xattr_list evm_config_default_xattrnames[] = { 35 #ifdef CONFIG_SECURITY_SELINUX 36 {.name = XATTR_NAME_SELINUX}, 37 #endif 38 #ifdef CONFIG_SECURITY_SMACK 39 {.name = XATTR_NAME_SMACK}, 40 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 41 {.name = XATTR_NAME_SMACKEXEC}, 42 {.name = XATTR_NAME_SMACKTRANSMUTE}, 43 {.name = XATTR_NAME_SMACKMMAP}, 44 #endif 45 #endif 46 #ifdef CONFIG_SECURITY_APPARMOR 47 {.name = XATTR_NAME_APPARMOR}, 48 #endif 49 #ifdef CONFIG_IMA_APPRAISE 50 {.name = XATTR_NAME_IMA}, 51 #endif 52 {.name = XATTR_NAME_CAPS}, 53 }; 54 55 LIST_HEAD(evm_config_xattrnames); 56 57 static int evm_fixmode; 58 static int __init evm_set_fixmode(char *str) 59 { 60 if (strncmp(str, "fix", 3) == 0) 61 evm_fixmode = 1; 62 return 0; 63 } 64 __setup("evm=", evm_set_fixmode); 65 66 static void __init evm_init_config(void) 67 { 68 int i, xattrs; 69 70 xattrs = ARRAY_SIZE(evm_config_default_xattrnames); 71 72 pr_info("Initialising EVM extended attributes:\n"); 73 for (i = 0; i < xattrs; i++) { 74 pr_info("%s\n", evm_config_default_xattrnames[i].name); 75 list_add_tail(&evm_config_default_xattrnames[i].list, 76 &evm_config_xattrnames); 77 } 78 79 #ifdef CONFIG_EVM_ATTR_FSUUID 80 evm_hmac_attrs |= EVM_ATTR_FSUUID; 81 #endif 82 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 83 } 84 85 static bool evm_key_loaded(void) 86 { 87 return (bool)(evm_initialized & EVM_KEY_MASK); 88 } 89 90 static int evm_find_protected_xattrs(struct dentry *dentry) 91 { 92 struct inode *inode = d_backing_inode(dentry); 93 struct xattr_list *xattr; 94 int error; 95 int count = 0; 96 97 if (!(inode->i_opflags & IOP_XATTR)) 98 return -EOPNOTSUPP; 99 100 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { 101 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); 102 if (error < 0) { 103 if (error == -ENODATA) 104 continue; 105 return error; 106 } 107 count++; 108 } 109 110 return count; 111 } 112 113 /* 114 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 115 * 116 * Compute the HMAC on the dentry's protected set of extended attributes 117 * and compare it against the stored security.evm xattr. 118 * 119 * For performance: 120 * - use the previoulsy retrieved xattr value and length to calculate the 121 * HMAC.) 122 * - cache the verification result in the iint, when available. 123 * 124 * Returns integrity status 125 */ 126 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 127 const char *xattr_name, 128 char *xattr_value, 129 size_t xattr_value_len, 130 struct integrity_iint_cache *iint) 131 { 132 struct evm_ima_xattr_data *xattr_data = NULL; 133 struct signature_v2_hdr *hdr; 134 enum integrity_status evm_status = INTEGRITY_PASS; 135 struct evm_digest digest; 136 struct inode *inode; 137 int rc, xattr_len; 138 139 if (iint && (iint->evm_status == INTEGRITY_PASS || 140 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 141 return iint->evm_status; 142 143 /* if status is not PASS, try to check again - against -ENOMEM */ 144 145 /* first need to know the sig type */ 146 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 147 GFP_NOFS); 148 if (rc <= 0) { 149 evm_status = INTEGRITY_FAIL; 150 if (rc == -ENODATA) { 151 rc = evm_find_protected_xattrs(dentry); 152 if (rc > 0) 153 evm_status = INTEGRITY_NOLABEL; 154 else if (rc == 0) 155 evm_status = INTEGRITY_NOXATTRS; /* new file */ 156 } else if (rc == -EOPNOTSUPP) { 157 evm_status = INTEGRITY_UNKNOWN; 158 } 159 goto out; 160 } 161 162 xattr_len = rc; 163 164 /* check value type */ 165 switch (xattr_data->type) { 166 case EVM_XATTR_HMAC: 167 if (xattr_len != sizeof(struct evm_xattr)) { 168 evm_status = INTEGRITY_FAIL; 169 goto out; 170 } 171 172 digest.hdr.algo = HASH_ALGO_SHA1; 173 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 174 xattr_value_len, &digest); 175 if (rc) 176 break; 177 rc = crypto_memneq(xattr_data->data, digest.digest, 178 SHA1_DIGEST_SIZE); 179 if (rc) 180 rc = -EINVAL; 181 break; 182 case EVM_IMA_XATTR_DIGSIG: 183 case EVM_XATTR_PORTABLE_DIGSIG: 184 hdr = (struct signature_v2_hdr *)xattr_data; 185 digest.hdr.algo = hdr->hash_algo; 186 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 187 xattr_value_len, xattr_data->type, &digest); 188 if (rc) 189 break; 190 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 191 (const char *)xattr_data, xattr_len, 192 digest.digest, digest.hdr.length); 193 if (!rc) { 194 inode = d_backing_inode(dentry); 195 196 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 197 if (iint) 198 iint->flags |= EVM_IMMUTABLE_DIGSIG; 199 evm_status = INTEGRITY_PASS_IMMUTABLE; 200 } else if (!IS_RDONLY(inode) && 201 !(inode->i_sb->s_readonly_remount) && 202 !IS_IMMUTABLE(inode)) { 203 evm_update_evmxattr(dentry, xattr_name, 204 xattr_value, 205 xattr_value_len); 206 } 207 } 208 break; 209 default: 210 rc = -EINVAL; 211 break; 212 } 213 214 if (rc) 215 evm_status = (rc == -ENODATA) ? 216 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 217 out: 218 if (iint) 219 iint->evm_status = evm_status; 220 kfree(xattr_data); 221 return evm_status; 222 } 223 224 static int evm_protected_xattr(const char *req_xattr_name) 225 { 226 int namelen; 227 int found = 0; 228 struct xattr_list *xattr; 229 230 namelen = strlen(req_xattr_name); 231 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { 232 if ((strlen(xattr->name) == namelen) 233 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { 234 found = 1; 235 break; 236 } 237 if (strncmp(req_xattr_name, 238 xattr->name + XATTR_SECURITY_PREFIX_LEN, 239 strlen(req_xattr_name)) == 0) { 240 found = 1; 241 break; 242 } 243 } 244 245 return found; 246 } 247 248 /** 249 * evm_verifyxattr - verify the integrity of the requested xattr 250 * @dentry: object of the verify xattr 251 * @xattr_name: requested xattr 252 * @xattr_value: requested xattr value 253 * @xattr_value_len: requested xattr value length 254 * 255 * Calculate the HMAC for the given dentry and verify it against the stored 256 * security.evm xattr. For performance, use the xattr value and length 257 * previously retrieved to calculate the HMAC. 258 * 259 * Returns the xattr integrity status. 260 * 261 * This function requires the caller to lock the inode's i_mutex before it 262 * is executed. 263 */ 264 enum integrity_status evm_verifyxattr(struct dentry *dentry, 265 const char *xattr_name, 266 void *xattr_value, size_t xattr_value_len, 267 struct integrity_iint_cache *iint) 268 { 269 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 270 return INTEGRITY_UNKNOWN; 271 272 if (!iint) { 273 iint = integrity_iint_find(d_backing_inode(dentry)); 274 if (!iint) 275 return INTEGRITY_UNKNOWN; 276 } 277 return evm_verify_hmac(dentry, xattr_name, xattr_value, 278 xattr_value_len, iint); 279 } 280 EXPORT_SYMBOL_GPL(evm_verifyxattr); 281 282 /* 283 * evm_verify_current_integrity - verify the dentry's metadata integrity 284 * @dentry: pointer to the affected dentry 285 * 286 * Verify and return the dentry's metadata integrity. The exceptions are 287 * before EVM is initialized or in 'fix' mode. 288 */ 289 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 290 { 291 struct inode *inode = d_backing_inode(dentry); 292 293 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 294 return 0; 295 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 296 } 297 298 /* 299 * evm_protect_xattr - protect the EVM extended attribute 300 * 301 * Prevent security.evm from being modified or removed without the 302 * necessary permissions or when the existing value is invalid. 303 * 304 * The posix xattr acls are 'system' prefixed, which normally would not 305 * affect security.evm. An interesting side affect of writing posix xattr 306 * acls is their modifying of the i_mode, which is included in security.evm. 307 * For posix xattr acls only, permit security.evm, even if it currently 308 * doesn't exist, to be updated unless the EVM signature is immutable. 309 */ 310 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 311 const void *xattr_value, size_t xattr_value_len) 312 { 313 enum integrity_status evm_status; 314 315 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 316 if (!capable(CAP_SYS_ADMIN)) 317 return -EPERM; 318 } else if (!evm_protected_xattr(xattr_name)) { 319 if (!posix_xattr_acl(xattr_name)) 320 return 0; 321 evm_status = evm_verify_current_integrity(dentry); 322 if ((evm_status == INTEGRITY_PASS) || 323 (evm_status == INTEGRITY_NOXATTRS)) 324 return 0; 325 goto out; 326 } 327 328 evm_status = evm_verify_current_integrity(dentry); 329 if (evm_status == INTEGRITY_NOXATTRS) { 330 struct integrity_iint_cache *iint; 331 332 iint = integrity_iint_find(d_backing_inode(dentry)); 333 if (iint && (iint->flags & IMA_NEW_FILE)) 334 return 0; 335 336 /* exception for pseudo filesystems */ 337 if (dentry->d_sb->s_magic == TMPFS_MAGIC 338 || dentry->d_sb->s_magic == SYSFS_MAGIC) 339 return 0; 340 341 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 342 dentry->d_inode, dentry->d_name.name, 343 "update_metadata", 344 integrity_status_msg[evm_status], 345 -EPERM, 0); 346 } 347 out: 348 if (evm_status != INTEGRITY_PASS) 349 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 350 dentry->d_name.name, "appraise_metadata", 351 integrity_status_msg[evm_status], 352 -EPERM, 0); 353 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 354 } 355 356 /** 357 * evm_inode_setxattr - protect the EVM extended attribute 358 * @dentry: pointer to the affected dentry 359 * @xattr_name: pointer to the affected extended attribute name 360 * @xattr_value: pointer to the new extended attribute value 361 * @xattr_value_len: pointer to the new extended attribute value length 362 * 363 * Before allowing the 'security.evm' protected xattr to be updated, 364 * verify the existing value is valid. As only the kernel should have 365 * access to the EVM encrypted key needed to calculate the HMAC, prevent 366 * userspace from writing HMAC value. Writing 'security.evm' requires 367 * requires CAP_SYS_ADMIN privileges. 368 */ 369 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 370 const void *xattr_value, size_t xattr_value_len) 371 { 372 const struct evm_ima_xattr_data *xattr_data = xattr_value; 373 374 /* Policy permits modification of the protected xattrs even though 375 * there's no HMAC key loaded 376 */ 377 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 378 return 0; 379 380 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 381 if (!xattr_value_len) 382 return -EINVAL; 383 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 384 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 385 return -EPERM; 386 } 387 return evm_protect_xattr(dentry, xattr_name, xattr_value, 388 xattr_value_len); 389 } 390 391 /** 392 * evm_inode_removexattr - protect the EVM extended attribute 393 * @dentry: pointer to the affected dentry 394 * @xattr_name: pointer to the affected extended attribute name 395 * 396 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 397 * the current value is valid. 398 */ 399 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 400 { 401 /* Policy permits modification of the protected xattrs even though 402 * there's no HMAC key loaded 403 */ 404 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 405 return 0; 406 407 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 408 } 409 410 static void evm_reset_status(struct inode *inode) 411 { 412 struct integrity_iint_cache *iint; 413 414 iint = integrity_iint_find(inode); 415 if (iint) 416 iint->evm_status = INTEGRITY_UNKNOWN; 417 } 418 419 /** 420 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 421 * @dentry: pointer to the affected dentry 422 * @xattr_name: pointer to the affected extended attribute name 423 * @xattr_value: pointer to the new extended attribute value 424 * @xattr_value_len: pointer to the new extended attribute value length 425 * 426 * Update the HMAC stored in 'security.evm' to reflect the change. 427 * 428 * No need to take the i_mutex lock here, as this function is called from 429 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 430 * i_mutex lock. 431 */ 432 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 433 const void *xattr_value, size_t xattr_value_len) 434 { 435 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 436 && !posix_xattr_acl(xattr_name))) 437 return; 438 439 evm_reset_status(dentry->d_inode); 440 441 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 442 } 443 444 /** 445 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 446 * @dentry: pointer to the affected dentry 447 * @xattr_name: pointer to the affected extended attribute name 448 * 449 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 450 * 451 * No need to take the i_mutex lock here, as this function is called from 452 * vfs_removexattr() which takes the i_mutex. 453 */ 454 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 455 { 456 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 457 return; 458 459 evm_reset_status(dentry->d_inode); 460 461 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 462 } 463 464 /** 465 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 466 * @dentry: pointer to the affected dentry 467 * 468 * Permit update of file attributes when files have a valid EVM signature, 469 * except in the case of them having an immutable portable signature. 470 */ 471 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 472 { 473 unsigned int ia_valid = attr->ia_valid; 474 enum integrity_status evm_status; 475 476 /* Policy permits modification of the protected attrs even though 477 * there's no HMAC key loaded 478 */ 479 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 480 return 0; 481 482 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 483 return 0; 484 evm_status = evm_verify_current_integrity(dentry); 485 if ((evm_status == INTEGRITY_PASS) || 486 (evm_status == INTEGRITY_NOXATTRS)) 487 return 0; 488 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 489 dentry->d_name.name, "appraise_metadata", 490 integrity_status_msg[evm_status], -EPERM, 0); 491 return -EPERM; 492 } 493 494 /** 495 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 496 * @dentry: pointer to the affected dentry 497 * @ia_valid: for the UID and GID status 498 * 499 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 500 * changes. 501 * 502 * This function is called from notify_change(), which expects the caller 503 * to lock the inode's i_mutex. 504 */ 505 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 506 { 507 if (!evm_key_loaded()) 508 return; 509 510 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 511 evm_update_evmxattr(dentry, NULL, NULL, 0); 512 } 513 514 /* 515 * evm_inode_init_security - initializes security.evm 516 */ 517 int evm_inode_init_security(struct inode *inode, 518 const struct xattr *lsm_xattr, 519 struct xattr *evm_xattr) 520 { 521 struct evm_xattr *xattr_data; 522 int rc; 523 524 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) 525 return 0; 526 527 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 528 if (!xattr_data) 529 return -ENOMEM; 530 531 xattr_data->data.type = EVM_XATTR_HMAC; 532 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 533 if (rc < 0) 534 goto out; 535 536 evm_xattr->value = xattr_data; 537 evm_xattr->value_len = sizeof(*xattr_data); 538 evm_xattr->name = XATTR_EVM_SUFFIX; 539 return 0; 540 out: 541 kfree(xattr_data); 542 return rc; 543 } 544 EXPORT_SYMBOL_GPL(evm_inode_init_security); 545 546 #ifdef CONFIG_EVM_LOAD_X509 547 void __init evm_load_x509(void) 548 { 549 int rc; 550 551 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 552 if (!rc) 553 evm_initialized |= EVM_INIT_X509; 554 } 555 #endif 556 557 static int __init init_evm(void) 558 { 559 int error; 560 struct list_head *pos, *q; 561 562 evm_init_config(); 563 564 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 565 if (error) 566 goto error; 567 568 error = evm_init_secfs(); 569 if (error < 0) { 570 pr_info("Error registering secfs\n"); 571 goto error; 572 } 573 574 error: 575 if (error != 0) { 576 if (!list_empty(&evm_config_xattrnames)) { 577 list_for_each_safe(pos, q, &evm_config_xattrnames) 578 list_del(pos); 579 } 580 } 581 582 return error; 583 } 584 585 late_initcall(init_evm); 586