1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2005-2010 IBM Corporation 4 * 5 * Author: 6 * Mimi Zohar <zohar@us.ibm.com> 7 * Kylene Hall <kjhall@us.ibm.com> 8 * 9 * File: evm_main.c 10 * implements evm_inode_setxattr, evm_inode_post_setxattr, 11 * evm_inode_removexattr, and evm_verifyxattr 12 */ 13 14 #include <linux/init.h> 15 #include <linux/crypto.h> 16 #include <linux/audit.h> 17 #include <linux/xattr.h> 18 #include <linux/integrity.h> 19 #include <linux/evm.h> 20 #include <linux/magic.h> 21 22 #include <crypto/hash.h> 23 #include <crypto/hash_info.h> 24 #include <crypto/algapi.h> 25 #include "evm.h" 26 27 int evm_initialized; 28 29 static const char * const integrity_status_msg[] = { 30 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 31 }; 32 int evm_hmac_attrs; 33 34 static struct xattr_list evm_config_default_xattrnames[] = { 35 #ifdef CONFIG_SECURITY_SELINUX 36 {.name = XATTR_NAME_SELINUX}, 37 #endif 38 #ifdef CONFIG_SECURITY_SMACK 39 {.name = XATTR_NAME_SMACK}, 40 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 41 {.name = XATTR_NAME_SMACKEXEC}, 42 {.name = XATTR_NAME_SMACKTRANSMUTE}, 43 {.name = XATTR_NAME_SMACKMMAP}, 44 #endif 45 #endif 46 #ifdef CONFIG_SECURITY_APPARMOR 47 {.name = XATTR_NAME_APPARMOR}, 48 #endif 49 #ifdef CONFIG_IMA_APPRAISE 50 {.name = XATTR_NAME_IMA}, 51 #endif 52 {.name = XATTR_NAME_CAPS}, 53 }; 54 55 LIST_HEAD(evm_config_xattrnames); 56 57 static int evm_fixmode; 58 static int __init evm_set_fixmode(char *str) 59 { 60 if (strncmp(str, "fix", 3) == 0) 61 evm_fixmode = 1; 62 else 63 pr_err("invalid \"%s\" mode", str); 64 65 return 0; 66 } 67 __setup("evm=", evm_set_fixmode); 68 69 static void __init evm_init_config(void) 70 { 71 int i, xattrs; 72 73 xattrs = ARRAY_SIZE(evm_config_default_xattrnames); 74 75 pr_info("Initialising EVM extended attributes:\n"); 76 for (i = 0; i < xattrs; i++) { 77 pr_info("%s\n", evm_config_default_xattrnames[i].name); 78 list_add_tail(&evm_config_default_xattrnames[i].list, 79 &evm_config_xattrnames); 80 } 81 82 #ifdef CONFIG_EVM_ATTR_FSUUID 83 evm_hmac_attrs |= EVM_ATTR_FSUUID; 84 #endif 85 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 86 } 87 88 static bool evm_key_loaded(void) 89 { 90 return (bool)(evm_initialized & EVM_KEY_MASK); 91 } 92 93 static int evm_find_protected_xattrs(struct dentry *dentry) 94 { 95 struct inode *inode = d_backing_inode(dentry); 96 struct xattr_list *xattr; 97 int error; 98 int count = 0; 99 100 if (!(inode->i_opflags & IOP_XATTR)) 101 return -EOPNOTSUPP; 102 103 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 104 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); 105 if (error < 0) { 106 if (error == -ENODATA) 107 continue; 108 return error; 109 } 110 count++; 111 } 112 113 return count; 114 } 115 116 /* 117 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 118 * 119 * Compute the HMAC on the dentry's protected set of extended attributes 120 * and compare it against the stored security.evm xattr. 121 * 122 * For performance: 123 * - use the previoulsy retrieved xattr value and length to calculate the 124 * HMAC.) 125 * - cache the verification result in the iint, when available. 126 * 127 * Returns integrity status 128 */ 129 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 130 const char *xattr_name, 131 char *xattr_value, 132 size_t xattr_value_len, 133 struct integrity_iint_cache *iint) 134 { 135 struct evm_ima_xattr_data *xattr_data = NULL; 136 struct signature_v2_hdr *hdr; 137 enum integrity_status evm_status = INTEGRITY_PASS; 138 struct evm_digest digest; 139 struct inode *inode; 140 int rc, xattr_len; 141 142 if (iint && (iint->evm_status == INTEGRITY_PASS || 143 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 144 return iint->evm_status; 145 146 /* if status is not PASS, try to check again - against -ENOMEM */ 147 148 /* first need to know the sig type */ 149 rc = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_EVM, 150 (char **)&xattr_data, 0, GFP_NOFS); 151 if (rc <= 0) { 152 evm_status = INTEGRITY_FAIL; 153 if (rc == -ENODATA) { 154 rc = evm_find_protected_xattrs(dentry); 155 if (rc > 0) 156 evm_status = INTEGRITY_NOLABEL; 157 else if (rc == 0) 158 evm_status = INTEGRITY_NOXATTRS; /* new file */ 159 } else if (rc == -EOPNOTSUPP) { 160 evm_status = INTEGRITY_UNKNOWN; 161 } 162 goto out; 163 } 164 165 xattr_len = rc; 166 167 /* check value type */ 168 switch (xattr_data->type) { 169 case EVM_XATTR_HMAC: 170 if (xattr_len != sizeof(struct evm_xattr)) { 171 evm_status = INTEGRITY_FAIL; 172 goto out; 173 } 174 175 digest.hdr.algo = HASH_ALGO_SHA1; 176 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 177 xattr_value_len, &digest); 178 if (rc) 179 break; 180 rc = crypto_memneq(xattr_data->data, digest.digest, 181 SHA1_DIGEST_SIZE); 182 if (rc) 183 rc = -EINVAL; 184 break; 185 case EVM_IMA_XATTR_DIGSIG: 186 case EVM_XATTR_PORTABLE_DIGSIG: 187 /* accept xattr with non-empty signature field */ 188 if (xattr_len <= sizeof(struct signature_v2_hdr)) { 189 evm_status = INTEGRITY_FAIL; 190 goto out; 191 } 192 193 hdr = (struct signature_v2_hdr *)xattr_data; 194 digest.hdr.algo = hdr->hash_algo; 195 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 196 xattr_value_len, xattr_data->type, &digest); 197 if (rc) 198 break; 199 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 200 (const char *)xattr_data, xattr_len, 201 digest.digest, digest.hdr.length); 202 if (!rc) { 203 inode = d_backing_inode(dentry); 204 205 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 206 if (iint) 207 iint->flags |= EVM_IMMUTABLE_DIGSIG; 208 evm_status = INTEGRITY_PASS_IMMUTABLE; 209 } else if (!IS_RDONLY(inode) && 210 !(inode->i_sb->s_readonly_remount) && 211 !IS_IMMUTABLE(inode)) { 212 evm_update_evmxattr(dentry, xattr_name, 213 xattr_value, 214 xattr_value_len); 215 } 216 } 217 break; 218 default: 219 rc = -EINVAL; 220 break; 221 } 222 223 if (rc) 224 evm_status = (rc == -ENODATA) ? 225 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 226 out: 227 if (iint) 228 iint->evm_status = evm_status; 229 kfree(xattr_data); 230 return evm_status; 231 } 232 233 static int evm_protected_xattr(const char *req_xattr_name) 234 { 235 int namelen; 236 int found = 0; 237 struct xattr_list *xattr; 238 239 namelen = strlen(req_xattr_name); 240 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 241 if ((strlen(xattr->name) == namelen) 242 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { 243 found = 1; 244 break; 245 } 246 if (strncmp(req_xattr_name, 247 xattr->name + XATTR_SECURITY_PREFIX_LEN, 248 strlen(req_xattr_name)) == 0) { 249 found = 1; 250 break; 251 } 252 } 253 254 return found; 255 } 256 257 /** 258 * evm_verifyxattr - verify the integrity of the requested xattr 259 * @dentry: object of the verify xattr 260 * @xattr_name: requested xattr 261 * @xattr_value: requested xattr value 262 * @xattr_value_len: requested xattr value length 263 * 264 * Calculate the HMAC for the given dentry and verify it against the stored 265 * security.evm xattr. For performance, use the xattr value and length 266 * previously retrieved to calculate the HMAC. 267 * 268 * Returns the xattr integrity status. 269 * 270 * This function requires the caller to lock the inode's i_mutex before it 271 * is executed. 272 */ 273 enum integrity_status evm_verifyxattr(struct dentry *dentry, 274 const char *xattr_name, 275 void *xattr_value, size_t xattr_value_len, 276 struct integrity_iint_cache *iint) 277 { 278 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 279 return INTEGRITY_UNKNOWN; 280 281 if (!iint) { 282 iint = integrity_iint_find(d_backing_inode(dentry)); 283 if (!iint) 284 return INTEGRITY_UNKNOWN; 285 } 286 return evm_verify_hmac(dentry, xattr_name, xattr_value, 287 xattr_value_len, iint); 288 } 289 EXPORT_SYMBOL_GPL(evm_verifyxattr); 290 291 /* 292 * evm_verify_current_integrity - verify the dentry's metadata integrity 293 * @dentry: pointer to the affected dentry 294 * 295 * Verify and return the dentry's metadata integrity. The exceptions are 296 * before EVM is initialized or in 'fix' mode. 297 */ 298 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 299 { 300 struct inode *inode = d_backing_inode(dentry); 301 302 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 303 return 0; 304 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 305 } 306 307 /* 308 * evm_protect_xattr - protect the EVM extended attribute 309 * 310 * Prevent security.evm from being modified or removed without the 311 * necessary permissions or when the existing value is invalid. 312 * 313 * The posix xattr acls are 'system' prefixed, which normally would not 314 * affect security.evm. An interesting side affect of writing posix xattr 315 * acls is their modifying of the i_mode, which is included in security.evm. 316 * For posix xattr acls only, permit security.evm, even if it currently 317 * doesn't exist, to be updated unless the EVM signature is immutable. 318 */ 319 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 320 const void *xattr_value, size_t xattr_value_len) 321 { 322 enum integrity_status evm_status; 323 324 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 325 if (!capable(CAP_SYS_ADMIN)) 326 return -EPERM; 327 } else if (!evm_protected_xattr(xattr_name)) { 328 if (!posix_xattr_acl(xattr_name)) 329 return 0; 330 evm_status = evm_verify_current_integrity(dentry); 331 if ((evm_status == INTEGRITY_PASS) || 332 (evm_status == INTEGRITY_NOXATTRS)) 333 return 0; 334 goto out; 335 } 336 337 evm_status = evm_verify_current_integrity(dentry); 338 if (evm_status == INTEGRITY_NOXATTRS) { 339 struct integrity_iint_cache *iint; 340 341 iint = integrity_iint_find(d_backing_inode(dentry)); 342 if (iint && (iint->flags & IMA_NEW_FILE)) 343 return 0; 344 345 /* exception for pseudo filesystems */ 346 if (dentry->d_sb->s_magic == TMPFS_MAGIC 347 || dentry->d_sb->s_magic == SYSFS_MAGIC) 348 return 0; 349 350 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 351 dentry->d_inode, dentry->d_name.name, 352 "update_metadata", 353 integrity_status_msg[evm_status], 354 -EPERM, 0); 355 } 356 out: 357 if (evm_status != INTEGRITY_PASS) 358 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 359 dentry->d_name.name, "appraise_metadata", 360 integrity_status_msg[evm_status], 361 -EPERM, 0); 362 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 363 } 364 365 /** 366 * evm_inode_setxattr - protect the EVM extended attribute 367 * @dentry: pointer to the affected dentry 368 * @xattr_name: pointer to the affected extended attribute name 369 * @xattr_value: pointer to the new extended attribute value 370 * @xattr_value_len: pointer to the new extended attribute value length 371 * 372 * Before allowing the 'security.evm' protected xattr to be updated, 373 * verify the existing value is valid. As only the kernel should have 374 * access to the EVM encrypted key needed to calculate the HMAC, prevent 375 * userspace from writing HMAC value. Writing 'security.evm' requires 376 * requires CAP_SYS_ADMIN privileges. 377 */ 378 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 379 const void *xattr_value, size_t xattr_value_len) 380 { 381 const struct evm_ima_xattr_data *xattr_data = xattr_value; 382 383 /* Policy permits modification of the protected xattrs even though 384 * there's no HMAC key loaded 385 */ 386 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 387 return 0; 388 389 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 390 if (!xattr_value_len) 391 return -EINVAL; 392 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 393 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 394 return -EPERM; 395 } 396 return evm_protect_xattr(dentry, xattr_name, xattr_value, 397 xattr_value_len); 398 } 399 400 /** 401 * evm_inode_removexattr - protect the EVM extended attribute 402 * @dentry: pointer to the affected dentry 403 * @xattr_name: pointer to the affected extended attribute name 404 * 405 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 406 * the current value is valid. 407 */ 408 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 409 { 410 /* Policy permits modification of the protected xattrs even though 411 * there's no HMAC key loaded 412 */ 413 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 414 return 0; 415 416 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 417 } 418 419 static void evm_reset_status(struct inode *inode) 420 { 421 struct integrity_iint_cache *iint; 422 423 iint = integrity_iint_find(inode); 424 if (iint) 425 iint->evm_status = INTEGRITY_UNKNOWN; 426 } 427 428 /** 429 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 430 * @dentry: pointer to the affected dentry 431 * @xattr_name: pointer to the affected extended attribute name 432 * @xattr_value: pointer to the new extended attribute value 433 * @xattr_value_len: pointer to the new extended attribute value length 434 * 435 * Update the HMAC stored in 'security.evm' to reflect the change. 436 * 437 * No need to take the i_mutex lock here, as this function is called from 438 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 439 * i_mutex lock. 440 */ 441 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 442 const void *xattr_value, size_t xattr_value_len) 443 { 444 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 445 && !posix_xattr_acl(xattr_name))) 446 return; 447 448 evm_reset_status(dentry->d_inode); 449 450 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 451 } 452 453 /** 454 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 455 * @dentry: pointer to the affected dentry 456 * @xattr_name: pointer to the affected extended attribute name 457 * 458 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 459 * 460 * No need to take the i_mutex lock here, as this function is called from 461 * vfs_removexattr() which takes the i_mutex. 462 */ 463 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 464 { 465 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 466 return; 467 468 evm_reset_status(dentry->d_inode); 469 470 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 471 } 472 473 /** 474 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 475 * @dentry: pointer to the affected dentry 476 * 477 * Permit update of file attributes when files have a valid EVM signature, 478 * except in the case of them having an immutable portable signature. 479 */ 480 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 481 { 482 unsigned int ia_valid = attr->ia_valid; 483 enum integrity_status evm_status; 484 485 /* Policy permits modification of the protected attrs even though 486 * there's no HMAC key loaded 487 */ 488 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 489 return 0; 490 491 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 492 return 0; 493 evm_status = evm_verify_current_integrity(dentry); 494 if ((evm_status == INTEGRITY_PASS) || 495 (evm_status == INTEGRITY_NOXATTRS)) 496 return 0; 497 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 498 dentry->d_name.name, "appraise_metadata", 499 integrity_status_msg[evm_status], -EPERM, 0); 500 return -EPERM; 501 } 502 503 /** 504 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 505 * @dentry: pointer to the affected dentry 506 * @ia_valid: for the UID and GID status 507 * 508 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 509 * changes. 510 * 511 * This function is called from notify_change(), which expects the caller 512 * to lock the inode's i_mutex. 513 */ 514 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 515 { 516 if (!evm_key_loaded()) 517 return; 518 519 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 520 evm_update_evmxattr(dentry, NULL, NULL, 0); 521 } 522 523 /* 524 * evm_inode_init_security - initializes security.evm 525 */ 526 int evm_inode_init_security(struct inode *inode, 527 const struct xattr *lsm_xattr, 528 struct xattr *evm_xattr) 529 { 530 struct evm_xattr *xattr_data; 531 int rc; 532 533 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) 534 return 0; 535 536 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 537 if (!xattr_data) 538 return -ENOMEM; 539 540 xattr_data->data.type = EVM_XATTR_HMAC; 541 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 542 if (rc < 0) 543 goto out; 544 545 evm_xattr->value = xattr_data; 546 evm_xattr->value_len = sizeof(*xattr_data); 547 evm_xattr->name = XATTR_EVM_SUFFIX; 548 return 0; 549 out: 550 kfree(xattr_data); 551 return rc; 552 } 553 EXPORT_SYMBOL_GPL(evm_inode_init_security); 554 555 #ifdef CONFIG_EVM_LOAD_X509 556 void __init evm_load_x509(void) 557 { 558 int rc; 559 560 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 561 if (!rc) 562 evm_initialized |= EVM_INIT_X509; 563 } 564 #endif 565 566 static int __init init_evm(void) 567 { 568 int error; 569 struct list_head *pos, *q; 570 571 evm_init_config(); 572 573 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 574 if (error) 575 goto error; 576 577 error = evm_init_secfs(); 578 if (error < 0) { 579 pr_info("Error registering secfs\n"); 580 goto error; 581 } 582 583 error: 584 if (error != 0) { 585 if (!list_empty(&evm_config_xattrnames)) { 586 list_for_each_safe(pos, q, &evm_config_xattrnames) 587 list_del(pos); 588 } 589 } 590 591 return error; 592 } 593 594 late_initcall(init_evm); 595