1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2005-2010 IBM Corporation 4 * 5 * Author: 6 * Mimi Zohar <zohar@us.ibm.com> 7 * Kylene Hall <kjhall@us.ibm.com> 8 * 9 * File: evm_main.c 10 * implements evm_inode_setxattr, evm_inode_post_setxattr, 11 * evm_inode_removexattr, and evm_verifyxattr 12 */ 13 14 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 15 16 #include <linux/init.h> 17 #include <linux/crypto.h> 18 #include <linux/audit.h> 19 #include <linux/xattr.h> 20 #include <linux/integrity.h> 21 #include <linux/evm.h> 22 #include <linux/magic.h> 23 24 #include <crypto/hash.h> 25 #include <crypto/hash_info.h> 26 #include <crypto/algapi.h> 27 #include "evm.h" 28 29 int evm_initialized; 30 31 static const char * const integrity_status_msg[] = { 32 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 33 }; 34 int evm_hmac_attrs; 35 36 static struct xattr_list evm_config_default_xattrnames[] = { 37 #ifdef CONFIG_SECURITY_SELINUX 38 {.name = XATTR_NAME_SELINUX}, 39 #endif 40 #ifdef CONFIG_SECURITY_SMACK 41 {.name = XATTR_NAME_SMACK}, 42 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 43 {.name = XATTR_NAME_SMACKEXEC}, 44 {.name = XATTR_NAME_SMACKTRANSMUTE}, 45 {.name = XATTR_NAME_SMACKMMAP}, 46 #endif 47 #endif 48 #ifdef CONFIG_SECURITY_APPARMOR 49 {.name = XATTR_NAME_APPARMOR}, 50 #endif 51 #ifdef CONFIG_IMA_APPRAISE 52 {.name = XATTR_NAME_IMA}, 53 #endif 54 {.name = XATTR_NAME_CAPS}, 55 }; 56 57 LIST_HEAD(evm_config_xattrnames); 58 59 static int evm_fixmode; 60 static int __init evm_set_fixmode(char *str) 61 { 62 if (strncmp(str, "fix", 3) == 0) 63 evm_fixmode = 1; 64 return 0; 65 } 66 __setup("evm=", evm_set_fixmode); 67 68 static void __init evm_init_config(void) 69 { 70 int i, xattrs; 71 72 xattrs = ARRAY_SIZE(evm_config_default_xattrnames); 73 74 pr_info("Initialising EVM extended attributes:\n"); 75 for (i = 0; i < xattrs; i++) { 76 pr_info("%s\n", evm_config_default_xattrnames[i].name); 77 list_add_tail(&evm_config_default_xattrnames[i].list, 78 &evm_config_xattrnames); 79 } 80 81 #ifdef CONFIG_EVM_ATTR_FSUUID 82 evm_hmac_attrs |= EVM_ATTR_FSUUID; 83 #endif 84 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 85 } 86 87 static bool evm_key_loaded(void) 88 { 89 return (bool)(evm_initialized & EVM_KEY_MASK); 90 } 91 92 static int evm_find_protected_xattrs(struct dentry *dentry) 93 { 94 struct inode *inode = d_backing_inode(dentry); 95 struct xattr_list *xattr; 96 int error; 97 int count = 0; 98 99 if (!(inode->i_opflags & IOP_XATTR)) 100 return -EOPNOTSUPP; 101 102 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { 103 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); 104 if (error < 0) { 105 if (error == -ENODATA) 106 continue; 107 return error; 108 } 109 count++; 110 } 111 112 return count; 113 } 114 115 /* 116 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 117 * 118 * Compute the HMAC on the dentry's protected set of extended attributes 119 * and compare it against the stored security.evm xattr. 120 * 121 * For performance: 122 * - use the previoulsy retrieved xattr value and length to calculate the 123 * HMAC.) 124 * - cache the verification result in the iint, when available. 125 * 126 * Returns integrity status 127 */ 128 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 129 const char *xattr_name, 130 char *xattr_value, 131 size_t xattr_value_len, 132 struct integrity_iint_cache *iint) 133 { 134 struct evm_ima_xattr_data *xattr_data = NULL; 135 struct signature_v2_hdr *hdr; 136 enum integrity_status evm_status = INTEGRITY_PASS; 137 struct evm_digest digest; 138 struct inode *inode; 139 int rc, xattr_len; 140 141 if (iint && (iint->evm_status == INTEGRITY_PASS || 142 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 143 return iint->evm_status; 144 145 /* if status is not PASS, try to check again - against -ENOMEM */ 146 147 /* first need to know the sig type */ 148 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 149 GFP_NOFS); 150 if (rc <= 0) { 151 evm_status = INTEGRITY_FAIL; 152 if (rc == -ENODATA) { 153 rc = evm_find_protected_xattrs(dentry); 154 if (rc > 0) 155 evm_status = INTEGRITY_NOLABEL; 156 else if (rc == 0) 157 evm_status = INTEGRITY_NOXATTRS; /* new file */ 158 } else if (rc == -EOPNOTSUPP) { 159 evm_status = INTEGRITY_UNKNOWN; 160 } 161 goto out; 162 } 163 164 xattr_len = rc; 165 166 /* check value type */ 167 switch (xattr_data->type) { 168 case EVM_XATTR_HMAC: 169 if (xattr_len != sizeof(struct evm_xattr)) { 170 evm_status = INTEGRITY_FAIL; 171 goto out; 172 } 173 174 digest.hdr.algo = HASH_ALGO_SHA1; 175 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 176 xattr_value_len, &digest); 177 if (rc) 178 break; 179 rc = crypto_memneq(xattr_data->data, digest.digest, 180 SHA1_DIGEST_SIZE); 181 if (rc) 182 rc = -EINVAL; 183 break; 184 case EVM_IMA_XATTR_DIGSIG: 185 case EVM_XATTR_PORTABLE_DIGSIG: 186 hdr = (struct signature_v2_hdr *)xattr_data; 187 digest.hdr.algo = hdr->hash_algo; 188 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 189 xattr_value_len, xattr_data->type, &digest); 190 if (rc) 191 break; 192 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 193 (const char *)xattr_data, xattr_len, 194 digest.digest, digest.hdr.length); 195 if (!rc) { 196 inode = d_backing_inode(dentry); 197 198 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 199 if (iint) 200 iint->flags |= EVM_IMMUTABLE_DIGSIG; 201 evm_status = INTEGRITY_PASS_IMMUTABLE; 202 } else if (!IS_RDONLY(inode) && 203 !(inode->i_sb->s_readonly_remount) && 204 !IS_IMMUTABLE(inode)) { 205 evm_update_evmxattr(dentry, xattr_name, 206 xattr_value, 207 xattr_value_len); 208 } 209 } 210 break; 211 default: 212 rc = -EINVAL; 213 break; 214 } 215 216 if (rc) 217 evm_status = (rc == -ENODATA) ? 218 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 219 out: 220 if (iint) 221 iint->evm_status = evm_status; 222 kfree(xattr_data); 223 return evm_status; 224 } 225 226 static int evm_protected_xattr(const char *req_xattr_name) 227 { 228 int namelen; 229 int found = 0; 230 struct xattr_list *xattr; 231 232 namelen = strlen(req_xattr_name); 233 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { 234 if ((strlen(xattr->name) == namelen) 235 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { 236 found = 1; 237 break; 238 } 239 if (strncmp(req_xattr_name, 240 xattr->name + XATTR_SECURITY_PREFIX_LEN, 241 strlen(req_xattr_name)) == 0) { 242 found = 1; 243 break; 244 } 245 } 246 247 return found; 248 } 249 250 /** 251 * evm_verifyxattr - verify the integrity of the requested xattr 252 * @dentry: object of the verify xattr 253 * @xattr_name: requested xattr 254 * @xattr_value: requested xattr value 255 * @xattr_value_len: requested xattr value length 256 * 257 * Calculate the HMAC for the given dentry and verify it against the stored 258 * security.evm xattr. For performance, use the xattr value and length 259 * previously retrieved to calculate the HMAC. 260 * 261 * Returns the xattr integrity status. 262 * 263 * This function requires the caller to lock the inode's i_mutex before it 264 * is executed. 265 */ 266 enum integrity_status evm_verifyxattr(struct dentry *dentry, 267 const char *xattr_name, 268 void *xattr_value, size_t xattr_value_len, 269 struct integrity_iint_cache *iint) 270 { 271 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 272 return INTEGRITY_UNKNOWN; 273 274 if (!iint) { 275 iint = integrity_iint_find(d_backing_inode(dentry)); 276 if (!iint) 277 return INTEGRITY_UNKNOWN; 278 } 279 return evm_verify_hmac(dentry, xattr_name, xattr_value, 280 xattr_value_len, iint); 281 } 282 EXPORT_SYMBOL_GPL(evm_verifyxattr); 283 284 /* 285 * evm_verify_current_integrity - verify the dentry's metadata integrity 286 * @dentry: pointer to the affected dentry 287 * 288 * Verify and return the dentry's metadata integrity. The exceptions are 289 * before EVM is initialized or in 'fix' mode. 290 */ 291 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 292 { 293 struct inode *inode = d_backing_inode(dentry); 294 295 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 296 return 0; 297 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 298 } 299 300 /* 301 * evm_protect_xattr - protect the EVM extended attribute 302 * 303 * Prevent security.evm from being modified or removed without the 304 * necessary permissions or when the existing value is invalid. 305 * 306 * The posix xattr acls are 'system' prefixed, which normally would not 307 * affect security.evm. An interesting side affect of writing posix xattr 308 * acls is their modifying of the i_mode, which is included in security.evm. 309 * For posix xattr acls only, permit security.evm, even if it currently 310 * doesn't exist, to be updated unless the EVM signature is immutable. 311 */ 312 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 313 const void *xattr_value, size_t xattr_value_len) 314 { 315 enum integrity_status evm_status; 316 317 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 318 if (!capable(CAP_SYS_ADMIN)) 319 return -EPERM; 320 } else if (!evm_protected_xattr(xattr_name)) { 321 if (!posix_xattr_acl(xattr_name)) 322 return 0; 323 evm_status = evm_verify_current_integrity(dentry); 324 if ((evm_status == INTEGRITY_PASS) || 325 (evm_status == INTEGRITY_NOXATTRS)) 326 return 0; 327 goto out; 328 } 329 330 evm_status = evm_verify_current_integrity(dentry); 331 if (evm_status == INTEGRITY_NOXATTRS) { 332 struct integrity_iint_cache *iint; 333 334 iint = integrity_iint_find(d_backing_inode(dentry)); 335 if (iint && (iint->flags & IMA_NEW_FILE)) 336 return 0; 337 338 /* exception for pseudo filesystems */ 339 if (dentry->d_sb->s_magic == TMPFS_MAGIC 340 || dentry->d_sb->s_magic == SYSFS_MAGIC) 341 return 0; 342 343 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 344 dentry->d_inode, dentry->d_name.name, 345 "update_metadata", 346 integrity_status_msg[evm_status], 347 -EPERM, 0); 348 } 349 out: 350 if (evm_status != INTEGRITY_PASS) 351 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 352 dentry->d_name.name, "appraise_metadata", 353 integrity_status_msg[evm_status], 354 -EPERM, 0); 355 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 356 } 357 358 /** 359 * evm_inode_setxattr - protect the EVM extended attribute 360 * @dentry: pointer to the affected dentry 361 * @xattr_name: pointer to the affected extended attribute name 362 * @xattr_value: pointer to the new extended attribute value 363 * @xattr_value_len: pointer to the new extended attribute value length 364 * 365 * Before allowing the 'security.evm' protected xattr to be updated, 366 * verify the existing value is valid. As only the kernel should have 367 * access to the EVM encrypted key needed to calculate the HMAC, prevent 368 * userspace from writing HMAC value. Writing 'security.evm' requires 369 * requires CAP_SYS_ADMIN privileges. 370 */ 371 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 372 const void *xattr_value, size_t xattr_value_len) 373 { 374 const struct evm_ima_xattr_data *xattr_data = xattr_value; 375 376 /* Policy permits modification of the protected xattrs even though 377 * there's no HMAC key loaded 378 */ 379 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 380 return 0; 381 382 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 383 if (!xattr_value_len) 384 return -EINVAL; 385 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 386 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 387 return -EPERM; 388 } 389 return evm_protect_xattr(dentry, xattr_name, xattr_value, 390 xattr_value_len); 391 } 392 393 /** 394 * evm_inode_removexattr - protect the EVM extended attribute 395 * @dentry: pointer to the affected dentry 396 * @xattr_name: pointer to the affected extended attribute name 397 * 398 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 399 * the current value is valid. 400 */ 401 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 402 { 403 /* Policy permits modification of the protected xattrs even though 404 * there's no HMAC key loaded 405 */ 406 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 407 return 0; 408 409 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 410 } 411 412 static void evm_reset_status(struct inode *inode) 413 { 414 struct integrity_iint_cache *iint; 415 416 iint = integrity_iint_find(inode); 417 if (iint) 418 iint->evm_status = INTEGRITY_UNKNOWN; 419 } 420 421 /** 422 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 423 * @dentry: pointer to the affected dentry 424 * @xattr_name: pointer to the affected extended attribute name 425 * @xattr_value: pointer to the new extended attribute value 426 * @xattr_value_len: pointer to the new extended attribute value length 427 * 428 * Update the HMAC stored in 'security.evm' to reflect the change. 429 * 430 * No need to take the i_mutex lock here, as this function is called from 431 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 432 * i_mutex lock. 433 */ 434 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 435 const void *xattr_value, size_t xattr_value_len) 436 { 437 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 438 && !posix_xattr_acl(xattr_name))) 439 return; 440 441 evm_reset_status(dentry->d_inode); 442 443 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 444 } 445 446 /** 447 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 448 * @dentry: pointer to the affected dentry 449 * @xattr_name: pointer to the affected extended attribute name 450 * 451 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 452 * 453 * No need to take the i_mutex lock here, as this function is called from 454 * vfs_removexattr() which takes the i_mutex. 455 */ 456 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 457 { 458 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 459 return; 460 461 evm_reset_status(dentry->d_inode); 462 463 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 464 } 465 466 /** 467 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 468 * @dentry: pointer to the affected dentry 469 * 470 * Permit update of file attributes when files have a valid EVM signature, 471 * except in the case of them having an immutable portable signature. 472 */ 473 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 474 { 475 unsigned int ia_valid = attr->ia_valid; 476 enum integrity_status evm_status; 477 478 /* Policy permits modification of the protected attrs even though 479 * there's no HMAC key loaded 480 */ 481 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 482 return 0; 483 484 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 485 return 0; 486 evm_status = evm_verify_current_integrity(dentry); 487 if ((evm_status == INTEGRITY_PASS) || 488 (evm_status == INTEGRITY_NOXATTRS)) 489 return 0; 490 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 491 dentry->d_name.name, "appraise_metadata", 492 integrity_status_msg[evm_status], -EPERM, 0); 493 return -EPERM; 494 } 495 496 /** 497 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 498 * @dentry: pointer to the affected dentry 499 * @ia_valid: for the UID and GID status 500 * 501 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 502 * changes. 503 * 504 * This function is called from notify_change(), which expects the caller 505 * to lock the inode's i_mutex. 506 */ 507 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 508 { 509 if (!evm_key_loaded()) 510 return; 511 512 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 513 evm_update_evmxattr(dentry, NULL, NULL, 0); 514 } 515 516 /* 517 * evm_inode_init_security - initializes security.evm 518 */ 519 int evm_inode_init_security(struct inode *inode, 520 const struct xattr *lsm_xattr, 521 struct xattr *evm_xattr) 522 { 523 struct evm_xattr *xattr_data; 524 int rc; 525 526 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) 527 return 0; 528 529 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 530 if (!xattr_data) 531 return -ENOMEM; 532 533 xattr_data->data.type = EVM_XATTR_HMAC; 534 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 535 if (rc < 0) 536 goto out; 537 538 evm_xattr->value = xattr_data; 539 evm_xattr->value_len = sizeof(*xattr_data); 540 evm_xattr->name = XATTR_EVM_SUFFIX; 541 return 0; 542 out: 543 kfree(xattr_data); 544 return rc; 545 } 546 EXPORT_SYMBOL_GPL(evm_inode_init_security); 547 548 #ifdef CONFIG_EVM_LOAD_X509 549 void __init evm_load_x509(void) 550 { 551 int rc; 552 553 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 554 if (!rc) 555 evm_initialized |= EVM_INIT_X509; 556 } 557 #endif 558 559 static int __init init_evm(void) 560 { 561 int error; 562 struct list_head *pos, *q; 563 564 evm_init_config(); 565 566 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 567 if (error) 568 goto error; 569 570 error = evm_init_secfs(); 571 if (error < 0) { 572 pr_info("Error registering secfs\n"); 573 goto error; 574 } 575 576 error: 577 if (error != 0) { 578 if (!list_empty(&evm_config_xattrnames)) { 579 list_for_each_safe(pos, q, &evm_config_xattrnames) 580 list_del(pos); 581 } 582 } 583 584 return error; 585 } 586 587 late_initcall(init_evm); 588