1 /* 2 * Copyright (C) 2005-2010 IBM Corporation 3 * 4 * Author: 5 * Mimi Zohar <zohar@us.ibm.com> 6 * Kylene Hall <kjhall@us.ibm.com> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation, version 2 of the License. 11 * 12 * File: evm_main.c 13 * implements evm_inode_setxattr, evm_inode_post_setxattr, 14 * evm_inode_removexattr, and evm_verifyxattr 15 */ 16 17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 18 19 #include <linux/module.h> 20 #include <linux/crypto.h> 21 #include <linux/audit.h> 22 #include <linux/xattr.h> 23 #include <linux/integrity.h> 24 #include <linux/evm.h> 25 #include <linux/magic.h> 26 27 #include <crypto/hash.h> 28 #include <crypto/algapi.h> 29 #include "evm.h" 30 31 int evm_initialized; 32 33 static char *integrity_status_msg[] = { 34 "pass", "fail", "no_label", "no_xattrs", "unknown" 35 }; 36 char *evm_hmac = "hmac(sha1)"; 37 char *evm_hash = "sha1"; 38 int evm_hmac_attrs; 39 40 char *evm_config_xattrnames[] = { 41 #ifdef CONFIG_SECURITY_SELINUX 42 XATTR_NAME_SELINUX, 43 #endif 44 #ifdef CONFIG_SECURITY_SMACK 45 XATTR_NAME_SMACK, 46 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 47 XATTR_NAME_SMACKEXEC, 48 XATTR_NAME_SMACKTRANSMUTE, 49 XATTR_NAME_SMACKMMAP, 50 #endif 51 #endif 52 #ifdef CONFIG_IMA_APPRAISE 53 XATTR_NAME_IMA, 54 #endif 55 XATTR_NAME_CAPS, 56 NULL 57 }; 58 59 static int evm_fixmode; 60 static int __init evm_set_fixmode(char *str) 61 { 62 if (strncmp(str, "fix", 3) == 0) 63 evm_fixmode = 1; 64 return 0; 65 } 66 __setup("evm=", evm_set_fixmode); 67 68 static void __init evm_init_config(void) 69 { 70 #ifdef CONFIG_EVM_ATTR_FSUUID 71 evm_hmac_attrs |= EVM_ATTR_FSUUID; 72 #endif 73 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 74 } 75 76 static int evm_find_protected_xattrs(struct dentry *dentry) 77 { 78 struct inode *inode = d_backing_inode(dentry); 79 char **xattr; 80 int error; 81 int count = 0; 82 83 if (!(inode->i_opflags & IOP_XATTR)) 84 return -EOPNOTSUPP; 85 86 for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) { 87 error = __vfs_getxattr(dentry, inode, *xattr, NULL, 0); 88 if (error < 0) { 89 if (error == -ENODATA) 90 continue; 91 return error; 92 } 93 count++; 94 } 95 96 return count; 97 } 98 99 /* 100 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 101 * 102 * Compute the HMAC on the dentry's protected set of extended attributes 103 * and compare it against the stored security.evm xattr. 104 * 105 * For performance: 106 * - use the previoulsy retrieved xattr value and length to calculate the 107 * HMAC.) 108 * - cache the verification result in the iint, when available. 109 * 110 * Returns integrity status 111 */ 112 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 113 const char *xattr_name, 114 char *xattr_value, 115 size_t xattr_value_len, 116 struct integrity_iint_cache *iint) 117 { 118 struct evm_ima_xattr_data *xattr_data = NULL; 119 struct evm_ima_xattr_data calc; 120 enum integrity_status evm_status = INTEGRITY_PASS; 121 int rc, xattr_len; 122 123 if (iint && iint->evm_status == INTEGRITY_PASS) 124 return iint->evm_status; 125 126 /* if status is not PASS, try to check again - against -ENOMEM */ 127 128 /* first need to know the sig type */ 129 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 130 GFP_NOFS); 131 if (rc <= 0) { 132 evm_status = INTEGRITY_FAIL; 133 if (rc == -ENODATA) { 134 rc = evm_find_protected_xattrs(dentry); 135 if (rc > 0) 136 evm_status = INTEGRITY_NOLABEL; 137 else if (rc == 0) 138 evm_status = INTEGRITY_NOXATTRS; /* new file */ 139 } else if (rc == -EOPNOTSUPP) { 140 evm_status = INTEGRITY_UNKNOWN; 141 } 142 goto out; 143 } 144 145 xattr_len = rc; 146 147 /* check value type */ 148 switch (xattr_data->type) { 149 case EVM_XATTR_HMAC: 150 if (xattr_len != sizeof(struct evm_ima_xattr_data)) { 151 evm_status = INTEGRITY_FAIL; 152 goto out; 153 } 154 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 155 xattr_value_len, calc.digest); 156 if (rc) 157 break; 158 rc = crypto_memneq(xattr_data->digest, calc.digest, 159 sizeof(calc.digest)); 160 if (rc) 161 rc = -EINVAL; 162 break; 163 case EVM_IMA_XATTR_DIGSIG: 164 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 165 xattr_value_len, calc.digest); 166 if (rc) 167 break; 168 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 169 (const char *)xattr_data, xattr_len, 170 calc.digest, sizeof(calc.digest)); 171 if (!rc) { 172 /* Replace RSA with HMAC if not mounted readonly and 173 * not immutable 174 */ 175 if (!IS_RDONLY(d_backing_inode(dentry)) && 176 !IS_IMMUTABLE(d_backing_inode(dentry))) 177 evm_update_evmxattr(dentry, xattr_name, 178 xattr_value, 179 xattr_value_len); 180 } 181 break; 182 default: 183 rc = -EINVAL; 184 break; 185 } 186 187 if (rc) 188 evm_status = (rc == -ENODATA) ? 189 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 190 out: 191 if (iint) 192 iint->evm_status = evm_status; 193 kfree(xattr_data); 194 return evm_status; 195 } 196 197 static int evm_protected_xattr(const char *req_xattr_name) 198 { 199 char **xattrname; 200 int namelen; 201 int found = 0; 202 203 namelen = strlen(req_xattr_name); 204 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { 205 if ((strlen(*xattrname) == namelen) 206 && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) { 207 found = 1; 208 break; 209 } 210 if (strncmp(req_xattr_name, 211 *xattrname + XATTR_SECURITY_PREFIX_LEN, 212 strlen(req_xattr_name)) == 0) { 213 found = 1; 214 break; 215 } 216 } 217 return found; 218 } 219 220 /** 221 * evm_verifyxattr - verify the integrity of the requested xattr 222 * @dentry: object of the verify xattr 223 * @xattr_name: requested xattr 224 * @xattr_value: requested xattr value 225 * @xattr_value_len: requested xattr value length 226 * 227 * Calculate the HMAC for the given dentry and verify it against the stored 228 * security.evm xattr. For performance, use the xattr value and length 229 * previously retrieved to calculate the HMAC. 230 * 231 * Returns the xattr integrity status. 232 * 233 * This function requires the caller to lock the inode's i_mutex before it 234 * is executed. 235 */ 236 enum integrity_status evm_verifyxattr(struct dentry *dentry, 237 const char *xattr_name, 238 void *xattr_value, size_t xattr_value_len, 239 struct integrity_iint_cache *iint) 240 { 241 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 242 return INTEGRITY_UNKNOWN; 243 244 if (!iint) { 245 iint = integrity_iint_find(d_backing_inode(dentry)); 246 if (!iint) 247 return INTEGRITY_UNKNOWN; 248 } 249 return evm_verify_hmac(dentry, xattr_name, xattr_value, 250 xattr_value_len, iint); 251 } 252 EXPORT_SYMBOL_GPL(evm_verifyxattr); 253 254 /* 255 * evm_verify_current_integrity - verify the dentry's metadata integrity 256 * @dentry: pointer to the affected dentry 257 * 258 * Verify and return the dentry's metadata integrity. The exceptions are 259 * before EVM is initialized or in 'fix' mode. 260 */ 261 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 262 { 263 struct inode *inode = d_backing_inode(dentry); 264 265 if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode) 266 return 0; 267 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 268 } 269 270 /* 271 * evm_protect_xattr - protect the EVM extended attribute 272 * 273 * Prevent security.evm from being modified or removed without the 274 * necessary permissions or when the existing value is invalid. 275 * 276 * The posix xattr acls are 'system' prefixed, which normally would not 277 * affect security.evm. An interesting side affect of writing posix xattr 278 * acls is their modifying of the i_mode, which is included in security.evm. 279 * For posix xattr acls only, permit security.evm, even if it currently 280 * doesn't exist, to be updated. 281 */ 282 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 283 const void *xattr_value, size_t xattr_value_len) 284 { 285 enum integrity_status evm_status; 286 287 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 288 if (!capable(CAP_SYS_ADMIN)) 289 return -EPERM; 290 } else if (!evm_protected_xattr(xattr_name)) { 291 if (!posix_xattr_acl(xattr_name)) 292 return 0; 293 evm_status = evm_verify_current_integrity(dentry); 294 if ((evm_status == INTEGRITY_PASS) || 295 (evm_status == INTEGRITY_NOXATTRS)) 296 return 0; 297 goto out; 298 } 299 evm_status = evm_verify_current_integrity(dentry); 300 if (evm_status == INTEGRITY_NOXATTRS) { 301 struct integrity_iint_cache *iint; 302 303 iint = integrity_iint_find(d_backing_inode(dentry)); 304 if (iint && (iint->flags & IMA_NEW_FILE)) 305 return 0; 306 307 /* exception for pseudo filesystems */ 308 if (dentry->d_sb->s_magic == TMPFS_MAGIC 309 || dentry->d_sb->s_magic == SYSFS_MAGIC) 310 return 0; 311 312 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 313 dentry->d_inode, dentry->d_name.name, 314 "update_metadata", 315 integrity_status_msg[evm_status], 316 -EPERM, 0); 317 } 318 out: 319 if (evm_status != INTEGRITY_PASS) 320 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 321 dentry->d_name.name, "appraise_metadata", 322 integrity_status_msg[evm_status], 323 -EPERM, 0); 324 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 325 } 326 327 /** 328 * evm_inode_setxattr - protect the EVM extended attribute 329 * @dentry: pointer to the affected dentry 330 * @xattr_name: pointer to the affected extended attribute name 331 * @xattr_value: pointer to the new extended attribute value 332 * @xattr_value_len: pointer to the new extended attribute value length 333 * 334 * Before allowing the 'security.evm' protected xattr to be updated, 335 * verify the existing value is valid. As only the kernel should have 336 * access to the EVM encrypted key needed to calculate the HMAC, prevent 337 * userspace from writing HMAC value. Writing 'security.evm' requires 338 * requires CAP_SYS_ADMIN privileges. 339 */ 340 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 341 const void *xattr_value, size_t xattr_value_len) 342 { 343 const struct evm_ima_xattr_data *xattr_data = xattr_value; 344 345 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 346 if (!xattr_value_len) 347 return -EINVAL; 348 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG) 349 return -EPERM; 350 } 351 return evm_protect_xattr(dentry, xattr_name, xattr_value, 352 xattr_value_len); 353 } 354 355 /** 356 * evm_inode_removexattr - protect the EVM extended attribute 357 * @dentry: pointer to the affected dentry 358 * @xattr_name: pointer to the affected extended attribute name 359 * 360 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 361 * the current value is valid. 362 */ 363 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 364 { 365 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 366 } 367 368 static void evm_reset_status(struct inode *inode) 369 { 370 struct integrity_iint_cache *iint; 371 372 iint = integrity_iint_find(inode); 373 if (iint) 374 iint->evm_status = INTEGRITY_UNKNOWN; 375 } 376 377 /** 378 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 379 * @dentry: pointer to the affected dentry 380 * @xattr_name: pointer to the affected extended attribute name 381 * @xattr_value: pointer to the new extended attribute value 382 * @xattr_value_len: pointer to the new extended attribute value length 383 * 384 * Update the HMAC stored in 'security.evm' to reflect the change. 385 * 386 * No need to take the i_mutex lock here, as this function is called from 387 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 388 * i_mutex lock. 389 */ 390 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 391 const void *xattr_value, size_t xattr_value_len) 392 { 393 if (!evm_initialized || (!evm_protected_xattr(xattr_name) 394 && !posix_xattr_acl(xattr_name))) 395 return; 396 397 evm_reset_status(dentry->d_inode); 398 399 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 400 } 401 402 /** 403 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 404 * @dentry: pointer to the affected dentry 405 * @xattr_name: pointer to the affected extended attribute name 406 * 407 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 408 * 409 * No need to take the i_mutex lock here, as this function is called from 410 * vfs_removexattr() which takes the i_mutex. 411 */ 412 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 413 { 414 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 415 return; 416 417 evm_reset_status(dentry->d_inode); 418 419 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 420 } 421 422 /** 423 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 424 * @dentry: pointer to the affected dentry 425 */ 426 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 427 { 428 unsigned int ia_valid = attr->ia_valid; 429 enum integrity_status evm_status; 430 431 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 432 return 0; 433 evm_status = evm_verify_current_integrity(dentry); 434 if ((evm_status == INTEGRITY_PASS) || 435 (evm_status == INTEGRITY_NOXATTRS)) 436 return 0; 437 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 438 dentry->d_name.name, "appraise_metadata", 439 integrity_status_msg[evm_status], -EPERM, 0); 440 return -EPERM; 441 } 442 443 /** 444 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 445 * @dentry: pointer to the affected dentry 446 * @ia_valid: for the UID and GID status 447 * 448 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 449 * changes. 450 * 451 * This function is called from notify_change(), which expects the caller 452 * to lock the inode's i_mutex. 453 */ 454 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 455 { 456 if (!evm_initialized) 457 return; 458 459 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 460 evm_update_evmxattr(dentry, NULL, NULL, 0); 461 } 462 463 /* 464 * evm_inode_init_security - initializes security.evm 465 */ 466 int evm_inode_init_security(struct inode *inode, 467 const struct xattr *lsm_xattr, 468 struct xattr *evm_xattr) 469 { 470 struct evm_ima_xattr_data *xattr_data; 471 int rc; 472 473 if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name)) 474 return 0; 475 476 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 477 if (!xattr_data) 478 return -ENOMEM; 479 480 xattr_data->type = EVM_XATTR_HMAC; 481 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 482 if (rc < 0) 483 goto out; 484 485 evm_xattr->value = xattr_data; 486 evm_xattr->value_len = sizeof(*xattr_data); 487 evm_xattr->name = XATTR_EVM_SUFFIX; 488 return 0; 489 out: 490 kfree(xattr_data); 491 return rc; 492 } 493 EXPORT_SYMBOL_GPL(evm_inode_init_security); 494 495 #ifdef CONFIG_EVM_LOAD_X509 496 void __init evm_load_x509(void) 497 { 498 int rc; 499 500 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 501 if (!rc) 502 evm_initialized |= EVM_INIT_X509; 503 } 504 #endif 505 506 static int __init init_evm(void) 507 { 508 int error; 509 510 evm_init_config(); 511 512 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 513 if (error) 514 return error; 515 516 error = evm_init_secfs(); 517 if (error < 0) { 518 pr_info("Error registering secfs\n"); 519 return error; 520 } 521 522 return 0; 523 } 524 525 /* 526 * evm_display_config - list the EVM protected security extended attributes 527 */ 528 static int __init evm_display_config(void) 529 { 530 char **xattrname; 531 532 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) 533 pr_info("%s\n", *xattrname); 534 return 0; 535 } 536 537 pure_initcall(evm_display_config); 538 late_initcall(init_evm); 539 540 MODULE_DESCRIPTION("Extended Verification Module"); 541 MODULE_LICENSE("GPL"); 542