1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2005-2010 IBM Corporation
4  *
5  * Author:
6  * Mimi Zohar <zohar@us.ibm.com>
7  * Kylene Hall <kjhall@us.ibm.com>
8  *
9  * File: evm_main.c
10  *	implements evm_inode_setxattr, evm_inode_post_setxattr,
11  *	evm_inode_removexattr, and evm_verifyxattr
12  */
13 
14 #include <linux/init.h>
15 #include <linux/crypto.h>
16 #include <linux/audit.h>
17 #include <linux/xattr.h>
18 #include <linux/integrity.h>
19 #include <linux/evm.h>
20 #include <linux/magic.h>
21 
22 #include <crypto/hash.h>
23 #include <crypto/hash_info.h>
24 #include <crypto/algapi.h>
25 #include "evm.h"
26 
27 int evm_initialized;
28 
29 static const char * const integrity_status_msg[] = {
30 	"pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
31 };
32 int evm_hmac_attrs;
33 
34 static struct xattr_list evm_config_default_xattrnames[] = {
35 #ifdef CONFIG_SECURITY_SELINUX
36 	{.name = XATTR_NAME_SELINUX},
37 #endif
38 #ifdef CONFIG_SECURITY_SMACK
39 	{.name = XATTR_NAME_SMACK},
40 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
41 	{.name = XATTR_NAME_SMACKEXEC},
42 	{.name = XATTR_NAME_SMACKTRANSMUTE},
43 	{.name = XATTR_NAME_SMACKMMAP},
44 #endif
45 #endif
46 #ifdef CONFIG_SECURITY_APPARMOR
47 	{.name = XATTR_NAME_APPARMOR},
48 #endif
49 #ifdef CONFIG_IMA_APPRAISE
50 	{.name = XATTR_NAME_IMA},
51 #endif
52 	{.name = XATTR_NAME_CAPS},
53 };
54 
55 LIST_HEAD(evm_config_xattrnames);
56 
57 static int evm_fixmode;
58 static int __init evm_set_fixmode(char *str)
59 {
60 	if (strncmp(str, "fix", 3) == 0)
61 		evm_fixmode = 1;
62 	return 0;
63 }
64 __setup("evm=", evm_set_fixmode);
65 
66 static void __init evm_init_config(void)
67 {
68 	int i, xattrs;
69 
70 	xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
71 
72 	pr_info("Initialising EVM extended attributes:\n");
73 	for (i = 0; i < xattrs; i++) {
74 		pr_info("%s\n", evm_config_default_xattrnames[i].name);
75 		list_add_tail(&evm_config_default_xattrnames[i].list,
76 			      &evm_config_xattrnames);
77 	}
78 
79 #ifdef CONFIG_EVM_ATTR_FSUUID
80 	evm_hmac_attrs |= EVM_ATTR_FSUUID;
81 #endif
82 	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
83 }
84 
85 static bool evm_key_loaded(void)
86 {
87 	return (bool)(evm_initialized & EVM_KEY_MASK);
88 }
89 
90 static int evm_find_protected_xattrs(struct dentry *dentry)
91 {
92 	struct inode *inode = d_backing_inode(dentry);
93 	struct xattr_list *xattr;
94 	int error;
95 	int count = 0;
96 
97 	if (!(inode->i_opflags & IOP_XATTR))
98 		return -EOPNOTSUPP;
99 
100 	list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
101 		error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
102 		if (error < 0) {
103 			if (error == -ENODATA)
104 				continue;
105 			return error;
106 		}
107 		count++;
108 	}
109 
110 	return count;
111 }
112 
113 /*
114  * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
115  *
116  * Compute the HMAC on the dentry's protected set of extended attributes
117  * and compare it against the stored security.evm xattr.
118  *
119  * For performance:
120  * - use the previoulsy retrieved xattr value and length to calculate the
121  *   HMAC.)
122  * - cache the verification result in the iint, when available.
123  *
124  * Returns integrity status
125  */
126 static enum integrity_status evm_verify_hmac(struct dentry *dentry,
127 					     const char *xattr_name,
128 					     char *xattr_value,
129 					     size_t xattr_value_len,
130 					     struct integrity_iint_cache *iint)
131 {
132 	struct evm_ima_xattr_data *xattr_data = NULL;
133 	struct signature_v2_hdr *hdr;
134 	enum integrity_status evm_status = INTEGRITY_PASS;
135 	struct evm_digest digest;
136 	struct inode *inode;
137 	int rc, xattr_len;
138 
139 	if (iint && (iint->evm_status == INTEGRITY_PASS ||
140 		     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
141 		return iint->evm_status;
142 
143 	/* if status is not PASS, try to check again - against -ENOMEM */
144 
145 	/* first need to know the sig type */
146 	rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
147 				GFP_NOFS);
148 	if (rc <= 0) {
149 		evm_status = INTEGRITY_FAIL;
150 		if (rc == -ENODATA) {
151 			rc = evm_find_protected_xattrs(dentry);
152 			if (rc > 0)
153 				evm_status = INTEGRITY_NOLABEL;
154 			else if (rc == 0)
155 				evm_status = INTEGRITY_NOXATTRS; /* new file */
156 		} else if (rc == -EOPNOTSUPP) {
157 			evm_status = INTEGRITY_UNKNOWN;
158 		}
159 		goto out;
160 	}
161 
162 	xattr_len = rc;
163 
164 	/* check value type */
165 	switch (xattr_data->type) {
166 	case EVM_XATTR_HMAC:
167 		if (xattr_len != sizeof(struct evm_xattr)) {
168 			evm_status = INTEGRITY_FAIL;
169 			goto out;
170 		}
171 
172 		digest.hdr.algo = HASH_ALGO_SHA1;
173 		rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
174 				   xattr_value_len, &digest);
175 		if (rc)
176 			break;
177 		rc = crypto_memneq(xattr_data->data, digest.digest,
178 				   SHA1_DIGEST_SIZE);
179 		if (rc)
180 			rc = -EINVAL;
181 		break;
182 	case EVM_IMA_XATTR_DIGSIG:
183 	case EVM_XATTR_PORTABLE_DIGSIG:
184 		hdr = (struct signature_v2_hdr *)xattr_data;
185 		digest.hdr.algo = hdr->hash_algo;
186 		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
187 				   xattr_value_len, xattr_data->type, &digest);
188 		if (rc)
189 			break;
190 		rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
191 					(const char *)xattr_data, xattr_len,
192 					digest.digest, digest.hdr.length);
193 		if (!rc) {
194 			inode = d_backing_inode(dentry);
195 
196 			if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
197 				if (iint)
198 					iint->flags |= EVM_IMMUTABLE_DIGSIG;
199 				evm_status = INTEGRITY_PASS_IMMUTABLE;
200 			} else if (!IS_RDONLY(inode) &&
201 				   !(inode->i_sb->s_readonly_remount) &&
202 				   !IS_IMMUTABLE(inode)) {
203 				evm_update_evmxattr(dentry, xattr_name,
204 						    xattr_value,
205 						    xattr_value_len);
206 			}
207 		}
208 		break;
209 	default:
210 		rc = -EINVAL;
211 		break;
212 	}
213 
214 	if (rc)
215 		evm_status = (rc == -ENODATA) ?
216 				INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
217 out:
218 	if (iint)
219 		iint->evm_status = evm_status;
220 	kfree(xattr_data);
221 	return evm_status;
222 }
223 
224 static int evm_protected_xattr(const char *req_xattr_name)
225 {
226 	int namelen;
227 	int found = 0;
228 	struct xattr_list *xattr;
229 
230 	namelen = strlen(req_xattr_name);
231 	list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
232 		if ((strlen(xattr->name) == namelen)
233 		    && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
234 			found = 1;
235 			break;
236 		}
237 		if (strncmp(req_xattr_name,
238 			    xattr->name + XATTR_SECURITY_PREFIX_LEN,
239 			    strlen(req_xattr_name)) == 0) {
240 			found = 1;
241 			break;
242 		}
243 	}
244 
245 	return found;
246 }
247 
248 /**
249  * evm_verifyxattr - verify the integrity of the requested xattr
250  * @dentry: object of the verify xattr
251  * @xattr_name: requested xattr
252  * @xattr_value: requested xattr value
253  * @xattr_value_len: requested xattr value length
254  *
255  * Calculate the HMAC for the given dentry and verify it against the stored
256  * security.evm xattr. For performance, use the xattr value and length
257  * previously retrieved to calculate the HMAC.
258  *
259  * Returns the xattr integrity status.
260  *
261  * This function requires the caller to lock the inode's i_mutex before it
262  * is executed.
263  */
264 enum integrity_status evm_verifyxattr(struct dentry *dentry,
265 				      const char *xattr_name,
266 				      void *xattr_value, size_t xattr_value_len,
267 				      struct integrity_iint_cache *iint)
268 {
269 	if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
270 		return INTEGRITY_UNKNOWN;
271 
272 	if (!iint) {
273 		iint = integrity_iint_find(d_backing_inode(dentry));
274 		if (!iint)
275 			return INTEGRITY_UNKNOWN;
276 	}
277 	return evm_verify_hmac(dentry, xattr_name, xattr_value,
278 				 xattr_value_len, iint);
279 }
280 EXPORT_SYMBOL_GPL(evm_verifyxattr);
281 
282 /*
283  * evm_verify_current_integrity - verify the dentry's metadata integrity
284  * @dentry: pointer to the affected dentry
285  *
286  * Verify and return the dentry's metadata integrity. The exceptions are
287  * before EVM is initialized or in 'fix' mode.
288  */
289 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
290 {
291 	struct inode *inode = d_backing_inode(dentry);
292 
293 	if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
294 		return 0;
295 	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
296 }
297 
298 /*
299  * evm_protect_xattr - protect the EVM extended attribute
300  *
301  * Prevent security.evm from being modified or removed without the
302  * necessary permissions or when the existing value is invalid.
303  *
304  * The posix xattr acls are 'system' prefixed, which normally would not
305  * affect security.evm.  An interesting side affect of writing posix xattr
306  * acls is their modifying of the i_mode, which is included in security.evm.
307  * For posix xattr acls only, permit security.evm, even if it currently
308  * doesn't exist, to be updated unless the EVM signature is immutable.
309  */
310 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
311 			     const void *xattr_value, size_t xattr_value_len)
312 {
313 	enum integrity_status evm_status;
314 
315 	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
316 		if (!capable(CAP_SYS_ADMIN))
317 			return -EPERM;
318 	} else if (!evm_protected_xattr(xattr_name)) {
319 		if (!posix_xattr_acl(xattr_name))
320 			return 0;
321 		evm_status = evm_verify_current_integrity(dentry);
322 		if ((evm_status == INTEGRITY_PASS) ||
323 		    (evm_status == INTEGRITY_NOXATTRS))
324 			return 0;
325 		goto out;
326 	}
327 
328 	evm_status = evm_verify_current_integrity(dentry);
329 	if (evm_status == INTEGRITY_NOXATTRS) {
330 		struct integrity_iint_cache *iint;
331 
332 		iint = integrity_iint_find(d_backing_inode(dentry));
333 		if (iint && (iint->flags & IMA_NEW_FILE))
334 			return 0;
335 
336 		/* exception for pseudo filesystems */
337 		if (dentry->d_sb->s_magic == TMPFS_MAGIC
338 		    || dentry->d_sb->s_magic == SYSFS_MAGIC)
339 			return 0;
340 
341 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
342 				    dentry->d_inode, dentry->d_name.name,
343 				    "update_metadata",
344 				    integrity_status_msg[evm_status],
345 				    -EPERM, 0);
346 	}
347 out:
348 	if (evm_status != INTEGRITY_PASS)
349 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
350 				    dentry->d_name.name, "appraise_metadata",
351 				    integrity_status_msg[evm_status],
352 				    -EPERM, 0);
353 	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
354 }
355 
356 /**
357  * evm_inode_setxattr - protect the EVM extended attribute
358  * @dentry: pointer to the affected dentry
359  * @xattr_name: pointer to the affected extended attribute name
360  * @xattr_value: pointer to the new extended attribute value
361  * @xattr_value_len: pointer to the new extended attribute value length
362  *
363  * Before allowing the 'security.evm' protected xattr to be updated,
364  * verify the existing value is valid.  As only the kernel should have
365  * access to the EVM encrypted key needed to calculate the HMAC, prevent
366  * userspace from writing HMAC value.  Writing 'security.evm' requires
367  * requires CAP_SYS_ADMIN privileges.
368  */
369 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
370 		       const void *xattr_value, size_t xattr_value_len)
371 {
372 	const struct evm_ima_xattr_data *xattr_data = xattr_value;
373 
374 	/* Policy permits modification of the protected xattrs even though
375 	 * there's no HMAC key loaded
376 	 */
377 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
378 		return 0;
379 
380 	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
381 		if (!xattr_value_len)
382 			return -EINVAL;
383 		if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
384 		    xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
385 			return -EPERM;
386 	}
387 	return evm_protect_xattr(dentry, xattr_name, xattr_value,
388 				 xattr_value_len);
389 }
390 
391 /**
392  * evm_inode_removexattr - protect the EVM extended attribute
393  * @dentry: pointer to the affected dentry
394  * @xattr_name: pointer to the affected extended attribute name
395  *
396  * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
397  * the current value is valid.
398  */
399 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
400 {
401 	/* Policy permits modification of the protected xattrs even though
402 	 * there's no HMAC key loaded
403 	 */
404 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
405 		return 0;
406 
407 	return evm_protect_xattr(dentry, xattr_name, NULL, 0);
408 }
409 
410 static void evm_reset_status(struct inode *inode)
411 {
412 	struct integrity_iint_cache *iint;
413 
414 	iint = integrity_iint_find(inode);
415 	if (iint)
416 		iint->evm_status = INTEGRITY_UNKNOWN;
417 }
418 
419 /**
420  * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
421  * @dentry: pointer to the affected dentry
422  * @xattr_name: pointer to the affected extended attribute name
423  * @xattr_value: pointer to the new extended attribute value
424  * @xattr_value_len: pointer to the new extended attribute value length
425  *
426  * Update the HMAC stored in 'security.evm' to reflect the change.
427  *
428  * No need to take the i_mutex lock here, as this function is called from
429  * __vfs_setxattr_noperm().  The caller of which has taken the inode's
430  * i_mutex lock.
431  */
432 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
433 			     const void *xattr_value, size_t xattr_value_len)
434 {
435 	if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
436 				  && !posix_xattr_acl(xattr_name)))
437 		return;
438 
439 	evm_reset_status(dentry->d_inode);
440 
441 	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
442 }
443 
444 /**
445  * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
446  * @dentry: pointer to the affected dentry
447  * @xattr_name: pointer to the affected extended attribute name
448  *
449  * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
450  *
451  * No need to take the i_mutex lock here, as this function is called from
452  * vfs_removexattr() which takes the i_mutex.
453  */
454 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
455 {
456 	if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
457 		return;
458 
459 	evm_reset_status(dentry->d_inode);
460 
461 	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
462 }
463 
464 /**
465  * evm_inode_setattr - prevent updating an invalid EVM extended attribute
466  * @dentry: pointer to the affected dentry
467  *
468  * Permit update of file attributes when files have a valid EVM signature,
469  * except in the case of them having an immutable portable signature.
470  */
471 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
472 {
473 	unsigned int ia_valid = attr->ia_valid;
474 	enum integrity_status evm_status;
475 
476 	/* Policy permits modification of the protected attrs even though
477 	 * there's no HMAC key loaded
478 	 */
479 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
480 		return 0;
481 
482 	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
483 		return 0;
484 	evm_status = evm_verify_current_integrity(dentry);
485 	if ((evm_status == INTEGRITY_PASS) ||
486 	    (evm_status == INTEGRITY_NOXATTRS))
487 		return 0;
488 	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
489 			    dentry->d_name.name, "appraise_metadata",
490 			    integrity_status_msg[evm_status], -EPERM, 0);
491 	return -EPERM;
492 }
493 
494 /**
495  * evm_inode_post_setattr - update 'security.evm' after modifying metadata
496  * @dentry: pointer to the affected dentry
497  * @ia_valid: for the UID and GID status
498  *
499  * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
500  * changes.
501  *
502  * This function is called from notify_change(), which expects the caller
503  * to lock the inode's i_mutex.
504  */
505 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
506 {
507 	if (!evm_key_loaded())
508 		return;
509 
510 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
511 		evm_update_evmxattr(dentry, NULL, NULL, 0);
512 }
513 
514 /*
515  * evm_inode_init_security - initializes security.evm
516  */
517 int evm_inode_init_security(struct inode *inode,
518 				 const struct xattr *lsm_xattr,
519 				 struct xattr *evm_xattr)
520 {
521 	struct evm_xattr *xattr_data;
522 	int rc;
523 
524 	if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
525 		return 0;
526 
527 	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
528 	if (!xattr_data)
529 		return -ENOMEM;
530 
531 	xattr_data->data.type = EVM_XATTR_HMAC;
532 	rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
533 	if (rc < 0)
534 		goto out;
535 
536 	evm_xattr->value = xattr_data;
537 	evm_xattr->value_len = sizeof(*xattr_data);
538 	evm_xattr->name = XATTR_EVM_SUFFIX;
539 	return 0;
540 out:
541 	kfree(xattr_data);
542 	return rc;
543 }
544 EXPORT_SYMBOL_GPL(evm_inode_init_security);
545 
546 #ifdef CONFIG_EVM_LOAD_X509
547 void __init evm_load_x509(void)
548 {
549 	int rc;
550 
551 	rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
552 	if (!rc)
553 		evm_initialized |= EVM_INIT_X509;
554 }
555 #endif
556 
557 static int __init init_evm(void)
558 {
559 	int error;
560 	struct list_head *pos, *q;
561 
562 	evm_init_config();
563 
564 	error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
565 	if (error)
566 		goto error;
567 
568 	error = evm_init_secfs();
569 	if (error < 0) {
570 		pr_info("Error registering secfs\n");
571 		goto error;
572 	}
573 
574 error:
575 	if (error != 0) {
576 		if (!list_empty(&evm_config_xattrnames)) {
577 			list_for_each_safe(pos, q, &evm_config_xattrnames)
578 				list_del(pos);
579 		}
580 	}
581 
582 	return error;
583 }
584 
585 late_initcall(init_evm);
586