1 /* 2 * Copyright (C) 2005-2010 IBM Corporation 3 * 4 * Author: 5 * Mimi Zohar <zohar@us.ibm.com> 6 * Kylene Hall <kjhall@us.ibm.com> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation, version 2 of the License. 11 * 12 * File: evm_main.c 13 * implements evm_inode_setxattr, evm_inode_post_setxattr, 14 * evm_inode_removexattr, and evm_verifyxattr 15 */ 16 17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 18 19 #include <linux/module.h> 20 #include <linux/crypto.h> 21 #include <linux/audit.h> 22 #include <linux/xattr.h> 23 #include <linux/integrity.h> 24 #include <linux/evm.h> 25 #include <linux/magic.h> 26 27 #include <crypto/hash.h> 28 #include <crypto/algapi.h> 29 #include "evm.h" 30 31 int evm_initialized; 32 33 static char *integrity_status_msg[] = { 34 "pass", "fail", "no_label", "no_xattrs", "unknown" 35 }; 36 char *evm_hmac = "hmac(sha1)"; 37 char *evm_hash = "sha1"; 38 int evm_hmac_attrs; 39 40 char *evm_config_xattrnames[] = { 41 #ifdef CONFIG_SECURITY_SELINUX 42 XATTR_NAME_SELINUX, 43 #endif 44 #ifdef CONFIG_SECURITY_SMACK 45 XATTR_NAME_SMACK, 46 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 47 XATTR_NAME_SMACKEXEC, 48 XATTR_NAME_SMACKTRANSMUTE, 49 XATTR_NAME_SMACKMMAP, 50 #endif 51 #endif 52 #ifdef CONFIG_SECURITY_APPARMOR 53 XATTR_NAME_APPARMOR, 54 #endif 55 #ifdef CONFIG_IMA_APPRAISE 56 XATTR_NAME_IMA, 57 #endif 58 XATTR_NAME_CAPS, 59 NULL 60 }; 61 62 static int evm_fixmode; 63 static int __init evm_set_fixmode(char *str) 64 { 65 if (strncmp(str, "fix", 3) == 0) 66 evm_fixmode = 1; 67 return 0; 68 } 69 __setup("evm=", evm_set_fixmode); 70 71 static void __init evm_init_config(void) 72 { 73 #ifdef CONFIG_EVM_ATTR_FSUUID 74 evm_hmac_attrs |= EVM_ATTR_FSUUID; 75 #endif 76 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 77 } 78 79 static int evm_find_protected_xattrs(struct dentry *dentry) 80 { 81 struct inode *inode = d_backing_inode(dentry); 82 char **xattr; 83 int error; 84 int count = 0; 85 86 if (!(inode->i_opflags & IOP_XATTR)) 87 return -EOPNOTSUPP; 88 89 for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) { 90 error = __vfs_getxattr(dentry, inode, *xattr, NULL, 0); 91 if (error < 0) { 92 if (error == -ENODATA) 93 continue; 94 return error; 95 } 96 count++; 97 } 98 99 return count; 100 } 101 102 /* 103 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 104 * 105 * Compute the HMAC on the dentry's protected set of extended attributes 106 * and compare it against the stored security.evm xattr. 107 * 108 * For performance: 109 * - use the previoulsy retrieved xattr value and length to calculate the 110 * HMAC.) 111 * - cache the verification result in the iint, when available. 112 * 113 * Returns integrity status 114 */ 115 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 116 const char *xattr_name, 117 char *xattr_value, 118 size_t xattr_value_len, 119 struct integrity_iint_cache *iint) 120 { 121 struct evm_ima_xattr_data *xattr_data = NULL; 122 struct evm_ima_xattr_data calc; 123 enum integrity_status evm_status = INTEGRITY_PASS; 124 int rc, xattr_len; 125 126 if (iint && iint->evm_status == INTEGRITY_PASS) 127 return iint->evm_status; 128 129 /* if status is not PASS, try to check again - against -ENOMEM */ 130 131 /* first need to know the sig type */ 132 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 133 GFP_NOFS); 134 if (rc <= 0) { 135 evm_status = INTEGRITY_FAIL; 136 if (rc == -ENODATA) { 137 rc = evm_find_protected_xattrs(dentry); 138 if (rc > 0) 139 evm_status = INTEGRITY_NOLABEL; 140 else if (rc == 0) 141 evm_status = INTEGRITY_NOXATTRS; /* new file */ 142 } else if (rc == -EOPNOTSUPP) { 143 evm_status = INTEGRITY_UNKNOWN; 144 } 145 goto out; 146 } 147 148 xattr_len = rc; 149 150 /* check value type */ 151 switch (xattr_data->type) { 152 case EVM_XATTR_HMAC: 153 if (xattr_len != sizeof(struct evm_ima_xattr_data)) { 154 evm_status = INTEGRITY_FAIL; 155 goto out; 156 } 157 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 158 xattr_value_len, calc.digest); 159 if (rc) 160 break; 161 rc = crypto_memneq(xattr_data->digest, calc.digest, 162 sizeof(calc.digest)); 163 if (rc) 164 rc = -EINVAL; 165 break; 166 case EVM_IMA_XATTR_DIGSIG: 167 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 168 xattr_value_len, calc.digest); 169 if (rc) 170 break; 171 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 172 (const char *)xattr_data, xattr_len, 173 calc.digest, sizeof(calc.digest)); 174 if (!rc) { 175 /* Replace RSA with HMAC if not mounted readonly and 176 * not immutable 177 */ 178 if (!IS_RDONLY(d_backing_inode(dentry)) && 179 !IS_IMMUTABLE(d_backing_inode(dentry))) 180 evm_update_evmxattr(dentry, xattr_name, 181 xattr_value, 182 xattr_value_len); 183 } 184 break; 185 default: 186 rc = -EINVAL; 187 break; 188 } 189 190 if (rc) 191 evm_status = (rc == -ENODATA) ? 192 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 193 out: 194 if (iint) 195 iint->evm_status = evm_status; 196 kfree(xattr_data); 197 return evm_status; 198 } 199 200 static int evm_protected_xattr(const char *req_xattr_name) 201 { 202 char **xattrname; 203 int namelen; 204 int found = 0; 205 206 namelen = strlen(req_xattr_name); 207 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { 208 if ((strlen(*xattrname) == namelen) 209 && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) { 210 found = 1; 211 break; 212 } 213 if (strncmp(req_xattr_name, 214 *xattrname + XATTR_SECURITY_PREFIX_LEN, 215 strlen(req_xattr_name)) == 0) { 216 found = 1; 217 break; 218 } 219 } 220 return found; 221 } 222 223 /** 224 * evm_verifyxattr - verify the integrity of the requested xattr 225 * @dentry: object of the verify xattr 226 * @xattr_name: requested xattr 227 * @xattr_value: requested xattr value 228 * @xattr_value_len: requested xattr value length 229 * 230 * Calculate the HMAC for the given dentry and verify it against the stored 231 * security.evm xattr. For performance, use the xattr value and length 232 * previously retrieved to calculate the HMAC. 233 * 234 * Returns the xattr integrity status. 235 * 236 * This function requires the caller to lock the inode's i_mutex before it 237 * is executed. 238 */ 239 enum integrity_status evm_verifyxattr(struct dentry *dentry, 240 const char *xattr_name, 241 void *xattr_value, size_t xattr_value_len, 242 struct integrity_iint_cache *iint) 243 { 244 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 245 return INTEGRITY_UNKNOWN; 246 247 if (!iint) { 248 iint = integrity_iint_find(d_backing_inode(dentry)); 249 if (!iint) 250 return INTEGRITY_UNKNOWN; 251 } 252 return evm_verify_hmac(dentry, xattr_name, xattr_value, 253 xattr_value_len, iint); 254 } 255 EXPORT_SYMBOL_GPL(evm_verifyxattr); 256 257 /* 258 * evm_verify_current_integrity - verify the dentry's metadata integrity 259 * @dentry: pointer to the affected dentry 260 * 261 * Verify and return the dentry's metadata integrity. The exceptions are 262 * before EVM is initialized or in 'fix' mode. 263 */ 264 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 265 { 266 struct inode *inode = d_backing_inode(dentry); 267 268 if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode) 269 return 0; 270 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 271 } 272 273 /* 274 * evm_protect_xattr - protect the EVM extended attribute 275 * 276 * Prevent security.evm from being modified or removed without the 277 * necessary permissions or when the existing value is invalid. 278 * 279 * The posix xattr acls are 'system' prefixed, which normally would not 280 * affect security.evm. An interesting side affect of writing posix xattr 281 * acls is their modifying of the i_mode, which is included in security.evm. 282 * For posix xattr acls only, permit security.evm, even if it currently 283 * doesn't exist, to be updated. 284 */ 285 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 286 const void *xattr_value, size_t xattr_value_len) 287 { 288 enum integrity_status evm_status; 289 290 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 291 if (!capable(CAP_SYS_ADMIN)) 292 return -EPERM; 293 } else if (!evm_protected_xattr(xattr_name)) { 294 if (!posix_xattr_acl(xattr_name)) 295 return 0; 296 evm_status = evm_verify_current_integrity(dentry); 297 if ((evm_status == INTEGRITY_PASS) || 298 (evm_status == INTEGRITY_NOXATTRS)) 299 return 0; 300 goto out; 301 } 302 evm_status = evm_verify_current_integrity(dentry); 303 if (evm_status == INTEGRITY_NOXATTRS) { 304 struct integrity_iint_cache *iint; 305 306 iint = integrity_iint_find(d_backing_inode(dentry)); 307 if (iint && (iint->flags & IMA_NEW_FILE)) 308 return 0; 309 310 /* exception for pseudo filesystems */ 311 if (dentry->d_sb->s_magic == TMPFS_MAGIC 312 || dentry->d_sb->s_magic == SYSFS_MAGIC) 313 return 0; 314 315 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 316 dentry->d_inode, dentry->d_name.name, 317 "update_metadata", 318 integrity_status_msg[evm_status], 319 -EPERM, 0); 320 } 321 out: 322 if (evm_status != INTEGRITY_PASS) 323 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 324 dentry->d_name.name, "appraise_metadata", 325 integrity_status_msg[evm_status], 326 -EPERM, 0); 327 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 328 } 329 330 /** 331 * evm_inode_setxattr - protect the EVM extended attribute 332 * @dentry: pointer to the affected dentry 333 * @xattr_name: pointer to the affected extended attribute name 334 * @xattr_value: pointer to the new extended attribute value 335 * @xattr_value_len: pointer to the new extended attribute value length 336 * 337 * Before allowing the 'security.evm' protected xattr to be updated, 338 * verify the existing value is valid. As only the kernel should have 339 * access to the EVM encrypted key needed to calculate the HMAC, prevent 340 * userspace from writing HMAC value. Writing 'security.evm' requires 341 * requires CAP_SYS_ADMIN privileges. 342 */ 343 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 344 const void *xattr_value, size_t xattr_value_len) 345 { 346 const struct evm_ima_xattr_data *xattr_data = xattr_value; 347 348 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 349 if (!xattr_value_len) 350 return -EINVAL; 351 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG) 352 return -EPERM; 353 } 354 return evm_protect_xattr(dentry, xattr_name, xattr_value, 355 xattr_value_len); 356 } 357 358 /** 359 * evm_inode_removexattr - protect the EVM extended attribute 360 * @dentry: pointer to the affected dentry 361 * @xattr_name: pointer to the affected extended attribute name 362 * 363 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 364 * the current value is valid. 365 */ 366 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 367 { 368 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 369 } 370 371 static void evm_reset_status(struct inode *inode) 372 { 373 struct integrity_iint_cache *iint; 374 375 iint = integrity_iint_find(inode); 376 if (iint) 377 iint->evm_status = INTEGRITY_UNKNOWN; 378 } 379 380 /** 381 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 382 * @dentry: pointer to the affected dentry 383 * @xattr_name: pointer to the affected extended attribute name 384 * @xattr_value: pointer to the new extended attribute value 385 * @xattr_value_len: pointer to the new extended attribute value length 386 * 387 * Update the HMAC stored in 'security.evm' to reflect the change. 388 * 389 * No need to take the i_mutex lock here, as this function is called from 390 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 391 * i_mutex lock. 392 */ 393 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 394 const void *xattr_value, size_t xattr_value_len) 395 { 396 if (!evm_initialized || (!evm_protected_xattr(xattr_name) 397 && !posix_xattr_acl(xattr_name))) 398 return; 399 400 evm_reset_status(dentry->d_inode); 401 402 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 403 } 404 405 /** 406 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 407 * @dentry: pointer to the affected dentry 408 * @xattr_name: pointer to the affected extended attribute name 409 * 410 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 411 * 412 * No need to take the i_mutex lock here, as this function is called from 413 * vfs_removexattr() which takes the i_mutex. 414 */ 415 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 416 { 417 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 418 return; 419 420 evm_reset_status(dentry->d_inode); 421 422 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 423 } 424 425 /** 426 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 427 * @dentry: pointer to the affected dentry 428 */ 429 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 430 { 431 unsigned int ia_valid = attr->ia_valid; 432 enum integrity_status evm_status; 433 434 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 435 return 0; 436 evm_status = evm_verify_current_integrity(dentry); 437 if ((evm_status == INTEGRITY_PASS) || 438 (evm_status == INTEGRITY_NOXATTRS)) 439 return 0; 440 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 441 dentry->d_name.name, "appraise_metadata", 442 integrity_status_msg[evm_status], -EPERM, 0); 443 return -EPERM; 444 } 445 446 /** 447 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 448 * @dentry: pointer to the affected dentry 449 * @ia_valid: for the UID and GID status 450 * 451 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 452 * changes. 453 * 454 * This function is called from notify_change(), which expects the caller 455 * to lock the inode's i_mutex. 456 */ 457 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 458 { 459 if (!evm_initialized) 460 return; 461 462 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 463 evm_update_evmxattr(dentry, NULL, NULL, 0); 464 } 465 466 /* 467 * evm_inode_init_security - initializes security.evm 468 */ 469 int evm_inode_init_security(struct inode *inode, 470 const struct xattr *lsm_xattr, 471 struct xattr *evm_xattr) 472 { 473 struct evm_ima_xattr_data *xattr_data; 474 int rc; 475 476 if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name)) 477 return 0; 478 479 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 480 if (!xattr_data) 481 return -ENOMEM; 482 483 xattr_data->type = EVM_XATTR_HMAC; 484 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 485 if (rc < 0) 486 goto out; 487 488 evm_xattr->value = xattr_data; 489 evm_xattr->value_len = sizeof(*xattr_data); 490 evm_xattr->name = XATTR_EVM_SUFFIX; 491 return 0; 492 out: 493 kfree(xattr_data); 494 return rc; 495 } 496 EXPORT_SYMBOL_GPL(evm_inode_init_security); 497 498 #ifdef CONFIG_EVM_LOAD_X509 499 void __init evm_load_x509(void) 500 { 501 int rc; 502 503 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 504 if (!rc) 505 evm_initialized |= EVM_INIT_X509; 506 } 507 #endif 508 509 static int __init init_evm(void) 510 { 511 int error; 512 513 evm_init_config(); 514 515 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 516 if (error) 517 return error; 518 519 error = evm_init_secfs(); 520 if (error < 0) { 521 pr_info("Error registering secfs\n"); 522 return error; 523 } 524 525 return 0; 526 } 527 528 /* 529 * evm_display_config - list the EVM protected security extended attributes 530 */ 531 static int __init evm_display_config(void) 532 { 533 char **xattrname; 534 535 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) 536 pr_info("%s\n", *xattrname); 537 return 0; 538 } 539 540 pure_initcall(evm_display_config); 541 late_initcall(init_evm); 542 543 MODULE_DESCRIPTION("Extended Verification Module"); 544 MODULE_LICENSE("GPL"); 545