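// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2005-2010 IBM Corporation
 *
 * Author:
 * Mimi Zohar <zohar@us.ibm.com>
 * Kylene Hall <kjhall@us.ibm.com>
 *
 * File: evm_main.c
 *	implements evm_inode_setxattr, evm_inode_post_setxattr,
 *	evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl.
 */

#define pr_fmt(fmt) "EVM: "fmt

#include <linux/init.h>
#include <linux/crypto.h>
#include <linux/audit.h>
#include <linux/xattr.h>
#include <linux/integrity.h>
#include <linux/evm.h>
#include <linux/magic.h>
#include <linux/posix_acl_xattr.h>
#include <linux/lsm_hooks.h>

#include <crypto/hash.h>
#include <crypto/hash_info.h>
#include <crypto/algapi.h>
#include "evm.h"

/*
 * Bit set describing EVM's state: EVM_INIT_HMAC / EVM_INIT_X509 (keys),
 * EVM_SETUP_COMPLETE and EVM_ALLOW_METADATA_WRITES (policy). Consulted by
 * evm_key_loaded() and evm_hmac_disabled() below and by every hook.
 */
int evm_initialized;

/* Indexed by enum integrity_status; used as the audit "cause" string. */
static const char * const integrity_status_msg[] = {
	"pass", "pass_immutable", "fail", "fail_immutable", "no_label",
	"no_xattrs", "unknown"
};
/* EVM_ATTR_* bits (e.g. EVM_ATTR_FSUUID, set in evm_init_config()). */
int evm_hmac_attrs;

/*
 * Default set of xattrs covered by security.evm. Entries whose LSM is not
 * configured are still listed, just not enabled - see evm_init_config().
 */
static struct xattr_list evm_config_default_xattrnames[] = {
	{
		.name = XATTR_NAME_SELINUX,
		.enabled = IS_ENABLED(CONFIG_SECURITY_SELINUX)
	},
	{
		.name = XATTR_NAME_SMACK,
		.enabled = IS_ENABLED(CONFIG_SECURITY_SMACK)
	},
	{
		.name = XATTR_NAME_SMACKEXEC,
		.enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
	},
	{
		.name = XATTR_NAME_SMACKTRANSMUTE,
		.enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
	},
	{
		.name = XATTR_NAME_SMACKMMAP,
		.enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
	},
	{
		.name = XATTR_NAME_APPARMOR,
		.enabled = IS_ENABLED(CONFIG_SECURITY_APPARMOR)
	},
	{
		.name = XATTR_NAME_IMA,
		.enabled = IS_ENABLED(CONFIG_IMA_APPRAISE)
	},
	{
		.name = XATTR_NAME_CAPS,
		.enabled = true
	},
};

LIST_HEAD(evm_config_xattrnames);

/*
 * "evm=fix" boot parameter. In fix mode evm_verify_current_integrity()
 * reports INTEGRITY_PASS unconditionally, i.e. enforcement is off.
 */
static int evm_fixmode __ro_after_init;
/*
 * Only the first three characters are compared, so any value starting with
 * "fix" enables fix mode. Always returns 1 (parameter consumed).
 */
static int __init evm_set_fixmode(char *str)
{
	if (strncmp(str, "fix", 3) == 0)
		evm_fixmode = 1;
	else
		pr_err("invalid \"%s\" mode\n", str); /* newline added: printk */

	return 1;
}
__setup("evm=", evm_set_fixmode);

/*
 * Populate evm_config_xattrnames from the default table and log the result.
 * Disabled entries are added to the list as well (evm_find_protected_xattrs()
 * and evm_protected_xattr_if_enabled() rely on seeing them).
 */
static void __init evm_init_config(void)
{
	int i, xattrs;

	xattrs = ARRAY_SIZE(evm_config_default_xattrnames);

	pr_info("Initialising EVM extended attributes:\n");
	for (i = 0; i < xattrs; i++) {
		pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
			!evm_config_default_xattrnames[i].enabled ?
			" (disabled)" : "");
		list_add_tail(&evm_config_default_xattrnames[i].list,
			      &evm_config_xattrnames);
	}

#ifdef CONFIG_EVM_ATTR_FSUUID
	evm_hmac_attrs |= EVM_ATTR_FSUUID;
#endif
	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
}

/* True when any EVM key (EVM_KEY_MASK) has been loaded. */
static bool evm_key_loaded(void)
{
	return (bool)(evm_initialized & EVM_KEY_MASK);
}

/*
 * This function determines whether or not it is safe to ignore verification
 * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
 * is not loaded, and it cannot be loaded in the future due to the
 * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
 * attrs/xattrs being found invalid will not make them valid.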
 */
static bool evm_hmac_disabled(void)
{
	/*
	 * While an HMAC can still be produced, or the key may still arrive
	 * (setup not complete), verification errors must not be waved through.
	 */
	bool hmac_ready = evm_initialized & EVM_INIT_HMAC;
	bool setup_done = evm_initialized & EVM_SETUP_COMPLETE;

	return !hmac_ready && setup_done;
}

/*
 * evm_find_protected_xattrs - count the EVM-listed xattrs present on @dentry
 * @dentry: dentry whose inode is probed
 *
 * Each name on evm_config_xattrnames (enabled or not - the 'enabled' flag is
 * not consulted here) is probed with a zero-length __vfs_getxattr(); names
 * that are absent (-ENODATA) are skipped.
 *
 * Returns the number of listed xattrs found, -EOPNOTSUPP when the inode does
 * not support xattrs, or the first other error from __vfs_getxattr().
 */
static int evm_find_protected_xattrs(struct dentry *dentry)
{
	struct inode *inode = d_backing_inode(dentry);
	struct xattr_list *entry;
	int found = 0;

	if (!(inode->i_opflags & IOP_XATTR))
		return -EOPNOTSUPP;

	list_for_each_entry_lockless(entry, &evm_config_xattrnames, list) {
		int rc = __vfs_getxattr(dentry, inode, entry->name, NULL, 0);

		if (rc == -ENODATA)
			continue;
		if (rc < 0)
			return rc;
		found++;
	}

	return found;
}

/*
 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
 *
 * Compute the HMAC on the dentry's protected set of extended attributes
 * and compare it against the stored security.evm xattr.
 *
 * For performance:
 * - use the previously retrieved xattr value and length to calculate the
 *   HMAC.)
 * - cache the verification result in the iint, when available.
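 *
 * Returns integrity status
 */
static enum integrity_status evm_verify_hmac(struct dentry *dentry,
					     const char *xattr_name,
					     char *xattr_value,
					     size_t xattr_value_len,
					     struct integrity_iint_cache *iint)
{
	struct evm_ima_xattr_data *xattr_data = NULL;
	struct signature_v2_hdr *hdr;
	enum integrity_status evm_status = INTEGRITY_PASS;
	/*
	 * Zero-initialised on purpose: the pr_debug() before 'out' prints
	 * digest.hdr.length and that many digest bytes even when
	 * evm_calc_hmac()/evm_calc_hash() failed before filling the digest
	 * in, or when the xattr type was unknown (default: case), so nothing
	 * here may be left uninitialised.
	 */
	struct evm_digest digest = { 0 };
	struct inode *inode;
	int rc, xattr_len, evm_immutable = 0;

	/* A cached PASS / PASS_IMMUTABLE verdict is trusted as-is. */
	if (iint && (iint->evm_status == INTEGRITY_PASS ||
		     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
		return iint->evm_status;

	/* if status is not PASS, try to check again - against -ENOMEM */

	/* first need to know the sig type */
	rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_EVM,
				(char **)&xattr_data, 0, GFP_NOFS);
	if (rc <= 0) {
		evm_status = INTEGRITY_FAIL;
		if (rc == -ENODATA) {
			/*
			 * No security.evm: tell a file that carries listed
			 * xattrs but no label (NOLABEL) apart from one with
			 * none at all (NOXATTRS); other errors stay FAIL.
			 */
			rc = evm_find_protected_xattrs(dentry);
			if (rc > 0)
				evm_status = INTEGRITY_NOLABEL;
			else if (rc == 0)
				evm_status = INTEGRITY_NOXATTRS; /* new file */
		} else if (rc == -EOPNOTSUPP) {
			evm_status = INTEGRITY_UNKNOWN;
		}
		goto out;
	}

	xattr_len = rc;

	/* check value type */
	switch (xattr_data->type) {
	case EVM_XATTR_HMAC:
		/* An HMAC label must be exactly one struct evm_xattr. */
		if (xattr_len != sizeof(struct evm_xattr)) {
			evm_status = INTEGRITY_FAIL;
			goto out;
		}

		digest.hdr.algo = HASH_ALGO_SHA1;
		rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
				   xattr_value_len, &digest);
		if (rc)
			break;
		/* Constant-time compare of the stored and computed HMAC. */
		rc = crypto_memneq(xattr_data->data, digest.digest,
				   SHA1_DIGEST_SIZE);
		if (rc)
			rc = -EINVAL;
		break;
	case EVM_XATTR_PORTABLE_DIGSIG:
		evm_immutable = 1;
		fallthrough;
	case EVM_IMA_XATTR_DIGSIG:
		/* accept xattr with non-empty signature field */
		if (xattr_len <= sizeof(struct signature_v2_hdr)) {
			evm_status = INTEGRITY_FAIL;
			goto out;
		}

		hdr = (struct signature_v2_hdr *)xattr_data;
		/*
		 * hash_algo is taken from the on-disk xattr (untrusted); it
		 * is not range-checked here - this relies on evm_calc_hash()
		 * rejecting unsupported values. TODO confirm in evm_crypto.c.
		 */
		digest.hdr.algo = hdr->hash_algo;
		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
				   xattr_value_len, xattr_data->type, &digest);
		if (rc)
			break;
		rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
					     (const char *)xattr_data, xattr_len,
					     digest.digest, digest.hdr.length);
		if (!rc) {
			inode = d_backing_inode(dentry);

			if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
				if (iint)
					iint->flags |= EVM_IMMUTABLE_DIGSIG;
				evm_status = INTEGRITY_PASS_IMMUTABLE;
			} else if (!IS_RDONLY(inode) &&
				   !(inode->i_sb->s_readonly_remount) &&
				   !IS_IMMUTABLE(inode)) {
				/*
				 * Valid non-portable signature on a writable
				 * inode: security.evm is rewritten in place
				 * (presumably as an HMAC - see
				 * evm_update_evmxattr()).
				 */
				evm_update_evmxattr(dentry, xattr_name,
						    xattr_value,
						    xattr_value_len);
			}
		}
		break;
	default:
		rc = -EINVAL;
		break;
	}

	if (rc) {
		if (rc == -ENODATA)
			evm_status = INTEGRITY_NOXATTRS;
		else if (evm_immutable)
			evm_status = INTEGRITY_FAIL_IMMUTABLE;
		else
			evm_status = INTEGRITY_FAIL;
	}
	pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
		 digest.digest);
out:
	/* Cache the verdict, whatever it is, for the next caller. */
	if (iint)
		iint->evm_status = evm_status;
	kfree(xattr_data);
	return evm_status;
}

/*
 * evm_protected_xattr_common - is @req_xattr_name on the EVM xattr list?
 * @req_xattr_name: full name (e.g. "security.selinux") or the bare suffix
 *                  after the "security." prefix (e.g. "selinux")
 * @all_xattrs: true to also match list entries that are not enabled
 *
 * Returns 1 on a match, 0 otherwise.
 */
static int evm_protected_xattr_common(const char *req_xattr_name,
				      bool all_xattrs)
{
	int namelen;
	int found = 0;
	struct xattr_list *xattr;

	namelen = strlen(req_xattr_name);
	list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
		if (!all_xattrs && !xattr->enabled)
			continue;

		/* Exact full-name match. */
		if ((strlen(xattr->name) == namelen)
		    && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
			found = 1;
			break;
		}
		/*
		 * Suffix form: compare against the entry with "security."
		 * stripped. The bound is the request's own length, so this
		 * is a prefix match - a request shorter than the entry's
		 * suffix matches too. NOTE(review): looks like a full suffix
		 * compare was intended; confirm with callers before changing.
		 */
		if (strncmp(req_xattr_name,
			    xattr->name + XATTR_SECURITY_PREFIX_LEN,
			    strlen(req_xattr_name)) == 0) {
			found = 1;
			break;
		}
	}

	return found;
}

/* Match only the enabled entries of the EVM xattr list. */
int evm_protected_xattr(const char *req_xattr_name)
{
	return evm_protected_xattr_common(req_xattr_name, false);
}

/*
 * Despite the name, this variant matches list entries regardless of their
 * 'enabled' flag (all_xattrs is passed as true).
 */
int evm_protected_xattr_if_enabled(const char *req_xattr_name)
{
	return evm_protected_xattr_common(req_xattr_name, true);
}

/**
 * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
 * @dentry: dentry of the read xattrs
 * @buffer: buffer xattr names, lengths or values are copied to
 * @buffer_size: size of buffer
 * @type: n: names, l: lengths, v: values
 * @canonical_fmt: data format (true: little endian, false: native format)
 *
 * Read protected xattr names (separated by |), lengths (u32) or values for a
 * given dentry and return the total size of copied data. If buffer is NULL,
 * just return the total size.
 *
 * Every write into @buffer is bounded by @buffer_size; a buffer too small for
 * the data yields -ERANGE (the error __vfs_getxattr() itself reports for a
 * short value buffer). A caller that sized @buffer from an earlier NULL-buffer
 * call of the same @type is never affected by this check.
 *
 * Returns the total size on success, a negative value on error.
 */
int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
			      int buffer_size, char type, bool canonical_fmt)
{
	struct xattr_list *xattr;
	int rc, size, total_size = 0;

	list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
		/* Probe for presence and length only; nothing is copied yet. */
		rc = __vfs_getxattr(dentry, d_backing_inode(dentry),
				    xattr->name, NULL, 0);
		if (rc == -ENODATA)
			continue;
		else if (rc < 0)
			return rc;

		switch (type) {
		case 'n':
			size = strlen(xattr->name) + 1;
			if (buffer) {
				if (size > buffer_size - total_size)
					return -ERANGE;
				/* The previous name's NUL becomes the '|'. */
				if (total_size)
					*(buffer + total_size - 1) = '|';

				memcpy(buffer + total_size, xattr->name, size);
			}
			break;
		case 'l':
			size = sizeof(u32);
			if (buffer) {
				u32 len = rc;

				if (size > buffer_size - total_size)
					return -ERANGE;
				if (canonical_fmt)
					len = (__force u32)cpu_to_le32(len);
				/* @buffer is u8 *: copy, don't store via u32 *. */
				memcpy(buffer + total_size, &len, size);
			}
			break;
		case 'v':
			size = rc;
			if (buffer) {
				if (size > buffer_size - total_size)
					return -ERANGE;
				/*
				 * The value is re-read here, but @size from the
				 * probe above is what advances total_size; a
				 * value that changed in between still occupies
				 * its probed length in @buffer.
				 */
				rc = __vfs_getxattr(dentry,
					d_backing_inode(dentry), xattr->name,
					buffer + total_size,
					buffer_size - total_size);
				if (rc < 0)
					return rc;
			}
			break;
		default:
			return -EINVAL;
		}

		total_size += size;
	}

	return total_size;
}

/**
 * evm_verifyxattr - verify the integrity of the requested xattr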
 * @dentry: object of the verify xattr
 * @xattr_name: requested xattr
 * @xattr_value: requested xattr value
 * @xattr_value_len: requested xattr value length
 * @iint: inode integrity metadata
 *
 * Calculate the HMAC for the given dentry and verify it against the stored
 * security.evm xattr. For performance, use the xattr value and length
 * previously retrieved to calculate the HMAC.
 *
 * Returns the xattr integrity status. INTEGRITY_UNKNOWN is reported without
 * reading security.evm when no EVM key is loaded, when @xattr_name is not an
 * enabled EVM-protected xattr, or when the inode has no iint and none was
 * supplied.
 *
 * This function requires the caller to lock the inode's i_mutex before it
 * is executed.
 */
enum integrity_status evm_verifyxattr(struct dentry *dentry,
				      const char *xattr_name,
				      void *xattr_value, size_t xattr_value_len,
				      struct integrity_iint_cache *iint)
{
	struct integrity_iint_cache *cache = iint;

	if (!evm_key_loaded())
		return INTEGRITY_UNKNOWN;
	if (!evm_protected_xattr(xattr_name))
		return INTEGRITY_UNKNOWN;

	/* Look the iint up ourselves when the caller did not pass one. */
	if (!cache)
		cache = integrity_iint_find(d_backing_inode(dentry));
	if (!cache)
		return INTEGRITY_UNKNOWN;

	return evm_verify_hmac(dentry, xattr_name, xattr_value,
			       xattr_value_len, cache);
}
EXPORT_SYMBOL_GPL(evm_verifyxattr);

/*
 * evm_verify_current_integrity - verify the dentry's metadata integrity
 * @dentry: pointer to the affected dentry
 *
 * Verify and return the dentry's metadata integrity. The exceptions are
 * before EVM is initialized or in 'fix' mode.
 */
static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
{
	struct inode *inode = d_backing_inode(dentry);
	bool skip_verification;

	/*
	 * No key loaded, not a regular file, or "evm=fix" given at boot:
	 * report PASS without looking at security.evm (fix mode therefore
	 * turns enforcement off for every hook that calls this).
	 */
	skip_verification = !evm_key_loaded() || !S_ISREG(inode->i_mode) ||
			    evm_fixmode;
	if (skip_verification)
		return INTEGRITY_PASS;

	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
}

/*
 * evm_xattr_change - check if passed xattr value differs from current value
 * @idmap: idmap of the mount (accepted for symmetry with the callers; the
 *         stored value is read with nop_mnt_idmap)
 * @dentry: pointer to the affected dentry
 * @xattr_name: requested xattr
 * @xattr_value: requested xattr value
 * @xattr_value_len: requested xattr value length
 *
 * Check if passed xattr value differs from current value. Failing to read
 * the current value counts as a difference.
 *
 * Returns 1 if passed xattr value differs from current value, 0 otherwise.
 */
static int evm_xattr_change(struct mnt_idmap *idmap,
			    struct dentry *dentry, const char *xattr_name,
			    const void *xattr_value, size_t xattr_value_len)
{
	char *current_value = NULL;
	int changed = 1;
	int current_len;

	current_len = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr_name,
					 &current_value, 0, GFP_NOFS);
	/* A read error or a length mismatch is reported as "changed". */
	if (current_len >= 0 && current_len == xattr_value_len)
		changed = memcmp(xattr_value, current_value, current_len) != 0;

	kfree(current_value);
	return changed;
}

/*
 * evm_protect_xattr - protect the EVM extended attribute
 *
 * Prevent security.evm from being modified or removed without the
 * necessary permissions or when the existing value is invalid.
 *
 * The posix xattr acls are 'system' prefixed, which normally would not
 * affect security.evm. An interesting side affect of writing posix xattr
 * acls is their modifying of the i_mode, which is included in security.evm.
 * For posix xattr acls only, permit security.evm, even if it currently
 * doesn't exist, to be updated unless the EVM signature is immutable.
 */
static int evm_protect_xattr(struct mnt_idmap *idmap,
			     struct dentry *dentry, const char *xattr_name,
			     const void *xattr_value, size_t xattr_value_len)
{
	enum integrity_status evm_status;

	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
		/* Touching security.evm itself always needs CAP_SYS_ADMIN. */
		if (!capable(CAP_SYS_ADMIN))
			return -EPERM;
	} else if (!evm_protected_xattr(xattr_name)) {
		/* Unrelated xattrs are not EVM's business... */
		if (!posix_xattr_acl(xattr_name))
			return 0;
		/* ...except posix ACLs, which can change i_mode (see above). */
		evm_status = evm_verify_current_integrity(dentry);
		if ((evm_status == INTEGRITY_PASS) ||
		    (evm_status == INTEGRITY_NOXATTRS))
			return 0;
		goto out;
	}

	evm_status = evm_verify_current_integrity(dentry);
	if (evm_status == INTEGRITY_NOXATTRS) {
		struct integrity_iint_cache *iint;

		/* Exception if the HMAC is not going to be calculated. */
		if (evm_hmac_disabled())
			return 0;

		/* A file being created has no label yet; let it through. */
		iint = integrity_iint_find(d_backing_inode(dentry));
		if (iint && (iint->flags & IMA_NEW_FILE))
			return 0;

		/* exception for pseudo filesystems */
		if (dentry->d_sb->s_magic == TMPFS_MAGIC
		    || dentry->d_sb->s_magic == SYSFS_MAGIC)
			return 0;

		/*
		 * No exception applied. Note that NOXATTRS then falls
		 * through to 'out', where a second ("appraise_metadata")
		 * audit record is emitted before the -EPERM.
		 */
		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
				    dentry->d_inode, dentry->d_name.name,
				    "update_metadata",
				    integrity_status_msg[evm_status],
				    -EPERM, 0);
	}
out:
	/* Exception if the HMAC is not going to be calculated. */
	if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
	    evm_status == INTEGRITY_UNKNOWN))
		return 0;

	/*
	 * Writing other xattrs is safe for portable signatures, as portable
	 * signatures are immutable and can never be updated.
	 */
	if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
		return 0;

	/* Re-writing the identical value cannot break a portable signature. */
	if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
	    !evm_xattr_change(idmap, dentry, xattr_name, xattr_value,
			      xattr_value_len))
		return 0;

	/*
	 * Audit every status except PASS / PASS_IMMUTABLE. A PASS_IMMUTABLE
	 * inode whose value would actually change is denied below without an
	 * audit record.
	 */
	if (evm_status != INTEGRITY_PASS &&
	    evm_status != INTEGRITY_PASS_IMMUTABLE)
		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
				    dentry->d_name.name, "appraise_metadata",
				    integrity_status_msg[evm_status],
				    -EPERM, 0);
	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
}

/**
 * evm_inode_setxattr - protect the EVM extended attribute
 * @idmap: idmap of the mount
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
 * @xattr_value: pointer to the new extended attribute value
 * @xattr_value_len: length of the new extended attribute value
 *
 * Before allowing the 'security.evm' protected xattr to be updated,
 * verify the existing value is valid. As only the kernel should have
 * access to the EVM encrypted key needed to calculate the HMAC, prevent
 * userspace from writing HMAC value. Writing 'security.evm' requires
 * CAP_SYS_ADMIN privileges.
 */
int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
		       const char *xattr_name, const void *xattr_value,
		       size_t xattr_value_len)
{
	/* Policy permits modification of the protected xattrs even though
	 * there's no HMAC key loaded
	 */
	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
		return 0;

	if (!strcmp(xattr_name, XATTR_NAME_EVM)) {
		const struct evm_ima_xattr_data *hdr = xattr_value;

		/* An empty value has no type byte to inspect. */
		if (!xattr_value_len)
			return -EINVAL;
		/*
		 * Userspace may only install signatures; an HMAC-typed value
		 * is refused since only the kernel holds the HMAC key. Only
		 * the type byte is checked here - the signature itself is
		 * verified when the xattr is later appraised.
		 */
		switch (hdr->type) {
		case EVM_IMA_XATTR_DIGSIG:
		case EVM_XATTR_PORTABLE_DIGSIG:
			break;
		default:
			return -EPERM;
		}
	}

	return evm_protect_xattr(idmap, dentry, xattr_name, xattr_value,
				 xattr_value_len);
}

/**
 * evm_inode_removexattr - protect the EVM extended attribute
 * @idmap: idmap of the mount
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
 *
 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
 * the current value is valid.
 */
int evm_inode_removexattr(struct mnt_idmap *idmap,
			  struct dentry *dentry, const char *xattr_name)
{
	/* Policy permits modification of the protected xattrs even though
	 * there's no HMAC key loaded
	 */
	bool writes_allowed = evm_initialized & EVM_ALLOW_METADATA_WRITES;

	if (writes_allowed)
		return 0;

	/* A removal is checked like a write of an empty value. */
	return evm_protect_xattr(idmap, dentry, xattr_name, NULL, 0);
}

#ifdef CONFIG_FS_POSIX_ACL
/*
 * evm_inode_set_acl_change - would setting @kacl change the inode's mode?
 *
 * Returns 1 when the ACL is being removed (@kacl NULL), when
 * posix_acl_update_mode() fails, or when the resulting mode differs from the
 * current i_mode; 0 otherwise. @name is not used.
 */
static int evm_inode_set_acl_change(struct mnt_idmap *idmap,
				    struct dentry *dentry, const char *name,
				    struct posix_acl *kacl)
{
	struct inode *inode = d_backing_inode(dentry);
	umode_t new_mode;

	if (!kacl)
		return 1;

	if (posix_acl_update_mode(idmap, inode, &new_mode, &kacl))
		return 1;

	return inode->i_mode != new_mode;
}
#else
/* Without posix ACL support an ACL can never change the mode. */
static inline int evm_inode_set_acl_change(struct mnt_idmap *idmap,
					   struct dentry *dentry,
					   const char *name,
					   struct posix_acl *kacl)
{
	return 0;
}
#endif

/**
 * evm_inode_set_acl - protect the EVM extended attribute from posix acls
 * @idmap: idmap of the idmapped mount
 * @dentry: pointer to the affected dentry
 * @acl_name: name of the posix acl
 * @kacl: pointer to the posix acls
 *
 * Prevent modifying posix acls causing the EVM HMAC to be re-calculated
 * and 'security.evm' xattr updated, unless the existing 'security.evm' is
 * valid.
 */
int evm_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
		      const char *acl_name, struct posix_acl *kacl)
{
	enum integrity_status evm_status;

	/* Policy permits modification of the protected xattrs even though
	 * there's no HMAC key loaded
	 */
	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
		return 0;

	evm_status = evm_verify_current_integrity(dentry);
	if ((evm_status == INTEGRITY_PASS) ||
	    (evm_status == INTEGRITY_NOXATTRS))
		return 0;

	/* Exception if the HMAC is not going to be calculated. */
	if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
	    evm_status == INTEGRITY_UNKNOWN))
		return 0;

	/*
	 * Writing other xattrs is safe for portable signatures, as portable
	 * signatures are immutable and can never be updated.
	 */
	if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
		return 0;

	/*
	 * Only an ACL that would alter i_mode counts as a change for a
	 * portable signature (see evm_inode_set_acl_change()).
	 */
	if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
	    !evm_inode_set_acl_change(idmap, dentry, acl_name, kacl))
		return 0;

	/*
	 * Everything that reaches here is denied. A PASS_IMMUTABLE inode
	 * whose mode would change is refused without an audit record; every
	 * other status is audited.
	 */
	if (evm_status != INTEGRITY_PASS_IMMUTABLE)
		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
				    dentry->d_name.name, "appraise_metadata",
				    integrity_status_msg[evm_status],
				    -EPERM, 0);
	return -EPERM;
}

/*
 * evm_reset_status - drop the cached EVM verdict for @inode
 *
 * Setting INTEGRITY_UNKNOWN makes the next evm_verify_hmac() re-verify
 * instead of returning the cached PASS. No-op when the inode has no iint.
 */
static void evm_reset_status(struct inode *inode)
{
	struct integrity_iint_cache *iint;

	iint = integrity_iint_find(inode);
	if (iint)
		iint->evm_status = INTEGRITY_UNKNOWN;
}

/**
 * evm_revalidate_status - report whether EVM status re-validation is necessary
 * @xattr_name: pointer to the affected extended attribute name
 *
 * Report whether callers of evm_verifyxattr() should re-validate the
 * EVM status.
 *
 * Return true if re-validation is necessary, false otherwise.
 */
bool evm_revalidate_status(const char *xattr_name)
{
	bool affects_evm;

	if (!evm_key_loaded())
		return false;

	/* evm_inode_post_setattr() passes NULL */
	if (!xattr_name)
		return true;

	/*
	 * Only security.evm itself, the enabled EVM-protected xattrs and the
	 * posix ACL xattrs (which can change i_mode) matter.
	 */
	affects_evm = evm_protected_xattr(xattr_name) ||
		      posix_xattr_acl(xattr_name) ||
		      !strcmp(xattr_name, XATTR_NAME_EVM);

	return affects_evm;
}

/**
 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
 * @xattr_value: pointer to the new extended attribute value
 * @xattr_value_len: length of the new extended attribute value
 *
 * Update the HMAC stored in 'security.evm' to reflect the change.
 *
 * No need to take the i_mutex lock here, as this function is called from
 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
 * i_mutex lock.
 */
void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
			     const void *xattr_value, size_t xattr_value_len)
{
	if (!evm_revalidate_status(xattr_name))
		return;

	/* Any cached verdict for this inode is now stale. */
	evm_reset_status(dentry->d_inode);

	/* security.evm was written directly; nothing to derive from it. */
	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0)
		return;

	/* Without the HMAC key no new security.evm can be computed. */
	if (!(evm_initialized & EVM_INIT_HMAC))
		return;

	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
}

/**
 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
 *
 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
 *
 * No need to take the i_mutex lock here, as this function is called from
 * vfs_removexattr() which takes the i_mutex.
 */
void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
{
	if (!evm_revalidate_status(xattr_name))
		return;

	/* Drop the cached verdict: the inode's protected set just changed. */
	evm_reset_status(dentry->d_inode);

	/* security.evm itself was removed; there is nothing to refresh. */
	if (!strcmp(xattr_name, XATTR_NAME_EVM))
		return;

	/* Without the HMAC key no new security.evm can be computed. */
	if (!(evm_initialized & EVM_INIT_HMAC))
		return;

	/* A NULL value / zero length is passed for the xattr that is now gone. */
	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
}

/*
 * evm_attr_change - check whether @attr changes the inode's uid, gid or mode
 * @idmap: idmap of the mount
 * @dentry: pointer to the affected dentry
 * @attr: requested attribute changes
 *
 * A mode change that only re-applies the current i_mode does not count.
 *
 * Returns 1 if uid, gid or mode would actually change, 0 otherwise.
 */
static int evm_attr_change(struct mnt_idmap *idmap,
			   struct dentry *dentry, struct iattr *attr)
{
	struct inode *inode = d_backing_inode(dentry);
	unsigned int ia_valid = attr->ia_valid;

	if (!i_uid_needs_update(idmap, attr, inode) &&
	    !i_gid_needs_update(idmap, attr, inode) &&
	    (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
		return 0;

	return 1;
}

/**
 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
 * @idmap: idmap of the mount
 * @dentry: pointer to the affected dentry
 * @attr: iattr structure containing the new file attributes
 *
 * Permit update of file attributes when files have a valid EVM signature,
 * except in the case of them having an immutable portable signature.
 *
 * Returns 0 to allow the change, -EPERM (audited) to refuse it.
 */
int evm_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
		      struct iattr *attr)
{
	unsigned int ia_valid = attr->ia_valid;
	enum integrity_status evm_status;

	/* Policy permits modification of the protected attrs even though
	 * there's no HMAC key loaded
	 */
	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
		return 0;

	/* Only mode/uid/gid are EVM-relevant; other attributes pass through. */
	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
		return 0;
	evm_status = evm_verify_current_integrity(dentry);
	/*
	 * Writing attrs is safe for portable signatures, as portable signatures
	 * are immutable and can never be updated.
	 */
	if ((evm_status == INTEGRITY_PASS) ||
	    (evm_status == INTEGRITY_NOXATTRS) ||
	    (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
	    (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
	     evm_status == INTEGRITY_UNKNOWN)))
		return 0;

	/* A portable signature is kept valid if nothing actually changes. */
	if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
	    !evm_attr_change(idmap, dentry, attr))
		return 0;

	/* Every denial from here is audited. */
	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
			    dentry->d_name.name, "appraise_metadata",
			    integrity_status_msg[evm_status], -EPERM, 0);
	return -EPERM;
}

/**
 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
 * @dentry: pointer to the affected dentry
 * @ia_valid: for the UID and GID status
 *
 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
 * changes.
 *
 * This function is called from notify_change(), which expects the caller
 * to lock the inode's i_mutex.
 */
void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
{
	/* NULL name: "some attribute changed", which always revalidates. */
	if (!evm_revalidate_status(NULL))
		return;

	evm_reset_status(dentry->d_inode);

	/* Without the HMAC key no new security.evm can be computed. */
	if (!(evm_initialized & EVM_INIT_HMAC))
		return;

	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
		evm_update_evmxattr(dentry, NULL, NULL, 0);
}

/*
 * evm_inode_init_security - initializes security.evm HMAC value
 * @inode: the new inode
 * @dir: parent directory (not used here)
 * @qstr: name of the new inode (not used here)
 * @xattrs: NULL-terminated array of xattrs being set at creation
 * @xattr_count: passed to lsm_get_xattr_slot() to pick the free slot
 *
 * Adds a security.evm HMAC entry to @xattrs when the HMAC key is loaded and
 * at least one of the xattrs is EVM-protected. On success the kzalloc'ed
 * value is handed to the array (presumably freed by the caller together
 * with the other values - confirm in security_inode_init_security()); on
 * failure it is freed here.
 *
 * Returns 0 (also when nothing needed to be done), -ENOMEM, or the error
 * returned by evm_init_hmac().
 */
int evm_inode_init_security(struct inode *inode, struct inode *dir,
			    const struct qstr *qstr, struct xattr *xattrs,
			    int *xattr_count)
{
	struct evm_xattr *xattr_data;
	struct xattr *xattr, *evm_xattr;
	bool evm_protected_xattrs = false;
	int rc;

	if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs)
		return 0;

	/*
	 * security_inode_init_security() makes sure that the xattrs array is
	 * contiguous, there is enough space for security.evm, and that there is
	 * a terminator at the end of the array.
	 */
	for (xattr = xattrs; xattr->name; xattr++) {
		if (evm_protected_xattr(xattr->name))
			evm_protected_xattrs = true;
	}

	/* EVM xattr not needed. */
	if (!evm_protected_xattrs)
		return 0;

	evm_xattr = lsm_get_xattr_slot(xattrs, xattr_count);
	/*
	 * Array terminator (xattr name = NULL) must be the first non-filled
	 * xattr slot.
	 */
	WARN_ONCE(evm_xattr != xattr,
		  "%s: xattrs terminator is not the first non-filled slot\n",
		  __func__);

	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
	if (!xattr_data)
		return -ENOMEM;

	xattr_data->data.type = EVM_XATTR_HMAC;
	rc = evm_init_hmac(inode, xattrs, xattr_data->digest);
	if (rc < 0)
		goto out;

	/* Ownership of xattr_data moves to the array from here on. */
	evm_xattr->value = xattr_data;
	evm_xattr->value_len = sizeof(*xattr_data);
	evm_xattr->name = XATTR_EVM_SUFFIX;
	return 0;
out:
	kfree(xattr_data);
	return rc;
}
EXPORT_SYMBOL_GPL(evm_inode_init_security);

#ifdef CONFIG_EVM_LOAD_X509
/*
 * Load the built-in X.509 certificate onto the EVM keyring; on success mark
 * EVM_INIT_X509 in evm_initialized. A failure is silently ignored here.
 */
void __init evm_load_x509(void)
{
	int rc;

	rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
	if (!rc)
		evm_initialized |= EVM_INIT_X509;
}
#endif

/*
 * init_evm - late initcall: build the xattr list, create the EVM keyring
 * and register the securityfs entries.
 *
 * The 'error' label is reached on success as well; the list teardown below
 * it only runs when an earlier step failed.
 */
static int __init init_evm(void)
{
	int error;
	struct list_head *pos, *q;

	evm_init_config();

	error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
	if (error)
		goto error;

	error = evm_init_secfs();
	if (error < 0) {
		pr_info("Error registering secfs\n");
		goto error;
	}

error:
	if (error != 0) {
		if (!list_empty(&evm_config_xattrnames)) {
			list_for_each_safe(pos, q, &evm_config_xattrnames)
				list_del(pos);
		}
	}

	return error;
}

late_initcall(init_evm);