1 /* 2 * Copyright (C) 2005-2010 IBM Corporation 3 * 4 * Author: 5 * Mimi Zohar <zohar@us.ibm.com> 6 * Kylene Hall <kjhall@us.ibm.com> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation, version 2 of the License. 11 * 12 * File: evm_main.c 13 * implements evm_inode_setxattr, evm_inode_post_setxattr, 14 * evm_inode_removexattr, and evm_verifyxattr 15 */ 16 17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 18 19 #include <linux/module.h> 20 #include <linux/crypto.h> 21 #include <linux/audit.h> 22 #include <linux/xattr.h> 23 #include <linux/integrity.h> 24 #include <linux/evm.h> 25 #include <linux/magic.h> 26 27 #include <crypto/hash.h> 28 #include <crypto/algapi.h> 29 #include "evm.h" 30 31 int evm_initialized; 32 33 static const char * const integrity_status_msg[] = { 34 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 35 }; 36 int evm_hmac_attrs; 37 38 char *evm_config_xattrnames[] = { 39 #ifdef CONFIG_SECURITY_SELINUX 40 XATTR_NAME_SELINUX, 41 #endif 42 #ifdef CONFIG_SECURITY_SMACK 43 XATTR_NAME_SMACK, 44 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 45 XATTR_NAME_SMACKEXEC, 46 XATTR_NAME_SMACKTRANSMUTE, 47 XATTR_NAME_SMACKMMAP, 48 #endif 49 #endif 50 #ifdef CONFIG_SECURITY_APPARMOR 51 XATTR_NAME_APPARMOR, 52 #endif 53 #ifdef CONFIG_IMA_APPRAISE 54 XATTR_NAME_IMA, 55 #endif 56 XATTR_NAME_CAPS, 57 NULL 58 }; 59 60 static int evm_fixmode; 61 static int __init evm_set_fixmode(char *str) 62 { 63 if (strncmp(str, "fix", 3) == 0) 64 evm_fixmode = 1; 65 return 0; 66 } 67 __setup("evm=", evm_set_fixmode); 68 69 static void __init evm_init_config(void) 70 { 71 #ifdef CONFIG_EVM_ATTR_FSUUID 72 evm_hmac_attrs |= EVM_ATTR_FSUUID; 73 #endif 74 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 75 } 76 77 static bool evm_key_loaded(void) 78 { 79 return (bool)(evm_initialized & EVM_KEY_MASK); 80 } 81 82 static int evm_find_protected_xattrs(struct dentry *dentry) 83 { 84 struct inode *inode = d_backing_inode(dentry); 85 char **xattr; 86 int error; 87 int count = 0; 88 89 if (!(inode->i_opflags & IOP_XATTR)) 90 return -EOPNOTSUPP; 91 92 for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) { 93 error = __vfs_getxattr(dentry, inode, *xattr, NULL, 0); 94 if (error < 0) { 95 if (error == -ENODATA) 96 continue; 97 return error; 98 } 99 count++; 100 } 101 102 return count; 103 } 104 105 /* 106 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 107 * 108 * Compute the HMAC on the dentry's protected set of extended attributes 109 * and compare it against the stored security.evm xattr. 110 * 111 * For performance: 112 * - use the previoulsy retrieved xattr value and length to calculate the 113 * HMAC.) 114 * - cache the verification result in the iint, when available. 115 * 116 * Returns integrity status 117 */ 118 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 119 const char *xattr_name, 120 char *xattr_value, 121 size_t xattr_value_len, 122 struct integrity_iint_cache *iint) 123 { 124 struct evm_ima_xattr_data *xattr_data = NULL; 125 struct evm_ima_xattr_data calc; 126 enum integrity_status evm_status = INTEGRITY_PASS; 127 struct inode *inode; 128 int rc, xattr_len; 129 130 if (iint && (iint->evm_status == INTEGRITY_PASS || 131 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 132 return iint->evm_status; 133 134 /* if status is not PASS, try to check again - against -ENOMEM */ 135 136 /* first need to know the sig type */ 137 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 138 GFP_NOFS); 139 if (rc <= 0) { 140 evm_status = INTEGRITY_FAIL; 141 if (rc == -ENODATA) { 142 rc = evm_find_protected_xattrs(dentry); 143 if (rc > 0) 144 evm_status = INTEGRITY_NOLABEL; 145 else if (rc == 0) 146 evm_status = INTEGRITY_NOXATTRS; /* new file */ 147 } else if (rc == -EOPNOTSUPP) { 148 evm_status = INTEGRITY_UNKNOWN; 149 } 150 goto out; 151 } 152 153 xattr_len = rc; 154 155 /* check value type */ 156 switch (xattr_data->type) { 157 case EVM_XATTR_HMAC: 158 if (xattr_len != sizeof(struct evm_ima_xattr_data)) { 159 evm_status = INTEGRITY_FAIL; 160 goto out; 161 } 162 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 163 xattr_value_len, calc.digest); 164 if (rc) 165 break; 166 rc = crypto_memneq(xattr_data->digest, calc.digest, 167 sizeof(calc.digest)); 168 if (rc) 169 rc = -EINVAL; 170 break; 171 case EVM_IMA_XATTR_DIGSIG: 172 case EVM_XATTR_PORTABLE_DIGSIG: 173 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 174 xattr_value_len, xattr_data->type, 175 calc.digest); 176 if (rc) 177 break; 178 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 179 (const char *)xattr_data, xattr_len, 180 calc.digest, sizeof(calc.digest)); 181 if (!rc) { 182 inode = d_backing_inode(dentry); 183 184 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 185 if (iint) 186 iint->flags |= EVM_IMMUTABLE_DIGSIG; 187 evm_status = INTEGRITY_PASS_IMMUTABLE; 188 } else if (!IS_RDONLY(inode) && 189 !(inode->i_sb->s_readonly_remount) && 190 !IS_IMMUTABLE(inode)) { 191 evm_update_evmxattr(dentry, xattr_name, 192 xattr_value, 193 xattr_value_len); 194 } 195 } 196 break; 197 default: 198 rc = -EINVAL; 199 break; 200 } 201 202 if (rc) 203 evm_status = (rc == -ENODATA) ? 204 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 205 out: 206 if (iint) 207 iint->evm_status = evm_status; 208 kfree(xattr_data); 209 return evm_status; 210 } 211 212 static int evm_protected_xattr(const char *req_xattr_name) 213 { 214 char **xattrname; 215 int namelen; 216 int found = 0; 217 218 namelen = strlen(req_xattr_name); 219 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { 220 if ((strlen(*xattrname) == namelen) 221 && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) { 222 found = 1; 223 break; 224 } 225 if (strncmp(req_xattr_name, 226 *xattrname + XATTR_SECURITY_PREFIX_LEN, 227 strlen(req_xattr_name)) == 0) { 228 found = 1; 229 break; 230 } 231 } 232 return found; 233 } 234 235 /** 236 * evm_verifyxattr - verify the integrity of the requested xattr 237 * @dentry: object of the verify xattr 238 * @xattr_name: requested xattr 239 * @xattr_value: requested xattr value 240 * @xattr_value_len: requested xattr value length 241 * 242 * Calculate the HMAC for the given dentry and verify it against the stored 243 * security.evm xattr. For performance, use the xattr value and length 244 * previously retrieved to calculate the HMAC. 245 * 246 * Returns the xattr integrity status. 247 * 248 * This function requires the caller to lock the inode's i_mutex before it 249 * is executed. 250 */ 251 enum integrity_status evm_verifyxattr(struct dentry *dentry, 252 const char *xattr_name, 253 void *xattr_value, size_t xattr_value_len, 254 struct integrity_iint_cache *iint) 255 { 256 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 257 return INTEGRITY_UNKNOWN; 258 259 if (!iint) { 260 iint = integrity_iint_find(d_backing_inode(dentry)); 261 if (!iint) 262 return INTEGRITY_UNKNOWN; 263 } 264 return evm_verify_hmac(dentry, xattr_name, xattr_value, 265 xattr_value_len, iint); 266 } 267 EXPORT_SYMBOL_GPL(evm_verifyxattr); 268 269 /* 270 * evm_verify_current_integrity - verify the dentry's metadata integrity 271 * @dentry: pointer to the affected dentry 272 * 273 * Verify and return the dentry's metadata integrity. The exceptions are 274 * before EVM is initialized or in 'fix' mode. 275 */ 276 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 277 { 278 struct inode *inode = d_backing_inode(dentry); 279 280 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 281 return 0; 282 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 283 } 284 285 /* 286 * evm_protect_xattr - protect the EVM extended attribute 287 * 288 * Prevent security.evm from being modified or removed without the 289 * necessary permissions or when the existing value is invalid. 290 * 291 * The posix xattr acls are 'system' prefixed, which normally would not 292 * affect security.evm. An interesting side affect of writing posix xattr 293 * acls is their modifying of the i_mode, which is included in security.evm. 294 * For posix xattr acls only, permit security.evm, even if it currently 295 * doesn't exist, to be updated unless the EVM signature is immutable. 296 */ 297 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 298 const void *xattr_value, size_t xattr_value_len) 299 { 300 enum integrity_status evm_status; 301 302 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 303 if (!capable(CAP_SYS_ADMIN)) 304 return -EPERM; 305 } else if (!evm_protected_xattr(xattr_name)) { 306 if (!posix_xattr_acl(xattr_name)) 307 return 0; 308 evm_status = evm_verify_current_integrity(dentry); 309 if ((evm_status == INTEGRITY_PASS) || 310 (evm_status == INTEGRITY_NOXATTRS)) 311 return 0; 312 goto out; 313 } 314 315 evm_status = evm_verify_current_integrity(dentry); 316 if (evm_status == INTEGRITY_NOXATTRS) { 317 struct integrity_iint_cache *iint; 318 319 iint = integrity_iint_find(d_backing_inode(dentry)); 320 if (iint && (iint->flags & IMA_NEW_FILE)) 321 return 0; 322 323 /* exception for pseudo filesystems */ 324 if (dentry->d_sb->s_magic == TMPFS_MAGIC 325 || dentry->d_sb->s_magic == SYSFS_MAGIC) 326 return 0; 327 328 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 329 dentry->d_inode, dentry->d_name.name, 330 "update_metadata", 331 integrity_status_msg[evm_status], 332 -EPERM, 0); 333 } 334 out: 335 if (evm_status != INTEGRITY_PASS) 336 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 337 dentry->d_name.name, "appraise_metadata", 338 integrity_status_msg[evm_status], 339 -EPERM, 0); 340 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 341 } 342 343 /** 344 * evm_inode_setxattr - protect the EVM extended attribute 345 * @dentry: pointer to the affected dentry 346 * @xattr_name: pointer to the affected extended attribute name 347 * @xattr_value: pointer to the new extended attribute value 348 * @xattr_value_len: pointer to the new extended attribute value length 349 * 350 * Before allowing the 'security.evm' protected xattr to be updated, 351 * verify the existing value is valid. As only the kernel should have 352 * access to the EVM encrypted key needed to calculate the HMAC, prevent 353 * userspace from writing HMAC value. Writing 'security.evm' requires 354 * requires CAP_SYS_ADMIN privileges. 355 */ 356 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 357 const void *xattr_value, size_t xattr_value_len) 358 { 359 const struct evm_ima_xattr_data *xattr_data = xattr_value; 360 361 /* Policy permits modification of the protected xattrs even though 362 * there's no HMAC key loaded 363 */ 364 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 365 return 0; 366 367 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 368 if (!xattr_value_len) 369 return -EINVAL; 370 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 371 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 372 return -EPERM; 373 } 374 return evm_protect_xattr(dentry, xattr_name, xattr_value, 375 xattr_value_len); 376 } 377 378 /** 379 * evm_inode_removexattr - protect the EVM extended attribute 380 * @dentry: pointer to the affected dentry 381 * @xattr_name: pointer to the affected extended attribute name 382 * 383 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 384 * the current value is valid. 385 */ 386 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 387 { 388 /* Policy permits modification of the protected xattrs even though 389 * there's no HMAC key loaded 390 */ 391 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 392 return 0; 393 394 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 395 } 396 397 static void evm_reset_status(struct inode *inode) 398 { 399 struct integrity_iint_cache *iint; 400 401 iint = integrity_iint_find(inode); 402 if (iint) 403 iint->evm_status = INTEGRITY_UNKNOWN; 404 } 405 406 /** 407 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 408 * @dentry: pointer to the affected dentry 409 * @xattr_name: pointer to the affected extended attribute name 410 * @xattr_value: pointer to the new extended attribute value 411 * @xattr_value_len: pointer to the new extended attribute value length 412 * 413 * Update the HMAC stored in 'security.evm' to reflect the change. 414 * 415 * No need to take the i_mutex lock here, as this function is called from 416 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 417 * i_mutex lock. 418 */ 419 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 420 const void *xattr_value, size_t xattr_value_len) 421 { 422 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 423 && !posix_xattr_acl(xattr_name))) 424 return; 425 426 evm_reset_status(dentry->d_inode); 427 428 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 429 } 430 431 /** 432 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 433 * @dentry: pointer to the affected dentry 434 * @xattr_name: pointer to the affected extended attribute name 435 * 436 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 437 * 438 * No need to take the i_mutex lock here, as this function is called from 439 * vfs_removexattr() which takes the i_mutex. 440 */ 441 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 442 { 443 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 444 return; 445 446 evm_reset_status(dentry->d_inode); 447 448 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 449 } 450 451 /** 452 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 453 * @dentry: pointer to the affected dentry 454 * 455 * Permit update of file attributes when files have a valid EVM signature, 456 * except in the case of them having an immutable portable signature. 457 */ 458 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 459 { 460 unsigned int ia_valid = attr->ia_valid; 461 enum integrity_status evm_status; 462 463 /* Policy permits modification of the protected attrs even though 464 * there's no HMAC key loaded 465 */ 466 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 467 return 0; 468 469 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 470 return 0; 471 evm_status = evm_verify_current_integrity(dentry); 472 if ((evm_status == INTEGRITY_PASS) || 473 (evm_status == INTEGRITY_NOXATTRS)) 474 return 0; 475 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 476 dentry->d_name.name, "appraise_metadata", 477 integrity_status_msg[evm_status], -EPERM, 0); 478 return -EPERM; 479 } 480 481 /** 482 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 483 * @dentry: pointer to the affected dentry 484 * @ia_valid: for the UID and GID status 485 * 486 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 487 * changes. 488 * 489 * This function is called from notify_change(), which expects the caller 490 * to lock the inode's i_mutex. 491 */ 492 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 493 { 494 if (!evm_key_loaded()) 495 return; 496 497 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 498 evm_update_evmxattr(dentry, NULL, NULL, 0); 499 } 500 501 /* 502 * evm_inode_init_security - initializes security.evm 503 */ 504 int evm_inode_init_security(struct inode *inode, 505 const struct xattr *lsm_xattr, 506 struct xattr *evm_xattr) 507 { 508 struct evm_ima_xattr_data *xattr_data; 509 int rc; 510 511 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) 512 return 0; 513 514 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 515 if (!xattr_data) 516 return -ENOMEM; 517 518 xattr_data->type = EVM_XATTR_HMAC; 519 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 520 if (rc < 0) 521 goto out; 522 523 evm_xattr->value = xattr_data; 524 evm_xattr->value_len = sizeof(*xattr_data); 525 evm_xattr->name = XATTR_EVM_SUFFIX; 526 return 0; 527 out: 528 kfree(xattr_data); 529 return rc; 530 } 531 EXPORT_SYMBOL_GPL(evm_inode_init_security); 532 533 #ifdef CONFIG_EVM_LOAD_X509 534 void __init evm_load_x509(void) 535 { 536 int rc; 537 538 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 539 if (!rc) 540 evm_initialized |= EVM_INIT_X509; 541 } 542 #endif 543 544 static int __init init_evm(void) 545 { 546 int error; 547 548 evm_init_config(); 549 550 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 551 if (error) 552 return error; 553 554 error = evm_init_secfs(); 555 if (error < 0) { 556 pr_info("Error registering secfs\n"); 557 return error; 558 } 559 560 return 0; 561 } 562 563 /* 564 * evm_display_config - list the EVM protected security extended attributes 565 */ 566 static int __init evm_display_config(void) 567 { 568 char **xattrname; 569 570 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) 571 pr_info("%s\n", *xattrname); 572 return 0; 573 } 574 575 pure_initcall(evm_display_config); 576 late_initcall(init_evm); 577 578 MODULE_DESCRIPTION("Extended Verification Module"); 579 MODULE_LICENSE("GPL"); 580