1 /* 2 * Copyright (C) 2005-2010 IBM Corporation 3 * 4 * Author: 5 * Mimi Zohar <zohar@us.ibm.com> 6 * Kylene Hall <kjhall@us.ibm.com> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation, version 2 of the License. 11 * 12 * File: evm_main.c 13 * implements evm_inode_setxattr, evm_inode_post_setxattr, 14 * evm_inode_removexattr, and evm_verifyxattr 15 */ 16 17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 18 19 #include <linux/module.h> 20 #include <linux/crypto.h> 21 #include <linux/audit.h> 22 #include <linux/xattr.h> 23 #include <linux/integrity.h> 24 #include <linux/evm.h> 25 #include <linux/magic.h> 26 27 #include <crypto/hash.h> 28 #include <crypto/algapi.h> 29 #include "evm.h" 30 31 int evm_initialized; 32 33 static char *integrity_status_msg[] = { 34 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 35 }; 36 char *evm_hmac = "hmac(sha1)"; 37 char *evm_hash = "sha1"; 38 int evm_hmac_attrs; 39 40 char *evm_config_xattrnames[] = { 41 #ifdef CONFIG_SECURITY_SELINUX 42 XATTR_NAME_SELINUX, 43 #endif 44 #ifdef CONFIG_SECURITY_SMACK 45 XATTR_NAME_SMACK, 46 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 47 XATTR_NAME_SMACKEXEC, 48 XATTR_NAME_SMACKTRANSMUTE, 49 XATTR_NAME_SMACKMMAP, 50 #endif 51 #endif 52 #ifdef CONFIG_SECURITY_APPARMOR 53 XATTR_NAME_APPARMOR, 54 #endif 55 #ifdef CONFIG_IMA_APPRAISE 56 XATTR_NAME_IMA, 57 #endif 58 XATTR_NAME_CAPS, 59 NULL 60 }; 61 62 static int evm_fixmode; 63 static int __init evm_set_fixmode(char *str) 64 { 65 if (strncmp(str, "fix", 3) == 0) 66 evm_fixmode = 1; 67 return 0; 68 } 69 __setup("evm=", evm_set_fixmode); 70 71 static void __init evm_init_config(void) 72 { 73 #ifdef CONFIG_EVM_ATTR_FSUUID 74 evm_hmac_attrs |= EVM_ATTR_FSUUID; 75 #endif 76 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 77 } 78 79 static bool evm_key_loaded(void) 80 { 81 return (bool)(evm_initialized & EVM_KEY_MASK); 82 } 83 84 static int evm_find_protected_xattrs(struct dentry *dentry) 85 { 86 struct inode *inode = d_backing_inode(dentry); 87 char **xattr; 88 int error; 89 int count = 0; 90 91 if (!(inode->i_opflags & IOP_XATTR)) 92 return -EOPNOTSUPP; 93 94 for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) { 95 error = __vfs_getxattr(dentry, inode, *xattr, NULL, 0); 96 if (error < 0) { 97 if (error == -ENODATA) 98 continue; 99 return error; 100 } 101 count++; 102 } 103 104 return count; 105 } 106 107 /* 108 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 109 * 110 * Compute the HMAC on the dentry's protected set of extended attributes 111 * and compare it against the stored security.evm xattr. 112 * 113 * For performance: 114 * - use the previoulsy retrieved xattr value and length to calculate the 115 * HMAC.) 116 * - cache the verification result in the iint, when available. 117 * 118 * Returns integrity status 119 */ 120 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 121 const char *xattr_name, 122 char *xattr_value, 123 size_t xattr_value_len, 124 struct integrity_iint_cache *iint) 125 { 126 struct evm_ima_xattr_data *xattr_data = NULL; 127 struct evm_ima_xattr_data calc; 128 enum integrity_status evm_status = INTEGRITY_PASS; 129 int rc, xattr_len; 130 131 if (iint && (iint->evm_status == INTEGRITY_PASS || 132 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 133 return iint->evm_status; 134 135 /* if status is not PASS, try to check again - against -ENOMEM */ 136 137 /* first need to know the sig type */ 138 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 139 GFP_NOFS); 140 if (rc <= 0) { 141 evm_status = INTEGRITY_FAIL; 142 if (rc == -ENODATA) { 143 rc = evm_find_protected_xattrs(dentry); 144 if (rc > 0) 145 evm_status = INTEGRITY_NOLABEL; 146 else if (rc == 0) 147 evm_status = INTEGRITY_NOXATTRS; /* new file */ 148 } else if (rc == -EOPNOTSUPP) { 149 evm_status = INTEGRITY_UNKNOWN; 150 } 151 goto out; 152 } 153 154 xattr_len = rc; 155 156 /* check value type */ 157 switch (xattr_data->type) { 158 case EVM_XATTR_HMAC: 159 if (xattr_len != sizeof(struct evm_ima_xattr_data)) { 160 evm_status = INTEGRITY_FAIL; 161 goto out; 162 } 163 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 164 xattr_value_len, calc.digest); 165 if (rc) 166 break; 167 rc = crypto_memneq(xattr_data->digest, calc.digest, 168 sizeof(calc.digest)); 169 if (rc) 170 rc = -EINVAL; 171 break; 172 case EVM_IMA_XATTR_DIGSIG: 173 case EVM_XATTR_PORTABLE_DIGSIG: 174 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 175 xattr_value_len, xattr_data->type, 176 calc.digest); 177 if (rc) 178 break; 179 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 180 (const char *)xattr_data, xattr_len, 181 calc.digest, sizeof(calc.digest)); 182 if (!rc) { 183 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 184 if (iint) 185 iint->flags |= EVM_IMMUTABLE_DIGSIG; 186 evm_status = INTEGRITY_PASS_IMMUTABLE; 187 } else if (!IS_RDONLY(d_backing_inode(dentry)) && 188 !IS_IMMUTABLE(d_backing_inode(dentry))) { 189 evm_update_evmxattr(dentry, xattr_name, 190 xattr_value, 191 xattr_value_len); 192 } 193 } 194 break; 195 default: 196 rc = -EINVAL; 197 break; 198 } 199 200 if (rc) 201 evm_status = (rc == -ENODATA) ? 202 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 203 out: 204 if (iint) 205 iint->evm_status = evm_status; 206 kfree(xattr_data); 207 return evm_status; 208 } 209 210 static int evm_protected_xattr(const char *req_xattr_name) 211 { 212 char **xattrname; 213 int namelen; 214 int found = 0; 215 216 namelen = strlen(req_xattr_name); 217 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { 218 if ((strlen(*xattrname) == namelen) 219 && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) { 220 found = 1; 221 break; 222 } 223 if (strncmp(req_xattr_name, 224 *xattrname + XATTR_SECURITY_PREFIX_LEN, 225 strlen(req_xattr_name)) == 0) { 226 found = 1; 227 break; 228 } 229 } 230 return found; 231 } 232 233 /** 234 * evm_verifyxattr - verify the integrity of the requested xattr 235 * @dentry: object of the verify xattr 236 * @xattr_name: requested xattr 237 * @xattr_value: requested xattr value 238 * @xattr_value_len: requested xattr value length 239 * 240 * Calculate the HMAC for the given dentry and verify it against the stored 241 * security.evm xattr. For performance, use the xattr value and length 242 * previously retrieved to calculate the HMAC. 243 * 244 * Returns the xattr integrity status. 245 * 246 * This function requires the caller to lock the inode's i_mutex before it 247 * is executed. 248 */ 249 enum integrity_status evm_verifyxattr(struct dentry *dentry, 250 const char *xattr_name, 251 void *xattr_value, size_t xattr_value_len, 252 struct integrity_iint_cache *iint) 253 { 254 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 255 return INTEGRITY_UNKNOWN; 256 257 if (!iint) { 258 iint = integrity_iint_find(d_backing_inode(dentry)); 259 if (!iint) 260 return INTEGRITY_UNKNOWN; 261 } 262 return evm_verify_hmac(dentry, xattr_name, xattr_value, 263 xattr_value_len, iint); 264 } 265 EXPORT_SYMBOL_GPL(evm_verifyxattr); 266 267 /* 268 * evm_verify_current_integrity - verify the dentry's metadata integrity 269 * @dentry: pointer to the affected dentry 270 * 271 * Verify and return the dentry's metadata integrity. The exceptions are 272 * before EVM is initialized or in 'fix' mode. 273 */ 274 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 275 { 276 struct inode *inode = d_backing_inode(dentry); 277 278 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 279 return 0; 280 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 281 } 282 283 /* 284 * evm_protect_xattr - protect the EVM extended attribute 285 * 286 * Prevent security.evm from being modified or removed without the 287 * necessary permissions or when the existing value is invalid. 288 * 289 * The posix xattr acls are 'system' prefixed, which normally would not 290 * affect security.evm. An interesting side affect of writing posix xattr 291 * acls is their modifying of the i_mode, which is included in security.evm. 292 * For posix xattr acls only, permit security.evm, even if it currently 293 * doesn't exist, to be updated unless the EVM signature is immutable. 294 */ 295 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 296 const void *xattr_value, size_t xattr_value_len) 297 { 298 enum integrity_status evm_status; 299 300 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 301 if (!capable(CAP_SYS_ADMIN)) 302 return -EPERM; 303 } else if (!evm_protected_xattr(xattr_name)) { 304 if (!posix_xattr_acl(xattr_name)) 305 return 0; 306 evm_status = evm_verify_current_integrity(dentry); 307 if ((evm_status == INTEGRITY_PASS) || 308 (evm_status == INTEGRITY_NOXATTRS)) 309 return 0; 310 goto out; 311 } 312 313 evm_status = evm_verify_current_integrity(dentry); 314 if (evm_status == INTEGRITY_NOXATTRS) { 315 struct integrity_iint_cache *iint; 316 317 iint = integrity_iint_find(d_backing_inode(dentry)); 318 if (iint && (iint->flags & IMA_NEW_FILE)) 319 return 0; 320 321 /* exception for pseudo filesystems */ 322 if (dentry->d_sb->s_magic == TMPFS_MAGIC 323 || dentry->d_sb->s_magic == SYSFS_MAGIC) 324 return 0; 325 326 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 327 dentry->d_inode, dentry->d_name.name, 328 "update_metadata", 329 integrity_status_msg[evm_status], 330 -EPERM, 0); 331 } 332 out: 333 if (evm_status != INTEGRITY_PASS) 334 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 335 dentry->d_name.name, "appraise_metadata", 336 integrity_status_msg[evm_status], 337 -EPERM, 0); 338 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 339 } 340 341 /** 342 * evm_inode_setxattr - protect the EVM extended attribute 343 * @dentry: pointer to the affected dentry 344 * @xattr_name: pointer to the affected extended attribute name 345 * @xattr_value: pointer to the new extended attribute value 346 * @xattr_value_len: pointer to the new extended attribute value length 347 * 348 * Before allowing the 'security.evm' protected xattr to be updated, 349 * verify the existing value is valid. As only the kernel should have 350 * access to the EVM encrypted key needed to calculate the HMAC, prevent 351 * userspace from writing HMAC value. Writing 'security.evm' requires 352 * requires CAP_SYS_ADMIN privileges. 353 */ 354 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 355 const void *xattr_value, size_t xattr_value_len) 356 { 357 const struct evm_ima_xattr_data *xattr_data = xattr_value; 358 359 /* Policy permits modification of the protected xattrs even though 360 * there's no HMAC key loaded 361 */ 362 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 363 return 0; 364 365 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 366 if (!xattr_value_len) 367 return -EINVAL; 368 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 369 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 370 return -EPERM; 371 } 372 return evm_protect_xattr(dentry, xattr_name, xattr_value, 373 xattr_value_len); 374 } 375 376 /** 377 * evm_inode_removexattr - protect the EVM extended attribute 378 * @dentry: pointer to the affected dentry 379 * @xattr_name: pointer to the affected extended attribute name 380 * 381 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 382 * the current value is valid. 383 */ 384 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 385 { 386 /* Policy permits modification of the protected xattrs even though 387 * there's no HMAC key loaded 388 */ 389 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 390 return 0; 391 392 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 393 } 394 395 static void evm_reset_status(struct inode *inode) 396 { 397 struct integrity_iint_cache *iint; 398 399 iint = integrity_iint_find(inode); 400 if (iint) 401 iint->evm_status = INTEGRITY_UNKNOWN; 402 } 403 404 /** 405 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 406 * @dentry: pointer to the affected dentry 407 * @xattr_name: pointer to the affected extended attribute name 408 * @xattr_value: pointer to the new extended attribute value 409 * @xattr_value_len: pointer to the new extended attribute value length 410 * 411 * Update the HMAC stored in 'security.evm' to reflect the change. 412 * 413 * No need to take the i_mutex lock here, as this function is called from 414 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 415 * i_mutex lock. 416 */ 417 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 418 const void *xattr_value, size_t xattr_value_len) 419 { 420 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 421 && !posix_xattr_acl(xattr_name))) 422 return; 423 424 evm_reset_status(dentry->d_inode); 425 426 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 427 } 428 429 /** 430 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 431 * @dentry: pointer to the affected dentry 432 * @xattr_name: pointer to the affected extended attribute name 433 * 434 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 435 * 436 * No need to take the i_mutex lock here, as this function is called from 437 * vfs_removexattr() which takes the i_mutex. 438 */ 439 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 440 { 441 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 442 return; 443 444 evm_reset_status(dentry->d_inode); 445 446 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 447 } 448 449 /** 450 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 451 * @dentry: pointer to the affected dentry 452 * 453 * Permit update of file attributes when files have a valid EVM signature, 454 * except in the case of them having an immutable portable signature. 455 */ 456 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 457 { 458 unsigned int ia_valid = attr->ia_valid; 459 enum integrity_status evm_status; 460 461 /* Policy permits modification of the protected attrs even though 462 * there's no HMAC key loaded 463 */ 464 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 465 return 0; 466 467 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 468 return 0; 469 evm_status = evm_verify_current_integrity(dentry); 470 if ((evm_status == INTEGRITY_PASS) || 471 (evm_status == INTEGRITY_NOXATTRS)) 472 return 0; 473 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 474 dentry->d_name.name, "appraise_metadata", 475 integrity_status_msg[evm_status], -EPERM, 0); 476 return -EPERM; 477 } 478 479 /** 480 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 481 * @dentry: pointer to the affected dentry 482 * @ia_valid: for the UID and GID status 483 * 484 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 485 * changes. 486 * 487 * This function is called from notify_change(), which expects the caller 488 * to lock the inode's i_mutex. 489 */ 490 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 491 { 492 if (!evm_key_loaded()) 493 return; 494 495 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 496 evm_update_evmxattr(dentry, NULL, NULL, 0); 497 } 498 499 /* 500 * evm_inode_init_security - initializes security.evm 501 */ 502 int evm_inode_init_security(struct inode *inode, 503 const struct xattr *lsm_xattr, 504 struct xattr *evm_xattr) 505 { 506 struct evm_ima_xattr_data *xattr_data; 507 int rc; 508 509 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) 510 return 0; 511 512 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 513 if (!xattr_data) 514 return -ENOMEM; 515 516 xattr_data->type = EVM_XATTR_HMAC; 517 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 518 if (rc < 0) 519 goto out; 520 521 evm_xattr->value = xattr_data; 522 evm_xattr->value_len = sizeof(*xattr_data); 523 evm_xattr->name = XATTR_EVM_SUFFIX; 524 return 0; 525 out: 526 kfree(xattr_data); 527 return rc; 528 } 529 EXPORT_SYMBOL_GPL(evm_inode_init_security); 530 531 #ifdef CONFIG_EVM_LOAD_X509 532 void __init evm_load_x509(void) 533 { 534 int rc; 535 536 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 537 if (!rc) 538 evm_initialized |= EVM_INIT_X509; 539 } 540 #endif 541 542 static int __init init_evm(void) 543 { 544 int error; 545 546 evm_init_config(); 547 548 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 549 if (error) 550 return error; 551 552 error = evm_init_secfs(); 553 if (error < 0) { 554 pr_info("Error registering secfs\n"); 555 return error; 556 } 557 558 return 0; 559 } 560 561 /* 562 * evm_display_config - list the EVM protected security extended attributes 563 */ 564 static int __init evm_display_config(void) 565 { 566 char **xattrname; 567 568 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) 569 pr_info("%s\n", *xattrname); 570 return 0; 571 } 572 573 pure_initcall(evm_display_config); 574 late_initcall(init_evm); 575 576 MODULE_DESCRIPTION("Extended Verification Module"); 577 MODULE_LICENSE("GPL"); 578