1 /* 2 * Copyright (C) 2005-2010 IBM Corporation 3 * 4 * Author: 5 * Mimi Zohar <zohar@us.ibm.com> 6 * Kylene Hall <kjhall@us.ibm.com> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation, version 2 of the License. 11 * 12 * File: evm_main.c 13 * implements evm_inode_setxattr, evm_inode_post_setxattr, 14 * evm_inode_removexattr, and evm_verifyxattr 15 */ 16 17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 18 19 #include <linux/init.h> 20 #include <linux/crypto.h> 21 #include <linux/audit.h> 22 #include <linux/xattr.h> 23 #include <linux/integrity.h> 24 #include <linux/evm.h> 25 #include <linux/magic.h> 26 27 #include <crypto/hash.h> 28 #include <crypto/hash_info.h> 29 #include <crypto/algapi.h> 30 #include "evm.h" 31 32 int evm_initialized; 33 34 static const char * const integrity_status_msg[] = { 35 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 36 }; 37 int evm_hmac_attrs; 38 39 static struct xattr_list evm_config_default_xattrnames[] = { 40 #ifdef CONFIG_SECURITY_SELINUX 41 {.name = XATTR_NAME_SELINUX}, 42 #endif 43 #ifdef CONFIG_SECURITY_SMACK 44 {.name = XATTR_NAME_SMACK}, 45 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 46 {.name = XATTR_NAME_SMACKEXEC}, 47 {.name = XATTR_NAME_SMACKTRANSMUTE}, 48 {.name = XATTR_NAME_SMACKMMAP}, 49 #endif 50 #endif 51 #ifdef CONFIG_SECURITY_APPARMOR 52 {.name = XATTR_NAME_APPARMOR}, 53 #endif 54 #ifdef CONFIG_IMA_APPRAISE 55 {.name = XATTR_NAME_IMA}, 56 #endif 57 {.name = XATTR_NAME_CAPS}, 58 }; 59 60 LIST_HEAD(evm_config_xattrnames); 61 62 static int evm_fixmode; 63 static int __init evm_set_fixmode(char *str) 64 { 65 if (strncmp(str, "fix", 3) == 0) 66 evm_fixmode = 1; 67 return 0; 68 } 69 __setup("evm=", evm_set_fixmode); 70 71 static void __init evm_init_config(void) 72 { 73 int i, xattrs; 74 75 xattrs = ARRAY_SIZE(evm_config_default_xattrnames); 76 77 pr_info("Initialising EVM extended attributes:\n"); 78 for (i = 0; i < xattrs; i++) { 79 pr_info("%s\n", evm_config_default_xattrnames[i].name); 80 list_add_tail(&evm_config_default_xattrnames[i].list, 81 &evm_config_xattrnames); 82 } 83 84 #ifdef CONFIG_EVM_ATTR_FSUUID 85 evm_hmac_attrs |= EVM_ATTR_FSUUID; 86 #endif 87 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 88 } 89 90 static bool evm_key_loaded(void) 91 { 92 return (bool)(evm_initialized & EVM_KEY_MASK); 93 } 94 95 static int evm_find_protected_xattrs(struct dentry *dentry) 96 { 97 struct inode *inode = d_backing_inode(dentry); 98 struct xattr_list *xattr; 99 int error; 100 int count = 0; 101 102 if (!(inode->i_opflags & IOP_XATTR)) 103 return -EOPNOTSUPP; 104 105 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { 106 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); 107 if (error < 0) { 108 if (error == -ENODATA) 109 continue; 110 return error; 111 } 112 count++; 113 } 114 115 return count; 116 } 117 118 /* 119 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 120 * 121 * Compute the HMAC on the dentry's protected set of extended attributes 122 * and compare it against the stored security.evm xattr. 123 * 124 * For performance: 125 * - use the previoulsy retrieved xattr value and length to calculate the 126 * HMAC.) 127 * - cache the verification result in the iint, when available. 128 * 129 * Returns integrity status 130 */ 131 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 132 const char *xattr_name, 133 char *xattr_value, 134 size_t xattr_value_len, 135 struct integrity_iint_cache *iint) 136 { 137 struct evm_ima_xattr_data *xattr_data = NULL; 138 struct signature_v2_hdr *hdr; 139 enum integrity_status evm_status = INTEGRITY_PASS; 140 struct evm_digest digest; 141 struct inode *inode; 142 int rc, xattr_len; 143 144 if (iint && (iint->evm_status == INTEGRITY_PASS || 145 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 146 return iint->evm_status; 147 148 /* if status is not PASS, try to check again - against -ENOMEM */ 149 150 /* first need to know the sig type */ 151 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 152 GFP_NOFS); 153 if (rc <= 0) { 154 evm_status = INTEGRITY_FAIL; 155 if (rc == -ENODATA) { 156 rc = evm_find_protected_xattrs(dentry); 157 if (rc > 0) 158 evm_status = INTEGRITY_NOLABEL; 159 else if (rc == 0) 160 evm_status = INTEGRITY_NOXATTRS; /* new file */ 161 } else if (rc == -EOPNOTSUPP) { 162 evm_status = INTEGRITY_UNKNOWN; 163 } 164 goto out; 165 } 166 167 xattr_len = rc; 168 169 /* check value type */ 170 switch (xattr_data->type) { 171 case EVM_XATTR_HMAC: 172 if (xattr_len != sizeof(struct evm_ima_xattr_data)) { 173 evm_status = INTEGRITY_FAIL; 174 goto out; 175 } 176 177 digest.hdr.algo = HASH_ALGO_SHA1; 178 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 179 xattr_value_len, &digest); 180 if (rc) 181 break; 182 rc = crypto_memneq(xattr_data->digest, digest.digest, 183 SHA1_DIGEST_SIZE); 184 if (rc) 185 rc = -EINVAL; 186 break; 187 case EVM_IMA_XATTR_DIGSIG: 188 case EVM_XATTR_PORTABLE_DIGSIG: 189 hdr = (struct signature_v2_hdr *)xattr_data; 190 digest.hdr.algo = hdr->hash_algo; 191 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 192 xattr_value_len, xattr_data->type, &digest); 193 if (rc) 194 break; 195 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 196 (const char *)xattr_data, xattr_len, 197 digest.digest, digest.hdr.length); 198 if (!rc) { 199 inode = d_backing_inode(dentry); 200 201 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 202 if (iint) 203 iint->flags |= EVM_IMMUTABLE_DIGSIG; 204 evm_status = INTEGRITY_PASS_IMMUTABLE; 205 } else if (!IS_RDONLY(inode) && 206 !(inode->i_sb->s_readonly_remount) && 207 !IS_IMMUTABLE(inode)) { 208 evm_update_evmxattr(dentry, xattr_name, 209 xattr_value, 210 xattr_value_len); 211 } 212 } 213 break; 214 default: 215 rc = -EINVAL; 216 break; 217 } 218 219 if (rc) 220 evm_status = (rc == -ENODATA) ? 221 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 222 out: 223 if (iint) 224 iint->evm_status = evm_status; 225 kfree(xattr_data); 226 return evm_status; 227 } 228 229 static int evm_protected_xattr(const char *req_xattr_name) 230 { 231 int namelen; 232 int found = 0; 233 struct xattr_list *xattr; 234 235 namelen = strlen(req_xattr_name); 236 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { 237 if ((strlen(xattr->name) == namelen) 238 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { 239 found = 1; 240 break; 241 } 242 if (strncmp(req_xattr_name, 243 xattr->name + XATTR_SECURITY_PREFIX_LEN, 244 strlen(req_xattr_name)) == 0) { 245 found = 1; 246 break; 247 } 248 } 249 250 return found; 251 } 252 253 /** 254 * evm_verifyxattr - verify the integrity of the requested xattr 255 * @dentry: object of the verify xattr 256 * @xattr_name: requested xattr 257 * @xattr_value: requested xattr value 258 * @xattr_value_len: requested xattr value length 259 * 260 * Calculate the HMAC for the given dentry and verify it against the stored 261 * security.evm xattr. For performance, use the xattr value and length 262 * previously retrieved to calculate the HMAC. 263 * 264 * Returns the xattr integrity status. 265 * 266 * This function requires the caller to lock the inode's i_mutex before it 267 * is executed. 268 */ 269 enum integrity_status evm_verifyxattr(struct dentry *dentry, 270 const char *xattr_name, 271 void *xattr_value, size_t xattr_value_len, 272 struct integrity_iint_cache *iint) 273 { 274 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 275 return INTEGRITY_UNKNOWN; 276 277 if (!iint) { 278 iint = integrity_iint_find(d_backing_inode(dentry)); 279 if (!iint) 280 return INTEGRITY_UNKNOWN; 281 } 282 return evm_verify_hmac(dentry, xattr_name, xattr_value, 283 xattr_value_len, iint); 284 } 285 EXPORT_SYMBOL_GPL(evm_verifyxattr); 286 287 /* 288 * evm_verify_current_integrity - verify the dentry's metadata integrity 289 * @dentry: pointer to the affected dentry 290 * 291 * Verify and return the dentry's metadata integrity. The exceptions are 292 * before EVM is initialized or in 'fix' mode. 293 */ 294 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 295 { 296 struct inode *inode = d_backing_inode(dentry); 297 298 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 299 return 0; 300 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 301 } 302 303 /* 304 * evm_protect_xattr - protect the EVM extended attribute 305 * 306 * Prevent security.evm from being modified or removed without the 307 * necessary permissions or when the existing value is invalid. 308 * 309 * The posix xattr acls are 'system' prefixed, which normally would not 310 * affect security.evm. An interesting side affect of writing posix xattr 311 * acls is their modifying of the i_mode, which is included in security.evm. 312 * For posix xattr acls only, permit security.evm, even if it currently 313 * doesn't exist, to be updated unless the EVM signature is immutable. 314 */ 315 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 316 const void *xattr_value, size_t xattr_value_len) 317 { 318 enum integrity_status evm_status; 319 320 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 321 if (!capable(CAP_SYS_ADMIN)) 322 return -EPERM; 323 } else if (!evm_protected_xattr(xattr_name)) { 324 if (!posix_xattr_acl(xattr_name)) 325 return 0; 326 evm_status = evm_verify_current_integrity(dentry); 327 if ((evm_status == INTEGRITY_PASS) || 328 (evm_status == INTEGRITY_NOXATTRS)) 329 return 0; 330 goto out; 331 } 332 333 evm_status = evm_verify_current_integrity(dentry); 334 if (evm_status == INTEGRITY_NOXATTRS) { 335 struct integrity_iint_cache *iint; 336 337 iint = integrity_iint_find(d_backing_inode(dentry)); 338 if (iint && (iint->flags & IMA_NEW_FILE)) 339 return 0; 340 341 /* exception for pseudo filesystems */ 342 if (dentry->d_sb->s_magic == TMPFS_MAGIC 343 || dentry->d_sb->s_magic == SYSFS_MAGIC) 344 return 0; 345 346 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 347 dentry->d_inode, dentry->d_name.name, 348 "update_metadata", 349 integrity_status_msg[evm_status], 350 -EPERM, 0); 351 } 352 out: 353 if (evm_status != INTEGRITY_PASS) 354 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 355 dentry->d_name.name, "appraise_metadata", 356 integrity_status_msg[evm_status], 357 -EPERM, 0); 358 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 359 } 360 361 /** 362 * evm_inode_setxattr - protect the EVM extended attribute 363 * @dentry: pointer to the affected dentry 364 * @xattr_name: pointer to the affected extended attribute name 365 * @xattr_value: pointer to the new extended attribute value 366 * @xattr_value_len: pointer to the new extended attribute value length 367 * 368 * Before allowing the 'security.evm' protected xattr to be updated, 369 * verify the existing value is valid. As only the kernel should have 370 * access to the EVM encrypted key needed to calculate the HMAC, prevent 371 * userspace from writing HMAC value. Writing 'security.evm' requires 372 * requires CAP_SYS_ADMIN privileges. 373 */ 374 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 375 const void *xattr_value, size_t xattr_value_len) 376 { 377 const struct evm_ima_xattr_data *xattr_data = xattr_value; 378 379 /* Policy permits modification of the protected xattrs even though 380 * there's no HMAC key loaded 381 */ 382 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 383 return 0; 384 385 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 386 if (!xattr_value_len) 387 return -EINVAL; 388 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 389 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 390 return -EPERM; 391 } 392 return evm_protect_xattr(dentry, xattr_name, xattr_value, 393 xattr_value_len); 394 } 395 396 /** 397 * evm_inode_removexattr - protect the EVM extended attribute 398 * @dentry: pointer to the affected dentry 399 * @xattr_name: pointer to the affected extended attribute name 400 * 401 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 402 * the current value is valid. 403 */ 404 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 405 { 406 /* Policy permits modification of the protected xattrs even though 407 * there's no HMAC key loaded 408 */ 409 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 410 return 0; 411 412 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 413 } 414 415 static void evm_reset_status(struct inode *inode) 416 { 417 struct integrity_iint_cache *iint; 418 419 iint = integrity_iint_find(inode); 420 if (iint) 421 iint->evm_status = INTEGRITY_UNKNOWN; 422 } 423 424 /** 425 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 426 * @dentry: pointer to the affected dentry 427 * @xattr_name: pointer to the affected extended attribute name 428 * @xattr_value: pointer to the new extended attribute value 429 * @xattr_value_len: pointer to the new extended attribute value length 430 * 431 * Update the HMAC stored in 'security.evm' to reflect the change. 432 * 433 * No need to take the i_mutex lock here, as this function is called from 434 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 435 * i_mutex lock. 436 */ 437 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 438 const void *xattr_value, size_t xattr_value_len) 439 { 440 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 441 && !posix_xattr_acl(xattr_name))) 442 return; 443 444 evm_reset_status(dentry->d_inode); 445 446 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 447 } 448 449 /** 450 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 451 * @dentry: pointer to the affected dentry 452 * @xattr_name: pointer to the affected extended attribute name 453 * 454 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 455 * 456 * No need to take the i_mutex lock here, as this function is called from 457 * vfs_removexattr() which takes the i_mutex. 458 */ 459 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 460 { 461 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 462 return; 463 464 evm_reset_status(dentry->d_inode); 465 466 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 467 } 468 469 /** 470 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 471 * @dentry: pointer to the affected dentry 472 * 473 * Permit update of file attributes when files have a valid EVM signature, 474 * except in the case of them having an immutable portable signature. 475 */ 476 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 477 { 478 unsigned int ia_valid = attr->ia_valid; 479 enum integrity_status evm_status; 480 481 /* Policy permits modification of the protected attrs even though 482 * there's no HMAC key loaded 483 */ 484 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 485 return 0; 486 487 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 488 return 0; 489 evm_status = evm_verify_current_integrity(dentry); 490 if ((evm_status == INTEGRITY_PASS) || 491 (evm_status == INTEGRITY_NOXATTRS)) 492 return 0; 493 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 494 dentry->d_name.name, "appraise_metadata", 495 integrity_status_msg[evm_status], -EPERM, 0); 496 return -EPERM; 497 } 498 499 /** 500 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 501 * @dentry: pointer to the affected dentry 502 * @ia_valid: for the UID and GID status 503 * 504 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 505 * changes. 506 * 507 * This function is called from notify_change(), which expects the caller 508 * to lock the inode's i_mutex. 509 */ 510 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 511 { 512 if (!evm_key_loaded()) 513 return; 514 515 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 516 evm_update_evmxattr(dentry, NULL, NULL, 0); 517 } 518 519 /* 520 * evm_inode_init_security - initializes security.evm 521 */ 522 int evm_inode_init_security(struct inode *inode, 523 const struct xattr *lsm_xattr, 524 struct xattr *evm_xattr) 525 { 526 struct evm_ima_xattr_data *xattr_data; 527 int rc; 528 529 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) 530 return 0; 531 532 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 533 if (!xattr_data) 534 return -ENOMEM; 535 536 xattr_data->type = EVM_XATTR_HMAC; 537 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 538 if (rc < 0) 539 goto out; 540 541 evm_xattr->value = xattr_data; 542 evm_xattr->value_len = sizeof(*xattr_data); 543 evm_xattr->name = XATTR_EVM_SUFFIX; 544 return 0; 545 out: 546 kfree(xattr_data); 547 return rc; 548 } 549 EXPORT_SYMBOL_GPL(evm_inode_init_security); 550 551 #ifdef CONFIG_EVM_LOAD_X509 552 void __init evm_load_x509(void) 553 { 554 int rc; 555 556 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 557 if (!rc) 558 evm_initialized |= EVM_INIT_X509; 559 } 560 #endif 561 562 static int __init init_evm(void) 563 { 564 int error; 565 struct list_head *pos, *q; 566 567 evm_init_config(); 568 569 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 570 if (error) 571 goto error; 572 573 error = evm_init_secfs(); 574 if (error < 0) { 575 pr_info("Error registering secfs\n"); 576 goto error; 577 } 578 579 error: 580 if (error != 0) { 581 if (!list_empty(&evm_config_xattrnames)) { 582 list_for_each_safe(pos, q, &evm_config_xattrnames) 583 list_del(pos); 584 } 585 } 586 587 return error; 588 } 589 590 late_initcall(init_evm); 591