1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2005-2010 IBM Corporation 4 * 5 * Author: 6 * Mimi Zohar <zohar@us.ibm.com> 7 * Kylene Hall <kjhall@us.ibm.com> 8 * 9 * File: evm_main.c 10 * implements evm_inode_setxattr, evm_inode_post_setxattr, 11 * evm_inode_removexattr, and evm_verifyxattr 12 */ 13 14 #define pr_fmt(fmt) "EVM: "fmt 15 16 #include <linux/init.h> 17 #include <linux/crypto.h> 18 #include <linux/audit.h> 19 #include <linux/xattr.h> 20 #include <linux/integrity.h> 21 #include <linux/evm.h> 22 #include <linux/magic.h> 23 #include <linux/posix_acl_xattr.h> 24 25 #include <crypto/hash.h> 26 #include <crypto/hash_info.h> 27 #include <crypto/algapi.h> 28 #include "evm.h" 29 30 int evm_initialized; 31 32 static const char * const integrity_status_msg[] = { 33 "pass", "pass_immutable", "fail", "fail_immutable", "no_label", 34 "no_xattrs", "unknown" 35 }; 36 int evm_hmac_attrs; 37 38 static struct xattr_list evm_config_default_xattrnames[] = { 39 {.name = XATTR_NAME_SELINUX, 40 #ifdef CONFIG_SECURITY_SELINUX 41 .enabled = true 42 #endif 43 }, 44 {.name = XATTR_NAME_SMACK, 45 #ifdef CONFIG_SECURITY_SMACK 46 .enabled = true 47 #endif 48 }, 49 {.name = XATTR_NAME_SMACKEXEC, 50 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 51 .enabled = true 52 #endif 53 }, 54 {.name = XATTR_NAME_SMACKTRANSMUTE, 55 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 56 .enabled = true 57 #endif 58 }, 59 {.name = XATTR_NAME_SMACKMMAP, 60 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 61 .enabled = true 62 #endif 63 }, 64 {.name = XATTR_NAME_APPARMOR, 65 #ifdef CONFIG_SECURITY_APPARMOR 66 .enabled = true 67 #endif 68 }, 69 {.name = XATTR_NAME_IMA, 70 #ifdef CONFIG_IMA_APPRAISE 71 .enabled = true 72 #endif 73 }, 74 {.name = XATTR_NAME_CAPS, 75 .enabled = true 76 }, 77 }; 78 79 LIST_HEAD(evm_config_xattrnames); 80 81 static int evm_fixmode __ro_after_init; 82 static int __init evm_set_fixmode(char *str) 83 { 84 if (strncmp(str, "fix", 3) == 0) 85 evm_fixmode = 1; 86 else 87 pr_err("invalid \"%s\" mode", str); 88 89 return 1; 90 } 91 __setup("evm=", evm_set_fixmode); 92 93 static void __init evm_init_config(void) 94 { 95 int i, xattrs; 96 97 xattrs = ARRAY_SIZE(evm_config_default_xattrnames); 98 99 pr_info("Initialising EVM extended attributes:\n"); 100 for (i = 0; i < xattrs; i++) { 101 pr_info("%s%s\n", evm_config_default_xattrnames[i].name, 102 !evm_config_default_xattrnames[i].enabled ? 103 " (disabled)" : ""); 104 list_add_tail(&evm_config_default_xattrnames[i].list, 105 &evm_config_xattrnames); 106 } 107 108 #ifdef CONFIG_EVM_ATTR_FSUUID 109 evm_hmac_attrs |= EVM_ATTR_FSUUID; 110 #endif 111 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 112 } 113 114 static bool evm_key_loaded(void) 115 { 116 return (bool)(evm_initialized & EVM_KEY_MASK); 117 } 118 119 /* 120 * This function determines whether or not it is safe to ignore verification 121 * errors, based on the ability of EVM to calculate HMACs. If the HMAC key 122 * is not loaded, and it cannot be loaded in the future due to the 123 * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the 124 * attrs/xattrs being found invalid will not make them valid. 125 */ 126 static bool evm_hmac_disabled(void) 127 { 128 if (evm_initialized & EVM_INIT_HMAC) 129 return false; 130 131 if (!(evm_initialized & EVM_SETUP_COMPLETE)) 132 return false; 133 134 return true; 135 } 136 137 static int evm_find_protected_xattrs(struct dentry *dentry) 138 { 139 struct inode *inode = d_backing_inode(dentry); 140 struct xattr_list *xattr; 141 int error; 142 int count = 0; 143 144 if (!(inode->i_opflags & IOP_XATTR)) 145 return -EOPNOTSUPP; 146 147 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 148 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); 149 if (error < 0) { 150 if (error == -ENODATA) 151 continue; 152 return error; 153 } 154 count++; 155 } 156 157 return count; 158 } 159 160 /* 161 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 162 * 163 * Compute the HMAC on the dentry's protected set of extended attributes 164 * and compare it against the stored security.evm xattr. 165 * 166 * For performance: 167 * - use the previoulsy retrieved xattr value and length to calculate the 168 * HMAC.) 169 * - cache the verification result in the iint, when available. 170 * 171 * Returns integrity status 172 */ 173 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 174 const char *xattr_name, 175 char *xattr_value, 176 size_t xattr_value_len, 177 struct integrity_iint_cache *iint) 178 { 179 struct evm_ima_xattr_data *xattr_data = NULL; 180 struct signature_v2_hdr *hdr; 181 enum integrity_status evm_status = INTEGRITY_PASS; 182 struct evm_digest digest; 183 struct inode *inode; 184 int rc, xattr_len, evm_immutable = 0; 185 186 if (iint && (iint->evm_status == INTEGRITY_PASS || 187 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 188 return iint->evm_status; 189 190 /* if status is not PASS, try to check again - against -ENOMEM */ 191 192 /* first need to know the sig type */ 193 rc = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_EVM, 194 (char **)&xattr_data, 0, GFP_NOFS); 195 if (rc <= 0) { 196 evm_status = INTEGRITY_FAIL; 197 if (rc == -ENODATA) { 198 rc = evm_find_protected_xattrs(dentry); 199 if (rc > 0) 200 evm_status = INTEGRITY_NOLABEL; 201 else if (rc == 0) 202 evm_status = INTEGRITY_NOXATTRS; /* new file */ 203 } else if (rc == -EOPNOTSUPP) { 204 evm_status = INTEGRITY_UNKNOWN; 205 } 206 goto out; 207 } 208 209 xattr_len = rc; 210 211 /* check value type */ 212 switch (xattr_data->type) { 213 case EVM_XATTR_HMAC: 214 if (xattr_len != sizeof(struct evm_xattr)) { 215 evm_status = INTEGRITY_FAIL; 216 goto out; 217 } 218 219 digest.hdr.algo = HASH_ALGO_SHA1; 220 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 221 xattr_value_len, &digest); 222 if (rc) 223 break; 224 rc = crypto_memneq(xattr_data->data, digest.digest, 225 SHA1_DIGEST_SIZE); 226 if (rc) 227 rc = -EINVAL; 228 break; 229 case EVM_XATTR_PORTABLE_DIGSIG: 230 evm_immutable = 1; 231 fallthrough; 232 case EVM_IMA_XATTR_DIGSIG: 233 /* accept xattr with non-empty signature field */ 234 if (xattr_len <= sizeof(struct signature_v2_hdr)) { 235 evm_status = INTEGRITY_FAIL; 236 goto out; 237 } 238 239 hdr = (struct signature_v2_hdr *)xattr_data; 240 digest.hdr.algo = hdr->hash_algo; 241 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 242 xattr_value_len, xattr_data->type, &digest); 243 if (rc) 244 break; 245 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 246 (const char *)xattr_data, xattr_len, 247 digest.digest, digest.hdr.length); 248 if (!rc) { 249 inode = d_backing_inode(dentry); 250 251 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 252 if (iint) 253 iint->flags |= EVM_IMMUTABLE_DIGSIG; 254 evm_status = INTEGRITY_PASS_IMMUTABLE; 255 } else if (!IS_RDONLY(inode) && 256 !(inode->i_sb->s_readonly_remount) && 257 !IS_IMMUTABLE(inode)) { 258 evm_update_evmxattr(dentry, xattr_name, 259 xattr_value, 260 xattr_value_len); 261 } 262 } 263 break; 264 default: 265 rc = -EINVAL; 266 break; 267 } 268 269 if (rc) { 270 if (rc == -ENODATA) 271 evm_status = INTEGRITY_NOXATTRS; 272 else if (evm_immutable) 273 evm_status = INTEGRITY_FAIL_IMMUTABLE; 274 else 275 evm_status = INTEGRITY_FAIL; 276 } 277 pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length, 278 digest.digest); 279 out: 280 if (iint) 281 iint->evm_status = evm_status; 282 kfree(xattr_data); 283 return evm_status; 284 } 285 286 static int evm_protected_xattr_common(const char *req_xattr_name, 287 bool all_xattrs) 288 { 289 int namelen; 290 int found = 0; 291 struct xattr_list *xattr; 292 293 namelen = strlen(req_xattr_name); 294 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 295 if (!all_xattrs && !xattr->enabled) 296 continue; 297 298 if ((strlen(xattr->name) == namelen) 299 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { 300 found = 1; 301 break; 302 } 303 if (strncmp(req_xattr_name, 304 xattr->name + XATTR_SECURITY_PREFIX_LEN, 305 strlen(req_xattr_name)) == 0) { 306 found = 1; 307 break; 308 } 309 } 310 311 return found; 312 } 313 314 static int evm_protected_xattr(const char *req_xattr_name) 315 { 316 return evm_protected_xattr_common(req_xattr_name, false); 317 } 318 319 int evm_protected_xattr_if_enabled(const char *req_xattr_name) 320 { 321 return evm_protected_xattr_common(req_xattr_name, true); 322 } 323 324 /** 325 * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values 326 * @dentry: dentry of the read xattrs 327 * @inode: inode of the read xattrs 328 * @buffer: buffer xattr names, lengths or values are copied to 329 * @buffer_size: size of buffer 330 * @type: n: names, l: lengths, v: values 331 * @canonical_fmt: data format (true: little endian, false: native format) 332 * 333 * Read protected xattr names (separated by |), lengths (u32) or values for a 334 * given dentry and return the total size of copied data. If buffer is NULL, 335 * just return the total size. 336 * 337 * Returns the total size on success, a negative value on error. 338 */ 339 int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, 340 int buffer_size, char type, bool canonical_fmt) 341 { 342 struct xattr_list *xattr; 343 int rc, size, total_size = 0; 344 345 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 346 rc = __vfs_getxattr(dentry, d_backing_inode(dentry), 347 xattr->name, NULL, 0); 348 if (rc < 0 && rc == -ENODATA) 349 continue; 350 else if (rc < 0) 351 return rc; 352 353 switch (type) { 354 case 'n': 355 size = strlen(xattr->name) + 1; 356 if (buffer) { 357 if (total_size) 358 *(buffer + total_size - 1) = '|'; 359 360 memcpy(buffer + total_size, xattr->name, size); 361 } 362 break; 363 case 'l': 364 size = sizeof(u32); 365 if (buffer) { 366 if (canonical_fmt) 367 rc = (__force int)cpu_to_le32(rc); 368 369 *(u32 *)(buffer + total_size) = rc; 370 } 371 break; 372 case 'v': 373 size = rc; 374 if (buffer) { 375 rc = __vfs_getxattr(dentry, 376 d_backing_inode(dentry), xattr->name, 377 buffer + total_size, 378 buffer_size - total_size); 379 if (rc < 0) 380 return rc; 381 } 382 break; 383 default: 384 return -EINVAL; 385 } 386 387 total_size += size; 388 } 389 390 return total_size; 391 } 392 393 /** 394 * evm_verifyxattr - verify the integrity of the requested xattr 395 * @dentry: object of the verify xattr 396 * @xattr_name: requested xattr 397 * @xattr_value: requested xattr value 398 * @xattr_value_len: requested xattr value length 399 * 400 * Calculate the HMAC for the given dentry and verify it against the stored 401 * security.evm xattr. For performance, use the xattr value and length 402 * previously retrieved to calculate the HMAC. 403 * 404 * Returns the xattr integrity status. 405 * 406 * This function requires the caller to lock the inode's i_mutex before it 407 * is executed. 408 */ 409 enum integrity_status evm_verifyxattr(struct dentry *dentry, 410 const char *xattr_name, 411 void *xattr_value, size_t xattr_value_len, 412 struct integrity_iint_cache *iint) 413 { 414 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 415 return INTEGRITY_UNKNOWN; 416 417 if (!iint) { 418 iint = integrity_iint_find(d_backing_inode(dentry)); 419 if (!iint) 420 return INTEGRITY_UNKNOWN; 421 } 422 return evm_verify_hmac(dentry, xattr_name, xattr_value, 423 xattr_value_len, iint); 424 } 425 EXPORT_SYMBOL_GPL(evm_verifyxattr); 426 427 /* 428 * evm_verify_current_integrity - verify the dentry's metadata integrity 429 * @dentry: pointer to the affected dentry 430 * 431 * Verify and return the dentry's metadata integrity. The exceptions are 432 * before EVM is initialized or in 'fix' mode. 433 */ 434 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 435 { 436 struct inode *inode = d_backing_inode(dentry); 437 438 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 439 return INTEGRITY_PASS; 440 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 441 } 442 443 /* 444 * evm_xattr_acl_change - check if passed ACL changes the inode mode 445 * @mnt_userns: user namespace of the idmapped mount 446 * @dentry: pointer to the affected dentry 447 * @xattr_name: requested xattr 448 * @xattr_value: requested xattr value 449 * @xattr_value_len: requested xattr value length 450 * 451 * Check if passed ACL changes the inode mode, which is protected by EVM. 452 * 453 * Returns 1 if passed ACL causes inode mode change, 0 otherwise. 454 */ 455 static int evm_xattr_acl_change(struct user_namespace *mnt_userns, 456 struct dentry *dentry, const char *xattr_name, 457 const void *xattr_value, size_t xattr_value_len) 458 { 459 #ifdef CONFIG_FS_POSIX_ACL 460 umode_t mode; 461 struct posix_acl *acl = NULL, *acl_res; 462 struct inode *inode = d_backing_inode(dentry); 463 int rc; 464 465 /* 466 * user_ns is not relevant here, ACL_USER/ACL_GROUP don't have impact 467 * on the inode mode (see posix_acl_equiv_mode()). 468 */ 469 acl = posix_acl_from_xattr(&init_user_ns, xattr_value, xattr_value_len); 470 if (IS_ERR_OR_NULL(acl)) 471 return 1; 472 473 acl_res = acl; 474 /* 475 * Passing mnt_userns is necessary to correctly determine the GID in 476 * an idmapped mount, as the GID is used to clear the setgid bit in 477 * the inode mode. 478 */ 479 rc = posix_acl_update_mode(mnt_userns, inode, &mode, &acl_res); 480 481 posix_acl_release(acl); 482 483 if (rc) 484 return 1; 485 486 if (inode->i_mode != mode) 487 return 1; 488 #endif 489 return 0; 490 } 491 492 /* 493 * evm_xattr_change - check if passed xattr value differs from current value 494 * @mnt_userns: user namespace of the idmapped mount 495 * @dentry: pointer to the affected dentry 496 * @xattr_name: requested xattr 497 * @xattr_value: requested xattr value 498 * @xattr_value_len: requested xattr value length 499 * 500 * Check if passed xattr value differs from current value. 501 * 502 * Returns 1 if passed xattr value differs from current value, 0 otherwise. 503 */ 504 static int evm_xattr_change(struct user_namespace *mnt_userns, 505 struct dentry *dentry, const char *xattr_name, 506 const void *xattr_value, size_t xattr_value_len) 507 { 508 char *xattr_data = NULL; 509 int rc = 0; 510 511 if (posix_xattr_acl(xattr_name)) 512 return evm_xattr_acl_change(mnt_userns, dentry, xattr_name, 513 xattr_value, xattr_value_len); 514 515 rc = vfs_getxattr_alloc(&init_user_ns, dentry, xattr_name, &xattr_data, 516 0, GFP_NOFS); 517 if (rc < 0) 518 return 1; 519 520 if (rc == xattr_value_len) 521 rc = !!memcmp(xattr_value, xattr_data, rc); 522 else 523 rc = 1; 524 525 kfree(xattr_data); 526 return rc; 527 } 528 529 /* 530 * evm_protect_xattr - protect the EVM extended attribute 531 * 532 * Prevent security.evm from being modified or removed without the 533 * necessary permissions or when the existing value is invalid. 534 * 535 * The posix xattr acls are 'system' prefixed, which normally would not 536 * affect security.evm. An interesting side affect of writing posix xattr 537 * acls is their modifying of the i_mode, which is included in security.evm. 538 * For posix xattr acls only, permit security.evm, even if it currently 539 * doesn't exist, to be updated unless the EVM signature is immutable. 540 */ 541 static int evm_protect_xattr(struct user_namespace *mnt_userns, 542 struct dentry *dentry, const char *xattr_name, 543 const void *xattr_value, size_t xattr_value_len) 544 { 545 enum integrity_status evm_status; 546 547 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 548 if (!capable(CAP_SYS_ADMIN)) 549 return -EPERM; 550 } else if (!evm_protected_xattr(xattr_name)) { 551 if (!posix_xattr_acl(xattr_name)) 552 return 0; 553 evm_status = evm_verify_current_integrity(dentry); 554 if ((evm_status == INTEGRITY_PASS) || 555 (evm_status == INTEGRITY_NOXATTRS)) 556 return 0; 557 goto out; 558 } 559 560 evm_status = evm_verify_current_integrity(dentry); 561 if (evm_status == INTEGRITY_NOXATTRS) { 562 struct integrity_iint_cache *iint; 563 564 /* Exception if the HMAC is not going to be calculated. */ 565 if (evm_hmac_disabled()) 566 return 0; 567 568 iint = integrity_iint_find(d_backing_inode(dentry)); 569 if (iint && (iint->flags & IMA_NEW_FILE)) 570 return 0; 571 572 /* exception for pseudo filesystems */ 573 if (dentry->d_sb->s_magic == TMPFS_MAGIC 574 || dentry->d_sb->s_magic == SYSFS_MAGIC) 575 return 0; 576 577 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 578 dentry->d_inode, dentry->d_name.name, 579 "update_metadata", 580 integrity_status_msg[evm_status], 581 -EPERM, 0); 582 } 583 out: 584 /* Exception if the HMAC is not going to be calculated. */ 585 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || 586 evm_status == INTEGRITY_UNKNOWN)) 587 return 0; 588 589 /* 590 * Writing other xattrs is safe for portable signatures, as portable 591 * signatures are immutable and can never be updated. 592 */ 593 if (evm_status == INTEGRITY_FAIL_IMMUTABLE) 594 return 0; 595 596 if (evm_status == INTEGRITY_PASS_IMMUTABLE && 597 !evm_xattr_change(mnt_userns, dentry, xattr_name, xattr_value, 598 xattr_value_len)) 599 return 0; 600 601 if (evm_status != INTEGRITY_PASS && 602 evm_status != INTEGRITY_PASS_IMMUTABLE) 603 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 604 dentry->d_name.name, "appraise_metadata", 605 integrity_status_msg[evm_status], 606 -EPERM, 0); 607 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 608 } 609 610 /** 611 * evm_inode_setxattr - protect the EVM extended attribute 612 * @mnt_userns: user namespace of the idmapped mount 613 * @dentry: pointer to the affected dentry 614 * @xattr_name: pointer to the affected extended attribute name 615 * @xattr_value: pointer to the new extended attribute value 616 * @xattr_value_len: pointer to the new extended attribute value length 617 * 618 * Before allowing the 'security.evm' protected xattr to be updated, 619 * verify the existing value is valid. As only the kernel should have 620 * access to the EVM encrypted key needed to calculate the HMAC, prevent 621 * userspace from writing HMAC value. Writing 'security.evm' requires 622 * requires CAP_SYS_ADMIN privileges. 623 */ 624 int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry, 625 const char *xattr_name, const void *xattr_value, 626 size_t xattr_value_len) 627 { 628 const struct evm_ima_xattr_data *xattr_data = xattr_value; 629 630 /* Policy permits modification of the protected xattrs even though 631 * there's no HMAC key loaded 632 */ 633 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 634 return 0; 635 636 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 637 if (!xattr_value_len) 638 return -EINVAL; 639 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 640 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 641 return -EPERM; 642 } 643 return evm_protect_xattr(mnt_userns, dentry, xattr_name, xattr_value, 644 xattr_value_len); 645 } 646 647 /** 648 * evm_inode_removexattr - protect the EVM extended attribute 649 * @mnt_userns: user namespace of the idmapped mount 650 * @dentry: pointer to the affected dentry 651 * @xattr_name: pointer to the affected extended attribute name 652 * 653 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 654 * the current value is valid. 655 */ 656 int evm_inode_removexattr(struct user_namespace *mnt_userns, 657 struct dentry *dentry, const char *xattr_name) 658 { 659 /* Policy permits modification of the protected xattrs even though 660 * there's no HMAC key loaded 661 */ 662 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 663 return 0; 664 665 return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0); 666 } 667 668 static void evm_reset_status(struct inode *inode) 669 { 670 struct integrity_iint_cache *iint; 671 672 iint = integrity_iint_find(inode); 673 if (iint) 674 iint->evm_status = INTEGRITY_UNKNOWN; 675 } 676 677 /** 678 * evm_revalidate_status - report whether EVM status re-validation is necessary 679 * @xattr_name: pointer to the affected extended attribute name 680 * 681 * Report whether callers of evm_verifyxattr() should re-validate the 682 * EVM status. 683 * 684 * Return true if re-validation is necessary, false otherwise. 685 */ 686 bool evm_revalidate_status(const char *xattr_name) 687 { 688 if (!evm_key_loaded()) 689 return false; 690 691 /* evm_inode_post_setattr() passes NULL */ 692 if (!xattr_name) 693 return true; 694 695 if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) && 696 strcmp(xattr_name, XATTR_NAME_EVM)) 697 return false; 698 699 return true; 700 } 701 702 /** 703 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 704 * @dentry: pointer to the affected dentry 705 * @xattr_name: pointer to the affected extended attribute name 706 * @xattr_value: pointer to the new extended attribute value 707 * @xattr_value_len: pointer to the new extended attribute value length 708 * 709 * Update the HMAC stored in 'security.evm' to reflect the change. 710 * 711 * No need to take the i_mutex lock here, as this function is called from 712 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 713 * i_mutex lock. 714 */ 715 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 716 const void *xattr_value, size_t xattr_value_len) 717 { 718 if (!evm_revalidate_status(xattr_name)) 719 return; 720 721 evm_reset_status(dentry->d_inode); 722 723 if (!strcmp(xattr_name, XATTR_NAME_EVM)) 724 return; 725 726 if (!(evm_initialized & EVM_INIT_HMAC)) 727 return; 728 729 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 730 } 731 732 /** 733 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 734 * @dentry: pointer to the affected dentry 735 * @xattr_name: pointer to the affected extended attribute name 736 * 737 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 738 * 739 * No need to take the i_mutex lock here, as this function is called from 740 * vfs_removexattr() which takes the i_mutex. 741 */ 742 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 743 { 744 if (!evm_revalidate_status(xattr_name)) 745 return; 746 747 evm_reset_status(dentry->d_inode); 748 749 if (!strcmp(xattr_name, XATTR_NAME_EVM)) 750 return; 751 752 if (!(evm_initialized & EVM_INIT_HMAC)) 753 return; 754 755 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 756 } 757 758 static int evm_attr_change(struct dentry *dentry, struct iattr *attr) 759 { 760 struct inode *inode = d_backing_inode(dentry); 761 unsigned int ia_valid = attr->ia_valid; 762 763 if ((!(ia_valid & ATTR_UID) || uid_eq(attr->ia_uid, inode->i_uid)) && 764 (!(ia_valid & ATTR_GID) || gid_eq(attr->ia_gid, inode->i_gid)) && 765 (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode)) 766 return 0; 767 768 return 1; 769 } 770 771 /** 772 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 773 * @dentry: pointer to the affected dentry 774 * 775 * Permit update of file attributes when files have a valid EVM signature, 776 * except in the case of them having an immutable portable signature. 777 */ 778 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 779 { 780 unsigned int ia_valid = attr->ia_valid; 781 enum integrity_status evm_status; 782 783 /* Policy permits modification of the protected attrs even though 784 * there's no HMAC key loaded 785 */ 786 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 787 return 0; 788 789 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 790 return 0; 791 evm_status = evm_verify_current_integrity(dentry); 792 /* 793 * Writing attrs is safe for portable signatures, as portable signatures 794 * are immutable and can never be updated. 795 */ 796 if ((evm_status == INTEGRITY_PASS) || 797 (evm_status == INTEGRITY_NOXATTRS) || 798 (evm_status == INTEGRITY_FAIL_IMMUTABLE) || 799 (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || 800 evm_status == INTEGRITY_UNKNOWN))) 801 return 0; 802 803 if (evm_status == INTEGRITY_PASS_IMMUTABLE && 804 !evm_attr_change(dentry, attr)) 805 return 0; 806 807 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 808 dentry->d_name.name, "appraise_metadata", 809 integrity_status_msg[evm_status], -EPERM, 0); 810 return -EPERM; 811 } 812 813 /** 814 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 815 * @dentry: pointer to the affected dentry 816 * @ia_valid: for the UID and GID status 817 * 818 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 819 * changes. 820 * 821 * This function is called from notify_change(), which expects the caller 822 * to lock the inode's i_mutex. 823 */ 824 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 825 { 826 if (!evm_revalidate_status(NULL)) 827 return; 828 829 evm_reset_status(dentry->d_inode); 830 831 if (!(evm_initialized & EVM_INIT_HMAC)) 832 return; 833 834 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 835 evm_update_evmxattr(dentry, NULL, NULL, 0); 836 } 837 838 /* 839 * evm_inode_init_security - initializes security.evm HMAC value 840 */ 841 int evm_inode_init_security(struct inode *inode, 842 const struct xattr *lsm_xattr, 843 struct xattr *evm_xattr) 844 { 845 struct evm_xattr *xattr_data; 846 int rc; 847 848 if (!(evm_initialized & EVM_INIT_HMAC) || 849 !evm_protected_xattr(lsm_xattr->name)) 850 return 0; 851 852 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 853 if (!xattr_data) 854 return -ENOMEM; 855 856 xattr_data->data.type = EVM_XATTR_HMAC; 857 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 858 if (rc < 0) 859 goto out; 860 861 evm_xattr->value = xattr_data; 862 evm_xattr->value_len = sizeof(*xattr_data); 863 evm_xattr->name = XATTR_EVM_SUFFIX; 864 return 0; 865 out: 866 kfree(xattr_data); 867 return rc; 868 } 869 EXPORT_SYMBOL_GPL(evm_inode_init_security); 870 871 #ifdef CONFIG_EVM_LOAD_X509 872 void __init evm_load_x509(void) 873 { 874 int rc; 875 876 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 877 if (!rc) 878 evm_initialized |= EVM_INIT_X509; 879 } 880 #endif 881 882 static int __init init_evm(void) 883 { 884 int error; 885 struct list_head *pos, *q; 886 887 evm_init_config(); 888 889 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 890 if (error) 891 goto error; 892 893 error = evm_init_secfs(); 894 if (error < 0) { 895 pr_info("Error registering secfs\n"); 896 goto error; 897 } 898 899 error: 900 if (error != 0) { 901 if (!list_empty(&evm_config_xattrnames)) { 902 list_for_each_safe(pos, q, &evm_config_xattrnames) 903 list_del(pos); 904 } 905 } 906 907 return error; 908 } 909 910 late_initcall(init_evm); 911