1 /* 2 * Copyright (C) 2005-2010 IBM Corporation 3 * 4 * Author: 5 * Mimi Zohar <zohar@us.ibm.com> 6 * Kylene Hall <kjhall@us.ibm.com> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation, version 2 of the License. 11 * 12 * File: evm_main.c 13 * implements evm_inode_setxattr, evm_inode_post_setxattr, 14 * evm_inode_removexattr, and evm_verifyxattr 15 */ 16 17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 18 19 #include <linux/module.h> 20 #include <linux/crypto.h> 21 #include <linux/audit.h> 22 #include <linux/xattr.h> 23 #include <linux/integrity.h> 24 #include <linux/evm.h> 25 #include <crypto/hash.h> 26 #include "evm.h" 27 28 int evm_initialized; 29 30 static char *integrity_status_msg[] = { 31 "pass", "fail", "no_label", "no_xattrs", "unknown" 32 }; 33 char *evm_hmac = "hmac(sha1)"; 34 char *evm_hash = "sha1"; 35 int evm_hmac_attrs; 36 37 char *evm_config_xattrnames[] = { 38 #ifdef CONFIG_SECURITY_SELINUX 39 XATTR_NAME_SELINUX, 40 #endif 41 #ifdef CONFIG_SECURITY_SMACK 42 XATTR_NAME_SMACK, 43 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 44 XATTR_NAME_SMACKEXEC, 45 XATTR_NAME_SMACKTRANSMUTE, 46 XATTR_NAME_SMACKMMAP, 47 #endif 48 #endif 49 #ifdef CONFIG_IMA_APPRAISE 50 XATTR_NAME_IMA, 51 #endif 52 XATTR_NAME_CAPS, 53 NULL 54 }; 55 56 static int evm_fixmode; 57 static int __init evm_set_fixmode(char *str) 58 { 59 if (strncmp(str, "fix", 3) == 0) 60 evm_fixmode = 1; 61 return 0; 62 } 63 __setup("evm=", evm_set_fixmode); 64 65 static void __init evm_init_config(void) 66 { 67 #ifdef CONFIG_EVM_ATTR_FSUUID 68 evm_hmac_attrs |= EVM_ATTR_FSUUID; 69 #endif 70 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 71 } 72 73 static int evm_find_protected_xattrs(struct dentry *dentry) 74 { 75 struct inode *inode = dentry->d_inode; 76 char **xattr; 77 int error; 78 int count = 0; 79 80 if (!inode->i_op->getxattr) 81 return -EOPNOTSUPP; 82 83 for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) { 84 error = inode->i_op->getxattr(dentry, *xattr, NULL, 0); 85 if (error < 0) { 86 if (error == -ENODATA) 87 continue; 88 return error; 89 } 90 count++; 91 } 92 93 return count; 94 } 95 96 /* 97 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 98 * 99 * Compute the HMAC on the dentry's protected set of extended attributes 100 * and compare it against the stored security.evm xattr. 101 * 102 * For performance: 103 * - use the previoulsy retrieved xattr value and length to calculate the 104 * HMAC.) 105 * - cache the verification result in the iint, when available. 106 * 107 * Returns integrity status 108 */ 109 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 110 const char *xattr_name, 111 char *xattr_value, 112 size_t xattr_value_len, 113 struct integrity_iint_cache *iint) 114 { 115 struct evm_ima_xattr_data *xattr_data = NULL; 116 struct evm_ima_xattr_data calc; 117 enum integrity_status evm_status = INTEGRITY_PASS; 118 int rc, xattr_len; 119 120 if (iint && iint->evm_status == INTEGRITY_PASS) 121 return iint->evm_status; 122 123 /* if status is not PASS, try to check again - against -ENOMEM */ 124 125 /* first need to know the sig type */ 126 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 127 GFP_NOFS); 128 if (rc <= 0) { 129 if (rc == 0) 130 evm_status = INTEGRITY_FAIL; /* empty */ 131 else if (rc == -ENODATA) { 132 rc = evm_find_protected_xattrs(dentry); 133 if (rc > 0) 134 evm_status = INTEGRITY_NOLABEL; 135 else if (rc == 0) 136 evm_status = INTEGRITY_NOXATTRS; /* new file */ 137 } 138 goto out; 139 } 140 141 xattr_len = rc; 142 143 /* check value type */ 144 switch (xattr_data->type) { 145 case EVM_XATTR_HMAC: 146 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 147 xattr_value_len, calc.digest); 148 if (rc) 149 break; 150 rc = memcmp(xattr_data->digest, calc.digest, 151 sizeof(calc.digest)); 152 if (rc) 153 rc = -EINVAL; 154 break; 155 case EVM_IMA_XATTR_DIGSIG: 156 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 157 xattr_value_len, calc.digest); 158 if (rc) 159 break; 160 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 161 (const char *)xattr_data, xattr_len, 162 calc.digest, sizeof(calc.digest)); 163 if (!rc) { 164 /* we probably want to replace rsa with hmac here */ 165 evm_update_evmxattr(dentry, xattr_name, xattr_value, 166 xattr_value_len); 167 } 168 break; 169 default: 170 rc = -EINVAL; 171 break; 172 } 173 174 if (rc) 175 evm_status = (rc == -ENODATA) ? 176 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 177 out: 178 if (iint) 179 iint->evm_status = evm_status; 180 kfree(xattr_data); 181 return evm_status; 182 } 183 184 static int evm_protected_xattr(const char *req_xattr_name) 185 { 186 char **xattrname; 187 int namelen; 188 int found = 0; 189 190 namelen = strlen(req_xattr_name); 191 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { 192 if ((strlen(*xattrname) == namelen) 193 && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) { 194 found = 1; 195 break; 196 } 197 if (strncmp(req_xattr_name, 198 *xattrname + XATTR_SECURITY_PREFIX_LEN, 199 strlen(req_xattr_name)) == 0) { 200 found = 1; 201 break; 202 } 203 } 204 return found; 205 } 206 207 /** 208 * evm_verifyxattr - verify the integrity of the requested xattr 209 * @dentry: object of the verify xattr 210 * @xattr_name: requested xattr 211 * @xattr_value: requested xattr value 212 * @xattr_value_len: requested xattr value length 213 * 214 * Calculate the HMAC for the given dentry and verify it against the stored 215 * security.evm xattr. For performance, use the xattr value and length 216 * previously retrieved to calculate the HMAC. 217 * 218 * Returns the xattr integrity status. 219 * 220 * This function requires the caller to lock the inode's i_mutex before it 221 * is executed. 222 */ 223 enum integrity_status evm_verifyxattr(struct dentry *dentry, 224 const char *xattr_name, 225 void *xattr_value, size_t xattr_value_len, 226 struct integrity_iint_cache *iint) 227 { 228 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 229 return INTEGRITY_UNKNOWN; 230 231 if (!iint) { 232 iint = integrity_iint_find(dentry->d_inode); 233 if (!iint) 234 return INTEGRITY_UNKNOWN; 235 } 236 return evm_verify_hmac(dentry, xattr_name, xattr_value, 237 xattr_value_len, iint); 238 } 239 EXPORT_SYMBOL_GPL(evm_verifyxattr); 240 241 /* 242 * evm_verify_current_integrity - verify the dentry's metadata integrity 243 * @dentry: pointer to the affected dentry 244 * 245 * Verify and return the dentry's metadata integrity. The exceptions are 246 * before EVM is initialized or in 'fix' mode. 247 */ 248 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 249 { 250 struct inode *inode = dentry->d_inode; 251 252 if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode) 253 return 0; 254 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 255 } 256 257 /* 258 * evm_protect_xattr - protect the EVM extended attribute 259 * 260 * Prevent security.evm from being modified or removed without the 261 * necessary permissions or when the existing value is invalid. 262 * 263 * The posix xattr acls are 'system' prefixed, which normally would not 264 * affect security.evm. An interesting side affect of writing posix xattr 265 * acls is their modifying of the i_mode, which is included in security.evm. 266 * For posix xattr acls only, permit security.evm, even if it currently 267 * doesn't exist, to be updated. 268 */ 269 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 270 const void *xattr_value, size_t xattr_value_len) 271 { 272 enum integrity_status evm_status; 273 274 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 275 if (!capable(CAP_SYS_ADMIN)) 276 return -EPERM; 277 } else if (!evm_protected_xattr(xattr_name)) { 278 if (!posix_xattr_acl(xattr_name)) 279 return 0; 280 evm_status = evm_verify_current_integrity(dentry); 281 if ((evm_status == INTEGRITY_PASS) || 282 (evm_status == INTEGRITY_NOXATTRS)) 283 return 0; 284 goto out; 285 } 286 evm_status = evm_verify_current_integrity(dentry); 287 out: 288 if (evm_status != INTEGRITY_PASS) 289 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode, 290 dentry->d_name.name, "appraise_metadata", 291 integrity_status_msg[evm_status], 292 -EPERM, 0); 293 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 294 } 295 296 /** 297 * evm_inode_setxattr - protect the EVM extended attribute 298 * @dentry: pointer to the affected dentry 299 * @xattr_name: pointer to the affected extended attribute name 300 * @xattr_value: pointer to the new extended attribute value 301 * @xattr_value_len: pointer to the new extended attribute value length 302 * 303 * Before allowing the 'security.evm' protected xattr to be updated, 304 * verify the existing value is valid. As only the kernel should have 305 * access to the EVM encrypted key needed to calculate the HMAC, prevent 306 * userspace from writing HMAC value. Writing 'security.evm' requires 307 * requires CAP_SYS_ADMIN privileges. 308 */ 309 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 310 const void *xattr_value, size_t xattr_value_len) 311 { 312 const struct evm_ima_xattr_data *xattr_data = xattr_value; 313 314 if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0) 315 && (xattr_data->type == EVM_XATTR_HMAC)) 316 return -EPERM; 317 return evm_protect_xattr(dentry, xattr_name, xattr_value, 318 xattr_value_len); 319 } 320 321 /** 322 * evm_inode_removexattr - protect the EVM extended attribute 323 * @dentry: pointer to the affected dentry 324 * @xattr_name: pointer to the affected extended attribute name 325 * 326 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 327 * the current value is valid. 328 */ 329 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 330 { 331 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 332 } 333 334 /** 335 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 336 * @dentry: pointer to the affected dentry 337 * @xattr_name: pointer to the affected extended attribute name 338 * @xattr_value: pointer to the new extended attribute value 339 * @xattr_value_len: pointer to the new extended attribute value length 340 * 341 * Update the HMAC stored in 'security.evm' to reflect the change. 342 * 343 * No need to take the i_mutex lock here, as this function is called from 344 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 345 * i_mutex lock. 346 */ 347 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 348 const void *xattr_value, size_t xattr_value_len) 349 { 350 if (!evm_initialized || (!evm_protected_xattr(xattr_name) 351 && !posix_xattr_acl(xattr_name))) 352 return; 353 354 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 355 return; 356 } 357 358 /** 359 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 360 * @dentry: pointer to the affected dentry 361 * @xattr_name: pointer to the affected extended attribute name 362 * 363 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 364 */ 365 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 366 { 367 struct inode *inode = dentry->d_inode; 368 369 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 370 return; 371 372 mutex_lock(&inode->i_mutex); 373 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 374 mutex_unlock(&inode->i_mutex); 375 return; 376 } 377 378 /** 379 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 380 * @dentry: pointer to the affected dentry 381 */ 382 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 383 { 384 unsigned int ia_valid = attr->ia_valid; 385 enum integrity_status evm_status; 386 387 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 388 return 0; 389 evm_status = evm_verify_current_integrity(dentry); 390 if ((evm_status == INTEGRITY_PASS) || 391 (evm_status == INTEGRITY_NOXATTRS)) 392 return 0; 393 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode, 394 dentry->d_name.name, "appraise_metadata", 395 integrity_status_msg[evm_status], -EPERM, 0); 396 return -EPERM; 397 } 398 399 /** 400 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 401 * @dentry: pointer to the affected dentry 402 * @ia_valid: for the UID and GID status 403 * 404 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 405 * changes. 406 * 407 * This function is called from notify_change(), which expects the caller 408 * to lock the inode's i_mutex. 409 */ 410 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 411 { 412 if (!evm_initialized) 413 return; 414 415 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 416 evm_update_evmxattr(dentry, NULL, NULL, 0); 417 return; 418 } 419 420 /* 421 * evm_inode_init_security - initializes security.evm 422 */ 423 int evm_inode_init_security(struct inode *inode, 424 const struct xattr *lsm_xattr, 425 struct xattr *evm_xattr) 426 { 427 struct evm_ima_xattr_data *xattr_data; 428 int rc; 429 430 if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name)) 431 return 0; 432 433 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 434 if (!xattr_data) 435 return -ENOMEM; 436 437 xattr_data->type = EVM_XATTR_HMAC; 438 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 439 if (rc < 0) 440 goto out; 441 442 evm_xattr->value = xattr_data; 443 evm_xattr->value_len = sizeof(*xattr_data); 444 evm_xattr->name = XATTR_EVM_SUFFIX; 445 return 0; 446 out: 447 kfree(xattr_data); 448 return rc; 449 } 450 EXPORT_SYMBOL_GPL(evm_inode_init_security); 451 452 static int __init init_evm(void) 453 { 454 int error; 455 456 evm_init_config(); 457 458 error = evm_init_secfs(); 459 if (error < 0) { 460 pr_info("Error registering secfs\n"); 461 goto err; 462 } 463 464 return 0; 465 err: 466 return error; 467 } 468 469 /* 470 * evm_display_config - list the EVM protected security extended attributes 471 */ 472 static int __init evm_display_config(void) 473 { 474 char **xattrname; 475 476 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) 477 pr_info("%s\n", *xattrname); 478 return 0; 479 } 480 481 pure_initcall(evm_display_config); 482 late_initcall(init_evm); 483 484 MODULE_DESCRIPTION("Extended Verification Module"); 485 MODULE_LICENSE("GPL"); 486