1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2010 IBM Corporation 4 * 5 * Authors: 6 * Mimi Zohar <zohar@us.ibm.com> 7 * 8 * File: evm_secfs.c 9 * - Used to signal when key is on keyring 10 * - Get the key and enable EVM 11 */ 12 13 #include <linux/audit.h> 14 #include <linux/uaccess.h> 15 #include <linux/init.h> 16 #include <linux/mutex.h> 17 #include "evm.h" 18 19 static struct dentry *evm_dir; 20 static struct dentry *evm_init_tpm; 21 static struct dentry *evm_symlink; 22 23 #ifdef CONFIG_EVM_ADD_XATTRS 24 static struct dentry *evm_xattrs; 25 static DEFINE_MUTEX(xattr_list_mutex); 26 static int evm_xattrs_locked; 27 #endif 28 29 /** 30 * evm_read_key - read() for <securityfs>/evm 31 * 32 * @filp: file pointer, not actually used 33 * @buf: where to put the result 34 * @count: maximum to send along 35 * @ppos: where to start 36 * 37 * Returns number of bytes read or error code, as appropriate 38 */ 39 static ssize_t evm_read_key(struct file *filp, char __user *buf, 40 size_t count, loff_t *ppos) 41 { 42 char temp[80]; 43 ssize_t rc; 44 45 if (*ppos != 0) 46 return 0; 47 48 sprintf(temp, "%d", (evm_initialized & ~EVM_SETUP_COMPLETE)); 49 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); 50 51 return rc; 52 } 53 54 /** 55 * evm_write_key - write() for <securityfs>/evm 56 * @file: file pointer, not actually used 57 * @buf: where to get the data from 58 * @count: bytes sent 59 * @ppos: where to start 60 * 61 * Used to signal that key is on the kernel key ring. 62 * - get the integrity hmac key from the kernel key ring 63 * - create list of hmac protected extended attributes 64 * Returns number of bytes written or error code, as appropriate 65 */ 66 static ssize_t evm_write_key(struct file *file, const char __user *buf, 67 size_t count, loff_t *ppos) 68 { 69 int i, ret; 70 71 if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP_COMPLETE)) 72 return -EPERM; 73 74 ret = kstrtoint_from_user(buf, count, 0, &i); 75 76 if (ret) 77 return ret; 78 79 /* Reject invalid values */ 80 if (!i || (i & ~EVM_INIT_MASK) != 0) 81 return -EINVAL; 82 83 /* Don't allow a request to freshly enable metadata writes if 84 * keys are loaded. 85 */ 86 if ((i & EVM_ALLOW_METADATA_WRITES) && 87 ((evm_initialized & EVM_KEY_MASK) != 0) && 88 !(evm_initialized & EVM_ALLOW_METADATA_WRITES)) 89 return -EPERM; 90 91 if (i & EVM_INIT_HMAC) { 92 ret = evm_init_key(); 93 if (ret != 0) 94 return ret; 95 /* Forbid further writes after the symmetric key is loaded */ 96 i |= EVM_SETUP_COMPLETE; 97 } 98 99 evm_initialized |= i; 100 101 /* Don't allow protected metadata modification if a symmetric key 102 * is loaded 103 */ 104 if (evm_initialized & EVM_INIT_HMAC) 105 evm_initialized &= ~(EVM_ALLOW_METADATA_WRITES); 106 107 return count; 108 } 109 110 static const struct file_operations evm_key_ops = { 111 .read = evm_read_key, 112 .write = evm_write_key, 113 }; 114 115 #ifdef CONFIG_EVM_ADD_XATTRS 116 /** 117 * evm_read_xattrs - read() for <securityfs>/evm_xattrs 118 * 119 * @filp: file pointer, not actually used 120 * @buf: where to put the result 121 * @count: maximum to send along 122 * @ppos: where to start 123 * 124 * Returns number of bytes read or error code, as appropriate 125 */ 126 static ssize_t evm_read_xattrs(struct file *filp, char __user *buf, 127 size_t count, loff_t *ppos) 128 { 129 char *temp; 130 int offset = 0; 131 ssize_t rc, size = 0; 132 struct xattr_list *xattr; 133 134 if (*ppos != 0) 135 return 0; 136 137 rc = mutex_lock_interruptible(&xattr_list_mutex); 138 if (rc) 139 return -ERESTARTSYS; 140 141 list_for_each_entry(xattr, &evm_config_xattrnames, list) 142 size += strlen(xattr->name) + 1; 143 144 temp = kmalloc(size + 1, GFP_KERNEL); 145 if (!temp) { 146 mutex_unlock(&xattr_list_mutex); 147 return -ENOMEM; 148 } 149 150 list_for_each_entry(xattr, &evm_config_xattrnames, list) { 151 sprintf(temp + offset, "%s\n", xattr->name); 152 offset += strlen(xattr->name) + 1; 153 } 154 155 mutex_unlock(&xattr_list_mutex); 156 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); 157 158 kfree(temp); 159 160 return rc; 161 } 162 163 /** 164 * evm_write_xattrs - write() for <securityfs>/evm_xattrs 165 * @file: file pointer, not actually used 166 * @buf: where to get the data from 167 * @count: bytes sent 168 * @ppos: where to start 169 * 170 * Returns number of bytes written or error code, as appropriate 171 */ 172 static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, 173 size_t count, loff_t *ppos) 174 { 175 int len, err; 176 struct xattr_list *xattr, *tmp; 177 struct audit_buffer *ab; 178 struct iattr newattrs; 179 struct inode *inode; 180 181 if (!capable(CAP_SYS_ADMIN) || evm_xattrs_locked) 182 return -EPERM; 183 184 if (*ppos != 0) 185 return -EINVAL; 186 187 if (count > XATTR_NAME_MAX) 188 return -E2BIG; 189 190 ab = audit_log_start(audit_context(), GFP_KERNEL, 191 AUDIT_INTEGRITY_EVM_XATTR); 192 if (!ab) 193 return -ENOMEM; 194 195 xattr = kmalloc(sizeof(struct xattr_list), GFP_KERNEL); 196 if (!xattr) { 197 err = -ENOMEM; 198 goto out; 199 } 200 201 xattr->name = memdup_user_nul(buf, count); 202 if (IS_ERR(xattr->name)) { 203 err = PTR_ERR(xattr->name); 204 xattr->name = NULL; 205 goto out; 206 } 207 208 /* Remove any trailing newline */ 209 len = strlen(xattr->name); 210 if (len && xattr->name[len-1] == '\n') 211 xattr->name[len-1] = '\0'; 212 213 audit_log_format(ab, "xattr="); 214 audit_log_untrustedstring(ab, xattr->name); 215 216 if (strcmp(xattr->name, ".") == 0) { 217 evm_xattrs_locked = 1; 218 newattrs.ia_mode = S_IFREG | 0440; 219 newattrs.ia_valid = ATTR_MODE; 220 inode = evm_xattrs->d_inode; 221 inode_lock(inode); 222 err = simple_setattr(&init_user_ns, evm_xattrs, &newattrs); 223 inode_unlock(inode); 224 if (!err) 225 err = count; 226 goto out; 227 } 228 229 if (strncmp(xattr->name, XATTR_SECURITY_PREFIX, 230 XATTR_SECURITY_PREFIX_LEN) != 0) { 231 err = -EINVAL; 232 goto out; 233 } 234 235 /* 236 * xattr_list_mutex guards against races in evm_read_xattrs(). 237 * Entries are only added to the evm_config_xattrnames list 238 * and never deleted. Therefore, the list is traversed 239 * using list_for_each_entry_lockless() without holding 240 * the mutex in evm_calc_hmac_or_hash(), evm_find_protected_xattrs() 241 * and evm_protected_xattr(). 242 */ 243 mutex_lock(&xattr_list_mutex); 244 list_for_each_entry(tmp, &evm_config_xattrnames, list) { 245 if (strcmp(xattr->name, tmp->name) == 0) { 246 err = -EEXIST; 247 mutex_unlock(&xattr_list_mutex); 248 goto out; 249 } 250 } 251 list_add_tail_rcu(&xattr->list, &evm_config_xattrnames); 252 mutex_unlock(&xattr_list_mutex); 253 254 audit_log_format(ab, " res=0"); 255 audit_log_end(ab); 256 return count; 257 out: 258 audit_log_format(ab, " res=%d", err); 259 audit_log_end(ab); 260 if (xattr) { 261 kfree(xattr->name); 262 kfree(xattr); 263 } 264 return err; 265 } 266 267 static const struct file_operations evm_xattr_ops = { 268 .read = evm_read_xattrs, 269 .write = evm_write_xattrs, 270 }; 271 272 static int evm_init_xattrs(void) 273 { 274 evm_xattrs = securityfs_create_file("evm_xattrs", 0660, evm_dir, NULL, 275 &evm_xattr_ops); 276 if (!evm_xattrs || IS_ERR(evm_xattrs)) 277 return -EFAULT; 278 279 return 0; 280 } 281 #else 282 static int evm_init_xattrs(void) 283 { 284 return 0; 285 } 286 #endif 287 288 int __init evm_init_secfs(void) 289 { 290 int error = 0; 291 292 evm_dir = securityfs_create_dir("evm", integrity_dir); 293 if (!evm_dir || IS_ERR(evm_dir)) 294 return -EFAULT; 295 296 evm_init_tpm = securityfs_create_file("evm", 0660, 297 evm_dir, NULL, &evm_key_ops); 298 if (!evm_init_tpm || IS_ERR(evm_init_tpm)) { 299 error = -EFAULT; 300 goto out; 301 } 302 303 evm_symlink = securityfs_create_symlink("evm", NULL, 304 "integrity/evm/evm", NULL); 305 if (!evm_symlink || IS_ERR(evm_symlink)) { 306 error = -EFAULT; 307 goto out; 308 } 309 310 if (evm_init_xattrs() != 0) { 311 error = -EFAULT; 312 goto out; 313 } 314 315 return 0; 316 out: 317 securityfs_remove(evm_symlink); 318 securityfs_remove(evm_init_tpm); 319 securityfs_remove(evm_dir); 320 return error; 321 } 322