1 /*
2  * Copyright (C) 2011 IBM Corporation
3  *
4  * Author:
5  * Mimi Zohar <zohar@us.ibm.com>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation, version 2 of the License.
10  */
11 #include <linux/module.h>
12 #include <linux/file.h>
13 #include <linux/fs.h>
14 #include <linux/xattr.h>
15 #include <linux/magic.h>
16 #include <linux/ima.h>
17 #include <linux/evm.h>
18 #include <crypto/hash_info.h>
19 
20 #include "ima.h"
21 
22 static int __init default_appraise_setup(char *str)
23 {
24 	if (strncmp(str, "off", 3) == 0)
25 		ima_appraise = 0;
26 	else if (strncmp(str, "fix", 3) == 0)
27 		ima_appraise = IMA_APPRAISE_FIX;
28 	return 1;
29 }
30 
31 __setup("ima_appraise=", default_appraise_setup);
32 
33 /*
34  * ima_must_appraise - set appraise flag
35  *
36  * Return 1 to appraise
37  */
38 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
39 {
40 	if (!ima_appraise)
41 		return 0;
42 
43 	return ima_match_policy(inode, func, mask, IMA_APPRAISE);
44 }
45 
46 static int ima_fix_xattr(struct dentry *dentry,
47 			 struct integrity_iint_cache *iint)
48 {
49 	int rc, offset;
50 	u8 algo = iint->ima_hash->algo;
51 
52 	if (algo <= HASH_ALGO_SHA1) {
53 		offset = 1;
54 		iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
55 	} else {
56 		offset = 0;
57 		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
58 		iint->ima_hash->xattr.ng.algo = algo;
59 	}
60 	rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
61 				   &iint->ima_hash->xattr.data[offset],
62 				   (sizeof(iint->ima_hash->xattr) - offset) +
63 				   iint->ima_hash->length, 0);
64 	return rc;
65 }
66 
67 /* Return specific func appraised cached result */
68 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
69 					   int func)
70 {
71 	switch (func) {
72 	case MMAP_CHECK:
73 		return iint->ima_mmap_status;
74 	case BPRM_CHECK:
75 		return iint->ima_bprm_status;
76 	case MODULE_CHECK:
77 		return iint->ima_module_status;
78 	case FIRMWARE_CHECK:
79 		return iint->ima_firmware_status;
80 	case FILE_CHECK:
81 	default:
82 		return iint->ima_file_status;
83 	}
84 }
85 
86 static void ima_set_cache_status(struct integrity_iint_cache *iint,
87 				 int func, enum integrity_status status)
88 {
89 	switch (func) {
90 	case MMAP_CHECK:
91 		iint->ima_mmap_status = status;
92 		break;
93 	case BPRM_CHECK:
94 		iint->ima_bprm_status = status;
95 		break;
96 	case MODULE_CHECK:
97 		iint->ima_module_status = status;
98 		break;
99 	case FIRMWARE_CHECK:
100 		iint->ima_firmware_status = status;
101 		break;
102 	case FILE_CHECK:
103 	default:
104 		iint->ima_file_status = status;
105 		break;
106 	}
107 }
108 
109 static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
110 {
111 	switch (func) {
112 	case MMAP_CHECK:
113 		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
114 		break;
115 	case BPRM_CHECK:
116 		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
117 		break;
118 	case MODULE_CHECK:
119 		iint->flags |= (IMA_MODULE_APPRAISED | IMA_APPRAISED);
120 		break;
121 	case FIRMWARE_CHECK:
122 		iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
123 		break;
124 	case FILE_CHECK:
125 	default:
126 		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
127 		break;
128 	}
129 }
130 
131 void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
132 		       struct ima_digest_data *hash)
133 {
134 	struct signature_v2_hdr *sig;
135 
136 	if (!xattr_value || xattr_len < 2)
137 		return;
138 
139 	switch (xattr_value->type) {
140 	case EVM_IMA_XATTR_DIGSIG:
141 		sig = (typeof(sig))xattr_value;
142 		if (sig->version != 2 || xattr_len <= sizeof(*sig))
143 			return;
144 		hash->algo = sig->hash_algo;
145 		break;
146 	case IMA_XATTR_DIGEST_NG:
147 		hash->algo = xattr_value->digest[0];
148 		break;
149 	case IMA_XATTR_DIGEST:
150 		/* this is for backward compatibility */
151 		if (xattr_len == 21) {
152 			unsigned int zero = 0;
153 			if (!memcmp(&xattr_value->digest[16], &zero, 4))
154 				hash->algo = HASH_ALGO_MD5;
155 			else
156 				hash->algo = HASH_ALGO_SHA1;
157 		} else if (xattr_len == 17)
158 			hash->algo = HASH_ALGO_MD5;
159 		break;
160 	}
161 }
162 
163 int ima_read_xattr(struct dentry *dentry,
164 		   struct evm_ima_xattr_data **xattr_value)
165 {
166 	struct inode *inode = dentry->d_inode;
167 
168 	if (!inode->i_op->getxattr)
169 		return 0;
170 
171 	return vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
172 				  0, GFP_NOFS);
173 }
174 
175 /*
176  * ima_appraise_measurement - appraise file measurement
177  *
178  * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
179  * Assuming success, compare the xattr hash with the collected measurement.
180  *
181  * Return 0 on success, error code otherwise
182  */
183 int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
184 			     struct file *file, const unsigned char *filename,
185 			     struct evm_ima_xattr_data *xattr_value,
186 			     int xattr_len)
187 {
188 	static const char op[] = "appraise_data";
189 	char *cause = "unknown";
190 	struct dentry *dentry = file->f_dentry;
191 	struct inode *inode = dentry->d_inode;
192 	enum integrity_status status = INTEGRITY_UNKNOWN;
193 	int rc = xattr_len, hash_start = 0;
194 
195 	if (!ima_appraise)
196 		return 0;
197 	if (!inode->i_op->getxattr)
198 		return INTEGRITY_UNKNOWN;
199 
200 	if (rc <= 0) {
201 		if (rc && rc != -ENODATA)
202 			goto out;
203 
204 		cause = "missing-hash";
205 		status =
206 		    (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL;
207 		goto out;
208 	}
209 
210 	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
211 	if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
212 		if ((status == INTEGRITY_NOLABEL)
213 		    || (status == INTEGRITY_NOXATTRS))
214 			cause = "missing-HMAC";
215 		else if (status == INTEGRITY_FAIL)
216 			cause = "invalid-HMAC";
217 		goto out;
218 	}
219 	switch (xattr_value->type) {
220 	case IMA_XATTR_DIGEST_NG:
221 		/* first byte contains algorithm id */
222 		hash_start = 1;
223 	case IMA_XATTR_DIGEST:
224 		if (iint->flags & IMA_DIGSIG_REQUIRED) {
225 			cause = "IMA-signature-required";
226 			status = INTEGRITY_FAIL;
227 			break;
228 		}
229 		if (xattr_len - sizeof(xattr_value->type) - hash_start >=
230 				iint->ima_hash->length)
231 			/* xattr length may be longer. md5 hash in previous
232 			   version occupied 20 bytes in xattr, instead of 16
233 			 */
234 			rc = memcmp(&xattr_value->digest[hash_start],
235 				    iint->ima_hash->digest,
236 				    iint->ima_hash->length);
237 		else
238 			rc = -EINVAL;
239 		if (rc) {
240 			cause = "invalid-hash";
241 			status = INTEGRITY_FAIL;
242 			break;
243 		}
244 		status = INTEGRITY_PASS;
245 		break;
246 	case EVM_IMA_XATTR_DIGSIG:
247 		iint->flags |= IMA_DIGSIG;
248 		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
249 					     (const char *)xattr_value, rc,
250 					     iint->ima_hash->digest,
251 					     iint->ima_hash->length);
252 		if (rc == -EOPNOTSUPP) {
253 			status = INTEGRITY_UNKNOWN;
254 		} else if (rc) {
255 			cause = "invalid-signature";
256 			status = INTEGRITY_FAIL;
257 		} else {
258 			status = INTEGRITY_PASS;
259 		}
260 		break;
261 	default:
262 		status = INTEGRITY_UNKNOWN;
263 		cause = "unknown-ima-data";
264 		break;
265 	}
266 
267 out:
268 	if (status != INTEGRITY_PASS) {
269 		if ((ima_appraise & IMA_APPRAISE_FIX) &&
270 		    (!xattr_value ||
271 		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
272 			if (!ima_fix_xattr(dentry, iint))
273 				status = INTEGRITY_PASS;
274 		}
275 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
276 				    op, cause, rc, 0);
277 	} else {
278 		ima_cache_flags(iint, func);
279 	}
280 	ima_set_cache_status(iint, func, status);
281 	return status;
282 }
283 
284 /*
285  * ima_update_xattr - update 'security.ima' hash value
286  */
287 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
288 {
289 	struct dentry *dentry = file->f_dentry;
290 	int rc = 0;
291 
292 	/* do not collect and update hash for digital signatures */
293 	if (iint->flags & IMA_DIGSIG)
294 		return;
295 
296 	rc = ima_collect_measurement(iint, file, NULL, NULL);
297 	if (rc < 0)
298 		return;
299 
300 	ima_fix_xattr(dentry, iint);
301 }
302 
303 /**
304  * ima_inode_post_setattr - reflect file metadata changes
305  * @dentry: pointer to the affected dentry
306  *
307  * Changes to a dentry's metadata might result in needing to appraise.
308  *
309  * This function is called from notify_change(), which expects the caller
310  * to lock the inode's i_mutex.
311  */
312 void ima_inode_post_setattr(struct dentry *dentry)
313 {
314 	struct inode *inode = dentry->d_inode;
315 	struct integrity_iint_cache *iint;
316 	int must_appraise, rc;
317 
318 	if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)
319 	    || !inode->i_op->removexattr)
320 		return;
321 
322 	must_appraise = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
323 	iint = integrity_iint_find(inode);
324 	if (iint) {
325 		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
326 				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
327 				 IMA_ACTION_FLAGS);
328 		if (must_appraise)
329 			iint->flags |= IMA_APPRAISE;
330 	}
331 	if (!must_appraise)
332 		rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA);
333 	return;
334 }
335 
336 /*
337  * ima_protect_xattr - protect 'security.ima'
338  *
339  * Ensure that not just anyone can modify or remove 'security.ima'.
340  */
341 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
342 			     const void *xattr_value, size_t xattr_value_len)
343 {
344 	if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
345 		if (!capable(CAP_SYS_ADMIN))
346 			return -EPERM;
347 		return 1;
348 	}
349 	return 0;
350 }
351 
352 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
353 {
354 	struct integrity_iint_cache *iint;
355 
356 	if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode))
357 		return;
358 
359 	iint = integrity_iint_find(inode);
360 	if (!iint)
361 		return;
362 
363 	iint->flags &= ~IMA_DONE_MASK;
364 	if (digsig)
365 		iint->flags |= IMA_DIGSIG;
366 	return;
367 }
368 
369 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
370 		       const void *xattr_value, size_t xattr_value_len)
371 {
372 	const struct evm_ima_xattr_data *xvalue = xattr_value;
373 	int result;
374 
375 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
376 				   xattr_value_len);
377 	if (result == 1) {
378 		ima_reset_appraise_flags(dentry->d_inode,
379 			 (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
380 		result = 0;
381 	}
382 	return result;
383 }
384 
385 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
386 {
387 	int result;
388 
389 	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
390 	if (result == 1) {
391 		ima_reset_appraise_flags(dentry->d_inode, 0);
392 		result = 0;
393 	}
394 	return result;
395 }
396