1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2011 IBM Corporation
4  *
5  * Author:
6  * Mimi Zohar <zohar@us.ibm.com>
7  */
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/file.h>
11 #include <linux/fs.h>
12 #include <linux/xattr.h>
13 #include <linux/magic.h>
14 #include <linux/ima.h>
15 #include <linux/evm.h>
16 #include <keys/system_keyring.h>
17 
18 #include "ima.h"
19 
20 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
21 static char *ima_appraise_cmdline_default __initdata;
22 core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);
23 
24 void __init ima_appraise_parse_cmdline(void)
25 {
26 	const char *str = ima_appraise_cmdline_default;
27 	bool sb_state = arch_ima_get_secureboot();
28 	int appraisal_state = ima_appraise;
29 
30 	if (!str)
31 		return;
32 
33 	if (strncmp(str, "off", 3) == 0)
34 		appraisal_state = 0;
35 	else if (strncmp(str, "log", 3) == 0)
36 		appraisal_state = IMA_APPRAISE_LOG;
37 	else if (strncmp(str, "fix", 3) == 0)
38 		appraisal_state = IMA_APPRAISE_FIX;
39 	else if (strncmp(str, "enforce", 7) == 0)
40 		appraisal_state = IMA_APPRAISE_ENFORCE;
41 	else
42 		pr_err("invalid \"%s\" appraise option", str);
43 
44 	/* If appraisal state was changed, but secure boot is enabled,
45 	 * keep its default */
46 	if (sb_state) {
47 		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
48 			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
49 				str);
50 	} else {
51 		ima_appraise = appraisal_state;
52 	}
53 }
54 #endif
55 
56 /*
57  * is_ima_appraise_enabled - return appraise status
58  *
59  * Only return enabled, if not in ima_appraise="fix" or "log" modes.
60  */
61 bool is_ima_appraise_enabled(void)
62 {
63 	return ima_appraise & IMA_APPRAISE_ENFORCE;
64 }
65 
66 /*
67  * ima_must_appraise - set appraise flag
68  *
69  * Return 1 to appraise or hash
70  */
71 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
72 {
73 	u32 secid;
74 
75 	if (!ima_appraise)
76 		return 0;
77 
78 	security_task_getsecid(current, &secid);
79 	return ima_match_policy(inode, current_cred(), secid, func, mask,
80 				IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL);
81 }
82 
83 static int ima_fix_xattr(struct dentry *dentry,
84 			 struct integrity_iint_cache *iint)
85 {
86 	int rc, offset;
87 	u8 algo = iint->ima_hash->algo;
88 
89 	if (algo <= HASH_ALGO_SHA1) {
90 		offset = 1;
91 		iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
92 	} else {
93 		offset = 0;
94 		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
95 		iint->ima_hash->xattr.ng.algo = algo;
96 	}
97 	rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
98 				   &iint->ima_hash->xattr.data[offset],
99 				   (sizeof(iint->ima_hash->xattr) - offset) +
100 				   iint->ima_hash->length, 0);
101 	return rc;
102 }
103 
104 /* Return specific func appraised cached result */
105 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
106 					   enum ima_hooks func)
107 {
108 	switch (func) {
109 	case MMAP_CHECK:
110 		return iint->ima_mmap_status;
111 	case BPRM_CHECK:
112 		return iint->ima_bprm_status;
113 	case CREDS_CHECK:
114 		return iint->ima_creds_status;
115 	case FILE_CHECK:
116 	case POST_SETATTR:
117 		return iint->ima_file_status;
118 	case MODULE_CHECK ... MAX_CHECK - 1:
119 	default:
120 		return iint->ima_read_status;
121 	}
122 }
123 
124 static void ima_set_cache_status(struct integrity_iint_cache *iint,
125 				 enum ima_hooks func,
126 				 enum integrity_status status)
127 {
128 	switch (func) {
129 	case MMAP_CHECK:
130 		iint->ima_mmap_status = status;
131 		break;
132 	case BPRM_CHECK:
133 		iint->ima_bprm_status = status;
134 		break;
135 	case CREDS_CHECK:
136 		iint->ima_creds_status = status;
137 		break;
138 	case FILE_CHECK:
139 	case POST_SETATTR:
140 		iint->ima_file_status = status;
141 		break;
142 	case MODULE_CHECK ... MAX_CHECK - 1:
143 	default:
144 		iint->ima_read_status = status;
145 		break;
146 	}
147 }
148 
149 static void ima_cache_flags(struct integrity_iint_cache *iint,
150 			     enum ima_hooks func)
151 {
152 	switch (func) {
153 	case MMAP_CHECK:
154 		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
155 		break;
156 	case BPRM_CHECK:
157 		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
158 		break;
159 	case CREDS_CHECK:
160 		iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
161 		break;
162 	case FILE_CHECK:
163 	case POST_SETATTR:
164 		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
165 		break;
166 	case MODULE_CHECK ... MAX_CHECK - 1:
167 	default:
168 		iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
169 		break;
170 	}
171 }
172 
173 enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
174 				 int xattr_len)
175 {
176 	struct signature_v2_hdr *sig;
177 	enum hash_algo ret;
178 
179 	if (!xattr_value || xattr_len < 2)
180 		/* return default hash algo */
181 		return ima_hash_algo;
182 
183 	switch (xattr_value->type) {
184 	case EVM_IMA_XATTR_DIGSIG:
185 		sig = (typeof(sig))xattr_value;
186 		if (sig->version != 2 || xattr_len <= sizeof(*sig))
187 			return ima_hash_algo;
188 		return sig->hash_algo;
189 		break;
190 	case IMA_XATTR_DIGEST_NG:
191 		/* first byte contains algorithm id */
192 		ret = xattr_value->data[0];
193 		if (ret < HASH_ALGO__LAST)
194 			return ret;
195 		break;
196 	case IMA_XATTR_DIGEST:
197 		/* this is for backward compatibility */
198 		if (xattr_len == 21) {
199 			unsigned int zero = 0;
200 			if (!memcmp(&xattr_value->data[16], &zero, 4))
201 				return HASH_ALGO_MD5;
202 			else
203 				return HASH_ALGO_SHA1;
204 		} else if (xattr_len == 17)
205 			return HASH_ALGO_MD5;
206 		break;
207 	}
208 
209 	/* return default hash algo */
210 	return ima_hash_algo;
211 }
212 
213 int ima_read_xattr(struct dentry *dentry,
214 		   struct evm_ima_xattr_data **xattr_value)
215 {
216 	ssize_t ret;
217 
218 	ret = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
219 				 0, GFP_NOFS);
220 	if (ret == -EOPNOTSUPP)
221 		ret = 0;
222 	return ret;
223 }
224 
225 /*
226  * xattr_verify - verify xattr digest or signature
227  *
228  * Verify whether the hash or signature matches the file contents.
229  *
230  * Return 0 on success, error code otherwise.
231  */
232 static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
233 			struct evm_ima_xattr_data *xattr_value, int xattr_len,
234 			enum integrity_status *status, const char **cause)
235 {
236 	int rc = -EINVAL, hash_start = 0;
237 
238 	switch (xattr_value->type) {
239 	case IMA_XATTR_DIGEST_NG:
240 		/* first byte contains algorithm id */
241 		hash_start = 1;
242 		fallthrough;
243 	case IMA_XATTR_DIGEST:
244 		if (iint->flags & IMA_DIGSIG_REQUIRED) {
245 			*cause = "IMA-signature-required";
246 			*status = INTEGRITY_FAIL;
247 			break;
248 		}
249 		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
250 		if (xattr_len - sizeof(xattr_value->type) - hash_start >=
251 				iint->ima_hash->length)
252 			/*
253 			 * xattr length may be longer. md5 hash in previous
254 			 * version occupied 20 bytes in xattr, instead of 16
255 			 */
256 			rc = memcmp(&xattr_value->data[hash_start],
257 				    iint->ima_hash->digest,
258 				    iint->ima_hash->length);
259 		else
260 			rc = -EINVAL;
261 		if (rc) {
262 			*cause = "invalid-hash";
263 			*status = INTEGRITY_FAIL;
264 			break;
265 		}
266 		*status = INTEGRITY_PASS;
267 		break;
268 	case EVM_IMA_XATTR_DIGSIG:
269 		set_bit(IMA_DIGSIG, &iint->atomic_flags);
270 		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
271 					     (const char *)xattr_value,
272 					     xattr_len,
273 					     iint->ima_hash->digest,
274 					     iint->ima_hash->length);
275 		if (rc == -EOPNOTSUPP) {
276 			*status = INTEGRITY_UNKNOWN;
277 			break;
278 		}
279 		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
280 		    func == KEXEC_KERNEL_CHECK)
281 			rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
282 						     (const char *)xattr_value,
283 						     xattr_len,
284 						     iint->ima_hash->digest,
285 						     iint->ima_hash->length);
286 		if (rc) {
287 			*cause = "invalid-signature";
288 			*status = INTEGRITY_FAIL;
289 		} else {
290 			*status = INTEGRITY_PASS;
291 		}
292 		break;
293 	default:
294 		*status = INTEGRITY_UNKNOWN;
295 		*cause = "unknown-ima-data";
296 		break;
297 	}
298 
299 	return rc;
300 }
301 
302 /*
303  * modsig_verify - verify modsig signature
304  *
305  * Verify whether the signature matches the file contents.
306  *
307  * Return 0 on success, error code otherwise.
308  */
309 static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
310 			 enum integrity_status *status, const char **cause)
311 {
312 	int rc;
313 
314 	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
315 	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
316 	    func == KEXEC_KERNEL_CHECK)
317 		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
318 					     modsig);
319 	if (rc) {
320 		*cause = "invalid-signature";
321 		*status = INTEGRITY_FAIL;
322 	} else {
323 		*status = INTEGRITY_PASS;
324 	}
325 
326 	return rc;
327 }
328 
329 /*
330  * ima_check_blacklist - determine if the binary is blacklisted.
331  *
332  * Add the hash of the blacklisted binary to the measurement list, based
333  * on policy.
334  *
335  * Returns -EPERM if the hash is blacklisted.
336  */
337 int ima_check_blacklist(struct integrity_iint_cache *iint,
338 			const struct modsig *modsig, int pcr)
339 {
340 	enum hash_algo hash_algo;
341 	const u8 *digest = NULL;
342 	u32 digestsize = 0;
343 	int rc = 0;
344 
345 	if (!(iint->flags & IMA_CHECK_BLACKLIST))
346 		return 0;
347 
348 	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
349 		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
350 
351 		rc = is_binary_blacklisted(digest, digestsize);
352 		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
353 			process_buffer_measurement(NULL, digest, digestsize,
354 						   "blacklisted-hash", NONE,
355 						   pcr, NULL);
356 	}
357 
358 	return rc;
359 }
360 
361 /*
362  * ima_appraise_measurement - appraise file measurement
363  *
364  * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
365  * Assuming success, compare the xattr hash with the collected measurement.
366  *
367  * Return 0 on success, error code otherwise
368  */
369 int ima_appraise_measurement(enum ima_hooks func,
370 			     struct integrity_iint_cache *iint,
371 			     struct file *file, const unsigned char *filename,
372 			     struct evm_ima_xattr_data *xattr_value,
373 			     int xattr_len, const struct modsig *modsig)
374 {
375 	static const char op[] = "appraise_data";
376 	const char *cause = "unknown";
377 	struct dentry *dentry = file_dentry(file);
378 	struct inode *inode = d_backing_inode(dentry);
379 	enum integrity_status status = INTEGRITY_UNKNOWN;
380 	int rc = xattr_len;
381 	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
382 
383 	/* If not appraising a modsig, we need an xattr. */
384 	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
385 		return INTEGRITY_UNKNOWN;
386 
387 	/* If reading the xattr failed and there's no modsig, error out. */
388 	if (rc <= 0 && !try_modsig) {
389 		if (rc && rc != -ENODATA)
390 			goto out;
391 
392 		cause = iint->flags & IMA_DIGSIG_REQUIRED ?
393 				"IMA-signature-required" : "missing-hash";
394 		status = INTEGRITY_NOLABEL;
395 		if (file->f_mode & FMODE_CREATED)
396 			iint->flags |= IMA_NEW_FILE;
397 		if ((iint->flags & IMA_NEW_FILE) &&
398 		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
399 		     (inode->i_size == 0)))
400 			status = INTEGRITY_PASS;
401 		goto out;
402 	}
403 
404 	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
405 	switch (status) {
406 	case INTEGRITY_PASS:
407 	case INTEGRITY_PASS_IMMUTABLE:
408 	case INTEGRITY_UNKNOWN:
409 		break;
410 	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
411 		/* It's fine not to have xattrs when using a modsig. */
412 		if (try_modsig)
413 			break;
414 		fallthrough;
415 	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
416 		cause = "missing-HMAC";
417 		goto out;
418 	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
419 		cause = "invalid-HMAC";
420 		goto out;
421 	default:
422 		WARN_ONCE(true, "Unexpected integrity status %d\n", status);
423 	}
424 
425 	if (xattr_value)
426 		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
427 				  &cause);
428 
429 	/*
430 	 * If we have a modsig and either no imasig or the imasig's key isn't
431 	 * known, then try verifying the modsig.
432 	 */
433 	if (try_modsig &&
434 	    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
435 	     rc == -ENOKEY))
436 		rc = modsig_verify(func, modsig, &status, &cause);
437 
438 out:
439 	/*
440 	 * File signatures on some filesystems can not be properly verified.
441 	 * When such filesystems are mounted by an untrusted mounter or on a
442 	 * system not willing to accept such a risk, fail the file signature
443 	 * verification.
444 	 */
445 	if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
446 	    ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
447 	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
448 		status = INTEGRITY_FAIL;
449 		cause = "unverifiable-signature";
450 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
451 				    op, cause, rc, 0);
452 	} else if (status != INTEGRITY_PASS) {
453 		/* Fix mode, but don't replace file signatures. */
454 		if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
455 		    (!xattr_value ||
456 		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
457 			if (!ima_fix_xattr(dentry, iint))
458 				status = INTEGRITY_PASS;
459 		}
460 
461 		/* Permit new files with file signatures, but without data. */
462 		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
463 		    xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
464 			status = INTEGRITY_PASS;
465 		}
466 
467 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
468 				    op, cause, rc, 0);
469 	} else {
470 		ima_cache_flags(iint, func);
471 	}
472 
473 	ima_set_cache_status(iint, func, status);
474 	return status;
475 }
476 
477 /*
478  * ima_update_xattr - update 'security.ima' hash value
479  */
480 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
481 {
482 	struct dentry *dentry = file_dentry(file);
483 	int rc = 0;
484 
485 	/* do not collect and update hash for digital signatures */
486 	if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
487 		return;
488 
489 	if ((iint->ima_file_status != INTEGRITY_PASS) &&
490 	    !(iint->flags & IMA_HASH))
491 		return;
492 
493 	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
494 	if (rc < 0)
495 		return;
496 
497 	inode_lock(file_inode(file));
498 	ima_fix_xattr(dentry, iint);
499 	inode_unlock(file_inode(file));
500 }
501 
502 /**
503  * ima_inode_post_setattr - reflect file metadata changes
504  * @dentry: pointer to the affected dentry
505  *
506  * Changes to a dentry's metadata might result in needing to appraise.
507  *
508  * This function is called from notify_change(), which expects the caller
509  * to lock the inode's i_mutex.
510  */
511 void ima_inode_post_setattr(struct dentry *dentry)
512 {
513 	struct inode *inode = d_backing_inode(dentry);
514 	struct integrity_iint_cache *iint;
515 	int action;
516 
517 	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
518 	    || !(inode->i_opflags & IOP_XATTR))
519 		return;
520 
521 	action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
522 	if (!action)
523 		__vfs_removexattr(dentry, XATTR_NAME_IMA);
524 	iint = integrity_iint_find(inode);
525 	if (iint) {
526 		set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
527 		if (!action)
528 			clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
529 	}
530 }
531 
532 /*
533  * ima_protect_xattr - protect 'security.ima'
534  *
535  * Ensure that not just anyone can modify or remove 'security.ima'.
536  */
537 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
538 			     const void *xattr_value, size_t xattr_value_len)
539 {
540 	if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
541 		if (!capable(CAP_SYS_ADMIN))
542 			return -EPERM;
543 		return 1;
544 	}
545 	return 0;
546 }
547 
548 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
549 {
550 	struct integrity_iint_cache *iint;
551 
552 	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
553 		return;
554 
555 	iint = integrity_iint_find(inode);
556 	if (!iint)
557 		return;
558 	iint->measured_pcrs = 0;
559 	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
560 	if (digsig)
561 		set_bit(IMA_DIGSIG, &iint->atomic_flags);
562 	else
563 		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
564 }
565 
566 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
567 		       const void *xattr_value, size_t xattr_value_len)
568 {
569 	const struct evm_ima_xattr_data *xvalue = xattr_value;
570 	int result;
571 
572 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
573 				   xattr_value_len);
574 	if (result == 1) {
575 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
576 			return -EINVAL;
577 		ima_reset_appraise_flags(d_backing_inode(dentry),
578 			xvalue->type == EVM_IMA_XATTR_DIGSIG);
579 		result = 0;
580 	}
581 	return result;
582 }
583 
584 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
585 {
586 	int result;
587 
588 	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
589 	if (result == 1) {
590 		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
591 		result = 0;
592 	}
593 	return result;
594 }
595