1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 IBM Corporation 4 * 5 * Author: 6 * Mimi Zohar <zohar@us.ibm.com> 7 */ 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/file.h> 11 #include <linux/fs.h> 12 #include <linux/xattr.h> 13 #include <linux/magic.h> 14 #include <linux/ima.h> 15 #include <linux/evm.h> 16 #include <keys/system_keyring.h> 17 18 #include "ima.h" 19 20 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM 21 static char *ima_appraise_cmdline_default __initdata; 22 core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0); 23 24 void __init ima_appraise_parse_cmdline(void) 25 { 26 const char *str = ima_appraise_cmdline_default; 27 bool sb_state = arch_ima_get_secureboot(); 28 int appraisal_state = ima_appraise; 29 30 if (!str) 31 return; 32 33 if (strncmp(str, "off", 3) == 0) 34 appraisal_state = 0; 35 else if (strncmp(str, "log", 3) == 0) 36 appraisal_state = IMA_APPRAISE_LOG; 37 else if (strncmp(str, "fix", 3) == 0) 38 appraisal_state = IMA_APPRAISE_FIX; 39 else if (strncmp(str, "enforce", 7) == 0) 40 appraisal_state = IMA_APPRAISE_ENFORCE; 41 else 42 pr_err("invalid \"%s\" appraise option", str); 43 44 /* If appraisal state was changed, but secure boot is enabled, 45 * keep its default */ 46 if (sb_state) { 47 if (!(appraisal_state & IMA_APPRAISE_ENFORCE)) 48 pr_info("Secure boot enabled: ignoring ima_appraise=%s option", 49 str); 50 } else { 51 ima_appraise = appraisal_state; 52 } 53 } 54 #endif 55 56 /* 57 * is_ima_appraise_enabled - return appraise status 58 * 59 * Only return enabled, if not in ima_appraise="fix" or "log" modes. 60 */ 61 bool is_ima_appraise_enabled(void) 62 { 63 return ima_appraise & IMA_APPRAISE_ENFORCE; 64 } 65 66 /* 67 * ima_must_appraise - set appraise flag 68 * 69 * Return 1 to appraise or hash 70 */ 71 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) 72 { 73 u32 secid; 74 75 if (!ima_appraise) 76 return 0; 77 78 security_task_getsecid(current, &secid); 79 return ima_match_policy(inode, current_cred(), secid, func, mask, 80 IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); 81 } 82 83 static int ima_fix_xattr(struct dentry *dentry, 84 struct integrity_iint_cache *iint) 85 { 86 int rc, offset; 87 u8 algo = iint->ima_hash->algo; 88 89 if (algo <= HASH_ALGO_SHA1) { 90 offset = 1; 91 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST; 92 } else { 93 offset = 0; 94 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG; 95 iint->ima_hash->xattr.ng.algo = algo; 96 } 97 rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, 98 &iint->ima_hash->xattr.data[offset], 99 (sizeof(iint->ima_hash->xattr) - offset) + 100 iint->ima_hash->length, 0); 101 return rc; 102 } 103 104 /* Return specific func appraised cached result */ 105 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 106 enum ima_hooks func) 107 { 108 switch (func) { 109 case MMAP_CHECK: 110 return iint->ima_mmap_status; 111 case BPRM_CHECK: 112 return iint->ima_bprm_status; 113 case CREDS_CHECK: 114 return iint->ima_creds_status; 115 case FILE_CHECK: 116 case POST_SETATTR: 117 return iint->ima_file_status; 118 case MODULE_CHECK ... MAX_CHECK - 1: 119 default: 120 return iint->ima_read_status; 121 } 122 } 123 124 static void ima_set_cache_status(struct integrity_iint_cache *iint, 125 enum ima_hooks func, 126 enum integrity_status status) 127 { 128 switch (func) { 129 case MMAP_CHECK: 130 iint->ima_mmap_status = status; 131 break; 132 case BPRM_CHECK: 133 iint->ima_bprm_status = status; 134 break; 135 case CREDS_CHECK: 136 iint->ima_creds_status = status; 137 break; 138 case FILE_CHECK: 139 case POST_SETATTR: 140 iint->ima_file_status = status; 141 break; 142 case MODULE_CHECK ... MAX_CHECK - 1: 143 default: 144 iint->ima_read_status = status; 145 break; 146 } 147 } 148 149 static void ima_cache_flags(struct integrity_iint_cache *iint, 150 enum ima_hooks func) 151 { 152 switch (func) { 153 case MMAP_CHECK: 154 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED); 155 break; 156 case BPRM_CHECK: 157 iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED); 158 break; 159 case CREDS_CHECK: 160 iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED); 161 break; 162 case FILE_CHECK: 163 case POST_SETATTR: 164 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED); 165 break; 166 case MODULE_CHECK ... MAX_CHECK - 1: 167 default: 168 iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED); 169 break; 170 } 171 } 172 173 enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, 174 int xattr_len) 175 { 176 struct signature_v2_hdr *sig; 177 enum hash_algo ret; 178 179 if (!xattr_value || xattr_len < 2) 180 /* return default hash algo */ 181 return ima_hash_algo; 182 183 switch (xattr_value->type) { 184 case EVM_IMA_XATTR_DIGSIG: 185 sig = (typeof(sig))xattr_value; 186 if (sig->version != 2 || xattr_len <= sizeof(*sig)) 187 return ima_hash_algo; 188 return sig->hash_algo; 189 break; 190 case IMA_XATTR_DIGEST_NG: 191 /* first byte contains algorithm id */ 192 ret = xattr_value->data[0]; 193 if (ret < HASH_ALGO__LAST) 194 return ret; 195 break; 196 case IMA_XATTR_DIGEST: 197 /* this is for backward compatibility */ 198 if (xattr_len == 21) { 199 unsigned int zero = 0; 200 if (!memcmp(&xattr_value->data[16], &zero, 4)) 201 return HASH_ALGO_MD5; 202 else 203 return HASH_ALGO_SHA1; 204 } else if (xattr_len == 17) 205 return HASH_ALGO_MD5; 206 break; 207 } 208 209 /* return default hash algo */ 210 return ima_hash_algo; 211 } 212 213 int ima_read_xattr(struct dentry *dentry, 214 struct evm_ima_xattr_data **xattr_value) 215 { 216 ssize_t ret; 217 218 ret = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value, 219 0, GFP_NOFS); 220 if (ret == -EOPNOTSUPP) 221 ret = 0; 222 return ret; 223 } 224 225 /* 226 * xattr_verify - verify xattr digest or signature 227 * 228 * Verify whether the hash or signature matches the file contents. 229 * 230 * Return 0 on success, error code otherwise. 231 */ 232 static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint, 233 struct evm_ima_xattr_data *xattr_value, int xattr_len, 234 enum integrity_status *status, const char **cause) 235 { 236 int rc = -EINVAL, hash_start = 0; 237 238 switch (xattr_value->type) { 239 case IMA_XATTR_DIGEST_NG: 240 /* first byte contains algorithm id */ 241 hash_start = 1; 242 fallthrough; 243 case IMA_XATTR_DIGEST: 244 if (iint->flags & IMA_DIGSIG_REQUIRED) { 245 *cause = "IMA-signature-required"; 246 *status = INTEGRITY_FAIL; 247 break; 248 } 249 clear_bit(IMA_DIGSIG, &iint->atomic_flags); 250 if (xattr_len - sizeof(xattr_value->type) - hash_start >= 251 iint->ima_hash->length) 252 /* 253 * xattr length may be longer. md5 hash in previous 254 * version occupied 20 bytes in xattr, instead of 16 255 */ 256 rc = memcmp(&xattr_value->data[hash_start], 257 iint->ima_hash->digest, 258 iint->ima_hash->length); 259 else 260 rc = -EINVAL; 261 if (rc) { 262 *cause = "invalid-hash"; 263 *status = INTEGRITY_FAIL; 264 break; 265 } 266 *status = INTEGRITY_PASS; 267 break; 268 case EVM_IMA_XATTR_DIGSIG: 269 set_bit(IMA_DIGSIG, &iint->atomic_flags); 270 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, 271 (const char *)xattr_value, 272 xattr_len, 273 iint->ima_hash->digest, 274 iint->ima_hash->length); 275 if (rc == -EOPNOTSUPP) { 276 *status = INTEGRITY_UNKNOWN; 277 break; 278 } 279 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && 280 func == KEXEC_KERNEL_CHECK) 281 rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM, 282 (const char *)xattr_value, 283 xattr_len, 284 iint->ima_hash->digest, 285 iint->ima_hash->length); 286 if (rc) { 287 *cause = "invalid-signature"; 288 *status = INTEGRITY_FAIL; 289 } else { 290 *status = INTEGRITY_PASS; 291 } 292 break; 293 default: 294 *status = INTEGRITY_UNKNOWN; 295 *cause = "unknown-ima-data"; 296 break; 297 } 298 299 return rc; 300 } 301 302 /* 303 * modsig_verify - verify modsig signature 304 * 305 * Verify whether the signature matches the file contents. 306 * 307 * Return 0 on success, error code otherwise. 308 */ 309 static int modsig_verify(enum ima_hooks func, const struct modsig *modsig, 310 enum integrity_status *status, const char **cause) 311 { 312 int rc; 313 314 rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig); 315 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && 316 func == KEXEC_KERNEL_CHECK) 317 rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM, 318 modsig); 319 if (rc) { 320 *cause = "invalid-signature"; 321 *status = INTEGRITY_FAIL; 322 } else { 323 *status = INTEGRITY_PASS; 324 } 325 326 return rc; 327 } 328 329 /* 330 * ima_check_blacklist - determine if the binary is blacklisted. 331 * 332 * Add the hash of the blacklisted binary to the measurement list, based 333 * on policy. 334 * 335 * Returns -EPERM if the hash is blacklisted. 336 */ 337 int ima_check_blacklist(struct integrity_iint_cache *iint, 338 const struct modsig *modsig, int pcr) 339 { 340 enum hash_algo hash_algo; 341 const u8 *digest = NULL; 342 u32 digestsize = 0; 343 int rc = 0; 344 345 if (!(iint->flags & IMA_CHECK_BLACKLIST)) 346 return 0; 347 348 if (iint->flags & IMA_MODSIG_ALLOWED && modsig) { 349 ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize); 350 351 rc = is_binary_blacklisted(digest, digestsize); 352 if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) 353 process_buffer_measurement(NULL, digest, digestsize, 354 "blacklisted-hash", NONE, 355 pcr, NULL); 356 } 357 358 return rc; 359 } 360 361 /* 362 * ima_appraise_measurement - appraise file measurement 363 * 364 * Call evm_verifyxattr() to verify the integrity of 'security.ima'. 365 * Assuming success, compare the xattr hash with the collected measurement. 366 * 367 * Return 0 on success, error code otherwise 368 */ 369 int ima_appraise_measurement(enum ima_hooks func, 370 struct integrity_iint_cache *iint, 371 struct file *file, const unsigned char *filename, 372 struct evm_ima_xattr_data *xattr_value, 373 int xattr_len, const struct modsig *modsig) 374 { 375 static const char op[] = "appraise_data"; 376 const char *cause = "unknown"; 377 struct dentry *dentry = file_dentry(file); 378 struct inode *inode = d_backing_inode(dentry); 379 enum integrity_status status = INTEGRITY_UNKNOWN; 380 int rc = xattr_len; 381 bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig; 382 383 /* If not appraising a modsig, we need an xattr. */ 384 if (!(inode->i_opflags & IOP_XATTR) && !try_modsig) 385 return INTEGRITY_UNKNOWN; 386 387 /* If reading the xattr failed and there's no modsig, error out. */ 388 if (rc <= 0 && !try_modsig) { 389 if (rc && rc != -ENODATA) 390 goto out; 391 392 cause = iint->flags & IMA_DIGSIG_REQUIRED ? 393 "IMA-signature-required" : "missing-hash"; 394 status = INTEGRITY_NOLABEL; 395 if (file->f_mode & FMODE_CREATED) 396 iint->flags |= IMA_NEW_FILE; 397 if ((iint->flags & IMA_NEW_FILE) && 398 (!(iint->flags & IMA_DIGSIG_REQUIRED) || 399 (inode->i_size == 0))) 400 status = INTEGRITY_PASS; 401 goto out; 402 } 403 404 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); 405 switch (status) { 406 case INTEGRITY_PASS: 407 case INTEGRITY_PASS_IMMUTABLE: 408 case INTEGRITY_UNKNOWN: 409 break; 410 case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ 411 /* It's fine not to have xattrs when using a modsig. */ 412 if (try_modsig) 413 break; 414 fallthrough; 415 case INTEGRITY_NOLABEL: /* No security.evm xattr. */ 416 cause = "missing-HMAC"; 417 goto out; 418 case INTEGRITY_FAIL: /* Invalid HMAC/signature. */ 419 cause = "invalid-HMAC"; 420 goto out; 421 default: 422 WARN_ONCE(true, "Unexpected integrity status %d\n", status); 423 } 424 425 if (xattr_value) 426 rc = xattr_verify(func, iint, xattr_value, xattr_len, &status, 427 &cause); 428 429 /* 430 * If we have a modsig and either no imasig or the imasig's key isn't 431 * known, then try verifying the modsig. 432 */ 433 if (try_modsig && 434 (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG || 435 rc == -ENOKEY)) 436 rc = modsig_verify(func, modsig, &status, &cause); 437 438 out: 439 /* 440 * File signatures on some filesystems can not be properly verified. 441 * When such filesystems are mounted by an untrusted mounter or on a 442 * system not willing to accept such a risk, fail the file signature 443 * verification. 444 */ 445 if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && 446 ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) || 447 (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) { 448 status = INTEGRITY_FAIL; 449 cause = "unverifiable-signature"; 450 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, 451 op, cause, rc, 0); 452 } else if (status != INTEGRITY_PASS) { 453 /* Fix mode, but don't replace file signatures. */ 454 if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig && 455 (!xattr_value || 456 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { 457 if (!ima_fix_xattr(dentry, iint)) 458 status = INTEGRITY_PASS; 459 } 460 461 /* Permit new files with file signatures, but without data. */ 462 if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && 463 xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) { 464 status = INTEGRITY_PASS; 465 } 466 467 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, 468 op, cause, rc, 0); 469 } else { 470 ima_cache_flags(iint, func); 471 } 472 473 ima_set_cache_status(iint, func, status); 474 return status; 475 } 476 477 /* 478 * ima_update_xattr - update 'security.ima' hash value 479 */ 480 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) 481 { 482 struct dentry *dentry = file_dentry(file); 483 int rc = 0; 484 485 /* do not collect and update hash for digital signatures */ 486 if (test_bit(IMA_DIGSIG, &iint->atomic_flags)) 487 return; 488 489 if ((iint->ima_file_status != INTEGRITY_PASS) && 490 !(iint->flags & IMA_HASH)) 491 return; 492 493 rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL); 494 if (rc < 0) 495 return; 496 497 inode_lock(file_inode(file)); 498 ima_fix_xattr(dentry, iint); 499 inode_unlock(file_inode(file)); 500 } 501 502 /** 503 * ima_inode_post_setattr - reflect file metadata changes 504 * @dentry: pointer to the affected dentry 505 * 506 * Changes to a dentry's metadata might result in needing to appraise. 507 * 508 * This function is called from notify_change(), which expects the caller 509 * to lock the inode's i_mutex. 510 */ 511 void ima_inode_post_setattr(struct dentry *dentry) 512 { 513 struct inode *inode = d_backing_inode(dentry); 514 struct integrity_iint_cache *iint; 515 int action; 516 517 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode) 518 || !(inode->i_opflags & IOP_XATTR)) 519 return; 520 521 action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR); 522 if (!action) 523 __vfs_removexattr(dentry, XATTR_NAME_IMA); 524 iint = integrity_iint_find(inode); 525 if (iint) { 526 set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags); 527 if (!action) 528 clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 529 } 530 } 531 532 /* 533 * ima_protect_xattr - protect 'security.ima' 534 * 535 * Ensure that not just anyone can modify or remove 'security.ima'. 536 */ 537 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, 538 const void *xattr_value, size_t xattr_value_len) 539 { 540 if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) { 541 if (!capable(CAP_SYS_ADMIN)) 542 return -EPERM; 543 return 1; 544 } 545 return 0; 546 } 547 548 static void ima_reset_appraise_flags(struct inode *inode, int digsig) 549 { 550 struct integrity_iint_cache *iint; 551 552 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)) 553 return; 554 555 iint = integrity_iint_find(inode); 556 if (!iint) 557 return; 558 iint->measured_pcrs = 0; 559 set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); 560 if (digsig) 561 set_bit(IMA_DIGSIG, &iint->atomic_flags); 562 else 563 clear_bit(IMA_DIGSIG, &iint->atomic_flags); 564 } 565 566 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, 567 const void *xattr_value, size_t xattr_value_len) 568 { 569 const struct evm_ima_xattr_data *xvalue = xattr_value; 570 int result; 571 572 result = ima_protect_xattr(dentry, xattr_name, xattr_value, 573 xattr_value_len); 574 if (result == 1) { 575 if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) 576 return -EINVAL; 577 ima_reset_appraise_flags(d_backing_inode(dentry), 578 xvalue->type == EVM_IMA_XATTR_DIGSIG); 579 result = 0; 580 } 581 return result; 582 } 583 584 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) 585 { 586 int result; 587 588 result = ima_protect_xattr(dentry, xattr_name, NULL, 0); 589 if (result == 1) { 590 ima_reset_appraise_flags(d_backing_inode(dentry), 0); 591 result = 0; 592 } 593 return result; 594 } 595