1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2011 IBM Corporation
4  *
5  * Author:
6  * Mimi Zohar <zohar@us.ibm.com>
7  */
8 #include <linux/init.h>
9 #include <linux/file.h>
10 #include <linux/fs.h>
11 #include <linux/xattr.h>
12 #include <linux/magic.h>
13 #include <linux/ima.h>
14 #include <linux/evm.h>
15 #include <keys/system_keyring.h>
16 
17 #include "ima.h"
18 
19 static int __init default_appraise_setup(char *str)
20 {
21 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
22 	if (arch_ima_get_secureboot()) {
23 		pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option",
24 			str);
25 		return 1;
26 	}
27 
28 	if (strncmp(str, "off", 3) == 0)
29 		ima_appraise = 0;
30 	else if (strncmp(str, "log", 3) == 0)
31 		ima_appraise = IMA_APPRAISE_LOG;
32 	else if (strncmp(str, "fix", 3) == 0)
33 		ima_appraise = IMA_APPRAISE_FIX;
34 #endif
35 	return 1;
36 }
37 
38 __setup("ima_appraise=", default_appraise_setup);
39 
40 /*
41  * is_ima_appraise_enabled - return appraise status
42  *
43  * Only return enabled, if not in ima_appraise="fix" or "log" modes.
44  */
45 bool is_ima_appraise_enabled(void)
46 {
47 	return ima_appraise & IMA_APPRAISE_ENFORCE;
48 }
49 
50 /*
51  * ima_must_appraise - set appraise flag
52  *
53  * Return 1 to appraise or hash
54  */
55 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
56 {
57 	u32 secid;
58 
59 	if (!ima_appraise)
60 		return 0;
61 
62 	security_task_getsecid(current, &secid);
63 	return ima_match_policy(inode, current_cred(), secid, func, mask,
64 				IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL);
65 }
66 
67 static int ima_fix_xattr(struct dentry *dentry,
68 			 struct integrity_iint_cache *iint)
69 {
70 	int rc, offset;
71 	u8 algo = iint->ima_hash->algo;
72 
73 	if (algo <= HASH_ALGO_SHA1) {
74 		offset = 1;
75 		iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
76 	} else {
77 		offset = 0;
78 		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
79 		iint->ima_hash->xattr.ng.algo = algo;
80 	}
81 	rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
82 				   &iint->ima_hash->xattr.data[offset],
83 				   (sizeof(iint->ima_hash->xattr) - offset) +
84 				   iint->ima_hash->length, 0);
85 	return rc;
86 }
87 
88 /* Return specific func appraised cached result */
89 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
90 					   enum ima_hooks func)
91 {
92 	switch (func) {
93 	case MMAP_CHECK:
94 		return iint->ima_mmap_status;
95 	case BPRM_CHECK:
96 		return iint->ima_bprm_status;
97 	case CREDS_CHECK:
98 		return iint->ima_creds_status;
99 	case FILE_CHECK:
100 	case POST_SETATTR:
101 		return iint->ima_file_status;
102 	case MODULE_CHECK ... MAX_CHECK - 1:
103 	default:
104 		return iint->ima_read_status;
105 	}
106 }
107 
108 static void ima_set_cache_status(struct integrity_iint_cache *iint,
109 				 enum ima_hooks func,
110 				 enum integrity_status status)
111 {
112 	switch (func) {
113 	case MMAP_CHECK:
114 		iint->ima_mmap_status = status;
115 		break;
116 	case BPRM_CHECK:
117 		iint->ima_bprm_status = status;
118 		break;
119 	case CREDS_CHECK:
120 		iint->ima_creds_status = status;
121 		break;
122 	case FILE_CHECK:
123 	case POST_SETATTR:
124 		iint->ima_file_status = status;
125 		break;
126 	case MODULE_CHECK ... MAX_CHECK - 1:
127 	default:
128 		iint->ima_read_status = status;
129 		break;
130 	}
131 }
132 
133 static void ima_cache_flags(struct integrity_iint_cache *iint,
134 			     enum ima_hooks func)
135 {
136 	switch (func) {
137 	case MMAP_CHECK:
138 		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
139 		break;
140 	case BPRM_CHECK:
141 		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
142 		break;
143 	case CREDS_CHECK:
144 		iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
145 		break;
146 	case FILE_CHECK:
147 	case POST_SETATTR:
148 		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
149 		break;
150 	case MODULE_CHECK ... MAX_CHECK - 1:
151 	default:
152 		iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
153 		break;
154 	}
155 }
156 
157 enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
158 				 int xattr_len)
159 {
160 	struct signature_v2_hdr *sig;
161 	enum hash_algo ret;
162 
163 	if (!xattr_value || xattr_len < 2)
164 		/* return default hash algo */
165 		return ima_hash_algo;
166 
167 	switch (xattr_value->type) {
168 	case EVM_IMA_XATTR_DIGSIG:
169 		sig = (typeof(sig))xattr_value;
170 		if (sig->version != 2 || xattr_len <= sizeof(*sig))
171 			return ima_hash_algo;
172 		return sig->hash_algo;
173 		break;
174 	case IMA_XATTR_DIGEST_NG:
175 		/* first byte contains algorithm id */
176 		ret = xattr_value->data[0];
177 		if (ret < HASH_ALGO__LAST)
178 			return ret;
179 		break;
180 	case IMA_XATTR_DIGEST:
181 		/* this is for backward compatibility */
182 		if (xattr_len == 21) {
183 			unsigned int zero = 0;
184 			if (!memcmp(&xattr_value->data[16], &zero, 4))
185 				return HASH_ALGO_MD5;
186 			else
187 				return HASH_ALGO_SHA1;
188 		} else if (xattr_len == 17)
189 			return HASH_ALGO_MD5;
190 		break;
191 	}
192 
193 	/* return default hash algo */
194 	return ima_hash_algo;
195 }
196 
197 int ima_read_xattr(struct dentry *dentry,
198 		   struct evm_ima_xattr_data **xattr_value)
199 {
200 	ssize_t ret;
201 
202 	ret = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
203 				 0, GFP_NOFS);
204 	if (ret == -EOPNOTSUPP)
205 		ret = 0;
206 	return ret;
207 }
208 
209 /*
210  * xattr_verify - verify xattr digest or signature
211  *
212  * Verify whether the hash or signature matches the file contents.
213  *
214  * Return 0 on success, error code otherwise.
215  */
216 static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
217 			struct evm_ima_xattr_data *xattr_value, int xattr_len,
218 			enum integrity_status *status, const char **cause)
219 {
220 	int rc = -EINVAL, hash_start = 0;
221 
222 	switch (xattr_value->type) {
223 	case IMA_XATTR_DIGEST_NG:
224 		/* first byte contains algorithm id */
225 		hash_start = 1;
226 		fallthrough;
227 	case IMA_XATTR_DIGEST:
228 		if (iint->flags & IMA_DIGSIG_REQUIRED) {
229 			*cause = "IMA-signature-required";
230 			*status = INTEGRITY_FAIL;
231 			break;
232 		}
233 		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
234 		if (xattr_len - sizeof(xattr_value->type) - hash_start >=
235 				iint->ima_hash->length)
236 			/*
237 			 * xattr length may be longer. md5 hash in previous
238 			 * version occupied 20 bytes in xattr, instead of 16
239 			 */
240 			rc = memcmp(&xattr_value->data[hash_start],
241 				    iint->ima_hash->digest,
242 				    iint->ima_hash->length);
243 		else
244 			rc = -EINVAL;
245 		if (rc) {
246 			*cause = "invalid-hash";
247 			*status = INTEGRITY_FAIL;
248 			break;
249 		}
250 		*status = INTEGRITY_PASS;
251 		break;
252 	case EVM_IMA_XATTR_DIGSIG:
253 		set_bit(IMA_DIGSIG, &iint->atomic_flags);
254 		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
255 					     (const char *)xattr_value,
256 					     xattr_len,
257 					     iint->ima_hash->digest,
258 					     iint->ima_hash->length);
259 		if (rc == -EOPNOTSUPP) {
260 			*status = INTEGRITY_UNKNOWN;
261 			break;
262 		}
263 		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
264 		    func == KEXEC_KERNEL_CHECK)
265 			rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
266 						     (const char *)xattr_value,
267 						     xattr_len,
268 						     iint->ima_hash->digest,
269 						     iint->ima_hash->length);
270 		if (rc) {
271 			*cause = "invalid-signature";
272 			*status = INTEGRITY_FAIL;
273 		} else {
274 			*status = INTEGRITY_PASS;
275 		}
276 		break;
277 	default:
278 		*status = INTEGRITY_UNKNOWN;
279 		*cause = "unknown-ima-data";
280 		break;
281 	}
282 
283 	return rc;
284 }
285 
286 /*
287  * modsig_verify - verify modsig signature
288  *
289  * Verify whether the signature matches the file contents.
290  *
291  * Return 0 on success, error code otherwise.
292  */
293 static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
294 			 enum integrity_status *status, const char **cause)
295 {
296 	int rc;
297 
298 	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
299 	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
300 	    func == KEXEC_KERNEL_CHECK)
301 		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
302 					     modsig);
303 	if (rc) {
304 		*cause = "invalid-signature";
305 		*status = INTEGRITY_FAIL;
306 	} else {
307 		*status = INTEGRITY_PASS;
308 	}
309 
310 	return rc;
311 }
312 
313 /*
314  * ima_check_blacklist - determine if the binary is blacklisted.
315  *
316  * Add the hash of the blacklisted binary to the measurement list, based
317  * on policy.
318  *
319  * Returns -EPERM if the hash is blacklisted.
320  */
321 int ima_check_blacklist(struct integrity_iint_cache *iint,
322 			const struct modsig *modsig, int pcr)
323 {
324 	enum hash_algo hash_algo;
325 	const u8 *digest = NULL;
326 	u32 digestsize = 0;
327 	int rc = 0;
328 
329 	if (!(iint->flags & IMA_CHECK_BLACKLIST))
330 		return 0;
331 
332 	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
333 		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
334 
335 		rc = is_binary_blacklisted(digest, digestsize);
336 		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
337 			process_buffer_measurement(NULL, digest, digestsize,
338 						   "blacklisted-hash", NONE,
339 						   pcr, NULL);
340 	}
341 
342 	return rc;
343 }
344 
345 /*
346  * ima_appraise_measurement - appraise file measurement
347  *
348  * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
349  * Assuming success, compare the xattr hash with the collected measurement.
350  *
351  * Return 0 on success, error code otherwise
352  */
353 int ima_appraise_measurement(enum ima_hooks func,
354 			     struct integrity_iint_cache *iint,
355 			     struct file *file, const unsigned char *filename,
356 			     struct evm_ima_xattr_data *xattr_value,
357 			     int xattr_len, const struct modsig *modsig)
358 {
359 	static const char op[] = "appraise_data";
360 	const char *cause = "unknown";
361 	struct dentry *dentry = file_dentry(file);
362 	struct inode *inode = d_backing_inode(dentry);
363 	enum integrity_status status = INTEGRITY_UNKNOWN;
364 	int rc = xattr_len;
365 	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
366 
367 	/* If not appraising a modsig, we need an xattr. */
368 	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
369 		return INTEGRITY_UNKNOWN;
370 
371 	/* If reading the xattr failed and there's no modsig, error out. */
372 	if (rc <= 0 && !try_modsig) {
373 		if (rc && rc != -ENODATA)
374 			goto out;
375 
376 		cause = iint->flags & IMA_DIGSIG_REQUIRED ?
377 				"IMA-signature-required" : "missing-hash";
378 		status = INTEGRITY_NOLABEL;
379 		if (file->f_mode & FMODE_CREATED)
380 			iint->flags |= IMA_NEW_FILE;
381 		if ((iint->flags & IMA_NEW_FILE) &&
382 		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
383 		     (inode->i_size == 0)))
384 			status = INTEGRITY_PASS;
385 		goto out;
386 	}
387 
388 	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
389 	switch (status) {
390 	case INTEGRITY_PASS:
391 	case INTEGRITY_PASS_IMMUTABLE:
392 	case INTEGRITY_UNKNOWN:
393 		break;
394 	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
395 		/* It's fine not to have xattrs when using a modsig. */
396 		if (try_modsig)
397 			break;
398 		fallthrough;
399 	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
400 		cause = "missing-HMAC";
401 		goto out;
402 	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
403 		cause = "invalid-HMAC";
404 		goto out;
405 	default:
406 		WARN_ONCE(true, "Unexpected integrity status %d\n", status);
407 	}
408 
409 	if (xattr_value)
410 		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
411 				  &cause);
412 
413 	/*
414 	 * If we have a modsig and either no imasig or the imasig's key isn't
415 	 * known, then try verifying the modsig.
416 	 */
417 	if (try_modsig &&
418 	    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
419 	     rc == -ENOKEY))
420 		rc = modsig_verify(func, modsig, &status, &cause);
421 
422 out:
423 	/*
424 	 * File signatures on some filesystems can not be properly verified.
425 	 * When such filesystems are mounted by an untrusted mounter or on a
426 	 * system not willing to accept such a risk, fail the file signature
427 	 * verification.
428 	 */
429 	if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
430 	    ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
431 	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
432 		status = INTEGRITY_FAIL;
433 		cause = "unverifiable-signature";
434 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
435 				    op, cause, rc, 0);
436 	} else if (status != INTEGRITY_PASS) {
437 		/* Fix mode, but don't replace file signatures. */
438 		if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
439 		    (!xattr_value ||
440 		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
441 			if (!ima_fix_xattr(dentry, iint))
442 				status = INTEGRITY_PASS;
443 		}
444 
445 		/* Permit new files with file signatures, but without data. */
446 		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
447 		    xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
448 			status = INTEGRITY_PASS;
449 		}
450 
451 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
452 				    op, cause, rc, 0);
453 	} else {
454 		ima_cache_flags(iint, func);
455 	}
456 
457 	ima_set_cache_status(iint, func, status);
458 	return status;
459 }
460 
461 /*
462  * ima_update_xattr - update 'security.ima' hash value
463  */
464 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
465 {
466 	struct dentry *dentry = file_dentry(file);
467 	int rc = 0;
468 
469 	/* do not collect and update hash for digital signatures */
470 	if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
471 		return;
472 
473 	if ((iint->ima_file_status != INTEGRITY_PASS) &&
474 	    !(iint->flags & IMA_HASH))
475 		return;
476 
477 	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
478 	if (rc < 0)
479 		return;
480 
481 	inode_lock(file_inode(file));
482 	ima_fix_xattr(dentry, iint);
483 	inode_unlock(file_inode(file));
484 }
485 
486 /**
487  * ima_inode_post_setattr - reflect file metadata changes
488  * @dentry: pointer to the affected dentry
489  *
490  * Changes to a dentry's metadata might result in needing to appraise.
491  *
492  * This function is called from notify_change(), which expects the caller
493  * to lock the inode's i_mutex.
494  */
495 void ima_inode_post_setattr(struct dentry *dentry)
496 {
497 	struct inode *inode = d_backing_inode(dentry);
498 	struct integrity_iint_cache *iint;
499 	int action;
500 
501 	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
502 	    || !(inode->i_opflags & IOP_XATTR))
503 		return;
504 
505 	action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
506 	if (!action)
507 		__vfs_removexattr(dentry, XATTR_NAME_IMA);
508 	iint = integrity_iint_find(inode);
509 	if (iint) {
510 		set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
511 		if (!action)
512 			clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
513 	}
514 }
515 
516 /*
517  * ima_protect_xattr - protect 'security.ima'
518  *
519  * Ensure that not just anyone can modify or remove 'security.ima'.
520  */
521 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
522 			     const void *xattr_value, size_t xattr_value_len)
523 {
524 	if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
525 		if (!capable(CAP_SYS_ADMIN))
526 			return -EPERM;
527 		return 1;
528 	}
529 	return 0;
530 }
531 
532 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
533 {
534 	struct integrity_iint_cache *iint;
535 
536 	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
537 		return;
538 
539 	iint = integrity_iint_find(inode);
540 	if (!iint)
541 		return;
542 	iint->measured_pcrs = 0;
543 	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
544 	if (digsig)
545 		set_bit(IMA_DIGSIG, &iint->atomic_flags);
546 	else
547 		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
548 }
549 
550 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
551 		       const void *xattr_value, size_t xattr_value_len)
552 {
553 	const struct evm_ima_xattr_data *xvalue = xattr_value;
554 	int result;
555 
556 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
557 				   xattr_value_len);
558 	if (result == 1) {
559 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
560 			return -EINVAL;
561 		ima_reset_appraise_flags(d_backing_inode(dentry),
562 			xvalue->type == EVM_IMA_XATTR_DIGSIG);
563 		result = 0;
564 	}
565 	return result;
566 }
567 
568 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
569 {
570 	int result;
571 
572 	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
573 	if (result == 1) {
574 		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
575 		result = 0;
576 	}
577 	return result;
578 }
579