1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2005-2010 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
7 * Kylene Hall <kjhall@us.ibm.com>
8 *
9 * File: evm_main.c
10 * implements evm_inode_setxattr, evm_inode_post_setxattr,
11 * evm_inode_removexattr, and evm_verifyxattr
12 */
13
14 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15
16 #include <linux/init.h>
17 #include <linux/crypto.h>
18 #include <linux/audit.h>
19 #include <linux/xattr.h>
20 #include <linux/integrity.h>
21 #include <linux/evm.h>
22 #include <linux/magic.h>
23
24 #include <crypto/hash.h>
25 #include <crypto/hash_info.h>
26 #include <crypto/algapi.h>
27 #include "evm.h"
28
29 int evm_initialized;
30
31 static const char * const integrity_status_msg[] = {
32 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
33 };
34 int evm_hmac_attrs;
35
36 static struct xattr_list evm_config_default_xattrnames[] = {
37 #ifdef CONFIG_SECURITY_SELINUX
38 {.name = XATTR_NAME_SELINUX},
39 #endif
40 #ifdef CONFIG_SECURITY_SMACK
41 {.name = XATTR_NAME_SMACK},
42 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
43 {.name = XATTR_NAME_SMACKEXEC},
44 {.name = XATTR_NAME_SMACKTRANSMUTE},
45 {.name = XATTR_NAME_SMACKMMAP},
46 #endif
47 #endif
48 #ifdef CONFIG_SECURITY_APPARMOR
49 {.name = XATTR_NAME_APPARMOR},
50 #endif
51 #ifdef CONFIG_IMA_APPRAISE
52 {.name = XATTR_NAME_IMA},
53 #endif
54 {.name = XATTR_NAME_CAPS},
55 };
56
57 LIST_HEAD(evm_config_xattrnames);
58
59 static int evm_fixmode;
evm_set_fixmode(char * str)60 static int __init evm_set_fixmode(char *str)
61 {
62 if (strncmp(str, "fix", 3) == 0)
63 evm_fixmode = 1;
64 return 0;
65 }
66 __setup("evm=", evm_set_fixmode);
67
evm_init_config(void)68 static void __init evm_init_config(void)
69 {
70 int i, xattrs;
71
72 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
73
74 pr_info("Initialising EVM extended attributes:\n");
75 for (i = 0; i < xattrs; i++) {
76 pr_info("%s\n", evm_config_default_xattrnames[i].name);
77 list_add_tail(&evm_config_default_xattrnames[i].list,
78 &evm_config_xattrnames);
79 }
80
81 #ifdef CONFIG_EVM_ATTR_FSUUID
82 evm_hmac_attrs |= EVM_ATTR_FSUUID;
83 #endif
84 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
85 }
86
evm_key_loaded(void)87 static bool evm_key_loaded(void)
88 {
89 return (bool)(evm_initialized & EVM_KEY_MASK);
90 }
91
evm_find_protected_xattrs(struct dentry * dentry)92 static int evm_find_protected_xattrs(struct dentry *dentry)
93 {
94 struct inode *inode = d_backing_inode(dentry);
95 struct xattr_list *xattr;
96 int error;
97 int count = 0;
98
99 if (!(inode->i_opflags & IOP_XATTR))
100 return -EOPNOTSUPP;
101
102 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
103 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0,
104 XATTR_NOSECURITY);
105 if (error < 0) {
106 if (error == -ENODATA)
107 continue;
108 return error;
109 }
110 count++;
111 }
112
113 return count;
114 }
115
116 /*
117 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
118 *
119 * Compute the HMAC on the dentry's protected set of extended attributes
120 * and compare it against the stored security.evm xattr.
121 *
122 * For performance:
123 * - use the previoulsy retrieved xattr value and length to calculate the
124 * HMAC.)
125 * - cache the verification result in the iint, when available.
126 *
127 * Returns integrity status
128 */
evm_verify_hmac(struct dentry * dentry,const char * xattr_name,char * xattr_value,size_t xattr_value_len,struct integrity_iint_cache * iint)129 static enum integrity_status evm_verify_hmac(struct dentry *dentry,
130 const char *xattr_name,
131 char *xattr_value,
132 size_t xattr_value_len,
133 struct integrity_iint_cache *iint)
134 {
135 struct evm_ima_xattr_data *xattr_data = NULL;
136 struct signature_v2_hdr *hdr;
137 enum integrity_status evm_status = INTEGRITY_PASS;
138 struct evm_digest digest;
139 struct inode *inode;
140 int rc, xattr_len;
141
142 if (iint && (iint->evm_status == INTEGRITY_PASS ||
143 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
144 return iint->evm_status;
145
146 /* if status is not PASS, try to check again - against -ENOMEM */
147
148 /* first need to know the sig type */
149 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
150 GFP_NOFS);
151 if (rc <= 0) {
152 evm_status = INTEGRITY_FAIL;
153 if (rc == -ENODATA) {
154 rc = evm_find_protected_xattrs(dentry);
155 if (rc > 0)
156 evm_status = INTEGRITY_NOLABEL;
157 else if (rc == 0)
158 evm_status = INTEGRITY_NOXATTRS; /* new file */
159 } else if (rc == -EOPNOTSUPP) {
160 evm_status = INTEGRITY_UNKNOWN;
161 }
162 goto out;
163 }
164
165 xattr_len = rc;
166
167 /* check value type */
168 switch (xattr_data->type) {
169 case EVM_XATTR_HMAC:
170 if (xattr_len != sizeof(struct evm_xattr)) {
171 evm_status = INTEGRITY_FAIL;
172 goto out;
173 }
174
175 digest.hdr.algo = HASH_ALGO_SHA1;
176 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
177 xattr_value_len, &digest);
178 if (rc)
179 break;
180 rc = crypto_memneq(xattr_data->data, digest.digest,
181 SHA1_DIGEST_SIZE);
182 if (rc)
183 rc = -EINVAL;
184 break;
185 case EVM_IMA_XATTR_DIGSIG:
186 case EVM_XATTR_PORTABLE_DIGSIG:
187 hdr = (struct signature_v2_hdr *)xattr_data;
188 digest.hdr.algo = hdr->hash_algo;
189 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
190 xattr_value_len, xattr_data->type, &digest);
191 if (rc)
192 break;
193 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
194 (const char *)xattr_data, xattr_len,
195 digest.digest, digest.hdr.length);
196 if (!rc) {
197 inode = d_backing_inode(dentry);
198
199 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
200 if (iint)
201 iint->flags |= EVM_IMMUTABLE_DIGSIG;
202 evm_status = INTEGRITY_PASS_IMMUTABLE;
203 } else if (!IS_RDONLY(inode) &&
204 !(inode->i_sb->s_readonly_remount) &&
205 !IS_IMMUTABLE(inode)) {
206 evm_update_evmxattr(dentry, xattr_name,
207 xattr_value,
208 xattr_value_len);
209 }
210 }
211 break;
212 default:
213 rc = -EINVAL;
214 break;
215 }
216
217 if (rc)
218 evm_status = (rc == -ENODATA) ?
219 INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
220 out:
221 if (iint)
222 iint->evm_status = evm_status;
223 kfree(xattr_data);
224 return evm_status;
225 }
226
evm_protected_xattr(const char * req_xattr_name)227 static int evm_protected_xattr(const char *req_xattr_name)
228 {
229 int namelen;
230 int found = 0;
231 struct xattr_list *xattr;
232
233 namelen = strlen(req_xattr_name);
234 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
235 if ((strlen(xattr->name) == namelen)
236 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
237 found = 1;
238 break;
239 }
240 if (strncmp(req_xattr_name,
241 xattr->name + XATTR_SECURITY_PREFIX_LEN,
242 strlen(req_xattr_name)) == 0) {
243 found = 1;
244 break;
245 }
246 }
247
248 return found;
249 }
250
251 /**
252 * evm_verifyxattr - verify the integrity of the requested xattr
253 * @dentry: object of the verify xattr
254 * @xattr_name: requested xattr
255 * @xattr_value: requested xattr value
256 * @xattr_value_len: requested xattr value length
257 *
258 * Calculate the HMAC for the given dentry and verify it against the stored
259 * security.evm xattr. For performance, use the xattr value and length
260 * previously retrieved to calculate the HMAC.
261 *
262 * Returns the xattr integrity status.
263 *
264 * This function requires the caller to lock the inode's i_mutex before it
265 * is executed.
266 */
evm_verifyxattr(struct dentry * dentry,const char * xattr_name,void * xattr_value,size_t xattr_value_len,struct integrity_iint_cache * iint)267 enum integrity_status evm_verifyxattr(struct dentry *dentry,
268 const char *xattr_name,
269 void *xattr_value, size_t xattr_value_len,
270 struct integrity_iint_cache *iint)
271 {
272 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
273 return INTEGRITY_UNKNOWN;
274
275 if (!iint) {
276 iint = integrity_iint_find(d_backing_inode(dentry));
277 if (!iint)
278 return INTEGRITY_UNKNOWN;
279 }
280 return evm_verify_hmac(dentry, xattr_name, xattr_value,
281 xattr_value_len, iint);
282 }
283 EXPORT_SYMBOL_GPL(evm_verifyxattr);
284
285 /*
286 * evm_verify_current_integrity - verify the dentry's metadata integrity
287 * @dentry: pointer to the affected dentry
288 *
289 * Verify and return the dentry's metadata integrity. The exceptions are
290 * before EVM is initialized or in 'fix' mode.
291 */
evm_verify_current_integrity(struct dentry * dentry)292 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
293 {
294 struct inode *inode = d_backing_inode(dentry);
295
296 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
297 return 0;
298 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
299 }
300
301 /*
302 * evm_protect_xattr - protect the EVM extended attribute
303 *
304 * Prevent security.evm from being modified or removed without the
305 * necessary permissions or when the existing value is invalid.
306 *
307 * The posix xattr acls are 'system' prefixed, which normally would not
308 * affect security.evm. An interesting side affect of writing posix xattr
309 * acls is their modifying of the i_mode, which is included in security.evm.
310 * For posix xattr acls only, permit security.evm, even if it currently
311 * doesn't exist, to be updated unless the EVM signature is immutable.
312 */
evm_protect_xattr(struct dentry * dentry,const char * xattr_name,const void * xattr_value,size_t xattr_value_len)313 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
314 const void *xattr_value, size_t xattr_value_len)
315 {
316 enum integrity_status evm_status;
317
318 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
319 if (!capable(CAP_SYS_ADMIN))
320 return -EPERM;
321 } else if (!evm_protected_xattr(xattr_name)) {
322 if (!posix_xattr_acl(xattr_name))
323 return 0;
324 evm_status = evm_verify_current_integrity(dentry);
325 if ((evm_status == INTEGRITY_PASS) ||
326 (evm_status == INTEGRITY_NOXATTRS))
327 return 0;
328 goto out;
329 }
330
331 evm_status = evm_verify_current_integrity(dentry);
332 if (evm_status == INTEGRITY_NOXATTRS) {
333 struct integrity_iint_cache *iint;
334
335 iint = integrity_iint_find(d_backing_inode(dentry));
336 if (iint && (iint->flags & IMA_NEW_FILE))
337 return 0;
338
339 /* exception for pseudo filesystems */
340 if (dentry->d_sb->s_magic == TMPFS_MAGIC
341 || dentry->d_sb->s_magic == SYSFS_MAGIC)
342 return 0;
343
344 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
345 dentry->d_inode, dentry->d_name.name,
346 "update_metadata",
347 integrity_status_msg[evm_status],
348 -EPERM, 0);
349 }
350 out:
351 if (evm_status != INTEGRITY_PASS)
352 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
353 dentry->d_name.name, "appraise_metadata",
354 integrity_status_msg[evm_status],
355 -EPERM, 0);
356 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
357 }
358
359 /**
360 * evm_inode_setxattr - protect the EVM extended attribute
361 * @dentry: pointer to the affected dentry
362 * @xattr_name: pointer to the affected extended attribute name
363 * @xattr_value: pointer to the new extended attribute value
364 * @xattr_value_len: pointer to the new extended attribute value length
365 *
366 * Before allowing the 'security.evm' protected xattr to be updated,
367 * verify the existing value is valid. As only the kernel should have
368 * access to the EVM encrypted key needed to calculate the HMAC, prevent
369 * userspace from writing HMAC value. Writing 'security.evm' requires
370 * requires CAP_SYS_ADMIN privileges.
371 */
evm_inode_setxattr(struct dentry * dentry,const char * xattr_name,const void * xattr_value,size_t xattr_value_len)372 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
373 const void *xattr_value, size_t xattr_value_len)
374 {
375 const struct evm_ima_xattr_data *xattr_data = xattr_value;
376
377 /* Policy permits modification of the protected xattrs even though
378 * there's no HMAC key loaded
379 */
380 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
381 return 0;
382
383 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
384 if (!xattr_value_len)
385 return -EINVAL;
386 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
387 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
388 return -EPERM;
389 }
390 return evm_protect_xattr(dentry, xattr_name, xattr_value,
391 xattr_value_len);
392 }
393
394 /**
395 * evm_inode_removexattr - protect the EVM extended attribute
396 * @dentry: pointer to the affected dentry
397 * @xattr_name: pointer to the affected extended attribute name
398 *
399 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
400 * the current value is valid.
401 */
evm_inode_removexattr(struct dentry * dentry,const char * xattr_name)402 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
403 {
404 /* Policy permits modification of the protected xattrs even though
405 * there's no HMAC key loaded
406 */
407 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
408 return 0;
409
410 return evm_protect_xattr(dentry, xattr_name, NULL, 0);
411 }
412
evm_reset_status(struct inode * inode)413 static void evm_reset_status(struct inode *inode)
414 {
415 struct integrity_iint_cache *iint;
416
417 iint = integrity_iint_find(inode);
418 if (iint)
419 iint->evm_status = INTEGRITY_UNKNOWN;
420 }
421
422 /**
423 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
424 * @dentry: pointer to the affected dentry
425 * @xattr_name: pointer to the affected extended attribute name
426 * @xattr_value: pointer to the new extended attribute value
427 * @xattr_value_len: pointer to the new extended attribute value length
428 *
429 * Update the HMAC stored in 'security.evm' to reflect the change.
430 *
431 * No need to take the i_mutex lock here, as this function is called from
432 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
433 * i_mutex lock.
434 */
evm_inode_post_setxattr(struct dentry * dentry,const char * xattr_name,const void * xattr_value,size_t xattr_value_len)435 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
436 const void *xattr_value, size_t xattr_value_len)
437 {
438 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
439 && !posix_xattr_acl(xattr_name)))
440 return;
441
442 evm_reset_status(dentry->d_inode);
443
444 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
445 }
446
447 /**
448 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
449 * @dentry: pointer to the affected dentry
450 * @xattr_name: pointer to the affected extended attribute name
451 *
452 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
453 *
454 * No need to take the i_mutex lock here, as this function is called from
455 * vfs_removexattr() which takes the i_mutex.
456 */
evm_inode_post_removexattr(struct dentry * dentry,const char * xattr_name)457 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
458 {
459 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
460 return;
461
462 evm_reset_status(dentry->d_inode);
463
464 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
465 }
466
467 /**
468 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
469 * @dentry: pointer to the affected dentry
470 *
471 * Permit update of file attributes when files have a valid EVM signature,
472 * except in the case of them having an immutable portable signature.
473 */
evm_inode_setattr(struct dentry * dentry,struct iattr * attr)474 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
475 {
476 unsigned int ia_valid = attr->ia_valid;
477 enum integrity_status evm_status;
478
479 /* Policy permits modification of the protected attrs even though
480 * there's no HMAC key loaded
481 */
482 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
483 return 0;
484
485 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
486 return 0;
487 evm_status = evm_verify_current_integrity(dentry);
488 if ((evm_status == INTEGRITY_PASS) ||
489 (evm_status == INTEGRITY_NOXATTRS))
490 return 0;
491 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
492 dentry->d_name.name, "appraise_metadata",
493 integrity_status_msg[evm_status], -EPERM, 0);
494 return -EPERM;
495 }
496
497 /**
498 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
499 * @dentry: pointer to the affected dentry
500 * @ia_valid: for the UID and GID status
501 *
502 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
503 * changes.
504 *
505 * This function is called from notify_change(), which expects the caller
506 * to lock the inode's i_mutex.
507 */
evm_inode_post_setattr(struct dentry * dentry,int ia_valid)508 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
509 {
510 if (!evm_key_loaded())
511 return;
512
513 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
514 evm_update_evmxattr(dentry, NULL, NULL, 0);
515 }
516
517 /*
518 * evm_inode_init_security - initializes security.evm
519 */
evm_inode_init_security(struct inode * inode,const struct xattr * lsm_xattr,struct xattr * evm_xattr)520 int evm_inode_init_security(struct inode *inode,
521 const struct xattr *lsm_xattr,
522 struct xattr *evm_xattr)
523 {
524 struct evm_xattr *xattr_data;
525 int rc;
526
527 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
528 return 0;
529
530 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
531 if (!xattr_data)
532 return -ENOMEM;
533
534 xattr_data->data.type = EVM_XATTR_HMAC;
535 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
536 if (rc < 0)
537 goto out;
538
539 evm_xattr->value = xattr_data;
540 evm_xattr->value_len = sizeof(*xattr_data);
541 evm_xattr->name = XATTR_EVM_SUFFIX;
542 return 0;
543 out:
544 kfree(xattr_data);
545 return rc;
546 }
547 EXPORT_SYMBOL_GPL(evm_inode_init_security);
548
549 #ifdef CONFIG_EVM_LOAD_X509
evm_load_x509(void)550 void __init evm_load_x509(void)
551 {
552 int rc;
553
554 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
555 if (!rc)
556 evm_initialized |= EVM_INIT_X509;
557 }
558 #endif
559
init_evm(void)560 static int __init init_evm(void)
561 {
562 int error;
563 struct list_head *pos, *q;
564
565 evm_init_config();
566
567 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
568 if (error)
569 goto error;
570
571 error = evm_init_secfs();
572 if (error < 0) {
573 pr_info("Error registering secfs\n");
574 goto error;
575 }
576
577 error:
578 if (error != 0) {
579 if (!list_empty(&evm_config_xattrnames)) {
580 list_for_each_safe(pos, q, &evm_config_xattrnames)
581 list_del(pos);
582 }
583 }
584
585 return error;
586 }
587
588 late_initcall(init_evm);
589