1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2005-2010 IBM Corporation 4 * 5 * Author: 6 * Mimi Zohar <zohar@us.ibm.com> 7 * Kylene Hall <kjhall@us.ibm.com> 8 * 9 * File: evm_main.c 10 * implements evm_inode_setxattr, evm_inode_post_setxattr, 11 * evm_inode_removexattr, and evm_verifyxattr 12 */ 13 14 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 15 16 #include <linux/init.h> 17 #include <linux/crypto.h> 18 #include <linux/audit.h> 19 #include <linux/xattr.h> 20 #include <linux/integrity.h> 21 #include <linux/evm.h> 22 #include <linux/magic.h> 23 24 #include <crypto/hash.h> 25 #include <crypto/hash_info.h> 26 #include <crypto/algapi.h> 27 #include "evm.h" 28 29 int evm_initialized; 30 31 static const char * const integrity_status_msg[] = { 32 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 33 }; 34 int evm_hmac_attrs; 35 36 static struct xattr_list evm_config_default_xattrnames[] = { 37 #ifdef CONFIG_SECURITY_SELINUX 38 {.name = XATTR_NAME_SELINUX}, 39 #endif 40 #ifdef CONFIG_SECURITY_SMACK 41 {.name = XATTR_NAME_SMACK}, 42 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 43 {.name = XATTR_NAME_SMACKEXEC}, 44 {.name = XATTR_NAME_SMACKTRANSMUTE}, 45 {.name = XATTR_NAME_SMACKMMAP}, 46 #endif 47 #endif 48 #ifdef CONFIG_SECURITY_APPARMOR 49 {.name = XATTR_NAME_APPARMOR}, 50 #endif 51 #ifdef CONFIG_IMA_APPRAISE 52 {.name = XATTR_NAME_IMA}, 53 #endif 54 {.name = XATTR_NAME_CAPS}, 55 }; 56 57 LIST_HEAD(evm_config_xattrnames); 58 59 static int evm_fixmode __ro_after_init; evm_set_fixmode(char * str)60 static int __init evm_set_fixmode(char *str) 61 { 62 if (strncmp(str, "fix", 3) == 0) 63 evm_fixmode = 1; 64 return 0; 65 } 66 __setup("evm=", evm_set_fixmode); 67 evm_init_config(void)68 static void __init evm_init_config(void) 69 { 70 int i, xattrs; 71 72 xattrs = ARRAY_SIZE(evm_config_default_xattrnames); 73 74 pr_info("Initialising EVM extended attributes:\n"); 75 for (i = 0; i < xattrs; i++) { 76 pr_info("%s\n", evm_config_default_xattrnames[i].name); 77 list_add_tail(&evm_config_default_xattrnames[i].list, 78 &evm_config_xattrnames); 79 } 80 81 #ifdef CONFIG_EVM_ATTR_FSUUID 82 evm_hmac_attrs |= EVM_ATTR_FSUUID; 83 #endif 84 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 85 } 86 evm_key_loaded(void)87 static bool evm_key_loaded(void) 88 { 89 return (bool)(evm_initialized & EVM_KEY_MASK); 90 } 91 evm_find_protected_xattrs(struct dentry * dentry)92 static int evm_find_protected_xattrs(struct dentry *dentry) 93 { 94 struct inode *inode = d_backing_inode(dentry); 95 struct xattr_list *xattr; 96 int error; 97 int count = 0; 98 99 if (!(inode->i_opflags & IOP_XATTR)) 100 return -EOPNOTSUPP; 101 102 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 103 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0, 104 XATTR_NOSECURITY); 105 if (error < 0) { 106 if (error == -ENODATA) 107 continue; 108 return error; 109 } 110 count++; 111 } 112 113 return count; 114 } 115 116 /* 117 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 118 * 119 * Compute the HMAC on the dentry's protected set of extended attributes 120 * and compare it against the stored security.evm xattr. 121 * 122 * For performance: 123 * - use the previoulsy retrieved xattr value and length to calculate the 124 * HMAC.) 125 * - cache the verification result in the iint, when available. 126 * 127 * Returns integrity status 128 */ evm_verify_hmac(struct dentry * dentry,const char * xattr_name,char * xattr_value,size_t xattr_value_len,struct integrity_iint_cache * iint)129 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 130 const char *xattr_name, 131 char *xattr_value, 132 size_t xattr_value_len, 133 struct integrity_iint_cache *iint) 134 { 135 struct evm_ima_xattr_data *xattr_data = NULL; 136 struct signature_v2_hdr *hdr; 137 enum integrity_status evm_status = INTEGRITY_PASS; 138 struct evm_digest digest; 139 struct inode *inode; 140 int rc, xattr_len; 141 142 if (iint && (iint->evm_status == INTEGRITY_PASS || 143 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 144 return iint->evm_status; 145 146 /* if status is not PASS, try to check again - against -ENOMEM */ 147 148 /* first need to know the sig type */ 149 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 150 GFP_NOFS); 151 if (rc <= 0) { 152 evm_status = INTEGRITY_FAIL; 153 if (rc == -ENODATA) { 154 rc = evm_find_protected_xattrs(dentry); 155 if (rc > 0) 156 evm_status = INTEGRITY_NOLABEL; 157 else if (rc == 0) 158 evm_status = INTEGRITY_NOXATTRS; /* new file */ 159 } else if (rc == -EOPNOTSUPP) { 160 evm_status = INTEGRITY_UNKNOWN; 161 } 162 goto out; 163 } 164 165 xattr_len = rc; 166 167 /* check value type */ 168 switch (xattr_data->type) { 169 case EVM_XATTR_HMAC: 170 if (xattr_len != sizeof(struct evm_xattr)) { 171 evm_status = INTEGRITY_FAIL; 172 goto out; 173 } 174 175 digest.hdr.algo = HASH_ALGO_SHA1; 176 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 177 xattr_value_len, &digest); 178 if (rc) 179 break; 180 rc = crypto_memneq(xattr_data->data, digest.digest, 181 SHA1_DIGEST_SIZE); 182 if (rc) 183 rc = -EINVAL; 184 break; 185 case EVM_IMA_XATTR_DIGSIG: 186 case EVM_XATTR_PORTABLE_DIGSIG: 187 /* accept xattr with non-empty signature field */ 188 if (xattr_len <= sizeof(struct signature_v2_hdr)) { 189 evm_status = INTEGRITY_FAIL; 190 goto out; 191 } 192 193 hdr = (struct signature_v2_hdr *)xattr_data; 194 digest.hdr.algo = hdr->hash_algo; 195 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 196 xattr_value_len, xattr_data->type, &digest); 197 if (rc) 198 break; 199 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 200 (const char *)xattr_data, xattr_len, 201 digest.digest, digest.hdr.length); 202 if (!rc) { 203 inode = d_backing_inode(dentry); 204 205 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 206 if (iint) 207 iint->flags |= EVM_IMMUTABLE_DIGSIG; 208 evm_status = INTEGRITY_PASS_IMMUTABLE; 209 } else if (!IS_RDONLY(inode) && 210 !(inode->i_sb->s_readonly_remount) && 211 !IS_IMMUTABLE(inode)) { 212 evm_update_evmxattr(dentry, xattr_name, 213 xattr_value, 214 xattr_value_len); 215 } 216 } 217 break; 218 default: 219 rc = -EINVAL; 220 break; 221 } 222 223 if (rc) 224 evm_status = (rc == -ENODATA) ? 225 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 226 out: 227 if (iint) 228 iint->evm_status = evm_status; 229 kfree(xattr_data); 230 return evm_status; 231 } 232 evm_protected_xattr(const char * req_xattr_name)233 static int evm_protected_xattr(const char *req_xattr_name) 234 { 235 int namelen; 236 int found = 0; 237 struct xattr_list *xattr; 238 239 namelen = strlen(req_xattr_name); 240 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { 241 if ((strlen(xattr->name) == namelen) 242 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { 243 found = 1; 244 break; 245 } 246 if (strncmp(req_xattr_name, 247 xattr->name + XATTR_SECURITY_PREFIX_LEN, 248 strlen(req_xattr_name)) == 0) { 249 found = 1; 250 break; 251 } 252 } 253 254 return found; 255 } 256 257 /** 258 * evm_verifyxattr - verify the integrity of the requested xattr 259 * @dentry: object of the verify xattr 260 * @xattr_name: requested xattr 261 * @xattr_value: requested xattr value 262 * @xattr_value_len: requested xattr value length 263 * 264 * Calculate the HMAC for the given dentry and verify it against the stored 265 * security.evm xattr. For performance, use the xattr value and length 266 * previously retrieved to calculate the HMAC. 267 * 268 * Returns the xattr integrity status. 269 * 270 * This function requires the caller to lock the inode's i_mutex before it 271 * is executed. 272 */ evm_verifyxattr(struct dentry * dentry,const char * xattr_name,void * xattr_value,size_t xattr_value_len,struct integrity_iint_cache * iint)273 enum integrity_status evm_verifyxattr(struct dentry *dentry, 274 const char *xattr_name, 275 void *xattr_value, size_t xattr_value_len, 276 struct integrity_iint_cache *iint) 277 { 278 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 279 return INTEGRITY_UNKNOWN; 280 281 if (!iint) { 282 iint = integrity_iint_find(d_backing_inode(dentry)); 283 if (!iint) 284 return INTEGRITY_UNKNOWN; 285 } 286 return evm_verify_hmac(dentry, xattr_name, xattr_value, 287 xattr_value_len, iint); 288 } 289 EXPORT_SYMBOL_GPL(evm_verifyxattr); 290 291 /* 292 * evm_verify_current_integrity - verify the dentry's metadata integrity 293 * @dentry: pointer to the affected dentry 294 * 295 * Verify and return the dentry's metadata integrity. The exceptions are 296 * before EVM is initialized or in 'fix' mode. 297 */ evm_verify_current_integrity(struct dentry * dentry)298 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 299 { 300 struct inode *inode = d_backing_inode(dentry); 301 302 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 303 return 0; 304 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 305 } 306 307 /* 308 * evm_protect_xattr - protect the EVM extended attribute 309 * 310 * Prevent security.evm from being modified or removed without the 311 * necessary permissions or when the existing value is invalid. 312 * 313 * The posix xattr acls are 'system' prefixed, which normally would not 314 * affect security.evm. An interesting side affect of writing posix xattr 315 * acls is their modifying of the i_mode, which is included in security.evm. 316 * For posix xattr acls only, permit security.evm, even if it currently 317 * doesn't exist, to be updated unless the EVM signature is immutable. 318 */ evm_protect_xattr(struct dentry * dentry,const char * xattr_name,const void * xattr_value,size_t xattr_value_len)319 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 320 const void *xattr_value, size_t xattr_value_len) 321 { 322 enum integrity_status evm_status; 323 324 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 325 if (!capable(CAP_SYS_ADMIN)) 326 return -EPERM; 327 } else if (!evm_protected_xattr(xattr_name)) { 328 if (!posix_xattr_acl(xattr_name)) 329 return 0; 330 evm_status = evm_verify_current_integrity(dentry); 331 if ((evm_status == INTEGRITY_PASS) || 332 (evm_status == INTEGRITY_NOXATTRS)) 333 return 0; 334 goto out; 335 } 336 337 evm_status = evm_verify_current_integrity(dentry); 338 if (evm_status == INTEGRITY_NOXATTRS) { 339 struct integrity_iint_cache *iint; 340 341 iint = integrity_iint_find(d_backing_inode(dentry)); 342 if (iint && (iint->flags & IMA_NEW_FILE)) 343 return 0; 344 345 /* exception for pseudo filesystems */ 346 if (dentry->d_sb->s_magic == TMPFS_MAGIC 347 || dentry->d_sb->s_magic == SYSFS_MAGIC) 348 return 0; 349 350 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 351 dentry->d_inode, dentry->d_name.name, 352 "update_metadata", 353 integrity_status_msg[evm_status], 354 -EPERM, 0); 355 } 356 out: 357 if (evm_status != INTEGRITY_PASS) 358 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 359 dentry->d_name.name, "appraise_metadata", 360 integrity_status_msg[evm_status], 361 -EPERM, 0); 362 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 363 } 364 365 /** 366 * evm_inode_setxattr - protect the EVM extended attribute 367 * @dentry: pointer to the affected dentry 368 * @xattr_name: pointer to the affected extended attribute name 369 * @xattr_value: pointer to the new extended attribute value 370 * @xattr_value_len: pointer to the new extended attribute value length 371 * 372 * Before allowing the 'security.evm' protected xattr to be updated, 373 * verify the existing value is valid. As only the kernel should have 374 * access to the EVM encrypted key needed to calculate the HMAC, prevent 375 * userspace from writing HMAC value. Writing 'security.evm' requires 376 * requires CAP_SYS_ADMIN privileges. 377 */ evm_inode_setxattr(struct dentry * dentry,const char * xattr_name,const void * xattr_value,size_t xattr_value_len)378 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 379 const void *xattr_value, size_t xattr_value_len) 380 { 381 const struct evm_ima_xattr_data *xattr_data = xattr_value; 382 383 /* Policy permits modification of the protected xattrs even though 384 * there's no HMAC key loaded 385 */ 386 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 387 return 0; 388 389 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 390 if (!xattr_value_len) 391 return -EINVAL; 392 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 393 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 394 return -EPERM; 395 } 396 return evm_protect_xattr(dentry, xattr_name, xattr_value, 397 xattr_value_len); 398 } 399 400 /** 401 * evm_inode_removexattr - protect the EVM extended attribute 402 * @dentry: pointer to the affected dentry 403 * @xattr_name: pointer to the affected extended attribute name 404 * 405 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 406 * the current value is valid. 407 */ evm_inode_removexattr(struct dentry * dentry,const char * xattr_name)408 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 409 { 410 /* Policy permits modification of the protected xattrs even though 411 * there's no HMAC key loaded 412 */ 413 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 414 return 0; 415 416 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 417 } 418 evm_reset_status(struct inode * inode)419 static void evm_reset_status(struct inode *inode) 420 { 421 struct integrity_iint_cache *iint; 422 423 iint = integrity_iint_find(inode); 424 if (iint) 425 iint->evm_status = INTEGRITY_UNKNOWN; 426 } 427 428 /** 429 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 430 * @dentry: pointer to the affected dentry 431 * @xattr_name: pointer to the affected extended attribute name 432 * @xattr_value: pointer to the new extended attribute value 433 * @xattr_value_len: pointer to the new extended attribute value length 434 * 435 * Update the HMAC stored in 'security.evm' to reflect the change. 436 * 437 * No need to take the i_mutex lock here, as this function is called from 438 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 439 * i_mutex lock. 440 */ evm_inode_post_setxattr(struct dentry * dentry,const char * xattr_name,const void * xattr_value,size_t xattr_value_len)441 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 442 const void *xattr_value, size_t xattr_value_len) 443 { 444 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 445 && !posix_xattr_acl(xattr_name))) 446 return; 447 448 evm_reset_status(dentry->d_inode); 449 450 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 451 } 452 453 /** 454 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 455 * @dentry: pointer to the affected dentry 456 * @xattr_name: pointer to the affected extended attribute name 457 * 458 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 459 * 460 * No need to take the i_mutex lock here, as this function is called from 461 * vfs_removexattr() which takes the i_mutex. 462 */ evm_inode_post_removexattr(struct dentry * dentry,const char * xattr_name)463 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 464 { 465 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 466 return; 467 468 evm_reset_status(dentry->d_inode); 469 470 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 471 } 472 473 /** 474 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 475 * @idmap: idmap of the mount 476 * @dentry: pointer to the affected dentry 477 * @attr: iattr structure containing the new file attributes 478 * 479 * Permit update of file attributes when files have a valid EVM signature, 480 * except in the case of them having an immutable portable signature. 481 */ evm_inode_setattr(struct dentry * dentry,struct iattr * attr)482 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 483 { 484 unsigned int ia_valid = attr->ia_valid; 485 enum integrity_status evm_status; 486 487 /* Policy permits modification of the protected attrs even though 488 * there's no HMAC key loaded 489 */ 490 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 491 return 0; 492 493 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 494 return 0; 495 evm_status = evm_verify_current_integrity(dentry); 496 if ((evm_status == INTEGRITY_PASS) || 497 (evm_status == INTEGRITY_NOXATTRS)) 498 return 0; 499 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 500 dentry->d_name.name, "appraise_metadata", 501 integrity_status_msg[evm_status], -EPERM, 0); 502 return -EPERM; 503 } 504 505 /** 506 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 507 * @dentry: pointer to the affected dentry 508 * @ia_valid: for the UID and GID status 509 * 510 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 511 * changes. 512 * 513 * This function is called from notify_change(), which expects the caller 514 * to lock the inode's i_mutex. 515 */ evm_inode_post_setattr(struct dentry * dentry,int ia_valid)516 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 517 { 518 if (!evm_key_loaded()) 519 return; 520 521 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 522 evm_update_evmxattr(dentry, NULL, NULL, 0); 523 } 524 525 /* 526 * evm_inode_init_security - initializes security.evm HMAC value 527 */ evm_inode_init_security(struct inode * inode,const struct xattr * lsm_xattr,struct xattr * evm_xattr)528 int evm_inode_init_security(struct inode *inode, 529 const struct xattr *lsm_xattr, 530 struct xattr *evm_xattr) 531 { 532 struct evm_xattr *xattr_data; 533 int rc; 534 535 if (!(evm_initialized & EVM_INIT_HMAC) || 536 !evm_protected_xattr(lsm_xattr->name)) 537 return 0; 538 539 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 540 if (!xattr_data) 541 return -ENOMEM; 542 543 xattr_data->data.type = EVM_XATTR_HMAC; 544 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 545 if (rc < 0) 546 goto out; 547 548 evm_xattr->value = xattr_data; 549 evm_xattr->value_len = sizeof(*xattr_data); 550 evm_xattr->name = XATTR_EVM_SUFFIX; 551 return 0; 552 out: 553 kfree(xattr_data); 554 return rc; 555 } 556 EXPORT_SYMBOL_GPL(evm_inode_init_security); 557 558 #ifdef CONFIG_EVM_LOAD_X509 evm_load_x509(void)559 void __init evm_load_x509(void) 560 { 561 int rc; 562 563 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 564 if (!rc) 565 evm_initialized |= EVM_INIT_X509; 566 } 567 #endif 568 init_evm(void)569 static int __init init_evm(void) 570 { 571 int error; 572 struct list_head *pos, *q; 573 574 evm_init_config(); 575 576 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 577 if (error) 578 goto error; 579 580 error = evm_init_secfs(); 581 if (error < 0) { 582 pr_info("Error registering secfs\n"); 583 goto error; 584 } 585 586 error: 587 if (error != 0) { 588 if (!list_empty(&evm_config_xattrnames)) { 589 list_for_each_safe(pos, q, &evm_config_xattrnames) 590 list_del(pos); 591 } 592 } 593 594 return error; 595 } 596 597 late_initcall(init_evm); 598