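// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2010 IBM Corporation
 *
 * Authors:
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * File: evm_secfs.c
 *	- Used to signal when key is on keyring
 *	- Get the key and enable EVM
 *
 * securityfs entries provided by this file:
 *	<securityfs>/integrity/evm/evm		EVM init flags (read/write)
 *	<securityfs>/evm			symlink to the above
 *	<securityfs>/integrity/evm/evm_xattrs	protected xattr list
 *						(CONFIG_EVM_ADD_XATTRS only)
 *
 * Every write path here requires CAP_SYS_ADMIN; the values written are
 * operator input and are validated before they reach EVM state.
 */

#include <linux/audit.h>
#include <linux/uaccess.h>
#include <linux/init.h>
#include <linux/mutex.h>
#include "evm.h"

static struct dentry *evm_dir;
static struct dentry *evm_symlink;

#ifdef CONFIG_EVM_ADD_XATTRS
static struct dentry *evm_xattrs;
/* Serialises writers and readers of evm_config_xattrnames, and the lock flag */
static DEFINE_MUTEX(xattr_list_mutex);
/* Set once "." is written to evm_xattrs; no further names are accepted */
static int evm_xattrs_locked;
#endif

/**
 * evm_read_key - read() for <securityfs>/evm
 *
 * @filp: file pointer, not actually used
 * @buf: where to put the result
 * @count: maximum to send along
 * @ppos: where to start
 *
 * Reports the current EVM init flags as a decimal integer.  The internal
 * EVM_SETUP_COMPLETE bit is masked out so userspace only sees the bits it
 * can request through evm_write_key().  The value is produced once; any
 * read at a non-zero offset returns EOF.
 *
 * Returns number of bytes read or error code, as appropriate
 */
static ssize_t evm_read_key(struct file *filp, char __user *buf,
			    size_t count, loff_t *ppos)
{
	char temp[80];
	int len;

	if (*ppos != 0)
		return 0;

	/* Bounded formatting; a single int can never fill 80 bytes */
	len = snprintf(temp, sizeof(temp), "%d",
		       (evm_initialized & ~EVM_SETUP_COMPLETE));

	return simple_read_from_buffer(buf, count, ppos, temp, len);
}

/**
 * evm_write_key - write() for <securityfs>/evm
 * @file: file pointer, not actually used
 * @buf: where to get the data from
 * @count: bytes sent
 * @ppos: where to start
 *
 * Used to signal that key is on the kernel key ring.
 *	- get the integrity hmac key from the kernel key ring
 *	- create list of hmac protected extended attributes
 *
 * The written value is an unsigned integer (any base kstrtouint accepts)
 * whose set bits must lie within EVM_INIT_MASK; zero is rejected.  Bits are
 * OR-ed into evm_initialized, so userspace can only add flags, never clear
 * them.  Writes require CAP_SYS_ADMIN and are refused once
 * EVM_SETUP_COMPLETE is set, which happens the moment EVM_INIT_HMAC is
 * accepted: loading the symmetric key is a one-way transition.
 *
 * EVM_ALLOW_METADATA_WRITES and a loaded HMAC key are mutually exclusive:
 * requesting the former while EVM_INIT_HMAC is already set is refused, and
 * if both arrive together (or the flag was set earlier) the flag is cleared
 * once the key is loaded.
 *
 * Returns number of bytes written or error code, as appropriate
 */
static ssize_t evm_write_key(struct file *file, const char __user *buf,
			     size_t count, loff_t *ppos)
{
	unsigned int i;
	int ret;

	if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP_COMPLETE))
		return -EPERM;

	ret = kstrtouint_from_user(buf, count, 0, &i);
	if (ret)
		return ret;

	/* Reject zero and any bit outside the documented mask */
	if (!i || (i & ~EVM_INIT_MASK) != 0)
		return -EINVAL;

	/*
	 * Don't allow a request to enable metadata writes if
	 * an HMAC key is loaded.
	 */
	if ((i & EVM_ALLOW_METADATA_WRITES) &&
	    (evm_initialized & EVM_INIT_HMAC) != 0)
		return -EPERM;

	if (i & EVM_INIT_HMAC) {
		ret = evm_init_key();
		if (ret != 0)
			return ret;
		/* Forbid further writes after the symmetric key is loaded */
		i |= EVM_SETUP_COMPLETE;
	}

	evm_initialized |= i;

	/*
	 * Don't allow protected metadata modification if a symmetric key
	 * is loaded
	 */
	if (evm_initialized & EVM_INIT_HMAC)
		evm_initialized &= ~(EVM_ALLOW_METADATA_WRITES);

	return count;
}

static const struct file_operations evm_key_ops = {
	.read = evm_read_key,
	.write = evm_write_key,
};

#ifdef CONFIG_EVM_ADD_XATTRS
/**
 * evm_read_xattrs - read() for <securityfs>/evm_xattrs
 *
 * @filp: file pointer, not actually used
 * @buf: where to put the result
 * @count: maximum to send along
 * @ppos: where to start
 *
 * Emits every enabled entry of evm_config_xattrnames, one name per line.
 * Disabled entries are skipped.  The whole list is snapshotted into a
 * temporary buffer under xattr_list_mutex so that a concurrent
 * evm_write_xattrs() cannot change the list between sizing and copying.
 * Only a read at offset 0 produces output; later offsets return EOF.
 *
 * Returns number of bytes read or error code, as appropriate
 */
static ssize_t evm_read_xattrs(struct file *filp, char __user *buf,
			       size_t count, loff_t *ppos)
{
	char *temp;
	size_t offset = 0, size = 0;
	ssize_t rc;
	struct xattr_list *xattr;

	if (*ppos != 0)
		return 0;

	rc = mutex_lock_interruptible(&xattr_list_mutex);
	if (rc)
		return -ERESTARTSYS;

	/* First pass: size the output (name + '\n' per enabled entry) */
	list_for_each_entry(xattr, &evm_config_xattrnames, list) {
		if (!xattr->enabled)
			continue;

		size += strlen(xattr->name) + 1;
	}

	temp = kmalloc(size + 1, GFP_KERNEL);
	if (!temp) {
		mutex_unlock(&xattr_list_mutex);
		return -ENOMEM;
	}

	temp[size] = '\0';

	/*
	 * No truncation possible: size is computed over the same enabled
	 * xattrs under xattr_list_mutex, so offset never exceeds size.
	 */
	list_for_each_entry(xattr, &evm_config_xattrnames, list) {
		if (!xattr->enabled)
			continue;

		offset += snprintf(temp + offset, size + 1 - offset, "%s\n",
				   xattr->name);
	}

	mutex_unlock(&xattr_list_mutex);
	rc = simple_read_from_buffer(buf, count, ppos, temp, offset);

	kfree(temp);

	return rc;
}

/**
 * evm_write_xattrs - write() for <securityfs>/evm_xattrs
 * @file: file pointer, not actually used
 * @buf: where to get the data from
 * @count: bytes sent
 * @ppos: where to start
 *
 * Adds one extended attribute name to the list of EVM-protected xattrs,
 * or seals the list.  The written string (trailing newline stripped) is:
 *	"."		lock the list: no further names are accepted and the
 *			file's mode is dropped to 0440;
 *	"security.*"	add the name, or re-enable it if it is already
 *			present but disabled.
 * Anything else is rejected with -EINVAL.  A bare "security." with nothing
 * after the prefix is rejected as well, since it cannot name a real xattr.
 *
 * Every attempt is recorded with an AUDIT_INTEGRITY_EVM_XATTR event
 * carrying the (escaped) name and the result.  Names are at most
 * XATTR_NAME_MAX bytes and must be written in a single write at offset 0.
 *
 * The lock flag is checked once without the mutex for a cheap early
 * refusal and again under xattr_list_mutex before the list is modified, so
 * a name cannot be added concurrently with the "." write that seals it.
 *
 * Returns number of bytes written or error code, as appropriate
 */
static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
				size_t count, loff_t *ppos)
{
	int len, err;
	struct xattr_list *xattr, *tmp;
	struct audit_buffer *ab;
	struct iattr newattrs;
	struct inode *inode;

	/* Unlocked fast path; the authoritative check is repeated under the mutex */
	if (!capable(CAP_SYS_ADMIN) || evm_xattrs_locked)
		return -EPERM;

	if (*ppos != 0)
		return -EINVAL;

	if (count > XATTR_NAME_MAX)
		return -E2BIG;

	/* A NULL ab is acceptable only when auditing is compiled out */
	ab = audit_log_start(audit_context(), GFP_KERNEL,
			     AUDIT_INTEGRITY_EVM_XATTR);
	if (!ab && IS_ENABLED(CONFIG_AUDIT))
		return -ENOMEM;

	xattr = kmalloc_obj(struct xattr_list);
	if (!xattr) {
		err = -ENOMEM;
		goto out;
	}

	xattr->enabled = true;
	xattr->name = memdup_user_nul(buf, count);
	if (IS_ERR(xattr->name)) {
		err = PTR_ERR(xattr->name);
		xattr->name = NULL;
		goto out;
	}

	/* Remove any trailing newline (e.g. from "echo" without -n) */
	len = strlen(xattr->name);
	if (len && xattr->name[len - 1] == '\n')
		xattr->name[len - 1] = '\0';

	/* The name is user-controlled: log it escaped, never as a format */
	audit_log_format(ab, "xattr=");
	audit_log_untrustedstring(ab, xattr->name);

	if (strcmp(xattr->name, ".") == 0) {
		/*
		 * Seal the list.  The flag is the actual enforcement; the
		 * mode change only makes the file read-only in securityfs.
		 * Set the flag under the mutex so an in-flight add that has
		 * already passed the early check cannot slip past it.
		 */
		mutex_lock(&xattr_list_mutex);
		evm_xattrs_locked = 1;
		mutex_unlock(&xattr_list_mutex);

		newattrs.ia_mode = S_IFREG | 0440;
		newattrs.ia_valid = ATTR_MODE;
		inode = evm_xattrs->d_inode;
		inode_lock(inode);
		err = simple_setattr(&nop_mnt_idmap, evm_xattrs, &newattrs);
		inode_unlock(inode);
		if (!err)
			err = count;
		goto out;
	}

	/*
	 * Only "security.*" names may be protected.  The prefix check
	 * guarantees name[XATTR_SECURITY_PREFIX_LEN] is in bounds, so a
	 * bare prefix with an empty remainder can be rejected too.
	 */
	if (strncmp(xattr->name, XATTR_SECURITY_PREFIX,
		    XATTR_SECURITY_PREFIX_LEN) != 0 ||
	    xattr->name[XATTR_SECURITY_PREFIX_LEN] == '\0') {
		err = -EINVAL;
		goto out;
	}

	/*
	 * xattr_list_mutex guards against races in evm_read_xattrs().
	 * Entries are only added to the evm_config_xattrnames list
	 * and never deleted. Therefore, the list is traversed
	 * using list_for_each_entry_lockless() without holding
	 * the mutex in evm_calc_hmac_or_hash(), evm_find_protected_xattrs()
	 * and evm_protected_xattr().
	 */
	mutex_lock(&xattr_list_mutex);

	/* Re-check under the lock: "." may have sealed the list meanwhile */
	if (evm_xattrs_locked) {
		mutex_unlock(&xattr_list_mutex);
		err = -EPERM;
		goto out;
	}

	list_for_each_entry(tmp, &evm_config_xattrnames, list) {
		if (strcmp(xattr->name, tmp->name) == 0) {
			/* Already known: re-enabling a disabled entry succeeds */
			err = -EEXIST;
			if (!tmp->enabled) {
				tmp->enabled = true;
				err = count;
			}
			mutex_unlock(&xattr_list_mutex);
			goto out;
		}
	}
	list_add_tail_rcu(&xattr->list, &evm_config_xattrnames);
	mutex_unlock(&xattr_list_mutex);

	audit_log_format(ab, " res=0");
	audit_log_end(ab);
	return count;
out:
	/* err holds count on success paths that did not add a new entry */
	audit_log_format(ab, " res=%d", (err < 0) ? err : 0);
	audit_log_end(ab);
	if (xattr) {
		kfree(xattr->name);
		kfree(xattr);
	}
	return err;
}

static const struct file_operations evm_xattr_ops = {
	.read = evm_read_xattrs,
	.write = evm_write_xattrs,
};

/**
 * evm_init_xattrs - create <securityfs>/integrity/evm/evm_xattrs
 *
 * Creates the evm_xattrs file (mode 0660) under evm_dir.  The original
 * creation error is collapsed to -EFAULT, matching evm_init_secfs().
 *
 * Returns 0 on success or -EFAULT if the file could not be created.
 */
static int evm_init_xattrs(void)
{
	evm_xattrs = securityfs_create_file("evm_xattrs", 0660, evm_dir, NULL,
					    &evm_xattr_ops);
	if (IS_ERR(evm_xattrs))
		return -EFAULT;

	return 0;
}
#else
/* Nothing to create without CONFIG_EVM_ADD_XATTRS */
static int evm_init_xattrs(void)
{
	return 0;
}
#endif

/**
 * evm_init_secfs - create the EVM securityfs hierarchy
 *
 * Creates, in order: the shared integrity directory, <securityfs>/
 * integrity/evm, the "evm" control file (mode 0660), the top-level
 * <securityfs>/evm symlink to it, and (if configured) the evm_xattrs
 * file.  On any failure everything created so far is torn down.
 *
 * Note that every underlying error is reported as -EFAULT, so callers
 * cannot distinguish e.g. -ENOMEM from a missing securityfs; the teardown
 * path relies on securityfs_remove() tolerating a NULL or ERR_PTR
 * evm_symlink and on removing evm_dir to drop the "evm" file created
 * inside it — TODO(review): confirm both against the securityfs version
 * in use.
 *
 * Returns 0 on success or -EFAULT on failure.
 */
int __init evm_init_secfs(void)
{
	int error = 0;
	struct dentry *dentry;

	error = integrity_fs_init();
	if (error < 0)
		return -EFAULT;

	evm_dir = securityfs_create_dir("evm", integrity_dir);
	if (IS_ERR(evm_dir)) {
		error = -EFAULT;
		goto out;
	}

	dentry = securityfs_create_file("evm", 0660,
					evm_dir, NULL, &evm_key_ops);
	if (IS_ERR(dentry)) {
		error = -EFAULT;
		goto out;
	}

	evm_symlink = securityfs_create_symlink("evm", NULL,
						"integrity/evm/evm", NULL);
	if (IS_ERR(evm_symlink)) {
		error = -EFAULT;
		goto out;
	}

	if (evm_init_xattrs() != 0) {
		error = -EFAULT;
		goto out;
	}

	return 0;
out:
	securityfs_remove(evm_symlink);
	securityfs_remove(evm_dir);
	integrity_fs_fini();
	return error;
}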