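// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2011 IBM Corporation
 *
 * Author:
 * Mimi Zohar <zohar@us.ibm.com>
 */
#include <linux/module.h>
#include <linux/init.h>
#include <linux/file.h>
#include <linux/binfmts.h>
#include <linux/fs.h>
#include <linux/xattr.h>
#include <linux/magic.h>
#include <linux/ima.h>
#include <linux/evm.h>
#include <linux/fsverity.h>
#include <keys/system_keyring.h>
#include <uapi/linux/fsverity.h>

#include "ima.h"

#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
static char *ima_appraise_cmdline_default __initdata;
core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);

/**
 * ima_appraise_parse_cmdline - apply the ima_appraise= boot parameter
 *
 * Map the "off", "log", "fix" or "enforce" keyword onto the ima_appraise
 * mode.  When secure boot is enabled, a request for anything other than
 * enforcing is logged and ignored so that the built-in default is kept.
 */
void __init ima_appraise_parse_cmdline(void)
{
	const char *str = ima_appraise_cmdline_default;
	bool sb_state = arch_get_secureboot();
	int appraisal_state = ima_appraise;

	if (!str)
		return;

	/* strncmp() against the keyword length matches on prefix only. */
	if (strncmp(str, "off", 3) == 0)
		appraisal_state = 0;
	else if (strncmp(str, "log", 3) == 0)
		appraisal_state = IMA_APPRAISE_LOG;
	else if (strncmp(str, "fix", 3) == 0)
		appraisal_state = IMA_APPRAISE_FIX;
	else if (strncmp(str, "enforce", 7) == 0)
		appraisal_state = IMA_APPRAISE_ENFORCE;
	else
		pr_err("invalid \"%s\" appraise option", str);

	/*
	 * If appraisal state was changed, but secure boot is enabled,
	 * keep its default.
	 */
	if (sb_state) {
		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
				str);
	} else {
		ima_appraise = appraisal_state;
	}
}
#endif

/*
 * is_ima_appraise_enabled - return appraise status
 *
 * Only return enabled, if not in ima_appraise="fix" or "log" modes.
 */
bool is_ima_appraise_enabled(void)
{
	return ima_appraise & IMA_APPRAISE_ENFORCE;
}

/**
 * ima_must_appraise - decide whether the policy asks for appraisal or hashing
 * @idmap: idmap of the mount the inode was found from
 * @inode: inode being accessed
 * @mask: access mask of the operation
 * @func: IMA hook the access is made from
 *
 * A disabled ima_appraise short-circuits the policy lookup.
 *
 * Return: the policy action (non-zero to appraise or hash), 0 otherwise.
 */
int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
		      int mask, enum ima_hooks func)
{
	struct lsm_prop prop;

	if (!ima_appraise)
		return 0;

	security_current_getlsmprop_subj(&prop);
	return ima_match_policy(idmap, inode, current_cred(), &prop,
				func, mask, IMA_APPRAISE | IMA_HASH, NULL,
				NULL, NULL, NULL);
}

/**
 * ima_fix_xattr - write the collected digest to 'security.ima'
 * @dentry: file whose xattr is rewritten
 * @iint: integrity cache holding the collected hash
 *
 * Algorithms up to SHA1 are stored in the legacy IMA_XATTR_DIGEST layout,
 * which carries no algorithm byte; everything else uses the
 * IMA_XATTR_DIGEST_NG layout whose first data byte is the algorithm id.
 *
 * Return: 0 on success, -EROFS on a read-only inode, -EPERM on an
 * immutable inode, or the __vfs_setxattr_noperm() error.
 */
static int ima_fix_xattr(struct dentry *dentry, struct ima_iint_cache *iint)
{
	int offset;
	u8 algo = iint->ima_hash->algo;

	if (IS_RDONLY(d_inode(dentry)))
		return -EROFS;
	if (IS_IMMUTABLE(d_inode(dentry)))
		return -EPERM;

	if (algo <= HASH_ALGO_SHA1) {
		/* Legacy layout: skip the unused algorithm byte. */
		offset = 1;
		iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
	} else {
		offset = 0;
		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
		iint->ima_hash->xattr.ng.algo = algo;
	}
	return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
				     &iint->ima_hash->xattr.data[offset],
				     (sizeof(iint->ima_hash->xattr) - offset) +
				     iint->ima_hash->length, 0);
}

/**
 * ima_get_cache_status - return the cached appraisal result for a hook
 * @iint: integrity cache of the inode
 * @func: IMA hook whose result is wanted
 *
 * Each hook class keeps its own status; everything from MODULE_CHECK up,
 * and any unknown hook, shares the read status.
 */
enum integrity_status ima_get_cache_status(struct ima_iint_cache *iint,
					   enum ima_hooks func)
{
	switch (func) {
	case MMAP_CHECK:
	case MMAP_CHECK_REQPROT:
		return iint->ima_mmap_status;
	case BPRM_CHECK:
		return iint->ima_bprm_status;
	case CREDS_CHECK:
		return iint->ima_creds_status;
	case FILE_CHECK:
	case POST_SETATTR:
		return iint->ima_file_status;
	case MODULE_CHECK ... MAX_CHECK - 1:
	default:
		return iint->ima_read_status;
	}
}

/*
 * ima_set_cache_status - store the appraisal result for a hook
 *
 * Mirror of ima_get_cache_status(): the same hook-to-field mapping.
 */
static void ima_set_cache_status(struct ima_iint_cache *iint,
				 enum ima_hooks func,
				 enum integrity_status status)
{
	switch (func) {
	case MMAP_CHECK:
	case MMAP_CHECK_REQPROT:
		iint->ima_mmap_status = status;
		break;
	case BPRM_CHECK:
		iint->ima_bprm_status = status;
		break;
	case CREDS_CHECK:
		iint->ima_creds_status = status;
		break;
	case FILE_CHECK:
	case POST_SETATTR:
		iint->ima_file_status = status;
		break;
	case MODULE_CHECK ... MAX_CHECK - 1:
	default:
		iint->ima_read_status = status;
		break;
	}
}

/*
 * ima_cache_flags - mark the hook class as appraised
 *
 * Sets the per-class *_APPRAISED bit together with IMA_APPRAISED, using
 * the same hook-to-class mapping as the status accessors above.
 */
static void ima_cache_flags(struct ima_iint_cache *iint, enum ima_hooks func)
{
	switch (func) {
	case MMAP_CHECK:
	case MMAP_CHECK_REQPROT:
		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
		break;
	case BPRM_CHECK:
		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
		break;
	case CREDS_CHECK:
		iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
		break;
	case FILE_CHECK:
	case POST_SETATTR:
		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
		break;
	case MODULE_CHECK ... MAX_CHECK - 1:
	default:
		iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
		break;
	}
}

/**
 * ima_get_hash_algo - derive the hash algorithm from a 'security.ima' value
 * @xattr_value: xattr contents, may be NULL
 * @xattr_len: length of @xattr_value
 *
 * Signature headers carry the algorithm explicitly and are only trusted
 * when the version matches and the value is longer than the header.
 * IMA_XATTR_DIGEST_NG keeps the algorithm in its first data byte.  The
 * legacy IMA_XATTR_DIGEST layout is told apart by length: 17 bytes is
 * md5, 21 bytes is sha1 unless the last four bytes are zero padding of
 * an md5 digest.
 *
 * Return: the algorithm, or ima_hash_algo when it cannot be determined.
 */
enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
				 int xattr_len)
{
	struct signature_v2_hdr *sig;
	enum hash_algo ret;

	if (!xattr_value || xattr_len < 2)
		/* return default hash algo */
		return ima_hash_algo;

	switch (xattr_value->type) {
	case IMA_VERITY_DIGSIG:
		sig = (typeof(sig))xattr_value;
		if (sig->version != 3 || xattr_len <= sizeof(*sig) ||
		    sig->hash_algo >= HASH_ALGO__LAST)
			return ima_hash_algo;
		return sig->hash_algo;
	case EVM_IMA_XATTR_DIGSIG:
		sig = (typeof(sig))xattr_value;
		if ((sig->version != 2 && sig->version != 3) ||
		    xattr_len <= sizeof(*sig) ||
		    sig->hash_algo >= HASH_ALGO__LAST)
			return ima_hash_algo;
		return sig->hash_algo;
	case IMA_XATTR_DIGEST_NG:
		/* first byte contains algorithm id */
		ret = xattr_value->data[0];
		if (ret < HASH_ALGO__LAST)
			return ret;
		break;
	case IMA_XATTR_DIGEST:
		/* this is for backward compatibility */
		if (xattr_len == 21) {
			unsigned int zero = 0;

			if (!memcmp(&xattr_value->data[16], &zero, 4))
				return HASH_ALGO_MD5;
			else
				return HASH_ALGO_SHA1;
		} else if (xattr_len == 17) {
			return HASH_ALGO_MD5;
		}
		break;
	}

	/* return default hash algo */
	return ima_hash_algo;
}

/**
 * ima_read_xattr - read 'security.ima' into a freshly allocated buffer
 * @dentry: file to read from
 * @xattr_value: receives the allocated value
 * @xattr_len: size hint passed to vfs_getxattr_alloc()
 *
 * Return: the xattr length, 0 when the filesystem does not support
 * xattrs (-EOPNOTSUPP is folded into 0), or a negative error.
 */
int ima_read_xattr(struct dentry *dentry,
		   struct evm_ima_xattr_data **xattr_value, int xattr_len)
{
	int ret;

	ret = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
				 (char **)xattr_value, xattr_len, GFP_NOFS);
	if (ret == -EOPNOTSUPP)
		ret = 0;
	return ret;
}

/*
 * xattr_verify - verify xattr digest or signature
 *
 * Verify whether the hash or signature matches the file contents.
 * Digest xattrs are compared against the collected hash; signature
 * xattrs are checked against the IMA keyring, and for KEXEC_KERNEL_CHECK
 * additionally against the platform keyring when that is built in.
 * *status and *cause are set to describe the outcome.
 *
 * Return 0 on success, error code otherwise.
 */
static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,
			struct evm_ima_xattr_data *xattr_value, int xattr_len,
			enum integrity_status *status, const char **cause)
{
	struct signature_v2_hdr *sig;
	int rc = -EINVAL, hash_start = 0;
	int avail;
	int mask;

	switch (xattr_value->type) {
	case IMA_XATTR_DIGEST_NG:
		/* first byte contains algorithm id */
		hash_start = 1;
		fallthrough;
	case IMA_XATTR_DIGEST:
		if (*status != INTEGRITY_PASS_IMMUTABLE) {
			if (iint->flags & IMA_DIGSIG_REQUIRED) {
				if (iint->flags & IMA_VERITY_REQUIRED)
					*cause = "verity-signature-required";
				else
					*cause = "IMA-signature-required";
				*status = INTEGRITY_FAIL;
				break;
			}
			clear_bit(IMA_DIGSIG, &iint->atomic_flags);
		} else {
			set_bit(IMA_DIGSIG, &iint->atomic_flags);
		}
		/*
		 * Digest bytes present after the type byte and the optional
		 * algorithm byte.  Keep this in signed arithmetic: xattr_len
		 * is an int, and subtracting sizeof() from it directly
		 * promotes the expression to size_t, so a value shorter than
		 * its header would wrap around instead of going negative and
		 * the memcmp() below would read past the xattr.
		 *
		 * The xattr may be longer than the digest: an md5 hash in a
		 * previous version occupied 20 bytes in the xattr, instead
		 * of 16.
		 */
		avail = xattr_len - (int)sizeof(xattr_value->type) - hash_start;
		if (avail >= 0 && avail >= iint->ima_hash->length)
			rc = memcmp(&xattr_value->data[hash_start],
				    iint->ima_hash->digest,
				    iint->ima_hash->length);
		else
			rc = -EINVAL;
		if (rc) {
			*cause = "invalid-hash";
			*status = INTEGRITY_FAIL;
			break;
		}
		*status = INTEGRITY_PASS;
		break;
	case EVM_IMA_XATTR_DIGSIG:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);

		/* A policy demanding a verity signature rejects a plain one. */
		mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED;
		if ((iint->flags & mask) == mask) {
			*cause = "verity-signature-required";
			*status = INTEGRITY_FAIL;
			break;
		}

		sig = (typeof(sig))xattr_value;
		if (sig->version > 3) {
			*cause = "invalid-signature-version";
			*status = INTEGRITY_FAIL;
			break;
		}

		if ((iint->flags & IMA_SIGV3_REQUIRED) && sig->version != 3) {
			*cause = "IMA-sigv3-required";
			*status = INTEGRITY_FAIL;
			break;
		}

		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
					     (const char *)xattr_value,
					     xattr_len,
					     iint->ima_hash->digest,
					     iint->ima_hash->length,
					     iint->ima_hash->algo);
		if (rc == -EOPNOTSUPP) {
			*status = INTEGRITY_UNKNOWN;
			break;
		}
		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
		    func == KEXEC_KERNEL_CHECK)
			rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
						     (const char *)xattr_value,
						     xattr_len,
						     iint->ima_hash->digest,
						     iint->ima_hash->length,
						     iint->ima_hash->algo);

		if (rc) {
			*cause = "invalid-signature";
			*status = INTEGRITY_FAIL;
		} else {
			*status = INTEGRITY_PASS;
		}
		break;
	case IMA_VERITY_DIGSIG:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);

		if (iint->flags & IMA_DIGSIG_REQUIRED) {
			if (!(iint->flags & IMA_VERITY_REQUIRED)) {
				*cause = "IMA-signature-required";
				*status = INTEGRITY_FAIL;
				break;
			}
		}

		sig = (typeof(sig))xattr_value;
		if (sig->version != 3) {
			*cause = "invalid-signature-version";
			*status = INTEGRITY_FAIL;
			break;
		}

		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
					     (const char *)xattr_value,
					     xattr_len,
					     iint->ima_hash->digest,
					     iint->ima_hash->length,
					     iint->ima_hash->algo);
		if (rc == -EOPNOTSUPP) {
			*status = INTEGRITY_UNKNOWN;
			break;
		} else if (rc) {
			*cause = "invalid-verity-signature";
			*status = INTEGRITY_FAIL;
		} else {
			*status = INTEGRITY_PASS;
		}

		break;
	default:
		*status = INTEGRITY_UNKNOWN;
		*cause = "unknown-ima-data";
		break;
	}

	return rc;
}

/*
 * modsig_verify - verify modsig signature
 *
 * Verify whether the signature matches the file contents.  As for xattr
 * signatures, KEXEC_KERNEL_CHECK may fall back to the platform keyring.
 *
 * Return 0 on success, error code otherwise.
 */
static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
			 enum integrity_status *status, const char **cause)
{
	int rc;

	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
	    func == KEXEC_KERNEL_CHECK)
		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
					     modsig);
	if (rc) {
		*cause = "invalid-signature";
		*status = INTEGRITY_FAIL;
	} else {
		*status = INTEGRITY_PASS;
	}

	return rc;
}

/*
 * ima_check_blacklist - determine if the binary is blacklisted.
 *
 * Add the hash of the blacklisted binary to the measurement list, based
 * on policy.  The digest looked up in the blacklist is the one recorded,
 * whether it came from the modsig or from the collected file hash.
 *
 * Returns -EPERM if the hash is blacklisted.
 */
int ima_check_blacklist(struct ima_iint_cache *iint,
			const struct modsig *modsig, int pcr)
{
	enum hash_algo hash_algo;
	const u8 *digest = NULL;
	u32 digestsize = 0;
	int rc = 0;

	if (!(iint->flags & IMA_CHECK_BLACKLIST))
		return 0;

	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);

		rc = is_binary_blacklisted(digest, digestsize);
	} else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash) {
		/*
		 * Keep the digest that was checked so that the
		 * "blacklisted-hash" measurement below records it rather
		 * than an empty buffer.
		 */
		digest = iint->ima_hash->digest;
		digestsize = iint->ima_hash->length;
		rc = is_binary_blacklisted(digest, digestsize);
	}

	if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
		process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
					   "blacklisted-hash", NONE,
					   pcr, NULL, false, NULL, 0);

	return rc;
}

/*
 * ima_appraise_measurement - appraise file measurement
 *
 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
 * Assuming success, compare the xattr hash with the collected measurement.
 *
 * @xattr_len doubles as the result of reading the xattr: a value <= 0
 * means it is absent or could not be read.  In that case a modsig, when
 * the policy allows one, is tried instead; otherwise a missing label is
 * tolerated only for new, empty or non-signature-required files.
 * Fix mode rewrites the hash, never a signature.  The result is audited,
 * cached per hook and returned.
 *
 * Return 0 on success, error code otherwise
 */
int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
			     struct file *file, const unsigned char *filename,
			     struct evm_ima_xattr_data *xattr_value,
			     int xattr_len, const struct modsig *modsig,
			     bool bprm_is_check)
{
	static const char op[] = "appraise_data";
	int audit_msgno = AUDIT_INTEGRITY_DATA;
	const char *cause = "unknown";
	struct dentry *dentry = file_dentry(file);
	struct inode *inode = d_backing_inode(dentry);
	enum integrity_status status = INTEGRITY_UNKNOWN;
	int rc = xattr_len;
	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;

	/* If not appraising a modsig, we need an xattr. */
	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
		return INTEGRITY_UNKNOWN;

	/*
	 * Unlike any of the other LSM hooks where the kernel enforces file
	 * integrity, enforcing file integrity for the bprm_creds_for_exec()
	 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
	 * of the script interpreter(userspace). Differentiate kernel and
	 * userspace enforced integrity audit messages.
	 */
	if (bprm_is_check)
		audit_msgno = AUDIT_INTEGRITY_USERSPACE;

	/* If reading the xattr failed and there's no modsig, error out. */
	if (rc <= 0 && !try_modsig) {
		if (rc && rc != -ENODATA)
			goto out;

		if (iint->flags & IMA_DIGSIG_REQUIRED) {
			if (iint->flags & IMA_VERITY_REQUIRED)
				cause = "verity-signature-required";
			else
				cause = "IMA-signature-required";
		} else {
			cause = "missing-hash";
		}

		status = INTEGRITY_NOLABEL;
		if (file->f_mode & FMODE_CREATED)
			iint->flags |= IMA_NEW_FILE;
		/*
		 * A new file has no label yet; let it pass unless a
		 * signature is required and it already has contents.
		 */
		if ((iint->flags & IMA_NEW_FILE) &&
		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
		     (inode->i_size == 0)))
			status = INTEGRITY_PASS;
		goto out;
	}

	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
				 rc < 0 ? 0 : rc);
	switch (status) {
	case INTEGRITY_PASS:
	case INTEGRITY_PASS_IMMUTABLE:
	case INTEGRITY_UNKNOWN:
		break;
	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
		/* It's fine not to have xattrs when using a modsig. */
		if (try_modsig)
			break;
		fallthrough;
	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
		cause = "missing-HMAC";
		goto out;
	case INTEGRITY_FAIL_IMMUTABLE:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
		cause = "invalid-fail-immutable";
		goto out;
	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
		cause = "invalid-HMAC";
		goto out;
	default:
		WARN_ONCE(true, "Unexpected integrity status %d\n", status);
	}

	if (xattr_value)
		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
				  &cause);

	/*
	 * If we have a modsig and either no imasig or the imasig's key isn't
	 * known, then try verifying the modsig.
	 */
	if (try_modsig &&
	    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
	     rc == -ENOKEY))
		rc = modsig_verify(func, modsig, &status, &cause);

out:
	/*
	 * File signatures on some filesystems can not be properly verified.
	 * When such filesystems are mounted by an untrusted mounter or on a
	 * system not willing to accept such a risk, fail the file signature
	 * verification.
	 */
	if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
	    ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		status = INTEGRITY_FAIL;
		cause = "unverifiable-signature";
		integrity_audit_msg(audit_msgno, inode, filename,
				    op, cause, rc, 0);
	} else if (status != INTEGRITY_PASS) {
		/* Fix mode, but don't replace file signatures. */
		if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
		    (!xattr_value ||
		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
			if (!ima_fix_xattr(dentry, iint))
				status = INTEGRITY_PASS;
		} else if (status == INTEGRITY_NOLABEL) {
			if (!evm_fix_hmac(dentry, XATTR_NAME_IMA,
					  (const char *)xattr_value,
					  xattr_len))
				status = INTEGRITY_PASS;
		}

		/*
		 * Permit new files with file/EVM portable signatures, but
		 * without data.
		 */
		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
		    test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
			status = INTEGRITY_PASS;
		}

		integrity_audit_msg(audit_msgno, inode, filename,
				    op, cause, rc, 0);
	} else {
		ima_cache_flags(iint, func);
	}

	ima_set_cache_status(iint, func, status);
	return status;
}

/*
 * ima_update_xattr - update 'security.ima' hash value
 *
 * Re-collect the file hash and write it back under the inode lock.
 * Signed files are left alone, as are files that neither passed
 * appraisal nor are subject to an IMA_HASH rule.
 */
void ima_update_xattr(struct ima_iint_cache *iint, struct file *file)
{
	struct dentry *dentry = file_dentry(file);
	int rc;

	/* do not collect and update hash for digital signatures */
	if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
		return;

	if ((iint->ima_file_status != INTEGRITY_PASS) &&
	    !(iint->flags & IMA_HASH))
		return;

	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
	if (rc < 0)
		return;

	inode_lock(file_inode(file));
	ima_fix_xattr(dentry, iint);
	inode_unlock(file_inode(file));
}

/**
 * ima_inode_post_setattr - reflect file metadata changes
 * @idmap: idmap of the mount the inode was found from
 * @dentry: pointer to the affected dentry
 * @ia_valid: for the UID and GID status
 *
 * Changes to a dentry's metadata might result in needing to appraise.
 * The cached entry is flagged as changed; when the policy no longer asks
 * for appraisal, a pending xattr update is cancelled.
 *
 * This function is called from notify_change(), which expects the caller
 * to lock the inode's i_mutex.
 */
static void ima_inode_post_setattr(struct mnt_idmap *idmap,
				   struct dentry *dentry, int ia_valid)
{
	struct inode *inode = d_backing_inode(dentry);
	struct ima_iint_cache *iint;
	int action;

	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
	    || !(inode->i_opflags & IOP_XATTR))
		return;

	action = ima_must_appraise(idmap, inode, MAY_ACCESS, POST_SETATTR);
	iint = ima_iint_find(inode);
	if (iint) {
		set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
		if (!action)
			clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
	}
}

/*
 * ima_protect_xattr - protect 'security.ima'
 *
 * Ensure that not just anyone can modify or remove 'security.ima'.
 *
 * Returns 1 when @xattr_name is 'security.ima' and the caller holds
 * CAP_SYS_ADMIN, -EPERM when it does not, and 0 for any other xattr.
 */
static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
			     const void *xattr_value, size_t xattr_value_len)
{
	if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
		if (!capable(CAP_SYS_ADMIN))
			return -EPERM;
		return 1;
	}
	return 0;
}

/*
 * ima_reset_appraise_flags - reset ima_iint_cache flags
 *
 * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values
 *   0: clear IMA_DIGSIG
 *   1: set IMA_DIGSIG
 *  -1: don't change IMA_DIGSIG
 *
 * Only regular files under an appraisal policy with an existing cache
 * entry are touched: the measured PCR mask is cleared and the entry is
 * marked as having a changed xattr.
 */
static void ima_reset_appraise_flags(struct inode *inode, int digsig)
{
	struct ima_iint_cache *iint;

	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
		return;

	iint = ima_iint_find(inode);
	if (!iint)
		return;
	iint->measured_pcrs = 0;
	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
	if (digsig == 1)
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
	else if (digsig == 0)
		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
}

/**
 * validate_hash_algo() - Block setxattr with unsupported hash algorithms
 * @dentry: object of the setxattr()
 * @xattr_value: userland supplied xattr value
 * @xattr_value_len: length of xattr_value
 *
 * The xattr value is mapped to its hash algorithm, and this algorithm
 * must be built in the kernel for the setxattr to be allowed.
 *
 * Emit an audit message when the algorithm is invalid.
 *
 * Return: 0 on success, else an error.
 */
static int validate_hash_algo(struct dentry *dentry,
			      const struct evm_ima_xattr_data *xattr_value,
			      size_t xattr_value_len)
{
	char *path = NULL, *pathbuf = NULL;
	enum hash_algo xattr_hash_algo;
	const char *errmsg = "unavailable-hash-algorithm";
	unsigned int allowed_hashes;

	xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);

	allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms);

	if (allowed_hashes) {
		/* success if the algorithm is allowed in the ima policy */
		if (allowed_hashes & (1U << xattr_hash_algo))
			return 0;

		/*
		 * We use a different audit message when the hash algorithm
		 * is denied by a policy rule, instead of not being built
		 * in the kernel image
		 */
		errmsg = "denied-hash-algorithm";
	} else {
		if (likely(xattr_hash_algo == ima_hash_algo))
			return 0;

		/* allow any xattr using an algorithm built in the kernel */
		if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0))
			return 0;
	}

	pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
	if (!pathbuf)
		return -EACCES;

	/*
	 * dentry_path() returns an ERR_PTR when the path does not fit the
	 * buffer; audit without a name rather than dereference it.
	 */
	path = dentry_path(dentry, pathbuf, PATH_MAX);
	if (IS_ERR(path))
		path = NULL;

	integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
			    "set_data", errmsg, -EACCES, 0);

	kfree(pathbuf);

	return -EACCES;
}

/*
 * ima_inode_setxattr - LSM hook for setting an xattr
 *
 * 'security.ima' may only be written by CAP_SYS_ADMIN, must carry a known
 * type and an acceptable hash algorithm.  Writes to 'security.ima' or to
 * any xattr EVM revalidates on reset the cached appraisal state, with the
 * IMA_DIGSIG flag tracking whether the new value is a signature.
 */
static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
			      const char *xattr_name, const void *xattr_value,
			      size_t xattr_value_len, int flags)
{
	const struct evm_ima_xattr_data *xvalue = xattr_value;
	int digsig = 0;
	int result;
	int err;

	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
				   xattr_value_len);
	if (result == 1) {
		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
			return -EINVAL;

		err = validate_hash_algo(dentry, xvalue, xattr_value_len);
		if (err)
			return err;

		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
	} else {
		digsig = -1;
	}
	if (result == 1 || evm_revalidate_status(xattr_name)) {
		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
		if (result == 1)
			result = 0;
	}
	return result;
}

/* ACL changes that EVM revalidates on invalidate the cached appraisal. */
static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
			     const char *acl_name, struct posix_acl *kacl)
{
	if (evm_revalidate_status(acl_name))
		ima_reset_appraise_flags(d_backing_inode(dentry), -1);

	return 0;
}

/*
 * ima_inode_removexattr - LSM hook for removing an xattr
 *
 * Same protection as ima_inode_setxattr(); removing 'security.ima' also
 * clears IMA_DIGSIG since no signature remains.
 */
static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
				 const char *xattr_name)
{
	int result, digsig = -1;

	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
	if (result == 1 || evm_revalidate_status(xattr_name)) {
		if (!strcmp(xattr_name, XATTR_NAME_IMA))
			digsig = 0;
		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
		if (result == 1)
			result = 0;
	}
	return result;
}

static int ima_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
				const char *acl_name)
{
	return ima_inode_set_acl(idmap, dentry, acl_name, NULL);
}

static struct security_hook_list ima_appraise_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(inode_post_setattr, ima_inode_post_setattr),
	LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr),
	LSM_HOOK_INIT(inode_set_acl, ima_inode_set_acl),
	LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr),
	LSM_HOOK_INIT(inode_remove_acl, ima_inode_remove_acl),
};

/* Register the appraisal LSM hooks above under @lsmid. */
void __init init_ima_appraise_lsm(const struct lsm_id *lsmid)
{
	security_add_hooks(ima_appraise_hooks, ARRAY_SIZE(ima_appraise_hooks),
			   lsmid);
}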