xref: /linux/security/integrity/evm/evm_main.c (revision 17cfcb68af3bc7d5e8ae08779b1853310a2949f3)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2005-2010 IBM Corporation
4  *
5  * Author:
6  * Mimi Zohar <zohar@us.ibm.com>
7  * Kylene Hall <kjhall@us.ibm.com>
8  *
9  * File: evm_main.c
10  *	implements evm_inode_setxattr, evm_inode_post_setxattr,
11  *	evm_inode_removexattr, and evm_verifyxattr
12  */
13 
14 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 
16 #include <linux/init.h>
17 #include <linux/crypto.h>
18 #include <linux/audit.h>
19 #include <linux/xattr.h>
20 #include <linux/integrity.h>
21 #include <linux/evm.h>
22 #include <linux/magic.h>
23 
24 #include <crypto/hash.h>
25 #include <crypto/hash_info.h>
26 #include <crypto/algapi.h>
27 #include "evm.h"
28 
29 int evm_initialized;
30 
31 static const char * const integrity_status_msg[] = {
32 	"pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
33 };
34 int evm_hmac_attrs;
35 
36 static struct xattr_list evm_config_default_xattrnames[] = {
37 #ifdef CONFIG_SECURITY_SELINUX
38 	{.name = XATTR_NAME_SELINUX},
39 #endif
40 #ifdef CONFIG_SECURITY_SMACK
41 	{.name = XATTR_NAME_SMACK},
42 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
43 	{.name = XATTR_NAME_SMACKEXEC},
44 	{.name = XATTR_NAME_SMACKTRANSMUTE},
45 	{.name = XATTR_NAME_SMACKMMAP},
46 #endif
47 #endif
48 #ifdef CONFIG_SECURITY_APPARMOR
49 	{.name = XATTR_NAME_APPARMOR},
50 #endif
51 #ifdef CONFIG_IMA_APPRAISE
52 	{.name = XATTR_NAME_IMA},
53 #endif
54 	{.name = XATTR_NAME_CAPS},
55 };
56 
57 LIST_HEAD(evm_config_xattrnames);
58 
59 static int evm_fixmode;
60 static int __init evm_set_fixmode(char *str)
61 {
62 	if (strncmp(str, "fix", 3) == 0)
63 		evm_fixmode = 1;
64 	return 0;
65 }
66 __setup("evm=", evm_set_fixmode);
67 
68 static void __init evm_init_config(void)
69 {
70 	int i, xattrs;
71 
72 	xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
73 
74 	pr_info("Initialising EVM extended attributes:\n");
75 	for (i = 0; i < xattrs; i++) {
76 		pr_info("%s\n", evm_config_default_xattrnames[i].name);
77 		list_add_tail(&evm_config_default_xattrnames[i].list,
78 			      &evm_config_xattrnames);
79 	}
80 
81 #ifdef CONFIG_EVM_ATTR_FSUUID
82 	evm_hmac_attrs |= EVM_ATTR_FSUUID;
83 #endif
84 	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
85 }
86 
87 static bool evm_key_loaded(void)
88 {
89 	return (bool)(evm_initialized & EVM_KEY_MASK);
90 }
91 
92 static int evm_find_protected_xattrs(struct dentry *dentry)
93 {
94 	struct inode *inode = d_backing_inode(dentry);
95 	struct xattr_list *xattr;
96 	int error;
97 	int count = 0;
98 
99 	if (!(inode->i_opflags & IOP_XATTR))
100 		return -EOPNOTSUPP;
101 
102 	list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
103 		error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
104 		if (error < 0) {
105 			if (error == -ENODATA)
106 				continue;
107 			return error;
108 		}
109 		count++;
110 	}
111 
112 	return count;
113 }
114 
115 /*
116  * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
117  *
118  * Compute the HMAC on the dentry's protected set of extended attributes
119  * and compare it against the stored security.evm xattr.
120  *
121  * For performance:
122  * - use the previoulsy retrieved xattr value and length to calculate the
123  *   HMAC.)
124  * - cache the verification result in the iint, when available.
125  *
126  * Returns integrity status
127  */
128 static enum integrity_status evm_verify_hmac(struct dentry *dentry,
129 					     const char *xattr_name,
130 					     char *xattr_value,
131 					     size_t xattr_value_len,
132 					     struct integrity_iint_cache *iint)
133 {
134 	struct evm_ima_xattr_data *xattr_data = NULL;
135 	struct signature_v2_hdr *hdr;
136 	enum integrity_status evm_status = INTEGRITY_PASS;
137 	struct evm_digest digest;
138 	struct inode *inode;
139 	int rc, xattr_len;
140 
141 	if (iint && (iint->evm_status == INTEGRITY_PASS ||
142 		     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
143 		return iint->evm_status;
144 
145 	/* if status is not PASS, try to check again - against -ENOMEM */
146 
147 	/* first need to know the sig type */
148 	rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
149 				GFP_NOFS);
150 	if (rc <= 0) {
151 		evm_status = INTEGRITY_FAIL;
152 		if (rc == -ENODATA) {
153 			rc = evm_find_protected_xattrs(dentry);
154 			if (rc > 0)
155 				evm_status = INTEGRITY_NOLABEL;
156 			else if (rc == 0)
157 				evm_status = INTEGRITY_NOXATTRS; /* new file */
158 		} else if (rc == -EOPNOTSUPP) {
159 			evm_status = INTEGRITY_UNKNOWN;
160 		}
161 		goto out;
162 	}
163 
164 	xattr_len = rc;
165 
166 	/* check value type */
167 	switch (xattr_data->type) {
168 	case EVM_XATTR_HMAC:
169 		if (xattr_len != sizeof(struct evm_xattr)) {
170 			evm_status = INTEGRITY_FAIL;
171 			goto out;
172 		}
173 
174 		digest.hdr.algo = HASH_ALGO_SHA1;
175 		rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
176 				   xattr_value_len, &digest);
177 		if (rc)
178 			break;
179 		rc = crypto_memneq(xattr_data->data, digest.digest,
180 				   SHA1_DIGEST_SIZE);
181 		if (rc)
182 			rc = -EINVAL;
183 		break;
184 	case EVM_IMA_XATTR_DIGSIG:
185 	case EVM_XATTR_PORTABLE_DIGSIG:
186 		hdr = (struct signature_v2_hdr *)xattr_data;
187 		digest.hdr.algo = hdr->hash_algo;
188 		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
189 				   xattr_value_len, xattr_data->type, &digest);
190 		if (rc)
191 			break;
192 		rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
193 					(const char *)xattr_data, xattr_len,
194 					digest.digest, digest.hdr.length);
195 		if (!rc) {
196 			inode = d_backing_inode(dentry);
197 
198 			if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
199 				if (iint)
200 					iint->flags |= EVM_IMMUTABLE_DIGSIG;
201 				evm_status = INTEGRITY_PASS_IMMUTABLE;
202 			} else if (!IS_RDONLY(inode) &&
203 				   !(inode->i_sb->s_readonly_remount) &&
204 				   !IS_IMMUTABLE(inode)) {
205 				evm_update_evmxattr(dentry, xattr_name,
206 						    xattr_value,
207 						    xattr_value_len);
208 			}
209 		}
210 		break;
211 	default:
212 		rc = -EINVAL;
213 		break;
214 	}
215 
216 	if (rc)
217 		evm_status = (rc == -ENODATA) ?
218 				INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
219 out:
220 	if (iint)
221 		iint->evm_status = evm_status;
222 	kfree(xattr_data);
223 	return evm_status;
224 }
225 
226 static int evm_protected_xattr(const char *req_xattr_name)
227 {
228 	int namelen;
229 	int found = 0;
230 	struct xattr_list *xattr;
231 
232 	namelen = strlen(req_xattr_name);
233 	list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
234 		if ((strlen(xattr->name) == namelen)
235 		    && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
236 			found = 1;
237 			break;
238 		}
239 		if (strncmp(req_xattr_name,
240 			    xattr->name + XATTR_SECURITY_PREFIX_LEN,
241 			    strlen(req_xattr_name)) == 0) {
242 			found = 1;
243 			break;
244 		}
245 	}
246 
247 	return found;
248 }
249 
250 /**
251  * evm_verifyxattr - verify the integrity of the requested xattr
252  * @dentry: object of the verify xattr
253  * @xattr_name: requested xattr
254  * @xattr_value: requested xattr value
255  * @xattr_value_len: requested xattr value length
256  *
257  * Calculate the HMAC for the given dentry and verify it against the stored
258  * security.evm xattr. For performance, use the xattr value and length
259  * previously retrieved to calculate the HMAC.
260  *
261  * Returns the xattr integrity status.
262  *
263  * This function requires the caller to lock the inode's i_mutex before it
264  * is executed.
265  */
266 enum integrity_status evm_verifyxattr(struct dentry *dentry,
267 				      const char *xattr_name,
268 				      void *xattr_value, size_t xattr_value_len,
269 				      struct integrity_iint_cache *iint)
270 {
271 	if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
272 		return INTEGRITY_UNKNOWN;
273 
274 	if (!iint) {
275 		iint = integrity_iint_find(d_backing_inode(dentry));
276 		if (!iint)
277 			return INTEGRITY_UNKNOWN;
278 	}
279 	return evm_verify_hmac(dentry, xattr_name, xattr_value,
280 				 xattr_value_len, iint);
281 }
282 EXPORT_SYMBOL_GPL(evm_verifyxattr);
283 
284 /*
285  * evm_verify_current_integrity - verify the dentry's metadata integrity
286  * @dentry: pointer to the affected dentry
287  *
288  * Verify and return the dentry's metadata integrity. The exceptions are
289  * before EVM is initialized or in 'fix' mode.
290  */
291 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
292 {
293 	struct inode *inode = d_backing_inode(dentry);
294 
295 	if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
296 		return 0;
297 	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
298 }
299 
300 /*
301  * evm_protect_xattr - protect the EVM extended attribute
302  *
303  * Prevent security.evm from being modified or removed without the
304  * necessary permissions or when the existing value is invalid.
305  *
306  * The posix xattr acls are 'system' prefixed, which normally would not
307  * affect security.evm.  An interesting side affect of writing posix xattr
308  * acls is their modifying of the i_mode, which is included in security.evm.
309  * For posix xattr acls only, permit security.evm, even if it currently
310  * doesn't exist, to be updated unless the EVM signature is immutable.
311  */
312 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
313 			     const void *xattr_value, size_t xattr_value_len)
314 {
315 	enum integrity_status evm_status;
316 
317 	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
318 		if (!capable(CAP_SYS_ADMIN))
319 			return -EPERM;
320 	} else if (!evm_protected_xattr(xattr_name)) {
321 		if (!posix_xattr_acl(xattr_name))
322 			return 0;
323 		evm_status = evm_verify_current_integrity(dentry);
324 		if ((evm_status == INTEGRITY_PASS) ||
325 		    (evm_status == INTEGRITY_NOXATTRS))
326 			return 0;
327 		goto out;
328 	}
329 
330 	evm_status = evm_verify_current_integrity(dentry);
331 	if (evm_status == INTEGRITY_NOXATTRS) {
332 		struct integrity_iint_cache *iint;
333 
334 		iint = integrity_iint_find(d_backing_inode(dentry));
335 		if (iint && (iint->flags & IMA_NEW_FILE))
336 			return 0;
337 
338 		/* exception for pseudo filesystems */
339 		if (dentry->d_sb->s_magic == TMPFS_MAGIC
340 		    || dentry->d_sb->s_magic == SYSFS_MAGIC)
341 			return 0;
342 
343 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
344 				    dentry->d_inode, dentry->d_name.name,
345 				    "update_metadata",
346 				    integrity_status_msg[evm_status],
347 				    -EPERM, 0);
348 	}
349 out:
350 	if (evm_status != INTEGRITY_PASS)
351 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
352 				    dentry->d_name.name, "appraise_metadata",
353 				    integrity_status_msg[evm_status],
354 				    -EPERM, 0);
355 	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
356 }
357 
358 /**
359  * evm_inode_setxattr - protect the EVM extended attribute
360  * @dentry: pointer to the affected dentry
361  * @xattr_name: pointer to the affected extended attribute name
362  * @xattr_value: pointer to the new extended attribute value
363  * @xattr_value_len: pointer to the new extended attribute value length
364  *
365  * Before allowing the 'security.evm' protected xattr to be updated,
366  * verify the existing value is valid.  As only the kernel should have
367  * access to the EVM encrypted key needed to calculate the HMAC, prevent
368  * userspace from writing HMAC value.  Writing 'security.evm' requires
369  * requires CAP_SYS_ADMIN privileges.
370  */
371 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
372 		       const void *xattr_value, size_t xattr_value_len)
373 {
374 	const struct evm_ima_xattr_data *xattr_data = xattr_value;
375 
376 	/* Policy permits modification of the protected xattrs even though
377 	 * there's no HMAC key loaded
378 	 */
379 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
380 		return 0;
381 
382 	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
383 		if (!xattr_value_len)
384 			return -EINVAL;
385 		if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
386 		    xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
387 			return -EPERM;
388 	}
389 	return evm_protect_xattr(dentry, xattr_name, xattr_value,
390 				 xattr_value_len);
391 }
392 
393 /**
394  * evm_inode_removexattr - protect the EVM extended attribute
395  * @dentry: pointer to the affected dentry
396  * @xattr_name: pointer to the affected extended attribute name
397  *
398  * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
399  * the current value is valid.
400  */
401 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
402 {
403 	/* Policy permits modification of the protected xattrs even though
404 	 * there's no HMAC key loaded
405 	 */
406 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
407 		return 0;
408 
409 	return evm_protect_xattr(dentry, xattr_name, NULL, 0);
410 }
411 
412 static void evm_reset_status(struct inode *inode)
413 {
414 	struct integrity_iint_cache *iint;
415 
416 	iint = integrity_iint_find(inode);
417 	if (iint)
418 		iint->evm_status = INTEGRITY_UNKNOWN;
419 }
420 
421 /**
422  * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
423  * @dentry: pointer to the affected dentry
424  * @xattr_name: pointer to the affected extended attribute name
425  * @xattr_value: pointer to the new extended attribute value
426  * @xattr_value_len: pointer to the new extended attribute value length
427  *
428  * Update the HMAC stored in 'security.evm' to reflect the change.
429  *
430  * No need to take the i_mutex lock here, as this function is called from
431  * __vfs_setxattr_noperm().  The caller of which has taken the inode's
432  * i_mutex lock.
433  */
434 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
435 			     const void *xattr_value, size_t xattr_value_len)
436 {
437 	if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
438 				  && !posix_xattr_acl(xattr_name)))
439 		return;
440 
441 	evm_reset_status(dentry->d_inode);
442 
443 	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
444 }
445 
446 /**
447  * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
448  * @dentry: pointer to the affected dentry
449  * @xattr_name: pointer to the affected extended attribute name
450  *
451  * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
452  *
453  * No need to take the i_mutex lock here, as this function is called from
454  * vfs_removexattr() which takes the i_mutex.
455  */
456 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
457 {
458 	if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
459 		return;
460 
461 	evm_reset_status(dentry->d_inode);
462 
463 	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
464 }
465 
466 /**
467  * evm_inode_setattr - prevent updating an invalid EVM extended attribute
468  * @dentry: pointer to the affected dentry
469  *
470  * Permit update of file attributes when files have a valid EVM signature,
471  * except in the case of them having an immutable portable signature.
472  */
473 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
474 {
475 	unsigned int ia_valid = attr->ia_valid;
476 	enum integrity_status evm_status;
477 
478 	/* Policy permits modification of the protected attrs even though
479 	 * there's no HMAC key loaded
480 	 */
481 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
482 		return 0;
483 
484 	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
485 		return 0;
486 	evm_status = evm_verify_current_integrity(dentry);
487 	if ((evm_status == INTEGRITY_PASS) ||
488 	    (evm_status == INTEGRITY_NOXATTRS))
489 		return 0;
490 	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
491 			    dentry->d_name.name, "appraise_metadata",
492 			    integrity_status_msg[evm_status], -EPERM, 0);
493 	return -EPERM;
494 }
495 
496 /**
497  * evm_inode_post_setattr - update 'security.evm' after modifying metadata
498  * @dentry: pointer to the affected dentry
499  * @ia_valid: for the UID and GID status
500  *
501  * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
502  * changes.
503  *
504  * This function is called from notify_change(), which expects the caller
505  * to lock the inode's i_mutex.
506  */
507 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
508 {
509 	if (!evm_key_loaded())
510 		return;
511 
512 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
513 		evm_update_evmxattr(dentry, NULL, NULL, 0);
514 }
515 
516 /*
517  * evm_inode_init_security - initializes security.evm
518  */
519 int evm_inode_init_security(struct inode *inode,
520 				 const struct xattr *lsm_xattr,
521 				 struct xattr *evm_xattr)
522 {
523 	struct evm_xattr *xattr_data;
524 	int rc;
525 
526 	if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
527 		return 0;
528 
529 	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
530 	if (!xattr_data)
531 		return -ENOMEM;
532 
533 	xattr_data->data.type = EVM_XATTR_HMAC;
534 	rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
535 	if (rc < 0)
536 		goto out;
537 
538 	evm_xattr->value = xattr_data;
539 	evm_xattr->value_len = sizeof(*xattr_data);
540 	evm_xattr->name = XATTR_EVM_SUFFIX;
541 	return 0;
542 out:
543 	kfree(xattr_data);
544 	return rc;
545 }
546 EXPORT_SYMBOL_GPL(evm_inode_init_security);
547 
548 #ifdef CONFIG_EVM_LOAD_X509
549 void __init evm_load_x509(void)
550 {
551 	int rc;
552 
553 	rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
554 	if (!rc)
555 		evm_initialized |= EVM_INIT_X509;
556 }
557 #endif
558 
559 static int __init init_evm(void)
560 {
561 	int error;
562 	struct list_head *pos, *q;
563 
564 	evm_init_config();
565 
566 	error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
567 	if (error)
568 		goto error;
569 
570 	error = evm_init_secfs();
571 	if (error < 0) {
572 		pr_info("Error registering secfs\n");
573 		goto error;
574 	}
575 
576 error:
577 	if (error != 0) {
578 		if (!list_empty(&evm_config_xattrnames)) {
579 			list_for_each_safe(pos, q, &evm_config_xattrnames)
580 				list_del(pos);
581 		}
582 	}
583 
584 	return error;
585 }
586 
587 late_initcall(init_evm);
588