xref: /linux/security/integrity/evm/evm_main.c (revision 92481c7d14b8030418f00c4b4ec65556565d892d)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2005-2010 IBM Corporation
4  *
5  * Author:
6  * Mimi Zohar <zohar@us.ibm.com>
7  * Kylene Hall <kjhall@us.ibm.com>
8  *
9  * File: evm_main.c
10  *	implements evm_inode_setxattr, evm_inode_post_setxattr,
11  *	evm_inode_removexattr, and evm_verifyxattr
12  */
13 
14 #define pr_fmt(fmt) "EVM: "fmt
15 
16 #include <linux/init.h>
17 #include <linux/crypto.h>
18 #include <linux/audit.h>
19 #include <linux/xattr.h>
20 #include <linux/integrity.h>
21 #include <linux/evm.h>
22 #include <linux/magic.h>
23 #include <linux/posix_acl_xattr.h>
24 
25 #include <crypto/hash.h>
26 #include <crypto/hash_info.h>
27 #include <crypto/algapi.h>
28 #include "evm.h"
29 
30 int evm_initialized;
31 
32 static const char * const integrity_status_msg[] = {
33 	"pass", "pass_immutable", "fail", "fail_immutable", "no_label",
34 	"no_xattrs", "unknown"
35 };
36 int evm_hmac_attrs;
37 
38 static struct xattr_list evm_config_default_xattrnames[] = {
39 	{
40 	 .name = XATTR_NAME_SELINUX,
41 	 .enabled = IS_ENABLED(CONFIG_SECURITY_SELINUX)
42 	},
43 	{
44 	 .name = XATTR_NAME_SMACK,
45 	 .enabled = IS_ENABLED(CONFIG_SECURITY_SMACK)
46 	},
47 	{
48 	 .name = XATTR_NAME_SMACKEXEC,
49 	 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
50 	},
51 	{
52 	 .name = XATTR_NAME_SMACKTRANSMUTE,
53 	 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
54 	},
55 	{
56 	 .name = XATTR_NAME_SMACKMMAP,
57 	 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
58 	},
59 	{
60 	 .name = XATTR_NAME_APPARMOR,
61 	 .enabled = IS_ENABLED(CONFIG_SECURITY_APPARMOR)
62 	},
63 	{
64 	 .name = XATTR_NAME_IMA,
65 	 .enabled = IS_ENABLED(CONFIG_IMA_APPRAISE)
66 	},
67 	{
68 	 .name = XATTR_NAME_CAPS,
69 	 .enabled = true
70 	},
71 };
72 
73 LIST_HEAD(evm_config_xattrnames);
74 
75 static int evm_fixmode __ro_after_init;
76 static int __init evm_set_fixmode(char *str)
77 {
78 	if (strncmp(str, "fix", 3) == 0)
79 		evm_fixmode = 1;
80 	else
81 		pr_err("invalid \"%s\" mode", str);
82 
83 	return 1;
84 }
85 __setup("evm=", evm_set_fixmode);
86 
87 static void __init evm_init_config(void)
88 {
89 	int i, xattrs;
90 
91 	xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
92 
93 	pr_info("Initialising EVM extended attributes:\n");
94 	for (i = 0; i < xattrs; i++) {
95 		pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
96 			!evm_config_default_xattrnames[i].enabled ?
97 			" (disabled)" : "");
98 		list_add_tail(&evm_config_default_xattrnames[i].list,
99 			      &evm_config_xattrnames);
100 	}
101 
102 #ifdef CONFIG_EVM_ATTR_FSUUID
103 	evm_hmac_attrs |= EVM_ATTR_FSUUID;
104 #endif
105 	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
106 }
107 
108 static bool evm_key_loaded(void)
109 {
110 	return (bool)(evm_initialized & EVM_KEY_MASK);
111 }
112 
113 /*
114  * This function determines whether or not it is safe to ignore verification
115  * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
116  * is not loaded, and it cannot be loaded in the future due to the
117  * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
118  * attrs/xattrs being found invalid will not make them valid.
119  */
120 static bool evm_hmac_disabled(void)
121 {
122 	if (evm_initialized & EVM_INIT_HMAC)
123 		return false;
124 
125 	if (!(evm_initialized & EVM_SETUP_COMPLETE))
126 		return false;
127 
128 	return true;
129 }
130 
131 static int evm_find_protected_xattrs(struct dentry *dentry)
132 {
133 	struct inode *inode = d_backing_inode(dentry);
134 	struct xattr_list *xattr;
135 	int error;
136 	int count = 0;
137 
138 	if (!(inode->i_opflags & IOP_XATTR))
139 		return -EOPNOTSUPP;
140 
141 	list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
142 		error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
143 		if (error < 0) {
144 			if (error == -ENODATA)
145 				continue;
146 			return error;
147 		}
148 		count++;
149 	}
150 
151 	return count;
152 }
153 
154 /*
155  * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
156  *
157  * Compute the HMAC on the dentry's protected set of extended attributes
158  * and compare it against the stored security.evm xattr.
159  *
160  * For performance:
161  * - use the previoulsy retrieved xattr value and length to calculate the
162  *   HMAC.)
163  * - cache the verification result in the iint, when available.
164  *
165  * Returns integrity status
166  */
167 static enum integrity_status evm_verify_hmac(struct dentry *dentry,
168 					     const char *xattr_name,
169 					     char *xattr_value,
170 					     size_t xattr_value_len,
171 					     struct integrity_iint_cache *iint)
172 {
173 	struct evm_ima_xattr_data *xattr_data = NULL;
174 	struct signature_v2_hdr *hdr;
175 	enum integrity_status evm_status = INTEGRITY_PASS;
176 	struct evm_digest digest;
177 	struct inode *inode;
178 	int rc, xattr_len, evm_immutable = 0;
179 
180 	if (iint && (iint->evm_status == INTEGRITY_PASS ||
181 		     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
182 		return iint->evm_status;
183 
184 	/* if status is not PASS, try to check again - against -ENOMEM */
185 
186 	/* first need to know the sig type */
187 	rc = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_EVM,
188 				(char **)&xattr_data, 0, GFP_NOFS);
189 	if (rc <= 0) {
190 		evm_status = INTEGRITY_FAIL;
191 		if (rc == -ENODATA) {
192 			rc = evm_find_protected_xattrs(dentry);
193 			if (rc > 0)
194 				evm_status = INTEGRITY_NOLABEL;
195 			else if (rc == 0)
196 				evm_status = INTEGRITY_NOXATTRS; /* new file */
197 		} else if (rc == -EOPNOTSUPP) {
198 			evm_status = INTEGRITY_UNKNOWN;
199 		}
200 		goto out;
201 	}
202 
203 	xattr_len = rc;
204 
205 	/* check value type */
206 	switch (xattr_data->type) {
207 	case EVM_XATTR_HMAC:
208 		if (xattr_len != sizeof(struct evm_xattr)) {
209 			evm_status = INTEGRITY_FAIL;
210 			goto out;
211 		}
212 
213 		digest.hdr.algo = HASH_ALGO_SHA1;
214 		rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
215 				   xattr_value_len, &digest);
216 		if (rc)
217 			break;
218 		rc = crypto_memneq(xattr_data->data, digest.digest,
219 				   SHA1_DIGEST_SIZE);
220 		if (rc)
221 			rc = -EINVAL;
222 		break;
223 	case EVM_XATTR_PORTABLE_DIGSIG:
224 		evm_immutable = 1;
225 		fallthrough;
226 	case EVM_IMA_XATTR_DIGSIG:
227 		/* accept xattr with non-empty signature field */
228 		if (xattr_len <= sizeof(struct signature_v2_hdr)) {
229 			evm_status = INTEGRITY_FAIL;
230 			goto out;
231 		}
232 
233 		hdr = (struct signature_v2_hdr *)xattr_data;
234 		digest.hdr.algo = hdr->hash_algo;
235 		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
236 				   xattr_value_len, xattr_data->type, &digest);
237 		if (rc)
238 			break;
239 		rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
240 					(const char *)xattr_data, xattr_len,
241 					digest.digest, digest.hdr.length);
242 		if (!rc) {
243 			inode = d_backing_inode(dentry);
244 
245 			if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
246 				if (iint)
247 					iint->flags |= EVM_IMMUTABLE_DIGSIG;
248 				evm_status = INTEGRITY_PASS_IMMUTABLE;
249 			} else if (!IS_RDONLY(inode) &&
250 				   !(inode->i_sb->s_readonly_remount) &&
251 				   !IS_IMMUTABLE(inode)) {
252 				evm_update_evmxattr(dentry, xattr_name,
253 						    xattr_value,
254 						    xattr_value_len);
255 			}
256 		}
257 		break;
258 	default:
259 		rc = -EINVAL;
260 		break;
261 	}
262 
263 	if (rc) {
264 		if (rc == -ENODATA)
265 			evm_status = INTEGRITY_NOXATTRS;
266 		else if (evm_immutable)
267 			evm_status = INTEGRITY_FAIL_IMMUTABLE;
268 		else
269 			evm_status = INTEGRITY_FAIL;
270 	}
271 	pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
272 		  digest.digest);
273 out:
274 	if (iint)
275 		iint->evm_status = evm_status;
276 	kfree(xattr_data);
277 	return evm_status;
278 }
279 
280 static int evm_protected_xattr_common(const char *req_xattr_name,
281 				      bool all_xattrs)
282 {
283 	int namelen;
284 	int found = 0;
285 	struct xattr_list *xattr;
286 
287 	namelen = strlen(req_xattr_name);
288 	list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
289 		if (!all_xattrs && !xattr->enabled)
290 			continue;
291 
292 		if ((strlen(xattr->name) == namelen)
293 		    && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
294 			found = 1;
295 			break;
296 		}
297 		if (strncmp(req_xattr_name,
298 			    xattr->name + XATTR_SECURITY_PREFIX_LEN,
299 			    strlen(req_xattr_name)) == 0) {
300 			found = 1;
301 			break;
302 		}
303 	}
304 
305 	return found;
306 }
307 
308 static int evm_protected_xattr(const char *req_xattr_name)
309 {
310 	return evm_protected_xattr_common(req_xattr_name, false);
311 }
312 
313 int evm_protected_xattr_if_enabled(const char *req_xattr_name)
314 {
315 	return evm_protected_xattr_common(req_xattr_name, true);
316 }
317 
318 /**
319  * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
320  * @dentry: dentry of the read xattrs
321  * @inode: inode of the read xattrs
322  * @buffer: buffer xattr names, lengths or values are copied to
323  * @buffer_size: size of buffer
324  * @type: n: names, l: lengths, v: values
325  * @canonical_fmt: data format (true: little endian, false: native format)
326  *
327  * Read protected xattr names (separated by |), lengths (u32) or values for a
328  * given dentry and return the total size of copied data. If buffer is NULL,
329  * just return the total size.
330  *
331  * Returns the total size on success, a negative value on error.
332  */
333 int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
334 			      int buffer_size, char type, bool canonical_fmt)
335 {
336 	struct xattr_list *xattr;
337 	int rc, size, total_size = 0;
338 
339 	list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
340 		rc = __vfs_getxattr(dentry, d_backing_inode(dentry),
341 				    xattr->name, NULL, 0);
342 		if (rc < 0 && rc == -ENODATA)
343 			continue;
344 		else if (rc < 0)
345 			return rc;
346 
347 		switch (type) {
348 		case 'n':
349 			size = strlen(xattr->name) + 1;
350 			if (buffer) {
351 				if (total_size)
352 					*(buffer + total_size - 1) = '|';
353 
354 				memcpy(buffer + total_size, xattr->name, size);
355 			}
356 			break;
357 		case 'l':
358 			size = sizeof(u32);
359 			if (buffer) {
360 				if (canonical_fmt)
361 					rc = (__force int)cpu_to_le32(rc);
362 
363 				*(u32 *)(buffer + total_size) = rc;
364 			}
365 			break;
366 		case 'v':
367 			size = rc;
368 			if (buffer) {
369 				rc = __vfs_getxattr(dentry,
370 					d_backing_inode(dentry), xattr->name,
371 					buffer + total_size,
372 					buffer_size - total_size);
373 				if (rc < 0)
374 					return rc;
375 			}
376 			break;
377 		default:
378 			return -EINVAL;
379 		}
380 
381 		total_size += size;
382 	}
383 
384 	return total_size;
385 }
386 
387 /**
388  * evm_verifyxattr - verify the integrity of the requested xattr
389  * @dentry: object of the verify xattr
390  * @xattr_name: requested xattr
391  * @xattr_value: requested xattr value
392  * @xattr_value_len: requested xattr value length
393  *
394  * Calculate the HMAC for the given dentry and verify it against the stored
395  * security.evm xattr. For performance, use the xattr value and length
396  * previously retrieved to calculate the HMAC.
397  *
398  * Returns the xattr integrity status.
399  *
400  * This function requires the caller to lock the inode's i_mutex before it
401  * is executed.
402  */
403 enum integrity_status evm_verifyxattr(struct dentry *dentry,
404 				      const char *xattr_name,
405 				      void *xattr_value, size_t xattr_value_len,
406 				      struct integrity_iint_cache *iint)
407 {
408 	if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
409 		return INTEGRITY_UNKNOWN;
410 
411 	if (!iint) {
412 		iint = integrity_iint_find(d_backing_inode(dentry));
413 		if (!iint)
414 			return INTEGRITY_UNKNOWN;
415 	}
416 	return evm_verify_hmac(dentry, xattr_name, xattr_value,
417 				 xattr_value_len, iint);
418 }
419 EXPORT_SYMBOL_GPL(evm_verifyxattr);
420 
421 /*
422  * evm_verify_current_integrity - verify the dentry's metadata integrity
423  * @dentry: pointer to the affected dentry
424  *
425  * Verify and return the dentry's metadata integrity. The exceptions are
426  * before EVM is initialized or in 'fix' mode.
427  */
428 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
429 {
430 	struct inode *inode = d_backing_inode(dentry);
431 
432 	if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
433 		return INTEGRITY_PASS;
434 	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
435 }
436 
437 /*
438  * evm_xattr_acl_change - check if passed ACL changes the inode mode
439  * @mnt_userns: user namespace of the idmapped mount
440  * @dentry: pointer to the affected dentry
441  * @xattr_name: requested xattr
442  * @xattr_value: requested xattr value
443  * @xattr_value_len: requested xattr value length
444  *
445  * Check if passed ACL changes the inode mode, which is protected by EVM.
446  *
447  * Returns 1 if passed ACL causes inode mode change, 0 otherwise.
448  */
449 static int evm_xattr_acl_change(struct user_namespace *mnt_userns,
450 				struct dentry *dentry, const char *xattr_name,
451 				const void *xattr_value, size_t xattr_value_len)
452 {
453 #ifdef CONFIG_FS_POSIX_ACL
454 	umode_t mode;
455 	struct posix_acl *acl = NULL, *acl_res;
456 	struct inode *inode = d_backing_inode(dentry);
457 	int rc;
458 
459 	/*
460 	 * user_ns is not relevant here, ACL_USER/ACL_GROUP don't have impact
461 	 * on the inode mode (see posix_acl_equiv_mode()).
462 	 */
463 	acl = posix_acl_from_xattr(&init_user_ns, xattr_value, xattr_value_len);
464 	if (IS_ERR_OR_NULL(acl))
465 		return 1;
466 
467 	acl_res = acl;
468 	/*
469 	 * Passing mnt_userns is necessary to correctly determine the GID in
470 	 * an idmapped mount, as the GID is used to clear the setgid bit in
471 	 * the inode mode.
472 	 */
473 	rc = posix_acl_update_mode(mnt_userns, inode, &mode, &acl_res);
474 
475 	posix_acl_release(acl);
476 
477 	if (rc)
478 		return 1;
479 
480 	if (inode->i_mode != mode)
481 		return 1;
482 #endif
483 	return 0;
484 }
485 
486 /*
487  * evm_xattr_change - check if passed xattr value differs from current value
488  * @mnt_userns: user namespace of the idmapped mount
489  * @dentry: pointer to the affected dentry
490  * @xattr_name: requested xattr
491  * @xattr_value: requested xattr value
492  * @xattr_value_len: requested xattr value length
493  *
494  * Check if passed xattr value differs from current value.
495  *
496  * Returns 1 if passed xattr value differs from current value, 0 otherwise.
497  */
498 static int evm_xattr_change(struct user_namespace *mnt_userns,
499 			    struct dentry *dentry, const char *xattr_name,
500 			    const void *xattr_value, size_t xattr_value_len)
501 {
502 	char *xattr_data = NULL;
503 	int rc = 0;
504 
505 	if (posix_xattr_acl(xattr_name))
506 		return evm_xattr_acl_change(mnt_userns, dentry, xattr_name,
507 					    xattr_value, xattr_value_len);
508 
509 	rc = vfs_getxattr_alloc(&init_user_ns, dentry, xattr_name, &xattr_data,
510 				0, GFP_NOFS);
511 	if (rc < 0)
512 		return 1;
513 
514 	if (rc == xattr_value_len)
515 		rc = !!memcmp(xattr_value, xattr_data, rc);
516 	else
517 		rc = 1;
518 
519 	kfree(xattr_data);
520 	return rc;
521 }
522 
523 /*
524  * evm_protect_xattr - protect the EVM extended attribute
525  *
526  * Prevent security.evm from being modified or removed without the
527  * necessary permissions or when the existing value is invalid.
528  *
529  * The posix xattr acls are 'system' prefixed, which normally would not
530  * affect security.evm.  An interesting side affect of writing posix xattr
531  * acls is their modifying of the i_mode, which is included in security.evm.
532  * For posix xattr acls only, permit security.evm, even if it currently
533  * doesn't exist, to be updated unless the EVM signature is immutable.
534  */
535 static int evm_protect_xattr(struct user_namespace *mnt_userns,
536 			     struct dentry *dentry, const char *xattr_name,
537 			     const void *xattr_value, size_t xattr_value_len)
538 {
539 	enum integrity_status evm_status;
540 
541 	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
542 		if (!capable(CAP_SYS_ADMIN))
543 			return -EPERM;
544 	} else if (!evm_protected_xattr(xattr_name)) {
545 		if (!posix_xattr_acl(xattr_name))
546 			return 0;
547 		evm_status = evm_verify_current_integrity(dentry);
548 		if ((evm_status == INTEGRITY_PASS) ||
549 		    (evm_status == INTEGRITY_NOXATTRS))
550 			return 0;
551 		goto out;
552 	}
553 
554 	evm_status = evm_verify_current_integrity(dentry);
555 	if (evm_status == INTEGRITY_NOXATTRS) {
556 		struct integrity_iint_cache *iint;
557 
558 		/* Exception if the HMAC is not going to be calculated. */
559 		if (evm_hmac_disabled())
560 			return 0;
561 
562 		iint = integrity_iint_find(d_backing_inode(dentry));
563 		if (iint && (iint->flags & IMA_NEW_FILE))
564 			return 0;
565 
566 		/* exception for pseudo filesystems */
567 		if (dentry->d_sb->s_magic == TMPFS_MAGIC
568 		    || dentry->d_sb->s_magic == SYSFS_MAGIC)
569 			return 0;
570 
571 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
572 				    dentry->d_inode, dentry->d_name.name,
573 				    "update_metadata",
574 				    integrity_status_msg[evm_status],
575 				    -EPERM, 0);
576 	}
577 out:
578 	/* Exception if the HMAC is not going to be calculated. */
579 	if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
580 	    evm_status == INTEGRITY_UNKNOWN))
581 		return 0;
582 
583 	/*
584 	 * Writing other xattrs is safe for portable signatures, as portable
585 	 * signatures are immutable and can never be updated.
586 	 */
587 	if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
588 		return 0;
589 
590 	if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
591 	    !evm_xattr_change(mnt_userns, dentry, xattr_name, xattr_value,
592 			      xattr_value_len))
593 		return 0;
594 
595 	if (evm_status != INTEGRITY_PASS &&
596 	    evm_status != INTEGRITY_PASS_IMMUTABLE)
597 		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
598 				    dentry->d_name.name, "appraise_metadata",
599 				    integrity_status_msg[evm_status],
600 				    -EPERM, 0);
601 	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
602 }
603 
604 /**
605  * evm_inode_setxattr - protect the EVM extended attribute
606  * @mnt_userns: user namespace of the idmapped mount
607  * @dentry: pointer to the affected dentry
608  * @xattr_name: pointer to the affected extended attribute name
609  * @xattr_value: pointer to the new extended attribute value
610  * @xattr_value_len: pointer to the new extended attribute value length
611  *
612  * Before allowing the 'security.evm' protected xattr to be updated,
613  * verify the existing value is valid.  As only the kernel should have
614  * access to the EVM encrypted key needed to calculate the HMAC, prevent
615  * userspace from writing HMAC value.  Writing 'security.evm' requires
616  * requires CAP_SYS_ADMIN privileges.
617  */
618 int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
619 		       const char *xattr_name, const void *xattr_value,
620 		       size_t xattr_value_len)
621 {
622 	const struct evm_ima_xattr_data *xattr_data = xattr_value;
623 
624 	/* Policy permits modification of the protected xattrs even though
625 	 * there's no HMAC key loaded
626 	 */
627 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
628 		return 0;
629 
630 	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
631 		if (!xattr_value_len)
632 			return -EINVAL;
633 		if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
634 		    xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
635 			return -EPERM;
636 	}
637 	return evm_protect_xattr(mnt_userns, dentry, xattr_name, xattr_value,
638 				 xattr_value_len);
639 }
640 
641 /**
642  * evm_inode_removexattr - protect the EVM extended attribute
643  * @mnt_userns: user namespace of the idmapped mount
644  * @dentry: pointer to the affected dentry
645  * @xattr_name: pointer to the affected extended attribute name
646  *
647  * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
648  * the current value is valid.
649  */
650 int evm_inode_removexattr(struct user_namespace *mnt_userns,
651 			  struct dentry *dentry, const char *xattr_name)
652 {
653 	/* Policy permits modification of the protected xattrs even though
654 	 * there's no HMAC key loaded
655 	 */
656 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
657 		return 0;
658 
659 	return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0);
660 }
661 
662 static void evm_reset_status(struct inode *inode)
663 {
664 	struct integrity_iint_cache *iint;
665 
666 	iint = integrity_iint_find(inode);
667 	if (iint)
668 		iint->evm_status = INTEGRITY_UNKNOWN;
669 }
670 
671 /**
672  * evm_revalidate_status - report whether EVM status re-validation is necessary
673  * @xattr_name: pointer to the affected extended attribute name
674  *
675  * Report whether callers of evm_verifyxattr() should re-validate the
676  * EVM status.
677  *
678  * Return true if re-validation is necessary, false otherwise.
679  */
680 bool evm_revalidate_status(const char *xattr_name)
681 {
682 	if (!evm_key_loaded())
683 		return false;
684 
685 	/* evm_inode_post_setattr() passes NULL */
686 	if (!xattr_name)
687 		return true;
688 
689 	if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
690 	    strcmp(xattr_name, XATTR_NAME_EVM))
691 		return false;
692 
693 	return true;
694 }
695 
696 /**
697  * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
698  * @dentry: pointer to the affected dentry
699  * @xattr_name: pointer to the affected extended attribute name
700  * @xattr_value: pointer to the new extended attribute value
701  * @xattr_value_len: pointer to the new extended attribute value length
702  *
703  * Update the HMAC stored in 'security.evm' to reflect the change.
704  *
705  * No need to take the i_mutex lock here, as this function is called from
706  * __vfs_setxattr_noperm().  The caller of which has taken the inode's
707  * i_mutex lock.
708  */
709 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
710 			     const void *xattr_value, size_t xattr_value_len)
711 {
712 	if (!evm_revalidate_status(xattr_name))
713 		return;
714 
715 	evm_reset_status(dentry->d_inode);
716 
717 	if (!strcmp(xattr_name, XATTR_NAME_EVM))
718 		return;
719 
720 	if (!(evm_initialized & EVM_INIT_HMAC))
721 		return;
722 
723 	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
724 }
725 
726 /**
727  * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
728  * @dentry: pointer to the affected dentry
729  * @xattr_name: pointer to the affected extended attribute name
730  *
731  * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
732  *
733  * No need to take the i_mutex lock here, as this function is called from
734  * vfs_removexattr() which takes the i_mutex.
735  */
736 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
737 {
738 	if (!evm_revalidate_status(xattr_name))
739 		return;
740 
741 	evm_reset_status(dentry->d_inode);
742 
743 	if (!strcmp(xattr_name, XATTR_NAME_EVM))
744 		return;
745 
746 	if (!(evm_initialized & EVM_INIT_HMAC))
747 		return;
748 
749 	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
750 }
751 
752 static int evm_attr_change(struct user_namespace *mnt_userns,
753 			   struct dentry *dentry, struct iattr *attr)
754 {
755 	struct inode *inode = d_backing_inode(dentry);
756 	unsigned int ia_valid = attr->ia_valid;
757 
758 	if (!i_uid_needs_update(mnt_userns, attr, inode) &&
759 	    !i_gid_needs_update(mnt_userns, attr, inode) &&
760 	    (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
761 		return 0;
762 
763 	return 1;
764 }
765 
766 /**
767  * evm_inode_setattr - prevent updating an invalid EVM extended attribute
768  * @dentry: pointer to the affected dentry
769  *
770  * Permit update of file attributes when files have a valid EVM signature,
771  * except in the case of them having an immutable portable signature.
772  */
773 int evm_inode_setattr(struct user_namespace *mnt_userns, struct dentry *dentry,
774 		      struct iattr *attr)
775 {
776 	unsigned int ia_valid = attr->ia_valid;
777 	enum integrity_status evm_status;
778 
779 	/* Policy permits modification of the protected attrs even though
780 	 * there's no HMAC key loaded
781 	 */
782 	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
783 		return 0;
784 
785 	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
786 		return 0;
787 	evm_status = evm_verify_current_integrity(dentry);
788 	/*
789 	 * Writing attrs is safe for portable signatures, as portable signatures
790 	 * are immutable and can never be updated.
791 	 */
792 	if ((evm_status == INTEGRITY_PASS) ||
793 	    (evm_status == INTEGRITY_NOXATTRS) ||
794 	    (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
795 	    (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
796 	     evm_status == INTEGRITY_UNKNOWN)))
797 		return 0;
798 
799 	if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
800 	    !evm_attr_change(mnt_userns, dentry, attr))
801 		return 0;
802 
803 	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
804 			    dentry->d_name.name, "appraise_metadata",
805 			    integrity_status_msg[evm_status], -EPERM, 0);
806 	return -EPERM;
807 }
808 
809 /**
810  * evm_inode_post_setattr - update 'security.evm' after modifying metadata
811  * @dentry: pointer to the affected dentry
812  * @ia_valid: for the UID and GID status
813  *
814  * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
815  * changes.
816  *
817  * This function is called from notify_change(), which expects the caller
818  * to lock the inode's i_mutex.
819  */
820 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
821 {
822 	if (!evm_revalidate_status(NULL))
823 		return;
824 
825 	evm_reset_status(dentry->d_inode);
826 
827 	if (!(evm_initialized & EVM_INIT_HMAC))
828 		return;
829 
830 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
831 		evm_update_evmxattr(dentry, NULL, NULL, 0);
832 }
833 
834 /*
835  * evm_inode_init_security - initializes security.evm HMAC value
836  */
837 int evm_inode_init_security(struct inode *inode,
838 				 const struct xattr *lsm_xattr,
839 				 struct xattr *evm_xattr)
840 {
841 	struct evm_xattr *xattr_data;
842 	int rc;
843 
844 	if (!(evm_initialized & EVM_INIT_HMAC) ||
845 	    !evm_protected_xattr(lsm_xattr->name))
846 		return 0;
847 
848 	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
849 	if (!xattr_data)
850 		return -ENOMEM;
851 
852 	xattr_data->data.type = EVM_XATTR_HMAC;
853 	rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
854 	if (rc < 0)
855 		goto out;
856 
857 	evm_xattr->value = xattr_data;
858 	evm_xattr->value_len = sizeof(*xattr_data);
859 	evm_xattr->name = XATTR_EVM_SUFFIX;
860 	return 0;
861 out:
862 	kfree(xattr_data);
863 	return rc;
864 }
865 EXPORT_SYMBOL_GPL(evm_inode_init_security);
866 
867 #ifdef CONFIG_EVM_LOAD_X509
868 void __init evm_load_x509(void)
869 {
870 	int rc;
871 
872 	rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
873 	if (!rc)
874 		evm_initialized |= EVM_INIT_X509;
875 }
876 #endif
877 
878 static int __init init_evm(void)
879 {
880 	int error;
881 	struct list_head *pos, *q;
882 
883 	evm_init_config();
884 
885 	error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
886 	if (error)
887 		goto error;
888 
889 	error = evm_init_secfs();
890 	if (error < 0) {
891 		pr_info("Error registering secfs\n");
892 		goto error;
893 	}
894 
895 error:
896 	if (error != 0) {
897 		if (!list_empty(&evm_config_xattrnames)) {
898 			list_for_each_safe(pos, q, &evm_config_xattrnames)
899 				list_del(pos);
900 		}
901 	}
902 
903 	return error;
904 }
905 
906 late_initcall(init_evm);
907