1 /* 2 * Copyright (C) 2005-2010 IBM Corporation 3 * 4 * Author: 5 * Mimi Zohar <zohar@us.ibm.com> 6 * Kylene Hall <kjhall@us.ibm.com> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation, version 2 of the License. 11 * 12 * File: evm_main.c 13 * implements evm_inode_setxattr, evm_inode_post_setxattr, 14 * evm_inode_removexattr, and evm_verifyxattr 15 */ 16 17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 18 19 #include <linux/module.h> 20 #include <linux/crypto.h> 21 #include <linux/audit.h> 22 #include <linux/xattr.h> 23 #include <linux/integrity.h> 24 #include <linux/evm.h> 25 #include <linux/magic.h> 26 27 #include <crypto/hash.h> 28 #include <crypto/algapi.h> 29 #include "evm.h" 30 31 int evm_initialized; 32 33 static const char * const integrity_status_msg[] = { 34 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown" 35 }; 36 int evm_hmac_attrs; 37 38 static struct xattr_list evm_config_default_xattrnames[] = { 39 #ifdef CONFIG_SECURITY_SELINUX 40 {.name = XATTR_NAME_SELINUX}, 41 #endif 42 #ifdef CONFIG_SECURITY_SMACK 43 {.name = XATTR_NAME_SMACK}, 44 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS 45 {.name = XATTR_NAME_SMACKEXEC}, 46 {.name = XATTR_NAME_SMACKTRANSMUTE}, 47 {.name = XATTR_NAME_SMACKMMAP}, 48 #endif 49 #endif 50 #ifdef CONFIG_SECURITY_APPARMOR 51 {.name = XATTR_NAME_APPARMOR}, 52 #endif 53 #ifdef CONFIG_IMA_APPRAISE 54 {.name = XATTR_NAME_IMA}, 55 #endif 56 {.name = XATTR_NAME_CAPS}, 57 }; 58 59 LIST_HEAD(evm_config_xattrnames); 60 61 static int evm_fixmode; 62 static int __init evm_set_fixmode(char *str) 63 { 64 if (strncmp(str, "fix", 3) == 0) 65 evm_fixmode = 1; 66 return 0; 67 } 68 __setup("evm=", evm_set_fixmode); 69 70 static void __init evm_init_config(void) 71 { 72 int i, xattrs; 73 74 xattrs = ARRAY_SIZE(evm_config_default_xattrnames); 75 76 pr_info("Initialising EVM extended attributes:\n"); 77 for (i = 0; i < xattrs; i++) { 78 pr_info("%s\n", evm_config_default_xattrnames[i].name); 79 list_add_tail(&evm_config_default_xattrnames[i].list, 80 &evm_config_xattrnames); 81 } 82 83 #ifdef CONFIG_EVM_ATTR_FSUUID 84 evm_hmac_attrs |= EVM_ATTR_FSUUID; 85 #endif 86 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 87 } 88 89 static bool evm_key_loaded(void) 90 { 91 return (bool)(evm_initialized & EVM_KEY_MASK); 92 } 93 94 static int evm_find_protected_xattrs(struct dentry *dentry) 95 { 96 struct inode *inode = d_backing_inode(dentry); 97 struct xattr_list *xattr; 98 int error; 99 int count = 0; 100 101 if (!(inode->i_opflags & IOP_XATTR)) 102 return -EOPNOTSUPP; 103 104 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { 105 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); 106 if (error < 0) { 107 if (error == -ENODATA) 108 continue; 109 return error; 110 } 111 count++; 112 } 113 114 return count; 115 } 116 117 /* 118 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 119 * 120 * Compute the HMAC on the dentry's protected set of extended attributes 121 * and compare it against the stored security.evm xattr. 122 * 123 * For performance: 124 * - use the previoulsy retrieved xattr value and length to calculate the 125 * HMAC.) 126 * - cache the verification result in the iint, when available. 127 * 128 * Returns integrity status 129 */ 130 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 131 const char *xattr_name, 132 char *xattr_value, 133 size_t xattr_value_len, 134 struct integrity_iint_cache *iint) 135 { 136 struct evm_ima_xattr_data *xattr_data = NULL; 137 struct evm_ima_xattr_data calc; 138 enum integrity_status evm_status = INTEGRITY_PASS; 139 struct inode *inode; 140 int rc, xattr_len; 141 142 if (iint && (iint->evm_status == INTEGRITY_PASS || 143 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 144 return iint->evm_status; 145 146 /* if status is not PASS, try to check again - against -ENOMEM */ 147 148 /* first need to know the sig type */ 149 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, 150 GFP_NOFS); 151 if (rc <= 0) { 152 evm_status = INTEGRITY_FAIL; 153 if (rc == -ENODATA) { 154 rc = evm_find_protected_xattrs(dentry); 155 if (rc > 0) 156 evm_status = INTEGRITY_NOLABEL; 157 else if (rc == 0) 158 evm_status = INTEGRITY_NOXATTRS; /* new file */ 159 } else if (rc == -EOPNOTSUPP) { 160 evm_status = INTEGRITY_UNKNOWN; 161 } 162 goto out; 163 } 164 165 xattr_len = rc; 166 167 /* check value type */ 168 switch (xattr_data->type) { 169 case EVM_XATTR_HMAC: 170 if (xattr_len != sizeof(struct evm_ima_xattr_data)) { 171 evm_status = INTEGRITY_FAIL; 172 goto out; 173 } 174 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 175 xattr_value_len, calc.digest); 176 if (rc) 177 break; 178 rc = crypto_memneq(xattr_data->digest, calc.digest, 179 sizeof(calc.digest)); 180 if (rc) 181 rc = -EINVAL; 182 break; 183 case EVM_IMA_XATTR_DIGSIG: 184 case EVM_XATTR_PORTABLE_DIGSIG: 185 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 186 xattr_value_len, xattr_data->type, 187 calc.digest); 188 if (rc) 189 break; 190 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 191 (const char *)xattr_data, xattr_len, 192 calc.digest, sizeof(calc.digest)); 193 if (!rc) { 194 inode = d_backing_inode(dentry); 195 196 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 197 if (iint) 198 iint->flags |= EVM_IMMUTABLE_DIGSIG; 199 evm_status = INTEGRITY_PASS_IMMUTABLE; 200 } else if (!IS_RDONLY(inode) && 201 !(inode->i_sb->s_readonly_remount) && 202 !IS_IMMUTABLE(inode)) { 203 evm_update_evmxattr(dentry, xattr_name, 204 xattr_value, 205 xattr_value_len); 206 } 207 } 208 break; 209 default: 210 rc = -EINVAL; 211 break; 212 } 213 214 if (rc) 215 evm_status = (rc == -ENODATA) ? 216 INTEGRITY_NOXATTRS : INTEGRITY_FAIL; 217 out: 218 if (iint) 219 iint->evm_status = evm_status; 220 kfree(xattr_data); 221 return evm_status; 222 } 223 224 static int evm_protected_xattr(const char *req_xattr_name) 225 { 226 int namelen; 227 int found = 0; 228 struct xattr_list *xattr; 229 230 namelen = strlen(req_xattr_name); 231 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { 232 if ((strlen(xattr->name) == namelen) 233 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { 234 found = 1; 235 break; 236 } 237 if (strncmp(req_xattr_name, 238 xattr->name + XATTR_SECURITY_PREFIX_LEN, 239 strlen(req_xattr_name)) == 0) { 240 found = 1; 241 break; 242 } 243 } 244 245 return found; 246 } 247 248 /** 249 * evm_verifyxattr - verify the integrity of the requested xattr 250 * @dentry: object of the verify xattr 251 * @xattr_name: requested xattr 252 * @xattr_value: requested xattr value 253 * @xattr_value_len: requested xattr value length 254 * 255 * Calculate the HMAC for the given dentry and verify it against the stored 256 * security.evm xattr. For performance, use the xattr value and length 257 * previously retrieved to calculate the HMAC. 258 * 259 * Returns the xattr integrity status. 260 * 261 * This function requires the caller to lock the inode's i_mutex before it 262 * is executed. 263 */ 264 enum integrity_status evm_verifyxattr(struct dentry *dentry, 265 const char *xattr_name, 266 void *xattr_value, size_t xattr_value_len, 267 struct integrity_iint_cache *iint) 268 { 269 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 270 return INTEGRITY_UNKNOWN; 271 272 if (!iint) { 273 iint = integrity_iint_find(d_backing_inode(dentry)); 274 if (!iint) 275 return INTEGRITY_UNKNOWN; 276 } 277 return evm_verify_hmac(dentry, xattr_name, xattr_value, 278 xattr_value_len, iint); 279 } 280 EXPORT_SYMBOL_GPL(evm_verifyxattr); 281 282 /* 283 * evm_verify_current_integrity - verify the dentry's metadata integrity 284 * @dentry: pointer to the affected dentry 285 * 286 * Verify and return the dentry's metadata integrity. The exceptions are 287 * before EVM is initialized or in 'fix' mode. 288 */ 289 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 290 { 291 struct inode *inode = d_backing_inode(dentry); 292 293 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) 294 return 0; 295 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 296 } 297 298 /* 299 * evm_protect_xattr - protect the EVM extended attribute 300 * 301 * Prevent security.evm from being modified or removed without the 302 * necessary permissions or when the existing value is invalid. 303 * 304 * The posix xattr acls are 'system' prefixed, which normally would not 305 * affect security.evm. An interesting side affect of writing posix xattr 306 * acls is their modifying of the i_mode, which is included in security.evm. 307 * For posix xattr acls only, permit security.evm, even if it currently 308 * doesn't exist, to be updated unless the EVM signature is immutable. 309 */ 310 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 311 const void *xattr_value, size_t xattr_value_len) 312 { 313 enum integrity_status evm_status; 314 315 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 316 if (!capable(CAP_SYS_ADMIN)) 317 return -EPERM; 318 } else if (!evm_protected_xattr(xattr_name)) { 319 if (!posix_xattr_acl(xattr_name)) 320 return 0; 321 evm_status = evm_verify_current_integrity(dentry); 322 if ((evm_status == INTEGRITY_PASS) || 323 (evm_status == INTEGRITY_NOXATTRS)) 324 return 0; 325 goto out; 326 } 327 328 evm_status = evm_verify_current_integrity(dentry); 329 if (evm_status == INTEGRITY_NOXATTRS) { 330 struct integrity_iint_cache *iint; 331 332 iint = integrity_iint_find(d_backing_inode(dentry)); 333 if (iint && (iint->flags & IMA_NEW_FILE)) 334 return 0; 335 336 /* exception for pseudo filesystems */ 337 if (dentry->d_sb->s_magic == TMPFS_MAGIC 338 || dentry->d_sb->s_magic == SYSFS_MAGIC) 339 return 0; 340 341 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, 342 dentry->d_inode, dentry->d_name.name, 343 "update_metadata", 344 integrity_status_msg[evm_status], 345 -EPERM, 0); 346 } 347 out: 348 if (evm_status != INTEGRITY_PASS) 349 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 350 dentry->d_name.name, "appraise_metadata", 351 integrity_status_msg[evm_status], 352 -EPERM, 0); 353 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; 354 } 355 356 /** 357 * evm_inode_setxattr - protect the EVM extended attribute 358 * @dentry: pointer to the affected dentry 359 * @xattr_name: pointer to the affected extended attribute name 360 * @xattr_value: pointer to the new extended attribute value 361 * @xattr_value_len: pointer to the new extended attribute value length 362 * 363 * Before allowing the 'security.evm' protected xattr to be updated, 364 * verify the existing value is valid. As only the kernel should have 365 * access to the EVM encrypted key needed to calculate the HMAC, prevent 366 * userspace from writing HMAC value. Writing 'security.evm' requires 367 * requires CAP_SYS_ADMIN privileges. 368 */ 369 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 370 const void *xattr_value, size_t xattr_value_len) 371 { 372 const struct evm_ima_xattr_data *xattr_data = xattr_value; 373 374 /* Policy permits modification of the protected xattrs even though 375 * there's no HMAC key loaded 376 */ 377 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 378 return 0; 379 380 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 381 if (!xattr_value_len) 382 return -EINVAL; 383 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && 384 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) 385 return -EPERM; 386 } 387 return evm_protect_xattr(dentry, xattr_name, xattr_value, 388 xattr_value_len); 389 } 390 391 /** 392 * evm_inode_removexattr - protect the EVM extended attribute 393 * @dentry: pointer to the affected dentry 394 * @xattr_name: pointer to the affected extended attribute name 395 * 396 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that 397 * the current value is valid. 398 */ 399 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 400 { 401 /* Policy permits modification of the protected xattrs even though 402 * there's no HMAC key loaded 403 */ 404 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 405 return 0; 406 407 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 408 } 409 410 static void evm_reset_status(struct inode *inode) 411 { 412 struct integrity_iint_cache *iint; 413 414 iint = integrity_iint_find(inode); 415 if (iint) 416 iint->evm_status = INTEGRITY_UNKNOWN; 417 } 418 419 /** 420 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 421 * @dentry: pointer to the affected dentry 422 * @xattr_name: pointer to the affected extended attribute name 423 * @xattr_value: pointer to the new extended attribute value 424 * @xattr_value_len: pointer to the new extended attribute value length 425 * 426 * Update the HMAC stored in 'security.evm' to reflect the change. 427 * 428 * No need to take the i_mutex lock here, as this function is called from 429 * __vfs_setxattr_noperm(). The caller of which has taken the inode's 430 * i_mutex lock. 431 */ 432 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 433 const void *xattr_value, size_t xattr_value_len) 434 { 435 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) 436 && !posix_xattr_acl(xattr_name))) 437 return; 438 439 evm_reset_status(dentry->d_inode); 440 441 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 442 } 443 444 /** 445 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr 446 * @dentry: pointer to the affected dentry 447 * @xattr_name: pointer to the affected extended attribute name 448 * 449 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. 450 * 451 * No need to take the i_mutex lock here, as this function is called from 452 * vfs_removexattr() which takes the i_mutex. 453 */ 454 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 455 { 456 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) 457 return; 458 459 evm_reset_status(dentry->d_inode); 460 461 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 462 } 463 464 /** 465 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 466 * @dentry: pointer to the affected dentry 467 * 468 * Permit update of file attributes when files have a valid EVM signature, 469 * except in the case of them having an immutable portable signature. 470 */ 471 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 472 { 473 unsigned int ia_valid = attr->ia_valid; 474 enum integrity_status evm_status; 475 476 /* Policy permits modification of the protected attrs even though 477 * there's no HMAC key loaded 478 */ 479 if (evm_initialized & EVM_ALLOW_METADATA_WRITES) 480 return 0; 481 482 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 483 return 0; 484 evm_status = evm_verify_current_integrity(dentry); 485 if ((evm_status == INTEGRITY_PASS) || 486 (evm_status == INTEGRITY_NOXATTRS)) 487 return 0; 488 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), 489 dentry->d_name.name, "appraise_metadata", 490 integrity_status_msg[evm_status], -EPERM, 0); 491 return -EPERM; 492 } 493 494 /** 495 * evm_inode_post_setattr - update 'security.evm' after modifying metadata 496 * @dentry: pointer to the affected dentry 497 * @ia_valid: for the UID and GID status 498 * 499 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID 500 * changes. 501 * 502 * This function is called from notify_change(), which expects the caller 503 * to lock the inode's i_mutex. 504 */ 505 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 506 { 507 if (!evm_key_loaded()) 508 return; 509 510 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 511 evm_update_evmxattr(dentry, NULL, NULL, 0); 512 } 513 514 /* 515 * evm_inode_init_security - initializes security.evm 516 */ 517 int evm_inode_init_security(struct inode *inode, 518 const struct xattr *lsm_xattr, 519 struct xattr *evm_xattr) 520 { 521 struct evm_ima_xattr_data *xattr_data; 522 int rc; 523 524 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) 525 return 0; 526 527 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 528 if (!xattr_data) 529 return -ENOMEM; 530 531 xattr_data->type = EVM_XATTR_HMAC; 532 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 533 if (rc < 0) 534 goto out; 535 536 evm_xattr->value = xattr_data; 537 evm_xattr->value_len = sizeof(*xattr_data); 538 evm_xattr->name = XATTR_EVM_SUFFIX; 539 return 0; 540 out: 541 kfree(xattr_data); 542 return rc; 543 } 544 EXPORT_SYMBOL_GPL(evm_inode_init_security); 545 546 #ifdef CONFIG_EVM_LOAD_X509 547 void __init evm_load_x509(void) 548 { 549 int rc; 550 551 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 552 if (!rc) 553 evm_initialized |= EVM_INIT_X509; 554 } 555 #endif 556 557 static int __init init_evm(void) 558 { 559 int error; 560 struct list_head *pos, *q; 561 struct xattr_list *xattr; 562 563 evm_init_config(); 564 565 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 566 if (error) 567 goto error; 568 569 error = evm_init_secfs(); 570 if (error < 0) { 571 pr_info("Error registering secfs\n"); 572 goto error; 573 } 574 575 error: 576 if (error != 0) { 577 if (!list_empty(&evm_config_xattrnames)) { 578 list_for_each_safe(pos, q, &evm_config_xattrnames) { 579 xattr = list_entry(pos, struct xattr_list, 580 list); 581 list_del(pos); 582 } 583 } 584 } 585 586 return error; 587 } 588 589 late_initcall(init_evm); 590 591 MODULE_DESCRIPTION("Extended Verification Module"); 592 MODULE_LICENSE("GPL"); 593