1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18
19#include <linux/module.h>
20#include <linux/crypto.h>
21#include <linux/audit.h>
22#include <linux/xattr.h>
23#include <linux/integrity.h>
24#include <linux/evm.h>
25#include <linux/magic.h>
26
27#include <crypto/hash.h>
28#include <crypto/algapi.h>
29#include "evm.h"
30
31int evm_initialized;
32
33static char *integrity_status_msg[] = {
34 "pass", "fail", "no_label", "no_xattrs", "unknown"
35};
36char *evm_hmac = "hmac(sha1)";
37char *evm_hash = "sha1";
38int evm_hmac_attrs;
39
40char *evm_config_xattrnames[] = {
41#ifdef CONFIG_SECURITY_SELINUX
42 XATTR_NAME_SELINUX,
43#endif
44#ifdef CONFIG_SECURITY_SMACK
45 XATTR_NAME_SMACK,
46#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
47 XATTR_NAME_SMACKEXEC,
48 XATTR_NAME_SMACKTRANSMUTE,
49 XATTR_NAME_SMACKMMAP,
50#endif
51#endif
52#ifdef CONFIG_IMA_APPRAISE
53 XATTR_NAME_IMA,
54#endif
55 XATTR_NAME_CAPS,
56 NULL
57};
58
59static int evm_fixmode;
60static int __init evm_set_fixmode(char *str)
61{
62 if (strncmp(str, "fix", 3) == 0)
63 evm_fixmode = 1;
64 return 0;
65}
66__setup("evm=", evm_set_fixmode);
67
68static void __init evm_init_config(void)
69{
70#ifdef CONFIG_EVM_ATTR_FSUUID
71 evm_hmac_attrs |= EVM_ATTR_FSUUID;
72#endif
73 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
74}
75
76static int evm_find_protected_xattrs(struct dentry *dentry)
77{
78 struct inode *inode = d_backing_inode(dentry);
79 char **xattr;
80 int error;
81 int count = 0;
82
83 if (!(inode->i_opflags & IOP_XATTR))
84 return -EOPNOTSUPP;
85
86 for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
87 error = __vfs_getxattr(dentry, inode, *xattr, NULL, 0);
88 if (error < 0) {
89 if (error == -ENODATA)
90 continue;
91 return error;
92 }
93 count++;
94 }
95
96 return count;
97}
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112static enum integrity_status evm_verify_hmac(struct dentry *dentry,
113 const char *xattr_name,
114 char *xattr_value,
115 size_t xattr_value_len,
116 struct integrity_iint_cache *iint)
117{
118 struct evm_ima_xattr_data *xattr_data = NULL;
119 struct evm_ima_xattr_data calc;
120 enum integrity_status evm_status = INTEGRITY_PASS;
121 int rc, xattr_len;
122
123 if (iint && iint->evm_status == INTEGRITY_PASS)
124 return iint->evm_status;
125
126
127
128
129 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
130 GFP_NOFS);
131 if (rc <= 0) {
132 evm_status = INTEGRITY_FAIL;
133 if (rc == -ENODATA) {
134 rc = evm_find_protected_xattrs(dentry);
135 if (rc > 0)
136 evm_status = INTEGRITY_NOLABEL;
137 else if (rc == 0)
138 evm_status = INTEGRITY_NOXATTRS;
139 } else if (rc == -EOPNOTSUPP) {
140 evm_status = INTEGRITY_UNKNOWN;
141 }
142 goto out;
143 }
144
145 xattr_len = rc;
146
147
148 switch (xattr_data->type) {
149 case EVM_XATTR_HMAC:
150 if (xattr_len != sizeof(struct evm_ima_xattr_data)) {
151 evm_status = INTEGRITY_FAIL;
152 goto out;
153 }
154 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
155 xattr_value_len, calc.digest);
156 if (rc)
157 break;
158 rc = crypto_memneq(xattr_data->digest, calc.digest,
159 sizeof(calc.digest));
160 if (rc)
161 rc = -EINVAL;
162 break;
163 case EVM_IMA_XATTR_DIGSIG:
164 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
165 xattr_value_len, calc.digest);
166 if (rc)
167 break;
168 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
169 (const char *)xattr_data, xattr_len,
170 calc.digest, sizeof(calc.digest));
171 if (!rc) {
172
173
174
175 if (!IS_RDONLY(d_backing_inode(dentry)) &&
176 !IS_IMMUTABLE(d_backing_inode(dentry)))
177 evm_update_evmxattr(dentry, xattr_name,
178 xattr_value,
179 xattr_value_len);
180 }
181 break;
182 default:
183 rc = -EINVAL;
184 break;
185 }
186
187 if (rc)
188 evm_status = (rc == -ENODATA) ?
189 INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
190out:
191 if (iint)
192 iint->evm_status = evm_status;
193 kfree(xattr_data);
194 return evm_status;
195}
196
197static int evm_protected_xattr(const char *req_xattr_name)
198{
199 char **xattrname;
200 int namelen;
201 int found = 0;
202
203 namelen = strlen(req_xattr_name);
204 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
205 if ((strlen(*xattrname) == namelen)
206 && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) {
207 found = 1;
208 break;
209 }
210 if (strncmp(req_xattr_name,
211 *xattrname + XATTR_SECURITY_PREFIX_LEN,
212 strlen(req_xattr_name)) == 0) {
213 found = 1;
214 break;
215 }
216 }
217 return found;
218}
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236enum integrity_status evm_verifyxattr(struct dentry *dentry,
237 const char *xattr_name,
238 void *xattr_value, size_t xattr_value_len,
239 struct integrity_iint_cache *iint)
240{
241 if (!evm_initialized || !evm_protected_xattr(xattr_name))
242 return INTEGRITY_UNKNOWN;
243
244 if (!iint) {
245 iint = integrity_iint_find(d_backing_inode(dentry));
246 if (!iint)
247 return INTEGRITY_UNKNOWN;
248 }
249 return evm_verify_hmac(dentry, xattr_name, xattr_value,
250 xattr_value_len, iint);
251}
252EXPORT_SYMBOL_GPL(evm_verifyxattr);
253
254
255
256
257
258
259
260
261static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
262{
263 struct inode *inode = d_backing_inode(dentry);
264
265 if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode)
266 return 0;
267 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
268}
269
270
271
272
273
274
275
276
277
278
279
280
281
282static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
283 const void *xattr_value, size_t xattr_value_len)
284{
285 enum integrity_status evm_status;
286
287 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
288 if (!capable(CAP_SYS_ADMIN))
289 return -EPERM;
290 } else if (!evm_protected_xattr(xattr_name)) {
291 if (!posix_xattr_acl(xattr_name))
292 return 0;
293 evm_status = evm_verify_current_integrity(dentry);
294 if ((evm_status == INTEGRITY_PASS) ||
295 (evm_status == INTEGRITY_NOXATTRS))
296 return 0;
297 goto out;
298 }
299 evm_status = evm_verify_current_integrity(dentry);
300 if (evm_status == INTEGRITY_NOXATTRS) {
301 struct integrity_iint_cache *iint;
302
303 iint = integrity_iint_find(d_backing_inode(dentry));
304 if (iint && (iint->flags & IMA_NEW_FILE))
305 return 0;
306
307
308 if (dentry->d_sb->s_magic == TMPFS_MAGIC
309 || dentry->d_sb->s_magic == SYSFS_MAGIC)
310 return 0;
311
312 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
313 dentry->d_inode, dentry->d_name.name,
314 "update_metadata",
315 integrity_status_msg[evm_status],
316 -EPERM, 0);
317 }
318out:
319 if (evm_status != INTEGRITY_PASS)
320 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
321 dentry->d_name.name, "appraise_metadata",
322 integrity_status_msg[evm_status],
323 -EPERM, 0);
324 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
325}
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
341 const void *xattr_value, size_t xattr_value_len)
342{
343 const struct evm_ima_xattr_data *xattr_data = xattr_value;
344
345 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
346 if (!xattr_value_len)
347 return -EINVAL;
348 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
349 return -EPERM;
350 }
351 return evm_protect_xattr(dentry, xattr_name, xattr_value,
352 xattr_value_len);
353}
354
355
356
357
358
359
360
361
362
363int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
364{
365 return evm_protect_xattr(dentry, xattr_name, NULL, 0);
366}
367
368static void evm_reset_status(struct inode *inode)
369{
370 struct integrity_iint_cache *iint;
371
372 iint = integrity_iint_find(inode);
373 if (iint)
374 iint->evm_status = INTEGRITY_UNKNOWN;
375}
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
391 const void *xattr_value, size_t xattr_value_len)
392{
393 if (!evm_initialized || (!evm_protected_xattr(xattr_name)
394 && !posix_xattr_acl(xattr_name)))
395 return;
396
397 evm_reset_status(dentry->d_inode);
398
399 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
400}
401
402
403
404
405
406
407
408
409
410
411
412void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
413{
414 if (!evm_initialized || !evm_protected_xattr(xattr_name))
415 return;
416
417 evm_reset_status(dentry->d_inode);
418
419 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
420}
421
422
423
424
425
426int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
427{
428 unsigned int ia_valid = attr->ia_valid;
429 enum integrity_status evm_status;
430
431 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
432 return 0;
433 evm_status = evm_verify_current_integrity(dentry);
434 if ((evm_status == INTEGRITY_PASS) ||
435 (evm_status == INTEGRITY_NOXATTRS))
436 return 0;
437 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
438 dentry->d_name.name, "appraise_metadata",
439 integrity_status_msg[evm_status], -EPERM, 0);
440 return -EPERM;
441}
442
443
444
445
446
447
448
449
450
451
452
453
454void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
455{
456 if (!evm_initialized)
457 return;
458
459 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
460 evm_update_evmxattr(dentry, NULL, NULL, 0);
461}
462
463
464
465
466int evm_inode_init_security(struct inode *inode,
467 const struct xattr *lsm_xattr,
468 struct xattr *evm_xattr)
469{
470 struct evm_ima_xattr_data *xattr_data;
471 int rc;
472
473 if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name))
474 return 0;
475
476 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
477 if (!xattr_data)
478 return -ENOMEM;
479
480 xattr_data->type = EVM_XATTR_HMAC;
481 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
482 if (rc < 0)
483 goto out;
484
485 evm_xattr->value = xattr_data;
486 evm_xattr->value_len = sizeof(*xattr_data);
487 evm_xattr->name = XATTR_EVM_SUFFIX;
488 return 0;
489out:
490 kfree(xattr_data);
491 return rc;
492}
493EXPORT_SYMBOL_GPL(evm_inode_init_security);
494
495#ifdef CONFIG_EVM_LOAD_X509
496void __init evm_load_x509(void)
497{
498 int rc;
499
500 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
501 if (!rc)
502 evm_initialized |= EVM_INIT_X509;
503}
504#endif
505
506static int __init init_evm(void)
507{
508 int error;
509
510 evm_init_config();
511
512 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
513 if (error)
514 return error;
515
516 error = evm_init_secfs();
517 if (error < 0) {
518 pr_info("Error registering secfs\n");
519 return error;
520 }
521
522 return 0;
523}
524
525
526
527
528static int __init evm_display_config(void)
529{
530 char **xattrname;
531
532 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++)
533 pr_info("%s\n", *xattrname);
534 return 0;
535}
536
537pure_initcall(evm_display_config);
538late_initcall(init_evm);
539
540MODULE_DESCRIPTION("Extended Verification Module");
541MODULE_LICENSE("GPL");
542