1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/file.h>
13#include <linux/fs.h>
14#include <linux/xattr.h>
15#include <linux/magic.h>
16#include <linux/ima.h>
17#include <linux/evm.h>
18#include <crypto/hash_info.h>
19
20#include "ima.h"
21
22static int __init default_appraise_setup(char *str)
23{
24 if (strncmp(str, "off", 3) == 0)
25 ima_appraise = 0;
26 else if (strncmp(str, "log", 3) == 0)
27 ima_appraise = IMA_APPRAISE_LOG;
28 else if (strncmp(str, "fix", 3) == 0)
29 ima_appraise = IMA_APPRAISE_FIX;
30 return 1;
31}
32
33__setup("ima_appraise=", default_appraise_setup);
34
35
36
37
38
39
40int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
41{
42 if (!ima_appraise)
43 return 0;
44
45 return ima_match_policy(inode, func, mask, IMA_APPRAISE);
46}
47
48static int ima_fix_xattr(struct dentry *dentry,
49 struct integrity_iint_cache *iint)
50{
51 int rc, offset;
52 u8 algo = iint->ima_hash->algo;
53
54 if (algo <= HASH_ALGO_SHA1) {
55 offset = 1;
56 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
57 } else {
58 offset = 0;
59 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
60 iint->ima_hash->xattr.ng.algo = algo;
61 }
62 rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
63 &iint->ima_hash->xattr.data[offset],
64 (sizeof(iint->ima_hash->xattr) - offset) +
65 iint->ima_hash->length, 0);
66 return rc;
67}
68
69
70enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
71 int func)
72{
73 switch (func) {
74 case MMAP_CHECK:
75 return iint->ima_mmap_status;
76 case BPRM_CHECK:
77 return iint->ima_bprm_status;
78 case MODULE_CHECK:
79 return iint->ima_module_status;
80 case FIRMWARE_CHECK:
81 return iint->ima_firmware_status;
82 case FILE_CHECK:
83 default:
84 return iint->ima_file_status;
85 }
86}
87
88static void ima_set_cache_status(struct integrity_iint_cache *iint,
89 int func, enum integrity_status status)
90{
91 switch (func) {
92 case MMAP_CHECK:
93 iint->ima_mmap_status = status;
94 break;
95 case BPRM_CHECK:
96 iint->ima_bprm_status = status;
97 break;
98 case MODULE_CHECK:
99 iint->ima_module_status = status;
100 break;
101 case FIRMWARE_CHECK:
102 iint->ima_firmware_status = status;
103 break;
104 case FILE_CHECK:
105 default:
106 iint->ima_file_status = status;
107 break;
108 }
109}
110
111static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
112{
113 switch (func) {
114 case MMAP_CHECK:
115 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
116 break;
117 case BPRM_CHECK:
118 iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
119 break;
120 case MODULE_CHECK:
121 iint->flags |= (IMA_MODULE_APPRAISED | IMA_APPRAISED);
122 break;
123 case FIRMWARE_CHECK:
124 iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
125 break;
126 case FILE_CHECK:
127 default:
128 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
129 break;
130 }
131}
132
133void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
134 struct ima_digest_data *hash)
135{
136 struct signature_v2_hdr *sig;
137
138 if (!xattr_value || xattr_len < 2)
139 return;
140
141 switch (xattr_value->type) {
142 case EVM_IMA_XATTR_DIGSIG:
143 sig = (typeof(sig))xattr_value;
144 if (sig->version != 2 || xattr_len <= sizeof(*sig))
145 return;
146 hash->algo = sig->hash_algo;
147 break;
148 case IMA_XATTR_DIGEST_NG:
149 hash->algo = xattr_value->digest[0];
150 break;
151 case IMA_XATTR_DIGEST:
152
153 if (xattr_len == 21) {
154 unsigned int zero = 0;
155 if (!memcmp(&xattr_value->digest[16], &zero, 4))
156 hash->algo = HASH_ALGO_MD5;
157 else
158 hash->algo = HASH_ALGO_SHA1;
159 } else if (xattr_len == 17)
160 hash->algo = HASH_ALGO_MD5;
161 break;
162 }
163}
164
165int ima_read_xattr(struct dentry *dentry,
166 struct evm_ima_xattr_data **xattr_value)
167{
168 struct inode *inode = d_backing_inode(dentry);
169
170 if (!inode->i_op->getxattr)
171 return 0;
172
173 return vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
174 0, GFP_NOFS);
175}
176
177
178
179
180
181
182
183
184
185int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
186 struct file *file, const unsigned char *filename,
187 struct evm_ima_xattr_data *xattr_value,
188 int xattr_len, int opened)
189{
190 static const char op[] = "appraise_data";
191 char *cause = "unknown";
192 struct dentry *dentry = file->f_path.dentry;
193 struct inode *inode = d_backing_inode(dentry);
194 enum integrity_status status = INTEGRITY_UNKNOWN;
195 int rc = xattr_len, hash_start = 0;
196
197 if (!inode->i_op->getxattr)
198 return INTEGRITY_UNKNOWN;
199
200 if (rc <= 0) {
201 if (rc && rc != -ENODATA)
202 goto out;
203
204 cause = "missing-hash";
205 status = INTEGRITY_NOLABEL;
206 if (opened & FILE_CREATED) {
207 iint->flags |= IMA_NEW_FILE;
208 status = INTEGRITY_PASS;
209 }
210 goto out;
211 }
212
213 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
214 if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
215 if ((status == INTEGRITY_NOLABEL)
216 || (status == INTEGRITY_NOXATTRS))
217 cause = "missing-HMAC";
218 else if (status == INTEGRITY_FAIL)
219 cause = "invalid-HMAC";
220 goto out;
221 }
222 switch (xattr_value->type) {
223 case IMA_XATTR_DIGEST_NG:
224
225 hash_start = 1;
226 case IMA_XATTR_DIGEST:
227 if (iint->flags & IMA_DIGSIG_REQUIRED) {
228 cause = "IMA-signature-required";
229 status = INTEGRITY_FAIL;
230 break;
231 }
232 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
233 iint->ima_hash->length)
234
235
236
237 rc = memcmp(&xattr_value->digest[hash_start],
238 iint->ima_hash->digest,
239 iint->ima_hash->length);
240 else
241 rc = -EINVAL;
242 if (rc) {
243 cause = "invalid-hash";
244 status = INTEGRITY_FAIL;
245 break;
246 }
247 status = INTEGRITY_PASS;
248 break;
249 case EVM_IMA_XATTR_DIGSIG:
250 iint->flags |= IMA_DIGSIG;
251 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
252 (const char *)xattr_value, rc,
253 iint->ima_hash->digest,
254 iint->ima_hash->length);
255 if (rc == -EOPNOTSUPP) {
256 status = INTEGRITY_UNKNOWN;
257 } else if (rc) {
258 cause = "invalid-signature";
259 status = INTEGRITY_FAIL;
260 } else {
261 status = INTEGRITY_PASS;
262 }
263 break;
264 default:
265 status = INTEGRITY_UNKNOWN;
266 cause = "unknown-ima-data";
267 break;
268 }
269
270out:
271 if (status != INTEGRITY_PASS) {
272 if ((ima_appraise & IMA_APPRAISE_FIX) &&
273 (!xattr_value ||
274 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
275 if (!ima_fix_xattr(dentry, iint))
276 status = INTEGRITY_PASS;
277 }
278 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
279 op, cause, rc, 0);
280 } else {
281 ima_cache_flags(iint, func);
282 }
283 ima_set_cache_status(iint, func, status);
284 return status;
285}
286
287
288
289
290void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
291{
292 struct dentry *dentry = file->f_path.dentry;
293 int rc = 0;
294
295
296 if (iint->flags & IMA_DIGSIG)
297 return;
298
299 rc = ima_collect_measurement(iint, file, NULL, NULL);
300 if (rc < 0)
301 return;
302
303 ima_fix_xattr(dentry, iint);
304}
305
306
307
308
309
310
311
312
313
314
315void ima_inode_post_setattr(struct dentry *dentry)
316{
317 struct inode *inode = d_backing_inode(dentry);
318 struct integrity_iint_cache *iint;
319 int must_appraise, rc;
320
321 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
322 || !inode->i_op->removexattr)
323 return;
324
325 must_appraise = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
326 iint = integrity_iint_find(inode);
327 if (iint) {
328 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
329 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
330 IMA_ACTION_FLAGS);
331 if (must_appraise)
332 iint->flags |= IMA_APPRAISE;
333 }
334 if (!must_appraise)
335 rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA);
336 return;
337}
338
339
340
341
342
343
344static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
345 const void *xattr_value, size_t xattr_value_len)
346{
347 if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
348 if (!capable(CAP_SYS_ADMIN))
349 return -EPERM;
350 return 1;
351 }
352 return 0;
353}
354
355static void ima_reset_appraise_flags(struct inode *inode, int digsig)
356{
357 struct integrity_iint_cache *iint;
358
359 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
360 return;
361
362 iint = integrity_iint_find(inode);
363 if (!iint)
364 return;
365
366 iint->flags &= ~IMA_DONE_MASK;
367 if (digsig)
368 iint->flags |= IMA_DIGSIG;
369 return;
370}
371
372int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
373 const void *xattr_value, size_t xattr_value_len)
374{
375 const struct evm_ima_xattr_data *xvalue = xattr_value;
376 int result;
377
378 result = ima_protect_xattr(dentry, xattr_name, xattr_value,
379 xattr_value_len);
380 if (result == 1) {
381 bool digsig;
382
383 if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
384 return -EINVAL;
385 digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
386 if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
387 return -EPERM;
388 ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
389 result = 0;
390 }
391 return result;
392}
393
394int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
395{
396 int result;
397
398 result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
399 if (result == 1) {
400 ima_reset_appraise_flags(d_backing_inode(dentry), 0);
401 result = 0;
402 }
403 return result;
404}
405