LXR linux/security/integrity/evm/evm

   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright (C) 2005-2010 IBM Corporation
   4 *
   5 * Author:
   6 * Mimi Zohar <zohar@us.ibm.com>
   7 * Kylene Hall <kjhall@us.ibm.com>
   8 *
   9 * File: evm_main.c
  10 *      implements evm_inode_setxattr, evm_inode_post_setxattr,
  11 *      evm_inode_removexattr, and evm_verifyxattr
  12 */
  13
  14#include <linux/init.h>
  15#include <linux/crypto.h>
  16#include <linux/audit.h>
  17#include <linux/xattr.h>
  18#include <linux/integrity.h>
  19#include <linux/evm.h>
  20#include <linux/magic.h>
  21
  22#include <crypto/hash.h>
  23#include <crypto/hash_info.h>
  24#include <crypto/algapi.h>
  25#include "evm.h"
  26
  27int evm_initialized;
  28
  29static const char * const integrity_status_msg[] = {
  30        "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
  31};
  32int evm_hmac_attrs;
  33
  34static struct xattr_list evm_config_default_xattrnames[] = {
  35#ifdef CONFIG_SECURITY_SELINUX
  36        {.name = XATTR_NAME_SELINUX},
  37#endif
  38#ifdef CONFIG_SECURITY_SMACK
  39        {.name = XATTR_NAME_SMACK},
  40#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
  41        {.name = XATTR_NAME_SMACKEXEC},
  42        {.name = XATTR_NAME_SMACKTRANSMUTE},
  43        {.name = XATTR_NAME_SMACKMMAP},
  44#endif
  45#endif
  46#ifdef CONFIG_SECURITY_APPARMOR
  47        {.name = XATTR_NAME_APPARMOR},
  48#endif
  49#ifdef CONFIG_IMA_APPRAISE
  50        {.name = XATTR_NAME_IMA},
  51#endif
  52        {.name = XATTR_NAME_CAPS},
  53};
  54
  55LIST_HEAD(evm_config_xattrnames);
  56
  57static int evm_fixmode;
  58static int __init evm_set_fixmode(char *str)
  59{
  60        if (strncmp(str, "fix", 3) == 0)
  61                evm_fixmode = 1;
  62        else
  63                pr_err("invalid \"%s\" mode", str);
  64
  65        return 0;
  66}
  67__setup("evm=", evm_set_fixmode);
  68
  69static void __init evm_init_config(void)
  70{
  71        int i, xattrs;
  72
  73        xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
  74
  75        pr_info("Initialising EVM extended attributes:\n");
  76        for (i = 0; i < xattrs; i++) {
  77                pr_info("%s\n", evm_config_default_xattrnames[i].name);
  78                list_add_tail(&evm_config_default_xattrnames[i].list,
  79                              &evm_config_xattrnames);
  80        }
  81
  82#ifdef CONFIG_EVM_ATTR_FSUUID
  83        evm_hmac_attrs |= EVM_ATTR_FSUUID;
  84#endif
  85        pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
  86}
  87
  88static bool evm_key_loaded(void)
  89{
  90        return (bool)(evm_initialized & EVM_KEY_MASK);
  91}
  92
  93static int evm_find_protected_xattrs(struct dentry *dentry)
  94{
  95        struct inode *inode = d_backing_inode(dentry);
  96        struct xattr_list *xattr;
  97        int error;
  98        int count = 0;
  99
 100        if (!(inode->i_opflags & IOP_XATTR))
 101                return -EOPNOTSUPP;
 102
 103        list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
 104                error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
 105                if (error < 0) {
 106                        if (error == -ENODATA)
 107                                continue;
 108                        return error;
 109                }
 110                count++;
 111        }
 112
 113        return count;
 114}
 115
 116/*
 117 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
 118 *
 119 * Compute the HMAC on the dentry's protected set of extended attributes
 120 * and compare it against the stored security.evm xattr.
 121 *
 122 * For performance:
 123 * - use the previoulsy retrieved xattr value and length to calculate the
 124 *   HMAC.)
 125 * - cache the verification result in the iint, when available.
 126 *
 127 * Returns integrity status
 128 */
 129static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 130                                             const char *xattr_name,
 131                                             char *xattr_value,
 132                                             size_t xattr_value_len,
 133                                             struct integrity_iint_cache *iint)
 134{
 135        struct evm_ima_xattr_data *xattr_data = NULL;
 136        struct signature_v2_hdr *hdr;
 137        enum integrity_status evm_status = INTEGRITY_PASS;
 138        struct evm_digest digest;
 139        struct inode *inode;
 140        int rc, xattr_len;
 141
 142        if (iint && (iint->evm_status == INTEGRITY_PASS ||
 143                     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
 144                return iint->evm_status;
 145
 146        /* if status is not PASS, try to check again - against -ENOMEM */
 147
 148        /* first need to know the sig type */
 149        rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
 150                                GFP_NOFS);
 151        if (rc <= 0) {
 152                evm_status = INTEGRITY_FAIL;
 153                if (rc == -ENODATA) {
 154                        rc = evm_find_protected_xattrs(dentry);
 155                        if (rc > 0)
 156                                evm_status = INTEGRITY_NOLABEL;
 157                        else if (rc == 0)
 158                                evm_status = INTEGRITY_NOXATTRS; /* new file */
 159                } else if (rc == -EOPNOTSUPP) {
 160                        evm_status = INTEGRITY_UNKNOWN;
 161                }
 162                goto out;
 163        }
 164
 165        xattr_len = rc;
 166
 167        /* check value type */
 168        switch (xattr_data->type) {
 169        case EVM_XATTR_HMAC:
 170                if (xattr_len != sizeof(struct evm_xattr)) {
 171                        evm_status = INTEGRITY_FAIL;
 172                        goto out;
 173                }
 174
 175                digest.hdr.algo = HASH_ALGO_SHA1;
 176                rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
 177                                   xattr_value_len, &digest);
 178                if (rc)
 179                        break;
 180                rc = crypto_memneq(xattr_data->data, digest.digest,
 181                                   SHA1_DIGEST_SIZE);
 182                if (rc)
 183                        rc = -EINVAL;
 184                break;
 185        case EVM_IMA_XATTR_DIGSIG:
 186        case EVM_XATTR_PORTABLE_DIGSIG:
 187                /* accept xattr with non-empty signature field */
 188                if (xattr_len <= sizeof(struct signature_v2_hdr)) {
 189                        evm_status = INTEGRITY_FAIL;
 190                        goto out;
 191                }
 192
 193                hdr = (struct signature_v2_hdr *)xattr_data;
 194                digest.hdr.algo = hdr->hash_algo;
 195                rc = evm_calc_hash(dentry, xattr_name, xattr_value,
 196                                   xattr_value_len, xattr_data->type, &digest);
 197                if (rc)
 198                        break;
 199                rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
 200                                        (const char *)xattr_data, xattr_len,
 201                                        digest.digest, digest.hdr.length);
 202                if (!rc) {
 203                        inode = d_backing_inode(dentry);
 204
 205                        if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
 206                                if (iint)
 207                                        iint->flags |= EVM_IMMUTABLE_DIGSIG;
 208                                evm_status = INTEGRITY_PASS_IMMUTABLE;
 209                        } else if (!IS_RDONLY(inode) &&
 210                                   !(inode->i_sb->s_readonly_remount) &&
 211                                   !IS_IMMUTABLE(inode)) {
 212                                evm_update_evmxattr(dentry, xattr_name,
 213                                                    xattr_value,
 214                                                    xattr_value_len);
 215                        }
 216                }
 217                break;
 218        default:
 219                rc = -EINVAL;
 220                break;
 221        }
 222
 223        if (rc)
 224                evm_status = (rc == -ENODATA) ?
 225                                INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
 226out:
 227        if (iint)
 228                iint->evm_status = evm_status;
 229        kfree(xattr_data);
 230        return evm_status;
 231}
 232
 233static int evm_protected_xattr(const char *req_xattr_name)
 234{
 235        int namelen;
 236        int found = 0;
 237        struct xattr_list *xattr;
 238
 239        namelen = strlen(req_xattr_name);
 240        list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
 241                if ((strlen(xattr->name) == namelen)
 242                    && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
 243                        found = 1;
 244                        break;
 245                }
 246                if (strncmp(req_xattr_name,
 247                            xattr->name + XATTR_SECURITY_PREFIX_LEN,
 248                            strlen(req_xattr_name)) == 0) {
 249                        found = 1;
 250                        break;
 251                }
 252        }
 253
 254        return found;
 255}
 256
 257/**
 258 * evm_verifyxattr - verify the integrity of the requested xattr
 259 * @dentry: object of the verify xattr
 260 * @xattr_name: requested xattr
 261 * @xattr_value: requested xattr value
 262 * @xattr_value_len: requested xattr value length
 263 *
 264 * Calculate the HMAC for the given dentry and verify it against the stored
 265 * security.evm xattr. For performance, use the xattr value and length
 266 * previously retrieved to calculate the HMAC.
 267 *
 268 * Returns the xattr integrity status.
 269 *
 270 * This function requires the caller to lock the inode's i_mutex before it
 271 * is executed.
 272 */
 273enum integrity_status evm_verifyxattr(struct dentry *dentry,
 274                                      const char *xattr_name,
 275                                      void *xattr_value, size_t xattr_value_len,
 276                                      struct integrity_iint_cache *iint)
 277{
 278        if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
 279                return INTEGRITY_UNKNOWN;
 280
 281        if (!iint) {
 282                iint = integrity_iint_find(d_backing_inode(dentry));
 283                if (!iint)
 284                        return INTEGRITY_UNKNOWN;
 285        }
 286        return evm_verify_hmac(dentry, xattr_name, xattr_value,
 287                                 xattr_value_len, iint);
 288}
 289EXPORT_SYMBOL_GPL(evm_verifyxattr);
 290
 291/*
 292 * evm_verify_current_integrity - verify the dentry's metadata integrity
 293 * @dentry: pointer to the affected dentry
 294 *
 295 * Verify and return the dentry's metadata integrity. The exceptions are
 296 * before EVM is initialized or in 'fix' mode.
 297 */
 298static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
 299{
 300        struct inode *inode = d_backing_inode(dentry);
 301
 302        if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
 303                return 0;
 304        return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
 305}
 306
 307/*
 308 * evm_protect_xattr - protect the EVM extended attribute
 309 *
 310 * Prevent security.evm from being modified or removed without the
 311 * necessary permissions or when the existing value is invalid.
 312 *
 313 * The posix xattr acls are 'system' prefixed, which normally would not
 314 * affect security.evm.  An interesting side affect of writing posix xattr
 315 * acls is their modifying of the i_mode, which is included in security.evm.
 316 * For posix xattr acls only, permit security.evm, even if it currently
 317 * doesn't exist, to be updated unless the EVM signature is immutable.
 318 */
 319static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 320                             const void *xattr_value, size_t xattr_value_len)
 321{
 322        enum integrity_status evm_status;
 323
 324        if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
 325                if (!capable(CAP_SYS_ADMIN))
 326                        return -EPERM;
 327        } else if (!evm_protected_xattr(xattr_name)) {
 328                if (!posix_xattr_acl(xattr_name))
 329                        return 0;
 330                evm_status = evm_verify_current_integrity(dentry);
 331                if ((evm_status == INTEGRITY_PASS) ||
 332                    (evm_status == INTEGRITY_NOXATTRS))
 333                        return 0;
 334                goto out;
 335        }
 336
 337        evm_status = evm_verify_current_integrity(dentry);
 338        if (evm_status == INTEGRITY_NOXATTRS) {
 339                struct integrity_iint_cache *iint;
 340
 341                iint = integrity_iint_find(d_backing_inode(dentry));
 342                if (iint && (iint->flags & IMA_NEW_FILE))
 343                        return 0;
 344
 345                /* exception for pseudo filesystems */
 346                if (dentry->d_sb->s_magic == TMPFS_MAGIC
 347                    || dentry->d_sb->s_magic == SYSFS_MAGIC)
 348                        return 0;
 349
 350                integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
 351                                    dentry->d_inode, dentry->d_name.name,
 352                                    "update_metadata",
 353                                    integrity_status_msg[evm_status],
 354                                    -EPERM, 0);
 355        }
 356out:
 357        if (evm_status != INTEGRITY_PASS)
 358                integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 359                                    dentry->d_name.name, "appraise_metadata",
 360                                    integrity_status_msg[evm_status],
 361                                    -EPERM, 0);
 362        return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
 363}
 364
 365/**
 366 * evm_inode_setxattr - protect the EVM extended attribute
 367 * @dentry: pointer to the affected dentry
 368 * @xattr_name: pointer to the affected extended attribute name
 369 * @xattr_value: pointer to the new extended attribute value
 370 * @xattr_value_len: pointer to the new extended attribute value length
 371 *
 372 * Before allowing the 'security.evm' protected xattr to be updated,
 373 * verify the existing value is valid.  As only the kernel should have
 374 * access to the EVM encrypted key needed to calculate the HMAC, prevent
 375 * userspace from writing HMAC value.  Writing 'security.evm' requires
 376 * requires CAP_SYS_ADMIN privileges.
 377 */
 378int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 379                       const void *xattr_value, size_t xattr_value_len)
 380{
 381        const struct evm_ima_xattr_data *xattr_data = xattr_value;
 382
 383        /* Policy permits modification of the protected xattrs even though
 384         * there's no HMAC key loaded
 385         */
 386        if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 387                return 0;
 388
 389        if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
 390                if (!xattr_value_len)
 391                        return -EINVAL;
 392                if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
 393                    xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
 394                        return -EPERM;
 395        }
 396        return evm_protect_xattr(dentry, xattr_name, xattr_value,
 397                                 xattr_value_len);
 398}
 399
 400/**
 401 * evm_inode_removexattr - protect the EVM extended attribute
 402 * @dentry: pointer to the affected dentry
 403 * @xattr_name: pointer to the affected extended attribute name
 404 *
 405 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
 406 * the current value is valid.
 407 */
 408int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 409{
 410        /* Policy permits modification of the protected xattrs even though
 411         * there's no HMAC key loaded
 412         */
 413        if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 414                return 0;
 415
 416        return evm_protect_xattr(dentry, xattr_name, NULL, 0);
 417}
 418
 419static void evm_reset_status(struct inode *inode)
 420{
 421        struct integrity_iint_cache *iint;
 422
 423        iint = integrity_iint_find(inode);
 424        if (iint)
 425                iint->evm_status = INTEGRITY_UNKNOWN;
 426}
 427
 428/**
 429 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
 430 * @dentry: pointer to the affected dentry
 431 * @xattr_name: pointer to the affected extended attribute name
 432 * @xattr_value: pointer to the new extended attribute value
 433 * @xattr_value_len: pointer to the new extended attribute value length
 434 *
 435 * Update the HMAC stored in 'security.evm' to reflect the change.
 436 *
 437 * No need to take the i_mutex lock here, as this function is called from
 438 * __vfs_setxattr_noperm().  The caller of which has taken the inode's
 439 * i_mutex lock.
 440 */
 441void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 442                             const void *xattr_value, size_t xattr_value_len)
 443{
 444        if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
 445                                  && !posix_xattr_acl(xattr_name)))
 446                return;
 447
 448        evm_reset_status(dentry->d_inode);
 449
 450        evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
 451}
 452
 453/**
 454 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
 455 * @dentry: pointer to the affected dentry
 456 * @xattr_name: pointer to the affected extended attribute name
 457 *
 458 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
 459 *
 460 * No need to take the i_mutex lock here, as this function is called from
 461 * vfs_removexattr() which takes the i_mutex.
 462 */
 463void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 464{
 465        if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
 466                return;
 467
 468        evm_reset_status(dentry->d_inode);
 469
 470        evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 471}
 472
 473/**
 474 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
 475 * @dentry: pointer to the affected dentry
 476 *
 477 * Permit update of file attributes when files have a valid EVM signature,
 478 * except in the case of them having an immutable portable signature.
 479 */
 480int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 481{
 482        unsigned int ia_valid = attr->ia_valid;
 483        enum integrity_status evm_status;
 484
 485        /* Policy permits modification of the protected attrs even though
 486         * there's no HMAC key loaded
 487         */
 488        if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 489                return 0;
 490
 491        if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
 492                return 0;
 493        evm_status = evm_verify_current_integrity(dentry);
 494        if ((evm_status == INTEGRITY_PASS) ||
 495            (evm_status == INTEGRITY_NOXATTRS))
 496                return 0;
 497        integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 498                            dentry->d_name.name, "appraise_metadata",
 499                            integrity_status_msg[evm_status], -EPERM, 0);
 500        return -EPERM;
 501}
 502
 503/**
 504 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
 505 * @dentry: pointer to the affected dentry
 506 * @ia_valid: for the UID and GID status
 507 *
 508 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
 509 * changes.
 510 *
 511 * This function is called from notify_change(), which expects the caller
 512 * to lock the inode's i_mutex.
 513 */
 514void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 515{
 516        if (!evm_key_loaded())
 517                return;
 518
 519        if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
 520                evm_update_evmxattr(dentry, NULL, NULL, 0);
 521}
 522
 523/*
 524 * evm_inode_init_security - initializes security.evm
 525 */
 526int evm_inode_init_security(struct inode *inode,
 527                                 const struct xattr *lsm_xattr,
 528                                 struct xattr *evm_xattr)
 529{
 530        struct evm_xattr *xattr_data;
 531        int rc;
 532
 533        if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
 534                return 0;
 535
 536        xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
 537        if (!xattr_data)
 538                return -ENOMEM;
 539
 540        xattr_data->data.type = EVM_XATTR_HMAC;
 541        rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
 542        if (rc < 0)
 543                goto out;
 544
 545        evm_xattr->value = xattr_data;
 546        evm_xattr->value_len = sizeof(*xattr_data);
 547        evm_xattr->name = XATTR_EVM_SUFFIX;
 548        return 0;
 549out:
 550        kfree(xattr_data);
 551        return rc;
 552}
 553EXPORT_SYMBOL_GPL(evm_inode_init_security);
 554
 555#ifdef CONFIG_EVM_LOAD_X509
 556void __init evm_load_x509(void)
 557{
 558        int rc;
 559
 560        rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
 561        if (!rc)
 562                evm_initialized |= EVM_INIT_X509;
 563}
 564#endif
 565
 566static int __init init_evm(void)
 567{
 568        int error;
 569        struct list_head *pos, *q;
 570
 571        evm_init_config();
 572
 573        error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
 574        if (error)
 575                goto error;
 576
 577        error = evm_init_secfs();
 578        if (error < 0) {
 579                pr_info("Error registering secfs\n");
 580                goto error;
 581        }
 582
 583error:
 584        if (error != 0) {
 585                if (!list_empty(&evm_config_xattrnames)) {
 586                        list_for_each_safe(pos, q, &evm_config_xattrnames)
 587                                list_del(pos);
 588                }
 589        }
 590
 591        return error;
 592}
 593
 594late_initcall(init_evm);
 595