1
2
3
4
5
6
7
8#include <linux/module.h>
9#include <linux/init.h>
10#include <linux/file.h>
11#include <linux/fs.h>
12#include <linux/xattr.h>
13#include <linux/magic.h>
14#include <linux/ima.h>
15#include <linux/evm.h>
16#include <keys/system_keyring.h>
17
18#include "ima.h"
19
20#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
21static char *ima_appraise_cmdline_default __initdata;
22core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);
23
24void __init ima_appraise_parse_cmdline(void)
25{
26 const char *str = ima_appraise_cmdline_default;
27 bool sb_state = arch_ima_get_secureboot();
28 int appraisal_state = ima_appraise;
29
30 if (!str)
31 return;
32
33 if (strncmp(str, "off", 3) == 0)
34 appraisal_state = 0;
35 else if (strncmp(str, "log", 3) == 0)
36 appraisal_state = IMA_APPRAISE_LOG;
37 else if (strncmp(str, "fix", 3) == 0)
38 appraisal_state = IMA_APPRAISE_FIX;
39 else if (strncmp(str, "enforce", 7) == 0)
40 appraisal_state = IMA_APPRAISE_ENFORCE;
41 else
42 pr_err("invalid \"%s\" appraise option", str);
43
44
45
46 if (sb_state) {
47 if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
48 pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
49 str);
50 } else {
51 ima_appraise = appraisal_state;
52 }
53}
54#endif
55
56
57
58
59
60
61bool is_ima_appraise_enabled(void)
62{
63 return ima_appraise & IMA_APPRAISE_ENFORCE;
64}
65
66
67
68
69
70
71int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
72 int mask, enum ima_hooks func)
73{
74 u32 secid;
75
76 if (!ima_appraise)
77 return 0;
78
79 security_task_getsecid_subj(current, &secid);
80 return ima_match_policy(mnt_userns, inode, current_cred(), secid, func,
81 mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL);
82}
83
84static int ima_fix_xattr(struct dentry *dentry,
85 struct integrity_iint_cache *iint)
86{
87 int rc, offset;
88 u8 algo = iint->ima_hash->algo;
89
90 if (algo <= HASH_ALGO_SHA1) {
91 offset = 1;
92 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
93 } else {
94 offset = 0;
95 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
96 iint->ima_hash->xattr.ng.algo = algo;
97 }
98 rc = __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_IMA,
99 &iint->ima_hash->xattr.data[offset],
100 (sizeof(iint->ima_hash->xattr) - offset) +
101 iint->ima_hash->length, 0);
102 return rc;
103}
104
105
106enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
107 enum ima_hooks func)
108{
109 switch (func) {
110 case MMAP_CHECK:
111 return iint->ima_mmap_status;
112 case BPRM_CHECK:
113 return iint->ima_bprm_status;
114 case CREDS_CHECK:
115 return iint->ima_creds_status;
116 case FILE_CHECK:
117 case POST_SETATTR:
118 return iint->ima_file_status;
119 case MODULE_CHECK ... MAX_CHECK - 1:
120 default:
121 return iint->ima_read_status;
122 }
123}
124
125static void ima_set_cache_status(struct integrity_iint_cache *iint,
126 enum ima_hooks func,
127 enum integrity_status status)
128{
129 switch (func) {
130 case MMAP_CHECK:
131 iint->ima_mmap_status = status;
132 break;
133 case BPRM_CHECK:
134 iint->ima_bprm_status = status;
135 break;
136 case CREDS_CHECK:
137 iint->ima_creds_status = status;
138 break;
139 case FILE_CHECK:
140 case POST_SETATTR:
141 iint->ima_file_status = status;
142 break;
143 case MODULE_CHECK ... MAX_CHECK - 1:
144 default:
145 iint->ima_read_status = status;
146 break;
147 }
148}
149
150static void ima_cache_flags(struct integrity_iint_cache *iint,
151 enum ima_hooks func)
152{
153 switch (func) {
154 case MMAP_CHECK:
155 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
156 break;
157 case BPRM_CHECK:
158 iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
159 break;
160 case CREDS_CHECK:
161 iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
162 break;
163 case FILE_CHECK:
164 case POST_SETATTR:
165 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
166 break;
167 case MODULE_CHECK ... MAX_CHECK - 1:
168 default:
169 iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
170 break;
171 }
172}
173
174enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
175 int xattr_len)
176{
177 struct signature_v2_hdr *sig;
178 enum hash_algo ret;
179
180 if (!xattr_value || xattr_len < 2)
181
182 return ima_hash_algo;
183
184 switch (xattr_value->type) {
185 case EVM_IMA_XATTR_DIGSIG:
186 sig = (typeof(sig))xattr_value;
187 if (sig->version != 2 || xattr_len <= sizeof(*sig))
188 return ima_hash_algo;
189 return sig->hash_algo;
190 break;
191 case IMA_XATTR_DIGEST_NG:
192
193 ret = xattr_value->data[0];
194 if (ret < HASH_ALGO__LAST)
195 return ret;
196 break;
197 case IMA_XATTR_DIGEST:
198
199 if (xattr_len == 21) {
200 unsigned int zero = 0;
201 if (!memcmp(&xattr_value->data[16], &zero, 4))
202 return HASH_ALGO_MD5;
203 else
204 return HASH_ALGO_SHA1;
205 } else if (xattr_len == 17)
206 return HASH_ALGO_MD5;
207 break;
208 }
209
210
211 return ima_hash_algo;
212}
213
214int ima_read_xattr(struct dentry *dentry,
215 struct evm_ima_xattr_data **xattr_value)
216{
217 ssize_t ret;
218
219 ret = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_IMA,
220 (char **)xattr_value, 0, GFP_NOFS);
221 if (ret == -EOPNOTSUPP)
222 ret = 0;
223 return ret;
224}
225
226
227
228
229
230
231
232
233static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
234 struct evm_ima_xattr_data *xattr_value, int xattr_len,
235 enum integrity_status *status, const char **cause)
236{
237 int rc = -EINVAL, hash_start = 0;
238
239 switch (xattr_value->type) {
240 case IMA_XATTR_DIGEST_NG:
241
242 hash_start = 1;
243 fallthrough;
244 case IMA_XATTR_DIGEST:
245 if (*status != INTEGRITY_PASS_IMMUTABLE) {
246 if (iint->flags & IMA_DIGSIG_REQUIRED) {
247 *cause = "IMA-signature-required";
248 *status = INTEGRITY_FAIL;
249 break;
250 }
251 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
252 } else {
253 set_bit(IMA_DIGSIG, &iint->atomic_flags);
254 }
255 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
256 iint->ima_hash->length)
257
258
259
260
261 rc = memcmp(&xattr_value->data[hash_start],
262 iint->ima_hash->digest,
263 iint->ima_hash->length);
264 else
265 rc = -EINVAL;
266 if (rc) {
267 *cause = "invalid-hash";
268 *status = INTEGRITY_FAIL;
269 break;
270 }
271 *status = INTEGRITY_PASS;
272 break;
273 case EVM_IMA_XATTR_DIGSIG:
274 set_bit(IMA_DIGSIG, &iint->atomic_flags);
275 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
276 (const char *)xattr_value,
277 xattr_len,
278 iint->ima_hash->digest,
279 iint->ima_hash->length);
280 if (rc == -EOPNOTSUPP) {
281 *status = INTEGRITY_UNKNOWN;
282 break;
283 }
284 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
285 func == KEXEC_KERNEL_CHECK)
286 rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
287 (const char *)xattr_value,
288 xattr_len,
289 iint->ima_hash->digest,
290 iint->ima_hash->length);
291 if (rc) {
292 *cause = "invalid-signature";
293 *status = INTEGRITY_FAIL;
294 } else {
295 *status = INTEGRITY_PASS;
296 }
297 break;
298 default:
299 *status = INTEGRITY_UNKNOWN;
300 *cause = "unknown-ima-data";
301 break;
302 }
303
304 return rc;
305}
306
307
308
309
310
311
312
313
314static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
315 enum integrity_status *status, const char **cause)
316{
317 int rc;
318
319 rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
320 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
321 func == KEXEC_KERNEL_CHECK)
322 rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
323 modsig);
324 if (rc) {
325 *cause = "invalid-signature";
326 *status = INTEGRITY_FAIL;
327 } else {
328 *status = INTEGRITY_PASS;
329 }
330
331 return rc;
332}
333
334
335
336
337
338
339
340
341
342int ima_check_blacklist(struct integrity_iint_cache *iint,
343 const struct modsig *modsig, int pcr)
344{
345 enum hash_algo hash_algo;
346 const u8 *digest = NULL;
347 u32 digestsize = 0;
348 int rc = 0;
349
350 if (!(iint->flags & IMA_CHECK_BLACKLIST))
351 return 0;
352
353 if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
354 ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
355
356 rc = is_binary_blacklisted(digest, digestsize);
357 if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
358 process_buffer_measurement(&init_user_ns, NULL, digest, digestsize,
359 "blacklisted-hash", NONE,
360 pcr, NULL, false);
361 }
362
363 return rc;
364}
365
366
367
368
369
370
371
372
373
374int ima_appraise_measurement(enum ima_hooks func,
375 struct integrity_iint_cache *iint,
376 struct file *file, const unsigned char *filename,
377 struct evm_ima_xattr_data *xattr_value,
378 int xattr_len, const struct modsig *modsig)
379{
380 static const char op[] = "appraise_data";
381 const char *cause = "unknown";
382 struct dentry *dentry = file_dentry(file);
383 struct inode *inode = d_backing_inode(dentry);
384 enum integrity_status status = INTEGRITY_UNKNOWN;
385 int rc = xattr_len;
386 bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
387
388
389 if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
390 return INTEGRITY_UNKNOWN;
391
392
393 if (rc <= 0 && !try_modsig) {
394 if (rc && rc != -ENODATA)
395 goto out;
396
397 cause = iint->flags & IMA_DIGSIG_REQUIRED ?
398 "IMA-signature-required" : "missing-hash";
399 status = INTEGRITY_NOLABEL;
400 if (file->f_mode & FMODE_CREATED)
401 iint->flags |= IMA_NEW_FILE;
402 if ((iint->flags & IMA_NEW_FILE) &&
403 (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
404 (inode->i_size == 0)))
405 status = INTEGRITY_PASS;
406 goto out;
407 }
408
409 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
410 switch (status) {
411 case INTEGRITY_PASS:
412 case INTEGRITY_PASS_IMMUTABLE:
413 case INTEGRITY_UNKNOWN:
414 break;
415 case INTEGRITY_NOXATTRS:
416
417 if (try_modsig)
418 break;
419 fallthrough;
420 case INTEGRITY_NOLABEL:
421 cause = "missing-HMAC";
422 goto out;
423 case INTEGRITY_FAIL_IMMUTABLE:
424 set_bit(IMA_DIGSIG, &iint->atomic_flags);
425 cause = "invalid-fail-immutable";
426 goto out;
427 case INTEGRITY_FAIL:
428 cause = "invalid-HMAC";
429 goto out;
430 default:
431 WARN_ONCE(true, "Unexpected integrity status %d\n", status);
432 }
433
434 if (xattr_value)
435 rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
436 &cause);
437
438
439
440
441
442 if (try_modsig &&
443 (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
444 rc == -ENOKEY))
445 rc = modsig_verify(func, modsig, &status, &cause);
446
447out:
448
449
450
451
452
453
454 if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
455 ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
456 (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
457 status = INTEGRITY_FAIL;
458 cause = "unverifiable-signature";
459 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
460 op, cause, rc, 0);
461 } else if (status != INTEGRITY_PASS) {
462
463 if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
464 (!xattr_value ||
465 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
466 if (!ima_fix_xattr(dentry, iint))
467 status = INTEGRITY_PASS;
468 }
469
470
471
472
473
474 if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
475 test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
476 status = INTEGRITY_PASS;
477 }
478
479 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
480 op, cause, rc, 0);
481 } else {
482 ima_cache_flags(iint, func);
483 }
484
485 ima_set_cache_status(iint, func, status);
486 return status;
487}
488
489
490
491
492void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
493{
494 struct dentry *dentry = file_dentry(file);
495 int rc = 0;
496
497
498 if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
499 return;
500
501 if ((iint->ima_file_status != INTEGRITY_PASS) &&
502 !(iint->flags & IMA_HASH))
503 return;
504
505 rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
506 if (rc < 0)
507 return;
508
509 inode_lock(file_inode(file));
510 ima_fix_xattr(dentry, iint);
511 inode_unlock(file_inode(file));
512}
513
514
515
516
517
518
519
520
521
522
523
524void ima_inode_post_setattr(struct user_namespace *mnt_userns,
525 struct dentry *dentry)
526{
527 struct inode *inode = d_backing_inode(dentry);
528 struct integrity_iint_cache *iint;
529 int action;
530
531 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
532 || !(inode->i_opflags & IOP_XATTR))
533 return;
534
535 action = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, POST_SETATTR);
536 iint = integrity_iint_find(inode);
537 if (iint) {
538 set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
539 if (!action)
540 clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
541 }
542}
543
544
545
546
547
548
549static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
550 const void *xattr_value, size_t xattr_value_len)
551{
552 if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
553 if (!capable(CAP_SYS_ADMIN))
554 return -EPERM;
555 return 1;
556 }
557 return 0;
558}
559
560static void ima_reset_appraise_flags(struct inode *inode, int digsig)
561{
562 struct integrity_iint_cache *iint;
563
564 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
565 return;
566
567 iint = integrity_iint_find(inode);
568 if (!iint)
569 return;
570 iint->measured_pcrs = 0;
571 set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
572 if (digsig)
573 set_bit(IMA_DIGSIG, &iint->atomic_flags);
574 else
575 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
576}
577
578int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
579 const void *xattr_value, size_t xattr_value_len)
580{
581 const struct evm_ima_xattr_data *xvalue = xattr_value;
582 int digsig = 0;
583 int result;
584
585 result = ima_protect_xattr(dentry, xattr_name, xattr_value,
586 xattr_value_len);
587 if (result == 1) {
588 if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
589 return -EINVAL;
590 digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
591 } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
592 digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
593 }
594 if (result == 1 || evm_revalidate_status(xattr_name)) {
595 ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
596 if (result == 1)
597 result = 0;
598 }
599 return result;
600}
601
602int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
603{
604 int result;
605
606 result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
607 if (result == 1 || evm_revalidate_status(xattr_name)) {
608 ima_reset_appraise_flags(d_backing_inode(dentry), 0);
609 if (result == 1)
610 result = 0;
611 }
612 return result;
613}
614