LXR linux/security/integrity/ima/ima

   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright (C) 2011 IBM Corporation
   4 *
   5 * Author:
   6 * Mimi Zohar <zohar@us.ibm.com>
   7 */
   8#include <linux/init.h>
   9#include <linux/file.h>
  10#include <linux/fs.h>
  11#include <linux/xattr.h>
  12#include <linux/magic.h>
  13#include <linux/ima.h>
  14#include <linux/evm.h>
  15#include <keys/system_keyring.h>
  16
  17#include "ima.h"
  18
  19static int __init default_appraise_setup(char *str)
  20{
  21#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
  22        if (strncmp(str, "off", 3) == 0)
  23                ima_appraise = 0;
  24        else if (strncmp(str, "log", 3) == 0)
  25                ima_appraise = IMA_APPRAISE_LOG;
  26        else if (strncmp(str, "fix", 3) == 0)
  27                ima_appraise = IMA_APPRAISE_FIX;
  28#endif
  29        return 1;
  30}
  31
  32__setup("ima_appraise=", default_appraise_setup);
  33
  34/*
  35 * is_ima_appraise_enabled - return appraise status
  36 *
  37 * Only return enabled, if not in ima_appraise="fix" or "log" modes.
  38 */
  39bool is_ima_appraise_enabled(void)
  40{
  41        return ima_appraise & IMA_APPRAISE_ENFORCE;
  42}
  43
  44/*
  45 * ima_must_appraise - set appraise flag
  46 *
  47 * Return 1 to appraise or hash
  48 */
  49int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
  50{
  51        u32 secid;
  52
  53        if (!ima_appraise)
  54                return 0;
  55
  56        security_task_getsecid(current, &secid);
  57        return ima_match_policy(inode, current_cred(), secid, func, mask,
  58                                IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL);
  59}
  60
  61static int ima_fix_xattr(struct dentry *dentry,
  62                         struct integrity_iint_cache *iint)
  63{
  64        int rc, offset;
  65        u8 algo = iint->ima_hash->algo;
  66
  67        if (algo <= HASH_ALGO_SHA1) {
  68                offset = 1;
  69                iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
  70        } else {
  71                offset = 0;
  72                iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
  73                iint->ima_hash->xattr.ng.algo = algo;
  74        }
  75        rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
  76                                   &iint->ima_hash->xattr.data[offset],
  77                                   (sizeof(iint->ima_hash->xattr) - offset) +
  78                                   iint->ima_hash->length, 0);
  79        return rc;
  80}
  81
  82/* Return specific func appraised cached result */
  83enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
  84                                           enum ima_hooks func)
  85{
  86        switch (func) {
  87        case MMAP_CHECK:
  88                return iint->ima_mmap_status;
  89        case BPRM_CHECK:
  90                return iint->ima_bprm_status;
  91        case CREDS_CHECK:
  92                return iint->ima_creds_status;
  93        case FILE_CHECK:
  94        case POST_SETATTR:
  95                return iint->ima_file_status;
  96        case MODULE_CHECK ... MAX_CHECK - 1:
  97        default:
  98                return iint->ima_read_status;
  99        }
 100}
 101
 102static void ima_set_cache_status(struct integrity_iint_cache *iint,
 103                                 enum ima_hooks func,
 104                                 enum integrity_status status)
 105{
 106        switch (func) {
 107        case MMAP_CHECK:
 108                iint->ima_mmap_status = status;
 109                break;
 110        case BPRM_CHECK:
 111                iint->ima_bprm_status = status;
 112                break;
 113        case CREDS_CHECK:
 114                iint->ima_creds_status = status;
 115                break;
 116        case FILE_CHECK:
 117        case POST_SETATTR:
 118                iint->ima_file_status = status;
 119                break;
 120        case MODULE_CHECK ... MAX_CHECK - 1:
 121        default:
 122                iint->ima_read_status = status;
 123                break;
 124        }
 125}
 126
 127static void ima_cache_flags(struct integrity_iint_cache *iint,
 128                             enum ima_hooks func)
 129{
 130        switch (func) {
 131        case MMAP_CHECK:
 132                iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
 133                break;
 134        case BPRM_CHECK:
 135                iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
 136                break;
 137        case CREDS_CHECK:
 138                iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
 139                break;
 140        case FILE_CHECK:
 141        case POST_SETATTR:
 142                iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
 143                break;
 144        case MODULE_CHECK ... MAX_CHECK - 1:
 145        default:
 146                iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
 147                break;
 148        }
 149}
 150
 151enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
 152                                 int xattr_len)
 153{
 154        struct signature_v2_hdr *sig;
 155        enum hash_algo ret;
 156
 157        if (!xattr_value || xattr_len < 2)
 158                /* return default hash algo */
 159                return ima_hash_algo;
 160
 161        switch (xattr_value->type) {
 162        case EVM_IMA_XATTR_DIGSIG:
 163                sig = (typeof(sig))xattr_value;
 164                if (sig->version != 2 || xattr_len <= sizeof(*sig))
 165                        return ima_hash_algo;
 166                return sig->hash_algo;
 167                break;
 168        case IMA_XATTR_DIGEST_NG:
 169                /* first byte contains algorithm id */
 170                ret = xattr_value->data[0];
 171                if (ret < HASH_ALGO__LAST)
 172                        return ret;
 173                break;
 174        case IMA_XATTR_DIGEST:
 175                /* this is for backward compatibility */
 176                if (xattr_len == 21) {
 177                        unsigned int zero = 0;
 178                        if (!memcmp(&xattr_value->data[16], &zero, 4))
 179                                return HASH_ALGO_MD5;
 180                        else
 181                                return HASH_ALGO_SHA1;
 182                } else if (xattr_len == 17)
 183                        return HASH_ALGO_MD5;
 184                break;
 185        }
 186
 187        /* return default hash algo */
 188        return ima_hash_algo;
 189}
 190
 191int ima_read_xattr(struct dentry *dentry,
 192                   struct evm_ima_xattr_data **xattr_value)
 193{
 194        ssize_t ret;
 195
 196        ret = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
 197                                 0, GFP_NOFS);
 198        if (ret == -EOPNOTSUPP)
 199                ret = 0;
 200        return ret;
 201}
 202
 203/*
 204 * xattr_verify - verify xattr digest or signature
 205 *
 206 * Verify whether the hash or signature matches the file contents.
 207 *
 208 * Return 0 on success, error code otherwise.
 209 */
 210static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
 211                        struct evm_ima_xattr_data *xattr_value, int xattr_len,
 212                        enum integrity_status *status, const char **cause)
 213{
 214        int rc = -EINVAL, hash_start = 0;
 215
 216        switch (xattr_value->type) {
 217        case IMA_XATTR_DIGEST_NG:
 218                /* first byte contains algorithm id */
 219                hash_start = 1;
 220                /* fall through */
 221        case IMA_XATTR_DIGEST:
 222                if (iint->flags & IMA_DIGSIG_REQUIRED) {
 223                        *cause = "IMA-signature-required";
 224                        *status = INTEGRITY_FAIL;
 225                        break;
 226                }
 227                clear_bit(IMA_DIGSIG, &iint->atomic_flags);
 228                if (xattr_len - sizeof(xattr_value->type) - hash_start >=
 229                                iint->ima_hash->length)
 230                        /*
 231                         * xattr length may be longer. md5 hash in previous
 232                         * version occupied 20 bytes in xattr, instead of 16
 233                         */
 234                        rc = memcmp(&xattr_value->data[hash_start],
 235                                    iint->ima_hash->digest,
 236                                    iint->ima_hash->length);
 237                else
 238                        rc = -EINVAL;
 239                if (rc) {
 240                        *cause = "invalid-hash";
 241                        *status = INTEGRITY_FAIL;
 242                        break;
 243                }
 244                *status = INTEGRITY_PASS;
 245                break;
 246        case EVM_IMA_XATTR_DIGSIG:
 247                set_bit(IMA_DIGSIG, &iint->atomic_flags);
 248                rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
 249                                             (const char *)xattr_value,
 250                                             xattr_len,
 251                                             iint->ima_hash->digest,
 252                                             iint->ima_hash->length);
 253                if (rc == -EOPNOTSUPP) {
 254                        *status = INTEGRITY_UNKNOWN;
 255                        break;
 256                }
 257                if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
 258                    func == KEXEC_KERNEL_CHECK)
 259                        rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
 260                                                     (const char *)xattr_value,
 261                                                     xattr_len,
 262                                                     iint->ima_hash->digest,
 263                                                     iint->ima_hash->length);
 264                if (rc) {
 265                        *cause = "invalid-signature";
 266                        *status = INTEGRITY_FAIL;
 267                } else {
 268                        *status = INTEGRITY_PASS;
 269                }
 270                break;
 271        default:
 272                *status = INTEGRITY_UNKNOWN;
 273                *cause = "unknown-ima-data";
 274                break;
 275        }
 276
 277        return rc;
 278}
 279
 280/*
 281 * modsig_verify - verify modsig signature
 282 *
 283 * Verify whether the signature matches the file contents.
 284 *
 285 * Return 0 on success, error code otherwise.
 286 */
 287static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
 288                         enum integrity_status *status, const char **cause)
 289{
 290        int rc;
 291
 292        rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
 293        if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
 294            func == KEXEC_KERNEL_CHECK)
 295                rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
 296                                             modsig);
 297        if (rc) {
 298                *cause = "invalid-signature";
 299                *status = INTEGRITY_FAIL;
 300        } else {
 301                *status = INTEGRITY_PASS;
 302        }
 303
 304        return rc;
 305}
 306
 307/*
 308 * ima_check_blacklist - determine if the binary is blacklisted.
 309 *
 310 * Add the hash of the blacklisted binary to the measurement list, based
 311 * on policy.
 312 *
 313 * Returns -EPERM if the hash is blacklisted.
 314 */
 315int ima_check_blacklist(struct integrity_iint_cache *iint,
 316                        const struct modsig *modsig, int pcr)
 317{
 318        enum hash_algo hash_algo;
 319        const u8 *digest = NULL;
 320        u32 digestsize = 0;
 321        int rc = 0;
 322
 323        if (!(iint->flags & IMA_CHECK_BLACKLIST))
 324                return 0;
 325
 326        if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
 327                ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
 328
 329                rc = is_binary_blacklisted(digest, digestsize);
 330                if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
 331                        process_buffer_measurement(digest, digestsize,
 332                                                   "blacklisted-hash", NONE,
 333                                                   pcr, NULL);
 334        }
 335
 336        return rc;
 337}
 338
 339/*
 340 * ima_appraise_measurement - appraise file measurement
 341 *
 342 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
 343 * Assuming success, compare the xattr hash with the collected measurement.
 344 *
 345 * Return 0 on success, error code otherwise
 346 */
 347int ima_appraise_measurement(enum ima_hooks func,
 348                             struct integrity_iint_cache *iint,
 349                             struct file *file, const unsigned char *filename,
 350                             struct evm_ima_xattr_data *xattr_value,
 351                             int xattr_len, const struct modsig *modsig)
 352{
 353        static const char op[] = "appraise_data";
 354        const char *cause = "unknown";
 355        struct dentry *dentry = file_dentry(file);
 356        struct inode *inode = d_backing_inode(dentry);
 357        enum integrity_status status = INTEGRITY_UNKNOWN;
 358        int rc = xattr_len;
 359        bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
 360
 361        /* If not appraising a modsig, we need an xattr. */
 362        if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
 363                return INTEGRITY_UNKNOWN;
 364
 365        /* If reading the xattr failed and there's no modsig, error out. */
 366        if (rc <= 0 && !try_modsig) {
 367                if (rc && rc != -ENODATA)
 368                        goto out;
 369
 370                cause = iint->flags & IMA_DIGSIG_REQUIRED ?
 371                                "IMA-signature-required" : "missing-hash";
 372                status = INTEGRITY_NOLABEL;
 373                if (file->f_mode & FMODE_CREATED)
 374                        iint->flags |= IMA_NEW_FILE;
 375                if ((iint->flags & IMA_NEW_FILE) &&
 376                    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
 377                     (inode->i_size == 0)))
 378                        status = INTEGRITY_PASS;
 379                goto out;
 380        }
 381
 382        status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
 383        switch (status) {
 384        case INTEGRITY_PASS:
 385        case INTEGRITY_PASS_IMMUTABLE:
 386        case INTEGRITY_UNKNOWN:
 387                break;
 388        case INTEGRITY_NOXATTRS:        /* No EVM protected xattrs. */
 389                /* It's fine not to have xattrs when using a modsig. */
 390                if (try_modsig)
 391                        break;
 392                /* fall through */
 393        case INTEGRITY_NOLABEL:         /* No security.evm xattr. */
 394                cause = "missing-HMAC";
 395                goto out;
 396        case INTEGRITY_FAIL:            /* Invalid HMAC/signature. */
 397                cause = "invalid-HMAC";
 398                goto out;
 399        default:
 400                WARN_ONCE(true, "Unexpected integrity status %d\n", status);
 401        }
 402
 403        if (xattr_value)
 404                rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
 405                                  &cause);
 406
 407        /*
 408         * If we have a modsig and either no imasig or the imasig's key isn't
 409         * known, then try verifying the modsig.
 410         */
 411        if (try_modsig &&
 412            (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
 413             rc == -ENOKEY))
 414                rc = modsig_verify(func, modsig, &status, &cause);
 415
 416out:
 417        /*
 418         * File signatures on some filesystems can not be properly verified.
 419         * When such filesystems are mounted by an untrusted mounter or on a
 420         * system not willing to accept such a risk, fail the file signature
 421         * verification.
 422         */
 423        if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
 424            ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
 425             (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
 426                status = INTEGRITY_FAIL;
 427                cause = "unverifiable-signature";
 428                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
 429                                    op, cause, rc, 0);
 430        } else if (status != INTEGRITY_PASS) {
 431                /* Fix mode, but don't replace file signatures. */
 432                if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
 433                    (!xattr_value ||
 434                     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
 435                        if (!ima_fix_xattr(dentry, iint))
 436                                status = INTEGRITY_PASS;
 437                }
 438
 439                /* Permit new files with file signatures, but without data. */
 440                if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
 441                    xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
 442                        status = INTEGRITY_PASS;
 443                }
 444
 445                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
 446                                    op, cause, rc, 0);
 447        } else {
 448                ima_cache_flags(iint, func);
 449        }
 450
 451        ima_set_cache_status(iint, func, status);
 452        return status;
 453}
 454
 455/*
 456 * ima_update_xattr - update 'security.ima' hash value
 457 */
 458void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
 459{
 460        struct dentry *dentry = file_dentry(file);
 461        int rc = 0;
 462
 463        /* do not collect and update hash for digital signatures */
 464        if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
 465                return;
 466
 467        if ((iint->ima_file_status != INTEGRITY_PASS) &&
 468            !(iint->flags & IMA_HASH))
 469                return;
 470
 471        rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
 472        if (rc < 0)
 473                return;
 474
 475        inode_lock(file_inode(file));
 476        ima_fix_xattr(dentry, iint);
 477        inode_unlock(file_inode(file));
 478}
 479
 480/**
 481 * ima_inode_post_setattr - reflect file metadata changes
 482 * @dentry: pointer to the affected dentry
 483 *
 484 * Changes to a dentry's metadata might result in needing to appraise.
 485 *
 486 * This function is called from notify_change(), which expects the caller
 487 * to lock the inode's i_mutex.
 488 */
 489void ima_inode_post_setattr(struct dentry *dentry)
 490{
 491        struct inode *inode = d_backing_inode(dentry);
 492        struct integrity_iint_cache *iint;
 493        int action;
 494
 495        if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
 496            || !(inode->i_opflags & IOP_XATTR))
 497                return;
 498
 499        action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
 500        if (!action)
 501                __vfs_removexattr(dentry, XATTR_NAME_IMA);
 502        iint = integrity_iint_find(inode);
 503        if (iint) {
 504                set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
 505                if (!action)
 506                        clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
 507        }
 508}
 509
 510/*
 511 * ima_protect_xattr - protect 'security.ima'
 512 *
 513 * Ensure that not just anyone can modify or remove 'security.ima'.
 514 */
 515static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
 516                             const void *xattr_value, size_t xattr_value_len)
 517{
 518        if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
 519                if (!capable(CAP_SYS_ADMIN))
 520                        return -EPERM;
 521                return 1;
 522        }
 523        return 0;
 524}
 525
 526static void ima_reset_appraise_flags(struct inode *inode, int digsig)
 527{
 528        struct integrity_iint_cache *iint;
 529
 530        if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
 531                return;
 532
 533        iint = integrity_iint_find(inode);
 534        if (!iint)
 535                return;
 536        iint->measured_pcrs = 0;
 537        set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
 538        if (digsig)
 539                set_bit(IMA_DIGSIG, &iint->atomic_flags);
 540        else
 541                clear_bit(IMA_DIGSIG, &iint->atomic_flags);
 542}
 543
 544int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 545                       const void *xattr_value, size_t xattr_value_len)
 546{
 547        const struct evm_ima_xattr_data *xvalue = xattr_value;
 548        int result;
 549
 550        result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 551                                   xattr_value_len);
 552        if (result == 1) {
 553                if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 554                        return -EINVAL;
 555                ima_reset_appraise_flags(d_backing_inode(dentry),
 556                        xvalue->type == EVM_IMA_XATTR_DIGSIG);
 557                result = 0;
 558        }
 559        return result;
 560}
 561
 562int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 563{
 564        int result;
 565
 566        result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
 567        if (result == 1) {
 568                ima_reset_appraise_flags(d_backing_inode(dentry), 0);
 569                result = 0;
 570        }
 571        return result;
 572}
 573