1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2005-2010 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
7 * Kylene Hall <kjhall@us.ibm.com>
8 *
9 * File: evm_main.c
10 * implements evm_inode_setxattr, evm_inode_post_setxattr,
11 * evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl.
12 */
13
14 #define pr_fmt(fmt) "EVM: "fmt
15
16 #include <linux/init.h>
17 #include <linux/audit.h>
18 #include <linux/xattr.h>
19 #include <linux/integrity.h>
20 #include <linux/evm.h>
21 #include <linux/magic.h>
22 #include <linux/posix_acl_xattr.h>
23 #include <linux/lsm_hooks.h>
24
25 #include <crypto/hash.h>
26 #include <crypto/hash_info.h>
27 #include <crypto/utils.h>
28 #include "evm.h"
29
30 int evm_initialized;
31
32 static const char * const integrity_status_msg[] = {
33 "pass", "pass_immutable", "fail", "fail_immutable", "no_label",
34 "no_xattrs", "unknown"
35 };
36 int evm_hmac_attrs;
37
38 static struct xattr_list evm_config_default_xattrnames[] = {
39 {
40 .name = XATTR_NAME_SELINUX,
41 .enabled = IS_ENABLED(CONFIG_SECURITY_SELINUX)
42 },
43 {
44 .name = XATTR_NAME_SMACK,
45 .enabled = IS_ENABLED(CONFIG_SECURITY_SMACK)
46 },
47 {
48 .name = XATTR_NAME_SMACKEXEC,
49 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
50 },
51 {
52 .name = XATTR_NAME_SMACKTRANSMUTE,
53 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
54 },
55 {
56 .name = XATTR_NAME_SMACKMMAP,
57 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
58 },
59 {
60 .name = XATTR_NAME_APPARMOR,
61 .enabled = IS_ENABLED(CONFIG_SECURITY_APPARMOR)
62 },
63 {
64 .name = XATTR_NAME_IMA,
65 .enabled = IS_ENABLED(CONFIG_IMA_APPRAISE)
66 },
67 {
68 .name = XATTR_NAME_CAPS,
69 .enabled = true
70 },
71 };
72
73 LIST_HEAD(evm_config_xattrnames);
74
75 static int evm_fixmode __ro_after_init;
76 static int __init evm_set_fixmode(char *str)
77 {
78 if (strncmp(str, "fix", 3) == 0)
79 evm_fixmode = 1;
80 else
81 pr_err("invalid \"%s\" mode", str);
82
83 return 1;
84 }
85 __setup("evm=", evm_set_fixmode);
86
87 static void __init evm_init_config(void)
88 {
89 int i, xattrs;
90
91 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
92
93 pr_info("Initialising EVM extended attributes:\n");
94 for (i = 0; i < xattrs; i++) {
95 pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
96 !evm_config_default_xattrnames[i].enabled ?
97 " (disabled)" : "");
98 list_add_tail(&evm_config_default_xattrnames[i].list,
99 &evm_config_xattrnames);
100 }
101
102 #ifdef CONFIG_EVM_ATTR_FSUUID
103 evm_hmac_attrs |= EVM_ATTR_FSUUID;
104 #endif
105 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
106 }
107
108 static bool evm_key_loaded(void)
109 {
110 return (bool)(evm_initialized & EVM_KEY_MASK);
111 }
112
113 /*
114 * This function determines whether or not it is safe to ignore verification
115 * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
116 * is not loaded, and it cannot be loaded in the future due to the
117 * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
118 * attrs/xattrs being found invalid will not make them valid.
119 */
120 static bool evm_hmac_disabled(void)
121 {
122 if (evm_initialized & EVM_INIT_HMAC)
123 return false;
124
125 if (!(evm_initialized & EVM_SETUP_COMPLETE))
126 return false;
127
128 return true;
129 }
130
131 static int evm_find_protected_xattrs(struct dentry *dentry)
132 {
133 struct inode *inode = d_backing_inode(dentry);
134 struct xattr_list *xattr;
135 int error;
136 int count = 0;
137
138 if (!(inode->i_opflags & IOP_XATTR))
139 return -EOPNOTSUPP;
140
141 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
142 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
143 if (error < 0) {
144 if (error == -ENODATA)
145 continue;
146 return error;
147 }
148 count++;
149 }
150
151 return count;
152 }
153
154 static int is_unsupported_hmac_fs(struct dentry *dentry)
155 {
156 struct inode *inode = d_backing_inode(dentry);
157
158 if (inode->i_sb->s_iflags & SB_I_EVM_HMAC_UNSUPPORTED) {
159 pr_info_once("%s not supported\n", inode->i_sb->s_type->name);
160 return 1;
161 }
162 return 0;
163 }
164
165 /*
166 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
167 *
168 * Compute the HMAC on the dentry's protected set of extended attributes
169 * and compare it against the stored security.evm xattr.
170 *
171 * For performance:
172 * - use the previoulsy retrieved xattr value and length to calculate the
173 * HMAC.)
174 * - cache the verification result in the iint, when available.
175 *
176 * Returns integrity status
177 */
178 static enum integrity_status evm_verify_hmac(struct dentry *dentry,
179 const char *xattr_name,
180 char *xattr_value,
181 size_t xattr_value_len)
182 {
183 struct evm_ima_xattr_data *xattr_data = NULL;
184 struct signature_v2_hdr *hdr;
185 enum integrity_status evm_status = INTEGRITY_PASS;
186 struct evm_digest digest;
187 struct inode *inode = d_backing_inode(dentry);
188 struct evm_iint_cache *iint = evm_iint_inode(inode);
189 int rc, xattr_len, evm_immutable = 0;
190
191 if (iint && (iint->evm_status == INTEGRITY_PASS ||
192 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
193 return iint->evm_status;
194
195 /*
196 * On unsupported filesystems without EVM_INIT_X509 enabled, skip
197 * signature verification.
198 */
199 if (!(evm_initialized & EVM_INIT_X509) &&
200 is_unsupported_hmac_fs(dentry))
201 return INTEGRITY_UNKNOWN;
202
203 /* if status is not PASS, try to check again - against -ENOMEM */
204
205 /* first need to know the sig type */
206 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_EVM,
207 (char **)&xattr_data, 0, GFP_NOFS);
208 if (rc <= 0) {
209 evm_status = INTEGRITY_FAIL;
210 if (rc == -ENODATA) {
211 rc = evm_find_protected_xattrs(dentry);
212 if (rc > 0)
213 evm_status = INTEGRITY_NOLABEL;
214 else if (rc == 0)
215 evm_status = INTEGRITY_NOXATTRS; /* new file */
216 } else if (rc == -EOPNOTSUPP) {
217 evm_status = INTEGRITY_UNKNOWN;
218 }
219 goto out;
220 }
221
222 xattr_len = rc;
223
224 /* check value type */
225 switch (xattr_data->type) {
226 case EVM_XATTR_HMAC:
227 if (xattr_len != sizeof(struct evm_xattr)) {
228 evm_status = INTEGRITY_FAIL;
229 goto out;
230 }
231
232 digest.hdr.algo = HASH_ALGO_SHA1;
233 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
234 xattr_value_len, &digest, iint);
235 if (rc)
236 break;
237 rc = crypto_memneq(xattr_data->data, digest.digest,
238 SHA1_DIGEST_SIZE);
239 if (rc)
240 rc = -EINVAL;
241 break;
242 case EVM_XATTR_PORTABLE_DIGSIG:
243 evm_immutable = 1;
244 fallthrough;
245 case EVM_IMA_XATTR_DIGSIG:
246 /* accept xattr with non-empty signature field */
247 if (xattr_len <= sizeof(struct signature_v2_hdr)) {
248 evm_status = INTEGRITY_FAIL;
249 goto out;
250 }
251
252 hdr = (struct signature_v2_hdr *)xattr_data;
253 digest.hdr.algo = hdr->hash_algo;
254 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
255 xattr_value_len, xattr_data->type, &digest,
256 iint);
257 if (rc)
258 break;
259 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
260 (const char *)xattr_data, xattr_len,
261 digest.digest, digest.hdr.length);
262 if (!rc) {
263 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
264 if (iint)
265 iint->flags |= EVM_IMMUTABLE_DIGSIG;
266 evm_status = INTEGRITY_PASS_IMMUTABLE;
267 } else if (!IS_RDONLY(inode) &&
268 !(inode->i_sb->s_readonly_remount) &&
269 !IS_IMMUTABLE(inode) &&
270 !is_unsupported_hmac_fs(dentry)) {
271 evm_update_evmxattr(dentry, xattr_name,
272 xattr_value,
273 xattr_value_len);
274 }
275 }
276 break;
277 default:
278 rc = -EINVAL;
279 break;
280 }
281
282 if (rc) {
283 if (rc == -ENODATA)
284 evm_status = INTEGRITY_NOXATTRS;
285 else if (evm_immutable)
286 evm_status = INTEGRITY_FAIL_IMMUTABLE;
287 else
288 evm_status = INTEGRITY_FAIL;
289 }
290 pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
291 digest.digest);
292 out:
293 if (iint)
294 iint->evm_status = evm_status;
295 kfree(xattr_data);
296 return evm_status;
297 }
298
299 static int evm_protected_xattr_common(const char *req_xattr_name,
300 bool all_xattrs)
301 {
302 int namelen;
303 int found = 0;
304 struct xattr_list *xattr;
305
306 namelen = strlen(req_xattr_name);
307 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
308 if (!all_xattrs && !xattr->enabled)
309 continue;
310
311 if ((strlen(xattr->name) == namelen)
312 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
313 found = 1;
314 break;
315 }
316 if (strncmp(req_xattr_name,
317 xattr->name + XATTR_SECURITY_PREFIX_LEN,
318 strlen(req_xattr_name)) == 0) {
319 found = 1;
320 break;
321 }
322 }
323
324 return found;
325 }
326
327 int evm_protected_xattr(const char *req_xattr_name)
328 {
329 return evm_protected_xattr_common(req_xattr_name, false);
330 }
331
332 int evm_protected_xattr_if_enabled(const char *req_xattr_name)
333 {
334 return evm_protected_xattr_common(req_xattr_name, true);
335 }
336
337 /**
338 * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
339 * @dentry: dentry of the read xattrs
340 * @buffer: buffer xattr names, lengths or values are copied to
341 * @buffer_size: size of buffer
342 * @type: n: names, l: lengths, v: values
343 * @canonical_fmt: data format (true: little endian, false: native format)
344 *
345 * Read protected xattr names (separated by |), lengths (u32) or values for a
346 * given dentry and return the total size of copied data. If buffer is NULL,
347 * just return the total size.
348 *
349 * Returns the total size on success, a negative value on error.
350 */
351 int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
352 int buffer_size, char type, bool canonical_fmt)
353 {
354 struct xattr_list *xattr;
355 int rc, size, total_size = 0;
356
357 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
358 rc = __vfs_getxattr(dentry, d_backing_inode(dentry),
359 xattr->name, NULL, 0);
360 if (rc < 0 && rc == -ENODATA)
361 continue;
362 else if (rc < 0)
363 return rc;
364
365 switch (type) {
366 case 'n':
367 size = strlen(xattr->name) + 1;
368 if (buffer) {
369 if (total_size)
370 *(buffer + total_size - 1) = '|';
371
372 memcpy(buffer + total_size, xattr->name, size);
373 }
374 break;
375 case 'l':
376 size = sizeof(u32);
377 if (buffer) {
378 if (canonical_fmt)
379 rc = (__force int)cpu_to_le32(rc);
380
381 *(u32 *)(buffer + total_size) = rc;
382 }
383 break;
384 case 'v':
385 size = rc;
386 if (buffer) {
387 rc = __vfs_getxattr(dentry,
388 d_backing_inode(dentry), xattr->name,
389 buffer + total_size,
390 buffer_size - total_size);
391 if (rc < 0)
392 return rc;
393 }
394 break;
395 default:
396 return -EINVAL;
397 }
398
399 total_size += size;
400 }
401
402 return total_size;
403 }
404
405 /**
406 * evm_verifyxattr - verify the integrity of the requested xattr
407 * @dentry: object of the verify xattr
408 * @xattr_name: requested xattr
409 * @xattr_value: requested xattr value
410 * @xattr_value_len: requested xattr value length
411 *
412 * Calculate the HMAC for the given dentry and verify it against the stored
413 * security.evm xattr. For performance, use the xattr value and length
414 * previously retrieved to calculate the HMAC.
415 *
416 * Returns the xattr integrity status.
417 *
418 * This function requires the caller to lock the inode's i_mutex before it
419 * is executed.
420 */
421 enum integrity_status evm_verifyxattr(struct dentry *dentry,
422 const char *xattr_name,
423 void *xattr_value, size_t xattr_value_len)
424 {
425 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
426 return INTEGRITY_UNKNOWN;
427
428 return evm_verify_hmac(dentry, xattr_name, xattr_value,
429 xattr_value_len);
430 }
431 EXPORT_SYMBOL_GPL(evm_verifyxattr);
432
433 /*
434 * evm_verify_current_integrity - verify the dentry's metadata integrity
435 * @dentry: pointer to the affected dentry
436 *
437 * Verify and return the dentry's metadata integrity. The exceptions are
438 * before EVM is initialized or in 'fix' mode.
439 */
440 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
441 {
442 struct inode *inode = d_backing_inode(dentry);
443
444 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
445 return INTEGRITY_PASS;
446 return evm_verify_hmac(dentry, NULL, NULL, 0);
447 }
448
449 /*
450 * evm_xattr_change - check if passed xattr value differs from current value
451 * @idmap: idmap of the mount
452 * @dentry: pointer to the affected dentry
453 * @xattr_name: requested xattr
454 * @xattr_value: requested xattr value
455 * @xattr_value_len: requested xattr value length
456 *
457 * Check if passed xattr value differs from current value.
458 *
459 * Returns 1 if passed xattr value differs from current value, 0 otherwise.
460 */
461 static int evm_xattr_change(struct mnt_idmap *idmap,
462 struct dentry *dentry, const char *xattr_name,
463 const void *xattr_value, size_t xattr_value_len)
464 {
465 char *xattr_data = NULL;
466 int rc = 0;
467
468 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr_name, &xattr_data,
469 0, GFP_NOFS);
470 if (rc < 0) {
471 rc = 1;
472 goto out;
473 }
474
475 if (rc == xattr_value_len)
476 rc = !!memcmp(xattr_value, xattr_data, rc);
477 else
478 rc = 1;
479
480 out:
481 kfree(xattr_data);
482 return rc;
483 }
484
485 /*
486 * evm_protect_xattr - protect the EVM extended attribute
487 *
488 * Prevent security.evm from being modified or removed without the
489 * necessary permissions or when the existing value is invalid.
490 *
491 * The posix xattr acls are 'system' prefixed, which normally would not
492 * affect security.evm. An interesting side affect of writing posix xattr
493 * acls is their modifying of the i_mode, which is included in security.evm.
494 * For posix xattr acls only, permit security.evm, even if it currently
495 * doesn't exist, to be updated unless the EVM signature is immutable.
496 */
497 static int evm_protect_xattr(struct mnt_idmap *idmap,
498 struct dentry *dentry, const char *xattr_name,
499 const void *xattr_value, size_t xattr_value_len)
500 {
501 enum integrity_status evm_status;
502
503 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
504 if (!capable(CAP_SYS_ADMIN))
505 return -EPERM;
506 if (is_unsupported_hmac_fs(dentry))
507 return -EPERM;
508 } else if (!evm_protected_xattr(xattr_name)) {
509 if (!posix_xattr_acl(xattr_name))
510 return 0;
511 if (is_unsupported_hmac_fs(dentry))
512 return 0;
513
514 evm_status = evm_verify_current_integrity(dentry);
515 if ((evm_status == INTEGRITY_PASS) ||
516 (evm_status == INTEGRITY_NOXATTRS))
517 return 0;
518 goto out;
519 } else if (is_unsupported_hmac_fs(dentry))
520 return 0;
521
522 evm_status = evm_verify_current_integrity(dentry);
523 if (evm_status == INTEGRITY_NOXATTRS) {
524 struct evm_iint_cache *iint;
525
526 /* Exception if the HMAC is not going to be calculated. */
527 if (evm_hmac_disabled())
528 return 0;
529
530 iint = evm_iint_inode(d_backing_inode(dentry));
531 if (iint && (iint->flags & EVM_NEW_FILE))
532 return 0;
533
534 /* exception for pseudo filesystems */
535 if (dentry->d_sb->s_magic == TMPFS_MAGIC
536 || dentry->d_sb->s_magic == SYSFS_MAGIC)
537 return 0;
538
539 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
540 dentry->d_inode, dentry->d_name.name,
541 "update_metadata",
542 integrity_status_msg[evm_status],
543 -EPERM, 0);
544 }
545 out:
546 /* Exception if the HMAC is not going to be calculated. */
547 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
548 evm_status == INTEGRITY_UNKNOWN))
549 return 0;
550
551 /*
552 * Writing other xattrs is safe for portable signatures, as portable
553 * signatures are immutable and can never be updated.
554 */
555 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
556 return 0;
557
558 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
559 !evm_xattr_change(idmap, dentry, xattr_name, xattr_value,
560 xattr_value_len))
561 return 0;
562
563 if (evm_status != INTEGRITY_PASS &&
564 evm_status != INTEGRITY_PASS_IMMUTABLE)
565 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
566 dentry->d_name.name, "appraise_metadata",
567 integrity_status_msg[evm_status],
568 -EPERM, 0);
569 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
570 }
571
572 /**
573 * evm_inode_setxattr - protect the EVM extended attribute
574 * @idmap: idmap of the mount
575 * @dentry: pointer to the affected dentry
576 * @xattr_name: pointer to the affected extended attribute name
577 * @xattr_value: pointer to the new extended attribute value
578 * @xattr_value_len: pointer to the new extended attribute value length
579 * @flags: flags to pass into filesystem operations
580 *
581 * Before allowing the 'security.evm' protected xattr to be updated,
582 * verify the existing value is valid. As only the kernel should have
583 * access to the EVM encrypted key needed to calculate the HMAC, prevent
584 * userspace from writing HMAC value. Writing 'security.evm' requires
585 * requires CAP_SYS_ADMIN privileges.
586 */
587 static int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
588 const char *xattr_name, const void *xattr_value,
589 size_t xattr_value_len, int flags)
590 {
591 const struct evm_ima_xattr_data *xattr_data = xattr_value;
592
593 /* Policy permits modification of the protected xattrs even though
594 * there's no HMAC key loaded
595 */
596 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
597 return 0;
598
599 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
600 if (!xattr_value_len)
601 return -EINVAL;
602 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
603 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
604 return -EPERM;
605 }
606 return evm_protect_xattr(idmap, dentry, xattr_name, xattr_value,
607 xattr_value_len);
608 }
609
610 /**
611 * evm_inode_removexattr - protect the EVM extended attribute
612 * @idmap: idmap of the mount
613 * @dentry: pointer to the affected dentry
614 * @xattr_name: pointer to the affected extended attribute name
615 *
616 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
617 * the current value is valid.
618 */
619 static int evm_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
620 const char *xattr_name)
621 {
622 /* Policy permits modification of the protected xattrs even though
623 * there's no HMAC key loaded
624 */
625 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
626 return 0;
627
628 return evm_protect_xattr(idmap, dentry, xattr_name, NULL, 0);
629 }
630
631 #ifdef CONFIG_FS_POSIX_ACL
632 static int evm_inode_set_acl_change(struct mnt_idmap *idmap,
633 struct dentry *dentry, const char *name,
634 struct posix_acl *kacl)
635 {
636 int rc;
637
638 umode_t mode;
639 struct inode *inode = d_backing_inode(dentry);
640
641 if (!kacl)
642 return 1;
643
644 rc = posix_acl_update_mode(idmap, inode, &mode, &kacl);
645 if (rc || (inode->i_mode != mode))
646 return 1;
647
648 return 0;
649 }
650 #else
651 static inline int evm_inode_set_acl_change(struct mnt_idmap *idmap,
652 struct dentry *dentry,
653 const char *name,
654 struct posix_acl *kacl)
655 {
656 return 0;
657 }
658 #endif
659
660 /**
661 * evm_inode_set_acl - protect the EVM extended attribute from posix acls
662 * @idmap: idmap of the idmapped mount
663 * @dentry: pointer to the affected dentry
664 * @acl_name: name of the posix acl
665 * @kacl: pointer to the posix acls
666 *
667 * Prevent modifying posix acls causing the EVM HMAC to be re-calculated
668 * and 'security.evm' xattr updated, unless the existing 'security.evm' is
669 * valid.
670 *
671 * Return: zero on success, -EPERM on failure.
672 */
673 static int evm_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
674 const char *acl_name, struct posix_acl *kacl)
675 {
676 enum integrity_status evm_status;
677
678 /* Policy permits modification of the protected xattrs even though
679 * there's no HMAC key loaded
680 */
681 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
682 return 0;
683
684 evm_status = evm_verify_current_integrity(dentry);
685 if ((evm_status == INTEGRITY_PASS) ||
686 (evm_status == INTEGRITY_NOXATTRS))
687 return 0;
688
689 /* Exception if the HMAC is not going to be calculated. */
690 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
691 evm_status == INTEGRITY_UNKNOWN))
692 return 0;
693
694 /*
695 * Writing other xattrs is safe for portable signatures, as portable
696 * signatures are immutable and can never be updated.
697 */
698 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
699 return 0;
700
701 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
702 !evm_inode_set_acl_change(idmap, dentry, acl_name, kacl))
703 return 0;
704
705 if (evm_status != INTEGRITY_PASS_IMMUTABLE)
706 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
707 dentry->d_name.name, "appraise_metadata",
708 integrity_status_msg[evm_status],
709 -EPERM, 0);
710 return -EPERM;
711 }
712
713 /**
714 * evm_inode_remove_acl - Protect the EVM extended attribute from posix acls
715 * @idmap: idmap of the mount
716 * @dentry: pointer to the affected dentry
717 * @acl_name: name of the posix acl
718 *
719 * Prevent removing posix acls causing the EVM HMAC to be re-calculated
720 * and 'security.evm' xattr updated, unless the existing 'security.evm' is
721 * valid.
722 *
723 * Return: zero on success, -EPERM on failure.
724 */
725 static int evm_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
726 const char *acl_name)
727 {
728 return evm_inode_set_acl(idmap, dentry, acl_name, NULL);
729 }
730
731 static void evm_reset_status(struct inode *inode)
732 {
733 struct evm_iint_cache *iint;
734
735 iint = evm_iint_inode(inode);
736 if (iint)
737 iint->evm_status = INTEGRITY_UNKNOWN;
738 }
739
740 /**
741 * evm_metadata_changed: Detect changes to the metadata
742 * @inode: a file's inode
743 * @metadata_inode: metadata inode
744 *
745 * On a stacked filesystem detect whether the metadata has changed. If this is
746 * the case reset the evm_status associated with the inode that represents the
747 * file.
748 */
749 bool evm_metadata_changed(struct inode *inode, struct inode *metadata_inode)
750 {
751 struct evm_iint_cache *iint = evm_iint_inode(inode);
752 bool ret = false;
753
754 if (iint) {
755 ret = (!IS_I_VERSION(metadata_inode) ||
756 integrity_inode_attrs_changed(&iint->metadata_inode,
757 metadata_inode));
758 if (ret)
759 iint->evm_status = INTEGRITY_UNKNOWN;
760 }
761
762 return ret;
763 }
764
765 /**
766 * evm_revalidate_status - report whether EVM status re-validation is necessary
767 * @xattr_name: pointer to the affected extended attribute name
768 *
769 * Report whether callers of evm_verifyxattr() should re-validate the
770 * EVM status.
771 *
772 * Return true if re-validation is necessary, false otherwise.
773 */
774 bool evm_revalidate_status(const char *xattr_name)
775 {
776 if (!evm_key_loaded())
777 return false;
778
779 /* evm_inode_post_setattr() passes NULL */
780 if (!xattr_name)
781 return true;
782
783 if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
784 strcmp(xattr_name, XATTR_NAME_EVM))
785 return false;
786
787 return true;
788 }
789
790 /**
791 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
792 * @dentry: pointer to the affected dentry
793 * @xattr_name: pointer to the affected extended attribute name
794 * @xattr_value: pointer to the new extended attribute value
795 * @xattr_value_len: pointer to the new extended attribute value length
796 * @flags: flags to pass into filesystem operations
797 *
798 * Update the HMAC stored in 'security.evm' to reflect the change.
799 *
800 * No need to take the i_mutex lock here, as this function is called from
801 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
802 * i_mutex lock.
803 */
804 static void evm_inode_post_setxattr(struct dentry *dentry,
805 const char *xattr_name,
806 const void *xattr_value,
807 size_t xattr_value_len,
808 int flags)
809 {
810 if (!evm_revalidate_status(xattr_name))
811 return;
812
813 evm_reset_status(dentry->d_inode);
814
815 if (!strcmp(xattr_name, XATTR_NAME_EVM))
816 return;
817
818 if (!(evm_initialized & EVM_INIT_HMAC))
819 return;
820
821 if (is_unsupported_hmac_fs(dentry))
822 return;
823
824 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
825 }
826
827 /**
828 * evm_inode_post_set_acl - Update the EVM extended attribute from posix acls
829 * @dentry: pointer to the affected dentry
830 * @acl_name: name of the posix acl
831 * @kacl: pointer to the posix acls
832 *
833 * Update the 'security.evm' xattr with the EVM HMAC re-calculated after setting
834 * posix acls.
835 */
836 static void evm_inode_post_set_acl(struct dentry *dentry, const char *acl_name,
837 struct posix_acl *kacl)
838 {
839 return evm_inode_post_setxattr(dentry, acl_name, NULL, 0, 0);
840 }
841
842 /**
843 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
844 * @dentry: pointer to the affected dentry
845 * @xattr_name: pointer to the affected extended attribute name
846 *
847 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
848 *
849 * No need to take the i_mutex lock here, as this function is called from
850 * vfs_removexattr() which takes the i_mutex.
851 */
852 static void evm_inode_post_removexattr(struct dentry *dentry,
853 const char *xattr_name)
854 {
855 if (!evm_revalidate_status(xattr_name))
856 return;
857
858 evm_reset_status(dentry->d_inode);
859
860 if (!strcmp(xattr_name, XATTR_NAME_EVM))
861 return;
862
863 if (!(evm_initialized & EVM_INIT_HMAC))
864 return;
865
866 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
867 }
868
869 /**
870 * evm_inode_post_remove_acl - Update the EVM extended attribute from posix acls
871 * @idmap: idmap of the mount
872 * @dentry: pointer to the affected dentry
873 * @acl_name: name of the posix acl
874 *
875 * Update the 'security.evm' xattr with the EVM HMAC re-calculated after
876 * removing posix acls.
877 */
878 static inline void evm_inode_post_remove_acl(struct mnt_idmap *idmap,
879 struct dentry *dentry,
880 const char *acl_name)
881 {
882 evm_inode_post_removexattr(dentry, acl_name);
883 }
884
885 static int evm_attr_change(struct mnt_idmap *idmap,
886 struct dentry *dentry, struct iattr *attr)
887 {
888 struct inode *inode = d_backing_inode(dentry);
889 unsigned int ia_valid = attr->ia_valid;
890
891 if (!i_uid_needs_update(idmap, attr, inode) &&
892 !i_gid_needs_update(idmap, attr, inode) &&
893 (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
894 return 0;
895
896 return 1;
897 }
898
899 /**
900 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
901 * @idmap: idmap of the mount
902 * @dentry: pointer to the affected dentry
903 * @attr: iattr structure containing the new file attributes
904 *
905 * Permit update of file attributes when files have a valid EVM signature,
906 * except in the case of them having an immutable portable signature.
907 */
908 static int evm_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
909 struct iattr *attr)
910 {
911 unsigned int ia_valid = attr->ia_valid;
912 enum integrity_status evm_status;
913
914 /* Policy permits modification of the protected attrs even though
915 * there's no HMAC key loaded
916 */
917 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
918 return 0;
919
920 if (is_unsupported_hmac_fs(dentry))
921 return 0;
922
923 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
924 return 0;
925
926 evm_status = evm_verify_current_integrity(dentry);
927 /*
928 * Writing attrs is safe for portable signatures, as portable signatures
929 * are immutable and can never be updated.
930 */
931 if ((evm_status == INTEGRITY_PASS) ||
932 (evm_status == INTEGRITY_NOXATTRS) ||
933 (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
934 (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
935 evm_status == INTEGRITY_UNKNOWN)))
936 return 0;
937
938 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
939 !evm_attr_change(idmap, dentry, attr))
940 return 0;
941
942 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
943 dentry->d_name.name, "appraise_metadata",
944 integrity_status_msg[evm_status], -EPERM, 0);
945 return -EPERM;
946 }
947
948 /**
949 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
950 * @idmap: idmap of the idmapped mount
951 * @dentry: pointer to the affected dentry
952 * @ia_valid: for the UID and GID status
953 *
954 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
955 * changes.
956 *
957 * This function is called from notify_change(), which expects the caller
958 * to lock the inode's i_mutex.
959 */
960 static void evm_inode_post_setattr(struct mnt_idmap *idmap,
961 struct dentry *dentry, int ia_valid)
962 {
963 if (!evm_revalidate_status(NULL))
964 return;
965
966 evm_reset_status(dentry->d_inode);
967
968 if (!(evm_initialized & EVM_INIT_HMAC))
969 return;
970
971 if (is_unsupported_hmac_fs(dentry))
972 return;
973
974 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
975 evm_update_evmxattr(dentry, NULL, NULL, 0);
976 }
977
978 static int evm_inode_copy_up_xattr(struct dentry *src, const char *name)
979 {
980 struct evm_ima_xattr_data *xattr_data = NULL;
981 int rc;
982
983 if (strcmp(name, XATTR_NAME_EVM) != 0)
984 return -EOPNOTSUPP;
985
986 /* first need to know the sig type */
987 rc = vfs_getxattr_alloc(&nop_mnt_idmap, src, XATTR_NAME_EVM,
988 (char **)&xattr_data, 0, GFP_NOFS);
989 if (rc <= 0)
990 return -EPERM;
991
992 if (rc < offsetof(struct evm_ima_xattr_data, type) +
993 sizeof(xattr_data->type))
994 return -EPERM;
995
996 switch (xattr_data->type) {
997 case EVM_XATTR_PORTABLE_DIGSIG:
998 rc = 0; /* allow copy-up */
999 break;
1000 case EVM_XATTR_HMAC:
1001 case EVM_IMA_XATTR_DIGSIG:
1002 default:
1003 rc = 1; /* discard */
1004 }
1005
1006 kfree(xattr_data);
1007 return rc;
1008 }
1009
1010 /*
1011 * evm_inode_init_security - initializes security.evm HMAC value
1012 */
1013 int evm_inode_init_security(struct inode *inode, struct inode *dir,
1014 const struct qstr *qstr, struct xattr *xattrs,
1015 int *xattr_count)
1016 {
1017 struct evm_xattr *xattr_data;
1018 struct xattr *xattr, *evm_xattr;
1019 bool evm_protected_xattrs = false;
1020 int rc;
1021
1022 if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs)
1023 return 0;
1024
1025 /*
1026 * security_inode_init_security() makes sure that the xattrs array is
1027 * contiguous, there is enough space for security.evm, and that there is
1028 * a terminator at the end of the array.
1029 */
1030 for (xattr = xattrs; xattr->name; xattr++) {
1031 if (evm_protected_xattr(xattr->name))
1032 evm_protected_xattrs = true;
1033 }
1034
1035 /* EVM xattr not needed. */
1036 if (!evm_protected_xattrs)
1037 return 0;
1038
1039 evm_xattr = lsm_get_xattr_slot(xattrs, xattr_count);
1040 /*
1041 * Array terminator (xattr name = NULL) must be the first non-filled
1042 * xattr slot.
1043 */
1044 WARN_ONCE(evm_xattr != xattr,
1045 "%s: xattrs terminator is not the first non-filled slot\n",
1046 __func__);
1047
1048 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
1049 if (!xattr_data)
1050 return -ENOMEM;
1051
1052 xattr_data->data.type = EVM_XATTR_HMAC;
1053 rc = evm_init_hmac(inode, xattrs, xattr_data->digest);
1054 if (rc < 0)
1055 goto out;
1056
1057 evm_xattr->value = xattr_data;
1058 evm_xattr->value_len = sizeof(*xattr_data);
1059 evm_xattr->name = XATTR_EVM_SUFFIX;
1060 return 0;
1061 out:
1062 kfree(xattr_data);
1063 return rc;
1064 }
1065 EXPORT_SYMBOL_GPL(evm_inode_init_security);
1066
1067 static int evm_inode_alloc_security(struct inode *inode)
1068 {
1069 struct evm_iint_cache *iint = evm_iint_inode(inode);
1070
1071 /* Called by security_inode_alloc(), it cannot be NULL. */
1072 iint->flags = 0UL;
1073 iint->evm_status = INTEGRITY_UNKNOWN;
1074
1075 return 0;
1076 }
1077
1078 static void evm_file_release(struct file *file)
1079 {
1080 struct inode *inode = file_inode(file);
1081 struct evm_iint_cache *iint = evm_iint_inode(inode);
1082 fmode_t mode = file->f_mode;
1083
1084 if (!S_ISREG(inode->i_mode) || !(mode & FMODE_WRITE))
1085 return;
1086
1087 if (iint && atomic_read(&inode->i_writecount) == 1)
1088 iint->flags &= ~EVM_NEW_FILE;
1089 }
1090
1091 static void evm_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry)
1092 {
1093 struct inode *inode = d_backing_inode(dentry);
1094 struct evm_iint_cache *iint = evm_iint_inode(inode);
1095
1096 if (!S_ISREG(inode->i_mode))
1097 return;
1098
1099 if (iint)
1100 iint->flags |= EVM_NEW_FILE;
1101 }
1102
1103 #ifdef CONFIG_EVM_LOAD_X509
1104 void __init evm_load_x509(void)
1105 {
1106 int rc;
1107
1108 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
1109 if (!rc)
1110 evm_initialized |= EVM_INIT_X509;
1111 }
1112 #endif
1113
1114 static int __init init_evm(void)
1115 {
1116 int error;
1117 struct list_head *pos, *q;
1118
1119 evm_init_config();
1120
1121 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
1122 if (error)
1123 goto error;
1124
1125 error = evm_init_secfs();
1126 if (error < 0) {
1127 pr_info("Error registering secfs\n");
1128 goto error;
1129 }
1130
1131 error:
1132 if (error != 0) {
1133 if (!list_empty(&evm_config_xattrnames)) {
1134 list_for_each_safe(pos, q, &evm_config_xattrnames)
1135 list_del(pos);
1136 }
1137 }
1138
1139 return error;
1140 }
1141
1142 static struct security_hook_list evm_hooks[] __ro_after_init = {
1143 LSM_HOOK_INIT(inode_setattr, evm_inode_setattr),
1144 LSM_HOOK_INIT(inode_post_setattr, evm_inode_post_setattr),
1145 LSM_HOOK_INIT(inode_copy_up_xattr, evm_inode_copy_up_xattr),
1146 LSM_HOOK_INIT(inode_setxattr, evm_inode_setxattr),
1147 LSM_HOOK_INIT(inode_post_setxattr, evm_inode_post_setxattr),
1148 LSM_HOOK_INIT(inode_set_acl, evm_inode_set_acl),
1149 LSM_HOOK_INIT(inode_post_set_acl, evm_inode_post_set_acl),
1150 LSM_HOOK_INIT(inode_remove_acl, evm_inode_remove_acl),
1151 LSM_HOOK_INIT(inode_post_remove_acl, evm_inode_post_remove_acl),
1152 LSM_HOOK_INIT(inode_removexattr, evm_inode_removexattr),
1153 LSM_HOOK_INIT(inode_post_removexattr, evm_inode_post_removexattr),
1154 LSM_HOOK_INIT(inode_init_security, evm_inode_init_security),
1155 LSM_HOOK_INIT(inode_alloc_security, evm_inode_alloc_security),
1156 LSM_HOOK_INIT(file_release, evm_file_release),
1157 LSM_HOOK_INIT(path_post_mknod, evm_post_path_mknod),
1158 };
1159
1160 static const struct lsm_id evm_lsmid = {
1161 .name = "evm",
1162 .id = LSM_ID_EVM,
1163 };
1164
1165 static int __init init_evm_lsm(void)
1166 {
1167 security_add_hooks(evm_hooks, ARRAY_SIZE(evm_hooks), &evm_lsmid);
1168 return 0;
1169 }
1170
1171 struct lsm_blob_sizes evm_blob_sizes __ro_after_init = {
1172 .lbs_inode = sizeof(struct evm_iint_cache),
1173 .lbs_xattr_count = 1,
1174 };
1175
1176 DEFINE_LSM(evm) = {
1177 .name = "evm",
1178 .init = init_evm_lsm,
1179 .order = LSM_ORDER_LAST,
1180 .blobs = &evm_blob_sizes,
1181 };
1182
1183 late_initcall(init_evm);
1184
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.