Loading...
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright (C) 2005-2010 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
7 * Kylene Hall <kjhall@us.ibm.com>
8 *
9 * File: evm_main.c
10 * implements evm_inode_setxattr, evm_inode_post_setxattr,
11 * evm_inode_removexattr, and evm_verifyxattr
12 */
13
14#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15
16#include <linux/init.h>
17#include <linux/crypto.h>
18#include <linux/audit.h>
19#include <linux/xattr.h>
20#include <linux/integrity.h>
21#include <linux/evm.h>
22#include <linux/magic.h>
23
24#include <crypto/hash.h>
25#include <crypto/hash_info.h>
26#include <crypto/algapi.h>
27#include "evm.h"
28
29int evm_initialized;
30
31static const char * const integrity_status_msg[] = {
32 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
33};
34int evm_hmac_attrs;
35
36static struct xattr_list evm_config_default_xattrnames[] = {
37#ifdef CONFIG_SECURITY_SELINUX
38 {.name = XATTR_NAME_SELINUX},
39#endif
40#ifdef CONFIG_SECURITY_SMACK
41 {.name = XATTR_NAME_SMACK},
42#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
43 {.name = XATTR_NAME_SMACKEXEC},
44 {.name = XATTR_NAME_SMACKTRANSMUTE},
45 {.name = XATTR_NAME_SMACKMMAP},
46#endif
47#endif
48#ifdef CONFIG_SECURITY_APPARMOR
49 {.name = XATTR_NAME_APPARMOR},
50#endif
51#ifdef CONFIG_IMA_APPRAISE
52 {.name = XATTR_NAME_IMA},
53#endif
54 {.name = XATTR_NAME_CAPS},
55};
56
57LIST_HEAD(evm_config_xattrnames);
58
59static int evm_fixmode;
60static int __init evm_set_fixmode(char *str)
61{
62 if (strncmp(str, "fix", 3) == 0)
63 evm_fixmode = 1;
64 return 0;
65}
66__setup("evm=", evm_set_fixmode);
67
68static void __init evm_init_config(void)
69{
70 int i, xattrs;
71
72 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
73
74 pr_info("Initialising EVM extended attributes:\n");
75 for (i = 0; i < xattrs; i++) {
76 pr_info("%s\n", evm_config_default_xattrnames[i].name);
77 list_add_tail(&evm_config_default_xattrnames[i].list,
78 &evm_config_xattrnames);
79 }
80
81#ifdef CONFIG_EVM_ATTR_FSUUID
82 evm_hmac_attrs |= EVM_ATTR_FSUUID;
83#endif
84 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
85}
86
87static bool evm_key_loaded(void)
88{
89 return (bool)(evm_initialized & EVM_KEY_MASK);
90}
91
92static int evm_find_protected_xattrs(struct dentry *dentry)
93{
94 struct inode *inode = d_backing_inode(dentry);
95 struct xattr_list *xattr;
96 int error;
97 int count = 0;
98
99 if (!(inode->i_opflags & IOP_XATTR))
100 return -EOPNOTSUPP;
101
102 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
103 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
104 if (error < 0) {
105 if (error == -ENODATA)
106 continue;
107 return error;
108 }
109 count++;
110 }
111
112 return count;
113}
114
115/*
116 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
117 *
118 * Compute the HMAC on the dentry's protected set of extended attributes
119 * and compare it against the stored security.evm xattr.
120 *
121 * For performance:
122 * - use the previoulsy retrieved xattr value and length to calculate the
123 * HMAC.)
124 * - cache the verification result in the iint, when available.
125 *
126 * Returns integrity status
127 */
128static enum integrity_status evm_verify_hmac(struct dentry *dentry,
129 const char *xattr_name,
130 char *xattr_value,
131 size_t xattr_value_len,
132 struct integrity_iint_cache *iint)
133{
134 struct evm_ima_xattr_data *xattr_data = NULL;
135 struct signature_v2_hdr *hdr;
136 enum integrity_status evm_status = INTEGRITY_PASS;
137 struct evm_digest digest;
138 struct inode *inode;
139 int rc, xattr_len;
140
141 if (iint && (iint->evm_status == INTEGRITY_PASS ||
142 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
143 return iint->evm_status;
144
145 /* if status is not PASS, try to check again - against -ENOMEM */
146
147 /* first need to know the sig type */
148 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
149 GFP_NOFS);
150 if (rc <= 0) {
151 evm_status = INTEGRITY_FAIL;
152 if (rc == -ENODATA) {
153 rc = evm_find_protected_xattrs(dentry);
154 if (rc > 0)
155 evm_status = INTEGRITY_NOLABEL;
156 else if (rc == 0)
157 evm_status = INTEGRITY_NOXATTRS; /* new file */
158 } else if (rc == -EOPNOTSUPP) {
159 evm_status = INTEGRITY_UNKNOWN;
160 }
161 goto out;
162 }
163
164 xattr_len = rc;
165
166 /* check value type */
167 switch (xattr_data->type) {
168 case EVM_XATTR_HMAC:
169 if (xattr_len != sizeof(struct evm_xattr)) {
170 evm_status = INTEGRITY_FAIL;
171 goto out;
172 }
173
174 digest.hdr.algo = HASH_ALGO_SHA1;
175 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
176 xattr_value_len, &digest);
177 if (rc)
178 break;
179 rc = crypto_memneq(xattr_data->data, digest.digest,
180 SHA1_DIGEST_SIZE);
181 if (rc)
182 rc = -EINVAL;
183 break;
184 case EVM_IMA_XATTR_DIGSIG:
185 case EVM_XATTR_PORTABLE_DIGSIG:
186 hdr = (struct signature_v2_hdr *)xattr_data;
187 digest.hdr.algo = hdr->hash_algo;
188 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
189 xattr_value_len, xattr_data->type, &digest);
190 if (rc)
191 break;
192 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
193 (const char *)xattr_data, xattr_len,
194 digest.digest, digest.hdr.length);
195 if (!rc) {
196 inode = d_backing_inode(dentry);
197
198 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
199 if (iint)
200 iint->flags |= EVM_IMMUTABLE_DIGSIG;
201 evm_status = INTEGRITY_PASS_IMMUTABLE;
202 } else if (!IS_RDONLY(inode) &&
203 !(inode->i_sb->s_readonly_remount) &&
204 !IS_IMMUTABLE(inode)) {
205 evm_update_evmxattr(dentry, xattr_name,
206 xattr_value,
207 xattr_value_len);
208 }
209 }
210 break;
211 default:
212 rc = -EINVAL;
213 break;
214 }
215
216 if (rc)
217 evm_status = (rc == -ENODATA) ?
218 INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
219out:
220 if (iint)
221 iint->evm_status = evm_status;
222 kfree(xattr_data);
223 return evm_status;
224}
225
226static int evm_protected_xattr(const char *req_xattr_name)
227{
228 int namelen;
229 int found = 0;
230 struct xattr_list *xattr;
231
232 namelen = strlen(req_xattr_name);
233 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
234 if ((strlen(xattr->name) == namelen)
235 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
236 found = 1;
237 break;
238 }
239 if (strncmp(req_xattr_name,
240 xattr->name + XATTR_SECURITY_PREFIX_LEN,
241 strlen(req_xattr_name)) == 0) {
242 found = 1;
243 break;
244 }
245 }
246
247 return found;
248}
249
250/**
251 * evm_verifyxattr - verify the integrity of the requested xattr
252 * @dentry: object of the verify xattr
253 * @xattr_name: requested xattr
254 * @xattr_value: requested xattr value
255 * @xattr_value_len: requested xattr value length
256 *
257 * Calculate the HMAC for the given dentry and verify it against the stored
258 * security.evm xattr. For performance, use the xattr value and length
259 * previously retrieved to calculate the HMAC.
260 *
261 * Returns the xattr integrity status.
262 *
263 * This function requires the caller to lock the inode's i_mutex before it
264 * is executed.
265 */
266enum integrity_status evm_verifyxattr(struct dentry *dentry,
267 const char *xattr_name,
268 void *xattr_value, size_t xattr_value_len,
269 struct integrity_iint_cache *iint)
270{
271 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
272 return INTEGRITY_UNKNOWN;
273
274 if (!iint) {
275 iint = integrity_iint_find(d_backing_inode(dentry));
276 if (!iint)
277 return INTEGRITY_UNKNOWN;
278 }
279 return evm_verify_hmac(dentry, xattr_name, xattr_value,
280 xattr_value_len, iint);
281}
282EXPORT_SYMBOL_GPL(evm_verifyxattr);
283
284/*
285 * evm_verify_current_integrity - verify the dentry's metadata integrity
286 * @dentry: pointer to the affected dentry
287 *
288 * Verify and return the dentry's metadata integrity. The exceptions are
289 * before EVM is initialized or in 'fix' mode.
290 */
291static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
292{
293 struct inode *inode = d_backing_inode(dentry);
294
295 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
296 return 0;
297 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
298}
299
300/*
301 * evm_protect_xattr - protect the EVM extended attribute
302 *
303 * Prevent security.evm from being modified or removed without the
304 * necessary permissions or when the existing value is invalid.
305 *
306 * The posix xattr acls are 'system' prefixed, which normally would not
307 * affect security.evm. An interesting side affect of writing posix xattr
308 * acls is their modifying of the i_mode, which is included in security.evm.
309 * For posix xattr acls only, permit security.evm, even if it currently
310 * doesn't exist, to be updated unless the EVM signature is immutable.
311 */
312static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
313 const void *xattr_value, size_t xattr_value_len)
314{
315 enum integrity_status evm_status;
316
317 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
318 if (!capable(CAP_SYS_ADMIN))
319 return -EPERM;
320 } else if (!evm_protected_xattr(xattr_name)) {
321 if (!posix_xattr_acl(xattr_name))
322 return 0;
323 evm_status = evm_verify_current_integrity(dentry);
324 if ((evm_status == INTEGRITY_PASS) ||
325 (evm_status == INTEGRITY_NOXATTRS))
326 return 0;
327 goto out;
328 }
329
330 evm_status = evm_verify_current_integrity(dentry);
331 if (evm_status == INTEGRITY_NOXATTRS) {
332 struct integrity_iint_cache *iint;
333
334 iint = integrity_iint_find(d_backing_inode(dentry));
335 if (iint && (iint->flags & IMA_NEW_FILE))
336 return 0;
337
338 /* exception for pseudo filesystems */
339 if (dentry->d_sb->s_magic == TMPFS_MAGIC
340 || dentry->d_sb->s_magic == SYSFS_MAGIC)
341 return 0;
342
343 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
344 dentry->d_inode, dentry->d_name.name,
345 "update_metadata",
346 integrity_status_msg[evm_status],
347 -EPERM, 0);
348 }
349out:
350 if (evm_status != INTEGRITY_PASS)
351 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
352 dentry->d_name.name, "appraise_metadata",
353 integrity_status_msg[evm_status],
354 -EPERM, 0);
355 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
356}
357
358/**
359 * evm_inode_setxattr - protect the EVM extended attribute
360 * @dentry: pointer to the affected dentry
361 * @xattr_name: pointer to the affected extended attribute name
362 * @xattr_value: pointer to the new extended attribute value
363 * @xattr_value_len: pointer to the new extended attribute value length
364 *
365 * Before allowing the 'security.evm' protected xattr to be updated,
366 * verify the existing value is valid. As only the kernel should have
367 * access to the EVM encrypted key needed to calculate the HMAC, prevent
368 * userspace from writing HMAC value. Writing 'security.evm' requires
369 * requires CAP_SYS_ADMIN privileges.
370 */
371int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
372 const void *xattr_value, size_t xattr_value_len)
373{
374 const struct evm_ima_xattr_data *xattr_data = xattr_value;
375
376 /* Policy permits modification of the protected xattrs even though
377 * there's no HMAC key loaded
378 */
379 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
380 return 0;
381
382 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
383 if (!xattr_value_len)
384 return -EINVAL;
385 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
386 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
387 return -EPERM;
388 }
389 return evm_protect_xattr(dentry, xattr_name, xattr_value,
390 xattr_value_len);
391}
392
393/**
394 * evm_inode_removexattr - protect the EVM extended attribute
395 * @dentry: pointer to the affected dentry
396 * @xattr_name: pointer to the affected extended attribute name
397 *
398 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
399 * the current value is valid.
400 */
401int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
402{
403 /* Policy permits modification of the protected xattrs even though
404 * there's no HMAC key loaded
405 */
406 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
407 return 0;
408
409 return evm_protect_xattr(dentry, xattr_name, NULL, 0);
410}
411
412static void evm_reset_status(struct inode *inode)
413{
414 struct integrity_iint_cache *iint;
415
416 iint = integrity_iint_find(inode);
417 if (iint)
418 iint->evm_status = INTEGRITY_UNKNOWN;
419}
420
421/**
422 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
423 * @dentry: pointer to the affected dentry
424 * @xattr_name: pointer to the affected extended attribute name
425 * @xattr_value: pointer to the new extended attribute value
426 * @xattr_value_len: pointer to the new extended attribute value length
427 *
428 * Update the HMAC stored in 'security.evm' to reflect the change.
429 *
430 * No need to take the i_mutex lock here, as this function is called from
431 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
432 * i_mutex lock.
433 */
434void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
435 const void *xattr_value, size_t xattr_value_len)
436{
437 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
438 && !posix_xattr_acl(xattr_name)))
439 return;
440
441 evm_reset_status(dentry->d_inode);
442
443 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
444}
445
446/**
447 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
448 * @dentry: pointer to the affected dentry
449 * @xattr_name: pointer to the affected extended attribute name
450 *
451 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
452 *
453 * No need to take the i_mutex lock here, as this function is called from
454 * vfs_removexattr() which takes the i_mutex.
455 */
456void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
457{
458 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
459 return;
460
461 evm_reset_status(dentry->d_inode);
462
463 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
464}
465
466/**
467 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
468 * @dentry: pointer to the affected dentry
469 *
470 * Permit update of file attributes when files have a valid EVM signature,
471 * except in the case of them having an immutable portable signature.
472 */
473int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
474{
475 unsigned int ia_valid = attr->ia_valid;
476 enum integrity_status evm_status;
477
478 /* Policy permits modification of the protected attrs even though
479 * there's no HMAC key loaded
480 */
481 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
482 return 0;
483
484 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
485 return 0;
486 evm_status = evm_verify_current_integrity(dentry);
487 if ((evm_status == INTEGRITY_PASS) ||
488 (evm_status == INTEGRITY_NOXATTRS))
489 return 0;
490 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
491 dentry->d_name.name, "appraise_metadata",
492 integrity_status_msg[evm_status], -EPERM, 0);
493 return -EPERM;
494}
495
496/**
497 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
498 * @dentry: pointer to the affected dentry
499 * @ia_valid: for the UID and GID status
500 *
501 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
502 * changes.
503 *
504 * This function is called from notify_change(), which expects the caller
505 * to lock the inode's i_mutex.
506 */
507void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
508{
509 if (!evm_key_loaded())
510 return;
511
512 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
513 evm_update_evmxattr(dentry, NULL, NULL, 0);
514}
515
516/*
517 * evm_inode_init_security - initializes security.evm
518 */
519int evm_inode_init_security(struct inode *inode,
520 const struct xattr *lsm_xattr,
521 struct xattr *evm_xattr)
522{
523 struct evm_xattr *xattr_data;
524 int rc;
525
526 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
527 return 0;
528
529 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
530 if (!xattr_data)
531 return -ENOMEM;
532
533 xattr_data->data.type = EVM_XATTR_HMAC;
534 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
535 if (rc < 0)
536 goto out;
537
538 evm_xattr->value = xattr_data;
539 evm_xattr->value_len = sizeof(*xattr_data);
540 evm_xattr->name = XATTR_EVM_SUFFIX;
541 return 0;
542out:
543 kfree(xattr_data);
544 return rc;
545}
546EXPORT_SYMBOL_GPL(evm_inode_init_security);
547
548#ifdef CONFIG_EVM_LOAD_X509
549void __init evm_load_x509(void)
550{
551 int rc;
552
553 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
554 if (!rc)
555 evm_initialized |= EVM_INIT_X509;
556}
557#endif
558
559static int __init init_evm(void)
560{
561 int error;
562 struct list_head *pos, *q;
563
564 evm_init_config();
565
566 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
567 if (error)
568 goto error;
569
570 error = evm_init_secfs();
571 if (error < 0) {
572 pr_info("Error registering secfs\n");
573 goto error;
574 }
575
576error:
577 if (error != 0) {
578 if (!list_empty(&evm_config_xattrnames)) {
579 list_for_each_safe(pos, q, &evm_config_xattrnames)
580 list_del(pos);
581 }
582 }
583
584 return error;
585}
586
587late_initcall(init_evm);
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright (C) 2005-2010 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
7 * Kylene Hall <kjhall@us.ibm.com>
8 *
9 * File: evm_main.c
10 * implements evm_inode_setxattr, evm_inode_post_setxattr,
11 * evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl.
12 */
13
14#define pr_fmt(fmt) "EVM: "fmt
15
16#include <linux/init.h>
17#include <linux/audit.h>
18#include <linux/xattr.h>
19#include <linux/integrity.h>
20#include <linux/evm.h>
21#include <linux/magic.h>
22#include <linux/posix_acl_xattr.h>
23#include <linux/lsm_hooks.h>
24
25#include <crypto/hash.h>
26#include <crypto/hash_info.h>
27#include <crypto/utils.h>
28#include "evm.h"
29
30int evm_initialized;
31
32static const char * const integrity_status_msg[] = {
33 "pass", "pass_immutable", "fail", "fail_immutable", "no_label",
34 "no_xattrs", "unknown"
35};
36int evm_hmac_attrs;
37
38static struct xattr_list evm_config_default_xattrnames[] = {
39 {
40 .name = XATTR_NAME_SELINUX,
41 .enabled = IS_ENABLED(CONFIG_SECURITY_SELINUX)
42 },
43 {
44 .name = XATTR_NAME_SMACK,
45 .enabled = IS_ENABLED(CONFIG_SECURITY_SMACK)
46 },
47 {
48 .name = XATTR_NAME_SMACKEXEC,
49 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
50 },
51 {
52 .name = XATTR_NAME_SMACKTRANSMUTE,
53 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
54 },
55 {
56 .name = XATTR_NAME_SMACKMMAP,
57 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
58 },
59 {
60 .name = XATTR_NAME_APPARMOR,
61 .enabled = IS_ENABLED(CONFIG_SECURITY_APPARMOR)
62 },
63 {
64 .name = XATTR_NAME_IMA,
65 .enabled = IS_ENABLED(CONFIG_IMA_APPRAISE)
66 },
67 {
68 .name = XATTR_NAME_CAPS,
69 .enabled = true
70 },
71};
72
73LIST_HEAD(evm_config_xattrnames);
74
75static int evm_fixmode __ro_after_init;
76static int __init evm_set_fixmode(char *str)
77{
78 if (strncmp(str, "fix", 3) == 0)
79 evm_fixmode = 1;
80 else
81 pr_err("invalid \"%s\" mode", str);
82
83 return 1;
84}
85__setup("evm=", evm_set_fixmode);
86
87static void __init evm_init_config(void)
88{
89 int i, xattrs;
90
91 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
92
93 pr_info("Initialising EVM extended attributes:\n");
94 for (i = 0; i < xattrs; i++) {
95 pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
96 !evm_config_default_xattrnames[i].enabled ?
97 " (disabled)" : "");
98 list_add_tail(&evm_config_default_xattrnames[i].list,
99 &evm_config_xattrnames);
100 }
101
102#ifdef CONFIG_EVM_ATTR_FSUUID
103 evm_hmac_attrs |= EVM_ATTR_FSUUID;
104#endif
105 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
106}
107
108static bool evm_key_loaded(void)
109{
110 return (bool)(evm_initialized & EVM_KEY_MASK);
111}
112
113/*
114 * This function determines whether or not it is safe to ignore verification
115 * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
116 * is not loaded, and it cannot be loaded in the future due to the
117 * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
118 * attrs/xattrs being found invalid will not make them valid.
119 */
120static bool evm_hmac_disabled(void)
121{
122 if (evm_initialized & EVM_INIT_HMAC)
123 return false;
124
125 if (!(evm_initialized & EVM_SETUP_COMPLETE))
126 return false;
127
128 return true;
129}
130
131static int evm_find_protected_xattrs(struct dentry *dentry)
132{
133 struct inode *inode = d_backing_inode(dentry);
134 struct xattr_list *xattr;
135 int error;
136 int count = 0;
137
138 if (!(inode->i_opflags & IOP_XATTR))
139 return -EOPNOTSUPP;
140
141 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
142 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
143 if (error < 0) {
144 if (error == -ENODATA)
145 continue;
146 return error;
147 }
148 count++;
149 }
150
151 return count;
152}
153
154static int is_unsupported_hmac_fs(struct dentry *dentry)
155{
156 struct inode *inode = d_backing_inode(dentry);
157
158 if (inode->i_sb->s_iflags & SB_I_EVM_HMAC_UNSUPPORTED) {
159 pr_info_once("%s not supported\n", inode->i_sb->s_type->name);
160 return 1;
161 }
162 return 0;
163}
164
165/*
166 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
167 *
168 * Compute the HMAC on the dentry's protected set of extended attributes
169 * and compare it against the stored security.evm xattr.
170 *
171 * For performance:
172 * - use the previoulsy retrieved xattr value and length to calculate the
173 * HMAC.)
174 * - cache the verification result in the iint, when available.
175 *
176 * Returns integrity status
177 */
178static enum integrity_status evm_verify_hmac(struct dentry *dentry,
179 const char *xattr_name,
180 char *xattr_value,
181 size_t xattr_value_len)
182{
183 struct evm_ima_xattr_data *xattr_data = NULL;
184 struct signature_v2_hdr *hdr;
185 enum integrity_status evm_status = INTEGRITY_PASS;
186 struct evm_digest digest;
187 struct inode *inode = d_backing_inode(dentry);
188 struct evm_iint_cache *iint = evm_iint_inode(inode);
189 int rc, xattr_len, evm_immutable = 0;
190
191 if (iint && (iint->evm_status == INTEGRITY_PASS ||
192 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
193 return iint->evm_status;
194
195 /*
196 * On unsupported filesystems without EVM_INIT_X509 enabled, skip
197 * signature verification.
198 */
199 if (!(evm_initialized & EVM_INIT_X509) &&
200 is_unsupported_hmac_fs(dentry))
201 return INTEGRITY_UNKNOWN;
202
203 /* if status is not PASS, try to check again - against -ENOMEM */
204
205 /* first need to know the sig type */
206 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_EVM,
207 (char **)&xattr_data, 0, GFP_NOFS);
208 if (rc <= 0) {
209 evm_status = INTEGRITY_FAIL;
210 if (rc == -ENODATA) {
211 rc = evm_find_protected_xattrs(dentry);
212 if (rc > 0)
213 evm_status = INTEGRITY_NOLABEL;
214 else if (rc == 0)
215 evm_status = INTEGRITY_NOXATTRS; /* new file */
216 } else if (rc == -EOPNOTSUPP) {
217 evm_status = INTEGRITY_UNKNOWN;
218 }
219 goto out;
220 }
221
222 xattr_len = rc;
223
224 /* check value type */
225 switch (xattr_data->type) {
226 case EVM_XATTR_HMAC:
227 if (xattr_len != sizeof(struct evm_xattr)) {
228 evm_status = INTEGRITY_FAIL;
229 goto out;
230 }
231
232 digest.hdr.algo = HASH_ALGO_SHA1;
233 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
234 xattr_value_len, &digest, iint);
235 if (rc)
236 break;
237 rc = crypto_memneq(xattr_data->data, digest.digest,
238 SHA1_DIGEST_SIZE);
239 if (rc)
240 rc = -EINVAL;
241 break;
242 case EVM_XATTR_PORTABLE_DIGSIG:
243 evm_immutable = 1;
244 fallthrough;
245 case EVM_IMA_XATTR_DIGSIG:
246 /* accept xattr with non-empty signature field */
247 if (xattr_len <= sizeof(struct signature_v2_hdr)) {
248 evm_status = INTEGRITY_FAIL;
249 goto out;
250 }
251
252 hdr = (struct signature_v2_hdr *)xattr_data;
253 digest.hdr.algo = hdr->hash_algo;
254 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
255 xattr_value_len, xattr_data->type, &digest,
256 iint);
257 if (rc)
258 break;
259 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
260 (const char *)xattr_data, xattr_len,
261 digest.digest, digest.hdr.length);
262 if (!rc) {
263 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
264 if (iint)
265 iint->flags |= EVM_IMMUTABLE_DIGSIG;
266 evm_status = INTEGRITY_PASS_IMMUTABLE;
267 } else if (!IS_RDONLY(inode) &&
268 !(inode->i_sb->s_readonly_remount) &&
269 !IS_IMMUTABLE(inode) &&
270 !is_unsupported_hmac_fs(dentry)) {
271 evm_update_evmxattr(dentry, xattr_name,
272 xattr_value,
273 xattr_value_len);
274 }
275 }
276 break;
277 default:
278 rc = -EINVAL;
279 break;
280 }
281
282 if (rc) {
283 if (rc == -ENODATA)
284 evm_status = INTEGRITY_NOXATTRS;
285 else if (evm_immutable)
286 evm_status = INTEGRITY_FAIL_IMMUTABLE;
287 else
288 evm_status = INTEGRITY_FAIL;
289 }
290 pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
291 digest.digest);
292out:
293 if (iint)
294 iint->evm_status = evm_status;
295 kfree(xattr_data);
296 return evm_status;
297}
298
299static int evm_protected_xattr_common(const char *req_xattr_name,
300 bool all_xattrs)
301{
302 int namelen;
303 int found = 0;
304 struct xattr_list *xattr;
305
306 namelen = strlen(req_xattr_name);
307 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
308 if (!all_xattrs && !xattr->enabled)
309 continue;
310
311 if ((strlen(xattr->name) == namelen)
312 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
313 found = 1;
314 break;
315 }
316 if (strncmp(req_xattr_name,
317 xattr->name + XATTR_SECURITY_PREFIX_LEN,
318 strlen(req_xattr_name)) == 0) {
319 found = 1;
320 break;
321 }
322 }
323
324 return found;
325}
326
327int evm_protected_xattr(const char *req_xattr_name)
328{
329 return evm_protected_xattr_common(req_xattr_name, false);
330}
331
332int evm_protected_xattr_if_enabled(const char *req_xattr_name)
333{
334 return evm_protected_xattr_common(req_xattr_name, true);
335}
336
337/**
338 * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
339 * @dentry: dentry of the read xattrs
340 * @buffer: buffer xattr names, lengths or values are copied to
341 * @buffer_size: size of buffer
342 * @type: n: names, l: lengths, v: values
343 * @canonical_fmt: data format (true: little endian, false: native format)
344 *
345 * Read protected xattr names (separated by |), lengths (u32) or values for a
346 * given dentry and return the total size of copied data. If buffer is NULL,
347 * just return the total size.
348 *
349 * Returns the total size on success, a negative value on error.
350 */
351int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
352 int buffer_size, char type, bool canonical_fmt)
353{
354 struct xattr_list *xattr;
355 int rc, size, total_size = 0;
356
357 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
358 rc = __vfs_getxattr(dentry, d_backing_inode(dentry),
359 xattr->name, NULL, 0);
360 if (rc < 0 && rc == -ENODATA)
361 continue;
362 else if (rc < 0)
363 return rc;
364
365 switch (type) {
366 case 'n':
367 size = strlen(xattr->name) + 1;
368 if (buffer) {
369 if (total_size)
370 *(buffer + total_size - 1) = '|';
371
372 memcpy(buffer + total_size, xattr->name, size);
373 }
374 break;
375 case 'l':
376 size = sizeof(u32);
377 if (buffer) {
378 if (canonical_fmt)
379 rc = (__force int)cpu_to_le32(rc);
380
381 *(u32 *)(buffer + total_size) = rc;
382 }
383 break;
384 case 'v':
385 size = rc;
386 if (buffer) {
387 rc = __vfs_getxattr(dentry,
388 d_backing_inode(dentry), xattr->name,
389 buffer + total_size,
390 buffer_size - total_size);
391 if (rc < 0)
392 return rc;
393 }
394 break;
395 default:
396 return -EINVAL;
397 }
398
399 total_size += size;
400 }
401
402 return total_size;
403}
404
405/**
406 * evm_verifyxattr - verify the integrity of the requested xattr
407 * @dentry: object of the verify xattr
408 * @xattr_name: requested xattr
409 * @xattr_value: requested xattr value
410 * @xattr_value_len: requested xattr value length
411 *
412 * Calculate the HMAC for the given dentry and verify it against the stored
413 * security.evm xattr. For performance, use the xattr value and length
414 * previously retrieved to calculate the HMAC.
415 *
416 * Returns the xattr integrity status.
417 *
418 * This function requires the caller to lock the inode's i_mutex before it
419 * is executed.
420 */
421enum integrity_status evm_verifyxattr(struct dentry *dentry,
422 const char *xattr_name,
423 void *xattr_value, size_t xattr_value_len)
424{
425 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
426 return INTEGRITY_UNKNOWN;
427
428 return evm_verify_hmac(dentry, xattr_name, xattr_value,
429 xattr_value_len);
430}
431EXPORT_SYMBOL_GPL(evm_verifyxattr);
432
433/*
434 * evm_verify_current_integrity - verify the dentry's metadata integrity
435 * @dentry: pointer to the affected dentry
436 *
437 * Verify and return the dentry's metadata integrity. The exceptions are
438 * before EVM is initialized or in 'fix' mode.
439 */
440static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
441{
442 struct inode *inode = d_backing_inode(dentry);
443
444 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
445 return INTEGRITY_PASS;
446 return evm_verify_hmac(dentry, NULL, NULL, 0);
447}
448
449/*
450 * evm_xattr_change - check if passed xattr value differs from current value
451 * @idmap: idmap of the mount
452 * @dentry: pointer to the affected dentry
453 * @xattr_name: requested xattr
454 * @xattr_value: requested xattr value
455 * @xattr_value_len: requested xattr value length
456 *
457 * Check if passed xattr value differs from current value.
458 *
459 * Returns 1 if passed xattr value differs from current value, 0 otherwise.
460 */
461static int evm_xattr_change(struct mnt_idmap *idmap,
462 struct dentry *dentry, const char *xattr_name,
463 const void *xattr_value, size_t xattr_value_len)
464{
465 char *xattr_data = NULL;
466 int rc = 0;
467
468 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr_name, &xattr_data,
469 0, GFP_NOFS);
470 if (rc < 0) {
471 rc = 1;
472 goto out;
473 }
474
475 if (rc == xattr_value_len)
476 rc = !!memcmp(xattr_value, xattr_data, rc);
477 else
478 rc = 1;
479
480out:
481 kfree(xattr_data);
482 return rc;
483}
484
485/*
486 * evm_protect_xattr - protect the EVM extended attribute
487 *
488 * Prevent security.evm from being modified or removed without the
489 * necessary permissions or when the existing value is invalid.
490 *
491 * The posix xattr acls are 'system' prefixed, which normally would not
492 * affect security.evm. An interesting side affect of writing posix xattr
493 * acls is their modifying of the i_mode, which is included in security.evm.
494 * For posix xattr acls only, permit security.evm, even if it currently
495 * doesn't exist, to be updated unless the EVM signature is immutable.
496 */
497static int evm_protect_xattr(struct mnt_idmap *idmap,
498 struct dentry *dentry, const char *xattr_name,
499 const void *xattr_value, size_t xattr_value_len)
500{
501 enum integrity_status evm_status;
502
503 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
504 if (!capable(CAP_SYS_ADMIN))
505 return -EPERM;
506 if (is_unsupported_hmac_fs(dentry))
507 return -EPERM;
508 } else if (!evm_protected_xattr(xattr_name)) {
509 if (!posix_xattr_acl(xattr_name))
510 return 0;
511 if (is_unsupported_hmac_fs(dentry))
512 return 0;
513
514 evm_status = evm_verify_current_integrity(dentry);
515 if ((evm_status == INTEGRITY_PASS) ||
516 (evm_status == INTEGRITY_NOXATTRS))
517 return 0;
518 goto out;
519 } else if (is_unsupported_hmac_fs(dentry))
520 return 0;
521
522 evm_status = evm_verify_current_integrity(dentry);
523 if (evm_status == INTEGRITY_NOXATTRS) {
524 struct evm_iint_cache *iint;
525
526 /* Exception if the HMAC is not going to be calculated. */
527 if (evm_hmac_disabled())
528 return 0;
529
530 iint = evm_iint_inode(d_backing_inode(dentry));
531 if (iint && (iint->flags & EVM_NEW_FILE))
532 return 0;
533
534 /* exception for pseudo filesystems */
535 if (dentry->d_sb->s_magic == TMPFS_MAGIC
536 || dentry->d_sb->s_magic == SYSFS_MAGIC)
537 return 0;
538
539 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
540 dentry->d_inode, dentry->d_name.name,
541 "update_metadata",
542 integrity_status_msg[evm_status],
543 -EPERM, 0);
544 }
545out:
546 /* Exception if the HMAC is not going to be calculated. */
547 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
548 evm_status == INTEGRITY_UNKNOWN))
549 return 0;
550
551 /*
552 * Writing other xattrs is safe for portable signatures, as portable
553 * signatures are immutable and can never be updated.
554 */
555 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
556 return 0;
557
558 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
559 !evm_xattr_change(idmap, dentry, xattr_name, xattr_value,
560 xattr_value_len))
561 return 0;
562
563 if (evm_status != INTEGRITY_PASS &&
564 evm_status != INTEGRITY_PASS_IMMUTABLE)
565 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
566 dentry->d_name.name, "appraise_metadata",
567 integrity_status_msg[evm_status],
568 -EPERM, 0);
569 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
570}
571
572/**
573 * evm_inode_setxattr - protect the EVM extended attribute
574 * @idmap: idmap of the mount
575 * @dentry: pointer to the affected dentry
576 * @xattr_name: pointer to the affected extended attribute name
577 * @xattr_value: pointer to the new extended attribute value
578 * @xattr_value_len: pointer to the new extended attribute value length
579 * @flags: flags to pass into filesystem operations
580 *
581 * Before allowing the 'security.evm' protected xattr to be updated,
582 * verify the existing value is valid. As only the kernel should have
583 * access to the EVM encrypted key needed to calculate the HMAC, prevent
584 * userspace from writing HMAC value. Writing 'security.evm' requires
585 * requires CAP_SYS_ADMIN privileges.
586 */
587static int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
588 const char *xattr_name, const void *xattr_value,
589 size_t xattr_value_len, int flags)
590{
591 const struct evm_ima_xattr_data *xattr_data = xattr_value;
592
593 /* Policy permits modification of the protected xattrs even though
594 * there's no HMAC key loaded
595 */
596 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
597 return 0;
598
599 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
600 if (!xattr_value_len)
601 return -EINVAL;
602 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
603 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
604 return -EPERM;
605 }
606 return evm_protect_xattr(idmap, dentry, xattr_name, xattr_value,
607 xattr_value_len);
608}
609
610/**
611 * evm_inode_removexattr - protect the EVM extended attribute
612 * @idmap: idmap of the mount
613 * @dentry: pointer to the affected dentry
614 * @xattr_name: pointer to the affected extended attribute name
615 *
616 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
617 * the current value is valid.
618 */
619static int evm_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
620 const char *xattr_name)
621{
622 /* Policy permits modification of the protected xattrs even though
623 * there's no HMAC key loaded
624 */
625 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
626 return 0;
627
628 return evm_protect_xattr(idmap, dentry, xattr_name, NULL, 0);
629}
630
631#ifdef CONFIG_FS_POSIX_ACL
632static int evm_inode_set_acl_change(struct mnt_idmap *idmap,
633 struct dentry *dentry, const char *name,
634 struct posix_acl *kacl)
635{
636 int rc;
637
638 umode_t mode;
639 struct inode *inode = d_backing_inode(dentry);
640
641 if (!kacl)
642 return 1;
643
644 rc = posix_acl_update_mode(idmap, inode, &mode, &kacl);
645 if (rc || (inode->i_mode != mode))
646 return 1;
647
648 return 0;
649}
650#else
651static inline int evm_inode_set_acl_change(struct mnt_idmap *idmap,
652 struct dentry *dentry,
653 const char *name,
654 struct posix_acl *kacl)
655{
656 return 0;
657}
658#endif
659
660/**
661 * evm_inode_set_acl - protect the EVM extended attribute from posix acls
662 * @idmap: idmap of the idmapped mount
663 * @dentry: pointer to the affected dentry
664 * @acl_name: name of the posix acl
665 * @kacl: pointer to the posix acls
666 *
667 * Prevent modifying posix acls causing the EVM HMAC to be re-calculated
668 * and 'security.evm' xattr updated, unless the existing 'security.evm' is
669 * valid.
670 *
671 * Return: zero on success, -EPERM on failure.
672 */
673static int evm_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
674 const char *acl_name, struct posix_acl *kacl)
675{
676 enum integrity_status evm_status;
677
678 /* Policy permits modification of the protected xattrs even though
679 * there's no HMAC key loaded
680 */
681 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
682 return 0;
683
684 evm_status = evm_verify_current_integrity(dentry);
685 if ((evm_status == INTEGRITY_PASS) ||
686 (evm_status == INTEGRITY_NOXATTRS))
687 return 0;
688
689 /* Exception if the HMAC is not going to be calculated. */
690 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
691 evm_status == INTEGRITY_UNKNOWN))
692 return 0;
693
694 /*
695 * Writing other xattrs is safe for portable signatures, as portable
696 * signatures are immutable and can never be updated.
697 */
698 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
699 return 0;
700
701 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
702 !evm_inode_set_acl_change(idmap, dentry, acl_name, kacl))
703 return 0;
704
705 if (evm_status != INTEGRITY_PASS_IMMUTABLE)
706 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
707 dentry->d_name.name, "appraise_metadata",
708 integrity_status_msg[evm_status],
709 -EPERM, 0);
710 return -EPERM;
711}
712
713/**
714 * evm_inode_remove_acl - Protect the EVM extended attribute from posix acls
715 * @idmap: idmap of the mount
716 * @dentry: pointer to the affected dentry
717 * @acl_name: name of the posix acl
718 *
719 * Prevent removing posix acls causing the EVM HMAC to be re-calculated
720 * and 'security.evm' xattr updated, unless the existing 'security.evm' is
721 * valid.
722 *
723 * Return: zero on success, -EPERM on failure.
724 */
725static int evm_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
726 const char *acl_name)
727{
728 return evm_inode_set_acl(idmap, dentry, acl_name, NULL);
729}
730
731static void evm_reset_status(struct inode *inode)
732{
733 struct evm_iint_cache *iint;
734
735 iint = evm_iint_inode(inode);
736 if (iint)
737 iint->evm_status = INTEGRITY_UNKNOWN;
738}
739
740/**
741 * evm_metadata_changed: Detect changes to the metadata
742 * @inode: a file's inode
743 * @metadata_inode: metadata inode
744 *
745 * On a stacked filesystem detect whether the metadata has changed. If this is
746 * the case reset the evm_status associated with the inode that represents the
747 * file.
748 */
749bool evm_metadata_changed(struct inode *inode, struct inode *metadata_inode)
750{
751 struct evm_iint_cache *iint = evm_iint_inode(inode);
752 bool ret = false;
753
754 if (iint) {
755 ret = (!IS_I_VERSION(metadata_inode) ||
756 integrity_inode_attrs_changed(&iint->metadata_inode,
757 metadata_inode));
758 if (ret)
759 iint->evm_status = INTEGRITY_UNKNOWN;
760 }
761
762 return ret;
763}
764
765/**
766 * evm_revalidate_status - report whether EVM status re-validation is necessary
767 * @xattr_name: pointer to the affected extended attribute name
768 *
769 * Report whether callers of evm_verifyxattr() should re-validate the
770 * EVM status.
771 *
772 * Return true if re-validation is necessary, false otherwise.
773 */
774bool evm_revalidate_status(const char *xattr_name)
775{
776 if (!evm_key_loaded())
777 return false;
778
779 /* evm_inode_post_setattr() passes NULL */
780 if (!xattr_name)
781 return true;
782
783 if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
784 strcmp(xattr_name, XATTR_NAME_EVM))
785 return false;
786
787 return true;
788}
789
790/**
791 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
792 * @dentry: pointer to the affected dentry
793 * @xattr_name: pointer to the affected extended attribute name
794 * @xattr_value: pointer to the new extended attribute value
795 * @xattr_value_len: pointer to the new extended attribute value length
796 * @flags: flags to pass into filesystem operations
797 *
798 * Update the HMAC stored in 'security.evm' to reflect the change.
799 *
800 * No need to take the i_mutex lock here, as this function is called from
801 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
802 * i_mutex lock.
803 */
804static void evm_inode_post_setxattr(struct dentry *dentry,
805 const char *xattr_name,
806 const void *xattr_value,
807 size_t xattr_value_len,
808 int flags)
809{
810 if (!evm_revalidate_status(xattr_name))
811 return;
812
813 evm_reset_status(dentry->d_inode);
814
815 if (!strcmp(xattr_name, XATTR_NAME_EVM))
816 return;
817
818 if (!(evm_initialized & EVM_INIT_HMAC))
819 return;
820
821 if (is_unsupported_hmac_fs(dentry))
822 return;
823
824 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
825}
826
827/**
828 * evm_inode_post_set_acl - Update the EVM extended attribute from posix acls
829 * @dentry: pointer to the affected dentry
830 * @acl_name: name of the posix acl
831 * @kacl: pointer to the posix acls
832 *
833 * Update the 'security.evm' xattr with the EVM HMAC re-calculated after setting
834 * posix acls.
835 */
836static void evm_inode_post_set_acl(struct dentry *dentry, const char *acl_name,
837 struct posix_acl *kacl)
838{
839 return evm_inode_post_setxattr(dentry, acl_name, NULL, 0, 0);
840}
841
842/**
843 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
844 * @dentry: pointer to the affected dentry
845 * @xattr_name: pointer to the affected extended attribute name
846 *
847 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
848 *
849 * No need to take the i_mutex lock here, as this function is called from
850 * vfs_removexattr() which takes the i_mutex.
851 */
852static void evm_inode_post_removexattr(struct dentry *dentry,
853 const char *xattr_name)
854{
855 if (!evm_revalidate_status(xattr_name))
856 return;
857
858 evm_reset_status(dentry->d_inode);
859
860 if (!strcmp(xattr_name, XATTR_NAME_EVM))
861 return;
862
863 if (!(evm_initialized & EVM_INIT_HMAC))
864 return;
865
866 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
867}
868
869/**
870 * evm_inode_post_remove_acl - Update the EVM extended attribute from posix acls
871 * @idmap: idmap of the mount
872 * @dentry: pointer to the affected dentry
873 * @acl_name: name of the posix acl
874 *
875 * Update the 'security.evm' xattr with the EVM HMAC re-calculated after
876 * removing posix acls.
877 */
878static inline void evm_inode_post_remove_acl(struct mnt_idmap *idmap,
879 struct dentry *dentry,
880 const char *acl_name)
881{
882 evm_inode_post_removexattr(dentry, acl_name);
883}
884
885static int evm_attr_change(struct mnt_idmap *idmap,
886 struct dentry *dentry, struct iattr *attr)
887{
888 struct inode *inode = d_backing_inode(dentry);
889 unsigned int ia_valid = attr->ia_valid;
890
891 if (!i_uid_needs_update(idmap, attr, inode) &&
892 !i_gid_needs_update(idmap, attr, inode) &&
893 (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
894 return 0;
895
896 return 1;
897}
898
899/**
900 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
901 * @idmap: idmap of the mount
902 * @dentry: pointer to the affected dentry
903 * @attr: iattr structure containing the new file attributes
904 *
905 * Permit update of file attributes when files have a valid EVM signature,
906 * except in the case of them having an immutable portable signature.
907 */
908static int evm_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
909 struct iattr *attr)
910{
911 unsigned int ia_valid = attr->ia_valid;
912 enum integrity_status evm_status;
913
914 /* Policy permits modification of the protected attrs even though
915 * there's no HMAC key loaded
916 */
917 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
918 return 0;
919
920 if (is_unsupported_hmac_fs(dentry))
921 return 0;
922
923 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
924 return 0;
925
926 evm_status = evm_verify_current_integrity(dentry);
927 /*
928 * Writing attrs is safe for portable signatures, as portable signatures
929 * are immutable and can never be updated.
930 */
931 if ((evm_status == INTEGRITY_PASS) ||
932 (evm_status == INTEGRITY_NOXATTRS) ||
933 (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
934 (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
935 evm_status == INTEGRITY_UNKNOWN)))
936 return 0;
937
938 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
939 !evm_attr_change(idmap, dentry, attr))
940 return 0;
941
942 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
943 dentry->d_name.name, "appraise_metadata",
944 integrity_status_msg[evm_status], -EPERM, 0);
945 return -EPERM;
946}
947
948/**
949 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
950 * @idmap: idmap of the idmapped mount
951 * @dentry: pointer to the affected dentry
952 * @ia_valid: for the UID and GID status
953 *
954 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
955 * changes.
956 *
957 * This function is called from notify_change(), which expects the caller
958 * to lock the inode's i_mutex.
959 */
960static void evm_inode_post_setattr(struct mnt_idmap *idmap,
961 struct dentry *dentry, int ia_valid)
962{
963 if (!evm_revalidate_status(NULL))
964 return;
965
966 evm_reset_status(dentry->d_inode);
967
968 if (!(evm_initialized & EVM_INIT_HMAC))
969 return;
970
971 if (is_unsupported_hmac_fs(dentry))
972 return;
973
974 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
975 evm_update_evmxattr(dentry, NULL, NULL, 0);
976}
977
978static int evm_inode_copy_up_xattr(struct dentry *src, const char *name)
979{
980 struct evm_ima_xattr_data *xattr_data = NULL;
981 int rc;
982
983 if (strcmp(name, XATTR_NAME_EVM) != 0)
984 return -EOPNOTSUPP;
985
986 /* first need to know the sig type */
987 rc = vfs_getxattr_alloc(&nop_mnt_idmap, src, XATTR_NAME_EVM,
988 (char **)&xattr_data, 0, GFP_NOFS);
989 if (rc <= 0)
990 return -EPERM;
991
992 if (rc < offsetof(struct evm_ima_xattr_data, type) +
993 sizeof(xattr_data->type))
994 return -EPERM;
995
996 switch (xattr_data->type) {
997 case EVM_XATTR_PORTABLE_DIGSIG:
998 rc = 0; /* allow copy-up */
999 break;
1000 case EVM_XATTR_HMAC:
1001 case EVM_IMA_XATTR_DIGSIG:
1002 default:
1003 rc = -ECANCELED; /* discard */
1004 }
1005
1006 kfree(xattr_data);
1007 return rc;
1008}
1009
1010/*
1011 * evm_inode_init_security - initializes security.evm HMAC value
1012 */
1013int evm_inode_init_security(struct inode *inode, struct inode *dir,
1014 const struct qstr *qstr, struct xattr *xattrs,
1015 int *xattr_count)
1016{
1017 struct evm_xattr *xattr_data;
1018 struct xattr *xattr, *evm_xattr;
1019 bool evm_protected_xattrs = false;
1020 int rc;
1021
1022 if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs)
1023 return 0;
1024
1025 /*
1026 * security_inode_init_security() makes sure that the xattrs array is
1027 * contiguous, there is enough space for security.evm, and that there is
1028 * a terminator at the end of the array.
1029 */
1030 for (xattr = xattrs; xattr->name; xattr++) {
1031 if (evm_protected_xattr(xattr->name))
1032 evm_protected_xattrs = true;
1033 }
1034
1035 /* EVM xattr not needed. */
1036 if (!evm_protected_xattrs)
1037 return 0;
1038
1039 evm_xattr = lsm_get_xattr_slot(xattrs, xattr_count);
1040 /*
1041 * Array terminator (xattr name = NULL) must be the first non-filled
1042 * xattr slot.
1043 */
1044 WARN_ONCE(evm_xattr != xattr,
1045 "%s: xattrs terminator is not the first non-filled slot\n",
1046 __func__);
1047
1048 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
1049 if (!xattr_data)
1050 return -ENOMEM;
1051
1052 xattr_data->data.type = EVM_XATTR_HMAC;
1053 rc = evm_init_hmac(inode, xattrs, xattr_data->digest);
1054 if (rc < 0)
1055 goto out;
1056
1057 evm_xattr->value = xattr_data;
1058 evm_xattr->value_len = sizeof(*xattr_data);
1059 evm_xattr->name = XATTR_EVM_SUFFIX;
1060 return 0;
1061out:
1062 kfree(xattr_data);
1063 return rc;
1064}
1065EXPORT_SYMBOL_GPL(evm_inode_init_security);
1066
1067static int evm_inode_alloc_security(struct inode *inode)
1068{
1069 struct evm_iint_cache *iint = evm_iint_inode(inode);
1070
1071 /* Called by security_inode_alloc(), it cannot be NULL. */
1072 iint->flags = 0UL;
1073 iint->evm_status = INTEGRITY_UNKNOWN;
1074
1075 return 0;
1076}
1077
1078static void evm_file_release(struct file *file)
1079{
1080 struct inode *inode = file_inode(file);
1081 struct evm_iint_cache *iint = evm_iint_inode(inode);
1082 fmode_t mode = file->f_mode;
1083
1084 if (!S_ISREG(inode->i_mode) || !(mode & FMODE_WRITE))
1085 return;
1086
1087 if (iint && iint->flags & EVM_NEW_FILE &&
1088 atomic_read(&inode->i_writecount) == 1)
1089 iint->flags &= ~EVM_NEW_FILE;
1090}
1091
1092static void evm_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry)
1093{
1094 struct inode *inode = d_backing_inode(dentry);
1095 struct evm_iint_cache *iint = evm_iint_inode(inode);
1096
1097 if (!S_ISREG(inode->i_mode))
1098 return;
1099
1100 if (iint)
1101 iint->flags |= EVM_NEW_FILE;
1102}
1103
1104#ifdef CONFIG_EVM_LOAD_X509
1105void __init evm_load_x509(void)
1106{
1107 int rc;
1108
1109 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
1110 if (!rc)
1111 evm_initialized |= EVM_INIT_X509;
1112}
1113#endif
1114
1115static int __init init_evm(void)
1116{
1117 int error;
1118 struct list_head *pos, *q;
1119
1120 evm_init_config();
1121
1122 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
1123 if (error)
1124 goto error;
1125
1126 error = evm_init_secfs();
1127 if (error < 0) {
1128 pr_info("Error registering secfs\n");
1129 goto error;
1130 }
1131
1132error:
1133 if (error != 0) {
1134 if (!list_empty(&evm_config_xattrnames)) {
1135 list_for_each_safe(pos, q, &evm_config_xattrnames)
1136 list_del(pos);
1137 }
1138 }
1139
1140 return error;
1141}
1142
1143static struct security_hook_list evm_hooks[] __ro_after_init = {
1144 LSM_HOOK_INIT(inode_setattr, evm_inode_setattr),
1145 LSM_HOOK_INIT(inode_post_setattr, evm_inode_post_setattr),
1146 LSM_HOOK_INIT(inode_copy_up_xattr, evm_inode_copy_up_xattr),
1147 LSM_HOOK_INIT(inode_setxattr, evm_inode_setxattr),
1148 LSM_HOOK_INIT(inode_post_setxattr, evm_inode_post_setxattr),
1149 LSM_HOOK_INIT(inode_set_acl, evm_inode_set_acl),
1150 LSM_HOOK_INIT(inode_post_set_acl, evm_inode_post_set_acl),
1151 LSM_HOOK_INIT(inode_remove_acl, evm_inode_remove_acl),
1152 LSM_HOOK_INIT(inode_post_remove_acl, evm_inode_post_remove_acl),
1153 LSM_HOOK_INIT(inode_removexattr, evm_inode_removexattr),
1154 LSM_HOOK_INIT(inode_post_removexattr, evm_inode_post_removexattr),
1155 LSM_HOOK_INIT(inode_init_security, evm_inode_init_security),
1156 LSM_HOOK_INIT(inode_alloc_security, evm_inode_alloc_security),
1157 LSM_HOOK_INIT(file_release, evm_file_release),
1158 LSM_HOOK_INIT(path_post_mknod, evm_post_path_mknod),
1159};
1160
1161static const struct lsm_id evm_lsmid = {
1162 .name = "evm",
1163 .id = LSM_ID_EVM,
1164};
1165
1166static int __init init_evm_lsm(void)
1167{
1168 security_add_hooks(evm_hooks, ARRAY_SIZE(evm_hooks), &evm_lsmid);
1169 return 0;
1170}
1171
1172struct lsm_blob_sizes evm_blob_sizes __ro_after_init = {
1173 .lbs_inode = sizeof(struct evm_iint_cache),
1174 .lbs_xattr_count = 1,
1175};
1176
1177DEFINE_LSM(evm) = {
1178 .name = "evm",
1179 .init = init_evm_lsm,
1180 .order = LSM_ORDER_LAST,
1181 .blobs = &evm_blob_sizes,
1182};
1183
1184late_initcall(init_evm);