Loading...
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright (C) 2005-2010 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
7 * Kylene Hall <kjhall@us.ibm.com>
8 *
9 * File: evm_main.c
10 * implements evm_inode_setxattr, evm_inode_post_setxattr,
11 * evm_inode_removexattr, and evm_verifyxattr
12 */
13
14#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15
16#include <linux/init.h>
17#include <linux/crypto.h>
18#include <linux/audit.h>
19#include <linux/xattr.h>
20#include <linux/integrity.h>
21#include <linux/evm.h>
22#include <linux/magic.h>
23
24#include <crypto/hash.h>
25#include <crypto/hash_info.h>
26#include <crypto/algapi.h>
27#include "evm.h"
28
29int evm_initialized;
30
31static const char * const integrity_status_msg[] = {
32 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
33};
34int evm_hmac_attrs;
35
36static struct xattr_list evm_config_default_xattrnames[] = {
37#ifdef CONFIG_SECURITY_SELINUX
38 {.name = XATTR_NAME_SELINUX},
39#endif
40#ifdef CONFIG_SECURITY_SMACK
41 {.name = XATTR_NAME_SMACK},
42#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
43 {.name = XATTR_NAME_SMACKEXEC},
44 {.name = XATTR_NAME_SMACKTRANSMUTE},
45 {.name = XATTR_NAME_SMACKMMAP},
46#endif
47#endif
48#ifdef CONFIG_SECURITY_APPARMOR
49 {.name = XATTR_NAME_APPARMOR},
50#endif
51#ifdef CONFIG_IMA_APPRAISE
52 {.name = XATTR_NAME_IMA},
53#endif
54 {.name = XATTR_NAME_CAPS},
55};
56
57LIST_HEAD(evm_config_xattrnames);
58
59static int evm_fixmode;
60static int __init evm_set_fixmode(char *str)
61{
62 if (strncmp(str, "fix", 3) == 0)
63 evm_fixmode = 1;
64 return 0;
65}
66__setup("evm=", evm_set_fixmode);
67
68static void __init evm_init_config(void)
69{
70 int i, xattrs;
71
72 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
73
74 pr_info("Initialising EVM extended attributes:\n");
75 for (i = 0; i < xattrs; i++) {
76 pr_info("%s\n", evm_config_default_xattrnames[i].name);
77 list_add_tail(&evm_config_default_xattrnames[i].list,
78 &evm_config_xattrnames);
79 }
80
81#ifdef CONFIG_EVM_ATTR_FSUUID
82 evm_hmac_attrs |= EVM_ATTR_FSUUID;
83#endif
84 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
85}
86
87static bool evm_key_loaded(void)
88{
89 return (bool)(evm_initialized & EVM_KEY_MASK);
90}
91
92static int evm_find_protected_xattrs(struct dentry *dentry)
93{
94 struct inode *inode = d_backing_inode(dentry);
95 struct xattr_list *xattr;
96 int error;
97 int count = 0;
98
99 if (!(inode->i_opflags & IOP_XATTR))
100 return -EOPNOTSUPP;
101
102 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
103 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
104 if (error < 0) {
105 if (error == -ENODATA)
106 continue;
107 return error;
108 }
109 count++;
110 }
111
112 return count;
113}
114
115/*
116 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
117 *
118 * Compute the HMAC on the dentry's protected set of extended attributes
119 * and compare it against the stored security.evm xattr.
120 *
121 * For performance:
122 * - use the previoulsy retrieved xattr value and length to calculate the
123 * HMAC.)
124 * - cache the verification result in the iint, when available.
125 *
126 * Returns integrity status
127 */
128static enum integrity_status evm_verify_hmac(struct dentry *dentry,
129 const char *xattr_name,
130 char *xattr_value,
131 size_t xattr_value_len,
132 struct integrity_iint_cache *iint)
133{
134 struct evm_ima_xattr_data *xattr_data = NULL;
135 struct signature_v2_hdr *hdr;
136 enum integrity_status evm_status = INTEGRITY_PASS;
137 struct evm_digest digest;
138 struct inode *inode;
139 int rc, xattr_len;
140
141 if (iint && (iint->evm_status == INTEGRITY_PASS ||
142 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
143 return iint->evm_status;
144
145 /* if status is not PASS, try to check again - against -ENOMEM */
146
147 /* first need to know the sig type */
148 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
149 GFP_NOFS);
150 if (rc <= 0) {
151 evm_status = INTEGRITY_FAIL;
152 if (rc == -ENODATA) {
153 rc = evm_find_protected_xattrs(dentry);
154 if (rc > 0)
155 evm_status = INTEGRITY_NOLABEL;
156 else if (rc == 0)
157 evm_status = INTEGRITY_NOXATTRS; /* new file */
158 } else if (rc == -EOPNOTSUPP) {
159 evm_status = INTEGRITY_UNKNOWN;
160 }
161 goto out;
162 }
163
164 xattr_len = rc;
165
166 /* check value type */
167 switch (xattr_data->type) {
168 case EVM_XATTR_HMAC:
169 if (xattr_len != sizeof(struct evm_xattr)) {
170 evm_status = INTEGRITY_FAIL;
171 goto out;
172 }
173
174 digest.hdr.algo = HASH_ALGO_SHA1;
175 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
176 xattr_value_len, &digest);
177 if (rc)
178 break;
179 rc = crypto_memneq(xattr_data->data, digest.digest,
180 SHA1_DIGEST_SIZE);
181 if (rc)
182 rc = -EINVAL;
183 break;
184 case EVM_IMA_XATTR_DIGSIG:
185 case EVM_XATTR_PORTABLE_DIGSIG:
186 hdr = (struct signature_v2_hdr *)xattr_data;
187 digest.hdr.algo = hdr->hash_algo;
188 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
189 xattr_value_len, xattr_data->type, &digest);
190 if (rc)
191 break;
192 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
193 (const char *)xattr_data, xattr_len,
194 digest.digest, digest.hdr.length);
195 if (!rc) {
196 inode = d_backing_inode(dentry);
197
198 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
199 if (iint)
200 iint->flags |= EVM_IMMUTABLE_DIGSIG;
201 evm_status = INTEGRITY_PASS_IMMUTABLE;
202 } else if (!IS_RDONLY(inode) &&
203 !(inode->i_sb->s_readonly_remount) &&
204 !IS_IMMUTABLE(inode)) {
205 evm_update_evmxattr(dentry, xattr_name,
206 xattr_value,
207 xattr_value_len);
208 }
209 }
210 break;
211 default:
212 rc = -EINVAL;
213 break;
214 }
215
216 if (rc)
217 evm_status = (rc == -ENODATA) ?
218 INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
219out:
220 if (iint)
221 iint->evm_status = evm_status;
222 kfree(xattr_data);
223 return evm_status;
224}
225
226static int evm_protected_xattr(const char *req_xattr_name)
227{
228 int namelen;
229 int found = 0;
230 struct xattr_list *xattr;
231
232 namelen = strlen(req_xattr_name);
233 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
234 if ((strlen(xattr->name) == namelen)
235 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
236 found = 1;
237 break;
238 }
239 if (strncmp(req_xattr_name,
240 xattr->name + XATTR_SECURITY_PREFIX_LEN,
241 strlen(req_xattr_name)) == 0) {
242 found = 1;
243 break;
244 }
245 }
246
247 return found;
248}
249
250/**
251 * evm_verifyxattr - verify the integrity of the requested xattr
252 * @dentry: object of the verify xattr
253 * @xattr_name: requested xattr
254 * @xattr_value: requested xattr value
255 * @xattr_value_len: requested xattr value length
256 *
257 * Calculate the HMAC for the given dentry and verify it against the stored
258 * security.evm xattr. For performance, use the xattr value and length
259 * previously retrieved to calculate the HMAC.
260 *
261 * Returns the xattr integrity status.
262 *
263 * This function requires the caller to lock the inode's i_mutex before it
264 * is executed.
265 */
266enum integrity_status evm_verifyxattr(struct dentry *dentry,
267 const char *xattr_name,
268 void *xattr_value, size_t xattr_value_len,
269 struct integrity_iint_cache *iint)
270{
271 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
272 return INTEGRITY_UNKNOWN;
273
274 if (!iint) {
275 iint = integrity_iint_find(d_backing_inode(dentry));
276 if (!iint)
277 return INTEGRITY_UNKNOWN;
278 }
279 return evm_verify_hmac(dentry, xattr_name, xattr_value,
280 xattr_value_len, iint);
281}
282EXPORT_SYMBOL_GPL(evm_verifyxattr);
283
284/*
285 * evm_verify_current_integrity - verify the dentry's metadata integrity
286 * @dentry: pointer to the affected dentry
287 *
288 * Verify and return the dentry's metadata integrity. The exceptions are
289 * before EVM is initialized or in 'fix' mode.
290 */
291static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
292{
293 struct inode *inode = d_backing_inode(dentry);
294
295 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
296 return 0;
297 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
298}
299
300/*
301 * evm_protect_xattr - protect the EVM extended attribute
302 *
303 * Prevent security.evm from being modified or removed without the
304 * necessary permissions or when the existing value is invalid.
305 *
306 * The posix xattr acls are 'system' prefixed, which normally would not
307 * affect security.evm. An interesting side affect of writing posix xattr
308 * acls is their modifying of the i_mode, which is included in security.evm.
309 * For posix xattr acls only, permit security.evm, even if it currently
310 * doesn't exist, to be updated unless the EVM signature is immutable.
311 */
312static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
313 const void *xattr_value, size_t xattr_value_len)
314{
315 enum integrity_status evm_status;
316
317 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
318 if (!capable(CAP_SYS_ADMIN))
319 return -EPERM;
320 } else if (!evm_protected_xattr(xattr_name)) {
321 if (!posix_xattr_acl(xattr_name))
322 return 0;
323 evm_status = evm_verify_current_integrity(dentry);
324 if ((evm_status == INTEGRITY_PASS) ||
325 (evm_status == INTEGRITY_NOXATTRS))
326 return 0;
327 goto out;
328 }
329
330 evm_status = evm_verify_current_integrity(dentry);
331 if (evm_status == INTEGRITY_NOXATTRS) {
332 struct integrity_iint_cache *iint;
333
334 iint = integrity_iint_find(d_backing_inode(dentry));
335 if (iint && (iint->flags & IMA_NEW_FILE))
336 return 0;
337
338 /* exception for pseudo filesystems */
339 if (dentry->d_sb->s_magic == TMPFS_MAGIC
340 || dentry->d_sb->s_magic == SYSFS_MAGIC)
341 return 0;
342
343 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
344 dentry->d_inode, dentry->d_name.name,
345 "update_metadata",
346 integrity_status_msg[evm_status],
347 -EPERM, 0);
348 }
349out:
350 if (evm_status != INTEGRITY_PASS)
351 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
352 dentry->d_name.name, "appraise_metadata",
353 integrity_status_msg[evm_status],
354 -EPERM, 0);
355 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
356}
357
358/**
359 * evm_inode_setxattr - protect the EVM extended attribute
360 * @dentry: pointer to the affected dentry
361 * @xattr_name: pointer to the affected extended attribute name
362 * @xattr_value: pointer to the new extended attribute value
363 * @xattr_value_len: pointer to the new extended attribute value length
364 *
365 * Before allowing the 'security.evm' protected xattr to be updated,
366 * verify the existing value is valid. As only the kernel should have
367 * access to the EVM encrypted key needed to calculate the HMAC, prevent
368 * userspace from writing HMAC value. Writing 'security.evm' requires
369 * requires CAP_SYS_ADMIN privileges.
370 */
371int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
372 const void *xattr_value, size_t xattr_value_len)
373{
374 const struct evm_ima_xattr_data *xattr_data = xattr_value;
375
376 /* Policy permits modification of the protected xattrs even though
377 * there's no HMAC key loaded
378 */
379 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
380 return 0;
381
382 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
383 if (!xattr_value_len)
384 return -EINVAL;
385 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
386 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
387 return -EPERM;
388 }
389 return evm_protect_xattr(dentry, xattr_name, xattr_value,
390 xattr_value_len);
391}
392
393/**
394 * evm_inode_removexattr - protect the EVM extended attribute
395 * @dentry: pointer to the affected dentry
396 * @xattr_name: pointer to the affected extended attribute name
397 *
398 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
399 * the current value is valid.
400 */
401int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
402{
403 /* Policy permits modification of the protected xattrs even though
404 * there's no HMAC key loaded
405 */
406 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
407 return 0;
408
409 return evm_protect_xattr(dentry, xattr_name, NULL, 0);
410}
411
412static void evm_reset_status(struct inode *inode)
413{
414 struct integrity_iint_cache *iint;
415
416 iint = integrity_iint_find(inode);
417 if (iint)
418 iint->evm_status = INTEGRITY_UNKNOWN;
419}
420
421/**
422 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
423 * @dentry: pointer to the affected dentry
424 * @xattr_name: pointer to the affected extended attribute name
425 * @xattr_value: pointer to the new extended attribute value
426 * @xattr_value_len: pointer to the new extended attribute value length
427 *
428 * Update the HMAC stored in 'security.evm' to reflect the change.
429 *
430 * No need to take the i_mutex lock here, as this function is called from
431 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
432 * i_mutex lock.
433 */
434void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
435 const void *xattr_value, size_t xattr_value_len)
436{
437 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
438 && !posix_xattr_acl(xattr_name)))
439 return;
440
441 evm_reset_status(dentry->d_inode);
442
443 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
444}
445
446/**
447 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
448 * @dentry: pointer to the affected dentry
449 * @xattr_name: pointer to the affected extended attribute name
450 *
451 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
452 *
453 * No need to take the i_mutex lock here, as this function is called from
454 * vfs_removexattr() which takes the i_mutex.
455 */
456void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
457{
458 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
459 return;
460
461 evm_reset_status(dentry->d_inode);
462
463 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
464}
465
466/**
467 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
468 * @dentry: pointer to the affected dentry
469 *
470 * Permit update of file attributes when files have a valid EVM signature,
471 * except in the case of them having an immutable portable signature.
472 */
473int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
474{
475 unsigned int ia_valid = attr->ia_valid;
476 enum integrity_status evm_status;
477
478 /* Policy permits modification of the protected attrs even though
479 * there's no HMAC key loaded
480 */
481 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
482 return 0;
483
484 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
485 return 0;
486 evm_status = evm_verify_current_integrity(dentry);
487 if ((evm_status == INTEGRITY_PASS) ||
488 (evm_status == INTEGRITY_NOXATTRS))
489 return 0;
490 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
491 dentry->d_name.name, "appraise_metadata",
492 integrity_status_msg[evm_status], -EPERM, 0);
493 return -EPERM;
494}
495
496/**
497 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
498 * @dentry: pointer to the affected dentry
499 * @ia_valid: for the UID and GID status
500 *
501 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
502 * changes.
503 *
504 * This function is called from notify_change(), which expects the caller
505 * to lock the inode's i_mutex.
506 */
507void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
508{
509 if (!evm_key_loaded())
510 return;
511
512 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
513 evm_update_evmxattr(dentry, NULL, NULL, 0);
514}
515
516/*
517 * evm_inode_init_security - initializes security.evm
518 */
519int evm_inode_init_security(struct inode *inode,
520 const struct xattr *lsm_xattr,
521 struct xattr *evm_xattr)
522{
523 struct evm_xattr *xattr_data;
524 int rc;
525
526 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
527 return 0;
528
529 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
530 if (!xattr_data)
531 return -ENOMEM;
532
533 xattr_data->data.type = EVM_XATTR_HMAC;
534 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
535 if (rc < 0)
536 goto out;
537
538 evm_xattr->value = xattr_data;
539 evm_xattr->value_len = sizeof(*xattr_data);
540 evm_xattr->name = XATTR_EVM_SUFFIX;
541 return 0;
542out:
543 kfree(xattr_data);
544 return rc;
545}
546EXPORT_SYMBOL_GPL(evm_inode_init_security);
547
548#ifdef CONFIG_EVM_LOAD_X509
549void __init evm_load_x509(void)
550{
551 int rc;
552
553 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
554 if (!rc)
555 evm_initialized |= EVM_INIT_X509;
556}
557#endif
558
559static int __init init_evm(void)
560{
561 int error;
562 struct list_head *pos, *q;
563
564 evm_init_config();
565
566 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
567 if (error)
568 goto error;
569
570 error = evm_init_secfs();
571 if (error < 0) {
572 pr_info("Error registering secfs\n");
573 goto error;
574 }
575
576error:
577 if (error != 0) {
578 if (!list_empty(&evm_config_xattrnames)) {
579 list_for_each_safe(pos, q, &evm_config_xattrnames)
580 list_del(pos);
581 }
582 }
583
584 return error;
585}
586
587late_initcall(init_evm);
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright (C) 2005-2010 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
7 * Kylene Hall <kjhall@us.ibm.com>
8 *
9 * File: evm_main.c
10 * implements evm_inode_setxattr, evm_inode_post_setxattr,
11 * evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl.
12 */
13
14#define pr_fmt(fmt) "EVM: "fmt
15
16#include <linux/init.h>
17#include <linux/audit.h>
18#include <linux/xattr.h>
19#include <linux/integrity.h>
20#include <linux/evm.h>
21#include <linux/magic.h>
22#include <linux/posix_acl_xattr.h>
23#include <linux/lsm_hooks.h>
24
25#include <crypto/hash.h>
26#include <crypto/hash_info.h>
27#include <crypto/utils.h>
28#include "evm.h"
29
30int evm_initialized;
31
32static const char * const integrity_status_msg[] = {
33 "pass", "pass_immutable", "fail", "fail_immutable", "no_label",
34 "no_xattrs", "unknown"
35};
36int evm_hmac_attrs;
37
38static struct xattr_list evm_config_default_xattrnames[] = {
39 {
40 .name = XATTR_NAME_SELINUX,
41 .enabled = IS_ENABLED(CONFIG_SECURITY_SELINUX)
42 },
43 {
44 .name = XATTR_NAME_SMACK,
45 .enabled = IS_ENABLED(CONFIG_SECURITY_SMACK)
46 },
47 {
48 .name = XATTR_NAME_SMACKEXEC,
49 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
50 },
51 {
52 .name = XATTR_NAME_SMACKTRANSMUTE,
53 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
54 },
55 {
56 .name = XATTR_NAME_SMACKMMAP,
57 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
58 },
59 {
60 .name = XATTR_NAME_APPARMOR,
61 .enabled = IS_ENABLED(CONFIG_SECURITY_APPARMOR)
62 },
63 {
64 .name = XATTR_NAME_IMA,
65 .enabled = IS_ENABLED(CONFIG_IMA_APPRAISE)
66 },
67 {
68 .name = XATTR_NAME_CAPS,
69 .enabled = true
70 },
71};
72
73LIST_HEAD(evm_config_xattrnames);
74
75static int evm_fixmode __ro_after_init;
76static int __init evm_set_fixmode(char *str)
77{
78 if (strncmp(str, "fix", 3) == 0)
79 evm_fixmode = 1;
80 else
81 pr_err("invalid \"%s\" mode", str);
82
83 return 1;
84}
85__setup("evm=", evm_set_fixmode);
86
87static void __init evm_init_config(void)
88{
89 int i, xattrs;
90
91 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
92
93 pr_info("Initialising EVM extended attributes:\n");
94 for (i = 0; i < xattrs; i++) {
95 pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
96 !evm_config_default_xattrnames[i].enabled ?
97 " (disabled)" : "");
98 list_add_tail(&evm_config_default_xattrnames[i].list,
99 &evm_config_xattrnames);
100 }
101
102#ifdef CONFIG_EVM_ATTR_FSUUID
103 evm_hmac_attrs |= EVM_ATTR_FSUUID;
104#endif
105 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
106}
107
108static bool evm_key_loaded(void)
109{
110 return (bool)(evm_initialized & EVM_KEY_MASK);
111}
112
113/*
114 * This function determines whether or not it is safe to ignore verification
115 * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
116 * is not loaded, and it cannot be loaded in the future due to the
117 * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
118 * attrs/xattrs being found invalid will not make them valid.
119 */
120static bool evm_hmac_disabled(void)
121{
122 if (evm_initialized & EVM_INIT_HMAC)
123 return false;
124
125 if (!(evm_initialized & EVM_SETUP_COMPLETE))
126 return false;
127
128 return true;
129}
130
131static int evm_find_protected_xattrs(struct dentry *dentry)
132{
133 struct inode *inode = d_backing_inode(dentry);
134 struct xattr_list *xattr;
135 int error;
136 int count = 0;
137
138 if (!(inode->i_opflags & IOP_XATTR))
139 return -EOPNOTSUPP;
140
141 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
142 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
143 if (error < 0) {
144 if (error == -ENODATA)
145 continue;
146 return error;
147 }
148 count++;
149 }
150
151 return count;
152}
153
154static int is_unsupported_fs(struct dentry *dentry)
155{
156 struct inode *inode = d_backing_inode(dentry);
157
158 if (inode->i_sb->s_iflags & SB_I_EVM_UNSUPPORTED) {
159 pr_info_once("%s not supported\n", inode->i_sb->s_type->name);
160 return 1;
161 }
162 return 0;
163}
164
165/*
166 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
167 *
168 * Compute the HMAC on the dentry's protected set of extended attributes
169 * and compare it against the stored security.evm xattr.
170 *
171 * For performance:
172 * - use the previoulsy retrieved xattr value and length to calculate the
173 * HMAC.)
174 * - cache the verification result in the iint, when available.
175 *
176 * Returns integrity status
177 */
178static enum integrity_status evm_verify_hmac(struct dentry *dentry,
179 const char *xattr_name,
180 char *xattr_value,
181 size_t xattr_value_len,
182 struct integrity_iint_cache *iint)
183{
184 struct evm_ima_xattr_data *xattr_data = NULL;
185 struct signature_v2_hdr *hdr;
186 enum integrity_status evm_status = INTEGRITY_PASS;
187 struct evm_digest digest;
188 struct inode *inode;
189 int rc, xattr_len, evm_immutable = 0;
190
191 if (iint && (iint->evm_status == INTEGRITY_PASS ||
192 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
193 return iint->evm_status;
194
195 if (is_unsupported_fs(dentry))
196 return INTEGRITY_UNKNOWN;
197
198 /* if status is not PASS, try to check again - against -ENOMEM */
199
200 /* first need to know the sig type */
201 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_EVM,
202 (char **)&xattr_data, 0, GFP_NOFS);
203 if (rc <= 0) {
204 evm_status = INTEGRITY_FAIL;
205 if (rc == -ENODATA) {
206 rc = evm_find_protected_xattrs(dentry);
207 if (rc > 0)
208 evm_status = INTEGRITY_NOLABEL;
209 else if (rc == 0)
210 evm_status = INTEGRITY_NOXATTRS; /* new file */
211 } else if (rc == -EOPNOTSUPP) {
212 evm_status = INTEGRITY_UNKNOWN;
213 }
214 goto out;
215 }
216
217 xattr_len = rc;
218
219 /* check value type */
220 switch (xattr_data->type) {
221 case EVM_XATTR_HMAC:
222 if (xattr_len != sizeof(struct evm_xattr)) {
223 evm_status = INTEGRITY_FAIL;
224 goto out;
225 }
226
227 digest.hdr.algo = HASH_ALGO_SHA1;
228 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
229 xattr_value_len, &digest);
230 if (rc)
231 break;
232 rc = crypto_memneq(xattr_data->data, digest.digest,
233 SHA1_DIGEST_SIZE);
234 if (rc)
235 rc = -EINVAL;
236 break;
237 case EVM_XATTR_PORTABLE_DIGSIG:
238 evm_immutable = 1;
239 fallthrough;
240 case EVM_IMA_XATTR_DIGSIG:
241 /* accept xattr with non-empty signature field */
242 if (xattr_len <= sizeof(struct signature_v2_hdr)) {
243 evm_status = INTEGRITY_FAIL;
244 goto out;
245 }
246
247 hdr = (struct signature_v2_hdr *)xattr_data;
248 digest.hdr.algo = hdr->hash_algo;
249 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
250 xattr_value_len, xattr_data->type, &digest);
251 if (rc)
252 break;
253 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
254 (const char *)xattr_data, xattr_len,
255 digest.digest, digest.hdr.length);
256 if (!rc) {
257 inode = d_backing_inode(dentry);
258
259 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
260 if (iint)
261 iint->flags |= EVM_IMMUTABLE_DIGSIG;
262 evm_status = INTEGRITY_PASS_IMMUTABLE;
263 } else if (!IS_RDONLY(inode) &&
264 !(inode->i_sb->s_readonly_remount) &&
265 !IS_IMMUTABLE(inode)) {
266 evm_update_evmxattr(dentry, xattr_name,
267 xattr_value,
268 xattr_value_len);
269 }
270 }
271 break;
272 default:
273 rc = -EINVAL;
274 break;
275 }
276
277 if (rc) {
278 if (rc == -ENODATA)
279 evm_status = INTEGRITY_NOXATTRS;
280 else if (evm_immutable)
281 evm_status = INTEGRITY_FAIL_IMMUTABLE;
282 else
283 evm_status = INTEGRITY_FAIL;
284 }
285 pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
286 digest.digest);
287out:
288 if (iint)
289 iint->evm_status = evm_status;
290 kfree(xattr_data);
291 return evm_status;
292}
293
294static int evm_protected_xattr_common(const char *req_xattr_name,
295 bool all_xattrs)
296{
297 int namelen;
298 int found = 0;
299 struct xattr_list *xattr;
300
301 namelen = strlen(req_xattr_name);
302 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
303 if (!all_xattrs && !xattr->enabled)
304 continue;
305
306 if ((strlen(xattr->name) == namelen)
307 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
308 found = 1;
309 break;
310 }
311 if (strncmp(req_xattr_name,
312 xattr->name + XATTR_SECURITY_PREFIX_LEN,
313 strlen(req_xattr_name)) == 0) {
314 found = 1;
315 break;
316 }
317 }
318
319 return found;
320}
321
322int evm_protected_xattr(const char *req_xattr_name)
323{
324 return evm_protected_xattr_common(req_xattr_name, false);
325}
326
327int evm_protected_xattr_if_enabled(const char *req_xattr_name)
328{
329 return evm_protected_xattr_common(req_xattr_name, true);
330}
331
332/**
333 * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
334 * @dentry: dentry of the read xattrs
335 * @buffer: buffer xattr names, lengths or values are copied to
336 * @buffer_size: size of buffer
337 * @type: n: names, l: lengths, v: values
338 * @canonical_fmt: data format (true: little endian, false: native format)
339 *
340 * Read protected xattr names (separated by |), lengths (u32) or values for a
341 * given dentry and return the total size of copied data. If buffer is NULL,
342 * just return the total size.
343 *
344 * Returns the total size on success, a negative value on error.
345 */
346int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
347 int buffer_size, char type, bool canonical_fmt)
348{
349 struct xattr_list *xattr;
350 int rc, size, total_size = 0;
351
352 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
353 rc = __vfs_getxattr(dentry, d_backing_inode(dentry),
354 xattr->name, NULL, 0);
355 if (rc < 0 && rc == -ENODATA)
356 continue;
357 else if (rc < 0)
358 return rc;
359
360 switch (type) {
361 case 'n':
362 size = strlen(xattr->name) + 1;
363 if (buffer) {
364 if (total_size)
365 *(buffer + total_size - 1) = '|';
366
367 memcpy(buffer + total_size, xattr->name, size);
368 }
369 break;
370 case 'l':
371 size = sizeof(u32);
372 if (buffer) {
373 if (canonical_fmt)
374 rc = (__force int)cpu_to_le32(rc);
375
376 *(u32 *)(buffer + total_size) = rc;
377 }
378 break;
379 case 'v':
380 size = rc;
381 if (buffer) {
382 rc = __vfs_getxattr(dentry,
383 d_backing_inode(dentry), xattr->name,
384 buffer + total_size,
385 buffer_size - total_size);
386 if (rc < 0)
387 return rc;
388 }
389 break;
390 default:
391 return -EINVAL;
392 }
393
394 total_size += size;
395 }
396
397 return total_size;
398}
399
400/**
401 * evm_verifyxattr - verify the integrity of the requested xattr
402 * @dentry: object of the verify xattr
403 * @xattr_name: requested xattr
404 * @xattr_value: requested xattr value
405 * @xattr_value_len: requested xattr value length
406 * @iint: inode integrity metadata
407 *
408 * Calculate the HMAC for the given dentry and verify it against the stored
409 * security.evm xattr. For performance, use the xattr value and length
410 * previously retrieved to calculate the HMAC.
411 *
412 * Returns the xattr integrity status.
413 *
414 * This function requires the caller to lock the inode's i_mutex before it
415 * is executed.
416 */
417enum integrity_status evm_verifyxattr(struct dentry *dentry,
418 const char *xattr_name,
419 void *xattr_value, size_t xattr_value_len,
420 struct integrity_iint_cache *iint)
421{
422 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
423 return INTEGRITY_UNKNOWN;
424
425 if (is_unsupported_fs(dentry))
426 return INTEGRITY_UNKNOWN;
427
428 if (!iint) {
429 iint = integrity_iint_find(d_backing_inode(dentry));
430 if (!iint)
431 return INTEGRITY_UNKNOWN;
432 }
433 return evm_verify_hmac(dentry, xattr_name, xattr_value,
434 xattr_value_len, iint);
435}
436EXPORT_SYMBOL_GPL(evm_verifyxattr);
437
438/*
439 * evm_verify_current_integrity - verify the dentry's metadata integrity
440 * @dentry: pointer to the affected dentry
441 *
442 * Verify and return the dentry's metadata integrity. The exceptions are
443 * before EVM is initialized or in 'fix' mode.
444 */
445static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
446{
447 struct inode *inode = d_backing_inode(dentry);
448
449 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
450 return INTEGRITY_PASS;
451 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
452}
453
454/*
455 * evm_xattr_change - check if passed xattr value differs from current value
456 * @idmap: idmap of the mount
457 * @dentry: pointer to the affected dentry
458 * @xattr_name: requested xattr
459 * @xattr_value: requested xattr value
460 * @xattr_value_len: requested xattr value length
461 *
462 * Check if passed xattr value differs from current value.
463 *
464 * Returns 1 if passed xattr value differs from current value, 0 otherwise.
465 */
466static int evm_xattr_change(struct mnt_idmap *idmap,
467 struct dentry *dentry, const char *xattr_name,
468 const void *xattr_value, size_t xattr_value_len)
469{
470 char *xattr_data = NULL;
471 int rc = 0;
472
473 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr_name, &xattr_data,
474 0, GFP_NOFS);
475 if (rc < 0) {
476 rc = 1;
477 goto out;
478 }
479
480 if (rc == xattr_value_len)
481 rc = !!memcmp(xattr_value, xattr_data, rc);
482 else
483 rc = 1;
484
485out:
486 kfree(xattr_data);
487 return rc;
488}
489
490/*
491 * evm_protect_xattr - protect the EVM extended attribute
492 *
493 * Prevent security.evm from being modified or removed without the
494 * necessary permissions or when the existing value is invalid.
495 *
496 * The posix xattr acls are 'system' prefixed, which normally would not
497 * affect security.evm. An interesting side affect of writing posix xattr
498 * acls is their modifying of the i_mode, which is included in security.evm.
499 * For posix xattr acls only, permit security.evm, even if it currently
500 * doesn't exist, to be updated unless the EVM signature is immutable.
501 */
502static int evm_protect_xattr(struct mnt_idmap *idmap,
503 struct dentry *dentry, const char *xattr_name,
504 const void *xattr_value, size_t xattr_value_len)
505{
506 enum integrity_status evm_status;
507
508 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
509 if (!capable(CAP_SYS_ADMIN))
510 return -EPERM;
511 if (is_unsupported_fs(dentry))
512 return -EPERM;
513 } else if (!evm_protected_xattr(xattr_name)) {
514 if (!posix_xattr_acl(xattr_name))
515 return 0;
516 if (is_unsupported_fs(dentry))
517 return 0;
518
519 evm_status = evm_verify_current_integrity(dentry);
520 if ((evm_status == INTEGRITY_PASS) ||
521 (evm_status == INTEGRITY_NOXATTRS))
522 return 0;
523 goto out;
524 } else if (is_unsupported_fs(dentry))
525 return 0;
526
527 evm_status = evm_verify_current_integrity(dentry);
528 if (evm_status == INTEGRITY_NOXATTRS) {
529 struct integrity_iint_cache *iint;
530
531 /* Exception if the HMAC is not going to be calculated. */
532 if (evm_hmac_disabled())
533 return 0;
534
535 iint = integrity_iint_find(d_backing_inode(dentry));
536 if (iint && (iint->flags & IMA_NEW_FILE))
537 return 0;
538
539 /* exception for pseudo filesystems */
540 if (dentry->d_sb->s_magic == TMPFS_MAGIC
541 || dentry->d_sb->s_magic == SYSFS_MAGIC)
542 return 0;
543
544 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
545 dentry->d_inode, dentry->d_name.name,
546 "update_metadata",
547 integrity_status_msg[evm_status],
548 -EPERM, 0);
549 }
550out:
551 /* Exception if the HMAC is not going to be calculated. */
552 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
553 evm_status == INTEGRITY_UNKNOWN))
554 return 0;
555
556 /*
557 * Writing other xattrs is safe for portable signatures, as portable
558 * signatures are immutable and can never be updated.
559 */
560 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
561 return 0;
562
563 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
564 !evm_xattr_change(idmap, dentry, xattr_name, xattr_value,
565 xattr_value_len))
566 return 0;
567
568 if (evm_status != INTEGRITY_PASS &&
569 evm_status != INTEGRITY_PASS_IMMUTABLE)
570 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
571 dentry->d_name.name, "appraise_metadata",
572 integrity_status_msg[evm_status],
573 -EPERM, 0);
574 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
575}
576
577/**
578 * evm_inode_setxattr - protect the EVM extended attribute
579 * @idmap: idmap of the mount
580 * @dentry: pointer to the affected dentry
581 * @xattr_name: pointer to the affected extended attribute name
582 * @xattr_value: pointer to the new extended attribute value
583 * @xattr_value_len: pointer to the new extended attribute value length
584 *
585 * Before allowing the 'security.evm' protected xattr to be updated,
586 * verify the existing value is valid. As only the kernel should have
587 * access to the EVM encrypted key needed to calculate the HMAC, prevent
588 * userspace from writing HMAC value. Writing 'security.evm' requires
589 * requires CAP_SYS_ADMIN privileges.
590 */
591int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
592 const char *xattr_name, const void *xattr_value,
593 size_t xattr_value_len)
594{
595 const struct evm_ima_xattr_data *xattr_data = xattr_value;
596
597 /* Policy permits modification of the protected xattrs even though
598 * there's no HMAC key loaded
599 */
600 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
601 return 0;
602
603 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
604 if (!xattr_value_len)
605 return -EINVAL;
606 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
607 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
608 return -EPERM;
609 }
610 return evm_protect_xattr(idmap, dentry, xattr_name, xattr_value,
611 xattr_value_len);
612}
613
614/**
615 * evm_inode_removexattr - protect the EVM extended attribute
616 * @idmap: idmap of the mount
617 * @dentry: pointer to the affected dentry
618 * @xattr_name: pointer to the affected extended attribute name
619 *
620 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
621 * the current value is valid.
622 */
623int evm_inode_removexattr(struct mnt_idmap *idmap,
624 struct dentry *dentry, const char *xattr_name)
625{
626 /* Policy permits modification of the protected xattrs even though
627 * there's no HMAC key loaded
628 */
629 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
630 return 0;
631
632 return evm_protect_xattr(idmap, dentry, xattr_name, NULL, 0);
633}
634
635#ifdef CONFIG_FS_POSIX_ACL
636static int evm_inode_set_acl_change(struct mnt_idmap *idmap,
637 struct dentry *dentry, const char *name,
638 struct posix_acl *kacl)
639{
640 int rc;
641
642 umode_t mode;
643 struct inode *inode = d_backing_inode(dentry);
644
645 if (!kacl)
646 return 1;
647
648 rc = posix_acl_update_mode(idmap, inode, &mode, &kacl);
649 if (rc || (inode->i_mode != mode))
650 return 1;
651
652 return 0;
653}
654#else
655static inline int evm_inode_set_acl_change(struct mnt_idmap *idmap,
656 struct dentry *dentry,
657 const char *name,
658 struct posix_acl *kacl)
659{
660 return 0;
661}
662#endif
663
664/**
665 * evm_inode_set_acl - protect the EVM extended attribute from posix acls
666 * @idmap: idmap of the idmapped mount
667 * @dentry: pointer to the affected dentry
668 * @acl_name: name of the posix acl
669 * @kacl: pointer to the posix acls
670 *
671 * Prevent modifying posix acls causing the EVM HMAC to be re-calculated
672 * and 'security.evm' xattr updated, unless the existing 'security.evm' is
673 * valid.
674 */
675int evm_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
676 const char *acl_name, struct posix_acl *kacl)
677{
678 enum integrity_status evm_status;
679
680 /* Policy permits modification of the protected xattrs even though
681 * there's no HMAC key loaded
682 */
683 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
684 return 0;
685
686 evm_status = evm_verify_current_integrity(dentry);
687 if ((evm_status == INTEGRITY_PASS) ||
688 (evm_status == INTEGRITY_NOXATTRS))
689 return 0;
690
691 /* Exception if the HMAC is not going to be calculated. */
692 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
693 evm_status == INTEGRITY_UNKNOWN))
694 return 0;
695
696 /*
697 * Writing other xattrs is safe for portable signatures, as portable
698 * signatures are immutable and can never be updated.
699 */
700 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
701 return 0;
702
703 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
704 !evm_inode_set_acl_change(idmap, dentry, acl_name, kacl))
705 return 0;
706
707 if (evm_status != INTEGRITY_PASS_IMMUTABLE)
708 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
709 dentry->d_name.name, "appraise_metadata",
710 integrity_status_msg[evm_status],
711 -EPERM, 0);
712 return -EPERM;
713}
714
715static void evm_reset_status(struct inode *inode)
716{
717 struct integrity_iint_cache *iint;
718
719 iint = integrity_iint_find(inode);
720 if (iint)
721 iint->evm_status = INTEGRITY_UNKNOWN;
722}
723
724/**
725 * evm_revalidate_status - report whether EVM status re-validation is necessary
726 * @xattr_name: pointer to the affected extended attribute name
727 *
728 * Report whether callers of evm_verifyxattr() should re-validate the
729 * EVM status.
730 *
731 * Return true if re-validation is necessary, false otherwise.
732 */
733bool evm_revalidate_status(const char *xattr_name)
734{
735 if (!evm_key_loaded())
736 return false;
737
738 /* evm_inode_post_setattr() passes NULL */
739 if (!xattr_name)
740 return true;
741
742 if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
743 strcmp(xattr_name, XATTR_NAME_EVM))
744 return false;
745
746 return true;
747}
748
749/**
750 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
751 * @dentry: pointer to the affected dentry
752 * @xattr_name: pointer to the affected extended attribute name
753 * @xattr_value: pointer to the new extended attribute value
754 * @xattr_value_len: pointer to the new extended attribute value length
755 *
756 * Update the HMAC stored in 'security.evm' to reflect the change.
757 *
758 * No need to take the i_mutex lock here, as this function is called from
759 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
760 * i_mutex lock.
761 */
762void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
763 const void *xattr_value, size_t xattr_value_len)
764{
765 if (!evm_revalidate_status(xattr_name))
766 return;
767
768 evm_reset_status(dentry->d_inode);
769
770 if (!strcmp(xattr_name, XATTR_NAME_EVM))
771 return;
772
773 if (!(evm_initialized & EVM_INIT_HMAC))
774 return;
775
776 if (is_unsupported_fs(dentry))
777 return;
778
779 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
780}
781
782/**
783 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
784 * @dentry: pointer to the affected dentry
785 * @xattr_name: pointer to the affected extended attribute name
786 *
787 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
788 *
789 * No need to take the i_mutex lock here, as this function is called from
790 * vfs_removexattr() which takes the i_mutex.
791 */
792void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
793{
794 if (!evm_revalidate_status(xattr_name))
795 return;
796
797 evm_reset_status(dentry->d_inode);
798
799 if (!strcmp(xattr_name, XATTR_NAME_EVM))
800 return;
801
802 if (!(evm_initialized & EVM_INIT_HMAC))
803 return;
804
805 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
806}
807
808static int evm_attr_change(struct mnt_idmap *idmap,
809 struct dentry *dentry, struct iattr *attr)
810{
811 struct inode *inode = d_backing_inode(dentry);
812 unsigned int ia_valid = attr->ia_valid;
813
814 if (!i_uid_needs_update(idmap, attr, inode) &&
815 !i_gid_needs_update(idmap, attr, inode) &&
816 (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
817 return 0;
818
819 return 1;
820}
821
822/**
823 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
824 * @idmap: idmap of the mount
825 * @dentry: pointer to the affected dentry
826 * @attr: iattr structure containing the new file attributes
827 *
828 * Permit update of file attributes when files have a valid EVM signature,
829 * except in the case of them having an immutable portable signature.
830 */
831int evm_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
832 struct iattr *attr)
833{
834 unsigned int ia_valid = attr->ia_valid;
835 enum integrity_status evm_status;
836
837 /* Policy permits modification of the protected attrs even though
838 * there's no HMAC key loaded
839 */
840 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
841 return 0;
842
843 if (is_unsupported_fs(dentry))
844 return 0;
845
846 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
847 return 0;
848
849 evm_status = evm_verify_current_integrity(dentry);
850 /*
851 * Writing attrs is safe for portable signatures, as portable signatures
852 * are immutable and can never be updated.
853 */
854 if ((evm_status == INTEGRITY_PASS) ||
855 (evm_status == INTEGRITY_NOXATTRS) ||
856 (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
857 (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
858 evm_status == INTEGRITY_UNKNOWN)))
859 return 0;
860
861 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
862 !evm_attr_change(idmap, dentry, attr))
863 return 0;
864
865 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
866 dentry->d_name.name, "appraise_metadata",
867 integrity_status_msg[evm_status], -EPERM, 0);
868 return -EPERM;
869}
870
871/**
872 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
873 * @dentry: pointer to the affected dentry
874 * @ia_valid: for the UID and GID status
875 *
876 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
877 * changes.
878 *
879 * This function is called from notify_change(), which expects the caller
880 * to lock the inode's i_mutex.
881 */
882void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
883{
884 if (!evm_revalidate_status(NULL))
885 return;
886
887 evm_reset_status(dentry->d_inode);
888
889 if (!(evm_initialized & EVM_INIT_HMAC))
890 return;
891
892 if (is_unsupported_fs(dentry))
893 return;
894
895 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
896 evm_update_evmxattr(dentry, NULL, NULL, 0);
897}
898
899int evm_inode_copy_up_xattr(const char *name)
900{
901 if (strcmp(name, XATTR_NAME_EVM) == 0)
902 return 1; /* Discard */
903 return -EOPNOTSUPP;
904}
905
906/*
907 * evm_inode_init_security - initializes security.evm HMAC value
908 */
909int evm_inode_init_security(struct inode *inode, struct inode *dir,
910 const struct qstr *qstr, struct xattr *xattrs,
911 int *xattr_count)
912{
913 struct evm_xattr *xattr_data;
914 struct xattr *xattr, *evm_xattr;
915 bool evm_protected_xattrs = false;
916 int rc;
917
918 if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs)
919 return 0;
920
921 /*
922 * security_inode_init_security() makes sure that the xattrs array is
923 * contiguous, there is enough space for security.evm, and that there is
924 * a terminator at the end of the array.
925 */
926 for (xattr = xattrs; xattr->name; xattr++) {
927 if (evm_protected_xattr(xattr->name))
928 evm_protected_xattrs = true;
929 }
930
931 /* EVM xattr not needed. */
932 if (!evm_protected_xattrs)
933 return 0;
934
935 evm_xattr = lsm_get_xattr_slot(xattrs, xattr_count);
936 /*
937 * Array terminator (xattr name = NULL) must be the first non-filled
938 * xattr slot.
939 */
940 WARN_ONCE(evm_xattr != xattr,
941 "%s: xattrs terminator is not the first non-filled slot\n",
942 __func__);
943
944 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
945 if (!xattr_data)
946 return -ENOMEM;
947
948 xattr_data->data.type = EVM_XATTR_HMAC;
949 rc = evm_init_hmac(inode, xattrs, xattr_data->digest);
950 if (rc < 0)
951 goto out;
952
953 evm_xattr->value = xattr_data;
954 evm_xattr->value_len = sizeof(*xattr_data);
955 evm_xattr->name = XATTR_EVM_SUFFIX;
956 return 0;
957out:
958 kfree(xattr_data);
959 return rc;
960}
961EXPORT_SYMBOL_GPL(evm_inode_init_security);
962
963#ifdef CONFIG_EVM_LOAD_X509
964void __init evm_load_x509(void)
965{
966 int rc;
967
968 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
969 if (!rc)
970 evm_initialized |= EVM_INIT_X509;
971}
972#endif
973
974static int __init init_evm(void)
975{
976 int error;
977 struct list_head *pos, *q;
978
979 evm_init_config();
980
981 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
982 if (error)
983 goto error;
984
985 error = evm_init_secfs();
986 if (error < 0) {
987 pr_info("Error registering secfs\n");
988 goto error;
989 }
990
991error:
992 if (error != 0) {
993 if (!list_empty(&evm_config_xattrnames)) {
994 list_for_each_safe(pos, q, &evm_config_xattrnames)
995 list_del(pos);
996 }
997 }
998
999 return error;
1000}
1001
1002late_initcall(init_evm);