TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / hafnium / third_party / linux.git / 3a0ad55d848b50499b68d7141d4eca997fce28ef / . / security / integrity / evm / evm_main.c
blob: 7f3f54d89a6e7e35cb1cc7ef3d0eb83049c12bea [file] [log] [blame]
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1/*
2 * Copyright (C) 2005-2010 IBM Corporation
3 *
4 * Author:
5 * Mimi Zohar <zohar@us.ibm.com>
6 * Kylene Hall <kjhall@us.ibm.com>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, version 2 of the License.
11 *
12 * File: evm_main.c
13 * implements evm_inode_setxattr, evm_inode_post_setxattr,
14 * evm_inode_removexattr, and evm_verifyxattr
15 */
16
17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18
19#include <linux/module.h>
20#include <linux/crypto.h>
21#include <linux/audit.h>
22#include <linux/xattr.h>
23#include <linux/integrity.h>
24#include <linux/evm.h>
25#include <linux/magic.h>
26
27#include <crypto/hash.h>
28#include <crypto/hash_info.h>
29#include <crypto/algapi.h>
30#include "evm.h"
31
32int evm_initialized;
33
34static const char * const integrity_status_msg[] = {
35 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
36};
37int evm_hmac_attrs;
38
39static struct xattr_list evm_config_default_xattrnames[] = {
40#ifdef CONFIG_SECURITY_SELINUX
41 {.name = XATTR_NAME_SELINUX},
42#endif
43#ifdef CONFIG_SECURITY_SMACK
44 {.name = XATTR_NAME_SMACK},
45#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
46 {.name = XATTR_NAME_SMACKEXEC},
47 {.name = XATTR_NAME_SMACKTRANSMUTE},
48 {.name = XATTR_NAME_SMACKMMAP},
49#endif
50#endif
51#ifdef CONFIG_SECURITY_APPARMOR
52 {.name = XATTR_NAME_APPARMOR},
53#endif
54#ifdef CONFIG_IMA_APPRAISE
55 {.name = XATTR_NAME_IMA},
56#endif
57 {.name = XATTR_NAME_CAPS},
58};
59
60LIST_HEAD(evm_config_xattrnames);
61
62static int evm_fixmode;
63static int __init evm_set_fixmode(char *str)
64{
65 if (strncmp(str, "fix", 3) == 0)
66 evm_fixmode = 1;
67 return 0;
68}
69__setup("evm=", evm_set_fixmode);
70
71static void __init evm_init_config(void)
72{
73 int i, xattrs;
74
75 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
76
77 pr_info("Initialising EVM extended attributes:\n");
78 for (i = 0; i < xattrs; i++) {
79 pr_info("%s\n", evm_config_default_xattrnames[i].name);
80 list_add_tail(&evm_config_default_xattrnames[i].list,
81 &evm_config_xattrnames);
82 }
83
84#ifdef CONFIG_EVM_ATTR_FSUUID
85 evm_hmac_attrs |= EVM_ATTR_FSUUID;
86#endif
87 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
88}
89
90static bool evm_key_loaded(void)
91{
92 return (bool)(evm_initialized & EVM_KEY_MASK);
93}
94
95static int evm_find_protected_xattrs(struct dentry *dentry)
96{
97 struct inode *inode = d_backing_inode(dentry);
98 struct xattr_list *xattr;
99 int error;
100 int count = 0;
101
102 if (!(inode->i_opflags & IOP_XATTR))
103 return -EOPNOTSUPP;
104
105 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
106 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
107 if (error < 0) {
108 if (error == -ENODATA)
109 continue;
110 return error;
111 }
112 count++;
113 }
114
115 return count;
116}
117
118/*
119 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
120 *
121 * Compute the HMAC on the dentry's protected set of extended attributes
122 * and compare it against the stored security.evm xattr.
123 *
124 * For performance:
125 * - use the previoulsy retrieved xattr value and length to calculate the
126 * HMAC.)
127 * - cache the verification result in the iint, when available.
128 *
129 * Returns integrity status
130 */
131static enum integrity_status evm_verify_hmac(struct dentry *dentry,
132 const char *xattr_name,
133 char *xattr_value,
134 size_t xattr_value_len,
135 struct integrity_iint_cache *iint)
136{
137 struct evm_ima_xattr_data *xattr_data = NULL;
138 struct signature_v2_hdr *hdr;
139 enum integrity_status evm_status = INTEGRITY_PASS;
140 struct evm_digest digest;
141 struct inode *inode;
142 int rc, xattr_len;
143
144 if (iint && (iint->evm_status == INTEGRITY_PASS ||
145 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
146 return iint->evm_status;
147
148 /* if status is not PASS, try to check again - against -ENOMEM */
149
150 /* first need to know the sig type */
151 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
152 GFP_NOFS);
153 if (rc <= 0) {
154 evm_status = INTEGRITY_FAIL;
155 if (rc == -ENODATA) {
156 rc = evm_find_protected_xattrs(dentry);
157 if (rc > 0)
158 evm_status = INTEGRITY_NOLABEL;
159 else if (rc == 0)
160 evm_status = INTEGRITY_NOXATTRS; /* new file */
161 } else if (rc == -EOPNOTSUPP) {
162 evm_status = INTEGRITY_UNKNOWN;
163 }
164 goto out;
165 }
166
167 xattr_len = rc;
168
169 /* check value type */
170 switch (xattr_data->type) {
171 case EVM_XATTR_HMAC:
172 if (xattr_len != sizeof(struct evm_ima_xattr_data)) {
173 evm_status = INTEGRITY_FAIL;
174 goto out;
175 }
176
177 digest.hdr.algo = HASH_ALGO_SHA1;
178 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
179 xattr_value_len, &digest);
180 if (rc)
181 break;
182 rc = crypto_memneq(xattr_data->digest, digest.digest,
183 SHA1_DIGEST_SIZE);
184 if (rc)
185 rc = -EINVAL;
186 break;
187 case EVM_IMA_XATTR_DIGSIG:
188 case EVM_XATTR_PORTABLE_DIGSIG:
189 hdr = (struct signature_v2_hdr *)xattr_data;
190 digest.hdr.algo = hdr->hash_algo;
191 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
192 xattr_value_len, xattr_data->type, &digest);
193 if (rc)
194 break;
195 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
196 (const char *)xattr_data, xattr_len,
197 digest.digest, digest.hdr.length);
198 if (!rc) {
199 inode = d_backing_inode(dentry);
200
201 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
202 if (iint)
203 iint->flags |= EVM_IMMUTABLE_DIGSIG;
204 evm_status = INTEGRITY_PASS_IMMUTABLE;
205 } else if (!IS_RDONLY(inode) &&
206 !(inode->i_sb->s_readonly_remount) &&
207 !IS_IMMUTABLE(inode)) {
208 evm_update_evmxattr(dentry, xattr_name,
209 xattr_value,
210 xattr_value_len);
211 }
212 }
213 break;
214 default:
215 rc = -EINVAL;
216 break;
217 }
218
219 if (rc)
220 evm_status = (rc == -ENODATA) ?
221 INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
222out:
223 if (iint)
224 iint->evm_status = evm_status;
225 kfree(xattr_data);
226 return evm_status;
227}
228
229static int evm_protected_xattr(const char *req_xattr_name)
230{
231 int namelen;
232 int found = 0;
233 struct xattr_list *xattr;
234
235 namelen = strlen(req_xattr_name);
236 list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {
237 if ((strlen(xattr->name) == namelen)
238 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
239 found = 1;
240 break;
241 }
242 if (strncmp(req_xattr_name,
243 xattr->name + XATTR_SECURITY_PREFIX_LEN,
244 strlen(req_xattr_name)) == 0) {
245 found = 1;
246 break;
247 }
248 }
249
250 return found;
251}
252
253/**
254 * evm_verifyxattr - verify the integrity of the requested xattr
255 * @dentry: object of the verify xattr
256 * @xattr_name: requested xattr
257 * @xattr_value: requested xattr value
258 * @xattr_value_len: requested xattr value length
259 *
260 * Calculate the HMAC for the given dentry and verify it against the stored
261 * security.evm xattr. For performance, use the xattr value and length
262 * previously retrieved to calculate the HMAC.
263 *
264 * Returns the xattr integrity status.
265 *
266 * This function requires the caller to lock the inode's i_mutex before it
267 * is executed.
268 */
269enum integrity_status evm_verifyxattr(struct dentry *dentry,
270 const char *xattr_name,
271 void *xattr_value, size_t xattr_value_len,
272 struct integrity_iint_cache *iint)
273{
274 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
275 return INTEGRITY_UNKNOWN;
276
277 if (!iint) {
278 iint = integrity_iint_find(d_backing_inode(dentry));
279 if (!iint)
280 return INTEGRITY_UNKNOWN;
281 }
282 return evm_verify_hmac(dentry, xattr_name, xattr_value,
283 xattr_value_len, iint);
284}
285EXPORT_SYMBOL_GPL(evm_verifyxattr);
286
287/*
288 * evm_verify_current_integrity - verify the dentry's metadata integrity
289 * @dentry: pointer to the affected dentry
290 *
291 * Verify and return the dentry's metadata integrity. The exceptions are
292 * before EVM is initialized or in 'fix' mode.
293 */
294static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
295{
296 struct inode *inode = d_backing_inode(dentry);
297
298 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
299 return 0;
300 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
301}
302
303/*
304 * evm_protect_xattr - protect the EVM extended attribute
305 *
306 * Prevent security.evm from being modified or removed without the
307 * necessary permissions or when the existing value is invalid.
308 *
309 * The posix xattr acls are 'system' prefixed, which normally would not
310 * affect security.evm. An interesting side affect of writing posix xattr
311 * acls is their modifying of the i_mode, which is included in security.evm.
312 * For posix xattr acls only, permit security.evm, even if it currently
313 * doesn't exist, to be updated unless the EVM signature is immutable.
314 */
315static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
316 const void *xattr_value, size_t xattr_value_len)
317{
318 enum integrity_status evm_status;
319
320 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
321 if (!capable(CAP_SYS_ADMIN))
322 return -EPERM;
323 } else if (!evm_protected_xattr(xattr_name)) {
324 if (!posix_xattr_acl(xattr_name))
325 return 0;
326 evm_status = evm_verify_current_integrity(dentry);
327 if ((evm_status == INTEGRITY_PASS) ||
328 (evm_status == INTEGRITY_NOXATTRS))
329 return 0;
330 goto out;
331 }
332
333 evm_status = evm_verify_current_integrity(dentry);
334 if (evm_status == INTEGRITY_NOXATTRS) {
335 struct integrity_iint_cache *iint;
336
337 iint = integrity_iint_find(d_backing_inode(dentry));
338 if (iint && (iint->flags & IMA_NEW_FILE))
339 return 0;
340
341 /* exception for pseudo filesystems */
342 if (dentry->d_sb->s_magic == TMPFS_MAGIC
343 || dentry->d_sb->s_magic == SYSFS_MAGIC)
344 return 0;
345
346 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
347 dentry->d_inode, dentry->d_name.name,
348 "update_metadata",
349 integrity_status_msg[evm_status],
350 -EPERM, 0);
351 }
352out:
353 if (evm_status != INTEGRITY_PASS)
354 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
355 dentry->d_name.name, "appraise_metadata",
356 integrity_status_msg[evm_status],
357 -EPERM, 0);
358 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
359}
360
361/**
362 * evm_inode_setxattr - protect the EVM extended attribute
363 * @dentry: pointer to the affected dentry
364 * @xattr_name: pointer to the affected extended attribute name
365 * @xattr_value: pointer to the new extended attribute value
366 * @xattr_value_len: pointer to the new extended attribute value length
367 *
368 * Before allowing the 'security.evm' protected xattr to be updated,
369 * verify the existing value is valid. As only the kernel should have
370 * access to the EVM encrypted key needed to calculate the HMAC, prevent
371 * userspace from writing HMAC value. Writing 'security.evm' requires
372 * requires CAP_SYS_ADMIN privileges.
373 */
374int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
375 const void *xattr_value, size_t xattr_value_len)
376{
377 const struct evm_ima_xattr_data *xattr_data = xattr_value;
378
379 /* Policy permits modification of the protected xattrs even though
380 * there's no HMAC key loaded
381 */
382 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
383 return 0;
384
385 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
386 if (!xattr_value_len)
387 return -EINVAL;
388 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
389 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
390 return -EPERM;
391 }
392 return evm_protect_xattr(dentry, xattr_name, xattr_value,
393 xattr_value_len);
394}
395
396/**
397 * evm_inode_removexattr - protect the EVM extended attribute
398 * @dentry: pointer to the affected dentry
399 * @xattr_name: pointer to the affected extended attribute name
400 *
401 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
402 * the current value is valid.
403 */
404int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
405{
406 /* Policy permits modification of the protected xattrs even though
407 * there's no HMAC key loaded
408 */
409 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
410 return 0;
411
412 return evm_protect_xattr(dentry, xattr_name, NULL, 0);
413}
414
415static void evm_reset_status(struct inode *inode)
416{
417 struct integrity_iint_cache *iint;
418
419 iint = integrity_iint_find(inode);
420 if (iint)
421 iint->evm_status = INTEGRITY_UNKNOWN;
422}
423
424/**
425 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
426 * @dentry: pointer to the affected dentry
427 * @xattr_name: pointer to the affected extended attribute name
428 * @xattr_value: pointer to the new extended attribute value
429 * @xattr_value_len: pointer to the new extended attribute value length
430 *
431 * Update the HMAC stored in 'security.evm' to reflect the change.
432 *
433 * No need to take the i_mutex lock here, as this function is called from
434 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
435 * i_mutex lock.
436 */
437void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
438 const void *xattr_value, size_t xattr_value_len)
439{
440 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
441 && !posix_xattr_acl(xattr_name)))
442 return;
443
444 evm_reset_status(dentry->d_inode);
445
446 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
447}
448
449/**
450 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
451 * @dentry: pointer to the affected dentry
452 * @xattr_name: pointer to the affected extended attribute name
453 *
454 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
455 *
456 * No need to take the i_mutex lock here, as this function is called from
457 * vfs_removexattr() which takes the i_mutex.
458 */
459void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
460{
461 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
462 return;
463
464 evm_reset_status(dentry->d_inode);
465
466 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
467}
468
469/**
470 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
471 * @dentry: pointer to the affected dentry
472 *
473 * Permit update of file attributes when files have a valid EVM signature,
474 * except in the case of them having an immutable portable signature.
475 */
476int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
477{
478 unsigned int ia_valid = attr->ia_valid;
479 enum integrity_status evm_status;
480
481 /* Policy permits modification of the protected attrs even though
482 * there's no HMAC key loaded
483 */
484 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
485 return 0;
486
487 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
488 return 0;
489 evm_status = evm_verify_current_integrity(dentry);
490 if ((evm_status == INTEGRITY_PASS) ||
491 (evm_status == INTEGRITY_NOXATTRS))
492 return 0;
493 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
494 dentry->d_name.name, "appraise_metadata",
495 integrity_status_msg[evm_status], -EPERM, 0);
496 return -EPERM;
497}
498
499/**
500 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
501 * @dentry: pointer to the affected dentry
502 * @ia_valid: for the UID and GID status
503 *
504 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
505 * changes.
506 *
507 * This function is called from notify_change(), which expects the caller
508 * to lock the inode's i_mutex.
509 */
510void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
511{
512 if (!evm_key_loaded())
513 return;
514
515 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
516 evm_update_evmxattr(dentry, NULL, NULL, 0);
517}
518
519/*
520 * evm_inode_init_security - initializes security.evm
521 */
522int evm_inode_init_security(struct inode *inode,
523 const struct xattr *lsm_xattr,
524 struct xattr *evm_xattr)
525{
526 struct evm_ima_xattr_data *xattr_data;
527 int rc;
528
529 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
530 return 0;
531
532 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
533 if (!xattr_data)
534 return -ENOMEM;
535
536 xattr_data->type = EVM_XATTR_HMAC;
537 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
538 if (rc < 0)
539 goto out;
540
541 evm_xattr->value = xattr_data;
542 evm_xattr->value_len = sizeof(*xattr_data);
543 evm_xattr->name = XATTR_EVM_SUFFIX;
544 return 0;
545out:
546 kfree(xattr_data);
547 return rc;
548}
549EXPORT_SYMBOL_GPL(evm_inode_init_security);
550
551#ifdef CONFIG_EVM_LOAD_X509
552void __init evm_load_x509(void)
553{
554 int rc;
555
556 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
557 if (!rc)
558 evm_initialized |= EVM_INIT_X509;
559}
560#endif
561
562static int __init init_evm(void)
563{
564 int error;
565 struct list_head *pos, *q;
566 struct xattr_list *xattr;
567
568 evm_init_config();
569
570 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
571 if (error)
572 goto error;
573
574 error = evm_init_secfs();
575 if (error < 0) {
576 pr_info("Error registering secfs\n");
577 goto error;
578 }
579
580error:
581 if (error != 0) {
582 if (!list_empty(&evm_config_xattrnames)) {
583 list_for_each_safe(pos, q, &evm_config_xattrnames) {
584 xattr = list_entry(pos, struct xattr_list,
585 list);
586 list_del(pos);
587 }
588 }
589 }
590
591 return error;
592}
593
594late_initcall(init_evm);
595
596MODULE_DESCRIPTION("Extended Verification Module");
597MODULE_LICENSE("GPL");