security/integrity/evm/evm_main.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Copyright (C) 2005-2010 IBM Corporation
   4  *
   5  * Author:
   6  * Mimi Zohar <zohar@us.ibm.com>
   7  * Kylene Hall <kjhall@us.ibm.com>
   8  *
   9  * File: evm_main.c
  10  *      implements evm_inode_setxattr, evm_inode_post_setxattr,
  11  *      evm_inode_removexattr, and evm_verifyxattr
  12  */
  13
  14 #include <linux/init.h>
  15 #include <linux/crypto.h>
  16 #include <linux/audit.h>
  17 #include <linux/xattr.h>
  18 #include <linux/integrity.h>
  19 #include <linux/evm.h>
  20 #include <linux/magic.h>
  21
  22 #include <crypto/hash.h>
  23 #include <crypto/hash_info.h>
  24 #include <crypto/algapi.h>
  25 #include "evm.h"
  26
  27 int evm_initialized;
  28
  29 static const char * const integrity_status_msg[] = {
  30         "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
  31 };
  32 int evm_hmac_attrs;
  33
  34 static struct xattr_list evm_config_default_xattrnames[] = {
  35 #ifdef CONFIG_SECURITY_SELINUX
  36         {.name = XATTR_NAME_SELINUX},
  37 #endif
  38 #ifdef CONFIG_SECURITY_SMACK
  39         {.name = XATTR_NAME_SMACK},
  40 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
  41         {.name = XATTR_NAME_SMACKEXEC},
  42         {.name = XATTR_NAME_SMACKTRANSMUTE},
  43         {.name = XATTR_NAME_SMACKMMAP},
  44 #endif
  45 #endif
  46 #ifdef CONFIG_SECURITY_APPARMOR
  47         {.name = XATTR_NAME_APPARMOR},
  48 #endif
  49 #ifdef CONFIG_IMA_APPRAISE
  50         {.name = XATTR_NAME_IMA},
  51 #endif
  52         {.name = XATTR_NAME_CAPS},
  53 };
  54
  55 LIST_HEAD(evm_config_xattrnames);
  56
  57 static int evm_fixmode __ro_after_init;
  58 static int __init evm_set_fixmode(char *str)
  59 {
  60         if (strncmp(str, "fix", 3) == 0)
  61                 evm_fixmode = 1;
  62         else
  63                 pr_err("invalid \"%s\" mode", str);
  64
  65         return 1;
  66 }
  67 __setup("evm=", evm_set_fixmode);
  68
  69 static void __init evm_init_config(void)
  70 {
  71         int i, xattrs;
  72
  73         xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
  74
  75         pr_info("Initialising EVM extended attributes:\n");
  76         for (i = 0; i < xattrs; i++) {
  77                 pr_info("%s\n", evm_config_default_xattrnames[i].name);
  78                 list_add_tail(&evm_config_default_xattrnames[i].list,
  79                               &evm_config_xattrnames);
  80         }
  81
  82 #ifdef CONFIG_EVM_ATTR_FSUUID
  83         evm_hmac_attrs |= EVM_ATTR_FSUUID;
  84 #endif
  85         pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
  86 }
  87
  88 static bool evm_key_loaded(void)
  89 {
  90         return (bool)(evm_initialized & EVM_KEY_MASK);
  91 }
  92
  93 static int evm_find_protected_xattrs(struct dentry *dentry)
  94 {
  95         struct inode *inode = d_backing_inode(dentry);
  96         struct xattr_list *xattr;
  97         int error;
  98         int count = 0;
  99
 100         if (!(inode->i_opflags & IOP_XATTR))
 101                 return -EOPNOTSUPP;
 102
 103         list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
 104                 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
 105                 if (error < 0) {
 106                         if (error == -ENODATA)
 107                                 continue;
 108                         return error;
 109                 }
 110                 count++;
 111         }
 112
 113         return count;
 114 }
 115
 116 /*
 117  * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
 118  *
 119  * Compute the HMAC on the dentry's protected set of extended attributes
 120  * and compare it against the stored security.evm xattr.
 121  *
 122  * For performance:
 123  * - use the previoulsy retrieved xattr value and length to calculate the
 124  *   HMAC.)
 125  * - cache the verification result in the iint, when available.
 126  *
 127  * Returns integrity status
 128  */
 129 static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 130                                              const char *xattr_name,
 131                                              char *xattr_value,
 132                                              size_t xattr_value_len,
 133                                              struct integrity_iint_cache *iint)
 134 {
 135         struct evm_ima_xattr_data *xattr_data = NULL;
 136         struct signature_v2_hdr *hdr;
 137         enum integrity_status evm_status = INTEGRITY_PASS;
 138         struct evm_digest digest;
 139         struct inode *inode;
 140         int rc, xattr_len;
 141
 142         if (iint && (iint->evm_status == INTEGRITY_PASS ||
 143                      iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
 144                 return iint->evm_status;
 145
 146         /* if status is not PASS, try to check again - against -ENOMEM */
 147
 148         /* first need to know the sig type */
 149         rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
 150                                 GFP_NOFS);
 151         if (rc <= 0) {
 152                 evm_status = INTEGRITY_FAIL;
 153                 if (rc == -ENODATA) {
 154                         rc = evm_find_protected_xattrs(dentry);
 155                         if (rc > 0)
 156                                 evm_status = INTEGRITY_NOLABEL;
 157                         else if (rc == 0)
 158                                 evm_status = INTEGRITY_NOXATTRS; /* new file */
 159                 } else if (rc == -EOPNOTSUPP) {
 160                         evm_status = INTEGRITY_UNKNOWN;
 161                 }
 162                 goto out;
 163         }
 164
 165         xattr_len = rc;
 166
 167         /* check value type */
 168         switch (xattr_data->type) {
 169         case EVM_XATTR_HMAC:
 170                 if (xattr_len != sizeof(struct evm_xattr)) {
 171                         evm_status = INTEGRITY_FAIL;
 172                         goto out;
 173                 }
 174
 175                 digest.hdr.algo = HASH_ALGO_SHA1;
 176                 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
 177                                    xattr_value_len, &digest);
 178                 if (rc)
 179                         break;
 180                 rc = crypto_memneq(xattr_data->data, digest.digest,
 181                                    SHA1_DIGEST_SIZE);
 182                 if (rc)
 183                         rc = -EINVAL;
 184                 break;
 185         case EVM_IMA_XATTR_DIGSIG:
 186         case EVM_XATTR_PORTABLE_DIGSIG:
 187                 /* accept xattr with non-empty signature field */
 188                 if (xattr_len <= sizeof(struct signature_v2_hdr)) {
 189                         evm_status = INTEGRITY_FAIL;
 190                         goto out;
 191                 }
 192
 193                 hdr = (struct signature_v2_hdr *)xattr_data;
 194                 digest.hdr.algo = hdr->hash_algo;
 195                 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
 196                                    xattr_value_len, xattr_data->type, &digest);
 197                 if (rc)
 198                         break;
 199                 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
 200                                         (const char *)xattr_data, xattr_len,
 201                                         digest.digest, digest.hdr.length);
 202                 if (!rc) {
 203                         inode = d_backing_inode(dentry);
 204
 205                         if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
 206                                 if (iint)
 207                                         iint->flags |= EVM_IMMUTABLE_DIGSIG;
 208                                 evm_status = INTEGRITY_PASS_IMMUTABLE;
 209                         } else if (!IS_RDONLY(inode) &&
 210                                    !(inode->i_sb->s_readonly_remount) &&
 211                                    !IS_IMMUTABLE(inode)) {
 212                                 evm_update_evmxattr(dentry, xattr_name,
 213                                                     xattr_value,
 214                                                     xattr_value_len);
 215                         }
 216                 }
 217                 break;
 218         default:
 219                 rc = -EINVAL;
 220                 break;
 221         }
 222
 223         if (rc)
 224                 evm_status = (rc == -ENODATA) ?
 225                                 INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
 226 out:
 227         if (iint)
 228                 iint->evm_status = evm_status;
 229         kfree(xattr_data);
 230         return evm_status;
 231 }
 232
 233 static int evm_protected_xattr(const char *req_xattr_name)
 234 {
 235         int namelen;
 236         int found = 0;
 237         struct xattr_list *xattr;
 238
 239         namelen = strlen(req_xattr_name);
 240         list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
 241                 if ((strlen(xattr->name) == namelen)
 242                     && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
 243                         found = 1;
 244                         break;
 245                 }
 246                 if (strncmp(req_xattr_name,
 247                             xattr->name + XATTR_SECURITY_PREFIX_LEN,
 248                             strlen(req_xattr_name)) == 0) {
 249                         found = 1;
 250                         break;
 251                 }
 252         }
 253
 254         return found;
 255 }
 256
 257 /**
 258  * evm_verifyxattr - verify the integrity of the requested xattr
 259  * @dentry: object of the verify xattr
 260  * @xattr_name: requested xattr
 261  * @xattr_value: requested xattr value
 262  * @xattr_value_len: requested xattr value length
 263  *
 264  * Calculate the HMAC for the given dentry and verify it against the stored
 265  * security.evm xattr. For performance, use the xattr value and length
 266  * previously retrieved to calculate the HMAC.
 267  *
 268  * Returns the xattr integrity status.
 269  *
 270  * This function requires the caller to lock the inode's i_mutex before it
 271  * is executed.
 272  */
 273 enum integrity_status evm_verifyxattr(struct dentry *dentry,
 274                                       const char *xattr_name,
 275                                       void *xattr_value, size_t xattr_value_len,
 276                                       struct integrity_iint_cache *iint)
 277 {
 278         if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
 279                 return INTEGRITY_UNKNOWN;
 280
 281         if (!iint) {
 282                 iint = integrity_iint_find(d_backing_inode(dentry));
 283                 if (!iint)
 284                         return INTEGRITY_UNKNOWN;
 285         }
 286         return evm_verify_hmac(dentry, xattr_name, xattr_value,
 287                                  xattr_value_len, iint);
 288 }
 289 EXPORT_SYMBOL_GPL(evm_verifyxattr);
 290
 291 /*
 292  * evm_verify_current_integrity - verify the dentry's metadata integrity
 293  * @dentry: pointer to the affected dentry
 294  *
 295  * Verify and return the dentry's metadata integrity. The exceptions are
 296  * before EVM is initialized or in 'fix' mode.
 297  */
 298 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
 299 {
 300         struct inode *inode = d_backing_inode(dentry);
 301
 302         if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
 303                 return 0;
 304         return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
 305 }
 306
 307 /*
 308  * evm_protect_xattr - protect the EVM extended attribute
 309  *
 310  * Prevent security.evm from being modified or removed without the
 311  * necessary permissions or when the existing value is invalid.
 312  *
 313  * The posix xattr acls are 'system' prefixed, which normally would not
 314  * affect security.evm.  An interesting side affect of writing posix xattr
 315  * acls is their modifying of the i_mode, which is included in security.evm.
 316  * For posix xattr acls only, permit security.evm, even if it currently
 317  * doesn't exist, to be updated unless the EVM signature is immutable.
 318  */
 319 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 320                              const void *xattr_value, size_t xattr_value_len)
 321 {
 322         enum integrity_status evm_status;
 323
 324         if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
 325                 if (!capable(CAP_SYS_ADMIN))
 326                         return -EPERM;
 327         } else if (!evm_protected_xattr(xattr_name)) {
 328                 if (!posix_xattr_acl(xattr_name))
 329                         return 0;
 330                 evm_status = evm_verify_current_integrity(dentry);
 331                 if ((evm_status == INTEGRITY_PASS) ||
 332                     (evm_status == INTEGRITY_NOXATTRS))
 333                         return 0;
 334                 goto out;
 335         }
 336
 337         evm_status = evm_verify_current_integrity(dentry);
 338         if (evm_status == INTEGRITY_NOXATTRS) {
 339                 struct integrity_iint_cache *iint;
 340
 341                 iint = integrity_iint_find(d_backing_inode(dentry));
 342                 if (iint && (iint->flags & IMA_NEW_FILE))
 343                         return 0;
 344
 345                 /* exception for pseudo filesystems */
 346                 if (dentry->d_sb->s_magic == TMPFS_MAGIC
 347                     || dentry->d_sb->s_magic == SYSFS_MAGIC)
 348                         return 0;
 349
 350                 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
 351                                     dentry->d_inode, dentry->d_name.name,
 352                                     "update_metadata",
 353                                     integrity_status_msg[evm_status],
 354                                     -EPERM, 0);
 355         }
 356 out:
 357         if (evm_status != INTEGRITY_PASS)
 358                 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 359                                     dentry->d_name.name, "appraise_metadata",
 360                                     integrity_status_msg[evm_status],
 361                                     -EPERM, 0);
 362         return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
 363 }
 364
 365 /**
 366  * evm_inode_setxattr - protect the EVM extended attribute
 367  * @dentry: pointer to the affected dentry
 368  * @xattr_name: pointer to the affected extended attribute name
 369  * @xattr_value: pointer to the new extended attribute value
 370  * @xattr_value_len: pointer to the new extended attribute value length
 371  *
 372  * Before allowing the 'security.evm' protected xattr to be updated,
 373  * verify the existing value is valid.  As only the kernel should have
 374  * access to the EVM encrypted key needed to calculate the HMAC, prevent
 375  * userspace from writing HMAC value.  Writing 'security.evm' requires
 376  * requires CAP_SYS_ADMIN privileges.
 377  */
 378 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 379                        const void *xattr_value, size_t xattr_value_len)
 380 {
 381         const struct evm_ima_xattr_data *xattr_data = xattr_value;
 382
 383         /* Policy permits modification of the protected xattrs even though
 384          * there's no HMAC key loaded
 385          */
 386         if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 387                 return 0;
 388
 389         if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
 390                 if (!xattr_value_len)
 391                         return -EINVAL;
 392                 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
 393                     xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
 394                         return -EPERM;
 395         }
 396         return evm_protect_xattr(dentry, xattr_name, xattr_value,
 397                                  xattr_value_len);
 398 }
 399
 400 /**
 401  * evm_inode_removexattr - protect the EVM extended attribute
 402  * @dentry: pointer to the affected dentry
 403  * @xattr_name: pointer to the affected extended attribute name
 404  *
 405  * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
 406  * the current value is valid.
 407  */
 408 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 409 {
 410         /* Policy permits modification of the protected xattrs even though
 411          * there's no HMAC key loaded
 412          */
 413         if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 414                 return 0;
 415
 416         return evm_protect_xattr(dentry, xattr_name, NULL, 0);
 417 }
 418
 419 static void evm_reset_status(struct inode *inode)
 420 {
 421         struct integrity_iint_cache *iint;
 422
 423         iint = integrity_iint_find(inode);
 424         if (iint)
 425                 iint->evm_status = INTEGRITY_UNKNOWN;
 426 }
 427
 428 /**
 429  * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
 430  * @dentry: pointer to the affected dentry
 431  * @xattr_name: pointer to the affected extended attribute name
 432  * @xattr_value: pointer to the new extended attribute value
 433  * @xattr_value_len: pointer to the new extended attribute value length
 434  *
 435  * Update the HMAC stored in 'security.evm' to reflect the change.
 436  *
 437  * No need to take the i_mutex lock here, as this function is called from
 438  * __vfs_setxattr_noperm().  The caller of which has taken the inode's
 439  * i_mutex lock.
 440  */
 441 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 442                              const void *xattr_value, size_t xattr_value_len)
 443 {
 444         if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
 445                                   && !posix_xattr_acl(xattr_name)))
 446                 return;
 447
 448         evm_reset_status(dentry->d_inode);
 449
 450         evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
 451 }
 452
 453 /**
 454  * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
 455  * @dentry: pointer to the affected dentry
 456  * @xattr_name: pointer to the affected extended attribute name
 457  *
 458  * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
 459  *
 460  * No need to take the i_mutex lock here, as this function is called from
 461  * vfs_removexattr() which takes the i_mutex.
 462  */
 463 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 464 {
 465         if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
 466                 return;
 467
 468         evm_reset_status(dentry->d_inode);
 469
 470         evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 471 }
 472
 473 /**
 474  * evm_inode_setattr - prevent updating an invalid EVM extended attribute
 475  * @dentry: pointer to the affected dentry
 476  *
 477  * Permit update of file attributes when files have a valid EVM signature,
 478  * except in the case of them having an immutable portable signature.
 479  */
 480 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 481 {
 482         unsigned int ia_valid = attr->ia_valid;
 483         enum integrity_status evm_status;
 484
 485         /* Policy permits modification of the protected attrs even though
 486          * there's no HMAC key loaded
 487          */
 488         if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 489                 return 0;
 490
 491         if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
 492                 return 0;
 493         evm_status = evm_verify_current_integrity(dentry);
 494         if ((evm_status == INTEGRITY_PASS) ||
 495             (evm_status == INTEGRITY_NOXATTRS))
 496                 return 0;
 497         integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 498                             dentry->d_name.name, "appraise_metadata",
 499                             integrity_status_msg[evm_status], -EPERM, 0);
 500         return -EPERM;
 501 }
 502
 503 /**
 504  * evm_inode_post_setattr - update 'security.evm' after modifying metadata
 505  * @dentry: pointer to the affected dentry
 506  * @ia_valid: for the UID and GID status
 507  *
 508  * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
 509  * changes.
 510  *
 511  * This function is called from notify_change(), which expects the caller
 512  * to lock the inode's i_mutex.
 513  */
 514 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 515 {
 516         if (!evm_key_loaded())
 517                 return;
 518
 519         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
 520                 evm_update_evmxattr(dentry, NULL, NULL, 0);
 521 }
 522
 523 /*
 524  * evm_inode_init_security - initializes security.evm HMAC value
 525  */
 526 int evm_inode_init_security(struct inode *inode,
 527                                  const struct xattr *lsm_xattr,
 528                                  struct xattr *evm_xattr)
 529 {
 530         struct evm_xattr *xattr_data;
 531         int rc;
 532
 533         if (!(evm_initialized & EVM_INIT_HMAC) ||
 534             !evm_protected_xattr(lsm_xattr->name))
 535                 return 0;
 536
 537         xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
 538         if (!xattr_data)
 539                 return -ENOMEM;
 540
 541         xattr_data->data.type = EVM_XATTR_HMAC;
 542         rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
 543         if (rc < 0)
 544                 goto out;
 545
 546         evm_xattr->value = xattr_data;
 547         evm_xattr->value_len = sizeof(*xattr_data);
 548         evm_xattr->name = XATTR_EVM_SUFFIX;
 549         return 0;
 550 out:
 551         kfree(xattr_data);
 552         return rc;
 553 }
 554 EXPORT_SYMBOL_GPL(evm_inode_init_security);
 555
 556 #ifdef CONFIG_EVM_LOAD_X509
 557 void __init evm_load_x509(void)
 558 {
 559         int rc;
 560
 561         rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
 562         if (!rc)
 563                 evm_initialized |= EVM_INIT_X509;
 564 }
 565 #endif
 566
 567 static int __init init_evm(void)
 568 {
 569         int error;
 570         struct list_head *pos, *q;
 571
 572         evm_init_config();
 573
 574         error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
 575         if (error)
 576                 goto error;
 577
 578         error = evm_init_secfs();
 579         if (error < 0) {
 580                 pr_info("Error registering secfs\n");
 581                 goto error;
 582         }
 583
 584 error:
 585         if (error != 0) {
 586                 if (!list_empty(&evm_config_xattrnames)) {
 587                         list_for_each_safe(pos, q, &evm_config_xattrnames)
 588                                 list_del(pos);
 589                 }
 590         }
 591
 592         return error;
 593 }
 594
 595 late_initcall(init_evm);