projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
evm: Move to LSM infrastructure
[linux-2.6-block.git] / security / integrity / evm / evm_main.c
CommitLineData
b886d83c 1// SPDX-License-Identifier: GPL-2.0-only
66dbc325
MZ		 2/*
3 * Copyright (C) 2005-2010 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
7 * Kylene Hall <kjhall@us.ibm.com>
8 *
66dbc325
MZ		 9 * File: evm_main.c
10 * implements evm_inode_setxattr, evm_inode_post_setxattr,
e61b135f 11 * evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl.
66dbc325
MZ		 12 */
13
87ac3d00
MZ		 14#define pr_fmt(fmt) "EVM: "fmt
15
3aafb1fb 16#include <linux/init.h>
9b97b6cd 17#include <linux/audit.h>
66dbc325
MZ		 18#include <linux/xattr.h>
19#include <linux/integrity.h>
3e1be52d 20#include <linux/evm.h>
50d34394 21#include <linux/magic.h>
1886ab01 22#include <linux/posix_acl_xattr.h>
6db7d1de 23#include <linux/lsm_hooks.h>
50d34394 24
d46eb369 25#include <crypto/hash.h>
5feeb611 26#include <crypto/hash_info.h>
aa7c98b1 27#include <crypto/utils.h>
66dbc325
MZ		 28#include "evm.h"
29
30int evm_initialized;
31
17d7b0af 32static const char * const integrity_status_msg[] = {
cdef685b
RS		 33 "pass", "pass_immutable", "fail", "fail_immutable", "no_label",
34 "no_xattrs", "unknown"
9b97b6cd 35};
d3b33679 36int evm_hmac_attrs;
66dbc325 37
fa516b66 38static struct xattr_list evm_config_default_xattrnames[] = {
c808a6ec
XJ		 39 {
40 .name = XATTR_NAME_SELINUX,
41 .enabled = IS_ENABLED(CONFIG_SECURITY_SELINUX)
8c7a703e 42 },
c808a6ec
XJ		 43 {
44 .name = XATTR_NAME_SMACK,
45 .enabled = IS_ENABLED(CONFIG_SECURITY_SMACK)
8c7a703e 46 },
c808a6ec
XJ		 47 {
48 .name = XATTR_NAME_SMACKEXEC,
49 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
8c7a703e 50 },
c808a6ec
XJ		 51 {
52 .name = XATTR_NAME_SMACKTRANSMUTE,
53 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
8c7a703e 54 },
c808a6ec
XJ		 55 {
56 .name = XATTR_NAME_SMACKMMAP,
57 .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS)
8c7a703e 58 },
c808a6ec
XJ		 59 {
60 .name = XATTR_NAME_APPARMOR,
61 .enabled = IS_ENABLED(CONFIG_SECURITY_APPARMOR)
8c7a703e 62 },
c808a6ec
XJ		 63 {
64 .name = XATTR_NAME_IMA,
65 .enabled = IS_ENABLED(CONFIG_IMA_APPRAISE)
8c7a703e 66 },
c808a6ec
XJ		 67 {
68 .name = XATTR_NAME_CAPS,
8c7a703e
RS		 69 .enabled = true
70 },
66dbc325
MZ		 71};
72
21af7663
MG		 73LIST_HEAD(evm_config_xattrnames);
74
32ba540f 75static int evm_fixmode __ro_after_init;
7102ebcd
MZ		 76static int __init evm_set_fixmode(char *str)
77{
78 if (strncmp(str, "fix", 3) == 0)
79 evm_fixmode = 1;
7fe2bb7e
BM		 80 else
81 pr_err("invalid \"%s\" mode", str);
82
f2544f5e 83 return 1;
7102ebcd
MZ		 84}
85__setup("evm=", evm_set_fixmode);
86
d3b33679
DK		 87static void __init evm_init_config(void)
88{
21af7663
MG		 89 int i, xattrs;
90
91 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
92
93 pr_info("Initialising EVM extended attributes:\n");
94 for (i = 0; i < xattrs; i++) {
8c7a703e
RS		 95 pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
96 !evm_config_default_xattrnames[i].enabled ?
97 " (disabled)" : "");
21af7663
MG		 98 list_add_tail(&evm_config_default_xattrnames[i].list,
99 &evm_config_xattrnames);
100 }
101
d3b33679
DK		 102#ifdef CONFIG_EVM_ATTR_FSUUID
103 evm_hmac_attrs |= EVM_ATTR_FSUUID;
104#endif
105 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
106}
107
ae1ba167
MG		 108static bool evm_key_loaded(void)
109{
110 return (bool)(evm_initialized & EVM_KEY_MASK);
111}
112
4a804b8a
RS		 113/*
114 * This function determines whether or not it is safe to ignore verification
115 * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
116 * is not loaded, and it cannot be loaded in the future due to the
117 * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
118 * attrs/xattrs being found invalid will not make them valid.
119 */
120static bool evm_hmac_disabled(void)
121{
122 if (evm_initialized & EVM_INIT_HMAC)
123 return false;
124
125 if (!(evm_initialized & EVM_SETUP_COMPLETE))
126 return false;
127
128 return true;
129}
130
15647eb3
DK		 131static int evm_find_protected_xattrs(struct dentry *dentry)
132{
c6f493d6 133 struct inode *inode = d_backing_inode(dentry);
21af7663 134 struct xattr_list *xattr;
15647eb3
DK		 135 int error;
136 int count = 0;
137
5d6c3191 138 if (!(inode->i_opflags & IOP_XATTR))
15647eb3
DK		 139 return -EOPNOTSUPP;
140
770f6058 141 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
21af7663 142 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
15647eb3
DK		 143 if (error < 0) {
144 if (error == -ENODATA)
145 continue;
146 return error;
147 }
148 count++;
149 }
150
151 return count;
152}
153
cd708c93
MZ		 154static int is_unsupported_fs(struct dentry *dentry)
155{
156 struct inode *inode = d_backing_inode(dentry);
157
158 if (inode->i_sb->s_iflags & SB_I_EVM_UNSUPPORTED) {
159 pr_info_once("%s not supported\n", inode->i_sb->s_type->name);
160 return 1;
161 }
162 return 0;
163}
164
66dbc325
MZ		 165/*
166 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
167 *
168 * Compute the HMAC on the dentry's protected set of extended attributes
7102ebcd
MZ		 169 * and compare it against the stored security.evm xattr.
170 *
171 * For performance:
172 * - use the previoulsy retrieved xattr value and length to calculate the
173 * HMAC.)
174 * - cache the verification result in the iint, when available.
66dbc325
MZ		 175 *
176 * Returns integrity status
177 */
178static enum integrity_status evm_verify_hmac(struct dentry *dentry,
179 const char *xattr_name,
180 char *xattr_value,
181 size_t xattr_value_len,
182 struct integrity_iint_cache *iint)
183{
15647eb3 184 struct evm_ima_xattr_data *xattr_data = NULL;
5feeb611 185 struct signature_v2_hdr *hdr;
566be59a 186 enum integrity_status evm_status = INTEGRITY_PASS;
5feeb611 187 struct evm_digest digest;
70946c4a 188 struct inode *inode;
cdef685b 189 int rc, xattr_len, evm_immutable = 0;
66dbc325 190
50b97748
MG		 191 if (iint && (iint->evm_status == INTEGRITY_PASS ||
192 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
24e0198e 193 return iint->evm_status;
66dbc325 194
cd708c93
MZ		 195 if (is_unsupported_fs(dentry))
196 return INTEGRITY_UNKNOWN;
197
6d38ca01
DK		 198 /* if status is not PASS, try to check again - against -ENOMEM */
199
15647eb3 200 /* first need to know the sig type */
4609e1f1 201 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_EVM,
c7c7a1a1 202 (char **)&xattr_data, 0, GFP_NOFS);
15647eb3 203 if (rc <= 0) {
1f100979
DK		 204 evm_status = INTEGRITY_FAIL;
205 if (rc == -ENODATA) {
15647eb3
DK		 206 rc = evm_find_protected_xattrs(dentry);
207 if (rc > 0)
208 evm_status = INTEGRITY_NOLABEL;
209 else if (rc == 0)
210 evm_status = INTEGRITY_NOXATTRS; /* new file */
1f100979
DK		 211 } else if (rc == -EOPNOTSUPP) {
212 evm_status = INTEGRITY_UNKNOWN;
15647eb3 213 }
566be59a
MZ		 214 goto out;
215 }
66dbc325 216
b1aaab22 217 xattr_len = rc;
15647eb3
DK		 218
219 /* check value type */
220 switch (xattr_data->type) {
221 case EVM_XATTR_HMAC:
650b29db 222 if (xattr_len != sizeof(struct evm_xattr)) {
b4bfec7f
SF		 223 evm_status = INTEGRITY_FAIL;
224 goto out;
225 }
5feeb611
MG		 226
227 digest.hdr.algo = HASH_ALGO_SHA1;
15647eb3 228 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
5feeb611 229 xattr_value_len, &digest);
15647eb3
DK		 230 if (rc)
231 break;
650b29db 232 rc = crypto_memneq(xattr_data->data, digest.digest,
5feeb611 233 SHA1_DIGEST_SIZE);
15647eb3
DK		 234 if (rc)
235 rc = -EINVAL;
236 break;
50b97748 237 case EVM_XATTR_PORTABLE_DIGSIG:
cdef685b
RS		 238 evm_immutable = 1;
239 fallthrough;
240 case EVM_IMA_XATTR_DIGSIG:
455b6c91
RS		 241 /* accept xattr with non-empty signature field */
242 if (xattr_len <= sizeof(struct signature_v2_hdr)) {
243 evm_status = INTEGRITY_FAIL;
244 goto out;
245 }
246
5feeb611
MG		 247 hdr = (struct signature_v2_hdr *)xattr_data;
248 digest.hdr.algo = hdr->hash_algo;
15647eb3 249 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
5feeb611 250 xattr_value_len, xattr_data->type, &digest);
15647eb3
DK		 251 if (rc)
252 break;
253 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
b1aaab22 254 (const char *)xattr_data, xattr_len,
5feeb611 255 digest.digest, digest.hdr.length);
15647eb3 256 if (!rc) {
70946c4a
SH		 257 inode = d_backing_inode(dentry);
258
50b97748
MG		 259 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
260 if (iint)
261 iint->flags |= EVM_IMMUTABLE_DIGSIG;
262 evm_status = INTEGRITY_PASS_IMMUTABLE;
70946c4a
SH		 263 } else if (!IS_RDONLY(inode) &&
264 !(inode->i_sb->s_readonly_remount) &&
265 !IS_IMMUTABLE(inode)) {
c2baec7f
DK		 266 evm_update_evmxattr(dentry, xattr_name,
267 xattr_value,
268 xattr_value_len);
50b97748 269 }
15647eb3
DK		 270 }
271 break;
272 default:
273 rc = -EINVAL;
274 break;
275 }
276
cdef685b
RS		 277 if (rc) {
278 if (rc == -ENODATA)
279 evm_status = INTEGRITY_NOXATTRS;
280 else if (evm_immutable)
281 evm_status = INTEGRITY_FAIL_IMMUTABLE;
282 else
283 evm_status = INTEGRITY_FAIL;
284 }
87ac3d00
MZ		 285 pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
286 digest.digest);
7102ebcd
MZ		 287out:
288 if (iint)
289 iint->evm_status = evm_status;
15647eb3 290 kfree(xattr_data);
7102ebcd 291 return evm_status;
66dbc325
MZ		 292}
293
8c7a703e
RS		 294static int evm_protected_xattr_common(const char *req_xattr_name,
295 bool all_xattrs)
66dbc325 296{
66dbc325
MZ		 297 int namelen;
298 int found = 0;
21af7663 299 struct xattr_list *xattr;
66dbc325
MZ		 300
301 namelen = strlen(req_xattr_name);
770f6058 302 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
8c7a703e
RS		 303 if (!all_xattrs && !xattr->enabled)
304 continue;
305
21af7663
MG		 306 if ((strlen(xattr->name) == namelen)
307 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
66dbc325
MZ		 308 found = 1;
309 break;
310 }
cb723180 311 if (strncmp(req_xattr_name,
21af7663 312 xattr->name + XATTR_SECURITY_PREFIX_LEN,
cb723180
MZ		 313 strlen(req_xattr_name)) == 0) {
314 found = 1;
315 break;
316 }
66dbc325 317 }
21af7663 318
66dbc325
MZ		 319 return found;
320}
321
c31288e5 322int evm_protected_xattr(const char *req_xattr_name)
8c7a703e
RS		 323{
324 return evm_protected_xattr_common(req_xattr_name, false);
325}
326
327int evm_protected_xattr_if_enabled(const char *req_xattr_name)
328{
329 return evm_protected_xattr_common(req_xattr_name, true);
330}
331
8314b673
RS		 332/**
333 * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
334 * @dentry: dentry of the read xattrs
8314b673
RS		 335 * @buffer: buffer xattr names, lengths or values are copied to
336 * @buffer_size: size of buffer
337 * @type: n: names, l: lengths, v: values
338 * @canonical_fmt: data format (true: little endian, false: native format)
339 *
340 * Read protected xattr names (separated by |), lengths (u32) or values for a
341 * given dentry and return the total size of copied data. If buffer is NULL,
342 * just return the total size.
343 *
344 * Returns the total size on success, a negative value on error.
345 */
346int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
347 int buffer_size, char type, bool canonical_fmt)
348{
349 struct xattr_list *xattr;
350 int rc, size, total_size = 0;
351
352 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
353 rc = __vfs_getxattr(dentry, d_backing_inode(dentry),
354 xattr->name, NULL, 0);
355 if (rc < 0 && rc == -ENODATA)
356 continue;
357 else if (rc < 0)
358 return rc;
359
360 switch (type) {
361 case 'n':
362 size = strlen(xattr->name) + 1;
363 if (buffer) {
364 if (total_size)
365 *(buffer + total_size - 1) = '|';
366
367 memcpy(buffer + total_size, xattr->name, size);
368 }
369 break;
370 case 'l':
371 size = sizeof(u32);
372 if (buffer) {
373 if (canonical_fmt)
6b26285f 374 rc = (__force int)cpu_to_le32(rc);
8314b673
RS		 375
376 *(u32 *)(buffer + total_size) = rc;
377 }
378 break;
379 case 'v':
380 size = rc;
381 if (buffer) {
382 rc = __vfs_getxattr(dentry,
383 d_backing_inode(dentry), xattr->name,
384 buffer + total_size,
385 buffer_size - total_size);
386 if (rc < 0)
387 return rc;
388 }
389 break;
390 default:
391 return -EINVAL;
392 }
393
394 total_size += size;
395 }
396
397 return total_size;
398}
399
66dbc325
MZ		 400/**
401 * evm_verifyxattr - verify the integrity of the requested xattr
402 * @dentry: object of the verify xattr
403 * @xattr_name: requested xattr
404 * @xattr_value: requested xattr value
405 * @xattr_value_len: requested xattr value length
996e0a97 406 * @iint: inode integrity metadata
66dbc325
MZ		 407 *
408 * Calculate the HMAC for the given dentry and verify it against the stored
409 * security.evm xattr. For performance, use the xattr value and length
410 * previously retrieved to calculate the HMAC.
411 *
412 * Returns the xattr integrity status.
413 *
414 * This function requires the caller to lock the inode's i_mutex before it
415 * is executed.
416 */
417enum integrity_status evm_verifyxattr(struct dentry *dentry,
418 const char *xattr_name,
2960e6cb
DK		 419 void *xattr_value, size_t xattr_value_len,
420 struct integrity_iint_cache *iint)
66dbc325 421{
ae1ba167 422 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
66dbc325
MZ		 423 return INTEGRITY_UNKNOWN;
424
cd708c93
MZ		 425 if (is_unsupported_fs(dentry))
426 return INTEGRITY_UNKNOWN;
427
2960e6cb 428 if (!iint) {
c6f493d6 429 iint = integrity_iint_find(d_backing_inode(dentry));
2960e6cb
DK		 430 if (!iint)
431 return INTEGRITY_UNKNOWN;
432 }
433 return evm_verify_hmac(dentry, xattr_name, xattr_value,
66dbc325 434 xattr_value_len, iint);
66dbc325
MZ		 435}
436EXPORT_SYMBOL_GPL(evm_verifyxattr);
437
7102ebcd
MZ		 438/*
439 * evm_verify_current_integrity - verify the dentry's metadata integrity
440 * @dentry: pointer to the affected dentry
441 *
442 * Verify and return the dentry's metadata integrity. The exceptions are
443 * before EVM is initialized or in 'fix' mode.
444 */
445static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
446{
c6f493d6 447 struct inode *inode = d_backing_inode(dentry);
7102ebcd 448
ae1ba167 449 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
e11afdbb 450 return INTEGRITY_PASS;
7102ebcd
MZ		 451 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
452}
453
1886ab01
RS		 454/*
455 * evm_xattr_change - check if passed xattr value differs from current value
39f60c1c 456 * @idmap: idmap of the mount
1886ab01
RS		 457 * @dentry: pointer to the affected dentry
458 * @xattr_name: requested xattr
459 * @xattr_value: requested xattr value
460 * @xattr_value_len: requested xattr value length
461 *
462 * Check if passed xattr value differs from current value.
463 *
464 * Returns 1 if passed xattr value differs from current value, 0 otherwise.
465 */
39f60c1c 466static int evm_xattr_change(struct mnt_idmap *idmap,
1886ab01
RS		 467 struct dentry *dentry, const char *xattr_name,
468 const void *xattr_value, size_t xattr_value_len)
469{
470 char *xattr_data = NULL;
471 int rc = 0;
472
4609e1f1 473 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr_name, &xattr_data,
1886ab01 474 0, GFP_NOFS);
f6fbd8cb
PM		 475 if (rc < 0) {
476 rc = 1;
477 goto out;
478 }
1886ab01
RS		 479
480 if (rc == xattr_value_len)
481 rc = !!memcmp(xattr_value, xattr_data, rc);
482 else
483 rc = 1;
484
f6fbd8cb 485out:
1886ab01
RS		 486 kfree(xattr_data);
487 return rc;
488}
489
a924ce0b
MZ		 490/*
491 * evm_protect_xattr - protect the EVM extended attribute
492 *
bf6d0f5d
MZ		 493 * Prevent security.evm from being modified or removed without the
494 * necessary permissions or when the existing value is invalid.
495 *
496 * The posix xattr acls are 'system' prefixed, which normally would not
497 * affect security.evm. An interesting side affect of writing posix xattr
498 * acls is their modifying of the i_mode, which is included in security.evm.
499 * For posix xattr acls only, permit security.evm, even if it currently
50b97748 500 * doesn't exist, to be updated unless the EVM signature is immutable.
a924ce0b 501 */
39f60c1c 502static int evm_protect_xattr(struct mnt_idmap *idmap,
7e135dc7 503 struct dentry *dentry, const char *xattr_name,
a924ce0b
MZ		 504 const void *xattr_value, size_t xattr_value_len)
505{
506 enum integrity_status evm_status;
507
508 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
509 if (!capable(CAP_SYS_ADMIN))
510 return -EPERM;
cd708c93
MZ		 511 if (is_unsupported_fs(dentry))
512 return -EPERM;
bf6d0f5d
MZ		 513 } else if (!evm_protected_xattr(xattr_name)) {
514 if (!posix_xattr_acl(xattr_name))
515 return 0;
cd708c93
MZ		 516 if (is_unsupported_fs(dentry))
517 return 0;
518
bf6d0f5d
MZ		 519 evm_status = evm_verify_current_integrity(dentry);
520 if ((evm_status == INTEGRITY_PASS) ||
566be59a 521 (evm_status == INTEGRITY_NOXATTRS))
bf6d0f5d 522 return 0;
9b97b6cd 523 goto out;
cd708c93
MZ		 524 } else if (is_unsupported_fs(dentry))
525 return 0;
ae1ba167 526
a924ce0b 527 evm_status = evm_verify_current_integrity(dentry);
3dcbad52
DK		 528 if (evm_status == INTEGRITY_NOXATTRS) {
529 struct integrity_iint_cache *iint;
530
4a804b8a
RS		 531 /* Exception if the HMAC is not going to be calculated. */
532 if (evm_hmac_disabled())
533 return 0;
534
c6f493d6 535 iint = integrity_iint_find(d_backing_inode(dentry));
3dcbad52
DK		 536 if (iint && (iint->flags & IMA_NEW_FILE))
537 return 0;
5101a185
MZ		 538
539 /* exception for pseudo filesystems */
fc64005c
AV		 540 if (dentry->d_sb->s_magic == TMPFS_MAGIC
541 || dentry->d_sb->s_magic == SYSFS_MAGIC)
5101a185
MZ		 542 return 0;
543
544 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
545 dentry->d_inode, dentry->d_name.name,
546 "update_metadata",
547 integrity_status_msg[evm_status],
548 -EPERM, 0);
3dcbad52 549 }
9b97b6cd 550out:
4a804b8a
RS		 551 /* Exception if the HMAC is not going to be calculated. */
552 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
553 evm_status == INTEGRITY_UNKNOWN))
554 return 0;
cdef685b
RS		 555
556 /*
557 * Writing other xattrs is safe for portable signatures, as portable
558 * signatures are immutable and can never be updated.
559 */
560 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
561 return 0;
562
1886ab01 563 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
39f60c1c 564 !evm_xattr_change(idmap, dentry, xattr_name, xattr_value,
1886ab01
RS		 565 xattr_value_len))
566 return 0;
567
568 if (evm_status != INTEGRITY_PASS &&
569 evm_status != INTEGRITY_PASS_IMMUTABLE)
c6f493d6 570 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
9b97b6cd
MZ		 571 dentry->d_name.name, "appraise_metadata",
572 integrity_status_msg[evm_status],
573 -EPERM, 0);
a924ce0b
MZ		 574 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
575}
576
66dbc325
MZ		 577/**
578 * evm_inode_setxattr - protect the EVM extended attribute
39f60c1c 579 * @idmap: idmap of the mount
66dbc325
MZ		 580 * @dentry: pointer to the affected dentry
581 * @xattr_name: pointer to the affected extended attribute name
582 * @xattr_value: pointer to the new extended attribute value
583 * @xattr_value_len: pointer to the new extended attribute value length
2b6a4054 584 * @flags: flags to pass into filesystem operations
66dbc325 585 *
2fb1c9a4
MZ		 586 * Before allowing the 'security.evm' protected xattr to be updated,
587 * verify the existing value is valid. As only the kernel should have
588 * access to the EVM encrypted key needed to calculate the HMAC, prevent
589 * userspace from writing HMAC value. Writing 'security.evm' requires
590 * requires CAP_SYS_ADMIN privileges.
66dbc325 591 */
92383111
RS		 592static int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
593 const char *xattr_name, const void *xattr_value,
594 size_t xattr_value_len, int flags)
66dbc325 595{
2fb1c9a4
MZ		 596 const struct evm_ima_xattr_data *xattr_data = xattr_value;
597
ae1ba167
MG		 598 /* Policy permits modification of the protected xattrs even though
599 * there's no HMAC key loaded
600 */
601 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
602 return 0;
603
3b1deef6
DK		 604 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
605 if (!xattr_value_len)
606 return -EINVAL;
50b97748
MG		 607 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
608 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
3b1deef6
DK		 609 return -EPERM;
610 }
39f60c1c 611 return evm_protect_xattr(idmap, dentry, xattr_name, xattr_value,
a924ce0b 612 xattr_value_len);
66dbc325
MZ		 613}
614
615/**
616 * evm_inode_removexattr - protect the EVM extended attribute
39f60c1c 617 * @idmap: idmap of the mount
66dbc325
MZ		 618 * @dentry: pointer to the affected dentry
619 * @xattr_name: pointer to the affected extended attribute name
620 *
7102ebcd
MZ		 621 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
622 * the current value is valid.
66dbc325 623 */
92383111
RS		 624static int evm_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
625 const char *xattr_name)
66dbc325 626{
ae1ba167
MG		 627 /* Policy permits modification of the protected xattrs even though
628 * there's no HMAC key loaded
629 */
630 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
631 return 0;
632
39f60c1c 633 return evm_protect_xattr(idmap, dentry, xattr_name, NULL, 0);
66dbc325
MZ		 634}
635
e61b135f 636#ifdef CONFIG_FS_POSIX_ACL
700b7940 637static int evm_inode_set_acl_change(struct mnt_idmap *idmap,
e61b135f
CB		 638 struct dentry *dentry, const char *name,
639 struct posix_acl *kacl)
640{
641 int rc;
642
643 umode_t mode;
644 struct inode *inode = d_backing_inode(dentry);
645
646 if (!kacl)
647 return 1;
648
700b7940 649 rc = posix_acl_update_mode(idmap, inode, &mode, &kacl);
e61b135f
CB		 650 if (rc || (inode->i_mode != mode))
651 return 1;
652
653 return 0;
654}
655#else
700b7940 656static inline int evm_inode_set_acl_change(struct mnt_idmap *idmap,
e61b135f
CB		 657 struct dentry *dentry,
658 const char *name,
659 struct posix_acl *kacl)
660{
661 return 0;
662}
663#endif
664
665/**
666 * evm_inode_set_acl - protect the EVM extended attribute from posix acls
700b7940 667 * @idmap: idmap of the idmapped mount
e61b135f
CB		 668 * @dentry: pointer to the affected dentry
669 * @acl_name: name of the posix acl
670 * @kacl: pointer to the posix acls
671 *
672 * Prevent modifying posix acls causing the EVM HMAC to be re-calculated
673 * and 'security.evm' xattr updated, unless the existing 'security.evm' is
674 * valid.
92383111
RS		 675 *
676 * Return: zero on success, -EPERM on failure.
e61b135f 677 */
92383111
RS		 678static int evm_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
679 const char *acl_name, struct posix_acl *kacl)
e61b135f
CB		 680{
681 enum integrity_status evm_status;
682
683 /* Policy permits modification of the protected xattrs even though
684 * there's no HMAC key loaded
685 */
686 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
687 return 0;
688
689 evm_status = evm_verify_current_integrity(dentry);
690 if ((evm_status == INTEGRITY_PASS) ||
691 (evm_status == INTEGRITY_NOXATTRS))
692 return 0;
693
694 /* Exception if the HMAC is not going to be calculated. */
695 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
696 evm_status == INTEGRITY_UNKNOWN))
697 return 0;
698
699 /*
700 * Writing other xattrs is safe for portable signatures, as portable
701 * signatures are immutable and can never be updated.
702 */
703 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
704 return 0;
705
706 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
700b7940 707 !evm_inode_set_acl_change(idmap, dentry, acl_name, kacl))
e61b135f
CB		 708 return 0;
709
16257cf6 710 if (evm_status != INTEGRITY_PASS_IMMUTABLE)
e61b135f
CB		 711 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
712 dentry->d_name.name, "appraise_metadata",
713 integrity_status_msg[evm_status],
714 -EPERM, 0);
16257cf6 715 return -EPERM;
e61b135f
CB		 716}
717
92383111
RS		 718/**
719 * evm_inode_remove_acl - Protect the EVM extended attribute from posix acls
720 * @idmap: idmap of the mount
721 * @dentry: pointer to the affected dentry
722 * @acl_name: name of the posix acl
723 *
724 * Prevent removing posix acls causing the EVM HMAC to be re-calculated
725 * and 'security.evm' xattr updated, unless the existing 'security.evm' is
726 * valid.
727 *
728 * Return: zero on success, -EPERM on failure.
729 */
730static int evm_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
731 const char *acl_name)
732{
733 return evm_inode_set_acl(idmap, dentry, acl_name, NULL);
734}
735
523b74b1
DK		 736static void evm_reset_status(struct inode *inode)
737{
738 struct integrity_iint_cache *iint;
739
740 iint = integrity_iint_find(inode);
741 if (iint)
742 iint->evm_status = INTEGRITY_UNKNOWN;
743}
744
e3ccfe1a
RS		 745/**
746 * evm_revalidate_status - report whether EVM status re-validation is necessary
747 * @xattr_name: pointer to the affected extended attribute name
748 *
749 * Report whether callers of evm_verifyxattr() should re-validate the
750 * EVM status.
751 *
752 * Return true if re-validation is necessary, false otherwise.
753 */
754bool evm_revalidate_status(const char *xattr_name)
755{
756 if (!evm_key_loaded())
757 return false;
758
759 /* evm_inode_post_setattr() passes NULL */
760 if (!xattr_name)
761 return true;
762
763 if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
764 strcmp(xattr_name, XATTR_NAME_EVM))
765 return false;
766
767 return true;
768}
769
66dbc325
MZ		 770/**
771 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
772 * @dentry: pointer to the affected dentry
773 * @xattr_name: pointer to the affected extended attribute name
774 * @xattr_value: pointer to the new extended attribute value
775 * @xattr_value_len: pointer to the new extended attribute value length
779cb194 776 * @flags: flags to pass into filesystem operations
66dbc325
MZ		 777 *
778 * Update the HMAC stored in 'security.evm' to reflect the change.
779 *
780 * No need to take the i_mutex lock here, as this function is called from
781 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
782 * i_mutex lock.
783 */
92383111
RS		 784static void evm_inode_post_setxattr(struct dentry *dentry,
785 const char *xattr_name,
786 const void *xattr_value,
787 size_t xattr_value_len,
788 int flags)
66dbc325 789{
e3ccfe1a 790 if (!evm_revalidate_status(xattr_name))
66dbc325
MZ		 791 return;
792
523b74b1
DK		 793 evm_reset_status(dentry->d_inode);
794
e3ccfe1a
RS		 795 if (!strcmp(xattr_name, XATTR_NAME_EVM))
796 return;
797
4a804b8a
RS		 798 if (!(evm_initialized & EVM_INIT_HMAC))
799 return;
800
cd708c93
MZ		 801 if (is_unsupported_fs(dentry))
802 return;
803
66dbc325 804 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
66dbc325
MZ		 805}
806
92383111
RS		 807/**
808 * evm_inode_post_set_acl - Update the EVM extended attribute from posix acls
809 * @dentry: pointer to the affected dentry
810 * @acl_name: name of the posix acl
811 * @kacl: pointer to the posix acls
812 *
813 * Update the 'security.evm' xattr with the EVM HMAC re-calculated after setting
814 * posix acls.
815 */
816static void evm_inode_post_set_acl(struct dentry *dentry, const char *acl_name,
817 struct posix_acl *kacl)
818{
819 return evm_inode_post_setxattr(dentry, acl_name, NULL, 0, 0);
820}
821
66dbc325
MZ		 822/**
823 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
824 * @dentry: pointer to the affected dentry
825 * @xattr_name: pointer to the affected extended attribute name
826 *
827 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
7c51bb00
DK		 828 *
829 * No need to take the i_mutex lock here, as this function is called from
830 * vfs_removexattr() which takes the i_mutex.
66dbc325 831 */
92383111
RS		 832static void evm_inode_post_removexattr(struct dentry *dentry,
833 const char *xattr_name)
66dbc325 834{
e3ccfe1a 835 if (!evm_revalidate_status(xattr_name))
66dbc325
MZ		 836 return;
837
523b74b1
DK		 838 evm_reset_status(dentry->d_inode);
839
e3ccfe1a
RS		 840 if (!strcmp(xattr_name, XATTR_NAME_EVM))
841 return;
842
4a804b8a
RS		 843 if (!(evm_initialized & EVM_INIT_HMAC))
844 return;
845
66dbc325 846 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
66dbc325
MZ		 847}
848
92383111
RS		 849/**
850 * evm_inode_post_remove_acl - Update the EVM extended attribute from posix acls
851 * @idmap: idmap of the mount
852 * @dentry: pointer to the affected dentry
853 * @acl_name: name of the posix acl
854 *
855 * Update the 'security.evm' xattr with the EVM HMAC re-calculated after
856 * removing posix acls.
857 */
858static inline void evm_inode_post_remove_acl(struct mnt_idmap *idmap,
859 struct dentry *dentry,
860 const char *acl_name)
861{
862 evm_inode_post_removexattr(dentry, acl_name);
863}
864
c1632a0f 865static int evm_attr_change(struct mnt_idmap *idmap,
0e363cf3 866 struct dentry *dentry, struct iattr *attr)
1886ab01
RS		 867{
868 struct inode *inode = d_backing_inode(dentry);
869 unsigned int ia_valid = attr->ia_valid;
870
0dbe12f2
CB		 871 if (!i_uid_needs_update(idmap, attr, inode) &&
872 !i_gid_needs_update(idmap, attr, inode) &&
1886ab01
RS		 873 (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
874 return 0;
875
876 return 1;
877}
878
817b54aa
MZ		 879/**
880 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
b1de86d4 881 * @idmap: idmap of the mount
817b54aa 882 * @dentry: pointer to the affected dentry
b1de86d4 883 * @attr: iattr structure containing the new file attributes
50b97748
MG		 884 *
885 * Permit update of file attributes when files have a valid EVM signature,
886 * except in the case of them having an immutable portable signature.
817b54aa 887 */
92383111
RS		 888static int evm_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
889 struct iattr *attr)
817b54aa
MZ		 890{
891 unsigned int ia_valid = attr->ia_valid;
892 enum integrity_status evm_status;
893
ae1ba167
MG		 894 /* Policy permits modification of the protected attrs even though
895 * there's no HMAC key loaded
896 */
897 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
898 return 0;
899
cd708c93
MZ		 900 if (is_unsupported_fs(dentry))
901 return 0;
902
a924ce0b 903 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
817b54aa 904 return 0;
cd708c93 905
817b54aa 906 evm_status = evm_verify_current_integrity(dentry);
cdef685b
RS		 907 /*
908 * Writing attrs is safe for portable signatures, as portable signatures
909 * are immutable and can never be updated.
910 */
566be59a 911 if ((evm_status == INTEGRITY_PASS) ||
4a804b8a 912 (evm_status == INTEGRITY_NOXATTRS) ||
cdef685b 913 (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
4a804b8a
RS		 914 (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
915 evm_status == INTEGRITY_UNKNOWN)))
566be59a 916 return 0;
1886ab01
RS		 917
918 if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
c1632a0f 919 !evm_attr_change(idmap, dentry, attr))
1886ab01
RS		 920 return 0;
921
c6f493d6 922 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
9b97b6cd
MZ		 923 dentry->d_name.name, "appraise_metadata",
924 integrity_status_msg[evm_status], -EPERM, 0);
566be59a 925 return -EPERM;
817b54aa
MZ		 926}
927
66dbc325
MZ		 928/**
929 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
784111d0 930 * @idmap: idmap of the idmapped mount
66dbc325
MZ		 931 * @dentry: pointer to the affected dentry
932 * @ia_valid: for the UID and GID status
933 *
934 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
935 * changes.
936 *
937 * This function is called from notify_change(), which expects the caller
938 * to lock the inode's i_mutex.
939 */
92383111
RS		 940static void evm_inode_post_setattr(struct mnt_idmap *idmap,
941 struct dentry *dentry, int ia_valid)
66dbc325 942{
e3ccfe1a 943 if (!evm_revalidate_status(NULL))
66dbc325
MZ		 944 return;
945
e3ccfe1a
RS		 946 evm_reset_status(dentry->d_inode);
947
4a804b8a
RS		 948 if (!(evm_initialized & EVM_INIT_HMAC))
949 return;
950
cd708c93
MZ		 951 if (is_unsupported_fs(dentry))
952 return;
953
66dbc325
MZ		 954 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
955 evm_update_evmxattr(dentry, NULL, NULL, 0);
66dbc325
MZ		 956}
957
92383111 958static int evm_inode_copy_up_xattr(const char *name)
40ca4ee3
MZ		 959{
960 if (strcmp(name, XATTR_NAME_EVM) == 0)
961 return 1; /* Discard */
962 return -EOPNOTSUPP;
963}
964
cb723180 965/*
9eea2904 966 * evm_inode_init_security - initializes security.evm HMAC value
cb723180 967 */
6db7d1de
RS		 968int evm_inode_init_security(struct inode *inode, struct inode *dir,
969 const struct qstr *qstr, struct xattr *xattrs,
970 int *xattr_count)
cb723180 971{
650b29db 972 struct evm_xattr *xattr_data;
c31288e5
RS		 973 struct xattr *xattr, *evm_xattr;
974 bool evm_protected_xattrs = false;
cb723180
MZ		 975 int rc;
976
c31288e5
RS		 977 if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs)
978 return 0;
979
980 /*
981 * security_inode_init_security() makes sure that the xattrs array is
982 * contiguous, there is enough space for security.evm, and that there is
983 * a terminator at the end of the array.
984 */
985 for (xattr = xattrs; xattr->name; xattr++) {
986 if (evm_protected_xattr(xattr->name))
987 evm_protected_xattrs = true;
988 }
989
990 /* EVM xattr not needed. */
991 if (!evm_protected_xattrs)
5a4730ba 992 return 0;
cb723180 993
6db7d1de 994 evm_xattr = lsm_get_xattr_slot(xattrs, xattr_count);
c31288e5
RS		 995 /*
996 * Array terminator (xattr name = NULL) must be the first non-filled
997 * xattr slot.
998 */
999 WARN_ONCE(evm_xattr != xattr,
1000 "%s: xattrs terminator is not the first non-filled slot\n",
1001 __func__);
6db7d1de 1002
cb723180
MZ		 1003 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
1004 if (!xattr_data)
1005 return -ENOMEM;
1006
650b29db 1007 xattr_data->data.type = EVM_XATTR_HMAC;
6db7d1de 1008 rc = evm_init_hmac(inode, xattrs, xattr_data->digest);
cb723180
MZ		 1009 if (rc < 0)
1010 goto out;
1011
1012 evm_xattr->value = xattr_data;
1013 evm_xattr->value_len = sizeof(*xattr_data);
9548906b 1014 evm_xattr->name = XATTR_EVM_SUFFIX;
cb723180
MZ		 1015 return 0;
1016out:
1017 kfree(xattr_data);
1018 return rc;
1019}
1020EXPORT_SYMBOL_GPL(evm_inode_init_security);
1021
2ce523eb
DK		 1022#ifdef CONFIG_EVM_LOAD_X509
1023void __init evm_load_x509(void)
1024{
26ddabfe
DK		 1025 int rc;
1026
1027 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
1028 if (!rc)
1029 evm_initialized |= EVM_INIT_X509;
2ce523eb
DK		 1030}
1031#endif
1032
66dbc325
MZ		 1033static int __init init_evm(void)
1034{
1035 int error;
21af7663 1036 struct list_head *pos, *q;
66dbc325 1037
d3b33679
DK		 1038 evm_init_config();
1039
f4dc3778
DK		 1040 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
1041 if (error)
21af7663 1042 goto error;
f4dc3778 1043
66dbc325
MZ		 1044 error = evm_init_secfs();
1045 if (error < 0) {
20ee451f 1046 pr_info("Error registering secfs\n");
21af7663 1047 goto error;
66dbc325 1048 }
15647eb3 1049
21af7663
MG		 1050error:
1051 if (error != 0) {
1052 if (!list_empty(&evm_config_xattrnames)) {
c8b37524 1053 list_for_each_safe(pos, q, &evm_config_xattrnames)
21af7663 1054 list_del(pos);
21af7663
MG		 1055 }
1056 }
66dbc325 1057
21af7663 1058 return error;
66dbc325
MZ		 1059}
1060
92383111
RS		 1061static struct security_hook_list evm_hooks[] __ro_after_init = {
1062 LSM_HOOK_INIT(inode_setattr, evm_inode_setattr),
1063 LSM_HOOK_INIT(inode_post_setattr, evm_inode_post_setattr),
1064 LSM_HOOK_INIT(inode_copy_up_xattr, evm_inode_copy_up_xattr),
1065 LSM_HOOK_INIT(inode_setxattr, evm_inode_setxattr),
1066 LSM_HOOK_INIT(inode_post_setxattr, evm_inode_post_setxattr),
1067 LSM_HOOK_INIT(inode_set_acl, evm_inode_set_acl),
1068 LSM_HOOK_INIT(inode_post_set_acl, evm_inode_post_set_acl),
1069 LSM_HOOK_INIT(inode_remove_acl, evm_inode_remove_acl),
1070 LSM_HOOK_INIT(inode_post_remove_acl, evm_inode_post_remove_acl),
1071 LSM_HOOK_INIT(inode_removexattr, evm_inode_removexattr),
1072 LSM_HOOK_INIT(inode_post_removexattr, evm_inode_post_removexattr),
1073 LSM_HOOK_INIT(inode_init_security, evm_inode_init_security),
1074};
1075
1076static const struct lsm_id evm_lsmid = {
1077 .name = "evm",
1078 .id = LSM_ID_EVM,
1079};
1080
1081static int __init init_evm_lsm(void)
1082{
1083 security_add_hooks(evm_hooks, ARRAY_SIZE(evm_hooks), &evm_lsmid);
1084 return 0;
1085}
1086
1087DEFINE_LSM(evm) = {
1088 .name = "evm",
1089 .init = init_evm_lsm,
1090 .order = LSM_ORDER_LAST,
1091};
1092
66dbc325 1093late_initcall(init_evm);
Linux 6.x block layer and io_uring tree(s)