Commit | Line | Data |
---|---|---|
b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
66dbc325 MZ |
2 | /* |
3 | * Copyright (C) 2005-2010 IBM Corporation | |
4 | * | |
5 | * Author: | |
6 | * Mimi Zohar <zohar@us.ibm.com> | |
7 | * Kylene Hall <kjhall@us.ibm.com> | |
8 | * | |
66dbc325 MZ |
9 | * File: evm_main.c |
10 | * implements evm_inode_setxattr, evm_inode_post_setxattr, | |
e61b135f | 11 | * evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl. |
66dbc325 MZ |
12 | */ |
13 | ||
87ac3d00 MZ |
14 | #define pr_fmt(fmt) "EVM: "fmt |
15 | ||
3aafb1fb | 16 | #include <linux/init.h> |
9b97b6cd | 17 | #include <linux/audit.h> |
66dbc325 MZ |
18 | #include <linux/xattr.h> |
19 | #include <linux/integrity.h> | |
3e1be52d | 20 | #include <linux/evm.h> |
50d34394 | 21 | #include <linux/magic.h> |
1886ab01 | 22 | #include <linux/posix_acl_xattr.h> |
6db7d1de | 23 | #include <linux/lsm_hooks.h> |
50d34394 | 24 | |
d46eb369 | 25 | #include <crypto/hash.h> |
5feeb611 | 26 | #include <crypto/hash_info.h> |
aa7c98b1 | 27 | #include <crypto/utils.h> |
66dbc325 MZ |
28 | #include "evm.h" |
29 | ||
30 | int evm_initialized; | |
31 | ||
17d7b0af | 32 | static const char * const integrity_status_msg[] = { |
cdef685b RS |
33 | "pass", "pass_immutable", "fail", "fail_immutable", "no_label", |
34 | "no_xattrs", "unknown" | |
9b97b6cd | 35 | }; |
d3b33679 | 36 | int evm_hmac_attrs; |
66dbc325 | 37 | |
fa516b66 | 38 | static struct xattr_list evm_config_default_xattrnames[] = { |
c808a6ec XJ |
39 | { |
40 | .name = XATTR_NAME_SELINUX, | |
41 | .enabled = IS_ENABLED(CONFIG_SECURITY_SELINUX) | |
8c7a703e | 42 | }, |
c808a6ec XJ |
43 | { |
44 | .name = XATTR_NAME_SMACK, | |
45 | .enabled = IS_ENABLED(CONFIG_SECURITY_SMACK) | |
8c7a703e | 46 | }, |
c808a6ec XJ |
47 | { |
48 | .name = XATTR_NAME_SMACKEXEC, | |
49 | .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS) | |
8c7a703e | 50 | }, |
c808a6ec XJ |
51 | { |
52 | .name = XATTR_NAME_SMACKTRANSMUTE, | |
53 | .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS) | |
8c7a703e | 54 | }, |
c808a6ec XJ |
55 | { |
56 | .name = XATTR_NAME_SMACKMMAP, | |
57 | .enabled = IS_ENABLED(CONFIG_EVM_EXTRA_SMACK_XATTRS) | |
8c7a703e | 58 | }, |
c808a6ec XJ |
59 | { |
60 | .name = XATTR_NAME_APPARMOR, | |
61 | .enabled = IS_ENABLED(CONFIG_SECURITY_APPARMOR) | |
8c7a703e | 62 | }, |
c808a6ec XJ |
63 | { |
64 | .name = XATTR_NAME_IMA, | |
65 | .enabled = IS_ENABLED(CONFIG_IMA_APPRAISE) | |
8c7a703e | 66 | }, |
c808a6ec XJ |
67 | { |
68 | .name = XATTR_NAME_CAPS, | |
8c7a703e RS |
69 | .enabled = true |
70 | }, | |
66dbc325 MZ |
71 | }; |
72 | ||
21af7663 MG |
73 | LIST_HEAD(evm_config_xattrnames); |
74 | ||
32ba540f | 75 | static int evm_fixmode __ro_after_init; |
7102ebcd MZ |
76 | static int __init evm_set_fixmode(char *str) |
77 | { | |
78 | if (strncmp(str, "fix", 3) == 0) | |
79 | evm_fixmode = 1; | |
7fe2bb7e BM |
80 | else |
81 | pr_err("invalid \"%s\" mode", str); | |
82 | ||
f2544f5e | 83 | return 1; |
7102ebcd MZ |
84 | } |
85 | __setup("evm=", evm_set_fixmode); | |
86 | ||
d3b33679 DK |
87 | static void __init evm_init_config(void) |
88 | { | |
21af7663 MG |
89 | int i, xattrs; |
90 | ||
91 | xattrs = ARRAY_SIZE(evm_config_default_xattrnames); | |
92 | ||
93 | pr_info("Initialising EVM extended attributes:\n"); | |
94 | for (i = 0; i < xattrs; i++) { | |
8c7a703e RS |
95 | pr_info("%s%s\n", evm_config_default_xattrnames[i].name, |
96 | !evm_config_default_xattrnames[i].enabled ? | |
97 | " (disabled)" : ""); | |
21af7663 MG |
98 | list_add_tail(&evm_config_default_xattrnames[i].list, |
99 | &evm_config_xattrnames); | |
100 | } | |
101 | ||
d3b33679 DK |
102 | #ifdef CONFIG_EVM_ATTR_FSUUID |
103 | evm_hmac_attrs |= EVM_ATTR_FSUUID; | |
104 | #endif | |
105 | pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); | |
106 | } | |
107 | ||
ae1ba167 MG |
108 | static bool evm_key_loaded(void) |
109 | { | |
110 | return (bool)(evm_initialized & EVM_KEY_MASK); | |
111 | } | |
112 | ||
4a804b8a RS |
113 | /* |
114 | * This function determines whether or not it is safe to ignore verification | |
115 | * errors, based on the ability of EVM to calculate HMACs. If the HMAC key | |
116 | * is not loaded, and it cannot be loaded in the future due to the | |
117 | * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the | |
118 | * attrs/xattrs being found invalid will not make them valid. | |
119 | */ | |
120 | static bool evm_hmac_disabled(void) | |
121 | { | |
122 | if (evm_initialized & EVM_INIT_HMAC) | |
123 | return false; | |
124 | ||
125 | if (!(evm_initialized & EVM_SETUP_COMPLETE)) | |
126 | return false; | |
127 | ||
128 | return true; | |
129 | } | |
130 | ||
15647eb3 DK |
131 | static int evm_find_protected_xattrs(struct dentry *dentry) |
132 | { | |
c6f493d6 | 133 | struct inode *inode = d_backing_inode(dentry); |
21af7663 | 134 | struct xattr_list *xattr; |
15647eb3 DK |
135 | int error; |
136 | int count = 0; | |
137 | ||
5d6c3191 | 138 | if (!(inode->i_opflags & IOP_XATTR)) |
15647eb3 DK |
139 | return -EOPNOTSUPP; |
140 | ||
770f6058 | 141 | list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { |
21af7663 | 142 | error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); |
15647eb3 DK |
143 | if (error < 0) { |
144 | if (error == -ENODATA) | |
145 | continue; | |
146 | return error; | |
147 | } | |
148 | count++; | |
149 | } | |
150 | ||
151 | return count; | |
152 | } | |
153 | ||
cd708c93 MZ |
154 | static int is_unsupported_fs(struct dentry *dentry) |
155 | { | |
156 | struct inode *inode = d_backing_inode(dentry); | |
157 | ||
158 | if (inode->i_sb->s_iflags & SB_I_EVM_UNSUPPORTED) { | |
159 | pr_info_once("%s not supported\n", inode->i_sb->s_type->name); | |
160 | return 1; | |
161 | } | |
162 | return 0; | |
163 | } | |
164 | ||
66dbc325 MZ |
165 | /* |
166 | * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr | |
167 | * | |
168 | * Compute the HMAC on the dentry's protected set of extended attributes | |
7102ebcd MZ |
169 | * and compare it against the stored security.evm xattr. |
170 | * | |
171 | * For performance: | |
172 | * - use the previoulsy retrieved xattr value and length to calculate the | |
173 | * HMAC.) | |
174 | * - cache the verification result in the iint, when available. | |
66dbc325 MZ |
175 | * |
176 | * Returns integrity status | |
177 | */ | |
178 | static enum integrity_status evm_verify_hmac(struct dentry *dentry, | |
179 | const char *xattr_name, | |
180 | char *xattr_value, | |
181 | size_t xattr_value_len, | |
182 | struct integrity_iint_cache *iint) | |
183 | { | |
15647eb3 | 184 | struct evm_ima_xattr_data *xattr_data = NULL; |
5feeb611 | 185 | struct signature_v2_hdr *hdr; |
566be59a | 186 | enum integrity_status evm_status = INTEGRITY_PASS; |
5feeb611 | 187 | struct evm_digest digest; |
70946c4a | 188 | struct inode *inode; |
cdef685b | 189 | int rc, xattr_len, evm_immutable = 0; |
66dbc325 | 190 | |
50b97748 MG |
191 | if (iint && (iint->evm_status == INTEGRITY_PASS || |
192 | iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) | |
24e0198e | 193 | return iint->evm_status; |
66dbc325 | 194 | |
cd708c93 MZ |
195 | if (is_unsupported_fs(dentry)) |
196 | return INTEGRITY_UNKNOWN; | |
197 | ||
6d38ca01 DK |
198 | /* if status is not PASS, try to check again - against -ENOMEM */ |
199 | ||
15647eb3 | 200 | /* first need to know the sig type */ |
4609e1f1 | 201 | rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_EVM, |
c7c7a1a1 | 202 | (char **)&xattr_data, 0, GFP_NOFS); |
15647eb3 | 203 | if (rc <= 0) { |
1f100979 DK |
204 | evm_status = INTEGRITY_FAIL; |
205 | if (rc == -ENODATA) { | |
15647eb3 DK |
206 | rc = evm_find_protected_xattrs(dentry); |
207 | if (rc > 0) | |
208 | evm_status = INTEGRITY_NOLABEL; | |
209 | else if (rc == 0) | |
210 | evm_status = INTEGRITY_NOXATTRS; /* new file */ | |
1f100979 DK |
211 | } else if (rc == -EOPNOTSUPP) { |
212 | evm_status = INTEGRITY_UNKNOWN; | |
15647eb3 | 213 | } |
566be59a MZ |
214 | goto out; |
215 | } | |
66dbc325 | 216 | |
b1aaab22 | 217 | xattr_len = rc; |
15647eb3 DK |
218 | |
219 | /* check value type */ | |
220 | switch (xattr_data->type) { | |
221 | case EVM_XATTR_HMAC: | |
650b29db | 222 | if (xattr_len != sizeof(struct evm_xattr)) { |
b4bfec7f SF |
223 | evm_status = INTEGRITY_FAIL; |
224 | goto out; | |
225 | } | |
5feeb611 MG |
226 | |
227 | digest.hdr.algo = HASH_ALGO_SHA1; | |
15647eb3 | 228 | rc = evm_calc_hmac(dentry, xattr_name, xattr_value, |
5feeb611 | 229 | xattr_value_len, &digest); |
15647eb3 DK |
230 | if (rc) |
231 | break; | |
650b29db | 232 | rc = crypto_memneq(xattr_data->data, digest.digest, |
5feeb611 | 233 | SHA1_DIGEST_SIZE); |
15647eb3 DK |
234 | if (rc) |
235 | rc = -EINVAL; | |
236 | break; | |
50b97748 | 237 | case EVM_XATTR_PORTABLE_DIGSIG: |
cdef685b RS |
238 | evm_immutable = 1; |
239 | fallthrough; | |
240 | case EVM_IMA_XATTR_DIGSIG: | |
455b6c91 RS |
241 | /* accept xattr with non-empty signature field */ |
242 | if (xattr_len <= sizeof(struct signature_v2_hdr)) { | |
243 | evm_status = INTEGRITY_FAIL; | |
244 | goto out; | |
245 | } | |
246 | ||
5feeb611 MG |
247 | hdr = (struct signature_v2_hdr *)xattr_data; |
248 | digest.hdr.algo = hdr->hash_algo; | |
15647eb3 | 249 | rc = evm_calc_hash(dentry, xattr_name, xattr_value, |
5feeb611 | 250 | xattr_value_len, xattr_data->type, &digest); |
15647eb3 DK |
251 | if (rc) |
252 | break; | |
253 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, | |
b1aaab22 | 254 | (const char *)xattr_data, xattr_len, |
5feeb611 | 255 | digest.digest, digest.hdr.length); |
15647eb3 | 256 | if (!rc) { |
70946c4a SH |
257 | inode = d_backing_inode(dentry); |
258 | ||
50b97748 MG |
259 | if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { |
260 | if (iint) | |
261 | iint->flags |= EVM_IMMUTABLE_DIGSIG; | |
262 | evm_status = INTEGRITY_PASS_IMMUTABLE; | |
70946c4a SH |
263 | } else if (!IS_RDONLY(inode) && |
264 | !(inode->i_sb->s_readonly_remount) && | |
265 | !IS_IMMUTABLE(inode)) { | |
c2baec7f DK |
266 | evm_update_evmxattr(dentry, xattr_name, |
267 | xattr_value, | |
268 | xattr_value_len); | |
50b97748 | 269 | } |
15647eb3 DK |
270 | } |
271 | break; | |
272 | default: | |
273 | rc = -EINVAL; | |
274 | break; | |
275 | } | |
276 | ||
cdef685b RS |
277 | if (rc) { |
278 | if (rc == -ENODATA) | |
279 | evm_status = INTEGRITY_NOXATTRS; | |
280 | else if (evm_immutable) | |
281 | evm_status = INTEGRITY_FAIL_IMMUTABLE; | |
282 | else | |
283 | evm_status = INTEGRITY_FAIL; | |
284 | } | |
87ac3d00 MZ |
285 | pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length, |
286 | digest.digest); | |
7102ebcd MZ |
287 | out: |
288 | if (iint) | |
289 | iint->evm_status = evm_status; | |
15647eb3 | 290 | kfree(xattr_data); |
7102ebcd | 291 | return evm_status; |
66dbc325 MZ |
292 | } |
293 | ||
8c7a703e RS |
294 | static int evm_protected_xattr_common(const char *req_xattr_name, |
295 | bool all_xattrs) | |
66dbc325 | 296 | { |
66dbc325 MZ |
297 | int namelen; |
298 | int found = 0; | |
21af7663 | 299 | struct xattr_list *xattr; |
66dbc325 MZ |
300 | |
301 | namelen = strlen(req_xattr_name); | |
770f6058 | 302 | list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { |
8c7a703e RS |
303 | if (!all_xattrs && !xattr->enabled) |
304 | continue; | |
305 | ||
21af7663 MG |
306 | if ((strlen(xattr->name) == namelen) |
307 | && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { | |
66dbc325 MZ |
308 | found = 1; |
309 | break; | |
310 | } | |
cb723180 | 311 | if (strncmp(req_xattr_name, |
21af7663 | 312 | xattr->name + XATTR_SECURITY_PREFIX_LEN, |
cb723180 MZ |
313 | strlen(req_xattr_name)) == 0) { |
314 | found = 1; | |
315 | break; | |
316 | } | |
66dbc325 | 317 | } |
21af7663 | 318 | |
66dbc325 MZ |
319 | return found; |
320 | } | |
321 | ||
c31288e5 | 322 | int evm_protected_xattr(const char *req_xattr_name) |
8c7a703e RS |
323 | { |
324 | return evm_protected_xattr_common(req_xattr_name, false); | |
325 | } | |
326 | ||
327 | int evm_protected_xattr_if_enabled(const char *req_xattr_name) | |
328 | { | |
329 | return evm_protected_xattr_common(req_xattr_name, true); | |
330 | } | |
331 | ||
8314b673 RS |
332 | /** |
333 | * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values | |
334 | * @dentry: dentry of the read xattrs | |
8314b673 RS |
335 | * @buffer: buffer xattr names, lengths or values are copied to |
336 | * @buffer_size: size of buffer | |
337 | * @type: n: names, l: lengths, v: values | |
338 | * @canonical_fmt: data format (true: little endian, false: native format) | |
339 | * | |
340 | * Read protected xattr names (separated by |), lengths (u32) or values for a | |
341 | * given dentry and return the total size of copied data. If buffer is NULL, | |
342 | * just return the total size. | |
343 | * | |
344 | * Returns the total size on success, a negative value on error. | |
345 | */ | |
346 | int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, | |
347 | int buffer_size, char type, bool canonical_fmt) | |
348 | { | |
349 | struct xattr_list *xattr; | |
350 | int rc, size, total_size = 0; | |
351 | ||
352 | list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { | |
353 | rc = __vfs_getxattr(dentry, d_backing_inode(dentry), | |
354 | xattr->name, NULL, 0); | |
355 | if (rc < 0 && rc == -ENODATA) | |
356 | continue; | |
357 | else if (rc < 0) | |
358 | return rc; | |
359 | ||
360 | switch (type) { | |
361 | case 'n': | |
362 | size = strlen(xattr->name) + 1; | |
363 | if (buffer) { | |
364 | if (total_size) | |
365 | *(buffer + total_size - 1) = '|'; | |
366 | ||
367 | memcpy(buffer + total_size, xattr->name, size); | |
368 | } | |
369 | break; | |
370 | case 'l': | |
371 | size = sizeof(u32); | |
372 | if (buffer) { | |
373 | if (canonical_fmt) | |
6b26285f | 374 | rc = (__force int)cpu_to_le32(rc); |
8314b673 RS |
375 | |
376 | *(u32 *)(buffer + total_size) = rc; | |
377 | } | |
378 | break; | |
379 | case 'v': | |
380 | size = rc; | |
381 | if (buffer) { | |
382 | rc = __vfs_getxattr(dentry, | |
383 | d_backing_inode(dentry), xattr->name, | |
384 | buffer + total_size, | |
385 | buffer_size - total_size); | |
386 | if (rc < 0) | |
387 | return rc; | |
388 | } | |
389 | break; | |
390 | default: | |
391 | return -EINVAL; | |
392 | } | |
393 | ||
394 | total_size += size; | |
395 | } | |
396 | ||
397 | return total_size; | |
398 | } | |
399 | ||
66dbc325 MZ |
400 | /** |
401 | * evm_verifyxattr - verify the integrity of the requested xattr | |
402 | * @dentry: object of the verify xattr | |
403 | * @xattr_name: requested xattr | |
404 | * @xattr_value: requested xattr value | |
405 | * @xattr_value_len: requested xattr value length | |
996e0a97 | 406 | * @iint: inode integrity metadata |
66dbc325 MZ |
407 | * |
408 | * Calculate the HMAC for the given dentry and verify it against the stored | |
409 | * security.evm xattr. For performance, use the xattr value and length | |
410 | * previously retrieved to calculate the HMAC. | |
411 | * | |
412 | * Returns the xattr integrity status. | |
413 | * | |
414 | * This function requires the caller to lock the inode's i_mutex before it | |
415 | * is executed. | |
416 | */ | |
417 | enum integrity_status evm_verifyxattr(struct dentry *dentry, | |
418 | const char *xattr_name, | |
2960e6cb DK |
419 | void *xattr_value, size_t xattr_value_len, |
420 | struct integrity_iint_cache *iint) | |
66dbc325 | 421 | { |
ae1ba167 | 422 | if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) |
66dbc325 MZ |
423 | return INTEGRITY_UNKNOWN; |
424 | ||
cd708c93 MZ |
425 | if (is_unsupported_fs(dentry)) |
426 | return INTEGRITY_UNKNOWN; | |
427 | ||
2960e6cb | 428 | if (!iint) { |
c6f493d6 | 429 | iint = integrity_iint_find(d_backing_inode(dentry)); |
2960e6cb DK |
430 | if (!iint) |
431 | return INTEGRITY_UNKNOWN; | |
432 | } | |
433 | return evm_verify_hmac(dentry, xattr_name, xattr_value, | |
66dbc325 | 434 | xattr_value_len, iint); |
66dbc325 MZ |
435 | } |
436 | EXPORT_SYMBOL_GPL(evm_verifyxattr); | |
437 | ||
7102ebcd MZ |
438 | /* |
439 | * evm_verify_current_integrity - verify the dentry's metadata integrity | |
440 | * @dentry: pointer to the affected dentry | |
441 | * | |
442 | * Verify and return the dentry's metadata integrity. The exceptions are | |
443 | * before EVM is initialized or in 'fix' mode. | |
444 | */ | |
445 | static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) | |
446 | { | |
c6f493d6 | 447 | struct inode *inode = d_backing_inode(dentry); |
7102ebcd | 448 | |
ae1ba167 | 449 | if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) |
e11afdbb | 450 | return INTEGRITY_PASS; |
7102ebcd MZ |
451 | return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); |
452 | } | |
453 | ||
1886ab01 RS |
454 | /* |
455 | * evm_xattr_change - check if passed xattr value differs from current value | |
39f60c1c | 456 | * @idmap: idmap of the mount |
1886ab01 RS |
457 | * @dentry: pointer to the affected dentry |
458 | * @xattr_name: requested xattr | |
459 | * @xattr_value: requested xattr value | |
460 | * @xattr_value_len: requested xattr value length | |
461 | * | |
462 | * Check if passed xattr value differs from current value. | |
463 | * | |
464 | * Returns 1 if passed xattr value differs from current value, 0 otherwise. | |
465 | */ | |
39f60c1c | 466 | static int evm_xattr_change(struct mnt_idmap *idmap, |
1886ab01 RS |
467 | struct dentry *dentry, const char *xattr_name, |
468 | const void *xattr_value, size_t xattr_value_len) | |
469 | { | |
470 | char *xattr_data = NULL; | |
471 | int rc = 0; | |
472 | ||
4609e1f1 | 473 | rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr_name, &xattr_data, |
1886ab01 | 474 | 0, GFP_NOFS); |
f6fbd8cb PM |
475 | if (rc < 0) { |
476 | rc = 1; | |
477 | goto out; | |
478 | } | |
1886ab01 RS |
479 | |
480 | if (rc == xattr_value_len) | |
481 | rc = !!memcmp(xattr_value, xattr_data, rc); | |
482 | else | |
483 | rc = 1; | |
484 | ||
f6fbd8cb | 485 | out: |
1886ab01 RS |
486 | kfree(xattr_data); |
487 | return rc; | |
488 | } | |
489 | ||
a924ce0b MZ |
490 | /* |
491 | * evm_protect_xattr - protect the EVM extended attribute | |
492 | * | |
bf6d0f5d MZ |
493 | * Prevent security.evm from being modified or removed without the |
494 | * necessary permissions or when the existing value is invalid. | |
495 | * | |
496 | * The posix xattr acls are 'system' prefixed, which normally would not | |
497 | * affect security.evm. An interesting side affect of writing posix xattr | |
498 | * acls is their modifying of the i_mode, which is included in security.evm. | |
499 | * For posix xattr acls only, permit security.evm, even if it currently | |
50b97748 | 500 | * doesn't exist, to be updated unless the EVM signature is immutable. |
a924ce0b | 501 | */ |
39f60c1c | 502 | static int evm_protect_xattr(struct mnt_idmap *idmap, |
7e135dc7 | 503 | struct dentry *dentry, const char *xattr_name, |
a924ce0b MZ |
504 | const void *xattr_value, size_t xattr_value_len) |
505 | { | |
506 | enum integrity_status evm_status; | |
507 | ||
508 | if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { | |
509 | if (!capable(CAP_SYS_ADMIN)) | |
510 | return -EPERM; | |
cd708c93 MZ |
511 | if (is_unsupported_fs(dentry)) |
512 | return -EPERM; | |
bf6d0f5d MZ |
513 | } else if (!evm_protected_xattr(xattr_name)) { |
514 | if (!posix_xattr_acl(xattr_name)) | |
515 | return 0; | |
cd708c93 MZ |
516 | if (is_unsupported_fs(dentry)) |
517 | return 0; | |
518 | ||
bf6d0f5d MZ |
519 | evm_status = evm_verify_current_integrity(dentry); |
520 | if ((evm_status == INTEGRITY_PASS) || | |
566be59a | 521 | (evm_status == INTEGRITY_NOXATTRS)) |
bf6d0f5d | 522 | return 0; |
9b97b6cd | 523 | goto out; |
cd708c93 MZ |
524 | } else if (is_unsupported_fs(dentry)) |
525 | return 0; | |
ae1ba167 | 526 | |
a924ce0b | 527 | evm_status = evm_verify_current_integrity(dentry); |
3dcbad52 DK |
528 | if (evm_status == INTEGRITY_NOXATTRS) { |
529 | struct integrity_iint_cache *iint; | |
530 | ||
4a804b8a RS |
531 | /* Exception if the HMAC is not going to be calculated. */ |
532 | if (evm_hmac_disabled()) | |
533 | return 0; | |
534 | ||
c6f493d6 | 535 | iint = integrity_iint_find(d_backing_inode(dentry)); |
3dcbad52 DK |
536 | if (iint && (iint->flags & IMA_NEW_FILE)) |
537 | return 0; | |
5101a185 MZ |
538 | |
539 | /* exception for pseudo filesystems */ | |
fc64005c AV |
540 | if (dentry->d_sb->s_magic == TMPFS_MAGIC |
541 | || dentry->d_sb->s_magic == SYSFS_MAGIC) | |
5101a185 MZ |
542 | return 0; |
543 | ||
544 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, | |
545 | dentry->d_inode, dentry->d_name.name, | |
546 | "update_metadata", | |
547 | integrity_status_msg[evm_status], | |
548 | -EPERM, 0); | |
3dcbad52 | 549 | } |
9b97b6cd | 550 | out: |
4a804b8a RS |
551 | /* Exception if the HMAC is not going to be calculated. */ |
552 | if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || | |
553 | evm_status == INTEGRITY_UNKNOWN)) | |
554 | return 0; | |
cdef685b RS |
555 | |
556 | /* | |
557 | * Writing other xattrs is safe for portable signatures, as portable | |
558 | * signatures are immutable and can never be updated. | |
559 | */ | |
560 | if (evm_status == INTEGRITY_FAIL_IMMUTABLE) | |
561 | return 0; | |
562 | ||
1886ab01 | 563 | if (evm_status == INTEGRITY_PASS_IMMUTABLE && |
39f60c1c | 564 | !evm_xattr_change(idmap, dentry, xattr_name, xattr_value, |
1886ab01 RS |
565 | xattr_value_len)) |
566 | return 0; | |
567 | ||
568 | if (evm_status != INTEGRITY_PASS && | |
569 | evm_status != INTEGRITY_PASS_IMMUTABLE) | |
c6f493d6 | 570 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), |
9b97b6cd MZ |
571 | dentry->d_name.name, "appraise_metadata", |
572 | integrity_status_msg[evm_status], | |
573 | -EPERM, 0); | |
a924ce0b MZ |
574 | return evm_status == INTEGRITY_PASS ? 0 : -EPERM; |
575 | } | |
576 | ||
66dbc325 MZ |
577 | /** |
578 | * evm_inode_setxattr - protect the EVM extended attribute | |
39f60c1c | 579 | * @idmap: idmap of the mount |
66dbc325 MZ |
580 | * @dentry: pointer to the affected dentry |
581 | * @xattr_name: pointer to the affected extended attribute name | |
582 | * @xattr_value: pointer to the new extended attribute value | |
583 | * @xattr_value_len: pointer to the new extended attribute value length | |
2b6a4054 | 584 | * @flags: flags to pass into filesystem operations |
66dbc325 | 585 | * |
2fb1c9a4 MZ |
586 | * Before allowing the 'security.evm' protected xattr to be updated, |
587 | * verify the existing value is valid. As only the kernel should have | |
588 | * access to the EVM encrypted key needed to calculate the HMAC, prevent | |
589 | * userspace from writing HMAC value. Writing 'security.evm' requires | |
590 | * requires CAP_SYS_ADMIN privileges. | |
66dbc325 | 591 | */ |
92383111 RS |
592 | static int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, |
593 | const char *xattr_name, const void *xattr_value, | |
594 | size_t xattr_value_len, int flags) | |
66dbc325 | 595 | { |
2fb1c9a4 MZ |
596 | const struct evm_ima_xattr_data *xattr_data = xattr_value; |
597 | ||
ae1ba167 MG |
598 | /* Policy permits modification of the protected xattrs even though |
599 | * there's no HMAC key loaded | |
600 | */ | |
601 | if (evm_initialized & EVM_ALLOW_METADATA_WRITES) | |
602 | return 0; | |
603 | ||
3b1deef6 DK |
604 | if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { |
605 | if (!xattr_value_len) | |
606 | return -EINVAL; | |
50b97748 MG |
607 | if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && |
608 | xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) | |
3b1deef6 DK |
609 | return -EPERM; |
610 | } | |
39f60c1c | 611 | return evm_protect_xattr(idmap, dentry, xattr_name, xattr_value, |
a924ce0b | 612 | xattr_value_len); |
66dbc325 MZ |
613 | } |
614 | ||
615 | /** | |
616 | * evm_inode_removexattr - protect the EVM extended attribute | |
39f60c1c | 617 | * @idmap: idmap of the mount |
66dbc325 MZ |
618 | * @dentry: pointer to the affected dentry |
619 | * @xattr_name: pointer to the affected extended attribute name | |
620 | * | |
7102ebcd MZ |
621 | * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that |
622 | * the current value is valid. | |
66dbc325 | 623 | */ |
92383111 RS |
624 | static int evm_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, |
625 | const char *xattr_name) | |
66dbc325 | 626 | { |
ae1ba167 MG |
627 | /* Policy permits modification of the protected xattrs even though |
628 | * there's no HMAC key loaded | |
629 | */ | |
630 | if (evm_initialized & EVM_ALLOW_METADATA_WRITES) | |
631 | return 0; | |
632 | ||
39f60c1c | 633 | return evm_protect_xattr(idmap, dentry, xattr_name, NULL, 0); |
66dbc325 MZ |
634 | } |
635 | ||
e61b135f | 636 | #ifdef CONFIG_FS_POSIX_ACL |
700b7940 | 637 | static int evm_inode_set_acl_change(struct mnt_idmap *idmap, |
e61b135f CB |
638 | struct dentry *dentry, const char *name, |
639 | struct posix_acl *kacl) | |
640 | { | |
641 | int rc; | |
642 | ||
643 | umode_t mode; | |
644 | struct inode *inode = d_backing_inode(dentry); | |
645 | ||
646 | if (!kacl) | |
647 | return 1; | |
648 | ||
700b7940 | 649 | rc = posix_acl_update_mode(idmap, inode, &mode, &kacl); |
e61b135f CB |
650 | if (rc || (inode->i_mode != mode)) |
651 | return 1; | |
652 | ||
653 | return 0; | |
654 | } | |
655 | #else | |
700b7940 | 656 | static inline int evm_inode_set_acl_change(struct mnt_idmap *idmap, |
e61b135f CB |
657 | struct dentry *dentry, |
658 | const char *name, | |
659 | struct posix_acl *kacl) | |
660 | { | |
661 | return 0; | |
662 | } | |
663 | #endif | |
664 | ||
665 | /** | |
666 | * evm_inode_set_acl - protect the EVM extended attribute from posix acls | |
700b7940 | 667 | * @idmap: idmap of the idmapped mount |
e61b135f CB |
668 | * @dentry: pointer to the affected dentry |
669 | * @acl_name: name of the posix acl | |
670 | * @kacl: pointer to the posix acls | |
671 | * | |
672 | * Prevent modifying posix acls causing the EVM HMAC to be re-calculated | |
673 | * and 'security.evm' xattr updated, unless the existing 'security.evm' is | |
674 | * valid. | |
92383111 RS |
675 | * |
676 | * Return: zero on success, -EPERM on failure. | |
e61b135f | 677 | */ |
92383111 RS |
678 | static int evm_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, |
679 | const char *acl_name, struct posix_acl *kacl) | |
e61b135f CB |
680 | { |
681 | enum integrity_status evm_status; | |
682 | ||
683 | /* Policy permits modification of the protected xattrs even though | |
684 | * there's no HMAC key loaded | |
685 | */ | |
686 | if (evm_initialized & EVM_ALLOW_METADATA_WRITES) | |
687 | return 0; | |
688 | ||
689 | evm_status = evm_verify_current_integrity(dentry); | |
690 | if ((evm_status == INTEGRITY_PASS) || | |
691 | (evm_status == INTEGRITY_NOXATTRS)) | |
692 | return 0; | |
693 | ||
694 | /* Exception if the HMAC is not going to be calculated. */ | |
695 | if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || | |
696 | evm_status == INTEGRITY_UNKNOWN)) | |
697 | return 0; | |
698 | ||
699 | /* | |
700 | * Writing other xattrs is safe for portable signatures, as portable | |
701 | * signatures are immutable and can never be updated. | |
702 | */ | |
703 | if (evm_status == INTEGRITY_FAIL_IMMUTABLE) | |
704 | return 0; | |
705 | ||
706 | if (evm_status == INTEGRITY_PASS_IMMUTABLE && | |
700b7940 | 707 | !evm_inode_set_acl_change(idmap, dentry, acl_name, kacl)) |
e61b135f CB |
708 | return 0; |
709 | ||
16257cf6 | 710 | if (evm_status != INTEGRITY_PASS_IMMUTABLE) |
e61b135f CB |
711 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), |
712 | dentry->d_name.name, "appraise_metadata", | |
713 | integrity_status_msg[evm_status], | |
714 | -EPERM, 0); | |
16257cf6 | 715 | return -EPERM; |
e61b135f CB |
716 | } |
717 | ||
92383111 RS |
718 | /** |
719 | * evm_inode_remove_acl - Protect the EVM extended attribute from posix acls | |
720 | * @idmap: idmap of the mount | |
721 | * @dentry: pointer to the affected dentry | |
722 | * @acl_name: name of the posix acl | |
723 | * | |
724 | * Prevent removing posix acls causing the EVM HMAC to be re-calculated | |
725 | * and 'security.evm' xattr updated, unless the existing 'security.evm' is | |
726 | * valid. | |
727 | * | |
728 | * Return: zero on success, -EPERM on failure. | |
729 | */ | |
730 | static int evm_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry, | |
731 | const char *acl_name) | |
732 | { | |
733 | return evm_inode_set_acl(idmap, dentry, acl_name, NULL); | |
734 | } | |
735 | ||
523b74b1 DK |
736 | static void evm_reset_status(struct inode *inode) |
737 | { | |
738 | struct integrity_iint_cache *iint; | |
739 | ||
740 | iint = integrity_iint_find(inode); | |
741 | if (iint) | |
742 | iint->evm_status = INTEGRITY_UNKNOWN; | |
743 | } | |
744 | ||
e3ccfe1a RS |
745 | /** |
746 | * evm_revalidate_status - report whether EVM status re-validation is necessary | |
747 | * @xattr_name: pointer to the affected extended attribute name | |
748 | * | |
749 | * Report whether callers of evm_verifyxattr() should re-validate the | |
750 | * EVM status. | |
751 | * | |
752 | * Return true if re-validation is necessary, false otherwise. | |
753 | */ | |
754 | bool evm_revalidate_status(const char *xattr_name) | |
755 | { | |
756 | if (!evm_key_loaded()) | |
757 | return false; | |
758 | ||
759 | /* evm_inode_post_setattr() passes NULL */ | |
760 | if (!xattr_name) | |
761 | return true; | |
762 | ||
763 | if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) && | |
764 | strcmp(xattr_name, XATTR_NAME_EVM)) | |
765 | return false; | |
766 | ||
767 | return true; | |
768 | } | |
769 | ||
66dbc325 MZ |
770 | /** |
771 | * evm_inode_post_setxattr - update 'security.evm' to reflect the changes | |
772 | * @dentry: pointer to the affected dentry | |
773 | * @xattr_name: pointer to the affected extended attribute name | |
774 | * @xattr_value: pointer to the new extended attribute value | |
775 | * @xattr_value_len: pointer to the new extended attribute value length | |
779cb194 | 776 | * @flags: flags to pass into filesystem operations |
66dbc325 MZ |
777 | * |
778 | * Update the HMAC stored in 'security.evm' to reflect the change. | |
779 | * | |
780 | * No need to take the i_mutex lock here, as this function is called from | |
781 | * __vfs_setxattr_noperm(). The caller of which has taken the inode's | |
782 | * i_mutex lock. | |
783 | */ | |
92383111 RS |
784 | static void evm_inode_post_setxattr(struct dentry *dentry, |
785 | const char *xattr_name, | |
786 | const void *xattr_value, | |
787 | size_t xattr_value_len, | |
788 | int flags) | |
66dbc325 | 789 | { |
e3ccfe1a | 790 | if (!evm_revalidate_status(xattr_name)) |
66dbc325 MZ |
791 | return; |
792 | ||
523b74b1 DK |
793 | evm_reset_status(dentry->d_inode); |
794 | ||
e3ccfe1a RS |
795 | if (!strcmp(xattr_name, XATTR_NAME_EVM)) |
796 | return; | |
797 | ||
4a804b8a RS |
798 | if (!(evm_initialized & EVM_INIT_HMAC)) |
799 | return; | |
800 | ||
cd708c93 MZ |
801 | if (is_unsupported_fs(dentry)) |
802 | return; | |
803 | ||
66dbc325 | 804 | evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); |
66dbc325 MZ |
805 | } |
806 | ||
92383111 RS |
807 | /** |
808 | * evm_inode_post_set_acl - Update the EVM extended attribute from posix acls | |
809 | * @dentry: pointer to the affected dentry | |
810 | * @acl_name: name of the posix acl | |
811 | * @kacl: pointer to the posix acls | |
812 | * | |
813 | * Update the 'security.evm' xattr with the EVM HMAC re-calculated after setting | |
814 | * posix acls. | |
815 | */ | |
816 | static void evm_inode_post_set_acl(struct dentry *dentry, const char *acl_name, | |
817 | struct posix_acl *kacl) | |
818 | { | |
819 | return evm_inode_post_setxattr(dentry, acl_name, NULL, 0, 0); | |
820 | } | |
821 | ||
66dbc325 MZ |
822 | /** |
823 | * evm_inode_post_removexattr - update 'security.evm' after removing the xattr | |
824 | * @dentry: pointer to the affected dentry | |
825 | * @xattr_name: pointer to the affected extended attribute name | |
826 | * | |
827 | * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. | |
7c51bb00 DK |
828 | * |
829 | * No need to take the i_mutex lock here, as this function is called from | |
830 | * vfs_removexattr() which takes the i_mutex. | |
66dbc325 | 831 | */ |
92383111 RS |
832 | static void evm_inode_post_removexattr(struct dentry *dentry, |
833 | const char *xattr_name) | |
66dbc325 | 834 | { |
e3ccfe1a | 835 | if (!evm_revalidate_status(xattr_name)) |
66dbc325 MZ |
836 | return; |
837 | ||
523b74b1 DK |
838 | evm_reset_status(dentry->d_inode); |
839 | ||
e3ccfe1a RS |
840 | if (!strcmp(xattr_name, XATTR_NAME_EVM)) |
841 | return; | |
842 | ||
4a804b8a RS |
843 | if (!(evm_initialized & EVM_INIT_HMAC)) |
844 | return; | |
845 | ||
66dbc325 | 846 | evm_update_evmxattr(dentry, xattr_name, NULL, 0); |
66dbc325 MZ |
847 | } |
848 | ||
92383111 RS |
849 | /** |
850 | * evm_inode_post_remove_acl - Update the EVM extended attribute from posix acls | |
851 | * @idmap: idmap of the mount | |
852 | * @dentry: pointer to the affected dentry | |
853 | * @acl_name: name of the posix acl | |
854 | * | |
855 | * Update the 'security.evm' xattr with the EVM HMAC re-calculated after | |
856 | * removing posix acls. | |
857 | */ | |
858 | static inline void evm_inode_post_remove_acl(struct mnt_idmap *idmap, | |
859 | struct dentry *dentry, | |
860 | const char *acl_name) | |
861 | { | |
862 | evm_inode_post_removexattr(dentry, acl_name); | |
863 | } | |
864 | ||
c1632a0f | 865 | static int evm_attr_change(struct mnt_idmap *idmap, |
0e363cf3 | 866 | struct dentry *dentry, struct iattr *attr) |
1886ab01 RS |
867 | { |
868 | struct inode *inode = d_backing_inode(dentry); | |
869 | unsigned int ia_valid = attr->ia_valid; | |
870 | ||
0dbe12f2 CB |
871 | if (!i_uid_needs_update(idmap, attr, inode) && |
872 | !i_gid_needs_update(idmap, attr, inode) && | |
1886ab01 RS |
873 | (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode)) |
874 | return 0; | |
875 | ||
876 | return 1; | |
877 | } | |
878 | ||
817b54aa MZ |
879 | /** |
880 | * evm_inode_setattr - prevent updating an invalid EVM extended attribute | |
b1de86d4 | 881 | * @idmap: idmap of the mount |
817b54aa | 882 | * @dentry: pointer to the affected dentry |
b1de86d4 | 883 | * @attr: iattr structure containing the new file attributes |
50b97748 MG |
884 | * |
885 | * Permit update of file attributes when files have a valid EVM signature, | |
886 | * except in the case of them having an immutable portable signature. | |
817b54aa | 887 | */ |
92383111 RS |
888 | static int evm_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, |
889 | struct iattr *attr) | |
817b54aa MZ |
890 | { |
891 | unsigned int ia_valid = attr->ia_valid; | |
892 | enum integrity_status evm_status; | |
893 | ||
ae1ba167 MG |
894 | /* Policy permits modification of the protected attrs even though |
895 | * there's no HMAC key loaded | |
896 | */ | |
897 | if (evm_initialized & EVM_ALLOW_METADATA_WRITES) | |
898 | return 0; | |
899 | ||
cd708c93 MZ |
900 | if (is_unsupported_fs(dentry)) |
901 | return 0; | |
902 | ||
a924ce0b | 903 | if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) |
817b54aa | 904 | return 0; |
cd708c93 | 905 | |
817b54aa | 906 | evm_status = evm_verify_current_integrity(dentry); |
cdef685b RS |
907 | /* |
908 | * Writing attrs is safe for portable signatures, as portable signatures | |
909 | * are immutable and can never be updated. | |
910 | */ | |
566be59a | 911 | if ((evm_status == INTEGRITY_PASS) || |
4a804b8a | 912 | (evm_status == INTEGRITY_NOXATTRS) || |
cdef685b | 913 | (evm_status == INTEGRITY_FAIL_IMMUTABLE) || |
4a804b8a RS |
914 | (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || |
915 | evm_status == INTEGRITY_UNKNOWN))) | |
566be59a | 916 | return 0; |
1886ab01 RS |
917 | |
918 | if (evm_status == INTEGRITY_PASS_IMMUTABLE && | |
c1632a0f | 919 | !evm_attr_change(idmap, dentry, attr)) |
1886ab01 RS |
920 | return 0; |
921 | ||
c6f493d6 | 922 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), |
9b97b6cd MZ |
923 | dentry->d_name.name, "appraise_metadata", |
924 | integrity_status_msg[evm_status], -EPERM, 0); | |
566be59a | 925 | return -EPERM; |
817b54aa MZ |
926 | } |
927 | ||
66dbc325 MZ |
928 | /** |
929 | * evm_inode_post_setattr - update 'security.evm' after modifying metadata | |
784111d0 | 930 | * @idmap: idmap of the idmapped mount |
66dbc325 MZ |
931 | * @dentry: pointer to the affected dentry |
932 | * @ia_valid: for the UID and GID status | |
933 | * | |
934 | * For now, update the HMAC stored in 'security.evm' to reflect UID/GID | |
935 | * changes. | |
936 | * | |
937 | * This function is called from notify_change(), which expects the caller | |
938 | * to lock the inode's i_mutex. | |
939 | */ | |
92383111 RS |
940 | static void evm_inode_post_setattr(struct mnt_idmap *idmap, |
941 | struct dentry *dentry, int ia_valid) | |
66dbc325 | 942 | { |
e3ccfe1a | 943 | if (!evm_revalidate_status(NULL)) |
66dbc325 MZ |
944 | return; |
945 | ||
e3ccfe1a RS |
946 | evm_reset_status(dentry->d_inode); |
947 | ||
4a804b8a RS |
948 | if (!(evm_initialized & EVM_INIT_HMAC)) |
949 | return; | |
950 | ||
cd708c93 MZ |
951 | if (is_unsupported_fs(dentry)) |
952 | return; | |
953 | ||
66dbc325 MZ |
954 | if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) |
955 | evm_update_evmxattr(dentry, NULL, NULL, 0); | |
66dbc325 MZ |
956 | } |
957 | ||
92383111 | 958 | static int evm_inode_copy_up_xattr(const char *name) |
40ca4ee3 MZ |
959 | { |
960 | if (strcmp(name, XATTR_NAME_EVM) == 0) | |
961 | return 1; /* Discard */ | |
962 | return -EOPNOTSUPP; | |
963 | } | |
964 | ||
cb723180 | 965 | /* |
9eea2904 | 966 | * evm_inode_init_security - initializes security.evm HMAC value |
cb723180 | 967 | */ |
6db7d1de RS |
968 | int evm_inode_init_security(struct inode *inode, struct inode *dir, |
969 | const struct qstr *qstr, struct xattr *xattrs, | |
970 | int *xattr_count) | |
cb723180 | 971 | { |
650b29db | 972 | struct evm_xattr *xattr_data; |
c31288e5 RS |
973 | struct xattr *xattr, *evm_xattr; |
974 | bool evm_protected_xattrs = false; | |
cb723180 MZ |
975 | int rc; |
976 | ||
c31288e5 RS |
977 | if (!(evm_initialized & EVM_INIT_HMAC) || !xattrs) |
978 | return 0; | |
979 | ||
980 | /* | |
981 | * security_inode_init_security() makes sure that the xattrs array is | |
982 | * contiguous, there is enough space for security.evm, and that there is | |
983 | * a terminator at the end of the array. | |
984 | */ | |
985 | for (xattr = xattrs; xattr->name; xattr++) { | |
986 | if (evm_protected_xattr(xattr->name)) | |
987 | evm_protected_xattrs = true; | |
988 | } | |
989 | ||
990 | /* EVM xattr not needed. */ | |
991 | if (!evm_protected_xattrs) | |
5a4730ba | 992 | return 0; |
cb723180 | 993 | |
6db7d1de | 994 | evm_xattr = lsm_get_xattr_slot(xattrs, xattr_count); |
c31288e5 RS |
995 | /* |
996 | * Array terminator (xattr name = NULL) must be the first non-filled | |
997 | * xattr slot. | |
998 | */ | |
999 | WARN_ONCE(evm_xattr != xattr, | |
1000 | "%s: xattrs terminator is not the first non-filled slot\n", | |
1001 | __func__); | |
6db7d1de | 1002 | |
cb723180 MZ |
1003 | xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); |
1004 | if (!xattr_data) | |
1005 | return -ENOMEM; | |
1006 | ||
650b29db | 1007 | xattr_data->data.type = EVM_XATTR_HMAC; |
6db7d1de | 1008 | rc = evm_init_hmac(inode, xattrs, xattr_data->digest); |
cb723180 MZ |
1009 | if (rc < 0) |
1010 | goto out; | |
1011 | ||
1012 | evm_xattr->value = xattr_data; | |
1013 | evm_xattr->value_len = sizeof(*xattr_data); | |
9548906b | 1014 | evm_xattr->name = XATTR_EVM_SUFFIX; |
cb723180 MZ |
1015 | return 0; |
1016 | out: | |
1017 | kfree(xattr_data); | |
1018 | return rc; | |
1019 | } | |
1020 | EXPORT_SYMBOL_GPL(evm_inode_init_security); | |
1021 | ||
2ce523eb DK |
1022 | #ifdef CONFIG_EVM_LOAD_X509 |
1023 | void __init evm_load_x509(void) | |
1024 | { | |
26ddabfe DK |
1025 | int rc; |
1026 | ||
1027 | rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); | |
1028 | if (!rc) | |
1029 | evm_initialized |= EVM_INIT_X509; | |
2ce523eb DK |
1030 | } |
1031 | #endif | |
1032 | ||
66dbc325 MZ |
1033 | static int __init init_evm(void) |
1034 | { | |
1035 | int error; | |
21af7663 | 1036 | struct list_head *pos, *q; |
66dbc325 | 1037 | |
d3b33679 DK |
1038 | evm_init_config(); |
1039 | ||
f4dc3778 DK |
1040 | error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); |
1041 | if (error) | |
21af7663 | 1042 | goto error; |
f4dc3778 | 1043 | |
66dbc325 MZ |
1044 | error = evm_init_secfs(); |
1045 | if (error < 0) { | |
20ee451f | 1046 | pr_info("Error registering secfs\n"); |
21af7663 | 1047 | goto error; |
66dbc325 | 1048 | } |
15647eb3 | 1049 | |
21af7663 MG |
1050 | error: |
1051 | if (error != 0) { | |
1052 | if (!list_empty(&evm_config_xattrnames)) { | |
c8b37524 | 1053 | list_for_each_safe(pos, q, &evm_config_xattrnames) |
21af7663 | 1054 | list_del(pos); |
21af7663 MG |
1055 | } |
1056 | } | |
66dbc325 | 1057 | |
21af7663 | 1058 | return error; |
66dbc325 MZ |
1059 | } |
1060 | ||
92383111 RS |
1061 | static struct security_hook_list evm_hooks[] __ro_after_init = { |
1062 | LSM_HOOK_INIT(inode_setattr, evm_inode_setattr), | |
1063 | LSM_HOOK_INIT(inode_post_setattr, evm_inode_post_setattr), | |
1064 | LSM_HOOK_INIT(inode_copy_up_xattr, evm_inode_copy_up_xattr), | |
1065 | LSM_HOOK_INIT(inode_setxattr, evm_inode_setxattr), | |
1066 | LSM_HOOK_INIT(inode_post_setxattr, evm_inode_post_setxattr), | |
1067 | LSM_HOOK_INIT(inode_set_acl, evm_inode_set_acl), | |
1068 | LSM_HOOK_INIT(inode_post_set_acl, evm_inode_post_set_acl), | |
1069 | LSM_HOOK_INIT(inode_remove_acl, evm_inode_remove_acl), | |
1070 | LSM_HOOK_INIT(inode_post_remove_acl, evm_inode_post_remove_acl), | |
1071 | LSM_HOOK_INIT(inode_removexattr, evm_inode_removexattr), | |
1072 | LSM_HOOK_INIT(inode_post_removexattr, evm_inode_post_removexattr), | |
1073 | LSM_HOOK_INIT(inode_init_security, evm_inode_init_security), | |
1074 | }; | |
1075 | ||
1076 | static const struct lsm_id evm_lsmid = { | |
1077 | .name = "evm", | |
1078 | .id = LSM_ID_EVM, | |
1079 | }; | |
1080 | ||
1081 | static int __init init_evm_lsm(void) | |
1082 | { | |
1083 | security_add_hooks(evm_hooks, ARRAY_SIZE(evm_hooks), &evm_lsmid); | |
1084 | return 0; | |
1085 | } | |
1086 | ||
1087 | DEFINE_LSM(evm) = { | |
1088 | .name = "evm", | |
1089 | .init = init_evm_lsm, | |
1090 | .order = LSM_ORDER_LAST, | |
1091 | }; | |
1092 | ||
66dbc325 | 1093 | late_initcall(init_evm); |