Commit | Line | Data |
---|---|---|
b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
66dbc325 MZ |
2 | /* |
3 | * Copyright (C) 2005-2010 IBM Corporation | |
4 | * | |
5 | * Author: | |
6 | * Mimi Zohar <zohar@us.ibm.com> | |
7 | * Kylene Hall <kjhall@us.ibm.com> | |
8 | * | |
66dbc325 MZ |
9 | * File: evm_main.c |
10 | * implements evm_inode_setxattr, evm_inode_post_setxattr, | |
11 | * evm_inode_removexattr, and evm_verifyxattr | |
12 | */ | |
13 | ||
3aafb1fb | 14 | #include <linux/init.h> |
66dbc325 | 15 | #include <linux/crypto.h> |
9b97b6cd | 16 | #include <linux/audit.h> |
66dbc325 MZ |
17 | #include <linux/xattr.h> |
18 | #include <linux/integrity.h> | |
3e1be52d | 19 | #include <linux/evm.h> |
50d34394 IM |
20 | #include <linux/magic.h> |
21 | ||
d46eb369 | 22 | #include <crypto/hash.h> |
5feeb611 | 23 | #include <crypto/hash_info.h> |
613317bd | 24 | #include <crypto/algapi.h> |
66dbc325 MZ |
25 | #include "evm.h" |
26 | ||
27 | int evm_initialized; | |
28 | ||
17d7b0af | 29 | static const char * const integrity_status_msg[] = { |
cdef685b RS |
30 | "pass", "pass_immutable", "fail", "fail_immutable", "no_label", |
31 | "no_xattrs", "unknown" | |
9b97b6cd | 32 | }; |
d3b33679 | 33 | int evm_hmac_attrs; |
66dbc325 | 34 | |
fa516b66 | 35 | static struct xattr_list evm_config_default_xattrnames[] = { |
66dbc325 | 36 | #ifdef CONFIG_SECURITY_SELINUX |
21af7663 | 37 | {.name = XATTR_NAME_SELINUX}, |
66dbc325 MZ |
38 | #endif |
39 | #ifdef CONFIG_SECURITY_SMACK | |
21af7663 | 40 | {.name = XATTR_NAME_SMACK}, |
3e38df56 | 41 | #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS |
21af7663 MG |
42 | {.name = XATTR_NAME_SMACKEXEC}, |
43 | {.name = XATTR_NAME_SMACKTRANSMUTE}, | |
44 | {.name = XATTR_NAME_SMACKMMAP}, | |
3e38df56 | 45 | #endif |
2fe5d6de | 46 | #endif |
096b8546 | 47 | #ifdef CONFIG_SECURITY_APPARMOR |
21af7663 | 48 | {.name = XATTR_NAME_APPARMOR}, |
096b8546 | 49 | #endif |
2fe5d6de | 50 | #ifdef CONFIG_IMA_APPRAISE |
21af7663 | 51 | {.name = XATTR_NAME_IMA}, |
66dbc325 | 52 | #endif |
21af7663 | 53 | {.name = XATTR_NAME_CAPS}, |
66dbc325 MZ |
54 | }; |
55 | ||
21af7663 MG |
56 | LIST_HEAD(evm_config_xattrnames); |
57 | ||
7102ebcd MZ |
58 | static int evm_fixmode; |
59 | static int __init evm_set_fixmode(char *str) | |
60 | { | |
61 | if (strncmp(str, "fix", 3) == 0) | |
62 | evm_fixmode = 1; | |
7fe2bb7e BM |
63 | else |
64 | pr_err("invalid \"%s\" mode", str); | |
65 | ||
7102ebcd MZ |
66 | return 0; |
67 | } | |
68 | __setup("evm=", evm_set_fixmode); | |
69 | ||
d3b33679 DK |
70 | static void __init evm_init_config(void) |
71 | { | |
21af7663 MG |
72 | int i, xattrs; |
73 | ||
74 | xattrs = ARRAY_SIZE(evm_config_default_xattrnames); | |
75 | ||
76 | pr_info("Initialising EVM extended attributes:\n"); | |
77 | for (i = 0; i < xattrs; i++) { | |
78 | pr_info("%s\n", evm_config_default_xattrnames[i].name); | |
79 | list_add_tail(&evm_config_default_xattrnames[i].list, | |
80 | &evm_config_xattrnames); | |
81 | } | |
82 | ||
d3b33679 DK |
83 | #ifdef CONFIG_EVM_ATTR_FSUUID |
84 | evm_hmac_attrs |= EVM_ATTR_FSUUID; | |
85 | #endif | |
86 | pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); | |
87 | } | |
88 | ||
ae1ba167 MG |
89 | static bool evm_key_loaded(void) |
90 | { | |
91 | return (bool)(evm_initialized & EVM_KEY_MASK); | |
92 | } | |
93 | ||
4a804b8a RS |
94 | /* |
95 | * This function determines whether or not it is safe to ignore verification | |
96 | * errors, based on the ability of EVM to calculate HMACs. If the HMAC key | |
97 | * is not loaded, and it cannot be loaded in the future due to the | |
98 | * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the | |
99 | * attrs/xattrs being found invalid will not make them valid. | |
100 | */ | |
101 | static bool evm_hmac_disabled(void) | |
102 | { | |
103 | if (evm_initialized & EVM_INIT_HMAC) | |
104 | return false; | |
105 | ||
106 | if (!(evm_initialized & EVM_SETUP_COMPLETE)) | |
107 | return false; | |
108 | ||
109 | return true; | |
110 | } | |
111 | ||
15647eb3 DK |
112 | static int evm_find_protected_xattrs(struct dentry *dentry) |
113 | { | |
c6f493d6 | 114 | struct inode *inode = d_backing_inode(dentry); |
21af7663 | 115 | struct xattr_list *xattr; |
15647eb3 DK |
116 | int error; |
117 | int count = 0; | |
118 | ||
5d6c3191 | 119 | if (!(inode->i_opflags & IOP_XATTR)) |
15647eb3 DK |
120 | return -EOPNOTSUPP; |
121 | ||
770f6058 | 122 | list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { |
21af7663 | 123 | error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); |
15647eb3 DK |
124 | if (error < 0) { |
125 | if (error == -ENODATA) | |
126 | continue; | |
127 | return error; | |
128 | } | |
129 | count++; | |
130 | } | |
131 | ||
132 | return count; | |
133 | } | |
134 | ||
66dbc325 MZ |
135 | /* |
136 | * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr | |
137 | * | |
138 | * Compute the HMAC on the dentry's protected set of extended attributes | |
7102ebcd MZ |
139 | * and compare it against the stored security.evm xattr. |
140 | * | |
141 | * For performance: | |
142 | * - use the previoulsy retrieved xattr value and length to calculate the | |
143 | * HMAC.) | |
144 | * - cache the verification result in the iint, when available. | |
66dbc325 MZ |
145 | * |
146 | * Returns integrity status | |
147 | */ | |
148 | static enum integrity_status evm_verify_hmac(struct dentry *dentry, | |
149 | const char *xattr_name, | |
150 | char *xattr_value, | |
151 | size_t xattr_value_len, | |
152 | struct integrity_iint_cache *iint) | |
153 | { | |
15647eb3 | 154 | struct evm_ima_xattr_data *xattr_data = NULL; |
5feeb611 | 155 | struct signature_v2_hdr *hdr; |
566be59a | 156 | enum integrity_status evm_status = INTEGRITY_PASS; |
5feeb611 | 157 | struct evm_digest digest; |
70946c4a | 158 | struct inode *inode; |
cdef685b | 159 | int rc, xattr_len, evm_immutable = 0; |
66dbc325 | 160 | |
50b97748 MG |
161 | if (iint && (iint->evm_status == INTEGRITY_PASS || |
162 | iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) | |
24e0198e | 163 | return iint->evm_status; |
66dbc325 | 164 | |
6d38ca01 DK |
165 | /* if status is not PASS, try to check again - against -ENOMEM */ |
166 | ||
15647eb3 | 167 | /* first need to know the sig type */ |
c7c7a1a1 TA |
168 | rc = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_EVM, |
169 | (char **)&xattr_data, 0, GFP_NOFS); | |
15647eb3 | 170 | if (rc <= 0) { |
1f100979 DK |
171 | evm_status = INTEGRITY_FAIL; |
172 | if (rc == -ENODATA) { | |
15647eb3 DK |
173 | rc = evm_find_protected_xattrs(dentry); |
174 | if (rc > 0) | |
175 | evm_status = INTEGRITY_NOLABEL; | |
176 | else if (rc == 0) | |
177 | evm_status = INTEGRITY_NOXATTRS; /* new file */ | |
1f100979 DK |
178 | } else if (rc == -EOPNOTSUPP) { |
179 | evm_status = INTEGRITY_UNKNOWN; | |
15647eb3 | 180 | } |
566be59a MZ |
181 | goto out; |
182 | } | |
66dbc325 | 183 | |
b1aaab22 | 184 | xattr_len = rc; |
15647eb3 DK |
185 | |
186 | /* check value type */ | |
187 | switch (xattr_data->type) { | |
188 | case EVM_XATTR_HMAC: | |
650b29db | 189 | if (xattr_len != sizeof(struct evm_xattr)) { |
b4bfec7f SF |
190 | evm_status = INTEGRITY_FAIL; |
191 | goto out; | |
192 | } | |
5feeb611 MG |
193 | |
194 | digest.hdr.algo = HASH_ALGO_SHA1; | |
15647eb3 | 195 | rc = evm_calc_hmac(dentry, xattr_name, xattr_value, |
5feeb611 | 196 | xattr_value_len, &digest); |
15647eb3 DK |
197 | if (rc) |
198 | break; | |
650b29db | 199 | rc = crypto_memneq(xattr_data->data, digest.digest, |
5feeb611 | 200 | SHA1_DIGEST_SIZE); |
15647eb3 DK |
201 | if (rc) |
202 | rc = -EINVAL; | |
203 | break; | |
50b97748 | 204 | case EVM_XATTR_PORTABLE_DIGSIG: |
cdef685b RS |
205 | evm_immutable = 1; |
206 | fallthrough; | |
207 | case EVM_IMA_XATTR_DIGSIG: | |
455b6c91 RS |
208 | /* accept xattr with non-empty signature field */ |
209 | if (xattr_len <= sizeof(struct signature_v2_hdr)) { | |
210 | evm_status = INTEGRITY_FAIL; | |
211 | goto out; | |
212 | } | |
213 | ||
5feeb611 MG |
214 | hdr = (struct signature_v2_hdr *)xattr_data; |
215 | digest.hdr.algo = hdr->hash_algo; | |
15647eb3 | 216 | rc = evm_calc_hash(dentry, xattr_name, xattr_value, |
5feeb611 | 217 | xattr_value_len, xattr_data->type, &digest); |
15647eb3 DK |
218 | if (rc) |
219 | break; | |
220 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, | |
b1aaab22 | 221 | (const char *)xattr_data, xattr_len, |
5feeb611 | 222 | digest.digest, digest.hdr.length); |
15647eb3 | 223 | if (!rc) { |
70946c4a SH |
224 | inode = d_backing_inode(dentry); |
225 | ||
50b97748 MG |
226 | if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { |
227 | if (iint) | |
228 | iint->flags |= EVM_IMMUTABLE_DIGSIG; | |
229 | evm_status = INTEGRITY_PASS_IMMUTABLE; | |
70946c4a SH |
230 | } else if (!IS_RDONLY(inode) && |
231 | !(inode->i_sb->s_readonly_remount) && | |
232 | !IS_IMMUTABLE(inode)) { | |
c2baec7f DK |
233 | evm_update_evmxattr(dentry, xattr_name, |
234 | xattr_value, | |
235 | xattr_value_len); | |
50b97748 | 236 | } |
15647eb3 DK |
237 | } |
238 | break; | |
239 | default: | |
240 | rc = -EINVAL; | |
241 | break; | |
242 | } | |
243 | ||
cdef685b RS |
244 | if (rc) { |
245 | if (rc == -ENODATA) | |
246 | evm_status = INTEGRITY_NOXATTRS; | |
247 | else if (evm_immutable) | |
248 | evm_status = INTEGRITY_FAIL_IMMUTABLE; | |
249 | else | |
250 | evm_status = INTEGRITY_FAIL; | |
251 | } | |
7102ebcd MZ |
252 | out: |
253 | if (iint) | |
254 | iint->evm_status = evm_status; | |
15647eb3 | 255 | kfree(xattr_data); |
7102ebcd | 256 | return evm_status; |
66dbc325 MZ |
257 | } |
258 | ||
259 | static int evm_protected_xattr(const char *req_xattr_name) | |
260 | { | |
66dbc325 MZ |
261 | int namelen; |
262 | int found = 0; | |
21af7663 | 263 | struct xattr_list *xattr; |
66dbc325 MZ |
264 | |
265 | namelen = strlen(req_xattr_name); | |
770f6058 | 266 | list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) { |
21af7663 MG |
267 | if ((strlen(xattr->name) == namelen) |
268 | && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { | |
66dbc325 MZ |
269 | found = 1; |
270 | break; | |
271 | } | |
cb723180 | 272 | if (strncmp(req_xattr_name, |
21af7663 | 273 | xattr->name + XATTR_SECURITY_PREFIX_LEN, |
cb723180 MZ |
274 | strlen(req_xattr_name)) == 0) { |
275 | found = 1; | |
276 | break; | |
277 | } | |
66dbc325 | 278 | } |
21af7663 | 279 | |
66dbc325 MZ |
280 | return found; |
281 | } | |
282 | ||
283 | /** | |
284 | * evm_verifyxattr - verify the integrity of the requested xattr | |
285 | * @dentry: object of the verify xattr | |
286 | * @xattr_name: requested xattr | |
287 | * @xattr_value: requested xattr value | |
288 | * @xattr_value_len: requested xattr value length | |
289 | * | |
290 | * Calculate the HMAC for the given dentry and verify it against the stored | |
291 | * security.evm xattr. For performance, use the xattr value and length | |
292 | * previously retrieved to calculate the HMAC. | |
293 | * | |
294 | * Returns the xattr integrity status. | |
295 | * | |
296 | * This function requires the caller to lock the inode's i_mutex before it | |
297 | * is executed. | |
298 | */ | |
299 | enum integrity_status evm_verifyxattr(struct dentry *dentry, | |
300 | const char *xattr_name, | |
2960e6cb DK |
301 | void *xattr_value, size_t xattr_value_len, |
302 | struct integrity_iint_cache *iint) | |
66dbc325 | 303 | { |
ae1ba167 | 304 | if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) |
66dbc325 MZ |
305 | return INTEGRITY_UNKNOWN; |
306 | ||
2960e6cb | 307 | if (!iint) { |
c6f493d6 | 308 | iint = integrity_iint_find(d_backing_inode(dentry)); |
2960e6cb DK |
309 | if (!iint) |
310 | return INTEGRITY_UNKNOWN; | |
311 | } | |
312 | return evm_verify_hmac(dentry, xattr_name, xattr_value, | |
66dbc325 | 313 | xattr_value_len, iint); |
66dbc325 MZ |
314 | } |
315 | EXPORT_SYMBOL_GPL(evm_verifyxattr); | |
316 | ||
7102ebcd MZ |
317 | /* |
318 | * evm_verify_current_integrity - verify the dentry's metadata integrity | |
319 | * @dentry: pointer to the affected dentry | |
320 | * | |
321 | * Verify and return the dentry's metadata integrity. The exceptions are | |
322 | * before EVM is initialized or in 'fix' mode. | |
323 | */ | |
324 | static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) | |
325 | { | |
c6f493d6 | 326 | struct inode *inode = d_backing_inode(dentry); |
7102ebcd | 327 | |
ae1ba167 | 328 | if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) |
7102ebcd MZ |
329 | return 0; |
330 | return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); | |
331 | } | |
332 | ||
a924ce0b MZ |
333 | /* |
334 | * evm_protect_xattr - protect the EVM extended attribute | |
335 | * | |
bf6d0f5d MZ |
336 | * Prevent security.evm from being modified or removed without the |
337 | * necessary permissions or when the existing value is invalid. | |
338 | * | |
339 | * The posix xattr acls are 'system' prefixed, which normally would not | |
340 | * affect security.evm. An interesting side affect of writing posix xattr | |
341 | * acls is their modifying of the i_mode, which is included in security.evm. | |
342 | * For posix xattr acls only, permit security.evm, even if it currently | |
50b97748 | 343 | * doesn't exist, to be updated unless the EVM signature is immutable. |
a924ce0b MZ |
344 | */ |
345 | static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, | |
346 | const void *xattr_value, size_t xattr_value_len) | |
347 | { | |
348 | enum integrity_status evm_status; | |
349 | ||
350 | if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { | |
351 | if (!capable(CAP_SYS_ADMIN)) | |
352 | return -EPERM; | |
bf6d0f5d MZ |
353 | } else if (!evm_protected_xattr(xattr_name)) { |
354 | if (!posix_xattr_acl(xattr_name)) | |
355 | return 0; | |
356 | evm_status = evm_verify_current_integrity(dentry); | |
357 | if ((evm_status == INTEGRITY_PASS) || | |
566be59a | 358 | (evm_status == INTEGRITY_NOXATTRS)) |
bf6d0f5d | 359 | return 0; |
9b97b6cd | 360 | goto out; |
bf6d0f5d | 361 | } |
ae1ba167 | 362 | |
a924ce0b | 363 | evm_status = evm_verify_current_integrity(dentry); |
3dcbad52 DK |
364 | if (evm_status == INTEGRITY_NOXATTRS) { |
365 | struct integrity_iint_cache *iint; | |
366 | ||
4a804b8a RS |
367 | /* Exception if the HMAC is not going to be calculated. */ |
368 | if (evm_hmac_disabled()) | |
369 | return 0; | |
370 | ||
c6f493d6 | 371 | iint = integrity_iint_find(d_backing_inode(dentry)); |
3dcbad52 DK |
372 | if (iint && (iint->flags & IMA_NEW_FILE)) |
373 | return 0; | |
5101a185 MZ |
374 | |
375 | /* exception for pseudo filesystems */ | |
fc64005c AV |
376 | if (dentry->d_sb->s_magic == TMPFS_MAGIC |
377 | || dentry->d_sb->s_magic == SYSFS_MAGIC) | |
5101a185 MZ |
378 | return 0; |
379 | ||
380 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, | |
381 | dentry->d_inode, dentry->d_name.name, | |
382 | "update_metadata", | |
383 | integrity_status_msg[evm_status], | |
384 | -EPERM, 0); | |
3dcbad52 | 385 | } |
9b97b6cd | 386 | out: |
4a804b8a RS |
387 | /* Exception if the HMAC is not going to be calculated. */ |
388 | if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || | |
389 | evm_status == INTEGRITY_UNKNOWN)) | |
390 | return 0; | |
cdef685b RS |
391 | |
392 | /* | |
393 | * Writing other xattrs is safe for portable signatures, as portable | |
394 | * signatures are immutable and can never be updated. | |
395 | */ | |
396 | if (evm_status == INTEGRITY_FAIL_IMMUTABLE) | |
397 | return 0; | |
398 | ||
9b97b6cd | 399 | if (evm_status != INTEGRITY_PASS) |
c6f493d6 | 400 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), |
9b97b6cd MZ |
401 | dentry->d_name.name, "appraise_metadata", |
402 | integrity_status_msg[evm_status], | |
403 | -EPERM, 0); | |
a924ce0b MZ |
404 | return evm_status == INTEGRITY_PASS ? 0 : -EPERM; |
405 | } | |
406 | ||
66dbc325 MZ |
407 | /** |
408 | * evm_inode_setxattr - protect the EVM extended attribute | |
409 | * @dentry: pointer to the affected dentry | |
410 | * @xattr_name: pointer to the affected extended attribute name | |
411 | * @xattr_value: pointer to the new extended attribute value | |
412 | * @xattr_value_len: pointer to the new extended attribute value length | |
413 | * | |
2fb1c9a4 MZ |
414 | * Before allowing the 'security.evm' protected xattr to be updated, |
415 | * verify the existing value is valid. As only the kernel should have | |
416 | * access to the EVM encrypted key needed to calculate the HMAC, prevent | |
417 | * userspace from writing HMAC value. Writing 'security.evm' requires | |
418 | * requires CAP_SYS_ADMIN privileges. | |
66dbc325 MZ |
419 | */ |
420 | int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, | |
421 | const void *xattr_value, size_t xattr_value_len) | |
422 | { | |
2fb1c9a4 MZ |
423 | const struct evm_ima_xattr_data *xattr_data = xattr_value; |
424 | ||
ae1ba167 MG |
425 | /* Policy permits modification of the protected xattrs even though |
426 | * there's no HMAC key loaded | |
427 | */ | |
428 | if (evm_initialized & EVM_ALLOW_METADATA_WRITES) | |
429 | return 0; | |
430 | ||
3b1deef6 DK |
431 | if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { |
432 | if (!xattr_value_len) | |
433 | return -EINVAL; | |
50b97748 MG |
434 | if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && |
435 | xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) | |
3b1deef6 DK |
436 | return -EPERM; |
437 | } | |
a924ce0b MZ |
438 | return evm_protect_xattr(dentry, xattr_name, xattr_value, |
439 | xattr_value_len); | |
66dbc325 MZ |
440 | } |
441 | ||
442 | /** | |
443 | * evm_inode_removexattr - protect the EVM extended attribute | |
444 | * @dentry: pointer to the affected dentry | |
445 | * @xattr_name: pointer to the affected extended attribute name | |
446 | * | |
7102ebcd MZ |
447 | * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that |
448 | * the current value is valid. | |
66dbc325 MZ |
449 | */ |
450 | int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) | |
451 | { | |
ae1ba167 MG |
452 | /* Policy permits modification of the protected xattrs even though |
453 | * there's no HMAC key loaded | |
454 | */ | |
455 | if (evm_initialized & EVM_ALLOW_METADATA_WRITES) | |
456 | return 0; | |
457 | ||
a924ce0b | 458 | return evm_protect_xattr(dentry, xattr_name, NULL, 0); |
66dbc325 MZ |
459 | } |
460 | ||
523b74b1 DK |
461 | static void evm_reset_status(struct inode *inode) |
462 | { | |
463 | struct integrity_iint_cache *iint; | |
464 | ||
465 | iint = integrity_iint_find(inode); | |
466 | if (iint) | |
467 | iint->evm_status = INTEGRITY_UNKNOWN; | |
468 | } | |
469 | ||
e3ccfe1a RS |
470 | /** |
471 | * evm_revalidate_status - report whether EVM status re-validation is necessary | |
472 | * @xattr_name: pointer to the affected extended attribute name | |
473 | * | |
474 | * Report whether callers of evm_verifyxattr() should re-validate the | |
475 | * EVM status. | |
476 | * | |
477 | * Return true if re-validation is necessary, false otherwise. | |
478 | */ | |
479 | bool evm_revalidate_status(const char *xattr_name) | |
480 | { | |
481 | if (!evm_key_loaded()) | |
482 | return false; | |
483 | ||
484 | /* evm_inode_post_setattr() passes NULL */ | |
485 | if (!xattr_name) | |
486 | return true; | |
487 | ||
488 | if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) && | |
489 | strcmp(xattr_name, XATTR_NAME_EVM)) | |
490 | return false; | |
491 | ||
492 | return true; | |
493 | } | |
494 | ||
66dbc325 MZ |
495 | /** |
496 | * evm_inode_post_setxattr - update 'security.evm' to reflect the changes | |
497 | * @dentry: pointer to the affected dentry | |
498 | * @xattr_name: pointer to the affected extended attribute name | |
499 | * @xattr_value: pointer to the new extended attribute value | |
500 | * @xattr_value_len: pointer to the new extended attribute value length | |
501 | * | |
502 | * Update the HMAC stored in 'security.evm' to reflect the change. | |
503 | * | |
504 | * No need to take the i_mutex lock here, as this function is called from | |
505 | * __vfs_setxattr_noperm(). The caller of which has taken the inode's | |
506 | * i_mutex lock. | |
507 | */ | |
508 | void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, | |
509 | const void *xattr_value, size_t xattr_value_len) | |
510 | { | |
e3ccfe1a | 511 | if (!evm_revalidate_status(xattr_name)) |
66dbc325 MZ |
512 | return; |
513 | ||
523b74b1 DK |
514 | evm_reset_status(dentry->d_inode); |
515 | ||
e3ccfe1a RS |
516 | if (!strcmp(xattr_name, XATTR_NAME_EVM)) |
517 | return; | |
518 | ||
4a804b8a RS |
519 | if (!(evm_initialized & EVM_INIT_HMAC)) |
520 | return; | |
521 | ||
66dbc325 | 522 | evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); |
66dbc325 MZ |
523 | } |
524 | ||
525 | /** | |
526 | * evm_inode_post_removexattr - update 'security.evm' after removing the xattr | |
527 | * @dentry: pointer to the affected dentry | |
528 | * @xattr_name: pointer to the affected extended attribute name | |
529 | * | |
530 | * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. | |
7c51bb00 DK |
531 | * |
532 | * No need to take the i_mutex lock here, as this function is called from | |
533 | * vfs_removexattr() which takes the i_mutex. | |
66dbc325 MZ |
534 | */ |
535 | void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) | |
536 | { | |
e3ccfe1a | 537 | if (!evm_revalidate_status(xattr_name)) |
66dbc325 MZ |
538 | return; |
539 | ||
523b74b1 DK |
540 | evm_reset_status(dentry->d_inode); |
541 | ||
e3ccfe1a RS |
542 | if (!strcmp(xattr_name, XATTR_NAME_EVM)) |
543 | return; | |
544 | ||
4a804b8a RS |
545 | if (!(evm_initialized & EVM_INIT_HMAC)) |
546 | return; | |
547 | ||
66dbc325 | 548 | evm_update_evmxattr(dentry, xattr_name, NULL, 0); |
66dbc325 MZ |
549 | } |
550 | ||
817b54aa MZ |
551 | /** |
552 | * evm_inode_setattr - prevent updating an invalid EVM extended attribute | |
553 | * @dentry: pointer to the affected dentry | |
50b97748 MG |
554 | * |
555 | * Permit update of file attributes when files have a valid EVM signature, | |
556 | * except in the case of them having an immutable portable signature. | |
817b54aa MZ |
557 | */ |
558 | int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) | |
559 | { | |
560 | unsigned int ia_valid = attr->ia_valid; | |
561 | enum integrity_status evm_status; | |
562 | ||
ae1ba167 MG |
563 | /* Policy permits modification of the protected attrs even though |
564 | * there's no HMAC key loaded | |
565 | */ | |
566 | if (evm_initialized & EVM_ALLOW_METADATA_WRITES) | |
567 | return 0; | |
568 | ||
a924ce0b | 569 | if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) |
817b54aa MZ |
570 | return 0; |
571 | evm_status = evm_verify_current_integrity(dentry); | |
cdef685b RS |
572 | /* |
573 | * Writing attrs is safe for portable signatures, as portable signatures | |
574 | * are immutable and can never be updated. | |
575 | */ | |
566be59a | 576 | if ((evm_status == INTEGRITY_PASS) || |
4a804b8a | 577 | (evm_status == INTEGRITY_NOXATTRS) || |
cdef685b | 578 | (evm_status == INTEGRITY_FAIL_IMMUTABLE) || |
4a804b8a RS |
579 | (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || |
580 | evm_status == INTEGRITY_UNKNOWN))) | |
566be59a | 581 | return 0; |
c6f493d6 | 582 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), |
9b97b6cd MZ |
583 | dentry->d_name.name, "appraise_metadata", |
584 | integrity_status_msg[evm_status], -EPERM, 0); | |
566be59a | 585 | return -EPERM; |
817b54aa MZ |
586 | } |
587 | ||
66dbc325 MZ |
588 | /** |
589 | * evm_inode_post_setattr - update 'security.evm' after modifying metadata | |
590 | * @dentry: pointer to the affected dentry | |
591 | * @ia_valid: for the UID and GID status | |
592 | * | |
593 | * For now, update the HMAC stored in 'security.evm' to reflect UID/GID | |
594 | * changes. | |
595 | * | |
596 | * This function is called from notify_change(), which expects the caller | |
597 | * to lock the inode's i_mutex. | |
598 | */ | |
599 | void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) | |
600 | { | |
e3ccfe1a | 601 | if (!evm_revalidate_status(NULL)) |
66dbc325 MZ |
602 | return; |
603 | ||
e3ccfe1a RS |
604 | evm_reset_status(dentry->d_inode); |
605 | ||
4a804b8a RS |
606 | if (!(evm_initialized & EVM_INIT_HMAC)) |
607 | return; | |
608 | ||
66dbc325 MZ |
609 | if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) |
610 | evm_update_evmxattr(dentry, NULL, NULL, 0); | |
66dbc325 MZ |
611 | } |
612 | ||
cb723180 | 613 | /* |
9eea2904 | 614 | * evm_inode_init_security - initializes security.evm HMAC value |
cb723180 MZ |
615 | */ |
616 | int evm_inode_init_security(struct inode *inode, | |
617 | const struct xattr *lsm_xattr, | |
618 | struct xattr *evm_xattr) | |
619 | { | |
650b29db | 620 | struct evm_xattr *xattr_data; |
cb723180 MZ |
621 | int rc; |
622 | ||
9eea2904 RS |
623 | if (!(evm_initialized & EVM_INIT_HMAC) || |
624 | !evm_protected_xattr(lsm_xattr->name)) | |
5a4730ba | 625 | return 0; |
cb723180 MZ |
626 | |
627 | xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); | |
628 | if (!xattr_data) | |
629 | return -ENOMEM; | |
630 | ||
650b29db | 631 | xattr_data->data.type = EVM_XATTR_HMAC; |
cb723180 MZ |
632 | rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); |
633 | if (rc < 0) | |
634 | goto out; | |
635 | ||
636 | evm_xattr->value = xattr_data; | |
637 | evm_xattr->value_len = sizeof(*xattr_data); | |
9548906b | 638 | evm_xattr->name = XATTR_EVM_SUFFIX; |
cb723180 MZ |
639 | return 0; |
640 | out: | |
641 | kfree(xattr_data); | |
642 | return rc; | |
643 | } | |
644 | EXPORT_SYMBOL_GPL(evm_inode_init_security); | |
645 | ||
2ce523eb DK |
646 | #ifdef CONFIG_EVM_LOAD_X509 |
647 | void __init evm_load_x509(void) | |
648 | { | |
26ddabfe DK |
649 | int rc; |
650 | ||
651 | rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); | |
652 | if (!rc) | |
653 | evm_initialized |= EVM_INIT_X509; | |
2ce523eb DK |
654 | } |
655 | #endif | |
656 | ||
66dbc325 MZ |
657 | static int __init init_evm(void) |
658 | { | |
659 | int error; | |
21af7663 | 660 | struct list_head *pos, *q; |
66dbc325 | 661 | |
d3b33679 DK |
662 | evm_init_config(); |
663 | ||
f4dc3778 DK |
664 | error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); |
665 | if (error) | |
21af7663 | 666 | goto error; |
f4dc3778 | 667 | |
66dbc325 MZ |
668 | error = evm_init_secfs(); |
669 | if (error < 0) { | |
20ee451f | 670 | pr_info("Error registering secfs\n"); |
21af7663 | 671 | goto error; |
66dbc325 | 672 | } |
15647eb3 | 673 | |
21af7663 MG |
674 | error: |
675 | if (error != 0) { | |
676 | if (!list_empty(&evm_config_xattrnames)) { | |
c8b37524 | 677 | list_for_each_safe(pos, q, &evm_config_xattrnames) |
21af7663 | 678 | list_del(pos); |
21af7663 MG |
679 | } |
680 | } | |
66dbc325 | 681 | |
21af7663 | 682 | return error; |
66dbc325 MZ |
683 | } |
684 | ||
66dbc325 | 685 | late_initcall(init_evm); |