projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
evm: Allow xattr/attr operations for portable signatures
[linux-2.6-block.git] / security / integrity / evm / evm_main.c
CommitLineData
b886d83c 1// SPDX-License-Identifier: GPL-2.0-only
66dbc325
MZ		 2/*
3 * Copyright (C) 2005-2010 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
7 * Kylene Hall <kjhall@us.ibm.com>
8 *
66dbc325
MZ		 9 * File: evm_main.c
10 * implements evm_inode_setxattr, evm_inode_post_setxattr,
11 * evm_inode_removexattr, and evm_verifyxattr
12 */
13
3aafb1fb 14#include <linux/init.h>
66dbc325 15#include <linux/crypto.h>
9b97b6cd 16#include <linux/audit.h>
66dbc325
MZ		 17#include <linux/xattr.h>
18#include <linux/integrity.h>
3e1be52d 19#include <linux/evm.h>
50d34394
IM		 20#include <linux/magic.h>
21
d46eb369 22#include <crypto/hash.h>
5feeb611 23#include <crypto/hash_info.h>
613317bd 24#include <crypto/algapi.h>
66dbc325
MZ		 25#include "evm.h"
26
27int evm_initialized;
28
17d7b0af 29static const char * const integrity_status_msg[] = {
cdef685b
RS		 30 "pass", "pass_immutable", "fail", "fail_immutable", "no_label",
31 "no_xattrs", "unknown"
9b97b6cd 32};
d3b33679 33int evm_hmac_attrs;
66dbc325 34
fa516b66 35static struct xattr_list evm_config_default_xattrnames[] = {
66dbc325 36#ifdef CONFIG_SECURITY_SELINUX
21af7663 37 {.name = XATTR_NAME_SELINUX},
66dbc325
MZ		 38#endif
39#ifdef CONFIG_SECURITY_SMACK
21af7663 40 {.name = XATTR_NAME_SMACK},
3e38df56 41#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
21af7663
MG		 42 {.name = XATTR_NAME_SMACKEXEC},
43 {.name = XATTR_NAME_SMACKTRANSMUTE},
44 {.name = XATTR_NAME_SMACKMMAP},
3e38df56 45#endif
2fe5d6de 46#endif
096b8546 47#ifdef CONFIG_SECURITY_APPARMOR
21af7663 48 {.name = XATTR_NAME_APPARMOR},
096b8546 49#endif
2fe5d6de 50#ifdef CONFIG_IMA_APPRAISE
21af7663 51 {.name = XATTR_NAME_IMA},
66dbc325 52#endif
21af7663 53 {.name = XATTR_NAME_CAPS},
66dbc325
MZ		 54};
55
21af7663
MG		 56LIST_HEAD(evm_config_xattrnames);
57
7102ebcd
MZ		 58static int evm_fixmode;
59static int __init evm_set_fixmode(char *str)
60{
61 if (strncmp(str, "fix", 3) == 0)
62 evm_fixmode = 1;
7fe2bb7e
BM		 63 else
64 pr_err("invalid \"%s\" mode", str);
65
7102ebcd
MZ		 66 return 0;
67}
68__setup("evm=", evm_set_fixmode);
69
d3b33679
DK		 70static void __init evm_init_config(void)
71{
21af7663
MG		 72 int i, xattrs;
73
74 xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
75
76 pr_info("Initialising EVM extended attributes:\n");
77 for (i = 0; i < xattrs; i++) {
78 pr_info("%s\n", evm_config_default_xattrnames[i].name);
79 list_add_tail(&evm_config_default_xattrnames[i].list,
80 &evm_config_xattrnames);
81 }
82
d3b33679
DK		 83#ifdef CONFIG_EVM_ATTR_FSUUID
84 evm_hmac_attrs |= EVM_ATTR_FSUUID;
85#endif
86 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
87}
88
ae1ba167
MG		 89static bool evm_key_loaded(void)
90{
91 return (bool)(evm_initialized & EVM_KEY_MASK);
92}
93
4a804b8a
RS		 94/*
95 * This function determines whether or not it is safe to ignore verification
96 * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
97 * is not loaded, and it cannot be loaded in the future due to the
98 * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
99 * attrs/xattrs being found invalid will not make them valid.
100 */
101static bool evm_hmac_disabled(void)
102{
103 if (evm_initialized & EVM_INIT_HMAC)
104 return false;
105
106 if (!(evm_initialized & EVM_SETUP_COMPLETE))
107 return false;
108
109 return true;
110}
111
15647eb3
DK		 112static int evm_find_protected_xattrs(struct dentry *dentry)
113{
c6f493d6 114 struct inode *inode = d_backing_inode(dentry);
21af7663 115 struct xattr_list *xattr;
15647eb3
DK		 116 int error;
117 int count = 0;
118
5d6c3191 119 if (!(inode->i_opflags & IOP_XATTR))
15647eb3
DK		 120 return -EOPNOTSUPP;
121
770f6058 122 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
21af7663 123 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
15647eb3
DK		 124 if (error < 0) {
125 if (error == -ENODATA)
126 continue;
127 return error;
128 }
129 count++;
130 }
131
132 return count;
133}
134
66dbc325
MZ		 135/*
136 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
137 *
138 * Compute the HMAC on the dentry's protected set of extended attributes
7102ebcd
MZ		 139 * and compare it against the stored security.evm xattr.
140 *
141 * For performance:
142 * - use the previoulsy retrieved xattr value and length to calculate the
143 * HMAC.)
144 * - cache the verification result in the iint, when available.
66dbc325
MZ		 145 *
146 * Returns integrity status
147 */
148static enum integrity_status evm_verify_hmac(struct dentry *dentry,
149 const char *xattr_name,
150 char *xattr_value,
151 size_t xattr_value_len,
152 struct integrity_iint_cache *iint)
153{
15647eb3 154 struct evm_ima_xattr_data *xattr_data = NULL;
5feeb611 155 struct signature_v2_hdr *hdr;
566be59a 156 enum integrity_status evm_status = INTEGRITY_PASS;
5feeb611 157 struct evm_digest digest;
70946c4a 158 struct inode *inode;
cdef685b 159 int rc, xattr_len, evm_immutable = 0;
66dbc325 160
50b97748
MG		 161 if (iint && (iint->evm_status == INTEGRITY_PASS ||
162 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
24e0198e 163 return iint->evm_status;
66dbc325 164
6d38ca01
DK		 165 /* if status is not PASS, try to check again - against -ENOMEM */
166
15647eb3 167 /* first need to know the sig type */
c7c7a1a1
TA		 168 rc = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_EVM,
169 (char **)&xattr_data, 0, GFP_NOFS);
15647eb3 170 if (rc <= 0) {
1f100979
DK		 171 evm_status = INTEGRITY_FAIL;
172 if (rc == -ENODATA) {
15647eb3
DK		 173 rc = evm_find_protected_xattrs(dentry);
174 if (rc > 0)
175 evm_status = INTEGRITY_NOLABEL;
176 else if (rc == 0)
177 evm_status = INTEGRITY_NOXATTRS; /* new file */
1f100979
DK		 178 } else if (rc == -EOPNOTSUPP) {
179 evm_status = INTEGRITY_UNKNOWN;
15647eb3 180 }
566be59a
MZ		 181 goto out;
182 }
66dbc325 183
b1aaab22 184 xattr_len = rc;
15647eb3
DK		 185
186 /* check value type */
187 switch (xattr_data->type) {
188 case EVM_XATTR_HMAC:
650b29db 189 if (xattr_len != sizeof(struct evm_xattr)) {
b4bfec7f
SF		 190 evm_status = INTEGRITY_FAIL;
191 goto out;
192 }
5feeb611
MG		 193
194 digest.hdr.algo = HASH_ALGO_SHA1;
15647eb3 195 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
5feeb611 196 xattr_value_len, &digest);
15647eb3
DK		 197 if (rc)
198 break;
650b29db 199 rc = crypto_memneq(xattr_data->data, digest.digest,
5feeb611 200 SHA1_DIGEST_SIZE);
15647eb3
DK		 201 if (rc)
202 rc = -EINVAL;
203 break;
50b97748 204 case EVM_XATTR_PORTABLE_DIGSIG:
cdef685b
RS		 205 evm_immutable = 1;
206 fallthrough;
207 case EVM_IMA_XATTR_DIGSIG:
455b6c91
RS		 208 /* accept xattr with non-empty signature field */
209 if (xattr_len <= sizeof(struct signature_v2_hdr)) {
210 evm_status = INTEGRITY_FAIL;
211 goto out;
212 }
213
5feeb611
MG		 214 hdr = (struct signature_v2_hdr *)xattr_data;
215 digest.hdr.algo = hdr->hash_algo;
15647eb3 216 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
5feeb611 217 xattr_value_len, xattr_data->type, &digest);
15647eb3
DK		 218 if (rc)
219 break;
220 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
b1aaab22 221 (const char *)xattr_data, xattr_len,
5feeb611 222 digest.digest, digest.hdr.length);
15647eb3 223 if (!rc) {
70946c4a
SH		 224 inode = d_backing_inode(dentry);
225
50b97748
MG		 226 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
227 if (iint)
228 iint->flags |= EVM_IMMUTABLE_DIGSIG;
229 evm_status = INTEGRITY_PASS_IMMUTABLE;
70946c4a
SH		 230 } else if (!IS_RDONLY(inode) &&
231 !(inode->i_sb->s_readonly_remount) &&
232 !IS_IMMUTABLE(inode)) {
c2baec7f
DK		 233 evm_update_evmxattr(dentry, xattr_name,
234 xattr_value,
235 xattr_value_len);
50b97748 236 }
15647eb3
DK		 237 }
238 break;
239 default:
240 rc = -EINVAL;
241 break;
242 }
243
cdef685b
RS		 244 if (rc) {
245 if (rc == -ENODATA)
246 evm_status = INTEGRITY_NOXATTRS;
247 else if (evm_immutable)
248 evm_status = INTEGRITY_FAIL_IMMUTABLE;
249 else
250 evm_status = INTEGRITY_FAIL;
251 }
7102ebcd
MZ		 252out:
253 if (iint)
254 iint->evm_status = evm_status;
15647eb3 255 kfree(xattr_data);
7102ebcd 256 return evm_status;
66dbc325
MZ		 257}
258
259static int evm_protected_xattr(const char *req_xattr_name)
260{
66dbc325
MZ		 261 int namelen;
262 int found = 0;
21af7663 263 struct xattr_list *xattr;
66dbc325
MZ		 264
265 namelen = strlen(req_xattr_name);
770f6058 266 list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
21af7663
MG		 267 if ((strlen(xattr->name) == namelen)
268 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
66dbc325
MZ		 269 found = 1;
270 break;
271 }
cb723180 272 if (strncmp(req_xattr_name,
21af7663 273 xattr->name + XATTR_SECURITY_PREFIX_LEN,
cb723180
MZ		 274 strlen(req_xattr_name)) == 0) {
275 found = 1;
276 break;
277 }
66dbc325 278 }
21af7663 279
66dbc325
MZ		 280 return found;
281}
282
283/**
284 * evm_verifyxattr - verify the integrity of the requested xattr
285 * @dentry: object of the verify xattr
286 * @xattr_name: requested xattr
287 * @xattr_value: requested xattr value
288 * @xattr_value_len: requested xattr value length
289 *
290 * Calculate the HMAC for the given dentry and verify it against the stored
291 * security.evm xattr. For performance, use the xattr value and length
292 * previously retrieved to calculate the HMAC.
293 *
294 * Returns the xattr integrity status.
295 *
296 * This function requires the caller to lock the inode's i_mutex before it
297 * is executed.
298 */
299enum integrity_status evm_verifyxattr(struct dentry *dentry,
300 const char *xattr_name,
2960e6cb
DK		 301 void *xattr_value, size_t xattr_value_len,
302 struct integrity_iint_cache *iint)
66dbc325 303{
ae1ba167 304 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
66dbc325
MZ		 305 return INTEGRITY_UNKNOWN;
306
2960e6cb 307 if (!iint) {
c6f493d6 308 iint = integrity_iint_find(d_backing_inode(dentry));
2960e6cb
DK		 309 if (!iint)
310 return INTEGRITY_UNKNOWN;
311 }
312 return evm_verify_hmac(dentry, xattr_name, xattr_value,
66dbc325 313 xattr_value_len, iint);
66dbc325
MZ		 314}
315EXPORT_SYMBOL_GPL(evm_verifyxattr);
316
7102ebcd
MZ		 317/*
318 * evm_verify_current_integrity - verify the dentry's metadata integrity
319 * @dentry: pointer to the affected dentry
320 *
321 * Verify and return the dentry's metadata integrity. The exceptions are
322 * before EVM is initialized or in 'fix' mode.
323 */
324static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
325{
c6f493d6 326 struct inode *inode = d_backing_inode(dentry);
7102ebcd 327
ae1ba167 328 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
7102ebcd
MZ		 329 return 0;
330 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
331}
332
a924ce0b
MZ		 333/*
334 * evm_protect_xattr - protect the EVM extended attribute
335 *
bf6d0f5d
MZ		 336 * Prevent security.evm from being modified or removed without the
337 * necessary permissions or when the existing value is invalid.
338 *
339 * The posix xattr acls are 'system' prefixed, which normally would not
340 * affect security.evm. An interesting side affect of writing posix xattr
341 * acls is their modifying of the i_mode, which is included in security.evm.
342 * For posix xattr acls only, permit security.evm, even if it currently
50b97748 343 * doesn't exist, to be updated unless the EVM signature is immutable.
a924ce0b
MZ		 344 */
345static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
346 const void *xattr_value, size_t xattr_value_len)
347{
348 enum integrity_status evm_status;
349
350 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
351 if (!capable(CAP_SYS_ADMIN))
352 return -EPERM;
bf6d0f5d
MZ		 353 } else if (!evm_protected_xattr(xattr_name)) {
354 if (!posix_xattr_acl(xattr_name))
355 return 0;
356 evm_status = evm_verify_current_integrity(dentry);
357 if ((evm_status == INTEGRITY_PASS) ||
566be59a 358 (evm_status == INTEGRITY_NOXATTRS))
bf6d0f5d 359 return 0;
9b97b6cd 360 goto out;
bf6d0f5d 361 }
ae1ba167 362
a924ce0b 363 evm_status = evm_verify_current_integrity(dentry);
3dcbad52
DK		 364 if (evm_status == INTEGRITY_NOXATTRS) {
365 struct integrity_iint_cache *iint;
366
4a804b8a
RS		 367 /* Exception if the HMAC is not going to be calculated. */
368 if (evm_hmac_disabled())
369 return 0;
370
c6f493d6 371 iint = integrity_iint_find(d_backing_inode(dentry));
3dcbad52
DK		 372 if (iint && (iint->flags & IMA_NEW_FILE))
373 return 0;
5101a185
MZ		 374
375 /* exception for pseudo filesystems */
fc64005c
AV		 376 if (dentry->d_sb->s_magic == TMPFS_MAGIC
377 || dentry->d_sb->s_magic == SYSFS_MAGIC)
5101a185
MZ		 378 return 0;
379
380 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
381 dentry->d_inode, dentry->d_name.name,
382 "update_metadata",
383 integrity_status_msg[evm_status],
384 -EPERM, 0);
3dcbad52 385 }
9b97b6cd 386out:
4a804b8a
RS		 387 /* Exception if the HMAC is not going to be calculated. */
388 if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
389 evm_status == INTEGRITY_UNKNOWN))
390 return 0;
cdef685b
RS		 391
392 /*
393 * Writing other xattrs is safe for portable signatures, as portable
394 * signatures are immutable and can never be updated.
395 */
396 if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
397 return 0;
398
9b97b6cd 399 if (evm_status != INTEGRITY_PASS)
c6f493d6 400 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
9b97b6cd
MZ		 401 dentry->d_name.name, "appraise_metadata",
402 integrity_status_msg[evm_status],
403 -EPERM, 0);
a924ce0b
MZ		 404 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
405}
406
66dbc325
MZ		 407/**
408 * evm_inode_setxattr - protect the EVM extended attribute
409 * @dentry: pointer to the affected dentry
410 * @xattr_name: pointer to the affected extended attribute name
411 * @xattr_value: pointer to the new extended attribute value
412 * @xattr_value_len: pointer to the new extended attribute value length
413 *
2fb1c9a4
MZ		 414 * Before allowing the 'security.evm' protected xattr to be updated,
415 * verify the existing value is valid. As only the kernel should have
416 * access to the EVM encrypted key needed to calculate the HMAC, prevent
417 * userspace from writing HMAC value. Writing 'security.evm' requires
418 * requires CAP_SYS_ADMIN privileges.
66dbc325
MZ		 419 */
420int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
421 const void *xattr_value, size_t xattr_value_len)
422{
2fb1c9a4
MZ		 423 const struct evm_ima_xattr_data *xattr_data = xattr_value;
424
ae1ba167
MG		 425 /* Policy permits modification of the protected xattrs even though
426 * there's no HMAC key loaded
427 */
428 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
429 return 0;
430
3b1deef6
DK		 431 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
432 if (!xattr_value_len)
433 return -EINVAL;
50b97748
MG		 434 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
435 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
3b1deef6
DK		 436 return -EPERM;
437 }
a924ce0b
MZ		 438 return evm_protect_xattr(dentry, xattr_name, xattr_value,
439 xattr_value_len);
66dbc325
MZ		 440}
441
442/**
443 * evm_inode_removexattr - protect the EVM extended attribute
444 * @dentry: pointer to the affected dentry
445 * @xattr_name: pointer to the affected extended attribute name
446 *
7102ebcd
MZ		 447 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
448 * the current value is valid.
66dbc325
MZ		 449 */
450int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
451{
ae1ba167
MG		 452 /* Policy permits modification of the protected xattrs even though
453 * there's no HMAC key loaded
454 */
455 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
456 return 0;
457
a924ce0b 458 return evm_protect_xattr(dentry, xattr_name, NULL, 0);
66dbc325
MZ		 459}
460
523b74b1
DK		 461static void evm_reset_status(struct inode *inode)
462{
463 struct integrity_iint_cache *iint;
464
465 iint = integrity_iint_find(inode);
466 if (iint)
467 iint->evm_status = INTEGRITY_UNKNOWN;
468}
469
e3ccfe1a
RS		 470/**
471 * evm_revalidate_status - report whether EVM status re-validation is necessary
472 * @xattr_name: pointer to the affected extended attribute name
473 *
474 * Report whether callers of evm_verifyxattr() should re-validate the
475 * EVM status.
476 *
477 * Return true if re-validation is necessary, false otherwise.
478 */
479bool evm_revalidate_status(const char *xattr_name)
480{
481 if (!evm_key_loaded())
482 return false;
483
484 /* evm_inode_post_setattr() passes NULL */
485 if (!xattr_name)
486 return true;
487
488 if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
489 strcmp(xattr_name, XATTR_NAME_EVM))
490 return false;
491
492 return true;
493}
494
66dbc325
MZ		 495/**
496 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
497 * @dentry: pointer to the affected dentry
498 * @xattr_name: pointer to the affected extended attribute name
499 * @xattr_value: pointer to the new extended attribute value
500 * @xattr_value_len: pointer to the new extended attribute value length
501 *
502 * Update the HMAC stored in 'security.evm' to reflect the change.
503 *
504 * No need to take the i_mutex lock here, as this function is called from
505 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
506 * i_mutex lock.
507 */
508void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
509 const void *xattr_value, size_t xattr_value_len)
510{
e3ccfe1a 511 if (!evm_revalidate_status(xattr_name))
66dbc325
MZ		 512 return;
513
523b74b1
DK		 514 evm_reset_status(dentry->d_inode);
515
e3ccfe1a
RS		 516 if (!strcmp(xattr_name, XATTR_NAME_EVM))
517 return;
518
4a804b8a
RS		 519 if (!(evm_initialized & EVM_INIT_HMAC))
520 return;
521
66dbc325 522 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
66dbc325
MZ		 523}
524
525/**
526 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
527 * @dentry: pointer to the affected dentry
528 * @xattr_name: pointer to the affected extended attribute name
529 *
530 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
7c51bb00
DK		 531 *
532 * No need to take the i_mutex lock here, as this function is called from
533 * vfs_removexattr() which takes the i_mutex.
66dbc325
MZ		 534 */
535void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
536{
e3ccfe1a 537 if (!evm_revalidate_status(xattr_name))
66dbc325
MZ		 538 return;
539
523b74b1
DK		 540 evm_reset_status(dentry->d_inode);
541
e3ccfe1a
RS		 542 if (!strcmp(xattr_name, XATTR_NAME_EVM))
543 return;
544
4a804b8a
RS		 545 if (!(evm_initialized & EVM_INIT_HMAC))
546 return;
547
66dbc325 548 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
66dbc325
MZ		 549}
550
817b54aa
MZ		 551/**
552 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
553 * @dentry: pointer to the affected dentry
50b97748
MG		 554 *
555 * Permit update of file attributes when files have a valid EVM signature,
556 * except in the case of them having an immutable portable signature.
817b54aa
MZ		 557 */
558int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
559{
560 unsigned int ia_valid = attr->ia_valid;
561 enum integrity_status evm_status;
562
ae1ba167
MG		 563 /* Policy permits modification of the protected attrs even though
564 * there's no HMAC key loaded
565 */
566 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
567 return 0;
568
a924ce0b 569 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
817b54aa
MZ		 570 return 0;
571 evm_status = evm_verify_current_integrity(dentry);
cdef685b
RS		 572 /*
573 * Writing attrs is safe for portable signatures, as portable signatures
574 * are immutable and can never be updated.
575 */
566be59a 576 if ((evm_status == INTEGRITY_PASS) ||
4a804b8a 577 (evm_status == INTEGRITY_NOXATTRS) ||
cdef685b 578 (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
4a804b8a
RS		 579 (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
580 evm_status == INTEGRITY_UNKNOWN)))
566be59a 581 return 0;
c6f493d6 582 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
9b97b6cd
MZ		 583 dentry->d_name.name, "appraise_metadata",
584 integrity_status_msg[evm_status], -EPERM, 0);
566be59a 585 return -EPERM;
817b54aa
MZ		 586}
587
66dbc325
MZ		 588/**
589 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
590 * @dentry: pointer to the affected dentry
591 * @ia_valid: for the UID and GID status
592 *
593 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
594 * changes.
595 *
596 * This function is called from notify_change(), which expects the caller
597 * to lock the inode's i_mutex.
598 */
599void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
600{
e3ccfe1a 601 if (!evm_revalidate_status(NULL))
66dbc325
MZ		 602 return;
603
e3ccfe1a
RS		 604 evm_reset_status(dentry->d_inode);
605
4a804b8a
RS		 606 if (!(evm_initialized & EVM_INIT_HMAC))
607 return;
608
66dbc325
MZ		 609 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
610 evm_update_evmxattr(dentry, NULL, NULL, 0);
66dbc325
MZ		 611}
612
cb723180 613/*
9eea2904 614 * evm_inode_init_security - initializes security.evm HMAC value
cb723180
MZ		 615 */
616int evm_inode_init_security(struct inode *inode,
617 const struct xattr *lsm_xattr,
618 struct xattr *evm_xattr)
619{
650b29db 620 struct evm_xattr *xattr_data;
cb723180
MZ		 621 int rc;
622
9eea2904
RS		 623 if (!(evm_initialized & EVM_INIT_HMAC) ||
624 !evm_protected_xattr(lsm_xattr->name))
5a4730ba 625 return 0;
cb723180
MZ		 626
627 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
628 if (!xattr_data)
629 return -ENOMEM;
630
650b29db 631 xattr_data->data.type = EVM_XATTR_HMAC;
cb723180
MZ		 632 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
633 if (rc < 0)
634 goto out;
635
636 evm_xattr->value = xattr_data;
637 evm_xattr->value_len = sizeof(*xattr_data);
9548906b 638 evm_xattr->name = XATTR_EVM_SUFFIX;
cb723180
MZ		 639 return 0;
640out:
641 kfree(xattr_data);
642 return rc;
643}
644EXPORT_SYMBOL_GPL(evm_inode_init_security);
645
2ce523eb
DK		 646#ifdef CONFIG_EVM_LOAD_X509
647void __init evm_load_x509(void)
648{
26ddabfe
DK		 649 int rc;
650
651 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
652 if (!rc)
653 evm_initialized |= EVM_INIT_X509;
2ce523eb
DK		 654}
655#endif
656
66dbc325
MZ		 657static int __init init_evm(void)
658{
659 int error;
21af7663 660 struct list_head *pos, *q;
66dbc325 661
d3b33679
DK		 662 evm_init_config();
663
f4dc3778
DK		 664 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
665 if (error)
21af7663 666 goto error;
f4dc3778 667
66dbc325
MZ		 668 error = evm_init_secfs();
669 if (error < 0) {
20ee451f 670 pr_info("Error registering secfs\n");
21af7663 671 goto error;
66dbc325 672 }
15647eb3 673
21af7663
MG		 674error:
675 if (error != 0) {
676 if (!list_empty(&evm_config_xattrnames)) {
c8b37524 677 list_for_each_safe(pos, q, &evm_config_xattrnames)
21af7663 678 list_del(pos);
21af7663
MG		 679 }
680 }
66dbc325 681
21af7663 682 return error;
66dbc325
MZ		 683}
684
66dbc325 685late_initcall(init_evm);
Linux 6.x block layer and io_uring tree(s)