Commit | Line | Data |
---|---|---|
b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
2fe5d6de MZ |
2 | /* |
3 | * Copyright (C) 2011 IBM Corporation | |
4 | * | |
5 | * Author: | |
6 | * Mimi Zohar <zohar@us.ibm.com> | |
2fe5d6de | 7 | */ |
b000d5cb | 8 | #include <linux/module.h> |
876979c9 | 9 | #include <linux/init.h> |
2fe5d6de MZ |
10 | #include <linux/file.h> |
11 | #include <linux/fs.h> | |
12 | #include <linux/xattr.h> | |
13 | #include <linux/magic.h> | |
14 | #include <linux/ima.h> | |
15 | #include <linux/evm.h> | |
398c42e2 | 16 | #include <linux/fsverity.h> |
273df864 | 17 | #include <keys/system_keyring.h> |
398c42e2 | 18 | #include <uapi/linux/fsverity.h> |
2fe5d6de MZ |
19 | |
20 | #include "ima.h" | |
21 | ||
e1f5e01f | 22 | #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM |
b000d5cb AB |
23 | static char *ima_appraise_cmdline_default __initdata; |
24 | core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0); | |
25 | ||
26 | void __init ima_appraise_parse_cmdline(void) | |
27 | { | |
28 | const char *str = ima_appraise_cmdline_default; | |
e4d7e2df BM |
29 | bool sb_state = arch_ima_get_secureboot(); |
30 | int appraisal_state = ima_appraise; | |
311aa6aa | 31 | |
b000d5cb AB |
32 | if (!str) |
33 | return; | |
34 | ||
2fe5d6de | 35 | if (strncmp(str, "off", 3) == 0) |
e4d7e2df | 36 | appraisal_state = 0; |
2faa6ef3 | 37 | else if (strncmp(str, "log", 3) == 0) |
e4d7e2df | 38 | appraisal_state = IMA_APPRAISE_LOG; |
2fe5d6de | 39 | else if (strncmp(str, "fix", 3) == 0) |
e4d7e2df | 40 | appraisal_state = IMA_APPRAISE_FIX; |
4afb28ab | 41 | else if (strncmp(str, "enforce", 7) == 0) |
e4d7e2df | 42 | appraisal_state = IMA_APPRAISE_ENFORCE; |
7fe2bb7e BM |
43 | else |
44 | pr_err("invalid \"%s\" appraise option", str); | |
e4d7e2df BM |
45 | |
46 | /* If appraisal state was changed, but secure boot is enabled, | |
47 | * keep its default */ | |
48 | if (sb_state) { | |
49 | if (!(appraisal_state & IMA_APPRAISE_ENFORCE)) | |
50 | pr_info("Secure boot enabled: ignoring ima_appraise=%s option", | |
51 | str); | |
52 | } else { | |
53 | ima_appraise = appraisal_state; | |
54 | } | |
2fe5d6de | 55 | } |
b000d5cb | 56 | #endif |
2fe5d6de | 57 | |
6f6723e2 MZ |
58 | /* |
59 | * is_ima_appraise_enabled - return appraise status | |
60 | * | |
61 | * Only return enabled, if not in ima_appraise="fix" or "log" modes. | |
62 | */ | |
63 | bool is_ima_appraise_enabled(void) | |
64 | { | |
e5729f86 | 65 | return ima_appraise & IMA_APPRAISE_ENFORCE; |
6f6723e2 MZ |
66 | } |
67 | ||
2fe5d6de MZ |
68 | /* |
69 | * ima_must_appraise - set appraise flag | |
70 | * | |
da1b0029 | 71 | * Return 1 to appraise or hash |
2fe5d6de | 72 | */ |
a2d2329e CB |
73 | int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode, |
74 | int mask, enum ima_hooks func) | |
2fe5d6de | 75 | { |
d906c10d MG |
76 | u32 secid; |
77 | ||
07f6a794 MZ |
78 | if (!ima_appraise) |
79 | return 0; | |
80 | ||
6326948f | 81 | security_current_getsecid_subj(&secid); |
1624dc00 TS |
82 | return ima_match_policy(mnt_userns, inode, current_cred(), secid, |
83 | func, mask, IMA_APPRAISE | IMA_HASH, NULL, | |
84 | NULL, NULL, NULL); | |
2fe5d6de MZ |
85 | } |
86 | ||
def3e8b9 | 87 | static int ima_fix_xattr(struct dentry *dentry, |
c7c8bb23 | 88 | struct integrity_iint_cache *iint) |
2fe5d6de | 89 | { |
3ea7a560 DK |
90 | int rc, offset; |
91 | u8 algo = iint->ima_hash->algo; | |
92 | ||
93 | if (algo <= HASH_ALGO_SHA1) { | |
94 | offset = 1; | |
95 | iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST; | |
96 | } else { | |
97 | offset = 0; | |
98 | iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG; | |
99 | iint->ima_hash->xattr.ng.algo = algo; | |
100 | } | |
c7c7a1a1 | 101 | rc = __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_IMA, |
3ea7a560 DK |
102 | &iint->ima_hash->xattr.data[offset], |
103 | (sizeof(iint->ima_hash->xattr) - offset) + | |
104 | iint->ima_hash->length, 0); | |
105 | return rc; | |
2fe5d6de MZ |
106 | } |
107 | ||
d79d72e0 MZ |
108 | /* Return specific func appraised cached result */ |
109 | enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, | |
4ad87a3d | 110 | enum ima_hooks func) |
d79d72e0 | 111 | { |
089bc8e9 | 112 | switch (func) { |
d79d72e0 MZ |
113 | case MMAP_CHECK: |
114 | return iint->ima_mmap_status; | |
115 | case BPRM_CHECK: | |
116 | return iint->ima_bprm_status; | |
d906c10d MG |
117 | case CREDS_CHECK: |
118 | return iint->ima_creds_status; | |
d79d72e0 | 119 | case FILE_CHECK: |
c6af8efe | 120 | case POST_SETATTR: |
d79d72e0 | 121 | return iint->ima_file_status; |
c6af8efe MZ |
122 | case MODULE_CHECK ... MAX_CHECK - 1: |
123 | default: | |
124 | return iint->ima_read_status; | |
d79d72e0 MZ |
125 | } |
126 | } | |
127 | ||
128 | static void ima_set_cache_status(struct integrity_iint_cache *iint, | |
4ad87a3d MZ |
129 | enum ima_hooks func, |
130 | enum integrity_status status) | |
d79d72e0 | 131 | { |
089bc8e9 | 132 | switch (func) { |
d79d72e0 MZ |
133 | case MMAP_CHECK: |
134 | iint->ima_mmap_status = status; | |
135 | break; | |
136 | case BPRM_CHECK: | |
137 | iint->ima_bprm_status = status; | |
138 | break; | |
d906c10d MG |
139 | case CREDS_CHECK: |
140 | iint->ima_creds_status = status; | |
09186e50 | 141 | break; |
d79d72e0 | 142 | case FILE_CHECK: |
c6af8efe | 143 | case POST_SETATTR: |
d79d72e0 | 144 | iint->ima_file_status = status; |
c6af8efe MZ |
145 | break; |
146 | case MODULE_CHECK ... MAX_CHECK - 1: | |
147 | default: | |
148 | iint->ima_read_status = status; | |
149 | break; | |
d79d72e0 MZ |
150 | } |
151 | } | |
152 | ||
4ad87a3d MZ |
153 | static void ima_cache_flags(struct integrity_iint_cache *iint, |
154 | enum ima_hooks func) | |
d79d72e0 | 155 | { |
089bc8e9 | 156 | switch (func) { |
d79d72e0 MZ |
157 | case MMAP_CHECK: |
158 | iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED); | |
159 | break; | |
160 | case BPRM_CHECK: | |
161 | iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED); | |
162 | break; | |
d906c10d MG |
163 | case CREDS_CHECK: |
164 | iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED); | |
165 | break; | |
d79d72e0 | 166 | case FILE_CHECK: |
c6af8efe | 167 | case POST_SETATTR: |
d79d72e0 | 168 | iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED); |
c6af8efe MZ |
169 | break; |
170 | case MODULE_CHECK ... MAX_CHECK - 1: | |
171 | default: | |
172 | iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED); | |
173 | break; | |
d79d72e0 MZ |
174 | } |
175 | } | |
176 | ||
50f742dd | 177 | enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, |
1525b06d | 178 | int xattr_len) |
d3634d0f DK |
179 | { |
180 | struct signature_v2_hdr *sig; | |
b4bfec7f | 181 | enum hash_algo ret; |
d3634d0f | 182 | |
3ea7a560 | 183 | if (!xattr_value || xattr_len < 2) |
1525b06d DK |
184 | /* return default hash algo */ |
185 | return ima_hash_algo; | |
d3634d0f | 186 | |
3ea7a560 | 187 | switch (xattr_value->type) { |
398c42e2 MZ |
188 | case IMA_VERITY_DIGSIG: |
189 | sig = (typeof(sig))xattr_value; | |
190 | if (sig->version != 3 || xattr_len <= sizeof(*sig) || | |
191 | sig->hash_algo >= HASH_ALGO__LAST) | |
192 | return ima_hash_algo; | |
193 | return sig->hash_algo; | |
3ea7a560 DK |
194 | case EVM_IMA_XATTR_DIGSIG: |
195 | sig = (typeof(sig))xattr_value; | |
cb181da1 TS |
196 | if (sig->version != 2 || xattr_len <= sizeof(*sig) |
197 | || sig->hash_algo >= HASH_ALGO__LAST) | |
1525b06d DK |
198 | return ima_hash_algo; |
199 | return sig->hash_algo; | |
3ea7a560 | 200 | case IMA_XATTR_DIGEST_NG: |
650b29db TJB |
201 | /* first byte contains algorithm id */ |
202 | ret = xattr_value->data[0]; | |
b4bfec7f SF |
203 | if (ret < HASH_ALGO__LAST) |
204 | return ret; | |
3ea7a560 DK |
205 | break; |
206 | case IMA_XATTR_DIGEST: | |
207 | /* this is for backward compatibility */ | |
208 | if (xattr_len == 21) { | |
209 | unsigned int zero = 0; | |
650b29db | 210 | if (!memcmp(&xattr_value->data[16], &zero, 4)) |
1525b06d | 211 | return HASH_ALGO_MD5; |
3ea7a560 | 212 | else |
1525b06d | 213 | return HASH_ALGO_SHA1; |
3ea7a560 | 214 | } else if (xattr_len == 17) |
1525b06d | 215 | return HASH_ALGO_MD5; |
3ea7a560 DK |
216 | break; |
217 | } | |
1525b06d DK |
218 | |
219 | /* return default hash algo */ | |
220 | return ima_hash_algo; | |
d3634d0f DK |
221 | } |
222 | ||
223 | int ima_read_xattr(struct dentry *dentry, | |
f6fbd8cb | 224 | struct evm_ima_xattr_data **xattr_value, int xattr_len) |
d3634d0f | 225 | { |
f6fbd8cb | 226 | int ret; |
d3634d0f | 227 | |
4609e1f1 | 228 | ret = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_IMA, |
f6fbd8cb | 229 | (char **)xattr_value, xattr_len, GFP_NOFS); |
5d6c3191 AG |
230 | if (ret == -EOPNOTSUPP) |
231 | ret = 0; | |
232 | return ret; | |
d3634d0f DK |
233 | } |
234 | ||
398c42e2 MZ |
235 | /* |
236 | * calc_file_id_hash - calculate the hash of the ima_file_id struct data | |
237 | * @type: xattr type [enum evm_ima_xattr_type] | |
238 | * @algo: hash algorithm [enum hash_algo] | |
239 | * @digest: pointer to the digest to be hashed | |
240 | * @hash: (out) pointer to the hash | |
241 | * | |
242 | * IMA signature version 3 disambiguates the data that is signed by | |
243 | * indirectly signing the hash of the ima_file_id structure data. | |
244 | * | |
245 | * Signing the ima_file_id struct is currently only supported for | |
246 | * IMA_VERITY_DIGSIG type xattrs. | |
247 | * | |
248 | * Return 0 on success, error code otherwise. | |
249 | */ | |
250 | static int calc_file_id_hash(enum evm_ima_xattr_type type, | |
251 | enum hash_algo algo, const u8 *digest, | |
252 | struct ima_digest_data *hash) | |
253 | { | |
254 | struct ima_file_id file_id = { | |
255 | .hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo}; | |
256 | unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo]; | |
257 | ||
258 | if (type != IMA_VERITY_DIGSIG) | |
259 | return -EINVAL; | |
260 | ||
261 | memcpy(file_id.hash, digest, hash_digest_size[algo]); | |
262 | ||
263 | hash->algo = algo; | |
264 | hash->length = hash_digest_size[algo]; | |
265 | ||
266 | return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash); | |
267 | } | |
268 | ||
a5fbeb61 TJB |
269 | /* |
270 | * xattr_verify - verify xattr digest or signature | |
271 | * | |
272 | * Verify whether the hash or signature matches the file contents. | |
273 | * | |
274 | * Return 0 on success, error code otherwise. | |
275 | */ | |
276 | static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint, | |
277 | struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
278 | enum integrity_status *status, const char **cause) | |
279 | { | |
398c42e2 MZ |
280 | struct ima_max_digest_data hash; |
281 | struct signature_v2_hdr *sig; | |
a5fbeb61 | 282 | int rc = -EINVAL, hash_start = 0; |
398c42e2 | 283 | int mask; |
a5fbeb61 TJB |
284 | |
285 | switch (xattr_value->type) { | |
286 | case IMA_XATTR_DIGEST_NG: | |
287 | /* first byte contains algorithm id */ | |
288 | hash_start = 1; | |
df561f66 | 289 | fallthrough; |
a5fbeb61 | 290 | case IMA_XATTR_DIGEST: |
7aa5783d RS |
291 | if (*status != INTEGRITY_PASS_IMMUTABLE) { |
292 | if (iint->flags & IMA_DIGSIG_REQUIRED) { | |
398c42e2 MZ |
293 | if (iint->flags & IMA_VERITY_REQUIRED) |
294 | *cause = "verity-signature-required"; | |
295 | else | |
296 | *cause = "IMA-signature-required"; | |
7aa5783d RS |
297 | *status = INTEGRITY_FAIL; |
298 | break; | |
299 | } | |
300 | clear_bit(IMA_DIGSIG, &iint->atomic_flags); | |
301 | } else { | |
302 | set_bit(IMA_DIGSIG, &iint->atomic_flags); | |
a5fbeb61 | 303 | } |
a5fbeb61 TJB |
304 | if (xattr_len - sizeof(xattr_value->type) - hash_start >= |
305 | iint->ima_hash->length) | |
306 | /* | |
307 | * xattr length may be longer. md5 hash in previous | |
308 | * version occupied 20 bytes in xattr, instead of 16 | |
309 | */ | |
310 | rc = memcmp(&xattr_value->data[hash_start], | |
311 | iint->ima_hash->digest, | |
312 | iint->ima_hash->length); | |
313 | else | |
314 | rc = -EINVAL; | |
315 | if (rc) { | |
316 | *cause = "invalid-hash"; | |
317 | *status = INTEGRITY_FAIL; | |
318 | break; | |
319 | } | |
320 | *status = INTEGRITY_PASS; | |
321 | break; | |
322 | case EVM_IMA_XATTR_DIGSIG: | |
323 | set_bit(IMA_DIGSIG, &iint->atomic_flags); | |
398c42e2 MZ |
324 | |
325 | mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED; | |
326 | if ((iint->flags & mask) == mask) { | |
327 | *cause = "verity-signature-required"; | |
328 | *status = INTEGRITY_FAIL; | |
329 | break; | |
330 | } | |
331 | ||
332 | sig = (typeof(sig))xattr_value; | |
333 | if (sig->version >= 3) { | |
334 | *cause = "invalid-signature-version"; | |
335 | *status = INTEGRITY_FAIL; | |
336 | break; | |
337 | } | |
a5fbeb61 TJB |
338 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, |
339 | (const char *)xattr_value, | |
340 | xattr_len, | |
341 | iint->ima_hash->digest, | |
342 | iint->ima_hash->length); | |
343 | if (rc == -EOPNOTSUPP) { | |
344 | *status = INTEGRITY_UNKNOWN; | |
345 | break; | |
346 | } | |
347 | if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && | |
348 | func == KEXEC_KERNEL_CHECK) | |
349 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM, | |
350 | (const char *)xattr_value, | |
351 | xattr_len, | |
352 | iint->ima_hash->digest, | |
353 | iint->ima_hash->length); | |
354 | if (rc) { | |
355 | *cause = "invalid-signature"; | |
356 | *status = INTEGRITY_FAIL; | |
357 | } else { | |
358 | *status = INTEGRITY_PASS; | |
359 | } | |
398c42e2 MZ |
360 | break; |
361 | case IMA_VERITY_DIGSIG: | |
362 | set_bit(IMA_DIGSIG, &iint->atomic_flags); | |
363 | ||
364 | if (iint->flags & IMA_DIGSIG_REQUIRED) { | |
365 | if (!(iint->flags & IMA_VERITY_REQUIRED)) { | |
366 | *cause = "IMA-signature-required"; | |
367 | *status = INTEGRITY_FAIL; | |
368 | break; | |
369 | } | |
370 | } | |
371 | ||
372 | sig = (typeof(sig))xattr_value; | |
373 | if (sig->version != 3) { | |
374 | *cause = "invalid-signature-version"; | |
375 | *status = INTEGRITY_FAIL; | |
376 | break; | |
377 | } | |
378 | ||
379 | rc = calc_file_id_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo, | |
380 | iint->ima_hash->digest, &hash.hdr); | |
381 | if (rc) { | |
382 | *cause = "sigv3-hashing-error"; | |
383 | *status = INTEGRITY_FAIL; | |
384 | break; | |
385 | } | |
386 | ||
387 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, | |
388 | (const char *)xattr_value, | |
389 | xattr_len, hash.digest, | |
390 | hash.hdr.length); | |
391 | if (rc) { | |
392 | *cause = "invalid-verity-signature"; | |
393 | *status = INTEGRITY_FAIL; | |
394 | } else { | |
395 | *status = INTEGRITY_PASS; | |
396 | } | |
397 | ||
a5fbeb61 TJB |
398 | break; |
399 | default: | |
400 | *status = INTEGRITY_UNKNOWN; | |
401 | *cause = "unknown-ima-data"; | |
402 | break; | |
403 | } | |
404 | ||
405 | return rc; | |
406 | } | |
407 | ||
39b07096 TJB |
408 | /* |
409 | * modsig_verify - verify modsig signature | |
410 | * | |
411 | * Verify whether the signature matches the file contents. | |
412 | * | |
413 | * Return 0 on success, error code otherwise. | |
414 | */ | |
415 | static int modsig_verify(enum ima_hooks func, const struct modsig *modsig, | |
416 | enum integrity_status *status, const char **cause) | |
417 | { | |
418 | int rc; | |
419 | ||
420 | rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig); | |
421 | if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && | |
422 | func == KEXEC_KERNEL_CHECK) | |
423 | rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM, | |
424 | modsig); | |
425 | if (rc) { | |
426 | *cause = "invalid-signature"; | |
427 | *status = INTEGRITY_FAIL; | |
428 | } else { | |
429 | *status = INTEGRITY_PASS; | |
430 | } | |
431 | ||
432 | return rc; | |
433 | } | |
434 | ||
273df864 NJ |
435 | /* |
436 | * ima_check_blacklist - determine if the binary is blacklisted. | |
437 | * | |
438 | * Add the hash of the blacklisted binary to the measurement list, based | |
439 | * on policy. | |
440 | * | |
441 | * Returns -EPERM if the hash is blacklisted. | |
442 | */ | |
443 | int ima_check_blacklist(struct integrity_iint_cache *iint, | |
444 | const struct modsig *modsig, int pcr) | |
445 | { | |
446 | enum hash_algo hash_algo; | |
447 | const u8 *digest = NULL; | |
448 | u32 digestsize = 0; | |
449 | int rc = 0; | |
450 | ||
451 | if (!(iint->flags & IMA_CHECK_BLACKLIST)) | |
452 | return 0; | |
453 | ||
454 | if (iint->flags & IMA_MODSIG_ALLOWED && modsig) { | |
455 | ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize); | |
456 | ||
457 | rc = is_binary_blacklisted(digest, digestsize); | |
458 | if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) | |
a2d2329e | 459 | process_buffer_measurement(&init_user_ns, NULL, digest, digestsize, |
273df864 | 460 | "blacklisted-hash", NONE, |
ca3c9bdb | 461 | pcr, NULL, false, NULL, 0); |
273df864 NJ |
462 | } |
463 | ||
464 | return rc; | |
465 | } | |
466 | ||
2fe5d6de MZ |
467 | /* |
468 | * ima_appraise_measurement - appraise file measurement | |
469 | * | |
470 | * Call evm_verifyxattr() to verify the integrity of 'security.ima'. | |
471 | * Assuming success, compare the xattr hash with the collected measurement. | |
472 | * | |
473 | * Return 0 on success, error code otherwise | |
474 | */ | |
4ad87a3d MZ |
475 | int ima_appraise_measurement(enum ima_hooks func, |
476 | struct integrity_iint_cache *iint, | |
d3634d0f DK |
477 | struct file *file, const unsigned char *filename, |
478 | struct evm_ima_xattr_data *xattr_value, | |
39b07096 | 479 | int xattr_len, const struct modsig *modsig) |
2fe5d6de | 480 | { |
52a13284 | 481 | static const char op[] = "appraise_data"; |
f5e51fa3 | 482 | const char *cause = "unknown"; |
e71b9dff | 483 | struct dentry *dentry = file_dentry(file); |
c6f493d6 | 484 | struct inode *inode = d_backing_inode(dentry); |
2fe5d6de | 485 | enum integrity_status status = INTEGRITY_UNKNOWN; |
a5fbeb61 | 486 | int rc = xattr_len; |
39b07096 | 487 | bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig; |
2fe5d6de | 488 | |
39b07096 TJB |
489 | /* If not appraising a modsig, we need an xattr. */ |
490 | if (!(inode->i_opflags & IOP_XATTR) && !try_modsig) | |
2fe5d6de MZ |
491 | return INTEGRITY_UNKNOWN; |
492 | ||
39b07096 TJB |
493 | /* If reading the xattr failed and there's no modsig, error out. */ |
494 | if (rc <= 0 && !try_modsig) { | |
2fe5d6de MZ |
495 | if (rc && rc != -ENODATA) |
496 | goto out; | |
497 | ||
398c42e2 MZ |
498 | if (iint->flags & IMA_DIGSIG_REQUIRED) { |
499 | if (iint->flags & IMA_VERITY_REQUIRED) | |
500 | cause = "verity-signature-required"; | |
501 | else | |
502 | cause = "IMA-signature-required"; | |
503 | } else { | |
504 | cause = "missing-hash"; | |
505 | } | |
506 | ||
b151d6b0 | 507 | status = INTEGRITY_NOLABEL; |
6035a27b | 508 | if (file->f_mode & FMODE_CREATED) |
b151d6b0 | 509 | iint->flags |= IMA_NEW_FILE; |
1ac202e9 | 510 | if ((iint->flags & IMA_NEW_FILE) && |
b7e27bc1 MZ |
511 | (!(iint->flags & IMA_DIGSIG_REQUIRED) || |
512 | (inode->i_size == 0))) | |
b151d6b0 | 513 | status = INTEGRITY_PASS; |
2fe5d6de MZ |
514 | goto out; |
515 | } | |
516 | ||
d2ee2cfc HL |
517 | status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, |
518 | rc < 0 ? 0 : rc, iint); | |
f5e51fa3 TJB |
519 | switch (status) { |
520 | case INTEGRITY_PASS: | |
521 | case INTEGRITY_PASS_IMMUTABLE: | |
522 | case INTEGRITY_UNKNOWN: | |
523 | break; | |
524 | case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ | |
39b07096 TJB |
525 | /* It's fine not to have xattrs when using a modsig. */ |
526 | if (try_modsig) | |
527 | break; | |
df561f66 | 528 | fallthrough; |
f5e51fa3 TJB |
529 | case INTEGRITY_NOLABEL: /* No security.evm xattr. */ |
530 | cause = "missing-HMAC"; | |
531 | goto out; | |
cdef685b | 532 | case INTEGRITY_FAIL_IMMUTABLE: |
7aa5783d | 533 | set_bit(IMA_DIGSIG, &iint->atomic_flags); |
55748ac6 MZ |
534 | cause = "invalid-fail-immutable"; |
535 | goto out; | |
f5e51fa3 TJB |
536 | case INTEGRITY_FAIL: /* Invalid HMAC/signature. */ |
537 | cause = "invalid-HMAC"; | |
2fe5d6de | 538 | goto out; |
f5e51fa3 TJB |
539 | default: |
540 | WARN_ONCE(true, "Unexpected integrity status %d\n", status); | |
2fe5d6de | 541 | } |
f5e51fa3 | 542 | |
a5fbeb61 TJB |
543 | if (xattr_value) |
544 | rc = xattr_verify(func, iint, xattr_value, xattr_len, &status, | |
545 | &cause); | |
8606404f | 546 | |
39b07096 TJB |
547 | /* |
548 | * If we have a modsig and either no imasig or the imasig's key isn't | |
549 | * known, then try verifying the modsig. | |
550 | */ | |
551 | if (try_modsig && | |
552 | (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG || | |
553 | rc == -ENOKEY)) | |
554 | rc = modsig_verify(func, modsig, &status, &cause); | |
555 | ||
2fe5d6de | 556 | out: |
57b56ac6 MZ |
557 | /* |
558 | * File signatures on some filesystems can not be properly verified. | |
9e67028e MZ |
559 | * When such filesystems are mounted by an untrusted mounter or on a |
560 | * system not willing to accept such a risk, fail the file signature | |
561 | * verification. | |
57b56ac6 | 562 | */ |
9e67028e MZ |
563 | if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && |
564 | ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) || | |
565 | (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) { | |
57b56ac6 MZ |
566 | status = INTEGRITY_FAIL; |
567 | cause = "unverifiable-signature"; | |
568 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, | |
569 | op, cause, rc, 0); | |
570 | } else if (status != INTEGRITY_PASS) { | |
f5e51fa3 | 571 | /* Fix mode, but don't replace file signatures. */ |
39b07096 | 572 | if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig && |
8606404f DK |
573 | (!xattr_value || |
574 | xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { | |
def3e8b9 DK |
575 | if (!ima_fix_xattr(dentry, iint)) |
576 | status = INTEGRITY_PASS; | |
f5e51fa3 TJB |
577 | } |
578 | ||
7aa5783d RS |
579 | /* |
580 | * Permit new files with file/EVM portable signatures, but | |
581 | * without data. | |
582 | */ | |
f5e51fa3 | 583 | if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && |
7aa5783d | 584 | test_bit(IMA_DIGSIG, &iint->atomic_flags)) { |
05d1a717 | 585 | status = INTEGRITY_PASS; |
2fe5d6de | 586 | } |
f5e51fa3 | 587 | |
2fe5d6de MZ |
588 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, |
589 | op, cause, rc, 0); | |
8606404f | 590 | } else { |
d79d72e0 | 591 | ima_cache_flags(iint, func); |
2fe5d6de | 592 | } |
57b56ac6 | 593 | |
d79d72e0 | 594 | ima_set_cache_status(iint, func, status); |
2fe5d6de MZ |
595 | return status; |
596 | } | |
597 | ||
598 | /* | |
599 | * ima_update_xattr - update 'security.ima' hash value | |
600 | */ | |
601 | void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) | |
602 | { | |
e71b9dff | 603 | struct dentry *dentry = file_dentry(file); |
2fe5d6de MZ |
604 | int rc = 0; |
605 | ||
8606404f | 606 | /* do not collect and update hash for digital signatures */ |
0d73a552 | 607 | if (test_bit(IMA_DIGSIG, &iint->atomic_flags)) |
8606404f DK |
608 | return; |
609 | ||
da1b0029 MZ |
610 | if ((iint->ima_file_status != INTEGRITY_PASS) && |
611 | !(iint->flags & IMA_HASH)) | |
020aae3e RS |
612 | return; |
613 | ||
15588227 | 614 | rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL); |
2fe5d6de MZ |
615 | if (rc < 0) |
616 | return; | |
8606404f | 617 | |
0d73a552 | 618 | inode_lock(file_inode(file)); |
2fe5d6de | 619 | ima_fix_xattr(dentry, iint); |
0d73a552 | 620 | inode_unlock(file_inode(file)); |
2fe5d6de MZ |
621 | } |
622 | ||
623 | /** | |
624 | * ima_inode_post_setattr - reflect file metadata changes | |
a2d2329e | 625 | * @mnt_userns: user namespace of the mount the inode was found from |
2fe5d6de MZ |
626 | * @dentry: pointer to the affected dentry |
627 | * | |
628 | * Changes to a dentry's metadata might result in needing to appraise. | |
629 | * | |
630 | * This function is called from notify_change(), which expects the caller | |
631 | * to lock the inode's i_mutex. | |
632 | */ | |
a2d2329e CB |
633 | void ima_inode_post_setattr(struct user_namespace *mnt_userns, |
634 | struct dentry *dentry) | |
2fe5d6de | 635 | { |
c6f493d6 | 636 | struct inode *inode = d_backing_inode(dentry); |
2fe5d6de | 637 | struct integrity_iint_cache *iint; |
da1b0029 | 638 | int action; |
2fe5d6de | 639 | |
a756024e | 640 | if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode) |
5d6c3191 | 641 | || !(inode->i_opflags & IOP_XATTR)) |
2fe5d6de MZ |
642 | return; |
643 | ||
a2d2329e | 644 | action = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, POST_SETATTR); |
2fe5d6de MZ |
645 | iint = integrity_iint_find(inode); |
646 | if (iint) { | |
0d73a552 | 647 | set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags); |
da1b0029 | 648 | if (!action) |
0d73a552 | 649 | clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); |
2fe5d6de | 650 | } |
2fe5d6de | 651 | } |
42c63330 MZ |
652 | |
653 | /* | |
654 | * ima_protect_xattr - protect 'security.ima' | |
655 | * | |
656 | * Ensure that not just anyone can modify or remove 'security.ima'. | |
657 | */ | |
658 | static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, | |
659 | const void *xattr_value, size_t xattr_value_len) | |
660 | { | |
661 | if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) { | |
662 | if (!capable(CAP_SYS_ADMIN)) | |
663 | return -EPERM; | |
664 | return 1; | |
665 | } | |
666 | return 0; | |
667 | } | |
668 | ||
060bdebf | 669 | static void ima_reset_appraise_flags(struct inode *inode, int digsig) |
42c63330 MZ |
670 | { |
671 | struct integrity_iint_cache *iint; | |
672 | ||
a756024e | 673 | if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)) |
42c63330 MZ |
674 | return; |
675 | ||
676 | iint = integrity_iint_find(inode); | |
677 | if (!iint) | |
678 | return; | |
a422638d | 679 | iint->measured_pcrs = 0; |
0d73a552 | 680 | set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); |
060bdebf | 681 | if (digsig) |
0d73a552 DK |
682 | set_bit(IMA_DIGSIG, &iint->atomic_flags); |
683 | else | |
684 | clear_bit(IMA_DIGSIG, &iint->atomic_flags); | |
42c63330 MZ |
685 | } |
686 | ||
50f742dd TS |
687 | /** |
688 | * validate_hash_algo() - Block setxattr with unsupported hash algorithms | |
689 | * @dentry: object of the setxattr() | |
690 | * @xattr_value: userland supplied xattr value | |
691 | * @xattr_value_len: length of xattr_value | |
692 | * | |
693 | * The xattr value is mapped to its hash algorithm, and this algorithm | |
694 | * must be built in the kernel for the setxattr to be allowed. | |
695 | * | |
696 | * Emit an audit message when the algorithm is invalid. | |
697 | * | |
698 | * Return: 0 on success, else an error. | |
699 | */ | |
700 | static int validate_hash_algo(struct dentry *dentry, | |
701 | const struct evm_ima_xattr_data *xattr_value, | |
702 | size_t xattr_value_len) | |
703 | { | |
704 | char *path = NULL, *pathbuf = NULL; | |
705 | enum hash_algo xattr_hash_algo; | |
4f2946aa TS |
706 | const char *errmsg = "unavailable-hash-algorithm"; |
707 | unsigned int allowed_hashes; | |
50f742dd TS |
708 | |
709 | xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len); | |
710 | ||
4f2946aa TS |
711 | allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms); |
712 | ||
713 | if (allowed_hashes) { | |
714 | /* success if the algorithm is allowed in the ima policy */ | |
715 | if (allowed_hashes & (1U << xattr_hash_algo)) | |
716 | return 0; | |
717 | ||
718 | /* | |
719 | * We use a different audit message when the hash algorithm | |
720 | * is denied by a policy rule, instead of not being built | |
721 | * in the kernel image | |
722 | */ | |
723 | errmsg = "denied-hash-algorithm"; | |
724 | } else { | |
725 | if (likely(xattr_hash_algo == ima_hash_algo)) | |
726 | return 0; | |
727 | ||
728 | /* allow any xattr using an algorithm built in the kernel */ | |
729 | if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0)) | |
730 | return 0; | |
731 | } | |
50f742dd TS |
732 | |
733 | pathbuf = kmalloc(PATH_MAX, GFP_KERNEL); | |
734 | if (!pathbuf) | |
735 | return -EACCES; | |
736 | ||
737 | path = dentry_path(dentry, pathbuf, PATH_MAX); | |
738 | ||
739 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path, | |
4f2946aa | 740 | "set_data", errmsg, -EACCES, 0); |
50f742dd TS |
741 | |
742 | kfree(pathbuf); | |
743 | ||
744 | return -EACCES; | |
745 | } | |
746 | ||
42c63330 MZ |
747 | int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, |
748 | const void *xattr_value, size_t xattr_value_len) | |
749 | { | |
060bdebf | 750 | const struct evm_ima_xattr_data *xvalue = xattr_value; |
e3ccfe1a | 751 | int digsig = 0; |
42c63330 | 752 | int result; |
5926586f | 753 | int err; |
42c63330 MZ |
754 | |
755 | result = ima_protect_xattr(dentry, xattr_name, xattr_value, | |
756 | xattr_value_len); | |
757 | if (result == 1) { | |
a48fda9d DK |
758 | if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) |
759 | return -EINVAL; | |
5926586f MZ |
760 | |
761 | err = validate_hash_algo(dentry, xvalue, xattr_value_len); | |
762 | if (err) | |
763 | return err; | |
764 | ||
e3ccfe1a | 765 | digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); |
7aa5783d RS |
766 | } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { |
767 | digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); | |
e3ccfe1a RS |
768 | } |
769 | if (result == 1 || evm_revalidate_status(xattr_name)) { | |
770 | ima_reset_appraise_flags(d_backing_inode(dentry), digsig); | |
5926586f MZ |
771 | if (result == 1) |
772 | result = 0; | |
42c63330 MZ |
773 | } |
774 | return result; | |
775 | } | |
776 | ||
e61b135f CB |
777 | int ima_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, |
778 | const char *acl_name, struct posix_acl *kacl) | |
779 | { | |
780 | if (evm_revalidate_status(acl_name)) | |
781 | ima_reset_appraise_flags(d_backing_inode(dentry), 0); | |
782 | ||
783 | return 0; | |
784 | } | |
785 | ||
42c63330 MZ |
786 | int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) |
787 | { | |
788 | int result; | |
789 | ||
790 | result = ima_protect_xattr(dentry, xattr_name, NULL, 0); | |
e3ccfe1a | 791 | if (result == 1 || evm_revalidate_status(xattr_name)) { |
c6f493d6 | 792 | ima_reset_appraise_flags(d_backing_inode(dentry), 0); |
e3ccfe1a RS |
793 | if (result == 1) |
794 | result = 0; | |
42c63330 MZ |
795 | } |
796 | return result; | |
797 | } |