b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Copyright (C) 2011 IBM Corporation | |
4 | * | |
5 | * Author: | |
6 | * Mimi Zohar <zohar@us.ibm.com> | |
2fe5d6de | 7 | */ |
#include <linux/module.h>
#include <linux/init.h>
#include <linux/err.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/xattr.h>
#include <linux/magic.h>
#include <linux/ima.h>
#include <linux/evm.h>
#include <keys/system_keyring.h>

#include "ima.h"
19 | ||
e1f5e01f | 20 | #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM |
/*
 * Raw value of the "ima_appraise=" kernel command line parameter, captured
 * by core_param() and consumed once by ima_appraise_parse_cmdline() below.
 */
static char *ima_appraise_cmdline_default __initdata;
core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);
23 | ||
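/*
 * ima_appraise_parse_cmdline - apply the "ima_appraise=" boot parameter
 *
 * Accepts exactly one of "off", "log", "fix" or "enforce".  The value is
 * matched as a whole word rather than by prefix, so a mistyped or padded
 * value such as "offline" or "enforced" is logged and rejected instead of
 * being silently accepted (and possibly downgrading appraisal).
 *
 * When the platform reports secure boot, any request that does not carry
 * the enforce bit is logged and ignored; in that case the compiled-in
 * default is kept untouched.  An unrecognised value is logged and leaves
 * the current setting alone.
 */
void __init ima_appraise_parse_cmdline(void)
{
	const char *str = ima_appraise_cmdline_default;
	bool sb_state = arch_ima_get_secureboot();
	int appraisal_state = ima_appraise;

	if (!str)
		return;

	/* exact match only: a security mode switch must not prefix-match */
	if (strcmp(str, "off") == 0)
		appraisal_state = 0;
	else if (strcmp(str, "log") == 0)
		appraisal_state = IMA_APPRAISE_LOG;
	else if (strcmp(str, "fix") == 0)
		appraisal_state = IMA_APPRAISE_FIX;
	else if (strcmp(str, "enforce") == 0)
		appraisal_state = IMA_APPRAISE_ENFORCE;
	else
		pr_err("invalid \"%s\" appraise option", str);

	/*
	 * With secure boot enabled, never honour a request that drops the
	 * enforce bit; keep whatever default the kernel was built with.
	 */
	if (sb_state) {
		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
				str);
	} else {
		ima_appraise = appraisal_state;
	}
}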
b000d5cb | 54 | #endif |
2fe5d6de | 55 | |
/*
 * is_ima_appraise_enabled - report whether appraisal failures are enforced
 *
 * "fix" and "log" modes record results without blocking access; only a
 * mode carrying the IMA_APPRAISE_ENFORCE bit counts as enabled here.
 */
bool is_ima_appraise_enabled(void)
{
	const int mode = ima_appraise;

	return (mode & IMA_APPRAISE_ENFORCE) != 0;
}
65 | ||
/*
 * ima_must_appraise - decide whether this access needs appraising
 * @mnt_userns: user namespace of the mount the inode was found from
 * @inode: inode being accessed
 * @mask: requested access mask (MAY_*)
 * @func: IMA hook the access is being checked from
 *
 * Returns the matching policy action (non-zero) when a rule asks for the
 * file to be appraised or hashed, zero when appraisal is switched off
 * globally or nothing in the policy matches.
 */
int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
		      int mask, enum ima_hooks func)
{
	int action = 0;
	u32 secid;

	/* with appraisal disabled there is nothing to match against */
	if (ima_appraise) {
		security_current_getsecid_subj(&secid);
		action = ima_match_policy(mnt_userns, inode, current_cred(),
					  secid, func, mask,
					  IMA_APPRAISE | IMA_HASH, NULL,
					  NULL, NULL, NULL);
	}

	return action;
}
84 | ||
/*
 * ima_fix_xattr - (re)write security.ima from the collected file hash
 * @dentry: file whose xattr is being written
 * @iint: integrity cache entry holding the freshly collected hash
 *
 * Builds the on-disk value in place inside iint->ima_hash->xattr.  MD5 and
 * SHA1 use the legacy IMA_XATTR_DIGEST layout (a type byte straight in
 * front of the digest; the algorithm is implied by the digest length, see
 * ima_get_hash_algo()).  Anything newer uses IMA_XATTR_DIGEST_NG, which
 * carries the algorithm id between the type byte and the digest.
 *
 * The write goes through __vfs_setxattr_noperm(), i.e. it bypasses the
 * xattr permission hooks; callers take care of locking the inode.
 *
 * Returns 0 on success or the error from the xattr write.
 */
static int ima_fix_xattr(struct dentry *dentry,
			 struct integrity_iint_cache *iint)
{
	struct ima_digest_data *hash = iint->ima_hash;
	const u8 algo = hash->algo;
	int offset;
	size_t len;

	if (algo <= HASH_ALGO_SHA1) {
		/* legacy layout: type byte, then the digest */
		hash->xattr.sha1.type = IMA_XATTR_DIGEST;
		offset = 1;
	} else {
		/* NG layout: type byte, algorithm id, then the digest */
		hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
		hash->xattr.ng.algo = algo;
		offset = 0;
	}
	len = (sizeof(hash->xattr) - offset) + hash->length;

	return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_IMA,
				     &hash->xattr.data[offset], len, 0);
}
105 | ||
/*
 * ima_get_cache_status - fetch the cached appraisal result for a hook
 * @iint: integrity cache entry
 * @func: hook whose cached status is wanted
 *
 * mmap, bprm, creds and file checks each keep their own cached status;
 * every other hook (MODULE_CHECK onwards, and anything unexpected) shares
 * ima_read_status.
 */
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
					   enum ima_hooks func)
{
	if (func == MMAP_CHECK)
		return iint->ima_mmap_status;
	if (func == BPRM_CHECK)
		return iint->ima_bprm_status;
	if (func == CREDS_CHECK)
		return iint->ima_creds_status;
	if (func == FILE_CHECK || func == POST_SETATTR)
		return iint->ima_file_status;

	/* MODULE_CHECK ... MAX_CHECK - 1, and the default */
	return iint->ima_read_status;
}
125 | ||
/*
 * ima_set_cache_status - store the appraisal result for a hook
 * @iint: integrity cache entry
 * @func: hook the result belongs to
 * @status: result to cache
 *
 * Mirror of ima_get_cache_status(): the same per-hook slots are written.
 */
static void ima_set_cache_status(struct integrity_iint_cache *iint,
				 enum ima_hooks func,
				 enum integrity_status status)
{
	if (func == MMAP_CHECK)
		iint->ima_mmap_status = status;
	else if (func == BPRM_CHECK)
		iint->ima_bprm_status = status;
	else if (func == CREDS_CHECK)
		iint->ima_creds_status = status;
	else if (func == FILE_CHECK || func == POST_SETATTR)
		iint->ima_file_status = status;
	else
		/* MODULE_CHECK ... MAX_CHECK - 1, and the default */
		iint->ima_read_status = status;
}
150 | ||
/*
 * ima_cache_flags - mark the file as successfully appraised for a hook
 * @iint: integrity cache entry
 * @func: hook that just passed appraisal
 *
 * Sets the hook-specific *_APPRAISED bit together with the generic
 * IMA_APPRAISED bit; hooks without a dedicated bit share IMA_READ_APPRAISED.
 */
static void ima_cache_flags(struct integrity_iint_cache *iint,
			    enum ima_hooks func)
{
	unsigned long hook_flag;

	if (func == MMAP_CHECK)
		hook_flag = IMA_MMAP_APPRAISED;
	else if (func == BPRM_CHECK)
		hook_flag = IMA_BPRM_APPRAISED;
	else if (func == CREDS_CHECK)
		hook_flag = IMA_CREDS_APPRAISED;
	else if (func == FILE_CHECK || func == POST_SETATTR)
		hook_flag = IMA_FILE_APPRAISED;
	else
		/* MODULE_CHECK ... MAX_CHECK - 1, and the default */
		hook_flag = IMA_READ_APPRAISED;

	iint->flags |= hook_flag | IMA_APPRAISED;
}
174 | ||
/*
 * ima_get_hash_algo - work out which hash algorithm an IMA xattr uses
 * @xattr_value: security.ima contents (untrusted on-disk data, may be NULL)
 * @xattr_len: number of bytes in @xattr_value
 *
 * Never fails: anything that cannot be decoded, including an algorithm id
 * at or above HASH_ALGO__LAST, falls back to the kernel default
 * ima_hash_algo.  Only bytes covered by @xattr_len are examined.
 */
enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
				 int xattr_len)
{
	const struct signature_v2_hdr *sig;
	enum hash_algo algo;
	const u8 *tail;

	/* need at least the type byte plus one byte of payload */
	if (!xattr_value || xattr_len < 2)
		return ima_hash_algo;

	switch (xattr_value->type) {
	case EVM_IMA_XATTR_DIGSIG:
		/* only a complete v2 signature header names its algorithm */
		sig = (const struct signature_v2_hdr *)xattr_value;
		if (sig->version == 2 && xattr_len > sizeof(*sig) &&
		    sig->hash_algo < HASH_ALGO__LAST)
			return sig->hash_algo;
		break;
	case IMA_XATTR_DIGEST_NG:
		/* the byte after the type is the algorithm id */
		algo = xattr_value->data[0];
		if (algo < HASH_ALGO__LAST)
			return algo;
		break;
	case IMA_XATTR_DIGEST:
		/*
		 * Legacy layout with no algorithm id: a 16-byte digest is
		 * MD5; a 20-byte digest is SHA1 unless its last four bytes
		 * are zero, which marks an MD5 digest padded to 20 bytes.
		 */
		if (xattr_len == 17)
			return HASH_ALGO_MD5;
		if (xattr_len == 21) {
			tail = &xattr_value->data[16];
			if ((tail[0] | tail[1] | tail[2] | tail[3]) == 0)
				return HASH_ALGO_MD5;
			return HASH_ALGO_SHA1;
		}
		break;
	}

	/* return default hash algo */
	return ima_hash_algo;
}
215 | ||
/*
 * ima_read_xattr - read security.ima into a freshly allocated buffer
 * @dentry: file to read from
 * @xattr_value: on success receives the allocated value (caller frees it)
 *
 * Returns the xattr length, 0 when the filesystem has no xattr support
 * (-EOPNOTSUPP is folded into "nothing there"), or a negative error from
 * the lookup (e.g. -ENODATA when the attribute is absent).
 */
int ima_read_xattr(struct dentry *dentry,
		   struct evm_ima_xattr_data **xattr_value)
{
	ssize_t len = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_IMA,
					 (char **)xattr_value, 0, GFP_NOFS);

	/* no xattr support on this fs is not an error for the caller */
	return len == -EOPNOTSUPP ? 0 : len;
}
227 | ||
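/*
 * xattr_verify - verify an IMA xattr digest or signature against the file
 * @func: hook being appraised (selects the platform keyring fallback)
 * @iint: integrity cache entry holding the collected file hash
 * @xattr_value: security.ima contents (untrusted, on-disk data)
 * @xattr_len: number of bytes in @xattr_value
 * @status: set to the resulting integrity status
 * @cause: set to a short audit reason string on failure
 *
 * Digest types (IMA_XATTR_DIGEST, IMA_XATTR_DIGEST_NG) are compared byte
 * for byte with the collected hash.  A signature (EVM_IMA_XATTR_DIGSIG) is
 * checked against the IMA keyring and, for KEXEC_KERNEL_CHECK only, the
 * platform keyring as a fallback.  A digest-only xattr is refused when the
 * policy requires a signature (IMA_DIGSIG_REQUIRED), unless EVM already
 * reported the file as INTEGRITY_PASS_IMMUTABLE.
 *
 * The xattr length is not validated elsewhere, so the digest branch works
 * out the payload size in signed arithmetic: an xattr too short to hold
 * even its header (e.g. a lone IMA_XATTR_DIGEST_NG type byte) yields a
 * negative size and is rejected with -EINVAL, instead of the subtraction
 * wrapping to a huge unsigned value and memcmp() reading past the end of
 * the buffer.
 *
 * Return 0 on success, error code otherwise.
 */
static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
			struct evm_ima_xattr_data *xattr_value, int xattr_len,
			enum integrity_status *status, const char **cause)
{
	int rc = -EINVAL, hash_start = 0;
	int payload_len;

	switch (xattr_value->type) {
	case IMA_XATTR_DIGEST_NG:
		/* first byte contains algorithm id */
		hash_start = 1;
		fallthrough;
	case IMA_XATTR_DIGEST:
		if (*status != INTEGRITY_PASS_IMMUTABLE) {
			if (iint->flags & IMA_DIGSIG_REQUIRED) {
				*cause = "IMA-signature-required";
				*status = INTEGRITY_FAIL;
				break;
			}
			clear_bit(IMA_DIGSIG, &iint->atomic_flags);
		} else {
			set_bit(IMA_DIGSIG, &iint->atomic_flags);
		}
		/*
		 * Bytes left for the digest once the type byte and the
		 * optional algorithm id are skipped.  Kept signed so that
		 * a truncated xattr compares as "too short" rather than
		 * underflowing into a huge size_t.
		 */
		payload_len = xattr_len - (int)sizeof(xattr_value->type) -
			      hash_start;
		if (payload_len >= iint->ima_hash->length)
			/*
			 * xattr length may be longer. md5 hash in previous
			 * version occupied 20 bytes in xattr, instead of 16
			 */
			rc = memcmp(&xattr_value->data[hash_start],
				    iint->ima_hash->digest,
				    iint->ima_hash->length);
		else
			rc = -EINVAL;
		if (rc) {
			*cause = "invalid-hash";
			*status = INTEGRITY_FAIL;
			break;
		}
		*status = INTEGRITY_PASS;
		break;
	case EVM_IMA_XATTR_DIGSIG:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
					     (const char *)xattr_value,
					     xattr_len,
					     iint->ima_hash->digest,
					     iint->ima_hash->length);
		if (rc == -EOPNOTSUPP) {
			*status = INTEGRITY_UNKNOWN;
			break;
		}
		/* kexec kernel images may instead be signed by a platform key */
		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
		    func == KEXEC_KERNEL_CHECK)
			rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
						     (const char *)xattr_value,
						     xattr_len,
						     iint->ima_hash->digest,
						     iint->ima_hash->length);
		if (rc) {
			*cause = "invalid-signature";
			*status = INTEGRITY_FAIL;
		} else {
			*status = INTEGRITY_PASS;
		}
		break;
	default:
		*status = INTEGRITY_UNKNOWN;
		*cause = "unknown-ima-data";
		break;
	}

	return rc;
}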
308 | ||
/*
 * modsig_verify - verify an appended (module-style) signature
 * @func: hook being appraised (selects the platform keyring fallback)
 * @modsig: parsed appended signature
 * @status: set to the resulting integrity status
 * @cause: set to "invalid-signature" on failure
 *
 * The IMA keyring is tried first; kexec kernel images may fall back to the
 * platform keyring when that is built in.
 *
 * Return 0 on success, error code otherwise.
 */
static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
			 enum integrity_status *status, const char **cause)
{
	int rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);

	if (rc && func == KEXEC_KERNEL_CHECK &&
	    IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
					     modsig);

	if (rc == 0) {
		*status = INTEGRITY_PASS;
	} else {
		*status = INTEGRITY_FAIL;
		*cause = "invalid-signature";
	}

	return rc;
}
335 | ||
/*
 * ima_check_blacklist - determine if the binary is blacklisted.
 * @iint: integrity cache entry for the file
 * @modsig: appended signature, or NULL
 * @pcr: PCR to extend when the blacklisted hash is measured
 *
 * Only files the policy flagged with IMA_CHECK_BLACKLIST are looked up, and
 * in this version only the digest carried by an appended signature is
 * checked.  If the hash is blacklisted and the policy also asks for
 * measurement, the hash is added to the measurement list as
 * "blacklisted-hash".
 *
 * Returns -EPERM if the hash is blacklisted, 0 otherwise.
 */
int ima_check_blacklist(struct integrity_iint_cache *iint,
			const struct modsig *modsig, int pcr)
{
	const u8 *digest = NULL;
	u32 digestsize = 0;
	enum hash_algo hash_algo;
	int rc;

	/* policy did not ask for a blacklist lookup on this file */
	if (!(iint->flags & IMA_CHECK_BLACKLIST))
		return 0;

	/* nothing to look up without an (allowed) appended signature */
	if (!modsig || !(iint->flags & IMA_MODSIG_ALLOWED))
		return 0;

	ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);

	rc = is_binary_blacklisted(digest, digestsize);
	if (rc == -EPERM && (iint->flags & IMA_MEASURE))
		process_buffer_measurement(&init_user_ns, NULL, digest,
					   digestsize, "blacklisted-hash", NONE,
					   pcr, NULL, false, NULL, 0);

	return rc;
}
367 | ||
/*
 * ima_appraise_measurement - appraise file measurement
 * @func: hook being appraised
 * @iint: integrity cache entry holding the collected file hash
 * @file: file being appraised
 * @filename: name used in audit records
 * @xattr_value: security.ima contents as read by ima_read_xattr(), or NULL
 * @xattr_len: length of @xattr_value, or the (negative) error from reading it
 * @modsig: appended signature, or NULL
 *
 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
 * Assuming success, compare the xattr hash with the collected measurement.
 *
 * Order matters: EVM is consulted before the IMA xattr is parsed, a modsig
 * is only tried when there is no usable IMA signature, and the
 * per-filesystem "unverifiable signature" override is applied last so it
 * can downgrade any earlier pass.  The result is cached per hook via
 * ima_set_cache_status() and audited whenever it is not a pass.
 *
 * Returns the resulting integrity_status (INTEGRITY_PASS on success).
 */
int ima_appraise_measurement(enum ima_hooks func,
			     struct integrity_iint_cache *iint,
			     struct file *file, const unsigned char *filename,
			     struct evm_ima_xattr_data *xattr_value,
			     int xattr_len, const struct modsig *modsig)
{
	static const char op[] = "appraise_data";
	const char *cause = "unknown";
	struct dentry *dentry = file_dentry(file);
	struct inode *inode = d_backing_inode(dentry);
	enum integrity_status status = INTEGRITY_UNKNOWN;
	int rc = xattr_len;
	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;

	/* If not appraising a modsig, we need an xattr. */
	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
		return INTEGRITY_UNKNOWN;

	/* If reading the xattr failed and there's no modsig, error out. */
	if (rc <= 0 && !try_modsig) {
		if (rc && rc != -ENODATA)
			goto out;

		cause = iint->flags & IMA_DIGSIG_REQUIRED ?
				"IMA-signature-required" : "missing-hash";
		status = INTEGRITY_NOLABEL;
		if (file->f_mode & FMODE_CREATED)
			iint->flags |= IMA_NEW_FILE;
		/*
		 * A file created by this open has no label yet: let it
		 * through unless a signature is required and the file
		 * already has content.
		 */
		if ((iint->flags & IMA_NEW_FILE) &&
		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
		     (inode->i_size == 0)))
			status = INTEGRITY_PASS;
		goto out;
	}

	/* EVM checks security.ima (and its HMAC/signature) before IMA parses it. */
	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
	switch (status) {
	case INTEGRITY_PASS:
	case INTEGRITY_PASS_IMMUTABLE:
	case INTEGRITY_UNKNOWN:
		break;
	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
		/* It's fine not to have xattrs when using a modsig. */
		if (try_modsig)
			break;
		fallthrough;
	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
		cause = "missing-HMAC";
		goto out;
	case INTEGRITY_FAIL_IMMUTABLE:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
		cause = "invalid-fail-immutable";
		goto out;
	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
		cause = "invalid-HMAC";
		goto out;
	default:
		WARN_ONCE(true, "Unexpected integrity status %d\n", status);
	}

	/* xattr_value may be NULL here (modsig-only case). */
	if (xattr_value)
		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
				  &cause);

	/*
	 * If we have a modsig and either no imasig or the imasig's key isn't
	 * known, then try verifying the modsig.
	 */
	if (try_modsig &&
	    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
	     rc == -ENOKEY))
		rc = modsig_verify(func, modsig, &status, &cause);

out:
	/*
	 * File signatures on some filesystems can not be properly verified.
	 * When such filesystems are mounted by an untrusted mounter or on a
	 * system not willing to accept such a risk, fail the file signature
	 * verification.
	 */
	if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
	    ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		status = INTEGRITY_FAIL;
		cause = "unverifiable-signature";
		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
				    op, cause, rc, 0);
	} else if (status != INTEGRITY_PASS) {
		/* Fix mode, but don't replace file signatures. */
		if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
		    (!xattr_value ||
		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
			if (!ima_fix_xattr(dentry, iint))
				status = INTEGRITY_PASS;
		}

		/*
		 * Permit new files with file/EVM portable signatures, but
		 * without data.
		 */
		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
		    test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
			status = INTEGRITY_PASS;
		}

		/* audited even if fix mode or the new-file rule just passed it */
		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
				    op, cause, rc, 0);
	} else {
		ima_cache_flags(iint, func);
	}

	ima_set_cache_status(iint, func, status);
	return status;
}
490 | ||
/*
 * ima_update_xattr - refresh 'security.ima' with the file's current hash
 * @iint: integrity cache entry for the file
 * @file: file that was modified
 *
 * Signed files are left alone: a hash must never overwrite a signature.
 * Otherwise the hash is only rewritten when the last file appraisal passed
 * or the policy merely asks for hashing (IMA_HASH).
 */
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
{
	struct dentry *dentry = file_dentry(file);
	struct inode *inode = file_inode(file);
	bool hash_only = iint->flags & IMA_HASH;

	/* do not collect and update hash for digital signatures */
	if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
		return;

	if (iint->ima_file_status != INTEGRITY_PASS && !hash_only)
		return;

	if (ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo,
				    NULL) < 0)
		return;

	inode_lock(inode);
	ima_fix_xattr(dentry, iint);
	inode_unlock(inode);
}
515 | ||
/**
 * ima_inode_post_setattr - reflect file metadata changes
 * @mnt_userns: user namespace of the mount the inode was found from
 * @dentry: pointer to the affected dentry
 *
 * Changes to a dentry's metadata might result in needing to appraise.
 * Only regular files on xattr-capable filesystems are of interest, and
 * only while the policy has appraisal rules at all.
 *
 * This function is called from notify_change(), which expects the caller
 * to lock the inode's i_mutex.
 */
void ima_inode_post_setattr(struct user_namespace *mnt_userns,
			    struct dentry *dentry)
{
	struct inode *inode = d_backing_inode(dentry);
	struct integrity_iint_cache *iint;
	bool must_appraise;

	if (!(ima_policy_flag & IMA_APPRAISE))
		return;
	if (!S_ISREG(inode->i_mode) || !(inode->i_opflags & IOP_XATTR))
		return;

	must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
					  POST_SETATTR) != 0;
	iint = integrity_iint_find(inode);
	if (!iint)
		return;

	/* record that the metadata changed ... */
	set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
	/* ... and drop any pending xattr update if no rule applies any more */
	if (!must_appraise)
		clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
}
42c63330 MZ |
545 | |
/*
 * ima_protect_xattr - gate writes to and removal of 'security.ima'
 * @dentry: target file (unused here)
 * @xattr_name: attribute being modified
 * @xattr_value: new value (not inspected)
 * @xattr_value_len: length of @xattr_value (not inspected)
 *
 * Returns 1 when @xattr_name is security.ima and the caller holds
 * CAP_SYS_ADMIN, -EPERM when it is security.ima but the caller lacks the
 * capability, and 0 for any other xattr (nothing to protect here).
 */
static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
			     const void *xattr_value, size_t xattr_value_len)
{
	bool is_ima_xattr = !strcmp(xattr_name, XATTR_NAME_IMA);

	if (!is_ima_xattr)
		return 0;

	return capable(CAP_SYS_ADMIN) ? 1 : -EPERM;
}
561 | ||
/*
 * ima_reset_appraise_flags - invalidate cached state after an xattr change
 * @inode: inode whose security.ima/security.evm is being changed
 * @digsig: non-zero when the new value is a signature rather than a hash
 *
 * Nothing is done unless the policy appraises and @inode is a regular file
 * that already has an integrity cache entry.
 */
static void ima_reset_appraise_flags(struct inode *inode, int digsig)
{
	struct integrity_iint_cache *iint;

	if (!(ima_policy_flag & IMA_APPRAISE))
		return;
	if (!S_ISREG(inode->i_mode))
		return;

	iint = integrity_iint_find(inode);
	if (iint == NULL)
		return;

	/* xattr changed: previous measurements and appraisals no longer hold */
	iint->measured_pcrs = 0;
	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);

	/* remember whether the new value is a signature */
	if (digsig)
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
	else
		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
}
579 | ||
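/**
 * validate_hash_algo() - Block setxattr with unsupported hash algorithms
 * @dentry: object of the setxattr()
 * @xattr_value: userland supplied xattr value
 * @xattr_value_len: length of xattr_value
 *
 * The xattr value is mapped to its hash algorithm, and this algorithm
 * must be built in the kernel for the setxattr to be allowed.  When the
 * policy has pinned a set of algorithms (ima_setxattr_allowed_hash_algorithms
 * is non-zero) that set is authoritative instead, and a distinct audit
 * cause tells "denied by policy" apart from "not built in".
 *
 * Emit an audit message when the algorithm is invalid.  dentry_path() can
 * fail for a path that does not fit in PATH_MAX (it returns an ERR_PTR);
 * in that case the audit record is emitted with a NULL name rather than
 * handing the audit code an error pointer to dereference.
 *
 * Return: 0 on success, else an error.
 */
static int validate_hash_algo(struct dentry *dentry,
			      const struct evm_ima_xattr_data *xattr_value,
			      size_t xattr_value_len)
{
	char *path = NULL, *pathbuf = NULL;
	enum hash_algo xattr_hash_algo;
	const char *errmsg = "unavailable-hash-algorithm";
	unsigned int allowed_hashes;

	/* never fails: undecodable values map to the default ima_hash_algo */
	xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);

	allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms);

	if (allowed_hashes) {
		/*
		 * success if the algorithm is allowed in the ima policy;
		 * ima_get_hash_algo() keeps the id below HASH_ALGO__LAST
		 */
		if (allowed_hashes & (1U << xattr_hash_algo))
			return 0;

		/*
		 * We use a different audit message when the hash algorithm
		 * is denied by a policy rule, instead of not being built
		 * in the kernel image
		 */
		errmsg = "denied-hash-algorithm";
	} else {
		if (likely(xattr_hash_algo == ima_hash_algo))
			return 0;

		/* allow any xattr using an algorithm built in the kernel */
		if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0))
			return 0;
	}

	pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
	if (!pathbuf)
		return -EACCES;

	/* an overlong path yields ERR_PTR(-ENAMETOOLONG), not a string */
	path = dentry_path(dentry, pathbuf, PATH_MAX);
	if (IS_ERR(path))
		path = NULL;

	integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
			    "set_data", errmsg, -EACCES, 0);

	kfree(pathbuf);

	return -EACCES;
}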
639 | ||
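/*
 * ima_inode_setxattr - LSM hook run before an xattr is written
 * @dentry: target file
 * @xattr_name: attribute being set
 * @xattr_value: userland supplied value (untrusted)
 * @xattr_value_len: length of @xattr_value
 *
 * For security.ima the caller must hold CAP_SYS_ADMIN (ima_protect_xattr()),
 * the value must be non-empty with a type byte IMA knows, and its hash
 * algorithm must be acceptable (validate_hash_algo()).  A write to any
 * xattr EVM revalidates on, or to security.evm itself, also goes through
 * the algorithm check and invalidates the inode's cached appraisal state.
 *
 * A denial from ima_protect_xattr() is returned immediately.  Previously a
 * -EPERM could be overwritten by the 0 from validate_hash_algo() when EVM
 * asked for revalidation of security.ima, so a request this hook had
 * refused left it as a success (the capability check done earlier in the
 * VFS hook chain is what actually stopped it; this keeps the hook itself
 * consistent).
 *
 * Returns 0 to allow the write, a negative error to refuse it.
 */
int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
		       const void *xattr_value, size_t xattr_value_len)
{
	const struct evm_ima_xattr_data *xvalue = xattr_value;
	int digsig = 0;
	int result;

	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
				   xattr_value_len);
	/* refused: never let a later check turn this into 0 */
	if (result < 0)
		return result;

	if (result == 1) {
		/* security.ima: must carry a type byte IMA understands */
		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
			return -EINVAL;
		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
	}

	if (result == 1 || evm_revalidate_status(xattr_name)) {
		result = validate_hash_algo(dentry, xvalue, xattr_value_len);
		if (result)
			return result;

		/* xattr is changing: cached appraisal results are stale */
		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
	}
	return result;
}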
665 | ||
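/*
 * ima_inode_removexattr - LSM hook run before an xattr is removed
 * @dentry: target file
 * @xattr_name: attribute being removed
 *
 * Removing security.ima requires CAP_SYS_ADMIN (ima_protect_xattr()).
 * Removing it, or any xattr EVM revalidates on, invalidates the inode's
 * cached appraisal state.  A denial from ima_protect_xattr() is returned
 * before touching that state, so a refused request no longer clears
 * IMA_DIGSIG and the measured PCR mask for a file that is left unchanged.
 *
 * Returns 0 to allow the removal, a negative error to refuse it.
 */
int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
{
	int result;

	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
	/* refused: leave the cached appraisal state untouched */
	if (result < 0)
		return result;

	if (result == 1 || evm_revalidate_status(xattr_name)) {
		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
		if (result == 1)
			result = 0;
	}
	return result;
}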