Commit | Line | Data |
---|---|---|
b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
2fe5d6de MZ |
2 | /* |
3 | * Copyright (C) 2011 IBM Corporation | |
4 | * | |
5 | * Author: | |
6 | * Mimi Zohar <zohar@us.ibm.com> | |
2fe5d6de | 7 | */ |
876979c9 | 8 | #include <linux/init.h> |
2fe5d6de MZ |
9 | #include <linux/file.h> |
10 | #include <linux/fs.h> | |
11 | #include <linux/xattr.h> | |
12 | #include <linux/magic.h> | |
13 | #include <linux/ima.h> | |
14 | #include <linux/evm.h> | |
273df864 | 15 | #include <keys/system_keyring.h> |
2fe5d6de MZ |
16 | |
17 | #include "ima.h" | |
18 | ||
19 | static int __init default_appraise_setup(char *str) | |
20 | { | |
e1f5e01f | 21 | #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM |
311aa6aa BM |
22 | if (arch_ima_get_secureboot()) { |
23 | pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", | |
24 | str); | |
25 | return 1; | |
26 | } | |
27 | ||
2fe5d6de MZ |
28 | if (strncmp(str, "off", 3) == 0) |
29 | ima_appraise = 0; | |
2faa6ef3 DK |
30 | else if (strncmp(str, "log", 3) == 0) |
31 | ima_appraise = IMA_APPRAISE_LOG; | |
2fe5d6de MZ |
32 | else if (strncmp(str, "fix", 3) == 0) |
33 | ima_appraise = IMA_APPRAISE_FIX; | |
e1f5e01f | 34 | #endif |
2fe5d6de MZ |
35 | return 1; |
36 | } | |
37 | ||
38 | __setup("ima_appraise=", default_appraise_setup); | |
39 | ||
6f6723e2 MZ |
40 | /* |
41 | * is_ima_appraise_enabled - return appraise status | |
42 | * | |
43 | * Only return enabled, if not in ima_appraise="fix" or "log" modes. | |
44 | */ | |
45 | bool is_ima_appraise_enabled(void) | |
46 | { | |
e5729f86 | 47 | return ima_appraise & IMA_APPRAISE_ENFORCE; |
6f6723e2 MZ |
48 | } |
49 | ||
2fe5d6de MZ |
50 | /* |
51 | * ima_must_appraise - set appraise flag | |
52 | * | |
da1b0029 | 53 | * Return 1 to appraise or hash |
2fe5d6de | 54 | */ |
d26e1936 | 55 | int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) |
2fe5d6de | 56 | { |
d906c10d MG |
57 | u32 secid; |
58 | ||
07f6a794 MZ |
59 | if (!ima_appraise) |
60 | return 0; | |
61 | ||
d906c10d MG |
62 | security_task_getsecid(current, &secid); |
63 | return ima_match_policy(inode, current_cred(), secid, func, mask, | |
e9085e0a | 64 | IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); |
2fe5d6de MZ |
65 | } |
66 | ||
def3e8b9 | 67 | static int ima_fix_xattr(struct dentry *dentry, |
c7c8bb23 | 68 | struct integrity_iint_cache *iint) |
2fe5d6de | 69 | { |
3ea7a560 DK |
70 | int rc, offset; |
71 | u8 algo = iint->ima_hash->algo; | |
72 | ||
73 | if (algo <= HASH_ALGO_SHA1) { | |
74 | offset = 1; | |
75 | iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST; | |
76 | } else { | |
77 | offset = 0; | |
78 | iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG; | |
79 | iint->ima_hash->xattr.ng.algo = algo; | |
80 | } | |
81 | rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, | |
82 | &iint->ima_hash->xattr.data[offset], | |
83 | (sizeof(iint->ima_hash->xattr) - offset) + | |
84 | iint->ima_hash->length, 0); | |
85 | return rc; | |
2fe5d6de MZ |
86 | } |
87 | ||
d79d72e0 MZ |
88 | /* Return specific func appraised cached result */ |
89 | enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, | |
4ad87a3d | 90 | enum ima_hooks func) |
d79d72e0 | 91 | { |
089bc8e9 | 92 | switch (func) { |
d79d72e0 MZ |
93 | case MMAP_CHECK: |
94 | return iint->ima_mmap_status; | |
95 | case BPRM_CHECK: | |
96 | return iint->ima_bprm_status; | |
d906c10d MG |
97 | case CREDS_CHECK: |
98 | return iint->ima_creds_status; | |
d79d72e0 | 99 | case FILE_CHECK: |
c6af8efe | 100 | case POST_SETATTR: |
d79d72e0 | 101 | return iint->ima_file_status; |
c6af8efe MZ |
102 | case MODULE_CHECK ... MAX_CHECK - 1: |
103 | default: | |
104 | return iint->ima_read_status; | |
d79d72e0 MZ |
105 | } |
106 | } | |
107 | ||
108 | static void ima_set_cache_status(struct integrity_iint_cache *iint, | |
4ad87a3d MZ |
109 | enum ima_hooks func, |
110 | enum integrity_status status) | |
d79d72e0 | 111 | { |
089bc8e9 | 112 | switch (func) { |
d79d72e0 MZ |
113 | case MMAP_CHECK: |
114 | iint->ima_mmap_status = status; | |
115 | break; | |
116 | case BPRM_CHECK: | |
117 | iint->ima_bprm_status = status; | |
118 | break; | |
d906c10d MG |
119 | case CREDS_CHECK: |
120 | iint->ima_creds_status = status; | |
09186e50 | 121 | break; |
d79d72e0 | 122 | case FILE_CHECK: |
c6af8efe | 123 | case POST_SETATTR: |
d79d72e0 | 124 | iint->ima_file_status = status; |
c6af8efe MZ |
125 | break; |
126 | case MODULE_CHECK ... MAX_CHECK - 1: | |
127 | default: | |
128 | iint->ima_read_status = status; | |
129 | break; | |
d79d72e0 MZ |
130 | } |
131 | } | |
132 | ||
4ad87a3d MZ |
133 | static void ima_cache_flags(struct integrity_iint_cache *iint, |
134 | enum ima_hooks func) | |
d79d72e0 | 135 | { |
089bc8e9 | 136 | switch (func) { |
d79d72e0 MZ |
137 | case MMAP_CHECK: |
138 | iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED); | |
139 | break; | |
140 | case BPRM_CHECK: | |
141 | iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED); | |
142 | break; | |
d906c10d MG |
143 | case CREDS_CHECK: |
144 | iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED); | |
145 | break; | |
d79d72e0 | 146 | case FILE_CHECK: |
c6af8efe | 147 | case POST_SETATTR: |
d79d72e0 | 148 | iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED); |
c6af8efe MZ |
149 | break; |
150 | case MODULE_CHECK ... MAX_CHECK - 1: | |
151 | default: | |
152 | iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED); | |
153 | break; | |
d79d72e0 MZ |
154 | } |
155 | } | |
156 | ||
1525b06d DK |
157 | enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, |
158 | int xattr_len) | |
d3634d0f DK |
159 | { |
160 | struct signature_v2_hdr *sig; | |
b4bfec7f | 161 | enum hash_algo ret; |
d3634d0f | 162 | |
3ea7a560 | 163 | if (!xattr_value || xattr_len < 2) |
1525b06d DK |
164 | /* return default hash algo */ |
165 | return ima_hash_algo; | |
d3634d0f | 166 | |
3ea7a560 DK |
167 | switch (xattr_value->type) { |
168 | case EVM_IMA_XATTR_DIGSIG: | |
169 | sig = (typeof(sig))xattr_value; | |
170 | if (sig->version != 2 || xattr_len <= sizeof(*sig)) | |
1525b06d DK |
171 | return ima_hash_algo; |
172 | return sig->hash_algo; | |
3ea7a560 DK |
173 | break; |
174 | case IMA_XATTR_DIGEST_NG: | |
650b29db TJB |
175 | /* first byte contains algorithm id */ |
176 | ret = xattr_value->data[0]; | |
b4bfec7f SF |
177 | if (ret < HASH_ALGO__LAST) |
178 | return ret; | |
3ea7a560 DK |
179 | break; |
180 | case IMA_XATTR_DIGEST: | |
181 | /* this is for backward compatibility */ | |
182 | if (xattr_len == 21) { | |
183 | unsigned int zero = 0; | |
650b29db | 184 | if (!memcmp(&xattr_value->data[16], &zero, 4)) |
1525b06d | 185 | return HASH_ALGO_MD5; |
3ea7a560 | 186 | else |
1525b06d | 187 | return HASH_ALGO_SHA1; |
3ea7a560 | 188 | } else if (xattr_len == 17) |
1525b06d | 189 | return HASH_ALGO_MD5; |
3ea7a560 DK |
190 | break; |
191 | } | |
1525b06d DK |
192 | |
193 | /* return default hash algo */ | |
194 | return ima_hash_algo; | |
d3634d0f DK |
195 | } |
196 | ||
197 | int ima_read_xattr(struct dentry *dentry, | |
198 | struct evm_ima_xattr_data **xattr_value) | |
199 | { | |
5d6c3191 | 200 | ssize_t ret; |
d3634d0f | 201 | |
5d6c3191 AG |
202 | ret = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value, |
203 | 0, GFP_NOFS); | |
204 | if (ret == -EOPNOTSUPP) | |
205 | ret = 0; | |
206 | return ret; | |
d3634d0f DK |
207 | } |
208 | ||
a5fbeb61 TJB |
209 | /* |
210 | * xattr_verify - verify xattr digest or signature | |
211 | * | |
212 | * Verify whether the hash or signature matches the file contents. | |
213 | * | |
214 | * Return 0 on success, error code otherwise. | |
215 | */ | |
216 | static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint, | |
217 | struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
218 | enum integrity_status *status, const char **cause) | |
219 | { | |
220 | int rc = -EINVAL, hash_start = 0; | |
221 | ||
222 | switch (xattr_value->type) { | |
223 | case IMA_XATTR_DIGEST_NG: | |
224 | /* first byte contains algorithm id */ | |
225 | hash_start = 1; | |
df561f66 | 226 | fallthrough; |
a5fbeb61 TJB |
227 | case IMA_XATTR_DIGEST: |
228 | if (iint->flags & IMA_DIGSIG_REQUIRED) { | |
229 | *cause = "IMA-signature-required"; | |
230 | *status = INTEGRITY_FAIL; | |
231 | break; | |
232 | } | |
233 | clear_bit(IMA_DIGSIG, &iint->atomic_flags); | |
234 | if (xattr_len - sizeof(xattr_value->type) - hash_start >= | |
235 | iint->ima_hash->length) | |
236 | /* | |
237 | * xattr length may be longer. md5 hash in previous | |
238 | * version occupied 20 bytes in xattr, instead of 16 | |
239 | */ | |
240 | rc = memcmp(&xattr_value->data[hash_start], | |
241 | iint->ima_hash->digest, | |
242 | iint->ima_hash->length); | |
243 | else | |
244 | rc = -EINVAL; | |
245 | if (rc) { | |
246 | *cause = "invalid-hash"; | |
247 | *status = INTEGRITY_FAIL; | |
248 | break; | |
249 | } | |
250 | *status = INTEGRITY_PASS; | |
251 | break; | |
252 | case EVM_IMA_XATTR_DIGSIG: | |
253 | set_bit(IMA_DIGSIG, &iint->atomic_flags); | |
254 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, | |
255 | (const char *)xattr_value, | |
256 | xattr_len, | |
257 | iint->ima_hash->digest, | |
258 | iint->ima_hash->length); | |
259 | if (rc == -EOPNOTSUPP) { | |
260 | *status = INTEGRITY_UNKNOWN; | |
261 | break; | |
262 | } | |
263 | if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && | |
264 | func == KEXEC_KERNEL_CHECK) | |
265 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM, | |
266 | (const char *)xattr_value, | |
267 | xattr_len, | |
268 | iint->ima_hash->digest, | |
269 | iint->ima_hash->length); | |
270 | if (rc) { | |
271 | *cause = "invalid-signature"; | |
272 | *status = INTEGRITY_FAIL; | |
273 | } else { | |
274 | *status = INTEGRITY_PASS; | |
275 | } | |
276 | break; | |
277 | default: | |
278 | *status = INTEGRITY_UNKNOWN; | |
279 | *cause = "unknown-ima-data"; | |
280 | break; | |
281 | } | |
282 | ||
283 | return rc; | |
284 | } | |
285 | ||
39b07096 TJB |
286 | /* |
287 | * modsig_verify - verify modsig signature | |
288 | * | |
289 | * Verify whether the signature matches the file contents. | |
290 | * | |
291 | * Return 0 on success, error code otherwise. | |
292 | */ | |
293 | static int modsig_verify(enum ima_hooks func, const struct modsig *modsig, | |
294 | enum integrity_status *status, const char **cause) | |
295 | { | |
296 | int rc; | |
297 | ||
298 | rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig); | |
299 | if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && | |
300 | func == KEXEC_KERNEL_CHECK) | |
301 | rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM, | |
302 | modsig); | |
303 | if (rc) { | |
304 | *cause = "invalid-signature"; | |
305 | *status = INTEGRITY_FAIL; | |
306 | } else { | |
307 | *status = INTEGRITY_PASS; | |
308 | } | |
309 | ||
310 | return rc; | |
311 | } | |
312 | ||
273df864 NJ |
313 | /* |
314 | * ima_check_blacklist - determine if the binary is blacklisted. | |
315 | * | |
316 | * Add the hash of the blacklisted binary to the measurement list, based | |
317 | * on policy. | |
318 | * | |
319 | * Returns -EPERM if the hash is blacklisted. | |
320 | */ | |
321 | int ima_check_blacklist(struct integrity_iint_cache *iint, | |
322 | const struct modsig *modsig, int pcr) | |
323 | { | |
324 | enum hash_algo hash_algo; | |
325 | const u8 *digest = NULL; | |
326 | u32 digestsize = 0; | |
327 | int rc = 0; | |
328 | ||
329 | if (!(iint->flags & IMA_CHECK_BLACKLIST)) | |
330 | return 0; | |
331 | ||
332 | if (iint->flags & IMA_MODSIG_ALLOWED && modsig) { | |
333 | ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize); | |
334 | ||
335 | rc = is_binary_blacklisted(digest, digestsize); | |
336 | if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) | |
4834177e | 337 | process_buffer_measurement(NULL, digest, digestsize, |
273df864 | 338 | "blacklisted-hash", NONE, |
e9085e0a | 339 | pcr, NULL); |
273df864 NJ |
340 | } |
341 | ||
342 | return rc; | |
343 | } | |
344 | ||
2fe5d6de MZ |
345 | /* |
346 | * ima_appraise_measurement - appraise file measurement | |
347 | * | |
348 | * Call evm_verifyxattr() to verify the integrity of 'security.ima'. | |
349 | * Assuming success, compare the xattr hash with the collected measurement. | |
350 | * | |
351 | * Return 0 on success, error code otherwise | |
352 | */ | |
4ad87a3d MZ |
353 | int ima_appraise_measurement(enum ima_hooks func, |
354 | struct integrity_iint_cache *iint, | |
d3634d0f DK |
355 | struct file *file, const unsigned char *filename, |
356 | struct evm_ima_xattr_data *xattr_value, | |
39b07096 | 357 | int xattr_len, const struct modsig *modsig) |
2fe5d6de | 358 | { |
52a13284 | 359 | static const char op[] = "appraise_data"; |
f5e51fa3 | 360 | const char *cause = "unknown"; |
e71b9dff | 361 | struct dentry *dentry = file_dentry(file); |
c6f493d6 | 362 | struct inode *inode = d_backing_inode(dentry); |
2fe5d6de | 363 | enum integrity_status status = INTEGRITY_UNKNOWN; |
a5fbeb61 | 364 | int rc = xattr_len; |
39b07096 | 365 | bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig; |
2fe5d6de | 366 | |
39b07096 TJB |
367 | /* If not appraising a modsig, we need an xattr. */ |
368 | if (!(inode->i_opflags & IOP_XATTR) && !try_modsig) | |
2fe5d6de MZ |
369 | return INTEGRITY_UNKNOWN; |
370 | ||
39b07096 TJB |
371 | /* If reading the xattr failed and there's no modsig, error out. */ |
372 | if (rc <= 0 && !try_modsig) { | |
2fe5d6de MZ |
373 | if (rc && rc != -ENODATA) |
374 | goto out; | |
375 | ||
915d9d25 TJB |
376 | cause = iint->flags & IMA_DIGSIG_REQUIRED ? |
377 | "IMA-signature-required" : "missing-hash"; | |
b151d6b0 | 378 | status = INTEGRITY_NOLABEL; |
6035a27b | 379 | if (file->f_mode & FMODE_CREATED) |
b151d6b0 | 380 | iint->flags |= IMA_NEW_FILE; |
1ac202e9 | 381 | if ((iint->flags & IMA_NEW_FILE) && |
b7e27bc1 MZ |
382 | (!(iint->flags & IMA_DIGSIG_REQUIRED) || |
383 | (inode->i_size == 0))) | |
b151d6b0 | 384 | status = INTEGRITY_PASS; |
2fe5d6de MZ |
385 | goto out; |
386 | } | |
387 | ||
8606404f | 388 | status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); |
f5e51fa3 TJB |
389 | switch (status) { |
390 | case INTEGRITY_PASS: | |
391 | case INTEGRITY_PASS_IMMUTABLE: | |
392 | case INTEGRITY_UNKNOWN: | |
393 | break; | |
394 | case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ | |
39b07096 TJB |
395 | /* It's fine not to have xattrs when using a modsig. */ |
396 | if (try_modsig) | |
397 | break; | |
df561f66 | 398 | fallthrough; |
f5e51fa3 TJB |
399 | case INTEGRITY_NOLABEL: /* No security.evm xattr. */ |
400 | cause = "missing-HMAC"; | |
401 | goto out; | |
402 | case INTEGRITY_FAIL: /* Invalid HMAC/signature. */ | |
403 | cause = "invalid-HMAC"; | |
2fe5d6de | 404 | goto out; |
f5e51fa3 TJB |
405 | default: |
406 | WARN_ONCE(true, "Unexpected integrity status %d\n", status); | |
2fe5d6de | 407 | } |
f5e51fa3 | 408 | |
a5fbeb61 TJB |
409 | if (xattr_value) |
410 | rc = xattr_verify(func, iint, xattr_value, xattr_len, &status, | |
411 | &cause); | |
8606404f | 412 | |
39b07096 TJB |
413 | /* |
414 | * If we have a modsig and either no imasig or the imasig's key isn't | |
415 | * known, then try verifying the modsig. | |
416 | */ | |
417 | if (try_modsig && | |
418 | (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG || | |
419 | rc == -ENOKEY)) | |
420 | rc = modsig_verify(func, modsig, &status, &cause); | |
421 | ||
2fe5d6de | 422 | out: |
57b56ac6 MZ |
423 | /* |
424 | * File signatures on some filesystems can not be properly verified. | |
9e67028e MZ |
425 | * When such filesystems are mounted by an untrusted mounter or on a |
426 | * system not willing to accept such a risk, fail the file signature | |
427 | * verification. | |
57b56ac6 | 428 | */ |
9e67028e MZ |
429 | if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && |
430 | ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) || | |
431 | (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) { | |
57b56ac6 MZ |
432 | status = INTEGRITY_FAIL; |
433 | cause = "unverifiable-signature"; | |
434 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, | |
435 | op, cause, rc, 0); | |
436 | } else if (status != INTEGRITY_PASS) { | |
f5e51fa3 | 437 | /* Fix mode, but don't replace file signatures. */ |
39b07096 | 438 | if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig && |
8606404f DK |
439 | (!xattr_value || |
440 | xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { | |
def3e8b9 DK |
441 | if (!ima_fix_xattr(dentry, iint)) |
442 | status = INTEGRITY_PASS; | |
f5e51fa3 TJB |
443 | } |
444 | ||
445 | /* Permit new files with file signatures, but without data. */ | |
446 | if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && | |
447 | xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) { | |
05d1a717 | 448 | status = INTEGRITY_PASS; |
2fe5d6de | 449 | } |
f5e51fa3 | 450 | |
2fe5d6de MZ |
451 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, |
452 | op, cause, rc, 0); | |
8606404f | 453 | } else { |
d79d72e0 | 454 | ima_cache_flags(iint, func); |
2fe5d6de | 455 | } |
57b56ac6 | 456 | |
d79d72e0 | 457 | ima_set_cache_status(iint, func, status); |
2fe5d6de MZ |
458 | return status; |
459 | } | |
460 | ||
461 | /* | |
462 | * ima_update_xattr - update 'security.ima' hash value | |
463 | */ | |
464 | void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) | |
465 | { | |
e71b9dff | 466 | struct dentry *dentry = file_dentry(file); |
2fe5d6de MZ |
467 | int rc = 0; |
468 | ||
8606404f | 469 | /* do not collect and update hash for digital signatures */ |
0d73a552 | 470 | if (test_bit(IMA_DIGSIG, &iint->atomic_flags)) |
8606404f DK |
471 | return; |
472 | ||
da1b0029 MZ |
473 | if ((iint->ima_file_status != INTEGRITY_PASS) && |
474 | !(iint->flags & IMA_HASH)) | |
020aae3e RS |
475 | return; |
476 | ||
15588227 | 477 | rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL); |
2fe5d6de MZ |
478 | if (rc < 0) |
479 | return; | |
8606404f | 480 | |
0d73a552 | 481 | inode_lock(file_inode(file)); |
2fe5d6de | 482 | ima_fix_xattr(dentry, iint); |
0d73a552 | 483 | inode_unlock(file_inode(file)); |
2fe5d6de MZ |
484 | } |
485 | ||
486 | /** | |
487 | * ima_inode_post_setattr - reflect file metadata changes | |
488 | * @dentry: pointer to the affected dentry | |
489 | * | |
490 | * Changes to a dentry's metadata might result in needing to appraise. | |
491 | * | |
492 | * This function is called from notify_change(), which expects the caller | |
493 | * to lock the inode's i_mutex. | |
494 | */ | |
495 | void ima_inode_post_setattr(struct dentry *dentry) | |
496 | { | |
c6f493d6 | 497 | struct inode *inode = d_backing_inode(dentry); |
2fe5d6de | 498 | struct integrity_iint_cache *iint; |
da1b0029 | 499 | int action; |
2fe5d6de | 500 | |
a756024e | 501 | if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode) |
5d6c3191 | 502 | || !(inode->i_opflags & IOP_XATTR)) |
2fe5d6de MZ |
503 | return; |
504 | ||
da1b0029 MZ |
505 | action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR); |
506 | if (!action) | |
0d73a552 | 507 | __vfs_removexattr(dentry, XATTR_NAME_IMA); |
2fe5d6de MZ |
508 | iint = integrity_iint_find(inode); |
509 | if (iint) { | |
0d73a552 | 510 | set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags); |
da1b0029 | 511 | if (!action) |
0d73a552 | 512 | clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); |
2fe5d6de | 513 | } |
2fe5d6de | 514 | } |
42c63330 MZ |
515 | |
516 | /* | |
517 | * ima_protect_xattr - protect 'security.ima' | |
518 | * | |
519 | * Ensure that not just anyone can modify or remove 'security.ima'. | |
520 | */ | |
521 | static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, | |
522 | const void *xattr_value, size_t xattr_value_len) | |
523 | { | |
524 | if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) { | |
525 | if (!capable(CAP_SYS_ADMIN)) | |
526 | return -EPERM; | |
527 | return 1; | |
528 | } | |
529 | return 0; | |
530 | } | |
531 | ||
060bdebf | 532 | static void ima_reset_appraise_flags(struct inode *inode, int digsig) |
42c63330 MZ |
533 | { |
534 | struct integrity_iint_cache *iint; | |
535 | ||
a756024e | 536 | if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)) |
42c63330 MZ |
537 | return; |
538 | ||
539 | iint = integrity_iint_find(inode); | |
540 | if (!iint) | |
541 | return; | |
a422638d | 542 | iint->measured_pcrs = 0; |
0d73a552 | 543 | set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); |
060bdebf | 544 | if (digsig) |
0d73a552 DK |
545 | set_bit(IMA_DIGSIG, &iint->atomic_flags); |
546 | else | |
547 | clear_bit(IMA_DIGSIG, &iint->atomic_flags); | |
42c63330 MZ |
548 | } |
549 | ||
550 | int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, | |
551 | const void *xattr_value, size_t xattr_value_len) | |
552 | { | |
060bdebf | 553 | const struct evm_ima_xattr_data *xvalue = xattr_value; |
42c63330 MZ |
554 | int result; |
555 | ||
556 | result = ima_protect_xattr(dentry, xattr_name, xattr_value, | |
557 | xattr_value_len); | |
558 | if (result == 1) { | |
a48fda9d DK |
559 | if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) |
560 | return -EINVAL; | |
f5acb3dc | 561 | ima_reset_appraise_flags(d_backing_inode(dentry), |
e5729f86 | 562 | xvalue->type == EVM_IMA_XATTR_DIGSIG); |
42c63330 MZ |
563 | result = 0; |
564 | } | |
565 | return result; | |
566 | } | |
567 | ||
568 | int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) | |
569 | { | |
570 | int result; | |
571 | ||
572 | result = ima_protect_xattr(dentry, xattr_name, NULL, 0); | |
573 | if (result == 1) { | |
c6f493d6 | 574 | ima_reset_appraise_flags(d_backing_inode(dentry), 0); |
42c63330 MZ |
575 | result = 0; |
576 | } | |
577 | return result; | |
578 | } |