projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'pci-v6.16-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
[linux-block.git] / security / integrity / ima / ima_appraise.c
CommitLineData
b886d83c 1// SPDX-License-Identifier: GPL-2.0-only
2fe5d6de
MZ		 2/*
3 * Copyright (C) 2011 IBM Corporation
4 *
5 * Author:
6 * Mimi Zohar <zohar@us.ibm.com>
2fe5d6de 7 */
b000d5cb 8#include <linux/module.h>
876979c9 9#include <linux/init.h>
2fe5d6de 10#include <linux/file.h>
95b3cdaf 11#include <linux/binfmts.h>
2fe5d6de
MZ		 12#include <linux/fs.h>
13#include <linux/xattr.h>
14#include <linux/magic.h>
15#include <linux/ima.h>
16#include <linux/evm.h>
398c42e2 17#include <linux/fsverity.h>
273df864 18#include <keys/system_keyring.h>
398c42e2 19#include <uapi/linux/fsverity.h>
2fe5d6de
MZ		 20
21#include "ima.h"
22
e1f5e01f 23#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
b000d5cb
AB		 24static char *ima_appraise_cmdline_default __initdata;
25core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);
26
27void __init ima_appraise_parse_cmdline(void)
28{
29 const char *str = ima_appraise_cmdline_default;
e4d7e2df
BM		 30 bool sb_state = arch_ima_get_secureboot();
31 int appraisal_state = ima_appraise;
311aa6aa 32
b000d5cb
AB		 33 if (!str)
34 return;
35
2fe5d6de 36 if (strncmp(str, "off", 3) == 0)
e4d7e2df 37 appraisal_state = 0;
2faa6ef3 38 else if (strncmp(str, "log", 3) == 0)
e4d7e2df 39 appraisal_state = IMA_APPRAISE_LOG;
2fe5d6de 40 else if (strncmp(str, "fix", 3) == 0)
e4d7e2df 41 appraisal_state = IMA_APPRAISE_FIX;
4afb28ab 42 else if (strncmp(str, "enforce", 7) == 0)
e4d7e2df 43 appraisal_state = IMA_APPRAISE_ENFORCE;
7fe2bb7e
BM		 44 else
45 pr_err("invalid \"%s\" appraise option", str);
e4d7e2df
BM		 46
47 /* If appraisal state was changed, but secure boot is enabled,
48 * keep its default */
49 if (sb_state) {
50 if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
51 pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
52 str);
53 } else {
54 ima_appraise = appraisal_state;
55 }
2fe5d6de 56}
b000d5cb 57#endif
2fe5d6de 58
6f6723e2
MZ		 59/*
60 * is_ima_appraise_enabled - return appraise status
61 *
62 * Only return enabled, if not in ima_appraise="fix" or "log" modes.
63 */
64bool is_ima_appraise_enabled(void)
65{
e5729f86 66 return ima_appraise & IMA_APPRAISE_ENFORCE;
6f6723e2
MZ		 67}
68
2fe5d6de
MZ		 69/*
70 * ima_must_appraise - set appraise flag
71 *
da1b0029 72 * Return 1 to appraise or hash
2fe5d6de 73 */
39f60c1c 74int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
a2d2329e 75 int mask, enum ima_hooks func)
2fe5d6de 76{
37f670aa 77 struct lsm_prop prop;
d906c10d 78
07f6a794
MZ		 79 if (!ima_appraise)
80 return 0;
81
37f670aa
CS		 82 security_current_getlsmprop_subj(&prop);
83 return ima_match_policy(idmap, inode, current_cred(), &prop,
1624dc00
TS		 84 func, mask, IMA_APPRAISE | IMA_HASH, NULL,
85 NULL, NULL, NULL);
2fe5d6de
MZ		 86}
87
4de2f084 88static int ima_fix_xattr(struct dentry *dentry, struct ima_iint_cache *iint)
2fe5d6de 89{
3ea7a560
DK		 90 int rc, offset;
91 u8 algo = iint->ima_hash->algo;
92
93 if (algo <= HASH_ALGO_SHA1) {
94 offset = 1;
95 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
96 } else {
97 offset = 0;
98 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
99 iint->ima_hash->xattr.ng.algo = algo;
100 }
39f60c1c 101 rc = __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
3ea7a560
DK		 102 &iint->ima_hash->xattr.data[offset],
103 (sizeof(iint->ima_hash->xattr) - offset) +
104 iint->ima_hash->length, 0);
105 return rc;
2fe5d6de
MZ		 106}
107
d79d72e0 108/* Return specific func appraised cached result */
4de2f084 109enum integrity_status ima_get_cache_status(struct ima_iint_cache *iint,
4ad87a3d 110 enum ima_hooks func)
d79d72e0 111{
089bc8e9 112 switch (func) {
d79d72e0 113 case MMAP_CHECK:
4958db32 114 case MMAP_CHECK_REQPROT:
d79d72e0
MZ		 115 return iint->ima_mmap_status;
116 case BPRM_CHECK:
117 return iint->ima_bprm_status;
d906c10d
MG		 118 case CREDS_CHECK:
119 return iint->ima_creds_status;
d79d72e0 120 case FILE_CHECK:
c6af8efe 121 case POST_SETATTR:
d79d72e0 122 return iint->ima_file_status;
c6af8efe
MZ		 123 case MODULE_CHECK ... MAX_CHECK - 1:
124 default:
125 return iint->ima_read_status;
d79d72e0
MZ		 126 }
127}
128
4de2f084 129static void ima_set_cache_status(struct ima_iint_cache *iint,
4ad87a3d
MZ		 130 enum ima_hooks func,
131 enum integrity_status status)
d79d72e0 132{
089bc8e9 133 switch (func) {
d79d72e0 134 case MMAP_CHECK:
4958db32 135 case MMAP_CHECK_REQPROT:
d79d72e0
MZ		 136 iint->ima_mmap_status = status;
137 break;
138 case BPRM_CHECK:
139 iint->ima_bprm_status = status;
140 break;
d906c10d
MG		 141 case CREDS_CHECK:
142 iint->ima_creds_status = status;
09186e50 143 break;
d79d72e0 144 case FILE_CHECK:
c6af8efe 145 case POST_SETATTR:
d79d72e0 146 iint->ima_file_status = status;
c6af8efe
MZ		 147 break;
148 case MODULE_CHECK ... MAX_CHECK - 1:
149 default:
150 iint->ima_read_status = status;
151 break;
d79d72e0
MZ		 152 }
153}
154
4de2f084 155static void ima_cache_flags(struct ima_iint_cache *iint, enum ima_hooks func)
d79d72e0 156{
089bc8e9 157 switch (func) {
d79d72e0 158 case MMAP_CHECK:
4958db32 159 case MMAP_CHECK_REQPROT:
d79d72e0
MZ		 160 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
161 break;
162 case BPRM_CHECK:
163 iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
164 break;
d906c10d
MG		 165 case CREDS_CHECK:
166 iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
167 break;
d79d72e0 168 case FILE_CHECK:
c6af8efe 169 case POST_SETATTR:
d79d72e0 170 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
c6af8efe
MZ		 171 break;
172 case MODULE_CHECK ... MAX_CHECK - 1:
173 default:
174 iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
175 break;
d79d72e0
MZ		 176 }
177}
178
50f742dd 179enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
1525b06d 180 int xattr_len)
d3634d0f
DK		 181{
182 struct signature_v2_hdr *sig;
b4bfec7f 183 enum hash_algo ret;
d3634d0f 184
3ea7a560 185 if (!xattr_value || xattr_len < 2)
1525b06d
DK		 186 /* return default hash algo */
187 return ima_hash_algo;
d3634d0f 188
3ea7a560 189 switch (xattr_value->type) {
398c42e2
MZ		 190 case IMA_VERITY_DIGSIG:
191 sig = (typeof(sig))xattr_value;
192 if (sig->version != 3 || xattr_len <= sizeof(*sig) ||
193 sig->hash_algo >= HASH_ALGO__LAST)
194 return ima_hash_algo;
195 return sig->hash_algo;
3ea7a560
DK		 196 case EVM_IMA_XATTR_DIGSIG:
197 sig = (typeof(sig))xattr_value;
cb181da1
TS		 198 if (sig->version != 2 || xattr_len <= sizeof(*sig)
199 || sig->hash_algo >= HASH_ALGO__LAST)
1525b06d
DK		 200 return ima_hash_algo;
201 return sig->hash_algo;
3ea7a560 202 case IMA_XATTR_DIGEST_NG:
650b29db
TJB		 203 /* first byte contains algorithm id */
204 ret = xattr_value->data[0];
b4bfec7f
SF		 205 if (ret < HASH_ALGO__LAST)
206 return ret;
3ea7a560
DK		 207 break;
208 case IMA_XATTR_DIGEST:
209 /* this is for backward compatibility */
210 if (xattr_len == 21) {
211 unsigned int zero = 0;
650b29db 212 if (!memcmp(&xattr_value->data[16], &zero, 4))
1525b06d 213 return HASH_ALGO_MD5;
3ea7a560 214 else
1525b06d 215 return HASH_ALGO_SHA1;
3ea7a560 216 } else if (xattr_len == 17)
1525b06d 217 return HASH_ALGO_MD5;
3ea7a560
DK		 218 break;
219 }
1525b06d
DK		 220
221 /* return default hash algo */
222 return ima_hash_algo;
d3634d0f
DK		 223}
224
225int ima_read_xattr(struct dentry *dentry,
f6fbd8cb 226 struct evm_ima_xattr_data **xattr_value, int xattr_len)
d3634d0f 227{
f6fbd8cb 228 int ret;
d3634d0f 229
4609e1f1 230 ret = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
f6fbd8cb 231 (char **)xattr_value, xattr_len, GFP_NOFS);
5d6c3191
AG		 232 if (ret == -EOPNOTSUPP)
233 ret = 0;
234 return ret;
d3634d0f
DK		 235}
236
398c42e2
MZ		 237/*
238 * calc_file_id_hash - calculate the hash of the ima_file_id struct data
239 * @type: xattr type [enum evm_ima_xattr_type]
240 * @algo: hash algorithm [enum hash_algo]
241 * @digest: pointer to the digest to be hashed
242 * @hash: (out) pointer to the hash
243 *
244 * IMA signature version 3 disambiguates the data that is signed by
245 * indirectly signing the hash of the ima_file_id structure data.
246 *
247 * Signing the ima_file_id struct is currently only supported for
248 * IMA_VERITY_DIGSIG type xattrs.
249 *
250 * Return 0 on success, error code otherwise.
251 */
252static int calc_file_id_hash(enum evm_ima_xattr_type type,
253 enum hash_algo algo, const u8 *digest,
254 struct ima_digest_data *hash)
255{
256 struct ima_file_id file_id = {
257 .hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
258 unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo];
259
260 if (type != IMA_VERITY_DIGSIG)
261 return -EINVAL;
262
263 memcpy(file_id.hash, digest, hash_digest_size[algo]);
264
265 hash->algo = algo;
266 hash->length = hash_digest_size[algo];
267
268 return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash);
269}
270
a5fbeb61
TJB		 271/*
272 * xattr_verify - verify xattr digest or signature
273 *
274 * Verify whether the hash or signature matches the file contents.
275 *
276 * Return 0 on success, error code otherwise.
277 */
4de2f084 278static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,
a5fbeb61
TJB		 279 struct evm_ima_xattr_data *xattr_value, int xattr_len,
280 enum integrity_status *status, const char **cause)
281{
398c42e2
MZ		 282 struct ima_max_digest_data hash;
283 struct signature_v2_hdr *sig;
a5fbeb61 284 int rc = -EINVAL, hash_start = 0;
398c42e2 285 int mask;
a5fbeb61
TJB		 286
287 switch (xattr_value->type) {
288 case IMA_XATTR_DIGEST_NG:
289 /* first byte contains algorithm id */
290 hash_start = 1;
df561f66 291 fallthrough;
a5fbeb61 292 case IMA_XATTR_DIGEST:
7aa5783d
RS		 293 if (*status != INTEGRITY_PASS_IMMUTABLE) {
294 if (iint->flags & IMA_DIGSIG_REQUIRED) {
398c42e2
MZ		 295 if (iint->flags & IMA_VERITY_REQUIRED)
296 *cause = "verity-signature-required";
297 else
298 *cause = "IMA-signature-required";
7aa5783d
RS		 299 *status = INTEGRITY_FAIL;
300 break;
301 }
302 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
303 } else {
304 set_bit(IMA_DIGSIG, &iint->atomic_flags);
a5fbeb61 305 }
a5fbeb61
TJB		 306 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
307 iint->ima_hash->length)
308 /*
309 * xattr length may be longer. md5 hash in previous
310 * version occupied 20 bytes in xattr, instead of 16
311 */
312 rc = memcmp(&xattr_value->data[hash_start],
313 iint->ima_hash->digest,
314 iint->ima_hash->length);
315 else
316 rc = -EINVAL;
317 if (rc) {
318 *cause = "invalid-hash";
319 *status = INTEGRITY_FAIL;
320 break;
321 }
322 *status = INTEGRITY_PASS;
323 break;
324 case EVM_IMA_XATTR_DIGSIG:
325 set_bit(IMA_DIGSIG, &iint->atomic_flags);
398c42e2
MZ		 326
327 mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED;
328 if ((iint->flags & mask) == mask) {
329 *cause = "verity-signature-required";
330 *status = INTEGRITY_FAIL;
331 break;
332 }
333
334 sig = (typeof(sig))xattr_value;
335 if (sig->version >= 3) {
336 *cause = "invalid-signature-version";
337 *status = INTEGRITY_FAIL;
338 break;
339 }
a5fbeb61
TJB		 340 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
341 (const char *)xattr_value,
342 xattr_len,
343 iint->ima_hash->digest,
344 iint->ima_hash->length);
345 if (rc == -EOPNOTSUPP) {
346 *status = INTEGRITY_UNKNOWN;
347 break;
348 }
349 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
350 func == KEXEC_KERNEL_CHECK)
351 rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
352 (const char *)xattr_value,
353 xattr_len,
354 iint->ima_hash->digest,
355 iint->ima_hash->length);
356 if (rc) {
357 *cause = "invalid-signature";
358 *status = INTEGRITY_FAIL;
359 } else {
360 *status = INTEGRITY_PASS;
361 }
398c42e2
MZ		 362 break;
363 case IMA_VERITY_DIGSIG:
364 set_bit(IMA_DIGSIG, &iint->atomic_flags);
365
366 if (iint->flags & IMA_DIGSIG_REQUIRED) {
367 if (!(iint->flags & IMA_VERITY_REQUIRED)) {
368 *cause = "IMA-signature-required";
369 *status = INTEGRITY_FAIL;
370 break;
371 }
372 }
373
374 sig = (typeof(sig))xattr_value;
375 if (sig->version != 3) {
376 *cause = "invalid-signature-version";
377 *status = INTEGRITY_FAIL;
378 break;
379 }
380
381 rc = calc_file_id_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
38aa3f5a
GS		 382 iint->ima_hash->digest,
383 container_of(&hash.hdr,
384 struct ima_digest_data, hdr));
398c42e2
MZ		 385 if (rc) {
386 *cause = "sigv3-hashing-error";
387 *status = INTEGRITY_FAIL;
388 break;
389 }
390
391 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
392 (const char *)xattr_value,
393 xattr_len, hash.digest,
394 hash.hdr.length);
395 if (rc) {
396 *cause = "invalid-verity-signature";
397 *status = INTEGRITY_FAIL;
398 } else {
399 *status = INTEGRITY_PASS;
400 }
401
a5fbeb61
TJB		 402 break;
403 default:
404 *status = INTEGRITY_UNKNOWN;
405 *cause = "unknown-ima-data";
406 break;
407 }
408
409 return rc;
410}
411
39b07096
TJB		 412/*
413 * modsig_verify - verify modsig signature
414 *
415 * Verify whether the signature matches the file contents.
416 *
417 * Return 0 on success, error code otherwise.
418 */
419static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
420 enum integrity_status *status, const char **cause)
421{
422 int rc;
423
424 rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
425 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
426 func == KEXEC_KERNEL_CHECK)
427 rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
428 modsig);
429 if (rc) {
430 *cause = "invalid-signature";
431 *status = INTEGRITY_FAIL;
432 } else {
433 *status = INTEGRITY_PASS;
434 }
435
436 return rc;
437}
438
273df864
NJ		 439/*
440 * ima_check_blacklist - determine if the binary is blacklisted.
441 *
442 * Add the hash of the blacklisted binary to the measurement list, based
443 * on policy.
444 *
445 * Returns -EPERM if the hash is blacklisted.
446 */
4de2f084 447int ima_check_blacklist(struct ima_iint_cache *iint,
273df864
NJ		 448 const struct modsig *modsig, int pcr)
449{
450 enum hash_algo hash_algo;
451 const u8 *digest = NULL;
452 u32 digestsize = 0;
453 int rc = 0;
454
455 if (!(iint->flags & IMA_CHECK_BLACKLIST))
456 return 0;
457
458 if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
459 ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
460
461 rc = is_binary_blacklisted(digest, digestsize);
f20765fd
ES		 462 } else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash)
463 rc = is_binary_blacklisted(iint->ima_hash->digest, iint->ima_hash->length);
464
465 if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
466 process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
467 "blacklisted-hash", NONE,
468 pcr, NULL, false, NULL, 0);
273df864
NJ		 469
470 return rc;
471}
472
95b3cdaf
MZ		 473static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
474{
475 struct linux_binprm *bprm;
476
477 if (func == BPRM_CHECK) {
478 bprm = container_of(&file, struct linux_binprm, file);
479 return bprm->is_check;
480 }
481 return false;
482}
483
2fe5d6de
MZ		 484/*
485 * ima_appraise_measurement - appraise file measurement
486 *
487 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
488 * Assuming success, compare the xattr hash with the collected measurement.
489 *
490 * Return 0 on success, error code otherwise
491 */
4de2f084 492int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
d3634d0f
DK		 493 struct file *file, const unsigned char *filename,
494 struct evm_ima_xattr_data *xattr_value,
39b07096 495 int xattr_len, const struct modsig *modsig)
2fe5d6de 496{
52a13284 497 static const char op[] = "appraise_data";
95b3cdaf 498 int audit_msgno = AUDIT_INTEGRITY_DATA;
f5e51fa3 499 const char *cause = "unknown";
e71b9dff 500 struct dentry *dentry = file_dentry(file);
c6f493d6 501 struct inode *inode = d_backing_inode(dentry);
2fe5d6de 502 enum integrity_status status = INTEGRITY_UNKNOWN;
a5fbeb61 503 int rc = xattr_len;
39b07096 504 bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
2fe5d6de 505
39b07096
TJB		 506 /* If not appraising a modsig, we need an xattr. */
507 if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
2fe5d6de
MZ		 508 return INTEGRITY_UNKNOWN;
509
95b3cdaf
MZ		 510 /*
511 * Unlike any of the other LSM hooks where the kernel enforces file
512 * integrity, enforcing file integrity for the bprm_creds_for_exec()
513 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
514 * of the script interpreter(userspace). Differentiate kernel and
515 * userspace enforced integrity audit messages.
516 */
517 if (is_bprm_creds_for_exec(func, file))
518 audit_msgno = AUDIT_INTEGRITY_USERSPACE;
519
39b07096
TJB		 520 /* If reading the xattr failed and there's no modsig, error out. */
521 if (rc <= 0 && !try_modsig) {
2fe5d6de
MZ		 522 if (rc && rc != -ENODATA)
523 goto out;
524
398c42e2
MZ		 525 if (iint->flags & IMA_DIGSIG_REQUIRED) {
526 if (iint->flags & IMA_VERITY_REQUIRED)
527 cause = "verity-signature-required";
528 else
529 cause = "IMA-signature-required";
530 } else {
531 cause = "missing-hash";
532 }
533
b151d6b0 534 status = INTEGRITY_NOLABEL;
6035a27b 535 if (file->f_mode & FMODE_CREATED)
b151d6b0 536 iint->flags |= IMA_NEW_FILE;
1ac202e9 537 if ((iint->flags & IMA_NEW_FILE) &&
b7e27bc1
MZ		 538 (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
539 (inode->i_size == 0)))
b151d6b0 540 status = INTEGRITY_PASS;
2fe5d6de
MZ		 541 goto out;
542 }
543
d2ee2cfc 544 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
75a323e6 545 rc < 0 ? 0 : rc);
f5e51fa3
TJB		 546 switch (status) {
547 case INTEGRITY_PASS:
548 case INTEGRITY_PASS_IMMUTABLE:
549 case INTEGRITY_UNKNOWN:
550 break;
551 case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
39b07096
TJB		 552 /* It's fine not to have xattrs when using a modsig. */
553 if (try_modsig)
554 break;
df561f66 555 fallthrough;
f5e51fa3
TJB		 556 case INTEGRITY_NOLABEL: /* No security.evm xattr. */
557 cause = "missing-HMAC";
558 goto out;
cdef685b 559 case INTEGRITY_FAIL_IMMUTABLE:
7aa5783d 560 set_bit(IMA_DIGSIG, &iint->atomic_flags);
55748ac6
MZ		 561 cause = "invalid-fail-immutable";
562 goto out;
f5e51fa3
TJB		 563 case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
564 cause = "invalid-HMAC";
2fe5d6de 565 goto out;
f5e51fa3
TJB		 566 default:
567 WARN_ONCE(true, "Unexpected integrity status %d\n", status);
2fe5d6de 568 }
f5e51fa3 569
a5fbeb61
TJB		 570 if (xattr_value)
571 rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
572 &cause);
8606404f 573
39b07096
TJB		 574 /*
575 * If we have a modsig and either no imasig or the imasig's key isn't
576 * known, then try verifying the modsig.
577 */
578 if (try_modsig &&
579 (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
580 rc == -ENOKEY))
581 rc = modsig_verify(func, modsig, &status, &cause);
582
2fe5d6de 583out:
57b56ac6
MZ		 584 /*
585 * File signatures on some filesystems can not be properly verified.
9e67028e
MZ		 586 * When such filesystems are mounted by an untrusted mounter or on a
587 * system not willing to accept such a risk, fail the file signature
588 * verification.
57b56ac6 589 */
9e67028e
MZ		 590 if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
591 ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
592 (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
57b56ac6
MZ		 593 status = INTEGRITY_FAIL;
594 cause = "unverifiable-signature";
95b3cdaf 595 integrity_audit_msg(audit_msgno, inode, filename,
57b56ac6
MZ		 596 op, cause, rc, 0);
597 } else if (status != INTEGRITY_PASS) {
f5e51fa3 598 /* Fix mode, but don't replace file signatures. */
39b07096 599 if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
8606404f
DK		 600 (!xattr_value ||
601 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
def3e8b9
DK		 602 if (!ima_fix_xattr(dentry, iint))
603 status = INTEGRITY_PASS;
f5e51fa3
TJB		 604 }
605
7aa5783d
RS		 606 /*
607 * Permit new files with file/EVM portable signatures, but
608 * without data.
609 */
f5e51fa3 610 if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
7aa5783d 611 test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
05d1a717 612 status = INTEGRITY_PASS;
2fe5d6de 613 }
f5e51fa3 614
95b3cdaf 615 integrity_audit_msg(audit_msgno, inode, filename,
2fe5d6de 616 op, cause, rc, 0);
8606404f 617 } else {
d79d72e0 618 ima_cache_flags(iint, func);
2fe5d6de 619 }
57b56ac6 620
d79d72e0 621 ima_set_cache_status(iint, func, status);
2fe5d6de
MZ		 622 return status;
623}
624
625/*
626 * ima_update_xattr - update 'security.ima' hash value
627 */
4de2f084 628void ima_update_xattr(struct ima_iint_cache *iint, struct file *file)
2fe5d6de 629{
e71b9dff 630 struct dentry *dentry = file_dentry(file);
2fe5d6de
MZ		 631 int rc = 0;
632
8606404f 633 /* do not collect and update hash for digital signatures */
0d73a552 634 if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
8606404f
DK		 635 return;
636
da1b0029
MZ		 637 if ((iint->ima_file_status != INTEGRITY_PASS) &&
638 !(iint->flags & IMA_HASH))
020aae3e
RS		 639 return;
640
15588227 641 rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
2fe5d6de
MZ		 642 if (rc < 0)
643 return;
8606404f 644
0d73a552 645 inode_lock(file_inode(file));
2fe5d6de 646 ima_fix_xattr(dentry, iint);
0d73a552 647 inode_unlock(file_inode(file));
2fe5d6de
MZ		 648}
649
650/**
651 * ima_inode_post_setattr - reflect file metadata changes
39f60c1c 652 * @idmap: idmap of the mount the inode was found from
2fe5d6de 653 * @dentry: pointer to the affected dentry
bad5247a 654 * @ia_valid: for the UID and GID status
2fe5d6de
MZ		 655 *
656 * Changes to a dentry's metadata might result in needing to appraise.
657 *
658 * This function is called from notify_change(), which expects the caller
659 * to lock the inode's i_mutex.
660 */
84594c9e
RS		 661static void ima_inode_post_setattr(struct mnt_idmap *idmap,
662 struct dentry *dentry, int ia_valid)
2fe5d6de 663{
c6f493d6 664 struct inode *inode = d_backing_inode(dentry);
4de2f084 665 struct ima_iint_cache *iint;
da1b0029 666 int action;
2fe5d6de 667
a756024e 668 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
5d6c3191 669 || !(inode->i_opflags & IOP_XATTR))
2fe5d6de
MZ		 670 return;
671
39f60c1c 672 action = ima_must_appraise(idmap, inode, MAY_ACCESS, POST_SETATTR);
4de2f084 673 iint = ima_iint_find(inode);
2fe5d6de 674 if (iint) {
0d73a552 675 set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
da1b0029 676 if (!action)
0d73a552 677 clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
2fe5d6de 678 }
2fe5d6de 679}
42c63330
MZ		 680
681/*
682 * ima_protect_xattr - protect 'security.ima'
683 *
684 * Ensure that not just anyone can modify or remove 'security.ima'.
685 */
686static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
687 const void *xattr_value, size_t xattr_value_len)
688{
689 if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
690 if (!capable(CAP_SYS_ADMIN))
691 return -EPERM;
692 return 1;
693 }
694 return 0;
695}
696
060bdebf 697static void ima_reset_appraise_flags(struct inode *inode, int digsig)
42c63330 698{
4de2f084 699 struct ima_iint_cache *iint;
42c63330 700
a756024e 701 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
42c63330
MZ		 702 return;
703
4de2f084 704 iint = ima_iint_find(inode);
42c63330
MZ		 705 if (!iint)
706 return;
a422638d 707 iint->measured_pcrs = 0;
0d73a552 708 set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
060bdebf 709 if (digsig)
0d73a552
DK		 710 set_bit(IMA_DIGSIG, &iint->atomic_flags);
711 else
712 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
42c63330
MZ		 713}
714
50f742dd
TS		 715/**
716 * validate_hash_algo() - Block setxattr with unsupported hash algorithms
717 * @dentry: object of the setxattr()
718 * @xattr_value: userland supplied xattr value
719 * @xattr_value_len: length of xattr_value
720 *
721 * The xattr value is mapped to its hash algorithm, and this algorithm
722 * must be built in the kernel for the setxattr to be allowed.
723 *
724 * Emit an audit message when the algorithm is invalid.
725 *
726 * Return: 0 on success, else an error.
727 */
728static int validate_hash_algo(struct dentry *dentry,
729 const struct evm_ima_xattr_data *xattr_value,
730 size_t xattr_value_len)
731{
732 char *path = NULL, *pathbuf = NULL;
733 enum hash_algo xattr_hash_algo;
4f2946aa
TS		 734 const char *errmsg = "unavailable-hash-algorithm";
735 unsigned int allowed_hashes;
50f742dd
TS		 736
737 xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);
738
4f2946aa
TS		 739 allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms);
740
741 if (allowed_hashes) {
742 /* success if the algorithm is allowed in the ima policy */
743 if (allowed_hashes & (1U << xattr_hash_algo))
744 return 0;
745
746 /*
747 * We use a different audit message when the hash algorithm
748 * is denied by a policy rule, instead of not being built
749 * in the kernel image
750 */
751 errmsg = "denied-hash-algorithm";
752 } else {
753 if (likely(xattr_hash_algo == ima_hash_algo))
754 return 0;
755
756 /* allow any xattr using an algorithm built in the kernel */
757 if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0))
758 return 0;
759 }
50f742dd
TS		 760
761 pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
762 if (!pathbuf)
763 return -EACCES;
764
765 path = dentry_path(dentry, pathbuf, PATH_MAX);
766
767 integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
4f2946aa 768 "set_data", errmsg, -EACCES, 0);
50f742dd
TS		 769
770 kfree(pathbuf);
771
772 return -EACCES;
773}
774
84594c9e
RS		 775static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
776 const char *xattr_name, const void *xattr_value,
777 size_t xattr_value_len, int flags)
42c63330 778{
060bdebf 779 const struct evm_ima_xattr_data *xvalue = xattr_value;
e3ccfe1a 780 int digsig = 0;
42c63330 781 int result;
5926586f 782 int err;
42c63330
MZ		 783
784 result = ima_protect_xattr(dentry, xattr_name, xattr_value,
785 xattr_value_len);
786 if (result == 1) {
a48fda9d
DK		 787 if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
788 return -EINVAL;
5926586f
MZ		 789
790 err = validate_hash_algo(dentry, xvalue, xattr_value_len);
791 if (err)
792 return err;
793
e3ccfe1a 794 digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
7aa5783d
RS		 795 } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
796 digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
e3ccfe1a
RS		 797 }
798 if (result == 1 || evm_revalidate_status(xattr_name)) {
799 ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
5926586f
MZ		 800 if (result == 1)
801 result = 0;
42c63330
MZ		 802 }
803 return result;
804}
805
84594c9e
RS		 806static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
807 const char *acl_name, struct posix_acl *kacl)
e61b135f
CB		 808{
809 if (evm_revalidate_status(acl_name))
810 ima_reset_appraise_flags(d_backing_inode(dentry), 0);
811
812 return 0;
813}
814
84594c9e
RS		 815static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
816 const char *xattr_name)
42c63330
MZ		 817{
818 int result;
819
820 result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
e3ccfe1a 821 if (result == 1 || evm_revalidate_status(xattr_name)) {
c6f493d6 822 ima_reset_appraise_flags(d_backing_inode(dentry), 0);
e3ccfe1a
RS		 823 if (result == 1)
824 result = 0;
42c63330
MZ		 825 }
826 return result;
827}
84594c9e
RS		 828
829static int ima_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
830 const char *acl_name)
831{
832 return ima_inode_set_acl(idmap, dentry, acl_name, NULL);
833}
834
835static struct security_hook_list ima_appraise_hooks[] __ro_after_init = {
836 LSM_HOOK_INIT(inode_post_setattr, ima_inode_post_setattr),
837 LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr),
838 LSM_HOOK_INIT(inode_set_acl, ima_inode_set_acl),
839 LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr),
840 LSM_HOOK_INIT(inode_remove_acl, ima_inode_remove_acl),
841};
842
843void __init init_ima_appraise_lsm(const struct lsm_id *lsmid)
844{
845 security_add_hooks(ima_appraise_hooks, ARRAY_SIZE(ima_appraise_hooks),
846 lsmid);
847}
Linux 6.x block layer and io_uring tree(s)