projects / linux-2.6-block.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 309e2b7)
evm: Store and detect metadata inode attributes changes
authorStefan Berger <stefanb@linux.ibm.com>
Fri, 23 Feb 2024 17:25:09 +0000 (12:25 -0500)
committerMimi Zohar <zohar@linux.ibm.com>
Tue, 9 Apr 2024 21:14:57 +0000 (17:14 -0400)
On stacked filesystem the metadata inode may be different than the one
file data inode and therefore changes to it need to be detected
independently. Therefore, store the i_version, device number, and inode
number associated with the file metadata inode.

Implement a function to detect changes to the inode and if a change is
detected reset the evm_status. This function will be called by IMA when
IMA detects that the metadata inode is different from the file's inode.

Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
include/linux/evm.h patch | blob | blame | history
security/integrity/evm/evm.h patch | blob | blame | history
security/integrity/evm/evm_crypto.c patch | blob | blame | history
security/integrity/evm/evm_main.c patch | blob | blame | history

diff --git a/include/linux/evm.h b/include/linux/evm.h
index d48d6da323154497060693d26619d7ec7ec3a101..ddece4a6b25d1c6eaafdaeb7adb24c4e9c44c040 100644 (file)
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -26,6 +26,8 @@ extern int evm_protected_xattr_if_enabled(const char *req_xattr_name);
 extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
                                     int buffer_size, char type,
                                     bool canonical_fmt);
+extern bool evm_metadata_changed(struct inode *inode,
+                                struct inode *metadata_inode);
 #ifdef CONFIG_FS_POSIX_ACL
 extern int posix_xattr_acl(const char *xattrname);
 #else
@@ -76,5 +78,11 @@ static inline int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
        return -EOPNOTSUPP;
 }
 
+static inline bool evm_metadata_changed(struct inode *inode,
+                                       struct inode *metadata_inode)
+{
+       return false;
+}
+
 #endif /* CONFIG_EVM */
 #endif /* LINUX_EVM_H */
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 72e3341ae6f7bc541bedfea319b907df446756f8..51aba5a542750d33b0435366a369731716f1f291 100644 (file)
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -39,6 +39,7 @@ struct xattr_list {
 struct evm_iint_cache {
        unsigned long flags;
        enum integrity_status evm_status:4;
+       struct integrity_inode_attributes metadata_inode;
 };
 
 extern struct lsm_blob_sizes evm_blob_sizes;
@@ -74,11 +75,12 @@ int evm_update_evmxattr(struct dentry *dentry,
                        size_t req_xattr_value_len);
 int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
                  const char *req_xattr_value,
-                 size_t req_xattr_value_len, struct evm_digest *data);
+                 size_t req_xattr_value_len, struct evm_digest *data,
+                 struct evm_iint_cache *iint);
 int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
                  const char *req_xattr_value,
                  size_t req_xattr_value_len, char type,
-                 struct evm_digest *data);
+                 struct evm_digest *data, struct evm_iint_cache *iint);
 int evm_init_hmac(struct inode *inode, const struct xattr *xattrs,
                  char *hmac_val);
 int evm_init_secfs(void);
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 35416f55391c0c2c30d83ce70b2e4f02cf81e351..7c06ffd633d24b92be2269505e9c163ce3186f2c 100644 (file)
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -221,7 +221,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
                                 const char *req_xattr_name,
                                 const char *req_xattr_value,
                                 size_t req_xattr_value_len,
-                                uint8_t type, struct evm_digest *data)
+                                uint8_t type, struct evm_digest *data,
+                                struct evm_iint_cache *iint)
 {
        struct inode *inode = d_inode(d_real(dentry, D_REAL_METADATA));
        struct xattr_list *xattr;
@@ -231,6 +232,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
        int error;
        int size, user_space_size;
        bool ima_present = false;
+       u64 i_version = 0;
 
        if (!(inode->i_opflags & IOP_XATTR) ||
            inode->i_sb->s_user_ns != &init_user_ns)
@@ -294,6 +296,13 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
        }
        hmac_add_misc(desc, inode, type, data->digest);
 
+       if (inode != d_backing_inode(dentry) && iint) {
+               if (IS_I_VERSION(inode))
+                       i_version = inode_query_iversion(inode);
+               integrity_inode_attrs_store(&iint->metadata_inode, i_version,
+                                           inode);
+       }
+
        /* Portable EVM signatures must include an IMA hash */
        if (type == EVM_XATTR_PORTABLE_DIGSIG && !ima_present)
                error = -EPERM;
@@ -305,18 +314,19 @@ out:
 
 int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
                  const char *req_xattr_value, size_t req_xattr_value_len,
-                 struct evm_digest *data)
+                 struct evm_digest *data, struct evm_iint_cache *iint)
 {
        return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value,
-                                   req_xattr_value_len, EVM_XATTR_HMAC, data);
+                                   req_xattr_value_len, EVM_XATTR_HMAC, data,
+                                   iint);
 }
 
 int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
                  const char *req_xattr_value, size_t req_xattr_value_len,
-                 char type, struct evm_digest *data)
+                 char type, struct evm_digest *data, struct evm_iint_cache *iint)
 {
        return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value,
-                                    req_xattr_value_len, type, data);
+                                    req_xattr_value_len, type, data, iint);
 }
 
 static int evm_is_immutable(struct dentry *dentry, struct inode *inode)
@@ -357,6 +367,7 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
                        const char *xattr_value, size_t xattr_value_len)
 {
        struct inode *inode = d_backing_inode(dentry);
+       struct evm_iint_cache *iint = evm_iint_inode(inode);
        struct evm_digest data;
        int rc = 0;
 
@@ -372,7 +383,7 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
 
        data.hdr.algo = HASH_ALGO_SHA1;
        rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
-                          xattr_value_len, &data);
+                          xattr_value_len, &data, iint);
        if (rc == 0) {
                data.hdr.xattr.sha1.type = EVM_XATTR_HMAC;
                rc = __vfs_setxattr_noperm(&nop_mnt_idmap, dentry,
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index c658d2f1494bf0ca61cc5cc47d12403215bf51a9..c1ca0894cd8a792d94cb1eef8fb162d8882c8a8f 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -226,7 +226,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 
                digest.hdr.algo = HASH_ALGO_SHA1;
                rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
-                                  xattr_value_len, &digest);
+                                  xattr_value_len, &digest, iint);
                if (rc)
                        break;
                rc = crypto_memneq(xattr_data->data, digest.digest,
@@ -247,7 +247,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
                hdr = (struct signature_v2_hdr *)xattr_data;
                digest.hdr.algo = hdr->hash_algo;
                rc = evm_calc_hash(dentry, xattr_name, xattr_value,
-                                  xattr_value_len, xattr_data->type, &digest);
+                                  xattr_value_len, xattr_data->type, &digest,
+                                  iint);
                if (rc)
                        break;
                rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
@@ -733,6 +734,31 @@ static void evm_reset_status(struct inode *inode)
                iint->evm_status = INTEGRITY_UNKNOWN;
 }
 
+/**
+ * evm_metadata_changed: Detect changes to the metadata
+ * @inode: a file's inode
+ * @metadata_inode: metadata inode
+ *
+ * On a stacked filesystem detect whether the metadata has changed. If this is
+ * the case reset the evm_status associated with the inode that represents the
+ * file.
+ */
+bool evm_metadata_changed(struct inode *inode, struct inode *metadata_inode)
+{
+       struct evm_iint_cache *iint = evm_iint_inode(inode);
+       bool ret = false;
+
+       if (iint) {
+               ret = (!IS_I_VERSION(metadata_inode) ||
+                      integrity_inode_attrs_changed(&iint->metadata_inode,
+                                                    metadata_inode));
+               if (ret)
+                       iint->evm_status = INTEGRITY_UNKNOWN;
+       }
+
+       return ret;
+}
+
 /**
  * evm_revalidate_status - report whether EVM status re-validation is necessary
  * @xattr_name: pointer to the affected extended attribute name
Linux 6.x block layer and io_uring tree(s)