evm_main.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509
  1. /*
  2. * Copyright (C) 2005-2010 IBM Corporation
  3. *
  4. * Author:
  5. * Mimi Zohar <zohar@us.ibm.com>
  6. * Kylene Hall <kjhall@us.ibm.com>
  7. *
  8. * This program is free software; you can redistribute it and/or modify
  9. * it under the terms of the GNU General Public License as published by
  10. * the Free Software Foundation, version 2 of the License.
  11. *
  12. * File: evm_main.c
  13. * implements evm_inode_setxattr, evm_inode_post_setxattr,
  14. * evm_inode_removexattr, and evm_verifyxattr
  15. */
  16. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  17. #include <linux/module.h>
  18. #include <linux/crypto.h>
  19. #include <linux/audit.h>
  20. #include <linux/xattr.h>
  21. #include <linux/integrity.h>
  22. #include <linux/evm.h>
  23. #include <crypto/hash.h>
  24. #include <crypto/algapi.h>
  25. #include "evm.h"
  26. int evm_initialized;
  27. static char *integrity_status_msg[] = {
  28. "pass", "fail", "no_label", "no_xattrs", "unknown"
  29. };
  30. char *evm_hmac = "hmac(sha1)";
  31. char *evm_hash = "sha1";
  32. int evm_hmac_attrs;
  33. char *evm_config_xattrnames[] = {
  34. #ifdef CONFIG_SECURITY_SELINUX
  35. XATTR_NAME_SELINUX,
  36. #endif
  37. #ifdef CONFIG_SECURITY_SMACK
  38. XATTR_NAME_SMACK,
  39. #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
  40. XATTR_NAME_SMACKEXEC,
  41. XATTR_NAME_SMACKTRANSMUTE,
  42. XATTR_NAME_SMACKMMAP,
  43. #endif
  44. #endif
  45. #ifdef CONFIG_IMA_APPRAISE
  46. XATTR_NAME_IMA,
  47. #endif
  48. XATTR_NAME_CAPS,
  49. NULL
  50. };
  51. static int evm_fixmode;
  52. static int __init evm_set_fixmode(char *str)
  53. {
  54. if (strncmp(str, "fix", 3) == 0)
  55. evm_fixmode = 1;
  56. return 0;
  57. }
  58. __setup("evm=", evm_set_fixmode);
  59. static void __init evm_init_config(void)
  60. {
  61. #ifdef CONFIG_EVM_ATTR_FSUUID
  62. evm_hmac_attrs |= EVM_ATTR_FSUUID;
  63. #endif
  64. pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
  65. }
  66. static int evm_find_protected_xattrs(struct dentry *dentry)
  67. {
  68. struct inode *inode = d_backing_inode(dentry);
  69. char **xattr;
  70. int error;
  71. int count = 0;
  72. if (!inode->i_op->getxattr)
  73. return -EOPNOTSUPP;
  74. for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
  75. error = inode->i_op->getxattr(dentry, *xattr, NULL, 0);
  76. if (error < 0) {
  77. if (error == -ENODATA)
  78. continue;
  79. return error;
  80. }
  81. count++;
  82. }
  83. return count;
  84. }
  85. /*
  86. * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
  87. *
  88. * Compute the HMAC on the dentry's protected set of extended attributes
  89. * and compare it against the stored security.evm xattr.
  90. *
  91. * For performance:
  92. * - use the previoulsy retrieved xattr value and length to calculate the
  93. * HMAC.)
  94. * - cache the verification result in the iint, when available.
  95. *
  96. * Returns integrity status
  97. */
  98. static enum integrity_status evm_verify_hmac(struct dentry *dentry,
  99. const char *xattr_name,
  100. char *xattr_value,
  101. size_t xattr_value_len,
  102. struct integrity_iint_cache *iint)
  103. {
  104. struct evm_ima_xattr_data *xattr_data = NULL;
  105. struct evm_ima_xattr_data calc;
  106. enum integrity_status evm_status = INTEGRITY_PASS;
  107. int rc, xattr_len;
  108. if (iint && iint->evm_status == INTEGRITY_PASS)
  109. return iint->evm_status;
  110. /* if status is not PASS, try to check again - against -ENOMEM */
  111. /* first need to know the sig type */
  112. rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
  113. GFP_NOFS);
  114. if (rc <= 0) {
  115. evm_status = INTEGRITY_FAIL;
  116. if (rc == -ENODATA) {
  117. rc = evm_find_protected_xattrs(dentry);
  118. if (rc > 0)
  119. evm_status = INTEGRITY_NOLABEL;
  120. else if (rc == 0)
  121. evm_status = INTEGRITY_NOXATTRS; /* new file */
  122. } else if (rc == -EOPNOTSUPP) {
  123. evm_status = INTEGRITY_UNKNOWN;
  124. }
  125. goto out;
  126. }
  127. xattr_len = rc;
  128. /* check value type */
  129. switch (xattr_data->type) {
  130. case EVM_XATTR_HMAC:
  131. rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
  132. xattr_value_len, calc.digest);
  133. if (rc)
  134. break;
  135. rc = crypto_memneq(xattr_data->digest, calc.digest,
  136. sizeof(calc.digest));
  137. if (rc)
  138. rc = -EINVAL;
  139. break;
  140. case EVM_IMA_XATTR_DIGSIG:
  141. rc = evm_calc_hash(dentry, xattr_name, xattr_value,
  142. xattr_value_len, calc.digest);
  143. if (rc)
  144. break;
  145. rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
  146. (const char *)xattr_data, xattr_len,
  147. calc.digest, sizeof(calc.digest));
  148. if (!rc) {
  149. /* Replace RSA with HMAC if not mounted readonly and
  150. * not immutable
  151. */
  152. if (!IS_RDONLY(d_backing_inode(dentry)) &&
  153. !IS_IMMUTABLE(d_backing_inode(dentry)))
  154. evm_update_evmxattr(dentry, xattr_name,
  155. xattr_value,
  156. xattr_value_len);
  157. }
  158. break;
  159. default:
  160. rc = -EINVAL;
  161. break;
  162. }
  163. if (rc)
  164. evm_status = (rc == -ENODATA) ?
  165. INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
  166. out:
  167. if (iint)
  168. iint->evm_status = evm_status;
  169. kfree(xattr_data);
  170. return evm_status;
  171. }
  172. static int evm_protected_xattr(const char *req_xattr_name)
  173. {
  174. char **xattrname;
  175. int namelen;
  176. int found = 0;
  177. namelen = strlen(req_xattr_name);
  178. for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
  179. if ((strlen(*xattrname) == namelen)
  180. && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) {
  181. found = 1;
  182. break;
  183. }
  184. if (strncmp(req_xattr_name,
  185. *xattrname + XATTR_SECURITY_PREFIX_LEN,
  186. strlen(req_xattr_name)) == 0) {
  187. found = 1;
  188. break;
  189. }
  190. }
  191. return found;
  192. }
  193. /**
  194. * evm_verifyxattr - verify the integrity of the requested xattr
  195. * @dentry: object of the verify xattr
  196. * @xattr_name: requested xattr
  197. * @xattr_value: requested xattr value
  198. * @xattr_value_len: requested xattr value length
  199. *
  200. * Calculate the HMAC for the given dentry and verify it against the stored
  201. * security.evm xattr. For performance, use the xattr value and length
  202. * previously retrieved to calculate the HMAC.
  203. *
  204. * Returns the xattr integrity status.
  205. *
  206. * This function requires the caller to lock the inode's i_mutex before it
  207. * is executed.
  208. */
  209. enum integrity_status evm_verifyxattr(struct dentry *dentry,
  210. const char *xattr_name,
  211. void *xattr_value, size_t xattr_value_len,
  212. struct integrity_iint_cache *iint)
  213. {
  214. if (!evm_initialized || !evm_protected_xattr(xattr_name))
  215. return INTEGRITY_UNKNOWN;
  216. if (!iint) {
  217. iint = integrity_iint_find(d_backing_inode(dentry));
  218. if (!iint)
  219. return INTEGRITY_UNKNOWN;
  220. }
  221. return evm_verify_hmac(dentry, xattr_name, xattr_value,
  222. xattr_value_len, iint);
  223. }
  224. EXPORT_SYMBOL_GPL(evm_verifyxattr);
  225. /*
  226. * evm_verify_current_integrity - verify the dentry's metadata integrity
  227. * @dentry: pointer to the affected dentry
  228. *
  229. * Verify and return the dentry's metadata integrity. The exceptions are
  230. * before EVM is initialized or in 'fix' mode.
  231. */
  232. static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
  233. {
  234. struct inode *inode = d_backing_inode(dentry);
  235. if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode)
  236. return 0;
  237. return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
  238. }
  239. /*
  240. * evm_protect_xattr - protect the EVM extended attribute
  241. *
  242. * Prevent security.evm from being modified or removed without the
  243. * necessary permissions or when the existing value is invalid.
  244. *
  245. * The posix xattr acls are 'system' prefixed, which normally would not
  246. * affect security.evm. An interesting side affect of writing posix xattr
  247. * acls is their modifying of the i_mode, which is included in security.evm.
  248. * For posix xattr acls only, permit security.evm, even if it currently
  249. * doesn't exist, to be updated.
  250. */
  251. static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
  252. const void *xattr_value, size_t xattr_value_len)
  253. {
  254. enum integrity_status evm_status;
  255. if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
  256. if (!capable(CAP_SYS_ADMIN))
  257. return -EPERM;
  258. } else if (!evm_protected_xattr(xattr_name)) {
  259. if (!posix_xattr_acl(xattr_name))
  260. return 0;
  261. evm_status = evm_verify_current_integrity(dentry);
  262. if ((evm_status == INTEGRITY_PASS) ||
  263. (evm_status == INTEGRITY_NOXATTRS))
  264. return 0;
  265. goto out;
  266. }
  267. evm_status = evm_verify_current_integrity(dentry);
  268. if (evm_status == INTEGRITY_NOXATTRS) {
  269. struct integrity_iint_cache *iint;
  270. iint = integrity_iint_find(d_backing_inode(dentry));
  271. if (iint && (iint->flags & IMA_NEW_FILE))
  272. return 0;
  273. /* exception for pseudo filesystems */
  274. if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
  275. || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
  276. return 0;
  277. integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
  278. dentry->d_inode, dentry->d_name.name,
  279. "update_metadata",
  280. integrity_status_msg[evm_status],
  281. -EPERM, 0);
  282. }
  283. out:
  284. if (evm_status != INTEGRITY_PASS)
  285. integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
  286. dentry->d_name.name, "appraise_metadata",
  287. integrity_status_msg[evm_status],
  288. -EPERM, 0);
  289. return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
  290. }
  291. /**
  292. * evm_inode_setxattr - protect the EVM extended attribute
  293. * @dentry: pointer to the affected dentry
  294. * @xattr_name: pointer to the affected extended attribute name
  295. * @xattr_value: pointer to the new extended attribute value
  296. * @xattr_value_len: pointer to the new extended attribute value length
  297. *
  298. * Before allowing the 'security.evm' protected xattr to be updated,
  299. * verify the existing value is valid. As only the kernel should have
  300. * access to the EVM encrypted key needed to calculate the HMAC, prevent
  301. * userspace from writing HMAC value. Writing 'security.evm' requires
  302. * requires CAP_SYS_ADMIN privileges.
  303. */
  304. int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
  305. const void *xattr_value, size_t xattr_value_len)
  306. {
  307. const struct evm_ima_xattr_data *xattr_data = xattr_value;
  308. if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
  309. if (!xattr_value_len)
  310. return -EINVAL;
  311. if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
  312. return -EPERM;
  313. }
  314. return evm_protect_xattr(dentry, xattr_name, xattr_value,
  315. xattr_value_len);
  316. }
  317. /**
  318. * evm_inode_removexattr - protect the EVM extended attribute
  319. * @dentry: pointer to the affected dentry
  320. * @xattr_name: pointer to the affected extended attribute name
  321. *
  322. * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
  323. * the current value is valid.
  324. */
  325. int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
  326. {
  327. return evm_protect_xattr(dentry, xattr_name, NULL, 0);
  328. }
  329. /**
  330. * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
  331. * @dentry: pointer to the affected dentry
  332. * @xattr_name: pointer to the affected extended attribute name
  333. * @xattr_value: pointer to the new extended attribute value
  334. * @xattr_value_len: pointer to the new extended attribute value length
  335. *
  336. * Update the HMAC stored in 'security.evm' to reflect the change.
  337. *
  338. * No need to take the i_mutex lock here, as this function is called from
  339. * __vfs_setxattr_noperm(). The caller of which has taken the inode's
  340. * i_mutex lock.
  341. */
  342. void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
  343. const void *xattr_value, size_t xattr_value_len)
  344. {
  345. if (!evm_initialized || (!evm_protected_xattr(xattr_name)
  346. && !posix_xattr_acl(xattr_name)))
  347. return;
  348. evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
  349. }
  350. /**
  351. * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
  352. * @dentry: pointer to the affected dentry
  353. * @xattr_name: pointer to the affected extended attribute name
  354. *
  355. * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
  356. *
  357. * No need to take the i_mutex lock here, as this function is called from
  358. * vfs_removexattr() which takes the i_mutex.
  359. */
  360. void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
  361. {
  362. if (!evm_initialized || !evm_protected_xattr(xattr_name))
  363. return;
  364. evm_update_evmxattr(dentry, xattr_name, NULL, 0);
  365. }
  366. /**
  367. * evm_inode_setattr - prevent updating an invalid EVM extended attribute
  368. * @dentry: pointer to the affected dentry
  369. */
  370. int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
  371. {
  372. unsigned int ia_valid = attr->ia_valid;
  373. enum integrity_status evm_status;
  374. if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
  375. return 0;
  376. evm_status = evm_verify_current_integrity(dentry);
  377. if ((evm_status == INTEGRITY_PASS) ||
  378. (evm_status == INTEGRITY_NOXATTRS))
  379. return 0;
  380. integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
  381. dentry->d_name.name, "appraise_metadata",
  382. integrity_status_msg[evm_status], -EPERM, 0);
  383. return -EPERM;
  384. }
  385. /**
  386. * evm_inode_post_setattr - update 'security.evm' after modifying metadata
  387. * @dentry: pointer to the affected dentry
  388. * @ia_valid: for the UID and GID status
  389. *
  390. * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
  391. * changes.
  392. *
  393. * This function is called from notify_change(), which expects the caller
  394. * to lock the inode's i_mutex.
  395. */
  396. void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
  397. {
  398. if (!evm_initialized)
  399. return;
  400. if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
  401. evm_update_evmxattr(dentry, NULL, NULL, 0);
  402. }
  403. /*
  404. * evm_inode_init_security - initializes security.evm
  405. */
  406. int evm_inode_init_security(struct inode *inode,
  407. const struct xattr *lsm_xattr,
  408. struct xattr *evm_xattr)
  409. {
  410. struct evm_ima_xattr_data *xattr_data;
  411. int rc;
  412. if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name))
  413. return 0;
  414. xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
  415. if (!xattr_data)
  416. return -ENOMEM;
  417. xattr_data->type = EVM_XATTR_HMAC;
  418. rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
  419. if (rc < 0)
  420. goto out;
  421. evm_xattr->value = xattr_data;
  422. evm_xattr->value_len = sizeof(*xattr_data);
  423. evm_xattr->name = XATTR_EVM_SUFFIX;
  424. return 0;
  425. out:
  426. kfree(xattr_data);
  427. return rc;
  428. }
  429. EXPORT_SYMBOL_GPL(evm_inode_init_security);
  430. static int __init init_evm(void)
  431. {
  432. int error;
  433. evm_init_config();
  434. error = evm_init_secfs();
  435. if (error < 0) {
  436. pr_info("Error registering secfs\n");
  437. goto err;
  438. }
  439. return 0;
  440. err:
  441. return error;
  442. }
  443. /*
  444. * evm_display_config - list the EVM protected security extended attributes
  445. */
  446. static int __init evm_display_config(void)
  447. {
  448. char **xattrname;
  449. for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++)
  450. pr_info("%s\n", *xattrname);
  451. return 0;
  452. }
  453. pure_initcall(evm_display_config);
  454. late_initcall(init_evm);
  455. MODULE_DESCRIPTION("Extended Verification Module");
  456. MODULE_LICENSE("GPL");