search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
[cris-mirror.git] / security / integrity / evm / evm_main.c
bloba8d5028272702d59bcce310e97a9765d36c78a98
1 /*
2 * Copyright (C) 2005-2010 IBM Corporation
3 *
4 * Author:
5 * Mimi Zohar <zohar@us.ibm.com>
6 * Kylene Hall <kjhall@us.ibm.com>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, version 2 of the License.
11 *
12 * File: evm_main.c
13 * implements evm_inode_setxattr, evm_inode_post_setxattr,
14 * evm_inode_removexattr, and evm_verifyxattr
15 */
16
17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18
19 #include <linux/module.h>
20 #include <linux/crypto.h>
21 #include <linux/audit.h>
22 #include <linux/xattr.h>
23 #include <linux/integrity.h>
24 #include <linux/evm.h>
25 #include <linux/magic.h>
26
27 #include <crypto/hash.h>
28 #include <crypto/algapi.h>
29 #include "evm.h"
30
31 int evm_initialized;
32
33 static char *integrity_status_msg[] = {
34 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
35 };
36 char *evm_hmac = "hmac(sha1)";
37 char *evm_hash = "sha1";
38 int evm_hmac_attrs;
39
40 char *evm_config_xattrnames[] = {
41 #ifdef CONFIG_SECURITY_SELINUX
42 XATTR_NAME_SELINUX,
43 #endif
44 #ifdef CONFIG_SECURITY_SMACK
45 XATTR_NAME_SMACK,
46 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
47 XATTR_NAME_SMACKEXEC,
48 XATTR_NAME_SMACKTRANSMUTE,
49 XATTR_NAME_SMACKMMAP,
50 #endif
51 #endif
52 #ifdef CONFIG_SECURITY_APPARMOR
53 XATTR_NAME_APPARMOR,
54 #endif
55 #ifdef CONFIG_IMA_APPRAISE
56 XATTR_NAME_IMA,
57 #endif
58 XATTR_NAME_CAPS,
59 NULL
60 };
61
62 static int evm_fixmode;
63 static int __init evm_set_fixmode(char *str)
64 {
65 if (strncmp(str, "fix", 3) == 0)
66 evm_fixmode = 1;
67 return 0;
68 }
69 __setup("evm=", evm_set_fixmode);
70
71 static void __init evm_init_config(void)
72 {
73 #ifdef CONFIG_EVM_ATTR_FSUUID
74 evm_hmac_attrs |= EVM_ATTR_FSUUID;
75 #endif
76 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
77 }
78
79 static bool evm_key_loaded(void)
80 {
81 return (bool)(evm_initialized & EVM_KEY_MASK);
82 }
83
84 static int evm_find_protected_xattrs(struct dentry *dentry)
85 {
86 struct inode *inode = d_backing_inode(dentry);
87 char **xattr;
88 int error;
89 int count = 0;
90
91 if (!(inode->i_opflags & IOP_XATTR))
92 return -EOPNOTSUPP;
93
94 for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
95 error = __vfs_getxattr(dentry, inode, *xattr, NULL, 0);
96 if (error < 0) {
97 if (error == -ENODATA)
98 continue;
99 return error;
100 }
101 count++;
102 }
103
104 return count;
105 }
106
107 /*
108 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
109 *
110 * Compute the HMAC on the dentry's protected set of extended attributes
111 * and compare it against the stored security.evm xattr.
112 *
113 * For performance:
114 * - use the previoulsy retrieved xattr value and length to calculate the
115 * HMAC.)
116 * - cache the verification result in the iint, when available.
117 *
118 * Returns integrity status
119 */
120 static enum integrity_status evm_verify_hmac(struct dentry *dentry,
121 const char *xattr_name,
122 char *xattr_value,
123 size_t xattr_value_len,
124 struct integrity_iint_cache *iint)
125 {
126 struct evm_ima_xattr_data *xattr_data = NULL;
127 struct evm_ima_xattr_data calc;
128 enum integrity_status evm_status = INTEGRITY_PASS;
129 int rc, xattr_len;
130
131 if (iint && (iint->evm_status == INTEGRITY_PASS ||
132 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
133 return iint->evm_status;
134
135 /* if status is not PASS, try to check again - against -ENOMEM */
136
137 /* first need to know the sig type */
138 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
139 GFP_NOFS);
140 if (rc <= 0) {
141 evm_status = INTEGRITY_FAIL;
142 if (rc == -ENODATA) {
143 rc = evm_find_protected_xattrs(dentry);
144 if (rc > 0)
145 evm_status = INTEGRITY_NOLABEL;
146 else if (rc == 0)
147 evm_status = INTEGRITY_NOXATTRS; /* new file */
148 } else if (rc == -EOPNOTSUPP) {
149 evm_status = INTEGRITY_UNKNOWN;
150 }
151 goto out;
152 }
153
154 xattr_len = rc;
155
156 /* check value type */
157 switch (xattr_data->type) {
158 case EVM_XATTR_HMAC:
159 if (xattr_len != sizeof(struct evm_ima_xattr_data)) {
160 evm_status = INTEGRITY_FAIL;
161 goto out;
162 }
163 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
164 xattr_value_len, calc.digest);
165 if (rc)
166 break;
167 rc = crypto_memneq(xattr_data->digest, calc.digest,
168 sizeof(calc.digest));
169 if (rc)
170 rc = -EINVAL;
171 break;
172 case EVM_IMA_XATTR_DIGSIG:
173 case EVM_XATTR_PORTABLE_DIGSIG:
174 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
175 xattr_value_len, xattr_data->type,
176 calc.digest);
177 if (rc)
178 break;
179 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
180 (const char *)xattr_data, xattr_len,
181 calc.digest, sizeof(calc.digest));
182 if (!rc) {
183 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
184 if (iint)
185 iint->flags |= EVM_IMMUTABLE_DIGSIG;
186 evm_status = INTEGRITY_PASS_IMMUTABLE;
187 } else if (!IS_RDONLY(d_backing_inode(dentry)) &&
188 !IS_IMMUTABLE(d_backing_inode(dentry))) {
189 evm_update_evmxattr(dentry, xattr_name,
190 xattr_value,
191 xattr_value_len);
192 }
193 }
194 break;
195 default:
196 rc = -EINVAL;
197 break;
198 }
199
200 if (rc)
201 evm_status = (rc == -ENODATA) ?
202 INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
203 out:
204 if (iint)
205 iint->evm_status = evm_status;
206 kfree(xattr_data);
207 return evm_status;
208 }
209
210 static int evm_protected_xattr(const char *req_xattr_name)
211 {
212 char **xattrname;
213 int namelen;
214 int found = 0;
215
216 namelen = strlen(req_xattr_name);
217 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
218 if ((strlen(*xattrname) == namelen)
219 && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) {
220 found = 1;
221 break;
222 }
223 if (strncmp(req_xattr_name,
224 *xattrname + XATTR_SECURITY_PREFIX_LEN,
225 strlen(req_xattr_name)) == 0) {
226 found = 1;
227 break;
228 }
229 }
230 return found;
231 }
232
233 /**
234 * evm_verifyxattr - verify the integrity of the requested xattr
235 * @dentry: object of the verify xattr
236 * @xattr_name: requested xattr
237 * @xattr_value: requested xattr value
238 * @xattr_value_len: requested xattr value length
239 *
240 * Calculate the HMAC for the given dentry and verify it against the stored
241 * security.evm xattr. For performance, use the xattr value and length
242 * previously retrieved to calculate the HMAC.
243 *
244 * Returns the xattr integrity status.
245 *
246 * This function requires the caller to lock the inode's i_mutex before it
247 * is executed.
248 */
249 enum integrity_status evm_verifyxattr(struct dentry *dentry,
250 const char *xattr_name,
251 void *xattr_value, size_t xattr_value_len,
252 struct integrity_iint_cache *iint)
253 {
254 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
255 return INTEGRITY_UNKNOWN;
256
257 if (!iint) {
258 iint = integrity_iint_find(d_backing_inode(dentry));
259 if (!iint)
260 return INTEGRITY_UNKNOWN;
261 }
262 return evm_verify_hmac(dentry, xattr_name, xattr_value,
263 xattr_value_len, iint);
264 }
265 EXPORT_SYMBOL_GPL(evm_verifyxattr);
266
267 /*
268 * evm_verify_current_integrity - verify the dentry's metadata integrity
269 * @dentry: pointer to the affected dentry
270 *
271 * Verify and return the dentry's metadata integrity. The exceptions are
272 * before EVM is initialized or in 'fix' mode.
273 */
274 static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
275 {
276 struct inode *inode = d_backing_inode(dentry);
277
278 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
279 return 0;
280 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
281 }
282
283 /*
284 * evm_protect_xattr - protect the EVM extended attribute
285 *
286 * Prevent security.evm from being modified or removed without the
287 * necessary permissions or when the existing value is invalid.
288 *
289 * The posix xattr acls are 'system' prefixed, which normally would not
290 * affect security.evm. An interesting side affect of writing posix xattr
291 * acls is their modifying of the i_mode, which is included in security.evm.
292 * For posix xattr acls only, permit security.evm, even if it currently
293 * doesn't exist, to be updated unless the EVM signature is immutable.
294 */
295 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
296 const void *xattr_value, size_t xattr_value_len)
297 {
298 enum integrity_status evm_status;
299
300 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
301 if (!capable(CAP_SYS_ADMIN))
302 return -EPERM;
303 } else if (!evm_protected_xattr(xattr_name)) {
304 if (!posix_xattr_acl(xattr_name))
305 return 0;
306 evm_status = evm_verify_current_integrity(dentry);
307 if ((evm_status == INTEGRITY_PASS) ||
308 (evm_status == INTEGRITY_NOXATTRS))
309 return 0;
310 goto out;
311 }
312
313 evm_status = evm_verify_current_integrity(dentry);
314 if (evm_status == INTEGRITY_NOXATTRS) {
315 struct integrity_iint_cache *iint;
316
317 iint = integrity_iint_find(d_backing_inode(dentry));
318 if (iint && (iint->flags & IMA_NEW_FILE))
319 return 0;
320
321 /* exception for pseudo filesystems */
322 if (dentry->d_sb->s_magic == TMPFS_MAGIC
323 || dentry->d_sb->s_magic == SYSFS_MAGIC)
324 return 0;
325
326 integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
327 dentry->d_inode, dentry->d_name.name,
328 "update_metadata",
329 integrity_status_msg[evm_status],
330 -EPERM, 0);
331 }
332 out:
333 if (evm_status != INTEGRITY_PASS)
334 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
335 dentry->d_name.name, "appraise_metadata",
336 integrity_status_msg[evm_status],
337 -EPERM, 0);
338 return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
339 }
340
341 /**
342 * evm_inode_setxattr - protect the EVM extended attribute
343 * @dentry: pointer to the affected dentry
344 * @xattr_name: pointer to the affected extended attribute name
345 * @xattr_value: pointer to the new extended attribute value
346 * @xattr_value_len: pointer to the new extended attribute value length
347 *
348 * Before allowing the 'security.evm' protected xattr to be updated,
349 * verify the existing value is valid. As only the kernel should have
350 * access to the EVM encrypted key needed to calculate the HMAC, prevent
351 * userspace from writing HMAC value. Writing 'security.evm' requires
352 * requires CAP_SYS_ADMIN privileges.
353 */
354 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
355 const void *xattr_value, size_t xattr_value_len)
356 {
357 const struct evm_ima_xattr_data *xattr_data = xattr_value;
358
359 /* Policy permits modification of the protected xattrs even though
360 * there's no HMAC key loaded
361 */
362 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
363 return 0;
364
365 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
366 if (!xattr_value_len)
367 return -EINVAL;
368 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
369 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
370 return -EPERM;
371 }
372 return evm_protect_xattr(dentry, xattr_name, xattr_value,
373 xattr_value_len);
374 }
375
376 /**
377 * evm_inode_removexattr - protect the EVM extended attribute
378 * @dentry: pointer to the affected dentry
379 * @xattr_name: pointer to the affected extended attribute name
380 *
381 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
382 * the current value is valid.
383 */
384 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
385 {
386 /* Policy permits modification of the protected xattrs even though
387 * there's no HMAC key loaded
388 */
389 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
390 return 0;
391
392 return evm_protect_xattr(dentry, xattr_name, NULL, 0);
393 }
394
395 static void evm_reset_status(struct inode *inode)
396 {
397 struct integrity_iint_cache *iint;
398
399 iint = integrity_iint_find(inode);
400 if (iint)
401 iint->evm_status = INTEGRITY_UNKNOWN;
402 }
403
404 /**
405 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
406 * @dentry: pointer to the affected dentry
407 * @xattr_name: pointer to the affected extended attribute name
408 * @xattr_value: pointer to the new extended attribute value
409 * @xattr_value_len: pointer to the new extended attribute value length
410 *
411 * Update the HMAC stored in 'security.evm' to reflect the change.
412 *
413 * No need to take the i_mutex lock here, as this function is called from
414 * __vfs_setxattr_noperm(). The caller of which has taken the inode's
415 * i_mutex lock.
416 */
417 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
418 const void *xattr_value, size_t xattr_value_len)
419 {
420 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
421 && !posix_xattr_acl(xattr_name)))
422 return;
423
424 evm_reset_status(dentry->d_inode);
425
426 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
427 }
428
429 /**
430 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
431 * @dentry: pointer to the affected dentry
432 * @xattr_name: pointer to the affected extended attribute name
433 *
434 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
435 *
436 * No need to take the i_mutex lock here, as this function is called from
437 * vfs_removexattr() which takes the i_mutex.
438 */
439 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
440 {
441 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
442 return;
443
444 evm_reset_status(dentry->d_inode);
445
446 evm_update_evmxattr(dentry, xattr_name, NULL, 0);
447 }
448
449 /**
450 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
451 * @dentry: pointer to the affected dentry
452 *
453 * Permit update of file attributes when files have a valid EVM signature,
454 * except in the case of them having an immutable portable signature.
455 */
456 int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
457 {
458 unsigned int ia_valid = attr->ia_valid;
459 enum integrity_status evm_status;
460
461 /* Policy permits modification of the protected attrs even though
462 * there's no HMAC key loaded
463 */
464 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
465 return 0;
466
467 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
468 return 0;
469 evm_status = evm_verify_current_integrity(dentry);
470 if ((evm_status == INTEGRITY_PASS) ||
471 (evm_status == INTEGRITY_NOXATTRS))
472 return 0;
473 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
474 dentry->d_name.name, "appraise_metadata",
475 integrity_status_msg[evm_status], -EPERM, 0);
476 return -EPERM;
477 }
478
479 /**
480 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
481 * @dentry: pointer to the affected dentry
482 * @ia_valid: for the UID and GID status
483 *
484 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
485 * changes.
486 *
487 * This function is called from notify_change(), which expects the caller
488 * to lock the inode's i_mutex.
489 */
490 void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
491 {
492 if (!evm_key_loaded())
493 return;
494
495 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
496 evm_update_evmxattr(dentry, NULL, NULL, 0);
497 }
498
499 /*
500 * evm_inode_init_security - initializes security.evm
501 */
502 int evm_inode_init_security(struct inode *inode,
503 const struct xattr *lsm_xattr,
504 struct xattr *evm_xattr)
505 {
506 struct evm_ima_xattr_data *xattr_data;
507 int rc;
508
509 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
510 return 0;
511
512 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
513 if (!xattr_data)
514 return -ENOMEM;
515
516 xattr_data->type = EVM_XATTR_HMAC;
517 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
518 if (rc < 0)
519 goto out;
520
521 evm_xattr->value = xattr_data;
522 evm_xattr->value_len = sizeof(*xattr_data);
523 evm_xattr->name = XATTR_EVM_SUFFIX;
524 return 0;
525 out:
526 kfree(xattr_data);
527 return rc;
528 }
529 EXPORT_SYMBOL_GPL(evm_inode_init_security);
530
531 #ifdef CONFIG_EVM_LOAD_X509
532 void __init evm_load_x509(void)
533 {
534 int rc;
535
536 rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
537 if (!rc)
538 evm_initialized |= EVM_INIT_X509;
539 }
540 #endif
541
542 static int __init init_evm(void)
543 {
544 int error;
545
546 evm_init_config();
547
548 error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
549 if (error)
550 return error;
551
552 error = evm_init_secfs();
553 if (error < 0) {
554 pr_info("Error registering secfs\n");
555 return error;
556 }
557
558 return 0;
559 }
560
561 /*
562 * evm_display_config - list the EVM protected security extended attributes
563 */
564 static int __init evm_display_config(void)
565 {
566 char **xattrname;
567
568 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++)
569 pr_info("%s\n", *xattrname);
570 return 0;
571 }
572
573 pure_initcall(evm_display_config);
574 late_initcall(init_evm);
575
576 MODULE_DESCRIPTION("Extended Verification Module");
577 MODULE_LICENSE("GPL");
CRIS linux kernel tree