search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
audit: fix dangling keywords in integrity ima message output
[linux/fpc-iii.git] / security / integrity / ima / ima_appraise.c
blob59ac902750703a7d7a74dddfcdeb6b132f270af5
1 /*
2 * Copyright (C) 2011 IBM Corporation
3 *
4 * Author:
5 * Mimi Zohar <zohar@us.ibm.com>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, version 2 of the License.
10 */
11 #include <linux/module.h>
12 #include <linux/file.h>
13 #include <linux/fs.h>
14 #include <linux/xattr.h>
15 #include <linux/magic.h>
16 #include <linux/ima.h>
17 #include <linux/evm.h>
18 #include <crypto/hash_info.h>
19
20 #include "ima.h"
21
22 static int __init default_appraise_setup(char *str)
23 {
24 if (strncmp(str, "off", 3) == 0)
25 ima_appraise = 0;
26 else if (strncmp(str, "fix", 3) == 0)
27 ima_appraise = IMA_APPRAISE_FIX;
28 return 1;
29 }
30
31 __setup("ima_appraise=", default_appraise_setup);
32
33 /*
34 * ima_must_appraise - set appraise flag
35 *
36 * Return 1 to appraise
37 */
38 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
39 {
40 if (!ima_appraise)
41 return 0;
42
43 return ima_match_policy(inode, func, mask, IMA_APPRAISE);
44 }
45
46 static int ima_fix_xattr(struct dentry *dentry,
47 struct integrity_iint_cache *iint)
48 {
49 int rc, offset;
50 u8 algo = iint->ima_hash->algo;
51
52 if (algo <= HASH_ALGO_SHA1) {
53 offset = 1;
54 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
55 } else {
56 offset = 0;
57 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
58 iint->ima_hash->xattr.ng.algo = algo;
59 }
60 rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
61 &iint->ima_hash->xattr.data[offset],
62 (sizeof(iint->ima_hash->xattr) - offset) +
63 iint->ima_hash->length, 0);
64 return rc;
65 }
66
67 /* Return specific func appraised cached result */
68 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
69 int func)
70 {
71 switch (func) {
72 case MMAP_CHECK:
73 return iint->ima_mmap_status;
74 case BPRM_CHECK:
75 return iint->ima_bprm_status;
76 case MODULE_CHECK:
77 return iint->ima_module_status;
78 case FILE_CHECK:
79 default:
80 return iint->ima_file_status;
81 }
82 }
83
84 static void ima_set_cache_status(struct integrity_iint_cache *iint,
85 int func, enum integrity_status status)
86 {
87 switch (func) {
88 case MMAP_CHECK:
89 iint->ima_mmap_status = status;
90 break;
91 case BPRM_CHECK:
92 iint->ima_bprm_status = status;
93 break;
94 case MODULE_CHECK:
95 iint->ima_module_status = status;
96 break;
97 case FILE_CHECK:
98 default:
99 iint->ima_file_status = status;
100 break;
101 }
102 }
103
104 static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
105 {
106 switch (func) {
107 case MMAP_CHECK:
108 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
109 break;
110 case BPRM_CHECK:
111 iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
112 break;
113 case MODULE_CHECK:
114 iint->flags |= (IMA_MODULE_APPRAISED | IMA_APPRAISED);
115 break;
116 case FILE_CHECK:
117 default:
118 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
119 break;
120 }
121 }
122
123 void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
124 struct ima_digest_data *hash)
125 {
126 struct signature_v2_hdr *sig;
127
128 if (!xattr_value || xattr_len < 2)
129 return;
130
131 switch (xattr_value->type) {
132 case EVM_IMA_XATTR_DIGSIG:
133 sig = (typeof(sig))xattr_value;
134 if (sig->version != 2 || xattr_len <= sizeof(*sig))
135 return;
136 hash->algo = sig->hash_algo;
137 break;
138 case IMA_XATTR_DIGEST_NG:
139 hash->algo = xattr_value->digest[0];
140 break;
141 case IMA_XATTR_DIGEST:
142 /* this is for backward compatibility */
143 if (xattr_len == 21) {
144 unsigned int zero = 0;
145 if (!memcmp(&xattr_value->digest[16], &zero, 4))
146 hash->algo = HASH_ALGO_MD5;
147 else
148 hash->algo = HASH_ALGO_SHA1;
149 } else if (xattr_len == 17)
150 hash->algo = HASH_ALGO_MD5;
151 break;
152 }
153 }
154
155 int ima_read_xattr(struct dentry *dentry,
156 struct evm_ima_xattr_data **xattr_value)
157 {
158 struct inode *inode = dentry->d_inode;
159
160 if (!inode->i_op->getxattr)
161 return 0;
162
163 return vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
164 0, GFP_NOFS);
165 }
166
167 /*
168 * ima_appraise_measurement - appraise file measurement
169 *
170 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
171 * Assuming success, compare the xattr hash with the collected measurement.
172 *
173 * Return 0 on success, error code otherwise
174 */
175 int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
176 struct file *file, const unsigned char *filename,
177 struct evm_ima_xattr_data *xattr_value,
178 int xattr_len)
179 {
180 static const char op[] = "appraise_data";
181 char *cause = "unknown";
182 struct dentry *dentry = file->f_dentry;
183 struct inode *inode = dentry->d_inode;
184 enum integrity_status status = INTEGRITY_UNKNOWN;
185 int rc = xattr_len, hash_start = 0;
186
187 if (!ima_appraise)
188 return 0;
189 if (!inode->i_op->getxattr)
190 return INTEGRITY_UNKNOWN;
191
192 if (rc <= 0) {
193 if (rc && rc != -ENODATA)
194 goto out;
195
196 cause = "missing-hash";
197 status =
198 (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL;
199 goto out;
200 }
201
202 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
203 if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
204 if ((status == INTEGRITY_NOLABEL)
205 || (status == INTEGRITY_NOXATTRS))
206 cause = "missing-HMAC";
207 else if (status == INTEGRITY_FAIL)
208 cause = "invalid-HMAC";
209 goto out;
210 }
211 switch (xattr_value->type) {
212 case IMA_XATTR_DIGEST_NG:
213 /* first byte contains algorithm id */
214 hash_start = 1;
215 case IMA_XATTR_DIGEST:
216 if (iint->flags & IMA_DIGSIG_REQUIRED) {
217 cause = "IMA-signature-required";
218 status = INTEGRITY_FAIL;
219 break;
220 }
221 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
222 iint->ima_hash->length)
223 /* xattr length may be longer. md5 hash in previous
224 version occupied 20 bytes in xattr, instead of 16
225 */
226 rc = memcmp(&xattr_value->digest[hash_start],
227 iint->ima_hash->digest,
228 iint->ima_hash->length);
229 else
230 rc = -EINVAL;
231 if (rc) {
232 cause = "invalid-hash";
233 status = INTEGRITY_FAIL;
234 break;
235 }
236 status = INTEGRITY_PASS;
237 break;
238 case EVM_IMA_XATTR_DIGSIG:
239 iint->flags |= IMA_DIGSIG;
240 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
241 (const char *)xattr_value, rc,
242 iint->ima_hash->digest,
243 iint->ima_hash->length);
244 if (rc == -EOPNOTSUPP) {
245 status = INTEGRITY_UNKNOWN;
246 } else if (rc) {
247 cause = "invalid-signature";
248 status = INTEGRITY_FAIL;
249 } else {
250 status = INTEGRITY_PASS;
251 }
252 break;
253 default:
254 status = INTEGRITY_UNKNOWN;
255 cause = "unknown-ima-data";
256 break;
257 }
258
259 out:
260 if (status != INTEGRITY_PASS) {
261 if ((ima_appraise & IMA_APPRAISE_FIX) &&
262 (!xattr_value ||
263 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
264 if (!ima_fix_xattr(dentry, iint))
265 status = INTEGRITY_PASS;
266 }
267 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
268 op, cause, rc, 0);
269 } else {
270 ima_cache_flags(iint, func);
271 }
272 ima_set_cache_status(iint, func, status);
273 return status;
274 }
275
276 /*
277 * ima_update_xattr - update 'security.ima' hash value
278 */
279 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
280 {
281 struct dentry *dentry = file->f_dentry;
282 int rc = 0;
283
284 /* do not collect and update hash for digital signatures */
285 if (iint->flags & IMA_DIGSIG)
286 return;
287
288 rc = ima_collect_measurement(iint, file, NULL, NULL);
289 if (rc < 0)
290 return;
291
292 ima_fix_xattr(dentry, iint);
293 }
294
295 /**
296 * ima_inode_post_setattr - reflect file metadata changes
297 * @dentry: pointer to the affected dentry
298 *
299 * Changes to a dentry's metadata might result in needing to appraise.
300 *
301 * This function is called from notify_change(), which expects the caller
302 * to lock the inode's i_mutex.
303 */
304 void ima_inode_post_setattr(struct dentry *dentry)
305 {
306 struct inode *inode = dentry->d_inode;
307 struct integrity_iint_cache *iint;
308 int must_appraise, rc;
309
310 if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)
311 || !inode->i_op->removexattr)
312 return;
313
314 must_appraise = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
315 iint = integrity_iint_find(inode);
316 if (iint) {
317 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
318 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
319 IMA_ACTION_FLAGS);
320 if (must_appraise)
321 iint->flags |= IMA_APPRAISE;
322 }
323 if (!must_appraise)
324 rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA);
325 return;
326 }
327
328 /*
329 * ima_protect_xattr - protect 'security.ima'
330 *
331 * Ensure that not just anyone can modify or remove 'security.ima'.
332 */
333 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
334 const void *xattr_value, size_t xattr_value_len)
335 {
336 if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
337 if (!capable(CAP_SYS_ADMIN))
338 return -EPERM;
339 return 1;
340 }
341 return 0;
342 }
343
344 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
345 {
346 struct integrity_iint_cache *iint;
347
348 if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode))
349 return;
350
351 iint = integrity_iint_find(inode);
352 if (!iint)
353 return;
354
355 iint->flags &= ~IMA_DONE_MASK;
356 if (digsig)
357 iint->flags |= IMA_DIGSIG;
358 return;
359 }
360
361 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
362 const void *xattr_value, size_t xattr_value_len)
363 {
364 const struct evm_ima_xattr_data *xvalue = xattr_value;
365 int result;
366
367 result = ima_protect_xattr(dentry, xattr_name, xattr_value,
368 xattr_value_len);
369 if (result == 1) {
370 ima_reset_appraise_flags(dentry->d_inode,
371 (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
372 result = 0;
373 }
374 return result;
375 }
376
377 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
378 {
379 int result;
380
381 result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
382 if (result == 1) {
383 ima_reset_appraise_flags(dentry->d_inode, 0);
384 result = 0;
385 }
386 return result;
387 }
Linux with added FPC-III support