security/integrity/ima/ima_appraise.c

   1 /*
   2  * Copyright (C) 2011 IBM Corporation
   3  *
   4  * Author:
   5  * Mimi Zohar <zohar@us.ibm.com>
   6  *
   7  * This program is free software; you can redistribute it and/or modify
   8  * it under the terms of the GNU General Public License as published by
   9  * the Free Software Foundation, version 2 of the License.
  10  */
  11 #include <linux/module.h>
  12 #include <linux/file.h>
  13 #include <linux/fs.h>
  14 #include <linux/xattr.h>
  15 #include <linux/magic.h>
  16 #include <linux/ima.h>
  17 #include <linux/evm.h>
  18
  19 #include "ima.h"
  20
  21 static int __init default_appraise_setup(char *str)
  22 {
  23         if (strncmp(str, "off", 3) == 0)
  24                 ima_appraise = 0;
  25         else if (strncmp(str, "fix", 3) == 0)
  26                 ima_appraise = IMA_APPRAISE_FIX;
  27         return 1;
  28 }
  29
  30 __setup("ima_appraise=", default_appraise_setup);
  31
  32 /*
  33  * ima_must_appraise - set appraise flag
  34  *
  35  * Return 1 to appraise
  36  */
  37 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
  38 {
  39         if (!ima_appraise)
  40                 return 0;
  41
  42         return ima_match_policy(inode, func, mask, IMA_APPRAISE);
  43 }
  44
  45 static int ima_fix_xattr(struct dentry *dentry,
  46                           struct integrity_iint_cache *iint)
  47 {
  48         iint->ima_xattr.type = IMA_XATTR_DIGEST;
  49         return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
  50                                      (u8 *)&iint->ima_xattr,
  51                                       sizeof(iint->ima_xattr), 0);
  52 }
  53
  54 /* Return specific func appraised cached result */
  55 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
  56                                            int func)
  57 {
  58         switch(func) {
  59         case MMAP_CHECK:
  60                 return iint->ima_mmap_status;
  61         case BPRM_CHECK:
  62                 return iint->ima_bprm_status;
  63         case MODULE_CHECK:
  64                 return iint->ima_module_status;
  65         case FILE_CHECK:
  66         default:
  67                 return iint->ima_file_status;
  68         }
  69 }
  70
  71 static void ima_set_cache_status(struct integrity_iint_cache *iint,
  72                                  int func, enum integrity_status status)
  73 {
  74         switch(func) {
  75         case MMAP_CHECK:
  76                 iint->ima_mmap_status = status;
  77                 break;
  78         case BPRM_CHECK:
  79                 iint->ima_bprm_status = status;
  80                 break;
  81         case MODULE_CHECK:
  82                 iint->ima_module_status = status;
  83                 break;
  84         case FILE_CHECK:
  85         default:
  86                 iint->ima_file_status = status;
  87                 break;
  88         }
  89 }
  90
  91 static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
  92 {
  93         switch(func) {
  94         case MMAP_CHECK:
  95                 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
  96                 break;
  97         case BPRM_CHECK:
  98                 iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
  99                 break;
 100         case MODULE_CHECK:
 101                 iint->flags |= (IMA_MODULE_APPRAISED | IMA_APPRAISED);
 102                 break;
 103         case FILE_CHECK:
 104         default:
 105                 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
 106                 break;
 107         }
 108 }
 109
 110 /*
 111  * ima_appraise_measurement - appraise file measurement
 112  *
 113  * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
 114  * Assuming success, compare the xattr hash with the collected measurement.
 115  *
 116  * Return 0 on success, error code otherwise
 117  */
 118 int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
 119                              struct file *file, const unsigned char *filename)
 120 {
 121         struct dentry *dentry = file->f_dentry;
 122         struct inode *inode = dentry->d_inode;
 123         struct evm_ima_xattr_data *xattr_value = NULL;
 124         enum integrity_status status = INTEGRITY_UNKNOWN;
 125         const char *op = "appraise_data";
 126         char *cause = "unknown";
 127         int rc;
 128
 129         if (!ima_appraise)
 130                 return 0;
 131         if (!inode->i_op->getxattr)
 132                 return INTEGRITY_UNKNOWN;
 133
 134         rc = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)&xattr_value,
 135                                 0, GFP_NOFS);
 136         if (rc <= 0) {
 137                 if (rc && rc != -ENODATA)
 138                         goto out;
 139
 140                 cause = "missing-hash";
 141                 status =
 142                     (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL;
 143                 goto out;
 144         }
 145
 146         status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
 147         if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
 148                 if ((status == INTEGRITY_NOLABEL)
 149                     || (status == INTEGRITY_NOXATTRS))
 150                         cause = "missing-HMAC";
 151                 else if (status == INTEGRITY_FAIL)
 152                         cause = "invalid-HMAC";
 153                 goto out;
 154         }
 155         switch (xattr_value->type) {
 156         case IMA_XATTR_DIGEST:
 157                 if (iint->flags & IMA_DIGSIG_REQUIRED) {
 158                         cause = "IMA signature required";
 159                         status = INTEGRITY_FAIL;
 160                         break;
 161                 }
 162                 rc = memcmp(xattr_value->digest, iint->ima_xattr.digest,
 163                             IMA_DIGEST_SIZE);
 164                 if (rc) {
 165                         cause = "invalid-hash";
 166                         status = INTEGRITY_FAIL;
 167                         break;
 168                 }
 169                 status = INTEGRITY_PASS;
 170                 break;
 171         case EVM_IMA_XATTR_DIGSIG:
 172                 iint->flags |= IMA_DIGSIG;
 173                 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
 174                                              xattr_value->digest, rc - 1,
 175                                              iint->ima_xattr.digest,
 176                                              IMA_DIGEST_SIZE);
 177                 if (rc == -EOPNOTSUPP) {
 178                         status = INTEGRITY_UNKNOWN;
 179                 } else if (rc) {
 180                         cause = "invalid-signature";
 181                         status = INTEGRITY_FAIL;
 182                 } else {
 183                         status = INTEGRITY_PASS;
 184                 }
 185                 break;
 186         default:
 187                 status = INTEGRITY_UNKNOWN;
 188                 cause = "unknown-ima-data";
 189                 break;
 190         }
 191
 192 out:
 193         if (status != INTEGRITY_PASS) {
 194                 if ((ima_appraise & IMA_APPRAISE_FIX) &&
 195                     (!xattr_value ||
 196                      xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
 197                         if (!ima_fix_xattr(dentry, iint))
 198                                 status = INTEGRITY_PASS;
 199                 }
 200                 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
 201                                     op, cause, rc, 0);
 202         } else {
 203                 ima_cache_flags(iint, func);
 204         }
 205         ima_set_cache_status(iint, func, status);
 206         kfree(xattr_value);
 207         return status;
 208 }
 209
 210 /*
 211  * ima_update_xattr - update 'security.ima' hash value
 212  */
 213 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
 214 {
 215         struct dentry *dentry = file->f_dentry;
 216         int rc = 0;
 217
 218         /* do not collect and update hash for digital signatures */
 219         if (iint->flags & IMA_DIGSIG)
 220                 return;
 221
 222         rc = ima_collect_measurement(iint, file);
 223         if (rc < 0)
 224                 return;
 225
 226         ima_fix_xattr(dentry, iint);
 227 }
 228
 229 /**
 230  * ima_inode_post_setattr - reflect file metadata changes
 231  * @dentry: pointer to the affected dentry
 232  *
 233  * Changes to a dentry's metadata might result in needing to appraise.
 234  *
 235  * This function is called from notify_change(), which expects the caller
 236  * to lock the inode's i_mutex.
 237  */
 238 void ima_inode_post_setattr(struct dentry *dentry)
 239 {
 240         struct inode *inode = dentry->d_inode;
 241         struct integrity_iint_cache *iint;
 242         int must_appraise, rc;
 243
 244         if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)
 245             || !inode->i_op->removexattr)
 246                 return;
 247
 248         must_appraise = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
 249         iint = integrity_iint_find(inode);
 250         if (iint) {
 251                 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
 252                                  IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
 253                                  IMA_ACTION_FLAGS);
 254                 if (must_appraise)
 255                         iint->flags |= IMA_APPRAISE;
 256         }
 257         if (!must_appraise)
 258                 rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA);
 259         return;
 260 }
 261
 262 /*
 263  * ima_protect_xattr - protect 'security.ima'
 264  *
 265  * Ensure that not just anyone can modify or remove 'security.ima'.
 266  */
 267 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
 268                              const void *xattr_value, size_t xattr_value_len)
 269 {
 270         if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
 271                 if (!capable(CAP_SYS_ADMIN))
 272                         return -EPERM;
 273                 return 1;
 274         }
 275         return 0;
 276 }
 277
 278 static void ima_reset_appraise_flags(struct inode *inode)
 279 {
 280         struct integrity_iint_cache *iint;
 281
 282         if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode))
 283                 return;
 284
 285         iint = integrity_iint_find(inode);
 286         if (!iint)
 287                 return;
 288
 289         iint->flags &= ~IMA_DONE_MASK;
 290         return;
 291 }
 292
 293 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 294                        const void *xattr_value, size_t xattr_value_len)
 295 {
 296         int result;
 297
 298         result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 299                                    xattr_value_len);
 300         if (result == 1) {
 301                 ima_reset_appraise_flags(dentry->d_inode);
 302                 result = 0;
 303         }
 304         return result;
 305 }
 306
 307 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 308 {
 309         int result;
 310
 311         result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
 312         if (result == 1) {
 313                 ima_reset_appraise_flags(dentry->d_inode);
 314                 result = 0;
 315         }
 316         return result;
 317 }