1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Copyright (C) 2011 IBM Corporation |
4 | * |
5 | * Author: |
6 | * Mimi Zohar <zohar@us.ibm.com> |
7 | */ |
8 | #include <linux/module.h> |
9 | #include <linux/init.h> |
10 | #include <linux/file.h> |
11 | #include <linux/fs.h> |
12 | #include <linux/xattr.h> |
13 | #include <linux/magic.h> |
14 | #include <linux/ima.h> |
15 | #include <linux/evm.h> |
16 | #include <linux/fsverity.h> |
17 | #include <keys/system_keyring.h> |
18 | #include <uapi/linux/fsverity.h> |
19 | |
20 | #include "ima.h" |
21 | |
22 | #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM |
23 | static char *ima_appraise_cmdline_default __initdata; |
24 | core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0); |
25 | |
26 | void __init ima_appraise_parse_cmdline(void) |
27 | { |
28 | const char *str = ima_appraise_cmdline_default; |
29 | bool sb_state = arch_ima_get_secureboot(); |
30 | int appraisal_state = ima_appraise; |
31 | |
32 | if (!str) |
33 | return; |
34 | |
35 | if (strncmp(str, "off" , 3) == 0) |
36 | appraisal_state = 0; |
37 | else if (strncmp(str, "log" , 3) == 0) |
38 | appraisal_state = IMA_APPRAISE_LOG; |
39 | else if (strncmp(str, "fix" , 3) == 0) |
40 | appraisal_state = IMA_APPRAISE_FIX; |
41 | else if (strncmp(str, "enforce" , 7) == 0) |
42 | appraisal_state = IMA_APPRAISE_ENFORCE; |
43 | else |
44 | pr_err("invalid \"%s\" appraise option" , str); |
45 | |
46 | /* If appraisal state was changed, but secure boot is enabled, |
47 | * keep its default */ |
48 | if (sb_state) { |
49 | if (!(appraisal_state & IMA_APPRAISE_ENFORCE)) |
50 | pr_info("Secure boot enabled: ignoring ima_appraise=%s option" , |
51 | str); |
52 | } else { |
53 | ima_appraise = appraisal_state; |
54 | } |
55 | } |
56 | #endif |
57 | |
58 | /* |
59 | * is_ima_appraise_enabled - return appraise status |
60 | * |
61 | * Only return enabled, if not in ima_appraise="fix" or "log" modes. |
62 | */ |
63 | bool is_ima_appraise_enabled(void) |
64 | { |
65 | return ima_appraise & IMA_APPRAISE_ENFORCE; |
66 | } |
67 | |
68 | /* |
69 | * ima_must_appraise - set appraise flag |
70 | * |
71 | * Return 1 to appraise or hash |
72 | */ |
73 | int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode, |
74 | int mask, enum ima_hooks func) |
75 | { |
76 | u32 secid; |
77 | |
78 | if (!ima_appraise) |
79 | return 0; |
80 | |
81 | security_current_getsecid_subj(secid: &secid); |
82 | return ima_match_policy(idmap, inode, current_cred(), secid, |
83 | func, mask, IMA_APPRAISE | IMA_HASH, NULL, |
84 | NULL, NULL, NULL); |
85 | } |
86 | |
87 | static int ima_fix_xattr(struct dentry *dentry, struct ima_iint_cache *iint) |
88 | { |
89 | int rc, offset; |
90 | u8 algo = iint->ima_hash->algo; |
91 | |
92 | if (algo <= HASH_ALGO_SHA1) { |
93 | offset = 1; |
94 | iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST; |
95 | } else { |
96 | offset = 0; |
97 | iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG; |
98 | iint->ima_hash->xattr.ng.algo = algo; |
99 | } |
100 | rc = __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_IMA, |
101 | &iint->ima_hash->xattr.data[offset], |
102 | (sizeof(iint->ima_hash->xattr) - offset) + |
103 | iint->ima_hash->length, 0); |
104 | return rc; |
105 | } |
106 | |
107 | /* Return specific func appraised cached result */ |
108 | enum integrity_status ima_get_cache_status(struct ima_iint_cache *iint, |
109 | enum ima_hooks func) |
110 | { |
111 | switch (func) { |
112 | case MMAP_CHECK: |
113 | case MMAP_CHECK_REQPROT: |
114 | return iint->ima_mmap_status; |
115 | case BPRM_CHECK: |
116 | return iint->ima_bprm_status; |
117 | case CREDS_CHECK: |
118 | return iint->ima_creds_status; |
119 | case FILE_CHECK: |
120 | case POST_SETATTR: |
121 | return iint->ima_file_status; |
122 | case MODULE_CHECK ... MAX_CHECK - 1: |
123 | default: |
124 | return iint->ima_read_status; |
125 | } |
126 | } |
127 | |
128 | static void ima_set_cache_status(struct ima_iint_cache *iint, |
129 | enum ima_hooks func, |
130 | enum integrity_status status) |
131 | { |
132 | switch (func) { |
133 | case MMAP_CHECK: |
134 | case MMAP_CHECK_REQPROT: |
135 | iint->ima_mmap_status = status; |
136 | break; |
137 | case BPRM_CHECK: |
138 | iint->ima_bprm_status = status; |
139 | break; |
140 | case CREDS_CHECK: |
141 | iint->ima_creds_status = status; |
142 | break; |
143 | case FILE_CHECK: |
144 | case POST_SETATTR: |
145 | iint->ima_file_status = status; |
146 | break; |
147 | case MODULE_CHECK ... MAX_CHECK - 1: |
148 | default: |
149 | iint->ima_read_status = status; |
150 | break; |
151 | } |
152 | } |
153 | |
154 | static void ima_cache_flags(struct ima_iint_cache *iint, enum ima_hooks func) |
155 | { |
156 | switch (func) { |
157 | case MMAP_CHECK: |
158 | case MMAP_CHECK_REQPROT: |
159 | iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED); |
160 | break; |
161 | case BPRM_CHECK: |
162 | iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED); |
163 | break; |
164 | case CREDS_CHECK: |
165 | iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED); |
166 | break; |
167 | case FILE_CHECK: |
168 | case POST_SETATTR: |
169 | iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED); |
170 | break; |
171 | case MODULE_CHECK ... MAX_CHECK - 1: |
172 | default: |
173 | iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED); |
174 | break; |
175 | } |
176 | } |
177 | |
178 | enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, |
179 | int xattr_len) |
180 | { |
181 | struct signature_v2_hdr *sig; |
182 | enum hash_algo ret; |
183 | |
184 | if (!xattr_value || xattr_len < 2) |
185 | /* return default hash algo */ |
186 | return ima_hash_algo; |
187 | |
188 | switch (xattr_value->type) { |
189 | case IMA_VERITY_DIGSIG: |
190 | sig = (typeof(sig))xattr_value; |
191 | if (sig->version != 3 || xattr_len <= sizeof(*sig) || |
192 | sig->hash_algo >= HASH_ALGO__LAST) |
193 | return ima_hash_algo; |
194 | return sig->hash_algo; |
195 | case EVM_IMA_XATTR_DIGSIG: |
196 | sig = (typeof(sig))xattr_value; |
197 | if (sig->version != 2 || xattr_len <= sizeof(*sig) |
198 | || sig->hash_algo >= HASH_ALGO__LAST) |
199 | return ima_hash_algo; |
200 | return sig->hash_algo; |
201 | case IMA_XATTR_DIGEST_NG: |
202 | /* first byte contains algorithm id */ |
203 | ret = xattr_value->data[0]; |
204 | if (ret < HASH_ALGO__LAST) |
205 | return ret; |
206 | break; |
207 | case IMA_XATTR_DIGEST: |
208 | /* this is for backward compatibility */ |
209 | if (xattr_len == 21) { |
210 | unsigned int zero = 0; |
211 | if (!memcmp(p: &xattr_value->data[16], q: &zero, size: 4)) |
212 | return HASH_ALGO_MD5; |
213 | else |
214 | return HASH_ALGO_SHA1; |
215 | } else if (xattr_len == 17) |
216 | return HASH_ALGO_MD5; |
217 | break; |
218 | } |
219 | |
220 | /* return default hash algo */ |
221 | return ima_hash_algo; |
222 | } |
223 | |
224 | int ima_read_xattr(struct dentry *dentry, |
225 | struct evm_ima_xattr_data **xattr_value, int xattr_len) |
226 | { |
227 | int ret; |
228 | |
229 | ret = vfs_getxattr_alloc(idmap: &nop_mnt_idmap, dentry, XATTR_NAME_IMA, |
230 | xattr_value: (char **)xattr_value, size: xattr_len, GFP_NOFS); |
231 | if (ret == -EOPNOTSUPP) |
232 | ret = 0; |
233 | return ret; |
234 | } |
235 | |
236 | /* |
237 | * calc_file_id_hash - calculate the hash of the ima_file_id struct data |
238 | * @type: xattr type [enum evm_ima_xattr_type] |
239 | * @algo: hash algorithm [enum hash_algo] |
240 | * @digest: pointer to the digest to be hashed |
241 | * @hash: (out) pointer to the hash |
242 | * |
243 | * IMA signature version 3 disambiguates the data that is signed by |
244 | * indirectly signing the hash of the ima_file_id structure data. |
245 | * |
246 | * Signing the ima_file_id struct is currently only supported for |
247 | * IMA_VERITY_DIGSIG type xattrs. |
248 | * |
249 | * Return 0 on success, error code otherwise. |
250 | */ |
251 | static int calc_file_id_hash(enum evm_ima_xattr_type type, |
252 | enum hash_algo algo, const u8 *digest, |
253 | struct ima_digest_data *hash) |
254 | { |
255 | struct ima_file_id file_id = { |
256 | .hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo}; |
257 | unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo]; |
258 | |
259 | if (type != IMA_VERITY_DIGSIG) |
260 | return -EINVAL; |
261 | |
262 | memcpy(file_id.hash, digest, hash_digest_size[algo]); |
263 | |
264 | hash->algo = algo; |
265 | hash->length = hash_digest_size[algo]; |
266 | |
267 | return ima_calc_buffer_hash(buf: &file_id, len: sizeof(file_id) - unused, hash); |
268 | } |
269 | |
270 | /* |
271 | * xattr_verify - verify xattr digest or signature |
272 | * |
273 | * Verify whether the hash or signature matches the file contents. |
274 | * |
275 | * Return 0 on success, error code otherwise. |
276 | */ |
277 | static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint, |
278 | struct evm_ima_xattr_data *xattr_value, int xattr_len, |
279 | enum integrity_status *status, const char **cause) |
280 | { |
281 | struct ima_max_digest_data hash; |
282 | struct signature_v2_hdr *sig; |
283 | int rc = -EINVAL, hash_start = 0; |
284 | int mask; |
285 | |
286 | switch (xattr_value->type) { |
287 | case IMA_XATTR_DIGEST_NG: |
288 | /* first byte contains algorithm id */ |
289 | hash_start = 1; |
290 | fallthrough; |
291 | case IMA_XATTR_DIGEST: |
292 | if (*status != INTEGRITY_PASS_IMMUTABLE) { |
293 | if (iint->flags & IMA_DIGSIG_REQUIRED) { |
294 | if (iint->flags & IMA_VERITY_REQUIRED) |
295 | *cause = "verity-signature-required" ; |
296 | else |
297 | *cause = "IMA-signature-required" ; |
298 | *status = INTEGRITY_FAIL; |
299 | break; |
300 | } |
301 | clear_bit(IMA_DIGSIG, addr: &iint->atomic_flags); |
302 | } else { |
303 | set_bit(IMA_DIGSIG, addr: &iint->atomic_flags); |
304 | } |
305 | if (xattr_len - sizeof(xattr_value->type) - hash_start >= |
306 | iint->ima_hash->length) |
307 | /* |
308 | * xattr length may be longer. md5 hash in previous |
309 | * version occupied 20 bytes in xattr, instead of 16 |
310 | */ |
311 | rc = memcmp(p: &xattr_value->data[hash_start], |
312 | q: iint->ima_hash->digest, |
313 | size: iint->ima_hash->length); |
314 | else |
315 | rc = -EINVAL; |
316 | if (rc) { |
317 | *cause = "invalid-hash" ; |
318 | *status = INTEGRITY_FAIL; |
319 | break; |
320 | } |
321 | *status = INTEGRITY_PASS; |
322 | break; |
323 | case EVM_IMA_XATTR_DIGSIG: |
324 | set_bit(IMA_DIGSIG, addr: &iint->atomic_flags); |
325 | |
326 | mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED; |
327 | if ((iint->flags & mask) == mask) { |
328 | *cause = "verity-signature-required" ; |
329 | *status = INTEGRITY_FAIL; |
330 | break; |
331 | } |
332 | |
333 | sig = (typeof(sig))xattr_value; |
334 | if (sig->version >= 3) { |
335 | *cause = "invalid-signature-version" ; |
336 | *status = INTEGRITY_FAIL; |
337 | break; |
338 | } |
339 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, |
340 | sig: (const char *)xattr_value, |
341 | siglen: xattr_len, |
342 | digest: iint->ima_hash->digest, |
343 | digestlen: iint->ima_hash->length); |
344 | if (rc == -EOPNOTSUPP) { |
345 | *status = INTEGRITY_UNKNOWN; |
346 | break; |
347 | } |
348 | if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && |
349 | func == KEXEC_KERNEL_CHECK) |
350 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM, |
351 | sig: (const char *)xattr_value, |
352 | siglen: xattr_len, |
353 | digest: iint->ima_hash->digest, |
354 | digestlen: iint->ima_hash->length); |
355 | if (rc) { |
356 | *cause = "invalid-signature" ; |
357 | *status = INTEGRITY_FAIL; |
358 | } else { |
359 | *status = INTEGRITY_PASS; |
360 | } |
361 | break; |
362 | case IMA_VERITY_DIGSIG: |
363 | set_bit(IMA_DIGSIG, addr: &iint->atomic_flags); |
364 | |
365 | if (iint->flags & IMA_DIGSIG_REQUIRED) { |
366 | if (!(iint->flags & IMA_VERITY_REQUIRED)) { |
367 | *cause = "IMA-signature-required" ; |
368 | *status = INTEGRITY_FAIL; |
369 | break; |
370 | } |
371 | } |
372 | |
373 | sig = (typeof(sig))xattr_value; |
374 | if (sig->version != 3) { |
375 | *cause = "invalid-signature-version" ; |
376 | *status = INTEGRITY_FAIL; |
377 | break; |
378 | } |
379 | |
380 | rc = calc_file_id_hash(type: IMA_VERITY_DIGSIG, algo: iint->ima_hash->algo, |
381 | digest: iint->ima_hash->digest, hash: &hash.hdr); |
382 | if (rc) { |
383 | *cause = "sigv3-hashing-error" ; |
384 | *status = INTEGRITY_FAIL; |
385 | break; |
386 | } |
387 | |
388 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, |
389 | sig: (const char *)xattr_value, |
390 | siglen: xattr_len, digest: hash.digest, |
391 | digestlen: hash.hdr.length); |
392 | if (rc) { |
393 | *cause = "invalid-verity-signature" ; |
394 | *status = INTEGRITY_FAIL; |
395 | } else { |
396 | *status = INTEGRITY_PASS; |
397 | } |
398 | |
399 | break; |
400 | default: |
401 | *status = INTEGRITY_UNKNOWN; |
402 | *cause = "unknown-ima-data" ; |
403 | break; |
404 | } |
405 | |
406 | return rc; |
407 | } |
408 | |
409 | /* |
410 | * modsig_verify - verify modsig signature |
411 | * |
412 | * Verify whether the signature matches the file contents. |
413 | * |
414 | * Return 0 on success, error code otherwise. |
415 | */ |
416 | static int modsig_verify(enum ima_hooks func, const struct modsig *modsig, |
417 | enum integrity_status *status, const char **cause) |
418 | { |
419 | int rc; |
420 | |
421 | rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig); |
422 | if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && |
423 | func == KEXEC_KERNEL_CHECK) |
424 | rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM, |
425 | modsig); |
426 | if (rc) { |
427 | *cause = "invalid-signature" ; |
428 | *status = INTEGRITY_FAIL; |
429 | } else { |
430 | *status = INTEGRITY_PASS; |
431 | } |
432 | |
433 | return rc; |
434 | } |
435 | |
436 | /* |
437 | * ima_check_blacklist - determine if the binary is blacklisted. |
438 | * |
439 | * Add the hash of the blacklisted binary to the measurement list, based |
440 | * on policy. |
441 | * |
442 | * Returns -EPERM if the hash is blacklisted. |
443 | */ |
444 | int ima_check_blacklist(struct ima_iint_cache *iint, |
445 | const struct modsig *modsig, int pcr) |
446 | { |
447 | enum hash_algo hash_algo; |
448 | const u8 *digest = NULL; |
449 | u32 digestsize = 0; |
450 | int rc = 0; |
451 | |
452 | if (!(iint->flags & IMA_CHECK_BLACKLIST)) |
453 | return 0; |
454 | |
455 | if (iint->flags & IMA_MODSIG_ALLOWED && modsig) { |
456 | ima_get_modsig_digest(modsig, algo: &hash_algo, digest: &digest, digest_size: &digestsize); |
457 | |
458 | rc = is_binary_blacklisted(hash: digest, hash_len: digestsize); |
459 | } else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash) |
460 | rc = is_binary_blacklisted(hash: iint->ima_hash->digest, hash_len: iint->ima_hash->length); |
461 | |
462 | if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) |
463 | process_buffer_measurement(idmap: &nop_mnt_idmap, NULL, buf: digest, size: digestsize, |
464 | eventname: "blacklisted-hash" , func: NONE, |
465 | pcr, NULL, buf_hash: false, NULL, digest_len: 0); |
466 | |
467 | return rc; |
468 | } |
469 | |
470 | /* |
471 | * ima_appraise_measurement - appraise file measurement |
472 | * |
473 | * Call evm_verifyxattr() to verify the integrity of 'security.ima'. |
474 | * Assuming success, compare the xattr hash with the collected measurement. |
475 | * |
476 | * Return 0 on success, error code otherwise |
477 | */ |
478 | int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint, |
479 | struct file *file, const unsigned char *filename, |
480 | struct evm_ima_xattr_data *xattr_value, |
481 | int xattr_len, const struct modsig *modsig) |
482 | { |
483 | static const char op[] = "appraise_data" ; |
484 | const char *cause = "unknown" ; |
485 | struct dentry *dentry = file_dentry(file); |
486 | struct inode *inode = d_backing_inode(upper: dentry); |
487 | enum integrity_status status = INTEGRITY_UNKNOWN; |
488 | int rc = xattr_len; |
489 | bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig; |
490 | |
491 | /* If not appraising a modsig, we need an xattr. */ |
492 | if (!(inode->i_opflags & IOP_XATTR) && !try_modsig) |
493 | return INTEGRITY_UNKNOWN; |
494 | |
495 | /* If reading the xattr failed and there's no modsig, error out. */ |
496 | if (rc <= 0 && !try_modsig) { |
497 | if (rc && rc != -ENODATA) |
498 | goto out; |
499 | |
500 | if (iint->flags & IMA_DIGSIG_REQUIRED) { |
501 | if (iint->flags & IMA_VERITY_REQUIRED) |
502 | cause = "verity-signature-required" ; |
503 | else |
504 | cause = "IMA-signature-required" ; |
505 | } else { |
506 | cause = "missing-hash" ; |
507 | } |
508 | |
509 | status = INTEGRITY_NOLABEL; |
510 | if (file->f_mode & FMODE_CREATED) |
511 | iint->flags |= IMA_NEW_FILE; |
512 | if ((iint->flags & IMA_NEW_FILE) && |
513 | (!(iint->flags & IMA_DIGSIG_REQUIRED) || |
514 | (inode->i_size == 0))) |
515 | status = INTEGRITY_PASS; |
516 | goto out; |
517 | } |
518 | |
519 | status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, |
520 | xattr_value_len: rc < 0 ? 0 : rc); |
521 | switch (status) { |
522 | case INTEGRITY_PASS: |
523 | case INTEGRITY_PASS_IMMUTABLE: |
524 | case INTEGRITY_UNKNOWN: |
525 | break; |
526 | case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ |
527 | /* It's fine not to have xattrs when using a modsig. */ |
528 | if (try_modsig) |
529 | break; |
530 | fallthrough; |
531 | case INTEGRITY_NOLABEL: /* No security.evm xattr. */ |
532 | cause = "missing-HMAC" ; |
533 | goto out; |
534 | case INTEGRITY_FAIL_IMMUTABLE: |
535 | set_bit(IMA_DIGSIG, addr: &iint->atomic_flags); |
536 | cause = "invalid-fail-immutable" ; |
537 | goto out; |
538 | case INTEGRITY_FAIL: /* Invalid HMAC/signature. */ |
539 | cause = "invalid-HMAC" ; |
540 | goto out; |
541 | default: |
542 | WARN_ONCE(true, "Unexpected integrity status %d\n" , status); |
543 | } |
544 | |
545 | if (xattr_value) |
546 | rc = xattr_verify(func, iint, xattr_value, xattr_len, status: &status, |
547 | cause: &cause); |
548 | |
549 | /* |
550 | * If we have a modsig and either no imasig or the imasig's key isn't |
551 | * known, then try verifying the modsig. |
552 | */ |
553 | if (try_modsig && |
554 | (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG || |
555 | rc == -ENOKEY)) |
556 | rc = modsig_verify(func, modsig, status: &status, cause: &cause); |
557 | |
558 | out: |
559 | /* |
560 | * File signatures on some filesystems can not be properly verified. |
561 | * When such filesystems are mounted by an untrusted mounter or on a |
562 | * system not willing to accept such a risk, fail the file signature |
563 | * verification. |
564 | */ |
565 | if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && |
566 | ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) || |
567 | (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) { |
568 | status = INTEGRITY_FAIL; |
569 | cause = "unverifiable-signature" ; |
570 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, fname: filename, |
571 | op, cause, result: rc, info: 0); |
572 | } else if (status != INTEGRITY_PASS) { |
573 | /* Fix mode, but don't replace file signatures. */ |
574 | if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig && |
575 | (!xattr_value || |
576 | xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { |
577 | if (!ima_fix_xattr(dentry, iint)) |
578 | status = INTEGRITY_PASS; |
579 | } |
580 | |
581 | /* |
582 | * Permit new files with file/EVM portable signatures, but |
583 | * without data. |
584 | */ |
585 | if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && |
586 | test_bit(IMA_DIGSIG, &iint->atomic_flags)) { |
587 | status = INTEGRITY_PASS; |
588 | } |
589 | |
590 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, fname: filename, |
591 | op, cause, result: rc, info: 0); |
592 | } else { |
593 | ima_cache_flags(iint, func); |
594 | } |
595 | |
596 | ima_set_cache_status(iint, func, status); |
597 | return status; |
598 | } |
599 | |
600 | /* |
601 | * ima_update_xattr - update 'security.ima' hash value |
602 | */ |
603 | void ima_update_xattr(struct ima_iint_cache *iint, struct file *file) |
604 | { |
605 | struct dentry *dentry = file_dentry(file); |
606 | int rc = 0; |
607 | |
608 | /* do not collect and update hash for digital signatures */ |
609 | if (test_bit(IMA_DIGSIG, &iint->atomic_flags)) |
610 | return; |
611 | |
612 | if ((iint->ima_file_status != INTEGRITY_PASS) && |
613 | !(iint->flags & IMA_HASH)) |
614 | return; |
615 | |
616 | rc = ima_collect_measurement(iint, file, NULL, size: 0, algo: ima_hash_algo, NULL); |
617 | if (rc < 0) |
618 | return; |
619 | |
620 | inode_lock(inode: file_inode(f: file)); |
621 | ima_fix_xattr(dentry, iint); |
622 | inode_unlock(inode: file_inode(f: file)); |
623 | } |
624 | |
625 | /** |
626 | * ima_inode_post_setattr - reflect file metadata changes |
627 | * @idmap: idmap of the mount the inode was found from |
628 | * @dentry: pointer to the affected dentry |
629 | * @ia_valid: for the UID and GID status |
630 | * |
631 | * Changes to a dentry's metadata might result in needing to appraise. |
632 | * |
633 | * This function is called from notify_change(), which expects the caller |
634 | * to lock the inode's i_mutex. |
635 | */ |
636 | static void ima_inode_post_setattr(struct mnt_idmap *idmap, |
637 | struct dentry *dentry, int ia_valid) |
638 | { |
639 | struct inode *inode = d_backing_inode(upper: dentry); |
640 | struct ima_iint_cache *iint; |
641 | int action; |
642 | |
643 | if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode) |
644 | || !(inode->i_opflags & IOP_XATTR)) |
645 | return; |
646 | |
647 | action = ima_must_appraise(idmap, inode, MAY_ACCESS, func: POST_SETATTR); |
648 | iint = ima_iint_find(inode); |
649 | if (iint) { |
650 | set_bit(IMA_CHANGE_ATTR, addr: &iint->atomic_flags); |
651 | if (!action) |
652 | clear_bit(IMA_UPDATE_XATTR, addr: &iint->atomic_flags); |
653 | } |
654 | } |
655 | |
656 | /* |
657 | * ima_protect_xattr - protect 'security.ima' |
658 | * |
659 | * Ensure that not just anyone can modify or remove 'security.ima'. |
660 | */ |
661 | static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, |
662 | const void *xattr_value, size_t xattr_value_len) |
663 | { |
664 | if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) { |
665 | if (!capable(CAP_SYS_ADMIN)) |
666 | return -EPERM; |
667 | return 1; |
668 | } |
669 | return 0; |
670 | } |
671 | |
672 | static void ima_reset_appraise_flags(struct inode *inode, int digsig) |
673 | { |
674 | struct ima_iint_cache *iint; |
675 | |
676 | if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)) |
677 | return; |
678 | |
679 | iint = ima_iint_find(inode); |
680 | if (!iint) |
681 | return; |
682 | iint->measured_pcrs = 0; |
683 | set_bit(IMA_CHANGE_XATTR, addr: &iint->atomic_flags); |
684 | if (digsig) |
685 | set_bit(IMA_DIGSIG, addr: &iint->atomic_flags); |
686 | else |
687 | clear_bit(IMA_DIGSIG, addr: &iint->atomic_flags); |
688 | } |
689 | |
690 | /** |
691 | * validate_hash_algo() - Block setxattr with unsupported hash algorithms |
692 | * @dentry: object of the setxattr() |
693 | * @xattr_value: userland supplied xattr value |
694 | * @xattr_value_len: length of xattr_value |
695 | * |
696 | * The xattr value is mapped to its hash algorithm, and this algorithm |
697 | * must be built in the kernel for the setxattr to be allowed. |
698 | * |
699 | * Emit an audit message when the algorithm is invalid. |
700 | * |
701 | * Return: 0 on success, else an error. |
702 | */ |
703 | static int validate_hash_algo(struct dentry *dentry, |
704 | const struct evm_ima_xattr_data *xattr_value, |
705 | size_t xattr_value_len) |
706 | { |
707 | char *path = NULL, *pathbuf = NULL; |
708 | enum hash_algo xattr_hash_algo; |
709 | const char *errmsg = "unavailable-hash-algorithm" ; |
710 | unsigned int allowed_hashes; |
711 | |
712 | xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_len: xattr_value_len); |
713 | |
714 | allowed_hashes = atomic_read(v: &ima_setxattr_allowed_hash_algorithms); |
715 | |
716 | if (allowed_hashes) { |
717 | /* success if the algorithm is allowed in the ima policy */ |
718 | if (allowed_hashes & (1U << xattr_hash_algo)) |
719 | return 0; |
720 | |
721 | /* |
722 | * We use a different audit message when the hash algorithm |
723 | * is denied by a policy rule, instead of not being built |
724 | * in the kernel image |
725 | */ |
726 | errmsg = "denied-hash-algorithm" ; |
727 | } else { |
728 | if (likely(xattr_hash_algo == ima_hash_algo)) |
729 | return 0; |
730 | |
731 | /* allow any xattr using an algorithm built in the kernel */ |
732 | if (crypto_has_alg(name: hash_algo_name[xattr_hash_algo], type: 0, mask: 0)) |
733 | return 0; |
734 | } |
735 | |
736 | pathbuf = kmalloc(PATH_MAX, GFP_KERNEL); |
737 | if (!pathbuf) |
738 | return -EACCES; |
739 | |
740 | path = dentry_path(dentry, pathbuf, PATH_MAX); |
741 | |
742 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode: d_inode(dentry), fname: path, |
743 | op: "set_data" , cause: errmsg, result: -EACCES, info: 0); |
744 | |
745 | kfree(objp: pathbuf); |
746 | |
747 | return -EACCES; |
748 | } |
749 | |
750 | static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, |
751 | const char *xattr_name, const void *xattr_value, |
752 | size_t xattr_value_len, int flags) |
753 | { |
754 | const struct evm_ima_xattr_data *xvalue = xattr_value; |
755 | int digsig = 0; |
756 | int result; |
757 | int err; |
758 | |
759 | result = ima_protect_xattr(dentry, xattr_name, xattr_value, |
760 | xattr_value_len); |
761 | if (result == 1) { |
762 | if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) |
763 | return -EINVAL; |
764 | |
765 | err = validate_hash_algo(dentry, xattr_value: xvalue, xattr_value_len); |
766 | if (err) |
767 | return err; |
768 | |
769 | digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); |
770 | } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { |
771 | digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); |
772 | } |
773 | if (result == 1 || evm_revalidate_status(xattr_name)) { |
774 | ima_reset_appraise_flags(inode: d_backing_inode(upper: dentry), digsig); |
775 | if (result == 1) |
776 | result = 0; |
777 | } |
778 | return result; |
779 | } |
780 | |
781 | static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, |
782 | const char *acl_name, struct posix_acl *kacl) |
783 | { |
784 | if (evm_revalidate_status(xattr_name: acl_name)) |
785 | ima_reset_appraise_flags(inode: d_backing_inode(upper: dentry), digsig: 0); |
786 | |
787 | return 0; |
788 | } |
789 | |
790 | static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, |
791 | const char *xattr_name) |
792 | { |
793 | int result; |
794 | |
795 | result = ima_protect_xattr(dentry, xattr_name, NULL, xattr_value_len: 0); |
796 | if (result == 1 || evm_revalidate_status(xattr_name)) { |
797 | ima_reset_appraise_flags(inode: d_backing_inode(upper: dentry), digsig: 0); |
798 | if (result == 1) |
799 | result = 0; |
800 | } |
801 | return result; |
802 | } |
803 | |
804 | static int ima_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry, |
805 | const char *acl_name) |
806 | { |
807 | return ima_inode_set_acl(idmap, dentry, acl_name, NULL); |
808 | } |
809 | |
810 | static struct security_hook_list ima_appraise_hooks[] __ro_after_init = { |
811 | LSM_HOOK_INIT(inode_post_setattr, ima_inode_post_setattr), |
812 | LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr), |
813 | LSM_HOOK_INIT(inode_set_acl, ima_inode_set_acl), |
814 | LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr), |
815 | LSM_HOOK_INIT(inode_remove_acl, ima_inode_remove_acl), |
816 | }; |
817 | |
818 | void __init init_ima_appraise_lsm(const struct lsm_id *lsmid) |
819 | { |
820 | security_add_hooks(hooks: ima_appraise_hooks, ARRAY_SIZE(ima_appraise_hooks), |
821 | lsmid); |
822 | } |
823 | |