
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Copyright (C) 2011 IBM Corporation
  4. *
  5. * Author:
  6. * Mimi Zohar <zohar@us.ibm.com>
  7. */
  8. #include <linux/module.h>
  9. #include <linux/init.h>
  10. #include <linux/file.h>
  11. #include <linux/binfmts.h>
  12. #include <linux/fs.h>
  13. #include <linux/xattr.h>
  14. #include <linux/magic.h>
  15. #include <linux/ima.h>
  16. #include <linux/evm.h>
  17. #include <linux/fsverity.h>
  18. #include <keys/system_keyring.h>
  19. #include <uapi/linux/fsverity.h>
  20. #include "ima.h"
#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
static char *ima_appraise_cmdline_default __initdata;
core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);

/*
 * ima_appraise_parse_cmdline - apply the ima_appraise= boot parameter
 *
 * Accepted values are "off", "log", "fix" and "enforce"; each is matched
 * as a prefix of the given length, exactly as before.  An unrecognised
 * value is logged and the current setting is kept.  When secure boot is
 * enabled the built-in default always wins: a request for anything other
 * than enforce mode is only reported, never applied.
 */
void __init ima_appraise_parse_cmdline(void)
{
	const struct {
		const char *name;
		size_t len;
		int state;
	} modes[] = {
		{ "off", 3, 0 },
		{ "log", 3, IMA_APPRAISE_LOG },
		{ "fix", 3, IMA_APPRAISE_FIX },
		{ "enforce", 7, IMA_APPRAISE_ENFORCE },
	};
	const char *str = ima_appraise_cmdline_default;
	bool sb_state = arch_ima_get_secureboot();
	int appraisal_state = ima_appraise;
	size_t i;

	if (!str)
		return;

	for (i = 0; i < ARRAY_SIZE(modes); i++) {
		if (strncmp(str, modes[i].name, modes[i].len) == 0) {
			appraisal_state = modes[i].state;
			break;
		}
	}
	if (i == ARRAY_SIZE(modes))
		pr_err("invalid \"%s\" appraise option", str);

	/* Without secure boot the command line decides. */
	if (!sb_state) {
		ima_appraise = appraisal_state;
		return;
	}

	/* Secure boot enabled: keep the default, report a weaker request. */
	if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
		pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
			str);
}
#endif
/*
 * is_ima_appraise_enabled - return appraise status
 *
 * Only the "enforce" mode counts as enabled; the "fix" and "log" modes
 * report false here even though appraisal still runs in them.
 */
bool is_ima_appraise_enabled(void)
{
	bool enforcing = (ima_appraise & IMA_APPRAISE_ENFORCE) != 0;

	return enforcing;
}
/*
 * ima_must_appraise - set appraise flag
 * @idmap: idmap of the mount the inode was found from
 * @inode: inode being accessed
 * @mask: requested access
 * @func: IMA hook being evaluated
 *
 * Return 1 to appraise or hash; 0 when appraisal is disabled altogether.
 * Otherwise the result is whatever the policy match reports for the
 * IMA_APPRAISE | IMA_HASH actions.
 */
int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
		      int mask, enum ima_hooks func)
{
	struct lsm_prop prop;
	const int wanted = IMA_APPRAISE | IMA_HASH;

	if (!ima_appraise)
		return 0;

	/* the policy is matched against the current task's subject label */
	security_current_getlsmprop_subj(&prop);
	return ima_match_policy(idmap, inode, current_cred(), &prop, func,
				mask, wanted, NULL, NULL, NULL, NULL);
}
/*
 * ima_fix_xattr - write the collected hash into 'security.ima'
 * @dentry: dentry of the file being fixed
 * @iint: integrity cache entry holding the collected hash
 *
 * SHA1 and the algorithms ordered before it are stored in the legacy
 * IMA_XATTR_DIGEST layout, which carries no algorithm byte, so the
 * write starts one byte into the xattr header.  Every other algorithm
 * is stored as IMA_XATTR_DIGEST_NG with the algorithm id in front of
 * the digest.
 *
 * Return the result of __vfs_setxattr_noperm().
 */
static int ima_fix_xattr(struct dentry *dentry, struct ima_iint_cache *iint)
{
	u8 algo = iint->ima_hash->algo;
	int skip;

	if (algo > HASH_ALGO_SHA1) {
		skip = 0;
		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
		iint->ima_hash->xattr.ng.algo = algo;
	} else {
		skip = 1;
		iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
	}

	/* header (minus the skipped byte) followed by the digest itself */
	return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
				     &iint->ima_hash->xattr.data[skip],
				     (sizeof(iint->ima_hash->xattr) - skip) +
				     iint->ima_hash->length, 0);
}
/*
 * ima_get_cache_status - return the cached appraisal result for a hook
 * @iint: integrity cache entry
 * @func: IMA hook whose result is wanted
 *
 * Each group of hooks has its own status slot; everything from
 * MODULE_CHECK upwards shares the read status.
 */
enum integrity_status ima_get_cache_status(struct ima_iint_cache *iint,
					   enum ima_hooks func)
{
	enum integrity_status cached;

	switch (func) {
	case MMAP_CHECK:
	case MMAP_CHECK_REQPROT:
		cached = iint->ima_mmap_status;
		break;
	case BPRM_CHECK:
		cached = iint->ima_bprm_status;
		break;
	case CREDS_CHECK:
		cached = iint->ima_creds_status;
		break;
	case FILE_CHECK:
	case POST_SETATTR:
		cached = iint->ima_file_status;
		break;
	case MODULE_CHECK ... MAX_CHECK - 1:
	default:
		cached = iint->ima_read_status;
		break;
	}

	return cached;
}
/*
 * ima_set_cache_status - record an appraisal result for a hook
 * @iint: integrity cache entry
 * @func: IMA hook the result belongs to
 * @status: result to store
 *
 * Mirrors ima_get_cache_status(): the same grouping of hooks selects
 * the slot, with MODULE_CHECK and everything after it sharing the
 * read status.
 */
static void ima_set_cache_status(struct ima_iint_cache *iint,
				 enum ima_hooks func,
				 enum integrity_status status)
{
	if (func == MMAP_CHECK || func == MMAP_CHECK_REQPROT)
		iint->ima_mmap_status = status;
	else if (func == BPRM_CHECK)
		iint->ima_bprm_status = status;
	else if (func == CREDS_CHECK)
		iint->ima_creds_status = status;
	else if (func == FILE_CHECK || func == POST_SETATTR)
		iint->ima_file_status = status;
	else
		iint->ima_read_status = status;
}
/*
 * ima_cache_flags - mark a hook's appraisal as done
 * @iint: integrity cache entry
 * @func: IMA hook that just appraised the file
 *
 * Sets the hook-specific *_APPRAISED bit together with the generic
 * IMA_APPRAISED bit.
 */
static void ima_cache_flags(struct ima_iint_cache *iint, enum ima_hooks func)
{
	unsigned long hook_bit;

	switch (func) {
	case MMAP_CHECK:
	case MMAP_CHECK_REQPROT:
		hook_bit = IMA_MMAP_APPRAISED;
		break;
	case BPRM_CHECK:
		hook_bit = IMA_BPRM_APPRAISED;
		break;
	case CREDS_CHECK:
		hook_bit = IMA_CREDS_APPRAISED;
		break;
	case FILE_CHECK:
	case POST_SETATTR:
		hook_bit = IMA_FILE_APPRAISED;
		break;
	case MODULE_CHECK ... MAX_CHECK - 1:
	default:
		hook_bit = IMA_READ_APPRAISED;
		break;
	}

	iint->flags |= hook_bit | IMA_APPRAISED;
}
/*
 * ima_get_hash_algo - derive the hash algorithm from a 'security.ima' value
 * @xattr_value: xattr contents (may be NULL)
 * @xattr_len: length of @xattr_value in bytes
 *
 * The value may have been written from userspace, so every field read
 * here is bounded by @xattr_len and the algorithm id is range-checked
 * against HASH_ALGO__LAST before it is returned.  Whenever the value
 * cannot be decoded the kernel's default ima_hash_algo is returned.
 */
enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
				 int xattr_len)
{
	struct signature_v2_hdr *sig;
	enum hash_algo ret;

	/* need at least the type byte and the byte following it */
	if (!xattr_value || xattr_len < 2)
		/* return default hash algo */
		return ima_hash_algo;

	switch (xattr_value->type) {
	case IMA_VERITY_DIGSIG:
		sig = (typeof(sig))xattr_value;
		/*
		 * sig->version is read before the full-header length check;
		 * presumably it sits within the first two bytes guaranteed
		 * above — confirm against struct signature_v2_hdr.
		 */
		if (sig->version != 3 || xattr_len <= sizeof(*sig) ||
		    sig->hash_algo >= HASH_ALGO__LAST)
			return ima_hash_algo;
		return sig->hash_algo;
	case EVM_IMA_XATTR_DIGSIG:
		sig = (typeof(sig))xattr_value;
		if (sig->version != 2 || xattr_len <= sizeof(*sig)
		    || sig->hash_algo >= HASH_ALGO__LAST)
			return ima_hash_algo;
		return sig->hash_algo;
	case IMA_XATTR_DIGEST_NG:
		/* first byte contains algorithm id */
		ret = xattr_value->data[0];
		if (ret < HASH_ALGO__LAST)
			return ret;
		break;
	case IMA_XATTR_DIGEST:
		/* this is for backward compatibility */
		if (xattr_len == 21) {
			unsigned int zero = 0;
			/*
			 * 20 digest bytes: older kernels padded an MD5 digest
			 * to 20 bytes, so four zero bytes after the 16th
			 * distinguish it from a SHA1 digest.
			 */
			if (!memcmp(&xattr_value->data[16], &zero, 4))
				return HASH_ALGO_MD5;
			else
				return HASH_ALGO_SHA1;
		} else if (xattr_len == 17)
			return HASH_ALGO_MD5;
		break;
	}

	/* return default hash algo */
	return ima_hash_algo;
}
/*
 * ima_read_xattr - read 'security.ima' into an allocated buffer
 * @dentry: dentry whose xattr is read
 * @xattr_value: (out) receives the allocated buffer
 * @xattr_len: size hint passed through to vfs_getxattr_alloc()
 *
 * Return the xattr length, 0 when the filesystem does not support
 * xattrs (-EOPNOTSUPP is folded into 0), or a negative error.
 */
int ima_read_xattr(struct dentry *dentry,
		   struct evm_ima_xattr_data **xattr_value, int xattr_len)
{
	int len = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
				     (char **)xattr_value, xattr_len, GFP_NOFS);

	/* a filesystem without xattr support is not an error for IMA */
	return len == -EOPNOTSUPP ? 0 : len;
}
/*
 * calc_file_id_hash - calculate the hash of the ima_file_id struct data
 * @type: xattr type [enum evm_ima_xattr_type]
 * @algo: hash algorithm [enum hash_algo]
 * @digest: pointer to the digest to be hashed
 * @hash: (out) pointer to the hash
 *
 * IMA signature version 3 disambiguates the data that is signed by
 * indirectly signing the hash of the ima_file_id structure data.
 *
 * Signing the ima_file_id struct is currently only supported for
 * IMA_VERITY_DIGSIG type xattrs.
 *
 * Return 0 on success, error code otherwise.
 */
static int calc_file_id_hash(enum evm_ima_xattr_type type,
			     enum hash_algo algo, const u8 *digest,
			     struct ima_digest_data *hash)
{
	struct ima_file_id file_id = {
		.hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
	unsigned int digest_len;
	unsigned int unused;

	/* only the verity signature format signs the ima_file_id structure */
	if (type != IMA_VERITY_DIGSIG)
		return -EINVAL;

	digest_len = hash_digest_size[algo];
	unused = HASH_MAX_DIGESTSIZE - digest_len;

	memcpy(file_id.hash, digest, digest_len);
	hash->algo = algo;
	hash->length = digest_len;

	/* hash only the populated prefix of the structure */
	return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash);
}
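/*
 * xattr_verify - verify xattr digest or signature
 * @func: IMA hook that triggered the appraisal
 * @iint: integrity cache entry holding the collected file hash
 * @xattr_value: 'security.ima' value read from the inode
 * @xattr_len: length of @xattr_value in bytes
 * @status: (out) resulting integrity status
 * @cause: (out) audit cause string when verification does not pass
 *
 * Verify whether the hash or signature matches the file contents.
 *
 * Return 0 on success, error code otherwise.
 */
static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,
			struct evm_ima_xattr_data *xattr_value, int xattr_len,
			enum integrity_status *status, const char **cause)
{
	struct ima_max_digest_data hash;
	struct signature_v2_hdr *sig;
	int rc = -EINVAL, hash_start = 0;
	int mask;
	int data_len;

	switch (xattr_value->type) {
	case IMA_XATTR_DIGEST_NG:
		/* first byte contains algorithm id */
		hash_start = 1;
		fallthrough;
	case IMA_XATTR_DIGEST:
		/*
		 * A plain digest satisfies policy only when no signature is
		 * required; an immutable-pass from EVM keeps the file marked
		 * as signed instead.
		 */
		if (*status != INTEGRITY_PASS_IMMUTABLE) {
			if (iint->flags & IMA_DIGSIG_REQUIRED) {
				if (iint->flags & IMA_VERITY_REQUIRED)
					*cause = "verity-signature-required";
				else
					*cause = "IMA-signature-required";
				*status = INTEGRITY_FAIL;
				break;
			}
			clear_bit(IMA_DIGSIG, &iint->atomic_flags);
		} else {
			set_bit(IMA_DIGSIG, &iint->atomic_flags);
		}

		/*
		 * Bytes available for the digest after the type byte (and
		 * the algorithm byte of the _NG layout).  Computed in signed
		 * arithmetic on purpose: mixing the int @xattr_len with the
		 * size_t sizeof() promotes to unsigned, so an xattr shorter
		 * than its header would wrap to a huge value and pass the
		 * length check instead of failing it.
		 */
		data_len = xattr_len - (int)sizeof(xattr_value->type) -
			   hash_start;
		if (data_len >= 0 &&
		    (size_t)data_len >= iint->ima_hash->length)
			/*
			 * xattr length may be longer. md5 hash in previous
			 * version occupied 20 bytes in xattr, instead of 16
			 */
			rc = memcmp(&xattr_value->data[hash_start],
				    iint->ima_hash->digest,
				    iint->ima_hash->length);
		else
			rc = -EINVAL;
		if (rc) {
			*cause = "invalid-hash";
			*status = INTEGRITY_FAIL;
			break;
		}
		*status = INTEGRITY_PASS;
		break;
	case EVM_IMA_XATTR_DIGSIG:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);

		/* policy asked for a verity signature, a v2 signature won't do */
		mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED;
		if ((iint->flags & mask) == mask) {
			*cause = "verity-signature-required";
			*status = INTEGRITY_FAIL;
			break;
		}

		/*
		 * sig->version is read before integrity_digsig_verify() sees
		 * @xattr_len; presumably the header is at least two bytes
		 * whenever this type byte is present — confirm with callers.
		 */
		sig = (typeof(sig))xattr_value;
		if (sig->version >= 3) {
			*cause = "invalid-signature-version";
			*status = INTEGRITY_FAIL;
			break;
		}
		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
					     (const char *)xattr_value,
					     xattr_len,
					     iint->ima_hash->digest,
					     iint->ima_hash->length);
		if (rc == -EOPNOTSUPP) {
			*status = INTEGRITY_UNKNOWN;
			break;
		}
		/* kexec kernels may instead be signed by a platform key */
		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
		    func == KEXEC_KERNEL_CHECK)
			rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
						     (const char *)xattr_value,
						     xattr_len,
						     iint->ima_hash->digest,
						     iint->ima_hash->length);
		if (rc) {
			*cause = "invalid-signature";
			*status = INTEGRITY_FAIL;
		} else {
			*status = INTEGRITY_PASS;
		}
		break;
	case IMA_VERITY_DIGSIG:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);

		/* a verity signature is only accepted where policy allows it */
		if (iint->flags & IMA_DIGSIG_REQUIRED) {
			if (!(iint->flags & IMA_VERITY_REQUIRED)) {
				*cause = "IMA-signature-required";
				*status = INTEGRITY_FAIL;
				break;
			}
		}

		sig = (typeof(sig))xattr_value;
		if (sig->version != 3) {
			*cause = "invalid-signature-version";
			*status = INTEGRITY_FAIL;
			break;
		}

		/* v3 signs the hash of the ima_file_id structure, not the digest */
		rc = calc_file_id_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
				       iint->ima_hash->digest,
				       container_of(&hash.hdr,
						    struct ima_digest_data, hdr));
		if (rc) {
			*cause = "sigv3-hashing-error";
			*status = INTEGRITY_FAIL;
			break;
		}

		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
					     (const char *)xattr_value,
					     xattr_len, hash.digest,
					     hash.hdr.length);
		if (rc) {
			*cause = "invalid-verity-signature";
			*status = INTEGRITY_FAIL;
		} else {
			*status = INTEGRITY_PASS;
		}
		break;
	default:
		*status = INTEGRITY_UNKNOWN;
		*cause = "unknown-ima-data";
		break;
	}

	return rc;
}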
/*
 * modsig_verify - verify modsig signature
 * @func: IMA hook that triggered the appraisal
 * @modsig: appended module-style signature to check
 * @status: (out) resulting integrity status
 * @cause: (out) audit cause string on failure
 *
 * Verify whether the signature matches the file contents.
 *
 * Return 0 on success, error code otherwise.
 */
static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
			 enum integrity_status *status, const char **cause)
{
	int rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
	bool retry_platform = IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) &&
			      rc && func == KEXEC_KERNEL_CHECK;

	/* kexec kernels may instead be signed by a platform keyring key */
	if (retry_platform)
		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
					     modsig);

	if (!rc) {
		*status = INTEGRITY_PASS;
		return 0;
	}

	*cause = "invalid-signature";
	*status = INTEGRITY_FAIL;
	return rc;
}
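/*
 * ima_check_blacklist - determine if the binary is blacklisted.
 * @iint: integrity cache entry for the file
 * @modsig: appended signature, if one is present and allowed
 * @pcr: PCR to extend when the blacklisted hash is measured
 *
 * Add the hash of the blacklisted binary to the measurement list, based
 * on policy.
 *
 * Returns -EPERM if the hash is blacklisted, 0 otherwise (including when
 * the policy does not request a blacklist check at all).
 */
int ima_check_blacklist(struct ima_iint_cache *iint,
			const struct modsig *modsig, int pcr)
{
	enum hash_algo hash_algo;
	const u8 *digest = NULL;
	u32 digestsize = 0;
	int rc = 0;

	if (!(iint->flags & IMA_CHECK_BLACKLIST))
		return 0;

	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
		rc = is_binary_blacklisted(digest, digestsize);
	} else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash) {
		/*
		 * Remember which digest was checked so that a hit below
		 * measures the actual blacklisted hash.  Previously this
		 * branch left @digest NULL and @digestsize 0, so the
		 * "blacklisted-hash" entry was recorded over an empty buffer.
		 */
		digest = iint->ima_hash->digest;
		digestsize = iint->ima_hash->length;
		rc = is_binary_blacklisted(digest, digestsize);
	}

	/* record the blacklisted hash when policy also asks for measurement */
	if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
		process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
					   "blacklisted-hash", NONE,
					   pcr, NULL, false, NULL, 0);

	return rc;
}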
/*
 * ima_appraise_measurement - appraise file measurement
 * @func: IMA hook that triggered the appraisal
 * @iint: integrity cache entry holding the collected file hash
 * @file: file being appraised
 * @filename: pathname used in audit messages
 * @xattr_value: 'security.ima' value, or NULL
 * @xattr_len: result of reading the xattr (length, 0 or negative error)
 * @modsig: appended signature, if any
 * @bprm_is_check: true for the AT_EXECVE_CHECK exec-check path
 *
 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
 * Assuming success, compare the xattr hash with the collected measurement.
 *
 * Return the resulting integrity status (INTEGRITY_PASS on success); the
 * same value is also cached on @iint for @func.
 */
int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
			     struct file *file, const unsigned char *filename,
			     struct evm_ima_xattr_data *xattr_value,
			     int xattr_len, const struct modsig *modsig,
			     bool bprm_is_check)
{
	static const char op[] = "appraise_data";
	int audit_msgno = AUDIT_INTEGRITY_DATA;
	const char *cause = "unknown";
	struct dentry *dentry = file_dentry(file);
	struct inode *inode = d_backing_inode(dentry);
	enum integrity_status status = INTEGRITY_UNKNOWN;
	/* rc doubles as the xattr read result until verification overwrites it */
	int rc = xattr_len;
	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;

	/* If not appraising a modsig, we need an xattr. */
	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
		return INTEGRITY_UNKNOWN;

	/*
	 * Unlike any of the other LSM hooks where the kernel enforces file
	 * integrity, enforcing file integrity for the bprm_creds_for_exec()
	 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
	 * of the script interpreter(userspace). Differentiate kernel and
	 * userspace enforced integrity audit messages.
	 */
	if (bprm_is_check)
		audit_msgno = AUDIT_INTEGRITY_USERSPACE;

	/* If reading the xattr failed and there's no modsig, error out. */
	if (rc <= 0 && !try_modsig) {
		/* a real read error (not just "no xattr") is reported as-is */
		if (rc && rc != -ENODATA)
			goto out;

		if (iint->flags & IMA_DIGSIG_REQUIRED) {
			if (iint->flags & IMA_VERITY_REQUIRED)
				cause = "verity-signature-required";
			else
				cause = "IMA-signature-required";
		} else {
			cause = "missing-hash";
		}

		status = INTEGRITY_NOLABEL;
		if (file->f_mode & FMODE_CREATED)
			iint->flags |= IMA_NEW_FILE;
		/*
		 * A freshly created file has no label yet; let it through
		 * unless policy demands a signature and it already has data.
		 */
		if ((iint->flags & IMA_NEW_FILE) &&
		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
		     (inode->i_size == 0)))
			status = INTEGRITY_PASS;
		goto out;
	}

	/* EVM protects the xattr itself; a negative rc means no xattr length */
	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
				 rc < 0 ? 0 : rc);
	switch (status) {
	case INTEGRITY_PASS:
	case INTEGRITY_PASS_IMMUTABLE:
	case INTEGRITY_UNKNOWN:
		break;
	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
		/* It's fine not to have xattrs when using a modsig. */
		if (try_modsig)
			break;
		fallthrough;
	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
		cause = "missing-HMAC";
		goto out;
	case INTEGRITY_FAIL_IMMUTABLE:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
		cause = "invalid-fail-immutable";
		goto out;
	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
		cause = "invalid-HMAC";
		goto out;
	default:
		WARN_ONCE(true, "Unexpected integrity status %d\n", status);
	}

	/* xattr_verify() checks the digest/signature against iint->ima_hash */
	if (xattr_value)
		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
				  &cause);

	/*
	 * If we have a modsig and either no imasig or the imasig's key isn't
	 * known, then try verifying the modsig.
	 */
	if (try_modsig &&
	    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
	     rc == -ENOKEY))
		rc = modsig_verify(func, modsig, &status, &cause);

out:
	/*
	 * File signatures on some filesystems can not be properly verified.
	 * When such filesystems are mounted by an untrusted mounter or on a
	 * system not willing to accept such a risk, fail the file signature
	 * verification.
	 */
	if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
	    ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		status = INTEGRITY_FAIL;
		cause = "unverifiable-signature";
		integrity_audit_msg(audit_msgno, inode, filename,
				    op, cause, rc, 0);
	} else if (status != INTEGRITY_PASS) {
		/* Fix mode, but don't replace file signatures. */
		if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
		    (!xattr_value ||
		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
			if (!ima_fix_xattr(dentry, iint))
				status = INTEGRITY_PASS;
		}

		/*
		 * Permit new files with file/EVM portable signatures, but
		 * without data.
		 */
		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
		    test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
			status = INTEGRITY_PASS;
		}

		/* every non-pass outcome is audited, whatever the mode */
		integrity_audit_msg(audit_msgno, inode, filename,
				    op, cause, rc, 0);
	} else {
		ima_cache_flags(iint, func);
	}

	ima_set_cache_status(iint, func, status);
	return status;
}
/*
 * ima_update_xattr - update 'security.ima' hash value
 * @iint: integrity cache entry for the file
 * @file: file whose hash is re-collected and written back
 *
 * Signed files are never touched.  Otherwise the hash is refreshed only
 * when the file previously passed appraisal or the policy asks for a
 * hash, and the write happens under the inode lock.
 */
void ima_update_xattr(struct ima_iint_cache *iint, struct file *file)
{
	struct dentry *dentry = file_dentry(file);
	struct inode *inode = file_inode(file);
	bool signed_file = test_bit(IMA_DIGSIG, &iint->atomic_flags);
	bool hash_requested = iint->flags & IMA_HASH;

	/* do not collect and update hash for digital signatures */
	if (signed_file)
		return;

	if (iint->ima_file_status != INTEGRITY_PASS && !hash_requested)
		return;

	if (ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL) < 0)
		return;

	inode_lock(inode);
	ima_fix_xattr(dentry, iint);
	inode_unlock(inode);
}
/**
 * ima_inode_post_setattr - reflect file metadata changes
 * @idmap: idmap of the mount the inode was found from
 * @dentry: pointer to the affected dentry
 * @ia_valid: for the UID and GID status
 *
 * Changes to a dentry's metadata might result in needing to appraise.
 *
 * This function is called from notify_change(), which expects the caller
 * to lock the inode's i_mutex.
 */
static void ima_inode_post_setattr(struct mnt_idmap *idmap,
				   struct dentry *dentry, int ia_valid)
{
	struct inode *inode = d_backing_inode(dentry);
	struct ima_iint_cache *iint;
	bool appraising = ima_policy_flag & IMA_APPRAISE;
	int action;

	/* only regular files on xattr-capable filesystems are appraised */
	if (!appraising || !S_ISREG(inode->i_mode) ||
	    !(inode->i_opflags & IOP_XATTR))
		return;

	action = ima_must_appraise(idmap, inode, MAY_ACCESS, POST_SETATTR);

	iint = ima_iint_find(inode);
	if (!iint)
		return;

	set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
	/* no longer covered by an appraise rule: drop any pending xattr update */
	if (!action)
		clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
}
/*
 * ima_protect_xattr - protect 'security.ima'
 * @dentry: target of the xattr operation (unused here)
 * @xattr_name: name of the xattr being set or removed
 * @xattr_value: new value (unused here)
 * @xattr_value_len: length of @xattr_value (unused here)
 *
 * Ensure that not just anyone can modify or remove 'security.ima'.
 *
 * Return 1 when @xattr_name is 'security.ima' and the caller holds
 * CAP_SYS_ADMIN, -EPERM when it is 'security.ima' but the caller does
 * not, and 0 for any other xattr.
 */
static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
			     const void *xattr_value, size_t xattr_value_len)
{
	bool is_ima_xattr = strcmp(xattr_name, XATTR_NAME_IMA) == 0;

	if (!is_ima_xattr)
		return 0;

	return capable(CAP_SYS_ADMIN) ? 1 : -EPERM;
}
/*
 * ima_reset_appraise_flags - reset ima_iint_cache flags
 * @inode: inode whose cached appraisal state is reset
 * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values
 *   0: clear IMA_DIGSIG
 *   1: set IMA_DIGSIG
 *  -1: don't change IMA_DIGSIG
 *
 * Does nothing unless appraisal is in the policy and @inode is a
 * regular file with an existing integrity cache entry.
 */
static void ima_reset_appraise_flags(struct inode *inode, int digsig)
{
	struct ima_iint_cache *iint;

	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
		return;

	iint = ima_iint_find(inode);
	if (!iint)
		return;

	/* drop the cached measurement state and note the xattr change */
	iint->measured_pcrs = 0;
	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);

	switch (digsig) {
	case 1:
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
		break;
	case 0:
		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
		break;
	default:
		/* -1 (or anything else): leave IMA_DIGSIG untouched */
		break;
	}
}
/**
 * validate_hash_algo() - Block setxattr with unsupported hash algorithms
 * @dentry: object of the setxattr()
 * @xattr_value: userland supplied xattr value
 * @xattr_value_len: length of xattr_value
 *
 * The xattr value is mapped to its hash algorithm, and this algorithm
 * must be built in the kernel for the setxattr to be allowed.
 *
 * Emit an audit message when the algorithm is invalid.
 *
 * Return: 0 on success, else an error.
 */
static int validate_hash_algo(struct dentry *dentry,
			      const struct evm_ima_xattr_data *xattr_value,
			      size_t xattr_value_len)
{
	enum hash_algo algo = ima_get_hash_algo(xattr_value, xattr_value_len);
	unsigned int allowed = atomic_read(&ima_setxattr_allowed_hash_algorithms);
	const char *errmsg;
	char *pathbuf;
	char *path;

	if (allowed) {
		/* a policy rule restricts the set of acceptable algorithms */
		if (allowed & (1U << algo))
			return 0;
		/*
		 * Distinct audit message: the algorithm was denied by policy,
		 * not missing from the kernel image.
		 */
		errmsg = "denied-hash-algorithm";
	} else {
		/* allow any xattr using an algorithm built in the kernel */
		if (likely(algo == ima_hash_algo) ||
		    crypto_has_alg(hash_algo_name[algo], 0, 0))
			return 0;
		errmsg = "unavailable-hash-algorithm";
	}

	pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
	if (!pathbuf)
		return -EACCES;

	path = dentry_path(dentry, pathbuf, PATH_MAX);
	integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
			    "set_data", errmsg, -EACCES, 0);
	kfree(pathbuf);

	return -EACCES;
}
/*
 * ima_inode_setxattr - LSM hook run before an xattr is written
 * @idmap: idmap of the mount (unused here)
 * @dentry: target of the setxattr()
 * @xattr_name: name of the xattr
 * @xattr_value: userland supplied value
 * @xattr_value_len: length of @xattr_value
 * @flags: setxattr flags (unused here)
 *
 * 'security.ima' writes need CAP_SYS_ADMIN, a non-empty value with a known
 * type byte and an acceptable hash algorithm.  Any write that affects IMA
 * or EVM state resets the cached appraisal flags, recording whether the
 * new value is a signature.
 *
 * Return 0 to allow the write, else a negative error.
 */
static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
			      const char *xattr_name, const void *xattr_value,
			      size_t xattr_value_len, int flags)
{
	const struct evm_ima_xattr_data *xvalue = xattr_value;
	int digsig;
	int result;
	bool is_ima;

	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
				   xattr_value_len);
	is_ima = (result == 1);

	if (is_ima) {
		int err;

		/* reject empty values and unknown type bytes before decoding */
		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
			return -EINVAL;
		err = validate_hash_algo(dentry, xvalue, xattr_value_len);
		if (err)
			return err;
		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
	} else {
		digsig = -1;
	}

	/* xattrs outside EVM's view leave the cached state alone */
	if (!is_ima && !evm_revalidate_status(xattr_name))
		return result;

	ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
	return is_ima ? 0 : result;
}
/*
 * ima_inode_set_acl - LSM hook run when a POSIX ACL is set
 *
 * An ACL change that EVM cares about invalidates the cached appraisal
 * state; IMA_DIGSIG is left untouched.  Always allows the operation.
 */
static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
			     const char *acl_name, struct posix_acl *kacl)
{
	bool affects_evm = evm_revalidate_status(acl_name);

	if (affects_evm)
		ima_reset_appraise_flags(d_backing_inode(dentry), -1);

	return 0;
}
/*
 * ima_inode_removexattr - LSM hook run before an xattr is removed
 *
 * Removing 'security.ima' needs CAP_SYS_ADMIN and clears the cached
 * IMA_DIGSIG flag; removing any other xattr EVM cares about resets the
 * appraisal state without touching IMA_DIGSIG.
 *
 * Return 0 to allow the removal, else a negative error.
 */
static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
				 const char *xattr_name)
{
	int result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
	bool is_ima = (result == 1);
	int digsig;

	if (!is_ima && !evm_revalidate_status(xattr_name))
		return result;

	digsig = strcmp(xattr_name, XATTR_NAME_IMA) ? -1 : 0;
	ima_reset_appraise_flags(d_backing_inode(dentry), digsig);

	return is_ima ? 0 : result;
}
/*
 * ima_inode_remove_acl - LSM hook run when a POSIX ACL is removed
 *
 * Handled exactly like setting a NULL ACL.
 */
static int ima_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
				const char *acl_name)
{
	struct posix_acl *no_acl = NULL;

	return ima_inode_set_acl(idmap, dentry, acl_name, no_acl);
}
/*
 * LSM hooks through which attribute, xattr and ACL changes reach IMA
 * appraisal; registered once by init_ima_appraise_lsm().
 */
static struct security_hook_list ima_appraise_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(inode_post_setattr, ima_inode_post_setattr),
	LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr),
	LSM_HOOK_INIT(inode_set_acl, ima_inode_set_acl),
	LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr),
	LSM_HOOK_INIT(inode_remove_acl, ima_inode_remove_acl),
};
/*
 * init_ima_appraise_lsm - register the appraisal LSM hooks
 * @lsmid: LSM identity the hooks are registered under
 */
void __init init_ima_appraise_lsm(const struct lsm_id *lsmid)
{
	const unsigned int count = ARRAY_SIZE(ima_appraise_hooks);

	security_add_hooks(ima_appraise_hooks, count, lsmid);
}