linux/security/integrity/evm/evm_main.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright (C) 2005-2010 IBM Corporation
   4 *
   5 * Author:
   6 * Mimi Zohar <zohar@us.ibm.com>
   7 * Kylene Hall <kjhall@us.ibm.com>
   8 *
   9 * File: evm_main.c
  10 *      implements evm_inode_setxattr, evm_inode_post_setxattr,
  11 *      evm_inode_removexattr, and evm_verifyxattr
  12 */
  13
  14#define pr_fmt(fmt) "EVM: "fmt
  15
  16#include <linux/init.h>
  17#include <linux/crypto.h>
  18#include <linux/audit.h>
  19#include <linux/xattr.h>
  20#include <linux/integrity.h>
  21#include <linux/evm.h>
  22#include <linux/magic.h>
  23#include <linux/posix_acl_xattr.h>
  24
  25#include <crypto/hash.h>
  26#include <crypto/hash_info.h>
  27#include <crypto/algapi.h>
  28#include "evm.h"
  29
  30int evm_initialized;
  31
  32static const char * const integrity_status_msg[] = {
  33        "pass", "pass_immutable", "fail", "fail_immutable", "no_label",
  34        "no_xattrs", "unknown"
  35};
  36int evm_hmac_attrs;
  37
  38static struct xattr_list evm_config_default_xattrnames[] = {
  39        {.name = XATTR_NAME_SELINUX,
  40#ifdef CONFIG_SECURITY_SELINUX
  41         .enabled = true
  42#endif
  43        },
  44        {.name = XATTR_NAME_SMACK,
  45#ifdef CONFIG_SECURITY_SMACK
  46         .enabled = true
  47#endif
  48        },
  49        {.name = XATTR_NAME_SMACKEXEC,
  50#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
  51         .enabled = true
  52#endif
  53        },
  54        {.name = XATTR_NAME_SMACKTRANSMUTE,
  55#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
  56         .enabled = true
  57#endif
  58        },
  59        {.name = XATTR_NAME_SMACKMMAP,
  60#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
  61         .enabled = true
  62#endif
  63        },
  64        {.name = XATTR_NAME_APPARMOR,
  65#ifdef CONFIG_SECURITY_APPARMOR
  66         .enabled = true
  67#endif
  68        },
  69        {.name = XATTR_NAME_IMA,
  70#ifdef CONFIG_IMA_APPRAISE
  71         .enabled = true
  72#endif
  73        },
  74        {.name = XATTR_NAME_CAPS,
  75         .enabled = true
  76        },
  77};
  78
  79LIST_HEAD(evm_config_xattrnames);
  80
  81static int evm_fixmode;
  82static int __init evm_set_fixmode(char *str)
  83{
  84        if (strncmp(str, "fix", 3) == 0)
  85                evm_fixmode = 1;
  86        else
  87                pr_err("invalid \"%s\" mode", str);
  88
  89        return 0;
  90}
  91__setup("evm=", evm_set_fixmode);
  92
  93static void __init evm_init_config(void)
  94{
  95        int i, xattrs;
  96
  97        xattrs = ARRAY_SIZE(evm_config_default_xattrnames);
  98
  99        pr_info("Initialising EVM extended attributes:\n");
 100        for (i = 0; i < xattrs; i++) {
 101                pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
 102                        !evm_config_default_xattrnames[i].enabled ?
 103                        " (disabled)" : "");
 104                list_add_tail(&evm_config_default_xattrnames[i].list,
 105                              &evm_config_xattrnames);
 106        }
 107
 108#ifdef CONFIG_EVM_ATTR_FSUUID
 109        evm_hmac_attrs |= EVM_ATTR_FSUUID;
 110#endif
 111        pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
 112}
 113
 114static bool evm_key_loaded(void)
 115{
 116        return (bool)(evm_initialized & EVM_KEY_MASK);
 117}
 118
 119/*
 120 * This function determines whether or not it is safe to ignore verification
 121 * errors, based on the ability of EVM to calculate HMACs. If the HMAC key
 122 * is not loaded, and it cannot be loaded in the future due to the
 123 * EVM_SETUP_COMPLETE initialization flag, allowing an operation despite the
 124 * attrs/xattrs being found invalid will not make them valid.
 125 */
 126static bool evm_hmac_disabled(void)
 127{
 128        if (evm_initialized & EVM_INIT_HMAC)
 129                return false;
 130
 131        if (!(evm_initialized & EVM_SETUP_COMPLETE))
 132                return false;
 133
 134        return true;
 135}
 136
 137static int evm_find_protected_xattrs(struct dentry *dentry)
 138{
 139        struct inode *inode = d_backing_inode(dentry);
 140        struct xattr_list *xattr;
 141        int error;
 142        int count = 0;
 143
 144        if (!(inode->i_opflags & IOP_XATTR))
 145                return -EOPNOTSUPP;
 146
 147        list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
 148                error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);
 149                if (error < 0) {
 150                        if (error == -ENODATA)
 151                                continue;
 152                        return error;
 153                }
 154                count++;
 155        }
 156
 157        return count;
 158}
 159
 160/*
 161 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
 162 *
 163 * Compute the HMAC on the dentry's protected set of extended attributes
 164 * and compare it against the stored security.evm xattr.
 165 *
 166 * For performance:
 167 * - use the previoulsy retrieved xattr value and length to calculate the
 168 *   HMAC.)
 169 * - cache the verification result in the iint, when available.
 170 *
 171 * Returns integrity status
 172 */
 173static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 174                                             const char *xattr_name,
 175                                             char *xattr_value,
 176                                             size_t xattr_value_len,
 177                                             struct integrity_iint_cache *iint)
 178{
 179        struct evm_ima_xattr_data *xattr_data = NULL;
 180        struct signature_v2_hdr *hdr;
 181        enum integrity_status evm_status = INTEGRITY_PASS;
 182        struct evm_digest digest;
 183        struct inode *inode;
 184        int rc, xattr_len, evm_immutable = 0;
 185
 186        if (iint && (iint->evm_status == INTEGRITY_PASS ||
 187                     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
 188                return iint->evm_status;
 189
 190        /* if status is not PASS, try to check again - against -ENOMEM */
 191
 192        /* first need to know the sig type */
 193        rc = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_EVM,
 194                                (char **)&xattr_data, 0, GFP_NOFS);
 195        if (rc <= 0) {
 196                evm_status = INTEGRITY_FAIL;
 197                if (rc == -ENODATA) {
 198                        rc = evm_find_protected_xattrs(dentry);
 199                        if (rc > 0)
 200                                evm_status = INTEGRITY_NOLABEL;
 201                        else if (rc == 0)
 202                                evm_status = INTEGRITY_NOXATTRS; /* new file */
 203                } else if (rc == -EOPNOTSUPP) {
 204                        evm_status = INTEGRITY_UNKNOWN;
 205                }
 206                goto out;
 207        }
 208
 209        xattr_len = rc;
 210
 211        /* check value type */
 212        switch (xattr_data->type) {
 213        case EVM_XATTR_HMAC:
 214                if (xattr_len != sizeof(struct evm_xattr)) {
 215                        evm_status = INTEGRITY_FAIL;
 216                        goto out;
 217                }
 218
 219                digest.hdr.algo = HASH_ALGO_SHA1;
 220                rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
 221                                   xattr_value_len, &digest);
 222                if (rc)
 223                        break;
 224                rc = crypto_memneq(xattr_data->data, digest.digest,
 225                                   SHA1_DIGEST_SIZE);
 226                if (rc)
 227                        rc = -EINVAL;
 228                break;
 229        case EVM_XATTR_PORTABLE_DIGSIG:
 230                evm_immutable = 1;
 231                fallthrough;
 232        case EVM_IMA_XATTR_DIGSIG:
 233                /* accept xattr with non-empty signature field */
 234                if (xattr_len <= sizeof(struct signature_v2_hdr)) {
 235                        evm_status = INTEGRITY_FAIL;
 236                        goto out;
 237                }
 238
 239                hdr = (struct signature_v2_hdr *)xattr_data;
 240                digest.hdr.algo = hdr->hash_algo;
 241                rc = evm_calc_hash(dentry, xattr_name, xattr_value,
 242                                   xattr_value_len, xattr_data->type, &digest);
 243                if (rc)
 244                        break;
 245                rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
 246                                        (const char *)xattr_data, xattr_len,
 247                                        digest.digest, digest.hdr.length);
 248                if (!rc) {
 249                        inode = d_backing_inode(dentry);
 250
 251                        if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
 252                                if (iint)
 253                                        iint->flags |= EVM_IMMUTABLE_DIGSIG;
 254                                evm_status = INTEGRITY_PASS_IMMUTABLE;
 255                        } else if (!IS_RDONLY(inode) &&
 256                                   !(inode->i_sb->s_readonly_remount) &&
 257                                   !IS_IMMUTABLE(inode)) {
 258                                evm_update_evmxattr(dentry, xattr_name,
 259                                                    xattr_value,
 260                                                    xattr_value_len);
 261                        }
 262                }
 263                break;
 264        default:
 265                rc = -EINVAL;
 266                break;
 267        }
 268
 269        if (rc) {
 270                if (rc == -ENODATA)
 271                        evm_status = INTEGRITY_NOXATTRS;
 272                else if (evm_immutable)
 273                        evm_status = INTEGRITY_FAIL_IMMUTABLE;
 274                else
 275                        evm_status = INTEGRITY_FAIL;
 276        }
 277        pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
 278                  digest.digest);
 279out:
 280        if (iint)
 281                iint->evm_status = evm_status;
 282        kfree(xattr_data);
 283        return evm_status;
 284}
 285
 286static int evm_protected_xattr_common(const char *req_xattr_name,
 287                                      bool all_xattrs)
 288{
 289        int namelen;
 290        int found = 0;
 291        struct xattr_list *xattr;
 292
 293        namelen = strlen(req_xattr_name);
 294        list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
 295                if (!all_xattrs && !xattr->enabled)
 296                        continue;
 297
 298                if ((strlen(xattr->name) == namelen)
 299                    && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
 300                        found = 1;
 301                        break;
 302                }
 303                if (strncmp(req_xattr_name,
 304                            xattr->name + XATTR_SECURITY_PREFIX_LEN,
 305                            strlen(req_xattr_name)) == 0) {
 306                        found = 1;
 307                        break;
 308                }
 309        }
 310
 311        return found;
 312}
 313
 314static int evm_protected_xattr(const char *req_xattr_name)
 315{
 316        return evm_protected_xattr_common(req_xattr_name, false);
 317}
 318
 319int evm_protected_xattr_if_enabled(const char *req_xattr_name)
 320{
 321        return evm_protected_xattr_common(req_xattr_name, true);
 322}
 323
 324/**
 325 * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
 326 * @dentry: dentry of the read xattrs
 327 * @inode: inode of the read xattrs
 328 * @buffer: buffer xattr names, lengths or values are copied to
 329 * @buffer_size: size of buffer
 330 * @type: n: names, l: lengths, v: values
 331 * @canonical_fmt: data format (true: little endian, false: native format)
 332 *
 333 * Read protected xattr names (separated by |), lengths (u32) or values for a
 334 * given dentry and return the total size of copied data. If buffer is NULL,
 335 * just return the total size.
 336 *
 337 * Returns the total size on success, a negative value on error.
 338 */
 339int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
 340                              int buffer_size, char type, bool canonical_fmt)
 341{
 342        struct xattr_list *xattr;
 343        int rc, size, total_size = 0;
 344
 345        list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
 346                rc = __vfs_getxattr(dentry, d_backing_inode(dentry),
 347                                    xattr->name, NULL, 0);
 348                if (rc < 0 && rc == -ENODATA)
 349                        continue;
 350                else if (rc < 0)
 351                        return rc;
 352
 353                switch (type) {
 354                case 'n':
 355                        size = strlen(xattr->name) + 1;
 356                        if (buffer) {
 357                                if (total_size)
 358                                        *(buffer + total_size - 1) = '|';
 359
 360                                memcpy(buffer + total_size, xattr->name, size);
 361                        }
 362                        break;
 363                case 'l':
 364                        size = sizeof(u32);
 365                        if (buffer) {
 366                                if (canonical_fmt)
 367                                        rc = (__force int)cpu_to_le32(rc);
 368
 369                                *(u32 *)(buffer + total_size) = rc;
 370                        }
 371                        break;
 372                case 'v':
 373                        size = rc;
 374                        if (buffer) {
 375                                rc = __vfs_getxattr(dentry,
 376                                        d_backing_inode(dentry), xattr->name,
 377                                        buffer + total_size,
 378                                        buffer_size - total_size);
 379                                if (rc < 0)
 380                                        return rc;
 381                        }
 382                        break;
 383                default:
 384                        return -EINVAL;
 385                }
 386
 387                total_size += size;
 388        }
 389
 390        return total_size;
 391}
 392
 393/**
 394 * evm_verifyxattr - verify the integrity of the requested xattr
 395 * @dentry: object of the verify xattr
 396 * @xattr_name: requested xattr
 397 * @xattr_value: requested xattr value
 398 * @xattr_value_len: requested xattr value length
 399 *
 400 * Calculate the HMAC for the given dentry and verify it against the stored
 401 * security.evm xattr. For performance, use the xattr value and length
 402 * previously retrieved to calculate the HMAC.
 403 *
 404 * Returns the xattr integrity status.
 405 *
 406 * This function requires the caller to lock the inode's i_mutex before it
 407 * is executed.
 408 */
 409enum integrity_status evm_verifyxattr(struct dentry *dentry,
 410                                      const char *xattr_name,
 411                                      void *xattr_value, size_t xattr_value_len,
 412                                      struct integrity_iint_cache *iint)
 413{
 414        if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
 415                return INTEGRITY_UNKNOWN;
 416
 417        if (!iint) {
 418                iint = integrity_iint_find(d_backing_inode(dentry));
 419                if (!iint)
 420                        return INTEGRITY_UNKNOWN;
 421        }
 422        return evm_verify_hmac(dentry, xattr_name, xattr_value,
 423                                 xattr_value_len, iint);
 424}
 425EXPORT_SYMBOL_GPL(evm_verifyxattr);
 426
 427/*
 428 * evm_verify_current_integrity - verify the dentry's metadata integrity
 429 * @dentry: pointer to the affected dentry
 430 *
 431 * Verify and return the dentry's metadata integrity. The exceptions are
 432 * before EVM is initialized or in 'fix' mode.
 433 */
 434static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
 435{
 436        struct inode *inode = d_backing_inode(dentry);
 437
 438        if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
 439                return 0;
 440        return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
 441}
 442
 443/*
 444 * evm_xattr_acl_change - check if passed ACL changes the inode mode
 445 * @mnt_userns: user namespace of the idmapped mount
 446 * @dentry: pointer to the affected dentry
 447 * @xattr_name: requested xattr
 448 * @xattr_value: requested xattr value
 449 * @xattr_value_len: requested xattr value length
 450 *
 451 * Check if passed ACL changes the inode mode, which is protected by EVM.
 452 *
 453 * Returns 1 if passed ACL causes inode mode change, 0 otherwise.
 454 */
 455static int evm_xattr_acl_change(struct user_namespace *mnt_userns,
 456                                struct dentry *dentry, const char *xattr_name,
 457                                const void *xattr_value, size_t xattr_value_len)
 458{
 459#ifdef CONFIG_FS_POSIX_ACL
 460        umode_t mode;
 461        struct posix_acl *acl = NULL, *acl_res;
 462        struct inode *inode = d_backing_inode(dentry);
 463        int rc;
 464
 465        /*
 466         * user_ns is not relevant here, ACL_USER/ACL_GROUP don't have impact
 467         * on the inode mode (see posix_acl_equiv_mode()).
 468         */
 469        acl = posix_acl_from_xattr(&init_user_ns, xattr_value, xattr_value_len);
 470        if (IS_ERR_OR_NULL(acl))
 471                return 1;
 472
 473        acl_res = acl;
 474        /*
 475         * Passing mnt_userns is necessary to correctly determine the GID in
 476         * an idmapped mount, as the GID is used to clear the setgid bit in
 477         * the inode mode.
 478         */
 479        rc = posix_acl_update_mode(mnt_userns, inode, &mode, &acl_res);
 480
 481        posix_acl_release(acl);
 482
 483        if (rc)
 484                return 1;
 485
 486        if (inode->i_mode != mode)
 487                return 1;
 488#endif
 489        return 0;
 490}
 491
 492/*
 493 * evm_xattr_change - check if passed xattr value differs from current value
 494 * @mnt_userns: user namespace of the idmapped mount
 495 * @dentry: pointer to the affected dentry
 496 * @xattr_name: requested xattr
 497 * @xattr_value: requested xattr value
 498 * @xattr_value_len: requested xattr value length
 499 *
 500 * Check if passed xattr value differs from current value.
 501 *
 502 * Returns 1 if passed xattr value differs from current value, 0 otherwise.
 503 */
 504static int evm_xattr_change(struct user_namespace *mnt_userns,
 505                            struct dentry *dentry, const char *xattr_name,
 506                            const void *xattr_value, size_t xattr_value_len)
 507{
 508        char *xattr_data = NULL;
 509        int rc = 0;
 510
 511        if (posix_xattr_acl(xattr_name))
 512                return evm_xattr_acl_change(mnt_userns, dentry, xattr_name,
 513                                            xattr_value, xattr_value_len);
 514
 515        rc = vfs_getxattr_alloc(&init_user_ns, dentry, xattr_name, &xattr_data,
 516                                0, GFP_NOFS);
 517        if (rc < 0)
 518                return 1;
 519
 520        if (rc == xattr_value_len)
 521                rc = !!memcmp(xattr_value, xattr_data, rc);
 522        else
 523                rc = 1;
 524
 525        kfree(xattr_data);
 526        return rc;
 527}
 528
 529/*
 530 * evm_protect_xattr - protect the EVM extended attribute
 531 *
 532 * Prevent security.evm from being modified or removed without the
 533 * necessary permissions or when the existing value is invalid.
 534 *
 535 * The posix xattr acls are 'system' prefixed, which normally would not
 536 * affect security.evm.  An interesting side affect of writing posix xattr
 537 * acls is their modifying of the i_mode, which is included in security.evm.
 538 * For posix xattr acls only, permit security.evm, even if it currently
 539 * doesn't exist, to be updated unless the EVM signature is immutable.
 540 */
 541static int evm_protect_xattr(struct user_namespace *mnt_userns,
 542                             struct dentry *dentry, const char *xattr_name,
 543                             const void *xattr_value, size_t xattr_value_len)
 544{
 545        enum integrity_status evm_status;
 546
 547        if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
 548                if (!capable(CAP_SYS_ADMIN))
 549                        return -EPERM;
 550        } else if (!evm_protected_xattr(xattr_name)) {
 551                if (!posix_xattr_acl(xattr_name))
 552                        return 0;
 553                evm_status = evm_verify_current_integrity(dentry);
 554                if ((evm_status == INTEGRITY_PASS) ||
 555                    (evm_status == INTEGRITY_NOXATTRS))
 556                        return 0;
 557                goto out;
 558        }
 559
 560        evm_status = evm_verify_current_integrity(dentry);
 561        if (evm_status == INTEGRITY_NOXATTRS) {
 562                struct integrity_iint_cache *iint;
 563
 564                /* Exception if the HMAC is not going to be calculated. */
 565                if (evm_hmac_disabled())
 566                        return 0;
 567
 568                iint = integrity_iint_find(d_backing_inode(dentry));
 569                if (iint && (iint->flags & IMA_NEW_FILE))
 570                        return 0;
 571
 572                /* exception for pseudo filesystems */
 573                if (dentry->d_sb->s_magic == TMPFS_MAGIC
 574                    || dentry->d_sb->s_magic == SYSFS_MAGIC)
 575                        return 0;
 576
 577                integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
 578                                    dentry->d_inode, dentry->d_name.name,
 579                                    "update_metadata",
 580                                    integrity_status_msg[evm_status],
 581                                    -EPERM, 0);
 582        }
 583out:
 584        /* Exception if the HMAC is not going to be calculated. */
 585        if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
 586            evm_status == INTEGRITY_UNKNOWN))
 587                return 0;
 588
 589        /*
 590         * Writing other xattrs is safe for portable signatures, as portable
 591         * signatures are immutable and can never be updated.
 592         */
 593        if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
 594                return 0;
 595
 596        if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
 597            !evm_xattr_change(mnt_userns, dentry, xattr_name, xattr_value,
 598                              xattr_value_len))
 599                return 0;
 600
 601        if (evm_status != INTEGRITY_PASS &&
 602            evm_status != INTEGRITY_PASS_IMMUTABLE)
 603                integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 604                                    dentry->d_name.name, "appraise_metadata",
 605                                    integrity_status_msg[evm_status],
 606                                    -EPERM, 0);
 607        return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
 608}
 609
 610/**
 611 * evm_inode_setxattr - protect the EVM extended attribute
 612 * @mnt_userns: user namespace of the idmapped mount
 613 * @dentry: pointer to the affected dentry
 614 * @xattr_name: pointer to the affected extended attribute name
 615 * @xattr_value: pointer to the new extended attribute value
 616 * @xattr_value_len: pointer to the new extended attribute value length
 617 *
 618 * Before allowing the 'security.evm' protected xattr to be updated,
 619 * verify the existing value is valid.  As only the kernel should have
 620 * access to the EVM encrypted key needed to calculate the HMAC, prevent
 621 * userspace from writing HMAC value.  Writing 'security.evm' requires
 622 * requires CAP_SYS_ADMIN privileges.
 623 */
 624int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
 625                       const char *xattr_name, const void *xattr_value,
 626                       size_t xattr_value_len)
 627{
 628        const struct evm_ima_xattr_data *xattr_data = xattr_value;
 629
 630        /* Policy permits modification of the protected xattrs even though
 631         * there's no HMAC key loaded
 632         */
 633        if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 634                return 0;
 635
 636        if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
 637                if (!xattr_value_len)
 638                        return -EINVAL;
 639                if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
 640                    xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
 641                        return -EPERM;
 642        }
 643        return evm_protect_xattr(mnt_userns, dentry, xattr_name, xattr_value,
 644                                 xattr_value_len);
 645}
 646
 647/**
 648 * evm_inode_removexattr - protect the EVM extended attribute
 649 * @mnt_userns: user namespace of the idmapped mount
 650 * @dentry: pointer to the affected dentry
 651 * @xattr_name: pointer to the affected extended attribute name
 652 *
 653 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
 654 * the current value is valid.
 655 */
 656int evm_inode_removexattr(struct user_namespace *mnt_userns,
 657                          struct dentry *dentry, const char *xattr_name)
 658{
 659        /* Policy permits modification of the protected xattrs even though
 660         * there's no HMAC key loaded
 661         */
 662        if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 663                return 0;
 664
 665        return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0);
 666}
 667
 668static void evm_reset_status(struct inode *inode)
 669{
 670        struct integrity_iint_cache *iint;
 671
 672        iint = integrity_iint_find(inode);
 673        if (iint)
 674                iint->evm_status = INTEGRITY_UNKNOWN;
 675}
 676
 677/**
 678 * evm_revalidate_status - report whether EVM status re-validation is necessary
 679 * @xattr_name: pointer to the affected extended attribute name
 680 *
 681 * Report whether callers of evm_verifyxattr() should re-validate the
 682 * EVM status.
 683 *
 684 * Return true if re-validation is necessary, false otherwise.
 685 */
 686bool evm_revalidate_status(const char *xattr_name)
 687{
 688        if (!evm_key_loaded())
 689                return false;
 690
 691        /* evm_inode_post_setattr() passes NULL */
 692        if (!xattr_name)
 693                return true;
 694
 695        if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) &&
 696            strcmp(xattr_name, XATTR_NAME_EVM))
 697                return false;
 698
 699        return true;
 700}
 701
 702/**
 703 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
 704 * @dentry: pointer to the affected dentry
 705 * @xattr_name: pointer to the affected extended attribute name
 706 * @xattr_value: pointer to the new extended attribute value
 707 * @xattr_value_len: pointer to the new extended attribute value length
 708 *
 709 * Update the HMAC stored in 'security.evm' to reflect the change.
 710 *
 711 * No need to take the i_mutex lock here, as this function is called from
 712 * __vfs_setxattr_noperm().  The caller of which has taken the inode's
 713 * i_mutex lock.
 714 */
 715void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
 716                             const void *xattr_value, size_t xattr_value_len)
 717{
 718        if (!evm_revalidate_status(xattr_name))
 719                return;
 720
 721        evm_reset_status(dentry->d_inode);
 722
 723        if (!strcmp(xattr_name, XATTR_NAME_EVM))
 724                return;
 725
 726        if (!(evm_initialized & EVM_INIT_HMAC))
 727                return;
 728
 729        evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
 730}
 731
 732/**
 733 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
 734 * @dentry: pointer to the affected dentry
 735 * @xattr_name: pointer to the affected extended attribute name
 736 *
 737 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
 738 *
 739 * No need to take the i_mutex lock here, as this function is called from
 740 * vfs_removexattr() which takes the i_mutex.
 741 */
 742void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 743{
 744        if (!evm_revalidate_status(xattr_name))
 745                return;
 746
 747        evm_reset_status(dentry->d_inode);
 748
 749        if (!strcmp(xattr_name, XATTR_NAME_EVM))
 750                return;
 751
 752        if (!(evm_initialized & EVM_INIT_HMAC))
 753                return;
 754
 755        evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 756}
 757
 758static int evm_attr_change(struct dentry *dentry, struct iattr *attr)
 759{
 760        struct inode *inode = d_backing_inode(dentry);
 761        unsigned int ia_valid = attr->ia_valid;
 762
 763        if ((!(ia_valid & ATTR_UID) || uid_eq(attr->ia_uid, inode->i_uid)) &&
 764            (!(ia_valid & ATTR_GID) || gid_eq(attr->ia_gid, inode->i_gid)) &&
 765            (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode))
 766                return 0;
 767
 768        return 1;
 769}
 770
 771/**
 772 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
 773 * @dentry: pointer to the affected dentry
 774 *
 775 * Permit update of file attributes when files have a valid EVM signature,
 776 * except in the case of them having an immutable portable signature.
 777 */
 778int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 779{
 780        unsigned int ia_valid = attr->ia_valid;
 781        enum integrity_status evm_status;
 782
 783        /* Policy permits modification of the protected attrs even though
 784         * there's no HMAC key loaded
 785         */
 786        if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
 787                return 0;
 788
 789        if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
 790                return 0;
 791        evm_status = evm_verify_current_integrity(dentry);
 792        /*
 793         * Writing attrs is safe for portable signatures, as portable signatures
 794         * are immutable and can never be updated.
 795         */
 796        if ((evm_status == INTEGRITY_PASS) ||
 797            (evm_status == INTEGRITY_NOXATTRS) ||
 798            (evm_status == INTEGRITY_FAIL_IMMUTABLE) ||
 799            (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL ||
 800             evm_status == INTEGRITY_UNKNOWN)))
 801                return 0;
 802
 803        if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
 804            !evm_attr_change(dentry, attr))
 805                return 0;
 806
 807        integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
 808                            dentry->d_name.name, "appraise_metadata",
 809                            integrity_status_msg[evm_status], -EPERM, 0);
 810        return -EPERM;
 811}
 812
 813/**
 814 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
 815 * @dentry: pointer to the affected dentry
 816 * @ia_valid: for the UID and GID status
 817 *
 818 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
 819 * changes.
 820 *
 821 * This function is called from notify_change(), which expects the caller
 822 * to lock the inode's i_mutex.
 823 */
 824void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 825{
 826        if (!evm_revalidate_status(NULL))
 827                return;
 828
 829        evm_reset_status(dentry->d_inode);
 830
 831        if (!(evm_initialized & EVM_INIT_HMAC))
 832                return;
 833
 834        if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
 835                evm_update_evmxattr(dentry, NULL, NULL, 0);
 836}
 837
 838/*
 839 * evm_inode_init_security - initializes security.evm HMAC value
 840 */
 841int evm_inode_init_security(struct inode *inode,
 842                                 const struct xattr *lsm_xattr,
 843                                 struct xattr *evm_xattr)
 844{
 845        struct evm_xattr *xattr_data;
 846        int rc;
 847
 848        if (!(evm_initialized & EVM_INIT_HMAC) ||
 849            !evm_protected_xattr(lsm_xattr->name))
 850                return 0;
 851
 852        xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
 853        if (!xattr_data)
 854                return -ENOMEM;
 855
 856        xattr_data->data.type = EVM_XATTR_HMAC;
 857        rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
 858        if (rc < 0)
 859                goto out;
 860
 861        evm_xattr->value = xattr_data;
 862        evm_xattr->value_len = sizeof(*xattr_data);
 863        evm_xattr->name = XATTR_EVM_SUFFIX;
 864        return 0;
 865out:
 866        kfree(xattr_data);
 867        return rc;
 868}
 869EXPORT_SYMBOL_GPL(evm_inode_init_security);
 870
 871#ifdef CONFIG_EVM_LOAD_X509
 872void __init evm_load_x509(void)
 873{
 874        int rc;
 875
 876        rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
 877        if (!rc)
 878                evm_initialized |= EVM_INIT_X509;
 879}
 880#endif
 881
 882static int __init init_evm(void)
 883{
 884        int error;
 885        struct list_head *pos, *q;
 886
 887        evm_init_config();
 888
 889        error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
 890        if (error)
 891                goto error;
 892
 893        error = evm_init_secfs();
 894        if (error < 0) {
 895                pr_info("Error registering secfs\n");
 896                goto error;
 897        }
 898
 899error:
 900        if (error != 0) {
 901                if (!list_empty(&evm_config_xattrnames)) {
 902                        list_for_each_safe(pos, q, &evm_config_xattrnames)
 903                                list_del(pos);
 904                }
 905        }
 906
 907        return error;
 908}
 909
 910late_initcall(init_evm);
 911