evm_main.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465
  1. /*
  2. * Copyright (C) 2005-2010 IBM Corporation
  3. *
  4. * Author:
  5. * Mimi Zohar <zohar@us.ibm.com>
  6. * Kylene Hall <kjhall@us.ibm.com>
  7. *
  8. * This program is free software; you can redistribute it and/or modify
  9. * it under the terms of the GNU General Public License as published by
  10. * the Free Software Foundation, version 2 of the License.
  11. *
  12. * File: evm_main.c
  13. * implements evm_inode_setxattr, evm_inode_post_setxattr,
  14. * evm_inode_removexattr, and evm_verifyxattr
  15. */
  16. #include <linux/module.h>
  17. #include <linux/crypto.h>
  18. #include <linux/xattr.h>
  19. #include <linux/integrity.h>
  20. #include <linux/evm.h>
  21. #include <crypto/hash.h>
  22. #include <crypto/algapi.h>
  23. #include "evm.h"
  24. int evm_initialized;
  25. char *evm_hmac = "hmac(sha1)";
  26. char *evm_hash = "sha1";
  27. char *evm_config_xattrnames[] = {
  28. #ifdef CONFIG_SECURITY_SELINUX
  29. XATTR_NAME_SELINUX,
  30. #endif
  31. #ifdef CONFIG_SECURITY_SMACK
  32. XATTR_NAME_SMACK,
  33. #endif
  34. XATTR_NAME_CAPS,
  35. NULL
  36. };
  37. static int evm_fixmode;
  38. static int __init evm_set_fixmode(char *str)
  39. {
  40. if (strncmp(str, "fix", 3) == 0)
  41. evm_fixmode = 1;
  42. return 0;
  43. }
  44. __setup("evm=", evm_set_fixmode);
  45. static int evm_find_protected_xattrs(struct dentry *dentry)
  46. {
  47. struct inode *inode = dentry->d_inode;
  48. char **xattr;
  49. int error;
  50. int count = 0;
  51. if (!inode->i_op || !inode->i_op->getxattr)
  52. return -EOPNOTSUPP;
  53. for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
  54. error = inode->i_op->getxattr(dentry, *xattr, NULL, 0);
  55. if (error < 0) {
  56. if (error == -ENODATA)
  57. continue;
  58. return error;
  59. }
  60. count++;
  61. }
  62. return count;
  63. }
  64. /*
  65. * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
  66. *
  67. * Compute the HMAC on the dentry's protected set of extended attributes
  68. * and compare it against the stored security.evm xattr.
  69. *
  70. * For performance:
  71. * - use the previoulsy retrieved xattr value and length to calculate the
  72. * HMAC.)
  73. * - cache the verification result in the iint, when available.
  74. *
  75. * Returns integrity status
  76. */
  77. static enum integrity_status evm_verify_hmac(struct dentry *dentry,
  78. const char *xattr_name,
  79. char *xattr_value,
  80. size_t xattr_value_len,
  81. struct integrity_iint_cache *iint)
  82. {
  83. struct evm_ima_xattr_data *xattr_data = NULL;
  84. struct evm_ima_xattr_data calc;
  85. enum integrity_status evm_status = INTEGRITY_PASS;
  86. int rc, xattr_len;
  87. if (iint && iint->evm_status == INTEGRITY_PASS)
  88. return iint->evm_status;
  89. /* if status is not PASS, try to check again - against -ENOMEM */
  90. /* first need to know the sig type */
  91. rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
  92. GFP_NOFS);
  93. if (rc <= 0) {
  94. if (rc == 0)
  95. evm_status = INTEGRITY_FAIL; /* empty */
  96. else if (rc == -ENODATA) {
  97. rc = evm_find_protected_xattrs(dentry);
  98. if (rc > 0)
  99. evm_status = INTEGRITY_NOLABEL;
  100. else if (rc == 0)
  101. evm_status = INTEGRITY_NOXATTRS; /* new file */
  102. }
  103. goto out;
  104. }
  105. xattr_len = rc - 1;
  106. /* check value type */
  107. switch (xattr_data->type) {
  108. case EVM_XATTR_HMAC:
  109. rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
  110. xattr_value_len, calc.digest);
  111. if (rc)
  112. break;
  113. rc = crypto_memneq(xattr_data->digest, calc.digest,
  114. sizeof(calc.digest));
  115. if (rc)
  116. rc = -EINVAL;
  117. break;
  118. case EVM_IMA_XATTR_DIGSIG:
  119. rc = evm_calc_hash(dentry, xattr_name, xattr_value,
  120. xattr_value_len, calc.digest);
  121. if (rc)
  122. break;
  123. rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
  124. xattr_data->digest, xattr_len,
  125. calc.digest, sizeof(calc.digest));
  126. if (!rc) {
  127. /* we probably want to replace rsa with hmac here */
  128. evm_update_evmxattr(dentry, xattr_name, xattr_value,
  129. xattr_value_len);
  130. }
  131. break;
  132. default:
  133. rc = -EINVAL;
  134. break;
  135. }
  136. if (rc)
  137. evm_status = (rc == -ENODATA) ?
  138. INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
  139. out:
  140. if (iint)
  141. iint->evm_status = evm_status;
  142. kfree(xattr_data);
  143. return evm_status;
  144. }
  145. static int evm_protected_xattr(const char *req_xattr_name)
  146. {
  147. char **xattrname;
  148. int namelen;
  149. int found = 0;
  150. namelen = strlen(req_xattr_name);
  151. for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
  152. if ((strlen(*xattrname) == namelen)
  153. && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) {
  154. found = 1;
  155. break;
  156. }
  157. if (strncmp(req_xattr_name,
  158. *xattrname + XATTR_SECURITY_PREFIX_LEN,
  159. strlen(req_xattr_name)) == 0) {
  160. found = 1;
  161. break;
  162. }
  163. }
  164. return found;
  165. }
  166. /**
  167. * evm_verifyxattr - verify the integrity of the requested xattr
  168. * @dentry: object of the verify xattr
  169. * @xattr_name: requested xattr
  170. * @xattr_value: requested xattr value
  171. * @xattr_value_len: requested xattr value length
  172. *
  173. * Calculate the HMAC for the given dentry and verify it against the stored
  174. * security.evm xattr. For performance, use the xattr value and length
  175. * previously retrieved to calculate the HMAC.
  176. *
  177. * Returns the xattr integrity status.
  178. *
  179. * This function requires the caller to lock the inode's i_mutex before it
  180. * is executed.
  181. */
  182. enum integrity_status evm_verifyxattr(struct dentry *dentry,
  183. const char *xattr_name,
  184. void *xattr_value, size_t xattr_value_len,
  185. struct integrity_iint_cache *iint)
  186. {
  187. if (!evm_initialized || !evm_protected_xattr(xattr_name))
  188. return INTEGRITY_UNKNOWN;
  189. if (!iint) {
  190. iint = integrity_iint_find(dentry->d_inode);
  191. if (!iint)
  192. return INTEGRITY_UNKNOWN;
  193. }
  194. return evm_verify_hmac(dentry, xattr_name, xattr_value,
  195. xattr_value_len, iint);
  196. }
  197. EXPORT_SYMBOL_GPL(evm_verifyxattr);
  198. /*
  199. * evm_verify_current_integrity - verify the dentry's metadata integrity
  200. * @dentry: pointer to the affected dentry
  201. *
  202. * Verify and return the dentry's metadata integrity. The exceptions are
  203. * before EVM is initialized or in 'fix' mode.
  204. */
  205. static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
  206. {
  207. struct inode *inode = dentry->d_inode;
  208. if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode)
  209. return 0;
  210. return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
  211. }
  212. /*
  213. * evm_protect_xattr - protect the EVM extended attribute
  214. *
  215. * Prevent security.evm from being modified or removed without the
  216. * necessary permissions or when the existing value is invalid.
  217. *
  218. * The posix xattr acls are 'system' prefixed, which normally would not
  219. * affect security.evm. An interesting side affect of writing posix xattr
  220. * acls is their modifying of the i_mode, which is included in security.evm.
  221. * For posix xattr acls only, permit security.evm, even if it currently
  222. * doesn't exist, to be updated.
  223. */
  224. static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
  225. const void *xattr_value, size_t xattr_value_len)
  226. {
  227. enum integrity_status evm_status;
  228. if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
  229. if (!capable(CAP_SYS_ADMIN))
  230. return -EPERM;
  231. } else if (!evm_protected_xattr(xattr_name)) {
  232. if (!posix_xattr_acl(xattr_name))
  233. return 0;
  234. evm_status = evm_verify_current_integrity(dentry);
  235. if ((evm_status == INTEGRITY_PASS) ||
  236. (evm_status == INTEGRITY_NOXATTRS))
  237. return 0;
  238. return -EPERM;
  239. }
  240. evm_status = evm_verify_current_integrity(dentry);
  241. return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
  242. }
  243. /**
  244. * evm_inode_setxattr - protect the EVM extended attribute
  245. * @dentry: pointer to the affected dentry
  246. * @xattr_name: pointer to the affected extended attribute name
  247. * @xattr_value: pointer to the new extended attribute value
  248. * @xattr_value_len: pointer to the new extended attribute value length
  249. *
  250. * Before allowing the 'security.evm' protected xattr to be updated,
  251. * verify the existing value is valid. As only the kernel should have
  252. * access to the EVM encrypted key needed to calculate the HMAC, prevent
  253. * userspace from writing HMAC value. Writing 'security.evm' requires
  254. * requires CAP_SYS_ADMIN privileges.
  255. */
  256. int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
  257. const void *xattr_value, size_t xattr_value_len)
  258. {
  259. const struct evm_ima_xattr_data *xattr_data = xattr_value;
  260. if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
  261. if (!xattr_value_len)
  262. return -EINVAL;
  263. if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
  264. return -EPERM;
  265. }
  266. return evm_protect_xattr(dentry, xattr_name, xattr_value,
  267. xattr_value_len);
  268. }
  269. /**
  270. * evm_inode_removexattr - protect the EVM extended attribute
  271. * @dentry: pointer to the affected dentry
  272. * @xattr_name: pointer to the affected extended attribute name
  273. *
  274. * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
  275. * the current value is valid.
  276. */
  277. int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
  278. {
  279. return evm_protect_xattr(dentry, xattr_name, NULL, 0);
  280. }
  281. /**
  282. * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
  283. * @dentry: pointer to the affected dentry
  284. * @xattr_name: pointer to the affected extended attribute name
  285. * @xattr_value: pointer to the new extended attribute value
  286. * @xattr_value_len: pointer to the new extended attribute value length
  287. *
  288. * Update the HMAC stored in 'security.evm' to reflect the change.
  289. *
  290. * No need to take the i_mutex lock here, as this function is called from
  291. * __vfs_setxattr_noperm(). The caller of which has taken the inode's
  292. * i_mutex lock.
  293. */
  294. void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
  295. const void *xattr_value, size_t xattr_value_len)
  296. {
  297. if (!evm_initialized || (!evm_protected_xattr(xattr_name)
  298. && !posix_xattr_acl(xattr_name)))
  299. return;
  300. evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
  301. return;
  302. }
  303. /**
  304. * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
  305. * @dentry: pointer to the affected dentry
  306. * @xattr_name: pointer to the affected extended attribute name
  307. *
  308. * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
  309. */
  310. void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
  311. {
  312. struct inode *inode = dentry->d_inode;
  313. if (!evm_initialized || !evm_protected_xattr(xattr_name))
  314. return;
  315. mutex_lock(&inode->i_mutex);
  316. evm_update_evmxattr(dentry, xattr_name, NULL, 0);
  317. mutex_unlock(&inode->i_mutex);
  318. return;
  319. }
  320. /**
  321. * evm_inode_setattr - prevent updating an invalid EVM extended attribute
  322. * @dentry: pointer to the affected dentry
  323. */
  324. int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
  325. {
  326. unsigned int ia_valid = attr->ia_valid;
  327. enum integrity_status evm_status;
  328. if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
  329. return 0;
  330. evm_status = evm_verify_current_integrity(dentry);
  331. if ((evm_status == INTEGRITY_PASS) ||
  332. (evm_status == INTEGRITY_NOXATTRS))
  333. return 0;
  334. return -EPERM;
  335. }
  336. /**
  337. * evm_inode_post_setattr - update 'security.evm' after modifying metadata
  338. * @dentry: pointer to the affected dentry
  339. * @ia_valid: for the UID and GID status
  340. *
  341. * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
  342. * changes.
  343. *
  344. * This function is called from notify_change(), which expects the caller
  345. * to lock the inode's i_mutex.
  346. */
  347. void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
  348. {
  349. if (!evm_initialized)
  350. return;
  351. if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
  352. evm_update_evmxattr(dentry, NULL, NULL, 0);
  353. return;
  354. }
  355. /*
  356. * evm_inode_init_security - initializes security.evm
  357. */
  358. int evm_inode_init_security(struct inode *inode,
  359. const struct xattr *lsm_xattr,
  360. struct xattr *evm_xattr)
  361. {
  362. struct evm_ima_xattr_data *xattr_data;
  363. int rc;
  364. if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name))
  365. return 0;
  366. xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
  367. if (!xattr_data)
  368. return -ENOMEM;
  369. xattr_data->type = EVM_XATTR_HMAC;
  370. rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
  371. if (rc < 0)
  372. goto out;
  373. evm_xattr->value = xattr_data;
  374. evm_xattr->value_len = sizeof(*xattr_data);
  375. evm_xattr->name = kstrdup(XATTR_EVM_SUFFIX, GFP_NOFS);
  376. return 0;
  377. out:
  378. kfree(xattr_data);
  379. return rc;
  380. }
  381. EXPORT_SYMBOL_GPL(evm_inode_init_security);
  382. static int __init init_evm(void)
  383. {
  384. int error;
  385. error = evm_init_secfs();
  386. if (error < 0) {
  387. printk(KERN_INFO "EVM: Error registering secfs\n");
  388. goto err;
  389. }
  390. return 0;
  391. err:
  392. return error;
  393. }
  394. static void __exit cleanup_evm(void)
  395. {
  396. evm_cleanup_secfs();
  397. if (hmac_tfm)
  398. crypto_free_shash(hmac_tfm);
  399. if (hash_tfm)
  400. crypto_free_shash(hash_tfm);
  401. }
  402. /*
  403. * evm_display_config - list the EVM protected security extended attributes
  404. */
  405. static int __init evm_display_config(void)
  406. {
  407. char **xattrname;
  408. for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++)
  409. printk(KERN_INFO "EVM: %s\n", *xattrname);
  410. return 0;
  411. }
  412. pure_initcall(evm_display_config);
  413. late_initcall(init_evm);
  414. MODULE_DESCRIPTION("Extended Verification Module");
  415. MODULE_LICENSE("GPL");