security/integrity/ima/ima_appraise.c at v6.4-rc5

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / security / integrity / ima / ima_appraise.c
at v6.4-rc5 800 lines 21 kB view raw
wrap content
  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * Copyright (C) 2011 IBM Corporation
  4 *
  5 * Author:
  6 * Mimi Zohar <zohar@us.ibm.com>
  7 */
  8#include <linux/module.h>
  9#include <linux/init.h>
 10#include <linux/file.h>
 11#include <linux/fs.h>
 12#include <linux/xattr.h>
 13#include <linux/magic.h>
 14#include <linux/ima.h>
 15#include <linux/evm.h>
 16#include <linux/fsverity.h>
 17#include <keys/system_keyring.h>
 18#include <uapi/linux/fsverity.h>
 19
 20#include "ima.h"
 21
 22#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
 23static char *ima_appraise_cmdline_default __initdata;
 24core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);
 25
 26void __init ima_appraise_parse_cmdline(void)
 27{
 28	const char *str = ima_appraise_cmdline_default;
 29	bool sb_state = arch_ima_get_secureboot();
 30	int appraisal_state = ima_appraise;
 31
 32	if (!str)
 33		return;
 34
 35	if (strncmp(str, "off", 3) == 0)
 36		appraisal_state = 0;
 37	else if (strncmp(str, "log", 3) == 0)
 38		appraisal_state = IMA_APPRAISE_LOG;
 39	else if (strncmp(str, "fix", 3) == 0)
 40		appraisal_state = IMA_APPRAISE_FIX;
 41	else if (strncmp(str, "enforce", 7) == 0)
 42		appraisal_state = IMA_APPRAISE_ENFORCE;
 43	else
 44		pr_err("invalid \"%s\" appraise option", str);
 45
 46	/* If appraisal state was changed, but secure boot is enabled,
 47	 * keep its default */
 48	if (sb_state) {
 49		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
 50			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
 51				str);
 52	} else {
 53		ima_appraise = appraisal_state;
 54	}
 55}
 56#endif
 57
 58/*
 59 * is_ima_appraise_enabled - return appraise status
 60 *
 61 * Only return enabled, if not in ima_appraise="fix" or "log" modes.
 62 */
 63bool is_ima_appraise_enabled(void)
 64{
 65	return ima_appraise & IMA_APPRAISE_ENFORCE;
 66}
 67
 68/*
 69 * ima_must_appraise - set appraise flag
 70 *
 71 * Return 1 to appraise or hash
 72 */
 73int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
 74		      int mask, enum ima_hooks func)
 75{
 76	u32 secid;
 77
 78	if (!ima_appraise)
 79		return 0;
 80
 81	security_current_getsecid_subj(&secid);
 82	return ima_match_policy(idmap, inode, current_cred(), secid,
 83				func, mask, IMA_APPRAISE | IMA_HASH, NULL,
 84				NULL, NULL, NULL);
 85}
 86
 87static int ima_fix_xattr(struct dentry *dentry,
 88			 struct integrity_iint_cache *iint)
 89{
 90	int rc, offset;
 91	u8 algo = iint->ima_hash->algo;
 92
 93	if (algo <= HASH_ALGO_SHA1) {
 94		offset = 1;
 95		iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
 96	} else {
 97		offset = 0;
 98		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
 99		iint->ima_hash->xattr.ng.algo = algo;
100	}
101	rc = __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
102				   &iint->ima_hash->xattr.data[offset],
103				   (sizeof(iint->ima_hash->xattr) - offset) +
104				   iint->ima_hash->length, 0);
105	return rc;
106}
107
108/* Return specific func appraised cached result */
109enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
110					   enum ima_hooks func)
111{
112	switch (func) {
113	case MMAP_CHECK:
114	case MMAP_CHECK_REQPROT:
115		return iint->ima_mmap_status;
116	case BPRM_CHECK:
117		return iint->ima_bprm_status;
118	case CREDS_CHECK:
119		return iint->ima_creds_status;
120	case FILE_CHECK:
121	case POST_SETATTR:
122		return iint->ima_file_status;
123	case MODULE_CHECK ... MAX_CHECK - 1:
124	default:
125		return iint->ima_read_status;
126	}
127}
128
129static void ima_set_cache_status(struct integrity_iint_cache *iint,
130				 enum ima_hooks func,
131				 enum integrity_status status)
132{
133	switch (func) {
134	case MMAP_CHECK:
135	case MMAP_CHECK_REQPROT:
136		iint->ima_mmap_status = status;
137		break;
138	case BPRM_CHECK:
139		iint->ima_bprm_status = status;
140		break;
141	case CREDS_CHECK:
142		iint->ima_creds_status = status;
143		break;
144	case FILE_CHECK:
145	case POST_SETATTR:
146		iint->ima_file_status = status;
147		break;
148	case MODULE_CHECK ... MAX_CHECK - 1:
149	default:
150		iint->ima_read_status = status;
151		break;
152	}
153}
154
155static void ima_cache_flags(struct integrity_iint_cache *iint,
156			     enum ima_hooks func)
157{
158	switch (func) {
159	case MMAP_CHECK:
160	case MMAP_CHECK_REQPROT:
161		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
162		break;
163	case BPRM_CHECK:
164		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
165		break;
166	case CREDS_CHECK:
167		iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
168		break;
169	case FILE_CHECK:
170	case POST_SETATTR:
171		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
172		break;
173	case MODULE_CHECK ... MAX_CHECK - 1:
174	default:
175		iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
176		break;
177	}
178}
179
180enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
181				 int xattr_len)
182{
183	struct signature_v2_hdr *sig;
184	enum hash_algo ret;
185
186	if (!xattr_value || xattr_len < 2)
187		/* return default hash algo */
188		return ima_hash_algo;
189
190	switch (xattr_value->type) {
191	case IMA_VERITY_DIGSIG:
192		sig = (typeof(sig))xattr_value;
193		if (sig->version != 3 || xattr_len <= sizeof(*sig) ||
194		    sig->hash_algo >= HASH_ALGO__LAST)
195			return ima_hash_algo;
196		return sig->hash_algo;
197	case EVM_IMA_XATTR_DIGSIG:
198		sig = (typeof(sig))xattr_value;
199		if (sig->version != 2 || xattr_len <= sizeof(*sig)
200		    || sig->hash_algo >= HASH_ALGO__LAST)
201			return ima_hash_algo;
202		return sig->hash_algo;
203	case IMA_XATTR_DIGEST_NG:
204		/* first byte contains algorithm id */
205		ret = xattr_value->data[0];
206		if (ret < HASH_ALGO__LAST)
207			return ret;
208		break;
209	case IMA_XATTR_DIGEST:
210		/* this is for backward compatibility */
211		if (xattr_len == 21) {
212			unsigned int zero = 0;
213			if (!memcmp(&xattr_value->data[16], &zero, 4))
214				return HASH_ALGO_MD5;
215			else
216				return HASH_ALGO_SHA1;
217		} else if (xattr_len == 17)
218			return HASH_ALGO_MD5;
219		break;
220	}
221
222	/* return default hash algo */
223	return ima_hash_algo;
224}
225
226int ima_read_xattr(struct dentry *dentry,
227		   struct evm_ima_xattr_data **xattr_value, int xattr_len)
228{
229	int ret;
230
231	ret = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
232				 (char **)xattr_value, xattr_len, GFP_NOFS);
233	if (ret == -EOPNOTSUPP)
234		ret = 0;
235	return ret;
236}
237
238/*
239 * calc_file_id_hash - calculate the hash of the ima_file_id struct data
240 * @type: xattr type [enum evm_ima_xattr_type]
241 * @algo: hash algorithm [enum hash_algo]
242 * @digest: pointer to the digest to be hashed
243 * @hash: (out) pointer to the hash
244 *
245 * IMA signature version 3 disambiguates the data that is signed by
246 * indirectly signing the hash of the ima_file_id structure data.
247 *
248 * Signing the ima_file_id struct is currently only supported for
249 * IMA_VERITY_DIGSIG type xattrs.
250 *
251 * Return 0 on success, error code otherwise.
252 */
253static int calc_file_id_hash(enum evm_ima_xattr_type type,
254			     enum hash_algo algo, const u8 *digest,
255			     struct ima_digest_data *hash)
256{
257	struct ima_file_id file_id = {
258		.hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
259	unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo];
260
261	if (type != IMA_VERITY_DIGSIG)
262		return -EINVAL;
263
264	memcpy(file_id.hash, digest, hash_digest_size[algo]);
265
266	hash->algo = algo;
267	hash->length = hash_digest_size[algo];
268
269	return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash);
270}
271
272/*
273 * xattr_verify - verify xattr digest or signature
274 *
275 * Verify whether the hash or signature matches the file contents.
276 *
277 * Return 0 on success, error code otherwise.
278 */
279static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
280			struct evm_ima_xattr_data *xattr_value, int xattr_len,
281			enum integrity_status *status, const char **cause)
282{
283	struct ima_max_digest_data hash;
284	struct signature_v2_hdr *sig;
285	int rc = -EINVAL, hash_start = 0;
286	int mask;
287
288	switch (xattr_value->type) {
289	case IMA_XATTR_DIGEST_NG:
290		/* first byte contains algorithm id */
291		hash_start = 1;
292		fallthrough;
293	case IMA_XATTR_DIGEST:
294		if (*status != INTEGRITY_PASS_IMMUTABLE) {
295			if (iint->flags & IMA_DIGSIG_REQUIRED) {
296				if (iint->flags & IMA_VERITY_REQUIRED)
297					*cause = "verity-signature-required";
298				else
299					*cause = "IMA-signature-required";
300				*status = INTEGRITY_FAIL;
301				break;
302			}
303			clear_bit(IMA_DIGSIG, &iint->atomic_flags);
304		} else {
305			set_bit(IMA_DIGSIG, &iint->atomic_flags);
306		}
307		if (xattr_len - sizeof(xattr_value->type) - hash_start >=
308				iint->ima_hash->length)
309			/*
310			 * xattr length may be longer. md5 hash in previous
311			 * version occupied 20 bytes in xattr, instead of 16
312			 */
313			rc = memcmp(&xattr_value->data[hash_start],
314				    iint->ima_hash->digest,
315				    iint->ima_hash->length);
316		else
317			rc = -EINVAL;
318		if (rc) {
319			*cause = "invalid-hash";
320			*status = INTEGRITY_FAIL;
321			break;
322		}
323		*status = INTEGRITY_PASS;
324		break;
325	case EVM_IMA_XATTR_DIGSIG:
326		set_bit(IMA_DIGSIG, &iint->atomic_flags);
327
328		mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED;
329		if ((iint->flags & mask) == mask) {
330			*cause = "verity-signature-required";
331			*status = INTEGRITY_FAIL;
332			break;
333		}
334
335		sig = (typeof(sig))xattr_value;
336		if (sig->version >= 3) {
337			*cause = "invalid-signature-version";
338			*status = INTEGRITY_FAIL;
339			break;
340		}
341		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
342					     (const char *)xattr_value,
343					     xattr_len,
344					     iint->ima_hash->digest,
345					     iint->ima_hash->length);
346		if (rc == -EOPNOTSUPP) {
347			*status = INTEGRITY_UNKNOWN;
348			break;
349		}
350		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
351		    func == KEXEC_KERNEL_CHECK)
352			rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
353						     (const char *)xattr_value,
354						     xattr_len,
355						     iint->ima_hash->digest,
356						     iint->ima_hash->length);
357		if (rc) {
358			*cause = "invalid-signature";
359			*status = INTEGRITY_FAIL;
360		} else {
361			*status = INTEGRITY_PASS;
362		}
363		break;
364	case IMA_VERITY_DIGSIG:
365		set_bit(IMA_DIGSIG, &iint->atomic_flags);
366
367		if (iint->flags & IMA_DIGSIG_REQUIRED) {
368			if (!(iint->flags & IMA_VERITY_REQUIRED)) {
369				*cause = "IMA-signature-required";
370				*status = INTEGRITY_FAIL;
371				break;
372			}
373		}
374
375		sig = (typeof(sig))xattr_value;
376		if (sig->version != 3) {
377			*cause = "invalid-signature-version";
378			*status = INTEGRITY_FAIL;
379			break;
380		}
381
382		rc = calc_file_id_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
383				       iint->ima_hash->digest, &hash.hdr);
384		if (rc) {
385			*cause = "sigv3-hashing-error";
386			*status = INTEGRITY_FAIL;
387			break;
388		}
389
390		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
391					     (const char *)xattr_value,
392					     xattr_len, hash.digest,
393					     hash.hdr.length);
394		if (rc) {
395			*cause = "invalid-verity-signature";
396			*status = INTEGRITY_FAIL;
397		} else {
398			*status = INTEGRITY_PASS;
399		}
400
401		break;
402	default:
403		*status = INTEGRITY_UNKNOWN;
404		*cause = "unknown-ima-data";
405		break;
406	}
407
408	return rc;
409}
410
411/*
412 * modsig_verify - verify modsig signature
413 *
414 * Verify whether the signature matches the file contents.
415 *
416 * Return 0 on success, error code otherwise.
417 */
418static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
419			 enum integrity_status *status, const char **cause)
420{
421	int rc;
422
423	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
424	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
425	    func == KEXEC_KERNEL_CHECK)
426		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
427					     modsig);
428	if (rc) {
429		*cause = "invalid-signature";
430		*status = INTEGRITY_FAIL;
431	} else {
432		*status = INTEGRITY_PASS;
433	}
434
435	return rc;
436}
437
438/*
439 * ima_check_blacklist - determine if the binary is blacklisted.
440 *
441 * Add the hash of the blacklisted binary to the measurement list, based
442 * on policy.
443 *
444 * Returns -EPERM if the hash is blacklisted.
445 */
446int ima_check_blacklist(struct integrity_iint_cache *iint,
447			const struct modsig *modsig, int pcr)
448{
449	enum hash_algo hash_algo;
450	const u8 *digest = NULL;
451	u32 digestsize = 0;
452	int rc = 0;
453
454	if (!(iint->flags & IMA_CHECK_BLACKLIST))
455		return 0;
456
457	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
458		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
459
460		rc = is_binary_blacklisted(digest, digestsize);
461		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
462			process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
463						   "blacklisted-hash", NONE,
464						   pcr, NULL, false, NULL, 0);
465	}
466
467	return rc;
468}
469
470/*
471 * ima_appraise_measurement - appraise file measurement
472 *
473 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
474 * Assuming success, compare the xattr hash with the collected measurement.
475 *
476 * Return 0 on success, error code otherwise
477 */
478int ima_appraise_measurement(enum ima_hooks func,
479			     struct integrity_iint_cache *iint,
480			     struct file *file, const unsigned char *filename,
481			     struct evm_ima_xattr_data *xattr_value,
482			     int xattr_len, const struct modsig *modsig)
483{
484	static const char op[] = "appraise_data";
485	const char *cause = "unknown";
486	struct dentry *dentry = file_dentry(file);
487	struct inode *inode = d_backing_inode(dentry);
488	enum integrity_status status = INTEGRITY_UNKNOWN;
489	int rc = xattr_len;
490	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
491
492	/* If not appraising a modsig, we need an xattr. */
493	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
494		return INTEGRITY_UNKNOWN;
495
496	/* If reading the xattr failed and there's no modsig, error out. */
497	if (rc <= 0 && !try_modsig) {
498		if (rc && rc != -ENODATA)
499			goto out;
500
501		if (iint->flags & IMA_DIGSIG_REQUIRED) {
502			if (iint->flags & IMA_VERITY_REQUIRED)
503				cause = "verity-signature-required";
504			else
505				cause = "IMA-signature-required";
506		} else {
507			cause = "missing-hash";
508		}
509
510		status = INTEGRITY_NOLABEL;
511		if (file->f_mode & FMODE_CREATED)
512			iint->flags |= IMA_NEW_FILE;
513		if ((iint->flags & IMA_NEW_FILE) &&
514		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
515		     (inode->i_size == 0)))
516			status = INTEGRITY_PASS;
517		goto out;
518	}
519
520	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
521				 rc < 0 ? 0 : rc, iint);
522	switch (status) {
523	case INTEGRITY_PASS:
524	case INTEGRITY_PASS_IMMUTABLE:
525	case INTEGRITY_UNKNOWN:
526		break;
527	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
528		/* It's fine not to have xattrs when using a modsig. */
529		if (try_modsig)
530			break;
531		fallthrough;
532	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
533		cause = "missing-HMAC";
534		goto out;
535	case INTEGRITY_FAIL_IMMUTABLE:
536		set_bit(IMA_DIGSIG, &iint->atomic_flags);
537		cause = "invalid-fail-immutable";
538		goto out;
539	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
540		cause = "invalid-HMAC";
541		goto out;
542	default:
543		WARN_ONCE(true, "Unexpected integrity status %d\n", status);
544	}
545
546	if (xattr_value)
547		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
548				  &cause);
549
550	/*
551	 * If we have a modsig and either no imasig or the imasig's key isn't
552	 * known, then try verifying the modsig.
553	 */
554	if (try_modsig &&
555	    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
556	     rc == -ENOKEY))
557		rc = modsig_verify(func, modsig, &status, &cause);
558
559out:
560	/*
561	 * File signatures on some filesystems can not be properly verified.
562	 * When such filesystems are mounted by an untrusted mounter or on a
563	 * system not willing to accept such a risk, fail the file signature
564	 * verification.
565	 */
566	if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
567	    ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
568	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
569		status = INTEGRITY_FAIL;
570		cause = "unverifiable-signature";
571		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
572				    op, cause, rc, 0);
573	} else if (status != INTEGRITY_PASS) {
574		/* Fix mode, but don't replace file signatures. */
575		if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
576		    (!xattr_value ||
577		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
578			if (!ima_fix_xattr(dentry, iint))
579				status = INTEGRITY_PASS;
580		}
581
582		/*
583		 * Permit new files with file/EVM portable signatures, but
584		 * without data.
585		 */
586		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
587		    test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
588			status = INTEGRITY_PASS;
589		}
590
591		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
592				    op, cause, rc, 0);
593	} else {
594		ima_cache_flags(iint, func);
595	}
596
597	ima_set_cache_status(iint, func, status);
598	return status;
599}
600
601/*
602 * ima_update_xattr - update 'security.ima' hash value
603 */
604void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
605{
606	struct dentry *dentry = file_dentry(file);
607	int rc = 0;
608
609	/* do not collect and update hash for digital signatures */
610	if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
611		return;
612
613	if ((iint->ima_file_status != INTEGRITY_PASS) &&
614	    !(iint->flags & IMA_HASH))
615		return;
616
617	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
618	if (rc < 0)
619		return;
620
621	inode_lock(file_inode(file));
622	ima_fix_xattr(dentry, iint);
623	inode_unlock(file_inode(file));
624}
625
626/**
627 * ima_inode_post_setattr - reflect file metadata changes
628 * @idmap:  idmap of the mount the inode was found from
629 * @dentry: pointer to the affected dentry
630 *
631 * Changes to a dentry's metadata might result in needing to appraise.
632 *
633 * This function is called from notify_change(), which expects the caller
634 * to lock the inode's i_mutex.
635 */
636void ima_inode_post_setattr(struct mnt_idmap *idmap,
637			    struct dentry *dentry)
638{
639	struct inode *inode = d_backing_inode(dentry);
640	struct integrity_iint_cache *iint;
641	int action;
642
643	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
644	    || !(inode->i_opflags & IOP_XATTR))
645		return;
646
647	action = ima_must_appraise(idmap, inode, MAY_ACCESS, POST_SETATTR);
648	iint = integrity_iint_find(inode);
649	if (iint) {
650		set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
651		if (!action)
652			clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
653	}
654}
655
656/*
657 * ima_protect_xattr - protect 'security.ima'
658 *
659 * Ensure that not just anyone can modify or remove 'security.ima'.
660 */
661static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
662			     const void *xattr_value, size_t xattr_value_len)
663{
664	if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
665		if (!capable(CAP_SYS_ADMIN))
666			return -EPERM;
667		return 1;
668	}
669	return 0;
670}
671
672static void ima_reset_appraise_flags(struct inode *inode, int digsig)
673{
674	struct integrity_iint_cache *iint;
675
676	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
677		return;
678
679	iint = integrity_iint_find(inode);
680	if (!iint)
681		return;
682	iint->measured_pcrs = 0;
683	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
684	if (digsig)
685		set_bit(IMA_DIGSIG, &iint->atomic_flags);
686	else
687		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
688}
689
690/**
691 * validate_hash_algo() - Block setxattr with unsupported hash algorithms
692 * @dentry: object of the setxattr()
693 * @xattr_value: userland supplied xattr value
694 * @xattr_value_len: length of xattr_value
695 *
696 * The xattr value is mapped to its hash algorithm, and this algorithm
697 * must be built in the kernel for the setxattr to be allowed.
698 *
699 * Emit an audit message when the algorithm is invalid.
700 *
701 * Return: 0 on success, else an error.
702 */
703static int validate_hash_algo(struct dentry *dentry,
704			      const struct evm_ima_xattr_data *xattr_value,
705			      size_t xattr_value_len)
706{
707	char *path = NULL, *pathbuf = NULL;
708	enum hash_algo xattr_hash_algo;
709	const char *errmsg = "unavailable-hash-algorithm";
710	unsigned int allowed_hashes;
711
712	xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);
713
714	allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms);
715
716	if (allowed_hashes) {
717		/* success if the algorithm is allowed in the ima policy */
718		if (allowed_hashes & (1U << xattr_hash_algo))
719			return 0;
720
721		/*
722		 * We use a different audit message when the hash algorithm
723		 * is denied by a policy rule, instead of not being built
724		 * in the kernel image
725		 */
726		errmsg = "denied-hash-algorithm";
727	} else {
728		if (likely(xattr_hash_algo == ima_hash_algo))
729			return 0;
730
731		/* allow any xattr using an algorithm built in the kernel */
732		if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0))
733			return 0;
734	}
735
736	pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
737	if (!pathbuf)
738		return -EACCES;
739
740	path = dentry_path(dentry, pathbuf, PATH_MAX);
741
742	integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
743			    "set_data", errmsg, -EACCES, 0);
744
745	kfree(pathbuf);
746
747	return -EACCES;
748}
749
750int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
751		       const void *xattr_value, size_t xattr_value_len)
752{
753	const struct evm_ima_xattr_data *xvalue = xattr_value;
754	int digsig = 0;
755	int result;
756	int err;
757
758	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
759				   xattr_value_len);
760	if (result == 1) {
761		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
762			return -EINVAL;
763
764		err = validate_hash_algo(dentry, xvalue, xattr_value_len);
765		if (err)
766			return err;
767
768		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
769	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
770		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
771	}
772	if (result == 1 || evm_revalidate_status(xattr_name)) {
773		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
774		if (result == 1)
775			result = 0;
776	}
777	return result;
778}
779
780int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
781		      const char *acl_name, struct posix_acl *kacl)
782{
783	if (evm_revalidate_status(acl_name))
784		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
785
786	return 0;
787}
788
789int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
790{
791	int result;
792
793	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
794	if (result == 1 || evm_revalidate_status(xattr_name)) {
795		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
796		if (result == 1)
797			result = 0;
798	}
799	return result;
800}
Configure Feed

Configure Feed
