[mirror_ubuntu-artful-kernel.git] / security / integrity / evm / evm_main.c

/*
 * Copyright (C) 2005-2010 IBM Corporation
 *
 * Author:
 * Mimi Zohar <zohar@us.ibm.com>
 * Kylene Hall <kjhall@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 2 of the License.
 *
 * File: evm_main.c
 *	implements evm_inode_setxattr, evm_inode_post_setxattr,
 *	evm_inode_removexattr, and evm_verifyxattr
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/module.h>
#include <linux/crypto.h>
#include <linux/audit.h>
#include <linux/xattr.h>
#include <linux/integrity.h>
#include <linux/evm.h>
#include <crypto/hash.h>
#include "evm.h"

int evm_initialized;

static char *integrity_status_msg[] = {
	"pass", "fail", "no_label", "no_xattrs", "unknown"
};
char *evm_hmac = "hmac(sha1)";
char *evm_hash = "sha1";
int evm_hmac_attrs;

char *evm_config_xattrnames[] = {
#ifdef CONFIG_SECURITY_SELINUX
	XATTR_NAME_SELINUX,
#endif
#ifdef CONFIG_SECURITY_SMACK
	XATTR_NAME_SMACK,
#endif
#ifdef CONFIG_IMA_APPRAISE
	XATTR_NAME_IMA,
#endif
	XATTR_NAME_CAPS,
	NULL
};

static int evm_fixmode;
static int __init evm_set_fixmode(char *str)
{
	if (strncmp(str, "fix", 3) == 0)
		evm_fixmode = 1;
	return 0;
}
__setup("evm=", evm_set_fixmode);

static void __init evm_init_config(void)
{
#ifdef CONFIG_EVM_ATTR_FSUUID
	evm_hmac_attrs |= EVM_ATTR_FSUUID;
#endif
	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
}

static int evm_find_protected_xattrs(struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;
	char **xattr;
	int error;
	int count = 0;

	if (!inode->i_op->getxattr)
		return -EOPNOTSUPP;

	for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
		error = inode->i_op->getxattr(dentry, *xattr, NULL, 0);
		if (error < 0) {
			if (error == -ENODATA)
				continue;
			return error;
		}
		count++;
	}

	return count;
}

/*
 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
 *
 * Compute the HMAC on the dentry's protected set of extended attributes
 * and compare it against the stored security.evm xattr.
 *
 * For performance:
 * - use the previoulsy retrieved xattr value and length to calculate the
 *   HMAC.)
 * - cache the verification result in the iint, when available.
 *
 * Returns integrity status
 */
static enum integrity_status evm_verify_hmac(struct dentry *dentry,
					     const char *xattr_name,
					     char *xattr_value,
					     size_t xattr_value_len,
					     struct integrity_iint_cache *iint)
{
	struct evm_ima_xattr_data *xattr_data = NULL;
	struct evm_ima_xattr_data calc;
	enum integrity_status evm_status = INTEGRITY_PASS;
	int rc, xattr_len;

	if (iint && iint->evm_status == INTEGRITY_PASS)
		return iint->evm_status;

	/* if status is not PASS, try to check again - against -ENOMEM */

	/* first need to know the sig type */
	rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
				GFP_NOFS);
	if (rc <= 0) {
		if (rc == 0)
			evm_status = INTEGRITY_FAIL; /* empty */
		else if (rc == -ENODATA) {
			rc = evm_find_protected_xattrs(dentry);
			if (rc > 0)
				evm_status = INTEGRITY_NOLABEL;
			else if (rc == 0)
				evm_status = INTEGRITY_NOXATTRS; /* new file */
		}
		goto out;
	}

	xattr_len = rc;

	/* check value type */
	switch (xattr_data->type) {
	case EVM_XATTR_HMAC:
		rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
				   xattr_value_len, calc.digest);
		if (rc)
			break;
		rc = memcmp(xattr_data->digest, calc.digest,
			    sizeof(calc.digest));
		if (rc)
			rc = -EINVAL;
		break;
	case EVM_IMA_XATTR_DIGSIG:
		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
				xattr_value_len, calc.digest);
		if (rc)
			break;
		rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
					(const char *)xattr_data, xattr_len,
					calc.digest, sizeof(calc.digest));
		if (!rc) {
			/* we probably want to replace rsa with hmac here */
			evm_update_evmxattr(dentry, xattr_name, xattr_value,
				   xattr_value_len);
		}
		break;
	default:
		rc = -EINVAL;
		break;
	}

	if (rc)
		evm_status = (rc == -ENODATA) ?
				INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
out:
	if (iint)
		iint->evm_status = evm_status;
	kfree(xattr_data);
	return evm_status;
}

static int evm_protected_xattr(const char *req_xattr_name)
{
	char **xattrname;
	int namelen;
	int found = 0;

	namelen = strlen(req_xattr_name);
	for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
		if ((strlen(*xattrname) == namelen)
		    && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) {
			found = 1;
			break;
		}
		if (strncmp(req_xattr_name,
			    *xattrname + XATTR_SECURITY_PREFIX_LEN,
			    strlen(req_xattr_name)) == 0) {
			found = 1;
			break;
		}
	}
	return found;
}

/**
 * evm_verifyxattr - verify the integrity of the requested xattr
 * @dentry: object of the verify xattr
 * @xattr_name: requested xattr
 * @xattr_value: requested xattr value
 * @xattr_value_len: requested xattr value length
 *
 * Calculate the HMAC for the given dentry and verify it against the stored
 * security.evm xattr. For performance, use the xattr value and length
 * previously retrieved to calculate the HMAC.
 *
 * Returns the xattr integrity status.
 *
 * This function requires the caller to lock the inode's i_mutex before it
 * is executed.
 */
enum integrity_status evm_verifyxattr(struct dentry *dentry,
				      const char *xattr_name,
				      void *xattr_value, size_t xattr_value_len,
				      struct integrity_iint_cache *iint)
{
	if (!evm_initialized || !evm_protected_xattr(xattr_name))
		return INTEGRITY_UNKNOWN;

	if (!iint) {
		iint = integrity_iint_find(dentry->d_inode);
		if (!iint)
			return INTEGRITY_UNKNOWN;
	}
	return evm_verify_hmac(dentry, xattr_name, xattr_value,
				 xattr_value_len, iint);
}
EXPORT_SYMBOL_GPL(evm_verifyxattr);

/*
 * evm_verify_current_integrity - verify the dentry's metadata integrity
 * @dentry: pointer to the affected dentry
 *
 * Verify and return the dentry's metadata integrity. The exceptions are
 * before EVM is initialized or in 'fix' mode.
 */
static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;

	if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode)
		return 0;
	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
}

/*
 * evm_protect_xattr - protect the EVM extended attribute
 *
 * Prevent security.evm from being modified or removed without the
 * necessary permissions or when the existing value is invalid.
 *
 * The posix xattr acls are 'system' prefixed, which normally would not
 * affect security.evm.  An interesting side affect of writing posix xattr
 * acls is their modifying of the i_mode, which is included in security.evm.
 * For posix xattr acls only, permit security.evm, even if it currently
 * doesn't exist, to be updated.
 */
static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
			     const void *xattr_value, size_t xattr_value_len)
{
	enum integrity_status evm_status;

	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
		if (!capable(CAP_SYS_ADMIN))
			return -EPERM;
	} else if (!evm_protected_xattr(xattr_name)) {
		if (!posix_xattr_acl(xattr_name))
			return 0;
		evm_status = evm_verify_current_integrity(dentry);
		if ((evm_status == INTEGRITY_PASS) ||
		    (evm_status == INTEGRITY_NOXATTRS))
			return 0;
		goto out;
	}
	evm_status = evm_verify_current_integrity(dentry);
out:
	if (evm_status != INTEGRITY_PASS)
		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
				    dentry->d_name.name, "appraise_metadata",
				    integrity_status_msg[evm_status],
				    -EPERM, 0);
	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
}

/**
 * evm_inode_setxattr - protect the EVM extended attribute
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
 * @xattr_value: pointer to the new extended attribute value
 * @xattr_value_len: pointer to the new extended attribute value length
 *
 * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that
 * the current value is valid.
 */
int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
		       const void *xattr_value, size_t xattr_value_len)
{
	return evm_protect_xattr(dentry, xattr_name, xattr_value,
				 xattr_value_len);
}

/**
 * evm_inode_removexattr - protect the EVM extended attribute
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
 *
 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
 * the current value is valid.
 */
int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
{
	return evm_protect_xattr(dentry, xattr_name, NULL, 0);
}

/**
 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
 * @xattr_value: pointer to the new extended attribute value
 * @xattr_value_len: pointer to the new extended attribute value length
 *
 * Update the HMAC stored in 'security.evm' to reflect the change.
 *
 * No need to take the i_mutex lock here, as this function is called from
 * __vfs_setxattr_noperm().  The caller of which has taken the inode's
 * i_mutex lock.
 */
void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
			     const void *xattr_value, size_t xattr_value_len)
{
	if (!evm_initialized || (!evm_protected_xattr(xattr_name)
				 && !posix_xattr_acl(xattr_name)))
		return;

	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
	return;
}

/**
 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
 * @dentry: pointer to the affected dentry
 * @xattr_name: pointer to the affected extended attribute name
 *
 * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
 */
void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
{
	struct inode *inode = dentry->d_inode;

	if (!evm_initialized || !evm_protected_xattr(xattr_name))
		return;

	mutex_lock(&inode->i_mutex);
	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
	mutex_unlock(&inode->i_mutex);
	return;
}

/**
 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
 * @dentry: pointer to the affected dentry
 */
int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
{
	unsigned int ia_valid = attr->ia_valid;
	enum integrity_status evm_status;

	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
		return 0;
	evm_status = evm_verify_current_integrity(dentry);
	if ((evm_status == INTEGRITY_PASS) ||
	    (evm_status == INTEGRITY_NOXATTRS))
		return 0;
	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
			    dentry->d_name.name, "appraise_metadata",
			    integrity_status_msg[evm_status], -EPERM, 0);
	return -EPERM;
}

/**
 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
 * @dentry: pointer to the affected dentry
 * @ia_valid: for the UID and GID status
 *
 * For now, update the HMAC stored in 'security.evm' to reflect UID/GID
 * changes.
 *
 * This function is called from notify_change(), which expects the caller
 * to lock the inode's i_mutex.
 */
void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
{
	if (!evm_initialized)
		return;

	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
		evm_update_evmxattr(dentry, NULL, NULL, 0);
	return;
}

/*
 * evm_inode_init_security - initializes security.evm
 */
int evm_inode_init_security(struct inode *inode,
				 const struct xattr *lsm_xattr,
				 struct xattr *evm_xattr)
{
	struct evm_ima_xattr_data *xattr_data;
	int rc;

	if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name))
		return 0;

	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
	if (!xattr_data)
		return -ENOMEM;

	xattr_data->type = EVM_XATTR_HMAC;
	rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
	if (rc < 0)
		goto out;

	evm_xattr->value = xattr_data;
	evm_xattr->value_len = sizeof(*xattr_data);
	evm_xattr->name = XATTR_EVM_SUFFIX;
	return 0;
out:
	kfree(xattr_data);
	return rc;
}
EXPORT_SYMBOL_GPL(evm_inode_init_security);

static int __init init_evm(void)
{
	int error;

	evm_init_config();

	error = evm_init_secfs();
	if (error < 0) {
		pr_info("Error registering secfs\n");
		goto err;
	}

	return 0;
err:
	return error;
}

/*
 * evm_display_config - list the EVM protected security extended attributes
 */
static int __init evm_display_config(void)
{
	char **xattrname;

	for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++)
		pr_info("%s\n", *xattrname);
	return 0;
}

pure_initcall(evm_display_config);
late_initcall(init_evm);

MODULE_DESCRIPTION("Extended Verification Module");
MODULE_LICENSE("GPL");
Commit	Line	Data
66dbc325 MZ	1	/*
	2	* Copyright (C) 2005-2010 IBM Corporation
	3	*
	4	* Author:
	5	* Mimi Zohar <zohar@us.ibm.com>
	6	* Kylene Hall <kjhall@us.ibm.com>
	7	*
	8	* This program is free software; you can redistribute it and/or modify
	9	* it under the terms of the GNU General Public License as published by
	10	* the Free Software Foundation, version 2 of the License.
	11	*
	12	* File: evm_main.c
	13	* implements evm_inode_setxattr, evm_inode_post_setxattr,
	14	* evm_inode_removexattr, and evm_verifyxattr
	15	*/
	16
20ee451f JP	17	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
20ee451f JP	18
66dbc325 MZ	19	#include <linux/module.h>
66dbc325 MZ	20	#include <linux/crypto.h>
9b97b6cd	21	#include <linux/audit.h>
66dbc325 MZ	22	#include <linux/xattr.h>
66dbc325 MZ	23	#include <linux/integrity.h>
3e1be52d	24	#include <linux/evm.h>
d46eb369	25	#include <crypto/hash.h>
66dbc325 MZ	26	#include "evm.h"
	27
	28	int evm_initialized;
	29
9b97b6cd MZ	30	static char *integrity_status_msg[] = {
	31	"pass", "fail", "no_label", "no_xattrs", "unknown"
	32	};
66dbc325	33	char *evm_hmac = "hmac(sha1)";
15647eb3	34	char *evm_hash = "sha1";
d3b33679	35	int evm_hmac_attrs;
66dbc325 MZ	36
	37	char *evm_config_xattrnames[] = {
	38	#ifdef CONFIG_SECURITY_SELINUX
	39	XATTR_NAME_SELINUX,
	40	#endif
	41	#ifdef CONFIG_SECURITY_SMACK
	42	XATTR_NAME_SMACK,
2fe5d6de MZ	43	#endif
	44	#ifdef CONFIG_IMA_APPRAISE
	45	XATTR_NAME_IMA,
66dbc325 MZ	46	#endif
	47	XATTR_NAME_CAPS,
	48	NULL
	49	};
	50
7102ebcd MZ	51	static int evm_fixmode;
	52	static int __init evm_set_fixmode(char *str)
	53	{
	54	if (strncmp(str, "fix", 3) == 0)
	55	evm_fixmode = 1;
	56	return 0;
	57	}
	58	__setup("evm=", evm_set_fixmode);
	59
d3b33679 DK	60	static void __init evm_init_config(void)
	61	{
	62	#ifdef CONFIG_EVM_ATTR_FSUUID
	63	evm_hmac_attrs \|= EVM_ATTR_FSUUID;
	64	#endif
	65	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
	66	}
	67
15647eb3 DK	68	static int evm_find_protected_xattrs(struct dentry *dentry)
	69	{
	70	struct inode *inode = dentry->d_inode;
	71	char **xattr;
	72	int error;
	73	int count = 0;
	74
627bf81a	75	if (!inode->i_op->getxattr)
15647eb3 DK	76	return -EOPNOTSUPP;
	77
	78	for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
	79	error = inode->i_op->getxattr(dentry, *xattr, NULL, 0);
	80	if (error < 0) {
	81	if (error == -ENODATA)
	82	continue;
	83	return error;
	84	}
	85	count++;
	86	}
	87
	88	return count;
	89	}
	90
66dbc325 MZ	91	/*
	92	* evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
	93	*
	94	* Compute the HMAC on the dentry's protected set of extended attributes
7102ebcd MZ	95	* and compare it against the stored security.evm xattr.
	96	*
	97	* For performance:
	98	* - use the previoulsy retrieved xattr value and length to calculate the
	99	* HMAC.)
	100	* - cache the verification result in the iint, when available.
66dbc325 MZ	101	*
	102	* Returns integrity status
	103	*/
	104	static enum integrity_status evm_verify_hmac(struct dentry *dentry,
	105	const char *xattr_name,
	106	char *xattr_value,
	107	size_t xattr_value_len,
	108	struct integrity_iint_cache *iint)
	109	{
15647eb3 DK	110	struct evm_ima_xattr_data *xattr_data = NULL;
15647eb3 DK	111	struct evm_ima_xattr_data calc;
566be59a	112	enum integrity_status evm_status = INTEGRITY_PASS;
15647eb3	113	int rc, xattr_len;
66dbc325	114
7102ebcd	115	if (iint && iint->evm_status == INTEGRITY_PASS)
24e0198e	116	return iint->evm_status;
66dbc325	117
6d38ca01 DK	118	/* if status is not PASS, try to check again - against -ENOMEM */
6d38ca01 DK	119
15647eb3 DK	120	/* first need to know the sig type */
	121	rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
	122	GFP_NOFS);
	123	if (rc <= 0) {
	124	if (rc == 0)
	125	evm_status = INTEGRITY_FAIL; /* empty */
	126	else if (rc == -ENODATA) {
	127	rc = evm_find_protected_xattrs(dentry);
	128	if (rc > 0)
	129	evm_status = INTEGRITY_NOLABEL;
	130	else if (rc == 0)
	131	evm_status = INTEGRITY_NOXATTRS; /* new file */
	132	}
566be59a MZ	133	goto out;
566be59a MZ	134	}
66dbc325	135
b1aaab22	136	xattr_len = rc;
15647eb3 DK	137
	138	/* check value type */
	139	switch (xattr_data->type) {
	140	case EVM_XATTR_HMAC:
	141	rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
	142	xattr_value_len, calc.digest);
	143	if (rc)
	144	break;
	145	rc = memcmp(xattr_data->digest, calc.digest,
	146	sizeof(calc.digest));
	147	if (rc)
	148	rc = -EINVAL;
	149	break;
	150	case EVM_IMA_XATTR_DIGSIG:
	151	rc = evm_calc_hash(dentry, xattr_name, xattr_value,
	152	xattr_value_len, calc.digest);
	153	if (rc)
	154	break;
	155	rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
b1aaab22	156	(const char *)xattr_data, xattr_len,
15647eb3 DK	157	calc.digest, sizeof(calc.digest));
	158	if (!rc) {
	159	/* we probably want to replace rsa with hmac here */
	160	evm_update_evmxattr(dentry, xattr_name, xattr_value,
	161	xattr_value_len);
	162	}
	163	break;
	164	default:
	165	rc = -EINVAL;
	166	break;
	167	}
	168
	169	if (rc)
	170	evm_status = (rc == -ENODATA) ?
	171	INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
7102ebcd MZ	172	out:
	173	if (iint)
	174	iint->evm_status = evm_status;
15647eb3	175	kfree(xattr_data);
7102ebcd	176	return evm_status;
66dbc325 MZ	177	}
	178
	179	static int evm_protected_xattr(const char *req_xattr_name)
	180	{
	181	char **xattrname;
	182	int namelen;
	183	int found = 0;
	184
	185	namelen = strlen(req_xattr_name);
	186	for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
	187	if ((strlen(*xattrname) == namelen)
	188	&& (strncmp(req_xattr_name, *xattrname, namelen) == 0)) {
	189	found = 1;
	190	break;
	191	}
cb723180 MZ	192	if (strncmp(req_xattr_name,
	193	*xattrname + XATTR_SECURITY_PREFIX_LEN,
	194	strlen(req_xattr_name)) == 0) {
	195	found = 1;
	196	break;
	197	}
66dbc325 MZ	198	}
	199	return found;
	200	}
	201
	202	/**
	203	* evm_verifyxattr - verify the integrity of the requested xattr
	204	* @dentry: object of the verify xattr
	205	* @xattr_name: requested xattr
	206	* @xattr_value: requested xattr value
	207	* @xattr_value_len: requested xattr value length
	208	*
	209	* Calculate the HMAC for the given dentry and verify it against the stored
	210	* security.evm xattr. For performance, use the xattr value and length
	211	* previously retrieved to calculate the HMAC.
	212	*
	213	* Returns the xattr integrity status.
	214	*
	215	* This function requires the caller to lock the inode's i_mutex before it
	216	* is executed.
	217	*/
	218	enum integrity_status evm_verifyxattr(struct dentry *dentry,
	219	const char *xattr_name,
2960e6cb DK	220	void *xattr_value, size_t xattr_value_len,
2960e6cb DK	221	struct integrity_iint_cache *iint)
66dbc325	222	{
66dbc325 MZ	223	if (!evm_initialized \|\| !evm_protected_xattr(xattr_name))
	224	return INTEGRITY_UNKNOWN;
	225
2960e6cb DK	226	if (!iint) {
	227	iint = integrity_iint_find(dentry->d_inode);
	228	if (!iint)
	229	return INTEGRITY_UNKNOWN;
	230	}
	231	return evm_verify_hmac(dentry, xattr_name, xattr_value,
66dbc325	232	xattr_value_len, iint);
66dbc325 MZ	233	}
	234	EXPORT_SYMBOL_GPL(evm_verifyxattr);
	235
7102ebcd MZ	236	/*
	237	* evm_verify_current_integrity - verify the dentry's metadata integrity
	238	* @dentry: pointer to the affected dentry
	239	*
	240	* Verify and return the dentry's metadata integrity. The exceptions are
	241	* before EVM is initialized or in 'fix' mode.
	242	*/
	243	static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
	244	{
	245	struct inode *inode = dentry->d_inode;
	246
	247	if (!evm_initialized \|\| !S_ISREG(inode->i_mode) \|\| evm_fixmode)
	248	return 0;
	249	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
	250	}
	251
a924ce0b MZ	252	/*
	253	* evm_protect_xattr - protect the EVM extended attribute
	254	*
bf6d0f5d MZ	255	* Prevent security.evm from being modified or removed without the
	256	* necessary permissions or when the existing value is invalid.
	257	*
	258	* The posix xattr acls are 'system' prefixed, which normally would not
	259	* affect security.evm. An interesting side affect of writing posix xattr
	260	* acls is their modifying of the i_mode, which is included in security.evm.
	261	* For posix xattr acls only, permit security.evm, even if it currently
	262	* doesn't exist, to be updated.
a924ce0b MZ	263	*/
	264	static int evm_protect_xattr(struct dentry dentry, const char xattr_name,
	265	const void *xattr_value, size_t xattr_value_len)
	266	{
	267	enum integrity_status evm_status;
	268
	269	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
	270	if (!capable(CAP_SYS_ADMIN))
	271	return -EPERM;
bf6d0f5d MZ	272	} else if (!evm_protected_xattr(xattr_name)) {
	273	if (!posix_xattr_acl(xattr_name))
	274	return 0;
	275	evm_status = evm_verify_current_integrity(dentry);
	276	if ((evm_status == INTEGRITY_PASS) \|\|
566be59a	277	(evm_status == INTEGRITY_NOXATTRS))
bf6d0f5d	278	return 0;
9b97b6cd	279	goto out;
bf6d0f5d	280	}
a924ce0b	281	evm_status = evm_verify_current_integrity(dentry);
9b97b6cd MZ	282	out:
	283	if (evm_status != INTEGRITY_PASS)
	284	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
	285	dentry->d_name.name, "appraise_metadata",
	286	integrity_status_msg[evm_status],
	287	-EPERM, 0);
a924ce0b MZ	288	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
	289	}
	290
66dbc325 MZ	291	/**
	292	* evm_inode_setxattr - protect the EVM extended attribute
	293	* @dentry: pointer to the affected dentry
	294	* @xattr_name: pointer to the affected extended attribute name
	295	* @xattr_value: pointer to the new extended attribute value
	296	* @xattr_value_len: pointer to the new extended attribute value length
	297	*
7102ebcd MZ	298	* Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that
7102ebcd MZ	299	* the current value is valid.
66dbc325 MZ	300	*/
	301	int evm_inode_setxattr(struct dentry dentry, const char xattr_name,
	302	const void *xattr_value, size_t xattr_value_len)
	303	{
a924ce0b MZ	304	return evm_protect_xattr(dentry, xattr_name, xattr_value,
a924ce0b MZ	305	xattr_value_len);
66dbc325 MZ	306	}
	307
	308	/**
	309	* evm_inode_removexattr - protect the EVM extended attribute
	310	* @dentry: pointer to the affected dentry
	311	* @xattr_name: pointer to the affected extended attribute name
	312	*
7102ebcd MZ	313	* Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
7102ebcd MZ	314	* the current value is valid.
66dbc325 MZ	315	*/
	316	int evm_inode_removexattr(struct dentry dentry, const char xattr_name)
	317	{
a924ce0b	318	return evm_protect_xattr(dentry, xattr_name, NULL, 0);
66dbc325 MZ	319	}
	320
	321	/**
	322	* evm_inode_post_setxattr - update 'security.evm' to reflect the changes
	323	* @dentry: pointer to the affected dentry
	324	* @xattr_name: pointer to the affected extended attribute name
	325	* @xattr_value: pointer to the new extended attribute value
	326	* @xattr_value_len: pointer to the new extended attribute value length
	327	*
	328	* Update the HMAC stored in 'security.evm' to reflect the change.
	329	*
	330	* No need to take the i_mutex lock here, as this function is called from
	331	* __vfs_setxattr_noperm(). The caller of which has taken the inode's
	332	* i_mutex lock.
	333	*/
	334	void evm_inode_post_setxattr(struct dentry dentry, const char xattr_name,
	335	const void *xattr_value, size_t xattr_value_len)
	336	{
bf6d0f5d MZ	337	if (!evm_initialized \|\| (!evm_protected_xattr(xattr_name)
bf6d0f5d MZ	338	&& !posix_xattr_acl(xattr_name)))
66dbc325 MZ	339	return;
	340
	341	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
	342	return;
	343	}
	344
	345	/**
	346	* evm_inode_post_removexattr - update 'security.evm' after removing the xattr
	347	* @dentry: pointer to the affected dentry
	348	* @xattr_name: pointer to the affected extended attribute name
	349	*
	350	* Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
	351	*/
	352	void evm_inode_post_removexattr(struct dentry dentry, const char xattr_name)
	353	{
	354	struct inode *inode = dentry->d_inode;
	355
	356	if (!evm_initialized \|\| !evm_protected_xattr(xattr_name))
	357	return;
	358
	359	mutex_lock(&inode->i_mutex);
	360	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
	361	mutex_unlock(&inode->i_mutex);
	362	return;
	363	}
	364
817b54aa MZ	365	/**
	366	* evm_inode_setattr - prevent updating an invalid EVM extended attribute
	367	* @dentry: pointer to the affected dentry
	368	*/
	369	int evm_inode_setattr(struct dentry dentry, struct iattr attr)
	370	{
	371	unsigned int ia_valid = attr->ia_valid;
	372	enum integrity_status evm_status;
	373
a924ce0b	374	if (!(ia_valid & (ATTR_MODE \| ATTR_UID \| ATTR_GID)))
817b54aa MZ	375	return 0;
817b54aa MZ	376	evm_status = evm_verify_current_integrity(dentry);
566be59a MZ	377	if ((evm_status == INTEGRITY_PASS) \|\|
	378	(evm_status == INTEGRITY_NOXATTRS))
	379	return 0;
9b97b6cd MZ	380	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
	381	dentry->d_name.name, "appraise_metadata",
	382	integrity_status_msg[evm_status], -EPERM, 0);
566be59a	383	return -EPERM;
817b54aa MZ	384	}
817b54aa MZ	385
66dbc325 MZ	386	/**
	387	* evm_inode_post_setattr - update 'security.evm' after modifying metadata
	388	* @dentry: pointer to the affected dentry
	389	* @ia_valid: for the UID and GID status
	390	*
	391	* For now, update the HMAC stored in 'security.evm' to reflect UID/GID
	392	* changes.
	393	*
	394	* This function is called from notify_change(), which expects the caller
	395	* to lock the inode's i_mutex.
	396	*/
	397	void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
	398	{
	399	if (!evm_initialized)
	400	return;
	401
	402	if (ia_valid & (ATTR_MODE \| ATTR_UID \| ATTR_GID))
	403	evm_update_evmxattr(dentry, NULL, NULL, 0);
	404	return;
	405	}
	406
cb723180 MZ	407	/*
	408	* evm_inode_init_security - initializes security.evm
	409	*/
	410	int evm_inode_init_security(struct inode *inode,
	411	const struct xattr *lsm_xattr,
	412	struct xattr *evm_xattr)
	413	{
	414	struct evm_ima_xattr_data *xattr_data;
	415	int rc;
	416
	417	if (!evm_initialized \|\| !evm_protected_xattr(lsm_xattr->name))
5a4730ba	418	return 0;
cb723180 MZ	419
	420	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
	421	if (!xattr_data)
	422	return -ENOMEM;
	423
	424	xattr_data->type = EVM_XATTR_HMAC;
	425	rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
	426	if (rc < 0)
	427	goto out;
	428
	429	evm_xattr->value = xattr_data;
	430	evm_xattr->value_len = sizeof(*xattr_data);
9548906b	431	evm_xattr->name = XATTR_EVM_SUFFIX;
cb723180 MZ	432	return 0;
	433	out:
	434	kfree(xattr_data);
	435	return rc;
	436	}
	437	EXPORT_SYMBOL_GPL(evm_inode_init_security);
	438
66dbc325 MZ	439	static int __init init_evm(void)
	440	{
	441	int error;
	442
d3b33679 DK	443	evm_init_config();
d3b33679 DK	444
66dbc325 MZ	445	error = evm_init_secfs();
66dbc325 MZ	446	if (error < 0) {
20ee451f	447	pr_info("Error registering secfs\n");
66dbc325 MZ	448	goto err;
66dbc325 MZ	449	}
15647eb3 DK	450
15647eb3 DK	451	return 0;
66dbc325 MZ	452	err:
	453	return error;
	454	}
	455
66dbc325 MZ	456	/*
	457	* evm_display_config - list the EVM protected security extended attributes
	458	*/
	459	static int __init evm_display_config(void)
	460	{
	461	char **xattrname;
	462
	463	for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++)
20ee451f	464	pr_info("%s\n", *xattrname);
66dbc325 MZ	465	return 0;
	466	}
	467
	468	pure_initcall(evm_display_config);
	469	late_initcall(init_evm);
	470
	471	MODULE_DESCRIPTION("Extended Verification Module");
	472	MODULE_LICENSE("GPL");