root/security/integrity/ima/ima_appraise.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. default_appraise_setup
  2. is_ima_appraise_enabled
  3. ima_must_appraise
  4. ima_fix_xattr
  5. ima_get_cache_status
  6. ima_set_cache_status
  7. ima_cache_flags
  8. ima_get_hash_algo
  9. ima_read_xattr
  10. xattr_verify
  11. modsig_verify
  12. ima_appraise_measurement
  13. ima_update_xattr
  14. ima_inode_post_setattr
  15. ima_protect_xattr
  16. ima_reset_appraise_flags
  17. ima_inode_setxattr
  18. ima_inode_removexattr

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Copyright (C) 2011 IBM Corporation
   4  *
   5  * Author:
   6  * Mimi Zohar <zohar@us.ibm.com>
   7  */
   8 #include <linux/init.h>
   9 #include <linux/file.h>
  10 #include <linux/fs.h>
  11 #include <linux/xattr.h>
  12 #include <linux/magic.h>
  13 #include <linux/ima.h>
  14 #include <linux/evm.h>
  15 
  16 #include "ima.h"
  17 
  18 static int __init default_appraise_setup(char *str)
  19 {
  20 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
  21         if (strncmp(str, "off", 3) == 0)
  22                 ima_appraise = 0;
  23         else if (strncmp(str, "log", 3) == 0)
  24                 ima_appraise = IMA_APPRAISE_LOG;
  25         else if (strncmp(str, "fix", 3) == 0)
  26                 ima_appraise = IMA_APPRAISE_FIX;
  27 #endif
  28         return 1;
  29 }
  30 
  31 __setup("ima_appraise=", default_appraise_setup);
  32 
  33 /*
  34  * is_ima_appraise_enabled - return appraise status
  35  *
  36  * Only return enabled, if not in ima_appraise="fix" or "log" modes.
  37  */
  38 bool is_ima_appraise_enabled(void)
  39 {
  40         return ima_appraise & IMA_APPRAISE_ENFORCE;
  41 }
  42 
  43 /*
  44  * ima_must_appraise - set appraise flag
  45  *
  46  * Return 1 to appraise or hash
  47  */
  48 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
  49 {
  50         u32 secid;
  51 
  52         if (!ima_appraise)
  53                 return 0;
  54 
  55         security_task_getsecid(current, &secid);
  56         return ima_match_policy(inode, current_cred(), secid, func, mask,
  57                                 IMA_APPRAISE | IMA_HASH, NULL, NULL);
  58 }
  59 
  60 static int ima_fix_xattr(struct dentry *dentry,
  61                          struct integrity_iint_cache *iint)
  62 {
  63         int rc, offset;
  64         u8 algo = iint->ima_hash->algo;
  65 
  66         if (algo <= HASH_ALGO_SHA1) {
  67                 offset = 1;
  68                 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
  69         } else {
  70                 offset = 0;
  71                 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
  72                 iint->ima_hash->xattr.ng.algo = algo;
  73         }
  74         rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
  75                                    &iint->ima_hash->xattr.data[offset],
  76                                    (sizeof(iint->ima_hash->xattr) - offset) +
  77                                    iint->ima_hash->length, 0);
  78         return rc;
  79 }
  80 
  81 /* Return specific func appraised cached result */
  82 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
  83                                            enum ima_hooks func)
  84 {
  85         switch (func) {
  86         case MMAP_CHECK:
  87                 return iint->ima_mmap_status;
  88         case BPRM_CHECK:
  89                 return iint->ima_bprm_status;
  90         case CREDS_CHECK:
  91                 return iint->ima_creds_status;
  92         case FILE_CHECK:
  93         case POST_SETATTR:
  94                 return iint->ima_file_status;
  95         case MODULE_CHECK ... MAX_CHECK - 1:
  96         default:
  97                 return iint->ima_read_status;
  98         }
  99 }
 100 
 101 static void ima_set_cache_status(struct integrity_iint_cache *iint,
 102                                  enum ima_hooks func,
 103                                  enum integrity_status status)
 104 {
 105         switch (func) {
 106         case MMAP_CHECK:
 107                 iint->ima_mmap_status = status;
 108                 break;
 109         case BPRM_CHECK:
 110                 iint->ima_bprm_status = status;
 111                 break;
 112         case CREDS_CHECK:
 113                 iint->ima_creds_status = status;
 114                 break;
 115         case FILE_CHECK:
 116         case POST_SETATTR:
 117                 iint->ima_file_status = status;
 118                 break;
 119         case MODULE_CHECK ... MAX_CHECK - 1:
 120         default:
 121                 iint->ima_read_status = status;
 122                 break;
 123         }
 124 }
 125 
 126 static void ima_cache_flags(struct integrity_iint_cache *iint,
 127                              enum ima_hooks func)
 128 {
 129         switch (func) {
 130         case MMAP_CHECK:
 131                 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
 132                 break;
 133         case BPRM_CHECK:
 134                 iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
 135                 break;
 136         case CREDS_CHECK:
 137                 iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
 138                 break;
 139         case FILE_CHECK:
 140         case POST_SETATTR:
 141                 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
 142                 break;
 143         case MODULE_CHECK ... MAX_CHECK - 1:
 144         default:
 145                 iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
 146                 break;
 147         }
 148 }
 149 
 150 enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
 151                                  int xattr_len)
 152 {
 153         struct signature_v2_hdr *sig;
 154         enum hash_algo ret;
 155 
 156         if (!xattr_value || xattr_len < 2)
 157                 /* return default hash algo */
 158                 return ima_hash_algo;
 159 
 160         switch (xattr_value->type) {
 161         case EVM_IMA_XATTR_DIGSIG:
 162                 sig = (typeof(sig))xattr_value;
 163                 if (sig->version != 2 || xattr_len <= sizeof(*sig))
 164                         return ima_hash_algo;
 165                 return sig->hash_algo;
 166                 break;
 167         case IMA_XATTR_DIGEST_NG:
 168                 /* first byte contains algorithm id */
 169                 ret = xattr_value->data[0];
 170                 if (ret < HASH_ALGO__LAST)
 171                         return ret;
 172                 break;
 173         case IMA_XATTR_DIGEST:
 174                 /* this is for backward compatibility */
 175                 if (xattr_len == 21) {
 176                         unsigned int zero = 0;
 177                         if (!memcmp(&xattr_value->data[16], &zero, 4))
 178                                 return HASH_ALGO_MD5;
 179                         else
 180                                 return HASH_ALGO_SHA1;
 181                 } else if (xattr_len == 17)
 182                         return HASH_ALGO_MD5;
 183                 break;
 184         }
 185 
 186         /* return default hash algo */
 187         return ima_hash_algo;
 188 }
 189 
 190 int ima_read_xattr(struct dentry *dentry,
 191                    struct evm_ima_xattr_data **xattr_value)
 192 {
 193         ssize_t ret;
 194 
 195         ret = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
 196                                  0, GFP_NOFS);
 197         if (ret == -EOPNOTSUPP)
 198                 ret = 0;
 199         return ret;
 200 }
 201 
 202 /*
 203  * xattr_verify - verify xattr digest or signature
 204  *
 205  * Verify whether the hash or signature matches the file contents.
 206  *
 207  * Return 0 on success, error code otherwise.
 208  */
 209 static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
 210                         struct evm_ima_xattr_data *xattr_value, int xattr_len,
 211                         enum integrity_status *status, const char **cause)
 212 {
 213         int rc = -EINVAL, hash_start = 0;
 214 
 215         switch (xattr_value->type) {
 216         case IMA_XATTR_DIGEST_NG:
 217                 /* first byte contains algorithm id */
 218                 hash_start = 1;
 219                 /* fall through */
 220         case IMA_XATTR_DIGEST:
 221                 if (iint->flags & IMA_DIGSIG_REQUIRED) {
 222                         *cause = "IMA-signature-required";
 223                         *status = INTEGRITY_FAIL;
 224                         break;
 225                 }
 226                 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
 227                 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
 228                                 iint->ima_hash->length)
 229                         /*
 230                          * xattr length may be longer. md5 hash in previous
 231                          * version occupied 20 bytes in xattr, instead of 16
 232                          */
 233                         rc = memcmp(&xattr_value->data[hash_start],
 234                                     iint->ima_hash->digest,
 235                                     iint->ima_hash->length);
 236                 else
 237                         rc = -EINVAL;
 238                 if (rc) {
 239                         *cause = "invalid-hash";
 240                         *status = INTEGRITY_FAIL;
 241                         break;
 242                 }
 243                 *status = INTEGRITY_PASS;
 244                 break;
 245         case EVM_IMA_XATTR_DIGSIG:
 246                 set_bit(IMA_DIGSIG, &iint->atomic_flags);
 247                 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
 248                                              (const char *)xattr_value,
 249                                              xattr_len,
 250                                              iint->ima_hash->digest,
 251                                              iint->ima_hash->length);
 252                 if (rc == -EOPNOTSUPP) {
 253                         *status = INTEGRITY_UNKNOWN;
 254                         break;
 255                 }
 256                 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
 257                     func == KEXEC_KERNEL_CHECK)
 258                         rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
 259                                                      (const char *)xattr_value,
 260                                                      xattr_len,
 261                                                      iint->ima_hash->digest,
 262                                                      iint->ima_hash->length);
 263                 if (rc) {
 264                         *cause = "invalid-signature";
 265                         *status = INTEGRITY_FAIL;
 266                 } else {
 267                         *status = INTEGRITY_PASS;
 268                 }
 269                 break;
 270         default:
 271                 *status = INTEGRITY_UNKNOWN;
 272                 *cause = "unknown-ima-data";
 273                 break;
 274         }
 275 
 276         return rc;
 277 }
 278 
 279 /*
 280  * modsig_verify - verify modsig signature
 281  *
 282  * Verify whether the signature matches the file contents.
 283  *
 284  * Return 0 on success, error code otherwise.
 285  */
 286 static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
 287                          enum integrity_status *status, const char **cause)
 288 {
 289         int rc;
 290 
 291         rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
 292         if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
 293             func == KEXEC_KERNEL_CHECK)
 294                 rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
 295                                              modsig);
 296         if (rc) {
 297                 *cause = "invalid-signature";
 298                 *status = INTEGRITY_FAIL;
 299         } else {
 300                 *status = INTEGRITY_PASS;
 301         }
 302 
 303         return rc;
 304 }
 305 
 306 /*
 307  * ima_appraise_measurement - appraise file measurement
 308  *
 309  * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
 310  * Assuming success, compare the xattr hash with the collected measurement.
 311  *
 312  * Return 0 on success, error code otherwise
 313  */
 314 int ima_appraise_measurement(enum ima_hooks func,
 315                              struct integrity_iint_cache *iint,
 316                              struct file *file, const unsigned char *filename,
 317                              struct evm_ima_xattr_data *xattr_value,
 318                              int xattr_len, const struct modsig *modsig)
 319 {
 320         static const char op[] = "appraise_data";
 321         const char *cause = "unknown";
 322         struct dentry *dentry = file_dentry(file);
 323         struct inode *inode = d_backing_inode(dentry);
 324         enum integrity_status status = INTEGRITY_UNKNOWN;
 325         int rc = xattr_len;
 326         bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
 327 
 328         /* If not appraising a modsig, we need an xattr. */
 329         if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
 330                 return INTEGRITY_UNKNOWN;
 331 
 332         /* If reading the xattr failed and there's no modsig, error out. */
 333         if (rc <= 0 && !try_modsig) {
 334                 if (rc && rc != -ENODATA)
 335                         goto out;
 336 
 337                 cause = iint->flags & IMA_DIGSIG_REQUIRED ?
 338                                 "IMA-signature-required" : "missing-hash";
 339                 status = INTEGRITY_NOLABEL;
 340                 if (file->f_mode & FMODE_CREATED)
 341                         iint->flags |= IMA_NEW_FILE;
 342                 if ((iint->flags & IMA_NEW_FILE) &&
 343                     (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
 344                      (inode->i_size == 0)))
 345                         status = INTEGRITY_PASS;
 346                 goto out;
 347         }
 348 
 349         status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
 350         switch (status) {
 351         case INTEGRITY_PASS:
 352         case INTEGRITY_PASS_IMMUTABLE:
 353         case INTEGRITY_UNKNOWN:
 354                 break;
 355         case INTEGRITY_NOXATTRS:        /* No EVM protected xattrs. */
 356                 /* It's fine not to have xattrs when using a modsig. */
 357                 if (try_modsig)
 358                         break;
 359                 /* fall through */
 360         case INTEGRITY_NOLABEL:         /* No security.evm xattr. */
 361                 cause = "missing-HMAC";
 362                 goto out;
 363         case INTEGRITY_FAIL:            /* Invalid HMAC/signature. */
 364                 cause = "invalid-HMAC";
 365                 goto out;
 366         default:
 367                 WARN_ONCE(true, "Unexpected integrity status %d\n", status);
 368         }
 369 
 370         if (xattr_value)
 371                 rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
 372                                   &cause);
 373 
 374         /*
 375          * If we have a modsig and either no imasig or the imasig's key isn't
 376          * known, then try verifying the modsig.
 377          */
 378         if (try_modsig &&
 379             (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
 380              rc == -ENOKEY))
 381                 rc = modsig_verify(func, modsig, &status, &cause);
 382 
 383 out:
 384         /*
 385          * File signatures on some filesystems can not be properly verified.
 386          * When such filesystems are mounted by an untrusted mounter or on a
 387          * system not willing to accept such a risk, fail the file signature
 388          * verification.
 389          */
 390         if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
 391             ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
 392              (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
 393                 status = INTEGRITY_FAIL;
 394                 cause = "unverifiable-signature";
 395                 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
 396                                     op, cause, rc, 0);
 397         } else if (status != INTEGRITY_PASS) {
 398                 /* Fix mode, but don't replace file signatures. */
 399                 if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
 400                     (!xattr_value ||
 401                      xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
 402                         if (!ima_fix_xattr(dentry, iint))
 403                                 status = INTEGRITY_PASS;
 404                 }
 405 
 406                 /* Permit new files with file signatures, but without data. */
 407                 if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
 408                     xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
 409                         status = INTEGRITY_PASS;
 410                 }
 411 
 412                 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
 413                                     op, cause, rc, 0);
 414         } else {
 415                 ima_cache_flags(iint, func);
 416         }
 417 
 418         ima_set_cache_status(iint, func, status);
 419         return status;
 420 }
 421 
 422 /*
 423  * ima_update_xattr - update 'security.ima' hash value
 424  */
 425 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
 426 {
 427         struct dentry *dentry = file_dentry(file);
 428         int rc = 0;
 429 
 430         /* do not collect and update hash for digital signatures */
 431         if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
 432                 return;
 433 
 434         if ((iint->ima_file_status != INTEGRITY_PASS) &&
 435             !(iint->flags & IMA_HASH))
 436                 return;
 437 
 438         rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
 439         if (rc < 0)
 440                 return;
 441 
 442         inode_lock(file_inode(file));
 443         ima_fix_xattr(dentry, iint);
 444         inode_unlock(file_inode(file));
 445 }
 446 
 447 /**
 448  * ima_inode_post_setattr - reflect file metadata changes
 449  * @dentry: pointer to the affected dentry
 450  *
 451  * Changes to a dentry's metadata might result in needing to appraise.
 452  *
 453  * This function is called from notify_change(), which expects the caller
 454  * to lock the inode's i_mutex.
 455  */
 456 void ima_inode_post_setattr(struct dentry *dentry)
 457 {
 458         struct inode *inode = d_backing_inode(dentry);
 459         struct integrity_iint_cache *iint;
 460         int action;
 461 
 462         if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
 463             || !(inode->i_opflags & IOP_XATTR))
 464                 return;
 465 
 466         action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
 467         if (!action)
 468                 __vfs_removexattr(dentry, XATTR_NAME_IMA);
 469         iint = integrity_iint_find(inode);
 470         if (iint) {
 471                 set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
 472                 if (!action)
 473                         clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
 474         }
 475 }
 476 
 477 /*
 478  * ima_protect_xattr - protect 'security.ima'
 479  *
 480  * Ensure that not just anyone can modify or remove 'security.ima'.
 481  */
 482 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
 483                              const void *xattr_value, size_t xattr_value_len)
 484 {
 485         if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
 486                 if (!capable(CAP_SYS_ADMIN))
 487                         return -EPERM;
 488                 return 1;
 489         }
 490         return 0;
 491 }
 492 
 493 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
 494 {
 495         struct integrity_iint_cache *iint;
 496 
 497         if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
 498                 return;
 499 
 500         iint = integrity_iint_find(inode);
 501         if (!iint)
 502                 return;
 503         iint->measured_pcrs = 0;
 504         set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
 505         if (digsig)
 506                 set_bit(IMA_DIGSIG, &iint->atomic_flags);
 507         else
 508                 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
 509 }
 510 
 511 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 512                        const void *xattr_value, size_t xattr_value_len)
 513 {
 514         const struct evm_ima_xattr_data *xvalue = xattr_value;
 515         int result;
 516 
 517         result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 518                                    xattr_value_len);
 519         if (result == 1) {
 520                 if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 521                         return -EINVAL;
 522                 ima_reset_appraise_flags(d_backing_inode(dentry),
 523                         xvalue->type == EVM_IMA_XATTR_DIGSIG);
 524                 result = 0;
 525         }
 526         return result;
 527 }
 528 
 529 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 530 {
 531         int result;
 532 
 533         result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
 534         if (result == 1) {
 535                 ima_reset_appraise_flags(d_backing_inode(dentry), 0);
 536                 result = 0;
 537         }
 538         return result;
 539 }

/* [<][>][^][v][top][bottom][index][help] */