integrity/ima/ima_appraise.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * Copyright (C) 2011 IBM Corporation
0004  *
0005  * Author:
0006  * Mimi Zohar <zohar@us.ibm.com>
0007  */
0008 #include <linux/module.h>
0009 #include <linux/init.h>
0010 #include <linux/file.h>
0011 #include <linux/fs.h>
0012 #include <linux/xattr.h>
0013 #include <linux/magic.h>
0014 #include <linux/ima.h>
0015 #include <linux/evm.h>
0016 #include <linux/fsverity.h>
0017 #include <keys/system_keyring.h>
0018 #include <uapi/linux/fsverity.h>
0019
0020 #include "ima.h"
0021
0022 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
0023 static char *ima_appraise_cmdline_default __initdata;
0024 core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);
0025
0026 void __init ima_appraise_parse_cmdline(void)
0027 {
0028     const char *str = ima_appraise_cmdline_default;
0029     bool sb_state = arch_ima_get_secureboot();
0030     int appraisal_state = ima_appraise;
0031
0032     if (!str)
0033         return;
0034
0035     if (strncmp(str, "off", 3) == 0)
0036         appraisal_state = 0;
0037     else if (strncmp(str, "log", 3) == 0)
0038         appraisal_state = IMA_APPRAISE_LOG;
0039     else if (strncmp(str, "fix", 3) == 0)
0040         appraisal_state = IMA_APPRAISE_FIX;
0041     else if (strncmp(str, "enforce", 7) == 0)
0042         appraisal_state = IMA_APPRAISE_ENFORCE;
0043     else
0044         pr_err("invalid \"%s\" appraise option", str);
0045
0046     /* If appraisal state was changed, but secure boot is enabled,
0047      * keep its default */
0048     if (sb_state) {
0049         if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
0050             pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
0051                 str);
0052     } else {
0053         ima_appraise = appraisal_state;
0054     }
0055 }
0056 #endif
0057
0058 /*
0059  * is_ima_appraise_enabled - return appraise status
0060  *
0061  * Only return enabled, if not in ima_appraise="fix" or "log" modes.
0062  */
0063 bool is_ima_appraise_enabled(void)
0064 {
0065     return ima_appraise & IMA_APPRAISE_ENFORCE;
0066 }
0067
0068 /*
0069  * ima_must_appraise - set appraise flag
0070  *
0071  * Return 1 to appraise or hash
0072  */
0073 int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
0074               int mask, enum ima_hooks func)
0075 {
0076     u32 secid;
0077
0078     if (!ima_appraise)
0079         return 0;
0080
0081     security_current_getsecid_subj(&secid);
0082     return ima_match_policy(mnt_userns, inode, current_cred(), secid,
0083                 func, mask, IMA_APPRAISE | IMA_HASH, NULL,
0084                 NULL, NULL, NULL);
0085 }
0086
0087 static int ima_fix_xattr(struct dentry *dentry,
0088              struct integrity_iint_cache *iint)
0089 {
0090     int rc, offset;
0091     u8 algo = iint->ima_hash->algo;
0092
0093     if (algo <= HASH_ALGO_SHA1) {
0094         offset = 1;
0095         iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
0096     } else {
0097         offset = 0;
0098         iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
0099         iint->ima_hash->xattr.ng.algo = algo;
0100     }
0101     rc = __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_IMA,
0102                    &iint->ima_hash->xattr.data[offset],
0103                    (sizeof(iint->ima_hash->xattr) - offset) +
0104                    iint->ima_hash->length, 0);
0105     return rc;
0106 }
0107
0108 /* Return specific func appraised cached result */
0109 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
0110                        enum ima_hooks func)
0111 {
0112     switch (func) {
0113     case MMAP_CHECK:
0114         return iint->ima_mmap_status;
0115     case BPRM_CHECK:
0116         return iint->ima_bprm_status;
0117     case CREDS_CHECK:
0118         return iint->ima_creds_status;
0119     case FILE_CHECK:
0120     case POST_SETATTR:
0121         return iint->ima_file_status;
0122     case MODULE_CHECK ... MAX_CHECK - 1:
0123     default:
0124         return iint->ima_read_status;
0125     }
0126 }
0127
0128 static void ima_set_cache_status(struct integrity_iint_cache *iint,
0129                  enum ima_hooks func,
0130                  enum integrity_status status)
0131 {
0132     switch (func) {
0133     case MMAP_CHECK:
0134         iint->ima_mmap_status = status;
0135         break;
0136     case BPRM_CHECK:
0137         iint->ima_bprm_status = status;
0138         break;
0139     case CREDS_CHECK:
0140         iint->ima_creds_status = status;
0141         break;
0142     case FILE_CHECK:
0143     case POST_SETATTR:
0144         iint->ima_file_status = status;
0145         break;
0146     case MODULE_CHECK ... MAX_CHECK - 1:
0147     default:
0148         iint->ima_read_status = status;
0149         break;
0150     }
0151 }
0152
0153 static void ima_cache_flags(struct integrity_iint_cache *iint,
0154                  enum ima_hooks func)
0155 {
0156     switch (func) {
0157     case MMAP_CHECK:
0158         iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
0159         break;
0160     case BPRM_CHECK:
0161         iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
0162         break;
0163     case CREDS_CHECK:
0164         iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
0165         break;
0166     case FILE_CHECK:
0167     case POST_SETATTR:
0168         iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
0169         break;
0170     case MODULE_CHECK ... MAX_CHECK - 1:
0171     default:
0172         iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
0173         break;
0174     }
0175 }
0176
0177 enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
0178                  int xattr_len)
0179 {
0180     struct signature_v2_hdr *sig;
0181     enum hash_algo ret;
0182
0183     if (!xattr_value || xattr_len < 2)
0184         /* return default hash algo */
0185         return ima_hash_algo;
0186
0187     switch (xattr_value->type) {
0188     case IMA_VERITY_DIGSIG:
0189         sig = (typeof(sig))xattr_value;
0190         if (sig->version != 3 || xattr_len <= sizeof(*sig) ||
0191             sig->hash_algo >= HASH_ALGO__LAST)
0192             return ima_hash_algo;
0193         return sig->hash_algo;
0194     case EVM_IMA_XATTR_DIGSIG:
0195         sig = (typeof(sig))xattr_value;
0196         if (sig->version != 2 || xattr_len <= sizeof(*sig)
0197             || sig->hash_algo >= HASH_ALGO__LAST)
0198             return ima_hash_algo;
0199         return sig->hash_algo;
0200     case IMA_XATTR_DIGEST_NG:
0201         /* first byte contains algorithm id */
0202         ret = xattr_value->data[0];
0203         if (ret < HASH_ALGO__LAST)
0204             return ret;
0205         break;
0206     case IMA_XATTR_DIGEST:
0207         /* this is for backward compatibility */
0208         if (xattr_len == 21) {
0209             unsigned int zero = 0;
0210             if (!memcmp(&xattr_value->data[16], &zero, 4))
0211                 return HASH_ALGO_MD5;
0212             else
0213                 return HASH_ALGO_SHA1;
0214         } else if (xattr_len == 17)
0215             return HASH_ALGO_MD5;
0216         break;
0217     }
0218
0219     /* return default hash algo */
0220     return ima_hash_algo;
0221 }
0222
0223 int ima_read_xattr(struct dentry *dentry,
0224            struct evm_ima_xattr_data **xattr_value)
0225 {
0226     ssize_t ret;
0227
0228     ret = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_IMA,
0229                  (char **)xattr_value, 0, GFP_NOFS);
0230     if (ret == -EOPNOTSUPP)
0231         ret = 0;
0232     return ret;
0233 }
0234
0235 /*
0236  * calc_file_id_hash - calculate the hash of the ima_file_id struct data
0237  * @type: xattr type [enum evm_ima_xattr_type]
0238  * @algo: hash algorithm [enum hash_algo]
0239  * @digest: pointer to the digest to be hashed
0240  * @hash: (out) pointer to the hash
0241  *
0242  * IMA signature version 3 disambiguates the data that is signed by
0243  * indirectly signing the hash of the ima_file_id structure data.
0244  *
0245  * Signing the ima_file_id struct is currently only supported for
0246  * IMA_VERITY_DIGSIG type xattrs.
0247  *
0248  * Return 0 on success, error code otherwise.
0249  */
0250 static int calc_file_id_hash(enum evm_ima_xattr_type type,
0251                  enum hash_algo algo, const u8 *digest,
0252                  struct ima_digest_data *hash)
0253 {
0254     struct ima_file_id file_id = {
0255         .hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
0256     unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo];
0257
0258     if (type != IMA_VERITY_DIGSIG)
0259         return -EINVAL;
0260
0261     memcpy(file_id.hash, digest, hash_digest_size[algo]);
0262
0263     hash->algo = algo;
0264     hash->length = hash_digest_size[algo];
0265
0266     return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash);
0267 }
0268
0269 /*
0270  * xattr_verify - verify xattr digest or signature
0271  *
0272  * Verify whether the hash or signature matches the file contents.
0273  *
0274  * Return 0 on success, error code otherwise.
0275  */
0276 static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
0277             struct evm_ima_xattr_data *xattr_value, int xattr_len,
0278             enum integrity_status *status, const char **cause)
0279 {
0280     struct ima_max_digest_data hash;
0281     struct signature_v2_hdr *sig;
0282     int rc = -EINVAL, hash_start = 0;
0283     int mask;
0284
0285     switch (xattr_value->type) {
0286     case IMA_XATTR_DIGEST_NG:
0287         /* first byte contains algorithm id */
0288         hash_start = 1;
0289         fallthrough;
0290     case IMA_XATTR_DIGEST:
0291         if (*status != INTEGRITY_PASS_IMMUTABLE) {
0292             if (iint->flags & IMA_DIGSIG_REQUIRED) {
0293                 if (iint->flags & IMA_VERITY_REQUIRED)
0294                     *cause = "verity-signature-required";
0295                 else
0296                     *cause = "IMA-signature-required";
0297                 *status = INTEGRITY_FAIL;
0298                 break;
0299             }
0300             clear_bit(IMA_DIGSIG, &iint->atomic_flags);
0301         } else {
0302             set_bit(IMA_DIGSIG, &iint->atomic_flags);
0303         }
0304         if (xattr_len - sizeof(xattr_value->type) - hash_start >=
0305                 iint->ima_hash->length)
0306             /*
0307              * xattr length may be longer. md5 hash in previous
0308              * version occupied 20 bytes in xattr, instead of 16
0309              */
0310             rc = memcmp(&xattr_value->data[hash_start],
0311                     iint->ima_hash->digest,
0312                     iint->ima_hash->length);
0313         else
0314             rc = -EINVAL;
0315         if (rc) {
0316             *cause = "invalid-hash";
0317             *status = INTEGRITY_FAIL;
0318             break;
0319         }
0320         *status = INTEGRITY_PASS;
0321         break;
0322     case EVM_IMA_XATTR_DIGSIG:
0323         set_bit(IMA_DIGSIG, &iint->atomic_flags);
0324
0325         mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED;
0326         if ((iint->flags & mask) == mask) {
0327             *cause = "verity-signature-required";
0328             *status = INTEGRITY_FAIL;
0329             break;
0330         }
0331
0332         sig = (typeof(sig))xattr_value;
0333         if (sig->version >= 3) {
0334             *cause = "invalid-signature-version";
0335             *status = INTEGRITY_FAIL;
0336             break;
0337         }
0338         rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
0339                          (const char *)xattr_value,
0340                          xattr_len,
0341                          iint->ima_hash->digest,
0342                          iint->ima_hash->length);
0343         if (rc == -EOPNOTSUPP) {
0344             *status = INTEGRITY_UNKNOWN;
0345             break;
0346         }
0347         if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
0348             func == KEXEC_KERNEL_CHECK)
0349             rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
0350                              (const char *)xattr_value,
0351                              xattr_len,
0352                              iint->ima_hash->digest,
0353                              iint->ima_hash->length);
0354         if (rc) {
0355             *cause = "invalid-signature";
0356             *status = INTEGRITY_FAIL;
0357         } else {
0358             *status = INTEGRITY_PASS;
0359         }
0360         break;
0361     case IMA_VERITY_DIGSIG:
0362         set_bit(IMA_DIGSIG, &iint->atomic_flags);
0363
0364         if (iint->flags & IMA_DIGSIG_REQUIRED) {
0365             if (!(iint->flags & IMA_VERITY_REQUIRED)) {
0366                 *cause = "IMA-signature-required";
0367                 *status = INTEGRITY_FAIL;
0368                 break;
0369             }
0370         }
0371
0372         sig = (typeof(sig))xattr_value;
0373         if (sig->version != 3) {
0374             *cause = "invalid-signature-version";
0375             *status = INTEGRITY_FAIL;
0376             break;
0377         }
0378
0379         rc = calc_file_id_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
0380                        iint->ima_hash->digest, &hash.hdr);
0381         if (rc) {
0382             *cause = "sigv3-hashing-error";
0383             *status = INTEGRITY_FAIL;
0384             break;
0385         }
0386
0387         rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
0388                          (const char *)xattr_value,
0389                          xattr_len, hash.digest,
0390                          hash.hdr.length);
0391         if (rc) {
0392             *cause = "invalid-verity-signature";
0393             *status = INTEGRITY_FAIL;
0394         } else {
0395             *status = INTEGRITY_PASS;
0396         }
0397
0398         break;
0399     default:
0400         *status = INTEGRITY_UNKNOWN;
0401         *cause = "unknown-ima-data";
0402         break;
0403     }
0404
0405     return rc;
0406 }
0407
0408 /*
0409  * modsig_verify - verify modsig signature
0410  *
0411  * Verify whether the signature matches the file contents.
0412  *
0413  * Return 0 on success, error code otherwise.
0414  */
0415 static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
0416              enum integrity_status *status, const char **cause)
0417 {
0418     int rc;
0419
0420     rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
0421     if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
0422         func == KEXEC_KERNEL_CHECK)
0423         rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
0424                          modsig);
0425     if (rc) {
0426         *cause = "invalid-signature";
0427         *status = INTEGRITY_FAIL;
0428     } else {
0429         *status = INTEGRITY_PASS;
0430     }
0431
0432     return rc;
0433 }
0434
0435 /*
0436  * ima_check_blacklist - determine if the binary is blacklisted.
0437  *
0438  * Add the hash of the blacklisted binary to the measurement list, based
0439  * on policy.
0440  *
0441  * Returns -EPERM if the hash is blacklisted.
0442  */
0443 int ima_check_blacklist(struct integrity_iint_cache *iint,
0444             const struct modsig *modsig, int pcr)
0445 {
0446     enum hash_algo hash_algo;
0447     const u8 *digest = NULL;
0448     u32 digestsize = 0;
0449     int rc = 0;
0450
0451     if (!(iint->flags & IMA_CHECK_BLACKLIST))
0452         return 0;
0453
0454     if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
0455         ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
0456
0457         rc = is_binary_blacklisted(digest, digestsize);
0458         if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
0459             process_buffer_measurement(&init_user_ns, NULL, digest, digestsize,
0460                            "blacklisted-hash", NONE,
0461                            pcr, NULL, false, NULL, 0);
0462     }
0463
0464     return rc;
0465 }
0466
0467 /*
0468  * ima_appraise_measurement - appraise file measurement
0469  *
0470  * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
0471  * Assuming success, compare the xattr hash with the collected measurement.
0472  *
0473  * Return 0 on success, error code otherwise
0474  */
0475 int ima_appraise_measurement(enum ima_hooks func,
0476                  struct integrity_iint_cache *iint,
0477                  struct file *file, const unsigned char *filename,
0478                  struct evm_ima_xattr_data *xattr_value,
0479                  int xattr_len, const struct modsig *modsig)
0480 {
0481     static const char op[] = "appraise_data";
0482     const char *cause = "unknown";
0483     struct dentry *dentry = file_dentry(file);
0484     struct inode *inode = d_backing_inode(dentry);
0485     enum integrity_status status = INTEGRITY_UNKNOWN;
0486     int rc = xattr_len;
0487     bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
0488
0489     /* If not appraising a modsig, we need an xattr. */
0490     if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
0491         return INTEGRITY_UNKNOWN;
0492
0493     /* If reading the xattr failed and there's no modsig, error out. */
0494     if (rc <= 0 && !try_modsig) {
0495         if (rc && rc != -ENODATA)
0496             goto out;
0497
0498         if (iint->flags & IMA_DIGSIG_REQUIRED) {
0499             if (iint->flags & IMA_VERITY_REQUIRED)
0500                 cause = "verity-signature-required";
0501             else
0502                 cause = "IMA-signature-required";
0503         } else {
0504             cause = "missing-hash";
0505         }
0506
0507         status = INTEGRITY_NOLABEL;
0508         if (file->f_mode & FMODE_CREATED)
0509             iint->flags |= IMA_NEW_FILE;
0510         if ((iint->flags & IMA_NEW_FILE) &&
0511             (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
0512              (inode->i_size == 0)))
0513             status = INTEGRITY_PASS;
0514         goto out;
0515     }
0516
0517     status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
0518                  rc < 0 ? 0 : rc, iint);
0519     switch (status) {
0520     case INTEGRITY_PASS:
0521     case INTEGRITY_PASS_IMMUTABLE:
0522     case INTEGRITY_UNKNOWN:
0523         break;
0524     case INTEGRITY_NOXATTRS:    /* No EVM protected xattrs. */
0525         /* It's fine not to have xattrs when using a modsig. */
0526         if (try_modsig)
0527             break;
0528         fallthrough;
0529     case INTEGRITY_NOLABEL:     /* No security.evm xattr. */
0530         cause = "missing-HMAC";
0531         goto out;
0532     case INTEGRITY_FAIL_IMMUTABLE:
0533         set_bit(IMA_DIGSIG, &iint->atomic_flags);
0534         cause = "invalid-fail-immutable";
0535         goto out;
0536     case INTEGRITY_FAIL:        /* Invalid HMAC/signature. */
0537         cause = "invalid-HMAC";
0538         goto out;
0539     default:
0540         WARN_ONCE(true, "Unexpected integrity status %d\n", status);
0541     }
0542
0543     if (xattr_value)
0544         rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
0545                   &cause);
0546
0547     /*
0548      * If we have a modsig and either no imasig or the imasig's key isn't
0549      * known, then try verifying the modsig.
0550      */
0551     if (try_modsig &&
0552         (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
0553          rc == -ENOKEY))
0554         rc = modsig_verify(func, modsig, &status, &cause);
0555
0556 out:
0557     /*
0558      * File signatures on some filesystems can not be properly verified.
0559      * When such filesystems are mounted by an untrusted mounter or on a
0560      * system not willing to accept such a risk, fail the file signature
0561      * verification.
0562      */
0563     if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
0564         ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
0565          (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
0566         status = INTEGRITY_FAIL;
0567         cause = "unverifiable-signature";
0568         integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
0569                     op, cause, rc, 0);
0570     } else if (status != INTEGRITY_PASS) {
0571         /* Fix mode, but don't replace file signatures. */
0572         if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
0573             (!xattr_value ||
0574              xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
0575             if (!ima_fix_xattr(dentry, iint))
0576                 status = INTEGRITY_PASS;
0577         }
0578
0579         /*
0580          * Permit new files with file/EVM portable signatures, but
0581          * without data.
0582          */
0583         if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
0584             test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
0585             status = INTEGRITY_PASS;
0586         }
0587
0588         integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
0589                     op, cause, rc, 0);
0590     } else {
0591         ima_cache_flags(iint, func);
0592     }
0593
0594     ima_set_cache_status(iint, func, status);
0595     return status;
0596 }
0597
0598 /*
0599  * ima_update_xattr - update 'security.ima' hash value
0600  */
0601 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
0602 {
0603     struct dentry *dentry = file_dentry(file);
0604     int rc = 0;
0605
0606     /* do not collect and update hash for digital signatures */
0607     if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
0608         return;
0609
0610     if ((iint->ima_file_status != INTEGRITY_PASS) &&
0611         !(iint->flags & IMA_HASH))
0612         return;
0613
0614     rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
0615     if (rc < 0)
0616         return;
0617
0618     inode_lock(file_inode(file));
0619     ima_fix_xattr(dentry, iint);
0620     inode_unlock(file_inode(file));
0621 }
0622
0623 /**
0624  * ima_inode_post_setattr - reflect file metadata changes
0625  * @mnt_userns: user namespace of the mount the inode was found from
0626  * @dentry: pointer to the affected dentry
0627  *
0628  * Changes to a dentry's metadata might result in needing to appraise.
0629  *
0630  * This function is called from notify_change(), which expects the caller
0631  * to lock the inode's i_mutex.
0632  */
0633 void ima_inode_post_setattr(struct user_namespace *mnt_userns,
0634                 struct dentry *dentry)
0635 {
0636     struct inode *inode = d_backing_inode(dentry);
0637     struct integrity_iint_cache *iint;
0638     int action;
0639
0640     if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
0641         || !(inode->i_opflags & IOP_XATTR))
0642         return;
0643
0644     action = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, POST_SETATTR);
0645     iint = integrity_iint_find(inode);
0646     if (iint) {
0647         set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
0648         if (!action)
0649             clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
0650     }
0651 }
0652
0653 /*
0654  * ima_protect_xattr - protect 'security.ima'
0655  *
0656  * Ensure that not just anyone can modify or remove 'security.ima'.
0657  */
0658 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
0659                  const void *xattr_value, size_t xattr_value_len)
0660 {
0661     if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
0662         if (!capable(CAP_SYS_ADMIN))
0663             return -EPERM;
0664         return 1;
0665     }
0666     return 0;
0667 }
0668
0669 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
0670 {
0671     struct integrity_iint_cache *iint;
0672
0673     if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
0674         return;
0675
0676     iint = integrity_iint_find(inode);
0677     if (!iint)
0678         return;
0679     iint->measured_pcrs = 0;
0680     set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
0681     if (digsig)
0682         set_bit(IMA_DIGSIG, &iint->atomic_flags);
0683     else
0684         clear_bit(IMA_DIGSIG, &iint->atomic_flags);
0685 }
0686
0687 /**
0688  * validate_hash_algo() - Block setxattr with unsupported hash algorithms
0689  * @dentry: object of the setxattr()
0690  * @xattr_value: userland supplied xattr value
0691  * @xattr_value_len: length of xattr_value
0692  *
0693  * The xattr value is mapped to its hash algorithm, and this algorithm
0694  * must be built in the kernel for the setxattr to be allowed.
0695  *
0696  * Emit an audit message when the algorithm is invalid.
0697  *
0698  * Return: 0 on success, else an error.
0699  */
0700 static int validate_hash_algo(struct dentry *dentry,
0701                   const struct evm_ima_xattr_data *xattr_value,
0702                   size_t xattr_value_len)
0703 {
0704     char *path = NULL, *pathbuf = NULL;
0705     enum hash_algo xattr_hash_algo;
0706     const char *errmsg = "unavailable-hash-algorithm";
0707     unsigned int allowed_hashes;
0708
0709     xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);
0710
0711     allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms);
0712
0713     if (allowed_hashes) {
0714         /* success if the algorithm is allowed in the ima policy */
0715         if (allowed_hashes & (1U << xattr_hash_algo))
0716             return 0;
0717
0718         /*
0719          * We use a different audit message when the hash algorithm
0720          * is denied by a policy rule, instead of not being built
0721          * in the kernel image
0722          */
0723         errmsg = "denied-hash-algorithm";
0724     } else {
0725         if (likely(xattr_hash_algo == ima_hash_algo))
0726             return 0;
0727
0728         /* allow any xattr using an algorithm built in the kernel */
0729         if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0))
0730             return 0;
0731     }
0732
0733     pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
0734     if (!pathbuf)
0735         return -EACCES;
0736
0737     path = dentry_path(dentry, pathbuf, PATH_MAX);
0738
0739     integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
0740                 "set_data", errmsg, -EACCES, 0);
0741
0742     kfree(pathbuf);
0743
0744     return -EACCES;
0745 }
0746
0747 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
0748                const void *xattr_value, size_t xattr_value_len)
0749 {
0750     const struct evm_ima_xattr_data *xvalue = xattr_value;
0751     int digsig = 0;
0752     int result;
0753
0754     result = ima_protect_xattr(dentry, xattr_name, xattr_value,
0755                    xattr_value_len);
0756     if (result == 1) {
0757         if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
0758             return -EINVAL;
0759         digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
0760     } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
0761         digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
0762     }
0763     if (result == 1 || evm_revalidate_status(xattr_name)) {
0764         result = validate_hash_algo(dentry, xvalue, xattr_value_len);
0765         if (result)
0766             return result;
0767
0768         ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
0769     }
0770     return result;
0771 }
0772
0773 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
0774 {
0775     int result;
0776
0777     result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
0778     if (result == 1 || evm_revalidate_status(xattr_name)) {
0779         ima_reset_appraise_flags(d_backing_inode(dentry), 0);
0780         if (result == 1)
0781             result = 0;
0782     }
0783     return result;
0784 }