1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * Copyright (C) 2011 IBM Corporation
4
 *
5
 * Author:
6
 * Mimi Zohar <[email protected]>
7
 */
8
#include <linux/module.h>
9
#include <linux/init.h>
10
#include <linux/file.h>
11
#include <linux/binfmts.h>
12
#include <linux/fs.h>
13
#include <linux/xattr.h>
14
#include <linux/magic.h>
15
#include <linux/ima.h>
16
#include <linux/evm.h>
17
#include <linux/fsverity.h>
18
#include <keys/system_keyring.h>
19
#include <uapi/linux/fsverity.h>
20

21
#include "ima.h"
22

23
#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
24
static char *ima_appraise_cmdline_default __initdata;
25
core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);
26

27
void __init ima_appraise_parse_cmdline(void)
28
{
29
	const char *str = ima_appraise_cmdline_default;
30
	bool sb_state = arch_ima_get_secureboot();
31
	int appraisal_state = ima_appraise;
32

33
	if (!str)
34
		return;
35

36
	if (strncmp(str, "off", 3) == 0)
37
		appraisal_state = 0;
38
	else if (strncmp(str, "log", 3) == 0)
39
		appraisal_state = IMA_APPRAISE_LOG;
40
	else if (strncmp(str, "fix", 3) == 0)
41
		appraisal_state = IMA_APPRAISE_FIX;
42
	else if (strncmp(str, "enforce", 7) == 0)
43
		appraisal_state = IMA_APPRAISE_ENFORCE;
44
	else
45
		pr_err("invalid \"%s\" appraise option", str);
46

47
	/* If appraisal state was changed, but secure boot is enabled,
48
	 * keep its default */
49
	if (sb_state) {
50
		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
51
			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
52
				str);
53
	} else {
54
		ima_appraise = appraisal_state;
55
	}
56
}
57
#endif
58

59
/*
60
 * is_ima_appraise_enabled - return appraise status
61
 *
62
 * Only return enabled, if not in ima_appraise="fix" or "log" modes.
63
 */
64
bool is_ima_appraise_enabled(void)
65
{
66
	return ima_appraise & IMA_APPRAISE_ENFORCE;
67
}
68

69
/*
70
 * ima_must_appraise - set appraise flag
71
 *
72
 * Return 1 to appraise or hash
73
 */
74
int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
75
		      int mask, enum ima_hooks func)
76
{
77
	struct lsm_prop prop;
78

79
	if (!ima_appraise)
80
		return 0;
81

82
	security_current_getlsmprop_subj(&prop);
83
	return ima_match_policy(idmap, inode, current_cred(), &prop,
84
				func, mask, IMA_APPRAISE | IMA_HASH, NULL,
85
				NULL, NULL, NULL);
86
}
87

88
static int ima_fix_xattr(struct dentry *dentry, struct ima_iint_cache *iint)
89
{
90
	int rc, offset;
91
	u8 algo = iint->ima_hash->algo;
92

93
	if (algo <= HASH_ALGO_SHA1) {
94
		offset = 1;
95
		iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
96
	} else {
97
		offset = 0;
98
		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
99
		iint->ima_hash->xattr.ng.algo = algo;
100
	}
101
	rc = __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
102
				   &iint->ima_hash->xattr.data[offset],
103
				   (sizeof(iint->ima_hash->xattr) - offset) +
104
				   iint->ima_hash->length, 0);
105
	return rc;
106
}
107

108
/* Return specific func appraised cached result */
109
enum integrity_status ima_get_cache_status(struct ima_iint_cache *iint,
110
					   enum ima_hooks func)
111
{
112
	switch (func) {
113
	case MMAP_CHECK:
114
	case MMAP_CHECK_REQPROT:
115
		return iint->ima_mmap_status;
116
	case BPRM_CHECK:
117
		return iint->ima_bprm_status;
118
	case CREDS_CHECK:
119
		return iint->ima_creds_status;
120
	case FILE_CHECK:
121
	case POST_SETATTR:
122
		return iint->ima_file_status;
123
	case MODULE_CHECK ... MAX_CHECK - 1:
124
	default:
125
		return iint->ima_read_status;
126
	}
127
}
128

129
static void ima_set_cache_status(struct ima_iint_cache *iint,
130
				 enum ima_hooks func,
131
				 enum integrity_status status)
132
{
133
	switch (func) {
134
	case MMAP_CHECK:
135
	case MMAP_CHECK_REQPROT:
136
		iint->ima_mmap_status = status;
137
		break;
138
	case BPRM_CHECK:
139
		iint->ima_bprm_status = status;
140
		break;
141
	case CREDS_CHECK:
142
		iint->ima_creds_status = status;
143
		break;
144
	case FILE_CHECK:
145
	case POST_SETATTR:
146
		iint->ima_file_status = status;
147
		break;
148
	case MODULE_CHECK ... MAX_CHECK - 1:
149
	default:
150
		iint->ima_read_status = status;
151
		break;
152
	}
153
}
154

155
static void ima_cache_flags(struct ima_iint_cache *iint, enum ima_hooks func)
156
{
157
	switch (func) {
158
	case MMAP_CHECK:
159
	case MMAP_CHECK_REQPROT:
160
		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
161
		break;
162
	case BPRM_CHECK:
163
		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
164
		break;
165
	case CREDS_CHECK:
166
		iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
167
		break;
168
	case FILE_CHECK:
169
	case POST_SETATTR:
170
		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
171
		break;
172
	case MODULE_CHECK ... MAX_CHECK - 1:
173
	default:
174
		iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
175
		break;
176
	}
177
}
178

179
enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
180
				 int xattr_len)
181
{
182
	struct signature_v2_hdr *sig;
183
	enum hash_algo ret;
184

185
	if (!xattr_value || xattr_len < 2)
186
		/* return default hash algo */
187
		return ima_hash_algo;
188

189
	switch (xattr_value->type) {
190
	case IMA_VERITY_DIGSIG:
191
		sig = (typeof(sig))xattr_value;
192
		if (sig->version != 3 || xattr_len <= sizeof(*sig) ||
193
		    sig->hash_algo >= HASH_ALGO__LAST)
194
			return ima_hash_algo;
195
		return sig->hash_algo;
196
	case EVM_IMA_XATTR_DIGSIG:
197
		sig = (typeof(sig))xattr_value;
198
		if (sig->version != 2 || xattr_len <= sizeof(*sig)
199
		    || sig->hash_algo >= HASH_ALGO__LAST)
200
			return ima_hash_algo;
201
		return sig->hash_algo;
202
	case IMA_XATTR_DIGEST_NG:
203
		/* first byte contains algorithm id */
204
		ret = xattr_value->data[0];
205
		if (ret < HASH_ALGO__LAST)
206
			return ret;
207
		break;
208
	case IMA_XATTR_DIGEST:
209
		/* this is for backward compatibility */
210
		if (xattr_len == 21) {
211
			unsigned int zero = 0;
212
			if (!memcmp(&xattr_value->data[16], &zero, 4))
213
				return HASH_ALGO_MD5;
214
			else
215
				return HASH_ALGO_SHA1;
216
		} else if (xattr_len == 17)
217
			return HASH_ALGO_MD5;
218
		break;
219
	}
220

221
	/* return default hash algo */
222
	return ima_hash_algo;
223
}
224

225
int ima_read_xattr(struct dentry *dentry,
226
		   struct evm_ima_xattr_data **xattr_value, int xattr_len)
227
{
228
	int ret;
229

230
	ret = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_IMA,
231
				 (char **)xattr_value, xattr_len, GFP_NOFS);
232
	if (ret == -EOPNOTSUPP)
233
		ret = 0;
234
	return ret;
235
}
236

237
/*
238
 * calc_file_id_hash - calculate the hash of the ima_file_id struct data
239
 * @type: xattr type [enum evm_ima_xattr_type]
240
 * @algo: hash algorithm [enum hash_algo]
241
 * @digest: pointer to the digest to be hashed
242
 * @hash: (out) pointer to the hash
243
 *
244
 * IMA signature version 3 disambiguates the data that is signed by
245
 * indirectly signing the hash of the ima_file_id structure data.
246
 *
247
 * Signing the ima_file_id struct is currently only supported for
248
 * IMA_VERITY_DIGSIG type xattrs.
249
 *
250
 * Return 0 on success, error code otherwise.
251
 */
252
static int calc_file_id_hash(enum evm_ima_xattr_type type,
253
			     enum hash_algo algo, const u8 *digest,
254
			     struct ima_digest_data *hash)
255
{
256
	struct ima_file_id file_id = {
257
		.hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
258
	unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo];
259

260
	if (type != IMA_VERITY_DIGSIG)
261
		return -EINVAL;
262

263
	memcpy(file_id.hash, digest, hash_digest_size[algo]);
264

265
	hash->algo = algo;
266
	hash->length = hash_digest_size[algo];
267

268
	return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash);
269
}
270

271
/*
272
 * xattr_verify - verify xattr digest or signature
273
 *
274
 * Verify whether the hash or signature matches the file contents.
275
 *
276
 * Return 0 on success, error code otherwise.
277
 */
278
static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,
279
			struct evm_ima_xattr_data *xattr_value, int xattr_len,
280
			enum integrity_status *status, const char **cause)
281
{
282
	struct ima_max_digest_data hash;
283
	struct signature_v2_hdr *sig;
284
	int rc = -EINVAL, hash_start = 0;
285
	int mask;
286

287
	switch (xattr_value->type) {
288
	case IMA_XATTR_DIGEST_NG:
289
		/* first byte contains algorithm id */
290
		hash_start = 1;
291
		fallthrough;
292
	case IMA_XATTR_DIGEST:
293
		if (*status != INTEGRITY_PASS_IMMUTABLE) {
294
			if (iint->flags & IMA_DIGSIG_REQUIRED) {
295
				if (iint->flags & IMA_VERITY_REQUIRED)
296
					*cause = "verity-signature-required";
297
				else
298
					*cause = "IMA-signature-required";
299
				*status = INTEGRITY_FAIL;
300
				break;
301
			}
302
			clear_bit(IMA_DIGSIG, &iint->atomic_flags);
303
		} else {
304
			set_bit(IMA_DIGSIG, &iint->atomic_flags);
305
		}
306
		if (xattr_len - sizeof(xattr_value->type) - hash_start >=
307
				iint->ima_hash->length)
308
			/*
309
			 * xattr length may be longer. md5 hash in previous
310
			 * version occupied 20 bytes in xattr, instead of 16
311
			 */
312
			rc = memcmp(&xattr_value->data[hash_start],
313
				    iint->ima_hash->digest,
314
				    iint->ima_hash->length);
315
		else
316
			rc = -EINVAL;
317
		if (rc) {
318
			*cause = "invalid-hash";
319
			*status = INTEGRITY_FAIL;
320
			break;
321
		}
322
		*status = INTEGRITY_PASS;
323
		break;
324
	case EVM_IMA_XATTR_DIGSIG:
325
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
326

327
		mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED;
328
		if ((iint->flags & mask) == mask) {
329
			*cause = "verity-signature-required";
330
			*status = INTEGRITY_FAIL;
331
			break;
332
		}
333

334
		sig = (typeof(sig))xattr_value;
335
		if (sig->version >= 3) {
336
			*cause = "invalid-signature-version";
337
			*status = INTEGRITY_FAIL;
338
			break;
339
		}
340
		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
341
					     (const char *)xattr_value,
342
					     xattr_len,
343
					     iint->ima_hash->digest,
344
					     iint->ima_hash->length);
345
		if (rc == -EOPNOTSUPP) {
346
			*status = INTEGRITY_UNKNOWN;
347
			break;
348
		}
349
		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
350
		    func == KEXEC_KERNEL_CHECK)
351
			rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
352
						     (const char *)xattr_value,
353
						     xattr_len,
354
						     iint->ima_hash->digest,
355
						     iint->ima_hash->length);
356
		if (rc) {
357
			*cause = "invalid-signature";
358
			*status = INTEGRITY_FAIL;
359
		} else {
360
			*status = INTEGRITY_PASS;
361
		}
362
		break;
363
	case IMA_VERITY_DIGSIG:
364
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
365

366
		if (iint->flags & IMA_DIGSIG_REQUIRED) {
367
			if (!(iint->flags & IMA_VERITY_REQUIRED)) {
368
				*cause = "IMA-signature-required";
369
				*status = INTEGRITY_FAIL;
370
				break;
371
			}
372
		}
373

374
		sig = (typeof(sig))xattr_value;
375
		if (sig->version != 3) {
376
			*cause = "invalid-signature-version";
377
			*status = INTEGRITY_FAIL;
378
			break;
379
		}
380

381
		rc = calc_file_id_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
382
				       iint->ima_hash->digest,
383
				       container_of(&hash.hdr,
384
					       struct ima_digest_data, hdr));
385
		if (rc) {
386
			*cause = "sigv3-hashing-error";
387
			*status = INTEGRITY_FAIL;
388
			break;
389
		}
390

391
		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
392
					     (const char *)xattr_value,
393
					     xattr_len, hash.digest,
394
					     hash.hdr.length);
395
		if (rc) {
396
			*cause = "invalid-verity-signature";
397
			*status = INTEGRITY_FAIL;
398
		} else {
399
			*status = INTEGRITY_PASS;
400
		}
401

402
		break;
403
	default:
404
		*status = INTEGRITY_UNKNOWN;
405
		*cause = "unknown-ima-data";
406
		break;
407
	}
408

409
	return rc;
410
}
411

412
/*
413
 * modsig_verify - verify modsig signature
414
 *
415
 * Verify whether the signature matches the file contents.
416
 *
417
 * Return 0 on success, error code otherwise.
418
 */
419
static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
420
			 enum integrity_status *status, const char **cause)
421
{
422
	int rc;
423

424
	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
425
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
426
	    func == KEXEC_KERNEL_CHECK)
427
		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
428
					     modsig);
429
	if (rc) {
430
		*cause = "invalid-signature";
431
		*status = INTEGRITY_FAIL;
432
	} else {
433
		*status = INTEGRITY_PASS;
434
	}
435

436
	return rc;
437
}
438

439
/*
440
 * ima_check_blacklist - determine if the binary is blacklisted.
441
 *
442
 * Add the hash of the blacklisted binary to the measurement list, based
443
 * on policy.
444
 *
445
 * Returns -EPERM if the hash is blacklisted.
446
 */
447
int ima_check_blacklist(struct ima_iint_cache *iint,
448
			const struct modsig *modsig, int pcr)
449
{
450
	enum hash_algo hash_algo;
451
	const u8 *digest = NULL;
452
	u32 digestsize = 0;
453
	int rc = 0;
454

455
	if (!(iint->flags & IMA_CHECK_BLACKLIST))
456
		return 0;
457

458
	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
459
		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
460

461
		rc = is_binary_blacklisted(digest, digestsize);
462
	} else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash)
463
		rc = is_binary_blacklisted(iint->ima_hash->digest, iint->ima_hash->length);
464

465
	if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
466
		process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
467
					   "blacklisted-hash", NONE,
468
					   pcr, NULL, false, NULL, 0);
469

470
	return rc;
471
}
472

473
static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
474
{
475
	struct linux_binprm *bprm;
476

477
	if (func == BPRM_CHECK) {
478
		bprm = container_of(&file, struct linux_binprm, file);
479
		return bprm->is_check;
480
	}
481
	return false;
482
}
483

484
/*
485
 * ima_appraise_measurement - appraise file measurement
486
 *
487
 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
488
 * Assuming success, compare the xattr hash with the collected measurement.
489
 *
490
 * Return 0 on success, error code otherwise
491
 */
492
int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
493
			     struct file *file, const unsigned char *filename,
494
			     struct evm_ima_xattr_data *xattr_value,
495
			     int xattr_len, const struct modsig *modsig)
496
{
497
	static const char op[] = "appraise_data";
498
	int audit_msgno = AUDIT_INTEGRITY_DATA;
499
	const char *cause = "unknown";
500
	struct dentry *dentry = file_dentry(file);
501
	struct inode *inode = d_backing_inode(dentry);
502
	enum integrity_status status = INTEGRITY_UNKNOWN;
503
	int rc = xattr_len;
504
	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
505

506
	/* If not appraising a modsig, we need an xattr. */
507
	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
508
		return INTEGRITY_UNKNOWN;
509

510
	/*
511
	 * Unlike any of the other LSM hooks where the kernel enforces file
512
	 * integrity, enforcing file integrity for the bprm_creds_for_exec()
513
	 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
514
	 * of the script interpreter(userspace). Differentiate kernel and
515
	 * userspace enforced integrity audit messages.
516
	 */
517
	if (is_bprm_creds_for_exec(func, file))
518
		audit_msgno = AUDIT_INTEGRITY_USERSPACE;
519

520
	/* If reading the xattr failed and there's no modsig, error out. */
521
	if (rc <= 0 && !try_modsig) {
522
		if (rc && rc != -ENODATA)
523
			goto out;
524

525
		if (iint->flags & IMA_DIGSIG_REQUIRED) {
526
			if (iint->flags & IMA_VERITY_REQUIRED)
527
				cause = "verity-signature-required";
528
			else
529
				cause = "IMA-signature-required";
530
		} else {
531
			cause = "missing-hash";
532
		}
533

534
		status = INTEGRITY_NOLABEL;
535
		if (file->f_mode & FMODE_CREATED)
536
			iint->flags |= IMA_NEW_FILE;
537
		if ((iint->flags & IMA_NEW_FILE) &&
538
		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
539
		     (inode->i_size == 0)))
540
			status = INTEGRITY_PASS;
541
		goto out;
542
	}
543

544
	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
545
				 rc < 0 ? 0 : rc);
546
	switch (status) {
547
	case INTEGRITY_PASS:
548
	case INTEGRITY_PASS_IMMUTABLE:
549
	case INTEGRITY_UNKNOWN:
550
		break;
551
	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
552
		/* It's fine not to have xattrs when using a modsig. */
553
		if (try_modsig)
554
			break;
555
		fallthrough;
556
	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
557
		cause = "missing-HMAC";
558
		goto out;
559
	case INTEGRITY_FAIL_IMMUTABLE:
560
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
561
		cause = "invalid-fail-immutable";
562
		goto out;
563
	case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
564
		cause = "invalid-HMAC";
565
		goto out;
566
	default:
567
		WARN_ONCE(true, "Unexpected integrity status %d\n", status);
568
	}
569

570
	if (xattr_value)
571
		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
572
				  &cause);
573

574
	/*
575
	 * If we have a modsig and either no imasig or the imasig's key isn't
576
	 * known, then try verifying the modsig.
577
	 */
578
	if (try_modsig &&
579
	    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
580
	     rc == -ENOKEY))
581
		rc = modsig_verify(func, modsig, &status, &cause);
582

583
out:
584
	/*
585
	 * File signatures on some filesystems can not be properly verified.
586
	 * When such filesystems are mounted by an untrusted mounter or on a
587
	 * system not willing to accept such a risk, fail the file signature
588
	 * verification.
589
	 */
590
	if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
591
	    ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
592
	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
593
		status = INTEGRITY_FAIL;
594
		cause = "unverifiable-signature";
595
		integrity_audit_msg(audit_msgno, inode, filename,
596
				    op, cause, rc, 0);
597
	} else if (status != INTEGRITY_PASS) {
598
		/* Fix mode, but don't replace file signatures. */
599
		if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
600
		    (!xattr_value ||
601
		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
602
			if (!ima_fix_xattr(dentry, iint))
603
				status = INTEGRITY_PASS;
604
		}
605

606
		/*
607
		 * Permit new files with file/EVM portable signatures, but
608
		 * without data.
609
		 */
610
		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
611
		    test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
612
			status = INTEGRITY_PASS;
613
		}
614

615
		integrity_audit_msg(audit_msgno, inode, filename,
616
				    op, cause, rc, 0);
617
	} else {
618
		ima_cache_flags(iint, func);
619
	}
620

621
	ima_set_cache_status(iint, func, status);
622
	return status;
623
}
624

625
/*
626
 * ima_update_xattr - update 'security.ima' hash value
627
 */
628
void ima_update_xattr(struct ima_iint_cache *iint, struct file *file)
629
{
630
	struct dentry *dentry = file_dentry(file);
631
	int rc = 0;
632

633
	/* do not collect and update hash for digital signatures */
634
	if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
635
		return;
636

637
	if ((iint->ima_file_status != INTEGRITY_PASS) &&
638
	    !(iint->flags & IMA_HASH))
639
		return;
640

641
	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
642
	if (rc < 0)
643
		return;
644

645
	inode_lock(file_inode(file));
646
	ima_fix_xattr(dentry, iint);
647
	inode_unlock(file_inode(file));
648
}
649

650
/**
651
 * ima_inode_post_setattr - reflect file metadata changes
652
 * @idmap:  idmap of the mount the inode was found from
653
 * @dentry: pointer to the affected dentry
654
 * @ia_valid: for the UID and GID status
655
 *
656
 * Changes to a dentry's metadata might result in needing to appraise.
657
 *
658
 * This function is called from notify_change(), which expects the caller
659
 * to lock the inode's i_mutex.
660
 */
661
static void ima_inode_post_setattr(struct mnt_idmap *idmap,
662
				   struct dentry *dentry, int ia_valid)
663
{
664
	struct inode *inode = d_backing_inode(dentry);
665
	struct ima_iint_cache *iint;
666
	int action;
667

668
	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
669
	    || !(inode->i_opflags & IOP_XATTR))
670
		return;
671

672
	action = ima_must_appraise(idmap, inode, MAY_ACCESS, POST_SETATTR);
673
	iint = ima_iint_find(inode);
674
	if (iint) {
675
		set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
676
		if (!action)
677
			clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
678
	}
679
}
680

681
/*
682
 * ima_protect_xattr - protect 'security.ima'
683
 *
684
 * Ensure that not just anyone can modify or remove 'security.ima'.
685
 */
686
static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
687
			     const void *xattr_value, size_t xattr_value_len)
688
{
689
	if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
690
		if (!capable(CAP_SYS_ADMIN))
691
			return -EPERM;
692
		return 1;
693
	}
694
	return 0;
695
}
696

697
static void ima_reset_appraise_flags(struct inode *inode, int digsig)
698
{
699
	struct ima_iint_cache *iint;
700

701
	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
702
		return;
703

704
	iint = ima_iint_find(inode);
705
	if (!iint)
706
		return;
707
	iint->measured_pcrs = 0;
708
	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
709
	if (digsig)
710
		set_bit(IMA_DIGSIG, &iint->atomic_flags);
711
	else
712
		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
713
}
714

715
/**
716
 * validate_hash_algo() - Block setxattr with unsupported hash algorithms
717
 * @dentry: object of the setxattr()
718
 * @xattr_value: userland supplied xattr value
719
 * @xattr_value_len: length of xattr_value
720
 *
721
 * The xattr value is mapped to its hash algorithm, and this algorithm
722
 * must be built in the kernel for the setxattr to be allowed.
723
 *
724
 * Emit an audit message when the algorithm is invalid.
725
 *
726
 * Return: 0 on success, else an error.
727
 */
728
static int validate_hash_algo(struct dentry *dentry,
729
			      const struct evm_ima_xattr_data *xattr_value,
730
			      size_t xattr_value_len)
731
{
732
	char *path = NULL, *pathbuf = NULL;
733
	enum hash_algo xattr_hash_algo;
734
	const char *errmsg = "unavailable-hash-algorithm";
735
	unsigned int allowed_hashes;
736

737
	xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);
738

739
	allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms);
740

741
	if (allowed_hashes) {
742
		/* success if the algorithm is allowed in the ima policy */
743
		if (allowed_hashes & (1U << xattr_hash_algo))
744
			return 0;
745

746
		/*
747
		 * We use a different audit message when the hash algorithm
748
		 * is denied by a policy rule, instead of not being built
749
		 * in the kernel image
750
		 */
751
		errmsg = "denied-hash-algorithm";
752
	} else {
753
		if (likely(xattr_hash_algo == ima_hash_algo))
754
			return 0;
755

756
		/* allow any xattr using an algorithm built in the kernel */
757
		if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0))
758
			return 0;
759
	}
760

761
	pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
762
	if (!pathbuf)
763
		return -EACCES;
764

765
	path = dentry_path(dentry, pathbuf, PATH_MAX);
766

767
	integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
768
			    "set_data", errmsg, -EACCES, 0);
769

770
	kfree(pathbuf);
771

772
	return -EACCES;
773
}
774

775
static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
776
			      const char *xattr_name, const void *xattr_value,
777
			      size_t xattr_value_len, int flags)
778
{
779
	const struct evm_ima_xattr_data *xvalue = xattr_value;
780
	int digsig = 0;
781
	int result;
782
	int err;
783

784
	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
785
				   xattr_value_len);
786
	if (result == 1) {
787
		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
788
			return -EINVAL;
789

790
		err = validate_hash_algo(dentry, xvalue, xattr_value_len);
791
		if (err)
792
			return err;
793

794
		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
795
	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
796
		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
797
	}
798
	if (result == 1 || evm_revalidate_status(xattr_name)) {
799
		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
800
		if (result == 1)
801
			result = 0;
802
	}
803
	return result;
804
}
805

806
static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
807
			     const char *acl_name, struct posix_acl *kacl)
808
{
809
	if (evm_revalidate_status(acl_name))
810
		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
811

812
	return 0;
813
}
814

815
static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
816
				 const char *xattr_name)
817
{
818
	int result;
819

820
	result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
821
	if (result == 1 || evm_revalidate_status(xattr_name)) {
822
		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
823
		if (result == 1)
824
			result = 0;
825
	}
826
	return result;
827
}
828

829
static int ima_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
830
				const char *acl_name)
831
{
832
	return ima_inode_set_acl(idmap, dentry, acl_name, NULL);
833
}
834

835
static struct security_hook_list ima_appraise_hooks[] __ro_after_init = {
836
	LSM_HOOK_INIT(inode_post_setattr, ima_inode_post_setattr),
837
	LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr),
838
	LSM_HOOK_INIT(inode_set_acl, ima_inode_set_acl),
839
	LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr),
840
	LSM_HOOK_INIT(inode_remove_acl, ima_inode_remove_acl),
841
};
842

843
void __init init_ima_appraise_lsm(const struct lsm_id *lsmid)
844
{
845
	security_add_hooks(ima_appraise_hooks, ARRAY_SIZE(ima_appraise_hooks),
846
			   lsmid);
847
}
848

849