1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2011 IBM Corporation
6 * Mimi Zohar <zohar@us.ibm.com>
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/file.h>
12 #include <linux/xattr.h>
13 #include <linux/magic.h>
14 #include <linux/ima.h>
15 #include <linux/evm.h>
16 #include <linux/fsverity.h>
17 #include <keys/system_keyring.h>
18 #include <uapi/linux/fsverity.h>
22 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
23 static char *ima_appraise_cmdline_default __initdata;
24 core_param(ima_appraise, ima_appraise_cmdline_default, charp, 0);
26 void __init ima_appraise_parse_cmdline(void)
28 const char *str = ima_appraise_cmdline_default;
29 bool sb_state = arch_ima_get_secureboot();
30 int appraisal_state = ima_appraise;
35 if (strncmp(str, "off", 3) == 0)
37 else if (strncmp(str, "log", 3) == 0)
38 appraisal_state = IMA_APPRAISE_LOG;
39 else if (strncmp(str, "fix", 3) == 0)
40 appraisal_state = IMA_APPRAISE_FIX;
41 else if (strncmp(str, "enforce", 7) == 0)
42 appraisal_state = IMA_APPRAISE_ENFORCE;
44 pr_err("invalid \"%s\" appraise option", str);
46 /* If appraisal state was changed, but secure boot is enabled,
49 if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
50 pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
53 ima_appraise = appraisal_state;
59 * is_ima_appraise_enabled - return appraise status
61 * Only return enabled, if not in ima_appraise="fix" or "log" modes.
63 bool is_ima_appraise_enabled(void)
65 return ima_appraise & IMA_APPRAISE_ENFORCE;
69 * ima_must_appraise - set appraise flag
71 * Return 1 to appraise or hash
73 int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
74 int mask, enum ima_hooks func)
81 security_current_getsecid_subj(&secid);
82 return ima_match_policy(mnt_userns, inode, current_cred(), secid,
83 func, mask, IMA_APPRAISE | IMA_HASH, NULL,
87 static int ima_fix_xattr(struct dentry *dentry,
88 struct integrity_iint_cache *iint)
91 u8 algo = iint->ima_hash->algo;
93 if (algo <= HASH_ALGO_SHA1) {
95 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
98 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
99 iint->ima_hash->xattr.ng.algo = algo;
101 rc = __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_IMA,
102 &iint->ima_hash->xattr.data[offset],
103 (sizeof(iint->ima_hash->xattr) - offset) +
104 iint->ima_hash->length, 0);
108 /* Return specific func appraised cached result */
109 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
114 return iint->ima_mmap_status;
116 return iint->ima_bprm_status;
118 return iint->ima_creds_status;
121 return iint->ima_file_status;
122 case MODULE_CHECK ... MAX_CHECK - 1:
124 return iint->ima_read_status;
128 static void ima_set_cache_status(struct integrity_iint_cache *iint,
130 enum integrity_status status)
134 iint->ima_mmap_status = status;
137 iint->ima_bprm_status = status;
140 iint->ima_creds_status = status;
144 iint->ima_file_status = status;
146 case MODULE_CHECK ... MAX_CHECK - 1:
148 iint->ima_read_status = status;
153 static void ima_cache_flags(struct integrity_iint_cache *iint,
158 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
161 iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
164 iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
168 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
170 case MODULE_CHECK ... MAX_CHECK - 1:
172 iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
177 enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
180 struct signature_v2_hdr *sig;
183 if (!xattr_value || xattr_len < 2)
184 /* return default hash algo */
185 return ima_hash_algo;
187 switch (xattr_value->type) {
188 case IMA_VERITY_DIGSIG:
189 sig = (typeof(sig))xattr_value;
190 if (sig->version != 3 || xattr_len <= sizeof(*sig) ||
191 sig->hash_algo >= HASH_ALGO__LAST)
192 return ima_hash_algo;
193 return sig->hash_algo;
194 case EVM_IMA_XATTR_DIGSIG:
195 sig = (typeof(sig))xattr_value;
196 if (sig->version != 2 || xattr_len <= sizeof(*sig)
197 || sig->hash_algo >= HASH_ALGO__LAST)
198 return ima_hash_algo;
199 return sig->hash_algo;
200 case IMA_XATTR_DIGEST_NG:
201 /* first byte contains algorithm id */
202 ret = xattr_value->data[0];
203 if (ret < HASH_ALGO__LAST)
206 case IMA_XATTR_DIGEST:
207 /* this is for backward compatibility */
208 if (xattr_len == 21) {
209 unsigned int zero = 0;
210 if (!memcmp(&xattr_value->data[16], &zero, 4))
211 return HASH_ALGO_MD5;
213 return HASH_ALGO_SHA1;
214 } else if (xattr_len == 17)
215 return HASH_ALGO_MD5;
219 /* return default hash algo */
220 return ima_hash_algo;
223 int ima_read_xattr(struct dentry *dentry,
224 struct evm_ima_xattr_data **xattr_value)
228 ret = vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_IMA,
229 (char **)xattr_value, 0, GFP_NOFS);
230 if (ret == -EOPNOTSUPP)
236 * calc_file_id_hash - calculate the hash of the ima_file_id struct data
237 * @type: xattr type [enum evm_ima_xattr_type]
238 * @algo: hash algorithm [enum hash_algo]
239 * @digest: pointer to the digest to be hashed
240 * @hash: (out) pointer to the hash
242 * IMA signature version 3 disambiguates the data that is signed by
243 * indirectly signing the hash of the ima_file_id structure data.
245 * Signing the ima_file_id struct is currently only supported for
246 * IMA_VERITY_DIGSIG type xattrs.
248 * Return 0 on success, error code otherwise.
250 static int calc_file_id_hash(enum evm_ima_xattr_type type,
251 enum hash_algo algo, const u8 *digest,
252 struct ima_digest_data *hash)
254 struct ima_file_id file_id = {
255 .hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
256 unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo];
258 if (type != IMA_VERITY_DIGSIG)
261 memcpy(file_id.hash, digest, hash_digest_size[algo]);
264 hash->length = hash_digest_size[algo];
266 return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash);
270 * xattr_verify - verify xattr digest or signature
272 * Verify whether the hash or signature matches the file contents.
274 * Return 0 on success, error code otherwise.
276 static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
277 struct evm_ima_xattr_data *xattr_value, int xattr_len,
278 enum integrity_status *status, const char **cause)
280 struct ima_max_digest_data hash;
281 struct signature_v2_hdr *sig;
282 int rc = -EINVAL, hash_start = 0;
285 switch (xattr_value->type) {
286 case IMA_XATTR_DIGEST_NG:
287 /* first byte contains algorithm id */
290 case IMA_XATTR_DIGEST:
291 if (*status != INTEGRITY_PASS_IMMUTABLE) {
292 if (iint->flags & IMA_DIGSIG_REQUIRED) {
293 if (iint->flags & IMA_VERITY_REQUIRED)
294 *cause = "verity-signature-required";
296 *cause = "IMA-signature-required";
297 *status = INTEGRITY_FAIL;
300 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
302 set_bit(IMA_DIGSIG, &iint->atomic_flags);
304 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
305 iint->ima_hash->length)
307 * xattr length may be longer. md5 hash in previous
308 * version occupied 20 bytes in xattr, instead of 16
310 rc = memcmp(&xattr_value->data[hash_start],
311 iint->ima_hash->digest,
312 iint->ima_hash->length);
316 *cause = "invalid-hash";
317 *status = INTEGRITY_FAIL;
320 *status = INTEGRITY_PASS;
322 case EVM_IMA_XATTR_DIGSIG:
323 set_bit(IMA_DIGSIG, &iint->atomic_flags);
325 mask = IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED;
326 if ((iint->flags & mask) == mask) {
327 *cause = "verity-signature-required";
328 *status = INTEGRITY_FAIL;
332 sig = (typeof(sig))xattr_value;
333 if (sig->version >= 3) {
334 *cause = "invalid-signature-version";
335 *status = INTEGRITY_FAIL;
338 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
339 (const char *)xattr_value,
341 iint->ima_hash->digest,
342 iint->ima_hash->length);
343 if (rc == -EOPNOTSUPP) {
344 *status = INTEGRITY_UNKNOWN;
347 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
348 func == KEXEC_KERNEL_CHECK)
349 rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
350 (const char *)xattr_value,
352 iint->ima_hash->digest,
353 iint->ima_hash->length);
355 *cause = "invalid-signature";
356 *status = INTEGRITY_FAIL;
358 *status = INTEGRITY_PASS;
361 case IMA_VERITY_DIGSIG:
362 set_bit(IMA_DIGSIG, &iint->atomic_flags);
364 if (iint->flags & IMA_DIGSIG_REQUIRED) {
365 if (!(iint->flags & IMA_VERITY_REQUIRED)) {
366 *cause = "IMA-signature-required";
367 *status = INTEGRITY_FAIL;
372 sig = (typeof(sig))xattr_value;
373 if (sig->version != 3) {
374 *cause = "invalid-signature-version";
375 *status = INTEGRITY_FAIL;
379 rc = calc_file_id_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
380 iint->ima_hash->digest, &hash.hdr);
382 *cause = "sigv3-hashing-error";
383 *status = INTEGRITY_FAIL;
387 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
388 (const char *)xattr_value,
389 xattr_len, hash.digest,
392 *cause = "invalid-verity-signature";
393 *status = INTEGRITY_FAIL;
395 *status = INTEGRITY_PASS;
400 *status = INTEGRITY_UNKNOWN;
401 *cause = "unknown-ima-data";
409 * modsig_verify - verify modsig signature
411 * Verify whether the signature matches the file contents.
413 * Return 0 on success, error code otherwise.
415 static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
416 enum integrity_status *status, const char **cause)
420 rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
421 if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
422 func == KEXEC_KERNEL_CHECK)
423 rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
426 *cause = "invalid-signature";
427 *status = INTEGRITY_FAIL;
429 *status = INTEGRITY_PASS;
436 * ima_check_blacklist - determine if the binary is blacklisted.
438 * Add the hash of the blacklisted binary to the measurement list, based
441 * Returns -EPERM if the hash is blacklisted.
443 int ima_check_blacklist(struct integrity_iint_cache *iint,
444 const struct modsig *modsig, int pcr)
446 enum hash_algo hash_algo;
447 const u8 *digest = NULL;
451 if (!(iint->flags & IMA_CHECK_BLACKLIST))
454 if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
455 ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
457 rc = is_binary_blacklisted(digest, digestsize);
458 if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
459 process_buffer_measurement(&init_user_ns, NULL, digest, digestsize,
460 "blacklisted-hash", NONE,
461 pcr, NULL, false, NULL, 0);
468 * ima_appraise_measurement - appraise file measurement
470 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
471 * Assuming success, compare the xattr hash with the collected measurement.
473 * Return 0 on success, error code otherwise
475 int ima_appraise_measurement(enum ima_hooks func,
476 struct integrity_iint_cache *iint,
477 struct file *file, const unsigned char *filename,
478 struct evm_ima_xattr_data *xattr_value,
479 int xattr_len, const struct modsig *modsig)
481 static const char op[] = "appraise_data";
482 const char *cause = "unknown";
483 struct dentry *dentry = file_dentry(file);
484 struct inode *inode = d_backing_inode(dentry);
485 enum integrity_status status = INTEGRITY_UNKNOWN;
487 bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
489 /* If not appraising a modsig, we need an xattr. */
490 if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
491 return INTEGRITY_UNKNOWN;
493 /* If reading the xattr failed and there's no modsig, error out. */
494 if (rc <= 0 && !try_modsig) {
495 if (rc && rc != -ENODATA)
498 if (iint->flags & IMA_DIGSIG_REQUIRED) {
499 if (iint->flags & IMA_VERITY_REQUIRED)
500 cause = "verity-signature-required";
502 cause = "IMA-signature-required";
504 cause = "missing-hash";
507 status = INTEGRITY_NOLABEL;
508 if (file->f_mode & FMODE_CREATED)
509 iint->flags |= IMA_NEW_FILE;
510 if ((iint->flags & IMA_NEW_FILE) &&
511 (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
512 (inode->i_size == 0)))
513 status = INTEGRITY_PASS;
517 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
518 rc < 0 ? 0 : rc, iint);
521 case INTEGRITY_PASS_IMMUTABLE:
522 case INTEGRITY_UNKNOWN:
524 case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
525 /* It's fine not to have xattrs when using a modsig. */
529 case INTEGRITY_NOLABEL: /* No security.evm xattr. */
530 cause = "missing-HMAC";
532 case INTEGRITY_FAIL_IMMUTABLE:
533 set_bit(IMA_DIGSIG, &iint->atomic_flags);
534 cause = "invalid-fail-immutable";
536 case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
537 cause = "invalid-HMAC";
540 WARN_ONCE(true, "Unexpected integrity status %d\n", status);
544 rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
548 * If we have a modsig and either no imasig or the imasig's key isn't
549 * known, then try verifying the modsig.
552 (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
554 rc = modsig_verify(func, modsig, &status, &cause);
558 * File signatures on some filesystems can not be properly verified.
559 * When such filesystems are mounted by an untrusted mounter or on a
560 * system not willing to accept such a risk, fail the file signature
563 if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
564 ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
565 (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
566 status = INTEGRITY_FAIL;
567 cause = "unverifiable-signature";
568 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
570 } else if (status != INTEGRITY_PASS) {
571 /* Fix mode, but don't replace file signatures. */
572 if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
574 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
575 if (!ima_fix_xattr(dentry, iint))
576 status = INTEGRITY_PASS;
580 * Permit new files with file/EVM portable signatures, but
583 if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
584 test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
585 status = INTEGRITY_PASS;
588 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
591 ima_cache_flags(iint, func);
594 ima_set_cache_status(iint, func, status);
599 * ima_update_xattr - update 'security.ima' hash value
601 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
603 struct dentry *dentry = file_dentry(file);
606 /* do not collect and update hash for digital signatures */
607 if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
610 if ((iint->ima_file_status != INTEGRITY_PASS) &&
611 !(iint->flags & IMA_HASH))
614 rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
618 inode_lock(file_inode(file));
619 ima_fix_xattr(dentry, iint);
620 inode_unlock(file_inode(file));
624 * ima_inode_post_setattr - reflect file metadata changes
625 * @mnt_userns: user namespace of the mount the inode was found from
626 * @dentry: pointer to the affected dentry
628 * Changes to a dentry's metadata might result in needing to appraise.
630 * This function is called from notify_change(), which expects the caller
631 * to lock the inode's i_mutex.
633 void ima_inode_post_setattr(struct user_namespace *mnt_userns,
634 struct dentry *dentry)
636 struct inode *inode = d_backing_inode(dentry);
637 struct integrity_iint_cache *iint;
640 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
641 || !(inode->i_opflags & IOP_XATTR))
644 action = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, POST_SETATTR);
645 iint = integrity_iint_find(inode);
647 set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
649 clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
654 * ima_protect_xattr - protect 'security.ima'
656 * Ensure that not just anyone can modify or remove 'security.ima'.
658 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
659 const void *xattr_value, size_t xattr_value_len)
661 if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
662 if (!capable(CAP_SYS_ADMIN))
669 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
671 struct integrity_iint_cache *iint;
673 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))
676 iint = integrity_iint_find(inode);
679 iint->measured_pcrs = 0;
680 set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
682 set_bit(IMA_DIGSIG, &iint->atomic_flags);
684 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
688 * validate_hash_algo() - Block setxattr with unsupported hash algorithms
689 * @dentry: object of the setxattr()
690 * @xattr_value: userland supplied xattr value
691 * @xattr_value_len: length of xattr_value
693 * The xattr value is mapped to its hash algorithm, and this algorithm
694 * must be built in the kernel for the setxattr to be allowed.
696 * Emit an audit message when the algorithm is invalid.
698 * Return: 0 on success, else an error.
700 static int validate_hash_algo(struct dentry *dentry,
701 const struct evm_ima_xattr_data *xattr_value,
702 size_t xattr_value_len)
704 char *path = NULL, *pathbuf = NULL;
705 enum hash_algo xattr_hash_algo;
706 const char *errmsg = "unavailable-hash-algorithm";
707 unsigned int allowed_hashes;
709 xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len);
711 allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms);
713 if (allowed_hashes) {
714 /* success if the algorithm is allowed in the ima policy */
715 if (allowed_hashes & (1U << xattr_hash_algo))
719 * We use a different audit message when the hash algorithm
720 * is denied by a policy rule, instead of not being built
721 * in the kernel image
723 errmsg = "denied-hash-algorithm";
725 if (likely(xattr_hash_algo == ima_hash_algo))
728 /* allow any xattr using an algorithm built in the kernel */
729 if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0))
733 pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
737 path = dentry_path(dentry, pathbuf, PATH_MAX);
739 integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path,
740 "set_data", errmsg, -EACCES, 0);
747 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
748 const void *xattr_value, size_t xattr_value_len)
750 const struct evm_ima_xattr_data *xvalue = xattr_value;
754 result = ima_protect_xattr(dentry, xattr_name, xattr_value,
757 if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
759 digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
760 } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
761 digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
763 if (result == 1 || evm_revalidate_status(xattr_name)) {
764 result = validate_hash_algo(dentry, xvalue, xattr_value_len);
768 ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
773 int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
777 result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
778 if (result == 1 || evm_revalidate_status(xattr_name)) {
779 ima_reset_appraise_flags(d_backing_inode(dentry), 0);