mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-28 11:18:45 +07:00
3b1deef6b1
evm_inode_setxattr() can be called with no value. The function does not check the length so that following command can be used to produce the kernel oops: setfattr -n security.evm FOO. This patch fixes it. Changes in v3: * there is no reason to return different error codes for EVM_XATTR_HMAC and non EVM_XATTR_HMAC. Remove unnecessary test then. Changes in v2: * testing for validity of xattr type [ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at (null) [ 1106.398192] IP: [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48 [ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0 [ 1106.399953] Oops: 0000 [#1] SMP [ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse [ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936 [ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000 [ 1106.400020] RIP: 0010:[<ffffffff812af7b8>] [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48 [ 1106.400020] RSP: 0018:ffff88002917fd50 EFLAGS: 00010246 [ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000 [ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8 [ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df [ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00 [ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1106.400020] FS: 00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000 [ 1106.400020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0 [ 1106.400020] Stack: [ 1106.400020] ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98 [ 1106.400020] ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000 [ 1106.400020] 0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8 [ 1106.400020] Call Trace: [ 1106.400020] [<ffffffff812a1030>] security_inode_setxattr+0x5d/0x6a [ 1106.400020] [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f [ 1106.400020] [<ffffffff8116d1e0>] setxattr+0x122/0x16c [ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45 [ 1106.400020] [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143 [ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45 [ 1106.400020] [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f [ 1106.400020] [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0 [ 1106.400020] [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b [ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83 [ 1106.400020] RIP [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48 [ 1106.400020] RSP <ffff88002917fd50> [ 1106.400020] CR2: 0000000000000000 [ 1106.428061] ---[ end trace ae08331628ba3050 ]--- Reported-by: Jan Kara <jack@suse.cz> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
494 lines
13 KiB
C
494 lines
13 KiB
C
/*
|
|
* Copyright (C) 2005-2010 IBM Corporation
|
|
*
|
|
* Author:
|
|
* Mimi Zohar <zohar@us.ibm.com>
|
|
* Kylene Hall <kjhall@us.ibm.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, version 2 of the License.
|
|
*
|
|
* File: evm_main.c
|
|
* implements evm_inode_setxattr, evm_inode_post_setxattr,
|
|
* evm_inode_removexattr, and evm_verifyxattr
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/crypto.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/xattr.h>
|
|
#include <linux/integrity.h>
|
|
#include <linux/evm.h>
|
|
#include <crypto/hash.h>
|
|
#include "evm.h"
|
|
|
|
int evm_initialized;
|
|
|
|
static char *integrity_status_msg[] = {
|
|
"pass", "fail", "no_label", "no_xattrs", "unknown"
|
|
};
|
|
char *evm_hmac = "hmac(sha1)";
|
|
char *evm_hash = "sha1";
|
|
int evm_hmac_attrs;
|
|
|
|
char *evm_config_xattrnames[] = {
|
|
#ifdef CONFIG_SECURITY_SELINUX
|
|
XATTR_NAME_SELINUX,
|
|
#endif
|
|
#ifdef CONFIG_SECURITY_SMACK
|
|
XATTR_NAME_SMACK,
|
|
#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
|
|
XATTR_NAME_SMACKEXEC,
|
|
XATTR_NAME_SMACKTRANSMUTE,
|
|
XATTR_NAME_SMACKMMAP,
|
|
#endif
|
|
#endif
|
|
#ifdef CONFIG_IMA_APPRAISE
|
|
XATTR_NAME_IMA,
|
|
#endif
|
|
XATTR_NAME_CAPS,
|
|
NULL
|
|
};
|
|
|
|
static int evm_fixmode;
|
|
static int __init evm_set_fixmode(char *str)
|
|
{
|
|
if (strncmp(str, "fix", 3) == 0)
|
|
evm_fixmode = 1;
|
|
return 0;
|
|
}
|
|
__setup("evm=", evm_set_fixmode);
|
|
|
|
static void __init evm_init_config(void)
|
|
{
|
|
#ifdef CONFIG_EVM_ATTR_FSUUID
|
|
evm_hmac_attrs |= EVM_ATTR_FSUUID;
|
|
#endif
|
|
pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
|
|
}
|
|
|
|
static int evm_find_protected_xattrs(struct dentry *dentry)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
char **xattr;
|
|
int error;
|
|
int count = 0;
|
|
|
|
if (!inode->i_op->getxattr)
|
|
return -EOPNOTSUPP;
|
|
|
|
for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
|
|
error = inode->i_op->getxattr(dentry, *xattr, NULL, 0);
|
|
if (error < 0) {
|
|
if (error == -ENODATA)
|
|
continue;
|
|
return error;
|
|
}
|
|
count++;
|
|
}
|
|
|
|
return count;
|
|
}
|
|
|
|
/*
|
|
* evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
|
|
*
|
|
* Compute the HMAC on the dentry's protected set of extended attributes
|
|
* and compare it against the stored security.evm xattr.
|
|
*
|
|
* For performance:
|
|
* - use the previoulsy retrieved xattr value and length to calculate the
|
|
* HMAC.)
|
|
* - cache the verification result in the iint, when available.
|
|
*
|
|
* Returns integrity status
|
|
*/
|
|
static enum integrity_status evm_verify_hmac(struct dentry *dentry,
|
|
const char *xattr_name,
|
|
char *xattr_value,
|
|
size_t xattr_value_len,
|
|
struct integrity_iint_cache *iint)
|
|
{
|
|
struct evm_ima_xattr_data *xattr_data = NULL;
|
|
struct evm_ima_xattr_data calc;
|
|
enum integrity_status evm_status = INTEGRITY_PASS;
|
|
int rc, xattr_len;
|
|
|
|
if (iint && iint->evm_status == INTEGRITY_PASS)
|
|
return iint->evm_status;
|
|
|
|
/* if status is not PASS, try to check again - against -ENOMEM */
|
|
|
|
/* first need to know the sig type */
|
|
rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
|
|
GFP_NOFS);
|
|
if (rc <= 0) {
|
|
evm_status = INTEGRITY_FAIL;
|
|
if (rc == -ENODATA) {
|
|
rc = evm_find_protected_xattrs(dentry);
|
|
if (rc > 0)
|
|
evm_status = INTEGRITY_NOLABEL;
|
|
else if (rc == 0)
|
|
evm_status = INTEGRITY_NOXATTRS; /* new file */
|
|
} else if (rc == -EOPNOTSUPP) {
|
|
evm_status = INTEGRITY_UNKNOWN;
|
|
}
|
|
goto out;
|
|
}
|
|
|
|
xattr_len = rc;
|
|
|
|
/* check value type */
|
|
switch (xattr_data->type) {
|
|
case EVM_XATTR_HMAC:
|
|
rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
|
|
xattr_value_len, calc.digest);
|
|
if (rc)
|
|
break;
|
|
rc = memcmp(xattr_data->digest, calc.digest,
|
|
sizeof(calc.digest));
|
|
if (rc)
|
|
rc = -EINVAL;
|
|
break;
|
|
case EVM_IMA_XATTR_DIGSIG:
|
|
rc = evm_calc_hash(dentry, xattr_name, xattr_value,
|
|
xattr_value_len, calc.digest);
|
|
if (rc)
|
|
break;
|
|
rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
|
|
(const char *)xattr_data, xattr_len,
|
|
calc.digest, sizeof(calc.digest));
|
|
if (!rc) {
|
|
/* we probably want to replace rsa with hmac here */
|
|
evm_update_evmxattr(dentry, xattr_name, xattr_value,
|
|
xattr_value_len);
|
|
}
|
|
break;
|
|
default:
|
|
rc = -EINVAL;
|
|
break;
|
|
}
|
|
|
|
if (rc)
|
|
evm_status = (rc == -ENODATA) ?
|
|
INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
|
|
out:
|
|
if (iint)
|
|
iint->evm_status = evm_status;
|
|
kfree(xattr_data);
|
|
return evm_status;
|
|
}
|
|
|
|
static int evm_protected_xattr(const char *req_xattr_name)
|
|
{
|
|
char **xattrname;
|
|
int namelen;
|
|
int found = 0;
|
|
|
|
namelen = strlen(req_xattr_name);
|
|
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
|
|
if ((strlen(*xattrname) == namelen)
|
|
&& (strncmp(req_xattr_name, *xattrname, namelen) == 0)) {
|
|
found = 1;
|
|
break;
|
|
}
|
|
if (strncmp(req_xattr_name,
|
|
*xattrname + XATTR_SECURITY_PREFIX_LEN,
|
|
strlen(req_xattr_name)) == 0) {
|
|
found = 1;
|
|
break;
|
|
}
|
|
}
|
|
return found;
|
|
}
|
|
|
|
/**
|
|
* evm_verifyxattr - verify the integrity of the requested xattr
|
|
* @dentry: object of the verify xattr
|
|
* @xattr_name: requested xattr
|
|
* @xattr_value: requested xattr value
|
|
* @xattr_value_len: requested xattr value length
|
|
*
|
|
* Calculate the HMAC for the given dentry and verify it against the stored
|
|
* security.evm xattr. For performance, use the xattr value and length
|
|
* previously retrieved to calculate the HMAC.
|
|
*
|
|
* Returns the xattr integrity status.
|
|
*
|
|
* This function requires the caller to lock the inode's i_mutex before it
|
|
* is executed.
|
|
*/
|
|
enum integrity_status evm_verifyxattr(struct dentry *dentry,
|
|
const char *xattr_name,
|
|
void *xattr_value, size_t xattr_value_len,
|
|
struct integrity_iint_cache *iint)
|
|
{
|
|
if (!evm_initialized || !evm_protected_xattr(xattr_name))
|
|
return INTEGRITY_UNKNOWN;
|
|
|
|
if (!iint) {
|
|
iint = integrity_iint_find(dentry->d_inode);
|
|
if (!iint)
|
|
return INTEGRITY_UNKNOWN;
|
|
}
|
|
return evm_verify_hmac(dentry, xattr_name, xattr_value,
|
|
xattr_value_len, iint);
|
|
}
|
|
EXPORT_SYMBOL_GPL(evm_verifyxattr);
|
|
|
|
/*
|
|
* evm_verify_current_integrity - verify the dentry's metadata integrity
|
|
* @dentry: pointer to the affected dentry
|
|
*
|
|
* Verify and return the dentry's metadata integrity. The exceptions are
|
|
* before EVM is initialized or in 'fix' mode.
|
|
*/
|
|
static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode)
|
|
return 0;
|
|
return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
|
|
}
|
|
|
|
/*
|
|
* evm_protect_xattr - protect the EVM extended attribute
|
|
*
|
|
* Prevent security.evm from being modified or removed without the
|
|
* necessary permissions or when the existing value is invalid.
|
|
*
|
|
* The posix xattr acls are 'system' prefixed, which normally would not
|
|
* affect security.evm. An interesting side affect of writing posix xattr
|
|
* acls is their modifying of the i_mode, which is included in security.evm.
|
|
* For posix xattr acls only, permit security.evm, even if it currently
|
|
* doesn't exist, to be updated.
|
|
*/
|
|
static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
|
|
const void *xattr_value, size_t xattr_value_len)
|
|
{
|
|
enum integrity_status evm_status;
|
|
|
|
if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
return -EPERM;
|
|
} else if (!evm_protected_xattr(xattr_name)) {
|
|
if (!posix_xattr_acl(xattr_name))
|
|
return 0;
|
|
evm_status = evm_verify_current_integrity(dentry);
|
|
if ((evm_status == INTEGRITY_PASS) ||
|
|
(evm_status == INTEGRITY_NOXATTRS))
|
|
return 0;
|
|
goto out;
|
|
}
|
|
evm_status = evm_verify_current_integrity(dentry);
|
|
if (evm_status == INTEGRITY_NOXATTRS) {
|
|
struct integrity_iint_cache *iint;
|
|
|
|
iint = integrity_iint_find(dentry->d_inode);
|
|
if (iint && (iint->flags & IMA_NEW_FILE))
|
|
return 0;
|
|
}
|
|
out:
|
|
if (evm_status != INTEGRITY_PASS)
|
|
integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
|
|
dentry->d_name.name, "appraise_metadata",
|
|
integrity_status_msg[evm_status],
|
|
-EPERM, 0);
|
|
return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
|
|
}
|
|
|
|
/**
|
|
* evm_inode_setxattr - protect the EVM extended attribute
|
|
* @dentry: pointer to the affected dentry
|
|
* @xattr_name: pointer to the affected extended attribute name
|
|
* @xattr_value: pointer to the new extended attribute value
|
|
* @xattr_value_len: pointer to the new extended attribute value length
|
|
*
|
|
* Before allowing the 'security.evm' protected xattr to be updated,
|
|
* verify the existing value is valid. As only the kernel should have
|
|
* access to the EVM encrypted key needed to calculate the HMAC, prevent
|
|
* userspace from writing HMAC value. Writing 'security.evm' requires
|
|
* requires CAP_SYS_ADMIN privileges.
|
|
*/
|
|
int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
|
|
const void *xattr_value, size_t xattr_value_len)
|
|
{
|
|
const struct evm_ima_xattr_data *xattr_data = xattr_value;
|
|
|
|
if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
|
|
if (!xattr_value_len)
|
|
return -EINVAL;
|
|
if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
|
|
return -EPERM;
|
|
}
|
|
return evm_protect_xattr(dentry, xattr_name, xattr_value,
|
|
xattr_value_len);
|
|
}
|
|
|
|
/**
|
|
* evm_inode_removexattr - protect the EVM extended attribute
|
|
* @dentry: pointer to the affected dentry
|
|
* @xattr_name: pointer to the affected extended attribute name
|
|
*
|
|
* Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
|
|
* the current value is valid.
|
|
*/
|
|
int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
|
|
{
|
|
return evm_protect_xattr(dentry, xattr_name, NULL, 0);
|
|
}
|
|
|
|
/**
|
|
* evm_inode_post_setxattr - update 'security.evm' to reflect the changes
|
|
* @dentry: pointer to the affected dentry
|
|
* @xattr_name: pointer to the affected extended attribute name
|
|
* @xattr_value: pointer to the new extended attribute value
|
|
* @xattr_value_len: pointer to the new extended attribute value length
|
|
*
|
|
* Update the HMAC stored in 'security.evm' to reflect the change.
|
|
*
|
|
* No need to take the i_mutex lock here, as this function is called from
|
|
* __vfs_setxattr_noperm(). The caller of which has taken the inode's
|
|
* i_mutex lock.
|
|
*/
|
|
void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
|
|
const void *xattr_value, size_t xattr_value_len)
|
|
{
|
|
if (!evm_initialized || (!evm_protected_xattr(xattr_name)
|
|
&& !posix_xattr_acl(xattr_name)))
|
|
return;
|
|
|
|
evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
|
|
}
|
|
|
|
/**
|
|
* evm_inode_post_removexattr - update 'security.evm' after removing the xattr
|
|
* @dentry: pointer to the affected dentry
|
|
* @xattr_name: pointer to the affected extended attribute name
|
|
*
|
|
* Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
|
|
*/
|
|
void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
if (!evm_initialized || !evm_protected_xattr(xattr_name))
|
|
return;
|
|
|
|
mutex_lock(&inode->i_mutex);
|
|
evm_update_evmxattr(dentry, xattr_name, NULL, 0);
|
|
mutex_unlock(&inode->i_mutex);
|
|
}
|
|
|
|
/**
|
|
* evm_inode_setattr - prevent updating an invalid EVM extended attribute
|
|
* @dentry: pointer to the affected dentry
|
|
*/
|
|
int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
|
|
{
|
|
unsigned int ia_valid = attr->ia_valid;
|
|
enum integrity_status evm_status;
|
|
|
|
if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
|
|
return 0;
|
|
evm_status = evm_verify_current_integrity(dentry);
|
|
if ((evm_status == INTEGRITY_PASS) ||
|
|
(evm_status == INTEGRITY_NOXATTRS))
|
|
return 0;
|
|
integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
|
|
dentry->d_name.name, "appraise_metadata",
|
|
integrity_status_msg[evm_status], -EPERM, 0);
|
|
return -EPERM;
|
|
}
|
|
|
|
/**
|
|
* evm_inode_post_setattr - update 'security.evm' after modifying metadata
|
|
* @dentry: pointer to the affected dentry
|
|
* @ia_valid: for the UID and GID status
|
|
*
|
|
* For now, update the HMAC stored in 'security.evm' to reflect UID/GID
|
|
* changes.
|
|
*
|
|
* This function is called from notify_change(), which expects the caller
|
|
* to lock the inode's i_mutex.
|
|
*/
|
|
void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
|
|
{
|
|
if (!evm_initialized)
|
|
return;
|
|
|
|
if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
|
|
evm_update_evmxattr(dentry, NULL, NULL, 0);
|
|
}
|
|
|
|
/*
|
|
* evm_inode_init_security - initializes security.evm
|
|
*/
|
|
int evm_inode_init_security(struct inode *inode,
|
|
const struct xattr *lsm_xattr,
|
|
struct xattr *evm_xattr)
|
|
{
|
|
struct evm_ima_xattr_data *xattr_data;
|
|
int rc;
|
|
|
|
if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name))
|
|
return 0;
|
|
|
|
xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
|
|
if (!xattr_data)
|
|
return -ENOMEM;
|
|
|
|
xattr_data->type = EVM_XATTR_HMAC;
|
|
rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
|
|
if (rc < 0)
|
|
goto out;
|
|
|
|
evm_xattr->value = xattr_data;
|
|
evm_xattr->value_len = sizeof(*xattr_data);
|
|
evm_xattr->name = XATTR_EVM_SUFFIX;
|
|
return 0;
|
|
out:
|
|
kfree(xattr_data);
|
|
return rc;
|
|
}
|
|
EXPORT_SYMBOL_GPL(evm_inode_init_security);
|
|
|
|
static int __init init_evm(void)
|
|
{
|
|
int error;
|
|
|
|
evm_init_config();
|
|
|
|
error = evm_init_secfs();
|
|
if (error < 0) {
|
|
pr_info("Error registering secfs\n");
|
|
goto err;
|
|
}
|
|
|
|
return 0;
|
|
err:
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* evm_display_config - list the EVM protected security extended attributes
|
|
*/
|
|
static int __init evm_display_config(void)
|
|
{
|
|
char **xattrname;
|
|
|
|
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++)
|
|
pr_info("%s\n", *xattrname);
|
|
return 0;
|
|
}
|
|
|
|
pure_initcall(evm_display_config);
|
|
late_initcall(init_evm);
|
|
|
|
MODULE_DESCRIPTION("Extended Verification Module");
|
|
MODULE_LICENSE("GPL");
|