1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2005-2010 IBM Corporation
7 * Kylene Hall <kjhall@us.ibm.com>
144 if (!(inode->i_opflags & IOP_XATTR)) in evm_find_protected_xattrs()
145 return -EOPNOTSUPP; in evm_find_protected_xattrs()
148 error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); in evm_find_protected_xattrs()
150 if (error == -ENODATA) in evm_find_protected_xattrs()
161 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
167 * - use the previously retrieved xattr value and length to calculate the
169 * - cache the verification result in the iint, when available.
186 if (iint && (iint->evm_status == INTEGRITY_PASS || in evm_verify_hmac()
187 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) in evm_verify_hmac()
188 return iint->evm_status; in evm_verify_hmac()
190 /* if status is not PASS, try to check again - against -ENOMEM */ in evm_verify_hmac()
197 if (rc == -ENODATA) { in evm_verify_hmac()
203 } else if (rc == -EOPNOTSUPP) { in evm_verify_hmac()
212 switch (xattr_data->type) { in evm_verify_hmac()
224 rc = crypto_memneq(xattr_data->data, digest.digest, in evm_verify_hmac()
227 rc = -EINVAL; in evm_verify_hmac()
233 /* accept xattr with non-empty signature field */ in evm_verify_hmac()
240 digest.hdr.algo = hdr->hash_algo; in evm_verify_hmac()
242 xattr_value_len, xattr_data->type, &digest); in evm_verify_hmac()
251 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { in evm_verify_hmac()
253 iint->flags |= EVM_IMMUTABLE_DIGSIG; in evm_verify_hmac()
256 !(inode->i_sb->s_readonly_remount) && in evm_verify_hmac()
265 rc = -EINVAL; in evm_verify_hmac()
270 if (rc == -ENODATA) in evm_verify_hmac()
281 iint->evm_status = evm_status; in evm_verify_hmac()
295 if (!all_xattrs && !xattr->enabled) in evm_protected_xattr_common()
298 if ((strlen(xattr->name) == namelen) in evm_protected_xattr_common()
299 && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { in evm_protected_xattr_common()
304 xattr->name + XATTR_SECURITY_PREFIX_LEN, in evm_protected_xattr_common()
325 * evm_read_protected_xattrs - read EVM protected xattr names, lengths, values
347 xattr->name, NULL, 0); in evm_read_protected_xattrs()
348 if (rc < 0 && rc == -ENODATA) in evm_read_protected_xattrs()
353 switch (type) { in evm_read_protected_xattrs()
355 size = strlen(xattr->name) + 1; in evm_read_protected_xattrs()
358 *(buffer + total_size - 1) = '|'; in evm_read_protected_xattrs()
360 memcpy(buffer + total_size, xattr->name, size); in evm_read_protected_xattrs()
376 d_backing_inode(dentry), xattr->name, in evm_read_protected_xattrs()
378 buffer_size - total_size); in evm_read_protected_xattrs()
384 return -EINVAL; in evm_read_protected_xattrs()
394 * evm_verifyxattr - verify the integrity of the requested xattr
428 * evm_verify_current_integrity - verify the dentry's metadata integrity
438 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode) in evm_verify_current_integrity()
444 * evm_xattr_acl_change - check if passed ACL changes the inode mode
486 if (inode->i_mode != mode) in evm_xattr_acl_change()
493 * evm_xattr_change - check if passed xattr value differs from current value
530 * evm_protect_xattr - protect the EVM extended attribute
549 return -EPERM; in evm_protect_xattr()
569 if (iint && (iint->flags & IMA_NEW_FILE)) in evm_protect_xattr()
573 if (dentry->d_sb->s_magic == TMPFS_MAGIC in evm_protect_xattr()
574 || dentry->d_sb->s_magic == SYSFS_MAGIC) in evm_protect_xattr()
578 dentry->d_inode, dentry->d_name.name, in evm_protect_xattr()
581 -EPERM, 0); in evm_protect_xattr()
604 dentry->d_name.name, "appraise_metadata", in evm_protect_xattr()
606 -EPERM, 0); in evm_protect_xattr()
607 return evm_status == INTEGRITY_PASS ? 0 : -EPERM; in evm_protect_xattr()
611 * evm_inode_setxattr - protect the EVM extended attribute
638 return -EINVAL; in evm_inode_setxattr()
639 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG && in evm_inode_setxattr()
640 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) in evm_inode_setxattr()
641 return -EPERM; in evm_inode_setxattr()
648 * evm_inode_removexattr - protect the EVM extended attribute
674 iint->evm_status = INTEGRITY_UNKNOWN; in evm_reset_status()
678 * evm_revalidate_status - report whether EVM status re-validation is necessary
681 * Report whether callers of evm_verifyxattr() should re-validate the
684 * Return true if re-validation is necessary, false otherwise.
703 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes
721 evm_reset_status(dentry->d_inode); in evm_inode_post_setxattr()
733 * evm_inode_post_removexattr - update 'security.evm' after removing the xattr
747 evm_reset_status(dentry->d_inode); in evm_inode_post_removexattr()
761 unsigned int ia_valid = attr->ia_valid; in evm_attr_change()
763 if ((!(ia_valid & ATTR_UID) || uid_eq(attr->ia_uid, inode->i_uid)) && in evm_attr_change()
764 (!(ia_valid & ATTR_GID) || gid_eq(attr->ia_gid, inode->i_gid)) && in evm_attr_change()
765 (!(ia_valid & ATTR_MODE) || attr->ia_mode == inode->i_mode)) in evm_attr_change()
772 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
780 unsigned int ia_valid = attr->ia_valid; in evm_inode_setattr()
808 dentry->d_name.name, "appraise_metadata", in evm_inode_setattr()
809 integrity_status_msg[evm_status], -EPERM, 0); in evm_inode_setattr()
810 return -EPERM; in evm_inode_setattr()
814 * evm_inode_post_setattr - update 'security.evm' after modifying metadata
829 evm_reset_status(dentry->d_inode); in evm_inode_post_setattr()
839 * evm_inode_init_security - initializes security.evm HMAC value
849 !evm_protected_xattr(lsm_xattr->name)) in evm_inode_init_security()
854 return -ENOMEM; in evm_inode_init_security()
856 xattr_data->data.type = EVM_XATTR_HMAC; in evm_inode_init_security()
857 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); in evm_inode_init_security()
861 evm_xattr->value = xattr_data; in evm_inode_init_security()
862 evm_xattr->value_len = sizeof(*xattr_data); in evm_inode_init_security()
863 evm_xattr->name = XATTR_EVM_SUFFIX; in evm_inode_init_security()