From: Roberto Sassu
To: ,
CC: , , , Roberto Sassu
Subject: [PATCH v7 04/12] evm: Introduce evm_revalidate_status()
Date: Fri, 14 May 2021 17:27:45 +0200
Message-ID: <20210514152753.982958-5-roberto.sassu@huawei.com>
In-Reply-To: <20210514152753.982958-1-roberto.sassu@huawei.com>
References: <20210514152753.982958-1-roberto.sassu@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on metadata. Its main purpose is to allow users to freely set metadata when it is protected by a portable signature, until an HMAC key is loaded.

However, callers of evm_verifyxattr() are not notified about metadata changes and continue to rely on the last status returned by the function. For example IMA, since it caches the appraisal result, will not call evm_verifyxattr() again until the appraisal flags are cleared, and will grant access to the file even if there was a metadata operation that made the portable signature invalid.

This patch introduces evm_revalidate_status(), which callers of evm_verifyxattr() can use in their xattr hooks to determine whether re-validation is necessary and to do the proper actions. IMA calls it in its xattr hooks to reset the appraisal flags, so that the EVM status is re-evaluated after a metadata operation.

Lastly, this patch also adds a call to evm_reset_status() in evm_inode_post_setattr() to invalidate the cached EVM status after a setattr operation.
Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- include/linux/evm.h | 6 ++++ security/integrity/evm/evm_main.c | 40 ++++++++++++++++++++++++--- security/integrity/ima/ima_appraise.c | 15 ++++++---- 3 files changed, 52 insertions(+), 9 deletions(-) diff --git a/include/linux/evm.h b/include/linux/evm.h index 8302bc29bb35..39bb17a8236b 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -35,6 +35,7 @@ extern void evm_inode_post_removexattr(struct dentry *dentry, extern int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm); +extern bool evm_revalidate_status(const char *xattr_name); #ifdef CONFIG_FS_POSIX_ACL extern int posix_xattr_acl(const char *xattrname); #else @@ -104,5 +105,10 @@ static inline int evm_inode_init_security(struct inode *inode, return 0; } +static inline bool evm_revalidate_status(const char *xattr_name) +{ + return false; +} + #endif /* CONFIG_EVM */ #endif /* LINUX_EVM_H */ diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 7ac5204c8d1f..782915117175 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c 
@@ -425,6 +425,31 @@ static void evm_reset_status(struct inode *inode) iint->evm_status = INTEGRITY_UNKNOWN; } +/** + * evm_revalidate_status - report whether EVM status re-validation is necessary + * @xattr_name: pointer to the affected extended attribute name + * + * Report whether callers of evm_verifyxattr() should re-validate the + * EVM status. + * + * Return true if re-validation is necessary, false otherwise. + */ +bool evm_revalidate_status(const char *xattr_name) +{ + if (!evm_key_loaded()) + return false; + + /* evm_inode_post_setattr() passes NULL */ + if (!xattr_name) + return true; + + if (!evm_protected_xattr(xattr_name) && !posix_xattr_acl(xattr_name) && + strcmp(xattr_name, XATTR_NAME_EVM)) + return false; + + return true; +} + /** * evm_inode_post_setxattr - update 'security.evm' to reflect the changes * @dentry: pointer to the affected dentry @@ -441,12 +466,14 @@ static void evm_reset_status(struct inode *inode) void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { - if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name) - && !posix_xattr_acl(xattr_name))) + if (!evm_revalidate_status(xattr_name)) return; evm_reset_status(dentry->d_inode); + if (!strcmp(xattr_name, XATTR_NAME_EVM)) + return; + evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); } @@ -462,11 +489,14 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, */ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) { - if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) + if (!evm_revalidate_status(xattr_name)) return; evm_reset_status(dentry->d_inode); + if (!strcmp(xattr_name, XATTR_NAME_EVM)) + return; + evm_update_evmxattr(dentry, xattr_name, NULL, 0); } 
@@ -513,9 +543,11 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) */ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) { - if (!evm_key_loaded()) + if (!evm_revalidate_status(NULL)) return; + evm_reset_status(dentry->d_inode); + if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) evm_update_evmxattr(dentry, NULL, NULL, 0); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 4e5eb0236278..03894769dffa 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -570,6 +570,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { const struct evm_ima_xattr_data *xvalue = xattr_value; + int digsig = 0; int result; result = ima_protect_xattr(dentry, xattr_name, xattr_value, @@ -577,9 +578,12 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, if (result == 1) { if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) return -EINVAL; - ima_reset_appraise_flags(d_backing_inode(dentry), - xvalue->type == EVM_IMA_XATTR_DIGSIG); - result = 0; + digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); + } + if (result == 1 || evm_revalidate_status(xattr_name)) { + ima_reset_appraise_flags(d_backing_inode(dentry), digsig); + if (result == 1) + result = 0; } return result; } @@ -589,9 +593,10 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) int result; result = ima_protect_xattr(dentry, xattr_name, NULL, 0); - if (result == 1) { + if (result == 1 || evm_revalidate_status(xattr_name)) { ima_reset_appraise_flags(d_backing_inode(dentry), 0); - result = 0; + if (result == 1) + result = 0; } return result; } -- 2.25.1
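Review bot: In the evm_main.c hunk `@@ -425,6 +425,31 @@` that adds evm_revalidate_status(), the kernel-doc comment ends with "Return true if re-validation is necessary, false otherwise." but kernel-doc only recognizes a return section introduced by the literal `Return:` header; as written the sentence is folded into the description. Suggest "Return: true if re-validation is necessary, false otherwise." It would also help the reader of the header to state in the @xattr_name line that NULL means "an inode attribute changed" rather than only noting it in the body comment, since evm.h exposes the function to other callers.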
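Review bot: In the evm_inode_post_setxattr() hunk `@@ -441,12 +466,14 @@`, replacing the old `evm_protected_xattr() || posix_xattr_acl()` condition with evm_revalidate_status() means a write to security.evm itself now resets the cached EVM status (the new `strcmp(xattr_name, XATTR_NAME_EVM)` early return then skips the HMAC update). That is a behaviour change the commit message does not mention; a sentence along the lines of "writing security.evm now also invalidates the cached status, without recomputing the HMAC" would make the intent reviewable.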
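Review bot: In the evm_inode_post_removexattr() hunk `@@ -462,11 +489,14 @@`, the removed condition only checked `evm_protected_xattr(xattr_name)`, while evm_revalidate_status() additionally accepts posix_xattr_acl() names and XATTR_NAME_EVM. Removing a POSIX ACL xattr therefore now resets the status and calls evm_update_evmxattr(), which the old code did not do. This looks like a fix for an inconsistency with the setxattr path, but it should be called out in the commit message rather than arriving silently with the refactoring.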
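Review bot: In the evm_inode_post_setattr() hunk `@@ -513,9 +543,11 @@`, the new `evm_reset_status(dentry->d_inode)` runs for every setattr that reaches the hook, including ones that touch only size or timestamps, while the following evm_update_evmxattr() stays gated on `ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)`. If only those attributes feed the HMAC and portable signature, consider gating the reset on the same mask so unrelated setattr calls do not force a re-verification; if the unconditional reset is deliberate, the commit message should say why, since it currently only says "after a setattr operation".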
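Review bot: In the ima_inode_setxattr() hunk `@@ -577,9 +578,12 @@`, the new `if (result == 1 || evm_revalidate_status(xattr_name))` is evaluated even when ima_protect_xattr() returned a negative error, i.e. when the write is about to be refused, so the appraise flags are reset for an operation that never happens. Suggest `if (result == 1 || (!result && evm_revalidate_status(xattr_name)))`, which keeps the error path side-effect free and makes the `if (result == 1) result = 0;` inside the branch read more naturally.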
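Review bot: In the ima_inode_removexattr() hunk `@@ -589,9 +593,10 @@`, the same error-path issue applies: evm_revalidate_status() is consulted and the appraise flags are reset even when ima_protect_xattr() returned an error. Restructuring as `if (result == 1) { ima_reset_appraise_flags(..., 0); result = 0; } else if (!result && evm_revalidate_status(xattr_name)) ima_reset_appraise_flags(..., 0);` avoids that and removes the nested `if (result == 1)` check.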