/* * ima_update_xattr - update 'security.ima' hash value */ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) { struct dentry *dentry = file->f_dentry; int rc = 0; /* do not collect and update hash for digital signatures */ if (iint->flags & IMA_DIGSIG) return; rc = ima_collect_measurement(iint, file, NULL, NULL); if (rc < 0) return; ima_fix_xattr(dentry, iint); }
/* * ima_appraise_measurement - appraise file measurement * * Call evm_verifyxattr() to verify the integrity of 'security.ima'. * Assuming success, compare the xattr hash with the collected measurement. * * Return 0 on success, error code otherwise */ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename, struct evm_ima_xattr_data *xattr_value, int xattr_len) { struct dentry *dentry = file->f_dentry; struct inode *inode = dentry->d_inode; enum integrity_status status = INTEGRITY_UNKNOWN; const char *op = "appraise_data"; char *cause = "unknown"; int rc = xattr_len, hash_start = 0; if (!ima_appraise) return 0; if (!inode->i_op->getxattr) return INTEGRITY_UNKNOWN; if (rc <= 0) { if (rc && rc != -ENODATA) goto out; cause = "missing-hash"; status = (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL; goto out; } status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) { if ((status == INTEGRITY_NOLABEL) || (status == INTEGRITY_NOXATTRS)) cause = "missing-HMAC"; else if (status == INTEGRITY_FAIL) cause = "invalid-HMAC"; goto out; } switch (xattr_value->type) { case IMA_XATTR_DIGEST_NG: /* first byte contains algorithm id */ hash_start = 1; case IMA_XATTR_DIGEST: if (iint->flags & IMA_DIGSIG_REQUIRED) { cause = "IMA signature required"; status = INTEGRITY_FAIL; break; } if (xattr_len - sizeof(xattr_value->type) - hash_start >= iint->ima_hash->length) /* xattr length may be longer. md5 hash in previous version occupied 20 bytes in xattr, instead of 16 */ rc = memcmp(&xattr_value->digest[hash_start], iint->ima_hash->digest, iint->ima_hash->length); else rc = -EINVAL; if (rc) { cause = "invalid-hash"; status = INTEGRITY_FAIL; break; } status = INTEGRITY_PASS; break; case EVM_IMA_XATTR_DIGSIG: iint->flags |= IMA_DIGSIG; rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, (const char *)xattr_value, rc, iint->ima_hash->digest, iint->ima_hash->length); if (rc == -EOPNOTSUPP) { status = INTEGRITY_UNKNOWN; } else if (rc) { cause = "invalid-signature"; status = INTEGRITY_FAIL; } else { status = INTEGRITY_PASS; } break; default: status = INTEGRITY_UNKNOWN; cause = "unknown-ima-data"; break; } out: if (status != INTEGRITY_PASS) { if ((ima_appraise & IMA_APPRAISE_FIX) && (!xattr_value || xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { if (!ima_fix_xattr(dentry, iint)) status = INTEGRITY_PASS; } integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, op, cause, rc, 0); } else { ima_cache_flags(iint, func); } ima_set_cache_status(iint, func, status); return status; }
/* * ima_appraise_measurement - appraise file measurement * * Call evm_verifyxattr() to verify the integrity of 'security.ima'. * Assuming success, compare the xattr hash with the collected measurement. * * Return 0 on success, error code otherwise */ int ima_appraise_measurement(struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename) { struct dentry *dentry = file->f_dentry; struct inode *inode = dentry->d_inode; struct evm_ima_xattr_data *xattr_value = NULL; enum integrity_status status = INTEGRITY_UNKNOWN; const char *op = "appraise_data"; char *cause = "unknown"; int rc; if (!ima_appraise) return 0; if (!inode->i_op->getxattr) return INTEGRITY_UNKNOWN; if (iint->flags & IMA_APPRAISED) return iint->ima_status; rc = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)&xattr_value, 0, GFP_NOFS); if (rc <= 0) { if (rc && rc != -ENODATA) goto out; cause = "missing-hash"; status = (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL; goto out; } status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) { if ((status == INTEGRITY_NOLABEL) || (status == INTEGRITY_NOXATTRS)) cause = "missing-HMAC"; else if (status == INTEGRITY_FAIL) cause = "invalid-HMAC"; goto out; } switch (xattr_value->type) { case IMA_XATTR_DIGEST: rc = memcmp(xattr_value->digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE); if (rc) { cause = "invalid-hash"; status = INTEGRITY_FAIL; print_hex_dump_bytes("security.ima: ", DUMP_PREFIX_NONE, xattr_value, sizeof(*xattr_value)); print_hex_dump_bytes("collected: ", DUMP_PREFIX_NONE, (u8 *)&iint->ima_xattr, sizeof iint->ima_xattr); break; } status = INTEGRITY_PASS; break; case EVM_IMA_XATTR_DIGSIG: iint->flags |= IMA_DIGSIG; rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, xattr_value->digest, rc - 1, iint->ima_xattr.digest, IMA_DIGEST_SIZE); if (rc == -EOPNOTSUPP) { status = INTEGRITY_UNKNOWN; } else if (rc) { cause = "invalid-signature"; status = INTEGRITY_FAIL; } else { status = INTEGRITY_PASS; } break; default: status = INTEGRITY_UNKNOWN; cause = "unknown-ima-data"; break; } out: if (status != INTEGRITY_PASS) { if ((ima_appraise & IMA_APPRAISE_FIX) && (!xattr_value || xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { ima_fix_xattr(dentry, iint); status = INTEGRITY_PASS; } integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, op, cause, rc, 0); } else { iint->flags |= IMA_APPRAISED; } iint->ima_status = status; kfree(xattr_value); return status; }