ima: Implement support for module-style appended signatures

#define restrict_link_to_ima restrict_link_by_builtin_trusted

#define restrict_link_to_ima restrict_link_by_builtin_trusted

#endif

#endif

int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,

static struct key *integrity_keyring_from_id(const unsigned int id)

			    const char *digest, int digestlen)

{

{

	if (id >= INTEGRITY_KEYRING_MAX || siglen < 2)

	if (id >= INTEGRITY_KEYRING_MAX)

		return -EINVAL;

		return ERR_PTR(-EINVAL);

	if (!keyring[id]) {

	if (!keyring[id]) {

		keyring[id] =

		keyring[id] =

			int err = PTR_ERR(keyring[id]);

			int err = PTR_ERR(keyring[id]);

			pr_err("no %s keyring: %d\n", keyring_name[id], err);

			pr_err("no %s keyring: %d\n", keyring_name[id], err);

			keyring[id] = NULL;

			keyring[id] = NULL;

			return err;

			return ERR_PTR(err);

		}

		}

	}

	}

	return keyring[id];

}

int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,

			    const char *digest, int digestlen)

{

	struct key *keyring;

	if (siglen < 2)

		return -EINVAL;

	keyring = integrity_keyring_from_id(id);

	if (IS_ERR(keyring))

		return PTR_ERR(keyring);

	switch (sig[1]) {

	switch (sig[1]) {

	case 1:

	case 1:

		/* v1 API expect signature without xattr type */

		/* v1 API expect signature without xattr type */

		return digsig_verify(keyring[id], sig + 1, siglen - 1,

		return digsig_verify(keyring, sig + 1, siglen - 1, digest,

				     digest, digestlen);

				     digestlen);

	case 2:

	case 2:

		return asymmetric_verify(keyring[id], sig, siglen,

		return asymmetric_verify(keyring, sig, siglen, digest,

					 digest, digestlen);

					 digestlen);

	}

	}

	return -EOPNOTSUPP;

	return -EOPNOTSUPP;

}

}

int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig)

{

	struct key *keyring;

	keyring = integrity_keyring_from_id(id);

	if (IS_ERR(keyring))

		return PTR_ERR(keyring);

	return ima_modsig_verify(keyring, modsig);

}

static int __init __integrity_init_keyring(const unsigned int id,

static int __init __integrity_init_keyring(const unsigned int id,

					   key_perm_t perm,

					   key_perm_t perm,

					   struct key_restriction *restriction)

					   struct key_restriction *restriction)

config IMA_APPRAISE_MODSIG

config IMA_APPRAISE_MODSIG

	bool "Support module-style signatures for appraisal"

	bool "Support module-style signatures for appraisal"

	depends on IMA_APPRAISE

	depends on IMA_APPRAISE

	depends on INTEGRITY_ASYMMETRIC_KEYS

	select PKCS7_MESSAGE_PARSER

	select MODULE_SIG_FORMAT

	default n

	default n

	help

	help

	   Adds support for signatures appended to files. The format of the

	   Adds support for signatures appended to files. The format of the

	__ima_hooks(__ima_hook_enumify)

	__ima_hooks(__ima_hook_enumify)

};

};

extern const char *const func_tokens[];

struct modsig;

/* LIM API function definitions */

/* LIM API function definitions */

int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

		   int mask, enum ima_hooks func, int *pcr,

		   int mask, enum ima_hooks func, int *pcr,

			     struct integrity_iint_cache *iint,

			     struct integrity_iint_cache *iint,

			     struct file *file, const unsigned char *filename,

			     struct file *file, const unsigned char *filename,

			     struct evm_ima_xattr_data *xattr_value,

			     struct evm_ima_xattr_data *xattr_value,

			     int xattr_len);

			     int xattr_len, const struct modsig *modsig);

int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);

int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);

void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);

void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);

enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,

enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,

					   struct file *file,

					   struct file *file,

					   const unsigned char *filename,

					   const unsigned char *filename,

					   struct evm_ima_xattr_data *xattr_value,

					   struct evm_ima_xattr_data *xattr_value,

					   int xattr_len)

					   int xattr_len,

					   const struct modsig *modsig)

{

{

	return INTEGRITY_UNKNOWN;

	return INTEGRITY_UNKNOWN;

}

}

#ifdef CONFIG_IMA_APPRAISE_MODSIG

#ifdef CONFIG_IMA_APPRAISE_MODSIG

bool ima_hook_supports_modsig(enum ima_hooks func);

bool ima_hook_supports_modsig(enum ima_hooks func);

int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,

		    struct modsig **modsig);

void ima_free_modsig(struct modsig *modsig);

#else

#else

static inline bool ima_hook_supports_modsig(enum ima_hooks func)

static inline bool ima_hook_supports_modsig(enum ima_hooks func)

{

{

	return false;

	return false;

}

}

static inline int ima_read_modsig(enum ima_hooks func, const void *buf,

				  loff_t buf_len, struct modsig **modsig)

{

	return -EOPNOTSUPP;

}

static inline void ima_free_modsig(struct modsig *modsig)

{

}

#endif /* CONFIG_IMA_APPRAISE_MODSIG */

#endif /* CONFIG_IMA_APPRAISE_MODSIG */

/* LSM based policy rules require audit */

/* LSM based policy rules require audit */

	return rc;

	return rc;

}

}

/*

 * modsig_verify - verify modsig signature

 *

 * Verify whether the signature matches the file contents.

 *

 * Return 0 on success, error code otherwise.

 */

static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,

			 enum integrity_status *status, const char **cause)

{

	int rc;

	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);

	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&

	    func == KEXEC_KERNEL_CHECK)

		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,

					     modsig);

	if (rc) {

		*cause = "invalid-signature";

		*status = INTEGRITY_FAIL;

	} else {

		*status = INTEGRITY_PASS;

	}

	return rc;

}

/*

/*

 * ima_appraise_measurement - appraise file measurement

 * ima_appraise_measurement - appraise file measurement

 *

 *

			     struct integrity_iint_cache *iint,

			     struct integrity_iint_cache *iint,

			     struct file *file, const unsigned char *filename,

			     struct file *file, const unsigned char *filename,

			     struct evm_ima_xattr_data *xattr_value,

			     struct evm_ima_xattr_data *xattr_value,

			     int xattr_len)

			     int xattr_len, const struct modsig *modsig)

{

{

	static const char op[] = "appraise_data";

	static const char op[] = "appraise_data";

	const char *cause = "unknown";

	const char *cause = "unknown";

	struct inode *inode = d_backing_inode(dentry);

	struct inode *inode = d_backing_inode(dentry);

	enum integrity_status status = INTEGRITY_UNKNOWN;

	enum integrity_status status = INTEGRITY_UNKNOWN;

	int rc = xattr_len;

	int rc = xattr_len;

	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;

	if (!(inode->i_opflags & IOP_XATTR))

	/* If not appraising a modsig, we need an xattr. */

	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)

		return INTEGRITY_UNKNOWN;

		return INTEGRITY_UNKNOWN;

	if (rc <= 0) {

	/* If reading the xattr failed and there's no modsig, error out. */

	if (rc <= 0 && !try_modsig) {

		if (rc && rc != -ENODATA)

		if (rc && rc != -ENODATA)

			goto out;

			goto out;

	case INTEGRITY_UNKNOWN:

	case INTEGRITY_UNKNOWN:

		break;

		break;

	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */

	case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */

		/* It's fine not to have xattrs when using a modsig. */

		if (try_modsig)

			break;

		/* fall through */

	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */

	case INTEGRITY_NOLABEL:		/* No security.evm xattr. */

		cause = "missing-HMAC";

		cause = "missing-HMAC";

		goto out;

		goto out;

		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,

		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,

				  &cause);

				  &cause);

	/*

	 * If we have a modsig and either no imasig or the imasig's key isn't

	 * known, then try verifying the modsig.

	 */

	if (try_modsig &&

	    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||

	     rc == -ENOKEY))

		rc = modsig_verify(func, modsig, &status, &cause);

out:

out:

	/*

	/*

	 * File signatures on some filesystems can not be properly verified.

	 * File signatures on some filesystems can not be properly verified.

				    op, cause, rc, 0);

				    op, cause, rc, 0);

	} else if (status != INTEGRITY_PASS) {

	} else if (status != INTEGRITY_PASS) {

		/* Fix mode, but don't replace file signatures. */

		/* Fix mode, but don't replace file signatures. */

		if ((ima_appraise & IMA_APPRAISE_FIX) &&

		if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&

		    (!xattr_value ||

		    (!xattr_value ||

		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {

		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {

			if (!ima_fix_xattr(dentry, iint))

			if (!ima_fix_xattr(dentry, iint))

	int rc = 0, action, must_appraise = 0;

	int rc = 0, action, must_appraise = 0;

	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;

	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;

	struct evm_ima_xattr_data *xattr_value = NULL;

	struct evm_ima_xattr_data *xattr_value = NULL;

	struct modsig *modsig = NULL;

	int xattr_len = 0;

	int xattr_len = 0;

	bool violation_check;

	bool violation_check;

	enum hash_algo hash_algo;

	enum hash_algo hash_algo;

	}

	}

	if ((action & IMA_APPRAISE_SUBMASK) ||

	if ((action & IMA_APPRAISE_SUBMASK) ||

		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)

	    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {

		/* read 'security.ima' */

		/* read 'security.ima' */

		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);

		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);

		/* Read the appended modsig if allowed by the policy. */

		if (iint->flags & IMA_MODSIG_ALLOWED)

			ima_read_modsig(func, buf, size, &modsig);

	}

	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);

	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);

	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);

	rc = ima_collect_measurement(iint, file, buf, size, hash_algo);

	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {

	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {

		inode_lock(inode);

		inode_lock(inode);

		rc = ima_appraise_measurement(func, iint, file, pathname,

		rc = ima_appraise_measurement(func, iint, file, pathname,

					      xattr_value, xattr_len);

					      xattr_value, xattr_len, modsig);

		inode_unlock(inode);

		inode_unlock(inode);

		if (!rc)

		if (!rc)

			rc = mmap_violation_check(func, file, &pathbuf,

			rc = mmap_violation_check(func, file, &pathbuf,

		rc = -EACCES;

		rc = -EACCES;

	mutex_unlock(&iint->mutex);

	mutex_unlock(&iint->mutex);

	kfree(xattr_value);

	kfree(xattr_value);

	ima_free_modsig(modsig);

out:

out:

	if (pathbuf)

	if (pathbuf)

		__putname(pathbuf);

		__putname(pathbuf);