evm: Verify portable signatures against all protected xattrs

Currently, the evm_config_default_xattrnames array contains xattr names
only related to LSMs which are enabled in the kernel configuration.
However, EVM portable signatures do not depend on local information and a
vendor might include in the signature calculation xattrs that are not
enabled in the target platform.

Just including all xattrs names in evm_config_default_xattrnames is not a
safe approach, because a target system might have already calculated
signatures or HMACs based only on the enabled xattrs. After applying this
patch, EVM would verify those signatures and HMACs with all xattrs instead.
The non-enabled ones, which could possibly exist, would cause a
verification error.

Thus, this patch adds a new field named enabled to the xattr_list
structure, which is set to true if the LSM associated to a given xattr name
is enabled in the kernel configuration. The non-enabled xattrs are taken
into account only in evm_calc_hmac_or_hash(), if the passed security.evm
type is EVM_XATTR_PORTABLE_DIGSIG.

The new function evm_protected_xattr_if_enabled() has been defined so that
IMA can include all protected xattrs and not only the enabled ones in the
measurement list, if the new template fields xattrnames, xattrlengths or
xattrvalues have been included in the template format.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/include/linux/evm.h b/include/linux/evm.h
index 31ef1dbbb3acdd8802f703d25ea9ed1167b2e893..5011a299c2511fb9153ec34560507aa839d513df 100644 (file)
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -38,6 +38,7 @@ extern int evm_inode_init_security(struct inode *inode,
                                   const struct xattr *xattr_array,
                                   struct xattr *evm);
 extern bool evm_revalidate_status(const char *xattr_name);
+extern int evm_protected_xattr_if_enabled(const char *req_xattr_name);
 #ifdef CONFIG_FS_POSIX_ACL
 extern int posix_xattr_acl(const char *xattrname);
 #else
@@ -114,5 +115,10 @@ static inline bool evm_revalidate_status(const char *xattr_name)
        return false;
 }
 
+static inline int evm_protected_xattr_if_enabled(const char *req_xattr_name)
+{
+       return false;
+}
+
 #endif /* CONFIG_EVM */
 #endif /* LINUX_EVM_H */

diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index f2fef2b5ed51bbfaa2e1cc3340de742a5c2a1756..0d44f41d16f87088c56a22b4713098bffbb1a059 100644 (file)
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -29,6 +29,7 @@
 struct xattr_list {
        struct list_head list;
        char *name;
+       bool enabled;
 };
 
 extern int evm_initialized;

diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index d76b006cbcc4cb4d75e3eac1862e382cf17458bf..1628e2ca98623a8d38d1fd91cc2856eee406662e 100644 (file)
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -216,6 +216,13 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
                if (strcmp(xattr->name, XATTR_NAME_IMA) == 0)
                        is_ima = true;
 
+               /*
+                * Skip non-enabled xattrs for locally calculated
+                * signatures/HMACs.
+                */
+               if (type != EVM_XATTR_PORTABLE_DIGSIG && !xattr->enabled)
+                       continue;
+
                if ((req_xattr_name && req_xattr_value)
                    && !strcmp(xattr->name, req_xattr_name)) {
                        error = 0;

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 0196168aeb7d5eadc0d22639929461321ed89225..ee4e17a790fbab9430d658b5fee22ed70285ad50 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -34,24 +34,44 @@ static const char * const integrity_status_msg[] = {
 int evm_hmac_attrs;
 
 static struct xattr_list evm_config_default_xattrnames[] = {
+       {.name = XATTR_NAME_SELINUX,
 #ifdef CONFIG_SECURITY_SELINUX
-       {.name = XATTR_NAME_SELINUX},
+        .enabled = true
 #endif
+       },
+       {.name = XATTR_NAME_SMACK,
 #ifdef CONFIG_SECURITY_SMACK
-       {.name = XATTR_NAME_SMACK},
+        .enabled = true
+#endif
+       },
+       {.name = XATTR_NAME_SMACKEXEC,
+#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
+        .enabled = true
+#endif
+       },
+       {.name = XATTR_NAME_SMACKTRANSMUTE,
 #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
-       {.name = XATTR_NAME_SMACKEXEC},
-       {.name = XATTR_NAME_SMACKTRANSMUTE},
-       {.name = XATTR_NAME_SMACKMMAP},
+        .enabled = true
 #endif
+       },
+       {.name = XATTR_NAME_SMACKMMAP,
+#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
+        .enabled = true
 #endif
+       },
+       {.name = XATTR_NAME_APPARMOR,
 #ifdef CONFIG_SECURITY_APPARMOR
-       {.name = XATTR_NAME_APPARMOR},
+        .enabled = true
 #endif
+       },
+       {.name = XATTR_NAME_IMA,
 #ifdef CONFIG_IMA_APPRAISE
-       {.name = XATTR_NAME_IMA},
+        .enabled = true
 #endif
-       {.name = XATTR_NAME_CAPS},
+       },
+       {.name = XATTR_NAME_CAPS,
+        .enabled = true
+       },
 };
 
 LIST_HEAD(evm_config_xattrnames);
@@ -76,7 +96,9 @@ static void __init evm_init_config(void)
 
        pr_info("Initialising EVM extended attributes:\n");
        for (i = 0; i < xattrs; i++) {
-               pr_info("%s\n", evm_config_default_xattrnames[i].name);
+               pr_info("%s%s\n", evm_config_default_xattrnames[i].name,
+                       !evm_config_default_xattrnames[i].enabled ?
+                       " (disabled)" : "");
                list_add_tail(&evm_config_default_xattrnames[i].list,
                              &evm_config_xattrnames);
        }
@@ -257,7 +279,8 @@ out:
        return evm_status;
 }
 
-static int evm_protected_xattr(const char *req_xattr_name)
+static int evm_protected_xattr_common(const char *req_xattr_name,
+                                     bool all_xattrs)
 {
        int namelen;
        int found = 0;
@@ -265,6 +288,9 @@ static int evm_protected_xattr(const char *req_xattr_name)
 
        namelen = strlen(req_xattr_name);
        list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
+               if (!all_xattrs && !xattr->enabled)
+                       continue;
+
                if ((strlen(xattr->name) == namelen)
                    && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
                        found = 1;
@@ -281,6 +307,16 @@ static int evm_protected_xattr(const char *req_xattr_name)
        return found;
 }
 
+static int evm_protected_xattr(const char *req_xattr_name)
+{
+       return evm_protected_xattr_common(req_xattr_name, false);
+}
+
+int evm_protected_xattr_if_enabled(const char *req_xattr_name)
+{
+       return evm_protected_xattr_common(req_xattr_name, true);
+}
+
 /**
  * evm_verifyxattr - verify the integrity of the requested xattr
  * @dentry: object of the verify xattr

diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index 5f0da41bccd076edb595d4b4c719e9f869d40287..a99676eb7f4144dc809c42bc9c9f018815967b50 100644 (file)
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -139,8 +139,12 @@ static ssize_t evm_read_xattrs(struct file *filp, char __user *buf,
        if (rc)
                return -ERESTARTSYS;
 
-       list_for_each_entry(xattr, &evm_config_xattrnames, list)
+       list_for_each_entry(xattr, &evm_config_xattrnames, list) {
+               if (!xattr->enabled)
+                       continue;
+
                size += strlen(xattr->name) + 1;
+       }
 
        temp = kmalloc(size + 1, GFP_KERNEL);
        if (!temp) {
@@ -149,6 +153,9 @@ static ssize_t evm_read_xattrs(struct file *filp, char __user *buf,
        }
 
        list_for_each_entry(xattr, &evm_config_xattrnames, list) {
+               if (!xattr->enabled)
+                       continue;
+
                sprintf(temp + offset, "%s\n", xattr->name);
                offset += strlen(xattr->name) + 1;
        }
@@ -199,6 +206,7 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
                goto out;
        }
 
+       xattr->enabled = true;
        xattr->name = memdup_user_nul(buf, count);
        if (IS_ERR(xattr->name)) {
                err = PTR_ERR(xattr->name);
@@ -245,6 +253,10 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
        list_for_each_entry(tmp, &evm_config_xattrnames, list) {
                if (strcmp(xattr->name, tmp->name) == 0) {
                        err = -EEXIST;
+                       if (!tmp->enabled) {
+                               tmp->enabled = true;
+                               err = count;
+                       }
                        mutex_unlock(&xattr_list_mutex);
                        goto out;
                }
@@ -256,7 +268,7 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
        audit_log_end(ab);
        return count;
 out:
-       audit_log_format(ab, " res=%d", err);
+       audit_log_format(ab, " res=%d", (err < 0) ? err : 0);
        audit_log_end(ab);
        if (xattr) {
                kfree(xattr->name);