/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
 */
#ifndef _IPE_POLICY_H
#define _IPE_POLICY_H

#include <linux/list.h>
#include <linux/types.h>
#include <linux/fs.h>

/*
 * Operation a policy rule applies to.
 *
 * Values are contiguous from 0 so they can index
 * struct ipe_parsed_policy::rules[]; __IPE_OP_MAX is that array's bound and
 * is reused as IPE_OP_INVALID below.  Any enum ipe_op_type value that did not
 * originate in this header (e.g. one recovered from parsed policy text) must
 * be checked against __IPE_OP_MAX before it is used as an index.
 */
enum ipe_op_type {
	IPE_OP_EXEC = 0,
	IPE_OP_FIRMWARE,
	IPE_OP_KERNEL_MODULE,
	IPE_OP_KEXEC_IMAGE,
	IPE_OP_KEXEC_INITRAMFS,
	IPE_OP_POLICY,
	IPE_OP_X509,
	__IPE_OP_MAX,
};

/* Sentinel for an unrecognised operation; equals the array bound, never a valid index. */
#define IPE_OP_INVALID __IPE_OP_MAX

/* Verdict a rule or default yields; __IPE_ACTION_MAX is the sentinel bound. */
enum ipe_action_type {
	IPE_ACTION_ALLOW = 0,
	IPE_ACTION_DENY,
	__IPE_ACTION_MAX
};

/* Sentinel for an unrecognised action. */
#define IPE_ACTION_INVALID __IPE_ACTION_MAX

/*
 * Property a rule can test.  The _FALSE/_TRUE pairs appear to encode a
 * boolean property as two separate enumerators; DMV_ROOTHASH and FSV_DIGEST
 * presumably carry their operand in struct ipe_prop::value -- confirm
 * against the parser and evaluator.
 */
enum ipe_prop_type {
	IPE_PROP_BOOT_VERIFIED_FALSE,
	IPE_PROP_BOOT_VERIFIED_TRUE,
	IPE_PROP_DMV_ROOTHASH,
	IPE_PROP_DMV_SIG_FALSE,
	IPE_PROP_DMV_SIG_TRUE,
	IPE_PROP_FSV_DIGEST,
	IPE_PROP_FSV_SIG_FALSE,
	IPE_PROP_FSV_SIG_TRUE,
	__IPE_PROP_MAX
};

/* Sentinel for an unrecognised property. */
#define IPE_PROP_INVALID __IPE_PROP_MAX

/**
 * struct ipe_prop - one property clause of a rule.
 * @next: list linkage (presumably into struct ipe_rule::props).
 * @type: which property this clause tests.
 * @value: untyped operand; its meaning and ownership depend on @type and are
 *         not defined in this header.
 */
struct ipe_prop {
	struct list_head next;
	enum ipe_prop_type type;
	void *value;
};

/**
 * struct ipe_rule - a single policy rule.
 * @op: operation the rule applies to.
 * @action: verdict when the rule matches.
 * @props: list of struct ipe_prop clauses.
 * @next: list linkage (presumably into struct ipe_op_table::rules).
 */
struct ipe_rule {
	enum ipe_op_type op;
	enum ipe_action_type action;
	struct list_head props;
	struct list_head next;
};

/**
 * struct ipe_op_table - rules and fallback verdict for one operation.
 * @rules: list of struct ipe_rule for this operation.
 * @default_action: verdict when no rule in @rules applies.
 */
struct ipe_op_table {
	struct list_head rules;
	enum ipe_action_type default_action;
};

/**
 * struct ipe_parsed_policy - in-memory form of a parsed policy.
 * @name: policy name.
 * @version: major/minor/rev triple of the policy.
 * @global_default_action: verdict used when an operation's own table does
 *                         not decide (exact precedence is defined by the
 *                         evaluator, not here).
 * @rules: one table per operation, indexed by enum ipe_op_type; the array has
 *         exactly __IPE_OP_MAX entries, so IPE_OP_INVALID is out of bounds.
 */
struct ipe_parsed_policy {
	const char *name;
	struct {
		u16 major;
		u16 minor;
		u16 rev;
	} version;

	enum ipe_action_type global_default_action;

	struct ipe_op_table rules[__IPE_OP_MAX];
};

/**
 * struct ipe_policy - a policy as loaded, with both raw and parsed forms.
 * @pkcs7: raw signature blob (presumably PKCS#7) covering the policy, with
 *         length @pkcs7len; not guaranteed to be NUL-terminated.
 * @pkcs7len: length of @pkcs7 in bytes.
 * @text: policy text, @textlen bytes; not guaranteed to be NUL-terminated.
 * @textlen: length of @text in bytes.
 * @parsed: parsed representation of @text.
 * @policyfs: dentry for this policy's filesystem node (presumably securityfs).
 */
struct ipe_policy {
	const char *pkcs7;
	size_t pkcs7len;

	const char *text;
	size_t textlen;

	struct ipe_parsed_policy *parsed;

	struct dentry *policyfs;
};

/*
 * ipe_new_policy() builds a policy from @text/@textlen and the signature
 * @pkcs7/@pkcs7len; the returned object is presumably released with
 * ipe_free_policy().  Return-value conventions (NULL vs ERR_PTR) are not
 * visible here.
 */
struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
				  const char *pkcs7, size_t pkcs7len);
void ipe_free_policy(struct ipe_policy *pol);
/*
 * ipe_update_policy() replaces the policy rooted at @root with new text and
 * signature; ipe_set_active_pol() makes @p the enforced policy.  Both return
 * int, presumably 0 on success and a negative errno on failure.
 */
int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
		      const char *pkcs7, size_t pkcs7len);
int ipe_set_active_pol(const struct ipe_policy *p);
/* Defined in a .c file; which operations it serialises is not stated here. */
extern struct mutex ipe_policy_lock;

#endif /* _IPE_POLICY_H */