security/ipe/fs.c at v6.16-rc5

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / security / ipe / fs.c
at v6.16-rc5 256 lines 6.0 kB view raw
wrap content
  1// SPDX-License-Identifier: GPL-2.0
  2/*
  3 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
  4 */
  5
  6#include <linux/dcache.h>
  7#include <linux/security.h>
  8
  9#include "ipe.h"
 10#include "fs.h"
 11#include "eval.h"
 12#include "policy.h"
 13#include "audit.h"
 14
 15static struct dentry *np __ro_after_init;
 16static struct dentry *root __ro_after_init;
 17struct dentry *policy_root __ro_after_init;
 18static struct dentry *audit_node __ro_after_init;
 19static struct dentry *enforce_node __ro_after_init;
 20
 21/**
 22 * setaudit() - Write handler for the securityfs node, "ipe/success_audit"
 23 * @f: Supplies a file structure representing the securityfs node.
 24 * @data: Supplies a buffer passed to the write syscall.
 25 * @len: Supplies the length of @data.
 26 * @offset: unused.
 27 *
 28 * Return:
 29 * * Length of buffer written	- Success
 30 * * %-EPERM			- Insufficient permission
 31 */
 32static ssize_t setaudit(struct file *f, const char __user *data,
 33			size_t len, loff_t *offset)
 34{
 35	int rc = 0;
 36	bool value;
 37
 38	if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
 39		return -EPERM;
 40
 41	rc = kstrtobool_from_user(data, len, &value);
 42	if (rc)
 43		return rc;
 44
 45	WRITE_ONCE(success_audit, value);
 46
 47	return len;
 48}
 49
 50/**
 51 * getaudit() - Read handler for the securityfs node, "ipe/success_audit"
 52 * @f: Supplies a file structure representing the securityfs node.
 53 * @data: Supplies a buffer passed to the read syscall.
 54 * @len: Supplies the length of @data.
 55 * @offset: unused.
 56 *
 57 * Return: Length of buffer written
 58 */
 59static ssize_t getaudit(struct file *f, char __user *data,
 60			size_t len, loff_t *offset)
 61{
 62	const char *result;
 63
 64	result = ((READ_ONCE(success_audit)) ? "1" : "0");
 65
 66	return simple_read_from_buffer(data, len, offset, result, 1);
 67}
 68
 69/**
 70 * setenforce() - Write handler for the securityfs node, "ipe/enforce"
 71 * @f: Supplies a file structure representing the securityfs node.
 72 * @data: Supplies a buffer passed to the write syscall.
 73 * @len: Supplies the length of @data.
 74 * @offset: unused.
 75 *
 76 * Return:
 77 * * Length of buffer written	- Success
 78 * * %-EPERM			- Insufficient permission
 79 */
 80static ssize_t setenforce(struct file *f, const char __user *data,
 81			  size_t len, loff_t *offset)
 82{
 83	int rc = 0;
 84	bool new_value, old_value;
 85
 86	if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
 87		return -EPERM;
 88
 89	old_value = READ_ONCE(enforce);
 90	rc = kstrtobool_from_user(data, len, &new_value);
 91	if (rc)
 92		return rc;
 93
 94	if (new_value != old_value) {
 95		ipe_audit_enforce(new_value, old_value);
 96		WRITE_ONCE(enforce, new_value);
 97	}
 98
 99	return len;
100}
101
102/**
103 * getenforce() - Read handler for the securityfs node, "ipe/enforce"
104 * @f: Supplies a file structure representing the securityfs node.
105 * @data: Supplies a buffer passed to the read syscall.
106 * @len: Supplies the length of @data.
107 * @offset: unused.
108 *
109 * Return: Length of buffer written
110 */
111static ssize_t getenforce(struct file *f, char __user *data,
112			  size_t len, loff_t *offset)
113{
114	const char *result;
115
116	result = ((READ_ONCE(enforce)) ? "1" : "0");
117
118	return simple_read_from_buffer(data, len, offset, result, 1);
119}
120
121/**
122 * new_policy() - Write handler for the securityfs node, "ipe/new_policy".
123 * @f: Supplies a file structure representing the securityfs node.
124 * @data: Supplies a buffer passed to the write syscall.
125 * @len: Supplies the length of @data.
126 * @offset: unused.
127 *
128 * Return:
129 * * Length of buffer written	- Success
130 * * %-EPERM			- Insufficient permission
131 * * %-ENOMEM			- Out of memory (OOM)
132 * * %-EBADMSG			- Policy is invalid
133 * * %-ERANGE			- Policy version number overflow
134 * * %-EINVAL			- Policy version parsing error
135 * * %-EEXIST			- Same name policy already deployed
136 * * %-ENOKEY			- Policy signing key not found
137 * * %-EKEYREJECTED		- Policy signature verification failed
138 */
139static ssize_t new_policy(struct file *f, const char __user *data,
140			  size_t len, loff_t *offset)
141{
142	struct ipe_policy *p = NULL;
143	char *copy = NULL;
144	int rc = 0;
145
146	if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) {
147		rc = -EPERM;
148		goto out;
149	}
150
151	copy = memdup_user_nul(data, len);
152	if (IS_ERR(copy)) {
153		rc = PTR_ERR(copy);
154		copy = NULL;
155		goto out;
156	}
157
158	p = ipe_new_policy(NULL, 0, copy, len);
159	if (IS_ERR(p)) {
160		rc = PTR_ERR(p);
161		goto out;
162	}
163
164	rc = ipe_new_policyfs_node(p);
165	if (rc)
166		goto out;
167
168out:
169	kfree(copy);
170	if (rc < 0) {
171		ipe_free_policy(p);
172		ipe_audit_policy_load(ERR_PTR(rc));
173	} else {
174		ipe_audit_policy_load(p);
175	}
176	return (rc < 0) ? rc : len;
177}
178
179static const struct file_operations np_fops = {
180	.write = new_policy,
181};
182
183static const struct file_operations audit_fops = {
184	.write = setaudit,
185	.read = getaudit,
186};
187
188static const struct file_operations enforce_fops = {
189	.write = setenforce,
190	.read = getenforce,
191};
192
193/**
194 * ipe_init_securityfs() - Initialize IPE's securityfs tree at fsinit.
195 *
196 * Return: %0 on success. If an error occurs, the function will return
197 * the -errno.
198 */
199static int __init ipe_init_securityfs(void)
200{
201	int rc = 0;
202	struct ipe_policy *ap;
203
204	if (!ipe_enabled)
205		return -EOPNOTSUPP;
206
207	root = securityfs_create_dir("ipe", NULL);
208	if (IS_ERR(root)) {
209		rc = PTR_ERR(root);
210		goto err;
211	}
212
213	audit_node = securityfs_create_file("success_audit", 0600, root,
214					    NULL, &audit_fops);
215	if (IS_ERR(audit_node)) {
216		rc = PTR_ERR(audit_node);
217		goto err;
218	}
219
220	enforce_node = securityfs_create_file("enforce", 0600, root, NULL,
221					      &enforce_fops);
222	if (IS_ERR(enforce_node)) {
223		rc = PTR_ERR(enforce_node);
224		goto err;
225	}
226
227	policy_root = securityfs_create_dir("policies", root);
228	if (IS_ERR(policy_root)) {
229		rc = PTR_ERR(policy_root);
230		goto err;
231	}
232
233	ap = rcu_access_pointer(ipe_active_policy);
234	if (ap) {
235		rc = ipe_new_policyfs_node(ap);
236		if (rc)
237			goto err;
238	}
239
240	np = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops);
241	if (IS_ERR(np)) {
242		rc = PTR_ERR(np);
243		goto err;
244	}
245
246	return 0;
247err:
248	securityfs_remove(np);
249	securityfs_remove(policy_root);
250	securityfs_remove(enforce_node);
251	securityfs_remove(audit_node);
252	securityfs_remove(root);
253	return rc;
254}
255
256fs_initcall(ipe_init_securityfs);
Configure Feed

Configure Feed
