Merge tag 'lsm-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

+1

Documentation/admin-guide/LSM/index.rst

··· 47 47 tomoyo 48 48 Yama 49 49 SafeSetID 50 + ipe

+790

Documentation/admin-guide/LSM/ipe.rst

··· 1 + .. SPDX-License-Identifier: GPL-2.0 2 + 3 + Integrity Policy Enforcement (IPE) 4 + ================================== 5 + 6 + .. NOTE:: 7 + 8 + This is the documentation for admins, system builders, or individuals 9 + attempting to use IPE. If you're looking for more developer-focused 10 + documentation about IPE please see :doc:`the design docs </security/ipe>`. 11 + 12 + Overview 13 + -------- 14 + 15 + Integrity Policy Enforcement (IPE) is a Linux Security Module that takes a 16 + complementary approach to access control. Unlike traditional access control 17 + mechanisms that rely on labels and paths for decision-making, IPE focuses 18 + on the immutable security properties inherent to system components. These 19 + properties are fundamental attributes or features of a system component 20 + that cannot be altered, ensuring a consistent and reliable basis for 21 + security decisions. 22 + 23 + To elaborate, in the context of IPE, system components primarily refer to 24 + files or the devices these files reside on. However, this is just a 25 + starting point. The concept of system components is flexible and can be 26 + extended to include new elements as the system evolves. The immutable 27 + properties include the origin of a file, which remains constant and 28 + unchangeable over time. For example, IPE policies can be crafted to trust 29 + files originating from the initramfs. Since initramfs is typically verified 30 + by the bootloader, its files are deemed trustworthy; "file is from 31 + initramfs" becomes an immutable property under IPE's consideration. 32 + 33 + The immutable property concept extends to the security features enabled on 34 + a file's origin, such as dm-verity or fs-verity, which provide a layer of 35 + integrity and trust. For example, IPE allows the definition of policies 36 + that trust files from a dm-verity protected device. dm-verity ensures the 37 + integrity of an entire device by providing a verifiable and immutable state 38 + of its contents. Similarly, fs-verity offers filesystem-level integrity 39 + checks, allowing IPE to enforce policies that trust files protected by 40 + fs-verity. These two features cannot be turned off once established, so 41 + they are considered immutable properties. These examples demonstrate how 42 + IPE leverages immutable properties, such as a file's origin and its 43 + integrity protection mechanisms, to make access control decisions. 44 + 45 + For the IPE policy, specifically, it grants the ability to enforce 46 + stringent access controls by assessing security properties against 47 + reference values defined within the policy. This assessment can be based on 48 + the existence of a security property (e.g., verifying if a file originates 49 + from initramfs) or evaluating the internal state of an immutable security 50 + property. The latter includes checking the roothash of a dm-verity 51 + protected device, determining whether dm-verity possesses a valid 52 + signature, assessing the digest of a fs-verity protected file, or 53 + determining whether fs-verity possesses a valid built-in signature. This 54 + nuanced approach to policy enforcement enables a highly secure and 55 + customizable system defense mechanism, tailored to specific security 56 + requirements and trust models. 57 + 58 + To enable IPE, ensure that ``CONFIG_SECURITY_IPE`` (under 59 + :menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config 60 + option is enabled. 61 + 62 + Use Cases 63 + --------- 64 + 65 + IPE works best in fixed-function devices: devices in which their purpose 66 + is clearly defined and not supposed to be changed (e.g. network firewall 67 + device in a data center, an IoT device, etcetera), where all software and 68 + configuration is built and provisioned by the system owner. 69 + 70 + IPE is a long-way off for use in general-purpose computing: the Linux 71 + community as a whole tends to follow a decentralized trust model (known as 72 + the web of trust), which IPE has no support for it yet. Instead, IPE 73 + supports PKI (public key infrastructure), which generally designates a 74 + set of trusted entities that provide a measure of absolute trust. 75 + 76 + Additionally, while most packages are signed today, the files inside 77 + the packages (for instance, the executables), tend to be unsigned. This 78 + makes it difficult to utilize IPE in systems where a package manager is 79 + expected to be functional, without major changes to the package manager 80 + and ecosystem behind it. 81 + 82 + The digest_cache LSM [#digest_cache_lsm]_ is a system that when combined with IPE, 83 + could be used to enable and support general-purpose computing use cases. 84 + 85 + Known Limitations 86 + ----------------- 87 + 88 + IPE cannot verify the integrity of anonymous executable memory, such as 89 + the trampolines created by gcc closures and libffi (<3.4.2), or JIT'd code. 90 + Unfortunately, as this is dynamically generated code, there is no way 91 + for IPE to ensure the integrity of this code to form a trust basis. 92 + 93 + IPE cannot verify the integrity of programs written in interpreted 94 + languages when these scripts are invoked by passing these program files 95 + to the interpreter. This is because the way interpreters execute these 96 + files; the scripts themselves are not evaluated as executable code 97 + through one of IPE's hooks, but they are merely text files that are read 98 + (as opposed to compiled executables) [#interpreters]_. 99 + 100 + Threat Model 101 + ------------ 102 + 103 + IPE specifically targets the risk of tampering with user-space executable 104 + code after the kernel has initially booted, including the kernel modules 105 + loaded from userspace via ``modprobe`` or ``insmod``. 106 + 107 + To illustrate, consider a scenario where an untrusted binary, possibly 108 + malicious, is downloaded along with all necessary dependencies, including a 109 + loader and libc. The primary function of IPE in this context is to prevent 110 + the execution of such binaries and their dependencies. 111 + 112 + IPE achieves this by verifying the integrity and authenticity of all 113 + executable code before allowing them to run. It conducts a thorough 114 + check to ensure that the code's integrity is intact and that they match an 115 + authorized reference value (digest, signature, etc) as per the defined 116 + policy. If a binary does not pass this verification process, either 117 + because its integrity has been compromised or it does not meet the 118 + authorization criteria, IPE will deny its execution. Additionally, IPE 119 + generates audit logs which may be utilized to detect and analyze failures 120 + resulting from policy violation. 121 + 122 + Tampering threat scenarios include modification or replacement of 123 + executable code by a range of actors including: 124 + 125 + - Actors with physical access to the hardware 126 + - Actors with local network access to the system 127 + - Actors with access to the deployment system 128 + - Compromised internal systems under external control 129 + - Malicious end users of the system 130 + - Compromised end users of the system 131 + - Remote (external) compromise of the system 132 + 133 + IPE does not mitigate threats arising from malicious but authorized 134 + developers (with access to a signing certificate), or compromised 135 + developer tools used by them (i.e. return-oriented programming attacks). 136 + Additionally, IPE draws hard security boundary between userspace and 137 + kernelspace. As a result, kernel-level exploits are considered outside 138 + the scope of IPE and mitigation is left to other mechanisms. 139 + 140 + Policy 141 + ------ 142 + 143 + IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements 144 + over several lines. There is one required line, at the top of the 145 + policy, indicating the policy name, and the policy version, for 146 + instance:: 147 + 148 + policy_name=Ex_Policy policy_version=0.0.0 149 + 150 + The policy name is a unique key identifying this policy in a human 151 + readable name. This is used to create nodes under securityfs as well as 152 + uniquely identify policies to deploy new policies vs update existing 153 + policies. 154 + 155 + The policy version indicates the current version of the policy (NOT the 156 + policy syntax version). This is used to prevent rollback of policy to 157 + potentially insecure previous versions of the policy. 158 + 159 + The next portion of IPE policy are rules. Rules are formed by key=value 160 + pairs, known as properties. IPE rules require two properties: ``action``, 161 + which determines what IPE does when it encounters a match against the 162 + rule, and ``op``, which determines when the rule should be evaluated. 163 + The ordering is significant, a rule must start with ``op``, and end with 164 + ``action``. Thus, a minimal rule is:: 165 + 166 + op=EXECUTE action=ALLOW 167 + 168 + This example will allow any execution. Additional properties are used to 169 + assess immutable security properties about the files being evaluated. 170 + These properties are intended to be descriptions of systems within the 171 + kernel that can provide a measure of integrity verification, such that IPE 172 + can determine the trust of the resource based on the value of the property. 173 + 174 + Rules are evaluated top-to-bottom. As a result, any revocation rules, 175 + or denies should be placed early in the file to ensure that these rules 176 + are evaluated before a rule with ``action=ALLOW``. 177 + 178 + IPE policy supports comments. The character '#' will function as a 179 + comment, ignoring all characters to the right of '#' until the newline. 180 + 181 + The default behavior of IPE evaluations can also be expressed in policy, 182 + through the ``DEFAULT`` statement. This can be done at a global level, 183 + or a per-operation level:: 184 + 185 + # Global 186 + DEFAULT action=ALLOW 187 + 188 + # Operation Specific 189 + DEFAULT op=EXECUTE action=ALLOW 190 + 191 + A default must be set for all known operations in IPE. If you want to 192 + preserve older policies being compatible with newer kernels that can introduce 193 + new operations, set a global default of ``ALLOW``, then override the 194 + defaults on a per-operation basis (as above). 195 + 196 + With configurable policy-based LSMs, there's several issues with 197 + enforcing the configurable policies at startup, around reading and 198 + parsing the policy: 199 + 200 + 1. The kernel *should* not read files from userspace, so directly reading 201 + the policy file is prohibited. 202 + 2. The kernel command line has a character limit, and one kernel module 203 + should not reserve the entire character limit for its own 204 + configuration. 205 + 3. There are various boot loaders in the kernel ecosystem, so handing 206 + off a memory block would be costly to maintain. 207 + 208 + As a result, IPE has addressed this problem through a concept of a "boot 209 + policy". A boot policy is a minimal policy which is compiled into the 210 + kernel. This policy is intended to get the system to a state where 211 + userspace is set up and ready to receive commands, at which point a more 212 + complex policy can be deployed via securityfs. The boot policy can be 213 + specified via ``SECURITY_IPE_BOOT_POLICY`` config option, which accepts 214 + a path to a plain-text version of the IPE policy to apply. This policy 215 + will be compiled into the kernel. If not specified, IPE will be disabled 216 + until a policy is deployed and activated through securityfs. 217 + 218 + Deploying Policies 219 + ~~~~~~~~~~~~~~~~~~ 220 + 221 + Policies can be deployed from userspace through securityfs. These policies 222 + are signed through the PKCS#7 message format to enforce some level of 223 + authorization of the policies (prohibiting an attacker from gaining 224 + unconstrained root, and deploying an "allow all" policy). These 225 + policies must be signed by a certificate that chains to the 226 + ``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by:: 227 + 228 + openssl smime -sign \ 229 + -in "$MY_POLICY" \ 230 + -signer "$MY_CERTIFICATE" \ 231 + -inkey "$MY_PRIVATE_KEY" \ 232 + -noattr \ 233 + -nodetach \ 234 + -nosmimecap \ 235 + -outform der \ 236 + -out "$MY_POLICY.p7b" 237 + 238 + Deploying the policies is done through securityfs, through the 239 + ``new_policy`` node. To deploy a policy, simply cat the file into the 240 + securityfs node:: 241 + 242 + cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy 243 + 244 + Upon success, this will create one subdirectory under 245 + ``/sys/kernel/security/ipe/policies/``. The subdirectory will be the 246 + ``policy_name`` field of the policy deployed, so for the example above, 247 + the directory will be ``/sys/kernel/security/ipe/policies/Ex_Policy``. 248 + Within this directory, there will be seven files: ``pkcs7``, ``policy``, 249 + ``name``, ``version``, ``active``, ``update``, and ``delete``. 250 + 251 + The ``pkcs7`` file is read-only. Reading it returns the raw PKCS#7 data 252 + that was provided to the kernel, representing the policy. If the policy being 253 + read is the boot policy, this will return ``ENOENT``, as it is not signed. 254 + 255 + The ``policy`` file is read only. Reading it returns the PKCS#7 inner 256 + content of the policy, which will be the plain text policy. 257 + 258 + The ``active`` file is used to set a policy as the currently active policy. 259 + This file is rw, and accepts a value of ``"1"`` to set the policy as active. 260 + Since only a single policy can be active at one time, all other policies 261 + will be marked inactive. The policy being marked active must have a policy 262 + version greater or equal to the currently-running version. 263 + 264 + The ``update`` file is used to update a policy that is already present 265 + in the kernel. This file is write-only and accepts a PKCS#7 signed 266 + policy. Two checks will always be performed on this policy: First, the 267 + ``policy_names`` must match with the updated version and the existing 268 + version. Second the updated policy must have a policy version greater than 269 + or equal to the currently-running version. This is to prevent rollback attacks. 270 + 271 + The ``delete`` file is used to remove a policy that is no longer needed. 272 + This file is write-only and accepts a value of ``1`` to delete the policy. 273 + On deletion, the securityfs node representing the policy will be removed. 274 + However, delete the current active policy is not allowed and will return 275 + an operation not permitted error. 276 + 277 + Similarly, writing to both ``update`` and ``new_policy`` could result in 278 + bad message(policy syntax error) or file exists error. The latter error happens 279 + when trying to deploy a policy with a ``policy_name`` while the kernel already 280 + has a deployed policy with the same ``policy_name``. 281 + 282 + Deploying a policy will *not* cause IPE to start enforcing the policy. IPE will 283 + only enforce the policy marked active. Note that only one policy can be active 284 + at a time. 285 + 286 + Once deployment is successful, the policy can be activated, by writing file 287 + ``/sys/kernel/security/ipe/policies/$policy_name/active``. 288 + For example, the ``Ex_Policy`` can be activated by:: 289 + 290 + echo 1 > "/sys/kernel/security/ipe/policies/Ex_Policy/active" 291 + 292 + From above point on, ``Ex_Policy`` is now the enforced policy on the 293 + system. 294 + 295 + IPE also provides a way to delete policies. This can be done via the 296 + ``delete`` securityfs node, 297 + ``/sys/kernel/security/ipe/policies/$policy_name/delete``. 298 + Writing ``1`` to that file deletes the policy:: 299 + 300 + echo 1 > "/sys/kernel/security/ipe/policies/$policy_name/delete" 301 + 302 + There is only one requirement to delete a policy: the policy being deleted 303 + must be inactive. 304 + 305 + .. NOTE:: 306 + 307 + If a traditional MAC system is enabled (SELinux, apparmor, smack), all 308 + writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. 309 + 310 + Modes 311 + ~~~~~ 312 + 313 + IPE supports two modes of operation: permissive (similar to SELinux's 314 + permissive mode) and enforced. In permissive mode, all events are 315 + checked and policy violations are logged, but the policy is not really 316 + enforced. This allows users to test policies before enforcing them. 317 + 318 + The default mode is enforce, and can be changed via the kernel command 319 + line parameter ``ipe.enforce=(0|1)``, or the securityfs node 320 + ``/sys/kernel/security/ipe/enforce``. 321 + 322 + .. NOTE:: 323 + 324 + If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera), 325 + all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. 326 + 327 + Audit Events 328 + ~~~~~~~~~~~~ 329 + 330 + 1420 AUDIT_IPE_ACCESS 331 + ^^^^^^^^^^^^^^^^^^^^^ 332 + Event Examples:: 333 + 334 + type=1420 audit(1653364370.067:61): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2241 comm="ld-linux.so" path="/deny/lib/libc.so.6" dev="sda2" ino=14549020 rule="DEFAULT action=DENY" 335 + type=1300 audit(1653364370.067:61): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=7f1105a28000 a1=195000 a2=5 a3=812 items=0 ppid=2219 pid=2241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ld-linux.so" exe="/tmp/ipe-test/lib/ld-linux.so" subj=unconfined key=(null) 336 + type=1327 audit(1653364370.067:61): 707974686F6E3300746573742F6D61696E2E7079002D6E00 337 + 338 + type=1420 audit(1653364735.161:64): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2472 comm="mmap_test" path=? dev=? ino=? rule="DEFAULT action=DENY" 339 + type=1300 audit(1653364735.161:64): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=4 a3=21 items=0 ppid=2219 pid=2472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mmap_test" exe="/root/overlake_test/upstream_test/vol_fsverity/bin/mmap_test" subj=unconfined key=(null) 340 + type=1327 audit(1653364735.161:64): 707974686F6E3300746573742F6D61696E2E7079002D6E00 341 + 342 + This event indicates that IPE made an access control decision; the IPE 343 + specific record (1420) is always emitted in conjunction with a 344 + ``AUDITSYSCALL`` record. 345 + 346 + Determining whether IPE is in permissive or enforced mode can be derived 347 + from ``success`` property and exit code of the ``AUDITSYSCALL`` record. 348 + 349 + 350 + Field descriptions: 351 + 352 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 353 + | Field | Value Type | Optional? | Description of Value | 354 + +===========+============+===========+=================================================================================+ 355 + | ipe_op | string | No | The IPE operation name associated with the log | 356 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 357 + | ipe_hook | string | No | The name of the LSM hook that triggered the IPE event | 358 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 359 + | enforcing | integer | No | The current IPE enforcing state 1 is in enforcing mode, 0 is in permissive mode | 360 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 361 + | pid | integer | No | The pid of the process that triggered the IPE event. | 362 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 363 + | comm | string | No | The command line program name of the process that triggered the IPE event | 364 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 365 + | path | string | Yes | The absolute path to the evaluated file | 366 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 367 + | ino | integer | Yes | The inode number of the evaluated file | 368 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 369 + | dev | string | Yes | The device name of the evaluated file, e.g. vda | 370 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 371 + | rule | string | No | The matched policy rule | 372 + +-----------+------------+-----------+---------------------------------------------------------------------------------+ 373 + 374 + 1421 AUDIT_IPE_CONFIG_CHANGE 375 + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 376 + 377 + Event Example:: 378 + 379 + type=1421 audit(1653425583.136:54): old_active_pol_name="Allow_All" old_active_pol_version=0.0.0 old_policy_digest=sha256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 new_active_pol_name="boot_verified" new_active_pol_version=0.0.0 new_policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1 380 + type=1300 audit(1653425583.136:54): SYSCALL arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=5596fcae1fb0 a2=2 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null) 381 + type=1327 audit(1653425583.136:54): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2 382 + 383 + This event indicates that IPE switched the active poliy from one to another 384 + along with the version and the hash digest of the two policies. 385 + Note IPE can only have one policy active at a time, all access decision 386 + evaluation is based on the current active policy. 387 + The normal procedure to deploy a new policy is loading the policy to deploy 388 + into the kernel first, then switch the active policy to it. 389 + 390 + This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. 391 + 392 + Field descriptions: 393 + 394 + +------------------------+------------+-----------+---------------------------------------------------+ 395 + | Field | Value Type | Optional? | Description of Value | 396 + +========================+============+===========+===================================================+ 397 + | old_active_pol_name | string | Yes | The name of previous active policy | 398 + +------------------------+------------+-----------+---------------------------------------------------+ 399 + | old_active_pol_version | string | Yes | The version of previous active policy | 400 + +------------------------+------------+-----------+---------------------------------------------------+ 401 + | old_policy_digest | string | Yes | The hash of previous active policy | 402 + +------------------------+------------+-----------+---------------------------------------------------+ 403 + | new_active_pol_name | string | No | The name of current active policy | 404 + +------------------------+------------+-----------+---------------------------------------------------+ 405 + | new_active_pol_version | string | No | The version of current active policy | 406 + +------------------------+------------+-----------+---------------------------------------------------+ 407 + | new_policy_digest | string | No | The hash of current active policy | 408 + +------------------------+------------+-----------+---------------------------------------------------+ 409 + | auid | integer | No | The login user ID | 410 + +------------------------+------------+-----------+---------------------------------------------------+ 411 + | ses | integer | No | The login session ID | 412 + +------------------------+------------+-----------+---------------------------------------------------+ 413 + | lsm | string | No | The lsm name associated with the event | 414 + +------------------------+------------+-----------+---------------------------------------------------+ 415 + | res | integer | No | The result of the audited operation(success/fail) | 416 + +------------------------+------------+-----------+---------------------------------------------------+ 417 + 418 + 1422 AUDIT_IPE_POLICY_LOAD 419 + ^^^^^^^^^^^^^^^^^^^^^^^^^^ 420 + 421 + Event Example:: 422 + 423 + type=1422 audit(1653425529.927:53): policy_name="boot_verified" policy_version=0.0.0 policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1 424 + type=1300 audit(1653425529.927:53): arch=c000003e syscall=1 success=yes exit=2567 a0=3 a1=5596fcae1fb0 a2=a07 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null) 425 + type=1327 audit(1653425529.927:53): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2E 426 + 427 + This record indicates a new policy has been loaded into the kernel with the policy name, policy version and policy hash. 428 + 429 + This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. 430 + 431 + Field descriptions: 432 + 433 + +----------------+------------+-----------+---------------------------------------------------+ 434 + | Field | Value Type | Optional? | Description of Value | 435 + +================+============+===========+===================================================+ 436 + | policy_name | string | No | The policy_name | 437 + +----------------+------------+-----------+---------------------------------------------------+ 438 + | policy_version | string | No | The policy_version | 439 + +----------------+------------+-----------+---------------------------------------------------+ 440 + | policy_digest | string | No | The policy hash | 441 + +----------------+------------+-----------+---------------------------------------------------+ 442 + | auid | integer | No | The login user ID | 443 + +----------------+------------+-----------+---------------------------------------------------+ 444 + | ses | integer | No | The login session ID | 445 + +----------------+------------+-----------+---------------------------------------------------+ 446 + | lsm | string | No | The lsm name associated with the event | 447 + +----------------+------------+-----------+---------------------------------------------------+ 448 + | res | integer | No | The result of the audited operation(success/fail) | 449 + +----------------+------------+-----------+---------------------------------------------------+ 450 + 451 + 452 + 1404 AUDIT_MAC_STATUS 453 + ^^^^^^^^^^^^^^^^^^^^^ 454 + 455 + Event Examples:: 456 + 457 + type=1404 audit(1653425689.008:55): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1 458 + type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) 459 + type=1327 audit(1653425689.008:55): proctitle="-bash" 460 + 461 + type=1404 audit(1653425689.008:55): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1 462 + type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) 463 + type=1327 audit(1653425689.008:55): proctitle="-bash" 464 + 465 + This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. 466 + 467 + Field descriptions: 468 + 469 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 470 + | Field | Value Type | Optional? | Description of Value | 471 + +===============+============+===========+=================================================================================================+ 472 + | enforcing | integer | No | The enforcing state IPE is being switched to, 1 is in enforcing mode, 0 is in permissive mode | 473 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 474 + | old_enforcing | integer | No | The enforcing state IPE is being switched from, 1 is in enforcing mode, 0 is in permissive mode | 475 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 476 + | auid | integer | No | The login user ID | 477 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 478 + | ses | integer | No | The login session ID | 479 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 480 + | enabled | integer | No | The new TTY audit enabled setting | 481 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 482 + | old-enabled | integer | No | The old TTY audit enabled setting | 483 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 484 + | lsm | string | No | The lsm name associated with the event | 485 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 486 + | res | integer | No | The result of the audited operation(success/fail) | 487 + +---------------+------------+-----------+-------------------------------------------------------------------------------------------------+ 488 + 489 + 490 + Success Auditing 491 + ^^^^^^^^^^^^^^^^ 492 + 493 + IPE supports success auditing. When enabled, all events that pass IPE 494 + policy and are not blocked will emit an audit event. This is disabled by 495 + default, and can be enabled via the kernel command line 496 + ``ipe.success_audit=(0|1)`` or 497 + ``/sys/kernel/security/ipe/success_audit`` securityfs file. 498 + 499 + This is *very* noisy, as IPE will check every userspace binary on the 500 + system, but is useful for debugging policies. 501 + 502 + .. NOTE:: 503 + 504 + If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera), 505 + all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. 506 + 507 + Properties 508 + ---------- 509 + 510 + As explained above, IPE properties are ``key=value`` pairs expressed in IPE 511 + policy. Two properties are built-into the policy parser: 'op' and 'action'. 512 + The other properties are used to restrict immutable security properties 513 + about the files being evaluated. Currently those properties are: 514 + '``boot_verified``', '``dmverity_signature``', '``dmverity_roothash``', 515 + '``fsverity_signature``', '``fsverity_digest``'. A description of all 516 + properties supported by IPE are listed below: 517 + 518 + op 519 + ~~ 520 + 521 + Indicates the operation for a rule to apply to. Must be in every rule, 522 + as the first token. IPE supports the following operations: 523 + 524 + ``EXECUTE`` 525 + 526 + Pertains to any file attempting to be executed, or loaded as an 527 + executable. 528 + 529 + ``FIRMWARE``: 530 + 531 + Pertains to firmware being loaded via the firmware_class interface. 532 + This covers both the preallocated buffer and the firmware file 533 + itself. 534 + 535 + ``KMODULE``: 536 + 537 + Pertains to loading kernel modules via ``modprobe`` or ``insmod``. 538 + 539 + ``KEXEC_IMAGE``: 540 + 541 + Pertains to kernel images loading via ``kexec``. 542 + 543 + ``KEXEC_INITRAMFS`` 544 + 545 + Pertains to initrd images loading via ``kexec --initrd``. 546 + 547 + ``POLICY``: 548 + 549 + Controls loading policies via reading a kernel-space initiated read. 550 + 551 + An example of such is loading IMA policies by writing the path 552 + to the policy file to ``$securityfs/ima/policy`` 553 + 554 + ``X509_CERT``: 555 + 556 + Controls loading IMA certificates through the Kconfigs, 557 + ``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``. 558 + 559 + action 560 + ~~~~~~ 561 + 562 + Determines what IPE should do when a rule matches. Must be in every 563 + rule, as the final clause. Can be one of: 564 + 565 + ``ALLOW``: 566 + 567 + If the rule matches, explicitly allow access to the resource to proceed 568 + without executing any more rules. 569 + 570 + ``DENY``: 571 + 572 + If the rule matches, explicitly prohibit access to the resource to 573 + proceed without executing any more rules. 574 + 575 + boot_verified 576 + ~~~~~~~~~~~~~ 577 + 578 + This property can be utilized for authorization of files from initramfs. 579 + The format of this property is:: 580 + 581 + boot_verified=(TRUE|FALSE) 582 + 583 + 584 + .. WARNING:: 585 + 586 + This property will trust files from initramfs(rootfs). It should 587 + only be used during early booting stage. Before mounting the real 588 + rootfs on top of the initramfs, initramfs script will recursively 589 + remove all files and directories on the initramfs. This is typically 590 + implemented by using switch_root(8) [#switch_root]_. Therefore the 591 + initramfs will be empty and not accessible after the real 592 + rootfs takes over. It is advised to switch to a different policy 593 + that doesn't rely on the property after this point. 594 + This ensures that the trust policies remain relevant and effective 595 + throughout the system's operation. 596 + 597 + dmverity_roothash 598 + ~~~~~~~~~~~~~~~~~ 599 + 600 + This property can be utilized for authorization or revocation of 601 + specific dm-verity volumes, identified via their root hashes. It has a 602 + dependency on the DM_VERITY module. This property is controlled by 603 + the ``IPE_PROP_DM_VERITY`` config option, it will be automatically 604 + selected when ``SECURITY_IPE`` and ``DM_VERITY`` are all enabled. 605 + The format of this property is:: 606 + 607 + dmverity_roothash=DigestName:HexadecimalString 608 + 609 + The supported DigestNames for dmverity_roothash are [#dmveritydigests]_ 610 + 611 + + blake2b-512 612 + + blake2s-256 613 + + sha256 614 + + sha384 615 + + sha512 616 + + sha3-224 617 + + sha3-256 618 + + sha3-384 619 + + sha3-512 620 + + sm3 621 + + rmd160 622 + 623 + dmverity_signature 624 + ~~~~~~~~~~~~~~~~~~ 625 + 626 + This property can be utilized for authorization of all dm-verity 627 + volumes that have a signed roothash that validated by a keyring 628 + specified by dm-verity's configuration, either the system trusted 629 + keyring, or the secondary keyring. It depends on 630 + ``DM_VERITY_VERIFY_ROOTHASH_SIG`` config option and is controlled by 631 + the ``IPE_PROP_DM_VERITY_SIGNATURE`` config option, it will be automatically 632 + selected when ``SECURITY_IPE``, ``DM_VERITY`` and 633 + ``DM_VERITY_VERIFY_ROOTHASH_SIG`` are all enabled. 634 + The format of this property is:: 635 + 636 + dmverity_signature=(TRUE|FALSE) 637 + 638 + fsverity_digest 639 + ~~~~~~~~~~~~~~~ 640 + 641 + This property can be utilized for authorization of specific fsverity 642 + enabled files, identified via their fsverity digests. 643 + It depends on ``FS_VERITY`` config option and is controlled by 644 + the ``IPE_PROP_FS_VERITY`` config option, it will be automatically 645 + selected when ``SECURITY_IPE`` and ``FS_VERITY`` are all enabled. 646 + The format of this property is:: 647 + 648 + fsverity_digest=DigestName:HexadecimalString 649 + 650 + The supported DigestNames for fsverity_digest are [#fsveritydigest]_ 651 + 652 + + sha256 653 + + sha512 654 + 655 + fsverity_signature 656 + ~~~~~~~~~~~~~~~~~~ 657 + 658 + This property is used to authorize all fs-verity enabled files that have 659 + been verified by fs-verity's built-in signature mechanism. The signature 660 + verification relies on a key stored within the ".fs-verity" keyring. It 661 + depends on ``FS_VERITY_BUILTIN_SIGNATURES`` config option and 662 + it is controlled by the ``IPE_PROP_FS_VERITY`` config option, 663 + it will be automatically selected when ``SECURITY_IPE``, ``FS_VERITY`` 664 + and ``FS_VERITY_BUILTIN_SIGNATURES`` are all enabled. 665 + The format of this property is:: 666 + 667 + fsverity_signature=(TRUE|FALSE) 668 + 669 + Policy Examples 670 + --------------- 671 + 672 + Allow all 673 + ~~~~~~~~~ 674 + 675 + :: 676 + 677 + policy_name=Allow_All policy_version=0.0.0 678 + DEFAULT action=ALLOW 679 + 680 + Allow only initramfs 681 + ~~~~~~~~~~~~~~~~~~~~ 682 + 683 + :: 684 + 685 + policy_name=Allow_Initramfs policy_version=0.0.0 686 + DEFAULT action=DENY 687 + 688 + op=EXECUTE boot_verified=TRUE action=ALLOW 689 + 690 + Allow any signed and validated dm-verity volume and the initramfs 691 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 692 + 693 + :: 694 + 695 + policy_name=Allow_Signed_DMV_And_Initramfs policy_version=0.0.0 696 + DEFAULT action=DENY 697 + 698 + op=EXECUTE boot_verified=TRUE action=ALLOW 699 + op=EXECUTE dmverity_signature=TRUE action=ALLOW 700 + 701 + Prohibit execution from a specific dm-verity volume 702 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 703 + 704 + :: 705 + 706 + policy_name=Deny_DMV_By_Roothash policy_version=0.0.0 707 + DEFAULT action=DENY 708 + 709 + op=EXECUTE dmverity_roothash=sha256:cd2c5bae7c6c579edaae4353049d58eb5f2e8be0244bf05345bc8e5ed257baff action=DENY 710 + 711 + op=EXECUTE boot_verified=TRUE action=ALLOW 712 + op=EXECUTE dmverity_signature=TRUE action=ALLOW 713 + 714 + Allow only a specific dm-verity volume 715 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 716 + 717 + :: 718 + 719 + policy_name=Allow_DMV_By_Roothash policy_version=0.0.0 720 + DEFAULT action=DENY 721 + 722 + op=EXECUTE dmverity_roothash=sha256:401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW 723 + 724 + Allow any fs-verity file with a valid built-in signature 725 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 726 + 727 + :: 728 + 729 + policy_name=Allow_Signed_And_Validated_FSVerity policy_version=0.0.0 730 + DEFAULT action=DENY 731 + 732 + op=EXECUTE fsverity_signature=TRUE action=ALLOW 733 + 734 + Allow execution of a specific fs-verity file 735 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 736 + 737 + :: 738 + 739 + policy_name=ALLOW_FSV_By_Digest policy_version=0.0.0 740 + DEFAULT action=DENY 741 + 742 + op=EXECUTE fsverity_digest=sha256:fd88f2b8824e197f850bf4c5109bea5cf0ee38104f710843bb72da796ba5af9e action=ALLOW 743 + 744 + Additional Information 745 + ---------------------- 746 + 747 + - `Github Repository <https://github.com/microsoft/ipe>`_ 748 + - :doc:`Developer and design docs for IPE </security/ipe>` 749 + 750 + FAQ 751 + --- 752 + 753 + Q: 754 + What's the difference between other LSMs which provide a measure of 755 + trust-based access control? 756 + 757 + A: 758 + 759 + In general, there's two other LSMs that can provide similar functionality: 760 + IMA, and Loadpin. 761 + 762 + IMA and IPE are functionally very similar. The significant difference between 763 + the two is the policy. [#devdoc]_ 764 + 765 + Loadpin and IPE differ fairly dramatically, as Loadpin only covers the IPE's 766 + kernel read operations, whereas IPE is capable of controlling execution 767 + on top of kernel read. The trust model is also different; Loadpin roots its 768 + trust in the initial super-block, whereas trust in IPE is stemmed from kernel 769 + itself (via ``SYSTEM_TRUSTED_KEYS``). 770 + 771 + ----------- 772 + 773 + .. [#digest_cache_lsm] https://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicloud.com/ 774 + 775 + .. [#interpreters] There is `some interest in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/>`_. 776 + 777 + .. [#devdoc] Please see :doc:`the design docs </security/ipe>` for more on 778 + this topic. 779 + 780 + .. [#switch_root] https://man7.org/linux/man-pages/man8/switch_root.8.html 781 + 782 + .. [#dmveritydigests] These hash algorithms are based on values accepted by 783 + the Linux crypto API; IPE does not impose any 784 + restrictions on the digest algorithm itself; 785 + thus, this list may be out of date. 786 + 787 + .. [#fsveritydigest] These hash algorithms are based on values accepted by the 788 + kernel's fsverity support; IPE does not impose any 789 + restrictions on the digest algorithm itself; 790 + thus, this list may be out of date.

+12

Documentation/admin-guide/kernel-parameters.txt

··· 2350 2350 ipcmni_extend [KNL,EARLY] Extend the maximum number of unique System V 2351 2351 IPC identifiers from 32,768 to 16,777,216. 2352 2352 2353 + ipe.enforce= [IPE] 2354 + Format: <bool> 2355 + Determine whether IPE starts in permissive (0) or 2356 + enforce (1) mode. The default is enforce. 2357 + 2358 + ipe.success_audit= 2359 + [IPE] 2360 + Format: <bool> 2361 + Start IPE with success auditing enabled, emitting 2362 + an audit event when a binary is allowed. The default 2363 + is 0. 2364 + 2353 2365 irqaffinity= [SMP] Set the default irq affinity mask 2354 2366 The argument is a cpu list, as described above. 2355 2367

+25 -2

Documentation/filesystems/fsverity.rst

··· 86 86 signature in their "security.ima" extended attribute, as controlled 87 87 by the IMA policy. For more information, see the IMA documentation. 88 88 89 + - Integrity Policy Enforcement (IPE). IPE supports enforcing access 90 + control decisions based on immutable security properties of files, 91 + including those protected by fs-verity's built-in signatures. 92 + "IPE policy" specifically allows for the authorization of fs-verity 93 + files using properties ``fsverity_digest`` for identifying 94 + files by their verity digest, and ``fsverity_signature`` to authorize 95 + files with a verified fs-verity's built-in signature. For 96 + details on configuring IPE policies and understanding its operational 97 + modes, please refer to :doc:`IPE admin guide </admin-guide/LSM/ipe>`. 98 + 89 99 - Trusted userspace code in combination with `Built-in signature 90 100 verification`_. This approach should be used only with great care. 91 101 ··· 467 457 On success, the ioctl persists the signature alongside the Merkle 468 458 tree. Then, any time the file is opened, the kernel verifies the 469 459 file's actual digest against this signature, using the certificates 470 - in the ".fs-verity" keyring. 460 + in the ".fs-verity" keyring. This verification happens as long as the 461 + file's signature exists, regardless of the state of the sysctl variable 462 + "fs.verity.require_signatures" described in the next item. The IPE LSM 463 + relies on this behavior to recognize and label fsverity files 464 + that contain a verified built-in fsverity signature. 471 465 472 466 3. A new sysctl "fs.verity.require_signatures" is made available. 473 467 When set to 1, the kernel requires that all verity files have a ··· 495 481 496 482 - Builtin signature verification does *not* make the kernel enforce 497 483 that any files actually have fs-verity enabled. Thus, it is not a 498 - complete authentication policy. Currently, if it is used, the only 484 + complete authentication policy. Currently, if it is used, one 499 485 way to complete the authentication policy is for trusted userspace 500 486 code to explicitly check whether files have fs-verity enabled with a 501 487 signature before they are accessed. (With ··· 503 489 enabled suffices.) But, in this case the trusted userspace code 504 490 could just store the signature alongside the file and verify it 505 491 itself using a cryptographic library, instead of using this feature. 492 + 493 + - Another approach is to utilize fs-verity builtin signature 494 + verification in conjunction with the IPE LSM, which supports defining 495 + a kernel-enforced, system-wide authentication policy that allows only 496 + files with a verified fs-verity builtin signature to perform certain 497 + operations, such as execution. Note that IPE doesn't require 498 + fs.verity.require_signatures=1. 499 + Please refer to :doc:`IPE admin guide </admin-guide/LSM/ipe>` for 500 + more details. 506 501 507 502 - A file's builtin signature can only be set at the same time that 508 503 fs-verity is being enabled on the file. Changing or deleting the

+1

Documentation/security/index.rst

··· 19 19 digsig 20 20 landlock 21 21 secrets/index 22 + ipe

+446

Documentation/security/ipe.rst

··· 1 + .. SPDX-License-Identifier: GPL-2.0 2 + 3 + Integrity Policy Enforcement (IPE) - Kernel Documentation 4 + ========================================================= 5 + 6 + .. NOTE:: 7 + 8 + This is documentation targeted at developers, instead of administrators. 9 + If you're looking for documentation on the usage of IPE, please see 10 + :doc:`IPE admin guide </admin-guide/LSM/ipe>`. 11 + 12 + Historical Motivation 13 + --------------------- 14 + 15 + The original issue that prompted IPE's implementation was the creation 16 + of a locked-down system. This system would be born-secure, and have 17 + strong integrity guarantees over both the executable code, and specific 18 + *data files* on the system, that were critical to its function. These 19 + specific data files would not be readable unless they passed integrity 20 + policy. A mandatory access control system would be present, and 21 + as a result, xattrs would have to be protected. This lead to a selection 22 + of what would provide the integrity claims. At the time, there were two 23 + main mechanisms considered that could guarantee integrity for the system 24 + with these requirements: 25 + 26 + 1. IMA + EVM Signatures 27 + 2. DM-Verity 28 + 29 + Both options were carefully considered, however the choice to use DM-Verity 30 + over IMA+EVM as the *integrity mechanism* in the original use case of IPE 31 + was due to three main reasons: 32 + 33 + 1. Protection of additional attack vectors: 34 + 35 + * With IMA+EVM, without an encryption solution, the system is vulnerable 36 + to offline attack against the aforementioned specific data files. 37 + 38 + Unlike executables, read operations (like those on the protected data 39 + files), cannot be enforced to be globally integrity verified. This means 40 + there must be some form of selector to determine whether a read should 41 + enforce the integrity policy, or it should not. 42 + 43 + At the time, this was done with mandatory access control labels. An IMA 44 + policy would indicate what labels required integrity verification, which 45 + presented an issue: EVM would protect the label, but if an attacker could 46 + modify filesystem offline, the attacker could wipe all the xattrs - 47 + including the SELinux labels that would be used to determine whether the 48 + file should be subject to integrity policy. 49 + 50 + With DM-Verity, as the xattrs are saved as part of the Merkel tree, if 51 + offline mount occurs against the filesystem protected by dm-verity, the 52 + checksum no longer matches and the file fails to be read. 53 + 54 + * As userspace binaries are paged in Linux, dm-verity also offers the 55 + additional protection against a hostile block device. In such an attack, 56 + the block device reports the appropriate content for the IMA hash 57 + initially, passing the required integrity check. Then, on the page fault 58 + that accesses the real data, will report the attacker's payload. Since 59 + dm-verity will check the data when the page fault occurs (and the disk 60 + access), this attack is mitigated. 61 + 62 + 2. Performance: 63 + 64 + * dm-verity provides integrity verification on demand as blocks are 65 + read versus requiring the entire file being read into memory for 66 + validation. 67 + 68 + 3. Simplicity of signing: 69 + 70 + * No need for two signatures (IMA, then EVM): one signature covers 71 + an entire block device. 72 + * Signatures can be stored externally to the filesystem metadata. 73 + * The signature supports an x.509-based signing infrastructure. 74 + 75 + The next step was to choose a *policy* to enforce the integrity mechanism. 76 + The minimum requirements for the policy were: 77 + 78 + 1. The policy itself must be integrity verified (preventing trivial 79 + attack against it). 80 + 2. The policy itself must be resistant to rollback attacks. 81 + 3. The policy enforcement must have a permissive-like mode. 82 + 4. The policy must be able to be updated, in its entirety, without 83 + a reboot. 84 + 5. Policy updates must be atomic. 85 + 6. The policy must support *revocations* of previously authored 86 + components. 87 + 7. The policy must be auditable, at any point-of-time. 88 + 89 + IMA, as the only integrity policy mechanism at the time, was 90 + considered against these list of requirements, and did not fulfill 91 + all of the minimum requirements. Extending IMA to cover these 92 + requirements was considered, but ultimately discarded for a 93 + two reasons: 94 + 95 + 1. Regression risk; many of these changes would result in 96 + dramatic code changes to IMA, which is already present in the 97 + kernel, and therefore might impact users. 98 + 99 + 2. IMA was used in the system for measurement and attestation; 100 + separation of measurement policy from local integrity policy 101 + enforcement was considered favorable. 102 + 103 + Due to these reasons, it was decided that a new LSM should be created, 104 + whose responsibility would be only the local integrity policy enforcement. 105 + 106 + Role and Scope 107 + -------------- 108 + 109 + IPE, as its name implies, is fundamentally an integrity policy enforcement 110 + solution; IPE does not mandate how integrity is provided, but instead 111 + leaves that decision to the system administrator to set the security bar, 112 + via the mechanisms that they select that suit their individual needs. 113 + There are several different integrity solutions that provide a different 114 + level of security guarantees; and IPE allows sysadmins to express policy for 115 + theoretically all of them. 116 + 117 + IPE does not have an inherent mechanism to ensure integrity on its own. 118 + Instead, there are more effective layers available for building systems that 119 + can guarantee integrity. It's important to note that the mechanism for proving 120 + integrity is independent of the policy for enforcing that integrity claim. 121 + 122 + Therefore, IPE was designed around: 123 + 124 + 1. Easy integrations with integrity providers. 125 + 2. Ease of use for platform administrators/sysadmins. 126 + 127 + Design Rationale: 128 + ----------------- 129 + 130 + IPE was designed after evaluating existing integrity policy solutions 131 + in other operating systems and environments. In this survey of other 132 + implementations, there were a few pitfalls identified: 133 + 134 + 1. Policies were not readable by humans, usually requiring a binary 135 + intermediary format. 136 + 2. A single, non-customizable action was implicitly taken as a default. 137 + 3. Debugging the policy required manual steps to determine what rule was violated. 138 + 4. Authoring a policy required an in-depth knowledge of the larger system, 139 + or operating system. 140 + 141 + IPE attempts to avoid all of these pitfalls. 142 + 143 + Policy 144 + ~~~~~~ 145 + 146 + Plain Text 147 + ^^^^^^^^^^ 148 + 149 + IPE's policy is plain-text. This introduces slightly larger policy files than 150 + other LSMs, but solves two major problems that occurs with some integrity policy 151 + solutions on other platforms. 152 + 153 + The first issue is one of code maintenance and duplication. To author policies, 154 + the policy has to be some form of string representation (be it structured, 155 + through XML, JSON, YAML, etcetera), to allow the policy author to understand 156 + what is being written. In a hypothetical binary policy design, a serializer 157 + is necessary to write the policy from the human readable form, to the binary 158 + form, and a deserializer is needed to interpret the binary form into a data 159 + structure in the kernel. 160 + 161 + Eventually, another deserializer will be needed to transform the binary from 162 + back into the human-readable form with as much information preserved. This is because a 163 + user of this access control system will have to keep a lookup table of a checksum 164 + and the original file itself to try to understand what policies have been deployed 165 + on this system and what policies have not. For a single user, this may be alright, 166 + as old policies can be discarded almost immediately after the update takes hold. 167 + For users that manage computer fleets in the thousands, if not hundreds of thousands, 168 + with multiple different operating systems, and multiple different operational needs, 169 + this quickly becomes an issue, as stale policies from years ago may be present, 170 + quickly resulting in the need to recover the policy or fund extensive infrastructure 171 + to track what each policy contains. 172 + 173 + With now three separate serializer/deserializers, maintenance becomes costly. If the 174 + policy avoids the binary format, there is only one required serializer: from the 175 + human-readable form to the data structure in kernel, saving on code maintenance, 176 + and retaining operability. 177 + 178 + The second issue with a binary format is one of transparency. As IPE controls 179 + access based on the trust of the system's resources, it's policy must also be 180 + trusted to be changed. This is done through signatures, resulting in needing 181 + signing as a process. Signing, as a process, is typically done with a 182 + high security bar, as anything signed can be used to attack integrity 183 + enforcement systems. It is also important that, when signing something, that 184 + the signer is aware of what they are signing. A binary policy can cause 185 + obfuscation of that fact; what signers see is an opaque binary blob. A 186 + plain-text policy, on the other hand, the signers see the actual policy 187 + submitted for signing. 188 + 189 + Boot Policy 190 + ~~~~~~~~~~~ 191 + 192 + IPE, if configured appropriately, is able to enforce a policy as soon as a 193 + kernel is booted and usermode starts. That implies some level of storage 194 + of the policy to apply the minute usermode starts. Generally, that storage 195 + can be handled in one of three ways: 196 + 197 + 1. The policy file(s) live on disk and the kernel loads the policy prior 198 + to an code path that would result in an enforcement decision. 199 + 2. The policy file(s) are passed by the bootloader to the kernel, who 200 + parses the policy. 201 + 3. There is a policy file that is compiled into the kernel that is 202 + parsed and enforced on initialization. 203 + 204 + The first option has problems: the kernel reading files from userspace 205 + is typically discouraged and very uncommon in the kernel. 206 + 207 + The second option also has problems: Linux supports a variety of bootloaders 208 + across its entire ecosystem - every bootloader would have to support this 209 + new methodology or there must be an independent source. It would likely 210 + result in more drastic changes to the kernel startup than necessary. 211 + 212 + The third option is the best but it's important to be aware that the policy 213 + will take disk space against the kernel it's compiled in. It's important to 214 + keep this policy generalized enough that userspace can load a new, more 215 + complicated policy, but restrictive enough that it will not overauthorize 216 + and cause security issues. 217 + 218 + The initramfs provides a way that this bootup path can be established. The 219 + kernel starts with a minimal policy, that trusts the initramfs only. Inside 220 + the initramfs, when the real rootfs is mounted, but not yet transferred to, 221 + it deploys and activates a policy that trusts the new root filesystem. 222 + This prevents overauthorization at any step, and keeps the kernel policy 223 + to a minimal size. 224 + 225 + Startup 226 + ^^^^^^^ 227 + 228 + Not every system, however starts with an initramfs, so the startup policy 229 + compiled into the kernel will need some flexibility to express how trust 230 + is established for the next phase of the bootup. To this end, if we just 231 + make the compiled-in policy a full IPE policy, it allows system builders 232 + to express the first stage bootup requirements appropriately. 233 + 234 + Updatable, Rebootless Policy 235 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 236 + 237 + As requirements change over time (vulnerabilities are found in previously 238 + trusted applications, keys roll, etcetera). Updating a kernel to change the 239 + meet those security goals is not always a suitable option, as updates are not 240 + always risk-free, and blocking a security update leaves systems vulnerable. 241 + This means IPE requires a policy that can be completely updated (allowing 242 + revocations of existing policy) from a source external to the kernel (allowing 243 + policies to be updated without updating the kernel). 244 + 245 + Additionally, since the kernel is stateless between invocations, and reading 246 + policy files off the disk from kernel space is a bad idea(tm), then the 247 + policy updates have to be done rebootlessly. 248 + 249 + To allow an update from an external source, it could be potentially malicious, 250 + so this policy needs to have a way to be identified as trusted. This is 251 + done via a signature chained to a trust source in the kernel. Arbitrarily, 252 + this is the ``SYSTEM_TRUSTED_KEYRING``, a keyring that is initially 253 + populated at kernel compile-time, as this matches the expectation that the 254 + author of the compiled-in policy described above is the same entity that can 255 + deploy policy updates. 256 + 257 + Anti-Rollback / Anti-Replay 258 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ 259 + 260 + Over time, vulnerabilities are found and trusted resources may not be 261 + trusted anymore. IPE's policy has no exception to this. There can be 262 + instances where a mistaken policy author deploys an insecure policy, 263 + before correcting it with a secure policy. 264 + 265 + Assuming that as soon as the insecure policy is signed, and an attacker 266 + acquires the insecure policy, IPE needs a way to prevent rollback 267 + from the secure policy update to the insecure policy update. 268 + 269 + Initially, IPE's policy can have a policy_version that states the 270 + minimum required version across all policies that can be active on 271 + the system. This will prevent rollback while the system is live. 272 + 273 + .. WARNING:: 274 + 275 + However, since the kernel is stateless across boots, this policy 276 + version will be reset to 0.0.0 on the next boot. System builders 277 + need to be aware of this, and ensure the new secure policies are 278 + deployed ASAP after a boot to ensure that the window of 279 + opportunity is minimal for an attacker to deploy the insecure policy. 280 + 281 + Implicit Actions: 282 + ~~~~~~~~~~~~~~~~~ 283 + 284 + The issue of implicit actions only becomes visible when you consider 285 + a mixed level of security bars across multiple operations in a system. 286 + For example, consider a system that has strong integrity guarantees 287 + over both the executable code, and specific *data files* on the system, 288 + that were critical to its function. In this system, three types of policies 289 + are possible: 290 + 291 + 1. A policy in which failure to match any rules in the policy results 292 + in the action being denied. 293 + 2. A policy in which failure to match any rules in the policy results 294 + in the action being allowed. 295 + 3. A policy in which the action taken when no rules are matched is 296 + specified by the policy author. 297 + 298 + The first option could make a policy like this:: 299 + 300 + op=EXECUTE integrity_verified=YES action=ALLOW 301 + 302 + In the example system, this works well for the executables, as all 303 + executables should have integrity guarantees, without exception. The 304 + issue becomes with the second requirement about specific data files. 305 + This would result in a policy like this (assuming each line is 306 + evaluated in order):: 307 + 308 + op=EXECUTE integrity_verified=YES action=ALLOW 309 + 310 + op=READ integrity_verified=NO label=critical_t action=DENY 311 + op=READ action=ALLOW 312 + 313 + This is somewhat clear if you read the docs, understand the policy 314 + is executed in order and that the default is a denial; however, the 315 + last line effectively changes that default to an ALLOW. This is 316 + required, because in a realistic system, there are some unverified 317 + reads (imagine appending to a log file). 318 + 319 + The second option, matching no rules results in an allow, is clearer 320 + for the specific data files:: 321 + 322 + op=READ integrity_verified=NO label=critical_t action=DENY 323 + 324 + And, like the first option, falls short with the execution scenario, 325 + effectively needing to override the default:: 326 + 327 + op=EXECUTE integrity_verified=YES action=ALLOW 328 + op=EXECUTE action=DENY 329 + 330 + op=READ integrity_verified=NO label=critical_t action=DENY 331 + 332 + This leaves the third option. Instead of making users be clever 333 + and override the default with an empty rule, force the end-user 334 + to consider what the appropriate default should be for their 335 + scenario and explicitly state it:: 336 + 337 + DEFAULT op=EXECUTE action=DENY 338 + op=EXECUTE integrity_verified=YES action=ALLOW 339 + 340 + DEFAULT op=READ action=ALLOW 341 + op=READ integrity_verified=NO label=critical_t action=DENY 342 + 343 + Policy Debugging: 344 + ~~~~~~~~~~~~~~~~~ 345 + 346 + When developing a policy, it is useful to know what line of the policy 347 + is being violated to reduce debugging costs; narrowing the scope of the 348 + investigation to the exact line that resulted in the action. Some integrity 349 + policy systems do not provide this information, instead providing the 350 + information that was used in the evaluation. This then requires a correlation 351 + with the policy to evaluate what went wrong. 352 + 353 + Instead, IPE just emits the rule that was matched. This limits the scope 354 + of the investigation to the exact policy line (in the case of a specific 355 + rule), or the section (in the case of a DEFAULT). This decreases iteration 356 + and investigation times when policy failures are observed while evaluating 357 + policies. 358 + 359 + IPE's policy engine is also designed in a way that it makes it obvious to 360 + a human of how to investigate a policy failure. Each line is evaluated in 361 + the sequence that is written, so the algorithm is very simple to follow 362 + for humans to recreate the steps and could have caused the failure. In other 363 + surveyed systems, optimizations occur (sorting rules, for instance) when loading 364 + the policy. In those systems, it requires multiple steps to debug, and the 365 + algorithm may not always be clear to the end-user without reading the code first. 366 + 367 + Simplified Policy: 368 + ~~~~~~~~~~~~~~~~~~ 369 + 370 + Finally, IPE's policy is designed for sysadmins, not kernel developers. Instead 371 + of covering individual LSM hooks (or syscalls), IPE covers operations. This means 372 + instead of sysadmins needing to know that the syscalls ``mmap``, ``mprotect``, 373 + ``execve``, and ``uselib`` must have rules protecting them, they must simple know 374 + that they want to restrict code execution. This limits the amount of bypasses that 375 + could occur due to a lack of knowledge of the underlying system; whereas the 376 + maintainers of IPE, being kernel developers can make the correct choice to determine 377 + whether something maps to these operations, and under what conditions. 378 + 379 + Implementation Notes 380 + -------------------- 381 + 382 + Anonymous Memory 383 + ~~~~~~~~~~~~~~~~ 384 + 385 + Anonymous memory isn't treated any differently from any other access in IPE. 386 + When anonymous memory is mapped with ``+X``, it still comes into the ``file_mmap`` 387 + or ``file_mprotect`` hook, but with a ``NULL`` file object. This is submitted to 388 + the evaluation, like any other file. However, all current trust properties will 389 + evaluate to false, as they are all file-based and the operation is not 390 + associated with a file. 391 + 392 + .. WARNING:: 393 + 394 + This also occurs with the ``kernel_load_data`` hook, when the kernel is 395 + loading data from a userspace buffer that is not backed by a file. In this 396 + scenario all current trust properties will also evaluate to false. 397 + 398 + Securityfs Interface 399 + ~~~~~~~~~~~~~~~~~~~~ 400 + 401 + The per-policy securityfs tree is somewhat unique. For example, for 402 + a standard securityfs policy tree:: 403 + 404 + MyPolicy 405 + |- active 406 + |- delete 407 + |- name 408 + |- pkcs7 409 + |- policy 410 + |- update 411 + |- version 412 + 413 + The policy is stored in the ``->i_private`` data of the MyPolicy inode. 414 + 415 + Tests 416 + ----- 417 + 418 + IPE has KUnit Tests for the policy parser. Recommended kunitconfig:: 419 + 420 + CONFIG_KUNIT=y 421 + CONFIG_SECURITY=y 422 + CONFIG_SECURITYFS=y 423 + CONFIG_PKCS7_MESSAGE_PARSER=y 424 + CONFIG_SYSTEM_DATA_VERIFICATION=y 425 + CONFIG_FS_VERITY=y 426 + CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y 427 + CONFIG_BLOCK=y 428 + CONFIG_MD=y 429 + CONFIG_BLK_DEV_DM=y 430 + CONFIG_DM_VERITY=y 431 + CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y 432 + CONFIG_NET=y 433 + CONFIG_AUDIT=y 434 + CONFIG_AUDITSYSCALL=y 435 + CONFIG_BLK_DEV_INITRD=y 436 + 437 + CONFIG_SECURITY_IPE=y 438 + CONFIG_IPE_PROP_DM_VERITY=y 439 + CONFIG_IPE_PROP_DM_VERITY_SIGNATURE=y 440 + CONFIG_IPE_PROP_FS_VERITY=y 441 + CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y 442 + CONFIG_SECURITY_IPE_KUNIT_TEST=y 443 + 444 + In addition, IPE has a python based integration 445 + `test suite <https://github.com/microsoft/ipe/tree/test-suite>`_ that 446 + can test both user interfaces and enforcement functionalities.

+10

MAINTAINERS

··· 11166 11166 F: security/integrity/ 11167 11167 F: security/integrity/ima/ 11168 11168 11169 + INTEGRITY POLICY ENFORCEMENT (IPE) 11170 + M: Fan Wu <wufan@linux.microsoft.com> 11171 + L: linux-security-module@vger.kernel.org 11172 + S: Supported 11173 + T: git https://github.com/microsoft/ipe.git 11174 + F: Documentation/admin-guide/LSM/ipe.rst 11175 + F: Documentation/security/ipe.rst 11176 + F: scripts/ipe/ 11177 + F: security/ipe/ 11178 + 11169 11179 INTEL 810/815 FRAMEBUFFER DRIVER 11170 11180 M: Antonino Daplas <adaplas@gmail.com> 11171 11181 L: linux-fbdev@vger.kernel.org

+7

block/bdev.c

··· 24 24 #include <linux/pseudo_fs.h> 25 25 #include <linux/uio.h> 26 26 #include <linux/namei.h> 27 + #include <linux/security.h> 27 28 #include <linux/part_stat.h> 28 29 #include <linux/uaccess.h> 29 30 #include <linux/stat.h> ··· 325 324 if (!ei) 326 325 return NULL; 327 326 memset(&ei->bdev, 0, sizeof(ei->bdev)); 327 + 328 + if (security_bdev_alloc(&ei->bdev)) { 329 + kmem_cache_free(bdev_cachep, ei); 330 + return NULL; 331 + } 328 332 return &ei->vfs_inode; 329 333 } 330 334 ··· 339 333 340 334 free_percpu(bdev->bd_stats); 341 335 kfree(bdev->bd_meta_info); 336 + security_bdev_free(bdev); 342 337 343 338 if (!bdev_is_partition(bdev)) { 344 339 if (bdev->bd_disk && bdev->bd_disk->bdi)

+118

drivers/md/dm-verity-target.c

··· 22 22 #include <linux/scatterlist.h> 23 23 #include <linux/string.h> 24 24 #include <linux/jump_label.h> 25 + #include <linux/security.h> 25 26 26 27 #define DM_MSG_PREFIX "verity" 27 28 ··· 931 930 limits->dma_alignment = limits->logical_block_size - 1; 932 931 } 933 932 933 + #ifdef CONFIG_SECURITY 934 + 935 + static int verity_init_sig(struct dm_verity *v, const void *sig, 936 + size_t sig_size) 937 + { 938 + v->sig_size = sig_size; 939 + 940 + if (sig) { 941 + v->root_digest_sig = kmemdup(sig, v->sig_size, GFP_KERNEL); 942 + if (!v->root_digest_sig) 943 + return -ENOMEM; 944 + } 945 + 946 + return 0; 947 + } 948 + 949 + static void verity_free_sig(struct dm_verity *v) 950 + { 951 + kfree(v->root_digest_sig); 952 + } 953 + 954 + #else 955 + 956 + static inline int verity_init_sig(struct dm_verity *v, const void *sig, 957 + size_t sig_size) 958 + { 959 + return 0; 960 + } 961 + 962 + static inline void verity_free_sig(struct dm_verity *v) 963 + { 964 + } 965 + 966 + #endif /* CONFIG_SECURITY */ 967 + 934 968 static void verity_dtr(struct dm_target *ti) 935 969 { 936 970 struct dm_verity *v = ti->private; ··· 985 949 kfree(v->initial_hashstate); 986 950 kfree(v->root_digest); 987 951 kfree(v->zero_digest); 952 + verity_free_sig(v); 988 953 989 954 if (v->ahash_tfm) { 990 955 static_branch_dec(&ahash_enabled); ··· 1455 1418 ti->error = "Root hash verification failed"; 1456 1419 goto bad; 1457 1420 } 1421 + 1422 + r = verity_init_sig(v, verify_args.sig, verify_args.sig_size); 1423 + if (r < 0) { 1424 + ti->error = "Cannot allocate root digest signature"; 1425 + goto bad; 1426 + } 1427 + 1458 1428 v->hash_per_block_bits = 1459 1429 __fls((1 << v->hash_dev_block_bits) / v->digest_size); 1460 1430 ··· 1603 1559 return 0; 1604 1560 } 1605 1561 1562 + #ifdef CONFIG_SECURITY 1563 + 1564 + #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG 1565 + 1566 + static int verity_security_set_signature(struct block_device *bdev, 1567 + struct dm_verity *v) 1568 + { 1569 + /* 1570 + * if the dm-verity target is unsigned, v->root_digest_sig will 1571 + * be NULL, and the hook call is still required to let LSMs mark 1572 + * the device as unsigned. This information is crucial for LSMs to 1573 + * block operations such as execution on unsigned files 1574 + */ 1575 + return security_bdev_setintegrity(bdev, 1576 + LSM_INT_DMVERITY_SIG_VALID, 1577 + v->root_digest_sig, 1578 + v->sig_size); 1579 + } 1580 + 1581 + #else 1582 + 1583 + static inline int verity_security_set_signature(struct block_device *bdev, 1584 + struct dm_verity *v) 1585 + { 1586 + return 0; 1587 + } 1588 + 1589 + #endif /* CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG */ 1590 + 1591 + /* 1592 + * Expose verity target's root hash and signature data to LSMs before resume. 1593 + * 1594 + * Returns 0 on success, or -ENOMEM if the system is out of memory. 1595 + */ 1596 + static int verity_preresume(struct dm_target *ti) 1597 + { 1598 + struct block_device *bdev; 1599 + struct dm_verity_digest root_digest; 1600 + struct dm_verity *v; 1601 + int r; 1602 + 1603 + v = ti->private; 1604 + bdev = dm_disk(dm_table_get_md(ti->table))->part0; 1605 + root_digest.digest = v->root_digest; 1606 + root_digest.digest_len = v->digest_size; 1607 + if (static_branch_unlikely(&ahash_enabled) && !v->shash_tfm) 1608 + root_digest.alg = crypto_ahash_alg_name(v->ahash_tfm); 1609 + else 1610 + root_digest.alg = crypto_shash_alg_name(v->shash_tfm); 1611 + 1612 + r = security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, &root_digest, 1613 + sizeof(root_digest)); 1614 + if (r) 1615 + return r; 1616 + 1617 + r = verity_security_set_signature(bdev, v); 1618 + if (r) 1619 + goto bad; 1620 + 1621 + return 0; 1622 + 1623 + bad: 1624 + 1625 + security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, NULL, 0); 1626 + 1627 + return r; 1628 + } 1629 + 1630 + #endif /* CONFIG_SECURITY */ 1631 + 1606 1632 static struct target_type verity_target = { 1607 1633 .name = "verity", 1634 + /* Note: the LSMs depend on the singleton and immutable features */ 1608 1635 .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE, 1609 1636 .version = {1, 10, 0}, 1610 1637 .module = THIS_MODULE, ··· 1686 1571 .prepare_ioctl = verity_prepare_ioctl, 1687 1572 .iterate_devices = verity_iterate_devices, 1688 1573 .io_hints = verity_io_hints, 1574 + #ifdef CONFIG_SECURITY 1575 + .preresume = verity_preresume, 1576 + #endif /* CONFIG_SECURITY */ 1689 1577 }; 1690 1578 module_dm(verity); 1691 1579

+4

drivers/md/dm-verity.h

··· 45 45 u8 *salt; /* salt: its size is salt_size */ 46 46 u8 *initial_hashstate; /* salted initial state, if shash_tfm is set */ 47 47 u8 *zero_digest; /* digest for a zero block */ 48 + #ifdef CONFIG_SECURITY 49 + u8 *root_digest_sig; /* signature of the root digest */ 50 + unsigned int sig_size; /* root digest signature size */ 51 + #endif /* CONFIG_SECURITY */ 48 52 unsigned int salt_size; 49 53 sector_t data_start; /* data offset in 512-byte sectors */ 50 54 sector_t hash_start; /* hash start in blocks */

+4 -10

fs/fcntl.c

··· 125 125 } 126 126 } 127 127 128 - static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, 129 - int force) 128 + void __f_setown(struct file *filp, struct pid *pid, enum pid_type type, 129 + int force) 130 130 { 131 131 struct fown_struct *f_owner; 132 132 ··· 142 142 143 143 if (pid) { 144 144 const struct cred *cred = current_cred(); 145 + security_file_set_fowner(filp); 145 146 f_owner->uid = cred->uid; 146 147 f_owner->euid = cred->euid; 147 148 } 148 149 } 149 150 write_unlock_irq(&f_owner->lock); 150 - } 151 - 152 - void __f_setown(struct file *filp, struct pid *pid, enum pid_type type, 153 - int force) 154 - { 155 - security_file_set_fowner(filp); 156 - f_modown(filp, pid, type, force); 157 151 } 158 152 EXPORT_SYMBOL(__f_setown); 159 153 ··· 190 196 191 197 void f_delown(struct file *filp) 192 198 { 193 - f_modown(filp, NULL, PIDTYPE_TGID, 1); 199 + __f_setown(filp, NULL, PIDTYPE_TGID, 1); 194 200 } 195 201 196 202 pid_t f_getown(struct file *filp)

+3 -3

fs/overlayfs/copy_up.c

··· 115 115 continue; 116 116 117 117 error = security_inode_copy_up_xattr(old, name); 118 - if (error < 0 && error != -EOPNOTSUPP) 119 - break; 120 - if (error == 1) { 118 + if (error == -ECANCELED) { 121 119 error = 0; 122 120 continue; /* Discard */ 123 121 } 122 + if (error < 0 && error != -EOPNOTSUPP) 123 + break; 124 124 125 125 if (is_posix_acl_xattr(name)) { 126 126 error = ovl_copy_acl(OVL_FS(sb), oldpath, new, name);

+17 -1

fs/verity/signature.c

··· 17 17 18 18 #include <linux/cred.h> 19 19 #include <linux/key.h> 20 + #include <linux/security.h> 20 21 #include <linux/slab.h> 21 22 #include <linux/verification.h> 22 23 ··· 42 41 * @sig_size: size of signature in bytes, or 0 if no signature 43 42 * 44 43 * If the file includes a signature of its fs-verity file digest, verify it 45 - * against the certificates in the fs-verity keyring. 44 + * against the certificates in the fs-verity keyring. Note that signatures 45 + * are verified regardless of the state of the 'fsverity_require_signatures' 46 + * variable and the LSM subsystem relies on this behavior to help enforce 47 + * file integrity policies. Please discuss changes with the LSM list 48 + * (thank you!). 46 49 * 47 50 * Return: 0 on success (signature valid or not required); -errno on failure 48 51 */ ··· 108 103 else 109 104 fsverity_err(inode, "Error %d verifying file signature", 110 105 err); 106 + return err; 107 + } 108 + 109 + err = security_inode_setintegrity(inode, 110 + LSM_INT_FSVERITY_BUILTINSIG_VALID, 111 + signature, 112 + sig_size); 113 + 114 + if (err) { 115 + fsverity_err(inode, "Error %d exposing file signature to LSMs", 116 + err); 111 117 return err; 112 118 } 113 119

+3 -3

include/linux/args.h

··· 17 17 * that as _n. 18 18 */ 19 19 20 - /* This counts to 12. Any more, it will return 13th argument. */ 21 - #define __COUNT_ARGS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _n, X...) _n 22 - #define COUNT_ARGS(X...) __COUNT_ARGS(, ##X, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0) 20 + /* This counts to 15. Any more, it will return 16th argument. */ 21 + #define __COUNT_ARGS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _13, _14, _15, _n, X...) _n 22 + #define COUNT_ARGS(X...) __COUNT_ARGS(, ##X, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0) 23 23 24 24 /* Concatenate two parameters, but allow them to be expanded beforehand. */ 25 25 #define __CONCAT(a, b) a ## b

+3

include/linux/blk_types.h

··· 71 71 72 72 struct partition_meta_info *bd_meta_info; 73 73 int bd_writers; 74 + #ifdef CONFIG_SECURITY 75 + void *bd_security; 76 + #endif 74 77 /* 75 78 * keep this out-of-line as it's both big and not needed in the fast 76 79 * path

+135

include/linux/lsm_count.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + 3 + /* 4 + * Copyright (C) 2023 Google LLC. 5 + */ 6 + 7 + #ifndef __LINUX_LSM_COUNT_H 8 + #define __LINUX_LSM_COUNT_H 9 + 10 + #include <linux/args.h> 11 + 12 + #ifdef CONFIG_SECURITY 13 + 14 + /* 15 + * Macros to count the number of LSMs enabled in the kernel at compile time. 16 + */ 17 + 18 + /* 19 + * Capabilities is enabled when CONFIG_SECURITY is enabled. 20 + */ 21 + #if IS_ENABLED(CONFIG_SECURITY) 22 + #define CAPABILITIES_ENABLED 1, 23 + #else 24 + #define CAPABILITIES_ENABLED 25 + #endif 26 + 27 + #if IS_ENABLED(CONFIG_SECURITY_SELINUX) 28 + #define SELINUX_ENABLED 1, 29 + #else 30 + #define SELINUX_ENABLED 31 + #endif 32 + 33 + #if IS_ENABLED(CONFIG_SECURITY_SMACK) 34 + #define SMACK_ENABLED 1, 35 + #else 36 + #define SMACK_ENABLED 37 + #endif 38 + 39 + #if IS_ENABLED(CONFIG_SECURITY_APPARMOR) 40 + #define APPARMOR_ENABLED 1, 41 + #else 42 + #define APPARMOR_ENABLED 43 + #endif 44 + 45 + #if IS_ENABLED(CONFIG_SECURITY_TOMOYO) 46 + #define TOMOYO_ENABLED 1, 47 + #else 48 + #define TOMOYO_ENABLED 49 + #endif 50 + 51 + #if IS_ENABLED(CONFIG_SECURITY_YAMA) 52 + #define YAMA_ENABLED 1, 53 + #else 54 + #define YAMA_ENABLED 55 + #endif 56 + 57 + #if IS_ENABLED(CONFIG_SECURITY_LOADPIN) 58 + #define LOADPIN_ENABLED 1, 59 + #else 60 + #define LOADPIN_ENABLED 61 + #endif 62 + 63 + #if IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) 64 + #define LOCKDOWN_ENABLED 1, 65 + #else 66 + #define LOCKDOWN_ENABLED 67 + #endif 68 + 69 + #if IS_ENABLED(CONFIG_SECURITY_SAFESETID) 70 + #define SAFESETID_ENABLED 1, 71 + #else 72 + #define SAFESETID_ENABLED 73 + #endif 74 + 75 + #if IS_ENABLED(CONFIG_BPF_LSM) 76 + #define BPF_LSM_ENABLED 1, 77 + #else 78 + #define BPF_LSM_ENABLED 79 + #endif 80 + 81 + #if IS_ENABLED(CONFIG_SECURITY_LANDLOCK) 82 + #define LANDLOCK_ENABLED 1, 83 + #else 84 + #define LANDLOCK_ENABLED 85 + #endif 86 + 87 + #if IS_ENABLED(CONFIG_IMA) 88 + #define IMA_ENABLED 1, 89 + #else 90 + #define IMA_ENABLED 91 + #endif 92 + 93 + #if IS_ENABLED(CONFIG_EVM) 94 + #define EVM_ENABLED 1, 95 + #else 96 + #define EVM_ENABLED 97 + #endif 98 + 99 + #if IS_ENABLED(CONFIG_SECURITY_IPE) 100 + #define IPE_ENABLED 1, 101 + #else 102 + #define IPE_ENABLED 103 + #endif 104 + 105 + /* 106 + * There is a trailing comma that we need to be accounted for. This is done by 107 + * using a skipped argument in __COUNT_LSMS 108 + */ 109 + #define __COUNT_LSMS(skipped_arg, args...) COUNT_ARGS(args...) 110 + #define COUNT_LSMS(args...) __COUNT_LSMS(args) 111 + 112 + #define MAX_LSM_COUNT \ 113 + COUNT_LSMS( \ 114 + CAPABILITIES_ENABLED \ 115 + SELINUX_ENABLED \ 116 + SMACK_ENABLED \ 117 + APPARMOR_ENABLED \ 118 + TOMOYO_ENABLED \ 119 + YAMA_ENABLED \ 120 + LOADPIN_ENABLED \ 121 + LOCKDOWN_ENABLED \ 122 + SAFESETID_ENABLED \ 123 + BPF_LSM_ENABLED \ 124 + LANDLOCK_ENABLED \ 125 + IMA_ENABLED \ 126 + EVM_ENABLED \ 127 + IPE_ENABLED) 128 + 129 + #else 130 + 131 + #define MAX_LSM_COUNT 0 132 + 133 + #endif /* CONFIG_SECURITY */ 134 + 135 + #endif /* __LINUX_LSM_COUNT_H */

+13 -7

include/linux/lsm_hook_defs.h

··· 48 48 LSM_HOOK(int, 0, syslog, int type) 49 49 LSM_HOOK(int, 0, settime, const struct timespec64 *ts, 50 50 const struct timezone *tz) 51 - LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages) 51 + LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages) 52 52 LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) 53 53 LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file) 54 54 LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) ··· 114 114 unsigned int obj_type) 115 115 LSM_HOOK(int, 0, inode_alloc_security, struct inode *inode) 116 116 LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode) 117 + LSM_HOOK(void, LSM_RET_VOID, inode_free_security_rcu, void *inode_security) 117 118 LSM_HOOK(int, -EOPNOTSUPP, inode_init_security, struct inode *inode, 118 119 struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, 119 120 int *xattr_count) ··· 180 179 LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) 181 180 LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src, 182 181 const char *name) 182 + LSM_HOOK(int, 0, inode_setintegrity, const struct inode *inode, 183 + enum lsm_integrity_type type, const void *value, size_t size) 183 184 LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir, 184 185 struct kernfs_node *kn) 185 186 LSM_HOOK(int, 0, file_permission, struct file *file, int mask) ··· 356 353 LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_dec, void) 357 354 LSM_HOOK(void, LSM_RET_VOID, req_classify_flow, const struct request_sock *req, 358 355 struct flowi_common *flic) 359 - LSM_HOOK(int, 0, tun_dev_alloc_security, void **security) 360 - LSM_HOOK(void, LSM_RET_VOID, tun_dev_free_security, void *security) 356 + LSM_HOOK(int, 0, tun_dev_alloc_security, void *security) 361 357 LSM_HOOK(int, 0, tun_dev_create, void) 362 358 LSM_HOOK(int, 0, tun_dev_attach_queue, void *security) 363 359 LSM_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security) ··· 376 374 LSM_HOOK(int, 0, ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey) 377 375 LSM_HOOK(int, 0, ib_endport_manage_subnet, void *sec, const char *dev_name, 378 376 u8 port_num) 379 - LSM_HOOK(int, 0, ib_alloc_security, void **sec) 380 - LSM_HOOK(void, LSM_RET_VOID, ib_free_security, void *sec) 377 + LSM_HOOK(int, 0, ib_alloc_security, void *sec) 381 378 #endif /* CONFIG_SECURITY_INFINIBAND */ 382 379 383 380 #ifdef CONFIG_SECURITY_NETWORK_XFRM ··· 404 403 #ifdef CONFIG_KEYS 405 404 LSM_HOOK(int, 0, key_alloc, struct key *key, const struct cred *cred, 406 405 unsigned long flags) 407 - LSM_HOOK(void, LSM_RET_VOID, key_free, struct key *key) 408 406 LSM_HOOK(int, 0, key_permission, key_ref_t key_ref, const struct cred *cred, 409 407 enum key_need_perm need_perm) 410 408 LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) ··· 442 442 #ifdef CONFIG_PERF_EVENTS 443 443 LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) 444 444 LSM_HOOK(int, 0, perf_event_alloc, struct perf_event *event) 445 - LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) 446 445 LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) 447 446 LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) 448 447 #endif /* CONFIG_PERF_EVENTS */ ··· 451 452 LSM_HOOK(int, 0, uring_sqpoll, void) 452 453 LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) 453 454 #endif /* CONFIG_IO_URING */ 455 + 456 + LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void) 457 + 458 + LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev) 459 + LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev) 460 + LSM_HOOK(int, 0, bdev_setintegrity, struct block_device *bdev, 461 + enum lsm_integrity_type type, const void *value, size_t size)

+84 -45

include/linux/lsm_hooks.h

··· 30 30 #include <linux/init.h> 31 31 #include <linux/rculist.h> 32 32 #include <linux/xattr.h> 33 + #include <linux/static_call.h> 34 + #include <linux/unroll.h> 35 + #include <linux/jump_label.h> 36 + #include <linux/lsm_count.h> 33 37 34 38 union security_list_options { 35 39 #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); 36 40 #include "lsm_hook_defs.h" 37 41 #undef LSM_HOOK 42 + void *lsm_func_addr; 38 43 }; 39 44 40 - struct security_hook_heads { 41 - #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME; 42 - #include "lsm_hook_defs.h" 43 - #undef LSM_HOOK 45 + /* 46 + * @key: static call key as defined by STATIC_CALL_KEY 47 + * @trampoline: static call trampoline as defined by STATIC_CALL_TRAMP 48 + * @hl: The security_hook_list as initialized by the owning LSM. 49 + * @active: Enabled when the static call has an LSM hook associated. 50 + */ 51 + struct lsm_static_call { 52 + struct static_call_key *key; 53 + void *trampoline; 54 + struct security_hook_list *hl; 55 + /* this needs to be true or false based on what the key defaults to */ 56 + struct static_key_false *active; 44 57 } __randomize_layout; 58 + 59 + /* 60 + * Table of the static calls for each LSM hook. 61 + * Once the LSMs are initialized, their callbacks will be copied to these 62 + * tables such that the calls are filled backwards (from last to first). 63 + * This way, we can jump directly to the first used static call, and execute 64 + * all of them after. This essentially makes the entry point 65 + * dynamic to adapt the number of static calls to the number of callbacks. 66 + */ 67 + struct lsm_static_calls_table { 68 + #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ 69 + struct lsm_static_call NAME[MAX_LSM_COUNT]; 70 + #include <linux/lsm_hook_defs.h> 71 + #undef LSM_HOOK 72 + } __packed __randomize_layout; 45 73 46 74 /** 47 75 * struct lsm_id - Identify a Linux Security Module. ··· 79 51 * Contains the information that identifies the LSM. 80 52 */ 81 53 struct lsm_id { 82 - const char *name; 83 - u64 id; 54 + const char *name; 55 + u64 id; 84 56 }; 85 57 86 58 /* 87 59 * Security module hook list structure. 88 60 * For use with generic list macros for common operations. 61 + * 62 + * struct security_hook_list - Contents of a cacheable, mappable object. 63 + * @scalls: The beginning of the array of static calls assigned to this hook. 64 + * @hook: The callback for the hook. 65 + * @lsm: The name of the lsm that owns this hook. 89 66 */ 90 67 struct security_hook_list { 91 - struct hlist_node list; 92 - struct hlist_head *head; 93 - union security_list_options hook; 94 - const struct lsm_id *lsmid; 68 + struct lsm_static_call *scalls; 69 + union security_list_options hook; 70 + const struct lsm_id *lsmid; 95 71 } __randomize_layout; 96 72 97 73 /* 98 74 * Security blob size or offset data. 99 75 */ 100 76 struct lsm_blob_sizes { 101 - int lbs_cred; 102 - int lbs_file; 103 - int lbs_inode; 104 - int lbs_superblock; 105 - int lbs_ipc; 106 - int lbs_msg_msg; 107 - int lbs_task; 108 - int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ 77 + int lbs_cred; 78 + int lbs_file; 79 + int lbs_ib; 80 + int lbs_inode; 81 + int lbs_sock; 82 + int lbs_superblock; 83 + int lbs_ipc; 84 + int lbs_key; 85 + int lbs_msg_msg; 86 + int lbs_perf_event; 87 + int lbs_task; 88 + int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ 89 + int lbs_tun_dev; 90 + int lbs_bdev; 109 91 }; 110 - 111 - /** 112 - * lsm_get_xattr_slot - Return the next available slot and increment the index 113 - * @xattrs: array storing LSM-provided xattrs 114 - * @xattr_count: number of already stored xattrs (updated) 115 - * 116 - * Retrieve the first available slot in the @xattrs array to fill with an xattr, 117 - * and increment @xattr_count. 118 - * 119 - * Return: The slot to fill in @xattrs if non-NULL, NULL otherwise. 120 - */ 121 - static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs, 122 - int *xattr_count) 123 - { 124 - if (unlikely(!xattrs)) 125 - return NULL; 126 - return &xattrs[(*xattr_count)++]; 127 - } 128 92 129 93 /* 130 94 * LSM_RET_VOID is used as the default value in LSM_HOOK definitions for void ··· 130 110 * care of the common case and reduces the amount of 131 111 * text involved. 132 112 */ 133 - #define LSM_HOOK_INIT(HEAD, HOOK) \ 134 - { .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } } 135 - 136 - extern struct security_hook_heads security_hook_heads; 137 - extern char *lsm_names; 113 + #define LSM_HOOK_INIT(NAME, HOOK) \ 114 + { \ 115 + .scalls = static_calls_table.NAME, \ 116 + .hook = { .NAME = HOOK } \ 117 + } 138 118 139 119 extern void security_add_hooks(struct security_hook_list *hooks, int count, 140 120 const struct lsm_id *lsmid); ··· 157 137 struct lsm_blob_sizes *blobs; /* Optional: for blob sharing. */ 158 138 }; 159 139 160 - extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; 161 - extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; 162 - 163 140 #define DEFINE_LSM(lsm) \ 164 141 static struct lsm_info __lsm_##lsm \ 165 142 __used __section(".lsm_info.init") \ ··· 167 150 __used __section(".early_lsm_info.init") \ 168 151 __aligned(sizeof(unsigned long)) 169 152 170 - extern int lsm_inode_alloc(struct inode *inode); 153 + /* DO NOT tamper with these variables outside of the LSM framework */ 154 + extern char *lsm_names; 155 + extern struct lsm_static_calls_table static_calls_table __ro_after_init; 156 + extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; 157 + extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; 158 + 159 + /** 160 + * lsm_get_xattr_slot - Return the next available slot and increment the index 161 + * @xattrs: array storing LSM-provided xattrs 162 + * @xattr_count: number of already stored xattrs (updated) 163 + * 164 + * Retrieve the first available slot in the @xattrs array to fill with an xattr, 165 + * and increment @xattr_count. 166 + * 167 + * Return: The slot to fill in @xattrs if non-NULL, NULL otherwise. 168 + */ 169 + static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs, 170 + int *xattr_count) 171 + { 172 + if (unlikely(!xattrs)) 173 + return NULL; 174 + return &xattrs[(*xattr_count)++]; 175 + } 171 176 172 177 #endif /* ! __LINUX_LSM_HOOKS_H */

+54 -1

include/linux/security.h

··· 83 83 LSM_POLICY_CHANGE, 84 84 }; 85 85 86 + struct dm_verity_digest { 87 + const char *alg; 88 + const u8 *digest; 89 + size_t digest_len; 90 + }; 91 + 92 + enum lsm_integrity_type { 93 + LSM_INT_DMVERITY_SIG_VALID, 94 + LSM_INT_DMVERITY_ROOTHASH, 95 + LSM_INT_FSVERITY_BUILTINSIG_VALID, 96 + }; 97 + 86 98 /* 87 99 * These are reasons that can be passed to the security_locked_down() 88 100 * LSM hook. Lockdown reasons that protect kernel integrity (ie, the ··· 411 399 void security_inode_getsecid(struct inode *inode, u32 *secid); 412 400 int security_inode_copy_up(struct dentry *src, struct cred **new); 413 401 int security_inode_copy_up_xattr(struct dentry *src, const char *name); 402 + int security_inode_setintegrity(const struct inode *inode, 403 + enum lsm_integrity_type type, const void *value, 404 + size_t size); 414 405 int security_kernfs_init_security(struct kernfs_node *kn_dir, 415 406 struct kernfs_node *kn); 416 407 int security_file_permission(struct file *file, int mask); ··· 524 509 int security_locked_down(enum lockdown_reason what); 525 510 int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len, 526 511 void *val, size_t val_len, u64 id, u64 flags); 512 + int security_bdev_alloc(struct block_device *bdev); 513 + void security_bdev_free(struct block_device *bdev); 514 + int security_bdev_setintegrity(struct block_device *bdev, 515 + enum lsm_integrity_type type, const void *value, 516 + size_t size); 527 517 #else /* CONFIG_SECURITY */ 528 518 529 519 static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) ··· 654 634 655 635 static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) 656 636 { 657 - return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages)); 637 + return __vm_enough_memory(mm, pages, !cap_vm_enough_memory(mm, pages)); 658 638 } 659 639 660 640 static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm) ··· 1026 1006 } 1027 1007 1028 1008 static inline int security_inode_copy_up(struct dentry *src, struct cred **new) 1009 + { 1010 + return 0; 1011 + } 1012 + 1013 + static inline int security_inode_setintegrity(const struct inode *inode, 1014 + enum lsm_integrity_type type, 1015 + const void *value, size_t size) 1029 1016 { 1030 1017 return 0; 1031 1018 } ··· 1510 1483 { 1511 1484 return -EOPNOTSUPP; 1512 1485 } 1486 + 1487 + static inline int security_bdev_alloc(struct block_device *bdev) 1488 + { 1489 + return 0; 1490 + } 1491 + 1492 + static inline void security_bdev_free(struct block_device *bdev) 1493 + { 1494 + } 1495 + 1496 + static inline int security_bdev_setintegrity(struct block_device *bdev, 1497 + enum lsm_integrity_type type, 1498 + const void *value, size_t size) 1499 + { 1500 + return 0; 1501 + } 1502 + 1513 1503 #endif /* CONFIG_SECURITY */ 1514 1504 1515 1505 #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) ··· 2134 2090 const char *target, 2135 2091 const struct inode_operations *iops); 2136 2092 extern void securityfs_remove(struct dentry *dentry); 2093 + extern void securityfs_recursive_remove(struct dentry *dentry); 2137 2094 2138 2095 #else /* CONFIG_SECURITYFS */ 2139 2096 ··· 2300 2255 } 2301 2256 #endif /* CONFIG_SECURITY */ 2302 2257 #endif /* CONFIG_IO_URING */ 2258 + 2259 + #ifdef CONFIG_SECURITY 2260 + extern void security_initramfs_populated(void); 2261 + #else 2262 + static inline void security_initramfs_populated(void) 2263 + { 2264 + } 2265 + #endif /* CONFIG_SECURITY */ 2303 2266 2304 2267 #endif /* ! __LINUX_SECURITY_H */

+36

include/linux/unroll.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + 3 + /* 4 + * Copyright (C) 2023 Google LLC. 5 + */ 6 + 7 + #ifndef __UNROLL_H 8 + #define __UNROLL_H 9 + 10 + #include <linux/args.h> 11 + 12 + #define UNROLL(N, MACRO, args...) CONCATENATE(__UNROLL_, N)(MACRO, args) 13 + 14 + #define __UNROLL_0(MACRO, args...) 15 + #define __UNROLL_1(MACRO, args...) __UNROLL_0(MACRO, args) MACRO(0, args) 16 + #define __UNROLL_2(MACRO, args...) __UNROLL_1(MACRO, args) MACRO(1, args) 17 + #define __UNROLL_3(MACRO, args...) __UNROLL_2(MACRO, args) MACRO(2, args) 18 + #define __UNROLL_4(MACRO, args...) __UNROLL_3(MACRO, args) MACRO(3, args) 19 + #define __UNROLL_5(MACRO, args...) __UNROLL_4(MACRO, args) MACRO(4, args) 20 + #define __UNROLL_6(MACRO, args...) __UNROLL_5(MACRO, args) MACRO(5, args) 21 + #define __UNROLL_7(MACRO, args...) __UNROLL_6(MACRO, args) MACRO(6, args) 22 + #define __UNROLL_8(MACRO, args...) __UNROLL_7(MACRO, args) MACRO(7, args) 23 + #define __UNROLL_9(MACRO, args...) __UNROLL_8(MACRO, args) MACRO(8, args) 24 + #define __UNROLL_10(MACRO, args...) __UNROLL_9(MACRO, args) MACRO(9, args) 25 + #define __UNROLL_11(MACRO, args...) __UNROLL_10(MACRO, args) MACRO(10, args) 26 + #define __UNROLL_12(MACRO, args...) __UNROLL_11(MACRO, args) MACRO(11, args) 27 + #define __UNROLL_13(MACRO, args...) __UNROLL_12(MACRO, args) MACRO(12, args) 28 + #define __UNROLL_14(MACRO, args...) __UNROLL_13(MACRO, args) MACRO(13, args) 29 + #define __UNROLL_15(MACRO, args...) __UNROLL_14(MACRO, args) MACRO(14, args) 30 + #define __UNROLL_16(MACRO, args...) __UNROLL_15(MACRO, args) MACRO(15, args) 31 + #define __UNROLL_17(MACRO, args...) __UNROLL_16(MACRO, args) MACRO(16, args) 32 + #define __UNROLL_18(MACRO, args...) __UNROLL_17(MACRO, args) MACRO(17, args) 33 + #define __UNROLL_19(MACRO, args...) __UNROLL_18(MACRO, args) MACRO(18, args) 34 + #define __UNROLL_20(MACRO, args...) __UNROLL_19(MACRO, args) MACRO(19, args) 35 + 36 + #endif /* __UNROLL_H */

+3

include/uapi/linux/audit.h

··· 143 143 #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ 144 144 #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ 145 145 #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ 146 + #define AUDIT_IPE_ACCESS 1420 /* IPE denial or grant */ 147 + #define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */ 148 + #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ 146 149 147 150 #define AUDIT_FIRST_KERN_ANOM_MSG 1700 148 151 #define AUDIT_LAST_KERN_ANOM_MSG 1799

+1

include/uapi/linux/lsm.h

··· 64 64 #define LSM_ID_LANDLOCK 110 65 65 #define LSM_ID_IMA 111 66 66 #define LSM_ID_EVM 112 67 + #define LSM_ID_IPE 113 67 68 68 69 /* 69 70 * LSM_ATTR_XXX definitions identify different LSM attributes

+3

init/initramfs.c

··· 17 17 #include <linux/namei.h> 18 18 #include <linux/init_syscalls.h> 19 19 #include <linux/umh.h> 20 + #include <linux/security.h> 20 21 21 22 #include "do_mounts.h" 22 23 ··· 713 712 } 714 713 715 714 done: 715 + security_initramfs_populated(); 716 + 716 717 /* 717 718 * If the initrd region is overlapped with crashkernel reserved region, 718 719 * free only memory that is not part of crashkernel region.

+4 -2

init/main.c

··· 922 922 boot_cpu_init(); 923 923 page_address_init(); 924 924 pr_notice("%s", linux_banner); 925 - early_security_init(); 926 925 setup_arch(&command_line); 926 + /* Static keys and static calls are needed by LSMs */ 927 + jump_label_init(); 928 + static_call_init(); 929 + early_security_init(); 927 930 setup_boot_config(); 928 931 setup_command_line(command_line); 929 932 setup_nr_cpu_ids(); ··· 937 934 938 935 pr_notice("Kernel command line: %s\n", saved_command_line); 939 936 /* parameters may set static keys */ 940 - jump_label_init(); 941 937 parse_early_param(); 942 938 after_dashes = parse_args("Booting kernel", 943 939 static_command_line, __start___param,

+1

scripts/Makefile

··· 55 55 subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins 56 56 subdir-$(CONFIG_MODVERSIONS) += genksyms 57 57 subdir-$(CONFIG_SECURITY_SELINUX) += selinux 58 + subdir-$(CONFIG_SECURITY_IPE) += ipe 58 59 59 60 # Let clean descend into subdirs 60 61 subdir- += basic dtc gdb kconfig mod

+2

scripts/ipe/Makefile

··· 1 + # SPDX-License-Identifier: GPL-2.0-only 2 + subdir-y := polgen

+2

scripts/ipe/polgen/.gitignore

··· 1 + # SPDX-License-Identifier: GPL-2.0-only 2 + polgen

+5

scripts/ipe/polgen/Makefile

··· 1 + # SPDX-License-Identifier: GPL-2.0 2 + hostprogs-always-y := polgen 3 + HOST_EXTRACFLAGS += \ 4 + -I$(srctree)/include \ 5 + -I$(srctree)/include/uapi \

+145

scripts/ipe/polgen/polgen.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include <stdlib.h> 7 + #include <stddef.h> 8 + #include <stdio.h> 9 + #include <unistd.h> 10 + #include <errno.h> 11 + 12 + static void usage(const char *const name) 13 + { 14 + printf("Usage: %s OutputFile (PolicyFile)\n", name); 15 + exit(EINVAL); 16 + } 17 + 18 + static int policy_to_buffer(const char *pathname, char **buffer, size_t *size) 19 + { 20 + size_t fsize; 21 + size_t read; 22 + char *lbuf; 23 + int rc = 0; 24 + FILE *fd; 25 + 26 + fd = fopen(pathname, "r"); 27 + if (!fd) { 28 + rc = errno; 29 + goto out; 30 + } 31 + 32 + fseek(fd, 0, SEEK_END); 33 + fsize = ftell(fd); 34 + rewind(fd); 35 + 36 + lbuf = malloc(fsize); 37 + if (!lbuf) { 38 + rc = ENOMEM; 39 + goto out_close; 40 + } 41 + 42 + read = fread((void *)lbuf, sizeof(*lbuf), fsize, fd); 43 + if (read != fsize) { 44 + rc = -1; 45 + goto out_free; 46 + } 47 + 48 + *buffer = lbuf; 49 + *size = fsize; 50 + fclose(fd); 51 + 52 + return rc; 53 + 54 + out_free: 55 + free(lbuf); 56 + out_close: 57 + fclose(fd); 58 + out: 59 + return rc; 60 + } 61 + 62 + static int write_boot_policy(const char *pathname, const char *buf, size_t size) 63 + { 64 + int rc = 0; 65 + FILE *fd; 66 + size_t i; 67 + 68 + fd = fopen(pathname, "w"); 69 + if (!fd) { 70 + rc = errno; 71 + goto err; 72 + } 73 + 74 + fprintf(fd, "/* This file is automatically generated."); 75 + fprintf(fd, " Do not edit. */\n"); 76 + fprintf(fd, "#include <linux/stddef.h>\n"); 77 + fprintf(fd, "\nextern const char *const ipe_boot_policy;\n\n"); 78 + fprintf(fd, "const char *const ipe_boot_policy =\n"); 79 + 80 + if (!buf || size == 0) { 81 + fprintf(fd, "\tNULL;\n"); 82 + fclose(fd); 83 + return 0; 84 + } 85 + 86 + fprintf(fd, "\t\""); 87 + 88 + for (i = 0; i < size; ++i) { 89 + switch (buf[i]) { 90 + case '"': 91 + fprintf(fd, "\\\""); 92 + break; 93 + case '\'': 94 + fprintf(fd, "'"); 95 + break; 96 + case '\n': 97 + fprintf(fd, "\\n\"\n\t\""); 98 + break; 99 + case '\\': 100 + fprintf(fd, "\\\\"); 101 + break; 102 + case '\t': 103 + fprintf(fd, "\\t"); 104 + break; 105 + case '\?': 106 + fprintf(fd, "\\?"); 107 + break; 108 + default: 109 + fprintf(fd, "%c", buf[i]); 110 + } 111 + } 112 + fprintf(fd, "\";\n"); 113 + fclose(fd); 114 + 115 + return 0; 116 + 117 + err: 118 + if (fd) 119 + fclose(fd); 120 + return rc; 121 + } 122 + 123 + int main(int argc, const char *const argv[]) 124 + { 125 + char *policy = NULL; 126 + size_t len = 0; 127 + int rc = 0; 128 + 129 + if (argc < 2) 130 + usage(argv[0]); 131 + 132 + if (argc > 2) { 133 + rc = policy_to_buffer(argv[2], &policy, &len); 134 + if (rc != 0) 135 + goto cleanup; 136 + } 137 + 138 + rc = write_boot_policy(argv[1], policy, len); 139 + cleanup: 140 + if (policy) 141 + free(policy); 142 + if (rc != 0) 143 + perror("An error occurred during policy conversion: "); 144 + return rc; 145 + }

+6 -5

security/Kconfig

··· 224 224 source "security/safesetid/Kconfig" 225 225 source "security/lockdown/Kconfig" 226 226 source "security/landlock/Kconfig" 227 + source "security/ipe/Kconfig" 227 228 228 229 source "security/integrity/Kconfig" 229 230 ··· 264 263 265 264 config LSM 266 265 string "Ordered list of enabled LSMs" 267 - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK 268 - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR 269 - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO 270 - default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC 271 - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" 266 + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK 267 + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR 268 + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO 269 + default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC 270 + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf" 272 271 help 273 272 A comma-separated list of LSMs, in initialization order. 274 273 Any LSMs left off this list, except for those with order

+1

security/Makefile

··· 25 25 obj-$(CONFIG_CGROUPS) += device_cgroup.o 26 26 obj-$(CONFIG_BPF_LSM) += bpf/ 27 27 obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ 28 + obj-$(CONFIG_SECURITY_IPE) += ipe/ 28 29 29 30 # Object integrity file lists 30 31 obj-$(CONFIG_INTEGRITY) += integrity/

+1 -2

security/apparmor/include/net.h

··· 51 51 struct aa_label *peer; 52 52 }; 53 53 54 - #define SK_CTX(X) ((X)->sk_security) 55 54 static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) 56 55 { 57 - return sk->sk_security; 56 + return sk->sk_security + apparmor_blob_sizes.lbs_sock; 58 57 } 59 58 60 59 #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \

+1 -16

security/apparmor/lsm.c

··· 1058 1058 return error; 1059 1059 } 1060 1060 1061 - static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 1062 - { 1063 - struct aa_sk_ctx *ctx; 1064 - 1065 - ctx = kzalloc(sizeof(*ctx), flags); 1066 - if (!ctx) 1067 - return -ENOMEM; 1068 - 1069 - sk->sk_security = ctx; 1070 - 1071 - return 0; 1072 - } 1073 - 1074 1061 static void apparmor_sk_free_security(struct sock *sk) 1075 1062 { 1076 1063 struct aa_sk_ctx *ctx = aa_sock(sk); 1077 1064 1078 - sk->sk_security = NULL; 1079 1065 aa_put_label(ctx->label); 1080 1066 aa_put_label(ctx->peer); 1081 - kfree(ctx); 1082 1067 } 1083 1068 1084 1069 /** ··· 1418 1433 .lbs_cred = sizeof(struct aa_label *), 1419 1434 .lbs_file = sizeof(struct aa_file_ctx), 1420 1435 .lbs_task = sizeof(struct aa_task_ctx), 1436 + .lbs_sock = sizeof(struct aa_sk_ctx), 1421 1437 }; 1422 1438 1423 1439 static const struct lsm_id apparmor_lsmid = { ··· 1464 1478 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1465 1479 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1466 1480 1467 - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1468 1481 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1469 1482 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1470 1483

+1 -1

security/apparmor/net.c

··· 151 151 const char *op, u32 request, 152 152 struct sock *sk) 153 153 { 154 - struct aa_sk_ctx *ctx = SK_CTX(sk); 154 + struct aa_sk_ctx *ctx = aa_sock(sk); 155 155 int error = 0; 156 156 157 157 AA_BUG(!label);

+3 -8

security/commoncap.c

··· 1396 1396 * Determine whether the allocation of a new virtual mapping by the current 1397 1397 * task is permitted. 1398 1398 * 1399 - * Return: 1 if permission is granted, 0 if not. 1399 + * Return: 0 if permission granted, negative error code if not. 1400 1400 */ 1401 1401 int cap_vm_enough_memory(struct mm_struct *mm, long pages) 1402 1402 { 1403 - int cap_sys_admin = 0; 1404 - 1405 - if (cap_capable(current_cred(), &init_user_ns, 1406 - CAP_SYS_ADMIN, CAP_OPT_NOAUDIT) == 0) 1407 - cap_sys_admin = 1; 1408 - 1409 - return cap_sys_admin; 1403 + return cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, 1404 + CAP_OPT_NOAUDIT); 1410 1405 } 1411 1406 1412 1407 /**

+26 -1

security/inode.c

··· 296 296 { 297 297 struct inode *dir; 298 298 299 - if (!dentry || IS_ERR(dentry)) 299 + if (IS_ERR_OR_NULL(dentry)) 300 300 return; 301 301 302 302 dir = d_inode(dentry->d_parent); ··· 312 312 simple_release_fs(&mount, &mount_count); 313 313 } 314 314 EXPORT_SYMBOL_GPL(securityfs_remove); 315 + 316 + static void remove_one(struct dentry *victim) 317 + { 318 + simple_release_fs(&mount, &mount_count); 319 + } 320 + 321 + /** 322 + * securityfs_recursive_remove - recursively removes a file or directory 323 + * 324 + * @dentry: a pointer to a the dentry of the file or directory to be removed. 325 + * 326 + * This function recursively removes a file or directory in securityfs that was 327 + * previously created with a call to another securityfs function (like 328 + * securityfs_create_file() or variants thereof.) 329 + */ 330 + void securityfs_recursive_remove(struct dentry *dentry) 331 + { 332 + if (IS_ERR_OR_NULL(dentry)) 333 + return; 334 + 335 + simple_pin_fs(&fs_type, &mount, &mount_count); 336 + simple_recursive_removal(dentry, remove_one); 337 + simple_release_fs(&mount, &mount_count); 338 + } 339 + EXPORT_SYMBOL_GPL(securityfs_recursive_remove); 315 340 316 341 #ifdef CONFIG_SECURITY 317 342 static struct dentry *lsm_dentry;

+1 -1

security/integrity/evm/evm_main.c

··· 1000 1000 case EVM_XATTR_HMAC: 1001 1001 case EVM_IMA_XATTR_DIGSIG: 1002 1002 default: 1003 - rc = 1; /* discard */ 1003 + rc = -ECANCELED; /* discard */ 1004 1004 } 1005 1005 1006 1006 kfree(xattr_data);

+1 -1

security/integrity/ima/ima.h

··· 223 223 224 224 struct ima_iint_cache *ima_iint_find(struct inode *inode); 225 225 struct ima_iint_cache *ima_inode_get(struct inode *inode); 226 - void ima_inode_free(struct inode *inode); 226 + void ima_inode_free_rcu(void *inode_security); 227 227 void __init ima_iintcache_init(void); 228 228 229 229 extern const int read_idmap[];

+8 -12

security/integrity/ima/ima_iint.c

··· 109 109 } 110 110 111 111 /** 112 - * ima_inode_free - Called on inode free 113 - * @inode: Pointer to the inode 112 + * ima_inode_free_rcu - Called to free an inode via a RCU callback 113 + * @inode_security: The inode->i_security pointer 114 114 * 115 - * Free the iint associated with an inode. 115 + * Free the IMA data associated with an inode. 116 116 */ 117 - void ima_inode_free(struct inode *inode) 117 + void ima_inode_free_rcu(void *inode_security) 118 118 { 119 - struct ima_iint_cache *iint; 119 + struct ima_iint_cache **iint_p = inode_security + ima_blob_sizes.lbs_inode; 120 120 121 - if (!IS_IMA(inode)) 122 - return; 123 - 124 - iint = ima_iint_find(inode); 125 - ima_inode_set_iint(inode, NULL); 126 - 127 - ima_iint_free(iint); 121 + /* *iint_p should be NULL if !IS_IMA(inode) */ 122 + if (*iint_p) 123 + ima_iint_free(*iint_p); 128 124 } 129 125 130 126 static void ima_iint_init_once(void *foo)

+1 -1

security/integrity/ima/ima_main.c

··· 1193 1193 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS 1194 1194 LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request), 1195 1195 #endif 1196 - LSM_HOOK_INIT(inode_free_security, ima_inode_free), 1196 + LSM_HOOK_INIT(inode_free_security_rcu, ima_inode_free_rcu), 1197 1197 }; 1198 1198 1199 1199 static const struct lsm_id ima_lsmid = {

+2

security/ipe/.gitignore

··· 1 + # SPDX-License-Identifier: GPL-2.0-only 2 + boot_policy.c

+97

security/ipe/Kconfig

··· 1 + # SPDX-License-Identifier: GPL-2.0-only 2 + # 3 + # Integrity Policy Enforcement (IPE) configuration 4 + # 5 + 6 + menuconfig SECURITY_IPE 7 + bool "Integrity Policy Enforcement (IPE)" 8 + depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL 9 + select PKCS7_MESSAGE_PARSER 10 + select SYSTEM_DATA_VERIFICATION 11 + select IPE_PROP_DM_VERITY if DM_VERITY 12 + select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 13 + select IPE_PROP_FS_VERITY if FS_VERITY 14 + select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 15 + help 16 + This option enables the Integrity Policy Enforcement LSM 17 + allowing users to define a policy to enforce a trust-based access 18 + control. A key feature of IPE is a customizable policy to allow 19 + admins to reconfigure trust requirements on the fly. 20 + 21 + If unsure, answer N. 22 + 23 + if SECURITY_IPE 24 + config IPE_BOOT_POLICY 25 + string "Integrity policy to apply on system startup" 26 + help 27 + This option specifies a filepath to an IPE policy that is compiled 28 + into the kernel. This policy will be enforced until a policy update 29 + is deployed via the $securityfs/ipe/policies/$policy_name/active 30 + interface. 31 + 32 + If unsure, leave blank. 33 + 34 + menu "IPE Trust Providers" 35 + 36 + config IPE_PROP_DM_VERITY 37 + bool "Enable support for dm-verity based on root hash" 38 + depends on DM_VERITY 39 + help 40 + This option enables the 'dmverity_roothash' property within IPE 41 + policies. The property evaluates to TRUE when a file from a dm-verity 42 + volume is evaluated, and the volume's root hash matches the value 43 + supplied in the policy. 44 + 45 + config IPE_PROP_DM_VERITY_SIGNATURE 46 + bool "Enable support for dm-verity based on root hash signature" 47 + depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 48 + help 49 + This option enables the 'dmverity_signature' property within IPE 50 + policies. The property evaluates to TRUE when a file from a dm-verity 51 + volume, which has been mounted with a valid signed root hash, 52 + is evaluated. 53 + 54 + If unsure, answer Y. 55 + 56 + config IPE_PROP_FS_VERITY 57 + bool "Enable support for fs-verity based on file digest" 58 + depends on FS_VERITY 59 + help 60 + This option enables the 'fsverity_digest' property within IPE 61 + policies. The property evaluates to TRUE when a file is fsverity 62 + enabled and its digest matches the supplied digest value in the 63 + policy. 64 + 65 + if unsure, answer Y. 66 + 67 + config IPE_PROP_FS_VERITY_BUILTIN_SIG 68 + bool "Enable support for fs-verity based on builtin signature" 69 + depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 70 + help 71 + This option enables the 'fsverity_signature' property within IPE 72 + policies. The property evaluates to TRUE when a file is fsverity 73 + enabled and it has a valid builtin signature whose signing cert 74 + is in the .fs-verity keyring. 75 + 76 + if unsure, answer Y. 77 + 78 + endmenu 79 + 80 + config SECURITY_IPE_KUNIT_TEST 81 + bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS 82 + depends on KUNIT=y 83 + default KUNIT_ALL_TESTS 84 + help 85 + This builds the IPE KUnit tests. 86 + 87 + KUnit tests run during boot and output the results to the debug log 88 + in TAP format (https://testanything.org/). Only useful for kernel devs 89 + running KUnit test harness and are not for inclusion into a 90 + production build. 91 + 92 + For more information on KUnit and unit tests in general please refer 93 + to the KUnit documentation in Documentation/dev-tools/kunit/. 94 + 95 + If unsure, say N. 96 + 97 + endif

+31

security/ipe/Makefile

··· 1 + # SPDX-License-Identifier: GPL-2.0 2 + # 3 + # Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + # 5 + # Makefile for building the IPE module as part of the kernel tree. 6 + # 7 + 8 + quiet_cmd_polgen = IPE_POL $(2) 9 + cmd_polgen = scripts/ipe/polgen/polgen security/ipe/boot_policy.c $(2) 10 + 11 + targets += boot_policy.c 12 + 13 + $(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE 14 + $(call if_changed,polgen,$(CONFIG_IPE_BOOT_POLICY)) 15 + 16 + obj-$(CONFIG_SECURITY_IPE) += \ 17 + boot_policy.o \ 18 + digest.o \ 19 + eval.o \ 20 + hooks.o \ 21 + fs.o \ 22 + ipe.o \ 23 + policy.o \ 24 + policy_fs.o \ 25 + policy_parser.o \ 26 + audit.o \ 27 + 28 + clean-files := boot_policy.c \ 29 + 30 + obj-$(CONFIG_SECURITY_IPE_KUNIT_TEST) += \ 31 + policy_tests.o \

+292

security/ipe/audit.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include <linux/slab.h> 7 + #include <linux/audit.h> 8 + #include <linux/types.h> 9 + #include <crypto/hash.h> 10 + 11 + #include "ipe.h" 12 + #include "eval.h" 13 + #include "hooks.h" 14 + #include "policy.h" 15 + #include "audit.h" 16 + #include "digest.h" 17 + 18 + #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY") 19 + 20 + #define IPE_AUDIT_HASH_ALG "sha256" 21 + 22 + #define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\ 23 + "policy_digest=" IPE_AUDIT_HASH_ALG ":" 24 + #define AUDIT_OLD_ACTIVE_POLICY_FMT "old_active_pol_name=\"%s\" "\ 25 + "old_active_pol_version=%hu.%hu.%hu "\ 26 + "old_policy_digest=" IPE_AUDIT_HASH_ALG ":" 27 + #define AUDIT_OLD_ACTIVE_POLICY_NULL_FMT "old_active_pol_name=? "\ 28 + "old_active_pol_version=? "\ 29 + "old_policy_digest=?" 30 + #define AUDIT_NEW_ACTIVE_POLICY_FMT "new_active_pol_name=\"%s\" "\ 31 + "new_active_pol_version=%hu.%hu.%hu "\ 32 + "new_policy_digest=" IPE_AUDIT_HASH_ALG ":" 33 + 34 + static const char *const audit_op_names[__IPE_OP_MAX + 1] = { 35 + "EXECUTE", 36 + "FIRMWARE", 37 + "KMODULE", 38 + "KEXEC_IMAGE", 39 + "KEXEC_INITRAMFS", 40 + "POLICY", 41 + "X509_CERT", 42 + "UNKNOWN", 43 + }; 44 + 45 + static const char *const audit_hook_names[__IPE_HOOK_MAX] = { 46 + "BPRM_CHECK", 47 + "MMAP", 48 + "MPROTECT", 49 + "KERNEL_READ", 50 + "KERNEL_LOAD", 51 + }; 52 + 53 + static const char *const audit_prop_names[__IPE_PROP_MAX] = { 54 + "boot_verified=FALSE", 55 + "boot_verified=TRUE", 56 + "dmverity_roothash=", 57 + "dmverity_signature=FALSE", 58 + "dmverity_signature=TRUE", 59 + "fsverity_digest=", 60 + "fsverity_signature=FALSE", 61 + "fsverity_signature=TRUE", 62 + }; 63 + 64 + /** 65 + * audit_dmv_roothash() - audit the roothash of a dmverity_roothash property. 66 + * @ab: Supplies a pointer to the audit_buffer to append to. 67 + * @rh: Supplies a pointer to the digest structure. 68 + */ 69 + static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh) 70 + { 71 + audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_DMV_ROOTHASH]); 72 + ipe_digest_audit(ab, rh); 73 + } 74 + 75 + /** 76 + * audit_fsv_digest() - audit the digest of a fsverity_digest property. 77 + * @ab: Supplies a pointer to the audit_buffer to append to. 78 + * @d: Supplies a pointer to the digest structure. 79 + */ 80 + static void audit_fsv_digest(struct audit_buffer *ab, const void *d) 81 + { 82 + audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_FSV_DIGEST]); 83 + ipe_digest_audit(ab, d); 84 + } 85 + 86 + /** 87 + * audit_rule() - audit an IPE policy rule. 88 + * @ab: Supplies a pointer to the audit_buffer to append to. 89 + * @r: Supplies a pointer to the ipe_rule to approximate a string form for. 90 + */ 91 + static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r) 92 + { 93 + const struct ipe_prop *ptr; 94 + 95 + audit_log_format(ab, " rule=\"op=%s ", audit_op_names[r->op]); 96 + 97 + list_for_each_entry(ptr, &r->props, next) { 98 + switch (ptr->type) { 99 + case IPE_PROP_DMV_ROOTHASH: 100 + audit_dmv_roothash(ab, ptr->value); 101 + break; 102 + case IPE_PROP_FSV_DIGEST: 103 + audit_fsv_digest(ab, ptr->value); 104 + break; 105 + default: 106 + audit_log_format(ab, "%s", audit_prop_names[ptr->type]); 107 + break; 108 + } 109 + 110 + audit_log_format(ab, " "); 111 + } 112 + 113 + audit_log_format(ab, "action=%s\"", ACTSTR(r->action)); 114 + } 115 + 116 + /** 117 + * ipe_audit_match() - Audit a rule match in a policy evaluation. 118 + * @ctx: Supplies a pointer to the evaluation context that was used in the 119 + * evaluation. 120 + * @match_type: Supplies the scope of the match: rule, operation default, 121 + * global default. 122 + * @act: Supplies the IPE's evaluation decision, deny or allow. 123 + * @r: Supplies a pointer to the rule that was matched, if possible. 124 + */ 125 + void ipe_audit_match(const struct ipe_eval_ctx *const ctx, 126 + enum ipe_match match_type, 127 + enum ipe_action_type act, const struct ipe_rule *const r) 128 + { 129 + const char *op = audit_op_names[ctx->op]; 130 + char comm[sizeof(current->comm)]; 131 + struct audit_buffer *ab; 132 + struct inode *inode; 133 + 134 + if (act != IPE_ACTION_DENY && !READ_ONCE(success_audit)) 135 + return; 136 + 137 + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN, 138 + AUDIT_IPE_ACCESS); 139 + if (!ab) 140 + return; 141 + 142 + audit_log_format(ab, "ipe_op=%s ipe_hook=%s enforcing=%d pid=%d comm=", 143 + op, audit_hook_names[ctx->hook], READ_ONCE(enforce), 144 + task_tgid_nr(current)); 145 + audit_log_untrustedstring(ab, get_task_comm(comm, current)); 146 + 147 + if (ctx->file) { 148 + audit_log_d_path(ab, " path=", &ctx->file->f_path); 149 + inode = file_inode(ctx->file); 150 + if (inode) { 151 + audit_log_format(ab, " dev="); 152 + audit_log_untrustedstring(ab, inode->i_sb->s_id); 153 + audit_log_format(ab, " ino=%lu", inode->i_ino); 154 + } else { 155 + audit_log_format(ab, " dev=? ino=?"); 156 + } 157 + } else { 158 + audit_log_format(ab, " path=? dev=? ino=?"); 159 + } 160 + 161 + if (match_type == IPE_MATCH_RULE) 162 + audit_rule(ab, r); 163 + else if (match_type == IPE_MATCH_TABLE) 164 + audit_log_format(ab, " rule=\"DEFAULT op=%s action=%s\"", op, 165 + ACTSTR(act)); 166 + else 167 + audit_log_format(ab, " rule=\"DEFAULT action=%s\"", 168 + ACTSTR(act)); 169 + 170 + audit_log_end(ab); 171 + } 172 + 173 + /** 174 + * audit_policy() - Audit a policy's name, version and thumbprint to @ab. 175 + * @ab: Supplies a pointer to the audit buffer to append to. 176 + * @audit_format: Supplies a pointer to the audit format string 177 + * @p: Supplies a pointer to the policy to audit. 178 + */ 179 + static void audit_policy(struct audit_buffer *ab, 180 + const char *audit_format, 181 + const struct ipe_policy *const p) 182 + { 183 + SHASH_DESC_ON_STACK(desc, tfm); 184 + struct crypto_shash *tfm; 185 + u8 *digest = NULL; 186 + 187 + tfm = crypto_alloc_shash(IPE_AUDIT_HASH_ALG, 0, 0); 188 + if (IS_ERR(tfm)) 189 + return; 190 + 191 + desc->tfm = tfm; 192 + 193 + digest = kzalloc(crypto_shash_digestsize(tfm), GFP_KERNEL); 194 + if (!digest) 195 + goto out; 196 + 197 + if (crypto_shash_init(desc)) 198 + goto out; 199 + 200 + if (crypto_shash_update(desc, p->pkcs7, p->pkcs7len)) 201 + goto out; 202 + 203 + if (crypto_shash_final(desc, digest)) 204 + goto out; 205 + 206 + audit_log_format(ab, audit_format, p->parsed->name, 207 + p->parsed->version.major, p->parsed->version.minor, 208 + p->parsed->version.rev); 209 + audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm)); 210 + 211 + out: 212 + kfree(digest); 213 + crypto_free_shash(tfm); 214 + } 215 + 216 + /** 217 + * ipe_audit_policy_activation() - Audit a policy being activated. 218 + * @op: Supplies a pointer to the previously activated policy to audit. 219 + * @np: Supplies a pointer to the newly activated policy to audit. 220 + */ 221 + void ipe_audit_policy_activation(const struct ipe_policy *const op, 222 + const struct ipe_policy *const np) 223 + { 224 + struct audit_buffer *ab; 225 + 226 + ab = audit_log_start(audit_context(), GFP_KERNEL, 227 + AUDIT_IPE_CONFIG_CHANGE); 228 + if (!ab) 229 + return; 230 + 231 + if (op) { 232 + audit_policy(ab, AUDIT_OLD_ACTIVE_POLICY_FMT, op); 233 + audit_log_format(ab, " "); 234 + } else { 235 + /* 236 + * old active policy can be NULL if there is no kernel 237 + * built-in policy 238 + */ 239 + audit_log_format(ab, AUDIT_OLD_ACTIVE_POLICY_NULL_FMT); 240 + audit_log_format(ab, " "); 241 + } 242 + audit_policy(ab, AUDIT_NEW_ACTIVE_POLICY_FMT, np); 243 + audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=1", 244 + from_kuid(&init_user_ns, audit_get_loginuid(current)), 245 + audit_get_sessionid(current)); 246 + 247 + audit_log_end(ab); 248 + } 249 + 250 + /** 251 + * ipe_audit_policy_load() - Audit a policy being loaded into the kernel. 252 + * @p: Supplies a pointer to the policy to audit. 253 + */ 254 + void ipe_audit_policy_load(const struct ipe_policy *const p) 255 + { 256 + struct audit_buffer *ab; 257 + 258 + ab = audit_log_start(audit_context(), GFP_KERNEL, 259 + AUDIT_IPE_POLICY_LOAD); 260 + if (!ab) 261 + return; 262 + 263 + audit_policy(ab, AUDIT_POLICY_LOAD_FMT, p); 264 + audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=1", 265 + from_kuid(&init_user_ns, audit_get_loginuid(current)), 266 + audit_get_sessionid(current)); 267 + 268 + audit_log_end(ab); 269 + } 270 + 271 + /** 272 + * ipe_audit_enforce() - Audit a change in IPE's enforcement state. 273 + * @new_enforce: The new value enforce to be set. 274 + * @old_enforce: The old value currently in enforce. 275 + */ 276 + void ipe_audit_enforce(bool new_enforce, bool old_enforce) 277 + { 278 + struct audit_buffer *ab; 279 + 280 + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS); 281 + if (!ab) 282 + return; 283 + 284 + audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, 285 + "enforcing=%d old_enforcing=%d auid=%u ses=%u" 286 + " enabled=1 old-enabled=1 lsm=ipe res=1", 287 + new_enforce, old_enforce, 288 + from_kuid(&init_user_ns, audit_get_loginuid(current)), 289 + audit_get_sessionid(current)); 290 + 291 + audit_log_end(ab); 292 + }

+19

security/ipe/audit.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #ifndef _IPE_AUDIT_H 7 + #define _IPE_AUDIT_H 8 + 9 + #include "policy.h" 10 + 11 + void ipe_audit_match(const struct ipe_eval_ctx *const ctx, 12 + enum ipe_match match_type, 13 + enum ipe_action_type act, const struct ipe_rule *const r); 14 + void ipe_audit_policy_load(const struct ipe_policy *const p); 15 + void ipe_audit_policy_activation(const struct ipe_policy *const op, 16 + const struct ipe_policy *const np); 17 + void ipe_audit_enforce(bool new_enforce, bool old_enforce); 18 + 19 + #endif /* _IPE_AUDIT_H */

+118

security/ipe/digest.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include "digest.h" 7 + 8 + /** 9 + * ipe_digest_parse() - parse a digest in IPE's policy. 10 + * @valstr: Supplies the string parsed from the policy. 11 + * 12 + * Digests in IPE are defined in a standard way: 13 + * <alg_name>:<hex> 14 + * 15 + * Use this function to create a property to parse the digest 16 + * consistently. The parsed digest will be saved in @value in IPE's 17 + * policy. 18 + * 19 + * Return: The parsed digest_info structure on success. If an error occurs, 20 + * the function will return the error value (via ERR_PTR). 21 + */ 22 + struct digest_info *ipe_digest_parse(const char *valstr) 23 + { 24 + struct digest_info *info = NULL; 25 + char *sep, *raw_digest; 26 + size_t raw_digest_len; 27 + u8 *digest = NULL; 28 + char *alg = NULL; 29 + int rc = 0; 30 + 31 + info = kzalloc(sizeof(*info), GFP_KERNEL); 32 + if (!info) 33 + return ERR_PTR(-ENOMEM); 34 + 35 + sep = strchr(valstr, ':'); 36 + if (!sep) { 37 + rc = -EBADMSG; 38 + goto err; 39 + } 40 + 41 + alg = kstrndup(valstr, sep - valstr, GFP_KERNEL); 42 + if (!alg) { 43 + rc = -ENOMEM; 44 + goto err; 45 + } 46 + 47 + raw_digest = sep + 1; 48 + raw_digest_len = strlen(raw_digest); 49 + 50 + info->digest_len = (raw_digest_len + 1) / 2; 51 + digest = kzalloc(info->digest_len, GFP_KERNEL); 52 + if (!digest) { 53 + rc = -ENOMEM; 54 + goto err; 55 + } 56 + 57 + rc = hex2bin(digest, raw_digest, info->digest_len); 58 + if (rc < 0) { 59 + rc = -EINVAL; 60 + goto err; 61 + } 62 + 63 + info->alg = alg; 64 + info->digest = digest; 65 + return info; 66 + 67 + err: 68 + kfree(alg); 69 + kfree(digest); 70 + kfree(info); 71 + return ERR_PTR(rc); 72 + } 73 + 74 + /** 75 + * ipe_digest_eval() - evaluate an IPE digest against another digest. 76 + * @expected: Supplies the policy-provided digest value. 77 + * @digest: Supplies the digest to compare against the policy digest value. 78 + * 79 + * Return: 80 + * * %true - digests match 81 + * * %false - digests do not match 82 + */ 83 + bool ipe_digest_eval(const struct digest_info *expected, 84 + const struct digest_info *digest) 85 + { 86 + return (expected->digest_len == digest->digest_len) && 87 + (!strcmp(expected->alg, digest->alg)) && 88 + (!memcmp(expected->digest, digest->digest, expected->digest_len)); 89 + } 90 + 91 + /** 92 + * ipe_digest_free() - free an IPE digest. 93 + * @info: Supplies a pointer the policy-provided digest to free. 94 + */ 95 + void ipe_digest_free(struct digest_info *info) 96 + { 97 + if (IS_ERR_OR_NULL(info)) 98 + return; 99 + 100 + kfree(info->alg); 101 + kfree(info->digest); 102 + kfree(info); 103 + } 104 + 105 + /** 106 + * ipe_digest_audit() - audit a digest that was sourced from IPE's policy. 107 + * @ab: Supplies the audit_buffer to append the formatted result. 108 + * @info: Supplies a pointer to source the audit record from. 109 + * 110 + * Digests in IPE are audited in this format: 111 + * <alg_name>:<hex> 112 + */ 113 + void ipe_digest_audit(struct audit_buffer *ab, const struct digest_info *info) 114 + { 115 + audit_log_untrustedstring(ab, info->alg); 116 + audit_log_format(ab, ":"); 117 + audit_log_n_hex(ab, info->digest, info->digest_len); 118 + }

+26

security/ipe/digest.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #ifndef _IPE_DIGEST_H 7 + #define _IPE_DIGEST_H 8 + 9 + #include <linux/types.h> 10 + #include <linux/audit.h> 11 + 12 + #include "policy.h" 13 + 14 + struct digest_info { 15 + const char *alg; 16 + const u8 *digest; 17 + size_t digest_len; 18 + }; 19 + 20 + struct digest_info *ipe_digest_parse(const char *valstr); 21 + void ipe_digest_free(struct digest_info *digest_info); 22 + void ipe_digest_audit(struct audit_buffer *ab, const struct digest_info *val); 23 + bool ipe_digest_eval(const struct digest_info *expected, 24 + const struct digest_info *digest); 25 + 26 + #endif /* _IPE_DIGEST_H */

+393

security/ipe/eval.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include <linux/fs.h> 7 + #include <linux/types.h> 8 + #include <linux/slab.h> 9 + #include <linux/file.h> 10 + #include <linux/sched.h> 11 + #include <linux/rcupdate.h> 12 + #include <linux/moduleparam.h> 13 + #include <linux/fsverity.h> 14 + 15 + #include "ipe.h" 16 + #include "eval.h" 17 + #include "policy.h" 18 + #include "audit.h" 19 + #include "digest.h" 20 + 21 + struct ipe_policy __rcu *ipe_active_policy; 22 + bool success_audit; 23 + bool enforce = true; 24 + #define INO_BLOCK_DEV(ino) ((ino)->i_sb->s_bdev) 25 + 26 + #define FILE_SUPERBLOCK(f) ((f)->f_path.mnt->mnt_sb) 27 + 28 + /** 29 + * build_ipe_sb_ctx() - Build initramfs field of an ipe evaluation context. 30 + * @ctx: Supplies a pointer to the context to be populated. 31 + * @file: Supplies the file struct of the file triggered IPE event. 32 + */ 33 + static void build_ipe_sb_ctx(struct ipe_eval_ctx *ctx, const struct file *const file) 34 + { 35 + ctx->initramfs = ipe_sb(FILE_SUPERBLOCK(file))->initramfs; 36 + } 37 + 38 + #ifdef CONFIG_IPE_PROP_DM_VERITY 39 + /** 40 + * build_ipe_bdev_ctx() - Build ipe_bdev field of an evaluation context. 41 + * @ctx: Supplies a pointer to the context to be populated. 42 + * @ino: Supplies the inode struct of the file triggered IPE event. 43 + */ 44 + static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino) 45 + { 46 + if (INO_BLOCK_DEV(ino)) 47 + ctx->ipe_bdev = ipe_bdev(INO_BLOCK_DEV(ino)); 48 + } 49 + #else 50 + static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino) 51 + { 52 + } 53 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 54 + 55 + #ifdef CONFIG_IPE_PROP_FS_VERITY 56 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 57 + static void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx, 58 + const struct inode *const ino) 59 + { 60 + ctx->ipe_inode = ipe_inode(ctx->ino); 61 + } 62 + #else 63 + static inline void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx, 64 + const struct inode *const ino) 65 + { 66 + } 67 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 68 + 69 + /** 70 + * build_ipe_inode_ctx() - Build inode fields of an evaluation context. 71 + * @ctx: Supplies a pointer to the context to be populated. 72 + * @ino: Supplies the inode struct of the file triggered IPE event. 73 + */ 74 + static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino) 75 + { 76 + ctx->ino = ino; 77 + build_ipe_inode_blob_ctx(ctx, ino); 78 + } 79 + #else 80 + static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino) 81 + { 82 + } 83 + #endif /* CONFIG_IPE_PROP_FS_VERITY */ 84 + 85 + /** 86 + * ipe_build_eval_ctx() - Build an ipe evaluation context. 87 + * @ctx: Supplies a pointer to the context to be populated. 88 + * @file: Supplies a pointer to the file to associated with the evaluation. 89 + * @op: Supplies the IPE policy operation associated with the evaluation. 90 + * @hook: Supplies the LSM hook associated with the evaluation. 91 + */ 92 + void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx, 93 + const struct file *file, 94 + enum ipe_op_type op, 95 + enum ipe_hook_type hook) 96 + { 97 + struct inode *ino; 98 + 99 + ctx->file = file; 100 + ctx->op = op; 101 + ctx->hook = hook; 102 + 103 + if (file) { 104 + build_ipe_sb_ctx(ctx, file); 105 + ino = d_real_inode(file->f_path.dentry); 106 + build_ipe_bdev_ctx(ctx, ino); 107 + build_ipe_inode_ctx(ctx, ino); 108 + } 109 + } 110 + 111 + /** 112 + * evaluate_boot_verified() - Evaluate @ctx for the boot verified property. 113 + * @ctx: Supplies a pointer to the context being evaluated. 114 + * 115 + * Return: 116 + * * %true - The current @ctx match the @p 117 + * * %false - The current @ctx doesn't match the @p 118 + */ 119 + static bool evaluate_boot_verified(const struct ipe_eval_ctx *const ctx) 120 + { 121 + return ctx->initramfs; 122 + } 123 + 124 + #ifdef CONFIG_IPE_PROP_DM_VERITY 125 + /** 126 + * evaluate_dmv_roothash() - Evaluate @ctx against a dmv roothash property. 127 + * @ctx: Supplies a pointer to the context being evaluated. 128 + * @p: Supplies a pointer to the property being evaluated. 129 + * 130 + * Return: 131 + * * %true - The current @ctx match the @p 132 + * * %false - The current @ctx doesn't match the @p 133 + */ 134 + static bool evaluate_dmv_roothash(const struct ipe_eval_ctx *const ctx, 135 + struct ipe_prop *p) 136 + { 137 + return !!ctx->ipe_bdev && 138 + !!ctx->ipe_bdev->root_hash && 139 + ipe_digest_eval(p->value, 140 + ctx->ipe_bdev->root_hash); 141 + } 142 + #else 143 + static bool evaluate_dmv_roothash(const struct ipe_eval_ctx *const ctx, 144 + struct ipe_prop *p) 145 + { 146 + return false; 147 + } 148 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 149 + 150 + #ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE 151 + /** 152 + * evaluate_dmv_sig_false() - Evaluate @ctx against a dmv sig false property. 153 + * @ctx: Supplies a pointer to the context being evaluated. 154 + * 155 + * Return: 156 + * * %true - The current @ctx match the property 157 + * * %false - The current @ctx doesn't match the property 158 + */ 159 + static bool evaluate_dmv_sig_false(const struct ipe_eval_ctx *const ctx) 160 + { 161 + return !ctx->ipe_bdev || (!ctx->ipe_bdev->dm_verity_signed); 162 + } 163 + 164 + /** 165 + * evaluate_dmv_sig_true() - Evaluate @ctx against a dmv sig true property. 166 + * @ctx: Supplies a pointer to the context being evaluated. 167 + * 168 + * Return: 169 + * * %true - The current @ctx match the property 170 + * * %false - The current @ctx doesn't match the property 171 + */ 172 + static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx) 173 + { 174 + return !evaluate_dmv_sig_false(ctx); 175 + } 176 + #else 177 + static bool evaluate_dmv_sig_false(const struct ipe_eval_ctx *const ctx) 178 + { 179 + return false; 180 + } 181 + 182 + static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx) 183 + { 184 + return false; 185 + } 186 + #endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */ 187 + 188 + #ifdef CONFIG_IPE_PROP_FS_VERITY 189 + /** 190 + * evaluate_fsv_digest() - Evaluate @ctx against a fsv digest property. 191 + * @ctx: Supplies a pointer to the context being evaluated. 192 + * @p: Supplies a pointer to the property being evaluated. 193 + * 194 + * Return: 195 + * * %true - The current @ctx match the @p 196 + * * %false - The current @ctx doesn't match the @p 197 + */ 198 + static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx, 199 + struct ipe_prop *p) 200 + { 201 + enum hash_algo alg; 202 + u8 digest[FS_VERITY_MAX_DIGEST_SIZE]; 203 + struct digest_info info; 204 + 205 + if (!ctx->ino) 206 + return false; 207 + if (!fsverity_get_digest((struct inode *)ctx->ino, 208 + digest, 209 + NULL, 210 + &alg)) 211 + return false; 212 + 213 + info.alg = hash_algo_name[alg]; 214 + info.digest = digest; 215 + info.digest_len = hash_digest_size[alg]; 216 + 217 + return ipe_digest_eval(p->value, &info); 218 + } 219 + #else 220 + static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx, 221 + struct ipe_prop *p) 222 + { 223 + return false; 224 + } 225 + #endif /* CONFIG_IPE_PROP_FS_VERITY */ 226 + 227 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 228 + /** 229 + * evaluate_fsv_sig_false() - Evaluate @ctx against a fsv sig false property. 230 + * @ctx: Supplies a pointer to the context being evaluated. 231 + * 232 + * Return: 233 + * * %true - The current @ctx match the property 234 + * * %false - The current @ctx doesn't match the property 235 + */ 236 + static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx) 237 + { 238 + return !ctx->ino || 239 + !IS_VERITY(ctx->ino) || 240 + !ctx->ipe_inode || 241 + !ctx->ipe_inode->fs_verity_signed; 242 + } 243 + 244 + /** 245 + * evaluate_fsv_sig_true() - Evaluate @ctx against a fsv sig true property. 246 + * @ctx: Supplies a pointer to the context being evaluated. 247 + * 248 + * Return: 249 + * * %true - The current @ctx match the property 250 + * * %false - The current @ctx doesn't match the property 251 + */ 252 + static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx) 253 + { 254 + return !evaluate_fsv_sig_false(ctx); 255 + } 256 + #else 257 + static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx) 258 + { 259 + return false; 260 + } 261 + 262 + static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx) 263 + { 264 + return false; 265 + } 266 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 267 + 268 + /** 269 + * evaluate_property() - Analyze @ctx against a rule property. 270 + * @ctx: Supplies a pointer to the context to be evaluated. 271 + * @p: Supplies a pointer to the property to be evaluated. 272 + * 273 + * This function Determines whether the specified @ctx 274 + * matches the conditions defined by a rule property @p. 275 + * 276 + * Return: 277 + * * %true - The current @ctx match the @p 278 + * * %false - The current @ctx doesn't match the @p 279 + */ 280 + static bool evaluate_property(const struct ipe_eval_ctx *const ctx, 281 + struct ipe_prop *p) 282 + { 283 + switch (p->type) { 284 + case IPE_PROP_BOOT_VERIFIED_FALSE: 285 + return !evaluate_boot_verified(ctx); 286 + case IPE_PROP_BOOT_VERIFIED_TRUE: 287 + return evaluate_boot_verified(ctx); 288 + case IPE_PROP_DMV_ROOTHASH: 289 + return evaluate_dmv_roothash(ctx, p); 290 + case IPE_PROP_DMV_SIG_FALSE: 291 + return evaluate_dmv_sig_false(ctx); 292 + case IPE_PROP_DMV_SIG_TRUE: 293 + return evaluate_dmv_sig_true(ctx); 294 + case IPE_PROP_FSV_DIGEST: 295 + return evaluate_fsv_digest(ctx, p); 296 + case IPE_PROP_FSV_SIG_FALSE: 297 + return evaluate_fsv_sig_false(ctx); 298 + case IPE_PROP_FSV_SIG_TRUE: 299 + return evaluate_fsv_sig_true(ctx); 300 + default: 301 + return false; 302 + } 303 + } 304 + 305 + /** 306 + * ipe_evaluate_event() - Analyze @ctx against the current active policy. 307 + * @ctx: Supplies a pointer to the context to be evaluated. 308 + * 309 + * This is the loop where all policy evaluations happen against the IPE policy. 310 + * 311 + * Return: 312 + * * %0 - Success 313 + * * %-EACCES - @ctx did not pass evaluation 314 + */ 315 + int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx) 316 + { 317 + const struct ipe_op_table *rules = NULL; 318 + const struct ipe_rule *rule = NULL; 319 + struct ipe_policy *pol = NULL; 320 + struct ipe_prop *prop = NULL; 321 + enum ipe_action_type action; 322 + enum ipe_match match_type; 323 + bool match = false; 324 + int rc = 0; 325 + 326 + rcu_read_lock(); 327 + 328 + pol = rcu_dereference(ipe_active_policy); 329 + if (!pol) { 330 + rcu_read_unlock(); 331 + return 0; 332 + } 333 + 334 + if (ctx->op == IPE_OP_INVALID) { 335 + if (pol->parsed->global_default_action == IPE_ACTION_INVALID) { 336 + WARN(1, "no default rule set for unknown op, ALLOW it"); 337 + action = IPE_ACTION_ALLOW; 338 + } else { 339 + action = pol->parsed->global_default_action; 340 + } 341 + match_type = IPE_MATCH_GLOBAL; 342 + goto eval; 343 + } 344 + 345 + rules = &pol->parsed->rules[ctx->op]; 346 + 347 + list_for_each_entry(rule, &rules->rules, next) { 348 + match = true; 349 + 350 + list_for_each_entry(prop, &rule->props, next) { 351 + match = evaluate_property(ctx, prop); 352 + if (!match) 353 + break; 354 + } 355 + 356 + if (match) 357 + break; 358 + } 359 + 360 + if (match) { 361 + action = rule->action; 362 + match_type = IPE_MATCH_RULE; 363 + } else if (rules->default_action != IPE_ACTION_INVALID) { 364 + action = rules->default_action; 365 + match_type = IPE_MATCH_TABLE; 366 + } else { 367 + action = pol->parsed->global_default_action; 368 + match_type = IPE_MATCH_GLOBAL; 369 + } 370 + 371 + eval: 372 + ipe_audit_match(ctx, match_type, action, rule); 373 + rcu_read_unlock(); 374 + 375 + if (action == IPE_ACTION_DENY) 376 + rc = -EACCES; 377 + 378 + if (!READ_ONCE(enforce)) 379 + rc = 0; 380 + 381 + return rc; 382 + } 383 + 384 + /* Set the right module name */ 385 + #ifdef KBUILD_MODNAME 386 + #undef KBUILD_MODNAME 387 + #define KBUILD_MODNAME "ipe" 388 + #endif 389 + 390 + module_param(success_audit, bool, 0400); 391 + MODULE_PARM_DESC(success_audit, "Start IPE with success auditing enabled"); 392 + module_param(enforce, bool, 0400); 393 + MODULE_PARM_DESC(enforce, "Start IPE in enforce or permissive mode");

+70

security/ipe/eval.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #ifndef _IPE_EVAL_H 7 + #define _IPE_EVAL_H 8 + 9 + #include <linux/file.h> 10 + #include <linux/types.h> 11 + 12 + #include "policy.h" 13 + #include "hooks.h" 14 + 15 + #define IPE_EVAL_CTX_INIT ((struct ipe_eval_ctx){ 0 }) 16 + 17 + extern struct ipe_policy __rcu *ipe_active_policy; 18 + extern bool success_audit; 19 + extern bool enforce; 20 + 21 + struct ipe_superblock { 22 + bool initramfs; 23 + }; 24 + 25 + #ifdef CONFIG_IPE_PROP_DM_VERITY 26 + struct ipe_bdev { 27 + #ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE 28 + bool dm_verity_signed; 29 + #endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */ 30 + struct digest_info *root_hash; 31 + }; 32 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 33 + 34 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 35 + struct ipe_inode { 36 + bool fs_verity_signed; 37 + }; 38 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 39 + 40 + struct ipe_eval_ctx { 41 + enum ipe_op_type op; 42 + enum ipe_hook_type hook; 43 + 44 + const struct file *file; 45 + bool initramfs; 46 + #ifdef CONFIG_IPE_PROP_DM_VERITY 47 + const struct ipe_bdev *ipe_bdev; 48 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 49 + #ifdef CONFIG_IPE_PROP_FS_VERITY 50 + const struct inode *ino; 51 + #endif /* CONFIG_IPE_PROP_FS_VERITY */ 52 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 53 + const struct ipe_inode *ipe_inode; 54 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 55 + }; 56 + 57 + enum ipe_match { 58 + IPE_MATCH_RULE = 0, 59 + IPE_MATCH_TABLE, 60 + IPE_MATCH_GLOBAL, 61 + __IPE_MATCH_MAX 62 + }; 63 + 64 + void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx, 65 + const struct file *file, 66 + enum ipe_op_type op, 67 + enum ipe_hook_type hook); 68 + int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx); 69 + 70 + #endif /* _IPE_EVAL_H */

+247

security/ipe/fs.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include <linux/dcache.h> 7 + #include <linux/security.h> 8 + 9 + #include "ipe.h" 10 + #include "fs.h" 11 + #include "eval.h" 12 + #include "policy.h" 13 + #include "audit.h" 14 + 15 + static struct dentry *np __ro_after_init; 16 + static struct dentry *root __ro_after_init; 17 + struct dentry *policy_root __ro_after_init; 18 + static struct dentry *audit_node __ro_after_init; 19 + static struct dentry *enforce_node __ro_after_init; 20 + 21 + /** 22 + * setaudit() - Write handler for the securityfs node, "ipe/success_audit" 23 + * @f: Supplies a file structure representing the securityfs node. 24 + * @data: Supplies a buffer passed to the write syscall. 25 + * @len: Supplies the length of @data. 26 + * @offset: unused. 27 + * 28 + * Return: 29 + * * Length of buffer written - Success 30 + * * %-EPERM - Insufficient permission 31 + */ 32 + static ssize_t setaudit(struct file *f, const char __user *data, 33 + size_t len, loff_t *offset) 34 + { 35 + int rc = 0; 36 + bool value; 37 + 38 + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) 39 + return -EPERM; 40 + 41 + rc = kstrtobool_from_user(data, len, &value); 42 + if (rc) 43 + return rc; 44 + 45 + WRITE_ONCE(success_audit, value); 46 + 47 + return len; 48 + } 49 + 50 + /** 51 + * getaudit() - Read handler for the securityfs node, "ipe/success_audit" 52 + * @f: Supplies a file structure representing the securityfs node. 53 + * @data: Supplies a buffer passed to the read syscall. 54 + * @len: Supplies the length of @data. 55 + * @offset: unused. 56 + * 57 + * Return: Length of buffer written 58 + */ 59 + static ssize_t getaudit(struct file *f, char __user *data, 60 + size_t len, loff_t *offset) 61 + { 62 + const char *result; 63 + 64 + result = ((READ_ONCE(success_audit)) ? "1" : "0"); 65 + 66 + return simple_read_from_buffer(data, len, offset, result, 1); 67 + } 68 + 69 + /** 70 + * setenforce() - Write handler for the securityfs node, "ipe/enforce" 71 + * @f: Supplies a file structure representing the securityfs node. 72 + * @data: Supplies a buffer passed to the write syscall. 73 + * @len: Supplies the length of @data. 74 + * @offset: unused. 75 + * 76 + * Return: 77 + * * Length of buffer written - Success 78 + * * %-EPERM - Insufficient permission 79 + */ 80 + static ssize_t setenforce(struct file *f, const char __user *data, 81 + size_t len, loff_t *offset) 82 + { 83 + int rc = 0; 84 + bool new_value, old_value; 85 + 86 + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) 87 + return -EPERM; 88 + 89 + old_value = READ_ONCE(enforce); 90 + rc = kstrtobool_from_user(data, len, &new_value); 91 + if (rc) 92 + return rc; 93 + 94 + if (new_value != old_value) { 95 + ipe_audit_enforce(new_value, old_value); 96 + WRITE_ONCE(enforce, new_value); 97 + } 98 + 99 + return len; 100 + } 101 + 102 + /** 103 + * getenforce() - Read handler for the securityfs node, "ipe/enforce" 104 + * @f: Supplies a file structure representing the securityfs node. 105 + * @data: Supplies a buffer passed to the read syscall. 106 + * @len: Supplies the length of @data. 107 + * @offset: unused. 108 + * 109 + * Return: Length of buffer written 110 + */ 111 + static ssize_t getenforce(struct file *f, char __user *data, 112 + size_t len, loff_t *offset) 113 + { 114 + const char *result; 115 + 116 + result = ((READ_ONCE(enforce)) ? "1" : "0"); 117 + 118 + return simple_read_from_buffer(data, len, offset, result, 1); 119 + } 120 + 121 + /** 122 + * new_policy() - Write handler for the securityfs node, "ipe/new_policy". 123 + * @f: Supplies a file structure representing the securityfs node. 124 + * @data: Supplies a buffer passed to the write syscall. 125 + * @len: Supplies the length of @data. 126 + * @offset: unused. 127 + * 128 + * Return: 129 + * * Length of buffer written - Success 130 + * * %-EPERM - Insufficient permission 131 + * * %-ENOMEM - Out of memory (OOM) 132 + * * %-EBADMSG - Policy is invalid 133 + * * %-ERANGE - Policy version number overflow 134 + * * %-EINVAL - Policy version parsing error 135 + * * %-EEXIST - Same name policy already deployed 136 + */ 137 + static ssize_t new_policy(struct file *f, const char __user *data, 138 + size_t len, loff_t *offset) 139 + { 140 + struct ipe_policy *p = NULL; 141 + char *copy = NULL; 142 + int rc = 0; 143 + 144 + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) 145 + return -EPERM; 146 + 147 + copy = memdup_user_nul(data, len); 148 + if (IS_ERR(copy)) 149 + return PTR_ERR(copy); 150 + 151 + p = ipe_new_policy(NULL, 0, copy, len); 152 + if (IS_ERR(p)) { 153 + rc = PTR_ERR(p); 154 + goto out; 155 + } 156 + 157 + rc = ipe_new_policyfs_node(p); 158 + if (rc) 159 + goto out; 160 + 161 + ipe_audit_policy_load(p); 162 + 163 + out: 164 + if (rc < 0) 165 + ipe_free_policy(p); 166 + kfree(copy); 167 + return (rc < 0) ? rc : len; 168 + } 169 + 170 + static const struct file_operations np_fops = { 171 + .write = new_policy, 172 + }; 173 + 174 + static const struct file_operations audit_fops = { 175 + .write = setaudit, 176 + .read = getaudit, 177 + }; 178 + 179 + static const struct file_operations enforce_fops = { 180 + .write = setenforce, 181 + .read = getenforce, 182 + }; 183 + 184 + /** 185 + * ipe_init_securityfs() - Initialize IPE's securityfs tree at fsinit. 186 + * 187 + * Return: %0 on success. If an error occurs, the function will return 188 + * the -errno. 189 + */ 190 + static int __init ipe_init_securityfs(void) 191 + { 192 + int rc = 0; 193 + struct ipe_policy *ap; 194 + 195 + if (!ipe_enabled) 196 + return -EOPNOTSUPP; 197 + 198 + root = securityfs_create_dir("ipe", NULL); 199 + if (IS_ERR(root)) { 200 + rc = PTR_ERR(root); 201 + goto err; 202 + } 203 + 204 + audit_node = securityfs_create_file("success_audit", 0600, root, 205 + NULL, &audit_fops); 206 + if (IS_ERR(audit_node)) { 207 + rc = PTR_ERR(audit_node); 208 + goto err; 209 + } 210 + 211 + enforce_node = securityfs_create_file("enforce", 0600, root, NULL, 212 + &enforce_fops); 213 + if (IS_ERR(enforce_node)) { 214 + rc = PTR_ERR(enforce_node); 215 + goto err; 216 + } 217 + 218 + policy_root = securityfs_create_dir("policies", root); 219 + if (IS_ERR(policy_root)) { 220 + rc = PTR_ERR(policy_root); 221 + goto err; 222 + } 223 + 224 + ap = rcu_access_pointer(ipe_active_policy); 225 + if (ap) { 226 + rc = ipe_new_policyfs_node(ap); 227 + if (rc) 228 + goto err; 229 + } 230 + 231 + np = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops); 232 + if (IS_ERR(np)) { 233 + rc = PTR_ERR(np); 234 + goto err; 235 + } 236 + 237 + return 0; 238 + err: 239 + securityfs_remove(np); 240 + securityfs_remove(policy_root); 241 + securityfs_remove(enforce_node); 242 + securityfs_remove(audit_node); 243 + securityfs_remove(root); 244 + return rc; 245 + } 246 + 247 + fs_initcall(ipe_init_securityfs);

+16

security/ipe/fs.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #ifndef _IPE_FS_H 7 + #define _IPE_FS_H 8 + 9 + #include "policy.h" 10 + 11 + extern struct dentry *policy_root __ro_after_init; 12 + 13 + int ipe_new_policyfs_node(struct ipe_policy *p); 14 + void ipe_del_policyfs_node(struct ipe_policy *p); 15 + 16 + #endif /* _IPE_FS_H */

+314

security/ipe/hooks.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include <linux/fs.h> 7 + #include <linux/fs_struct.h> 8 + #include <linux/types.h> 9 + #include <linux/binfmts.h> 10 + #include <linux/mman.h> 11 + #include <linux/blk_types.h> 12 + 13 + #include "ipe.h" 14 + #include "hooks.h" 15 + #include "eval.h" 16 + #include "digest.h" 17 + 18 + /** 19 + * ipe_bprm_check_security() - ipe security hook function for bprm check. 20 + * @bprm: Supplies a pointer to a linux_binprm structure to source the file 21 + * being evaluated. 22 + * 23 + * This LSM hook is called when a binary is loaded through the exec 24 + * family of system calls. 25 + * 26 + * Return: 27 + * * %0 - Success 28 + * * %-EACCES - Did not pass IPE policy 29 + */ 30 + int ipe_bprm_check_security(struct linux_binprm *bprm) 31 + { 32 + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; 33 + 34 + ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK); 35 + return ipe_evaluate_event(&ctx); 36 + } 37 + 38 + /** 39 + * ipe_mmap_file() - ipe security hook function for mmap check. 40 + * @f: File being mmap'd. Can be NULL in the case of anonymous memory. 41 + * @reqprot: The requested protection on the mmap, passed from usermode. 42 + * @prot: The effective protection on the mmap, resolved from reqprot and 43 + * system configuration. 44 + * @flags: Unused. 45 + * 46 + * This hook is called when a file is loaded through the mmap 47 + * family of system calls. 48 + * 49 + * Return: 50 + * * %0 - Success 51 + * * %-EACCES - Did not pass IPE policy 52 + */ 53 + int ipe_mmap_file(struct file *f, unsigned long reqprot __always_unused, 54 + unsigned long prot, unsigned long flags) 55 + { 56 + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; 57 + 58 + if (prot & PROT_EXEC) { 59 + ipe_build_eval_ctx(&ctx, f, IPE_OP_EXEC, IPE_HOOK_MMAP); 60 + return ipe_evaluate_event(&ctx); 61 + } 62 + 63 + return 0; 64 + } 65 + 66 + /** 67 + * ipe_file_mprotect() - ipe security hook function for mprotect check. 68 + * @vma: Existing virtual memory area created by mmap or similar. 69 + * @reqprot: The requested protection on the mmap, passed from usermode. 70 + * @prot: The effective protection on the mmap, resolved from reqprot and 71 + * system configuration. 72 + * 73 + * This LSM hook is called when a mmap'd region of memory is changing 74 + * its protections via mprotect. 75 + * 76 + * Return: 77 + * * %0 - Success 78 + * * %-EACCES - Did not pass IPE policy 79 + */ 80 + int ipe_file_mprotect(struct vm_area_struct *vma, 81 + unsigned long reqprot __always_unused, 82 + unsigned long prot) 83 + { 84 + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; 85 + 86 + /* Already Executable */ 87 + if (vma->vm_flags & VM_EXEC) 88 + return 0; 89 + 90 + if (prot & PROT_EXEC) { 91 + ipe_build_eval_ctx(&ctx, vma->vm_file, IPE_OP_EXEC, IPE_HOOK_MPROTECT); 92 + return ipe_evaluate_event(&ctx); 93 + } 94 + 95 + return 0; 96 + } 97 + 98 + /** 99 + * ipe_kernel_read_file() - ipe security hook function for kernel read. 100 + * @file: Supplies a pointer to the file structure being read in from disk. 101 + * @id: Supplies the enumeration identifying the purpose of the read. 102 + * @contents: Unused. 103 + * 104 + * This LSM hook is called when a file is read from disk in the kernel. 105 + * 106 + * Return: 107 + * * %0 - Success 108 + * * %-EACCES - Did not pass IPE policy 109 + */ 110 + int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, 111 + bool contents) 112 + { 113 + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; 114 + enum ipe_op_type op; 115 + 116 + switch (id) { 117 + case READING_FIRMWARE: 118 + op = IPE_OP_FIRMWARE; 119 + break; 120 + case READING_MODULE: 121 + op = IPE_OP_KERNEL_MODULE; 122 + break; 123 + case READING_KEXEC_INITRAMFS: 124 + op = IPE_OP_KEXEC_INITRAMFS; 125 + break; 126 + case READING_KEXEC_IMAGE: 127 + op = IPE_OP_KEXEC_IMAGE; 128 + break; 129 + case READING_POLICY: 130 + op = IPE_OP_POLICY; 131 + break; 132 + case READING_X509_CERTIFICATE: 133 + op = IPE_OP_X509; 134 + break; 135 + default: 136 + op = IPE_OP_INVALID; 137 + WARN(1, "no rule setup for kernel_read_file enum %d", id); 138 + } 139 + 140 + ipe_build_eval_ctx(&ctx, file, op, IPE_HOOK_KERNEL_READ); 141 + return ipe_evaluate_event(&ctx); 142 + } 143 + 144 + /** 145 + * ipe_kernel_load_data() - ipe security hook function for kernel load data. 146 + * @id: Supplies the enumeration identifying the purpose of the load. 147 + * @contents: Unused. 148 + * 149 + * This LSM hook is called when a data buffer provided by userspace is loading 150 + * into the kernel. 151 + * 152 + * Return: 153 + * * %0 - Success 154 + * * %-EACCES - Did not pass IPE policy 155 + */ 156 + int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents) 157 + { 158 + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; 159 + enum ipe_op_type op; 160 + 161 + switch (id) { 162 + case LOADING_FIRMWARE: 163 + op = IPE_OP_FIRMWARE; 164 + break; 165 + case LOADING_MODULE: 166 + op = IPE_OP_KERNEL_MODULE; 167 + break; 168 + case LOADING_KEXEC_INITRAMFS: 169 + op = IPE_OP_KEXEC_INITRAMFS; 170 + break; 171 + case LOADING_KEXEC_IMAGE: 172 + op = IPE_OP_KEXEC_IMAGE; 173 + break; 174 + case LOADING_POLICY: 175 + op = IPE_OP_POLICY; 176 + break; 177 + case LOADING_X509_CERTIFICATE: 178 + op = IPE_OP_X509; 179 + break; 180 + default: 181 + op = IPE_OP_INVALID; 182 + WARN(1, "no rule setup for kernel_load_data enum %d", id); 183 + } 184 + 185 + ipe_build_eval_ctx(&ctx, NULL, op, IPE_HOOK_KERNEL_LOAD); 186 + return ipe_evaluate_event(&ctx); 187 + } 188 + 189 + /** 190 + * ipe_unpack_initramfs() - Mark the current rootfs as initramfs. 191 + */ 192 + void ipe_unpack_initramfs(void) 193 + { 194 + ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true; 195 + } 196 + 197 + #ifdef CONFIG_IPE_PROP_DM_VERITY 198 + /** 199 + * ipe_bdev_free_security() - Free IPE's LSM blob of block_devices. 200 + * @bdev: Supplies a pointer to a block_device that contains the structure 201 + * to free. 202 + */ 203 + void ipe_bdev_free_security(struct block_device *bdev) 204 + { 205 + struct ipe_bdev *blob = ipe_bdev(bdev); 206 + 207 + ipe_digest_free(blob->root_hash); 208 + } 209 + 210 + #ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE 211 + static void ipe_set_dmverity_signature(struct ipe_bdev *blob, 212 + const void *value, 213 + size_t size) 214 + { 215 + blob->dm_verity_signed = size > 0 && value; 216 + } 217 + #else 218 + static inline void ipe_set_dmverity_signature(struct ipe_bdev *blob, 219 + const void *value, 220 + size_t size) 221 + { 222 + } 223 + #endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */ 224 + 225 + /** 226 + * ipe_bdev_setintegrity() - Save integrity data from a bdev to IPE's LSM blob. 227 + * @bdev: Supplies a pointer to a block_device that contains the LSM blob. 228 + * @type: Supplies the integrity type. 229 + * @value: Supplies the value to store. 230 + * @size: The size of @value. 231 + * 232 + * This hook is currently used to save dm-verity's root hash or the existence 233 + * of a validated signed dm-verity root hash into LSM blob. 234 + * 235 + * Return: %0 on success. If an error occurs, the function will return the 236 + * -errno. 237 + */ 238 + int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type, 239 + const void *value, size_t size) 240 + { 241 + const struct dm_verity_digest *digest = NULL; 242 + struct ipe_bdev *blob = ipe_bdev(bdev); 243 + struct digest_info *info = NULL; 244 + 245 + if (type == LSM_INT_DMVERITY_SIG_VALID) { 246 + ipe_set_dmverity_signature(blob, value, size); 247 + 248 + return 0; 249 + } 250 + 251 + if (type != LSM_INT_DMVERITY_ROOTHASH) 252 + return -EINVAL; 253 + 254 + if (!value) { 255 + ipe_digest_free(blob->root_hash); 256 + blob->root_hash = NULL; 257 + 258 + return 0; 259 + } 260 + digest = value; 261 + 262 + info = kzalloc(sizeof(*info), GFP_KERNEL); 263 + if (!info) 264 + return -ENOMEM; 265 + 266 + info->digest = kmemdup(digest->digest, digest->digest_len, GFP_KERNEL); 267 + if (!info->digest) 268 + goto err; 269 + 270 + info->alg = kstrdup(digest->alg, GFP_KERNEL); 271 + if (!info->alg) 272 + goto err; 273 + 274 + info->digest_len = digest->digest_len; 275 + 276 + ipe_digest_free(blob->root_hash); 277 + blob->root_hash = info; 278 + 279 + return 0; 280 + err: 281 + ipe_digest_free(info); 282 + 283 + return -ENOMEM; 284 + } 285 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 286 + 287 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 288 + /** 289 + * ipe_inode_setintegrity() - save integrity data from a inode to IPE's LSM blob. 290 + * @inode: The inode to source the security blob from. 291 + * @type: Supplies the integrity type. 292 + * @value: The value to be stored. 293 + * @size: The size of @value. 294 + * 295 + * This hook is currently used to save the existence of a validated fs-verity 296 + * builtin signature into LSM blob. 297 + * 298 + * Return: %0 on success. If an error occurs, the function will return the 299 + * -errno. 300 + */ 301 + int ipe_inode_setintegrity(const struct inode *inode, 302 + enum lsm_integrity_type type, 303 + const void *value, size_t size) 304 + { 305 + struct ipe_inode *inode_sec = ipe_inode(inode); 306 + 307 + if (type == LSM_INT_FSVERITY_BUILTINSIG_VALID) { 308 + inode_sec->fs_verity_signed = size > 0 && value; 309 + return 0; 310 + } 311 + 312 + return -EINVAL; 313 + } 314 + #endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */

+52

security/ipe/hooks.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + #ifndef _IPE_HOOKS_H 6 + #define _IPE_HOOKS_H 7 + 8 + #include <linux/fs.h> 9 + #include <linux/binfmts.h> 10 + #include <linux/security.h> 11 + #include <linux/blk_types.h> 12 + #include <linux/fsverity.h> 13 + 14 + enum ipe_hook_type { 15 + IPE_HOOK_BPRM_CHECK = 0, 16 + IPE_HOOK_MMAP, 17 + IPE_HOOK_MPROTECT, 18 + IPE_HOOK_KERNEL_READ, 19 + IPE_HOOK_KERNEL_LOAD, 20 + __IPE_HOOK_MAX 21 + }; 22 + 23 + #define IPE_HOOK_INVALID __IPE_HOOK_MAX 24 + 25 + int ipe_bprm_check_security(struct linux_binprm *bprm); 26 + 27 + int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot, 28 + unsigned long flags); 29 + 30 + int ipe_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 31 + unsigned long prot); 32 + 33 + int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, 34 + bool contents); 35 + 36 + int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents); 37 + 38 + void ipe_unpack_initramfs(void); 39 + 40 + #ifdef CONFIG_IPE_PROP_DM_VERITY 41 + void ipe_bdev_free_security(struct block_device *bdev); 42 + 43 + int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type, 44 + const void *value, size_t len); 45 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 46 + 47 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 48 + int ipe_inode_setintegrity(const struct inode *inode, enum lsm_integrity_type type, 49 + const void *value, size_t size); 50 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 51 + 52 + #endif /* _IPE_HOOKS_H */

+98

security/ipe/ipe.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + #include <uapi/linux/lsm.h> 6 + 7 + #include "ipe.h" 8 + #include "eval.h" 9 + #include "hooks.h" 10 + 11 + extern const char *const ipe_boot_policy; 12 + bool ipe_enabled; 13 + 14 + static struct lsm_blob_sizes ipe_blobs __ro_after_init = { 15 + .lbs_superblock = sizeof(struct ipe_superblock), 16 + #ifdef CONFIG_IPE_PROP_DM_VERITY 17 + .lbs_bdev = sizeof(struct ipe_bdev), 18 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 19 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 20 + .lbs_inode = sizeof(struct ipe_inode), 21 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 22 + }; 23 + 24 + static const struct lsm_id ipe_lsmid = { 25 + .name = "ipe", 26 + .id = LSM_ID_IPE, 27 + }; 28 + 29 + struct ipe_superblock *ipe_sb(const struct super_block *sb) 30 + { 31 + return sb->s_security + ipe_blobs.lbs_superblock; 32 + } 33 + 34 + #ifdef CONFIG_IPE_PROP_DM_VERITY 35 + struct ipe_bdev *ipe_bdev(struct block_device *b) 36 + { 37 + return b->bd_security + ipe_blobs.lbs_bdev; 38 + } 39 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 40 + 41 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 42 + struct ipe_inode *ipe_inode(const struct inode *inode) 43 + { 44 + return inode->i_security + ipe_blobs.lbs_inode; 45 + } 46 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 47 + 48 + static struct security_hook_list ipe_hooks[] __ro_after_init = { 49 + LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security), 50 + LSM_HOOK_INIT(mmap_file, ipe_mmap_file), 51 + LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect), 52 + LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file), 53 + LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data), 54 + LSM_HOOK_INIT(initramfs_populated, ipe_unpack_initramfs), 55 + #ifdef CONFIG_IPE_PROP_DM_VERITY 56 + LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security), 57 + LSM_HOOK_INIT(bdev_setintegrity, ipe_bdev_setintegrity), 58 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 59 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 60 + LSM_HOOK_INIT(inode_setintegrity, ipe_inode_setintegrity), 61 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 62 + }; 63 + 64 + /** 65 + * ipe_init() - Entry point of IPE. 66 + * 67 + * This is called at LSM init, which happens occurs early during kernel 68 + * start up. During this phase, IPE registers its hooks and loads the 69 + * builtin boot policy. 70 + * 71 + * Return: 72 + * * %0 - OK 73 + * * %-ENOMEM - Out of memory (OOM) 74 + */ 75 + static int __init ipe_init(void) 76 + { 77 + struct ipe_policy *p = NULL; 78 + 79 + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid); 80 + ipe_enabled = true; 81 + 82 + if (ipe_boot_policy) { 83 + p = ipe_new_policy(ipe_boot_policy, strlen(ipe_boot_policy), 84 + NULL, 0); 85 + if (IS_ERR(p)) 86 + return PTR_ERR(p); 87 + 88 + rcu_assign_pointer(ipe_active_policy, p); 89 + } 90 + 91 + return 0; 92 + } 93 + 94 + DEFINE_LSM(ipe) = { 95 + .name = "ipe", 96 + .init = ipe_init, 97 + .blobs = &ipe_blobs, 98 + };

+26

security/ipe/ipe.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #ifndef _IPE_H 7 + #define _IPE_H 8 + 9 + #ifdef pr_fmt 10 + #undef pr_fmt 11 + #endif 12 + #define pr_fmt(fmt) "ipe: " fmt 13 + 14 + #include <linux/lsm_hooks.h> 15 + struct ipe_superblock *ipe_sb(const struct super_block *sb); 16 + 17 + extern bool ipe_enabled; 18 + 19 + #ifdef CONFIG_IPE_PROP_DM_VERITY 20 + struct ipe_bdev *ipe_bdev(struct block_device *b); 21 + #endif /* CONFIG_IPE_PROP_DM_VERITY */ 22 + #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG 23 + struct ipe_inode *ipe_inode(const struct inode *inode); 24 + #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ 25 + 26 + #endif /* _IPE_H */

+227

security/ipe/policy.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include <linux/errno.h> 7 + #include <linux/verification.h> 8 + 9 + #include "ipe.h" 10 + #include "eval.h" 11 + #include "fs.h" 12 + #include "policy.h" 13 + #include "policy_parser.h" 14 + #include "audit.h" 15 + 16 + /* lock for synchronizing writers across ipe policy */ 17 + DEFINE_MUTEX(ipe_policy_lock); 18 + 19 + /** 20 + * ver_to_u64() - Convert an internal ipe_policy_version to a u64. 21 + * @p: Policy to extract the version from. 22 + * 23 + * Bits (LSB is index 0): 24 + * [48,32] -> Major 25 + * [32,16] -> Minor 26 + * [16, 0] -> Revision 27 + * 28 + * Return: u64 version of the embedded version structure. 29 + */ 30 + static inline u64 ver_to_u64(const struct ipe_policy *const p) 31 + { 32 + u64 r; 33 + 34 + r = (((u64)p->parsed->version.major) << 32) 35 + | (((u64)p->parsed->version.minor) << 16) 36 + | ((u64)(p->parsed->version.rev)); 37 + 38 + return r; 39 + } 40 + 41 + /** 42 + * ipe_free_policy() - Deallocate a given IPE policy. 43 + * @p: Supplies the policy to free. 44 + * 45 + * Safe to call on IS_ERR/NULL. 46 + */ 47 + void ipe_free_policy(struct ipe_policy *p) 48 + { 49 + if (IS_ERR_OR_NULL(p)) 50 + return; 51 + 52 + ipe_del_policyfs_node(p); 53 + ipe_free_parsed_policy(p->parsed); 54 + /* 55 + * p->text is allocated only when p->pkcs7 is not NULL 56 + * otherwise it points to the plaintext data inside the pkcs7 57 + */ 58 + if (!p->pkcs7) 59 + kfree(p->text); 60 + kfree(p->pkcs7); 61 + kfree(p); 62 + } 63 + 64 + static int set_pkcs7_data(void *ctx, const void *data, size_t len, 65 + size_t asn1hdrlen __always_unused) 66 + { 67 + struct ipe_policy *p = ctx; 68 + 69 + p->text = (const char *)data; 70 + p->textlen = len; 71 + 72 + return 0; 73 + } 74 + 75 + /** 76 + * ipe_update_policy() - parse a new policy and replace old with it. 77 + * @root: Supplies a pointer to the securityfs inode saved the policy. 78 + * @text: Supplies a pointer to the plain text policy. 79 + * @textlen: Supplies the length of @text. 80 + * @pkcs7: Supplies a pointer to a buffer containing a pkcs7 message. 81 + * @pkcs7len: Supplies the length of @pkcs7len. 82 + * 83 + * @text/@textlen is mutually exclusive with @pkcs7/@pkcs7len - see 84 + * ipe_new_policy. 85 + * 86 + * Context: Requires root->i_rwsem to be held. 87 + * Return: %0 on success. If an error occurs, the function will return 88 + * the -errno. 89 + */ 90 + int ipe_update_policy(struct inode *root, const char *text, size_t textlen, 91 + const char *pkcs7, size_t pkcs7len) 92 + { 93 + struct ipe_policy *old, *ap, *new = NULL; 94 + int rc = 0; 95 + 96 + old = (struct ipe_policy *)root->i_private; 97 + if (!old) 98 + return -ENOENT; 99 + 100 + new = ipe_new_policy(text, textlen, pkcs7, pkcs7len); 101 + if (IS_ERR(new)) 102 + return PTR_ERR(new); 103 + 104 + if (strcmp(new->parsed->name, old->parsed->name)) { 105 + rc = -EINVAL; 106 + goto err; 107 + } 108 + 109 + if (ver_to_u64(old) > ver_to_u64(new)) { 110 + rc = -EINVAL; 111 + goto err; 112 + } 113 + 114 + root->i_private = new; 115 + swap(new->policyfs, old->policyfs); 116 + ipe_audit_policy_load(new); 117 + 118 + mutex_lock(&ipe_policy_lock); 119 + ap = rcu_dereference_protected(ipe_active_policy, 120 + lockdep_is_held(&ipe_policy_lock)); 121 + if (old == ap) { 122 + rcu_assign_pointer(ipe_active_policy, new); 123 + mutex_unlock(&ipe_policy_lock); 124 + ipe_audit_policy_activation(old, new); 125 + } else { 126 + mutex_unlock(&ipe_policy_lock); 127 + } 128 + synchronize_rcu(); 129 + ipe_free_policy(old); 130 + 131 + return 0; 132 + err: 133 + ipe_free_policy(new); 134 + return rc; 135 + } 136 + 137 + /** 138 + * ipe_new_policy() - Allocate and parse an ipe_policy structure. 139 + * 140 + * @text: Supplies a pointer to the plain-text policy to parse. 141 + * @textlen: Supplies the length of @text. 142 + * @pkcs7: Supplies a pointer to a pkcs7-signed IPE policy. 143 + * @pkcs7len: Supplies the length of @pkcs7. 144 + * 145 + * @text/@textlen Should be NULL/0 if @pkcs7/@pkcs7len is set. 146 + * 147 + * Return: 148 + * * a pointer to the ipe_policy structure - Success 149 + * * %-EBADMSG - Policy is invalid 150 + * * %-ENOMEM - Out of memory (OOM) 151 + * * %-ERANGE - Policy version number overflow 152 + * * %-EINVAL - Policy version parsing error 153 + */ 154 + struct ipe_policy *ipe_new_policy(const char *text, size_t textlen, 155 + const char *pkcs7, size_t pkcs7len) 156 + { 157 + struct ipe_policy *new = NULL; 158 + int rc = 0; 159 + 160 + new = kzalloc(sizeof(*new), GFP_KERNEL); 161 + if (!new) 162 + return ERR_PTR(-ENOMEM); 163 + 164 + if (!text) { 165 + new->pkcs7len = pkcs7len; 166 + new->pkcs7 = kmemdup(pkcs7, pkcs7len, GFP_KERNEL); 167 + if (!new->pkcs7) { 168 + rc = -ENOMEM; 169 + goto err; 170 + } 171 + 172 + rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL, 173 + VERIFYING_UNSPECIFIED_SIGNATURE, 174 + set_pkcs7_data, new); 175 + if (rc) 176 + goto err; 177 + } else { 178 + new->textlen = textlen; 179 + new->text = kstrdup(text, GFP_KERNEL); 180 + if (!new->text) { 181 + rc = -ENOMEM; 182 + goto err; 183 + } 184 + } 185 + 186 + rc = ipe_parse_policy(new); 187 + if (rc) 188 + goto err; 189 + 190 + return new; 191 + err: 192 + ipe_free_policy(new); 193 + return ERR_PTR(rc); 194 + } 195 + 196 + /** 197 + * ipe_set_active_pol() - Make @p the active policy. 198 + * @p: Supplies a pointer to the policy to make active. 199 + * 200 + * Context: Requires root->i_rwsem, which i_private has the policy, to be held. 201 + * Return: 202 + * * %0 - Success 203 + * * %-EINVAL - New active policy version is invalid 204 + */ 205 + int ipe_set_active_pol(const struct ipe_policy *p) 206 + { 207 + struct ipe_policy *ap = NULL; 208 + 209 + mutex_lock(&ipe_policy_lock); 210 + 211 + ap = rcu_dereference_protected(ipe_active_policy, 212 + lockdep_is_held(&ipe_policy_lock)); 213 + if (ap == p) { 214 + mutex_unlock(&ipe_policy_lock); 215 + return 0; 216 + } 217 + if (ap && ver_to_u64(ap) > ver_to_u64(p)) { 218 + mutex_unlock(&ipe_policy_lock); 219 + return -EINVAL; 220 + } 221 + 222 + rcu_assign_pointer(ipe_active_policy, p); 223 + ipe_audit_policy_activation(ap, p); 224 + mutex_unlock(&ipe_policy_lock); 225 + 226 + return 0; 227 + }

+98

security/ipe/policy.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + #ifndef _IPE_POLICY_H 6 + #define _IPE_POLICY_H 7 + 8 + #include <linux/list.h> 9 + #include <linux/types.h> 10 + #include <linux/fs.h> 11 + 12 + enum ipe_op_type { 13 + IPE_OP_EXEC = 0, 14 + IPE_OP_FIRMWARE, 15 + IPE_OP_KERNEL_MODULE, 16 + IPE_OP_KEXEC_IMAGE, 17 + IPE_OP_KEXEC_INITRAMFS, 18 + IPE_OP_POLICY, 19 + IPE_OP_X509, 20 + __IPE_OP_MAX, 21 + }; 22 + 23 + #define IPE_OP_INVALID __IPE_OP_MAX 24 + 25 + enum ipe_action_type { 26 + IPE_ACTION_ALLOW = 0, 27 + IPE_ACTION_DENY, 28 + __IPE_ACTION_MAX 29 + }; 30 + 31 + #define IPE_ACTION_INVALID __IPE_ACTION_MAX 32 + 33 + enum ipe_prop_type { 34 + IPE_PROP_BOOT_VERIFIED_FALSE, 35 + IPE_PROP_BOOT_VERIFIED_TRUE, 36 + IPE_PROP_DMV_ROOTHASH, 37 + IPE_PROP_DMV_SIG_FALSE, 38 + IPE_PROP_DMV_SIG_TRUE, 39 + IPE_PROP_FSV_DIGEST, 40 + IPE_PROP_FSV_SIG_FALSE, 41 + IPE_PROP_FSV_SIG_TRUE, 42 + __IPE_PROP_MAX 43 + }; 44 + 45 + #define IPE_PROP_INVALID __IPE_PROP_MAX 46 + 47 + struct ipe_prop { 48 + struct list_head next; 49 + enum ipe_prop_type type; 50 + void *value; 51 + }; 52 + 53 + struct ipe_rule { 54 + enum ipe_op_type op; 55 + enum ipe_action_type action; 56 + struct list_head props; 57 + struct list_head next; 58 + }; 59 + 60 + struct ipe_op_table { 61 + struct list_head rules; 62 + enum ipe_action_type default_action; 63 + }; 64 + 65 + struct ipe_parsed_policy { 66 + const char *name; 67 + struct { 68 + u16 major; 69 + u16 minor; 70 + u16 rev; 71 + } version; 72 + 73 + enum ipe_action_type global_default_action; 74 + 75 + struct ipe_op_table rules[__IPE_OP_MAX]; 76 + }; 77 + 78 + struct ipe_policy { 79 + const char *pkcs7; 80 + size_t pkcs7len; 81 + 82 + const char *text; 83 + size_t textlen; 84 + 85 + struct ipe_parsed_policy *parsed; 86 + 87 + struct dentry *policyfs; 88 + }; 89 + 90 + struct ipe_policy *ipe_new_policy(const char *text, size_t textlen, 91 + const char *pkcs7, size_t pkcs7len); 92 + void ipe_free_policy(struct ipe_policy *pol); 93 + int ipe_update_policy(struct inode *root, const char *text, size_t textlen, 94 + const char *pkcs7, size_t pkcs7len); 95 + int ipe_set_active_pol(const struct ipe_policy *p); 96 + extern struct mutex ipe_policy_lock; 97 + 98 + #endif /* _IPE_POLICY_H */

+472

security/ipe/policy_fs.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + #include <linux/fs.h> 6 + #include <linux/namei.h> 7 + #include <linux/types.h> 8 + #include <linux/dcache.h> 9 + #include <linux/security.h> 10 + 11 + #include "ipe.h" 12 + #include "policy.h" 13 + #include "eval.h" 14 + #include "fs.h" 15 + 16 + #define MAX_VERSION_SIZE ARRAY_SIZE("65535.65535.65535") 17 + 18 + /** 19 + * ipefs_file - defines a file in securityfs. 20 + */ 21 + struct ipefs_file { 22 + const char *name; 23 + umode_t access; 24 + const struct file_operations *fops; 25 + }; 26 + 27 + /** 28 + * read_pkcs7() - Read handler for "ipe/policies/$name/pkcs7". 29 + * @f: Supplies a file structure representing the securityfs node. 30 + * @data: Supplies a buffer passed to the write syscall. 31 + * @len: Supplies the length of @data. 32 + * @offset: unused. 33 + * 34 + * @data will be populated with the pkcs7 blob representing the policy 35 + * on success. If the policy is unsigned (like the boot policy), this 36 + * will return -ENOENT. 37 + * 38 + * Return: 39 + * * Length of buffer written - Success 40 + * * %-ENOENT - Policy initializing/deleted or is unsigned 41 + */ 42 + static ssize_t read_pkcs7(struct file *f, char __user *data, 43 + size_t len, loff_t *offset) 44 + { 45 + const struct ipe_policy *p = NULL; 46 + struct inode *root = NULL; 47 + int rc = 0; 48 + 49 + root = d_inode(f->f_path.dentry->d_parent); 50 + 51 + inode_lock_shared(root); 52 + p = (struct ipe_policy *)root->i_private; 53 + if (!p) { 54 + rc = -ENOENT; 55 + goto out; 56 + } 57 + 58 + if (!p->pkcs7) { 59 + rc = -ENOENT; 60 + goto out; 61 + } 62 + 63 + rc = simple_read_from_buffer(data, len, offset, p->pkcs7, p->pkcs7len); 64 + 65 + out: 66 + inode_unlock_shared(root); 67 + 68 + return rc; 69 + } 70 + 71 + /** 72 + * read_policy() - Read handler for "ipe/policies/$name/policy". 73 + * @f: Supplies a file structure representing the securityfs node. 74 + * @data: Supplies a buffer passed to the write syscall. 75 + * @len: Supplies the length of @data. 76 + * @offset: unused. 77 + * 78 + * @data will be populated with the plain-text version of the policy 79 + * on success. 80 + * 81 + * Return: 82 + * * Length of buffer written - Success 83 + * * %-ENOENT - Policy initializing/deleted 84 + */ 85 + static ssize_t read_policy(struct file *f, char __user *data, 86 + size_t len, loff_t *offset) 87 + { 88 + const struct ipe_policy *p = NULL; 89 + struct inode *root = NULL; 90 + int rc = 0; 91 + 92 + root = d_inode(f->f_path.dentry->d_parent); 93 + 94 + inode_lock_shared(root); 95 + p = (struct ipe_policy *)root->i_private; 96 + if (!p) { 97 + rc = -ENOENT; 98 + goto out; 99 + } 100 + 101 + rc = simple_read_from_buffer(data, len, offset, p->text, p->textlen); 102 + 103 + out: 104 + inode_unlock_shared(root); 105 + 106 + return rc; 107 + } 108 + 109 + /** 110 + * read_name() - Read handler for "ipe/policies/$name/name". 111 + * @f: Supplies a file structure representing the securityfs node. 112 + * @data: Supplies a buffer passed to the write syscall. 113 + * @len: Supplies the length of @data. 114 + * @offset: unused. 115 + * 116 + * @data will be populated with the policy_name attribute on success. 117 + * 118 + * Return: 119 + * * Length of buffer written - Success 120 + * * %-ENOENT - Policy initializing/deleted 121 + */ 122 + static ssize_t read_name(struct file *f, char __user *data, 123 + size_t len, loff_t *offset) 124 + { 125 + const struct ipe_policy *p = NULL; 126 + struct inode *root = NULL; 127 + int rc = 0; 128 + 129 + root = d_inode(f->f_path.dentry->d_parent); 130 + 131 + inode_lock_shared(root); 132 + p = (struct ipe_policy *)root->i_private; 133 + if (!p) { 134 + rc = -ENOENT; 135 + goto out; 136 + } 137 + 138 + rc = simple_read_from_buffer(data, len, offset, p->parsed->name, 139 + strlen(p->parsed->name)); 140 + 141 + out: 142 + inode_unlock_shared(root); 143 + 144 + return rc; 145 + } 146 + 147 + /** 148 + * read_version() - Read handler for "ipe/policies/$name/version". 149 + * @f: Supplies a file structure representing the securityfs node. 150 + * @data: Supplies a buffer passed to the write syscall. 151 + * @len: Supplies the length of @data. 152 + * @offset: unused. 153 + * 154 + * @data will be populated with the version string on success. 155 + * 156 + * Return: 157 + * * Length of buffer written - Success 158 + * * %-ENOENT - Policy initializing/deleted 159 + */ 160 + static ssize_t read_version(struct file *f, char __user *data, 161 + size_t len, loff_t *offset) 162 + { 163 + char buffer[MAX_VERSION_SIZE] = { 0 }; 164 + const struct ipe_policy *p = NULL; 165 + struct inode *root = NULL; 166 + size_t strsize = 0; 167 + ssize_t rc = 0; 168 + 169 + root = d_inode(f->f_path.dentry->d_parent); 170 + 171 + inode_lock_shared(root); 172 + p = (struct ipe_policy *)root->i_private; 173 + if (!p) { 174 + rc = -ENOENT; 175 + goto out; 176 + } 177 + 178 + strsize = scnprintf(buffer, ARRAY_SIZE(buffer), "%hu.%hu.%hu", 179 + p->parsed->version.major, p->parsed->version.minor, 180 + p->parsed->version.rev); 181 + 182 + rc = simple_read_from_buffer(data, len, offset, buffer, strsize); 183 + 184 + out: 185 + inode_unlock_shared(root); 186 + 187 + return rc; 188 + } 189 + 190 + /** 191 + * setactive() - Write handler for "ipe/policies/$name/active". 192 + * @f: Supplies a file structure representing the securityfs node. 193 + * @data: Supplies a buffer passed to the write syscall. 194 + * @len: Supplies the length of @data. 195 + * @offset: unused. 196 + * 197 + * Return: 198 + * * Length of buffer written - Success 199 + * * %-EPERM - Insufficient permission 200 + * * %-EINVAL - Invalid input 201 + * * %-ENOENT - Policy initializing/deleted 202 + */ 203 + static ssize_t setactive(struct file *f, const char __user *data, 204 + size_t len, loff_t *offset) 205 + { 206 + const struct ipe_policy *p = NULL; 207 + struct inode *root = NULL; 208 + bool value = false; 209 + int rc = 0; 210 + 211 + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) 212 + return -EPERM; 213 + 214 + rc = kstrtobool_from_user(data, len, &value); 215 + if (rc) 216 + return rc; 217 + 218 + if (!value) 219 + return -EINVAL; 220 + 221 + root = d_inode(f->f_path.dentry->d_parent); 222 + inode_lock(root); 223 + 224 + p = (struct ipe_policy *)root->i_private; 225 + if (!p) { 226 + rc = -ENOENT; 227 + goto out; 228 + } 229 + 230 + rc = ipe_set_active_pol(p); 231 + 232 + out: 233 + inode_unlock(root); 234 + return (rc < 0) ? rc : len; 235 + } 236 + 237 + /** 238 + * getactive() - Read handler for "ipe/policies/$name/active". 239 + * @f: Supplies a file structure representing the securityfs node. 240 + * @data: Supplies a buffer passed to the write syscall. 241 + * @len: Supplies the length of @data. 242 + * @offset: unused. 243 + * 244 + * @data will be populated with the 1 or 0 depending on if the 245 + * corresponding policy is active. 246 + * 247 + * Return: 248 + * * Length of buffer written - Success 249 + * * %-ENOENT - Policy initializing/deleted 250 + */ 251 + static ssize_t getactive(struct file *f, char __user *data, 252 + size_t len, loff_t *offset) 253 + { 254 + const struct ipe_policy *p = NULL; 255 + struct inode *root = NULL; 256 + const char *str; 257 + int rc = 0; 258 + 259 + root = d_inode(f->f_path.dentry->d_parent); 260 + 261 + inode_lock_shared(root); 262 + p = (struct ipe_policy *)root->i_private; 263 + if (!p) { 264 + inode_unlock_shared(root); 265 + return -ENOENT; 266 + } 267 + inode_unlock_shared(root); 268 + 269 + str = (p == rcu_access_pointer(ipe_active_policy)) ? "1" : "0"; 270 + rc = simple_read_from_buffer(data, len, offset, str, 1); 271 + 272 + return rc; 273 + } 274 + 275 + /** 276 + * update_policy() - Write handler for "ipe/policies/$name/update". 277 + * @f: Supplies a file structure representing the securityfs node. 278 + * @data: Supplies a buffer passed to the write syscall. 279 + * @len: Supplies the length of @data. 280 + * @offset: unused. 281 + * 282 + * On success this updates the policy represented by $name, 283 + * in-place. 284 + * 285 + * Return: Length of buffer written on success. If an error occurs, 286 + * the function will return the -errno. 287 + */ 288 + static ssize_t update_policy(struct file *f, const char __user *data, 289 + size_t len, loff_t *offset) 290 + { 291 + struct inode *root = NULL; 292 + char *copy = NULL; 293 + int rc = 0; 294 + 295 + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) 296 + return -EPERM; 297 + 298 + copy = memdup_user(data, len); 299 + if (IS_ERR(copy)) 300 + return PTR_ERR(copy); 301 + 302 + root = d_inode(f->f_path.dentry->d_parent); 303 + inode_lock(root); 304 + rc = ipe_update_policy(root, NULL, 0, copy, len); 305 + inode_unlock(root); 306 + 307 + kfree(copy); 308 + if (rc) 309 + return rc; 310 + 311 + return len; 312 + } 313 + 314 + /** 315 + * delete_policy() - write handler for "ipe/policies/$name/delete". 316 + * @f: Supplies a file structure representing the securityfs node. 317 + * @data: Supplies a buffer passed to the write syscall. 318 + * @len: Supplies the length of @data. 319 + * @offset: unused. 320 + * 321 + * On success this deletes the policy represented by $name. 322 + * 323 + * Return: 324 + * * Length of buffer written - Success 325 + * * %-EPERM - Insufficient permission/deleting active policy 326 + * * %-EINVAL - Invalid input 327 + * * %-ENOENT - Policy initializing/deleted 328 + */ 329 + static ssize_t delete_policy(struct file *f, const char __user *data, 330 + size_t len, loff_t *offset) 331 + { 332 + struct ipe_policy *ap = NULL; 333 + struct ipe_policy *p = NULL; 334 + struct inode *root = NULL; 335 + bool value = false; 336 + int rc = 0; 337 + 338 + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) 339 + return -EPERM; 340 + 341 + rc = kstrtobool_from_user(data, len, &value); 342 + if (rc) 343 + return rc; 344 + 345 + if (!value) 346 + return -EINVAL; 347 + 348 + root = d_inode(f->f_path.dentry->d_parent); 349 + inode_lock(root); 350 + p = (struct ipe_policy *)root->i_private; 351 + if (!p) { 352 + inode_unlock(root); 353 + return -ENOENT; 354 + } 355 + 356 + mutex_lock(&ipe_policy_lock); 357 + ap = rcu_dereference_protected(ipe_active_policy, 358 + lockdep_is_held(&ipe_policy_lock)); 359 + if (p == ap) { 360 + mutex_unlock(&ipe_policy_lock); 361 + inode_unlock(root); 362 + return -EPERM; 363 + } 364 + mutex_unlock(&ipe_policy_lock); 365 + 366 + root->i_private = NULL; 367 + inode_unlock(root); 368 + 369 + synchronize_rcu(); 370 + ipe_free_policy(p); 371 + 372 + return len; 373 + } 374 + 375 + static const struct file_operations content_fops = { 376 + .read = read_policy, 377 + }; 378 + 379 + static const struct file_operations pkcs7_fops = { 380 + .read = read_pkcs7, 381 + }; 382 + 383 + static const struct file_operations name_fops = { 384 + .read = read_name, 385 + }; 386 + 387 + static const struct file_operations ver_fops = { 388 + .read = read_version, 389 + }; 390 + 391 + static const struct file_operations active_fops = { 392 + .write = setactive, 393 + .read = getactive, 394 + }; 395 + 396 + static const struct file_operations update_fops = { 397 + .write = update_policy, 398 + }; 399 + 400 + static const struct file_operations delete_fops = { 401 + .write = delete_policy, 402 + }; 403 + 404 + /** 405 + * policy_subdir - files under a policy subdirectory 406 + */ 407 + static const struct ipefs_file policy_subdir[] = { 408 + { "pkcs7", 0444, &pkcs7_fops }, 409 + { "policy", 0444, &content_fops }, 410 + { "name", 0444, &name_fops }, 411 + { "version", 0444, &ver_fops }, 412 + { "active", 0600, &active_fops }, 413 + { "update", 0200, &update_fops }, 414 + { "delete", 0200, &delete_fops }, 415 + }; 416 + 417 + /** 418 + * ipe_del_policyfs_node() - Delete a securityfs entry for @p. 419 + * @p: Supplies a pointer to the policy to delete a securityfs entry for. 420 + */ 421 + void ipe_del_policyfs_node(struct ipe_policy *p) 422 + { 423 + securityfs_recursive_remove(p->policyfs); 424 + p->policyfs = NULL; 425 + } 426 + 427 + /** 428 + * ipe_new_policyfs_node() - Create a securityfs entry for @p. 429 + * @p: Supplies a pointer to the policy to create a securityfs entry for. 430 + * 431 + * Return: %0 on success. If an error occurs, the function will return 432 + * the -errno. 433 + */ 434 + int ipe_new_policyfs_node(struct ipe_policy *p) 435 + { 436 + const struct ipefs_file *f = NULL; 437 + struct dentry *policyfs = NULL; 438 + struct inode *root = NULL; 439 + struct dentry *d = NULL; 440 + size_t i = 0; 441 + int rc = 0; 442 + 443 + if (p->policyfs) 444 + return 0; 445 + 446 + policyfs = securityfs_create_dir(p->parsed->name, policy_root); 447 + if (IS_ERR(policyfs)) 448 + return PTR_ERR(policyfs); 449 + 450 + root = d_inode(policyfs); 451 + 452 + for (i = 0; i < ARRAY_SIZE(policy_subdir); ++i) { 453 + f = &policy_subdir[i]; 454 + 455 + d = securityfs_create_file(f->name, f->access, policyfs, 456 + NULL, f->fops); 457 + if (IS_ERR(d)) { 458 + rc = PTR_ERR(d); 459 + goto err; 460 + } 461 + } 462 + 463 + inode_lock(root); 464 + p->policyfs = policyfs; 465 + root->i_private = p; 466 + inode_unlock(root); 467 + 468 + return 0; 469 + err: 470 + securityfs_recursive_remove(policyfs); 471 + return rc; 472 + }

+559

security/ipe/policy_parser.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include <linux/err.h> 7 + #include <linux/slab.h> 8 + #include <linux/parser.h> 9 + #include <linux/types.h> 10 + #include <linux/ctype.h> 11 + 12 + #include "policy.h" 13 + #include "policy_parser.h" 14 + #include "digest.h" 15 + 16 + #define START_COMMENT '#' 17 + #define IPE_POLICY_DELIM " \t" 18 + #define IPE_LINE_DELIM "\n\r" 19 + 20 + /** 21 + * new_parsed_policy() - Allocate and initialize a parsed policy. 22 + * 23 + * Return: 24 + * * a pointer to the ipe_parsed_policy structure - Success 25 + * * %-ENOMEM - Out of memory (OOM) 26 + */ 27 + static struct ipe_parsed_policy *new_parsed_policy(void) 28 + { 29 + struct ipe_parsed_policy *p = NULL; 30 + struct ipe_op_table *t = NULL; 31 + size_t i = 0; 32 + 33 + p = kzalloc(sizeof(*p), GFP_KERNEL); 34 + if (!p) 35 + return ERR_PTR(-ENOMEM); 36 + 37 + p->global_default_action = IPE_ACTION_INVALID; 38 + 39 + for (i = 0; i < ARRAY_SIZE(p->rules); ++i) { 40 + t = &p->rules[i]; 41 + 42 + t->default_action = IPE_ACTION_INVALID; 43 + INIT_LIST_HEAD(&t->rules); 44 + } 45 + 46 + return p; 47 + } 48 + 49 + /** 50 + * remove_comment() - Truncate all chars following START_COMMENT in a string. 51 + * 52 + * @line: Supplies a policy line string for preprocessing. 53 + */ 54 + static void remove_comment(char *line) 55 + { 56 + line = strchr(line, START_COMMENT); 57 + 58 + if (line) 59 + *line = '\0'; 60 + } 61 + 62 + /** 63 + * remove_trailing_spaces() - Truncate all trailing spaces in a string. 64 + * 65 + * @line: Supplies a policy line string for preprocessing. 66 + * 67 + * Return: The length of truncated string. 68 + */ 69 + static size_t remove_trailing_spaces(char *line) 70 + { 71 + size_t i = 0; 72 + 73 + i = strlen(line); 74 + while (i > 0 && isspace(line[i - 1])) 75 + i--; 76 + 77 + line[i] = '\0'; 78 + 79 + return i; 80 + } 81 + 82 + /** 83 + * parse_version() - Parse policy version. 84 + * @ver: Supplies a version string to be parsed. 85 + * @p: Supplies the partial parsed policy. 86 + * 87 + * Return: 88 + * * %0 - Success 89 + * * %-EBADMSG - Version string is invalid 90 + * * %-ERANGE - Version number overflow 91 + * * %-EINVAL - Parsing error 92 + */ 93 + static int parse_version(char *ver, struct ipe_parsed_policy *p) 94 + { 95 + u16 *const cv[] = { &p->version.major, &p->version.minor, &p->version.rev }; 96 + size_t sep_count = 0; 97 + char *token; 98 + int rc = 0; 99 + 100 + while ((token = strsep(&ver, ".")) != NULL) { 101 + /* prevent overflow */ 102 + if (sep_count >= ARRAY_SIZE(cv)) 103 + return -EBADMSG; 104 + 105 + rc = kstrtou16(token, 10, cv[sep_count]); 106 + if (rc) 107 + return rc; 108 + 109 + ++sep_count; 110 + } 111 + 112 + /* prevent underflow */ 113 + if (sep_count != ARRAY_SIZE(cv)) 114 + return -EBADMSG; 115 + 116 + return 0; 117 + } 118 + 119 + enum header_opt { 120 + IPE_HEADER_POLICY_NAME = 0, 121 + IPE_HEADER_POLICY_VERSION, 122 + __IPE_HEADER_MAX 123 + }; 124 + 125 + static const match_table_t header_tokens = { 126 + {IPE_HEADER_POLICY_NAME, "policy_name=%s"}, 127 + {IPE_HEADER_POLICY_VERSION, "policy_version=%s"}, 128 + {__IPE_HEADER_MAX, NULL} 129 + }; 130 + 131 + /** 132 + * parse_header() - Parse policy header information. 133 + * @line: Supplies header line to be parsed. 134 + * @p: Supplies the partial parsed policy. 135 + * 136 + * Return: 137 + * * %0 - Success 138 + * * %-EBADMSG - Header string is invalid 139 + * * %-ENOMEM - Out of memory (OOM) 140 + * * %-ERANGE - Version number overflow 141 + * * %-EINVAL - Version parsing error 142 + */ 143 + static int parse_header(char *line, struct ipe_parsed_policy *p) 144 + { 145 + substring_t args[MAX_OPT_ARGS]; 146 + char *t, *ver = NULL; 147 + size_t idx = 0; 148 + int rc = 0; 149 + 150 + while ((t = strsep(&line, IPE_POLICY_DELIM)) != NULL) { 151 + int token; 152 + 153 + if (*t == '\0') 154 + continue; 155 + if (idx >= __IPE_HEADER_MAX) { 156 + rc = -EBADMSG; 157 + goto out; 158 + } 159 + 160 + token = match_token(t, header_tokens, args); 161 + if (token != idx) { 162 + rc = -EBADMSG; 163 + goto out; 164 + } 165 + 166 + switch (token) { 167 + case IPE_HEADER_POLICY_NAME: 168 + p->name = match_strdup(&args[0]); 169 + if (!p->name) 170 + rc = -ENOMEM; 171 + break; 172 + case IPE_HEADER_POLICY_VERSION: 173 + ver = match_strdup(&args[0]); 174 + if (!ver) { 175 + rc = -ENOMEM; 176 + break; 177 + } 178 + rc = parse_version(ver, p); 179 + break; 180 + default: 181 + rc = -EBADMSG; 182 + } 183 + if (rc) 184 + goto out; 185 + ++idx; 186 + } 187 + 188 + if (idx != __IPE_HEADER_MAX) 189 + rc = -EBADMSG; 190 + 191 + out: 192 + kfree(ver); 193 + return rc; 194 + } 195 + 196 + /** 197 + * token_default() - Determine if the given token is "DEFAULT". 198 + * @token: Supplies the token string to be compared. 199 + * 200 + * Return: 201 + * * %false - The token is not "DEFAULT" 202 + * * %true - The token is "DEFAULT" 203 + */ 204 + static bool token_default(char *token) 205 + { 206 + return !strcmp(token, "DEFAULT"); 207 + } 208 + 209 + /** 210 + * free_rule() - Free the supplied ipe_rule struct. 211 + * @r: Supplies the ipe_rule struct to be freed. 212 + * 213 + * Free a ipe_rule struct @r. Note @r must be removed from any lists before 214 + * calling this function. 215 + */ 216 + static void free_rule(struct ipe_rule *r) 217 + { 218 + struct ipe_prop *p, *t; 219 + 220 + if (IS_ERR_OR_NULL(r)) 221 + return; 222 + 223 + list_for_each_entry_safe(p, t, &r->props, next) { 224 + list_del(&p->next); 225 + ipe_digest_free(p->value); 226 + kfree(p); 227 + } 228 + 229 + kfree(r); 230 + } 231 + 232 + static const match_table_t operation_tokens = { 233 + {IPE_OP_EXEC, "op=EXECUTE"}, 234 + {IPE_OP_FIRMWARE, "op=FIRMWARE"}, 235 + {IPE_OP_KERNEL_MODULE, "op=KMODULE"}, 236 + {IPE_OP_KEXEC_IMAGE, "op=KEXEC_IMAGE"}, 237 + {IPE_OP_KEXEC_INITRAMFS, "op=KEXEC_INITRAMFS"}, 238 + {IPE_OP_POLICY, "op=POLICY"}, 239 + {IPE_OP_X509, "op=X509_CERT"}, 240 + {IPE_OP_INVALID, NULL} 241 + }; 242 + 243 + /** 244 + * parse_operation() - Parse the operation type given a token string. 245 + * @t: Supplies the token string to be parsed. 246 + * 247 + * Return: The parsed operation type. 248 + */ 249 + static enum ipe_op_type parse_operation(char *t) 250 + { 251 + substring_t args[MAX_OPT_ARGS]; 252 + 253 + return match_token(t, operation_tokens, args); 254 + } 255 + 256 + static const match_table_t action_tokens = { 257 + {IPE_ACTION_ALLOW, "action=ALLOW"}, 258 + {IPE_ACTION_DENY, "action=DENY"}, 259 + {IPE_ACTION_INVALID, NULL} 260 + }; 261 + 262 + /** 263 + * parse_action() - Parse the action type given a token string. 264 + * @t: Supplies the token string to be parsed. 265 + * 266 + * Return: The parsed action type. 267 + */ 268 + static enum ipe_action_type parse_action(char *t) 269 + { 270 + substring_t args[MAX_OPT_ARGS]; 271 + 272 + return match_token(t, action_tokens, args); 273 + } 274 + 275 + static const match_table_t property_tokens = { 276 + {IPE_PROP_BOOT_VERIFIED_FALSE, "boot_verified=FALSE"}, 277 + {IPE_PROP_BOOT_VERIFIED_TRUE, "boot_verified=TRUE"}, 278 + {IPE_PROP_DMV_ROOTHASH, "dmverity_roothash=%s"}, 279 + {IPE_PROP_DMV_SIG_FALSE, "dmverity_signature=FALSE"}, 280 + {IPE_PROP_DMV_SIG_TRUE, "dmverity_signature=TRUE"}, 281 + {IPE_PROP_FSV_DIGEST, "fsverity_digest=%s"}, 282 + {IPE_PROP_FSV_SIG_FALSE, "fsverity_signature=FALSE"}, 283 + {IPE_PROP_FSV_SIG_TRUE, "fsverity_signature=TRUE"}, 284 + {IPE_PROP_INVALID, NULL} 285 + }; 286 + 287 + /** 288 + * parse_property() - Parse a rule property given a token string. 289 + * @t: Supplies the token string to be parsed. 290 + * @r: Supplies the ipe_rule the parsed property will be associated with. 291 + * 292 + * This function parses and associates a property with an IPE rule based 293 + * on a token string. 294 + * 295 + * Return: 296 + * * %0 - Success 297 + * * %-ENOMEM - Out of memory (OOM) 298 + * * %-EBADMSG - The supplied token cannot be parsed 299 + */ 300 + static int parse_property(char *t, struct ipe_rule *r) 301 + { 302 + substring_t args[MAX_OPT_ARGS]; 303 + struct ipe_prop *p = NULL; 304 + int rc = 0; 305 + int token; 306 + char *dup = NULL; 307 + 308 + p = kzalloc(sizeof(*p), GFP_KERNEL); 309 + if (!p) 310 + return -ENOMEM; 311 + 312 + token = match_token(t, property_tokens, args); 313 + 314 + switch (token) { 315 + case IPE_PROP_DMV_ROOTHASH: 316 + case IPE_PROP_FSV_DIGEST: 317 + dup = match_strdup(&args[0]); 318 + if (!dup) { 319 + rc = -ENOMEM; 320 + goto err; 321 + } 322 + p->value = ipe_digest_parse(dup); 323 + if (IS_ERR(p->value)) { 324 + rc = PTR_ERR(p->value); 325 + goto err; 326 + } 327 + fallthrough; 328 + case IPE_PROP_BOOT_VERIFIED_FALSE: 329 + case IPE_PROP_BOOT_VERIFIED_TRUE: 330 + case IPE_PROP_DMV_SIG_FALSE: 331 + case IPE_PROP_DMV_SIG_TRUE: 332 + case IPE_PROP_FSV_SIG_FALSE: 333 + case IPE_PROP_FSV_SIG_TRUE: 334 + p->type = token; 335 + break; 336 + default: 337 + rc = -EBADMSG; 338 + break; 339 + } 340 + if (rc) 341 + goto err; 342 + list_add_tail(&p->next, &r->props); 343 + 344 + out: 345 + kfree(dup); 346 + return rc; 347 + err: 348 + kfree(p); 349 + goto out; 350 + } 351 + 352 + /** 353 + * parse_rule() - parse a policy rule line. 354 + * @line: Supplies rule line to be parsed. 355 + * @p: Supplies the partial parsed policy. 356 + * 357 + * Return: 358 + * * 0 - Success 359 + * * %-ENOMEM - Out of memory (OOM) 360 + * * %-EBADMSG - Policy syntax error 361 + */ 362 + static int parse_rule(char *line, struct ipe_parsed_policy *p) 363 + { 364 + enum ipe_action_type action = IPE_ACTION_INVALID; 365 + enum ipe_op_type op = IPE_OP_INVALID; 366 + bool is_default_rule = false; 367 + struct ipe_rule *r = NULL; 368 + bool first_token = true; 369 + bool op_parsed = false; 370 + int rc = 0; 371 + char *t; 372 + 373 + if (IS_ERR_OR_NULL(line)) 374 + return -EBADMSG; 375 + 376 + r = kzalloc(sizeof(*r), GFP_KERNEL); 377 + if (!r) 378 + return -ENOMEM; 379 + 380 + INIT_LIST_HEAD(&r->next); 381 + INIT_LIST_HEAD(&r->props); 382 + 383 + while (t = strsep(&line, IPE_POLICY_DELIM), line) { 384 + if (*t == '\0') 385 + continue; 386 + if (first_token && token_default(t)) { 387 + is_default_rule = true; 388 + } else { 389 + if (!op_parsed) { 390 + op = parse_operation(t); 391 + if (op == IPE_OP_INVALID) 392 + rc = -EBADMSG; 393 + else 394 + op_parsed = true; 395 + } else { 396 + rc = parse_property(t, r); 397 + } 398 + } 399 + 400 + if (rc) 401 + goto err; 402 + first_token = false; 403 + } 404 + 405 + action = parse_action(t); 406 + if (action == IPE_ACTION_INVALID) { 407 + rc = -EBADMSG; 408 + goto err; 409 + } 410 + 411 + if (is_default_rule) { 412 + if (!list_empty(&r->props)) { 413 + rc = -EBADMSG; 414 + } else if (op == IPE_OP_INVALID) { 415 + if (p->global_default_action != IPE_ACTION_INVALID) 416 + rc = -EBADMSG; 417 + else 418 + p->global_default_action = action; 419 + } else { 420 + if (p->rules[op].default_action != IPE_ACTION_INVALID) 421 + rc = -EBADMSG; 422 + else 423 + p->rules[op].default_action = action; 424 + } 425 + } else if (op != IPE_OP_INVALID && action != IPE_ACTION_INVALID) { 426 + r->op = op; 427 + r->action = action; 428 + } else { 429 + rc = -EBADMSG; 430 + } 431 + 432 + if (rc) 433 + goto err; 434 + if (!is_default_rule) 435 + list_add_tail(&r->next, &p->rules[op].rules); 436 + else 437 + free_rule(r); 438 + 439 + return rc; 440 + err: 441 + free_rule(r); 442 + return rc; 443 + } 444 + 445 + /** 446 + * ipe_free_parsed_policy() - free a parsed policy structure. 447 + * @p: Supplies the parsed policy. 448 + */ 449 + void ipe_free_parsed_policy(struct ipe_parsed_policy *p) 450 + { 451 + struct ipe_rule *pp, *t; 452 + size_t i = 0; 453 + 454 + if (IS_ERR_OR_NULL(p)) 455 + return; 456 + 457 + for (i = 0; i < ARRAY_SIZE(p->rules); ++i) 458 + list_for_each_entry_safe(pp, t, &p->rules[i].rules, next) { 459 + list_del(&pp->next); 460 + free_rule(pp); 461 + } 462 + 463 + kfree(p->name); 464 + kfree(p); 465 + } 466 + 467 + /** 468 + * validate_policy() - validate a parsed policy. 469 + * @p: Supplies the fully parsed policy. 470 + * 471 + * Given a policy structure that was just parsed, validate that all 472 + * operations have their default rules or a global default rule is set. 473 + * 474 + * Return: 475 + * * %0 - Success 476 + * * %-EBADMSG - Policy is invalid 477 + */ 478 + static int validate_policy(const struct ipe_parsed_policy *p) 479 + { 480 + size_t i = 0; 481 + 482 + if (p->global_default_action != IPE_ACTION_INVALID) 483 + return 0; 484 + 485 + for (i = 0; i < ARRAY_SIZE(p->rules); ++i) { 486 + if (p->rules[i].default_action == IPE_ACTION_INVALID) 487 + return -EBADMSG; 488 + } 489 + 490 + return 0; 491 + } 492 + 493 + /** 494 + * ipe_parse_policy() - Given a string, parse the string into an IPE policy. 495 + * @p: partially filled ipe_policy structure to populate with the result. 496 + * it must have text and textlen set. 497 + * 498 + * Return: 499 + * * %0 - Success 500 + * * %-EBADMSG - Policy is invalid 501 + * * %-ENOMEM - Out of Memory 502 + * * %-ERANGE - Policy version number overflow 503 + * * %-EINVAL - Policy version parsing error 504 + */ 505 + int ipe_parse_policy(struct ipe_policy *p) 506 + { 507 + struct ipe_parsed_policy *pp = NULL; 508 + char *policy = NULL, *dup = NULL; 509 + bool header_parsed = false; 510 + char *line = NULL; 511 + size_t len; 512 + int rc = 0; 513 + 514 + if (!p->textlen) 515 + return -EBADMSG; 516 + 517 + policy = kmemdup_nul(p->text, p->textlen, GFP_KERNEL); 518 + if (!policy) 519 + return -ENOMEM; 520 + dup = policy; 521 + 522 + pp = new_parsed_policy(); 523 + if (IS_ERR(pp)) { 524 + rc = PTR_ERR(pp); 525 + goto out; 526 + } 527 + 528 + while ((line = strsep(&policy, IPE_LINE_DELIM)) != NULL) { 529 + remove_comment(line); 530 + len = remove_trailing_spaces(line); 531 + if (!len) 532 + continue; 533 + 534 + if (!header_parsed) { 535 + rc = parse_header(line, pp); 536 + if (rc) 537 + goto err; 538 + header_parsed = true; 539 + } else { 540 + rc = parse_rule(line, pp); 541 + if (rc) 542 + goto err; 543 + } 544 + } 545 + 546 + if (!header_parsed || validate_policy(pp)) { 547 + rc = -EBADMSG; 548 + goto err; 549 + } 550 + 551 + p->parsed = pp; 552 + 553 + out: 554 + kfree(dup); 555 + return rc; 556 + err: 557 + ipe_free_parsed_policy(pp); 558 + goto out; 559 + }

+11

security/ipe/policy_parser.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + #ifndef _IPE_POLICY_PARSER_H 6 + #define _IPE_POLICY_PARSER_H 7 + 8 + int ipe_parse_policy(struct ipe_policy *p); 9 + void ipe_free_parsed_policy(struct ipe_parsed_policy *p); 10 + 11 + #endif /* _IPE_POLICY_PARSER_H */

+296

security/ipe/policy_tests.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. 4 + */ 5 + 6 + #include <linux/slab.h> 7 + #include <linux/types.h> 8 + #include <linux/list.h> 9 + #include <kunit/test.h> 10 + #include "policy.h" 11 + struct policy_case { 12 + const char *const policy; 13 + int errno; 14 + const char *const desc; 15 + }; 16 + 17 + static const struct policy_case policy_cases[] = { 18 + { 19 + "policy_name=allowall policy_version=0.0.0\n" 20 + "DEFAULT action=ALLOW", 21 + 0, 22 + "basic", 23 + }, 24 + { 25 + "policy_name=trailing_comment policy_version=152.0.0 #This is comment\n" 26 + "DEFAULT action=ALLOW", 27 + 0, 28 + "trailing comment", 29 + }, 30 + { 31 + "policy_name=allowallnewline policy_version=0.2.0\n" 32 + "DEFAULT action=ALLOW\n" 33 + "\n", 34 + 0, 35 + "trailing newline", 36 + }, 37 + { 38 + "policy_name=carriagereturnlinefeed policy_version=0.0.1\n" 39 + "DEFAULT action=ALLOW\n" 40 + "\r\n", 41 + 0, 42 + "clrf newline", 43 + }, 44 + { 45 + "policy_name=whitespace policy_version=0.0.0\n" 46 + "DEFAULT\taction=ALLOW\n" 47 + " \t DEFAULT \t op=EXECUTE action=DENY\n" 48 + "op=EXECUTE boot_verified=TRUE action=ALLOW\n" 49 + "# this is a\tcomment\t\t\t\t\n" 50 + "DEFAULT \t op=KMODULE\t\t\t action=DENY\r\n" 51 + "op=KMODULE boot_verified=TRUE action=ALLOW\n", 52 + 0, 53 + "various whitespaces and nested default", 54 + }, 55 + { 56 + "policy_name=boot_verified policy_version=-1236.0.0\n" 57 + "DEFAULT\taction=ALLOW\n", 58 + -EINVAL, 59 + "negative version", 60 + }, 61 + { 62 + "policy_name=$@!*&^%%\\:;{}() policy_version=0.0.0\n" 63 + "DEFAULT action=ALLOW", 64 + 0, 65 + "special characters", 66 + }, 67 + { 68 + "policy_name=test policy_version=999999.0.0\n" 69 + "DEFAULT action=ALLOW", 70 + -ERANGE, 71 + "overflow version", 72 + }, 73 + { 74 + "policy_name=test policy_version=255.0\n" 75 + "DEFAULT action=ALLOW", 76 + -EBADMSG, 77 + "incomplete version", 78 + }, 79 + { 80 + "policy_name=test policy_version=111.0.0.0\n" 81 + "DEFAULT action=ALLOW", 82 + -EBADMSG, 83 + "extra version", 84 + }, 85 + { 86 + "", 87 + -EBADMSG, 88 + "0-length policy", 89 + }, 90 + { 91 + "policy_name=test\0policy_version=0.0.0\n" 92 + "DEFAULT action=ALLOW", 93 + -EBADMSG, 94 + "random null in header", 95 + }, 96 + { 97 + "policy_name=test policy_version=0.0.0\n" 98 + "\0DEFAULT action=ALLOW", 99 + -EBADMSG, 100 + "incomplete policy from NULL", 101 + }, 102 + { 103 + "policy_name=test policy_version=0.0.0\n" 104 + "DEFAULT action=DENY\n\0" 105 + "op=EXECUTE dmverity_signature=TRUE action=ALLOW\n", 106 + 0, 107 + "NULL truncates policy", 108 + }, 109 + { 110 + "policy_name=test policy_version=0.0.0\n" 111 + "DEFAULT action=ALLOW\n" 112 + "op=EXECUTE dmverity_signature=abc action=ALLOW", 113 + -EBADMSG, 114 + "invalid property type", 115 + }, 116 + { 117 + "DEFAULT action=ALLOW", 118 + -EBADMSG, 119 + "missing policy header", 120 + }, 121 + { 122 + "policy_name=test policy_version=0.0.0\n", 123 + -EBADMSG, 124 + "missing default definition", 125 + }, 126 + { 127 + "policy_name=test policy_version=0.0.0\n" 128 + "DEFAULT action=ALLOW\n" 129 + "dmverity_signature=TRUE op=EXECUTE action=ALLOW", 130 + -EBADMSG, 131 + "invalid rule ordering" 132 + }, 133 + { 134 + "policy_name=test policy_version=0.0.0\n" 135 + "DEFAULT action=ALLOW\n" 136 + "action=ALLOW op=EXECUTE dmverity_signature=TRUE", 137 + -EBADMSG, 138 + "invalid rule ordering (2)", 139 + }, 140 + { 141 + "policy_name=test policy_version=0.0\n" 142 + "DEFAULT action=ALLOW\n" 143 + "op=EXECUTE dmverity_signature=TRUE action=ALLOW", 144 + -EBADMSG, 145 + "invalid version", 146 + }, 147 + { 148 + "policy_name=test policy_version=0.0.0\n" 149 + "DEFAULT action=ALLOW\n" 150 + "op=UNKNOWN dmverity_signature=TRUE action=ALLOW", 151 + -EBADMSG, 152 + "unknown operation", 153 + }, 154 + { 155 + "policy_name=asdvpolicy_version=0.0.0\n" 156 + "DEFAULT action=ALLOW\n", 157 + -EBADMSG, 158 + "missing space after policy name", 159 + }, 160 + { 161 + "policy_name=test\xFF\xEF policy_version=0.0.0\n" 162 + "DEFAULT action=ALLOW\n" 163 + "op=EXECUTE dmverity_signature=TRUE action=ALLOW", 164 + 0, 165 + "expanded ascii", 166 + }, 167 + { 168 + "policy_name=test\xFF\xEF policy_version=0.0.0\n" 169 + "DEFAULT action=ALLOW\n" 170 + "op=EXECUTE dmverity_roothash=GOOD_DOG action=ALLOW", 171 + -EBADMSG, 172 + "invalid property value (2)", 173 + }, 174 + { 175 + "policy_name=test policy_version=0.0.0\n" 176 + "policy_name=test policy_version=0.1.0\n" 177 + "DEFAULT action=ALLOW", 178 + -EBADMSG, 179 + "double header" 180 + }, 181 + { 182 + "policy_name=test policy_version=0.0.0\n" 183 + "DEFAULT action=ALLOW\n" 184 + "DEFAULT action=ALLOW\n", 185 + -EBADMSG, 186 + "double default" 187 + }, 188 + { 189 + "policy_name=test policy_version=0.0.0\n" 190 + "DEFAULT action=ALLOW\n" 191 + "DEFAULT op=EXECUTE action=DENY\n" 192 + "DEFAULT op=EXECUTE action=ALLOW\n", 193 + -EBADMSG, 194 + "double operation default" 195 + }, 196 + { 197 + "policy_name=test policy_version=0.0.0\n" 198 + "DEFAULT action=ALLOW\n" 199 + "DEFAULT op=EXECUTE action=DEN\n", 200 + -EBADMSG, 201 + "invalid action value" 202 + }, 203 + { 204 + "policy_name=test policy_version=0.0.0\n" 205 + "DEFAULT action=ALLOW\n" 206 + "DEFAULT op=EXECUTE action\n", 207 + -EBADMSG, 208 + "invalid action value (2)" 209 + }, 210 + { 211 + "policy_name=test policy_version=0.0.0\n" 212 + "DEFAULT action=ALLOW\n" 213 + "UNKNOWN value=true\n", 214 + -EBADMSG, 215 + "unrecognized statement" 216 + }, 217 + { 218 + "policy_name=test policy_version=0.0.0\n" 219 + "DEFAULT action=ALLOW\n" 220 + "op=EXECUTE dmverity_roothash=1c0d7ee1f8343b7fbe418378e8eb22c061d7dec7 action=DENY\n", 221 + -EBADMSG, 222 + "old-style digest" 223 + }, 224 + { 225 + "policy_name=test policy_version=0.0.0\n" 226 + "DEFAULT action=ALLOW\n" 227 + "op=EXECUTE fsverity_digest=1c0d7ee1f8343b7fbe418378e8eb22c061d7dec7 action=DENY\n", 228 + -EBADMSG, 229 + "old-style digest" 230 + } 231 + }; 232 + 233 + static void pol_to_desc(const struct policy_case *c, char *desc) 234 + { 235 + strscpy(desc, c->desc, KUNIT_PARAM_DESC_SIZE); 236 + } 237 + 238 + KUNIT_ARRAY_PARAM(ipe_policies, policy_cases, pol_to_desc); 239 + 240 + /** 241 + * ipe_parser_unsigned_test - Test the parser by passing unsigned policies. 242 + * @test: Supplies a pointer to a kunit structure. 243 + * 244 + * This is called by the kunit harness. This test does not check the correctness 245 + * of the policy, but ensures that errors are handled correctly. 246 + */ 247 + static void ipe_parser_unsigned_test(struct kunit *test) 248 + { 249 + const struct policy_case *p = test->param_value; 250 + struct ipe_policy *pol; 251 + 252 + pol = ipe_new_policy(p->policy, strlen(p->policy), NULL, 0); 253 + 254 + if (p->errno) { 255 + KUNIT_EXPECT_EQ(test, PTR_ERR(pol), p->errno); 256 + return; 257 + } 258 + 259 + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pol); 260 + KUNIT_EXPECT_NOT_ERR_OR_NULL(test, pol->parsed); 261 + KUNIT_EXPECT_STREQ(test, pol->text, p->policy); 262 + KUNIT_EXPECT_PTR_EQ(test, NULL, pol->pkcs7); 263 + KUNIT_EXPECT_EQ(test, 0, pol->pkcs7len); 264 + 265 + ipe_free_policy(pol); 266 + } 267 + 268 + /** 269 + * ipe_parser_widestring_test - Ensure parser fail on a wide string policy. 270 + * @test: Supplies a pointer to a kunit structure. 271 + * 272 + * This is called by the kunit harness. 273 + */ 274 + static void ipe_parser_widestring_test(struct kunit *test) 275 + { 276 + const unsigned short policy[] = L"policy_name=Test policy_version=0.0.0\n" 277 + L"DEFAULT action=ALLOW"; 278 + struct ipe_policy *pol = NULL; 279 + 280 + pol = ipe_new_policy((const char *)policy, (ARRAY_SIZE(policy) - 1) * 2, NULL, 0); 281 + KUNIT_EXPECT_TRUE(test, IS_ERR_OR_NULL(pol)); 282 + 283 + ipe_free_policy(pol); 284 + } 285 + 286 + static struct kunit_case ipe_parser_test_cases[] = { 287 + KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params), 288 + KUNIT_CASE(ipe_parser_widestring_test), 289 + }; 290 + 291 + static struct kunit_suite ipe_parser_test_suite = { 292 + .name = "ipe-parser", 293 + .test_cases = ipe_parser_test_cases, 294 + }; 295 + 296 + kunit_test_suite(ipe_parser_test_suite);

+6 -3

security/landlock/fs.c

··· 1207 1207 1208 1208 /* Inode hooks */ 1209 1209 1210 - static void hook_inode_free_security(struct inode *const inode) 1210 + static void hook_inode_free_security_rcu(void *inode_security) 1211 1211 { 1212 + struct landlock_inode_security *inode_sec; 1213 + 1212 1214 /* 1213 1215 * All inodes must already have been untied from their object by 1214 1216 * release_inode() or hook_sb_delete(). 1215 1217 */ 1216 - WARN_ON_ONCE(landlock_inode(inode)->object); 1218 + inode_sec = inode_security + landlock_blob_sizes.lbs_inode; 1219 + WARN_ON_ONCE(inode_sec->object); 1217 1220 } 1218 1221 1219 1222 /* Super-block hooks */ ··· 1640 1637 } 1641 1638 1642 1639 static struct security_hook_list landlock_hooks[] __ro_after_init = { 1643 - LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), 1640 + LSM_HOOK_INIT(inode_free_security_rcu, hook_inode_free_security_rcu), 1644 1641 1645 1642 LSM_HOOK_INIT(sb_delete, hook_sb_delete), 1646 1643 LSM_HOOK_INIT(sb_mount, hook_sb_mount),

+1 -1

security/lockdown/lockdown.c

··· 76 76 LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), 77 77 }; 78 78 79 - const struct lsm_id lockdown_lsmid = { 79 + static const struct lsm_id lockdown_lsmid = { 80 80 .name = "lockdown", 81 81 .id = LSM_ID_LOCKDOWN, 82 82 };

+444 -171

security/security.c

··· 28 28 #include <linux/xattr.h> 29 29 #include <linux/msg.h> 30 30 #include <linux/overflow.h> 31 + #include <linux/perf_event.h> 32 + #include <linux/fs.h> 31 33 #include <net/flow.h> 34 + #include <net/sock.h> 32 35 33 - /* How many LSMs were built into the kernel? */ 34 - #define LSM_COUNT (__end_lsm_info - __start_lsm_info) 36 + #define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX 35 37 36 38 /* 37 - * How many LSMs are built into the kernel as determined at 38 - * build time. Used to determine fixed array sizes. 39 - * The capability module is accounted for by CONFIG_SECURITY 39 + * Identifier for the LSM static calls. 40 + * HOOK is an LSM hook as defined in linux/lsm_hookdefs.h 41 + * IDX is the index of the static call. 0 <= NUM < MAX_LSM_COUNT 40 42 */ 41 - #define LSM_CONFIG_COUNT ( \ 42 - (IS_ENABLED(CONFIG_SECURITY) ? 1 : 0) + \ 43 - (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \ 44 - (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \ 45 - (IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \ 46 - (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \ 47 - (IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \ 48 - (IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \ 49 - (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \ 50 - (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \ 51 - (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ 52 - (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \ 53 - (IS_ENABLED(CONFIG_IMA) ? 1 : 0) + \ 54 - (IS_ENABLED(CONFIG_EVM) ? 1 : 0)) 43 + #define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX 44 + 45 + /* 46 + * Call the macro M for each LSM hook MAX_LSM_COUNT times. 47 + */ 48 + #define LSM_LOOP_UNROLL(M, ...) \ 49 + do { \ 50 + UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) \ 51 + } while (0) 52 + 53 + #define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) 55 54 56 55 /* 57 56 * These are descriptions of the reasons that can be passed to the ··· 91 92 [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", 92 93 }; 93 94 94 - struct security_hook_heads security_hook_heads __ro_after_init; 95 95 static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); 96 96 97 97 static struct kmem_cache *lsm_file_cache; ··· 106 108 static __initconst const char *const builtin_lsm_order = CONFIG_LSM; 107 109 108 110 /* Ordered list of LSMs to initialize. */ 109 - static __initdata struct lsm_info **ordered_lsms; 111 + static __initdata struct lsm_info *ordered_lsms[MAX_LSM_COUNT + 1]; 110 112 static __initdata struct lsm_info *exclusive; 113 + 114 + #ifdef CONFIG_HAVE_STATIC_CALL 115 + #define LSM_HOOK_TRAMP(NAME, NUM) \ 116 + &STATIC_CALL_TRAMP(LSM_STATIC_CALL(NAME, NUM)) 117 + #else 118 + #define LSM_HOOK_TRAMP(NAME, NUM) NULL 119 + #endif 120 + 121 + /* 122 + * Define static calls and static keys for each LSM hook. 123 + */ 124 + #define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \ 125 + DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \ 126 + *((RET(*)(__VA_ARGS__))NULL)); \ 127 + DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM)); 128 + 129 + #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ 130 + LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__) 131 + #include <linux/lsm_hook_defs.h> 132 + #undef LSM_HOOK 133 + #undef DEFINE_LSM_STATIC_CALL 134 + 135 + /* 136 + * Initialise a table of static calls for each LSM hook. 137 + * DEFINE_STATIC_CALL_NULL invocation above generates a key (STATIC_CALL_KEY) 138 + * and a trampoline (STATIC_CALL_TRAMP) which are used to call 139 + * __static_call_update when updating the static call. 140 + * 141 + * The static calls table is used by early LSMs, some architectures can fault on 142 + * unaligned accesses and the fault handling code may not be ready by then. 143 + * Thus, the static calls table should be aligned to avoid any unhandled faults 144 + * in early init. 145 + */ 146 + struct lsm_static_calls_table 147 + static_calls_table __ro_after_init __aligned(sizeof(u64)) = { 148 + #define INIT_LSM_STATIC_CALL(NUM, NAME) \ 149 + (struct lsm_static_call) { \ 150 + .key = &STATIC_CALL_KEY(LSM_STATIC_CALL(NAME, NUM)), \ 151 + .trampoline = LSM_HOOK_TRAMP(NAME, NUM), \ 152 + .active = &SECURITY_HOOK_ACTIVE_KEY(NAME, NUM), \ 153 + }, 154 + #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ 155 + .NAME = { \ 156 + LSM_DEFINE_UNROLL(INIT_LSM_STATIC_CALL, NAME) \ 157 + }, 158 + #include <linux/lsm_hook_defs.h> 159 + #undef LSM_HOOK 160 + #undef INIT_LSM_STATIC_CALL 161 + }; 111 162 112 163 static __initdata bool debug; 113 164 #define init_debug(...) \ ··· 218 171 if (exists_ordered_lsm(lsm)) 219 172 return; 220 173 221 - if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from)) 174 + if (WARN(last_lsm == MAX_LSM_COUNT, "%s: out of LSM static calls!?\n", from)) 222 175 return; 223 176 224 177 /* Enable this LSM, if it is not already set. */ ··· 265 218 266 219 lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred); 267 220 lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file); 221 + lsm_set_blob_size(&needed->lbs_ib, &blob_sizes.lbs_ib); 268 222 /* 269 223 * The inode blob gets an rcu_head in addition to 270 224 * what the modules might need. ··· 274 226 blob_sizes.lbs_inode = sizeof(struct rcu_head); 275 227 lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); 276 228 lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); 229 + lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key); 277 230 lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); 231 + lsm_set_blob_size(&needed->lbs_perf_event, &blob_sizes.lbs_perf_event); 232 + lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); 278 233 lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); 279 234 lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); 235 + lsm_set_blob_size(&needed->lbs_tun_dev, &blob_sizes.lbs_tun_dev); 280 236 lsm_set_blob_size(&needed->lbs_xattr_count, 281 237 &blob_sizes.lbs_xattr_count); 238 + lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev); 282 239 } 283 240 284 241 /* Prepare LSM for initialization. */ ··· 321 268 * Current index to use while initializing the lsm id list. 322 269 */ 323 270 u32 lsm_active_cnt __ro_after_init; 324 - const struct lsm_id *lsm_idlist[LSM_CONFIG_COUNT]; 271 + const struct lsm_id *lsm_idlist[MAX_LSM_COUNT]; 325 272 326 273 /* Populate ordered LSMs list from comma-separated LSM name list. */ 327 274 static void __init ordered_lsm_parse(const char *order, const char *origin) ··· 403 350 kfree(sep); 404 351 } 405 352 353 + static void __init lsm_static_call_init(struct security_hook_list *hl) 354 + { 355 + struct lsm_static_call *scall = hl->scalls; 356 + int i; 357 + 358 + for (i = 0; i < MAX_LSM_COUNT; i++) { 359 + /* Update the first static call that is not used yet */ 360 + if (!scall->hl) { 361 + __static_call_update(scall->key, scall->trampoline, 362 + hl->hook.lsm_func_addr); 363 + scall->hl = hl; 364 + static_branch_enable(scall->active); 365 + return; 366 + } 367 + scall++; 368 + } 369 + panic("%s - Ran out of static slots.\n", __func__); 370 + } 371 + 406 372 static void __init lsm_early_cred(struct cred *cred); 407 373 static void __init lsm_early_task(struct task_struct *task); 408 374 ··· 450 378 { 451 379 struct lsm_info **lsm; 452 380 453 - ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), 454 - GFP_KERNEL); 455 - 456 381 if (chosen_lsm_order) { 457 382 if (chosen_major_lsm) { 458 383 pr_warn("security=%s is ignored because it is superseded by lsm=%s\n", ··· 467 398 468 399 init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); 469 400 init_debug("file blob size = %d\n", blob_sizes.lbs_file); 401 + init_debug("ib blob size = %d\n", blob_sizes.lbs_ib); 470 402 init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); 471 403 init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); 404 + #ifdef CONFIG_KEYS 405 + init_debug("key blob size = %d\n", blob_sizes.lbs_key); 406 + #endif /* CONFIG_KEYS */ 472 407 init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); 408 + init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); 473 409 init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); 410 + init_debug("perf event blob size = %d\n", blob_sizes.lbs_perf_event); 474 411 init_debug("task blob size = %d\n", blob_sizes.lbs_task); 412 + init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev); 475 413 init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); 414 + init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev); 476 415 477 416 /* 478 417 * Create any kmem_caches needed for blobs ··· 498 421 lsm_early_task(current); 499 422 for (lsm = ordered_lsms; *lsm; lsm++) 500 423 initialize_lsm(*lsm); 501 - 502 - kfree(ordered_lsms); 503 424 } 504 425 505 426 int __init early_security_init(void) 506 427 { 507 428 struct lsm_info *lsm; 508 - 509 - #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ 510 - INIT_HLIST_HEAD(&security_hook_heads.NAME); 511 - #include "linux/lsm_hook_defs.h" 512 - #undef LSM_HOOK 513 429 514 430 for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { 515 431 if (!lsm->enabled) ··· 624 554 * Look at the previous entry, if there is one, for duplication. 625 555 */ 626 556 if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] != lsmid) { 627 - if (lsm_active_cnt >= LSM_CONFIG_COUNT) 557 + if (lsm_active_cnt >= MAX_LSM_COUNT) 628 558 panic("%s Too many LSMs registered.\n", __func__); 629 559 lsm_idlist[lsm_active_cnt++] = lsmid; 630 560 } 631 561 632 562 for (i = 0; i < count; i++) { 633 563 hooks[i].lsmid = lsmid; 634 - hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); 564 + lsm_static_call_init(&hooks[i]); 635 565 } 636 566 637 567 /* ··· 666 596 EXPORT_SYMBOL(unregister_blocking_lsm_notifier); 667 597 668 598 /** 599 + * lsm_blob_alloc - allocate a composite blob 600 + * @dest: the destination for the blob 601 + * @size: the size of the blob 602 + * @gfp: allocation type 603 + * 604 + * Allocate a blob for all the modules 605 + * 606 + * Returns 0, or -ENOMEM if memory can't be allocated. 607 + */ 608 + static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp) 609 + { 610 + if (size == 0) { 611 + *dest = NULL; 612 + return 0; 613 + } 614 + 615 + *dest = kzalloc(size, gfp); 616 + if (*dest == NULL) 617 + return -ENOMEM; 618 + return 0; 619 + } 620 + 621 + /** 669 622 * lsm_cred_alloc - allocate a composite cred blob 670 623 * @cred: the cred that needs a blob 671 624 * @gfp: allocation type ··· 699 606 */ 700 607 static int lsm_cred_alloc(struct cred *cred, gfp_t gfp) 701 608 { 702 - if (blob_sizes.lbs_cred == 0) { 703 - cred->security = NULL; 704 - return 0; 705 - } 706 - 707 - cred->security = kzalloc(blob_sizes.lbs_cred, gfp); 708 - if (cred->security == NULL) 709 - return -ENOMEM; 710 - return 0; 609 + return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp); 711 610 } 712 611 713 612 /** ··· 745 660 * 746 661 * Returns 0, or -ENOMEM if memory can't be allocated. 747 662 */ 748 - int lsm_inode_alloc(struct inode *inode) 663 + static int lsm_inode_alloc(struct inode *inode) 749 664 { 750 665 if (!lsm_inode_cache) { 751 666 inode->i_security = NULL; ··· 768 683 */ 769 684 static int lsm_task_alloc(struct task_struct *task) 770 685 { 771 - if (blob_sizes.lbs_task == 0) { 772 - task->security = NULL; 773 - return 0; 774 - } 775 - 776 - task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); 777 - if (task->security == NULL) 778 - return -ENOMEM; 779 - return 0; 686 + return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL); 780 687 } 781 688 782 689 /** ··· 781 704 */ 782 705 static int lsm_ipc_alloc(struct kern_ipc_perm *kip) 783 706 { 784 - if (blob_sizes.lbs_ipc == 0) { 785 - kip->security = NULL; 786 - return 0; 787 - } 788 - 789 - kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL); 790 - if (kip->security == NULL) 791 - return -ENOMEM; 792 - return 0; 707 + return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL); 793 708 } 709 + 710 + #ifdef CONFIG_KEYS 711 + /** 712 + * lsm_key_alloc - allocate a composite key blob 713 + * @key: the key that needs a blob 714 + * 715 + * Allocate the key blob for all the modules 716 + * 717 + * Returns 0, or -ENOMEM if memory can't be allocated. 718 + */ 719 + static int lsm_key_alloc(struct key *key) 720 + { 721 + return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL); 722 + } 723 + #endif /* CONFIG_KEYS */ 794 724 795 725 /** 796 726 * lsm_msg_msg_alloc - allocate a composite msg_msg blob ··· 809 725 */ 810 726 static int lsm_msg_msg_alloc(struct msg_msg *mp) 811 727 { 812 - if (blob_sizes.lbs_msg_msg == 0) { 813 - mp->security = NULL; 728 + return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg, 729 + GFP_KERNEL); 730 + } 731 + 732 + /** 733 + * lsm_bdev_alloc - allocate a composite block_device blob 734 + * @bdev: the block_device that needs a blob 735 + * 736 + * Allocate the block_device blob for all the modules 737 + * 738 + * Returns 0, or -ENOMEM if memory can't be allocated. 739 + */ 740 + static int lsm_bdev_alloc(struct block_device *bdev) 741 + { 742 + if (blob_sizes.lbs_bdev == 0) { 743 + bdev->bd_security = NULL; 814 744 return 0; 815 745 } 816 746 817 - mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL); 818 - if (mp->security == NULL) 747 + bdev->bd_security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL); 748 + if (!bdev->bd_security) 819 749 return -ENOMEM; 750 + 820 751 return 0; 821 752 } 822 753 ··· 859 760 */ 860 761 static int lsm_superblock_alloc(struct super_block *sb) 861 762 { 862 - if (blob_sizes.lbs_superblock == 0) { 863 - sb->s_security = NULL; 864 - return 0; 865 - } 866 - 867 - sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL); 868 - if (sb->s_security == NULL) 869 - return -ENOMEM; 870 - return 0; 763 + return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock, 764 + GFP_KERNEL); 871 765 } 872 766 873 767 /** ··· 945 853 * call_int_hook: 946 854 * This is a hook that returns a value. 947 855 */ 856 + #define __CALL_STATIC_VOID(NUM, HOOK, ...) \ 857 + do { \ 858 + if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \ 859 + static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \ 860 + } \ 861 + } while (0); 948 862 949 - #define call_void_hook(FUNC, ...) \ 950 - do { \ 951 - struct security_hook_list *P; \ 952 - \ 953 - hlist_for_each_entry(P, &security_hook_heads.FUNC, list) \ 954 - P->hook.FUNC(__VA_ARGS__); \ 863 + #define call_void_hook(HOOK, ...) \ 864 + do { \ 865 + LSM_LOOP_UNROLL(__CALL_STATIC_VOID, HOOK, __VA_ARGS__); \ 955 866 } while (0) 956 867 957 - #define call_int_hook(FUNC, ...) ({ \ 958 - int RC = LSM_RET_DEFAULT(FUNC); \ 959 - do { \ 960 - struct security_hook_list *P; \ 961 - \ 962 - hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \ 963 - RC = P->hook.FUNC(__VA_ARGS__); \ 964 - if (RC != LSM_RET_DEFAULT(FUNC)) \ 965 - break; \ 966 - } \ 967 - } while (0); \ 968 - RC; \ 868 + 869 + #define __CALL_STATIC_INT(NUM, R, HOOK, LABEL, ...) \ 870 + do { \ 871 + if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \ 872 + R = static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \ 873 + if (R != LSM_RET_DEFAULT(HOOK)) \ 874 + goto LABEL; \ 875 + } \ 876 + } while (0); 877 + 878 + #define call_int_hook(HOOK, ...) \ 879 + ({ \ 880 + __label__ OUT; \ 881 + int RC = LSM_RET_DEFAULT(HOOK); \ 882 + \ 883 + LSM_LOOP_UNROLL(__CALL_STATIC_INT, RC, HOOK, OUT, __VA_ARGS__); \ 884 + OUT: \ 885 + RC; \ 969 886 }) 887 + 888 + #define lsm_for_each_hook(scall, NAME) \ 889 + for (scall = static_calls_table.NAME; \ 890 + scall - static_calls_table.NAME < MAX_LSM_COUNT; scall++) \ 891 + if (static_key_enabled(&scall->active->key)) 970 892 971 893 /* Security operations */ 972 894 ··· 1216 1110 */ 1217 1111 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) 1218 1112 { 1219 - struct security_hook_list *hp; 1113 + struct lsm_static_call *scall; 1220 1114 int cap_sys_admin = 1; 1221 1115 int rc; 1222 1116 1223 1117 /* 1224 - * The module will respond with a positive value if 1225 - * it thinks the __vm_enough_memory() call should be 1226 - * made with the cap_sys_admin set. If all of the modules 1227 - * agree that it should be set it will. If any module 1228 - * thinks it should not be set it won't. 1118 + * The module will respond with 0 if it thinks the __vm_enough_memory() 1119 + * call should be made with the cap_sys_admin set. If all of the modules 1120 + * agree that it should be set it will. If any module thinks it should 1121 + * not be set it won't. 1229 1122 */ 1230 - hlist_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) { 1231 - rc = hp->hook.vm_enough_memory(mm, pages); 1232 - if (rc <= 0) { 1123 + lsm_for_each_hook(scall, vm_enough_memory) { 1124 + rc = scall->hl->hook.vm_enough_memory(mm, pages); 1125 + if (rc < 0) { 1233 1126 cap_sys_admin = 0; 1234 1127 break; 1235 1128 } ··· 1374 1269 int security_fs_context_parse_param(struct fs_context *fc, 1375 1270 struct fs_parameter *param) 1376 1271 { 1377 - struct security_hook_list *hp; 1272 + struct lsm_static_call *scall; 1378 1273 int trc; 1379 1274 int rc = -ENOPARAM; 1380 1275 1381 - hlist_for_each_entry(hp, &security_hook_heads.fs_context_parse_param, 1382 - list) { 1383 - trc = hp->hook.fs_context_parse_param(fc, param); 1276 + lsm_for_each_hook(scall, fs_context_parse_param) { 1277 + trc = scall->hl->hook.fs_context_parse_param(fc, param); 1384 1278 if (trc == 0) 1385 1279 rc = 0; 1386 1280 else if (trc != -ENOPARAM) ··· 1609 1505 unsigned long kern_flags, 1610 1506 unsigned long *set_kern_flags) 1611 1507 { 1612 - struct security_hook_list *hp; 1508 + struct lsm_static_call *scall; 1613 1509 int rc = mnt_opts ? -EOPNOTSUPP : LSM_RET_DEFAULT(sb_set_mnt_opts); 1614 1510 1615 - hlist_for_each_entry(hp, &security_hook_heads.sb_set_mnt_opts, 1616 - list) { 1617 - rc = hp->hook.sb_set_mnt_opts(sb, mnt_opts, kern_flags, 1511 + lsm_for_each_hook(scall, sb_set_mnt_opts) { 1512 + rc = scall->hl->hook.sb_set_mnt_opts(sb, mnt_opts, kern_flags, 1618 1513 set_kern_flags); 1619 1514 if (rc != LSM_RET_DEFAULT(sb_set_mnt_opts)) 1620 1515 break; ··· 1699 1596 1700 1597 static void inode_free_by_rcu(struct rcu_head *head) 1701 1598 { 1702 - /* 1703 - * The rcu head is at the start of the inode blob 1704 - */ 1599 + /* The rcu head is at the start of the inode blob */ 1600 + call_void_hook(inode_free_security_rcu, head); 1705 1601 kmem_cache_free(lsm_inode_cache, head); 1706 1602 } 1707 1603 ··· 1708 1606 * security_inode_free() - Free an inode's LSM blob 1709 1607 * @inode: the inode 1710 1608 * 1711 - * Deallocate the inode security structure and set @inode->i_security to NULL. 1609 + * Release any LSM resources associated with @inode, although due to the 1610 + * inode's RCU protections it is possible that the resources will not be 1611 + * fully released until after the current RCU grace period has elapsed. 1612 + * 1613 + * It is important for LSMs to note that despite being present in a call to 1614 + * security_inode_free(), @inode may still be referenced in a VFS path walk 1615 + * and calls to security_inode_permission() may be made during, or after, 1616 + * a call to security_inode_free(). For this reason the inode->i_security 1617 + * field is released via a call_rcu() callback and any LSMs which need to 1618 + * retain inode state for use in security_inode_permission() should only 1619 + * release that state in the inode_free_security_rcu() LSM hook callback. 1712 1620 */ 1713 1621 void security_inode_free(struct inode *inode) 1714 1622 { 1715 1623 call_void_hook(inode_free_security, inode); 1716 - /* 1717 - * The inode may still be referenced in a path walk and 1718 - * a call to security_inode_permission() can be made 1719 - * after inode_free_security() is called. Ideally, the VFS 1720 - * wouldn't do this, but fixing that is a much harder 1721 - * job. For now, simply free the i_security via RCU, and 1722 - * leave the current inode->i_security pointer intact. 1723 - * The inode will be freed after the RCU grace period too. 1724 - */ 1725 - if (inode->i_security) 1726 - call_rcu((struct rcu_head *)inode->i_security, 1727 - inode_free_by_rcu); 1624 + if (!inode->i_security) 1625 + return; 1626 + call_rcu((struct rcu_head *)inode->i_security, inode_free_by_rcu); 1728 1627 } 1729 1628 1730 1629 /** ··· 1808 1705 const struct qstr *qstr, 1809 1706 const initxattrs initxattrs, void *fs_data) 1810 1707 { 1811 - struct security_hook_list *hp; 1708 + struct lsm_static_call *scall; 1812 1709 struct xattr *new_xattrs = NULL; 1813 1710 int ret = -EOPNOTSUPP, xattr_count = 0; 1814 1711 ··· 1826 1723 return -ENOMEM; 1827 1724 } 1828 1725 1829 - hlist_for_each_entry(hp, &security_hook_heads.inode_init_security, 1830 - list) { 1831 - ret = hp->hook.inode_init_security(inode, dir, qstr, new_xattrs, 1726 + lsm_for_each_hook(scall, inode_init_security) { 1727 + ret = scall->hl->hook.inode_init_security(inode, dir, qstr, new_xattrs, 1832 1728 &xattr_count); 1833 1729 if (ret && ret != -EOPNOTSUPP) 1834 1730 goto out; ··· 2763 2661 * lower layer to the union/overlay layer. The caller is responsible for 2764 2662 * reading and writing the xattrs, this hook is merely a filter. 2765 2663 * 2766 - * Return: Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP 2767 - * if the security module does not know about attribute, or a negative 2768 - * error code to abort the copy up. 2664 + * Return: Returns 0 to accept the xattr, -ECANCELED to discard the xattr, 2665 + * -EOPNOTSUPP if the security module does not know about attribute, 2666 + * or a negative error code to abort the copy up. 2769 2667 */ 2770 2668 int security_inode_copy_up_xattr(struct dentry *src, const char *name) 2771 2669 { 2772 2670 int rc; 2773 2671 2774 - /* 2775 - * The implementation can return 0 (accept the xattr), 1 (discard the 2776 - * xattr), -EOPNOTSUPP if it does not know anything about the xattr or 2777 - * any other error code in case of an error. 2778 - */ 2779 2672 rc = call_int_hook(inode_copy_up_xattr, src, name); 2780 2673 if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr)) 2781 2674 return rc; ··· 2778 2681 return LSM_RET_DEFAULT(inode_copy_up_xattr); 2779 2682 } 2780 2683 EXPORT_SYMBOL(security_inode_copy_up_xattr); 2684 + 2685 + /** 2686 + * security_inode_setintegrity() - Set the inode's integrity data 2687 + * @inode: inode 2688 + * @type: type of integrity, e.g. hash digest, signature, etc 2689 + * @value: the integrity value 2690 + * @size: size of the integrity value 2691 + * 2692 + * Register a verified integrity measurement of a inode with LSMs. 2693 + * LSMs should free the previously saved data if @value is NULL. 2694 + * 2695 + * Return: Returns 0 on success, negative values on failure. 2696 + */ 2697 + int security_inode_setintegrity(const struct inode *inode, 2698 + enum lsm_integrity_type type, const void *value, 2699 + size_t size) 2700 + { 2701 + return call_int_hook(inode_setintegrity, inode, type, value, size); 2702 + } 2703 + EXPORT_SYMBOL(security_inode_setintegrity); 2781 2704 2782 2705 /** 2783 2706 * security_kernfs_init_security() - Init LSM context for a kernfs node ··· 3047 2930 * 3048 2931 * Save owner security information (typically from current->security) in 3049 2932 * file->f_security for later use by the send_sigiotask hook. 2933 + * 2934 + * This hook is called with file->f_owner.lock held. 3050 2935 * 3051 2936 * Return: Returns 0 on success. 3052 2937 */ ··· 3676 3557 { 3677 3558 int thisrc; 3678 3559 int rc = LSM_RET_DEFAULT(task_prctl); 3679 - struct security_hook_list *hp; 3560 + struct lsm_static_call *scall; 3680 3561 3681 - hlist_for_each_entry(hp, &security_hook_heads.task_prctl, list) { 3682 - thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5); 3562 + lsm_for_each_hook(scall, task_prctl) { 3563 + thisrc = scall->hl->hook.task_prctl(option, arg2, arg3, arg4, arg5); 3683 3564 if (thisrc != LSM_RET_DEFAULT(task_prctl)) { 3684 3565 rc = thisrc; 3685 3566 if (thisrc != 0) ··· 4085 3966 int security_getselfattr(unsigned int attr, struct lsm_ctx __user *uctx, 4086 3967 u32 __user *size, u32 flags) 4087 3968 { 4088 - struct security_hook_list *hp; 3969 + struct lsm_static_call *scall; 4089 3970 struct lsm_ctx lctx = { .id = LSM_ID_UNDEF, }; 4090 3971 u8 __user *base = (u8 __user *)uctx; 4091 3972 u32 entrysize; ··· 4123 4004 * In the usual case gather all the data from the LSMs. 4124 4005 * In the single case only get the data from the LSM specified. 4125 4006 */ 4126 - hlist_for_each_entry(hp, &security_hook_heads.getselfattr, list) { 4127 - if (single && lctx.id != hp->lsmid->id) 4007 + lsm_for_each_hook(scall, getselfattr) { 4008 + if (single && lctx.id != scall->hl->lsmid->id) 4128 4009 continue; 4129 4010 entrysize = left; 4130 4011 if (base) 4131 4012 uctx = (struct lsm_ctx __user *)(base + total); 4132 - rc = hp->hook.getselfattr(attr, uctx, &entrysize, flags); 4013 + rc = scall->hl->hook.getselfattr(attr, uctx, &entrysize, flags); 4133 4014 if (rc == -EOPNOTSUPP) { 4134 4015 rc = 0; 4135 4016 continue; ··· 4178 4059 int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx, 4179 4060 u32 size, u32 flags) 4180 4061 { 4181 - struct security_hook_list *hp; 4062 + struct lsm_static_call *scall; 4182 4063 struct lsm_ctx *lctx; 4183 4064 int rc = LSM_RET_DEFAULT(setselfattr); 4184 4065 u64 required_len; ··· 4201 4082 goto free_out; 4202 4083 } 4203 4084 4204 - hlist_for_each_entry(hp, &security_hook_heads.setselfattr, list) 4205 - if ((hp->lsmid->id) == lctx->id) { 4206 - rc = hp->hook.setselfattr(attr, lctx, size, flags); 4085 + lsm_for_each_hook(scall, setselfattr) 4086 + if ((scall->hl->lsmid->id) == lctx->id) { 4087 + rc = scall->hl->hook.setselfattr(attr, lctx, size, flags); 4207 4088 break; 4208 4089 } 4209 4090 ··· 4226 4107 int security_getprocattr(struct task_struct *p, int lsmid, const char *name, 4227 4108 char **value) 4228 4109 { 4229 - struct security_hook_list *hp; 4110 + struct lsm_static_call *scall; 4230 4111 4231 - hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { 4232 - if (lsmid != 0 && lsmid != hp->lsmid->id) 4112 + lsm_for_each_hook(scall, getprocattr) { 4113 + if (lsmid != 0 && lsmid != scall->hl->lsmid->id) 4233 4114 continue; 4234 - return hp->hook.getprocattr(p, name, value); 4115 + return scall->hl->hook.getprocattr(p, name, value); 4235 4116 } 4236 4117 return LSM_RET_DEFAULT(getprocattr); 4237 4118 } ··· 4250 4131 */ 4251 4132 int security_setprocattr(int lsmid, const char *name, void *value, size_t size) 4252 4133 { 4253 - struct security_hook_list *hp; 4134 + struct lsm_static_call *scall; 4254 4135 4255 - hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { 4256 - if (lsmid != 0 && lsmid != hp->lsmid->id) 4136 + lsm_for_each_hook(scall, setprocattr) { 4137 + if (lsmid != 0 && lsmid != scall->hl->lsmid->id) 4257 4138 continue; 4258 - return hp->hook.setprocattr(name, value, size); 4139 + return scall->hl->hook.setprocattr(name, value, size); 4259 4140 } 4260 4141 return LSM_RET_DEFAULT(setprocattr); 4261 4142 } ··· 4793 4674 EXPORT_SYMBOL(security_socket_getpeersec_dgram); 4794 4675 4795 4676 /** 4677 + * lsm_sock_alloc - allocate a composite sock blob 4678 + * @sock: the sock that needs a blob 4679 + * @gfp: allocation mode 4680 + * 4681 + * Allocate the sock blob for all the modules 4682 + * 4683 + * Returns 0, or -ENOMEM if memory can't be allocated. 4684 + */ 4685 + static int lsm_sock_alloc(struct sock *sock, gfp_t gfp) 4686 + { 4687 + return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp); 4688 + } 4689 + 4690 + /** 4796 4691 * security_sk_alloc() - Allocate and initialize a sock's LSM blob 4797 4692 * @sk: sock 4798 4693 * @family: protocol family ··· 4819 4686 */ 4820 4687 int security_sk_alloc(struct sock *sk, int family, gfp_t priority) 4821 4688 { 4822 - return call_int_hook(sk_alloc_security, sk, family, priority); 4689 + int rc = lsm_sock_alloc(sk, priority); 4690 + 4691 + if (unlikely(rc)) 4692 + return rc; 4693 + rc = call_int_hook(sk_alloc_security, sk, family, priority); 4694 + if (unlikely(rc)) 4695 + security_sk_free(sk); 4696 + return rc; 4823 4697 } 4824 4698 4825 4699 /** ··· 4838 4698 void security_sk_free(struct sock *sk) 4839 4699 { 4840 4700 call_void_hook(sk_free_security, sk); 4701 + kfree(sk->sk_security); 4702 + sk->sk_security = NULL; 4841 4703 } 4842 4704 4843 4705 /** ··· 4987 4845 */ 4988 4846 int security_tun_dev_alloc_security(void **security) 4989 4847 { 4990 - return call_int_hook(tun_dev_alloc_security, security); 4848 + int rc; 4849 + 4850 + rc = lsm_blob_alloc(security, blob_sizes.lbs_tun_dev, GFP_KERNEL); 4851 + if (rc) 4852 + return rc; 4853 + 4854 + rc = call_int_hook(tun_dev_alloc_security, *security); 4855 + if (rc) { 4856 + kfree(*security); 4857 + *security = NULL; 4858 + } 4859 + return rc; 4991 4860 } 4992 4861 EXPORT_SYMBOL(security_tun_dev_alloc_security); 4993 4862 ··· 5010 4857 */ 5011 4858 void security_tun_dev_free_security(void *security) 5012 4859 { 5013 - call_void_hook(tun_dev_free_security, security); 4860 + kfree(security); 5014 4861 } 5015 4862 EXPORT_SYMBOL(security_tun_dev_free_security); 5016 4863 ··· 5206 5053 */ 5207 5054 int security_ib_alloc_security(void **sec) 5208 5055 { 5209 - return call_int_hook(ib_alloc_security, sec); 5056 + int rc; 5057 + 5058 + rc = lsm_blob_alloc(sec, blob_sizes.lbs_ib, GFP_KERNEL); 5059 + if (rc) 5060 + return rc; 5061 + 5062 + rc = call_int_hook(ib_alloc_security, *sec); 5063 + if (rc) { 5064 + kfree(*sec); 5065 + *sec = NULL; 5066 + } 5067 + return rc; 5210 5068 } 5211 5069 EXPORT_SYMBOL(security_ib_alloc_security); 5212 5070 ··· 5229 5065 */ 5230 5066 void security_ib_free_security(void *sec) 5231 5067 { 5232 - call_void_hook(ib_free_security, sec); 5068 + kfree(sec); 5233 5069 } 5234 5070 EXPORT_SYMBOL(security_ib_free_security); 5235 5071 #endif /* CONFIG_SECURITY_INFINIBAND */ ··· 5387 5223 struct xfrm_policy *xp, 5388 5224 const struct flowi_common *flic) 5389 5225 { 5390 - struct security_hook_list *hp; 5226 + struct lsm_static_call *scall; 5391 5227 int rc = LSM_RET_DEFAULT(xfrm_state_pol_flow_match); 5392 5228 5393 5229 /* ··· 5399 5235 * For speed optimization, we explicitly break the loop rather than 5400 5236 * using the macro 5401 5237 */ 5402 - hlist_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match, 5403 - list) { 5404 - rc = hp->hook.xfrm_state_pol_flow_match(x, xp, flic); 5238 + lsm_for_each_hook(scall, xfrm_state_pol_flow_match) { 5239 + rc = scall->hl->hook.xfrm_state_pol_flow_match(x, xp, flic); 5405 5240 break; 5406 5241 } 5407 5242 return rc; ··· 5445 5282 int security_key_alloc(struct key *key, const struct cred *cred, 5446 5283 unsigned long flags) 5447 5284 { 5448 - return call_int_hook(key_alloc, key, cred, flags); 5285 + int rc = lsm_key_alloc(key); 5286 + 5287 + if (unlikely(rc)) 5288 + return rc; 5289 + rc = call_int_hook(key_alloc, key, cred, flags); 5290 + if (unlikely(rc)) 5291 + security_key_free(key); 5292 + return rc; 5449 5293 } 5450 5294 5451 5295 /** ··· 5463 5293 */ 5464 5294 void security_key_free(struct key *key) 5465 5295 { 5466 - call_void_hook(key_free, key); 5296 + kfree(key->security); 5297 + key->security = NULL; 5467 5298 } 5468 5299 5469 5300 /** ··· 5767 5596 } 5768 5597 EXPORT_SYMBOL(security_locked_down); 5769 5598 5599 + /** 5600 + * security_bdev_alloc() - Allocate a block device LSM blob 5601 + * @bdev: block device 5602 + * 5603 + * Allocate and attach a security structure to @bdev->bd_security. The 5604 + * security field is initialized to NULL when the bdev structure is 5605 + * allocated. 5606 + * 5607 + * Return: Return 0 if operation was successful. 5608 + */ 5609 + int security_bdev_alloc(struct block_device *bdev) 5610 + { 5611 + int rc = 0; 5612 + 5613 + rc = lsm_bdev_alloc(bdev); 5614 + if (unlikely(rc)) 5615 + return rc; 5616 + 5617 + rc = call_int_hook(bdev_alloc_security, bdev); 5618 + if (unlikely(rc)) 5619 + security_bdev_free(bdev); 5620 + 5621 + return rc; 5622 + } 5623 + EXPORT_SYMBOL(security_bdev_alloc); 5624 + 5625 + /** 5626 + * security_bdev_free() - Free a block device's LSM blob 5627 + * @bdev: block device 5628 + * 5629 + * Deallocate the bdev security structure and set @bdev->bd_security to NULL. 5630 + */ 5631 + void security_bdev_free(struct block_device *bdev) 5632 + { 5633 + if (!bdev->bd_security) 5634 + return; 5635 + 5636 + call_void_hook(bdev_free_security, bdev); 5637 + 5638 + kfree(bdev->bd_security); 5639 + bdev->bd_security = NULL; 5640 + } 5641 + EXPORT_SYMBOL(security_bdev_free); 5642 + 5643 + /** 5644 + * security_bdev_setintegrity() - Set the device's integrity data 5645 + * @bdev: block device 5646 + * @type: type of integrity, e.g. hash digest, signature, etc 5647 + * @value: the integrity value 5648 + * @size: size of the integrity value 5649 + * 5650 + * Register a verified integrity measurement of a bdev with LSMs. 5651 + * LSMs should free the previously saved data if @value is NULL. 5652 + * Please note that the new hook should be invoked every time the security 5653 + * information is updated to keep these data current. For example, in dm-verity, 5654 + * if the mapping table is reloaded and configured to use a different dm-verity 5655 + * target with a new roothash and signing information, the previously stored 5656 + * data in the LSM blob will become obsolete. It is crucial to re-invoke the 5657 + * hook to refresh these data and ensure they are up to date. This necessity 5658 + * arises from the design of device-mapper, where a device-mapper device is 5659 + * first created, and then targets are subsequently loaded into it. These 5660 + * targets can be modified multiple times during the device's lifetime. 5661 + * Therefore, while the LSM blob is allocated during the creation of the block 5662 + * device, its actual contents are not initialized at this stage and can change 5663 + * substantially over time. This includes alterations from data that the LSMs 5664 + * 'trusts' to those they do not, making it essential to handle these changes 5665 + * correctly. Failure to address this dynamic aspect could potentially allow 5666 + * for bypassing LSM checks. 5667 + * 5668 + * Return: Returns 0 on success, negative values on failure. 5669 + */ 5670 + int security_bdev_setintegrity(struct block_device *bdev, 5671 + enum lsm_integrity_type type, const void *value, 5672 + size_t size) 5673 + { 5674 + return call_int_hook(bdev_setintegrity, bdev, type, value, size); 5675 + } 5676 + EXPORT_SYMBOL(security_bdev_setintegrity); 5677 + 5770 5678 #ifdef CONFIG_PERF_EVENTS 5771 5679 /** 5772 5680 * security_perf_event_open() - Check if a perf event open is allowed ··· 5871 5621 */ 5872 5622 int security_perf_event_alloc(struct perf_event *event) 5873 5623 { 5874 - return call_int_hook(perf_event_alloc, event); 5624 + int rc; 5625 + 5626 + rc = lsm_blob_alloc(&event->security, blob_sizes.lbs_perf_event, 5627 + GFP_KERNEL); 5628 + if (rc) 5629 + return rc; 5630 + 5631 + rc = call_int_hook(perf_event_alloc, event); 5632 + if (rc) { 5633 + kfree(event->security); 5634 + event->security = NULL; 5635 + } 5636 + return rc; 5875 5637 } 5876 5638 5877 5639 /** ··· 5894 5632 */ 5895 5633 void security_perf_event_free(struct perf_event *event) 5896 5634 { 5897 - call_void_hook(perf_event_free, event); 5635 + kfree(event->security); 5636 + event->security = NULL; 5898 5637 } 5899 5638 5900 5639 /** ··· 5966 5703 return call_int_hook(uring_cmd, ioucmd); 5967 5704 } 5968 5705 #endif /* CONFIG_IO_URING */ 5706 + 5707 + /** 5708 + * security_initramfs_populated() - Notify LSMs that initramfs has been loaded 5709 + * 5710 + * Tells the LSMs the initramfs has been unpacked into the rootfs. 5711 + */ 5712 + void security_initramfs_populated(void) 5713 + { 5714 + call_void_hook(initramfs_populated); 5715 + }

+60 -116

security/selinux/hooks.c

··· 2207 2207 } 2208 2208 2209 2209 /* 2210 - * Check that a process has enough memory to allocate a new virtual 2211 - * mapping. 0 means there is enough memory for the allocation to 2212 - * succeed and -ENOMEM implies there is not. 2210 + * Check permission for allocating a new virtual mapping. Returns 2211 + * 0 if permission is granted, negative error code if not. 2213 2212 * 2214 2213 * Do not audit the selinux permission check, as this is applied to all 2215 2214 * processes that allocate mappings. 2216 2215 */ 2217 2216 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2218 2217 { 2219 - int rc, cap_sys_admin = 0; 2220 - 2221 - rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2222 - CAP_OPT_NOAUDIT, true); 2223 - if (rc == 0) 2224 - cap_sys_admin = 1; 2225 - 2226 - return cap_sys_admin; 2218 + return cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2219 + CAP_OPT_NOAUDIT, true); 2227 2220 } 2228 2221 2229 2222 /* binprm security operations */ ··· 3536 3543 * xattrs up. Instead, filter out SELinux-related xattrs following 3537 3544 * policy load. 3538 3545 */ 3539 - if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0) 3540 - return 1; /* Discard */ 3546 + if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) 3547 + return -ECANCELED; /* Discard */ 3541 3548 /* 3542 3549 * Any other attribute apart from SELINUX is not claimed, supported 3543 3550 * by selinux. ··· 4592 4599 4593 4600 static int sock_has_perm(struct sock *sk, u32 perms) 4594 4601 { 4595 - struct sk_security_struct *sksec = sk->sk_security; 4602 + struct sk_security_struct *sksec = selinux_sock(sk); 4596 4603 struct common_audit_data ad; 4597 4604 struct lsm_network_audit net; 4598 4605 ··· 4660 4667 isec->initialized = LABEL_INITIALIZED; 4661 4668 4662 4669 if (sock->sk) { 4663 - sksec = sock->sk->sk_security; 4670 + sksec = selinux_sock(sock->sk); 4664 4671 sksec->sclass = sclass; 4665 4672 sksec->sid = sid; 4666 4673 /* Allows detection of the first association on this socket */ ··· 4676 4683 static int selinux_socket_socketpair(struct socket *socka, 4677 4684 struct socket *sockb) 4678 4685 { 4679 - struct sk_security_struct *sksec_a = socka->sk->sk_security; 4680 - struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4686 + struct sk_security_struct *sksec_a = selinux_sock(socka->sk); 4687 + struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); 4681 4688 4682 4689 sksec_a->peer_sid = sksec_b->sid; 4683 4690 sksec_b->peer_sid = sksec_a->sid; ··· 4692 4699 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4693 4700 { 4694 4701 struct sock *sk = sock->sk; 4695 - struct sk_security_struct *sksec = sk->sk_security; 4702 + struct sk_security_struct *sksec = selinux_sock(sk); 4696 4703 u16 family; 4697 4704 int err; 4698 4705 ··· 4832 4839 struct sockaddr *address, int addrlen) 4833 4840 { 4834 4841 struct sock *sk = sock->sk; 4835 - struct sk_security_struct *sksec = sk->sk_security; 4842 + struct sk_security_struct *sksec = selinux_sock(sk); 4836 4843 int err; 4837 4844 4838 4845 err = sock_has_perm(sk, SOCKET__CONNECT); ··· 5010 5017 struct sock *other, 5011 5018 struct sock *newsk) 5012 5019 { 5013 - struct sk_security_struct *sksec_sock = sock->sk_security; 5014 - struct sk_security_struct *sksec_other = other->sk_security; 5015 - struct sk_security_struct *sksec_new = newsk->sk_security; 5020 + struct sk_security_struct *sksec_sock = selinux_sock(sock); 5021 + struct sk_security_struct *sksec_other = selinux_sock(other); 5022 + struct sk_security_struct *sksec_new = selinux_sock(newsk); 5016 5023 struct common_audit_data ad; 5017 5024 struct lsm_network_audit net; 5018 5025 int err; ··· 5041 5048 static int selinux_socket_unix_may_send(struct socket *sock, 5042 5049 struct socket *other) 5043 5050 { 5044 - struct sk_security_struct *ssec = sock->sk->sk_security; 5045 - struct sk_security_struct *osec = other->sk->sk_security; 5051 + struct sk_security_struct *ssec = selinux_sock(sock->sk); 5052 + struct sk_security_struct *osec = selinux_sock(other->sk); 5046 5053 struct common_audit_data ad; 5047 5054 struct lsm_network_audit net; 5048 5055 ··· 5079 5086 u16 family) 5080 5087 { 5081 5088 int err = 0; 5082 - struct sk_security_struct *sksec = sk->sk_security; 5089 + struct sk_security_struct *sksec = selinux_sock(sk); 5083 5090 u32 sk_sid = sksec->sid; 5084 5091 struct common_audit_data ad; 5085 5092 struct lsm_network_audit net; ··· 5108 5115 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5109 5116 { 5110 5117 int err, peerlbl_active, secmark_active; 5111 - struct sk_security_struct *sksec = sk->sk_security; 5118 + struct sk_security_struct *sksec = selinux_sock(sk); 5112 5119 u16 family = sk->sk_family; 5113 5120 u32 sk_sid = sksec->sid; 5114 5121 struct common_audit_data ad; ··· 5176 5183 int err = 0; 5177 5184 char *scontext = NULL; 5178 5185 u32 scontext_len; 5179 - struct sk_security_struct *sksec = sock->sk->sk_security; 5186 + struct sk_security_struct *sksec = selinux_sock(sock->sk); 5180 5187 u32 peer_sid = SECSID_NULL; 5181 5188 5182 5189 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || ··· 5236 5243 5237 5244 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5238 5245 { 5239 - struct sk_security_struct *sksec; 5240 - 5241 - sksec = kzalloc(sizeof(*sksec), priority); 5242 - if (!sksec) 5243 - return -ENOMEM; 5246 + struct sk_security_struct *sksec = selinux_sock(sk); 5244 5247 5245 5248 sksec->peer_sid = SECINITSID_UNLABELED; 5246 5249 sksec->sid = SECINITSID_UNLABELED; 5247 5250 sksec->sclass = SECCLASS_SOCKET; 5248 5251 selinux_netlbl_sk_security_reset(sksec); 5249 - sk->sk_security = sksec; 5250 5252 5251 5253 return 0; 5252 5254 } 5253 5255 5254 5256 static void selinux_sk_free_security(struct sock *sk) 5255 5257 { 5256 - struct sk_security_struct *sksec = sk->sk_security; 5258 + struct sk_security_struct *sksec = selinux_sock(sk); 5257 5259 5258 - sk->sk_security = NULL; 5259 5260 selinux_netlbl_sk_security_free(sksec); 5260 - kfree(sksec); 5261 5261 } 5262 5262 5263 5263 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5264 5264 { 5265 - struct sk_security_struct *sksec = sk->sk_security; 5266 - struct sk_security_struct *newsksec = newsk->sk_security; 5265 + struct sk_security_struct *sksec = selinux_sock(sk); 5266 + struct sk_security_struct *newsksec = selinux_sock(newsk); 5267 5267 5268 5268 newsksec->sid = sksec->sid; 5269 5269 newsksec->peer_sid = sksec->peer_sid; ··· 5270 5284 if (!sk) 5271 5285 *secid = SECINITSID_ANY_SOCKET; 5272 5286 else { 5273 - const struct sk_security_struct *sksec = sk->sk_security; 5287 + const struct sk_security_struct *sksec = selinux_sock(sk); 5274 5288 5275 5289 *secid = sksec->sid; 5276 5290 } ··· 5280 5294 { 5281 5295 struct inode_security_struct *isec = 5282 5296 inode_security_novalidate(SOCK_INODE(parent)); 5283 - struct sk_security_struct *sksec = sk->sk_security; 5297 + struct sk_security_struct *sksec = selinux_sock(sk); 5284 5298 5285 5299 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5286 5300 sk->sk_family == PF_UNIX) ··· 5297 5311 { 5298 5312 struct sock *sk = asoc->base.sk; 5299 5313 u16 family = sk->sk_family; 5300 - struct sk_security_struct *sksec = sk->sk_security; 5314 + struct sk_security_struct *sksec = selinux_sock(sk); 5301 5315 struct common_audit_data ad; 5302 5316 struct lsm_network_audit net; 5303 5317 int err; ··· 5352 5366 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5353 5367 struct sk_buff *skb) 5354 5368 { 5355 - struct sk_security_struct *sksec = asoc->base.sk->sk_security; 5369 + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5356 5370 u32 conn_sid; 5357 5371 int err; 5358 5372 ··· 5385 5399 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5386 5400 struct sk_buff *skb) 5387 5401 { 5388 - struct sk_security_struct *sksec = asoc->base.sk->sk_security; 5402 + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5389 5403 5390 5404 if (!selinux_policycap_extsockclass()) 5391 5405 return 0; ··· 5484 5498 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5485 5499 struct sock *newsk) 5486 5500 { 5487 - struct sk_security_struct *sksec = sk->sk_security; 5488 - struct sk_security_struct *newsksec = newsk->sk_security; 5501 + struct sk_security_struct *sksec = selinux_sock(sk); 5502 + struct sk_security_struct *newsksec = selinux_sock(newsk); 5489 5503 5490 5504 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5491 5505 * the non-sctp clone version. ··· 5501 5515 5502 5516 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5503 5517 { 5504 - struct sk_security_struct *ssksec = ssk->sk_security; 5505 - struct sk_security_struct *sksec = sk->sk_security; 5518 + struct sk_security_struct *ssksec = selinux_sock(ssk); 5519 + struct sk_security_struct *sksec = selinux_sock(sk); 5506 5520 5507 5521 ssksec->sclass = sksec->sclass; 5508 5522 ssksec->sid = sksec->sid; ··· 5517 5531 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5518 5532 struct request_sock *req) 5519 5533 { 5520 - struct sk_security_struct *sksec = sk->sk_security; 5534 + struct sk_security_struct *sksec = selinux_sock(sk); 5521 5535 int err; 5522 5536 u16 family = req->rsk_ops->family; 5523 5537 u32 connsid; ··· 5538 5552 static void selinux_inet_csk_clone(struct sock *newsk, 5539 5553 const struct request_sock *req) 5540 5554 { 5541 - struct sk_security_struct *newsksec = newsk->sk_security; 5555 + struct sk_security_struct *newsksec = selinux_sock(newsk); 5542 5556 5543 5557 newsksec->sid = req->secid; 5544 5558 newsksec->peer_sid = req->peer_secid; ··· 5555 5569 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5556 5570 { 5557 5571 u16 family = sk->sk_family; 5558 - struct sk_security_struct *sksec = sk->sk_security; 5572 + struct sk_security_struct *sksec = selinux_sock(sk); 5559 5573 5560 5574 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5561 5575 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) ··· 5586 5600 flic->flowic_secid = req->secid; 5587 5601 } 5588 5602 5589 - static int selinux_tun_dev_alloc_security(void **security) 5603 + static int selinux_tun_dev_alloc_security(void *security) 5590 5604 { 5591 - struct tun_security_struct *tunsec; 5605 + struct tun_security_struct *tunsec = selinux_tun_dev(security); 5592 5606 5593 - tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5594 - if (!tunsec) 5595 - return -ENOMEM; 5596 5607 tunsec->sid = current_sid(); 5597 - 5598 - *security = tunsec; 5599 5608 return 0; 5600 - } 5601 - 5602 - static void selinux_tun_dev_free_security(void *security) 5603 - { 5604 - kfree(security); 5605 5609 } 5606 5610 5607 5611 static int selinux_tun_dev_create(void) ··· 5611 5635 5612 5636 static int selinux_tun_dev_attach_queue(void *security) 5613 5637 { 5614 - struct tun_security_struct *tunsec = security; 5638 + struct tun_security_struct *tunsec = selinux_tun_dev(security); 5615 5639 5616 5640 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5617 5641 TUN_SOCKET__ATTACH_QUEUE, NULL); ··· 5619 5643 5620 5644 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5621 5645 { 5622 - struct tun_security_struct *tunsec = security; 5623 - struct sk_security_struct *sksec = sk->sk_security; 5646 + struct tun_security_struct *tunsec = selinux_tun_dev(security); 5647 + struct sk_security_struct *sksec = selinux_sock(sk); 5624 5648 5625 5649 /* we don't currently perform any NetLabel based labeling here and it 5626 5650 * isn't clear that we would want to do so anyway; while we could apply ··· 5637 5661 5638 5662 static int selinux_tun_dev_open(void *security) 5639 5663 { 5640 - struct tun_security_struct *tunsec = security; 5664 + struct tun_security_struct *tunsec = selinux_tun_dev(security); 5641 5665 u32 sid = current_sid(); 5642 5666 int err; 5643 5667 ··· 5743 5767 return NF_ACCEPT; 5744 5768 5745 5769 /* standard practice, label using the parent socket */ 5746 - sksec = sk->sk_security; 5770 + sksec = selinux_sock(sk); 5747 5771 sid = sksec->sid; 5748 5772 } else 5749 5773 sid = SECINITSID_KERNEL; ··· 5766 5790 sk = skb_to_full_sk(skb); 5767 5791 if (sk == NULL) 5768 5792 return NF_ACCEPT; 5769 - sksec = sk->sk_security; 5793 + sksec = selinux_sock(sk); 5770 5794 5771 5795 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); 5772 5796 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) ··· 5855 5879 u32 skb_sid; 5856 5880 struct sk_security_struct *sksec; 5857 5881 5858 - sksec = sk->sk_security; 5882 + sksec = selinux_sock(sk); 5859 5883 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5860 5884 return NF_DROP; 5861 5885 /* At this point, if the returned skb peerlbl is SECSID_NULL ··· 5884 5908 } else { 5885 5909 /* Locally generated packet, fetch the security label from the 5886 5910 * associated socket. */ 5887 - struct sk_security_struct *sksec = sk->sk_security; 5911 + struct sk_security_struct *sksec = selinux_sock(sk); 5888 5912 peer_sid = sksec->sid; 5889 5913 secmark_perm = PACKET__SEND; 5890 5914 } ··· 5927 5951 unsigned int data_len = skb->len; 5928 5952 unsigned char *data = skb->data; 5929 5953 struct nlmsghdr *nlh; 5930 - struct sk_security_struct *sksec = sk->sk_security; 5954 + struct sk_security_struct *sksec = selinux_sock(sk); 5931 5955 u16 sclass = sksec->sclass; 5932 5956 u32 perm; 5933 5957 ··· 6661 6685 unsigned long flags) 6662 6686 { 6663 6687 const struct task_security_struct *tsec; 6664 - struct key_security_struct *ksec; 6665 - 6666 - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6667 - if (!ksec) 6668 - return -ENOMEM; 6688 + struct key_security_struct *ksec = selinux_key(k); 6669 6689 6670 6690 tsec = selinux_cred(cred); 6671 6691 if (tsec->keycreate_sid) ··· 6669 6697 else 6670 6698 ksec->sid = tsec->sid; 6671 6699 6672 - k->security = ksec; 6673 6700 return 0; 6674 - } 6675 - 6676 - static void selinux_key_free(struct key *k) 6677 - { 6678 - struct key_security_struct *ksec = k->security; 6679 - 6680 - k->security = NULL; 6681 - kfree(ksec); 6682 6701 } 6683 6702 6684 6703 static int selinux_key_permission(key_ref_t key_ref, ··· 6712 6749 6713 6750 sid = cred_sid(cred); 6714 6751 key = key_ref_to_ptr(key_ref); 6715 - ksec = key->security; 6752 + ksec = selinux_key(key); 6716 6753 6717 6754 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6718 6755 } 6719 6756 6720 6757 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6721 6758 { 6722 - struct key_security_struct *ksec = key->security; 6759 + struct key_security_struct *ksec = selinux_key(key); 6723 6760 char *context = NULL; 6724 6761 unsigned len; 6725 6762 int rc; ··· 6789 6826 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6790 6827 } 6791 6828 6792 - static int selinux_ib_alloc_security(void **ib_sec) 6829 + static int selinux_ib_alloc_security(void *ib_sec) 6793 6830 { 6794 - struct ib_security_struct *sec; 6831 + struct ib_security_struct *sec = selinux_ib(ib_sec); 6795 6832 6796 - sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6797 - if (!sec) 6798 - return -ENOMEM; 6799 6833 sec->sid = current_sid(); 6800 - 6801 - *ib_sec = sec; 6802 6834 return 0; 6803 - } 6804 - 6805 - static void selinux_ib_free_security(void *ib_sec) 6806 - { 6807 - kfree(ib_sec); 6808 6835 } 6809 6836 #endif 6810 6837 ··· 6961 7008 .lbs_file = sizeof(struct file_security_struct), 6962 7009 .lbs_inode = sizeof(struct inode_security_struct), 6963 7010 .lbs_ipc = sizeof(struct ipc_security_struct), 7011 + .lbs_key = sizeof(struct key_security_struct), 6964 7012 .lbs_msg_msg = sizeof(struct msg_security_struct), 7013 + #ifdef CONFIG_PERF_EVENTS 7014 + .lbs_perf_event = sizeof(struct perf_event_security_struct), 7015 + #endif 7016 + .lbs_sock = sizeof(struct sk_security_struct), 6965 7017 .lbs_superblock = sizeof(struct superblock_security_struct), 6966 7018 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, 7019 + .lbs_tun_dev = sizeof(struct tun_security_struct), 7020 + .lbs_ib = sizeof(struct ib_security_struct), 6967 7021 }; 6968 7022 6969 7023 #ifdef CONFIG_PERF_EVENTS ··· 6997 7037 { 6998 7038 struct perf_event_security_struct *perfsec; 6999 7039 7000 - perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); 7001 - if (!perfsec) 7002 - return -ENOMEM; 7003 - 7040 + perfsec = selinux_perf_event(event->security); 7004 7041 perfsec->sid = current_sid(); 7005 - event->security = perfsec; 7006 7042 7007 7043 return 0; 7008 - } 7009 - 7010 - static void selinux_perf_event_free(struct perf_event *event) 7011 - { 7012 - struct perf_event_security_struct *perfsec = event->security; 7013 - 7014 - event->security = NULL; 7015 - kfree(perfsec); 7016 7044 } 7017 7045 7018 7046 static int selinux_perf_event_read(struct perf_event *event) ··· 7270 7322 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7271 7323 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7272 7324 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7273 - LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7274 7325 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7275 7326 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7276 7327 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), ··· 7278 7331 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7279 7332 LSM_HOOK_INIT(ib_endport_manage_subnet, 7280 7333 selinux_ib_endport_manage_subnet), 7281 - LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7282 7334 #endif 7283 7335 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7284 7336 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), ··· 7291 7345 #endif 7292 7346 7293 7347 #ifdef CONFIG_KEYS 7294 - LSM_HOOK_INIT(key_free, selinux_key_free), 7295 7348 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7296 7349 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7297 7350 #ifdef CONFIG_KEY_NOTIFICATIONS ··· 7315 7370 7316 7371 #ifdef CONFIG_PERF_EVENTS 7317 7372 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7318 - LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7319 7373 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7320 7374 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7321 7375 #endif

+28

security/selinux/include/objsec.h

··· 195 195 return superblock->s_security + selinux_blob_sizes.lbs_superblock; 196 196 } 197 197 198 + #ifdef CONFIG_KEYS 199 + static inline struct key_security_struct *selinux_key(const struct key *key) 200 + { 201 + return key->security + selinux_blob_sizes.lbs_key; 202 + } 203 + #endif /* CONFIG_KEYS */ 204 + 205 + static inline struct sk_security_struct *selinux_sock(const struct sock *sock) 206 + { 207 + return sock->sk_security + selinux_blob_sizes.lbs_sock; 208 + } 209 + 210 + static inline struct tun_security_struct *selinux_tun_dev(void *security) 211 + { 212 + return security + selinux_blob_sizes.lbs_tun_dev; 213 + } 214 + 215 + static inline struct ib_security_struct *selinux_ib(void *ib_sec) 216 + { 217 + return ib_sec + selinux_blob_sizes.lbs_ib; 218 + } 219 + 220 + static inline struct perf_event_security_struct * 221 + selinux_perf_event(void *perf_event) 222 + { 223 + return perf_event + selinux_blob_sizes.lbs_perf_event; 224 + } 225 + 198 226 #endif /* _SELINUX_OBJSEC_H_ */

+12 -11

security/selinux/netlabel.c

··· 17 17 #include <linux/gfp.h> 18 18 #include <linux/ip.h> 19 19 #include <linux/ipv6.h> 20 + #include <linux/lsm_hooks.h> 20 21 #include <net/sock.h> 21 22 #include <net/netlabel.h> 22 23 #include <net/ip.h> ··· 69 68 static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) 70 69 { 71 70 int rc; 72 - struct sk_security_struct *sksec = sk->sk_security; 71 + struct sk_security_struct *sksec = selinux_sock(sk); 73 72 struct netlbl_lsm_secattr *secattr; 74 73 75 74 if (sksec->nlbl_secattr != NULL) ··· 102 101 const struct sock *sk, 103 102 u32 sid) 104 103 { 105 - struct sk_security_struct *sksec = sk->sk_security; 104 + struct sk_security_struct *sksec = selinux_sock(sk); 106 105 struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr; 107 106 108 107 if (secattr == NULL) ··· 242 241 * being labeled by it's parent socket, if it is just exit */ 243 242 sk = skb_to_full_sk(skb); 244 243 if (sk != NULL) { 245 - struct sk_security_struct *sksec = sk->sk_security; 244 + struct sk_security_struct *sksec = selinux_sock(sk); 246 245 247 246 if (sksec->nlbl_state != NLBL_REQSKB) 248 247 return 0; ··· 279 278 { 280 279 int rc; 281 280 struct netlbl_lsm_secattr secattr; 282 - struct sk_security_struct *sksec = asoc->base.sk->sk_security; 281 + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 283 282 struct sockaddr_in addr4; 284 283 struct sockaddr_in6 addr6; 285 284 ··· 358 357 */ 359 358 void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) 360 359 { 361 - struct sk_security_struct *sksec = sk->sk_security; 360 + struct sk_security_struct *sksec = selinux_sock(sk); 362 361 363 362 if (family == PF_INET || family == PF_INET6) 364 363 sksec->nlbl_state = NLBL_LABELED; ··· 376 375 */ 377 376 void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) 378 377 { 379 - struct sk_security_struct *sksec = sk->sk_security; 380 - struct sk_security_struct *newsksec = newsk->sk_security; 378 + struct sk_security_struct *sksec = selinux_sock(sk); 379 + struct sk_security_struct *newsksec = selinux_sock(newsk); 381 380 382 381 newsksec->nlbl_state = sksec->nlbl_state; 383 382 } ··· 395 394 int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) 396 395 { 397 396 int rc; 398 - struct sk_security_struct *sksec = sk->sk_security; 397 + struct sk_security_struct *sksec = selinux_sock(sk); 399 398 struct netlbl_lsm_secattr *secattr; 400 399 401 400 if (family != PF_INET && family != PF_INET6) ··· 512 511 { 513 512 int rc = 0; 514 513 struct sock *sk = sock->sk; 515 - struct sk_security_struct *sksec = sk->sk_security; 514 + struct sk_security_struct *sksec = selinux_sock(sk); 516 515 struct netlbl_lsm_secattr secattr; 517 516 518 517 if (selinux_netlbl_option(level, optname) && ··· 550 549 struct sockaddr *addr) 551 550 { 552 551 int rc; 553 - struct sk_security_struct *sksec = sk->sk_security; 552 + struct sk_security_struct *sksec = selinux_sock(sk); 554 553 struct netlbl_lsm_secattr *secattr; 555 554 556 555 /* connected sockets are allowed to disconnect when the address family ··· 588 587 int selinux_netlbl_socket_connect_locked(struct sock *sk, 589 588 struct sockaddr *addr) 590 589 { 591 - struct sk_security_struct *sksec = sk->sk_security; 590 + struct sk_security_struct *sksec = selinux_sock(sk); 592 591 593 592 if (sksec->nlbl_state != NLBL_REQSKB && 594 593 sksec->nlbl_state != NLBL_CONNLABELED)

+12

security/smack/smack.h

··· 355 355 return superblock->s_security + smack_blob_sizes.lbs_superblock; 356 356 } 357 357 358 + static inline struct socket_smack *smack_sock(const struct sock *sock) 359 + { 360 + return sock->sk_security + smack_blob_sizes.lbs_sock; 361 + } 362 + 363 + #ifdef CONFIG_KEYS 364 + static inline struct smack_known **smack_key(const struct key *key) 365 + { 366 + return key->security + smack_blob_sizes.lbs_key; 367 + } 368 + #endif /* CONFIG_KEYS */ 369 + 358 370 /* 359 371 * Is the directory transmuting? 360 372 */

+49 -58

security/smack/smack_lsm.c

··· 1606 1606 if (sock == NULL || sock->sk == NULL) 1607 1607 return -EOPNOTSUPP; 1608 1608 1609 - ssp = sock->sk->sk_security; 1609 + ssp = smack_sock(sock->sk); 1610 1610 1611 1611 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1612 1612 isp = ssp->smk_in; ··· 1994 1994 1995 1995 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1996 1996 sock = SOCKET_I(inode); 1997 - ssp = sock->sk->sk_security; 1997 + ssp = smack_sock(sock->sk); 1998 1998 tsp = smack_cred(current_cred()); 1999 1999 /* 2000 2000 * If the receiving process can't write to the ··· 2409 2409 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2410 2410 { 2411 2411 struct smack_known *skp = smk_of_current(); 2412 - struct socket_smack *ssp; 2413 - 2414 - ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2415 - if (ssp == NULL) 2416 - return -ENOMEM; 2412 + struct socket_smack *ssp = smack_sock(sk); 2417 2413 2418 2414 /* 2419 2415 * Sockets created by kernel threads receive web label. ··· 2423 2427 } 2424 2428 ssp->smk_packet = NULL; 2425 2429 2426 - sk->sk_security = ssp; 2427 - 2428 2430 return 0; 2429 2431 } 2430 2432 2433 + #ifdef SMACK_IPV6_PORT_LABELING 2431 2434 /** 2432 2435 * smack_sk_free_security - Free a socket blob 2433 2436 * @sk: the socket ··· 2435 2440 */ 2436 2441 static void smack_sk_free_security(struct sock *sk) 2437 2442 { 2438 - #ifdef SMACK_IPV6_PORT_LABELING 2439 2443 struct smk_port_label *spp; 2440 2444 2441 2445 if (sk->sk_family == PF_INET6) { ··· 2447 2453 } 2448 2454 rcu_read_unlock(); 2449 2455 } 2450 - #endif 2451 - kfree(sk->sk_security); 2452 2456 } 2457 + #endif 2453 2458 2454 2459 /** 2455 2460 * smack_sk_clone_security - Copy security context ··· 2459 2466 */ 2460 2467 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2461 2468 { 2462 - struct socket_smack *ssp_old = sk->sk_security; 2463 - struct socket_smack *ssp_new = newsk->sk_security; 2469 + struct socket_smack *ssp_old = smack_sock(sk); 2470 + struct socket_smack *ssp_new = smack_sock(newsk); 2464 2471 2465 2472 *ssp_new = *ssp_old; 2466 2473 } ··· 2576 2583 */ 2577 2584 static int smack_netlbl_add(struct sock *sk) 2578 2585 { 2579 - struct socket_smack *ssp = sk->sk_security; 2586 + struct socket_smack *ssp = smack_sock(sk); 2580 2587 struct smack_known *skp = ssp->smk_out; 2581 2588 int rc; 2582 2589 ··· 2609 2616 */ 2610 2617 static void smack_netlbl_delete(struct sock *sk) 2611 2618 { 2612 - struct socket_smack *ssp = sk->sk_security; 2619 + struct socket_smack *ssp = smack_sock(sk); 2613 2620 2614 2621 /* 2615 2622 * Take the label off the socket if one is set. ··· 2641 2648 struct smack_known *skp; 2642 2649 int rc = 0; 2643 2650 struct smack_known *hkp; 2644 - struct socket_smack *ssp = sk->sk_security; 2651 + struct socket_smack *ssp = smack_sock(sk); 2645 2652 struct smk_audit_info ad; 2646 2653 2647 2654 rcu_read_lock(); ··· 2714 2721 { 2715 2722 struct sock *sk = sock->sk; 2716 2723 struct sockaddr_in6 *addr6; 2717 - struct socket_smack *ssp = sock->sk->sk_security; 2724 + struct socket_smack *ssp = smack_sock(sock->sk); 2718 2725 struct smk_port_label *spp; 2719 2726 unsigned short port = 0; 2720 2727 ··· 2802 2809 int act) 2803 2810 { 2804 2811 struct smk_port_label *spp; 2805 - struct socket_smack *ssp = sk->sk_security; 2812 + struct socket_smack *ssp = smack_sock(sk); 2806 2813 struct smack_known *skp = NULL; 2807 2814 unsigned short port; 2808 2815 struct smack_known *object; ··· 2905 2912 if (sock == NULL || sock->sk == NULL) 2906 2913 return -EOPNOTSUPP; 2907 2914 2908 - ssp = sock->sk->sk_security; 2915 + ssp = smack_sock(sock->sk); 2909 2916 2910 2917 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2911 2918 ssp->smk_in = skp; ··· 2953 2960 * Sockets created by kernel threads receive web label. 2954 2961 */ 2955 2962 if (unlikely(current->flags & PF_KTHREAD)) { 2956 - ssp = sock->sk->sk_security; 2963 + ssp = smack_sock(sock->sk); 2957 2964 ssp->smk_in = &smack_known_web; 2958 2965 ssp->smk_out = &smack_known_web; 2959 2966 } ··· 2978 2985 static int smack_socket_socketpair(struct socket *socka, 2979 2986 struct socket *sockb) 2980 2987 { 2981 - struct socket_smack *asp = socka->sk->sk_security; 2982 - struct socket_smack *bsp = sockb->sk->sk_security; 2988 + struct socket_smack *asp = smack_sock(socka->sk); 2989 + struct socket_smack *bsp = smack_sock(sockb->sk); 2983 2990 2984 2991 asp->smk_packet = bsp->smk_out; 2985 2992 bsp->smk_packet = asp->smk_out; ··· 3042 3049 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3043 3050 rsp = smack_ipv6host_label(sip); 3044 3051 if (rsp != NULL) { 3045 - struct socket_smack *ssp = sock->sk->sk_security; 3052 + struct socket_smack *ssp = smack_sock(sock->sk); 3046 3053 3047 3054 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3048 3055 SMK_CONNECTING); ··· 3837 3844 { 3838 3845 struct smack_known *skp; 3839 3846 struct smack_known *okp; 3840 - struct socket_smack *ssp = sock->sk_security; 3841 - struct socket_smack *osp = other->sk_security; 3842 - struct socket_smack *nsp = newsk->sk_security; 3847 + struct socket_smack *ssp = smack_sock(sock); 3848 + struct socket_smack *osp = smack_sock(other); 3849 + struct socket_smack *nsp = smack_sock(newsk); 3843 3850 struct smk_audit_info ad; 3844 3851 int rc = 0; 3845 3852 #ifdef CONFIG_AUDIT ··· 3891 3898 */ 3892 3899 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3893 3900 { 3894 - struct socket_smack *ssp = sock->sk->sk_security; 3895 - struct socket_smack *osp = other->sk->sk_security; 3901 + struct socket_smack *ssp = smack_sock(sock->sk); 3902 + struct socket_smack *osp = smack_sock(other->sk); 3896 3903 struct smk_audit_info ad; 3897 3904 int rc; 3898 3905 ··· 3929 3936 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3930 3937 #endif 3931 3938 #ifdef SMACK_IPV6_SECMARK_LABELING 3932 - struct socket_smack *ssp = sock->sk->sk_security; 3939 + struct socket_smack *ssp = smack_sock(sock->sk); 3933 3940 struct smack_known *rsp; 3934 3941 #endif 3935 3942 int rc = 0; ··· 4141 4148 netlbl_secattr_init(&secattr); 4142 4149 4143 4150 if (sk) 4144 - ssp = sk->sk_security; 4151 + ssp = smack_sock(sk); 4145 4152 4146 4153 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4147 4154 skp = smack_from_secattr(&secattr, ssp); ··· 4163 4170 */ 4164 4171 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4165 4172 { 4166 - struct socket_smack *ssp = sk->sk_security; 4173 + struct socket_smack *ssp = smack_sock(sk); 4167 4174 struct smack_known *skp = NULL; 4168 4175 int rc = 0; 4169 4176 struct smk_audit_info ad; ··· 4267 4274 u32 slen = 1; 4268 4275 int rc = 0; 4269 4276 4270 - ssp = sock->sk->sk_security; 4277 + ssp = smack_sock(sock->sk); 4271 4278 if (ssp->smk_packet != NULL) { 4272 4279 rcp = ssp->smk_packet->smk_known; 4273 4280 slen = strlen(rcp) + 1; ··· 4317 4324 4318 4325 switch (family) { 4319 4326 case PF_UNIX: 4320 - ssp = sock->sk->sk_security; 4327 + ssp = smack_sock(sock->sk); 4321 4328 s = ssp->smk_out->smk_secid; 4322 4329 break; 4323 4330 case PF_INET: ··· 4366 4373 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4367 4374 return; 4368 4375 4369 - ssp = sk->sk_security; 4376 + ssp = smack_sock(sk); 4370 4377 ssp->smk_in = skp; 4371 4378 ssp->smk_out = skp; 4372 4379 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ ··· 4386 4393 { 4387 4394 u16 family = sk->sk_family; 4388 4395 struct smack_known *skp; 4389 - struct socket_smack *ssp = sk->sk_security; 4396 + struct socket_smack *ssp = smack_sock(sk); 4390 4397 struct sockaddr_in addr; 4391 4398 struct iphdr *hdr; 4392 4399 struct smack_known *hskp; ··· 4472 4479 static void smack_inet_csk_clone(struct sock *sk, 4473 4480 const struct request_sock *req) 4474 4481 { 4475 - struct socket_smack *ssp = sk->sk_security; 4482 + struct socket_smack *ssp = smack_sock(sk); 4476 4483 struct smack_known *skp; 4477 4484 4478 4485 if (req->peer_secid != 0) { ··· 4504 4511 static int smack_key_alloc(struct key *key, const struct cred *cred, 4505 4512 unsigned long flags) 4506 4513 { 4514 + struct smack_known **blob = smack_key(key); 4507 4515 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4508 4516 4509 - key->security = skp; 4517 + *blob = skp; 4510 4518 return 0; 4511 - } 4512 - 4513 - /** 4514 - * smack_key_free - Clear the key security blob 4515 - * @key: the object 4516 - * 4517 - * Clear the blob pointer 4518 - */ 4519 - static void smack_key_free(struct key *key) 4520 - { 4521 - key->security = NULL; 4522 4519 } 4523 4520 4524 4521 /** ··· 4524 4541 const struct cred *cred, 4525 4542 enum key_need_perm need_perm) 4526 4543 { 4544 + struct smack_known **blob; 4545 + struct smack_known *skp; 4527 4546 struct key *keyp; 4528 4547 struct smk_audit_info ad; 4529 4548 struct smack_known *tkp = smk_of_task(smack_cred(cred)); ··· 4563 4578 * If the key hasn't been initialized give it access so that 4564 4579 * it may do so. 4565 4580 */ 4566 - if (keyp->security == NULL) 4581 + blob = smack_key(keyp); 4582 + skp = *blob; 4583 + if (skp == NULL) 4567 4584 return 0; 4568 4585 /* 4569 4586 * This should not occur ··· 4581 4594 ad.a.u.key_struct.key = keyp->serial; 4582 4595 ad.a.u.key_struct.key_desc = keyp->description; 4583 4596 #endif 4584 - rc = smk_access(tkp, keyp->security, request, &ad); 4585 - rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4597 + rc = smk_access(tkp, skp, request, &ad); 4598 + rc = smk_bu_note("key access", tkp, skp, request, rc); 4586 4599 return rc; 4587 4600 } 4588 4601 ··· 4597 4610 */ 4598 4611 static int smack_key_getsecurity(struct key *key, char **_buffer) 4599 4612 { 4600 - struct smack_known *skp = key->security; 4613 + struct smack_known **blob = smack_key(key); 4614 + struct smack_known *skp = *blob; 4601 4615 size_t length; 4602 4616 char *copy; 4603 4617 4604 - if (key->security == NULL) { 4618 + if (skp == NULL) { 4605 4619 *_buffer = NULL; 4606 4620 return 0; 4607 4621 } ··· 4910 4922 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4911 4923 { 4912 4924 /* 4913 - * Return 1 if this is the smack access Smack attribute. 4925 + * Return -ECANCELED if this is the smack access Smack attribute. 4914 4926 */ 4915 - if (strcmp(name, XATTR_NAME_SMACK) == 0) 4916 - return 1; 4927 + if (!strcmp(name, XATTR_NAME_SMACK)) 4928 + return -ECANCELED; 4917 4929 4918 4930 return -EOPNOTSUPP; 4919 4931 } ··· 5036 5048 .lbs_file = sizeof(struct smack_known *), 5037 5049 .lbs_inode = sizeof(struct inode_smack), 5038 5050 .lbs_ipc = sizeof(struct smack_known *), 5051 + .lbs_key = sizeof(struct smack_known *), 5039 5052 .lbs_msg_msg = sizeof(struct smack_known *), 5053 + .lbs_sock = sizeof(struct socket_smack), 5040 5054 .lbs_superblock = sizeof(struct superblock_smack), 5041 5055 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5042 5056 }; ··· 5163 5173 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5164 5174 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5165 5175 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5176 + #ifdef SMACK_IPV6_PORT_LABELING 5166 5177 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5178 + #endif 5167 5179 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5168 5180 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 5169 5181 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), ··· 5174 5182 /* key management security hooks */ 5175 5183 #ifdef CONFIG_KEYS 5176 5184 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5177 - LSM_HOOK_INIT(key_free, smack_key_free), 5178 5185 LSM_HOOK_INIT(key_permission, smack_key_permission), 5179 5186 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5180 5187 #ifdef CONFIG_KEY_NOTIFICATIONS

+2 -2

security/smack/smack_netfilter.c

··· 26 26 struct socket_smack *ssp; 27 27 struct smack_known *skp; 28 28 29 - if (sk && sk->sk_security) { 30 - ssp = sk->sk_security; 29 + if (sk) { 30 + ssp = smack_sock(sk); 31 31 skp = ssp->smk_out; 32 32 skb->secmark = skp->smk_secid; 33 33 }

+3

tools/testing/selftests/lsm/lsm_list_modules_test.c

··· 128 128 case LSM_ID_EVM: 129 129 name = "evm"; 130 130 break; 131 + case LSM_ID_IPE: 132 + name = "ipe"; 133 + break; 131 134 default: 132 135 name = "INVALID"; 133 136 break;