Commit a430d95c authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'lsm-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

Pull lsm updates from Paul Moore:

 - Move the LSM framework to static calls

   This transitions the vast majority of the LSM callbacks into static
   calls. Those callbacks which haven't been converted were left as-is
   due to the general ugliness of the changes required to support the
   static call conversion; we can revisit those callbacks at a future
   date.

 - Add the Integrity Policy Enforcement (IPE) LSM

   This adds a new LSM, Integrity Policy Enforcement (IPE). There is
   plenty of documentation about IPE in this patches, so I'll refrain
   from going into too much detail here, but the basic motivation behind
   IPE is to provide a mechanism such that administrators can restrict
   execution to only those binaries which come from integrity protected
   storage, e.g. a dm-verity protected filesystem. You will notice that
   IPE requires additional LSM hooks in the initramfs, dm-verity, and
   fs-verity code, with the associated patches carrying ACK/review tags
   from the associated maintainers. We couldn't find an obvious
   maintainer for the initramfs code, but the IPE patchset has been
   widely posted over several years.

   Both Deven Bowers and Fan Wu have contributed to IPE's development
   over the past several years, with Fan Wu agreeing to serve as the IPE
   maintainer moving forward. Once IPE is accepted into your tree, I'll
   start working with Fan to ensure he has the necessary accounts, keys,
   etc. so that he can start submitting IPE pull requests to you
   directly during the next merge window.

 - Move the lifecycle management of the LSM blobs to the LSM framework

   Management of the LSM blobs (the LSM state buffers attached to
   various kernel structs, typically via a void pointer named "security"
   or similar) has been mixed, some blobs were allocated/managed by
   individual LSMs, others were managed by the LSM framework itself.

   Starting with this pull we move management of all the LSM blobs,
   minus the XFRM blob, into the framework itself, improving consistency
   across LSMs, and reducing the amount of duplicated code across LSMs.
   Due to some additional work required to migrate the XFRM blob, it has
   been left as a todo item for a later date; from a practical
   standpoint this omission should have little impact as only SELinux
   provides a XFRM LSM implementation.

 - Fix problems with the LSM's handling of F_SETOWN

   The LSM hook for the fcntl(F_SETOWN) operation had a couple of
   problems: it was racy with itself, and it was disconnected from the
   associated DAC related logic in such a way that the LSM state could
   be updated in cases where the DAC state would not. We fix both of
   these problems by moving the security_file_set_fowner() hook into the
   same section of code where the DAC attributes are updated. Not only
   does this resolve the DAC/LSM synchronization issue, but as that code
   block is protected by a lock, it also resolve the race condition.

 - Fix potential problems with the security_inode_free() LSM hook

   Due to use of RCU to protect inodes and the placement of the LSM hook
   associated with freeing the inode, there is a bit of a challenge when
   it comes to managing any LSM state associated with an inode. The VFS
   folks are not open to relocating the LSM hook so we have to get
   creative when it comes to releasing an inode's LSM state.
   Traditionally we have used a single LSM callback within the hook that
   is triggered when the inode is "marked for death", but not actually
   released due to RCU.

   Unfortunately, this causes problems for LSMs which want to take an
   action when the inode's associated LSM state is actually released; so
   we add an additional LSM callback, inode_free_security_rcu(), that is
   called when the inode's LSM state is released in the RCU free
   callback.

 - Refactor two LSM hooks to better fit the LSM return value patterns

   The vast majority of the LSM hooks follow the "return 0 on success,
   negative values on failure" pattern, however, there are a small
   handful that have unique return value behaviors which has caused
   confusion in the past and makes it difficult for the BPF verifier to
   properly vet BPF LSM programs. This includes patches to
   convert two of these"special" LSM hooks to the common 0/-ERRNO pattern.

 - Various cleanups and improvements

   A handful of patches to remove redundant code, better leverage the
   IS_ERR_OR_NULL() helper, add missing "static" markings, and do some
   minor style fixups.

* tag 'lsm-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: (40 commits)
  security: Update file_set_fowner documentation
  fs: Fix file_set_fowner LSM hook inconsistencies
  lsm: Use IS_ERR_OR_NULL() helper function
  lsm: remove LSM_COUNT and LSM_CONFIG_COUNT
  ipe: Remove duplicated include in ipe.c
  lsm: replace indirect LSM hook calls with static calls
  lsm: count the LSMs enabled at compile time
  kernel: Add helper macros for loop unrolling
  init/main.c: Initialize early LSMs after arch code, static keys and calls.
  MAINTAINERS: add IPE entry with Fan Wu as maintainer
  documentation: add IPE documentation
  ipe: kunit test for parser
  scripts: add boot policy generation program
  ipe: enable support for fs-verity as a trust provider
  fsverity: expose verified fsverity built-in signatures to LSMs
  lsm: add security_inode_setintegrity() hook
  ipe: add support for dm-verity as a trust provider
  dm-verity: expose root hash digest and signature data to LSMs
  block,lsm: add LSM blob and new LSM hooks for block devices
  ipe: add permissive toggle
  ...
parents ad060dbb 19c9d55d
...@@ -47,3 +47,4 @@ subdirectories. ...@@ -47,3 +47,4 @@ subdirectories.
tomoyo tomoyo
Yama Yama
SafeSetID SafeSetID
ipe
This diff is collapsed.
...@@ -2350,6 +2350,18 @@ ...@@ -2350,6 +2350,18 @@
ipcmni_extend [KNL,EARLY] Extend the maximum number of unique System V ipcmni_extend [KNL,EARLY] Extend the maximum number of unique System V
IPC identifiers from 32,768 to 16,777,216. IPC identifiers from 32,768 to 16,777,216.
ipe.enforce= [IPE]
Format: <bool>
Determine whether IPE starts in permissive (0) or
enforce (1) mode. The default is enforce.
ipe.success_audit=
[IPE]
Format: <bool>
Start IPE with success auditing enabled, emitting
an audit event when a binary is allowed. The default
is 0.
irqaffinity= [SMP] Set the default irq affinity mask irqaffinity= [SMP] Set the default irq affinity mask
The argument is a cpu list, as described above. The argument is a cpu list, as described above.
......
...@@ -86,6 +86,16 @@ authenticating fs-verity file hashes include: ...@@ -86,6 +86,16 @@ authenticating fs-verity file hashes include:
signature in their "security.ima" extended attribute, as controlled signature in their "security.ima" extended attribute, as controlled
by the IMA policy. For more information, see the IMA documentation. by the IMA policy. For more information, see the IMA documentation.
- Integrity Policy Enforcement (IPE). IPE supports enforcing access
control decisions based on immutable security properties of files,
including those protected by fs-verity's built-in signatures.
"IPE policy" specifically allows for the authorization of fs-verity
files using properties ``fsverity_digest`` for identifying
files by their verity digest, and ``fsverity_signature`` to authorize
files with a verified fs-verity's built-in signature. For
details on configuring IPE policies and understanding its operational
modes, please refer to :doc:`IPE admin guide </admin-guide/LSM/ipe>`.
- Trusted userspace code in combination with `Built-in signature - Trusted userspace code in combination with `Built-in signature
verification`_. This approach should be used only with great care. verification`_. This approach should be used only with great care.
...@@ -457,7 +467,11 @@ Enabling this option adds the following: ...@@ -457,7 +467,11 @@ Enabling this option adds the following:
On success, the ioctl persists the signature alongside the Merkle On success, the ioctl persists the signature alongside the Merkle
tree. Then, any time the file is opened, the kernel verifies the tree. Then, any time the file is opened, the kernel verifies the
file's actual digest against this signature, using the certificates file's actual digest against this signature, using the certificates
in the ".fs-verity" keyring. in the ".fs-verity" keyring. This verification happens as long as the
file's signature exists, regardless of the state of the sysctl variable
"fs.verity.require_signatures" described in the next item. The IPE LSM
relies on this behavior to recognize and label fsverity files
that contain a verified built-in fsverity signature.
3. A new sysctl "fs.verity.require_signatures" is made available. 3. A new sysctl "fs.verity.require_signatures" is made available.
When set to 1, the kernel requires that all verity files have a When set to 1, the kernel requires that all verity files have a
...@@ -481,7 +495,7 @@ be carefully considered before using them: ...@@ -481,7 +495,7 @@ be carefully considered before using them:
- Builtin signature verification does *not* make the kernel enforce - Builtin signature verification does *not* make the kernel enforce
that any files actually have fs-verity enabled. Thus, it is not a that any files actually have fs-verity enabled. Thus, it is not a
complete authentication policy. Currently, if it is used, the only complete authentication policy. Currently, if it is used, one
way to complete the authentication policy is for trusted userspace way to complete the authentication policy is for trusted userspace
code to explicitly check whether files have fs-verity enabled with a code to explicitly check whether files have fs-verity enabled with a
signature before they are accessed. (With signature before they are accessed. (With
...@@ -490,6 +504,15 @@ be carefully considered before using them: ...@@ -490,6 +504,15 @@ be carefully considered before using them:
could just store the signature alongside the file and verify it could just store the signature alongside the file and verify it
itself using a cryptographic library, instead of using this feature. itself using a cryptographic library, instead of using this feature.
- Another approach is to utilize fs-verity builtin signature
verification in conjunction with the IPE LSM, which supports defining
a kernel-enforced, system-wide authentication policy that allows only
files with a verified fs-verity builtin signature to perform certain
operations, such as execution. Note that IPE doesn't require
fs.verity.require_signatures=1.
Please refer to :doc:`IPE admin guide </admin-guide/LSM/ipe>` for
more details.
- A file's builtin signature can only be set at the same time that - A file's builtin signature can only be set at the same time that
fs-verity is being enabled on the file. Changing or deleting the fs-verity is being enabled on the file. Changing or deleting the
builtin signature later requires re-creating the file. builtin signature later requires re-creating the file.
......
...@@ -19,3 +19,4 @@ Security Documentation ...@@ -19,3 +19,4 @@ Security Documentation
digsig digsig
landlock landlock
secrets/index secrets/index
ipe
This diff is collapsed.
...@@ -11166,6 +11166,16 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git ...@@ -11166,6 +11166,16 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
F: security/integrity/ F: security/integrity/
F: security/integrity/ima/ F: security/integrity/ima/
INTEGRITY POLICY ENFORCEMENT (IPE)
M: Fan Wu <wufan@linux.microsoft.com>
L: linux-security-module@vger.kernel.org
S: Supported
T: git https://github.com/microsoft/ipe.git
F: Documentation/admin-guide/LSM/ipe.rst
F: Documentation/security/ipe.rst
F: scripts/ipe/
F: security/ipe/
INTEL 810/815 FRAMEBUFFER DRIVER INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <adaplas@gmail.com> M: Antonino Daplas <adaplas@gmail.com>
L: linux-fbdev@vger.kernel.org L: linux-fbdev@vger.kernel.org
......
...@@ -24,6 +24,7 @@ ...@@ -24,6 +24,7 @@
#include <linux/pseudo_fs.h> #include <linux/pseudo_fs.h>
#include <linux/uio.h> #include <linux/uio.h>
#include <linux/namei.h> #include <linux/namei.h>
#include <linux/security.h>
#include <linux/part_stat.h> #include <linux/part_stat.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
#include <linux/stat.h> #include <linux/stat.h>
...@@ -324,6 +325,11 @@ static struct inode *bdev_alloc_inode(struct super_block *sb) ...@@ -324,6 +325,11 @@ static struct inode *bdev_alloc_inode(struct super_block *sb)
if (!ei) if (!ei)
return NULL; return NULL;
memset(&ei->bdev, 0, sizeof(ei->bdev)); memset(&ei->bdev, 0, sizeof(ei->bdev));
if (security_bdev_alloc(&ei->bdev)) {
kmem_cache_free(bdev_cachep, ei);
return NULL;
}
return &ei->vfs_inode; return &ei->vfs_inode;
} }
...@@ -333,6 +339,7 @@ static void bdev_free_inode(struct inode *inode) ...@@ -333,6 +339,7 @@ static void bdev_free_inode(struct inode *inode)
free_percpu(bdev->bd_stats); free_percpu(bdev->bd_stats);
kfree(bdev->bd_meta_info); kfree(bdev->bd_meta_info);
security_bdev_free(bdev);
if (!bdev_is_partition(bdev)) { if (!bdev_is_partition(bdev)) {
if (bdev->bd_disk && bdev->bd_disk->bdi) if (bdev->bd_disk && bdev->bd_disk->bdi)
......
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
#include <linux/scatterlist.h> #include <linux/scatterlist.h>
#include <linux/string.h> #include <linux/string.h>
#include <linux/jump_label.h> #include <linux/jump_label.h>
#include <linux/security.h>
#define DM_MSG_PREFIX "verity" #define DM_MSG_PREFIX "verity"
...@@ -930,6 +931,41 @@ static void verity_io_hints(struct dm_target *ti, struct queue_limits *limits) ...@@ -930,6 +931,41 @@ static void verity_io_hints(struct dm_target *ti, struct queue_limits *limits)
limits->dma_alignment = limits->logical_block_size - 1; limits->dma_alignment = limits->logical_block_size - 1;
} }
#ifdef CONFIG_SECURITY
static int verity_init_sig(struct dm_verity *v, const void *sig,
size_t sig_size)
{
v->sig_size = sig_size;
if (sig) {
v->root_digest_sig = kmemdup(sig, v->sig_size, GFP_KERNEL);
if (!v->root_digest_sig)
return -ENOMEM;
}
return 0;
}
static void verity_free_sig(struct dm_verity *v)
{
kfree(v->root_digest_sig);
}
#else
static inline int verity_init_sig(struct dm_verity *v, const void *sig,
size_t sig_size)
{
return 0;
}
static inline void verity_free_sig(struct dm_verity *v)
{
}
#endif /* CONFIG_SECURITY */
static void verity_dtr(struct dm_target *ti) static void verity_dtr(struct dm_target *ti)
{ {
struct dm_verity *v = ti->private; struct dm_verity *v = ti->private;
...@@ -949,6 +985,7 @@ static void verity_dtr(struct dm_target *ti) ...@@ -949,6 +985,7 @@ static void verity_dtr(struct dm_target *ti)
kfree(v->initial_hashstate); kfree(v->initial_hashstate);
kfree(v->root_digest); kfree(v->root_digest);
kfree(v->zero_digest); kfree(v->zero_digest);
verity_free_sig(v);
if (v->ahash_tfm) { if (v->ahash_tfm) {
static_branch_dec(&ahash_enabled); static_branch_dec(&ahash_enabled);
...@@ -1418,6 +1455,13 @@ static int verity_ctr(struct dm_target *ti, unsigned int argc, char **argv) ...@@ -1418,6 +1455,13 @@ static int verity_ctr(struct dm_target *ti, unsigned int argc, char **argv)
ti->error = "Root hash verification failed"; ti->error = "Root hash verification failed";
goto bad; goto bad;
} }
r = verity_init_sig(v, verify_args.sig, verify_args.sig_size);
if (r < 0) {
ti->error = "Cannot allocate root digest signature";
goto bad;
}
v->hash_per_block_bits = v->hash_per_block_bits =
__fls((1 << v->hash_dev_block_bits) / v->digest_size); __fls((1 << v->hash_dev_block_bits) / v->digest_size);
...@@ -1559,8 +1603,79 @@ int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, unsigned i ...@@ -1559,8 +1603,79 @@ int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, unsigned i
return 0; return 0;
} }
#ifdef CONFIG_SECURITY
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
static int verity_security_set_signature(struct block_device *bdev,
struct dm_verity *v)
{
/*
* if the dm-verity target is unsigned, v->root_digest_sig will
* be NULL, and the hook call is still required to let LSMs mark
* the device as unsigned. This information is crucial for LSMs to
* block operations such as execution on unsigned files
*/
return security_bdev_setintegrity(bdev,
LSM_INT_DMVERITY_SIG_VALID,
v->root_digest_sig,
v->sig_size);
}
#else
static inline int verity_security_set_signature(struct block_device *bdev,
struct dm_verity *v)
{
return 0;
}
#endif /* CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG */
/*
* Expose verity target's root hash and signature data to LSMs before resume.
*
* Returns 0 on success, or -ENOMEM if the system is out of memory.
*/
static int verity_preresume(struct dm_target *ti)
{
struct block_device *bdev;
struct dm_verity_digest root_digest;
struct dm_verity *v;
int r;
v = ti->private;
bdev = dm_disk(dm_table_get_md(ti->table))->part0;
root_digest.digest = v->root_digest;
root_digest.digest_len = v->digest_size;
if (static_branch_unlikely(&ahash_enabled) && !v->shash_tfm)
root_digest.alg = crypto_ahash_alg_name(v->ahash_tfm);
else
root_digest.alg = crypto_shash_alg_name(v->shash_tfm);
r = security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, &root_digest,
sizeof(root_digest));
if (r)
return r;
r = verity_security_set_signature(bdev, v);
if (r)
goto bad;
return 0;
bad:
security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, NULL, 0);
return r;
}
#endif /* CONFIG_SECURITY */
static struct target_type verity_target = { static struct target_type verity_target = {
.name = "verity", .name = "verity",
/* Note: the LSMs depend on the singleton and immutable features */
.features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE, .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE,
.version = {1, 10, 0}, .version = {1, 10, 0},
.module = THIS_MODULE, .module = THIS_MODULE,
...@@ -1571,6 +1686,9 @@ static struct target_type verity_target = { ...@@ -1571,6 +1686,9 @@ static struct target_type verity_target = {
.prepare_ioctl = verity_prepare_ioctl, .prepare_ioctl = verity_prepare_ioctl,
.iterate_devices = verity_iterate_devices, .iterate_devices = verity_iterate_devices,
.io_hints = verity_io_hints, .io_hints = verity_io_hints,
#ifdef CONFIG_SECURITY
.preresume = verity_preresume,
#endif /* CONFIG_SECURITY */
}; };
module_dm(verity); module_dm(verity);
......
...@@ -45,6 +45,10 @@ struct dm_verity { ...@@ -45,6 +45,10 @@ struct dm_verity {
u8 *salt; /* salt: its size is salt_size */ u8 *salt; /* salt: its size is salt_size */
u8 *initial_hashstate; /* salted initial state, if shash_tfm is set */ u8 *initial_hashstate; /* salted initial state, if shash_tfm is set */
u8 *zero_digest; /* digest for a zero block */ u8 *zero_digest; /* digest for a zero block */
#ifdef CONFIG_SECURITY
u8 *root_digest_sig; /* signature of the root digest */
unsigned int sig_size; /* root digest signature size */
#endif /* CONFIG_SECURITY */
unsigned int salt_size; unsigned int salt_size;
sector_t data_start; /* data offset in 512-byte sectors */ sector_t data_start; /* data offset in 512-byte sectors */
sector_t hash_start; /* hash start in blocks */ sector_t hash_start; /* hash start in blocks */
......
...@@ -125,8 +125,8 @@ void file_f_owner_release(struct file *file) ...@@ -125,8 +125,8 @@ void file_f_owner_release(struct file *file)
} }
} }
static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
int force) int force)
{ {
struct fown_struct *f_owner; struct fown_struct *f_owner;
...@@ -142,19 +142,13 @@ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, ...@@ -142,19 +142,13 @@ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
if (pid) { if (pid) {
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
security_file_set_fowner(filp);
f_owner->uid = cred->uid; f_owner->uid = cred->uid;
f_owner->euid = cred->euid; f_owner->euid = cred->euid;
} }
} }
write_unlock_irq(&f_owner->lock); write_unlock_irq(&f_owner->lock);
} }
void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
int force)
{
security_file_set_fowner(filp);
f_modown(filp, pid, type, force);
}
EXPORT_SYMBOL(__f_setown); EXPORT_SYMBOL(__f_setown);
int f_setown(struct file *filp, int who, int force) int f_setown(struct file *filp, int who, int force)
...@@ -196,7 +190,7 @@ EXPORT_SYMBOL(f_setown); ...@@ -196,7 +190,7 @@ EXPORT_SYMBOL(f_setown);
void f_delown(struct file *filp) void f_delown(struct file *filp)
{ {
f_modown(filp, NULL, PIDTYPE_TGID, 1); __f_setown(filp, NULL, PIDTYPE_TGID, 1);
} }
pid_t f_getown(struct file *filp) pid_t f_getown(struct file *filp)
......
...@@ -115,12 +115,12 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de ...@@ -115,12 +115,12 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de
continue; continue;
error = security_inode_copy_up_xattr(old, name); error = security_inode_copy_up_xattr(old, name);
if (error < 0 && error != -EOPNOTSUPP) if (error == -ECANCELED) {
break;
if (error == 1) {
error = 0; error = 0;
continue; /* Discard */ continue; /* Discard */
} }
if (error < 0 && error != -EOPNOTSUPP)
break;
if (is_posix_acl_xattr(name)) { if (is_posix_acl_xattr(name)) {
error = ovl_copy_acl(OVL_FS(sb), oldpath, new, name); error = ovl_copy_acl(OVL_FS(sb), oldpath, new, name);
......
...@@ -17,6 +17,7 @@ ...@@ -17,6 +17,7 @@
#include <linux/cred.h> #include <linux/cred.h>
#include <linux/key.h> #include <linux/key.h>
#include <linux/security.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/verification.h> #include <linux/verification.h>
...@@ -41,7 +42,11 @@ static struct key *fsverity_keyring; ...@@ -41,7 +42,11 @@ static struct key *fsverity_keyring;
* @sig_size: size of signature in bytes, or 0 if no signature * @sig_size: size of signature in bytes, or 0 if no signature
* *
* If the file includes a signature of its fs-verity file digest, verify it * If the file includes a signature of its fs-verity file digest, verify it
* against the certificates in the fs-verity keyring. * against the certificates in the fs-verity keyring. Note that signatures
* are verified regardless of the state of the 'fsverity_require_signatures'
* variable and the LSM subsystem relies on this behavior to help enforce
* file integrity policies. Please discuss changes with the LSM list
* (thank you!).
* *
* Return: 0 on success (signature valid or not required); -errno on failure * Return: 0 on success (signature valid or not required); -errno on failure
*/ */
...@@ -106,6 +111,17 @@ int fsverity_verify_signature(const struct fsverity_info *vi, ...@@ -106,6 +111,17 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
return err; return err;
} }
err = security_inode_setintegrity(inode,
LSM_INT_FSVERITY_BUILTINSIG_VALID,
signature,
sig_size);
if (err) {
fsverity_err(inode, "Error %d exposing file signature to LSMs",
err);
return err;
}
return 0; return 0;
} }
......
...@@ -17,9 +17,9 @@ ...@@ -17,9 +17,9 @@
* that as _n. * that as _n.
*/ */
/* This counts to 12. Any more, it will return 13th argument. */ /* This counts to 15. Any more, it will return 16th argument. */
#define __COUNT_ARGS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _n, X...) _n #define __COUNT_ARGS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _13, _14, _15, _n, X...) _n
#define COUNT_ARGS(X...) __COUNT_ARGS(, ##X, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0) #define COUNT_ARGS(X...) __COUNT_ARGS(, ##X, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
/* Concatenate two parameters, but allow them to be expanded beforehand. */ /* Concatenate two parameters, but allow them to be expanded beforehand. */
#define __CONCAT(a, b) a ## b #define __CONCAT(a, b) a ## b
......
...@@ -71,6 +71,9 @@ struct block_device { ...@@ -71,6 +71,9 @@ struct block_device {
struct partition_meta_info *bd_meta_info; struct partition_meta_info *bd_meta_info;
int bd_writers; int bd_writers;
#ifdef CONFIG_SECURITY
void *bd_security;
#endif
/* /*
* keep this out-of-line as it's both big and not needed in the fast * keep this out-of-line as it's both big and not needed in the fast
* path * path
......
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2023 Google LLC.
*/
#ifndef __LINUX_LSM_COUNT_H
#define __LINUX_LSM_COUNT_H
#include <linux/args.h>
#ifdef CONFIG_SECURITY
/*
* Macros to count the number of LSMs enabled in the kernel at compile time.
*/
/*
* Capabilities is enabled when CONFIG_SECURITY is enabled.
*/
#if IS_ENABLED(CONFIG_SECURITY)
#define CAPABILITIES_ENABLED 1,
#else
#define CAPABILITIES_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_SELINUX)
#define SELINUX_ENABLED 1,
#else
#define SELINUX_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_SMACK)
#define SMACK_ENABLED 1,
#else
#define SMACK_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_APPARMOR)
#define APPARMOR_ENABLED 1,
#else
#define APPARMOR_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_TOMOYO)
#define TOMOYO_ENABLED 1,
#else
#define TOMOYO_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_YAMA)
#define YAMA_ENABLED 1,
#else
#define YAMA_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_LOADPIN)
#define LOADPIN_ENABLED 1,
#else
#define LOADPIN_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM)
#define LOCKDOWN_ENABLED 1,
#else
#define LOCKDOWN_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_SAFESETID)
#define SAFESETID_ENABLED 1,
#else
#define SAFESETID_ENABLED
#endif
#if IS_ENABLED(CONFIG_BPF_LSM)
#define BPF_LSM_ENABLED 1,
#else
#define BPF_LSM_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK)
#define LANDLOCK_ENABLED 1,
#else
#define LANDLOCK_ENABLED
#endif
#if IS_ENABLED(CONFIG_IMA)
#define IMA_ENABLED 1,
#else
#define IMA_ENABLED
#endif
#if IS_ENABLED(CONFIG_EVM)
#define EVM_ENABLED 1,
#else
#define EVM_ENABLED
#endif
#if IS_ENABLED(CONFIG_SECURITY_IPE)
#define IPE_ENABLED 1,
#else
#define IPE_ENABLED
#endif
/*
* There is a trailing comma that we need to be accounted for. This is done by
* using a skipped argument in __COUNT_LSMS
*/
#define __COUNT_LSMS(skipped_arg, args...) COUNT_ARGS(args...)
#define COUNT_LSMS(args...) __COUNT_LSMS(args)
#define MAX_LSM_COUNT \
COUNT_LSMS( \
CAPABILITIES_ENABLED \
SELINUX_ENABLED \
SMACK_ENABLED \
APPARMOR_ENABLED \
TOMOYO_ENABLED \
YAMA_ENABLED \
LOADPIN_ENABLED \
LOCKDOWN_ENABLED \
SAFESETID_ENABLED \
BPF_LSM_ENABLED \
LANDLOCK_ENABLED \
IMA_ENABLED \
EVM_ENABLED \
IPE_ENABLED)
#else
#define MAX_LSM_COUNT 0
#endif /* CONFIG_SECURITY */
#endif /* __LINUX_LSM_COUNT_H */
...@@ -48,7 +48,7 @@ LSM_HOOK(int, 0, quota_on, struct dentry *dentry) ...@@ -48,7 +48,7 @@ LSM_HOOK(int, 0, quota_on, struct dentry *dentry)
LSM_HOOK(int, 0, syslog, int type) LSM_HOOK(int, 0, syslog, int type)
LSM_HOOK(int, 0, settime, const struct timespec64 *ts, LSM_HOOK(int, 0, settime, const struct timespec64 *ts,
const struct timezone *tz) const struct timezone *tz)
LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages) LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)
LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file) LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file)
LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
...@@ -114,6 +114,7 @@ LSM_HOOK(int, 0, path_notify, const struct path *path, u64 mask, ...@@ -114,6 +114,7 @@ LSM_HOOK(int, 0, path_notify, const struct path *path, u64 mask,
unsigned int obj_type) unsigned int obj_type)
LSM_HOOK(int, 0, inode_alloc_security, struct inode *inode) LSM_HOOK(int, 0, inode_alloc_security, struct inode *inode)
LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode) LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode)
LSM_HOOK(void, LSM_RET_VOID, inode_free_security_rcu, void *inode_security)
LSM_HOOK(int, -EOPNOTSUPP, inode_init_security, struct inode *inode, LSM_HOOK(int, -EOPNOTSUPP, inode_init_security, struct inode *inode,
struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, struct inode *dir, const struct qstr *qstr, struct xattr *xattrs,
int *xattr_count) int *xattr_count)
...@@ -179,6 +180,8 @@ LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) ...@@ -179,6 +180,8 @@ LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid)
LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new)
LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src, LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src,
const char *name) const char *name)
LSM_HOOK(int, 0, inode_setintegrity, const struct inode *inode,
enum lsm_integrity_type type, const void *value, size_t size)
LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir, LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir,
struct kernfs_node *kn) struct kernfs_node *kn)
LSM_HOOK(int, 0, file_permission, struct file *file, int mask) LSM_HOOK(int, 0, file_permission, struct file *file, int mask)
...@@ -353,8 +356,7 @@ LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_inc, void) ...@@ -353,8 +356,7 @@ LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_inc, void)
LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_dec, void) LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_dec, void)
LSM_HOOK(void, LSM_RET_VOID, req_classify_flow, const struct request_sock *req, LSM_HOOK(void, LSM_RET_VOID, req_classify_flow, const struct request_sock *req,
struct flowi_common *flic) struct flowi_common *flic)
LSM_HOOK(int, 0, tun_dev_alloc_security, void **security) LSM_HOOK(int, 0, tun_dev_alloc_security, void *security)
LSM_HOOK(void, LSM_RET_VOID, tun_dev_free_security, void *security)
LSM_HOOK(int, 0, tun_dev_create, void) LSM_HOOK(int, 0, tun_dev_create, void)
LSM_HOOK(int, 0, tun_dev_attach_queue, void *security) LSM_HOOK(int, 0, tun_dev_attach_queue, void *security)
LSM_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security) LSM_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security)
...@@ -374,8 +376,7 @@ LSM_HOOK(int, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk) ...@@ -374,8 +376,7 @@ LSM_HOOK(int, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk)
LSM_HOOK(int, 0, ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey) LSM_HOOK(int, 0, ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey)
LSM_HOOK(int, 0, ib_endport_manage_subnet, void *sec, const char *dev_name, LSM_HOOK(int, 0, ib_endport_manage_subnet, void *sec, const char *dev_name,
u8 port_num) u8 port_num)
LSM_HOOK(int, 0, ib_alloc_security, void **sec) LSM_HOOK(int, 0, ib_alloc_security, void *sec)
LSM_HOOK(void, LSM_RET_VOID, ib_free_security, void *sec)
#endif /* CONFIG_SECURITY_INFINIBAND */ #endif /* CONFIG_SECURITY_INFINIBAND */
#ifdef CONFIG_SECURITY_NETWORK_XFRM #ifdef CONFIG_SECURITY_NETWORK_XFRM
...@@ -403,7 +404,6 @@ LSM_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid, ...@@ -403,7 +404,6 @@ LSM_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid,
#ifdef CONFIG_KEYS #ifdef CONFIG_KEYS
LSM_HOOK(int, 0, key_alloc, struct key *key, const struct cred *cred, LSM_HOOK(int, 0, key_alloc, struct key *key, const struct cred *cred,
unsigned long flags) unsigned long flags)
LSM_HOOK(void, LSM_RET_VOID, key_free, struct key *key)
LSM_HOOK(int, 0, key_permission, key_ref_t key_ref, const struct cred *cred, LSM_HOOK(int, 0, key_permission, key_ref_t key_ref, const struct cred *cred,
enum key_need_perm need_perm) enum key_need_perm need_perm)
LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer)
...@@ -442,7 +442,6 @@ LSM_HOOK(int, 0, locked_down, enum lockdown_reason what) ...@@ -442,7 +442,6 @@ LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
#ifdef CONFIG_PERF_EVENTS #ifdef CONFIG_PERF_EVENTS
LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
LSM_HOOK(int, 0, perf_event_alloc, struct perf_event *event) LSM_HOOK(int, 0, perf_event_alloc, struct perf_event *event)
LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event)
LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) LSM_HOOK(int, 0, perf_event_read, struct perf_event *event)
LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
#endif /* CONFIG_PERF_EVENTS */ #endif /* CONFIG_PERF_EVENTS */
...@@ -452,3 +451,10 @@ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) ...@@ -452,3 +451,10 @@ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
LSM_HOOK(int, 0, uring_sqpoll, void) LSM_HOOK(int, 0, uring_sqpoll, void)
LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
#endif /* CONFIG_IO_URING */ #endif /* CONFIG_IO_URING */
LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void)
LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev)
LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev)
LSM_HOOK(int, 0, bdev_setintegrity, struct block_device *bdev,
enum lsm_integrity_type type, const void *value, size_t size)
...@@ -30,19 +30,47 @@ ...@@ -30,19 +30,47 @@
#include <linux/init.h> #include <linux/init.h>
#include <linux/rculist.h> #include <linux/rculist.h>
#include <linux/xattr.h> #include <linux/xattr.h>
#include <linux/static_call.h>
#include <linux/unroll.h>
#include <linux/jump_label.h>
#include <linux/lsm_count.h>
union security_list_options { union security_list_options {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
#include "lsm_hook_defs.h" #include "lsm_hook_defs.h"
#undef LSM_HOOK #undef LSM_HOOK
void *lsm_func_addr;
}; };
struct security_hook_heads { /*
#define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME; * @key: static call key as defined by STATIC_CALL_KEY
#include "lsm_hook_defs.h" * @trampoline: static call trampoline as defined by STATIC_CALL_TRAMP
#undef LSM_HOOK * @hl: The security_hook_list as initialized by the owning LSM.
* @active: Enabled when the static call has an LSM hook associated.
*/
struct lsm_static_call {
struct static_call_key *key;
void *trampoline;
struct security_hook_list *hl;
/* this needs to be true or false based on what the key defaults to */
struct static_key_false *active;
} __randomize_layout; } __randomize_layout;
/*
* Table of the static calls for each LSM hook.
* Once the LSMs are initialized, their callbacks will be copied to these
* tables such that the calls are filled backwards (from last to first).
* This way, we can jump directly to the first used static call, and execute
* all of them after. This essentially makes the entry point
* dynamic to adapt the number of static calls to the number of callbacks.
*/
struct lsm_static_calls_table {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
struct lsm_static_call NAME[MAX_LSM_COUNT];
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
} __packed __randomize_layout;
/** /**
* struct lsm_id - Identify a Linux Security Module. * struct lsm_id - Identify a Linux Security Module.
* @lsm: name of the LSM, must be approved by the LSM maintainers * @lsm: name of the LSM, must be approved by the LSM maintainers
...@@ -51,53 +79,45 @@ struct security_hook_heads { ...@@ -51,53 +79,45 @@ struct security_hook_heads {
* Contains the information that identifies the LSM. * Contains the information that identifies the LSM.
*/ */
struct lsm_id { struct lsm_id {
const char *name; const char *name;
u64 id; u64 id;
}; };
/* /*
* Security module hook list structure. * Security module hook list structure.
* For use with generic list macros for common operations. * For use with generic list macros for common operations.
*
* struct security_hook_list - Contents of a cacheable, mappable object.
* @scalls: The beginning of the array of static calls assigned to this hook.
* @hook: The callback for the hook.
* @lsm: The name of the lsm that owns this hook.
*/ */
struct security_hook_list { struct security_hook_list {
struct hlist_node list; struct lsm_static_call *scalls;
struct hlist_head *head; union security_list_options hook;
union security_list_options hook; const struct lsm_id *lsmid;
const struct lsm_id *lsmid;
} __randomize_layout; } __randomize_layout;
/* /*
* Security blob size or offset data. * Security blob size or offset data.
*/ */
struct lsm_blob_sizes { struct lsm_blob_sizes {
int lbs_cred; int lbs_cred;
int lbs_file; int lbs_file;
int lbs_inode; int lbs_ib;
int lbs_superblock; int lbs_inode;
int lbs_ipc; int lbs_sock;
int lbs_msg_msg; int lbs_superblock;
int lbs_task; int lbs_ipc;
int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ int lbs_key;
int lbs_msg_msg;
int lbs_perf_event;
int lbs_task;
int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
int lbs_tun_dev;
int lbs_bdev;
}; };
/**
* lsm_get_xattr_slot - Return the next available slot and increment the index
* @xattrs: array storing LSM-provided xattrs
* @xattr_count: number of already stored xattrs (updated)
*
* Retrieve the first available slot in the @xattrs array to fill with an xattr,
* and increment @xattr_count.
*
* Return: The slot to fill in @xattrs if non-NULL, NULL otherwise.
*/
static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs,
int *xattr_count)
{
if (unlikely(!xattrs))
return NULL;
return &xattrs[(*xattr_count)++];
}
/* /*
* LSM_RET_VOID is used as the default value in LSM_HOOK definitions for void * LSM_RET_VOID is used as the default value in LSM_HOOK definitions for void
* LSM hooks (in include/linux/lsm_hook_defs.h). * LSM hooks (in include/linux/lsm_hook_defs.h).
...@@ -110,11 +130,11 @@ static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs, ...@@ -110,11 +130,11 @@ static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs,
* care of the common case and reduces the amount of * care of the common case and reduces the amount of
* text involved. * text involved.
*/ */
#define LSM_HOOK_INIT(HEAD, HOOK) \ #define LSM_HOOK_INIT(NAME, HOOK) \
{ .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } } { \
.scalls = static_calls_table.NAME, \
extern struct security_hook_heads security_hook_heads; .hook = { .NAME = HOOK } \
extern char *lsm_names; }
extern void security_add_hooks(struct security_hook_list *hooks, int count, extern void security_add_hooks(struct security_hook_list *hooks, int count,
const struct lsm_id *lsmid); const struct lsm_id *lsmid);
...@@ -137,9 +157,6 @@ struct lsm_info { ...@@ -137,9 +157,6 @@ struct lsm_info {
struct lsm_blob_sizes *blobs; /* Optional: for blob sharing. */ struct lsm_blob_sizes *blobs; /* Optional: for blob sharing. */
}; };
extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
#define DEFINE_LSM(lsm) \ #define DEFINE_LSM(lsm) \
static struct lsm_info __lsm_##lsm \ static struct lsm_info __lsm_##lsm \
__used __section(".lsm_info.init") \ __used __section(".lsm_info.init") \
...@@ -150,6 +167,28 @@ extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; ...@@ -150,6 +167,28 @@ extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
__used __section(".early_lsm_info.init") \ __used __section(".early_lsm_info.init") \
__aligned(sizeof(unsigned long)) __aligned(sizeof(unsigned long))
extern int lsm_inode_alloc(struct inode *inode); /* DO NOT tamper with these variables outside of the LSM framework */
extern char *lsm_names;
extern struct lsm_static_calls_table static_calls_table __ro_after_init;
extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
/**
* lsm_get_xattr_slot - Return the next available slot and increment the index
* @xattrs: array storing LSM-provided xattrs
* @xattr_count: number of already stored xattrs (updated)
*
* Retrieve the first available slot in the @xattrs array to fill with an xattr,
* and increment @xattr_count.
*
* Return: The slot to fill in @xattrs if non-NULL, NULL otherwise.
*/
static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs,
int *xattr_count)
{
if (unlikely(!xattrs))
return NULL;
return &xattrs[(*xattr_count)++];
}
#endif /* ! __LINUX_LSM_HOOKS_H */ #endif /* ! __LINUX_LSM_HOOKS_H */
...@@ -83,6 +83,18 @@ enum lsm_event { ...@@ -83,6 +83,18 @@ enum lsm_event {
LSM_POLICY_CHANGE, LSM_POLICY_CHANGE,
}; };
struct dm_verity_digest {
const char *alg;
const u8 *digest;
size_t digest_len;
};
enum lsm_integrity_type {
LSM_INT_DMVERITY_SIG_VALID,
LSM_INT_DMVERITY_ROOTHASH,
LSM_INT_FSVERITY_BUILTINSIG_VALID,
};
/* /*
* These are reasons that can be passed to the security_locked_down() * These are reasons that can be passed to the security_locked_down()
* LSM hook. Lockdown reasons that protect kernel integrity (ie, the * LSM hook. Lockdown reasons that protect kernel integrity (ie, the
...@@ -399,6 +411,9 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer ...@@ -399,6 +411,9 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
void security_inode_getsecid(struct inode *inode, u32 *secid); void security_inode_getsecid(struct inode *inode, u32 *secid);
int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up(struct dentry *src, struct cred **new);
int security_inode_copy_up_xattr(struct dentry *src, const char *name); int security_inode_copy_up_xattr(struct dentry *src, const char *name);
int security_inode_setintegrity(const struct inode *inode,
enum lsm_integrity_type type, const void *value,
size_t size);
int security_kernfs_init_security(struct kernfs_node *kn_dir, int security_kernfs_init_security(struct kernfs_node *kn_dir,
struct kernfs_node *kn); struct kernfs_node *kn);
int security_file_permission(struct file *file, int mask); int security_file_permission(struct file *file, int mask);
...@@ -509,6 +524,11 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); ...@@ -509,6 +524,11 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what); int security_locked_down(enum lockdown_reason what);
int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len, int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
void *val, size_t val_len, u64 id, u64 flags); void *val, size_t val_len, u64 id, u64 flags);
int security_bdev_alloc(struct block_device *bdev);
void security_bdev_free(struct block_device *bdev);
int security_bdev_setintegrity(struct block_device *bdev,
enum lsm_integrity_type type, const void *value,
size_t size);
#else /* CONFIG_SECURITY */ #else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
...@@ -634,7 +654,7 @@ static inline int security_settime64(const struct timespec64 *ts, ...@@ -634,7 +654,7 @@ static inline int security_settime64(const struct timespec64 *ts,
static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{ {
return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages)); return __vm_enough_memory(mm, pages, !cap_vm_enough_memory(mm, pages));
} }
static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm) static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm)
...@@ -1010,6 +1030,13 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new) ...@@ -1010,6 +1030,13 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
return 0; return 0;
} }
static inline int security_inode_setintegrity(const struct inode *inode,
enum lsm_integrity_type type,
const void *value, size_t size)
{
return 0;
}
static inline int security_kernfs_init_security(struct kernfs_node *kn_dir, static inline int security_kernfs_init_security(struct kernfs_node *kn_dir,
struct kernfs_node *kn) struct kernfs_node *kn)
{ {
...@@ -1483,6 +1510,23 @@ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, ...@@ -1483,6 +1510,23 @@ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
{ {
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
static inline int security_bdev_alloc(struct block_device *bdev)
{
return 0;
}
static inline void security_bdev_free(struct block_device *bdev)
{
}
static inline int security_bdev_setintegrity(struct block_device *bdev,
enum lsm_integrity_type type,
const void *value, size_t size)
{
return 0;
}
#endif /* CONFIG_SECURITY */ #endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
...@@ -2090,6 +2134,7 @@ struct dentry *securityfs_create_symlink(const char *name, ...@@ -2090,6 +2134,7 @@ struct dentry *securityfs_create_symlink(const char *name,
const char *target, const char *target,
const struct inode_operations *iops); const struct inode_operations *iops);
extern void securityfs_remove(struct dentry *dentry); extern void securityfs_remove(struct dentry *dentry);
extern void securityfs_recursive_remove(struct dentry *dentry);
#else /* CONFIG_SECURITYFS */ #else /* CONFIG_SECURITYFS */
...@@ -2256,4 +2301,12 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd) ...@@ -2256,4 +2301,12 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
#endif /* CONFIG_SECURITY */ #endif /* CONFIG_SECURITY */
#endif /* CONFIG_IO_URING */ #endif /* CONFIG_IO_URING */
#ifdef CONFIG_SECURITY
extern void security_initramfs_populated(void);
#else
static inline void security_initramfs_populated(void)
{
}
#endif /* CONFIG_SECURITY */
#endif /* ! __LINUX_SECURITY_H */ #endif /* ! __LINUX_SECURITY_H */
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2023 Google LLC.
*/
#ifndef __UNROLL_H
#define __UNROLL_H
#include <linux/args.h>
#define UNROLL(N, MACRO, args...) CONCATENATE(__UNROLL_, N)(MACRO, args)
#define __UNROLL_0(MACRO, args...)
#define __UNROLL_1(MACRO, args...) __UNROLL_0(MACRO, args) MACRO(0, args)
#define __UNROLL_2(MACRO, args...) __UNROLL_1(MACRO, args) MACRO(1, args)
#define __UNROLL_3(MACRO, args...) __UNROLL_2(MACRO, args) MACRO(2, args)
#define __UNROLL_4(MACRO, args...) __UNROLL_3(MACRO, args) MACRO(3, args)
#define __UNROLL_5(MACRO, args...) __UNROLL_4(MACRO, args) MACRO(4, args)
#define __UNROLL_6(MACRO, args...) __UNROLL_5(MACRO, args) MACRO(5, args)
#define __UNROLL_7(MACRO, args...) __UNROLL_6(MACRO, args) MACRO(6, args)
#define __UNROLL_8(MACRO, args...) __UNROLL_7(MACRO, args) MACRO(7, args)
#define __UNROLL_9(MACRO, args...) __UNROLL_8(MACRO, args) MACRO(8, args)
#define __UNROLL_10(MACRO, args...) __UNROLL_9(MACRO, args) MACRO(9, args)
#define __UNROLL_11(MACRO, args...) __UNROLL_10(MACRO, args) MACRO(10, args)
#define __UNROLL_12(MACRO, args...) __UNROLL_11(MACRO, args) MACRO(11, args)
#define __UNROLL_13(MACRO, args...) __UNROLL_12(MACRO, args) MACRO(12, args)
#define __UNROLL_14(MACRO, args...) __UNROLL_13(MACRO, args) MACRO(13, args)
#define __UNROLL_15(MACRO, args...) __UNROLL_14(MACRO, args) MACRO(14, args)
#define __UNROLL_16(MACRO, args...) __UNROLL_15(MACRO, args) MACRO(15, args)
#define __UNROLL_17(MACRO, args...) __UNROLL_16(MACRO, args) MACRO(16, args)
#define __UNROLL_18(MACRO, args...) __UNROLL_17(MACRO, args) MACRO(17, args)
#define __UNROLL_19(MACRO, args...) __UNROLL_18(MACRO, args) MACRO(18, args)
#define __UNROLL_20(MACRO, args...) __UNROLL_19(MACRO, args) MACRO(19, args)
#endif /* __UNROLL_H */
...@@ -143,6 +143,9 @@ ...@@ -143,6 +143,9 @@
#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
#define AUDIT_IPE_ACCESS 1420 /* IPE denial or grant */
#define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */
#define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799 #define AUDIT_LAST_KERN_ANOM_MSG 1799
......
...@@ -64,6 +64,7 @@ struct lsm_ctx { ...@@ -64,6 +64,7 @@ struct lsm_ctx {
#define LSM_ID_LANDLOCK 110 #define LSM_ID_LANDLOCK 110
#define LSM_ID_IMA 111 #define LSM_ID_IMA 111
#define LSM_ID_EVM 112 #define LSM_ID_EVM 112
#define LSM_ID_IPE 113
/* /*
* LSM_ATTR_XXX definitions identify different LSM attributes * LSM_ATTR_XXX definitions identify different LSM attributes
......
...@@ -17,6 +17,7 @@ ...@@ -17,6 +17,7 @@
#include <linux/namei.h> #include <linux/namei.h>
#include <linux/init_syscalls.h> #include <linux/init_syscalls.h>
#include <linux/umh.h> #include <linux/umh.h>
#include <linux/security.h>
#include "do_mounts.h" #include "do_mounts.h"
...@@ -712,6 +713,8 @@ static void __init do_populate_rootfs(void *unused, async_cookie_t cookie) ...@@ -712,6 +713,8 @@ static void __init do_populate_rootfs(void *unused, async_cookie_t cookie)
} }
done: done:
security_initramfs_populated();
/* /*
* If the initrd region is overlapped with crashkernel reserved region, * If the initrd region is overlapped with crashkernel reserved region,
* free only memory that is not part of crashkernel region. * free only memory that is not part of crashkernel region.
......
...@@ -922,8 +922,11 @@ void start_kernel(void) ...@@ -922,8 +922,11 @@ void start_kernel(void)
boot_cpu_init(); boot_cpu_init();
page_address_init(); page_address_init();
pr_notice("%s", linux_banner); pr_notice("%s", linux_banner);
early_security_init();
setup_arch(&command_line); setup_arch(&command_line);
/* Static keys and static calls are needed by LSMs */
jump_label_init();
static_call_init();
early_security_init();
setup_boot_config(); setup_boot_config();
setup_command_line(command_line); setup_command_line(command_line);
setup_nr_cpu_ids(); setup_nr_cpu_ids();
...@@ -934,7 +937,6 @@ void start_kernel(void) ...@@ -934,7 +937,6 @@ void start_kernel(void)
pr_notice("Kernel command line: %s\n", saved_command_line); pr_notice("Kernel command line: %s\n", saved_command_line);
/* parameters may set static keys */ /* parameters may set static keys */
jump_label_init();
parse_early_param(); parse_early_param();
after_dashes = parse_args("Booting kernel", after_dashes = parse_args("Booting kernel",
static_command_line, __start___param, static_command_line, __start___param,
......
...@@ -55,6 +55,7 @@ targets += module.lds ...@@ -55,6 +55,7 @@ targets += module.lds
subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins
subdir-$(CONFIG_MODVERSIONS) += genksyms subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-$(CONFIG_SECURITY_SELINUX) += selinux subdir-$(CONFIG_SECURITY_SELINUX) += selinux
subdir-$(CONFIG_SECURITY_IPE) += ipe
# Let clean descend into subdirs # Let clean descend into subdirs
subdir- += basic dtc gdb kconfig mod subdir- += basic dtc gdb kconfig mod
# SPDX-License-Identifier: GPL-2.0-only
subdir-y := polgen
# SPDX-License-Identifier: GPL-2.0-only
polgen
# SPDX-License-Identifier: GPL-2.0
hostprogs-always-y := polgen
HOST_EXTRACFLAGS += \
-I$(srctree)/include \
-I$(srctree)/include/uapi \
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
static void usage(const char *const name)
{
printf("Usage: %s OutputFile (PolicyFile)\n", name);
exit(EINVAL);
}
static int policy_to_buffer(const char *pathname, char **buffer, size_t *size)
{
size_t fsize;
size_t read;
char *lbuf;
int rc = 0;
FILE *fd;
fd = fopen(pathname, "r");
if (!fd) {
rc = errno;
goto out;
}
fseek(fd, 0, SEEK_END);
fsize = ftell(fd);
rewind(fd);
lbuf = malloc(fsize);
if (!lbuf) {
rc = ENOMEM;
goto out_close;
}
read = fread((void *)lbuf, sizeof(*lbuf), fsize, fd);
if (read != fsize) {
rc = -1;
goto out_free;
}
*buffer = lbuf;
*size = fsize;
fclose(fd);
return rc;
out_free:
free(lbuf);
out_close:
fclose(fd);
out:
return rc;
}
static int write_boot_policy(const char *pathname, const char *buf, size_t size)
{
int rc = 0;
FILE *fd;
size_t i;
fd = fopen(pathname, "w");
if (!fd) {
rc = errno;
goto err;
}
fprintf(fd, "/* This file is automatically generated.");
fprintf(fd, " Do not edit. */\n");
fprintf(fd, "#include <linux/stddef.h>\n");
fprintf(fd, "\nextern const char *const ipe_boot_policy;\n\n");
fprintf(fd, "const char *const ipe_boot_policy =\n");
if (!buf || size == 0) {
fprintf(fd, "\tNULL;\n");
fclose(fd);
return 0;
}
fprintf(fd, "\t\"");
for (i = 0; i < size; ++i) {
switch (buf[i]) {
case '"':
fprintf(fd, "\\\"");
break;
case '\'':
fprintf(fd, "'");
break;
case '\n':
fprintf(fd, "\\n\"\n\t\"");
break;
case '\\':
fprintf(fd, "\\\\");
break;
case '\t':
fprintf(fd, "\\t");
break;
case '\?':
fprintf(fd, "\\?");
break;
default:
fprintf(fd, "%c", buf[i]);
}
}
fprintf(fd, "\";\n");
fclose(fd);
return 0;
err:
if (fd)
fclose(fd);
return rc;
}
int main(int argc, const char *const argv[])
{
char *policy = NULL;
size_t len = 0;
int rc = 0;
if (argc < 2)
usage(argv[0]);
if (argc > 2) {
rc = policy_to_buffer(argv[2], &policy, &len);
if (rc != 0)
goto cleanup;
}
rc = write_boot_policy(argv[1], policy, len);
cleanup:
if (policy)
free(policy);
if (rc != 0)
perror("An error occurred during policy conversion: ");
return rc;
}
...@@ -224,6 +224,7 @@ source "security/yama/Kconfig" ...@@ -224,6 +224,7 @@ source "security/yama/Kconfig"
source "security/safesetid/Kconfig" source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig" source "security/lockdown/Kconfig"
source "security/landlock/Kconfig" source "security/landlock/Kconfig"
source "security/ipe/Kconfig"
source "security/integrity/Kconfig" source "security/integrity/Kconfig"
...@@ -263,11 +264,11 @@ endchoice ...@@ -263,11 +264,11 @@ endchoice
config LSM config LSM
string "Ordered list of enabled LSMs" string "Ordered list of enabled LSMs"
default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
help help
A comma-separated list of LSMs, in initialization order. A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list, except for those with order Any LSMs left off this list, except for those with order
......
...@@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ ...@@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
obj-$(CONFIG_SECURITY_IPE) += ipe/
# Object integrity file lists # Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/ obj-$(CONFIG_INTEGRITY) += integrity/
...@@ -51,10 +51,9 @@ struct aa_sk_ctx { ...@@ -51,10 +51,9 @@ struct aa_sk_ctx {
struct aa_label *peer; struct aa_label *peer;
}; };
#define SK_CTX(X) ((X)->sk_security)
static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) static inline struct aa_sk_ctx *aa_sock(const struct sock *sk)
{ {
return sk->sk_security; return sk->sk_security + apparmor_blob_sizes.lbs_sock;
} }
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
......
...@@ -1058,27 +1058,12 @@ static int apparmor_userns_create(const struct cred *cred) ...@@ -1058,27 +1058,12 @@ static int apparmor_userns_create(const struct cred *cred)
return error; return error;
} }
static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
{
struct aa_sk_ctx *ctx;
ctx = kzalloc(sizeof(*ctx), flags);
if (!ctx)
return -ENOMEM;
sk->sk_security = ctx;
return 0;
}
static void apparmor_sk_free_security(struct sock *sk) static void apparmor_sk_free_security(struct sock *sk)
{ {
struct aa_sk_ctx *ctx = aa_sock(sk); struct aa_sk_ctx *ctx = aa_sock(sk);
sk->sk_security = NULL;
aa_put_label(ctx->label); aa_put_label(ctx->label);
aa_put_label(ctx->peer); aa_put_label(ctx->peer);
kfree(ctx);
} }
/** /**
...@@ -1433,6 +1418,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { ...@@ -1433,6 +1418,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct aa_label *), .lbs_cred = sizeof(struct aa_label *),
.lbs_file = sizeof(struct aa_file_ctx), .lbs_file = sizeof(struct aa_file_ctx),
.lbs_task = sizeof(struct aa_task_ctx), .lbs_task = sizeof(struct aa_task_ctx),
.lbs_sock = sizeof(struct aa_sk_ctx),
}; };
static const struct lsm_id apparmor_lsmid = { static const struct lsm_id apparmor_lsmid = {
...@@ -1478,7 +1464,6 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { ...@@ -1478,7 +1464,6 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
......
...@@ -151,7 +151,7 @@ static int aa_label_sk_perm(const struct cred *subj_cred, ...@@ -151,7 +151,7 @@ static int aa_label_sk_perm(const struct cred *subj_cred,
const char *op, u32 request, const char *op, u32 request,
struct sock *sk) struct sock *sk)
{ {
struct aa_sk_ctx *ctx = SK_CTX(sk); struct aa_sk_ctx *ctx = aa_sock(sk);
int error = 0; int error = 0;
AA_BUG(!label); AA_BUG(!label);
......
...@@ -1396,17 +1396,12 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, ...@@ -1396,17 +1396,12 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
* Determine whether the allocation of a new virtual mapping by the current * Determine whether the allocation of a new virtual mapping by the current
* task is permitted. * task is permitted.
* *
* Return: 1 if permission is granted, 0 if not. * Return: 0 if permission granted, negative error code if not.
*/ */
int cap_vm_enough_memory(struct mm_struct *mm, long pages) int cap_vm_enough_memory(struct mm_struct *mm, long pages)
{ {
int cap_sys_admin = 0; return cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
CAP_OPT_NOAUDIT);
if (cap_capable(current_cred(), &init_user_ns,
CAP_SYS_ADMIN, CAP_OPT_NOAUDIT) == 0)
cap_sys_admin = 1;
return cap_sys_admin;
} }
/** /**
......
...@@ -296,7 +296,7 @@ void securityfs_remove(struct dentry *dentry) ...@@ -296,7 +296,7 @@ void securityfs_remove(struct dentry *dentry)
{ {
struct inode *dir; struct inode *dir;
if (!dentry || IS_ERR(dentry)) if (IS_ERR_OR_NULL(dentry))
return; return;
dir = d_inode(dentry->d_parent); dir = d_inode(dentry->d_parent);
...@@ -313,6 +313,31 @@ void securityfs_remove(struct dentry *dentry) ...@@ -313,6 +313,31 @@ void securityfs_remove(struct dentry *dentry)
} }
EXPORT_SYMBOL_GPL(securityfs_remove); EXPORT_SYMBOL_GPL(securityfs_remove);
static void remove_one(struct dentry *victim)
{
simple_release_fs(&mount, &mount_count);
}
/**
* securityfs_recursive_remove - recursively removes a file or directory
*
* @dentry: a pointer to a the dentry of the file or directory to be removed.
*
* This function recursively removes a file or directory in securityfs that was
* previously created with a call to another securityfs function (like
* securityfs_create_file() or variants thereof.)
*/
void securityfs_recursive_remove(struct dentry *dentry)
{
if (IS_ERR_OR_NULL(dentry))
return;
simple_pin_fs(&fs_type, &mount, &mount_count);
simple_recursive_removal(dentry, remove_one);
simple_release_fs(&mount, &mount_count);
}
EXPORT_SYMBOL_GPL(securityfs_recursive_remove);
#ifdef CONFIG_SECURITY #ifdef CONFIG_SECURITY
static struct dentry *lsm_dentry; static struct dentry *lsm_dentry;
static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count, static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
......
...@@ -1000,7 +1000,7 @@ static int evm_inode_copy_up_xattr(struct dentry *src, const char *name) ...@@ -1000,7 +1000,7 @@ static int evm_inode_copy_up_xattr(struct dentry *src, const char *name)
case EVM_XATTR_HMAC: case EVM_XATTR_HMAC:
case EVM_IMA_XATTR_DIGSIG: case EVM_IMA_XATTR_DIGSIG:
default: default:
rc = 1; /* discard */ rc = -ECANCELED; /* discard */
} }
kfree(xattr_data); kfree(xattr_data);
......
...@@ -223,7 +223,7 @@ static inline void ima_inode_set_iint(const struct inode *inode, ...@@ -223,7 +223,7 @@ static inline void ima_inode_set_iint(const struct inode *inode,
struct ima_iint_cache *ima_iint_find(struct inode *inode); struct ima_iint_cache *ima_iint_find(struct inode *inode);
struct ima_iint_cache *ima_inode_get(struct inode *inode); struct ima_iint_cache *ima_inode_get(struct inode *inode);
void ima_inode_free(struct inode *inode); void ima_inode_free_rcu(void *inode_security);
void __init ima_iintcache_init(void); void __init ima_iintcache_init(void);
extern const int read_idmap[]; extern const int read_idmap[];
......
...@@ -109,22 +109,18 @@ struct ima_iint_cache *ima_inode_get(struct inode *inode) ...@@ -109,22 +109,18 @@ struct ima_iint_cache *ima_inode_get(struct inode *inode)
} }
/** /**
* ima_inode_free - Called on inode free * ima_inode_free_rcu - Called to free an inode via a RCU callback
* @inode: Pointer to the inode * @inode_security: The inode->i_security pointer
* *
* Free the iint associated with an inode. * Free the IMA data associated with an inode.
*/ */
void ima_inode_free(struct inode *inode) void ima_inode_free_rcu(void *inode_security)
{ {
struct ima_iint_cache *iint; struct ima_iint_cache **iint_p = inode_security + ima_blob_sizes.lbs_inode;
if (!IS_IMA(inode))
return;
iint = ima_iint_find(inode);
ima_inode_set_iint(inode, NULL);
ima_iint_free(iint); /* *iint_p should be NULL if !IS_IMA(inode) */
if (*iint_p)
ima_iint_free(*iint_p);
} }
static void ima_iint_init_once(void *foo) static void ima_iint_init_once(void *foo)
......
...@@ -1193,7 +1193,7 @@ static struct security_hook_list ima_hooks[] __ro_after_init = { ...@@ -1193,7 +1193,7 @@ static struct security_hook_list ima_hooks[] __ro_after_init = {
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request), LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request),
#endif #endif
LSM_HOOK_INIT(inode_free_security, ima_inode_free), LSM_HOOK_INIT(inode_free_security_rcu, ima_inode_free_rcu),
}; };
static const struct lsm_id ima_lsmid = { static const struct lsm_id ima_lsmid = {
......
# SPDX-License-Identifier: GPL-2.0-only
boot_policy.c
# SPDX-License-Identifier: GPL-2.0-only
#
# Integrity Policy Enforcement (IPE) configuration
#
menuconfig SECURITY_IPE
bool "Integrity Policy Enforcement (IPE)"
depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
select PKCS7_MESSAGE_PARSER
select SYSTEM_DATA_VERIFICATION
select IPE_PROP_DM_VERITY if DM_VERITY
select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
select IPE_PROP_FS_VERITY if FS_VERITY
select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
help
This option enables the Integrity Policy Enforcement LSM
allowing users to define a policy to enforce a trust-based access
control. A key feature of IPE is a customizable policy to allow
admins to reconfigure trust requirements on the fly.
If unsure, answer N.
if SECURITY_IPE
config IPE_BOOT_POLICY
string "Integrity policy to apply on system startup"
help
This option specifies a filepath to an IPE policy that is compiled
into the kernel. This policy will be enforced until a policy update
is deployed via the $securityfs/ipe/policies/$policy_name/active
interface.
If unsure, leave blank.
menu "IPE Trust Providers"
config IPE_PROP_DM_VERITY
bool "Enable support for dm-verity based on root hash"
depends on DM_VERITY
help
This option enables the 'dmverity_roothash' property within IPE
policies. The property evaluates to TRUE when a file from a dm-verity
volume is evaluated, and the volume's root hash matches the value
supplied in the policy.
config IPE_PROP_DM_VERITY_SIGNATURE
bool "Enable support for dm-verity based on root hash signature"
depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
help
This option enables the 'dmverity_signature' property within IPE
policies. The property evaluates to TRUE when a file from a dm-verity
volume, which has been mounted with a valid signed root hash,
is evaluated.
If unsure, answer Y.
config IPE_PROP_FS_VERITY
bool "Enable support for fs-verity based on file digest"
depends on FS_VERITY
help
This option enables the 'fsverity_digest' property within IPE
policies. The property evaluates to TRUE when a file is fsverity
enabled and its digest matches the supplied digest value in the
policy.
if unsure, answer Y.
config IPE_PROP_FS_VERITY_BUILTIN_SIG
bool "Enable support for fs-verity based on builtin signature"
depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
help
This option enables the 'fsverity_signature' property within IPE
policies. The property evaluates to TRUE when a file is fsverity
enabled and it has a valid builtin signature whose signing cert
is in the .fs-verity keyring.
if unsure, answer Y.
endmenu
config SECURITY_IPE_KUNIT_TEST
bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
depends on KUNIT=y
default KUNIT_ALL_TESTS
help
This builds the IPE KUnit tests.
KUnit tests run during boot and output the results to the debug log
in TAP format (https://testanything.org/). Only useful for kernel devs
running KUnit test harness and are not for inclusion into a
production build.
For more information on KUnit and unit tests in general please refer
to the KUnit documentation in Documentation/dev-tools/kunit/.
If unsure, say N.
endif
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
#
# Makefile for building the IPE module as part of the kernel tree.
#
quiet_cmd_polgen = IPE_POL $(2)
cmd_polgen = scripts/ipe/polgen/polgen security/ipe/boot_policy.c $(2)
targets += boot_policy.c
$(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE
$(call if_changed,polgen,$(CONFIG_IPE_BOOT_POLICY))
obj-$(CONFIG_SECURITY_IPE) += \
boot_policy.o \
digest.o \
eval.o \
hooks.o \
fs.o \
ipe.o \
policy.o \
policy_fs.o \
policy_parser.o \
audit.o \
clean-files := boot_policy.c \
obj-$(CONFIG_SECURITY_IPE_KUNIT_TEST) += \
policy_tests.o \
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <linux/slab.h>
#include <linux/audit.h>
#include <linux/types.h>
#include <crypto/hash.h>
#include "ipe.h"
#include "eval.h"
#include "hooks.h"
#include "policy.h"
#include "audit.h"
#include "digest.h"
#define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")
#define IPE_AUDIT_HASH_ALG "sha256"
#define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
"policy_digest=" IPE_AUDIT_HASH_ALG ":"
#define AUDIT_OLD_ACTIVE_POLICY_FMT "old_active_pol_name=\"%s\" "\
"old_active_pol_version=%hu.%hu.%hu "\
"old_policy_digest=" IPE_AUDIT_HASH_ALG ":"
#define AUDIT_OLD_ACTIVE_POLICY_NULL_FMT "old_active_pol_name=? "\
"old_active_pol_version=? "\
"old_policy_digest=?"
#define AUDIT_NEW_ACTIVE_POLICY_FMT "new_active_pol_name=\"%s\" "\
"new_active_pol_version=%hu.%hu.%hu "\
"new_policy_digest=" IPE_AUDIT_HASH_ALG ":"
static const char *const audit_op_names[__IPE_OP_MAX + 1] = {
"EXECUTE",
"FIRMWARE",
"KMODULE",
"KEXEC_IMAGE",
"KEXEC_INITRAMFS",
"POLICY",
"X509_CERT",
"UNKNOWN",
};
static const char *const audit_hook_names[__IPE_HOOK_MAX] = {
"BPRM_CHECK",
"MMAP",
"MPROTECT",
"KERNEL_READ",
"KERNEL_LOAD",
};
static const char *const audit_prop_names[__IPE_PROP_MAX] = {
"boot_verified=FALSE",
"boot_verified=TRUE",
"dmverity_roothash=",
"dmverity_signature=FALSE",
"dmverity_signature=TRUE",
"fsverity_digest=",
"fsverity_signature=FALSE",
"fsverity_signature=TRUE",
};
/**
* audit_dmv_roothash() - audit the roothash of a dmverity_roothash property.
* @ab: Supplies a pointer to the audit_buffer to append to.
* @rh: Supplies a pointer to the digest structure.
*/
static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh)
{
audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_DMV_ROOTHASH]);
ipe_digest_audit(ab, rh);
}
/**
* audit_fsv_digest() - audit the digest of a fsverity_digest property.
* @ab: Supplies a pointer to the audit_buffer to append to.
* @d: Supplies a pointer to the digest structure.
*/
static void audit_fsv_digest(struct audit_buffer *ab, const void *d)
{
audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_FSV_DIGEST]);
ipe_digest_audit(ab, d);
}
/**
* audit_rule() - audit an IPE policy rule.
* @ab: Supplies a pointer to the audit_buffer to append to.
* @r: Supplies a pointer to the ipe_rule to approximate a string form for.
*/
static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r)
{
const struct ipe_prop *ptr;
audit_log_format(ab, " rule=\"op=%s ", audit_op_names[r->op]);
list_for_each_entry(ptr, &r->props, next) {
switch (ptr->type) {
case IPE_PROP_DMV_ROOTHASH:
audit_dmv_roothash(ab, ptr->value);
break;
case IPE_PROP_FSV_DIGEST:
audit_fsv_digest(ab, ptr->value);
break;
default:
audit_log_format(ab, "%s", audit_prop_names[ptr->type]);
break;
}
audit_log_format(ab, " ");
}
audit_log_format(ab, "action=%s\"", ACTSTR(r->action));
}
/**
* ipe_audit_match() - Audit a rule match in a policy evaluation.
* @ctx: Supplies a pointer to the evaluation context that was used in the
* evaluation.
* @match_type: Supplies the scope of the match: rule, operation default,
* global default.
* @act: Supplies the IPE's evaluation decision, deny or allow.
* @r: Supplies a pointer to the rule that was matched, if possible.
*/
void ipe_audit_match(const struct ipe_eval_ctx *const ctx,
enum ipe_match match_type,
enum ipe_action_type act, const struct ipe_rule *const r)
{
const char *op = audit_op_names[ctx->op];
char comm[sizeof(current->comm)];
struct audit_buffer *ab;
struct inode *inode;
if (act != IPE_ACTION_DENY && !READ_ONCE(success_audit))
return;
ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
AUDIT_IPE_ACCESS);
if (!ab)
return;
audit_log_format(ab, "ipe_op=%s ipe_hook=%s enforcing=%d pid=%d comm=",
op, audit_hook_names[ctx->hook], READ_ONCE(enforce),
task_tgid_nr(current));
audit_log_untrustedstring(ab, get_task_comm(comm, current));
if (ctx->file) {
audit_log_d_path(ab, " path=", &ctx->file->f_path);
inode = file_inode(ctx->file);
if (inode) {
audit_log_format(ab, " dev=");
audit_log_untrustedstring(ab, inode->i_sb->s_id);
audit_log_format(ab, " ino=%lu", inode->i_ino);
} else {
audit_log_format(ab, " dev=? ino=?");
}
} else {
audit_log_format(ab, " path=? dev=? ino=?");
}
if (match_type == IPE_MATCH_RULE)
audit_rule(ab, r);
else if (match_type == IPE_MATCH_TABLE)
audit_log_format(ab, " rule=\"DEFAULT op=%s action=%s\"", op,
ACTSTR(act));
else
audit_log_format(ab, " rule=\"DEFAULT action=%s\"",
ACTSTR(act));
audit_log_end(ab);
}
/**
* audit_policy() - Audit a policy's name, version and thumbprint to @ab.
* @ab: Supplies a pointer to the audit buffer to append to.
* @audit_format: Supplies a pointer to the audit format string
* @p: Supplies a pointer to the policy to audit.
*/
static void audit_policy(struct audit_buffer *ab,
const char *audit_format,
const struct ipe_policy *const p)
{
SHASH_DESC_ON_STACK(desc, tfm);
struct crypto_shash *tfm;
u8 *digest = NULL;
tfm = crypto_alloc_shash(IPE_AUDIT_HASH_ALG, 0, 0);
if (IS_ERR(tfm))
return;
desc->tfm = tfm;
digest = kzalloc(crypto_shash_digestsize(tfm), GFP_KERNEL);
if (!digest)
goto out;
if (crypto_shash_init(desc))
goto out;
if (crypto_shash_update(desc, p->pkcs7, p->pkcs7len))
goto out;
if (crypto_shash_final(desc, digest))
goto out;
audit_log_format(ab, audit_format, p->parsed->name,
p->parsed->version.major, p->parsed->version.minor,
p->parsed->version.rev);
audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm));
out:
kfree(digest);
crypto_free_shash(tfm);
}
/**
* ipe_audit_policy_activation() - Audit a policy being activated.
* @op: Supplies a pointer to the previously activated policy to audit.
* @np: Supplies a pointer to the newly activated policy to audit.
*/
void ipe_audit_policy_activation(const struct ipe_policy *const op,
const struct ipe_policy *const np)
{
struct audit_buffer *ab;
ab = audit_log_start(audit_context(), GFP_KERNEL,
AUDIT_IPE_CONFIG_CHANGE);
if (!ab)
return;
if (op) {
audit_policy(ab, AUDIT_OLD_ACTIVE_POLICY_FMT, op);
audit_log_format(ab, " ");
} else {
/*
* old active policy can be NULL if there is no kernel
* built-in policy
*/
audit_log_format(ab, AUDIT_OLD_ACTIVE_POLICY_NULL_FMT);
audit_log_format(ab, " ");
}
audit_policy(ab, AUDIT_NEW_ACTIVE_POLICY_FMT, np);
audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=1",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
audit_log_end(ab);
}
/**
* ipe_audit_policy_load() - Audit a policy being loaded into the kernel.
* @p: Supplies a pointer to the policy to audit.
*/
void ipe_audit_policy_load(const struct ipe_policy *const p)
{
struct audit_buffer *ab;
ab = audit_log_start(audit_context(), GFP_KERNEL,
AUDIT_IPE_POLICY_LOAD);
if (!ab)
return;
audit_policy(ab, AUDIT_POLICY_LOAD_FMT, p);
audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=1",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
audit_log_end(ab);
}
/**
* ipe_audit_enforce() - Audit a change in IPE's enforcement state.
* @new_enforce: The new value enforce to be set.
* @old_enforce: The old value currently in enforce.
*/
void ipe_audit_enforce(bool new_enforce, bool old_enforce)
{
struct audit_buffer *ab;
ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS);
if (!ab)
return;
audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
"enforcing=%d old_enforcing=%d auid=%u ses=%u"
" enabled=1 old-enabled=1 lsm=ipe res=1",
new_enforce, old_enforce,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
audit_log_end(ab);
}
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_AUDIT_H
#define _IPE_AUDIT_H
#include "policy.h"
void ipe_audit_match(const struct ipe_eval_ctx *const ctx,
enum ipe_match match_type,
enum ipe_action_type act, const struct ipe_rule *const r);
void ipe_audit_policy_load(const struct ipe_policy *const p);
void ipe_audit_policy_activation(const struct ipe_policy *const op,
const struct ipe_policy *const np);
void ipe_audit_enforce(bool new_enforce, bool old_enforce);
#endif /* _IPE_AUDIT_H */
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include "digest.h"
/**
* ipe_digest_parse() - parse a digest in IPE's policy.
* @valstr: Supplies the string parsed from the policy.
*
* Digests in IPE are defined in a standard way:
* <alg_name>:<hex>
*
* Use this function to create a property to parse the digest
* consistently. The parsed digest will be saved in @value in IPE's
* policy.
*
* Return: The parsed digest_info structure on success. If an error occurs,
* the function will return the error value (via ERR_PTR).
*/
struct digest_info *ipe_digest_parse(const char *valstr)
{
struct digest_info *info = NULL;
char *sep, *raw_digest;
size_t raw_digest_len;
u8 *digest = NULL;
char *alg = NULL;
int rc = 0;
info = kzalloc(sizeof(*info), GFP_KERNEL);
if (!info)
return ERR_PTR(-ENOMEM);
sep = strchr(valstr, ':');
if (!sep) {
rc = -EBADMSG;
goto err;
}
alg = kstrndup(valstr, sep - valstr, GFP_KERNEL);
if (!alg) {
rc = -ENOMEM;
goto err;
}
raw_digest = sep + 1;
raw_digest_len = strlen(raw_digest);
info->digest_len = (raw_digest_len + 1) / 2;
digest = kzalloc(info->digest_len, GFP_KERNEL);
if (!digest) {
rc = -ENOMEM;
goto err;
}
rc = hex2bin(digest, raw_digest, info->digest_len);
if (rc < 0) {
rc = -EINVAL;
goto err;
}
info->alg = alg;
info->digest = digest;
return info;
err:
kfree(alg);
kfree(digest);
kfree(info);
return ERR_PTR(rc);
}
/**
* ipe_digest_eval() - evaluate an IPE digest against another digest.
* @expected: Supplies the policy-provided digest value.
* @digest: Supplies the digest to compare against the policy digest value.
*
* Return:
* * %true - digests match
* * %false - digests do not match
*/
bool ipe_digest_eval(const struct digest_info *expected,
const struct digest_info *digest)
{
return (expected->digest_len == digest->digest_len) &&
(!strcmp(expected->alg, digest->alg)) &&
(!memcmp(expected->digest, digest->digest, expected->digest_len));
}
/**
* ipe_digest_free() - free an IPE digest.
* @info: Supplies a pointer the policy-provided digest to free.
*/
void ipe_digest_free(struct digest_info *info)
{
if (IS_ERR_OR_NULL(info))
return;
kfree(info->alg);
kfree(info->digest);
kfree(info);
}
/**
* ipe_digest_audit() - audit a digest that was sourced from IPE's policy.
* @ab: Supplies the audit_buffer to append the formatted result.
* @info: Supplies a pointer to source the audit record from.
*
* Digests in IPE are audited in this format:
* <alg_name>:<hex>
*/
void ipe_digest_audit(struct audit_buffer *ab, const struct digest_info *info)
{
audit_log_untrustedstring(ab, info->alg);
audit_log_format(ab, ":");
audit_log_n_hex(ab, info->digest, info->digest_len);
}
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_DIGEST_H
#define _IPE_DIGEST_H
#include <linux/types.h>
#include <linux/audit.h>
#include "policy.h"
struct digest_info {
const char *alg;
const u8 *digest;
size_t digest_len;
};
struct digest_info *ipe_digest_parse(const char *valstr);
void ipe_digest_free(struct digest_info *digest_info);
void ipe_digest_audit(struct audit_buffer *ab, const struct digest_info *val);
bool ipe_digest_eval(const struct digest_info *expected,
const struct digest_info *digest);
#endif /* _IPE_DIGEST_H */
This diff is collapsed.
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_EVAL_H
#define _IPE_EVAL_H
#include <linux/file.h>
#include <linux/types.h>
#include "policy.h"
#include "hooks.h"
#define IPE_EVAL_CTX_INIT ((struct ipe_eval_ctx){ 0 })
extern struct ipe_policy __rcu *ipe_active_policy;
extern bool success_audit;
extern bool enforce;
struct ipe_superblock {
bool initramfs;
};
#ifdef CONFIG_IPE_PROP_DM_VERITY
struct ipe_bdev {
#ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
bool dm_verity_signed;
#endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */
struct digest_info *root_hash;
};
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
struct ipe_inode {
bool fs_verity_signed;
};
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
struct ipe_eval_ctx {
enum ipe_op_type op;
enum ipe_hook_type hook;
const struct file *file;
bool initramfs;
#ifdef CONFIG_IPE_PROP_DM_VERITY
const struct ipe_bdev *ipe_bdev;
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY
const struct inode *ino;
#endif /* CONFIG_IPE_PROP_FS_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
const struct ipe_inode *ipe_inode;
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
};
enum ipe_match {
IPE_MATCH_RULE = 0,
IPE_MATCH_TABLE,
IPE_MATCH_GLOBAL,
__IPE_MATCH_MAX
};
void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx,
const struct file *file,
enum ipe_op_type op,
enum ipe_hook_type hook);
int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx);
#endif /* _IPE_EVAL_H */
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <linux/dcache.h>
#include <linux/security.h>
#include "ipe.h"
#include "fs.h"
#include "eval.h"
#include "policy.h"
#include "audit.h"
static struct dentry *np __ro_after_init;
static struct dentry *root __ro_after_init;
struct dentry *policy_root __ro_after_init;
static struct dentry *audit_node __ro_after_init;
static struct dentry *enforce_node __ro_after_init;
/**
* setaudit() - Write handler for the securityfs node, "ipe/success_audit"
* @f: Supplies a file structure representing the securityfs node.
* @data: Supplies a buffer passed to the write syscall.
* @len: Supplies the length of @data.
* @offset: unused.
*
* Return:
* * Length of buffer written - Success
* * %-EPERM - Insufficient permission
*/
static ssize_t setaudit(struct file *f, const char __user *data,
size_t len, loff_t *offset)
{
int rc = 0;
bool value;
if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
return -EPERM;
rc = kstrtobool_from_user(data, len, &value);
if (rc)
return rc;
WRITE_ONCE(success_audit, value);
return len;
}
/**
* getaudit() - Read handler for the securityfs node, "ipe/success_audit"
* @f: Supplies a file structure representing the securityfs node.
* @data: Supplies a buffer passed to the read syscall.
* @len: Supplies the length of @data.
* @offset: unused.
*
* Return: Length of buffer written
*/
static ssize_t getaudit(struct file *f, char __user *data,
size_t len, loff_t *offset)
{
const char *result;
result = ((READ_ONCE(success_audit)) ? "1" : "0");
return simple_read_from_buffer(data, len, offset, result, 1);
}
/**
* setenforce() - Write handler for the securityfs node, "ipe/enforce"
* @f: Supplies a file structure representing the securityfs node.
* @data: Supplies a buffer passed to the write syscall.
* @len: Supplies the length of @data.
* @offset: unused.
*
* Return:
* * Length of buffer written - Success
* * %-EPERM - Insufficient permission
*/
static ssize_t setenforce(struct file *f, const char __user *data,
size_t len, loff_t *offset)
{
int rc = 0;
bool new_value, old_value;
if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
return -EPERM;
old_value = READ_ONCE(enforce);
rc = kstrtobool_from_user(data, len, &new_value);
if (rc)
return rc;
if (new_value != old_value) {
ipe_audit_enforce(new_value, old_value);
WRITE_ONCE(enforce, new_value);
}
return len;
}
/**
* getenforce() - Read handler for the securityfs node, "ipe/enforce"
* @f: Supplies a file structure representing the securityfs node.
* @data: Supplies a buffer passed to the read syscall.
* @len: Supplies the length of @data.
* @offset: unused.
*
* Return: Length of buffer written
*/
static ssize_t getenforce(struct file *f, char __user *data,
size_t len, loff_t *offset)
{
const char *result;
result = ((READ_ONCE(enforce)) ? "1" : "0");
return simple_read_from_buffer(data, len, offset, result, 1);
}
/**
* new_policy() - Write handler for the securityfs node, "ipe/new_policy".
* @f: Supplies a file structure representing the securityfs node.
* @data: Supplies a buffer passed to the write syscall.
* @len: Supplies the length of @data.
* @offset: unused.
*
* Return:
* * Length of buffer written - Success
* * %-EPERM - Insufficient permission
* * %-ENOMEM - Out of memory (OOM)
* * %-EBADMSG - Policy is invalid
* * %-ERANGE - Policy version number overflow
* * %-EINVAL - Policy version parsing error
* * %-EEXIST - Same name policy already deployed
*/
static ssize_t new_policy(struct file *f, const char __user *data,
size_t len, loff_t *offset)
{
struct ipe_policy *p = NULL;
char *copy = NULL;
int rc = 0;
if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
return -EPERM;
copy = memdup_user_nul(data, len);
if (IS_ERR(copy))
return PTR_ERR(copy);
p = ipe_new_policy(NULL, 0, copy, len);
if (IS_ERR(p)) {
rc = PTR_ERR(p);
goto out;
}
rc = ipe_new_policyfs_node(p);
if (rc)
goto out;
ipe_audit_policy_load(p);
out:
if (rc < 0)
ipe_free_policy(p);
kfree(copy);
return (rc < 0) ? rc : len;
}
static const struct file_operations np_fops = {
.write = new_policy,
};
static const struct file_operations audit_fops = {
.write = setaudit,
.read = getaudit,
};
static const struct file_operations enforce_fops = {
.write = setenforce,
.read = getenforce,
};
/**
* ipe_init_securityfs() - Initialize IPE's securityfs tree at fsinit.
*
* Return: %0 on success. If an error occurs, the function will return
* the -errno.
*/
static int __init ipe_init_securityfs(void)
{
int rc = 0;
struct ipe_policy *ap;
if (!ipe_enabled)
return -EOPNOTSUPP;
root = securityfs_create_dir("ipe", NULL);
if (IS_ERR(root)) {
rc = PTR_ERR(root);
goto err;
}
audit_node = securityfs_create_file("success_audit", 0600, root,
NULL, &audit_fops);
if (IS_ERR(audit_node)) {
rc = PTR_ERR(audit_node);
goto err;
}
enforce_node = securityfs_create_file("enforce", 0600, root, NULL,
&enforce_fops);
if (IS_ERR(enforce_node)) {
rc = PTR_ERR(enforce_node);
goto err;
}
policy_root = securityfs_create_dir("policies", root);
if (IS_ERR(policy_root)) {
rc = PTR_ERR(policy_root);
goto err;
}
ap = rcu_access_pointer(ipe_active_policy);
if (ap) {
rc = ipe_new_policyfs_node(ap);
if (rc)
goto err;
}
np = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops);
if (IS_ERR(np)) {
rc = PTR_ERR(np);
goto err;
}
return 0;
err:
securityfs_remove(np);
securityfs_remove(policy_root);
securityfs_remove(enforce_node);
securityfs_remove(audit_node);
securityfs_remove(root);
return rc;
}
fs_initcall(ipe_init_securityfs);
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_FS_H
#define _IPE_FS_H
#include "policy.h"
extern struct dentry *policy_root __ro_after_init;
int ipe_new_policyfs_node(struct ipe_policy *p);
void ipe_del_policyfs_node(struct ipe_policy *p);
#endif /* _IPE_FS_H */
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <linux/fs.h>
#include <linux/fs_struct.h>
#include <linux/types.h>
#include <linux/binfmts.h>
#include <linux/mman.h>
#include <linux/blk_types.h>
#include "ipe.h"
#include "hooks.h"
#include "eval.h"
#include "digest.h"
/**
* ipe_bprm_check_security() - ipe security hook function for bprm check.
* @bprm: Supplies a pointer to a linux_binprm structure to source the file
* being evaluated.
*
* This LSM hook is called when a binary is loaded through the exec
* family of system calls.
*
* Return:
* * %0 - Success
* * %-EACCES - Did not pass IPE policy
*/
int ipe_bprm_check_security(struct linux_binprm *bprm)
{
struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);
return ipe_evaluate_event(&ctx);
}
/**
* ipe_mmap_file() - ipe security hook function for mmap check.
* @f: File being mmap'd. Can be NULL in the case of anonymous memory.
* @reqprot: The requested protection on the mmap, passed from usermode.
* @prot: The effective protection on the mmap, resolved from reqprot and
* system configuration.
* @flags: Unused.
*
* This hook is called when a file is loaded through the mmap
* family of system calls.
*
* Return:
* * %0 - Success
* * %-EACCES - Did not pass IPE policy
*/
int ipe_mmap_file(struct file *f, unsigned long reqprot __always_unused,
unsigned long prot, unsigned long flags)
{
struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
if (prot & PROT_EXEC) {
ipe_build_eval_ctx(&ctx, f, IPE_OP_EXEC, IPE_HOOK_MMAP);
return ipe_evaluate_event(&ctx);
}
return 0;
}
/**
* ipe_file_mprotect() - ipe security hook function for mprotect check.
* @vma: Existing virtual memory area created by mmap or similar.
* @reqprot: The requested protection on the mmap, passed from usermode.
* @prot: The effective protection on the mmap, resolved from reqprot and
* system configuration.
*
* This LSM hook is called when a mmap'd region of memory is changing
* its protections via mprotect.
*
* Return:
* * %0 - Success
* * %-EACCES - Did not pass IPE policy
*/
int ipe_file_mprotect(struct vm_area_struct *vma,
unsigned long reqprot __always_unused,
unsigned long prot)
{
struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
/* Already Executable */
if (vma->vm_flags & VM_EXEC)
return 0;
if (prot & PROT_EXEC) {
ipe_build_eval_ctx(&ctx, vma->vm_file, IPE_OP_EXEC, IPE_HOOK_MPROTECT);
return ipe_evaluate_event(&ctx);
}
return 0;
}
/**
* ipe_kernel_read_file() - ipe security hook function for kernel read.
* @file: Supplies a pointer to the file structure being read in from disk.
* @id: Supplies the enumeration identifying the purpose of the read.
* @contents: Unused.
*
* This LSM hook is called when a file is read from disk in the kernel.
*
* Return:
* * %0 - Success
* * %-EACCES - Did not pass IPE policy
*/
int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id,
bool contents)
{
struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
enum ipe_op_type op;
switch (id) {
case READING_FIRMWARE:
op = IPE_OP_FIRMWARE;
break;
case READING_MODULE:
op = IPE_OP_KERNEL_MODULE;
break;
case READING_KEXEC_INITRAMFS:
op = IPE_OP_KEXEC_INITRAMFS;
break;
case READING_KEXEC_IMAGE:
op = IPE_OP_KEXEC_IMAGE;
break;
case READING_POLICY:
op = IPE_OP_POLICY;
break;
case READING_X509_CERTIFICATE:
op = IPE_OP_X509;
break;
default:
op = IPE_OP_INVALID;
WARN(1, "no rule setup for kernel_read_file enum %d", id);
}
ipe_build_eval_ctx(&ctx, file, op, IPE_HOOK_KERNEL_READ);
return ipe_evaluate_event(&ctx);
}
/**
* ipe_kernel_load_data() - ipe security hook function for kernel load data.
* @id: Supplies the enumeration identifying the purpose of the load.
* @contents: Unused.
*
* This LSM hook is called when a data buffer provided by userspace is loading
* into the kernel.
*
* Return:
* * %0 - Success
* * %-EACCES - Did not pass IPE policy
*/
int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents)
{
struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
enum ipe_op_type op;
switch (id) {
case LOADING_FIRMWARE:
op = IPE_OP_FIRMWARE;
break;
case LOADING_MODULE:
op = IPE_OP_KERNEL_MODULE;
break;
case LOADING_KEXEC_INITRAMFS:
op = IPE_OP_KEXEC_INITRAMFS;
break;
case LOADING_KEXEC_IMAGE:
op = IPE_OP_KEXEC_IMAGE;
break;
case LOADING_POLICY:
op = IPE_OP_POLICY;
break;
case LOADING_X509_CERTIFICATE:
op = IPE_OP_X509;
break;
default:
op = IPE_OP_INVALID;
WARN(1, "no rule setup for kernel_load_data enum %d", id);
}
ipe_build_eval_ctx(&ctx, NULL, op, IPE_HOOK_KERNEL_LOAD);
return ipe_evaluate_event(&ctx);
}
/**
* ipe_unpack_initramfs() - Mark the current rootfs as initramfs.
*/
void ipe_unpack_initramfs(void)
{
ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true;
}
#ifdef CONFIG_IPE_PROP_DM_VERITY
/**
* ipe_bdev_free_security() - Free IPE's LSM blob of block_devices.
* @bdev: Supplies a pointer to a block_device that contains the structure
* to free.
*/
void ipe_bdev_free_security(struct block_device *bdev)
{
struct ipe_bdev *blob = ipe_bdev(bdev);
ipe_digest_free(blob->root_hash);
}
#ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
static void ipe_set_dmverity_signature(struct ipe_bdev *blob,
const void *value,
size_t size)
{
blob->dm_verity_signed = size > 0 && value;
}
#else
static inline void ipe_set_dmverity_signature(struct ipe_bdev *blob,
const void *value,
size_t size)
{
}
#endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */
/**
* ipe_bdev_setintegrity() - Save integrity data from a bdev to IPE's LSM blob.
* @bdev: Supplies a pointer to a block_device that contains the LSM blob.
* @type: Supplies the integrity type.
* @value: Supplies the value to store.
* @size: The size of @value.
*
* This hook is currently used to save dm-verity's root hash or the existence
* of a validated signed dm-verity root hash into LSM blob.
*
* Return: %0 on success. If an error occurs, the function will return the
* -errno.
*/
int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
const void *value, size_t size)
{
const struct dm_verity_digest *digest = NULL;
struct ipe_bdev *blob = ipe_bdev(bdev);
struct digest_info *info = NULL;
if (type == LSM_INT_DMVERITY_SIG_VALID) {
ipe_set_dmverity_signature(blob, value, size);
return 0;
}
if (type != LSM_INT_DMVERITY_ROOTHASH)
return -EINVAL;
if (!value) {
ipe_digest_free(blob->root_hash);
blob->root_hash = NULL;
return 0;
}
digest = value;
info = kzalloc(sizeof(*info), GFP_KERNEL);
if (!info)
return -ENOMEM;
info->digest = kmemdup(digest->digest, digest->digest_len, GFP_KERNEL);
if (!info->digest)
goto err;
info->alg = kstrdup(digest->alg, GFP_KERNEL);
if (!info->alg)
goto err;
info->digest_len = digest->digest_len;
ipe_digest_free(blob->root_hash);
blob->root_hash = info;
return 0;
err:
ipe_digest_free(info);
return -ENOMEM;
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
/**
* ipe_inode_setintegrity() - save integrity data from a inode to IPE's LSM blob.
* @inode: The inode to source the security blob from.
* @type: Supplies the integrity type.
* @value: The value to be stored.
* @size: The size of @value.
*
* This hook is currently used to save the existence of a validated fs-verity
* builtin signature into LSM blob.
*
* Return: %0 on success. If an error occurs, the function will return the
* -errno.
*/
int ipe_inode_setintegrity(const struct inode *inode,
enum lsm_integrity_type type,
const void *value, size_t size)
{
struct ipe_inode *inode_sec = ipe_inode(inode);
if (type == LSM_INT_FSVERITY_BUILTINSIG_VALID) {
inode_sec->fs_verity_signed = size > 0 && value;
return 0;
}
return -EINVAL;
}
#endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_HOOKS_H
#define _IPE_HOOKS_H
#include <linux/fs.h>
#include <linux/binfmts.h>
#include <linux/security.h>
#include <linux/blk_types.h>
#include <linux/fsverity.h>
enum ipe_hook_type {
IPE_HOOK_BPRM_CHECK = 0,
IPE_HOOK_MMAP,
IPE_HOOK_MPROTECT,
IPE_HOOK_KERNEL_READ,
IPE_HOOK_KERNEL_LOAD,
__IPE_HOOK_MAX
};
#define IPE_HOOK_INVALID __IPE_HOOK_MAX
int ipe_bprm_check_security(struct linux_binprm *bprm);
int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
unsigned long flags);
int ipe_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot);
int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id,
bool contents);
int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents);
void ipe_unpack_initramfs(void);
#ifdef CONFIG_IPE_PROP_DM_VERITY
void ipe_bdev_free_security(struct block_device *bdev);
int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
const void *value, size_t len);
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
int ipe_inode_setintegrity(const struct inode *inode, enum lsm_integrity_type type,
const void *value, size_t size);
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
#endif /* _IPE_HOOKS_H */
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <uapi/linux/lsm.h>
#include "ipe.h"
#include "eval.h"
#include "hooks.h"
extern const char *const ipe_boot_policy;
bool ipe_enabled;
static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
.lbs_superblock = sizeof(struct ipe_superblock),
#ifdef CONFIG_IPE_PROP_DM_VERITY
.lbs_bdev = sizeof(struct ipe_bdev),
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
.lbs_inode = sizeof(struct ipe_inode),
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
};
static const struct lsm_id ipe_lsmid = {
.name = "ipe",
.id = LSM_ID_IPE,
};
struct ipe_superblock *ipe_sb(const struct super_block *sb)
{
return sb->s_security + ipe_blobs.lbs_superblock;
}
#ifdef CONFIG_IPE_PROP_DM_VERITY
struct ipe_bdev *ipe_bdev(struct block_device *b)
{
return b->bd_security + ipe_blobs.lbs_bdev;
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
struct ipe_inode *ipe_inode(const struct inode *inode)
{
return inode->i_security + ipe_blobs.lbs_inode;
}
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
static struct security_hook_list ipe_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),
LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data),
LSM_HOOK_INIT(initramfs_populated, ipe_unpack_initramfs),
#ifdef CONFIG_IPE_PROP_DM_VERITY
LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security),
LSM_HOOK_INIT(bdev_setintegrity, ipe_bdev_setintegrity),
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
LSM_HOOK_INIT(inode_setintegrity, ipe_inode_setintegrity),
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
};
/**
* ipe_init() - Entry point of IPE.
*
* This is called at LSM init, which happens occurs early during kernel
* start up. During this phase, IPE registers its hooks and loads the
* builtin boot policy.
*
* Return:
* * %0 - OK
* * %-ENOMEM - Out of memory (OOM)
*/
static int __init ipe_init(void)
{
struct ipe_policy *p = NULL;
security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
ipe_enabled = true;
if (ipe_boot_policy) {
p = ipe_new_policy(ipe_boot_policy, strlen(ipe_boot_policy),
NULL, 0);
if (IS_ERR(p))
return PTR_ERR(p);
rcu_assign_pointer(ipe_active_policy, p);
}
return 0;
}
DEFINE_LSM(ipe) = {
.name = "ipe",
.init = ipe_init,
.blobs = &ipe_blobs,
};
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_H
#define _IPE_H
#ifdef pr_fmt
#undef pr_fmt
#endif
#define pr_fmt(fmt) "ipe: " fmt
#include <linux/lsm_hooks.h>
struct ipe_superblock *ipe_sb(const struct super_block *sb);
extern bool ipe_enabled;
#ifdef CONFIG_IPE_PROP_DM_VERITY
struct ipe_bdev *ipe_bdev(struct block_device *b);
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
struct ipe_inode *ipe_inode(const struct inode *inode);
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
#endif /* _IPE_H */
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <linux/errno.h>
#include <linux/verification.h>
#include "ipe.h"
#include "eval.h"
#include "fs.h"
#include "policy.h"
#include "policy_parser.h"
#include "audit.h"
/* lock for synchronizing writers across ipe policy */
DEFINE_MUTEX(ipe_policy_lock);
/**
* ver_to_u64() - Convert an internal ipe_policy_version to a u64.
* @p: Policy to extract the version from.
*
* Bits (LSB is index 0):
* [48,32] -> Major
* [32,16] -> Minor
* [16, 0] -> Revision
*
* Return: u64 version of the embedded version structure.
*/
static inline u64 ver_to_u64(const struct ipe_policy *const p)
{
u64 r;
r = (((u64)p->parsed->version.major) << 32)
| (((u64)p->parsed->version.minor) << 16)
| ((u64)(p->parsed->version.rev));
return r;
}
/**
* ipe_free_policy() - Deallocate a given IPE policy.
* @p: Supplies the policy to free.
*
* Safe to call on IS_ERR/NULL.
*/
void ipe_free_policy(struct ipe_policy *p)
{
if (IS_ERR_OR_NULL(p))
return;
ipe_del_policyfs_node(p);
ipe_free_parsed_policy(p->parsed);
/*
* p->text is allocated only when p->pkcs7 is not NULL
* otherwise it points to the plaintext data inside the pkcs7
*/
if (!p->pkcs7)
kfree(p->text);
kfree(p->pkcs7);
kfree(p);
}
static int set_pkcs7_data(void *ctx, const void *data, size_t len,
size_t asn1hdrlen __always_unused)
{
struct ipe_policy *p = ctx;
p->text = (const char *)data;
p->textlen = len;
return 0;
}
/**
* ipe_update_policy() - parse a new policy and replace old with it.
* @root: Supplies a pointer to the securityfs inode saved the policy.
* @text: Supplies a pointer to the plain text policy.
* @textlen: Supplies the length of @text.
* @pkcs7: Supplies a pointer to a buffer containing a pkcs7 message.
* @pkcs7len: Supplies the length of @pkcs7len.
*
* @text/@textlen is mutually exclusive with @pkcs7/@pkcs7len - see
* ipe_new_policy.
*
* Context: Requires root->i_rwsem to be held.
* Return: %0 on success. If an error occurs, the function will return
* the -errno.
*/
int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
const char *pkcs7, size_t pkcs7len)
{
struct ipe_policy *old, *ap, *new = NULL;
int rc = 0;
old = (struct ipe_policy *)root->i_private;
if (!old)
return -ENOENT;
new = ipe_new_policy(text, textlen, pkcs7, pkcs7len);
if (IS_ERR(new))
return PTR_ERR(new);
if (strcmp(new->parsed->name, old->parsed->name)) {
rc = -EINVAL;
goto err;
}
if (ver_to_u64(old) > ver_to_u64(new)) {
rc = -EINVAL;
goto err;
}
root->i_private = new;
swap(new->policyfs, old->policyfs);
ipe_audit_policy_load(new);
mutex_lock(&ipe_policy_lock);
ap = rcu_dereference_protected(ipe_active_policy,
lockdep_is_held(&ipe_policy_lock));
if (old == ap) {
rcu_assign_pointer(ipe_active_policy, new);
mutex_unlock(&ipe_policy_lock);
ipe_audit_policy_activation(old, new);
} else {
mutex_unlock(&ipe_policy_lock);
}
synchronize_rcu();
ipe_free_policy(old);
return 0;
err:
ipe_free_policy(new);
return rc;
}
/**
* ipe_new_policy() - Allocate and parse an ipe_policy structure.
*
* @text: Supplies a pointer to the plain-text policy to parse.
* @textlen: Supplies the length of @text.
* @pkcs7: Supplies a pointer to a pkcs7-signed IPE policy.
* @pkcs7len: Supplies the length of @pkcs7.
*
* @text/@textlen Should be NULL/0 if @pkcs7/@pkcs7len is set.
*
* Return:
* * a pointer to the ipe_policy structure - Success
* * %-EBADMSG - Policy is invalid
* * %-ENOMEM - Out of memory (OOM)
* * %-ERANGE - Policy version number overflow
* * %-EINVAL - Policy version parsing error
*/
struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
const char *pkcs7, size_t pkcs7len)
{
struct ipe_policy *new = NULL;
int rc = 0;
new = kzalloc(sizeof(*new), GFP_KERNEL);
if (!new)
return ERR_PTR(-ENOMEM);
if (!text) {
new->pkcs7len = pkcs7len;
new->pkcs7 = kmemdup(pkcs7, pkcs7len, GFP_KERNEL);
if (!new->pkcs7) {
rc = -ENOMEM;
goto err;
}
rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL,
VERIFYING_UNSPECIFIED_SIGNATURE,
set_pkcs7_data, new);
if (rc)
goto err;
} else {
new->textlen = textlen;
new->text = kstrdup(text, GFP_KERNEL);
if (!new->text) {
rc = -ENOMEM;
goto err;
}
}
rc = ipe_parse_policy(new);
if (rc)
goto err;
return new;
err:
ipe_free_policy(new);
return ERR_PTR(rc);
}
/**
* ipe_set_active_pol() - Make @p the active policy.
* @p: Supplies a pointer to the policy to make active.
*
* Context: Requires root->i_rwsem, which i_private has the policy, to be held.
* Return:
* * %0 - Success
* * %-EINVAL - New active policy version is invalid
*/
int ipe_set_active_pol(const struct ipe_policy *p)
{
struct ipe_policy *ap = NULL;
mutex_lock(&ipe_policy_lock);
ap = rcu_dereference_protected(ipe_active_policy,
lockdep_is_held(&ipe_policy_lock));
if (ap == p) {
mutex_unlock(&ipe_policy_lock);
return 0;
}
if (ap && ver_to_u64(ap) > ver_to_u64(p)) {
mutex_unlock(&ipe_policy_lock);
return -EINVAL;
}
rcu_assign_pointer(ipe_active_policy, p);
ipe_audit_policy_activation(ap, p);
mutex_unlock(&ipe_policy_lock);
return 0;
}
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_POLICY_H
#define _IPE_POLICY_H
#include <linux/list.h>
#include <linux/types.h>
#include <linux/fs.h>
enum ipe_op_type {
IPE_OP_EXEC = 0,
IPE_OP_FIRMWARE,
IPE_OP_KERNEL_MODULE,
IPE_OP_KEXEC_IMAGE,
IPE_OP_KEXEC_INITRAMFS,
IPE_OP_POLICY,
IPE_OP_X509,
__IPE_OP_MAX,
};
#define IPE_OP_INVALID __IPE_OP_MAX
enum ipe_action_type {
IPE_ACTION_ALLOW = 0,
IPE_ACTION_DENY,
__IPE_ACTION_MAX
};
#define IPE_ACTION_INVALID __IPE_ACTION_MAX
enum ipe_prop_type {
IPE_PROP_BOOT_VERIFIED_FALSE,
IPE_PROP_BOOT_VERIFIED_TRUE,
IPE_PROP_DMV_ROOTHASH,
IPE_PROP_DMV_SIG_FALSE,
IPE_PROP_DMV_SIG_TRUE,
IPE_PROP_FSV_DIGEST,
IPE_PROP_FSV_SIG_FALSE,
IPE_PROP_FSV_SIG_TRUE,
__IPE_PROP_MAX
};
#define IPE_PROP_INVALID __IPE_PROP_MAX
struct ipe_prop {
struct list_head next;
enum ipe_prop_type type;
void *value;
};
struct ipe_rule {
enum ipe_op_type op;
enum ipe_action_type action;
struct list_head props;
struct list_head next;
};
struct ipe_op_table {
struct list_head rules;
enum ipe_action_type default_action;
};
struct ipe_parsed_policy {
const char *name;
struct {
u16 major;
u16 minor;
u16 rev;
} version;
enum ipe_action_type global_default_action;
struct ipe_op_table rules[__IPE_OP_MAX];
};
struct ipe_policy {
const char *pkcs7;
size_t pkcs7len;
const char *text;
size_t textlen;
struct ipe_parsed_policy *parsed;
struct dentry *policyfs;
};
struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
const char *pkcs7, size_t pkcs7len);
void ipe_free_policy(struct ipe_policy *pol);
int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
const char *pkcs7, size_t pkcs7len);
int ipe_set_active_pol(const struct ipe_policy *p);
extern struct mutex ipe_policy_lock;
#endif /* _IPE_POLICY_H */
This diff is collapsed.
This diff is collapsed.
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_POLICY_PARSER_H
#define _IPE_POLICY_PARSER_H
int ipe_parse_policy(struct ipe_policy *p);
void ipe_free_parsed_policy(struct ipe_parsed_policy *p);
#endif /* _IPE_POLICY_PARSER_H */
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <linux/slab.h>
#include <linux/types.h>
#include <linux/list.h>
#include <kunit/test.h>
#include "policy.h"
struct policy_case {
const char *const policy;
int errno;
const char *const desc;
};
static const struct policy_case policy_cases[] = {
{
"policy_name=allowall policy_version=0.0.0\n"
"DEFAULT action=ALLOW",
0,
"basic",
},
{
"policy_name=trailing_comment policy_version=152.0.0 #This is comment\n"
"DEFAULT action=ALLOW",
0,
"trailing comment",
},
{
"policy_name=allowallnewline policy_version=0.2.0\n"
"DEFAULT action=ALLOW\n"
"\n",
0,
"trailing newline",
},
{
"policy_name=carriagereturnlinefeed policy_version=0.0.1\n"
"DEFAULT action=ALLOW\n"
"\r\n",
0,
"clrf newline",
},
{
"policy_name=whitespace policy_version=0.0.0\n"
"DEFAULT\taction=ALLOW\n"
" \t DEFAULT \t op=EXECUTE action=DENY\n"
"op=EXECUTE boot_verified=TRUE action=ALLOW\n"
"# this is a\tcomment\t\t\t\t\n"
"DEFAULT \t op=KMODULE\t\t\t action=DENY\r\n"
"op=KMODULE boot_verified=TRUE action=ALLOW\n",
0,
"various whitespaces and nested default",
},
{
"policy_name=boot_verified policy_version=-1236.0.0\n"
"DEFAULT\taction=ALLOW\n",
-EINVAL,
"negative version",
},
{
"policy_name=$@!*&^%%\\:;{}() policy_version=0.0.0\n"
"DEFAULT action=ALLOW",
0,
"special characters",
},
{
"policy_name=test policy_version=999999.0.0\n"
"DEFAULT action=ALLOW",
-ERANGE,
"overflow version",
},
{
"policy_name=test policy_version=255.0\n"
"DEFAULT action=ALLOW",
-EBADMSG,
"incomplete version",
},
{
"policy_name=test policy_version=111.0.0.0\n"
"DEFAULT action=ALLOW",
-EBADMSG,
"extra version",
},
{
"",
-EBADMSG,
"0-length policy",
},
{
"policy_name=test\0policy_version=0.0.0\n"
"DEFAULT action=ALLOW",
-EBADMSG,
"random null in header",
},
{
"policy_name=test policy_version=0.0.0\n"
"\0DEFAULT action=ALLOW",
-EBADMSG,
"incomplete policy from NULL",
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=DENY\n\0"
"op=EXECUTE dmverity_signature=TRUE action=ALLOW\n",
0,
"NULL truncates policy",
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"op=EXECUTE dmverity_signature=abc action=ALLOW",
-EBADMSG,
"invalid property type",
},
{
"DEFAULT action=ALLOW",
-EBADMSG,
"missing policy header",
},
{
"policy_name=test policy_version=0.0.0\n",
-EBADMSG,
"missing default definition",
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"dmverity_signature=TRUE op=EXECUTE action=ALLOW",
-EBADMSG,
"invalid rule ordering"
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"action=ALLOW op=EXECUTE dmverity_signature=TRUE",
-EBADMSG,
"invalid rule ordering (2)",
},
{
"policy_name=test policy_version=0.0\n"
"DEFAULT action=ALLOW\n"
"op=EXECUTE dmverity_signature=TRUE action=ALLOW",
-EBADMSG,
"invalid version",
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"op=UNKNOWN dmverity_signature=TRUE action=ALLOW",
-EBADMSG,
"unknown operation",
},
{
"policy_name=asdvpolicy_version=0.0.0\n"
"DEFAULT action=ALLOW\n",
-EBADMSG,
"missing space after policy name",
},
{
"policy_name=test\xFF\xEF policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"op=EXECUTE dmverity_signature=TRUE action=ALLOW",
0,
"expanded ascii",
},
{
"policy_name=test\xFF\xEF policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"op=EXECUTE dmverity_roothash=GOOD_DOG action=ALLOW",
-EBADMSG,
"invalid property value (2)",
},
{
"policy_name=test policy_version=0.0.0\n"
"policy_name=test policy_version=0.1.0\n"
"DEFAULT action=ALLOW",
-EBADMSG,
"double header"
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"DEFAULT action=ALLOW\n",
-EBADMSG,
"double default"
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"DEFAULT op=EXECUTE action=DENY\n"
"DEFAULT op=EXECUTE action=ALLOW\n",
-EBADMSG,
"double operation default"
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"DEFAULT op=EXECUTE action=DEN\n",
-EBADMSG,
"invalid action value"
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"DEFAULT op=EXECUTE action\n",
-EBADMSG,
"invalid action value (2)"
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"UNKNOWN value=true\n",
-EBADMSG,
"unrecognized statement"
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"op=EXECUTE dmverity_roothash=1c0d7ee1f8343b7fbe418378e8eb22c061d7dec7 action=DENY\n",
-EBADMSG,
"old-style digest"
},
{
"policy_name=test policy_version=0.0.0\n"
"DEFAULT action=ALLOW\n"
"op=EXECUTE fsverity_digest=1c0d7ee1f8343b7fbe418378e8eb22c061d7dec7 action=DENY\n",
-EBADMSG,
"old-style digest"
}
};
static void pol_to_desc(const struct policy_case *c, char *desc)
{
strscpy(desc, c->desc, KUNIT_PARAM_DESC_SIZE);
}
KUNIT_ARRAY_PARAM(ipe_policies, policy_cases, pol_to_desc);
/**
* ipe_parser_unsigned_test - Test the parser by passing unsigned policies.
* @test: Supplies a pointer to a kunit structure.
*
* This is called by the kunit harness. This test does not check the correctness
* of the policy, but ensures that errors are handled correctly.
*/
static void ipe_parser_unsigned_test(struct kunit *test)
{
const struct policy_case *p = test->param_value;
struct ipe_policy *pol;
pol = ipe_new_policy(p->policy, strlen(p->policy), NULL, 0);
if (p->errno) {
KUNIT_EXPECT_EQ(test, PTR_ERR(pol), p->errno);
return;
}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pol);
KUNIT_EXPECT_NOT_ERR_OR_NULL(test, pol->parsed);
KUNIT_EXPECT_STREQ(test, pol->text, p->policy);
KUNIT_EXPECT_PTR_EQ(test, NULL, pol->pkcs7);
KUNIT_EXPECT_EQ(test, 0, pol->pkcs7len);
ipe_free_policy(pol);
}
/**
* ipe_parser_widestring_test - Ensure parser fail on a wide string policy.
* @test: Supplies a pointer to a kunit structure.
*
* This is called by the kunit harness.
*/
static void ipe_parser_widestring_test(struct kunit *test)
{
const unsigned short policy[] = L"policy_name=Test policy_version=0.0.0\n"
L"DEFAULT action=ALLOW";
struct ipe_policy *pol = NULL;
pol = ipe_new_policy((const char *)policy, (ARRAY_SIZE(policy) - 1) * 2, NULL, 0);
KUNIT_EXPECT_TRUE(test, IS_ERR_OR_NULL(pol));
ipe_free_policy(pol);
}
static struct kunit_case ipe_parser_test_cases[] = {
KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params),
KUNIT_CASE(ipe_parser_widestring_test),
};
static struct kunit_suite ipe_parser_test_suite = {
.name = "ipe-parser",
.test_cases = ipe_parser_test_cases,
};
kunit_test_suite(ipe_parser_test_suite);
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment