From: Deven Bowers <deven.desai@linux.microsoft.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
corbet@lwn.net, axboe@kernel.dk, agk@redhat.com,
snitzer@redhat.com, ebiggers@kernel.org, tytso@mit.edu,
paul@paul-moore.com, eparis@redhat.com, jmorris@namei.org,
serge@hallyn.com
Cc: linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
jannh@google.com, linux-fscrypt@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
dm-devel@redhat.com, linux-audit@redhat.com
Subject: Re: [RFC PATCH v7 05/16] ipe: add LSM hooks on execution and kernel read
Date: Fri, 15 Oct 2021 12:25:55 -0700 [thread overview]
Message-ID: <3b127720-d486-18da-4f1d-afe402fb39c4@linux.microsoft.com> (raw)
In-Reply-To: <a358e0b0-2fc0-8b03-4bee-141675fdc73e@schaufler-ca.com>
On 10/13/2021 1:04 PM, Casey Schaufler wrote:
> On 10/13/2021 12:06 PM, deven.desai@linux.microsoft.com wrote:
>> From: Deven Bowers <deven.desai@linux.microsoft.com>
>>
>> IPE's initial goal is to control both execution and the loading of
>> kernel modules based on the system's definition of trust. It
>> accomplishes this by plugging into the security hooks for execve,
>> mprotect, mmap, kernel_load_data and kernel_read_data.
>>
>> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
>> ---
>>
>> Relevant changes since v6:
>> * Split up patch 02/12 into four parts:
>> 1. context creation [01/16]
>> 2. audit [07/16]
>> 3. evaluation loop [03/16]
>> 4. access control hooks [05/16] (this patch)
>>
>> ---
>> security/ipe/hooks.c | 149 ++++++++++++++++++++++++++++++++++++++++++
>> security/ipe/hooks.h | 23 ++++++-
>> security/ipe/ipe.c | 5 ++
>> security/ipe/policy.c | 23 +++++++
>> security/ipe/policy.h | 12 +++-
>> 5 files changed, 209 insertions(+), 3 deletions(-)
>>
>> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
>> index ed0c886eaa5a..216242408a80 100644
>> --- a/security/ipe/hooks.c
>> +++ b/security/ipe/hooks.c
>> @@ -6,11 +6,15 @@
>> #include "ipe.h"
>> #include "ctx.h"
>> #include "hooks.h"
>> +#include "eval.h"
>>
>> +#include <linux/fs.h>
>> #include <linux/sched.h>
>> #include <linux/types.h>
>> #include <linux/refcount.h>
>> #include <linux/rcupdate.h>
>> +#include <linux/binfmts.h>
>> +#include <linux/mman.h>
>>
>> /**
>> * ipe_task_alloc: Assign a new context for an associated task structure.
>> @@ -56,3 +60,148 @@ void ipe_task_free(struct task_struct *task)
>> ipe_put_ctx(ctx);
>> rcu_read_unlock();
>> }
>> +
>> +/**
>> + * ipe_on_exec: LSM hook called when a process is loaded through the exec
>> + * family of system calls.
>> + * @bprm: Supplies a pointer to a linux_binprm structure to source the file
>> + * being evaluated.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_exec(struct linux_binprm *bprm)
>> +{
>> + return ipe_process_event(bprm->file, ipe_operation_exec, ipe_hook_exec);
>> +}
>> +
>> +/**
>> + * ipe_on_mmap: LSM hook called when a file is loaded through the mmap
>> + * family of system calls.
>> + * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
>> + * @reqprot: The requested protection on the mmap, passed from usermode.
>> + * @prot: The effective protection on the mmap, resolved from reqprot and
>> + * system configuration.
>> + * @flags: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_mmap(struct file *f, unsigned long reqprot, unsigned long prot,
>> + unsigned long flags)
>> +{
>> + if (prot & PROT_EXEC || reqprot & PROT_EXEC)
>> + return ipe_process_event(f, ipe_operation_exec, ipe_hook_mmap);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ipe_on_mprotect: LSM hook called when a mmap'd region of memory is changing
>> + * its protections via mprotect.
>> + * @vma: Existing virtual memory area created by mmap or similar
>> + * @reqprot: The requested protection on the mmap, passed from usermode.
>> + * @prot: The effective protection on the mmap, resolved from reqprot and
>> + * system configuration.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
>> + unsigned long prot)
>> +{
>> + /* Already Executable */
>> + if (vma->vm_flags & VM_EXEC)
>> + return 0;
>> +
>> + if (((prot & PROT_EXEC) || reqprot & PROT_EXEC))
>> + return ipe_process_event(vma->vm_file, ipe_operation_exec,
>> + ipe_hook_mprotect);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ipe_on_kernel_read: LSM hook called when a file is being read in from
>> + * disk.
>> + * @file: Supplies a pointer to the file structure being read in from disk
>> + * @id: Supplies the enumeration identifying the purpose of the read.
>> + * @contents: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id,
>> + bool contents)
>> +{
>> + enum ipe_operation op;
>> +
>> + switch (id) {
>> + case READING_FIRMWARE:
>> + op = ipe_operation_firmware;
>> + break;
>> + case READING_MODULE:
>> + op = ipe_operation_kernel_module;
>> + break;
>> + case READING_KEXEC_INITRAMFS:
>> + op = ipe_operation_kexec_initramfs;
>> + break;
>> + case READING_KEXEC_IMAGE:
>> + op = ipe_operation_kexec_image;
>> + break;
>> + case READING_POLICY:
>> + op = ipe_operation_ima_policy;
>> + break;
>> + case READING_X509_CERTIFICATE:
>> + op = ipe_operation_ima_x509;
>> + break;
>> + default:
>> + op = ipe_operation_max;
>> + }
>> +
>> + return ipe_process_event(file, op, ipe_hook_kernel_read);
>> +}
>> +
>> +/**
>> + * ipe_on_kernel_load_data: LSM hook called when a buffer is being read in from
>> + * disk.
>> + * @id: Supplies the enumeration identifying the purpose of the read.
>> + * @contents: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_kernel_load_data(enum kernel_load_data_id id, bool contents)
>> +{
>> + enum ipe_operation op;
>> +
>> + switch (id) {
>> + case LOADING_FIRMWARE:
>> + op = ipe_operation_firmware;
>> + break;
>> + case LOADING_MODULE:
>> + op = ipe_operation_kernel_module;
>> + break;
>> + case LOADING_KEXEC_INITRAMFS:
>> + op = ipe_operation_kexec_initramfs;
>> + break;
>> + case LOADING_KEXEC_IMAGE:
>> + op = ipe_operation_kexec_image;
>> + break;
>> + case LOADING_POLICY:
>> + op = ipe_operation_ima_policy;
>> + break;
>> + case LOADING_X509_CERTIFICATE:
>> + op = ipe_operation_ima_x509;
>> + break;
>> + default:
>> + op = ipe_operation_max;
>> + }
>> +
>> + return ipe_process_event(NULL, op, ipe_hook_kernel_load);
>> +}
>> diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
>> index 58ed4a612e26..c99a0b7f45f7 100644
>> --- a/security/ipe/hooks.h
>> +++ b/security/ipe/hooks.h
>> @@ -5,11 +5,19 @@
>> #ifndef IPE_HOOKS_H
>> #define IPE_HOOKS_H
>>
>> +#include <linux/fs.h>
>> #include <linux/types.h>
>> #include <linux/sched.h>
>> +#include <linux/binfmts.h>
>> +#include <linux/security.h>
>>
>> enum ipe_hook {
>> - ipe_hook_max = 0
>> + ipe_hook_exec = 0,
>> + ipe_hook_mmap,
>> + ipe_hook_mprotect,
>> + ipe_hook_kernel_read,
>> + ipe_hook_kernel_load,
>> + ipe_hook_max
>> };
>>
>> int ipe_task_alloc(struct task_struct *task,
>> @@ -17,4 +25,17 @@ int ipe_task_alloc(struct task_struct *task,
>>
>> void ipe_task_free(struct task_struct *task);
>>
>> +int ipe_on_exec(struct linux_binprm *bprm);
>> +
>> +int ipe_on_mmap(struct file *f, unsigned long reqprot, unsigned long prot,
>> + unsigned long flags);
>> +
>> +int ipe_on_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
>> + unsigned long prot);
>> +
>> +int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id,
>> + bool contents);
>> +
>> +int ipe_on_kernel_load_data(enum kernel_load_data_id id, bool contents);
>> +
>> #endif /* IPE_HOOKS_H */
>> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
>> index b58b372327a1..3f9d43783293 100644
>> --- a/security/ipe/ipe.c
>> +++ b/security/ipe/ipe.c
>> @@ -25,6 +25,11 @@ struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = {
>> static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
>> LSM_HOOK_INIT(task_alloc, ipe_task_alloc),
>> LSM_HOOK_INIT(task_free, ipe_task_free),
>> + LSM_HOOK_INIT(bprm_check_security, ipe_on_exec),
>> + LSM_HOOK_INIT(mmap_file, ipe_on_mmap),
>> + LSM_HOOK_INIT(file_mprotect, ipe_on_mprotect),
>> + LSM_HOOK_INIT(kernel_read_file, ipe_on_kernel_read),
>> + LSM_HOOK_INIT(kernel_load_data, ipe_on_kernel_load_data),
> Please stick with the lsmname_hook_name convention, as you did
> with ipe_task_alloc and ipe_task_free. Anyone who is looking at
> more than one LSM is going to have a much harder time working
> with your code the way you have it. Think
>
> % find security | xargs grep '_bprm_check_security('
Sure. I'll make this change with the v8 series.
WARNING: multiple messages have this Message-ID (diff)
From: Deven Bowers <deven.desai@linux.microsoft.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
corbet@lwn.net, axboe@kernel.dk, agk@redhat.com,
snitzer@redhat.com, ebiggers@kernel.org, tytso@mit.edu,
paul@paul-moore.com, eparis@redhat.com, jmorris@namei.org,
serge@hallyn.com
Cc: linux-fscrypt@vger.kernel.org, dm-devel@redhat.com,
jannh@google.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-audit@redhat.com
Subject: Re: [dm-devel] [RFC PATCH v7 05/16] ipe: add LSM hooks on execution and kernel read
Date: Fri, 15 Oct 2021 12:25:55 -0700 [thread overview]
Message-ID: <3b127720-d486-18da-4f1d-afe402fb39c4@linux.microsoft.com> (raw)
In-Reply-To: <a358e0b0-2fc0-8b03-4bee-141675fdc73e@schaufler-ca.com>
On 10/13/2021 1:04 PM, Casey Schaufler wrote:
> On 10/13/2021 12:06 PM, deven.desai@linux.microsoft.com wrote:
>> From: Deven Bowers <deven.desai@linux.microsoft.com>
>>
>> IPE's initial goal is to control both execution and the loading of
>> kernel modules based on the system's definition of trust. It
>> accomplishes this by plugging into the security hooks for execve,
>> mprotect, mmap, kernel_load_data and kernel_read_data.
>>
>> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
>> ---
>>
>> Relevant changes since v6:
>> * Split up patch 02/12 into four parts:
>> 1. context creation [01/16]
>> 2. audit [07/16]
>> 3. evaluation loop [03/16]
>> 4. access control hooks [05/16] (this patch)
>>
>> ---
>> security/ipe/hooks.c | 149 ++++++++++++++++++++++++++++++++++++++++++
>> security/ipe/hooks.h | 23 ++++++-
>> security/ipe/ipe.c | 5 ++
>> security/ipe/policy.c | 23 +++++++
>> security/ipe/policy.h | 12 +++-
>> 5 files changed, 209 insertions(+), 3 deletions(-)
>>
>> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
>> index ed0c886eaa5a..216242408a80 100644
>> --- a/security/ipe/hooks.c
>> +++ b/security/ipe/hooks.c
>> @@ -6,11 +6,15 @@
>> #include "ipe.h"
>> #include "ctx.h"
>> #include "hooks.h"
>> +#include "eval.h"
>>
>> +#include <linux/fs.h>
>> #include <linux/sched.h>
>> #include <linux/types.h>
>> #include <linux/refcount.h>
>> #include <linux/rcupdate.h>
>> +#include <linux/binfmts.h>
>> +#include <linux/mman.h>
>>
>> /**
>> * ipe_task_alloc: Assign a new context for an associated task structure.
>> @@ -56,3 +60,148 @@ void ipe_task_free(struct task_struct *task)
>> ipe_put_ctx(ctx);
>> rcu_read_unlock();
>> }
>> +
>> +/**
>> + * ipe_on_exec: LSM hook called when a process is loaded through the exec
>> + * family of system calls.
>> + * @bprm: Supplies a pointer to a linux_binprm structure to source the file
>> + * being evaluated.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_exec(struct linux_binprm *bprm)
>> +{
>> + return ipe_process_event(bprm->file, ipe_operation_exec, ipe_hook_exec);
>> +}
>> +
>> +/**
>> + * ipe_on_mmap: LSM hook called when a file is loaded through the mmap
>> + * family of system calls.
>> + * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
>> + * @reqprot: The requested protection on the mmap, passed from usermode.
>> + * @prot: The effective protection on the mmap, resolved from reqprot and
>> + * system configuration.
>> + * @flags: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_mmap(struct file *f, unsigned long reqprot, unsigned long prot,
>> + unsigned long flags)
>> +{
>> + if (prot & PROT_EXEC || reqprot & PROT_EXEC)
>> + return ipe_process_event(f, ipe_operation_exec, ipe_hook_mmap);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ipe_on_mprotect: LSM hook called when a mmap'd region of memory is changing
>> + * its protections via mprotect.
>> + * @vma: Existing virtual memory area created by mmap or similar
>> + * @reqprot: The requested protection on the mmap, passed from usermode.
>> + * @prot: The effective protection on the mmap, resolved from reqprot and
>> + * system configuration.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
>> + unsigned long prot)
>> +{
>> + /* Already Executable */
>> + if (vma->vm_flags & VM_EXEC)
>> + return 0;
>> +
>> + if (((prot & PROT_EXEC) || reqprot & PROT_EXEC))
>> + return ipe_process_event(vma->vm_file, ipe_operation_exec,
>> + ipe_hook_mprotect);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ipe_on_kernel_read: LSM hook called when a file is being read in from
>> + * disk.
>> + * @file: Supplies a pointer to the file structure being read in from disk
>> + * @id: Supplies the enumeration identifying the purpose of the read.
>> + * @contents: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id,
>> + bool contents)
>> +{
>> + enum ipe_operation op;
>> +
>> + switch (id) {
>> + case READING_FIRMWARE:
>> + op = ipe_operation_firmware;
>> + break;
>> + case READING_MODULE:
>> + op = ipe_operation_kernel_module;
>> + break;
>> + case READING_KEXEC_INITRAMFS:
>> + op = ipe_operation_kexec_initramfs;
>> + break;
>> + case READING_KEXEC_IMAGE:
>> + op = ipe_operation_kexec_image;
>> + break;
>> + case READING_POLICY:
>> + op = ipe_operation_ima_policy;
>> + break;
>> + case READING_X509_CERTIFICATE:
>> + op = ipe_operation_ima_x509;
>> + break;
>> + default:
>> + op = ipe_operation_max;
>> + }
>> +
>> + return ipe_process_event(file, op, ipe_hook_kernel_read);
>> +}
>> +
>> +/**
>> + * ipe_on_kernel_load_data: LSM hook called when a buffer is being read in from
>> + * disk.
>> + * @id: Supplies the enumeration identifying the purpose of the read.
>> + * @contents: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_kernel_load_data(enum kernel_load_data_id id, bool contents)
>> +{
>> + enum ipe_operation op;
>> +
>> + switch (id) {
>> + case LOADING_FIRMWARE:
>> + op = ipe_operation_firmware;
>> + break;
>> + case LOADING_MODULE:
>> + op = ipe_operation_kernel_module;
>> + break;
>> + case LOADING_KEXEC_INITRAMFS:
>> + op = ipe_operation_kexec_initramfs;
>> + break;
>> + case LOADING_KEXEC_IMAGE:
>> + op = ipe_operation_kexec_image;
>> + break;
>> + case LOADING_POLICY:
>> + op = ipe_operation_ima_policy;
>> + break;
>> + case LOADING_X509_CERTIFICATE:
>> + op = ipe_operation_ima_x509;
>> + break;
>> + default:
>> + op = ipe_operation_max;
>> + }
>> +
>> + return ipe_process_event(NULL, op, ipe_hook_kernel_load);
>> +}
>> diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
>> index 58ed4a612e26..c99a0b7f45f7 100644
>> --- a/security/ipe/hooks.h
>> +++ b/security/ipe/hooks.h
>> @@ -5,11 +5,19 @@
>> #ifndef IPE_HOOKS_H
>> #define IPE_HOOKS_H
>>
>> +#include <linux/fs.h>
>> #include <linux/types.h>
>> #include <linux/sched.h>
>> +#include <linux/binfmts.h>
>> +#include <linux/security.h>
>>
>> enum ipe_hook {
>> - ipe_hook_max = 0
>> + ipe_hook_exec = 0,
>> + ipe_hook_mmap,
>> + ipe_hook_mprotect,
>> + ipe_hook_kernel_read,
>> + ipe_hook_kernel_load,
>> + ipe_hook_max
>> };
>>
>> int ipe_task_alloc(struct task_struct *task,
>> @@ -17,4 +25,17 @@ int ipe_task_alloc(struct task_struct *task,
>>
>> void ipe_task_free(struct task_struct *task);
>>
>> +int ipe_on_exec(struct linux_binprm *bprm);
>> +
>> +int ipe_on_mmap(struct file *f, unsigned long reqprot, unsigned long prot,
>> + unsigned long flags);
>> +
>> +int ipe_on_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
>> + unsigned long prot);
>> +
>> +int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id,
>> + bool contents);
>> +
>> +int ipe_on_kernel_load_data(enum kernel_load_data_id id, bool contents);
>> +
>> #endif /* IPE_HOOKS_H */
>> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
>> index b58b372327a1..3f9d43783293 100644
>> --- a/security/ipe/ipe.c
>> +++ b/security/ipe/ipe.c
>> @@ -25,6 +25,11 @@ struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = {
>> static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
>> LSM_HOOK_INIT(task_alloc, ipe_task_alloc),
>> LSM_HOOK_INIT(task_free, ipe_task_free),
>> + LSM_HOOK_INIT(bprm_check_security, ipe_on_exec),
>> + LSM_HOOK_INIT(mmap_file, ipe_on_mmap),
>> + LSM_HOOK_INIT(file_mprotect, ipe_on_mprotect),
>> + LSM_HOOK_INIT(kernel_read_file, ipe_on_kernel_read),
>> + LSM_HOOK_INIT(kernel_load_data, ipe_on_kernel_load_data),
> Please stick with the lsmname_hook_name convention, as you did
> with ipe_task_alloc and ipe_task_free. Anyone who is looking at
> more than one LSM is going to have a much harder time working
> with your code the way you have it. Think
>
> % find security | xargs grep '_bprm_check_security('
Sure. I'll make this change with the v8 series.
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
WARNING: multiple messages have this Message-ID (diff)
From: Deven Bowers <deven.desai@linux.microsoft.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
corbet@lwn.net, axboe@kernel.dk, agk@redhat.com,
snitzer@redhat.com, ebiggers@kernel.org, tytso@mit.edu,
paul@paul-moore.com, eparis@redhat.com, jmorris@namei.org,
serge@hallyn.com
Cc: linux-fscrypt@vger.kernel.org, dm-devel@redhat.com,
jannh@google.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-audit@redhat.com
Subject: Re: [RFC PATCH v7 05/16] ipe: add LSM hooks on execution and kernel read
Date: Fri, 15 Oct 2021 12:25:55 -0700 [thread overview]
Message-ID: <3b127720-d486-18da-4f1d-afe402fb39c4@linux.microsoft.com> (raw)
In-Reply-To: <a358e0b0-2fc0-8b03-4bee-141675fdc73e@schaufler-ca.com>
On 10/13/2021 1:04 PM, Casey Schaufler wrote:
> On 10/13/2021 12:06 PM, deven.desai@linux.microsoft.com wrote:
>> From: Deven Bowers <deven.desai@linux.microsoft.com>
>>
>> IPE's initial goal is to control both execution and the loading of
>> kernel modules based on the system's definition of trust. It
>> accomplishes this by plugging into the security hooks for execve,
>> mprotect, mmap, kernel_load_data and kernel_read_data.
>>
>> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
>> ---
>>
>> Relevant changes since v6:
>> * Split up patch 02/12 into four parts:
>> 1. context creation [01/16]
>> 2. audit [07/16]
>> 3. evaluation loop [03/16]
>> 4. access control hooks [05/16] (this patch)
>>
>> ---
>> security/ipe/hooks.c | 149 ++++++++++++++++++++++++++++++++++++++++++
>> security/ipe/hooks.h | 23 ++++++-
>> security/ipe/ipe.c | 5 ++
>> security/ipe/policy.c | 23 +++++++
>> security/ipe/policy.h | 12 +++-
>> 5 files changed, 209 insertions(+), 3 deletions(-)
>>
>> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
>> index ed0c886eaa5a..216242408a80 100644
>> --- a/security/ipe/hooks.c
>> +++ b/security/ipe/hooks.c
>> @@ -6,11 +6,15 @@
>> #include "ipe.h"
>> #include "ctx.h"
>> #include "hooks.h"
>> +#include "eval.h"
>>
>> +#include <linux/fs.h>
>> #include <linux/sched.h>
>> #include <linux/types.h>
>> #include <linux/refcount.h>
>> #include <linux/rcupdate.h>
>> +#include <linux/binfmts.h>
>> +#include <linux/mman.h>
>>
>> /**
>> * ipe_task_alloc: Assign a new context for an associated task structure.
>> @@ -56,3 +60,148 @@ void ipe_task_free(struct task_struct *task)
>> ipe_put_ctx(ctx);
>> rcu_read_unlock();
>> }
>> +
>> +/**
>> + * ipe_on_exec: LSM hook called when a process is loaded through the exec
>> + * family of system calls.
>> + * @bprm: Supplies a pointer to a linux_binprm structure to source the file
>> + * being evaluated.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_exec(struct linux_binprm *bprm)
>> +{
>> + return ipe_process_event(bprm->file, ipe_operation_exec, ipe_hook_exec);
>> +}
>> +
>> +/**
>> + * ipe_on_mmap: LSM hook called when a file is loaded through the mmap
>> + * family of system calls.
>> + * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
>> + * @reqprot: The requested protection on the mmap, passed from usermode.
>> + * @prot: The effective protection on the mmap, resolved from reqprot and
>> + * system configuration.
>> + * @flags: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_mmap(struct file *f, unsigned long reqprot, unsigned long prot,
>> + unsigned long flags)
>> +{
>> + if (prot & PROT_EXEC || reqprot & PROT_EXEC)
>> + return ipe_process_event(f, ipe_operation_exec, ipe_hook_mmap);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ipe_on_mprotect: LSM hook called when a mmap'd region of memory is changing
>> + * its protections via mprotect.
>> + * @vma: Existing virtual memory area created by mmap or similar
>> + * @reqprot: The requested protection on the mmap, passed from usermode.
>> + * @prot: The effective protection on the mmap, resolved from reqprot and
>> + * system configuration.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
>> + unsigned long prot)
>> +{
>> + /* Already Executable */
>> + if (vma->vm_flags & VM_EXEC)
>> + return 0;
>> +
>> + if (((prot & PROT_EXEC) || reqprot & PROT_EXEC))
>> + return ipe_process_event(vma->vm_file, ipe_operation_exec,
>> + ipe_hook_mprotect);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ipe_on_kernel_read: LSM hook called when a file is being read in from
>> + * disk.
>> + * @file: Supplies a pointer to the file structure being read in from disk
>> + * @id: Supplies the enumeration identifying the purpose of the read.
>> + * @contents: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id,
>> + bool contents)
>> +{
>> + enum ipe_operation op;
>> +
>> + switch (id) {
>> + case READING_FIRMWARE:
>> + op = ipe_operation_firmware;
>> + break;
>> + case READING_MODULE:
>> + op = ipe_operation_kernel_module;
>> + break;
>> + case READING_KEXEC_INITRAMFS:
>> + op = ipe_operation_kexec_initramfs;
>> + break;
>> + case READING_KEXEC_IMAGE:
>> + op = ipe_operation_kexec_image;
>> + break;
>> + case READING_POLICY:
>> + op = ipe_operation_ima_policy;
>> + break;
>> + case READING_X509_CERTIFICATE:
>> + op = ipe_operation_ima_x509;
>> + break;
>> + default:
>> + op = ipe_operation_max;
>> + }
>> +
>> + return ipe_process_event(file, op, ipe_hook_kernel_read);
>> +}
>> +
>> +/**
>> + * ipe_on_kernel_load_data: LSM hook called when a buffer is being read in from
>> + * disk.
>> + * @id: Supplies the enumeration identifying the purpose of the read.
>> + * @contents: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * !0 - Error
>> + */
>> +int ipe_on_kernel_load_data(enum kernel_load_data_id id, bool contents)
>> +{
>> + enum ipe_operation op;
>> +
>> + switch (id) {
>> + case LOADING_FIRMWARE:
>> + op = ipe_operation_firmware;
>> + break;
>> + case LOADING_MODULE:
>> + op = ipe_operation_kernel_module;
>> + break;
>> + case LOADING_KEXEC_INITRAMFS:
>> + op = ipe_operation_kexec_initramfs;
>> + break;
>> + case LOADING_KEXEC_IMAGE:
>> + op = ipe_operation_kexec_image;
>> + break;
>> + case LOADING_POLICY:
>> + op = ipe_operation_ima_policy;
>> + break;
>> + case LOADING_X509_CERTIFICATE:
>> + op = ipe_operation_ima_x509;
>> + break;
>> + default:
>> + op = ipe_operation_max;
>> + }
>> +
>> + return ipe_process_event(NULL, op, ipe_hook_kernel_load);
>> +}
>> diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
>> index 58ed4a612e26..c99a0b7f45f7 100644
>> --- a/security/ipe/hooks.h
>> +++ b/security/ipe/hooks.h
>> @@ -5,11 +5,19 @@
>> #ifndef IPE_HOOKS_H
>> #define IPE_HOOKS_H
>>
>> +#include <linux/fs.h>
>> #include <linux/types.h>
>> #include <linux/sched.h>
>> +#include <linux/binfmts.h>
>> +#include <linux/security.h>
>>
>> enum ipe_hook {
>> - ipe_hook_max = 0
>> + ipe_hook_exec = 0,
>> + ipe_hook_mmap,
>> + ipe_hook_mprotect,
>> + ipe_hook_kernel_read,
>> + ipe_hook_kernel_load,
>> + ipe_hook_max
>> };
>>
>> int ipe_task_alloc(struct task_struct *task,
>> @@ -17,4 +25,17 @@ int ipe_task_alloc(struct task_struct *task,
>>
>> void ipe_task_free(struct task_struct *task);
>>
>> +int ipe_on_exec(struct linux_binprm *bprm);
>> +
>> +int ipe_on_mmap(struct file *f, unsigned long reqprot, unsigned long prot,
>> + unsigned long flags);
>> +
>> +int ipe_on_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
>> + unsigned long prot);
>> +
>> +int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id,
>> + bool contents);
>> +
>> +int ipe_on_kernel_load_data(enum kernel_load_data_id id, bool contents);
>> +
>> #endif /* IPE_HOOKS_H */
>> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
>> index b58b372327a1..3f9d43783293 100644
>> --- a/security/ipe/ipe.c
>> +++ b/security/ipe/ipe.c
>> @@ -25,6 +25,11 @@ struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = {
>> static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
>> LSM_HOOK_INIT(task_alloc, ipe_task_alloc),
>> LSM_HOOK_INIT(task_free, ipe_task_free),
>> + LSM_HOOK_INIT(bprm_check_security, ipe_on_exec),
>> + LSM_HOOK_INIT(mmap_file, ipe_on_mmap),
>> + LSM_HOOK_INIT(file_mprotect, ipe_on_mprotect),
>> + LSM_HOOK_INIT(kernel_read_file, ipe_on_kernel_read),
>> + LSM_HOOK_INIT(kernel_load_data, ipe_on_kernel_load_data),
> Please stick with the lsmname_hook_name convention, as you did
> with ipe_task_alloc and ipe_task_free. Anyone who is looking at
> more than one LSM is going to have a much harder time working
> with your code the way you have it. Think
>
> % find security | xargs grep '_bprm_check_security('
Sure. I'll make this change with the v8 series.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-10-15 19:26 UTC|newest]
Thread overview: 193+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-13 19:06 [RFC PATCH v7 00/16] Integrity Policy Enforcement (IPE) deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 01/16] security: add ipe lsm & initial context creation deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-27 4:10 ` kernel test robot
2021-10-13 19:06 ` [RFC PATCH v7 02/16] ipe: add policy parser deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-27 5:58 ` kernel test robot
2021-10-13 19:06 ` [RFC PATCH v7 03/16] ipe: add evaluation loop deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-27 8:17 ` kernel test robot
2021-10-13 19:06 ` [RFC PATCH v7 04/16] ipe: add userspace interface deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-11-03 9:42 ` Roberto Sassu
2021-11-03 9:42 ` Roberto Sassu
2021-11-03 9:42 ` [dm-devel] " Roberto Sassu
2021-11-04 16:50 ` Deven Bowers
2021-11-04 16:50 ` Deven Bowers
2021-11-04 16:50 ` [dm-devel] " Deven Bowers
2021-10-13 19:06 ` [RFC PATCH v7 05/16] ipe: add LSM hooks on execution and kernel read deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 20:04 ` Casey Schaufler
2021-10-13 20:04 ` [dm-devel] " Casey Schaufler
2021-10-13 20:04 ` Casey Schaufler
2021-10-15 19:25 ` Deven Bowers [this message]
2021-10-15 19:25 ` Deven Bowers
2021-10-15 19:25 ` [dm-devel] " Deven Bowers
2021-10-25 12:22 ` Roberto Sassu
2021-10-25 12:22 ` Roberto Sassu
2021-10-25 12:22 ` [dm-devel] " Roberto Sassu
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` [dm-devel] " Deven Bowers
2021-10-27 8:56 ` Roberto Sassu
2021-10-27 8:56 ` Roberto Sassu
2021-10-27 8:56 ` [dm-devel] " Roberto Sassu
2021-10-13 19:06 ` [RFC PATCH v7 06/16] uapi|audit: add trust audit message definitions deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 07/16] ipe: add auditing support deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 20:02 ` Steve Grubb
2021-10-13 20:02 ` [dm-devel] " Steve Grubb
2021-10-13 20:02 ` Steve Grubb
2021-10-15 19:25 ` Deven Bowers
2021-10-15 19:25 ` Deven Bowers
2021-10-15 19:25 ` [dm-devel] " Deven Bowers
2021-11-02 19:44 ` Steve Grubb
2021-11-02 19:44 ` [dm-devel] " Steve Grubb
2021-11-02 19:44 ` Steve Grubb
2021-11-04 16:59 ` Deven Bowers
2021-11-04 16:59 ` Deven Bowers
2021-11-04 16:59 ` [dm-devel] " Deven Bowers
2021-10-13 22:54 ` Randy Dunlap
2021-10-13 22:54 ` Randy Dunlap
2021-10-13 22:54 ` [dm-devel] " Randy Dunlap
2021-10-15 19:25 ` Deven Bowers
2021-10-15 19:25 ` Deven Bowers
2021-10-15 19:25 ` [dm-devel] " Deven Bowers
2021-10-15 19:50 ` Randy Dunlap
2021-10-15 19:50 ` Randy Dunlap
2021-10-15 19:50 ` [dm-devel] " Randy Dunlap
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` [dm-devel] " Deven Bowers
2021-10-13 19:06 ` [RFC PATCH v7 08/16] ipe: add permissive toggle deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 09/16] ipe: introduce 'boot_verified' as a trust provider deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 10/16] fs|dm-verity: add block_dev LSM blob and submit dm-verity data deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 11/16] ipe: add support for dm-verity as a trust provider deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-11-25 9:37 ` Roberto Sassu
2021-11-25 9:37 ` Roberto Sassu
2021-11-25 9:37 ` [dm-devel] " Roberto Sassu
2021-11-30 18:55 ` Deven Bowers
2021-11-30 18:55 ` Deven Bowers
2021-11-30 18:55 ` [dm-devel] " Deven Bowers
2021-12-01 16:37 ` [RFC][PATCH] device mapper: Add builtin function dm_get_status() Roberto Sassu
2021-12-01 16:37 ` Roberto Sassu
2021-12-01 16:37 ` [dm-devel] " Roberto Sassu
2021-12-01 16:43 ` Roberto Sassu
2021-12-01 16:43 ` Roberto Sassu
2021-12-01 16:43 ` [dm-devel] " Roberto Sassu
2021-12-02 7:20 ` Christoph Hellwig
2021-12-02 7:20 ` Christoph Hellwig
2021-12-02 7:20 ` [dm-devel] " Christoph Hellwig
2021-12-02 7:59 ` Roberto Sassu
2021-12-02 7:59 ` Roberto Sassu
2021-12-02 7:59 ` [dm-devel] " Roberto Sassu
2021-12-02 8:44 ` Christoph Hellwig
2021-12-02 8:44 ` Christoph Hellwig
2021-12-02 8:44 ` [dm-devel] " Christoph Hellwig
2021-12-02 9:29 ` Roberto Sassu
2021-12-02 9:29 ` Roberto Sassu
2021-12-02 9:29 ` [dm-devel] " Roberto Sassu
2021-12-03 6:52 ` Christoph Hellwig
2021-12-03 6:52 ` Christoph Hellwig
2021-12-03 6:52 ` [dm-devel] " Christoph Hellwig
2021-12-03 10:20 ` Roberto Sassu
2021-12-03 10:20 ` Roberto Sassu
2021-12-03 10:20 ` [dm-devel] " Roberto Sassu
2021-12-06 10:57 ` Roberto Sassu
2021-12-06 10:57 ` Roberto Sassu
2021-12-06 10:57 ` [dm-devel] " Roberto Sassu
2021-10-13 19:06 ` [RFC PATCH v7 12/16] fsverity|security: add security hooks to fsverity digest and signature deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 19:24 ` Eric Biggers
2021-10-13 19:24 ` Eric Biggers
2021-10-13 19:24 ` [dm-devel] " Eric Biggers
2021-10-15 19:25 ` Deven Bowers
2021-10-15 19:25 ` Deven Bowers
2021-10-15 19:25 ` [dm-devel] " Deven Bowers
2021-10-15 20:11 ` Eric Biggers
2021-10-15 20:11 ` Eric Biggers
2021-10-15 20:11 ` [dm-devel] " Eric Biggers
2021-10-20 15:08 ` Roberto Sassu
2021-10-20 15:08 ` [dm-devel] " Roberto Sassu
2021-10-20 15:08 ` Roberto Sassu
2021-10-22 16:31 ` Roberto Sassu
2021-10-22 16:31 ` Roberto Sassu
2021-10-22 16:31 ` [dm-devel] " Roberto Sassu
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` [dm-devel] " Deven Bowers
2021-10-27 8:41 ` Roberto Sassu
2021-10-27 8:41 ` Roberto Sassu
2021-10-27 8:41 ` [dm-devel] " Roberto Sassu
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` [dm-devel] " Deven Bowers
2021-10-27 9:34 ` Roberto Sassu
2021-10-27 9:34 ` Roberto Sassu
2021-10-27 9:34 ` [dm-devel] " Roberto Sassu
2021-10-28 3:48 ` Eric Biggers
2021-10-28 3:48 ` Eric Biggers
2021-10-28 3:48 ` [dm-devel] " Eric Biggers
2021-10-28 18:11 ` Deven Bowers
2021-10-28 18:11 ` Deven Bowers
2021-10-28 18:11 ` [dm-devel] " Deven Bowers
2021-11-03 12:28 ` Roberto Sassu
2021-11-03 12:28 ` Roberto Sassu
2021-11-03 12:28 ` [dm-devel] " Roberto Sassu
2021-11-04 17:12 ` Deven Bowers
2021-11-04 17:12 ` [dm-devel] " Deven Bowers
2021-11-04 17:12 ` Deven Bowers
2021-10-13 19:06 ` [RFC PATCH v7 13/16] ipe: enable support for fs-verity as a trust provider deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-27 11:55 ` kernel test robot
2021-10-13 19:06 ` [RFC PATCH v7 14/16] scripts: add boot policy generation program deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-11-03 16:43 ` Roberto Sassu
2021-11-03 16:43 ` Roberto Sassu
2021-11-03 16:43 ` [dm-devel] " Roberto Sassu
2021-11-03 16:53 ` Roberto Sassu
2021-11-03 16:53 ` Roberto Sassu
2021-11-03 16:53 ` [dm-devel] " Roberto Sassu
2021-11-04 16:52 ` Deven Bowers
2021-11-04 16:52 ` Deven Bowers
2021-11-04 16:52 ` [dm-devel] " Deven Bowers
2021-10-13 19:06 ` [RFC PATCH v7 15/16] ipe: kunit tests deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 16/16] documentation: add ipe documentation deven.desai
2021-10-13 19:06 ` deven.desai
2021-10-13 19:06 ` [dm-devel] " deven.desai
2021-10-25 11:30 ` [RFC PATCH v7 00/16] Integrity Policy Enforcement (IPE) Roberto Sassu
2021-10-25 11:30 ` Roberto Sassu
2021-10-25 11:30 ` [dm-devel] " Roberto Sassu
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` Deven Bowers
2021-10-26 19:03 ` [dm-devel] " Deven Bowers
2021-10-27 8:26 ` Roberto Sassu
2021-10-27 8:26 ` Roberto Sassu
2021-10-27 8:26 ` [dm-devel] " Roberto Sassu
2021-10-28 20:36 ` Deven Bowers
2021-10-28 20:36 ` Deven Bowers
2021-10-28 20:36 ` [dm-devel] " Deven Bowers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3b127720-d486-18da-4f1d-afe402fb39c4@linux.microsoft.com \
--to=deven.desai@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=dm-devel@redhat.com \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=snitzer@redhat.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.