* [RFC PATCH v2 00/12] Integrity Policy Enforcement LSM (IPE)
@ 2020-04-06 22:14 ` deven.desai
0 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Changelog:
------------------------------------
v1: Introduced
v2:
Split the second patch of the previous series into two.
Minor corrections in the cover-letter and documentation
comments regarding CAP_MAC_ADMIN checks in IPE.
Overview:
------------------------------------
IPE is a Linux Security Module, which allows for a configurable
policy to enforce integrity requirements on the whole system. It
attempts to solve the issue of Code Integrity: that any code being
executed (or files being read), are identical to the version that
was built by a trusted source.
The type of system for which IPE is designed for use is an embedded device
with a specific purpose (e.g. network firewall device in a data center),
where all software and configuration is built and provisioned by the owner.
Specifically, a system which leverages IPE is not intended for general
purpose computing and does not utilize any software or configuration
built by a third party. An ideal system to leverage IPE has both mutable
and immutable components, however, all binary executable code is immutable.
The scope of IPE is constrained to the OS. It is assumed that platform
firmware verifies the the kernel and optionally the root filesystem (e.g.
via U-Boot verified boot). IPE then utilizes LSM hooks to enforce a
flexible, kernel-resident integrity verification policy.
IPE differs from other LSMs which provide integrity checking (for instance,
IMA), as it has no dependency on the filesystem metadata itself. The
attributes that IPE checks are deterministic properties that exist solely
in the kernel. Additionally, IPE provides no additional mechanisms of
verifying these files (e.g. IMA Signatures) - all of the attributes of
verifying files are existing features within the kernel, such as dm-verity
or fsverity.
IPE provides a policy that allows owners of the system to easily specify
integrity requirements and uses dm-verity signatures to simplify the
authentication of allowed objects like authorized code and data.
IPE supports two modes, permissive (similar to SELinux's permissive mode)
and enforce. Permissive mode performs the same checks, and logs policy
violations as enforce mode, but will not enforce the policy. This allows
users to test policies before enforcing them.
The default mode is enforce, and can be changed via the kernel commandline
parameter `ipe.enforce=(0|1)`, or the sysctl `ipe.enforce=(0|1)`. The
ability to switch modes can be compiled out of the LSM via setting the
config CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH to N.
IPE additionally supports success auditing. When enabled, all events
that pass IPE policy and are not blocked will emit an audit event. This
is disabled by default, and can be enabled via the kernel commandline
`ipe.success_audit=(0|1)` or the sysctl `ipe.success_audit=(0|1)`.
Policies can be staged at runtime through securityfs and activated through
sysfs. Please see the Deploying Policies section of this cover letter for
more information.
The IPE LSM is compiled under CONFIG_SECURITY_IPE.
Policy:
------------------------------------
IPE policy is designed to be both forward compatible and backwards
compatible. There is one required line, at the top of the policy,
indicating the policy name, and the policy version, for instance:
policy_name="Ex Policy" policy_version=0.0.0
The policy version indicates the current version of the policy (NOT the
policy syntax version). This is used to prevent roll-back of policy to
potentially insecure previous versions of the policy.
The next portion of IPE policy, are rules. Rules are formed by key=value
pairs, known as properties. IPE rules require two properties: "action",
which determines what IPE does when it encounters a match against the
policy, and "op", which determines when that rule should be evaluated.
Thus, a minimal rule is:
op=EXECUTE action=ALLOW
This example will allow any execution. Additional properties are used to
restrict attributes about the files being evaluated. These properties are
intended to be deterministic attributes that are resident in the kernel.
Available properties for IPE described in the properties section of this
cover-letter, the repository available in Appendix A, and the kernel
documentation page.
Order does not matter for the rule's properties - they can be listed in
any order, however it is encouraged to have the "op" property be first,
and the "action" property be last, for readability.
Additionally, rules are evaluated top-to-bottom. As a result, any
revocation rules, or denies should be placed early in the file to ensure
that these rules are evaluated before a rule with "action=ALLOW" is hit.
IPE policy is designed to be forward compatible and backwards compatible,
thus any failure to parse a rule will result in the line being ignored,
and a warning being emitted. If backwards compatibility is not required,
the kernel commandline parameter and sysctl, ipe.strict_parse can be
enabled, which will cause these warnings to be fatal.
For more information about the policy syntax, please see Appendix A or
the kernel documentation page.
Early Usermode Protection:
--------------------------
IPE can be provided with a policy at startup to load and enforce.
This is intended to be a minimal policy to get the system to a state
where userland is setup and ready to receive commands, at which
point a policy can be deployed via securityfs. This "boot policy" can be
specified via the config, SECURITY_IPE_BOOT_POLICY, which accepts a path
to a plain-text version of the IPE policy to apply. This policy will be
compiled into the kernel. If not specified, IPE will be disabled until a
policy is deployed and activated through the method above.
Policy Examples:
------------------------------------
Allow all:
policy_name="Allow All" policy_version=0.0.0
DEFAULT action=ALLOW
Allow only initial superblock:
policy_name="Allow All Initial SB" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
Allow any signed dm-verity volume and the initial superblock:
policy_name="AllowSignedAndInitial" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW
Prohibit execution from a specific dm-verity volume:
policy_name="AllowSignedAndInitial" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE dmverity_roothash=401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW
Allow only a specific dm-verity volume:
policy_name="AllowSignedAndInitial" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE dmverity_roothash=401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW
Deploying Policies:
-------------------
Deploying policies is simple. First sign a plain text policy, with a
certificate that is present in the SYSTEM_TRUSTED_KEYRING of your test
machine. Through openssl, the signing can be done via:
openssl smime -sign -in "$MY_POLICY" -signer "$MY_CERTIFICATE" \
-inkey "$MY_PRIVATE_KEY" -binary -outform der -noattr -nodetach \
-out "$MY_POLICY.p7s"
Then, simply cat the file into the IPE's "new_policy" securityfs node:
cat "$MY_POLICY.p7s" > /sys/kernel/security/ipe/new_policy
The policy should now be present under the policies/ subdirectory, under
its "policy_name" attribute.
The policy is now present in the kernel and can be marked as active,
via the sysctl "ipe.active_policy":
sysctl ipe.active_policy="$MY_POLICY_NAME"
This will now mark the policy as active and the system will be enforcing
$MY_POLICY_NAME. At any point the policy can be updated on the provision
that the policy version to be deployed is greater than or equal to the
running version (to prevent roll-back attacks). This update can be done
by redirecting the file into the policy's "raw" node, under the policies
subdirectory:
cat "$MY_UPDATED_POLICY.p7s" > \
"/sys/kernel/security/ipe/policies/$MY_POLICY_NAME/raw"
Additionally, policies can be deleted via the "del_policy" securityfs
node. Simply write the name of the policy to be deleted to that node:
echo -n "$MY_POLICY_NAME" > /sys/kernel/security/ipe/del_policy
There are two requirements to delete policies:
1. The policy being deleted must not be the active policy.
2. The policy being deleted must not be the boot policy.
It's important to know above that the "echo" command will add a newline
to the end of the input, and this will be considered as part of the
filename. You can remove the newline via the -n parameter.
NOTE: If a MAC LSM is enabled, the securityfs commands will require
CAP_MAC_ADMIN. This is due to sysfs supporting fine-grained MAC
attributes, while securityfs at the current moment does not.
Properties:
------------------------------------
This initial patchset introducing IPE adds three properties:
'boot_verified', 'dmverity_signature' and 'dmverity_roothash'.
boot_verified (CONFIG_IPE_BOOT_PROP):
This property can be utilized for authorization of the first
super-block that is mounted on the system, where IPE attempts
to evaluate a file. Typically this is used for systems with
an initramfs or other initial disk, where this is unmounted before
the system becomes available, and is not covered by any other property.
The format of this property is:
boot_verified=(TRUE|FALSE)
WARNING: This property will trust any disk where the first IPE
evaluation occurs. If you do not have a startup disk that is
unpacked and unmounted (like initramfs), then it will automatically
trust the root filesystem and potentially overauthorize the entire
disk.
dmverity_roothash (CONFIG_IPE_DM_VERITY_ROOTHASH):
This property can be utilized for authorization or revocation of
specific dmverity volumes, identified via root hash. It has a
dependency on the DM_VERITY module. The format of this property is:
dmverity_roothash=<HashHexDigest>
dmverity_signature (CONFIG_IPE_DM_VERITY_SIGNATURE):
This property can be utilized for authorization of all dm-verity
volumes that have a signed roothash that chains to the system
trusted keyring. It has a dependency on the
DM_VERITY_VERIFY_ROOTHASH_SIG config. The format of this property is:
dmverity_signature=(TRUE|FALSE)
Testing:
------------------------------------
A test suite is available (Appendix B) for ease of use. For manual
instructions:
Enable IPE through the following Kconfigs:
CONFIG_SECURITY_IPE=y
CONFIG_SECURITY_IPE_BOOT_POLICY="../AllowAllInitialSB.pol"
CONFIG_SECURITY_IPE_AUDIT_SWITCH=y
CONFIG_IPE_BOOT_PROP=y
CONFIG_IPE_DM_VERITY_ROOTHASH=y
CONFIG_IPE_DM_VERITY_SIGNATURE=y
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/path/to/my/cert/list.pem"
Start a test system, that boots directly from the filesystem, without
an initrd. I recommend testing in permissive mode until all tests
pass, then switch to enforce to ensure behavior remains identical.
boot_verified:
If booted correctly, the filesystem mounted on / should be marked as
boot_verified. Verify by turning on success auditing (sysctl
ipe.success_audit=1), and run a binary. In the audit output,
`prop_boot_verified` should be `TRUE`.
To test denials, mount a temporary filesystem (mount -t tmpfs -o
size=4M tmp tmp), and copy a binary (e.g. ls) to this new
filesystem. Disable success auditing and attempt to run the file.
The file should have an audit event, but be allowed to execute in
permissive mode, and prop_boot_verified should be FALSE.
dmverity_roothash:
First, you must create a dm-verity volume. This can be done through
squashfs-tools and veritysetup (provided by cryptsetup).
Creating a squashfs volume:
mksquashfs /path/to/directory/with/executable /path/to/output.squashfs
Format the volume for use with dm-verity & save the root hash:
output_rh=$(veritysetup format output.squashfs output.hashtree | \
tee verity_out.txt | awk "/Root hash/" | \
sed -E "s/Root hash:\s+//g")
echo -n $output_rh > output.roothash
Create a two policies, filling in the appropriate fields below:
Policy 1:
policy_name="roothash-denial" policy_version=0.0.0
DEFAULT action=ALLOW
op=EXECUTE dmverity_roothash=$output_rh action=DENY
Policy 2:
policy_name="roothash-allow" policy_version=0.0.0
DEFAULT action=ALLOW
DEFAULT op=EXECUTE action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_roothash=$output_rh action=ALLOW
Deploy each policy, then mark the first, "roothash-denial" as active,
per the "Deploying Policies" section of this cover letter. Mount the
dm-verity volume:
veritysetup open output.squashfs output.hashtree unverified \
`cat output.roothash`
mount /dev/mapper/unverified /my/mount/point
Attempt to execute a binary in the mount point, and it should emit an
audit event for a match against the rule:
op=EXECUTE dmverity_roothash=$output_rh action=DENY
To test the second policy, perform the same steps, but this time, enable
success auditing before running the executable. The success audit event
should be a match against this rule:
op=EXECUTE dmverity_roothash=$output_rh action=ALLOW
dmverity_signature:
Follow the setup steps for dmverity_roothash. Sign the roothash via:
openssl smime -sign -in "output.roothash" -signer "$MY_CERTIFICATE" \
-inkey "$MY_PRIVATE_KEY" -binary -outform der -noattr \
-out "output.p7s"
Create a policy:
policy_name="verified" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_verified=TRUE action=ALLOW
Deploy the policy, and mark as active, per the "Deploying Policies"
section of this cover letter. Mount the dm-verity volume with
verification:
veritysetup open output.squashfs output.hashtree unverified \
`cat output.roothash` --root-hash-signature=output.p7s
mount /dev/mapper/unverified /my/mount/point
NOTE: The --root-hash-signature option was introduced in veritysetup
2.3.0
Turn on success auditing and attempt to execute a binary in the mount
point, and it should emit an audit event for a match against the rule:
op=EXECUTE dmverity_verified=TRUE action=ALLOW
To test denials, mount the dm-verity volume the same way as the
"dmverity_roothash" section, and attempt to execute a binary. Failure
should occur.
Documentation:
------------------------------------
Full documentation is available on github in IPE's master repository
(Appendix A). This is intended to be an exhaustive source of documentation
around IPE.
Additionally, there is higher level documentation in the admin-guide.
Known Gaps:
------------------------------------
IPE has two known gaps:
1. IPE cannot verify the integrity of anonymous executable memory, such as
the trampolines created by gcc closures and libffi, or JIT'd code.
Unfortunately, as this is dynamically generated code, there is no way for
IPE to detect that this code has not been tampered with in transition
from where it was built, to where it is running. As a result, IPE is
incapable of tackling this problem for dynamically generated code.
However, there is a patch series being prepared that addresses this
problem for libffi and gcc closures by implemeting a safer kernel
trampoline API.
2. IPE cannot verify the integrity of interpreted languages' programs when
these scripts invoked via `<interpreter> <file>`. This is because the way
interpreters execute these files, the scripts themselves are not
evaluated as executable code through one of IPE's hooks. Interpreters
can be enlightened to the usage of IPE by trying to mmap a file into
executable memory (+X), after opening the file and responding to the
error code appropriately. This also applies to included files, or high
value files, such as configuration files of critical system components.
This specific gap is planned on being addressed within IPE. For more
information on how we plan to address this gap, please see the Future
Development section, below.
Future Development:
------------------------------------
Support for filtering signatures by specific certificates. In this case,
our "dmverity_signature" (or a separate property) can be set to a
specific certificate declared in IPE's policy, allowing for more
controlled use-cases determine by a user's PKI structure.
Support for integrity verification for general file reads. This addresses
the script interpreter issue indicated in the "Known Gaps" section, as
these script files are typically opened with O_RDONLY. We are evaluating
whether to do this by comparing the original userland filepath passed into
the open syscall, thereby allowing existing callers to take advantage
without any code changes; the alternate design is to extend the new
openat2(2) syscall, with an new flag, tentatively called "O_VERIFY". While
the second option requires a code change for all the interpreters,
frameworks and languages that wish to leverage it, it is a wholly cleaner
implementation in the kernel.
Onboarding IPE's test suite to KernelCI. Currently we are developing a
test suite in the same vein as SELinux's test suite. Once development
of the test suite is complete, and provided IPE is accepted, we intend
to onboard this test suite onto KernelCI.
Hardened resistance against roll-back attacks. Currently there exists a
window of opportunity between user-mode setup and the user-policy being
deployed, where a prior user-policy can be loaded, that is potentially
insecure. However, with a kernel update, you can revise the boot policy's
version to be the same version as the latest policy, closing this window.
In the future, I would like to close this window of opportunity without
a kernel update, using some persistent storage mechanism.
Open Issues:
------------
For linux-audit/integrity folks:
1. Introduction of new audit definitions in the kernel integrity range - is
this preferred, as opposed to reusing definitions with existing IMA
definitions?
TODOs:
------
linux-audit changes to support the new audit events.
Appendix:
------------------------------------
A. IPE Github Repository: https://github.com/microsoft/ipe
Hosted Documentation: https://microsoft.github.io/ipe
B. IPE Users' Guide: Documentation/admin-guide/LSM/ipe.rst
C. IPE Test Suite: *TBA* (under development)
Deven Bowers (12):
scripts: add ipe tooling to generate boot policy
security: add ipe lsm evaluation loop and audit system
security: add ipe lsm policy parser and policy loading
ipe: add property for trust of boot volume
fs: add security blob and hooks for block_device
dm-verity: move signature check after tree validation
dm-verity: add bdev_setsecurity hook for dm-verity signature
ipe: add property for signed dmverity volumes
dm-verity: add bdev_setsecurity hook for root-hash
ipe: add property for dmverity roothash
documentation: Add IPE Documentation
cleanup: uapi/linux/audit.h
Documentation/admin-guide/LSM/index.rst | 1 +
Documentation/admin-guide/LSM/ipe.rst | 487 ++++++++++
.../admin-guide/kernel-parameters.txt | 20 +
MAINTAINERS | 8 +
drivers/md/dm-verity-target.c | 50 +-
drivers/md/dm-verity-verify-sig.c | 147 ++-
drivers/md/dm-verity-verify-sig.h | 20 +-
drivers/md/dm-verity.h | 2 +-
fs/block_dev.c | 8 +
include/linux/device-mapper.h | 3 +
include/linux/fs.h | 1 +
include/linux/lsm_hook_defs.h | 5 +
include/linux/lsm_hooks.h | 11 +
include/linux/security.h | 22 +
include/uapi/linux/audit.h | 36 +-
scripts/Makefile | 1 +
scripts/ipe/Makefile | 2 +
scripts/ipe/polgen/.gitignore | 1 +
scripts/ipe/polgen/Makefile | 7 +
scripts/ipe/polgen/polgen.c | 136 +++
security/Kconfig | 12 +-
security/Makefile | 2 +
security/ipe/.gitignore | 2 +
security/ipe/Kconfig | 43 +
security/ipe/Makefile | 34 +
security/ipe/ipe-audit.c | 313 ++++++
security/ipe/ipe-audit.h | 76 ++
security/ipe/ipe-blobs.c | 90 ++
security/ipe/ipe-blobs.h | 18 +
security/ipe/ipe-engine.c | 354 +++++++
security/ipe/ipe-engine.h | 61 ++
security/ipe/ipe-hooks.c | 171 ++++
security/ipe/ipe-hooks.h | 159 ++++
security/ipe/ipe-parse.c | 898 ++++++++++++++++++
security/ipe/ipe-parse.h | 35 +
security/ipe/ipe-pin.c | 93 ++
security/ipe/ipe-pin.h | 56 ++
security/ipe/ipe-policy.c | 180 ++++
security/ipe/ipe-policy.h | 116 +++
security/ipe/ipe-prop-internal.h | 43 +
security/ipe/ipe-property.c | 112 +++
security/ipe/ipe-property.h | 159 ++++
security/ipe/ipe-secfs.c | 814 ++++++++++++++++
security/ipe/ipe-secfs.h | 25 +
security/ipe/ipe-sysfs.c | 203 ++++
security/ipe/ipe-sysfs.h | 21 +
security/ipe/ipe.c | 146 +++
security/ipe/ipe.h | 23 +
security/ipe/properties/Kconfig | 35 +
security/ipe/properties/Makefile | 13 +
security/ipe/properties/boot-verified.c | 84 ++
security/ipe/properties/dmverity-roothash.c | 155 +++
security/ipe/properties/dmverity-signature.c | 84 ++
security/ipe/properties/prop-entry.h | 38 +
security/ipe/utility.h | 32 +
security/security.c | 61 ++
56 files changed, 5635 insertions(+), 94 deletions(-)
create mode 100644 Documentation/admin-guide/LSM/ipe.rst
create mode 100644 scripts/ipe/Makefile
create mode 100644 scripts/ipe/polgen/.gitignore
create mode 100644 scripts/ipe/polgen/Makefile
create mode 100644 scripts/ipe/polgen/polgen.c
create mode 100644 security/ipe/.gitignore
create mode 100644 security/ipe/Kconfig
create mode 100644 security/ipe/Makefile
create mode 100644 security/ipe/ipe-audit.c
create mode 100644 security/ipe/ipe-audit.h
create mode 100644 security/ipe/ipe-blobs.c
create mode 100644 security/ipe/ipe-blobs.h
create mode 100644 security/ipe/ipe-engine.c
create mode 100644 security/ipe/ipe-engine.h
create mode 100644 security/ipe/ipe-hooks.c
create mode 100644 security/ipe/ipe-hooks.h
create mode 100644 security/ipe/ipe-parse.c
create mode 100644 security/ipe/ipe-parse.h
create mode 100644 security/ipe/ipe-pin.c
create mode 100644 security/ipe/ipe-pin.h
create mode 100644 security/ipe/ipe-policy.c
create mode 100644 security/ipe/ipe-policy.h
create mode 100644 security/ipe/ipe-prop-internal.h
create mode 100644 security/ipe/ipe-property.c
create mode 100644 security/ipe/ipe-property.h
create mode 100644 security/ipe/ipe-secfs.c
create mode 100644 security/ipe/ipe-secfs.h
create mode 100644 security/ipe/ipe-sysfs.c
create mode 100644 security/ipe/ipe-sysfs.h
create mode 100644 security/ipe/ipe.c
create mode 100644 security/ipe/ipe.h
create mode 100644 security/ipe/properties/Kconfig
create mode 100644 security/ipe/properties/Makefile
create mode 100644 security/ipe/properties/boot-verified.c
create mode 100644 security/ipe/properties/dmverity-roothash.c
create mode 100644 security/ipe/properties/dmverity-signature.c
create mode 100644 security/ipe/properties/prop-entry.h
create mode 100644 security/ipe/utility.h
--
2.26.0
^ permalink raw reply [flat|nested] 27+ messages in thread
* [RFC PATCH v2 00/12] Integrity Policy Enforcement LSM (IPE)
@ 2020-04-06 22:14 ` deven.desai
0 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: sashal, pasha.tatashin, mdsakib, linux-kernel, nramas, tyhicks,
jaskarankhurana
From: Deven Bowers <deven.desai@linux.microsoft.com>
Changelog:
------------------------------------
v1: Introduced
v2:
Split the second patch of the previous series into two.
Minor corrections in the cover-letter and documentation
comments regarding CAP_MAC_ADMIN checks in IPE.
Overview:
------------------------------------
IPE is a Linux Security Module, which allows for a configurable
policy to enforce integrity requirements on the whole system. It
attempts to solve the issue of Code Integrity: that any code being
executed (or files being read), are identical to the version that
was built by a trusted source.
The type of system for which IPE is designed for use is an embedded device
with a specific purpose (e.g. network firewall device in a data center),
where all software and configuration is built and provisioned by the owner.
Specifically, a system which leverages IPE is not intended for general
purpose computing and does not utilize any software or configuration
built by a third party. An ideal system to leverage IPE has both mutable
and immutable components, however, all binary executable code is immutable.
The scope of IPE is constrained to the OS. It is assumed that platform
firmware verifies the the kernel and optionally the root filesystem (e.g.
via U-Boot verified boot). IPE then utilizes LSM hooks to enforce a
flexible, kernel-resident integrity verification policy.
IPE differs from other LSMs which provide integrity checking (for instance,
IMA), as it has no dependency on the filesystem metadata itself. The
attributes that IPE checks are deterministic properties that exist solely
in the kernel. Additionally, IPE provides no additional mechanisms of
verifying these files (e.g. IMA Signatures) - all of the attributes of
verifying files are existing features within the kernel, such as dm-verity
or fsverity.
IPE provides a policy that allows owners of the system to easily specify
integrity requirements and uses dm-verity signatures to simplify the
authentication of allowed objects like authorized code and data.
IPE supports two modes, permissive (similar to SELinux's permissive mode)
and enforce. Permissive mode performs the same checks, and logs policy
violations as enforce mode, but will not enforce the policy. This allows
users to test policies before enforcing them.
The default mode is enforce, and can be changed via the kernel commandline
parameter `ipe.enforce=(0|1)`, or the sysctl `ipe.enforce=(0|1)`. The
ability to switch modes can be compiled out of the LSM via setting the
config CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH to N.
IPE additionally supports success auditing. When enabled, all events
that pass IPE policy and are not blocked will emit an audit event. This
is disabled by default, and can be enabled via the kernel commandline
`ipe.success_audit=(0|1)` or the sysctl `ipe.success_audit=(0|1)`.
Policies can be staged at runtime through securityfs and activated through
sysfs. Please see the Deploying Policies section of this cover letter for
more information.
The IPE LSM is compiled under CONFIG_SECURITY_IPE.
Policy:
------------------------------------
IPE policy is designed to be both forward compatible and backwards
compatible. There is one required line, at the top of the policy,
indicating the policy name, and the policy version, for instance:
policy_name="Ex Policy" policy_version=0.0.0
The policy version indicates the current version of the policy (NOT the
policy syntax version). This is used to prevent roll-back of policy to
potentially insecure previous versions of the policy.
The next portion of IPE policy, are rules. Rules are formed by key=value
pairs, known as properties. IPE rules require two properties: "action",
which determines what IPE does when it encounters a match against the
policy, and "op", which determines when that rule should be evaluated.
Thus, a minimal rule is:
op=EXECUTE action=ALLOW
This example will allow any execution. Additional properties are used to
restrict attributes about the files being evaluated. These properties are
intended to be deterministic attributes that are resident in the kernel.
Available properties for IPE described in the properties section of this
cover-letter, the repository available in Appendix A, and the kernel
documentation page.
Order does not matter for the rule's properties - they can be listed in
any order, however it is encouraged to have the "op" property be first,
and the "action" property be last, for readability.
Additionally, rules are evaluated top-to-bottom. As a result, any
revocation rules, or denies should be placed early in the file to ensure
that these rules are evaluated before a rule with "action=ALLOW" is hit.
IPE policy is designed to be forward compatible and backwards compatible,
thus any failure to parse a rule will result in the line being ignored,
and a warning being emitted. If backwards compatibility is not required,
the kernel commandline parameter and sysctl, ipe.strict_parse can be
enabled, which will cause these warnings to be fatal.
For more information about the policy syntax, please see Appendix A or
the kernel documentation page.
Early Usermode Protection:
--------------------------
IPE can be provided with a policy at startup to load and enforce.
This is intended to be a minimal policy to get the system to a state
where userland is setup and ready to receive commands, at which
point a policy can be deployed via securityfs. This "boot policy" can be
specified via the config, SECURITY_IPE_BOOT_POLICY, which accepts a path
to a plain-text version of the IPE policy to apply. This policy will be
compiled into the kernel. If not specified, IPE will be disabled until a
policy is deployed and activated through the method above.
Policy Examples:
------------------------------------
Allow all:
policy_name="Allow All" policy_version=0.0.0
DEFAULT action=ALLOW
Allow only initial superblock:
policy_name="Allow All Initial SB" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
Allow any signed dm-verity volume and the initial superblock:
policy_name="AllowSignedAndInitial" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW
Prohibit execution from a specific dm-verity volume:
policy_name="AllowSignedAndInitial" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE dmverity_roothash=401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW
Allow only a specific dm-verity volume:
policy_name="AllowSignedAndInitial" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE dmverity_roothash=401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW
Deploying Policies:
-------------------
Deploying policies is simple. First sign a plain text policy, with a
certificate that is present in the SYSTEM_TRUSTED_KEYRING of your test
machine. Through openssl, the signing can be done via:
openssl smime -sign -in "$MY_POLICY" -signer "$MY_CERTIFICATE" \
-inkey "$MY_PRIVATE_KEY" -binary -outform der -noattr -nodetach \
-out "$MY_POLICY.p7s"
Then, simply cat the file into the IPE's "new_policy" securityfs node:
cat "$MY_POLICY.p7s" > /sys/kernel/security/ipe/new_policy
The policy should now be present under the policies/ subdirectory, under
its "policy_name" attribute.
The policy is now present in the kernel and can be marked as active,
via the sysctl "ipe.active_policy":
sysctl ipe.active_policy="$MY_POLICY_NAME"
This will now mark the policy as active and the system will be enforcing
$MY_POLICY_NAME. At any point the policy can be updated on the provision
that the policy version to be deployed is greater than or equal to the
running version (to prevent roll-back attacks). This update can be done
by redirecting the file into the policy's "raw" node, under the policies
subdirectory:
cat "$MY_UPDATED_POLICY.p7s" > \
"/sys/kernel/security/ipe/policies/$MY_POLICY_NAME/raw"
Additionally, policies can be deleted via the "del_policy" securityfs
node. Simply write the name of the policy to be deleted to that node:
echo -n "$MY_POLICY_NAME" > /sys/kernel/security/ipe/del_policy
There are two requirements to delete policies:
1. The policy being deleted must not be the active policy.
2. The policy being deleted must not be the boot policy.
It's important to know above that the "echo" command will add a newline
to the end of the input, and this will be considered as part of the
filename. You can remove the newline via the -n parameter.
NOTE: If a MAC LSM is enabled, the securityfs commands will require
CAP_MAC_ADMIN. This is due to sysfs supporting fine-grained MAC
attributes, while securityfs at the current moment does not.
Properties:
------------------------------------
This initial patchset introducing IPE adds three properties:
'boot_verified', 'dmverity_signature' and 'dmverity_roothash'.
boot_verified (CONFIG_IPE_BOOT_PROP):
This property can be utilized for authorization of the first
super-block that is mounted on the system, where IPE attempts
to evaluate a file. Typically this is used for systems with
an initramfs or other initial disk, where this is unmounted before
the system becomes available, and is not covered by any other property.
The format of this property is:
boot_verified=(TRUE|FALSE)
WARNING: This property will trust any disk where the first IPE
evaluation occurs. If you do not have a startup disk that is
unpacked and unmounted (like initramfs), then it will automatically
trust the root filesystem and potentially overauthorize the entire
disk.
dmverity_roothash (CONFIG_IPE_DM_VERITY_ROOTHASH):
This property can be utilized for authorization or revocation of
specific dmverity volumes, identified via root hash. It has a
dependency on the DM_VERITY module. The format of this property is:
dmverity_roothash=<HashHexDigest>
dmverity_signature (CONFIG_IPE_DM_VERITY_SIGNATURE):
This property can be utilized for authorization of all dm-verity
volumes that have a signed roothash that chains to the system
trusted keyring. It has a dependency on the
DM_VERITY_VERIFY_ROOTHASH_SIG config. The format of this property is:
dmverity_signature=(TRUE|FALSE)
Testing:
------------------------------------
A test suite is available (Appendix B) for ease of use. For manual
instructions:
Enable IPE through the following Kconfigs:
CONFIG_SECURITY_IPE=y
CONFIG_SECURITY_IPE_BOOT_POLICY="../AllowAllInitialSB.pol"
CONFIG_SECURITY_IPE_AUDIT_SWITCH=y
CONFIG_IPE_BOOT_PROP=y
CONFIG_IPE_DM_VERITY_ROOTHASH=y
CONFIG_IPE_DM_VERITY_SIGNATURE=y
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/path/to/my/cert/list.pem"
Start a test system, that boots directly from the filesystem, without
an initrd. I recommend testing in permissive mode until all tests
pass, then switch to enforce to ensure behavior remains identical.
boot_verified:
If booted correctly, the filesystem mounted on / should be marked as
boot_verified. Verify by turning on success auditing (sysctl
ipe.success_audit=1), and run a binary. In the audit output,
`prop_boot_verified` should be `TRUE`.
To test denials, mount a temporary filesystem (mount -t tmpfs -o
size=4M tmp tmp), and copy a binary (e.g. ls) to this new
filesystem. Disable success auditing and attempt to run the file.
The file should have an audit event, but be allowed to execute in
permissive mode, and prop_boot_verified should be FALSE.
dmverity_roothash:
First, you must create a dm-verity volume. This can be done through
squashfs-tools and veritysetup (provided by cryptsetup).
Creating a squashfs volume:
mksquashfs /path/to/directory/with/executable /path/to/output.squashfs
Format the volume for use with dm-verity & save the root hash:
output_rh=$(veritysetup format output.squashfs output.hashtree | \
tee verity_out.txt | awk "/Root hash/" | \
sed -E "s/Root hash:\s+//g")
echo -n $output_rh > output.roothash
Create a two policies, filling in the appropriate fields below:
Policy 1:
policy_name="roothash-denial" policy_version=0.0.0
DEFAULT action=ALLOW
op=EXECUTE dmverity_roothash=$output_rh action=DENY
Policy 2:
policy_name="roothash-allow" policy_version=0.0.0
DEFAULT action=ALLOW
DEFAULT op=EXECUTE action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_roothash=$output_rh action=ALLOW
Deploy each policy, then mark the first, "roothash-denial" as active,
per the "Deploying Policies" section of this cover letter. Mount the
dm-verity volume:
veritysetup open output.squashfs output.hashtree unverified \
`cat output.roothash`
mount /dev/mapper/unverified /my/mount/point
Attempt to execute a binary in the mount point, and it should emit an
audit event for a match against the rule:
op=EXECUTE dmverity_roothash=$output_rh action=DENY
To test the second policy, perform the same steps, but this time, enable
success auditing before running the executable. The success audit event
should be a match against this rule:
op=EXECUTE dmverity_roothash=$output_rh action=ALLOW
dmverity_signature:
Follow the setup steps for dmverity_roothash. Sign the roothash via:
openssl smime -sign -in "output.roothash" -signer "$MY_CERTIFICATE" \
-inkey "$MY_PRIVATE_KEY" -binary -outform der -noattr \
-out "output.p7s"
Create a policy:
policy_name="verified" policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_verified=TRUE action=ALLOW
Deploy the policy, and mark as active, per the "Deploying Policies"
section of this cover letter. Mount the dm-verity volume with
verification:
veritysetup open output.squashfs output.hashtree unverified \
`cat output.roothash` --root-hash-signature=output.p7s
mount /dev/mapper/unverified /my/mount/point
NOTE: The --root-hash-signature option was introduced in veritysetup
2.3.0
Turn on success auditing and attempt to execute a binary in the mount
point, and it should emit an audit event for a match against the rule:
op=EXECUTE dmverity_verified=TRUE action=ALLOW
To test denials, mount the dm-verity volume the same way as the
"dmverity_roothash" section, and attempt to execute a binary. Failure
should occur.
Documentation:
------------------------------------
Full documentation is available on github in IPE's master repository
(Appendix A). This is intended to be an exhaustive source of documentation
around IPE.
Additionally, there is higher level documentation in the admin-guide.
Known Gaps:
------------------------------------
IPE has two known gaps:
1. IPE cannot verify the integrity of anonymous executable memory, such as
the trampolines created by gcc closures and libffi, or JIT'd code.
Unfortunately, as this is dynamically generated code, there is no way for
IPE to detect that this code has not been tampered with in transition
from where it was built, to where it is running. As a result, IPE is
incapable of tackling this problem for dynamically generated code.
However, there is a patch series being prepared that addresses this
problem for libffi and gcc closures by implemeting a safer kernel
trampoline API.
2. IPE cannot verify the integrity of interpreted languages' programs when
these scripts invoked via `<interpreter> <file>`. This is because the way
interpreters execute these files, the scripts themselves are not
evaluated as executable code through one of IPE's hooks. Interpreters
can be enlightened to the usage of IPE by trying to mmap a file into
executable memory (+X), after opening the file and responding to the
error code appropriately. This also applies to included files, or high
value files, such as configuration files of critical system components.
This specific gap is planned on being addressed within IPE. For more
information on how we plan to address this gap, please see the Future
Development section, below.
Future Development:
------------------------------------
Support for filtering signatures by specific certificates. In this case,
our "dmverity_signature" (or a separate property) can be set to a
specific certificate declared in IPE's policy, allowing for more
controlled use-cases determine by a user's PKI structure.
Support for integrity verification for general file reads. This addresses
the script interpreter issue indicated in the "Known Gaps" section, as
these script files are typically opened with O_RDONLY. We are evaluating
whether to do this by comparing the original userland filepath passed into
the open syscall, thereby allowing existing callers to take advantage
without any code changes; the alternate design is to extend the new
openat2(2) syscall, with an new flag, tentatively called "O_VERIFY". While
the second option requires a code change for all the interpreters,
frameworks and languages that wish to leverage it, it is a wholly cleaner
implementation in the kernel.
Onboarding IPE's test suite to KernelCI. Currently we are developing a
test suite in the same vein as SELinux's test suite. Once development
of the test suite is complete, and provided IPE is accepted, we intend
to onboard this test suite onto KernelCI.
Hardened resistance against roll-back attacks. Currently there exists a
window of opportunity between user-mode setup and the user-policy being
deployed, where a prior user-policy can be loaded, that is potentially
insecure. However, with a kernel update, you can revise the boot policy's
version to be the same version as the latest policy, closing this window.
In the future, I would like to close this window of opportunity without
a kernel update, using some persistent storage mechanism.
Open Issues:
------------
For linux-audit/integrity folks:
1. Introduction of new audit definitions in the kernel integrity range - is
this preferred, as opposed to reusing definitions with existing IMA
definitions?
TODOs:
------
linux-audit changes to support the new audit events.
Appendix:
------------------------------------
A. IPE Github Repository: https://github.com/microsoft/ipe
Hosted Documentation: https://microsoft.github.io/ipe
B. IPE Users' Guide: Documentation/admin-guide/LSM/ipe.rst
C. IPE Test Suite: *TBA* (under development)
Deven Bowers (12):
scripts: add ipe tooling to generate boot policy
security: add ipe lsm evaluation loop and audit system
security: add ipe lsm policy parser and policy loading
ipe: add property for trust of boot volume
fs: add security blob and hooks for block_device
dm-verity: move signature check after tree validation
dm-verity: add bdev_setsecurity hook for dm-verity signature
ipe: add property for signed dmverity volumes
dm-verity: add bdev_setsecurity hook for root-hash
ipe: add property for dmverity roothash
documentation: Add IPE Documentation
cleanup: uapi/linux/audit.h
Documentation/admin-guide/LSM/index.rst | 1 +
Documentation/admin-guide/LSM/ipe.rst | 487 ++++++++++
.../admin-guide/kernel-parameters.txt | 20 +
MAINTAINERS | 8 +
drivers/md/dm-verity-target.c | 50 +-
drivers/md/dm-verity-verify-sig.c | 147 ++-
drivers/md/dm-verity-verify-sig.h | 20 +-
drivers/md/dm-verity.h | 2 +-
fs/block_dev.c | 8 +
include/linux/device-mapper.h | 3 +
include/linux/fs.h | 1 +
include/linux/lsm_hook_defs.h | 5 +
include/linux/lsm_hooks.h | 11 +
include/linux/security.h | 22 +
include/uapi/linux/audit.h | 36 +-
scripts/Makefile | 1 +
scripts/ipe/Makefile | 2 +
scripts/ipe/polgen/.gitignore | 1 +
scripts/ipe/polgen/Makefile | 7 +
scripts/ipe/polgen/polgen.c | 136 +++
security/Kconfig | 12 +-
security/Makefile | 2 +
security/ipe/.gitignore | 2 +
security/ipe/Kconfig | 43 +
security/ipe/Makefile | 34 +
security/ipe/ipe-audit.c | 313 ++++++
security/ipe/ipe-audit.h | 76 ++
security/ipe/ipe-blobs.c | 90 ++
security/ipe/ipe-blobs.h | 18 +
security/ipe/ipe-engine.c | 354 +++++++
security/ipe/ipe-engine.h | 61 ++
security/ipe/ipe-hooks.c | 171 ++++
security/ipe/ipe-hooks.h | 159 ++++
security/ipe/ipe-parse.c | 898 ++++++++++++++++++
security/ipe/ipe-parse.h | 35 +
security/ipe/ipe-pin.c | 93 ++
security/ipe/ipe-pin.h | 56 ++
security/ipe/ipe-policy.c | 180 ++++
security/ipe/ipe-policy.h | 116 +++
security/ipe/ipe-prop-internal.h | 43 +
security/ipe/ipe-property.c | 112 +++
security/ipe/ipe-property.h | 159 ++++
security/ipe/ipe-secfs.c | 814 ++++++++++++++++
security/ipe/ipe-secfs.h | 25 +
security/ipe/ipe-sysfs.c | 203 ++++
security/ipe/ipe-sysfs.h | 21 +
security/ipe/ipe.c | 146 +++
security/ipe/ipe.h | 23 +
security/ipe/properties/Kconfig | 35 +
security/ipe/properties/Makefile | 13 +
security/ipe/properties/boot-verified.c | 84 ++
security/ipe/properties/dmverity-roothash.c | 155 +++
security/ipe/properties/dmverity-signature.c | 84 ++
security/ipe/properties/prop-entry.h | 38 +
security/ipe/utility.h | 32 +
security/security.c | 61 ++
56 files changed, 5635 insertions(+), 94 deletions(-)
create mode 100644 Documentation/admin-guide/LSM/ipe.rst
create mode 100644 scripts/ipe/Makefile
create mode 100644 scripts/ipe/polgen/.gitignore
create mode 100644 scripts/ipe/polgen/Makefile
create mode 100644 scripts/ipe/polgen/polgen.c
create mode 100644 security/ipe/.gitignore
create mode 100644 security/ipe/Kconfig
create mode 100644 security/ipe/Makefile
create mode 100644 security/ipe/ipe-audit.c
create mode 100644 security/ipe/ipe-audit.h
create mode 100644 security/ipe/ipe-blobs.c
create mode 100644 security/ipe/ipe-blobs.h
create mode 100644 security/ipe/ipe-engine.c
create mode 100644 security/ipe/ipe-engine.h
create mode 100644 security/ipe/ipe-hooks.c
create mode 100644 security/ipe/ipe-hooks.h
create mode 100644 security/ipe/ipe-parse.c
create mode 100644 security/ipe/ipe-parse.h
create mode 100644 security/ipe/ipe-pin.c
create mode 100644 security/ipe/ipe-pin.h
create mode 100644 security/ipe/ipe-policy.c
create mode 100644 security/ipe/ipe-policy.h
create mode 100644 security/ipe/ipe-prop-internal.h
create mode 100644 security/ipe/ipe-property.c
create mode 100644 security/ipe/ipe-property.h
create mode 100644 security/ipe/ipe-secfs.c
create mode 100644 security/ipe/ipe-secfs.h
create mode 100644 security/ipe/ipe-sysfs.c
create mode 100644 security/ipe/ipe-sysfs.h
create mode 100644 security/ipe/ipe.c
create mode 100644 security/ipe/ipe.h
create mode 100644 security/ipe/properties/Kconfig
create mode 100644 security/ipe/properties/Makefile
create mode 100644 security/ipe/properties/boot-verified.c
create mode 100644 security/ipe/properties/dmverity-roothash.c
create mode 100644 security/ipe/properties/dmverity-signature.c
create mode 100644 security/ipe/properties/prop-entry.h
create mode 100644 security/ipe/utility.h
--
2.26.0
^ permalink raw reply [flat|nested] 27+ messages in thread
* [RFC PATCH v2 01/12] scripts: add ipe tooling to generate boot policy
2020-04-06 22:14 ` deven.desai
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add a tool for the generation of an IPE policy to be compiled into the
kernel. This policy will be enforced until userland deploys and activates
a new policy.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
MAINTAINERS | 6 ++
scripts/Makefile | 1 +
scripts/ipe/Makefile | 2 +
scripts/ipe/polgen/.gitignore | 1 +
scripts/ipe/polgen/Makefile | 7 ++
scripts/ipe/polgen/polgen.c | 136 ++++++++++++++++++++++++++++++++++
6 files changed, 153 insertions(+)
create mode 100644 scripts/ipe/Makefile
create mode 100644 scripts/ipe/polgen/.gitignore
create mode 100644 scripts/ipe/polgen/Makefile
create mode 100644 scripts/ipe/polgen/polgen.c
diff --git a/MAINTAINERS b/MAINTAINERS
index eeff55560759..0462644271aa 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8437,6 +8437,12 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
S: Supported
F: security/integrity/ima/
+INTEGRITY POLICY ENFORCEMENT (IPE)
+M: Deven Bowers <deven.desai@linux.microsoft.com>
+L: linux-integrity@vger.kernel.org
+S: Supported
+F: scripts/ipe/
+
INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <adaplas@gmail.com>
L: linux-fbdev@vger.kernel.org
diff --git a/scripts/Makefile b/scripts/Makefile
index 5e75802b1a44..9338017a3b6e 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -38,6 +38,7 @@ hostprogs += unifdef
subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins
subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+subdir-$(CONFIG_SECURITY_IPE) += ipe
# Let clean descend into subdirs
subdir- += basic dtc gdb kconfig mod
diff --git a/scripts/ipe/Makefile b/scripts/ipe/Makefile
new file mode 100644
index 000000000000..e87553fbb8d6
--- /dev/null
+++ b/scripts/ipe/Makefile
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0-only
+subdir-y := polgen
diff --git a/scripts/ipe/polgen/.gitignore b/scripts/ipe/polgen/.gitignore
new file mode 100644
index 000000000000..80f32f25d200
--- /dev/null
+++ b/scripts/ipe/polgen/.gitignore
@@ -0,0 +1 @@
+polgen
diff --git a/scripts/ipe/polgen/Makefile b/scripts/ipe/polgen/Makefile
new file mode 100644
index 000000000000..a519b594e13c
--- /dev/null
+++ b/scripts/ipe/polgen/Makefile
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0
+hostprogs-y := polgen
+HOST_EXTRACFLAGS += \
+ -I$(srctree)/include \
+ -I$(srctree)/include/uapi \
+
+always := $(hostprogs-y)
diff --git a/scripts/ipe/polgen/polgen.c b/scripts/ipe/polgen/polgen.c
new file mode 100644
index 000000000000..a80fffe1b27c
--- /dev/null
+++ b/scripts/ipe/polgen/polgen.c
@@ -0,0 +1,136 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include <stdlib.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+
+static void usage(const char *const name)
+{
+ printf("Usage: %s OutputFile (PolicyFile)\n", name);
+ exit(EINVAL);
+}
+
+static int policy_to_buffer(const char *pathname, char **buffer, size_t *size)
+{
+ int rc = 0;
+ FILE *fd;
+ char *lbuf;
+ size_t fsize;
+ size_t read;
+
+ fd = fopen(pathname, "r");
+ if (!fd) {
+ rc = errno;
+ goto out;
+ }
+
+ fseek(fd, 0, SEEK_END);
+ fsize = ftell(fd);
+ rewind(fd);
+
+ lbuf = malloc(fsize);
+ if (!lbuf) {
+ rc = ENOMEM;
+ goto out_close;
+ }
+
+ read = fread((void *)lbuf, sizeof(*lbuf), fsize, fd);
+ if (read != fsize) {
+ rc = -1;
+ goto out_free;
+ }
+
+ *buffer = lbuf;
+ *size = fsize;
+ fclose(fd);
+
+ return rc;
+
+out_free:
+ free(lbuf);
+out_close:
+ fclose(fd);
+out:
+ return rc;
+}
+
+static int write_boot_policy(const char *pathname, const char *buf, size_t size)
+{
+ FILE *fd;
+ size_t i;
+
+ fd = fopen(pathname, "w");
+ if (!fd)
+ goto err;
+
+ fprintf(fd, "/* This file is automatically generated.");
+ fprintf(fd, " Do not edit. */\n");
+ fprintf(fd, "#include <stddef.h>\n");
+ fprintf(fd, "const char *const ipe_boot_policy =\n");
+
+ if (!buf || size == 0) {
+ fprintf(fd, "\tNULL;\n");
+ fclose(fd);
+ return 0;
+ }
+
+ for (i = 0; i < size; ++i) {
+ if (i == 0)
+ fprintf(fd, "\t\"");
+
+ switch (buf[i]) {
+ case '"':
+ fprintf(fd, "\\\"");
+ break;
+ case '\'':
+ fprintf(fd, "'");
+ break;
+ case '\n':
+ fprintf(fd, "\\n\"\n\t\"");
+ break;
+ case '\\':
+ fprintf(fd, "\\\\");
+ break;
+ default:
+ fprintf(fd, "%c", buf[i]);
+ }
+ }
+ fprintf(fd, "\";\n");
+ fclose(fd);
+
+ return 0;
+
+err:
+ if (fd)
+ fclose(fd);
+ return errno;
+}
+
+int main(int argc, const char *argv[])
+{
+ int rc = 0;
+ size_t len = 0;
+ char *policy = NULL;
+
+ if (argc < 2)
+ usage(argv[0]);
+
+ if (argc > 2) {
+ rc = policy_to_buffer(argv[2], &policy, &len);
+ if (rc != 0)
+ goto cleanup;
+ }
+
+ rc = write_boot_policy(argv[1], policy, len);
+cleanup:
+ if (policy)
+ free(policy);
+ if (rc != 0)
+ perror("An error occurred during policy conversion: ");
+ return rc;
+}
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 01/12] scripts: add ipe tooling to generate boot policy
@ 2020-04-06 22:14 ` deven.desai
0 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: sashal, pasha.tatashin, mdsakib, linux-kernel, nramas, tyhicks,
jaskarankhurana
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add a tool for the generation of an IPE policy to be compiled into the
kernel. This policy will be enforced until userland deploys and activates
a new policy.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
MAINTAINERS | 6 ++
scripts/Makefile | 1 +
scripts/ipe/Makefile | 2 +
scripts/ipe/polgen/.gitignore | 1 +
scripts/ipe/polgen/Makefile | 7 ++
scripts/ipe/polgen/polgen.c | 136 ++++++++++++++++++++++++++++++++++
6 files changed, 153 insertions(+)
create mode 100644 scripts/ipe/Makefile
create mode 100644 scripts/ipe/polgen/.gitignore
create mode 100644 scripts/ipe/polgen/Makefile
create mode 100644 scripts/ipe/polgen/polgen.c
diff --git a/MAINTAINERS b/MAINTAINERS
index eeff55560759..0462644271aa 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8437,6 +8437,12 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
S: Supported
F: security/integrity/ima/
+INTEGRITY POLICY ENFORCEMENT (IPE)
+M: Deven Bowers <deven.desai@linux.microsoft.com>
+L: linux-integrity@vger.kernel.org
+S: Supported
+F: scripts/ipe/
+
INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <adaplas@gmail.com>
L: linux-fbdev@vger.kernel.org
diff --git a/scripts/Makefile b/scripts/Makefile
index 5e75802b1a44..9338017a3b6e 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -38,6 +38,7 @@ hostprogs += unifdef
subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins
subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+subdir-$(CONFIG_SECURITY_IPE) += ipe
# Let clean descend into subdirs
subdir- += basic dtc gdb kconfig mod
diff --git a/scripts/ipe/Makefile b/scripts/ipe/Makefile
new file mode 100644
index 000000000000..e87553fbb8d6
--- /dev/null
+++ b/scripts/ipe/Makefile
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0-only
+subdir-y := polgen
diff --git a/scripts/ipe/polgen/.gitignore b/scripts/ipe/polgen/.gitignore
new file mode 100644
index 000000000000..80f32f25d200
--- /dev/null
+++ b/scripts/ipe/polgen/.gitignore
@@ -0,0 +1 @@
+polgen
diff --git a/scripts/ipe/polgen/Makefile b/scripts/ipe/polgen/Makefile
new file mode 100644
index 000000000000..a519b594e13c
--- /dev/null
+++ b/scripts/ipe/polgen/Makefile
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0
+hostprogs-y := polgen
+HOST_EXTRACFLAGS += \
+ -I$(srctree)/include \
+ -I$(srctree)/include/uapi \
+
+always := $(hostprogs-y)
diff --git a/scripts/ipe/polgen/polgen.c b/scripts/ipe/polgen/polgen.c
new file mode 100644
index 000000000000..a80fffe1b27c
--- /dev/null
+++ b/scripts/ipe/polgen/polgen.c
@@ -0,0 +1,136 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include <stdlib.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+
+static void usage(const char *const name)
+{
+ printf("Usage: %s OutputFile (PolicyFile)\n", name);
+ exit(EINVAL);
+}
+
+static int policy_to_buffer(const char *pathname, char **buffer, size_t *size)
+{
+ int rc = 0;
+ FILE *fd;
+ char *lbuf;
+ size_t fsize;
+ size_t read;
+
+ fd = fopen(pathname, "r");
+ if (!fd) {
+ rc = errno;
+ goto out;
+ }
+
+ fseek(fd, 0, SEEK_END);
+ fsize = ftell(fd);
+ rewind(fd);
+
+ lbuf = malloc(fsize);
+ if (!lbuf) {
+ rc = ENOMEM;
+ goto out_close;
+ }
+
+ read = fread((void *)lbuf, sizeof(*lbuf), fsize, fd);
+ if (read != fsize) {
+ rc = -1;
+ goto out_free;
+ }
+
+ *buffer = lbuf;
+ *size = fsize;
+ fclose(fd);
+
+ return rc;
+
+out_free:
+ free(lbuf);
+out_close:
+ fclose(fd);
+out:
+ return rc;
+}
+
+static int write_boot_policy(const char *pathname, const char *buf, size_t size)
+{
+ FILE *fd;
+ size_t i;
+
+ fd = fopen(pathname, "w");
+ if (!fd)
+ goto err;
+
+ fprintf(fd, "/* This file is automatically generated.");
+ fprintf(fd, " Do not edit. */\n");
+ fprintf(fd, "#include <stddef.h>\n");
+ fprintf(fd, "const char *const ipe_boot_policy =\n");
+
+ if (!buf || size == 0) {
+ fprintf(fd, "\tNULL;\n");
+ fclose(fd);
+ return 0;
+ }
+
+ for (i = 0; i < size; ++i) {
+ if (i == 0)
+ fprintf(fd, "\t\"");
+
+ switch (buf[i]) {
+ case '"':
+ fprintf(fd, "\\\"");
+ break;
+ case '\'':
+ fprintf(fd, "'");
+ break;
+ case '\n':
+ fprintf(fd, "\\n\"\n\t\"");
+ break;
+ case '\\':
+ fprintf(fd, "\\\\");
+ break;
+ default:
+ fprintf(fd, "%c", buf[i]);
+ }
+ }
+ fprintf(fd, "\";\n");
+ fclose(fd);
+
+ return 0;
+
+err:
+ if (fd)
+ fclose(fd);
+ return errno;
+}
+
+int main(int argc, const char *argv[])
+{
+ int rc = 0;
+ size_t len = 0;
+ char *policy = NULL;
+
+ if (argc < 2)
+ usage(argv[0]);
+
+ if (argc > 2) {
+ rc = policy_to_buffer(argv[2], &policy, &len);
+ if (rc != 0)
+ goto cleanup;
+ }
+
+ rc = write_boot_policy(argv[1], policy, len);
+cleanup:
+ if (policy)
+ free(policy);
+ if (rc != 0)
+ perror("An error occurred during policy conversion: ");
+ return rc;
+}
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 02/12] security: add ipe lsm evaluation loop and audit system
2020-04-06 22:14 ` deven.desai
(?)
(?)
@ 2020-04-06 22:14 ` deven.desai
2020-04-07 12:13 ` Jann Horn
-1 siblings, 1 reply; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add the core logic of the IPE LSM, the evaluation loop (engine),
the audit system, and the skeleton of the policy structure.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
MAINTAINERS | 1 +
include/uapi/linux/audit.h | 4 +
security/Kconfig | 12 +-
security/Makefile | 2 +
security/ipe/.gitignore | 2 +
security/ipe/Kconfig | 41 ++++
security/ipe/Makefile | 26 +++
security/ipe/ipe-audit.c | 313 ++++++++++++++++++++++++++++
security/ipe/ipe-audit.h | 76 +++++++
security/ipe/ipe-engine.c | 346 +++++++++++++++++++++++++++++++
security/ipe/ipe-engine.h | 49 +++++
security/ipe/ipe-hooks.c | 151 ++++++++++++++
security/ipe/ipe-hooks.h | 114 ++++++++++
security/ipe/ipe-policy.h | 62 ++++++
security/ipe/ipe-prop-internal.h | 43 ++++
security/ipe/ipe-property.c | 112 ++++++++++
security/ipe/ipe-property.h | 159 ++++++++++++++
security/ipe/ipe-sysfs.c | 115 ++++++++++
security/ipe/ipe-sysfs.h | 21 ++
security/ipe/ipe.c | 99 +++++++++
security/ipe/ipe.h | 20 ++
21 files changed, 1762 insertions(+), 6 deletions(-)
create mode 100644 security/ipe/.gitignore
create mode 100644 security/ipe/Kconfig
create mode 100644 security/ipe/Makefile
create mode 100644 security/ipe/ipe-audit.c
create mode 100644 security/ipe/ipe-audit.h
create mode 100644 security/ipe/ipe-engine.c
create mode 100644 security/ipe/ipe-engine.h
create mode 100644 security/ipe/ipe-hooks.c
create mode 100644 security/ipe/ipe-hooks.h
create mode 100644 security/ipe/ipe-policy.h
create mode 100644 security/ipe/ipe-prop-internal.h
create mode 100644 security/ipe/ipe-property.c
create mode 100644 security/ipe/ipe-property.h
create mode 100644 security/ipe/ipe-sysfs.c
create mode 100644 security/ipe/ipe-sysfs.h
create mode 100644 security/ipe/ipe.c
create mode 100644 security/ipe/ipe.h
diff --git a/MAINTAINERS b/MAINTAINERS
index 0462644271aa..ab9adcd37a0c 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8442,6 +8442,7 @@ M: Deven Bowers <deven.desai@linux.microsoft.com>
L: linux-integrity@vger.kernel.org
S: Supported
F: scripts/ipe/
+F: security/ipe/
INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <adaplas@gmail.com>
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index a534d71e689a..4e0122a0ed0c 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -153,6 +153,10 @@
#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
#define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
+#define AUDIT_INTEGRITY_POLICY_LOAD 1808 /* IPE Policy Load */
+#define AUDIT_INTEGRITY_POLICY_ACTIVATE 1809 /* IPE Policy Activation */
+#define AUDIT_INTEGRITY_EVENT 1810 /* IPE Evaluation Event */
+#define AUDIT_INTEGRITY_MODE 1811 /* IPE Mode Switch */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
diff --git a/security/Kconfig b/security/Kconfig
index cd3cc7da3a55..94924556b637 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -238,6 +238,7 @@ source "security/loadpin/Kconfig"
source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
+source "security/ipe/Kconfig"
source "security/integrity/Kconfig"
@@ -277,11 +278,11 @@ endchoice
config LSM
string "Ordered list of enabled LSMs"
- default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
- default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
- default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
- default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
- default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
+ default "lockdown,yama,loadpin,ipe,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
+ default "lockdown,yama,loadpin,ipe,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
+ default "lockdown,yama,loadpin,ipe,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
+ default "lockdown,yama,loadpin,ipe,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
+ default "lockdown,yama,loadpin,ipe,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored. This can be
@@ -292,4 +293,3 @@ config LSM
source "security/Kconfig.hardening"
endmenu
-
diff --git a/security/Makefile b/security/Makefile
index 22e73a3482bd..f2e1ae9ff64b 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -13,6 +13,7 @@ subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
subdir-$(CONFIG_BPF_LSM) += bpf
+subdir-$(CONFIG_SECURITY_IPE) += ipe
# always enable default capabilities
obj-y += commoncap.o
@@ -30,6 +31,7 @@ obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
+obj-$(CONFIG_SECURITY_IPE) += ipe/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
diff --git a/security/ipe/.gitignore b/security/ipe/.gitignore
new file mode 100644
index 000000000000..bbf824e665d7
--- /dev/null
+++ b/security/ipe/.gitignore
@@ -0,0 +1,2 @@
+# Generated Boot Policy
+ipe-bp.c
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644
index 000000000000..0c67cd049d0c
--- /dev/null
+++ b/security/ipe/Kconfig
@@ -0,0 +1,41 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+ bool "Integrity Policy Enforcement (IPE)"
+ depends on SECURITY && AUDIT
+ select SYSTEM_DATA_VERIFICATION
+ help
+ This option enables the Integrity Policy Enforcement subsystem,
+ allowing systems to enforce integrity requirements on various
+ aspects of user-mode applications. These requirements are
+ controlled by a policy.
+
+ If unsure, answer N.
+
+if SECURITY_IPE
+
+config SECURITY_IPE_BOOT_POLICY
+ string "Integrity policy to apply on system startup"
+ help
+ This option specifies a filepath to a IPE policy that is compiled
+ into the kernel. This policy will be enforced until a policy update
+ is deployed via the "ipe.policy" sysctl.
+
+ If unsure, leave blank.
+
+config SECURITY_IPE_PERMISSIVE_SWITCH
+ bool "Enable the ability to switch IPE to permissive mode"
+ default y
+ help
+ This option enables two ways of switching IPE to permissive mode,
+ a sysctl (if enabled), `ipe.enforce`, or a kernel command line
+ parameter, `ipe.enforce`. If either of these are set to 0, files
+ will be subject to IPE's policy, audit messages will be logged, but
+ the policy will not be enforced.
+
+ If unsure, answer Y.
+
+endif
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
new file mode 100644
index 000000000000..aaa2e2c0b2f4
--- /dev/null
+++ b/security/ipe/Makefile
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the IPE module as part of the kernel tree.
+#
+
+quiet_cmd_polgen = IPE_POL $(patsubst "%",%,$(2))
+ cmd_polgen = scripts/ipe/polgen/polgen security/ipe/ipe-bp.c $(2)
+
+$(eval $(call config_filename,SECURITY_IPE_BOOT_POLICY))
+
+targets += ipe-bp.c
+$(obj)/ipe-bp.c: scripts/ipe/polgen/polgen $(SECURITY_IPE_BOOT_POLICY_FILENAME) FORCE
+ $(call if_changed,polgen,$(SECURITY_IPE_BOOT_POLICY_FILENAME))
+
+obj-$(CONFIG_SECURITY_IPE) += \
+ ipe.o \
+ ipe-audit.o \
+ ipe-bp.o \
+ ipe-engine.o \
+ ipe-property.o \
+ ipe-hooks.o \
+ ipe-sysfs.o \
+
+clean-files := ipe-bp.c
diff --git a/security/ipe/ipe-audit.c b/security/ipe/ipe-audit.c
new file mode 100644
index 000000000000..f83beff1054f
--- /dev/null
+++ b/security/ipe/ipe-audit.c
@@ -0,0 +1,313 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-audit.h"
+#include "ipe-engine.h"
+#include "ipe-prop-internal.h"
+
+#include <linux/types.h>
+#include <linux/audit.h>
+#include <linux/rcupdate.h>
+#include <linux/lsm_audit.h>
+#include <linux/rbtree.h>
+#include <crypto/hash.h>
+#include <crypto/sha1_base.h>
+
+#define ACTION_STR(a) ((a) == ipe_action_allow ? "ALLOW" : "DENY")
+
+#define POLICY_LOAD_FSTR "IPE policy_name=\"%s\" policy_version=%hu.%hu.%hu sha1="
+#define POLICY_ACTIVATE_STR "IPE policy_name=\"%s\" policy_version=%hu.%hu.%hu"
+#define IPE_UNKNOWN "UNKNOWN"
+
+/* Keep in sync with ipe_op in ipe-hooks.h */
+const char *audit_op_names[] = {
+ IPE_OP_EXECUTE,
+ IPE_OP_FIRMWARE,
+ IPE_OP_KEXEC_IMAGE,
+ IPE_OP_KEXEC_INITRAMFS,
+ IPE_OP_X509_CERTIFICATE,
+ IPE_OP_POLICY,
+ IPE_OP_KMODULE,
+ IPE_OP_KERNEL_READ,
+ IPE_UNKNOWN,
+};
+
+/* Keep in sync with ipe_hook in ipe-hooks.h */
+const char *audit_hook_names[] = {
+ IPE_HOOK_EXEC,
+ IPE_HOOK_MMAP,
+ IPE_HOOK_MPROTECT,
+ IPE_HOOK_KERNEL_READ,
+ IPE_HOOK_KERNEL_LOAD,
+ IPE_UNKNOWN,
+};
+
+/**
+ * ipe_audit_mode: Emit an audit event indicating what mode IPE is currently
+ * in.
+ *
+ * This event is of form "IPE mode=(enforce|audit)"
+ */
+void ipe_audit_mode(void)
+{
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
+ AUDIT_INTEGRITY_MODE);
+ if (!ab)
+ return;
+
+ audit_log_format(ab, "IPE mode=%s", (enforce) ? IPE_MODE_ENFORCE :
+ IPE_MODE_PERMISSIVE);
+
+ audit_log_end(ab);
+}
+
+/**
+ * audit_engine_ctx: Add the string representation of ipe_engine_ctx to the
+ * end of an audit buffer.
+ * @ab: the audit buffer to append the string representation of @ctx
+ * @ctx: the ipe_engine_ctx structure to transform into a string
+ * representation
+ *
+ * This string representation is of form:
+ * "ctx_pid=%d ctx_op=%s ctx_hook=%s ctx_comm=%s ctx_audit_pathname=%s ctx_ino=%ld ctx_dev=%s"
+ *
+ * Certain fields may be omitted or replaced with ERR(%d).
+ *
+ */
+static void audit_engine_ctx(struct audit_buffer *ab,
+ const struct ipe_engine_ctx *ctx)
+{
+ audit_log_format(ab, "ctx_pid=%d ctx_op=%s ctx_hook=%s ctx_comm=",
+ task_tgid_nr(current),
+ audit_op_names[ctx->op],
+ audit_hook_names[ctx->hook]);
+
+ audit_log_untrustedstring(ab, current->comm);
+
+ if (ctx->file) {
+ if (IS_ERR(ctx->audit_pathname)) {
+ audit_log_format(ab, " ctx_audit_pathname=ERR(%ld) ",
+ PTR_ERR(ctx->audit_pathname));
+ } else {
+ audit_log_format(ab, " ctx_audit_pathname=\"%s\" ",
+ ctx->audit_pathname);
+ }
+
+ audit_log_format(ab, "ctx_ino=%ld ctx_dev=%s",
+ ctx->file->f_inode->i_ino,
+ ctx->file->f_inode->i_sb->s_id);
+ }
+}
+
+/**
+ * audit_eval_properties: Append the string representation of evaluated
+ * properties to an audit buffer.
+ * @ab: the audit buffer to append the string representation of the evaluated
+ * properties.
+ * @ctx: the ipe_engine_ctx structure to pass to property audit function.
+ * @vals: The root of the red-black tree that is the per-evaluation
+ * cache for IPE's properties.
+ *
+ * This string representation is of form:
+ * "prop_key1=value1 prop_key2=value2 ... "
+ *
+ * Certain values may be replaced with ERR(%d). Prop may also be empty,
+ * and thus omitted entirely.
+ *
+ */
+static void audit_eval_properties(struct audit_buffer *ab,
+ const struct ipe_engine_ctx *ctx,
+ const struct rb_root *vals)
+{
+ struct rb_node *node;
+ struct ipe_prop_cache *val;
+
+ for (node = rb_first(vals); node; node = rb_next(node)) {
+ val = container_of(node, struct ipe_prop_cache, node);
+
+ audit_log_format(ab, "prop_%s=", val->prop->property_name);
+
+ val->prop->ctx_audit(ab, ctx, val->storage);
+
+ audit_log_format(ab, " ");
+ }
+}
+
+/**
+ * audit_rule: Add the string representation of a non-default IPE rule to the
+ * end of an audit buffer.
+ * @ab: the audit buffer to append the string representation of a rule.
+ * @rule: the ipe_rule structure to transform into a string representation.
+ *
+ * This string representation is of form:
+ * "rule={op=%s key1=value1 key2=value2 ... action=%s}"
+ *
+ * Certain values may be replaced with ERR(%d). Prop may also be empty.
+ *
+ */
+static void audit_rule(struct audit_buffer *ab,
+ const struct ipe_rule *rule)
+{
+ struct ipe_prop_container *ptr;
+
+ audit_log_format(ab, "rule=\"op=%s ", audit_op_names[rule->op]);
+
+ list_for_each_entry(ptr, &rule->props, next) {
+ audit_log_format(ab, "%s=", ptr->prop->property_name);
+
+ ptr->prop->rule_audit(ab, ptr->value);
+
+ audit_log_format(ab, " ");
+ }
+
+ audit_log_format(ab, "action=%s\"", ACTION_STR(rule->action));
+}
+
+/**
+ * ipe_audit_match: Emit an audit event indicating that the IPE engine has
+ * determined a match to a rule in IPE policy.
+ * @ctx: the engine context structure to audit
+ * @vals: The root of the red-black tree that is the per-evaluation
+ * cache for IPE's properties.
+ * @rule: The rule that was matched. If NULL, then assumed to be a default
+ * either operation specific, indicated by table, or global.
+ * @table: the operation-specific rule table. If NULL, then it assumed
+ * that the global default is matched.
+ * @match_type: The type of match that the engine used during evaluation
+ * @action: The action that the engine decided to take
+ * @rule: The rule that was matched. Must be set if @match_type is
+ * ipe_match_rule and NULL otherwise.
+ */
+void ipe_audit_match(const struct ipe_engine_ctx *ctx,
+ const struct rb_root *vals, enum ipe_match match_type,
+ enum ipe_action action, const struct ipe_rule *rule)
+{
+ struct audit_buffer *ab;
+
+ if (!success_audit && action == ipe_action_allow)
+ return;
+
+ ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
+ AUDIT_INTEGRITY_EVENT);
+ if (!ab)
+ return;
+
+ audit_log_format(ab, "IPE ");
+
+ audit_engine_ctx(ab, ctx);
+
+ audit_log_format(ab, " ");
+
+ audit_eval_properties(ab, ctx, vals);
+
+ if (match_type == ipe_match_rule)
+ audit_rule(ab, rule);
+ else if (match_type == ipe_match_table)
+ audit_log_format(ab, "rule=\"DEFAULT op=%s action=%s\"",
+ audit_op_names[ctx->op], ACTION_STR(action));
+ else if (match_type == ipe_match_global)
+ audit_log_format(ab, "rule=\"DEFAULT action=%s\"",
+ ACTION_STR(action));
+
+ audit_log_end(ab);
+}
+
+/**
+ * ipe_audit_policy_load: Emit an audit event that an IPE policy has been
+ * loaded, with the name of the policy, the policy
+ * version triple, and a flat hash of the content.
+ * @pol: The parsed policy to derive the policy_name and policy_version
+ * triple.
+ * @raw: The raw content that was passed to the ipe.policy sysctl to derive
+ * the sha1 hash.
+ * @raw_size: the length of @raw.
+ * @tfm: shash structure allocated by the caller, used to fingerprint the
+ * policy being deployed
+ */
+void ipe_audit_policy_load(const struct ipe_policy *pol, const uint8_t *raw,
+ size_t raw_size, struct crypto_shash *tfm)
+{
+ int rc = 0;
+ struct audit_buffer *ab;
+ u8 digest[SHA1_DIGEST_SIZE];
+ SHASH_DESC_ON_STACK(desc, tfm);
+
+ ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
+ AUDIT_INTEGRITY_POLICY_LOAD);
+ if (!ab)
+ return;
+
+ audit_log_format(ab, POLICY_LOAD_FSTR, pol->policy_name,
+ pol->policy_version.major, pol->policy_version.minor,
+ pol->policy_version.rev);
+
+ desc->tfm = tfm;
+
+ if (crypto_shash_init(desc) != 0)
+ goto err;
+
+ if (crypto_shash_update(desc, raw, raw_size) != 0)
+ goto err;
+
+ if (crypto_shash_final(desc, digest) != 0)
+ goto err;
+
+ audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm));
+
+err:
+ if (rc != 0)
+ audit_log_format(ab, "ERR(%d)", rc);
+
+ audit_log_end(ab);
+}
+
+/**
+ * ipe_audit_unset_remap: Emit an warning indicating that the operation
+ * represented by @op is unset and will implicitly
+ * allow everything under that op.
+ * @op: the operation to emit an audit message for.
+ */
+void ipe_audit_unset_remap(enum ipe_op op)
+{
+ pr_warn("op=%s default was unset, remapping to \"DEFAULT op=%s action=ALLOW\" for compatibility",
+ audit_op_names[op],
+ audit_op_names[op]);
+}
+
+/**
+ * ipe_audit_ignore_line: Emit a warning that the line was not understood by
+ * IPE's parser and the line will be ignored and not
+ * parsed.
+ * @line_num: line number that is being ignored.
+ */
+void ipe_audit_ignore_line(size_t i)
+{
+ pr_warn("failed to parse line number %zu, ignoring", i);
+}
+
+/**
+ * ipe_audit_policy_activation: Emit an audit event that a specific policy
+ * was activated as the active policy.
+ * @pol: policy that is being activated
+ */
+void ipe_audit_policy_activation(const struct ipe_policy *pol)
+{
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
+ AUDIT_INTEGRITY_POLICY_ACTIVATE);
+
+ if (!ab)
+ return;
+
+ audit_log_format(ab, POLICY_ACTIVATE_STR, pol->policy_name,
+ pol->policy_version.major, pol->policy_version.minor,
+ pol->policy_version.rev);
+
+ audit_log_end(ab);
+}
diff --git a/security/ipe/ipe-audit.h b/security/ipe/ipe-audit.h
new file mode 100644
index 000000000000..adb427e0e027
--- /dev/null
+++ b/security/ipe/ipe-audit.h
@@ -0,0 +1,76 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe-engine.h"
+#include "ipe-policy.h"
+
+#ifndef IPE_AUDIT_H
+#define IPE_AUDIT_H
+
+/**
+ * ipe_audit_mode: Emit an audit event indicating what mode IPE is current in.
+ *
+ * This event is of form "IPE mode=(enforce|audit)"
+ */
+void ipe_audit_mode(void);
+
+/**
+ * ipe_audit_match: Emit an audit event indicating that the IPE engine has
+ * determined a match to a rule in IPE policy.
+ * @ctx: the engine context structure to audit
+ * @vals: The root of the red-black tree that is the per-evaluation
+ * cache for IPE's properties.
+ * @rule: The rule that was matched. If NULL, then assumed to be a default
+ * either operation specific, indicated by table, or global.
+ * @table: the operation-specific rule table. If NULL, then it assumed
+ * that the global default is matched.
+ * @match_type: The type of match that the engine used during evaluation
+ * @action: The action that the engine decided to take
+ * @rule: The rule that was matched. Must be set if @match_type is
+ * ipe_match_rule and NULL otherwise.
+ */
+void ipe_audit_match(const struct ipe_engine_ctx *ctx,
+ const struct rb_root *vals, enum ipe_match match_type,
+ enum ipe_action action, const struct ipe_rule *rule);
+
+/**
+ * ipe_audit_policy_load: Emit an audit event that an IPE policy has been
+ * loaded, with the name of the policy, the policy
+ * version triple, and a flat hash of the content.
+ * @pol: The parsed policy to derive the policy_name and policy_version
+ * triple.
+ * @raw: The raw content that was passed to the ipe.policy sysctl to derive
+ * the sha1 hash.
+ * @raw_size: the length of @raw.
+ * @tfm: shash structure allocated by the caller, used to fingerprint the
+ * policy being deployed
+ */
+void ipe_audit_policy_load(const struct ipe_policy *pol, const uint8_t *raw,
+ size_t raw_size, struct crypto_shash *tfm);
+
+/**
+ * ipe_audit_unset_remap: Emit an warning indicating that the operation
+ * represented by @op is unset and will implicitly
+ * allow everything under that op.
+ * @op: the operation to emit an audit message for.
+ */
+void ipe_audit_unset_remap(enum ipe_op op);
+
+/**
+ * ipe_audit_ignore_line: Emit a warning that the line was not understood by
+ * IPE's parser and the line will be ignored and not
+ * parsed.
+ * @line_num: line number that is being ignored.
+ */
+void ipe_audit_ignore_line(size_t line_num);
+
+/**
+ * ipe_audit_policy_activation: Emit an audit event that a specific policy
+ * was activated as the active policy.
+ * @pol: policy that is being activated
+ */
+void ipe_audit_policy_activation(const struct ipe_policy *pol);
+
+#endif /* IPE_AUDIT_H */
diff --git a/security/ipe/ipe-engine.c b/security/ipe/ipe-engine.c
new file mode 100644
index 000000000000..9df17ebc1a01
--- /dev/null
+++ b/security/ipe/ipe-engine.c
@@ -0,0 +1,346 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-property.h"
+#include "ipe-prop-internal.h"
+#include "ipe-policy.h"
+#include "ipe-engine.h"
+#include "ipe-audit.h"
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/list.h>
+#include <linux/rbtree.h>
+#include <linux/rcupdate.h>
+#include <linux/security.h>
+
+const struct ipe_policy *ipe_active_policy;
+
+/**
+ * get_audit_pathname: Return the absolute path of the file struct passed in
+ * @file: file to derive an absolute path from.
+ *
+ * This function walks past chroots and mount points.
+ *
+ * Return:
+ * !NULL - OK
+ * ERR_PTR(-ENOENT) - No File
+ * ERR_PTR(-ENOMEM) - No Memory
+ * ERR_PTR(-ENAMETOOLONG) - Path Exceeds PATH_MAX
+ */
+static char *get_audit_pathname(const struct file *file)
+{
+ int rc = 0;
+ char *pos = NULL;
+ char *pathbuf = NULL;
+ struct super_block *sb;
+ char *temp_path = NULL;
+
+ /* No File to get Path From */
+ if (!file) {
+ rc = -ENOENT;
+ goto err;
+ }
+
+ sb = file->f_path.dentry->d_sb;
+
+ pathbuf = __getname();
+ if (!pathbuf) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ pos = d_absolute_path(&file->f_path, pathbuf, PATH_MAX);
+ if (IS_ERR(pos)) {
+ rc = PTR_ERR(pos);
+ goto err;
+ }
+
+ temp_path = __getname();
+ if (!temp_path) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ strlcpy(temp_path, pos, PATH_MAX);
+
+ if (pathbuf)
+ __putname(pathbuf);
+
+ return temp_path;
+err:
+ if (pathbuf)
+ __putname(pathbuf);
+ if (temp_path)
+ __putname(temp_path);
+
+ return ERR_PTR(rc);
+}
+
+/**
+ * free_ctx: free a previously allocated ipe_engine_ctx struct
+ * @ctx: structure to allocate.
+ *
+ * The caller is required to free @ctx, if previously allocated.
+ */
+static void free_ctx(struct ipe_engine_ctx *ctx)
+{
+ if (IS_ERR_OR_NULL(ctx))
+ return;
+
+ if (!IS_ERR_OR_NULL(ctx->audit_pathname))
+ __putname(ctx->audit_pathname);
+
+ kfree(ctx);
+}
+
+/**
+ * build_ctx: allocate a new ipe_engine_ctx structure
+ * @file: File that is being evaluated against IPE policy.
+ * @op: Operation that the file is being evaluated against.
+ * @hook: Specific hook that the file is being evaluated through.
+ *
+ * Return:
+ * !NULL - OK
+ * ERR_PTR(-ENOMEM) - no memory
+ */
+static struct ipe_engine_ctx *build_ctx(const struct file *file,
+ enum ipe_op op, enum ipe_hook hook)
+{
+ struct ipe_engine_ctx *local;
+
+ local = kzalloc(sizeof(*local), GFP_KERNEL);
+ if (!local)
+ return ERR_PTR(-ENOMEM);
+
+ /* if there's an error here, it's O.K. */
+ local->audit_pathname = get_audit_pathname(file);
+ local->file = file;
+ local->op = op;
+ local->hook = hook;
+
+ return local;
+}
+
+/**
+ * insert_or_find_cache: Create a node in a for a property if it does not exist,
+ * If it does exist, then return that node.
+ * @cache: the red-black tree root to create a tree around.
+ * @prop: the property to create a node for.
+ * @rv: ERR_PTR or the ipe_prop_cache structure that was inserted into the
+ * tree.
+ *
+ * These nodes are used to be as a cache for properties to store expensive
+ * evaluation results
+ *
+ * Return:
+ * -ENOMEM: (No Memory)
+ */
+static
+struct ipe_prop_cache *insert_or_find_cache(struct rb_root *cache,
+ const struct ipe_property *prop)
+{
+ struct rb_node *parent = NULL;
+ struct rb_node **new = &cache->rb_node;
+ struct ipe_prop_cache *new_data = NULL;
+
+ while (*new) {
+ int r;
+ struct ipe_prop_cache *n =
+ container_of(*new, struct ipe_prop_cache, node);
+
+ parent = *new;
+
+ r = strcmp(prop->property_name, n->prop->property_name);
+ if (r == 0)
+ return n;
+ else if (r > 0)
+ new = &((*new)->rb_right);
+ else
+ new = &((*new)->rb_left);
+ }
+
+ new_data = kzalloc(sizeof(*new_data), GFP_KERNEL);
+ if (!new_data)
+ return ERR_PTR(-ENOMEM);
+
+ new_data->prop = prop;
+
+ rb_link_node(&new_data->node, parent, new);
+ rb_insert_color(&new_data->node, cache);
+
+ return new_data;
+}
+
+/**
+ * destroy_cache: dellocate an entire cache tree, where each node was
+ * created via `insert_or_find_cache`.
+ * @cache: the red-black tree root containing the structure to destroy.
+ *
+ * This function invalidates @cache, as the nodes are not removed from
+ * the tree.
+ */
+static void destroy_cache(struct rb_root *cache)
+{
+ struct ipe_prop_cache *ptr, *n;
+
+ rbtree_postorder_for_each_entry_safe(ptr, n, cache, node) {
+ if (ptr->prop->free_storage)
+ ptr->prop->free_storage(&ptr->storage);
+ kfree(ptr);
+ }
+}
+
+/**
+ * prealloc_cache: preallocate the cache tree for all ipe properties, so
+ * that this data maybe used later in the read side critical
+ * section.
+ * @ctx: Ipe engine context structure passed to the property prealloc function.
+ * @cache: Root of the cache tree to insert nodes under.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOMEM - Out of memory
+ * Other - See individual property preallocator functions.
+ */
+static int prealloc_cache(struct ipe_engine_ctx *ctx,
+ struct rb_root *cache)
+{
+ int rc = 0;
+ struct rb_node *node;
+ struct ipe_prop_reg *reg;
+ struct ipe_prop_cache *storage;
+
+ for (node = rb_first(&ipe_registry_root); node; node = rb_next(node)) {
+ reg = container_of(node, struct ipe_prop_reg, node);
+
+ storage = insert_or_find_cache(cache, reg->prop);
+ if (IS_ERR(storage))
+ return PTR_ERR(storage);
+
+ if (reg->prop->prealloc) {
+ rc = reg->prop->prealloc(ctx, &storage->storage);
+ if (rc != 0)
+ return rc;
+ }
+ }
+
+ return rc;
+}
+
+/**
+ * evaluate: Process an @ctx against IPE's current active policy.
+ * @ctx: the engine ctx to perform an evaluation on.
+ * @cache: the red-black tree root that is used for cache storage.
+ *
+ * This uses a preallocated @cache as storage for the properties to avoid
+ * re-evaulation.
+ *
+ * Return:
+ * -EACCES - A match occurred against a "action=DENY" rule
+ * -ENOMEM - Out of memory
+ */
+static int evaluate(struct ipe_engine_ctx *ctx, struct rb_root *cache)
+{
+ int rc = 0;
+ bool match = false;
+ enum ipe_action action;
+ struct ipe_prop_cache *c;
+ enum ipe_match match_type;
+ const struct ipe_rule *rule;
+ const struct ipe_policy *pol;
+ const struct ipe_rule_table *rules;
+ const struct ipe_prop_container *prop;
+
+ if (!ipe_active_policy)
+ return rc;
+
+ rcu_read_lock();
+
+ pol = rcu_dereference(ipe_active_policy);
+
+ rules = &pol->ops[ctx->op];
+
+ list_for_each_entry(rule, &rules->rules, next) {
+ match = true;
+
+ list_for_each_entry(prop, &rule->props, next) {
+ void *cache = NULL;
+
+ if (prop->prop->prealloc) {
+ c = insert_or_find_cache(cache, prop->prop);
+ if (IS_ERR(c))
+ return PTR_ERR(c);
+
+ cache = c->storage;
+ }
+
+ match = match && prop->prop->eval(ctx, prop->value,
+ &cache);
+ }
+
+ if (match)
+ break;
+ }
+
+ if (match) {
+ match_type = ipe_match_rule;
+ action = rule->action;
+ } else if (rules->def != ipe_action_unset) {
+ match_type = ipe_match_table;
+ action = rules->def;
+ rule = NULL;
+ } else {
+ match_type = ipe_match_global;
+ action = pol->def;
+ rule = NULL;
+ }
+
+ ipe_audit_match(ctx, cache, match_type, action, rule);
+
+ if (action == ipe_action_deny)
+ rc = -EACCES;
+
+ if (enforce == 0)
+ rc = 0;
+
+ rcu_read_unlock();
+ return rc;
+}
+
+/**
+ * ipe_process_event: Perform an evaluation of @file, @op, and @hook against
+ * IPE's current active policy.
+ * @file: File that is being evaluated against IPE policy.
+ * @op: Operation that the file is being evaluated against.
+ * @hook: Specific hook that the file is being evaluated through.
+ *
+ * Return:
+ * -ENOMEM: (No Memory)
+ * -EACCES: (A match occurred against a "action=DENY" rule)
+ */
+int ipe_process_event(const struct file *file, enum ipe_op op,
+ enum ipe_hook hook)
+{
+ int rc = 0;
+ struct ipe_engine_ctx *ctx;
+ struct rb_root cache = RB_ROOT;
+
+ ctx = build_ctx(file, op, hook);
+ if (IS_ERR(ctx))
+ goto cleanup;
+
+ rc = prealloc_cache(ctx, &cache);
+ if (rc != 0)
+ goto cleanup;
+
+ rc = evaluate(ctx, &cache);
+
+cleanup:
+ free_ctx(ctx);
+ destroy_cache(&cache);
+ return rc;
+}
diff --git a/security/ipe/ipe-engine.h b/security/ipe/ipe-engine.h
new file mode 100644
index 000000000000..3f7c471929e2
--- /dev/null
+++ b/security/ipe/ipe-engine.h
@@ -0,0 +1,49 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe-hooks.h"
+
+#include <linux/types.h>
+#include <linux/rbtree.h>
+#include <linux/fs.h>
+
+#ifndef IPE_ENGINE_H
+#define IPE_ENGINE_H
+
+struct ipe_engine_ctx {
+ enum ipe_op op;
+ enum ipe_hook hook;
+ const struct file *file;
+ const char *audit_pathname;
+};
+
+struct ipe_prop_cache {
+ struct rb_node node;
+ void *storage;
+ const struct ipe_property *prop;
+};
+
+enum ipe_match {
+ ipe_match_rule = 0,
+ ipe_match_table,
+ ipe_match_global
+};
+
+/**
+ * ipe_process_event: Perform an evaluation of @file, @op, and @hook against
+ * IPE's current active policy.
+ *
+ * @ctx: the engine ctx to perform an evaluation on.
+ * @cache: the red-black tree root that is used for cache storage.
+ * @rv: standard return code.
+ *
+ * Return:
+ * -ENOMEM: (No Memory)
+ * -EACCES: (A match occurred against a "action=DENY" rule)
+ */
+int ipe_process_event(const struct file *file, enum ipe_op op,
+ enum ipe_hook hook);
+
+#endif /* IPE_ENGINE_H */
diff --git a/security/ipe/ipe-hooks.c b/security/ipe/ipe-hooks.c
new file mode 100644
index 000000000000..a5d37b87c0cd
--- /dev/null
+++ b/security/ipe/ipe-hooks.c
@@ -0,0 +1,151 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-hooks.h"
+#include "ipe-engine.h"
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/binfmts.h>
+#include <linux/mount.h>
+#include <linux/mman.h>
+#include <linux/mm.h>
+#include <linux/security.h>
+
+#define HAS_EXEC(_p, _rp) (((_rp) & PROT_EXEC) || ((_p) & PROT_EXEC))
+
+/**
+ * ipe_on_exec: LSM hook called on the exec family of system calls.
+ * @bprm: A structure to hold arguments that are used when loading binaries,
+ * used to extract the file being executed.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_exec(struct linux_binprm *bprm)
+{
+ return ipe_process_event(bprm->file, ipe_op_execute, ipe_hook_exec);
+}
+
+/**
+ * ipe_on_mmap: LSM hook called on the mmap system call.
+ * @file: File being mapped into memory.
+ * @reqprot: Usermode requested protections on the memory region.
+ * @prot: A protection mapping of the memory region, calculated based on
+ * @reqprot, and the system configuration.
+ * @flags: Unused.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_mmap(struct file *file, unsigned long reqprot, unsigned long prot,
+ unsigned long flags)
+{
+ if (HAS_EXEC(reqprot, prot))
+ return ipe_process_event(file, ipe_op_execute, ipe_hook_mmap);
+
+ return 0;
+}
+
+/**
+ * ipe_on_mprotect: LSM hook called on the mprotect system call
+ * @vma: A structure representing the existing memory region.
+ * @reqprot: Usermode requested protections on the memory region.
+ * @prot: A protection mapping of the memory region, calculated based on
+ * @reqprot, and the system configuration.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
+ unsigned long prot)
+{
+ if (HAS_EXEC(reqprot, prot) && !(vma->vm_flags & VM_EXEC))
+ return ipe_process_event(vma->vm_file, ipe_op_execute,
+ ipe_hook_mprotect);
+
+ return 0;
+}
+
+/**
+ * ipe_on_kernel_read: LSM hook called on kernel_read_file.
+ * @file: File being read by the hook kernel_read_file.
+ * @id: Enumeration indicating the type of file being read.
+ *
+ * For more information, see the LSM hook, kernel_read_file.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id)
+{
+ switch (id) {
+ case READING_FIRMWARE:
+ case READING_FIRMWARE_PREALLOC_BUFFER:
+ return ipe_process_event(file, ipe_op_firmware,
+ ipe_hook_kernel_read);
+ case READING_MODULE:
+ return ipe_process_event(file, ipe_op_kmodule,
+ ipe_hook_kernel_read);
+ case READING_KEXEC_INITRAMFS:
+ return ipe_process_event(file, ipe_op_kexec_initramfs,
+ ipe_hook_kernel_read);
+ case READING_KEXEC_IMAGE:
+ return ipe_process_event(file, ipe_op_kexec_image,
+ ipe_hook_kernel_read);
+ case READING_POLICY:
+ return ipe_process_event(file, ipe_op_policy,
+ ipe_hook_kernel_read);
+ case READING_X509_CERTIFICATE:
+ return ipe_process_event(file, ipe_op_x509,
+ ipe_hook_kernel_read);
+ default:
+ return ipe_process_event(file, ipe_op_kernel_read,
+ ipe_hook_kernel_read);
+ }
+}
+
+/**
+ * ipe_on_kernel_load_data: LSM hook called on kernel_load_data.
+ * @id: Enumeration indicating what type of data is being loaded.
+ *
+ * For more information, see the LSM hook, kernel_load_data.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_kernel_load_data(enum kernel_load_data_id id)
+{
+ switch (id) {
+ case LOADING_FIRMWARE:
+ case LOADING_FIRMWARE_PREALLOC_BUFFER:
+ return ipe_process_event(NULL, ipe_op_firmware,
+ ipe_hook_kernel_load);
+ case LOADING_MODULE:
+ return ipe_process_event(NULL, ipe_op_kmodule,
+ ipe_hook_kernel_load);
+ case LOADING_KEXEC_INITRAMFS:
+ return ipe_process_event(NULL, ipe_op_kexec_initramfs,
+ ipe_hook_kernel_load);
+ case LOADING_KEXEC_IMAGE:
+ return ipe_process_event(NULL, ipe_op_kexec_image,
+ ipe_hook_kernel_load);
+ case LOADING_POLICY:
+ return ipe_process_event(NULL, ipe_op_policy,
+ ipe_hook_kernel_load);
+ case LOADING_X509_CERTIFICATE:
+ return ipe_process_event(NULL, ipe_op_x509,
+ ipe_hook_kernel_load);
+ default:
+ return ipe_process_event(NULL, ipe_op_kernel_read,
+ ipe_hook_kernel_load);
+ }
+}
diff --git a/security/ipe/ipe-hooks.h b/security/ipe/ipe-hooks.h
new file mode 100644
index 000000000000..6af706a130ce
--- /dev/null
+++ b/security/ipe/ipe-hooks.h
@@ -0,0 +1,114 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/binfmts.h>
+#include <linux/mman.h>
+#include <linux/mm.h>
+#include <linux/security.h>
+
+#ifndef IPE_HOOK_H
+#define IPE_HOOK_H
+
+#define IPE_HOOK_EXEC "EXEC"
+#define IPE_HOOK_MMAP "MMAP"
+#define IPE_HOOK_MPROTECT "MPROTECT"
+#define IPE_HOOK_KERNEL_READ "KERNEL_READ"
+#define IPE_HOOK_KERNEL_LOAD "KERNEL_LOAD"
+
+enum ipe_hook {
+ ipe_hook_exec = 0,
+ ipe_hook_mmap,
+ ipe_hook_mprotect,
+ ipe_hook_kernel_read,
+ ipe_hook_kernel_load,
+ ipe_hook_max
+};
+
+/*
+ * The sequence between ipe_op_firmware and ipe_op_kmodule
+ * must remain the same for ipe_op_kernel read to function
+ * appropriately.
+ */
+enum ipe_op {
+ ipe_op_execute = 0,
+ ipe_op_firmware,
+ ipe_op_kexec_image,
+ ipe_op_kexec_initramfs,
+ ipe_op_x509,
+ ipe_op_policy,
+ ipe_op_kmodule,
+ ipe_op_kernel_read,
+ ipe_op_max
+};
+
+/**
+ * ipe_on_exec: LSM hook called on the exec family of system calls.
+ * @bprm: A structure to hold arguments that are used when loading binaries,
+ * used to extract the file being executed.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_exec(struct linux_binprm *bprm);
+
+/**
+ * ipe_on_mmap: LSM hook called on the mmap system call
+ * @file: File being mapped into memory.
+ * @reqprot: Usermode requested protections on the memory region.
+ * @prot: A protection mapping of the memory region, calculated based on
+ * @reqprot, and the system configuration.
+ * @flags: unused.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_mmap(struct file *file, unsigned long reqprot, unsigned long prot,
+ unsigned long flags);
+
+/**
+ * ipe_on_mprotect: LSM hook called on the mprotect system call
+ * @vma: A structure representing the existing memory region.
+ * @reqprot: Usermode requested protections on the memory region.
+ * @prot: A protection mapping of the memory region, calculated based on
+ * @reqprot, and the system configuration.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
+ unsigned long prot);
+
+/**
+ * ipe_on_kernel_read: LSM hook called on kernel_read_file.
+ * @file: File being read by the hook kernel_read_file.
+ * @id: Enumeration indicating the type of file being read.
+ *
+ * For more information, see the LSM hook, kernel_read_file.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id);
+
+/**
+ * ipe_on_kernel_load_data: LSM hook called on kernel_load_data.
+ * @id: Enumeration indicating what type of data is being loaded.
+ *
+ * For more information, see the LSM hook, kernel_load_data.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - see ipe_process_event
+ */
+int ipe_on_kernel_load_data(enum kernel_load_data_id id);
+
+#endif /* IPE_HOOK_H */
diff --git a/security/ipe/ipe-policy.h b/security/ipe/ipe-policy.h
new file mode 100644
index 000000000000..c0c9f2962c92
--- /dev/null
+++ b/security/ipe/ipe-policy.h
@@ -0,0 +1,62 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe-hooks.h"
+#include "ipe-property.h"
+
+#include <linux/types.h>
+#include <linux/list.h>
+#include <linux/mutex.h>
+#include <linux/rcupdate.h>
+
+#ifndef IPE_POLICY_H
+#define IPE_POLICY_H
+
+#define IPE_HEADER_POLICY_NAME "policy_name"
+#define IPE_HEADER_POLICY_VERSION "policy_version"
+
+extern const char *const ipe_boot_policy;
+extern const struct ipe_policy *ipe_active_policy;
+
+enum ipe_action {
+ ipe_action_unset = 0,
+ ipe_action_allow,
+ ipe_action_deny
+};
+
+struct ipe_prop_container {
+ struct list_head next;
+ void *value;
+ const struct ipe_property *prop;
+};
+
+struct ipe_rule {
+ struct list_head props;
+ struct list_head next;
+ enum ipe_action action;
+ enum ipe_op op;
+};
+
+struct ipe_rule_table {
+ struct list_head rules;
+ enum ipe_action def;
+};
+
+struct ipe_pol_ver {
+ u16 major;
+ u16 minor;
+ u16 rev;
+};
+
+struct ipe_policy {
+ char *policy_name;
+ struct ipe_pol_ver policy_version;
+ enum ipe_action def;
+
+ /* KERNEL_READ stores no data itself */
+ struct ipe_rule_table ops[ipe_op_max - 1];
+};
+
+#endif /* IPE_POLICY_H */
diff --git a/security/ipe/ipe-prop-internal.h b/security/ipe/ipe-prop-internal.h
new file mode 100644
index 000000000000..238d31a40169
--- /dev/null
+++ b/security/ipe/ipe-prop-internal.h
@@ -0,0 +1,43 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe-property.h"
+
+#include <linux/types.h>
+
+#ifndef IPE_PROPERTY_INTERNAL_H
+#define IPE_PROPERTY_INTERNAL_H
+
+#define IPE_PROPERTY_OPERATION "op"
+#define IPE_PROPERTY_DEFAULT "DEFAULT"
+#define IPE_PROPERTY_ACTION "action"
+
+#define IPE_OP_EXECUTE "EXECUTE"
+#define IPE_OP_FIRMWARE "FIRMWARE"
+#define IPE_OP_KEXEC_IMAGE "KEXEC_IMAGE"
+#define IPE_OP_KEXEC_INITRAMFS "KEXEC_INITRAMFS"
+#define IPE_OP_X509_CERTIFICATE "X509_CERT"
+#define IPE_OP_POLICY "POLICY"
+#define IPE_OP_KMODULE "KMODULE"
+#define IPE_OP_KERNEL_READ "KERNEL_READ"
+
+struct ipe_prop_reg {
+ struct rb_node node;
+ const struct ipe_property *prop;
+};
+
+extern struct rb_root ipe_registry_root;
+
+/**
+ * ipe_lookup_prop: Attempt to find a ipe_property structure by name @key.
+ * @key: The property_name to look for in the tree.
+ *
+ * Return:
+ * ipe_property structure - OK
+ * NULL - No property exists under @key
+ */
+const struct ipe_property *ipe_lookup_prop(const char *key);
+
+#endif /* IPE_PROPERTY_INTERNAL_H */
diff --git a/security/ipe/ipe-property.c b/security/ipe/ipe-property.c
new file mode 100644
index 000000000000..675265a70327
--- /dev/null
+++ b/security/ipe/ipe-property.c
@@ -0,0 +1,112 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-prop-internal.h"
+#include "ipe-property.h"
+
+#include <linux/types.h>
+#include <linux/rbtree.h>
+#include <linux/slab.h>
+
+/* global root containing all registered properties */
+struct rb_root ipe_registry_root = RB_ROOT;
+
+/**
+ * reg_lookup: Attempt to find a `prop_reg` structure with property_name @key.
+ * @key: The property_name to look for in the tree.
+ *
+ * Return:
+ * ipe_prop_reg structure - OK
+ * NULL - No such property exists
+ */
+static struct ipe_prop_reg *reg_lookup(const char *key)
+{
+ struct rb_node *n = ipe_registry_root.rb_node;
+
+ while (n) {
+ int r;
+ struct ipe_prop_reg *reg =
+ container_of(n, struct ipe_prop_reg, node);
+
+ r = strcmp(reg->prop->property_name, key);
+ if (r == 0)
+ return reg;
+ else if (r > 0)
+ n = n->rb_right;
+ else
+ n = n->rb_left;
+ }
+
+ return NULL;
+}
+
+/**
+ * ipe_lookup_prop: Attempt to find a ipe_property structure by name @key.
+ * @key: The property_name to look for in the tree.
+ *
+ * Return:
+ * ipe_property structure - OK
+ * NULL - No property exists under @key
+ */
+const struct ipe_property *ipe_lookup_prop(const char *key)
+{
+ struct ipe_prop_reg *reg = reg_lookup(key);
+
+ if (!reg)
+ return NULL;
+
+ return reg->prop;
+}
+
+/**
+ * ipe_register_property: Insert a property into the registration system.
+ * @prop: Read-only property structure containing the property_name, as well
+ * as the necessary function pointers for a property.
+ *
+ * The caller needs to maintain the lifetime of @prop throughout the life of
+ * the system, after calling ipe_register_property.
+ *
+ * All necessary properties need to be loaded via this method before
+ * loading a policy, otherwise the properties will be ignored as unknown.
+ *
+ * Return:
+ * 0 - OK
+ * -EEXIST - A key exists with the name @prop->property_name
+ * -ENOMEM - Out of Memory
+ */
+int ipe_register_property(const struct ipe_property *prop)
+{
+ struct rb_node *parent = NULL;
+ struct ipe_prop_reg *new_data = NULL;
+ struct rb_node **new = &ipe_registry_root.rb_node;
+
+ while (*new) {
+ int r;
+ struct ipe_prop_reg *reg =
+ container_of(*new, struct ipe_prop_reg, node);
+
+ parent = *new;
+
+ r = strcmp(reg->prop->property_name, prop->property_name);
+ if (r == 0)
+ return -EEXIST;
+ else if (r > 0)
+ new = &((*new)->rb_right);
+ else
+ new = &((*new)->rb_left);
+ }
+
+ new_data = kzalloc(sizeof(*new_data), GFP_KERNEL);
+ if (!new_data)
+ return -ENOMEM;
+
+ new_data->prop = prop;
+
+ rb_link_node(&new_data->node, parent, new);
+ rb_insert_color(&new_data->node, &ipe_registry_root);
+
+ return 0;
+}
diff --git a/security/ipe/ipe-property.h b/security/ipe/ipe-property.h
new file mode 100644
index 000000000000..c9462d219d43
--- /dev/null
+++ b/security/ipe/ipe-property.h
@@ -0,0 +1,159 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe-engine.h"
+
+#include <linux/types.h>
+#include <linux/lsm_audit.h>
+
+#ifndef IPE_PROPERTY_H
+#define IPE_PROPERTY_H
+
+/**
+ * ipe_property_alloc_storage: Function used to define cache allocations for
+ * individual properties.
+ * @ctx: Context structure of the engine for deriving potential information
+ * to be stored.
+ * @storage: Valid address to space for persistent storage for a
+ * distinct file structure. For the same file structure, this will
+ * be provided to ipe_property_evaluator, ipe_ctx_audit and
+ * ipe_free_storage.
+ *
+ * This is called prior to any evaluation of property, allowing
+ * individual properties to allocate a structure, and potentially
+ * populate a storage space to use during the evaluation.
+ *
+ * An potential example, would be storing the result of a hash or
+ * signature verification operation, such that it does not need to
+ * be done more than once.
+ *
+ * Optional, can be NULL - in which case, this will not be called.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - ERR, use Standard Return Codes
+ */
+typedef int (*ipe_property_alloc_storage)(const struct ipe_engine_ctx *ctx,
+ void **storage);
+
+/**
+ * ipe_property_evaluator: Determines whether a file subject matches the
+ * property.
+ * @value: Value to compare against for a match
+ * @storage: Valid address to space for persistent storage for a
+ * distinct file object.
+ *
+ * NOTE: This is done in an rcu read critical section - sleeping
+ * allocations are prohibited. See ipe_property_alloc_storage
+ * if allocations are required.
+ *
+ * Return:
+ * true - The property matches evaluation
+ * false - The property does not match evaluation
+ */
+typedef bool (*ipe_property_evaluator)(const struct ipe_engine_ctx *ctx,
+ const void *value, void **storage);
+
+/**
+ * ipe_property_audit: Transform a rule value into a string representation.
+ * @ab: Audit buffer to add the string representation of @value to.
+ * @value: Value to transform into a string representation.
+ *
+ * NOTE: This is done in an rcu read critical section - sleeping
+ * allocations are prohibited.
+ */
+typedef void (*ipe_property_audit)(struct audit_buffer *ab, const void *value);
+
+/**
+ * ipe_ctx_audit: Called by the auditing to provide the values
+ * that were evaluated about the subject, @ctx->file, to determine how
+ * a value was evaluated.
+ *
+ * NOTE: This is done in an rcu read critical section - sleeping
+ * allocations are prohibited.
+ *
+ * @ab: Audit buffer to add the string representation of @value to.
+ * @value: Value to transform into a string representation.
+ * @storage: Value that was placed in @storage of the evaluator.
+ *
+ */
+typedef void (*ipe_ctx_audit)(struct audit_buffer *ab,
+ const struct ipe_engine_ctx *ctx,
+ const void *storage);
+
+/**
+ * ipe_parse_value: Transform a string representation of a rule into an
+ * internal ipe data-structure, opaque to the engine.
+ * @val_str: String-value parsed by the policy parser.
+ * @value: Valid-pointer indicating address to store parsed value.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - ERR, use Standard Return Codes
+ */
+typedef int(*ipe_parse_value)(const char *val_str, void **value);
+
+/**
+ * ipe_dup_val: Called by the policy parser to make duplicate properties for
+ * pseudo-properties like "KERNEL_READ".
+ * @src: Value to copy.
+ * @dest: Pointer to the destination where the value should be copied.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - ERR, use Standard Return Codes
+ */
+typedef int (*ipe_dup_val)(const void *src, void **dest);
+
+/**
+ * ipe_free_value: Free a policy value, created by ipe_parse_value.
+ * @value: Valid-pointer to the value to be interpreted and
+ * freed by the property.
+ *
+ * Optional, can be NULL - in which case, this will not be called.
+ */
+typedef void (*ipe_free_value)(void **value);
+
+/**
+ * ipe_free_storage: Free the storage allocated by
+ * ipe_property_prealloc_storage
+ * @storage: Valid-pointer to the value to be interpreted and
+ * freed by the property.
+ *
+ * Optional, can be NULL - in which case, this will not be called.
+ */
+typedef void (*ipe_free_storage)(void **storage);
+
+struct ipe_property {
+ const char *const property_name;
+ ipe_property_alloc_storage prealloc;
+ ipe_property_evaluator eval;
+ ipe_property_audit rule_audit;
+ ipe_ctx_audit ctx_audit;
+ ipe_parse_value parse;
+ ipe_dup_val dup;
+ ipe_free_value free_val;
+ ipe_free_storage free_storage;
+};
+
+/**
+ * ipe_register_property: Insert a property into the registration system.
+ * @prop: Read-only property structure containing the property_name, as well
+ * as the necessary function pointers for a property.
+ *
+ * The caller needs to maintain the lifetime of @prop throughout the life of
+ * the system, after calling ipe_register_property.
+ *
+ * All necessary properties need to be loaded via this method before
+ * loading a policy, otherwise the properties will be ignored as unknown.
+ *
+ * Return:
+ * 0 - OK
+ * -EEXIST - A key exists with the name @prop->property_name
+ * -ENOMEM - Out of memory
+ */
+int ipe_register_property(const struct ipe_property *prop);
+
+#endif /* IPE_PROPERTY_H */
diff --git a/security/ipe/ipe-sysfs.c b/security/ipe/ipe-sysfs.c
new file mode 100644
index 000000000000..c97685a25b6a
--- /dev/null
+++ b/security/ipe/ipe-sysfs.c
@@ -0,0 +1,115 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-audit.h"
+
+#include <linux/sysctl.h>
+#include <linux/fs.h>
+#include <linux/mutex.h>
+#include <linux/slab.h>
+
+#ifdef CONFIG_SYSCTL
+
+#ifdef CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH
+
+/**
+ * ipe_switch_mode: Handler to switch IPE's modes between permissive
+ * and enforce.
+ * @table: Sysctl table entry from the variable, sysctl_table.
+ * @write: Integer indicating whether this is a write or a read.
+ * @buffer: Data passed to sysctl, this should be 1 or 0 for this function.
+ * @lenp: Pointer to the size of @buffer.
+ * @ppos: Offset into @buffer.
+ *
+ * This wraps proc_dointvec_minmax, and if there's a change, emits an
+ * audit event.
+ *
+ * Return:
+ * 0 - OK
+ * Other - See proc_dointvec_minmax
+ */
+static int ipe_switch_mode(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ int old = enforce;
+ int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+
+ if (ret == 0 && old != enforce)
+ ipe_audit_mode();
+
+ return ret;
+}
+
+#endif /* CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH */
+
+static struct ctl_table_header *sysctl_header;
+
+static const struct ctl_path sysctl_path[] = {
+ {
+ .procname = "ipe",
+ },
+ {}
+};
+
+static struct ctl_table sysctl_table[] = {
+#ifdef CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH
+ {
+ .procname = "enforce",
+ .data = &enforce,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = ipe_switch_mode,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+#endif /* CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH */
+ {
+ .procname = "success_audit",
+ .data = &success_audit,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+ {}
+ /* TODO: Active Policy Selector */
+};
+
+/**
+ * ipe_sysctl_init: Initialize IPE's sysfs entries.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOMEM - Sysctl registration failed
+ */
+int __init ipe_sysctl_init(void)
+{
+ sysctl_header = register_sysctl_paths(sysctl_path, sysctl_table);
+
+ if (!sysctl_header) {
+ pr_err("sysctl registration failed");
+ return -ENOMEM;
+ }
+
+ return 0;
+}
+
+#else /* !CONFIG_SYSCTL */
+
+/**
+ * ipe_sysctl_init: Initialize IPE's sysfs entries.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOMEM - Sysctl registration failed
+ */
+inline int __init ipe_sysctl_init(void)
+{
+ return 0;
+}
+
+#endif /* !CONFIG_SYSCTL */
diff --git a/security/ipe/ipe-sysfs.h b/security/ipe/ipe-sysfs.h
new file mode 100644
index 000000000000..7afd92e8220d
--- /dev/null
+++ b/security/ipe/ipe-sysfs.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+#include <linux/types.h>
+
+#include "ipe.h"
+
+#ifndef IPE_SYSFS_H
+#define IPE_SYSFS_H
+
+/**
+ * ipe_sysctl_init: Initialize IPE's sysfs entries.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOMEM - Sysctl registration failed
+ */
+int __init ipe_sysctl_init(void);
+
+#endif /* IPE_SYSFS_H */
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
new file mode 100644
index 000000000000..0c30d7c629c9
--- /dev/null
+++ b/security/ipe/ipe.c
@@ -0,0 +1,99 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-policy.h"
+#include "ipe-hooks.h"
+#include "ipe-sysfs.h"
+
+#include <linux/module.h>
+#include <linux/lsm_hooks.h>
+#include <linux/sysctl.h>
+#include <linux/rcupdate.h>
+#include <linux/fs.h>
+#include <linux/kernel.h>
+#include <linux/security.h>
+
+static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(bprm_check_security, ipe_on_exec),
+ LSM_HOOK_INIT(mmap_file, ipe_on_mmap),
+ LSM_HOOK_INIT(kernel_read_file, ipe_on_kernel_read),
+ LSM_HOOK_INIT(kernel_load_data, ipe_on_kernel_load_data),
+ LSM_HOOK_INIT(file_mprotect, ipe_on_mprotect),
+};
+
+/**
+ * ipe_load_properties: Call the property entry points for all the IPE modules
+ * that were selected at kernel build-time.
+ *
+ * Return:
+ * 0 - OK
+ */
+static int __init ipe_load_properties(void)
+{
+ return 0;
+}
+
+/**
+ * ipe_init: Entry point of IPE.
+ *
+ * This is called at LSM init, which happens occurs early during kernel
+ * start up. During this phase, IPE initializes the sysctls, loads the
+ * properties compiled into the kernel, and register's IPE's hooks.
+ * The boot policy is loaded later, during securityfs init, at which point
+ * IPE will start enforcing its policy.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOMEM - sysctl registration failed.
+ */
+static int __init ipe_init(void)
+{
+ int rc = 0;
+
+ rc = ipe_sysctl_init();
+ if (rc != 0)
+ pr_err("failed to configure sysctl: %d", -rc);
+
+ pr_info("mode=%s", (enforce == 1) ? IPE_MODE_ENFORCE :
+ IPE_MODE_PERMISSIVE);
+
+ RCU_INIT_POINTER(ipe_active_policy, NULL);
+
+ security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "IPE");
+
+ return rc;
+}
+
+DEFINE_LSM(ipe) = {
+ .name = "ipe",
+ .init = ipe_init,
+};
+
+int enforce = 1;
+
+#ifdef CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH
+
+/**
+ * enforce: Kernel command line parameter to set the permissive mode for IPE
+ * at system startup. By default, this will always be in enforce mode.
+ *
+ * This is also controlled by the sysctl, "ipe.enforce".
+ */
+module_param(enforce, int, 0644);
+MODULE_PARM_DESC(enforce, "enforce/permissive mode switch");
+
+#endif /* CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH */
+
+/**
+ * success_audit: Kernel command line parameter to enable success auditing
+ * (emit an audit event when a file is allowed) at system
+ * startup. By default, this will be off.
+ *
+ * This is also controlled by the sysctl, "ipe.success_audit".
+ */
+int success_audit;
+module_param(success_audit, int, 0644);
+MODULE_PARM_DESC(success_audit, "audit message on allow");
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
new file mode 100644
index 000000000000..52e5ea0ccaef
--- /dev/null
+++ b/security/ipe/ipe.h
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef IPE_H
+#define IPE_H
+
+#define pr_fmt(fmt) "IPE " fmt
+
+#include <linux/types.h>
+#include <linux/fs.h>
+
+#define IPE_MODE_ENFORCE "enforce"
+#define IPE_MODE_PERMISSIVE "permissive"
+
+extern int enforce;
+extern int success_audit;
+
+#endif /* IPE_H */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 03/12] security: add ipe lsm policy parser and policy loading
2020-04-06 22:14 ` deven.desai
` (2 preceding siblings ...)
(?)
@ 2020-04-06 22:14 ` deven.desai
2020-04-07 15:39 ` Jann Horn
-1 siblings, 1 reply; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Adds the policy parser and the policy loading to IPE, along with the
related sysfs and securityfs entries.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
security/ipe/Kconfig | 2 +-
security/ipe/Makefile | 3 +
security/ipe/ipe-parse.c | 898 ++++++++++++++++++++++++++++++++++++++
security/ipe/ipe-parse.h | 35 ++
security/ipe/ipe-policy.c | 180 ++++++++
security/ipe/ipe-policy.h | 54 +++
security/ipe/ipe-secfs.c | 814 ++++++++++++++++++++++++++++++++++
security/ipe/ipe-secfs.h | 25 ++
security/ipe/ipe-sysfs.c | 86 ++++
security/ipe/ipe.c | 13 +
security/ipe/ipe.h | 1 +
11 files changed, 2110 insertions(+), 1 deletion(-)
create mode 100644 security/ipe/ipe-parse.c
create mode 100644 security/ipe/ipe-parse.h
create mode 100644 security/ipe/ipe-policy.c
create mode 100644 security/ipe/ipe-secfs.c
create mode 100644 security/ipe/ipe-secfs.h
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
index 0c67cd049d0c..ef6fb019be6f 100644
--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -5,7 +5,7 @@
menuconfig SECURITY_IPE
bool "Integrity Policy Enforcement (IPE)"
- depends on SECURITY && AUDIT
+ depends on SECURITY && AUDIT && SECURITYFS
select SYSTEM_DATA_VERIFICATION
help
This option enables the Integrity Policy Enforcement subsystem,
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
index aaa2e2c0b2f4..4dcfc5b26b58 100644
--- a/security/ipe/Makefile
+++ b/security/ipe/Makefile
@@ -19,8 +19,11 @@ obj-$(CONFIG_SECURITY_IPE) += \
ipe-audit.o \
ipe-bp.o \
ipe-engine.o \
+ ipe-parse.o \
+ ipe-policy.o \
ipe-property.o \
ipe-hooks.o \
+ ipe-secfs.o \
ipe-sysfs.o \
clean-files := ipe-bp.c
diff --git a/security/ipe/ipe-parse.c b/security/ipe/ipe-parse.c
new file mode 100644
index 000000000000..c5e0111b9c8b
--- /dev/null
+++ b/security/ipe/ipe-parse.c
@@ -0,0 +1,898 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-prop-internal.h"
+#include "ipe-hooks.h"
+#include "ipe-parse.h"
+#include "ipe-property.h"
+#include "ipe-audit.h"
+
+#include <linux/types.h>
+#include <linux/list.h>
+#include <linux/list_sort.h>
+#include <linux/slab.h>
+#include <linux/ctype.h>
+#include <linux/parser.h>
+#include <linux/errno.h>
+#include <linux/err.h>
+
+#define ALLOW_ACTION "ALLOW"
+#define DENY_ACTION "DENY"
+#define COMMENT_CHAR '#'
+#define VER_FSTR "%hu.%hu.%hu"
+
+/* Internal Type Definitions */
+enum property_priority {
+ other = 0,
+ action = 1,
+ op = 2,
+ default_action = 3,
+ policy_ver = 4,
+ policy_name = 5,
+};
+
+struct token {
+ struct list_head next_tok;
+ const char *key;
+ enum property_priority key_priority;
+ const char *val;
+};
+
+/* Utility Functions */
+static inline bool is_quote(char c)
+{
+ return c == '"' || c == '\'';
+}
+
+static inline bool valid_token(char *s)
+{
+ return !s || !strpbrk(s, "\"\'");
+}
+
+static inline bool is_default(const struct token *t)
+{
+ return !t->val && t->key_priority == default_action;
+}
+
+static inline bool is_operation(const struct token *t)
+{
+ return t->val && t->key_priority == op;
+}
+
+static inline bool is_action(const struct token *t)
+{
+ return t->val && t->key_priority == action;
+}
+
+static inline bool is_name(const struct token *t)
+{
+ return t->val && t->key_priority == policy_name;
+}
+
+static inline bool is_ver(const struct token *t)
+{
+ return t->val && t->key_priority == policy_ver;
+}
+
+static int cmp_pri(void *priv, struct list_head *a, struct list_head *b)
+{
+ struct token *t_a = container_of(a, struct token, next_tok);
+ struct token *t_b = container_of(b, struct token, next_tok);
+
+ return t_b->key_priority - t_a->key_priority;
+}
+
+static char *trim_quotes(char *str)
+{
+ char s;
+ size_t len;
+
+ if (!str)
+ return str;
+
+ s = *str;
+
+ if (is_quote(s)) {
+ len = strlen(str) - 1;
+
+ if (str[len] != s)
+ return NULL;
+
+ str[len] = '\0';
+ ++str;
+ }
+
+ return str;
+}
+
+/**
+ * ipe_set_action: Set an action with error checking.
+ * @src: Valid pointer to the source location to set wih the result
+ * @set: Value to apply to @src, if valid
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - Attempting to set something that is already set
+ */
+static int ipe_set_action(enum ipe_action *src, enum ipe_action set)
+{
+ if (*src != ipe_action_unset)
+ return -EBADMSG;
+
+ *src = set;
+
+ return 0;
+}
+
+/**
+ * ipe_insert_token: Allocate and append the key=value pair indicated by @val,
+ * to the list represented by @head.
+ * @val: Token to parse, of form "key=val".
+ * @head: Head of the list to insert the token structure into.
+ *
+ * If "=val" is omitted, this function will succeed, and the value set will be
+ * NULL.
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - Invalid policy syntax
+ * -ENOMEM - No Memory
+ */
+static int ipe_insert_token(char *val, struct list_head *head)
+{
+ char *key;
+ substring_t match[MAX_OPT_ARGS];
+ struct token *tok;
+ const match_table_t prop_priorities = {
+ { policy_name, IPE_HEADER_POLICY_NAME },
+ { policy_ver, IPE_HEADER_POLICY_VERSION},
+ { op, IPE_PROPERTY_OPERATION },
+ { default_action, IPE_PROPERTY_DEFAULT },
+ { action, IPE_PROPERTY_ACTION },
+ { other, NULL },
+ };
+
+ key = strsep(&val, "=");
+ if (!key)
+ return -EBADMSG;
+
+ tok = kzalloc(sizeof(*tok), GFP_KERNEL);
+ if (!tok)
+ return -ENOMEM;
+
+ tok->key = key;
+ tok->val = trim_quotes(val);
+ tok->key_priority = match_token(key, prop_priorities, match);
+ INIT_LIST_HEAD(&tok->next_tok);
+
+ list_add_tail(&tok->next_tok, head);
+
+ return 0;
+}
+
+/**
+ * ipe_tokenize_line: Parse a line of text into a list of token structures.
+ * @line: Line to parse.
+ * @list: Head of the list to insert the token structure into.
+ *
+ * The final result will be sorted in the priority order definted by
+ * enum property_priorities to enforce policy structure.
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - Invalid policy syntax
+ * -ENOMEM - No Memory
+ * -ENOENT - No tokens were parsed
+ */
+static int ipe_tokenize_line(char *line, struct list_head *list)
+{
+ int rc = 0;
+ size_t i = 0;
+ size_t len = 0;
+ char *tok = NULL;
+ char quote = '\0';
+
+ len = strlen(line);
+
+ for (i = 0; i < len; ++i) {
+ if (quote == '\0' && is_quote(line[i])) {
+ quote = line[i];
+ continue;
+ }
+
+ if (quote != '\0' && line[i] == quote) {
+ quote = '\0';
+ continue;
+ }
+
+ if (quote == '\0' && line[i] == COMMENT_CHAR) {
+ tok = NULL;
+ break;
+ }
+
+ if (isgraph(line[i]) && !tok)
+ tok = &line[i];
+
+ if (quote == '\0' && isspace(line[i])) {
+ line[i] = '\0';
+
+ if (!tok)
+ continue;
+
+ rc = ipe_insert_token(tok, list);
+ if (rc != 0)
+ return rc;
+
+ tok = NULL;
+ }
+ }
+
+ if (quote != '\0')
+ return -EBADMSG;
+
+ if (tok)
+ ipe_insert_token(tok, list);
+
+ if (list_empty(list))
+ return -ENOENT;
+
+ list_sort(NULL, list, cmp_pri);
+
+ return 0;
+}
+
+static inline int ipe_parse_version(const char *val, struct ipe_pol_ver *ver)
+{
+ if (sscanf(val, VER_FSTR, &ver->major, &ver->minor, &ver->rev) != 3)
+ return -EBADMSG;
+
+ return 0;
+}
+
+/**
+ * ipe_parse_action: Given a token, parse the value as if it were an 'action'
+ * token.
+ * @action: Token to parse to determine the action.
+ *
+ * Action tokens are of the form: action=(ALLOW|DENY) for more information
+ * about IPE policy, please see the documentation.
+ *
+ * Return:
+ * ipe_action_allow - OK
+ * ipe_action_deny - OK
+ * ipe_action_unset - ERR
+ */
+static enum ipe_action ipe_parse_action(struct token *action)
+{
+ if (!action->val)
+ return ipe_action_unset;
+ else if (!strcmp(action->val, ALLOW_ACTION))
+ return ipe_action_allow;
+ else if (!strcmp(action->val, DENY_ACTION))
+ return ipe_action_deny;
+
+ return ipe_action_unset;
+}
+
+/**
+ * ipe_parse_op: Given a token, parse the value as if it were an 'op' token.
+ * @op: Token to parse to determine the operation.
+ *
+ * "op" tokens are of the form: op=(EXECUTE|FIRMWARE|KEXEC_IMAGE|...)
+ * for more information about IPE policy, please see the documentation.
+ *
+ * Return:
+ * ipe_op_max - ERR
+ * otherwise - OK
+ */
+static enum ipe_op ipe_parse_op(struct token *op)
+{
+ substring_t match[MAX_OPT_ARGS];
+ const match_table_t ops = {
+ { ipe_op_execute, IPE_OP_EXECUTE },
+ { ipe_op_firmware, IPE_OP_FIRMWARE },
+ { ipe_op_kexec_image, IPE_OP_KEXEC_IMAGE },
+ { ipe_op_kexec_initramfs, IPE_OP_KEXEC_INITRAMFS },
+ { ipe_op_x509, IPE_OP_X509_CERTIFICATE },
+ { ipe_op_policy, IPE_OP_POLICY },
+ { ipe_op_kmodule, IPE_OP_KMODULE },
+ { ipe_op_kernel_read, IPE_OP_KERNEL_READ },
+ { ipe_op_max, NULL },
+ };
+
+ return match_token((char *)op->val, ops, match);
+}
+
+/**
+ * ipe_set_default: Set the default of the policy, at various scope levels
+ * depending on the value of op.
+ * @op: Operation that was parsed.
+ * @pol: Policy to modify with the newly-parsed default action.
+ * @a: Action token (see parse_action) to parse to determine
+ * the default.
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - Invalid policy format
+ */
+static int ipe_set_default(enum ipe_op op, struct ipe_policy *pol,
+ struct token *a)
+{
+ int rc = 0;
+ size_t i = 0;
+ enum ipe_action act = ipe_parse_action(a);
+
+ if (act == ipe_action_unset)
+ return -EBADMSG;
+
+ if (op == ipe_op_max)
+ return ipe_set_action(&pol->def, act);
+
+ if (op == ipe_op_kernel_read) {
+ for (i = ipe_op_firmware; i <= ipe_op_kmodule; ++i) {
+ rc = ipe_set_action(&pol->ops[i].def, act);
+ if (rc != 0)
+ return rc;
+ }
+ return 0;
+ }
+
+ return ipe_set_action(&pol->ops[op].def, act);
+}
+
+/**
+ * ipe_parse_default: Parse a default statement of an IPE policy modify @pol
+ * with the proper changes
+ * @tokens: List of tokens parsed from the line
+ * @pol: Policy to modify with the newly-parsed default action
+ *
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - Invalid policy format
+ * -ENOENT - Unknown policy structure
+ */
+static int ipe_parse_default(struct list_head *tokens,
+ struct ipe_policy *pol)
+{
+ struct token *f = NULL;
+ struct token *s = NULL;
+ struct token *t = NULL;
+ enum ipe_op i = ipe_op_max;
+
+ f = list_first_entry(tokens, struct token, next_tok);
+ s = list_next_entry(f, next_tok);
+ if (is_action(s))
+ return ipe_set_default(ipe_op_max, pol, s);
+
+ i = ipe_parse_op(s);
+ if (i == ipe_op_max)
+ return -ENOENT;
+
+ t = list_next_entry(s, next_tok);
+ if (is_action(t)) {
+ t = list_next_entry(s, next_tok);
+ return ipe_set_default(i, pol, t);
+ }
+
+ return -ENOENT;
+}
+
+/**
+ * ipe_free_token_list - Free a list of tokens, and then reinitialize @list
+ * dropping all tokens.
+ * @list: List to be freed.
+ */
+static void ipe_free_token_list(struct list_head *list)
+{
+ struct token *ptr, *next;
+
+ list_for_each_entry_safe(ptr, next, list, next_tok)
+ kfree(ptr);
+
+ INIT_LIST_HEAD(list);
+}
+
+/**
+ * ipe_free_prop - Deallocator for an ipe_prop_container structure.
+ * @cont: Object to free.
+ */
+static void ipe_free_prop(struct ipe_prop_container *cont)
+{
+ if (IS_ERR_OR_NULL(cont))
+ return;
+
+ if (cont->prop->free_val)
+ cont->prop->free_val(&cont->value);
+ kfree(cont);
+}
+
+/**
+ * ipe_alloc_prop: Allocator for a ipe_prop_container structure.
+ * @tok: Token structure representing the "key=value" pair of the property.
+ *
+ * Return:
+ * Pointer to ipe_rule - OK
+ * ERR_PTR(-ENOMEM) - Allocation failed
+ */
+static struct ipe_prop_container *ipe_alloc_prop(const struct token *tok)
+{
+ int rc = 0;
+ const struct ipe_property *prop = NULL;
+ struct ipe_prop_container *cont = NULL;
+
+ prop = ipe_lookup_prop(tok->key);
+ if (!prop) {
+ rc = -ENOENT;
+ goto err;
+ }
+
+ cont = kzalloc(sizeof(*cont), GFP_KERNEL);
+ if (!cont) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ INIT_LIST_HEAD(&cont->next);
+
+ rc = prop->parse(tok->val, &cont->value);
+ if (rc != 0)
+ goto err;
+
+ cont->prop = prop;
+
+ return cont;
+err:
+ ipe_free_prop(cont);
+ return ERR_PTR(rc);
+}
+
+/**
+ * ipe_free_rule: Deallocator for an ipe_rule structure.
+ * @rule: Object to free.
+ */
+static void ipe_free_rule(struct ipe_rule *rule)
+{
+ struct ipe_prop_container *ptr;
+ struct list_head *l_ptr, *l_next;
+
+ if (IS_ERR_OR_NULL(rule))
+ return;
+
+ list_for_each_safe(l_ptr, l_next, &rule->props) {
+ ptr = container_of(l_ptr, struct ipe_prop_container, next);
+ list_del(l_ptr);
+ ipe_free_prop(ptr);
+ }
+
+ kfree(rule);
+}
+
+/**
+ * ipe_alloc_rule: Allocate a ipe_rule structure, for operation @op, parsed
+ * from the first token in list @head.
+ * @op: Operation parsed from the first token in @head.
+ * @t: The first token in @head that was parsed.
+ * @head: List of remaining tokens to parse.
+ *
+ * Return:
+ * Valid ipe_rule pointer - OK
+ * ERR_PTR(-EBADMSG) - Invalid syntax
+ * ERR_PTR(-ENOMEM) - Out of memory
+ */
+static struct ipe_rule *ipe_alloc_rule(enum ipe_op op, struct token *t,
+ struct list_head *head)
+{
+ int rc = 0;
+ struct token *ptr;
+ enum ipe_action act;
+ struct ipe_rule *rule = NULL;
+ struct ipe_prop_container *prop = NULL;
+
+ ptr = list_next_entry(t, next_tok);
+ if (!is_action(ptr)) {
+ rc = -EBADMSG;
+ goto err;
+ }
+
+ act = ipe_parse_action(ptr);
+ if (act == ipe_action_unset) {
+ rc = -EBADMSG;
+ goto err;
+ }
+
+ rule = kzalloc(sizeof(*rule), GFP_KERNEL);
+ if (!rule) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ INIT_LIST_HEAD(&rule->props);
+ INIT_LIST_HEAD(&rule->next);
+ rule->action = act;
+ rule->op = op;
+
+ list_for_each_entry_continue(ptr, head, next_tok) {
+ prop = ipe_alloc_prop(ptr);
+
+ if (IS_ERR(prop)) {
+ rc = PTR_ERR(prop);
+ goto err;
+ }
+
+ list_add_tail(&prop->next, &rule->props);
+ }
+
+ return rule;
+err:
+ ipe_free_prop(prop);
+ ipe_free_rule(rule);
+ return ERR_PTR(rc);
+}
+
+/**
+ * ipe_dup_prop: Duplicate an ipe_prop_container structure
+ * @p: Container to duplicate.
+ *
+ * This function is used to duplicate individual properties within a rule.
+ * It should only be called in operations that actually map to one or more
+ * operations.
+ *
+ * Return:
+ * Valid ipe_prop_container - OK
+ * ERR_PTR(-ENOMEM) - Out of memory
+ * Other Errors - see various property duplicator functions
+ */
+static
+struct ipe_prop_container *ipe_dup_prop(const struct ipe_prop_container *p)
+{
+ int rc = 0;
+ struct ipe_prop_container *dup;
+
+ dup = kzalloc(sizeof(*dup), GFP_KERNEL);
+ if (!dup) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ dup->prop = p->prop;
+ INIT_LIST_HEAD(&dup->next);
+
+ rc = p->prop->dup(p->value, &dup->value);
+ if (rc != 0)
+ goto err;
+
+ return dup;
+err:
+ ipe_free_prop(dup);
+ return ERR_PTR(rc);
+}
+
+/**
+ * ipe_dup_rule: Duplicate a policy rule, used for pseudo hooks like
+ * KERNEL_READ to map a policy rule across all hooks.
+ * @r: Rule to duplicate.
+ *
+ * Return:
+ * valid ipe_rule - OK
+ * ERR_PTR(-ENOMEM) - Out of memory
+ * Other Errors - See ipe_dup_prop
+ */
+static struct ipe_rule *ipe_dup_rule(const struct ipe_rule *r)
+{
+ int rc = 0;
+ struct ipe_rule *dup;
+ struct ipe_prop_container *ptr;
+
+ dup = kzalloc(sizeof(*dup), GFP_KERNEL);
+ if (!dup) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ dup->op = r->op;
+ dup->action = r->action;
+ INIT_LIST_HEAD(&dup->props);
+ INIT_LIST_HEAD(&dup->next);
+
+ list_for_each_entry(ptr, &r->props, next) {
+ struct ipe_prop_container *prop2;
+
+ prop2 = ipe_dup_prop(ptr);
+ if (IS_ERR(prop2)) {
+ rc = PTR_ERR(prop2);
+ goto err;
+ }
+
+ list_add_tail(&prop2->next, &dup->props);
+ }
+
+ return dup;
+err:
+ ipe_free_rule(dup);
+ return ERR_PTR(rc);
+}
+
+/**
+ * ipe_free_policy: Deallocate an ipe_policy structure.
+ * @pol: Policy to free.
+ */
+void ipe_free_policy(struct ipe_policy *pol)
+{
+ size_t i;
+ struct ipe_rule *ptr;
+ struct ipe_rule_table *op;
+ struct list_head *l_ptr, *l_next;
+
+ if (IS_ERR_OR_NULL(pol))
+ return;
+
+ for (i = 0; i < ARRAY_SIZE(pol->ops); ++i) {
+ op = &pol->ops[i];
+
+ list_for_each_safe(l_ptr, l_next, &op->rules) {
+ ptr = list_entry(l_ptr, struct ipe_rule, next);
+ list_del(l_ptr);
+ ipe_free_rule(ptr);
+ }
+ }
+
+ kfree(pol->policy_name);
+ kfree(pol);
+ pol = NULL;
+}
+
+/**
+ * ipe_alloc_policy: Give a list of tokens representing the first line of the
+ * token, attempt to parse it as an IPE policy header, and
+ * allocate a policy structure based on those values.
+ * @tokens: List of tokens parsed from the first line of the policy
+ *
+ * Return:
+ * Valid ipe_policy pointer - OK
+ * ERR_PTR(-ENOMEM) - Out of memory
+ * ERR_PTR(-EBADMSG) - Invalid policy syntax
+ */
+static struct ipe_policy *ipe_alloc_policy(struct list_head *tokens)
+{
+ size_t i;
+ int rc = 0;
+ struct token *name = NULL;
+ struct token *ver = NULL;
+ struct ipe_policy *lp = NULL;
+
+ name = list_first_entry(tokens, struct token, next_tok);
+ if (!is_name(name)) {
+ rc = -EBADMSG;
+ goto err;
+ }
+
+ if (list_is_singular(tokens)) {
+ rc = -EBADMSG;
+ goto err;
+ }
+
+ ver = list_next_entry(name, next_tok);
+ if (!is_ver(ver)) {
+ rc = -EBADMSG;
+ goto err;
+ }
+
+ lp = kzalloc(sizeof(*lp), GFP_KERNEL);
+ if (!lp) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ lp->policy_name = kstrdup(name->val, GFP_KERNEL);
+ if (!lp->policy_name) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ rc = ipe_parse_version(ver->val, &lp->policy_version);
+ if (rc != 0)
+ goto err;
+
+ for (i = 0; i < ARRAY_SIZE(lp->ops); ++i) {
+ lp->ops[i].def = ipe_action_unset;
+ INIT_LIST_HEAD(&lp->ops[i].rules);
+ }
+
+ lp->def = ipe_action_unset;
+
+ return lp;
+err:
+ ipe_free_policy(lp);
+ return ERR_PTR(rc);
+}
+
+/**
+ * ipe_add_rule_for_range: Given a ipe_rule @r, duplicate @r and add the rule
+ * to @pol for the operation range @start to @end.
+ * @start: The starting point of the range to add the rule to.
+ * @end: The ending point of the range to add the rule to.
+ * @r: The rule to copy.
+ * @pol: Policy structure to modify with the result.
+ *
+ * This is @start to @end, inclusive. @r is still valid after this function,
+ * and should be freed if appropriate.
+ *
+ * Return:
+ * 0 - OK
+ * Other Errors - See ipe_dup_prop
+ */
+static int ipe_add_rule_for_range(enum ipe_op start, enum ipe_op end,
+ struct ipe_rule *r, struct ipe_policy *pol)
+{
+ enum ipe_op i;
+ struct ipe_rule *cpy = NULL;
+
+ for (i = start; i <= end; ++i) {
+ cpy = ipe_dup_rule(r);
+ if (IS_ERR(cpy))
+ return PTR_ERR(cpy);
+
+ list_add_tail(&cpy->next, &pol->ops[i].rules);
+ }
+
+ return 0;
+}
+
+/**
+ * ipe_parse_line: Given a list of tokens, attempt to parse it into a rule
+ * structure, and add it to the passed-in ipe_policy structure.
+ * @tokens: List of tokens that were parsed.
+ * @pol: Policy structure to modify with the result.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOENT - Unrecognized property
+ * -ENOMEM - Out of memory
+ * Other Errors - See ipe_dup_prop
+ */
+static int ipe_parse_line(struct list_head *tokens,
+ struct ipe_policy *pol)
+{
+ int rc = 0;
+ struct token *f;
+ enum ipe_op i = ipe_op_max;
+ struct ipe_rule *rule = NULL;
+
+ f = list_first_entry(tokens, struct token, next_tok);
+
+ switch (f->key_priority) {
+ case default_action:
+ rc = ipe_parse_default(tokens, pol);
+ break;
+ case op:
+ i = ipe_parse_op(f);
+ if (i == ipe_op_max)
+ return -ENOENT;
+
+ if (list_is_singular(tokens))
+ return -EBADMSG;
+
+ rule = ipe_alloc_rule(i, f, tokens);
+ if (IS_ERR(rule)) {
+ rc = PTR_ERR(rule);
+ goto cleanup;
+ }
+
+ if (i == ipe_op_kernel_read) {
+ rc = ipe_add_rule_for_range(ipe_op_firmware,
+ ipe_op_kmodule, rule, pol);
+ if (rc != 0)
+ goto cleanup;
+ } else {
+ list_add_tail(&rule->next, &pol->ops[i].rules);
+ rule = NULL;
+ }
+ break;
+ default:
+ return -ENOENT;
+ }
+
+cleanup:
+ ipe_free_rule(rule);
+ return rc;
+}
+
+/**
+ * ipe_remap_policy_defaults: Remap all defaults not specified by policy to
+ * 'allow' to preserve compatibility.
+ * @p: Policy to modify.
+ *
+ * This function's behavior changes when strict_parse is set. When the strict
+ * parser is enabled, this function will break backwards policy compatibility,
+ * erroring on an unset default.
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - (Only with strict parse) A default was left unset.
+ */
+static int ipe_remap_policy_defaults(struct ipe_policy *p)
+{
+ size_t i;
+
+ if (p->def == ipe_action_unset) {
+ for (i = 0; i < ARRAY_SIZE(p->ops); ++i) {
+ if (p->ops[i].def == ipe_action_unset) {
+ ipe_audit_unset_remap((enum ipe_op)i);
+ if (strict_parse)
+ return -EBADMSG;
+ p->ops[i].def = ipe_action_allow;
+ }
+ }
+ }
+
+ return 0;
+}
+
+/**
+ * ipe_parse_policy: Given a string, parse the string into an IPE policy
+ * structure.
+ * @policy: NULL terminated string to parse.
+ *
+ * This function's behavior changes when strict_parse is set. When the strict
+ * parser is enabled, this function will break backwards policy compatibility,
+ * erroring on unknown syntax. This function will modify @policy.
+ *
+ * Return:
+ * Valid ipe_policy structure - OK
+ * ERR_PTR(-EBADMSG) - Invalid Policy Syntax (Unrecoverable)
+ * ERR_PTR(-ENOMEM) - Out of Memory
+ */
+struct ipe_policy *ipe_parse_policy(char *policy)
+{
+ int rc = 0;
+ size_t i = 1;
+ char *p = NULL;
+ LIST_HEAD(t_list);
+ struct ipe_policy *local_p = NULL;
+
+ while ((p = strsep(&policy, "\n\0")) != NULL) {
+ rc = ipe_tokenize_line(p, &t_list);
+ if (rc == -ENOENT) {
+ ++i;
+ continue;
+ }
+ if (rc != 0)
+ goto err;
+
+ if (!local_p) {
+ local_p = ipe_alloc_policy(&t_list);
+ if (IS_ERR(local_p)) {
+ rc = PTR_ERR(local_p);
+ goto err;
+ }
+ } else {
+ rc = ipe_parse_line(&t_list, local_p);
+ if (rc == -ENOENT) {
+ ipe_audit_ignore_line(i);
+ if (strict_parse) {
+ rc = -EBADMSG;
+ goto err;
+ }
+ } else if (rc != 0) {
+ goto err;
+ }
+ }
+
+ ipe_free_token_list(&t_list);
+ ++i;
+ }
+
+ rc = ipe_remap_policy_defaults(local_p);
+ if (rc != 0)
+ goto err;
+
+ return local_p;
+err:
+ ipe_free_token_list(&t_list);
+ ipe_free_policy(local_p);
+ return ERR_PTR(rc);
+}
diff --git a/security/ipe/ipe-parse.h b/security/ipe/ipe-parse.h
new file mode 100644
index 000000000000..99310b5c3e00
--- /dev/null
+++ b/security/ipe/ipe-parse.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe-policy.h"
+
+#include <linux/types.h>
+
+#ifndef IPE_PARSE_H
+#define IPE_PARSE_H
+
+/**
+ * ipe_parse_policy: Given a string, parse the string into an IPE policy
+ * structure.
+ * @policy: NULL terminated string to parse.
+ *
+ * This function's behavior changes when strict_parse is set. When the strict
+ * parser is enabled, this function will break backwards policy compatibility,
+ * erroring on unknown syntax. This function will modify @policy.
+ *
+ * Return:
+ * Valid ipe_policy structure - OK
+ * ERR_PTR(-EBADMSG) - Invalid Policy Syntax (Unrecoverable)
+ * ERR_PTR(-ENOMEM) - Out of Memory
+ */
+struct ipe_policy *ipe_parse_policy(char *policy);
+
+/**
+ * ipe_free_policy: Deallocate an ipe_policy structure.
+ * @pol: Policy to free.
+ */
+void ipe_free_policy(struct ipe_policy *pol);
+
+#endif /* IPE_AUDIT_H */
diff --git a/security/ipe/ipe-policy.c b/security/ipe/ipe-policy.c
new file mode 100644
index 000000000000..f39282160095
--- /dev/null
+++ b/security/ipe/ipe-policy.c
@@ -0,0 +1,180 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-secfs.h"
+#include "ipe-policy.h"
+#include "ipe-parse.h"
+#include "ipe-audit.h"
+
+#include <linux/types.h>
+#include <linux/errno.h>
+#include <linux/err.h>
+#include <linux/slab.h>
+#include <linux/list.h>
+#include <linux/mutex.h>
+#include <linux/lockdep.h>
+#include <linux/fs.h>
+#include <linux/security.h>
+#include <linux/rcupdate.h>
+
+static DEFINE_MUTEX(policy_lock);
+
+#define VER_TO_UINT64(_major, _minor, _rev) \
+ ((((((u64)(_major)) << 16) | ((u64)(_minor))) << 16) | ((u64)(_rev)))
+
+/**
+ * ipe_is_version_allowed: Determine if @new has a greater or equal
+ * policy version than @old.
+ * @old: The policy to compare against.
+ * @new: The policy staged to replace @old.
+ *
+ * Return:
+ * true - @new has a policy version >= than @old
+ * false - @new does not have a policy version >= than @old
+ */
+static bool ipe_is_version_allowed(const struct ipe_pol_ver *old,
+ const struct ipe_pol_ver *new)
+{
+ u64 old_ver = VER_TO_UINT64(old->major, old->minor, old->rev);
+ u64 new_ver = VER_TO_UINT64(new->major, new->minor, new->rev);
+
+ return new_ver >= old_ver;
+}
+
+/**
+ * ipe_is_valid_policy: determine if @old is allowed to replace @new.
+ * @old: policy that the @new is supposed to replace. Can be NULL.
+ * @new: the policy that is supposed to replace @new.
+ *
+ * Return:
+ * true - @new can replace @old
+ * false - @new cannot replace @old
+ */
+bool ipe_is_valid_policy(const struct ipe_policy *old,
+ const struct ipe_policy *new)
+{
+ if (old)
+ return ipe_is_version_allowed(&old->policy_version,
+ &new->policy_version);
+ return true;
+}
+
+/**
+ * ipe_is_active_policy: Determine if @policy is the currently active policy.
+ * @policy: Policy to check if it's the active policy.
+ *
+ * NOTE: If this attribute is needed to be consistent over a critical section,
+ * do not use this function, as it does not hold the read lock over the
+ * entirety of the critical section.
+ *
+ * Return:
+ * true - @policy is the active policy
+ * false - @policy is not the active policy
+ */
+bool ipe_is_active_policy(const struct ipe_policy *policy)
+{
+ bool result;
+
+ rcu_read_lock();
+
+ result = rcu_dereference(ipe_active_policy) == policy;
+
+ rcu_read_unlock();
+
+ return result;
+}
+
+/**
+ * ipe_update_active_policy: Determine if @old is the active policy, and update
+ * the active policy if necessary.
+ * @old: The previous policy that the update is trying to replace.
+ * @new: The new policy attempting to replace @old.
+ *
+ * If @old is not the active policy, nothing will be done.
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - Invalid Policy
+ */
+int ipe_update_active_policy(const struct ipe_policy *old,
+ const struct ipe_policy *new)
+{
+ int rc = 0;
+ const struct ipe_policy *curr_policy = NULL;
+
+ /* no active policy, safe to update */
+ if (!ipe_active_policy)
+ return 0;
+
+ mutex_lock(&policy_lock);
+
+ curr_policy = rcu_dereference_protected(ipe_active_policy,
+ lockdep_is_held(&policy_lock));
+
+ if (curr_policy == old) {
+ if (!ipe_is_valid_policy(curr_policy, new)) {
+ rc = -EBADMSG;
+ goto cleanup;
+ }
+
+ ipe_audit_policy_activation(new);
+
+ (void)rcu_replace_pointer(ipe_active_policy, new,
+ lockdep_is_held(&policy_lock));
+ }
+
+ mutex_unlock(&policy_lock);
+ synchronize_rcu();
+
+ return rc;
+cleanup:
+ mutex_unlock(&policy_lock);
+ return rc;
+}
+
+/**
+ * ipe_activate_policy: Set a specific policy as the active policy.
+ * @pol: The policy to set as the active policy.
+ *
+ * This is only called by the sysctl "ipe.active_policy".
+ *
+ * Return:
+ * 0 - OK
+ * -EINVAL - Policy that is being activated is lower in version than
+ * currently running policy.
+ */
+int ipe_activate_policy(const struct ipe_policy *pol)
+{
+ int rc = 0;
+ const struct ipe_policy *curr_policy = NULL;
+
+ mutex_lock(&policy_lock);
+
+ curr_policy = rcu_dereference_protected(ipe_active_policy,
+ lockdep_is_held(&policy_lock));
+
+ /*
+ * User-set policies must be >= to current running policy.
+ */
+ if (!ipe_is_valid_policy(curr_policy, pol)) {
+ rc = -EINVAL;
+ goto cleanup;
+ }
+
+ ipe_audit_policy_activation(pol);
+
+ /* cleanup of this pointer is handled by the secfs removal */
+ (void)rcu_replace_pointer(ipe_active_policy, pol,
+ lockdep_is_held(&policy_lock));
+
+ mutex_unlock(&policy_lock);
+ synchronize_rcu();
+
+ return 0;
+cleanup:
+ mutex_unlock(&policy_lock);
+ return rc;
+}
diff --git a/security/ipe/ipe-policy.h b/security/ipe/ipe-policy.h
index c0c9f2962c92..c9da982ef2d4 100644
--- a/security/ipe/ipe-policy.h
+++ b/security/ipe/ipe-policy.h
@@ -59,4 +59,58 @@ struct ipe_policy {
struct ipe_rule_table ops[ipe_op_max - 1];
};
+/**
+ * ipe_is_valid_policy: determine if @old is allowed to replace @new.
+ * @old: policy that the @new is supposed to replace. Can be NULL.
+ * @new: the policy that is supposed to replace @new.
+ *
+ * Return:
+ * true - @new can replace @old
+ * false - @new cannot replace @old
+ */
+bool ipe_is_valid_policy(const struct ipe_policy *old,
+ const struct ipe_policy *new);
+
+/**
+ * ipe_is_active_policy: Determine if @policy is the currently active policy.
+ * @policy: Policy to check if it's the active policy.
+ *
+ * NOTE: If this attribute is needed to be consistent over a critical section,
+ * do not use this function, as it does not hold the read lock over the
+ * entirety of the critical section.
+ *
+ * Return:
+ * true - @policy is the active policy
+ * false - @policy is not the active policy
+ */
+bool ipe_is_active_policy(const struct ipe_policy *policy);
+
+/**
+ * ipe_update_active_policy: Determine if @old is the active policy, and update
+ * the active policy if necessary.
+ * @old: The previous policy that the update is trying to replace.
+ * @new: The new policy attempting to replace @old.
+ *
+ * If @old is not the active policy, nothing will be done.
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - Invalid Policy
+ */
+int ipe_update_active_policy(const struct ipe_policy *old,
+ const struct ipe_policy *new);
+
+/**
+ * ipe_activate_policy: Set a specific policy as the active policy.
+ * @pol: The policy to set as the active policy.
+ *
+ * This is only called by the sysctl "ipe.active_policy".
+ *
+ * Return:
+ * 0 - OK
+ * -EINVAL - Policy that is being activated is lower in version than
+ * currently running policy.
+ */
+int ipe_activate_policy(const struct ipe_policy *policy);
+
#endif /* IPE_POLICY_H */
diff --git a/security/ipe/ipe-secfs.c b/security/ipe/ipe-secfs.c
new file mode 100644
index 000000000000..1c9c41e143ab
--- /dev/null
+++ b/security/ipe/ipe-secfs.c
@@ -0,0 +1,814 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-parse.h"
+#include "ipe-secfs.h"
+#include "ipe-policy.h"
+#include "ipe-audit.h"
+
+#include <linux/types.h>
+#include <linux/security.h>
+#include <linux/fs.h>
+#include <linux/rcupdate.h>
+#include <linux/mutex.h>
+#include <linux/init.h>
+#include <linux/dcache.h>
+#include <linux/namei.h>
+#include <linux/verification.h>
+#include <linux/capability.h>
+
+#define IPE_ROOT "ipe"
+#define IPE_FULL_CONTENT "raw"
+#define IPE_INNER_CONTENT "content"
+#define IPE_POLICIES "policies"
+#define IPE_NEW_POLICY "new_policy"
+#define IPE_DELETE_POLICY "del_policy"
+
+struct ipe_policy_node {
+ u8 *data;
+ size_t data_len;
+ const u8 *content;
+ size_t content_size;
+
+ struct ipe_policy *parsed;
+};
+
+/* root directory */
+static struct dentry *ipe_secfs_root __ro_after_init;
+
+/* subdirectory containing policies */
+static struct dentry *ipe_policies_root __ro_after_init;
+
+/* boot policy */
+static struct dentry *boot_policy_node __ro_after_init;
+
+/* top-level policy commands */
+static struct dentry *ipe_new_policy __ro_after_init;
+static struct dentry *ipe_del_policy __ro_after_init;
+
+static ssize_t ipe_secfs_new_policy(struct file *f, const char __user *data,
+ size_t len, loff_t *offset);
+
+static ssize_t ipe_secfs_del_policy(struct file *f, const char __user *data,
+ size_t len, loff_t *offset);
+
+static ssize_t ipe_secfs_rd_policy(struct file *f, char __user *data,
+ size_t len, loff_t *offset);
+
+static ssize_t ipe_secfs_ud_policy(struct file *f, const char __user *data,
+ size_t len, loff_t *offset);
+
+static ssize_t ipe_secfs_rd_content(struct file *f, char __user *data,
+ size_t len, loff_t *offset);
+
+const static struct file_operations new_policy_ops = {
+ .write = ipe_secfs_new_policy
+};
+
+const static struct file_operations del_policy_ops = {
+ .write = ipe_secfs_del_policy
+};
+
+const static struct file_operations policy_raw_ops = {
+ .read = ipe_secfs_rd_policy,
+ .write = ipe_secfs_ud_policy
+};
+
+const static struct file_operations policy_content_ops = {
+ .read = ipe_secfs_rd_content
+};
+
+/**
+ * ipe_free_policy_node: Free an ipe_policy_node structure allocated by
+ * ipe_alloc_policy_node.
+ * @n: Ipe_policy_node to free
+ */
+static void ipe_free_policy_node(struct ipe_policy_node *n)
+{
+ if (IS_ERR_OR_NULL(n))
+ return;
+
+ ipe_free_policy(n->parsed);
+ kfree(n->data);
+
+ kfree(n);
+}
+
+/**
+ * alloc_callback: Callback given to verify_pkcs7_signature function to set
+ * the inner content reference and parse the policy.
+ * @ctx: "ipe_policy_node" to set inner content, size and parsed policy of.
+ * @data: Start of PKCS#7 inner content.
+ * @len: Length of @data.
+ * @asn1hdrlen: Unused.
+ *
+ * Return:
+ * 0 - OK
+ * ERR_PTR(-EBADMSG) - Invalid policy syntax
+ * ERR_PTR(-ENOMEM) - Out of memory
+ */
+static int alloc_callback(void *ctx, const void *data, size_t len,
+ size_t asn1hdrlen)
+{
+ char *cpy = NULL;
+ struct ipe_policy *pol = NULL;
+ struct ipe_policy_node *n = (struct ipe_policy_node *)ctx;
+
+ n->content = (const u8 *)data;
+ n->content_size = len;
+
+ if (len == 0)
+ return -EBADMSG;
+
+ cpy = kzalloc(len + 1, GFP_KERNEL);
+ if (!cpy)
+ return -ENOMEM;
+
+ (void)strncpy(cpy, data, len);
+
+ pol = ipe_parse_policy(cpy);
+ if (IS_ERR(pol)) {
+ kfree(cpy);
+ return PTR_ERR(pol);
+ }
+
+ n->parsed = pol;
+ kfree(cpy);
+ return 0;
+}
+
+/**
+ * ipe_alloc_policy_node: Allocate a new ipe_policy_node structure.
+ * @data: Raw enveloped PKCS#7 data that represents the policy.
+ * @len: Length of @data.
+ *
+ * Return:
+ * valid ipe_policy_node - OK
+ * ERR_PTR(-EBADMSG) - Invalid policy syntax
+ * ERR_PTR(-ENOMEM) - Out of memory
+ */
+static struct ipe_policy_node *ipe_alloc_policy_node(const u8 *data,
+ size_t len)
+{
+ int rc = 0;
+ struct ipe_policy_node *node = NULL;
+
+ node = kzalloc(sizeof(*node), GFP_KERNEL);
+ if (!node) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ node->data_len = len;
+ node->data = kmemdup(data, len, GFP_KERNEL);
+ if (!node->data) {
+ rc = -ENOMEM;
+ goto out2;
+ }
+
+ rc = verify_pkcs7_signature(node->content, node->content_size,
+ node->data, node->data_len, NULL,
+ VERIFYING_UNSPECIFIED_SIGNATURE,
+ alloc_callback, node);
+ if (rc != 0)
+ goto out2;
+
+ return node;
+out2:
+ ipe_free_policy_node(node);
+out:
+ return ERR_PTR(rc);
+}
+
+/**
+ * ipe_build_policy_secfs_node: Build a new securityfs node for IPE policies.
+ * @data: Raw enveloped PKCS#7 data that represents the policy.
+ * @len: Length of @data.
+ *
+ * Return:
+ * 0 - OK
+ * -EEXIST - Policy already exists
+ * -EBADMSG - Invalid policy syntax
+ * -ENOMEM - Out of memory
+ */
+int ipe_build_policy_secfs_node(const u8 *data, size_t len)
+{
+ int rc = 0;
+ struct dentry *raw = NULL;
+ struct dentry *root = NULL;
+ struct inode *root_i = NULL;
+ struct dentry *content = NULL;
+ struct crypto_shash *tfm = NULL;
+ struct ipe_policy_node *node = NULL;
+
+ tfm = crypto_alloc_shash("sha1", 0, 0);
+ if (IS_ERR(tfm))
+ goto out;
+
+ node = ipe_alloc_policy_node(data, len);
+ if (IS_ERR(node)) {
+ rc = PTR_ERR(node);
+ goto out2;
+ }
+
+ root = securityfs_create_dir(node->parsed->policy_name,
+ ipe_policies_root);
+ if (IS_ERR(root)) {
+ rc = PTR_ERR(root);
+ goto out3;
+ }
+
+ root_i = d_inode(root);
+
+ inode_lock(root_i);
+ root_i->i_private = node;
+ ipe_audit_policy_load(node->parsed, node->data, node->data_len, tfm);
+ inode_unlock(root_i);
+
+ raw = securityfs_create_file(IPE_FULL_CONTENT, 0644, root, NULL,
+ &policy_raw_ops);
+ if (IS_ERR(raw)) {
+ rc = PTR_ERR(raw);
+ goto out4;
+ }
+
+ content = securityfs_create_file(IPE_INNER_CONTENT, 0444, root,
+ NULL, &policy_content_ops);
+ if (IS_ERR(raw)) {
+ rc = PTR_ERR(raw);
+ goto out5;
+ }
+
+ crypto_free_shash(tfm);
+ return rc;
+out5:
+ securityfs_remove(raw);
+out4:
+ securityfs_remove(root);
+out3:
+ ipe_free_policy_node(node);
+out2:
+ crypto_free_shash(tfm);
+out:
+ return rc;
+}
+
+/**
+ * ipe_secfs_new_policy: Entry point of the securityfs node, "ipe/new_policy".
+ * @f: Unused
+ * @data: Raw enveloped PKCS#7 data that represents the policy.
+ * @len: Length of @data.
+ * @offset: Offset for @data.
+ *
+ * Return:
+ * > 0 - OK
+ * -EEXIST - Policy already exists
+ * -EBADMSG - Invalid policy syntax
+ * -ENOMEM - Out of memory
+ * -EPERM - if a MAC subsystem is enabled, missing CAP_MAC_ADMIN
+ */
+static ssize_t ipe_secfs_new_policy(struct file *f, const char __user *data,
+ size_t len, loff_t *offset)
+{
+ ssize_t rc = 0;
+ u8 *cpy = NULL;
+ ssize_t written = 0;
+
+ if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
+ return -EPERM;
+
+ cpy = kzalloc(len, GFP_KERNEL);
+ if (!cpy) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ written = simple_write_to_buffer(cpy, len, offset, data, len);
+ if (written < 0) {
+ rc = written;
+ goto err;
+ }
+
+ rc = ipe_build_policy_secfs_node(cpy, written);
+err:
+ kfree(cpy);
+ return rc < 0 ? rc : written;
+}
+
+/**
+ * retrieve_backed_dentry: Retrieve a dentry with a backing inode, identified
+ * by @name, under @parent.
+ * @name: Name of the dentry under @parent.
+ * @parent: The parent dentry to search under for @name.
+ * @size: Length of @name.
+ *
+ * This takes a reference to the returned dentry. Caller needs to call dput
+ * to drop the reference.
+ *
+ * Return:
+ * valid dentry - OK
+ * ERR_PTR - Error, see lookup_one_len_unlocked
+ * NULL - No backing inode was found
+ */
+static struct dentry *retrieve_backed_dentry(const char *name,
+ struct dentry *parent,
+ size_t size)
+{
+ int rc = 0;
+ struct dentry *tmp = NULL;
+
+ tmp = lookup_one_len_unlocked(name, parent, size);
+ if (IS_ERR(tmp)) {
+ rc = PTR_ERR(tmp);
+ goto out;
+ }
+
+ if (!d_really_is_positive(tmp))
+ goto out1;
+
+ return tmp;
+out1:
+ tmp = NULL;
+out:
+ return rc == 0 ? NULL : ERR_PTR(rc);
+}
+
+/**
+ * ipe_secfs_del_policy: Delete a policy indicated by the name provided by
+ * @data
+ * @f: Unused.
+ * @data: Buffer containing the policy id to delete.
+ * @len: Length of @data.
+ * @offset: Offset into @data.
+ *
+ * NOTE: Newlines are treated as part of the name, if using echo to test,
+ * use -n to prohibit the silent addition of a newline.
+ *
+ * Return:
+ * > 0 - OK
+ * -ENOMEM - Out of memory
+ * -EPERM - Policy is active
+ * -ENOENT - Policy does not exist
+ * -EPERM - if a MAC subsystem is enabled, missing CAP_MAC_ADMIN
+ * Other - See retrieve_backed_dentry
+ */
+static ssize_t ipe_secfs_del_policy(struct file *f, const char __user *data,
+ size_t len, loff_t *offset)
+{
+ ssize_t rc = 0;
+ char *id = NULL;
+ ssize_t written = 0;
+ struct dentry *raw = NULL;
+ struct dentry *content = NULL;
+ struct inode *policy_i = NULL;
+ struct dentry *policy_root = NULL;
+ struct inode *policies_root = NULL;
+ const struct ipe_policy *target = NULL;
+
+ if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
+ return -EPERM;
+
+ id = kzalloc(len, GFP_KERNEL);
+ if (!id) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ written = simple_write_to_buffer(id, len, offset, data, len);
+ if (written < 0) {
+ rc = written;
+ goto out;
+ }
+
+ policies_root = d_inode(ipe_policies_root);
+
+ policy_root = retrieve_backed_dentry(id, ipe_policies_root, written);
+ if (IS_ERR_OR_NULL(policy_root)) {
+ rc = IS_ERR(policy_root) ? PTR_ERR(policy_root) : -ENOENT;
+ goto out;
+ }
+
+ policy_i = d_inode(policy_root);
+
+ /* if the found dentry matches boot policy, fail */
+ if (boot_policy_node == policy_root) {
+ rc = -EACCES;
+ goto out1;
+ }
+
+ target = ((struct ipe_policy_node *)policy_i->i_private)->parsed;
+
+ /* fail if it's the active policy */
+ if (ipe_is_active_policy(target)) {
+ rc = -EPERM;
+ goto out1;
+ }
+
+ raw = retrieve_backed_dentry(IPE_FULL_CONTENT, policy_root,
+ strlen(IPE_FULL_CONTENT));
+ if (IS_ERR_OR_NULL(raw)) {
+ rc = IS_ERR(raw) ? PTR_ERR(raw) : -ENOENT;
+ goto out1;
+ }
+
+ content = retrieve_backed_dentry(IPE_INNER_CONTENT, policy_root,
+ strlen(IPE_INNER_CONTENT));
+ if (IS_ERR_OR_NULL(content)) {
+ rc = IS_ERR(content) ? PTR_ERR(content) : -ENOENT;
+ goto out2;
+ }
+
+ inode_lock(policies_root);
+ ipe_free_policy_node(policy_i->i_private);
+ policy_i->i_private = NULL;
+ inode_unlock(policies_root);
+
+ dput(raw);
+ dput(content);
+ dput(policy_root);
+ securityfs_remove(raw);
+ securityfs_remove(content);
+ securityfs_remove(policy_root);
+
+ kfree(id);
+ return written;
+out2:
+ dput(raw);
+out1:
+ dput(policy_root);
+out:
+ kfree(id);
+ return rc;
+}
+
+/**
+ * ipe_secfs_rd_policy: Read the raw content (full enveloped PKCS7) data of
+ * the policy stored within the file's parent inode.
+ * @f: File representing the securityfs entry.
+ * @data: User mode buffer to place the raw pkcs7.
+ * @len: Length of @data.
+ * @offset: Offset into @data.
+ *
+ * Return:
+ * > 0 - OK
+ * -ENOMEM - Out of memory
+ */
+static ssize_t ipe_secfs_rd_policy(struct file *f, char __user *data,
+ size_t size, loff_t *offset)
+{
+ ssize_t rc = 0;
+ size_t avail = 0;
+ u8 *buffer = NULL;
+ struct inode *root = NULL;
+ const struct ipe_policy_node *node = NULL;
+
+ root = d_inode(f->f_path.dentry->d_parent);
+
+ inode_lock_shared(root);
+ node = (const struct ipe_policy_node *)root->i_private;
+
+ avail = node->data_len;
+ buffer = kmemdup(node->data, avail, GFP_KERNEL);
+ if (!buffer) {
+ rc = -ENOMEM;
+ goto cleanup;
+ }
+
+ rc = simple_read_from_buffer(data, size, offset, buffer, avail);
+cleanup:
+ inode_unlock_shared(root);
+
+ return rc;
+}
+
+/**
+ * ipe_secfs_ud_policy: Update a policy in place with a new PKCS7 policy.
+ * @f: File representing the securityfs entry.
+ * @data: Buffer user mode to place the raw pkcs7.
+ * @len: Length of @data.
+ * @offset: Offset into @data.
+ *
+ * Return:
+ * 0 - OK
+ * -EBADMSG - Invalid policy format
+ * -ENOMEM - Out of memory
+ * -EPERM - if a MAC subsystem is enabled, missing CAP_MAC_ADMIN
+ * -EINVAL - Incorrect policy name for this node, or version is < current
+ */
+static ssize_t ipe_secfs_ud_policy(struct file *f, const char __user *data,
+ size_t len, loff_t *offset)
+{
+ ssize_t rc = 0;
+ u8 *cpy = NULL;
+ ssize_t written = 0;
+ struct inode *root = NULL;
+ struct crypto_shash *tfm = NULL;
+ struct ipe_policy_node *new = NULL;
+ struct ipe_policy_node *old = NULL;
+
+ if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
+ return -EPERM;
+
+ cpy = kzalloc(len, GFP_KERNEL);
+ if (!cpy) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ written = simple_write_to_buffer(cpy, len, offset, data, len);
+ if (written < 0) {
+ rc = written;
+ goto out;
+ }
+
+ new = ipe_alloc_policy_node(cpy, len);
+ if (IS_ERR(new)) {
+ rc = PTR_ERR(new);
+ goto out;
+ }
+
+ tfm = crypto_alloc_shash("sha1", 0, 0);
+ if (IS_ERR(tfm))
+ goto out2;
+
+ root = d_inode(f->f_path.dentry->d_parent);
+ inode_lock(root);
+
+ old = (struct ipe_policy_node *)root->i_private;
+
+ if (strcmp(old->parsed->policy_name, new->parsed->policy_name)) {
+ rc = -EINVAL;
+ goto out3;
+ }
+
+ if (!ipe_is_valid_policy(old->parsed, new->parsed)) {
+ rc = -EINVAL;
+ goto out3;
+ }
+
+ rc = ipe_update_active_policy(old->parsed, new->parsed);
+ if (rc != 0)
+ goto out3;
+
+ ipe_audit_policy_load(new->parsed, new->data, new->data_len, tfm);
+ swap(root->i_private, new);
+
+ inode_unlock(root);
+ kfree(cpy);
+ ipe_free_policy_node(new);
+ crypto_free_shash(tfm);
+
+ return written;
+out3:
+ inode_unlock(root);
+ ipe_free_policy_node(new);
+out2:
+ crypto_free_shash(tfm);
+out:
+ kfree(cpy);
+ return rc;
+}
+
+/**
+ * ipe_secfs_rd_content: Read the inner content of the enveloped PKCS7 data,
+ * representing the IPE policy.
+ * @f: File representing the securityfs entry.
+ * @data: User mode buffer to place the inner content of the pkcs7 data.
+ * @len: Length of @data.
+ * @offset: Offset into @data.
+ *
+ * Return:
+ * > 0 - OK
+ * -ENOMEM - Out of memory
+ */
+static ssize_t ipe_secfs_rd_content(struct file *f, char __user *data,
+ size_t size, loff_t *offset)
+{
+ ssize_t rc = 0;
+ size_t avail = 0;
+ u8 *buffer = NULL;
+ struct inode *root = NULL;
+ const struct ipe_policy_node *node = NULL;
+
+ root = d_inode(f->f_path.dentry->d_parent);
+
+ inode_lock(root);
+ node = (const struct ipe_policy_node *)root->i_private;
+
+ avail = node->content_size;
+ buffer = kmemdup(node->content, avail, GFP_KERNEL);
+ if (!buffer) {
+ rc = -ENOMEM;
+ goto cleanup;
+ }
+
+ rc = simple_read_from_buffer(data, size, offset, buffer, avail);
+cleanup:
+ inode_unlock(root);
+
+ return rc;
+}
+
+/**
+ * ipe_build_secfs_root: Build the root of securityfs for IPE.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - See securityfs_create_dir and securityfs_create_file
+ */
+int __init ipe_build_secfs_root(void)
+{
+ int rc = 0;
+ struct dentry *new = NULL;
+ struct dentry *del = NULL;
+ struct dentry *root = NULL;
+ struct dentry *policies = NULL;
+
+ root = securityfs_create_dir(IPE_ROOT, NULL);
+ if (IS_ERR(root)) {
+ rc = PTR_ERR(root);
+ goto out;
+ }
+
+ new = securityfs_create_file(IPE_NEW_POLICY, 0644, root, NULL,
+ &new_policy_ops);
+ if (IS_ERR(new)) {
+ rc = PTR_ERR(new);
+ goto out1;
+ }
+
+ del = securityfs_create_file(IPE_DELETE_POLICY, 0644, root, NULL,
+ &del_policy_ops);
+ if (IS_ERR(del)) {
+ rc = PTR_ERR(del);
+ goto out2;
+ }
+
+ policies = securityfs_create_dir(IPE_POLICIES, root);
+ if (IS_ERR(policies)) {
+ rc = PTR_ERR(policies);
+ goto out3;
+ }
+
+ ipe_secfs_root = root;
+ ipe_new_policy = new;
+ ipe_del_policy = del;
+ ipe_policies_root = policies;
+
+ return rc;
+
+out3:
+ securityfs_remove(del);
+out2:
+ securityfs_remove(new);
+out1:
+ securityfs_remove(root);
+out:
+ return rc;
+}
+
+/**
+ * ipe_build_secfs_boot_node: Build a policy node for IPE's boot policy.
+ *
+ * This differs from the normal policy nodes, as the IPE boot policy is
+ * read only.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - See securityfs_create_dir and securityfs_create_file
+ */
+static int __init ipe_build_secfs_boot_node(void)
+{
+ int rc = 0;
+ char *cpy = NULL;
+ struct dentry *raw = NULL;
+ struct inode *raw_i = NULL;
+ struct dentry *root = NULL;
+ struct dentry *content = NULL;
+ struct ipe_policy *parsed = NULL;
+ struct ipe_policy_node *node = NULL;
+
+ if (!ipe_boot_policy)
+ return 0;
+
+ node = kzalloc(sizeof(*node), GFP_KERNEL);
+ if (!node) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ cpy = kstrdup(ipe_boot_policy, GFP_KERNEL);
+ if (!cpy) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ parsed = ipe_parse_policy(cpy);
+ if (IS_ERR(parsed)) {
+ rc = PTR_ERR(parsed);
+ goto out2;
+ }
+
+ node->content = ipe_boot_policy;
+ node->content_size = strlen(cpy);
+ node->parsed = parsed;
+
+ root = securityfs_create_dir(node->parsed->policy_name,
+ ipe_policies_root);
+ if (IS_ERR(root)) {
+ rc = PTR_ERR(root);
+ goto out2;
+ }
+
+ raw_i = d_inode(root);
+
+ inode_lock(raw_i);
+ raw_i->i_private = node;
+ inode_unlock(raw_i);
+
+ content = securityfs_create_file(IPE_INNER_CONTENT, 0444, root, NULL,
+ &policy_content_ops);
+ if (IS_ERR(raw)) {
+ rc = PTR_ERR(raw);
+ goto out3;
+ }
+
+ boot_policy_node = root;
+ rc = ipe_activate_policy(node->parsed);
+ return rc;
+
+out3:
+ securityfs_remove(root);
+out2:
+ ipe_free_policy(parsed);
+out:
+ kfree(cpy);
+ kfree(node);
+ return rc;
+}
+
+/**
+ * ipe_set_active_policy: Set the policy identified by @id as the active
+ * policy.
+ * @id: Policy id represnting the policy to activate.
+ * @id_len: Length of @id.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOENT - Policy identified by @id does not exist
+ * -EINVAL - Policy that is being activated is lower in version than
+ * currently running policy.
+ * Other - See retrieve_backed_dentry
+ */
+int ipe_set_active_policy(const char *id, size_t id_len)
+{
+ int rc = 0;
+ struct dentry *policy_root = NULL;
+ const struct ipe_policy_node *ref = NULL;
+
+ policy_root = retrieve_backed_dentry(id, ipe_policies_root, id_len);
+ if (IS_ERR_OR_NULL(policy_root))
+ return IS_ERR(policy_root) ? PTR_ERR(policy_root) : -ENOENT;
+
+ inode_lock_shared(d_inode(policy_root));
+
+ ref = (const struct ipe_policy_node *)d_inode(policy_root)->i_private;
+ rc = ipe_activate_policy(ref->parsed);
+
+ inode_unlock_shared(d_inode(policy_root));
+ dput(policy_root);
+
+ return rc;
+}
+
+/**
+ * ipe_securityfs_init: Initialize IPE's securityfs entries.
+ *
+ * This is called after the lsm initialization.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - Error
+ */
+int __init ipe_securityfs_init(void)
+{
+ int rc = 0;
+
+ rc = ipe_build_secfs_root();
+ if (rc != 0)
+ goto err;
+
+ rc = ipe_build_secfs_boot_node();
+ if (rc != 0)
+ panic("IPE failed to initialize the boot policy: %d", rc);
+
+ return rc;
+err:
+ pr_err("failed to initialize secfs: %d", -rc);
+ return rc;
+}
+
+core_initcall(ipe_securityfs_init);
diff --git a/security/ipe/ipe-secfs.h b/security/ipe/ipe-secfs.h
new file mode 100644
index 000000000000..714ae70a4c8e
--- /dev/null
+++ b/security/ipe/ipe-secfs.h
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+#include <linux/types.h>
+
+#include "ipe-policy.h"
+
+#ifndef IPE_SECFS_H
+#define IPE_SECFS_H
+
+/**
+ * ipe_set_active_policy: Set the policy identified by @id as the active
+ * policy.
+ * @id: Policy id represnting the policy to activate.
+ * @id_len: Length of @id.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOENT - Policy identified by @id does not exist
+ * Other - See retrieve_backed_dentry
+ */
+int ipe_set_active_policy(const char *id, size_t id_len);
+
+#endif /* IPE_SECFS_H */
diff --git a/security/ipe/ipe-sysfs.c b/security/ipe/ipe-sysfs.c
index c97685a25b6a..a3c998da69da 100644
--- a/security/ipe/ipe-sysfs.c
+++ b/security/ipe/ipe-sysfs.c
@@ -5,6 +5,7 @@
#include "ipe.h"
#include "ipe-audit.h"
+#include "ipe-secfs.h"
#include <linux/sysctl.h>
#include <linux/fs.h>
@@ -45,6 +46,73 @@ static int ipe_switch_mode(struct ctl_table *table, int write,
#endif /* CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH */
+#ifdef CONFIG_SECURITYFS
+
+/**
+ * ipe_switch_active_policy: Handler to switch the policy IPE is enforcing.
+ * @table: Sysctl table entry from the variable, sysctl_table.
+ * @write: Integer indicating whether this is a write or a read.
+ * @buffer: Data passed to sysctl. This is the policy id to activate,
+ * for this function.
+ * @lenp: Pointer to the size of @buffer.
+ * @ppos: Offset into @buffer.
+ *
+ * This wraps proc_dointvec_minmax, and if there's a change, emits an
+ * audit event.
+ *
+ * Return:
+ * 0 - OK
+ * -ENOMEM - Out of memory
+ * -ENOENT - Policy identified by @id does not exist
+ * Other - See proc_dostring and retrieve_backed_dentry
+ */
+static int ipe_switch_active_policy(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+{
+ int rc = 0;
+ char *id = NULL;
+ size_t size = 0;
+
+ if (write) {
+ id = kzalloc((*lenp) + 1, GFP_KERNEL);
+ if (!id)
+ return -ENOMEM;
+
+ table->data = id;
+ table->maxlen = (*lenp) + 1;
+
+ rc = proc_dostring(table, write, buffer, lenp, ppos);
+ if (rc != 0)
+ goto out;
+
+ rc = ipe_set_active_policy(id, strlen(id));
+ } else {
+ rcu_read_lock();
+ size = strlen(rcu_dereference(ipe_active_policy)->policy_name);
+ rcu_read_unlock();
+
+ id = kzalloc(size + 1, GFP_KERNEL);
+ if (!id)
+ return -ENOMEM;
+
+ rcu_read_lock();
+ strncpy(id, rcu_dereference(ipe_active_policy)->policy_name,
+ size);
+ rcu_read_unlock();
+
+ table->data = id;
+ table->maxlen = size;
+
+ rc = proc_dostring(table, write, buffer, lenp, ppos);
+ }
+out:
+ kfree(id);
+ return rc;
+}
+
+#endif /* CONFIG_SECURITYFS */
+
static struct ctl_table_header *sysctl_header;
static const struct ctl_path sysctl_path[] = {
@@ -75,6 +143,24 @@ static struct ctl_table sysctl_table[] = {
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
+#ifdef CONFIG_SECURITYFS
+ {
+ .procname = "strict_parse",
+ .data = &strict_parse,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+ {
+ .procname = "active_policy",
+ .data = NULL,
+ .maxlen = 0,
+ .mode = 0644,
+ .proc_handler = ipe_switch_active_policy,
+ },
+#endif /* CONFIG_SECURITYFS */
{}
/* TODO: Active Policy Selector */
};
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 0c30d7c629c9..4642a0da57e5 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -6,6 +6,7 @@
#include "ipe.h"
#include "ipe-policy.h"
#include "ipe-hooks.h"
+#include "ipe-secfs.h"
#include "ipe-sysfs.h"
#include <linux/module.h>
@@ -97,3 +98,15 @@ MODULE_PARM_DESC(enforce, "enforce/permissive mode switch");
int success_audit;
module_param(success_audit, int, 0644);
MODULE_PARM_DESC(success_audit, "audit message on allow");
+
+/**
+ * strict_parse: Kernel command line parameter to enable strict parsing of
+ * IPE policies - causing unrecognized properties to fail
+ * parsing. This breaks backwards compatibility of IPE policies,
+ * when enabled.
+ *
+ * This is also controlled by the sysctl, "ipe.strict_parse".
+ */
+int strict_parse;
+module_param(strict_parse, int, 0644);
+MODULE_PARM_DESC(strict_parse, "parse using strict semantics");
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
index 52e5ea0ccaef..c016b57aa70b 100644
--- a/security/ipe/ipe.h
+++ b/security/ipe/ipe.h
@@ -16,5 +16,6 @@
extern int enforce;
extern int success_audit;
+extern int strict_parse;
#endif /* IPE_H */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 04/12] ipe: add property for trust of boot volume
2020-04-06 22:14 ` deven.desai
` (3 preceding siblings ...)
(?)
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add a property for IPE policy to express trust of the first superblock
where a file would be evaluated to determine trust.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
security/ipe/Kconfig | 2 +
security/ipe/Makefile | 4 ++
security/ipe/ipe-engine.c | 4 ++
security/ipe/ipe-hooks.c | 19 +++++
security/ipe/ipe-hooks.h | 2 +
security/ipe/ipe-pin.c | 93 +++++++++++++++++++++++++
security/ipe/ipe-pin.h | 56 +++++++++++++++
security/ipe/ipe.c | 14 +++-
security/ipe/properties/Kconfig | 14 ++++
security/ipe/properties/Makefile | 11 +++
security/ipe/properties/boot-verified.c | 84 ++++++++++++++++++++++
security/ipe/properties/prop-entry.h | 20 ++++++
security/ipe/utility.h | 22 ++++++
13 files changed, 344 insertions(+), 1 deletion(-)
create mode 100644 security/ipe/ipe-pin.c
create mode 100644 security/ipe/ipe-pin.h
create mode 100644 security/ipe/properties/Kconfig
create mode 100644 security/ipe/properties/Makefile
create mode 100644 security/ipe/properties/boot-verified.c
create mode 100644 security/ipe/properties/prop-entry.h
create mode 100644 security/ipe/utility.h
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
index ef6fb019be6f..b1d89244da3e 100644
--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -38,4 +38,6 @@ config SECURITY_IPE_PERMISSIVE_SWITCH
If unsure, answer Y.
+source "security/ipe/properties/Kconfig"
+
endif
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
index 4dcfc5b26b58..741914ddc338 100644
--- a/security/ipe/Makefile
+++ b/security/ipe/Makefile
@@ -27,3 +27,7 @@ obj-$(CONFIG_SECURITY_IPE) += \
ipe-sysfs.o \
clean-files := ipe-bp.c
+
+obj-$(CONFIG_IPE_BOOT_PROP) += ipe-pin.o
+
+obj-$(CONFIG_SECURITY_IPE) += properties/
diff --git a/security/ipe/ipe-engine.c b/security/ipe/ipe-engine.c
index 9df17ebc1a01..6b1a4ce8c387 100644
--- a/security/ipe/ipe-engine.c
+++ b/security/ipe/ipe-engine.c
@@ -9,6 +9,8 @@
#include "ipe-policy.h"
#include "ipe-engine.h"
#include "ipe-audit.h"
+#include "ipe-pin.h"
+#include "utility.h"
#include <linux/types.h>
#include <linux/fs.h>
@@ -333,6 +335,8 @@ int ipe_process_event(const struct file *file, enum ipe_op op,
if (IS_ERR(ctx))
goto cleanup;
+ ipe_pin_superblock(ctx->file);
+
rc = prealloc_cache(ctx, &cache);
if (rc != 0)
goto cleanup;
diff --git a/security/ipe/ipe-hooks.c b/security/ipe/ipe-hooks.c
index a5d37b87c0cd..43182ba25cc5 100644
--- a/security/ipe/ipe-hooks.c
+++ b/security/ipe/ipe-hooks.c
@@ -6,6 +6,7 @@
#include "ipe.h"
#include "ipe-hooks.h"
#include "ipe-engine.h"
+#include "ipe-pin.h"
#include <linux/types.h>
#include <linux/fs.h>
@@ -149,3 +150,21 @@ int ipe_on_kernel_load_data(enum kernel_load_data_id id)
ipe_hook_kernel_load);
}
}
+
+/**
+ * ipe_sb_free_security: LSM hook called on sb_free_security.
+ * @mnt_sb: Super block that is being freed.
+ *
+ * IPE does not currently utilize the super block security hook,
+ * it utilizes this hook to invalidate the saved super block for
+ * the boot_verified property.
+ *
+ * For more information, see the LSM hook, sb_free_security.
+ *
+ * Return:
+ * 0 - OK
+ */
+void ipe_sb_free_security(struct super_block *mnt_sb)
+{
+ ipe_invalidate_pinned_sb(mnt_sb);
+}
diff --git a/security/ipe/ipe-hooks.h b/security/ipe/ipe-hooks.h
index 6af706a130ce..55e417c72425 100644
--- a/security/ipe/ipe-hooks.h
+++ b/security/ipe/ipe-hooks.h
@@ -111,4 +111,6 @@ int ipe_on_kernel_read(struct file *file, enum kernel_read_file_id id);
*/
int ipe_on_kernel_load_data(enum kernel_load_data_id id);
+void ipe_sb_free_security(struct super_block *mnt_sb);
+
#endif /* IPE_HOOK_H */
diff --git a/security/ipe/ipe-pin.c b/security/ipe/ipe-pin.c
new file mode 100644
index 000000000000..a963be8e5321
--- /dev/null
+++ b/security/ipe/ipe-pin.c
@@ -0,0 +1,93 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * This file has been heavily adapted from the source code of the
+ * loadpin LSM. The source code for loadpin is co-located in the linux
+ * tree under security/loadpin/loadpin.c.
+ *
+ * Please see loadpin.c for up-to-date information about
+ * loadpin.
+ */
+
+#include "ipe.h"
+
+#include <linux/types.h>
+#include <linux/spinlock_types.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/magic.h>
+#include <linux/mm.h>
+#include <linux/mman.h>
+
+static DEFINE_SPINLOCK(pinned_sb_spinlock);
+
+static struct super_block *pinned_sb;
+
+/**
+ * ipe_is_from_pinned_sb: Determine if @file originates from the initial
+ * super block that a file was executed from.
+ * @file: File to check if it originates from the super block.
+ *
+ * Return:
+ * true - File originates from the initial super block
+ * false - File does not originate from the initial super block
+ */
+bool ipe_is_from_pinned_sb(const struct file *file)
+{
+ bool rv = false;
+
+ spin_lock(&pinned_sb_spinlock);
+
+ /*
+ * Check if pinned_sb is set:
+ * NULL == not set -> exit
+ * ERR == was once set (and has been unmounted) -> exit
+ * AND check that the pinned sb is the same as the file's.
+ */
+ if (!IS_ERR_OR_NULL(pinned_sb) &&
+ file->f_path.mnt->mnt_sb == pinned_sb) {
+ rv = true;
+ goto cleanup;
+ }
+
+cleanup:
+ spin_unlock(&pinned_sb_spinlock);
+ return rv;
+}
+
+/**
+ * ipe_pin_superblock: Attempt to save a file's super block address to later
+ * determine if a file originates from a super block.
+ * @file: File to source the super block from.
+ */
+void ipe_pin_superblock(const struct file *file)
+{
+ spin_lock(&pinned_sb_spinlock);
+
+ /* if set, return */
+ if (pinned_sb || !file)
+ goto cleanup;
+
+ pinned_sb = file->f_path.mnt->mnt_sb;
+cleanup:
+ spin_unlock(&pinned_sb_spinlock);
+}
+
+/**
+ * ipe_invalidate_pinned_sb: Invalidate the saved super block.
+ * @mnt_sb: Super block to compare against the saved super block.
+ *
+ * This avoids authorizing a file when the super block does not exist anymore.
+ */
+void ipe_invalidate_pinned_sb(const struct super_block *mnt_sb)
+{
+ spin_lock(&pinned_sb_spinlock);
+
+ /*
+ * On pinned sb unload - invalidate the pinned address
+ * by setting the pinned_sb to ERR_PTR(-EIO)
+ */
+ if (!IS_ERR_OR_NULL(pinned_sb) && mnt_sb == pinned_sb)
+ pinned_sb = ERR_PTR(-EIO);
+
+ spin_unlock(&pinned_sb_spinlock);
+}
diff --git a/security/ipe/ipe-pin.h b/security/ipe/ipe-pin.h
new file mode 100644
index 000000000000..7c3773d8387d
--- /dev/null
+++ b/security/ipe/ipe-pin.h
@@ -0,0 +1,56 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+#ifndef IPE_PIN_H
+#define IPE_PIN_H
+
+#include <linux/types.h>
+#include <linux/fs.h>
+
+#ifdef CONFIG_IPE_BOOT_PROP
+
+/**
+ * ipe_is_from_pinned_sb: Determine if @file originates from the initial
+ * super block that a file was executed from.
+ * @file: File to check if it originates from the super block.
+ *
+ * Return:
+ * true - File originates from the initial super block
+ * false - File does not originate from the initial super block
+ */
+bool ipe_is_from_pinned_sb(const struct file *file);
+
+/**
+ * ipe_pin_superblock: Attempt to save a file's super block address to later
+ * determine if a file originates from a super block.
+ * @file: File to source the super block from.
+ */
+void ipe_pin_superblock(const struct file *file);
+
+/**
+ * ipe_invalidate_pinned_sb: Invalidate the saved super block.
+ * @mnt_sb: Super block to compare against the saved super block.
+ *
+ * This avoids authorizing a file when the super block does not exist anymore.
+ */
+void ipe_invalidate_pinned_sb(const struct super_block *mnt_sb);
+
+#else /* CONFIG_IPE_BOOT_PROP */
+
+static inline bool ipe_is_from_pinned_sb(const struct file *file)
+{
+ return false;
+}
+
+static inline void ipe_pin_superblock(const struct file *file)
+{
+}
+
+static inline void ipe_invalidate_pinned_sb(const struct super_block *mnt_sb)
+{
+}
+
+#endif /* !CONFIG_IPE_BOOT_PROP */
+
+#endif /* IPE_PIN_H */
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 4642a0da57e5..971c50ecadaf 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -8,6 +8,7 @@
#include "ipe-hooks.h"
#include "ipe-secfs.h"
#include "ipe-sysfs.h"
+#include "properties/prop-entry.h"
#include <linux/module.h>
#include <linux/lsm_hooks.h>
@@ -23,6 +24,7 @@ static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(kernel_read_file, ipe_on_kernel_read),
LSM_HOOK_INIT(kernel_load_data, ipe_on_kernel_load_data),
LSM_HOOK_INIT(file_mprotect, ipe_on_mprotect),
+ LSM_HOOK_INIT(sb_free_security, ipe_sb_free_security),
};
/**
@@ -34,7 +36,13 @@ static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
*/
static int __init ipe_load_properties(void)
{
- return 0;
+ int rc = 0;
+
+ rc = ipe_init_bootv();
+ if (rc != 0)
+ return rc;
+
+ return rc;
}
/**
@@ -54,6 +62,10 @@ static int __init ipe_init(void)
{
int rc = 0;
+ rc = ipe_load_properties();
+ if (rc != 0)
+ panic("IPE: properties failed to load");
+
rc = ipe_sysctl_init();
if (rc != 0)
pr_err("failed to configure sysctl: %d", -rc);
diff --git a/security/ipe/properties/Kconfig b/security/ipe/properties/Kconfig
new file mode 100644
index 000000000000..9dc0db8817b2
--- /dev/null
+++ b/security/ipe/properties/Kconfig
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+config IPE_BOOT_PROP
+ bool "Enable trust for boot volume"
+ help
+ This option enables the property "boot_verified" in IPE policy.
+ This property 'pins' the initial superblock when something is
+ evaluated. This property will evaluate to true when the file
+ being evaluated originates from the initial superblock.
+
+ if unsure, answer N.
diff --git a/security/ipe/properties/Makefile b/security/ipe/properties/Makefile
new file mode 100644
index 000000000000..e3e7fe17cf58
--- /dev/null
+++ b/security/ipe/properties/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the properties that IPE uses
+# as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_IPE) += properties.o
+
+properties-$(CONFIG_IPE_BOOT_PROP) += boot-verified.o
diff --git a/security/ipe/properties/boot-verified.c b/security/ipe/properties/boot-verified.c
new file mode 100644
index 000000000000..07c8ba768ac5
--- /dev/null
+++ b/security/ipe/properties/boot-verified.c
@@ -0,0 +1,84 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "../ipe.h"
+#include "../ipe-pin.h"
+#include "../ipe-property.h"
+#include "../utility.h"
+
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/audit.h>
+
+#define PROPERTY_NAME "boot_verified"
+
+static void audit(struct audit_buffer *ab, bool value)
+{
+ audit_log_format(ab, "%s", (value) ? "TRUE" : "FALSE");
+}
+
+static inline void audit_rule_value(struct audit_buffer *ab,
+ const void *value)
+{
+ audit(ab, (bool)value);
+}
+
+static inline void audit_ctx(struct audit_buffer *ab,
+ const struct ipe_engine_ctx *ctx,
+ const void *storage)
+{
+ bool b = has_sb(ctx->file) && ipe_is_from_pinned_sb(ctx->file);
+
+ audit(ab, b);
+}
+
+static bool evaluate(const struct ipe_engine_ctx *ctx,
+ const void *value, void **storage)
+{
+ bool expect = (bool)value;
+
+ if (!ctx->file || !has_sb(ctx->file))
+ return false;
+
+ return ipe_is_from_pinned_sb(ctx->file) == expect;
+}
+
+static int parse(const char *val_str, void **value)
+{
+ if (strcmp("TRUE", val_str) == 0)
+ *value = (void *)true;
+ else if (strcmp("FALSE", val_str) == 0)
+ *value = (void *)false;
+ else
+ return -EBADMSG;
+
+ return 0;
+}
+
+static inline int duplicate(const void *src, void **dest)
+{
+ *dest = (void *)(bool)src;
+
+ return 0;
+}
+
+static const struct ipe_property boot_verified = {
+ .property_name = PROPERTY_NAME,
+ .eval = evaluate,
+ .rule_audit = audit_rule_value,
+ .ctx_audit = audit_ctx,
+ .parse = parse,
+ .dup = duplicate,
+ .prealloc = NULL,
+ .free_val = NULL,
+ .free_storage = NULL,
+};
+
+int ipe_init_bootv(void)
+{
+ return ipe_register_property(&boot_verified);
+}
diff --git a/security/ipe/properties/prop-entry.h b/security/ipe/properties/prop-entry.h
new file mode 100644
index 000000000000..f598dd9608b9
--- /dev/null
+++ b/security/ipe/properties/prop-entry.h
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include <linux/types.h>
+
+#ifndef IPE_PROP_ENTRY_H
+#define IPE_PROP_ENTRY_H
+
+#ifndef CONFIG_IPE_BOOT_PROP
+static inline int __init ipe_init_bootv(void)
+{
+ return 0;
+}
+#else
+int __init ipe_init_bootv(void);
+#endif /* CONFIG_IPE_BOOT_PROP */
+
+#endif /* IPE_PROP_ENTRY_H */
diff --git a/security/ipe/utility.h b/security/ipe/utility.h
new file mode 100644
index 000000000000..a13089bb0d8f
--- /dev/null
+++ b/security/ipe/utility.h
@@ -0,0 +1,22 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef IPE_UTILITY_H
+#define IPE_UTILITY_H
+
+#include <linux/types.h>
+#include <linux/fs.h>
+
+static inline bool has_mount(const struct file *file)
+{
+ return file && file->f_path.mnt;
+}
+
+static inline bool has_sb(const struct file *file)
+{
+ return has_mount(file) && file->f_path.mnt->mnt_sb;
+}
+
+#endif /* IPE_UTILITY_H */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 05/12] fs: add security blob and hooks for block_device
2020-04-06 22:14 ` deven.desai
` (4 preceding siblings ...)
(?)
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add a security blob and associated allocation, deallocation and set hooks
for a block_device structure.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
fs/block_dev.c | 8 +++++
include/linux/fs.h | 1 +
include/linux/lsm_hook_defs.h | 5 +++
include/linux/lsm_hooks.h | 11 +++++++
include/linux/security.h | 22 +++++++++++++
security/security.c | 61 +++++++++++++++++++++++++++++++++++
6 files changed, 108 insertions(+)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 52b6f646cdbd..5dfa25f03208 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -35,6 +35,7 @@
#include <linux/falloc.h>
#include <linux/uaccess.h>
#include <linux/suspend.h>
+#include <linux/security.h>
#include "internal.h"
struct bdev_inode {
@@ -773,11 +774,18 @@ static struct inode *bdev_alloc_inode(struct super_block *sb)
struct bdev_inode *ei = kmem_cache_alloc(bdev_cachep, GFP_KERNEL);
if (!ei)
return NULL;
+
+ if (unlikely(security_bdev_alloc(&ei->bdev))) {
+ kmem_cache_free(bdev_cachep, ei);
+ return NULL;
+ }
+
return &ei->vfs_inode;
}
static void bdev_free_inode(struct inode *inode)
{
+ security_bdev_free(&BDEV_I(inode)->bdev);
kmem_cache_free(bdev_cachep, BDEV_I(inode));
}
diff --git a/include/linux/fs.h b/include/linux/fs.h
index f81c822f4d89..03d089f4a511 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -506,6 +506,7 @@ struct block_device {
int bd_fsfreeze_count;
/* Mutex for freeze */
struct mutex bd_fsfreeze_mutex;
+ void *security;
} __randomize_layout;
/* XArray tags, for tagging dirty and writeback pages in the pagecache. */
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 9cd4455528e5..4782fef7eaf9 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -379,3 +379,8 @@ LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event)
LSM_HOOK(int, 0, perf_event_read, struct perf_event *event)
LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
#endif /* CONFIG_PERF_EVENTS */
+
+LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev)
+LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev)
+LSM_HOOK(int, 0, bdev_setsecurity, struct block_device *bdev, const char *name,
+ const void *value, size_t size)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 988ca0df7824..7bf0f82bc5d6 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1476,6 +1476,16 @@
*
* @what: kernel feature being accessed
*
+ * @bdev_alloc_security:
+ * Initialize the security field inside a block_device structure.
+ *
+ * @bdev_free_security:
+ * Cleanup the security information stored inside a block_device structure.
+ *
+ * @bdev_setsecurity:
+ * Set the security property associated with @name for @bdev with
+ * value @value. @size indicates the size of the @value in bytes.
+ *
* Security hooks for perf events
*
* @perf_event_open:
@@ -1522,6 +1532,7 @@ struct lsm_blob_sizes {
int lbs_ipc;
int lbs_msg_msg;
int lbs_task;
+ int lbs_bdev;
};
/*
diff --git a/include/linux/security.h b/include/linux/security.h
index a8d9310472df..714eecc82e08 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -446,6 +446,11 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
+int security_bdev_alloc(struct block_device *bdev);
+void security_bdev_free(struct block_device *bdev);
+int security_bdev_setsecurity(struct block_device *bdev,
+ const char *name, const void *value,
+ size_t size);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1273,6 +1278,23 @@ static inline int security_locked_down(enum lockdown_reason what)
{
return 0;
}
+
+static inline int security_bdev_alloc(struct block_device *bdev)
+{
+ return 0;
+}
+
+static inline void security_bdev_free(struct block_device *bdev)
+{
+}
+
+static inline int security_bdev_setsecurity(struct block_device *bdev,
+ const char *name,
+ const void *value, size_t size)
+{
+ return 0;
+}
+
#endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/security.c b/security/security.c
index 7fed24b9d57e..0d1af27711c1 100644
--- a/security/security.c
+++ b/security/security.c
@@ -28,6 +28,7 @@
#include <linux/string.h>
#include <linux/msg.h>
#include <net/flow.h>
+#include <linux/fs.h>
#define MAX_LSM_EVM_XATTR 2
@@ -202,6 +203,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
+ lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);
}
/* Prepare LSM for initialization. */
@@ -337,6 +339,7 @@ static void __init ordered_lsm_init(void)
init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc);
init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
init_debug("task blob size = %d\n", blob_sizes.lbs_task);
+ init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev);
/*
* Create any kmem_caches needed for blobs
@@ -654,6 +657,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp)
return 0;
}
+/**
+ * lsm_bdev_alloc - allocate a composite block_device blob
+ * @bdev: the block_device that needs a blob
+ *
+ * Allocate the block_device blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+static int lsm_bdev_alloc(struct block_device *bdev)
+{
+ if (blob_sizes.lbs_bdev == 0) {
+ bdev->security = NULL;
+ return 0;
+ }
+
+ bdev->security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL);
+ if (!bdev->security)
+ return -ENOMEM;
+
+ return 0;
+}
+
/**
* lsm_early_task - during initialization allocate a composite task blob
* @task: the task that needs a blob
@@ -2456,6 +2481,42 @@ int security_locked_down(enum lockdown_reason what)
}
EXPORT_SYMBOL(security_locked_down);
+int security_bdev_alloc(struct block_device *bdev)
+{
+ int rc = 0;
+
+ rc = lsm_bdev_alloc(bdev);
+ if (unlikely(rc))
+ return rc;
+
+ rc = call_int_hook(bdev_alloc_security, 0, bdev);
+ if (unlikely(rc))
+ security_bdev_free(bdev);
+
+ return 0;
+}
+EXPORT_SYMBOL(security_bdev_alloc);
+
+void security_bdev_free(struct block_device *bdev)
+{
+ if (!bdev->security)
+ return;
+
+ call_void_hook(bdev_free_security, bdev);
+
+ kfree(bdev->security);
+ bdev->security = NULL;
+}
+EXPORT_SYMBOL(security_bdev_free);
+
+int security_bdev_setsecurity(struct block_device *bdev,
+ const char *name, const void *value,
+ size_t size)
+{
+ return call_int_hook(bdev_setsecurity, 0, bdev, name, value, size);
+}
+EXPORT_SYMBOL(security_bdev_setsecurity);
+
#ifdef CONFIG_PERF_EVENTS
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 06/12] dm-verity: move signature check after tree validation
2020-04-06 22:14 ` deven.desai
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
The CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG introduced by Jaskaran was
intended to be used to allow an LSM to enforce verifications for all
dm-verity volumes.
However, with it's current implementation, this signature verification
occurs after the merkel-tree is validated, as a result the signature can
pass initial verification by passing a matching root-hash and signature.
This results in an unreadable block_device, but that has passed signature
validation (and subsequently, would be marked as verified).
This change moves the signature verification to after the merkel-tree has
finished validation.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
drivers/md/dm-verity-target.c | 42 ++++-----
drivers/md/dm-verity-verify-sig.c | 140 ++++++++++++++++++++++--------
drivers/md/dm-verity-verify-sig.h | 20 ++---
drivers/md/dm-verity.h | 2 +-
4 files changed, 132 insertions(+), 72 deletions(-)
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index eec9f252e935..c507f3a4e237 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -471,9 +471,9 @@ static int verity_verify_io(struct dm_verity_io *io)
struct bvec_iter start;
unsigned b;
struct crypto_wait wait;
+ int r;
for (b = 0; b < io->n_blocks; b++) {
- int r;
sector_t cur_block = io->block + b;
struct ahash_request *req = verity_io_hash_req(v, io);
@@ -530,6 +530,16 @@ static int verity_verify_io(struct dm_verity_io *io)
return -EIO;
}
+ /*
+ * At this point, the merkel tree has finished validating.
+ * if signature was specified, validate the signature here.
+ */
+ r = verity_verify_root_hash(v);
+ if (r < 0) {
+ DMERR_LIMIT("signature mismatch");
+ return r;
+ }
+
return 0;
}
@@ -728,7 +738,7 @@ static void verity_status(struct dm_target *ti, status_type_t type,
args++;
if (v->validated_blocks)
args++;
- if (v->signature_key_desc)
+ if (v->sig)
args += DM_VERITY_ROOT_HASH_VERIFICATION_OPTS;
if (!args)
return;
@@ -751,9 +761,9 @@ static void verity_status(struct dm_target *ti, status_type_t type,
if (v->validated_blocks)
DMEMIT(" " DM_VERITY_OPT_AT_MOST_ONCE);
sz = verity_fec_status_table(v, sz, result, maxlen);
- if (v->signature_key_desc)
+ if (v->sig)
DMEMIT(" " DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY
- " %s", v->signature_key_desc);
+ " %s", v->sig->signature_key_desc);
break;
}
}
@@ -819,7 +829,7 @@ static void verity_dtr(struct dm_target *ti)
verity_fec_dtr(v);
- kfree(v->signature_key_desc);
+ verity_verify_dtr(v);
kfree(v);
}
@@ -876,8 +886,7 @@ static int verity_alloc_zero_digest(struct dm_verity *v)
return r;
}
-static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
- struct dm_verity_sig_opts *verify_args)
+static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v)
{
int r;
unsigned argc;
@@ -927,9 +936,7 @@ static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
return r;
continue;
} else if (verity_verify_is_sig_opt_arg(arg_name)) {
- r = verity_verify_sig_parse_opt_args(as, v,
- verify_args,
- &argc, arg_name);
+ r = verity_verify_sig_parse_opt_args(as, v, &argc);
if (r)
return r;
continue;
@@ -960,7 +967,6 @@ static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
{
struct dm_verity *v;
- struct dm_verity_sig_opts verify_args = {0};
struct dm_arg_set as;
unsigned int num;
unsigned long long num_ll;
@@ -1128,20 +1134,11 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
as.argc = argc;
as.argv = argv;
- r = verity_parse_opt_args(&as, v, &verify_args);
+ r = verity_parse_opt_args(&as, v);
if (r < 0)
goto bad;
}
- /* Root hash signature is a optional parameter*/
- r = verity_verify_root_hash(root_hash_digest_to_validate,
- strlen(root_hash_digest_to_validate),
- verify_args.sig,
- verify_args.sig_size);
- if (r < 0) {
- ti->error = "Root hash verification failed";
- goto bad;
- }
v->hash_per_block_bits =
__fls((1 << v->hash_dev_block_bits) / v->digest_size);
@@ -1207,13 +1204,10 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
ti->per_io_data_size = roundup(ti->per_io_data_size,
__alignof__(struct dm_verity_io));
- verity_verify_sig_opts_cleanup(&verify_args);
-
return 0;
bad:
- verity_verify_sig_opts_cleanup(&verify_args);
verity_dtr(ti);
return r;
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index 614e43db93aa..27dac8aa2e5a 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -22,6 +22,16 @@ MODULE_PARM_DESC(require_signatures,
#define DM_VERITY_IS_SIG_FORCE_ENABLED() \
(require_signatures != false)
+static void destroy_verity_sig(struct dm_verity_sig *sig_info)
+{
+ if (!sig_info)
+ return;
+
+ kfree(sig_info->sig);
+ kfree(sig_info->signature_key_desc);
+ kfree(sig_info);
+}
+
bool verity_verify_is_sig_opt_arg(const char *arg_name)
{
return (!strcasecmp(arg_name,
@@ -29,7 +39,7 @@ bool verity_verify_is_sig_opt_arg(const char *arg_name)
}
static int verity_verify_get_sig_from_key(const char *key_desc,
- struct dm_verity_sig_opts *sig_opts)
+ struct dm_verity_sig *sig_info)
{
struct key *key;
const struct user_key_payload *ukp;
@@ -48,14 +58,14 @@ static int verity_verify_get_sig_from_key(const char *key_desc,
goto end;
}
- sig_opts->sig = kmalloc(ukp->datalen, GFP_KERNEL);
- if (!sig_opts->sig) {
+ sig_info->sig = kmalloc(ukp->datalen, GFP_KERNEL);
+ if (!sig_info->sig) {
ret = -ENOMEM;
goto end;
}
- sig_opts->sig_size = ukp->datalen;
+ sig_info->sig_size = ukp->datalen;
- memcpy(sig_opts->sig, ukp->data, sig_opts->sig_size);
+ memcpy(sig_info->sig, ukp->data, sig_info->sig_size);
end:
up_read(&key->sem);
@@ -64,70 +74,128 @@ static int verity_verify_get_sig_from_key(const char *key_desc,
return ret;
}
+/**
+ * Parse any signature verification arguments.
+ * This function will populate v->sig, it is the caller's
+ * responsibility to free this structure via verity_verify_dtr
+ *
+ * @as: argument set passed in to parse
+ * @v: verity context structure. Should have a NULL v->sig member.
+ * @argc: current argument number
+ */
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
struct dm_verity *v,
- struct dm_verity_sig_opts *sig_opts,
- unsigned int *argc,
- const char *arg_name)
+ unsigned int *argc)
{
struct dm_target *ti = v->ti;
+ struct dm_verity_sig *sig_info = NULL;
int ret = 0;
const char *sig_key = NULL;
if (!*argc) {
ti->error = DM_VERITY_VERIFY_ERR("Signature key not specified");
- return -EINVAL;
+ ret = -EINVAL;
+ goto cleanup;
+ }
+
+ sig_info = kzalloc(sizeof(*sig_info), GFP_KERNEL);
+ if (!sig_info) {
+ ret = -ENOMEM;
+ goto cleanup;
}
sig_key = dm_shift_arg(as);
(*argc)--;
- ret = verity_verify_get_sig_from_key(sig_key, sig_opts);
- if (ret < 0)
+ ret = verity_verify_get_sig_from_key(sig_key, sig_info);
+ if (ret < 0) {
ti->error = DM_VERITY_VERIFY_ERR("Invalid key specified");
+ goto cleanup;
+ }
- v->signature_key_desc = kstrdup(sig_key, GFP_KERNEL);
- if (!v->signature_key_desc)
- return -ENOMEM;
+ sig_info->signature_key_desc = kstrdup(sig_key, GFP_KERNEL);
+ if (!sig_info->signature_key_desc) {
+ ret = -ENOMEM;
+ goto cleanup;
+ }
+ v->sig = sig_info;
+ sig_info = NULL;
+cleanup:
+ if (sig_info)
+ destroy_verity_sig(sig_info);
return ret;
}
-/*
+/**
* verify_verify_roothash - Verify the root hash of the verity hash device
* using builtin trusted keys.
*
- * @root_hash: For verity, the roothash/data to be verified.
- * @root_hash_len: Size of the roothash/data to be verified.
- * @sig_data: The trusted signature that verifies the roothash/data.
- * @sig_len: Size of the signature.
+ * @v: dm_verity structure containing all context for the dm_verity
+ * operation.
*
*/
-int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(const struct dm_verity *v)
{
- int ret;
+ int ret = 0;
+ char *root_hash = NULL;
+ size_t root_hash_size = 0;
+ struct dm_verity_sig *sig_target = NULL;
+
+ if (!v || !v->ti || !v->root_digest || v->digest_size == 0) {
+ ret = -EINVAL;
+ goto cleanup;
+ }
+
+ sig_target = v->sig;
+
+ if (!sig_target || !sig_target->sig || sig_target->sig_size == 0) {
+ if (DM_VERITY_IS_SIG_FORCE_ENABLED()) {
+ ret = -ENOKEY;
+ goto cleanup;
+ } else {
+ goto cleanup;
+ }
+ }
- if (!root_hash || root_hash_len == 0)
- return -EINVAL;
+ /*
+ * If signature has passed validation once, assume
+ * that future signatures will pass.
+ */
+ if (sig_target->passed)
+ goto cleanup;
- if (!sig_data || sig_len == 0) {
- if (DM_VERITY_IS_SIG_FORCE_ENABLED())
- return -ENOKEY;
- else
- return 0;
+ root_hash_size = v->digest_size * 2;
+ root_hash = kzalloc(root_hash_size, GFP_KERNEL);
+ if (!root_hash) {
+ ret = -ENOMEM;
+ goto cleanup;
}
- ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
- sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
- NULL, NULL);
+ bin2hex(root_hash, v->root_digest, v->digest_size);
+
+ ret = verify_pkcs7_signature(root_hash, root_hash_size, v->sig->sig,
+ v->sig->sig_size, NULL,
+ VERIFYING_UNSPECIFIED_SIGNATURE, NULL,
+ NULL);
+ if (ret != 0)
+ goto cleanup;
+ sig_target->passed = true;
+cleanup:
+ kfree(root_hash);
return ret;
}
-void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
+/**
+ * Performs destruction / cleanup of a valid dm_verity_sig struct
+ *
+ * @v: dm_verity structure containing the dm_verity_sig struct to
+ * be freed.
+ */
+
+void verity_verify_dtr(struct dm_verity *v)
{
- kfree(sig_opts->sig);
- sig_opts->sig = NULL;
- sig_opts->sig_size = 0;
+ destroy_verity_sig(v->sig);
+ v->sig = NULL;
}
diff --git a/drivers/md/dm-verity-verify-sig.h b/drivers/md/dm-verity-verify-sig.h
index 19b1547aa741..9d7b34672c80 100644
--- a/drivers/md/dm-verity-verify-sig.h
+++ b/drivers/md/dm-verity-verify-sig.h
@@ -11,31 +11,30 @@
#define DM_VERITY_ROOT_HASH_VERIFICATION "DM Verity Sig Verification"
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY "root_hash_sig_key_desc"
-struct dm_verity_sig_opts {
+struct dm_verity_sig {
+ char *signature_key_desc;
unsigned int sig_size;
u8 *sig;
+ bool passed;
};
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 2
-int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len);
+int verity_verify_root_hash(const struct dm_verity *v);
bool verity_verify_is_sig_opt_arg(const char *arg_name);
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
- struct dm_verity_sig_opts *sig_opts,
- unsigned int *argc, const char *arg_name);
+ unsigned int *argc);
-void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts);
+void verity_verify_dtr(struct dm_verity *v);
#else
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 0
-int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(const struct dm_verity *v);
{
return 0;
}
@@ -46,13 +45,12 @@ bool verity_verify_is_sig_opt_arg(const char *arg_name)
}
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
- struct dm_verity_sig_opts *sig_opts,
- unsigned int *argc, const char *arg_name)
+ unsigned int *argc)
{
return -EINVAL;
}
-void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
+void verity_verify_dtr(struct dm_verity *v)
{
}
diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h
index 641b9e3a399b..995c495decad 100644
--- a/drivers/md/dm-verity.h
+++ b/drivers/md/dm-verity.h
@@ -64,7 +64,7 @@ struct dm_verity {
struct dm_verity_fec *fec; /* forward error correction */
unsigned long *validated_blocks; /* bitset blocks validated */
- char *signature_key_desc; /* signature keyring reference */
+ struct dm_verity_sig *sig; /* signature verification */
};
struct dm_verity_io {
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 06/12] dm-verity: move signature check after tree validation
@ 2020-04-06 22:14 ` deven.desai
0 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: sashal, pasha.tatashin, mdsakib, linux-kernel, nramas, tyhicks,
jaskarankhurana
From: Deven Bowers <deven.desai@linux.microsoft.com>
The CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG introduced by Jaskaran was
intended to be used to allow an LSM to enforce verifications for all
dm-verity volumes.
However, with it's current implementation, this signature verification
occurs after the merkel-tree is validated, as a result the signature can
pass initial verification by passing a matching root-hash and signature.
This results in an unreadable block_device, but that has passed signature
validation (and subsequently, would be marked as verified).
This change moves the signature verification to after the merkel-tree has
finished validation.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
drivers/md/dm-verity-target.c | 42 ++++-----
drivers/md/dm-verity-verify-sig.c | 140 ++++++++++++++++++++++--------
drivers/md/dm-verity-verify-sig.h | 20 ++---
drivers/md/dm-verity.h | 2 +-
4 files changed, 132 insertions(+), 72 deletions(-)
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index eec9f252e935..c507f3a4e237 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -471,9 +471,9 @@ static int verity_verify_io(struct dm_verity_io *io)
struct bvec_iter start;
unsigned b;
struct crypto_wait wait;
+ int r;
for (b = 0; b < io->n_blocks; b++) {
- int r;
sector_t cur_block = io->block + b;
struct ahash_request *req = verity_io_hash_req(v, io);
@@ -530,6 +530,16 @@ static int verity_verify_io(struct dm_verity_io *io)
return -EIO;
}
+ /*
+ * At this point, the merkel tree has finished validating.
+ * if signature was specified, validate the signature here.
+ */
+ r = verity_verify_root_hash(v);
+ if (r < 0) {
+ DMERR_LIMIT("signature mismatch");
+ return r;
+ }
+
return 0;
}
@@ -728,7 +738,7 @@ static void verity_status(struct dm_target *ti, status_type_t type,
args++;
if (v->validated_blocks)
args++;
- if (v->signature_key_desc)
+ if (v->sig)
args += DM_VERITY_ROOT_HASH_VERIFICATION_OPTS;
if (!args)
return;
@@ -751,9 +761,9 @@ static void verity_status(struct dm_target *ti, status_type_t type,
if (v->validated_blocks)
DMEMIT(" " DM_VERITY_OPT_AT_MOST_ONCE);
sz = verity_fec_status_table(v, sz, result, maxlen);
- if (v->signature_key_desc)
+ if (v->sig)
DMEMIT(" " DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY
- " %s", v->signature_key_desc);
+ " %s", v->sig->signature_key_desc);
break;
}
}
@@ -819,7 +829,7 @@ static void verity_dtr(struct dm_target *ti)
verity_fec_dtr(v);
- kfree(v->signature_key_desc);
+ verity_verify_dtr(v);
kfree(v);
}
@@ -876,8 +886,7 @@ static int verity_alloc_zero_digest(struct dm_verity *v)
return r;
}
-static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
- struct dm_verity_sig_opts *verify_args)
+static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v)
{
int r;
unsigned argc;
@@ -927,9 +936,7 @@ static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
return r;
continue;
} else if (verity_verify_is_sig_opt_arg(arg_name)) {
- r = verity_verify_sig_parse_opt_args(as, v,
- verify_args,
- &argc, arg_name);
+ r = verity_verify_sig_parse_opt_args(as, v, &argc);
if (r)
return r;
continue;
@@ -960,7 +967,6 @@ static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
{
struct dm_verity *v;
- struct dm_verity_sig_opts verify_args = {0};
struct dm_arg_set as;
unsigned int num;
unsigned long long num_ll;
@@ -1128,20 +1134,11 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
as.argc = argc;
as.argv = argv;
- r = verity_parse_opt_args(&as, v, &verify_args);
+ r = verity_parse_opt_args(&as, v);
if (r < 0)
goto bad;
}
- /* Root hash signature is a optional parameter*/
- r = verity_verify_root_hash(root_hash_digest_to_validate,
- strlen(root_hash_digest_to_validate),
- verify_args.sig,
- verify_args.sig_size);
- if (r < 0) {
- ti->error = "Root hash verification failed";
- goto bad;
- }
v->hash_per_block_bits =
__fls((1 << v->hash_dev_block_bits) / v->digest_size);
@@ -1207,13 +1204,10 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
ti->per_io_data_size = roundup(ti->per_io_data_size,
__alignof__(struct dm_verity_io));
- verity_verify_sig_opts_cleanup(&verify_args);
-
return 0;
bad:
- verity_verify_sig_opts_cleanup(&verify_args);
verity_dtr(ti);
return r;
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index 614e43db93aa..27dac8aa2e5a 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -22,6 +22,16 @@ MODULE_PARM_DESC(require_signatures,
#define DM_VERITY_IS_SIG_FORCE_ENABLED() \
(require_signatures != false)
+static void destroy_verity_sig(struct dm_verity_sig *sig_info)
+{
+ if (!sig_info)
+ return;
+
+ kfree(sig_info->sig);
+ kfree(sig_info->signature_key_desc);
+ kfree(sig_info);
+}
+
bool verity_verify_is_sig_opt_arg(const char *arg_name)
{
return (!strcasecmp(arg_name,
@@ -29,7 +39,7 @@ bool verity_verify_is_sig_opt_arg(const char *arg_name)
}
static int verity_verify_get_sig_from_key(const char *key_desc,
- struct dm_verity_sig_opts *sig_opts)
+ struct dm_verity_sig *sig_info)
{
struct key *key;
const struct user_key_payload *ukp;
@@ -48,14 +58,14 @@ static int verity_verify_get_sig_from_key(const char *key_desc,
goto end;
}
- sig_opts->sig = kmalloc(ukp->datalen, GFP_KERNEL);
- if (!sig_opts->sig) {
+ sig_info->sig = kmalloc(ukp->datalen, GFP_KERNEL);
+ if (!sig_info->sig) {
ret = -ENOMEM;
goto end;
}
- sig_opts->sig_size = ukp->datalen;
+ sig_info->sig_size = ukp->datalen;
- memcpy(sig_opts->sig, ukp->data, sig_opts->sig_size);
+ memcpy(sig_info->sig, ukp->data, sig_info->sig_size);
end:
up_read(&key->sem);
@@ -64,70 +74,128 @@ static int verity_verify_get_sig_from_key(const char *key_desc,
return ret;
}
+/**
+ * Parse any signature verification arguments.
+ * This function will populate v->sig, it is the caller's
+ * responsibility to free this structure via verity_verify_dtr
+ *
+ * @as: argument set passed in to parse
+ * @v: verity context structure. Should have a NULL v->sig member.
+ * @argc: current argument number
+ */
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
struct dm_verity *v,
- struct dm_verity_sig_opts *sig_opts,
- unsigned int *argc,
- const char *arg_name)
+ unsigned int *argc)
{
struct dm_target *ti = v->ti;
+ struct dm_verity_sig *sig_info = NULL;
int ret = 0;
const char *sig_key = NULL;
if (!*argc) {
ti->error = DM_VERITY_VERIFY_ERR("Signature key not specified");
- return -EINVAL;
+ ret = -EINVAL;
+ goto cleanup;
+ }
+
+ sig_info = kzalloc(sizeof(*sig_info), GFP_KERNEL);
+ if (!sig_info) {
+ ret = -ENOMEM;
+ goto cleanup;
}
sig_key = dm_shift_arg(as);
(*argc)--;
- ret = verity_verify_get_sig_from_key(sig_key, sig_opts);
- if (ret < 0)
+ ret = verity_verify_get_sig_from_key(sig_key, sig_info);
+ if (ret < 0) {
ti->error = DM_VERITY_VERIFY_ERR("Invalid key specified");
+ goto cleanup;
+ }
- v->signature_key_desc = kstrdup(sig_key, GFP_KERNEL);
- if (!v->signature_key_desc)
- return -ENOMEM;
+ sig_info->signature_key_desc = kstrdup(sig_key, GFP_KERNEL);
+ if (!sig_info->signature_key_desc) {
+ ret = -ENOMEM;
+ goto cleanup;
+ }
+ v->sig = sig_info;
+ sig_info = NULL;
+cleanup:
+ if (sig_info)
+ destroy_verity_sig(sig_info);
return ret;
}
-/*
+/**
* verify_verify_roothash - Verify the root hash of the verity hash device
* using builtin trusted keys.
*
- * @root_hash: For verity, the roothash/data to be verified.
- * @root_hash_len: Size of the roothash/data to be verified.
- * @sig_data: The trusted signature that verifies the roothash/data.
- * @sig_len: Size of the signature.
+ * @v: dm_verity structure containing all context for the dm_verity
+ * operation.
*
*/
-int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(const struct dm_verity *v)
{
- int ret;
+ int ret = 0;
+ char *root_hash = NULL;
+ size_t root_hash_size = 0;
+ struct dm_verity_sig *sig_target = NULL;
+
+ if (!v || !v->ti || !v->root_digest || v->digest_size == 0) {
+ ret = -EINVAL;
+ goto cleanup;
+ }
+
+ sig_target = v->sig;
+
+ if (!sig_target || !sig_target->sig || sig_target->sig_size == 0) {
+ if (DM_VERITY_IS_SIG_FORCE_ENABLED()) {
+ ret = -ENOKEY;
+ goto cleanup;
+ } else {
+ goto cleanup;
+ }
+ }
- if (!root_hash || root_hash_len == 0)
- return -EINVAL;
+ /*
+ * If signature has passed validation once, assume
+ * that future signatures will pass.
+ */
+ if (sig_target->passed)
+ goto cleanup;
- if (!sig_data || sig_len == 0) {
- if (DM_VERITY_IS_SIG_FORCE_ENABLED())
- return -ENOKEY;
- else
- return 0;
+ root_hash_size = v->digest_size * 2;
+ root_hash = kzalloc(root_hash_size, GFP_KERNEL);
+ if (!root_hash) {
+ ret = -ENOMEM;
+ goto cleanup;
}
- ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
- sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
- NULL, NULL);
+ bin2hex(root_hash, v->root_digest, v->digest_size);
+
+ ret = verify_pkcs7_signature(root_hash, root_hash_size, v->sig->sig,
+ v->sig->sig_size, NULL,
+ VERIFYING_UNSPECIFIED_SIGNATURE, NULL,
+ NULL);
+ if (ret != 0)
+ goto cleanup;
+ sig_target->passed = true;
+cleanup:
+ kfree(root_hash);
return ret;
}
-void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
+/**
+ * Performs destruction / cleanup of a valid dm_verity_sig struct
+ *
+ * @v: dm_verity structure containing the dm_verity_sig struct to
+ * be freed.
+ */
+
+void verity_verify_dtr(struct dm_verity *v)
{
- kfree(sig_opts->sig);
- sig_opts->sig = NULL;
- sig_opts->sig_size = 0;
+ destroy_verity_sig(v->sig);
+ v->sig = NULL;
}
diff --git a/drivers/md/dm-verity-verify-sig.h b/drivers/md/dm-verity-verify-sig.h
index 19b1547aa741..9d7b34672c80 100644
--- a/drivers/md/dm-verity-verify-sig.h
+++ b/drivers/md/dm-verity-verify-sig.h
@@ -11,31 +11,30 @@
#define DM_VERITY_ROOT_HASH_VERIFICATION "DM Verity Sig Verification"
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY "root_hash_sig_key_desc"
-struct dm_verity_sig_opts {
+struct dm_verity_sig {
+ char *signature_key_desc;
unsigned int sig_size;
u8 *sig;
+ bool passed;
};
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 2
-int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len);
+int verity_verify_root_hash(const struct dm_verity *v);
bool verity_verify_is_sig_opt_arg(const char *arg_name);
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
- struct dm_verity_sig_opts *sig_opts,
- unsigned int *argc, const char *arg_name);
+ unsigned int *argc);
-void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts);
+void verity_verify_dtr(struct dm_verity *v);
#else
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 0
-int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(const struct dm_verity *v);
{
return 0;
}
@@ -46,13 +45,12 @@ bool verity_verify_is_sig_opt_arg(const char *arg_name)
}
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
- struct dm_verity_sig_opts *sig_opts,
- unsigned int *argc, const char *arg_name)
+ unsigned int *argc)
{
return -EINVAL;
}
-void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
+void verity_verify_dtr(struct dm_verity *v)
{
}
diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h
index 641b9e3a399b..995c495decad 100644
--- a/drivers/md/dm-verity.h
+++ b/drivers/md/dm-verity.h
@@ -64,7 +64,7 @@ struct dm_verity {
struct dm_verity_fec *fec; /* forward error correction */
unsigned long *validated_blocks; /* bitset blocks validated */
- char *signature_key_desc; /* signature keyring reference */
+ struct dm_verity_sig *sig; /* signature verification */
};
struct dm_verity_io {
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 07/12] dm-verity: add bdev_setsecurity hook for dm-verity signature
2020-04-06 22:14 ` deven.desai
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add a security hook call to set a security property of a block_device
in dm-verity with the results of a verified, signed root-hash.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
drivers/md/dm-verity-verify-sig.c | 7 +++++++
include/linux/device-mapper.h | 2 ++
2 files changed, 9 insertions(+)
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index 27dac8aa2e5a..242e2421d3c8 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -8,7 +8,10 @@
#include <linux/device-mapper.h>
#include <linux/verification.h>
#include <keys/user-type.h>
+#include <linux/security.h>
+#include <linux/list.h>
#include <linux/module.h>
+#include "dm-core.h"
#include "dm-verity.h"
#include "dm-verity-verify-sig.h"
@@ -182,6 +185,10 @@ int verity_verify_root_hash(const struct dm_verity *v)
goto cleanup;
sig_target->passed = true;
+
+ ret = security_bdev_setsecurity(dm_table_get_md(v->ti->table)->bdev,
+ DM_VERITY_SIGNATURE_SEC_NAME,
+ v->sig->sig, v->sig->sig_size);
cleanup:
kfree(root_hash);
return ret;
diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h
index 475668c69dbc..6bd49aa48186 100644
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -624,4 +624,6 @@ static inline unsigned long to_bytes(sector_t n)
return (n << SECTOR_SHIFT);
}
+#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-sig"
+
#endif /* _LINUX_DEVICE_MAPPER_H */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 07/12] dm-verity: add bdev_setsecurity hook for dm-verity signature
@ 2020-04-06 22:14 ` deven.desai
0 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: sashal, pasha.tatashin, mdsakib, linux-kernel, nramas, tyhicks,
jaskarankhurana
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add a security hook call to set a security property of a block_device
in dm-verity with the results of a verified, signed root-hash.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
drivers/md/dm-verity-verify-sig.c | 7 +++++++
include/linux/device-mapper.h | 2 ++
2 files changed, 9 insertions(+)
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index 27dac8aa2e5a..242e2421d3c8 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -8,7 +8,10 @@
#include <linux/device-mapper.h>
#include <linux/verification.h>
#include <keys/user-type.h>
+#include <linux/security.h>
+#include <linux/list.h>
#include <linux/module.h>
+#include "dm-core.h"
#include "dm-verity.h"
#include "dm-verity-verify-sig.h"
@@ -182,6 +185,10 @@ int verity_verify_root_hash(const struct dm_verity *v)
goto cleanup;
sig_target->passed = true;
+
+ ret = security_bdev_setsecurity(dm_table_get_md(v->ti->table)->bdev,
+ DM_VERITY_SIGNATURE_SEC_NAME,
+ v->sig->sig, v->sig->sig_size);
cleanup:
kfree(root_hash);
return ret;
diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h
index 475668c69dbc..6bd49aa48186 100644
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -624,4 +624,6 @@ static inline unsigned long to_bytes(sector_t n)
return (n << SECTOR_SHIFT);
}
+#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-sig"
+
#endif /* _LINUX_DEVICE_MAPPER_H */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 08/12] ipe: add property for signed dmverity volumes
2020-04-06 22:14 ` deven.desai
` (7 preceding siblings ...)
(?)
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Allow IPE to leverage the stacked security blob infrastructure,
and enlighten IPE to the block_device security blob.
This allows IPE to have a property to express rules around a device-mapper
verity volume whose root-hash has been signed, and the signature has been
verified against the system keyring. This is property is also added in
this patch.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
security/ipe/Kconfig | 2 +-
security/ipe/Makefile | 1 +
security/ipe/ipe-blobs.c | 80 +++++++++++++++++++
security/ipe/ipe-blobs.h | 18 +++++
security/ipe/ipe-engine.c | 4 +
security/ipe/ipe-engine.h | 9 +++
security/ipe/ipe-hooks.c | 1 +
security/ipe/ipe-hooks.h | 43 ++++++++++
security/ipe/ipe.c | 18 +++++
security/ipe/ipe.h | 2 +
security/ipe/properties/Kconfig | 10 +++
security/ipe/properties/Makefile | 1 +
security/ipe/properties/dmverity-signature.c | 84 ++++++++++++++++++++
security/ipe/properties/prop-entry.h | 9 +++
security/ipe/utility.h | 10 +++
15 files changed, 291 insertions(+), 1 deletion(-)
create mode 100644 security/ipe/ipe-blobs.c
create mode 100644 security/ipe/ipe-blobs.h
create mode 100644 security/ipe/properties/dmverity-signature.c
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
index b1d89244da3e..2c3012a6047b 100644
--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -5,7 +5,7 @@
menuconfig SECURITY_IPE
bool "Integrity Policy Enforcement (IPE)"
- depends on SECURITY && AUDIT && SECURITYFS
+ depends on SECURITY && AUDIT && SECURITYFS && BLOCK
select SYSTEM_DATA_VERIFICATION
help
This option enables the Integrity Policy Enforcement subsystem,
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
index 741914ddc338..615797f4cd38 100644
--- a/security/ipe/Makefile
+++ b/security/ipe/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_IPE) += \
ipe-hooks.o \
ipe-secfs.o \
ipe-sysfs.o \
+ ipe-blobs.o \
clean-files := ipe-bp.c
diff --git a/security/ipe/ipe-blobs.c b/security/ipe/ipe-blobs.c
new file mode 100644
index 000000000000..a4ee8df02855
--- /dev/null
+++ b/security/ipe/ipe-blobs.c
@@ -0,0 +1,80 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ipe-engine.h"
+#include "ipe-blobs.h"
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/device-mapper.h>
+
+/**
+ * ipe_bdev_alloc_security: Performs the initialization of IPE's security blob.
+ * @bdev: The block device to source the security blob from.
+ *
+ * The allocation is performed earlier by the LSM infrastructure,
+ * (on behalf of all LSMs) in lsm_alloc_bdev. At the moment, IPE uses
+ * this time to zero out the region of memory reserved for IPE.
+ *
+ * Return:
+ * 0 - OK
+ */
+int ipe_bdev_alloc_security(struct block_device *bdev)
+{
+ struct ipe_bdev_blob *bdev_sec = ipe_bdev(bdev);
+
+ memset(bdev_sec, 0x0, sizeof(*bdev_sec));
+
+ return 0;
+}
+
+/**
+ * ipe_bdev_free_security: Frees all fields of IPE's block dev security blob.
+ * @bdev: The block device to source the security blob from.
+ *
+ * The deallocation of the blob itself is performed later by the LSM
+ * infrastructure, (on behalf of all LSMs) in lsm_free_bdev.
+ *
+ * Pointers allocated by the bdev_setsecurity hook and alloc_security
+ * hook need to be deallocated here.
+ */
+void ipe_bdev_free_security(struct block_device *bdev)
+{
+ struct ipe_bdev_blob *bdev_sec = ipe_bdev(bdev);
+
+ memset(bdev_sec, 0x0, sizeof(*bdev_sec));
+}
+
+/**
+ * ipe_bdev_setsecurity: Sets the a certain field of a block device security
+ * blob, based on @key.
+ * @bdev: The block device to source the security blob from.
+ * @key: The key representing the information to be stored.
+ * @value: The value to be stored.
+ * @len: The length of @value.
+ *
+ * As block-devices are a generic implementation across specific stacks,
+ * this allows information to be stored from various stacks.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - Error
+ */
+int ipe_bdev_setsecurity(struct block_device *bdev, const char *key,
+ const void *value, size_t len)
+{
+ struct ipe_bdev_blob *bdev_sec = ipe_bdev(bdev);
+
+ if (!strcmp(key, DM_VERITY_SIGNATURE_SEC_NAME)) {
+ bdev_sec->dmverity_rh_sig = kmemdup(value, len, GFP_KERNEL);
+ if (!bdev_sec->dmverity_rh_sig)
+ return -ENOMEM;
+
+ bdev_sec->dmv_rh_sig_len = len;
+ }
+
+ return 0;
+}
diff --git a/security/ipe/ipe-blobs.h b/security/ipe/ipe-blobs.h
new file mode 100644
index 000000000000..7561f4cef558
--- /dev/null
+++ b/security/ipe/ipe-blobs.h
@@ -0,0 +1,18 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+#include <linux/types.h>
+#include <linux/fs.h>
+
+#include "ipe.h"
+
+#ifndef IPE_BLOB_H
+#define IPE_BLOB_H
+
+static inline struct ipe_bdev_blob *ipe_bdev(struct block_device *bdev)
+{
+ return bdev->security + ipe_blobs.lbs_bdev;
+}
+
+#endif /* IPE_BLOB_H */
diff --git a/security/ipe/ipe-engine.c b/security/ipe/ipe-engine.c
index 6b1a4ce8c387..5e33fb5cb9ef 100644
--- a/security/ipe/ipe-engine.c
+++ b/security/ipe/ipe-engine.c
@@ -10,6 +10,7 @@
#include "ipe-engine.h"
#include "ipe-audit.h"
#include "ipe-pin.h"
+#include "ipe-blobs.h"
#include "utility.h"
#include <linux/types.h>
@@ -124,6 +125,9 @@ static struct ipe_engine_ctx *build_ctx(const struct file *file,
local->op = op;
local->hook = hook;
+ if (has_bdev(file))
+ local->sec_bdev = ipe_bdev(bdev(file));
+
return local;
}
diff --git a/security/ipe/ipe-engine.h b/security/ipe/ipe-engine.h
index 3f7c471929e2..be17115861cb 100644
--- a/security/ipe/ipe-engine.h
+++ b/security/ipe/ipe-engine.h
@@ -3,20 +3,29 @@
* Copyright (C) Microsoft Corporation. All rights reserved.
*/
+#include "ipe.h"
#include "ipe-hooks.h"
#include <linux/types.h>
#include <linux/rbtree.h>
#include <linux/fs.h>
+#include <crypto/pkcs7.h>
+
#ifndef IPE_ENGINE_H
#define IPE_ENGINE_H
+struct ipe_bdev_blob {
+ u8 *dmverity_rh_sig;
+ size_t dmv_rh_sig_len;
+};
+
struct ipe_engine_ctx {
enum ipe_op op;
enum ipe_hook hook;
const struct file *file;
const char *audit_pathname;
+ const struct ipe_bdev_blob *sec_bdev;
};
struct ipe_prop_cache {
diff --git a/security/ipe/ipe-hooks.c b/security/ipe/ipe-hooks.c
index 43182ba25cc5..f9728c96d73c 100644
--- a/security/ipe/ipe-hooks.c
+++ b/security/ipe/ipe-hooks.c
@@ -15,6 +15,7 @@
#include <linux/mman.h>
#include <linux/mm.h>
#include <linux/security.h>
+#include <linux/device-mapper.h>
#define HAS_EXEC(_p, _rp) (((_rp) & PROT_EXEC) || ((_p) & PROT_EXEC))
diff --git a/security/ipe/ipe-hooks.h b/security/ipe/ipe-hooks.h
index 55e417c72425..35a7a681b4c6 100644
--- a/security/ipe/ipe-hooks.h
+++ b/security/ipe/ipe-hooks.h
@@ -113,4 +113,47 @@ int ipe_on_kernel_load_data(enum kernel_load_data_id id);
void ipe_sb_free_security(struct super_block *mnt_sb);
+/**
+ * ipe_bdev_alloc_security: Performs the initialization of IPE's security blob.
+ * @bdev: The block device to source the security blob from.
+ *
+ * The allocation is performed earlier by the LSM infrastructure,
+ * (on behalf of all LSMs) in lsm_alloc_bdev. At the moment, IPE uses
+ * this time to zero out the region of memory reserved for IPE.
+ *
+ * Return:
+ * 0 - OK
+ */
+int ipe_bdev_alloc_security(struct block_device *bdev);
+
+/**
+ * ipe_bdev_free_security: Frees all fields of IPE's block dev security blob.
+ * @bdev: The block device to source the security blob from.
+ *
+ * The deallocation of the blob itself is performed later by the LSM
+ * infrastructure, (on behalf of all LSMs) in lsm_free_bdev.
+ *
+ * Pointers allocated by the bdev_setsecurity hook and alloc_security
+ * hook need to be deallocated here.
+ */
+void ipe_bdev_free_security(struct block_device *bdev);
+
+/**
+ * ipe_bdev_setsecurity: Sets the a certain field of a block device security
+ * blob, based on @key.
+ * @bdev: The block device to source the security blob from.
+ * @key: The key representing the information to be stored.
+ * @value: The value to be stored.
+ * @len: The length of @value.
+ *
+ * As block-devices are a generic implementation across specific stacks,
+ * this allows information to be stored from various stacks.
+ *
+ * Return:
+ * 0 - OK
+ * !0 - Error
+ */
+int ipe_bdev_setsecurity(struct block_device *bdev, const char *key,
+ const void *value, size_t len);
+
#endif /* IPE_HOOK_H */
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 971c50ecadaf..924f535c3d32 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -25,6 +25,9 @@ static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(kernel_load_data, ipe_on_kernel_load_data),
LSM_HOOK_INIT(file_mprotect, ipe_on_mprotect),
LSM_HOOK_INIT(sb_free_security, ipe_sb_free_security),
+ LSM_HOOK_INIT(bdev_alloc_security, ipe_bdev_alloc_security),
+ LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security),
+ LSM_HOOK_INIT(bdev_setsecurity, ipe_bdev_setsecurity),
};
/**
@@ -42,6 +45,10 @@ static int __init ipe_load_properties(void)
if (rc != 0)
return rc;
+ rc = ipe_init_dm_verity_signature();
+ if (rc != 0)
+ return rc;
+
return rc;
}
@@ -80,9 +87,20 @@ static int __init ipe_init(void)
return rc;
}
+struct lsm_blob_sizes ipe_blobs = {
+ .lbs_cred = 0,
+ .lbs_file = 0,
+ .lbs_inode = 0,
+ .lbs_ipc = 0,
+ .lbs_msg_msg = 0,
+ .lbs_task = 0,
+ .lbs_bdev = sizeof(struct ipe_bdev_blob),
+};
+
DEFINE_LSM(ipe) = {
.name = "ipe",
.init = ipe_init,
+ .blobs = &ipe_blobs,
};
int enforce = 1;
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
index c016b57aa70b..117ee549861c 100644
--- a/security/ipe/ipe.h
+++ b/security/ipe/ipe.h
@@ -10,10 +10,12 @@
#include <linux/types.h>
#include <linux/fs.h>
+#include <linux/lsm_hooks.h>
#define IPE_MODE_ENFORCE "enforce"
#define IPE_MODE_PERMISSIVE "permissive"
+extern struct lsm_blob_sizes ipe_blobs;
extern int enforce;
extern int success_audit;
extern int strict_parse;
diff --git a/security/ipe/properties/Kconfig b/security/ipe/properties/Kconfig
index 9dc0db8817b2..2d8866ee456e 100644
--- a/security/ipe/properties/Kconfig
+++ b/security/ipe/properties/Kconfig
@@ -12,3 +12,13 @@ config IPE_BOOT_PROP
being evaluated originates from the initial superblock.
if unsure, answer N.
+
+config IPE_DM_VERITY_SIGNATURE
+ bool "Enable property for signature verified dm-verity volumes"
+ depends on DM_VERITY_VERIFY_ROOTHASH_SIG
+ help
+ This option enables IPE's integration with Device-Mapper Verity's
+ signed root-hashes. This enables the usage of the property,
+ "dmverity_signature" in IPE's policy.
+
+ if unsure, answer Y.
diff --git a/security/ipe/properties/Makefile b/security/ipe/properties/Makefile
index e3e7fe17cf58..6b67cbe36e31 100644
--- a/security/ipe/properties/Makefile
+++ b/security/ipe/properties/Makefile
@@ -9,3 +9,4 @@
obj-$(CONFIG_SECURITY_IPE) += properties.o
properties-$(CONFIG_IPE_BOOT_PROP) += boot-verified.o
+properties-$(CONFIG_IPE_DM_VERITY_SIGNATURE) += dmverity-signature.o
diff --git a/security/ipe/properties/dmverity-signature.c b/security/ipe/properties/dmverity-signature.c
new file mode 100644
index 000000000000..448e3b8fd43e
--- /dev/null
+++ b/security/ipe/properties/dmverity-signature.c
@@ -0,0 +1,84 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "../ipe.h"
+#include "../ipe-pin.h"
+#include "../ipe-property.h"
+#include "../utility.h"
+
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/fs.h>
+#include <linux/audit.h>
+#include <linux/mount.h>
+
+#define PROPERTY_NAME "dmverity_signature"
+
+static void audit(struct audit_buffer *ab, bool value)
+{
+ audit_log_format(ab, "%s", (value) ? "TRUE" : "FALSE");
+}
+
+static inline void audit_rule_value(struct audit_buffer *ab,
+ const void *value)
+{
+ audit(ab, (bool)value);
+}
+
+static inline void audit_ctx(struct audit_buffer *ab,
+ const struct ipe_engine_ctx *ctx,
+ const void *storage)
+{
+ bool b = has_bdev(ctx->file) && ctx->sec_bdev->dmverity_rh_sig;
+
+ audit(ab, b);
+}
+
+static bool evaluate(const struct ipe_engine_ctx *ctx,
+ const void *value, void **storage)
+{
+ bool expect = (bool)value;
+
+ if (!has_bdev(ctx->file))
+ return false;
+
+ return ((bool)ctx->sec_bdev->dmverity_rh_sig) == expect;
+}
+
+static int parse(const char *val_str, void **value)
+{
+ if (strcmp("TRUE", val_str) == 0)
+ *value = (void *)true;
+ else if (strcmp("FALSE", val_str) == 0)
+ *value = (void *)false;
+ else
+ return -EBADMSG;
+
+ return 0;
+}
+
+static inline int duplicate(const void *src, void **dest)
+{
+ *dest = (void *)(bool)src;
+
+ return 0;
+}
+
+static const struct ipe_property dmv_signature = {
+ .property_name = PROPERTY_NAME,
+ .eval = evaluate,
+ .parse = parse,
+ .rule_audit = audit_rule_value,
+ .ctx_audit = audit_ctx,
+ .dup = duplicate,
+ .prealloc = NULL,
+ .free_val = NULL,
+ .free_storage = NULL,
+};
+
+int ipe_init_dm_verity_signature(void)
+{
+ return ipe_register_property(&dmv_signature);
+}
diff --git a/security/ipe/properties/prop-entry.h b/security/ipe/properties/prop-entry.h
index f598dd9608b9..85366366ff0d 100644
--- a/security/ipe/properties/prop-entry.h
+++ b/security/ipe/properties/prop-entry.h
@@ -17,4 +17,13 @@ static inline int __init ipe_init_bootv(void)
int __init ipe_init_bootv(void);
#endif /* CONFIG_IPE_BOOT_PROP */
+#ifndef CONFIG_IPE_DM_VERITY_SIGNATURE
+static inline int __init ipe_init_dm_verity_signature(void)
+{
+ return 0;
+}
+#else
+int __init ipe_init_dm_verity_signature(void);
+#endif /* CONFIG_IPE_DM_VERITY_SIGNATURE */
+
#endif /* IPE_PROP_ENTRY_H */
diff --git a/security/ipe/utility.h b/security/ipe/utility.h
index a13089bb0d8f..7580f17274a3 100644
--- a/security/ipe/utility.h
+++ b/security/ipe/utility.h
@@ -19,4 +19,14 @@ static inline bool has_sb(const struct file *file)
return has_mount(file) && file->f_path.mnt->mnt_sb;
}
+static inline bool has_bdev(const struct file *file)
+{
+ return has_sb(file) && file->f_path.mnt->mnt_sb->s_bdev;
+}
+
+static inline struct block_device *bdev(const struct file *file)
+{
+ return file->f_path.mnt->mnt_sb->s_bdev;
+}
+
#endif /* IPE_UTILITY_H */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 09/12] dm-verity: add bdev_setsecurity hook for root-hash
2020-04-06 22:14 ` deven.desai
` (8 preceding siblings ...)
(?)
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add a security hook call to set a security property of a block_device
in dm-verity with the root-hash that was verified to match the merkel-tree.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
drivers/md/dm-verity-target.c | 8 ++++++++
include/linux/device-mapper.h | 1 +
2 files changed, 9 insertions(+)
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index c507f3a4e237..225f67ab378d 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -16,8 +16,10 @@
#include "dm-verity.h"
#include "dm-verity-fec.h"
#include "dm-verity-verify-sig.h"
+#include "dm-core.h"
#include <linux/module.h>
#include <linux/reboot.h>
+#include <linux/security.h>
#define DM_MSG_PREFIX "verity"
@@ -530,6 +532,12 @@ static int verity_verify_io(struct dm_verity_io *io)
return -EIO;
}
+ r = security_bdev_setsecurity(dm_table_get_md(v->ti->table)->bdev,
+ DM_VERITY_ROOTHASH_SEC_NAME,
+ v->root_digest, v->digest_size);
+ if (unlikely(r < 0))
+ return r;
+
/*
* At this point, the merkel tree has finished validating.
* if signature was specified, validate the signature here.
diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h
index 6bd49aa48186..467db44de194 100644
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -625,5 +625,6 @@ static inline unsigned long to_bytes(sector_t n)
}
#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-sig"
+#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-rh"
#endif /* _LINUX_DEVICE_MAPPER_H */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 10/12] ipe: add property for dmverity roothash
2020-04-06 22:14 ` deven.desai
` (9 preceding siblings ...)
(?)
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add a property to allow IPE policy to express rules around a specific
root-hash of a dm-verity volume.
This can be used for revocation, (when combined with the previous dm-verity
property) or the authorization of a single dm-verity volume.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
security/ipe/ipe-blobs.c | 10 ++
security/ipe/ipe-engine.h | 3 +
security/ipe/ipe.c | 4 +
security/ipe/properties/Kconfig | 13 +-
security/ipe/properties/Makefile | 1 +
security/ipe/properties/dmverity-roothash.c | 155 ++++++++++++++++++++
security/ipe/properties/prop-entry.h | 9 ++
7 files changed, 194 insertions(+), 1 deletion(-)
create mode 100644 security/ipe/properties/dmverity-roothash.c
diff --git a/security/ipe/ipe-blobs.c b/security/ipe/ipe-blobs.c
index a4ee8df02855..1e054eb13857 100644
--- a/security/ipe/ipe-blobs.c
+++ b/security/ipe/ipe-blobs.c
@@ -45,6 +45,8 @@ void ipe_bdev_free_security(struct block_device *bdev)
{
struct ipe_bdev_blob *bdev_sec = ipe_bdev(bdev);
+ kfree(bdev_sec->dmverity_rh);
+
memset(bdev_sec, 0x0, sizeof(*bdev_sec));
}
@@ -76,5 +78,13 @@ int ipe_bdev_setsecurity(struct block_device *bdev, const char *key,
bdev_sec->dmv_rh_sig_len = len;
}
+ if (!strcmp(key, DM_VERITY_ROOTHASH_SEC_NAME)) {
+ bdev_sec->dmverity_rh = kmemdup(value, len, GFP_KERNEL);
+ if (!bdev_sec->dmverity_rh)
+ return -ENOMEM;
+
+ bdev_sec->rh_size = len;
+ }
+
return 0;
}
diff --git a/security/ipe/ipe-engine.h b/security/ipe/ipe-engine.h
index be17115861cb..d8cdb3cc7af8 100644
--- a/security/ipe/ipe-engine.h
+++ b/security/ipe/ipe-engine.h
@@ -18,6 +18,9 @@
struct ipe_bdev_blob {
u8 *dmverity_rh_sig;
size_t dmv_rh_sig_len;
+
+ u8 *dmverity_rh;
+ size_t rh_size;
};
struct ipe_engine_ctx {
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 924f535c3d32..b398eafa6049 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -49,6 +49,10 @@ static int __init ipe_load_properties(void)
if (rc != 0)
return rc;
+ rc = ipe_init_dm_verity_rh();
+ if (rc != 0)
+ return rc;
+
return rc;
}
diff --git a/security/ipe/properties/Kconfig b/security/ipe/properties/Kconfig
index 2d8866ee456e..57b97b2b3877 100644
--- a/security/ipe/properties/Kconfig
+++ b/security/ipe/properties/Kconfig
@@ -13,8 +13,19 @@ config IPE_BOOT_PROP
if unsure, answer N.
+config IPE_DM_VERITY_ROOTHASH
+ bool "Enable property for authorizing dm-verity volumes via root-hash"
+ depends on DM_VERITY
+ help
+ This option enables IPE's integration with Device-Mapper Verity.
+ This enables the usage of the property "dmverity_roothash" in IPE's
+ policy. This property allows authorization or revocation via a
+ a hex-string representing the roothash of a dmverity volume.
+
+ if unsure, answer Y.
+
config IPE_DM_VERITY_SIGNATURE
- bool "Enable property for signature verified dm-verity volumes"
+ bool "Enable property for verified dm-verity volumes"
depends on DM_VERITY_VERIFY_ROOTHASH_SIG
help
This option enables IPE's integration with Device-Mapper Verity's
diff --git a/security/ipe/properties/Makefile b/security/ipe/properties/Makefile
index 6b67cbe36e31..d9a3807797f4 100644
--- a/security/ipe/properties/Makefile
+++ b/security/ipe/properties/Makefile
@@ -10,3 +10,4 @@ obj-$(CONFIG_SECURITY_IPE) += properties.o
properties-$(CONFIG_IPE_BOOT_PROP) += boot-verified.o
properties-$(CONFIG_IPE_DM_VERITY_SIGNATURE) += dmverity-signature.o
+properties-$(CONFIG_IPE_DM_VERITY_ROOTHASH) += dmverity-roothash.o
diff --git a/security/ipe/properties/dmverity-roothash.c b/security/ipe/properties/dmverity-roothash.c
new file mode 100644
index 000000000000..5c575fc275bc
--- /dev/null
+++ b/security/ipe/properties/dmverity-roothash.c
@@ -0,0 +1,155 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "../ipe.h"
+#include "../ipe-pin.h"
+#include "../ipe-property.h"
+#include "../utility.h"
+
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/audit.h>
+#include <linux/kernel.h>
+
+#define PROPERTY_NAME "dmverity_roothash"
+
+struct counted_array {
+ u8 *arr;
+ size_t len;
+};
+
+static void audit(struct audit_buffer *ab, const void *value)
+{
+ const struct counted_array *a = (const struct counted_array *)value;
+
+ if (!a || a->len == 0)
+ audit_log_format(ab, "NULL");
+ else
+ audit_log_n_hex(ab, a->arr, a->len);
+}
+
+static inline void audit_rule_value(struct audit_buffer *ab,
+ const void *value)
+{
+ audit(ab, value);
+}
+
+static inline void audit_ctx(struct audit_buffer *ab,
+ const struct ipe_engine_ctx *ctx,
+ const void *storage)
+{
+ struct counted_array a;
+
+ if (!has_bdev(ctx->file))
+ return audit(ab, NULL);
+
+ a.arr = ctx->sec_bdev->dmverity_rh;
+ a.len = ctx->sec_bdev->rh_size;
+
+ return audit(ab, &a);
+}
+
+static bool evaluate(const struct ipe_engine_ctx *ctx,
+ const void *value, void **storage)
+{
+ const struct counted_array *a = (const struct counted_array *)value;
+
+ if (!has_bdev(ctx->file))
+ return false;
+
+ if (a->len != ctx->sec_bdev->rh_size)
+ return false;
+
+ return memcmp(a->arr, ctx->sec_bdev->dmverity_rh, a->len) == 0;
+}
+
+static int parse(const char *val_str, void **value)
+{
+ struct counted_array *arr = NULL;
+ int rv = 0;
+
+ arr = kzalloc(sizeof(*arr), GFP_KERNEL);
+ if (!arr) {
+ rv = -ENOMEM;
+ goto err;
+ }
+
+ arr->len = strlen(val_str) / 2;
+
+ arr->arr = kzalloc(arr->len, GFP_KERNEL);
+ if (!arr->arr) {
+ rv = -ENOMEM;
+ goto err;
+ }
+
+ rv = hex2bin(arr->arr, val_str, arr->len);
+ if (rv != 0)
+ goto err;
+
+ *value = arr;
+ return rv;
+err:
+ if (arr)
+ kfree(arr->arr);
+ kfree(arr);
+ return rv;
+}
+
+static int duplicate(const void *src, void **dest)
+{
+ struct counted_array *arr = NULL;
+ const struct counted_array *src_arr = src;
+ int rv = 0;
+
+ arr = kmemdup(src_arr, sizeof(*arr), GFP_KERNEL);
+ if (!arr) {
+ rv = -ENOMEM;
+ goto err;
+ }
+
+ arr->arr = kmemdup(src_arr->arr, src_arr->len, GFP_KERNEL);
+ if (!arr->arr) {
+ rv = -ENOMEM;
+ goto err;
+ }
+
+ *dest = arr;
+ return rv;
+err:
+ if (arr)
+ kfree(arr->arr);
+ kfree(arr);
+
+ return rv;
+}
+
+static void free_val(void **value)
+{
+ struct counted_array *a = (struct counted_array *)*value;
+
+ if (a)
+ kfree(a->arr);
+ kfree(a);
+ *value = NULL;
+}
+
+static const struct ipe_property dmv_roothash = {
+ .property_name = PROPERTY_NAME,
+ .eval = evaluate,
+ .parse = parse,
+ .rule_audit = audit_rule_value,
+ .ctx_audit = audit_ctx,
+ .dup = duplicate,
+ .free_val = free_val,
+ .prealloc = NULL,
+ .free_storage = NULL,
+};
+
+int ipe_init_dm_verity_rh(void)
+{
+ return ipe_register_property(&dmv_roothash);
+}
diff --git a/security/ipe/properties/prop-entry.h b/security/ipe/properties/prop-entry.h
index 85366366ff0d..86a360570f3b 100644
--- a/security/ipe/properties/prop-entry.h
+++ b/security/ipe/properties/prop-entry.h
@@ -26,4 +26,13 @@ static inline int __init ipe_init_dm_verity_signature(void)
int __init ipe_init_dm_verity_signature(void);
#endif /* CONFIG_IPE_DM_VERITY_SIGNATURE */
+#ifndef CONFIG_IPE_DM_VERITY_ROOTHASH
+static inline int __init ipe_init_dm_verity_rh(void)
+{
+ return 0;
+}
+#else
+int __init ipe_init_dm_verity_rh(void);
+#endif /* CONFIG_IPE_DM_VERITY_ROOTHASH */
+
#endif /* IPE_PROP_ENTRY_H */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 11/12] documentation: Add IPE Documentation
2020-04-06 22:14 ` deven.desai
` (10 preceding siblings ...)
(?)
@ 2020-04-06 22:14 ` deven.desai
2020-04-14 15:38 ` Jonathan Corbet
-1 siblings, 1 reply; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Add IPE's documentation to the kernel tree.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
Documentation/admin-guide/LSM/index.rst | 1 +
Documentation/admin-guide/LSM/ipe.rst | 487 ++++++++++++++++++
.../admin-guide/kernel-parameters.txt | 20 +
MAINTAINERS | 1 +
4 files changed, 509 insertions(+)
create mode 100644 Documentation/admin-guide/LSM/ipe.rst
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index a6ba95fbaa9f..ce63be6d64ad 100644
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -47,3 +47,4 @@ subdirectories.
tomoyo
Yama
SafeSetID
+ ipe
diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst
new file mode 100644
index 000000000000..def353e34288
--- /dev/null
+++ b/Documentation/admin-guide/LSM/ipe.rst
@@ -0,0 +1,487 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+Integrity Policy Enforcement (IPE)
+==================================
+
+Overview
+--------
+
+IPE is a Linux Security Module, which allows for a configurable policy
+to enforce integrity requirements on the whole system. It attempts to
+solve the issue of Code Integrity: that any code being executed (or
+files being read), are identical to the version that was built by a
+trusted source.
+
+There are multiple implementations within the Linux kernel that solve
+some measure of integrity verification. For instance, device-mapper
+verity, which ensures integrity for a block device, and fs-verity which
+is a system that ensures integrity for a filesystem. What these
+implementations lack is a measure of run-time verification that binaries
+are sourced from these locations. IPE aims to address this gap.
+
+IPE is separated between two major components: A configurable policy,
+provided by the LSM ("IPE Core"), and deterministic attributes provided
+by the kernel to evaluate files against, ("IPE Properties").
+
+Use Cases
+---------
+
+IPE is designed for use is an embedded device with a specific purpose
+(e.g. network firewall device in a data center), where all software and
+configuration is built and provisioned by the owner.
+
+Ideally, a system which leverages IPE is not intended for general
+purpose computing and does not utilize any software or configuration
+built by a third party. An ideal system to leverage IPE has both mutable
+and immutable components, however, all binary executable code is
+immutable.
+
+For the highest level of security, platform firmware should verify the
+the kernel and optionally the root filesystem (e.g. via U-Boot verified
+boot). This allows the entire system to be integrity verified.
+
+Known Gaps
+----------
+
+IPE cannot verify the integrity of anonymous executable memory, such as
+the trampolines created by gcc closures and libffi, or JIT'd code.
+Unfortunately, as this is dynamically generated code, there is no way
+for IPE to detect that this code has not been tampered with in
+transition from where it was built, to where it is running. As a result,
+IPE is incapable of tackling this problem for dynamically generated
+code.
+
+IPE cannot verify the integrity of interpreted languages' programs when
+these scripts invoked via ``<interpreter> <file>``. This is because the
+way interpreters execute these files, the scripts themselves are not
+evaluated as executable code through one of IPE's hooks. Interpreters
+can be enlightened to the usage of IPE by trying to mmap a file into
+executable memory (+X), after opening the file and responding to the
+error code appropriately. This also applies to included files, or high
+value files, such as configuration files of critical system components.
+This specific gap is planned on being addressed within IPE.
+
+Threat Model
+------------
+
+The threat type addressed by IPE is tampering of executable user-land
+code beyond the initially booted kernel, and the initial verification of
+kernel modules that are loaded in userland through ``modprobe`` or
+``insmod``.
+
+Tampering violates the property of integrity. IPE's role in mitigating
+this threat is to verify the integrity (and authenticity) of all
+executable code and to deny their use if integrity verification fails.
+IPE generates audit logs which may be utilized to detect integrity
+verification failures.
+
+Tampering threat scenarios include modification or replacement of
+executable code by a range of actors including:
+
+- Insiders with physical access to the hardware
+- Insiders with local network access to the system
+- Insiders with access to the deployment system
+- Compromised internal systems under external control
+- Malicious end users of the system
+- Compromised end users of the system
+- Remote (external) compromise of the system
+
+IPE does not mitigate threats arising from malicious authorized
+developers, or compromised developer tools used by authorized
+developers. Additionally, IPE draws hard security boundary between user
+mode and kernel mode. As a result, IPE does not provide any protections
+against a kernel level exploit, and a kernel-level exploit can disable
+or tamper with IPE's protections.
+
+The root of trust for all of IPE's verifications is the
+``SYSTEM_TRUSTED_KEYRING``.
+
+IPE Core
+--------
+
+IPE Policy
+~~~~~~~~~~
+
+IPE policy is designed to be both forward compatible and backwards
+compatible. There is one required line, at the top of the policy,
+indicating the policy name, and the policy version, for instance:
+
+::
+
+ policy_name="Ex Policy" policy_version=0.0.0
+
+The policy name is a unique key identifying this policy in a human
+readable name. This is used to create nodes under securityfs as well as
+uniquely identify policies to deploy new policies vs update existing
+policies.
+
+The policy version indicates the current version of the policy (NOT the
+policy syntax version). This is used to prevent roll-back of policy to
+potentially insecure previous versions of the policy.
+
+The next portion of IPE policy, are rules. Rules are formed by key=value
+pairs, known as properties. IPE rules require two properties: "action",
+which determines what IPE does when it encounters a match against the
+rule, and "op", which determines when that rule should be evaluated.
+Thus, a minimal rule is:
+
+::
+
+ op=EXECUTE action=ALLOW
+
+This example will allow any execution. Additional properties are used to
+restrict attributes about the files being evaluated. These properties
+are intended to be deterministic attributes that are resident in the
+kernel.
+
+Order does not matter for the rule's properties - they can be listed in
+any order, however it is encouraged to have the "op" property be first,
+and the "action" property be last for readability. Rules are evaluated
+top-to-bottom. As a result, any revocation rules, or denies should be
+placed early in the file to ensure that these rules are evaluated before
+as rule with "action=ALLOW" is hit.
+
+IPE policy is designed to be forward compatible and backwards
+compatible, thus any failure to parse a rule will result in the line
+being ignored, and a warning being emitted. If backwards compatibility
+is not required, the kernel command line parameter and sysctl,
+``ipe.strict_parse`` can be enabled, which will cause these warnings to
+be fatal.
+
+IPE policy supports comments. The character '#' will function as a
+comment, ignoring all characters to the right of '#' until the newline.
+
+The default behavior of IPE evaluations can also be expressed in policy,
+through the ``DEFAULT`` statement. This can be done at a global level,
+or a per-operation level:
+
+::
+
+ # Global
+ DEFAULT action=ALLOW
+
+ # Operation Specific
+ DEFAULT op=EXECUTE action=ALLOW
+
+If a global default is unset, and a specific operation default is not
+set for an IPE operation, it will assume that the default action should
+be ``ALLOW``. This is to preserve compatibility between policies and the
+LSM.
+
+With configurable policy-based LSMs, there's several issues with
+enforcing the configurable policies at startup, around reading and
+parsing the policy:
+
+1. The kernel *should* not read files from userland, so directly reading
+ the policy file is prohibited.
+2. The kernel command line has a character limit, and one kernel module
+ should not reserve the entire character limit for its own
+ configuration.
+3. There are various boot loaders in the kernel ecosystem, so handing
+ off a memory block would be costly to maintain.
+
+As a result, IPE has addressed this problem through a concept of a "boot
+policy". A boot policy is a minimal policy, compiled into the kernel.
+This policy is intended to get the system to a state where userland is
+setup and ready to receive commands, at which point a more complex
+policy ("user policies") can be deployed via securityfs. The boot policy
+can be specified via the Kconfig, ``SECURITY_IPE_BOOT_POLICY``, which
+accepts a path to a plain-text version of the IPE policy to apply. This
+policy will be compiled into the kernel. If not specified, IPE will be
+disabled until a policy is deployed through securityfs, and activated
+through sysfs.
+
+Deploying Policies
+^^^^^^^^^^^^^^^^^^
+
+User policies as explained above, are policies that are deployed from
+userland, through securityfs. These policies are signed to enforce some
+level of authorization of the policies (prohibiting an attacker from
+gaining root, and deploying an "allow all" policy), through the PKCS#7
+enveloped data format. These policies must be signed by a certificate
+that chains to the ``SYSTEM_TRUSTED_KEYRING``. Through openssl, the
+signing can be done via:
+
+::
+
+ openssl smime -sign -in "$MY_POLICY" -signer "$MY_CERTIFICATE" \
+ -inkey "$MY_PRIVATE_KEY" -binary -outform der -noattr -nodetach \
+ -out "$MY_POLICY.p7s"
+
+Deploying the policies is done through securityfs, through the
+``new_policy`` node. To deploy a policy, simply cat the file into the
+securityfs node:
+
+::
+
+ cat "$MY_POLICY.p7s" > /sys/kernel/security/ipe/new_policy
+
+Upon success, this will create one subdirectory under
+``/sys/kernel/security/ipe/policies/``. The subdirectory will be the
+``policy_name`` field of the policy deployed, so for the example above,
+the directory will be ``/sys/kernel/security/ipe/policies/Ex\ Policy``.
+Within this directory, there will be two files: ``raw`` and ``content``.
+
+The ``raw`` file is rw, reading will provide the raw PKCS#7 data that
+was provided to the kernel, representing the policy. Writing, will
+deploy an in-place policy update - if this policy is the currently
+running policy, the new updated policy will replace it immediately upon
+success.
+
+The ``content`` file is read only. Reading will provide the PKCS#7 inner
+content of the policy, which will be the plain text policy.
+
+Similarly, the ``cat`` command above will result in an error upon
+syntactically invalid or untrusted policies. It will also error if a
+policy already exists with the same ``policy_name``. The write to the
+``raw`` node will error upon syntactically invalid, untrusted policies,
+or if the payload fails the version check. The write will also fail if
+the ``policy_name`` in the payload does not match the existing policy.
+
+Deploying these policies will *not* cause IPE to start enforcing this
+policy. Once deployment is successful, a policy can be marked as active,
+via the sysctl, ``ipe.active_policy``. IPE will enforce whatever policy
+is marked as active. For our example, we can activate the ``Ex Policy``
+via:
+
+::
+
+ sysctl ipe.active_policy="Ex Policy"
+
+At which point, ``Ex Policy`` will now be the enforced policy on the
+system.
+
+IPE also provides a way to delete policies. This can be done via the
+``del_policy`` securityfs node, ``/sys/kernel/security/ipe/del_policy``.
+Writing the ``policy_name`` of the policy to be deleted will delete that
+node:
+
+::
+
+ echo -n "$MY_POLICY_NAME" > /sys/kernel/security/ipe/del_policy
+
+There are two requirements to delete policies:
+
+1. The policy being deleted must not be the active policy.
+2. The policy being deleted must not be the boot policy.
+
+NOTE: It's important to know above that the "echo" command will add a
+newline to the end of the input, and this will be considered as part of
+the filename. You can remove the newline via the -n parameter.
+
+Modes
+~~~~~
+
+IPE supports two modes of operation: permissive (similar to SELinux's
+permissive mode) and enforce. Permissive mode performs the same checks
+as enforce mode, and logs policy violations, but will not enforce the
+policy. This allows users to test policies before enforcing them.
+
+The default mode is enforce, and can be changed via the kernel command
+line parameter ``ipe.enforce=(0|1)``, or the sysctl
+``ipe.enforce=(0|1)``. The ability to switch modes can be compiled out
+of the LSM via setting the Kconfig
+``CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH`` to N.
+
+Audit Events
+~~~~~~~~~~~~
+
+Success Auditing
+^^^^^^^^^^^^^^^^
+
+IPE supports success auditing. When enabled, all events that pass IPE
+policy and are not blocked will emit an audit event. This is disabled by
+default, and can be enabled via the kernel command line
+``ipe.success_audit=(0|1)`` or the sysctl ``ipe.success_audit=(0|1)``.
+
+This is very noisy, as IPE will check every user-mode binary on the
+system, but is useful for debugging policies.
+
+IPE Properties
+--------------
+
+As explained above, IPE properties are ``key=value`` pairs expressed in
+IPE policy. Two properties are built-into the policy parser: 'op' and
+'action'. The other properties are determinstic attributes to express
+across files. Currently those properties are: 'boot_verified',
+'dmverity_signature', 'dmverity_roothash'. A description of all
+properties supported by IPE are listed below:
+
+op
+~~
+
+Indicates the operation for a rule to apply to. Must be in every rule.
+IPE supports the following operations:
+
+``EXECUTE``
+
+ Pertains to any file attempting to be executed, or loaded as an
+ executable.
+
+``FIRMWARE``:
+
+ Pertains to firmware being loaded via the firmware_class interface.
+ This covers both the preallocated buffer and the firmware file
+ itself.
+
+``KMODULE``:
+
+ Pertains to loading kernel modules via ``modprobe`` or ``insmod``.
+
+``KEXEC_IMAGE``:
+
+ Pertains to kernel images loading via ``kexec``.
+
+``KEXEC_INITRAMFS``
+
+ Pertains to initrd images loading via ``kexec --initrd``.
+
+``POLICY``:
+
+ Controls loading IMA policies through the
+ ``/sys/kernel/security/ima/policy`` securityfs entry.
+
+``X509_CERT``:
+
+ Controls loading IMA certificates through the Kconfigs,
+ ``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``.
+
+action
+~~~~~~
+
+Determines what IPE should do when a rule matches. Must be in every
+rule. Can be one of:
+
+``ALLOW``:
+
+ If the rule matches, explicitly allow the call to proceed without
+ executing any more rules.
+
+``DENY``:
+
+ If the rule matches, explicitly prohibit the call from proceeding
+ without executing any more rules.
+
+boot_verified
+~~~~~~~~~~~~~
+
+This property can be utilized for authorization of the first super-block
+that is mounted on the system, where IPE attempts to evaluate a file.
+Typically this is used for systems with an initramfs or other initial
+disk, where this is unmounted before the system becomes available, and
+is not covered by any other property. This property is controlled by the
+Kconfig, ``CONFIG_IPE_BOOT_PROP``. The format of this property is:
+
+::
+
+ boot_verified=(TRUE|FALSE)
+
+
+.. WARNING::
+
+ This property will trust any disk where the first IPE
+ evaluation occurs. If you do not have a startup disk that is
+ unpacked and unmounted (like initramfs), then it will automatically
+ trust the root filesystem and potentially overauthorize the entire
+ disk.
+
+dmverity_roothash
+~~~~~~~~~~~~~~~~~
+
+This property can be utilized for authorization or revocation of
+specific dm-verity volumes, identified via root hash. It has a
+dependency on the DM_VERITY module. This property is controlled by the
+property: ``CONFIG_IPE_DM_VERITY_ROOTHASH``. The format of this property
+is:
+
+::
+
+ dmverity_roothash=HashHexDigest
+
+dmverity_signature
+~~~~~~~~~~~~~~~~~~
+
+This property can be utilized for authorization of all dm-verity volumes
+that have a signed roothash that chains to the system trusted keyring.
+It has a dependency on the ``DM_VERITY_VERIFY_ROOTHASH_SIG`` Kconfig.
+This property is controlled by the Kconfig:
+``CONFIG_IPE_DM_VERITY_SIGNATURE``. The format of this property is:
+
+::
+
+ dmverity_signature=(TRUE|FALSE)
+
+Policy Examples
+---------------
+
+Allow all
+~~~~~~~~~
+
+::
+
+ policy_name="Allow All" policy_version=0.0.0
+ DEFAULT action=ALLOW
+
+Allow only initial superblock
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ policy_name="Allow All Initial SB" policy_version=0.0.0
+ DEFAULT action=DENY
+
+ op=EXECUTE boot_verified=TRUE action=ALLOW
+
+Allow any signed dm-verity volume and the initial superblock
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ policy_name="AllowSignedAndInitial" policy_version=0.0.0
+ DEFAULT action=DENY
+
+ op=EXECUTE boot_verified=TRUE action=ALLOW
+ op=EXECUTE dmverity_signature=TRUE action=ALLOW
+
+Prohibit execution from a specific dm-verity volume
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ policy_name="AllowSignedAndInitial" policy_version=0.0.0
+ DEFAULT action=DENY
+
+ op=EXECUTE dmverity_roothash=401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=DENY
+ op=EXECUTE boot_verified=TRUE action=ALLOW
+ op=EXECUTE dmverity_signature=TRUE action=ALLOW
+
+Allow only a specific dm-verity volume
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ policy_name="AllowSignedAndInitial" policy_version=0.0.0
+ DEFAULT action=DENY
+
+ op=EXECUTE dmverity_roothash=401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW
+
+External Information
+--------------------
+
+Please see the github repository at: https://github.com/microsoft/Integrity-Policy-Enforcement-LSM
+
+FAQ
+---
+
+Q: What's the difference between other LSMs which provide integrity
+verification (i.e. IMA)?
+
+A: IPE differs from other LSMs which provide integrity checking, as it
+has no dependency on the filesystem metadata itself. The attributes that
+IPE checks are deterministic properties that exist solely in the kernel.
+Additionally, IPE provides no additional mechanisms of verifying these
+files (e.g. IMA Signatures) - all of the attributes of verifying files
+are existing features within the kernel.
+
+Additionally, IPE is completely restricted to integrity. It offers no
+measurement or attestation features, which IMA addresses.
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 4d5a4fe22703..9eb8b19fe9db 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1913,6 +1913,26 @@
ip= [IP_PNP]
See Documentation/admin-guide/nfs/nfsroot.rst.
+ ipe.enforce= [IPE]
+ Format: { "0" | "1" }
+ 0 - Start IPE in audit mode
+ 1 - Start IPE in enforce mode (default).
+ See Documentation/security/ipe.rst
+
+ ipe.success_audit=
+ [IPE] Start IPE with success auditing
+ Format: { "0" | "1" }
+ 0 - Disable success auditing (default)
+ 1 - Enable success auditing
+ See Documentation/security/ipe.rst
+
+ ipe.strict_parse=
+ [IPE] Start IPE with strict policy parsing enabled
+ Format: { "0" | "1" }
+ 0 - Disable strict parsing (default)
+ 1 - Enable strict parsing
+ See Documentation/security/ipe.rst
+
ipcmni_extend [KNL] Extend the maximum number of unique System V
IPC identifiers from 32,768 to 16,777,216.
diff --git a/MAINTAINERS b/MAINTAINERS
index ab9adcd37a0c..897da80af3f8 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8441,6 +8441,7 @@ INTEGRITY POLICY ENFORCEMENT (IPE)
M: Deven Bowers <deven.desai@linux.microsoft.com>
L: linux-integrity@vger.kernel.org
S: Supported
+F: Documentation/admin-guide/LSM/ipe.rst
F: scripts/ipe/
F: security/ipe/
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 12/12] cleanup: uapi/linux/audit.h
2020-04-06 22:14 ` deven.desai
@ 2020-04-06 22:14 ` deven.desai
-1 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: tyhicks, pasha.tatashin, sashal, jaskarankhurana, nramas,
mdsakib, linux-kernel
From: Deven Bowers <deven.desai@linux.microsoft.com>
Remove trailing whitespaces and align the integrity #defines in
linux/uapi/audit.h
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
include/uapi/linux/audit.h | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e0122a0ed0c..d642ade068b5 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -48,7 +48,7 @@
* 2500 - 2999 future user space (maybe integrity labels and related events)
*
* Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
- * exclusively user space. 1300-2099 is kernel --> user space
+ * exclusively user space. 1300-2099 is kernel --> user space
* communication.
*/
#define AUDIT_GET 1000 /* Get status */
@@ -78,7 +78,7 @@
#define AUDIT_LAST_USER_MSG 1199
#define AUDIT_FIRST_USER_MSG2 2100 /* More user space messages */
#define AUDIT_LAST_USER_MSG2 2999
-
+
#define AUDIT_DAEMON_START 1200 /* Daemon startup record */
#define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */
#define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */
@@ -139,20 +139,20 @@
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
-#define AUDIT_FIRST_KERN_ANOM_MSG 1700
-#define AUDIT_LAST_KERN_ANOM_MSG 1799
-#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
-#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
-#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
-#define AUDIT_ANOM_CREAT 1703 /* Suspicious file creation */
-#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
-#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
-#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
-#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
-#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
-#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
-#define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
-#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
+#define AUDIT_FIRST_KERN_ANOM_MSG 1700
+#define AUDIT_LAST_KERN_ANOM_MSG 1799
+#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
+#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
+#define AUDIT_ANOM_CREAT 1703 /* Suspicious file creation */
+#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
+#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
+#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
+#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
+#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
+#define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
+#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
#define AUDIT_INTEGRITY_POLICY_LOAD 1808 /* IPE Policy Load */
#define AUDIT_INTEGRITY_POLICY_ACTIVATE 1809 /* IPE Policy Activation */
#define AUDIT_INTEGRITY_EVENT 1810 /* IPE Evaluation Event */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [RFC PATCH v2 12/12] cleanup: uapi/linux/audit.h
@ 2020-04-06 22:14 ` deven.desai
0 siblings, 0 replies; 27+ messages in thread
From: deven.desai @ 2020-04-06 22:14 UTC (permalink / raw)
To: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block
Cc: sashal, pasha.tatashin, mdsakib, linux-kernel, nramas, tyhicks,
jaskarankhurana
From: Deven Bowers <deven.desai@linux.microsoft.com>
Remove trailing whitespaces and align the integrity #defines in
linux/uapi/audit.h
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
include/uapi/linux/audit.h | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e0122a0ed0c..d642ade068b5 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -48,7 +48,7 @@
* 2500 - 2999 future user space (maybe integrity labels and related events)
*
* Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
- * exclusively user space. 1300-2099 is kernel --> user space
+ * exclusively user space. 1300-2099 is kernel --> user space
* communication.
*/
#define AUDIT_GET 1000 /* Get status */
@@ -78,7 +78,7 @@
#define AUDIT_LAST_USER_MSG 1199
#define AUDIT_FIRST_USER_MSG2 2100 /* More user space messages */
#define AUDIT_LAST_USER_MSG2 2999
-
+
#define AUDIT_DAEMON_START 1200 /* Daemon startup record */
#define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */
#define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */
@@ -139,20 +139,20 @@
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
-#define AUDIT_FIRST_KERN_ANOM_MSG 1700
-#define AUDIT_LAST_KERN_ANOM_MSG 1799
-#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
-#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
-#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
-#define AUDIT_ANOM_CREAT 1703 /* Suspicious file creation */
-#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
-#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
-#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
-#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
-#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
-#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
-#define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
-#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
+#define AUDIT_FIRST_KERN_ANOM_MSG 1700
+#define AUDIT_LAST_KERN_ANOM_MSG 1799
+#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
+#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
+#define AUDIT_ANOM_CREAT 1703 /* Suspicious file creation */
+#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
+#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
+#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
+#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
+#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
+#define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
+#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
#define AUDIT_INTEGRITY_POLICY_LOAD 1808 /* IPE Policy Load */
#define AUDIT_INTEGRITY_POLICY_ACTIVATE 1809 /* IPE Policy Activation */
#define AUDIT_INTEGRITY_EVENT 1810 /* IPE Evaluation Event */
--
2.26.0
^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 06/12] dm-verity: move signature check after tree validation
2020-04-06 22:14 ` deven.desai
(?)
@ 2020-04-07 2:25 ` kbuild test robot
-1 siblings, 0 replies; 27+ messages in thread
From: kbuild test robot @ 2020-04-07 2:25 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 2211 bytes --]
Hi,
[FYI, it's a private test report for your RFC patch.]
[auto build test ERROR on kbuild/for-next]
[also build test ERROR on linus/master next-20200406]
[cannot apply to security/next-testing dm/for-next v5.6]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
url: https://github.com/0day-ci/linux/commits/deven-desai-linux-microsoft-com/Integrity-Policy-Enforcement-LSM-IPE/20200407-061828
base: https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git for-next
config: sparc64-randconfig-a001-20200407 (attached as .config)
compiler: sparc64-linux-gcc (GCC) 9.3.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=9.3.0 make.cross ARCH=sparc64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kbuild test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from drivers/md/dm-verity-target.c:18:
>> drivers/md/dm-verity-verify-sig.h:38:1: error: expected identifier or '(' before '{' token
38 | {
| ^
vim +38 drivers/md/dm-verity-verify-sig.h
88cd3e6cfac915 Jaskaran Khurana 2019-07-17 36
6a8bbd6bb3b982 Deven Bowers 2020-04-06 37 int verity_verify_root_hash(const struct dm_verity *v);
88cd3e6cfac915 Jaskaran Khurana 2019-07-17 @38 {
88cd3e6cfac915 Jaskaran Khurana 2019-07-17 39 return 0;
88cd3e6cfac915 Jaskaran Khurana 2019-07-17 40 }
88cd3e6cfac915 Jaskaran Khurana 2019-07-17 41
:::::: The code at line 38 was first introduced by commit
:::::: 88cd3e6cfac915f50f7aa7b699bdf053afec866e dm verity: add root hash pkcs#7 signature verification
:::::: TO: Jaskaran Khurana <jaskarankhurana@linux.microsoft.com>
:::::: CC: Mike Snitzer <snitzer@redhat.com>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 25392 bytes --]
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 02/12] security: add ipe lsm evaluation loop and audit system
2020-04-06 22:14 ` [RFC PATCH v2 02/12] security: add ipe lsm evaluation loop and audit system deven.desai
@ 2020-04-07 12:13 ` Jann Horn
2020-04-09 16:27 ` Deven Bowers
0 siblings, 1 reply; 27+ messages in thread
From: Jann Horn @ 2020-04-07 12:13 UTC (permalink / raw)
To: deven.desai
Cc: agk, Jens Axboe, snitzer, James Morris, Serge E. Hallyn,
Mimi Zohar, linux-integrity, linux-security-module, dm-devel,
linux-block, tyhicks, Pavel Tatashin, Sasha Levin,
jaskarankhurana, nramas, mdsakib, kernel list
On Tue, Apr 7, 2020 at 12:14 AM <deven.desai@linux.microsoft.com> wrote:
> Add the core logic of the IPE LSM, the evaluation loop (engine),
> the audit system, and the skeleton of the policy structure.
Here's a first review pass for this patch without really understanding
your data structures yet:
[...]
> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
> new file mode 100644
> index 000000000000..0c67cd049d0c
> --- /dev/null
> +++ b/security/ipe/Kconfig
> @@ -0,0 +1,41 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +#
> +# Integrity Policy Enforcement (IPE) configuration
> +#
> +
> +menuconfig SECURITY_IPE
> + bool "Integrity Policy Enforcement (IPE)"
> + depends on SECURITY && AUDIT
> + select SYSTEM_DATA_VERIFICATION
> + help
> + This option enables the Integrity Policy Enforcement subsystem,
> + allowing systems to enforce integrity requirements on various
> + aspects of user-mode applications. These requirements are
> + controlled by a policy.
This text is very generic and doesn't really make it clear how IPE is
different from other LSMs; could you perhaps add some more text here
on the parts of IPE that distinguish it from other LSMs?
In the cover letter, you have this stuff at the top:
"""
The type of system for which IPE is designed for use is an embedded device
with a specific purpose (e.g. network firewall device in a data center),
where all software and configuration is built and provisioned by the owner.
Specifically, a system which leverages IPE is not intended for general
purpose computing and does not utilize any software or configuration
built by a third party. An ideal system to leverage IPE has both mutable
and immutable components, however, all binary executable code is immutable.
The scope of IPE is constrained to the OS. It is assumed that platform
firmware verifies the the kernel and optionally the root filesystem (e.g.
via U-Boot verified boot). IPE then utilizes LSM hooks to enforce a
flexible, kernel-resident integrity verification policy.
IPE differs from other LSMs which provide integrity checking (for instance,
IMA), as it has no dependency on the filesystem metadata itself. The
attributes that IPE checks are deterministic properties that exist solely
in the kernel. Additionally, IPE provides no additional mechanisms of
verifying these files (e.g. IMA Signatures) - all of the attributes of
verifying files are existing features within the kernel, such as dm-verity
or fsverity.
IPE provides a policy that allows owners of the system to easily specify
integrity requirements and uses dm-verity signatures to simplify the
authentication of allowed objects like authorized code and data.
"""
Perhaps you could add a summary of that here?
[...]
> diff --git a/security/ipe/ipe-audit.c b/security/ipe/ipe-audit.c
[...]
> +void ipe_audit_mode(void)
> +{
> + struct audit_buffer *ab;
> +
> + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
> + AUDIT_INTEGRITY_MODE);
Why is this GFP_ATOMIC? ipe_audit_mode() is used from
ipe_switch_mode(), which is allowed to sleep, right?
> + if (!ab)
> + return;
> +
> + audit_log_format(ab, "IPE mode=%s", (enforce) ? IPE_MODE_ENFORCE :
> + IPE_MODE_PERMISSIVE);
> +
> + audit_log_end(ab);
> +}
[...]
> +/**
> + * ipe_audit_ignore_line: Emit a warning that the line was not understood by
> + * IPE's parser and the line will be ignored and not
> + * parsed.
> + * @line_num: line number that is being ignored.
> + */
> +void ipe_audit_ignore_line(size_t i)
> +{
> + pr_warn("failed to parse line number %zu, ignoring", i);
> +}
It seems a bit silly to have an extra method just for this?
> +/**
> + * ipe_audit_policy_activation: Emit an audit event that a specific policy
> + * was activated as the active policy.
> + * @pol: policy that is being activated
> + */
> +void ipe_audit_policy_activation(const struct ipe_policy *pol)
> +{
> + struct audit_buffer *ab;
> +
> + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
> + AUDIT_INTEGRITY_POLICY_ACTIVATE);
Again, this runs in sleepable context and GFP_ATOMIC is unnecessary, right?
> + if (!ab)
> + return;
> +
> + audit_log_format(ab, POLICY_ACTIVATE_STR, pol->policy_name,
> + pol->policy_version.major, pol->policy_version.minor,
> + pol->policy_version.rev);
> +
> + audit_log_end(ab);
> +}
[...]
> diff --git a/security/ipe/ipe-engine.c b/security/ipe/ipe-engine.c
[...]
> +/**
> + * get_audit_pathname: Return the absolute path of the file struct passed in
> + * @file: file to derive an absolute path from.
> + *
> + * This function walks past chroots and mount points.
[...]
> + */
> +static char *get_audit_pathname(const struct file *file)
> +{
[...]
> + sb = file->f_path.dentry->d_sb;
> +
> + pathbuf = __getname();
> + if (!pathbuf) {
> + rc = -ENOMEM;
> + goto err;
> + }
> +
> + pos = d_absolute_path(&file->f_path, pathbuf, PATH_MAX);
Just as an FYI, no change required: d_absolute_path() will also
succeed for files that are not contained within the filesystem root of
the current process; in that case, you'll get stuff like paths rooted
in a different mount namespace.
> + if (IS_ERR(pos)) {
> + rc = PTR_ERR(pos);
> + goto err;
> + }
> +
> + temp_path = __getname();
> + if (!temp_path) {
> + rc = -ENOMEM;
> + goto err;
> + }
> +
> + strlcpy(temp_path, pos, PATH_MAX);
> +
> + if (pathbuf)
This check seems superfluous.
> + __putname(pathbuf);
> +
> + return temp_path;
> +err:
> + if (pathbuf)
> + __putname(pathbuf);
> + if (temp_path)
> + __putname(temp_path);
> +
> + return ERR_PTR(rc);
> +}
[...]
> +/**
> + * prealloc_cache: preallocate the cache tree for all ipe properties, so
> + * that this data maybe used later in the read side critical
s/maybe/may be/
> + * section.
> + * @ctx: Ipe engine context structure passed to the property prealloc function.
> + * @cache: Root of the cache tree to insert nodes under.
> + *
> + * Return:
> + * 0 - OK
> + * -ENOMEM - Out of memory
> + * Other - See individual property preallocator functions.
> + */
> +static int prealloc_cache(struct ipe_engine_ctx *ctx,
> + struct rb_root *cache)
> +{
> + int rc = 0;
> + struct rb_node *node;
> + struct ipe_prop_reg *reg;
> + struct ipe_prop_cache *storage;
> +
> + for (node = rb_first(&ipe_registry_root); node; node = rb_next(node)) {
> + reg = container_of(node, struct ipe_prop_reg, node);
> +
> + storage = insert_or_find_cache(cache, reg->prop);
> + if (IS_ERR(storage))
> + return PTR_ERR(storage);
> +
> + if (reg->prop->prealloc) {
> + rc = reg->prop->prealloc(ctx, &storage->storage);
> + if (rc != 0)
> + return rc;
> + }
> + }
> +
> + return rc;
> +}
> +
> +/**
> + * evaluate: Process an @ctx against IPE's current active policy.
> + * @ctx: the engine ctx to perform an evaluation on.
> + * @cache: the red-black tree root that is used for cache storage.
> + *
> + * This uses a preallocated @cache as storage for the properties to avoid
> + * re-evaulation.
> + *
> + * Return:
> + * -EACCES - A match occurred against a "action=DENY" rule
> + * -ENOMEM - Out of memory
> + */
> +static int evaluate(struct ipe_engine_ctx *ctx, struct rb_root *cache)
> +{
> + int rc = 0;
> + bool match = false;
> + enum ipe_action action;
> + struct ipe_prop_cache *c;
> + enum ipe_match match_type;
> + const struct ipe_rule *rule;
> + const struct ipe_policy *pol;
> + const struct ipe_rule_table *rules;
> + const struct ipe_prop_container *prop;
> +
> + if (!ipe_active_policy)
Please use rcu_access_pointer() here.
> + return rc;
> +
> + rcu_read_lock();
> +
> + pol = rcu_dereference(ipe_active_policy);
> +
> + rules = &pol->ops[ctx->op];
> +
> + list_for_each_entry(rule, &rules->rules, next) {
> + match = true;
> +
> + list_for_each_entry(prop, &rule->props, next) {
> + void *cache = NULL;
> +
> + if (prop->prop->prealloc) {
> + c = insert_or_find_cache(cache, prop->prop);
What's going on with the `cache` pointer here? We give
insert_or_find_cache() a NULL cache, and then in
insert_or_find_cache() `new` will be a near-NULL pointer, and it'll
crash immediately at `while (*new)`? Am I missing something?
Also, I think the intent here is that the preceding call to
prealloc_cache() should have allocated memory for us. If so, can you
please add a short comment here, something like "/* won't sleep
because of preceding prealloc_cache() */"?
> + if (IS_ERR(c))
> + return PTR_ERR(c);
> +
> + cache = c->storage;
> + }
> +
> + match = match && prop->prop->eval(ctx, prop->value,
> + &cache);
> + }
> +
> + if (match)
> + break;
> + }
> +
> + if (match) {
> + match_type = ipe_match_rule;
> + action = rule->action;
> + } else if (rules->def != ipe_action_unset) {
> + match_type = ipe_match_table;
> + action = rules->def;
> + rule = NULL;
> + } else {
> + match_type = ipe_match_global;
> + action = pol->def;
> + rule = NULL;
> + }
> +
> + ipe_audit_match(ctx, cache, match_type, action, rule);
> +
> + if (action == ipe_action_deny)
> + rc = -EACCES;
> +
> + if (enforce == 0)
> + rc = 0;
> +
> + rcu_read_unlock();
> + return rc;
> +}
> +
> +/**
> + * ipe_process_event: Perform an evaluation of @file, @op, and @hook against
> + * IPE's current active policy.
> + * @file: File that is being evaluated against IPE policy.
> + * @op: Operation that the file is being evaluated against.
> + * @hook: Specific hook that the file is being evaluated through.
> + *
> + * Return:
> + * -ENOMEM: (No Memory)
> + * -EACCES: (A match occurred against a "action=DENY" rule)
> + */
> +int ipe_process_event(const struct file *file, enum ipe_op op,
> + enum ipe_hook hook)
> +{
> + int rc = 0;
> + struct ipe_engine_ctx *ctx;
> + struct rb_root cache = RB_ROOT;
> +
> + ctx = build_ctx(file, op, hook);
> + if (IS_ERR(ctx))
> + goto cleanup;
> +
> + rc = prealloc_cache(ctx, &cache);
> + if (rc != 0)
> + goto cleanup;
> +
> + rc = evaluate(ctx, &cache);
> +
> +cleanup:
> + free_ctx(ctx);
> + destroy_cache(&cache);
> + return rc;
> +}
[...]
> diff --git a/security/ipe/ipe-hooks.c b/security/ipe/ipe-hooks.c
[..]
> +#define HAS_EXEC(_p, _rp) (((_rp) & PROT_EXEC) || ((_p) & PROT_EXEC))
This should be unnecessary; reqprot are the protections requested by
userspace, prot are the possibly expanded protections the kernel is
applying. I think you just want to use prot and ignore reqprot.
[...]
> diff --git a/security/ipe/ipe-policy.h b/security/ipe/ipe-policy.h
[...]
> +extern const char *const ipe_boot_policy;
I don't see anything in the entire patch series that actually sets
this variable. Am I missing something?
> +extern const struct ipe_policy *ipe_active_policy;
[...]
> diff --git a/security/ipe/ipe-property.c b/security/ipe/ipe-property.c
[...]
> +/* global root containing all registered properties */
> +struct rb_root ipe_registry_root = RB_ROOT;
[...]
> +static struct ipe_prop_reg *reg_lookup(const char *key)
> +{
> + struct rb_node *n = ipe_registry_root.rb_node;
> +
> + while (n) {
> + int r;
> + struct ipe_prop_reg *reg =
> + container_of(n, struct ipe_prop_reg, node);
> +
> + r = strcmp(reg->prop->property_name, key);
> + if (r == 0)
> + return reg;
> + else if (r > 0)
> + n = n->rb_right;
> + else
> + n = n->rb_left;
> + }
> +
> + return NULL;
> +}
Where is the locking for ipe_registry_root? I've looked through the
callers and can't find it. Also, please add a lockdep assertion
(`lockdep_assert_held(...)`) here if possible to ensure that when the
kernel is buildt with appropriate debugging options turned on
(CONFIG_LOCKDEP), it will warn about calling this method with
inappropriate locking.
[...]
> +/**
> + * ipe_register_property: Insert a property into the registration system.
> + * @prop: Read-only property structure containing the property_name, as well
> + * as the necessary function pointers for a property.
> + *
> + * The caller needs to maintain the lifetime of @prop throughout the life of
> + * the system, after calling ipe_register_property.
> + *
> + * All necessary properties need to be loaded via this method before
> + * loading a policy, otherwise the properties will be ignored as unknown.
> + *
> + * Return:
> + * 0 - OK
> + * -EEXIST - A key exists with the name @prop->property_name
> + * -ENOMEM - Out of memory
> + */
> +int ipe_register_property(const struct ipe_property *prop);
Normal Linux kernel style is to have comments on the definitions of
methods (in the .c files), not in the headers. It looks like you
duplicated the same comment between the header and the .c file -
please don't do that. Same thing in a bunch of other places.
> +#endif /* IPE_PROPERTY_H */
> diff --git a/security/ipe/ipe-sysfs.c b/security/ipe/ipe-sysfs.c
[...]
> +#else /* !CONFIG_SYSCTL */
> +
> +/**
> + * ipe_sysctl_init: Initialize IPE's sysfs entries.
> + *
> + * Return:
> + * 0 - OK
> + * -ENOMEM - Sysctl registration failed
> + */
> +inline int __init ipe_sysctl_init(void)
"inline" doesn't make sense to me if the caller is in a different
compilation unit
[...]
> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
[...]
> +/**
> + * ipe_load_properties: Call the property entry points for all the IPE modules
> + * that were selected at kernel build-time.
> + *
> + * Return:
> + * 0 - OK
> + */
> +static int __init ipe_load_properties(void)
> +{
> + return 0;
> +}
this belongs in patch 4 ("ipe: add property for trust of boot volume")
[...]
> +static int __init ipe_init(void)
> +{
> + int rc = 0;
useless initialization
> + rc = ipe_sysctl_init();
> + if (rc != 0)
> + pr_err("failed to configure sysctl: %d", -rc);
pr_err() needs to have an explicit \n at the end of the message unless
you're planning to continue printing more text on the same line via
pr_cont(). Same issue in many other places.
> +
> + pr_info("mode=%s", (enforce == 1) ? IPE_MODE_ENFORCE :
> + IPE_MODE_PERMISSIVE);
> +
> + RCU_INIT_POINTER(ipe_active_policy, NULL);
Why? Statically allocated variables are zero-initialized by default in C.
> + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "IPE");
> +
> + return rc;
> +}
[...]
> +/**
> + * enforce: Kernel command line parameter to set the permissive mode for IPE
> + * at system startup. By default, this will always be in enforce mode.
> + *
> + * This is also controlled by the sysctl, "ipe.enforce".
> + */
> +module_param(enforce, int, 0644);
> +MODULE_PARM_DESC(enforce, "enforce/permissive mode switch");
[...]
> +/**
> + * success_audit: Kernel command line parameter to enable success auditing
> + * (emit an audit event when a file is allowed) at system
> + * startup. By default, this will be off.
> + *
> + * This is also controlled by the sysctl, "ipe.success_audit".
> + */
> +int success_audit;
> +module_param(success_audit, int, 0644);
> +MODULE_PARM_DESC(success_audit, "audit message on allow");
There is a pending patch series that will allow setting arbitrary
sysctls from the kernel command line
(https://lore.kernel.org/lkml/20200330115535.3215-1-vbabka@suse.cz/);
if that also works for your usecase, you should probably avoid
explicitly adding module parameters here, unless that is necessary
because the pending series sets the sysctls too late.
> diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
[...]
> +extern int enforce;
> +extern int success_audit;
You probably shouldn't be defining global symbols with such broad
names to avoid colliding with global symbols defined elsewhere in the
kernel. Consider adding "ipe_" prefixes to the variable names, or
something like that.
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 03/12] security: add ipe lsm policy parser and policy loading
2020-04-06 22:14 ` [RFC PATCH v2 03/12] security: add ipe lsm policy parser and policy loading deven.desai
@ 2020-04-07 15:39 ` Jann Horn
2020-04-09 16:41 ` Deven Bowers
0 siblings, 1 reply; 27+ messages in thread
From: Jann Horn @ 2020-04-07 15:39 UTC (permalink / raw)
To: deven.desai
Cc: agk, Jens Axboe, snitzer, James Morris, Serge E. Hallyn,
Mimi Zohar, linux-integrity, linux-security-module, dm-devel,
linux-block, tyhicks, Pavel Tatashin, Sasha Levin,
jaskarankhurana, nramas, mdsakib, kernel list
On Tue, Apr 7, 2020 at 12:14 AM <deven.desai@linux.microsoft.com> wrote:
[...]
> Adds the policy parser and the policy loading to IPE, along with the
> related sysfs and securityfs entries.
[...]
> diff --git a/security/ipe/ipe-parse.c b/security/ipe/ipe-parse.c
[...]
> +/* Internal Type Definitions */
> +enum property_priority {
> + other = 0,
> + action = 1,
> + op = 2,
> + default_action = 3,
> + policy_ver = 4,
> + policy_name = 5,
> +};
> +
> +struct token {
> + struct list_head next_tok;
> + const char *key;
> + enum property_priority key_priority;
> + const char *val;
> +};
> +
[...]
> +/**
> + * ipe_free_policy: Deallocate an ipe_policy structure.
> + * @pol: Policy to free.
> + */
> +void ipe_free_policy(struct ipe_policy *pol)
> +{
> + size_t i;
> + struct ipe_rule *ptr;
> + struct ipe_rule_table *op;
> + struct list_head *l_ptr, *l_next;
> +
> + if (IS_ERR_OR_NULL(pol))
> + return;
> +
> + for (i = 0; i < ARRAY_SIZE(pol->ops); ++i) {
> + op = &pol->ops[i];
> +
> + list_for_each_safe(l_ptr, l_next, &op->rules) {
> + ptr = list_entry(l_ptr, struct ipe_rule, next);
> + list_del(l_ptr);
> + ipe_free_rule(ptr);
> + }
> + }
> +
> + kfree(pol->policy_name);
> + kfree(pol);
> + pol = NULL;
What is this assignment supposed to do?
> +}
[...]
> diff --git a/security/ipe/ipe-policy.c b/security/ipe/ipe-policy.c
[...]
> +/**
> + * ipe_is_active_policy: Determine if @policy is the currently active policy.
> + * @policy: Policy to check if it's the active policy.
> + *
> + * NOTE: If this attribute is needed to be consistent over a critical section,
> + * do not use this function, as it does not hold the read lock over the
> + * entirety of the critical section.
> + *
> + * Return:
> + * true - @policy is the active policy
> + * false - @policy is not the active policy
> + */
> +bool ipe_is_active_policy(const struct ipe_policy *policy)
> +{
> + bool result;
> +
> + rcu_read_lock();
> +
> + result = rcu_dereference(ipe_active_policy) == policy;
> +
> + rcu_read_unlock();
You're not actually accessing the pointer, so you can use rcu_access_pointer()
and get rid of the rcu_read_lock()/rcu_read_unlock(). Then this helper turns
into a one-liner.
> + return result;
> +}
> +
> +/**
> + * ipe_update_active_policy: Determine if @old is the active policy, and update
> + * the active policy if necessary.
> + * @old: The previous policy that the update is trying to replace.
> + * @new: The new policy attempting to replace @old.
> + *
> + * If @old is not the active policy, nothing will be done.
> + *
> + * Return:
> + * 0 - OK
> + * -EBADMSG - Invalid Policy
> + */
> +int ipe_update_active_policy(const struct ipe_policy *old,
> + const struct ipe_policy *new)
> +{
> + int rc = 0;
> + const struct ipe_policy *curr_policy = NULL;
> +
> + /* no active policy, safe to update */
> + if (!ipe_active_policy)
This should be rcu_access_pointer().
> + return 0;
[...]
> +}
[...]
> diff --git a/security/ipe/ipe-secfs.c b/security/ipe/ipe-secfs.c
[...]
> +/**
> + * alloc_callback: Callback given to verify_pkcs7_signature function to set
> + * the inner content reference and parse the policy.
> + * @ctx: "ipe_policy_node" to set inner content, size and parsed policy of.
> + * @data: Start of PKCS#7 inner content.
> + * @len: Length of @data.
> + * @asn1hdrlen: Unused.
> + *
> + * Return:
> + * 0 - OK
> + * ERR_PTR(-EBADMSG) - Invalid policy syntax
> + * ERR_PTR(-ENOMEM) - Out of memory
> + */
> +static int alloc_callback(void *ctx, const void *data, size_t len,
> + size_t asn1hdrlen)
> +{
> + char *cpy = NULL;
> + struct ipe_policy *pol = NULL;
> + struct ipe_policy_node *n = (struct ipe_policy_node *)ctx;
> +
> + n->content = (const u8 *)data;
> + n->content_size = len;
> +
> + if (len == 0)
> + return -EBADMSG;
> +
> + cpy = kzalloc(len + 1, GFP_KERNEL);
> + if (!cpy)
> + return -ENOMEM;
> +
> + (void)strncpy(cpy, data, len);
Shouldn't this just be memcpy()?
> + pol = ipe_parse_policy(cpy);
> + if (IS_ERR(pol)) {
> + kfree(cpy);
> + return PTR_ERR(pol);
> + }
> +
> + n->parsed = pol;
> + kfree(cpy);
> + return 0;
> +}
[...]
> +static ssize_t ipe_secfs_new_policy(struct file *f, const char __user *data,
> + size_t len, loff_t *offset)
> +{
> + ssize_t rc = 0;
> + u8 *cpy = NULL;
> + ssize_t written = 0;
> +
> + if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
> + return -EPERM;
Use file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN) instead, both here and
elsewhere.
> + cpy = kzalloc(len, GFP_KERNEL);
> + if (!cpy) {
> + rc = -ENOMEM;
> + goto err;
> + }
> +
> + written = simple_write_to_buffer(cpy, len, offset, data, len);
> + if (written < 0) {
> + rc = written;
> + goto err;
> + }
This should probably be memdup_user() instead of
kzalloc()+simple_write_to_buffer()?
> + rc = ipe_build_policy_secfs_node(cpy, written);
> +err:
> + kfree(cpy);
> + return rc < 0 ? rc : written;
> +}
> +
> +/**
> + * retrieve_backed_dentry: Retrieve a dentry with a backing inode, identified
> + * by @name, under @parent.
> + * @name: Name of the dentry under @parent.
> + * @parent: The parent dentry to search under for @name.
> + * @size: Length of @name.
> + *
> + * This takes a reference to the returned dentry. Caller needs to call dput
> + * to drop the reference.
> + *
> + * Return:
> + * valid dentry - OK
> + * ERR_PTR - Error, see lookup_one_len_unlocked
> + * NULL - No backing inode was found
> + */
> +static struct dentry *retrieve_backed_dentry(const char *name,
> + struct dentry *parent,
> + size_t size)
> +{
> + int rc = 0;
> + struct dentry *tmp = NULL;
> +
> + tmp = lookup_one_len_unlocked(name, parent, size);
> + if (IS_ERR(tmp)) {
> + rc = PTR_ERR(tmp);
> + goto out;
> + }
You could just "return tmp;" here.
> +
> + if (!d_really_is_positive(tmp))
> + goto out1;
And here "return NULL;".
> + return tmp;
> +out1:
> + tmp = NULL;
This just sets a variable that is never read again to NULL?
> +out:
> + return rc == 0 ? NULL : ERR_PTR(rc);
> +}
> +
> +/**
> + * ipe_secfs_del_policy: Delete a policy indicated by the name provided by
> + * @data
> + * @f: Unused.
> + * @data: Buffer containing the policy id to delete.
> + * @len: Length of @data.
> + * @offset: Offset into @data.
> + *
> + * NOTE: Newlines are treated as part of the name, if using echo to test,
> + * use -n to prohibit the silent addition of a newline.
> + *
> + * Return:
> + * > 0 - OK
> + * -ENOMEM - Out of memory
> + * -EPERM - Policy is active
> + * -ENOENT - Policy does not exist
> + * -EPERM - if a MAC subsystem is enabled, missing CAP_MAC_ADMIN
> + * Other - See retrieve_backed_dentry
> + */
> +static ssize_t ipe_secfs_del_policy(struct file *f, const char __user *data,
> + size_t len, loff_t *offset)
> +{
> + ssize_t rc = 0;
> + char *id = NULL;
> + ssize_t written = 0;
> + struct dentry *raw = NULL;
> + struct dentry *content = NULL;
> + struct inode *policy_i = NULL;
> + struct dentry *policy_root = NULL;
> + struct inode *policies_root = NULL;
> + const struct ipe_policy *target = NULL;
> +
> + if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
> + return -EPERM;
> +
> + id = kzalloc(len, GFP_KERNEL);
> + if (!id) {
> + rc = -ENOMEM;
> + goto out;
> + }
> +
> + written = simple_write_to_buffer(id, len, offset, data, len);
> + if (written < 0) {
> + rc = written;
> + goto out;
> + }
> +
> + policies_root = d_inode(ipe_policies_root);
> +
> + policy_root = retrieve_backed_dentry(id, ipe_policies_root, written);
> + if (IS_ERR_OR_NULL(policy_root)) {
> + rc = IS_ERR(policy_root) ? PTR_ERR(policy_root) : -ENOENT;
> + goto out;
> + }
> +
> + policy_i = d_inode(policy_root);
> +
> + /* if the found dentry matches boot policy, fail */
> + if (boot_policy_node == policy_root) {
> + rc = -EACCES;
> + goto out1;
> + }
> +
> + target = ((struct ipe_policy_node *)policy_i->i_private)->parsed;
> +
> + /* fail if it's the active policy */
> + if (ipe_is_active_policy(target)) {
> + rc = -EPERM;
> + goto out1;
> + }
Why can it not become the active policy after this check?
> + raw = retrieve_backed_dentry(IPE_FULL_CONTENT, policy_root,
> + strlen(IPE_FULL_CONTENT));
> + if (IS_ERR_OR_NULL(raw)) {
> + rc = IS_ERR(raw) ? PTR_ERR(raw) : -ENOENT;
> + goto out1;
> + }
> +
> + content = retrieve_backed_dentry(IPE_INNER_CONTENT, policy_root,
> + strlen(IPE_INNER_CONTENT));
> + if (IS_ERR_OR_NULL(content)) {
> + rc = IS_ERR(content) ? PTR_ERR(content) : -ENOENT;
> + goto out2;
> + }
> +
> + inode_lock(policies_root);
> + ipe_free_policy_node(policy_i->i_private);
> + policy_i->i_private = NULL;
> + inode_unlock(policies_root);
> +
> + dput(raw);
> + dput(content);
> + dput(policy_root);
> + securityfs_remove(raw);
> + securityfs_remove(content);
> + securityfs_remove(policy_root);
> +
> + kfree(id);
> + return written;
> +out2:
> + dput(raw);
> +out1:
> + dput(policy_root);
> +out:
> + kfree(id);
> + return rc;
> +}
> +
> +/**
> + * ipe_secfs_rd_policy: Read the raw content (full enveloped PKCS7) data of
> + * the policy stored within the file's parent inode.
> + * @f: File representing the securityfs entry.
> + * @data: User mode buffer to place the raw pkcs7.
> + * @len: Length of @data.
> + * @offset: Offset into @data.
> + *
> + * Return:
> + * > 0 - OK
> + * -ENOMEM - Out of memory
> + */
> +static ssize_t ipe_secfs_rd_policy(struct file *f, char __user *data,
> + size_t size, loff_t *offset)
> +{
> + ssize_t rc = 0;
> + size_t avail = 0;
> + u8 *buffer = NULL;
> + struct inode *root = NULL;
> + const struct ipe_policy_node *node = NULL;
> +
> + root = d_inode(f->f_path.dentry->d_parent);
> +
> + inode_lock_shared(root);
> + node = (const struct ipe_policy_node *)root->i_private;
> +
> + avail = node->data_len;
> + buffer = kmemdup(node->data, avail, GFP_KERNEL);
> + if (!buffer) {
> + rc = -ENOMEM;
> + goto cleanup;
> + }
> +
> + rc = simple_read_from_buffer(data, size, offset, buffer, avail);
> +cleanup:
> + inode_unlock_shared(root);
Same thing as in ipe_secfs_rd_content(): simple_read_from_buffer() needlessly
within locked section, buffer not freed.
> +
> + return rc;
> +}
> +
> +/**
> + * ipe_secfs_ud_policy: Update a policy in place with a new PKCS7 policy.
> + * @f: File representing the securityfs entry.
> + * @data: Buffer user mode to place the raw pkcs7.
> + * @len: Length of @data.
> + * @offset: Offset into @data.
> + *
> + * Return:
> + * 0 - OK
> + * -EBADMSG - Invalid policy format
> + * -ENOMEM - Out of memory
> + * -EPERM - if a MAC subsystem is enabled, missing CAP_MAC_ADMIN
> + * -EINVAL - Incorrect policy name for this node, or version is < current
> + */
> +static ssize_t ipe_secfs_ud_policy(struct file *f, const char __user *data,
> + size_t len, loff_t *offset)
> +{
> + ssize_t rc = 0;
> + u8 *cpy = NULL;
> + ssize_t written = 0;
> + struct inode *root = NULL;
> + struct crypto_shash *tfm = NULL;
> + struct ipe_policy_node *new = NULL;
> + struct ipe_policy_node *old = NULL;
> +
> + if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
> + return -EPERM;
> +
> + cpy = kzalloc(len, GFP_KERNEL);
> + if (!cpy) {
> + rc = -ENOMEM;
> + goto out;
> + }
> +
> + written = simple_write_to_buffer(cpy, len, offset, data, len);
> + if (written < 0) {
> + rc = written;
> + goto out;
> + }
You'd probably be better off just doing memdup_user() here.
simple_write_to_buffer() only makes sense if you have a buffer that can be
continuously updated with multiple writes.
> + new = ipe_alloc_policy_node(cpy, len);
> + if (IS_ERR(new)) {
> + rc = PTR_ERR(new);
> + goto out;
> + }
> +
> + tfm = crypto_alloc_shash("sha1", 0, 0);
> + if (IS_ERR(tfm))
> + goto out2;
> +
> + root = d_inode(f->f_path.dentry->d_parent);
> + inode_lock(root);
> +
> + old = (struct ipe_policy_node *)root->i_private;
> +
> + if (strcmp(old->parsed->policy_name, new->parsed->policy_name)) {
> + rc = -EINVAL;
> + goto out3;
> + }
> +
> + if (!ipe_is_valid_policy(old->parsed, new->parsed)) {
> + rc = -EINVAL;
> + goto out3;
> + }
> +
> + rc = ipe_update_active_policy(old->parsed, new->parsed);
> + if (rc != 0)
> + goto out3;
> +
> + ipe_audit_policy_load(new->parsed, new->data, new->data_len, tfm);
> + swap(root->i_private, new);
> +
> + inode_unlock(root);
> + kfree(cpy);
> + ipe_free_policy_node(new);
> + crypto_free_shash(tfm);
> +
> + return written;
> +out3:
> + inode_unlock(root);
> + ipe_free_policy_node(new);
> +out2:
> + crypto_free_shash(tfm);
> +out:
> + kfree(cpy);
> + return rc;
> +}
[...]
> +static ssize_t ipe_secfs_rd_content(struct file *f, char __user *data,
> + size_t size, loff_t *offset)
> +{
> + ssize_t rc = 0;
> + size_t avail = 0;
> + u8 *buffer = NULL;
> + struct inode *root = NULL;
> + const struct ipe_policy_node *node = NULL;
> +
> + root = d_inode(f->f_path.dentry->d_parent);
> +
> + inode_lock(root);
> + node = (const struct ipe_policy_node *)root->i_private;
> +
> + avail = node->content_size;
> + buffer = kmemdup(node->content, avail, GFP_KERNEL);
> + if (!buffer) {
> + rc = -ENOMEM;
> + goto cleanup;
> + }
> +
> + rc = simple_read_from_buffer(data, size, offset, buffer, avail);
> +cleanup:
> + inode_unlock(root);
Why are you nod doing the simple_read_from_buffer() after inode_unlock()?
The way you're doing it now, there isn't really a point in the kmemdup() at
all...
Also, you'll have to free the buffer before returning.
> + return rc;
> +}
[...]
> diff --git a/security/ipe/ipe-sysfs.c b/security/ipe/ipe-sysfs.c
[...]
> +static int ipe_switch_active_policy(struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp,
> + loff_t *ppos)
> +{
> + int rc = 0;
> + char *id = NULL;
> + size_t size = 0;
> +
> + if (write) {
> + id = kzalloc((*lenp) + 1, GFP_KERNEL);
> + if (!id)
> + return -ENOMEM;
> +
> + table->data = id;
> + table->maxlen = (*lenp) + 1;
> +
> + rc = proc_dostring(table, write, buffer, lenp, ppos);
> + if (rc != 0)
> + goto out;
> +
> + rc = ipe_set_active_policy(id, strlen(id));
> + } else {
> + rcu_read_lock();
> + size = strlen(rcu_dereference(ipe_active_policy)->policy_name);
Can't `ipe_active_policy` be NULL here?
> + rcu_read_unlock();
> +
> + id = kzalloc(size + 1, GFP_KERNEL);
The `+ 1` seems unnecessary.
> + if (!id)
> + return -ENOMEM;
> +
> + rcu_read_lock();
> + strncpy(id, rcu_dereference(ipe_active_policy)->policy_name,
> + size);
> + rcu_read_unlock();
> +
> + table->data = id;
> + table->maxlen = size;
> +
> + rc = proc_dostring(table, write, buffer, lenp, ppos);
> + }
> +out:
> + kfree(id);
> + return rc;
> +}
> +
> +#endif /* CONFIG_SECURITYFS */
[...]
> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
[...]
> +
> +/**
> + * strict_parse: Kernel command line parameter to enable strict parsing of
> + * IPE policies - causing unrecognized properties to fail
> + * parsing. This breaks backwards compatibility of IPE policies,
> + * when enabled.
I guess the backwards compatibility stuff is referring to an out-of-tree version
of this series that you've already shipped?
> + * This is also controlled by the sysctl, "ipe.strict_parse".
> + */
(Also, same thing as in the other patch re sysctls and kernel command line
parameters for the same feature.)
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 00/12] Integrity Policy Enforcement LSM (IPE)
2020-04-06 22:14 ` deven.desai
` (12 preceding siblings ...)
(?)
@ 2020-04-07 21:31 ` Nayna
2020-04-09 16:25 ` Deven Bowers
-1 siblings, 1 reply; 27+ messages in thread
From: Nayna @ 2020-04-07 21:31 UTC (permalink / raw)
To: deven.desai
Cc: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block, tyhicks,
pasha.tatashin, sashal, jaskarankhurana, nramas, mdsakib,
linux-kernel
On 4/6/20 6:14 PM, deven.desai@linux.microsoft.com wrote:
> From: Deven Bowers <deven.desai@linux.microsoft.com>
>
> Changelog:
> ------------------------------------
>
> v1: Introduced
>
> v2:
> Split the second patch of the previous series into two.
> Minor corrections in the cover-letter and documentation
> comments regarding CAP_MAC_ADMIN checks in IPE.
>
> Overview:
> ------------------------------------
> IPE is a Linux Security Module, which allows for a configurable
> policy to enforce integrity requirements on the whole system. It
> attempts to solve the issue of Code Integrity: that any code being
> executed (or files being read), are identical to the version that
> was built by a trusted source.
Can you please clarify the "motivation" for this patch set more clearly?
It seems to define a policy layer on top of dm-verity, which may be
compiled into the kernel. In the motivation, can you please also make it
explicit why existing mechanisms cannot be extended to achieve your purpose?
Also, AFIK, the changelog should be moved to the end of the patch
description.
Thanks & Regards,
- Nayna
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 00/12] Integrity Policy Enforcement LSM (IPE)
2020-04-07 21:31 ` [RFC PATCH v2 00/12] Integrity Policy Enforcement LSM (IPE) Nayna
@ 2020-04-09 16:25 ` Deven Bowers
0 siblings, 0 replies; 27+ messages in thread
From: Deven Bowers @ 2020-04-09 16:25 UTC (permalink / raw)
To: Nayna
Cc: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block, tyhicks,
pasha.tatashin, sashal, jaskarankhurana, nramas, mdsakib,
linux-kernel
On 4/7/2020 2:31 PM, Nayna wrote:
>
> On 4/6/20 6:14 PM, deven.desai@linux.microsoft.com wrote:
>> From: Deven Bowers <deven.desai@linux.microsoft.com>
>>
>> Changelog:
>> ------------------------------------
>>
>> v1: Introduced
>>
>> v2:
>> Split the second patch of the previous series into two.
>> Minor corrections in the cover-letter and documentation
>> comments regarding CAP_MAC_ADMIN checks in IPE.
>>
>> Overview:
>> ------------------------------------
>> IPE is a Linux Security Module, which allows for a configurable
>> policy to enforce integrity requirements on the whole system. It
>> attempts to solve the issue of Code Integrity: that any code being
>> executed (or files being read), are identical to the version that
>> was built by a trusted source.
>
> Can you please clarify the "motivation" for this patch set more
> clearly? It seems to define a policy layer on top of dm-verity, which
> may be compiled into the kernel. In the motivation, can you please
> also make it explicit why existing mechanisms cannot be extended to
> achieve your purpose?
>
This LSM was born out of a motivation to provide strong integrity
guarantees without a dependency on file-metadata, allow the integrity
claims to be configurable on a hot system, and allow for the mechanisms
for ensuring integrity to be extendable.
This naturally had to be an LSM, as controlling execution at the block
or filesystem layer does not make sense. Existing LSM implementations
use filesystem metadata, and since one of IPE's goals is to secure file
metadata, it is circular to depend on the file metadata itself to make
decisions about whether the file has been modified.
Additionally, IPE while IPE currently provides dm-verity support and the
trust root support, it can be easily extended to other implementations
such as fs-verity. At it's core, IPE is attempting to separate mechanism
(dm-verity, fs-verity, etc.) from policy (IPE).
> Also, AFIK, the changelog should be moved to the end of the patch
> description.
>
Thanks! I'll move the changelog.
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 02/12] security: add ipe lsm evaluation loop and audit system
2020-04-07 12:13 ` Jann Horn
@ 2020-04-09 16:27 ` Deven Bowers
0 siblings, 0 replies; 27+ messages in thread
From: Deven Bowers @ 2020-04-09 16:27 UTC (permalink / raw)
To: Jann Horn
Cc: agk, Jens Axboe, snitzer, James Morris, Serge E. Hallyn,
Mimi Zohar, linux-integrity, linux-security-module, dm-devel,
linux-block, tyhicks, Pavel Tatashin, Sasha Levin,
jaskarankhurana, nramas, mdsakib, kernel list
On 4/7/2020 5:13 AM, Jann Horn wrote:
> On Tue, Apr 7, 2020 at 12:14 AM<deven.desai@linux.microsoft.com> wrote:
>> Add the core logic of the IPE LSM, the evaluation loop (engine),
>> the audit system, and the skeleton of the policy structure.
> Here's a first review pass for this patch without really understanding
> your data structures yet:
>
> [...]
>> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
>> new file mode 100644
>> index 000000000000..0c67cd049d0c
>> --- /dev/null
>> +++ b/security/ipe/Kconfig
>> @@ -0,0 +1,41 @@
>> +# SPDX-License-Identifier: GPL-2.0-only
>> +#
>> +# Integrity Policy Enforcement (IPE) configuration
>> +#
>> +
>> +menuconfig SECURITY_IPE
>> + bool "Integrity Policy Enforcement (IPE)"
>> + depends on SECURITY && AUDIT
>> + select SYSTEM_DATA_VERIFICATION
>> + help
>> + This option enables the Integrity Policy Enforcement subsystem,
>> + allowing systems to enforce integrity requirements on various
>> + aspects of user-mode applications. These requirements are
>> + controlled by a policy.
> This text is very generic and doesn't really make it clear how IPE is
> different from other LSMs; could you perhaps add some more text here
> on the parts of IPE that distinguish it from other LSMs?
>
> In the cover letter, you have this stuff at the top:
>
> """
> The type of system for which IPE is designed for use is an embedded device
> with a specific purpose (e.g. network firewall device in a data center),
> where all software and configuration is built and provisioned by the owner.
>
> Specifically, a system which leverages IPE is not intended for general
> purpose computing and does not utilize any software or configuration
> built by a third party. An ideal system to leverage IPE has both mutable
> and immutable components, however, all binary executable code is immutable.
>
> The scope of IPE is constrained to the OS. It is assumed that platform
> firmware verifies the the kernel and optionally the root filesystem (e.g.
> via U-Boot verified boot). IPE then utilizes LSM hooks to enforce a
> flexible, kernel-resident integrity verification policy.
>
> IPE differs from other LSMs which provide integrity checking (for instance,
> IMA), as it has no dependency on the filesystem metadata itself. The
> attributes that IPE checks are deterministic properties that exist solely
> in the kernel. Additionally, IPE provides no additional mechanisms of
> verifying these files (e.g. IMA Signatures) - all of the attributes of
> verifying files are existing features within the kernel, such as dm-verity
> or fsverity.
>
> IPE provides a policy that allows owners of the system to easily specify
> integrity requirements and uses dm-verity signatures to simplify the
> authentication of allowed objects like authorized code and data.
> """
>
> Perhaps you could add a summary of that here?
Sure, no problem. I'll add a bit more detail to the Kconfig in v3,
something
like:
"""
This option enables the Integrity Policy Enforcement subsystem
allowing systems to enforce integrity requirements on user land
binaries. IPE differs from other LSMs by removing dependencies
on filesystem metadata, making its decisions based off of kernel-
resident features and data structures. A key feature of IPE is a
customizable policy to allow admins to reconfigure integrity
requirements on the fly.
"""
> [...]
>> diff --git a/security/ipe/ipe-audit.c b/security/ipe/ipe-audit.c
> [...]
>> +void ipe_audit_mode(void)
>> +{
>> + struct audit_buffer *ab;
>> +
>> + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
>> + AUDIT_INTEGRITY_MODE);
> Why is this GFP_ATOMIC? ipe_audit_mode() is used from
> ipe_switch_mode(), which is allowed to sleep, right?
Yeah, that's a fair point. I had originally based _all_ of these audit
functions off of common_lsm_audit which utilizes these two flags.
We chose not to use that specific function for several reasons, but
there's no reason to keep these allocator flags. I'll move it to
GFP_KERNEL.
>> + if (!ab)
>> + return;
>> +
>> + audit_log_format(ab, "IPE mode=%s", (enforce) ? IPE_MODE_ENFORCE :
>> + IPE_MODE_PERMISSIVE);
>> +
>> + audit_log_end(ab);
>> +}
> [...]
>> +/**
>> + * ipe_audit_ignore_line: Emit a warning that the line was not understood by
>> + * IPE's parser and the line will be ignored and not
>> + * parsed.
>> + * @line_num: line number that is being ignored.
>> + */
>> +void ipe_audit_ignore_line(size_t i)
>> +{
>> + pr_warn("failed to parse line number %zu, ignoring", i);
>> +}
> It seems a bit silly to have an extra method just for this?
Fair point. I wanted to collapse as much of the *common* user-facing
strings
into one file, and I was trying to adhere to the 80-character limit.
I'll remove the function and inline it.
>> +/**
>> + * ipe_audit_policy_activation: Emit an audit event that a specific policy
>> + * was activated as the active policy.
>> + * @pol: policy that is being activated
>> + */
>> +void ipe_audit_policy_activation(const struct ipe_policy *pol)
>> +{
>> + struct audit_buffer *ab;
>> +
>> + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
>> + AUDIT_INTEGRITY_POLICY_ACTIVATE);
> Again, this runs in sleepable context and GFP_ATOMIC is unnecessary, right?
Yep. I'll fix it in v3. Same with ipe_audit_policy_activation, below.
The only one
that runs in non-sleepable context is ipe_audit_match.
>> + if (!ab)
>> + return;
>> +
>> + audit_log_format(ab, POLICY_ACTIVATE_STR, pol->policy_name,
>> + pol->policy_version.major, pol->policy_version.minor,
>> + pol->policy_version.rev);
>> +
>> + audit_log_end(ab);
>> +}
> [...]
>> diff --git a/security/ipe/ipe-engine.c b/security/ipe/ipe-engine.c
> [...]
>> +/**
>> + * get_audit_pathname: Return the absolute path of the file struct passed in
>> + * @file: file to derive an absolute path from.
>> + *
>> + * This function walks past chroots and mount points.
> [...]
>> + */
>> +static char *get_audit_pathname(const struct file *file)
>> +{
> [...]
>> + sb = file->f_path.dentry->d_sb;
>> +
>> + pathbuf = __getname();
>> + if (!pathbuf) {
>> + rc = -ENOMEM;
>> + goto err;
>> + }
>> +
>> + pos = d_absolute_path(&file->f_path, pathbuf, PATH_MAX);
> Just as an FYI, no change required: d_absolute_path() will also
> succeed for files that are not contained within the filesystem root of
> the current process; in that case, you'll get stuff like paths rooted
> in a different mount namespace.
>
>> + if (IS_ERR(pos)) {
>> + rc = PTR_ERR(pos);
>> + goto err;
>> + }
>> +
>> + temp_path = __getname();
>> + if (!temp_path) {
>> + rc = -ENOMEM;
>> + goto err;
>> + }
>> +
>> + strlcpy(temp_path, pos, PATH_MAX);
>> +
>> + if (pathbuf)
> This check seems superfluous.
I'll remove it.
>> + __putname(pathbuf);
>> +
>> + return temp_path;
>> +err:
>> + if (pathbuf)
>> + __putname(pathbuf);
>> + if (temp_path)
>> + __putname(temp_path);
>> +
>> + return ERR_PTR(rc);
>> +}
> [...]
>> +/**
>> + * prealloc_cache: preallocate the cache tree for all ipe properties, so
>> + * that this data maybe used later in the read side critical
> s/maybe/may be/
Thanks!
>> + * section.
>> + * @ctx: Ipe engine context structure passed to the property prealloc function.
>> + * @cache: Root of the cache tree to insert nodes under.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * -ENOMEM - Out of memory
>> + * Other - See individual property preallocator functions.
>> + */
>> +static int prealloc_cache(struct ipe_engine_ctx *ctx,
>> + struct rb_root *cache)
>> +{
>> + int rc = 0;
>> + struct rb_node *node;
>> + struct ipe_prop_reg *reg;
>> + struct ipe_prop_cache *storage;
>> +
>> + for (node = rb_first(&ipe_registry_root); node; node = rb_next(node)) {
>> + reg = container_of(node, struct ipe_prop_reg, node);
>> +
>> + storage = insert_or_find_cache(cache, reg->prop);
>> + if (IS_ERR(storage))
>> + return PTR_ERR(storage);
>> +
>> + if (reg->prop->prealloc) {
>> + rc = reg->prop->prealloc(ctx, &storage->storage);
>> + if (rc != 0)
>> + return rc;
>> + }
>> + }
>> +
>> + return rc;
>> +}
>> +
>> +/**
>> + * evaluate: Process an @ctx against IPE's current active policy.
>> + * @ctx: the engine ctx to perform an evaluation on.
>> + * @cache: the red-black tree root that is used for cache storage.
>> + *
>> + * This uses a preallocated @cache as storage for the properties to avoid
>> + * re-evaulation.
>> + *
>> + * Return:
>> + * -EACCES - A match occurred against a "action=DENY" rule
>> + * -ENOMEM - Out of memory
>> + */
>> +static int evaluate(struct ipe_engine_ctx *ctx, struct rb_root *cache)
>> +{
>> + int rc = 0;
>> + bool match = false;
>> + enum ipe_action action;
>> + struct ipe_prop_cache *c;
>> + enum ipe_match match_type;
>> + const struct ipe_rule *rule;
>> + const struct ipe_policy *pol;
>> + const struct ipe_rule_table *rules;
>> + const struct ipe_prop_container *prop;
>> +
>> + if (!ipe_active_policy)
> Please use rcu_access_pointer() here.
Thanks. I'm still new to rcu - any comments or corrections regarding it
are greatly appreciated.
>> + return rc;
>> +
>> + rcu_read_lock();
>> +
>> + pol = rcu_dereference(ipe_active_policy);
>> +
>> + rules = &pol->ops[ctx->op];
>> +
>> + list_for_each_entry(rule, &rules->rules, next) {
>> + match = true;
>> +
>> + list_for_each_entry(prop, &rule->props, next) {
>> + void *cache = NULL;
>> +
>> + if (prop->prop->prealloc) {
>> + c = insert_or_find_cache(cache, prop->prop);
> What's going on with the `cache` pointer here? We give
> insert_or_find_cache() a NULL cache, and then in
> insert_or_find_cache() `new` will be a near-NULL pointer, and it'll
> crash immediately at `while (*new)`? Am I missing something?
>
> Also, I think the intent here is that the preceding call to
> prealloc_cache() should have allocated memory for us. If so, can you
> please add a short comment here, something like "/* won't sleep
> because of preceding prealloc_cache() */"?
Well, this is embarrassing. This is supposed to be the argument, cache,
not the variable, cache. The variable shadowing does indeed do what you
describe.
This didn't come up in any of my testing because none of the
properties introduced in this patch series utilize the cache. It's kept in
to facilitate the storage of potentially expensive operations.
I'm just going to cut out all of this code. It'll be re-added
if something actually needs it.
>> + if (IS_ERR(c))
>> + return PTR_ERR(c);
>> +
>> + cache = c->storage;
>> + }
>> +
>> + match = match && prop->prop->eval(ctx, prop->value,
>> + &cache);
>> + }
>> +
>> + if (match)
>> + break;
>> + }
>> +
>> + if (match) {
>> + match_type = ipe_match_rule;
>> + action = rule->action;
>> + } else if (rules->def != ipe_action_unset) {
>> + match_type = ipe_match_table;
>> + action = rules->def;
>> + rule = NULL;
>> + } else {
>> + match_type = ipe_match_global;
>> + action = pol->def;
>> + rule = NULL;
>> + }
>> +
>> + ipe_audit_match(ctx, cache, match_type, action, rule);
>> +
>> + if (action == ipe_action_deny)
>> + rc = -EACCES;
>> +
>> + if (enforce == 0)
>> + rc = 0;
>> +
>> + rcu_read_unlock();
>> + return rc;
>> +}
>> +
>> +/**
>> + * ipe_process_event: Perform an evaluation of @file, @op, and @hook against
>> + * IPE's current active policy.
>> + * @file: File that is being evaluated against IPE policy.
>> + * @op: Operation that the file is being evaluated against.
>> + * @hook: Specific hook that the file is being evaluated through.
>> + *
>> + * Return:
>> + * -ENOMEM: (No Memory)
>> + * -EACCES: (A match occurred against a "action=DENY" rule)
>> + */
>> +int ipe_process_event(const struct file *file, enum ipe_op op,
>> + enum ipe_hook hook)
>> +{
>> + int rc = 0;
>> + struct ipe_engine_ctx *ctx;
>> + struct rb_root cache = RB_ROOT;
>> +
>> + ctx = build_ctx(file, op, hook);
>> + if (IS_ERR(ctx))
>> + goto cleanup;
>> +
>> + rc = prealloc_cache(ctx, &cache);
>> + if (rc != 0)
>> + goto cleanup;
>> +
>> + rc = evaluate(ctx, &cache);
>> +
>> +cleanup:
>> + free_ctx(ctx);
>> + destroy_cache(&cache);
>> + return rc;
>> +}
> [...]
>> diff --git a/security/ipe/ipe-hooks.c b/security/ipe/ipe-hooks.c
> [..]
>> +#define HAS_EXEC(_p, _rp) (((_rp) & PROT_EXEC) || ((_p) & PROT_EXEC))
> This should be unnecessary; reqprot are the protections requested by
> userspace, prot are the possibly expanded protections the kernel is
> applying. I think you just want to use prot and ignore reqprot.
Thanks, I'll correct it.
> [...]
>> diff --git a/security/ipe/ipe-policy.h b/security/ipe/ipe-policy.h
> [...]
>> +extern const char *const ipe_boot_policy;
> I don't see anything in the entire patch series that actually sets
> this variable. Am I missing something?
This variable is set by an auto-generated file, invoked by the tool created
in the first patch of this series. It creates a file called "ipe-bp.c"
whose
only purpose is to set this variable.
>> +extern const struct ipe_policy *ipe_active_policy;
> [...]
>> diff --git a/security/ipe/ipe-property.c b/security/ipe/ipe-property.c
> [...]
>> +/* global root containing all registered properties */
>> +struct rb_root ipe_registry_root = RB_ROOT;
> [...]
>> +static struct ipe_prop_reg *reg_lookup(const char *key)
>> +{
>> + struct rb_node *n = ipe_registry_root.rb_node;
>> +
>> + while (n) {
>> + int r;
>> + struct ipe_prop_reg *reg =
>> + container_of(n, struct ipe_prop_reg, node);
>> +
>> + r = strcmp(reg->prop->property_name, key);
>> + if (r == 0)
>> + return reg;
>> + else if (r > 0)
>> + n = n->rb_right;
>> + else
>> + n = n->rb_left;
>> + }
>> +
>> + return NULL;
>> +}
> Where is the locking for ipe_registry_root? I've looked through the
> callers and can't find it. Also, please add a lockdep assertion
> (`lockdep_assert_held(...)`) here if possible to ensure that when the
> kernel is buildt with appropriate debugging options turned on
> (CONFIG_LOCKDEP), it will warn about calling this method with
> inappropriate locking.
I'm not sure why locking is necessary on this structure? This structure is
only added to, synchronously, at lsm_init. The first time it's queried
after
that is core_init with ipe_securityfs_init. Every subsequent time is when
user mode is setup and 1.) IPE is evaluating a binary, or 2.) IPE is
loading
a policy. We don't support the run time loading of properties, nor do we
support the removal of policies, so the tree should be stable without locks?
> [...]
>> +/**
>> + * ipe_register_property: Insert a property into the registration system.
>> + * @prop: Read-only property structure containing the property_name, as well
>> + * as the necessary function pointers for a property.
>> + *
>> + * The caller needs to maintain the lifetime of @prop throughout the life of
>> + * the system, after calling ipe_register_property.
>> + *
>> + * All necessary properties need to be loaded via this method before
>> + * loading a policy, otherwise the properties will be ignored as unknown.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * -EEXIST - A key exists with the name @prop->property_name
>> + * -ENOMEM - Out of memory
>> + */
>> +int ipe_register_property(const struct ipe_property *prop);
> Normal Linux kernel style is to have comments on the definitions of
> methods (in the .c files), not in the headers. It looks like you
> duplicated the same comment between the header and the .c file -
> please don't do that. Same thing in a bunch of other places.
Thanks, I'll strip the header comments.
>> +#endif /* IPE_PROPERTY_H */
>> diff --git a/security/ipe/ipe-sysfs.c b/security/ipe/ipe-sysfs.c
> [...]
>> +#else /* !CONFIG_SYSCTL */
>> +
>> +/**
>> + * ipe_sysctl_init: Initialize IPE's sysfs entries.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * -ENOMEM - Sysctl registration failed
>> + */
>> +inline int __init ipe_sysctl_init(void)
> "inline" doesn't make sense to me if the caller is in a different
> compilation unit
I'll remove it.
> [...]
>> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
> [...]
>> +/**
>> + * ipe_load_properties: Call the property entry points for all the IPE modules
>> + * that were selected at kernel build-time.
>> + *
>> + * Return:
>> + * 0 - OK
>> + */
>> +static int __init ipe_load_properties(void)
>> +{
>> + return 0;
>> +}
> this belongs in patch 4 ("ipe: add property for trust of boot volume")
I'll move it forward.
> [...]
>> +static int __init ipe_init(void)
>> +{
>> + int rc = 0;
> useless initialization
I'll fix it.
>> + rc = ipe_sysctl_init();
>> + if (rc != 0)
>> + pr_err("failed to configure sysctl: %d", -rc);
> pr_err() needs to have an explicit \n at the end of the message unless
> you're planning to continue printing more text on the same line via
> pr_cont(). Same issue in many other places.
Easily fixed by adding a \n to pr_fmt. Will be fixed in next iteration.
>> +
>> + pr_info("mode=%s", (enforce == 1) ? IPE_MODE_ENFORCE :
>> + IPE_MODE_PERMISSIVE);
>> +
>> + RCU_INIT_POINTER(ipe_active_policy, NULL);
> Why? Statically allocated variables are zero-initialized by default in C.
This is my inexperience with rcu. I recognize statically allocated
variables
are zero-initialized, however, I thought that the rcu system needed to set
things up with the pointer through this method before it can be used.
I'll remove it.
>> + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "IPE");
>> +
>> + return rc;
>> +}
> [...]
>> +/**
>> + * enforce: Kernel command line parameter to set the permissive mode for IPE
>> + * at system startup. By default, this will always be in enforce mode.
>> + *
>> + * This is also controlled by the sysctl, "ipe.enforce".
>> + */
>> +module_param(enforce, int, 0644);
>> +MODULE_PARM_DESC(enforce, "enforce/permissive mode switch");
> [...]
>> +/**
>> + * success_audit: Kernel command line parameter to enable success auditing
>> + * (emit an audit event when a file is allowed) at system
>> + * startup. By default, this will be off.
>> + *
>> + * This is also controlled by the sysctl, "ipe.success_audit".
>> + */
>> +int success_audit;
>> +module_param(success_audit, int, 0644);
>> +MODULE_PARM_DESC(success_audit, "audit message on allow");
> There is a pending patch series that will allow setting arbitrary
> sysctls from the kernel command line
> (https://lore.kernel.org/lkml/20200330115535.3215-1-vbabka@suse.cz/);
> if that also works for your usecase, you should probably avoid
> explicitly adding module parameters here, unless that is necessary
> because the pending series sets the sysctls too late.
Ah, this is great! It's not a problem with the sysctls being set too
late - the
enforce and success_audit sysctls only come into play once user land is
setup
after kernel boot,
>> diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
> [...]
>> +extern int enforce;
>> +extern int success_audit;
> You probably shouldn't be defining global symbols with such broad
> names to avoid colliding with global symbols defined elsewhere in the
> kernel. Consider adding "ipe_" prefixes to the variable names, or
> something like that.
I'll add the prefixes. Thanks.
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 03/12] security: add ipe lsm policy parser and policy loading
2020-04-07 15:39 ` Jann Horn
@ 2020-04-09 16:41 ` Deven Bowers
0 siblings, 0 replies; 27+ messages in thread
From: Deven Bowers @ 2020-04-09 16:41 UTC (permalink / raw)
To: Jann Horn
Cc: agk, Jens Axboe, snitzer, James Morris, Serge E. Hallyn,
Mimi Zohar, linux-integrity, linux-security-module, dm-devel,
linux-block, tyhicks, Pavel Tatashin, Sasha Levin,
jaskarankhurana, nramas, mdsakib, kernel list
On 4/7/2020 8:39 AM, Jann Horn wrote:
> On Tue, Apr 7, 2020 at 12:14 AM<deven.desai@linux.microsoft.com> wrote:
> [...]
>> Adds the policy parser and the policy loading to IPE, along with the
>> related sysfs and securityfs entries.
> [...]
>> diff --git a/security/ipe/ipe-parse.c b/security/ipe/ipe-parse.c
> [...]
>> +/* Internal Type Definitions */
>> +enum property_priority {
>> + other = 0,
>> + action = 1,
>> + op = 2,
>> + default_action = 3,
>> + policy_ver = 4,
>> + policy_name = 5,
>> +};
>> +
>> +struct token {
>> + struct list_head next_tok;
>> + const char *key;
>> + enum property_priority key_priority;
>> + const char *val;
>> +};
>> +
> [...]
>> +/**
>> + * ipe_free_policy: Deallocate an ipe_policy structure.
>> + * @pol: Policy to free.
>> + */
>> +void ipe_free_policy(struct ipe_policy *pol)
>> +{
>> + size_t i;
>> + struct ipe_rule *ptr;
>> + struct ipe_rule_table *op;
>> + struct list_head *l_ptr, *l_next;
>> +
>> + if (IS_ERR_OR_NULL(pol))
>> + return;
>> +
>> + for (i = 0; i < ARRAY_SIZE(pol->ops); ++i) {
>> + op = &pol->ops[i];
>> +
>> + list_for_each_safe(l_ptr, l_next, &op->rules) {
>> + ptr = list_entry(l_ptr, struct ipe_rule, next);
>> + list_del(l_ptr);
>> + ipe_free_rule(ptr);
>> + }
>> + }
>> +
>> + kfree(pol->policy_name);
>> + kfree(pol);
>> + pol = NULL;
> What is this assignment supposed to do?
Apologies, it's a useless statement. I occasionally forget to strip this
pattern throughout my code. It's supposed to help avoid double-free
but ultimately it's useless.
>> +}
> [...]
>> diff --git a/security/ipe/ipe-policy.c b/security/ipe/ipe-policy.c
> [...]
>> +/**
>> + * ipe_is_active_policy: Determine if @policy is the currently active policy.
>> + * @policy: Policy to check if it's the active policy.
>> + *
>> + * NOTE: If this attribute is needed to be consistent over a critical section,
>> + * do not use this function, as it does not hold the read lock over the
>> + * entirety of the critical section.
>> + *
>> + * Return:
>> + * true - @policy is the active policy
>> + * false - @policy is not the active policy
>> + */
>> +bool ipe_is_active_policy(const struct ipe_policy *policy)
>> +{
>> + bool result;
>> +
>> + rcu_read_lock();
>> +
>> + result = rcu_dereference(ipe_active_policy) == policy;
>> +
>> + rcu_read_unlock();
> You're not actually accessing the pointer, so you can use rcu_access_pointer()
> and get rid of the rcu_read_lock()/rcu_read_unlock(). Then this helper turns
> into a one-liner.
Got it. There's several places it looks like I did this. I'll fix it all.
>> + return result;
>> +}
>> +
>> +/**
>> + * ipe_update_active_policy: Determine if @old is the active policy, and update
>> + * the active policy if necessary.
>> + * @old: The previous policy that the update is trying to replace.
>> + * @new: The new policy attempting to replace @old.
>> + *
>> + * If @old is not the active policy, nothing will be done.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * -EBADMSG - Invalid Policy
>> + */
>> +int ipe_update_active_policy(const struct ipe_policy *old,
>> + const struct ipe_policy *new)
>> +{
>> + int rc = 0;
>> + const struct ipe_policy *curr_policy = NULL;
>> +
>> + /* no active policy, safe to update */
>> + if (!ipe_active_policy)
> This should be rcu_access_pointer().
Got it.
>> + return 0;
> [...]
>> +}
> [...]
>> diff --git a/security/ipe/ipe-secfs.c b/security/ipe/ipe-secfs.c
> [...]
>> +/**
>> + * alloc_callback: Callback given to verify_pkcs7_signature function to set
>> + * the inner content reference and parse the policy.
>> + * @ctx: "ipe_policy_node" to set inner content, size and parsed policy of.
>> + * @data: Start of PKCS#7 inner content.
>> + * @len: Length of @data.
>> + * @asn1hdrlen: Unused.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * ERR_PTR(-EBADMSG) - Invalid policy syntax
>> + * ERR_PTR(-ENOMEM) - Out of memory
>> + */
>> +static int alloc_callback(void *ctx, const void *data, size_t len,
>> + size_t asn1hdrlen)
>> +{
>> + char *cpy = NULL;
>> + struct ipe_policy *pol = NULL;
>> + struct ipe_policy_node *n = (struct ipe_policy_node *)ctx;
>> +
>> + n->content = (const u8 *)data;
>> + n->content_size = len;
>> +
>> + if (len == 0)
>> + return -EBADMSG;
>> +
>> + cpy = kzalloc(len + 1, GFP_KERNEL);
>> + if (!cpy)
>> + return -ENOMEM;
>> +
>> + (void)strncpy(cpy, data, len);
> Shouldn't this just be memcpy()?
Good point. It won't ever be null terminated because of the
signature format, so it's effectively memcpy. I'll change it.
>> + pol = ipe_parse_policy(cpy);
>> + if (IS_ERR(pol)) {
>> + kfree(cpy);
>> + return PTR_ERR(pol);
>> + }
>> +
>> + n->parsed = pol;
>> + kfree(cpy);
>> + return 0;
>> +}
> [...]
>> +static ssize_t ipe_secfs_new_policy(struct file *f, const char __user *data,
>> + size_t len, loff_t *offset)
>> +{
>> + ssize_t rc = 0;
>> + u8 *cpy = NULL;
>> + ssize_t written = 0;
>> +
>> + if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
>> + return -EPERM;
> Use file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN) instead, both here and
> elsewhere.
Thanks.
>> + cpy = kzalloc(len, GFP_KERNEL);
>> + if (!cpy) {
>> + rc = -ENOMEM;
>> + goto err;
>> + }
>> +
>> + written = simple_write_to_buffer(cpy, len, offset, data, len);
>> + if (written < 0) {
>> + rc = written;
>> + goto err;
>> + }
> This should probably be memdup_user() instead of
> kzalloc()+simple_write_to_buffer()?
I wasn't aware of memdup_user. I'll change it next iteration.
>> + rc = ipe_build_policy_secfs_node(cpy, written);
>> +err:
>> + kfree(cpy);
>> + return rc < 0 ? rc : written;
>> +}
>> +
>> +/**
>> + * retrieve_backed_dentry: Retrieve a dentry with a backing inode, identified
>> + * by @name, under @parent.
>> + * @name: Name of the dentry under @parent.
>> + * @parent: The parent dentry to search under for @name.
>> + * @size: Length of @name.
>> + *
>> + * This takes a reference to the returned dentry. Caller needs to call dput
>> + * to drop the reference.
>> + *
>> + * Return:
>> + * valid dentry - OK
>> + * ERR_PTR - Error, see lookup_one_len_unlocked
>> + * NULL - No backing inode was found
>> + */
>> +static struct dentry *retrieve_backed_dentry(const char *name,
>> + struct dentry *parent,
>> + size_t size)
>> +{
>> + int rc = 0;
>> + struct dentry *tmp = NULL;
>> +
>> + tmp = lookup_one_len_unlocked(name, parent, size);
>> + if (IS_ERR(tmp)) {
>> + rc = PTR_ERR(tmp);
>> + goto out;
>> + }
> You could just "return tmp;" here.
>
>> +
>> + if (!d_really_is_positive(tmp))
>> + goto out1;
> And here "return NULL;".
>
>> + return tmp;
>> +out1:
>> + tmp = NULL;
> This just sets a variable that is never read again to NULL?
Thanks, I'll fix these up.
>> +out:
>> + return rc == 0 ? NULL : ERR_PTR(rc);
>> +}
>> +
>> +/**
>> + * ipe_secfs_del_policy: Delete a policy indicated by the name provided by
>> + * @data
>> + * @f: Unused.
>> + * @data: Buffer containing the policy id to delete.
>> + * @len: Length of @data.
>> + * @offset: Offset into @data.
>> + *
>> + * NOTE: Newlines are treated as part of the name, if using echo to test,
>> + * use -n to prohibit the silent addition of a newline.
>> + *
>> + * Return:
>> + * > 0 - OK
>> + * -ENOMEM - Out of memory
>> + * -EPERM - Policy is active
>> + * -ENOENT - Policy does not exist
>> + * -EPERM - if a MAC subsystem is enabled, missing CAP_MAC_ADMIN
>> + * Other - See retrieve_backed_dentry
>> + */
>> +static ssize_t ipe_secfs_del_policy(struct file *f, const char __user *data,
>> + size_t len, loff_t *offset)
>> +{
>> + ssize_t rc = 0;
>> + char *id = NULL;
>> + ssize_t written = 0;
>> + struct dentry *raw = NULL;
>> + struct dentry *content = NULL;
>> + struct inode *policy_i = NULL;
>> + struct dentry *policy_root = NULL;
>> + struct inode *policies_root = NULL;
>> + const struct ipe_policy *target = NULL;
>> +
>> + if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
>> + return -EPERM;
>> +
>> + id = kzalloc(len, GFP_KERNEL);
>> + if (!id) {
>> + rc = -ENOMEM;
>> + goto out;
>> + }
>> +
>> + written = simple_write_to_buffer(id, len, offset, data, len);
>> + if (written < 0) {
>> + rc = written;
>> + goto out;
>> + }
>> +
>> + policies_root = d_inode(ipe_policies_root);
>> +
>> + policy_root = retrieve_backed_dentry(id, ipe_policies_root, written);
>> + if (IS_ERR_OR_NULL(policy_root)) {
>> + rc = IS_ERR(policy_root) ? PTR_ERR(policy_root) : -ENOENT;
>> + goto out;
>> + }
>> +
>> + policy_i = d_inode(policy_root);
>> +
>> + /* if the found dentry matches boot policy, fail */
>> + if (boot_policy_node == policy_root) {
>> + rc = -EACCES;
>> + goto out1;
>> + }
>> +
>> + target = ((struct ipe_policy_node *)policy_i->i_private)->parsed;
>> +
>> + /* fail if it's the active policy */
>> + if (ipe_is_active_policy(target)) {
>> + rc = -EPERM;
>> + goto out1;
>> + }
> Why can it not become the active policy after this check?
Ah, good catch. (The test suite just caught this as well). So this needs to
be synchronized with the active policy functions. I'm pretty sure I should
just move the policy lock from the activation functions to be locked &
unlocked here. That'll enforce that both are checked in blocking sections.
>> + raw = retrieve_backed_dentry(IPE_FULL_CONTENT, policy_root,
>> + strlen(IPE_FULL_CONTENT));
>> + if (IS_ERR_OR_NULL(raw)) {
>> + rc = IS_ERR(raw) ? PTR_ERR(raw) : -ENOENT;
>> + goto out1;
>> + }
>> +
>> + content = retrieve_backed_dentry(IPE_INNER_CONTENT, policy_root,
>> + strlen(IPE_INNER_CONTENT));
>> + if (IS_ERR_OR_NULL(content)) {
>> + rc = IS_ERR(content) ? PTR_ERR(content) : -ENOENT;
>> + goto out2;
>> + }
>> +
>> + inode_lock(policies_root);
>> + ipe_free_policy_node(policy_i->i_private);
>> + policy_i->i_private = NULL;
>> + inode_unlock(policies_root);
>> +
>> + dput(raw);
>> + dput(content);
>> + dput(policy_root);
>> + securityfs_remove(raw);
>> + securityfs_remove(content);
>> + securityfs_remove(policy_root);
>> +
>> + kfree(id);
>> + return written;
>> +out2:
>> + dput(raw);
>> +out1:
>> + dput(policy_root);
>> +out:
>> + kfree(id);
>> + return rc;
>> +}
>> +
>> +/**
>> + * ipe_secfs_rd_policy: Read the raw content (full enveloped PKCS7) data of
>> + * the policy stored within the file's parent inode.
>> + * @f: File representing the securityfs entry.
>> + * @data: User mode buffer to place the raw pkcs7.
>> + * @len: Length of @data.
>> + * @offset: Offset into @data.
>> + *
>> + * Return:
>> + * > 0 - OK
>> + * -ENOMEM - Out of memory
>> + */
>> +static ssize_t ipe_secfs_rd_policy(struct file *f, char __user *data,
>> + size_t size, loff_t *offset)
>> +{
>> + ssize_t rc = 0;
>> + size_t avail = 0;
>> + u8 *buffer = NULL;
>> + struct inode *root = NULL;
>> + const struct ipe_policy_node *node = NULL;
>> +
>> + root = d_inode(f->f_path.dentry->d_parent);
>> +
>> + inode_lock_shared(root);
>> + node = (const struct ipe_policy_node *)root->i_private;
>> +
>> + avail = node->data_len;
>> + buffer = kmemdup(node->data, avail, GFP_KERNEL);
>> + if (!buffer) {
>> + rc = -ENOMEM;
>> + goto cleanup;
>> + }
>> +
>> + rc = simple_read_from_buffer(data, size, offset, buffer, avail);
>> +cleanup:
>> + inode_unlock_shared(root);
> Same thing as in ipe_secfs_rd_content(): simple_read_from_buffer() needlessly
> within locked section, buffer not freed.
I don't know how I missed such an obvious memleak. I'll remove the
unnecessary
kmemdup.
>> +
>> + return rc;
>> +}
>> +
>> +/**
>> + * ipe_secfs_ud_policy: Update a policy in place with a new PKCS7 policy.
>> + * @f: File representing the securityfs entry.
>> + * @data: Buffer user mode to place the raw pkcs7.
>> + * @len: Length of @data.
>> + * @offset: Offset into @data.
>> + *
>> + * Return:
>> + * 0 - OK
>> + * -EBADMSG - Invalid policy format
>> + * -ENOMEM - Out of memory
>> + * -EPERM - if a MAC subsystem is enabled, missing CAP_MAC_ADMIN
>> + * -EINVAL - Incorrect policy name for this node, or version is < current
>> + */
>> +static ssize_t ipe_secfs_ud_policy(struct file *f, const char __user *data,
>> + size_t len, loff_t *offset)
>> +{
>> + ssize_t rc = 0;
>> + u8 *cpy = NULL;
>> + ssize_t written = 0;
>> + struct inode *root = NULL;
>> + struct crypto_shash *tfm = NULL;
>> + struct ipe_policy_node *new = NULL;
>> + struct ipe_policy_node *old = NULL;
>> +
>> + if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
>> + return -EPERM;
>> +
>> + cpy = kzalloc(len, GFP_KERNEL);
>> + if (!cpy) {
>> + rc = -ENOMEM;
>> + goto out;
>> + }
>> +
>> + written = simple_write_to_buffer(cpy, len, offset, data, len);
>> + if (written < 0) {
>> + rc = written;
>> + goto out;
>> + }
> You'd probably be better off just doing memdup_user() here.
> simple_write_to_buffer() only makes sense if you have a buffer that can be
> continuously updated with multiple writes.
Thanks, I'll fix it.
>> + new = ipe_alloc_policy_node(cpy, len);
>> + if (IS_ERR(new)) {
>> + rc = PTR_ERR(new);
>> + goto out;
>> + }
>> +
>> + tfm = crypto_alloc_shash("sha1", 0, 0);
>> + if (IS_ERR(tfm))
>> + goto out2;
>> +
>> + root = d_inode(f->f_path.dentry->d_parent);
>> + inode_lock(root);
>> +
>> + old = (struct ipe_policy_node *)root->i_private;
>> +
>> + if (strcmp(old->parsed->policy_name, new->parsed->policy_name)) {
>> + rc = -EINVAL;
>> + goto out3;
>> + }
>> +
>> + if (!ipe_is_valid_policy(old->parsed, new->parsed)) {
>> + rc = -EINVAL;
>> + goto out3;
>> + }
>> +
>> + rc = ipe_update_active_policy(old->parsed, new->parsed);
>> + if (rc != 0)
>> + goto out3;
>> +
>> + ipe_audit_policy_load(new->parsed, new->data, new->data_len, tfm);
>> + swap(root->i_private, new);
>> +
>> + inode_unlock(root);
>> + kfree(cpy);
>> + ipe_free_policy_node(new);
>> + crypto_free_shash(tfm);
>> +
>> + return written;
>> +out3:
>> + inode_unlock(root);
>> + ipe_free_policy_node(new);
>> +out2:
>> + crypto_free_shash(tfm);
>> +out:
>> + kfree(cpy);
>> + return rc;
>> +}
> [...]
>> +static ssize_t ipe_secfs_rd_content(struct file *f, char __user *data,
>> + size_t size, loff_t *offset)
>> +{
>> + ssize_t rc = 0;
>> + size_t avail = 0;
>> + u8 *buffer = NULL;
>> + struct inode *root = NULL;
>> + const struct ipe_policy_node *node = NULL;
>> +
>> + root = d_inode(f->f_path.dentry->d_parent);
>> +
>> + inode_lock(root);
>> + node = (const struct ipe_policy_node *)root->i_private;
>> +
>> + avail = node->content_size;
>> + buffer = kmemdup(node->content, avail, GFP_KERNEL);
>> + if (!buffer) {
>> + rc = -ENOMEM;
>> + goto cleanup;
>> + }
>> +
>> + rc = simple_read_from_buffer(data, size, offset, buffer, avail);
>> +cleanup:
>> + inode_unlock(root);
> Why are you nod doing the simple_read_from_buffer() after inode_unlock()?
> The way you're doing it now, there isn't really a point in the kmemdup() at
> all...
> Also, you'll have to free the buffer before returning.
I don't know how I missed such an obvious memleak. I'll remove the
unnecessary
kmemdup.
>
>> + return rc;
>> +}
> [...]
>> diff --git a/security/ipe/ipe-sysfs.c b/security/ipe/ipe-sysfs.c
> [...]
>> +static int ipe_switch_active_policy(struct ctl_table *table, int write,
>> + void __user *buffer, size_t *lenp,
>> + loff_t *ppos)
>> +{
>> + int rc = 0;
>> + char *id = NULL;
>> + size_t size = 0;
>> +
>> + if (write) {
>> + id = kzalloc((*lenp) + 1, GFP_KERNEL);
>> + if (!id)
>> + return -ENOMEM;
>> +
>> + table->data = id;
>> + table->maxlen = (*lenp) + 1;
>> +
>> + rc = proc_dostring(table, write, buffer, lenp, ppos);
>> + if (rc != 0)
>> + goto out;
>> +
>> + rc = ipe_set_active_policy(id, strlen(id));
>> + } else {
>> + rcu_read_lock();
>> + size = strlen(rcu_dereference(ipe_active_policy)->policy_name);
> Can't `ipe_active_policy` be NULL here?
>
>> + rcu_read_unlock();
>> +
>> + id = kzalloc(size + 1, GFP_KERNEL);
> The `+ 1` seems unnecessary.
This is actually necessary. size would point to the string without
nullterm. strncpy
below is due to if the active policy changes: if it's bigger, then we
truncate, if it's
smaller, we'll exit early. Either way, it's guaranteed to be null
terminated.
Later, in proc_dostring, strlen is called, and as a result KASAN catches
an OOB
read without the +1.
>
>> + if (!id)
>> + return -ENOMEM;
>> +
>> + rcu_read_lock();
>> + strncpy(id, rcu_dereference(ipe_active_policy)->policy_name,
>> + size);
>> + rcu_read_unlock();
>> +
>> + table->data = id;
>> + table->maxlen = size;
>> +
>> + rc = proc_dostring(table, write, buffer, lenp, ppos);
>> + }
>> +out:
>> + kfree(id);
>> + return rc;
>> +}
>> +
>> +#endif /* CONFIG_SECURITYFS */
> [...]
>> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
> [...]
>> +
>> +/**
>> + * strict_parse: Kernel command line parameter to enable strict parsing of
>> + * IPE policies - causing unrecognized properties to fail
>> + * parsing. This breaks backwards compatibility of IPE policies,
>> + * when enabled.
> I guess the backwards compatibility stuff is referring to an out-of-tree version
> of this series that you've already shipped?
Actually no. The backwards compatibility stuff is intended to help
divorcing kernel updates from policy updates.
At the moment, the default behavior of IPE is to ignore any lines that
do not parse successfully. This allows policies
written for newer versions of IPE to parse and apply successfully. Thus,
policy can be updated without a dependency
on the kernel being updated.
If that behavior isn't desirable, then you can enable this sysctl /
kernel command line parameter to cause the
unrecognized lines to error fatally. Operationally, I see merits to
both methods, at the cost of what boils down
to an if statement, so I kept this as a configurable option.
>
>> + * This is also controlled by the sysctl, "ipe.strict_parse".
>> + */
> (Also, same thing as in the other patch re sysctls and kernel command line
> parameters for the same feature.)
Yes, I am going to strip out all this.
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 11/12] documentation: Add IPE Documentation
2020-04-06 22:14 ` [RFC PATCH v2 11/12] documentation: Add IPE Documentation deven.desai
@ 2020-04-14 15:38 ` Jonathan Corbet
2020-04-14 21:18 ` Deven Bowers
0 siblings, 1 reply; 27+ messages in thread
From: Jonathan Corbet @ 2020-04-14 15:38 UTC (permalink / raw)
To: deven.desai
Cc: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block, tyhicks,
pasha.tatashin, sashal, jaskarankhurana, nramas, mdsakib,
linux-kernel
On Mon, 6 Apr 2020 15:14:38 -0700
deven.desai@linux.microsoft.com wrote:
> From: Deven Bowers <deven.desai@linux.microsoft.com>
>
> Add IPE's documentation to the kernel tree.
>
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Thanks for including this nice documentation from the outset! I have a
couple of tiny nits to pick, but nothing really substantive to complain
about, so:
Acked-by: Jonathan Corbet <corbet@lwn.net>
[...]
> +IPE is a Linux Security Module, which allows for a configurable policy
I'd drop the comma (I told you these were nits!)
[...]
> +IPE Policy
> +~~~~~~~~~~
> +
> +IPE policy is designed to be both forward compatible and backwards
> +compatible. There is one required line, at the top of the policy,
> +indicating the policy name, and the policy version, for instance:
> +
> +::
> +
> + policy_name="Ex Policy" policy_version=0.0.0
This pattern can be compressed a bit by just putting the "::" at the end of
the last line of text:
indicating the policy name, and the policy version, for instance::
policy_name="Ex Policy" policy_version=0.0.0
The result is a bit more readable in the plain-text format, IMO, and
renders exactly the same in Sphinx.
Thanks,
jon
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [RFC PATCH v2 11/12] documentation: Add IPE Documentation
2020-04-14 15:38 ` Jonathan Corbet
@ 2020-04-14 21:18 ` Deven Bowers
0 siblings, 0 replies; 27+ messages in thread
From: Deven Bowers @ 2020-04-14 21:18 UTC (permalink / raw)
To: Jonathan Corbet
Cc: agk, axboe, snitzer, jmorris, serge, zohar, linux-integrity,
linux-security-module, dm-devel, linux-block, tyhicks,
pasha.tatashin, sashal, jaskarankhurana, nramas, mdsakib,
linux-kernel
On 4/14/2020 8:38 AM, Jonathan Corbet wrote:
> On Mon, 6 Apr 2020 15:14:38 -0700
> deven.desai@linux.microsoft.com wrote:
>
>> From: Deven Bowers <deven.desai@linux.microsoft.com>
>>
>> Add IPE's documentation to the kernel tree.
>>
>> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> Thanks for including this nice documentation from the outset! I have a
> couple of tiny nits to pick, but nothing really substantive to complain
> about, so:
>
> Acked-by: Jonathan Corbet <corbet@lwn.net>
Thanks!
> [...]
>
>> +IPE is a Linux Security Module, which allows for a configurable policy
> I'd drop the comma (I told you these were nits!)
Got it, thanks!
>
> [...]
>
>> +IPE Policy
>> +~~~~~~~~~~
>> +
>> +IPE policy is designed to be both forward compatible and backwards
>> +compatible. There is one required line, at the top of the policy,
>> +indicating the policy name, and the policy version, for instance:
>> +
>> +::
>> +
>> + policy_name="Ex Policy" policy_version=0.0.0
> This pattern can be compressed a bit by just putting the "::" at the end of
> the last line of text:
>
> indicating the policy name, and the policy version, for instance::
>
> policy_name="Ex Policy" policy_version=0.0.0
>
> The result is a bit more readable in the plain-text format, IMO, and
> renders exactly the same in Sphinx.
Awesome. I'll address this feedback in v3.
^ permalink raw reply [flat|nested] 27+ messages in thread
end of thread, other threads:[~2020-04-14 21:18 UTC | newest]
Thread overview: 27+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-06 22:14 [RFC PATCH v2 00/12] Integrity Policy Enforcement LSM (IPE) deven.desai
2020-04-06 22:14 ` deven.desai
2020-04-06 22:14 ` [RFC PATCH v2 01/12] scripts: add ipe tooling to generate boot policy deven.desai
2020-04-06 22:14 ` deven.desai
2020-04-06 22:14 ` [RFC PATCH v2 02/12] security: add ipe lsm evaluation loop and audit system deven.desai
2020-04-07 12:13 ` Jann Horn
2020-04-09 16:27 ` Deven Bowers
2020-04-06 22:14 ` [RFC PATCH v2 03/12] security: add ipe lsm policy parser and policy loading deven.desai
2020-04-07 15:39 ` Jann Horn
2020-04-09 16:41 ` Deven Bowers
2020-04-06 22:14 ` [RFC PATCH v2 04/12] ipe: add property for trust of boot volume deven.desai
2020-04-06 22:14 ` [RFC PATCH v2 05/12] fs: add security blob and hooks for block_device deven.desai
2020-04-06 22:14 ` [RFC PATCH v2 06/12] dm-verity: move signature check after tree validation deven.desai
2020-04-06 22:14 ` deven.desai
2020-04-07 2:25 ` kbuild test robot
2020-04-06 22:14 ` [RFC PATCH v2 07/12] dm-verity: add bdev_setsecurity hook for dm-verity signature deven.desai
2020-04-06 22:14 ` deven.desai
2020-04-06 22:14 ` [RFC PATCH v2 08/12] ipe: add property for signed dmverity volumes deven.desai
2020-04-06 22:14 ` [RFC PATCH v2 09/12] dm-verity: add bdev_setsecurity hook for root-hash deven.desai
2020-04-06 22:14 ` [RFC PATCH v2 10/12] ipe: add property for dmverity roothash deven.desai
2020-04-06 22:14 ` [RFC PATCH v2 11/12] documentation: Add IPE Documentation deven.desai
2020-04-14 15:38 ` Jonathan Corbet
2020-04-14 21:18 ` Deven Bowers
2020-04-06 22:14 ` [RFC PATCH v2 12/12] cleanup: uapi/linux/audit.h deven.desai
2020-04-06 22:14 ` deven.desai
2020-04-07 21:31 ` [RFC PATCH v2 00/12] Integrity Policy Enforcement LSM (IPE) Nayna
2020-04-09 16:25 ` Deven Bowers
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.