From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com, paul@paul-moore.com
Cc: Fan Wu <wufan@linux.microsoft.com>,
dm-devel@redhat.com, linux-doc@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
roberto.sassu@huawei.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-audit@redhat.com,
linux-integrity@vger.kernel.org
Subject: [RFC PATCH v9 01/16] security: add ipe lsm
Date: Mon, 30 Jan 2023 14:57:16 -0800 [thread overview]
Message-ID: <1675119451-23180-2-git-send-email-wufan@linux.microsoft.com> (raw)
In-Reply-To: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com>
From: Deven Bowers <deven.desai@linux.microsoft.com>
Integrity Policy Enforcement (IPE) is an LSM that provides an
complimentary approach to Mandatory Access Control than existing LSMs
today.
Existing LSMs have centered around the concept of access to a resource
should be controlled by the current user's credentials. IPE's approach,
is that access to a resource should be controlled by the system's trust
of a current resource.
The basis of this approach is defining a global policy to specify which
resource can be trusted.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
---
v2:
+ Split evaluation loop, access control hooks,
and evaluation loop from policy parser and userspace
interface to pass mailing list character limit
v3:
+ Move ipe_load_properties to patch 04.
+ Remove useless 0-initializations
+ Prefix extern variables with ipe_
+ Remove kernel module parameters, as these are
exposed through sysctls.
+ Add more prose to the IPE base config option
help text.
+ Use GFP_KERNEL for audit_log_start.
+ Remove unnecessary caching system.
+ Remove comments from headers
+ Use rcu_access_pointer for rcu-pointer null check
+ Remove usage of reqprot; use prot only.
+ Move policy load and activation audit event to 03/12
v4:
+ Remove sysctls in favor of securityfs nodes
+ Re-add kernel module parameters, as these are now
exposed through securityfs.
+ Refactor property audit loop to a separate function.
v5:
+ fix minor grammatical errors
+ do not group rule by curly-brace in audit record,
reconstruct the exact rule.
v6:
+ No changes
v7:
+ Further split lsm creation into a separate commit from the
evaluation loop and audit system, for easier review.
+ Introduce the concept of an ipe_context, a scoped way to
introduce execution policies, used initially for allowing for
kunit tests in isolation.
v8:
+ Follow lsmname_hook_name convention for lsm hooks.
+ Move LSM blob accessors to ipe.c and mark LSM blobs as static.
v9:
+ Remove ipe_context for simplification
---
MAINTAINERS | 5 +++++
security/Kconfig | 11 ++++++-----
security/Makefile | 1 +
security/ipe/Kconfig | 17 +++++++++++++++++
security/ipe/Makefile | 10 ++++++++++
security/ipe/ipe.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/ipe/ipe.h | 13 +++++++++++++
7 files changed, 92 insertions(+), 5 deletions(-)
create mode 100644 security/ipe/Kconfig
create mode 100644 security/ipe/Makefile
create mode 100644 security/ipe/ipe.c
create mode 100644 security/ipe/ipe.h
diff --git a/MAINTAINERS b/MAINTAINERS
index 8a5c25c20d00..5e27e84763cc 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10273,6 +10273,11 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
F: security/integrity/ima/
F: security/integrity/
+INTEGRITY POLICY ENFORCEMENT (IPE)
+M: Fan Wu <wufan@linux.microsoft.com>
+S: Supported
+F: security/ipe/
+
INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <adaplas@gmail.com>
L: linux-fbdev@vger.kernel.org
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..9f59add2d16c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -207,6 +207,7 @@ source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
+source "security/ipe/Kconfig"
source "security/integrity/Kconfig"
@@ -246,11 +247,11 @@ endchoice
config LSM
string "Ordered list of enabled LSMs"
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,bpf" if DEFAULT_SECURITY_DAC
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,selinux,smack,tomoyo,apparmor,bpf"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored. This can be
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..527b1864d96c 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
+obj-$(CONFIG_SECURITY_IPE) += ipe/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644
index 000000000000..e4875fb04883
--- /dev/null
+++ b/security/ipe/Kconfig
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+ bool "Integrity Policy Enforcement (IPE)"
+ depends on SECURITY && SECURITYFS
+ select PKCS7_MESSAGE_PARSER
+ select SYSTEM_DATA_VERIFICATION
+ help
+ This option enables the Integrity Policy Enforcement LSM
+ allowing users to define a policy to enforce a trust-based access
+ control. A key feature of IPE is a customizable policy to allow
+ admins to reconfigure trust requirements on the fly.
+
+ If unsure, answer N.
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
new file mode 100644
index 000000000000..571648579991
--- /dev/null
+++ b/security/ipe/Makefile
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the IPE module as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_IPE) += \
+ hooks.o \
+ ipe.o \
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
new file mode 100644
index 000000000000..9ed3bf4dcc04
--- /dev/null
+++ b/security/ipe/ipe.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+
+static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = {
+};
+
+static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
+};
+
+/**
+ * ipe_init - Entry point of IPE.
+ *
+ * This is called at LSM init, which happens occurs early during kernel
+ * start up. During this phase, IPE loads the properties compiled into
+ * the kernel, and register's IPE's hooks. The boot policy is loaded
+ * later, during securityfs init, at which point IPE will start
+ * enforcing its policy.
+ *
+ * Return:
+ * * 0 - OK
+ * * -ENOMEM - Context creation failed.
+ */
+static int __init ipe_init(void)
+{
+ int rc = 0;
+
+ security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "ipe");
+
+ return rc;
+}
+
+DEFINE_LSM(ipe) = {
+ .name = "ipe",
+ .init = ipe_init,
+ .blobs = &ipe_blobs,
+};
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
new file mode 100644
index 000000000000..ee7ec3f3b55d
--- /dev/null
+++ b/security/ipe/ipe.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef IPE_H
+#define IPE_H
+
+#define pr_fmt(fmt) "IPE " fmt "\n"
+
+#include <linux/lsm_hooks.h>
+
+#endif /* IPE_H */
--
2.39.0
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2023-01-31 13:51 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-30 22:57 [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Fan Wu
2023-01-30 22:57 ` Fan Wu [this message]
2023-03-02 19:00 ` [RFC PATCH v9 01/16] security: add ipe lsm Paul Moore
2023-04-06 19:20 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 02/16] ipe: add policy parser Fan Wu
2023-01-31 10:53 ` Roberto Sassu
2023-02-01 22:38 ` Fan Wu
2023-03-02 19:02 ` Paul Moore
2023-04-06 20:00 ` Fan Wu
2023-04-11 19:13 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider Fan Wu
2023-01-31 10:29 ` Roberto Sassu
2023-01-31 15:49 ` Roberto Sassu
2023-02-10 23:21 ` Fan Wu
2023-03-02 2:33 ` Paul Moore
2023-03-02 19:03 ` Paul Moore
2023-04-10 18:53 ` Fan Wu
2023-04-11 20:32 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 04/16] security: add new securityfs delete function Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 05/16] ipe: add userspace interface Fan Wu
2023-01-31 10:49 ` Roberto Sassu
2023-02-01 19:46 ` Fan Wu
2023-03-02 19:04 ` Paul Moore
2023-04-10 19:10 ` Fan Wu
2023-04-11 21:45 ` Paul Moore
2023-04-12 23:36 ` Fan Wu
2023-04-13 18:45 ` Paul Moore
2023-04-17 18:06 ` Fan Wu
2023-04-17 20:16 ` Paul Moore
2023-04-17 21:18 ` Fan Wu
2023-04-17 21:31 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 06/16] ipe: add LSM hooks on execution and kernel read Fan Wu
2023-01-31 12:51 ` Roberto Sassu
2023-02-09 22:42 ` Fan Wu
2023-03-02 19:05 ` Paul Moore
2023-04-10 21:22 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support Fan Wu
2023-01-31 12:57 ` Roberto Sassu
2023-01-31 17:10 ` Steve Grubb
2023-03-02 19:05 ` Paul Moore
2023-03-16 22:53 ` Fan Wu
2023-04-11 23:07 ` Paul Moore
2023-04-11 23:21 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 08/16] ipe: add permissive toggle Fan Wu
2023-03-02 19:06 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 09/16] block|security: add LSM blob to block_device Fan Wu
2023-01-31 8:53 ` Christoph Hellwig
2023-01-31 23:01 ` Fan Wu
2023-03-02 19:07 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook Fan Wu
2023-01-31 13:22 ` Roberto Sassu
2023-02-01 23:26 ` Fan Wu
2023-02-02 8:21 ` Roberto Sassu
2023-02-07 23:52 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider Fan Wu
2023-03-02 19:08 ` Paul Moore
2023-03-16 22:10 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook Fan Wu
2023-02-09 3:30 ` Eric Biggers
2023-02-09 22:21 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 13/16] ipe: enable support for fs-verity as a trust provider Fan Wu
2023-01-31 14:00 ` Roberto Sassu
2023-02-01 23:50 ` Fan Wu
2023-02-02 9:51 ` Roberto Sassu
2023-02-08 0:16 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 14/16] scripts: add boot policy generation program Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 15/16] ipe: kunit test for parser Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 16/16] documentation: add ipe documentation Fan Wu
2023-01-31 3:59 ` Bagas Sanjaya
2023-02-02 0:19 ` Fan Wu
2023-01-31 14:22 ` [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Roberto Sassu
2023-02-01 0:48 ` Fan Wu
2023-02-02 10:48 ` Roberto Sassu
2023-02-08 0:31 ` Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1675119451-23180-2-git-send-email-wufan@linux.microsoft.com \
--to=wufan@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).