From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com, paul@paul-moore.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org,
dm-devel@redhat.com, linux-audit@redhat.com,
roberto.sassu@huawei.com, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
Fan Wu <wufan@linux.microsoft.com>
Subject: [RFC PATCH v9 01/16] security: add ipe lsm
Date: Mon, 30 Jan 2023 14:57:16 -0800 [thread overview]
Message-ID: <1675119451-23180-2-git-send-email-wufan@linux.microsoft.com> (raw)
In-Reply-To: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com>
From: Deven Bowers <deven.desai@linux.microsoft.com>
Integrity Policy Enforcement (IPE) is an LSM that provides an
complimentary approach to Mandatory Access Control than existing LSMs
today.
Existing LSMs have centered around the concept of access to a resource
should be controlled by the current user's credentials. IPE's approach,
is that access to a resource should be controlled by the system's trust
of a current resource.
The basis of this approach is defining a global policy to specify which
resource can be trusted.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
---
v2:
+ Split evaluation loop, access control hooks,
and evaluation loop from policy parser and userspace
interface to pass mailing list character limit
v3:
+ Move ipe_load_properties to patch 04.
+ Remove useless 0-initializations
+ Prefix extern variables with ipe_
+ Remove kernel module parameters, as these are
exposed through sysctls.
+ Add more prose to the IPE base config option
help text.
+ Use GFP_KERNEL for audit_log_start.
+ Remove unnecessary caching system.
+ Remove comments from headers
+ Use rcu_access_pointer for rcu-pointer null check
+ Remove usage of reqprot; use prot only.
+ Move policy load and activation audit event to 03/12
v4:
+ Remove sysctls in favor of securityfs nodes
+ Re-add kernel module parameters, as these are now
exposed through securityfs.
+ Refactor property audit loop to a separate function.
v5:
+ fix minor grammatical errors
+ do not group rule by curly-brace in audit record,
reconstruct the exact rule.
v6:
+ No changes
v7:
+ Further split lsm creation into a separate commit from the
evaluation loop and audit system, for easier review.
+ Introduce the concept of an ipe_context, a scoped way to
introduce execution policies, used initially for allowing for
kunit tests in isolation.
v8:
+ Follow lsmname_hook_name convention for lsm hooks.
+ Move LSM blob accessors to ipe.c and mark LSM blobs as static.
v9:
+ Remove ipe_context for simplification
---
MAINTAINERS | 5 +++++
security/Kconfig | 11 ++++++-----
security/Makefile | 1 +
security/ipe/Kconfig | 17 +++++++++++++++++
security/ipe/Makefile | 10 ++++++++++
security/ipe/ipe.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/ipe/ipe.h | 13 +++++++++++++
7 files changed, 92 insertions(+), 5 deletions(-)
create mode 100644 security/ipe/Kconfig
create mode 100644 security/ipe/Makefile
create mode 100644 security/ipe/ipe.c
create mode 100644 security/ipe/ipe.h
diff --git a/MAINTAINERS b/MAINTAINERS
index 8a5c25c20d00..5e27e84763cc 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10273,6 +10273,11 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
F: security/integrity/ima/
F: security/integrity/
+INTEGRITY POLICY ENFORCEMENT (IPE)
+M: Fan Wu <wufan@linux.microsoft.com>
+S: Supported
+F: security/ipe/
+
INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <adaplas@gmail.com>
L: linux-fbdev@vger.kernel.org
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..9f59add2d16c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -207,6 +207,7 @@ source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
+source "security/ipe/Kconfig"
source "security/integrity/Kconfig"
@@ -246,11 +247,11 @@ endchoice
config LSM
string "Ordered list of enabled LSMs"
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,bpf" if DEFAULT_SECURITY_DAC
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,selinux,smack,tomoyo,apparmor,bpf"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored. This can be
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..527b1864d96c 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
+obj-$(CONFIG_SECURITY_IPE) += ipe/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644
index 000000000000..e4875fb04883
--- /dev/null
+++ b/security/ipe/Kconfig
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+ bool "Integrity Policy Enforcement (IPE)"
+ depends on SECURITY && SECURITYFS
+ select PKCS7_MESSAGE_PARSER
+ select SYSTEM_DATA_VERIFICATION
+ help
+ This option enables the Integrity Policy Enforcement LSM
+ allowing users to define a policy to enforce a trust-based access
+ control. A key feature of IPE is a customizable policy to allow
+ admins to reconfigure trust requirements on the fly.
+
+ If unsure, answer N.
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
new file mode 100644
index 000000000000..571648579991
--- /dev/null
+++ b/security/ipe/Makefile
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the IPE module as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_IPE) += \
+ hooks.o \
+ ipe.o \
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
new file mode 100644
index 000000000000..9ed3bf4dcc04
--- /dev/null
+++ b/security/ipe/ipe.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+
+static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = {
+};
+
+static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
+};
+
+/**
+ * ipe_init - Entry point of IPE.
+ *
+ * This is called at LSM init, which happens occurs early during kernel
+ * start up. During this phase, IPE loads the properties compiled into
+ * the kernel, and register's IPE's hooks. The boot policy is loaded
+ * later, during securityfs init, at which point IPE will start
+ * enforcing its policy.
+ *
+ * Return:
+ * * 0 - OK
+ * * -ENOMEM - Context creation failed.
+ */
+static int __init ipe_init(void)
+{
+ int rc = 0;
+
+ security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "ipe");
+
+ return rc;
+}
+
+DEFINE_LSM(ipe) = {
+ .name = "ipe",
+ .init = ipe_init,
+ .blobs = &ipe_blobs,
+};
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
new file mode 100644
index 000000000000..ee7ec3f3b55d
--- /dev/null
+++ b/security/ipe/ipe.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef IPE_H
+#define IPE_H
+
+#define pr_fmt(fmt) "IPE " fmt "\n"
+
+#include <linux/lsm_hooks.h>
+
+#endif /* IPE_H */
--
2.39.0
WARNING: multiple messages have this Message-ID (diff)
From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com, paul@paul-moore.com
Cc: Fan Wu <wufan@linux.microsoft.com>,
dm-devel@redhat.com, linux-doc@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
roberto.sassu@huawei.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-audit@redhat.com,
linux-integrity@vger.kernel.org
Subject: [dm-devel] [RFC PATCH v9 01/16] security: add ipe lsm
Date: Mon, 30 Jan 2023 14:57:16 -0800 [thread overview]
Message-ID: <1675119451-23180-2-git-send-email-wufan@linux.microsoft.com> (raw)
In-Reply-To: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com>
From: Deven Bowers <deven.desai@linux.microsoft.com>
Integrity Policy Enforcement (IPE) is an LSM that provides an
complimentary approach to Mandatory Access Control than existing LSMs
today.
Existing LSMs have centered around the concept of access to a resource
should be controlled by the current user's credentials. IPE's approach,
is that access to a resource should be controlled by the system's trust
of a current resource.
The basis of this approach is defining a global policy to specify which
resource can be trusted.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
---
v2:
+ Split evaluation loop, access control hooks,
and evaluation loop from policy parser and userspace
interface to pass mailing list character limit
v3:
+ Move ipe_load_properties to patch 04.
+ Remove useless 0-initializations
+ Prefix extern variables with ipe_
+ Remove kernel module parameters, as these are
exposed through sysctls.
+ Add more prose to the IPE base config option
help text.
+ Use GFP_KERNEL for audit_log_start.
+ Remove unnecessary caching system.
+ Remove comments from headers
+ Use rcu_access_pointer for rcu-pointer null check
+ Remove usage of reqprot; use prot only.
+ Move policy load and activation audit event to 03/12
v4:
+ Remove sysctls in favor of securityfs nodes
+ Re-add kernel module parameters, as these are now
exposed through securityfs.
+ Refactor property audit loop to a separate function.
v5:
+ fix minor grammatical errors
+ do not group rule by curly-brace in audit record,
reconstruct the exact rule.
v6:
+ No changes
v7:
+ Further split lsm creation into a separate commit from the
evaluation loop and audit system, for easier review.
+ Introduce the concept of an ipe_context, a scoped way to
introduce execution policies, used initially for allowing for
kunit tests in isolation.
v8:
+ Follow lsmname_hook_name convention for lsm hooks.
+ Move LSM blob accessors to ipe.c and mark LSM blobs as static.
v9:
+ Remove ipe_context for simplification
---
MAINTAINERS | 5 +++++
security/Kconfig | 11 ++++++-----
security/Makefile | 1 +
security/ipe/Kconfig | 17 +++++++++++++++++
security/ipe/Makefile | 10 ++++++++++
security/ipe/ipe.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/ipe/ipe.h | 13 +++++++++++++
7 files changed, 92 insertions(+), 5 deletions(-)
create mode 100644 security/ipe/Kconfig
create mode 100644 security/ipe/Makefile
create mode 100644 security/ipe/ipe.c
create mode 100644 security/ipe/ipe.h
diff --git a/MAINTAINERS b/MAINTAINERS
index 8a5c25c20d00..5e27e84763cc 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10273,6 +10273,11 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
F: security/integrity/ima/
F: security/integrity/
+INTEGRITY POLICY ENFORCEMENT (IPE)
+M: Fan Wu <wufan@linux.microsoft.com>
+S: Supported
+F: security/ipe/
+
INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <adaplas@gmail.com>
L: linux-fbdev@vger.kernel.org
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..9f59add2d16c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -207,6 +207,7 @@ source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
+source "security/ipe/Kconfig"
source "security/integrity/Kconfig"
@@ -246,11 +247,11 @@ endchoice
config LSM
string "Ordered list of enabled LSMs"
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,bpf" if DEFAULT_SECURITY_DAC
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,selinux,smack,tomoyo,apparmor,bpf"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored. This can be
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..527b1864d96c 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
+obj-$(CONFIG_SECURITY_IPE) += ipe/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644
index 000000000000..e4875fb04883
--- /dev/null
+++ b/security/ipe/Kconfig
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+ bool "Integrity Policy Enforcement (IPE)"
+ depends on SECURITY && SECURITYFS
+ select PKCS7_MESSAGE_PARSER
+ select SYSTEM_DATA_VERIFICATION
+ help
+ This option enables the Integrity Policy Enforcement LSM
+ allowing users to define a policy to enforce a trust-based access
+ control. A key feature of IPE is a customizable policy to allow
+ admins to reconfigure trust requirements on the fly.
+
+ If unsure, answer N.
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
new file mode 100644
index 000000000000..571648579991
--- /dev/null
+++ b/security/ipe/Makefile
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the IPE module as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_IPE) += \
+ hooks.o \
+ ipe.o \
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
new file mode 100644
index 000000000000..9ed3bf4dcc04
--- /dev/null
+++ b/security/ipe/ipe.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+
+static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = {
+};
+
+static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
+};
+
+/**
+ * ipe_init - Entry point of IPE.
+ *
+ * This is called at LSM init, which happens occurs early during kernel
+ * start up. During this phase, IPE loads the properties compiled into
+ * the kernel, and register's IPE's hooks. The boot policy is loaded
+ * later, during securityfs init, at which point IPE will start
+ * enforcing its policy.
+ *
+ * Return:
+ * * 0 - OK
+ * * -ENOMEM - Context creation failed.
+ */
+static int __init ipe_init(void)
+{
+ int rc = 0;
+
+ security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "ipe");
+
+ return rc;
+}
+
+DEFINE_LSM(ipe) = {
+ .name = "ipe",
+ .init = ipe_init,
+ .blobs = &ipe_blobs,
+};
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
new file mode 100644
index 000000000000..ee7ec3f3b55d
--- /dev/null
+++ b/security/ipe/ipe.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef IPE_H
+#define IPE_H
+
+#define pr_fmt(fmt) "IPE " fmt "\n"
+
+#include <linux/lsm_hooks.h>
+
+#endif /* IPE_H */
--
2.39.0
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
WARNING: multiple messages have this Message-ID (diff)
From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com, paul@paul-moore.com
Cc: Fan Wu <wufan@linux.microsoft.com>,
dm-devel@redhat.com, linux-doc@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
roberto.sassu@huawei.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-audit@redhat.com,
linux-integrity@vger.kernel.org
Subject: [RFC PATCH v9 01/16] security: add ipe lsm
Date: Mon, 30 Jan 2023 14:57:16 -0800 [thread overview]
Message-ID: <1675119451-23180-2-git-send-email-wufan@linux.microsoft.com> (raw)
In-Reply-To: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com>
From: Deven Bowers <deven.desai@linux.microsoft.com>
Integrity Policy Enforcement (IPE) is an LSM that provides an
complimentary approach to Mandatory Access Control than existing LSMs
today.
Existing LSMs have centered around the concept of access to a resource
should be controlled by the current user's credentials. IPE's approach,
is that access to a resource should be controlled by the system's trust
of a current resource.
The basis of this approach is defining a global policy to specify which
resource can be trusted.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
---
v2:
+ Split evaluation loop, access control hooks,
and evaluation loop from policy parser and userspace
interface to pass mailing list character limit
v3:
+ Move ipe_load_properties to patch 04.
+ Remove useless 0-initializations
+ Prefix extern variables with ipe_
+ Remove kernel module parameters, as these are
exposed through sysctls.
+ Add more prose to the IPE base config option
help text.
+ Use GFP_KERNEL for audit_log_start.
+ Remove unnecessary caching system.
+ Remove comments from headers
+ Use rcu_access_pointer for rcu-pointer null check
+ Remove usage of reqprot; use prot only.
+ Move policy load and activation audit event to 03/12
v4:
+ Remove sysctls in favor of securityfs nodes
+ Re-add kernel module parameters, as these are now
exposed through securityfs.
+ Refactor property audit loop to a separate function.
v5:
+ fix minor grammatical errors
+ do not group rule by curly-brace in audit record,
reconstruct the exact rule.
v6:
+ No changes
v7:
+ Further split lsm creation into a separate commit from the
evaluation loop and audit system, for easier review.
+ Introduce the concept of an ipe_context, a scoped way to
introduce execution policies, used initially for allowing for
kunit tests in isolation.
v8:
+ Follow lsmname_hook_name convention for lsm hooks.
+ Move LSM blob accessors to ipe.c and mark LSM blobs as static.
v9:
+ Remove ipe_context for simplification
---
MAINTAINERS | 5 +++++
security/Kconfig | 11 ++++++-----
security/Makefile | 1 +
security/ipe/Kconfig | 17 +++++++++++++++++
security/ipe/Makefile | 10 ++++++++++
security/ipe/ipe.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/ipe/ipe.h | 13 +++++++++++++
7 files changed, 92 insertions(+), 5 deletions(-)
create mode 100644 security/ipe/Kconfig
create mode 100644 security/ipe/Makefile
create mode 100644 security/ipe/ipe.c
create mode 100644 security/ipe/ipe.h
diff --git a/MAINTAINERS b/MAINTAINERS
index 8a5c25c20d00..5e27e84763cc 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10273,6 +10273,11 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
F: security/integrity/ima/
F: security/integrity/
+INTEGRITY POLICY ENFORCEMENT (IPE)
+M: Fan Wu <wufan@linux.microsoft.com>
+S: Supported
+F: security/ipe/
+
INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <adaplas@gmail.com>
L: linux-fbdev@vger.kernel.org
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..9f59add2d16c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -207,6 +207,7 @@ source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
+source "security/ipe/Kconfig"
source "security/integrity/Kconfig"
@@ -246,11 +247,11 @@ endchoice
config LSM
string "Ordered list of enabled LSMs"
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
- default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,bpf" if DEFAULT_SECURITY_DAC
+ default "landlock,lockdown,yama,loadpin,safesetid,integrity,ipe,selinux,smack,tomoyo,apparmor,bpf"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored. This can be
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..527b1864d96c 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
+obj-$(CONFIG_SECURITY_IPE) += ipe/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644
index 000000000000..e4875fb04883
--- /dev/null
+++ b/security/ipe/Kconfig
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+ bool "Integrity Policy Enforcement (IPE)"
+ depends on SECURITY && SECURITYFS
+ select PKCS7_MESSAGE_PARSER
+ select SYSTEM_DATA_VERIFICATION
+ help
+ This option enables the Integrity Policy Enforcement LSM
+ allowing users to define a policy to enforce a trust-based access
+ control. A key feature of IPE is a customizable policy to allow
+ admins to reconfigure trust requirements on the fly.
+
+ If unsure, answer N.
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
new file mode 100644
index 000000000000..571648579991
--- /dev/null
+++ b/security/ipe/Makefile
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the IPE module as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_IPE) += \
+ hooks.o \
+ ipe.o \
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
new file mode 100644
index 000000000000..9ed3bf4dcc04
--- /dev/null
+++ b/security/ipe/ipe.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+
+static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = {
+};
+
+static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = {
+};
+
+/**
+ * ipe_init - Entry point of IPE.
+ *
+ * This is called at LSM init, which happens occurs early during kernel
+ * start up. During this phase, IPE loads the properties compiled into
+ * the kernel, and register's IPE's hooks. The boot policy is loaded
+ * later, during securityfs init, at which point IPE will start
+ * enforcing its policy.
+ *
+ * Return:
+ * * 0 - OK
+ * * -ENOMEM - Context creation failed.
+ */
+static int __init ipe_init(void)
+{
+ int rc = 0;
+
+ security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "ipe");
+
+ return rc;
+}
+
+DEFINE_LSM(ipe) = {
+ .name = "ipe",
+ .init = ipe_init,
+ .blobs = &ipe_blobs,
+};
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
new file mode 100644
index 000000000000..ee7ec3f3b55d
--- /dev/null
+++ b/security/ipe/ipe.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef IPE_H
+#define IPE_H
+
+#define pr_fmt(fmt) "IPE " fmt "\n"
+
+#include <linux/lsm_hooks.h>
+
+#endif /* IPE_H */
--
2.39.0
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2023-01-30 22:58 UTC|newest]
Thread overview: 225+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-30 22:57 [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` Fan Wu [this message]
2023-01-30 22:57 ` [RFC PATCH v9 01/16] security: add ipe lsm Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-03-02 19:00 ` Paul Moore
2023-03-02 19:00 ` Paul Moore
2023-03-02 19:00 ` [dm-devel] " Paul Moore
2023-04-06 19:20 ` Fan Wu
2023-04-06 19:20 ` Fan Wu
2023-04-06 19:20 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 02/16] ipe: add policy parser Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 10:53 ` Roberto Sassu
2023-01-31 10:53 ` [dm-devel] " Roberto Sassu
2023-01-31 10:53 ` Roberto Sassu
2023-02-01 22:38 ` Fan Wu
2023-02-01 22:38 ` Fan Wu
2023-02-01 22:38 ` [dm-devel] " Fan Wu
2023-03-02 19:02 ` Paul Moore
2023-03-02 19:02 ` Paul Moore
2023-03-02 19:02 ` [dm-devel] " Paul Moore
2023-04-06 20:00 ` Fan Wu
2023-04-06 20:00 ` Fan Wu
2023-04-06 20:00 ` [dm-devel] " Fan Wu
2023-04-11 19:13 ` Paul Moore
2023-04-11 19:13 ` Paul Moore
2023-04-11 19:13 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 10:29 ` Roberto Sassu
2023-01-31 10:29 ` [dm-devel] " Roberto Sassu
2023-01-31 10:29 ` Roberto Sassu
2023-01-31 15:49 ` Roberto Sassu
2023-01-31 15:49 ` [dm-devel] " Roberto Sassu
2023-01-31 15:49 ` Roberto Sassu
2023-02-10 23:21 ` Fan Wu
2023-02-10 23:21 ` Fan Wu
2023-02-10 23:21 ` [dm-devel] " Fan Wu
2023-03-02 2:33 ` Paul Moore
2023-03-02 2:33 ` Paul Moore
2023-03-02 2:33 ` [dm-devel] " Paul Moore
2023-03-02 19:03 ` Paul Moore
2023-03-02 19:03 ` Paul Moore
2023-03-02 19:03 ` Paul Moore
2023-04-10 18:53 ` Fan Wu
2023-04-10 18:53 ` Fan Wu
2023-04-10 18:53 ` [dm-devel] " Fan Wu
2023-04-11 20:32 ` Paul Moore
2023-04-11 20:32 ` Paul Moore
2023-04-11 20:32 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 04/16] security: add new securityfs delete function Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 05/16] ipe: add userspace interface Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 10:49 ` Roberto Sassu
2023-01-31 10:49 ` [dm-devel] " Roberto Sassu
2023-01-31 10:49 ` Roberto Sassu
2023-02-01 19:46 ` Fan Wu
2023-02-01 19:46 ` [dm-devel] " Fan Wu
2023-02-01 19:46 ` Fan Wu
2023-02-05 8:42 ` kernel test robot
2023-03-02 19:04 ` Paul Moore
2023-03-02 19:04 ` Paul Moore
2023-03-02 19:04 ` [dm-devel] " Paul Moore
2023-04-10 19:10 ` Fan Wu
2023-04-10 19:10 ` Fan Wu
2023-04-10 19:10 ` [dm-devel] " Fan Wu
2023-04-11 21:45 ` Paul Moore
2023-04-11 21:45 ` Paul Moore
2023-04-11 21:45 ` [dm-devel] " Paul Moore
2023-04-12 23:36 ` Fan Wu
2023-04-12 23:36 ` Fan Wu
2023-04-12 23:36 ` [dm-devel] " Fan Wu
2023-04-13 18:45 ` Paul Moore
2023-04-13 18:45 ` Paul Moore
2023-04-13 18:45 ` [dm-devel] " Paul Moore
2023-04-17 18:06 ` Fan Wu
2023-04-17 18:06 ` Fan Wu
2023-04-17 18:06 ` [dm-devel] " Fan Wu
2023-04-17 20:16 ` Paul Moore
2023-04-17 20:16 ` Paul Moore
2023-04-17 20:16 ` [dm-devel] " Paul Moore
2023-04-17 21:18 ` Fan Wu
2023-04-17 21:18 ` Fan Wu
2023-04-17 21:18 ` [dm-devel] " Fan Wu
2023-04-17 21:31 ` Paul Moore
2023-04-17 21:31 ` Paul Moore
2023-04-17 21:31 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 06/16] ipe: add LSM hooks on execution and kernel read Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 12:51 ` Roberto Sassu
2023-01-31 12:51 ` [dm-devel] " Roberto Sassu
2023-01-31 12:51 ` Roberto Sassu
2023-02-09 22:42 ` Fan Wu
2023-02-09 22:42 ` Fan Wu
2023-02-09 22:42 ` [dm-devel] " Fan Wu
2023-03-02 19:05 ` Paul Moore
2023-03-02 19:05 ` Paul Moore
2023-03-02 19:05 ` [dm-devel] " Paul Moore
2023-04-10 21:22 ` Fan Wu
2023-04-10 21:22 ` Fan Wu
2023-04-10 21:22 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 12:57 ` Roberto Sassu
2023-01-31 12:57 ` [dm-devel] " Roberto Sassu
2023-01-31 12:57 ` Roberto Sassu
2023-01-31 17:10 ` Steve Grubb
2023-01-31 17:10 ` [dm-devel] " Steve Grubb
2023-01-31 17:10 ` Steve Grubb
2023-03-02 19:05 ` [dm-devel] " Paul Moore
2023-03-02 19:05 ` Paul Moore
2023-03-02 19:05 ` Paul Moore
2023-03-16 22:53 ` Fan Wu
2023-03-16 22:53 ` Fan Wu
2023-03-16 22:53 ` [dm-devel] " Fan Wu
2023-04-11 23:07 ` Paul Moore
2023-04-11 23:07 ` Paul Moore
2023-04-11 23:07 ` [dm-devel] " Paul Moore
2023-04-11 23:21 ` Paul Moore
2023-04-11 23:21 ` Paul Moore
2023-04-11 23:21 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 08/16] ipe: add permissive toggle Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-03-02 19:06 ` Paul Moore
2023-03-02 19:06 ` Paul Moore
2023-03-02 19:06 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 09/16] block|security: add LSM blob to block_device Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 8:53 ` Christoph Hellwig
2023-01-31 8:53 ` Christoph Hellwig
2023-01-31 8:53 ` [dm-devel] " Christoph Hellwig
2023-01-31 23:01 ` Fan Wu
2023-01-31 23:01 ` Fan Wu
2023-01-31 23:01 ` [dm-devel] " Fan Wu
2023-03-02 19:07 ` Paul Moore
2023-03-02 19:07 ` Paul Moore
2023-03-02 19:07 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 13:22 ` Roberto Sassu
2023-01-31 13:22 ` [dm-devel] " Roberto Sassu
2023-01-31 13:22 ` Roberto Sassu
2023-02-01 23:26 ` Fan Wu
2023-02-01 23:26 ` Fan Wu
2023-02-01 23:26 ` [dm-devel] " Fan Wu
2023-02-02 8:21 ` Roberto Sassu
2023-02-02 8:21 ` [dm-devel] " Roberto Sassu
2023-02-02 8:21 ` Roberto Sassu
2023-02-07 23:52 ` Fan Wu
2023-02-07 23:52 ` Fan Wu
2023-02-07 23:52 ` [dm-devel] " Fan Wu
2023-02-01 4:10 ` kernel test robot
2023-01-30 22:57 ` [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 1:42 ` kernel test robot
2023-03-02 19:08 ` Paul Moore
2023-03-02 19:08 ` Paul Moore
2023-03-02 19:08 ` [dm-devel] " Paul Moore
2023-03-16 22:10 ` Fan Wu
2023-03-16 22:10 ` Fan Wu
2023-03-16 22:10 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-02-09 3:30 ` Eric Biggers
2023-02-09 3:30 ` Eric Biggers
2023-02-09 3:30 ` [dm-devel] " Eric Biggers
2023-02-09 22:21 ` Fan Wu
2023-02-09 22:21 ` Fan Wu
2023-02-09 22:21 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 13/16] ipe: enable support for fs-verity as a trust provider Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 14:00 ` Roberto Sassu
2023-01-31 14:00 ` [dm-devel] " Roberto Sassu
2023-01-31 14:00 ` Roberto Sassu
2023-02-01 23:50 ` Fan Wu
2023-02-01 23:50 ` Fan Wu
2023-02-01 23:50 ` [dm-devel] " Fan Wu
2023-02-02 9:51 ` Roberto Sassu
2023-02-02 9:51 ` [dm-devel] " Roberto Sassu
2023-02-02 9:51 ` Roberto Sassu
2023-02-08 0:16 ` Fan Wu
2023-02-08 0:16 ` Fan Wu
2023-02-08 0:16 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 14/16] scripts: add boot policy generation program Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 15/16] ipe: kunit test for parser Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 16/16] documentation: add ipe documentation Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 3:59 ` Bagas Sanjaya
2023-01-31 3:59 ` Bagas Sanjaya
2023-01-31 3:59 ` [dm-devel] " Bagas Sanjaya
2023-02-02 0:19 ` Fan Wu
2023-02-02 0:19 ` Fan Wu
2023-02-02 0:19 ` [dm-devel] " Fan Wu
2023-01-31 14:22 ` [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Roberto Sassu
2023-01-31 14:22 ` [dm-devel] " Roberto Sassu
2023-01-31 14:22 ` Roberto Sassu
2023-02-01 0:48 ` Fan Wu
2023-02-01 0:48 ` Fan Wu
2023-02-01 0:48 ` [dm-devel] " Fan Wu
2023-02-02 10:48 ` Roberto Sassu
2023-02-02 10:48 ` [dm-devel] " Roberto Sassu
2023-02-02 10:48 ` Roberto Sassu
2023-02-08 0:31 ` Fan Wu
2023-02-08 0:31 ` Fan Wu
2023-02-08 0:31 ` [dm-devel] " Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1675119451-23180-2-git-send-email-wufan@linux.microsoft.com \
--to=wufan@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.