[RFC,v14,01/19] security: add ipe lsm

Message ID	1709768084-22539-2-git-send-email-wufan@linux.microsoft.com (mailing list archive)
State	New
Headers	show Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6294E1C6A3; Wed, 6 Mar 2024 23:34:52 +0000 (UTC) From: Fan Wu <wufan@linux.microsoft.com> To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Deven Bowers <deven.desai@linux.microsoft.com>, Fan Wu <wufan@linux.microsoft.com> Subject: [RFC PATCH v14 01/19] security: add ipe lsm Date: Wed, 6 Mar 2024 15:34:26 -0800 Message-Id: <1709768084-22539-2-git-send-email-wufan@linux.microsoft.com> In-Reply-To: <1709768084-22539-1-git-send-email-wufan@linux.microsoft.com> References: <1709768084-22539-1-git-send-email-wufan@linux.microsoft.com> Precedence: bulk
Series	Integrity Policy Enforcement LSM (IPE) \| expand [RFC,v14,00/19] Integrity Policy Enforcement LSM (IPE) [RFC,v14,01/19] security: add ipe lsm [RFC,v14,02/19] ipe: add policy parser [RFC,v14,03/19] ipe: add evaluation loop [RFC,v14,04/19] ipe: add LSM hooks on execution and kernel read [RFC,v14,05/19] initramfs\|security: Add a security hook to do_populate_rootfs() [RFC,v14,06/19] ipe: introduce 'boot_verified' as a trust provider [RFC,v14,07/19] security: add new securityfs delete function [RFC,v14,08/19] ipe: add userspace interface [RFC,v14,09/19] uapi\|audit\|ipe: add ipe auditing support [RFC,v14,10/19] ipe: add permissive toggle [RFC,v14,11/19] block\|security: add LSM blob to block_device [RFC,v14,12/19] dm: add finalize hook to target_type [RFC,v14,13/19] dm verity: consume root hash digest and signature data via LSM hook [RFC,v14,14/19] ipe: add support for dm-verity as a trust provider [RFC,v14,15/19] fsverity: consume builtin signature via LSM hook [RFC,v14,16/19] ipe: enable support for fs-verity as a trust provider [RFC,v14,17/19] scripts: add boot policy generation program [RFC,v14,18/19] ipe: kunit test for parser [RFC,v14,19/19] documentation: add ipe documentation

Message ID

1709768084-22539-2-git-send-email-wufan@linux.microsoft.com (mailing list archive)

State

New

Headers

From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net,
	zohar@linux.ibm.com,
	jmorris@namei.org,
	serge@hallyn.com,
	tytso@mit.edu,
	ebiggers@kernel.org,
	axboe@kernel.dk,
	agk@redhat.com,
	snitzer@kernel.org,
	eparis@redhat.com,
	paul@paul-moore.com
Cc: linux-doc@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-fscrypt@vger.kernel.org,
	linux-block@vger.kernel.org,
	dm-devel@lists.linux.dev,
	audit@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Deven Bowers <deven.desai@linux.microsoft.com>,
	Fan Wu <wufan@linux.microsoft.com>
Subject: [RFC PATCH v14 01/19] security: add ipe lsm
Date: Wed,  6 Mar 2024 15:34:26 -0800
Message-Id: <1709768084-22539-2-git-send-email-wufan@linux.microsoft.com>
In-Reply-To: <1709768084-22539-1-git-send-email-wufan@linux.microsoft.com>
References: <1709768084-22539-1-git-send-email-wufan@linux.microsoft.com>
Precedence: bulk

Series

Integrity Policy Enforcement LSM (IPE) | expand

Commit Message

Fan Wu March 6, 2024, 11:34 p.m. UTC

From: Deven Bowers <deven.desai@linux.microsoft.com>

Integrity Policy Enforcement (IPE) is an LSM that provides an
complimentary approach to Mandatory Access Control than existing LSMs
today.

Existing LSMs have centered around the concept of access to a resource
should be controlled by the current user's credentials. IPE's approach,
is that access to a resource should be controlled by the system's trust
of a current resource.

The basis of this approach is defining a global policy to specify which
resource can be trusted.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
---
v2:
  + Split evaluation loop, access control hooks,
    and evaluation loop from policy parser and userspace
    interface to pass mailing list character limit

v3:
  + Move ipe_load_properties to patch 04.
  + Remove useless 0-initializations
  + Prefix extern variables with ipe_
  + Remove kernel module parameters, as these are
    exposed through sysctls.
  + Add more prose to the IPE base config option
    help text.
  + Use GFP_KERNEL for audit_log_start.
  + Remove unnecessary caching system.
  + Remove comments from headers
  + Use rcu_access_pointer for rcu-pointer null check
  + Remove usage of reqprot; use prot only.
  + Move policy load and activation audit event to 03/12

v4:
  + Remove sysctls in favor of securityfs nodes
  + Re-add kernel module parameters, as these are now
    exposed through securityfs.
  + Refactor property audit loop to a separate function.

v5:
  + fix minor grammatical errors
  + do not group rule by curly-brace in audit record,
    reconstruct the exact rule.

v6:
  + No changes

v7:
  + Further split lsm creation into a separate commit from the
    evaluation loop and audit system, for easier review.

  + Introduce the concept of an ipe_context, a scoped way to
    introduce execution policies, used initially for allowing for
    kunit tests in isolation.

v8:
  + Follow lsmname_hook_name convention for lsm hooks.
  + Move LSM blob accessors to ipe.c and mark LSM blobs as static.

v9:
  + Remove ipe_context for simplification

v10:
  + Add github url

v11:
  + Correct github url
  + Move ipe before bpf

v12:
  + Switch to use lsm_id instead of string for lsm name

v13:
  + No changes

v14:
  + No changes
---
 MAINTAINERS              |  7 +++++++
 include/uapi/linux/lsm.h |  1 +
 security/Kconfig         | 11 ++++++-----
 security/Makefile        |  1 +
 security/ipe/Kconfig     | 17 +++++++++++++++++
 security/ipe/Makefile    |  9 +++++++++
 security/ipe/ipe.c       | 41 ++++++++++++++++++++++++++++++++++++++++
 security/ipe/ipe.h       | 16 ++++++++++++++++
 security/security.c      |  3 ++-
 9 files changed, 100 insertions(+), 6 deletions(-)
 create mode 100644 security/ipe/Kconfig
 create mode 100644 security/ipe/Makefile
 create mode 100644 security/ipe/ipe.c
 create mode 100644 security/ipe/ipe.h

Comments

Roberto Sassu March 11, 2024, 2:25 p.m. UTC | #1

On Wed, 2024-03-06 at 15:34 -0800, Fan Wu wrote:
> From: Deven Bowers <deven.desai@linux.microsoft.com>
> 
> Integrity Policy Enforcement (IPE) is an LSM that provides an
> complimentary approach to Mandatory Access Control than existing LSMs
> today.
> 
> Existing LSMs have centered around the concept of access to a resource
> should be controlled by the current user's credentials. IPE's approach,
> is that access to a resource should be controlled by the system's trust
> of a current resource.
> 
> The basis of this approach is defining a global policy to specify which
> resource can be trusted.
> 
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
> ---
> v2:
>   + Split evaluation loop, access control hooks,
>     and evaluation loop from policy parser and userspace
>     interface to pass mailing list character limit
> 
> v3:
>   + Move ipe_load_properties to patch 04.
>   + Remove useless 0-initializations
>   + Prefix extern variables with ipe_
>   + Remove kernel module parameters, as these are
>     exposed through sysctls.
>   + Add more prose to the IPE base config option
>     help text.
>   + Use GFP_KERNEL for audit_log_start.
>   + Remove unnecessary caching system.
>   + Remove comments from headers
>   + Use rcu_access_pointer for rcu-pointer null check
>   + Remove usage of reqprot; use prot only.
>   + Move policy load and activation audit event to 03/12
> 
> v4:
>   + Remove sysctls in favor of securityfs nodes
>   + Re-add kernel module parameters, as these are now
>     exposed through securityfs.
>   + Refactor property audit loop to a separate function.
> 
> v5:
>   + fix minor grammatical errors
>   + do not group rule by curly-brace in audit record,
>     reconstruct the exact rule.
> 
> v6:
>   + No changes
> 
> v7:
>   + Further split lsm creation into a separate commit from the
>     evaluation loop and audit system, for easier review.
> 
>   + Introduce the concept of an ipe_context, a scoped way to
>     introduce execution policies, used initially for allowing for
>     kunit tests in isolation.
> 
> v8:
>   + Follow lsmname_hook_name convention for lsm hooks.
>   + Move LSM blob accessors to ipe.c and mark LSM blobs as static.
> 
> v9:
>   + Remove ipe_context for simplification
> 
> v10:
>   + Add github url
> 
> v11:
>   + Correct github url
>   + Move ipe before bpf
> 
> v12:
>   + Switch to use lsm_id instead of string for lsm name
> 
> v13:
>   + No changes
> 
> v14:
>   + No changes
> ---
>  MAINTAINERS              |  7 +++++++
>  include/uapi/linux/lsm.h |  1 +
>  security/Kconfig         | 11 ++++++-----
>  security/Makefile        |  1 +
>  security/ipe/Kconfig     | 17 +++++++++++++++++
>  security/ipe/Makefile    |  9 +++++++++
>  security/ipe/ipe.c       | 41 ++++++++++++++++++++++++++++++++++++++++
>  security/ipe/ipe.h       | 16 ++++++++++++++++
>  security/security.c      |  3 ++-
>  9 files changed, 100 insertions(+), 6 deletions(-)
>  create mode 100644 security/ipe/Kconfig
>  create mode 100644 security/ipe/Makefile
>  create mode 100644 security/ipe/ipe.c
>  create mode 100644 security/ipe/ipe.h
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 13158047f2af..8517011f88ff 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -10650,6 +10650,13 @@ T:	git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
>  F:	security/integrity/
>  F:	security/integrity/ima/
>  
> +INTEGRITY POLICY ENFORCEMENT (IPE)
> +M:	Fan Wu <wufan@linux.microsoft.com>
> +L:	linux-security-module@vger.kernel.org
> +S:	Supported
> +T:	git https://github.com/microsoft/ipe.git
> +F:	security/ipe/
> +
>  INTEL 810/815 FRAMEBUFFER DRIVER
>  M:	Antonino Daplas <adaplas@gmail.com>
>  L:	linux-fbdev@vger.kernel.org
> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> index f8aef9ade549..43e2fb32745a 100644
> --- a/include/uapi/linux/lsm.h
> +++ b/include/uapi/linux/lsm.h
> @@ -62,6 +62,7 @@ struct lsm_ctx {
>  #define LSM_ID_LOCKDOWN		108
>  #define LSM_ID_BPF		109
>  #define LSM_ID_LANDLOCK		110
> +#define LSM_ID_IPE		111
>  
>  /*
>   * LSM_ATTR_XXX definitions identify different LSM attributes
> diff --git a/security/Kconfig b/security/Kconfig
> index 52c9af08ad35..cc7adfbb6b96 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -194,6 +194,7 @@ source "security/yama/Kconfig"
>  source "security/safesetid/Kconfig"
>  source "security/lockdown/Kconfig"
>  source "security/landlock/Kconfig"
> +source "security/ipe/Kconfig"
>  
>  source "security/integrity/Kconfig"
>  
> @@ -233,11 +234,11 @@ endchoice
>  
>  config LSM
>  	string "Ordered list of enabled LSMs"
> -	default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
> -	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
> -	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> -	default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
> -	default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
> +	default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
> +	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
> +	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
> +	default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
> +	default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
>  	help
>  	  A comma-separated list of LSMs, in initialization order.
>  	  Any LSMs left off this list, except for those with order
> diff --git a/security/Makefile b/security/Makefile
> index 59f238490665..cc0982214b84 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
>  obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
>  obj-$(CONFIG_BPF_LSM)			+= bpf/
>  obj-$(CONFIG_SECURITY_LANDLOCK)		+= landlock/
> +obj-$(CONFIG_SECURITY_IPE)		+= ipe/
>  
>  # Object integrity file lists
>  obj-$(CONFIG_INTEGRITY)			+= integrity/
> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
> new file mode 100644
> index 000000000000..e4875fb04883
> --- /dev/null
> +++ b/security/ipe/Kconfig
> @@ -0,0 +1,17 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +#
> +# Integrity Policy Enforcement (IPE) configuration
> +#
> +
> +menuconfig SECURITY_IPE
> +	bool "Integrity Policy Enforcement (IPE)"
> +	depends on SECURITY && SECURITYFS
> +	select PKCS7_MESSAGE_PARSER
> +	select SYSTEM_DATA_VERIFICATION
> +	help
> +	  This option enables the Integrity Policy Enforcement LSM
> +	  allowing users to define a policy to enforce a trust-based access
> +	  control. A key feature of IPE is a customizable policy to allow
> +	  admins to reconfigure trust requirements on the fly.
> +
> +	  If unsure, answer N.
> diff --git a/security/ipe/Makefile b/security/ipe/Makefile
> new file mode 100644
> index 000000000000..f7a80d0f18f8
> --- /dev/null
> +++ b/security/ipe/Makefile
> @@ -0,0 +1,9 @@
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Copyright (C) Microsoft Corporation. All rights reserved.
> +#
> +# Makefile for building the IPE module as part of the kernel tree.
> +#
> +
> +obj-$(CONFIG_SECURITY_IPE) += \
> +	ipe.o \
> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
> new file mode 100644
> index 000000000000..b013aed15e73
> --- /dev/null
> +++ b/security/ipe/ipe.c
> @@ -0,0 +1,41 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) Microsoft Corporation. All rights reserved.
> + */
> +#include <uapi/linux/lsm.h>
> +
> +#include "ipe.h"
> +
> +static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
> +};
> +
> +static const struct lsm_id ipe_lsmid = {
> +	.name = "ipe",
> +	.id = LSM_ID_IPE,
> +};
> +
> +static struct security_hook_list ipe_hooks[] __ro_after_init = {
> +};
> +
> +/**
> + * ipe_init - Entry point of IPE.
> + *
> + * This is called at LSM init, which happens occurs early during kernel
> + * start up. During this phase, IPE registers its hooks and loads the
> + * builtin boot policy.
> + * Return:
> + * * 0		- OK
> + * * -ENOMEM	- Out of memory
> + */
> +static int __init ipe_init(void)
> +{
> +	security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
> +
> +	return 0;
> +}
> +
> +DEFINE_LSM(ipe) = {
> +	.name = "ipe",
> +	.init = ipe_init,
> +	.blobs = &ipe_blobs,
> +};
> diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
> new file mode 100644
> index 000000000000..a1c68d0fc2e0
> --- /dev/null
> +++ b/security/ipe/ipe.h
> @@ -0,0 +1,16 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) Microsoft Corporation. All rights reserved.
> + */
> +
> +#ifndef _IPE_H
> +#define _IPE_H
> +
> +#ifdef pr_fmt
> +#undef pr_fmt
> +#endif
> +#define pr_fmt(fmt) "IPE: " fmt
> +
> +#include <linux/lsm_hooks.h>
> +
> +#endif /* _IPE_H */
> diff --git a/security/security.c b/security/security.c
> index 7035ee35a393..f168bc30a60d 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -51,7 +51,8 @@
>  	(IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
>  	(IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \
>  	(IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
> -	(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
> +	(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
> +	(IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))

Hi Fan

you would also need to update
tools/testing/selftests/lsm/lsm_list_modules_test.c.

Roberto
 
>  /*
>   * These are descriptions of the reasons that can be passed to the

Fan Wu March 11, 2024, 6:10 p.m. UTC | #2

On 3/11/2024 7:25 AM, Roberto Sassu wrote:
> On Wed, 2024-03-06 at 15:34 -0800, Fan Wu wrote:
>> From: Deven Bowers <deven.desai@linux.microsoft.com>
>>
>> Integrity Policy Enforcement (IPE) is an LSM that provides an
>> complimentary approach to Mandatory Access Control than existing LSMs
>> today.
>>
>> Existing LSMs have centered around the concept of access to a resource
>> should be controlled by the current user's credentials. IPE's approach,
>> is that access to a resource should be controlled by the system's trust
>> of a current resource.
>>
>> The basis of this approach is defining a global policy to specify which
>> resource can be trusted.
>>
>> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
>> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
>> ---
>> v2:
>>    + Split evaluation loop, access control hooks,
>>      and evaluation loop from policy parser and userspace
>>      interface to pass mailing list character limit
>>
>> v3:
>>    + Move ipe_load_properties to patch 04.
>>    + Remove useless 0-initializations
>>    + Prefix extern variables with ipe_
>>    + Remove kernel module parameters, as these are
>>      exposed through sysctls.
>>    + Add more prose to the IPE base config option
>>      help text.
>>    + Use GFP_KERNEL for audit_log_start.
>>    + Remove unnecessary caching system.
>>    + Remove comments from headers
>>    + Use rcu_access_pointer for rcu-pointer null check
>>    + Remove usage of reqprot; use prot only.
>>    + Move policy load and activation audit event to 03/12
>>
>> v4:
>>    + Remove sysctls in favor of securityfs nodes
>>    + Re-add kernel module parameters, as these are now
>>      exposed through securityfs.
>>    + Refactor property audit loop to a separate function.
>>
>> v5:
>>    + fix minor grammatical errors
>>    + do not group rule by curly-brace in audit record,
>>      reconstruct the exact rule.
>>
>> v6:
>>    + No changes
>>
>> v7:
>>    + Further split lsm creation into a separate commit from the
>>      evaluation loop and audit system, for easier review.
>>
>>    + Introduce the concept of an ipe_context, a scoped way to
>>      introduce execution policies, used initially for allowing for
>>      kunit tests in isolation.
>>
>> v8:
>>    + Follow lsmname_hook_name convention for lsm hooks.
>>    + Move LSM blob accessors to ipe.c and mark LSM blobs as static.
>>
>> v9:
>>    + Remove ipe_context for simplification
>>
>> v10:
>>    + Add github url
>>
>> v11:
>>    + Correct github url
>>    + Move ipe before bpf
>>
>> v12:
>>    + Switch to use lsm_id instead of string for lsm name
>>
>> v13:
>>    + No changes
>>
>> v14:
>>    + No changes
>> ---
>>   MAINTAINERS              |  7 +++++++
>>   include/uapi/linux/lsm.h |  1 +
>>   security/Kconfig         | 11 ++++++-----
>>   security/Makefile        |  1 +
>>   security/ipe/Kconfig     | 17 +++++++++++++++++
>>   security/ipe/Makefile    |  9 +++++++++
>>   security/ipe/ipe.c       | 41 ++++++++++++++++++++++++++++++++++++++++
>>   security/ipe/ipe.h       | 16 ++++++++++++++++
>>   security/security.c      |  3 ++-
>>   9 files changed, 100 insertions(+), 6 deletions(-)
>>   create mode 100644 security/ipe/Kconfig
>>   create mode 100644 security/ipe/Makefile
>>   create mode 100644 security/ipe/ipe.c
>>   create mode 100644 security/ipe/ipe.h
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index 13158047f2af..8517011f88ff 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -10650,6 +10650,13 @@ T:	git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
>>   F:	security/integrity/
>>   F:	security/integrity/ima/
>>   
>> +INTEGRITY POLICY ENFORCEMENT (IPE)
>> +M:	Fan Wu <wufan@linux.microsoft.com>
>> +L:	linux-security-module@vger.kernel.org
>> +S:	Supported
>> +T:	git https://github.com/microsoft/ipe.git
>> +F:	security/ipe/
>> +
>>   INTEL 810/815 FRAMEBUFFER DRIVER
>>   M:	Antonino Daplas <adaplas@gmail.com>
>>   L:	linux-fbdev@vger.kernel.org
>> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
>> index f8aef9ade549..43e2fb32745a 100644
>> --- a/include/uapi/linux/lsm.h
>> +++ b/include/uapi/linux/lsm.h
>> @@ -62,6 +62,7 @@ struct lsm_ctx {
>>   #define LSM_ID_LOCKDOWN		108
>>   #define LSM_ID_BPF		109
>>   #define LSM_ID_LANDLOCK		110
>> +#define LSM_ID_IPE		111
>>   
>>   /*
>>    * LSM_ATTR_XXX definitions identify different LSM attributes
>> diff --git a/security/Kconfig b/security/Kconfig
>> index 52c9af08ad35..cc7adfbb6b96 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -194,6 +194,7 @@ source "security/yama/Kconfig"
>>   source "security/safesetid/Kconfig"
>>   source "security/lockdown/Kconfig"
>>   source "security/landlock/Kconfig"
>> +source "security/ipe/Kconfig"
>>   
>>   source "security/integrity/Kconfig"
>>   
>> @@ -233,11 +234,11 @@ endchoice
>>   
>>   config LSM
>>   	string "Ordered list of enabled LSMs"
>> -	default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>> -	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>> -	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
>> -	default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
>> -	default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
>> +	default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
>> +	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
>> +	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
>> +	default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
>> +	default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
>>   	help
>>   	  A comma-separated list of LSMs, in initialization order.
>>   	  Any LSMs left off this list, except for those with order
>> diff --git a/security/Makefile b/security/Makefile
>> index 59f238490665..cc0982214b84 100644
>> --- a/security/Makefile
>> +++ b/security/Makefile
>> @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
>>   obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
>>   obj-$(CONFIG_BPF_LSM)			+= bpf/
>>   obj-$(CONFIG_SECURITY_LANDLOCK)		+= landlock/
>> +obj-$(CONFIG_SECURITY_IPE)		+= ipe/
>>   
>>   # Object integrity file lists
>>   obj-$(CONFIG_INTEGRITY)			+= integrity/
>> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
>> new file mode 100644
>> index 000000000000..e4875fb04883
>> --- /dev/null
>> +++ b/security/ipe/Kconfig
>> @@ -0,0 +1,17 @@
>> +# SPDX-License-Identifier: GPL-2.0-only
>> +#
>> +# Integrity Policy Enforcement (IPE) configuration
>> +#
>> +
>> +menuconfig SECURITY_IPE
>> +	bool "Integrity Policy Enforcement (IPE)"
>> +	depends on SECURITY && SECURITYFS
>> +	select PKCS7_MESSAGE_PARSER
>> +	select SYSTEM_DATA_VERIFICATION
>> +	help
>> +	  This option enables the Integrity Policy Enforcement LSM
>> +	  allowing users to define a policy to enforce a trust-based access
>> +	  control. A key feature of IPE is a customizable policy to allow
>> +	  admins to reconfigure trust requirements on the fly.
>> +
>> +	  If unsure, answer N.
>> diff --git a/security/ipe/Makefile b/security/ipe/Makefile
>> new file mode 100644
>> index 000000000000..f7a80d0f18f8
>> --- /dev/null
>> +++ b/security/ipe/Makefile
>> @@ -0,0 +1,9 @@
>> +# SPDX-License-Identifier: GPL-2.0
>> +#
>> +# Copyright (C) Microsoft Corporation. All rights reserved.
>> +#
>> +# Makefile for building the IPE module as part of the kernel tree.
>> +#
>> +
>> +obj-$(CONFIG_SECURITY_IPE) += \
>> +	ipe.o \
>> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
>> new file mode 100644
>> index 000000000000..b013aed15e73
>> --- /dev/null
>> +++ b/security/ipe/ipe.c
>> @@ -0,0 +1,41 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * Copyright (C) Microsoft Corporation. All rights reserved.
>> + */
>> +#include <uapi/linux/lsm.h>
>> +
>> +#include "ipe.h"
>> +
>> +static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
>> +};
>> +
>> +static const struct lsm_id ipe_lsmid = {
>> +	.name = "ipe",
>> +	.id = LSM_ID_IPE,
>> +};
>> +
>> +static struct security_hook_list ipe_hooks[] __ro_after_init = {
>> +};
>> +
>> +/**
>> + * ipe_init - Entry point of IPE.
>> + *
>> + * This is called at LSM init, which happens occurs early during kernel
>> + * start up. During this phase, IPE registers its hooks and loads the
>> + * builtin boot policy.
>> + * Return:
>> + * * 0		- OK
>> + * * -ENOMEM	- Out of memory
>> + */
>> +static int __init ipe_init(void)
>> +{
>> +	security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
>> +
>> +	return 0;
>> +}
>> +
>> +DEFINE_LSM(ipe) = {
>> +	.name = "ipe",
>> +	.init = ipe_init,
>> +	.blobs = &ipe_blobs,
>> +};
>> diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
>> new file mode 100644
>> index 000000000000..a1c68d0fc2e0
>> --- /dev/null
>> +++ b/security/ipe/ipe.h
>> @@ -0,0 +1,16 @@
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +/*
>> + * Copyright (C) Microsoft Corporation. All rights reserved.
>> + */
>> +
>> +#ifndef _IPE_H
>> +#define _IPE_H
>> +
>> +#ifdef pr_fmt
>> +#undef pr_fmt
>> +#endif
>> +#define pr_fmt(fmt) "IPE: " fmt
>> +
>> +#include <linux/lsm_hooks.h>
>> +
>> +#endif /* _IPE_H */
>> diff --git a/security/security.c b/security/security.c
>> index 7035ee35a393..f168bc30a60d 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -51,7 +51,8 @@
>>   	(IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
>>   	(IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \
>>   	(IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
>> -	(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
>> +	(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
>> +	(IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))
> 
> Hi Fan
> 
> you would also need to update
> tools/testing/selftests/lsm/lsm_list_modules_test.c.
> 
> Roberto
>   
>>   /*
>>    * These are descriptions of the reasons that can be passed to the

Hi Roberto,

Thanks for the info. I will also update that file.

-Fan

diff --git a/MAINTAINERS b/MAINTAINERS
index 13158047f2af..8517011f88ff 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10650,6 +10650,13 @@  T:	git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
 F:	security/integrity/
 F:	security/integrity/ima/
 
+INTEGRITY POLICY ENFORCEMENT (IPE)
+M:	Fan Wu <wufan@linux.microsoft.com>
+L:	linux-security-module@vger.kernel.org
+S:	Supported
+T:	git https://github.com/microsoft/ipe.git
+F:	security/ipe/
+
 INTEL 810/815 FRAMEBUFFER DRIVER
 M:	Antonino Daplas <adaplas@gmail.com>
 L:	linux-fbdev@vger.kernel.org
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
index f8aef9ade549..43e2fb32745a 100644
--- a/include/uapi/linux/lsm.h
+++ b/include/uapi/linux/lsm.h
@@ -62,6 +62,7 @@  struct lsm_ctx {
 #define LSM_ID_LOCKDOWN		108
 #define LSM_ID_BPF		109
 #define LSM_ID_LANDLOCK		110
+#define LSM_ID_IPE		111
 
 /*
  * LSM_ATTR_XXX definitions identify different LSM attributes
diff --git a/security/Kconfig b/security/Kconfig
index 52c9af08ad35..cc7adfbb6b96 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -194,6 +194,7 @@  source "security/yama/Kconfig"
 source "security/safesetid/Kconfig"
 source "security/lockdown/Kconfig"
 source "security/landlock/Kconfig"
+source "security/ipe/Kconfig"
 
 source "security/integrity/Kconfig"
 
@@ -233,11 +234,11 @@  endchoice
 
 config LSM
 	string "Ordered list of enabled LSMs"
-	default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
-	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
-	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
-	default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
-	default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
+	default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
+	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
+	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
+	default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
+	default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
 	help
 	  A comma-separated list of LSMs, in initialization order.
 	  Any LSMs left off this list, except for those with order
diff --git a/security/Makefile b/security/Makefile
index 59f238490665..cc0982214b84 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -25,6 +25,7 @@  obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
 obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
 obj-$(CONFIG_BPF_LSM)			+= bpf/
 obj-$(CONFIG_SECURITY_LANDLOCK)		+= landlock/
+obj-$(CONFIG_SECURITY_IPE)		+= ipe/
 
 # Object integrity file lists
 obj-$(CONFIG_INTEGRITY)			+= integrity/
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644
index 000000000000..e4875fb04883
--- /dev/null
+++ b/security/ipe/Kconfig
@@ -0,0 +1,17 @@ 
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+	bool "Integrity Policy Enforcement (IPE)"
+	depends on SECURITY && SECURITYFS
+	select PKCS7_MESSAGE_PARSER
+	select SYSTEM_DATA_VERIFICATION
+	help
+	  This option enables the Integrity Policy Enforcement LSM
+	  allowing users to define a policy to enforce a trust-based access
+	  control. A key feature of IPE is a customizable policy to allow
+	  admins to reconfigure trust requirements on the fly.
+
+	  If unsure, answer N.
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
new file mode 100644
index 000000000000..f7a80d0f18f8
--- /dev/null
+++ b/security/ipe/Makefile
@@ -0,0 +1,9 @@ 
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the IPE module as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_IPE) += \
+	ipe.o \
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
new file mode 100644
index 000000000000..b013aed15e73
--- /dev/null
+++ b/security/ipe/ipe.c
@@ -0,0 +1,41 @@ 
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+#include <uapi/linux/lsm.h>
+
+#include "ipe.h"
+
+static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
+};
+
+static const struct lsm_id ipe_lsmid = {
+	.name = "ipe",
+	.id = LSM_ID_IPE,
+};
+
+static struct security_hook_list ipe_hooks[] __ro_after_init = {
+};
+
+/**
+ * ipe_init - Entry point of IPE.
+ *
+ * This is called at LSM init, which happens occurs early during kernel
+ * start up. During this phase, IPE registers its hooks and loads the
+ * builtin boot policy.
+ * Return:
+ * * 0		- OK
+ * * -ENOMEM	- Out of memory
+ */
+static int __init ipe_init(void)
+{
+	security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
+
+	return 0;
+}
+
+DEFINE_LSM(ipe) = {
+	.name = "ipe",
+	.init = ipe_init,
+	.blobs = &ipe_blobs,
+};
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
new file mode 100644
index 000000000000..a1c68d0fc2e0
--- /dev/null
+++ b/security/ipe/ipe.h
@@ -0,0 +1,16 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef _IPE_H
+#define _IPE_H
+
+#ifdef pr_fmt
+#undef pr_fmt
+#endif
+#define pr_fmt(fmt) "IPE: " fmt
+
+#include <linux/lsm_hooks.h>
+
+#endif /* _IPE_H */
diff --git a/security/security.c b/security/security.c
index 7035ee35a393..f168bc30a60d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -51,7 +51,8 @@ 
 	(IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
 	(IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \
 	(IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
-	(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
+	(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))
 
 /*
  * These are descriptions of the reasons that can be passed to the

[RFC,v14,01/19] security: add ipe lsm

Commit Message

Comments

Patch