[RFC,v15,04/21] ipe: add LSM hooks on execution and kernel read

Message ID	1710560151-28904-5-git-send-email-wufan@linux.microsoft.com (mailing list archive)
State	Changes Requested
Delegated to:	Paul Moore
Headers	show Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0518246BA; Sat, 16 Mar 2024 03:35:53 +0000 (UTC) From: Fan Wu <wufan@linux.microsoft.com> To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, fsverity@lists.linux.dev, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Deven Bowers <deven.desai@linux.microsoft.com>, Fan Wu <wufan@linux.microsoft.com> Subject: [RFC PATCH v15 04/21] ipe: add LSM hooks on execution and kernel read Date: Fri, 15 Mar 2024 20:35:34 -0700 Message-Id: <1710560151-28904-5-git-send-email-wufan@linux.microsoft.com> In-Reply-To: <1710560151-28904-1-git-send-email-wufan@linux.microsoft.com> References: <1710560151-28904-1-git-send-email-wufan@linux.microsoft.com> Precedence: bulk
Series	Integrity Policy Enforcement LSM (IPE) \| expand [RFC,v15,00/21] Integrity Policy Enforcement LSM (IPE) [RFC,v15,01/21] security: add ipe lsm [RFC,v15,02/21] ipe: add policy parser [RFC,v15,03/21] ipe: add evaluation loop [RFC,v15,04/21] ipe: add LSM hooks on execution and kernel read [RFC,v15,05/21] initramfs\|security: Add a security hook to do_populate_rootfs() [RFC,v15,06/21] ipe: introduce 'boot_verified' as a trust provider [RFC,v15,07/21] security: add new securityfs delete function [RFC,v15,08/21] ipe: add userspace interface [RFC,v15,09/21] uapi\|audit\|ipe: add ipe auditing support [RFC,v15,10/21] ipe: add permissive toggle [RFC,v15,11/21] block\|security: add LSM blob to block_device [RFC,v15,12/21] security: add security_bdev_setintegrity() hook [RFC,v15,13/21] dm: add finalize hook to target_type [RFC,v15,14/21] dm verity: consume root hash digest and signature data via LSM hook [RFC,v15,15/21] ipe: add support for dm-verity as a trust provider [RFC,v15,16/21] security: add security_inode_setintegrity() hook [RFC,v15,17/21] fsverity: consume builtin signature via LSM hook [RFC,v15,18/21] ipe: enable support for fs-verity as a trust provider [RFC,v15,19/21] scripts: add boot policy generation program [RFC,v15,20/21] ipe: kunit test for parser [RFC,v15,21/21] documentation: add ipe documentation

diff --git a/security/ipe/Makefile b/security/ipe/Makefile index 57fe922cf1fc..d7f2870d7c09 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -7,6 +7,7 @@ obj-$(CONFIG_SECURITY_IPE) += \ eval.o \ + hooks.o \ ipe.o \ policy.o \ policy_parser.o \ diff --git a/security/ipe/eval.c b/security/ipe/eval.c index af56815ed0fa..4f425afffcad 100644 --- a/security/ipe/eval.c +++ b/security/ipe/eval.c @@ -16,6 +16,20 @@ struct ipe_policy __rcu *ipe_active_policy; +/** + * build_eval_ctx - Build an evaluation context. + * @ctx: Supplies a pointer to the context to be populated. + * @file: Supplies a pointer to the file to associated with the evaluation. + * @op: Supplies the IPE policy operation associated with the evaluation. + */ +void build_eval_ctx(struct ipe_eval_ctx *ctx, + const struct file *file, + enum ipe_op_type op) +{ + ctx->file = file; + ctx->op = op; +} + /** * evaluate_property - Analyze @ctx against a property. * @ctx: Supplies a pointer to the context to be evaluated. diff --git a/security/ipe/eval.h b/security/ipe/eval.h index 6b434515968f..cfdf3c8dfe8a 100644 --- a/security/ipe/eval.h +++ b/security/ipe/eval.h @@ -11,6 +11,8 @@ #include "policy.h" +#define IPE_EVAL_CTX_INIT ((struct ipe_eval_ctx){ 0 }) + extern struct ipe_policy __rcu *ipe_active_policy; struct ipe_eval_ctx { @@ -19,6 +21,7 @@ struct ipe_eval_ctx { const struct file *file; }; +void build_eval_ctx(struct ipe_eval_ctx *ctx, const struct file *file, enum ipe_op_type op); int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx); #endif /* _IPE_EVAL_H */ diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c new file mode 100644 index 000000000000..3aec88c074e1 --- /dev/null +++ b/security/ipe/hooks.c @@ -0,0 +1,183 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include <linux/fs.h> +#include <linux/types.h> +#include <linux/binfmts.h> +#include <linux/mman.h> + +#include "ipe.h" +#include "hooks.h" +#include "eval.h" + +/** + * ipe_bprm_check_security - ipe security hook function for bprm check. + * @bprm: Supplies a pointer to a linux_binprm structure to source the file + * being evaluated. + * + * This LSM hook is called when a binary is loaded through the exec + * family of system calls. + * Return: + * *0 - OK + * *!0 - Error + */ +int ipe_bprm_check_security(struct linux_binprm *bprm) +{ + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; + + build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC); + return ipe_evaluate_event(&ctx); +} + +/** + * ipe_mmap_file - ipe security hook function for mmap check. + * @f: File being mmap'd. Can be NULL in the case of anonymous memory. + * @reqprot: The requested protection on the mmap, passed from usermode. + * @prot: The effective protection on the mmap, resolved from reqprot and + * system configuration. + * @flags: Unused. + * + * This hook is called when a file is loaded through the mmap + * family of system calls. + * + * Return: + * * 0 - OK + * * !0 - Error + */ +int ipe_mmap_file(struct file *f, unsigned long reqprot __always_unused, + unsigned long prot, unsigned long flags) +{ + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; + + if (prot & PROT_EXEC) { + build_eval_ctx(&ctx, f, IPE_OP_EXEC); + return ipe_evaluate_event(&ctx); + } + + return 0; +} + +/** + * ipe_file_mprotect - ipe security hook function for mprotect check. + * @vma: Existing virtual memory area created by mmap or similar. + * @reqprot: The requested protection on the mmap, passed from usermode. + * @prot: The effective protection on the mmap, resolved from reqprot and + * system configuration. + * + * This LSM hook is called when a mmap'd region of memory is changing + * its protections via mprotect. + * + * Return: + * * 0 - OK + * * !0 - Error + */ +int ipe_file_mprotect(struct vm_area_struct *vma, + unsigned long reqprot __always_unused, + unsigned long prot) +{ + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; + + /* Already Executable */ + if (vma->vm_flags & VM_EXEC) + return 0; + + if (prot & PROT_EXEC) { + build_eval_ctx(&ctx, vma->vm_file, IPE_OP_EXEC); + return ipe_evaluate_event(&ctx); + } + + return 0; +} + +/** + * ipe_kernel_read_file - ipe security hook function for kernel read. + * @file: Supplies a pointer to the file structure being read in from disk. + * @id: Supplies the enumeration identifying the purpose of the read. + * @contents: Unused. + * + * This LSM hook is called when a file is being read in from disk from + * the kernel. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, + bool contents) +{ + enum ipe_op_type op; + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; + + switch (id) { + case READING_FIRMWARE: + op = IPE_OP_FIRMWARE; + break; + case READING_MODULE: + op = IPE_OP_KERNEL_MODULE; + break; + case READING_KEXEC_INITRAMFS: + op = IPE_OP_KEXEC_INITRAMFS; + break; + case READING_KEXEC_IMAGE: + op = IPE_OP_KEXEC_IMAGE; + break; + case READING_POLICY: + op = IPE_OP_POLICY; + break; + case READING_X509_CERTIFICATE: + op = IPE_OP_X509; + break; + default: + op = IPE_OP_INVALID; + WARN(1, "no rule setup for kernel_read_file enum %d", id); + } + + build_eval_ctx(&ctx, file, op); + return ipe_evaluate_event(&ctx); +} + +/** + * ipe_kernel_load_data - ipe security hook function for kernel load data. + * @id: Supplies the enumeration identifying the purpose of the read. + * @contents: Unused. + * + * This LSM hook is called when a buffer is being read in from disk. + * + * Return: + * * 0 - OK + * * !0 - Error + */ +int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents) +{ + enum ipe_op_type op; + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; + + switch (id) { + case LOADING_FIRMWARE: + op = IPE_OP_FIRMWARE; + break; + case LOADING_MODULE: + op = IPE_OP_KERNEL_MODULE; + break; + case LOADING_KEXEC_INITRAMFS: + op = IPE_OP_KEXEC_INITRAMFS; + break; + case LOADING_KEXEC_IMAGE: + op = IPE_OP_KEXEC_IMAGE; + break; + case LOADING_POLICY: + op = IPE_OP_POLICY; + break; + case LOADING_X509_CERTIFICATE: + op = IPE_OP_X509; + break; + default: + op = IPE_OP_INVALID; + WARN(1, "no rule setup for kernel_load_data enum %d", id); + } + + build_eval_ctx(&ctx, NULL, op); + return ipe_evaluate_event(&ctx); +} diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h new file mode 100644 index 000000000000..23205452f758 --- /dev/null +++ b/security/ipe/hooks.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#ifndef _IPE_HOOKS_H +#define _IPE_HOOKS_H + +#include <linux/fs.h> +#include <linux/binfmts.h> +#include <linux/security.h> + +int ipe_bprm_check_security(struct linux_binprm *bprm); + +int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot, + unsigned long flags); + +int ipe_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, + unsigned long prot); + +int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, + bool contents); + +int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents); + +#endif /* _IPE_HOOKS_H */ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index b013aed15e73..22bd95116087 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -5,6 +5,7 @@ #include <uapi/linux/lsm.h> #include "ipe.h" +#include "hooks.h" static struct lsm_blob_sizes ipe_blobs __ro_after_init = { }; @@ -15,6 +16,11 @@ static const struct lsm_id ipe_lsmid = { }; static struct security_hook_list ipe_hooks[] __ro_after_init = { + LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security), + LSM_HOOK_INIT(mmap_file, ipe_mmap_file), + LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect), + LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file), + LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data), }; /**

[RFC,v15,04/21] ipe: add LSM hooks on execution and kernel read

Commit Message

Patch