From patchwork Wed Jun 8 19:01:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874542 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B1541CCA47B for ; Wed, 8 Jun 2022 19:01:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233196AbiFHTBr (ORCPT ); Wed, 8 Jun 2022 15:01:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51486 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229496AbiFHTBp (ORCPT ); Wed, 8 Jun 2022 15:01:45 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 30D8714009; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id DAA5620BE667; Wed, 8 Jun 2022 12:01:43 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com DAA5620BE667 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714903; bh=1SiiYimQcqYRBp1qt8JULwbnP1Gb1rebprFnuMnL+V4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IH62JZdmU7Q943+JIx4WoNXPBzoXhpUvPyP0gd441zvbM5nXsBFXmc7Xa2qiN2c+7 yPZHd7ArSjRwCRPxkhlq7JM7hwqpe0YweKbaQsQRlNdIFGrP70jOjZ3ubgIS0hqs3I Bet06BpeXlaXNWdyjLDGYsgTM4naiYc6O3ZPG8ZE= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 01/17] security: add ipe lsm & initial context creation Date: Wed, 8 Jun 2022 12:01:13 -0700 Message-Id: <1654714889-26728-2-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Integrity Policy Enforcement (IPE) is an LSM that provides an complimentary approach to Mandatory Access Control than existing LSMs today. Existing LSMs have centered around the concept of access to a resource should be controlled by the current user's credentials. IPE's approach, is that access to a resource should be controlled by the system's trust of a current resource. The basis of this approach is that every process in the kernel is associated with a context that determines the policy for what is trusted by said process and its descendents, starting with 'init'. Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move ipe_load_properties to patch 04. + Remove useless 0-initializations + Prefix extern variables with ipe_ + Remove kernel module parameters, as these are exposed through sysctls. + Add more prose to the IPE base config option help text. + Use GFP_KERNEL for audit_log_start. + Remove unnecessary caching system. + Remove comments from headers + Use rcu_access_pointer for rcu-pointer null check + Remove usage of reqprot; use prot only. + Move policy load and activation audit event to 03/12 v4: + Remove sysctls in favor of securityfs nodes + Re-add kernel module parameters, as these are now exposed through securityfs. + Refactor property audit loop to a separate function. v5: + fix minor grammatical errors + do not group rule by curly-brace in audit record, reconstruct the exact rule. v6: + No changes v7: + Further split lsm creation into a separate commit from the evaluation loop and audit system, for easier review. + Introduce the concept of an ipe_context, a scoped way to introduce execution policies, used initially for allowing for kunit tests in isolation. v8: + Follow lsmname_hook_name convention for lsm hooks. + Move LSM blob accessors to ipe.c and mark LSM blobs as static. --- MAINTAINERS | 6 ++ security/Kconfig | 11 ++-- security/Makefile | 1 + security/ipe/Kconfig | 17 +++++ security/ipe/Makefile | 11 ++++ security/ipe/ctx.c | 145 ++++++++++++++++++++++++++++++++++++++++++ security/ipe/ctx.h | 28 ++++++++ security/ipe/hooks.c | 54 ++++++++++++++++ security/ipe/hooks.h | 16 +++++ security/ipe/ipe.c | 73 +++++++++++++++++++++ security/ipe/ipe.h | 17 +++++ 11 files changed, 374 insertions(+), 5 deletions(-) create mode 100644 security/ipe/Kconfig create mode 100644 security/ipe/Makefile create mode 100644 security/ipe/ctx.c create mode 100644 security/ipe/ctx.h create mode 100644 security/ipe/hooks.c create mode 100644 security/ipe/hooks.h create mode 100644 security/ipe/ipe.c create mode 100644 security/ipe/ipe.h diff --git a/MAINTAINERS b/MAINTAINERS index a6d3bd9d2a8d..965fdac6d609 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9793,6 +9793,12 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git F: security/integrity/ima/ F: security/integrity/ +INTEGRITY POLICY ENFORCEMENT (IPE) +M: Deven Bowers +M: Fan Wu +S: Supported +F: security/ipe/ + INTEL 810/815 FRAMEBUFFER DRIVER M: Antonino Daplas L: linux-fbdev@vger.kernel.org diff --git a/security/Kconfig b/security/Kconfig index f29e4c656983..7d4c641313ca 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -218,6 +218,7 @@ source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/landlock/Kconfig" +source "security/ipe/Kconfig" source "security/integrity/Kconfig" @@ -257,11 +258,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf,ipe" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf,ipe" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf,ipe" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf,ipe" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf,ipe" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be diff --git a/security/Makefile b/security/Makefile index 18121f8f85cd..527b1864d96c 100644 --- a/security/Makefile +++ b/security/Makefile @@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ +obj-$(CONFIG_SECURITY_IPE) += ipe/ # Object integrity file lists obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig new file mode 100644 index 000000000000..e4875fb04883 --- /dev/null +++ b/security/ipe/Kconfig @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: GPL-2.0-only +# +# Integrity Policy Enforcement (IPE) configuration +# + +menuconfig SECURITY_IPE + bool "Integrity Policy Enforcement (IPE)" + depends on SECURITY && SECURITYFS + select PKCS7_MESSAGE_PARSER + select SYSTEM_DATA_VERIFICATION + help + This option enables the Integrity Policy Enforcement LSM + allowing users to define a policy to enforce a trust-based access + control. A key feature of IPE is a customizable policy to allow + admins to reconfigure trust requirements on the fly. + + If unsure, answer N. diff --git a/security/ipe/Makefile b/security/ipe/Makefile new file mode 100644 index 000000000000..ba3df729e252 --- /dev/null +++ b/security/ipe/Makefile @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0 +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# +# Makefile for building the IPE module as part of the kernel tree. +# + +obj-$(CONFIG_SECURITY_IPE) += \ + ctx.o \ + hooks.o \ + ipe.o \ diff --git a/security/ipe/ctx.c b/security/ipe/ctx.c new file mode 100644 index 000000000000..d51fe2e13ad9 --- /dev/null +++ b/security/ipe/ctx.c @@ -0,0 +1,145 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe.h" +#include "ctx.h" + +#include +#include +#include +#include +#include + +/** + * ipe_current_ctx: Helper to retrieve the ipe_context for the current task. + * + * Return: + * See ipe_get_ctx_rcu + */ +struct ipe_context *ipe_current_ctx(void) +{ + return ipe_get_ctx_rcu(*ipe_tsk_ctx(current)); +} + +/** + * ipe_get_ctx_rcu: Retrieve the underlying ipe_context in an rcu protected + * address space. + * @ctx: Context to dereference. + * + * This function will increment the reference count of the dereferenced + * ctx, ensuring that it is valid outside of the rcu_read_lock. + * + * However, if a context has a reference count of 0 (and thus being) + * freed, this API will return NULL. + * + * Return: + * !NULL - Valid context + * NULL - the dereferenced context will not exist outside after the + * next grace period. + */ +struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx) +{ + struct ipe_context *rv = NULL; + + rcu_read_lock(); + + rv = rcu_dereference(ctx); + if (!rv || !refcount_inc_not_zero(&rv->refcount)) + rv = NULL; + + rcu_read_unlock(); + + return rv; +} + +/** + * free_ctx_work: Worker function to deallocate a context structure. + * @work: work_struct passed to schedule_work + */ +static void free_ctx_work(struct work_struct *const work) +{ + struct ipe_context *ctx = NULL; + + ctx = container_of(work, struct ipe_context, free_work); + + kfree(ctx); +} + +/** + * create_ctx: Allocate a context structure. + * + * The reference count at this point will be set to 1. + * + * Return: + * !IS_ERR - OK + * ERR_PTR(-ENOMEM) - Lack of memory. + */ +static struct ipe_context *create_ctx(void) +{ + int rc = 0; + struct ipe_context *ctx = NULL; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) { + rc = -ENOMEM; + goto err; + } + + INIT_WORK(&ctx->free_work, free_ctx_work); + refcount_set(&ctx->refcount, 1); + spin_lock_init(&ctx->lock); + + return ctx; + +err: + ipe_put_ctx(ctx); + return ERR_PTR(rc); +} + +/** + * ipe_put_ctx: Decrement the reference of an ipe_context structure, + * scheduling a free as necessary. + * @ctx: Structure to free + * + * This function no-ops on error and null values for @ctx, and the + * deallocation will only occur if the refcount is 0. + */ +void ipe_put_ctx(struct ipe_context *ctx) +{ + if (IS_ERR_OR_NULL(ctx) || !refcount_dec_and_test(&ctx->refcount)) + return; + + schedule_work(&ctx->free_work); +} + +/** + * ipe_init_ctx: Initialize the init context. + * + * This is called at LSM init, and marks the kernel init process + * with a context. All processes descendent from kernel + * init will inherit this context. + * + * Return: + * 0 - OK + * -ENOMEM: Not enough memory to allocate the init context. + */ +int __init ipe_init_ctx(void) +{ + int rc = 0; + struct ipe_context *lns = NULL; + + lns = create_ctx(); + if (IS_ERR(lns)) { + rc = PTR_ERR(lns); + goto err; + } + + rcu_assign_pointer(*ipe_tsk_ctx(current), lns); + + return 0; +err: + ipe_put_ctx(lns); + return rc; +} diff --git a/security/ipe/ctx.h b/security/ipe/ctx.h new file mode 100644 index 000000000000..69a2c92c0a8c --- /dev/null +++ b/security/ipe/ctx.h @@ -0,0 +1,28 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#ifndef IPE_CONTEXT_H +#define IPE_CONTEXT_H + +#include +#include +#include +#include +#include + +struct ipe_context { + refcount_t refcount; + /* Protects concurrent writers */ + spinlock_t lock; + + struct work_struct free_work; +}; + +int __init ipe_init_ctx(void); +struct ipe_context __rcu **ipe_tsk_ctx(struct task_struct *tsk); +struct ipe_context *ipe_current_ctx(void); +struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx); +void ipe_put_ctx(struct ipe_context *ctx); + +#endif /* IPE_CONTEXT_H */ diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c new file mode 100644 index 000000000000..dd9606962fa5 --- /dev/null +++ b/security/ipe/hooks.c @@ -0,0 +1,54 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe.h" +#include "ctx.h" +#include "hooks.h" + +#include +#include +#include +#include + +/** + * ipe_task_alloc: Assign a new context for an associated task structure. + * @task: Supplies the task structure to assign a context to. + * @clone_flags: unused. + * + * The context assigned is always the context of the current task. + * Reference counts are dropped by ipe_task_free + * + * Return: + * 0 - OK + * -ENOMEM - Out of Memory + */ +int ipe_task_alloc(struct task_struct *task, unsigned long clone_flags) +{ + struct ipe_context __rcu **ctx = NULL; + struct ipe_context *current_ctx = NULL; + + current_ctx = ipe_current_ctx(); + ctx = ipe_tsk_ctx(task); + rcu_assign_pointer(*ctx, current_ctx); + refcount_inc(¤t_ctx->refcount); + + ipe_put_ctx(current_ctx); + return 0; +} + +/** + * ipe_task_free: Drop a reference to an ipe_context associated with @task. + * If there are no tasks remaining, the context is freed. + * @task: Supplies the task to drop an ipe_context reference to. + */ +void ipe_task_free(struct task_struct *task) +{ + struct ipe_context *ctx; + + rcu_read_lock(); + ctx = rcu_dereference(*ipe_tsk_ctx(task)); + ipe_put_ctx(ctx); + rcu_read_unlock(); +} diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h new file mode 100644 index 000000000000..e0ae3c7dfb5b --- /dev/null +++ b/security/ipe/hooks.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#ifndef IPE_HOOKS_H +#define IPE_HOOKS_H + +#include +#include + +int ipe_task_alloc(struct task_struct *task, + unsigned long clone_flags); + +void ipe_task_free(struct task_struct *task); + +#endif /* IPE_HOOKS_H */ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c new file mode 100644 index 000000000000..8a1e0b1c7240 --- /dev/null +++ b/security/ipe/ipe.c @@ -0,0 +1,73 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe.h" +#include "ctx.h" +#include "hooks.h" + +#include +#include +#include +#include +#include +#include +#include + +static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = { + .lbs_task = sizeof(struct ipe_context __rcu *), +}; + +static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(task_alloc, ipe_task_alloc), + LSM_HOOK_INIT(task_free, ipe_task_free), +}; + +/** + * ipe_tsk_ctx: Retrieve the RCU-protected address of the task + * that contains the ipe_context. + * @tsk: Task to retrieve the address from. + * + * Callers need to use the rcu* family functions to interact with + * the ipe_context, or ipe_get_ctx_rcu. + * + * Return: + * Valid Address to a location containing an RCU-protected ipe_context. + */ +struct ipe_context __rcu **ipe_tsk_ctx(struct task_struct *tsk) +{ + return tsk->security + ipe_blobs.lbs_task; +} + +/** + * ipe_init: Entry point of IPE. + * + * This is called at LSM init, which happens occurs early during kernel + * start up. During this phase, IPE loads the properties compiled into + * the kernel, and register's IPE's hooks. The boot policy is loaded + * later, during securityfs init, at which point IPE will start + * enforcing its policy. + * + * Return: + * 0 - OK + * -ENOMEM - Context creation failed. + */ +static int __init ipe_init(void) +{ + int rc = 0; + + rc = ipe_init_ctx(); + if (rc) + return rc; + + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "ipe"); + + return rc; +} + +DEFINE_LSM(ipe) = { + .name = "ipe", + .init = ipe_init, + .blobs = &ipe_blobs, +}; diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h new file mode 100644 index 000000000000..152ae28f3cdd --- /dev/null +++ b/security/ipe/ipe.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#ifndef IPE_H +#define IPE_H + +#define pr_fmt(fmt) "IPE " fmt "\n" + +#include "ctx.h" + +#include +#include +#include + +#endif /* IPE_H */ From patchwork Wed Jun 8 19:01:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874550 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38E50CCA481 for ; Wed, 8 Jun 2022 19:01:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234621AbiFHTBw (ORCPT ); Wed, 8 Jun 2022 15:01:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51760 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234239AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 706B413CC9; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 03BD420BE669; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 03BD420BE669 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=+sjWW2ZCd97S3Wfvkqgb1CGW5UMnxZfSx3Y3nUeVW+s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AiaHqh8VT42LiKULJ/vEFaVmXT5PemKL1/aJLXQkbhMnHHSn9tT/8YyFnXZ3HiBHt J5jKuUG4iZo1ghV7YR8ez3WpA7FyEVyS49wR1jAMF2tR+aZjRbfCj0DGPX7owI3QOD dFFKyyA+4Pd2FUBj61dWtV/M4mB+my62bDiYWTQ0= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 02/17] ipe: add policy parser Date: Wed, 8 Jun 2022 12:01:14 -0700 Message-Id: <1654714889-26728-3-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org IPE's interpretation of the what the user trusts is accomplished through its policy. IPE's design is to not provide support for a single trust provider, but to support multiple providers to enable the end-user to choose the best one to seek their needs. This requires the policy to be rather flexible and modular so that integrity providers, like fs-verity, dm-verity, dm-integrity, or some other system, can plug into the policy with minimal code changes, and IPE can Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move policy load and activation audit event to 03/12 + Fix a potential panic when a policy failed to load. + use pr_warn for a failure to parse instead of an audit record + Remove comments from headers + Add lockdep assertions to ipe_update_active_policy and ipe_activate_policy + Fix up warnings with checkpatch --strict + Use file_ns_capable for CAP_MAC_ADMIN for securityfs nodes. + Use memdup_user instead of kzalloc+simple_write_to_buffer. + Remove strict_parse command line parameter, as it is added by the sysctl command line. + Prefix extern variables with ipe_ v4: + Remove securityfs to reverse-dependency + Add SHA1 reverse dependency. + Add versioning scheme for IPE properties, and associated interface to query the versioning scheme. + Cause a parser to always return an error on unknown syntax. + Remove strict_parse option + Change active_policy interface from sysctl, to securityfs, and change scheme. v5: + Cause an error if a default action is not defined for each operaiton. + Minor function renames v6: + No changes v7: + Further split parser and userspace interface into two separate commits, for easier review. + Refactor policy parser to make code cleaner via introducing a more modular design, for easier extension of policy, and easier review. v8: + remove unnecessary pr_info emission on parser loading + add explicit newline to the pr_err emitted when a parser fails to load. --- include/asm-generic/vmlinux.lds.h | 16 + security/ipe/Makefile | 6 + security/ipe/ipe.c | 61 ++ security/ipe/ipe.h | 5 + security/ipe/ipe_parser.h | 59 ++ security/ipe/modules.c | 109 +++ security/ipe/modules.h | 17 + security/ipe/modules/ipe_module.h | 33 + security/ipe/parsers.c | 143 ++++ security/ipe/parsers/Makefile | 12 + security/ipe/parsers/default.c | 106 +++ security/ipe/parsers/policy_header.c | 126 ++++ security/ipe/policy.c | 946 +++++++++++++++++++++++++++ security/ipe/policy.h | 97 +++ 14 files changed, 1736 insertions(+) create mode 100644 security/ipe/ipe_parser.h create mode 100644 security/ipe/modules.c create mode 100644 security/ipe/modules.h create mode 100644 security/ipe/modules/ipe_module.h create mode 100644 security/ipe/parsers.c create mode 100644 security/ipe/parsers/Makefile create mode 100644 security/ipe/parsers/default.c create mode 100644 security/ipe/parsers/policy_header.c create mode 100644 security/ipe/policy.c create mode 100644 security/ipe/policy.h diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 7515a465ec03..8549b98d0cf6 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -284,6 +284,20 @@ #define EARLY_LSM_TABLE() #endif +#ifdef CONFIG_SECURITY_IPE +#define IPE_PARSER_TABLE() . = ALIGN(8); \ + __start_ipe_parsers = .; \ + KEEP(*(.ipe_parsers)) \ + __end_ipe_parsers = .; +#define IPE_MODULE_TABLE() . = ALIGN(8); \ + __start_ipe_modules = .; \ + KEEP(*(.ipe_modules)) \ + __end_ipe_modules = .; +#else +#define IPE_PARSER_TABLE() +#define IPE_MODULE_TABLE() +#endif + #define ___OF_TABLE(cfg, name) _OF_TABLE_##cfg(name) #define __OF_TABLE(cfg, name) ___OF_TABLE(cfg, name) #define OF_TABLE(cfg, name) __OF_TABLE(IS_ENABLED(cfg), name) @@ -436,6 +450,8 @@ KEEP(*(__tracepoints_ptrs)) /* Tracepoints: pointer array */ \ __stop___tracepoints_ptrs = .; \ *(__tracepoints_strings)/* Tracepoints: strings */ \ + IPE_PARSER_TABLE() \ + IPE_MODULE_TABLE() \ } \ \ .rodata1 : AT(ADDR(.rodata1) - LOAD_OFFSET) { \ diff --git a/security/ipe/Makefile b/security/ipe/Makefile index ba3df729e252..9a97efd8a190 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -5,7 +5,13 @@ # Makefile for building the IPE module as part of the kernel tree. # +ccflags-y := -I$(srctree)/security/ipe/modules + obj-$(CONFIG_SECURITY_IPE) += \ ctx.o \ hooks.o \ ipe.o \ + modules.o \ + parsers/ \ + parsers.o \ + policy.o \ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index 8a1e0b1c7240..3f387f4ab38a 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -6,6 +6,9 @@ #include "ipe.h" #include "ctx.h" #include "hooks.h" +#include "ipe_parser.h" +#include "modules/ipe_module.h" +#include "modules.h" #include #include @@ -40,6 +43,56 @@ struct ipe_context __rcu **ipe_tsk_ctx(struct task_struct *tsk) return tsk->security + ipe_blobs.lbs_task; } +/* + * load_parsers: Load all the parsers compiled into IPE. This needs + * to be called prior to the boot policy being loaded. + * + * Return: + * 0 - OK + * !0 - Error + */ +static int load_parsers(void) +{ + int rc = 0; + struct ipe_parser *parser; + + for (parser = __start_ipe_parsers; parser < __end_ipe_parsers; ++parser) { + rc = ipe_register_parser(parser); + if (rc) { + pr_err("failed to initialize '%s'", parser->first_token); + return rc; + } + + pr_info("initialized parser module '%s'", parser->first_token); + } + + return 0; +} + +/** + * load_modules: Load all the modules compiled into IPE. This needs + * to be called prior to the boot policy being loaded. + * + * Return: + * 0 - OK + * !0 - Error + */ +static int load_modules(void) +{ + int rc = 0; + struct ipe_module *m; + + for (m = __start_ipe_modules; m < __end_ipe_modules; ++m) { + rc = ipe_register_module(m); + if (rc) { + pr_err("failed to initialize '%s'\n", m->name); + return rc; + } + } + + return 0; +} + /** * ipe_init: Entry point of IPE. * @@ -57,6 +110,14 @@ static int __init ipe_init(void) { int rc = 0; + rc = load_parsers(); + if (rc) + return rc; + + rc = load_modules(); + if (rc) + return rc; + rc = ipe_init_ctx(); if (rc) return rc; diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h index 152ae28f3cdd..417b474e0543 100644 --- a/security/ipe/ipe.h +++ b/security/ipe/ipe.h @@ -9,9 +9,14 @@ #define pr_fmt(fmt) "IPE " fmt "\n" #include "ctx.h" +#include "ipe_parser.h" +#include "modules/ipe_module.h" #include #include #include +extern struct ipe_parser __start_ipe_parsers[], __end_ipe_parsers[]; +extern struct ipe_module __start_ipe_modules[], __end_ipe_modules[]; + #endif /* IPE_H */ diff --git a/security/ipe/ipe_parser.h b/security/ipe/ipe_parser.h new file mode 100644 index 000000000000..f7c5c11bde44 --- /dev/null +++ b/security/ipe/ipe_parser.h @@ -0,0 +1,59 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#ifndef IPE_PARSER_H +#define IPE_PARSER_H + +#include "policy.h" + +#include +#include + +/* + * Struct used to define internal parsers that effect the policy, + * but do not belong as policy modules, as they are not used to make + * decisions in the event loop, and only effect the internal workings + * of IPE. + * + * These structures are used in pass2, and policy deallocation. + */ +struct ipe_parser { + u8 version; + const char *first_token; + + int (*parse)(const struct ipe_policy_line *line, + struct ipe_parsed_policy *pol); + int (*free)(struct ipe_parsed_policy *pol); + int (*validate)(const struct ipe_parsed_policy *pol); +}; + +int ipe_parse_op(const struct ipe_policy_token *tok, + enum ipe_operation *op); + +int ipe_parse_action(const struct ipe_policy_token *tok, + enum ipe_action *action); + +/* + * Optional struct to make structured parsers easier. + */ +struct ipe_token_parser { + const char *key; + int (*parse_token)(const struct ipe_policy_token *t, + struct ipe_parsed_policy *p); +}; + +const struct ipe_parser *ipe_lookup_parser(const char *first_token); + +int ipe_for_each_parser(int (*view)(const struct ipe_parser *parser, + void *ctx), + void *ctx); + +int ipe_register_parser(struct ipe_parser *p); + +#define IPE_PARSER(parser) \ + static struct ipe_parser __ipe_parser_##parser \ + __used __section(".ipe_parsers") \ + __aligned(sizeof(unsigned long)) + +#endif /* IPE_PARSER_MODULE_H */ diff --git a/security/ipe/modules.c b/security/ipe/modules.c new file mode 100644 index 000000000000..fb100c14cce5 --- /dev/null +++ b/security/ipe/modules.c @@ -0,0 +1,109 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe.h" +#include "modules.h" + +#include +#include +#include + +static struct rb_root module_root = RB_ROOT; + +struct module_container { + struct rb_node node; + const struct ipe_module *mod; +}; + +/** + * cmp_node: Comparator for a node in the module lookup tree. + * @n: First node to compare + * @nn: Second node to compare + * + * Return: + * <0 - @n's key is lexigraphically before @nn. + * 0 - n's key is identical to @nn + * >0 - n's key is legxigraphically after @nn + */ +static int cmp_node(struct rb_node *n, const struct rb_node *nn) +{ + const struct module_container *c1; + const struct module_container *c2; + + c1 = container_of(n, struct module_container, node); + c2 = container_of(nn, struct module_container, node); + + return strcmp(c1->mod->name, c2->mod->name); +} + +/** + * cmp_key: Comparator to find a module in the tree by key. + * @key: Supplies a pointer to a null-terminated string key + * @n: Node to compare @key against + * + * Return: + * <0 - Desired node is to the left of @n + * 0 - @n is the desired node + * >0 - Desired node is to the right of @n + */ +static int cmp_key(const void *key, const struct rb_node *n) +{ + struct module_container *mod; + + mod = container_of(n, struct module_container, node); + + return strcmp((const char *)key, mod->mod->name); +} + +/** + * ipe_lookup_module: Attempt to find a ipe_pmodule structure by @key. + * @key: The key to look for in the tree. + * + * Return: + * !NULL - OK + * NULL - No property exists under @key + */ +const struct ipe_module *ipe_lookup_module(const char *key) +{ + struct rb_node *n; + + n = rb_find(key, &module_root, cmp_key); + if (!n) + return NULL; + + return container_of(n, struct module_container, node)->mod; +} + +/** + * ipe_register_module: Register a policy module to be used in IPE's policy. + * @m: Module to register. + * + * This function allows parsers (policy constructs that represent integrations + * with other subsystems, to be leveraged in rules) to be leveraged in IPE policy. + * This must be called prior to any policies being loaded. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_register_module(struct ipe_module *m) +{ + struct rb_node *n = NULL; + struct module_container *c = NULL; + + c = kzalloc(sizeof(*c), GFP_KERNEL); + if (!c) + return -ENOMEM; + + c->mod = m; + + n = rb_find_add(&c->node, &module_root, cmp_node); + if (n) { + kfree(c); + return -EEXIST; + } + + return 0; +} diff --git a/security/ipe/modules.h b/security/ipe/modules.h new file mode 100644 index 000000000000..7b897bdd870b --- /dev/null +++ b/security/ipe/modules.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#ifndef IPE_MODULES_H +#define IPE_MODULES_H + +#include "ipe.h" +#include "ipe_module.h" + +#include +#include + +const struct ipe_module *ipe_lookup_module(const char *key); +int ipe_register_module(struct ipe_module *m); + +#endif /* IPE_MODULES_H */ diff --git a/security/ipe/modules/ipe_module.h b/security/ipe/modules/ipe_module.h new file mode 100644 index 000000000000..c4e98b548df3 --- /dev/null +++ b/security/ipe/modules/ipe_module.h @@ -0,0 +1,33 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#ifndef IPE_MODULE_H +#define IPE_MODULE_H + +#include + +/** + * ipe_module: definition of an extensible module for IPE properties. + * These structures are used to implement 'key=value' pairs + * in IPE policy, which will be evaluated on every IPE policy + * evaluation. + * + * Integrity mechanisms should be define as a module, and modules + * should manage their own dependencies via KConfig. @name is both + * the key half of the key=value pair in the policy, and the unique + * identifier for the module. + */ +struct ipe_module { + const char *const name; /* required */ + u16 version; /* required */ + int (*parse)(const char *valstr, void **value); /* required */ + void (*free)(void **value); /* optional */ +}; + +#define IPE_MODULE(parser) \ + static struct ipe_module __ipe_module_##parser \ + __used __section(".ipe_modules") \ + __aligned(sizeof(unsigned long)) + +#endif /* IPE_MODULE_H */ diff --git a/security/ipe/parsers.c b/security/ipe/parsers.c new file mode 100644 index 000000000000..87006270b9cd --- /dev/null +++ b/security/ipe/parsers.c @@ -0,0 +1,143 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "policy.h" +#include "ipe_parser.h" + +#include +#include +#include + +/* + * locking unnecessary, this is called by lsm_init, + * and is read-only after that point. + */ +static struct rb_root ipe_parser_root = RB_ROOT; + +struct parser_container { + struct rb_node node; + const struct ipe_parser *parser; +}; + +/** + * cmp_key: Comparator for the nodes within the parser tree by key + * @key: Supplies a the key to evaluate nodes against + * @n: Supplies a pointer to the node to compare. + * + * Return: + * <0 - @key is to the left of @n + * 0 - @key identifies @n + * >0 - @key is to the right of @n + */ +static int cmp_key(const void *key, const struct rb_node *n) +{ + const struct parser_container *node; + + node = container_of(n, struct parser_container, node); + + return strcmp((const char *)key, node->parser->first_token); +} + +/** + * cmp_node: Comparator for the nodes within the parser tree + * @n: Supplies a pointer to the node to compare + * @nn: Supplies a pointer to the another node to compare. + * + * Return: + * <0 - @n is lexigraphically before @nn + * 0 - @n is identical @nn + * >0 - @n is lexigraphically after @nn + */ +static int cmp_node(struct rb_node *n, const struct rb_node *nn) +{ + const struct parser_container *c1; + const struct parser_container *c2; + + c1 = container_of(n, struct parser_container, node); + c2 = container_of(nn, struct parser_container, node); + + return strcmp(c1->parser->first_token, c2->parser->first_token); +} + +/** + * ipe_lookup_parser: Attempt to find a ipe_property structure by @first_token. + * @first_token: The key to look for in the tree. + * + * Return: + * !NULL - OK + * NULL - No property exists under @key + */ +const struct ipe_parser *ipe_lookup_parser(const char *first_token) +{ + struct rb_node *n; + + n = rb_find(first_token, &ipe_parser_root, cmp_key); + if (!n) + return NULL; + + return container_of(n, struct parser_container, node)->parser; +} + +/** + * ipe_for_each_parser: Iterate over all currently-registered parsers + * calling @fn on the values, and providing @view @ctx. + * @view: The function to call for each property. This is given the property + * structure as the first argument, and @ctx as the second. + * @ctx: caller-specified context that is passed to the function. Can be NULL. + * + * Return: + * 0 - OK + * !0 - Proper errno as returned by @view. + */ +int ipe_for_each_parser(int (*view)(const struct ipe_parser *parser, + void *ctx), + void *ctx) +{ + int rc = 0; + struct rb_node *node; + struct parser_container *val; + + for (node = rb_first(&ipe_parser_root); node; node = rb_next(node)) { + val = container_of(node, struct parser_container, node); + + rc = view(val->parser, ctx); + if (rc) + return rc; + } + + return rc; +} + +/** + * ipe_register_parser: Register a parser to be used in IPE's policy. + * @p: Parser to register. + * + * This function allows parsers (policy constructs that effect IPE's + * internal functionality) to be leveraged in IPE policy. This must + * be called prior to any policies being loaded. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_register_parser(struct ipe_parser *p) +{ + struct rb_node *n = NULL; + struct parser_container *c = NULL; + + c = kzalloc(sizeof(*c), GFP_KERNEL); + if (!c) + return -ENOMEM; + + c->parser = p; + + n = rb_find_add(&c->node, &ipe_parser_root, cmp_node); + if (n) { + kfree(c); + return -EEXIST; + } + + return 0; +} diff --git a/security/ipe/parsers/Makefile b/security/ipe/parsers/Makefile new file mode 100644 index 000000000000..1a19a094724f --- /dev/null +++ b/security/ipe/parsers/Makefile @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: GPL-2.0 +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# +# Makefile for building the IPE module as part of the kernel tree. +# + +ccflags-y := -I$(srctree)/security/ipe + +obj-$(CONFIG_SECURITY_IPE) += \ + default.o \ + policy_header.o \ diff --git a/security/ipe/parsers/default.c b/security/ipe/parsers/default.c new file mode 100644 index 000000000000..30181d2cc4ed --- /dev/null +++ b/security/ipe/parsers/default.c @@ -0,0 +1,106 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include +#include +#include +#include + +#include "ipe_parser.h" + +static int set_op_default(enum ipe_operation op, enum ipe_action act, + struct ipe_parsed_policy *pol) +{ + size_t i, remap_len; + const enum ipe_operation *remap; + + if (!ipe_is_op_alias(op, &remap, &remap_len)) { + if (pol->rules[op].default_action != ipe_action_max) + return -EBADMSG; + + pol->rules[op].default_action = act; + return 0; + } + + for (i = 0; i < remap_len; ++i) { + if (pol->rules[remap[i]].default_action != ipe_action_max) + return -EBADMSG; + + pol->rules[remap[i]].default_action = act; + } + + return 0; +} + +static int parse_default(const struct ipe_policy_line *line, + struct ipe_parsed_policy *pol) +{ + int rc = 0; + size_t idx = 0; + struct ipe_policy_token *tok = NULL; + enum ipe_operation op = ipe_operation_max; + enum ipe_action act = ipe_action_max; + + list_for_each_entry(tok, &line->tokens, next) { + switch (idx) { + case 0: + if (strcmp("DEFAULT", tok->key) || tok->value) + return -EBADMSG; + break; + case 1: + /* schema 1 - operation, followed by action */ + rc = ipe_parse_op(tok, &op); + if (!rc) { + ++idx; + continue; + } + + if (pol->global_default != ipe_action_max) + return -EBADMSG; + + /* schema 2 - action */ + rc = ipe_parse_action(tok, &pol->global_default); + if (!rc) + return rc; + + return -EBADMSG; + case 2: + rc = ipe_parse_action(tok, &act); + if (rc) + return rc; + + return set_op_default(op, act, pol); + default: + return -EBADMSG; + } + ++idx; + } + + /* met no schema */ + return -EBADMSG; +} + +static int validate_defaults(const struct ipe_parsed_policy *p) +{ + size_t i = 0; + + if (p->global_default != ipe_action_max) + return 0; + + for (i = 0; i < ARRAY_SIZE(p->rules); ++i) { + if (p->rules[i].default_action == ipe_action_max) + return -EBADMSG; + } + + return 0; +} + +IPE_PARSER(default_decl) = { + .first_token = "DEFAULT", + .version = 1, + .parse = parse_default, + .free = NULL, + .validate = validate_defaults, +}; diff --git a/security/ipe/parsers/policy_header.c b/security/ipe/parsers/policy_header.c new file mode 100644 index 000000000000..4d3c1a42c915 --- /dev/null +++ b/security/ipe/parsers/policy_header.c @@ -0,0 +1,126 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe.h" +#include "ipe_parser.h" + +#include +#include +#include +#include + +#include "ipe_parser.h" + +static int parse_name(const struct ipe_policy_token *t, + struct ipe_parsed_policy *p) +{ + if (p->name) + return -EBADMSG; + + p->name = kstrdup_const(t->value, GFP_KERNEL); + if (!p->name) + return -ENOMEM; + + return 0; +} + +static int parse_ver(const struct ipe_policy_token *t, + struct ipe_parsed_policy *p) +{ + int rc = 0; + char *dup = NULL; + char *dup2 = NULL; + char *token = NULL; + size_t sep_count = 0; + u16 *const cv[] = { &p->version.major, &p->version.minor, &p->version.rev }; + + dup = kstrdup(t->value, GFP_KERNEL); + if (!dup) { + rc = -ENOMEM; + goto err; + } + + dup2 = dup; + + while ((token = strsep(&dup, ".\n")) != NULL) { + /* prevent overflow */ + if (sep_count >= ARRAY_SIZE(cv)) { + rc = -EBADMSG; + goto err; + } + + rc = kstrtou16(token, 10, cv[sep_count]); + if (rc) + goto err; + + ++sep_count; + } + + /* prevent underflow */ + if (sep_count != ARRAY_SIZE(cv)) + rc = -EBADMSG; + +err: + kfree(dup2); + return rc; +} + +static const struct ipe_token_parser parsers[] = { + { .key = "policy_name", .parse_token = parse_name }, + { .key = "policy_version", .parse_token = parse_ver }, +}; + +static int parse_policy_hdr(const struct ipe_policy_line *line, + struct ipe_parsed_policy *pol) +{ + int rc = 0; + size_t idx = 0; + struct ipe_policy_token *tok = NULL; + const struct ipe_token_parser *p = NULL; + + list_for_each_entry(tok, &line->tokens, next) { + if (!tok->value || idx >= sizeof(parsers)) { + rc = -EBADMSG; + goto err; + } + + p = &parsers[idx]; + + if (strcmp(p->key, tok->key)) { + rc = -EBADMSG; + goto err; + } + + rc = p->parse_token(tok, pol); + if (rc) + goto err; + + ++idx; + } + + return 0; + +err: + return rc; +} + +static int free_policy_hdr(struct ipe_parsed_policy *pol) +{ + kfree(pol->name); + return 0; +} + +static int validate_policy_hdr(const struct ipe_parsed_policy *p) +{ + return !p->name ? -EBADMSG : 0; +} + +IPE_PARSER(policy_header) = { + .first_token = "policy_name", + .version = 1, + .parse = parse_policy_hdr, + .free = free_policy_hdr, + .validate = validate_policy_hdr, +}; diff --git a/security/ipe/policy.c b/security/ipe/policy.c new file mode 100644 index 000000000000..6381fa7c2ec6 --- /dev/null +++ b/security/ipe/policy.c @@ -0,0 +1,946 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe.h" +#include "policy.h" +#include "ipe_parser.h" +#include "modules.h" + +#include +#include +#include +#include +#include +#include + +#define START_COMMENT '#' +#define KEYVAL_DELIMIT '=' + +static inline bool is_quote(char ch) +{ + return ch == '\'' || ch == '\"'; +} + +/** + * is_key_char: Determine whether @ch is an acceptable character for a + * key type + * @ch: Supplies the character to evaluate. + * + * Return: + * true - Character is acceptable. + * false - Character is not acceptable. + */ +static inline bool is_key_char(char ch) +{ + return isalnum(ch) || ch == '_'; +} + +/** + * is_val_char: Determine whether @ch is an acceptable character for a + * value type + * @ch: Supplies the character to evaluate. + * + * Return: + * true - Character is acceptable. + * false - Character is not acceptable. + */ +static inline bool is_val_char(char ch) +{ + return isgraph(ch) || ch == ' ' || ch == '\t'; +} + +/** + * free_parser: Callback to invoke, freeing data allocated by parsers. + * @parser: parser to free data. + * @ctx: ctx object passed to ipe_for_each_parser. + * + * This function is intended to be used with ipe_for_each_parser only. + * + * Return: + * 0 - Always + */ +static int free_parser(const struct ipe_parser *parser, void *ctx) +{ + struct ipe_parsed_policy *pol = ctx; + + if (parser->free) + parser->free(pol); + + return 0; +} + +/** + * free_rule: free an ipe_rule. + * @r: Supplies the rule to free. + * + * This function is safe to call if @r is NULL or ERR_PTR. + */ +static void free_rule(struct ipe_rule *r) +{ + struct ipe_policy_mod *p, *t; + + if (IS_ERR_OR_NULL(r)) + return; + + list_for_each_entry_safe(p, t, &r->modules, next) { + if (p->mod->free) + p->mod->free(&p->mod_value); + + kfree(p); + } + + kfree(r); +} + +static void free_parsed_policy(struct ipe_parsed_policy *p) +{ + size_t i = 0; + struct ipe_rule *pp, *t; + + if (IS_ERR_OR_NULL(p)) + return; + + for (i = 0; i < ARRAY_SIZE(p->rules); ++i) + list_for_each_entry_safe(pp, t, &p->rules[i].rules, next) + free_rule(pp); + + (void)ipe_for_each_parser(free_parser, p); + kfree(p); +} + +/** + * free_parsed_line: free a single parsed line of tokens. + * @line: Supplies the line to free. + * + * This function is safe to call if @line is NULL or ERR_PTR. + */ +static void free_parsed_line(struct ipe_policy_line *line) +{ + struct ipe_policy_token *p, *t; + + if (IS_ERR_OR_NULL(line)) + return; + + list_for_each_entry_safe(p, t, &line->tokens, next) + kfree(p); +} + +/** + * free_parsed_text: free a 2D list representing a tokenized policy. + * @parsed: Supplies the policy to free. + * + * This function is safe to call if @parsed is NULL or ERR_PTR. + */ +static void free_parsed_text(struct list_head *parsed) +{ + struct ipe_policy_line *p, *t; + + if (IS_ERR_OR_NULL(parsed)) + return; + + list_for_each_entry_safe(p, t, parsed, next) + free_parsed_line(p); +} + +/** + * trim_quotes: Edit @str to remove a single instance of a trailing and + * leading quotes. + * @str: Supplies the string to edit. + * + * If the string is not quoted, @str will be returned. This function is + * safe to call if @str is NULL. + * + * Return: + * !0 - OK + * ERR_PTR(-EBADMSG) - Quote mismatch. + */ +static char *trim_quotes(char *str) +{ + char s; + size_t len; + + if (!str) + return str; + + s = *str; + + if (is_quote(s)) { + len = strlen(str) - 1; + + if (str[len] != s) + return ERR_PTR(-EBADMSG); + + str[len] = '\0'; + ++str; + } + + return str; +} + +/** + * parse_token: Parse a string into a proper token representation. + * @token: Supplies the token string to parse. + * + * @token will be edited destructively. Pass a copy if you wish to retain + * the state of the original. + * + * This function will emit an error to pr_err when a parsing error occurs. + * + * Return: + * !0 - OK + * ERR_PTR(-EBADMSG) - An invalid character was encountered while parsing. + * ERR_PTR(-ENOMEM) - No Memory + */ +static struct ipe_policy_token *parse_token(char *token) +{ + size_t i, len = 0; + char *key = token; + char *value = NULL; + struct ipe_policy_token *local = NULL; + + len = strlen(token); + + for (i = 0; (i < len) && token[i] != KEYVAL_DELIMIT; ++i) + if (!is_key_char(token[i])) + return ERR_PTR(-EBADMSG); + + token[i] = '\0'; + ++i; + + /* there is a value */ + if (i < len) { + value = trim_quotes(&token[i]); + if (IS_ERR(value)) + return ERR_PTR(-EBADMSG); + + len = strlen(value); + + for (i = 0; i < len; ++i) + if (!is_val_char(value[i])) + return ERR_PTR(-EBADMSG); + } + + local = kzalloc(sizeof(*local), GFP_KERNEL); + if (!local) + return ERR_PTR(-ENOMEM); + + INIT_LIST_HEAD(&local->next); + local->key = key; + local->value = value; + + return local; +} + +/** + * append_token: Parse and append a token into an ipe_policy_line structure. + * @p: Supplies the ipe_policy_line structure to append to. + * @token: Supplies the token to parse and append to. + * + * @token will be edited during the parsing destructively. Pass a copy if you + * wish to retain the original. + * + * Return: + * 0 - OK + * -EBADMSG - Parsing error of @token + */ +static int append_token(struct ipe_policy_line *p, char *token) +{ + struct ipe_policy_token *t = NULL; + + t = parse_token(token); + if (IS_ERR(t)) + return PTR_ERR(t); + + list_add_tail(&t->next, &p->tokens); + + return 0; +} + +/** + * alloc_line: Allocate an ipe_policy_line structure. + * + * Return: + * !0 - OK + * -EBADMSG - Parsing error of @token + */ +static struct ipe_policy_line *alloc_line(void) +{ + struct ipe_policy_line *l = NULL; + + l = kzalloc(sizeof(*l), GFP_KERNEL); + if (!l) + return ERR_PTR(-ENOMEM); + + INIT_LIST_HEAD(&l->next); + INIT_LIST_HEAD(&l->tokens); + + return l; +} + +/** + * insert_token: Append a token to @line. + * @token: Supplies the token to append to @line. + * @line: Supplies a pointer to the ipe_policy_line structure to append to. + * + * If @line is NULL, it will be allocated on behalf of the caller. + * + * Return: + * 0 - OK + * -ENOMEM - No Memory + * -EBADMSG - Parsing error of @token + */ +static int insert_token(char *token, struct ipe_policy_line **line) +{ + int rc = 0; + struct ipe_policy_line *local = *line; + + if (!local) { + local = alloc_line(); + if (IS_ERR(local)) + return PTR_ERR(local); + + *line = local; + } + + rc = append_token(local, token); + if (rc) + return rc; + + return 0; +} + +/** + * ipe_tokenize_line: Parse a line of text into a list of token structures. + * @line: Supplies the line to parse. + * + * The final result can be NULL, which represents no tokens were parsed. + * + * Return: + * !0 - OK + * NULL - OK, no tokens were parsed. + * ERR_PTR(-EBADMSG) - Invalid policy syntax + * ERR_PTR(-ENOMEM) - No Memory + */ +static struct ipe_policy_line *tokenize_line(char *line) +{ + int rc = 0; + size_t i = 0; + size_t len = 0; + char *tok = NULL; + char quote = '\0'; + struct ipe_policy_line *p = NULL; + + /* nullterm guaranteed by strsep */ + len = strlen(line); + + for (i = 0; i < len; ++i) { + if (quote == '\0' && is_quote(line[i])) { + quote = line[i]; + continue; + } + + if (quote != '\0' && line[i] == quote) { + quote = '\0'; + continue; + } + + if (quote == '\0' && line[i] == START_COMMENT) { + tok = NULL; + break; + } + + if (isgraph(line[i]) && !tok) + tok = &line[i]; + + if (quote == '\0' && isspace(line[i])) { + line[i] = '\0'; + + if (!tok) + continue; + + rc = insert_token(tok, &p); + if (rc) + goto err; + + tok = NULL; + } + } + + if (quote != '\0') { + rc = -EBADMSG; + goto err; + } + + if (tok) { + rc = insert_token(tok, &p); + if (rc) + goto err; + } + + return p; + +err: + free_parsed_line(p); + return ERR_PTR(rc); +} + +/** + * parse_pass1: parse @policy into a 2D list, representing tokens on each line. + * @policy: Supplies the policy to parse. Must be nullterminated, and is + * edited. + * + * In pass1 of the parser, the policy is tokenized. Minor structure checks + * are done (mismatching quotes, invalid characters). + * + * Caller must maintain the lifetime of @policy while the return value is + * alive. + * + * Return: + * !0 - OK + * ERR_PTR(-ENOMEM) - Out of Memory + * ERR_PTR(-EBADMSG) - Parsing Error + */ +static int parse_pass1(char *policy, struct list_head *tokens) +{ + int rc = 0; + char *p = NULL; + + while ((p = strsep(&policy, "\n\0")) != NULL) { + struct ipe_policy_line *t = NULL; + + t = tokenize_line(p); + if (IS_ERR(t)) { + rc = PTR_ERR(t); + goto err_free_parsed; + } + + if (!t) + continue; + + list_add_tail(&t->next, tokens); + } + + return 0; + +err_free_parsed: + free_parsed_text(tokens); + return rc; +} + +/** + * parse_pass2: Take the 2D list of tokens generated from pass1, and transform + * it into a partial ipe_policy. + * @parsed: Supplies the list of tokens generated from pass1. + * @p: Policy to manipulate with parsed tokens. + * + * This function is where various declarations and references are parsed into + * policy. All declarations and references required to parse rules should be + * done here as a parser, and then in pass3 these can be utilized. + * + * Return: + * !0 - OK + * -EBADMSG - Syntax Parsing Errors + * -ENOENT - No handler for a token. + * -ENOMEM - Out of memory + */ +static int parse_pass2(struct list_head *parsed, struct ipe_parsed_policy *pol) +{ + int rc = 0; + const struct ipe_parser *p = NULL; + struct ipe_policy_line *line = NULL; + const struct ipe_policy_token *token = NULL; + + list_for_each_entry(line, parsed, next) { + token = list_first_entry(&line->tokens, struct ipe_policy_token, next); + p = ipe_lookup_parser(token->key); + if (!p) + continue; + + rc = p->parse(line, pol); + if (rc) + return rc; + + line->consumed = true; + } + + return rc; +} + +/** + * ipe_parse_op: parse a token to an operation value. + * @tok: Token to parse + * @op: Operation Parsed. + * + * Return: + * 0 - OK + * -EINVAL - Invalid key or value. + */ +int ipe_parse_op(const struct ipe_policy_token *tok, + enum ipe_operation *op) +{ + substring_t match[MAX_OPT_ARGS] = { 0 }; + const match_table_t ops = { + { ipe_op_alias_max, NULL }, + }; + + if (strcmp(tok->key, "op") || !tok->value) + return -EINVAL; + + *op = match_token((char *)tok->value, ops, match); + if ((*op) == (int)ipe_op_alias_max) + return -ENOENT; + + return 0; +} + +/** + * ipe_parse_action: parse a token to an operation value. + * @tok: Token to parse + * @action: action parsed. + * + * Return: + * 0 - OK + * -EINVAL - Invalid key or value. + */ +int ipe_parse_action(const struct ipe_policy_token *tok, + enum ipe_action *action) +{ + substring_t match[MAX_OPT_ARGS] = { 0 }; + const match_table_t actions = { + { ipe_action_allow, "ALLOW" }, + { ipe_action_deny, "DENY" }, + { ipe_action_max, NULL }, + }; + + if (strcmp(tok->key, "action") || !tok->value) + return -EINVAL; + + *action = match_token((char *)tok->value, actions, match); + + if (*action == ipe_action_max) + return -EINVAL; + + return 0; +} + +/** + * parse_mod_to_rule: Parse a module token and append the values to the + * provided rule. + * @t: Supplies the token to parse. + * @r: Supplies the rule to modify with the result. + * + * Return: + * 0 - OK + * -ENOENT - No such module to handle @t. + * -ENOMEM - No memory. + * Others - Module defined errors. + */ +static int parse_mod_to_rule(const struct ipe_policy_token *t, struct ipe_rule *r) +{ + int rc = 0; + struct ipe_policy_mod *p = NULL; + const struct ipe_module *m = NULL; + + m = ipe_lookup_module(t->key); + if (IS_ERR_OR_NULL(m)) { + rc = (m) ? PTR_ERR(m) : -ENOENT; + goto err; + } + + p = kzalloc(sizeof(*p), GFP_KERNEL); + if (!p) { + rc = -ENOMEM; + goto err; + } + INIT_LIST_HEAD(&p->next); + p->mod = m; + + rc = m->parse(t->value, &p->mod_value); + if (rc) + goto err2; + + list_add_tail(&p->next, &r->modules); + return 0; +err2: + kfree(p); +err: + return rc; +} + +/** + * parse_rule: Parse a policy line into an ipe_rule structure. + * @line: Supplies the line to parse. + * + * Return: + * Valid ipe_rule - OK + * ERR_PTR(-ENOMEM) - Out of Memory + * ERR_PTR(-ENOENT) - No such module to handle a token + * ERR_PTR(-EINVAL) - An unacceptable value has been encountered. + * ERR_PTR(...) - Module defined errors. + */ +static struct ipe_rule *parse_rule(const struct ipe_policy_line *line) +{ + int rc = 0; + struct ipe_rule *r = NULL; + const struct list_head *node = NULL; + + r = kzalloc(sizeof(*r), GFP_KERNEL); + if (!r) { + rc = -ENOMEM; + goto err; + } + + INIT_LIST_HEAD(&r->next); + INIT_LIST_HEAD(&r->modules); + r->op = (int)ipe_op_alias_max; + r->action = ipe_action_max; + + list_for_each(node, &line->tokens) { + const struct ipe_policy_token *token = NULL; + + token = container_of(node, struct ipe_policy_token, next); + + if (list_is_first(node, &line->tokens)) { + enum ipe_operation op; + + rc = ipe_parse_op(token, &op); + if (rc) + goto err; + + r->op = op; + continue; + } + + if (list_is_last(node, &line->tokens)) { + enum ipe_action action; + + rc = ipe_parse_action(token, &action); + if (rc) + goto err; + + r->action = action; + continue; + } + + rc = parse_mod_to_rule(token, r); + if (rc) + goto err; + } + + if (r->action == ipe_action_max || r->op == (int)ipe_op_alias_max) { + rc = -EBADMSG; + goto err; + } + + return r; +err: + free_rule(r); + return ERR_PTR(rc); +} + +/** + * parse_pass3: Take the partially parsed list of tokens from pass 1 and the + * parial policy from pass 2, and finalize the policy. + * @parsed: Supplies the tokens parsed from pass 1. + * @p: Supplies the partial policy from pass 2. + * + * This function finalizes the IPE policy by parsing all rules in the + * policy. This must occur in pass3, as in pass2, references are resolved + * that can be used in pass3. + * + * Return: + * 0 - OK + * !0 - Standard errno + */ +static int parse_pass3(struct list_head *parsed, + struct ipe_parsed_policy *p) +{ + int rc = 0; + size_t i = 0; + size_t remap_len = 0; + struct ipe_rule *rule = NULL; + struct ipe_policy_line *line = NULL; + const enum ipe_operation *remap; + + list_for_each_entry(line, parsed, next) { + if (line->consumed) + continue; + + rule = parse_rule(line); + if (IS_ERR(rule)) { + rc = PTR_ERR(rule); + goto err; + } + + if (ipe_is_op_alias(rule->op, &remap, &remap_len)) { + for (i = 0; i < remap_len; ++i) { + rule->op = remap[i]; + list_add_tail(&rule->next, &p->rules[rule->op].rules); + rule = parse_rule(line); + } + + free_rule(rule); + } else { + list_add_tail(&rule->next, &p->rules[rule->op].rules); + } + + line->consumed = true; + } + + return 0; +err: + free_rule(rule); + return rc; +} + +/** + * parser_validate: Callback to invoke, validating parsers as necessary + * @parser: parser to call to validate data. + * @ctx: ctx object passed to ipe_for_each_parser. + * + * This function is intended to be used with ipe_for_each_parser only. + * + * Return: + * 0 - OK + * !0 - Validation failed. + */ +static int parser_validate(const struct ipe_parser *parser, void *ctx) +{ + int rc = 0; + const struct ipe_parsed_policy *pol = ctx; + + if (parser->validate) + rc = parser->validate(pol); + + return rc; +} + +/** + * validate_policy: Given a policy structure that was just parsed, validate + * that all necessary fields are present, initialized + * correctly, and all lines parsed are have been consumed. + * @parsed: Supplies the policy lines that were parsed in pass1. + * @policy: Supplies the fully parsed policy. + * + * A parsed policy can be an invalid state for use (a default was undefined, + * a header was undefined) by just parsing the policy. + * + * Return: + * 0 - OK + * -EBADMSG - Policy is invalid. + */ +static int validate_policy(const struct list_head *parsed, + const struct ipe_parsed_policy *p) +{ + int rc = 0; + const struct ipe_policy_line *line = NULL; + + list_for_each_entry(line, parsed, next) { + if (!line->consumed) + return -EBADMSG; + } + + rc = ipe_for_each_parser(parser_validate, + (struct ipe_parsed_policy *)p); + + return rc; +} + +/** + * new_parsed_policy: Allocate and initialize a parsed policy to its default + * values. + * + * Return: + * !IS_ERR - OK + */ +static struct ipe_parsed_policy *new_parsed_policy(void) +{ + size_t i = 0; + struct ipe_parsed_policy *p = NULL; + struct ipe_operation_table *t = NULL; + + p = kzalloc(sizeof(*p), GFP_KERNEL); + if (!p) + return ERR_PTR(-ENOMEM); + + p->global_default = ipe_action_max; + + for (i = 0; i < ARRAY_SIZE(p->rules); ++i) { + t = &p->rules[i]; + + t->default_action = ipe_action_max; + INIT_LIST_HEAD(&t->rules); + } + + return p; +} + +/** + * parse_policy: Given a string, parse the string into an IPE policy + * structure. + * @p: partially filled ipe_policy structure to populate with the result. + * + * @p must have text and textlen set. + * + * Return: + * Valid ipe_policy structure - OK + * ERR_PTR(-EBADMSG) - Invalid Policy Syntax (Unrecoverable) + * ERR_PTR(-ENOMEM) - Out of Memory + */ +static int parse_policy(struct ipe_policy *p) +{ + int rc = 0; + char *dup = NULL; + LIST_HEAD(parsed); + struct ipe_parsed_policy *pp = NULL; + + if (!p->textlen) + return -EBADMSG; + + dup = kmemdup_nul(p->text, p->textlen, GFP_KERNEL); + if (!dup) + return -ENOMEM; + + pp = new_parsed_policy(); + if (IS_ERR(pp)) { + rc = PTR_ERR(pp); + goto out; + } + + rc = parse_pass1(dup, &parsed); + if (rc) + goto err; + + rc = parse_pass2(&parsed, pp); + if (rc) + goto err; + + rc = parse_pass3(&parsed, pp); + if (rc) + goto err; + + rc = validate_policy(&parsed, pp); + if (rc) + goto err; + + p->parsed = pp; + + goto out; +err: + free_parsed_policy(pp); +out: + free_parsed_text(&parsed); + kfree(dup); + + return rc; +} + +/** + * ipe_is_op_alias: Determine if @op is an alias for one or more operations + * @op: Supplies the operation to check. Should be either ipe_operation or + * ipe_op_alias. + * @map: Supplies a pointer to populate with the mapping if @op is an alias + * @size: Supplies the size of @map if @op is an alias. + * + * Return: + * true - @op is an alias + * false - @op is not an alias + */ +bool ipe_is_op_alias(int op, const enum ipe_operation **map, size_t *size) +{ + switch (op) { + default: + return false; + } +} + +/** + * ipe_put_policy: Deallocate a given IPE policy. + * @p: Supplies the policy to free. + * + * Safe to call on IS_ERR/NULL. + */ +void ipe_put_policy(struct ipe_policy *p) +{ + if (IS_ERR_OR_NULL(p) || !refcount_dec_and_test(&p->refcount)) + return; + + free_parsed_policy(p->parsed); + if (!p->pkcs7) + kfree(p->text); + kfree(p->pkcs7); + kfree(p); +} + +static int set_pkcs7_data(void *ctx, const void *data, size_t len, + size_t asn1hdrlen) +{ + struct ipe_policy *p = ctx; + + p->text = (const char *)data; + p->textlen = len; + + return 0; +} + +/** + * ipe_new_policy: allocate and parse an ipe_policy structure. + * + * @text: Supplies a pointer to the plain-text policy to parse. + * @textlen: Supplies the length of @text. + * @pkcs7: Supplies a pointer to a pkcs7-signed IPE policy. + * @pkcs7len: Supplies the length of @pkcs7. + * + * @text/@textlen Should be NULL/0 if @pkcs7/@pkcs7len is set. + * + * The result will still need to be associated with a context via + * ipe_add_policy. + * + * Return: + * !IS_ERR - Success + */ +struct ipe_policy *ipe_new_policy(const char *text, size_t textlen, + const char *pkcs7, size_t pkcs7len) +{ + int rc = 0; + struct ipe_policy *new = NULL; + + new = kzalloc(sizeof(*new), GFP_KERNEL); + if (!new) + return ERR_PTR(-ENOMEM); + + refcount_set(&new->refcount, 1); + + if (!text) { + new->pkcs7len = pkcs7len; + new->pkcs7 = kmemdup(pkcs7, pkcs7len, GFP_KERNEL); + if (!new->pkcs7) { + rc = -ENOMEM; + goto err; + } + + rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL, + VERIFYING_UNSPECIFIED_SIGNATURE, + set_pkcs7_data, new); + if (rc) + goto err; + } else { + new->textlen = textlen; + new->text = kstrndup(text, textlen, GFP_KERNEL); + if (!new->text) { + rc = -ENOMEM; + goto err; + } + } + + rc = parse_policy(new); + if (rc) + goto err; + + return new; +err: + ipe_put_policy(new); + return ERR_PTR(rc); +} diff --git a/security/ipe/policy.h b/security/ipe/policy.h new file mode 100644 index 000000000000..d78788db238c --- /dev/null +++ b/security/ipe/policy.h @@ -0,0 +1,97 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#ifndef IPE_POLICY_H +#define IPE_POLICY_H + +#include +#include +#include + +struct ipe_policy_token { + struct list_head next; /* type: policy_token */ + + const char *key; + const char *value; +}; + +struct ipe_policy_line { + struct list_head next; /* type: policy_line */ + struct list_head tokens; /* type: policy_token */ + + bool consumed; +}; + +struct ipe_module; + +enum ipe_operation { + ipe_operation_max = 0, +}; + +/* + * Extension to ipe_operation, representing operations + * that are just one or more operations under the hood + */ +enum ipe_op_alias { + ipe_op_alias_max = ipe_operation_max, +}; + +enum ipe_action { + ipe_action_allow = 0, + ipe_action_deny, + ipe_action_max, +}; + +struct ipe_policy_mod { + const struct ipe_module *mod; + void *mod_value; + + struct list_head next; +}; + +struct ipe_rule { + enum ipe_operation op; + enum ipe_action action; + + struct list_head modules; + + struct list_head next; +}; + +struct ipe_operation_table { + struct list_head rules; + enum ipe_action default_action; +}; + +struct ipe_parsed_policy { + const char *name; + struct { + u16 major; + u16 minor; + u16 rev; + } version; + + enum ipe_action global_default; + + struct ipe_operation_table rules[ipe_operation_max]; +}; + +struct ipe_policy { + const char *pkcs7; + size_t pkcs7len; + + const char *text; + size_t textlen; + + struct ipe_parsed_policy *parsed; + + refcount_t refcount; +}; + +struct ipe_policy *ipe_new_policy(const char *text, size_t textlen, + const char *pkcs7, size_t pkcs7len); +void ipe_put_policy(struct ipe_policy *pol); +bool ipe_is_op_alias(int op, const enum ipe_operation **map, size_t *size); + +#endif /* IPE_POLICY_H */ From patchwork Wed Jun 8 19:01:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874559 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DDB6C2BBE5 for ; Wed, 8 Jun 2022 19:02:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234853AbiFHTCO (ORCPT ); Wed, 8 Jun 2022 15:02:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51584 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230299AbiFHTBr (ORCPT ); Wed, 8 Jun 2022 15:01:47 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7070E240AE; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 1E8C120BE66A; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 1E8C120BE66A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=2b8HuOG8BVNMy1w23YvuM/hVRaYJ5XUAH+1E3XT5hFU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hxcnL3QpNY/zBhtegD4cuEcjCvGoth93i5xsg3YjITRoXc6PFW+GTZS93Wg+9iWow 6BO26dutRiU2XMy8lAGWUCy9xH80leLR4nIm/w1r9I5eeVr5zs/pYhW1msHLhvc+0e iZ8jRKiaIq8u2C6zv37iTY4bgUse1XVM754SXfWM= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 03/17] ipe: add evaluation loop Date: Wed, 8 Jun 2022 12:01:15 -0700 Message-Id: <1654714889-26728-4-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org IPE must have a centralized function to evaluate incoming callers against IPE's policy. This iteration of the policy for against the rules for that specific caller is known as the evaluation loop. Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move ipe_load_properties to patch 04. + Remove useless 0-initializations + Prefix extern variables with ipe_ + Remove kernel module parameters, as these are exposed through sysctls. + Add more prose to the IPE base config option help text. + Use GFP_KERNEL for audit_log_start. + Remove unnecessary caching system. + Remove comments from headers + Use rcu_access_pointer for rcu-pointer null check + Remove usage of reqprot; use prot only. + Move policy load and activation audit event to 03/12 v4: + Remove sysctls in favor of securityfs nodes + Re-add kernel module parameters, as these are now exposed through securityfs. + Refactor property audit loop to a separate function. v5: + fix minor grammatical errors + do not group rule by curly-brace in audit record, reconstruct the exact rule. v6: + No changes v7: + Further split lsm creation into a separate commit from the evaluation loop and audit system, for easier review. + Propogating changes to support the new ipe_context structure in the evaluation loop. Introduced in v8: + Remove ipe_hook enumeration; hooks can be correlated via syscall record. --- security/ipe/Makefile | 1 + security/ipe/ctx.c | 59 +++++++++++- security/ipe/ctx.h | 6 ++ security/ipe/eval.c | 144 ++++++++++++++++++++++++++++++ security/ipe/eval.h | 24 +++++ security/ipe/modules/ipe_module.h | 3 + security/ipe/policy.c | 27 ++++++ security/ipe/policy.h | 4 + 8 files changed, 267 insertions(+), 1 deletion(-) create mode 100644 security/ipe/eval.c create mode 100644 security/ipe/eval.h diff --git a/security/ipe/Makefile b/security/ipe/Makefile index 9a97efd8a190..0db69f13e82a 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -9,6 +9,7 @@ ccflags-y := -I$(srctree)/security/ipe/modules obj-$(CONFIG_SECURITY_IPE) += \ ctx.o \ + eval.o \ hooks.o \ ipe.o \ modules.o \ diff --git a/security/ipe/ctx.c b/security/ipe/ctx.c index d51fe2e13ad9..97305ddc2ff7 100644 --- a/security/ipe/ctx.c +++ b/security/ipe/ctx.c @@ -5,6 +5,7 @@ #include "ipe.h" #include "ctx.h" +#include "policy.h" #include #include @@ -60,10 +61,25 @@ struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx) */ static void free_ctx_work(struct work_struct *const work) { + struct ipe_policy *p = NULL; struct ipe_context *ctx = NULL; ctx = container_of(work, struct ipe_context, free_work); + /* Make p->ctx no longer have any references */ + spin_lock(&ctx->lock); + list_for_each_entry(p, &ctx->policies, next) + rcu_assign_pointer(p->ctx, NULL); + spin_unlock(&ctx->lock); + synchronize_rcu(); + + /* + * locking no longer necessary - nothing can get a reference to ctx, + * so list is guaranteed stable. + */ + list_for_each_entry(p, &ctx->policies, next) + ipe_put_policy(p); + kfree(ctx); } @@ -88,6 +104,7 @@ static struct ipe_context *create_ctx(void) } INIT_WORK(&ctx->free_work, free_ctx_work); + INIT_LIST_HEAD(&ctx->policies); refcount_set(&ctx->refcount, 1); spin_lock_init(&ctx->lock); @@ -98,9 +115,49 @@ static struct ipe_context *create_ctx(void) return ERR_PTR(rc); } +/** + * remove_policy: Remove a policy from its context + * @p: Supplies a pointer to a policy that will be removed from its context + * + * Decrements @p's reference by 1. + */ +void ipe_remove_policy(struct ipe_policy *p) +{ + struct ipe_context *ctx; + + ctx = ipe_get_ctx_rcu(p->ctx); + if (!ctx) + return; + + spin_lock(&ctx->lock); + list_del_init(&p->next); + rcu_assign_pointer(p->ctx, NULL); + spin_unlock(&ctx->lock); + synchronize_rcu(); + + ipe_put_ctx(ctx); + /* drop the reference representing the list */ + ipe_put_policy(p); +} + +/** + * ipe_add_policy: Associate @p with @ctx + * @ctx: Supplies a pointer to the ipe_context structure to associate @p with. + * @p: Supplies a pointer to the ipe_policy structure to associate. + */ +void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p) +{ + spin_lock(&ctx->lock); + rcu_assign_pointer(p->ctx, ctx); + list_add_tail(&p->next, &ctx->policies); + refcount_inc(&p->refcount); + spin_unlock(&ctx->lock); + synchronize_rcu(); +} + /** * ipe_put_ctx: Decrement the reference of an ipe_context structure, - * scheduling a free as necessary. + * scheduling a free as necessary.s * @ctx: Structure to free * * This function no-ops on error and null values for @ctx, and the diff --git a/security/ipe/ctx.h b/security/ipe/ctx.h index 69a2c92c0a8c..a0da92da818c 100644 --- a/security/ipe/ctx.h +++ b/security/ipe/ctx.h @@ -12,10 +12,14 @@ #include struct ipe_context { + struct ipe_policy __rcu *active_policy; + refcount_t refcount; /* Protects concurrent writers */ spinlock_t lock; + struct list_head policies; /* type: ipe_policy */ + struct work_struct free_work; }; @@ -24,5 +28,7 @@ struct ipe_context __rcu **ipe_tsk_ctx(struct task_struct *tsk); struct ipe_context *ipe_current_ctx(void); struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx); void ipe_put_ctx(struct ipe_context *ctx); +void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p); +void ipe_remove_policy(struct ipe_policy *p); #endif /* IPE_CONTEXT_H */ diff --git a/security/ipe/eval.c b/security/ipe/eval.c new file mode 100644 index 000000000000..b3e4277fe6bd --- /dev/null +++ b/security/ipe/eval.c @@ -0,0 +1,144 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe.h" +#include "ctx.h" +#include "eval.h" +#include "hooks.h" +#include "policy.h" +#include "modules/ipe_module.h" + +#include +#include +#include +#include + +/** + * build_ctx: Build an evaluation context. + * @file: Supplies a pointer to the file to associated with the evaluation + * @op: Supplies the IPE policy operation associated with the evaluation + * @hook: Supplies the LSM hook associated with the evaluation. + * + * The current IPE Context will have a reference count increased by one until + * this is deallocated. + * + * Return: + * !IS_ERR - OK + */ +static struct ipe_eval_ctx *build_ctx(const struct file *file, + enum ipe_operation op) +{ + struct ipe_eval_ctx *ctx = NULL; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) + return ERR_PTR(-ENOMEM); + + ctx->file = file; + ctx->op = op; + ctx->ci_ctx = ipe_current_ctx(); + + return ctx; +} + +/** + * free_ctx: Deallocate a previously-allocated ipe_eval_ctx + * @ctx: Supplies a pointer to the evaluation context to free. + */ +static void free_ctx(struct ipe_eval_ctx *ctx) +{ + if (IS_ERR_OR_NULL(ctx)) + return; + + ipe_put_ctx(ctx->ci_ctx); + kfree(ctx); +} + +/** + * evaluate: Analyze @ctx against the active policy and return the result. + * @ctx: Supplies a pointer to the context being evaluated. + * + * This is the loop where all policy evaluation happens against IPE policy. + * + * Return: + * 0 - OK + * -EACCES - @ctx did not pass evaluation. + * !0 - Error + */ +static int evaluate(const struct ipe_eval_ctx *const ctx) +{ + int rc = 0; + bool match = false; + enum ipe_action action; + struct ipe_policy *pol = NULL; + const struct ipe_rule *rule = NULL; + const struct ipe_policy_mod *module = NULL; + const struct ipe_operation_table *rules = NULL; + + pol = ipe_get_policy_rcu(ctx->ci_ctx->active_policy); + if (!pol) + goto out; + + if (ctx->op == ipe_operation_max) { + action = pol->parsed->global_default; + goto eval; + } + + rules = &pol->parsed->rules[ctx->op]; + + list_for_each_entry(rule, &rules->rules, next) { + match = true; + + list_for_each_entry(module, &rule->modules, next) + match = match && module->mod->eval(ctx, module->mod_value); + + if (match) + break; + } + + if (match) { + action = rule->action; + } else if (rules->default_action != ipe_action_max) { + action = rules->default_action; + } else { + action = pol->parsed->global_default; + } + +eval: + if (action == ipe_action_deny) + rc = -EACCES; + +out: + ipe_put_policy(pol); + return rc; +} + +/** + * ipe_process_event: Submit @file for verification against IPE's policy + * @file: Supplies an optional pointer to the file being submitted. + * @op: IPE Policy Operation to associate with @file + * + * @file can be NULL and will be submitted for evaluation like a non-NULL + * file. + * + * Return: + * 0 - OK + * -EACCES - @file did not pass verification + * !0 - Error + */ +int ipe_process_event(const struct file *file, enum ipe_operation op) +{ + int rc = 0; + struct ipe_eval_ctx *ctx = NULL; + + ctx = build_ctx(file, op); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + + rc = evaluate(ctx); + + free_ctx(ctx); + return rc; +} diff --git a/security/ipe/eval.h b/security/ipe/eval.h new file mode 100644 index 000000000000..bc3a5da3badc --- /dev/null +++ b/security/ipe/eval.h @@ -0,0 +1,24 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#ifndef IPE_EVAL_H +#define IPE_EVAL_H + +#include + +#include "ctx.h" +#include "hooks.h" +#include "policy.h" + +struct ipe_eval_ctx { + enum ipe_operation op; + + const struct file *file; + struct ipe_context *ci_ctx; +}; + +int ipe_process_event(const struct file *file, enum ipe_operation op); + +#endif /* IPE_EVAL_H */ diff --git a/security/ipe/modules/ipe_module.h b/security/ipe/modules/ipe_module.h index c4e98b548df3..1157c5363048 100644 --- a/security/ipe/modules/ipe_module.h +++ b/security/ipe/modules/ipe_module.h @@ -6,6 +6,7 @@ #define IPE_MODULE_H #include +#include "../eval.h" /** * ipe_module: definition of an extensible module for IPE properties. @@ -23,6 +24,8 @@ struct ipe_module { u16 version; /* required */ int (*parse)(const char *valstr, void **value); /* required */ void (*free)(void **value); /* optional */ + bool (*eval)(const struct ipe_eval_ctx *ctx, /* required */ + const void *val); }; #define IPE_MODULE(parser) \ diff --git a/security/ipe/policy.c b/security/ipe/policy.c index 6381fa7c2ec6..d68f9bf72f72 100644 --- a/security/ipe/policy.c +++ b/security/ipe/policy.c @@ -874,6 +874,32 @@ void ipe_put_policy(struct ipe_policy *p) kfree(p); } +/** + * ipe_get_policy_rcu: Dereference rcu-protected @p and increase the reference + * count. + * @p: rcu-protected pointer to dereference + * + * Not safe to call on IS_ERR. + * + * Return: + * !NULL - reference count of @p was valid, and increased by one. + * NULL - reference count of @p is not valid. + */ +struct ipe_policy *ipe_get_policy_rcu(struct ipe_policy __rcu *p) +{ + struct ipe_policy *rv = NULL; + + rcu_read_lock(); + + rv = rcu_dereference(p); + if (!rv || !refcount_inc_not_zero(&rv->refcount)) + rv = NULL; + + rcu_read_unlock(); + + return rv; +} + static int set_pkcs7_data(void *ctx, const void *data, size_t len, size_t asn1hdrlen) { @@ -912,6 +938,7 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen, return ERR_PTR(-ENOMEM); refcount_set(&new->refcount, 1); + INIT_LIST_HEAD(&new->next); if (!text) { new->pkcs7len = pkcs7len; diff --git a/security/ipe/policy.h b/security/ipe/policy.h index d78788db238c..2b5041c5a75a 100644 --- a/security/ipe/policy.h +++ b/security/ipe/policy.h @@ -87,11 +87,15 @@ struct ipe_policy { struct ipe_parsed_policy *parsed; refcount_t refcount; + + struct list_head next; /* type: ipe_policy */ + struct ipe_context __rcu *ctx; }; struct ipe_policy *ipe_new_policy(const char *text, size_t textlen, const char *pkcs7, size_t pkcs7len); void ipe_put_policy(struct ipe_policy *pol); bool ipe_is_op_alias(int op, const enum ipe_operation **map, size_t *size); +struct ipe_policy *ipe_get_policy_rcu(struct ipe_policy __rcu *p); #endif /* IPE_POLICY_H */ From patchwork Wed Jun 8 19:01:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874546 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 231F5C433EF for ; Wed, 8 Jun 2022 19:01:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234453AbiFHTBt (ORCPT ); Wed, 8 Jun 2022 15:01:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51684 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233969AbiFHTBr (ORCPT ); Wed, 8 Jun 2022 15:01:47 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9F2CE26AEB; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 3903020BE66B; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 3903020BE66B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=1t7ivXQFS30Fj0skR0pPUwmpriienCWFxoezZkp2dME=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MP015LAW56vLW/bylWfAXInyAy/bHILAeFbLA49VIp6DxR74Quhw+uMT8MFbLMvPK F3tR7DcltfTlA4HuRtwAHS40ZjXh0NvFYSfHG78B0b6vEJgYOBz+docl5JRiqQjFTg bcE1II5ibQPPeMZyP9SyyUWnsY7SBWbShIWPuES4= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 04/17] ipe: add userspace interface Date: Wed, 8 Jun 2022 12:01:16 -0700 Message-Id: <1654714889-26728-5-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org As is typical with LSMs, IPE uses securityfs as its interface with userspace. for a complete list of the interfaces and the respective inputs/outputs, please see the documentation under admin-guide/LSM/ipe.rst Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move policy load and activation audit event to 03/12 + Fix a potential panic when a policy failed to load. + use pr_warn for a failure to parse instead of an audit record + Remove comments from headers + Add lockdep assertions to ipe_update_active_policy and ipe_activate_policy + Fix up warnings with checkpatch --strict + Use file_ns_capable for CAP_MAC_ADMIN for securityfs nodes. + Use memdup_user instead of kzalloc+simple_write_to_buffer. + Remove strict_parse command line parameter, as it is added by the sysctl command line. + Prefix extern variables with ipe_ v4: + Remove securityfs to reverse-dependency + Add SHA1 reverse dependency. + Add versioning scheme for IPE properties, and associated interface to query the versioning scheme. + Cause a parser to always return an error on unknown syntax. + Remove strict_parse option + Change active_policy interface from sysctl, to securityfs, and change scheme. v5: + Cause an error if a default action is not defined for each operaiton. + Minor function renames v6: + No changes v7: + Propogating changes to support the new ipe_context structure in the evaluation loop. + Further split the parser and userspace interface changes into separate commits. + "raw" was renamed to "pkcs7" and made read only + "raw"'s write functionality (update a policy) moved to "update" + introduced "version", "policy_name" nodes. + "content" renamed to "policy" + changes to allow the compiled-in policy to be treated identical to deployed-after-the-fact policies. Introduced in v8: + Prevent securityfs initialization if the LSM is disabled --- security/ipe/Makefile | 2 + security/ipe/ctx.c | 121 +++++++++ security/ipe/ctx.h | 6 + security/ipe/fs.c | 173 +++++++++++++ security/ipe/fs.h | 13 + security/ipe/ipe.c | 3 + security/ipe/ipe.h | 2 + security/ipe/policy.c | 41 ++++ security/ipe/policy.h | 4 + security/ipe/policyfs.c | 528 ++++++++++++++++++++++++++++++++++++++++ 10 files changed, 893 insertions(+) create mode 100644 security/ipe/fs.c create mode 100644 security/ipe/fs.h create mode 100644 security/ipe/policyfs.c diff --git a/security/ipe/Makefile b/security/ipe/Makefile index 0db69f13e82a..d5660a17364c 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -10,9 +10,11 @@ ccflags-y := -I$(srctree)/security/ipe/modules obj-$(CONFIG_SECURITY_IPE) += \ ctx.o \ eval.o \ + fs.o \ hooks.o \ ipe.o \ modules.o \ parsers/ \ parsers.o \ policy.o \ + policyfs.o \ diff --git a/security/ipe/ctx.c b/security/ipe/ctx.c index 97305ddc2ff7..177f60f02ed4 100644 --- a/security/ipe/ctx.c +++ b/security/ipe/ctx.c @@ -13,6 +13,29 @@ #include #include +/** + * ver_to_u64: convert an internal ipe_policy_version to a u64 + * @p: Policy to extract the version from + * + * Bits (LSB is index 0): + * [48,32] -> Major + * [32,16] -> Minor + * [16, 0] -> Revision + * + * Return: + * u64 version of the embedded version structure. + */ +static inline u64 ver_to_u64(const struct ipe_policy *const p) +{ + u64 r = 0; + + r = (((u64)p->parsed->version.major) << 32) + | (((u64)p->parsed->version.minor) << 16) + | ((u64)(p->parsed->version.rev)); + + return r; +} + /** * ipe_current_ctx: Helper to retrieve the ipe_context for the current task. * @@ -80,6 +103,7 @@ static void free_ctx_work(struct work_struct *const work) list_for_each_entry(p, &ctx->policies, next) ipe_put_policy(p); + securityfs_remove(ctx->policy_root); kfree(ctx); } @@ -144,6 +168,9 @@ void ipe_remove_policy(struct ipe_policy *p) * ipe_add_policy: Associate @p with @ctx * @ctx: Supplies a pointer to the ipe_context structure to associate @p with. * @p: Supplies a pointer to the ipe_policy structure to associate. + * + * This will increase @p's reference count by one. + * */ void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p) { @@ -152,7 +179,101 @@ void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p) list_add_tail(&p->next, &ctx->policies); refcount_inc(&p->refcount); spin_unlock(&ctx->lock); +} + +/** + * ipe_replace_policy: Replace @old with @new in the list of policies in @ctx + * @ctx: Supplies the context object to manipulate. + * @old: Supplies a pointer to the ipe_policy to replace with @new + * @new: Supplies a pointer to the ipe_policy structure to replace @old with + */ +int ipe_replace_policy(struct ipe_policy *old, struct ipe_policy *new) +{ + int rc = -EINVAL; + struct ipe_context *ctx; + struct ipe_policy *cursor; + struct ipe_policy *p = NULL; + + ctx = ipe_get_ctx_rcu(old->ctx); + if (!ctx) + return -ENOENT; + + spin_lock(&ctx->lock); + list_for_each_entry(cursor, &ctx->policies, next) { + if (!strcmp(old->parsed->name, cursor->parsed->name)) { + if (ipe_is_policy_active(old)) { + if (ver_to_u64(old) > ver_to_u64(new)) + break; + rcu_assign_pointer(ctx->active_policy, new); + } + list_replace_init(&cursor->next, &new->next); + refcount_inc(&new->refcount); + rcu_assign_pointer(new->ctx, old->ctx); + p = cursor; + rc = 0; + break; + } + } + spin_unlock(&ctx->lock); + synchronize_rcu(); + + ipe_put_policy(p); + ipe_put_ctx(ctx); + return rc; +} + +/** + * ipe_set_active_pol: Make @p the active policy. + * @p: Supplies a pointer to the policy to make active. + */ +int ipe_set_active_pol(const struct ipe_policy *p) +{ + int rc = 0; + struct ipe_policy *ap = NULL; + struct ipe_context *ctx = NULL; + + ctx = ipe_get_ctx_rcu(p->ctx); + if (!ctx) { + rc = -ENOENT; + goto out; + } + + ap = ipe_get_policy_rcu(ctx->active_policy); + if (ap && ver_to_u64(ap) > ver_to_u64(p)) { + rc = -EINVAL; + goto out; + } + + spin_lock(&ctx->lock); + rcu_assign_pointer(ctx->active_policy, p); + spin_unlock(&ctx->lock); synchronize_rcu(); + +out: + ipe_put_policy(ap); + ipe_put_ctx(ctx); + return rc; +} + +/** + * ipe_is_policy_active: Determine wehther @p is the active policy + * @p: Supplies a pointer to the policy to check. + * + * Return: + * true - @p is the active policy of @ctx + * false - @p is not the active policy of @ctx + */ +bool ipe_is_policy_active(const struct ipe_policy *p) +{ + bool rv; + struct ipe_context *ctx; + + rcu_read_lock(); + ctx = rcu_dereference(p->ctx); + rv = !IS_ERR_OR_NULL(ctx) && rcu_access_pointer(ctx->active_policy) == p; + rcu_read_unlock(); + + return rv; } /** diff --git a/security/ipe/ctx.h b/security/ipe/ctx.h index a0da92da818c..fe11fb767788 100644 --- a/security/ipe/ctx.h +++ b/security/ipe/ctx.h @@ -7,6 +7,7 @@ #include #include +#include #include #include #include @@ -20,6 +21,8 @@ struct ipe_context { struct list_head policies; /* type: ipe_policy */ + struct dentry *policy_root; + struct work_struct free_work; }; @@ -30,5 +33,8 @@ struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx); void ipe_put_ctx(struct ipe_context *ctx); void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p); void ipe_remove_policy(struct ipe_policy *p); +int ipe_replace_policy(struct ipe_policy *old, struct ipe_policy *new); +int ipe_set_active_pol(const struct ipe_policy *p); +bool ipe_is_policy_active(const struct ipe_policy *p); #endif /* IPE_CONTEXT_H */ diff --git a/security/ipe/fs.c b/security/ipe/fs.c new file mode 100644 index 000000000000..18100cfbd8d5 --- /dev/null +++ b/security/ipe/fs.c @@ -0,0 +1,173 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#include "ipe.h" +#include "fs.h" +#include "policy.h" + +#include +#include + +static struct dentry *np __ro_after_init; +static struct dentry *root __ro_after_init; +static struct dentry *config __ro_after_init; + +/** + * new_policy: Write handler for the securityfs node, "ipe/new_policy" + * @f: Supplies a file structure representing the securityfs node. + * @data: Suppleis a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t new_policy(struct file *f, const char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + char *copy = NULL; + struct ipe_policy *p = NULL; + struct ipe_context *ctx = NULL; + + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) + return -EPERM; + + ctx = ipe_current_ctx(); + + copy = memdup_user_nul(data, len); + if (IS_ERR(copy)) { + rc = PTR_ERR(copy); + goto err; + } + + p = ipe_new_policy(NULL, 0, copy, len); + if (IS_ERR(p)) { + rc = PTR_ERR(p); + goto err; + } + + rc = ipe_new_policyfs_node(ctx, p); + if (rc) + goto err; + + ipe_add_policy(ctx, p); +err: + ipe_put_policy(p); + ipe_put_ctx(ctx); + return (rc < 0) ? rc : len; +} + +/** + * get_config: Read handler for the securityfs node, "ipe/config" + * @f: Supplies a file structure representing the securityfs node. + * @data: Supplies a buffer passed to the read syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t get_config(struct file *f, char __user *data, size_t len, + loff_t *offset) +{ + int rc = 0; + char *buf = NULL; + size_t buflen = 0; + char tmp[30] = { 0 }; + struct ipe_parser *p = NULL; + struct ipe_module *m = NULL; + + for (p = __start_ipe_parsers; p < __end_ipe_parsers; ++p) + buflen += snprintf(NULL, 0, "%s=%d\n", p->first_token, p->version); + for (m = __start_ipe_modules; m < __end_ipe_modules; ++m) + buflen += snprintf(NULL, 0, "%s=%d\n", m->name, m->version); + + ++buflen; + buf = kzalloc(buflen, GFP_KERNEL); + if (!buf) { + rc = -ENOMEM; + goto out; + } + + for (p = __start_ipe_parsers; p < __end_ipe_parsers; ++p) { + memset(tmp, 0x0, ARRAY_SIZE(tmp)); + scnprintf(tmp, ARRAY_SIZE(tmp), "%s=%d\n", p->first_token, p->version); + strcat(buf, tmp); + } + + for (m = __start_ipe_modules; m < __end_ipe_modules; ++m) { + memset(tmp, 0x0, ARRAY_SIZE(tmp)); + scnprintf(tmp, ARRAY_SIZE(tmp), "%s=%d\n", m->name, m->version); + strcat(buf, tmp); + } + + rc = simple_read_from_buffer(data, len, offset, buf, buflen); +out: + kfree(buf); + return rc; +} + +static const struct file_operations cfg_fops = { + .read = get_config, +}; + +static const struct file_operations np_fops = { + .write = new_policy, +}; + +/** + * ipe_init_securityfs: Initialize IPE's securityfs tree at fsinit + * + * Return: + * !0 - Error + * 0 - OK + */ +static int __init ipe_init_securityfs(void) +{ + int rc = 0; + struct ipe_context *ctx = NULL; + + if (!ipe_enabled) + return -EOPNOTSUPP; + + ctx = ipe_current_ctx(); + + root = securityfs_create_dir("ipe", NULL); + if (IS_ERR(root)) { + rc = PTR_ERR(root); + goto err; + } + + np = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops); + if (IS_ERR(np)) { + rc = PTR_ERR(np); + goto err; + } + + config = securityfs_create_file("config", 0400, root, NULL, + &cfg_fops); + if (IS_ERR(config)) { + rc = PTR_ERR(config); + goto err; + } + + ctx->policy_root = securityfs_create_dir("policies", root); + if (IS_ERR(ctx->policy_root)) { + rc = PTR_ERR(ctx->policy_root); + goto err; + } + + return 0; +err: + securityfs_remove(np); + securityfs_remove(root); + securityfs_remove(config); + securityfs_remove(ctx->policy_root); + return rc; +} + +fs_initcall(ipe_init_securityfs); diff --git a/security/ipe/fs.h b/security/ipe/fs.h new file mode 100644 index 000000000000..4ab2f4e8c454 --- /dev/null +++ b/security/ipe/fs.h @@ -0,0 +1,13 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#ifndef IPE_FS_H +#define IPE_FS_H + +void ipe_soft_del_policyfs(struct ipe_policy *p); +int ipe_new_policyfs_node(struct ipe_context *ctx, struct ipe_policy *p); +void ipe_del_policyfs_node(struct ipe_policy *p); + +#endif /* IPE_FS_H */ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index 3f387f4ab38a..edeb354765dd 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -18,6 +18,8 @@ #include #include +bool ipe_enabled; + static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = { .lbs_task = sizeof(struct ipe_context __rcu *), }; @@ -123,6 +125,7 @@ static int __init ipe_init(void) return rc; security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "ipe"); + ipe_enabled = true; return rc; } diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h index 417b474e0543..de0629bd7061 100644 --- a/security/ipe/ipe.h +++ b/security/ipe/ipe.h @@ -16,6 +16,8 @@ #include #include +extern bool ipe_enabled; + extern struct ipe_parser __start_ipe_parsers[], __end_ipe_parsers[]; extern struct ipe_module __start_ipe_modules[], __end_ipe_modules[]; diff --git a/security/ipe/policy.c b/security/ipe/policy.c index d68f9bf72f72..d4bd06e4a19b 100644 --- a/security/ipe/policy.c +++ b/security/ipe/policy.c @@ -4,6 +4,7 @@ */ #include "ipe.h" +#include "fs.h" #include "policy.h" #include "ipe_parser.h" #include "modules.h" @@ -867,6 +868,8 @@ void ipe_put_policy(struct ipe_policy *p) if (IS_ERR_OR_NULL(p) || !refcount_dec_and_test(&p->refcount)) return; + ipe_del_policyfs_node(p); + securityfs_remove(p->policyfs); free_parsed_policy(p->parsed); if (!p->pkcs7) kfree(p->text); @@ -911,6 +914,44 @@ static int set_pkcs7_data(void *ctx, const void *data, size_t len, return 0; } +/** + * ipe_update_policy: parse a new policy and replace @old with it. + * @old: Supplies a pointer to the policy to replace + * @text: Supplies a pointer to the plain text policy + * @textlen: Supplies the length of @text + * @pkcs7: Supplies a pointer to a buffer containing a pkcs7 message. + * @pkcs7len: Supplies the length of @pkcs7len + * + * @text/@textlen is mutually exclusive with @pkcs7/@pkcs7len - see + * ipe_new_policy. + * + * Return: + * !IS_ERR - OK + */ +struct ipe_policy *ipe_update_policy(struct ipe_policy *old, + const char *text, size_t textlen, + const char *pkcs7, size_t pkcs7len) +{ + int rc = 0; + struct ipe_policy *new; + + new = ipe_new_policy(text, textlen, pkcs7, pkcs7len); + if (IS_ERR(new)) { + rc = PTR_ERR(new); + goto err; + } + + if (strcmp(new->parsed->name, old->parsed->name)) { + rc = -EINVAL; + goto err; + } + + rc = ipe_replace_policy(old, new); +err: + ipe_put_policy(new); + return (rc < 0) ? ERR_PTR(rc) : new; +} + /** * ipe_new_policy: allocate and parse an ipe_policy structure. * diff --git a/security/ipe/policy.h b/security/ipe/policy.h index 2b5041c5a75a..6818f6405dd0 100644 --- a/security/ipe/policy.h +++ b/security/ipe/policy.h @@ -88,12 +88,16 @@ struct ipe_policy { refcount_t refcount; + struct dentry *policyfs; struct list_head next; /* type: ipe_policy */ struct ipe_context __rcu *ctx; }; struct ipe_policy *ipe_new_policy(const char *text, size_t textlen, const char *pkcs7, size_t pkcs7len); +struct ipe_policy *ipe_update_policy(struct ipe_policy *old, const char *text, + size_t textlen, const char *pkcs7, + size_t pkcs7len); void ipe_put_policy(struct ipe_policy *pol); bool ipe_is_op_alias(int op, const enum ipe_operation **map, size_t *size); struct ipe_policy *ipe_get_policy_rcu(struct ipe_policy __rcu *p); diff --git a/security/ipe/policyfs.c b/security/ipe/policyfs.c new file mode 100644 index 000000000000..d34c22e99225 --- /dev/null +++ b/security/ipe/policyfs.c @@ -0,0 +1,528 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#include "ipe.h" +#include "policy.h" +#include "fs.h" + +#include +#include +#include +#include +#include + +#define MAX_VERSION_SIZE ARRAY_SIZE("65535.65535.65535") + +/** + * find_policy: Follow the i_private field of a dentry, returning the address + * of the resulting policy structure. + * @f: Securityfs object that contains a link to the dentry containing the + * policy structure. + * + * Return: + * Always-Valid Address Pointer + */ +static inline struct ipe_policy __rcu **find_policy(struct file *f) +{ + struct dentry *link; + + link = d_inode(f->f_path.dentry)->i_private; + + return (struct ipe_policy __rcu **)&(d_inode(link)->i_private); +} + +/** + * ipefs_file: defines a file in securityfs + */ +struct ipefs_file { + const char *name; + umode_t access; + const struct file_operations *fops; +}; + +/** + * read_pkcs7: Read handler for the securityfs node, + * "ipe/policies/$name/pkcs7" + * @f: Supplies a file structure representing the securityfs node. + * @data: Suppleis a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * @data will be populated with the pkcs7 blob representing the policy + * on success. If the policy is unsigned (like the boot policy), this + * will return -ENOENT. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t read_pkcs7(struct file *f, char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + struct ipe_policy *p = NULL; + + p = ipe_get_policy_rcu(*find_policy(f)); + if (!p) + return -ENOENT; + + if (!p->pkcs7) { + rc = -ENOENT; + goto out; + } + + rc = simple_read_from_buffer(data, len, offset, p->pkcs7, p->pkcs7len); + +out: + ipe_put_policy(p); + return rc; +} + +/** + * read_policy: Read handler for the securityfs node, + * "ipe/policies/$name/policy" + * @f: Supplies a file structure representing the securityfs node. + * @data: Suppleis a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * @data will be populated with the plain-text version of the policy + * on success. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t read_policy(struct file *f, char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + struct ipe_policy *p = NULL; + + p = ipe_get_policy_rcu(*find_policy(f)); + if (!p) + return -ENOENT; + + rc = simple_read_from_buffer(data, len, offset, p->text, p->textlen); + + ipe_put_policy(p); + return rc; +} + +/** + * read_name: Read handler for the securityfs node, + * "ipe/policies/$name/name" + * @f: Supplies a file structure representing the securityfs node. + * @data: Suppleis a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * @data will be populated with the policy_name attribute on success + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t read_name(struct file *f, char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + struct ipe_policy *p = NULL; + + p = ipe_get_policy_rcu(*find_policy(f)); + if (!p) + return -ENOENT; + + rc = simple_read_from_buffer(data, len, offset, p->parsed->name, + strlen(p->parsed->name)); + + ipe_put_policy(p); + return rc; +} + +/** + * read_version: Read handler for the securityfs node, + * "ipe/policies/$name/version" + * @f: Supplies a file structure representing the securityfs node. + * @data: Suppleis a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * @data will be populated with the version string on success. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t read_version(struct file *f, char __user *data, + size_t len, loff_t *offset) +{ + ssize_t rc = 0; + size_t bufsize = 0; + struct ipe_policy *p = NULL; + char buffer[MAX_VERSION_SIZE] = { 0 }; + + p = ipe_get_policy_rcu(*find_policy(f)); + if (!p) + return -ENOENT; + + bufsize = scnprintf(buffer, ARRAY_SIZE(buffer), "%hu.%hu.%hu", + p->parsed->version.major, p->parsed->version.minor, + p->parsed->version.rev); + + rc = simple_read_from_buffer(data, len, offset, buffer, bufsize); + + ipe_put_policy(p); + return rc; +} + +/** + * setactive: Write handler for the securityfs node, + * "ipe/policies/$name/active" + * @f: Supplies a file structure representing the securityfs node. + * @data: Supplies a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t setactive(struct file *f, const char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + bool value = false; + struct ipe_policy *p = NULL; + struct ipe_context *ctx = NULL; + + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) + return -EPERM; + + rc = kstrtobool_from_user(data, len, &value); + if (rc) + goto out; + + if (!value) { + rc = -EINVAL; + goto out; + } + + p = ipe_get_policy_rcu(*find_policy(f)); + if (!p) { + rc = -ENOENT; + goto out; + } + + ctx = ipe_get_ctx_rcu(p->ctx); + if (!ctx) { + rc = -ENOENT; + goto out; + } + + rc = ipe_set_active_pol(p); + +out: + ipe_put_ctx(ctx); + ipe_put_policy(p); + return (rc < 0) ? rc : len; +} + +/** + * getactive: Read handler for the securityfs node, + * "ipe/policies/$name/active" + * @f: Supplies a file structure representing the securityfs node. + * @data: Suppleis a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * @data will be populated with the 1 or 0 depending on if the + * corresponding policy is active. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t getactive(struct file *f, char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + const char *str; + struct ipe_policy *p = NULL; + + p = ipe_get_policy_rcu(*find_policy(f)); + if (!p) { + rc = -ENOENT; + goto out; + } + + str = ipe_is_policy_active(p) ? "1" : "0"; + rc = simple_read_from_buffer(data, len, offset, str, 2); + +out: + ipe_put_policy(p); + return rc; +} + +/** + * update_policy: Write handler for the securityfs node, + * "ipe/policies/$name/active" + * @f: Supplies a file structure representing the securityfs node. + * @data: Supplies a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * On success this updates the policy represented by $name, + * in-place. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t update_policy(struct file *f, const char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + char *copy = NULL; + struct ipe_policy *new = NULL; + struct ipe_policy *old = NULL; + struct ipe_context *ctx = NULL; + struct ipe_policy __rcu **addr = NULL; + + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) + return -EPERM; + + ctx = ipe_current_ctx(); + if (!ctx) + return -ENOENT; + + addr = find_policy(f); + old = ipe_get_policy_rcu(*addr); + if (!old) { + rc = -ENOENT; + goto err; + } + + copy = memdup_user(data, len); + if (IS_ERR(copy)) { + rc = PTR_ERR(copy); + goto err; + } + + new = ipe_update_policy(old, NULL, 0, copy, len); + if (IS_ERR(new)) { + rc = PTR_ERR(new); + goto err; + } + + spin_lock(&ctx->lock); + rcu_assign_pointer(*addr, new); + spin_unlock(&ctx->lock); + synchronize_rcu(); + + swap(new->policyfs, old->policyfs); + + kfree(copy); + ipe_put_ctx(ctx); + ipe_put_policy(old); + return len; +err: + kfree(copy); + ipe_put_ctx(ctx); + ipe_put_policy(new); + ipe_put_policy(old); + return rc; +} + +/** + * delete_policy: write handler for securityfs dir, "ipe/policies/$name/delete" + * @f: Supplies a file structure representing the securityfs node. + * @data: Supplies a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * On success this deletes the policy represented by $name. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t delete_policy(struct file *f, const char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + bool value = false; + struct ipe_policy *p = NULL; + struct ipe_context *ctx = NULL; + + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) + return -EPERM; + + rc = kstrtobool_from_user(data, len, &value); + if (rc) + goto out; + + if (!value) { + rc = -EINVAL; + goto out; + } + + p = ipe_get_policy_rcu(*find_policy(f)); + if (!p) { + rc = -ENOENT; + goto out; + } + + if (ipe_is_policy_active(p)) { + rc = -EPERM; + goto out; + } + + ctx = ipe_get_ctx_rcu(p->ctx); + if (!ctx) { + rc = -ENOENT; + goto out; + } + + ipe_remove_policy(p); +out: + ipe_put_ctx(ctx); + ipe_put_policy(p); + return (rc < 0) ? rc : len; +} + +static const struct file_operations content_fops = { + .read = read_policy, +}; + +static const struct file_operations pkcs7_fops = { + .read = read_pkcs7, +}; + +static const struct file_operations name_fops = { + .read = read_name, +}; + +static const struct file_operations ver_fops = { + .read = read_version, +}; + +static const struct file_operations active_fops = { + .write = setactive, + .read = getactive, +}; + +static const struct file_operations update_fops = { + .write = update_policy, +}; + +static const struct file_operations delete_fops = { + .write = delete_policy, +}; + +/** + * policy_subdir: files under a policy subdirectory + */ +static const struct ipefs_file policy_subdir[] = { + { "pkcs7", 0444, &pkcs7_fops }, + { "policy", 0444, &content_fops }, + { "name", 0444, &name_fops }, + { "version", 0444, &ver_fops }, + { "active", 0600, &active_fops }, + { "update", 0200, &update_fops }, + { "delete", 0200, &delete_fops }, +}; + +/** + * soft_del_policyfs - soft delete the policyfs tree, preventing new + * accesses to the interfaces for this policy. + * @p - Policy to soft delete the tree for. + */ +static void soft_del_policyfs(struct ipe_policy *p) +{ + struct inode *ino = NULL; + struct ipe_policy __rcu **addr = NULL; + + ino = d_inode(p->policyfs); + addr = (struct ipe_policy __rcu **)&ino->i_private; + + inode_lock(ino); + rcu_assign_pointer(*addr, NULL); + inode_unlock(ino); + synchronize_rcu(); +} + +/** + * ipe_del_policyfs_node: Delete a securityfs entry for @p + * @p: Supplies a pointer to the policy to delete a securityfs entry for. + */ +void ipe_del_policyfs_node(struct ipe_policy *p) +{ + size_t i = 0; + struct dentry *d = NULL; + const struct ipefs_file *f = NULL; + + if (IS_ERR_OR_NULL(p->policyfs)) + return; + + soft_del_policyfs(p); + + for (i = 0; i < ARRAY_SIZE(policy_subdir); ++i) { + f = &policy_subdir[i]; + + d = lookup_positive_unlocked(f->name, p->policyfs, + strlen(f->name)); + if (IS_ERR(d)) + continue; + + securityfs_remove(d); + dput(d); + } + + securityfs_remove(p->policyfs); +} + +/** + * ipe_new_policyfs_node: Create a securityfs entry for @p + * @ctx: Supplies a pointer to a context structure that contains the root of + * the policy tree. + * @p: Supplies a pointer to the policy to create a securityfs entry for. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_new_policyfs_node(struct ipe_context *ctx, struct ipe_policy *p) +{ + int rc = 0; + size_t i = 0; + struct dentry *d = NULL; + struct ipe_policy **addr = NULL; + const struct ipefs_file *f = NULL; + + p->policyfs = securityfs_create_dir(p->parsed->name, ctx->policy_root); + if (IS_ERR(p->policyfs)) { + rc = PTR_ERR(p->policyfs); + goto err; + } + + addr = (struct ipe_policy **)&(d_inode(p->policyfs)->i_private); + *addr = p; + + for (i = 0; i < ARRAY_SIZE(policy_subdir); ++i) { + f = &policy_subdir[i]; + + d = securityfs_create_file(f->name, f->access, p->policyfs, p->policyfs, + f->fops); + if (IS_ERR(d)) { + rc = PTR_ERR(d); + goto err; + } + } + + return 0; +err: + ipe_del_policyfs_node(p); + return rc; +} From patchwork Wed Jun 8 19:01:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874558 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F5F5CCA480 for ; Wed, 8 Jun 2022 19:02:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234837AbiFHTCN (ORCPT ); Wed, 8 Jun 2022 15:02:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51586 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231754AbiFHTBr (ORCPT ); Wed, 8 Jun 2022 15:01:47 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C4B2F27CC8; Wed, 8 Jun 2022 12:01:45 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 529E620BE66D; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 529E620BE66D DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=ZUxZBYZW8RxJhh/xTeek6eUhn4hppVGKZXv/5L5vDbA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aaLdnhKU6eF3snvyXOSVrtylEb30HqI7ylgMQ9DyIROC5NmuhnhfOvtz/91IPRVjn LWaaS+PtMUJMKRMiJPDo5jJUj6WpA5QN7SWK4gTnlchDPoyVV9zeO1cSn/E6HON/a6 c5BUVMVVNFSZsXLkA84l4fzTwZTuihCVnN3AyCps= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 05/17] ipe: add LSM hooks on execution and kernel read Date: Wed, 8 Jun 2022 12:01:17 -0700 Message-Id: <1654714889-26728-6-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org IPE's initial goal is to control both execution and the loading of kernel modules based on the system's definition of trust. It accomplishes this by plugging into the security hooks for bprm_check_security, file_mprotect, mmap_file, kernel_load_data, and kernel_read_data. Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move ipe_load_properties to patch 04. + Remove useless 0-initializations + Prefix extern variables with ipe_ + Remove kernel module parameters, as these are exposed through sysctls. + Add more prose to the IPE base config option help text. + Use GFP_KERNEL for audit_log_start. + Remove unnecessary caching system. + Remove comments from headers + Use rcu_access_pointer for rcu-pointer null check + Remove usage of reqprot; use prot only. + Move policy load and activation audit event to 03/12 v4: + Remove sysctls in favor of securityfs nodes + Re-add kernel module parameters, as these are now exposed through securityfs. + Refactor property audit loop to a separate function. v5: + fix minor grammatical errors + do not group rule by curly-brace in audit record, reconstruct the exact rule. v6: + No changes v7: + Further split lsm creation, the audit system, the evaluation loop and access control hooks into separate commits. v8: + Rename hook functions to follow the lsmname_hook_name convention + Remove ipe_hook enumeration, can be derived from correlation with syscall audit record. --- security/ipe/hooks.c | 150 ++++++++++++++++++++++++++++++++++++++++++ security/ipe/hooks.h | 16 +++++ security/ipe/ipe.c | 5 ++ security/ipe/policy.c | 23 +++++++ security/ipe/policy.h | 12 +++- 5 files changed, 204 insertions(+), 2 deletions(-) diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c index dd9606962fa5..d20de25bbd40 100644 --- a/security/ipe/hooks.c +++ b/security/ipe/hooks.c @@ -6,11 +6,15 @@ #include "ipe.h" #include "ctx.h" #include "hooks.h" +#include "eval.h" +#include #include #include #include #include +#include +#include /** * ipe_task_alloc: Assign a new context for an associated task structure. @@ -52,3 +56,149 @@ void ipe_task_free(struct task_struct *task) ipe_put_ctx(ctx); rcu_read_unlock(); } + +/** + * ipe_bprm_check_security: LSM hook called when a process is loaded through the exec + * family of system calls. + * @bprm: Supplies a pointer to a linux_binprm structure to source the file + * being evaluated. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_bprm_check_security(struct linux_binprm *bprm) +{ + return ipe_process_event(bprm->file, ipe_operation_exec); +} + +/** + * ipe_mmap_file: LSM hook called when a file is loaded through the mmap + * family of system calls. + * @f: File being mmap'd. Can be NULL in the case of anonymous memory. + * @reqprot: The requested protection on the mmap, passed from usermode. + * @prot: The effective protection on the mmap, resolved from reqprot and + * system configuration. + * @flags: Unused. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot, + unsigned long flags) +{ + if (prot & PROT_EXEC || reqprot & PROT_EXEC) + return ipe_process_event(f, ipe_operation_exec); + + return 0; +} + +/** + * ipe_file_mprotect: LSM hook called when a mmap'd region of memory is changing + * its protections via mprotect. + * @vma: Existing virtual memory area created by mmap or similar + * @reqprot: The requested protection on the mmap, passed from usermode. + * @prot: The effective protection on the mmap, resolved from reqprot and + * system configuration. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, + unsigned long prot) +{ + /* Already Executable */ + if (vma->vm_flags & VM_EXEC) + return 0; + + if (prot & PROT_EXEC) + return ipe_process_event(vma->vm_file, ipe_operation_exec); + + return 0; +} + +/** + * ipe_kernel_read_file: LSM hook called when a file is being read in from + * disk. + * @file: Supplies a pointer to the file structure being read in from disk + * @id: Supplies the enumeration identifying the purpose of the read. + * @contents: Unused. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, + bool contents) +{ + enum ipe_operation op; + + switch (id) { + case READING_FIRMWARE: + op = ipe_operation_firmware; + break; + case READING_MODULE: + op = ipe_operation_kernel_module; + break; + case READING_KEXEC_INITRAMFS: + op = ipe_operation_kexec_initramfs; + break; + case READING_KEXEC_IMAGE: + op = ipe_operation_kexec_image; + break; + case READING_POLICY: + op = ipe_operation_ima_policy; + break; + case READING_X509_CERTIFICATE: + op = ipe_operation_ima_x509; + break; + default: + op = ipe_operation_max; + } + + WARN(op == ipe_operation_max, "no rule setup for enum %d", id); + return ipe_process_event(file, op); +} + +/** + * ipe_kernel_load_data: LSM hook called when a buffer is being read in from + * disk. + * @id: Supplies the enumeration identifying the purpose of the read. + * @contents: Unused. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents) +{ + enum ipe_operation op; + + switch (id) { + case LOADING_FIRMWARE: + op = ipe_operation_firmware; + break; + case LOADING_MODULE: + op = ipe_operation_kernel_module; + break; + case LOADING_KEXEC_INITRAMFS: + op = ipe_operation_kexec_initramfs; + break; + case LOADING_KEXEC_IMAGE: + op = ipe_operation_kexec_image; + break; + case LOADING_POLICY: + op = ipe_operation_ima_policy; + break; + case LOADING_X509_CERTIFICATE: + op = ipe_operation_ima_x509; + break; + default: + op = ipe_operation_max; + } + + WARN(op == ipe_operation_max, "no rule setup for enum %d", id); + return ipe_process_event(NULL, op); +} diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h index e0ae3c7dfb5b..fa9e0657bd64 100644 --- a/security/ipe/hooks.h +++ b/security/ipe/hooks.h @@ -5,12 +5,28 @@ #ifndef IPE_HOOKS_H #define IPE_HOOKS_H +#include #include #include +#include +#include int ipe_task_alloc(struct task_struct *task, unsigned long clone_flags); void ipe_task_free(struct task_struct *task); +int ipe_bprm_check_security(struct linux_binprm *bprm); + +int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot, + unsigned long flags); + +int ipe_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, + unsigned long prot); + +int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, + bool contents); + +int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents); + #endif /* IPE_HOOKS_H */ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index edeb354765dd..fca7019ca53c 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -27,6 +27,11 @@ static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = { static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_alloc, ipe_task_alloc), LSM_HOOK_INIT(task_free, ipe_task_free), + LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security), + LSM_HOOK_INIT(mmap_file, ipe_mmap_file), + LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect), + LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file), + LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data), }; /** diff --git a/security/ipe/policy.c b/security/ipe/policy.c index d4bd06e4a19b..8309f9270000 100644 --- a/security/ipe/policy.c +++ b/security/ipe/policy.c @@ -483,6 +483,14 @@ int ipe_parse_op(const struct ipe_policy_token *tok, { substring_t match[MAX_OPT_ARGS] = { 0 }; const match_table_t ops = { + { ipe_operation_exec, "EXECUTE" }, + { ipe_operation_firmware, "FIRMWARE" }, + { ipe_operation_kernel_module, "KMODULE" }, + { ipe_operation_kexec_image, "KEXEC_IMAGE" }, + { ipe_operation_kexec_initramfs, "KEXEC_INITRAMFS"}, + { ipe_operation_ima_policy, "IMA_POLICY" }, + { ipe_operation_ima_x509, "IMA_X509_CERT" }, + { ipe_op_alias_kernel_read, "KERNEL_READ" }, { ipe_op_alias_max, NULL }, }; @@ -838,6 +846,15 @@ static int parse_policy(struct ipe_policy *p) return rc; } +static const enum ipe_operation alias_kread[] = { + ipe_operation_firmware, + ipe_operation_kernel_module, + ipe_operation_ima_policy, + ipe_operation_ima_x509, + ipe_operation_kexec_image, + ipe_operation_kexec_initramfs, +}; + /** * ipe_is_op_alias: Determine if @op is an alias for one or more operations * @op: Supplies the operation to check. Should be either ipe_operation or @@ -852,9 +869,15 @@ static int parse_policy(struct ipe_policy *p) bool ipe_is_op_alias(int op, const enum ipe_operation **map, size_t *size) { switch (op) { + case ipe_op_alias_kernel_read: + *map = alias_kread; + *size = ARRAY_SIZE(alias_kread); + break; default: return false; } + + return true; } /** diff --git a/security/ipe/policy.h b/security/ipe/policy.h index 6818f6405dd0..ca37af46e5af 100644 --- a/security/ipe/policy.h +++ b/security/ipe/policy.h @@ -26,7 +26,14 @@ struct ipe_policy_line { struct ipe_module; enum ipe_operation { - ipe_operation_max = 0, + ipe_operation_exec = 0, + ipe_operation_firmware, + ipe_operation_kernel_module, + ipe_operation_kexec_image, + ipe_operation_kexec_initramfs, + ipe_operation_ima_policy, + ipe_operation_ima_x509, + ipe_operation_max }; /* @@ -34,7 +41,8 @@ enum ipe_operation { * that are just one or more operations under the hood */ enum ipe_op_alias { - ipe_op_alias_max = ipe_operation_max, + ipe_op_alias_kernel_read = ipe_operation_max, + ipe_op_alias_max, }; enum ipe_action { From patchwork Wed Jun 8 19:01:18 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874543 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C927CCA47B for ; Wed, 8 Jun 2022 19:01:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234270AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51588 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231942AbiFHTBr (ORCPT ); Wed, 8 Jun 2022 15:01:47 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C50E328E32; Wed, 8 Jun 2022 12:01:45 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 6C2EB20BE66F; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 6C2EB20BE66F DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=euocF9AshgwQ/HeYq7HRbOZg4Tix9Q9xWo3qeMMR15k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IHdxECteh9neNFSBOclwX21THPS3ic9bHRX+Ye+TCJMt7oOmkpb1d7ruCO4BkQsk6 IdaBTt5YNhaP61aEbp8MHywRIwm34JRjmW+3f0ervXfsfpXstn/ihu8Y9Jff2lNDf2 UND/dV8qiyo/UzBqmo5QKgaSCeQoGh0TJKjWZUOU= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 06/17] uapi|audit: add ipe audit message definitions Date: Wed, 8 Jun 2022 12:01:18 -0700 Message-Id: <1654714889-26728-7-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Introduce new definitions to audit.h centered around trust decisions and policy loading and activation, as an extension of the mandatory access control fields. Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move ipe_load_properties to patch 04. + Remove useless 0-initializations + Prefix extern variables with ipe_ + Remove kernel module parameters, as these are exposed through sysctls. + Add more prose to the IPE base config option help text. + Use GFP_KERNEL for audit_log_start. + Remove unnecessary caching system. + Remove comments from headers + Use rcu_access_pointer for rcu-pointer null check + Remove usage of reqprot; use prot only. + Move policy load and activation audit event to 03/12 v4: + Remove sysctls in favor of securityfs nodes + Re-add kernel module parameters, as these are now exposed through securityfs. + Refactor property audit loop to a separate function. v5: + fix minor grammatical errors + do not group rule by curly-brace in audit record, reconstruct the exact rule. v6: + No changes v7: + Further split audit system patch into two separate patches; one for include/uapi, and the usage of the new defines. + Change audit records to MAC region (14XX) from Integrity region (18XX), as IPE is an effectively a MAC system around authenticity versus an extension to the integrity subsystem. + Generalize the #defines to support the class of trust-based access-control LSMs. v8: + Change audit type: + AUDIT_TRUST_RESULT -> AUDIT_IPE_ACCESS + Remove audit types (replaced by existing types): + AUDIT_TRUST_POLICY_LOAD + AUDIT_TRUST_POLICY_ACTIVATE + AUDIT_TRUST_STATUS --- include/uapi/linux/audit.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 7c1dc818b1d5..78b9a04d5b41 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -143,6 +143,7 @@ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ +#define AUDIT_IPE_ACCESS 1420 /* IPE Denial or Grant */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 From patchwork Wed Jun 8 19:01:19 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874545 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D9349CCA48F for ; Wed, 8 Jun 2022 19:01:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234526AbiFHTBu (ORCPT ); Wed, 8 Jun 2022 15:01:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51736 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234083AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1610735242; Wed, 8 Jun 2022 12:01:46 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 860D220BE670; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 860D220BE670 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=097dEATcWhLqRc/23Y/0yKACK1hWd9dewZKfKYQTbIo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R6FdjkgOU1LC1lDib0oDwbnNYP8XgpDgI51UsngPDnC2EdZt8MMt8KjJPLxWptdkz 9NX5lqmBhBa6KASF6O6O6P3/ejubKLjyGeBeA9IE0lZ6N+RWHDOV/0SAM/MeMwuUYd gUEWBmHZE6FHRqxX7qVKyGhan5vNjY/ewjTJQciE= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 07/17] ipe: add auditing support Date: Wed, 8 Jun 2022 12:01:19 -0700 Message-Id: <1654714889-26728-8-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Users of IPE require a way to identify when and why an operation fails, allowing them to both respond to violations of policy and be notified of potentially malicious actions on their systens with respect to IPE itself. The new 1420 audit, AUDIT_IPE_ACCESS indicates the result of a policy evaulation of a resource. The other two events, AUDIT_MAC_POLICY_LOAD, and AUDIT_MAC_CONFIG_CHANGE represent a new policy was loaded into the kernel and the currently active policy changed, respectively. This patch also adds support for success auditing, allowing users to identify how a resource passed policy. It is recommended to use this option with caution, as it is quite noisy. Signed-off-by: Deven Bowers --- This patch adds the following audit records: type=1420 audit(1653364735.161:64): rule="DEFAULT op=EXECUTE action=DENY" type=1420 audit(1653364370.067:61): path="/root/fs/rw/plain/execve" dev="vdc1" ino=16 rule="DEFAULT op=EXECUTE action=DENY" type=1405 audit(1653425583.136:54): policy_name="dmverity_roothash" policy_version=0.0.0 sha256=A9C5803309F80D2B84D7C047534BE8B60EF121C8E1F351F2A8EFFA617B7F0686 type=1403 audit(1653425529.927:53): policy_name="dmverity_roothash" policy_version=0.0.0 sha256=A9C5803309F80D2B84D7C047534BE8B60EF121C8E1F351F2A8EFFA617B7F0686 This results in the following events (the audit records are always prior to a SYSCALL record): type=1420 audit(1653364735.161:64): rule="DEFAULT op=EXECUTE action=DENY" type=1300 audit(1653364735.161:64): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=4 a3=20 items=0 ppid=455 pid=774 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="mmap" exe="/root/host/mmap" subj=kernel key=(null) audit: type=1327 audit(1653364735.161:64): proctitle=686F73742F6D6D617000410058 type=1420 audit(1653364370.067:61): path="/root/fs/rw/plain/execve" dev="vdc1" ino=16 rule="DEFAULT op=EXECUTE action=DENY" type=1300 audit(1653364370.067:61): arch=c000003e syscall=10 success=no exit=-13 a0=7f0bf0644000 a1=4f80 a2=5 a3=7f0bf043d300 items=0 ppid=455 pid=737 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="mprotect" exe="/root/host/mprotect" subj=kernel key=(null) type=1327 audit(1653364370.067:61): proctitle=686F73742F6D70726F7465637400534800527C5700527C5800706C61696E2F657865637665 type=1403 audit(1653425529.927:53): policy_name="dmverity_roothash" policy_version=0.0.0 sha256=A9C5803309F80D2B84D7C047534BE8B60EF121C8E1F351F2A8EFFA617B7F0686 type=1300 audit(1653425529.927:53): arch=c000003e syscall=1 success=yes exit=6215 a0=1 a1=7f07adfe4000 a2=1847 a3=22 items=0 ppid=441 pid=445 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=) type=1327 audit(1653425529.927:53): proctitle=63617400706F6C69636965732F646D7665726974795F726F6F74686173682E706F6C2E703762 type=1405 audit(1653425583.136:54): policy_name="dmverity_roothash" policy_version=0.0.0 sha256=A9C5803309F80D2B84D7C047534BE8B60EF121C8E1F351F2A8EFFA617B7F0686 type=1300 audit(1653425583.136:54): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=7fe683990020 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 e) type=1327 audit(1653425583.136:54): proctitle="-bash" --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move ipe_load_properties to patch 04. + Remove useless 0-initializations + Prefix extern variables with ipe_ + Remove kernel module parameters, as these are exposed through sysctls. + Add more prose to the IPE base config option help text. + Use GFP_KERNEL for audit_log_start. + Remove unnecessary caching system. + Remove comments from headers + Use rcu_access_pointer for rcu-pointer null check + Remove usage of reqprot; use prot only. + Move policy load and activation audit event to 03/12 v4: + Remove sysctls in favor of securityfs nodes + Re-add kernel module parameters, as these are now exposed through securityfs. + Refactor property audit loop to a separate function. v5: + fix minor grammatical errors + do not group rule by curly-brace in audit record, reconstruct the exact rule. v6: + No changes v7: + Further split lsm creation, the audit system, the evaluation loop, and access control hooks into separate patches. + Further split audit system patch into two separate patches; one for include/uapi, and the usage of the new defines. + Split out the permissive functionality into another separate patch, for easier review. + Correct misuse of audit_log_n_untrusted string to audit_log_format + Use get_task_comm instead of comm directly. + Quote certain audit values + Remove unnecessary help text on choice options - these were previously idented at the wrong level + Correct a stale string constant (ctx_ns_enforce to ctx_enforce) v8: + Change dependency for CONFIG_AUDIT to CONFIG_AUDITSYSCALL + Drop ctx_* prefix + Reuse, where appropriate, the audit fields from the field dictionary. This transforms: ctx_pathname -> path ctx_ino -> ino ctx_dev -> dev + Add audit records and event examples to commit description. + Remove new_audit_ctx, replace with audit_log_start. All data that would provided by new_audit_ctx is already present in the syscall audit record, that is always emitted on these actions. The audit records should be correlated as such. + Change audit types: + AUDIT_TRUST_RESULT -> AUDIT_IPE_ACCESS + This prevents overloading of the AVC type. + AUDIT_TRUST_POLICY_ACTIVATE -> AUDIT_MAC_CONFIG_CHANGE + AUDIT_TRUST_POLICY_LOAD -> AUDIT_MAC_POLICY_LOAD + There were no significant difference in meaning between these types. + Remove enforcing parameter passed from the context structure for AUDIT_IPE_ACCESS. + This field can be inferred from the SYSCALL audit event, based on the success field. + Remove all fields already captured in the syscall record. "hook", an IPE specific field, can be determined via the syscall field in the syscall record itself, so it has been removed. + ino, path, and dev in IPE's record refer to the subject of the syscall, while the syscall record refers to the calling process. + remove IPE prefix from policy load/policy activation events + fix a bug wherein a policy change audit record was not fired when updating a policy --- security/ipe/Kconfig | 55 +++++++++ security/ipe/Makefile | 2 + security/ipe/audit.c | 184 ++++++++++++++++++++++++++++++ security/ipe/audit.h | 34 ++++++ security/ipe/ctx.c | 21 ++++ security/ipe/ctx.h | 2 + security/ipe/eval.c | 9 ++ security/ipe/eval.h | 7 ++ security/ipe/fs.c | 79 +++++++++++++ security/ipe/modules/ipe_module.h | 2 + 10 files changed, 395 insertions(+) create mode 100644 security/ipe/audit.c create mode 100644 security/ipe/audit.h diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig index e4875fb04883..1ad2f34b98ec 100644 --- a/security/ipe/Kconfig +++ b/security/ipe/Kconfig @@ -15,3 +15,58 @@ menuconfig SECURITY_IPE admins to reconfigure trust requirements on the fly. If unsure, answer N. + +if SECURITY_IPE + +config IPE_AUDIT + bool "Enable IPE's audit events" + depends on AUDIT && AUDITSYSCALL + help + This option causes IPE to emit audit records on certain key + events during IPE's normal operation. Examples include: + when an action is denied by IPE policy, when a new policy is + loaded, and when a new policy is active. This allows system + admins to analyze what is happening on their systems, and + validate through audit records that IPE is responsible for + certain behaviors. + + if unsure, answer Y. + +choice + prompt "Hash algorithm used in auditing policies" + default IPE_AUDIT_HASH_SHA1 + depends on IPE_AUDIT + help + Specify the hash algorithm used when auditing policies. + The hash is used to uniquely identify a policy from other + policies on the system. + + If unsure, leave default. + + config IPE_AUDIT_HASH_SHA1 + bool "sha1" + select CRYPTO_SHA1 + + config IPE_AUDIT_HASH_SHA256 + bool "sha256" + select CRYPTO_SHA256 + + config IPE_AUDIT_HASH_SHA384 + bool "sha384" + select CRYPTO_SHA512 + + config IPE_AUDIT_HASH_SHA512 + bool "sha512" + select CRYPTO_SHA512 + +endchoice + +config IPE_AUDIT_HASH_ALG + string + depends on IPE_AUDIT + default "sha1" if IPE_AUDIT_HASH_SHA1 + default "sha256" if IPE_AUDIT_HASH_SHA256 + default "sha384" if IPE_AUDIT_HASH_SHA384 + default "sha512" if IPE_AUDIT_HASH_SHA512 + +endif diff --git a/security/ipe/Makefile b/security/ipe/Makefile index d5660a17364c..25a7d7c8f07c 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -18,3 +18,5 @@ obj-$(CONFIG_SECURITY_IPE) += \ parsers.o \ policy.o \ policyfs.o \ + +obj-$(CONFIG_IPE_AUDIT) += audit.o diff --git a/security/ipe/audit.c b/security/ipe/audit.c new file mode 100644 index 000000000000..0442cc51a4bd --- /dev/null +++ b/security/ipe/audit.c @@ -0,0 +1,184 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe.h" +#include "eval.h" +#include "hooks.h" +#include "policy.h" +#include "audit.h" +#include "modules/ipe_module.h" + +#include +#include +#include +#include + +#define ACTSTR(x) ((x) == ipe_action_allow ? "ALLOW" : "DENY") + +#define POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\ + CONFIG_IPE_AUDIT_HASH_ALG "=" + +static const char *const audit_op_names[ipe_operation_max] = { + "EXECUTE", + "FIRMWARE", + "KMODULE", + "KEXEC_IMAGE", + "KEXEC_INITRAMFS", + "IMA_POLICY", + "IMA_X509_CERT", +}; + +/** + * audit_rule: audit an IPE policy rule approximation. + * @ab: Supplies a poniter to the audit_buffer to append to. + * @r: Supplies a pointer to the ipe_rule to approximate a string form for. + * + * This is an approximation because aliases like "KERNEL_READ" will be + * emitted in their expanded form. + */ +static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r) +{ + const struct ipe_policy_mod *ptr; + + audit_log_format(ab, "rule=\"op=%s ", audit_op_names[r->op]); + + list_for_each_entry(ptr, &r->modules, next) { + audit_log_format(ab, "%s=", ptr->mod->name); + + ptr->mod->audit(ab, ptr->mod_value); + + audit_log_format(ab, " "); + } + + audit_log_format(ab, "action=%s\"", ACTSTR(r->action)); +} + +/** + * ipe_audit_match: audit a match for IPE policy. + * @ctx: Supplies a poniter to the evaluation context that was used in the + * evaluation. + * @match_type: Supplies the scope of the match: rule, operation default, + * global default. + * @act: Supplies the IPE's evaluation decision, deny or allow. + * @r: Supplies a pointer to the rule that was matched, if possible. + * @enforce: Supplies the enforcement/permissive state at the point + * the enforcement decision was made. + */ +void ipe_audit_match(const struct ipe_eval_ctx *const ctx, + enum ipe_match match_type, + enum ipe_action act, const struct ipe_rule *const r) +{ + bool success_audit; + struct inode *inode; + struct audit_buffer *ab; + const char *op = audit_op_names[ctx->op]; + + rcu_read_lock(); + success_audit = READ_ONCE(ctx->ci_ctx->success_audit); + rcu_read_unlock(); + + if (act != ipe_action_deny && !success_audit) + return; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_IPE_ACCESS); + if (!ab) + return; + + if (ctx->file) { + audit_log_d_path(ab, "path=", &ctx->file->f_path); + inode = file_inode(ctx->file); + if (inode) { + audit_log_format(ab, " dev="); + audit_log_untrustedstring(ab, inode->i_sb->s_id); + audit_log_format(ab, " ino=%lu ", inode->i_ino); + } + } + + if (match_type == ipe_match_rule) + audit_rule(ab, r); + else if (match_type == ipe_match_table) + audit_log_format(ab, "rule=\"DEFAULT op=%s action=%s\"", op, + ACTSTR(act)); + else + audit_log_format(ab, "rule=\"DEFAULT action=%s\"", + ACTSTR(act)); + + audit_log_end(ab); +} + +/** + * audit_policy: Audit a policy's name, version and thumprint to @ab + * @ab: Supplies a pointer to the audit buffer to append to. + * @p: Supplies a pointer to the policy to audit + */ +static void audit_policy(struct audit_buffer *ab, + const struct ipe_policy *const p) +{ + u8 *digest = NULL; + struct crypto_shash *tfm; + SHASH_DESC_ON_STACK(desc, tfm); + + tfm = crypto_alloc_shash(CONFIG_IPE_AUDIT_HASH_ALG, 0, 0); + if (IS_ERR(tfm)) + return; + + desc->tfm = tfm; + + digest = kzalloc(crypto_shash_digestsize(tfm), GFP_KERNEL); + if (!digest) + goto out; + + if (crypto_shash_init(desc)) + goto out; + + if (crypto_shash_update(desc, p->pkcs7, p->pkcs7len)) + goto out; + + if (crypto_shash_final(desc, digest)) + goto out; + + audit_log_format(ab, POLICY_LOAD_FMT, p->parsed->name, + p->parsed->version.major, p->parsed->version.minor, + p->parsed->version.rev); + audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm)); + +out: + kfree(digest); + crypto_free_shash(tfm); +} + +/** + * ipe_audit_policy_activation: Audit a policy being made the active policy. + * @p: Supplies a pointer to the policy to audit + */ +void ipe_audit_policy_activation(const struct ipe_policy *const p) +{ + struct audit_buffer *ab; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_CONFIG_CHANGE); + if (!ab) + return; + + audit_policy(ab, p); + + audit_log_end(ab); +} + +/** + * ipe_audit_policy_load: Audit a policy being loaded into the kernel. + * @p: Supplies a pointer to the policy to audit + */ +void ipe_audit_policy_load(const struct ipe_policy *const p) +{ + struct audit_buffer *ab; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD); + if (!ab) + return; + + audit_policy(ab, p); + + audit_log_end(ab); +} diff --git a/security/ipe/audit.h b/security/ipe/audit.h new file mode 100644 index 000000000000..bec03208042d --- /dev/null +++ b/security/ipe/audit.h @@ -0,0 +1,34 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#ifndef IPE_AUDIT_H +#define IPE_AUDIT_H + +#include "ipe.h" +#include "eval.h" + +#ifdef CONFIG_IPE_AUDIT +void ipe_audit_match(const struct ipe_eval_ctx *const ctx, + enum ipe_match match_type, + enum ipe_action act, const struct ipe_rule *const r); +void ipe_audit_policy_load(const struct ipe_policy *const p); +void ipe_audit_policy_activation(const struct ipe_policy *const p); +#else +static inline void ipe_audit_match(const struct ipe_eval_ctx *const ctx, + enum ipe_match match_type, + enum ipe_action act, const struct ipe_rule *const r) +{ +} + +static inline void ipe_audit_policy_load(const struct ipe_policy *const p) +{ +} + +static inline void ipe_audit_policy_activation(const struct ipe_policy *const p) +{ +} +#endif /* CONFIG_IPE_AUDIT */ + +#endif /* IPE_AUDIT_H */ diff --git a/security/ipe/ctx.c b/security/ipe/ctx.c index 177f60f02ed4..391c7102e08d 100644 --- a/security/ipe/ctx.c +++ b/security/ipe/ctx.c @@ -6,12 +6,16 @@ #include "ipe.h" #include "ctx.h" #include "policy.h" +#include "audit.h" #include #include #include #include #include +#include + +static bool success_audit; /** * ver_to_u64: convert an internal ipe_policy_version to a u64 @@ -217,6 +221,9 @@ int ipe_replace_policy(struct ipe_policy *old, struct ipe_policy *new) spin_unlock(&ctx->lock); synchronize_rcu(); + if (!rc) + ipe_audit_policy_load(new); + ipe_put_policy(p); ipe_put_ctx(ctx); return rc; @@ -249,6 +256,7 @@ int ipe_set_active_pol(const struct ipe_policy *p) spin_unlock(&ctx->lock); synchronize_rcu(); + ipe_audit_policy_activation(p); out: ipe_put_policy(ap); ipe_put_ctx(ctx); @@ -314,6 +322,10 @@ int __init ipe_init_ctx(void) goto err; } + spin_lock(&lns->lock); + WRITE_ONCE(lns->success_audit, success_audit); + spin_unlock(&lns->lock); + rcu_assign_pointer(*ipe_tsk_ctx(current), lns); return 0; @@ -321,3 +333,12 @@ int __init ipe_init_ctx(void) ipe_put_ctx(lns); return rc; } + +/* Set the right module name */ +#ifdef KBUILD_MODNAME +#undef KBUILD_MODNAME +#define KBUILD_MODNAME "ipe" +#endif + +module_param(success_audit, bool, 0400); +MODULE_PARM_DESC(success_audit, "Start IPE with success auditing enabled"); diff --git a/security/ipe/ctx.h b/security/ipe/ctx.h index fe11fb767788..31aea2fb9e49 100644 --- a/security/ipe/ctx.h +++ b/security/ipe/ctx.h @@ -15,6 +15,8 @@ struct ipe_context { struct ipe_policy __rcu *active_policy; + bool __rcu success_audit; + refcount_t refcount; /* Protects concurrent writers */ spinlock_t lock; diff --git a/security/ipe/eval.c b/security/ipe/eval.c index b3e4277fe6bd..fcfa3a37b0ed 100644 --- a/security/ipe/eval.c +++ b/security/ipe/eval.c @@ -9,6 +9,7 @@ #include "hooks.h" #include "policy.h" #include "modules/ipe_module.h" +#include "audit.h" #include #include @@ -71,7 +72,9 @@ static int evaluate(const struct ipe_eval_ctx *const ctx) { int rc = 0; bool match = false; + bool enforcing = true; enum ipe_action action; + enum ipe_match match_type; struct ipe_policy *pol = NULL; const struct ipe_rule *rule = NULL; const struct ipe_policy_mod *module = NULL; @@ -83,6 +86,7 @@ static int evaluate(const struct ipe_eval_ctx *const ctx) if (ctx->op == ipe_operation_max) { action = pol->parsed->global_default; + match_type = ipe_match_global; goto eval; } @@ -100,13 +104,18 @@ static int evaluate(const struct ipe_eval_ctx *const ctx) if (match) { action = rule->action; + match_type = ipe_match_rule; } else if (rules->default_action != ipe_action_max) { action = rules->default_action; + match_type = ipe_match_table; } else { action = pol->parsed->global_default; + match_type = ipe_match_global; } eval: + ipe_audit_match(ctx, match_type, action, rule); + if (action == ipe_action_deny) rc = -EACCES; diff --git a/security/ipe/eval.h b/security/ipe/eval.h index bc3a5da3badc..50bc16b0be25 100644 --- a/security/ipe/eval.h +++ b/security/ipe/eval.h @@ -19,6 +19,13 @@ struct ipe_eval_ctx { struct ipe_context *ci_ctx; }; +enum ipe_match { + ipe_match_rule = 0, + ipe_match_table, + ipe_match_global, + ipe_match_max +}; + int ipe_process_event(const struct file *file, enum ipe_operation op); #endif /* IPE_EVAL_H */ diff --git a/security/ipe/fs.c b/security/ipe/fs.c index 18100cfbd8d5..6e28807780c0 100644 --- a/security/ipe/fs.c +++ b/security/ipe/fs.c @@ -5,6 +5,7 @@ #include "ipe.h" #include "fs.h" #include "policy.h" +#include "audit.h" #include #include @@ -12,6 +13,70 @@ static struct dentry *np __ro_after_init; static struct dentry *root __ro_after_init; static struct dentry *config __ro_after_init; +static struct dentry *success_audit __ro_after_init; + +/** + * setaudit: Write handler for the securityfs node, "ipe/success_audit" + * @f: Supplies a file structure representing the securityfs node. + * @data: Supplies a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t setaudit(struct file *f, const char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + bool value; + struct ipe_context *ctx; + + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) + return -EPERM; + + rc = kstrtobool_from_user(data, len, &value); + if (rc) + return rc; + + ctx = ipe_current_ctx(); + + spin_lock(&ctx->lock); + WRITE_ONCE(ctx->success_audit, value); + spin_unlock(&ctx->lock); + synchronize_rcu(); + + ipe_put_ctx(ctx); + return len; +} + +/** + * getaudit: Read handler for the securityfs node, "ipe/success_audit" + * @f: Supplies a file structure representing the securityfs node. + * @data: Supplies a buffer passed to the read syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t getaudit(struct file *f, char __user *data, + size_t len, loff_t *offset) +{ + const char *result; + struct ipe_context *ctx; + + ctx = ipe_current_ctx(); + + rcu_read_lock(); + result = ((READ_ONCE(ctx->success_audit)) ? "1" : "0"); + rcu_read_unlock(); + + ipe_put_ctx(ctx); + return simple_read_from_buffer(data, len, offset, result, 2); +} /** * new_policy: Write handler for the securityfs node, "ipe/new_policy" @@ -54,6 +119,7 @@ static ssize_t new_policy(struct file *f, const char __user *data, goto err; ipe_add_policy(ctx, p); + ipe_audit_policy_load(p); err: ipe_put_policy(p); ipe_put_ctx(ctx); @@ -119,6 +185,11 @@ static const struct file_operations np_fops = { .write = new_policy, }; +static const struct file_operations audit_fops = { + .write = setaudit, + .read = getaudit, +}; + /** * ipe_init_securityfs: Initialize IPE's securityfs tree at fsinit * @@ -155,6 +226,13 @@ static int __init ipe_init_securityfs(void) goto err; } + success_audit = securityfs_create_file("success_audit", 0600, root, + NULL, &audit_fops); + if (IS_ERR(success_audit)) { + rc = PTR_ERR(success_audit); + goto err; + } + ctx->policy_root = securityfs_create_dir("policies", root); if (IS_ERR(ctx->policy_root)) { rc = PTR_ERR(ctx->policy_root); @@ -166,6 +244,7 @@ static int __init ipe_init_securityfs(void) securityfs_remove(np); securityfs_remove(root); securityfs_remove(config); + securityfs_remove(success_audit); securityfs_remove(ctx->policy_root); return rc; } diff --git a/security/ipe/modules/ipe_module.h b/security/ipe/modules/ipe_module.h index 1157c5363048..1381ab977da5 100644 --- a/security/ipe/modules/ipe_module.h +++ b/security/ipe/modules/ipe_module.h @@ -6,6 +6,7 @@ #define IPE_MODULE_H #include +#include #include "../eval.h" /** @@ -26,6 +27,7 @@ struct ipe_module { void (*free)(void **value); /* optional */ bool (*eval)(const struct ipe_eval_ctx *ctx, /* required */ const void *val); + void (*audit)(struct audit_buffer *ab, const void *val); /* required */ }; #define IPE_MODULE(parser) \ From patchwork Wed Jun 8 19:01:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874547 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 59A7DCCA493 for ; Wed, 8 Jun 2022 19:01:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234586AbiFHTBv (ORCPT ); Wed, 8 Jun 2022 15:01:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233980AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 15C2530565; Wed, 8 Jun 2022 12:01:46 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 9FA0820BE672; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 9FA0820BE672 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=tZ0tEV78U4XYhZBbLbR3cTHG9gHVuXD3NQAKNEzNx7M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YeMPHkDt4bj55xtTxzPIYAM5Kuo2SoOVbyr87vnk3y6zKZkbmmHYE1XH4MHiA36k9 f7cxoLWX5oachgv44CfUQVjxIPKwHPvL+Jba6cZKhs0pIDleR6rsfA/pfr1DY5Vn6A ogyap4DaiG1yFJVYlbtTj0nTnlnLLDYub3ROrc5g= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 08/17] ipe: add permissive toggle Date: Wed, 8 Jun 2022 12:01:20 -0700 Message-Id: <1654714889-26728-9-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org IPE, like SELinux, supports a permissive mode. This mode allows policy authors to test and evaluate IPE policy without it effecting their programs. When the mode is changed, a 1423 AUDIT_TRUST_STATUS will be reported. Signed-off-by: Deven Bowers --- This patch adds the following audit records: type=1404 audit(1653425689.008:55): permissive=1 type=1404 audit(1653425689.008:55): permissive=0 These records are emitted within the following events: type=1404 audit(1653425689.008:55): permissive=1 type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) type=1327 audit(1653425689.008:55): proctitle="-bash" --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move ipe_load_properties to patch 04. + Remove useless 0-initializations + Prefix extern variables with ipe_ + Remove kernel module parameters, as these are exposed through sysctls. + Add more prose to the IPE base config option help text. + Use GFP_KERNEL for audit_log_start. + Remove unnecessary caching system. + Remove comments from headers + Use rcu_access_pointer for rcu-pointer null check + Remove usage of reqprot; use prot only. + Move policy load and activation audit event to 03/12 v4: + Remove sysctls in favor of securityfs nodes + Re-add kernel module parameters, as these are now exposed through securityfs. + Refactor property audit loop to a separate function. v5: + fix minor grammatical errors + do not group rule by curly-brace in audit record, reconstruct the exact rule. v6: + No changes v7: + Further split lsm creation into a separate commit from the evaluation loop and audit system, for easier review. + Propogating changes to support the new ipe_context structure in the evaluation loop. + Split out permissive functionality into a separate patch for easier review. + Remove permissive switch compile-time configuration option - this is trivial to add later. v8: + Remove "IPE" prefix from permissive audit record + align fields to the linux-audit field dictionary. This causes the following fields to change: enforce -> permissive + Remove duplicated information correlated with syscall record, that will always be present in the audit event. + Change audit types: + AUDIT_TRUST_STATUS -> AUDIT_MAC_STATUS + There is no significant difference in meaning between these types. --- security/ipe/audit.c | 43 ++++++++++++++++++++++++ security/ipe/audit.h | 5 +++ security/ipe/ctx.c | 6 ++++ security/ipe/ctx.h | 1 + security/ipe/eval.c | 6 ++++ security/ipe/fs.c | 78 ++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 139 insertions(+) diff --git a/security/ipe/audit.c b/security/ipe/audit.c index 0442cc51a4bd..cf0ccea32c90 100644 --- a/security/ipe/audit.c +++ b/security/ipe/audit.c @@ -182,3 +182,46 @@ void ipe_audit_policy_load(const struct ipe_policy *const p) audit_log_end(ab); } + +/** + * ipe_audit_enforce: Audit a change in IPE's enforcement state + * @ctx: Supplies a pointer to the contexts whose state changed. + */ +void ipe_audit_enforce(const struct ipe_context *const ctx) +{ + struct audit_buffer *ab; + bool enforcing = false; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS); + if (!ab) + return; + + rcu_read_lock(); + enforcing = READ_ONCE(ctx->enforce); + rcu_read_unlock(); + + audit_log_format(ab, "permissive=%d", !enforcing); + + audit_log_end(ab); +} + +/** + * emit_enforcement: Emit the enforcement state of IPE started with. + * + * Return: + * 0 - Always + */ +static int emit_enforcement(void) +{ + struct ipe_context *ctx = NULL; + + if (!ipe_enabled) + return -EOPNOTSUPP; + + ctx = ipe_current_ctx(); + ipe_audit_enforce(ctx); + ipe_put_ctx(ctx); + return 0; +} + +late_initcall(emit_enforcement); diff --git a/security/ipe/audit.h b/security/ipe/audit.h index bec03208042d..daff9c801a8e 100644 --- a/security/ipe/audit.h +++ b/security/ipe/audit.h @@ -15,6 +15,7 @@ void ipe_audit_match(const struct ipe_eval_ctx *const ctx, enum ipe_action act, const struct ipe_rule *const r); void ipe_audit_policy_load(const struct ipe_policy *const p); void ipe_audit_policy_activation(const struct ipe_policy *const p); +void ipe_audit_enforce(const struct ipe_context *const ctx); #else static inline void ipe_audit_match(const struct ipe_eval_ctx *const ctx, enum ipe_match match_type, @@ -29,6 +30,10 @@ static inline void ipe_audit_policy_load(const struct ipe_policy *const p) static inline void ipe_audit_policy_activation(const struct ipe_policy *const p) { } + +static inline void ipe_audit_enforce(const struct ipe_context *const ctx) +{ +} #endif /* CONFIG_IPE_AUDIT */ #endif /* IPE_AUDIT_H */ diff --git a/security/ipe/ctx.c b/security/ipe/ctx.c index 391c7102e08d..ee3cb2bd6028 100644 --- a/security/ipe/ctx.c +++ b/security/ipe/ctx.c @@ -16,6 +16,7 @@ #include static bool success_audit; +static bool enforce = true; /** * ver_to_u64: convert an internal ipe_policy_version to a u64 @@ -135,6 +136,7 @@ static struct ipe_context *create_ctx(void) INIT_LIST_HEAD(&ctx->policies); refcount_set(&ctx->refcount, 1); spin_lock_init(&ctx->lock); + WRITE_ONCE(ctx->enforce, true); return ctx; @@ -324,6 +326,7 @@ int __init ipe_init_ctx(void) spin_lock(&lns->lock); WRITE_ONCE(lns->success_audit, success_audit); + WRITE_ONCE(lns->enforce, enforce); spin_unlock(&lns->lock); rcu_assign_pointer(*ipe_tsk_ctx(current), lns); @@ -342,3 +345,6 @@ int __init ipe_init_ctx(void) module_param(success_audit, bool, 0400); MODULE_PARM_DESC(success_audit, "Start IPE with success auditing enabled"); + +module_param(enforce, bool, 0400); +MODULE_PARM_DESC(enforce, "Start IPE in enforce or permissive mode"); diff --git a/security/ipe/ctx.h b/security/ipe/ctx.h index 31aea2fb9e49..d7bf9fc6426a 100644 --- a/security/ipe/ctx.h +++ b/security/ipe/ctx.h @@ -14,6 +14,7 @@ struct ipe_context { struct ipe_policy __rcu *active_policy; + bool __rcu enforce; bool __rcu success_audit; diff --git a/security/ipe/eval.c b/security/ipe/eval.c index fcfa3a37b0ed..eafa670558e3 100644 --- a/security/ipe/eval.c +++ b/security/ipe/eval.c @@ -84,6 +84,10 @@ static int evaluate(const struct ipe_eval_ctx *const ctx) if (!pol) goto out; + rcu_read_lock(); + enforcing = READ_ONCE(ctx->ci_ctx->enforce); + rcu_read_unlock(); + if (ctx->op == ipe_operation_max) { action = pol->parsed->global_default; match_type = ipe_match_global; @@ -119,6 +123,8 @@ static int evaluate(const struct ipe_eval_ctx *const ctx) if (action == ipe_action_deny) rc = -EACCES; + if (!enforcing) + rc = 0; out: ipe_put_policy(pol); return rc; diff --git a/security/ipe/fs.c b/security/ipe/fs.c index 6e28807780c0..f4d32f84c945 100644 --- a/security/ipe/fs.c +++ b/security/ipe/fs.c @@ -13,8 +13,73 @@ static struct dentry *np __ro_after_init; static struct dentry *root __ro_after_init; static struct dentry *config __ro_after_init; +static struct dentry *enforce __ro_after_init; static struct dentry *success_audit __ro_after_init; +/** + * setenforce: Write handler for the securityfs node, "ipe/enforce" + * @f: Supplies a file structure representing the securityfs node. + * @data: Supplies a buffer passed to the write syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t setenforce(struct file *f, const char __user *data, + size_t len, loff_t *offset) +{ + int rc = 0; + bool value; + struct ipe_context *ctx; + + if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) + return -EPERM; + + rc = kstrtobool_from_user(data, len, &value); + if (rc) + return rc; + + ctx = ipe_current_ctx(); + + spin_lock(&ctx->lock); + WRITE_ONCE(ctx->enforce, value); + spin_unlock(&ctx->lock); + synchronize_rcu(); + + ipe_audit_enforce(ctx); + ipe_put_ctx(ctx); + return len; +} + +/** + * getenforce: Read handler for the securityfs node, "ipe/enforce" + * @f: Supplies a file structure representing the securityfs node. + * @data: Supplies a buffer passed to the read syscall + * @len: Supplies the length of @data + * @offset: unused. + * + * Return: + * >0 - Success, Length of buffer written + * <0 - Error + */ +static ssize_t getenforce(struct file *f, char __user *data, + size_t len, loff_t *offset) +{ + const char *result; + struct ipe_context *ctx; + + ctx = ipe_current_ctx(); + + rcu_read_lock(); + result = ((READ_ONCE(ctx->enforce)) ? "1" : "0"); + rcu_read_unlock(); + + ipe_put_ctx(ctx); + return simple_read_from_buffer(data, len, offset, result, 2); +} + /** * setaudit: Write handler for the securityfs node, "ipe/success_audit" * @f: Supplies a file structure representing the securityfs node. @@ -185,6 +250,11 @@ static const struct file_operations np_fops = { .write = new_policy, }; +static const struct file_operations enforce_fops = { + .write = setenforce, + .read = getenforce, +}; + static const struct file_operations audit_fops = { .write = setaudit, .read = getaudit, @@ -233,6 +303,13 @@ static int __init ipe_init_securityfs(void) goto err; } + enforce = securityfs_create_file("enforce", 0600, root, NULL, + &enforce_fops); + if (IS_ERR(enforce)) { + rc = PTR_ERR(enforce); + goto err; + } + ctx->policy_root = securityfs_create_dir("policies", root); if (IS_ERR(ctx->policy_root)) { rc = PTR_ERR(ctx->policy_root); @@ -244,6 +321,7 @@ static int __init ipe_init_securityfs(void) securityfs_remove(np); securityfs_remove(root); securityfs_remove(config); + securityfs_remove(enforce); securityfs_remove(success_audit); securityfs_remove(ctx->policy_root); return rc; From patchwork Wed Jun 8 19:01:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874551 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0CDE8CCA49E for ; Wed, 8 Jun 2022 19:01:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234611AbiFHTBv (ORCPT ); Wed, 8 Jun 2022 15:01:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51702 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234053AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id B33E814009; Wed, 8 Jun 2022 12:01:46 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id B9A3F20BE675; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com B9A3F20BE675 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=f0vSpS6anSX7AZBsr6faYd1/rpmG95KXroudjr7PV6o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=O7EUIS91Bk1e6w8uIHqQVaQpsJ5HVw0zHbWUobt7AK9lGhTOHrfL2xwqZFAdIuGZz HDrGxcoYFxEwbniLrOeDU4NFz1vGMlOD52yDgD5W/+GSNWHH+f46+PO9A0BHleLvuW aLPNxlo6d4HD2bEfxyXIRafPqy9URPxYWWTtEOWQ= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 09/17] ipe: introduce 'boot_verified' as a trust provider Date: Wed, 8 Jun 2022 12:01:21 -0700 Message-Id: <1654714889-26728-10-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org IPE is designed to provide system level trust guarantees, this usually implies that trust starts from bootup with a hardware root of trust, which validates the bootloader. After this, the bootloader verifies the kernel and the initramfs. As there's no currently supported integrity method for initramfs, and it's typically already verified by the bootloader, introduce a property that causes the first superblock to have an execution to be "pinned", which is typically initramfs. Signed-off-by: Deven Bowers --- v2: + No Changes v3: + Remove useless caching system + Move ipe_load_properties to this match + Minor changes from checkpatch --strict warnings v4: + Remove comments from headers that was missed previously. + Grammatical corrections. v5: + No significant changes v6: + No changes v7: + Reword and refactor patch 04/12 to [09/16], based on changes in the underlying system. + Add common audit function for boolean values + Use common audit function as implementation. v8: + No changes --- security/ipe/Kconfig | 2 + security/ipe/Makefile | 1 + security/ipe/eval.c | 71 ++++++++++++++++++++++++++++ security/ipe/eval.h | 5 ++ security/ipe/hooks.c | 14 ++++++ security/ipe/hooks.h | 2 + security/ipe/ipe.c | 1 + security/ipe/modules.c | 30 ++++++++++++ security/ipe/modules/Kconfig | 20 ++++++++ security/ipe/modules/Makefile | 8 ++++ security/ipe/modules/boot_verified.c | 26 ++++++++++ security/ipe/modules/ipe_module.h | 3 ++ 12 files changed, 183 insertions(+) create mode 100644 security/ipe/modules/Kconfig create mode 100644 security/ipe/modules/Makefile create mode 100644 security/ipe/modules/boot_verified.c diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig index 1ad2f34b98ec..69345fa49be5 100644 --- a/security/ipe/Kconfig +++ b/security/ipe/Kconfig @@ -69,4 +69,6 @@ config IPE_AUDIT_HASH_ALG default "sha384" if IPE_AUDIT_HASH_SHA384 default "sha512" if IPE_AUDIT_HASH_SHA512 +source "security/ipe/modules/Kconfig" + endif diff --git a/security/ipe/Makefile b/security/ipe/Makefile index 25a7d7c8f07c..0d970236efc4 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -13,6 +13,7 @@ obj-$(CONFIG_SECURITY_IPE) += \ fs.o \ hooks.o \ ipe.o \ + modules/ \ modules.o \ parsers/ \ parsers.o \ diff --git a/security/ipe/eval.c b/security/ipe/eval.c index eafa670558e3..ccf9b843040b 100644 --- a/security/ipe/eval.c +++ b/security/ipe/eval.c @@ -11,10 +11,62 @@ #include "modules/ipe_module.h" #include "audit.h" +#include +#include #include #include #include #include +#include + +static struct super_block *pinned_sb; +static DEFINE_SPINLOCK(pin_lock); + +#define FILE_SUPERBLOCK(f) ((f)->f_path.mnt->mnt_sb) + +/** + * pin_sb: pin the underlying superblock of @f, marking it as trusted + * @f: Supplies a file structure to source the super_block from. + */ +static void pin_sb(const struct file *f) +{ + if (!f) + return; + + spin_lock(&pin_lock); + + if (pinned_sb) + goto out; + + pinned_sb = FILE_SUPERBLOCK(f); + +out: + spin_unlock(&pin_lock); +} + +/** + * from_pinned: determine whether @f is source from the pinned super_block. + * @f: Supplies a file structure to check against the pinned super_block. + * + * Return: + * true - @f is sourced from the pinned super_block + * false - @f is not sourced from the pinned super_block + */ +static bool from_pinned(const struct file *f) +{ + bool rv; + + if (!f) + return false; + + spin_lock(&pin_lock); + + rv = !IS_ERR_OR_NULL(pinned_sb) && pinned_sb == FILE_SUPERBLOCK(f); + + spin_unlock(&pin_lock); + + return rv; +} /** * build_ctx: Build an evaluation context. @@ -40,6 +92,7 @@ static struct ipe_eval_ctx *build_ctx(const struct file *file, ctx->file = file; ctx->op = op; ctx->ci_ctx = ipe_current_ctx(); + ctx->from_init_sb = from_pinned(file); return ctx; } @@ -148,6 +201,9 @@ int ipe_process_event(const struct file *file, enum ipe_operation op) int rc = 0; struct ipe_eval_ctx *ctx = NULL; + if (op == ipe_operation_exec) + pin_sb(file); + ctx = build_ctx(file, op); if (IS_ERR(ctx)) return PTR_ERR(ctx); @@ -157,3 +213,18 @@ int ipe_process_event(const struct file *file, enum ipe_operation op) free_ctx(ctx); return rc; } + +/** + * ipe_invalidate_pinned_sb: if @mnt_sb is the pinned superblock, ensure + * nothing can match it again. + * @mnt_sb: super_block to check against the pinned super_block + */ +void ipe_invalidate_pinned_sb(const struct super_block *mnt_sb) +{ + spin_lock(&pin_lock); + + if (!IS_ERR_OR_NULL(pinned_sb) && mnt_sb == pinned_sb) + pinned_sb = ERR_PTR(-EIO); + + spin_unlock(&pin_lock); +} diff --git a/security/ipe/eval.h b/security/ipe/eval.h index 50bc16b0be25..f195671eaa8f 100644 --- a/security/ipe/eval.h +++ b/security/ipe/eval.h @@ -7,6 +7,7 @@ #define IPE_EVAL_H #include +#include #include "ctx.h" #include "hooks.h" @@ -17,6 +18,8 @@ struct ipe_eval_ctx { const struct file *file; struct ipe_context *ci_ctx; + + bool from_init_sb; }; enum ipe_match { @@ -28,4 +31,6 @@ enum ipe_match { int ipe_process_event(const struct file *file, enum ipe_operation op); +void ipe_invalidate_pinned_sb(const struct super_block *mnt_sb); + #endif /* IPE_EVAL_H */ diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c index d20de25bbd40..4dc7b0c0fd31 100644 --- a/security/ipe/hooks.c +++ b/security/ipe/hooks.c @@ -202,3 +202,17 @@ int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents) WARN(op == ipe_operation_max, "no rule setup for enum %d", id); return ipe_process_event(NULL, op); } + +/** + * ipe_bdev_free_security: free nested structures within IPE's LSM blob + * in super_blocks + * @mnt_sb: Supplies a pointer to a super_block that contains the structure + * to free. + * + * IPE does not have any structures with mnt_sb, but uses this hook to + * invalidate a pinned super_block. + */ +void ipe_sb_free_security(struct super_block *mnt_sb) +{ + ipe_invalidate_pinned_sb(mnt_sb); +} diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h index fa9e0657bd64..43d5b2fe67fd 100644 --- a/security/ipe/hooks.h +++ b/security/ipe/hooks.h @@ -29,4 +29,6 @@ int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents); +void ipe_sb_free_security(struct super_block *mnt_sb); + #endif /* IPE_HOOKS_H */ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index fca7019ca53c..d52ad248dfd3 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -32,6 +32,7 @@ static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect), LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file), LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data), + LSM_HOOK_INIT(sb_free_security, ipe_sb_free_security), }; /** diff --git a/security/ipe/modules.c b/security/ipe/modules.c index fb100c14cce5..30346f7ad35c 100644 --- a/security/ipe/modules.c +++ b/security/ipe/modules.c @@ -107,3 +107,33 @@ int ipe_register_module(struct ipe_module *m) return 0; } + +/** + * ipe_bool_parse: parse a boolean in IPE's policy and associate + * it as @value in IPE's policy. + * @valstr: Supplies the string parsed from the policy + * @value: Supplies a pointer to be populated with the result. + * + * Modules can use this function for simple true/false values + * instead of defining their own. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_bool_parse(const char *valstr, void **value) +{ + if (!strcmp(valstr, "TRUE")) + *value = (void *)true; + else if (!strcmp(valstr, "FALSE")) + *value = (void *)false; + else + return -EBADMSG; + + return 0; +} + +void ipe_bool_audit(struct audit_buffer *ab, const void *val) +{ + audit_log_format(ab, "%s", ((bool)val) ? "TRUE" : "FALSE"); +} diff --git a/security/ipe/modules/Kconfig b/security/ipe/modules/Kconfig new file mode 100644 index 000000000000..fad96ba534e2 --- /dev/null +++ b/security/ipe/modules/Kconfig @@ -0,0 +1,20 @@ + +menu "IPE Trust Providers" + +config IPE_PROP_BOOT_VERIFIED + bool "Enable trust for initramfs" + depends on SECURITY_IPE + default N + help + This option enables the property 'boot_verified' in IPE policy. + This property 'pins' the initial superblock when something + is evaluated as an execution. This property will evaluate + to true when the file being evaluated originates from this + superblock. + + This property is useful to authorize a signed initramfs. + + If unsure, answer N. + + +endmenu diff --git a/security/ipe/modules/Makefile b/security/ipe/modules/Makefile new file mode 100644 index 000000000000..e0045ec65434 --- /dev/null +++ b/security/ipe/modules/Makefile @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: GPL-2.0 +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# +# Makefile for building the IPE module as part of the kernel tree. +# + +obj-$(CONFIG_IPE_PROP_BOOT_VERIFIED) += boot_verified.o diff --git a/security/ipe/modules/boot_verified.c b/security/ipe/modules/boot_verified.c new file mode 100644 index 000000000000..6b12146263af --- /dev/null +++ b/security/ipe/modules/boot_verified.c @@ -0,0 +1,26 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe_module.h" + +#include +#include +#include + +static bool bv_eval(const struct ipe_eval_ctx *ctx, const void *val) +{ + bool expect = (bool)val; + + return expect == ctx->from_init_sb; +} + +IPE_MODULE(bv) = { + .name = "boot_verified", + .version = 1, + .parse = ipe_bool_parse, + .free = NULL, + .eval = bv_eval, + .audit = ipe_bool_audit, +}; diff --git a/security/ipe/modules/ipe_module.h b/security/ipe/modules/ipe_module.h index 1381ab977da5..5255a57c4784 100644 --- a/security/ipe/modules/ipe_module.h +++ b/security/ipe/modules/ipe_module.h @@ -9,6 +9,9 @@ #include #include "../eval.h" +int ipe_bool_parse(const char *valstr, void **value); +void ipe_bool_audit(struct audit_buffer *ab, const void *val); + /** * ipe_module: definition of an extensible module for IPE properties. * These structures are used to implement 'key=value' pairs From patchwork Wed Jun 8 19:01:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874553 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5C03CC04E88 for ; Wed, 8 Jun 2022 19:02:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234481AbiFHTBt (ORCPT ); Wed, 8 Jun 2022 15:01:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234120AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id B35073AA5A; Wed, 8 Jun 2022 12:01:46 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id D439320BE676; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com D439320BE676 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714904; bh=oxcl4VWDjkQJJLUJyWVlObluHCw+WnAyBzJSnSbo5Wo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lJDMB5uQ6vPGJXTjSq9o9osNKOSh8UJPSZQoLi2AkXYWEmNtTIhtJ9oB02s+3XFno C+hAPTo2p2AUdKXJCsKSQh141aDytqF+vPzToYg33NXO9VWsWcE08CuELX+6GLrBHx 9ALvKVoYb19eg4cntYIazz/KqAcgHhORTmHPXynE= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 10/17] block|security: add LSM blob to block_device Date: Wed, 8 Jun 2022 12:01:22 -0700 Message-Id: <1654714889-26728-11-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org block_device structures can have valuable security properties, based on how they are created, and what subsystem manages them. By adding LSM storage to this structure, this data can be accessed at the LSM layer. Signed-off-by: Deven Bowers Reviewed-by: Casey Schaufler --- v2: + No Changes v3: + Minor style changes from checkpatch --strict v4: + No Changes v5: + Allow multiple callers to call security_bdev_setsecurity v6: + Simplify security_bdev_setsecurity break condition v7: + Squash all dm-verity related patches to two patches, the additions to dm-verity/fs, and the consumption of the additions. v8: + Split dm-verity related patches squashed in v7 to 3 commits based on topic: + New LSM hook + Consumption of hook outside LSM + Consumption of hook inside LSM. + change return of security_bdev_alloc / security_bdev_setsecurity to LSM_RET_DEFAULT instead of 0. + Change return code to -EOPNOTSUPP, bring inline with other setsecurity hooks. --- block/bdev.c | 7 ++++ include/linux/blk_types.h | 1 + include/linux/lsm_hook_defs.h | 5 +++ include/linux/lsm_hooks.h | 12 ++++++ include/linux/security.h | 22 +++++++++++ security/security.c | 70 +++++++++++++++++++++++++++++++++++ 6 files changed, 117 insertions(+) diff --git a/block/bdev.c b/block/bdev.c index 5fe06c1f2def..e7ef2c7a22c9 100644 --- a/block/bdev.c +++ b/block/bdev.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include "../fs/internal.h" @@ -397,6 +398,11 @@ static struct inode *bdev_alloc_inode(struct super_block *sb) if (!ei) return NULL; memset(&ei->bdev, 0, sizeof(ei->bdev)); + + if (unlikely(security_bdev_alloc(&ei->bdev))) { + kmem_cache_free(bdev_cachep, ei); + return NULL; + } return &ei->vfs_inode; } @@ -406,6 +412,7 @@ static void bdev_free_inode(struct inode *inode) free_percpu(bdev->bd_stats); kfree(bdev->bd_meta_info); + security_bdev_free(bdev); if (!bdev_is_partition(bdev)) { if (bdev->bd_disk && bdev->bd_disk->bdi) diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h index a24d4078fb21..a014ffa14b2d 100644 --- a/include/linux/blk_types.h +++ b/include/linux/blk_types.h @@ -68,6 +68,7 @@ struct block_device { #ifdef CONFIG_FAIL_MAKE_REQUEST bool bd_make_it_fail; #endif + void *security; } __randomize_layout; #define bdev_whole(_bdev) \ diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index eafa1d2489fd..3449c004bd84 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -407,3 +407,8 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) LSM_HOOK(int, 0, uring_sqpoll, void) #endif /* CONFIG_IO_URING */ + +LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev) +LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev) +LSM_HOOK(int, 0, bdev_setsecurity, struct block_device *bdev, const char *name, + const void *value, size_t size) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 91c8146649f5..9f011d705ea8 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1550,6 +1550,17 @@ * * @what: kernel feature being accessed * + * @bdev_alloc_security: + * Initialize the security field inside a block_device structure. + * + * @bdev_free_security: + * Cleanup the security information stored inside a block_device structure. + * + * @bdev_setsecurity: + * Set a security property associated with @name for @bdev with + * value @value. @size indicates the size of @value in bytes. + * If a @name is not implemented, return -EOPNOTSUPP. + * * Security hooks for perf events * * @perf_event_open: @@ -1610,6 +1621,7 @@ struct lsm_blob_sizes { int lbs_ipc; int lbs_msg_msg; int lbs_task; + int lbs_bdev; }; /* diff --git a/include/linux/security.h b/include/linux/security.h index 7fc4e9f49f54..30b663de301f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -473,6 +473,11 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what); +int security_bdev_alloc(struct block_device *bdev); +void security_bdev_free(struct block_device *bdev); +int security_bdev_setsecurity(struct block_device *bdev, + const char *name, const void *value, + size_t size); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) @@ -1349,6 +1354,23 @@ static inline int security_locked_down(enum lockdown_reason what) { return 0; } + +static inline int security_bdev_alloc(struct block_device *bdev) +{ + return 0; +} + +static inline void security_bdev_free(struct block_device *bdev) +{ +} + +static inline int security_bdev_setsecurity(struct block_device *bdev, + const char *name, + const void *value, size_t size) +{ + return 0; +} + #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/security/security.c b/security/security.c index 188b8f782220..59ec336788e8 100644 --- a/security/security.c +++ b/security/security.c @@ -29,6 +29,7 @@ #include #include #include +#include #define MAX_LSM_EVM_XATTR 2 @@ -208,6 +209,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); + lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev); } /* Prepare LSM for initialization. */ @@ -344,6 +346,7 @@ static void __init ordered_lsm_init(void) init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); + init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev); /* * Create any kmem_caches needed for blobs @@ -660,6 +663,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp) return 0; } +/** + * lsm_bdev_alloc - allocate a composite block_device blob + * @bdev: the block_device that needs a blob + * + * Allocate the block_device blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_bdev_alloc(struct block_device *bdev) +{ + if (blob_sizes.lbs_bdev == 0) { + bdev->security = NULL; + return 0; + } + + bdev->security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL); + if (!bdev->security) + return -ENOMEM; + + return 0; +} + /** * lsm_early_task - during initialization allocate a composite task blob * @task: the task that needs a blob @@ -2617,6 +2642,51 @@ int security_locked_down(enum lockdown_reason what) } EXPORT_SYMBOL(security_locked_down); +int security_bdev_alloc(struct block_device *bdev) +{ + int rc = 0; + + rc = lsm_bdev_alloc(bdev); + if (unlikely(rc)) + return rc; + + rc = call_int_hook(bdev_alloc_security, 0, bdev); + if (unlikely(rc)) + security_bdev_free(bdev); + + return LSM_RET_DEFAULT(bdev_alloc_security); +} +EXPORT_SYMBOL(security_bdev_alloc); + +void security_bdev_free(struct block_device *bdev) +{ + if (!bdev->security) + return; + + call_void_hook(bdev_free_security, bdev); + + kfree(bdev->security); + bdev->security = NULL; +} +EXPORT_SYMBOL(security_bdev_free); + +int security_bdev_setsecurity(struct block_device *bdev, + const char *name, const void *value, + size_t size) +{ + int rc = 0; + struct security_hook_list *p; + + hlist_for_each_entry(p, &security_hook_heads.bdev_setsecurity, list) { + rc = p->hook.bdev_setsecurity(bdev, name, value, size); + if (rc && rc != -EOPNOTSUPP) + return rc; + } + + return LSM_RET_DEFAULT(bdev_setsecurity); +} +EXPORT_SYMBOL(security_bdev_setsecurity); + #ifdef CONFIG_PERF_EVENTS int security_perf_event_open(struct perf_event_attr *attr, int type) { From patchwork Wed Jun 8 19:01:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874554 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 51FDCCCA491 for ; Wed, 8 Jun 2022 19:02:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234763AbiFHTCG (ORCPT ); Wed, 8 Jun 2022 15:02:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51708 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234081AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id B44923BA48; Wed, 8 Jun 2022 12:01:46 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id EF38820BE677; Wed, 8 Jun 2022 12:01:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com EF38820BE677 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714905; bh=kPFvFwy5rv6zynUD5O1h6656hbbVzKlThWvASen5gEU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IOJ+jZj2c7tidhGPgAd4abo3AYr7i/Pw23pGY7qNqz6ekO4leWmx8NcZG1nhq66hC MdSg66XD52aLQCCYtI2yL6XRYOOvhxd4cjO7zuU66jkRuHPMLrg7YisVcaspKZa7dC gG0CVchSFsrQ08cow8Z92C5Cuq87aT0dfdCQRwAE= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 11/17] dm-verity: consume root hash digest and signature data via LSM hook Date: Wed, 8 Jun 2022 12:01:23 -0700 Message-Id: <1654714889-26728-12-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org dm-verity provides a strong guarantee of a block device's integrity. As a generic way to check the integrity of a block device, it provides those integrity guarantees to its lower layers, including the filesystem level. An LSM that control access to a resource on the system based on the available integrity claims can use this transitive property of dm-verity, by querying the underlying block_device of a particular file. The digest and signature information need to be stored in the block device to fulfill the next requirement of authorization via LSM policy. This will enable the LSM being able to perform revocation of devices that are still mounted, prohibiting execution of files that are no longer authorized by the LSM in question. Signed-off-by: Deven Bowers --- v2: + No Changes v3: + No changes v4: + No changes v5: + No changes v6: + Fix an improper cleanup that can result in a leak v7: + Squash patch 08/12, 10/12 to [11/16] + Use part0 for block_device, to retrieve the block_device, when calling security_bdev_setsecurity v8: + Undo squash of 08/12, 10/12 - separating drivers/md/ from security/ & block/ + Use common-audit function for dmverity_signature. + Change implementation for storing the dm-verity digest to use the newly introduced dm_verity_digest structure introduced in patch 14/20. + Create new structure, dm_verity_digest, containing digest algorithm, size, and digest itself to pass to the LSM layer. V7 was missing the algorithm. + Create an associated public header containing this new structure and the key values for the LSM hook, specific to dm-verity. + Additional information added to commit, discussing the layering of the changes and how the information passed will be used. --- drivers/md/dm-verity-target.c | 25 +++++++++++++++++++++++-- drivers/md/dm-verity-verify-sig.c | 16 +++++++++++++--- drivers/md/dm-verity-verify-sig.h | 10 ++++++---- include/linux/dm-verity.h | 19 +++++++++++++++++++ 4 files changed, 61 insertions(+), 9 deletions(-) create mode 100644 include/linux/dm-verity.h diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index d6dbd47492a8..0d499441e780 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c @@ -13,12 +13,16 @@ * access behavior. */ +#include "dm-core.h" #include "dm-verity.h" #include "dm-verity-fec.h" #include "dm-verity-verify-sig.h" #include #include #include +#include +#include +#include #define DM_MSG_PREFIX "verity" @@ -1060,6 +1064,8 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) sector_t hash_position; char dummy; char *root_hash_digest_to_validate; + struct block_device *bdev; + struct dm_verity_digest root_digest; v = kzalloc(sizeof(struct dm_verity), GFP_KERNEL); if (!v) { @@ -1093,6 +1099,13 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) } v->version = num; + bdev = dm_table_get_md(ti->table)->disk->part0; + if (!bdev) { + ti->error = "Mapped device lookup failed"; + r = -ENOMEM; + goto bad; + } + r = dm_get_device(ti, argv[1], FMODE_READ, &v->data_dev); if (r) { ti->error = "Data device lookup failed"; @@ -1225,7 +1238,7 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) } /* Root hash signature is a optional parameter*/ - r = verity_verify_root_hash(root_hash_digest_to_validate, + r = verity_verify_root_hash(bdev, root_hash_digest_to_validate, strlen(root_hash_digest_to_validate), verify_args.sig, verify_args.sig_size); @@ -1298,12 +1311,20 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) ti->per_io_data_size = roundup(ti->per_io_data_size, __alignof__(struct dm_verity_io)); + root_digest.digest = v->root_digest; + root_digest.digest_len = v->digest_size; + root_digest.algo = v->alg_name; + + r = security_bdev_setsecurity(bdev, DM_VERITY_ROOTHASH_SEC_NAME, &root_digest, + sizeof(root_digest)); + if (r) + goto bad; + verity_verify_sig_opts_cleanup(&verify_args); return 0; bad: - verity_verify_sig_opts_cleanup(&verify_args); verity_dtr(ti); diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c index db61a1f43ae9..06c15c555a4b 100644 --- a/drivers/md/dm-verity-verify-sig.c +++ b/drivers/md/dm-verity-verify-sig.c @@ -9,6 +9,9 @@ #include #include #include +#include +#include +#include "dm-core.h" #include "dm-verity.h" #include "dm-verity-verify-sig.h" @@ -97,14 +100,17 @@ int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, * verify_verify_roothash - Verify the root hash of the verity hash device * using builtin trusted keys. * + * @bdev: block_device representing the device-mapper created block device. + * Used by the security hook, to set information about the block_device. * @root_hash: For verity, the roothash/data to be verified. * @root_hash_len: Size of the roothash/data to be verified. * @sig_data: The trusted signature that verifies the roothash/data. * @sig_len: Size of the signature. * */ -int verity_verify_root_hash(const void *root_hash, size_t root_hash_len, - const void *sig_data, size_t sig_len) +int verity_verify_root_hash(struct block_device *bdev, const void *root_hash, + size_t root_hash_len, const void *sig_data, + size_t sig_len) { int ret; @@ -126,8 +132,12 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len, NULL, #endif VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL); + if (ret) + return ret; - return ret; + return security_bdev_setsecurity(bdev, + DM_VERITY_SIGNATURE_SEC_NAME, + sig_data, sig_len); } void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts) diff --git a/drivers/md/dm-verity-verify-sig.h b/drivers/md/dm-verity-verify-sig.h index 3987c7141f79..31692fff92e4 100644 --- a/drivers/md/dm-verity-verify-sig.h +++ b/drivers/md/dm-verity-verify-sig.h @@ -20,8 +20,9 @@ struct dm_verity_sig_opts { #define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 2 -int verity_verify_root_hash(const void *data, size_t data_len, - const void *sig_data, size_t sig_len); +int verity_verify_root_hash(struct block_device *bdev, const void *data, + size_t data_len, const void *sig_data, + size_t sig_len); bool verity_verify_is_sig_opt_arg(const char *arg_name); int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v, @@ -34,8 +35,9 @@ void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts); #define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 0 -static inline int verity_verify_root_hash(const void *data, size_t data_len, - const void *sig_data, size_t sig_len) +int verity_verify_root_hash(struct block_device *bdev, const void *data, + size_t data_len, const void *sig_data, + size_t sig_len) { return 0; } diff --git a/include/linux/dm-verity.h b/include/linux/dm-verity.h new file mode 100644 index 000000000000..bb0413d55d72 --- /dev/null +++ b/include/linux/dm-verity.h @@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef _LINUX_DM_VERITY_H +#define _LINUX_DM_VERITY_H + +#include +#include +#include + +struct dm_verity_digest { + const char *algo; + const u8 *digest; + size_t digest_len; +}; + +#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-signature" +#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-roothash" + +#endif /* _LINUX_DM_VERITY_H */ From patchwork Wed Jun 8 19:01:24 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874555 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 908CEC43334 for ; Wed, 8 Jun 2022 19:02:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234745AbiFHTCE (ORCPT ); Wed, 8 Jun 2022 15:02:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51790 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234435AbiFHTBt (ORCPT ); Wed, 8 Jun 2022 15:01:49 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C186C3BBCD; Wed, 8 Jun 2022 12:01:46 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 15F0E20BE67A; Wed, 8 Jun 2022 12:01:45 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 15F0E20BE67A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714905; bh=oeE34hsi22VsTSnTBMX6qjlgjST1eR6y3tPGNEqqWQI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HNsXqHwbMwOALbJFvt/MLvJHIWrtaMJyB0gqqAZbQM8HiYhan3RMmL/iaUTzdW2Cv FVL9P6f/64BBCLyNW/gJpb1ipngMkIjmJWxBrMPQei3/NbiLNnVQgAWv42nD+TiDdx 25L5e4lKRVltBXOuOMb4povlXNLuyl0QxSvZW4Lg= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 12/17] ipe: add support for dm-verity as a trust provider Date: Wed, 8 Jun 2022 12:01:24 -0700 Message-Id: <1654714889-26728-13-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Allows author of IPE policy to indicate trust for a singular dm-verity volume, identified by roothash, through "dmverity_roothash" and all signed dm-verity volumes, through "dmverity_signature". Signed-off-by: Deven Bowers --- v2: + No Changes v3: + No changes v4: + No changes v5: + No changes v6: + Fix an improper cleanup that can result in a leak v7: + Squash patch 08/12, 10/12 to [11/16] v8: + Undo squash of 08/12, 10/12 - separating drivers/md/ from security/ & block/ + Use common-audit function for dmverity_signature. + Change implementation for storing the dm-verity digest to use the newly introduced dm_verity_digest structure introduced in patch 14/20. --- security/ipe/eval.c | 5 + security/ipe/eval.h | 11 ++ security/ipe/hooks.c | 51 +++++++++ security/ipe/hooks.h | 6 + security/ipe/ipe.c | 9 ++ security/ipe/ipe.h | 3 + security/ipe/modules.c | 133 ++++++++++++++++++++++ security/ipe/modules/Kconfig | 23 ++++ security/ipe/modules/Makefile | 2 + security/ipe/modules/dmverity_roothash.c | 31 +++++ security/ipe/modules/dmverity_signature.c | 26 +++++ security/ipe/modules/ipe_module.h | 5 + 12 files changed, 305 insertions(+) create mode 100644 security/ipe/modules/dmverity_roothash.c create mode 100644 security/ipe/modules/dmverity_signature.c diff --git a/security/ipe/eval.c b/security/ipe/eval.c index ccf9b843040b..9b29d83cd466 100644 --- a/security/ipe/eval.c +++ b/security/ipe/eval.c @@ -23,6 +23,7 @@ static struct super_block *pinned_sb; static DEFINE_SPINLOCK(pin_lock); #define FILE_SUPERBLOCK(f) ((f)->f_path.mnt->mnt_sb) +#define FILE_BLOCK_DEV(f) (FILE_SUPERBLOCK(f)->s_bdev) /** * pin_sb: pin the underlying superblock of @f, marking it as trusted @@ -93,6 +94,10 @@ static struct ipe_eval_ctx *build_ctx(const struct file *file, ctx->op = op; ctx->ci_ctx = ipe_current_ctx(); ctx->from_init_sb = from_pinned(file); + if (file) { + if (FILE_BLOCK_DEV(file)) + ctx->ipe_bdev = ipe_bdev(FILE_BLOCK_DEV(file)); + } return ctx; } diff --git a/security/ipe/eval.h b/security/ipe/eval.h index f195671eaa8f..57b7b2b424f8 100644 --- a/security/ipe/eval.h +++ b/security/ipe/eval.h @@ -8,17 +8,28 @@ #include #include +#include #include "ctx.h" #include "hooks.h" #include "policy.h" +struct ipe_bdev { + bool dm_verity_signed; + + const u8 *digest; + size_t digest_len; + const char *digest_algo; +}; + struct ipe_eval_ctx { enum ipe_operation op; const struct file *file; struct ipe_context *ci_ctx; + const struct ipe_bdev *ipe_bdev; + bool from_init_sb; }; diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c index 4dc7b0c0fd31..1072ee5bb8f6 100644 --- a/security/ipe/hooks.c +++ b/security/ipe/hooks.c @@ -13,8 +13,11 @@ #include #include #include +#include #include #include +#include +#include /** * ipe_task_alloc: Assign a new context for an associated task structure. @@ -216,3 +219,51 @@ void ipe_sb_free_security(struct super_block *mnt_sb) { ipe_invalidate_pinned_sb(mnt_sb); } + +/** + * ipe_bdev_free_security: free nested structures within IPE's LSM blob + * in block_devices + * @bdev: Supplies a pointer to a block_device that contains the structure + * to free. + */ +void ipe_bdev_free_security(struct block_device *bdev) +{ + struct ipe_bdev *blob = ipe_bdev(bdev); + + kfree(blob->digest); + kfree(blob->digest_algo); +} + +/** + * ipe_bdev_setsecurity: associate some data from the block device layer + * with IPE's LSM blob. + * @bdev: Supplies a pointer to a block_device that contains the LSM blob. + * @key: Supplies the string key that uniquely identifies the value. + * @value: Supplies the value to store. + * @len: The length of @value. + */ +int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, + const void *value, size_t len) +{ + struct ipe_bdev *blob = ipe_bdev(bdev); + + if (!strcmp(key, DM_VERITY_ROOTHASH_SEC_NAME)) { + const struct dm_verity_digest *digest = value; + + blob->digest = kmemdup(digest->digest, digest->digest_len, GFP_KERNEL); + if (!blob->digest) + return -ENOMEM; + + blob->digest_algo = kstrdup_const(digest->algo, GFP_KERNEL); + if (!blob->digest_algo) + return -ENOMEM; + + blob->digest_len = digest->digest_len; + return 0; + } else if (!strcmp(key, DM_VERITY_SIGNATURE_SEC_NAME)) { + blob->dm_verity_signed = true; + return 0; + } + + return -EOPNOTSUPP; +} diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h index 43d5b2fe67fd..0d1589e47f8f 100644 --- a/security/ipe/hooks.h +++ b/security/ipe/hooks.h @@ -10,6 +10,7 @@ #include #include #include +#include int ipe_task_alloc(struct task_struct *task, unsigned long clone_flags); @@ -31,4 +32,9 @@ int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents); void ipe_sb_free_security(struct super_block *mnt_sb); +void ipe_bdev_free_security(struct block_device *bdev); + +int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, + const void *value, size_t len); + #endif /* IPE_HOOKS_H */ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index d52ad248dfd3..398014ac6004 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -9,6 +9,7 @@ #include "ipe_parser.h" #include "modules/ipe_module.h" #include "modules.h" +#include "eval.h" #include #include @@ -22,8 +23,14 @@ bool ipe_enabled; static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = { .lbs_task = sizeof(struct ipe_context __rcu *), + .lbs_bdev = sizeof(struct ipe_bdev), }; +struct ipe_bdev *ipe_bdev(struct block_device *b) +{ + return b->security + ipe_blobs.lbs_bdev; +} + static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_alloc, ipe_task_alloc), LSM_HOOK_INIT(task_free, ipe_task_free), @@ -33,6 +40,8 @@ static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file), LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data), LSM_HOOK_INIT(sb_free_security, ipe_sb_free_security), + LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security), + LSM_HOOK_INIT(bdev_setsecurity, ipe_bdev_setsecurity), }; /** diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h index de0629bd7061..df2b56d8b5e9 100644 --- a/security/ipe/ipe.h +++ b/security/ipe/ipe.h @@ -14,6 +14,7 @@ #include #include +#include #include extern bool ipe_enabled; @@ -21,4 +22,6 @@ extern bool ipe_enabled; extern struct ipe_parser __start_ipe_parsers[], __end_ipe_parsers[]; extern struct ipe_module __start_ipe_modules[], __end_ipe_modules[]; +struct ipe_bdev *ipe_bdev(struct block_device *b); + #endif /* IPE_H */ diff --git a/security/ipe/modules.c b/security/ipe/modules.c index 30346f7ad35c..673752a58505 100644 --- a/security/ipe/modules.c +++ b/security/ipe/modules.c @@ -9,6 +9,7 @@ #include #include #include +#include static struct rb_root module_root = RB_ROOT; @@ -108,6 +109,12 @@ int ipe_register_module(struct ipe_module *m) return 0; } +struct digest_info { + const char *alg; + const u8 *digest; + size_t digest_len; +}; + /** * ipe_bool_parse: parse a boolean in IPE's policy and associate * it as @value in IPE's policy. @@ -137,3 +144,129 @@ void ipe_bool_audit(struct audit_buffer *ab, const void *val) { audit_log_format(ab, "%s", ((bool)val) ? "TRUE" : "FALSE"); } + +/** + * ipe_digest_parse: parse a digest in IPE's policy and associate + * it as @value in IPE's policy. + * @valstr: Supplies the string parsed from the policy + * @value: Supplies a pointer to be populated with the result. + * + * Digests in IPE are defined in a standard way: + * : + * + * Use this function to create a property to parse the digest + * consistently. + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_digest_parse(const char *valstr, void **value) +{ + char *sep; + int rc = 0; + u8 *digest = NULL; + struct digest_info *info; + + info = kzalloc(sizeof(*info), GFP_KERNEL); + if (!info) { + rc = -ENOMEM; + goto err; + } + + sep = strchr(valstr, ':'); + if (!sep) { + rc = -EBADMSG; + goto err; + } + + info->alg = kstrndup(valstr, sep - valstr, GFP_KERNEL); + if (!info->alg) { + rc = -ENOMEM; + goto err; + } + + info->digest_len = strlen(sep) / 2; + digest = kzalloc(info->digest_len, GFP_KERNEL); + if (!digest) { + rc = -ENOMEM; + goto err_free_info; + } + + rc = hex2bin(digest, ++sep, info->digest_len); + if (rc < 0) { + rc = -EINVAL; + goto err_free_info; + } + + info->digest = digest; + *value = info; + return 0; + +err_free_info: + kfree(info->alg); +err: + kfree(digest); + kfree(info); + return rc; +} + +/** + * ipe_digest_audit: audit a digest that was sourced from IPE's + * policy. + * @ab: Supplies the audit_buffer to append the formatted result. + * @val: Supplies a pointer to source the audit record from. + * + * Digests in IPE are defined in a standard way: + * : + * + * Use this function to create a property to audit the digest + * consistently. + * + * Return: + * 0 - OK + * !0 - Error + */ +void ipe_digest_audit(struct audit_buffer *ab, const void *val) +{ + const struct digest_info *info = (struct digest_info *)val; + + audit_log_format(ab, "%s:", info->alg); + audit_log_n_hex(ab, info->digest, info->digest_len); +} + +/** + * ipe_digest_eval: evaluate an IPE digest against another digest. + * @expect: Supplies the policy-provided digest value. + * @digest: Supplies the digest to compare against the policy digest value. + * @digest_len: The length of @digest + * @alg: Supplies the name of the algorithm used to calculated @digest. + * + * Return: + * true - digests match + * false - digests do not match + */ +bool ipe_digest_eval(const void *expect, const u8 *digest, size_t digest_len, + const char *alg) +{ + const struct digest_info *info = (struct digest_info *)expect; + + return (digest_len == info->digest_len) && !strcmp(alg, info->alg) && + (!memcmp(info->digest, digest, info->digest_len)); +} + +/** + * ipe_digest_free: evaluate an IPE digest against another digest. + * @value: Supplies a pointer the policy-provided digest value to free. + */ +void ipe_digest_free(void **value) +{ + struct digest_info *info = (struct digest_info *)(*value); + + if (IS_ERR_OR_NULL(info)) + return; + + kfree(info->alg); + kfree(info->digest); + kfree(info); +} diff --git a/security/ipe/modules/Kconfig b/security/ipe/modules/Kconfig index fad96ba534e2..a6ea06cf0737 100644 --- a/security/ipe/modules/Kconfig +++ b/security/ipe/modules/Kconfig @@ -16,5 +16,28 @@ config IPE_PROP_BOOT_VERIFIED If unsure, answer N. +config IPE_PROP_DM_VERITY_SIGNATURE + bool "Enable support for signed dm-verity volumes" + depends on DM_VERITY_VERIFY_ROOTHASH_SIG + default Y + help + This option enables the property 'dmverity_signature' in + IPE policy. This property evaluates to TRUE when a file + is evaluated against a dm-verity volume that was mounted + with a signed root-hash. + + If unsure, answer Y. + +config IPE_PROP_DM_VERITY_ROOTHASH + bool "Enable support for dm-verity volumes" + depends on DM_VERITY + default Y + help + This option enables the property 'dmverity_roothash' in + IPE policy. This property evaluates to TRUE when a file + is evaluated against a dm-verity volume whose root hash + matches the supplied value. + + If unsure, answer Y. endmenu diff --git a/security/ipe/modules/Makefile b/security/ipe/modules/Makefile index e0045ec65434..84fadce85193 100644 --- a/security/ipe/modules/Makefile +++ b/security/ipe/modules/Makefile @@ -6,3 +6,5 @@ # obj-$(CONFIG_IPE_PROP_BOOT_VERIFIED) += boot_verified.o +obj-$(CONFIG_IPE_PROP_DM_VERITY_SIGNATURE) += dmverity_signature.o +obj-$(CONFIG_IPE_PROP_DM_VERITY_ROOTHASH) += dmverity_roothash.o diff --git a/security/ipe/modules/dmverity_roothash.c b/security/ipe/modules/dmverity_roothash.c new file mode 100644 index 000000000000..abf3ec0a1448 --- /dev/null +++ b/security/ipe/modules/dmverity_roothash.c @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe_module.h" + +#include +#include +#include +#include + +static bool dvrh_eval(const struct ipe_eval_ctx *ctx, const void *val) +{ + const struct ipe_bdev *bdev; + + if (!ctx->ipe_bdev) + return false; + + bdev = ctx->ipe_bdev; + return ipe_digest_eval(val, bdev->digest, bdev->digest_len, bdev->digest_algo); +} + +IPE_MODULE(dvrh) = { + .name = "dmverity_roothash", + .version = 1, + .parse = ipe_digest_parse, + .free = ipe_digest_free, + .eval = dvrh_eval, + .audit = ipe_digest_audit, +}; diff --git a/security/ipe/modules/dmverity_signature.c b/security/ipe/modules/dmverity_signature.c new file mode 100644 index 000000000000..4f74cd82254b --- /dev/null +++ b/security/ipe/modules/dmverity_signature.c @@ -0,0 +1,26 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe_module.h" + +#include +#include + +static bool dvv_eval(const struct ipe_eval_ctx *ctx, const void *val) +{ + bool expect = (bool)val; + bool eval = ctx->ipe_bdev && (!!ctx->ipe_bdev->dm_verity_signed); + + return expect == eval; +} + +IPE_MODULE(dvv) = { + .name = "dmverity_signature", + .version = 1, + .parse = ipe_bool_parse, + .free = NULL, + .eval = dvv_eval, + .audit = ipe_bool_audit, +}; diff --git a/security/ipe/modules/ipe_module.h b/security/ipe/modules/ipe_module.h index 5255a57c4784..58e5cdd94448 100644 --- a/security/ipe/modules/ipe_module.h +++ b/security/ipe/modules/ipe_module.h @@ -11,6 +11,11 @@ int ipe_bool_parse(const char *valstr, void **value); void ipe_bool_audit(struct audit_buffer *ab, const void *val); +int ipe_digest_parse(const char *valstr, void **value); +void ipe_digest_audit(struct audit_buffer *ab, const void *val); +bool ipe_digest_eval(const void *expect, const u8 *digest, size_t digest_len, + const char *algo); +void ipe_digest_free(void **value); /** * ipe_module: definition of an extensible module for IPE properties. From patchwork Wed Jun 8 19:01:25 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874552 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10E0ECCA499 for ; Wed, 8 Jun 2022 19:01:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234690AbiFHTBz (ORCPT ); Wed, 8 Jun 2022 15:01:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234341AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E5446644C; Wed, 8 Jun 2022 12:01:46 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 300DD20BE67B; Wed, 8 Jun 2022 12:01:45 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 300DD20BE67B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714905; bh=qquP/5U04fx5jdHvG3QdvIEHIN6lVrpH6iQj5il7/BE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=e6kWX/RoZstlrx6ix6Nma3KFO+Ebg4LNx2kDZe13goN0MqgJCCsoj5fu0zVD3hmo0 9vcuESvVd3EOjfb23cSGIE04dHAF7G8Gd0gxA9gED6KyFKZSWDiEaOiUmN/NlfIb0w hO0+6Ak/2gBSp360cpBECfMSI+Izqhlxn8N9SDBU= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 13/17] fsverity: consume builtin signature via LSM hook Date: Wed, 8 Jun 2022 12:01:25 -0700 Message-Id: <1654714889-26728-14-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org From: Fan Wu fsverity represents a mechanism to support both integrity and authenticity protection of a file, supporting both signed and unsigned digests. An LSM which controls access to a resource based on authenticity and integrity of said resource, can then use this data to make an informed decision on the authorization (provided by the LSM's policy) of said claim. This effectively allows the extension of a policy enforcement layer in LSM for fsverity, allowing for more granular control of how a particular authenticity claim can be used. For example, "all (built-in) signed fsverity files should be allowed to execute, but only these hashes are allowed to be loaded as kernel modules". This enforcement must be done in kernel space, as a userspace only solution would fail a simple litmus test: Download a self-contained malicious binary that never touches the userspace stack. This binary would still be able to execute. Signed-off-by: Fan Wu Signed-off-by: Deven Bowers --- v1-v6: + Not present v7: Introduced v8: + Split fs/verity/ changes and security/ changes into separate patches + Change signature of fsverity_create_info to accept non-const inode + Change signature of fsverity_verify_signature to accept non-const inode + Don't cast-away const from inode. + Digest functionality dropped in favor of: ("fs-verity: define a function to return the integrity protected file digest") + Reworded commit description and title to match changes. + Fix a bug wherein no LSM implements the particular fsverity @name (or LSM is disabled), and returns -EOPNOTSUPP, causing errors. --- fs/verity/fsverity_private.h | 2 +- fs/verity/open.c | 13 ++++++++++++- fs/verity/signature.c | 1 + include/linux/fsverity.h | 2 ++ 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h index 629785c95007..e0d70235bbdc 100644 --- a/fs/verity/fsverity_private.h +++ b/fs/verity/fsverity_private.h @@ -114,7 +114,7 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params, unsigned int log_blocksize, const u8 *salt, size_t salt_size); -struct fsverity_info *fsverity_create_info(const struct inode *inode, +struct fsverity_info *fsverity_create_info(struct inode *inode, struct fsverity_descriptor *desc); void fsverity_set_info(struct inode *inode, struct fsverity_info *vi); diff --git a/fs/verity/open.c b/fs/verity/open.c index 81ff94442f7b..7e6fa52c0e9c 100644 --- a/fs/verity/open.c +++ b/fs/verity/open.c @@ -7,7 +7,9 @@ #include "fsverity_private.h" +#include #include +#include static struct kmem_cache *fsverity_info_cachep; @@ -146,7 +148,7 @@ static int compute_file_digest(struct fsverity_hash_alg *hash_alg, * appended signature), and check the signature if present. The * fsverity_descriptor must have already undergone basic validation. */ -struct fsverity_info *fsverity_create_info(const struct inode *inode, +struct fsverity_info *fsverity_create_info(struct inode *inode, struct fsverity_descriptor *desc) { struct fsverity_info *vi; @@ -182,6 +184,15 @@ struct fsverity_info *fsverity_create_info(const struct inode *inode, err = fsverity_verify_signature(vi, desc->signature, le32_to_cpu(desc->sig_size)); + if (err) { + fsverity_err(inode, "Error %d verifying signature", err); + goto out; + } + + err = security_inode_setsecurity(inode, FS_VERITY_INODE_SEC_NAME, desc->signature, + le32_to_cpu(desc->sig_size), 0); + if (err == -EOPNOTSUPP) + err = 0; out: if (err) { fsverity_free_info(vi); diff --git a/fs/verity/signature.c b/fs/verity/signature.c index 143a530a8008..5d7b9496f9c4 100644 --- a/fs/verity/signature.c +++ b/fs/verity/signature.c @@ -9,6 +9,7 @@ #include #include +#include #include #include diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h index 7af030fa3c36..f37936b56150 100644 --- a/include/linux/fsverity.h +++ b/include/linux/fsverity.h @@ -251,4 +251,6 @@ static inline bool fsverity_active(const struct inode *inode) return fsverity_get_info(inode) != NULL; } +#define FS_VERITY_INODE_SEC_NAME "fsverity.inode-info" + #endif /* _LINUX_FSVERITY_H */ From patchwork Wed Jun 8 19:01:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874548 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 78179CCA49A for ; Wed, 8 Jun 2022 19:01:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234638AbiFHTBx (ORCPT ); Wed, 8 Jun 2022 15:01:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51736 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234378AbiFHTBs (ORCPT ); Wed, 8 Jun 2022 15:01:48 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1F4193BF8B; Wed, 8 Jun 2022 12:01:47 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 4E5E020BE67D; Wed, 8 Jun 2022 12:01:45 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 4E5E020BE67D DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714905; bh=bcDRvwHkQ7mJMK4bMPPQgcu3F/EDdN8MgVfDEjoCLjw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GkH0rJDZX9JJsdeC5dqLATtZa0w7zH2aKUwQ459Jmmql7evTSGwFSe9UGs/nDiDez Izo0olK9+gmPd1bxX49O/gm6nW8ETxBYEeLFnXdluukj3qbbZm5OPnNLIunIjtfP+N OxaYkhMyKE6yYxv1IKGkhGR/LWy+ruKVpIZDJXpE= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 14/17] ipe: enable support for fs-verity as a trust provider Date: Wed, 8 Jun 2022 12:01:26 -0700 Message-Id: <1654714889-26728-15-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org From: Fan Wu Enable IPE policy authors to indicate trust for a singular fsverity file, identified by the digest information, through "fsverity_digest" and all files using fsverity's builtin signatures via "fsverity_signature". This enables file-level integrity claims to be expressed in IPE, allowing individual files to be authorized, giving some flexibility for policy authors. Such file-level claims are important to be expressed for enforcing the integrity of packages, as well as address some of the scalability issues in a sole dm-verity based solution (# of loop back devices, etc). This solution cannot be done in userspace as the minimum threat that IPE should mitigate is an attacker downloads malicious payload with all required dependencies. These dependencies can lack the userspace check, bypassing the protection entirely. A similar attack succeeds if the userspace component is replaced with a version that does not perform the check. As a result, this can only be done in the common entry point - the kernel. Signed-off-by: Fan Wu Signed-off-by: Deven Bowers --- v1-v6: + Not present v7: Introduced v8: * Undo squash of 08/12, 10/12 - separating drivers/md/ from security/ * Use common-audit function for fsverity_signature. + Change fsverity implementation to use fsverity_get_digest + prevent unnecessary copy of fs-verity signature data, instead just check for presence of signature data. + Remove free_inode_security hook, as the digest is now acquired at runtime instead of via LSM blob. --- security/ipe/eval.c | 1 + security/ipe/eval.h | 5 +++ security/ipe/hooks.c | 29 +++++++++++++++++ security/ipe/hooks.h | 5 +++ security/ipe/ipe.c | 7 ++++ security/ipe/ipe.h | 1 + security/ipe/modules/Kconfig | 23 +++++++++++++ security/ipe/modules/Makefile | 2 ++ security/ipe/modules/fsverity_digest.c | 39 +++++++++++++++++++++++ security/ipe/modules/fsverity_signature.c | 34 ++++++++++++++++++++ 10 files changed, 146 insertions(+) create mode 100644 security/ipe/modules/fsverity_digest.c create mode 100644 security/ipe/modules/fsverity_signature.c diff --git a/security/ipe/eval.c b/security/ipe/eval.c index 9b29d83cd466..e8205a6fce44 100644 --- a/security/ipe/eval.c +++ b/security/ipe/eval.c @@ -95,6 +95,7 @@ static struct ipe_eval_ctx *build_ctx(const struct file *file, ctx->ci_ctx = ipe_current_ctx(); ctx->from_init_sb = from_pinned(file); if (file) { + ctx->ipe_inode = ipe_inode(file->f_inode); if (FILE_BLOCK_DEV(file)) ctx->ipe_bdev = ipe_bdev(FILE_BLOCK_DEV(file)); } diff --git a/security/ipe/eval.h b/security/ipe/eval.h index 57b7b2b424f8..541251125e8e 100644 --- a/security/ipe/eval.h +++ b/security/ipe/eval.h @@ -22,6 +22,10 @@ struct ipe_bdev { const char *digest_algo; }; +struct ipe_inode { + bool fs_verity_signed; +}; + struct ipe_eval_ctx { enum ipe_operation op; @@ -29,6 +33,7 @@ struct ipe_eval_ctx { struct ipe_context *ci_ctx; const struct ipe_bdev *ipe_bdev; + const struct ipe_inode *ipe_inode; bool from_init_sb; }; diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c index 1072ee5bb8f6..7c99afad4924 100644 --- a/security/ipe/hooks.c +++ b/security/ipe/hooks.c @@ -267,3 +267,32 @@ int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, return -EOPNOTSUPP; } + +/** + * ipe_inode_setsecurity: Sets the a certain field of a inode security + * blob, based on @key. + * @inode: The inode to source the security blob from. + * @name: The name representing the information to be stored. + * @value: The value to be stored. + * @size: The size of @value. + * @flags: unused + * + * Saves fsverity signature & digest into inode security blob + * + * Return: + * 0 - OK + * !0 - Error + */ +int ipe_inode_setsecurity(struct inode *inode, const char *name, + const void *value, size_t size, + int flags) +{ + struct ipe_inode *inode_sec = ipe_inode(inode); + + if (!strcmp(name, FS_VERITY_INODE_SEC_NAME)) { + inode_sec->fs_verity_signed = size > 0 && value; + return 0; + } + + return -EOPNOTSUPP; +} diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h index 0d1589e47f8f..1edcc91d6d33 100644 --- a/security/ipe/hooks.h +++ b/security/ipe/hooks.h @@ -10,6 +10,7 @@ #include #include #include +#include #include int ipe_task_alloc(struct task_struct *task, @@ -37,4 +38,8 @@ void ipe_bdev_free_security(struct block_device *bdev); int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, const void *value, size_t len); +int ipe_inode_setsecurity(struct inode *inode, const char *name, + const void *value, size_t size, + int flags); + #endif /* IPE_HOOKS_H */ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index 398014ac6004..caf0ebf8381a 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -24,6 +24,7 @@ bool ipe_enabled; static struct lsm_blob_sizes ipe_blobs __lsm_ro_after_init = { .lbs_task = sizeof(struct ipe_context __rcu *), .lbs_bdev = sizeof(struct ipe_bdev), + .lbs_inode = sizeof(struct ipe_inode), }; struct ipe_bdev *ipe_bdev(struct block_device *b) @@ -31,6 +32,11 @@ struct ipe_bdev *ipe_bdev(struct block_device *b) return b->security + ipe_blobs.lbs_bdev; } +struct ipe_inode *ipe_inode(const struct inode *inode) +{ + return inode->i_security + ipe_blobs.lbs_inode; +} + static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_alloc, ipe_task_alloc), LSM_HOOK_INIT(task_free, ipe_task_free), @@ -42,6 +48,7 @@ static struct security_hook_list ipe_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_free_security, ipe_sb_free_security), LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security), LSM_HOOK_INIT(bdev_setsecurity, ipe_bdev_setsecurity), + LSM_HOOK_INIT(inode_setsecurity, ipe_inode_setsecurity), }; /** diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h index df2b56d8b5e9..cd7e5c1bb343 100644 --- a/security/ipe/ipe.h +++ b/security/ipe/ipe.h @@ -23,5 +23,6 @@ extern struct ipe_parser __start_ipe_parsers[], __end_ipe_parsers[]; extern struct ipe_module __start_ipe_modules[], __end_ipe_modules[]; struct ipe_bdev *ipe_bdev(struct block_device *b); +struct ipe_inode *ipe_inode(const struct inode *inode); #endif /* IPE_H */ diff --git a/security/ipe/modules/Kconfig b/security/ipe/modules/Kconfig index a6ea06cf0737..8f823a1edf96 100644 --- a/security/ipe/modules/Kconfig +++ b/security/ipe/modules/Kconfig @@ -40,4 +40,27 @@ config IPE_PROP_DM_VERITY_ROOTHASH If unsure, answer Y. +config IPE_PROP_FS_VERITY_SIGNATURE + bool "Enable property for signed fs-verity files" + depends on FS_VERITY_BUILTIN_SIGNATURES + help + This option enables IPE's integration with FSVerity's + signed hashes. This enables the usage of the property, + "fsverity_signature" in IPE's policy. + + if unsure, answer Y. + +config IPE_PROP_FS_VERITY_DIGEST + bool "Enable property for authorizing fs-verity files via digest" + depends on FS_VERITY + help + This option enables IPE's integration with FSVerity. + This enables the usage of the property "fsverity_digest" in IPE's + policy. This property allows authorization or revocation via a + a hex-string representing the digest of a fsverity file. + + if unsure, answer Y. + + + endmenu diff --git a/security/ipe/modules/Makefile b/security/ipe/modules/Makefile index 84fadce85193..890440b9050f 100644 --- a/security/ipe/modules/Makefile +++ b/security/ipe/modules/Makefile @@ -8,3 +8,5 @@ obj-$(CONFIG_IPE_PROP_BOOT_VERIFIED) += boot_verified.o obj-$(CONFIG_IPE_PROP_DM_VERITY_SIGNATURE) += dmverity_signature.o obj-$(CONFIG_IPE_PROP_DM_VERITY_ROOTHASH) += dmverity_roothash.o +obj-$(CONFIG_IPE_PROP_FS_VERITY_SIGNATURE) += fsverity_signature.o +obj-$(CONFIG_IPE_PROP_FS_VERITY_DIGEST) += fsverity_digest.o diff --git a/security/ipe/modules/fsverity_digest.c b/security/ipe/modules/fsverity_digest.c new file mode 100644 index 000000000000..c3e7998393f5 --- /dev/null +++ b/security/ipe/modules/fsverity_digest.c @@ -0,0 +1,39 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe_module.h" + +#include +#include +#include +#include + +static bool evaluate(const struct ipe_eval_ctx *ctx, const void *val) +{ + enum hash_algo alg; + u8 digest[FS_VERITY_MAX_DIGEST_SIZE]; + struct inode *ino; + + if (!ctx->file) + return false; + + ino = file_inode(ctx->file); + if (!ino) + return false; + + if (fsverity_get_digest(ino, digest, &alg)) + return false; + + return ipe_digest_eval(val, digest, hash_digest_size[alg], hash_algo_name[alg]); +} + +IPE_MODULE(fsv_digest) = { + .name = "fsverity_digest", + .version = 1, + .parse = ipe_digest_parse, + .free = ipe_digest_free, + .eval = evaluate, + .audit = ipe_digest_audit, +}; diff --git a/security/ipe/modules/fsverity_signature.c b/security/ipe/modules/fsverity_signature.c new file mode 100644 index 000000000000..26442af0a2ba --- /dev/null +++ b/security/ipe/modules/fsverity_signature.c @@ -0,0 +1,34 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "ipe_module.h" + +#include +#include +#include +#include +#include + +static bool evaluate(const struct ipe_eval_ctx *ctx, const void *value) +{ + bool expect = (bool)value; + + if (!ctx->file || !IS_VERITY(ctx->file->f_inode)) + return false; + + if (!ctx->ipe_inode) + return false; + + return (!!ctx->ipe_inode->fs_verity_signed) == expect; +} + +IPE_MODULE(fsvs) = { + .name = "fsverity_signature", + .version = 1, + .parse = ipe_bool_parse, + .free = NULL, + .eval = evaluate, + .audit = ipe_bool_audit, +}; From patchwork Wed Jun 8 19:01:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874549 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D44ACCA49D for ; Wed, 8 Jun 2022 19:01:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234677AbiFHTBy (ORCPT ); Wed, 8 Jun 2022 15:01:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234436AbiFHTBt (ORCPT ); Wed, 8 Jun 2022 15:01:49 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D4B48240AE; Wed, 8 Jun 2022 12:01:47 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 69EF620BE67F; Wed, 8 Jun 2022 12:01:45 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 69EF620BE67F DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714905; bh=uJl99er7g1z1c12B6jDcGNKvJHQVDd0gHzCmetM8LIE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ft0Aaqoz8TMdmEvtj694amzsqacEffCg8BmfyI9uW+Tt3OAp3gkm27XsIYBKxgpRd JTosSBifxtOx/AhwarbCcBRyFpql5zsp1Dlg2eXAsG0xcvmXIshX8br9U2MUApB7G5 4kZdNIK+7nSgUZJtLnERU8uLilBN1kAqH2/uZsss= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 15/17] scripts: add boot policy generation program Date: Wed, 8 Jun 2022 12:01:27 -0700 Message-Id: <1654714889-26728-16-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Enables an IPE policy to be enforced from kernel start, enabling access control based on trust from kernel startup. This is accomplished by transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a c-string literal that is parsed at kernel startup as an unsigned policy. Signed-off-by: Deven Bowers --- v2: + No Changes v3: + No Changes v4: + No Changes v5: + No Changes v6: + No Changes v7: + Move from 01/11 to 14/16 + Don't return errno directly. + Make output of script more user-friendly + Add escaping for tab and '?' + Mark argv pointer const + Invert return code check in the boot policy parsing code path. v8: + No signfiicant chances. --- MAINTAINERS | 1 + scripts/Makefile | 1 + scripts/ipe/Makefile | 2 + scripts/ipe/polgen/.gitignore | 1 + scripts/ipe/polgen/Makefile | 6 ++ scripts/ipe/polgen/polgen.c | 145 ++++++++++++++++++++++++++++++++++ security/ipe/.gitignore | 1 + security/ipe/Kconfig | 10 +++ security/ipe/Makefile | 11 +++ security/ipe/ctx.c | 18 +++++ security/ipe/fs.c | 10 +++ 11 files changed, 206 insertions(+) create mode 100644 scripts/ipe/Makefile create mode 100644 scripts/ipe/polgen/.gitignore create mode 100644 scripts/ipe/polgen/Makefile create mode 100644 scripts/ipe/polgen/polgen.c create mode 100644 security/ipe/.gitignore diff --git a/MAINTAINERS b/MAINTAINERS index 965fdac6d609..f7333d07a9df 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9797,6 +9797,7 @@ INTEGRITY POLICY ENFORCEMENT (IPE) M: Deven Bowers M: Fan Wu S: Supported +F: scripts/ipe/ F: security/ipe/ INTEL 810/815 FRAMEBUFFER DRIVER diff --git a/scripts/Makefile b/scripts/Makefile index f084f08ed176..4f1a8f37a83f 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -38,6 +38,7 @@ targets += module.lds subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins subdir-$(CONFIG_MODVERSIONS) += genksyms subdir-$(CONFIG_SECURITY_SELINUX) += selinux +subdir-$(CONFIG_SECURITY_IPE) += ipe # Let clean descend into subdirs subdir- += basic dtc gdb kconfig mod diff --git a/scripts/ipe/Makefile b/scripts/ipe/Makefile new file mode 100644 index 000000000000..e87553fbb8d6 --- /dev/null +++ b/scripts/ipe/Makefile @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0-only +subdir-y := polgen diff --git a/scripts/ipe/polgen/.gitignore b/scripts/ipe/polgen/.gitignore new file mode 100644 index 000000000000..80f32f25d200 --- /dev/null +++ b/scripts/ipe/polgen/.gitignore @@ -0,0 +1 @@ +polgen diff --git a/scripts/ipe/polgen/Makefile b/scripts/ipe/polgen/Makefile new file mode 100644 index 000000000000..066060c22b4a --- /dev/null +++ b/scripts/ipe/polgen/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 +hostprogs-always-y := polgen +HOST_EXTRACFLAGS += \ + -I$(srctree)/include \ + -I$(srctree)/include/uapi \ + diff --git a/scripts/ipe/polgen/polgen.c b/scripts/ipe/polgen/polgen.c new file mode 100644 index 000000000000..40b6fe07f47b --- /dev/null +++ b/scripts/ipe/polgen/polgen.c @@ -0,0 +1,145 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include +#include +#include +#include +#include + +static void usage(const char *const name) +{ + printf("Usage: %s OutputFile (PolicyFile)\n", name); + exit(EINVAL); +} + +static int policy_to_buffer(const char *pathname, char **buffer, size_t *size) +{ + int rc = 0; + FILE *fd; + char *lbuf; + size_t fsize; + size_t read; + + fd = fopen(pathname, "r"); + if (!fd) { + rc = errno; + goto out; + } + + fseek(fd, 0, SEEK_END); + fsize = ftell(fd); + rewind(fd); + + lbuf = malloc(fsize); + if (!lbuf) { + rc = ENOMEM; + goto out_close; + } + + read = fread((void *)lbuf, sizeof(*lbuf), fsize, fd); + if (read != fsize) { + rc = -1; + goto out_free; + } + + *buffer = lbuf; + *size = fsize; + fclose(fd); + + return rc; + +out_free: + free(lbuf); +out_close: + fclose(fd); +out: + return rc; +} + +static int write_boot_policy(const char *pathname, const char *buf, size_t size) +{ + int rc = 0; + FILE *fd; + size_t i; + + fd = fopen(pathname, "w"); + if (!fd) { + rc = errno; + goto err; + } + + fprintf(fd, "/* This file is automatically generated."); + fprintf(fd, " Do not edit. */\n"); + fprintf(fd, "#include \n"); + fprintf(fd, "\nextern const char *const ipe_boot_policy;\n\n"); + fprintf(fd, "const char *const ipe_boot_policy =\n"); + + if (!buf || size == 0) { + fprintf(fd, "\tNULL;\n"); + fclose(fd); + return 0; + } + + fprintf(fd, "\t\""); + + for (i = 0; i < size; ++i) { + switch (buf[i]) { + case '"': + fprintf(fd, "\\\""); + break; + case '\'': + fprintf(fd, "'"); + break; + case '\n': + fprintf(fd, "\\n\"\n\t\""); + break; + case '\\': + fprintf(fd, "\\\\"); + break; + case '\t': + fprintf(fd, "\\t"); + break; + case '\?': + fprintf(fd, "\\?"); + break; + default: + fprintf(fd, "%c", buf[i]); + } + } + fprintf(fd, "\";\n"); + fclose(fd); + + return 0; + +err: + if (fd) + fclose(fd); + return rc; +} + +int main(int argc, const char *const argv[]) +{ + int rc = 0; + size_t len = 0; + char *policy = NULL; + + if (argc < 2) + usage(argv[0]); + + if (argc > 2) { + rc = policy_to_buffer(argv[2], &policy, &len); + if (rc != 0) + goto cleanup; + } + + rc = write_boot_policy(argv[1], policy, len); +cleanup: + if (policy) + free(policy); + if (rc != 0) + perror("An error occurred during policy conversion: "); + return rc; +} diff --git a/security/ipe/.gitignore b/security/ipe/.gitignore new file mode 100644 index 000000000000..eca22ad5ed22 --- /dev/null +++ b/security/ipe/.gitignore @@ -0,0 +1 @@ +boot-policy.c \ No newline at end of file diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig index 69345fa49be5..619bf179af43 100644 --- a/security/ipe/Kconfig +++ b/security/ipe/Kconfig @@ -18,6 +18,16 @@ menuconfig SECURITY_IPE if SECURITY_IPE +config IPE_BOOT_POLICY + string "Integrity policy to apply on system startup" + help + This option specifies a filepath to a IPE policy that is compiled + into the kernel. This policy will be enforced until a policy update + is deployed via the $securityfs/ipe/policies/$policy_name/active + interface. + + If unsure, leave blank. + config IPE_AUDIT bool "Enable IPE's audit events" depends on AUDIT && AUDITSYSCALL diff --git a/security/ipe/Makefile b/security/ipe/Makefile index 0d970236efc4..1a1f7484caee 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -7,7 +7,16 @@ ccflags-y := -I$(srctree)/security/ipe/modules +quiet_cmd_polgen = IPE_POL $(2) + cmd_polgen = scripts/ipe/polgen/polgen security/ipe/boot-policy.c $(2) + +targets += boot-policy.c + +$(obj)/boot-policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE + $(call if_changed,polgen,$(CONFIG_IPE_BOOT_POLICY)) + obj-$(CONFIG_SECURITY_IPE) += \ + boot-policy.o \ ctx.o \ eval.o \ fs.o \ @@ -21,3 +30,5 @@ obj-$(CONFIG_SECURITY_IPE) += \ policyfs.o \ obj-$(CONFIG_IPE_AUDIT) += audit.o + +clean-files := boot-policy.c \ diff --git a/security/ipe/ctx.c b/security/ipe/ctx.c index ee3cb2bd6028..979027570c2c 100644 --- a/security/ipe/ctx.c +++ b/security/ipe/ctx.c @@ -15,6 +15,7 @@ #include #include +extern const char *const ipe_boot_policy; static bool success_audit; static bool enforce = true; @@ -316,6 +317,7 @@ void ipe_put_ctx(struct ipe_context *ctx) int __init ipe_init_ctx(void) { int rc = 0; + struct ipe_policy *p = NULL; struct ipe_context *lns = NULL; lns = create_ctx(); @@ -329,10 +331,26 @@ int __init ipe_init_ctx(void) WRITE_ONCE(lns->enforce, enforce); spin_unlock(&lns->lock); + if (ipe_boot_policy) { + p = ipe_new_policy(ipe_boot_policy, strlen(ipe_boot_policy), + NULL, 0); + if (IS_ERR(p)) { + rc = PTR_ERR(p); + goto err; + } + + ipe_add_policy(lns, p); + rc = ipe_set_active_pol(p); + if (rc) + goto err; + } + rcu_assign_pointer(*ipe_tsk_ctx(current), lns); + ipe_put_policy(p); return 0; err: + ipe_put_policy(p); ipe_put_ctx(lns); return rc; } diff --git a/security/ipe/fs.c b/security/ipe/fs.c index f4d32f84c945..eb8738373a64 100644 --- a/security/ipe/fs.c +++ b/security/ipe/fs.c @@ -270,6 +270,7 @@ static const struct file_operations audit_fops = { static int __init ipe_init_securityfs(void) { int rc = 0; + struct ipe_policy *p = NULL; struct ipe_context *ctx = NULL; if (!ipe_enabled) @@ -316,8 +317,17 @@ static int __init ipe_init_securityfs(void) goto err; } + p = ipe_get_policy_rcu(ctx->active_policy); + if (p) { + rc = ipe_new_policyfs_node(ctx, p); + if (rc) + goto err; + } + + ipe_put_policy(p); return 0; err: + ipe_put_policy(p); securityfs_remove(np); securityfs_remove(root); securityfs_remove(config); From patchwork Wed Jun 8 19:01:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874557 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D794ECCA48C for ; Wed, 8 Jun 2022 19:02:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234733AbiFHTCC (ORCPT ); Wed, 8 Jun 2022 15:02:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51918 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234542AbiFHTBv (ORCPT ); Wed, 8 Jun 2022 15:01:51 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E145527CC8; Wed, 8 Jun 2022 12:01:47 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 8498220BE680; Wed, 8 Jun 2022 12:01:45 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 8498220BE680 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714905; bh=s8Qi5v7a9dEsjwgM9arAyv56ehrckJ/twHvRNNAJ8wQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EoU9sbRHvb6P6n2Eoaqx+0eU4yOBWjRJtOPBpK9MQDw7mC55gY5bmHRe1AsMK7U+q B+8lEt6b2fb+FqD75Y15dd6BRNuWDt00V5YcoNAfyY+/hHwum0vgZMuIcrYrk9x5mx gMa5MsxhkIFLLgVk+OVtW1GAjNIf0Hv31KswI7lE= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 16/17] ipe: kunit tests Date: Wed, 8 Jun 2022 12:01:28 -0700 Message-Id: <1654714889-26728-17-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Add various happy/unhappy unit tests for both IPE's parser and evaluation loop, testing the core of IPE. The missing test gap remains the interface with userspace. Signed-off-by: Deven Bowers --- v1-v6: + Not present v7: Introduced v8: + Remove the kunit tests with respect to the fsverity digest, as these require significant changes to work with the new method of acquiring the digest at runtime. --- security/ipe/Kconfig | 17 + security/ipe/Makefile | 3 + security/ipe/ctx_test.c | 718 +++++++++++++++++++++++++++++ security/ipe/eval.c | 4 + security/ipe/policy_parser_tests.c | 313 +++++++++++++ 5 files changed, 1055 insertions(+) create mode 100644 security/ipe/ctx_test.c create mode 100644 security/ipe/policy_parser_tests.c diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig index 619bf179af43..8746022f147b 100644 --- a/security/ipe/Kconfig +++ b/security/ipe/Kconfig @@ -81,4 +81,21 @@ config IPE_AUDIT_HASH_ALG source "security/ipe/modules/Kconfig" +config SECURITY_IPE_KUNIT_TEST + bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS + depends on KUNIT=y + default KUNIT_ALL_TESTS + help + This builds the IPE KUnit tests. + + KUnit tests run during boot and output the results to the debug log + in TAP format (https://testanything.org/). Only useful for kernel devs + running KUnit test harness and are not for inclusion into a + production build. + + For more information on KUnit and unit tests in general please refer + to the KUnit documentation in Documentation/dev-tools/kunit/. + + If unsure, say N. + endif diff --git a/security/ipe/Makefile b/security/ipe/Makefile index 1a1f7484caee..c91672a05d5f 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -31,4 +31,7 @@ obj-$(CONFIG_SECURITY_IPE) += \ obj-$(CONFIG_IPE_AUDIT) += audit.o +obj-$(CONFIG_SECURITY_IPE_KUNIT_TEST) += \ + policy_parser_tests.o \ + clean-files := boot-policy.c \ diff --git a/security/ipe/ctx_test.c b/security/ipe/ctx_test.c new file mode 100644 index 000000000000..1bbf5d5320e0 --- /dev/null +++ b/security/ipe/ctx_test.c @@ -0,0 +1,718 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#include +#include +#include +#include +#include "ctx.h" +#include "policy.h" +#include "hooks.h" + +struct eval_case { + const char *const desc; + const char *const policy; + int errno; + + const struct file *fake_file; + const struct ipe_bdev *bdev_sec; + const struct ipe_inode *inode_sec; + bool initsb; +}; + +static const u8 fake_digest[] = { 0xDE, 0xAD, 0xBE, 0xEF }; + +static const struct ipe_bdev fake_bdev_no_data = {}; +static const struct ipe_bdev fake_bdev_no_sig = { + .digest = fake_digest, + .digest_len = ARRAY_SIZE(fake_digest), + .digest_algo = "test", +}; + +static const struct ipe_bdev fake_bdev_signed = { + .dm_verity_signed = true, + .digest = fake_digest, + .digest_len = ARRAY_SIZE(fake_digest), + .digest_algo = "test", +}; + +static const struct ipe_inode fake_ino_no_data = {}; +static const struct ipe_inode fake_ino_signed = { + .fs_verity_signed = true, +}; + +static struct inode fake_inode = { + .i_flags = S_VERITY +}; + +static const struct file fake_verity = { + .f_inode = &fake_inode, +}; + +static const struct eval_case cases[] = { + { + "boot_verified_trust_no_source", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE boot_verified=TRUE action=ALLOW\n" + "op=KERNEL_READ boot_verified=TRUE action=ALLOW\n", + -EACCES, NULL, NULL, NULL, false + }, + { + "boot_verified_distrust", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE boot_verified=FALSE action=ALLOW\n" + "op=KERNEL_READ boot_verified=FALSE action=ALLOW\n", + 0, NULL, NULL, NULL, false + }, + { + "boot_verified_trust", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE boot_verified=TRUE action=ALLOW\n" + "op=KERNEL_READ boot_verified=TRUE action=ALLOW\n", + 0, NULL, NULL, NULL, true + }, + { + "boot_verified_trust", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE boot_verified=FALSE action=ALLOW\n" + "op=KERNEL_READ boot_verified=FALSE action=ALLOW\n", + -EACCES, NULL, NULL, NULL, true + }, + { + "dmverity_signature_trust_no_bdev", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE dmverity_signature=FALSE action=ALLOW\n" + "op=KERNEL_READ dmverity_signature=FALSE action=ALLOW\n", + 0, NULL, NULL, NULL, true + }, + { + "dmverity_signature_distrust_no_bdev", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE dmverity_signature=TRUE action=ALLOW\n" + "op=KERNEL_READ dmverity_signature=TRUE action=ALLOW\n", + -EACCES, NULL, NULL, NULL, false + }, + { + "dmverity_signature_distrust_sigdata", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE dmverity_signature=FALSE action=ALLOW\n" + "op=KERNEL_READ dmverity_signature=FALSE action=ALLOW\n", + -EACCES, NULL, &fake_bdev_signed, &fake_ino_no_data, false + }, + { + "dmverity_signature_trust_sigdata", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE dmverity_signature=TRUE action=ALLOW\n" + "op=KERNEL_READ dmverity_signature=TRUE action=ALLOW\n", + 0, NULL, &fake_bdev_signed, &fake_ino_no_data, true + }, + { + "dmverity_roothash_trust_no_bdev", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE dmverity_roothash=test:DEADBEEF action=ALLOW\n" + "op=KERNEL_READ dmverity_roothash=test:DEADBEEF action=ALLOW\n", + -EACCES, NULL, NULL, NULL, true + }, + { + "dmverity_roothash_distrust_no_bdev", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE dmverity_roothash=test:deadbeef action=DENY\n" + "op=KERNEL_READ dmverity_roothash=test:deadbeef action=DENY\n", + 0, NULL, NULL, NULL, false + }, + { + "dmverity_roothash_trust_hash", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE dmverity_roothash=test:DEADBEEF action=ALLOW\n" + "op=KERNEL_READ dmverity_roothash=test:DEADBEEF action=ALLOW\n", + 0, NULL, &fake_bdev_no_sig, &fake_ino_no_data, false + }, + { + "dmverity_roothash_distrust_hash", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE dmverity_roothash=test:DEADBEEF action=DENY\n" + "op=KERNEL_READ dmverity_roothash=test:DEADBEEF action=DENY\n", + -EACCES, NULL, &fake_bdev_no_sig, &fake_ino_no_data, false + }, + { + "dmverity_signature_revoke_hash", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE dmverity_roothash=test:DEADBEEF action=DENY\n" + "op=EXECUTE dmverity_signature=TRUE action=ALLOW\n" + "op=KERNEL_READ dmverity_roothash=test:DEADBEEF action=DENY\n" + "op=KERNEL_READ dmverity_signature=TRUE action=ALLOW\n", + -EACCES, NULL, &fake_bdev_signed, &fake_ino_no_data, false + }, + { + "fsverity_signature_trust_sigdata", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE fsverity_signature=TRUE action=ALLOW\n" + "op=KERNEL_READ fsverity_signature=TRUE action=ALLOW\n", + 0, &fake_verity, &fake_bdev_no_data, &fake_ino_signed, false + }, + { + "fsverity_signature_distrust_sigdata", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE fsverity_signature=TRUE action=DENY\n" + "op=KERNEL_READ fsverity_signature=TRUE action=DENY\n", + -EACCES, &fake_verity, &fake_bdev_no_data, &fake_ino_signed, false + }, + { + "fsverity_signature_trust_no_sigdata", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "op=EXECUTE fsverity_signature=FALSE action=ALLOW\n" + "op=KERNEL_READ fsverity_signature=FALSE action=ALLOW\n", + 0, &fake_verity, &fake_bdev_signed, &fake_ino_no_data, true + }, + { + "fsverity_signature_distrust_no_sigdata", + "policy_name='Test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE fsverity_signature=FALSE action=DENY\n" + "op=KERNEL_READ fsverity_signature=FALSE action=DENY\n", + -EACCES, &fake_verity, &fake_bdev_signed, &fake_ino_no_data, true + } +}; + +static void case_to_desc(const struct eval_case *c, char *desc) +{ + strncpy(desc, c->desc, KUNIT_PARAM_DESC_SIZE); +} + +KUNIT_ARRAY_PARAM(ipe_eval, cases, case_to_desc); + +/** + * fake_free_ctx: Fake function to deallocate a context structure. + */ +static void fake_free_ctx(struct ipe_context *ctx) +{ + struct ipe_policy *p = NULL; + + if (!IS_ERR_OR_NULL(ctx) || !refcount_dec_and_test(&ctx->refcount)) + return; + + list_for_each_entry(p, &ctx->policies, next) + ipe_put_policy(p); + + kfree(ctx); +} + +/** + * create_fake_ctx: Build a fake ipe_context for use + * in a test. + * Return: + * !IS_ERR - OK + */ +static struct ipe_context *create_fake_ctx(void) +{ + struct ipe_context *ctx = NULL; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) + return ERR_PTR(-ENOMEM); + + INIT_LIST_HEAD(&ctx->policies); + refcount_set(&ctx->refcount, 1); + spin_lock_init(&ctx->lock); + WRITE_ONCE(ctx->enforce, true); + + return ctx; +} + +/** + * ipe_ctx_eval_test: Parse a policy, and run a mock through the + * evaluation loop to check the functional result. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_eval_test(struct kunit *test) +{ + int rc = 0; + enum ipe_operation i = ipe_operation_exec; + struct ipe_policy *pol = NULL; + struct ipe_context *ctx = NULL; + struct ipe_eval_ctx eval = { 0 }; + const struct eval_case *t = test->param_value; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + pol = ipe_new_policy(t->policy, strlen(t->policy), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pol); + + ipe_add_policy(ctx, pol); + KUNIT_ASSERT_EQ(test, 0, ipe_set_active_pol(pol)); + KUNIT_EXPECT_EQ(test, refcount_read(&pol->refcount), 2); + KUNIT_EXPECT_PTR_EQ(test, pol->policyfs, NULL); + KUNIT_EXPECT_PTR_EQ(test, pol->pkcs7, NULL); + + eval.ipe_bdev = t->bdev_sec; + eval.ipe_inode = t->inode_sec; + eval.from_init_sb = t->initsb; + eval.ci_ctx = ctx; + eval.file = t->fake_file; + + for (i = ipe_operation_exec; i < ipe_operation_max; ++i) { + eval.op = i; + rc = evaluate(&eval); + KUNIT_EXPECT_EQ(test, rc, t->errno); + } + + fake_free_ctx(ctx); + ipe_put_policy(pol); +} + +/** + * ipe_ctx_eval_permissive_test: Parse a policy, and run a mock through the + * evaluation loop to with permissive on, + * checking the functional result. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_eval_permissive_test(struct kunit *test) +{ + int rc = 0; + enum ipe_operation i = ipe_operation_exec; + struct ipe_policy *pol = NULL; + struct ipe_context *ctx = NULL; + struct ipe_eval_ctx eval = { 0 }; + const struct eval_case *t = test->param_value; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + WRITE_ONCE(ctx->enforce, false); + + pol = ipe_new_policy(t->policy, strlen(t->policy), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pol); + + ipe_add_policy(ctx, pol); + KUNIT_ASSERT_EQ(test, 0, ipe_set_active_pol(pol)); + KUNIT_EXPECT_EQ(test, refcount_read(&pol->refcount), 2); + KUNIT_EXPECT_PTR_EQ(test, pol->policyfs, NULL); + KUNIT_EXPECT_PTR_EQ(test, pol->pkcs7, NULL); + + eval.ipe_bdev = t->bdev_sec; + eval.ipe_inode = t->inode_sec; + eval.from_init_sb = t->initsb; + eval.ci_ctx = ctx; + eval.file = t->fake_file; + + for (i = ipe_operation_exec; i < ipe_operation_max; ++i) { + eval.op = i; + rc = evaluate(&eval); + KUNIT_EXPECT_EQ(test, rc, 0); + } + + fake_free_ctx(ctx); + ipe_put_policy(pol); +} + +/** + * ipe_ctx_default_eval_test: Ensure an operation-level default + * is taken over a global-level default. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_default_eval_test(struct kunit *test) +{ + int rc = 0; + struct ipe_policy *pol = NULL; + struct ipe_context *ctx = NULL; + struct ipe_eval_ctx eval = { 0 }; + const char *const policy = + "policy_name=Test policy_version=0.0.0\n" + "DEFAULT action=DENY\n" + "DEFAULT op=EXECUTE action=ALLOW"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + pol = ipe_new_policy(policy, strlen(policy), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pol); + KUNIT_EXPECT_EQ(test, pol->parsed->global_default, ipe_action_deny); + KUNIT_EXPECT_EQ(test, pol->parsed->rules[ipe_operation_exec].default_action, + ipe_action_allow); + + ipe_add_policy(ctx, pol); + KUNIT_ASSERT_EQ(test, 0, ipe_set_active_pol(pol)); + KUNIT_EXPECT_EQ(test, refcount_read(&pol->refcount), 2); + KUNIT_EXPECT_PTR_EQ(test, pol->policyfs, NULL); + KUNIT_EXPECT_PTR_EQ(test, pol->pkcs7, NULL); + + eval.ipe_bdev = NULL; + eval.ipe_inode = NULL; + eval.from_init_sb = NULL; + eval.ci_ctx = ctx; + eval.file = NULL; + eval.op = ipe_operation_exec; + + rc = evaluate(&eval); + KUNIT_EXPECT_EQ(test, rc, 0); + + eval.op = ipe_operation_kexec_image; + rc = evaluate(&eval); + KUNIT_EXPECT_EQ(test, rc, -EACCES); + + fake_free_ctx(ctx); + ipe_put_policy(pol); +} + +/** + * ipe_ctx_replace_policy - Associate a policy with a context, then replace it. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_replace_policy(struct kunit *test) +{ + struct ipe_policy *p1 = NULL; + struct ipe_policy *p2 = NULL; + struct ipe_policy *pp = NULL; + struct ipe_context *ctx = NULL; + const char *const policy1 = "policy_name=t policy_version=0.0.0\n" + "DEFAULT action=ALLOW"; + const char *const policy2 = "policy_name=t policy_version=0.0.1\n" + "DEFAULT action=DENY\n"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + p1 = ipe_new_policy(policy1, strlen(policy1), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p1); + p2 = ipe_new_policy(policy2, strlen(policy2), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p2); + + ipe_add_policy(ctx, p1); + KUNIT_EXPECT_TRUE(test, list_is_singular(&ctx->policies)); + + pp = list_first_entry(&ctx->policies, struct ipe_policy, next); + KUNIT_EXPECT_PTR_EQ(test, pp, p1); + + ipe_replace_policy(p1, p2); + KUNIT_EXPECT_TRUE(test, list_is_singular(&ctx->policies)); + pp = list_first_entry(&ctx->policies, struct ipe_policy, next); + KUNIT_EXPECT_PTR_EQ(test, pp, p2); + + fake_free_ctx(ctx); + ipe_put_policy(p1); + ipe_put_policy(p2); +} + +/** + * ipe_ctx_replace_policy - Associate a policy with a context, mark the policy active, + * then replace it. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_replace_active_policy(struct kunit *test) +{ + struct ipe_policy *p1 = NULL; + struct ipe_policy *p2 = NULL; + struct ipe_policy *pp = NULL; + struct ipe_context *ctx = NULL; + const char *const policy1 = "policy_name=t policy_version=0.0.0\n" + "DEFAULT action=ALLOW"; + const char *const policy2 = "policy_name=t policy_version=0.0.1\n" + "DEFAULT action=DENY\n"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + p1 = ipe_new_policy(policy1, strlen(policy1), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p1); + p2 = ipe_new_policy(policy2, strlen(policy2), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p2); + + ipe_add_policy(ctx, p1); + KUNIT_ASSERT_EQ(test, 0, ipe_set_active_pol(p1)); + + rcu_read_lock(); + pp = ipe_get_policy_rcu(ctx->active_policy); + rcu_read_unlock(); + KUNIT_EXPECT_PTR_EQ(test, pp, p1); + ipe_put_policy(pp); + + ipe_replace_policy(p1, p2); + + rcu_read_lock(); + pp = ipe_get_policy_rcu(ctx->active_policy); + rcu_read_unlock(); + KUNIT_EXPECT_PTR_EQ(test, pp, p2); + ipe_put_policy(pp); + + fake_free_ctx(ctx); + ipe_put_policy(p1); + ipe_put_policy(p2); +} + +/** + * ipe_ctx_update_policy - Associate a policy with a context, then update it. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. This function differs from replace above, + * as it performs additional error checking. + */ +static void ipe_ctx_update_policy(struct kunit *test) +{ + struct ipe_policy *p1 = NULL; + struct ipe_policy *p2 = NULL; + struct ipe_policy *pp = NULL; + struct ipe_context *ctx = NULL; + const char *const policy1 = "policy_name=t policy_version=0.0.0\n" + "DEFAULT action=ALLOW"; + const char *const policy2 = "policy_name=t policy_version=0.0.1\n" + "DEFAULT action=DENY\n"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + p1 = ipe_new_policy(policy1, strlen(policy1), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p1); + + ipe_add_policy(ctx, p1); + ipe_set_active_pol(p1); + + rcu_read_lock(); + pp = ipe_get_policy_rcu(ctx->active_policy); + rcu_read_unlock(); + KUNIT_EXPECT_PTR_EQ(test, pp, p1); + ipe_put_policy(pp); + + p2 = ipe_update_policy(p1, policy2, strlen(policy2), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p2); + + rcu_read_lock(); + pp = ipe_get_policy_rcu(ctx->active_policy); + rcu_read_unlock(); + KUNIT_EXPECT_PTR_EQ(test, pp, p2); + ipe_put_policy(pp); + + fake_free_ctx(ctx); + ipe_put_policy(p1); + ipe_put_policy(p2); +} + +/** + * ipe_ctx_update_wrong_policy - Associate a policy with a context, then + * attempt update it with the wrong policy. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_update_wrong_policy(struct kunit *test) +{ + struct ipe_policy *p1 = NULL; + struct ipe_policy *p2 = NULL; + struct ipe_policy *pp = NULL; + struct ipe_context *ctx = NULL; + const char *const policy1 = "policy_name=t policy_version=0.0.0\n" + "DEFAULT action=ALLOW"; + const char *const policy2 = "policy_name=t2 policy_version=0.0.0\n" + "DEFAULT action=DENY\n"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + p1 = ipe_new_policy(policy1, strlen(policy1), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p1); + + ipe_add_policy(ctx, p1); + ipe_set_active_pol(p1); + + rcu_read_lock(); + pp = ipe_get_policy_rcu(ctx->active_policy); + rcu_read_unlock(); + KUNIT_EXPECT_PTR_EQ(test, pp, p1); + ipe_put_policy(pp); + + p2 = ipe_update_policy(p1, policy2, strlen(policy2), NULL, 0); + KUNIT_EXPECT_EQ(test, PTR_ERR(p2), -EINVAL); + + rcu_read_lock(); + pp = ipe_get_policy_rcu(ctx->active_policy); + rcu_read_unlock(); + KUNIT_EXPECT_PTR_EQ(test, pp, p1); + ipe_put_policy(pp); + + fake_free_ctx(ctx); + ipe_put_policy(p1); + ipe_put_policy(p2); +} + +/** + * ipe_ctx_update_wrong_policy - Associate a policy with a context, mark it active, + * then attempt update it with a stale policy. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_update_rollback_policy(struct kunit *test) +{ + struct ipe_policy *p1 = NULL; + struct ipe_policy *p2 = NULL; + struct ipe_policy *pp = NULL; + struct ipe_context *ctx = NULL; + const char *const policy1 = "policy_name=t policy_version=0.0.1\n" + "DEFAULT action=ALLOW"; + const char *const policy2 = "policy_name=t policy_version=0.0.0\n" + "DEFAULT action=DENY\n"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + p1 = ipe_new_policy(policy1, strlen(policy1), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p1); + + ipe_add_policy(ctx, p1); + KUNIT_ASSERT_EQ(test, 0, ipe_set_active_pol(p1)); + + rcu_read_lock(); + pp = ipe_get_policy_rcu(ctx->active_policy); + rcu_read_unlock(); + KUNIT_EXPECT_PTR_EQ(test, pp, p1); + ipe_put_policy(pp); + + p2 = ipe_update_policy(p1, policy2, strlen(policy2), NULL, 0); + KUNIT_EXPECT_EQ(test, PTR_ERR(p2), -EINVAL); + + rcu_read_lock(); + pp = ipe_get_policy_rcu(ctx->active_policy); + rcu_read_unlock(); + KUNIT_EXPECT_PTR_EQ(test, pp, p1); + ipe_put_policy(pp); + + fake_free_ctx(ctx); + ipe_put_policy(p1); + ipe_put_policy(p2); +} + +/** + * ipe_ctx_rollback - Associate two policies with a context, then + * attempt rollback the active policy. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_rollback(struct kunit *test) +{ + struct ipe_policy *p1 = NULL; + struct ipe_policy *p2 = NULL; + struct ipe_context *ctx = NULL; + const char *const policy1 = "policy_name=t policy_version=0.0.1\n" + "DEFAULT action=ALLOW"; + const char *const policy2 = "policy_name=t2 policy_version=0.0.0\n" + "DEFAULT action=DENY\n"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + p1 = ipe_new_policy(policy1, strlen(policy1), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p1); + ipe_add_policy(ctx, p1); + KUNIT_ASSERT_EQ(test, 0, ipe_set_active_pol(p1)); + + p2 = ipe_new_policy(policy2, strlen(policy2), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p2); + ipe_add_policy(ctx, p2); + KUNIT_ASSERT_EQ(test, -EINVAL, ipe_set_active_pol(p2)); + + fake_free_ctx(ctx); + ipe_put_policy(p1); + ipe_put_policy(p2); +} + +/** + * ipe_ctx_update_rollback_inactive - Associate a policy with a context, then + * attempt update it with a stale policy. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_ctx_update_rollback_inactive(struct kunit *test) +{ + struct ipe_policy *p1 = NULL; + struct ipe_policy *p2 = NULL; + struct ipe_context *ctx = NULL; + const char *const policy1 = "policy_name=t policy_version=0.0.1\n" + "DEFAULT action=ALLOW"; + const char *const policy2 = "policy_name=t policy_version=0.0.0\n" + "DEFAULT action=DENY\n"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + p1 = ipe_new_policy(policy1, strlen(policy1), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p1); + + ipe_add_policy(ctx, p1); + + p2 = ipe_update_policy(p1, policy2, strlen(policy2), NULL, 0); + KUNIT_EXPECT_NOT_ERR_OR_NULL(test, p2); + + fake_free_ctx(ctx); + ipe_put_policy(p1); + ipe_put_policy(p2); +} + +static void ipe_ctx_oob_enum(struct kunit *test) +{ + struct ipe_policy *p = NULL; + struct ipe_context *ctx = NULL; + const char *const policy = "policy_name=t policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "DEFAULT op=KERNEL_READ action=DENY\n"; + + ctx = create_fake_ctx(); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx); + + p = ipe_new_policy(policy, strlen(policy), NULL, 0); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p); + + ipe_add_policy(ctx, p); + ipe_set_active_pol(p); + + KUNIT_EXPECT_EQ(test, 0, ipe_kernel_read_file(NULL, READING_MAX_ID + 1, false)); + KUNIT_EXPECT_EQ(test, 0, ipe_kernel_load_data(LOADING_MAX_ID + 1, false)); +} + +static struct kunit_case ipe_ctx_test_cases[] = { + KUNIT_CASE_PARAM(ipe_ctx_eval_test, ipe_eval_gen_params), + KUNIT_CASE_PARAM(ipe_ctx_eval_permissive_test, ipe_eval_gen_params), + KUNIT_CASE(ipe_ctx_default_eval_test), + KUNIT_CASE(ipe_ctx_replace_active_policy), + KUNIT_CASE(ipe_ctx_replace_policy), + KUNIT_CASE(ipe_ctx_update_policy), + KUNIT_CASE(ipe_ctx_update_wrong_policy), + KUNIT_CASE(ipe_ctx_update_rollback_policy), + KUNIT_CASE(ipe_ctx_update_rollback_inactive), + KUNIT_CASE(ipe_ctx_rollback), + KUNIT_CASE(ipe_ctx_oob_enum), +}; + +static struct kunit_suite ipe_ctx_test_suite = { + .name = "ipe-context", + .test_cases = ipe_ctx_test_cases, +}; + +kunit_test_suite(ipe_ctx_test_suite); diff --git a/security/ipe/eval.c b/security/ipe/eval.c index e8205a6fce44..ce67b5e1afd7 100644 --- a/security/ipe/eval.c +++ b/security/ipe/eval.c @@ -234,3 +234,7 @@ void ipe_invalidate_pinned_sb(const struct super_block *mnt_sb) spin_unlock(&pin_lock); } + +#ifdef CONFIG_SECURITY_IPE_KUNIT_TEST +#include "ctx_test.c" +#endif /* CONFIG_SECURITY_IPE_KUNIT_TEST */ diff --git a/security/ipe/policy_parser_tests.c b/security/ipe/policy_parser_tests.c new file mode 100644 index 000000000000..38d5fb7d785a --- /dev/null +++ b/security/ipe/policy_parser_tests.c @@ -0,0 +1,313 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include +#include +#include +#include +#include "policy.h" + +struct policy_case { + const char *const policy; + int errno; + const char *const desc; +}; + +static const struct policy_case policy_cases[] = { + { + "policy_name=\"allowall\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW", + 0, + "basic", + }, + { + "policy_name='trailing comment' policy_version=152.0.0 #This is comment\n" + "DEFAULT action=ALLOW", + 0, + "trailing comment", + }, + { + "policy_name=allowallnewline policy_version=0.2.0\n" + "DEFAULT action=ALLOW\n" + "\n", + 0, + "trailing newline", + }, + { + "policy_name=\"carriage return\tline feed\" policy_version=0.0.1\n" + "DEFAULT action=ALLOW\n" + "\r\n", + 0, + "clrf newline", + }, + { + "policy_name='whitespace' policy_version=0.0.0\n" + "DEFAULT\taction=ALLOW\n" + " \t DEFAULT \t op=EXECUTE action=DENY\n" + "op=EXECUTE boot_verified=TRUE action=ALLOW\n" + "# this is a\tcomment\t\t\t\t\n" + "DEFAULT \t op=KERNEL_READ\t\t\t action=DENY\r\n" + "op=KERNEL_READ boot_verified=TRUE action=ALLOW\n", + 0, + "various whitespaces and nested default", + }, + { + "policy_name='boot verified' policy_version=-1236.0.0\n" + "DEFAULT\taction=ALLOW\n", + -EINVAL, + "negative version", + }, + { + "policy_name=\"# this is not a comment\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW", + 0, + "quoted comment character", + }, + { + "policy_name=$@!*&^%%\\:;{}() policy_version=0.0.0\n" + "DEFAULT action=ALLOW", + 0, + "special characters", + }, + { + "policy_name=test policy_version=999999.0.0\n" + "DEFAULT action=ALLOW", + -ERANGE, + "overflow version", + }, + { + "policy_name=test policy_version=255.0\n" + "DEFAULT action=ALLOW", + -EBADMSG, + "incomplete version", + }, + { + "policy_name=test policy_version=111.0.0.0\n" + "DEFAULT action=ALLOW", + -EBADMSG, + "extra version", + }, + { + "", + -EBADMSG, + "0-length policy", + }, + { + "policy_name=\"test\"\0policy_version=0.0.0\n" + "DEFAULT action=ALLOW", + -EBADMSG, + "random null in header", + }, + { + "policy_name=\"test\" policy_version=0.0.0\n" + "\0DEFAULT action=ALLOW", + -EBADMSG, + "incomplete policy from NULL", + }, + { + "policy_name=\"test\" policy_version=0.0.0\n" + "DEFAULT action=DENY\n\0" + "op=EXECUTE dmverity_signature=TRUE action=ALLOW\n", + 0, + "NULL truncates policy", + }, + { + "policy_name=\"test\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE dmverity_signature=abc action=ALLOW", + -EBADMSG, + "invalid property type", + }, + { + "DEFAULT action=ALLOW", + -EBADMSG, + "missing policy header", + }, + { + "policy_name=\"test\" policy_version=0.0.0\n", + -EBADMSG, + "missing default definition", + }, + { + "policy_name=\"test\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=KERNEL_READ dmverity_signature=TRUE action=ALLOW", + 0, + "aliased operation", + }, + { + "policy_name=\"test\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "dmverity_signature=TRUE op=EXECUTE action=ALLOW", + -EINVAL, + "invalid rule ordering" + }, + { + "policy_name=\"test\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "action=ALLOW op=EXECUTE dmverity_signature=TRUE", + -EINVAL, + "invalid rule ordering (2)", + }, + { + "policy_name=\"test\" policy_version=0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE dmverity_signature=TRUE action=ALLOW", + -EBADMSG, + "invalid version", + }, + { + "policy_name=\"test\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=UNKNOWN dmverity_signature=TRUE action=ALLOW", + -ENOENT, + "unknown operation", + }, + { + "policy_name=\"asdv\"policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n", + -EBADMSG, + "missing space after quote", + }, + { + "policy_name=\"test\xFF\xEF\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE dmverity_signature=TRUE action=ALLOW", + 0, + "expanded ascii", + }, + { + "policy_name=\"test\xFF\xEF\" policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE dmverity_roothash=\"GOOD DOG\" action=ALLOW", + -EBADMSG, + "invalid property value (2)", + }, + { + "policy_name='test' policy_version=0.0.0\n" + "policy_name='test' policy_version=0.1.0\n" + "DEFAULT action=ALLOW", + -EBADMSG, + "double header" + }, + { + "policy_name='test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "DEFAULT action=ALLOW\n", + -EBADMSG, + "double default" + }, + { + "policy_name='test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "DEFAULT op=EXECUTE action=DENY\n" + "DEFAULT op=EXECUTE action=ALLOW\n", + -EBADMSG, + "double operation default" + }, + { + "policy_name='test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "DEFAULT op=EXECUTE action=DEN\n", + -EINVAL, + "invalid allow value" + }, + { + "policy_name='test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "DEFAULT op=EXECUTE action\n", + -EINVAL, + "invalid allow value (2)" + }, + { + "policy_name='test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "UNKNOWN value=true\n", + -EINVAL, + "unrecognized statement" + }, + { + "policy_name='test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE dmverity_roothash=1c0d7ee1f8343b7fbe418378e8eb22c061d7dec7 action=DENY\n", + -EBADMSG, + "old-style digest" + }, + { + "policy_name='test' policy_version=0.0.0\n" + "DEFAULT action=ALLOW\n" + "op=EXECUTE fsverity_digest=1c0d7ee1f8343b7fbe418378e8eb22c061d7dec7 action=DENY\n", + -EBADMSG, + "old-style digest" + } +}; + +static void pol_to_desc(const struct policy_case *c, char *desc) +{ + strncpy(desc, c->desc, KUNIT_PARAM_DESC_SIZE); +} + +KUNIT_ARRAY_PARAM(ipe_policies, policy_cases, pol_to_desc); + +/** + * ipe_parser_unsigned_test: Throw policies at the parser and check the result. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. This test does not check the correctness + * of the policy, but ensures that errors are handled correctly. Functional + * validation of correctly-parsed policies are done in the evaluation unit tests. + */ +static void ipe_parser_unsigned_test(struct kunit *test) +{ + const struct policy_case *p = test->param_value; + struct ipe_policy *pol = ipe_new_policy(p->policy, strlen(p->policy), NULL, 0); + + if (p->errno) { + KUNIT_EXPECT_EQ(test, PTR_ERR(pol), p->errno); + return; + } + + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pol); + KUNIT_EXPECT_EQ(test, 1, refcount_read(&pol->refcount)); + KUNIT_EXPECT_PTR_EQ(test, NULL, pol->ctx); + KUNIT_EXPECT_NOT_ERR_OR_NULL(test, pol->parsed); + KUNIT_EXPECT_PTR_EQ(test, NULL, pol->policyfs); + KUNIT_EXPECT_STREQ(test, pol->text, p->policy); + KUNIT_EXPECT_PTR_EQ(test, NULL, pol->pkcs7); + KUNIT_EXPECT_EQ(test, 0, pol->pkcs7len); + KUNIT_EXPECT_TRUE(test, list_empty(&pol->next)); + + ipe_put_policy(pol); +} + +/** + * ipe_parser_widestring_test: Ensure a wide string policy causes a failure. + * @test: Supplies a pointer to a kunit structure. + * + * This is called by the kunit harness. + */ +static void ipe_parser_widestring_test(struct kunit *test) +{ + struct ipe_policy *pol = NULL; + const unsigned short policy[] = L"policy_name=Test policy_version=0.0.0\n" + L"DEFAULT action=ALLOW"; + + pol = ipe_new_policy((const char *)policy, (ARRAY_SIZE(policy) - 1) * 2, NULL, 0); + KUNIT_EXPECT_TRUE(test, IS_ERR_OR_NULL(pol)); + + ipe_put_policy(pol); +} + +static struct kunit_case ipe_parser_test_cases[] = { + KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params), + KUNIT_CASE(ipe_parser_widestring_test), +}; + +static struct kunit_suite ipe_parser_test_suite = { + .name = "ipe-parser", + .test_cases = ipe_parser_test_cases, +}; + +kunit_test_suite(ipe_parser_test_suite); From patchwork Wed Jun 8 19:01:29 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Deven Bowers X-Patchwork-Id: 12874556 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62486CCA483 for ; Wed, 8 Jun 2022 19:01:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234700AbiFHTB4 (ORCPT ); Wed, 8 Jun 2022 15:01:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51988 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234612AbiFHTBv (ORCPT ); Wed, 8 Jun 2022 15:01:51 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E22B628E32; Wed, 8 Jun 2022 12:01:47 -0700 (PDT) Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 9F78620BE683; Wed, 8 Jun 2022 12:01:45 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 9F78620BE683 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1654714905; bh=3hrlO9BitIIphG+kmOMckWbFvMRQr1Dorp6RVUCHHIk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tMWKr+BMCiPMpAXhFVPvccgZw6AiRbBNxeT7CHfxTubsP+OO2B3J5ltdG2t6yUEvN HIvIGgTL5S1hbCGu8t4hT4+h7Vw2xhTgHAzdHWihTVBBike9YttiLYm0rLgMoZFD97 bg3oaZscstIHxLLVSse2mtRphNtP5I3guiPoG+74= From: Deven Bowers To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org Subject: [RFC PATCH v8 17/17] documentation: add ipe documentation Date: Wed, 8 Jun 2022 12:01:29 -0700 Message-Id: <1654714889-26728-18-git-send-email-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> References: <1654714889-26728-1-git-send-email-deven.desai@linux.microsoft.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Add IPE's admin and developer documentation to the kernel tree. Co-developed-by: Fan Wu Signed-off-by: Fan Wu Signed-off-by: Deven Bowers --- v2: + No Changes v3: + Add Acked-by + Fixup code block syntax + Fix a minor grammatical issue. v4: + Update documentation with the results of other code changes. v5: + No changes v6: + No changes v7: + Add additional developer-level documentation + Update admin-guide docs to reflect changes. + Drop Acked-by due to significant changes + Added section about audit events in admin-guide v8: + Correct terminology from "audit event" to "audit record" + Add associated documentation with the correct "audit event" terminology. + Add some context to the historical motivation for IPE and design philosophy. + Add some content about the securityfs layout in the policies directory. + Various spelling and grammatical corrections. --- Documentation/admin-guide/LSM/index.rst | 1 + Documentation/admin-guide/LSM/ipe.rst | 739 ++++++++++++++++++ .../admin-guide/kernel-parameters.txt | 12 + Documentation/security/index.rst | 1 + Documentation/security/ipe.rst | 559 +++++++++++++ MAINTAINERS | 2 + 6 files changed, 1314 insertions(+) create mode 100644 Documentation/admin-guide/LSM/ipe.rst create mode 100644 Documentation/security/ipe.rst diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index a6ba95fbaa9f..ce63be6d64ad 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -47,3 +47,4 @@ subdirectories. tomoyo Yama SafeSetID + ipe diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst new file mode 100644 index 000000000000..58335ce4f85b --- /dev/null +++ b/Documentation/admin-guide/LSM/ipe.rst @@ -0,0 +1,739 @@ +.. SPDX-License-Identifier: GPL-2.0 + +Integrity Policy Enforcement (IPE) +================================== + +.. NOTE:: + + This is the documentation for admins, system builders, or individuals + attempting to use IPE. If you're looking for more developer-focused + documentation about IPE please see `Documentation/security/ipe.rst` + +Overview +-------- + +IPE is a Linux Security Module which takes a complimentary approach to +access control. Whereas existing mandatory access control mechanisms +base their decisions on labels and paths, IPE instead determines +whether or not an operation should be allowed based on immutable +security properties of the system component the operation is being +performed on. + +IPE itself does not mandate how the security property should be +evaluated, but relies on an extensible set of external property providers +to evaluate the component. IPE makes its decision based on reference +values for the selected properties, specified in the IPE policy. + +The reference values represent the value that the policy writer and the +local system administrator (based on the policy signature) trust for the +system to accomplish the desired tasks. + +One such provider is for example dm-verity, which is able to represent +the integrity property of a partition (its immutable state) with a digest. + +IPE is compiled under ``CONFIG_SECURITY_IPE`` (Security -> Integrity Policy Enforcement (IPE)). + +Use Cases +--------- + +IPE works best in fixed-function devices: devices in which their purpose +is clearly defined and not supposed to be changed (e.g. network firewall +device in a data center, an IoT device, etcetera), where all software and +configuration is built and provisioned by the system owner. + +IPE is a long-way off for use in general-purpose computing: the Linux +community as a whole tends to follow a decentralized trust model, +known as the web of trust, which IPE has no support for as of yet. + +IPE, instead of supporting web of trust, supports PKI, which generally +designates a set of entities that provide a measure of absolute trust. + +Additionally, while most packages are signed today, the files inside +the packages (for instance, the executables), tend to be unsigned. This +makes it difficult to utilize IPE in systems where a package manager is +expected to be functional, without major changes to the package manager +and ecosystem behind it. + +DIGLIM [#diglim]_ is a system that when combined with IPE, could be used to +enable general purpose computing scenarios. + +Known Gaps +---------- + +IPE cannot verify the integrity of anonymous executable memory, such as +the trampolines created by gcc closures and libffi (<3.4.2), or JIT'd code. +Unfortunately, as this is dynamically generated code, there is no way +for IPE to ensure the integrity of this code to form a trust basis. In all +cases, the return result for these operations will be whatever the admin +configures as the ``DEFAULT`` action for ``EXECUTE``. + +IPE cannot verify the integrity of interpreted languages' programs when +these scripts are invoked via `` ``. This is because +the way interpreters execute these files, the scripts themselves are not +evaluated as executable code through one of IPE's hooks, as they are merely +files that are read (as opposed to executable code) [#interpreters]_. + +Threat Model +------------ + +The threat type addressed by IPE is tampering of executable userland +code beyond the initially booted kernel, and the initial verification of +kernel modules that are loaded in userland through ``modprobe`` or +``insmod``. + +A bare-minimum example of a threat that should be mitigated by IPE, is +a hostile binary is downloaded with all required binaries (including +a loader, libc, etc). With IPE, this hostile binary should not able to +be executed, nor any of the downloaded binaries. + +Tampering violates integrity, and being unable to verify the integrity, +results in a lack of trust. IPE's role in mitigating this threat is to +verify the integrity (and authenticity) of all executable code and to +deny their use if they cannot be trusted (as integrity verification fails, +or the authorization check fails against the reference value in the policy). +IPE generates audit logs which may be utilized to detect failures resulting +from failure to pass policy. + +Tampering threat scenarios include modification or replacement of +executable code by a range of actors including: + +- Actors with physical access to the hardware +- Actors with local network access to the system +- Actors with access to the deployment system +- Compromised internal systems under external control +- Malicious end users of the system +- Compromised end users of the system +- Remote (external) compromise of the system + +IPE does not mitigate threats arising from malicious authorized +developers (with access to a signing certificate), or compromised +developer tools used by authorized developers (i.e. Return Oriented +Programming attacks). Additionally, IPE draws hard security boundary +between user mode and kernel mode. As a result, IPE does not provide +any protections against a kernel level exploit, and a kernel-level +exploit can disable or tamper with IPE's protections. + +Policy +------ + +IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements +over several lines. There is one required line, at the top of the +policy, indicating the policy name, and the policy version, for +instance:: + + policy_name="Ex Policy" policy_version=0.0.0 + +The policy name is a unique key identifying this policy in a human +readable name. This is used to create nodes under securityfs as well as +uniquely identify policies to deploy new policies vs update existing +policies. + +The policy version indicates the current version of the policy (NOT the +policy syntax version). This is used to prevent rollback of policy to +potentially insecure previous versions of the policy. + +The next portion of IPE policy are rules. Rules are formed by key=value +pairs, known as properties. IPE rules require two properties: "action", +which determines what IPE does when it encounters a match against the +rule, and "op", which determines when that rule should be evaluated. +The ordering is significant, a rule must start with "op", and end with +"action". Thus, a minimal rule is:: + + op=EXECUTE action=ALLOW + +This example will allow any execution. Additional properties are used to +restrict attributes about the files being evaluated. These properties +are intended to be descriptions of systems within the kernel that can +provide a measure of integrity verification, such that IPE can determine +the trust of the resource based on the "value" half of the property. + +Rules are evaluated top-to-bottom. As a result, any revocation rules, +or denies should be placed early in the file to ensure that these rules +are evaluated before a rule with "action=ALLOW" is hit. + +IPE policy is designed to be only forward compatible. Userspace can read +what the parser's current configuration (supported statements, properties, +etcetera) via reading the securityfs entry, 'ipe/config'. + +IPE policy supports comments. The character '#' will function as a +comment, ignoring all characters to the right of '#' until the newline. + +The default behavior of IPE evaluations can also be expressed in policy, +through the ``DEFAULT`` statement. This can be done at a global level, +or a per-operation level:: + + # Global + DEFAULT action=ALLOW + + # Operation Specific + DEFAULT op=EXECUTE action=ALLOW + +A default must be set for all known operations in IPE. If you want to +preserve older policies being compatible with newer kernels that can introduce +new operations, please set a global default of 'ALLOW', and override the +defaults on a per-operation basis. + +With configurable policy-based LSMs, there's several issues with +enforcing the configurable policies at startup, around reading and +parsing the policy: + +1. The kernel *should* not read files from userland, so directly reading + the policy file is prohibited. +2. The kernel command line has a character limit, and one kernel module + should not reserve the entire character limit for its own + configuration. +3. There are various boot loaders in the kernel ecosystem, so handing + off a memory block would be costly to maintain. + +As a result, IPE has addressed this problem through a concept of a "boot +policy". A boot policy is a minimal policy, compiled into the kernel. +This policy is intended to get the system to a state where userland is +set up and ready to receive commands, at which point a more complex +policy can be deployed via securityfs. The boot policy can be specified +via the Kconfig, ``SECURITY_IPE_BOOT_POLICY``, which accepts a path to +a plain-text version of the IPE policy to apply. This policy will be +compiled into the kernel. If not specified, IPE will be disabled until +a policy is deployed and activated through securityfs. + +Deploying Policies +~~~~~~~~~~~~~~~~~~ + +Policies can be deployed from userland through securityfs. These policies +are signed through the PKCS#7 message format to enforce some level of +authorization of the policies (prohibiting an attacker from gaining +unconstrained root, and deploying an "allow all" policy). These +policies must be signed by a certificate that chains to the +``SYSTEM_TRUSTED_KEYRING``. Through openssl, the signing can be done via:: + + openssl smime -sign \ + -in "$MY_POLICY" \ + -signer "$MY_CERTIFICATE" \ + -inkey "$MY_PRIVATE_KEY" \ + -noattr \ + -nodetach \ + -nosmimecap \ + -outform der \ + -out "$MY_POLICY.p7b" + +Deploying the policies is done through securityfs, through the +``new_policy`` node. To deploy a policy, simply cat the file into the +securityfs node:: + + cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy + +Upon success, this will create one subdirectory under +``/sys/kernel/security/ipe/policies/``. The subdirectory will be the +``policy_name`` field of the policy deployed, so for the example above, +the directory will be ``/sys/kernel/security/ipe/policies/Ex\ Policy``. +Within this directory, there will be five files: ``pkcs7``, ``policy``, +``active``, ``update``, and ``delete``. + +The ``pkcs7`` file is read only. Reading will provide the raw PKCS#7 data +that was provided to the kernel, representing the policy. Writing, will +deploy an in-place policy update.If the policy being read is the boot +policy, when read, this will return ENOENT, as this policy is not signed. + +The ``policy`` file is read only. Reading will provide the PKCS#7 inner +content of the policy, which will be the plain text policy. + +The ``active`` file is used to set a policy as the currently active policy. +This file is rw, and accepts a value of ``"1"`` to set the policy as active. +Since only a single policy can be active at one time, all other policies +will be marked inactive. The policy being marked active must have a policy +version greater or equal to the currently-running version. + +The ``update`` file is used to update a policy that is already present in +the kernel. This file is write-only and accepts a PKCS#7 signed policy. +One check will always be performed on this policy: the policy_names must +match with the updated version and the existing version. One additional check +may be made: If the policy being updated is the active policy, the updated +policy must have a policy version greater than or equal to the currently-running +version; This is to prevent rollback attacks. + +The ``delete`` file is used to remove a policy that is no longer needed. +This file is write-only and accepts a value of ``1`` to delete the policy. +On deletion, the securityfs node representing the policy will be removed. +The policy that is currently active cannot be deleted. + +Similarly, the writes to both ``update`` and ``new_policy`` above will +result in an error upon syntactically invalid or untrusted policies. +In the case of ``new_policy``, it will also error if a policy already +exists with the same ``policy_name``. + +Deploying these policies will *not* cause IPE to start enforcing this +policy. Once deployment is successful, a policy can be marked as active, +via ``/sys/kernel/security/ipe/$policy_name/active``. IPE will enforce +whatever policy is marked as active. For our example, we can activate +the ``Ex Policy`` via:: + + echo 1 > "/sys/kernel/security/ipe/Ex Policy/active" + +At which point, ``Ex Policy`` will now be the enforced policy on the +system. + +IPE also provides a way to delete policies. This can be done via the +``delete`` securityfs node, ``/sys/kernel/security/ipe/$policy_name/delete``. +Writing ``1`` to that file will delete that node:: + + echo 1 > "/sys/kernel/security/ipe/$policy_name/delete" + +There is only one requirement to delete a policy: + +1. The policy being deleted must not be the active policy. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack), all + writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Modes +~~~~~ + +IPE supports two modes of operation: permissive (similar to SELinux's +permissive mode) and enforce. Permissive mode performs the same checks +as enforce mode, and logs policy violations, but will not enforce the +policy. This allows users to test policies before enforcing them. + +The default mode is enforce, and can be changed via the kernel command +line parameter ``ipe.enforce=(0|1)``, or the securityfs node +``/sys/kernel/security/ipe/enforce``. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera), + all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Audit Events +~~~~~~~~~~~~ + +1420 AUDIT_IPE_ACCESS +^^^^^^^^^^^^^^^^^^^^^ +Event Examples:: + + type=1420 audit(1653364370.067:61): path="/root/fs/rw/plain/execve" dev="vdc1" ino=16 rule="DEFAULT op=EXECUTE action=DENY" + type=1300 audit(1653364370.067:61): arch=c000003e syscall=10 success=no exit=-13 a0=7f0bf0644000 a1=4f80 a2=5 a3=7f0bf043d300 items=0 ppid=455 pid=737 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="mprotect" exe="/root/host/mprotect" subj=kernel key=(null) + type=1327 audit(1653364370.067:61): proctitle=686F73742F6D70726F7465637400534800527C5700527C5800706C61696E2F657865637665 + + type=1420 audit(1653364735.161:64): rule="DEFAULT op=EXECUTE action=DENY" + type=1300 audit(1653364735.161:64): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=4 a3=20 items=0 ppid=455 pid=774 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="mmap" exe="/root/host/mmap" subj=kernel key=(null) + type=1327 audit(1653364735.161:64): proctitle=686F73742F6D6D617000410058⏎ + +This event indicates that IPE made an access control decision; the IPE specific +record (1420) will always be emitted in conjunction with a ``AUDITSYSCALL`` record. + +Determining whether IPE is in permissive can be derived from the success and exit +field of the AUDITSYSCALL record + + + +Field descriptions: + ++---------------+------------+-----------+-------------------------------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++===============+============+===========+=========================================================================+ +| path | string | Yes | The absolute path to the file that was the subject of the evaluation | ++---------------+------------+-----------+-------------------------------------------------------------------------+ +| ino | integer | Yes | The inode number of the file that was the subject of the evaluation | ++---------------+------------+-----------+-------------------------------------------------------------------------+ +| dev | string | Yes | The device name that the file under evaluation belongs to, e.g. vda | ++---------------+------------+-----------+-------------------------------------------------------------------------+ +| rule | string | No | The exact rule in IPE's policy that the evaluation matched | ++---------------+------------+-----------+-------------------------------------------------------------------------+ + +1403 AUDIT_MAC_POLICY_LOAD +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Event Example:: + + type=1403 audit(1653425529.927:53): policy_name="dmverity_roothash" policy_version=0.0.0 sha256=A9C5803309F80D2B84D7C047534BE8B60EF121C8E1F351F2A8EFFA617B7F0686 + type=1300 audit(1653425529.927:53): arch=c000003e syscall=1 success=yes exit=6215 a0=1 a1=7f07adfe4000 a2=1847 a3=22 items=0 ppid=441 pid=445 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=) + type=1327 audit(1653425529.927:53): proctitle=63617400706F6C69636965732F646D7665726974795F726F6F74686173682E706F6C2E703762 + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++----------------+------------+-----------+--------------------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++================+============+===========+==============================================================+ +| policy_name | string | No | The policy_name field of the policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ +| policy_version | string | No | The policy_version field of the policy | ++----------------+------------+-----------+--------------------------------------------------------------+ +| sha1 | string | Yes* | A flat hash of the policy. Can be used to identify a policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ +| sha256 | string | Yes* | A flat hash of the policy. Can be used to identify a policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ +| sha384 | string | Yes* | A flat hash of the policy. Can be used to identify a policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ +| sha512 | string | Yes* | A flat hash of the policy. Can be used to identify a policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ + +1405 AUDIT_MAC_CONFIG_CHANGE +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Event Example:: + + type=1405 audit(1653425583.136:54): policy_name="dmverity_roothash" policy_version=0.0.0 sha256=A9C5803309F80D2B84D7C047534BE8B60EF121C8E1F351F2A8EFFA617B7F0686 + type=1300 audit(1653425583.136:54): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=7fe683990020 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 e) + type=1327 audit(1653425583.136:54): proctitle="-bash" + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++----------------+------------+-----------+--------------------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++================+============+===========+==============================================================+ +| policy_name | string | No | The policy_name field of the policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ +| policy_version | string | No | The policy_version field of the policy | ++----------------+------------+-----------+--------------------------------------------------------------+ +| sha1 | string | Yes* | A flat hash of the policy. Can be used to identify a policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ +| sha256 | string | Yes* | A flat hash of the policy. Can be used to identify a policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ +| sha384 | string | Yes* | A flat hash of the policy. Can be used to identify a policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ +| sha512 | string | Yes* | A flat hash of the policy. Can be used to identify a policy. | ++----------------+------------+-----------+--------------------------------------------------------------+ + +1404 AUDIT_MAC_STATUS +^^^^^^^^^^^^^^^^^^^^^ + +Event Examples:: + + type=1404 audit(1653425689.008:55): permissive=1 + type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) + type=1327 audit(1653425689.008:55): proctitle="-bash" + + type=1404 audit(1653425689.008:55): permissive=0 + type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) + type=1327 audit(1653425689.008:55): proctitle="-bash" + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++------------+------------+-----------+-------------------------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++============+============+===========+===================================================================+ +| permissive | integer | No | The state IPE is being switched to. 1 is permissive, 0 is enforce | ++------------+------------+-----------+-------------------------------------------------------------------+ + + +\* These fields are mutually exclusive with each other depending on the value of ``CONFIG_IPE_AUDIT_HASH_ALG``, + but at least one will be present. + +Success Auditing +^^^^^^^^^^^^^^^^ + +IPE supports success auditing. When enabled, all events that pass IPE +policy and are not blocked will emit an audit event. This is disabled by +default, and can be enabled via the kernel command line +``ipe.success_audit=(0|1)`` or the securityfs node, +``/sys/kernel/security/ipe/success_audit``. + +This is *very* noisy, as IPE will check every user-mode binary on the +system, but is useful for debugging policies. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera), + all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Properties +---------- + +As explained above, IPE properties are ``key=value`` pairs expressed in +IPE policy. Two properties are built-into the policy parser: 'op' and +'action'. The other properties are determinstic attributes to express +across files. Currently those properties are: '``boot_verified``', +'``dmverity_signature``', '``dmverity_roothash``', '``fsverity_signature``', +'``fsverity_digest``'. A description of all properties supported by IPE +are listed below: + +op +~~ + +Indicates the operation for a rule to apply to. Must be in every rule, +as the first token. IPE supports the following operations: + +Version 1 + + ``EXECUTE`` + + Pertains to any file attempting to be executed, or loaded as an + executable. + + ``FIRMWARE``: + + Pertains to firmware being loaded via the firmware_class interface. + This covers both the preallocated buffer and the firmware file + itself. + + ``KMODULE``: + + Pertains to loading kernel modules via ``modprobe`` or ``insmod``. + + ``KEXEC_IMAGE``: + + Pertains to kernel images loading via ``kexec``. + + ``KEXEC_INITRAMFS`` + + Pertains to initrd images loading via ``kexec --initrd``. + + ``POLICY``: + + Controls loading polcies via reading a kernel-space initiated read. + + An example of such is loading IMA policies by writing the path + to the policy file to ``$securityfs/ima/policy`` + + ``X509_CERT``: + + Controls loading IMA certificates through the Kconfigs, + ``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``. + + ``KERNEL_READ``: + + Short hand for all of the following: ``FIRMWARE``, ``KMODULE``, + ``KEXEC_IMAGE``, ``KEXEC_INITRAMFS``, ``POLICY``, and ``X509_CERT``. + + This effectively maps to any kernel-space initiated read. + +action +~~~~~~ + +Version 1 + + Determines what IPE should do when a rule matches. Must be in every + rule, as the final clause. Can be one of: + + ``ALLOW``: + + If the rule matches, explicitly allow access to the resource to proceed + without executing any more rules. + + ``DENY``: + + If the rule matches, explicitly prohibit access to the resource to + proceed without executing any more rules. + +boot_verified +~~~~~~~~~~~~~ + +Version 1 + + This property can be utilized for authorization of the first super-block + that executes a file. This is almost always init. Typically this is used + for systems with an initramfs or other initial disk, where this is unmounted + before the system becomes available, and is not covered by any other property. + This property is controlled by the Kconfig, ``CONFIG_IPE_PROP_BOOT_VERIFIED``. + The format of this property is:: + + boot_verified=(TRUE|FALSE) + + + .. WARNING:: + + This property will trust any disk where the first execution evaluation + occurs. If you do *NOT* have a startup disk that is unpacked and unmounted + (like initramfs), then it will automatically trust the root filesystem and + potentially overauthorize the entire disk. + +dmverity_roothash +~~~~~~~~~~~~~~~~~ + +Version 1 + + This property can be utilized for authorization or revocation of + specific dm-verity volumes, identified via root hash. It has a + dependency on the DM_VERITY module. This property is controlled by the + Kconfig ``CONFIG_IPE_PROP_DM_VERITY_ROOTHASH``. The format of this property + is:: + + dmverity_roothash=DigestName:HexadecimalString + + The supported DigestNames for dmverity_roothash are [#dmveritydigests]_ [#securedigest]_ : + + + blake2b-512 + + blake2s-256 + + sha1 + + sha256 + + sha384 + + sha512 + + sha3-224 + + sha3-256 + + sha3-384 + + sha3-512 + + md4 + + md5 + + sm3 + + rmd160 + +dmverity_signature +~~~~~~~~~~~~~~~~~~ + +Version 1 + + This property can be utilized for authorization of all dm-verity volumes + that have a signed roothash that chains to a keyring specified by dm-verity's + configuration, either the system trusted keyring, or the secondary keyring. + It has an additional dependency on the ``DM_VERITY_VERIFY_ROOTHASH_SIG`` + Kconfig. This property is controlled by the Kconfig + ``CONFIG_IPE_PROP_DM_VERITY_SIGNATURE``. The format of this property is:: + + dmverity_signature=(TRUE|FALSE) + +fsverity_digest +~~~~~~~~~~~~~~~ + +Version 1 + + This property can be utilized for authorization or revocation of + specific fsverity enabled file, identified via its fsverity digest. + It has a dependency on the FS_VERITY module. This property is + controlled by the Kconfig ``CONFIG_IPE_PROP_FS_VERITY_DIGEST``. + The format of this property is:: + + fsverity_digest=DigestName:HexadecimalString + + The supported DigestNames for dmverity_roothash are [#fsveritydigest] [#securedigest]_ : + + + sha256 + + sha512 + +fsverity_signature +~~~~~~~~~~~~~~~~~~ + +Version 1 + + This property can be utilized for authorization of all fsverity enabled + files that is verified by fsverity. The keyring that the signature is + verified against is subject to fsverity's configuration, typically the fsverity + keyring. It has a dependency on the ``CONFIG_FS_VERITY_BUILTIN_SIGNATURES`` + Kconfig. This property is controlled by the Kconfig + ``CONFIG_IPE_PROP_FS_VERITY_SIGNATURE``. The format of this property is:: + + fsverity_signature=(TRUE|FALSE) + +Policy Examples +--------------- + +Allow all +~~~~~~~~~ + +:: + + policy_name="Allow All" policy_version=0.0.0 + DEFAULT action=ALLOW + +Allow only initial superblock +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name="Allow All Initial SB" policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + +Allow any signed dm-verity volume and the initial superblock +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name="AllowSignedAndInitial" policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Prohibit execution from a specific dm-verity volume +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name="AllowSignedAndInitial" policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE dmverity_roothash=sha256:cd2c5bae7c6c579edaae4353049d58eb5f2e8be0244bf05345bc8e5ed257baff action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Allow only a specific dm-verity volume +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name="AllowSignedAndInitial" policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE dmverity_roothash=sha256:401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW + +Allow any signed fs-verity file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name="AllowSignedFSVerity" policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE fsverity_signature=TRUE action=ALLOW + +Prohibit execution of a specific fs-verity file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name="ProhibitSpecificFSVF" policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE fsverity_digest=sha256:fd88f2b8824e197f850bf4c5109bea5cf0ee38104f710843bb72da796ba5af9e action=DENY + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Additional Information +---------------------- + +- `Github Repository `_ +- `Design Documentation `_ + +FAQ +--- + +Q: + What's the difference between other LSMs which provide a measure of + trust-based access control? + +A: + + In general, there's two other LSMs that can provide similar functionality: + IMA, and Loadpin. + + IMA and IPE are functionally very similar. The significant difference between + the two is the policy. [#devdoc]_ + + Loadpin and IPE differ fairly dramatically, as Loadpin controls only the IPE + equivalent of ``KERNEL_READ``, whereas IPE is capable of controlling execution, + on top of ``KERNEL_READ``. The trust model is also different; Loadpin roots its + trust in the initial super-block, instead, IPE roots its trust in the kernel + itself (via ``SYSTEM_TRUSTED_KEYS``). + +----------- + +.. [#diglim] 1: https://lore.kernel.org/bpf/4d6932e96d774227b42721d9f645ba51@huawei.com/T/ + +.. [#interpreters] There is `some interest in solving this issue `_. + +.. [#devdoc] Please see `Documentation/security/ipe.rst` for more on this topic. + +.. [#fsveritydigest] These hash algorithms are based on values accepted by fsverity-utils; + IPE does not impose any restrictions on the digest algorithm itself; + thus, this list may be out of date. + +.. [#dmveritydigests] These hash algorithms are based on values accepted by dm-verity, + specifically ``crypto_alloc_ahash`` in ``verity_ctr``; ``veritysetup`` + does support more algorithms than the list above. IPE does not impose + any restrictions on the digest algorithm itself; thus, this list + may be out of date. + +.. [#securedigest] Please ensure you are using cryptographically secure hash functions; + just because something is *supported* does not mean it is *secure*. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 8090130b544b..d5a23ca0a1b4 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2164,6 +2164,18 @@ ipcmni_extend [KNL] Extend the maximum number of unique System V IPC identifiers from 32,768 to 16,777,216. + ipe.enforce= [IPE] + Format: + Determine whether IPE starts in permissive (0) or + enforce (1) mode. The default is enforce. + + ipe.success_audit= + [IPE] + Format: + Start IPE with success auditing enabled, emitting + an audit event when a binary is allowed. The default + is 0. + irqaffinity= [SMP] Set the default irq affinity mask The argument is a cpu list, as described above. diff --git a/Documentation/security/index.rst b/Documentation/security/index.rst index 6ed8d2fa6f9e..a5248d4fd510 100644 --- a/Documentation/security/index.rst +++ b/Documentation/security/index.rst @@ -18,3 +18,4 @@ Security Documentation digsig landlock secrets/index + ipe diff --git a/Documentation/security/ipe.rst b/Documentation/security/ipe.rst new file mode 100644 index 000000000000..d043a95cd73e --- /dev/null +++ b/Documentation/security/ipe.rst @@ -0,0 +1,559 @@ +.. SPDX-License-Identifier: GPL-2.0 + +Integrity Policy Enforcement (IPE) - Kernel Documentation +========================================================= + +.. NOTE:: + + This is documentation targeted at developers, instead of administrators. + If you're looking for documentation on the usage of IPE, please see + `Documentation/admin-guide/LSM/ipe.rst` + +Historical Motivation +--------------------- + +The original issue that prompted IPE's implementation was the creation +of a locked-down system. This system would be born-secure, and have +strong integrity guarantees over both the executable code, and specific +*data files* on the system, that were critical to its function. These +specific data files would not be readable unless they passed integrity +policy. A mandatory access control system would be present, and +as a result, xattrs would have to be protected. This lead to a selection +of what would provide the integrity claims. At the time, there were two +main mechanisms considered that could guarantee integrity for the system +with these requirements: + + 1. IMA + EVM Signatures + 2. DM-Verity + +Both options were carefully considered, however the choice to use DM-Verity +over IMA+EVM as the *integrity mechanism* in the original use case of IPE +was due to three main reasons: + + 1. Protection of additional attack vectors: + + * With IMA+EVM, without an encryption solution, the system is vulnerable + to offline attack against the aforemetioned specific data files. + + Unlike executables, read operations (like those on the protected data + files), cannot be enforced to be globally integrtiy verified. This means + there must be some form of selector to determine whether a read should + enforce the integrity policy, or it should not. + + At the time, this was done with mandatory access control labels. An IMA + policy would indicate what labels required integrity verification, which + presented an issue: EVM would protect the label, but if an attacker could + modify filesystem offline, the attacker could wipe all the xattrs - + including the SELinux labels that would be used to determine whether the + file should be subject to integrity policy. + + With DM-Verity, as the xattrs are saved as part of the merkel tree, if + offline mount occurs against the filesystem protected by dm-verity, the + checksum no longer matches and the file fails to be read. + + * As user-mode binaries are paged in Linux, dm-verity also offers the + additional protection against a hostile block device. In such an attack, + the block device reports the appropriate content for the IMA hash + initially, passing the required integrity check. Then, on the page fault + that accesses the real data, will report the attacker's payload. Since + dm-verity will check the data when the page fault occurs (and the disk + access), this attack is mitigated. + + 2. Performance: + + * dm-verity provides integrity verification on demand as blocks are + read versus requiring the entire file being read into memory for + validation. + + 3. Simplicity of signing: + + * No need for two signatures (IMA, then EVM): one signature covers + an entire block device. + * Signatures can be stored externally to the filesystem metadata. + * The signature supports an x.509-based signing infrastructure. + +The next step was to choose a *policy* to enforce the integrity mechanism. +The minimum requirements for the policy were: + + 1. The policy itself must be integrity verified (preventing trivial + attack against it). + 2. The policy itself must be resistant to rollback attacks. + 3. The policy enforcement must have a permissive-like mode. + 4. The policy must be able to be updated, in its entirety, without + a reboot. + 5. Policy updates must be atomic. + 6. The policy must support *revocations* of previously authored + components. + 7. The policy must be auditable, at any point-of-time. + +IMA, as the only integrity policy mechanism at the time, was +considered against these list of requirements, and did not fulfill +all of the minimum requirements. Extending IMA to cover these +requirements was considered, but ultimately discarded for a +two reasons: + + 1. Regression risk; many of these changes would result in + dramatic code changes to IMA, which is already present in the + kernel, and therefore might impact users. + + 2. IMA was used in the system for measurement and attestation; + separation of measurement policy from local integrity policy + enforcement was considered favorable. + +Due to these reasons, it was decided that a new LSM should be created, +whose responsibility would be only the local integrity policy enforcement. + +Role and Scope +-------------- + +IPE, as its name implies, is fundamentally an integrity policy enforcement +solution; IPE does not mandate how integrity is provided, but instead +leaves that decision to the system administrator to set the security bar, +via the mechanisms that they select that suit their individual needs. +There are several different integrity solutions that provide a different +level of security guarantees; and IPE allows sysadmins to express policy for +theoretically all of them. + +IPE additionally does not provide a mechanism that provides integrity +by itself: there are better layers to create such systems, and a mechanism +of proving integrity has next to nothing to do with the policy of enforcing +that integrity claim. + +Therefore, IPE was designed around: + + 1. Easy integrations with integrity providers. + 2. Ease of use for platform administrators/sysadmins. + +Design Rationale: +----------------- + +IPE was designed after evluating existing integrity policy solutions +in other operating systems and environments. In this survey of other +implementations, there were a few pitfalls identified: + + 1. Policies were not readable by humans, usually requiring a binary + intermediary format. + 2. A single, non-customizable action was implicitly taken as a default. + 3. Debugging the policy required manual steps to determine what rule was violated. + 4. Authoring a policy required an in-depth knowledge of the larger system, + or operating system. + +IPE attempts to avoid all of these pifalls. + +Policy +~~~~~~ + +Plain Text +^^^^^^^^^^ + +IPE's policy is plain-text. This introduces slightly larger policy files than +other LSMs, but solves two major problems that occurs with some integrity policy +solutions on other platforms. + +The first issue is one of code maintenance and duplication. To author policies, +the policy has to be some form of string representation (be it structured, +through XML, JSON, YAML, etcetera), to allow the policy author to understand +what is being written. In a hypothetical binary policy design, a serializer +is necessary to write the policy from the human readable form, to the binary +form, and a deserializer is needed to interpret the binary form into a data +structure in the kernel. + +Eventually, another deserializer will be needed to transform the binary from +back into the human-readable form with as much information preserved. This is because a +user of this access control system will have to keep a lookup table of a checksum +and the original file itself to try to understand what policies have been deployed +on this system and what policies have not. For a single user, this may be alright, +as old policies can be discarded almost immediately after the update takes hold. +For users that manage computer fleets in the thousands, if not hundreds of thousands, +with multiple different operating systems, and multiple different operational needs, +this quickly becomes an issue, as stale policies from years ago may be present, +quickly resulting in the need to recover the policy or fund extensive infrastructure +to track what each policy contains. + +With now three separate serializer/deserializers, maintenance becomes costly. If the +policy avoids the binary format, there is only one required serializer: from the +human-readable form to the data structure ine kernel, saving on code maintenance, +and retaining operability. + +The second issue with a binary format is one of transparency. As IPE controls +access based on the trust of the system's resources, it's policy must also be +trusted to be changed. This is done through signatures, resulting in needing +signing as a process. Signing, as a process, is typically done with a +high security bar, as anything signed can be used to attack integrity +enforcement systems. It is also important that, when signing something, that +the signer is aware of what they are signing. A binary policy can cause +obfuscation of that fact; what signers see is an opaque binary blob. A +plain-text policy, on the other hand, the signers see the actual policy +submitted for signing. + +Boot Policy +~~~~~~~~~~~ + +IPE, if configured appropriately, is able to enforce a policy as soon as a +kernel is booted and usermode starts. That implies some level of storage +of the policy to apply the minute usermode starts. Generally, that storage +can be handled in one of three ways: + + 1. The policy file(s) live on disk and the kernel loads the policy prior + to an code path that would result in an enforcement decision. + 2. The policy file(s) are passed by the bootloader to the kernel, who + parses the policy. + 3. There is a policy file that is compiled into the kernel that is + parsed and enforced on initialization. + +The first option has problems: the kernel reading files from userspace +is typically discouraged and very uncommon in the kernel. + +The second option also has problems: Linux supports a variety of bootloaders +across its entire ecosystem - every bootloader would have to support this +new methodology or there must be an independent source. It would likely +result in more drastic changes to the kernel startup than necessary. + +The third option is the best but it's important to be aware that the policy +will take disk space against the kernel it's compiled in. It's important to +keep this policy generalized enough that userspace can load a new, more +complicated policy, but restrictive enough that it will not overauthorize +and cause security issues. + +The initramfs provides a way that this bootup path can be established. The +kernel starts with a minimal policy, that trusts the initramfs only. Inside +the initramfs, when the real rootfs is mounted, but not yet transferred to, +it deploys and activates a policy that trusts the new root filesystem. +This prevents overauthorization at any step, and keeps the kernel policy +to a minimal size. + +Startup +^^^^^^^ + +Not every system, however starts with an initramfs, so the startup policy +compiled into the kernel will need some flexibility to express how trust +is established for the next phase of the bootup. To this end, if we just +make the compiled-in policy a full IPE policy, it allows system builders +to express the first stage bootup requirements appropriately. + +Updatable, Rebootless Policy +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As requirements change over time (vulnerabilities are found in previously +trusted applcations, keys roll, etcetera). Updating a kernel to change the +meet those security goals is not always a suitable option, as updates are not +always risk-free, and blocking a security update leaves systems vulnerable. +This means IPE requires a policy that can be completely updated (allowing +revocations of existing policy) from a source external to the kernel (allowing +policies to be updated without updating the kernel). + +Additionally, since the kernel is stateless between invocations, and reading +policy files off the disk from kernel space is a bad idea(tm), then the +policy updates have to be done rebootlessly. + +To allow an update from an external source, it could be potentially malicious, +so this policy needs to have a way to be identified as trusted. This is +done via a signature chained to a trust source in the kernel. Arbitrarily, +this is the ``SYSTEM_TRUSTED_KEYRING``, a keyring that is initially +populated at kernel compile-time, as this matches the expectation that the +author of the compiled-in policy described above is the same entity that can +deploy policy updates. + +Anti-Rollback / Anti-Replay +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Over time, vulnerabilities are found and trusted resources may not be +trusted anymore. IPE's policy has no exception to this. There can be +instances where a mistaken policy author deploys an insecure policy, +before correcting it with a secure policy. + +Assuming that as soon as the insecure policy is signed, and an attacker +acquires the insecure policy, IPE needs a way to prevent rollback +from the secure policy update to the insecure policy update. + +Initially, IPE's policy can have a policy_version that states the +minimum required version across all policies that can be active on +the system. This will prevent rollback while the system is live. + +.. WARNING:: + + However, since the kernel is stateless across boots, this policy + version will be reset to 0.0.0 on the next boot. System builders + need to be aware of this, and ensure the new secure policies are + deployed ASAP after a boot to ensure that the window of + opportunity is minimal for an attacker to deploy the insecure policy. + +Implicit Actions: +~~~~~~~~~~~~~~~~~ + +The issue of impicit actions only becomes visible when you consider +a mixed level of security bars across multiple operations in a system. +For example, consider a system that has strong integrity guarantees +over both the executable code, and specific *data files* on the system, +that were critical to its function. In this system, three types of policies +are possible: + + 1. A policy in which failure to match any rules in the policy results + in the action being denied. + 2. A policy in which failure to match any rules in the policy results + in the action being allowed. + 3. A policy in which the action taken when no rules are matched is + specified by the policy author. + +The first option could make a policy like this:: + + op=EXECUTE integrity_verified=YES action=DENY + +In the example system, this works well for the executables, as all +executables should have integrity guarantees, without exception. The +issue becomes with the second requirement about specific data files. +This would result in a policy like this (assuming each line is +evaluated in order):: + + op=EXECUTE integrity_verified=YES action=DENY + + op=READ integrity_verified=NO label=critical_t action=DENY + op=READ action=ALLOW + +This is somewhat clear if you read the docs, understand the policy +is executed in order and that the default is a denial; however, the +last line effectively changes that default to an ALLOW. This is +required, because in a realistic system, there are some unverified +reads (imagine appending to a log file). + +The second option, matching no rules results in an allow, is clearer +for the specific data files:: + + op=READ integrity_verified=NO label=critical_t action=DENY + +And, like the first option, falls short with the opposite scenario, +effectively needing to override the default:: + + op=EXECUTE integrity_verified=YES action=ALLOW + op=EXECUTE action=DENY + + op=READ integrity_verified=NO label=critical_t action=DENY + +This leaves the third option. Instead of making users be clever +and override the default with an empty rule, force the end-user +to consider what the appropriate default should be for their +scenario and explicitly state it:: + + DEFAULT op=EXECUTE action=DENY + op=EXECUTE integrity_verified=YES action=ALLOW + + DEFAULT op=READ action=ALLOW + op=READ integrity_verified=NO label=critical_t action=DENY + +Policy Debugging: +~~~~~~~~~~~~~~~~~ + +When developing a policy, it is useful to know what line of the policy +is being violated to reduce debugging costs; narrowing the scope of the +investigation to the exact line that resulted in the action. Some integrity +policy systems do not provide this information, instead providing the +information that was used in the evaluation. This then requires a correlation +with the policy to evaluate what went wrong. + +Instead, IPE just emits the rule that was matched. This limits the scope +of the investigation to the exact policy line (in the case of a specific +rule), or the section (in the case of a DEFAULT). This decreases iteration +and investigation times when policy failures are observed while evaluating +policies. + +IPE's policy engine is also designed in a way that it makes it obvious to +a human of how to investigate a policy failure. Each line is evaluated in +the sequence that is written, so the algorithm is very simple to follow +for humans to recreate the steps and could have caused the failure. In other +surveyed systems, optimizations occur (sorting rules, for instance) when loading +the policy. In those systems, it requires multiple steps to debug, and the +algorithm may not always be clear to the end-user without reading the code first. + +Simplified Policy: +~~~~~~~~~~~~~~~~~~ + +Finally, IPE's policy is designed for sysadmins, not kernel developers. Instead +of covering individual LSM hooks (or syscalls), IPE covers operations. This means +instead of sysadmins needing to know that the syscalls ``mmap``, ``mprotect``, +``execve``, and ``uselib`` must have rules protecting them, they must simple know +that they want to restrict code execution. This limits the amount of bypasses that +could occur due to a lack of knowledge of the underlying system; whereas the +maintainers of IPE, being kernel developers can make the correct choice to determine +whether something maps to these operations, and under what conditions. + +Implementation Notes +-------------------- + +Context +~~~~~~~ + +An ``ipe_context`` structure represent a context in which IPE can be enforced. +It contains all the typical values that one would expect to be global: + + 1. Enforce/Permissive State + 2. Active Policy + 3. List of Policies + 4. Success Auditing State + +A context is created at boot time and attached to the ``task_struct`` as a +security blob. All new ``task_struct`` will inherit the original ``ipe_context`` +that the system boots with. This structure is reference counted. + +Initially, a system will only ever have one context; for ``init``, and since +all userspace processes are descendents of ``init``, all of usermode will have +this execution context. + +This architecture has some advantages - namely, it allows for a natural +extension for IPE to create new contexts, such as applying a different +active policy to a descendent process. + +Anonymous Memory +~~~~~~~~~~~~~~~~ + +Anonymous memory isn't treated any differently from any other access in IPE. +When anonymous memory is mapped with ``+X``, it still comes into the ``file_mmap`` +or ``file_mprotect`` hook, but with a ``NULL`` file object. This is submitted to +the evaluation, like any other file, however, all current trust mechanisms will +return false as there is nothing to evaluate. This means anonymous memory +execution is subject to whatever the ``DEFAULT`` is for ``EXECUTE``. + +.. WARNING:: + + This also occurs with the ``kernel_load_data`` hook, which is used by signed + and compressed kernel modules. Using signed and compressed kernel modules with + IPE will always result in the ``DEFAULT`` action for ``KMODULE``. + +Policy Parser +~~~~~~~~~~~~~ + +The policy parser is the staple of IPE's functionality, providing a +modular way to introduce new integrations. As such, it's functionality +is divided into 3 passes. This has the benefit of clearly defined pre +and post-condition states after each pass, providing debugging benefits +when something goes wrong. + +In pass1, the policy is transformed into a 2D, jagged, array of tokens, +where a token is defined as a "key=value" pair, or a singular token, +for example, "DEFAULT". Quoted values are parsed as a single value-pair, +which is why ```` is insufficient - it does not +understand quoted values. + +In pass2, the jagged array produced in pass1 is partially ingested, +creating a partial policy where no rules have been parsed. Metadata +and references are available within that partial policy that can +be consumed in pass3. + +Examples of parsing that would be done in pass2:: + + policy_name="my-policy" policy_version=0.0.0 + DEFAULT action=DENY + +In pass3, the remaining lines in the jagged array produced in pass1 and +partially consumed in pass2 are consumed completely. This results in +parsing all the rules in the policy. Pass3 can leverage the data created +in pass2. + +Example lines parsed in pass3:: + + op=EXECUTE dmverity_signature=TRUE action=DENY + +A rule is strictly defined as: starts with the ``op`` token and ends with +the ``action`` token. + +After this pass, a policy is deemed fully constructed but not yet valid, +as there could be missing elements (such as a required DEFAULT for all +actions, missing a policy_name), etcetera. + +The purpose in the division of pass2 and pass3 is to allow for +declarations in IPE's syntax. For example, in the future, if we were +to introduce this syntax:: + + CERTIFICATE=FakeCert thumbprint=DEADBEEF CN="Contoso" + +And use it like so:: + + op=EXECUTE dmverity_signature=FakeCert action=ALLOW + +The ``CERTIFICATE`` lines can be grouped together at any place in the policy. + +After pass3, an IPE policy can still be technically invalid for use, as +a policy can be lacking required elements to eliminated the possibility +of undefined or unknown behavior. + +A concrete example is when a policy does not define a default action for +all possibilities:: + + DEFAULT op=EXECUTE action=ALLOW + +At this point, while the policy is syntactically valid, it is not +semantically valid - it does not contain enough information to +determine what should be done for an operation other than +``EXECUTE``. As IPE's design explicitly prohibits the implicit +setting of a ``DEFAULT``, it is important to avoid cases like these. + +To resolve all these cases, a final check on the policy is done to ensure +it valid for use. + +In all cases, the parser is the number one bottleneck when it comes to +IPE's performance, but has the benefit of executing infrequently, and +as a direct consequence of user-input. + +Module vs Parser +~~~~~~~~~~~~~~~~ + +A "module", "trust provider", or "property" as defined in IPE's code is an +integration with an external subsystem that provides a way to identify a +resource as trusted. It's the code that powers the key=value pairs in between +the ``op`` token and the ``action`` token. These are called in pass3 when +parsing a policy (via the ``parse`` method), and during evaluation when +evaluating a access attempt (via the ``eval`` method). These discrete modules +are single files in ``security/ipe/modules`` and are versioned independently. +The documentation in the admin guide can be used to cross reference which +version supports which syntax. + +A "parser", on the other hand is a discrete unit of code that is *only* +used when parsing a policy in pass2. The intention is to make it easy +to introduce statements, like the ``DEFAULT`` statement:: + + DEFAULT op=EXECUTE action=ALLOW + DEFAULT action=ALLOW + +or, the policy header:: + + policy_name="MyPolicy" policy_version=0.0.0 + +These individual fragments of code gain access to manipulating IPE's policy +structure directly, as opposed to the opaque ``void *`` given to modules. + +Securityfs Interface +~~~~~~~~~~~~~~~~~~~~ + +The per-policy securityfs tree is somewhat unique. For example, for +a standard securityfs policy tree:: + + MyPolicy + |- active + |- raw + |- policy + |- name + |- version + |- update + +The policy is stored in the ``->i_private`` data of the MyPolicy inode, +while each child's ``->i_private``, it stores the MyPolicy inode. This +simplifies policy updates massively, as the alternative designs are to: + + 1. Use d_parent, which has potential issues with flexibility, if there + eventually becomes a subdirectory underneath MyPolicy; as it's unclear + how many levels of ``d_parent`` you have to iterate up to. + + 2. Store the policy data in each inode's ``->i_private``. This has issues + when it comes to updating a policy - every update needs to cascade to + each ``->i_private``, and if it fails, for whatever reason, the + operation has to be reverted on each inode. + +With this implementation, you can solve the flexibility problem of 1, as +now when you create a theoretical subdirectory you just set the +``->i_private`` data appropriately. You also solve the update problem of +two, as you simply update or revert on the one inode that all other inodes +reference. + +Tests +----- + +IPE has KUnit Tests, testing primarily the parser and the context structures. diff --git a/MAINTAINERS b/MAINTAINERS index f7333d07a9df..e03b6c413baf 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9797,6 +9797,8 @@ INTEGRITY POLICY ENFORCEMENT (IPE) M: Deven Bowers M: Fan Wu S: Supported +F: Documentation/admin-guide/LSM/ipe.rst +F: Documentation/security/ipe.rst F: scripts/ipe/ F: security/ipe/