summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorDeven Bowers <deven.desai@linux.microsoft.com>2024-08-03 08:08:17 +0200
committerPaul Moore <paul@paul-moore.com>2024-08-20 20:01:13 +0200
commit05a351630b7463ce58668095f5683669c1295f65 (patch)
tree92482f2c77171b1564954f3ceafed3f7233a6e28 /security
parentipe: add policy parser (diff)
downloadlinux-05a351630b7463ce58668095f5683669c1295f65.tar.xz
linux-05a351630b7463ce58668095f5683669c1295f65.zip
ipe: add evaluation loop
Introduce a core evaluation function in IPE that will be triggered by various security hooks (e.g., mmap, bprm_check, kexec). This function systematically assesses actions against the defined IPE policy, by iterating over rules specific to the action being taken. This critical addition enables IPE to enforce its security policies effectively, ensuring that actions intercepted by these hooks are scrutinized for policy compliance before they are allowed to proceed. Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/ipe/Makefile1
-rw-r--r--security/ipe/eval.c102
-rw-r--r--security/ipe/eval.h24
3 files changed, 127 insertions, 0 deletions
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
index 3093de1afd3e..4cc17eb92060 100644
--- a/security/ipe/Makefile
+++ b/security/ipe/Makefile
@@ -6,6 +6,7 @@
#
obj-$(CONFIG_SECURITY_IPE) += \
+ eval.o \
ipe.o \
policy.o \
policy_parser.o \
diff --git a/security/ipe/eval.c b/security/ipe/eval.c
new file mode 100644
index 000000000000..f6a681ca49f6
--- /dev/null
+++ b/security/ipe/eval.c
@@ -0,0 +1,102 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
+ */
+
+#include <linux/fs.h>
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/file.h>
+#include <linux/sched.h>
+#include <linux/rcupdate.h>
+
+#include "ipe.h"
+#include "eval.h"
+#include "policy.h"
+
+struct ipe_policy __rcu *ipe_active_policy;
+
+/**
+ * evaluate_property() - Analyze @ctx against a rule property.
+ * @ctx: Supplies a pointer to the context to be evaluated.
+ * @p: Supplies a pointer to the property to be evaluated.
+ *
+ * This is a placeholder. The actual function will be introduced in the
+ * latter commits.
+ *
+ * Return:
+ * * %true - The current @ctx match the @p
+ * * %false - The current @ctx doesn't match the @p
+ */
+static bool evaluate_property(const struct ipe_eval_ctx *const ctx,
+ struct ipe_prop *p)
+{
+ return false;
+}
+
+/**
+ * ipe_evaluate_event() - Analyze @ctx against the current active policy.
+ * @ctx: Supplies a pointer to the context to be evaluated.
+ *
+ * This is the loop where all policy evaluations happen against the IPE policy.
+ *
+ * Return:
+ * * %0 - Success
+ * * %-EACCES - @ctx did not pass evaluation
+ */
+int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx)
+{
+ const struct ipe_op_table *rules = NULL;
+ const struct ipe_rule *rule = NULL;
+ struct ipe_policy *pol = NULL;
+ struct ipe_prop *prop = NULL;
+ enum ipe_action_type action;
+ bool match = false;
+
+ rcu_read_lock();
+
+ pol = rcu_dereference(ipe_active_policy);
+ if (!pol) {
+ rcu_read_unlock();
+ return 0;
+ }
+
+ if (ctx->op == IPE_OP_INVALID) {
+ if (pol->parsed->global_default_action == IPE_ACTION_DENY) {
+ rcu_read_unlock();
+ return -EACCES;
+ }
+ if (pol->parsed->global_default_action == IPE_ACTION_INVALID)
+ WARN(1, "no default rule set for unknown op, ALLOW it");
+ rcu_read_unlock();
+ return 0;
+ }
+
+ rules = &pol->parsed->rules[ctx->op];
+
+ list_for_each_entry(rule, &rules->rules, next) {
+ match = true;
+
+ list_for_each_entry(prop, &rule->props, next) {
+ match = evaluate_property(ctx, prop);
+ if (!match)
+ break;
+ }
+
+ if (match)
+ break;
+ }
+
+ if (match)
+ action = rule->action;
+ else if (rules->default_action != IPE_ACTION_INVALID)
+ action = rules->default_action;
+ else
+ action = pol->parsed->global_default_action;
+
+ rcu_read_unlock();
+ if (action == IPE_ACTION_DENY)
+ return -EACCES;
+
+ return 0;
+}
diff --git a/security/ipe/eval.h b/security/ipe/eval.h
new file mode 100644
index 000000000000..b137f2107852
--- /dev/null
+++ b/security/ipe/eval.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef _IPE_EVAL_H
+#define _IPE_EVAL_H
+
+#include <linux/file.h>
+#include <linux/types.h>
+
+#include "policy.h"
+
+extern struct ipe_policy __rcu *ipe_active_policy;
+
+struct ipe_eval_ctx {
+ enum ipe_op_type op;
+
+ const struct file *file;
+};
+
+int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx);
+
+#endif /* _IPE_EVAL_H */