2024-03-06 23:35:37

by Fan Wu

[permalink] [raw]
Subject: [RFC PATCH v14 01/19] security: add ipe lsm

From: Deven Bowers <[email protected]>

Integrity Policy Enforcement (IPE) is an LSM that provides an
complimentary approach to Mandatory Access Control than existing LSMs
today.

Existing LSMs have centered around the concept of access to a resource
should be controlled by the current user's credentials. IPE's approach,
is that access to a resource should be controlled by the system's trust
of a current resource.

The basis of this approach is defining a global policy to specify which
resource can be trusted.

Signed-off-by: Deven Bowers <[email protected]>
Signed-off-by: Fan Wu <[email protected]>
---
v2:
+ Split evaluation loop, access control hooks,
and evaluation loop from policy parser and userspace
interface to pass mailing list character limit

v3:
+ Move ipe_load_properties to patch 04.
+ Remove useless 0-initializations
+ Prefix extern variables with ipe_
+ Remove kernel module parameters, as these are
exposed through sysctls.
+ Add more prose to the IPE base config option
help text.
+ Use GFP_KERNEL for audit_log_start.
+ Remove unnecessary caching system.
+ Remove comments from headers
+ Use rcu_access_pointer for rcu-pointer null check
+ Remove usage of reqprot; use prot only.
+ Move policy load and activation audit event to 03/12

v4:
+ Remove sysctls in favor of securityfs nodes
+ Re-add kernel module parameters, as these are now
exposed through securityfs.
+ Refactor property audit loop to a separate function.

v5:
+ fix minor grammatical errors
+ do not group rule by curly-brace in audit record,
reconstruct the exact rule.

v6:
+ No changes

v7:
+ Further split lsm creation into a separate commit from the
evaluation loop and audit system, for easier review.

+ Introduce the concept of an ipe_context, a scoped way to
introduce execution policies, used initially for allowing for
kunit tests in isolation.

v8:
+ Follow lsmname_hook_name convention for lsm hooks.
+ Move LSM blob accessors to ipe.c and mark LSM blobs as static.

v9:
+ Remove ipe_context for simplification

v10:
+ Add github url

v11:
+ Correct github url
+ Move ipe before bpf

v12:
+ Switch to use lsm_id instead of string for lsm name

v13:
+ No changes

v14:
+ No changes
---
MAINTAINERS | 7 +++++++
include/uapi/linux/lsm.h | 1 +
security/Kconfig | 11 ++++++-----
security/Makefile | 1 +
security/ipe/Kconfig | 17 +++++++++++++++++
security/ipe/Makefile | 9 +++++++++
security/ipe/ipe.c | 41 ++++++++++++++++++++++++++++++++++++++++
security/ipe/ipe.h | 16 ++++++++++++++++
security/security.c | 3 ++-
9 files changed, 100 insertions(+), 6 deletions(-)
create mode 100644 security/ipe/Kconfig
create mode 100644 security/ipe/Makefile
create mode 100644 security/ipe/ipe.c
create mode 100644 security/ipe/ipe.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 13158047f2af..8517011f88ff 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10650,6 +10650,13 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
F: security/integrity/
F: security/integrity/ima/

+INTEGRITY POLICY ENFORCEMENT (IPE)
+M: Fan Wu <[email protected]>
+L: [email protected]
+S: Supported
+T: git https://github.com/microsoft/ipe.git
+F: security/ipe/
+
INTEL 810/815 FRAMEBUFFER DRIVER
M: Antonino Daplas <[email protected]>
L: [email protected]
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
index f8aef9ade549..43e2fb32745a 100644
--- a/include/uapi/linux/lsm.h
+++ b/include/uapi/linux/lsm.h
@@ -62,6 +62,7 @@ struct lsm_ctx {
#define LSM_ID_LOCKDOWN 108
#define LSM_ID_BPF 109
#define LSM_ID_LANDLOCK 110
+#define LSM_ID_IPE 111

/*
* LSM_ATTR_XXX definitions identify different LSM attributes
diff --git a/security/Kconfig b/security/Kconfig
index 52c9af08ad35..cc7adfbb6b96 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -194,6 +194,7 @@ source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
+source "security/ipe/Kconfig"

source "security/integrity/Kconfig"

@@ -233,11 +234,11 @@ endchoice

config LSM
string "Ordered list of enabled LSMs"
- default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
- default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
- default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
- default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
- default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
+ default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
+ default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
+ default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
+ default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
+ default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list, except for those with order
diff --git a/security/Makefile b/security/Makefile
index 59f238490665..cc0982214b84 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
+obj-$(CONFIG_SECURITY_IPE) += ipe/

# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644
index 000000000000..e4875fb04883
--- /dev/null
+++ b/security/ipe/Kconfig
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+ bool "Integrity Policy Enforcement (IPE)"
+ depends on SECURITY && SECURITYFS
+ select PKCS7_MESSAGE_PARSER
+ select SYSTEM_DATA_VERIFICATION
+ help
+ This option enables the Integrity Policy Enforcement LSM
+ allowing users to define a policy to enforce a trust-based access
+ control. A key feature of IPE is a customizable policy to allow
+ admins to reconfigure trust requirements on the fly.
+
+ If unsure, answer N.
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
new file mode 100644
index 000000000000..f7a80d0f18f8
--- /dev/null
+++ b/security/ipe/Makefile
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the IPE module as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_IPE) += \
+ ipe.o \
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
new file mode 100644
index 000000000000..b013aed15e73
--- /dev/null
+++ b/security/ipe/ipe.c
@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+#include <uapi/linux/lsm.h>
+
+#include "ipe.h"
+
+static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
+};
+
+static const struct lsm_id ipe_lsmid = {
+ .name = "ipe",
+ .id = LSM_ID_IPE,
+};
+
+static struct security_hook_list ipe_hooks[] __ro_after_init = {
+};
+
+/**
+ * ipe_init - Entry point of IPE.
+ *
+ * This is called at LSM init, which happens occurs early during kernel
+ * start up. During this phase, IPE registers its hooks and loads the
+ * builtin boot policy.
+ * Return:
+ * * 0 - OK
+ * * -ENOMEM - Out of memory
+ */
+static int __init ipe_init(void)
+{
+ security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
+
+ return 0;
+}
+
+DEFINE_LSM(ipe) = {
+ .name = "ipe",
+ .init = ipe_init,
+ .blobs = &ipe_blobs,
+};
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
new file mode 100644
index 000000000000..a1c68d0fc2e0
--- /dev/null
+++ b/security/ipe/ipe.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef _IPE_H
+#define _IPE_H
+
+#ifdef pr_fmt
+#undef pr_fmt
+#endif
+#define pr_fmt(fmt) "IPE: " fmt
+
+#include <linux/lsm_hooks.h>
+
+#endif /* _IPE_H */
diff --git a/security/security.c b/security/security.c
index 7035ee35a393..f168bc30a60d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -51,7 +51,8 @@
(IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
(IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \
(IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
- (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
+ (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))

/*
* These are descriptions of the reasons that can be passed to the
--
2.43.1



2024-03-11 14:43:29

by Roberto Sassu

[permalink] [raw]
Subject: Re: [RFC PATCH v14 01/19] security: add ipe lsm

On Wed, 2024-03-06 at 15:34 -0800, Fan Wu wrote:
> From: Deven Bowers <[email protected]>
>
> Integrity Policy Enforcement (IPE) is an LSM that provides an
> complimentary approach to Mandatory Access Control than existing LSMs
> today.
>
> Existing LSMs have centered around the concept of access to a resource
> should be controlled by the current user's credentials. IPE's approach,
> is that access to a resource should be controlled by the system's trust
> of a current resource.
>
> The basis of this approach is defining a global policy to specify which
> resource can be trusted.
>
> Signed-off-by: Deven Bowers <[email protected]>
> Signed-off-by: Fan Wu <[email protected]>
> ---
> v2:
> + Split evaluation loop, access control hooks,
> and evaluation loop from policy parser and userspace
> interface to pass mailing list character limit
>
> v3:
> + Move ipe_load_properties to patch 04.
> + Remove useless 0-initializations
> + Prefix extern variables with ipe_
> + Remove kernel module parameters, as these are
> exposed through sysctls.
> + Add more prose to the IPE base config option
> help text.
> + Use GFP_KERNEL for audit_log_start.
> + Remove unnecessary caching system.
> + Remove comments from headers
> + Use rcu_access_pointer for rcu-pointer null check
> + Remove usage of reqprot; use prot only.
> + Move policy load and activation audit event to 03/12
>
> v4:
> + Remove sysctls in favor of securityfs nodes
> + Re-add kernel module parameters, as these are now
> exposed through securityfs.
> + Refactor property audit loop to a separate function.
>
> v5:
> + fix minor grammatical errors
> + do not group rule by curly-brace in audit record,
> reconstruct the exact rule.
>
> v6:
> + No changes
>
> v7:
> + Further split lsm creation into a separate commit from the
> evaluation loop and audit system, for easier review.
>
> + Introduce the concept of an ipe_context, a scoped way to
> introduce execution policies, used initially for allowing for
> kunit tests in isolation.
>
> v8:
> + Follow lsmname_hook_name convention for lsm hooks.
> + Move LSM blob accessors to ipe.c and mark LSM blobs as static.
>
> v9:
> + Remove ipe_context for simplification
>
> v10:
> + Add github url
>
> v11:
> + Correct github url
> + Move ipe before bpf
>
> v12:
> + Switch to use lsm_id instead of string for lsm name
>
> v13:
> + No changes
>
> v14:
> + No changes
> ---
> MAINTAINERS | 7 +++++++
> include/uapi/linux/lsm.h | 1 +
> security/Kconfig | 11 ++++++-----
> security/Makefile | 1 +
> security/ipe/Kconfig | 17 +++++++++++++++++
> security/ipe/Makefile | 9 +++++++++
> security/ipe/ipe.c | 41 ++++++++++++++++++++++++++++++++++++++++
> security/ipe/ipe.h | 16 ++++++++++++++++
> security/security.c | 3 ++-
> 9 files changed, 100 insertions(+), 6 deletions(-)
> create mode 100644 security/ipe/Kconfig
> create mode 100644 security/ipe/Makefile
> create mode 100644 security/ipe/ipe.c
> create mode 100644 security/ipe/ipe.h
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 13158047f2af..8517011f88ff 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -10650,6 +10650,13 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
> F: security/integrity/
> F: security/integrity/ima/
>
> +INTEGRITY POLICY ENFORCEMENT (IPE)
> +M: Fan Wu <[email protected]>
> +L: [email protected]
> +S: Supported
> +T: git https://github.com/microsoft/ipe.git
> +F: security/ipe/
> +
> INTEL 810/815 FRAMEBUFFER DRIVER
> M: Antonino Daplas <[email protected]>
> L: [email protected]
> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> index f8aef9ade549..43e2fb32745a 100644
> --- a/include/uapi/linux/lsm.h
> +++ b/include/uapi/linux/lsm.h
> @@ -62,6 +62,7 @@ struct lsm_ctx {
> #define LSM_ID_LOCKDOWN 108
> #define LSM_ID_BPF 109
> #define LSM_ID_LANDLOCK 110
> +#define LSM_ID_IPE 111
>
> /*
> * LSM_ATTR_XXX definitions identify different LSM attributes
> diff --git a/security/Kconfig b/security/Kconfig
> index 52c9af08ad35..cc7adfbb6b96 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -194,6 +194,7 @@ source "security/yama/Kconfig"
> source "security/safesetid/Kconfig"
> source "security/lockdown/Kconfig"
> source "security/landlock/Kconfig"
> +source "security/ipe/Kconfig"
>
> source "security/integrity/Kconfig"
>
> @@ -233,11 +234,11 @@ endchoice
>
> config LSM
> string "Ordered list of enabled LSMs"
> - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
> - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
> - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> - default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
> - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
> + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
> + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
> + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
> + default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
> + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
> help
> A comma-separated list of LSMs, in initialization order.
> Any LSMs left off this list, except for those with order
> diff --git a/security/Makefile b/security/Makefile
> index 59f238490665..cc0982214b84 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
> obj-$(CONFIG_CGROUPS) += device_cgroup.o
> obj-$(CONFIG_BPF_LSM) += bpf/
> obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
> +obj-$(CONFIG_SECURITY_IPE) += ipe/
>
> # Object integrity file lists
> obj-$(CONFIG_INTEGRITY) += integrity/
> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
> new file mode 100644
> index 000000000000..e4875fb04883
> --- /dev/null
> +++ b/security/ipe/Kconfig
> @@ -0,0 +1,17 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +#
> +# Integrity Policy Enforcement (IPE) configuration
> +#
> +
> +menuconfig SECURITY_IPE
> + bool "Integrity Policy Enforcement (IPE)"
> + depends on SECURITY && SECURITYFS
> + select PKCS7_MESSAGE_PARSER
> + select SYSTEM_DATA_VERIFICATION
> + help
> + This option enables the Integrity Policy Enforcement LSM
> + allowing users to define a policy to enforce a trust-based access
> + control. A key feature of IPE is a customizable policy to allow
> + admins to reconfigure trust requirements on the fly.
> +
> + If unsure, answer N.
> diff --git a/security/ipe/Makefile b/security/ipe/Makefile
> new file mode 100644
> index 000000000000..f7a80d0f18f8
> --- /dev/null
> +++ b/security/ipe/Makefile
> @@ -0,0 +1,9 @@
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Copyright (C) Microsoft Corporation. All rights reserved.
> +#
> +# Makefile for building the IPE module as part of the kernel tree.
> +#
> +
> +obj-$(CONFIG_SECURITY_IPE) += \
> + ipe.o \
> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
> new file mode 100644
> index 000000000000..b013aed15e73
> --- /dev/null
> +++ b/security/ipe/ipe.c
> @@ -0,0 +1,41 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) Microsoft Corporation. All rights reserved.
> + */
> +#include <uapi/linux/lsm.h>
> +
> +#include "ipe.h"
> +
> +static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
> +};
> +
> +static const struct lsm_id ipe_lsmid = {
> + .name = "ipe",
> + .id = LSM_ID_IPE,
> +};
> +
> +static struct security_hook_list ipe_hooks[] __ro_after_init = {
> +};
> +
> +/**
> + * ipe_init - Entry point of IPE.
> + *
> + * This is called at LSM init, which happens occurs early during kernel
> + * start up. During this phase, IPE registers its hooks and loads the
> + * builtin boot policy.
> + * Return:
> + * * 0 - OK
> + * * -ENOMEM - Out of memory
> + */
> +static int __init ipe_init(void)
> +{
> + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
> +
> + return 0;
> +}
> +
> +DEFINE_LSM(ipe) = {
> + .name = "ipe",
> + .init = ipe_init,
> + .blobs = &ipe_blobs,
> +};
> diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
> new file mode 100644
> index 000000000000..a1c68d0fc2e0
> --- /dev/null
> +++ b/security/ipe/ipe.h
> @@ -0,0 +1,16 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) Microsoft Corporation. All rights reserved.
> + */
> +
> +#ifndef _IPE_H
> +#define _IPE_H
> +
> +#ifdef pr_fmt
> +#undef pr_fmt
> +#endif
> +#define pr_fmt(fmt) "IPE: " fmt
> +
> +#include <linux/lsm_hooks.h>
> +
> +#endif /* _IPE_H */
> diff --git a/security/security.c b/security/security.c
> index 7035ee35a393..f168bc30a60d 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -51,7 +51,8 @@
> (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
> - (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
> + (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
> + (IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))

Hi Fan

you would also need to update
tools/testing/selftests/lsm/lsm_list_modules_test.c.

Roberto

> /*
> * These are descriptions of the reasons that can be passed to the


2024-03-11 18:11:15

by Fan Wu

[permalink] [raw]
Subject: Re: [RFC PATCH v14 01/19] security: add ipe lsm



On 3/11/2024 7:25 AM, Roberto Sassu wrote:
> On Wed, 2024-03-06 at 15:34 -0800, Fan Wu wrote:
>> From: Deven Bowers <[email protected]>
>>
>> Integrity Policy Enforcement (IPE) is an LSM that provides an
>> complimentary approach to Mandatory Access Control than existing LSMs
>> today.
>>
>> Existing LSMs have centered around the concept of access to a resource
>> should be controlled by the current user's credentials. IPE's approach,
>> is that access to a resource should be controlled by the system's trust
>> of a current resource.
>>
>> The basis of this approach is defining a global policy to specify which
>> resource can be trusted.
>>
>> Signed-off-by: Deven Bowers <[email protected]>
>> Signed-off-by: Fan Wu <[email protected]>
>> ---
>> v2:
>> + Split evaluation loop, access control hooks,
>> and evaluation loop from policy parser and userspace
>> interface to pass mailing list character limit
>>
>> v3:
>> + Move ipe_load_properties to patch 04.
>> + Remove useless 0-initializations
>> + Prefix extern variables with ipe_
>> + Remove kernel module parameters, as these are
>> exposed through sysctls.
>> + Add more prose to the IPE base config option
>> help text.
>> + Use GFP_KERNEL for audit_log_start.
>> + Remove unnecessary caching system.
>> + Remove comments from headers
>> + Use rcu_access_pointer for rcu-pointer null check
>> + Remove usage of reqprot; use prot only.
>> + Move policy load and activation audit event to 03/12
>>
>> v4:
>> + Remove sysctls in favor of securityfs nodes
>> + Re-add kernel module parameters, as these are now
>> exposed through securityfs.
>> + Refactor property audit loop to a separate function.
>>
>> v5:
>> + fix minor grammatical errors
>> + do not group rule by curly-brace in audit record,
>> reconstruct the exact rule.
>>
>> v6:
>> + No changes
>>
>> v7:
>> + Further split lsm creation into a separate commit from the
>> evaluation loop and audit system, for easier review.
>>
>> + Introduce the concept of an ipe_context, a scoped way to
>> introduce execution policies, used initially for allowing for
>> kunit tests in isolation.
>>
>> v8:
>> + Follow lsmname_hook_name convention for lsm hooks.
>> + Move LSM blob accessors to ipe.c and mark LSM blobs as static.
>>
>> v9:
>> + Remove ipe_context for simplification
>>
>> v10:
>> + Add github url
>>
>> v11:
>> + Correct github url
>> + Move ipe before bpf
>>
>> v12:
>> + Switch to use lsm_id instead of string for lsm name
>>
>> v13:
>> + No changes
>>
>> v14:
>> + No changes
>> ---
>> MAINTAINERS | 7 +++++++
>> include/uapi/linux/lsm.h | 1 +
>> security/Kconfig | 11 ++++++-----
>> security/Makefile | 1 +
>> security/ipe/Kconfig | 17 +++++++++++++++++
>> security/ipe/Makefile | 9 +++++++++
>> security/ipe/ipe.c | 41 ++++++++++++++++++++++++++++++++++++++++
>> security/ipe/ipe.h | 16 ++++++++++++++++
>> security/security.c | 3 ++-
>> 9 files changed, 100 insertions(+), 6 deletions(-)
>> create mode 100644 security/ipe/Kconfig
>> create mode 100644 security/ipe/Makefile
>> create mode 100644 security/ipe/ipe.c
>> create mode 100644 security/ipe/ipe.h
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index 13158047f2af..8517011f88ff 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -10650,6 +10650,13 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
>> F: security/integrity/
>> F: security/integrity/ima/
>>
>> +INTEGRITY POLICY ENFORCEMENT (IPE)
>> +M: Fan Wu <[email protected]>
>> +L: [email protected]
>> +S: Supported
>> +T: git https://github.com/microsoft/ipe.git
>> +F: security/ipe/
>> +
>> INTEL 810/815 FRAMEBUFFER DRIVER
>> M: Antonino Daplas <[email protected]>
>> L: [email protected]
>> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
>> index f8aef9ade549..43e2fb32745a 100644
>> --- a/include/uapi/linux/lsm.h
>> +++ b/include/uapi/linux/lsm.h
>> @@ -62,6 +62,7 @@ struct lsm_ctx {
>> #define LSM_ID_LOCKDOWN 108
>> #define LSM_ID_BPF 109
>> #define LSM_ID_LANDLOCK 110
>> +#define LSM_ID_IPE 111
>>
>> /*
>> * LSM_ATTR_XXX definitions identify different LSM attributes
>> diff --git a/security/Kconfig b/security/Kconfig
>> index 52c9af08ad35..cc7adfbb6b96 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -194,6 +194,7 @@ source "security/yama/Kconfig"
>> source "security/safesetid/Kconfig"
>> source "security/lockdown/Kconfig"
>> source "security/landlock/Kconfig"
>> +source "security/ipe/Kconfig"
>>
>> source "security/integrity/Kconfig"
>>
>> @@ -233,11 +234,11 @@ endchoice
>>
>> config LSM
>> string "Ordered list of enabled LSMs"
>> - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>> - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>> - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
>> - default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
>> - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
>> + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
>> + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
>> + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
>> + default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
>> + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
>> help
>> A comma-separated list of LSMs, in initialization order.
>> Any LSMs left off this list, except for those with order
>> diff --git a/security/Makefile b/security/Makefile
>> index 59f238490665..cc0982214b84 100644
>> --- a/security/Makefile
>> +++ b/security/Makefile
>> @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
>> obj-$(CONFIG_CGROUPS) += device_cgroup.o
>> obj-$(CONFIG_BPF_LSM) += bpf/
>> obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
>> +obj-$(CONFIG_SECURITY_IPE) += ipe/
>>
>> # Object integrity file lists
>> obj-$(CONFIG_INTEGRITY) += integrity/
>> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
>> new file mode 100644
>> index 000000000000..e4875fb04883
>> --- /dev/null
>> +++ b/security/ipe/Kconfig
>> @@ -0,0 +1,17 @@
>> +# SPDX-License-Identifier: GPL-2.0-only
>> +#
>> +# Integrity Policy Enforcement (IPE) configuration
>> +#
>> +
>> +menuconfig SECURITY_IPE
>> + bool "Integrity Policy Enforcement (IPE)"
>> + depends on SECURITY && SECURITYFS
>> + select PKCS7_MESSAGE_PARSER
>> + select SYSTEM_DATA_VERIFICATION
>> + help
>> + This option enables the Integrity Policy Enforcement LSM
>> + allowing users to define a policy to enforce a trust-based access
>> + control. A key feature of IPE is a customizable policy to allow
>> + admins to reconfigure trust requirements on the fly.
>> +
>> + If unsure, answer N.
>> diff --git a/security/ipe/Makefile b/security/ipe/Makefile
>> new file mode 100644
>> index 000000000000..f7a80d0f18f8
>> --- /dev/null
>> +++ b/security/ipe/Makefile
>> @@ -0,0 +1,9 @@
>> +# SPDX-License-Identifier: GPL-2.0
>> +#
>> +# Copyright (C) Microsoft Corporation. All rights reserved.
>> +#
>> +# Makefile for building the IPE module as part of the kernel tree.
>> +#
>> +
>> +obj-$(CONFIG_SECURITY_IPE) += \
>> + ipe.o \
>> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
>> new file mode 100644
>> index 000000000000..b013aed15e73
>> --- /dev/null
>> +++ b/security/ipe/ipe.c
>> @@ -0,0 +1,41 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * Copyright (C) Microsoft Corporation. All rights reserved.
>> + */
>> +#include <uapi/linux/lsm.h>
>> +
>> +#include "ipe.h"
>> +
>> +static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
>> +};
>> +
>> +static const struct lsm_id ipe_lsmid = {
>> + .name = "ipe",
>> + .id = LSM_ID_IPE,
>> +};
>> +
>> +static struct security_hook_list ipe_hooks[] __ro_after_init = {
>> +};
>> +
>> +/**
>> + * ipe_init - Entry point of IPE.
>> + *
>> + * This is called at LSM init, which happens occurs early during kernel
>> + * start up. During this phase, IPE registers its hooks and loads the
>> + * builtin boot policy.
>> + * Return:
>> + * * 0 - OK
>> + * * -ENOMEM - Out of memory
>> + */
>> +static int __init ipe_init(void)
>> +{
>> + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
>> +
>> + return 0;
>> +}
>> +
>> +DEFINE_LSM(ipe) = {
>> + .name = "ipe",
>> + .init = ipe_init,
>> + .blobs = &ipe_blobs,
>> +};
>> diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
>> new file mode 100644
>> index 000000000000..a1c68d0fc2e0
>> --- /dev/null
>> +++ b/security/ipe/ipe.h
>> @@ -0,0 +1,16 @@
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +/*
>> + * Copyright (C) Microsoft Corporation. All rights reserved.
>> + */
>> +
>> +#ifndef _IPE_H
>> +#define _IPE_H
>> +
>> +#ifdef pr_fmt
>> +#undef pr_fmt
>> +#endif
>> +#define pr_fmt(fmt) "IPE: " fmt
>> +
>> +#include <linux/lsm_hooks.h>
>> +
>> +#endif /* _IPE_H */
>> diff --git a/security/security.c b/security/security.c
>> index 7035ee35a393..f168bc30a60d 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -51,7 +51,8 @@
>> (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
>> (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \
>> (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
>> - (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
>> + (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
>> + (IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))
>
> Hi Fan
>
> you would also need to update
> tools/testing/selftests/lsm/lsm_list_modules_test.c.
>
> Roberto
>
>> /*
>> * These are descriptions of the reasons that can be passed to the

Hi Roberto,

Thanks for the info. I will also update that file.

-Fan