Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp32803311rwd; Fri, 7 Jul 2023 22:39:26 -0700 (PDT) X-Google-Smtp-Source: APBJJlHbgo2mFTTJZUvDxg3PVIml0g8hsBlwuS+QVCBBtpyXfEs8hrfe6wgctyfT3unFNMwnwsG8 X-Received: by 2002:a05:6870:1f8f:b0:1b0:7078:5889 with SMTP id go15-20020a0568701f8f00b001b070785889mr9490378oac.12.1688794765968; Fri, 07 Jul 2023 22:39:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1688794765; cv=none; d=google.com; s=arc-20160816; b=J+8/uazkzH7WW1EQAf3pfqWzUfQ3dVHZ4oM1NkBTNRrz1Whg2dRJspKwkYbrMT34Mt lGf0noPpTLd9ZLSFp89qEyhubO3v/e1sXkF2qtGCQPDGStK3GUBXMkw9xGVx4YSc8/Ju 5Wg63PTZgDRQxuzeiynOm+sxWKGY8Vnf5r8zW6BXwYr734YOVcKBCu3a7FMSGjl4Y60B hssx9kWlDNFvBYJLVjxk+/SaPHuJ7yNEBgwy1lPV1TJR0/fkBH67YpljrLt1qiMXhEXO 0RvYD3FQ53F0Kb/2CZByKpgV/FUSz7dztyoJT9DO6Vf60BWFcF7b51IL/HaR/DwXZVCB 6dyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:references:subject:cc:to:from :message-id:date:dkim-signature; bh=mRTut3OlHqKCWiM81ta7SjbBbT2KSyk5zN+hB2sD2J4=; fh=Vmgb78f+UWtIut1Oluhwx2oDAe4UZFJl5iee0zHKAXI=; b=HF5ucwHvmmXrDeXKTAAAER1CdfQMi0XmhcvgAUkaxE5oCveI2PLPVeFB6Ew5GsqCh6 kJfaWRxZx819a9TEFXrUZclCPQK1Gl5KIY2THRQFDpPSBtHSb+tVQDz7UHX2ChlNikra lOyQkQRrsYQ03W79Zy5SxYp4Z5EAN6SRBIque3Ui41hZvJ3gDYs7Uu7eeQ8TDulPZEvr BlZ1iF0q7ikuxWsnd/j9XyADvyZi+ZIHpVhLp+Rd6HjXbTo3dYPxu1TlokqGJChHb8qu MkbUb9NcnPlQTP1f3LLqGIWzKW/peK/f2a5q1Rz7X84oq1KhcdNIE7kXok7P9zAltsRo eeCg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=T8iQ+ddd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z22-20020a17090acb1600b00263eb5054f2si3406856pjt.105.2023.07.07.22.39.13; Fri, 07 Jul 2023 22:39:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=T8iQ+ddd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233020AbjGHFiE (ORCPT + 99 others); Sat, 8 Jul 2023 01:38:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233019AbjGHFha (ORCPT ); Sat, 8 Jul 2023 01:37:30 -0400 Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9538C2698 for ; Fri, 7 Jul 2023 22:37:01 -0700 (PDT) Received: by mail-qv1-xf31.google.com with SMTP id 6a1803df08f44-63770af327fso16994166d6.2 for ; Fri, 07 Jul 2023 22:37:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1688794620; x=1691386620; h=in-reply-to:references:subject:cc:to:from:message-id:date:from:to :cc:subject:date:message-id:reply-to; bh=mRTut3OlHqKCWiM81ta7SjbBbT2KSyk5zN+hB2sD2J4=; b=T8iQ+dddv8itdTsndAZ+8dqj8A1P6zmK/5ww1ffgNYZFJ8N7sPBE5Okd3UWfpL9P6U DCnZOtUOvhUqObSjP4bjybp5PUZ0RU8Lu/cbXMHhKXLWXOv+Inevf67blcKSyvzfcnvW 78TNHLHpSVvTATjOIB44tQoYi+HjS+oaxzw5FJJQtLj8V5rzDhFIPv/o98BKw5a7knP6 NB74vkK9ig1S7erKdH3Emo1Jj9Hpmm7WDiWLF2+khj1l9MEJXd+bYaRWWNz6RSacqfFx USFTaGnlXZ3M//ahGa8v0t7KFWdbbL20SunCGMC+HG0KOt8qOrEN7yj3fe7SB5VOeo/q RMxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688794620; x=1691386620; h=in-reply-to:references:subject:cc:to:from:message-id:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=mRTut3OlHqKCWiM81ta7SjbBbT2KSyk5zN+hB2sD2J4=; b=SxkiRn3OFnmino/GkdDx5Wk2CQ8uPJzaZe7k/13ZL2tW2lynHN4HjRXwHUIkdvWRZ5 +j4rr9QxP8sv83r8rB9vliX9jEWZdlOaT2CiSjyVBmuo8BdAzesaO3H8IjnPzW8AiyQZ sIhe9BsLLC59EgOw5lpHskd6qqT0uggndeuydSUA2i1m7EGdp8jP2uUaVEM4OfZPeWTg bK2l7CJTtffk8mh6gwcPkOxBSgbYNtjNQif7C82janJz6ExcDSIENjSXkxoENIwCGEJX LUmFCm8ueIj3IuQqskKbXboyROYCDkUNkwYuZnoZ8IQviMeY5380oZqSlpquYtHJeFjf 69KQ== X-Gm-Message-State: ABy/qLZJMdVOJJ7Q08GG2utuMG4oDaG0lW+T5BlGRzjelehPWwZcNuXT oXrsNqRn1CXlGlYZ92JOYC2k X-Received: by 2002:a0c:dc87:0:b0:62d:efa2:f19f with SMTP id n7-20020a0cdc87000000b0062defa2f19fmr6824435qvk.54.1688794620221; Fri, 07 Jul 2023 22:37:00 -0700 (PDT) Received: from localhost ([70.22.175.108]) by smtp.gmail.com with ESMTPSA id m6-20020a0cdb86000000b006362c5760f8sm2952625qvk.139.2023.07.07.22.36.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 07 Jul 2023 22:36:59 -0700 (PDT) Date: Sat, 08 Jul 2023 01:36:59 -0400 Message-ID: <59d0824741118eb63b8ced046f1741f4.paul@paul-moore.com> From: Paul Moore To: Fan Wu , corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, audit@vger.kernel.org, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers , Fan Wu Subject: Re: [PATCH RFC v10 7/17] ipe: add userspace interface References: <1687986571-16823-8-git-send-email-wufan@linux.microsoft.com> In-Reply-To: <1687986571-16823-8-git-send-email-wufan@linux.microsoft.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Jun 28, 2023 Fan Wu wrote: > > As is typical with LSMs, IPE uses securityfs as its interface with > userspace. for a complete list of the interfaces and the respective > inputs/outputs, please see the documentation under > admin-guide/LSM/ipe.rst > > Signed-off-by: Deven Bowers > Signed-off-by: Fan Wu > --- > security/ipe/Makefile | 2 + > security/ipe/fs.c | 101 ++++++++ > security/ipe/fs.h | 16 ++ > security/ipe/ipe.c | 3 + > security/ipe/ipe.h | 2 + > security/ipe/policy.c | 111 +++++++++ > security/ipe/policy.h | 9 + > security/ipe/policy_fs.c | 481 +++++++++++++++++++++++++++++++++++++++ > 8 files changed, 725 insertions(+) > create mode 100644 security/ipe/fs.c > create mode 100644 security/ipe/fs.h > create mode 100644 security/ipe/policy_fs.c ... > diff --git a/security/ipe/policy.c b/security/ipe/policy.c > index 4069ff075093..3e8e4a06a044 100644 > --- a/security/ipe/policy.c > +++ b/security/ipe/policy.c > @@ -7,9 +7,36 @@ > #include > > #include "ipe.h" > +#include "eval.h" > +#include "fs.h" > #include "policy.h" > #include "policy_parser.h" > > +/* lock for synchronizing writers across ipe policy */ > +DEFINE_MUTEX(ipe_policy_lock); > + > +/** > + * ver_to_u64 - Convert an internal ipe_policy_version to a u64. > + * @p: Policy to extract the version from. > + * > + * Bits (LSB is index 0): > + * [48,32] -> Major > + * [32,16] -> Minor > + * [16, 0] -> Revision > + * > + * Return: u64 version of the embedded version structure. > + */ > +static inline u64 ver_to_u64(const struct ipe_policy *const p) > +{ > + u64 r; > + > + r = (((u64)p->parsed->version.major) << 32) > + | (((u64)p->parsed->version.minor) << 16) > + | ((u64)(p->parsed->version.rev)); > + > + return r; > +} > + > /** > * ipe_free_policy - Deallocate a given IPE policy. > * @p: Supplies the policy to free. > @@ -21,6 +48,7 @@ void ipe_free_policy(struct ipe_policy *p) > if (IS_ERR_OR_NULL(p)) > return; > > + ipe_del_policyfs_node(p); > free_parsed_policy(p->parsed); > if (!p->pkcs7) > kfree(p->text); > @@ -39,6 +67,65 @@ static int set_pkcs7_data(void *ctx, const void *data, size_t len, > return 0; > } > > +/** > + * ipe_update_policy - parse a new policy and replace @old with it. What does "@old" refer to? I'm guessing you want to drop the "@". > + * @root: Supplies a pointer to the securityfs inode saved the policy. > + * @text: Supplies a pointer to the plain text policy. > + * @textlen: Supplies the length of @text. > + * @pkcs7: Supplies a pointer to a buffer containing a pkcs7 message. > + * @pkcs7len: Supplies the length of @pkcs7len. > + * > + * @text/@textlen is mutually exclusive with @pkcs7/@pkcs7len - see > + * ipe_new_policy. > + * > + * Return: > + * * !IS_ERR - The old policy "The old policy" is what? > + * * -ENOENT - Policy doesn't exist > + * * -EINVAL - New policy is invalid > + */ > +struct ipe_policy *ipe_update_policy(struct inode *root, > + const char *text, size_t textlen, > + const char *pkcs7, size_t pkcs7len) > +{ > + int rc = 0; > + struct ipe_policy *old, *ap, *new = NULL; > + > + lockdep_assert_held(&ipe_policy_lock); > + > + old = (struct ipe_policy *)root->i_private; > + if (!old) > + return ERR_PTR(-ENOENT); > + > + new = ipe_new_policy(text, textlen, pkcs7, pkcs7len); > + if (IS_ERR(new)) > + return new; > + > + if (strcmp(new->parsed->name, old->parsed->name)) { > + rc = -EINVAL; > + goto err; > + } > + > + if (ver_to_u64(old) > ver_to_u64(new)) { > + rc = -EINVAL; > + goto err; > + } > + > + root->i_private = new; > + > + ap = rcu_dereference_protected(ipe_active_policy, > + lockdep_is_held(&ipe_policy_lock)); > + if (old == ap) > + rcu_assign_pointer(ipe_active_policy, new); > + > + swap(new->policyfs, old->policyfs); We don't have to worry about @new, but is there a guarantee that this function is the only one attempting to modify @old? *EDIT*: I found that @root is locked by the caller, that's good. I would suggest adding this assumption/requirement to the function's description. In general whenever a function requires something from a caller it should be documented in the function's description. > +out: > + return (rc < 0) ? ERR_PTR(rc) : old; > +err: > + ipe_free_policy(new); > + goto out; > +} > + ... > diff --git a/security/ipe/policy_fs.c b/security/ipe/policy_fs.c > new file mode 100644 > index 000000000000..52a120118cda > --- /dev/null > +++ b/security/ipe/policy_fs.c > @@ -0,0 +1,481 @@ ... > +/** > + * getactive - Read handler for "ipe/policies/$name/active". > + * @f: Supplies a file structure representing the securityfs node. > + * @data: Suppleis a buffer passed to the write syscall. > + * @len: Supplies the length of @data. > + * @offset: unused. > + * > + * @data will be populated with the 1 or 0 depending on if the > + * corresponding policy is active. > + * > + * Return: > + * * >0 - Success, Length of buffer written > + * * <0 - Error > + */ > +static ssize_t getactive(struct file *f, char __user *data, > + size_t len, loff_t *offset) > +{ > + int rc = 0; > + const char *str; > + struct inode *root = NULL; > + const struct ipe_policy *p = NULL; > + > + root = d_inode(f->f_path.dentry->d_parent); > + > + inode_lock_shared(root); > + p = (struct ipe_policy *)root->i_private; > + if (!p) { > + inode_unlock_shared(root); > + return -ENOENT; > + } > + inode_unlock_shared(root); > + > + str = (p == rcu_access_pointer(ipe_active_policy)) ? "1" : "0"; The line above should be wrapped with a RCU lock. > + rc = simple_read_from_buffer(data, len, offset, str, 1); > + > + return rc; > +} -- paul-moore.com