Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp2939598rwp; Fri, 14 Jul 2023 14:06:06 -0700 (PDT) X-Google-Smtp-Source: APBJJlFFGm6LvxJ4P4RuQr+tLFenLUL654zPTZ9uFSgLJuBnvHoEUvLlb93Jy1S6mj6m09O87nk1 X-Received: by 2002:a17:90a:5411:b0:262:df1d:4535 with SMTP id z17-20020a17090a541100b00262df1d4535mr3898695pjh.31.1689368765868; Fri, 14 Jul 2023 14:06:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689368765; cv=none; d=google.com; s=arc-20160816; b=Tt23RakmNBx9M3GxjD2QpDhlrVGeYbshRdKZkPfZH2/ZDglMcVL7r0Va1lgdxqbS9r IHFLNvpen6uifJqHMCDa9+dIPH8x2VZgr+YvQZoTsiCkTDRoYH0zFxo+MizE1XFVjgA/ xepBDBSxCSKUcBAX5jfO4SioAYODUZlmJqTkAi9npGDllflB54iI93GHxZn3TsZ80XlU o6BPoxlNoyDejx7sKMjAY7rTRYqaHhubEzYcGm/aFV1BpvqNDVb7Cal3rHr46njxgHcc oqwgMfdASD6UZumumjFcgS26YV8I4spBzmnHqBHYdXfecr0QjmkWXDPF30bdPRZg74Xd WAFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature:dkim-filter; bh=P3inuFi0gMXqoY/7xlKkhztUrimCDUfNFGSqCXwgTfw=; fh=ZLm+m0bKilpEZSow3dfgU0uOjS/KJOkX+0i74K9YeEc=; b=KAVBxEIEEv4rpyac0v9X43MD4YYvQNdN7EQJD2/AdyxoC/qRlTvyUnJsb82mgq4TkF OoluklPW+j45j9oTFZMlhZZ8KeDMtZLHjkHWz7fij4TPzak8VR/PeXcRXz4BydOXZYwL TUwiciLP0Xl1LgLGP7+axxyM5IN/1Hf7w3ywBUBGV9ef+AxXJgrWefOeq+ygJDOyoZ9m /XLjEIPsCmBO7uN8oQ6Nyan9oFD1KtsJdhK5/HMwrExbnk2qSIrvrh4I0rxZrtf+oNIm Q6qOYcGvZSTAzk99ntV+g5+x/jwLpb9g8M3UrdMRFMmHn7B/XJ2mOjwpHjiWaowth+Ai AUpg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=Y9xCGTHA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c23-20020a17090a8d1700b00262f7dccaecsi1709080pjo.170.2023.07.14.14.05.52; Fri, 14 Jul 2023 14:06:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=Y9xCGTHA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236115AbjGNU2t (ORCPT + 99 others); Fri, 14 Jul 2023 16:28:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58636 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235472AbjGNU2r (ORCPT ); Fri, 14 Jul 2023 16:28:47 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D57831995; Fri, 14 Jul 2023 13:28:45 -0700 (PDT) Received: by linux.microsoft.com (Postfix, from userid 1052) id 353B820ABD64; Fri, 14 Jul 2023 13:28:45 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 353B820ABD64 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1689366525; bh=P3inuFi0gMXqoY/7xlKkhztUrimCDUfNFGSqCXwgTfw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Y9xCGTHAMzWx55C7H1MErPQE+n5ghx5PbMvaBnwI0vs8CCBaJ5VU9tOOqs/Jg36+p wycIU9OWZ8tR0M5Yitid06KA4Yk3IPi5PSM32luz0EIsXBdKDL1X3jGYf4zsWPrIvt JpNuiSLgROZLx0DdvUXKjEhBMKE7PX/6muWF71q4= Date: Fri, 14 Jul 2023 13:28:45 -0700 From: Fan Wu To: Paul Moore Cc: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, audit@vger.kernel.org, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers Subject: Re: [PATCH RFC v10 3/17] ipe: add evaluation loop Message-ID: <20230714202845.GB15267@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> References: <1687986571-16823-4-git-send-email-wufan@linux.microsoft.com> <309cfd62a474a7e93be6a0886a3d5aa8.paul@paul-moore.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <309cfd62a474a7e93be6a0886a3d5aa8.paul@paul-moore.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, score=-17.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jul 08, 2023 at 12:23:01AM -0400, Paul Moore wrote: > On Jun 28, 2023 Fan Wu wrote: > > > > IPE must have a centralized function to evaluate incoming callers > > against IPE's policy. This iteration of the policy for against the rules > > for that specific caller is known as the evaluation loop. > > Can you rewrite that second sentence, it reads a bit awkward and I'm > unclear as to the meaning. > Sure, it is indeed not clear, I might rewrite the whole message in the next version. > > Signed-off-by: Deven Bowers > > Signed-off-by: Fan Wu > > --- > > security/ipe/Makefile | 1 + > > security/ipe/eval.c | 94 +++++++++++++++++++++++++++++++++++++++++++ > > security/ipe/eval.h | 25 ++++++++++++ > > 3 files changed, 120 insertions(+) > > create mode 100644 security/ipe/eval.c > > create mode 100644 security/ipe/eval.h > > ... > > > diff --git a/security/ipe/eval.c b/security/ipe/eval.c > > new file mode 100644 > > index 000000000000..59144b2ecdda > > --- /dev/null > > +++ b/security/ipe/eval.c > > @@ -0,0 +1,94 @@ > > +// SPDX-License-Identifier: GPL-2.0 > > +/* > > + * Copyright (C) Microsoft Corporation. All rights reserved. > > + */ > > + > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > + > > +#include "ipe.h" > > +#include "eval.h" > > +#include "hooks.h" > > There is no "hooks.h" at this point in the patchset. > > In order for 'git bisect' to remain useful (and it can be a very handy > tool), we need to ensure that each point in the patchset compiles > cleanly. > Sorry for the mistake here, I will avoid this kind of problems in the future. > > +#include "policy.h" > > + > > +struct ipe_policy __rcu *ipe_active_policy; > > + > > +/** > > + * evaluate_property - Analyze @ctx against a property. > > + * @ctx: Supplies a pointer to the context to be evaluated. > > + * @p: Supplies a pointer to the property to be evaluated. > > + * > > + * Return: > > + * * true - The current @ctx match the @p > > + * * false - The current @ctx doesn't match the @p > > + */ > > +static bool evaluate_property(const struct ipe_eval_ctx *const ctx, > > + struct ipe_prop *p) > > +{ > > + return false; > > +} > > + > > +/** > > + * ipe_evaluate_event - Analyze @ctx against the current active policy. > > + * @ctx: Supplies a pointer to the context to be evaluated. > > + * > > + * This is the loop where all policy evaluation happens against IPE policy. > > + * > > + * Return: > > + * * 0 - OK > > + * * -EACCES - @ctx did not pass evaluation. > > + * * !0 - Error > > + */ > > +int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx) > > +{ > > + int rc = 0; > > + bool match = false; > > + enum ipe_action_type action; > > + struct ipe_policy *pol = NULL; > > + const struct ipe_rule *rule = NULL; > > + const struct ipe_op_table *rules = NULL; > > + struct ipe_prop *prop = NULL; > > + > > + rcu_read_lock(); > > + > > + pol = rcu_dereference(ipe_active_policy); > > + if (!pol) { > > + rcu_read_unlock(); > > + return 0; > > + } > > + > > + if (ctx->op == __IPE_OP_INVALID) { > > + action = pol->parsed->global_default_action; > > + goto eval; > > It looks like you are missing a rcu_read_unlock() in this case. > Thanks for pointing that out. I will add the unlock. > Also, given how simplistic the evaluation is in this case, why not > just do it here, saving the assignment, jump, etc.? > > if (ctx->op == INVALID) { > rcu_read_unlock() > if (global_action == DENY) > return -EACCES; > return 0; > } > The jump is actually for auditing the decision in the next patch, while it does make more sense to not jump when the auditing is not introduced. I will make the return here then switch to jump in the auditing patch. > > + } > > + > > + rules = &pol->parsed->rules[ctx->op]; > > + > > + list_for_each_entry(rule, &rules->rules, next) { > > + match = true; > > + > > + list_for_each_entry(prop, &rule->props, next) > > + match = match && evaluate_property(ctx, prop); > > Why not break from this loop once evaluate_property() returns false? > Yes we can break when one property evals to false, thanks for the advice. > > + > > + if (match) > > + break; > > + } > > + > > + if (match) > > + action = rule->action; > > + else if (rules->default_action != __IPE_ACTION_INVALID) > > + action = rules->default_action; > > + else > > + action = pol->parsed->global_default_action; > > + > > + rcu_read_unlock(); > > +eval: > > + if (action == __IPE_ACTION_DENY) > > + rc = -EACCES; > > + > > + return rc; > > This can just be 'return 0;' right? > For this patch, if we just return on error, then yes the end of the function could just return 0. But when auditing(audit rc) and permissive switch(overwrite rc) are introduced then return on error might not be the clean way. So I kept the rc variable in this patch. I can change the style in this patch then switch to use rc when auditing and permissive switch are introduced. -Fan > > +} > > -- > paul-moore.com