Received: by 2002:a05:7412:251c:b0:e2:908c:2ebd with SMTP id w28csp1637702rda; Mon, 23 Oct 2023 20:53:11 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEBEGPC3KFRWeYAqZVg8e0zieVHG19yu4uO5mqgh70W6AwtI3MUApyMxI/yKhOiZD4gq/xs X-Received: by 2002:a05:6808:17a3:b0:3b2:e3b5:b94 with SMTP id bg35-20020a05680817a300b003b2e3b50b94mr13991235oib.16.1698119591657; Mon, 23 Oct 2023 20:53:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698119591; cv=none; d=google.com; s=arc-20160816; b=tEkOD+DA/nPx7ow5W8VdNZ2KZhfVDc1Hc5FWwN3q31t647h9azkLEiVh+JNaW6A04X JuSZQToaNmyf17neSleE89FQXcxZHBc5jaEKbQN6ohob5hJpvaxQDLo2X1D3CHDk4Pbb oi3pJmL2A49KHRXgMd/LQvWaKdk9tlVTK9J/UAIFaXeJAsOilY/g676As8Y5mN22dnDs mfQewcMe3xHe/I9/JmIMEd/I0wXGAo+x4yTXERicBTgcZ/RvABH5UDLDWSt1wvng+5lT pAK7wSk6GhDyP7kBNadKmd4d+JzuX381qAOhRnbN+iNcnj+onP4hRZUc2ITfhWVZo4By l1Lw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:references:subject:cc:to:from :message-id:date:dkim-signature; bh=pxmiAw9v0MVA3JaImbhJkd/ZdwTT2GQ+ukfNRy8bQak=; fh=fHHNkGg+NzKoJxHGMh0JSMLpg18Ht1OPApOBL8ui3GA=; b=u2coe0JdVxtSNd1bMjwqCqBcSUc9uMzm8K4iyFmkyLFlZ0PruC9Tdh92HVbY8nonxJ tGYLeWV8VE0G84bLJdj1ZjUfDoJod3u5j0s/hFYf+N/1CLxcmLA8qisMEF/WPSeW/Da0 lD4CipBTSkl+qXcN8wfFRQOiA7+qj6oui8m+g97XdSGIPoifIcqlkqbKiQ8HSrq6L09R YqgzpXVVAdH1ruNpjSUbUO9jtp/rGrlbhV/8T9Uo2QcbnbP6JuOdplL3REWRNm5+UOdy 7tdGVrNjHm6naYyouzF4bPduUAJWhKyU54nnXuWj380Y/fk/achmKSPsgrUGOUGK3Hxp pCxw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b="F3/vT25h"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id bz39-20020a056a02062700b00588fa0def2asi7810766pgb.778.2023.10.23.20.53.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Oct 2023 20:53:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b="F3/vT25h"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id A960E802FA3D; Mon, 23 Oct 2023 20:53:07 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232317AbjJXDwr (ORCPT + 99 others); Mon, 23 Oct 2023 23:52:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51656 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232149AbjJXDwa (ORCPT ); Mon, 23 Oct 2023 23:52:30 -0400 Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18A9C10C8 for ; Mon, 23 Oct 2023 20:52:26 -0700 (PDT) Received: by mail-qv1-xf2e.google.com with SMTP id 6a1803df08f44-66d190a8f87so25649706d6.0 for ; Mon, 23 Oct 2023 20:52:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1698119545; x=1698724345; darn=vger.kernel.org; h=in-reply-to:references:subject:cc:to:from:message-id:date:from:to :cc:subject:date:message-id:reply-to; bh=pxmiAw9v0MVA3JaImbhJkd/ZdwTT2GQ+ukfNRy8bQak=; b=F3/vT25hmHA76WeDtuGfbPgSaAHSq/UEQQQWZOr1F7Z3nly0BylwsIcgJVh1r9wUEz CNdNa3twMJZ64Aow2/1mGEsTbfpuQaGnWpoPjUJJsbU+Op9n4EkXQgfZcj4q9uPNzE5X URUmcC113w1MHpjnIAwcfW5ZV6W0LdAT+C35BJzg6cFVhr8ifvciiPJruJDvmMM0NNvU QTXgaVCcyXy/qODEAQH/EbV9oxVOyhh1oYm+bFAxIgbvIK3Ub6Nkz8RXmWydrIzbw3G+ LoRfb/6MTk3xtttBwtBLSHUapQizVCwWqQi4gD+U31h1TTua0ZnSeDnl/P7ggxOfpDmM 6itg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698119545; x=1698724345; h=in-reply-to:references:subject:cc:to:from:message-id:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=pxmiAw9v0MVA3JaImbhJkd/ZdwTT2GQ+ukfNRy8bQak=; b=uf3yTWMmfCo00IG7JI0e3Ccs6t45pxIWEgTEUPMbKb5mwPjON/Veb7iLDqEN7EqwMj aEGRXcHbRd8uXofwaBSRIrnhUVkqgAdjf+vA56FdzqaADPnGs6OiF7KMtfufJuMki48/ jpoC2mhkGzDb6O0vI4AQGv8Iem7upJnPUBideHPX+1utqSNYrA+PzZnYINQjWdpuLF/L DHu1qLY0C6hztbEKiGcdIBXm7NGPT4u0CV78f2S+hX6T0ScfBax90nLD7gnMz7yYsrXz UNV2eHuhyoBQIKffueKJyxmSu3v+MxjsjIjQ4IAueUvhRMSWEwBZ+XPqPRs2IYjCkvqh 7UkA== X-Gm-Message-State: AOJu0YxmKFvasl1bBByxpY50vDmX559OAExwBF7OFbOB3plPZqeM/9kA CiarPV08dF+trENJCT+YOnlc X-Received: by 2002:ad4:4ee1:0:b0:656:4a21:2c5a with SMTP id dv1-20020ad44ee1000000b006564a212c5amr15142920qvb.9.1698119545121; Mon, 23 Oct 2023 20:52:25 -0700 (PDT) Received: from localhost ([70.22.175.108]) by smtp.gmail.com with ESMTPSA id ep5-20020a05621418e500b0065afedf3aabsm3342527qvb.48.2023.10.23.20.52.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Oct 2023 20:52:24 -0700 (PDT) Date: Mon, 23 Oct 2023 23:52:24 -0400 Message-ID: <46922873bd020f8cd443b7fca59ef802.paul@paul-moore.com> From: Paul Moore To: Fan Wu , corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, audit@vger.kernel.org, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers , Fan Wu Subject: Re: [PATCH RFC v11 4/19] ipe: add LSM hooks on execution and kernel read References: <1696457386-3010-5-git-send-email-wufan@linux.microsoft.com> In-Reply-To: <1696457386-3010-5-git-send-email-wufan@linux.microsoft.com> X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 23 Oct 2023 20:53:07 -0700 (PDT) On Oct 4, 2023 Fan Wu wrote: > > IPE's initial goal is to control both execution and the loading of > kernel modules based on the system's definition of trust. It > accomplishes this by plugging into the security hooks for > bprm_check_security, file_mprotect, mmap_file, kernel_load_data, > and kernel_read_data. > > Signed-off-by: Deven Bowers > Signed-off-by: Fan Wu > --- > v2: > + Split evaluation loop, access control hooks, > and evaluation loop from policy parser and userspace > interface to pass mailing list character limit > > v3: > + Move ipe_load_properties to patch 04. > + Remove useless 0-initializations > + Prefix extern variables with ipe_ > + Remove kernel module parameters, as these are > exposed through sysctls. > + Add more prose to the IPE base config option > help text. > + Use GFP_KERNEL for audit_log_start. > + Remove unnecessary caching system. > + Remove comments from headers > + Use rcu_access_pointer for rcu-pointer null check > + Remove usage of reqprot; use prot only. > + Move policy load and activation audit event to 03/12 > > v4: > + Remove sysctls in favor of securityfs nodes > + Re-add kernel module parameters, as these are now > exposed through securityfs. > + Refactor property audit loop to a separate function. > > v5: > + fix minor grammatical errors > + do not group rule by curly-brace in audit record, > reconstruct the exact rule. > > v6: > + No changes > > v7: > + Further split lsm creation, the audit system, the evaluation loop > and access control hooks into separate commits. > > v8: > + Rename hook functions to follow the lsmname_hook_name convention > + Remove ipe_hook enumeration, can be derived from correlation with > syscall audit record. > > v9: > + Minor changes for adapting to the new parser > > v10: > + Remove @reqprot part > > v11: > + Fix code style issues > --- > security/ipe/Makefile | 1 + > security/ipe/eval.c | 14 ++++ > security/ipe/eval.h | 3 + > security/ipe/hooks.c | 183 ++++++++++++++++++++++++++++++++++++++++++ > security/ipe/hooks.h | 25 ++++++ > security/ipe/ipe.c | 6 ++ > 6 files changed, 232 insertions(+) > create mode 100644 security/ipe/hooks.c > create mode 100644 security/ipe/hooks.h ... > diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c > new file mode 100644 > index 000000000000..6164a9b53361 > --- /dev/null > +++ b/security/ipe/hooks.c > @@ -0,0 +1,183 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) Microsoft Corporation. All rights reserved. > + */ ... > +/** > + * ipe_kernel_read_file - ipe security hook function for kernel read. > + * @file: Supplies a pointer to the file structure being read in from disk. > + * @id: Supplies the enumeration identifying the purpose of the read. > + * @contents: Unused. > + * > + * This LSM hook is called when a file is being read in from disk from > + * the kernel. > + * > + * Return: > + * 0 - OK > + * !0 - Error > + */ > +int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, > + bool contents) > +{ > + enum ipe_op_type op; > + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; > + > + switch (id) { > + case READING_FIRMWARE: > + op = IPE_OP_FIRMWARE; > + break; > + case READING_MODULE: > + op = IPE_OP_KERNEL_MODULE; > + break; > + case READING_KEXEC_INITRAMFS: > + op = IPE_OP_KEXEC_INITRAMFS; > + break; > + case READING_KEXEC_IMAGE: > + op = IPE_OP_KEXEC_IMAGE; > + break; > + case READING_POLICY: > + op = IPE_OP_IMA_POLICY; > + break; > + case READING_X509_CERTIFICATE: > + op = IPE_OP_IMA_X509; > + break; > + default: > + op = IPE_OP_INVALID; > + WARN(op == IPE_OP_INVALID, "no rule setup for enum %d", id); I'm not sure you need to test @op above since you set @op on the line above, just use true/1 to simplify things. It also seems like it might be helpful to provice some context for the enum above in the WARN() message. For example: WARN(1, "no rule setup for kernel_read_file %d", id); > + } > + > + build_eval_ctx(&ctx, file, op); > + return ipe_evaluate_event(&ctx); > +} > + > +/** > + * ipe_kernel_load_data - ipe security hook function for kernel load data. > + * @id: Supplies the enumeration identifying the purpose of the read. > + * @contents: Unused. > + * > + * This LSM hook is called when a buffer is being read in from disk. > + * > + * Return: > + * * 0 - OK > + * * !0 - Error > + */ > +int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents) > +{ > + enum ipe_op_type op; > + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; > + > + switch (id) { > + case LOADING_FIRMWARE: > + op = IPE_OP_FIRMWARE; > + break; > + case LOADING_MODULE: > + op = IPE_OP_KERNEL_MODULE; > + break; > + case LOADING_KEXEC_INITRAMFS: > + op = IPE_OP_KEXEC_INITRAMFS; > + break; > + case LOADING_KEXEC_IMAGE: > + op = IPE_OP_KEXEC_IMAGE; > + break; > + case LOADING_POLICY: > + op = IPE_OP_IMA_POLICY; > + break; > + case LOADING_X509_CERTIFICATE: > + op = IPE_OP_IMA_X509; > + break; > + default: > + op = IPE_OP_INVALID; > + WARN(op == IPE_OP_INVALID, "no rule setup for enum %d", id); See my comments in ipe_kernel_read_file(), they also apply here. > + } > + > + build_eval_ctx(&ctx, NULL, op); > + return ipe_evaluate_event(&ctx); > +} -- paul-moore.com