Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp1353748lqz; Mon, 1 Apr 2024 03:53:18 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUXWvC1xm/32GYQnT8Cm5rItAsWy2O0AGzOwQDI3qhPvwQAzVL5hnS7L8Daz8g9Ia5fmoPjiI3I84f5Zwa+ODUcpXgi602xlpNao4A1Cg== X-Google-Smtp-Source: AGHT+IFeF6duLHcMBQn6tPXHbJhQNQ9eUkZ8vHI9D4jd6p8RlKe6R2VS062bDbAxzLfXhTwEe8gW X-Received: by 2002:a50:d714:0:b0:566:624a:9e3f with SMTP id t20-20020a50d714000000b00566624a9e3fmr11380550edi.3.1711968797996; Mon, 01 Apr 2024 03:53:17 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711968797; cv=pass; d=google.com; s=arc-20160816; b=dKmFOVqNNlcWP2zbQQxiIyPsxYtxZ/jjH53Vl7VlCJyVhVA/MeWMzbGi10qKHnzxRX 2FG2P+0jwgUbQ3ZLthhRHE6sOZyyYl6bpdxsChSE0gvFBcgx3SA7sFbJQX255AT0rAmw 3nzCA7Bm8mK4a2Xdvi6ZnPNjcnTjqvITY66EHUr7X3xGKLZdO0FrXdqKlN+rL6rqsxbY 46B52gzX2V6Q/3/wNTomummykwMBJUiX0NjF3lUnTXN/2awMK8ceG2d8ykNzwYYGyV8Z cRw8IGvblytWdZxhwfJHx8YK6LGUmEXwEWpFW9pivBLQFWtnMXWpxmWs4kMg/grs1pcH OYqg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from; bh=o7iQ8reWHaVy8aybFz3MRwp1K6Uk4vI6o8BGExjMCB8=; fh=QBq47c/v9OqEJdHm/xocM5+SPuKkZ+ZOBMGF7GNO3sQ=; b=mHFCCwhjf2bgBt8u7E9xDp2d9YUk4dXxjVUcrK23oCU9FfuNHxs2If+riGHRBHUtmN PCY3TVPw27+ak6tJGJ9fVgM0Da4O5VmMx88oCkT/DcoYI0tsxxzTTOlNmKkyuTObThm0 WyNa7C83tH40J1GuJfHiFTgvrhl9N2oxi4s3De3tqACCbYiPe2Yxvwr+FLE5mUUJp/Bv 6/GQE3Bej6JPWrSVzbKXdch4679ojdPZWZgIQsut46F1VyIkPGYbeJjSpgGFCDDMW122 WXlpB9hCPVxZbUc9PNNYB9N129M9O7X3/ZxMQKHUNIdMcO2qWdIwR4EvZgpLABG6ZHTR uWMw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=enjellic.com); spf=pass (google.com: domain of linux-kernel+bounces-126616-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-126616-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id ev24-20020a056402541800b0056c29d62306si4563948edb.585.2024.04.01.03.53.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Apr 2024 03:53:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-126616-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=enjellic.com); spf=pass (google.com: domain of linux-kernel+bounces-126616-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-126616-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 655AC1F2230C for ; Mon, 1 Apr 2024 10:53:17 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B37173E494; Mon, 1 Apr 2024 10:50:53 +0000 (UTC) Received: from blizzard.enjellic.com (wind.enjellic.com [76.10.64.91]) by smtp.subspace.kernel.org (Postfix) with ESMTP id AB699200A9; Mon, 1 Apr 2024 10:50:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=76.10.64.91 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711968645; cv=none; b=B6kbFNvCllyZazMKkmvfQSzadoXU2rXpJuL/+4e2el2pPOx6pw2vum4pjSXY0L5++qisJEwJvlHZJy8hR6oEwZqAYbhPD8T6I4YSUbg/rhU/YaEhPAQj19KIukvKCdQ4cQNO9kC3sm3LMsjp6F5bBNwnL2oubx+TuYr2U8Rv5ow= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711968645; c=relaxed/simple; bh=kiSKeVm/R4Y473bOeXjaGQ9tsGFKlry+yxf6taSv4pU=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=glDpjDiEXYAebkSNhFrKq8qdNvYFYTszBrVdX2A9xSCI9zvgtyPK/gfJl0p+Sc/jgqJAX2Tz7iUnGpXtBle+ynZfc2EkUFJdyimCFN9eJHnrSq7NRV00dfaOZaQJzLR8DtV/2MB9J9EWhK8lgYZwow8qird+iLB4BuFmC93GmGk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=enjellic.com; spf=pass smtp.mailfrom=enjellic.com; arc=none smtp.client-ip=76.10.64.91 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=enjellic.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=enjellic.com Received: from blizzard.enjellic.com (localhost [127.0.0.1]) by blizzard.enjellic.com (8.15.2/8.15.2) with ESMTP id 431AoK66027663; Mon, 1 Apr 2024 05:50:20 -0500 Received: (from greg@localhost) by blizzard.enjellic.com (8.15.2/8.15.2/Submit) id 431AoKQq027661; Mon, 1 Apr 2024 05:50:20 -0500 X-Authentication-Warning: blizzard.enjellic.com: greg set sender to greg@enjellic.com using -f From: Greg Wettstein To: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Cc: jmorris@namei.org Subject: [PATCH v3 03/12] TSEM global declarations. Date: Mon, 1 Apr 2024 05:50:06 -0500 Message-Id: <20240401105015.27614-4-greg@enjellic.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20240401105015.27614-1-greg@enjellic.com> References: <20240401105015.27614-1-greg@enjellic.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: "Dr. Greg" TSEM is designed, from a functional perspective, to be entirely contained in its own directory. TSEM uses a single global header file, tsem.h, to define the enumeration types, structure definitions and functions that are referenced across all of the compilation units that implement the LSM. --- security/tsem/tsem.h | 2278 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2278 insertions(+) create mode 100644 security/tsem/tsem.h diff --git a/security/tsem/tsem.h b/security/tsem/tsem.h new file mode 100644 index 000000000000..d1d3e847a550 --- /dev/null +++ b/security/tsem/tsem.h @@ -0,0 +1,2278 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +/* + * Copyright (C) 2024 Enjellic Systems Development, LLC + * Author: Dr. Greg Wettstein + * + * This is the single include file that documents all of the externally + * visible types and functions that are used by TSEM. This file is + * currently organized into four major sections in the following order; + * + * includes used by all compilation units + * CPP definitions + * enumeration types + * structure definitions + * function declarations + * inline encapsulation functions. + * + * Include files that are referenced by more than a single compilation + * should be included in this file. Includes that are needed to + * satisfy compilation requirements for only a single file should be + * included in the file needing that include. + * + * Understanding the overall implementation and architecture of TSEM + * will be facilitated by reviewing the documentation in this file. + */ + +#include +#include +#include +#include +#include +#include +#include + +/* + * The number of 'slots' in the structure magazines that are used to + * satisfy modeling of security events that are called in atomic context. + */ +#define TSEM_ROOT_MAGAZINE_SIZE 128 +#define TSEM_MAGAZINE_SIZE_INTERNAL 32 +#define TSEM_MAGAZINE_SIZE_EXTERNAL 128 + +/** + * enum tsem_event_type - Ordinal value for a security event. + * @TSEM_BPRM_COMMITTED_CREDS: Ordinal value for bprm_committed_creds. + * @TSEM_TASK_KILL: Ordinal value for task kill. + * @....: Remainder follows with a similar naming format that has + * TSEM_ prep ended to the raw LSM security hook name. + * @TSEM_EVENT_CNT: The final ordinal value is used to define the + * length of the following arrays that are indexed + * by the ordinal value of the hook: + * + * This enumeration is used to designate an ordinal value for each + * security event, ie. LSM hook/event handler, that TSEM is + * implementing modeling for. This value is used to identify the + * handler that is either having its event description being exported + * to an external trust orchestrator or modeled by the internal TMA + * implementation. + * + * The primary use of this enumeration is to conditionalize code paths + * based on the security hook being processed and to index the + * tsem_names array and the array that defines the action that is to + * be taken in response to an event that generates a permissions + * violation. + */ +enum tsem_event_type { + TSEM_BPRM_COMMITTING_CREDS = 1, + TSEM_TASK_KILL, + TSEM_TASK_SETPGID, + TSEM_TASK_GETPGID, + TSEM_TASK_GETSID, + TSEM_TASK_SETNICE, + TSEM_TASK_SETIOPRIO, + TSEM_TASK_GETIOPRIO, + TSEM_TASK_PRLIMIT, + TSEM_TASK_SETRLIMIT, + TSEM_TASK_SETSCHEDULER, + TSEM_TASK_GETSCHEDULER, + TSEM_TASK_PRCTL, + TSEM_FILE_OPEN, + TSEM_MMAP_FILE, + TSEM_FILE_IOCTL, + TSEM_FILE_LOCK, + TSEM_FILE_FCNTL, + TSEM_FILE_RECEIVE, + TSEM_UNIX_STREAM_CONNECT, + TSEM_UNIX_MAY_SEND, + TSEM_SOCKET_CREATE, + TSEM_SOCKET_CONNECT, + TSEM_SOCKET_BIND, + TSEM_SOCKET_ACCEPT, + TSEM_SOCKET_LISTEN, + TSEM_SOCKET_SOCKETPAIR, + TSEM_SOCKET_SENDMSG, + TSEM_SOCKET_RECVMSG, + TSEM_SOCKET_GETSOCKNAME, + TSEM_SOCKET_GETPEERNAME, + TSEM_SOCKET_SETSOCKOPT, + TSEM_SOCKET_SHUTDOWN, + TSEM_PTRACE_TRACEME, + TSEM_KERNEL_MODULE_REQUEST, + TSEM_KERNEL_LOAD_DATA, + TSEM_KERNEL_READ_FILE, + TSEM_SB_MOUNT, + TSEM_SB_UMOUNT, + TSEM_SB_REMOUNT, + TSEM_SB_PIVOTROOT, + TSEM_SB_STATFS, + TSEM_MOVE_MOUNT, + TSEM_SHM_ASSOCIATE, + TSEM_SHM_SHMCTL, + TSEM_SHM_SHMAT, + TSEM_SEM_ASSOCIATE, + TSEM_SEM_SEMCTL, + TSEM_SEM_SEMOP, + TSEM_SYSLOG, + TSEM_SETTIME, + TSEM_QUOTACTL, + TSEM_QUOTA_ON, + TSEM_MSG_QUEUE_ASSOCIATE, + TSEM_MSG_QUEUE_MSGCTL, + TSEM_MSG_QUEUE_MSGSND, + TSEM_MSG_QUEUE_MSGRCV, + TSEM_IPC_PERMISSION, + TSEM_KEY_ALLOC, + TSEM_KEY_PERMISSION, + TSEM_NETLINK_SEND, + TSEM_INODE_CREATE, + TSEM_INODE_LINK, + TSEM_INODE_UNLINK, + TSEM_INODE_SYMLINK, + TSEM_INODE_MKDIR, + TSEM_INODE_RMDIR, + TSEM_INODE_MKNOD, + TSEM_INODE_RENAME, + TSEM_INODE_SETATTR, + TSEM_INODE_GETATTR, + TSEM_INODE_SETXATTR, + TSEM_INODE_GETXATTR, + TSEM_INODE_LISTXATTR, + TSEM_INODE_REMOVEXATTR, + TSEM_INODE_KILLPRIV, + TSEM_TUN_DEV_CREATE, + TSEM_TUN_DEV_ATTACH_QUEUE, + TSEM_TUN_DEV_ATTACH, + TSEM_TUN_DEV_OPEN, + TSEM_BPF, + TSEM_BPF_MAP, + TSEM_BPF_PROG, + TSEM_PTRACE_ACCESS_CHECK, + TSEM_CAPABLE, + TSEM_CAPGET, + TSEM_CAPSET, + TSEM_EVENT_CNT +}; + +/** + * enum tsem_action_type - Ordinal value for security responses. + * @TSEM_ACTION_LOG: Ordinal value to indicate that a security event + * that results in a model permissions violation + * should be logged. + * @TSEM_ACTION_EPERM: Ordinal value to indicate that a security event + * generating a model permissions violation should + * return -EPERM to the caller. + * + * This enumeration type is used to designate what type of action is + * to be taken when the processing of a security event hook results in + * a model violation. The TSEM_ACTION_LOG and TSEM_ACTION_EPERM + * translate into the classical concepts of logging or enforcing + * actions used by other mandatory access control architectures. + */ +enum tsem_action_type { + TSEM_ACTION_LOG = 0, + TSEM_ACTION_EPERM, + TSEM_ACTION_CNT +}; + +/** + * enum tsem_control_type - Ordinal values for TSEM control actions. + * @TSEM_CONTROL_INTERNAL: This ordinal value is set when the first + * word of an argument string written to the + * control file is the word 'internal'. This + * designates that the security namespace will + * be modeled by the internal TMA. + * @TSEM_CONTROL_EXTERNAL: This ordinal value is set when the first + * word of an argument string written to the + * control file is the word 'external'. This + * designates that the security namespace will + * be model by an external TMA. + * @TSEM_CONTROL_ENFORCE: This ordinal value is set when the word + * 'enforce' is written to the control file. + * This indicates that model is to be placed + * in 'enforcing' mode and security events that + * result in model violations will return EPERM. + * @TSEM_CONTROL_SEAL: This ordinal value is set when the word 'seal' + * is written to the control file. This indicates + * that the model for security domain will treat + * all security events that do not conform to the + * model as 'forensics' events. + * @TSEM_CONTROL_TRUSTED: This ordinal value is used when the first + * word of an argument string written to the + * control file is the word 'trusted'. This + * is interpreted as a directive to set the + * trust status of the task that executed the + * security event to be trusted. + * @TSEM_CONTROL_UNTRUSTED: This ordinal value is used when the first + * word of an argument string written to the + * control file is the word 'untrusted'. + * This is interpreted as a directive to set + * the trust status of the task that executed + * the security event to be untrusted. + * @TSEM_CONTROL_MAP_STATE: This ordinal value is used when the first + * word of an argument string written to the + * control file is the word 'state'. The + * argument to this directive will be an + * ASCII hexadecimally encoded string of the + * current model's digest size that will be + * treated as a security state point for + * inclusion in the security model for the + * security domain/namespace. + * @TSEM_CONTROL_MAP_PSEUDONYM: This ordinal value is used when the + * first word of an argument string + * written to the control file is the + * word 'pseudonym'. The argument to + * this directive will be an ASCII + * hexadecimally encoded string of the + * current model's digest size that will + * be treated as a pseudonym directive + * for the security domain/namespace. + * TSEM_CONTROL_MAP_BASE: This ordinal value is used when the first + * word of an argument string written to the + * control file is the word 'base'. The + * argument to this directive will be an ASCII + * hexadecimally encoded string of the current + * model's digest size that will be treated as + * the base value for the computation of the + * functional values (measurement and state) of + * the security domain/namespace. + + * This enumeration type is used to designate what type of control + * action is to be implemented when arguments are written to the TSEM + * control file (/sys/kernel/security/tsem/control). The ordinal + * values govern the processing of the command and the interpretation + * of the rest of the command argument string. + */ +enum tsem_control_type { + TSEM_CONTROL_INTERNAL = 0, + TSEM_CONTROL_EXTERNAL, + TSEM_CONTROL_EXPORT, + TSEM_CONTROL_ENFORCE, + TSEM_CONTROL_SEAL, + TSEM_CONTROL_TRUSTED, + TSEM_CONTROL_UNTRUSTED, + TSEM_CONTROL_MAP_STATE, + TSEM_CONTROL_MAP_PSEUDONYM, + TSEM_CONTROL_MAP_BASE +}; + +/** + * enum tsem_ns_reference - Ordinal value for DAC namespace reference. + * @TSEM_NS_INITIAL: This ordinal value indicates that the uid/gid + * values should be interpreted against the initial + * user namespace. + * @TSEM_NS_CURRENT: This ordinal value indicates that the uid/gid + * values should be interpreted against the user + * namespace that is in effect for the process being + * modeled. + * + * This enumeration type is used to indicate what user namespace + * should be referenced when the uid/gid values are interpreted for + * the creation of either the COE or CELL identities. The enumeration + * ordinal passed to the tsem_ns_create() function, to configure the + * security domain/namespace, is set by the nsref argument to either + * the 'internal' or 'external' control commands. + */ +enum tsem_ns_reference { + TSEM_NS_INITIAL = 1, + TSEM_NS_CURRENT +}; + +/** + * enum tsem_task_trust - Ordinal value describing task trust status. + * @TSEM_TASK_TRUSTED: This ordinal value indicates that the task has + * not executed a security event that has resulted + * in a security behavior not described by the + * security model the task is being governed by. + * @TSEM_TASK_UNTRUSTED: This ordinal value indicates that the task + * has requested the execution of a security event + * that resulted in a security behavior not + * permitted by the security model the task is + * being governed by. + * @TSEM_TASK_TRUST_PENDING: This ordinal value indicates that the setting + * of the task trust status is pending a response + * from an external TMA. + * + * This enumeration type is used to specify the three different trust + * states that a task can be in. The trust status of a task is + * regulated by the trust_status member of struct tsem_task. A task + * carrying the status of TSEM_TASK_TRUSTED means that it has + * not requested the execution of any security events that are + * inconsistent with the security model that the task is running in. + * + * If a task requests execution of a security event that is + * inconsistent with the security model it is operating in, and the + * domain is running in 'sealed' mode, the task trust status is set to + * TSEM_TASK_UNTRUSTED. This value is 'sticky' in that it will be + * propagated to any child tasks that are spawned from an untrusted + * task. + * + * In the case of an externally modeled security domain/namespace, the + * task trust status cannot be determined until the modeling of the + * security event has been completed. The tsem_export_event() + * function sets the trust status TSEM_TASK_TRUST_PENDING and then + * places the task into an interruptible sleep state. + * + * Only two events will cause the task to be removed from sleep state. + * Either the task is killed or a control message is written to the + * TSEM control file that specifies the trust status of the task. See + * the description of the TSEM_CONTROL_TRUSTED and + * TSEM_CONTROL_UNTRUSTED enumeration types. + */ +enum tsem_task_trust { + TSEM_TASK_TRUSTED = 1, + TSEM_TASK_UNTRUSTED = 2, + TSEM_TASK_TRUST_PENDING = 4 +}; + +/** + * enum tsem_inode_state - Ordinal value for inode reference state. + * @TSEM_INODE_COLLECTING: This ordinal value indicates that the inode + * is being opened in order to compute the + * digest of the file. + * @TSEM_INODE_COLLECTED: This ordinal value indicates that the digest + * file for the contents of the file referenced + * by the inode has been collected and is + * available in the digest cache attached to + * the inode. + * @TSEM_INODE_CONTROL_PLANE: The associated inode represents a TSEM + * control plane file that should be + * bypassed for security tests such as + * the TSEM_FILE_OPEN event. + * + * This enumeration type is used to specify the status of the inode. + * The primary purpose of this enumeration is so that the recursive + * call to the TSEM_FILE_OPEN hook, caused by the kernel opening the + * file to compute the checksum, can be bypassed when the digest + * value of the file is being computed for inclusion in an event + * description. + * + * The state value of the inode is carried in struct tsem_inode and is + * set and interrogated by the event.c:add_file_digest() function. If + * the status of the inode is TSEM_INODE_COLLECTED and the iversion of + * the inode is the same as it was at collection time, the cached + * value for the currently active namespace digest function is + * returned. + * + * If the test for the relevancy of the cached digest value fails the + * status of the inode is set to TSEM_INODE_COLLECTING. The + * tsem_file_open() function will check the inode status when it is + * invoked by the integrity_kernel_read() function and if it is + * set to 'COLLECTING', a successful permissions check is returned so + * that the kernel can open the file and compute its digest. + * + * The TSEM_INODE_CONTROL_PLANE value is used to indicate that the + * attached inode is part of the TSEM control plane. This allows + * security events referencing this inode to bypass event processing + * in order to avoid a 'Heisenberg deadlock' situation. + */ +enum tsem_inode_state { + TSEM_INODE_COLLECTING = 1, + TSEM_INODE_COLLECTED, + TSEM_INODE_CONTROL_PLANE +}; + +/** + * struct tsem_task - TSEM task control structure. + * @tma_for_ns: The context identity number of the namespace that + * the task has control over if any. + * @instance: The instance number of the task. The global task + * instance number is incremented each time the + * bprm_committed_creds handler is invoked to compute the + * TASK_ID of a process. This instance number represents + * the total number of unique instances of a specific body + * of executable code has been requested. + * @p_instance: The instance number of the parent process to the + * process represented by an instance of this structure. + * This value allows an execution heirarchy of executable + * code to be established. + * @trust_status: The enumeration type that specifies the trust state of + * the process. + * @task_id: The TSEM task identity (TASK_ID) of the process. + * @p_task_id: The TASK_ID of the parent process to the process + * represented by an instance of this structure. + * @task_key: A security model specific digest value that is used to + * authenticate a task that is running as a trust + * orchestrator to a task that is under the control of the + * orchestrator. + * @context: A pointer to the tsem_context structure that defines the + * modeling context that the task is running under. + + * This structure is represents the TSEM security state of a task. It + * is automatically created when the task control structure is + * allocated for the creation of a new task. + * + * The trust_status member of structure determines whether or not the + * task is in a condition to be trusted. It represents whether or not + * the task has requested execution of a security event that is + * inconsistent with the security model that the task is running + * under. Reference the tsem_trust_status enumeration type for more + * information on this member. The trust status value is propagated + * to any child tasks that are spawned from a task. + * + * The value of task_id member is generated by the + * tsem_bprm_committed_creds() function that computes the task + * identity based TSEM TASK_ID generative function. This task_id + * value is used in the computation of the security state point values + * in combination with the COE and CELL mappings for this event. + * The task_id digest creates security state points that are specific + * to the executable code that was used to initiate the task. + * + * The instance member of the structure is used to temporally + * disambiguate instances of the same task_id. A single 64-bit + * counter is used to generate the instance. This counter is + * incremented and assigned to the instance member of the structure + * at the same tame the TASK_ID value is computed. + * + * The task_key member holds the authentication key that will be used + * to authenticate a process that is requesting the ability to set the + * trust status of a process. This value is generated for the task + * structure of the trust orchestrator when a security modeling + * namespace is created by the orchestrator. + * + * The context member of the structure contains a pointer to the + * tsem_context structure allocated when a security modeling namespace + * is created by the tsem_ns_create() function. This structure will + * contain all of the information needed to define how the task is to + * have its security behavior modeled. + */ +struct tsem_task { + u64 tma_for_ns; + u64 instance; + u64 p_instance; + enum tsem_task_trust trust_status; + u8 task_id[HASH_MAX_DIGESTSIZE]; + u8 p_task_id[HASH_MAX_DIGESTSIZE]; + u8 task_key[HASH_MAX_DIGESTSIZE]; + struct tsem_context *context; +}; + +/** + * struct tsem_context - TSEM modeling context description. + * @kref: Reference count for the context. + * @work: Work structure for asynchronous release of the context. + * @id: The index number of the context. + * @sealed: A status variable indicating whether or not the + * modeling context can be modified. + * @use_current_ns: Status variable indicating which user namespace + * should be used for resolution of uid/gid values. + * A true value indicates that the user namespace + * the process is running under should be used. + * @actions: An array of enum tsem_action_type variables indicating + * the type of response that should be returned in + * response to the modeling of a security event that + * is inconsistent with the model being used for the + * security context. + * @digestname: A pointer to a null-terminated buffer containing the + * name of the digest function that is to be used for + * this security context. + * @zero_digest: The digest value for a 'zero-length' digest value. + * @tfm: A pointer to the digest transformation structure that is to + * generate cryptographic checksums for the modeling context. + * @inode_mutex: The lock that protects the inode_list that tracks + * inodes created in the context of a security modeling + * namespace. + * @inode_list: The list of inodes created in a security modeling + * namespace protected by the inode_mutex member of + * this structure. + * @magazine_size: The number of struct tsem_event structures that + * are held in reserve for security event handlers that + * are called in atomic context. + * @magazine_lock: The spinlock that protects access to the event + * magazine. + * @magazine_index: The bitmap that is used to track the magazine slots + * that have been allocated. + * @ws: An array of work structures that are used to refill the event + * magazine slots. + * @magazine: An array of pointers to tsem_event structures that are + * pre-allocated for security handlers that are called in + * atomic context. + * @model: If the modeling context is implemented with a kernel based + * trusted model agent this pointer will point to the struct + * tsem_model structure that maintains the state of the + * security model. + * @external: If the modeling context is implemented with an external + * modeling agent this pointer will point to the + * tsem_external structure that implements the interface to + * the trust orchestrator that is managing the security + * modeling namespace represented by this structure. + * + * This structure is used to represent the state of a TSEM security + * modeling namespace. A pointer to this structure is stored in the + * struct tsem_task structure. + * + * This structure is allocated by the tsem_ns_create() function in + * response to a TSEM control request. This structure maintains all + * of the information that describes the security modeling namespace + * that is not specific to the type of namespace, ie. external or + * internal that is being implemented. + * + * The id member is a 64-bit counter that cannot feasibly be + * overflowed and that is incremented for each namespace that is + * created. The root modeling namespace has a value of zero so the + * TSEM code uses a pattern of testing this value for non-zero status + * as an indication of whether or not the task is running in a + * subordinate modeling namespace. + * + * Each security modeling namespace can have an independent + * cryptographic digest function that is used as the compression + * function for generating the security coefficients, and other + * entities, that are used to model security events that occur in a + * namespace. A single struct tfm is allocated for this digest + * function at the time that the tsem_context structure is created and + * is maintained in this structure for subsequent use during event + * processing. + * + * Each cryptographic digest function has a 'zero message' value that + * is the result of the initialization and closure of a hash function + * that has no other input. This zero digest value is computed at the + * time of the creation of the array. This digest value is returned + * for files with zero sizes, have pseudonyms declared for them or + * that reside on pseudo-filesystems. + + * The actions array contains a specification of how each security + * event should be handled in the event that a TMA detects a + * security event inconsistent with the model designated for the + * security modeling namespace. This array allows the specification + * of whether the events should be enforcing or logging. + * + * Each security event that is processed requires a struct tsem_event + * structure that drives either the internal modeling of an event or + * its export to an external modeling agent. Some security event + * hooks are called while a task is running in atomic context. Since + * memory cannot be allocated while a process is in atomic context, a + * magazine of these structures is maintained by this structure for + * security events that run in atomic context. The size of this + * magazine is dynamic and is configurable for each security modeling + * + * When a tsem_event structure is allocated for an atomic event a + * request for the refill of the slot that is vacated is dispatched to + * an asynchronous workqueue. The ws member of this structure points + * to an array of work structures for this refill capability, one for + * each slot in the magazine. + * + * All of this infrastructure is generic for each security modeling + * namespace. How the security modeling is done is governed by the + * model and externally defined members of this structure. These + * members point to data structures that either maintain the security + * model state for an in kernel trusted modeling agent or handle the + * export of the event to an external trust orchestrator. + * + * Each task that is created in a non-root security modeling namespace + * increments the reference count maintained in the kref member of + * this structure in the tsem_task_alloc() function. The + * tsem_task_free() function decrements this reference count. When + * the reference count expires, ie. when the last task using the + * modeling namespace exits, an asynchronous workqueue request is + * dispatched to dispose of the context. The work member of this + * structure is used to reference that workqueue. + */ +struct tsem_context { + struct kref kref; + struct work_struct work; + + u64 id; + bool sealed; + bool use_current_ns; + + enum tsem_action_type actions[TSEM_EVENT_CNT]; + + char *digestname; + u8 zero_digest[HASH_MAX_DIGESTSIZE]; + struct crypto_shash *tfm; + + struct mutex inode_mutex; + struct list_head inode_list; + + unsigned int magazine_size; + spinlock_t magazine_lock; + unsigned long *magazine_index; + struct tsem_work *ws; + struct tsem_event **magazine; + + struct tsem_model *model; + struct tsem_external *external; +}; + +/** + * struct tsem_model - TSEM internal TMA description. + * @have_aggregate: Flag variable to indicate whether or not the + * hardware aggregate value has been injected into + * the model. + * @base: The base value that is to be used in computing the + * security state coefficients for the model. + * @measurement: The time dependent linear extension state of the + * security state coefficients that have been + * experienced in the model. + * @state: The time independent functional description of the security + * model. + * @point_lock: The spinlock that protects access to the list of + * security state coefficients in the model. + * @point_list: A pointer to the list of security state coefficients + * in the model protected by the point_lock. + * @point_end_mutex: The mutex that is used to protect the end of the + * list of security state coefficients that will + * be exported. + * @point_end: A pointer to the end of the list of security state + * coefficients that will be traversed by a call to the + * control plane. + * @trajectory_lock: The spinlock used to protect the list of security + * event descriptions in the model. + * @trajectory_list: A pointer to the list of descriptions of the + * security events that have been recorded in this + * model. + * @trajectory_end_mutex: The mutex that protects the end of the list + * of security event descriptions. + * @trajectory_end: A pointer to the end of the list of security event + * descriptions that will be traversed by a call to + * the control plane. + * @forensics_lock: The spinlock used to protect the list of security + * event descriptions that are considered invalid by + * the model being enforced. + * @forensics_list: A pointer to the list of descriptions of security + * events that are considered invalid by the security + * model being enforced. + * @forensics_end_mutex: The mutex that protects the end of the list + * of security event descriptions that are + * considered invalid by the current model. + * @forensics_end: A pointer to the end of the list of security event + * descriptions, that are considered invalid, that are + * to be traversed by a call to the control plane. + * @pseudonym_mutex: The mutex lock that protects the list of file + * digest pseudonyms for the current model. + * @pseudonum_list: A pointer to the list of file digest pseudonyms + * that have been declared for the current model. + * @magazine_size: The number of struct tsem_event_point structures that + * are held in reserve for security event hooks that + * are called in atomic context. + * @magazine_lock: The spinlock that protects access to the event + * magazine for the security context. + * @magazine_index: The bitmap that is used to track the magazine slots + * that have been allocated. + * @ws: An array of work structures that are used to refill the magazine + * slots. + * @magazine: An array of pointers to struct tsem_event_point structures that + * are pre-allocated for security hooks called in atomic + * context. + * + * If a call to the tsem_ns_create() function specifies that a kernel + * based trusted modeling agent is to be used to implement the + * security namespace model, a pointer to this structure is placed in + * the struct tsem_context structure. This structure is used to + * maintain the state of the kernel based model. + * + * There are two primary functional values that are maintained by the + * model. The measurement member of this structure represents the + * time dependent linear extension sum of the security state + * coefficients that have been assigned to security events that have + * occurred in the context of the model. This is a measurement + * that has been classically maintained by a Trusted Platform Module. + * + * This classic integrity measurement is subject to scheduling + * dependencies and may be invariant from run to run of the model. It + * is of primary use in verifying the order of security events that + * have occurred in the model. + * + * The state member of this structure represents a time independent + * linear extension sum of the security state coefficients that have + * been generated in the model. It represents a functional value + * for the security state of the model being enforced. + * + * Both of these measurements are dependent on the platform hardware + * aggregate value and the base point that has been defined for the + * define. + * + * A non-NULL representation of the hardware aggregate value is only + * available if the platform has a TPM. The have_aggregate member of + * this structure is a flag variable that indicates whether or not the + * aggregate value has been injected into the model. + * + * The base member of this structure contains a model specific + * coefficient that is used to perturb each security state coefficient + * generated in the model. This value is designed to serve as a + * 'freshness' value for a verifying party to the model. + * + * There are three primary model lists maintain by this structure: + * + * * security state points + * * security trajectory events + * * security forensics events + * + * Similar members are maintained in this structure to support each of + * these lists. + * + * All three lists are extension only and are protected by a spinlock + * that can be held in atomic context. This spinlock is only held for + * the period of time required to extend the list. + * + * Calls by the control plane to interrogate the lists require the + * traversal of the list that is ill-suited for a spinlock. As a + * result each list type has a mutex associated with it that protects + * a pointer to the end of the list, an endpoint that is determined at + * the start of a call to the control plane. + * + * The list spinlock is used at the start of the control plane call to + * capture the end of the list that is then protected by the mutex. + * In essence this is used to transition protection of the list from + * the spinlock to the mutex. + * + * The kernel based modeling agent has support for maintaining a + * constant digest value for files, that by function, do not have a + * fixed digest value, such as log files or files residing on a + * pseudo-filesystem. The pseudonym_list member of this structure + * points to the list of these designations. The pseudonym_mutex + * structure protects this list. + * + * Like the struct tsem_context structure the tsem_model structure + * maintains a magazine of structures that are used to service + * security events that are called in atomic context. The magazine + * maintained by this structure is a list of struct tsem_event_point + * structures that are used to describe the security state + * coefficients held by the model. + * + * The description of struct tsem_context details the implementation + * of the magazine which is identical to the implementation for this + * structure, with the exception of the type of structures that are + * held in reserve. + */ +struct tsem_model { + bool have_aggregate; + + u8 base[HASH_MAX_DIGESTSIZE]; + u8 measurement[HASH_MAX_DIGESTSIZE]; + u8 state[HASH_MAX_DIGESTSIZE]; + + spinlock_t point_lock; + struct list_head point_list; + struct mutex point_end_mutex; + struct list_head *point_end; + unsigned int point_count; + + spinlock_t trajectory_lock; + struct list_head trajectory_list; + struct mutex trajectory_end_mutex; + struct list_head *trajectory_end; + + spinlock_t forensics_lock; + struct list_head forensics_list; + struct mutex forensics_end_mutex; + struct list_head *forensics_end; + + struct mutex pseudonym_mutex; + struct list_head pseudonym_list; + + struct mutex mount_mutex; + struct list_head mount_list; + + unsigned int magazine_size; + spinlock_t magazine_lock; + unsigned long *magazine_index; + struct tsem_work *ws; + struct tsem_event_point **magazine; +}; + +/** + * struct tsem_external - TSEM external TMA description. + * @export_only: A flag variable used to indicate that the security + * namespace is running in export only mode that + * simply presents the events to the external trust + * orchestrator. + * @export_lock: The spinlock that protects access to the export_list + * member of this structure. + * @export_list: A pointer to the list of events waiting to be + * exported to the trust orchestrator for the security + * modeling namespace. The structure type that is + * linked by this list is the struct export_event + * structure that is private to the export.c compilation + * unit. + * @dentry: A pointer to the dentry describing the pseudo-file in the + * /sys/kernel/security/tsem/external_tma directory that is + * being used to export security event descriptions to the + * external trust orchestrator for the security modeling + * namespace. + * @have_event: A flag variable to indicate that is work queued + * on the export pseudo-file for the security modeling + * namespace. + * @wq: The work queue used to implement polling for the security + * event export file. + * @magazine_size: The number of struct export_event structures that + * are held in reserve for security event hooks that + * are called in atomic context. + * @magazine_lock: The spinlock that protects access to the event + * magazine for the security modeling domain. + * @magazine_index: The bitmap that is used to track the magazine slots + * that have been allocated. + * @ws: An array of work structures that are used to refill the magazine + * slots. + * @magazine: An array of pointers to struct export_event structures that + * are pre-allocated for security hooks called in atomic + * context. + * + * If an externally modeled security modeling namespace is created + * a structure of this type is allocated for the namespace and placed + * in the struct tsem_context structure. + * + * The primary purpose of this structure is to manage event + * descriptions that are being transmitted to the trust orchestrator + * associated with the security modeling namespace. The pseudo-file + * will be as follows: + * + * /sys/kernel/security/tsem/external_tma/N + * + * Where N is the context id number of the modeling namespace. + * + * The dentry member of this structure is used to represent the + * pseudo-file that is created when the external modeled namespace is + * created. + * + * This list of events waiting to be received by the trust + * orchestrator is maintained in the export_list member of this + * structure. Additions or removals from the list hold the spinlock + * described by the export_lock member of this structure. + * + * The wq member of this structure is used to implement a workqueue + * to support polling for events on the export control file. The + * have_event flag is set to indicate to the polling call that + * security events are available for export. + * + * When a security event description is exported the calling task is + * scheduled away to allow the trust orchestrator to process the + * event. This obviously creates issues for security events that are + * called in atomic context. + * + * Security events in atomic context are exported as an async_event + * rather than a simple event. The trust orchestrator has the option + * of killing the workload that deviated from the security model or + * signaling a violation of the model. + * + * To support the export of asynchronous events, magazine + * infrastructure, similar to the event and model structure magazines, + * is maintained by this structure for the external modeling + * namespace. + */ +struct tsem_external { + bool export_only; + + spinlock_t export_lock; + struct list_head export_list; + struct dentry *dentry; + bool have_event; + wait_queue_head_t wq; + + unsigned int magazine_size; + spinlock_t magazine_lock; + unsigned long *magazine_index; + struct tsem_work *ws; + struct export_event **magazine; +}; + +/** + * struct tsem_work - TSEM magazine refill work structure. + * @index: The index number of the slot in the structure magazine that + * is being refilled. + * @u: A union that holds pointers to the structure whose magazine is + * being refilled. + * @work: The work structure that manages the workqueue being used to + * refill the magazine entry. + * + * As has been previously documented for the struct tsem_context, + * struct tsem_model and struct tsem_external structures, there is a + * need to maintain a magazine of these structures in order to allow + * the processing of security events that are called in atomic + * context. An array of this structure type is embedded in each of + * those structures to manage the asynchronous refill of the slot in + * the magazine that was used to handle an atomic security event. + * + * The index member of this structure points to the slot in the + * magazine that this work item is referencing. + * + * The structure that the refill work is being done for is maintained + * in the respective structure pointer in the u member of this + * structure. + * + * The work member of this structure is used to reference the + * asynchronous work request that is being submitted for the refill. + */ +struct tsem_work { + unsigned int index; + union { + struct tsem_context *ctx; + struct tsem_model *model; + struct tsem_external *ext; + } u; + struct work_struct work; +}; + +/** + * struct tsem_COE - TSEM context of execution definition structure. + * @uid: The numeric user identity that the COE is running with. + * @euid: The effective user identity that the COE is running with. + * @suid: The saved user identity possessed by the COE. + * @gid: The group identity that the COE is running with. + * @egid: The effective group identity that the COE possesses. + * @sgid: The saved group identity of the COE. + * @fsuid: The filesystem user identity that the COE is running with. + * @fsgid: The filesystem group identity that the COE is running with. + * @capeff: This union is used to implement access to the effective + * capability set the COE is running with. The mask value + * is used to assign to the structure with the value member + * used to extract the 64 bit value for export and + * computation. + * @securebits: In a file capabilities implementation this value + * specifies potential handling for process running with + * a UID value of 0. + * + * A security state coefficient is computed from two primary entities: + * the COE and the CELL identities. This structure is used to carry + * and encapsulate the characteristics of the context of execution + * (COE) that will be used to generate the COE identity. + * + * The numeric values for discretionary access controls, ie. uid, gid, + * are determined by which user namespace the security modeling + * namespace is configured to reference. The reference will be either + * the initial user namespace or the user namespace that the context + * of execution is running in. This reference can be set on a per + * security model namespace basis. + */ +struct tsem_COE { + uid_t uid; + uid_t euid; + uid_t suid; + + gid_t gid; + gid_t egid; + gid_t sgid; + + uid_t fsuid; + gid_t fsgid; + + union { + kernel_cap_t mask; + u64 value; + } capeff; + + unsigned int securebits; +}; + +/** + * struct tsem_inode_cell - TSEM inode information. + * @uid: The numeric user identity assigned to the inode. + * @gid: The numeric group identity assigned to the inode. + * @mode: The discretionary access mode for the file. + * @s_magic: The magic number of the filesystem that the file resides + * in. + * @s_id: The name of the block device supporting the filesystem the + * inode is on. + * @s_uuid: The uuid of the filesystem that contains the inode. + * + * This structure defines the characteristics of an inode that is + * referenced by a security event. + */ +struct tsem_inode_cell { + uid_t uid; + gid_t gid; + umode_t mode; + u32 s_magic; + u8 s_id[32]; + u8 s_uuid[16]; +}; + +/** + * struct tsem_inode_entry - Reference to a directory inode with temp files. + * @list: List of directory inodes for a security modeling namespace + * that have had an inode created under the directory. + * @tsip: A pointer to the TSEM security description of a temporary + * file that was createdunder a directory entry. + * + * This structure is used to implement a list of directory inodes that + * have had temporary files created under them in a security modeling + * namespace. This list is used to allow the instance identifiers + * for inodes to be removed when the security modeling namespace + * terminates or when the directory in which temporary files had been + * created is removed. + */ + +struct tsem_inode_entry { + struct list_head list; + struct tsem_inode *tsip; +}; + +/** + * struct tsem_inode_instance - Instance information for a created inode. + * @list: List of inode owners. + * @creator: The id number of the security modeling namespace that is + * creating an inode. + * @instance: The instance number of an inode being created under a + * given directory. + * @owner: The TASK_ID of the process creating the inode. + * @pathname: A pointer to allocated memory holding the null-terminated + * pathname for the inode. + * + * This structure is used to convey information about the owner and + * instance number of an inode created in a security modeling namespace. + * + * This structure serves three distinct purposes. + * + * A linked list of these structures is used to convey ownership and + * instance information about a created inode from the + * tsem_inode_create() function to the tsem_inode_init_security() + * function, so that this information can be attached to the inode via + * the tsem_inode structure. + * + * Secondly, a linked list of inode ownership information is + * maintained for inodes that are created in a security modeling + * namespace and used as mountpoints. This list is maintained in the + * security model description for the namespace. Since the inode that + * is 'covering' the mountpoint is different than the inode describing + * the directory created for the mountpoint, the ownership information + * for the inode needs to carried as a characteristic of the model. + * + * The final use of this structure is to track the instance numbers of + * an inode created by a TASK_ID. This list is carried by the + * directory in which temporary files and directories are created. + * + */ +struct tsem_inode_instance { + struct list_head list; + + u64 creator; + u64 instance; + u8 owner[HASH_MAX_DIGESTSIZE]; + char *pathname; +}; + +/** + * struct tsem_path - TSEM path information. + * @created: A flag to indicate that the path was created in the + * context of the current security modeling namespace. + * @creator: The id of the security modeling namespace that created + * the path. + * @instance: The instance number of an inode that was created. + * @owner: The TASK_ID of the process that created the path. + * @dev: The device number that the filesystem is mounted on. + * @pathname: An allocated and null-terminated buffer containing the + * path from the root directory to the file. + * + * The tsem_path structure is used to carry information about the + * pathname and ownership of a filesystem object that is an argument + * to a security event handler. + */ +struct tsem_path { + bool created; + u64 creator; + u64 instance; + u8 owner[HASH_MAX_DIGESTSIZE]; + + dev_t dev; + char *pathname; +}; + +/** + * struct tsem_dentry - TSEM dentry definition. + * @have_inode: A flag variable to indicate that the dentry has an + * inode associated with it. + * @inode: The TSEM characteristics of the inode associated with a dentry. + * @path: The path definition for the dentry. + * + * This structure is used to contain the TSEM representation of a + * dentry. + */ +struct tsem_dentry { + bool have_inode; + struct tsem_inode_cell inode; + struct tsem_path path; +}; + +/** + * struct tsem_inode_args - Arguments for inode security handlers. + * @mode: The access mode requested for an inode being created. + * @dev: For the inode_mknod handler, the device specification for + * device node being created. + * @in.old_name: In the case of the tsem_inode_symlink handler, this + * member contains a pointer to the filename of the target + * of the symbolic link. + * @in.dir: For handlers processing rename or movement of an inode, + * the inode of the directory that contains the inode to be moved. + * @in.new_dir: For handlers processing the rename or movement of an + * inode, the inode of the directory that will contain + * the destination inode. + * @in.dentry: The dentry argument to inode event handlers that take + * a dentry. + * @in.new_dentry: In the case of handlers that result in a new dentry + * a pointer to that dentry. + * @out.old_name: In the case of the tsem_inode_symlink handler this + * member contains a pointer to a copy of the name of + * the target of symbolic link. This second + * representation is used to avoid warnings about the + * use of a constant character pointer in the arguments + * to the handler. + * @out.dir: The TSEM representation of the inode representing a directory + * that the security handler is acting on. + * @out.new_dir: For inode movements or renames, the TSEM representation + * of the new_dir argument. + * @out.dentry: The TSEM representation of the dentry argument to a + * security handler. + * @out.new_dentry: For inode movements or renames, the + * representation of the new location of the inode. + * + * This structure is used to carry input parameters and their + * retained and translated TSEM equivalent for LSM security handlers + * that are acting on inodes and/or dentries. + */ +struct tsem_inode_args { + umode_t mode; + dev_t dev; + + union { + struct { + const char *old_name; + struct inode *dir; + struct inode *new_dir; + struct dentry *dentry; + struct dentry *new_dentry; + } in; + + struct { + char *old_name; + struct tsem_inode_cell dir; + struct tsem_inode_cell new_dir; + struct tsem_dentry dentry; + struct tsem_dentry new_dentry; + } out; + }; +}; + +/** + * struct tsem_file_args - TSEM file argument description. + * @cmd: The command argument for security handlers that take a + * command type arguement, ie. file_ioctl, file_fcntl, file_lock + * handlers. + * @in.pseudo_file: A flag indicating that the file was on a + * pseudo-filesystem and will not have a digest value. + * @in.file: A structure to the file that will be modeled. + * @out.path: The TSEM representation of the pathname to a file. + * @out.inode: The TSEM representation of the inode that backs a file + * description + * @out.flags: The flags value from the file structure. + * @out.digest: The cryptographic checksum of the contents of the file. + * + * This structure is used to carry the input file description and + * their TSEM retention values for security event handles that are + * provided with a struct file pointer. + */ +struct tsem_file_args { + unsigned int cmd; + + union { + struct { + bool pseudo_file; + struct file *file; + } in; + + struct { + struct tsem_path path; + struct tsem_inode_cell inode; + unsigned int flags; + u8 digest[HASH_MAX_DIGESTSIZE]; + } out; + + }; +}; + +/** + * struct tsem_mmap_file_args - TSEM memory mapping arguments. + * @anonymous: A flag variable to indicate whether or not the mapping + * is file backed or anonymous. + * @file: If the handler is being called for a file backed mapping this + * structure will be populated with the TSEM description of the + * file. + * @prot: The protections that are being requested for the mapping. + * @flags: The control flags to the memory mapping call. + * + * This structure is used to encapsulate the arguments provided to the + * tsem_mmap_file security event handler. The anonymous member of + * this structure is used internally by TSEM to indicate that the + * file pointer to the call was NULL, thus indicating that the mapping + * is for anonymous memory. + */ +struct tsem_mmap_file_args { + u32 anonymous; + struct tsem_file_args file; + u32 prot; + u32 flags; +}; + +/** + * struct tsem_socket - TSEM socket information + * @family: The family name of the socket whose creation is being + * requested. + * @type: The type of the socket being created. + * @protocol: The protocol family of the socket being created. + * @kern: A flag variable to indicate whether or not the socket being + * created is kernel or userspace based. + * @owner: The TASK_ID of the task that created the socket. + * + * This structure is used to encapsulate socket information for + * security handlers that take a socket description as an argument. + */ +struct tsem_socket { + int family; + int type; + int protocol; + int kern; + u8 owner[HASH_MAX_DIGESTSIZE]; +}; + +/** + * struct tsem_socket_args - TSEM socket arguments + * @value: Possible numeric values passed to event handlers. + * @optname: The option name for the tsem_socket_setsockopt call. + * @in.socka: A pointer to the socket argument of a security handler. + * @in.sockb: A pointer to a second socket argument that may be supplied + * to the handler. + * @in.addr: In the case of handlers that accept an address + * description a pointer to that description. + * @out.socka: The TSEM representation of the first socket argument. + * @out.sockb: The TSEM representation of the second socket argument. + * @out.have_addr: A boolean flag used to indicate that either the + * ipv6 or ipv6 union members have been populated. + * @out.ipv4: The IPV4 address of an AF_INET socket. + * @out.ipv6: The IPV6 address of an AF_INET6 socket. + * @out.path: The path of an AF_UNIX socket. + * @out.mapping: The checksum of the socket address if the socket type + * is other than AF_INET, AF_INET6 or AF_UNIX. + * + * This structure is used to maintain arguments provided to LSM + * hooks that handle generic socket security events. + */ +struct tsem_socket_args { + int value; + int optname; + + union { + struct { + struct sock *socka; + struct sock *sockb; + void *addr; + } in; + + struct { + struct tsem_socket socka; + struct tsem_socket sockb; + bool have_addr; + union { + struct sockaddr_in ipv4; + struct sockaddr_in6 ipv6; + char path[UNIX_PATH_MAX + 1]; + u8 mapping[HASH_MAX_DIGESTSIZE]; + }; + } out; + }; +}; + +/** + * struct tsem_netlink_args - TSEM netlink event parameters + * @in.sock: The sock argument to the LSM event handler. + * @in.parms: The pointer to the netlink parameters from the sk_buff + * structure that was passed to the LSM hook. + * @out.sock: The TSEM representation of the sock argument. + * @out.uid: The UID, in the TSEM designated namespace of the uid in + * the netlink control block. + * @out.gid: THE GID, in the TSEM designated namespace of the gid in + * the netlink control block. + * @out.portid: The portid member of the netlink_skb_parms structure. + * @out.dst_group: The dst_group member of the netlink_skb_parms structure. + * @out.flags: The flags member of the netlink_skb_parms structure. + * @nsid_set: The nsid_set flag member of the netlink_skb_parms structure. + * @nsid: The nsid member of the netlink_skb_parms structure. + * + * This structure is used to encapsulate and retain the arguments + * provided to the tsem_netlink_send event handler. + * + */ +struct tsem_netlink_args { + union { + struct { + struct sock *sock; + struct netlink_skb_parms *parms; + } in; + + struct { + struct tsem_socket sock; + uid_t uid; + gid_t gid; + __u32 portid; + __u32 dst_group; + __u32 flags; + bool nsid_set; + int nsid; + } out; + }; +}; + +/** + * struct tsem_sb_args - TSEM parameters for superblock security events. + * flags: An integer value that was a component of the LSM argument + * for the sb_mount, sb_umount, sb_remount handlers. + * @in.sb: For the sb_remount handler the pointer to the superblock + * argument passed to the caller. + * @in.dentry: An incoming dentry argument. + * @in.dev_name: The name of the device to be used for the sb_mount + * command. + * @in.path: The path argument passed to the sb_mount commands. + * @in.type: A character pointer to the filesystem type being processed + * by the superblock security handlers. + * @in.path2: The second path argument passed to the move_mount and + * sb_pivotroot security handlers. + * @out.dentry: The TSEM representation of the dentry argument to the + * handler. + * @out.inode: The TSEM representation of the inode backing the dentry + * argument to an LSM handler. + * @out.path: The TSEM representation of the incoming path argument. + * @out.dev_name: A an allocated copy of the dev_name argument. + * @out.type: A allocated copy of the filesystem type. + * @out.path2: The TSEM representation of the second path argument if + * used. + * + * This structure is used to encapsulate and retain the arguments for + * the family of security event handlers that deal with superblocks. The + * list of these handlers is as follows: + * + * tsem_sb_mount + * tsem_sb_umount + * tsem_sb_remount + * tsem_move_mount + * tsem_sb_statfs + */ +struct tsem_sb_args { + unsigned long flags; + + union { + struct { + struct super_block *sb; + struct dentry *dentry; + const char *dev_name; + const char *type; + const struct path *path; + const struct path *path2; + } in; + + struct { + struct tsem_dentry dentry; + char *dev_name; + char *type; + struct tsem_path path; + struct tsem_path path2; + } out; + }; +}; + +/** + * struct tsem_task_kill_args - TSEM task kill arguments. + * @u.value: The signed representation of an integer argument. + * @u.resource: The unsigned representation of an integer argument. + * @cur: The current resource limit for a task_setrlimit call. + * @max: The maximum resource limit for a task_setrlimit call. + * @cross_model: A flag variable used to indicate whether or not the + * signal is originating from a security modeling + * namespace other than the namespace of the target process. + * @signal: The number of the signal being sent. + * @source: The task identifier of the process sending the signal + * @target: The task identifier of the target process. + * + * This structure is used to encapsulate and retain the arguments + * provided to the tsem_task_kill security event handler. + * + */ +struct tsem_task_kill_args { + union { + int value; + unsigned int resource; + } u; + u64 cur; + u64 max; + u32 cross_model; + u32 signal; + u8 source[HASH_MAX_DIGESTSIZE]; + u8 target[HASH_MAX_DIGESTSIZE]; +}; + +/** + * struct tsem_task_prlimit_args - TSEM task prlimit arguments. + * @flags: The flag variable passed to the LSM handler. + * @in.cred: The cred pointer passed to the handler. + * @in.tcred: The tcred pointer passed to the handler. + * @out.cred: The TSEM representation of the in.cred pointer. + * @out.tcred: The TSEM representation of the in.tcred pointer. + * + * This structure is used to hold and retain the arguments provided to + * the tsem_task_prlimit security event handler. + */ +struct tsem_task_prlimit_args { + unsigned int flags; + + union { + struct { + const struct cred *cred; + const struct cred *tcred; + + } in; + + struct { + struct tsem_COE cred; + struct tsem_COE tcred; + } out; + + }; +}; + +/** + * struct tsem_task_prctl - TSEM task prctl arguments. + * @option: The first argument to the task_prctl LSM handler + * specifying the command to be executed. + * @arg2: The first argument to the handler. + * @arg3: The second argument to the handler. + * @arg4: The third argument to the handler. + * @arg5: The fourth and final argument to the handler. + * + * This structure is used to encapsulate the arguments provided to the + * tsem_task_prctl security event handler. The argument model is to + * specify the 'option' value which is the kernel prctl call that is + * to be executed. The remaining positional arguments are without + * specific format and are designed to be interpreted by the prctl + * system call based on the command specified. + */ +struct tsem_task_prctl_args { + int option; + unsigned long arg2; + unsigned long arg3; + unsigned long arg4; + unsigned long arg5; +}; + +/** + * struct tsem_inode_attr_args - TSEM inode manipulation arguments. + * @in.path: In the case of the inode_getattr call the path to the + * inode being referenced. + * @in.dentry: In the case of the inode_setattr call the dentry that + * whose characteristics will be set. + * @in.iattr: A pointer to the iattr structure that was passed to the + * inode_setattr handler. + * @out.dentry: A TSEM dentry definition structure that will retain + * the description of either a dentry or path argument + * to a security handler. + * @out.valid: The ia_valid member from the iattr structure passed to the + * inode_setattr handler + * @out.mode: The ia_mode member from the iattr structure passed to the + * inode_setattr handler. + * @out.uid: The ia_uid member from the iattr structure passed to the + * inode_setattr handler. + * @out.gid: The ia_gid member from the iattr structure passed to the + * inode_setattr handler. + * hook. + * @out.size: The ia_size member from the iattr structure passed to the + * inode_setattr handler. + * + * This structure is used to encapsulate information on the arguments + * passed to the inode_getattr and inode_setattr LSM handler. The in + * structure is used to hold the arguments passed that were passed to + * the handlers. Argument information that is to be held for the life + * of the event description are in the out structure. + */ +struct tsem_inode_attr_args { + union { + struct { + const struct path *path; + struct dentry *dentry; + struct iattr *iattr; + } in; + + struct { + struct tsem_dentry dentry; + unsigned int valid; + umode_t mode; + uid_t uid; + gid_t gid; + loff_t size; + } out; + }; +}; + +/** + * struct tsem_inode_xattr_args - TSEM extended attribute arguments. + * @in.dentry: A pointer to the backing inode for the dentry that was + * passed to the LSM hook. The relevant values from the inode + * will be copied into the tsem_file structure. + * @in.name: A pointer to the name of the extended attribute being + * queried. + * @in.size: The size of an extended attribute that may be set. + * @in.flags: The flag value specifying how an extended attributte is + * to be set. + * @out.dentry: The TSEM representation of the path that is being + * action on. + * @out.name: The name of an attribute to be set or retrieved. + * @out.value: The binary value of the extended attribute that was + * passed to the inode_setxattr handler. For an + * internally modeled namespace this value will be freed + * after the coefficient for the event is mapped. + * @out.encoded_value: The Base64 encoding of the extended attribute + * value that is used for either the export of + * the event or the trajectory history. This + * memory will be allocated in order to support + * encoding of the attribute. + * @out.size: The size of the att + * @out.flags: The flags value that was passed to the inode_setxattr + * handler. + * + * This structure is used to encapsulate information on the arguments + * passed to the LSM hooks that manipulate extended attributes. The + * in structure is used to hold the pointers to the arguments passed + * to the LSM hook while the out structure holds the arguments in + * converted form that will be held for the lifetime of the modeling + * namespace. + */ +struct tsem_inode_xattr_args { + union { + struct { + struct dentry *dentry; + const char *name; + const void *value; + size_t size; + int flags; + } in; + + struct { + struct tsem_dentry dentry; + char *name; + char *value; + char *encoded_value; + size_t size; + int flags; + } out; + }; +}; + +/** + * struct tsem_kernel_args - TSEM event descriptions for kernel requests. + * @id: For the tsem_kernel_load_data handler the indicator of the type + * of data being requested. + * @contents: The boolean flag used to indicate whether or not the + * security_kernel_post_load_data handler should be called. + * @in.file: A pointer to the file structure passwd to the + * tsem_kernel_file_file handler. + * @in.kmod_name: A pointer to the buffer containing the name of the + * module to load. + * @out.kmod_name: The retained copy of the kernel module name. + * @out.file: The TSEM representation of the file structure that was + * passed to the tsem_kernel_read_file handler. + * + * This structure is used to encapsulate information on the arguments + * passed to the following LSM hook handlers: + * + * tsem_kernel_module_request + * tsem_kernel_load_data + * tsem_kernel_read_file + */ +struct tsem_kernel_args { + enum kernel_load_data_id id; + bool contents; + + union { + struct { + struct file *file; + char *kmod_name; + } in; + + struct { + char *kmod_name; + struct tsem_file_args file; + } out; + }; +}; + +/** + * struct tsem_time_args - TSEM event description for setting the time + * @have_ts: A flag variable to indicate if the time in seconds and + * nanoseconds is valid. + * @seconds: The number of seconds passed to the time set function. + * @nsecs: The number of nanoseconds to set the time to. + * @have_tz: A flag variable to indicate if the timezone information + * is valid. + * @minuteswest: The minutes west of GMT for the time being set. + * @dsttime: The daylight savings time offset. + * + * This structure is a simple encapsulation of the arguments passed to + * the TSEM_SETTIME handler. + */ +struct tsem_time_args { + bool have_ts; + long seconds; + long nsecs; + + bool have_tz; + int minuteswest; + int dsttime; +}; + +/** + * struct tsem_quota_args - TSEM arguments for quota security management. + * @cmds: The cmds argument from the security_quotactl handler. + * @type: The type argument from the security_quotactl handler. + * @id: The id argument from the security_quotactl handler. + * @in.dentry: In the case of the quota_on LSM handler the dentry + * argument to the handler. + * @in.sb: The superblock pointer argument from the security_quotactl handler. + * @out.dentry: The TSEM dentry representation of a dentry arguement + * to the quota handlers. + * @out.s_flags: In the case of the quotactl handler the flags from + * the superblock of the filesystem. + * @out.fstype: In the case of the quotactl handler the filesystem + * type of the mountpoint. + * + * This structure is an encapsulation of the arguments and their + * retention values for the LSM security handlers that make security + * decisions relevant to filesystem quota manipulation. + */ +struct tsem_quota_args { + int cmds; + int type; + int id; + + union { + struct { + struct dentry *dentry; + const struct super_block *sb; + } in; + + struct { + struct tsem_dentry dentry; + unsigned long s_flags; + char *fstype; + } out; + }; +}; + +/** + * struct tsem_key_args - TSEM key handler arguments. + * @flags: The flags value passed to the key_alloc handler. + * @in.cred: A pointer to the credential structures passed to the + * security handlers. + * @out.possessed: A flag variable indicating if a key is owned by a + * task. + * @out.uid: The owner id of a key. + * @out.gid: The group id of a key. + * @out.flags: The flags value retained for a key operation. + * @out.cred: The retained credentials of a process attempting to + * access a key. + * @out.perm: The retained permissions value of a key. + * + * This structure is used to hold the arguments to the LSM hooks that + * handle key security event and their retained TSEM equivalents. + */ +struct tsem_key_args { + unsigned long flags; + + union { + struct { + key_ref_t ref; + const struct cred *cred; + + } in; + + struct { + bool possessed; + uid_t uid; + gid_t gid; + unsigned long flags; + struct tsem_COE cred; + u32 perm; + } out; + + }; +}; + +/** + * struct tsem_bpf_args - TSEM bpf security handler arguments. + * @bpf.cmd: For the security_bpf LSM handler the command number passed + * the event handler. + * @bpf.size: For the security_bpf LSM handler the size argument passed + * to the event handler. + * @prog.type: For the security_bpf_prog LSM handler the type member of + * the bpf_prog structure passed to the event handler. + * @prog.attach_type: For the security_bpf LSM handler the attach_type + * member of the bpf_prog structure passed to the + * event handler. + * @map.map_type: For the security_map LSM handler the map_type member + * of the bpf_map structure passed to the event handler. + * @map.fmode: For the security_map LSM handler the fmode argument passed + * to the event handler. + + * This structure is used to hold the arguments to the various LSM + * hooks that handle BPF security management. This structure is a + * union over structures for each of the TSEM bpf handlers. + */ +struct tsem_bpf_args { + union { + struct { + int cmd; + unsigned int size; + } bpf; + + struct { + int type; + int attach_type; + } prog; + + struct { + int map_type; + fmode_t fmode; + } map; + }; +}; + +/** + * struct tsem_ipc_perm - TSEM retained members of an IPC permission + * structure. + * @uid: The uid member of the IPC permission structure translated into + * the namespace reference for the modeling namespace. + * @gid: The gid member of the IPC permission structure translated into + * the namespace reference for the modeling namespace. + * @cuid: The cuid member of the IPC permission structure translated + * into the namespace reference for the modeling namespace. + * @cgid: The cgid member of the IPC permission structure translated + * into the namespace reference for the modeling namespace. + * @mode: The mode member of the IPC permission structure. + * + * This structure is used to hold the translated values from a + * kern_ipc_perm structure that is passed to one of the LSM IPC + * shared memory security handlers. + */ +struct tsem_ipc_perm { + uid_t uid; + gid_t gid; + uid_t cuid; + gid_t cgid; + umode_t mode; +}; + +/** + * struct tsem_ipc_args - TSEM arguments for IPC security handlers. + * @perm_flag: For the tsem_ipc_permission handler the permission flag. + * @value: A signed integer value that serves as an argument type to + * a number of the handlers. + * @nsops: In the came of the tsem_sem_semop handler the nsops argument + * to the handler. + * @type: The type argument to the msg_queue_msgrcv handler. + * @in.perm: The kern_ipc_perm structure that is passed to multiple + * handlers that define the permissions for the IPC + * object whose security status is being checked. + * @in.target: For the msg_queue_msgrc handler the TASK_ID of the + * process ending the message. + * @out.perm: The TSEM translated versions of the perm pointer that + * was passed to a handler. + * @out.owner: The TASK_ID of the task that created the IPC resource. + * @out.target: The retained version of the TASK_ID describing the + * sender of a message. + * + * This structure is an encapsulation of the arguments and their + * retention values for the LSM security handlers that make security + * decisions relevant to IPC objects. + */ +struct tsem_ipc_args { + short perm_flag; + int value; + unsigned int nsops; + long type; + + union { + struct { + struct kern_ipc_perm *perm; + struct task_struct *target; + } in; + + struct { + struct tsem_ipc_perm perm; + u8 owner[HASH_MAX_DIGESTSIZE]; + u8 target[HASH_MAX_DIGESTSIZE]; + } out; + }; +}; + +/** + * struct tsem_capability_args - TSEM arguments for capability handling. + * @cap: A capability specified for an event. + * @opts: Options for handling a capabilities command. + * @effective: The effective capability that is being manipulated. + * @inheritable: The inheritable capability that is being manipulated. + * @permitted: The permitted capability that is being manipulated. + * @target: The TASK_ID of the process whose capabilities are being + * requested. + * + * This structure is an encapsulation of the arguments to be retained + * for security event descriptions that describe security events + * involving process capabilities. + */ +struct tsem_capability_args { + int cap; + unsigned int opts; + + kernel_cap_t effective; + kernel_cap_t inheritable; + kernel_cap_t permitted; + + u8 target[HASH_MAX_DIGESTSIZE]; +}; + +/** + * struct tsem_event - TSEM security event description. + * @kref: Reference count structure to track event lifetime. + * @list: The list of security events in a security modeling namespace. + * @work: The work structure that manages the workqueue being used to + * refill the event magazine structures. + * @event: The enumeration type describing the security event that the + * structure is defining. + * @locked: A boolean flag used to indicate whether or not the + * security event is running in atomic context. + * @instance: The process instance number that is executing the + * event described by the structure. + * @p_instance: The parent process instance number of the process + * executing the event described by the structure. + * @pid: The process id number, in the global pid namespace, of the + * task that is executing the security event. + * @comm: A pointer to a null terminated buffer containing the name of + * the process that is requesting the security event. + * @digestsize: The size in bytes of the cryptographic hash function + * that is being used in the security modeling namespace + * in which the event occurred. + * @task_id: The TSEM TASK_ID of the process that generated the + * security event described by an instance of this + * structure. + * @mapping: The security state coefficient that the event described + * by this structure generates. + * @COE: The tsem_COE structure that describes the Context Of + * Execution that generated the event described by this + * structure. + * @no_params: A boolean value that is set if the security event + * has no characterizing parameters. + * @CELL: The CELL union is used to hold the data structures that + * characterize the CELL mapping of the event. + * @CELL.value: A single numeric value that may be used in + * characterizing an event. + * @CELL.netlink: A structure describing parameters that characterize + * an event inolving a netlink event. + * @CELL.inode: A structure describing characters of security events + * that address inode manipulation operations. + * @CELL.file: A structure characterizing a file used as an arguement + * for a security event. + * @CELL.mmap_file: The structure describing the characteristics of + * a security event involving a memory mapping event. + * @CELL.socket: A structure characterizing security events that + * involve a socket. + * @CELL.kernel: A structure characterizing kernel I/O or memory + * loading opeations. + * @CELL.task_kill: The structure describing the characteristics of an + * event sending a signal to a process. + * @CELL.task_prlimit: A structure describing a security event that + * sets process resource limits. + * @CELL.task_prctl: A structure describing an event involving the + * process control operations. + * @CELL.inode_attr: A structure describing events involving getting + * or setting of inode attributes. + * @CELL.inode_xattr: A structure describing events involving actions + * on inode extended attributes. + * @CELL.key: A structure describing events involving manipulation of + * a kernel key. + * @CELL.sb: A structure describing events that involve the a + * filesystem superblock. + * @CELL.quota: A structure describing events that involve the + * manipulation of filesystem quotas. + * @CELL.time: A structure describing the setting of the system time + * or timezone. + * @CELL.bpf: A structure describing involves involving manipulation + * of BPF functionality + * @CELL.ipc: A structure describing events that are manipulating + * shared memory structures or operations. + * @CELL.capability: A structure describing events that manipulate + * the capabilities of a process. + * + * This structure is the primary data structure for describing + * security events that occur in a security modeling namespace. Each + * unique security coefficient in the namespace will have one of these + * structures associated with it. + * + * This structure encapsulates the following three major sources of + * information about the event: + * + * * A description of the process initiating the event. + * * The characteristics of the COE identity of the event. + * * The characteristics of the CELL identity of the event. + * + * Since one event description has to ultimately characterize any + * security event that can occur, the strategy is to use a union that + * contains security event specific structures that describe the + * characteristics of the event. The event member of the structure + * is used to indicate the structure that should be referenced. + * + * The kref member of this structure is used to track the lifetime of + * an instance of this structure. For example, in the case of an + * externally modeled event, when the export of the event description + * is complete. In the case of an internally modeled namespace the + * structure will be released if it represents a security state + * coefficient that is already present in the model. The structures + * are also released when an internally modeled namespace terminates. + * + * The work member of this structure is used to support asynchronous + * updates to a TPM for the root modeling domain. Asynchronous + * updates are used to improve the performance of modeling and to + * handle security events that are running in atomic context and + * cannot be scheduled away while the TPM transaction completes. + * + * The tsem_event_allocate() function is called by a TSEM security + * event handler to allocate and populate an instance of this + * structure. The locked member of this structure is used to + * determine whether the structure should be allocated from the + * kmem_cache based structure pool or from the magazine of structures + * help for processes running in atomic context. + * + * After the event is mapped this structure is either passed to the + * internal trusted modeling agent or the contents of this structure + * is exported to the trust orchestrator attached to the namespace for + * modeling by an external trusted modeling agent. + */ +struct tsem_event { + struct kref kref; + struct list_head list; + struct work_struct work; + + enum tsem_event_type event; + bool locked; + u64 instance; + u64 p_instance; + u64 timestamp; + pid_t pid; + char comm[TASK_COMM_LEN]; + + unsigned int digestsize; + u8 task_id[HASH_MAX_DIGESTSIZE]; + u8 p_task_id[HASH_MAX_DIGESTSIZE]; + u8 mapping[HASH_MAX_DIGESTSIZE]; + + struct tsem_COE COE; + + bool no_params; + union { + int value; + struct tsem_netlink_args netlink; + struct tsem_inode_args inode; + struct tsem_file_args file; + struct tsem_mmap_file_args mmap_file; + struct tsem_socket_args socket; + struct tsem_kernel_args kernel; + struct tsem_task_kill_args task_kill; + struct tsem_task_prlimit_args task_prlimit; + struct tsem_task_prctl_args task_prctl; + struct tsem_inode_attr_args inode_attr; + struct tsem_inode_xattr_args inode_xattr; + struct tsem_key_args key; + struct tsem_sb_args sb; + struct tsem_quota_args quota; + struct tsem_time_args time; + struct tsem_bpf_args bpf; + struct tsem_ipc_args ipc; + struct tsem_capability_args capability; + + } CELL; +}; + +/** + * struct tsem_event_point - TSEM security coefficient characteristics. + * @list: The list of all the security state coefficients for a + * modeling namespace. + * @valid: A boolean value use to indicate whether or not the security + * state point is a valid coefficient in the model. + * @count: The number of times this coefficient has been expressed by + * the security modeling namespace. + * @point: The security state coefficient for a security event. + * + * This structure is used by internal trusted modeling agents to + * represent each unique security coefficient in a security model. + * Security state coefficients are unique within a model so only one + * struct tsem_event_point structure will be generated regardless of + * how many times the security event that generates the point occurs. + * The count member of this structure represents the total number of + * security events that have occurred generated this point. + * + * The valid member of this structure is used to flag whether this + * is consistent with the model for the namespace or was generated by + * a 'forensic', ie. out of model, event. + * + * Within each security namespace these structures are linked together + * in a list that describes the functional security value of the + * namespace. Entries are only added to this list and never removed. + * + * The desired state of a security model is created by using the TSEM + * control plane to inject a list of acceptable security state + * coefficients into the model. Sealing a model causes any security + * events that produce a coefficient different from those already in + * the model to be rejected as an invalid security event and logged as + * a forensic event for the model. + */ +struct tsem_event_point { + struct list_head list; + bool valid; + u64 count; + u8 point[HASH_MAX_DIGESTSIZE]; +}; + +/** + * struct tsem_inode - TSEM inode status structure. + * @create_mutex: The mutex that protects the create_list. + * @create_list: The list of structures that contain ownership and instance + * information for inodes created under a directory. + * @instance_mutex: The mutex protecting the instance_list. + * @instance_list: The list of task identities that have created inodes + * under a directory and the instance count of inodes + * for each TASK_ID. + * @digest_mutex: The mutex protecting the digest_list. + * @digest_list: A list of structures containing the digest values that + * have been calculated for the inode. + * @status: The status of the inode. See the discussion of enum + * tsem_inode_state for the information that is conveyed + * by this member. + * @created: A boolean flag to indicate that this inode was created + * in the context of a security modeling namespace. + * @creator: The context identity of the security modeling namespace that + * created the inode. + * @instance: The inode instance number for the TASK_ID that created + * the inode. + * @owner: The TASK_ID of the process that created the inode. + * + * This structure is used to contain the TSEM security state of an + * inode. + * + * Three lists are managed by this structure: + * + * An inode that is a directory will have inodes that are create under + * it added to the create_list. This list will be traversed when the + * inode is instantiated so creation information about the inode can + * be registered in the tsem_inode structure attached to that inode. + * + * The instance_list is also maintained by a directory inode and is + * used to track the instances of an inode that is created under the + * directory by specific TASK_ID's. + * + * The digest_list is used for inodes that are backing files and is + * used to track the various cryptographic digest values that have + * been computed for the file. This supports the use of multiple + * simultaneous digest values across multiple security modeling + * namespaces. + * + * The status member of this function serves two purposes: + * + * For file based inodes the status member is used to indicate + * whether or not the digest value is being computed. The + * tsem_file_open handler uses this status variable to determine + * whether or not the modeling of an event should be bypassed if the + * file is being opened by the kernel to compute the digest value of + * the file. + * + * The second role of the status member is to indicate that the inode + * is one of the TSEM control plane files. This allows modeling of + * events involving this inode to be bypassed in order to avoid a + * 'Heisenberg Deadlock' situation. + */ +struct tsem_inode { + struct mutex create_mutex; + struct list_head create_list; + + struct mutex instance_mutex; + struct list_head instance_list; + + struct mutex digest_mutex; + struct list_head digest_list; + + enum tsem_inode_state status; + bool created; + u64 creator; + u64 instance; + u8 owner[HASH_MAX_DIGESTSIZE]; +}; + +/** + * struct tsem_ipc - TSEM IPC security structure. + * @owner: The identity of the task that created the IPC resource. + * + * This structure is used to track the TASK_ID of the process that + * created the IPC memory resource so that information can be + * integrated into security coefficients that are generated for + * shared memory events. + */ +struct tsem_ipc { + u8 owner[HASH_MAX_DIGESTSIZE]; +}; + +/** + * struct tsem_inode_digest - Digest specific file checksum. + * @list: The list structure used to link multiple digest values + * for an inode. + * @name: A pointer to an allocated null-terminated character + * buffer containing the name of the hash function that + * generated the digest value represented by an instance + * of this structure. + * @version: The version number of the inode that generated the digest + * value that is currently represented. + * @value: The digest value of the file represented by the inode.. + * + * A linked list of these structures is maintained for each inode that + * is modeled by TSEM and is used to support multiple hash specific + * digest values for a file represented by the inode. The tsem_inode + * structure that represents the TSEM security status of the inode + * contains a list of these structures. + * + * The name member of structure contains the name of the hash function + * that generated the checksum value. This name is used to locate the + * correct structure by comparing its value against the hash function + * that is being used by the security modeling namespace that is + * traversing the list attempting to locate a previously computed + * digest value. + * + * The version member of the structure contains the inode version number + * that was in effect when the last digest value of this type was computed. + * This version number value is used to detect changes and to trigger an + * update of the digest value. + */ +struct tsem_inode_digest { + struct list_head list; + char *name; + u64 version; + u8 value[HASH_MAX_DIGESTSIZE]; +}; + +/* + * The following three variables are the only globally visible + * variables used in the TSEM implementation. + * + * The tsem_blob_sizes variable is used by the LSM infrastructure to + * describe the amount of space that will be needed by the TSEM + * security structures. + * + * The tsem_names array is defined in the tsem.c file and contains an + * array of pointers to the strings that define the names for each of + * the TSEM security event handlers. The enum tsem_event_type + * enumeration indexes this array. + * + * The tsem_root_actions array is also indexed by the tsem_event_type + * enumeration and is used to determine the type of response that a + * TSEM security event handler is to return to the caller, ie. either + * logging or enforcing. The contents of this array is inherited by + * copying the array into the struct tsem_context structure for + * modeling namespaces that are subordinate to the root model. + */ +extern struct lsm_blob_sizes tsem_blob_sizes; +extern const char * const tsem_names[TSEM_EVENT_CNT]; +extern enum tsem_action_type tsem_root_actions[TSEM_EVENT_CNT]; + +/* + * The following section of the file contains the definitions for the + * externally visible functions in each of the TSEM compilation units. + */ +extern struct dentry *tsem_fs_create_external(const char *name); +extern void tsem_fs_show_trajectory(struct seq_file *c, struct tsem_event *ep); +extern void tsem_fs_show_field(struct seq_file *c, const char *field); +extern void tsem_fs_show_key(struct seq_file *c, char *term, char *key, + char *fmt, ...); +extern int tsem_fs_init(void); + +extern struct tsem_model *tsem_model_allocate(size_t size); +extern void tsem_model_free(struct tsem_context *ctx); +extern int tsem_model_event(struct tsem_event *ep); +extern int tsem_model_load_point(u8 *point); +extern int tsem_model_load_pseudonym(u8 *mapping); +extern int tsem_model_has_pseudonym(struct tsem_inode *tsip, char *pathname); +extern void tsem_model_load_base(u8 *mapping); +extern int tsem_model_add_aggregate(void); +extern void tsem_model_compute_state(void); +extern void tsem_model_magazine_free(struct tsem_model *model); +extern int tsem_model_cache_init(struct tsem_model *model, size_t size); + +extern void tsem_ns_put(struct tsem_context *ctx); +extern int tsem_ns_event_key(u8 *task_key, const char *keystr, u8 *key); +extern int tsem_ns_create(const enum tsem_control_type type, + const char *digest, const enum tsem_ns_reference ns, + const char *key, const unsigned int cache_size); +extern int tsem_ns_export_root(unsigned int magazine_size); + +extern int tsem_export_show(struct seq_file *m, void *v); +extern int tsem_export_event(struct tsem_event *ep); +extern int tsem_export_action(enum tsem_event_type event, bool locked); +extern int tsem_export_aggregate(void); +extern int tsem_export_magazine_allocate(struct tsem_external *ext, + size_t size); +extern void tsem_export_magazine_free(struct tsem_external *ext); +extern int tsem_export_cache_init(void); + +extern int tsem_map_task(struct file *file, u8 *mapping); +int tsem_map_event(struct tsem_event *ep); + +extern struct tsem_event *tsem_event_allocate(enum tsem_event_type event, + bool locked); +extern int tsem_event_init(struct tsem_event *ep); +extern void tsem_event_put(struct tsem_event *ep); +extern void tsem_event_get(struct tsem_event *ep); +extern int tsem_event_magazine_allocate(struct tsem_context *ctx, size_t size); +extern void tsem_event_magazine_free(struct tsem_context *ctx); +extern int tsem_event_cache_init(void); + +extern u8 *tsem_trust_aggregate(void); +extern int tsem_trust_add_event(struct tsem_event *ep); + +/* + * The remaining inline function declarations follow the design + * pattern of the other LSM's and implement functions that return + * various TSEM characteristics of tasks, modeling contexts and + * inodes. + */ +static inline struct tsem_task *tsem_task(const struct task_struct *task) +{ + return task->security + tsem_blob_sizes.lbs_task; +} + +static inline bool tsem_task_trusted(struct task_struct *task) +{ + return tsem_task(task)->trust_status & TSEM_TASK_TRUSTED; +} + +static inline bool tsem_task_untrusted(struct task_struct *task) +{ + return tsem_task(task)->trust_status & ~TSEM_TASK_TRUSTED; +} + +static inline struct tsem_context *tsem_context(struct task_struct *task) +{ + return tsem_task(task)->context; +} + +static inline struct tsem_model *tsem_model(struct task_struct *task) +{ + return tsem_task(task)->context->model; +} + +static inline struct tsem_inode *tsem_inode(struct inode *inode) +{ + return inode->i_security + tsem_blob_sizes.lbs_inode; +} + +static inline struct tsem_ipc *tsem_ipc(struct kern_ipc_perm *kipc) +{ + return kipc->security + tsem_blob_sizes.lbs_ipc; +} + +static inline struct crypto_shash *tsem_digest(void) +{ + return tsem_context(current)->tfm; +} + +static inline unsigned int tsem_digestsize(void) +{ + return crypto_shash_digestsize(tsem_digest()); +} -- 2.39.1