From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Fan Wu" <wufan@linux.microsoft.com>, <corbet@lwn.net>,
<zohar@linux.ibm.com>, <jmorris@namei.org>, <serge@hallyn.com>,
<tytso@mit.edu>, <ebiggers@kernel.org>, <axboe@kernel.dk>,
<agk@redhat.com>, <snitzer@kernel.org>, <eparis@redhat.com>,
<paul@paul-moore.com>
Cc: <linux-doc@vger.kernel.org>, <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<fsverity@lists.linux.dev>, <linux-block@vger.kernel.org>,
<dm-devel@lists.linux.dev>, <audit@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
"Deven Bowers" <deven.desai@linux.microsoft.com>
Subject: Re: [PATCH v16 01/20] security: add ipe lsm
Date: Thu, 28 Mar 2024 22:45:28 +0200 [thread overview]
Message-ID: <D05ODONHFJ9O.3VG0HLFPA1OB0@kernel.org> (raw)
In-Reply-To: <1711657047-10526-2-git-send-email-wufan@linux.microsoft.com>
On Thu Mar 28, 2024 at 10:17 PM EET, Fan Wu wrote:
> From: Deven Bowers <deven.desai@linux.microsoft.com>
>
> Integrity Policy Enforcement (IPE) is an LSM that provides an
> complimentary approach to Mandatory Access Control than existing LSMs
> today.
>
> Existing LSMs have centered around the concept of access to a resource
> should be controlled by the current user's credentials. IPE's approach,
> is that access to a resource should be controlled by the system's trust
> of a current resource.
>
> The basis of this approach is defining a global policy to specify which
> resource can be trusted.
>
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
> ---
> v2:
> + Split evaluation loop, access control hooks,
> and evaluation loop from policy parser and userspace
> interface to pass mailing list character limit
>
> v3:
> + Move ipe_load_properties to patch 04.
> + Remove useless 0-initializations
> + Prefix extern variables with ipe_
> + Remove kernel module parameters, as these are
> exposed through sysctls.
> + Add more prose to the IPE base config option
> help text.
> + Use GFP_KERNEL for audit_log_start.
> + Remove unnecessary caching system.
> + Remove comments from headers
> + Use rcu_access_pointer for rcu-pointer null check
> + Remove usage of reqprot; use prot only.
> + Move policy load and activation audit event to 03/12
>
> v4:
> + Remove sysctls in favor of securityfs nodes
> + Re-add kernel module parameters, as these are now
> exposed through securityfs.
> + Refactor property audit loop to a separate function.
>
> v5:
> + fix minor grammatical errors
> + do not group rule by curly-brace in audit record,
> reconstruct the exact rule.
>
> v6:
> + No changes
>
> v7:
> + Further split lsm creation into a separate commit from the
> evaluation loop and audit system, for easier review.
>
> + Introduce the concept of an ipe_context, a scoped way to
> introduce execution policies, used initially for allowing for
> kunit tests in isolation.
>
> v8:
> + Follow lsmname_hook_name convention for lsm hooks.
> + Move LSM blob accessors to ipe.c and mark LSM blobs as static.
>
> v9:
> + Remove ipe_context for simplification
>
> v10:
> + Add github url
>
> v11:
> + Correct github url
> + Move ipe before bpf
>
> v12:
> + Switch to use lsm_id instead of string for lsm name
>
> v13:
> + No changes
>
> v14:
> + No changes
>
> v15:
> + Add missing code in tools/testing/selftests/lsm/lsm_list_modules_test.c
>
> v16:
> + No changes
> ---
> MAINTAINERS | 7 ++++
> include/uapi/linux/lsm.h | 1 +
> security/Kconfig | 11 ++---
> security/Makefile | 1 +
> security/ipe/Kconfig | 17 ++++++++
> security/ipe/Makefile | 9 ++++
> security/ipe/ipe.c | 41 +++++++++++++++++++
> security/ipe/ipe.h | 16 ++++++++
> security/security.c | 3 +-
> .../selftests/lsm/lsm_list_modules_test.c | 3 ++
> 10 files changed, 103 insertions(+), 6 deletions(-)
> create mode 100644 security/ipe/Kconfig
> create mode 100644 security/ipe/Makefile
> create mode 100644 security/ipe/ipe.c
> create mode 100644 security/ipe/ipe.h
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 079a86e680bc..16e29f2361c9 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -10744,6 +10744,13 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
> F: security/integrity/
> F: security/integrity/ima/
>
> +INTEGRITY POLICY ENFORCEMENT (IPE)
> +M: Fan Wu <wufan@linux.microsoft.com>
> +L: linux-security-module@vger.kernel.org
> +S: Supported
> +T: git https://github.com/microsoft/ipe.git
> +F: security/ipe/
> +
> INTEL 810/815 FRAMEBUFFER DRIVER
> M: Antonino Daplas <adaplas@gmail.com>
> L: linux-fbdev@vger.kernel.org
MAINTAINER updates should be split into separate commits, preferably to
the tail of the series because it is stamp for the full feature not a
subportion of it.
> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> index 33d8c9f4aa6b..938593dfd5da 100644
> --- a/include/uapi/linux/lsm.h
> +++ b/include/uapi/linux/lsm.h
> @@ -64,6 +64,7 @@ struct lsm_ctx {
> #define LSM_ID_LANDLOCK 110
> #define LSM_ID_IMA 111
> #define LSM_ID_EVM 112
> +#define LSM_ID_IPE 113
>
> /*
> * LSM_ATTR_XXX definitions identify different LSM attributes
> diff --git a/security/Kconfig b/security/Kconfig
> index 412e76f1575d..9fb8f9b14972 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -192,6 +192,7 @@ source "security/yama/Kconfig"
> source "security/safesetid/Kconfig"
> source "security/lockdown/Kconfig"
> source "security/landlock/Kconfig"
> +source "security/ipe/Kconfig"
>
> source "security/integrity/Kconfig"
>
> @@ -231,11 +232,11 @@ endchoice
>
> config LSM
> string "Ordered list of enabled LSMs"
> - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
> - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
> - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> - default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
> - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
> + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
> + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
> + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
> + default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
> + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
> help
> A comma-separated list of LSMs, in initialization order.
> Any LSMs left off this list, except for those with order
> diff --git a/security/Makefile b/security/Makefile
> index 59f238490665..cc0982214b84 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
> obj-$(CONFIG_CGROUPS) += device_cgroup.o
> obj-$(CONFIG_BPF_LSM) += bpf/
> obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
> +obj-$(CONFIG_SECURITY_IPE) += ipe/
>
> # Object integrity file lists
> obj-$(CONFIG_INTEGRITY) += integrity/
> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
> new file mode 100644
> index 000000000000..e4875fb04883
> --- /dev/null
> +++ b/security/ipe/Kconfig
> @@ -0,0 +1,17 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +#
> +# Integrity Policy Enforcement (IPE) configuration
> +#
> +
> +menuconfig SECURITY_IPE
> + bool "Integrity Policy Enforcement (IPE)"
> + depends on SECURITY && SECURITYFS
> + select PKCS7_MESSAGE_PARSER
> + select SYSTEM_DATA_VERIFICATION
> + help
> + This option enables the Integrity Policy Enforcement LSM
> + allowing users to define a policy to enforce a trust-based access
> + control. A key feature of IPE is a customizable policy to allow
> + admins to reconfigure trust requirements on the fly.
> +
> + If unsure, answer N.
> diff --git a/security/ipe/Makefile b/security/ipe/Makefile
> new file mode 100644
> index 000000000000..f7a80d0f18f8
> --- /dev/null
> +++ b/security/ipe/Makefile
> @@ -0,0 +1,9 @@
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Copyright (C) Microsoft Corporation. All rights reserved.
> +#
> +# Makefile for building the IPE module as part of the kernel tree.
> +#
> +
> +obj-$(CONFIG_SECURITY_IPE) += \
> + ipe.o \
> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
> new file mode 100644
> index 000000000000..b013aed15e73
> --- /dev/null
> +++ b/security/ipe/ipe.c
> @@ -0,0 +1,41 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) Microsoft Corporation. All rights reserved.
> + */
> +#include <uapi/linux/lsm.h>
> +
Not sure if this new line adds any clarity but you can keep it if you
want I neither mind that much.
> +#include "ipe.h"
> +
> +static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
> +};
> +
> +static const struct lsm_id ipe_lsmid = {
> + .name = "ipe",
> + .id = LSM_ID_IPE,
> +};
> +
> +static struct security_hook_list ipe_hooks[] __ro_after_init = {
> +};
> +
> +/**
> + * ipe_init - Entry point of IPE.
> + *
> + * This is called at LSM init, which happens occurs early during kernel
> + * start up. During this phase, IPE registers its hooks and loads the
> + * builtin boot policy.
> + * Return:
> + * * 0 - OK
> + * * -ENOMEM - Out of memory
Just a suggestion:
* 0: OK
* -ENOMEM: Out of memory (OOM)
Rationale being more readable (less convoluted).
And also sort of symmetrical how parameters are formatted in kdoc.
> + */
> +static int __init ipe_init(void)
> +{
> + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
> +
> + return 0;
> +}
> +
> +DEFINE_LSM(ipe) = {
> + .name = "ipe",
> + .init = ipe_init,
> + .blobs = &ipe_blobs,
> +};
> diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
> new file mode 100644
> index 000000000000..a1c68d0fc2e0
> --- /dev/null
> +++ b/security/ipe/ipe.h
> @@ -0,0 +1,16 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) Microsoft Corporation. All rights reserved.
> + */
> +
> +#ifndef _IPE_H
> +#define _IPE_H
> +
> +#ifdef pr_fmt
> +#undef pr_fmt
> +#endif
> +#define pr_fmt(fmt) "IPE: " fmt
s/IPE/ipe/
> +
> +#include <linux/lsm_hooks.h>
> +
> +#endif /* _IPE_H */
> diff --git a/security/security.c b/security/security.c
> index 7e118858b545..287bfac6b471 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -51,7 +51,8 @@
> (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_IMA) ? 1 : 0) + \
> - (IS_ENABLED(CONFIG_EVM) ? 1 : 0))
> + (IS_ENABLED(CONFIG_EVM) ? 1 : 0) + \
> + (IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))
>
> /*
> * These are descriptions of the reasons that can be passed to the
> diff --git a/tools/testing/selftests/lsm/lsm_list_modules_test.c b/tools/testing/selftests/lsm/lsm_list_modules_test.c
> index 06d24d4679a6..1cc8a977c711 100644
> --- a/tools/testing/selftests/lsm/lsm_list_modules_test.c
> +++ b/tools/testing/selftests/lsm/lsm_list_modules_test.c
> @@ -128,6 +128,9 @@ TEST(correct_lsm_list_modules)
> case LSM_ID_EVM:
> name = "evm";
> break;
> + case LSM_ID_IPE:
> + name = "ipe";
> + break;
> default:
> name = "INVALID";
> break;
BR, Jarkko
next prev parent reply other threads:[~2024-03-28 20:45 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 20:17 [PATCH v16 00/20] Integrity Policy Enforcement LSM (IPE) Fan Wu
2024-03-28 20:17 ` [PATCH v16 01/20] security: add ipe lsm Fan Wu
2024-03-28 20:45 ` Jarkko Sakkinen [this message]
2024-03-28 22:11 ` Randy Dunlap
2024-03-30 11:11 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 02/20] ipe: add policy parser Fan Wu
2024-03-28 20:46 ` Jarkko Sakkinen
2024-03-28 20:47 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 03/20] ipe: add evaluation loop Fan Wu
2024-03-28 20:49 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 04/20] ipe: add LSM hooks on execution and kernel read Fan Wu
2024-03-28 20:17 ` [PATCH v16 05/20] initramfs|security: Add a security hook to do_populate_rootfs() Fan Wu
2024-03-28 20:17 ` [PATCH v16 06/20] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2024-03-28 20:17 ` [PATCH v16 07/20] security: add new securityfs delete function Fan Wu
2024-03-28 20:17 ` [PATCH v16 08/20] ipe: add userspace interface Fan Wu
2024-03-28 20:17 ` [PATCH v16 09/20] uapi|audit|ipe: add ipe auditing support Fan Wu
2024-03-28 20:17 ` [PATCH v16 10/20] ipe: add permissive toggle Fan Wu
2024-03-28 20:17 ` [PATCH v16 11/20] block|security: add LSM blob to block_device Fan Wu
2024-03-30 11:26 ` kernel test robot
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 12/20] dm: add finalize hook to target_type Fan Wu
2024-03-28 20:17 ` [PATCH v16 13/20] dm verity: consume root hash digest and signature data via LSM hook Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 14/20] ipe: add support for dm-verity as a trust provider Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 15/20] security: add security_inode_setintegrity() hook Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 16/20] fsverity: consume fsverity built-in signatures via LSM hook Fan Wu
2024-04-03 5:02 ` Eric Biggers
2024-03-28 20:17 ` [PATCH v16 17/20] ipe: enable support for fs-verity as a trust provider Fan Wu
2024-04-03 5:10 ` Eric Biggers
2024-03-28 20:17 ` [PATCH v16 18/20] scripts: add boot policy generation program Fan Wu
2024-03-28 20:17 ` [PATCH v16 19/20] ipe: kunit test for parser Fan Wu
2024-03-28 20:17 ` [PATCH v16 20/20] documentation: add ipe documentation Fan Wu
2024-03-28 20:36 ` [PATCH v16 00/20] Integrity Policy Enforcement LSM (IPE) Jarkko Sakkinen
2024-03-28 20:38 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D05ODONHFJ9O.3VG0HLFPA1OB0@kernel.org \
--to=jarkko@kernel.org \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@lists.linux.dev \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=fsverity@lists.linux.dev \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.