From: Paul Moore <paul@paul-moore.com>
To: Fan Wu <wufan@linux.microsoft.com>,
corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org,
dm-devel@redhat.com, audit@vger.kernel.org,
roberto.sassu@huawei.com, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
Fan Wu <wufan@linux.microsoft.com>
Subject: Re: [PATCH RFC v10 4/17] ipe: add LSM hooks on execution and kernel read
Date: Sat, 08 Jul 2023 01:36:57 -0400 [thread overview]
Message-ID: <007992aec442cda5d5866e89b0ed5c69.paul@paul-moore.com> (raw)
In-Reply-To: <1687986571-16823-5-git-send-email-wufan@linux.microsoft.com>
On Jun 28, 2023 Fan Wu <wufan@linux.microsoft.com> wrote:
>
> IPE's initial goal is to control both execution and the loading of
> kernel modules based on the system's definition of trust. It
> accomplishes this by plugging into the security hooks for
> bprm_check_security, file_mprotect, mmap_file, kernel_load_data,
> and kernel_read_data.
>
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
> ---
> security/ipe/eval.c | 14 ++++
> security/ipe/eval.h | 1 +
> security/ipe/hooks.c | 182 +++++++++++++++++++++++++++++++++++++++++++
> security/ipe/hooks.h | 25 ++++++
> security/ipe/ipe.c | 6 ++
> 5 files changed, 228 insertions(+)
> create mode 100644 security/ipe/hooks.c
> create mode 100644 security/ipe/hooks.h
Adding the 'hooks.h' header allows for much of code added in the
previous patches to finally compile and there are a number of errors,
too many to include here. Please fix those and ensure that each
point in the patchset compiles cleanly.
> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
> new file mode 100644
> index 000000000000..d896a5a474bc
> --- /dev/null
> +++ b/security/ipe/hooks.c
> @@ -0,0 +1,182 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) Microsoft Corporation. All rights reserved.
> + */
> +
> +#include <linux/fs.h>
> +#include <linux/types.h>
> +#include <linux/binfmts.h>
> +#include <linux/mman.h>
> +
> +#include "ipe.h"
> +#include "hooks.h"
> +#include "eval.h"
> +
> +/**
> + * ipe_bprm_check_security - ipe security hook function for bprm check.
> + * @bprm: Supplies a pointer to a linux_binprm structure to source the file
> + * being evaluated.
> + *
> + * This LSM hook is called when a binary is loaded through the exec
> + * family of system calls.
> + * Return:
> + * *0 - OK
> + * *!0 - Error
> + */
> +int ipe_bprm_check_security(struct linux_binprm *bprm)
> +{
> + struct ipe_eval_ctx ctx = { 0 };
It's up to you, but when you have a fequently used initializer like
this it is often wrapped in a macro:
#define IPE_EVAL_CTX_INIT ((struct ipe_eval_ctx){ 0 })
... so that you can write the variable decalaration like this:
struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
It's not a requirement, it just tends to look a little cleaner and
should you ever need to change the initializer it makes your life
a lot easier.
> + build_eval_ctx(&ctx, bprm->file, __IPE_OP_EXEC);
> + return ipe_evaluate_event(&ctx);
> +}
> +
> +/**
> + * ipe_mmap_file - ipe security hook function for mmap check.
> + * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
> + * @reqprot: The requested protection on the mmap, passed from usermode.
> + * @prot: The effective protection on the mmap, resolved from reqprot and
> + * system configuration.
> + * @flags: Unused.
> + *
> + * This hook is called when a file is loaded through the mmap
> + * family of system calls.
> + *
> + * Return:
> + * * 0 - OK
> + * * !0 - Error
> + */
> +int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
> + unsigned long flags)
Since @reqprot is always going to be unused in this function, you
might want to mark it as such to help prevent compiler
warnings/errors, for example:
unsigned long reqprot __always_unused
> +{
> + struct ipe_eval_ctx ctx = { 0 };
> +
> + if (prot & PROT_EXEC) {
> + build_eval_ctx(&ctx, f, __IPE_OP_EXEC);
> + return ipe_evaluate_event(&ctx);
> + }
> +
> + return 0;
> +}
> +
> +/**
> + * ipe_file_mprotect - ipe security hook function for mprotect check.
> + * @vma: Existing virtual memory area created by mmap or similar.
> + * @reqprot: The requested protection on the mmap, passed from usermode.
> + * @prot: The effective protection on the mmap, resolved from reqprot and
> + * system configuration.
> + *
> + * This LSM hook is called when a mmap'd region of memory is changing
> + * its protections via mprotect.
> + *
> + * Return:
> + * * 0 - OK
> + * * !0 - Error
> + */
> +int ipe_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
See my comment above about @reqprot.
> + unsigned long prot)
> +{
> + struct ipe_eval_ctx ctx = { 0 };
> +
> + /* Already Executable */
> + if (vma->vm_flags & VM_EXEC)
> + return 0;
> +
> + if (prot & PROT_EXEC) {
> + build_eval_ctx(&ctx, vma->vm_file, __IPE_OP_EXEC);
> + return ipe_evaluate_event(&ctx);
> + }
> +
> + return 0;
> +}
--
paul-moore.com
next prev parent reply other threads:[~2023-07-08 5:37 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-28 21:09 [RFC PATCH v10 00/17] Integrity Policy Enforcement LSM (IPE) Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 01/17] security: add ipe lsm Fan Wu
2023-07-08 5:36 ` [PATCH RFC v10 1/17] " Paul Moore
[not found] ` <ffd5c67f4a9bf45df0ce95a8fe0932a3.paul@paul-moore.com>
2023-07-13 23:31 ` Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 02/17] ipe: add policy parser Fan Wu
2023-07-08 5:36 ` [PATCH RFC v10 2/17] " Paul Moore
[not found] ` <b2abfd3883dce682ee911413fea2ec66.paul@paul-moore.com>
2023-07-14 4:18 ` Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 03/17] ipe: add evaluation loop Fan Wu
2023-07-08 5:36 ` [PATCH RFC v10 3/17] " Paul Moore
[not found] ` <309cfd62a474a7e93be6a0886a3d5aa8.paul@paul-moore.com>
2023-07-14 20:28 ` Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 04/17] ipe: add LSM hooks on execution and kernel read Fan Wu
2023-07-08 5:36 ` Paul Moore [this message]
[not found] ` <cbe877b3905033d2b8c7c92e6d0cad4e.paul@paul-moore.com>
2023-07-14 21:47 ` [PATCH RFC v10 4/17] " Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 05/17] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2023-07-08 5:36 ` [PATCH RFC v10 5/17] " Paul Moore
[not found] ` <7b0f16fd49fb3490af1018eba986d0e4.paul@paul-moore.com>
2023-07-14 23:56 ` Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 06/17] security: add new securityfs delete function Fan Wu
2023-07-08 5:36 ` [PATCH RFC v10 6/17] " Paul Moore
[not found] ` <80ae988288d2ac277a4429e85524a9bb.paul@paul-moore.com>
2023-07-14 23:59 ` Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 07/17] ipe: add userspace interface Fan Wu
2023-07-08 5:36 ` [PATCH RFC v10 7/17] " Paul Moore
[not found] ` <fcc5de3f153eb60b5acf799c159e6ec8.paul@paul-moore.com>
2023-07-15 3:26 ` Fan Wu
2023-08-01 19:29 ` Paul Moore
2023-06-28 21:09 ` [RFC PATCH v10 08/17] uapi|audit|ipe: add ipe auditing support Fan Wu
2023-07-08 5:37 ` [PATCH RFC v10 8/17] " Paul Moore
[not found] ` <ec09144af7c7109d8b457ceccd50ba7a.paul@paul-moore.com>
2023-07-15 3:57 ` Fan Wu
2023-08-01 19:24 ` Paul Moore
2023-06-28 21:09 ` [RFC PATCH v10 09/17] ipe: add permissive toggle Fan Wu
2023-07-08 5:37 ` [PATCH RFC v10 9/17] " Paul Moore
[not found] ` <85af33c02638ebb501b40fd0f3785b12.paul@paul-moore.com>
2023-07-15 4:00 ` Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 10/17] block|security: add LSM blob to block_device Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 11/17] dm-verity: consume root hash digest and signature data via LSM hook Fan Wu
2023-07-07 14:53 ` Mike Snitzer
2023-07-12 3:43 ` Fan Wu
2023-07-25 20:43 ` Paul Moore
2023-08-08 22:45 ` Fan Wu
2023-08-08 23:40 ` Alasdair G Kergon
2023-08-09 18:02 ` Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 12/17] ipe: add support for dm-verity as a trust provider Fan Wu
2023-07-08 5:37 ` [PATCH RFC " Paul Moore
2023-06-28 21:09 ` [RFC PATCH v10 13/17] fsverity: consume builtin signature via LSM hook Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 14/17] ipe: enable support for fs-verity as a trust provider Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 15/17] scripts: add boot policy generation program Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 16/17] ipe: kunit test for parser Fan Wu
2023-06-28 21:09 ` [RFC PATCH v10 17/17] documentation: add ipe documentation Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=007992aec442cda5d5866e89b0ed5c69.paul@paul-moore.com \
--to=paul@paul-moore.com \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).