On Fri, Aug 02, 2024 at 11:08:17PM -0700, Fan Wu wrote: > From: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx> > > Introduce a core evaluation function in IPE that will be triggered by > various security hooks (e.g., mmap, bprm_check, kexec). This function > systematically assesses actions against the defined IPE policy, by > iterating over rules specific to the action being taken. This critical > addition enables IPE to enforce its security policies effectively, > ensuring that actions intercepted by these hooks are scrutinized for policy > compliance before they are allowed to proceed. > > Signed-off-by: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx> > Signed-off-by: Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx> (started at this longer than I care to admit) Reviewed-by: Serge Hallyn <serge@xxxxxxxxxx> > > --- > v2: > + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit > > v3: > + Move ipe_load_properties to patch 04. > + Remove useless 0-initializations Prefix extern variables with ipe_ > + Remove kernel module parameters, as these are exposed through sysctls. > + Add more prose to the IPE base config option help text. > + Use GFP_KERNEL for audit_log_start. > + Remove unnecessary caching system. > + Remove comments from headers > + Use rcu_access_pointer for rcu-pointer null check > + Remove usage of reqprot; use prot only. > +Move policy load and activation audit event to 03/12 > > v4: > + Remove sysctls in favor of securityfs nodes > + Re-add kernel module parameters, as these are now exposed through securityfs. > + Refactor property audit loop to a separate function. > > v5: > + fix minor grammatical errors > + do not group rule by curly-brace in audit record, > + reconstruct the exact rule. > > v6: > + No changes > > v7: > + Further split lsm creation into a separate commit from the evaluation loop and audit system, for easier review. > + Propagating changes to support the new ipe_context structure in the evaluation loop. > > v8: > + Remove ipe_hook enumeration; hooks can be correlated via syscall record. > > v9: > + Remove ipe_context related code and simplify the evaluation loop. > > v10: > + Split eval part and boot_verified part > > v11: > + Fix code style issues > > v12: > + Correct an rcu_read_unlock usage > + Add a WARN to unknown op during evaluation > > v13: > + No changes > > v14: > + No changes > > v15: > + No changes > > v16: > + No changes > > v17: > + Add years to license header > + Fix code and documentation style issues > > v18: > + No changes > > v19: > + No changes > > v20: > + No changes > --- > security/ipe/Makefile | 1 + > security/ipe/eval.c | 102 ++++++++++++++++++++++++++++++++++++++++++ > security/ipe/eval.h | 24 ++++++++++ > 3 files changed, 127 insertions(+) > create mode 100644 security/ipe/eval.c > create mode 100644 security/ipe/eval.h > > diff --git a/security/ipe/Makefile b/security/ipe/Makefile > index 3093de1afd3e..4cc17eb92060 100644 > --- a/security/ipe/Makefile > +++ b/security/ipe/Makefile > @@ -6,6 +6,7 @@ > # > > obj-$(CONFIG_SECURITY_IPE) += \ > + eval.o \ > ipe.o \ > policy.o \ > policy_parser.o \ > diff --git a/security/ipe/eval.c b/security/ipe/eval.c > new file mode 100644 > index 000000000000..f6a681ca49f6 > --- /dev/null > +++ b/security/ipe/eval.c > @@ -0,0 +1,102 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. > + */ > + > +#include <linux/fs.h> > +#include <linux/types.h> > +#include <linux/slab.h> > +#include <linux/file.h> > +#include <linux/sched.h> > +#include <linux/rcupdate.h> > + > +#include "ipe.h" > +#include "eval.h" > +#include "policy.h" > + > +struct ipe_policy __rcu *ipe_active_policy; > + > +/** > + * evaluate_property() - Analyze @ctx against a rule property. > + * @ctx: Supplies a pointer to the context to be evaluated. > + * @p: Supplies a pointer to the property to be evaluated. > + * > + * This is a placeholder. The actual function will be introduced in the > + * latter commits. > + * > + * Return: > + * * %true - The current @ctx match the @p > + * * %false - The current @ctx doesn't match the @p > + */ > +static bool evaluate_property(const struct ipe_eval_ctx *const ctx, > + struct ipe_prop *p) > +{ > + return false; > +} > + > +/** > + * ipe_evaluate_event() - Analyze @ctx against the current active policy. > + * @ctx: Supplies a pointer to the context to be evaluated. > + * > + * This is the loop where all policy evaluations happen against the IPE policy. > + * > + * Return: > + * * %0 - Success > + * * %-EACCES - @ctx did not pass evaluation > + */ > +int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx) > +{ > + const struct ipe_op_table *rules = NULL; > + const struct ipe_rule *rule = NULL; > + struct ipe_policy *pol = NULL; > + struct ipe_prop *prop = NULL; > + enum ipe_action_type action; > + bool match = false; > + > + rcu_read_lock(); > + > + pol = rcu_dereference(ipe_active_policy); > + if (!pol) { > + rcu_read_unlock(); > + return 0; > + } > + > + if (ctx->op == IPE_OP_INVALID) { > + if (pol->parsed->global_default_action == IPE_ACTION_DENY) { > + rcu_read_unlock(); > + return -EACCES; > + } > + if (pol->parsed->global_default_action == IPE_ACTION_INVALID) > + WARN(1, "no default rule set for unknown op, ALLOW it"); > + rcu_read_unlock(); > + return 0; > + } > + > + rules = &pol->parsed->rules[ctx->op]; > + > + list_for_each_entry(rule, &rules->rules, next) { > + match = true; > + > + list_for_each_entry(prop, &rule->props, next) { > + match = evaluate_property(ctx, prop); > + if (!match) > + break; > + } > + > + if (match) > + break; > + } > + > + if (match) > + action = rule->action; > + else if (rules->default_action != IPE_ACTION_INVALID) > + action = rules->default_action; > + else > + action = pol->parsed->global_default_action; > + > + rcu_read_unlock(); > + if (action == IPE_ACTION_DENY) > + return -EACCES; > + > + return 0; > +} > diff --git a/security/ipe/eval.h b/security/ipe/eval.h > new file mode 100644 > index 000000000000..b137f2107852 > --- /dev/null > +++ b/security/ipe/eval.h > @@ -0,0 +1,24 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. > + */ > + > +#ifndef _IPE_EVAL_H > +#define _IPE_EVAL_H > + > +#include <linux/file.h> > +#include <linux/types.h> > + > +#include "policy.h" > + > +extern struct ipe_policy __rcu *ipe_active_policy; > + > +struct ipe_eval_ctx { > + enum ipe_op_type op; > + > + const struct file *file; > +}; > + > +int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx); > + > +#endif /* _IPE_EVAL_H */ > -- > 2.44.0