| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342 |
- // SPDX-License-Identifier: GPL-2.0
- /*
- * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
- */
- #include <linux/fs.h>
- #include <linux/fs_struct.h>
- #include <linux/types.h>
- #include <linux/binfmts.h>
- #include <linux/mman.h>
- #include <linux/blk_types.h>
- #include "ipe.h"
- #include "hooks.h"
- #include "eval.h"
- #include "digest.h"
- /**
- * ipe_bprm_check_security() - ipe security hook function for bprm check.
- * @bprm: Supplies a pointer to a linux_binprm structure to source the file
- * being evaluated.
- *
- * This LSM hook is called when a binary is loaded through the exec
- * family of system calls.
- *
- * Return:
- * * %0 - Success
- * * %-EACCES - Did not pass IPE policy
- */
- int ipe_bprm_check_security(struct linux_binprm *bprm)
- {
- struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
- ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);
- return ipe_evaluate_event(&ctx);
- }
- /**
- * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check.
- * @bprm: Supplies a pointer to a linux_binprm structure to source the file
- * being evaluated.
- *
- * This LSM hook is called when userspace signals the kernel to check a file
- * for execution through the execveat syscall with the AT_EXECVE_CHECK flag.
- * The hook triggers IPE policy evaluation on the script file and returns
- * the policy decision to userspace. The userspace program receives the
- * return code and can decide whether to proceed with script execution.
- *
- * Return:
- * * %0 - Success
- * * %-EACCES - Did not pass IPE policy
- */
- int ipe_bprm_creds_for_exec(struct linux_binprm *bprm)
- {
- struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
- if (!bprm->is_check)
- return 0;
- ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC,
- IPE_HOOK_BPRM_CREDS_FOR_EXEC);
- return ipe_evaluate_event(&ctx);
- }
- /**
- * ipe_mmap_file() - ipe security hook function for mmap check.
- * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
- * @reqprot: The requested protection on the mmap, passed from usermode.
- * @prot: The effective protection on the mmap, resolved from reqprot and
- * system configuration.
- * @flags: Unused.
- *
- * This hook is called when a file is loaded through the mmap
- * family of system calls.
- *
- * Return:
- * * %0 - Success
- * * %-EACCES - Did not pass IPE policy
- */
- int ipe_mmap_file(struct file *f, unsigned long reqprot __always_unused,
- unsigned long prot, unsigned long flags)
- {
- struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
- if (prot & PROT_EXEC) {
- ipe_build_eval_ctx(&ctx, f, IPE_OP_EXEC, IPE_HOOK_MMAP);
- return ipe_evaluate_event(&ctx);
- }
- return 0;
- }
- /**
- * ipe_file_mprotect() - ipe security hook function for mprotect check.
- * @vma: Existing virtual memory area created by mmap or similar.
- * @reqprot: The requested protection on the mmap, passed from usermode.
- * @prot: The effective protection on the mmap, resolved from reqprot and
- * system configuration.
- *
- * This LSM hook is called when a mmap'd region of memory is changing
- * its protections via mprotect.
- *
- * Return:
- * * %0 - Success
- * * %-EACCES - Did not pass IPE policy
- */
- int ipe_file_mprotect(struct vm_area_struct *vma,
- unsigned long reqprot __always_unused,
- unsigned long prot)
- {
- struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
- /* Already Executable */
- if (vma->vm_flags & VM_EXEC)
- return 0;
- if (prot & PROT_EXEC) {
- ipe_build_eval_ctx(&ctx, vma->vm_file, IPE_OP_EXEC, IPE_HOOK_MPROTECT);
- return ipe_evaluate_event(&ctx);
- }
- return 0;
- }
- /**
- * ipe_kernel_read_file() - ipe security hook function for kernel read.
- * @file: Supplies a pointer to the file structure being read in from disk.
- * @id: Supplies the enumeration identifying the purpose of the read.
- * @contents: Unused.
- *
- * This LSM hook is called when a file is read from disk in the kernel.
- *
- * Return:
- * * %0 - Success
- * * %-EACCES - Did not pass IPE policy
- */
- int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id,
- bool contents)
- {
- struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
- enum ipe_op_type op;
- switch (id) {
- case READING_FIRMWARE:
- op = IPE_OP_FIRMWARE;
- break;
- case READING_MODULE:
- case READING_MODULE_COMPRESSED:
- op = IPE_OP_KERNEL_MODULE;
- break;
- case READING_KEXEC_INITRAMFS:
- op = IPE_OP_KEXEC_INITRAMFS;
- break;
- case READING_KEXEC_IMAGE:
- op = IPE_OP_KEXEC_IMAGE;
- break;
- case READING_POLICY:
- op = IPE_OP_POLICY;
- break;
- case READING_X509_CERTIFICATE:
- op = IPE_OP_X509;
- break;
- default:
- op = IPE_OP_INVALID;
- WARN(1, "no rule setup for kernel_read_file enum %d", id);
- }
- ipe_build_eval_ctx(&ctx, file, op, IPE_HOOK_KERNEL_READ);
- return ipe_evaluate_event(&ctx);
- }
- /**
- * ipe_kernel_load_data() - ipe security hook function for kernel load data.
- * @id: Supplies the enumeration identifying the purpose of the load.
- * @contents: Unused.
- *
- * This LSM hook is called when a data buffer provided by userspace is loading
- * into the kernel.
- *
- * Return:
- * * %0 - Success
- * * %-EACCES - Did not pass IPE policy
- */
- int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents)
- {
- struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
- enum ipe_op_type op;
- switch (id) {
- case LOADING_FIRMWARE:
- op = IPE_OP_FIRMWARE;
- break;
- case LOADING_MODULE:
- op = IPE_OP_KERNEL_MODULE;
- break;
- case LOADING_KEXEC_INITRAMFS:
- op = IPE_OP_KEXEC_INITRAMFS;
- break;
- case LOADING_KEXEC_IMAGE:
- op = IPE_OP_KEXEC_IMAGE;
- break;
- case LOADING_POLICY:
- op = IPE_OP_POLICY;
- break;
- case LOADING_X509_CERTIFICATE:
- op = IPE_OP_X509;
- break;
- default:
- op = IPE_OP_INVALID;
- WARN(1, "no rule setup for kernel_load_data enum %d", id);
- }
- ipe_build_eval_ctx(&ctx, NULL, op, IPE_HOOK_KERNEL_LOAD);
- return ipe_evaluate_event(&ctx);
- }
- /**
- * ipe_unpack_initramfs() - Mark the current rootfs as initramfs.
- */
- void ipe_unpack_initramfs(void)
- {
- ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true;
- }
- #ifdef CONFIG_IPE_PROP_DM_VERITY
- /**
- * ipe_bdev_free_security() - Free IPE's LSM blob of block_devices.
- * @bdev: Supplies a pointer to a block_device that contains the structure
- * to free.
- */
- void ipe_bdev_free_security(struct block_device *bdev)
- {
- struct ipe_bdev *blob = ipe_bdev(bdev);
- ipe_digest_free(blob->root_hash);
- }
- #ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
- static void ipe_set_dmverity_signature(struct ipe_bdev *blob,
- const void *value,
- size_t size)
- {
- blob->dm_verity_signed = size > 0 && value;
- }
- #else
- static inline void ipe_set_dmverity_signature(struct ipe_bdev *blob,
- const void *value,
- size_t size)
- {
- }
- #endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */
- /**
- * ipe_bdev_setintegrity() - Save integrity data from a bdev to IPE's LSM blob.
- * @bdev: Supplies a pointer to a block_device that contains the LSM blob.
- * @type: Supplies the integrity type.
- * @value: Supplies the value to store.
- * @size: The size of @value.
- *
- * This hook is currently used to save dm-verity's root hash or the existence
- * of a validated signed dm-verity root hash into LSM blob.
- *
- * Return: %0 on success. If an error occurs, the function will return the
- * -errno.
- */
- int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
- const void *value, size_t size)
- {
- const struct dm_verity_digest *digest = NULL;
- struct ipe_bdev *blob = ipe_bdev(bdev);
- struct digest_info *info = NULL;
- if (type == LSM_INT_DMVERITY_SIG_VALID) {
- ipe_set_dmverity_signature(blob, value, size);
- return 0;
- }
- if (type != LSM_INT_DMVERITY_ROOTHASH)
- return -EINVAL;
- if (!value) {
- ipe_digest_free(blob->root_hash);
- blob->root_hash = NULL;
- return 0;
- }
- digest = value;
- info = kzalloc_obj(*info);
- if (!info)
- return -ENOMEM;
- info->digest = kmemdup(digest->digest, digest->digest_len, GFP_KERNEL);
- if (!info->digest)
- goto err;
- info->alg = kstrdup(digest->alg, GFP_KERNEL);
- if (!info->alg)
- goto err;
- info->digest_len = digest->digest_len;
- ipe_digest_free(blob->root_hash);
- blob->root_hash = info;
- return 0;
- err:
- ipe_digest_free(info);
- return -ENOMEM;
- }
- #endif /* CONFIG_IPE_PROP_DM_VERITY */
- #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
- /**
- * ipe_inode_setintegrity() - save integrity data from a inode to IPE's LSM blob.
- * @inode: The inode to source the security blob from.
- * @type: Supplies the integrity type.
- * @value: The value to be stored.
- * @size: The size of @value.
- *
- * This hook is currently used to save the existence of a validated fs-verity
- * builtin signature into LSM blob.
- *
- * Return: %0 on success. If an error occurs, the function will return the
- * -errno.
- */
- int ipe_inode_setintegrity(const struct inode *inode,
- enum lsm_integrity_type type,
- const void *value, size_t size)
- {
- struct ipe_inode *inode_sec = ipe_inode(inode);
- if (type == LSM_INT_FSVERITY_BUILTINSIG_VALID) {
- inode_sec->fs_verity_signed = size > 0 && value;
- return 0;
- }
- return -EINVAL;
- }
- #endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
|