From patchwork Thu Feb 29 00:54:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fan Wu X-Patchwork-Id: 208121 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7301:2097:b0:108:e6aa:91d0 with SMTP id gs23csp102490dyb; Wed, 28 Feb 2024 16:58:50 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVNtCDk6VmmNpEfIZpI6CoYe+b8ytS9PayZa9raWJGsNQf3AK2HXSNkqzLVo90tNEgqgvuOfJ9Jh53ERKcOwV5/gOlFxw== X-Google-Smtp-Source: AGHT+IEN6vsuEclIJIKK23otrJjNV3/cPX4/0uRpSHp53IBnf5bdmy0p/7fliizH6eKVB49K26UW X-Received: by 2002:a05:620a:1927:b0:787:3ddf:8bff with SMTP id bj39-20020a05620a192700b007873ddf8bffmr958941qkb.51.1709168329898; Wed, 28 Feb 2024 16:58:49 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709168329; cv=pass; d=google.com; s=arc-20160816; b=Fuvc4Uy8BcjkcwkceG+2Z9ppZjH6oPhXCl4vAEGIj/ICphHEaX61LzCbnbl8SrL8kp ADSkeuxvSwvZvV+hF//LiN6bC7Aqayk6ZkiKLUnscC5r3ZSudtZREl9B4NRd5Y1ikuEO qqfKaTQZdbH1mCtD1xztrJbJezrHaOcR9HefmDKptPwuZa6q3E16+r2Im4DVDefKPiFp /Jbs5PmWBU2p4B3wkulKH62JdPt6waMyZR2M38X0N3jc5CvTPfSqkp5u4uZgGy445H0J BSqutv3K+ULD03KW4XtyINUJzQ3AjTog7XWcWl7htBfpj0aJHLStjt587tAGIR4RDAiu Fwsw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-id:precedence:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :dkim-filter; bh=qpUQv5FsjVpLkqLS/8t1gBK9jhliQJJnWQAR0DeWBEo=; fh=Q42/clUBOZrwwSqzjyRTOGm2jeCjyUvOMLmpjCF4fbE=; b=wPv4m5BBHu14gxYQUHq+PKpxWUvBsUpHYQA0ty0jIBNcaSh74RLFnKyqHzoiY0WnRk pgbzyl9Q8XvaviGwWIQYyXumBhLzhFRC6rSnZ9un5VqR+y5feFyFXFMusDcJROTEpMR7 Swl63iDuFl8EYjmqh6JDBdbE3d6iz1kd5WxFLIBmxL32NCQk9zhla6l1CMuvqRguxveA CNC1H/eler2hhTJwIhq8ipwcXgdW5Gob9Blx0xCs4RpC+4K3GsYciarE5HW6qwgPEgG2 3jFJOIjnGrgAproGzUSXG8arJigEPfpBhKcUZRFZ553C1i1IE8o2BV5qKITN8A2NRQCK FOFQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=EAQYZele; arc=pass (i=1 spf=pass spfdomain=linux.microsoft.com dkim=pass dkdomain=linux.microsoft.com dmarc=pass fromdomain=linux.microsoft.com); spf=pass (google.com: domain of linux-kernel+bounces-85946-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-85946-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id u20-20020a05620a085400b00787d4c64080si347835qku.381.2024.02.28.16.58.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 Feb 2024 16:58:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-85946-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=EAQYZele; arc=pass (i=1 spf=pass spfdomain=linux.microsoft.com dkim=pass dkdomain=linux.microsoft.com dmarc=pass fromdomain=linux.microsoft.com); spf=pass (google.com: domain of linux-kernel+bounces-85946-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-85946-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 9FFCF1C23C68 for ; Thu, 29 Feb 2024 00:58:49 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 26B3047796; Thu, 29 Feb 2024 00:55:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="EAQYZele" Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B95832C85D; Thu, 29 Feb 2024 00:55:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=13.77.154.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709168123; cv=none; b=nmjjn6mLVU1R0Px/m3yTegRvHzWyM7B2E/FVma6H4aLhOU7gs93uMIKkIvsk0VOBh+MdnYdlQKITh//jA8VLO3tMn5Lf1taPUMhG4glg0Sxk2oWR6DtWbcGZ2O70lrkuHRpGuwz/jNcvBZvVMBSd60qcUMqanTJz+DzJDaBIckk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709168123; c=relaxed/simple; bh=6HdozH6iZ0HYFb5kEcVjBqmPZOczSZ1qU8NKOKplQrA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References; b=SOEkpwCuC+qBRFj+met+hDGhRpsBKN1P0NUT75AefswFnpnxxCgimREoZREN/0z96YJXCWbNlxpArQopWid2cS4FJG7JGGJUYLRpRCNmme/89KIS9eX/ojGDmiQYOX08c4n1qNCvDRZKs3m9B5xly18Z+A/z8wWdTStHREqZ7yc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com; spf=pass smtp.mailfrom=linux.microsoft.com; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b=EAQYZele; arc=none smtp.client-ip=13.77.154.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.microsoft.com Received: by linux.microsoft.com (Postfix, from userid 1052) id 6F46220B74C1; Wed, 28 Feb 2024 16:55:18 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 6F46220B74C1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1709168118; bh=qpUQv5FsjVpLkqLS/8t1gBK9jhliQJJnWQAR0DeWBEo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EAQYZelerqKOzlThHWRCJR0ScdyKW2IVFYAd5I5O9iZtZsykMMJNX0fsh78vIV7u3 YNEzFG66Spp+Wy3KB6DR09JbFlxGrj44Mabi2fI91ceVv2CfXw83er/vUeIJPlz3tj F7Hk5sD0AzusvW/qMZSOBlRrFZUTVKM1khJw2FTs= From: Fan Wu To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Deven Bowers , Fan Wu Subject: [RFC PATCH v13 01/20] security: add ipe lsm Date: Wed, 28 Feb 2024 16:54:43 -0800 Message-Id: <1709168102-7677-2-git-send-email-wufan@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1709168102-7677-1-git-send-email-wufan@linux.microsoft.com> References: <1709168102-7677-1-git-send-email-wufan@linux.microsoft.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1792192890656892997 X-GMAIL-MSGID: 1792192890656892997 From: Deven Bowers Integrity Policy Enforcement (IPE) is an LSM that provides an complimentary approach to Mandatory Access Control than existing LSMs today. Existing LSMs have centered around the concept of access to a resource should be controlled by the current user's credentials. IPE's approach, is that access to a resource should be controlled by the system's trust of a current resource. The basis of this approach is defining a global policy to specify which resource can be trusted. Signed-off-by: Deven Bowers Signed-off-by: Fan Wu --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and userspace interface to pass mailing list character limit v3: + Move ipe_load_properties to patch 04. + Remove useless 0-initializations + Prefix extern variables with ipe_ + Remove kernel module parameters, as these are exposed through sysctls. + Add more prose to the IPE base config option help text. + Use GFP_KERNEL for audit_log_start. + Remove unnecessary caching system. + Remove comments from headers + Use rcu_access_pointer for rcu-pointer null check + Remove usage of reqprot; use prot only. + Move policy load and activation audit event to 03/12 v4: + Remove sysctls in favor of securityfs nodes + Re-add kernel module parameters, as these are now exposed through securityfs. + Refactor property audit loop to a separate function. v5: + fix minor grammatical errors + do not group rule by curly-brace in audit record, reconstruct the exact rule. v6: + No changes v7: + Further split lsm creation into a separate commit from the evaluation loop and audit system, for easier review. + Introduce the concept of an ipe_context, a scoped way to introduce execution policies, used initially for allowing for kunit tests in isolation. v8: + Follow lsmname_hook_name convention for lsm hooks. + Move LSM blob accessors to ipe.c and mark LSM blobs as static. v9: + Remove ipe_context for simplification v10: + Add github url v11: + Correct github url + Move ipe before bpf v12: + Switch to use lsm_id instead of string for lsm name v13: + No changes --- MAINTAINERS | 7 +++++++ include/uapi/linux/lsm.h | 1 + security/Kconfig | 11 ++++++----- security/Makefile | 1 + security/ipe/Kconfig | 17 +++++++++++++++++ security/ipe/Makefile | 9 +++++++++ security/ipe/ipe.c | 41 ++++++++++++++++++++++++++++++++++++++++ security/ipe/ipe.h | 16 ++++++++++++++++ security/security.c | 3 ++- 9 files changed, 100 insertions(+), 6 deletions(-) create mode 100644 security/ipe/Kconfig create mode 100644 security/ipe/Makefile create mode 100644 security/ipe/ipe.c create mode 100644 security/ipe/ipe.h diff --git a/MAINTAINERS b/MAINTAINERS index 2ecaaec6a6bf..834601f158c9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -10649,6 +10649,13 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git F: security/integrity/ F: security/integrity/ima/ +INTEGRITY POLICY ENFORCEMENT (IPE) +M: Fan Wu +L: linux-security-module@vger.kernel.org +S: Supported +T: git https://github.com/microsoft/ipe.git +F: security/ipe/ + INTEL 810/815 FRAMEBUFFER DRIVER M: Antonino Daplas L: linux-fbdev@vger.kernel.org diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h index f8aef9ade549..43e2fb32745a 100644 --- a/include/uapi/linux/lsm.h +++ b/include/uapi/linux/lsm.h @@ -62,6 +62,7 @@ struct lsm_ctx { #define LSM_ID_LOCKDOWN 108 #define LSM_ID_BPF 109 #define LSM_ID_LANDLOCK 110 +#define LSM_ID_IPE 111 /* * LSM_ATTR_XXX definitions identify different LSM attributes diff --git a/security/Kconfig b/security/Kconfig index 52c9af08ad35..cc7adfbb6b96 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -194,6 +194,7 @@ source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/landlock/Kconfig" +source "security/ipe/Kconfig" source "security/integrity/Kconfig" @@ -233,11 +234,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list, except for those with order diff --git a/security/Makefile b/security/Makefile index 59f238490665..cc0982214b84 100644 --- a/security/Makefile +++ b/security/Makefile @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ +obj-$(CONFIG_SECURITY_IPE) += ipe/ # Object integrity file lists obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig new file mode 100644 index 000000000000..e4875fb04883 --- /dev/null +++ b/security/ipe/Kconfig @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: GPL-2.0-only +# +# Integrity Policy Enforcement (IPE) configuration +# + +menuconfig SECURITY_IPE + bool "Integrity Policy Enforcement (IPE)" + depends on SECURITY && SECURITYFS + select PKCS7_MESSAGE_PARSER + select SYSTEM_DATA_VERIFICATION + help + This option enables the Integrity Policy Enforcement LSM + allowing users to define a policy to enforce a trust-based access + control. A key feature of IPE is a customizable policy to allow + admins to reconfigure trust requirements on the fly. + + If unsure, answer N. diff --git a/security/ipe/Makefile b/security/ipe/Makefile new file mode 100644 index 000000000000..f7a80d0f18f8 --- /dev/null +++ b/security/ipe/Makefile @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: GPL-2.0 +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# +# Makefile for building the IPE module as part of the kernel tree. +# + +obj-$(CONFIG_SECURITY_IPE) += \ + ipe.o \ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c new file mode 100644 index 000000000000..b013aed15e73 --- /dev/null +++ b/security/ipe/ipe.c @@ -0,0 +1,41 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ +#include + +#include "ipe.h" + +static struct lsm_blob_sizes ipe_blobs __ro_after_init = { +}; + +static const struct lsm_id ipe_lsmid = { + .name = "ipe", + .id = LSM_ID_IPE, +}; + +static struct security_hook_list ipe_hooks[] __ro_after_init = { +}; + +/** + * ipe_init - Entry point of IPE. + * + * This is called at LSM init, which happens occurs early during kernel + * start up. During this phase, IPE registers its hooks and loads the + * builtin boot policy. + * Return: + * * 0 - OK + * * -ENOMEM - Out of memory + */ +static int __init ipe_init(void) +{ + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid); + + return 0; +} + +DEFINE_LSM(ipe) = { + .name = "ipe", + .init = ipe_init, + .blobs = &ipe_blobs, +}; diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h new file mode 100644 index 000000000000..a1c68d0fc2e0 --- /dev/null +++ b/security/ipe/ipe.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#ifndef _IPE_H +#define _IPE_H + +#ifdef pr_fmt +#undef pr_fmt +#endif +#define pr_fmt(fmt) "IPE: " fmt + +#include + +#endif /* _IPE_H */ diff --git a/security/security.c b/security/security.c index 7035ee35a393..f168bc30a60d 100644 --- a/security/security.c +++ b/security/security.c @@ -51,7 +51,8 @@ (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \ (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \ (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ - (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0)) + (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0)) /* * These are descriptions of the reasons that can be passed to the