1 // SPDX-License-Identifier: GPL-2.0 1 // SPDX-License-Identifier: GPL-2.0
2 /* 2 /*
3 * Copyright (C) 2020-2024 Microsoft Corporati 3 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
4 */ 4 */
5 5
6 #include <linux/dcache.h> 6 #include <linux/dcache.h>
7 #include <linux/security.h> 7 #include <linux/security.h>
8 8
9 #include "ipe.h" 9 #include "ipe.h"
10 #include "fs.h" 10 #include "fs.h"
11 #include "eval.h" 11 #include "eval.h"
12 #include "policy.h" 12 #include "policy.h"
13 #include "audit.h" 13 #include "audit.h"
14 14
15 static struct dentry *np __ro_after_init; 15 static struct dentry *np __ro_after_init;
16 static struct dentry *root __ro_after_init; 16 static struct dentry *root __ro_after_init;
17 struct dentry *policy_root __ro_after_init; 17 struct dentry *policy_root __ro_after_init;
18 static struct dentry *audit_node __ro_after_in 18 static struct dentry *audit_node __ro_after_init;
19 static struct dentry *enforce_node __ro_after_ 19 static struct dentry *enforce_node __ro_after_init;
20 20
21 /** 21 /**
22 * setaudit() - Write handler for the security 22 * setaudit() - Write handler for the securityfs node, "ipe/success_audit"
23 * @f: Supplies a file structure representing 23 * @f: Supplies a file structure representing the securityfs node.
24 * @data: Supplies a buffer passed to the writ 24 * @data: Supplies a buffer passed to the write syscall.
25 * @len: Supplies the length of @data. 25 * @len: Supplies the length of @data.
26 * @offset: unused. 26 * @offset: unused.
27 * 27 *
28 * Return: 28 * Return:
29 * * Length of buffer written - Success 29 * * Length of buffer written - Success
30 * * %-EPERM - Insufficient 30 * * %-EPERM - Insufficient permission
31 */ 31 */
32 static ssize_t setaudit(struct file *f, const 32 static ssize_t setaudit(struct file *f, const char __user *data,
33 size_t len, loff_t *of 33 size_t len, loff_t *offset)
34 { 34 {
35 int rc = 0; 35 int rc = 0;
36 bool value; 36 bool value;
37 37
38 if (!file_ns_capable(f, &init_user_ns, 38 if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
39 return -EPERM; 39 return -EPERM;
40 40
41 rc = kstrtobool_from_user(data, len, & 41 rc = kstrtobool_from_user(data, len, &value);
42 if (rc) 42 if (rc)
43 return rc; 43 return rc;
44 44
45 WRITE_ONCE(success_audit, value); 45 WRITE_ONCE(success_audit, value);
46 46
47 return len; 47 return len;
48 } 48 }
49 49
50 /** 50 /**
51 * getaudit() - Read handler for the securityf 51 * getaudit() - Read handler for the securityfs node, "ipe/success_audit"
52 * @f: Supplies a file structure representing 52 * @f: Supplies a file structure representing the securityfs node.
53 * @data: Supplies a buffer passed to the read 53 * @data: Supplies a buffer passed to the read syscall.
54 * @len: Supplies the length of @data. 54 * @len: Supplies the length of @data.
55 * @offset: unused. 55 * @offset: unused.
56 * 56 *
57 * Return: Length of buffer written 57 * Return: Length of buffer written
58 */ 58 */
59 static ssize_t getaudit(struct file *f, char _ 59 static ssize_t getaudit(struct file *f, char __user *data,
60 size_t len, loff_t *of 60 size_t len, loff_t *offset)
61 { 61 {
62 const char *result; 62 const char *result;
63 63
64 result = ((READ_ONCE(success_audit)) ? 64 result = ((READ_ONCE(success_audit)) ? "1" : "");
65 65
66 return simple_read_from_buffer(data, l 66 return simple_read_from_buffer(data, len, offset, result, 1);
67 } 67 }
68 68
69 /** 69 /**
70 * setenforce() - Write handler for the securi 70 * setenforce() - Write handler for the securityfs node, "ipe/enforce"
71 * @f: Supplies a file structure representing 71 * @f: Supplies a file structure representing the securityfs node.
72 * @data: Supplies a buffer passed to the writ 72 * @data: Supplies a buffer passed to the write syscall.
73 * @len: Supplies the length of @data. 73 * @len: Supplies the length of @data.
74 * @offset: unused. 74 * @offset: unused.
75 * 75 *
76 * Return: 76 * Return:
77 * * Length of buffer written - Success 77 * * Length of buffer written - Success
78 * * %-EPERM - Insufficient 78 * * %-EPERM - Insufficient permission
79 */ 79 */
80 static ssize_t setenforce(struct file *f, cons 80 static ssize_t setenforce(struct file *f, const char __user *data,
81 size_t len, loff_t * 81 size_t len, loff_t *offset)
82 { 82 {
83 int rc = 0; 83 int rc = 0;
84 bool new_value, old_value; 84 bool new_value, old_value;
85 85
86 if (!file_ns_capable(f, &init_user_ns, 86 if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
87 return -EPERM; 87 return -EPERM;
88 88
89 old_value = READ_ONCE(enforce); 89 old_value = READ_ONCE(enforce);
90 rc = kstrtobool_from_user(data, len, & 90 rc = kstrtobool_from_user(data, len, &new_value);
91 if (rc) 91 if (rc)
92 return rc; 92 return rc;
93 93
94 if (new_value != old_value) { 94 if (new_value != old_value) {
95 ipe_audit_enforce(new_value, o 95 ipe_audit_enforce(new_value, old_value);
96 WRITE_ONCE(enforce, new_value) 96 WRITE_ONCE(enforce, new_value);
97 } 97 }
98 98
99 return len; 99 return len;
100 } 100 }
101 101
102 /** 102 /**
103 * getenforce() - Read handler for the securit 103 * getenforce() - Read handler for the securityfs node, "ipe/enforce"
104 * @f: Supplies a file structure representing 104 * @f: Supplies a file structure representing the securityfs node.
105 * @data: Supplies a buffer passed to the read 105 * @data: Supplies a buffer passed to the read syscall.
106 * @len: Supplies the length of @data. 106 * @len: Supplies the length of @data.
107 * @offset: unused. 107 * @offset: unused.
108 * 108 *
109 * Return: Length of buffer written 109 * Return: Length of buffer written
110 */ 110 */
111 static ssize_t getenforce(struct file *f, char 111 static ssize_t getenforce(struct file *f, char __user *data,
112 size_t len, loff_t * 112 size_t len, loff_t *offset)
113 { 113 {
114 const char *result; 114 const char *result;
115 115
116 result = ((READ_ONCE(enforce)) ? "1" : 116 result = ((READ_ONCE(enforce)) ? "1" : "");
117 117
118 return simple_read_from_buffer(data, l 118 return simple_read_from_buffer(data, len, offset, result, 1);
119 } 119 }
120 120
121 /** 121 /**
122 * new_policy() - Write handler for the securi 122 * new_policy() - Write handler for the securityfs node, "ipe/new_policy".
123 * @f: Supplies a file structure representing 123 * @f: Supplies a file structure representing the securityfs node.
124 * @data: Supplies a buffer passed to the writ 124 * @data: Supplies a buffer passed to the write syscall.
125 * @len: Supplies the length of @data. 125 * @len: Supplies the length of @data.
126 * @offset: unused. 126 * @offset: unused.
127 * 127 *
128 * Return: 128 * Return:
129 * * Length of buffer written - Success 129 * * Length of buffer written - Success
130 * * %-EPERM - Insufficient 130 * * %-EPERM - Insufficient permission
131 * * %-ENOMEM - Out of memor 131 * * %-ENOMEM - Out of memory (OOM)
132 * * %-EBADMSG - Policy is in 132 * * %-EBADMSG - Policy is invalid
133 * * %-ERANGE - Policy versi 133 * * %-ERANGE - Policy version number overflow
134 * * %-EINVAL - Policy versi 134 * * %-EINVAL - Policy version parsing error
135 * * %-EEXIST - Same name po 135 * * %-EEXIST - Same name policy already deployed
136 */ 136 */
137 static ssize_t new_policy(struct file *f, cons 137 static ssize_t new_policy(struct file *f, const char __user *data,
138 size_t len, loff_t * 138 size_t len, loff_t *offset)
139 { 139 {
140 struct ipe_policy *p = NULL; 140 struct ipe_policy *p = NULL;
141 char *copy = NULL; 141 char *copy = NULL;
142 int rc = 0; 142 int rc = 0;
143 143
144 if (!file_ns_capable(f, &init_user_ns, 144 if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
145 return -EPERM; 145 return -EPERM;
146 146
147 copy = memdup_user_nul(data, len); 147 copy = memdup_user_nul(data, len);
148 if (IS_ERR(copy)) 148 if (IS_ERR(copy))
149 return PTR_ERR(copy); 149 return PTR_ERR(copy);
150 150
151 p = ipe_new_policy(NULL, 0, copy, len) 151 p = ipe_new_policy(NULL, 0, copy, len);
152 if (IS_ERR(p)) { 152 if (IS_ERR(p)) {
153 rc = PTR_ERR(p); 153 rc = PTR_ERR(p);
154 goto out; 154 goto out;
155 } 155 }
156 156
157 rc = ipe_new_policyfs_node(p); 157 rc = ipe_new_policyfs_node(p);
158 if (rc) 158 if (rc)
159 goto out; 159 goto out;
160 160
161 ipe_audit_policy_load(p); 161 ipe_audit_policy_load(p);
162 162
163 out: 163 out:
164 if (rc < 0) 164 if (rc < 0)
165 ipe_free_policy(p); 165 ipe_free_policy(p);
166 kfree(copy); 166 kfree(copy);
167 return (rc < 0) ? rc : len; 167 return (rc < 0) ? rc : len;
168 } 168 }
169 169
170 static const struct file_operations np_fops = 170 static const struct file_operations np_fops = {
171 .write = new_policy, 171 .write = new_policy,
172 }; 172 };
173 173
174 static const struct file_operations audit_fops 174 static const struct file_operations audit_fops = {
175 .write = setaudit, 175 .write = setaudit,
176 .read = getaudit, 176 .read = getaudit,
177 }; 177 };
178 178
179 static const struct file_operations enforce_fo 179 static const struct file_operations enforce_fops = {
180 .write = setenforce, 180 .write = setenforce,
181 .read = getenforce, 181 .read = getenforce,
182 }; 182 };
183 183
184 /** 184 /**
185 * ipe_init_securityfs() - Initialize IPE's se 185 * ipe_init_securityfs() - Initialize IPE's securityfs tree at fsinit.
186 * 186 *
187 * Return: %0 on success. If an error occurs, 187 * Return: %0 on success. If an error occurs, the function will return
188 * the -errno. 188 * the -errno.
189 */ 189 */
190 static int __init ipe_init_securityfs(void) 190 static int __init ipe_init_securityfs(void)
191 { 191 {
192 int rc = 0; 192 int rc = 0;
193 struct ipe_policy *ap; 193 struct ipe_policy *ap;
194 194
195 if (!ipe_enabled) 195 if (!ipe_enabled)
196 return -EOPNOTSUPP; 196 return -EOPNOTSUPP;
197 197
198 root = securityfs_create_dir("ipe", NU 198 root = securityfs_create_dir("ipe", NULL);
199 if (IS_ERR(root)) { 199 if (IS_ERR(root)) {
200 rc = PTR_ERR(root); 200 rc = PTR_ERR(root);
201 goto err; 201 goto err;
202 } 202 }
203 203
204 audit_node = securityfs_create_file("s 204 audit_node = securityfs_create_file("success_audit", 0600, root,
205 NU 205 NULL, &audit_fops);
206 if (IS_ERR(audit_node)) { 206 if (IS_ERR(audit_node)) {
207 rc = PTR_ERR(audit_node); 207 rc = PTR_ERR(audit_node);
208 goto err; 208 goto err;
209 } 209 }
210 210
211 enforce_node = securityfs_create_file( 211 enforce_node = securityfs_create_file("enforce", 0600, root, NULL,
212 212 &enforce_fops);
213 if (IS_ERR(enforce_node)) { 213 if (IS_ERR(enforce_node)) {
214 rc = PTR_ERR(enforce_node); 214 rc = PTR_ERR(enforce_node);
215 goto err; 215 goto err;
216 } 216 }
217 217
218 policy_root = securityfs_create_dir("p 218 policy_root = securityfs_create_dir("policies", root);
219 if (IS_ERR(policy_root)) { 219 if (IS_ERR(policy_root)) {
220 rc = PTR_ERR(policy_root); 220 rc = PTR_ERR(policy_root);
221 goto err; 221 goto err;
222 } 222 }
223 223
224 ap = rcu_access_pointer(ipe_active_pol 224 ap = rcu_access_pointer(ipe_active_policy);
225 if (ap) { 225 if (ap) {
226 rc = ipe_new_policyfs_node(ap) 226 rc = ipe_new_policyfs_node(ap);
227 if (rc) 227 if (rc)
228 goto err; 228 goto err;
229 } 229 }
230 230
231 np = securityfs_create_file("new_polic 231 np = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops);
232 if (IS_ERR(np)) { 232 if (IS_ERR(np)) {
233 rc = PTR_ERR(np); 233 rc = PTR_ERR(np);
234 goto err; 234 goto err;
235 } 235 }
236 236
237 return 0; 237 return 0;
238 err: 238 err:
239 securityfs_remove(np); 239 securityfs_remove(np);
240 securityfs_remove(policy_root); 240 securityfs_remove(policy_root);
241 securityfs_remove(enforce_node); 241 securityfs_remove(enforce_node);
242 securityfs_remove(audit_node); 242 securityfs_remove(audit_node);
243 securityfs_remove(root); 243 securityfs_remove(root);
244 return rc; 244 return rc;
245 } 245 }
246 246
247 fs_initcall(ipe_init_securityfs); 247 fs_initcall(ipe_init_securityfs);
248 248
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.