1 // SPDX-License-Identifier: GPL-2.0 1
2 /*
3 * Copyright (C) 2020-2024 Microsoft Corporati
4 */
5
6 #include <linux/fs.h>
7 #include <linux/fs_struct.h>
8 #include <linux/types.h>
9 #include <linux/binfmts.h>
10 #include <linux/mman.h>
11 #include <linux/blk_types.h>
12
13 #include "ipe.h"
14 #include "hooks.h"
15 #include "eval.h"
16 #include "digest.h"
17
18 /**
19 * ipe_bprm_check_security() - ipe security ho
20 * @bprm: Supplies a pointer to a linux_binprm
21 * being evaluated.
22 *
23 * This LSM hook is called when a binary is lo
24 * family of system calls.
25 *
26 * Return:
27 * * %0 - Success
28 * * %-EACCES - Did not pass IPE policy
29 */
30 int ipe_bprm_check_security(struct linux_binpr
31 {
32 struct ipe_eval_ctx ctx = IPE_EVAL_CTX
33
34 ipe_build_eval_ctx(&ctx, bprm->file, I
35 return ipe_evaluate_event(&ctx);
36 }
37
38 /**
39 * ipe_mmap_file() - ipe security hook functio
40 * @f: File being mmap'd. Can be NULL in the c
41 * @reqprot: The requested protection on the m
42 * @prot: The effective protection on the mmap
43 * system configuration.
44 * @flags: Unused.
45 *
46 * This hook is called when a file is loaded t
47 * family of system calls.
48 *
49 * Return:
50 * * %0 - Success
51 * * %-EACCES - Did not pass IPE policy
52 */
53 int ipe_mmap_file(struct file *f, unsigned lon
54 unsigned long prot, unsigned
55 {
56 struct ipe_eval_ctx ctx = IPE_EVAL_CTX
57
58 if (prot & PROT_EXEC) {
59 ipe_build_eval_ctx(&ctx, f, IP
60 return ipe_evaluate_event(&ctx
61 }
62
63 return 0;
64 }
65
66 /**
67 * ipe_file_mprotect() - ipe security hook fun
68 * @vma: Existing virtual memory area created
69 * @reqprot: The requested protection on the m
70 * @prot: The effective protection on the mmap
71 * system configuration.
72 *
73 * This LSM hook is called when a mmap'd regio
74 * its protections via mprotect.
75 *
76 * Return:
77 * * %0 - Success
78 * * %-EACCES - Did not pass IPE policy
79 */
80 int ipe_file_mprotect(struct vm_area_struct *v
81 unsigned long reqprot __
82 unsigned long prot)
83 {
84 struct ipe_eval_ctx ctx = IPE_EVAL_CTX
85
86 /* Already Executable */
87 if (vma->vm_flags & VM_EXEC)
88 return 0;
89
90 if (prot & PROT_EXEC) {
91 ipe_build_eval_ctx(&ctx, vma->
92 return ipe_evaluate_event(&ctx
93 }
94
95 return 0;
96 }
97
98 /**
99 * ipe_kernel_read_file() - ipe security hook
100 * @file: Supplies a pointer to the file struc
101 * @id: Supplies the enumeration identifying t
102 * @contents: Unused.
103 *
104 * This LSM hook is called when a file is read
105 *
106 * Return:
107 * * %0 - Success
108 * * %-EACCES - Did not pass IPE policy
109 */
110 int ipe_kernel_read_file(struct file *file, en
111 bool contents)
112 {
113 struct ipe_eval_ctx ctx = IPE_EVAL_CTX
114 enum ipe_op_type op;
115
116 switch (id) {
117 case READING_FIRMWARE:
118 op = IPE_OP_FIRMWARE;
119 break;
120 case READING_MODULE:
121 op = IPE_OP_KERNEL_MODULE;
122 break;
123 case READING_KEXEC_INITRAMFS:
124 op = IPE_OP_KEXEC_INITRAMFS;
125 break;
126 case READING_KEXEC_IMAGE:
127 op = IPE_OP_KEXEC_IMAGE;
128 break;
129 case READING_POLICY:
130 op = IPE_OP_POLICY;
131 break;
132 case READING_X509_CERTIFICATE:
133 op = IPE_OP_X509;
134 break;
135 default:
136 op = IPE_OP_INVALID;
137 WARN(1, "no rule setup for ker
138 }
139
140 ipe_build_eval_ctx(&ctx, file, op, IPE
141 return ipe_evaluate_event(&ctx);
142 }
143
144 /**
145 * ipe_kernel_load_data() - ipe security hook
146 * @id: Supplies the enumeration identifying t
147 * @contents: Unused.
148 *
149 * This LSM hook is called when a data buffer
150 * into the kernel.
151 *
152 * Return:
153 * * %0 - Success
154 * * %-EACCES - Did not pass IPE policy
155 */
156 int ipe_kernel_load_data(enum kernel_load_data
157 {
158 struct ipe_eval_ctx ctx = IPE_EVAL_CTX
159 enum ipe_op_type op;
160
161 switch (id) {
162 case LOADING_FIRMWARE:
163 op = IPE_OP_FIRMWARE;
164 break;
165 case LOADING_MODULE:
166 op = IPE_OP_KERNEL_MODULE;
167 break;
168 case LOADING_KEXEC_INITRAMFS:
169 op = IPE_OP_KEXEC_INITRAMFS;
170 break;
171 case LOADING_KEXEC_IMAGE:
172 op = IPE_OP_KEXEC_IMAGE;
173 break;
174 case LOADING_POLICY:
175 op = IPE_OP_POLICY;
176 break;
177 case LOADING_X509_CERTIFICATE:
178 op = IPE_OP_X509;
179 break;
180 default:
181 op = IPE_OP_INVALID;
182 WARN(1, "no rule setup for ker
183 }
184
185 ipe_build_eval_ctx(&ctx, NULL, op, IPE
186 return ipe_evaluate_event(&ctx);
187 }
188
189 /**
190 * ipe_unpack_initramfs() - Mark the current r
191 */
192 void ipe_unpack_initramfs(void)
193 {
194 ipe_sb(current->fs->root.mnt->mnt_sb)-
195 }
196
197 #ifdef CONFIG_IPE_PROP_DM_VERITY
198 /**
199 * ipe_bdev_free_security() - Free IPE's LSM b
200 * @bdev: Supplies a pointer to a block_device
201 * to free.
202 */
203 void ipe_bdev_free_security(struct block_devic
204 {
205 struct ipe_bdev *blob = ipe_bdev(bdev)
206
207 ipe_digest_free(blob->root_hash);
208 }
209
210 #ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
211 static void ipe_set_dmverity_signature(struct
212 const v
213 size_t
214 {
215 blob->dm_verity_signed = size > 0 && v
216 }
217 #else
218 static inline void ipe_set_dmverity_signature(
219
220
221 {
222 }
223 #endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
224
225 /**
226 * ipe_bdev_setintegrity() - Save integrity da
227 * @bdev: Supplies a pointer to a block_device
228 * @type: Supplies the integrity type.
229 * @value: Supplies the value to store.
230 * @size: The size of @value.
231 *
232 * This hook is currently used to save dm-veri
233 * of a validated signed dm-verity root hash i
234 *
235 * Return: %0 on success. If an error occurs,
236 * -errno.
237 */
238 int ipe_bdev_setintegrity(struct block_device
239 const void *value, s
240 {
241 const struct dm_verity_digest *digest
242 struct ipe_bdev *blob = ipe_bdev(bdev)
243 struct digest_info *info = NULL;
244
245 if (type == LSM_INT_DMVERITY_SIG_VALID
246 ipe_set_dmverity_signature(blo
247
248 return 0;
249 }
250
251 if (type != LSM_INT_DMVERITY_ROOTHASH)
252 return -EINVAL;
253
254 if (!value) {
255 ipe_digest_free(blob->root_has
256 blob->root_hash = NULL;
257
258 return 0;
259 }
260 digest = value;
261
262 info = kzalloc(sizeof(*info), GFP_KERN
263 if (!info)
264 return -ENOMEM;
265
266 info->digest = kmemdup(digest->digest,
267 if (!info->digest)
268 goto err;
269
270 info->alg = kstrdup(digest->alg, GFP_K
271 if (!info->alg)
272 goto err;
273
274 info->digest_len = digest->digest_len;
275
276 ipe_digest_free(blob->root_hash);
277 blob->root_hash = info;
278
279 return 0;
280 err:
281 ipe_digest_free(info);
282
283 return -ENOMEM;
284 }
285 #endif /* CONFIG_IPE_PROP_DM_VERITY */
286
287 #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
288 /**
289 * ipe_inode_setintegrity() - save integrity d
290 * @inode: The inode to source the security bl
291 * @type: Supplies the integrity type.
292 * @value: The value to be stored.
293 * @size: The size of @value.
294 *
295 * This hook is currently used to save the exi
296 * builtin signature into LSM blob.
297 *
298 * Return: %0 on success. If an error occurs,
299 * -errno.
300 */
301 int ipe_inode_setintegrity(const struct inode
302 enum lsm_integrity_
303 const void *value,
304 {
305 struct ipe_inode *inode_sec = ipe_inod
306
307 if (type == LSM_INT_FSVERITY_BUILTINSI
308 inode_sec->fs_verity_signed =
309 return 0;
310 }
311
312 return -EINVAL;
313 }
314 #endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUI
315
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.