Re: [PATCH RFC v11 4/19] ipe: add LSM hooks on execution and kernel read

From: Paul Moore
Date: Mon Oct 23 2023 - 23:52:50 EST

Next message: Paul Moore: "Re: [PATCH RFC v11 5/19] ipe: introduce 'boot_verified' as a trust provider"
Previous message: Paul Moore: "Re: [PATCH RFC v11 2/19] ipe: add policy parser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Oct 4, 2023 Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx> wrote:
>
> IPE's initial goal is to control both execution and the loading of
> kernel modules based on the system's definition of trust. It
> accomplishes this by plugging into the security hooks for
> bprm_check_security, file_mprotect, mmap_file, kernel_load_data,
> and kernel_read_data.
>
> Signed-off-by: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx>
> ---
> v2:
> + Split evaluation loop, access control hooks,
> and evaluation loop from policy parser and userspace
> interface to pass mailing list character limit
>
> v3:
> + Move ipe_load_properties to patch 04.
> + Remove useless 0-initializations
> + Prefix extern variables with ipe_
> + Remove kernel module parameters, as these are
> exposed through sysctls.
> + Add more prose to the IPE base config option
> help text.
> + Use GFP_KERNEL for audit_log_start.
> + Remove unnecessary caching system.
> + Remove comments from headers
> + Use rcu_access_pointer for rcu-pointer null check
> + Remove usage of reqprot; use prot only.
> + Move policy load and activation audit event to 03/12
>
> v4:
> + Remove sysctls in favor of securityfs nodes
> + Re-add kernel module parameters, as these are now
> exposed through securityfs.
> + Refactor property audit loop to a separate function.
>
> v5:
> + fix minor grammatical errors
> + do not group rule by curly-brace in audit record,
> reconstruct the exact rule.
>
> v6:
> + No changes
>
> v7:
> + Further split lsm creation, the audit system, the evaluation loop
> and access control hooks into separate commits.
>
> v8:
> + Rename hook functions to follow the lsmname_hook_name convention
> + Remove ipe_hook enumeration, can be derived from correlation with
> syscall audit record.
>
> v9:
> + Minor changes for adapting to the new parser
>
> v10:
> + Remove @reqprot part
>
> v11:
> + Fix code style issues
> ---
> security/ipe/Makefile | 1 +
> security/ipe/eval.c | 14 ++++
> security/ipe/eval.h | 3 +
> security/ipe/hooks.c | 183 ++++++++++++++++++++++++++++++++++++++++++
> security/ipe/hooks.h | 25 ++++++
> security/ipe/ipe.c | 6 ++
> 6 files changed, 232 insertions(+)
> create mode 100644 security/ipe/hooks.c
> create mode 100644 security/ipe/hooks.h

...

> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
> new file mode 100644
> index 000000000000..6164a9b53361
> --- /dev/null
> +++ b/security/ipe/hooks.c
> @@ -0,0 +1,183 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) Microsoft Corporation. All rights reserved.
> + */

...

> +/**
> + * ipe_kernel_read_file - ipe security hook function for kernel read.
> + * @file: Supplies a pointer to the file structure being read in from disk.
> + * @id: Supplies the enumeration identifying the purpose of the read.
> + * @contents: Unused.
> + *
> + * This LSM hook is called when a file is being read in from disk from
> + * the kernel.
> + *
> + * Return:
> + * 0 - OK
> + * !0 - Error
> + */
> +int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id,
> + bool contents)
> +{
> + enum ipe_op_type op;
> + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
> +
> + switch (id) {
> + case READING_FIRMWARE:
> + op = IPE_OP_FIRMWARE;
> + break;
> + case READING_MODULE:
> + op = IPE_OP_KERNEL_MODULE;
> + break;
> + case READING_KEXEC_INITRAMFS:
> + op = IPE_OP_KEXEC_INITRAMFS;
> + break;
> + case READING_KEXEC_IMAGE:
> + op = IPE_OP_KEXEC_IMAGE;
> + break;
> + case READING_POLICY:
> + op = IPE_OP_IMA_POLICY;
> + break;
> + case READING_X509_CERTIFICATE:
> + op = IPE_OP_IMA_X509;
> + break;
> + default:
> + op = IPE_OP_INVALID;
> + WARN(op == IPE_OP_INVALID, "no rule setup for enum %d", id);

I'm not sure you need to test @op above since you set @op on the line
above, just use true/1 to simplify things. It also seems like it
might be helpful to provice some context for the enum above in the
WARN() message. For example:

WARN(1, "no rule setup for kernel_read_file %d", id);

> + }
> +
> + build_eval_ctx(&ctx, file, op);
> + return ipe_evaluate_event(&ctx);
> +}
> +
> +/**
> + * ipe_kernel_load_data - ipe security hook function for kernel load data.
> + * @id: Supplies the enumeration identifying the purpose of the read.
> + * @contents: Unused.
> + *
> + * This LSM hook is called when a buffer is being read in from disk.
> + *
> + * Return:
> + * * 0 - OK
> + * * !0 - Error
> + */
> +int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents)
> +{
> + enum ipe_op_type op;
> + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
> +
> + switch (id) {
> + case LOADING_FIRMWARE:
> + op = IPE_OP_FIRMWARE;
> + break;
> + case LOADING_MODULE:
> + op = IPE_OP_KERNEL_MODULE;
> + break;
> + case LOADING_KEXEC_INITRAMFS:
> + op = IPE_OP_KEXEC_INITRAMFS;
> + break;
> + case LOADING_KEXEC_IMAGE:
> + op = IPE_OP_KEXEC_IMAGE;
> + break;
> + case LOADING_POLICY:
> + op = IPE_OP_IMA_POLICY;
> + break;
> + case LOADING_X509_CERTIFICATE:
> + op = IPE_OP_IMA_X509;
> + break;
> + default:
> + op = IPE_OP_INVALID;
> + WARN(op == IPE_OP_INVALID, "no rule setup for enum %d", id);

See my comments in ipe_kernel_read_file(), they also apply here.

> + }
> +
> + build_eval_ctx(&ctx, NULL, op);
> + return ipe_evaluate_event(&ctx);
> +}

--
paul-moore.com

Next message: Paul Moore: "Re: [PATCH RFC v11 5/19] ipe: introduce 'boot_verified' as a trust provider"
Previous message: Paul Moore: "Re: [PATCH RFC v11 2/19] ipe: add policy parser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]