[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1634151995-16266-4-git-send-email-deven.desai@linux.microsoft.com>
Date: Wed, 13 Oct 2021 12:06:22 -0700
From: deven.desai@...ux.microsoft.com
To: corbet@....net, axboe@...nel.dk, agk@...hat.com,
snitzer@...hat.com, ebiggers@...nel.org, tytso@....edu,
paul@...l-moore.com, eparis@...hat.com, jmorris@...ei.org,
serge@...lyn.com
Cc: jannh@...gle.com, dm-devel@...hat.com, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-block@...r.kernel.org,
linux-fscrypt@...r.kernel.org, linux-audit@...hat.com,
linux-security-module@...r.kernel.org
Subject: [RFC PATCH v7 03/16] ipe: add evaluation loop
From: Deven Bowers <deven.desai@...ux.microsoft.com>
IPE must have a centralized function to evaluate incoming callers
against IPE's policy. This iteration of the policy for against the rules
for that specific caller is known as the evaluation loop.
Signed-off-by: Deven Bowers <deven.desai@...ux.microsoft.com>
---
Relevant changes since v6:
* Refactor patch to support a context structure,
enabling easier testing
* Split up patch 02/12 into four parts:
1. context creation [01/16]
2. audit [07/16]
3. evaluation loop [03/16] (this patch)
4. access control hooks [05/16]
---
security/ipe/Makefile | 1 +
security/ipe/ctx.c | 57 ++++++++++++
security/ipe/ctx.h | 6 ++
security/ipe/eval.c | 142 ++++++++++++++++++++++++++++++
security/ipe/eval.h | 26 ++++++
security/ipe/hooks.h | 4 +
security/ipe/modules/ipe_module.h | 3 +
security/ipe/policy.c | 27 ++++++
security/ipe/policy.h | 4 +
9 files changed, 270 insertions(+)
create mode 100644 security/ipe/eval.c
create mode 100644 security/ipe/eval.h
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
index 9a97efd8a190..0db69f13e82a 100644
--- a/security/ipe/Makefile
+++ b/security/ipe/Makefile
@@ -9,6 +9,7 @@ ccflags-y := -I$(srctree)/security/ipe/modules
obj-$(CONFIG_SECURITY_IPE) += \
ctx.o \
+ eval.o \
hooks.o \
ipe.o \
modules.o \
diff --git a/security/ipe/ctx.c b/security/ipe/ctx.c
index c24f5d1d41bd..9274e51eff52 100644
--- a/security/ipe/ctx.c
+++ b/security/ipe/ctx.c
@@ -5,6 +5,7 @@
#include "ipe.h"
#include "ctx.h"
+#include "policy.h"
#include <linux/slab.h>
#include <linux/types.h>
@@ -76,10 +77,25 @@ struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx)
*/
static void free_ctx_work(struct work_struct *const work)
{
+ struct ipe_policy *p = NULL;
struct ipe_context *ctx = NULL;
ctx = container_of(work, struct ipe_context, free_work);
+ /* Make p->ctx no longer have any references */
+ spin_lock(&ctx->lock);
+ list_for_each_entry(p, &ctx->policies, next)
+ rcu_assign_pointer(p->ctx, NULL);
+ spin_unlock(&ctx->lock);
+ synchronize_rcu();
+
+ /*
+ * locking no longer necessary - nothing can get a reference to ctx,
+ * so list is guaranteed stable.
+ */
+ list_for_each_entry(p, &ctx->policies, next)
+ ipe_put_policy(p);
+
kfree(ctx);
}
@@ -104,6 +120,7 @@ static struct ipe_context *create_ctx(void)
}
INIT_WORK(&ctx->free_work, free_ctx_work);
+ INIT_LIST_HEAD(&ctx->policies);
refcount_set(&ctx->refcount, 1);
spin_lock_init(&ctx->lock);
@@ -114,6 +131,46 @@ static struct ipe_context *create_ctx(void)
return ERR_PTR(rc);
}
+/**
+ * remove_policy: Remove a policy from its context
+ * @p: Supplies a pointer to a policy that will be removed from its context
+ *
+ * Decrements @p's reference by 1.
+ */
+void ipe_remove_policy(struct ipe_policy *p)
+{
+ struct ipe_context *ctx;
+
+ ctx = ipe_get_ctx_rcu(p->ctx);
+ if (!ctx)
+ return;
+
+ spin_lock(&ctx->lock);
+ list_del_init(&p->next);
+ rcu_assign_pointer(p->ctx, NULL);
+ spin_unlock(&ctx->lock);
+ synchronize_rcu();
+
+ ipe_put_ctx(ctx);
+ /* drop the reference representing the list */
+ ipe_put_policy(p);
+}
+
+/**
+ * ipe_add_policy: Associate @p with @ctx
+ * @ctx: Supplies a pointer to the ipe_context structure to associate @p with.
+ * @p: Supplies a pointer to the ipe_policy structure to associate.
+ */
+void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p)
+{
+ spin_lock(&ctx->lock);
+ rcu_assign_pointer(p->ctx, ctx);
+ list_add_tail(&p->next, &ctx->policies);
+ refcount_inc(&p->refcount);
+ spin_unlock(&ctx->lock);
+ synchronize_rcu();
+}
+
/**
* ipe_put_ns: Decrement the reference of an ipe_context structure,
* scheduling a free as necessary.s
diff --git a/security/ipe/ctx.h b/security/ipe/ctx.h
index 69a2c92c0a8c..a0da92da818c 100644
--- a/security/ipe/ctx.h
+++ b/security/ipe/ctx.h
@@ -12,10 +12,14 @@
#include <linux/workqueue.h>
struct ipe_context {
+ struct ipe_policy __rcu *active_policy;
+
refcount_t refcount;
/* Protects concurrent writers */
spinlock_t lock;
+ struct list_head policies; /* type: ipe_policy */
+
struct work_struct free_work;
};
@@ -24,5 +28,7 @@ struct ipe_context __rcu **ipe_tsk_ctx(struct task_struct *tsk);
struct ipe_context *ipe_current_ctx(void);
struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx);
void ipe_put_ctx(struct ipe_context *ctx);
+void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p);
+void ipe_remove_policy(struct ipe_policy *p);
#endif /* IPE_CONTEXT_H */
diff --git a/security/ipe/eval.c b/security/ipe/eval.c
new file mode 100644
index 000000000000..b732f76cfd05
--- /dev/null
+++ b/security/ipe/eval.c
@@ -0,0 +1,142 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ctx.h"
+#include "eval.h"
+#include "hooks.h"
+#include "policy.h"
+#include "modules/ipe_module.h"
+
+#include <linux/slab.h>
+#include <linux/file.h>
+#include <linux/sched.h>
+#include <linux/rcupdate.h>
+
+/**
+ * build_ctx: Build an evaluation context.
+ * @file: Supplies a pointer to the file to associated with the evaluation
+ * @op: Supplies the IPE policy operation associated with the evaluation
+ * @hook: Supplies the LSM hook associated with the evaluation.
+ *
+ * The current IPE Context will have a reference count increased by one until
+ * this is deallocated.
+ *
+ * Return:
+ * !IS_ERR - OK
+ */
+static struct ipe_eval_ctx *build_ctx(const struct file *file,
+ enum ipe_operation op,
+ enum ipe_hook hook)
+{
+ struct ipe_eval_ctx *ctx = NULL;
+
+ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+ if (!ctx)
+ return ERR_PTR(-ENOMEM);
+
+ ctx->file = file;
+ ctx->op = op;
+ ctx->hook = hook;
+ ctx->ci_ctx = ipe_current_ctx();
+
+ return ctx;
+}
+
+/**
+ * free_ctx: Deallocate a previously-allocated ipe_eval_ctx
+ * @ctx: Supplies a pointer to the evaluation context to free.
+ */
+static void free_ctx(struct ipe_eval_ctx *ctx)
+{
+ if (IS_ERR_OR_NULL(ctx))
+ return;
+
+ ipe_put_ctx(ctx->ci_ctx);
+ kfree(ctx);
+}
+
+/**
+ * evaluate: Analyze @ctx against the active policy and return the result.
+ * @ctx: Supplies a pointer to the context being evaluated.
+ *
+ * This is the loop where all policy evaluation happens against IPE policy.
+ *
+ * Return:
+ * 0 - OK
+ * -EACCES - @ctx did not pass evaluation.
+ * !0 - Error
+ */
+static int evaluate(const struct ipe_eval_ctx *const ctx)
+{
+ int rc = 0;
+ bool match = false;
+ enum ipe_action action;
+ struct ipe_policy *pol = NULL;
+ const struct ipe_rule *rule = NULL;
+ const struct ipe_policy_mod *module = NULL;
+ const struct ipe_operation_table *rules = NULL;
+
+ pol = ipe_get_policy_rcu(ctx->ci_ctx->active_policy);
+ if (!pol)
+ goto out;
+
+ rules = &pol->parsed->rules[ctx->op];
+
+ list_for_each_entry(rule, &rules->rules, next) {
+ match = true;
+
+ list_for_each_entry(module, &rule->modules, next)
+ match = match && module->mod->eval(ctx, module->mod_value);
+
+ if (match)
+ break;
+ }
+
+ if (match) {
+ action = rule->action;
+ } else if (rules->default_action != ipe_action_max) {
+ action = rules->default_action;
+ } else {
+ action = pol->parsed->global_default;
+ }
+
+ if (action == ipe_action_deny)
+ rc = -EACCES;
+
+out:
+ ipe_put_policy(pol);
+ return rc;
+}
+
+/**
+ * ipe_process_event: Submit @file for verification against IPE's policy
+ * @file: Supplies an optional pointer to the file being submitted.
+ * @op: IPE Policy Operation to associate with @file
+ * @hook: LSM Hook to associate with @file
+ *
+ * @file can be NULL and will be submitted for evaluation like a non-NULL
+ * file.
+ *
+ * Return:
+ * 0 - OK
+ * -EACCES - @file did not pass verification
+ * !0 - Error
+ */
+int ipe_process_event(const struct file *file, enum ipe_operation op,
+ enum ipe_hook hook)
+{
+ int rc = 0;
+ struct ipe_eval_ctx *ctx = NULL;
+
+ ctx = build_ctx(file, op, hook);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
+ rc = evaluate(ctx);
+
+ free_ctx(ctx);
+ return rc;
+}
diff --git a/security/ipe/eval.h b/security/ipe/eval.h
new file mode 100644
index 000000000000..db6da2998a20
--- /dev/null
+++ b/security/ipe/eval.h
@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef IPE_EVAL_H
+#define IPE_EVAL_H
+
+#include <linux/file.h>
+
+#include "ctx.h"
+#include "hooks.h"
+#include "policy.h"
+
+struct ipe_eval_ctx {
+ enum ipe_hook hook;
+ enum ipe_operation op;
+
+ const struct file *file;
+ struct ipe_context *ci_ctx;
+};
+
+int ipe_process_event(const struct file *file, enum ipe_operation op,
+ enum ipe_hook hook);
+
+#endif /* IPE_EVAL_H */
diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
index e0ae3c7dfb5b..58ed4a612e26 100644
--- a/security/ipe/hooks.h
+++ b/security/ipe/hooks.h
@@ -8,6 +8,10 @@
#include <linux/types.h>
#include <linux/sched.h>
+enum ipe_hook {
+ ipe_hook_max = 0
+};
+
int ipe_task_alloc(struct task_struct *task,
unsigned long clone_flags);
diff --git a/security/ipe/modules/ipe_module.h b/security/ipe/modules/ipe_module.h
index 397a54cbc4db..b4f975e9218a 100644
--- a/security/ipe/modules/ipe_module.h
+++ b/security/ipe/modules/ipe_module.h
@@ -6,6 +6,7 @@
#define IPE_MODULE_H
#include <linux/types.h>
+#include "../eval.h"
/**
* ipe_module: definition of an extensible module for IPE properties.
@@ -23,6 +24,8 @@ struct ipe_module {
u16 version; /* required */
int (*parse)(const char *valstr, void **value); /* required */
int (*free)(void **value); /* optional */
+ bool (*eval)(const struct ipe_eval_ctx *ctx, /* required */
+ const void *val);
};
#define IPE_MODULE(parser) \
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index 9dd60dd34477..8970f96453d6 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -874,6 +874,32 @@ void ipe_put_policy(struct ipe_policy *p)
kfree(p);
}
+/**
+ * ipe_get_policy_rcu: Dereference rcu-protected @p and increase the reference
+ * count.
+ * @p: rcu-protected pointer to dereference
+ *
+ * Not safe to call on IS_ERR.
+ *
+ * Return:
+ * !NULL - reference count of @p was valid, and increased by one.
+ * NULL - reference count of @p is not valid.
+ */
+struct ipe_policy *ipe_get_policy_rcu(struct ipe_policy __rcu *p)
+{
+ struct ipe_policy *rv = NULL;
+
+ rcu_read_lock();
+
+ rv = rcu_dereference(p);
+ if (!rv || !refcount_inc_not_zero(&rv->refcount))
+ rv = NULL;
+
+ rcu_read_unlock();
+
+ return rv;
+}
+
static int set_pkcs7_data(void *ctx, const void *data, size_t len,
size_t asn1hdrlen)
{
@@ -912,6 +938,7 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
return ERR_PTR(-ENOMEM);
refcount_set(&new->refcount, 1);
+ INIT_LIST_HEAD(&new->next);
if (!text) {
new->pkcs7len = pkcs7len;
diff --git a/security/ipe/policy.h b/security/ipe/policy.h
index d78788db238c..2b5041c5a75a 100644
--- a/security/ipe/policy.h
+++ b/security/ipe/policy.h
@@ -87,11 +87,15 @@ struct ipe_policy {
struct ipe_parsed_policy *parsed;
refcount_t refcount;
+
+ struct list_head next; /* type: ipe_policy */
+ struct ipe_context __rcu *ctx;
};
struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
const char *pkcs7, size_t pkcs7len);
void ipe_put_policy(struct ipe_policy *pol);
bool ipe_is_op_alias(int op, const enum ipe_operation **map, size_t *size);
+struct ipe_policy *ipe_get_policy_rcu(struct ipe_policy __rcu *p);
#endif /* IPE_POLICY_H */
--
2.33.0
Powered by blists - more mailing lists