[RFC PATCH v8 03/17] ipe: add evaluation loop
From: Deven Bowers
Date: Wed Jun 08 2022 - 15:03:48 EST
IPE must have a centralized function to evaluate incoming callers
against IPE's policy. This iteration of the policy for against the rules
for that specific caller is known as the evaluation loop.
Signed-off-by: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
---
v2:
+ Split evaluation loop, access control hooks,
and evaluation loop from policy parser and userspace
interface to pass mailing list character limit
v3:
+ Move ipe_load_properties to patch 04.
+ Remove useless 0-initializations
+ Prefix extern variables with ipe_
+ Remove kernel module parameters, as these are
exposed through sysctls.
+ Add more prose to the IPE base config option
help text.
+ Use GFP_KERNEL for audit_log_start.
+ Remove unnecessary caching system.
+ Remove comments from headers
+ Use rcu_access_pointer for rcu-pointer null check
+ Remove usage of reqprot; use prot only.
+ Move policy load and activation audit event to 03/12
v4:
+ Remove sysctls in favor of securityfs nodes
+ Re-add kernel module parameters, as these are now
exposed through securityfs.
+ Refactor property audit loop to a separate function.
v5:
+ fix minor grammatical errors
+ do not group rule by curly-brace in audit record,
reconstruct the exact rule.
v6:
+ No changes
v7:
+ Further split lsm creation into a separate commit from the
evaluation loop and audit system, for easier review.
+ Propogating changes to support the new ipe_context structure in the
evaluation loop.
Introduced in v8:
+ Remove ipe_hook enumeration; hooks can be correlated via syscall
record.
---
security/ipe/Makefile | 1 +
security/ipe/ctx.c | 59 +++++++++++-
security/ipe/ctx.h | 6 ++
security/ipe/eval.c | 144 ++++++++++++++++++++++++++++++
security/ipe/eval.h | 24 +++++
security/ipe/modules/ipe_module.h | 3 +
security/ipe/policy.c | 27 ++++++
security/ipe/policy.h | 4 +
8 files changed, 267 insertions(+), 1 deletion(-)
create mode 100644 security/ipe/eval.c
create mode 100644 security/ipe/eval.h
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
index 9a97efd8a190..0db69f13e82a 100644
--- a/security/ipe/Makefile
+++ b/security/ipe/Makefile
@@ -9,6 +9,7 @@ ccflags-y := -I$(srctree)/security/ipe/modules
obj-$(CONFIG_SECURITY_IPE) += \
ctx.o \
+ eval.o \
hooks.o \
ipe.o \
modules.o \
diff --git a/security/ipe/ctx.c b/security/ipe/ctx.c
index d51fe2e13ad9..97305ddc2ff7 100644
--- a/security/ipe/ctx.c
+++ b/security/ipe/ctx.c
@@ -5,6 +5,7 @@
#include "ipe.h"
#include "ctx.h"
+#include "policy.h"
#include <linux/slab.h>
#include <linux/types.h>
@@ -60,10 +61,25 @@ struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx)
*/
static void free_ctx_work(struct work_struct *const work)
{
+ struct ipe_policy *p = NULL;
struct ipe_context *ctx = NULL;
ctx = container_of(work, struct ipe_context, free_work);
+ /* Make p->ctx no longer have any references */
+ spin_lock(&ctx->lock);
+ list_for_each_entry(p, &ctx->policies, next)
+ rcu_assign_pointer(p->ctx, NULL);
+ spin_unlock(&ctx->lock);
+ synchronize_rcu();
+
+ /*
+ * locking no longer necessary - nothing can get a reference to ctx,
+ * so list is guaranteed stable.
+ */
+ list_for_each_entry(p, &ctx->policies, next)
+ ipe_put_policy(p);
+
kfree(ctx);
}
@@ -88,6 +104,7 @@ static struct ipe_context *create_ctx(void)
}
INIT_WORK(&ctx->free_work, free_ctx_work);
+ INIT_LIST_HEAD(&ctx->policies);
refcount_set(&ctx->refcount, 1);
spin_lock_init(&ctx->lock);
@@ -98,9 +115,49 @@ static struct ipe_context *create_ctx(void)
return ERR_PTR(rc);
}
+/**
+ * remove_policy: Remove a policy from its context
+ * @p: Supplies a pointer to a policy that will be removed from its context
+ *
+ * Decrements @p's reference by 1.
+ */
+void ipe_remove_policy(struct ipe_policy *p)
+{
+ struct ipe_context *ctx;
+
+ ctx = ipe_get_ctx_rcu(p->ctx);
+ if (!ctx)
+ return;
+
+ spin_lock(&ctx->lock);
+ list_del_init(&p->next);
+ rcu_assign_pointer(p->ctx, NULL);
+ spin_unlock(&ctx->lock);
+ synchronize_rcu();
+
+ ipe_put_ctx(ctx);
+ /* drop the reference representing the list */
+ ipe_put_policy(p);
+}
+
+/**
+ * ipe_add_policy: Associate @p with @ctx
+ * @ctx: Supplies a pointer to the ipe_context structure to associate @p with.
+ * @p: Supplies a pointer to the ipe_policy structure to associate.
+ */
+void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p)
+{
+ spin_lock(&ctx->lock);
+ rcu_assign_pointer(p->ctx, ctx);
+ list_add_tail(&p->next, &ctx->policies);
+ refcount_inc(&p->refcount);
+ spin_unlock(&ctx->lock);
+ synchronize_rcu();
+}
+
/**
* ipe_put_ctx: Decrement the reference of an ipe_context structure,
- * scheduling a free as necessary.
+ * scheduling a free as necessary.s
* @ctx: Structure to free
*
* This function no-ops on error and null values for @ctx, and the
diff --git a/security/ipe/ctx.h b/security/ipe/ctx.h
index 69a2c92c0a8c..a0da92da818c 100644
--- a/security/ipe/ctx.h
+++ b/security/ipe/ctx.h
@@ -12,10 +12,14 @@
#include <linux/workqueue.h>
struct ipe_context {
+ struct ipe_policy __rcu *active_policy;
+
refcount_t refcount;
/* Protects concurrent writers */
spinlock_t lock;
+ struct list_head policies; /* type: ipe_policy */
+
struct work_struct free_work;
};
@@ -24,5 +28,7 @@ struct ipe_context __rcu **ipe_tsk_ctx(struct task_struct *tsk);
struct ipe_context *ipe_current_ctx(void);
struct ipe_context *ipe_get_ctx_rcu(struct ipe_context __rcu *ctx);
void ipe_put_ctx(struct ipe_context *ctx);
+void ipe_add_policy(struct ipe_context *ctx, struct ipe_policy *p);
+void ipe_remove_policy(struct ipe_policy *p);
#endif /* IPE_CONTEXT_H */
diff --git a/security/ipe/eval.c b/security/ipe/eval.c
new file mode 100644
index 000000000000..b3e4277fe6bd
--- /dev/null
+++ b/security/ipe/eval.c
@@ -0,0 +1,144 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#include "ipe.h"
+#include "ctx.h"
+#include "eval.h"
+#include "hooks.h"
+#include "policy.h"
+#include "modules/ipe_module.h"
+
+#include <linux/slab.h>
+#include <linux/file.h>
+#include <linux/sched.h>
+#include <linux/rcupdate.h>
+
+/**
+ * build_ctx: Build an evaluation context.
+ * @file: Supplies a pointer to the file to associated with the evaluation
+ * @op: Supplies the IPE policy operation associated with the evaluation
+ * @hook: Supplies the LSM hook associated with the evaluation.
+ *
+ * The current IPE Context will have a reference count increased by one until
+ * this is deallocated.
+ *
+ * Return:
+ * !IS_ERR - OK
+ */
+static struct ipe_eval_ctx *build_ctx(const struct file *file,
+ enum ipe_operation op)
+{
+ struct ipe_eval_ctx *ctx = NULL;
+
+ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+ if (!ctx)
+ return ERR_PTR(-ENOMEM);
+
+ ctx->file = file;
+ ctx->op = op;
+ ctx->ci_ctx = ipe_current_ctx();
+
+ return ctx;
+}
+
+/**
+ * free_ctx: Deallocate a previously-allocated ipe_eval_ctx
+ * @ctx: Supplies a pointer to the evaluation context to free.
+ */
+static void free_ctx(struct ipe_eval_ctx *ctx)
+{
+ if (IS_ERR_OR_NULL(ctx))
+ return;
+
+ ipe_put_ctx(ctx->ci_ctx);
+ kfree(ctx);
+}
+
+/**
+ * evaluate: Analyze @ctx against the active policy and return the result.
+ * @ctx: Supplies a pointer to the context being evaluated.
+ *
+ * This is the loop where all policy evaluation happens against IPE policy.
+ *
+ * Return:
+ * 0 - OK
+ * -EACCES - @ctx did not pass evaluation.
+ * !0 - Error
+ */
+static int evaluate(const struct ipe_eval_ctx *const ctx)
+{
+ int rc = 0;
+ bool match = false;
+ enum ipe_action action;
+ struct ipe_policy *pol = NULL;
+ const struct ipe_rule *rule = NULL;
+ const struct ipe_policy_mod *module = NULL;
+ const struct ipe_operation_table *rules = NULL;
+
+ pol = ipe_get_policy_rcu(ctx->ci_ctx->active_policy);
+ if (!pol)
+ goto out;
+
+ if (ctx->op == ipe_operation_max) {
+ action = pol->parsed->global_default;
+ goto eval;
+ }
+
+ rules = &pol->parsed->rules[ctx->op];
+
+ list_for_each_entry(rule, &rules->rules, next) {
+ match = true;
+
+ list_for_each_entry(module, &rule->modules, next)
+ match = match && module->mod->eval(ctx, module->mod_value);
+
+ if (match)
+ break;
+ }
+
+ if (match) {
+ action = rule->action;
+ } else if (rules->default_action != ipe_action_max) {
+ action = rules->default_action;
+ } else {
+ action = pol->parsed->global_default;
+ }
+
+eval:
+ if (action == ipe_action_deny)
+ rc = -EACCES;
+
+out:
+ ipe_put_policy(pol);
+ return rc;
+}
+
+/**
+ * ipe_process_event: Submit @file for verification against IPE's policy
+ * @file: Supplies an optional pointer to the file being submitted.
+ * @op: IPE Policy Operation to associate with @file
+ *
+ * @file can be NULL and will be submitted for evaluation like a non-NULL
+ * file.
+ *
+ * Return:
+ * 0 - OK
+ * -EACCES - @file did not pass verification
+ * !0 - Error
+ */
+int ipe_process_event(const struct file *file, enum ipe_operation op)
+{
+ int rc = 0;
+ struct ipe_eval_ctx *ctx = NULL;
+
+ ctx = build_ctx(file, op);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
+ rc = evaluate(ctx);
+
+ free_ctx(ctx);
+ return rc;
+}
diff --git a/security/ipe/eval.h b/security/ipe/eval.h
new file mode 100644
index 000000000000..bc3a5da3badc
--- /dev/null
+++ b/security/ipe/eval.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef IPE_EVAL_H
+#define IPE_EVAL_H
+
+#include <linux/file.h>
+
+#include "ctx.h"
+#include "hooks.h"
+#include "policy.h"
+
+struct ipe_eval_ctx {
+ enum ipe_operation op;
+
+ const struct file *file;
+ struct ipe_context *ci_ctx;
+};
+
+int ipe_process_event(const struct file *file, enum ipe_operation op);
+
+#endif /* IPE_EVAL_H */
diff --git a/security/ipe/modules/ipe_module.h b/security/ipe/modules/ipe_module.h
index c4e98b548df3..1157c5363048 100644
--- a/security/ipe/modules/ipe_module.h
+++ b/security/ipe/modules/ipe_module.h
@@ -6,6 +6,7 @@
#define IPE_MODULE_H
#include <linux/types.h>
+#include "../eval.h"
/**
* ipe_module: definition of an extensible module for IPE properties.
@@ -23,6 +24,8 @@ struct ipe_module {
u16 version; /* required */
int (*parse)(const char *valstr, void **value); /* required */
void (*free)(void **value); /* optional */
+ bool (*eval)(const struct ipe_eval_ctx *ctx, /* required */
+ const void *val);
};
#define IPE_MODULE(parser) \
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index 6381fa7c2ec6..d68f9bf72f72 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -874,6 +874,32 @@ void ipe_put_policy(struct ipe_policy *p)
kfree(p);
}
+/**
+ * ipe_get_policy_rcu: Dereference rcu-protected @p and increase the reference
+ * count.
+ * @p: rcu-protected pointer to dereference
+ *
+ * Not safe to call on IS_ERR.
+ *
+ * Return:
+ * !NULL - reference count of @p was valid, and increased by one.
+ * NULL - reference count of @p is not valid.
+ */
+struct ipe_policy *ipe_get_policy_rcu(struct ipe_policy __rcu *p)
+{
+ struct ipe_policy *rv = NULL;
+
+ rcu_read_lock();
+
+ rv = rcu_dereference(p);
+ if (!rv || !refcount_inc_not_zero(&rv->refcount))
+ rv = NULL;
+
+ rcu_read_unlock();
+
+ return rv;
+}
+
static int set_pkcs7_data(void *ctx, const void *data, size_t len,
size_t asn1hdrlen)
{
@@ -912,6 +938,7 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
return ERR_PTR(-ENOMEM);
refcount_set(&new->refcount, 1);
+ INIT_LIST_HEAD(&new->next);
if (!text) {
new->pkcs7len = pkcs7len;
diff --git a/security/ipe/policy.h b/security/ipe/policy.h
index d78788db238c..2b5041c5a75a 100644
--- a/security/ipe/policy.h
+++ b/security/ipe/policy.h
@@ -87,11 +87,15 @@ struct ipe_policy {
struct ipe_parsed_policy *parsed;
refcount_t refcount;
+
+ struct list_head next; /* type: ipe_policy */
+ struct ipe_context __rcu *ctx;
};
struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
const char *pkcs7, size_t pkcs7len);
void ipe_put_policy(struct ipe_policy *pol);
bool ipe_is_op_alias(int op, const enum ipe_operation **map, size_t *size);
+struct ipe_policy *ipe_get_policy_rcu(struct ipe_policy __rcu *p);
#endif /* IPE_POLICY_H */
--
2.25.1