1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
4 */
5
6 #include <linux/fs.h>
7 #include <linux/fs_struct.h>
8 #include <linux/types.h>
9 #include <linux/binfmts.h>
10 #include <linux/mman.h>
11 #include <linux/blk_types.h>
12
13 #include "ipe.h"
14 #include "hooks.h"
15 #include "eval.h"
16 #include "digest.h"
17
18 /**
19 * ipe_bprm_check_security() - ipe security hook function for bprm check.
20 * @bprm: Supplies a pointer to a linux_binprm structure to source the file
21 * being evaluated.
22 *
23 * This LSM hook is called when a binary is loaded through the exec
24 * family of system calls.
25 *
26 * Return:
27 * * %0 - Success
28 * * %-EACCES - Did not pass IPE policy
29 */
ipe_bprm_check_security(struct linux_binprm * bprm)30 int ipe_bprm_check_security(struct linux_binprm *bprm)
31 {
32 struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
33
34 ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);
35 return ipe_evaluate_event(&ctx);
36 }
37
38 /**
39 * ipe_mmap_file() - ipe security hook function for mmap check.
40 * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
41 * @reqprot: The requested protection on the mmap, passed from usermode.
42 * @prot: The effective protection on the mmap, resolved from reqprot and
43 * system configuration.
44 * @flags: Unused.
45 *
46 * This hook is called when a file is loaded through the mmap
47 * family of system calls.
48 *
49 * Return:
50 * * %0 - Success
51 * * %-EACCES - Did not pass IPE policy
52 */
ipe_mmap_file(struct file * f,unsigned long reqprot __always_unused,unsigned long prot,unsigned long flags)53 int ipe_mmap_file(struct file *f, unsigned long reqprot __always_unused,
54 unsigned long prot, unsigned long flags)
55 {
56 struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
57
58 if (prot & PROT_EXEC) {
59 ipe_build_eval_ctx(&ctx, f, IPE_OP_EXEC, IPE_HOOK_MMAP);
60 return ipe_evaluate_event(&ctx);
61 }
62
63 return 0;
64 }
65
66 /**
67 * ipe_file_mprotect() - ipe security hook function for mprotect check.
68 * @vma: Existing virtual memory area created by mmap or similar.
69 * @reqprot: The requested protection on the mmap, passed from usermode.
70 * @prot: The effective protection on the mmap, resolved from reqprot and
71 * system configuration.
72 *
73 * This LSM hook is called when a mmap'd region of memory is changing
74 * its protections via mprotect.
75 *
76 * Return:
77 * * %0 - Success
78 * * %-EACCES - Did not pass IPE policy
79 */
ipe_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot __always_unused,unsigned long prot)80 int ipe_file_mprotect(struct vm_area_struct *vma,
81 unsigned long reqprot __always_unused,
82 unsigned long prot)
83 {
84 struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
85
86 /* Already Executable */
87 if (vma->vm_flags & VM_EXEC)
88 return 0;
89
90 if (prot & PROT_EXEC) {
91 ipe_build_eval_ctx(&ctx, vma->vm_file, IPE_OP_EXEC, IPE_HOOK_MPROTECT);
92 return ipe_evaluate_event(&ctx);
93 }
94
95 return 0;
96 }
97
98 /**
99 * ipe_kernel_read_file() - ipe security hook function for kernel read.
100 * @file: Supplies a pointer to the file structure being read in from disk.
101 * @id: Supplies the enumeration identifying the purpose of the read.
102 * @contents: Unused.
103 *
104 * This LSM hook is called when a file is read from disk in the kernel.
105 *
106 * Return:
107 * * %0 - Success
108 * * %-EACCES - Did not pass IPE policy
109 */
ipe_kernel_read_file(struct file * file,enum kernel_read_file_id id,bool contents)110 int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id,
111 bool contents)
112 {
113 struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
114 enum ipe_op_type op;
115
116 switch (id) {
117 case READING_FIRMWARE:
118 op = IPE_OP_FIRMWARE;
119 break;
120 case READING_MODULE:
121 op = IPE_OP_KERNEL_MODULE;
122 break;
123 case READING_KEXEC_INITRAMFS:
124 op = IPE_OP_KEXEC_INITRAMFS;
125 break;
126 case READING_KEXEC_IMAGE:
127 op = IPE_OP_KEXEC_IMAGE;
128 break;
129 case READING_POLICY:
130 op = IPE_OP_POLICY;
131 break;
132 case READING_X509_CERTIFICATE:
133 op = IPE_OP_X509;
134 break;
135 default:
136 op = IPE_OP_INVALID;
137 WARN(1, "no rule setup for kernel_read_file enum %d", id);
138 }
139
140 ipe_build_eval_ctx(&ctx, file, op, IPE_HOOK_KERNEL_READ);
141 return ipe_evaluate_event(&ctx);
142 }
143
144 /**
145 * ipe_kernel_load_data() - ipe security hook function for kernel load data.
146 * @id: Supplies the enumeration identifying the purpose of the load.
147 * @contents: Unused.
148 *
149 * This LSM hook is called when a data buffer provided by userspace is loading
150 * into the kernel.
151 *
152 * Return:
153 * * %0 - Success
154 * * %-EACCES - Did not pass IPE policy
155 */
ipe_kernel_load_data(enum kernel_load_data_id id,bool contents)156 int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents)
157 {
158 struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
159 enum ipe_op_type op;
160
161 switch (id) {
162 case LOADING_FIRMWARE:
163 op = IPE_OP_FIRMWARE;
164 break;
165 case LOADING_MODULE:
166 op = IPE_OP_KERNEL_MODULE;
167 break;
168 case LOADING_KEXEC_INITRAMFS:
169 op = IPE_OP_KEXEC_INITRAMFS;
170 break;
171 case LOADING_KEXEC_IMAGE:
172 op = IPE_OP_KEXEC_IMAGE;
173 break;
174 case LOADING_POLICY:
175 op = IPE_OP_POLICY;
176 break;
177 case LOADING_X509_CERTIFICATE:
178 op = IPE_OP_X509;
179 break;
180 default:
181 op = IPE_OP_INVALID;
182 WARN(1, "no rule setup for kernel_load_data enum %d", id);
183 }
184
185 ipe_build_eval_ctx(&ctx, NULL, op, IPE_HOOK_KERNEL_LOAD);
186 return ipe_evaluate_event(&ctx);
187 }
188
189 /**
190 * ipe_unpack_initramfs() - Mark the current rootfs as initramfs.
191 */
ipe_unpack_initramfs(void)192 void ipe_unpack_initramfs(void)
193 {
194 ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true;
195 }
196
197 #ifdef CONFIG_IPE_PROP_DM_VERITY
198 /**
199 * ipe_bdev_free_security() - Free IPE's LSM blob of block_devices.
200 * @bdev: Supplies a pointer to a block_device that contains the structure
201 * to free.
202 */
ipe_bdev_free_security(struct block_device * bdev)203 void ipe_bdev_free_security(struct block_device *bdev)
204 {
205 struct ipe_bdev *blob = ipe_bdev(bdev);
206
207 ipe_digest_free(blob->root_hash);
208 }
209
210 #ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
ipe_set_dmverity_signature(struct ipe_bdev * blob,const void * value,size_t size)211 static void ipe_set_dmverity_signature(struct ipe_bdev *blob,
212 const void *value,
213 size_t size)
214 {
215 blob->dm_verity_signed = size > 0 && value;
216 }
217 #else
ipe_set_dmverity_signature(struct ipe_bdev * blob,const void * value,size_t size)218 static inline void ipe_set_dmverity_signature(struct ipe_bdev *blob,
219 const void *value,
220 size_t size)
221 {
222 }
223 #endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */
224
225 /**
226 * ipe_bdev_setintegrity() - Save integrity data from a bdev to IPE's LSM blob.
227 * @bdev: Supplies a pointer to a block_device that contains the LSM blob.
228 * @type: Supplies the integrity type.
229 * @value: Supplies the value to store.
230 * @size: The size of @value.
231 *
232 * This hook is currently used to save dm-verity's root hash or the existence
233 * of a validated signed dm-verity root hash into LSM blob.
234 *
235 * Return: %0 on success. If an error occurs, the function will return the
236 * -errno.
237 */
ipe_bdev_setintegrity(struct block_device * bdev,enum lsm_integrity_type type,const void * value,size_t size)238 int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
239 const void *value, size_t size)
240 {
241 const struct dm_verity_digest *digest = NULL;
242 struct ipe_bdev *blob = ipe_bdev(bdev);
243 struct digest_info *info = NULL;
244
245 if (type == LSM_INT_DMVERITY_SIG_VALID) {
246 ipe_set_dmverity_signature(blob, value, size);
247
248 return 0;
249 }
250
251 if (type != LSM_INT_DMVERITY_ROOTHASH)
252 return -EINVAL;
253
254 if (!value) {
255 ipe_digest_free(blob->root_hash);
256 blob->root_hash = NULL;
257
258 return 0;
259 }
260 digest = value;
261
262 info = kzalloc(sizeof(*info), GFP_KERNEL);
263 if (!info)
264 return -ENOMEM;
265
266 info->digest = kmemdup(digest->digest, digest->digest_len, GFP_KERNEL);
267 if (!info->digest)
268 goto err;
269
270 info->alg = kstrdup(digest->alg, GFP_KERNEL);
271 if (!info->alg)
272 goto err;
273
274 info->digest_len = digest->digest_len;
275
276 ipe_digest_free(blob->root_hash);
277 blob->root_hash = info;
278
279 return 0;
280 err:
281 ipe_digest_free(info);
282
283 return -ENOMEM;
284 }
285 #endif /* CONFIG_IPE_PROP_DM_VERITY */
286
287 #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
288 /**
289 * ipe_inode_setintegrity() - save integrity data from a inode to IPE's LSM blob.
290 * @inode: The inode to source the security blob from.
291 * @type: Supplies the integrity type.
292 * @value: The value to be stored.
293 * @size: The size of @value.
294 *
295 * This hook is currently used to save the existence of a validated fs-verity
296 * builtin signature into LSM blob.
297 *
298 * Return: %0 on success. If an error occurs, the function will return the
299 * -errno.
300 */
ipe_inode_setintegrity(const struct inode * inode,enum lsm_integrity_type type,const void * value,size_t size)301 int ipe_inode_setintegrity(const struct inode *inode,
302 enum lsm_integrity_type type,
303 const void *value, size_t size)
304 {
305 struct ipe_inode *inode_sec = ipe_inode(inode);
306
307 if (type == LSM_INT_FSVERITY_BUILTINSIG_VALID) {
308 inode_sec->fs_verity_signed = size > 0 && value;
309 return 0;
310 }
311
312 return -EINVAL;
313 }
314 #endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
315