xref: /linux/security/ipe/hooks.c (revision 777f8171602d5954cac024b66afa1b5b030641a4) 
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
4  */
5 
6 #include <linux/fs.h>
7 #include <linux/fs_struct.h>
8 #include <linux/types.h>
9 #include <linux/binfmts.h>
10 #include <linux/mman.h>
11 #include <linux/blk_types.h>
12 
13 #include "ipe.h"
14 #include "hooks.h"
15 #include "eval.h"
16 #include "digest.h"
17 
18 /**
19  * ipe_bprm_check_security() - ipe security hook function for bprm check.
20  * @bprm: Supplies a pointer to a linux_binprm structure to source the file
21  *	  being evaluated.
22  *
23  * This LSM hook is called when a binary is loaded through the exec
24  * family of system calls.
25  *
26  * Return:
27  * * %0		- Success
28  * * %-EACCES	- Did not pass IPE policy
29  */
30 int ipe_bprm_check_security(struct linux_binprm *bprm)
31 {
32 	struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
33 
34 	ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);
35 	return ipe_evaluate_event(&ctx);
36 }
37 
38 /**
39  * ipe_mmap_file() - ipe security hook function for mmap check.
40  * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
41  * @reqprot: The requested protection on the mmap, passed from usermode.
42  * @prot: The effective protection on the mmap, resolved from reqprot and
43  *	  system configuration.
44  * @flags: Unused.
45  *
46  * This hook is called when a file is loaded through the mmap
47  * family of system calls.
48  *
49  * Return:
50  * * %0		- Success
51  * * %-EACCES	- Did not pass IPE policy
52  */
53 int ipe_mmap_file(struct file *f, unsigned long reqprot __always_unused,
54 		  unsigned long prot, unsigned long flags)
55 {
56 	struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
57 
58 	if (prot & PROT_EXEC) {
59 		ipe_build_eval_ctx(&ctx, f, IPE_OP_EXEC, IPE_HOOK_MMAP);
60 		return ipe_evaluate_event(&ctx);
61 	}
62 
63 	return 0;
64 }
65 
66 /**
67  * ipe_file_mprotect() - ipe security hook function for mprotect check.
68  * @vma: Existing virtual memory area created by mmap or similar.
69  * @reqprot: The requested protection on the mmap, passed from usermode.
70  * @prot: The effective protection on the mmap, resolved from reqprot and
71  *	  system configuration.
72  *
73  * This LSM hook is called when a mmap'd region of memory is changing
74  * its protections via mprotect.
75  *
76  * Return:
77  * * %0		- Success
78  * * %-EACCES	- Did not pass IPE policy
79  */
80 int ipe_file_mprotect(struct vm_area_struct *vma,
81 		      unsigned long reqprot __always_unused,
82 		      unsigned long prot)
83 {
84 	struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
85 
86 	/* Already Executable */
87 	if (vma->vm_flags & VM_EXEC)
88 		return 0;
89 
90 	if (prot & PROT_EXEC) {
91 		ipe_build_eval_ctx(&ctx, vma->vm_file, IPE_OP_EXEC, IPE_HOOK_MPROTECT);
92 		return ipe_evaluate_event(&ctx);
93 	}
94 
95 	return 0;
96 }
97 
98 /**
99  * ipe_kernel_read_file() - ipe security hook function for kernel read.
100  * @file: Supplies a pointer to the file structure being read in from disk.
101  * @id: Supplies the enumeration identifying the purpose of the read.
102  * @contents: Unused.
103  *
104  * This LSM hook is called when a file is read from disk in the kernel.
105  *
106  * Return:
107  * * %0		- Success
108  * * %-EACCES	- Did not pass IPE policy
109  */
110 int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id,
111 			 bool contents)
112 {
113 	struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
114 	enum ipe_op_type op;
115 
116 	switch (id) {
117 	case READING_FIRMWARE:
118 		op = IPE_OP_FIRMWARE;
119 		break;
120 	case READING_MODULE:
121 	case READING_MODULE_COMPRESSED:
122 		op = IPE_OP_KERNEL_MODULE;
123 		break;
124 	case READING_KEXEC_INITRAMFS:
125 		op = IPE_OP_KEXEC_INITRAMFS;
126 		break;
127 	case READING_KEXEC_IMAGE:
128 		op = IPE_OP_KEXEC_IMAGE;
129 		break;
130 	case READING_POLICY:
131 		op = IPE_OP_POLICY;
132 		break;
133 	case READING_X509_CERTIFICATE:
134 		op = IPE_OP_X509;
135 		break;
136 	default:
137 		op = IPE_OP_INVALID;
138 		WARN(1, "no rule setup for kernel_read_file enum %d", id);
139 	}
140 
141 	ipe_build_eval_ctx(&ctx, file, op, IPE_HOOK_KERNEL_READ);
142 	return ipe_evaluate_event(&ctx);
143 }
144 
145 /**
146  * ipe_kernel_load_data() - ipe security hook function for kernel load data.
147  * @id: Supplies the enumeration identifying the purpose of the load.
148  * @contents: Unused.
149  *
150  * This LSM hook is called when a data buffer provided by userspace is loading
151  * into the kernel.
152  *
153  * Return:
154  * * %0		- Success
155  * * %-EACCES	- Did not pass IPE policy
156  */
157 int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents)
158 {
159 	struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
160 	enum ipe_op_type op;
161 
162 	switch (id) {
163 	case LOADING_FIRMWARE:
164 		op = IPE_OP_FIRMWARE;
165 		break;
166 	case LOADING_MODULE:
167 		op = IPE_OP_KERNEL_MODULE;
168 		break;
169 	case LOADING_KEXEC_INITRAMFS:
170 		op = IPE_OP_KEXEC_INITRAMFS;
171 		break;
172 	case LOADING_KEXEC_IMAGE:
173 		op = IPE_OP_KEXEC_IMAGE;
174 		break;
175 	case LOADING_POLICY:
176 		op = IPE_OP_POLICY;
177 		break;
178 	case LOADING_X509_CERTIFICATE:
179 		op = IPE_OP_X509;
180 		break;
181 	default:
182 		op = IPE_OP_INVALID;
183 		WARN(1, "no rule setup for kernel_load_data enum %d", id);
184 	}
185 
186 	ipe_build_eval_ctx(&ctx, NULL, op, IPE_HOOK_KERNEL_LOAD);
187 	return ipe_evaluate_event(&ctx);
188 }
189 
190 /**
191  * ipe_unpack_initramfs() - Mark the current rootfs as initramfs.
192  */
193 void ipe_unpack_initramfs(void)
194 {
195 	ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true;
196 }
197 
198 #ifdef CONFIG_IPE_PROP_DM_VERITY
199 /**
200  * ipe_bdev_free_security() - Free IPE's LSM blob of block_devices.
201  * @bdev: Supplies a pointer to a block_device that contains the structure
202  *	  to free.
203  */
204 void ipe_bdev_free_security(struct block_device *bdev)
205 {
206 	struct ipe_bdev *blob = ipe_bdev(bdev);
207 
208 	ipe_digest_free(blob->root_hash);
209 }
210 
211 #ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
212 static void ipe_set_dmverity_signature(struct ipe_bdev *blob,
213 				       const void *value,
214 				       size_t size)
215 {
216 	blob->dm_verity_signed = size > 0 && value;
217 }
218 #else
219 static inline void ipe_set_dmverity_signature(struct ipe_bdev *blob,
220 					      const void *value,
221 					      size_t size)
222 {
223 }
224 #endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */
225 
226 /**
227  * ipe_bdev_setintegrity() - Save integrity data from a bdev to IPE's LSM blob.
228  * @bdev: Supplies a pointer to a block_device that contains the LSM blob.
229  * @type: Supplies the integrity type.
230  * @value: Supplies the value to store.
231  * @size: The size of @value.
232  *
233  * This hook is currently used to save dm-verity's root hash or the existence
234  * of a validated signed dm-verity root hash into LSM blob.
235  *
236  * Return: %0 on success. If an error occurs, the function will return the
237  * -errno.
238  */
239 int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
240 			  const void *value, size_t size)
241 {
242 	const struct dm_verity_digest *digest = NULL;
243 	struct ipe_bdev *blob = ipe_bdev(bdev);
244 	struct digest_info *info = NULL;
245 
246 	if (type == LSM_INT_DMVERITY_SIG_VALID) {
247 		ipe_set_dmverity_signature(blob, value, size);
248 
249 		return 0;
250 	}
251 
252 	if (type != LSM_INT_DMVERITY_ROOTHASH)
253 		return -EINVAL;
254 
255 	if (!value) {
256 		ipe_digest_free(blob->root_hash);
257 		blob->root_hash = NULL;
258 
259 		return 0;
260 	}
261 	digest = value;
262 
263 	info = kzalloc(sizeof(*info), GFP_KERNEL);
264 	if (!info)
265 		return -ENOMEM;
266 
267 	info->digest = kmemdup(digest->digest, digest->digest_len, GFP_KERNEL);
268 	if (!info->digest)
269 		goto err;
270 
271 	info->alg = kstrdup(digest->alg, GFP_KERNEL);
272 	if (!info->alg)
273 		goto err;
274 
275 	info->digest_len = digest->digest_len;
276 
277 	ipe_digest_free(blob->root_hash);
278 	blob->root_hash = info;
279 
280 	return 0;
281 err:
282 	ipe_digest_free(info);
283 
284 	return -ENOMEM;
285 }
286 #endif /* CONFIG_IPE_PROP_DM_VERITY */
287 
288 #ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
289 /**
290  * ipe_inode_setintegrity() - save integrity data from a inode to IPE's LSM blob.
291  * @inode: The inode to source the security blob from.
292  * @type: Supplies the integrity type.
293  * @value: The value to be stored.
294  * @size: The size of @value.
295  *
296  * This hook is currently used to save the existence of a validated fs-verity
297  * builtin signature into LSM blob.
298  *
299  * Return: %0 on success. If an error occurs, the function will return the
300  * -errno.
301  */
302 int ipe_inode_setintegrity(const struct inode *inode,
303 			   enum lsm_integrity_type type,
304 			   const void *value, size_t size)
305 {
306 	struct ipe_inode *inode_sec = ipe_inode(inode);
307 
308 	if (type == LSM_INT_FSVERITY_BUILTINSIG_VALID) {
309 		inode_sec->fs_verity_signed = size > 0 && value;
310 		return 0;
311 	}
312 
313 	return -EINVAL;
314 }
315 #endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
316