1

lsm: add IPE lsm

Integrity Policy Enforcement (IPE) is an LSM that provides an
complimentary approach to Mandatory Access Control than existing LSMs
today.

Existing LSMs have centered around the concept of access to a resource
should be controlled by the current user's credentials. IPE's approach,
is that access to a resource should be controlled by the system's trust
of a current resource.

The basis of this approach is defining a global policy to specify which
resource can be trusted.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Deven Bowers 2024-08-02 23:08:15 -07:00 committed by Paul Moore
parent 9ee6881454
commit 0311507792
9 changed files with 97 additions and 6 deletions

View File

@ -64,6 +64,7 @@ struct lsm_ctx {
#define LSM_ID_LANDLOCK 110
#define LSM_ID_IMA 111
#define LSM_ID_EVM 112
#define LSM_ID_IPE 113
/*
* LSM_ATTR_XXX definitions identify different LSM attributes

View File

@ -192,6 +192,7 @@ source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
source "security/ipe/Kconfig"
source "security/integrity/Kconfig"
@ -231,11 +232,11 @@ endchoice
config LSM
string "Ordered list of enabled LSMs"
default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list, except for those with order

View File

@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
obj-$(CONFIG_SECURITY_IPE) += ipe/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/

17
security/ipe/Kconfig Normal file
View File

@ -0,0 +1,17 @@
# SPDX-License-Identifier: GPL-2.0-only
#
# Integrity Policy Enforcement (IPE) configuration
#
menuconfig SECURITY_IPE
bool "Integrity Policy Enforcement (IPE)"
depends on SECURITY && SECURITYFS
select PKCS7_MESSAGE_PARSER
select SYSTEM_DATA_VERIFICATION
help
This option enables the Integrity Policy Enforcement LSM
allowing users to define a policy to enforce a trust-based access
control. A key feature of IPE is a customizable policy to allow
admins to reconfigure trust requirements on the fly.
If unsure, answer N.

9
security/ipe/Makefile Normal file
View File

@ -0,0 +1,9 @@
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
#
# Makefile for building the IPE module as part of the kernel tree.
#
obj-$(CONFIG_SECURITY_IPE) += \
ipe.o \

42
security/ipe/ipe.c Normal file
View File

@ -0,0 +1,42 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <uapi/linux/lsm.h>
#include "ipe.h"
static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
};
static const struct lsm_id ipe_lsmid = {
.name = "ipe",
.id = LSM_ID_IPE,
};
static struct security_hook_list ipe_hooks[] __ro_after_init = {
};
/**
* ipe_init() - Entry point of IPE.
*
* This is called at LSM init, which happens occurs early during kernel
* start up. During this phase, IPE registers its hooks and loads the
* builtin boot policy.
*
* Return:
* * %0 - OK
* * %-ENOMEM - Out of memory (OOM)
*/
static int __init ipe_init(void)
{
security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
return 0;
}
DEFINE_LSM(ipe) = {
.name = "ipe",
.init = ipe_init,
.blobs = &ipe_blobs,
};

16
security/ipe/ipe.h Normal file
View File

@ -0,0 +1,16 @@
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_H
#define _IPE_H
#ifdef pr_fmt
#undef pr_fmt
#endif
#define pr_fmt(fmt) "ipe: " fmt
#include <linux/lsm_hooks.h>
#endif /* _IPE_H */

View File

@ -53,7 +53,8 @@
(IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
(IS_ENABLED(CONFIG_IMA) ? 1 : 0) + \
(IS_ENABLED(CONFIG_EVM) ? 1 : 0))
(IS_ENABLED(CONFIG_EVM) ? 1 : 0) + \
(IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))
/*
* These are descriptions of the reasons that can be passed to the

View File

@ -128,6 +128,9 @@ TEST(correct_lsm_list_modules)
case LSM_ID_EVM:
name = "evm";
break;
case LSM_ID_IPE:
name = "ipe";
break;
default:
name = "INVALID";
break;