diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
index 8279dddf92ad..6bc487b689e0 100644
--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -10,6 +10,8 @@ menuconfig SECURITY_IPE
select SYSTEM_DATA_VERIFICATION
select IPE_PROP_DM_VERITY if DM_VERITY
select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
+ select IPE_PROP_FS_VERITY if FS_VERITY
+ select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
help
This option enables the Integrity Policy Enforcement LSM allowing users to define a policy to enforce a trust-based access
@@ -39,6 +41,30 @@ config IPE_PROP_DM_VERITY_SIGNATURE
volume, which has been mounted with a valid signed root hash, is evaluated.
+ If unsure, answer Y.
+
+config IPE_PROP_FS_VERITY
+ bool "Enable support for fs-verity based on file digest"
+ depends on FS_VERITY
+ help
+ This option enables the 'fsverity_digest' property within IPE
+ policies. The property evaluates to TRUE when a file is fsverity
+ enabled and its digest matches the supplied digest value in the
+ policy.
+
+ if unsure, answer Y.
+
+config IPE_PROP_FS_VERITY_BUILTIN_SIG
+ bool "Enable support for fs-verity based on builtin signature"
+ depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
+ help
+ This option enables the 'fsverity_signature' property within IPE
+ policies. The property evaluates to TRUE when a file is fsverity
+ enabled and it has a valid builtin signature whose signing cert
+ is in the .fs-verity keyring.
+
+ if unsure, answer Y.
+
endmenu
endif
diff --git a/security/ipe/audit.c b/security/ipe/audit.c
index 8e21879e96c7..f05f0caa4850 100644
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@@ -56,6 +56,9 @@ static const char *const audit_prop_names[__IPE_PROP_MAX] = {
"dmverity_roothash=",
"dmverity_signature=FALSE",
"dmverity_signature=TRUE",
+ "fsverity_digest=",
+ "fsverity_signature=FALSE",
+ "fsverity_signature=TRUE",
};
/**
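Review bot: The help text added for IPE_PROP_FS_VERITY and IPE_PROP_FS_VERITY_BUILTIN_SIG ends with `if unsure, answer Y.` while the line this same hunk adds to IPE_PROP_DM_VERITY_SIGNATURE reads `If unsure, answer Y.`; use the capitalised form in all three. The IPE_PROP_FS_VERITY_BUILTIN_SIG text would also benefit from saying that IPE does not check the signature itself but records the outcome fs-verity reports (the hooks.c hunk of this diff stores that via inode_setintegrity), e.g. `The signature is verified by fs-verity; IPE only records whether that verification succeeded.` The IPE_PROP_DM_VERITY_SIGNATURE entry this hunk extends begins above the hunk.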
@@ -69,6 +72,17 @@ static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh)
ipe_digest_audit(ab, rh);
}
+/**
+ * audit_fsv_digest() - audit the digest of a fsverity_digest property.
+ * @ab: Supplies a pointer to the audit_buffer to append to.
+ * @d: Supplies a pointer to the digest structure.
+ */
+static void audit_fsv_digest(struct audit_buffer *ab, const void *d)
+{
+ audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_FSV_DIGEST]);
+ ipe_digest_audit(ab, d);
+}
+
/**
* audit_rule() - audit an IPE policy rule.
* @ab: Supplies a pointer to the audit_buffer to append to.
@@ -85,6 +99,9 @@ static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r)
case IPE_PROP_DMV_ROOTHASH:
audit_dmv_roothash(ab, ptr->value);
break;
+ case IPE_PROP_FSV_DIGEST:
+ audit_fsv_digest(ab, ptr->value);
+ break;
default:
audit_log_format(ab, "%s", audit_prop_names[ptr->type]);
break;
diff --git a/security/ipe/eval.c b/security/ipe/eval.c
index 2b80cc399ac3..21439c5be336 100644
--- a/security/ipe/eval.c
+++ b/security/ipe/eval.c
@@ -10,6 +10,7 @@
#include
#include
#include
+#include
#include "ipe.h"
#include "eval.h"
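Review bot: audit_fsv_digest duplicates audit_dmv_roothash line for line except for the index into audit_prop_names, which is a style point worth folding now rather than after a third digest-valued property appears. One helper parameterised on the property type covers both: `static void audit_digest_prop(struct audit_buffer *ab, enum ipe_prop_type type, const void *d)` with the body `audit_log_format(ab, "%s", audit_prop_names[type]); ipe_digest_audit(ab, d);`, called from the IPE_PROP_DMV_ROOTHASH and IPE_PROP_FSV_DIGEST cases of audit_rule. The body of audit_dmv_roothash starts above this hunk and audit_rule continues past the second one.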
@@ -51,6 +52,36 @@ static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *con
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+static void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx,
+ const struct inode *const ino)
+{
+ ctx->ipe_inode = ipe_inode(ctx->ino);
+}
+#else
+static inline void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx,
+ const struct inode *const ino)
+{
+}
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
+
+/**
+ * build_ipe_inode_ctx() - Build inode fields of an evaluation context.
+ * @ctx: Supplies a pointer to the context to be populated.
+ * @ino: Supplies the inode struct of the file triggered IPE event.
+ */
+static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
+{
+ ctx->ino = ino;
+ build_ipe_inode_blob_ctx(ctx, ino);
+}
+#else
+static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
+{
+}
+#endif /* CONFIG_IPE_PROP_FS_VERITY */
+
/**
* ipe_build_eval_ctx() - Build an ipe evaluation context.
* @ctx: Supplies a pointer to the context to be populated.
@@ -63,13 +94,17 @@ void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx,
enum ipe_op_type op,
enum ipe_hook_type hook)
{
+ struct inode *ino;
+
ctx->file = file;
ctx->op = op;
ctx->hook = hook;
if (file) {
build_ipe_sb_ctx(ctx, file);
- build_ipe_bdev_ctx(ctx, d_real_inode(file->f_path.dentry));
+ ino = d_real_inode(file->f_path.dentry);
+ build_ipe_bdev_ctx(ctx, ino);
+ build_ipe_inode_ctx(ctx, ino);
}
}
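Review bot: build_ipe_inode_blob_ctx ignores its `ino` parameter and reads `ctx->ino` instead, so it is correct only because build_ipe_inode_ctx happens to assign `ctx->ino = ino;` on the line before the call; a future caller or a reordering would silently look up the blob of a stale or NULL inode. Use the argument that was passed: `ctx->ipe_inode = ipe_inode(ino);`. As a smaller point of style, the BUILTIN_SIG variant is `static void` while its `#else` stub is `static inline void`; the two should agree. The doc line `Supplies the inode struct of the file triggered IPE event` reads better as `Supplies the inode of the file that triggered the IPE event`.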
@@ -150,6 +185,86 @@ static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx)
}
#endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */
+#ifdef CONFIG_IPE_PROP_FS_VERITY
+/**
+ * evaluate_fsv_digest() - Evaluate @ctx against a fsv digest property.
+ * @ctx: Supplies a pointer to the context being evaluated.
+ * @p: Supplies a pointer to the property being evaluated.
+ *
+ * Return:
+ * * %true - The current @ctx match the @p
+ * * %false - The current @ctx doesn't match the @p
+ */
+static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx,
+ struct ipe_prop *p)
+{
+ enum hash_algo alg;
+ u8 digest[FS_VERITY_MAX_DIGEST_SIZE];
+ struct digest_info info;
+
+ if (!ctx->ino)
+ return false;
+ if (!fsverity_get_digest((struct inode *)ctx->ino,
+ digest,
+ NULL,
+ &alg))
+ return false;
+
+ info.alg = hash_algo_name[alg];
+ info.digest = digest;
+ info.digest_len = hash_digest_size[alg];
+
+ return ipe_digest_eval(p->value, &info);
+}
+#else
+static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx,
+ struct ipe_prop *p)
+{
+ return false;
+}
+#endif /* CONFIG_IPE_PROP_FS_VERITY */
+
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+/**
+ * evaluate_fsv_sig_false() - Evaluate @ctx against a fsv sig false property.
+ * @ctx: Supplies a pointer to the context being evaluated.
+ *
+ * Return:
+ * * %true - The current @ctx match the property
+ * * %false - The current @ctx doesn't match the property
+ */
+static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx)
+{
+ return !ctx->ino ||
+ !IS_VERITY(ctx->ino) ||
+ !ctx->ipe_inode ||
+ !ctx->ipe_inode->fs_verity_signed;
+}
+
+/**
+ * evaluate_fsv_sig_true() - Evaluate @ctx against a fsv sig true property.
+ * @ctx: Supplies a pointer to the context being evaluated.
+ *
+ * Return:
+ * * %true - The current @ctx match the property
+ * * %false - The current @ctx doesn't match the property
+ */
+static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx)
+{
+ return !evaluate_fsv_sig_false(ctx);
+}
+#else
+static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx)
+{
+ return false;
+}
+
+static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx)
+{
+ return false;
+}
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
+
/**
* evaluate_property() - Analyze @ctx against a rule property.
* @ctx: Supplies a pointer to the context to be evaluated.
@@ -176,6 +291,12 @@ static bool evaluate_property(const struct ipe_eval_ctx *const ctx,
return evaluate_dmv_sig_false(ctx);
case IPE_PROP_DMV_SIG_TRUE:
return evaluate_dmv_sig_true(ctx);
+ case IPE_PROP_FSV_DIGEST:
+ return evaluate_fsv_digest(ctx, p);
+ case IPE_PROP_FSV_SIG_FALSE:
+ return evaluate_fsv_sig_false(ctx);
+ case IPE_PROP_FSV_SIG_TRUE:
+ return evaluate_fsv_sig_true(ctx);
default:
return false;
}
diff --git a/security/ipe/eval.h b/security/ipe/eval.h
index 4901df0e1369..fef65a36468c 100644
--- a/security/ipe/eval.h
+++ b/security/ipe/eval.h
@@ -31,6 +31,12 @@ struct ipe_bdev {
};
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+struct ipe_inode {
+ bool fs_verity_signed;
+};
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
+
struct ipe_eval_ctx {
enum ipe_op_type op;
enum ipe_hook_type hook;
@@ -40,6 +46,12 @@ struct ipe_eval_ctx {
#ifdef CONFIG_IPE_PROP_DM_VERITY
const struct ipe_bdev *ipe_bdev;
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY
+ const struct inode *ino;
+#endif /* CONFIG_IPE_PROP_FS_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+ const struct ipe_inode *ipe_inode;
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
};
enum ipe_match {
diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
index 0b7c66dc15d3..d0323b81cd8f 100644
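Review bot: The `#else` stubs make `fsverity_digest`, `fsverity_signature=FALSE` and `fsverity_signature=TRUE` all evaluate to false whenever the matching CONFIG_IPE_PROP_FS_VERITY* option is off, so a DENY rule keyed on `fsverity_signature=FALSE` silently stops matching on such a kernel and falls through to the default action, and nothing in the stubs says so. Either put that on each stub, e.g. `/* Unsupported in this configuration: never matches, so rules using it fall through to the default action. */`, or have the parser reject these tokens when the option is disabled (parse_property lives in policy_parser.c, outside this hunk). Separately, `(struct inode *)ctx->ino` in evaluate_fsv_digest casts away the const that the context deliberately carries; if fsverity_get_digest really needs a mutable inode, storing a non-const pointer in the context is cleaner than the cast. evaluate_fsv_sig_false also returns true when there is no inode at all, which is presumably intended so that file-less operations match the FALSE form, but that deserves a one-line comment because it is the opposite of what evaluate_fsv_digest does for the same case.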
--- a/security/ipe/hooks.c
+++ b/security/ipe/hooks.c
@@ -283,3 +283,32 @@ err:
return -ENOMEM;
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+/**
+ * ipe_inode_setintegrity() - save integrity data from a inode to IPE's LSM blob.
+ * @inode: The inode to source the security blob from.
+ * @type: Supplies the integrity type.
+ * @value: The value to be stored.
+ * @size: The size of @value.
+ *
+ * This hook is currently used to save the existence of a validated fs-verity
+ * builtin signature into LSM blob.
+ *
+ * Return: %0 on success. If an error occurs, the function will return the
+ * -errno.
+ */
+int ipe_inode_setintegrity(const struct inode *inode,
+ enum lsm_integrity_type type,
+ const void *value, size_t size)
+{
+ struct ipe_inode *inode_sec = ipe_inode(inode);
+
+ if (type == LSM_INT_FSVERITY_BUILTINSIG_VALID) {
+ inode_sec->fs_verity_signed = size > 0 && value;
+ return 0;
+ }
+
+ return -EINVAL;
+}
+#endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
index 4d585fb6ada3..38d4a387d039 100644
--- a/security/ipe/hooks.h
+++ b/security/ipe/hooks.h
@@ -9,6 +9,7 @@
#include
#include
#include
+#include
enum ipe_hook_type {
IPE_HOOK_BPRM_CHECK = 0,
@@ -43,4 +44,9 @@ int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type typ
const void *value, size_t len);
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+int ipe_inode_setintegrity(const struct inode *inode, enum lsm_integrity_type type,
+ const void *value, size_t size);
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
+
#endif /* _IPE_HOOKS_H */
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 03c82a80744a..b410db0b486c 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
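Review bot: The closing comment `#endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */` names a symbol that does not exist; it should read `#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */` to match the `#ifdef` that opens the block. More importantly, `inode_sec->fs_verity_signed = size > 0 && value;` never looks at the content of @value, so the flag means "signature verified" only if callers report LSM_INT_FSVERITY_BUILTINSIG_VALID exclusively after a successful verification; that trust boundary belongs in the kernel-doc, e.g. `@value and @size are not interpreted: any non-empty value for LSM_INT_FSVERITY_BUILTINSIG_VALID marks the inode as carrying a verified builtin signature, so callers must report it only after verification succeeds.` Returning -EINVAL for every other type also means that, if the LSM framework stops at the first non-zero hook return, IPE would veto integrity types it does not consume on behalf of every other LSM; ipe_bdev_setintegrity (outside this hunk) may already behave this way, but it is worth confirming rather than inheriting. Nothing here ever clears the flag, which is sound only if the inode blob is zero-initialised on allocation and fs-verity state cannot be dropped from a live inode — presumably both hold, but neither is visible in this diff.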
@@ -16,6 +16,9 @@ static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
#ifdef CONFIG_IPE_PROP_DM_VERITY
.lbs_bdev = sizeof(struct ipe_bdev),
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+ .lbs_inode = sizeof(struct ipe_inode),
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
};
static const struct lsm_id ipe_lsmid = {
@@ -35,6 +38,13 @@ struct ipe_bdev *ipe_bdev(struct block_device *b)
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+struct ipe_inode *ipe_inode(const struct inode *inode)
+{
+ return inode->i_security + ipe_blobs.lbs_inode;
+}
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
+
static struct security_hook_list ipe_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
@@ -46,6 +56,9 @@ static struct security_hook_list ipe_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security),
LSM_HOOK_INIT(bdev_setintegrity, ipe_bdev_setintegrity),
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+ LSM_HOOK_INIT(inode_setintegrity, ipe_inode_setintegrity),
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
};
/**
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
index 01f46286e383..fb37513812dd 100644
--- a/security/ipe/ipe.h
+++ b/security/ipe/ipe.h
@@ -19,5 +19,8 @@ extern bool ipe_enabled;
#ifdef CONFIG_IPE_PROP_DM_VERITY
struct ipe_bdev *ipe_bdev(struct block_device *b);
#endif /* CONFIG_IPE_PROP_DM_VERITY */
+#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
+struct ipe_inode *ipe_inode(const struct inode *inode);
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
#endif /* _IPE_H */
diff --git a/security/ipe/policy.h b/security/ipe/policy.h
index 26776092c710..5bfbdbddeef8 100644
--- a/security/ipe/policy.h
+++ b/security/ipe/policy.h
@@ -36,6 +36,9 @@ enum ipe_prop_type {
IPE_PROP_DMV_ROOTHASH,
IPE_PROP_DMV_SIG_FALSE,
IPE_PROP_DMV_SIG_TRUE,
+ IPE_PROP_FSV_DIGEST,
+ IPE_PROP_FSV_SIG_FALSE,
+ IPE_PROP_FSV_SIG_TRUE,
__IPE_PROP_MAX
};
diff --git a/security/ipe/policy_parser.c b/security/ipe/policy_parser.c
index c3b7639df532..7f27e39931d6 100644
--- a/security/ipe/policy_parser.c
+++ b/security/ipe/policy_parser.c
@@ -278,6 +278,9 @@ static const match_table_t property_tokens = {
{IPE_PROP_DMV_ROOTHASH, "dmverity_roothash=%s"},
{IPE_PROP_DMV_SIG_FALSE, "dmverity_signature=FALSE"},
{IPE_PROP_DMV_SIG_TRUE, "dmverity_signature=TRUE"},
+ {IPE_PROP_FSV_DIGEST, "fsverity_digest=%s"},
+ {IPE_PROP_FSV_SIG_FALSE, "fsverity_signature=FALSE"},
+ {IPE_PROP_FSV_SIG_TRUE, "fsverity_signature=TRUE"},
{IPE_PROP_INVALID, NULL}
};
@@ -310,6 +313,7 @@ static int parse_property(char *t, struct ipe_rule *r)
switch (token) {
case IPE_PROP_DMV_ROOTHASH:
+ case IPE_PROP_FSV_DIGEST:
dup = match_strdup(&args[0]);
if (!dup) {
rc = -ENOMEM;
@@ -325,6 +329,8 @@ static int parse_property(char *t, struct ipe_rule *r)
case IPE_PROP_BOOT_VERIFIED_TRUE:
case IPE_PROP_DMV_SIG_FALSE:
case IPE_PROP_DMV_SIG_TRUE:
+ case IPE_PROP_FSV_SIG_FALSE:
+ case IPE_PROP_FSV_SIG_TRUE:
p->type = token;
break;
default: