f5dafb8909
The header files eval.h is included twice in ipe.c, so one inclusion of each can be removed. Reported-by: Abaci Robot <abaci@linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=9796 Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
99 lines
2.6 KiB
C
99 lines
2.6 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
|
|
*/
|
|
#include <uapi/linux/lsm.h>
|
|
|
|
#include "ipe.h"
|
|
#include "eval.h"
|
|
#include "hooks.h"
|
|
|
|
extern const char *const ipe_boot_policy;
|
|
bool ipe_enabled;
|
|
|
|
static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
|
|
.lbs_superblock = sizeof(struct ipe_superblock),
|
|
#ifdef CONFIG_IPE_PROP_DM_VERITY
|
|
.lbs_bdev = sizeof(struct ipe_bdev),
|
|
#endif /* CONFIG_IPE_PROP_DM_VERITY */
|
|
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
|
|
.lbs_inode = sizeof(struct ipe_inode),
|
|
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
|
|
};
|
|
|
|
static const struct lsm_id ipe_lsmid = {
|
|
.name = "ipe",
|
|
.id = LSM_ID_IPE,
|
|
};
|
|
|
|
struct ipe_superblock *ipe_sb(const struct super_block *sb)
|
|
{
|
|
return sb->s_security + ipe_blobs.lbs_superblock;
|
|
}
|
|
|
|
#ifdef CONFIG_IPE_PROP_DM_VERITY
|
|
struct ipe_bdev *ipe_bdev(struct block_device *b)
|
|
{
|
|
return b->bd_security + ipe_blobs.lbs_bdev;
|
|
}
|
|
#endif /* CONFIG_IPE_PROP_DM_VERITY */
|
|
|
|
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
|
|
struct ipe_inode *ipe_inode(const struct inode *inode)
|
|
{
|
|
return inode->i_security + ipe_blobs.lbs_inode;
|
|
}
|
|
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
|
|
|
|
static struct security_hook_list ipe_hooks[] __ro_after_init = {
|
|
LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
|
|
LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
|
|
LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
|
|
LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),
|
|
LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data),
|
|
LSM_HOOK_INIT(initramfs_populated, ipe_unpack_initramfs),
|
|
#ifdef CONFIG_IPE_PROP_DM_VERITY
|
|
LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security),
|
|
LSM_HOOK_INIT(bdev_setintegrity, ipe_bdev_setintegrity),
|
|
#endif /* CONFIG_IPE_PROP_DM_VERITY */
|
|
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
|
|
LSM_HOOK_INIT(inode_setintegrity, ipe_inode_setintegrity),
|
|
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
|
|
};
|
|
|
|
/**
|
|
* ipe_init() - Entry point of IPE.
|
|
*
|
|
* This is called at LSM init, which happens occurs early during kernel
|
|
* start up. During this phase, IPE registers its hooks and loads the
|
|
* builtin boot policy.
|
|
*
|
|
* Return:
|
|
* * %0 - OK
|
|
* * %-ENOMEM - Out of memory (OOM)
|
|
*/
|
|
static int __init ipe_init(void)
|
|
{
|
|
struct ipe_policy *p = NULL;
|
|
|
|
security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
|
|
ipe_enabled = true;
|
|
|
|
if (ipe_boot_policy) {
|
|
p = ipe_new_policy(ipe_boot_policy, strlen(ipe_boot_policy),
|
|
NULL, 0);
|
|
if (IS_ERR(p))
|
|
return PTR_ERR(p);
|
|
|
|
rcu_assign_pointer(ipe_active_policy, p);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
DEFINE_LSM(ipe) = {
|
|
.name = "ipe",
|
|
.init = ipe_init,
|
|
.blobs = &ipe_blobs,
|
|
};
|