// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
 */
/*
 * IPE evaluation: build an evaluation context for a file and check it
 * against the active policy.  Each "evaluate_*" property helper has a
 * stub that returns false when the matching CONFIG_IPE_PROP_* option is
 * compiled out, so those properties can never match on such a kernel.
 */
#include <linux/fs.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/file.h>
#include <linux/sched.h>
#include <linux/rcupdate.h>
#include <linux/moduleparam.h>
#include <linux/fsverity.h>
#include "ipe.h"
#include "eval.h"
#include "policy.h"
#include "audit.h"
#include "digest.h"

/*
 * The currently active policy.  Annotated __rcu, so it must be
 * dereferenced through the RCU accessors inside an RCU read-side
 * critical section, never read directly.
 */
struct ipe_policy __rcu *ipe_active_policy;
/*
 * Whether successful evaluations are also audited.  File-scope object with
 * no initialiser, so it starts as false; exposed as a read-only module
 * parameter at the bottom of this file.
 */
bool success_audit;
/*
 * Whether a failed evaluation is enforced rather than only audited
 * (presumably; the decision itself is made in ipe_evaluate_event() -
 * confirm there).  Exposed as a read-only module parameter below.
 */
bool enforce = …;

/*
 * Lookup helpers for an inode's block device and a file's superblock
 * (from the names; expansions not shown here - confirm).
 */
#define INO_BLOCK_DEV(ino) …
#define FILE_SUPERBLOCK(f) …

/**
 * build_ipe_sb_ctx() - Build initramfs field of an ipe evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @file: Supplies the file struct of the file that triggered the IPE event.
 */
static void build_ipe_sb_ctx(struct ipe_eval_ctx *ctx, const struct file *const file)
{
	…
}

#ifdef CONFIG_IPE_PROP_DM_VERITY
/**
 * build_ipe_bdev_ctx() - Build ipe_bdev field of an evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @ino: Supplies the inode struct of the file that triggered the IPE event.
 */
static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
	…
}
#else
/* dm-verity support compiled out: the ipe_bdev field is left untouched. */
static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */

#ifdef CONFIG_IPE_PROP_FS_VERITY
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
/**
 * build_ipe_inode_blob_ctx() - Build the inode blob field of an evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @ino: Supplies the inode struct of the file that triggered the IPE event.
 *
 * Only compiled with CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG; otherwise the
 * inline stub below leaves @ctx untouched.
 */
static void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
	…
}
#else
/*
 * Built-in fs-verity signature support compiled out: nothing to populate.
 * Note this stub is "static inline" while the sibling stubs are plain
 * "static"; harmless, but inconsistent.
 */
static inline void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
}
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */

/**
 * build_ipe_inode_ctx() - Build inode fields of an evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @ino: Supplies the inode struct of the file that triggered the IPE event.
 */
static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
	…
}
#else
/* fs-verity support compiled out: the inode fields are left untouched. */
static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
}
#endif /* CONFIG_IPE_PROP_FS_VERITY */

/**
 * ipe_build_eval_ctx() - Build an ipe evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @file: Supplies a pointer to the file to be associated with the evaluation.
 * @op: Supplies the IPE policy operation associated with the evaluation.
 * @hook: Supplies the LSM hook associated with the evaluation.
 *
 * Presumably fans out to the build_ipe_*_ctx() helpers above; the stubs
 * for compiled-out properties leave their fields unset, so callers must
 * not read a field whose CONFIG_IPE_PROP_* option is disabled.
 */
void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx, const struct file *file, enum ipe_op_type op, enum ipe_hook_type hook)
{
	…
}

/**
 * evaluate_boot_verified() - Evaluate @ctx for the boot verified property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true - The current @ctx matches the property
 * * %false - The current @ctx doesn't match the property
 */
static bool evaluate_boot_verified(const struct ipe_eval_ctx *const ctx)
{
	…
}

#ifdef CONFIG_IPE_PROP_DM_VERITY
/**
 * evaluate_dmv_roothash() - Evaluate @ctx against a dmv roothash property.
 * @ctx: Supplies a pointer to the context being evaluated.
 * @p: Supplies a pointer to the property being evaluated.
 *
 * Return:
 * * %true - The current @ctx matches @p
 * * %false - The current @ctx doesn't match @p
 */
static bool evaluate_dmv_roothash(const struct ipe_eval_ctx *const ctx, struct ipe_prop *p)
{
	…
}
#else
/* dm-verity support compiled out: a roothash property never matches. */
static bool evaluate_dmv_roothash(const struct ipe_eval_ctx *const ctx, struct ipe_prop *p)
{
	return false;
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */

#ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
/**
 * evaluate_dmv_sig_false() - Evaluate @ctx against a dmv sig false property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true - The current @ctx matches the property
 * * %false - The current @ctx doesn't match the property
 */
static bool evaluate_dmv_sig_false(const struct ipe_eval_ctx *const ctx)
{
	…
}

/**
 * evaluate_dmv_sig_true() - Evaluate @ctx against a dmv sig true property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true - The current @ctx matches the property
 * * %false - The current @ctx doesn't match the property
 */
static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx)
{
	…
}
#else
/*
 * dm-verity signature support compiled out.  Both stubs return false, so
 * neither the "true" nor the "false" form of the property can match here:
 * a rule written with either form cannot apply on this kernel.  Presumably
 * intended (the policy parser may reject such properties up front) -
 * confirm rather than relying on the "false" form as a fallback.
 */
static bool evaluate_dmv_sig_false(const struct ipe_eval_ctx *const ctx)
{
	return false;
}

static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx)
{
	return false;
}
#endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */

#ifdef CONFIG_IPE_PROP_FS_VERITY
/**
 * evaluate_fsv_digest() - Evaluate @ctx against a fsv digest property.
 * @ctx: Supplies a pointer to the context being evaluated.
 * @p: Supplies a pointer to the property being evaluated.
 *
 * Return:
 * * %true - The current @ctx matches @p
 * * %false - The current @ctx doesn't match @p
 */
static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx, struct ipe_prop *p)
{
	…
}
#else
/* fs-verity support compiled out: a digest property never matches. */
static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx, struct ipe_prop *p)
{
	return false;
}
#endif /* CONFIG_IPE_PROP_FS_VERITY */

#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
/**
 * evaluate_fsv_sig_false() - Evaluate @ctx against a fsv sig false property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true - The current @ctx matches the property
 * * %false - The current @ctx doesn't match the property
 */
static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx)
{
	…
}

/**
 * evaluate_fsv_sig_true() - Evaluate @ctx against a fsv sig true property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true - The current @ctx matches the property
 * * %false - The current @ctx doesn't match the property
 */
static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx)
{
	…
}
#else
/*
 * Built-in fs-verity signature support compiled out.  As with the dm-verity
 * signature stubs above, both forms of the property return false and so
 * never match on this kernel.
 */
static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx)
{
	return false;
}

static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx)
{
	return false;
}
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */

/**
 * evaluate_property() - Analyze @ctx against a rule property.
 * @ctx: Supplies a pointer to the context to be evaluated.
 * @p: Supplies a pointer to the property to be evaluated.
 *
 * This function determines whether the specified @ctx
 * matches the conditions defined by a rule property @p, presumably by
 * dispatching on the property type to the evaluate_*() helpers above.
 *
 * Return:
 * * %true - The current @ctx matches @p
 * * %false - The current @ctx doesn't match @p
 */
static bool evaluate_property(const struct ipe_eval_ctx *const ctx, struct ipe_prop *p)
{
	…
}

/**
 * ipe_evaluate_event() - Analyze @ctx against the current active policy.
 * @ctx: Supplies a pointer to the context to be evaluated.
 *
 * This is the loop where all policy evaluations happen against the IPE policy.
 * The policy is reached through ipe_active_policy, which is __rcu and so must
 * be read under RCU protection.
 *
 * Return:
 * * %0 - Success
 * * %-EACCES - @ctx did not pass evaluation
 */
int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx)
{
	…
}

/*
 * Set the right module name.  Presumably so the module_param() entries
 * below are registered under the intended parameter namespace - confirm.
 */
#ifdef KBUILD_MODNAME
#undef KBUILD_MODNAME
#define KBUILD_MODNAME …
#endif

/*
 * Mode 0400: readable by the owner (root) via sysfs and not writable, so
 * neither flag can be changed at run time through the parameter interface;
 * only the boot-time value applies.
 */
module_param(success_audit, bool, 0400);
MODULE_PARM_DESC(…) …;

module_param(enforce, bool, 0400);
MODULE_PARM_DESC(…) …;