// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
 */

/*
 * securityfs front end for IPE.
 *
 * This file builds the "ipe/" securityfs tree and provides the read/write
 * handlers for its nodes ("ipe/success_audit", "ipe/enforce",
 * "ipe/new_policy"; see the kernel-doc on each handler below). Every
 * dentry pointer kept here is marked __ro_after_init, so once the
 * fs_initcall() at the bottom of the file has run these pointers are
 * write-protected for the rest of the kernel's lifetime.
 *
 * Function bodies and the file_operations initializers are not shown in
 * this listing ("{ … }" / "= …"); the notes below describe only what the
 * declarations and kernel-doc establish.
 */
#include <linux/dcache.h>
#include <linux/security.h>
#include "ipe.h"
#include "fs.h"
#include "eval.h"
#include "policy.h"
#include "audit.h"

/*
 * Dentries for the securityfs nodes. Which node each pointer backs is
 * inferred from its name and the matching *_fops below — TODO confirm
 * against ipe_init_securityfs(), whose body is not visible here.
 */
static struct dentry *np __ro_after_init;		/* presumably "ipe/new_policy" (np_fops) */
static struct dentry *root __ro_after_init;		/* presumably the "ipe/" directory itself */
/* External linkage (no static): shared with other IPE compilation units,
 * presumably via "fs.h" — the consumer is not visible in this file. */
struct dentry *policy_root __ro_after_init;
static struct dentry *audit_node __ro_after_init;	/* presumably "ipe/success_audit" (audit_fops) */
static struct dentry *enforce_node __ro_after_init;	/* presumably "ipe/enforce" (enforce_fops) */

/**
 * setaudit() - Write handler for the securityfs node, "ipe/success_audit"
 * @f: Supplies a file structure representing the securityfs node.
 * @data: Supplies a buffer passed to the write syscall.
 * @len: Supplies the length of @data.
 * @offset: unused.
 *
 * NOTE(review): the documented %-EPERM return implies a privilege check
 * before the audit setting is changed; the check itself lives in the body,
 * which is not shown here — confirm it precedes any state change.
 *
 * Return:
 * * Length of buffer written	- Success
 * * %-EPERM			- Insufficient permission
 */
static ssize_t setaudit(struct file *f, const char __user *data,
			size_t len, loff_t *offset)
{ … }

/**
 * getaudit() - Read handler for the securityfs node, "ipe/success_audit"
 * @f: Supplies a file structure representing the securityfs node.
 * @data: Supplies a buffer passed to the read syscall.
 * @len: Supplies the length of @data.
 * @offset: unused.
 *
 * Return: Length of buffer written
 */
static ssize_t getaudit(struct file *f, char __user *data,
			size_t len, loff_t *offset)
{ … }

/**
 * setenforce() - Write handler for the securityfs node, "ipe/enforce"
 * @f: Supplies a file structure representing the securityfs node.
 * @data: Supplies a buffer passed to the write syscall.
 * @len: Supplies the length of @data.
 * @offset: unused.
 *
 * NOTE(review): as with setaudit(), the %-EPERM return documents a
 * privilege check that is performed in the (unshown) body.
 *
 * Return:
 * * Length of buffer written	- Success
 * * %-EPERM			- Insufficient permission
 */
static ssize_t setenforce(struct file *f, const char __user *data,
			  size_t len, loff_t *offset)
{ … }

/**
 * getenforce() - Read handler for the securityfs node, "ipe/enforce"
 * @f: Supplies a file structure representing the securityfs node.
 * @data: Supplies a buffer passed to the read syscall.
 * @len: Supplies the length of @data.
 * @offset: unused.
 *
 * Return: Length of buffer written
 */
static ssize_t getenforce(struct file *f, char __user *data,
			  size_t len, loff_t *offset)
{ … }

/**
 * new_policy() - Write handler for the securityfs node, "ipe/new_policy".
 * @f: Supplies a file structure representing the securityfs node.
 * @data: Supplies a buffer passed to the write syscall.
 * @len: Supplies the length of @data.
 * @offset: unused.
 *
 * @data is user-supplied policy text (it is a __user pointer and the
 * documented errors cover invalid policy, version parsing/overflow and
 * duplicate names), so the body must copy it in with a bounded @len and
 * validate it before anything is deployed — the parsing and the %-EPERM
 * privilege check are not visible in this listing.
 *
 * Return:
 * * Length of buffer written	- Success
 * * %-EPERM			- Insufficient permission
 * * %-ENOMEM			- Out of memory (OOM)
 * * %-EBADMSG			- Policy is invalid
 * * %-ERANGE			- Policy version number overflow
 * * %-EINVAL			- Policy version parsing error
 * * %-EEXIST			- Same name policy already deployed
 */
static ssize_t new_policy(struct file *f, const char __user *data,
			  size_t len, loff_t *offset)
{ … }

/*
 * file_operations for the three nodes. The initializers are not shown in
 * this listing; by name they are expected to wire new_policy(),
 * getaudit()/setaudit() and getenforce()/setenforce() respectively —
 * TODO confirm against the full file.
 */
static const struct file_operations np_fops = …;
static const struct file_operations audit_fops = …;
static const struct file_operations enforce_fops = …;

/**
 * ipe_init_securityfs() - Initialize IPE's securityfs tree at fsinit.
 *
 * Presumably assigns the dentry pointers declared at the top of this file;
 * after this initcall completes they are read-only (__ro_after_init).
 *
 * Return: %0 on success. If an error occurs, the function will return
 * the -errno.
 */
static int __init ipe_init_securityfs(void)
{ … }

/* Registered at the fs initcall level so the tree exists early in boot. */
fs_initcall(ipe_init_securityfs);