ipe: add permissive toggle (a68916ea) · Commits · git / linux-net

security/ipe/audit.c

+25 −2

Original line number	Diff line number	Diff line
		@@ -97,8 +97,8 @@ void ipe_audit_match(const struct ipe_eval_ctx *const ctx,
		if (!ab)
		return;

		audit_log_format(ab, "ipe_op=%s ipe_hook=%s pid=%d comm=",
		op, audit_hook_names[ctx->hook],
		audit_log_format(ab, "ipe_op=%s ipe_hook=%s enforcing=%d pid=%d comm=",
		op, audit_hook_names[ctx->hook], READ_ONCE(enforce),
		task_tgid_nr(current));
		audit_log_untrustedstring(ab, get_task_comm(comm, current));

		@@ -225,3 +225,26 @@ void ipe_audit_policy_load(const struct ipe_policy *const p)

		audit_log_end(ab);
		}

		/**
		* ipe_audit_enforce() - Audit a change in IPE's enforcement state.
		* @new_enforce: The new value enforce to be set.
		* @old_enforce: The old value currently in enforce.
		*/
		void ipe_audit_enforce(bool new_enforce, bool old_enforce)
		{
		struct audit_buffer *ab;

		ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS);
		if (!ab)
		return;

		audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
		"enforcing=%d old_enforcing=%d auid=%u ses=%u"
		" enabled=1 old-enabled=1 lsm=ipe res=1",
		new_enforce, old_enforce,
		from_kuid(&init_user_ns, audit_get_loginuid(current)),
		audit_get_sessionid(current));

		audit_log_end(ab);
		}

security/ipe/audit.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -14,5 +14,6 @@ void ipe_audit_match(const struct ipe_eval_ctx *const ctx,
		void ipe_audit_policy_load(const struct ipe_policy *const p);
		void ipe_audit_policy_activation(const struct ipe_policy *const op,
		const struct ipe_policy *const np);
		void ipe_audit_enforce(bool new_enforce, bool old_enforce);

		#endif /* _IPE_AUDIT_H */

security/ipe/eval.c

+9 −2

Original line number	Diff line number	Diff line
		@@ -18,6 +18,7 @@

		struct ipe_policy __rcu *ipe_active_policy;
		bool success_audit;
		bool enforce = true;

		#define FILE_SUPERBLOCK(f) ((f)->f_path.mnt->mnt_sb)

		@@ -108,6 +109,7 @@ int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx)
		enum ipe_action_type action;
		enum ipe_match match_type;
		bool match = false;
		int rc = 0;

		rcu_read_lock();

		@@ -159,9 +161,12 @@ int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx)
		rcu_read_unlock();

		if (action == IPE_ACTION_DENY)
		return -EACCES;
		rc = -EACCES;

		return 0;
		if (!READ_ONCE(enforce))
		rc = 0;

		return rc;
		}

		/* Set the right module name */
		@@ -172,3 +177,5 @@ int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx)

		module_param(success_audit, bool, 0400);
		MODULE_PARM_DESC(success_audit, "Start IPE with success auditing enabled");
		module_param(enforce, bool, 0400);
		MODULE_PARM_DESC(enforce, "Start IPE in enforce or permissive mode");

security/ipe/eval.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -16,6 +16,7 @@

		extern struct ipe_policy __rcu *ipe_active_policy;
		extern bool success_audit;
		extern bool enforce;

		struct ipe_superblock {
		bool initramfs;

security/ipe/fs.c

+66 −0

Original line number	Diff line number	Diff line
		@@ -16,6 +16,7 @@ static struct dentry *np __ro_after_init;
		static struct dentry *root __ro_after_init;
		struct dentry *policy_root __ro_after_init;
		static struct dentry *audit_node __ro_after_init;
		static struct dentry *enforce_node __ro_after_init;

		/**
		* setaudit() - Write handler for the securityfs node, "ipe/success_audit"
		@@ -65,6 +66,58 @@ static ssize_t getaudit(struct file f, char __user data,
		return simple_read_from_buffer(data, len, offset, result, 1);
		}

		/**
		* setenforce() - Write handler for the securityfs node, "ipe/enforce"
		* @f: Supplies a file structure representing the securityfs node.
		* @data: Supplies a buffer passed to the write syscall.
		* @len: Supplies the length of @data.
		* @offset: unused.
		*
		* Return:
		* * Length of buffer written - Success
		* * %-EPERM - Insufficient permission
		*/
		static ssize_t setenforce(struct file f, const char __user data,
		size_t len, loff_t *offset)
		{
		int rc = 0;
		bool new_value, old_value;

		if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
		return -EPERM;

		old_value = READ_ONCE(enforce);
		rc = kstrtobool_from_user(data, len, &new_value);
		if (rc)
		return rc;

		if (new_value != old_value) {
		ipe_audit_enforce(new_value, old_value);
		WRITE_ONCE(enforce, new_value);
		}

		return len;
		}

		/**
		* getenforce() - Read handler for the securityfs node, "ipe/enforce"
		* @f: Supplies a file structure representing the securityfs node.
		* @data: Supplies a buffer passed to the read syscall.
		* @len: Supplies the length of @data.
		* @offset: unused.
		*
		* Return: Length of buffer written
		*/
		static ssize_t getenforce(struct file f, char __user data,
		size_t len, loff_t *offset)
		{
		const char *result;

		result = ((READ_ONCE(enforce)) ? "1" : "0");

		return simple_read_from_buffer(data, len, offset, result, 1);
		}

		/**
		* new_policy() - Write handler for the securityfs node, "ipe/new_policy".
		* @f: Supplies a file structure representing the securityfs node.
		@@ -123,6 +176,11 @@ static const struct file_operations audit_fops = {
		.read = getaudit,
		};

		static const struct file_operations enforce_fops = {
		.write = setenforce,
		.read = getenforce,
		};

		/**
		* ipe_init_securityfs() - Initialize IPE's securityfs tree at fsinit.
		*
		@@ -149,6 +207,13 @@ static int __init ipe_init_securityfs(void)
		goto err;
		}

		enforce_node = securityfs_create_file("enforce", 0600, root, NULL,
		&enforce_fops);
		if (IS_ERR(enforce_node)) {
		rc = PTR_ERR(enforce_node);
		goto err;
		}

		policy_root = securityfs_create_dir("policies", root);
		if (IS_ERR(policy_root)) {
		rc = PTR_ERR(policy_root);
		@@ -165,6 +230,7 @@ static int __init ipe_init_securityfs(void)
		err:
		securityfs_remove(np);
		securityfs_remove(policy_root);
		securityfs_remove(enforce_node);
		securityfs_remove(audit_node);
		securityfs_remove(root);
		return rc;