RD_Software
/
ark1668ed-bsp


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393
							// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
 */

#include <linux/fs.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/file.h>
#include <linux/sched.h>
#include <linux/rcupdate.h>
#include <linux/moduleparam.h>
#include <linux/fsverity.h>

#include "ipe.h"
#include "eval.h"
#include "policy.h"
#include "audit.h"
#include "digest.h"

struct ipe_policy __rcu *ipe_active_policy;
bool success_audit;
bool enforce = true;
#define INO_BLOCK_DEV(ino) ((ino)->i_sb->s_bdev)

#define FILE_SUPERBLOCK(f) ((f)->f_path.mnt->mnt_sb)

/**
 * build_ipe_sb_ctx() - Build initramfs field of an ipe evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @file: Supplies the file struct of the file triggered IPE event.
 */
static void build_ipe_sb_ctx(struct ipe_eval_ctx *ctx, const struct file *const file)
{
	ctx->initramfs = ipe_sb(FILE_SUPERBLOCK(file))->initramfs;
}

#ifdef CONFIG_IPE_PROP_DM_VERITY
/**
 * build_ipe_bdev_ctx() - Build ipe_bdev field of an evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @ino: Supplies the inode struct of the file triggered IPE event.
 */
static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
	if (INO_BLOCK_DEV(ino))
		ctx->ipe_bdev = ipe_bdev(INO_BLOCK_DEV(ino));
}
#else
static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */

#ifdef CONFIG_IPE_PROP_FS_VERITY
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
static void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx,
				     const struct inode *const ino)
{
	ctx->ipe_inode = ipe_inode(ctx->ino);
}
#else
static inline void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx,
					    const struct inode *const ino)
{
}
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */

/**
 * build_ipe_inode_ctx() - Build inode fields of an evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @ino: Supplies the inode struct of the file triggered IPE event.
 */
static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
	ctx->ino = ino;
	build_ipe_inode_blob_ctx(ctx, ino);
}
#else
static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)
{
}
#endif /* CONFIG_IPE_PROP_FS_VERITY */

/**
 * ipe_build_eval_ctx() - Build an ipe evaluation context.
 * @ctx: Supplies a pointer to the context to be populated.
 * @file: Supplies a pointer to the file to associated with the evaluation.
 * @op: Supplies the IPE policy operation associated with the evaluation.
 * @hook: Supplies the LSM hook associated with the evaluation.
 */
void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx,
			const struct file *file,
			enum ipe_op_type op,
			enum ipe_hook_type hook)
{
	struct inode *ino;

	ctx->file = file;
	ctx->op = op;
	ctx->hook = hook;

	if (file) {
		build_ipe_sb_ctx(ctx, file);
		ino = d_real_inode(file->f_path.dentry);
		build_ipe_bdev_ctx(ctx, ino);
		build_ipe_inode_ctx(ctx, ino);
	}
}

/**
 * evaluate_boot_verified() - Evaluate @ctx for the boot verified property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true	- The current @ctx match the @p
 * * %false	- The current @ctx doesn't match the @p
 */
static bool evaluate_boot_verified(const struct ipe_eval_ctx *const ctx)
{
	return ctx->initramfs;
}

#ifdef CONFIG_IPE_PROP_DM_VERITY
/**
 * evaluate_dmv_roothash() - Evaluate @ctx against a dmv roothash property.
 * @ctx: Supplies a pointer to the context being evaluated.
 * @p: Supplies a pointer to the property being evaluated.
 *
 * Return:
 * * %true	- The current @ctx match the @p
 * * %false	- The current @ctx doesn't match the @p
 */
static bool evaluate_dmv_roothash(const struct ipe_eval_ctx *const ctx,
				  struct ipe_prop *p)
{
	return !!ctx->ipe_bdev &&
	       !!ctx->ipe_bdev->root_hash &&
	       ipe_digest_eval(p->value,
			       ctx->ipe_bdev->root_hash);
}
#else
static bool evaluate_dmv_roothash(const struct ipe_eval_ctx *const ctx,
				  struct ipe_prop *p)
{
	return false;
}
#endif /* CONFIG_IPE_PROP_DM_VERITY */

#ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
/**
 * evaluate_dmv_sig_false() - Evaluate @ctx against a dmv sig false property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true	- The current @ctx match the property
 * * %false	- The current @ctx doesn't match the property
 */
static bool evaluate_dmv_sig_false(const struct ipe_eval_ctx *const ctx)
{
	return !ctx->ipe_bdev || (!ctx->ipe_bdev->dm_verity_signed);
}

/**
 * evaluate_dmv_sig_true() - Evaluate @ctx against a dmv sig true property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true	- The current @ctx match the property
 * * %false	- The current @ctx doesn't match the property
 */
static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx)
{
	return !evaluate_dmv_sig_false(ctx);
}
#else
static bool evaluate_dmv_sig_false(const struct ipe_eval_ctx *const ctx)
{
	return false;
}

static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx)
{
	return false;
}
#endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */

#ifdef CONFIG_IPE_PROP_FS_VERITY
/**
 * evaluate_fsv_digest() - Evaluate @ctx against a fsv digest property.
 * @ctx: Supplies a pointer to the context being evaluated.
 * @p: Supplies a pointer to the property being evaluated.
 *
 * Return:
 * * %true	- The current @ctx match the @p
 * * %false	- The current @ctx doesn't match the @p
 */
static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx,
				struct ipe_prop *p)
{
	enum hash_algo alg;
	u8 digest[FS_VERITY_MAX_DIGEST_SIZE];
	struct digest_info info;

	if (!ctx->ino)
		return false;
	if (!fsverity_get_digest((struct inode *)ctx->ino,
				 digest,
				 NULL,
				 &alg))
		return false;

	info.alg = hash_algo_name[alg];
	info.digest = digest;
	info.digest_len = hash_digest_size[alg];

	return ipe_digest_eval(p->value, &info);
}
#else
static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx,
				struct ipe_prop *p)
{
	return false;
}
#endif /* CONFIG_IPE_PROP_FS_VERITY */

#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
/**
 * evaluate_fsv_sig_false() - Evaluate @ctx against a fsv sig false property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true	- The current @ctx match the property
 * * %false	- The current @ctx doesn't match the property
 */
static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx)
{
	return !ctx->ino ||
	       !IS_VERITY(ctx->ino) ||
	       !ctx->ipe_inode ||
	       !ctx->ipe_inode->fs_verity_signed;
}

/**
 * evaluate_fsv_sig_true() - Evaluate @ctx against a fsv sig true property.
 * @ctx: Supplies a pointer to the context being evaluated.
 *
 * Return:
 * * %true - The current @ctx match the property
 * * %false - The current @ctx doesn't match the property
 */
static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx)
{
	return !evaluate_fsv_sig_false(ctx);
}
#else
static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx)
{
	return false;
}

static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx)
{
	return false;
}
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */

/**
 * evaluate_property() - Analyze @ctx against a rule property.
 * @ctx: Supplies a pointer to the context to be evaluated.
 * @p: Supplies a pointer to the property to be evaluated.
 *
 * This function Determines whether the specified @ctx
 * matches the conditions defined by a rule property @p.
 *
 * Return:
 * * %true	- The current @ctx match the @p
 * * %false	- The current @ctx doesn't match the @p
 */
static bool evaluate_property(const struct ipe_eval_ctx *const ctx,
			      struct ipe_prop *p)
{
	switch (p->type) {
	case IPE_PROP_BOOT_VERIFIED_FALSE:
		return !evaluate_boot_verified(ctx);
	case IPE_PROP_BOOT_VERIFIED_TRUE:
		return evaluate_boot_verified(ctx);
	case IPE_PROP_DMV_ROOTHASH:
		return evaluate_dmv_roothash(ctx, p);
	case IPE_PROP_DMV_SIG_FALSE:
		return evaluate_dmv_sig_false(ctx);
	case IPE_PROP_DMV_SIG_TRUE:
		return evaluate_dmv_sig_true(ctx);
	case IPE_PROP_FSV_DIGEST:
		return evaluate_fsv_digest(ctx, p);
	case IPE_PROP_FSV_SIG_FALSE:
		return evaluate_fsv_sig_false(ctx);
	case IPE_PROP_FSV_SIG_TRUE:
		return evaluate_fsv_sig_true(ctx);
	default:
		return false;
	}
}

/**
 * ipe_evaluate_event() - Analyze @ctx against the current active policy.
 * @ctx: Supplies a pointer to the context to be evaluated.
 *
 * This is the loop where all policy evaluations happen against the IPE policy.
 *
 * Return:
 * * %0		- Success
 * * %-EACCES	- @ctx did not pass evaluation
 */
int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx)
{
	const struct ipe_op_table *rules = NULL;
	const struct ipe_rule *rule = NULL;
	struct ipe_policy *pol = NULL;
	struct ipe_prop *prop = NULL;
	enum ipe_action_type action;
	enum ipe_match match_type;
	bool match = false;
	int rc = 0;

	rcu_read_lock();

	pol = rcu_dereference(ipe_active_policy);
	if (!pol) {
		rcu_read_unlock();
		return 0;
	}

	if (ctx->op == IPE_OP_INVALID) {
		if (pol->parsed->global_default_action == IPE_ACTION_INVALID) {
			WARN(1, "no default rule set for unknown op, ALLOW it");
			action = IPE_ACTION_ALLOW;
		} else {
			action = pol->parsed->global_default_action;
		}
		match_type = IPE_MATCH_GLOBAL;
		goto eval;
	}

	rules = &pol->parsed->rules[ctx->op];

	list_for_each_entry(rule, &rules->rules, next) {
		match = true;

		list_for_each_entry(prop, &rule->props, next) {
			match = evaluate_property(ctx, prop);
			if (!match)
				break;
		}

		if (match)
			break;
	}

	if (match) {
		action = rule->action;
		match_type = IPE_MATCH_RULE;
	} else if (rules->default_action != IPE_ACTION_INVALID) {
		action = rules->default_action;
		match_type = IPE_MATCH_TABLE;
	} else {
		action = pol->parsed->global_default_action;
		match_type = IPE_MATCH_GLOBAL;
	}

eval:
	ipe_audit_match(ctx, match_type, action, rule);
	rcu_read_unlock();

	if (action == IPE_ACTION_DENY)
		rc = -EACCES;

	if (!READ_ONCE(enforce))
		rc = 0;

	return rc;
}

/* Set the right module name */
#ifdef KBUILD_MODNAME
#undef KBUILD_MODNAME
#define KBUILD_MODNAME "ipe"
#endif

module_param(success_audit, bool, 0400);
MODULE_PARM_DESC(success_audit, "Start IPE with success auditing enabled");
module_param(enforce, bool, 0400);
MODULE_PARM_DESC(enforce, "Start IPE in enforce or permissive mode");