lsm: add IPE lsm
authorDeven Bowers <deven.desai@linux.microsoft.com>
Sat, 3 Aug 2024 06:08:15 +0000 (23:08 -0700)
committerPaul Moore <paul@paul-moore.com>
Tue, 20 Aug 2024 02:36:26 +0000 (22:36 -0400)
Integrity Policy Enforcement (IPE) is an LSM that provides a
complementary approach to Mandatory Access Control compared to the
existing LSMs today.

Existing LSMs have centered around the concept of access to a resource
should be controlled by the current user's credentials. IPE's approach,
is that access to a resource should be controlled by the system's trust
of a current resource.

The basis of this approach is defining a global policy to specify which
resource can be trusted.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
include/uapi/linux/lsm.h
security/Kconfig
security/Makefile
security/ipe/Kconfig [new file with mode: 0644]
security/ipe/Makefile [new file with mode: 0644]
security/ipe/ipe.c [new file with mode: 0644]
security/ipe/ipe.h [new file with mode: 0644]
security/security.c
tools/testing/selftests/lsm/lsm_list_modules_test.c

index 33d8c9f4aa6b7fc91249d9df7589da8afa4bcd79..938593dfd5daf46e81011e1e69845c10bd89bc1b 100644 (file)
@@ -64,6 +64,7 @@ struct lsm_ctx {
 #define LSM_ID_LANDLOCK                110
 #define LSM_ID_IMA             111
 #define LSM_ID_EVM             112
+#define LSM_ID_IPE             113
 
 /*
  * LSM_ATTR_XXX definitions identify different LSM attributes
index 412e76f1575d0db570027bdfdcafedd0029a5c62..9fb8f9b149725c05fdcbb8f8311aaa41f59c3ee2 100644 (file)
@@ -192,6 +192,7 @@ source "security/yama/Kconfig"
 source "security/safesetid/Kconfig"
 source "security/lockdown/Kconfig"
 source "security/landlock/Kconfig"
+source "security/ipe/Kconfig"
 
 source "security/integrity/Kconfig"
 
@@ -231,11 +232,11 @@ endchoice
 
 config LSM
        string "Ordered list of enabled LSMs"
-       default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
-       default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
-       default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
-       default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
-       default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
+       default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
+       default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
+       default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
+       default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
+       default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
        help
          A comma-separated list of LSMs, in initialization order.
          Any LSMs left off this list, except for those with order
index 59f23849066500bc45a2ce064320035ae6ddb486..cc0982214b84ccc3924f9e562d60596833321604 100644 (file)
@@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)   += lockdown/
 obj-$(CONFIG_CGROUPS)                  += device_cgroup.o
 obj-$(CONFIG_BPF_LSM)                  += bpf/
 obj-$(CONFIG_SECURITY_LANDLOCK)                += landlock/
+obj-$(CONFIG_SECURITY_IPE)             += ipe/
 
 # Object integrity file lists
 obj-$(CONFIG_INTEGRITY)                        += integrity/
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644 (file)
index 0000000..e4875fb
--- /dev/null
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+       bool "Integrity Policy Enforcement (IPE)"
+       depends on SECURITY && SECURITYFS
+       select PKCS7_MESSAGE_PARSER
+       select SYSTEM_DATA_VERIFICATION
+       help
+         This option enables the Integrity Policy Enforcement LSM
+         allowing users to define a policy to enforce a trust-based access
+         control. A key feature of IPE is a customizable policy to allow
+         admins to reconfigure trust requirements on the fly.
+
+         If unsure, answer N.
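Review bot: The two `select` lines (`PKCS7_MESSAGE_PARSER`, `SYSTEM_DATA_VERIFICATION`) pull the PKCS#7 parser and the system-keyring verification code into every IPE build, but nothing in this commit's `ipe.c` references either, so presumably a later change in the series needs them. A one-line `#` comment above the selects naming the IPE feature that depends on them would keep a reader from treating them as stale dependencies when auditing the build configuration. If the intent is that IPE is unusable without them, the help text could also say so in one sentence.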
diff --git a/security/ipe/Makefile b/security/ipe/Makefile
new file mode 100644 (file)
index 0000000..5486398
--- /dev/null
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
+#
+# Makefile for building the IPE module as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_IPE) += \
+       ipe.o \
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
new file mode 100644 (file)
index 0000000..8d4ea37
--- /dev/null
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
+ */
+#include <uapi/linux/lsm.h>
+
+#include "ipe.h"
+
+static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
+};
+
+static const struct lsm_id ipe_lsmid = {
+       .name = "ipe",
+       .id = LSM_ID_IPE,
+};
+
+static struct security_hook_list ipe_hooks[] __ro_after_init = {
+};
+
+/**
+ * ipe_init() - Entry point of IPE.
+ *
+ * This is called at LSM init, which happens occurs early during kernel
+ * start up. During this phase, IPE registers its hooks and loads the
+ * builtin boot policy.
+ *
+ * Return:
+ * * %0                - OK
+ * * %-ENOMEM  - Out of memory (OOM)
+ */
+static int __init ipe_init(void)
+{
+       security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
+
+       return 0;
+}
+
+DEFINE_LSM(ipe) = {
+       .name = "ipe",
+       .init = ipe_init,
+       .blobs = &ipe_blobs,
+};
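Review bot: The kernel-doc on `ipe_init()` describes behaviour the function does not have: it says IPE "loads the builtin boot policy" and lists `%-ENOMEM` as a return value, but the body only calls `security_add_hooks()` and unconditionally returns 0, and the empty `ipe_hooks[]` and `ipe_blobs` mean nothing is registered or allocated yet. Either trim the comment to what this commit does (register the LSM with no hooks) or state that policy loading and the error path arrive in a later change; the sentence `which happens occurs early` also has one verb too many. As written, someone auditing the init path for failure handling would go looking for an allocation that is not there. The string `"ipe"` is also spelled out twice, in `ipe_lsmid.name` and in `DEFINE_LSM(ipe).name`; one shared macro would keep the two from drifting.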
diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
new file mode 100644 (file)
index 0000000..adc3c45
--- /dev/null
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef _IPE_H
+#define _IPE_H
+
+#ifdef pr_fmt
+#undef pr_fmt
+#endif
+#define pr_fmt(fmt) "ipe: " fmt
+
+#include <linux/lsm_hooks.h>
+
+#endif /* _IPE_H */
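Review bot: The `#ifdef pr_fmt` / `#undef pr_fmt` block silently replaces whatever `pr_fmt` a translation unit defined before including `"ipe.h"`, which runs against the usual kernel convention where the `.c` file sets `pr_fmt` once before its first include and headers never touch it. Presumably the undef is there so the header works regardless of include order (printk.h supplies a default `pr_fmt` when none is set); if so, a short comment stating that every IPE source is expected to log with the `"ipe: "` prefix and that the header overrides any earlier definition would make the intent explicit, e.g. `/* Force the "ipe: " log prefix for every file that includes this header. */`. Otherwise consider moving the define into `ipe.c` ahead of its includes.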
index 611d3c124ba6195c9d8740d1d8c34bcb9958c1ad..645a660320cbf89939a53a7dbc7145c373cefc8b 100644 (file)
@@ -53,7 +53,8 @@
        (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
        (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
        (IS_ENABLED(CONFIG_IMA) ? 1 : 0) + \
-       (IS_ENABLED(CONFIG_EVM) ? 1 : 0))
+       (IS_ENABLED(CONFIG_EVM) ? 1 : 0) + \
+       (IS_ENABLED(CONFIG_SECURITY_IPE) ? 1 : 0))
 
 /*
  * These are descriptions of the reasons that can be passed to the
index 06d24d4679a6a8dc5b70f9e86ec0dce3e1888542..1cc8a977c7119fc06983b618eb1b1f9f87f4923f 100644 (file)
@@ -128,6 +128,9 @@ TEST(correct_lsm_list_modules)
                case LSM_ID_EVM:
                        name = "evm";
                        break;
+               case LSM_ID_IPE:
+                       name = "ipe";
+                       break;
                default:
                        name = "INVALID";
                        break;