struct ipe_policy __rcu *ipe_active_policy;
+#define FILE_SUPERBLOCK(f) ((f)->f_path.mnt->mnt_sb)
+
+/**
+ * build_ipe_sb_ctx() - Build initramfs field of an ipe evaluation context.
+ * @ctx: Supplies a pointer to the context to be populated.
+ * @file: Supplies the file struct of the file triggered IPE event.
+ */
+static void build_ipe_sb_ctx(struct ipe_eval_ctx *ctx, const struct file *const file)
+{
+ ctx->initramfs = ipe_sb(FILE_SUPERBLOCK(file))->initramfs;
+}
+
/**
* ipe_build_eval_ctx() - Build an ipe evaluation context.
* @ctx: Supplies a pointer to the context to be populated.
{
ctx->file = file;
ctx->op = op;
+
+ if (file)
+ build_ipe_sb_ctx(ctx, file);
+}
+
+/**
+ * evaluate_boot_verified() - Evaluate @ctx for the boot verified property.
+ * @ctx: Supplies a pointer to the context being evaluated.
+ *
+ * Return:
+ * * %true - The current @ctx match the @p
+ * * %false - The current @ctx doesn't match the @p
+ */
+static bool evaluate_boot_verified(const struct ipe_eval_ctx *const ctx)
+{
+ return ctx->initramfs;
}
/**
* @ctx: Supplies a pointer to the context to be evaluated.
* @p: Supplies a pointer to the property to be evaluated.
*
- * This is a placeholder. The actual function will be introduced in the
- * latter commits.
+ * This function Determines whether the specified @ctx
+ * matches the conditions defined by a rule property @p.
*
* Return:
* * %true - The current @ctx match the @p
static bool evaluate_property(const struct ipe_eval_ctx *const ctx,
struct ipe_prop *p)
{
- return false;
+ switch (p->type) {
+ case IPE_PROP_BOOT_VERIFIED_FALSE:
+ return !evaluate_boot_verified(ctx);
+ case IPE_PROP_BOOT_VERIFIED_TRUE:
+ return evaluate_boot_verified(ctx);
+ default:
+ return false;
+ }
}
/**
extern struct ipe_policy __rcu *ipe_active_policy;
+struct ipe_superblock {
+ bool initramfs;
+};
+
struct ipe_eval_ctx {
enum ipe_op_type op;
const struct file *file;
+ bool initramfs;
};
void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx,
*/
#include <linux/fs.h>
+#include <linux/fs_struct.h>
#include <linux/types.h>
#include <linux/binfmts.h>
#include <linux/mman.h>
ipe_build_eval_ctx(&ctx, NULL, op);
return ipe_evaluate_event(&ctx);
}
+
+/**
+ * ipe_unpack_initramfs() - Mark the current rootfs as initramfs.
+ */
+void ipe_unpack_initramfs(void)
+{
+ ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true;
+}
int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents);
+void ipe_unpack_initramfs(void);
+
#endif /* _IPE_HOOKS_H */
#include <uapi/linux/lsm.h>
#include "ipe.h"
+#include "eval.h"
#include "hooks.h"
static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
+ .lbs_superblock = sizeof(struct ipe_superblock),
};
static const struct lsm_id ipe_lsmid = {
.id = LSM_ID_IPE,
};
+struct ipe_superblock *ipe_sb(const struct super_block *sb)
+{
+ return sb->s_security + ipe_blobs.lbs_superblock;
+}
+
static struct security_hook_list ipe_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),
LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data),
+ LSM_HOOK_INIT(initramfs_populated, ipe_unpack_initramfs),
};
/**
#define pr_fmt(fmt) "ipe: " fmt
#include <linux/lsm_hooks.h>
+struct ipe_superblock *ipe_sb(const struct super_block *sb);
#endif /* _IPE_H */
#define IPE_ACTION_INVALID __IPE_ACTION_MAX
enum ipe_prop_type {
+ IPE_PROP_BOOT_VERIFIED_FALSE,
+ IPE_PROP_BOOT_VERIFIED_TRUE,
__IPE_PROP_MAX
};
return match_token(t, action_tokens, args);
}
+static const match_table_t property_tokens = {
+ {IPE_PROP_BOOT_VERIFIED_FALSE, "boot_verified=FALSE"},
+ {IPE_PROP_BOOT_VERIFIED_TRUE, "boot_verified=TRUE"},
+ {IPE_PROP_INVALID, NULL}
+};
+
/**
* parse_property() - Parse a rule property given a token string.
* @t: Supplies the token string to be parsed.
* @r: Supplies the ipe_rule the parsed property will be associated with.
*
- * This is a placeholder. The actual function will be introduced in the
- * latter commits.
+ * This function parses and associates a property with an IPE rule based
+ * on a token string.
*
* Return:
* * %0 - Success
*/
static int parse_property(char *t, struct ipe_rule *r)
{
- return -EBADMSG;
+ substring_t args[MAX_OPT_ARGS];
+ struct ipe_prop *p = NULL;
+ int rc = 0;
+ int token;
+
+ p = kzalloc(sizeof(*p), GFP_KERNEL);
+ if (!p)
+ return -ENOMEM;
+
+ token = match_token(t, property_tokens, args);
+
+ switch (token) {
+ case IPE_PROP_BOOT_VERIFIED_FALSE:
+ case IPE_PROP_BOOT_VERIFIED_TRUE:
+ p->type = token;
+ break;
+ default:
+ rc = -EBADMSG;
+ break;
+ }
+ if (rc)
+ goto err;
+ list_add_tail(&p->next, &r->props);
+
+ return rc;
+err:
+ kfree(p);
+ return rc;
}
/**
projects / thirdparty / kernel / linux.git / commitdiff
