policy_fs.c source code [linux/security/ipe/policy_fs.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/*
3	* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
4	*/
5	#include <linux/fs.h>
6	#include <linux/namei.h>
7	#include <linux/types.h>
8	#include <linux/dcache.h>
9	#include <linux/security.h>
10
11	#include "ipe.h"
12	#include "policy.h"
13	#include "eval.h"
14	#include "fs.h"
15	#include "audit.h"
16
17	#define MAX_VERSION_SIZE ARRAY_SIZE("65535.65535.65535")
18
19	/**
20	* struct ipefs_file - defines a file in securityfs.
21	*
22	* @name: file name inside the policy subdirectory
23	* @access: file permissions
24	* @fops: &file_operations specific to this file
25	*/
26	struct ipefs_file {
27	const char *name;
28	umode_t access;
29	const struct file_operations *fops;
30	};
31
32	/**
33	* read_pkcs7() - Read handler for "ipe/policies/$name/pkcs7".
34	* @f: Supplies a file structure representing the securityfs node.
35	* @data: Supplies a buffer passed to the write syscall.
36	* @len: Supplies the length of @data.
37	* @offset: unused.
38	*
39	* @data will be populated with the pkcs7 blob representing the policy
40	* on success. If the policy is unsigned (like the boot policy), this
41	* will return -ENOENT.
42	*
43	* Return:
44	* * Length of buffer written - Success
45	* * %-ENOENT - Policy initializing/deleted or is unsigned
46	*/
47	static ssize_t read_pkcs7(struct file f, char* __user *data,
48	size_t len, loff_t *offset)
49	{
50	const struct ipe_policy *p = NULL;
51	struct inode *root = NULL;
52	int rc = `0`;
53
54	root = d_inode(dentry: f->f_path.dentry->d_parent);
55
56	inode_lock_shared(inode: root);
57	p = (struct ipe_policy *)root->i_private;
58	if (!p) {
59	rc = -ENOENT;
60	goto out;
61	}
62
63	if (!p->pkcs7) {
64	rc = -ENOENT;
65	goto out;
66	}
67
68	rc = simple_read_from_buffer(to: data, count: len, ppos: offset, from: p->pkcs7, available: p->pkcs7len);
69
70	out:
71	inode_unlock_shared(inode: root);
72
73	return rc;
74	}
75
76	/**
77	* read_policy() - Read handler for "ipe/policies/$name/policy".
78	* @f: Supplies a file structure representing the securityfs node.
79	* @data: Supplies a buffer passed to the write syscall.
80	* @len: Supplies the length of @data.
81	* @offset: unused.
82	*
83	* @data will be populated with the plain-text version of the policy
84	* on success.
85	*
86	* Return:
87	* * Length of buffer written - Success
88	* * %-ENOENT - Policy initializing/deleted
89	*/
90	static ssize_t read_policy(struct file f, char* __user *data,
91	size_t len, loff_t *offset)
92	{
93	const struct ipe_policy *p = NULL;
94	struct inode *root = NULL;
95	int rc = `0`;
96
97	root = d_inode(dentry: f->f_path.dentry->d_parent);
98
99	inode_lock_shared(inode: root);
100	p = (struct ipe_policy *)root->i_private;
101	if (!p) {
102	rc = -ENOENT;
103	goto out;
104	}
105
106	rc = simple_read_from_buffer(to: data, count: len, ppos: offset, from: p->text, available: p->textlen);
107
108	out:
109	inode_unlock_shared(inode: root);
110
111	return rc;
112	}
113
114	/**
115	* read_name() - Read handler for "ipe/policies/$name/name".
116	* @f: Supplies a file structure representing the securityfs node.
117	* @data: Supplies a buffer passed to the write syscall.
118	* @len: Supplies the length of @data.
119	* @offset: unused.
120	*
121	* @data will be populated with the policy_name attribute on success.
122	*
123	* Return:
124	* * Length of buffer written - Success
125	* * %-ENOENT - Policy initializing/deleted
126	*/
127	static ssize_t read_name(struct file f, char* __user *data,
128	size_t len, loff_t *offset)
129	{
130	const struct ipe_policy *p = NULL;
131	struct inode *root = NULL;
132	int rc = `0`;
133
134	root = d_inode(dentry: f->f_path.dentry->d_parent);
135
136	inode_lock_shared(inode: root);
137	p = (struct ipe_policy *)root->i_private;
138	if (!p) {
139	rc = -ENOENT;
140	goto out;
141	}
142
143	rc = simple_read_from_buffer(to: data, count: len, ppos: offset, from: p->parsed->name,
144	strlen(p->parsed->name));
145
146	out:
147	inode_unlock_shared(inode: root);
148
149	return rc;
150	}
151
152	/**
153	* read_version() - Read handler for "ipe/policies/$name/version".
154	* @f: Supplies a file structure representing the securityfs node.
155	* @data: Supplies a buffer passed to the write syscall.
156	* @len: Supplies the length of @data.
157	* @offset: unused.
158	*
159	* @data will be populated with the version string on success.
160	*
161	* Return:
162	* * Length of buffer written - Success
163	* * %-ENOENT - Policy initializing/deleted
164	*/
165	static ssize_t read_version(struct file f, char* __user *data,
166	size_t len, loff_t *offset)
167	{
168	char buffer[MAX_VERSION_SIZE] = { `0` };
169	const struct ipe_policy *p = NULL;
170	struct inode *root = NULL;
171	size_t strsize = `0`;
172	ssize_t rc = `0`;
173
174	root = d_inode(dentry: f->f_path.dentry->d_parent);
175
176	inode_lock_shared(inode: root);
177	p = (struct ipe_policy *)root->i_private;
178	if (!p) {
179	rc = -ENOENT;
180	goto out;
181	}
182
183	strsize = scnprintf(buf: buffer, ARRAY_SIZE(buffer), fmt: "%hu.%hu.%hu",
184	p->parsed->version.major, p->parsed->version.minor,
185	p->parsed->version.rev);
186
187	rc = simple_read_from_buffer(to: data, count: len, ppos: offset, from: buffer, available: strsize);
188
189	out:
190	inode_unlock_shared(inode: root);
191
192	return rc;
193	}
194
195	/**
196	* setactive() - Write handler for "ipe/policies/$name/active".
197	* @f: Supplies a file structure representing the securityfs node.
198	* @data: Supplies a buffer passed to the write syscall.
199	* @len: Supplies the length of @data.
200	* @offset: unused.
201	*
202	* Return:
203	* * Length of buffer written - Success
204	* * %-EPERM - Insufficient permission
205	* * %-EINVAL - Invalid input
206	* * %-ENOENT - Policy initializing/deleted
207	*/
208	static ssize_t setactive(struct file f, const* char __user *data,
209	size_t len, loff_t *offset)
210	{
211	const struct ipe_policy *p = NULL;
212	struct inode *root = NULL;
213	bool value = false;
214	int rc = `0`;
215
216	if (!file_ns_capable(file: f, ns: &init_user_ns, CAP_MAC_ADMIN))
217	return -EPERM;
218
219	rc = kstrtobool_from_user(s: data, count: len, res: &value);
220	if (rc)
221	return rc;
222
223	if (!value)
224	return -EINVAL;
225
226	root = d_inode(dentry: f->f_path.dentry->d_parent);
227	inode_lock(inode: root);
228
229	p = (struct ipe_policy *)root->i_private;
230	if (!p) {
231	rc = -ENOENT;
232	goto out;
233	}
234
235	rc = ipe_set_active_pol(p);
236
237	out:
238	inode_unlock(inode: root);
239	return (rc < `0`) ? rc : len;
240	}
241
242	/**
243	* getactive() - Read handler for "ipe/policies/$name/active".
244	* @f: Supplies a file structure representing the securityfs node.
245	* @data: Supplies a buffer passed to the write syscall.
246	* @len: Supplies the length of @data.
247	* @offset: unused.
248	*
249	* @data will be populated with the 1 or 0 depending on if the
250	* corresponding policy is active.
251	*
252	* Return:
253	* * Length of buffer written - Success
254	* * %-ENOENT - Policy initializing/deleted
255	*/
256	static ssize_t getactive(struct file f, char* __user *data,
257	size_t len, loff_t *offset)
258	{
259	const struct ipe_policy *p = NULL;
260	struct inode *root = NULL;
261	const char *str;
262	int rc = `0`;
263
264	root = d_inode(dentry: f->f_path.dentry->d_parent);
265
266	inode_lock_shared(inode: root);
267	p = (struct ipe_policy *)root->i_private;
268	if (!p) {
269	inode_unlock_shared(inode: root);
270	return -ENOENT;
271	}
272	inode_unlock_shared(inode: root);
273
274	str = (p == rcu_access_pointer(ipe_active_policy)) ? "1" : "0";
275	rc = simple_read_from_buffer(to: data, count: len, ppos: offset, from: str, available: `1`);
276
277	return rc;
278	}
279
280	/**
281	* update_policy() - Write handler for "ipe/policies/$name/update".
282	* @f: Supplies a file structure representing the securityfs node.
283	* @data: Supplies a buffer passed to the write syscall.
284	* @len: Supplies the length of @data.
285	* @offset: unused.
286	*
287	* On success this updates the policy represented by $name,
288	* in-place.
289	*
290	* Return:
291	* * Length of buffer written - Success
292	* * %-EPERM - Insufficient permission
293	* * %-ENOMEM - Out of memory (OOM)
294	* * %-ENOENT - Policy was deleted while updating
295	* * %-EINVAL - Policy name mismatch
296	* * %-ESTALE - Policy version too old
297	*/
298	static ssize_t update_policy(struct file f, const* char __user *data,
299	size_t len, loff_t *offset)
300	{
301	struct inode *root = NULL;
302	char *copy = NULL;
303	int rc = `0`;
304
305	if (!file_ns_capable(file: f, ns: &init_user_ns, CAP_MAC_ADMIN)) {
306	rc = -EPERM;
307	goto out;
308	}
309
310	copy = memdup_user(data, len);
311	if (IS_ERR(ptr: copy)) {
312	rc = PTR_ERR(ptr: copy);
313	copy = NULL;
314	goto out;
315	}
316
317	root = d_inode(dentry: f->f_path.dentry->d_parent);
318	inode_lock(inode: root);
319	rc = ipe_update_policy(root, NULL, textlen: `0`, pkcs7: copy, pkcs7len: len);
320	inode_unlock(inode: root);
321
322	out:
323	kfree(objp: copy);
324	if (rc) {
325	ipe_audit_policy_load(p: ERR_PTR(error: rc));
326	return rc;
327	}
328
329	return len;
330	}
331
332	/**
333	* delete_policy() - write handler for "ipe/policies/$name/delete".
334	* @f: Supplies a file structure representing the securityfs node.
335	* @data: Supplies a buffer passed to the write syscall.
336	* @len: Supplies the length of @data.
337	* @offset: unused.
338	*
339	* On success this deletes the policy represented by $name.
340	*
341	* Return:
342	* * Length of buffer written - Success
343	* * %-EPERM - Insufficient permission/deleting active policy
344	* * %-EINVAL - Invalid input
345	* * %-ENOENT - Policy initializing/deleted
346	*/
347	static ssize_t delete_policy(struct file f, const* char __user *data,
348	size_t len, loff_t *offset)
349	{
350	struct ipe_policy *ap = NULL;
351	struct ipe_policy *p = NULL;
352	struct inode *root = NULL;
353	bool value = false;
354	int rc = `0`;
355
356	if (!file_ns_capable(file: f, ns: &init_user_ns, CAP_MAC_ADMIN))
357	return -EPERM;
358
359	rc = kstrtobool_from_user(s: data, count: len, res: &value);
360	if (rc)
361	return rc;
362
363	if (!value)
364	return -EINVAL;
365
366	root = d_inode(dentry: f->f_path.dentry->d_parent);
367	inode_lock(inode: root);
368	p = (struct ipe_policy *)root->i_private;
369	if (!p) {
370	inode_unlock(inode: root);
371	return -ENOENT;
372	}
373
374	mutex_lock(&ipe_policy_lock);
375	ap = rcu_dereference_protected(ipe_active_policy,
376	lockdep_is_held(&ipe_policy_lock));
377	if (p == ap) {
378	mutex_unlock(lock: &ipe_policy_lock);
379	inode_unlock(inode: root);
380	return -EPERM;
381	}
382	mutex_unlock(lock: &ipe_policy_lock);
383
384	root->i_private = NULL;
385	inode_unlock(inode: root);
386
387	synchronize_rcu();
388	ipe_free_policy(pol: p);
389
390	return len;
391	}
392
393	static const struct file_operations content_fops = {
394	.read = read_policy,
395	};
396
397	static const struct file_operations pkcs7_fops = {
398	.read = read_pkcs7,
399	};
400
401	static const struct file_operations name_fops = {
402	.read = read_name,
403	};
404
405	static const struct file_operations ver_fops = {
406	.read = read_version,
407	};
408
409	static const struct file_operations active_fops = {
410	.write = setactive,
411	.read = getactive,
412	};
413
414	static const struct file_operations update_fops = {
415	.write = update_policy,
416	};
417
418	static const struct file_operations delete_fops = {
419	.write = delete_policy,
420	};
421
422	/*
423	* policy_subdir - files under a policy subdirectory
424	*/
425	static const struct ipefs_file policy_subdir[] = {
426	{ "pkcs7", `0444`, &pkcs7_fops },
427	{ "policy", `0444`, &content_fops },
428	{ "name", `0444`, &name_fops },
429	{ "version", `0444`, &ver_fops },
430	{ "active", `0600`, &active_fops },
431	{ "update", `0200`, &update_fops },
432	{ "delete", `0200`, &delete_fops },
433	};
434
435	/**
436	* ipe_del_policyfs_node() - Delete a securityfs entry for @p.
437	* @p: Supplies a pointer to the policy to delete a securityfs entry for.
438	*/
439	void ipe_del_policyfs_node(struct ipe_policy *p)
440	{
441	securityfs_remove(dentry: p->policyfs);
442	p->policyfs = NULL;
443	}
444
445	/**
446	* ipe_new_policyfs_node() - Create a securityfs entry for @p.
447	* @p: Supplies a pointer to the policy to create a securityfs entry for.
448	*
449	* Return: %0 on success. If an error occurs, the function will return
450	* the -errno.
451	*/
452	int ipe_new_policyfs_node(struct ipe_policy *p)
453	{
454	const struct ipefs_file *f = NULL;
455	struct dentry *policyfs = NULL;
456	struct inode *root = NULL;
457	struct dentry *d = NULL;
458	size_t i = `0`;
459	int rc = `0`;
460
461	if (p->policyfs)
462	return `0`;
463
464	policyfs = securityfs_create_dir(name: p->parsed->name, parent: policy_root);
465	if (IS_ERR(ptr: policyfs))
466	return PTR_ERR(ptr: policyfs);
467
468	root = d_inode(dentry: policyfs);
469
470	for (i = `0`; i < ARRAY_SIZE(policy_subdir); ++i) {
471	f = &policy_subdir[i];
472
473	d = securityfs_create_file(name: f->name, mode: f->access, parent: policyfs,
474	NULL, fops: f->fops);
475	if (IS_ERR(ptr: d)) {
476	rc = PTR_ERR(ptr: d);
477	goto err;
478	}
479	}
480
481	inode_lock(inode: root);
482	p->policyfs = policyfs;
483	root->i_private = p;
484	inode_unlock(inode: root);
485
486	return `0`;
487	err:
488	securityfs_remove(dentry: policyfs);
489	return rc;
490	}
491

source code of linux/security/ipe/policy_fs.c