ipe: add evaluation loop

Introduce a core evaluation function in IPE that will be triggered by
various security hooks (e.g., mmap, bprm_check, kexec). This function
systematically assesses actions against the defined IPE policy, by
iterating over rules specific to the action being taken. This critical
addition enables IPE to enforce its security policies effectively,
ensuring that actions intercepted by these hooks are scrutinized for policy
compliance before they are allowed to proceed.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/ipe/Makefile b/security/ipe/Makefile
index 3093de1afd3e531f7fae61820fdf916f4256e2a9..4cc17eb920608df1c037fec7a407727f9e2d2121 100644 (file)
--- a/security/ipe/Makefile
+++ b/security/ipe/Makefile
@@ -6,6 +6,7 @@
 #
 
 obj-$(CONFIG_SECURITY_IPE) += \
+       eval.o \
        ipe.o \
        policy.o \
        policy_parser.o \

diff --git a/security/ipe/eval.c b/security/ipe/eval.c
new file mode 100644 (file)
index 0000000..f6a681c
--- /dev/null
+++ b/security/ipe/eval.c
@@ -0,0 +1,102 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
+ */
+
+#include <linux/fs.h>
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/file.h>
+#include <linux/sched.h>
+#include <linux/rcupdate.h>
+
+#include "ipe.h"
+#include "eval.h"
+#include "policy.h"
+
+struct ipe_policy __rcu *ipe_active_policy;
+
+/**
+ * evaluate_property() - Analyze @ctx against a rule property.
+ * @ctx: Supplies a pointer to the context to be evaluated.
+ * @p: Supplies a pointer to the property to be evaluated.
+ *
+ * This is a placeholder. The actual function will be introduced in the
+ * latter commits.
+ *
+ * Return:
+ * * %true     - The current @ctx match the @p
+ * * %false    - The current @ctx doesn't match the @p
+ */
+static bool evaluate_property(const struct ipe_eval_ctx *const ctx,
+                             struct ipe_prop *p)
+{
+       return false;
+}
+
+/**
+ * ipe_evaluate_event() - Analyze @ctx against the current active policy.
+ * @ctx: Supplies a pointer to the context to be evaluated.
+ *
+ * This is the loop where all policy evaluations happen against the IPE policy.
+ *
+ * Return:
+ * * %0                - Success
+ * * %-EACCES  - @ctx did not pass evaluation
+ */
+int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx)
+{
+       const struct ipe_op_table *rules = NULL;
+       const struct ipe_rule *rule = NULL;
+       struct ipe_policy *pol = NULL;
+       struct ipe_prop *prop = NULL;
+       enum ipe_action_type action;
+       bool match = false;
+
+       rcu_read_lock();
+
+       pol = rcu_dereference(ipe_active_policy);
+       if (!pol) {
+               rcu_read_unlock();
+               return 0;
+       }
+
+       if (ctx->op == IPE_OP_INVALID) {
+               if (pol->parsed->global_default_action == IPE_ACTION_DENY) {
+                       rcu_read_unlock();
+                       return -EACCES;
+               }
+               if (pol->parsed->global_default_action == IPE_ACTION_INVALID)
+                       WARN(1, "no default rule set for unknown op, ALLOW it");
+               rcu_read_unlock();
+               return 0;
+       }
+
+       rules = &pol->parsed->rules[ctx->op];
+
+       list_for_each_entry(rule, &rules->rules, next) {
+               match = true;
+
+               list_for_each_entry(prop, &rule->props, next) {
+                       match = evaluate_property(ctx, prop);
+                       if (!match)
+                               break;
+               }
+
+               if (match)
+                       break;
+       }
+
+       if (match)
+               action = rule->action;
+       else if (rules->default_action != IPE_ACTION_INVALID)
+               action = rules->default_action;
+       else
+               action = pol->parsed->global_default_action;
+
+       rcu_read_unlock();
+       if (action == IPE_ACTION_DENY)
+               return -EACCES;
+
+       return 0;
+}

diff --git a/security/ipe/eval.h b/security/ipe/eval.h
new file mode 100644 (file)
index 0000000..b137f21
--- /dev/null
+++ b/security/ipe/eval.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
+ */
+
+#ifndef _IPE_EVAL_H
+#define _IPE_EVAL_H
+
+#include <linux/file.h>
+#include <linux/types.h>
+
+#include "policy.h"
+
+extern struct ipe_policy __rcu *ipe_active_policy;
+
+struct ipe_eval_ctx {
+       enum ipe_op_type op;
+
+       const struct file *file;
+};
+
+int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx);
+
+#endif /* _IPE_EVAL_H */