diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/ipe/.gitignore | 2 | ||||
| -rw-r--r-- | security/ipe/Kconfig | 10 | ||||
| -rw-r--r-- | security/ipe/Makefile | 11 | ||||
| -rw-r--r-- | security/ipe/fs.c | 8 | ||||
| -rw-r--r-- | security/ipe/ipe.c | 12 |
5 files changed, 43 insertions, 0 deletions
diff --git a/security/ipe/.gitignore b/security/ipe/.gitignore new file mode 100644 index 000000000000..6e9939be1cb7 --- /dev/null +++ b/security/ipe/.gitignore @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0-only +boot_policy.c diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig index 6bc487b689e0..fccc69e66af1 100644 --- a/security/ipe/Kconfig +++ b/security/ipe/Kconfig @@ -21,6 +21,16 @@ menuconfig SECURITY_IPE If unsure, answer N. if SECURITY_IPE +config IPE_BOOT_POLICY + string "Integrity policy to apply on system startup" + help + This option specifies a filepath to an IPE policy that is compiled + into the kernel. This policy will be enforced until a policy update + is deployed via the $securityfs/ipe/policies/$policy_name/active + interface. + + If unsure, leave blank. + menu "IPE Trust Providers" config IPE_PROP_DM_VERITY diff --git a/security/ipe/Makefile b/security/ipe/Makefile index e1019bb9f0f3..70eea140306b 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -5,7 +5,16 @@ # Makefile for building the IPE module as part of the kernel tree. # +quiet_cmd_polgen = IPE_POL $(2) + cmd_polgen = scripts/ipe/polgen/polgen security/ipe/boot_policy.c $(2) + +targets += boot_policy.c + +$(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE + $(call if_changed,polgen,$(CONFIG_IPE_BOOT_POLICY)) + obj-$(CONFIG_SECURITY_IPE) += \ + boot_policy.o \ digest.o \ eval.o \ hooks.o \ @@ -15,3 +24,5 @@ obj-$(CONFIG_SECURITY_IPE) += \ policy_fs.o \ policy_parser.o \ audit.o \ + +clean-files := boot_policy.c \ diff --git a/security/ipe/fs.c b/security/ipe/fs.c index b52fb6023904..5b6d19fb844a 100644 --- a/security/ipe/fs.c +++ b/security/ipe/fs.c @@ -190,6 +190,7 @@ static const struct file_operations enforce_fops = { static int __init ipe_init_securityfs(void) { int rc = 0; + struct ipe_policy *ap; if (!ipe_enabled) return -EOPNOTSUPP; @@ -220,6 +221,13 @@ static int __init ipe_init_securityfs(void) goto err; } + ap = rcu_access_pointer(ipe_active_policy); + if (ap) { + rc = ipe_new_policyfs_node(ap); + if (rc) + goto err; + } + np = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops); if (IS_ERR(np)) { rc = PTR_ERR(np); diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index b410db0b486c..e19a18078cf3 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -9,6 +9,7 @@ #include "hooks.h" #include "eval.h" +extern const char *const ipe_boot_policy; bool ipe_enabled; static struct lsm_blob_sizes ipe_blobs __ro_after_init = { @@ -74,9 +75,20 @@ static struct security_hook_list ipe_hooks[] __ro_after_init = { */ static int __init ipe_init(void) { + struct ipe_policy *p = NULL; + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid); ipe_enabled = true; + if (ipe_boot_policy) { + p = ipe_new_policy(ipe_boot_policy, strlen(ipe_boot_policy), + NULL, 0); + if (IS_ERR(p)) + return PTR_ERR(p); + + rcu_assign_pointer(ipe_active_policy, p); + } + return 0; } |