security/ipe/hooks.c

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
 */

#include <linux/fs.h>
#include <linux/fs_struct.h>
#include <linux/types.h>
#include <linux/binfmts.h>
#include <linux/mman.h>
#include <linux/blk_types.h>

#include "ipe.h"
#include "hooks.h"
#include "eval.h"
#include "digest.h"

/**
 * ipe_bprm_check_security() - ipe security hook function for bprm check.
 * @bprm: Supplies a pointer to a linux_binprm structure to source the file
 *	  being evaluated.
 *
 * Entered from the LSM bprm_check_security hook when a binary is loaded
 * through the exec family of system calls. The file carried by @bprm is
 * evaluated as an %IPE_OP_EXEC operation attributed to the
 * %IPE_HOOK_BPRM_CHECK hook, and the policy verdict from
 * ipe_evaluate_event() is returned to the caller unchanged.
 *
 * Return:
 * * %0		- Success
 * * %-EACCES	- Did not pass IPE policy
 */
int ipe_bprm_check_security(struct linux_binprm *bprm)
{
	struct ipe_eval_ctx eval_ctx = IPE_EVAL_CTX_INIT;
	struct file *image = bprm->file;

	/* Every exec is evaluated here; there is no bprm->is_check gate as in
	 * ipe_bprm_creds_for_exec().
	 */
	ipe_build_eval_ctx(&eval_ctx, image, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);

	return ipe_evaluate_event(&eval_ctx);
}

/**
 * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check.
 * @bprm: Supplies a pointer to a linux_binprm structure to source the file
 *	  being evaluated.
 *
 * Entered from the LSM bprm_creds_for_exec hook. IPE only acts when
 * @bprm->is_check is set, which is the case when userspace asked for an
 * execution check through execveat with the AT_EXECVE_CHECK flag rather
 * than an actual exec. The script file is then evaluated as an
 * %IPE_OP_EXEC operation attributed to %IPE_HOOK_BPRM_CREDS_FOR_EXEC and
 * the policy verdict is handed back so the calling program can decide
 * whether to go on and run the script. When @bprm->is_check is clear the
 * hook returns %0 without consulting policy; regular exec requests are
 * presumably covered by ipe_bprm_check_security() instead.
 *
 * Return:
 * * %0		- Success
 * * %-EACCES	- Did not pass IPE policy
 */
int ipe_bprm_creds_for_exec(struct linux_binprm *bprm)
{
	struct ipe_eval_ctx eval_ctx = IPE_EVAL_CTX_INIT;

	if (bprm->is_check) {
		/* Check-only request: evaluate the file, do not rely on any
		 * later exec-path hook to do it.
		 */
		ipe_build_eval_ctx(&eval_ctx, bprm->file, IPE_OP_EXEC,
				   IPE_HOOK_BPRM_CREDS_FOR_EXEC);
		return ipe_evaluate_event(&eval_ctx);
	}

	/* Not an AT_EXECVE_CHECK request: nothing for this hook to decide. */
	return 0;
}

/**
 * ipe_mmap_file() - ipe security hook function for mmap check.
 * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
 * @reqprot: The requested protection on the mmap, passed from usermode.
 * @prot: The effective protection on the mmap, resolved from reqprot and
 *	  system configuration.
 * @flags: Unused.
 *
 * This hook is called when a file is loaded through the mmap
 * family of system calls.
 *
 * Return:
 * * %0		- Success
 * * %-EACCES	- Did not pass IPE policy
 */
int ipe_mmap_file(struct file *f, unsigned long reqprot __always_unused,
		  unsigned long prot, unsigned long flags)
{
	struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;

	if (prot & PROT_EXEC) {
		ipe_build_eval_ctx(&ctx, f, IPE_OP_EXEC, IPE_HOOK_MMAP);
		return ipe_evaluate_event(&ctx);
	}

	return 0;
