From e1f0960bbe293875772b8476e5cb6bfe246e5ab2 Mon Sep 17 00:00:00 2001 From: maliang Date: Fri, 26 Jul 2024 21:10:02 +0800 Subject: [PATCH] Add dec policy configure interfaces: (1) add misc device "/dev/dec"; (2) provide ioctl interface entry without actual function. Change-Id: Ia5051934550d174414f423ae60f124c7b2701d81 Signed-off-by: maliang --- security/Kconfig | 2 +- security/Makefile | 2 + security/dec/Kconfig | 15 ++++ security/dec/Makefile | 8 ++ security/dec/dec_misc.c | 174 ++++++++++++++++++++++++++++++++++++++++ security/dec/dec_misc.h | 61 ++++++++++++++ 6 files changed, 261 insertions(+), 1 deletion(-) create mode 100644 security/dec/Kconfig create mode 100644 security/dec/Makefile create mode 100644 security/dec/dec_misc.c create mode 100644 security/dec/dec_misc.h diff --git a/security/Kconfig b/security/Kconfig index 3f6bf7650924..49fa63fee3a8 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -232,7 +232,7 @@ source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/xpm/Kconfig" source "security/container_escape_detection/Kconfig" - +source "security/dec/Kconfig" source "security/integrity/Kconfig" choice diff --git a/security/Makefile b/security/Makefile index 4042bbb68d34..40daa7c62f83 100644 --- a/security/Makefile +++ b/security/Makefile @@ -15,6 +15,7 @@ subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown subdir-$(CONFIG_BPF_LSM) += bpf subdir-$(CONFIG_SECURITY_XPM) += xpm subdir-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection +subdir-$(CONFIG_SECURITY_DEC) += dec # always enable default capabilities obj-y += commoncap.o @@ -36,6 +37,7 @@ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_XPM) += xpm/ obj-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection/ +obj-$(CONFIG_SECURITY_DEC) += dec/ # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity diff --git a/security/dec/Kconfig b/security/dec/Kconfig new file mode 100644 index 000000000000..07864547fcd0 --- /dev/null +++ b/security/dec/Kconfig @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: GPL-2.0-only +# +# Copyright (c) 2024 Huawei Device Co., Ltd +# +# Dec policy configuration +# + +menu "Dec policy" + +config SECURITY_DEC + bool "dec feature" + depends on CONFIG_ACCESS_TOKENID + default y + +endmenu diff --git a/security/dec/Makefile b/security/dec/Makefile new file mode 100644 index 000000000000..f203311c36d5 --- /dev/null +++ b/security/dec/Makefile @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: GPL-2.0-only +# +# Copyright (c) 2024 Huawei Device Co., Ltd +# +# Makefile for dec module +# + +obj-$(CONFIG_SECURITY_DEC) += dec_misc.o diff --git a/security/dec/dec_misc.c b/security/dec/dec_misc.c new file mode 100644 index 000000000000..084c91ac95c7 --- /dev/null +++ b/security/dec/dec_misc.c @@ -0,0 +1,174 @@ +/* SPDX-License-Identifier: GPL-2.0-only +* +* Copyright (c) 2024 Huawei Device Co., Ltd +* +* source for dec misc +* +*/ + +#include +#include +#include +#include +#include + +#include "dec_misc.h" + +#define PATH_MAX_LEN 4096 +#define DEC_FUNC_MAX 8 + +typedef int (*dec_func)(void __user *arg); +static dec_fun g_dec_func_array[8] = { + NULL, + set_dec_policy, + del_dec_policy, + query_dec_policy, + check_dec_policy, + destroy_dec_policy, + constraint_dec_policy, + deny_dec_policy, +}; + +static long dec_ioctl(struct file *file, unsigned int cmd, unsigned long arg) +{ + void __user *uarg = (void __user *)arg; + unsigned int func_idx = _IOC_NR(cmd); + + if (uarg == NULL) { + pr_err("[dec]%s: invalid user uarg\n", __func__); + return -EINVAL; + } + + if (_IOC_TYPE(cmd) != DEC_IOCTL_BASE) { + pr_err("[dec]%s: invalid magic, TYPE: %u\n", __func__, + _IOC_TYPE(cmd)); + return -EINVAL; + } + + if (func_cmd >= DEC_FUNC_MAX) { + pr_err("[dec]%s: invalid magic type: %u\n", __func__, func_idx); + return -EINVAL; + } + + if (g_dec_func_array[fun_idx]) + return (*g_dec_func_array[func_idx])(uarg); + + return -EINVAL; +} + +static int dec_open(struct inode *inode, struct file *filp) +{ + return 0; +} + +static int dec_release(struct inode *inode, struct file *filp) +{ + return 0; +} + +static struct const file_operations dec_fops = { + .owner = THIS_MODULE, + .open = dec_open, + .release = dec_release, + .unlocked_ioctl = dec_ioctl, + .compat_ioctl = dec_ioctl, +}; + +static struct miscdevice dec_misc = { + .minor = MISC_DYNAMIC_MINOR, + .name = "dec", + .fops = &dec_fops, +}; + +static int __init dec_init(void) +{ + int err = 0; + + err = misc_register(&dec_misc); + if (err < 0) { + pr_err("[dec]dec device init failed\n"); + return err; + } + + pr_err("[dec]dec device init success\n"); + return 0; +} + +static void __exit dec_exit(void) +{ + misc_deregister(&dec_misc); + pr_info("[dec]dec exited"); +} + +/* module entry points */ +module_init(dec_init); +module_exit(dec_exit); + +static int do_configure(void __user *arg) +{ + /* receive dec_info and print key infomation */ + struct dec_policy_info info = { 0 }; + if (arg == NULL) { + pr_err("Input arg invalid\n"); + return -EINVAL; + } + if (copy_from_user(&info, (struct dec_policy_info __user *)arg, + sizeof(info)) != 0) { + hm_error("[dec]Receive dec_policy_info failed!\n"); + return -EFAULT; + } + pr_err("[dec]Received data: tokenid=%lu, path_num=%u\n", info.tokenid, + info.path_num); + return 0; +} + +static int set_dec_policy(void __user *arg) +{ + pr_info("[dec]set_dec_policy\n"); + return do_configure(arg); +} + +static int del_dec_policy(void __user *arg) +{ + pr_info("[dec]del_dec_policy\n"); + return do_configure(arg); +} +static int query_dec_policy(void __user *arg) +{ + pr_info("[dec]query_dec_policy\n"); + return do_configure(arg); +} + +static int check_dec_policy(void __user *arg) +{ + pr_info("[dec]check_dec_policy\n"); + return do_configure(arg); +} + +static int destroy_dec_policy(void __user *arg) +{ + uint64_t tokenid = 0; + + if (arg == NULL) { + pr_err("Input arg invalid\n"); + return -EINVAL; + } + if (copy_from_user(&tokenid, arg, sizeof(tokenid)) != 0) { + pr_err("[dec]destroy_dec_policy receive tokenid failed!\n"); + return -EFAULT; + } + pr_info("[dec]destroy_dec_policy with tokenid: %lu\n", tokenid); + return 0; +} + +static int constraint_dec_policy(void __user *arg) +{ + pr_info("[dec]constraint_dec_policy\n"); + return do_configure(arg); +} + +static int deny_dec_policy(void __user *arg) +{ + pr_info("[dec]deny_dec_policy\n"); + return do_configure(arg); +} \ No newline at end of file diff --git a/security/dec/dec_misc.h b/security/dec/dec_misc.h new file mode 100644 index 000000000000..50767a0f401b --- /dev/null +++ b/security/dec/dec_misc.h @@ -0,0 +1,61 @@ +/* SPDX-License-Identifier: GPL-2.0-only +* +* Copyright (c) 2024 Huawei Device Co., Ltd +* +* hearder for dec misc +* +*/ + +#ifndef _DEC_MISC_H +#define _DEC_MISC_H + +#include +#include +#include +#include + +#define MAX_PATH_NUM 32 + +#define DEV_DEC_MINOR 0x25 +#define DEC_IOCTL_BASE 's' +#define SET_POLICY_ID 1 +#define DEL_POLICY_ID 2 +#define QUERY_POLICY_ID 3 +#define CHECK_POLICY_ID 4 +#define DESTROY_POLICY_ID 5 +#define CONSTRAINT_POLICY_ID 6 +#define DENY_POLICY_ID 7 + +struct path_info; +struct dec_policy_info; + +#define SET_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, SET_POLICY_ID, struct dec_policy_info) +#define DEL_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, DEL_POLICY_ID, struct dec_policy_info) +#define QUERY_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, QUERY_POLICY_ID, struct dec_policy_info) +#define CHECK_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, CHECK_POLICY_ID, struct dec_policy_info) +#define DESTROY_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, DESTROY_POLICY_ID, uint64_t) +#define CONSTRAINT_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, CONSTRAINT_POLICY_ID, struct dec_policy_info) +#define DENY_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, DENY_POLICY_ID, struct dec_policy_info) + +struct path_info { + char *path; + uint32_t path_len; + uint32_t mode; + bool ret_flag; +}; + +struct dec_policy_info { + uint64_t tokenid; + struct path_info path[MAX_PATH_NUM]; + uint32_t path_num; + bool persist_flag; +}; + +#endif /* _DEC_MISC_H */ \ No newline at end of file -- Gitee