diff options
| author |   Deven Bowers <deven.desai@linux.microsoft.com> | 2024-08-02 23:08:18 -0700 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2024-08-20 14:01:33 -0400 |
| commit | 52443cb60c356707df494910fa134bbb0a8b1a66 (patch) | |
| tree | b53fe558511f276f891ecce8da6aa34b0d5e3ae1 /security/ipe/hooks.h | |
| parent | ipe: add evaluation loop (diff) | |
| download | wireguard-linux-52443cb60c356707df494910fa134bbb0a8b1a66.tar.xz wireguard-linux-52443cb60c356707df494910fa134bbb0a8b1a66.zip | |
ipe: add LSM hooks on execution and kernel read
IPE's initial goal is to control both execution and the loading of
kernel modules based on the system's definition of trust. It
accomplishes this by plugging into the security hooks for
bprm_check_security, file_mprotect, mmap_file, kernel_load_data,
and kernel_read_data.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/ipe/hooks.h')
| -rw-r--r-- | security/ipe/hooks.h | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h new file mode 100644 index 000000000000..c22c3336d27c --- /dev/null +++ b/security/ipe/hooks.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. + */ +#ifndef _IPE_HOOKS_H +#define _IPE_HOOKS_H + +#include <linux/fs.h> +#include <linux/binfmts.h> +#include <linux/security.h> + +int ipe_bprm_check_security(struct linux_binprm *bprm); + +int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot, + unsigned long flags); + +int ipe_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, + unsigned long prot); + +int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id, + bool contents); + +int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents); + +#endif /* _IPE_HOOKS_H */ |