ipe: add LSM hooks on execution and kernel read

IPE's initial goal is to control both execution and the loading of kernel modules based on the system's definition of trust. It accomplishes this by plugging into the security hooks for bprm_check_security, file_mprotect, mmap_file, kernel_load_data, and kernel_read_data. Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Deven Bowers <deven.desai@linux.microsoft.com> 2024-08-02 23:08:18 -0700
committer: Paul Moore <paul@paul-moore.com> 2024-08-20 14:01:33 -0400
commit: 52443cb60c356707df494910fa134bbb0a8b1a66 (patch)
tree: b53fe558511f276f891ecce8da6aa34b0d5e3ae1 /security/ipe/eval.h
parent: 05a351630b7463ce58668095f5683669c1295f65 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/security/ipe/eval.h b/security/ipe/eval.h
index b137f2107852..00ed8ceca10e 100644
--- a/security/ipe/eval.h
+++ b/security/ipe/eval.h
@@ -11,6 +11,8 @@
 
 #include "policy.h"
 
+#define IPE_EVAL_CTX_INIT ((struct ipe_eval_ctx){ 0 })
+
 extern struct ipe_policy __rcu *ipe_active_policy;
 
 struct ipe_eval_ctx {
@@ -19,6 +21,9 @@ struct ipe_eval_ctx {
 	const struct file *file;
 };
 
+void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx,
+			const struct file *file,
+			enum ipe_op_type op);
 int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx);
 
 #endif /* _IPE_EVAL_H */
author	Deven Bowers <deven.desai@linux.microsoft.com>	2024-08-02 23:08:18 -0700
committer	Paul Moore <paul@paul-moore.com>	2024-08-20 14:01:33 -0400
commit	52443cb60c356707df494910fa134bbb0a8b1a66 (patch)
tree	b53fe558511f276f891ecce8da6aa34b0d5e3ae1 /security/ipe/eval.h
parent	05a351630b7463ce58668095f5683669c1295f65 (diff)