xref: /security/ipe/eval.c

33 static void build_ipe_sb_ctx(struct ipe_eval_ctx *ctx, const struct file *const file)  in build_ipe_sb_ctx()  argument
35 	ctx->initramfs = ipe_sb(FILE_SUPERBLOCK(file))->initramfs;  in build_ipe_sb_ctx()
44 static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)  in build_ipe_bdev_ctx()  argument
47 		ctx->ipe_bdev = ipe_bdev(INO_BLOCK_DEV(ino));  in build_ipe_bdev_ctx()
50 static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)  in build_ipe_bdev_ctx()  argument
57 static void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx,  in build_ipe_inode_blob_ctx()  argument
60 	ctx->ipe_inode = ipe_inode(ctx->ino);  in build_ipe_inode_blob_ctx()
63 static inline void build_ipe_inode_blob_ctx(struct ipe_eval_ctx *ctx,  in build_ipe_inode_blob_ctx()  argument
74 static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)  in build_ipe_inode_ctx()  argument
76 	ctx->ino = ino;  in build_ipe_inode_ctx()
77 	build_ipe_inode_blob_ctx(ctx, ino);  in build_ipe_inode_ctx()
80 static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino)  in build_ipe_inode_ctx()  argument
92 void ipe_build_eval_ctx(struct ipe_eval_ctx *ctx,  in ipe_build_eval_ctx()  argument
99 	ctx->file = file;  in ipe_build_eval_ctx()
100 	ctx->op = op;  in ipe_build_eval_ctx()
101 	ctx->hook = hook;  in ipe_build_eval_ctx()
104 		build_ipe_sb_ctx(ctx, file);  in ipe_build_eval_ctx()
106 		build_ipe_bdev_ctx(ctx, ino);  in ipe_build_eval_ctx()
107 		build_ipe_inode_ctx(ctx, ino);  in ipe_build_eval_ctx()
119 static bool evaluate_boot_verified(const struct ipe_eval_ctx *const ctx)  in evaluate_boot_verified()  argument
121 	return ctx->initramfs;  in evaluate_boot_verified()
134 static bool evaluate_dmv_roothash(const struct ipe_eval_ctx *const ctx,  in evaluate_dmv_roothash()  argument
137 	return !!ctx->ipe_bdev &&  in evaluate_dmv_roothash()
138 	       !!ctx->ipe_bdev->root_hash &&  in evaluate_dmv_roothash()
140 			       ctx->ipe_bdev->root_hash);  in evaluate_dmv_roothash()
143 static bool evaluate_dmv_roothash(const struct ipe_eval_ctx *const ctx,  in evaluate_dmv_roothash()  argument
159 static bool evaluate_dmv_sig_false(const struct ipe_eval_ctx *const ctx)  in evaluate_dmv_sig_false()  argument
161 	return !ctx->ipe_bdev || (!ctx->ipe_bdev->dm_verity_signed);  in evaluate_dmv_sig_false()
172 static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx)  in evaluate_dmv_sig_true()  argument
174 	return !evaluate_dmv_sig_false(ctx);  in evaluate_dmv_sig_true()
177 static bool evaluate_dmv_sig_false(const struct ipe_eval_ctx *const ctx)  in evaluate_dmv_sig_false()  argument
182 static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx)  in evaluate_dmv_sig_true()  argument
198 static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx,  in evaluate_fsv_digest()  argument
205 	if (!ctx->ino)  in evaluate_fsv_digest()
207 	if (!fsverity_get_digest((struct inode *)ctx->ino,  in evaluate_fsv_digest()
220 static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx,  in evaluate_fsv_digest()  argument
236 static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx)  in evaluate_fsv_sig_false()  argument
238 	return !ctx->ino ||  in evaluate_fsv_sig_false()
239 	       !IS_VERITY(ctx->ino) ||  in evaluate_fsv_sig_false()
240 	       !ctx->ipe_inode ||  in evaluate_fsv_sig_false()
241 	       !ctx->ipe_inode->fs_verity_signed;  in evaluate_fsv_sig_false()
252 static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx)  in evaluate_fsv_sig_true()  argument
254 	return !evaluate_fsv_sig_false(ctx);  in evaluate_fsv_sig_true()
257 static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx)  in evaluate_fsv_sig_false()  argument
262 static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx)  in evaluate_fsv_sig_true()  argument
280 static bool evaluate_property(const struct ipe_eval_ctx *const ctx,  in evaluate_property()  argument
285 		return !evaluate_boot_verified(ctx);  in evaluate_property()
287 		return evaluate_boot_verified(ctx);  in evaluate_property()
289 		return evaluate_dmv_roothash(ctx, p);  in evaluate_property()
291 		return evaluate_dmv_sig_false(ctx);  in evaluate_property()
293 		return evaluate_dmv_sig_true(ctx);  in evaluate_property()
295 		return evaluate_fsv_digest(ctx, p);  in evaluate_property()
297 		return evaluate_fsv_sig_false(ctx);  in evaluate_property()
299 		return evaluate_fsv_sig_true(ctx);  in evaluate_property()
315 int ipe_evaluate_event(const struct ipe_eval_ctx *const ctx)  in ipe_evaluate_event()  argument
334 	if (ctx->op == IPE_OP_INVALID) {  in ipe_evaluate_event()
345 	rules = &pol->parsed->rules[ctx->op];  in ipe_evaluate_event()
351 			match = evaluate_property(ctx, prop);  in ipe_evaluate_event()
372 	ipe_audit_match(ctx, match_type, action, rule);  in ipe_evaluate_event()

Last Index update Fri Aug 22 10:33:58 CST 2025