Lines Matching +full:build +full:- +full:rules
1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
24 #define INO_BLOCK_DEV(ino) ((ino)->i_sb->s_bdev)
26 #define FILE_SUPERBLOCK(f) ((f)->f_path.mnt->mnt_sb)
29 * build_ipe_sb_ctx() - Build initramfs field of an ipe evaluation context.
35 ctx->initramfs = ipe_sb(FILE_SUPERBLOCK(file))->initramfs; in build_ipe_sb_ctx()
40 * build_ipe_bdev_ctx() - Build ipe_bdev field of an evaluation context.
47 ctx->ipe_bdev = ipe_bdev(INO_BLOCK_DEV(ino)); in build_ipe_bdev_ctx()
60 ctx->ipe_inode = ipe_inode(ctx->ino); in build_ipe_inode_blob_ctx()
70 * build_ipe_inode_ctx() - Build inode fields of an evaluation context.
76 ctx->ino = ino; in build_ipe_inode_ctx()
86 * ipe_build_eval_ctx() - Build an ipe evaluation context.
99 ctx->file = file; in ipe_build_eval_ctx()
100 ctx->op = op; in ipe_build_eval_ctx()
101 ctx->hook = hook; in ipe_build_eval_ctx()
105 ino = d_real_inode(file->f_path.dentry); in ipe_build_eval_ctx()
112 * evaluate_boot_verified() - Evaluate @ctx for the boot verified property.
116 * * %true - The current @ctx matches the @p
117 * * %false - The current @ctx doesn't match the @p
121 return ctx->initramfs; in evaluate_boot_verified()
126 * evaluate_dmv_roothash() - Evaluate @ctx against a dmv roothash property.
131 * * %true - The current @ctx matches the @p
132 * * %false - The current @ctx doesn't match the @p
137 return !!ctx->ipe_bdev && in evaluate_dmv_roothash()
138 !!ctx->ipe_bdev->root_hash && in evaluate_dmv_roothash()
139 ipe_digest_eval(p->value, in evaluate_dmv_roothash()
140 ctx->ipe_bdev->root_hash); in evaluate_dmv_roothash()
152 * evaluate_dmv_sig_false() - Evaluate @ctx against a dmv sig false property.
156 * * %true - The current @ctx matches the property
157 * * %false - The current @ctx doesn't match the property
161 return !ctx->ipe_bdev || (!ctx->ipe_bdev->dm_verity_signed); in evaluate_dmv_sig_false()
165 * evaluate_dmv_sig_true() - Evaluate @ctx against a dmv sig true property.
169 * * %true - The current @ctx matches the property
170 * * %false - The current @ctx doesn't match the property
190 * evaluate_fsv_digest() - Evaluate @ctx against a fsv digest property.
195 * * %true - The current @ctx matches the @p
196 * * %false - The current @ctx doesn't match the @p
205 if (!ctx->ino) in evaluate_fsv_digest()
207 if (!fsverity_get_digest((struct inode *)ctx->ino, in evaluate_fsv_digest()
217 return ipe_digest_eval(p->value, &info); in evaluate_fsv_digest()
229 * evaluate_fsv_sig_false() - Evaluate @ctx against a fsv sig false property.
233 * * %true - The current @ctx matches the property
234 * * %false - The current @ctx doesn't match the property
238 return !ctx->ino || in evaluate_fsv_sig_false()
239 !IS_VERITY(ctx->ino) || in evaluate_fsv_sig_false()
240 !ctx->ipe_inode || in evaluate_fsv_sig_false()
241 !ctx->ipe_inode->fs_verity_signed; in evaluate_fsv_sig_false()
245 * evaluate_fsv_sig_true() - Evaluate @ctx against a fsv sig true property.
249 * * %true - The current @ctx matches the property
250 * * %false - The current @ctx doesn't match the property
269 * evaluate_property() - Analyze @ctx against a rule property.
277 * * %true - The current @ctx matches the @p
278 * * %false - The current @ctx doesn't match the @p
283 switch (p->type) { in evaluate_property()
306 * ipe_evaluate_event() - Analyze @ctx against the current active policy.
312 * * %0 - Success
313 * * %-EACCES - @ctx did not pass evaluation
317 const struct ipe_op_table *rules = NULL; in ipe_evaluate_event() local
334 if (ctx->op == IPE_OP_INVALID) { in ipe_evaluate_event()
335 if (pol->parsed->global_default_action == IPE_ACTION_INVALID) { in ipe_evaluate_event()
339 action = pol->parsed->global_default_action; in ipe_evaluate_event()
345 rules = &pol->parsed->rules[ctx->op]; in ipe_evaluate_event()
347 list_for_each_entry(rule, &rules->rules, next) { in ipe_evaluate_event()
350 list_for_each_entry(prop, &rule->props, next) { in ipe_evaluate_event()
361 action = rule->action; in ipe_evaluate_event()
363 } else if (rules->default_action != IPE_ACTION_INVALID) { in ipe_evaluate_event()
364 action = rules->default_action; in ipe_evaluate_event()
367 action = pol->parsed->global_default_action; in ipe_evaluate_event()
376 rc = -EACCES; in ipe_evaluate_event()