Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
1/* SPDX-License-Identifier: GPL-2.0-only */
2/*
3 * Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux security data structures for kernel objects.
6 *
7 * Author(s): Stephen Smalley, <stephen.smalley.work@gmail.com>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Copyright (C) 2016 Mellanox Technologies
15 */
16
17#ifndef _SELINUX_OBJSEC_H_
18#define _SELINUX_OBJSEC_H_
19
20#include <linux/list.h>
21#include <linux/sched.h>
22#include <linux/fs.h>
23#include <linux/binfmts.h>
24#include <linux/in.h>
25#include <linux/spinlock.h>
26#include <linux/lsm_hooks.h>
27#include <linux/msg.h>
28#include <net/net_namespace.h>
29#include <linux/bpf.h>
30#include "flask.h"
31#include "avc.h"
32
33struct avdc_entry {
34 u32 isid; /* inode SID */
35 u32 allowed; /* allowed permission bitmask */
36 u32 audited; /* audited permission bitmask */
37 bool permissive; /* AVC permissive flag */
38};
39
40struct cred_security_struct {
41 u32 osid; /* SID prior to last execve */
42 u32 sid; /* current SID */
43 u32 exec_sid; /* exec SID */
44 u32 create_sid; /* fscreate SID */
45 u32 keycreate_sid; /* keycreate SID */
46 u32 sockcreate_sid; /* fscreate SID */
47} __randomize_layout;
48
49struct task_security_struct {
50#define TSEC_AVDC_DIR_SIZE (1 << 2)
51 struct {
52 u32 sid; /* current SID for cached entries */
53 u32 seqno; /* AVC sequence number */
54 unsigned int dir_spot; /* dir cache index to check first */
55 struct avdc_entry dir[TSEC_AVDC_DIR_SIZE]; /* dir entries */
56 bool permissive_neveraudit; /* permissive and neveraudit */
57 } avdcache;
58} __randomize_layout;
59
60static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec,
61 u32 sid)
62{
63 return (tsec->avdcache.permissive_neveraudit &&
64 sid == tsec->avdcache.sid &&
65 tsec->avdcache.seqno == avc_policy_seqno());
66}
67
68enum label_initialized {
69 LABEL_INVALID, /* invalid or not initialized */
70 LABEL_INITIALIZED, /* initialized */
71 LABEL_PENDING
72};
73
74struct inode_security_struct {
75 struct inode *inode; /* back pointer to inode object */
76 struct list_head list; /* list of inode_security_struct */
77 u32 task_sid; /* SID of creating task */
78 u32 sid; /* SID of this object */
79 u16 sclass; /* security class of this object */
80 unsigned char initialized; /* initialization flag */
81 spinlock_t lock;
82};
83
84struct file_security_struct {
85 u32 sid; /* SID of open file description */
86 u32 fown_sid; /* SID of file owner (for SIGIO) */
87 u32 isid; /* SID of inode at the time of file open */
88 u32 pseqno; /* Policy seqno at the time of file open */
89};
90
91struct superblock_security_struct {
92 u32 sid; /* SID of file system superblock */
93 u32 def_sid; /* default SID for labeling */
94 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
95 unsigned short behavior; /* labeling behavior */
96 unsigned short flags; /* which mount options were specified */
97 struct mutex lock;
98 struct list_head isec_head;
99 spinlock_t isec_lock;
100};
101
102struct msg_security_struct {
103 u32 sid; /* SID of message */
104};
105
106struct ipc_security_struct {
107 u16 sclass; /* security class of this object */
108 u32 sid; /* SID of IPC resource */
109};
110
111struct netif_security_struct {
112 const struct net *ns; /* network namespace */
113 int ifindex; /* device index */
114 u32 sid; /* SID for this interface */
115};
116
117struct netnode_security_struct {
118 union {
119 __be32 ipv4; /* IPv4 node address */
120 struct in6_addr ipv6; /* IPv6 node address */
121 } addr;
122 u32 sid; /* SID for this node */
123 u16 family; /* address family */
124};
125
126struct netport_security_struct {
127 u32 sid; /* SID for this node */
128 u16 port; /* port number */
129 u8 protocol; /* transport protocol */
130};
131
132struct sk_security_struct {
133#ifdef CONFIG_NETLABEL
134 enum { /* NetLabel state */
135 NLBL_UNSET = 0,
136 NLBL_REQUIRE,
137 NLBL_LABELED,
138 NLBL_REQSKB,
139 NLBL_CONNLABELED,
140 } nlbl_state;
141 struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
142#endif
143 u32 sid; /* SID of this object */
144 u32 peer_sid; /* SID of peer */
145 u16 sclass; /* sock security class */
146 enum { /* SCTP association state */
147 SCTP_ASSOC_UNSET = 0,
148 SCTP_ASSOC_SET,
149 } sctp_assoc_state;
150};
151
152struct tun_security_struct {
153 u32 sid; /* SID for the tun device sockets */
154};
155
156struct key_security_struct {
157 u32 sid; /* SID of key */
158};
159
160struct ib_security_struct {
161 u32 sid; /* SID of the queue pair or MAD agent */
162};
163
164struct pkey_security_struct {
165 u64 subnet_prefix; /* Port subnet prefix */
166 u16 pkey; /* PKey number */
167 u32 sid; /* SID of pkey */
168};
169
170struct bpf_security_struct {
171 u32 sid; /* SID of bpf obj creator */
172};
173
174struct perf_event_security_struct {
175 u32 sid; /* SID of perf_event obj creator */
176};
177
178extern struct lsm_blob_sizes selinux_blob_sizes;
179static inline struct cred_security_struct *selinux_cred(const struct cred *cred)
180{
181 return cred->security + selinux_blob_sizes.lbs_cred;
182}
183
184static inline struct task_security_struct *
185selinux_task(const struct task_struct *task)
186{
187 return task->security + selinux_blob_sizes.lbs_task;
188}
189
190static inline struct file_security_struct *selinux_file(const struct file *file)
191{
192 return file->f_security + selinux_blob_sizes.lbs_file;
193}
194
195static inline struct inode_security_struct *
196selinux_inode(const struct inode *inode)
197{
198 if (unlikely(!inode->i_security))
199 return NULL;
200 return inode->i_security + selinux_blob_sizes.lbs_inode;
201}
202
203static inline struct msg_security_struct *
204selinux_msg_msg(const struct msg_msg *msg_msg)
205{
206 return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
207}
208
209static inline struct ipc_security_struct *
210selinux_ipc(const struct kern_ipc_perm *ipc)
211{
212 return ipc->security + selinux_blob_sizes.lbs_ipc;
213}
214
215/*
216 * get the subjective security ID of the current task
217 */
218static inline u32 current_sid(void)
219{
220 const struct cred_security_struct *crsec = selinux_cred(current_cred());
221
222 return crsec->sid;
223}
224
225static inline struct superblock_security_struct *
226selinux_superblock(const struct super_block *superblock)
227{
228 return superblock->s_security + selinux_blob_sizes.lbs_superblock;
229}
230
231#ifdef CONFIG_KEYS
232static inline struct key_security_struct *selinux_key(const struct key *key)
233{
234 return key->security + selinux_blob_sizes.lbs_key;
235}
236#endif /* CONFIG_KEYS */
237
238static inline struct sk_security_struct *selinux_sock(const struct sock *sock)
239{
240 return sock->sk_security + selinux_blob_sizes.lbs_sock;
241}
242
243static inline struct tun_security_struct *selinux_tun_dev(void *security)
244{
245 return security + selinux_blob_sizes.lbs_tun_dev;
246}
247
248static inline struct ib_security_struct *selinux_ib(void *ib_sec)
249{
250 return ib_sec + selinux_blob_sizes.lbs_ib;
251}
252
253static inline struct perf_event_security_struct *
254selinux_perf_event(void *perf_event)
255{
256 return perf_event + selinux_blob_sizes.lbs_perf_event;
257}
258
259#ifdef CONFIG_BPF_SYSCALL
260static inline struct bpf_security_struct *
261selinux_bpf_map_security(struct bpf_map *map)
262{
263 return map->security + selinux_blob_sizes.lbs_bpf_map;
264}
265
266static inline struct bpf_security_struct *
267selinux_bpf_prog_security(struct bpf_prog *prog)
268{
269 return prog->aux->security + selinux_blob_sizes.lbs_bpf_prog;
270}
271
272static inline struct bpf_security_struct *
273selinux_bpf_token_security(struct bpf_token *token)
274{
275 return token->security + selinux_blob_sizes.lbs_bpf_token;
276}
277#endif /* CONFIG_BPF_SYSCALL */
278#endif /* _SELINUX_OBJSEC_H_ */