tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1/* SPDX-License-Identifier: GPL-2.0-only */
2/*
3 * Landlock LSM - Filesystem management and hooks
4 *
5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6 * Copyright © 2018-2020 ANSSI
7 */
8
9#ifndef _SECURITY_LANDLOCK_FS_H
10#define _SECURITY_LANDLOCK_FS_H
11
12#include <linux/fs.h>
13#include <linux/init.h>
14#include <linux/rcupdate.h>
15
16#include "access.h"
17#include "ruleset.h"
18#include "setup.h"
19
20/**
21 * struct landlock_inode_security - Inode security blob
22 *
23 * Enable to reference a &struct landlock_object tied to an inode (i.e.
24 * underlying object).
25 */
26struct landlock_inode_security {
27 /**
28 * @object: Weak pointer to an allocated object. All assignments of a
29 * new object are protected by the underlying inode->i_lock. However,
30 * atomically disassociating @object from the inode is only protected
31 * by @object->lock, from the time @object's usage refcount drops to
32 * zero to the time this pointer is nulled out (cf. release_inode() and
33 * hook_sb_delete()). Indeed, such disassociation doesn't require
34 * inode->i_lock thanks to the careful rcu_access_pointer() check
35 * performed by get_inode_object().
36 */
37 struct landlock_object __rcu *object;
38};
39
40/**
41 * struct landlock_file_security - File security blob
42 *
43 * This information is populated when opening a file in hook_file_open, and
44 * tracks the relevant Landlock access rights that were available at the time
45 * of opening the file. Other LSM hooks use these rights in order to authorize
46 * operations on already opened files.
47 */
48struct landlock_file_security {
49 /**
50 * @allowed_access: Access rights that were available at the time of
51 * opening the file. This is not necessarily the full set of access
52 * rights available at that time, but it's the necessary subset as
53 * needed to authorize later operations on the open file.
54 */
55 access_mask_t allowed_access;
56 /**
57 * @fown_domain: Domain of the task that set the PID that may receive a
58 * signal e.g., SIGURG when writing MSG_OOB to the related socket.
59 * This pointer is protected by the related file->f_owner->lock, as for
60 * fown_struct's members: pid, uid, and euid.
61 */
62 struct landlock_ruleset *fown_domain;
63};
64
65/**
66 * struct landlock_superblock_security - Superblock security blob
67 *
68 * Enable hook_sb_delete() to wait for concurrent calls to release_inode().
69 */
70struct landlock_superblock_security {
71 /**
72 * @inode_refs: Number of pending inodes (from this superblock) that
73 * are being released by release_inode().
74 * Cf. struct super_block->s_fsnotify_inode_refs .
75 */
76 atomic_long_t inode_refs;
77};
78
79static inline struct landlock_file_security *
80landlock_file(const struct file *const file)
81{
82 return file->f_security + landlock_blob_sizes.lbs_file;
83}
84
85static inline struct landlock_inode_security *
86landlock_inode(const struct inode *const inode)
87{
88 return inode->i_security + landlock_blob_sizes.lbs_inode;
89}
90
91static inline struct landlock_superblock_security *
92landlock_superblock(const struct super_block *const superblock)
93{
94 return superblock->s_security + landlock_blob_sizes.lbs_superblock;
95}
96
97__init void landlock_add_fs_hooks(void);
98
99int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
100 const struct path *const path,
101 access_mask_t access_hierarchy);
102
103#endif /* _SECURITY_LANDLOCK_FS_H */