1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3 * Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux security data structures for kernel objects.
6 *
7 * Author(s): Stephen Smalley, <stephen.smalley.work@gmail.com>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Copyright (C) 2016 Mellanox Technologies
15 */
16
17 #ifndef _SELINUX_OBJSEC_H_
18 #define _SELINUX_OBJSEC_H_
19
20 #include <linux/list.h>
21 #include <linux/sched.h>
22 #include <linux/fs.h>
23 #include <linux/binfmts.h>
24 #include <linux/in.h>
25 #include <linux/spinlock.h>
26 #include <linux/lsm_hooks.h>
27 #include <linux/msg.h>
28 #include <net/net_namespace.h>
29 #include <linux/bpf.h>
30 #include "flask.h"
31 #include "avc.h"
32
33 struct avdc_entry {
34 u32 isid; /* inode SID */
35 struct av_decision avd; /* av decision */
36 };
37
38 struct cred_security_struct {
39 u32 osid; /* SID prior to last execve */
40 u32 sid; /* current SID */
41 u32 exec_sid; /* exec SID */
42 u32 create_sid; /* fscreate SID */
43 u32 keycreate_sid; /* keycreate SID */
44 u32 sockcreate_sid; /* fscreate SID */
45 } __randomize_layout;
46
47 struct task_security_struct {
48 #define TSEC_AVDC_DIR_SIZE (1 << 2)
49 struct {
50 u32 sid; /* current SID for cached entries */
51 u32 seqno; /* AVC sequence number */
52 unsigned int dir_spot; /* dir cache index to check first */
53 struct avdc_entry dir[TSEC_AVDC_DIR_SIZE]; /* dir entries */
54 bool permissive_neveraudit; /* permissive and neveraudit */
55 } avdcache;
56 } __randomize_layout;
57
task_avdcache_permnoaudit(struct task_security_struct * tsec,u32 sid)58 static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec,
59 u32 sid)
60 {
61 return (tsec->avdcache.permissive_neveraudit &&
62 sid == tsec->avdcache.sid &&
63 tsec->avdcache.seqno == avc_policy_seqno());
64 }
65
66 enum label_initialized {
67 LABEL_INVALID, /* invalid or not initialized */
68 LABEL_INITIALIZED, /* initialized */
69 LABEL_PENDING
70 };
71
72 struct inode_security_struct {
73 struct inode *inode; /* back pointer to inode object */
74 struct list_head list; /* list of inode_security_struct */
75 u32 task_sid; /* SID of creating task */
76 u32 sid; /* SID of this object */
77 u16 sclass; /* security class of this object */
78 unsigned char initialized; /* initialization flag */
79 spinlock_t lock;
80 };
81
82 struct file_security_struct {
83 u32 sid; /* SID of open file description */
84 u32 fown_sid; /* SID of file owner (for SIGIO) */
85 u32 isid; /* SID of inode at the time of file open */
86 u32 pseqno; /* Policy seqno at the time of file open */
87 };
88
89 struct backing_file_security_struct {
90 u32 uf_sid; /* associated user file fsec->sid */
91 };
92
93 struct superblock_security_struct {
94 u32 sid; /* SID of file system superblock */
95 u32 def_sid; /* default SID for labeling */
96 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
97 u32 creator_sid; /* SID of privileged process */
98 unsigned short behavior; /* labeling behavior */
99 unsigned short flags; /* which mount options were specified */
100 struct mutex lock;
101 struct list_head isec_head;
102 spinlock_t isec_lock;
103 };
104
105 struct msg_security_struct {
106 u32 sid; /* SID of message */
107 };
108
109 struct ipc_security_struct {
110 u16 sclass; /* security class of this object */
111 u32 sid; /* SID of IPC resource */
112 };
113
114 struct netif_security_struct {
115 const struct net *ns; /* network namespace */
116 int ifindex; /* device index */
117 u32 sid; /* SID for this interface */
118 };
119
120 struct netnode_security_struct {
121 union {
122 __be32 ipv4; /* IPv4 node address */
123 struct in6_addr ipv6; /* IPv6 node address */
124 } addr;
125 u32 sid; /* SID for this node */
126 u16 family; /* address family */
127 };
128
129 struct netport_security_struct {
130 u32 sid; /* SID for this node */
131 u16 port; /* port number */
132 u8 protocol; /* transport protocol */
133 };
134
135 struct sk_security_struct {
136 #ifdef CONFIG_NETLABEL
137 enum { /* NetLabel state */
138 NLBL_UNSET = 0,
139 NLBL_REQUIRE,
140 NLBL_LABELED,
141 NLBL_REQSKB,
142 NLBL_CONNLABELED,
143 } nlbl_state;
144 struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
145 #endif
146 u32 sid; /* SID of this object */
147 u32 peer_sid; /* SID of peer */
148 u16 sclass; /* sock security class */
149 enum { /* SCTP association state */
150 SCTP_ASSOC_UNSET = 0,
151 SCTP_ASSOC_SET,
152 } sctp_assoc_state;
153 };
154
155 struct tun_security_struct {
156 u32 sid; /* SID for the tun device sockets */
157 };
158
159 struct key_security_struct {
160 u32 sid; /* SID of key */
161 };
162
163 struct ib_security_struct {
164 u32 sid; /* SID of the queue pair or MAD agent */
165 };
166
167 struct pkey_security_struct {
168 u64 subnet_prefix; /* Port subnet prefix */
169 u16 pkey; /* PKey number */
170 u32 sid; /* SID of pkey */
171 };
172
173 struct bpf_security_struct {
174 u32 sid; /* SID of bpf obj creator */
175 u32 perms; /* permissions for allowed bpf token commands */
176 u32 grantor_sid; /* SID of token grantor */
177 };
178
179 struct perf_event_security_struct {
180 u32 sid; /* SID of perf_event obj creator */
181 };
182
183 extern struct lsm_blob_sizes selinux_blob_sizes;
selinux_cred(const struct cred * cred)184 static inline struct cred_security_struct *selinux_cred(const struct cred *cred)
185 {
186 return cred->security + selinux_blob_sizes.lbs_cred;
187 }
188
189 static inline struct task_security_struct *
selinux_task(const struct task_struct * task)190 selinux_task(const struct task_struct *task)
191 {
192 return task->security + selinux_blob_sizes.lbs_task;
193 }
194
selinux_file(const struct file * file)195 static inline struct file_security_struct *selinux_file(const struct file *file)
196 {
197 return file->f_security + selinux_blob_sizes.lbs_file;
198 }
199
200 static inline struct backing_file_security_struct *
selinux_backing_file(const struct file * backing_file)201 selinux_backing_file(const struct file *backing_file)
202 {
203 void *blob = backing_file_security(backing_file);
204 return blob + selinux_blob_sizes.lbs_backing_file;
205 }
206
207 static inline struct inode_security_struct *
selinux_inode(const struct inode * inode)208 selinux_inode(const struct inode *inode)
209 {
210 if (unlikely(!inode->i_security))
211 return NULL;
212 return inode->i_security + selinux_blob_sizes.lbs_inode;
213 }
214
215 static inline struct msg_security_struct *
selinux_msg_msg(const struct msg_msg * msg_msg)216 selinux_msg_msg(const struct msg_msg *msg_msg)
217 {
218 return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
219 }
220
221 static inline struct ipc_security_struct *
selinux_ipc(const struct kern_ipc_perm * ipc)222 selinux_ipc(const struct kern_ipc_perm *ipc)
223 {
224 return ipc->security + selinux_blob_sizes.lbs_ipc;
225 }
226
227 /*
228 * get the subjective security ID of the current task
229 */
current_sid(void)230 static inline u32 current_sid(void)
231 {
232 const struct cred_security_struct *crsec = selinux_cred(current_cred());
233
234 return crsec->sid;
235 }
236
237 static inline struct superblock_security_struct *
selinux_superblock(const struct super_block * superblock)238 selinux_superblock(const struct super_block *superblock)
239 {
240 return superblock->s_security + selinux_blob_sizes.lbs_superblock;
241 }
242
243 #ifdef CONFIG_KEYS
selinux_key(const struct key * key)244 static inline struct key_security_struct *selinux_key(const struct key *key)
245 {
246 return key->security + selinux_blob_sizes.lbs_key;
247 }
248 #endif /* CONFIG_KEYS */
249
selinux_sock(const struct sock * sock)250 static inline struct sk_security_struct *selinux_sock(const struct sock *sock)
251 {
252 return sock->sk_security + selinux_blob_sizes.lbs_sock;
253 }
254
selinux_tun_dev(void * security)255 static inline struct tun_security_struct *selinux_tun_dev(void *security)
256 {
257 return security + selinux_blob_sizes.lbs_tun_dev;
258 }
259
selinux_ib(void * ib_sec)260 static inline struct ib_security_struct *selinux_ib(void *ib_sec)
261 {
262 return ib_sec + selinux_blob_sizes.lbs_ib;
263 }
264
265 static inline struct perf_event_security_struct *
selinux_perf_event(void * perf_event)266 selinux_perf_event(void *perf_event)
267 {
268 return perf_event + selinux_blob_sizes.lbs_perf_event;
269 }
270
271 #ifdef CONFIG_BPF_SYSCALL
272 static inline struct bpf_security_struct *
selinux_bpf_map_security(struct bpf_map * map)273 selinux_bpf_map_security(struct bpf_map *map)
274 {
275 return map->security + selinux_blob_sizes.lbs_bpf_map;
276 }
277
278 static inline struct bpf_security_struct *
selinux_bpf_prog_security(struct bpf_prog * prog)279 selinux_bpf_prog_security(struct bpf_prog *prog)
280 {
281 return prog->aux->security + selinux_blob_sizes.lbs_bpf_prog;
282 }
283
284 static inline struct bpf_security_struct *
selinux_bpf_token_security(struct bpf_token * token)285 selinux_bpf_token_security(struct bpf_token *token)
286 {
287 return token->security + selinux_blob_sizes.lbs_bpf_token;
288 }
289 #endif /* CONFIG_BPF_SYSCALL */
290 #endif /* _SELINUX_OBJSEC_H_ */
291