xref: /linux/rust/kernel/security.rs (revision 5bb6ba448fe3598a7668838942db1f008beb581b) 
1 // SPDX-License-Identifier: GPL-2.0
2 
3 // Copyright (C) 2024 Google LLC.
4 
5 //! Linux Security Modules (LSM).
6 //!
7 //! C header: [`include/linux/security.h`](srctree/include/linux/security.h).
8 
9 use crate::{
10     bindings,
11     error::{to_result, Result},
12 };
13 
14 /// A security context string.
15 ///
16 /// # Invariants
17 ///
18 /// The `secdata` and `seclen` fields correspond to a valid security context as returned by a
19 /// successful call to `security_secid_to_secctx`, that has not yet been destroyed by calling
20 /// `security_release_secctx`.
21 pub struct SecurityCtx {
22     secdata: *mut core::ffi::c_char,
23     seclen: usize,
24 }
25 
26 impl SecurityCtx {
27     /// Get the security context given its id.
28     pub fn from_secid(secid: u32) -> Result<Self> {
29         let mut secdata = core::ptr::null_mut();
30         let mut seclen = 0u32;
31         // SAFETY: Just a C FFI call. The pointers are valid for writes.
32         to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut secdata, &mut seclen) })?;
33 
34         // INVARIANT: If the above call did not fail, then we have a valid security context.
35         Ok(Self {
36             secdata,
37             seclen: seclen as usize,
38         })
39     }
40 
41     /// Returns whether the security context is empty.
42     pub fn is_empty(&self) -> bool {
43         self.seclen == 0
44     }
45 
46     /// Returns the length of this security context.
47     pub fn len(&self) -> usize {
48         self.seclen
49     }
50 
51     /// Returns the bytes for this security context.
52     pub fn as_bytes(&self) -> &[u8] {
53         let ptr = self.secdata;
54         if ptr.is_null() {
55             debug_assert_eq!(self.seclen, 0);
56             // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
57             return &[];
58         }
59 
60         // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
61         // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
62         // pointer is not null.
63         unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
64     }
65 }
66 
67 impl Drop for SecurityCtx {
68     fn drop(&mut self) {
69         // SAFETY: By the invariant of `Self`, this frees a pointer that came from a successful
70         // call to `security_secid_to_secctx` and has not yet been destroyed by
71         // `security_release_secctx`.
72         unsafe { bindings::security_release_secctx(self.secdata, self.seclen as u32) };
73     }
74 }
75