1 // SPDX-License-Identifier: GPL-2.0 2 3 // Copyright (C) 2024 Google LLC. 4 5 //! Linux Security Modules (LSM). 6 //! 7 //! C header: [`include/linux/security.h`](srctree/include/linux/security.h). 8 9 use crate::{ 10 bindings, 11 cred::Credential, 12 error::{to_result, Result}, 13 fs::File, 14 }; 15 16 /// Calls the security modules to determine if the given task can become the manager of a binder 17 /// context. 18 #[inline] 19 pub fn binder_set_context_mgr(mgr: &Credential) -> Result { 20 // SAFETY: `mrg.0` is valid because the shared reference guarantees a nonzero refcount. 21 to_result(unsafe { bindings::security_binder_set_context_mgr(mgr.as_ptr()) }) 22 } 23 24 /// Calls the security modules to determine if binder transactions are allowed from task `from` to 25 /// task `to`. 26 #[inline] 27 pub fn binder_transaction(from: &Credential, to: &Credential) -> Result { 28 // SAFETY: `from` and `to` are valid because the shared references guarantee nonzero refcounts. 29 to_result(unsafe { bindings::security_binder_transaction(from.as_ptr(), to.as_ptr()) }) 30 } 31 32 /// Calls the security modules to determine if task `from` is allowed to send binder objects 33 /// (owned by itself or other processes) to task `to` through a binder transaction. 34 #[inline] 35 pub fn binder_transfer_binder(from: &Credential, to: &Credential) -> Result { 36 // SAFETY: `from` and `to` are valid because the shared references guarantee nonzero refcounts. 37 to_result(unsafe { bindings::security_binder_transfer_binder(from.as_ptr(), to.as_ptr()) }) 38 } 39 40 /// Calls the security modules to determine if task `from` is allowed to send the given file to 41 /// task `to` (which would get its own file descriptor) through a binder transaction. 42 #[inline] 43 pub fn binder_transfer_file(from: &Credential, to: &Credential, file: &File) -> Result { 44 // SAFETY: `from`, `to` and `file` are valid because the shared references guarantee nonzero 45 // refcounts. 46 to_result(unsafe { 47 bindings::security_binder_transfer_file(from.as_ptr(), to.as_ptr(), file.as_ptr()) 48 }) 49 } 50 51 /// A security context string. 52 /// 53 /// # Invariants 54 /// 55 /// The `ctx` field corresponds to a valid security context as returned by a successful call to 56 /// `security_secid_to_secctx`, that has not yet been released by `security_release_secctx`. 57 pub struct SecurityCtx { 58 ctx: bindings::lsm_context, 59 } 60 61 impl SecurityCtx { 62 /// Get the security context given its id. 63 #[inline] 64 pub fn from_secid(secid: u32) -> Result<Self> { 65 // SAFETY: `struct lsm_context` can be initialized to all zeros. 66 let mut ctx: bindings::lsm_context = unsafe { core::mem::zeroed() }; 67 68 // SAFETY: Just a C FFI call. The pointer is valid for writes. 69 to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut ctx) })?; 70 71 // INVARIANT: If the above call did not fail, then we have a valid security context. 72 Ok(Self { ctx }) 73 } 74 75 /// Returns whether the security context is empty. 76 #[inline] 77 pub fn is_empty(&self) -> bool { 78 self.ctx.len == 0 79 } 80 81 /// Returns the length of this security context. 82 #[inline] 83 pub fn len(&self) -> usize { 84 self.ctx.len as usize 85 } 86 87 /// Returns the bytes for this security context. 88 #[inline] 89 pub fn as_bytes(&self) -> &[u8] { 90 let ptr = self.ctx.context; 91 if ptr.is_null() { 92 debug_assert_eq!(self.len(), 0); 93 // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero. 94 return &[]; 95 } 96 97 // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for 98 // `self.len()` bytes. Furthermore, if the length is zero, then we have ensured that the 99 // pointer is not null. 100 unsafe { core::slice::from_raw_parts(ptr.cast(), self.len()) } 101 } 102 } 103 104 impl Drop for SecurityCtx { 105 #[inline] 106 fn drop(&mut self) { 107 // SAFETY: By the invariant of `Self`, this releases an lsm context that came from a 108 // successful call to `security_secid_to_secctx` and has not yet been released. 109 unsafe { bindings::security_release_secctx(&mut self.ctx) }; 110 } 111 } 112