/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Landlock LSM - Filesystem management and hooks
 *
 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2018-2020 ANSSI
 */

#ifndef _SECURITY_LANDLOCK_FS_H
#define _SECURITY_LANDLOCK_FS_H

#include <linux/fs.h>
#include <linux/init.h>
#include <linux/rcupdate.h>

#include "access.h"
#include "ruleset.h"
#include "setup.h"

/**
 * struct landlock_inode_security - Inode security blob
 *
 * Makes it possible to reference a &struct landlock_object tied to an inode
 * (i.e. underlying object).
 */
struct landlock_inode_security {
	/**
	 * @object: Weak pointer to an allocated object.
	 *
	 * Locking rules:
	 * - Every assignment of a new object is protected by the underlying
	 *   inode->i_lock.
	 * - Atomically disassociating @object from the inode is only
	 *   protected by @object->lock, from the time @object's usage
	 *   refcount drops to zero to the time this pointer is nulled out
	 *   (cf. release_inode() and hook_sb_delete()).
	 *
	 * The disassociation does not need inode->i_lock thanks to the
	 * careful rcu_access_pointer() check performed by
	 * get_inode_object().
	 */
	struct landlock_object __rcu *object;
};

/**
 * struct landlock_file_security - File security blob
 *
 * Filled in by hook_file_open when a file is opened.  It records the relevant
 * Landlock access rights that were available at that moment; other LSM hooks
 * rely on these recorded rights to authorize operations on files that are
 * already open.
 */
struct landlock_file_security {
	/**
	 * @allowed_access: Access rights that were available when the file
	 * was opened.  This is not necessarily the full set of rights
	 * available at that time, only the subset needed to authorize later
	 * operations on the open file.
	 */
	access_mask_t allowed_access;
	/**
	 * @fown_domain: Domain of the task that set the PID that may receive
	 * a signal, e.g. SIGURG when writing MSG_OOB to the related socket.
	 * This pointer is protected by the related file->f_owner->lock, as
	 * for fown_struct's members: pid, uid, and euid.
	 */
	struct landlock_ruleset *fown_domain;
};

/**
 * struct landlock_superblock_security - Superblock security blob
 *
 * Lets hook_sb_delete() wait for concurrent calls to release_inode().
 */
struct landlock_superblock_security {
	/**
	 * @inode_refs: Number of pending inodes (from this superblock) that
	 * are being released by release_inode().
	 * Cf. struct super_block->s_fsnotify_inode_refs .
	 */
	atomic_long_t inode_refs;
};

/**
 * landlock_file - Get Landlock's part of a file's security blob
 *
 * @file: File whose f_security blob is looked up.
 *
 * Returns the address at offset landlock_blob_sizes.lbs_file from
 * file->f_security.  No NULL check is done here, and the returned pointer is
 * writable even though @file is const-qualified: callers must only pass a
 * file whose security blob is set up, and must follow the locking rules
 * documented on &struct landlock_file_security.
 */
static inline struct landlock_file_security *
landlock_file(const struct file *const file)
{
	void *const blob = file->f_security;

	return blob + landlock_blob_sizes.lbs_file;
}

/**
 * landlock_inode - Get Landlock's part of an inode's security blob
 *
 * @inode: Inode whose i_security blob is looked up.
 *
 * Returns the address at offset landlock_blob_sizes.lbs_inode from
 * inode->i_security.  No NULL check is done here, and the returned pointer is
 * writable even though @inode is const-qualified: see the locking rules
 * documented on &struct landlock_inode_security before touching @object.
 */
static inline struct landlock_inode_security *
landlock_inode(const struct inode *const inode)
{
	void *const blob = inode->i_security;

	return blob + landlock_blob_sizes.lbs_inode;
}

/**
 * landlock_superblock - Get Landlock's part of a superblock's security blob
 *
 * @superblock: Superblock whose s_security blob is looked up.
 *
 * Returns the address at offset landlock_blob_sizes.lbs_superblock from
 * superblock->s_security.  No NULL check is done here, and the returned
 * pointer is writable even though @superblock is const-qualified.
 */
static inline struct landlock_superblock_security *
landlock_superblock(const struct super_block *const superblock)
{
	void *const blob = superblock->s_security;

	return blob + landlock_blob_sizes.lbs_superblock;
}

/* Declared __init; the definition is outside this header. */
__init void landlock_add_fs_hooks(void);

/*
 * NOTE(review): the meaning of the int return value and of @access_hierarchy
 * is not visible in this header; check the definition before relying on it.
 */
int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
			    const struct path *const path,
			    access_mask_t access_hierarchy);

#endif /* _SECURITY_LANDLOCK_FS_H */