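/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Security-Enhanced Linux (SELinux) security module
 *
 * This file contains the SELinux security data structures for kernel objects.
 *
 * Author(s):  Stephen Smalley, <sds@tycho.nsa.gov>
 *             Chris Vance, <cvance@nai.com>
 *             Wayne Salamon, <wsalamon@nai.com>
 *             James Morris <jmorris@redhat.com>
 *
 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
 * Copyright (C) 2016 Mellanox Technologies
 */
#ifndef _SELINUX_OBJSEC_H_
#define _SELINUX_OBJSEC_H_

#include <linux/list.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
#include <linux/lsm_hooks.h>
#include <linux/msg.h>
#include <net/net_namespace.h>
#include "flask.h"
#include "avc.h"

/*
 * Per-credential (task) security state.  The *create_sid fields are the
 * caller-requested labels for objects the task creates next; a value of
 * SECSID_NULL presumably means "no override, use the computed default"
 * (the consumers live in hooks.c, not shown here).
 *
 * Marked __randomize_layout so field order is shuffled when the kernel is
 * built with structure layout randomization.
 */
struct task_security_struct {
	u32 osid;		/* SID prior to last execve */
	u32 sid;		/* current SID */
	u32 exec_sid;		/* exec SID */
	u32 create_sid;		/* fscreate SID */
	u32 keycreate_sid;	/* keycreate SID */
	u32 sockcreate_sid;	/* sockcreate SID (was mislabeled "fscreate") */
} __randomize_layout;

/* Inode labeling state, stored in inode_security_struct.initialized. */
enum label_initialized {
	LABEL_INVALID,		/* invalid or not initialized */
	LABEL_INITIALIZED,	/* initialized */
	LABEL_PENDING		/* in the middle of being initialized */
};

/*
 * Per-inode security state.  The @initialized field holds an
 * enum label_initialized value; @lock serializes transitions of that
 * field and of @sid (see the inode revalidation paths in hooks.c).
 */
struct inode_security_struct {
	struct inode *inode;	/* back pointer to inode object */
	struct list_head list;	/* list of inode_security_struct */
	u32 task_sid;		/* SID of creating task */
	u32 sid;		/* SID of this object */
	u16 sclass;		/* security class of this object */
	unsigned char initialized;	/* initialization flag (enum label_initialized) */
	spinlock_t lock;
};

/*
 * Per-open-file security state.  @isid and @pseqno snapshot the inode SID
 * and policy sequence number at open time; NOTE(review): they appear to be
 * there so a later access can detect an inode relabel or policy reload
 * since the open and re-check permissions — confirm against the
 * file-permission hook in hooks.c.
 */
struct file_security_struct {
	u32 sid;		/* SID of open file description */
	u32 fown_sid;		/* SID of file owner (for SIGIO) */
	u32 isid;		/* SID of inode at the time of file open */
	u32 pseqno;		/* Policy seqno at the time of file open */
};

/*
 * Per-superblock security state: how files on this filesystem get their
 * labels (@behavior), which mount-time labeling options were given
 * (@flags), and the fallback SIDs those behaviors use.
 */
struct superblock_security_struct {
	u32 sid;		/* SID of file system superblock */
	u32 def_sid;		/* default SID for labeling */
	u32 mntpoint_sid;	/* SECURITY_FS_USE_MNTPOINT context for files */
	unsigned short behavior;	/* labeling behavior */
	unsigned short flags;	/* which mount options were specified */
	struct mutex lock;
	struct list_head isec_head;	/* inodes whose isec is not yet fully initialized */
	spinlock_t isec_lock;		/* protects isec_head */
};

/* Label of a single System V / POSIX message. */
struct msg_security_struct {
	u32 sid;		/* SID of message */
};

/* Label and class of a System V IPC object (msgq, sem, shm). */
struct ipc_security_struct {
	u16 sclass;		/* security class of this object */
	u32 sid;		/* SID of IPC resource */
};

/* Label of a network interface, keyed by (namespace, ifindex). */
struct netif_security_struct {
	struct net *ns;		/* network namespace */
	int ifindex;		/* device index */
	u32 sid;		/* SID for this interface */
};

/* Label of a network node (host address); @family selects the union arm. */
struct netnode_security_struct {
	union {
		__be32 ipv4;		/* IPv4 node address */
		struct in6_addr ipv6;	/* IPv6 node address */
	} addr;
	u32 sid;		/* SID for this node */
	u16 family;		/* address family */
};

/* Label of a (protocol, port) pair. */
struct netport_security_struct {
	u32 sid;		/* SID for this port (was mislabeled "node") */
	u16 port;		/* port number */
	u8 protocol;		/* transport protocol */
};

/*
 * Per-socket security state.  The NetLabel portion exists only when the
 * kernel is built with CONFIG_NETLABEL.
 */
struct sk_security_struct {
#ifdef CONFIG_NETLABEL
	enum {				/* NetLabel state */
		NLBL_UNSET = 0,
		NLBL_REQUIRE,
		NLBL_LABELED,
		NLBL_REQSKB,
		NLBL_CONNLABELED,
	} nlbl_state;
	struct netlbl_lsm_secattr *nlbl_secattr;	/* NetLabel sec attributes */
#endif
	u32 sid;		/* SID of this object */
	u32 peer_sid;		/* SID of peer */
	u16 sclass;		/* sock security class */
	enum {				/* SCTP association state */
		SCTP_ASSOC_UNSET = 0,
		SCTP_ASSOC_SET,
	} sctp_assoc_state;
};

/* Label applied to sockets created for a TUN/TAP device. */
struct tun_security_struct {
	u32 sid;		/* SID for the tun device sockets */
};

/* Label of a kernel key. */
struct key_security_struct {
	u32 sid;		/* SID of key */
};

/* Label of an InfiniBand queue pair or MAD agent. */
struct ib_security_struct {
	u32 sid;		/* SID of the queue pair or MAD agent */
};

/* Label of an InfiniBand partition key, keyed by (subnet prefix, pkey). */
struct pkey_security_struct {
	u64 subnet_prefix;	/* Port subnet prefix */
	u16 pkey;		/* PKey number */
	u32 sid;		/* SID of pkey */
};

/* Label of a BPF map or program, taken from its creator. */
struct bpf_security_struct {
	u32 sid;		/* SID of bpf obj creator */
};

/* Label of a perf_event, taken from its creator. */
struct perf_event_security_struct {
	u32 sid;		/* SID of perf_event obj creator */
};

/*
 * Sizes/offsets of SELinux's portion of each shared LSM security blob.
 * The accessors below add the per-object offset to the blob pointer; apart
 * from selinux_inode() they do not check for a NULL blob, so they must only
 * be called on objects whose blob has already been allocated.
 */
extern struct lsm_blob_sizes selinux_blob_sizes;

/* Return SELinux's task_security_struct inside @cred's security blob. */
static inline struct task_security_struct *selinux_cred(const struct cred *cred)
{
	return cred->security + selinux_blob_sizes.lbs_cred;
}

/* Return SELinux's file_security_struct inside @file's security blob. */
static inline struct file_security_struct *selinux_file(const struct file *file)
{
	return file->f_security + selinux_blob_sizes.lbs_file;
}

/*
 * Return SELinux's inode_security_struct inside @inode's security blob, or
 * NULL if the inode has no blob yet.  Callers must handle the NULL case.
 */
static inline struct inode_security_struct *selinux_inode(
						const struct inode *inode)
{
	if (unlikely(!inode->i_security))
		return NULL;
	return inode->i_security + selinux_blob_sizes.lbs_inode;
}

/* Return SELinux's msg_security_struct inside @msg_msg's security blob. */
static inline struct msg_security_struct *selinux_msg_msg(
						const struct msg_msg *msg_msg)
{
	return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
}

/* Return SELinux's ipc_security_struct inside @ipc's security blob. */
static inline struct ipc_security_struct *selinux_ipc(
						const struct kern_ipc_perm *ipc)
{
	return ipc->security + selinux_blob_sizes.lbs_ipc;
}

/*
 * get the subjective security ID of the current task
 *
 * Reads the SID from current_cred(), i.e. the credentials the task is
 * acting with right now (not its objective/real_cred identity).
 */
static inline u32 current_sid(void)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());

	return tsec->sid;
}

/* Return SELinux's superblock_security_struct inside @superblock's blob. */
static inline struct superblock_security_struct *selinux_superblock(
					const struct super_block *superblock)
{
	return superblock->s_security + selinux_blob_sizes.lbs_superblock;
}

#endif /* _SELINUX_OBJSEC_H_ */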