Commit | Line | Data |
---|---|---|
cb2c7d1a MS |
1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
2 | /* | |
3 | * Landlock LSM - Filesystem management and hooks | |
4 | * | |
5 | * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> | |
6 | * Copyright © 2018-2020 ANSSI | |
7 | */ | |
8 | ||
9 | #ifndef _SECURITY_LANDLOCK_FS_H | |
10 | #define _SECURITY_LANDLOCK_FS_H | |
11 | ||
12 | #include <linux/fs.h> | |
13 | #include <linux/init.h> | |
14 | #include <linux/rcupdate.h> | |
15 | ||
16 | #include "ruleset.h" | |
17 | #include "setup.h" | |
18 | ||
/**
 * struct landlock_inode_security - Inode security blob
 *
 * Makes it possible to reference a &struct landlock_object tied to an inode
 * (i.e. the underlying object).
 */
struct landlock_inode_security {
	/**
	 * @object: Weak pointer to an allocated object.  All assignments of a
	 * new object are protected by the underlying inode->i_lock.  However,
	 * atomically disassociating @object from the inode is only protected
	 * by @object->lock, from the time @object's usage refcount drops to
	 * zero to the time this pointer is nulled out (cf. release_inode() and
	 * hook_sb_delete()).  Indeed, such disassociation doesn't require
	 * inode->i_lock thanks to the careful rcu_access_pointer() check
	 * performed by get_inode_object().
	 *
	 * The field is annotated __rcu, so it is meant to be read and written
	 * through the RCU accessors (rcu_access_pointer(), rcu_dereference*(),
	 * rcu_assign_pointer()) rather than by plain loads and stores.
	 * NOTE(review): because the pointer is weak, a reader presumably has
	 * to take its own usage reference before relying on the object after
	 * the RCU read-side section ends - confirm in get_inode_object().
	 */
	struct landlock_object __rcu *object;
};
38 | ||
b9f5ce27 GN |
/**
 * struct landlock_file_security - File security blob
 *
 * This information is populated when opening a file in hook_file_open(), and
 * tracks the relevant Landlock access rights that were available at the time
 * of opening the file.  Other LSM hooks use these rights in order to authorize
 * operations on already opened files.
 */
struct landlock_file_security {
	/**
	 * @allowed_access: Access rights that were available at the time of
	 * opening the file.  This is not necessarily the full set of access
	 * rights available at that time, but it's the necessary subset as
	 * needed to authorize later operations on the open file.
	 *
	 * The value is a snapshot taken at open time: a hook that consults it
	 * authorizes against what was allowed when the file was opened.
	 * NOTE(review): presumably it is not refreshed if the opener's
	 * restrictions change afterwards, nor when the open file is handed to
	 * another task - confirm in hook_file_open() and in the hooks that
	 * read this field.
	 */
	access_mask_t allowed_access;
};
56 | ||
cb2c7d1a MS |
/**
 * struct landlock_superblock_security - Superblock security blob
 *
 * Enables hook_sb_delete() to wait for concurrent calls to release_inode().
 */
struct landlock_superblock_security {
	/**
	 * @inode_refs: Number of pending inodes (from this superblock) that
	 * are being released by release_inode().
	 * Cf. struct super_block->s_fsnotify_inode_refs .
	 *
	 * Declared as atomic_long_t, so it is meant to be updated with the
	 * atomic_long_*() helpers.
	 * NOTE(review): hook_sb_delete() presumably waits for this counter to
	 * reach zero before the superblock goes away - confirm in its
	 * definition.
	 */
	atomic_long_t inode_refs;
};
70 | ||
b9f5ce27 GN |
/**
 * landlock_file - Get the Landlock part of a file's security blob
 * @file: File whose security blob is looked up.
 *
 * Adds landlock_blob_sizes.lbs_file to @file->f_security.  No NULL or bounds
 * check is done here, so the result is only meaningful if the blob has
 * already been allocated with room for Landlock's data at that offset.
 * NOTE(review): lbs_file is presumably the byte offset reserved for Landlock
 * inside the blob shared between LSMs, and f_security presumably a void
 * pointer (byte-granular arithmetic) - confirm where landlock_blob_sizes is
 * defined (setup.h is included above).
 *
 * Return: Pointer to the &struct landlock_file_security of @file.
 */
static inline struct landlock_file_security *
landlock_file(const struct file *const file)
{
	void *const lsm_blob = file->f_security;

	return lsm_blob + landlock_blob_sizes.lbs_file;
}
76 | ||
06a1c40a MS |
/**
 * landlock_inode - Get the Landlock part of an inode's security blob
 * @inode: Inode whose security blob is looked up.
 *
 * Adds landlock_blob_sizes.lbs_inode to @inode->i_security.  No NULL or bounds
 * check is done here, so the result is only meaningful if the blob has
 * already been allocated with room for Landlock's data at that offset.
 * NOTE(review): lbs_inode is presumably the byte offset reserved for Landlock
 * inside the blob shared between LSMs, and i_security presumably a void
 * pointer (byte-granular arithmetic) - confirm where landlock_blob_sizes is
 * defined (setup.h is included above).
 *
 * Return: Pointer to the &struct landlock_inode_security of @inode.
 */
static inline struct landlock_inode_security *
landlock_inode(const struct inode *const inode)
{
	void *const lsm_blob = inode->i_security;

	return lsm_blob + landlock_blob_sizes.lbs_inode;
}
82 | ||
06a1c40a MS |
/**
 * landlock_superblock - Get the Landlock part of a superblock's security blob
 * @superblock: Superblock whose security blob is looked up.
 *
 * Adds landlock_blob_sizes.lbs_superblock to @superblock->s_security.  No NULL
 * or bounds check is done here, so the result is only meaningful if the blob
 * has already been allocated with room for Landlock's data at that offset.
 * NOTE(review): lbs_superblock is presumably the byte offset reserved for
 * Landlock inside the blob shared between LSMs, and s_security presumably a
 * void pointer (byte-granular arithmetic) - confirm where landlock_blob_sizes
 * is defined (setup.h is included above).
 *
 * Return: Pointer to the &struct landlock_superblock_security of @superblock.
 */
static inline struct landlock_superblock_security *
landlock_superblock(const struct super_block *const superblock)
{
	void *const lsm_blob = superblock->s_security;

	return lsm_blob + landlock_blob_sizes.lbs_superblock;
}
88 | ||
/*
 * NOTE(review): defined outside this header.  Going by the name, the __init
 * marker and this file's title ("Filesystem management and hooks"), this
 * presumably registers Landlock's filesystem hooks during initialization -
 * confirm against the definition.
 */
__init void landlock_add_fs_hooks(void);

/*
 * NOTE(review): defined outside this header.  Presumably appends to @ruleset
 * a rule that ties the access rights in @access_hierarchy to the file
 * hierarchy identified by @path, and reports failure through the int return
 * value - confirm against the definition, including whether
 * @access_hierarchy is validated there or must be checked by the caller.
 */
int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
			    const struct path *const path,
			    access_mask_t access_hierarchy);
cb2c7d1a MS |
94 | |
95 | #endif /* _SECURITY_LANDLOCK_FS_H */ |