92 lines
2.8 KiB
C
92 lines
2.8 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* Landlock LSM - Object management
|
|
*
|
|
* Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
|
|
* Copyright © 2018-2020 ANSSI
|
|
*/
|
|
|
|
#ifndef _SECURITY_LANDLOCK_OBJECT_H
|
|
#define _SECURITY_LANDLOCK_OBJECT_H
|
|
|
|
#include <linux/compiler_types.h>
|
|
#include <linux/refcount.h>
|
|
#include <linux/spinlock.h>
|
|
|
|
struct landlock_object;
|
|
|
|
/**
|
|
* struct landlock_object_underops - Operations on an underlying object
|
|
*/
|
|
struct landlock_object_underops {
|
|
/**
|
|
* @release: Releases the underlying object (e.g. iput() for an inode).
|
|
*/
|
|
void (*release)(struct landlock_object *const object)
|
|
__releases(object->lock);
|
|
};
|
|
|
|
/**
|
|
* struct landlock_object - Security blob tied to a kernel object
|
|
*
|
|
* The goal of this structure is to enable to tie a set of ephemeral access
|
|
* rights (pertaining to different domains) to a kernel object (e.g an inode)
|
|
* in a safe way. This implies to handle concurrent use and modification.
|
|
*
|
|
* The lifetime of a &struct landlock_object depends on the rules referring to
|
|
* it.
|
|
*/
|
|
struct landlock_object {
|
|
/**
|
|
* @usage: This counter is used to tie an object to the rules matching
|
|
* it or to keep it alive while adding a new rule. If this counter
|
|
* reaches zero, this struct must not be modified, but this counter can
|
|
* still be read from within an RCU read-side critical section. When
|
|
* adding a new rule to an object with a usage counter of zero, we must
|
|
* wait until the pointer to this object is set to NULL (or recycled).
|
|
*/
|
|
refcount_t usage;
|
|
/**
|
|
* @lock: Protects against concurrent modifications. This lock must be
|
|
* held from the time @usage drops to zero until any weak references
|
|
* from @underobj to this object have been cleaned up.
|
|
*
|
|
* Lock ordering: inode->i_lock nests inside this.
|
|
*/
|
|
spinlock_t lock;
|
|
/**
|
|
* @underobj: Used when cleaning up an object and to mark an object as
|
|
* tied to its underlying kernel structure. This pointer is protected
|
|
* by @lock. Cf. landlock_release_inodes() and release_inode().
|
|
*/
|
|
void *underobj;
|
|
union {
|
|
/**
|
|
* @rcu_free: Enables lockless use of @usage, @lock and
|
|
* @underobj from within an RCU read-side critical section.
|
|
* @rcu_free and @underops are only used by
|
|
* landlock_put_object().
|
|
*/
|
|
struct rcu_head rcu_free;
|
|
/**
|
|
* @underops: Enables landlock_put_object() to release the
|
|
* underlying object (e.g. inode).
|
|
*/
|
|
const struct landlock_object_underops *underops;
|
|
};
|
|
};
|
|
|
|
struct landlock_object *landlock_create_object(
|
|
const struct landlock_object_underops *const underops,
|
|
void *const underobj);
|
|
|
|
void landlock_put_object(struct landlock_object *const object);
|
|
|
|
static inline void landlock_get_object(struct landlock_object *const object)
|
|
{
|
|
if (object)
|
|
refcount_inc(&object->usage);
|
|
}
|
|
|
|
#endif /* _SECURITY_LANDLOCK_OBJECT_H */
|