xref: /linux/rust/kernel/security.rs (revision 7362b5b493102c6b71827c2da22117b475528f6d) 
1 // SPDX-License-Identifier: GPL-2.0
2 
3 // Copyright (C) 2024 Google LLC.
4 
5 //! Linux Security Modules (LSM).
6 //!
7 //! C header: [`include/linux/security.h`](srctree/include/linux/security.h).
8 
9 use crate::{
10     bindings,
11     cred::Credential,
12     error::{to_result, Result},
13     fs::File,
14 };
15 
16 /// Calls the security modules to determine if the given task can become the manager of a binder
17 /// context.
18 #[inline]
binder_set_context_mgr(mgr: &Credential) -> Result19 pub fn binder_set_context_mgr(mgr: &Credential) -> Result {
20     // SAFETY: `mrg.0` is valid because the shared reference guarantees a nonzero refcount.
21     to_result(unsafe { bindings::security_binder_set_context_mgr(mgr.as_ptr()) })
22 }
23 
24 /// Calls the security modules to determine if binder transactions are allowed from task `from` to
25 /// task `to`.
26 #[inline]
binder_transaction(from: &Credential, to: &Credential) -> Result27 pub fn binder_transaction(from: &Credential, to: &Credential) -> Result {
28     // SAFETY: `from` and `to` are valid because the shared references guarantee nonzero refcounts.
29     to_result(unsafe { bindings::security_binder_transaction(from.as_ptr(), to.as_ptr()) })
30 }
31 
32 /// Calls the security modules to determine if task `from` is allowed to send binder objects
33 /// (owned by itself or other processes) to task `to` through a binder transaction.
34 #[inline]
binder_transfer_binder(from: &Credential, to: &Credential) -> Result35 pub fn binder_transfer_binder(from: &Credential, to: &Credential) -> Result {
36     // SAFETY: `from` and `to` are valid because the shared references guarantee nonzero refcounts.
37     to_result(unsafe { bindings::security_binder_transfer_binder(from.as_ptr(), to.as_ptr()) })
38 }
39 
40 /// Calls the security modules to determine if task `from` is allowed to send the given file to
41 /// task `to` (which would get its own file descriptor) through a binder transaction.
42 #[inline]
binder_transfer_file(from: &Credential, to: &Credential, file: &File) -> Result43 pub fn binder_transfer_file(from: &Credential, to: &Credential, file: &File) -> Result {
44     // SAFETY: `from`, `to` and `file` are valid because the shared references guarantee nonzero
45     // refcounts.
46     to_result(unsafe {
47         bindings::security_binder_transfer_file(from.as_ptr(), to.as_ptr(), file.as_ptr())
48     })
49 }
50 
51 /// A security context string.
52 ///
53 /// # Invariants
54 ///
55 /// The `ctx` field corresponds to a valid security context as returned by a successful call to
56 /// `security_secid_to_secctx`, that has not yet been released by `security_release_secctx`.
57 pub struct SecurityCtx {
58     ctx: bindings::lsm_context,
59 }
60 
61 impl SecurityCtx {
62     /// Get the security context given its id.
63     #[inline]
from_secid(secid: u32) -> Result<Self>64     pub fn from_secid(secid: u32) -> Result<Self> {
65         // SAFETY: `struct lsm_context` can be initialized to all zeros.
66         let mut ctx: bindings::lsm_context = unsafe { core::mem::zeroed() };
67 
68         // SAFETY: Just a C FFI call. The pointer is valid for writes.
69         to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut ctx) })?;
70 
71         // INVARIANT: If the above call did not fail, then we have a valid security context.
72         Ok(Self { ctx })
73     }
74 
75     /// Returns whether the security context is empty.
76     #[inline]
is_empty(&self) -> bool77     pub fn is_empty(&self) -> bool {
78         self.ctx.len == 0
79     }
80 
81     /// Returns the length of this security context.
82     #[inline]
len(&self) -> usize83     pub fn len(&self) -> usize {
84         self.ctx.len as usize
85     }
86 
87     /// Returns the bytes for this security context.
88     #[inline]
as_bytes(&self) -> &[u8]89     pub fn as_bytes(&self) -> &[u8] {
90         let ptr = self.ctx.context;
91         if ptr.is_null() {
92             debug_assert_eq!(self.len(), 0);
93             // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
94             return &[];
95         }
96 
97         // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
98         // `self.len()` bytes. Furthermore, if the length is zero, then we have ensured that the
99         // pointer is not null.
100         unsafe { core::slice::from_raw_parts(ptr.cast(), self.len()) }
101     }
102 }
103 
104 impl Drop for SecurityCtx {
105     #[inline]
drop(&mut self)106     fn drop(&mut self) {
107         // SAFETY: By the invariant of `Self`, this releases an lsm context that came from a
108         // successful call to `security_secid_to_secctx` and has not yet been released.
109         unsafe { bindings::security_release_secctx(&mut self.ctx) };
110     }
111 }
112