1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  *  Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux security data structures for kernel objects.
6  *
7  *  Author(s):  Stephen Smalley, <stephen.smalley.work@gmail.com>
8  *		Chris Vance, <cvance@nai.com>
9  *		Wayne Salamon, <wsalamon@nai.com>
10  *		James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *  Copyright (C) 2016 Mellanox Technologies
15  */
16 
17 #ifndef _SELINUX_OBJSEC_H_
18 #define _SELINUX_OBJSEC_H_
19 
20 #include <linux/list.h>
21 #include <linux/sched.h>
22 #include <linux/fs.h>
23 #include <linux/binfmts.h>
24 #include <linux/in.h>
25 #include <linux/spinlock.h>
26 #include <linux/lsm_hooks.h>
27 #include <linux/msg.h>
28 #include <net/net_namespace.h>
29 #include "flask.h"
30 #include "avc.h"
31 
/*
 * One cached access vector decision for a directory, keyed by the
 * directory inode's SID.  Entries live in task_security_struct.avdcache.
 * NOTE(review): a cached decision is presumably only trustworthy while
 * the owning cache's sid/seqno still match the task's current SID and the
 * AVC sequence number -- confirm that the consumers check both before
 * honouring a hit.
 */
struct avdc_entry {
	u32 isid; /* inode SID */
	u32 allowed; /* allowed permission bitmask */
	u32 audited; /* audited permission bitmask */
	bool permissive; /* AVC permissive flag */
};
38 
/*
 * Per-credential SELinux state, reached through selinux_cred().  Carries
 * the subject SIDs (current and pre-execve), the transition/creation SIDs
 * a task may have requested for objects it creates, and a small cache of
 * directory access decisions.
 *
 * __randomize_layout: field order may be shuffled at build time when
 * struct layout randomization is enabled, so nothing may depend on the
 * offsets of these members.
 */
struct task_security_struct {
	u32 osid; /* SID prior to last execve */
	u32 sid; /* current SID */
	u32 exec_sid; /* exec SID */
	u32 create_sid; /* fscreate SID */
	u32 keycreate_sid; /* keycreate SID */
	u32 sockcreate_sid; /* sockcreate SID */
#define TSEC_AVDC_DIR_SIZE (1 << 2)
	/*
	 * Directory decision cache.  sid/seqno record the task SID and AVC
	 * sequence number the entries were computed under; entries are
	 * presumably discarded when either changes (SID transition or
	 * policy reload) -- confirm in the cache users.
	 */
	struct {
		u32 sid; /* current SID for cached entries */
		u32 seqno; /* AVC sequence number */
		unsigned int dir_spot; /* dir cache index to check first */
		struct avdc_entry dir[TSEC_AVDC_DIR_SIZE]; /* dir entries */
	} avdcache;
} __randomize_layout;
54 
/*
 * Labeling state of an inode, presumably held in
 * inode_security_struct.initialized.  LABEL_PENDING looks like the
 * deferred case: the inode was seen before its label could be
 * determined and must be (re)initialized by a later lookup -- confirm
 * against the inode labeling code.
 */
enum label_initialized {
	LABEL_INVALID, /* invalid or not initialized */
	LABEL_INITIALIZED, /* initialized */
	LABEL_PENDING /* labeling deferred; see above */
};
60 
/*
 * Per-inode SELinux label, reached through selinux_inode().  `list`
 * appears to chain these onto superblock_security_struct.isec_head
 * (guarded by isec_lock) -- verify against the superblock code.
 * NOTE(review): sid/sclass should be treated as unstable until
 * `initialized` reports LABEL_INITIALIZED; `lock` is assumed to serialize
 * the (re)initialization of the label fields.
 */
struct inode_security_struct {
	struct inode *inode; /* back pointer to inode object */
	struct list_head list; /* list of inode_security_struct */
	u32 task_sid; /* SID of creating task */
	u32 sid; /* SID of this object */
	u16 sclass; /* security class of this object */
	unsigned char initialized; /* initialization flag */
	spinlock_t lock;
};
70 
/*
 * Per-open-file-description SELinux state, reached through selinux_file().
 * isid and pseqno snapshot the inode label and the policy sequence number
 * at open time.  NOTE(review): these are presumably compared against the
 * current values so that a relabel or policy reload after open forces a
 * fresh permission check instead of trusting the open-time decision --
 * confirm in the file permission revalidation path.
 */
struct file_security_struct {
	u32 sid; /* SID of open file description */
	u32 fown_sid; /* SID of file owner (for SIGIO) */
	u32 isid; /* SID of inode at the time of file open */
	u32 pseqno; /* Policy seqno at the time of file open */
};
77 
/*
 * Per-superblock SELinux state, reached through selinux_superblock().
 * `behavior` selects how inodes on this filesystem are labeled and
 * `flags` records which SELinux mount options were supplied; def_sid and
 * mntpoint_sid are presumably the fallback labels used by some of those
 * behaviors.  isec_head/isec_lock hold a list of inode security structs
 * (apparently the ones whose labeling is deferred -- confirm); `lock` is
 * assumed to serialize superblock-level label changes.
 */
struct superblock_security_struct {
	u32 sid; /* SID of file system superblock */
	u32 def_sid; /* default SID for labeling */
	u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
	unsigned short behavior; /* labeling behavior */
	unsigned short flags; /* which mount options were specified */
	struct mutex lock;
	struct list_head isec_head;
	spinlock_t isec_lock;
};
88 
/* Label of a single System V IPC message, reached through selinux_msg_msg(). */
struct msg_security_struct {
	u32 sid; /* SID of message */
};
92 
/*
 * Label of a System V IPC object (kern_ipc_perm), reached through
 * selinux_ipc().  sclass distinguishes the kind of IPC resource.
 */
struct ipc_security_struct {
	u16 sclass; /* security class of this object */
	u32 sid; /* SID of IPC resource */
};
97 
/*
 * Label of a network interface.  ifindex is presumably only meaningful
 * together with ns, since interface indices are per network namespace.
 */
struct netif_security_struct {
	const struct net *ns; /* network namespace */
	int ifindex; /* device index */
	u32 sid; /* SID for this interface */
};
103 
/*
 * Label of a network node (host address).  `family` indicates which
 * member of the addr union is in use.
 */
struct netnode_security_struct {
	union {
		__be32 ipv4; /* IPv4 node address */
		struct in6_addr ipv6; /* IPv6 node address */
	} addr;
	u32 sid; /* SID for this node */
	u16 family; /* address family */
};
112 
/* Label of a transport-layer port, identified by (protocol, port). */
struct netport_security_struct {
	u32 sid; /* SID for this port */
	u16 port; /* port number */
	u8 protocol; /* transport protocol */
};
118 
/*
 * Per-socket SELinux state, reached through selinux_sock().  The NetLabel
 * members exist only under CONFIG_NETLABEL, so any code touching
 * nlbl_state or nlbl_secattr must sit under the same #ifdef.  peer_sid
 * is the label of the remote endpoint (presumably as learned from
 * labeled networking; unset otherwise -- confirm in the users).
 */
struct sk_security_struct {
#ifdef CONFIG_NETLABEL
	enum { /* NetLabel state */
	       NLBL_UNSET = 0,
	       NLBL_REQUIRE,
	       NLBL_LABELED,
	       NLBL_REQSKB,
	       NLBL_CONNLABELED,
	} nlbl_state;
	struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
#endif
	u32 sid; /* SID of this object */
	u32 peer_sid; /* SID of peer */
	u16 sclass; /* sock security class */
	enum { /* SCTP association state */
	       SCTP_ASSOC_UNSET = 0,
	       SCTP_ASSOC_SET,
	} sctp_assoc_state;
};
138 
/* Label attached to a TUN device, reached through selinux_tun_dev(). */
struct tun_security_struct {
	u32 sid; /* SID for the tun device sockets */
};
142 
/* Label of a kernel key, reached through selinux_key() (CONFIG_KEYS only). */
struct key_security_struct {
	u32 sid; /* SID of key */
};
146 
/* Label of an InfiniBand QP or MAD agent, reached through selinux_ib(). */
struct ib_security_struct {
	u32 sid; /* SID of the queue pair or MAD agent */
};
150 
/*
 * Label of an InfiniBand partition key, identified by the pair
 * (subnet_prefix, pkey).
 */
struct pkey_security_struct {
	u64 subnet_prefix; /* Port subnet prefix */
	u16 pkey; /* PKey number */
	u32 sid; /* SID of pkey */
};
156 
/* Label of a BPF object (map or program), taken from its creator. */
struct bpf_security_struct {
	u32 sid; /* SID of bpf obj creator */
};
160 
/* Label of a perf_event object, taken from its creator; see selinux_perf_event(). */
struct perf_event_security_struct {
	u32 sid; /* SID of perf_event obj creator */
};
164 
/*
 * Offsets of the SELinux portion within each LSM-managed security blob;
 * defined elsewhere in SELinux and consumed by the accessors below.
 */
extern struct lsm_blob_sizes selinux_blob_sizes;
/*
 * selinux_cred - locate SELinux's state inside a credential's security blob
 * @cred: credentials to look in
 *
 * cred->security is the blob handed out by the LSM framework (presumably
 * shared with other LSMs); selinux_blob_sizes.lbs_cred is SELinux's offset
 * into it.  The blob is assumed to be present -- no NULL check is made.
 */
static inline struct task_security_struct *selinux_cred(const struct cred *cred)
{
	void *blob = cred->security;

	return (struct task_security_struct *)(blob + selinux_blob_sizes.lbs_cred);
}
170 
/*
 * selinux_file - locate SELinux's state inside a file's security blob
 * @file: open file description to look in
 *
 * Returns the file_security_struct at SELinux's offset
 * (selinux_blob_sizes.lbs_file) within file->f_security.  The blob is
 * assumed to be present -- no NULL check is made.
 */
static inline struct file_security_struct *selinux_file(const struct file *file)
{
	void *blob = file->f_security;

	return (struct file_security_struct *)(blob + selinux_blob_sizes.lbs_file);
}
175 
/*
 * selinux_inode - locate SELinux's state inside an inode's security blob
 * @inode: inode to look in
 *
 * Unlike the other accessors in this file this one may return NULL:
 * inode->i_security can be absent, and in that case there is no label
 * to hand back.  Every caller must check the result before dereferencing.
 * Otherwise returns the inode_security_struct at
 * selinux_blob_sizes.lbs_inode within the blob.
 */
static inline struct inode_security_struct *
selinux_inode(const struct inode *inode)
{
	void *blob = inode->i_security;

	if (unlikely(!blob))
		return NULL;

	return (struct inode_security_struct *)(blob + selinux_blob_sizes.lbs_inode);
}
183 
/*
 * selinux_msg_msg - locate SELinux's state inside an IPC message's blob
 * @msg_msg: System V IPC message to look in
 *
 * Returns the msg_security_struct at selinux_blob_sizes.lbs_msg_msg
 * within msg_msg->security.  The blob is assumed to be present.
 */
static inline struct msg_security_struct *
selinux_msg_msg(const struct msg_msg *msg_msg)
{
	void *blob = msg_msg->security;

	return (struct msg_security_struct *)(blob + selinux_blob_sizes.lbs_msg_msg);
}
189 
/*
 * selinux_ipc - locate SELinux's state inside an IPC object's blob
 * @ipc: kern_ipc_perm of the System V IPC object to look in
 *
 * Returns the ipc_security_struct at selinux_blob_sizes.lbs_ipc within
 * ipc->security.  The blob is assumed to be present.
 */
static inline struct ipc_security_struct *
selinux_ipc(const struct kern_ipc_perm *ipc)
{
	void *blob = ipc->security;

	return (struct ipc_security_struct *)(blob + selinux_blob_sizes.lbs_ipc);
}
195 
196 /*
197  * get the subjective security ID of the current task
198  */
199 static inline u32 current_sid(void)
200 {
201 	const struct task_security_struct *tsec = selinux_cred(current_cred());
202 
203 	return tsec->sid;
204 }
205 
/*
 * selinux_superblock - locate SELinux's state inside a superblock's blob
 * @superblock: superblock to look in
 *
 * Returns the superblock_security_struct at
 * selinux_blob_sizes.lbs_superblock within superblock->s_security.
 * The blob is assumed to be present -- no NULL check is made.
 */
static inline struct superblock_security_struct *
selinux_superblock(const struct super_block *superblock)
{
	void *blob = superblock->s_security;

	return (struct superblock_security_struct *)(blob +
						     selinux_blob_sizes.lbs_superblock);
}
211 
212 #ifdef CONFIG_KEYS
/*
 * selinux_key - locate SELinux's state inside a key's security blob
 * @key: kernel key to look in
 *
 * Only available with CONFIG_KEYS (see the enclosing #ifdef).  Returns the
 * key_security_struct at selinux_blob_sizes.lbs_key within key->security;
 * the blob is assumed to be present.
 */
static inline struct key_security_struct *selinux_key(const struct key *key)
{
	void *blob = key->security;

	return (struct key_security_struct *)(blob + selinux_blob_sizes.lbs_key);
}
217 #endif /* CONFIG_KEYS */
218 
/*
 * selinux_sock - locate SELinux's state inside a socket's security blob
 * @sock: struct sock to look in
 *
 * Returns the sk_security_struct at selinux_blob_sizes.lbs_sock within
 * sock->sk_security.  The blob is assumed to be present.
 */
static inline struct sk_security_struct *selinux_sock(const struct sock *sock)
{
	void *blob = sock->sk_security;

	return (struct sk_security_struct *)(blob + selinux_blob_sizes.lbs_sock);
}
223 
/*
 * selinux_tun_dev - locate SELinux's state inside a TUN device's blob
 * @security: the TUN device's raw security blob (passed in by the caller
 *            rather than read from an object, unlike most accessors here)
 *
 * Returns the tun_security_struct at selinux_blob_sizes.lbs_tun_dev
 * within the blob.  @security is assumed non-NULL.
 */
static inline struct tun_security_struct *selinux_tun_dev(void *security)
{
	char *base = security;

	return (struct tun_security_struct *)(base + selinux_blob_sizes.lbs_tun_dev);
}
228 
/*
 * selinux_ib - locate SELinux's state inside an InfiniBand object's blob
 * @ib_sec: raw security blob of the QP or MAD agent
 *
 * Returns the ib_security_struct at selinux_blob_sizes.lbs_ib within the
 * blob.  @ib_sec is assumed non-NULL.
 */
static inline struct ib_security_struct *selinux_ib(void *ib_sec)
{
	char *base = ib_sec;

	return (struct ib_security_struct *)(base + selinux_blob_sizes.lbs_ib);
}
233 
/*
 * selinux_perf_event - locate SELinux's state inside a perf_event's blob
 * @perf_event: raw security blob of the perf_event object
 *
 * Returns the perf_event_security_struct at
 * selinux_blob_sizes.lbs_perf_event within the blob.  @perf_event is
 * assumed non-NULL.
 */
static inline struct perf_event_security_struct *
selinux_perf_event(void *perf_event)
{
	char *base = perf_event;

	return (struct perf_event_security_struct *)(base +
						     selinux_blob_sizes.lbs_perf_event);
}
239 
240 #endif /* _SELINUX_OBJSEC_H_ */
241