0001 /* SPDX-License-Identifier: GPL-2.0-only */
0002 /*
0003  *  NSA Security-Enhanced Linux (SELinux) security module
0004  *
0005  *  This file contains the SELinux security data structures for kernel objects.
0006  *
0007  *  Author(s):  Stephen Smalley, <sds@tycho.nsa.gov>
0008  *      Chris Vance, <cvance@nai.com>
0009  *      Wayne Salamon, <wsalamon@nai.com>
0010  *      James Morris <jmorris@redhat.com>
0011  *
0012  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
0013  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
0014  *  Copyright (C) 2016 Mellanox Technologies
0015  */
0016 #ifndef _SELINUX_OBJSEC_H_
0017 #define _SELINUX_OBJSEC_H_
0018 
0019 #include <linux/list.h>
0020 #include <linux/sched.h>
0021 #include <linux/fs.h>
0022 #include <linux/binfmts.h>
0023 #include <linux/in.h>
0024 #include <linux/spinlock.h>
0025 #include <linux/lsm_hooks.h>
0026 #include <linux/msg.h>
0027 #include <net/net_namespace.h>
0028 #include "flask.h"
0029 #include "avc.h"
0030 
/*
 * Per-credential SELinux state.  Lives inside the shared LSM cred blob and is
 * reached through selinux_cred() below.  Every field is a SID.
 */
struct task_security_struct {
    u32 osid;       /* SID prior to last execve */
    u32 sid;        /* current SID */
    u32 exec_sid;       /* exec SID */
    u32 create_sid;     /* fscreate SID */
    u32 keycreate_sid;  /* keycreate SID */
    u32 sockcreate_sid; /* sockcreate SID */
} __randomize_layout;
0039 
/*
 * Labeling state of an inode.  NOTE(review): presumably the value stored in
 * inode_security_struct.initialized — confirm against the hooks that set it.
 */
enum label_initialized {
    LABEL_INVALID,      /* invalid or not initialized */
    LABEL_INITIALIZED,  /* initialized */
    LABEL_PENDING       /* NOTE(review): looks like "label not yet resolved" — confirm */
};
0045 
/*
 * Per-inode SELinux state, reached through selinux_inode() below.  Unlike the
 * other accessors, selinux_inode() can return NULL (an inode with no security
 * blob), so callers must check the result.
 */
struct inode_security_struct {
    struct inode *inode;    /* back pointer to inode object */
    struct list_head list;  /* list of inode_security_struct */
    u32 task_sid;       /* SID of creating task */
    u32 sid;        /* SID of this object */
    u16 sclass;     /* security class of this object */
    unsigned char initialized;  /* initialization flag */
    spinlock_t lock;        /* NOTE(review): presumably guards sid/sclass/initialized — confirm */
};
0055 
/*
 * Per-open-file SELinux state, reached through selinux_file() below.  isid and
 * pseqno are snapshots taken at open time, so a later relabel or policy reload
 * can be detected by comparing against the current values.
 */
struct file_security_struct {
    u32 sid;        /* SID of open file description */
    u32 fown_sid;       /* SID of file owner (for SIGIO) */
    u32 isid;       /* SID of inode at the time of file open */
    u32 pseqno;     /* Policy seqno at the time of file open */
};
0062 
/*
 * Per-superblock SELinux state, reached through selinux_superblock() below.
 */
struct superblock_security_struct {
    u32 sid;            /* SID of file system superblock */
    u32 def_sid;            /* default SID for labeling */
    u32 mntpoint_sid;       /* SECURITY_FS_USE_MNTPOINT context for files */
    unsigned short behavior;    /* labeling behavior */
    unsigned short flags;       /* which mount options were specified */
    struct mutex lock;      /* NOTE(review): presumably serialises mount-time setup — confirm */
    struct list_head isec_head; /* head of the inode_security_struct.list chain */
    spinlock_t isec_lock;       /* NOTE(review): presumably protects isec_head — confirm */
};
0073 
/* SELinux state of a SysV IPC message, reached through selinux_msg_msg(). */
struct msg_security_struct {
    u32 sid;    /* SID of message */
};
0077 
/* SELinux state of a SysV IPC object (queue/semaphore/shm), via selinux_ipc(). */
struct ipc_security_struct {
    u16 sclass; /* security class of this object */
    u32 sid;    /* SID of IPC resource */
};
0082 
/* SELinux label of a network interface, keyed by (namespace, ifindex). */
struct netif_security_struct {
    struct net *ns;         /* network namespace */
    int ifindex;            /* device index */
    u32 sid;            /* SID for this interface */
};
0088 
/*
 * SELinux label of a network node (host address).  Only one member of addr is
 * meaningful; family is expected to say which — confirm at the use sites.
 */
struct netnode_security_struct {
    union {
        __be32 ipv4;        /* IPv4 node address */
        struct in6_addr ipv6;   /* IPv6 node address */
    } addr;
    u32 sid;            /* SID for this node */
    u16 family;         /* address family */
};
0097 
/* SELinux label of a transport port, keyed by (protocol, port). */
struct netport_security_struct {
    u32 sid;            /* SID for this port */
    u16 port;           /* port number */
    u8 protocol;            /* transport protocol */
};
0103 
/*
 * Per-socket SELinux state.  The NetLabel fields exist only when
 * CONFIG_NETLABEL is enabled; code touching them must be guarded the same way.
 */
struct sk_security_struct {
#ifdef CONFIG_NETLABEL
    enum {              /* NetLabel state */
        NLBL_UNSET = 0,     /* no NetLabel decision made yet */
        NLBL_REQUIRE,       /* NOTE(review): presumably "labeling required, not yet applied" — confirm */
        NLBL_LABELED,       /* NOTE(review): presumably "socket carries a NetLabel label" — confirm */
        NLBL_REQSKB,        /* NOTE(review): presumably "label per-skb rather than per-socket" — confirm */
        NLBL_CONNLABELED,   /* NOTE(review): presumably "labeled on connect" — confirm */
    } nlbl_state;
    struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
#endif
    u32 sid;            /* SID of this object */
    u32 peer_sid;           /* SID of peer */
    u16 sclass;         /* sock security class */
    enum {              /* SCTP association state */
        SCTP_ASSOC_UNSET = 0,   /* no association label recorded */
        SCTP_ASSOC_SET,     /* association label recorded */
    } sctp_assoc_state;
};
0123 
/* SELinux label attached to a TUN/TAP device. */
struct tun_security_struct {
    u32 sid;            /* SID for the tun device sockets */
};
0127 
/* SELinux label of a kernel key. */
struct key_security_struct {
    u32 sid;    /* SID of key */
};
0131 
/* SELinux label of an InfiniBand object. */
struct ib_security_struct {
    u32 sid;        /* SID of the queue pair or MAD agent */
};
0135 
/* SELinux label of an InfiniBand partition key, keyed by (subnet_prefix, pkey). */
struct pkey_security_struct {
    u64 subnet_prefix; /* Port subnet prefix */
    u16 pkey;   /* PKey number */
    u32 sid;    /* SID of pkey */
};
0141 
/* SELinux label of a BPF map or program; records the creator's SID. */
struct bpf_security_struct {
    u32 sid;  /* SID of bpf obj creator */
};
0145 
/* SELinux label of a perf_event; records the creator's SID. */
struct perf_event_security_struct {
    u32 sid;  /* SID of perf_event obj creator */
};
0149 
/*
 * Byte offsets of SELinux's slice inside each shared LSM security blob.  The
 * accessors below add the matching lbs_* member to the blob base pointer.
 */
extern struct lsm_blob_sizes selinux_blob_sizes;
/*
 * Locate SELinux's task_security_struct inside @cred's LSM blob.
 * No NULL check: the cred blob is assumed to be present.
 */
static inline struct task_security_struct *selinux_cred(const struct cred *cred)
{
    void *blob = cred->security;

    return blob + selinux_blob_sizes.lbs_cred;
}
0155 
/*
 * Locate SELinux's file_security_struct inside @file's LSM blob.
 * No NULL check: the file blob is assumed to be present.
 */
static inline struct file_security_struct *selinux_file(const struct file *file)
{
    void *blob = file->f_security;

    return blob + selinux_blob_sizes.lbs_file;
}
0160 
/*
 * Locate SELinux's inode_security_struct inside @inode's LSM blob.
 *
 * Returns NULL when the inode has no security blob attached, so every caller
 * must check the result before dereferencing it.
 */
static inline struct inode_security_struct *selinux_inode(
                        const struct inode *inode)
{
    void *blob = inode->i_security;

    if (unlikely(!blob))
        return NULL;

    return blob + selinux_blob_sizes.lbs_inode;
}
0168 
/*
 * Locate SELinux's msg_security_struct inside @msg_msg's LSM blob.
 * No NULL check: the message blob is assumed to be present.
 */
static inline struct msg_security_struct *selinux_msg_msg(
                        const struct msg_msg *msg_msg)
{
    void *blob = msg_msg->security;

    return blob + selinux_blob_sizes.lbs_msg_msg;
}
0174 
/*
 * Locate SELinux's ipc_security_struct inside @ipc's LSM blob.
 * No NULL check: the IPC blob is assumed to be present.
 */
static inline struct ipc_security_struct *selinux_ipc(
                        const struct kern_ipc_perm *ipc)
{
    void *blob = ipc->security;

    return blob + selinux_blob_sizes.lbs_ipc;
}
0180 
/*
 * Return the subjective security ID of the current task.
 *
 * Reads current_cred(), i.e. the credentials the task is acting with, not
 * the task's objective credentials; use the cred-based accessor directly when
 * a different cred set is the subject of a check.
 */
static inline u32 current_sid(void)
{
    const struct cred *cred = current_cred();

    return selinux_cred(cred)->sid;
}
0190 
/*
 * Locate SELinux's superblock_security_struct inside @superblock's LSM blob.
 * No NULL check: the superblock blob is assumed to be present.
 */
static inline struct superblock_security_struct *selinux_superblock(
                    const struct super_block *superblock)
{
    void *blob = superblock->s_security;

    return blob + selinux_blob_sizes.lbs_superblock;
}
0196 
0197 #endif /* _SELINUX_OBJSEC_H_ */