18c2ecf20Sopenharmony_ci/* SPDX-License-Identifier: GPL-2.0 */ 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * SafeSetID Linux Security Module 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Author: Micah Morton <mortonm@chromium.org> 68c2ecf20Sopenharmony_ci * 78c2ecf20Sopenharmony_ci * Copyright (C) 2018 The Chromium OS Authors. 88c2ecf20Sopenharmony_ci * 98c2ecf20Sopenharmony_ci * This program is free software; you can redistribute it and/or modify 108c2ecf20Sopenharmony_ci * it under the terms of the GNU General Public License version 2, as 118c2ecf20Sopenharmony_ci * published by the Free Software Foundation. 128c2ecf20Sopenharmony_ci * 138c2ecf20Sopenharmony_ci */ 148c2ecf20Sopenharmony_ci#ifndef _SAFESETID_H 158c2ecf20Sopenharmony_ci#define _SAFESETID_H 168c2ecf20Sopenharmony_ci 178c2ecf20Sopenharmony_ci#include <linux/types.h> 188c2ecf20Sopenharmony_ci#include <linux/uidgid.h> 198c2ecf20Sopenharmony_ci#include <linux/hashtable.h> 208c2ecf20Sopenharmony_ci 218c2ecf20Sopenharmony_ci/* Flag indicating whether initialization completed */ 228c2ecf20Sopenharmony_ciextern int safesetid_initialized; 238c2ecf20Sopenharmony_ci 248c2ecf20Sopenharmony_cienum sid_policy_type { 258c2ecf20Sopenharmony_ci SIDPOL_DEFAULT, /* source ID is unaffected by policy */ 268c2ecf20Sopenharmony_ci SIDPOL_CONSTRAINED, /* source ID is affected by policy */ 278c2ecf20Sopenharmony_ci SIDPOL_ALLOWED /* target ID explicitly allowed */ 288c2ecf20Sopenharmony_ci}; 298c2ecf20Sopenharmony_ci 308c2ecf20Sopenharmony_citypedef union { 318c2ecf20Sopenharmony_ci kuid_t uid; 328c2ecf20Sopenharmony_ci kgid_t gid; 338c2ecf20Sopenharmony_ci} kid_t; 348c2ecf20Sopenharmony_ci 358c2ecf20Sopenharmony_cienum setid_type { 368c2ecf20Sopenharmony_ci UID, 378c2ecf20Sopenharmony_ci GID 388c2ecf20Sopenharmony_ci}; 398c2ecf20Sopenharmony_ci 408c2ecf20Sopenharmony_ci/* 418c2ecf20Sopenharmony_ci * Hash table entry to store safesetid policy signifying that 'src_id' 428c2ecf20Sopenharmony_ci * can set*id to 'dst_id'. 438c2ecf20Sopenharmony_ci */ 448c2ecf20Sopenharmony_cistruct setid_rule { 458c2ecf20Sopenharmony_ci struct hlist_node next; 468c2ecf20Sopenharmony_ci kid_t src_id; 478c2ecf20Sopenharmony_ci kid_t dst_id; 488c2ecf20Sopenharmony_ci 498c2ecf20Sopenharmony_ci /* Flag to signal if rule is for UID's or GID's */ 508c2ecf20Sopenharmony_ci enum setid_type type; 518c2ecf20Sopenharmony_ci}; 528c2ecf20Sopenharmony_ci 538c2ecf20Sopenharmony_ci#define SETID_HASH_BITS 8 /* 256 buckets in hash table */ 548c2ecf20Sopenharmony_ci 558c2ecf20Sopenharmony_ci/* Extension of INVALID_UID/INVALID_GID for kid_t type */ 568c2ecf20Sopenharmony_ci#define INVALID_ID (kid_t){.uid = INVALID_UID} 578c2ecf20Sopenharmony_ci 588c2ecf20Sopenharmony_cistruct setid_ruleset { 598c2ecf20Sopenharmony_ci DECLARE_HASHTABLE(rules, SETID_HASH_BITS); 608c2ecf20Sopenharmony_ci char *policy_str; 618c2ecf20Sopenharmony_ci struct rcu_head rcu; 628c2ecf20Sopenharmony_ci 638c2ecf20Sopenharmony_ci //Flag to signal if ruleset is for UID's or GID's 648c2ecf20Sopenharmony_ci enum setid_type type; 658c2ecf20Sopenharmony_ci}; 668c2ecf20Sopenharmony_ci 678c2ecf20Sopenharmony_cienum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy, 688c2ecf20Sopenharmony_ci kid_t src, kid_t dst); 698c2ecf20Sopenharmony_ci 708c2ecf20Sopenharmony_ciextern struct setid_ruleset __rcu *safesetid_setuid_rules; 718c2ecf20Sopenharmony_ciextern struct setid_ruleset __rcu *safesetid_setgid_rules; 728c2ecf20Sopenharmony_ci 738c2ecf20Sopenharmony_ci#endif /* _SAFESETID_H */ 74