/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Security-Enhanced Linux (SELinux) security module
 *
 * This file contains the SELinux security data structures for kernel objects.
 *
 * Each *_security_struct below is the SELinux-private security state kept
 * for one kind of kernel object. For credentials, files, inodes, IPC
 * objects, messages and superblocks, the selinux_*() accessors at the end
 * of this file locate that state inside the object's LSM security blob
 * using the per-object offsets recorded in selinux_blob_sizes.
 *
 * Author(s): Stephen Smalley, <stephen.smalley.work@gmail.com>
 * Chris Vance, <cvance@nai.com>
 * Wayne Salamon, <wsalamon@nai.com>
 * James Morris <jmorris@redhat.com>
 *
 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
 * Copyright (C) 2016 Mellanox Technologies
 */
#ifndef _SELINUX_OBJSEC_H_
#define _SELINUX_OBJSEC_H_

#include <linux/list.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
#include <linux/lsm_hooks.h>
#include <linux/msg.h>
#include <net/net_namespace.h>
#include "flask.h"
#include "avc.h"

/*
 * Per-credential (task) security state. Reached via selinux_cred() and
 * current_sid() below; the *_sid fields are the SIDs that govern the
 * subject itself and the labels it requests for objects it creates.
 */
struct task_security_struct {
	u32 osid;		/* SID prior to last execve */
	u32 sid;		/* current SID */
	u32 exec_sid;		/* exec SID */
	u32 create_sid;		/* fscreate SID */
	u32 keycreate_sid;	/* keycreate SID */
	u32 sockcreate_sid;	/* sockcreate SID (label requested for new sockets) */
} __randomize_layout;

/* Values for inode_security_struct.initialized (the label's lifecycle). */
enum label_initialized {
	LABEL_INVALID,		/* invalid or not initialized */
	LABEL_INITIALIZED,	/* initialized */
	LABEL_PENDING		/* initialization started but not yet complete */
};

/*
 * Per-inode security state. Reached via selinux_inode(), which is the
 * only accessor below that tolerates a missing blob and returns NULL.
 */
struct inode_security_struct {
	struct inode *inode;	/* back pointer to inode object */
	struct list_head list;	/* list of inode_security_struct */
	u32 task_sid;		/* SID of creating task */
	u32 sid;		/* SID of this object */
	u16 sclass;		/* security class of this object */
	unsigned char initialized;	/* initialization flag; presumably an enum label_initialized value */
	spinlock_t lock;	/* NOTE(review): what this serializes is not visible here; see users */
};

/*
 * Per-open-file security state. Reached via selinux_file().
 * isid and pseqno snapshot the inode label and policy at open time;
 * presumably used to detect relabels or policy reloads after open so
 * access can be re-validated -- confirm against the callers.
 */
struct file_security_struct {
	u32 sid;		/* SID of open file description */
	u32 fown_sid;		/* SID of file owner (for SIGIO) */
	u32 isid;		/* SID of inode at the time of file open */
	u32 pseqno;		/* Policy seqno at the time of file open */
};

/* Per-superblock security state. Reached via selinux_superblock(). */
struct superblock_security_struct {
	u32 sid;		/* SID of file system superblock */
	u32 def_sid;		/* default SID for labeling */
	u32 mntpoint_sid;	/* SECURITY_FS_USE_MNTPOINT context for files */
	unsigned short behavior;	/* labeling behavior */
	unsigned short flags;	/* which mount options were specified */
	struct mutex lock;	/* NOTE(review): scope not visible here; see users */
	struct list_head isec_head;	/* list of this sb's inode_security_structs */
	spinlock_t isec_lock;	/* presumably guards isec_head -- confirm in users */
};

/* Per-message (SysV/POSIX msg) security state. Reached via selinux_msg_msg(). */
struct msg_security_struct {
	u32 sid;		/* SID of message */
};

/* Per-IPC-object security state. Reached via selinux_ipc(). */
struct ipc_security_struct {
	u16 sclass;		/* security class of this object */
	u32 sid;		/* SID of IPC resource */
};

/* Security state for a network interface, keyed by namespace + ifindex. */
struct netif_security_struct {
	struct net *ns;		/* network namespace */
	int ifindex;		/* device index */
	u32 sid;		/* SID for this interface */
};

/* Security state for a network node (host address); `family` selects which addr member is valid. */
struct netnode_security_struct {
	union {
		__be32 ipv4;		/* IPv4 node address */
		struct in6_addr ipv6;	/* IPv6 node address */
	} addr;
	u32 sid;		/* SID for this node */
	u16 family;		/* address family */
};

/* Security state for a network port, keyed by port number + protocol. */
struct netport_security_struct {
	u32 sid;		/* SID for this port */
	u16 port;		/* port number */
	u8 protocol;		/* transport protocol */
};

/*
 * Per-socket (struct sock) security state. The NetLabel members exist
 * only when CONFIG_NETLABEL is set, so code touching them must be
 * guarded the same way.
 */
struct sk_security_struct {
#ifdef CONFIG_NETLABEL
	enum {				/* NetLabel state */
		NLBL_UNSET = 0,
		NLBL_REQUIRE,
		NLBL_LABELED,
		NLBL_REQSKB,
		NLBL_CONNLABELED,
	} nlbl_state;
	struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
#endif
	u32 sid;		/* SID of this object */
	u32 peer_sid;		/* SID of peer */
	u16 sclass;		/* sock security class */
	enum {				/* SCTP association state */
		SCTP_ASSOC_UNSET = 0,
		SCTP_ASSOC_SET,
	} sctp_assoc_state;
};

/* Security state for a TUN device. */
struct tun_security_struct {
	u32 sid;		/* SID for the tun device sockets */
};

/* Security state for a kernel key. */
struct key_security_struct {
	u32 sid;		/* SID of key */
};

/* Security state for an InfiniBand queue pair or MAD agent. */
struct ib_security_struct {
	u32 sid;		/* SID of the queue pair or MAD agent */
};

/* Security state for an InfiniBand partition key, keyed by subnet prefix + pkey. */
struct pkey_security_struct {
	u64 subnet_prefix;	/* Port subnet prefix */
	u16 pkey;		/* PKey number */
	u32 sid;		/* SID of pkey */
};

/* Security state for a BPF object (map/prog). */
struct bpf_security_struct {
	u32 sid;		/* SID of bpf obj creator */
};

/* Security state for a perf_event. */
struct perf_event_security_struct {
	u32 sid;		/* SID of perf_event obj creator */
};

/*
 * Offsets of SELinux's state within each object's shared LSM blob; filled
 * in by the LSM framework. The accessors below add the matching offset to
 * the object's security pointer.
 */
extern struct lsm_blob_sizes selinux_blob_sizes;

/*
 * Return the task_security_struct inside @cred's security blob.
 * Does not check for a missing blob; callers rely on the cred already
 * having one allocated.
 */
static inline struct task_security_struct *selinux_cred(const struct cred *cred)
{
	return cred->security + selinux_blob_sizes.lbs_cred;
}

/*
 * Return the file_security_struct inside @file's security blob.
 * No NULL check on f_security, as with selinux_cred().
 */
static inline struct file_security_struct *selinux_file(const struct file *file)
{
	return file->f_security + selinux_blob_sizes.lbs_file;
}

/*
 * Return the inode_security_struct inside @inode's security blob, or NULL
 * when the inode has no blob (unlike the other accessors, which assume
 * one). Callers must therefore handle a NULL result.
 */
static inline struct inode_security_struct *selinux_inode(
						const struct inode *inode)
{
	if (unlikely(!inode->i_security))
		return NULL;
	return inode->i_security + selinux_blob_sizes.lbs_inode;
}

/* Return the msg_security_struct inside @msg_msg's security blob (no NULL check). */
static inline struct msg_security_struct *selinux_msg_msg(
						const struct msg_msg *msg_msg)
{
	return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
}

/* Return the ipc_security_struct inside @ipc's security blob (no NULL check). */
static inline struct ipc_security_struct *selinux_ipc(
						const struct kern_ipc_perm *ipc)
{
	return ipc->security + selinux_blob_sizes.lbs_ipc;
}

/*
 * get the subjective security ID of the current task
 *
 * Reads the `sid` member of the task_security_struct attached to
 * current_cred(); this is the SID used as the subject in access checks.
 */
static inline u32 current_sid(void)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());

	return tsec->sid;
}

/* Return the superblock_security_struct inside @superblock's security blob (no NULL check). */
static inline struct superblock_security_struct *selinux_superblock(
					const struct super_block *superblock)
{
	return superblock->s_security + selinux_blob_sizes.lbs_superblock;
}

#endif /* _SELINUX_OBJSEC_H_ */