selinux/ss/sidtab.h

62306a36Sopenharmony_ci/* SPDX-License-Identifier: GPL-2.0 */
62306a36Sopenharmony_ci/*
62306a36Sopenharmony_ci * A security identifier table (sidtab) is a lookup table
62306a36Sopenharmony_ci * of security context structures indexed by SID value.
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * Original author: Stephen Smalley, <stephen.smalley.work@gmail.com>
62306a36Sopenharmony_ci * Author: Ondrej Mosnacek, <omosnacek@gmail.com>
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * Copyright (C) 2018 Red Hat, Inc.
62306a36Sopenharmony_ci */
62306a36Sopenharmony_ci#ifndef _SS_SIDTAB_H_
62306a36Sopenharmony_ci#define _SS_SIDTAB_H_
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#include <linux/spinlock_types.h>
62306a36Sopenharmony_ci#include <linux/log2.h>
62306a36Sopenharmony_ci#include <linux/hashtable.h>
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#include "context.h"
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistruct sidtab_entry {
62306a36Sopenharmony_ci	u32 sid;
62306a36Sopenharmony_ci	u32 hash;
62306a36Sopenharmony_ci	struct context context;
62306a36Sopenharmony_ci#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0
62306a36Sopenharmony_ci	struct sidtab_str_cache __rcu *cache;
62306a36Sopenharmony_ci#endif
62306a36Sopenharmony_ci	struct hlist_node list;
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_ciunion sidtab_entry_inner {
62306a36Sopenharmony_ci	struct sidtab_node_inner *ptr_inner;
62306a36Sopenharmony_ci	struct sidtab_node_leaf  *ptr_leaf;
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci/* align node size to page boundary */
62306a36Sopenharmony_ci#define SIDTAB_NODE_ALLOC_SHIFT PAGE_SHIFT
62306a36Sopenharmony_ci#define SIDTAB_NODE_ALLOC_SIZE  PAGE_SIZE
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#define size_to_shift(size) ((size) == 1 ? 1 : (const_ilog2((size) - 1) + 1))
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#define SIDTAB_INNER_SHIFT \
62306a36Sopenharmony_ci	(SIDTAB_NODE_ALLOC_SHIFT - size_to_shift(sizeof(union sidtab_entry_inner)))
62306a36Sopenharmony_ci#define SIDTAB_INNER_ENTRIES ((size_t)1 << SIDTAB_INNER_SHIFT)
62306a36Sopenharmony_ci#define SIDTAB_LEAF_ENTRIES \
62306a36Sopenharmony_ci	(SIDTAB_NODE_ALLOC_SIZE / sizeof(struct sidtab_entry))
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#define SIDTAB_MAX_BITS 32
62306a36Sopenharmony_ci#define SIDTAB_MAX U32_MAX
62306a36Sopenharmony_ci/* ensure enough tree levels for SIDTAB_MAX entries */
62306a36Sopenharmony_ci#define SIDTAB_MAX_LEVEL \
62306a36Sopenharmony_ci	DIV_ROUND_UP(SIDTAB_MAX_BITS - size_to_shift(SIDTAB_LEAF_ENTRIES), \
62306a36Sopenharmony_ci		     SIDTAB_INNER_SHIFT)
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistruct sidtab_node_leaf {
62306a36Sopenharmony_ci	struct sidtab_entry entries[SIDTAB_LEAF_ENTRIES];
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistruct sidtab_node_inner {
62306a36Sopenharmony_ci	union sidtab_entry_inner entries[SIDTAB_INNER_ENTRIES];
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistruct sidtab_isid_entry {
62306a36Sopenharmony_ci	int set;
62306a36Sopenharmony_ci	struct sidtab_entry entry;
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistruct sidtab_convert_params {
62306a36Sopenharmony_ci	struct convert_context_args *args;
62306a36Sopenharmony_ci	struct sidtab *target;
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#define SIDTAB_HASH_BITS CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS
62306a36Sopenharmony_ci#define SIDTAB_HASH_BUCKETS (1 << SIDTAB_HASH_BITS)
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistruct sidtab {
62306a36Sopenharmony_ci	/*
62306a36Sopenharmony_ci	 * lock-free read access only for as many items as a prior read of
62306a36Sopenharmony_ci	 * 'count'
62306a36Sopenharmony_ci	 */
62306a36Sopenharmony_ci	union sidtab_entry_inner roots[SIDTAB_MAX_LEVEL + 1];
62306a36Sopenharmony_ci	/*
62306a36Sopenharmony_ci	 * access atomically via {READ|WRITE}_ONCE(); only increment under
62306a36Sopenharmony_ci	 * spinlock
62306a36Sopenharmony_ci	 */
62306a36Sopenharmony_ci	u32 count;
62306a36Sopenharmony_ci	/* access only under spinlock */
62306a36Sopenharmony_ci	struct sidtab_convert_params *convert;
62306a36Sopenharmony_ci	bool frozen;
62306a36Sopenharmony_ci	spinlock_t lock;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0
62306a36Sopenharmony_ci	/* SID -> context string cache */
62306a36Sopenharmony_ci	u32 cache_free_slots;
62306a36Sopenharmony_ci	struct list_head cache_lru_list;
62306a36Sopenharmony_ci	spinlock_t cache_lock;
62306a36Sopenharmony_ci#endif
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	/* index == SID - 1 (no entry for SECSID_NULL) */
62306a36Sopenharmony_ci	struct sidtab_isid_entry isids[SECINITSID_NUM];
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	/* Hash table for fast reverse context-to-sid lookups. */
62306a36Sopenharmony_ci	DECLARE_HASHTABLE(context_to_sid, SIDTAB_HASH_BITS);
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_ciint sidtab_init(struct sidtab *s);
62306a36Sopenharmony_ciint sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context);
62306a36Sopenharmony_cistruct sidtab_entry *sidtab_search_entry(struct sidtab *s, u32 sid);
62306a36Sopenharmony_cistruct sidtab_entry *sidtab_search_entry_force(struct sidtab *s, u32 sid);
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic inline struct context *sidtab_search(struct sidtab *s, u32 sid)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	struct sidtab_entry *entry = sidtab_search_entry(s, sid);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	return entry ? &entry->context : NULL;
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic inline struct context *sidtab_search_force(struct sidtab *s, u32 sid)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	struct sidtab_entry *entry = sidtab_search_entry_force(s, sid);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	return entry ? &entry->context : NULL;
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_ciint sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params);
62306a36Sopenharmony_ci
62306a36Sopenharmony_civoid sidtab_cancel_convert(struct sidtab *s);
62306a36Sopenharmony_ci
62306a36Sopenharmony_civoid sidtab_freeze_begin(struct sidtab *s, unsigned long *flags) __acquires(&s->lock);
62306a36Sopenharmony_civoid sidtab_freeze_end(struct sidtab *s, unsigned long *flags) __releases(&s->lock);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ciint sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid);
62306a36Sopenharmony_ci
62306a36Sopenharmony_civoid sidtab_destroy(struct sidtab *s);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ciint sidtab_hash_stats(struct sidtab *sidtab, char *page);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0
62306a36Sopenharmony_civoid sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry,
62306a36Sopenharmony_ci			const char *str, u32 str_len);
62306a36Sopenharmony_ciint sidtab_sid2str_get(struct sidtab *s, struct sidtab_entry *entry,
62306a36Sopenharmony_ci		       char **out, u32 *out_len);
62306a36Sopenharmony_ci#else
62306a36Sopenharmony_cistatic inline void sidtab_sid2str_put(struct sidtab *s,
62306a36Sopenharmony_ci				      struct sidtab_entry *entry,
62306a36Sopenharmony_ci				      const char *str, u32 str_len)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci}
62306a36Sopenharmony_cistatic inline int sidtab_sid2str_get(struct sidtab *s,
62306a36Sopenharmony_ci				     struct sidtab_entry *entry,
62306a36Sopenharmony_ci				     char **out, u32 *out_len)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	return -ENOENT;
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci#endif /* CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 */
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#endif	/* _SS_SIDTAB_H_ */
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci