1385975dcSMickaël Salaün // SPDX-License-Identifier: GPL-2.0-only
2385975dcSMickaël Salaün /*
3385975dcSMickaël Salaün  * Landlock LSM - Credential hooks
4385975dcSMickaël Salaün  *
5385975dcSMickaël Salaün  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6385975dcSMickaël Salaün  * Copyright © 2018-2020 ANSSI
7385975dcSMickaël Salaün  */
8385975dcSMickaël Salaün 
9385975dcSMickaël Salaün #include <linux/cred.h>
10385975dcSMickaël Salaün #include <linux/lsm_hooks.h>
11385975dcSMickaël Salaün 
12385975dcSMickaël Salaün #include "common.h"
13385975dcSMickaël Salaün #include "cred.h"
14385975dcSMickaël Salaün #include "ruleset.h"
15385975dcSMickaël Salaün #include "setup.h"
16385975dcSMickaël Salaün 
/*
 * hook_cred_transfer - propagate the Landlock domain from @old to @new.
 *
 * @new: credential receiving the domain.
 * @old: credential whose Landlock domain, if any, is inherited.
 *
 * Every credential that points at a domain owns one reference on it, so the
 * reference is taken before the pointer is stored in @new.  When @old has no
 * domain, @new is left untouched.
 *
 * Security note: this is the only place in this file where a domain is
 * attached to a credential.  Any credential-copy path that does not end up
 * here produces a credential without the caller's domain, which is why this
 * helper backs both the cred_prepare and the cred_transfer hooks.
 *
 * NOTE(review): a domain already stored in @new would be overwritten without
 * a matching put.  This assumes the Landlock blob of @new is empty on entry;
 * confirm against the callers of both hooks.
 */
static void hook_cred_transfer(struct cred *const new,
			       const struct cred *const old)
{
	struct landlock_ruleset *const inherited = landlock_cred(old)->domain;

	/* Source credential has no domain: nothing to hand over. */
	if (!inherited)
		return;

	/* Take the reference first, then publish the pointer in @new. */
	landlock_get_ruleset(inherited);
	landlock_cred(new)->domain = inherited;
}
27*16896914SJann Horn 
/*
 * hook_cred_prepare - cred_prepare LSM hook for Landlock.
 *
 * @new: credential being prepared.
 * @old: credential it is derived from.
 * @gfp: allocation flags supplied by the hook interface; not used here.
 *
 * Shares its implementation with the cred_transfer hook so that both
 * credential-copy paths inherit the domain in exactly the same way.
 *
 * Return: always 0; the domain hand-over has no failure path.
 */
static int hook_cred_prepare(struct cred *const new,
			     const struct cred *const old, const gfp_t gfp)
{
	/* Same inheritance logic as cred_transfer: take a ref, copy the pointer. */
	hook_cred_transfer(new, old);

	return 0;
}
34385975dcSMickaël Salaün 
/*
 * hook_cred_free - cred_free LSM hook for Landlock.
 *
 * @cred: credential being released.
 *
 * Drops the reference this credential holds on its domain, balancing the
 * landlock_get_ruleset() done when the domain was attached.  Credentials
 * without a domain need no cleanup.
 *
 * NOTE(review): the deferred put variant is used; presumably because this
 * hook can run in a context where the release must not sleep.  Confirm
 * against the definition of landlock_put_ruleset_deferred().
 */
static void hook_cred_free(struct cred *const cred)
{
	struct landlock_ruleset *const domain = landlock_cred(cred)->domain;

	if (!domain)
		return;

	landlock_put_ruleset_deferred(domain);
}
42385975dcSMickaël Salaün 
/*
 * Credential hooks registered by Landlock.
 *
 * cred_prepare and cred_transfer are both wired to the same inheritance
 * logic: a credential produced through either path must carry the domain of
 * the credential it was derived from.  Leaving one of them out would let that
 * path yield a credential with no domain attached.  cred_free releases the
 * reference taken by the other two.
 *
 * __ro_after_init: the table is not meant to be modified once init is done.
 */
static struct security_hook_list landlock_hooks[] __ro_after_init = {
	/* Domain inheritance when a credential is prepared from another. */
	LSM_HOOK_INIT(cred_prepare, hook_cred_prepare),
	/* Domain inheritance when credentials are transferred. */
	LSM_HOOK_INIT(cred_transfer, hook_cred_transfer),
	/* Reference drop when the credential is released. */
	LSM_HOOK_INIT(cred_free, hook_cred_free),
};
48385975dcSMickaël Salaün 
/*
 * landlock_add_cred_hooks - register Landlock's credential hooks.
 *
 * Init-time only (__init).  Hands the whole landlock_hooks table to the LSM
 * framework under the LANDLOCK_NAME identifier.
 */
__init void landlock_add_cred_hooks(void)
{
	/* The count is derived from the table so that new entries are picked up. */
	security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
			   LANDLOCK_NAME);
}