190945448SMickaël Salaün /* SPDX-License-Identifier: GPL-2.0-only */ 290945448SMickaël Salaün /* 390945448SMickaël Salaün * Landlock LSM - Object management 490945448SMickaël Salaün * 590945448SMickaël Salaün * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net> 690945448SMickaël Salaün * Copyright © 2018-2020 ANSSI 790945448SMickaël Salaün */ 890945448SMickaël Salaün 990945448SMickaël Salaün #ifndef _SECURITY_LANDLOCK_OBJECT_H 1090945448SMickaël Salaün #define _SECURITY_LANDLOCK_OBJECT_H 1190945448SMickaël Salaün 1290945448SMickaël Salaün #include <linux/compiler_types.h> 1390945448SMickaël Salaün #include <linux/refcount.h> 1490945448SMickaël Salaün #include <linux/spinlock.h> 1590945448SMickaël Salaün 1690945448SMickaël Salaün struct landlock_object; 1790945448SMickaël Salaün 1890945448SMickaël Salaün /** 1990945448SMickaël Salaün * struct landlock_object_underops - Operations on an underlying object 2090945448SMickaël Salaün */ 2190945448SMickaël Salaün struct landlock_object_underops { 2290945448SMickaël Salaün /** 2390945448SMickaël Salaün * @release: Releases the underlying object (e.g. iput() for an inode). 2490945448SMickaël Salaün */ 2590945448SMickaël Salaün void (*release)(struct landlock_object *const object) 2690945448SMickaël Salaün __releases(object->lock); 2790945448SMickaël Salaün }; 2890945448SMickaël Salaün 2990945448SMickaël Salaün /** 3090945448SMickaël Salaün * struct landlock_object - Security blob tied to a kernel object 3190945448SMickaël Salaün * 3290945448SMickaël Salaün * The goal of this structure is to enable to tie a set of ephemeral access 3390945448SMickaël Salaün * rights (pertaining to different domains) to a kernel object (e.g an inode) 3490945448SMickaël Salaün * in a safe way. This implies to handle concurrent use and modification. 3590945448SMickaël Salaün * 3690945448SMickaël Salaün * The lifetime of a &struct landlock_object depends on the rules referring to 3790945448SMickaël Salaün * it. 3890945448SMickaël Salaün */ 3990945448SMickaël Salaün struct landlock_object { 4090945448SMickaël Salaün /** 4190945448SMickaël Salaün * @usage: This counter is used to tie an object to the rules matching 4290945448SMickaël Salaün * it or to keep it alive while adding a new rule. If this counter 4390945448SMickaël Salaün * reaches zero, this struct must not be modified, but this counter can 4490945448SMickaël Salaün * still be read from within an RCU read-side critical section. When 4590945448SMickaël Salaün * adding a new rule to an object with a usage counter of zero, we must 4690945448SMickaël Salaün * wait until the pointer to this object is set to NULL (or recycled). 4790945448SMickaël Salaün */ 4890945448SMickaël Salaün refcount_t usage; 4990945448SMickaël Salaün /** 5090945448SMickaël Salaün * @lock: Protects against concurrent modifications. This lock must be 5190945448SMickaël Salaün * held from the time @usage drops to zero until any weak references 5290945448SMickaël Salaün * from @underobj to this object have been cleaned up. 5390945448SMickaël Salaün * 5490945448SMickaël Salaün * Lock ordering: inode->i_lock nests inside this. 5590945448SMickaël Salaün */ 5690945448SMickaël Salaün spinlock_t lock; 5790945448SMickaël Salaün /** 5890945448SMickaël Salaün * @underobj: Used when cleaning up an object and to mark an object as 5990945448SMickaël Salaün * tied to its underlying kernel structure. This pointer is protected 6090945448SMickaël Salaün * by @lock. Cf. landlock_release_inodes() and release_inode(). 6190945448SMickaël Salaün */ 6290945448SMickaël Salaün void *underobj; 6390945448SMickaël Salaün union { 6490945448SMickaël Salaün /** 6590945448SMickaël Salaün * @rcu_free: Enables lockless use of @usage, @lock and 6690945448SMickaël Salaün * @underobj from within an RCU read-side critical section. 6790945448SMickaël Salaün * @rcu_free and @underops are only used by 6890945448SMickaël Salaün * landlock_put_object(). 6990945448SMickaël Salaün */ 7090945448SMickaël Salaün struct rcu_head rcu_free; 7190945448SMickaël Salaün /** 7290945448SMickaël Salaün * @underops: Enables landlock_put_object() to release the 7390945448SMickaël Salaün * underlying object (e.g. inode). 7490945448SMickaël Salaün */ 7590945448SMickaël Salaün const struct landlock_object_underops *underops; 7690945448SMickaël Salaün }; 7790945448SMickaël Salaün }; 7890945448SMickaël Salaün 79*06a1c40aSMickaël Salaün struct landlock_object * 80*06a1c40aSMickaël Salaün landlock_create_object(const struct landlock_object_underops *const underops, 8190945448SMickaël Salaün void *const underobj); 8290945448SMickaël Salaün 8390945448SMickaël Salaün void landlock_put_object(struct landlock_object *const object); 8490945448SMickaël Salaün landlock_get_object(struct landlock_object * const object)8590945448SMickaël Salaünstatic inline void landlock_get_object(struct landlock_object *const object) 8690945448SMickaël Salaün { 8790945448SMickaël Salaün if (object) 8890945448SMickaël Salaün refcount_inc(&object->usage); 8990945448SMickaël Salaün } 9090945448SMickaël Salaün 9190945448SMickaël Salaün #endif /* _SECURITY_LANDLOCK_OBJECT_H */ 92