xref: /openbmc/linux/security/landlock/object.h (revision 06a1c40a09a8dded4bf0e7e3ccbda6bddcccd7c8)
190945448SMickaël Salaün /* SPDX-License-Identifier: GPL-2.0-only */
290945448SMickaël Salaün /*
390945448SMickaël Salaün  * Landlock LSM - Object management
490945448SMickaël Salaün  *
590945448SMickaël Salaün  * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
690945448SMickaël Salaün  * Copyright © 2018-2020 ANSSI
790945448SMickaël Salaün  */
890945448SMickaël Salaün 
990945448SMickaël Salaün #ifndef _SECURITY_LANDLOCK_OBJECT_H
1090945448SMickaël Salaün #define _SECURITY_LANDLOCK_OBJECT_H
1190945448SMickaël Salaün 
1290945448SMickaël Salaün #include <linux/compiler_types.h>
1390945448SMickaël Salaün #include <linux/refcount.h>
1490945448SMickaël Salaün #include <linux/spinlock.h>
1590945448SMickaël Salaün 
1690945448SMickaël Salaün struct landlock_object;
1790945448SMickaël Salaün 
1890945448SMickaël Salaün /**
1990945448SMickaël Salaün  * struct landlock_object_underops - Operations on an underlying object
2090945448SMickaël Salaün  */
2190945448SMickaël Salaün struct landlock_object_underops {
2290945448SMickaël Salaün 	/**
2390945448SMickaël Salaün 	 * @release: Releases the underlying object (e.g. iput() for an inode).
2490945448SMickaël Salaün 	 */
2590945448SMickaël Salaün 	void (*release)(struct landlock_object *const object)
2690945448SMickaël Salaün 		__releases(object->lock);
2790945448SMickaël Salaün };
2890945448SMickaël Salaün 
2990945448SMickaël Salaün /**
3090945448SMickaël Salaün  * struct landlock_object - Security blob tied to a kernel object
3190945448SMickaël Salaün  *
3290945448SMickaël Salaün  * The goal of this structure is to enable to tie a set of ephemeral access
3390945448SMickaël Salaün  * rights (pertaining to different domains) to a kernel object (e.g an inode)
3490945448SMickaël Salaün  * in a safe way.  This implies to handle concurrent use and modification.
3590945448SMickaël Salaün  *
3690945448SMickaël Salaün  * The lifetime of a &struct landlock_object depends on the rules referring to
3790945448SMickaël Salaün  * it.
3890945448SMickaël Salaün  */
3990945448SMickaël Salaün struct landlock_object {
4090945448SMickaël Salaün 	/**
4190945448SMickaël Salaün 	 * @usage: This counter is used to tie an object to the rules matching
4290945448SMickaël Salaün 	 * it or to keep it alive while adding a new rule.  If this counter
4390945448SMickaël Salaün 	 * reaches zero, this struct must not be modified, but this counter can
4490945448SMickaël Salaün 	 * still be read from within an RCU read-side critical section.  When
4590945448SMickaël Salaün 	 * adding a new rule to an object with a usage counter of zero, we must
4690945448SMickaël Salaün 	 * wait until the pointer to this object is set to NULL (or recycled).
4790945448SMickaël Salaün 	 */
4890945448SMickaël Salaün 	refcount_t usage;
4990945448SMickaël Salaün 	/**
5090945448SMickaël Salaün 	 * @lock: Protects against concurrent modifications.  This lock must be
5190945448SMickaël Salaün 	 * held from the time @usage drops to zero until any weak references
5290945448SMickaël Salaün 	 * from @underobj to this object have been cleaned up.
5390945448SMickaël Salaün 	 *
5490945448SMickaël Salaün 	 * Lock ordering: inode->i_lock nests inside this.
5590945448SMickaël Salaün 	 */
5690945448SMickaël Salaün 	spinlock_t lock;
5790945448SMickaël Salaün 	/**
5890945448SMickaël Salaün 	 * @underobj: Used when cleaning up an object and to mark an object as
5990945448SMickaël Salaün 	 * tied to its underlying kernel structure.  This pointer is protected
6090945448SMickaël Salaün 	 * by @lock.  Cf. landlock_release_inodes() and release_inode().
6190945448SMickaël Salaün 	 */
6290945448SMickaël Salaün 	void *underobj;
6390945448SMickaël Salaün 	union {
6490945448SMickaël Salaün 		/**
6590945448SMickaël Salaün 		 * @rcu_free: Enables lockless use of @usage, @lock and
6690945448SMickaël Salaün 		 * @underobj from within an RCU read-side critical section.
6790945448SMickaël Salaün 		 * @rcu_free and @underops are only used by
6890945448SMickaël Salaün 		 * landlock_put_object().
6990945448SMickaël Salaün 		 */
7090945448SMickaël Salaün 		struct rcu_head rcu_free;
7190945448SMickaël Salaün 		/**
7290945448SMickaël Salaün 		 * @underops: Enables landlock_put_object() to release the
7390945448SMickaël Salaün 		 * underlying object (e.g. inode).
7490945448SMickaël Salaün 		 */
7590945448SMickaël Salaün 		const struct landlock_object_underops *underops;
7690945448SMickaël Salaün 	};
7790945448SMickaël Salaün };
7890945448SMickaël Salaün 
79*06a1c40aSMickaël Salaün struct landlock_object *
80*06a1c40aSMickaël Salaün landlock_create_object(const struct landlock_object_underops *const underops,
8190945448SMickaël Salaün 		       void *const underobj);
8290945448SMickaël Salaün 
8390945448SMickaël Salaün void landlock_put_object(struct landlock_object *const object);
8490945448SMickaël Salaün 
8590945448SMickaël Salaün static inline void landlock_get_object(struct landlock_object *const object)
8690945448SMickaël Salaün {
8790945448SMickaël Salaün 	if (object)
8890945448SMickaël Salaün 		refcount_inc(&object->usage);
8990945448SMickaël Salaün }
9090945448SMickaël Salaün 
9190945448SMickaël Salaün #endif /* _SECURITY_LANDLOCK_OBJECT_H */
92