1*90945448SMickaël Salaün /* SPDX-License-Identifier: GPL-2.0-only */ 2*90945448SMickaël Salaün /* 3*90945448SMickaël Salaün * Landlock LSM - Object management 4*90945448SMickaël Salaün * 5*90945448SMickaël Salaün * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net> 6*90945448SMickaël Salaün * Copyright © 2018-2020 ANSSI 7*90945448SMickaël Salaün */ 8*90945448SMickaël Salaün 9*90945448SMickaël Salaün #ifndef _SECURITY_LANDLOCK_OBJECT_H 10*90945448SMickaël Salaün #define _SECURITY_LANDLOCK_OBJECT_H 11*90945448SMickaël Salaün 12*90945448SMickaël Salaün #include <linux/compiler_types.h> 13*90945448SMickaël Salaün #include <linux/refcount.h> 14*90945448SMickaël Salaün #include <linux/spinlock.h> 15*90945448SMickaël Salaün 16*90945448SMickaël Salaün struct landlock_object; 17*90945448SMickaël Salaün 18*90945448SMickaël Salaün /** 19*90945448SMickaël Salaün * struct landlock_object_underops - Operations on an underlying object 20*90945448SMickaël Salaün */ 21*90945448SMickaël Salaün struct landlock_object_underops { 22*90945448SMickaël Salaün /** 23*90945448SMickaël Salaün * @release: Releases the underlying object (e.g. iput() for an inode). 24*90945448SMickaël Salaün */ 25*90945448SMickaël Salaün void (*release)(struct landlock_object *const object) 26*90945448SMickaël Salaün __releases(object->lock); 27*90945448SMickaël Salaün }; 28*90945448SMickaël Salaün 29*90945448SMickaël Salaün /** 30*90945448SMickaël Salaün * struct landlock_object - Security blob tied to a kernel object 31*90945448SMickaël Salaün * 32*90945448SMickaël Salaün * The goal of this structure is to enable to tie a set of ephemeral access 33*90945448SMickaël Salaün * rights (pertaining to different domains) to a kernel object (e.g an inode) 34*90945448SMickaël Salaün * in a safe way. This implies to handle concurrent use and modification. 35*90945448SMickaël Salaün * 36*90945448SMickaël Salaün * The lifetime of a &struct landlock_object depends on the rules referring to 37*90945448SMickaël Salaün * it. 38*90945448SMickaël Salaün */ 39*90945448SMickaël Salaün struct landlock_object { 40*90945448SMickaël Salaün /** 41*90945448SMickaël Salaün * @usage: This counter is used to tie an object to the rules matching 42*90945448SMickaël Salaün * it or to keep it alive while adding a new rule. If this counter 43*90945448SMickaël Salaün * reaches zero, this struct must not be modified, but this counter can 44*90945448SMickaël Salaün * still be read from within an RCU read-side critical section. When 45*90945448SMickaël Salaün * adding a new rule to an object with a usage counter of zero, we must 46*90945448SMickaël Salaün * wait until the pointer to this object is set to NULL (or recycled). 47*90945448SMickaël Salaün */ 48*90945448SMickaël Salaün refcount_t usage; 49*90945448SMickaël Salaün /** 50*90945448SMickaël Salaün * @lock: Protects against concurrent modifications. This lock must be 51*90945448SMickaël Salaün * held from the time @usage drops to zero until any weak references 52*90945448SMickaël Salaün * from @underobj to this object have been cleaned up. 53*90945448SMickaël Salaün * 54*90945448SMickaël Salaün * Lock ordering: inode->i_lock nests inside this. 55*90945448SMickaël Salaün */ 56*90945448SMickaël Salaün spinlock_t lock; 57*90945448SMickaël Salaün /** 58*90945448SMickaël Salaün * @underobj: Used when cleaning up an object and to mark an object as 59*90945448SMickaël Salaün * tied to its underlying kernel structure. This pointer is protected 60*90945448SMickaël Salaün * by @lock. Cf. landlock_release_inodes() and release_inode(). 61*90945448SMickaël Salaün */ 62*90945448SMickaël Salaün void *underobj; 63*90945448SMickaël Salaün union { 64*90945448SMickaël Salaün /** 65*90945448SMickaël Salaün * @rcu_free: Enables lockless use of @usage, @lock and 66*90945448SMickaël Salaün * @underobj from within an RCU read-side critical section. 67*90945448SMickaël Salaün * @rcu_free and @underops are only used by 68*90945448SMickaël Salaün * landlock_put_object(). 69*90945448SMickaël Salaün */ 70*90945448SMickaël Salaün struct rcu_head rcu_free; 71*90945448SMickaël Salaün /** 72*90945448SMickaël Salaün * @underops: Enables landlock_put_object() to release the 73*90945448SMickaël Salaün * underlying object (e.g. inode). 74*90945448SMickaël Salaün */ 75*90945448SMickaël Salaün const struct landlock_object_underops *underops; 76*90945448SMickaël Salaün }; 77*90945448SMickaël Salaün }; 78*90945448SMickaël Salaün 79*90945448SMickaël Salaün struct landlock_object *landlock_create_object( 80*90945448SMickaël Salaün const struct landlock_object_underops *const underops, 81*90945448SMickaël Salaün void *const underobj); 82*90945448SMickaël Salaün 83*90945448SMickaël Salaün void landlock_put_object(struct landlock_object *const object); 84*90945448SMickaël Salaün 85*90945448SMickaël Salaün static inline void landlock_get_object(struct landlock_object *const object) 86*90945448SMickaël Salaün { 87*90945448SMickaël Salaün if (object) 88*90945448SMickaël Salaün refcount_inc(&object->usage); 89*90945448SMickaël Salaün } 90*90945448SMickaël Salaün 91*90945448SMickaël Salaün #endif /* _SECURITY_LANDLOCK_OBJECT_H */ 92