/* SPDX-License-Identifier: GPL-2.0-only */ /* * Landlock LSM - Ruleset management * * Copyright © 2016-2020 Mickaël Salaün <[email protected]> * Copyright © 2018-2020 ANSSI */ #ifndef _SECURITY_LANDLOCK_RULESET_H #define _SECURITY_LANDLOCK_RULESET_H #include <linux/bitops.h> #include <linux/build_bug.h> #include <linux/mutex.h> #include <linux/rbtree.h> #include <linux/refcount.h> #include <linux/workqueue.h> #include <uapi/linux/landlock.h> #include "limits.h" #include "object.h" /* * All access rights that are denied by default whether they are handled or not * by a ruleset/layer. This must be ORed with all ruleset->access_masks[] * entries when we need to get the absolute handled access masks. */ /* clang-format off */ #define LANDLOCK_ACCESS_FS_INITIALLY_DENIED … /* clang-format on */ access_mask_t; /* Makes sure all filesystem access rights can be stored. */ static_assert(…); /* Makes sure all network access rights can be stored. */ static_assert(…); /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */ static_assert(…); /* Ruleset access masks. */ struct access_masks { … }; layer_mask_t; /* Makes sure all layers can be checked. */ static_assert(…); /** * struct landlock_layer - Access rights for a given layer */ struct landlock_layer { … }; /** * union landlock_key - Key of a ruleset's red-black tree */ landlock_key; /** * enum landlock_key_type - Type of &union landlock_key */ enum landlock_key_type { … }; /** * struct landlock_id - Unique rule identifier for a ruleset */ struct landlock_id { … }; /** * struct landlock_rule - Access rights tied to an object */ struct landlock_rule { … }; /** * struct landlock_hierarchy - Node in a ruleset hierarchy */ struct landlock_hierarchy { … }; /** * struct landlock_ruleset - Landlock ruleset * * This data structure must contain unique entries, be updatable, and quick to * match an object. */ struct landlock_ruleset { … }; struct landlock_ruleset * landlock_create_ruleset(const access_mask_t access_mask_fs, const access_mask_t access_mask_net); void landlock_put_ruleset(struct landlock_ruleset *const ruleset); void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset); int landlock_insert_rule(struct landlock_ruleset *const ruleset, const struct landlock_id id, const access_mask_t access); struct landlock_ruleset * landlock_merge_ruleset(struct landlock_ruleset *const parent, struct landlock_ruleset *const ruleset); const struct landlock_rule * landlock_find_rule(const struct landlock_ruleset *const ruleset, const struct landlock_id id); static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) { … } static inline void landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, const access_mask_t fs_access_mask, const u16 layer_level) { … } static inline void landlock_add_net_access_mask(struct landlock_ruleset *const ruleset, const access_mask_t net_access_mask, const u16 layer_level) { … } static inline access_mask_t landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset, const u16 layer_level) { … } static inline access_mask_t landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset, const u16 layer_level) { … } static inline access_mask_t landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset, const u16 layer_level) { … } bool landlock_unmask_layers(const struct landlock_rule *const rule, const access_mask_t access_request, layer_mask_t (*const layer_masks)[], const size_t masks_array_size); access_mask_t landlock_init_layer_masks(const struct landlock_ruleset *const domain, const access_mask_t access_request, layer_mask_t (*const layer_masks)[], const enum landlock_key_type key_type); #endif /* _SECURITY_LANDLOCK_RULESET_H */
Codebase Browser
linux