/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Landlock LSM - Object management
*
* Copyright © 2016-2020 Mickaël Salaün <[email protected]>
* Copyright © 2018-2020 ANSSI
*/
#ifndef _SECURITY_LANDLOCK_OBJECT_H
#define _SECURITY_LANDLOCK_OBJECT_H
#include <linux/compiler_types.h>
#include <linux/refcount.h>
#include <linux/spinlock.h>
struct landlock_object;
/**
* struct landlock_object_underops - Operations on an underlying object
*/
struct landlock_object_underops {
/**
* @release: Releases the underlying object (e.g. iput() for an inode).
*/
void (*release)(struct landlock_object *const object)
__releases(object->lock);
};
/**
* struct landlock_object - Security blob tied to a kernel object
*
* The goal of this structure is to enable to tie a set of ephemeral access
* rights (pertaining to different domains) to a kernel object (e.g an inode)
* in a safe way. This implies to handle concurrent use and modification.
*
* The lifetime of a &struct landlock_object depends on the rules referring to
* it.
*/
struct landlock_object {
/**
* @usage: This counter is used to tie an object to the rules matching
* it or to keep it alive while adding a new rule. If this counter
* reaches zero, this struct must not be modified, but this counter can
* still be read from within an RCU read-side critical section. When
* adding a new rule to an object with a usage counter of zero, we must
* wait until the pointer to this object is set to NULL (or recycled).
*/
refcount_t usage;
/**
* @lock: Protects against concurrent modifications. This lock must be
* held from the time @usage drops to zero until any weak references
* from @underobj to this object have been cleaned up.
*
* Lock ordering: inode->i_lock nests inside this.
*/
spinlock_t lock;
/**
* @underobj: Used when cleaning up an object and to mark an object as
* tied to its underlying kernel structure. This pointer is protected
* by @lock. Cf. landlock_release_inodes() and release_inode().
*/
void *underobj;
union {
/**
* @rcu_free: Enables lockless use of @usage, @lock and
* @underobj from within an RCU read-side critical section.
* @rcu_free and @underops are only used by
* landlock_put_object().
*/
struct rcu_head rcu_free;
/**
* @underops: Enables landlock_put_object() to release the
* underlying object (e.g. inode).
*/
const struct landlock_object_underops *underops;
};
};
struct landlock_object *
landlock_create_object(const struct landlock_object_underops *const underops,
void *const underobj);
void landlock_put_object(struct landlock_object *const object);
static inline void landlock_get_object(struct landlock_object *const object)
{
if (object)
refcount_inc(&object->usage);
}
#endif /* _SECURITY_LANDLOCK_OBJECT_H */