1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | /* |
3 | * SafeSetID Linux Security Module |
4 | * |
5 | * Author: Micah Morton <mortonm@chromium.org> |
6 | * |
7 | * Copyright (C) 2018 The Chromium OS Authors. |
8 | * |
9 | * This program is free software; you can redistribute it and/or modify |
10 | * it under the terms of the GNU General Public License version 2, as |
11 | * published by the Free Software Foundation. |
12 | * |
13 | */ |
14 | #ifndef _SAFESETID_H |
15 | #define _SAFESETID_H |
16 | |
17 | #include <linux/types.h> |
18 | #include <linux/uidgid.h> |
19 | #include <linux/hashtable.h> |
20 | |
21 | /* Flag indicating whether initialization completed */ |
22 | extern int safesetid_initialized __initdata; |
23 | |
24 | enum sid_policy_type { |
25 | SIDPOL_DEFAULT, /* source ID is unaffected by policy */ |
26 | SIDPOL_CONSTRAINED, /* source ID is affected by policy */ |
27 | SIDPOL_ALLOWED /* target ID explicitly allowed */ |
28 | }; |
29 | |
30 | typedef union { |
31 | kuid_t uid; |
32 | kgid_t gid; |
33 | } kid_t; |
34 | |
35 | enum setid_type { |
36 | UID, |
37 | GID |
38 | }; |
39 | |
40 | /* |
41 | * Hash table entry to store safesetid policy signifying that 'src_id' |
42 | * can set*id to 'dst_id'. |
43 | */ |
44 | struct setid_rule { |
45 | struct hlist_node next; |
46 | kid_t src_id; |
47 | kid_t dst_id; |
48 | |
49 | /* Flag to signal if rule is for UID's or GID's */ |
50 | enum setid_type type; |
51 | }; |
52 | |
53 | #define SETID_HASH_BITS 8 /* 256 buckets in hash table */ |
54 | |
55 | /* Extension of INVALID_UID/INVALID_GID for kid_t type */ |
56 | #define INVALID_ID (kid_t){.uid = INVALID_UID} |
57 | |
58 | struct setid_ruleset { |
59 | DECLARE_HASHTABLE(rules, SETID_HASH_BITS); |
60 | char *policy_str; |
61 | struct rcu_head rcu; |
62 | |
63 | //Flag to signal if ruleset is for UID's or GID's |
64 | enum setid_type type; |
65 | }; |
66 | |
67 | enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy, |
68 | kid_t src, kid_t dst); |
69 | |
70 | extern struct setid_ruleset __rcu *safesetid_setuid_rules; |
71 | extern struct setid_ruleset __rcu *safesetid_setgid_rules; |
72 | |
73 | #endif /* _SAFESETID_H */ |
74 | |