1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * SafeSetID Linux Security Module
4 *
5 * Author: Micah Morton <mortonm@chromium.org>
6 *
7 * Copyright (C) 2018 The Chromium OS Authors.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2, as
11 * published by the Free Software Foundation.
12 *
13 */
14#ifndef _SAFESETID_H
15#define _SAFESETID_H
16
17#include <linux/types.h>
18#include <linux/uidgid.h>
19#include <linux/hashtable.h>
20
21/* Flag indicating whether initialization completed */
22extern int safesetid_initialized __initdata;
23
24enum sid_policy_type {
25 SIDPOL_DEFAULT, /* source ID is unaffected by policy */
26 SIDPOL_CONSTRAINED, /* source ID is affected by policy */
27 SIDPOL_ALLOWED /* target ID explicitly allowed */
28};
29
30typedef union {
31 kuid_t uid;
32 kgid_t gid;
33} kid_t;
34
35enum setid_type {
36 UID,
37 GID
38};
39
40/*
41 * Hash table entry to store safesetid policy signifying that 'src_id'
42 * can set*id to 'dst_id'.
43 */
44struct setid_rule {
45 struct hlist_node next;
46 kid_t src_id;
47 kid_t dst_id;
48
49 /* Flag to signal if rule is for UID's or GID's */
50 enum setid_type type;
51};
52
53#define SETID_HASH_BITS 8 /* 256 buckets in hash table */
54
55/* Extension of INVALID_UID/INVALID_GID for kid_t type */
56#define INVALID_ID (kid_t){.uid = INVALID_UID}
57
58struct setid_ruleset {
59 DECLARE_HASHTABLE(rules, SETID_HASH_BITS);
60 char *policy_str;
61 struct rcu_head rcu;
62
63 //Flag to signal if ruleset is for UID's or GID's
64 enum setid_type type;
65};
66
67enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy,
68 kid_t src, kid_t dst);
69
70extern struct setid_ruleset __rcu *safesetid_setuid_rules;
71extern struct setid_ruleset __rcu *safesetid_setgid_rules;
72
73#endif /* _SAFESETID_H */
74

source code of linux/security/safesetid/lsm.h