root/security/selinux/ss/sidtab.h




   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 /*
   3  * A security identifier table (sidtab) is a lookup table
   4  * of security context structures indexed by SID value.
   5  *
   6  * Original author: Stephen Smalley, <sds@tycho.nsa.gov>
   7  * Author: Ondrej Mosnacek, <omosnacek@gmail.com>
   8  *
   9  * Copyright (C) 2018 Red Hat, Inc.
  10  */
  11 #ifndef _SS_SIDTAB_H_
  12 #define _SS_SIDTAB_H_
  13 
  14 #include <linux/spinlock_types.h>
  15 #include <linux/log2.h>
  16 
  17 #include "context.h"
  18 
/*
 * One slot of a leaf node: the security context of a single SID.  The SID
 * itself is not stored here -- the only member is the context -- so it is
 * implied by the slot's position in the tree (the index arithmetic is done
 * by the lookup code, not in this header).  SIDTAB_LEAF_ENTRIES of these
 * fill one page-sized leaf node, so sizeof(struct context) directly
 * determines the leaf fan-out.
 */
struct sidtab_entry_leaf {
        struct context context;
};
  22 
/*
 * Forward declarations: union sidtab_entry_inner below holds pointers to
 * both node types, but the node types are defined after it (struct
 * sidtab_node_inner is itself sized from sizeof(union sidtab_entry_inner)
 * via SIDTAB_INNER_ENTRIES, so the union has to come first).
 */
struct sidtab_node_inner;
struct sidtab_node_leaf;
  25 
/*
 * One slot of an inner node: a pointer to either a further inner node or
 * a leaf node.  There is no tag member, so which pointer is live is NOT
 * recorded in the slot; it has to follow from the slot's depth in the tree
 * (presumably ptr_leaf at the lowest inner level and ptr_inner above it --
 * confirm against the tree walk in sidtab.c).  Code that reads a slot must
 * therefore always know which level it is on.
 */
union sidtab_entry_inner {
        struct sidtab_node_inner *ptr_inner;
        struct sidtab_node_leaf  *ptr_leaf;
};
  30 
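/* align node size to page boundary */
#define SIDTAB_NODE_ALLOC_SHIFT PAGE_SHIFT
#define SIDTAB_NODE_ALLOC_SIZE  PAGE_SIZE

/*
 * Ceiling log2 of a constant size: the smallest shift s with
 * (1 << s) >= size, for size >= 2.  size == 1 is special-cased because
 * const_ilog2(0) is undefined; note that it yields 1, not 0.
 *
 * The argument is evaluated more than once and must be an integer constant
 * expression (the result ends up in array bounds), so only pass sizeof()
 * or macro constants.
 */
#define size_to_shift(size) ((size) == 1 ? 1 : (const_ilog2((size) - 1) + 1))

/*
 * Inner nodes hold pointer-sized slots, so their fan-out is an exact power
 * of two: SIDTAB_INNER_ENTRIES slots fill one SIDTAB_NODE_ALLOC_SIZE node.
 */
#define SIDTAB_INNER_SHIFT \
        (SIDTAB_NODE_ALLOC_SHIFT - size_to_shift(sizeof(union sidtab_entry_inner)))
#define SIDTAB_INNER_ENTRIES ((size_t)1 << SIDTAB_INNER_SHIFT)
/*
 * Leaf fan-out is however many struct sidtab_entry_leaf fit in one node.
 * Unlike the inner fan-out this is generally NOT a power of two, since
 * sizeof(struct context) is arbitrary.
 */
#define SIDTAB_LEAF_ENTRIES \
        (SIDTAB_NODE_ALLOC_SIZE / sizeof(struct sidtab_entry_leaf))

/* SIDs are 32-bit (see the u32 parameters below); the table can never
 * need to address more than U32_MAX entries. */
#define SIDTAB_MAX_BITS 32
#define SIDTAB_MAX U32_MAX
/*
 * Number of inner levels needed so that a tree of this depth can address
 * SIDTAB_MAX entries, i.e. the smallest L with
 *
 *   SIDTAB_LEAF_ENTRIES * SIDTAB_INNER_ENTRIES^L >= 2^SIDTAB_MAX_BITS.
 *
 * The leaf term is bounded with const_ilog2() (floor log2) rather than
 * size_to_shift() (ceiling log2).  Rounding the leaf coverage UP when
 * SIDTAB_LEAF_ENTRIES is not a power of two credits the leaves with more
 * entries than they actually hold, and yields one level too few whenever
 * (SIDTAB_MAX_BITS - ceil_log2(LEAF)) happens to be an exact multiple of
 * SIDTAB_INNER_SHIFT; since roots[] in struct sidtab is sized from this
 * value, that would be an undersized roots[] array (whether the lookup
 * code bounds-checks the level before indexing roots[] is not visible from
 * this header).  With floor log2 the bound is provable for every page size
 * and context size: INNER_ENTRIES^L >= 2^(MAX_BITS - floor_log2(LEAF)) and
 * LEAF >= 2^floor_log2(LEAF), so the product is >= 2^MAX_BITS.  The two
 * formulas agree except in the exact-multiple case above, where this one
 * is larger by one.
 */
#define SIDTAB_MAX_LEVEL \
        DIV_ROUND_UP(SIDTAB_MAX_BITS - const_ilog2(SIDTAB_LEAF_ENTRIES), \
                     SIDTAB_INNER_SHIFT)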
  49 
/*
 * A leaf node: an array of SIDTAB_LEAF_ENTRIES contexts.  Because the
 * entry count is PAGE_SIZE / sizeof(entry) the node is at most
 * SIDTAB_NODE_ALLOC_SIZE bytes; any remainder of the page is simply unused.
 */
struct sidtab_node_leaf {
        struct sidtab_entry_leaf entries[SIDTAB_LEAF_ENTRIES];
};
  53 
/*
 * An inner node: exactly SIDTAB_INNER_ENTRIES (= 2^SIDTAB_INNER_SHIFT)
 * child slots.  When the union is pointer-sized and a power of two this
 * fills SIDTAB_NODE_ALLOC_SIZE bytes exactly.
 */
struct sidtab_node_inner {
        union sidtab_entry_inner entries[SIDTAB_INNER_ENTRIES];
};
  57 
/*
 * Slot of the initial-SID array (struct sidtab::isids).  Initial SIDs are
 * kept outside the tree in a fixed-size array.
 *
 * @set:     non-zero once a context has been installed in this slot
 *           (presumably by sidtab_set_initial(); sidtab.c is not visible
 *           here).  Treat @context as valid only when @set is non-zero.
 * @context: the security context for this initial SID.
 */
struct sidtab_isid_entry {
        int set;
        struct context context;
};
  62 
/*
 * Parameters for sidtab_convert(): how to translate existing entries into
 * a new table.
 *
 * @func:   called per entry with the existing context (@oldc) and the
 *          entry to fill in the new table (@newc); @args is passed through
 *          untouched.  Its int return is presumably 0 on success / negative
 *          errno on failure (kernel convention) -- confirm in sidtab.c.
 * @args:   opaque cookie handed to @func.
 * @target: the sidtab that receives the converted contexts.
 *
 * struct sidtab holds a pointer to one of these while a conversion is in
 * progress (its @convert member, "access only under spinlock"), so the
 * object presumably has to outlive the conversion it describes.
 */
struct sidtab_convert_params {
        int (*func)(struct context *oldc, struct context *newc, void *args);
        void *args;
        struct sidtab *target;
};
  68 
/*
 * Number of slots in the reverse-lookup cache (struct sidtab::rcache), a
 * tiny array of recently used SIDs, presumably consulted by
 * sidtab_context_to_sid() before walking the whole table.
 */
#define SIDTAB_RCACHE_SIZE 3
  70 
/*
 * The SID table proper.  Dynamically allocated entries live in a tree of
 * page-sized nodes; @roots has SIDTAB_MAX_LEVEL + 1 slots, apparently one
 * root per possible tree depth.  The initial SIDs are stored separately in
 * @isids.
 *
 * Concurrency contract, as documented on the fields:
 *  - Readers may walk the tree without @lock, but only for indices below
 *    a value of @count they read beforehand; slots at or beyond that count
 *    may still be under construction.
 *  - @count is accessed with READ_ONCE()/WRITE_ONCE() and only ever
 *    incremented, under @lock.  NOTE(review): READ_ONCE/WRITE_ONCE alone
 *    do not order the entry stores before the count store; the writer must
 *    publish the entry before bumping @count, and the reader must not use
 *    an entry before observing the count, with appropriate barriers --
 *    this header only states the access discipline, confirm in sidtab.c.
 *  - @convert is only touched under @lock.
 *  - @rcache holds plain u32 SIDs accessed with READ_ONCE()/WRITE_ONCE();
 *    a cached SID is presumably a hint that is re-validated against the
 *    table rather than trusted outright -- confirm in the lookup code.
 */
struct sidtab {
        /*
         * lock-free read access only for as many items as a prior read of
         * 'count'
         */
        union sidtab_entry_inner roots[SIDTAB_MAX_LEVEL + 1];
        /*
         * access atomically via {READ|WRITE}_ONCE(); only increment under
         * spinlock
         */
        u32 count;
        /* access only under spinlock */
        struct sidtab_convert_params *convert;
        spinlock_t lock;

        /* reverse lookup cache - access atomically via {READ|WRITE}_ONCE() */
        u32 rcache[SIDTAB_RCACHE_SIZE];

        /*
         * index == SID - 1 (no entry for SECSID_NULL), so only SIDs in
         * 1..SECINITSID_NUM may index this array; a SID must be range-checked
         * before it is used here (SECINITSID_NUM is defined elsewhere, not
         * in this header).
         */
        struct sidtab_isid_entry isids[SECINITSID_NUM];
};
  92 
/*
 * Initialise @s (empty tree, isids unset, lock initialised -- presumed
 * from the struct layout).  Returns 0 on success, negative errno on failure
 * (kernel convention; the header does not state it).
 */
int sidtab_init(struct sidtab *s);
/*
 * Install @context for initial SID @sid in @s->isids.  Judging by the
 * layout of isids, @sid must be in 1..SECINITSID_NUM (index sid - 1);
 * whether the implementation rejects other values is not visible here.
 */
int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context);
/*
 * SID -> context.  Returns a pointer into the table -- callers must not
 * free it, and it is only as long-lived as the table -- or NULL when @sid
 * has no entry (the NULL case is presumed from the pointer return; confirm
 * in sidtab.c).
 */
struct context *sidtab_search(struct sidtab *s, u32 sid);
/*
 * "Force" variant of sidtab_search().  How it differs (presumably in what
 * it is willing to return for SIDs the plain lookup rejects) is defined in
 * sidtab.c, not here; prefer sidtab_search() unless the need for this one
 * is understood.
 */
struct context *sidtab_search_force(struct sidtab *s, u32 sid);

/*
 * Convert every entry of @s into params->target through params->func (see
 * struct sidtab_convert_params).  @s->convert is "access only under
 * spinlock", so this presumably takes @s->lock.  Returns 0 or negative errno.
 */
int sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params);

/*
 * Context -> SID (reverse lookup).  On success stores the SID in *@sid and
 * returns 0; negative errno on failure.  Of the functions declared here it
 * is the only one that can grow the tree, so it presumably allocates a new
 * SID when @context is not yet present -- confirm in sidtab.c.
 */
int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid);

/*
 * Release the nodes and contexts owned by @s.  @s is passed by pointer and
 * presumably caller-owned, i.e. not freed here.
 */
void sidtab_destroy(struct sidtab *s);
 103 
 104 #endif  /* _SS_SIDTAB_H_ */
 105 
 106 
