Mickaël Salaün | 385975d | 2021-04-22 17:41:13 +0200 | [diff] [blame] | 1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
| 2 | /* |
| 3 | * Landlock LSM - Credential hooks |
| 4 | * |
| 5 | * Copyright © 2019-2020 Mickaël Salaün <mic@digikod.net> |
| 6 | * Copyright © 2019-2020 ANSSI |
| 7 | */ |
| 8 | |
| 9 | #ifndef _SECURITY_LANDLOCK_CRED_H |
| 10 | #define _SECURITY_LANDLOCK_CRED_H |
| 11 | |
| 12 | #include <linux/cred.h> |
| 13 | #include <linux/init.h> |
| 14 | #include <linux/rcupdate.h> |
| 15 | |
| 16 | #include "ruleset.h" |
| 17 | #include "setup.h" |
| 18 | |
/**
 * struct landlock_cred_security - Landlock's slot in a credential's LSM blob
 *
 * @domain: Ruleset pointer stored with the credentials.  The accessors in
 *          this header treat a NULL pointer as "no Landlock domain" (see
 *          landlocked()).
 */
struct landlock_cred_security {
	struct landlock_ruleset *domain;
};
| 22 | |
/**
 * landlock_cred - Locate Landlock's slot inside a credential security blob
 *
 * @cred: Credentials whose ->security blob is indexed.  Not checked for NULL.
 *
 * Return: @cred->security advanced by landlock_blob_sizes.lbs_cred bytes,
 * typed as a struct landlock_cred_security pointer.
 *
 * NOTE(review): the returned pointer is not const even though @cred is, so
 * a caller holding read-only credentials can still write through it.
 * Read-only callers should assign the result to a const-qualified pointer.
 */
static inline struct landlock_cred_security *
landlock_cred(const struct cred *cred)
{
	void *const blob = cred->security;

	/* Byte offset into the blob; relies on void pointer arithmetic. */
	return blob + landlock_blob_sizes.lbs_cred;
}
| 28 | |
/**
 * landlock_get_current_domain - Read the domain of the calling task
 *
 * Looks up the Landlock slot of current_cred() and returns its ->domain
 * pointer as-is.  No reference is taken on the ruleset here, and no RCU
 * read lock is taken by this helper.
 *
 * Return: The domain pointer, which landlocked() treats as "unrestricted"
 * when it is NULL.
 */
static inline const struct landlock_ruleset *landlock_get_current_domain(void)
{
	const struct landlock_cred_security *const sec =
		landlock_cred(current_cred());

	return sec->domain;
}
| 33 | |
/**
 * landlock_get_task_domain - Read the domain of an arbitrary task
 *
 * @task: Task whose credentials are inspected through __task_cred().
 *
 * The caller must already be inside an RCU read-side critical section.
 * This helper does not take the lock itself and does not take a reference
 * on the ruleset, so the returned pointer must not be used once that
 * section has ended.
 *
 * Return: The ->domain pointer found in @task's credentials.
 */
static inline const struct landlock_ruleset *
landlock_get_task_domain(const struct task_struct *const task)
{
	const struct landlock_cred_security *const sec =
		landlock_cred(__task_cred(task));

	return sec->domain;
}
| 42 | |
/**
 * landlocked - Tell whether a task has a Landlock domain
 *
 * @task: Task to test; may be current or any other task.
 *
 * For current, the domain is read directly from its own credentials.  For
 * any other task, the lookup is wrapped in rcu_read_lock() and
 * rcu_read_unlock(), as landlock_get_task_domain() requires.  Only the
 * NULL/non-NULL state of the pointer leaves the critical section, never
 * the pointer itself.
 *
 * The result is a snapshot.  Nothing here pins @task's credentials once the
 * RCU read lock is dropped, so callers making a security decision about
 * another task should not assume the answer stays valid.
 *
 * Return: true if a domain pointer is set, false otherwise.
 */
static inline bool landlocked(const struct task_struct *const task)
{
	bool restricted;

	if (task != current) {
		/* Foreign credentials: only dereference them under RCU. */
		rcu_read_lock();
		restricted = !!landlock_get_task_domain(task);
		rcu_read_unlock();
		return restricted;
	}

	return !!landlock_get_current_domain();
}
| 55 | |
/*
 * Defined outside this header.  Being __init, it lives in the kernel's init
 * section and must only be called during boot-time initialisation.
 * Presumably it registers the credential hooks named in the file header;
 * confirm against the definition.
 */
void __init landlock_add_cred_hooks(void);
| 57 | |
| 58 | #endif /* _SECURITY_LANDLOCK_CRED_H */ |