security/selinux/ss/sidtab.h

   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 /*
   3  * A security identifier table (sidtab) is a lookup table
   4  * of security context structures indexed by SID value.
   5  *
   6  * Original author: Stephen Smalley, <sds@tycho.nsa.gov>
   7  * Author: Ondrej Mosnacek, <omosnacek@gmail.com>
   8  *
   9  * Copyright (C) 2018 Red Hat, Inc.
  10  */
  11 #ifndef _SS_SIDTAB_H_
  12 #define _SS_SIDTAB_H_
  13
  14 #include <linux/spinlock_types.h>
  15 #include <linux/log2.h>
  16
  17 #include "context.h"
  18
  19 struct sidtab_entry_leaf {
  20         struct context context;
  21 };
  22
  23 struct sidtab_node_inner;
  24 struct sidtab_node_leaf;
  25
  26 union sidtab_entry_inner {
  27         struct sidtab_node_inner *ptr_inner;
  28         struct sidtab_node_leaf  *ptr_leaf;
  29 };
  30
  31 /* align node size to page boundary */
  32 #define SIDTAB_NODE_ALLOC_SHIFT PAGE_SHIFT
  33 #define SIDTAB_NODE_ALLOC_SIZE  PAGE_SIZE
  34
  35 #define size_to_shift(size) ((size) == 1 ? 1 : (const_ilog2((size) - 1) + 1))
  36
  37 #define SIDTAB_INNER_SHIFT \
  38         (SIDTAB_NODE_ALLOC_SHIFT - size_to_shift(sizeof(union sidtab_entry_inner)))
  39 #define SIDTAB_INNER_ENTRIES ((size_t)1 << SIDTAB_INNER_SHIFT)
  40 #define SIDTAB_LEAF_ENTRIES \
  41         (SIDTAB_NODE_ALLOC_SIZE / sizeof(struct sidtab_entry_leaf))
  42
  43 #define SIDTAB_MAX_BITS 31 /* limited to INT_MAX due to atomic_t range */
  44 #define SIDTAB_MAX (((u32)1 << SIDTAB_MAX_BITS) - 1)
  45 /* ensure enough tree levels for SIDTAB_MAX entries */
  46 #define SIDTAB_MAX_LEVEL \
  47         DIV_ROUND_UP(SIDTAB_MAX_BITS - size_to_shift(SIDTAB_LEAF_ENTRIES), \
  48                      SIDTAB_INNER_SHIFT)
  49
  50 struct sidtab_node_leaf {
  51         struct sidtab_entry_leaf entries[SIDTAB_LEAF_ENTRIES];
  52 };
  53
  54 struct sidtab_node_inner {
  55         union sidtab_entry_inner entries[SIDTAB_INNER_ENTRIES];
  56 };
  57
  58 struct sidtab_isid_entry {
  59         int set;
  60         struct context context;
  61 };
  62
  63 struct sidtab_convert_params {
  64         int (*func)(struct context *oldc, struct context *newc, void *args);
  65         void *args;
  66         struct sidtab *target;
  67 };
  68
  69 #define SIDTAB_RCACHE_SIZE 3
  70
  71 struct sidtab {
  72         union sidtab_entry_inner roots[SIDTAB_MAX_LEVEL + 1];
  73         atomic_t count;
  74         struct sidtab_convert_params *convert;
  75         spinlock_t lock;
  76
  77         /* reverse lookup cache */
  78         atomic_t rcache[SIDTAB_RCACHE_SIZE];
  79
  80         /* index == SID - 1 (no entry for SECSID_NULL) */
  81         struct sidtab_isid_entry isids[SECINITSID_NUM];
  82 };
  83
  84 int sidtab_init(struct sidtab *s);
  85 int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context);
  86 struct context *sidtab_search(struct sidtab *s, u32 sid);
  87 struct context *sidtab_search_force(struct sidtab *s, u32 sid);
  88
  89 int sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params);
  90
  91 int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid);
  92
  93 void sidtab_destroy(struct sidtab *s);
  94
  95 #endif  /* _SS_SIDTAB_H_ */
  96
  97