• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * A security identifier table (sidtab) is a lookup table
4  * of security context structures indexed by SID value.
5  *
6  * Original author: Stephen Smalley, <sds@tycho.nsa.gov>
7  * Author: Ondrej Mosnacek, <omosnacek@gmail.com>
8  *
9  * Copyright (C) 2018 Red Hat, Inc.
10  */
11 #ifndef _SS_SIDTAB_H_
12 #define _SS_SIDTAB_H_
13 
14 #include <linux/spinlock_types.h>
15 #include <linux/log2.h>
16 #include <linux/hashtable.h>
17 
18 #include "context.h"
19 
20 struct sidtab_entry_leaf {
21 	u32 sid;
22 	struct context context;
23 	struct hlist_node list;
24 };
25 
26 struct sidtab_node_inner;
27 struct sidtab_node_leaf;
28 
29 union sidtab_entry_inner {
30 	struct sidtab_node_inner *ptr_inner;
31 	struct sidtab_node_leaf  *ptr_leaf;
32 };
33 
34 /* align node size to page boundary */
35 #define SIDTAB_NODE_ALLOC_SHIFT PAGE_SHIFT
36 #define SIDTAB_NODE_ALLOC_SIZE  PAGE_SIZE
37 
38 #define size_to_shift(size) ((size) == 1 ? 1 : (const_ilog2((size) - 1) + 1))
39 
40 #define SIDTAB_INNER_SHIFT \
41 	(SIDTAB_NODE_ALLOC_SHIFT - size_to_shift(sizeof(union sidtab_entry_inner)))
42 #define SIDTAB_INNER_ENTRIES ((size_t)1 << SIDTAB_INNER_SHIFT)
43 #define SIDTAB_LEAF_ENTRIES \
44 	(SIDTAB_NODE_ALLOC_SIZE / sizeof(struct sidtab_entry_leaf))
45 
46 #define SIDTAB_MAX_BITS 32
47 #define SIDTAB_MAX U32_MAX
48 /* ensure enough tree levels for SIDTAB_MAX entries */
49 #define SIDTAB_MAX_LEVEL \
50 	DIV_ROUND_UP(SIDTAB_MAX_BITS - size_to_shift(SIDTAB_LEAF_ENTRIES), \
51 		     SIDTAB_INNER_SHIFT)
52 
53 struct sidtab_node_leaf {
54 	struct sidtab_entry_leaf entries[SIDTAB_LEAF_ENTRIES];
55 };
56 
57 struct sidtab_node_inner {
58 	union sidtab_entry_inner entries[SIDTAB_INNER_ENTRIES];
59 };
60 
61 struct sidtab_isid_entry {
62 	int set;
63 	struct sidtab_entry_leaf leaf;
64 };
65 
66 struct sidtab_convert_params {
67 	int (*func)(struct context *oldc, struct context *newc, void *args);
68 	void *args;
69 	struct sidtab *target;
70 };
71 
72 #define SIDTAB_HASH_BITS CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS
73 #define SIDTAB_HASH_BUCKETS (1 << SIDTAB_HASH_BITS)
74 
75 struct sidtab {
76 	/*
77 	 * lock-free read access only for as many items as a prior read of
78 	 * 'count'
79 	 */
80 	union sidtab_entry_inner roots[SIDTAB_MAX_LEVEL + 1];
81 	/*
82 	 * access atomically via {READ|WRITE}_ONCE(); only increment under
83 	 * spinlock
84 	 */
85 	u32 count;
86 	/* access only under spinlock */
87 	struct sidtab_convert_params *convert;
88 	spinlock_t lock;
89 
90 	/* index == SID - 1 (no entry for SECSID_NULL) */
91 	struct sidtab_isid_entry isids[SECINITSID_NUM];
92 
93 	/* Hash table for fast reverse context-to-sid lookups. */
94 	DECLARE_HASHTABLE(context_to_sid, SIDTAB_HASH_BITS);
95 };
96 
97 int sidtab_init(struct sidtab *s);
98 int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context);
99 struct context *sidtab_search(struct sidtab *s, u32 sid);
100 struct context *sidtab_search_force(struct sidtab *s, u32 sid);
101 
102 int sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params);
103 
104 int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid);
105 
106 void sidtab_destroy(struct sidtab *s);
107 
108 int sidtab_hash_stats(struct sidtab *sidtab, char *page);
109 
110 #endif	/* _SS_SIDTAB_H_ */
111 
112 
113