1 // SPDX-License-Identifier: GPL-2.0
2
3 // Copyright (C) 2024 Google LLC.
4
5 //! Linux Security Modules (LSM).
6 //!
7 //! C header: [`include/linux/security.h`](srctree/include/linux/security.h).
8
9 use crate::{
10 bindings,
11 cred::Credential,
12 error::{to_result, Result},
13 fs::File,
14 };
15
16 /// Calls the security modules to determine if the given task can become the manager of a binder
17 /// context.
18 #[inline]
binder_set_context_mgr(mgr: &Credential) -> Result19 pub fn binder_set_context_mgr(mgr: &Credential) -> Result {
20 // SAFETY: `mrg.0` is valid because the shared reference guarantees a nonzero refcount.
21 to_result(unsafe { bindings::security_binder_set_context_mgr(mgr.as_ptr()) })
22 }
23
24 /// Calls the security modules to determine if binder transactions are allowed from task `from` to
25 /// task `to`.
26 #[inline]
binder_transaction(from: &Credential, to: &Credential) -> Result27 pub fn binder_transaction(from: &Credential, to: &Credential) -> Result {
28 // SAFETY: `from` and `to` are valid because the shared references guarantee nonzero refcounts.
29 to_result(unsafe { bindings::security_binder_transaction(from.as_ptr(), to.as_ptr()) })
30 }
31
32 /// Calls the security modules to determine if task `from` is allowed to send binder objects
33 /// (owned by itself or other processes) to task `to` through a binder transaction.
34 #[inline]
binder_transfer_binder(from: &Credential, to: &Credential) -> Result35 pub fn binder_transfer_binder(from: &Credential, to: &Credential) -> Result {
36 // SAFETY: `from` and `to` are valid because the shared references guarantee nonzero refcounts.
37 to_result(unsafe { bindings::security_binder_transfer_binder(from.as_ptr(), to.as_ptr()) })
38 }
39
40 /// Calls the security modules to determine if task `from` is allowed to send the given file to
41 /// task `to` (which would get its own file descriptor) through a binder transaction.
42 #[inline]
binder_transfer_file(from: &Credential, to: &Credential, file: &File) -> Result43 pub fn binder_transfer_file(from: &Credential, to: &Credential, file: &File) -> Result {
44 // SAFETY: `from`, `to` and `file` are valid because the shared references guarantee nonzero
45 // refcounts.
46 to_result(unsafe {
47 bindings::security_binder_transfer_file(from.as_ptr(), to.as_ptr(), file.as_ptr())
48 })
49 }
50
51 /// A security context string.
52 ///
53 /// # Invariants
54 ///
55 /// The `secdata` and `seclen` fields correspond to a valid security context as returned by a
56 /// successful call to `security_secid_to_secctx`, that has not yet been destroyed by calling
57 /// `security_release_secctx`.
58 pub struct SecurityCtx {
59 secdata: *mut crate::ffi::c_char,
60 seclen: usize,
61 }
62
63 impl SecurityCtx {
64 /// Get the security context given its id.
65 #[inline]
from_secid(secid: u32) -> Result<Self>66 pub fn from_secid(secid: u32) -> Result<Self> {
67 let mut secdata = core::ptr::null_mut();
68 let mut seclen = 0u32;
69 // SAFETY: Just a C FFI call. The pointers are valid for writes.
70 to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut secdata, &mut seclen) })?;
71
72 // INVARIANT: If the above call did not fail, then we have a valid security context.
73 Ok(Self {
74 secdata,
75 seclen: seclen as usize,
76 })
77 }
78
79 /// Returns whether the security context is empty.
80 #[inline]
is_empty(&self) -> bool81 pub fn is_empty(&self) -> bool {
82 self.seclen == 0
83 }
84
85 /// Returns the length of this security context.
86 #[inline]
len(&self) -> usize87 pub fn len(&self) -> usize {
88 self.seclen
89 }
90
91 /// Returns the bytes for this security context.
92 #[inline]
as_bytes(&self) -> &[u8]93 pub fn as_bytes(&self) -> &[u8] {
94 let ptr = self.secdata;
95 if ptr.is_null() {
96 debug_assert_eq!(self.seclen, 0);
97 // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
98 return &[];
99 }
100
101 // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
102 // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
103 // pointer is not null.
104 unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
105 }
106 }
107
108 impl Drop for SecurityCtx {
109 #[inline]
drop(&mut self)110 fn drop(&mut self) {
111 // SAFETY: By the invariant of `Self`, this frees a pointer that came from a successful
112 // call to `security_secid_to_secctx` and has not yet been destroyed by
113 // `security_release_secctx`.
114 unsafe { bindings::security_release_secctx(self.secdata, self.seclen as u32) };
115 }
116 }
117