1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * SafeSetID Linux Security Module 4 * 5 * Author: Micah Morton <mortonm@chromium.org> 6 * 7 * Copyright (C) 2018 The Chromium OS Authors. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License version 2, as 11 * published by the Free Software Foundation. 12 * 13 */ 14 #ifndef _SAFESETID_H 15 #define _SAFESETID_H 16 17 #include <linux/types.h> 18 #include <linux/uidgid.h> 19 #include <linux/hashtable.h> 20 21 /* Flag indicating whether initialization completed */ 22 extern int safesetid_initialized __initdata; 23 24 enum sid_policy_type { 25 SIDPOL_DEFAULT, /* source ID is unaffected by policy */ 26 SIDPOL_CONSTRAINED, /* source ID is affected by policy */ 27 SIDPOL_ALLOWED /* target ID explicitly allowed */ 28 }; 29 30 typedef union { 31 kuid_t uid; 32 kgid_t gid; 33 } kid_t; 34 35 enum setid_type { 36 UID, 37 GID 38 }; 39 40 /* 41 * Hash table entry to store safesetid policy signifying that 'src_id' 42 * can set*id to 'dst_id'. 43 */ 44 struct setid_rule { 45 struct hlist_node next; 46 kid_t src_id; 47 kid_t dst_id; 48 49 /* Flag to signal if rule is for UID's or GID's */ 50 enum setid_type type; 51 }; 52 53 #define SETID_HASH_BITS 8 /* 256 buckets in hash table */ 54 55 /* Extension of INVALID_UID/INVALID_GID for kid_t type */ 56 #define INVALID_ID (kid_t){.uid = INVALID_UID} 57 58 struct setid_ruleset { 59 DECLARE_HASHTABLE(rules, SETID_HASH_BITS); 60 char *policy_str; 61 struct rcu_head rcu; 62 63 //Flag to signal if ruleset is for UID's or GID's 64 enum setid_type type; 65 }; 66 67 enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy, 68 kid_t src, kid_t dst); 69 70 extern struct setid_ruleset __rcu *safesetid_setuid_rules; 71 extern struct setid_ruleset __rcu *safesetid_setgid_rules; 72 73 #endif /* _SAFESETID_H */ 74
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.