1/* SPDX-License-Identifier: GPL-2.0 */ 2/* 3 * A security identifier table (sidtab) is a lookup table 4 * of security context structures indexed by SID value. 5 * 6 * Original author: Stephen Smalley, <stephen.smalley.work@gmail.com> 7 * Author: Ondrej Mosnacek, <omosnacek@gmail.com> 8 * 9 * Copyright (C) 2018 Red Hat, Inc. 10 */ 11 12#ifndef _SS_SIDTAB_H_ 13#define _SS_SIDTAB_H_ 14 15#include <linux/spinlock_types.h> 16#include <linux/log2.h> 17#include <linux/hashtable.h> 18 19#include "context.h" 20 21struct sidtab_entry { 22 u32 sid; 23 u32 hash; 24 struct context context; 25#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 26 struct sidtab_str_cache __rcu *cache; 27#endif 28 struct hlist_node list; 29}; 30 31union sidtab_entry_inner { 32 struct sidtab_node_inner *ptr_inner; 33 struct sidtab_node_leaf *ptr_leaf; 34}; 35 36/* align node size to page boundary */ 37#define SIDTAB_NODE_ALLOC_SHIFT PAGE_SHIFT 38#define SIDTAB_NODE_ALLOC_SIZE PAGE_SIZE 39 40#define size_to_shift(size) ((size) == 1 ? 1 : (const_ilog2((size)-1) + 1)) 41 42#define SIDTAB_INNER_SHIFT \ 43 (SIDTAB_NODE_ALLOC_SHIFT - \ 44 size_to_shift(sizeof(union sidtab_entry_inner))) 45#define SIDTAB_INNER_ENTRIES ((size_t)1 << SIDTAB_INNER_SHIFT) 46#define SIDTAB_LEAF_ENTRIES \ 47 (SIDTAB_NODE_ALLOC_SIZE / sizeof(struct sidtab_entry)) 48 49#define SIDTAB_MAX_BITS 32 50#define SIDTAB_MAX U32_MAX 51/* ensure enough tree levels for SIDTAB_MAX entries */ 52#define SIDTAB_MAX_LEVEL \ 53 DIV_ROUND_UP(SIDTAB_MAX_BITS - size_to_shift(SIDTAB_LEAF_ENTRIES), \ 54 SIDTAB_INNER_SHIFT) 55 56struct sidtab_node_leaf { 57 struct sidtab_entry entries[SIDTAB_LEAF_ENTRIES]; 58}; 59 60struct sidtab_node_inner { 61 union sidtab_entry_inner entries[SIDTAB_INNER_ENTRIES]; 62}; 63 64struct sidtab_isid_entry { 65 int set; 66 struct sidtab_entry entry; 67}; 68 69struct sidtab_convert_params { 70 struct convert_context_args *args; 71 struct sidtab *target; 72}; 73 74#define SIDTAB_HASH_BITS CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS 75#define SIDTAB_HASH_BUCKETS (1 << SIDTAB_HASH_BITS) 76 77struct sidtab { 78 /* 79 * lock-free read access only for as many items as a prior read of 80 * 'count' 81 */ 82 union sidtab_entry_inner roots[SIDTAB_MAX_LEVEL + 1]; 83 /* 84 * access atomically via {READ|WRITE}_ONCE(); only increment under 85 * spinlock 86 */ 87 u32 count; 88 /* access only under spinlock */ 89 struct sidtab_convert_params *convert; 90 bool frozen; 91 spinlock_t lock; 92 93#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 94 /* SID -> context string cache */ 95 u32 cache_free_slots; 96 struct list_head cache_lru_list; 97 spinlock_t cache_lock; 98#endif 99 100 /* index == SID - 1 (no entry for SECSID_NULL) */ 101 struct sidtab_isid_entry isids[SECINITSID_NUM]; 102 103 /* Hash table for fast reverse context-to-sid lookups. */ 104 DECLARE_HASHTABLE(context_to_sid, SIDTAB_HASH_BITS); 105}; 106 107int sidtab_init(struct sidtab *s); 108int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context); 109struct sidtab_entry *sidtab_search_entry(struct sidtab *s, u32 sid); 110struct sidtab_entry *sidtab_search_entry_force(struct sidtab *s, u32 sid); 111 112static inline struct context *sidtab_search(struct sidtab *s, u32 sid) 113{ 114 struct sidtab_entry *entry = sidtab_search_entry(s, sid); 115 116 return entry ? &entry->context : NULL; 117} 118 119static inline struct context *sidtab_search_force(struct sidtab *s, u32 sid) 120{ 121 struct sidtab_entry *entry = sidtab_search_entry_force(s, sid); 122 123 return entry ? &entry->context : NULL; 124} 125 126int sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params); 127 128void sidtab_cancel_convert(struct sidtab *s); 129 130void sidtab_freeze_begin(struct sidtab *s, unsigned long *flags) 131 __acquires(&s->lock); 132void sidtab_freeze_end(struct sidtab *s, unsigned long *flags) 133 __releases(&s->lock); 134 135int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid); 136 137void sidtab_destroy(struct sidtab *s); 138 139int sidtab_hash_stats(struct sidtab *sidtab, char *page); 140 141#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 142void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, 143 const char *str, u32 str_len); 144int sidtab_sid2str_get(struct sidtab *s, struct sidtab_entry *entry, char **out, 145 u32 *out_len); 146#else 147static inline void sidtab_sid2str_put(struct sidtab *s, 148 struct sidtab_entry *entry, 149 const char *str, u32 str_len) 150{ 151} 152static inline int sidtab_sid2str_get(struct sidtab *s, 153 struct sidtab_entry *entry, char **out, 154 u32 *out_len) 155{ 156 return -ENOENT; 157} 158#endif /* CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 */ 159 160#endif /* _SS_SIDTAB_H_ */ 161