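/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Landlock - Filesystem management and hooks
 *
 * Copyright © 2017-2020 Mickaël Salaün <[email protected]>
 * Copyright © 2018-2020 ANSSI
 * Copyright © 2024-2025 Microsoft Corporation
 */

#ifndef _SECURITY_LANDLOCK_FS_H
#define _SECURITY_LANDLOCK_FS_H

#include <linux/build_bug.h>
#include <linux/fs.h>
#include <linux/init.h>
#include <linux/rcupdate.h>

#include "access.h"
#include "cred.h"
#include "ruleset.h"
#include "setup.h"

/**
 * struct landlock_inode_security - Inode security blob
 *
 * Enables referencing a &struct landlock_object tied to an inode (i.e.
 * underlying object).
 */
struct landlock_inode_security {
	/**
	 * @object: Weak pointer to an allocated object.  All assignments of a
	 * new object are protected by the underlying inode->i_lock.  However,
	 * atomically disassociating @object from the inode is only protected
	 * by @object->lock, from the time @object's usage refcount drops to
	 * zero to the time this pointer is nulled out (cf. release_inode() and
	 * hook_sb_delete()).  Indeed, such disassociation doesn't require
	 * inode->i_lock thanks to the careful rcu_access_pointer() check
	 * performed by get_inode_object().
	 */
	struct landlock_object __rcu *object;
};

/**
 * struct landlock_file_security - File security blob
 *
 * This information is populated when opening a file in hook_file_open, and
 * tracks the relevant Landlock access rights that were available at the time
 * of opening the file.  Other LSM hooks use these rights in order to authorize
 * operations on already opened files.
 *
 * Because the rights are recorded at open time, later checks on the open file
 * are made against this snapshot.
 */
struct landlock_file_security {
	/**
	 * @allowed_access: Access rights that were available at the time of
	 * opening the file.  This is not necessarily the full set of access
	 * rights available at that time, but it's the necessary subset as
	 * needed to authorize later operations on the open file.
	 */
	access_mask_t allowed_access;

#ifdef CONFIG_AUDIT
	/**
	 * @deny_masks: Domain layer levels that deny an optional access (see
	 * _LANDLOCK_ACCESS_FS_OPTIONAL).
	 */
	deny_masks_t deny_masks;
	/**
	 * @fown_layer: Layer level of @fown_subject->domain with
	 * LANDLOCK_SCOPE_SIGNAL.
	 */
	u8 fown_layer;
#endif /* CONFIG_AUDIT */

	/**
	 * @fown_subject: Landlock credential of the task that set the PID that
	 * may receive a signal e.g., SIGURG when writing MSG_OOB to the
	 * related socket.  This pointer is protected by the related
	 * file->f_owner->lock, as for fown_struct's members: pid, uid, and
	 * euid.
	 *
	 * NOTE(review): the member is embedded by value, so "this pointer"
	 * presumably means the domain pointer held inside
	 * &struct landlock_cred_security - confirm against cred.h.
	 */
	struct landlock_cred_security fown_subject;
};

#ifdef CONFIG_AUDIT

/*
 * Makes sure all layers can be identified.
 *
 * Casting ~0 to the type of @fown_layer yields the largest value that field
 * can store; the build fails if that is smaller than
 * LANDLOCK_MAX_NUM_LAYERS, i.e. if a layer level could be truncated when
 * recorded for audit.
 */
/* clang-format off */
static_assert((typeof_member(struct landlock_file_security, fown_layer))~0 >=
	      LANDLOCK_MAX_NUM_LAYERS);
/* clang-format on */

#endif /* CONFIG_AUDIT */

/**
 * struct landlock_superblock_security - Superblock security blob
 *
 * Enable hook_sb_delete() to wait for concurrent calls to release_inode().
 */
struct landlock_superblock_security {
	/**
	 * @inode_refs: Number of pending inodes (from this superblock) that
	 * are being released by release_inode().
	 * Cf. struct super_block->s_fsnotify_inode_refs.
	 */
	atomic_long_t inode_refs;
};

/**
 * landlock_file - Get the Landlock part of a file's security blob
 *
 * @file: File whose blob is looked up.
 *
 * Return: @file->f_security advanced by landlock_blob_sizes.lbs_file.
 *
 * No NULL check is done on @file or on its f_security pointer; callers must
 * only use this once the blob exists (presumably allocated by the LSM
 * framework before any Landlock hook runs - confirm).  The result is
 * writable even though @file is const-qualified.
 */
static inline struct landlock_file_security *
landlock_file(const struct file *const file)
{
	return file->f_security + landlock_blob_sizes.lbs_file;
}

/**
 * landlock_inode - Get the Landlock part of an inode's security blob
 *
 * @inode: Inode whose blob is looked up.
 *
 * Return: @inode->i_security advanced by landlock_blob_sizes.lbs_inode.
 *
 * No NULL check is done on @inode or on its i_security pointer.  The result
 * is writable even though @inode is const-qualified; see
 * &struct landlock_inode_security for the locking that protects @object.
 */
static inline struct landlock_inode_security *
landlock_inode(const struct inode *const inode)
{
	return inode->i_security + landlock_blob_sizes.lbs_inode;
}

/**
 * landlock_superblock - Get the Landlock part of a superblock's security blob
 *
 * @superblock: Superblock whose blob is looked up.
 *
 * Return: @superblock->s_security advanced by
 * landlock_blob_sizes.lbs_superblock.
 *
 * No NULL check is done on @superblock or on its s_security pointer.  The
 * result is writable even though @superblock is const-qualified.
 */
static inline struct landlock_superblock_security *
landlock_superblock(const struct super_block *const superblock)
{
	return superblock->s_security + landlock_blob_sizes.lbs_superblock;
}

/*
 * Defined outside this header.  Judging by the name and the __init
 * annotation, this registers the filesystem hooks once at boot - confirm
 * against the definition.
 */
__init void landlock_add_fs_hooks(void);

/*
 * Defined outside this header.  Judging by the signature, this adds to
 * @ruleset a rule tying @path to the @access_hierarchy access mask - confirm
 * against the definition, including how unsupported access bits are rejected.
 */
int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
			    const struct path *const path,
			    access_mask_t access_hierarchy);

#endif /* _SECURITY_LANDLOCK_FS_H */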