summaryrefslogtreecommitdiffstats
path: root/security/selinux/include/objsec.h
blob: cc5e26b0161b462108e6261a4e4a87cfafccf934 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

/*
 *  NSA Security-Enhanced Linux (SELinux) security module
 *
 *  This file contains the SELinux security data structures for kernel objects.
 *
 *  Author(s):  Stephen Smalley, <sds@tycho.nsa.gov>
 *		Chris Vance, <cvance@nai.com>
 *		Wayne Salamon, <wsalamon@nai.com>
 *		James Morris <jmorris@redhat.com>
 *
 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
 *  Copyright (C) 2016 Mellanox Technologies
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License version 2,
 *	as published by the Free Software Foundation.
 */
#ifndef _SELINUX_OBJSEC_H_
#define _SELINUX_OBJSEC_H_

#include <linux/list.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
#include <net/net_namespace.h>
#include "flask.h"
#include "avc.h"

struct task_security_struct {
	u32 osid;		/* SID prior to last execve */
	u32 sid;		/* current SID */
	u32 exec_sid;		/* exec SID */
	u32 create_sid;		/* fscreate SID */
	u32 keycreate_sid;	/* keycreate SID */
	u32 sockcreate_sid;	/* fscreate SID */
};

/*
 * get the subjective security ID of the current task
 */
static inline u32 current_sid(void)
{
	const struct task_security_struct *tsec = current_security();

	return tsec->sid;
}

enum label_initialized {
	LABEL_INVALID,		/* invalid or not initialized */
	LABEL_INITIALIZED,	/* initialized */
	LABEL_PENDING
};

struct inode_security_struct {
	struct inode *inode;	/* back pointer to inode object */
	union {
		struct list_head list;	/* list of inode_security_struct */
		struct rcu_head rcu;	/* for freeing the inode_security_struct */
	};
	u32 task_sid;		/* SID of creating task */
	u32 sid;		/* SID of this object */
	u16 sclass;		/* security class of this object */
	unsigned char initialized;	/* initialization flag */
	spinlock_t lock;
};

struct file_security_struct {
	u32 sid;		/* SID of open file description */
	u32 fown_sid;		/* SID of file owner (for SIGIO) */
	u32 isid;		/* SID of inode at the time of file open */
	u32 pseqno;		/* Policy seqno at the time of file open */
};

struct superblock_security_struct {
	struct super_block *sb;		/* back pointer to sb object */
	u32 sid;			/* SID of file system superblock */
	u32 def_sid;			/* default SID for labeling */
	u32 mntpoint_sid;		/* SECURITY_FS_USE_MNTPOINT context for files */
	unsigned short behavior;	/* labeling behavior */
	unsigned short flags;		/* which mount options were specified */
	struct mutex lock;
	struct list_head isec_head;
	spinlock_t isec_lock;
};

struct msg_security_struct {
	u32 sid;	/* SID of message */
};

struct ipc_security_struct {
	u16 sclass;	/* security class of this object */
	u32 sid;	/* SID of IPC resource */
};

struct netif_security_struct {
	struct net *ns;			/* network namespace */
	int ifindex;			/* device index */
	u32 sid;			/* SID for this interface */
};

struct netnode_security_struct {
	union {
		__be32 ipv4;		/* IPv4 node address */
		struct in6_addr ipv6;	/* IPv6 node address */
	} addr;
	u32 sid;			/* SID for this node */
	u16 family;			/* address family */
};

struct netport_security_struct {
	u32 sid;			/* SID for this node */
	u16 port;			/* port number */
	u8 protocol;			/* transport protocol */
};

struct sk_security_struct {
#ifdef CONFIG_NETLABEL
	enum {				/* NetLabel state */
		NLBL_UNSET = 0,
		NLBL_REQUIRE,
		NLBL_LABELED,
		NLBL_REQSKB,
		NLBL_CONNLABELED,
	} nlbl_state;
	struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
#endif
	u32 sid;			/* SID of this object */
	u32 peer_sid;			/* SID of peer */
	u16 sclass;			/* sock security class */
	enum {				/* SCTP association state */
		SCTP_ASSOC_UNSET = 0,
		SCTP_ASSOC_SET,
	} sctp_assoc_state;
};

struct tun_security_struct {
	u32 sid;			/* SID for the tun device sockets */
};

struct key_security_struct {
	u32 sid;	/* SID of key */
};

struct ib_security_struct {
	u32 sid;        /* SID of the queue pair or MAD agent */
};

struct pkey_security_struct {
	u64	subnet_prefix; /* Port subnet prefix */
	u16	pkey;	/* PKey number */
	u32	sid;	/* SID of pkey */
};

struct bpf_security_struct {
	u32 sid;  /*SID of bpf obj creater*/
};

#endif /* _SELINUX_OBJSEC_H_ */
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-28 14:14:41 +0000
DR, ARB_ERR_CAP_STATUS, ARB_ERR_CAP_MASTER, }; static const int gisb_offsets_bcm7038[] = { [ARB_TIMER] = 0x00c, [ARB_ERR_CAP_CLR] = 0x0c4, [ARB_ERR_CAP_HI_ADDR] = -1, [ARB_ERR_CAP_ADDR] = 0x0c8, [ARB_ERR_CAP_STATUS] = 0x0d0, [ARB_ERR_CAP_MASTER] = -1, }; static const int gisb_offsets_bcm7278[] = { [ARB_TIMER] = 0x008, [ARB_ERR_CAP_CLR] = 0x7f8, [ARB_ERR_CAP_HI_ADDR] = -1, [ARB_ERR_CAP_ADDR] = 0x7e0, [ARB_ERR_CAP_STATUS] = 0x7f0, [ARB_ERR_CAP_MASTER] = 0x7f4, }; static const int gisb_offsets_bcm7400[] = { [ARB_TIMER] = 0x00c, [ARB_ERR_CAP_CLR] = 0x0c8, [ARB_ERR_CAP_HI_ADDR] = -1, [ARB_ERR_CAP_ADDR] = 0x0cc, [ARB_ERR_CAP_STATUS] = 0x0d4, [ARB_ERR_CAP_MASTER] = 0x0d8, }; static const int gisb_offsets_bcm7435[] = { [ARB_TIMER] = 0x00c, [ARB_ERR_CAP_CLR] = 0x168, [ARB_ERR_CAP_HI_ADDR] = -1, [ARB_ERR_CAP_ADDR] = 0x16c, [ARB_ERR_CAP_STATUS] = 0x174, [ARB_ERR_CAP_MASTER] = 0x178, }; static const int gisb_offsets_bcm7445[] = { [ARB_TIMER] = 0x008, [ARB_ERR_CAP_CLR] = 0x7e4, [ARB_ERR_CAP_HI_ADDR] = 0x7e8, [ARB_ERR_CAP_ADDR] = 0x7ec, [ARB_ERR_CAP_STATUS] = 0x7f4, [ARB_ERR_CAP_MASTER] = 0x7f8, }; struct brcmstb_gisb_arb_device { void __iomem *base; const int *gisb_offsets; bool big_endian; struct mutex lock; struct list_head next; u32 valid_mask; const char *master_names[sizeof(u32) * BITS_PER_BYTE]; u32 saved_timeout; }; static LIST_HEAD(brcmstb_gisb_arb_device_list); static u32 gisb_read(struct brcmstb_gisb_arb_device *gdev, int reg) { int offset = gdev->gisb_offsets[reg]; if (offset < 0) { /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */ if (reg == ARB_ERR_CAP_MASTER) return 1; else return 0; } if (gdev->big_endian) return ioread32be(gdev->base + offset); else return ioread32(gdev->base + offset); } static u64 gisb_read_address(struct brcmstb_gisb_arb_device *gdev) { u64 value; value = gisb_read(gdev, ARB_ERR_CAP_ADDR); value |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32; return value; } static void gisb_write(struct brcmstb_gisb_arb_device *gdev, u32 val, int reg) { int offset = gdev->gisb_offsets[reg]; if (offset == -1) return; if (gdev->big_endian) iowrite32be(val, gdev->base + offset); else iowrite32(val, gdev->base + offset); } static ssize_t gisb_arb_get_timeout(struct device *dev, struct device_attribute *attr, char *buf) { struct platform_device *pdev = to_platform_device(dev); struct brcmstb_gisb_arb_device *gdev = platform_get_drvdata(pdev); u32 timeout; mutex_lock(&gdev->lock); timeout = gisb_read(gdev, ARB_TIMER); mutex_unlock(&gdev->lock); return sprintf(buf, "%d", timeout); } static ssize_t gisb_arb_set_timeout(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { struct platform_device *pdev = to_platform_device(dev); struct brcmstb_gisb_arb_device *gdev = platform_get_drvdata(pdev); int val, ret; ret = kstrtoint(buf, 10, &val); if (ret < 0) return ret; if (val == 0 || val >= 0xffffffff) return -EINVAL; mutex_lock(&gdev->lock); gisb_write(gdev, val, ARB_TIMER); mutex_unlock(&gdev->lock); return count; } static const char * brcmstb_gisb_master_to_str(struct brcmstb_gisb_arb_device *gdev, u32 masters) { u32 mask = gdev->valid_mask & masters; if (hweight_long(mask) != 1) return NULL; return gdev->master_names[ffs(mask) - 1]; } static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev, const char *reason) { u32 cap_status; u64 arb_addr; u32 master; const char *m_name; char m_fmt[11]; cap_status = gisb_read(gdev, ARB_ERR_CAP_STATUS); /* Invalid captured address, bail out */ if (!(cap_status & ARB_ERR_CAP_STATUS_VALID)) return 1; /* Read the address and master */ arb_addr = gisb_read_address(gdev); master = gisb_read(gdev, ARB_ERR_CAP_MASTER); m_name = brcmstb_gisb_master_to_str(gdev, master); if (!m_name) { snprintf(m_fmt, sizeof(m_fmt), "0x%08x", master); m_name = m_fmt; } pr_crit("%s: %s at 0x%llx [%c %s], core: %s\n", __func__, reason, arb_addr, cap_status & ARB_ERR_CAP_STATUS_WRITE ? 'W' : 'R', cap_status & ARB_ERR_CAP_STATUS_TIMEOUT ? "timeout" : "", m_name); /* clear the GISB error */ gisb_write(gdev, ARB_ERR_CAP_CLEAR, ARB_ERR_CAP_CLR); return 0; } #ifdef CONFIG_MIPS static int brcmstb_bus_error_handler(struct pt_regs *regs, int is_fixup) { int ret = 0; struct brcmstb_gisb_arb_device *gdev; u32 cap_status; list_for_each_entry(gdev, &brcmstb_gisb_arb_device_list, next) { cap_status = gisb_read(gdev, ARB_ERR_CAP_STATUS); /* Invalid captured address, bail out */ if (!(cap_status & ARB_ERR_CAP_STATUS_VALID)) { is_fixup = 1; goto out; } ret |= brcmstb_gisb_arb_decode_addr(gdev, "bus error"); } out: return is_fixup ? MIPS_BE_FIXUP : MIPS_BE_FATAL; } #endif static irqreturn_t brcmstb_gisb_timeout_handler(int irq, void *dev_id) { brcmstb_gisb_arb_decode_addr(dev_id, "timeout"); return IRQ_HANDLED; } static irqreturn_t brcmstb_gisb_tea_handler(int irq, void *dev_id) { brcmstb_gisb_arb_decode_addr(dev_id, "target abort"); return IRQ_HANDLED; } /* * Dump out gisb errors on die or panic. */ static int dump_gisb_error(struct notifier_block *self, unsigned long v, void *p); static struct notifier_block gisb_die_notifier = { .notifier_call = dump_gisb_error, }; static struct notifier_block gisb_panic_notifier = { .notifier_call = dump_gisb_error, }; static int dump_gisb_error(struct notifier_block *self, unsigned long v, void *p) { struct brcmstb_gisb_arb_device *gdev; const char *reason = "panic"; if (self == &gisb_die_notifier) reason = "die"; /* iterate over each GISB arb registered handlers */ list_for_each_entry(gdev, &brcmstb_gisb_arb_device_list, next) brcmstb_gisb_arb_decode_addr(gdev, reason); return NOTIFY_DONE; } static DEVICE_ATTR(gisb_arb_timeout, S_IWUSR | S_IRUGO, gisb_arb_get_timeout, gisb_arb_set_timeout); static struct attribute *gisb_arb_sysfs_attrs[] = { &dev_attr_gisb_arb_timeout.attr, NULL, }; static struct attribute_group gisb_arb_sysfs_attr_group = { .attrs = gisb_arb_sysfs_attrs, }; static const struct of_device_id brcmstb_gisb_arb_of_match[] = { { .compatible = "brcm,gisb-arb", .data = gisb_offsets_bcm7445 }, { .compatible = "brcm,bcm7445-gisb-arb", .data = gisb_offsets_bcm7445 }, { .compatible = "brcm,bcm7435-gisb-arb", .data = gisb_offsets_bcm7435 }, { .compatible = "brcm,bcm7400-gisb-arb", .data = gisb_offsets_bcm7400 }, { .compatible = "brcm,bcm7278-gisb-arb", .data = gisb_offsets_bcm7278 }, { .compatible = "brcm,bcm7038-gisb-arb", .data = gisb_offsets_bcm7038 }, { }, }; static int __init brcmstb_gisb_arb_probe(struct platform_device *pdev) { struct device_node *dn = pdev->dev.of_node; struct brcmstb_gisb_arb_device *gdev; const struct of_device_id *of_id; struct resource *r; int err, timeout_irq, tea_irq; unsigned int num_masters, j = 0; int i, first, last; r = platform_get_resource(pdev, IORESOURCE_MEM, 0); timeout_irq = platform_get_irq(pdev, 0); tea_irq = platform_get_irq(pdev, 1); gdev = devm_kzalloc(&pdev->dev, sizeof(*gdev), GFP_KERNEL); if (!gdev) return -ENOMEM; mutex_init(&gdev->lock); INIT_LIST_HEAD(&gdev->next); gdev->base = devm_ioremap_resource(&pdev->dev, r); if (IS_ERR(gdev->base)) return PTR_ERR(gdev->base); of_id = of_match_node(brcmstb_gisb_arb_of_match, dn); if (!of_id) { pr_err("failed to look up compatible string\n"); return -EINVAL; } gdev->gisb_offsets = of_id->data; gdev->big_endian = of_device_is_big_endian(dn); err = devm_request_irq(&pdev->dev, timeout_irq, brcmstb_gisb_timeout_handler, 0, pdev->name, gdev); if (err < 0) return err; err = devm_request_irq(&pdev->dev, tea_irq, brcmstb_gisb_tea_handler, 0, pdev->name, gdev); if (err < 0) return err; /* If we do not have a valid mask, assume all masters are enabled */ if (of_property_read_u32(dn, "brcm,gisb-arb-master-mask", &gdev->valid_mask)) gdev->valid_mask = 0xffffffff; /* Proceed with reading the litteral names if we agree on the * number of masters */ num_masters = of_property_count_strings(dn, "brcm,gisb-arb-master-names"); if (hweight_long(gdev->valid_mask) == num_masters) { first = ffs(gdev->valid_mask) - 1; last = fls(gdev->valid_mask) - 1; for (i = first; i < last; i++) { if (!(gdev->valid_mask & BIT(i))) continue; of_property_read_string_index(dn, "brcm,gisb-arb-master-names", j, &gdev->master_names[i]); j++; } } err = sysfs_create_group(&pdev->dev.kobj, &gisb_arb_sysfs_attr_group); if (err) return err; platform_set_drvdata(pdev, gdev); list_add_tail(&gdev->next, &brcmstb_gisb_arb_device_list); #ifdef CONFIG_MIPS board_be_handler = brcmstb_bus_error_handler; #endif if (list_is_singular(&brcmstb_gisb_arb_device_list)) { register_die_notifier(&gisb_die_notifier); atomic_notifier_chain_register(&panic_notifier_list, &gisb_panic_notifier); } dev_info(&pdev->dev, "registered mem: %p, irqs: %d, %d\n", gdev->base, timeout_irq, tea_irq); return 0; } #ifdef CONFIG_PM_SLEEP static int brcmstb_gisb_arb_suspend(struct device *dev) { struct platform_device *pdev = to_platform_device(dev); struct brcmstb_gisb_arb_device *gdev = platform_get_drvdata(pdev); gdev->saved_timeout = gisb_read(gdev, ARB_TIMER); return 0; } /* Make sure we provide the same timeout value that was configured before, and * do this before the GISB timeout interrupt handler has any chance to run. */ static int brcmstb_gisb_arb_resume_noirq(struct device *dev) { struct platform_device *pdev = to_platform_device(dev); struct brcmstb_gisb_arb_device *gdev = platform_get_drvdata(pdev); gisb_write(gdev, gdev->saved_timeout, ARB_TIMER); return 0; } #else #define brcmstb_gisb_arb_suspend NULL #define brcmstb_gisb_arb_resume_noirq NULL #endif static const struct dev_pm_ops brcmstb_gisb_arb_pm_ops = { .suspend = brcmstb_gisb_arb_suspend, .resume_noirq = brcmstb_gisb_arb_resume_noirq, }; static struct platform_driver brcmstb_gisb_arb_driver = { .driver = { .name = "brcm-gisb-arb", .of_match_table = brcmstb_gisb_arb_of_match, .pm = &brcmstb_gisb_arb_pm_ops, }, }; static int __init brcm_gisb_driver_init(void) { return platform_driver_probe(&brcmstb_gisb_arb_driver, brcmstb_gisb_arb_probe); } module_init(brcm_gisb_driver_init);
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-28 14:14:41 +0000