kernel/security.rs
1// SPDX-License-Identifier: GPL-2.0
2
3// Copyright (C) 2024 Google LLC.
4
5//! Linux Security Modules (LSM).
6//!
7//! C header: [`include/linux/security.h`](srctree/include/linux/security.h).
8
9use crate::{
10 bindings,
11 cred::Credential,
12 error::{to_result, Result},
13 fs::File,
14};
15
16/// Calls the security modules to determine if the given task can become the manager of a binder
17/// context.
18#[inline]
19pub fn binder_set_context_mgr(mgr: &Credential) -> Result {
20 // SAFETY: `mrg.0` is valid because the shared reference guarantees a nonzero refcount.
21 to_result(unsafe { bindings::security_binder_set_context_mgr(mgr.as_ptr()) })
22}
23
24/// Calls the security modules to determine if binder transactions are allowed from task `from` to
25/// task `to`.
26#[inline]
27pub fn binder_transaction(from: &Credential, to: &Credential) -> Result {
28 // SAFETY: `from` and `to` are valid because the shared references guarantee nonzero refcounts.
29 to_result(unsafe { bindings::security_binder_transaction(from.as_ptr(), to.as_ptr()) })
30}
31
32/// Calls the security modules to determine if task `from` is allowed to send binder objects
33/// (owned by itself or other processes) to task `to` through a binder transaction.
34#[inline]
35pub fn binder_transfer_binder(from: &Credential, to: &Credential) -> Result {
36 // SAFETY: `from` and `to` are valid because the shared references guarantee nonzero refcounts.
37 to_result(unsafe { bindings::security_binder_transfer_binder(from.as_ptr(), to.as_ptr()) })
38}
39
40/// Calls the security modules to determine if task `from` is allowed to send the given file to
41/// task `to` (which would get its own file descriptor) through a binder transaction.
42#[inline]
43pub fn binder_transfer_file(from: &Credential, to: &Credential, file: &File) -> Result {
44 // SAFETY: `from`, `to` and `file` are valid because the shared references guarantee nonzero
45 // refcounts.
46 to_result(unsafe {
47 bindings::security_binder_transfer_file(from.as_ptr(), to.as_ptr(), file.as_ptr())
48 })
49}
50
51/// A security context string.
52///
53/// # Invariants
54///
55/// The `ctx` field corresponds to a valid security context as returned by a successful call to
56/// `security_secid_to_secctx`, that has not yet been released by `security_release_secctx`.
57pub struct SecurityCtx {
58 ctx: bindings::lsm_context,
59}
60
61impl SecurityCtx {
62 /// Get the security context given its id.
63 #[inline]
64 pub fn from_secid(secid: u32) -> Result<Self> {
65 // SAFETY: `struct lsm_context` can be initialized to all zeros.
66 let mut ctx: bindings::lsm_context = unsafe { core::mem::zeroed() };
67
68 // SAFETY: Just a C FFI call. The pointer is valid for writes.
69 to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut ctx) })?;
70
71 // INVARIANT: If the above call did not fail, then we have a valid security context.
72 Ok(Self { ctx })
73 }
74
75 /// Returns whether the security context is empty.
76 #[inline]
77 pub fn is_empty(&self) -> bool {
78 self.ctx.len == 0
79 }
80
81 /// Returns the length of this security context.
82 #[inline]
83 pub fn len(&self) -> usize {
84 self.ctx.len as usize
85 }
86
87 /// Returns the bytes for this security context.
88 #[inline]
89 pub fn as_bytes(&self) -> &[u8] {
90 let ptr = self.ctx.context;
91 if ptr.is_null() {
92 debug_assert_eq!(self.len(), 0);
93 // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
94 return &[];
95 }
96
97 // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
98 // `self.len()` bytes. Furthermore, if the length is zero, then we have ensured that the
99 // pointer is not null.
100 unsafe { core::slice::from_raw_parts(ptr.cast(), self.len()) }
101 }
102}
103
104impl Drop for SecurityCtx {
105 #[inline]
106 fn drop(&mut self) {
107 // SAFETY: By the invariant of `Self`, this releases an lsm context that came from a
108 // successful call to `security_secid_to_secctx` and has not yet been released.
109 unsafe { bindings::security_release_secctx(&mut self.ctx) };
110 }
111}