mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2024-12-28 16:52:18 +00:00
8ad1a41f7e
Adds a wrapper around `kuid_t` called `Kuid`. This allows us to define various operations on kuids such as equality and current_euid. It also lets us provide conversions from kuid into userspace values. Rust Binder needs these operations because it needs to compare kuids for equality, and it needs to tell userspace about the pid and uid of incoming transactions. To read kuids from a `struct task_struct`, you must currently use various #defines that perform the appropriate field access under an RCU read lock. Currently, we do not have a Rust wrapper for rcu_read_lock, which means that for this patch, there are two ways forward: 1. Inline the methods into Rust code, and use __rcu_read_lock directly rather than the rcu_read_lock wrapper. This gives up lockdep for these usages of RCU. 2. Wrap the various #defines in helpers and call the helpers from Rust. This patch uses the second option. One possible disadvantage of the second option is the possible introduction of speculation gadgets, but as discussed in [1], the risk appears to be acceptable. Of course, once a wrapper for rcu_read_lock is available, it is preferable to use that over either of the two above approaches. Link: https://lore.kernel.org/all/202312080947.674CD2DC7@keescook/ [1] Reviewed-by: Benno Lossin <benno.lossin@proton.me> Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com> Reviewed-by: Trevor Gross <tmgross@umich.edu> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20240915-alice-file-v10-7-88484f7a3dcf@google.com Signed-off-by: Christian Brauner <brauner@kernel.org>
86 lines
3.2 KiB
Rust
86 lines
3.2 KiB
Rust
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
// Copyright (C) 2024 Google LLC.
|
|
|
|
//! Credentials management.
|
|
//!
|
|
//! C header: [`include/linux/cred.h`](srctree/include/linux/cred.h).
|
|
//!
|
|
//! Reference: <https://www.kernel.org/doc/html/latest/security/credentials.html>
|
|
|
|
use crate::{
|
|
bindings,
|
|
task::Kuid,
|
|
types::{AlwaysRefCounted, Opaque},
|
|
};
|
|
|
|
/// Wraps the kernel's `struct cred`.
|
|
///
|
|
/// Credentials are used for various security checks in the kernel.
|
|
///
|
|
/// Most fields of credentials are immutable. When things have their credentials changed, that
|
|
/// happens by replacing the credential instead of changing an existing credential. See the [kernel
|
|
/// documentation][ref] for more info on this.
|
|
///
|
|
/// # Invariants
|
|
///
|
|
/// Instances of this type are always ref-counted, that is, a call to `get_cred` ensures that the
|
|
/// allocation remains valid at least until the matching call to `put_cred`.
|
|
///
|
|
/// [ref]: https://www.kernel.org/doc/html/latest/security/credentials.html
|
|
#[repr(transparent)]
|
|
pub struct Credential(Opaque<bindings::cred>);
|
|
|
|
// SAFETY:
|
|
// - `Credential::dec_ref` can be called from any thread.
|
|
// - It is okay to send ownership of `Credential` across thread boundaries.
|
|
unsafe impl Send for Credential {}
|
|
|
|
// SAFETY: It's OK to access `Credential` through shared references from other threads because
|
|
// we're either accessing properties that don't change or that are properly synchronised by C code.
|
|
unsafe impl Sync for Credential {}
|
|
|
|
impl Credential {
|
|
/// Creates a reference to a [`Credential`] from a valid pointer.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// The caller must ensure that `ptr` is valid and remains valid for the lifetime of the
|
|
/// returned [`Credential`] reference.
|
|
pub unsafe fn from_ptr<'a>(ptr: *const bindings::cred) -> &'a Credential {
|
|
// SAFETY: The safety requirements guarantee the validity of the dereference, while the
|
|
// `Credential` type being transparent makes the cast ok.
|
|
unsafe { &*ptr.cast() }
|
|
}
|
|
|
|
/// Get the id for this security context.
|
|
pub fn get_secid(&self) -> u32 {
|
|
let mut secid = 0;
|
|
// SAFETY: The invariants of this type ensures that the pointer is valid.
|
|
unsafe { bindings::security_cred_getsecid(self.0.get(), &mut secid) };
|
|
secid
|
|
}
|
|
|
|
/// Returns the effective UID of the given credential.
|
|
pub fn euid(&self) -> Kuid {
|
|
// SAFETY: By the type invariant, we know that `self.0` is valid. Furthermore, the `euid`
|
|
// field of a credential is never changed after initialization, so there is no potential
|
|
// for data races.
|
|
Kuid::from_raw(unsafe { (*self.0.get()).euid })
|
|
}
|
|
}
|
|
|
|
// SAFETY: The type invariants guarantee that `Credential` is always ref-counted.
|
|
unsafe impl AlwaysRefCounted for Credential {
|
|
fn inc_ref(&self) {
|
|
// SAFETY: The existence of a shared reference means that the refcount is nonzero.
|
|
unsafe { bindings::get_cred(self.0.get()) };
|
|
}
|
|
|
|
unsafe fn dec_ref(obj: core::ptr::NonNull<Credential>) {
|
|
// SAFETY: The safety requirements guarantee that the refcount is nonzero. The cast is okay
|
|
// because `Credential` has the same representation as `struct cred`.
|
|
unsafe { bindings::put_cred(obj.cast().as_ptr()) };
|
|
}
|
|
}
|