starnix_core/security/mod.rs
1// Copyright 2024 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5//! This module provides types and hook APIs supporting Linux Security Modules
6//! functionality in Starnix. LSM provides a generic set of hooks, and opaque
7//! types, used to decouple the rest of the kernel from the details of any
8//! specific security enforcement subsystem (e.g. SELinux, POSIX.1e, etc).
9//!
10//! Although this module is hard-wired to the SELinux implementation, callers
11//! should treat the types as opaque; hook implementations necessarily have access
12//! to kernel structures, but not the other way around.
13
14use selinux::{SecurityId, SecurityServer};
15use std::sync::Arc;
16
17/// SELinux implementations called by the LSM hooks.
18mod selinux_hooks;
19pub use selinux_hooks::audit::Auditable;
20
21/// Common capabilities hook implementations called by the LSM hooks.
22mod common_cap;
23
24/// YAMA hook implementations used to restrict ptrace access.
25pub mod yama;
26
27/// Linux Security Modules hooks for use within the Starnix kernel.
28mod hooks;
29pub use hooks::*;
30
31/// Audit logging to be used from different kernel components
32mod audit;
33pub use audit::*;
34
/// Opaque structure encapsulating security subsystem state for the whole system.
pub struct KernelState {
    // SELinux-specific kernel state. The field is private, so it is reachable only from this
    // module and its submodules.
    // NOTE(review): `None` presumably means no SELinux state was set up for this kernel;
    // confirm against the code that constructs this type.
    state: Option<selinux_hooks::KernelState>,
}
39
impl KernelState {
    /// Returns the access-denial count reported by the wrapped SELinux state, or zero when
    /// `state` is `None`.
    ///
    /// A result of zero is therefore ambiguous: it is returned both when the SELinux state
    /// reports no denials and when there is no SELinux state at all, so a consumer that uses
    /// this value as a monitoring signal cannot tell the two apart from the count alone.
    pub fn access_denial_count(&self) -> u64 {
        match &self.state {
            Some(selinux_state) => selinux_state.access_denial_count(),
            None => 0u64,
        }
    }
}
45
/// The opaque type used by [`crate::vfs::FsNodeInfo`] to store security state.
///
/// The wrapped SELinux state is a private tuple field, so it is reachable only from this module
/// and its submodules.
// NOTE(review): `Default` is derived, so any caller can obtain a value whose contents are
// whatever `selinux_hooks::FsNodeState::default()` yields; confirm that is a safe initial state.
#[derive(Debug, Default)]
pub struct FsNodeState(selinux_hooks::FsNodeState);
49
/// Opaque structure holding security state for a [`binderfs::BinderConnection`].
///
/// No `Default` is derived and the only field is private, so values can be built only by code
/// in this module or its submodules.
#[derive(Debug)]
pub struct BinderConnectionState {
    // SELinux-specific state for the connection; not visible outside this module tree.
    state: selinux_hooks::BinderConnectionState,
}
55
/// Opaque structure holding security state for a [`crate::vfs::socket::Socket`].
// NOTE(review): `Default` is derived, so any caller can obtain a value whose contents are
// whatever `selinux_hooks::SocketState::default()` yields; confirm that is a safe initial state.
#[derive(Debug, Default)]
pub struct SocketState {
    // SELinux-specific state for the socket; private, so reachable only from this module and
    // its submodules.
    state: selinux_hooks::SocketState,
}
61
/// Opaque structure holding security state for a [`crate::vfs::FileObject`].
///
/// No `Default` is derived and the only field is private, so values can be built only by code
/// in this module or its submodules.
#[derive(Debug)]
pub struct FileObjectState {
    // SELinux-specific state for the file object; not visible outside this module tree.
    state: selinux_hooks::FileObjectState,
}
67
/// Opaque structure holding security state for a [`crate::vfs::FileSystem`].
///
/// No `Default` is derived and the only field is private, so values can be built only by code
/// in this module or its submodules.
#[derive(Debug)]
pub struct FileSystemState {
    // SELinux-specific state for the file system; not visible outside this module tree.
    state: selinux_hooks::FileSystemState,
}
73
/// Opaque structure holding security state for a bpf [`ebpf_api::maps::Map`].
///
/// No `Default` is derived and the only field is private, so values can be built only by code
/// in this module or its submodules.
#[derive(Debug)]
pub struct BpfMapState {
    // SELinux-specific state for the map; not visible outside this module tree.
    state: selinux_hooks::BpfMapState,
}
79
/// Opaque structure holding security state for a bpf [`crate::bpf::program::Program`].
///
/// No `Default` is derived and the only field is private, so values can be built only by code
/// in this module or its submodules.
#[derive(Debug)]
pub struct BpfProgState {
    // SELinux-specific state for the program; not visible outside this module tree.
    state: selinux_hooks::BpfProgState,
}
85
/// Opaque structure holding security state for a PerfEventFileState.
///
/// No `Default` is derived and the only field is private, so values can be built only by code
/// in this module or its submodules.
#[derive(Debug)]
pub struct PerfEventState {
    // SELinux-specific state for the perf event; not visible outside this module tree.
    state: selinux_hooks::PerfEventState,
}
91
/// Opaque structure holding security state for a current task.
// NOTE(review): `Default` is derived, so any caller can obtain a value whose contents are
// whatever `selinux_hooks::CurrentTaskState::default()` yields; confirm that is a safe initial
// state for a task.
#[derive(Default, Debug)]
pub struct CurrentTaskState {
    // NOTE(review): this field is `pub`, whereas the other state wrappers visible in this file
    // keep their field private. The SELinux task state is therefore readable (and, given
    // mutable access, writable) by every user of this type rather than only by this module
    // tree. Confirm the exposure is intended, since the module documentation asks callers to
    // treat these types as opaque.
    pub state: selinux_hooks::CurrentTaskState,
}