security/safesetid/securityfs.c
Source file repositories/reference/linux-study-clean/security/safesetid/securityfs.c
File Facts
- System
- Linux kernel
- Corpus path
security/safesetid/securityfs.c- Extension
.c- Size
- 8775 bytes
- Lines
- 348
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: operation-table or driver-model contract
- Status
- pattern implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Defines an operation table; this is where Linux turns generic core objects into subsystem-specific behavior.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/security.hlinux/cred.hlsm.h
Detected Declarations
function parse_policy_linefunction __release_rulesetfunction release_rulesetfunction insert_rulefunction verify_rulesetfunction hash_for_eachfunction handle_policy_updatefunction xchgfunction safesetid_uid_file_writefunction safesetid_gid_file_writefunction safesetid_file_readfunction safesetid_uid_file_readfunction safesetid_gid_file_readfunction safesetid_init_securityfs
Annotated Snippet
static const struct file_operations safesetid_uid_file_fops = {
.read = safesetid_uid_file_read,
.write = safesetid_uid_file_write,
};
static const struct file_operations safesetid_gid_file_fops = {
.read = safesetid_gid_file_read,
.write = safesetid_gid_file_write,
};
int __init safesetid_init_securityfs(void)
{
int ret;
struct dentry *policy_dir;
struct dentry *uid_policy_file;
struct dentry *gid_policy_file;
if (!safesetid_initialized)
return 0;
policy_dir = securityfs_create_dir("safesetid", NULL);
if (IS_ERR(policy_dir)) {
ret = PTR_ERR(policy_dir);
goto error;
}
uid_policy_file = securityfs_create_file("uid_allowlist_policy", 0600,
policy_dir, NULL, &safesetid_uid_file_fops);
if (IS_ERR(uid_policy_file)) {
ret = PTR_ERR(uid_policy_file);
goto error;
}
gid_policy_file = securityfs_create_file("gid_allowlist_policy", 0600,
policy_dir, NULL, &safesetid_gid_file_fops);
if (IS_ERR(gid_policy_file)) {
ret = PTR_ERR(gid_policy_file);
goto error;
}
return 0;
error:
securityfs_remove(policy_dir);
return ret;
}
Annotation
- Immediate include surface: `linux/security.h`, `linux/cred.h`, `lsm.h`.
- Detected declarations: `function parse_policy_line`, `function __release_ruleset`, `function release_ruleset`, `function insert_rule`, `function verify_ruleset`, `function hash_for_each`, `function handle_policy_update`, `function xchg`, `function safesetid_uid_file_write`, `function safesetid_gid_file_write`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: pattern implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.