Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
awilliam
GitHub Repository: awilliam/linux-vfio
 Path: blob/master/security/apparmor/include/context.h
10817 views
1
/*

2
 * AppArmor security module

3
 *

4
 * This file contains AppArmor contexts used to associate "labels" to objects.

5
 *

6
 * Copyright (C) 1998-2008 Novell/SUSE

7
 * Copyright 2009-2010 Canonical Ltd.

8
 *

9
 * This program is free software; you can redistribute it and/or

10
 * modify it under the terms of the GNU General Public License as

11
 * published by the Free Software Foundation, version 2 of the

12
 * License.

13
 */

14


15
#ifndef __AA_CONTEXT_H

16
#define __AA_CONTEXT_H

17


18
#include <linux/cred.h>

19
#include <linux/slab.h>

20
#include <linux/sched.h>

21


22
#include "policy.h"

23


24
/* struct aa_file_cxt - the AppArmor context the file was opened in

25
 * @perms: the permission the file was opened with

26
 *

27
 * The file_cxt could currently be directly stored in file->f_security

28
 * as the profile reference is now stored in the f_cred.  However the

29
 * cxt struct will expand in the future so we keep the struct.

30
 */

31
struct aa_file_cxt {

32
	u16 allow;

33
};

34


35
/**

36
 * aa_alloc_file_context - allocate file_cxt

37
 * @gfp: gfp flags for allocation

38
 *

39
 * Returns: file_cxt or NULL on failure

40
 */

41
static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp)

42
{

43
	return kzalloc(sizeof(struct aa_file_cxt), gfp);

44
}

45


46
/**

47
 * aa_free_file_context - free a file_cxt

48
 * @cxt: file_cxt to free  (MAYBE_NULL)

49
 */

50
static inline void aa_free_file_context(struct aa_file_cxt *cxt)

51
{

52
	if (cxt)

53
		kzfree(cxt);

54
}

55


56
/**

57
 * struct aa_task_cxt - primary label for confined tasks

58
 * @profile: the current profile   (NOT NULL)

59
 * @exec: profile to transition to on next exec  (MAYBE NULL)

60
 * @previous: profile the task may return to     (MAYBE NULL)

61
 * @token: magic value the task must know for returning to @previous_profile

62
 *

63
 * Contains the task's current profile (which could change due to

64
 * change_hat).  Plus the hat_magic needed during change_hat.

65
 *

66
 * TODO: make so a task can be confined by a stack of contexts

67
 */

68
struct aa_task_cxt {

69
	struct aa_profile *profile;

70
	struct aa_profile *onexec;

71
	struct aa_profile *previous;

72
	u64 token;

73
};

74


75
struct aa_task_cxt *aa_alloc_task_context(gfp_t flags);

76
void aa_free_task_context(struct aa_task_cxt *cxt);

77
void aa_dup_task_context(struct aa_task_cxt *new,

78
			 const struct aa_task_cxt *old);

79
int aa_replace_current_profile(struct aa_profile *profile);

80
int aa_set_current_onexec(struct aa_profile *profile);

81
int aa_set_current_hat(struct aa_profile *profile, u64 token);

82
int aa_restore_previous_profile(u64 cookie);

83


84
/**

85
 * __aa_task_is_confined - determine if @task has any confinement

86
 * @task: task to check confinement of  (NOT NULL)

87
 *

88
 * If @task != current needs to be called in RCU safe critical section

89
 */

90
static inline bool __aa_task_is_confined(struct task_struct *task)

91
{

92
	struct aa_task_cxt *cxt = __task_cred(task)->security;

93


94
	BUG_ON(!cxt || !cxt->profile);

95
	if (unconfined(aa_newest_version(cxt->profile)))

96
		return 0;

97


98
	return 1;

99
}

100


101
/**

102
 * aa_cred_profile - obtain cred's profiles

103
 * @cred: cred to obtain profiles from  (NOT NULL)

104
 *

105
 * Returns: confining profile

106
 *

107
 * does NOT increment reference count

108
 */

109
static inline struct aa_profile *aa_cred_profile(const struct cred *cred)

110
{

111
	struct aa_task_cxt *cxt = cred->security;

112
	BUG_ON(!cxt || !cxt->profile);

113
	return aa_newest_version(cxt->profile);

114
}

115


116
/**

117
 * __aa_current_profile - find the current tasks confining profile

118
 *

119
 * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)

120
 *

121
 * This fn will not update the tasks cred to the most up to date version

122
 * of the profile so it is safe to call when inside of locks.

123
 */

124
static inline struct aa_profile *__aa_current_profile(void)

125
{

126
	return aa_cred_profile(current_cred());

127
}

128


129
/**

130
 * aa_current_profile - find the current tasks confining profile and do updates

131
 *

132
 * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)

133
 *

134
 * This fn will update the tasks cred structure if the profile has been

135
 * replaced.  Not safe to call inside locks

136
 */

137
static inline struct aa_profile *aa_current_profile(void)

138
{

139
	const struct aa_task_cxt *cxt = current_cred()->security;

140
	struct aa_profile *profile;

141
	BUG_ON(!cxt || !cxt->profile);

142


143
	profile = aa_newest_version(cxt->profile);

144
	/*

145
	 * Whether or not replacement succeeds, use newest profile so

146
	 * there is no need to update it after replacement.

147
	 */

148
	if (unlikely((cxt->profile != profile)))

149
		aa_replace_current_profile(profile);

150


151
	return profile;

152
}

153


154
#endif /* __AA_CONTEXT_H */

155


156