[mirror_ubuntu-zesty-kernel.git] / security / apparmor / include / policy_ns.h

/*
 * AppArmor security module
 *
 * This file contains AppArmor policy definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2015 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#ifndef __AA_NAMESPACE_H
#define __AA_NAMESPACE_H

#include <linux/kref.h>

#include "apparmor.h"
#include "apparmorfs.h"
#include "label.h"
#include "policy.h"


/* struct aa_ns_acct - accounting of profiles in namespace
 * @max_size: maximum space allowed for all profiles in namespace
 * @max_count: maximum number of profiles that can be in this namespace
 * @size: current size of profiles
 * @count: current count of profiles (includes null profiles)
 */
struct aa_ns_acct {
	int max_size;
	int max_count;
	int size;
	int count;
};

/* struct aa_ns - namespace for a set of profiles
 * @base: common policy
 * @parent: parent of namespace
 * @lock: lock for modifying the object
 * @acct: accounting for the namespace
 * @unconfined: special unconfined profile for the namespace
 * @sub_ns: list of namespaces under the current namespace.
 * @uniq_null: uniq value used for null learning profiles
 * @uniq_id: a unique id count for the profiles in the namespace
 * @dents: dentries for the namespaces file entries in apparmorfs
 *
 * An aa_ns defines the set profiles that are searched to determine which
 * profile to attach to a task.  Profiles can not be shared between aa_ns
 * and profile names within a namespace are guaranteed to be unique.  When
 * profiles in separate namespaces have the same name they are NOT considered
 * to be equivalent.
 *
 * Namespaces are hierarchical and only namespaces and profiles below the
 * current namespace are visible.
 *
 * Namespace names must be unique and can not contain the characters :/\0
 */
struct aa_ns {
	struct aa_policy base;
	struct aa_ns *parent;
	struct mutex lock;
	struct aa_ns_acct acct;
	struct aa_profile *unconfined;
	struct list_head sub_ns;
	atomic_t uniq_null;
	long uniq_id;
	int level;
	struct aa_labelset labels;

	struct dentry *dents[AAFS_NS_SIZEOF];
};

extern struct aa_ns *root_ns;

extern const char *aa_hidden_ns_name;

#define ns_unconfined(NS) (&(NS)->unconfined->label)

bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);
void aa_free_ns_kref(struct kref *kref);

struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
struct aa_ns *aa_create_ns(struct aa_ns *parent, const char *name,
			   struct dentry *dir);
struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
void __aa_remove_ns(struct aa_ns *ns);

static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
{
	return rcu_dereference_protected(p->parent,
					 mutex_is_locked(&p->ns->lock));
}

/**
 * aa_get_ns - increment references count on @ns
 * @ns: namespace to increment reference count of (MAYBE NULL)
 *
 * Returns: pointer to @ns, if @ns is NULL returns NULL
 * Requires: @ns must be held with valid refcount when called
 */
static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
{
	if (ns)
		aa_get_profile(ns->unconfined);

	return ns;
}

/**
 * aa_put_ns - decrement refcount on @ns
 * @ns: ns to put reference of
 *
 * Decrement reference count of @ns and if no longer in use free it
 */
static inline void aa_put_ns(struct aa_ns *ns)
{
	if (ns)
		aa_put_profile(ns->unconfined);
}

/**
 * __aa_findn_ns - find a namespace on a list by @name
 * @head: list to search for namespace on  (NOT NULL)
 * @name: name of namespace to look for  (NOT NULL)
 * @n: length of @name
 * Returns: unrefcounted namespace
 *
 * Requires: rcu_read_lock be held
 */
static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
					  const char *name, size_t n)
{
	return (struct aa_ns *)__policy_strn_find(head, name, n);
}

static inline struct aa_ns *__aa_find_ns(struct list_head *head,
					 const char *name)
{
	return __aa_findn_ns(head, name, strlen(name));
}

#endif /* AA_NAMESPACE_H */
Commit	Line	Data
80594fc2 JJ	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor policy definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2015 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_NAMESPACE_H
	16	#define __AA_NAMESPACE_H
	17
	18	#include <linux/kref.h>
	19
	20	#include "apparmor.h"
	21	#include "apparmorfs.h"
	22	#include "label.h"
	23	#include "policy.h"
	24
	25
	26	/* struct aa_ns_acct - accounting of profiles in namespace
	27	* @max_size: maximum space allowed for all profiles in namespace
	28	* @max_count: maximum number of profiles that can be in this namespace
	29	* @size: current size of profiles
	30	* @count: current count of profiles (includes null profiles)
	31	*/
	32	struct aa_ns_acct {
	33	int max_size;
	34	int max_count;
	35	int size;
	36	int count;
	37	};
	38
	39	/* struct aa_ns - namespace for a set of profiles
	40	* @base: common policy
	41	* @parent: parent of namespace
	42	* @lock: lock for modifying the object
	43	* @acct: accounting for the namespace
	44	* @unconfined: special unconfined profile for the namespace
	45	* @sub_ns: list of namespaces under the current namespace.
	46	* @uniq_null: uniq value used for null learning profiles
	47	* @uniq_id: a unique id count for the profiles in the namespace
	48	* @dents: dentries for the namespaces file entries in apparmorfs
	49	*
	50	* An aa_ns defines the set profiles that are searched to determine which
	51	* profile to attach to a task. Profiles can not be shared between aa_ns
	52	* and profile names within a namespace are guaranteed to be unique. When
	53	* profiles in separate namespaces have the same name they are NOT considered
	54	* to be equivalent.
	55	*
	56	* Namespaces are hierarchical and only namespaces and profiles below the
	57	* current namespace are visible.
	58	*
	59	* Namespace names must be unique and can not contain the characters :/\0
	60	*/
	61	struct aa_ns {
	62	struct aa_policy base;
	63	struct aa_ns *parent;
	64	struct mutex lock;
65	struct aa_ns_acct acct;
66	struct aa_profile *unconfined;
67	struct list_head sub_ns;
68	atomic_t uniq_null;
69	long uniq_id;
70	int level;
71	struct aa_labelset labels;
72
73	struct dentry *dents[AAFS_NS_SIZEOF];
74	};
75
76	extern struct aa_ns *root_ns;
77
78	extern const char *aa_hidden_ns_name;
79
80	#define ns_unconfined(NS) (&(NS)->unconfined->label)
81
82	bool aa_ns_visible(struct aa_ns curr, struct aa_ns view, bool subns);
83	const char aa_ns_name(struct aa_ns parent, struct aa_ns *child, bool subns);
84	void aa_free_ns(struct aa_ns *ns);
85	int aa_alloc_root_ns(void);
86	void aa_free_root_ns(void);
87	void aa_free_ns_kref(struct kref *kref);
88
89	struct aa_ns aa_find_ns(struct aa_ns root, const char *name);
90	struct aa_ns aa_findn_ns(struct aa_ns root, const char *name, size_t n);
5c5bd420 TG	91	struct aa_ns aa_create_ns(struct aa_ns parent, const char *name,
5c5bd420 TG	92	struct dentry *dir);
80594fc2 JJ	93	struct aa_ns aa_prepare_ns(struct aa_ns root, const char *name);
	94	void __aa_remove_ns(struct aa_ns *ns);
	95
	96	static inline struct aa_profile aa_deref_parent(struct aa_profile p)
	97	{
	98	return rcu_dereference_protected(p->parent,
	99	mutex_is_locked(&p->ns->lock));
	100	}
	101
	102	/**
	103	* aa_get_ns - increment references count on @ns
	104	* @ns: namespace to increment reference count of (MAYBE NULL)
	105	*
	106	* Returns: pointer to @ns, if @ns is NULL returns NULL
	107	* Requires: @ns must be held with valid refcount when called
	108	*/
	109	static inline struct aa_ns aa_get_ns(struct aa_ns ns)
	110	{
	111	if (ns)
	112	aa_get_profile(ns->unconfined);
	113
	114	return ns;
	115	}
	116
	117	/**
	118	* aa_put_ns - decrement refcount on @ns
	119	* @ns: ns to put reference of
	120	*
	121	* Decrement reference count of @ns and if no longer in use free it
	122	*/
	123	static inline void aa_put_ns(struct aa_ns *ns)
	124	{
	125	if (ns)
	126	aa_put_profile(ns->unconfined);
	127	}
	128
ec25af4b JJ	129	/**
	130	* __aa_findn_ns - find a namespace on a list by @name
	131	* @head: list to search for namespace on (NOT NULL)
	132	* @name: name of namespace to look for (NOT NULL)
	133	* @n: length of @name
	134	* Returns: unrefcounted namespace
	135	*
	136	* Requires: rcu_read_lock be held
	137	*/
	138	static inline struct aa_ns __aa_findn_ns(struct list_head head,
	139	const char *name, size_t n)
	140	{
	141	return (struct aa_ns *)__policy_strn_find(head, name, n);
	142	}
	143
	144	static inline struct aa_ns __aa_find_ns(struct list_head head,
	145	const char *name)
	146	{
	147	return __aa_findn_ns(head, name, strlen(name));
	148	}
	149
80594fc2	150	#endif /* AA_NAMESPACE_H */