1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor policy definitions. | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2015 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #ifndef __AA_NAMESPACE_H | |
16 | #define __AA_NAMESPACE_H | |
17 | ||
18 | #include <linux/kref.h> | |
19 | ||
20 | #include "apparmor.h" | |
21 | #include "apparmorfs.h" | |
22 | #include "label.h" | |
23 | #include "policy.h" | |
24 | ||
25 | ||
/* struct aa_ns_acct - accounting of profiles in namespace
 * @max_size: maximum space allowed for all profiles in namespace
 * @max_count: maximum number of profiles that can be in this namespace
 * @size: current size of profiles
 * @count: current count of profiles (includes null profiles)
 *
 * NOTE(review): all four fields are signed int; the code that updates
 * @size/@count against @max_size/@max_count is not in this header, so
 * confirm there that the limits are checked before the fields change and
 * that @size/@count cannot go negative or wrap.
 */
struct aa_ns_acct {
	int max_size;
	int max_count;
	int size;
	int count;
};
38 | ||
/* struct aa_ns - namespace for a set of profiles
 * @base: common policy (must stay the first member, see below)
 * @parent: parent of namespace
 * @lock: lock for modifying the object
 * @acct: accounting for the namespace
 * @unconfined: special unconfined profile for the namespace
 * @sub_ns: list of namespaces under the current namespace.
 * @uniq_null: uniq value used for null learning profiles
 * @uniq_id: a unique id count for the profiles in the namespace
 * @level: presumably the depth of this namespace in the hierarchy - confirm
 * @labels: label set of the namespace (presumably the labels created under
 *          this namespace - confirm against label.h)
 * @dents: dentries for the namespaces file entries in apparmorfs
 *
 * An aa_ns defines the set of profiles that are searched to determine which
 * profile to attach to a task. Profiles cannot be shared between aa_ns
 * and profile names within a namespace are guaranteed to be unique. When
 * profiles in separate namespaces have the same name they are NOT considered
 * to be equivalent.
 *
 * Namespaces are hierarchical and only namespaces and profiles below the
 * current namespace are visible.
 *
 * Namespace names must be unique and can not contain the characters :/\0
 *
 * __aa_findn_ns() in this header casts the result of __policy_strn_find()
 * directly to struct aa_ns *, so @base is presumably expected to be the
 * first member; do not reorder the fields without checking that cast.
 */
struct aa_ns {
	struct aa_policy base;
	struct aa_ns *parent;
	struct mutex lock;
	struct aa_ns_acct acct;
	struct aa_profile *unconfined;
	struct list_head sub_ns;
	atomic_t uniq_null;
	long uniq_id;
	int level;
	struct aa_labelset labels;

	struct dentry *dents[AAFS_NS_SIZEOF];
};
75 | ||
extern struct aa_ns *root_ns;

extern const char *aa_hidden_ns_name;

/* label of the namespace's unconfined profile; @NS is evaluated once */
#define ns_unconfined(NS) (&(NS)->unconfined->label)

bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);
void aa_free_ns_kref(struct kref *kref);

struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
struct aa_ns *aa_create_ns(struct aa_ns *parent, const char *name,
			   struct dentry *dir);
struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
/* NOTE(review): the double-underscore prefix conventionally marks a
 * caller-holds-the-lock variant; confirm the required lock at the definition */
void __aa_remove_ns(struct aa_ns *ns);
95 | ||
/**
 * aa_deref_parent - fetch the parent profile pointer of @p
 * @p: profile whose parent is wanted (NOT NULL)
 *
 * Returns: @p->parent
 * Requires: @p->ns->lock be held. rcu_dereference_protected() only checks
 *           that condition; it does not enter an rcu read-side section.
 */
static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
{
	struct mutex *ns_lock = &p->ns->lock;

	return rcu_dereference_protected(p->parent, mutex_is_locked(ns_lock));
}
101 | ||
/**
 * aa_get_ns - increment references count on @ns
 * @ns: namespace to increment reference count of (MAYBE NULL)
 *
 * Returns: pointer to @ns, if @ns is NULL returns NULL
 * Requires: @ns must be held with valid refcount when called
 *
 * The reference is taken on @ns->unconfined, and aa_put_ns() drops the
 * same one, so every aa_get_ns() must be paired with exactly one
 * aa_put_ns().
 */
static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
{
	if (!ns)
		return NULL;

	aa_get_profile(ns->unconfined);
	return ns;
}
116 | ||
/**
 * aa_put_ns - decrement refcount on @ns
 * @ns: ns to put reference of (MAYBE NULL)
 *
 * Decrement reference count of @ns and if no longer in use free it.
 * The reference lives on @ns->unconfined (see aa_get_ns()), so @ns must
 * not be dereferenced after this call unless the caller holds another
 * reference.
 */
static inline void aa_put_ns(struct aa_ns *ns)
{
	if (!ns)
		return;

	aa_put_profile(ns->unconfined);
}
128 | ||
/**
 * __aa_findn_ns - find a namespace on a list by @name
 * @head: list to search for namespace on (NOT NULL)
 * @name: name of namespace to look for (NOT NULL)
 * @n: length of @name
 * Returns: unrefcounted namespace
 *
 * Requires: rcu_read_lock be held
 *
 * The result is only valid inside the rcu read-side section; a caller that
 * keeps the pointer beyond it must take a reference (aa_get_ns()) first.
 */
static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
					  const char *name, size_t n)
{
	/* struct aa_policy base is the first member of struct aa_ns, so the
	 * policy found on the list is cast straight to the namespace */
	void *match = __policy_strn_find(head, name, n);

	return (struct aa_ns *)match;
}
143 | ||
/**
 * __aa_find_ns - find a namespace on a list by NUL-terminated @name
 * @head: list to search for namespace on (NOT NULL)
 * @name: name of namespace to look for (NOT NULL, NUL-terminated)
 *
 * Returns: unrefcounted namespace
 *
 * Requires: rcu_read_lock be held (same contract as __aa_findn_ns())
 */
static inline struct aa_ns *__aa_find_ns(struct list_head *head,
					 const char *name)
{
	size_t len = strlen(name);

	return __aa_findn_ns(head, name, len);
}
149 | ||
80594fc2 | 150 | #endif /* __AA_NAMESPACE_H */ |