[mirror_ubuntu-bionic-kernel.git] / security / apparmor / include / context.h

/*
 * AppArmor security module
 *
 * This file contains AppArmor contexts used to associate "labels" to objects.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#ifndef __AA_CONTEXT_H
#define __AA_CONTEXT_H

#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/lsm_hooks.h>

#include "label.h"
#include "policy_ns.h"

#define cred_ctx(X) apparmor_cred(X)
#define current_ctx() cred_ctx(current_cred())

/**
 * struct aa_task_ctx - primary label for confined tasks
 * @label: the current label   (NOT NULL)
 * @exec: label to transition to on next exec  (MAYBE NULL)
 * @previous: label the task may return to     (MAYBE NULL)
 * @token: magic value the task must know for returning to @previous
 *
 * Contains the task's current label (which could change due to
 * change_hat).  Plus the hat_magic needed during change_hat.
 *
 * TODO: make so a task can be confined by a stack of contexts
 */
struct aa_task_ctx {
	struct aa_label *label;
	struct aa_label *onexec;
	struct aa_label *previous;
	u64 token;
};

void aa_free_task_context(struct aa_task_ctx *ctx);
void aa_dup_task_context(struct aa_task_ctx *new,
			 const struct aa_task_ctx *old);
int aa_replace_current_label(struct aa_label *label);
int aa_set_current_onexec(struct aa_label *label, bool stack);
int aa_set_current_hat(struct aa_label *label, u64 token);
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);

extern struct lsm_blob_sizes apparmor_blob_sizes;

static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
{
#ifdef CONFIG_SECURITY_STACKING
	return cred->security + apparmor_blob_sizes.lbs_cred;
#else
	return cred->security;
#endif
}

/**
 * aa_cred_raw_label - obtain cred's label
 * @cred: cred to obtain label from  (NOT NULL)
 *
 * Returns: confining label
 *
 * does NOT increment reference count
 */
static inline struct aa_label *aa_cred_raw_label(const struct cred *cred)
{
	struct aa_task_ctx *ctx = apparmor_cred(cred);

	AA_BUG(!ctx || !ctx->label);
	return ctx->label;
}

/**
 * aa_get_newest_cred_label - obtain the newest label on a cred
 * @cred: cred to obtain label from (NOT NULL)
 *
 * Returns: newest version of confining label
 */
static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
{
	return aa_get_newest_label(aa_cred_raw_label(cred));
}

static inline struct aa_file_ctx *apparmor_file(const struct file *file)
{
#ifdef CONFIG_SECURITY_STACKING
	return file->f_security + apparmor_blob_sizes.lbs_file;
#else
	return file->f_security;
#endif
}

/**
 * __aa_task_raw_label - retrieve another task's label
 * @task: task to query  (NOT NULL)
 *
 * Returns: @task's label without incrementing its ref count
 *
 * If @task != current needs to be called in RCU safe critical section
 */
static inline struct aa_label *__aa_task_raw_label(struct task_struct *task)
{
	return aa_cred_raw_label(__task_cred(task));
}

/**
 * __aa_task_is_confined - determine if @task has any confinement
 * @task: task to check confinement of  (NOT NULL)
 *
 * If @task != current needs to be called in RCU safe critical section
 */
static inline bool __aa_task_is_confined(struct task_struct *task)
{
	return !unconfined(__aa_task_raw_label(task));
}

/**
 * aa_current_raw_label - find the current tasks confining label
 *
 * Returns: up to date confining label or the ns unconfined label (NOT NULL)
 *
 * This fn will not update the tasks cred to the most up to date version
 * of the label so it is safe to call when inside of locks.
 */
static inline struct aa_label *aa_current_raw_label(void)
{
	return aa_cred_raw_label(current_cred());
}

/**
 * aa_get_current_label - get the newest version of the current tasks label
 *
 * Returns: newest version of confining label (NOT NULL)
 *
 * This fn will not update the tasks cred, so it is safe inside of locks
 *
 * The returned reference must be put with aa_put_label()
 */
static inline struct aa_label *aa_get_current_label(void)
{
	struct aa_label *l = aa_current_raw_label();

	if (label_is_stale(l))
		return aa_get_newest_label(l);
	return aa_get_label(l);
}

#define __end_current_label_crit_section(X) end_current_label_crit_section(X)

/**
 * end_label_crit_section - put a reference found with begin_current_label..
 * @label: label reference to put
 *
 * Should only be used with a reference obtained with
 * begin_current_label_crit_section and never used in situations where the
 * task cred may be updated
 */
static inline void end_current_label_crit_section(struct aa_label *label)
{
	if (label != aa_current_raw_label())
		aa_put_label(label);
}

/**
 * __begin_current_label_crit_section - current's confining label
 *
 * Returns: up to date confining label or the ns unconfined label (NOT NULL)
 *
 * safe to call inside locks
 *
 * The returned reference must be put with __end_current_label_crit_section()
 * This must NOT be used if the task cred could be updated within the
 * critical section between __begin_current_label_crit_section() ..
 * __end_current_label_crit_section()
 */
static inline struct aa_label *__begin_current_label_crit_section(void)
{
	struct aa_label *label = aa_current_raw_label();

	if (label_is_stale(label))
		label = aa_get_newest_label(label);

	return label;
}

/**
 * begin_current_label_crit_section - current's confining label and update it
 *
 * Returns: up to date confining label or the ns unconfined label (NOT NULL)
 *
 * Not safe to call inside locks
 *
 * The returned reference must be put with end_current_label_crit_section()
 * This must NOT be used if the task cred could be updated within the
 * critical section between begin_current_label_crit_section() ..
 * end_current_label_crit_section()
 */
static inline struct aa_label *begin_current_label_crit_section(void)
{
	struct aa_label *label = aa_current_raw_label();

	if (label_is_stale(label)) {
		label = aa_get_newest_label(label);
		if (aa_replace_current_label(label) == 0)
			/* task cred will keep the reference */
			aa_put_label(label);
	}

	return label;
}

static inline struct aa_ns *aa_get_current_ns(void)
{
	struct aa_label *label;
	struct aa_ns *ns;

	label  = __begin_current_label_crit_section();
	ns = aa_get_ns(labels_ns(label));
	__end_current_label_crit_section(label);

	return ns;
}

/**
 * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
 * @ctx: task context to clear (NOT NULL)
 */
static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
{
	aa_put_label(ctx->previous);
	aa_put_label(ctx->onexec);
	ctx->previous = NULL;
	ctx->onexec = NULL;
	ctx->token = 0;
}

#endif /* __AA_CONTEXT_H */
Commit	Line	Data
c75afcd1 JJ	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor contexts used to associate "labels" to objects.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_CONTEXT_H
	16	#define __AA_CONTEXT_H
	17
	18	#include <linux/cred.h>
	19	#include <linux/slab.h>
	20	#include <linux/sched.h>
f1efc8c4	21	#include <linux/lsm_hooks.h>
c75afcd1	22
637f688d	23	#include "label.h"
2bd8dbbf	24	#include "policy_ns.h"
c75afcd1	25
f1efc8c4	26	#define cred_ctx(X) apparmor_cred(X)
55a26ebf	27	#define current_ctx() cred_ctx(current_cred())
214beaca	28
c75afcd1	29	/**
55a26ebf	30	* struct aa_task_ctx - primary label for confined tasks
637f688d JJ	31	* @label: the current label (NOT NULL)
	32	* @exec: label to transition to on next exec (MAYBE NULL)
	33	* @previous: label the task may return to (MAYBE NULL)
	34	* @token: magic value the task must know for returning to @previous
c75afcd1	35	*
637f688d	36	* Contains the task's current label (which could change due to
c75afcd1 JJ	37	* change_hat). Plus the hat_magic needed during change_hat.
	38	*
	39	* TODO: make so a task can be confined by a stack of contexts
	40	*/
55a26ebf	41	struct aa_task_ctx {
637f688d JJ	42	struct aa_label *label;
	43	struct aa_label *onexec;
	44	struct aa_label *previous;
c75afcd1 JJ	45	u64 token;
	46	};
	47
55a26ebf JJ	48	void aa_free_task_context(struct aa_task_ctx *ctx);
	49	void aa_dup_task_context(struct aa_task_ctx *new,
	50	const struct aa_task_ctx *old);
637f688d JJ	51	int aa_replace_current_label(struct aa_label *label);
	52	int aa_set_current_onexec(struct aa_label *label, bool stack);
	53	int aa_set_current_hat(struct aa_label *label, u64 token);
	54	int aa_restore_previous_label(u64 cookie);
	55	struct aa_label aa_get_task_label(struct task_struct task);
c75afcd1	56
54f4b36b CS	57	extern struct lsm_blob_sizes apparmor_blob_sizes;
54f4b36b CS	58
f1efc8c4 CS	59	static inline struct aa_task_ctx apparmor_cred(const struct cred cred)
f1efc8c4 CS	60	{
54f4b36b CS	61	#ifdef CONFIG_SECURITY_STACKING
	62	return cred->security + apparmor_blob_sizes.lbs_cred;
	63	#else
f1efc8c4	64	return cred->security;
54f4b36b	65	#endif
f1efc8c4	66	}
c75afcd1 JJ	67
c75afcd1 JJ	68	/**
637f688d JJ	69	* aa_cred_raw_label - obtain cred's label
637f688d JJ	70	* @cred: cred to obtain label from (NOT NULL)
c75afcd1	71	*
637f688d	72	* Returns: confining label
c75afcd1 JJ	73	*
	74	* does NOT increment reference count
	75	*/
637f688d	76	static inline struct aa_label aa_cred_raw_label(const struct cred cred)
c75afcd1	77	{
f1efc8c4	78	struct aa_task_ctx *ctx = apparmor_cred(cred);
55a26ebf	79
637f688d JJ	80	AA_BUG(!ctx \|\| !ctx->label);
637f688d JJ	81	return ctx->label;
c75afcd1 JJ	82	}
c75afcd1 JJ	83
3cfcc19e	84	/**
637f688d JJ	85	* aa_get_newest_cred_label - obtain the newest label on a cred
637f688d JJ	86	* @cred: cred to obtain label from (NOT NULL)
cf797c0e	87	*
637f688d	88	* Returns: newest version of confining label
cf797c0e	89	*/
637f688d	90	static inline struct aa_label aa_get_newest_cred_label(const struct cred cred)
cf797c0e	91	{
637f688d	92	return aa_get_newest_label(aa_cred_raw_label(cred));
cf797c0e JJ	93	}
cf797c0e JJ	94
ab9b110b CS	95	static inline struct aa_file_ctx apparmor_file(const struct file file)
ab9b110b CS	96	{
54f4b36b CS	97	#ifdef CONFIG_SECURITY_STACKING
	98	return file->f_security + apparmor_blob_sizes.lbs_file;
	99	#else
ab9b110b	100	return file->f_security;
54f4b36b	101	#endif
ab9b110b CS	102	}
ab9b110b CS	103
cf797c0e	104	/**
637f688d	105	* __aa_task_raw_label - retrieve another task's label
3cfcc19e JJ	106	* @task: task to query (NOT NULL)
3cfcc19e JJ	107	*
637f688d	108	* Returns: @task's label without incrementing its ref count
3cfcc19e JJ	109	*
	110	* If @task != current needs to be called in RCU safe critical section
	111	*/
637f688d	112	static inline struct aa_label __aa_task_raw_label(struct task_struct task)
3cfcc19e	113	{
637f688d	114	return aa_cred_raw_label(__task_cred(task));
3cfcc19e JJ	115	}
	116
	117	/**
	118	* __aa_task_is_confined - determine if @task has any confinement
	119	* @task: task to check confinement of (NOT NULL)
	120	*
	121	* If @task != current needs to be called in RCU safe critical section
	122	*/
	123	static inline bool __aa_task_is_confined(struct task_struct *task)
	124	{
637f688d	125	return !unconfined(__aa_task_raw_label(task));
3cfcc19e JJ	126	}
3cfcc19e JJ	127
c75afcd1	128	/**
637f688d	129	* aa_current_raw_label - find the current tasks confining label
c75afcd1	130	*
637f688d	131	* Returns: up to date confining label or the ns unconfined label (NOT NULL)
c75afcd1 JJ	132	*
c75afcd1 JJ	133	* This fn will not update the tasks cred to the most up to date version
637f688d	134	* of the label so it is safe to call when inside of locks.
c75afcd1	135	*/
637f688d	136	static inline struct aa_label *aa_current_raw_label(void)
c75afcd1	137	{
637f688d	138	return aa_cred_raw_label(current_cred());
c75afcd1 JJ	139	}
	140
	141	/**
637f688d	142	* aa_get_current_label - get the newest version of the current tasks label
c75afcd1	143	*
637f688d	144	* Returns: newest version of confining label (NOT NULL)
cf797c0e JJ	145	*
cf797c0e JJ	146	* This fn will not update the tasks cred, so it is safe inside of locks
c75afcd1	147	*
637f688d	148	* The returned reference must be put with aa_put_label()
c75afcd1	149	*/
637f688d	150	static inline struct aa_label *aa_get_current_label(void)
c75afcd1	151	{
637f688d	152	struct aa_label *l = aa_current_raw_label();
c75afcd1	153
637f688d JJ	154	if (label_is_stale(l))
	155	return aa_get_newest_label(l);
	156	return aa_get_label(l);
cf797c0e	157	}
55a26ebf	158
637f688d	159	#define __end_current_label_crit_section(X) end_current_label_crit_section(X)
cf797c0e JJ	160
cf797c0e JJ	161	/**
637f688d JJ	162	* end_label_crit_section - put a reference found with begin_current_label..
637f688d JJ	163	* @label: label reference to put
cf797c0e JJ	164	*
cf797c0e JJ	165	* Should only be used with a reference obtained with
637f688d	166	* begin_current_label_crit_section and never used in situations where the
cf797c0e JJ	167	* task cred may be updated
cf797c0e JJ	168	*/
637f688d	169	static inline void end_current_label_crit_section(struct aa_label *label)
cf797c0e	170	{
637f688d JJ	171	if (label != aa_current_raw_label())
637f688d JJ	172	aa_put_label(label);
cf797c0e JJ	173	}
	174
	175	/**
637f688d	176	* __begin_current_label_crit_section - current's confining label
cf797c0e	177	*
637f688d	178	* Returns: up to date confining label or the ns unconfined label (NOT NULL)
cf797c0e JJ	179	*
	180	* safe to call inside locks
	181	*
637f688d	182	* The returned reference must be put with __end_current_label_crit_section()
cf797c0e	183	* This must NOT be used if the task cred could be updated within the
637f688d JJ	184	* critical section between __begin_current_label_crit_section() ..
637f688d JJ	185	* __end_current_label_crit_section()
cf797c0e	186	*/
637f688d	187	static inline struct aa_label *__begin_current_label_crit_section(void)
cf797c0e	188	{
637f688d	189	struct aa_label *label = aa_current_raw_label();
cf797c0e	190
637f688d JJ	191	if (label_is_stale(label))
637f688d JJ	192	label = aa_get_newest_label(label);
cf797c0e	193
637f688d	194	return label;
cf797c0e JJ	195	}
	196
	197	/**
637f688d	198	* begin_current_label_crit_section - current's confining label and update it
cf797c0e	199	*
637f688d	200	* Returns: up to date confining label or the ns unconfined label (NOT NULL)
cf797c0e JJ	201	*
	202	* Not safe to call inside locks
	203	*
637f688d	204	* The returned reference must be put with end_current_label_crit_section()
cf797c0e	205	* This must NOT be used if the task cred could be updated within the
637f688d JJ	206	* critical section between begin_current_label_crit_section() ..
637f688d JJ	207	* end_current_label_crit_section()
cf797c0e	208	*/
637f688d	209	static inline struct aa_label *begin_current_label_crit_section(void)
cf797c0e	210	{
637f688d	211	struct aa_label *label = aa_current_raw_label();
cf797c0e	212
637f688d JJ	213	if (label_is_stale(label)) {
	214	label = aa_get_newest_label(label);
	215	if (aa_replace_current_label(label) == 0)
cf797c0e	216	/* task cred will keep the reference */
637f688d	217	aa_put_label(label);
77b071b3	218	}
c75afcd1	219
637f688d	220	return label;
c75afcd1 JJ	221	}
c75afcd1 JJ	222
2bd8dbbf JJ	223	static inline struct aa_ns *aa_get_current_ns(void)
2bd8dbbf JJ	224	{
637f688d	225	struct aa_label *label;
cf797c0e JJ	226	struct aa_ns *ns;
cf797c0e JJ	227
637f688d JJ	228	label = __begin_current_label_crit_section();
	229	ns = aa_get_ns(labels_ns(label));
	230	__end_current_label_crit_section(label);
cf797c0e JJ	231
cf797c0e JJ	232	return ns;
2bd8dbbf JJ	233	}
2bd8dbbf JJ	234
7a2871b5	235	/**
55a26ebf JJ	236	* aa_clear_task_ctx_trans - clear transition tracking info from the ctx
55a26ebf JJ	237	* @ctx: task context to clear (NOT NULL)
7a2871b5	238	*/
55a26ebf	239	static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
7a2871b5	240	{
637f688d JJ	241	aa_put_label(ctx->previous);
637f688d JJ	242	aa_put_label(ctx->onexec);
55a26ebf JJ	243	ctx->previous = NULL;
	244	ctx->onexec = NULL;
	245	ctx->token = 0;
7a2871b5 JJ	246	}
7a2871b5 JJ	247
c75afcd1	248	#endif /* __AA_CONTEXT_H */