]>
Commit | Line | Data |
---|---|---|
c75afcd1 JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor contexts used to associate "labels" to objects. | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2010 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #ifndef __AA_CONTEXT_H | |
16 | #define __AA_CONTEXT_H | |
17 | ||
18 | #include <linux/cred.h> | |
19 | #include <linux/slab.h> | |
20 | #include <linux/sched.h> | |
f1efc8c4 | 21 | #include <linux/lsm_hooks.h> |
c75afcd1 | 22 | |
637f688d | 23 | #include "label.h" |
2bd8dbbf | 24 | #include "policy_ns.h" |
c75afcd1 | 25 | |
f1efc8c4 | 26 | #define cred_ctx(X) apparmor_cred(X) |
55a26ebf | 27 | #define current_ctx() cred_ctx(current_cred()) |
214beaca | 28 | |
c75afcd1 | 29 | /** |
55a26ebf | 30 | * struct aa_task_ctx - primary label for confined tasks |
637f688d JJ |
31 | * @label: the current label (NOT NULL) |
32 | * @exec: label to transition to on next exec (MAYBE NULL) | |
33 | * @previous: label the task may return to (MAYBE NULL) | |
34 | * @token: magic value the task must know for returning to @previous | |
c75afcd1 | 35 | * |
637f688d | 36 | * Contains the task's current label (which could change due to |
c75afcd1 JJ |
37 | * change_hat). Plus the hat_magic needed during change_hat. |
38 | * | |
39 | * TODO: make so a task can be confined by a stack of contexts | |
40 | */ | |
55a26ebf | 41 | struct aa_task_ctx { |
637f688d JJ |
42 | struct aa_label *label; |
43 | struct aa_label *onexec; | |
44 | struct aa_label *previous; | |
c75afcd1 JJ |
45 | u64 token; |
46 | }; | |
47 | ||
55a26ebf JJ |
48 | void aa_free_task_context(struct aa_task_ctx *ctx); |
49 | void aa_dup_task_context(struct aa_task_ctx *new, | |
50 | const struct aa_task_ctx *old); | |
637f688d JJ |
51 | int aa_replace_current_label(struct aa_label *label); |
52 | int aa_set_current_onexec(struct aa_label *label, bool stack); | |
53 | int aa_set_current_hat(struct aa_label *label, u64 token); | |
54 | int aa_restore_previous_label(u64 cookie); | |
55 | struct aa_label *aa_get_task_label(struct task_struct *task); | |
c75afcd1 | 56 | |
54f4b36b CS |
57 | extern struct lsm_blob_sizes apparmor_blob_sizes; |
58 | ||
f1efc8c4 CS |
59 | static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred) |
60 | { | |
54f4b36b CS |
61 | #ifdef CONFIG_SECURITY_STACKING |
62 | return cred->security + apparmor_blob_sizes.lbs_cred; | |
63 | #else | |
f1efc8c4 | 64 | return cred->security; |
54f4b36b | 65 | #endif |
f1efc8c4 | 66 | } |
c75afcd1 JJ |
67 | |
68 | /** | |
637f688d JJ |
69 | * aa_cred_raw_label - obtain cred's label |
70 | * @cred: cred to obtain label from (NOT NULL) | |
c75afcd1 | 71 | * |
637f688d | 72 | * Returns: confining label |
c75afcd1 JJ |
73 | * |
74 | * does NOT increment reference count | |
75 | */ | |
637f688d | 76 | static inline struct aa_label *aa_cred_raw_label(const struct cred *cred) |
c75afcd1 | 77 | { |
f1efc8c4 | 78 | struct aa_task_ctx *ctx = apparmor_cred(cred); |
55a26ebf | 79 | |
637f688d JJ |
80 | AA_BUG(!ctx || !ctx->label); |
81 | return ctx->label; | |
c75afcd1 JJ |
82 | } |
83 | ||
3cfcc19e | 84 | /** |
637f688d JJ |
85 | * aa_get_newest_cred_label - obtain the newest label on a cred |
86 | * @cred: cred to obtain label from (NOT NULL) | |
cf797c0e | 87 | * |
637f688d | 88 | * Returns: newest version of confining label |
cf797c0e | 89 | */ |
637f688d | 90 | static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred) |
cf797c0e | 91 | { |
637f688d | 92 | return aa_get_newest_label(aa_cred_raw_label(cred)); |
cf797c0e JJ |
93 | } |
94 | ||
ab9b110b CS |
95 | static inline struct aa_file_ctx *apparmor_file(const struct file *file) |
96 | { | |
54f4b36b CS |
97 | #ifdef CONFIG_SECURITY_STACKING |
98 | return file->f_security + apparmor_blob_sizes.lbs_file; | |
99 | #else | |
ab9b110b | 100 | return file->f_security; |
54f4b36b | 101 | #endif |
ab9b110b CS |
102 | } |
103 | ||
cf797c0e | 104 | /** |
637f688d | 105 | * __aa_task_raw_label - retrieve another task's label |
3cfcc19e JJ |
106 | * @task: task to query (NOT NULL) |
107 | * | |
637f688d | 108 | * Returns: @task's label without incrementing its ref count |
3cfcc19e JJ |
109 | * |
110 | * If @task != current needs to be called in RCU safe critical section | |
111 | */ | |
637f688d | 112 | static inline struct aa_label *__aa_task_raw_label(struct task_struct *task) |
3cfcc19e | 113 | { |
637f688d | 114 | return aa_cred_raw_label(__task_cred(task)); |
3cfcc19e JJ |
115 | } |
116 | ||
117 | /** | |
118 | * __aa_task_is_confined - determine if @task has any confinement | |
119 | * @task: task to check confinement of (NOT NULL) | |
120 | * | |
121 | * If @task != current needs to be called in RCU safe critical section | |
122 | */ | |
123 | static inline bool __aa_task_is_confined(struct task_struct *task) | |
124 | { | |
637f688d | 125 | return !unconfined(__aa_task_raw_label(task)); |
3cfcc19e JJ |
126 | } |
127 | ||
c75afcd1 | 128 | /** |
637f688d | 129 | * aa_current_raw_label - find the current tasks confining label |
c75afcd1 | 130 | * |
637f688d | 131 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
c75afcd1 JJ |
132 | * |
133 | * This fn will not update the tasks cred to the most up to date version | |
637f688d | 134 | * of the label so it is safe to call when inside of locks. |
c75afcd1 | 135 | */ |
637f688d | 136 | static inline struct aa_label *aa_current_raw_label(void) |
c75afcd1 | 137 | { |
637f688d | 138 | return aa_cred_raw_label(current_cred()); |
c75afcd1 JJ |
139 | } |
140 | ||
141 | /** | |
637f688d | 142 | * aa_get_current_label - get the newest version of the current tasks label |
c75afcd1 | 143 | * |
637f688d | 144 | * Returns: newest version of confining label (NOT NULL) |
cf797c0e JJ |
145 | * |
146 | * This fn will not update the tasks cred, so it is safe inside of locks | |
c75afcd1 | 147 | * |
637f688d | 148 | * The returned reference must be put with aa_put_label() |
c75afcd1 | 149 | */ |
637f688d | 150 | static inline struct aa_label *aa_get_current_label(void) |
c75afcd1 | 151 | { |
637f688d | 152 | struct aa_label *l = aa_current_raw_label(); |
c75afcd1 | 153 | |
637f688d JJ |
154 | if (label_is_stale(l)) |
155 | return aa_get_newest_label(l); | |
156 | return aa_get_label(l); | |
cf797c0e | 157 | } |
55a26ebf | 158 | |
637f688d | 159 | #define __end_current_label_crit_section(X) end_current_label_crit_section(X) |
cf797c0e JJ |
160 | |
161 | /** | |
637f688d JJ |
162 | * end_label_crit_section - put a reference found with begin_current_label.. |
163 | * @label: label reference to put | |
cf797c0e JJ |
164 | * |
165 | * Should only be used with a reference obtained with | |
637f688d | 166 | * begin_current_label_crit_section and never used in situations where the |
cf797c0e JJ |
167 | * task cred may be updated |
168 | */ | |
637f688d | 169 | static inline void end_current_label_crit_section(struct aa_label *label) |
cf797c0e | 170 | { |
637f688d JJ |
171 | if (label != aa_current_raw_label()) |
172 | aa_put_label(label); | |
cf797c0e JJ |
173 | } |
174 | ||
175 | /** | |
637f688d | 176 | * __begin_current_label_crit_section - current's confining label |
cf797c0e | 177 | * |
637f688d | 178 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
cf797c0e JJ |
179 | * |
180 | * safe to call inside locks | |
181 | * | |
637f688d | 182 | * The returned reference must be put with __end_current_label_crit_section() |
cf797c0e | 183 | * This must NOT be used if the task cred could be updated within the |
637f688d JJ |
184 | * critical section between __begin_current_label_crit_section() .. |
185 | * __end_current_label_crit_section() | |
cf797c0e | 186 | */ |
637f688d | 187 | static inline struct aa_label *__begin_current_label_crit_section(void) |
cf797c0e | 188 | { |
637f688d | 189 | struct aa_label *label = aa_current_raw_label(); |
cf797c0e | 190 | |
637f688d JJ |
191 | if (label_is_stale(label)) |
192 | label = aa_get_newest_label(label); | |
cf797c0e | 193 | |
637f688d | 194 | return label; |
cf797c0e JJ |
195 | } |
196 | ||
197 | /** | |
637f688d | 198 | * begin_current_label_crit_section - current's confining label and update it |
cf797c0e | 199 | * |
637f688d | 200 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
cf797c0e JJ |
201 | * |
202 | * Not safe to call inside locks | |
203 | * | |
637f688d | 204 | * The returned reference must be put with end_current_label_crit_section() |
cf797c0e | 205 | * This must NOT be used if the task cred could be updated within the |
637f688d JJ |
206 | * critical section between begin_current_label_crit_section() .. |
207 | * end_current_label_crit_section() | |
cf797c0e | 208 | */ |
637f688d | 209 | static inline struct aa_label *begin_current_label_crit_section(void) |
cf797c0e | 210 | { |
637f688d | 211 | struct aa_label *label = aa_current_raw_label(); |
cf797c0e | 212 | |
637f688d JJ |
213 | if (label_is_stale(label)) { |
214 | label = aa_get_newest_label(label); | |
215 | if (aa_replace_current_label(label) == 0) | |
cf797c0e | 216 | /* task cred will keep the reference */ |
637f688d | 217 | aa_put_label(label); |
77b071b3 | 218 | } |
c75afcd1 | 219 | |
637f688d | 220 | return label; |
c75afcd1 JJ |
221 | } |
222 | ||
2bd8dbbf JJ |
223 | static inline struct aa_ns *aa_get_current_ns(void) |
224 | { | |
637f688d | 225 | struct aa_label *label; |
cf797c0e JJ |
226 | struct aa_ns *ns; |
227 | ||
637f688d JJ |
228 | label = __begin_current_label_crit_section(); |
229 | ns = aa_get_ns(labels_ns(label)); | |
230 | __end_current_label_crit_section(label); | |
cf797c0e JJ |
231 | |
232 | return ns; | |
2bd8dbbf JJ |
233 | } |
234 | ||
7a2871b5 | 235 | /** |
55a26ebf JJ |
236 | * aa_clear_task_ctx_trans - clear transition tracking info from the ctx |
237 | * @ctx: task context to clear (NOT NULL) | |
7a2871b5 | 238 | */ |
55a26ebf | 239 | static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx) |
7a2871b5 | 240 | { |
637f688d JJ |
241 | aa_put_label(ctx->previous); |
242 | aa_put_label(ctx->onexec); | |
55a26ebf JJ |
243 | ctx->previous = NULL; |
244 | ctx->onexec = NULL; | |
245 | ctx->token = 0; | |
7a2871b5 JJ |
246 | } |
247 | ||
c75afcd1 | 248 | #endif /* __AA_CONTEXT_H */ |