Commit | Line | Data |
---|---|---|
c75afcd1 JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor contexts used to associate "labels" to objects. | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2010 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #ifndef __AA_CONTEXT_H | |
16 | #define __AA_CONTEXT_H | |
17 | ||
18 | #include <linux/cred.h> | |
19 | #include <linux/slab.h> | |
20 | #include <linux/sched.h> | |
21 | ||
637f688d | 22 | #include "label.h" |
2bd8dbbf | 23 | #include "policy_ns.h" |
de62de59 | 24 | #include "task.h" |
c75afcd1 | 25 | |
d9087c49 | 26 | #define cred_label(X) ((X)->security) |
3b529a76 | 27 | |
c75afcd1 JJ |
28 | |
29 | /** | |
637f688d JJ |
30 | * aa_cred_raw_label - obtain cred's label |
31 | * @cred: cred to obtain label from (NOT NULL) | |
c75afcd1 | 32 | * |
637f688d | 33 | * Returns: confining label |
c75afcd1 JJ |
34 | * |
35 | * does NOT increment reference count | |
36 | */ | |
637f688d | 37 | static inline struct aa_label *aa_cred_raw_label(const struct cred *cred) |
c75afcd1 | 38 | { |
d9087c49 | 39 | struct aa_label *label = cred_label(cred); |
55a26ebf | 40 | |
d9087c49 JJ |
41 | AA_BUG(!label); |
42 | return label; | |
c75afcd1 JJ |
43 | } |
44 | ||
3cfcc19e | 45 | /** |
637f688d JJ |
46 | * aa_get_newest_cred_label - obtain the newest label on a cred |
47 | * @cred: cred to obtain label from (NOT NULL) | |
cf797c0e | 48 | * |
637f688d | 49 | * Returns: newest version of confining label |
cf797c0e | 50 | */ |
637f688d | 51 | static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred) |
cf797c0e | 52 | { |
637f688d | 53 | return aa_get_newest_label(aa_cred_raw_label(cred)); |
cf797c0e JJ |
54 | } |
55 | ||
56 | /** | |
637f688d | 57 | * __aa_task_raw_label - retrieve another task's label |
3cfcc19e JJ |
58 | * @task: task to query (NOT NULL) |
59 | * | |
637f688d | 60 | * Returns: @task's label without incrementing its ref count |
3cfcc19e JJ |
61 | * |
62 | * If @task != current needs to be called in RCU safe critical section | |
63 | */ | |
637f688d | 64 | static inline struct aa_label *__aa_task_raw_label(struct task_struct *task) |
3cfcc19e | 65 | { |
637f688d | 66 | return aa_cred_raw_label(__task_cred(task)); |
3cfcc19e JJ |
67 | } |
68 | ||
c75afcd1 | 69 | /** |
637f688d | 70 | * aa_current_raw_label - find the current tasks confining label |
c75afcd1 | 71 | * |
637f688d | 72 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
c75afcd1 JJ |
73 | * |
74 | * This fn will not update the tasks cred to the most up to date version | |
637f688d | 75 | * of the label so it is safe to call when inside of locks. |
c75afcd1 | 76 | */ |
637f688d | 77 | static inline struct aa_label *aa_current_raw_label(void) |
c75afcd1 | 78 | { |
637f688d | 79 | return aa_cred_raw_label(current_cred()); |
c75afcd1 JJ |
80 | } |
81 | ||
82 | /** | |
637f688d | 83 | * aa_get_current_label - get the newest version of the current tasks label |
c75afcd1 | 84 | * |
637f688d | 85 | * Returns: newest version of confining label (NOT NULL) |
cf797c0e JJ |
86 | * |
87 | * This fn will not update the tasks cred, so it is safe inside of locks | |
c75afcd1 | 88 | * |
637f688d | 89 | * The returned reference must be put with aa_put_label() |
c75afcd1 | 90 | */ |
637f688d | 91 | static inline struct aa_label *aa_get_current_label(void) |
c75afcd1 | 92 | { |
637f688d | 93 | struct aa_label *l = aa_current_raw_label(); |
c75afcd1 | 94 | |
637f688d JJ |
95 | if (label_is_stale(l)) |
96 | return aa_get_newest_label(l); | |
97 | return aa_get_label(l); | |
cf797c0e | 98 | } |
55a26ebf | 99 | |
637f688d | 100 | #define __end_current_label_crit_section(X) end_current_label_crit_section(X) |
cf797c0e JJ |
101 | |
102 | /** | |
637f688d JJ |
103 | * end_label_crit_section - put a reference found with begin_current_label.. |
104 | * @label: label reference to put | |
cf797c0e JJ |
105 | * |
106 | * Should only be used with a reference obtained with | |
637f688d | 107 | * begin_current_label_crit_section and never used in situations where the |
cf797c0e JJ |
108 | * task cred may be updated |
109 | */ | |
637f688d | 110 | static inline void end_current_label_crit_section(struct aa_label *label) |
cf797c0e | 111 | { |
637f688d JJ |
112 | if (label != aa_current_raw_label()) |
113 | aa_put_label(label); | |
cf797c0e JJ |
114 | } |
115 | ||
116 | /** | |
637f688d | 117 | * __begin_current_label_crit_section - current's confining label |
cf797c0e | 118 | * |
637f688d | 119 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
cf797c0e JJ |
120 | * |
121 | * safe to call inside locks | |
122 | * | |
637f688d | 123 | * The returned reference must be put with __end_current_label_crit_section() |
cf797c0e | 124 | * This must NOT be used if the task cred could be updated within the |
637f688d JJ |
125 | * critical section between __begin_current_label_crit_section() .. |
126 | * __end_current_label_crit_section() | |
cf797c0e | 127 | */ |
637f688d | 128 | static inline struct aa_label *__begin_current_label_crit_section(void) |
cf797c0e | 129 | { |
637f688d | 130 | struct aa_label *label = aa_current_raw_label(); |
cf797c0e | 131 | |
637f688d JJ |
132 | if (label_is_stale(label)) |
133 | label = aa_get_newest_label(label); | |
cf797c0e | 134 | |
637f688d | 135 | return label; |
cf797c0e JJ |
136 | } |
137 | ||
138 | /** | |
637f688d | 139 | * begin_current_label_crit_section - current's confining label and update it |
cf797c0e | 140 | * |
637f688d | 141 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
cf797c0e JJ |
142 | * |
143 | * Not safe to call inside locks | |
144 | * | |
637f688d | 145 | * The returned reference must be put with end_current_label_crit_section() |
cf797c0e | 146 | * This must NOT be used if the task cred could be updated within the |
637f688d JJ |
147 | * critical section between begin_current_label_crit_section() .. |
148 | * end_current_label_crit_section() | |
cf797c0e | 149 | */ |
637f688d | 150 | static inline struct aa_label *begin_current_label_crit_section(void) |
cf797c0e | 151 | { |
637f688d | 152 | struct aa_label *label = aa_current_raw_label(); |
cf797c0e | 153 | |
637f688d JJ |
154 | if (label_is_stale(label)) { |
155 | label = aa_get_newest_label(label); | |
156 | if (aa_replace_current_label(label) == 0) | |
cf797c0e | 157 | /* task cred will keep the reference */ |
637f688d | 158 | aa_put_label(label); |
77b071b3 | 159 | } |
c75afcd1 | 160 | |
637f688d | 161 | return label; |
c75afcd1 JJ |
162 | } |
163 | ||
2bd8dbbf JJ |
164 | static inline struct aa_ns *aa_get_current_ns(void) |
165 | { | |
637f688d | 166 | struct aa_label *label; |
cf797c0e JJ |
167 | struct aa_ns *ns; |
168 | ||
637f688d JJ |
169 | label = __begin_current_label_crit_section(); |
170 | ns = aa_get_ns(labels_ns(label)); | |
171 | __end_current_label_crit_section(label); | |
cf797c0e JJ |
172 | |
173 | return ns; | |
2bd8dbbf JJ |
174 | } |
175 | ||
c75afcd1 | 176 | #endif /* __AA_CONTEXT_H */ |