projects / linux-2.6-block.git / blame
| Commit | Line | Data |
|---|---|---|
| c75afcd1 JJ |
1 | /* |
| 2 | * AppArmor security module | |
| 3 | * | |
| 4 | * This file contains AppArmor contexts used to associate "labels" to objects. | |
| 5 | * | |
| 6 | * Copyright (C) 1998-2008 Novell/SUSE | |
| 7 | * Copyright 2009-2010 Canonical Ltd. | |
| 8 | * | |
| 9 | * This program is free software; you can redistribute it and/or | |
| 10 | * modify it under the terms of the GNU General Public License as | |
| 11 | * published by the Free Software Foundation, version 2 of the | |
| 12 | * License. | |
| 13 | */ | |
| 14 | ||
| 15 | #ifndef __AA_CONTEXT_H | |
| 16 | #define __AA_CONTEXT_H | |
| 17 | ||
| 18 | #include <linux/cred.h> | |
| 19 | #include <linux/slab.h> | |
| 20 | #include <linux/sched.h> | |
| 21 | ||
| 637f688d | 22 | #include "label.h" |
| 2bd8dbbf | 23 | #include "policy_ns.h" |
| de62de59 | 24 | #include "task.h" |
| c75afcd1 | 25 | |
| d9087c49 | 26 | #define cred_label(X) ((X)->security) |
| 3b529a76 | 27 | |
| c75afcd1 JJ |
28 | |
| 29 | /** | |
| 637f688d JJ |
30 | * aa_cred_raw_label - obtain cred's label |
| 31 | * @cred: cred to obtain label from (NOT NULL) | |
| c75afcd1 | 32 | * |
| 637f688d | 33 | * Returns: confining label |
| c75afcd1 JJ |
34 | * |
| 35 | * does NOT increment reference count | |
| 36 | */ | |
| 637f688d | 37 | static inline struct aa_label *aa_cred_raw_label(const struct cred *cred) |
| c75afcd1 | 38 | { |
| d9087c49 | 39 | struct aa_label *label = cred_label(cred); |
| 55a26ebf | 40 | |
| d9087c49 JJ |
41 | AA_BUG(!label); |
| 42 | return label; | |
| c75afcd1 JJ |
43 | } |
| 44 | ||
| 3cfcc19e | 45 | /** |
| 637f688d JJ |
46 | * aa_get_newest_cred_label - obtain the newest label on a cred |
| 47 | * @cred: cred to obtain label from (NOT NULL) | |
| cf797c0e | 48 | * |
| 637f688d | 49 | * Returns: newest version of confining label |
| cf797c0e | 50 | */ |
| 637f688d | 51 | static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred) |
| cf797c0e | 52 | { |
| 637f688d | 53 | return aa_get_newest_label(aa_cred_raw_label(cred)); |
| cf797c0e JJ |
54 | } |
| 55 | ||
| 56 | /** | |
| 637f688d | 57 | * __aa_task_raw_label - retrieve another task's label |
| 3cfcc19e JJ |
58 | * @task: task to query (NOT NULL) |
| 59 | * | |
| 637f688d | 60 | * Returns: @task's label without incrementing its ref count |
| 3cfcc19e JJ |
61 | * |
| 62 | * If @task != current needs to be called in RCU safe critical section | |
| 63 | */ | |
| 637f688d | 64 | static inline struct aa_label *__aa_task_raw_label(struct task_struct *task) |
| 3cfcc19e | 65 | { |
| 637f688d | 66 | return aa_cred_raw_label(__task_cred(task)); |
| 3cfcc19e JJ |
67 | } |
| 68 | ||
| c75afcd1 | 69 | /** |
| 637f688d | 70 | * aa_current_raw_label - find the current tasks confining label |
| c75afcd1 | 71 | * |
| 637f688d | 72 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
| c75afcd1 JJ |
73 | * |
| 74 | * This fn will not update the tasks cred to the most up to date version | |
| 637f688d | 75 | * of the label so it is safe to call when inside of locks. |
| c75afcd1 | 76 | */ |
| 637f688d | 77 | static inline struct aa_label *aa_current_raw_label(void) |
| c75afcd1 | 78 | { |
| 637f688d | 79 | return aa_cred_raw_label(current_cred()); |
| c75afcd1 JJ |
80 | } |
| 81 | ||
| 82 | /** | |
| 637f688d | 83 | * aa_get_current_label - get the newest version of the current tasks label |
| c75afcd1 | 84 | * |
| 637f688d | 85 | * Returns: newest version of confining label (NOT NULL) |
| cf797c0e JJ |
86 | * |
| 87 | * This fn will not update the tasks cred, so it is safe inside of locks | |
| c75afcd1 | 88 | * |
| 637f688d | 89 | * The returned reference must be put with aa_put_label() |
| c75afcd1 | 90 | */ |
| 637f688d | 91 | static inline struct aa_label *aa_get_current_label(void) |
| c75afcd1 | 92 | { |
| 637f688d | 93 | struct aa_label *l = aa_current_raw_label(); |
| c75afcd1 | 94 | |
| 637f688d JJ |
95 | if (label_is_stale(l)) |
| 96 | return aa_get_newest_label(l); | |
| 97 | return aa_get_label(l); | |
| cf797c0e | 98 | } |
| 55a26ebf | 99 | |
| 637f688d | 100 | #define __end_current_label_crit_section(X) end_current_label_crit_section(X) |
| cf797c0e JJ |
101 | |
| 102 | /** | |
| 637f688d JJ |
103 | * end_label_crit_section - put a reference found with begin_current_label.. |
| 104 | * @label: label reference to put | |
| cf797c0e JJ |
105 | * |
| 106 | * Should only be used with a reference obtained with | |
| 637f688d | 107 | * begin_current_label_crit_section and never used in situations where the |
| cf797c0e JJ |
108 | * task cred may be updated |
| 109 | */ | |
| 637f688d | 110 | static inline void end_current_label_crit_section(struct aa_label *label) |
| cf797c0e | 111 | { |
| 637f688d JJ |
112 | if (label != aa_current_raw_label()) |
| 113 | aa_put_label(label); | |
| cf797c0e JJ |
114 | } |
| 115 | ||
| 116 | /** | |
| 637f688d | 117 | * __begin_current_label_crit_section - current's confining label |
| cf797c0e | 118 | * |
| 637f688d | 119 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
| cf797c0e JJ |
120 | * |
| 121 | * safe to call inside locks | |
| 122 | * | |
| 637f688d | 123 | * The returned reference must be put with __end_current_label_crit_section() |
| cf797c0e | 124 | * This must NOT be used if the task cred could be updated within the |
| 637f688d JJ |
125 | * critical section between __begin_current_label_crit_section() .. |
| 126 | * __end_current_label_crit_section() | |
| cf797c0e | 127 | */ |
| 637f688d | 128 | static inline struct aa_label *__begin_current_label_crit_section(void) |
| cf797c0e | 129 | { |
| 637f688d | 130 | struct aa_label *label = aa_current_raw_label(); |
| cf797c0e | 131 | |
| 637f688d JJ |
132 | if (label_is_stale(label)) |
| 133 | label = aa_get_newest_label(label); | |
| cf797c0e | 134 | |
| 637f688d | 135 | return label; |
| cf797c0e JJ |
136 | } |
| 137 | ||
| 138 | /** | |
| 637f688d | 139 | * begin_current_label_crit_section - current's confining label and update it |
| cf797c0e | 140 | * |
| 637f688d | 141 | * Returns: up to date confining label or the ns unconfined label (NOT NULL) |
| cf797c0e JJ |
142 | * |
| 143 | * Not safe to call inside locks | |
| 144 | * | |
| 637f688d | 145 | * The returned reference must be put with end_current_label_crit_section() |
| cf797c0e | 146 | * This must NOT be used if the task cred could be updated within the |
| 637f688d JJ |
147 | * critical section between begin_current_label_crit_section() .. |
| 148 | * end_current_label_crit_section() | |
| cf797c0e | 149 | */ |
| 637f688d | 150 | static inline struct aa_label *begin_current_label_crit_section(void) |
| cf797c0e | 151 | { |
| 637f688d | 152 | struct aa_label *label = aa_current_raw_label(); |
| cf797c0e | 153 | |
| 637f688d JJ |
154 | if (label_is_stale(label)) { |
| 155 | label = aa_get_newest_label(label); | |
| 156 | if (aa_replace_current_label(label) == 0) | |
| cf797c0e | 157 | /* task cred will keep the reference */ |
| 637f688d | 158 | aa_put_label(label); |
| 77b071b3 | 159 | } |
| c75afcd1 | 160 | |
| 637f688d | 161 | return label; |
| c75afcd1 JJ |
162 | } |
| 163 | ||
| 2bd8dbbf JJ |
164 | static inline struct aa_ns *aa_get_current_ns(void) |
| 165 | { | |
| 637f688d | 166 | struct aa_label *label; |
| cf797c0e JJ |
167 | struct aa_ns *ns; |
| 168 | ||
| 637f688d JJ |
169 | label = __begin_current_label_crit_section(); |
| 170 | ns = aa_get_ns(labels_ns(label)); | |
| 171 | __end_current_label_crit_section(label); | |
| cf797c0e JJ |
172 | |
| 173 | return ns; | |
| 2bd8dbbf JJ |
174 | } |
| 175 | ||
| c75afcd1 | 176 | #endif /* __AA_CONTEXT_H */ |