* AppArmor security module
* This file contains AppArmor contexts used to associate "labels" to objects.
* Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009 Canonical Ltd.
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
#ifndef __AA_CONTEXT_H
#define __AA_CONTEXT_H
#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
/* struct aa_file_cxt - the AppArmor context the file was opened in
* @profile: the profile the file was opened under
* @perms: the permission the file was opened with
struct aa_profile *profile;
/**
 * aa_alloc_file_context - allocate a zeroed file context
 * @gfp: allocation flags passed straight through to kzalloc()
 *
 * Returns: the new, zero-filled struct aa_file_cxt, or NULL when
 * kzalloc() fails; callers must check for NULL before touching it.
 */
static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp)
return kzalloc(sizeof(struct aa_file_cxt), gfp);
/**
 * aa_free_file_context - release a file context
 * @cxt: context to release; must not be NULL, it is dereferenced
 *       unconditionally to drop the profile reference
 *
 * Drops the reference held on @cxt->profile and then zeroes the whole
 * struct, so a stale pointer to the context no longer reads a live
 * profile pointer. The release of the storage itself is on a line not
 * shown here - confirm against the full definition.
 */
static inline void aa_free_file_context(struct aa_file_cxt *cxt)
aa_put_profile(cxt->profile);
memset(cxt, 0, sizeof(struct aa_file_cxt));
/* struct aa_task_cxt_group - a grouping label data for confined tasks
* @profile: the current profile
* @onexec: profile to transition to on next exec
* @previous: profile the task may return to
* @token: magic value the task must know for returning to @previous
* Contains the task's current profile (which could change due to
* change_hat), plus the hat_magic needed during change_hat.
struct aa_task_cxt_group {
struct aa_profile *profile;
struct aa_profile *onexec;
struct aa_profile *previous;
* struct aa_task_context - primary label for confined tasks
* @sys: the system labeling for the task
* A task is confined by the intersection of its system and user profiles
struct aa_task_context {
struct aa_task_cxt_group sys;
struct aa_task_context *aa_alloc_task_context(gfp_t flags);
void aa_free_task_context(struct aa_task_context *cxt);
struct aa_task_context *aa_dup_task_context(struct aa_task_context *old_cxt,
void aa_cred_policy(const struct cred *cred, struct aa_profile **sys);
struct cred *aa_get_task_policy(const struct task_struct *task,
struct aa_profile **sys);
int aa_replace_current_profiles(struct aa_profile *sys);
void aa_put_task_policy(struct cred *cred);
int aa_set_current_onexec(struct aa_profile *sys);
int aa_set_current_hat(struct aa_profile *profile, u64 token);
int aa_restore_previous_profile(u64 cookie);
/**
 * __aa_task_cxt - fetch the AppArmor task context hung off @task's cred
 * @task: task whose cred security blob is wanted
 *
 * Reads the cred through __task_cred(), so the caller must be inside an
 * RCU read-side critical section unless @task is current; the leading
 * underscores mark that no locking is taken here.
 *
 * Returns: the struct aa_task_context stored in the cred's ->security
 * field. It can be NULL - callers such as __aa_task_is_confined() check
 * for that before dereferencing.
 */
static inline struct aa_task_context *__aa_task_cxt(struct task_struct *task)
return __task_cred(task)->security;
* __aa_task_is_confined - determine if @task has any confinement
* @task: task to check confinement of
* If @task != current, the caller must be in an RCU-safe critical section
static inline int __aa_task_is_confined(struct task_struct *task)
struct aa_task_context *cxt;
cxt = __aa_task_cxt(task);
if (!cxt || (cxt->sys.profile->flags & PFLAG_UNCONFINED))
/**
 * aa_current_policy - get the current task's system profile without
 *                     migrating the task
 * @sys: out-parameter; set to aa_filtered_profile() of the newest version
 *       of the task's current profile
 *
 * Reads current_cred()->security with no NULL check, so it relies on every
 * cred carrying an AppArmor context (contrast __aa_task_is_confined(),
 * which tolerates a NULL context). When the profile has been replaced,
 * @sys reports the newest version but the cred is left as it was; use
 * aa_current_policy_wupd() when the task itself should be moved over.
 *
 * Returns: the current cred is the only value of the return type in
 * scope; the return statement is outside the lines shown here - confirm.
 */
static inline const struct cred *aa_current_policy(struct aa_profile **sys)
const struct cred *cred = current_cred();
struct aa_task_context *cxt = cred->security;
*sys = aa_filtered_profile(aa_profile_newest(cxt->sys.profile));
/**
 * aa_current_policy_wupd - get the current task's system profile, migrating
 *                          the task if its profile was replaced
 * @sys: out-parameter; set to aa_filtered_profile() of the newest profile
 *
 * Like aa_current_policy(), but if cxt->sys.profile is no longer the newest
 * version this calls aa_replace_current_profiles() to move the task over.
 * The int result of aa_replace_current_profiles() is not checked: on
 * failure the cred silently keeps the old profile while @sys already names
 * the newest one, and callers cannot tell from here that the migration did
 * not happen. Dereferences current_cred()->security without a NULL check.
 *
 * Returns: presumably the current cred; the return statement is outside
 * the lines shown here - confirm.
 */
static inline const struct cred *aa_current_policy_wupd(struct aa_profile **sys)
const struct cred *cred = current_cred();
struct aa_task_context *cxt = cred->security;
*sys = aa_profile_newest(cxt->sys.profile);
if (unlikely((cxt->sys.profile != *sys)))
aa_replace_current_profiles(*sys);
*sys = aa_filtered_profile(*sys);
/**
 * aa_current_profile - get the current task's system profile (no migration)
 *
 * Profile-only form of aa_current_policy(): returns
 * aa_filtered_profile(aa_profile_newest(cxt->sys.profile)) for the current
 * task and leaves the cred untouched even when the profile has been
 * replaced. Dereferences current_cred()->security without a NULL check.
 */
static inline struct aa_profile *aa_current_profile(void)
const struct cred *cred = current_cred();
struct aa_task_context *cxt = cred->security;
return aa_filtered_profile(aa_profile_newest(cxt->sys.profile));
/**
 * aa_current_profile_wupd - get the current task's system profile,
 *                           migrating the task if its profile was replaced
 *
 * Thin wrapper over aa_current_policy_wupd() that keeps only the profile
 * out-parameter and drops the cred; it inherits that function's unchecked
 * aa_replace_current_profiles() result. The line returning the profile is
 * outside the lines shown here.
 */
static inline struct aa_profile *aa_current_profile_wupd(void)
struct aa_profile *p;
aa_current_policy_wupd(&p);
#endif /* __AA_CONTEXT_H */