Merge tag 'v3.3.7' into 3.3/master
[zen-stable.git] / security / apparmor / include / context.h
bloba9cbee4d9e48de15a972ea8ce292323283459c73
1 /*
2 * AppArmor security module
4 * This file contains AppArmor contexts used to associate "labels" to objects.
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
15 #ifndef __AA_CONTEXT_H
16 #define __AA_CONTEXT_H
18 #include <linux/cred.h>
19 #include <linux/slab.h>
20 #include <linux/sched.h>
22 #include "policy.h"
24 /* struct aa_file_cxt - the AppArmor context the file was opened in
25 * @perms: the permission the file was opened with
27 * The file_cxt could currently be directly stored in file->f_security
28 * as the profile reference is now stored in the f_cred. However the
29 * cxt struct will expand in the future so we keep the struct.
31 struct aa_file_cxt {
32 u16 allow;
35 /**
36 * aa_alloc_file_context - allocate file_cxt
37 * @gfp: gfp flags for allocation
39 * Returns: file_cxt or NULL on failure
41 static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp)
43 return kzalloc(sizeof(struct aa_file_cxt), gfp);
46 /**
47 * aa_free_file_context - free a file_cxt
48 * @cxt: file_cxt to free (MAYBE_NULL)
50 static inline void aa_free_file_context(struct aa_file_cxt *cxt)
52 if (cxt)
53 kzfree(cxt);
56 /**
57 * struct aa_task_cxt - primary label for confined tasks
58 * @profile: the current profile (NOT NULL)
59 * @exec: profile to transition to on next exec (MAYBE NULL)
60 * @previous: profile the task may return to (MAYBE NULL)
61 * @token: magic value the task must know for returning to @previous_profile
63 * Contains the task's current profile (which could change due to
64 * change_hat). Plus the hat_magic needed during change_hat.
66 * TODO: make so a task can be confined by a stack of contexts
68 struct aa_task_cxt {
69 struct aa_profile *profile;
70 struct aa_profile *onexec;
71 struct aa_profile *previous;
72 u64 token;
75 struct aa_task_cxt *aa_alloc_task_context(gfp_t flags);
76 void aa_free_task_context(struct aa_task_cxt *cxt);
77 void aa_dup_task_context(struct aa_task_cxt *new,
78 const struct aa_task_cxt *old);
79 int aa_replace_current_profile(struct aa_profile *profile);
80 int aa_set_current_onexec(struct aa_profile *profile);
81 int aa_set_current_hat(struct aa_profile *profile, u64 token);
82 int aa_restore_previous_profile(u64 cookie);
84 /**
85 * __aa_task_is_confined - determine if @task has any confinement
86 * @task: task to check confinement of (NOT NULL)
88 * If @task != current needs to be called in RCU safe critical section
90 static inline bool __aa_task_is_confined(struct task_struct *task)
92 struct aa_task_cxt *cxt = __task_cred(task)->security;
94 BUG_ON(!cxt || !cxt->profile);
95 if (unconfined(aa_newest_version(cxt->profile)))
96 return 0;
98 return 1;
102 * aa_cred_profile - obtain cred's profiles
103 * @cred: cred to obtain profiles from (NOT NULL)
105 * Returns: confining profile
107 * does NOT increment reference count
109 static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
111 struct aa_task_cxt *cxt = cred->security;
112 BUG_ON(!cxt || !cxt->profile);
113 return aa_newest_version(cxt->profile);
117 * __aa_current_profile - find the current tasks confining profile
119 * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
121 * This fn will not update the tasks cred to the most up to date version
122 * of the profile so it is safe to call when inside of locks.
124 static inline struct aa_profile *__aa_current_profile(void)
126 return aa_cred_profile(current_cred());
130 * aa_current_profile - find the current tasks confining profile and do updates
132 * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
134 * This fn will update the tasks cred structure if the profile has been
135 * replaced. Not safe to call inside locks
137 static inline struct aa_profile *aa_current_profile(void)
139 const struct aa_task_cxt *cxt = current_cred()->security;
140 struct aa_profile *profile;
141 BUG_ON(!cxt || !cxt->profile);
143 profile = aa_newest_version(cxt->profile);
145 * Whether or not replacement succeeds, use newest profile so
146 * there is no need to update it after replacement.
148 if (unlikely((cxt->profile != profile)))
149 aa_replace_current_profile(profile);
151 return profile;
154 #endif /* __AA_CONTEXT_H */