tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor policy definitions.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2017 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#ifndef __AA_NAMESPACE_H
16#define __AA_NAMESPACE_H
17
18#include <linux/kref.h>
19
20#include "apparmor.h"
21#include "apparmorfs.h"
22#include "policy.h"
23
24
25/* struct aa_ns_acct - accounting of profiles in namespace
26 * @max_size: maximum space allowed for all profiles in namespace
27 * @max_count: maximum number of profiles that can be in this namespace
28 * @size: current size of profiles
29 * @count: current count of profiles (includes null profiles)
30 */
31struct aa_ns_acct {
32 int max_size;
33 int max_count;
34 int size;
35 int count;
36};
37
38/* struct aa_ns - namespace for a set of profiles
39 * @base: common policy
40 * @parent: parent of namespace
41 * @lock: lock for modifying the object
42 * @acct: accounting for the namespace
43 * @unconfined: special unconfined profile for the namespace
44 * @sub_ns: list of namespaces under the current namespace.
45 * @uniq_null: uniq value used for null learning profiles
46 * @uniq_id: a unique id count for the profiles in the namespace
47 * @level: level of ns within the tree hierarchy
48 * @dents: dentries for the namespaces file entries in apparmorfs
49 *
50 * An aa_ns defines the set profiles that are searched to determine which
51 * profile to attach to a task. Profiles can not be shared between aa_ns
52 * and profile names within a namespace are guaranteed to be unique. When
53 * profiles in separate namespaces have the same name they are NOT considered
54 * to be equivalent.
55 *
56 * Namespaces are hierarchical and only namespaces and profiles below the
57 * current namespace are visible.
58 *
59 * Namespace names must be unique and can not contain the characters :/\0
60 */
61struct aa_ns {
62 struct aa_policy base;
63 struct aa_ns *parent;
64 struct mutex lock;
65 struct aa_ns_acct acct;
66 struct aa_profile *unconfined;
67 struct list_head sub_ns;
68 atomic_t uniq_null;
69 long uniq_id;
70 int level;
71
72 struct dentry *dents[AAFS_NS_SIZEOF];
73};
74
75extern struct aa_ns *root_ns;
76
77extern const char *aa_hidden_ns_name;
78
79bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
80const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
81void aa_free_ns(struct aa_ns *ns);
82int aa_alloc_root_ns(void);
83void aa_free_root_ns(void);
84void aa_free_ns_kref(struct kref *kref);
85
86struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
87struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
88struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
89 struct dentry *dir);
90struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
91void __aa_remove_ns(struct aa_ns *ns);
92
93static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
94{
95 return rcu_dereference_protected(p->parent,
96 mutex_is_locked(&p->ns->lock));
97}
98
99/**
100 * aa_get_ns - increment references count on @ns
101 * @ns: namespace to increment reference count of (MAYBE NULL)
102 *
103 * Returns: pointer to @ns, if @ns is NULL returns NULL
104 * Requires: @ns must be held with valid refcount when called
105 */
106static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
107{
108 if (ns)
109 aa_get_profile(ns->unconfined);
110
111 return ns;
112}
113
114/**
115 * aa_put_ns - decrement refcount on @ns
116 * @ns: namespace to put reference of
117 *
118 * Decrement reference count of @ns and if no longer in use free it
119 */
120static inline void aa_put_ns(struct aa_ns *ns)
121{
122 if (ns)
123 aa_put_profile(ns->unconfined);
124}
125
126/**
127 * __aa_findn_ns - find a namespace on a list by @name
128 * @head: list to search for namespace on (NOT NULL)
129 * @name: name of namespace to look for (NOT NULL)
130 * @n: length of @name
131 * Returns: unrefcounted namespace
132 *
133 * Requires: rcu_read_lock be held
134 */
135static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
136 const char *name, size_t n)
137{
138 return (struct aa_ns *)__policy_strn_find(head, name, n);
139}
140
141static inline struct aa_ns *__aa_find_ns(struct list_head *head,
142 const char *name)
143{
144 return __aa_findn_ns(head, name, strlen(name));
145}
146
147#endif /* AA_NAMESPACE_H */