/*
 * AppArmor security module
 *
 * This file contains AppArmor policy definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2017 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#ifndef __AA_NAMESPACE_H
#define __AA_NAMESPACE_H

#include <linux/kref.h>

#include "apparmor.h"
#include "apparmorfs.h"
#include "label.h"
#include "policy.h"


/* struct aa_ns_acct - accounting of profiles in namespace
 * @max_size: maximum space allowed for all profiles in namespace
 * @max_count: maximum number of profiles that can be in this namespace
 * @size: current size of profiles
 * @count: current count of profiles (includes null profiles)
 *
 * The limits bound how much policy can be loaded into one namespace.  All
 * four fields are plain ints, so updates are not atomic; they are presumably
 * made under the owning struct aa_ns lock - confirm in the policy load path.
 */
struct aa_ns_acct {
	int max_size;
	int max_count;
	int size;
	int count;
};

/* struct aa_ns - namespace for a set of profiles
 * @base: common policy
 * @parent: parent of namespace
 * @lock: lock for modifying the object
 * @acct: accounting for the namespace
 * @unconfined: special unconfined profile for the namespace
 * @sub_ns: list of namespaces under the current namespace.
 * @uniq_null: uniq value used for null learning profiles
 * @uniq_id: a unique id count for the profiles in the namespace
 * @level: level of ns within the tree hierarchy
 * @revision: policy revision of the namespace (presumably bumped whenever
 *	      policy in the namespace changes - confirm against the users)
 * @wait: wait queue head for the namespace (the waiters are not visible
 *	  in this header - confirm against the users)
 * @labels: label set owned by the namespace
 * @rawdata_list: list of raw policy data belonging to the namespace
 *		  (presumably the loaded policy blobs - confirm)
 * @dents: dentries for the namespaces file entries in apparmorfs
 *
 * An aa_ns defines the set profiles that are searched to determine which
 * profile to attach to a task. Profiles can not be shared between aa_ns
 * and profile names within a namespace are guaranteed to be unique. When
 * profiles in separate namespaces have the same name they are NOT considered
 * to be equivalent.
 *
 * Namespaces are hierarchical and only namespaces and profiles below the
 * current namespace are visible.
 *
 * Namespace names must be unique and can not contain the characters :/\0
 *
 * @base must stay the first member: __aa_findn_ns() below casts the
 * struct aa_policy returned by __policy_strn_find() directly to a
 * struct aa_ns.
 *
 * The namespace carries no kref of its own.  aa_get_ns()/aa_put_ns() pin it
 * through a reference on @unconfined, and aa_free_ns_kref() is the kref
 * release hook that presumably runs once that profile reference is gone -
 * confirm in the namespace free path.
 */
struct aa_ns {
	struct aa_policy base;
	struct aa_ns *parent;
	struct mutex lock;
	struct aa_ns_acct acct;
	struct aa_profile *unconfined;
	struct list_head sub_ns;
	atomic_t uniq_null;
	long uniq_id;
	int level;
	long revision;
	wait_queue_head_t wait;

	struct aa_labelset labels;
	struct list_head rawdata_list;

	struct dentry *dents[AAFS_NS_SIZEOF];
};

/* the root of the namespace hierarchy */
extern struct aa_ns *root_ns;

/* name reported for a namespace the viewer is not allowed to see
 * (exact use is in the visibility code, not this header - confirm) */
extern const char *aa_hidden_ns_name;

/* label of a namespace's unconfined profile; NS is evaluated once */
#define ns_unconfined(NS) (&(NS)->unconfined->label)

/* lifetime, visibility and lookup routines implemented in the policy
 * namespace code; refcount and locking requirements are documented at the
 * definitions */
bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);
void aa_free_ns_kref(struct kref *kref);

struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n);
struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n);
struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
				     struct dentry *dir);
struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
void __aa_remove_ns(struct aa_ns *ns);

/**
 * aa_deref_parent - read the RCU protected parent pointer of @p
 * @p: profile whose parent is wanted (NOT NULL)
 *
 * Returns: @p->parent, unrefcounted
 * Requires: @p->ns->lock be held.  The mutex_is_locked() check is handed to
 *	     rcu_dereference_protected() so RCU debugging can flag a caller
 *	     that reads the pointer without the lock.
 */
static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
{
	return rcu_dereference_protected(p->parent,
					 mutex_is_locked(&p->ns->lock));
}

/**
 * aa_get_ns - increment references count on @ns
 * @ns: namespace to increment reference count of (MAYBE NULL)
 *
 * Returns: pointer to @ns, if @ns is NULL returns NULL
 * Requires: @ns must be held with valid refcount when called
 *
 * The reference is taken on @ns->unconfined, not on @ns itself; the
 * namespace lives as long as its unconfined profile does.
 */
static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
{
	if (ns)
		aa_get_profile(ns->unconfined);

	return ns;
}

/**
 * aa_put_ns - decrement refcount on @ns
 * @ns: namespace to put reference of (MAYBE NULL)
 *
 * Decrement reference count of @ns and if no longer in use free it
 *
 * Mirrors aa_get_ns(): the reference dropped is the one held on
 * @ns->unconfined.
 */
static inline void aa_put_ns(struct aa_ns *ns)
{
	if (ns)
		aa_put_profile(ns->unconfined);
}

/**
 * __aa_findn_ns - find a namespace on a list by @name
 * @head: list to search for namespace on (NOT NULL)
 * @name: name of namespace to look for (NOT NULL)
 * @n: length of @name
 * Returns: unrefcounted namespace
 *
 * Requires: rcu_read_lock be held
 *
 * The cast is only valid because struct aa_policy base is the first member
 * of struct aa_ns; do not reorder those members.
 */
static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
					  const char *name, size_t n)
{
	return (struct aa_ns *)__policy_strn_find(head, name, n);
}

/**
 * __aa_find_ns - find a namespace on a list by NUL terminated @name
 * @head: list to search for namespace on (NOT NULL)
 * @name: NUL terminated name of namespace to look for (NOT NULL)
 *
 * Returns: unrefcounted namespace, as __aa_findn_ns()
 * Requires: rcu_read_lock be held
 */
static inline struct aa_ns *__aa_find_ns(struct list_head *head,
					 const char *name)
{
	return __aa_findn_ns(head, name, strlen(name));
}

/**
 * __aa_lookup_ns - look up a namespace by NUL terminated hierarchical name
 * @base: namespace the lookup is relative to
 * @hname: NUL terminated hierarchical name (NOT NULL, strlen() is taken)
 *
 * Returns: whatever __aa_lookupn_ns() returns for the full length of @hname;
 *	    refcount and locking requirements are those of __aa_lookupn_ns()
 *	    (not visible in this header - see its definition)
 */
static inline struct aa_ns *__aa_lookup_ns(struct aa_ns *base,
					   const char *hname)
{
	return __aa_lookupn_ns(base, hname, strlen(hname));
}

/**
 * aa_lookup_ns - look up a namespace by NUL terminated name
 * @view: namespace the lookup is performed from
 * @name: NUL terminated name (NOT NULL, strlen() is taken)
 *
 * Returns: whatever aa_lookupn_ns() returns for the full length of @name;
 *	    refcount and locking requirements are those of aa_lookupn_ns()
 *	    (not visible in this header - see its definition)
 */
static inline struct aa_ns *aa_lookup_ns(struct aa_ns *view, const char *name)
{
	return aa_lookupn_ns(view, name, strlen(name));
}

#endif /* __AA_NAMESPACE_H */