linux/security/apparmor/include/apparmor.h
   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor basic global and lib definitions
   5 *
   6 * Copyright (C) 1998-2008 Novell/SUSE
   7 * Copyright 2009-2010 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#ifndef __APPARMOR_H
  16#define __APPARMOR_H
  17
  18#include <linux/slab.h>
  19#include <linux/fs.h>
  20
  21#include "match.h"
  22
  23/*
  24 * Class of mediation types in the AppArmor policy db
  25 */
  26#define AA_CLASS_ENTRY          0
  27#define AA_CLASS_UNKNOWN        1
  28#define AA_CLASS_FILE           2
  29#define AA_CLASS_CAP            3
  30#define AA_CLASS_NET            4
  31#define AA_CLASS_RLIMITS        5
  32#define AA_CLASS_DOMAIN         6
  33
  34#define AA_CLASS_LAST           AA_CLASS_DOMAIN
  35
  36/* Control parameters settable through module/boot flags */
  37extern enum audit_mode aa_g_audit;
  38extern bool aa_g_audit_header;
  39extern bool aa_g_debug;
  40extern bool aa_g_lock_policy;
  41extern bool aa_g_logsyscall;
  42extern bool aa_g_paranoid_load;
  43extern unsigned int aa_g_path_max;
  44
  45/*
  46 * DEBUG remains global (no per profile flag) since it is mostly used in sysctl
  47 * which is not related to profile accesses.
  48 */
  49
  50#define AA_DEBUG(fmt, args...)                                          \
  51        do {                                                            \
  52                if (aa_g_debug && printk_ratelimit())                   \
  53                        printk(KERN_DEBUG "AppArmor: " fmt, ##args);    \
  54        } while (0)
  55
  56#define AA_ERROR(fmt, args...)                                          \
  57        do {                                                            \
  58                if (printk_ratelimit())                                 \
  59                        printk(KERN_ERR "AppArmor: " fmt, ##args);      \
  60        } while (0)
  61
  62/* Flag indicating whether initialization completed */
  63extern int apparmor_initialized __initdata;
  64
  65/* fn's in lib */
  66char *aa_split_fqname(char *args, char **ns_name);
  67void aa_info_message(const char *str);
  68void *__aa_kvmalloc(size_t size, gfp_t flags);
  69void kvfree(void *buffer);
  70
/**
 * kvmalloc - allocate @size bytes through AppArmor's __aa_kvmalloc()
 * @size: number of bytes to allocate
 *
 * No extra gfp bits are requested here; zeroed memory is kvzalloc()'s job.
 * The buffer is released with kvfree(). Whether NULL is returned on
 * failure is decided inside __aa_kvmalloc() — confirm there.
 */
static inline void *kvmalloc(size_t size)
{
	void *buf = __aa_kvmalloc(size, 0);

	return buf;
}
  75
/**
 * kvzalloc - allocate @size zero-filled bytes through __aa_kvmalloc()
 * @size: number of bytes to allocate
 *
 * Same as kvmalloc() but asks __aa_kvmalloc() for __GFP_ZERO so the
 * returned memory is cleared. The buffer is released with kvfree().
 */
static inline void *kvzalloc(size_t size)
{
	void *buf = __aa_kvmalloc(size, __GFP_ZERO);

	return buf;
}
  80
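/**
 * aa_strneq - compare null terminated @str to a non null terminated substring
 * @str: a null terminated string
 * @sub: a substring, not necessarily null terminated, at least @len bytes long
 * @len: length of @sub to compare; a negative length never matches
 *
 * The @str string must be fully consumed for this to be considered a match,
 * i.e. @str is exactly @len characters long and those characters equal the
 * first @len bytes of @sub.
 *
 * Returns: true on match, false otherwise
 */
static inline bool aa_strneq(const char *str, const char *sub, int len)
{
	if (len < 0)
		return false;

	/*
	 * Establish the length first so @str is never read past its
	 * terminator: strncmp() followed by str[len] reads beyond the end
	 * of @str when both strings carry a NUL at the same position inside
	 * the first @len bytes (strncmp() reports equality there).
	 */
	if (strlen(str) != (size_t)len)
		return false;

	/* @str has exactly @len bytes before its terminator; @sub has @len */
	return !memcmp(str, sub, (size_t)len);
}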
  93
/**
 * aa_dfa_null_transition - step to next state after null character
 * @dfa: the dfa to match against
 * @start: the state of the dfa to start matching in
 *
 * The null character is not part of standard matching; it is reserved to
 * separate the two halves of a pair. This helper advances @dfa from @start
 * over exactly that separator.
 *
 * Returns: the state reached from @start on the null character
 */
static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
						  unsigned int start)
{
	unsigned int next;

	/* only the string's terminating NUL byte is fed to the dfa */
	next = aa_dfa_next(dfa, start, 0);

	return next;
}
 109
/**
 * mediated_filesystem - test whether AppArmor mediates @inode's filesystem
 * @inode: inode whose superblock flags are examined
 *
 * Superblocks flagged MS_NOUSER (presumably kernel-internal mounts — verify
 * against the callers) are exempt from mediation; any other filesystem is
 * mediated.
 *
 * Returns: true if the filesystem backing @inode is mediated
 */
static inline bool mediated_filesystem(struct inode *inode)
{
	if (inode->i_sb->s_flags & MS_NOUSER)
		return false;

	return true;
}
 114
 115#endif /* __APPARMOR_H */
 116