linux/security/apparmor/include/policy_ns.h
   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor policy definitions.
   5 *
   6 * Copyright (C) 1998-2008 Novell/SUSE
   7 * Copyright 2009-2017 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#ifndef __AA_NAMESPACE_H
  16#define __AA_NAMESPACE_H
  17
  18#include <linux/kref.h>
  19
  20#include "apparmor.h"
  21#include "apparmorfs.h"
  22#include "label.h"
  23#include "policy.h"
  24
  25
  26/* struct aa_ns_acct - accounting of profiles in namespace
  27 * @max_size: maximum space allowed for all profiles in namespace
  28 * @max_count: maximum number of profiles that can be in this namespace
  29 * @size: current size of profiles
  30 * @count: current count of profiles (includes null profiles)
  31 */
struct aa_ns_acct {
	int max_size;	/* cap on the combined size of all profiles in the ns */
	int max_count;	/* cap on the number of profiles in the ns */
	int size;	/* combined size of the profiles currently loaded */
	int count;	/* profiles currently loaded, null profiles included */
};
  38
  39/* struct aa_ns - namespace for a set of profiles
  40 * @base: common policy
  41 * @parent: parent of namespace
  42 * @lock: lock for modifying the object
  43 * @acct: accounting for the namespace
  44 * @unconfined: special unconfined profile for the namespace
  45 * @sub_ns: list of namespaces under the current namespace.
  46 * @uniq_null: uniq value used for null learning profiles
  47 * @uniq_id: a unique id count for the profiles in the namespace
  48 * @level: level of ns within the tree hierarchy
  49 * @dents: dentries for the namespaces file entries in apparmorfs
  50 *
 * An aa_ns defines the set of profiles that are searched to determine which
  52 * profile to attach to a task.  Profiles can not be shared between aa_ns
  53 * and profile names within a namespace are guaranteed to be unique.  When
  54 * profiles in separate namespaces have the same name they are NOT considered
  55 * to be equivalent.
  56 *
  57 * Namespaces are hierarchical and only namespaces and profiles below the
  58 * current namespace are visible.
  59 *
  60 * Namespace names must be unique and can not contain the characters :/\0
  61 */
struct aa_ns {
	/* common policy header; __aa_findn_ns() casts a policy pointer straight
	 * to struct aa_ns, which presumably relies on this staying the first
	 * member */
	struct aa_policy base;
	struct aa_ns *parent;		/* enclosing namespace */
	struct mutex lock;		/* serialises modification of this object */
	struct aa_ns_acct acct;		/* profile accounting for this ns */
	/* special unconfined profile; the ns refcount is taken on it, see
	 * aa_get_ns()/aa_put_ns() */
	struct aa_profile *unconfined;
	struct list_head sub_ns;	/* namespaces directly below this one */
	atomic_t uniq_null;		/* uniq value for null learning profiles */
	long uniq_id;			/* unique id counter for profiles in the ns */
	int level;			/* depth of this ns in the tree */
	long revision;			/* not in the kerneldoc above; presumably bumped on policy change — confirm */
	wait_queue_head_t wait;		/* not in the kerneldoc above — purpose to be confirmed */

	struct aa_labelset labels;	/* label set owned by this ns (not in kerneldoc above) */
	struct list_head rawdata_list;	/* not in the kerneldoc above — purpose to be confirmed */

	struct dentry *dents[AAFS_NS_SIZEOF];	/* apparmorfs entries for this ns */
};
  80
/* Top of the namespace hierarchy; all other namespaces hang below it via
 * @parent/@sub_ns as described in the struct aa_ns kerneldoc. */
extern struct aa_ns *root_ns;

/* Name substituted for a namespace the viewer may not see.
 * NOTE(review): inferred from the identifier — confirm in policy_ns.c. */
extern const char *aa_hidden_ns_name;

/* Label of the namespace's unconfined profile; @NS is evaluated once. */
#define ns_unconfined(NS) (&(NS)->unconfined->label)

/* Implement the visibility rule described in the struct aa_ns kerneldoc;
 * @subns presumably controls whether sub-namespaces are included — confirm
 * against the definitions in policy_ns.c. */
bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);

/* Allocation and teardown. aa_free_ns_kref() takes a struct kref, so it is
 * presumably the kref release callback — confirm where it is registered. */
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);
void aa_free_ns_kref(struct kref *kref);

/* Namespace lookup. The __ prefixed variants follow the convention of the
 * inline helpers below: the caller provides the locking (__aa_findn_ns
 * documents rcu_read_lock) and the result is unrefcounted. Whether the
 * unprefixed lookups return a referenced namespace is not stated in this
 * header — check policy_ns.c before pairing a result with aa_put_ns(). */
struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n);
struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n);
struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
				     struct dentry *dir);
struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
void __aa_remove_ns(struct aa_ns *ns);
 102
/**
 * aa_deref_parent - fetch the parent of profile @p
 * @p: profile whose parent is wanted (NOT NULL)
 *
 * Returns: @p->parent
 * Requires: @p->ns->lock be held; rcu_dereference_protected() checks this
 *           condition rather than requiring an rcu read side
 */
static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
{
	struct aa_ns *ns = p->ns;

	return rcu_dereference_protected(p->parent, mutex_is_locked(&ns->lock));
}
 108
/**
 * aa_get_ns - increment references count on @ns
 * @ns: namespace to increment reference count of (MAYBE NULL)
 *
 * The reference is taken on @ns->unconfined rather than on @ns itself;
 * aa_put_ns() is the matching release.
 *
 * Returns: pointer to @ns, if @ns is NULL returns NULL
 * Requires: @ns must be held with valid refcount when called
 */
static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
{
	if (!ns)
		return NULL;

	aa_get_profile(ns->unconfined);
	return ns;
}
 123
/**
 * aa_put_ns - decrement refcount on @ns
 * @ns: namespace to put reference of (MAYBE NULL)
 *
 * Drops the reference held on @ns->unconfined, the counterpart of
 * aa_get_ns(); once no longer in use the namespace is freed. A NULL @ns
 * is a no-op.
 */
static inline void aa_put_ns(struct aa_ns *ns)
{
	if (!ns)
		return;

	aa_put_profile(ns->unconfined);
}
 135
/**
 * __aa_findn_ns - find a namespace on a list by @name
 * @head: list to search for namespace on  (NOT NULL)
 * @name: name of namespace to look for  (NOT NULL)
 * @n: length of @name
 * Returns: unrefcounted namespace (presumably NULL when __policy_strn_find()
 *          finds no match — confirm in policy.c)
 *
 * Requires: rcu_read_lock be held
 *
 * The result of __policy_strn_find() is cast directly to struct aa_ns, which
 * relies on @base being the first member of struct aa_ns. Because the result
 * is unrefcounted, a caller that keeps it beyond the rcu read side must take
 * its own reference with aa_get_ns() first.
 */
static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
					  const char *name, size_t n)
{
	return (struct aa_ns *)__policy_strn_find(head, name, n);
}
 150
/**
 * __aa_find_ns - find a namespace on a list by NUL-terminated @name
 * @head: list to search for namespace on  (NOT NULL)
 * @name: NUL-terminated name to look for  (NOT NULL; handed to strlen())
 *
 * Convenience wrapper around __aa_findn_ns(); the same contract applies:
 * rcu_read_lock must be held and the result is unrefcounted.
 *
 * Returns: unrefcounted namespace
 */
static inline struct aa_ns *__aa_find_ns(struct list_head *head,
					 const char *name)
{
	size_t len = strlen(name);

	return __aa_findn_ns(head, name, len);
}
 156
/**
 * __aa_lookup_ns - look up a namespace by NUL-terminated @hname
 * @base: namespace the lookup is relative to
 * @hname: NUL-terminated name to look up  (NOT NULL; handed to strlen())
 *
 * Wrapper around __aa_lookupn_ns(), which is declared above but not defined
 * in this header; its locking and refcount contract carries over unchanged.
 *
 * Returns: whatever __aa_lookupn_ns() returns for @hname
 */
static inline struct aa_ns *__aa_lookup_ns(struct aa_ns *base,
					   const char *hname)
{
	size_t len = strlen(hname);

	return __aa_lookupn_ns(base, hname, len);
}
 162
/**
 * aa_lookup_ns - look up a namespace by NUL-terminated @name
 * @view: namespace the lookup is relative to
 * @name: NUL-terminated name to look up  (NOT NULL; handed to strlen())
 *
 * Wrapper around aa_lookupn_ns(), which is declared above but not defined
 * in this header; its locking and refcount contract carries over unchanged.
 *
 * Returns: whatever aa_lookupn_ns() returns for @name
 */
static inline struct aa_ns *aa_lookup_ns(struct aa_ns *view, const char *name)
{
	size_t len = strlen(name);

	return aa_lookupn_ns(view, name, len);
}
 167
#endif /* __AA_NAMESPACE_H */
 169