apparmor: move task related defines and fns to task.X files

Signed-off-by: John Johansen <john.johansen@canonical.com>

6 files changed, 105 insertions, 98 deletions

diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index 9a6b4033d52b..380c8e08174a 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -3,7 +3,7 @@
 #
 obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
 
-apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \
               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
               resource.o secid.o file.o policy_ns.o label.o mount.o
 apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b180e10f2b86..56d080a6d774 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -794,7 +794,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
         if (bprm->called_set_creds)
                 return 0;
 
-        ctx = current_task_ctx();
+        ctx = task_ctx(current);
         AA_BUG(!cred_label(bprm->cred));
         AA_BUG(!ctx);
 
@@ -1067,7 +1067,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
 
         /* released below */
         cred = get_current_cred();
-        ctx = current_task_ctx();
+        ctx = task_ctx(current);
         label = aa_get_newest_cred_label(cred);
         previous = aa_get_newest_label(ctx->previous);
 
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index b2aeb1da7e77..e287b7d0d4be 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -21,33 +21,10 @@
 
 #include "label.h"
 #include "policy_ns.h"
+#include "task.h"
 
-#define task_ctx(X) ((X)->security)
-#define current_task_ctx() (task_ctx(current))
 #define cred_label(X) ((X)->security)
 
-/*
- * struct aa_task_ctx - information for current task label change
- * @onexec: profile to transition to on next exec  (MAY BE NULL)
- * @previous: profile the task may return to     (MAY BE NULL)
- * @token: magic value the task must know for returning to @previous_profile
- */
-struct aa_task_ctx {
-        struct aa_label *onexec;
-        struct aa_label *previous;
-        u64 token;
-};
-
-struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags);
-void aa_free_task_ctx(struct aa_task_ctx *ctx);
-void aa_dup_task_ctx(struct aa_task_ctx *new, const struct aa_task_ctx *old);
-
-int aa_replace_current_label(struct aa_label *label);
-int aa_set_current_onexec(struct aa_label *label, bool stack);
-int aa_set_current_hat(struct aa_label *label, u64 token);
-int aa_restore_previous_label(u64 cookie);
-struct aa_label *aa_get_task_label(struct task_struct *task);
-
 
 /**
  * aa_cred_raw_label - obtain cred's label
@@ -196,19 +173,4 @@ static inline struct aa_ns *aa_get_current_ns(void)
         return ns;
 }
 
-/**
- * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
- * @ctx: task context to clear (NOT NULL)
- */
-static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
-{
-        AA_BUG(!ctx);
-
-        aa_put_label(ctx->previous);
-        aa_put_label(ctx->onexec);
-        ctx->previous = NULL;
-        ctx->onexec = NULL;
-        ctx->token = 0;
-}
-
 #endif /* __AA_CONTEXT_H */
diff --git a/security/apparmor/include/task.h b/security/apparmor/include/task.h
new file mode 100644
index 000000000000..d222197db299
--- /dev/null
+++ b/security/apparmor/include/task.h
@@ -0,0 +1,90 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor task related definitions and mediation
+ *
+ * Copyright 2017 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_TASK_H
+#define __AA_TASK_H
+
+#define task_ctx(X) ((X)->security)
+
+/*
+ * struct aa_task_ctx - information for current task label change
+ * @onexec: profile to transition to on next exec  (MAY BE NULL)
+ * @previous: profile the task may return to     (MAY BE NULL)
+ * @token: magic value the task must know for returning to @previous_profile
+ */
+struct aa_task_ctx {
+        struct aa_label *onexec;
+        struct aa_label *previous;
+        u64 token;
+};
+
+int aa_replace_current_label(struct aa_label *label);
+int aa_set_current_onexec(struct aa_label *label, bool stack);
+int aa_set_current_hat(struct aa_label *label, u64 token);
+int aa_restore_previous_label(u64 cookie);
+struct aa_label *aa_get_task_label(struct task_struct *task);
+
+/**
+ * aa_alloc_task_ctx - allocate a new task_ctx
+ * @flags: gfp flags for allocation
+ *
+ * Returns: allocated buffer or NULL on failure
+ */
+static inline struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags)
+{
+        return kzalloc(sizeof(struct aa_task_ctx), flags);
+}
+
+/**
+ * aa_free_task_ctx - free a task_ctx
+ * @ctx: task_ctx to free (MAYBE NULL)
+ */
+static inline void aa_free_task_ctx(struct aa_task_ctx *ctx)
+{
+        if (ctx) {
+                aa_put_label(ctx->previous);
+                aa_put_label(ctx->onexec);
+
+                kzfree(ctx);
+        }
+}
+
+/**
+ * aa_dup_task_ctx - duplicate a task context, incrementing reference counts
+ * @new: a blank task context      (NOT NULL)
+ * @old: the task context to copy  (NOT NULL)
+ */
+static inline void aa_dup_task_ctx(struct aa_task_ctx *new,
+                                   const struct aa_task_ctx *old)
+{
+        *new = *old;
+        aa_get_label(new->previous);
+        aa_get_label(new->onexec);
+}
+
+/**
+ * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
+ * @ctx: task context to clear (NOT NULL)
+ */
+static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
+{
+        AA_BUG(!ctx);
+
+        aa_put_label(ctx->previous);
+        aa_put_label(ctx->onexec);
+        ctx->previous = NULL;
+        ctx->onexec = NULL;
+        ctx->token = 0;
+}
+
+#endif /* __AA_TASK_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fda36f3e3820..7577cd982230 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -101,7 +101,7 @@ static int apparmor_task_alloc(struct task_struct *task,
         if (!new)
                 return -ENOMEM;
 
-        aa_dup_task_ctx(new, current_task_ctx());
+        aa_dup_task_ctx(new, task_ctx(current));
         task_ctx(task) = new;
 
         return 0;
@@ -582,7 +582,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
         int error = -ENOENT;
         /* released below */
         const struct cred *cred = get_task_cred(task);
-        struct aa_task_ctx *ctx = current_task_ctx();
+        struct aa_task_ctx *ctx = task_ctx(current);
         struct aa_label *label = NULL;
 
         if (strcmp(name, "current") == 0)
@@ -705,7 +705,7 @@ static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
 {
         /* clear out temporary/transitional state from the context */
-        aa_clear_task_ctx_trans(current_task_ctx());
+        aa_clear_task_ctx_trans(task_ctx(current));
 
         return;
 }
diff --git a/security/apparmor/context.c b/security/apparmor/task.c
index d95a3d47cb92..36eb8707ad89 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/task.c
@@ -1,32 +1,23 @@
 /*
  * AppArmor security module
  *
- * This file contains AppArmor functions used to manipulate object security
- * contexts.
+ * This file contains AppArmor task related definitions and mediation
  *
- * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2017 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
  * published by the Free Software Foundation, version 2 of the
  * License.
  *
- *
- * AppArmor sets confinement on every task, via the cred_label() which
- * is required and are not allowed to be NULL.  The cred_label is
- * reference counted.
- *
  * TODO
  * If a task uses change_hat it currently does not return to the old
  * cred or task context but instead creates a new one.  Ideally the task
  * should return to the previous cred if it has not been modified.
- *
  */
 
 #include "include/context.h"
-#include "include/policy.h"
-
+#include "include/task.h"
 
 /**
  * aa_get_task_label - Get another task's label
@@ -46,43 +37,6 @@ struct aa_label *aa_get_task_label(struct task_struct *task)
 }
 
 /**
- * aa_alloc_task_ctx - allocate a new task_ctx
- * @flags: gfp flags for allocation
- *
- * Returns: allocated buffer or NULL on failure
- */
-struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags)
-{
-        return kzalloc(sizeof(struct aa_task_ctx), flags);
-}
-
-/**
- * aa_free_task_ctx - free a task_ctx
- * @ctx: task_ctx to free (MAYBE NULL)
- */
-void aa_free_task_ctx(struct aa_task_ctx *ctx)
-{
-        if (ctx) {
-                aa_put_label(ctx->previous);
-                aa_put_label(ctx->onexec);
-
-                kzfree(ctx);
-        }
-}
-
-/**
- * aa_dup_task_ctx - duplicate a task context, incrementing reference counts
- * @new: a blank task context      (NOT NULL)
- * @old: the task context to copy  (NOT NULL)
- */
-void aa_dup_task_ctx(struct aa_task_ctx *new, const struct aa_task_ctx *old)
-{
-        *new = *old;
-        aa_get_label(new->previous);
-        aa_get_label(new->onexec);
-}
-
-/**
  * aa_replace_current_label - replace the current tasks label
  * @label: new label  (NOT NULL)
  *
@@ -110,7 +64,7 @@ int aa_replace_current_label(struct aa_label *label)
                  * if switching to unconfined or a different label namespace
                  * clear out context state
                  */
-                aa_clear_task_ctx_trans(current_task_ctx());
+                aa_clear_task_ctx_trans(task_ctx(current));
 
         /*
          * be careful switching cred label, when racing replacement it
@@ -126,6 +80,7 @@ int aa_replace_current_label(struct aa_label *label)
         return 0;
 }
 
+
 /**
  * aa_set_current_onexec - set the tasks change_profile to happen onexec
  * @label: system label to set at exec  (MAYBE NULL to clear value)
@@ -134,7 +89,7 @@ int aa_replace_current_label(struct aa_label *label)
  */
 int aa_set_current_onexec(struct aa_label *label, bool stack)
 {
-        struct aa_task_ctx *ctx = current_task_ctx();
+        struct aa_task_ctx *ctx = task_ctx(current);
 
         aa_get_label(label);
         aa_put_label(ctx->onexec);
@@ -156,7 +111,7 @@ int aa_set_current_onexec(struct aa_label *label, bool stack)
  */
 int aa_set_current_hat(struct aa_label *label, u64 token)
 {
-        struct aa_task_ctx *ctx = current_task_ctx();
+        struct aa_task_ctx *ctx = task_ctx(current);
         struct cred *new;
 
         new = prepare_creds();
@@ -196,7 +151,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
  */
 int aa_restore_previous_label(u64 token)
 {
-        struct aa_task_ctx *ctx = current_task_ctx();
+        struct aa_task_ctx *ctx = task_ctx(current);
         struct cred *new;
 
         if (ctx->token != token)