Diffstat (limited to 'security/apparmor/include/policy.h')
-rw-r--r--security/apparmor/include/policy.h21
1 files changed, 19 insertions, 2 deletions
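--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -29,8 +29,8 @@
 #include "file.h"
 #include "resource.h"
 
-extern const char *const profile_mode_names[];
-#define APPARMOR_NAMES_MAX_INDEX 3
+extern const char *const aa_profile_mode_names[];
+#define APPARMOR_MODE_NAMES_MAX_INDEX 4
 
 #define PROFILE_MODE(_profile, _mode) \
 	((aa_g_profile_mode == (_mode)) || \
@@ -110,6 +110,8 @@ struct aa_ns_acct {
  * @unconfined: special unconfined profile for the namespace
  * @sub_ns: list of namespaces under the current namespace.
  * @uniq_null: uniq value used for null learning profiles
+ * @uniq_id: a unique id count for the profiles in the namespace
+ * @dents: dentries for the namespaces file entries in apparmorfs
  *
  * An aa_namespace defines the set profiles that are searched to determine
  * which profile to attach to a task. Profiles can not be shared between
@@ -133,6 +135,9 @@ struct aa_namespace {
 	struct aa_profile *unconfined;
 	struct list_head sub_ns;
 	atomic_t uniq_null;
+	long uniq_id;
+
+	struct dentry *dents[AAFS_NS_SIZEOF];
 };
 
 /* struct aa_policydb - match engine for a policy
@@ -172,6 +177,9 @@ struct aa_replacedby {
  * @caps: capabilities for the profile
  * @rlimits: rlimits for the profile
  *
+ * @dents: dentries for the profiles file entries in apparmorfs
+ * @dirname: name of the profile dir in apparmorfs
+ *
  * The AppArmor profile contains the basic confinement data. Each profile
  * has a name, and exists in a namespace. The @name and @exec_match are
  * used to determine profile attachment against unconfined tasks. All other
@@ -208,6 +216,9 @@ struct aa_profile {
 	struct aa_file_rules file;
 	struct aa_caps caps;
 	struct aa_rlimit rlimits;
+
+	char *dirname;
+	struct dentry *dents[AAFS_PROF_SIZEOF];
 };
 
 extern struct aa_namespace *root_ns;
@@ -243,6 +254,12 @@ ssize_t aa_remove_profiles(char *name, size_t size);
 #define unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
 
 
+static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
+{
+	return rcu_dereference_protected(p->parent,
+					 mutex_is_locked(&p->ns->lock));
+}
+
 /**
  * aa_get_profile - increment refcount on profile @p
  * @p: profile (MAYBE NULL)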
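Review bot: The new aa_deref_parent() in the last hunk has no kernel-doc comment, while its immediate neighbour aa_get_profile() documents a "@p: profile (MAYBE NULL)" contract; since this helper dereferences p and p->ns unconditionally, the opposite contract should be stated explicitly, e.g. a kernel-doc block saying the helper returns @p's parent, that @p must not be NULL, and that the caller must hold @p->ns->lock. The locking condition passed to rcu_dereference_protected() is also worth a second look: mutex_is_locked() only reports that some task holds the mutex, not that the caller does, so it is a weaker proof than a lockdep-based check; if this code already relies on lockdep elsewhere, `lockdep_is_held(&p->ns->lock)` would catch a caller that is merely racing with another lock holder. Separately, the new `char *dirname` member in aa_profile introduces heap-owned state whose release path is not visible in this header; a one-line ownership note on the @dirname kernel-doc entry (who allocates it and that it is freed with the profile) would keep the struct documentation honest, though I cannot confirm from this hunk where that happens. The AAFS_NS_SIZEOF and AAFS_PROF_SIZEOF bounds appear to come from a header not included in the visible part of this file, presumably apparmorfs.h — worth verifying the include order so policy.h stays self-contained.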