diff options
Diffstat (limited to 'security/apparmor/include/context.h')
| -rw-r--r-- | security/apparmor/include/context.h | 61 |
1 files changed, 43 insertions, 18 deletions
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h index a9cbee4d9e48..d44ba5802e3d 100644 --- a/security/apparmor/include/context.h +++ b/security/apparmor/include/context.h | |||
| @@ -21,6 +21,9 @@ | |||
| 21 | 21 | ||
| 22 | #include "policy.h" | 22 | #include "policy.h" |
| 23 | 23 | ||
| 24 | #define cred_cxt(X) (X)->security | ||
| 25 | #define current_cxt() cred_cxt(current_cred()) | ||
| 26 | |||
| 24 | /* struct aa_file_cxt - the AppArmor context the file was opened in | 27 | /* struct aa_file_cxt - the AppArmor context the file was opened in |
| 25 | * @perms: the permission the file was opened with | 28 | * @perms: the permission the file was opened with |
| 26 | * | 29 | * |
| @@ -80,23 +83,8 @@ int aa_replace_current_profile(struct aa_profile *profile); | |||
| 80 | int aa_set_current_onexec(struct aa_profile *profile); | 83 | int aa_set_current_onexec(struct aa_profile *profile); |
| 81 | int aa_set_current_hat(struct aa_profile *profile, u64 token); | 84 | int aa_set_current_hat(struct aa_profile *profile, u64 token); |
| 82 | int aa_restore_previous_profile(u64 cookie); | 85 | int aa_restore_previous_profile(u64 cookie); |
| 86 | struct aa_profile *aa_get_task_profile(struct task_struct *task); | ||
| 83 | 87 | ||
| 84 | /** | ||
| 85 | * __aa_task_is_confined - determine if @task has any confinement | ||
| 86 | * @task: task to check confinement of (NOT NULL) | ||
| 87 | * | ||
| 88 | * If @task != current needs to be called in RCU safe critical section | ||
| 89 | */ | ||
| 90 | static inline bool __aa_task_is_confined(struct task_struct *task) | ||
| 91 | { | ||
| 92 | struct aa_task_cxt *cxt = __task_cred(task)->security; | ||
| 93 | |||
| 94 | BUG_ON(!cxt || !cxt->profile); | ||
| 95 | if (unconfined(aa_newest_version(cxt->profile))) | ||
| 96 | return 0; | ||
| 97 | |||
| 98 | return 1; | ||
| 99 | } | ||
| 100 | 88 | ||
| 101 | /** | 89 | /** |
| 102 | * aa_cred_profile - obtain cred's profiles | 90 | * aa_cred_profile - obtain cred's profiles |
| @@ -108,12 +96,36 @@ static inline bool __aa_task_is_confined(struct task_struct *task) | |||
| 108 | */ | 96 | */ |
| 109 | static inline struct aa_profile *aa_cred_profile(const struct cred *cred) | 97 | static inline struct aa_profile *aa_cred_profile(const struct cred *cred) |
| 110 | { | 98 | { |
| 111 | struct aa_task_cxt *cxt = cred->security; | 99 | struct aa_task_cxt *cxt = cred_cxt(cred); |
| 112 | BUG_ON(!cxt || !cxt->profile); | 100 | BUG_ON(!cxt || !cxt->profile); |
| 113 | return aa_newest_version(cxt->profile); | 101 | return aa_newest_version(cxt->profile); |
| 114 | } | 102 | } |
| 115 | 103 | ||
| 116 | /** | 104 | /** |
| 105 | * __aa_task_profile - retrieve another task's profile | ||
| 106 | * @task: task to query (NOT NULL) | ||
| 107 | * | ||
| 108 | * Returns: @task's profile without incrementing its ref count | ||
| 109 | * | ||
| 110 | * If @task != current needs to be called in RCU safe critical section | ||
| 111 | */ | ||
| 112 | static inline struct aa_profile *__aa_task_profile(struct task_struct *task) | ||
| 113 | { | ||
| 114 | return aa_cred_profile(__task_cred(task)); | ||
| 115 | } | ||
| 116 | |||
| 117 | /** | ||
| 118 | * __aa_task_is_confined - determine if @task has any confinement | ||
| 119 | * @task: task to check confinement of (NOT NULL) | ||
| 120 | * | ||
| 121 | * If @task != current needs to be called in RCU safe critical section | ||
| 122 | */ | ||
| 123 | static inline bool __aa_task_is_confined(struct task_struct *task) | ||
| 124 | { | ||
| 125 | return !unconfined(__aa_task_profile(task)); | ||
| 126 | } | ||
| 127 | |||
| 128 | /** | ||
| 117 | * __aa_current_profile - find the current tasks confining profile | 129 | * __aa_current_profile - find the current tasks confining profile |
| 118 | * | 130 | * |
| 119 | * Returns: up to date confining profile or the ns unconfined profile (NOT NULL) | 131 | * Returns: up to date confining profile or the ns unconfined profile (NOT NULL) |
| @@ -136,7 +148,7 @@ static inline struct aa_profile *__aa_current_profile(void) | |||
| 136 | */ | 148 | */ |
| 137 | static inline struct aa_profile *aa_current_profile(void) | 149 | static inline struct aa_profile *aa_current_profile(void) |
| 138 | { | 150 | { |
| 139 | const struct aa_task_cxt *cxt = current_cred()->security; | 151 | const struct aa_task_cxt *cxt = current_cxt(); |
| 140 | struct aa_profile *profile; | 152 | struct aa_profile *profile; |
| 141 | BUG_ON(!cxt || !cxt->profile); | 153 | BUG_ON(!cxt || !cxt->profile); |
| 142 | 154 | ||
| @@ -151,4 +163,17 @@ static inline struct aa_profile *aa_current_profile(void) | |||
| 151 | return profile; | 163 | return profile; |
| 152 | } | 164 | } |
| 153 | 165 | ||
| 166 | /** | ||
| 167 | * aa_clear_task_cxt_trans - clear transition tracking info from the cxt | ||
| 168 | * @cxt: task context to clear (NOT NULL) | ||
| 169 | */ | ||
| 170 | static inline void aa_clear_task_cxt_trans(struct aa_task_cxt *cxt) | ||
| 171 | { | ||
| 172 | aa_put_profile(cxt->previous); | ||
| 173 | aa_put_profile(cxt->onexec); | ||
| 174 | cxt->previous = NULL; | ||
| 175 | cxt->onexec = NULL; | ||
| 176 | cxt->token = 0; | ||
| 177 | } | ||
| 178 | |||
| 154 | #endif /* __AA_CONTEXT_H */ | 179 | #endif /* __AA_CONTEXT_H */ |