2 files changed, 370 insertions, 0 deletions
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
new file mode 100644
index 000000000000..8a9b5027c813
--- /dev/null
+++ b/security/apparmor/context.c
@@ -0,0 +1,216 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor functions used to manipulate object security
+ * contexts.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ *
+ * AppArmor sets confinement on every task, via the the aa_task_cxt and
+ * the aa_task_cxt.profile, both of which are required and are not allowed
+ * to be NULL.  The aa_task_cxt is not reference counted and is unique
+ * to each cred (which is reference count).  The profile pointed to by
+ * the task_cxt is reference counted.
+ *
+ * TODO
+ * If a task uses change_hat it currently does not return to the old
+ * cred or task context but instead creates a new one.  Ideally the task
+ * should return to the previous cred if it has not been modified.
+ *
+ */
+#include "include/context.h"
+#include "include/policy.h"
+/**
+ * aa_alloc_task_context - allocate a new task_cxt
+ * @flags: gfp flags for allocation
+ *
+ * Returns: allocated buffer or NULL on failure
+ */
+struct aa_task_cxt *aa_alloc_task_context(gfp_t flags)
+{
+        return kzalloc(sizeof(struct aa_task_cxt), flags);
+}
+/**
+ * aa_free_task_context - free a task_cxt
+ * @cxt: task_cxt to free (MAYBE NULL)
+ */
+void aa_free_task_context(struct aa_task_cxt *cxt)
+{
+        if (cxt) {
+                aa_put_profile(cxt->profile);
+                aa_put_profile(cxt->previous);
+                aa_put_profile(cxt->onexec);
+                kzfree(cxt);
+        }
+}
+/**
+ * aa_dup_task_context - duplicate a task context, incrementing reference counts
+ * @new: a blank task context      (NOT NULL)
+ * @old: the task context to copy  (NOT NULL)
+ */
+void aa_dup_task_context(struct aa_task_cxt *new, const struct aa_task_cxt *old)
+{
+        *new = *old;
+        aa_get_profile(new->profile);
+        aa_get_profile(new->previous);
+        aa_get_profile(new->onexec);
+}
+/**
+ * aa_replace_current_profile - replace the current tasks profiles
+ * @profile: new profile  (NOT NULL)
+ *
+ * Returns: 0 or error on failure
+ */
+int aa_replace_current_profile(struct aa_profile *profile)
+{
+        struct aa_task_cxt *cxt = current_cred()->security;
+        struct cred *new;
+        BUG_ON(!profile);
+        if (cxt->profile == profile)
+                return 0;
+        new  = prepare_creds();
+        if (!new)
+                return -ENOMEM;
+        cxt = new->security;
+        if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
+                /* if switching to unconfined or a different profile namespace
+                 * clear out context state
+                 */
+                aa_put_profile(cxt->previous);
+                aa_put_profile(cxt->onexec);
+                cxt->previous = NULL;
+                cxt->onexec = NULL;
+                cxt->token = 0;
+        }
+        /* be careful switching cxt->profile, when racing replacement it
+         * is possible that cxt->profile->replacedby is the reference keeping
+         * @profile valid, so make sure to get its reference before dropping
+         * the reference on cxt->profile */
+        aa_get_profile(profile);
+        aa_put_profile(cxt->profile);
+        cxt->profile = profile;
+        commit_creds(new);
+        return 0;
+}
+/**
+ * aa_set_current_onexec - set the tasks change_profile to happen onexec
+ * @profile: system profile to set at exec  (MAYBE NULL to clear value)
+ *
+ * Returns: 0 or error on failure
+ */
+int aa_set_current_onexec(struct aa_profile *profile)
+{
+        struct aa_task_cxt *cxt;
+        struct cred *new = prepare_creds();
+        if (!new)
+                return -ENOMEM;
+        cxt = new->security;
+        aa_get_profile(profile);
+        aa_put_profile(cxt->onexec);
+        cxt->onexec = profile;
+        commit_creds(new);
+        return 0;
+}
+/**
+ * aa_set_current_hat - set the current tasks hat
+ * @profile: profile to set as the current hat  (NOT NULL)
+ * @token: token value that must be specified to change from the hat
+ *
+ * Do switch of tasks hat.  If the task is currently in a hat
+ * validate the token to match.
+ *
+ * Returns: 0 or error on failure
+ */
+int aa_set_current_hat(struct aa_profile *profile, u64 token)
+{
+        struct aa_task_cxt *cxt;
+        struct cred *new = prepare_creds();
+        if (!new)
+                return -ENOMEM;
+        BUG_ON(!profile);
+        cxt = new->security;
+        if (!cxt->previous) {
+                /* transfer refcount */
+                cxt->previous = cxt->profile;
+                cxt->token = token;
+        } else if (cxt->token == token) {
+                aa_put_profile(cxt->profile);
+        } else {
+                /* previous_profile && cxt->token != token */
+                abort_creds(new);
+                return -EACCES;
+        }
+        cxt->profile = aa_get_profile(aa_newest_version(profile));
+        /* clear exec on switching context */
+        aa_put_profile(cxt->onexec);
+        cxt->onexec = NULL;
+        commit_creds(new);
+        return 0;
+}
+/**
+ * aa_restore_previous_profile - exit from hat context restoring the profile
+ * @token: the token that must be matched to exit hat context
+ *
+ * Attempt to return out of a hat to the previous profile.  The token
+ * must match the stored token value.
+ *
+ * Returns: 0 or error of failure
+ */
+int aa_restore_previous_profile(u64 token)
+{
+        struct aa_task_cxt *cxt;
+        struct cred *new = prepare_creds();
+        if (!new)
+                return -ENOMEM;
+        cxt = new->security;
+        if (cxt->token != token) {
+                abort_creds(new);
+                return -EACCES;
+        }
+        /* ignore restores when there is no saved profile */
+        if (!cxt->previous) {
+                abort_creds(new);
+                return 0;
+        }
+        aa_put_profile(cxt->profile);
+        cxt->profile = aa_newest_version(cxt->previous);
+        BUG_ON(!cxt->profile);
+        if (unlikely(cxt->profile != cxt->previous)) {
+                aa_get_profile(cxt->profile);
+                aa_put_profile(cxt->previous);
+        }
+        /* clear exec && prev information when restoring to previous context */
+        cxt->previous = NULL;
+        cxt->token = 0;
+        aa_put_profile(cxt->onexec);
+        cxt->onexec = NULL;
+        commit_creds(new);
+        return 0;
+}
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
new file mode 100644
index 000000000000..a9cbee4d9e48
--- /dev/null
+++ b/security/apparmor/include/context.h
@@ -0,0 +1,154 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor contexts used to associate "labels" to objects.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_CONTEXT_H
+#define __AA_CONTEXT_H
+#include <linux/cred.h>
+#include <linux/slab.h>
+#include <linux/sched.h>
+#include "policy.h"
+/* struct aa_file_cxt - the AppArmor context the file was opened in
+ * @perms: the permission the file was opened with
+ *
+ * The file_cxt could currently be directly stored in file->f_security
+ * as the profile reference is now stored in the f_cred.  However the
+ * cxt struct will expand in the future so we keep the struct.
+ */
+struct aa_file_cxt {
+        u16 allow;
+};
+/**
+ * aa_alloc_file_context - allocate file_cxt
+ * @gfp: gfp flags for allocation
+ *
+ * Returns: file_cxt or NULL on failure
+ */
+static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp)
+{
+        return kzalloc(sizeof(struct aa_file_cxt), gfp);
+}
+/**
+ * aa_free_file_context - free a file_cxt
+ * @cxt: file_cxt to free  (MAYBE_NULL)
+ */
+static inline void aa_free_file_context(struct aa_file_cxt *cxt)
+{
+        if (cxt)
+                kzfree(cxt);
+}
+/**
+ * struct aa_task_cxt - primary label for confined tasks
+ * @profile: the current profile   (NOT NULL)
+ * @exec: profile to transition to on next exec  (MAYBE NULL)
+ * @previous: profile the task may return to     (MAYBE NULL)
+ * @token: magic value the task must know for returning to @previous_profile
+ *
+ * Contains the task's current profile (which could change due to
+ * change_hat).  Plus the hat_magic needed during change_hat.
+ *
+ * TODO: make so a task can be confined by a stack of contexts
+ */
+struct aa_task_cxt {
+        struct aa_profile *profile;
+        struct aa_profile *onexec;
+        struct aa_profile *previous;
+        u64 token;
+};
+struct aa_task_cxt *aa_alloc_task_context(gfp_t flags);
+void aa_free_task_context(struct aa_task_cxt *cxt);
+void aa_dup_task_context(struct aa_task_cxt *new,
+                         const struct aa_task_cxt *old);
+int aa_replace_current_profile(struct aa_profile *profile);
+int aa_set_current_onexec(struct aa_profile *profile);
+int aa_set_current_hat(struct aa_profile *profile, u64 token);
+int aa_restore_previous_profile(u64 cookie);
+/**
+ * __aa_task_is_confined - determine if @task has any confinement
+ * @task: task to check confinement of  (NOT NULL)
+ *
+ * If @task != current needs to be called in RCU safe critical section
+ */
+static inline bool __aa_task_is_confined(struct task_struct *task)
+{
+        struct aa_task_cxt *cxt = __task_cred(task)->security;
+        BUG_ON(!cxt || !cxt->profile);
+        if (unconfined(aa_newest_version(cxt->profile)))
+                return 0;
+        return 1;
+}
+/**
+ * aa_cred_profile - obtain cred's profiles
+ * @cred: cred to obtain profiles from  (NOT NULL)
+ *
+ * Returns: confining profile
+ *
+ * does NOT increment reference count
+ */
+static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
+{
+        struct aa_task_cxt *cxt = cred->security;
+        BUG_ON(!cxt || !cxt->profile);
+        return aa_newest_version(cxt->profile);
+}
+/**
+ * __aa_current_profile - find the current tasks confining profile
+ *
+ * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
+ *
+ * This fn will not update the tasks cred to the most up to date version
+ * of the profile so it is safe to call when inside of locks.
+ */
+static inline struct aa_profile *__aa_current_profile(void)
+{
+        return aa_cred_profile(current_cred());
+}
+/**
+ * aa_current_profile - find the current tasks confining profile and do updates
+ *
+ * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
+ *
+ * This fn will update the tasks cred structure if the profile has been
+ * replaced.  Not safe to call inside locks
+ */
+static inline struct aa_profile *aa_current_profile(void)
+{
+        const struct aa_task_cxt *cxt = current_cred()->security;
+        struct aa_profile *profile;
+        BUG_ON(!cxt || !cxt->profile);
+        profile = aa_newest_version(cxt->profile);
+        /*
+         * Whether or not replacement succeeds, use newest profile so
+         * there is no need to update it after replacement.
+         */
+        if (unlikely((cxt->profile != profile)))
+                aa_replace_current_profile(profile);
+        return profile;
+}
+#endif /* __AA_CONTEXT_H */

diff --git a/security/apparmor/context.c b/security/apparmor/context.c new file mode 100644 index 000000000000..8a9b5027c813 --- /dev/null +++ b/security/apparmor/context.c
@@ -0,0 +1,216 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor functions used to manipulate object security
	5	* contexts.
	6	*
	7	* Copyright (C) 1998-2008 Novell/SUSE
	8	* Copyright 2009-2010 Canonical Ltd.
	9	*
	10	* This program is free software; you can redistribute it and/or
	11	* modify it under the terms of the GNU General Public License as
	12	* published by the Free Software Foundation, version 2 of the
	13	* License.
	14	*
	15	*
	16	* AppArmor sets confinement on every task, via the the aa_task_cxt and
	17	* the aa_task_cxt.profile, both of which are required and are not allowed
	18	* to be NULL. The aa_task_cxt is not reference counted and is unique
	19	* to each cred (which is reference count). The profile pointed to by
	20	* the task_cxt is reference counted.
	21	*
	22	* TODO
	23	* If a task uses change_hat it currently does not return to the old
	24	* cred or task context but instead creates a new one. Ideally the task
	25	* should return to the previous cred if it has not been modified.
	26	*
	27	*/
	28
	29	#include "include/context.h"
	30	#include "include/policy.h"
	31
	32	/**
	33	* aa_alloc_task_context - allocate a new task_cxt
	34	* @flags: gfp flags for allocation
	35	*
	36	* Returns: allocated buffer or NULL on failure
	37	*/
	38	struct aa_task_cxt *aa_alloc_task_context(gfp_t flags)
	39	{
	40	return kzalloc(sizeof(struct aa_task_cxt), flags);
	41	}
	42
	43	/**
	44	* aa_free_task_context - free a task_cxt
	45	* @cxt: task_cxt to free (MAYBE NULL)
	46	*/
	47	void aa_free_task_context(struct aa_task_cxt *cxt)
	48	{
	49	if (cxt) {
	50	aa_put_profile(cxt->profile);
	51	aa_put_profile(cxt->previous);
	52	aa_put_profile(cxt->onexec);
	53
	54	kzfree(cxt);
	55	}
	56	}
	57
	58	/**
	59	* aa_dup_task_context - duplicate a task context, incrementing reference counts
	60	* @new: a blank task context (NOT NULL)
	61	* @old: the task context to copy (NOT NULL)
	62	*/
	63	void aa_dup_task_context(struct aa_task_cxt new, const struct aa_task_cxt old)
	64	{
	65	new = old;
	66	aa_get_profile(new->profile);
	67	aa_get_profile(new->previous);
	68	aa_get_profile(new->onexec);
	69	}
	70
	71	/**
	72	* aa_replace_current_profile - replace the current tasks profiles
	73	* @profile: new profile (NOT NULL)
	74	*
	75	* Returns: 0 or error on failure
	76	*/
	77	int aa_replace_current_profile(struct aa_profile *profile)
	78	{
	79	struct aa_task_cxt *cxt = current_cred()->security;
	80	struct cred *new;
	81	BUG_ON(!profile);
	82
	83	if (cxt->profile == profile)
	84	return 0;
	85
	86	new = prepare_creds();
	87	if (!new)
	88	return -ENOMEM;
	89
	90	cxt = new->security;
	91	if (unconfined(profile) \|\| (cxt->profile->ns != profile->ns)) {
	92	/* if switching to unconfined or a different profile namespace
	93	* clear out context state
	94	*/
	95	aa_put_profile(cxt->previous);
	96	aa_put_profile(cxt->onexec);
	97	cxt->previous = NULL;
	98	cxt->onexec = NULL;
	99	cxt->token = 0;
	100	}
	101	/* be careful switching cxt->profile, when racing replacement it
	102	* is possible that cxt->profile->replacedby is the reference keeping
	103	* @profile valid, so make sure to get its reference before dropping
	104	* the reference on cxt->profile */
	105	aa_get_profile(profile);
	106	aa_put_profile(cxt->profile);
	107	cxt->profile = profile;
	108
	109	commit_creds(new);
	110	return 0;
	111	}
	112
	113	/**
	114	* aa_set_current_onexec - set the tasks change_profile to happen onexec
	115	* @profile: system profile to set at exec (MAYBE NULL to clear value)
	116	*
	117	* Returns: 0 or error on failure
	118	*/
	119	int aa_set_current_onexec(struct aa_profile *profile)
	120	{
	121	struct aa_task_cxt *cxt;
	122	struct cred *new = prepare_creds();
	123	if (!new)
	124	return -ENOMEM;
	125
	126	cxt = new->security;
	127	aa_get_profile(profile);
	128	aa_put_profile(cxt->onexec);
	129	cxt->onexec = profile;
	130
	131	commit_creds(new);
	132	return 0;
	133	}
	134
	135	/**
	136	* aa_set_current_hat - set the current tasks hat
	137	* @profile: profile to set as the current hat (NOT NULL)
	138	* @token: token value that must be specified to change from the hat
	139	*
	140	* Do switch of tasks hat. If the task is currently in a hat
	141	* validate the token to match.
	142	*
	143	* Returns: 0 or error on failure
	144	*/
	145	int aa_set_current_hat(struct aa_profile *profile, u64 token)
	146	{
	147	struct aa_task_cxt *cxt;
	148	struct cred *new = prepare_creds();
	149	if (!new)
	150	return -ENOMEM;
	151	BUG_ON(!profile);
	152
	153	cxt = new->security;
	154	if (!cxt->previous) {
	155	/* transfer refcount */
	156	cxt->previous = cxt->profile;
	157	cxt->token = token;
	158	} else if (cxt->token == token) {
	159	aa_put_profile(cxt->profile);
	160	} else {
	161	/* previous_profile && cxt->token != token */
	162	abort_creds(new);
	163	return -EACCES;
	164	}
	165	cxt->profile = aa_get_profile(aa_newest_version(profile));
	166	/* clear exec on switching context */
	167	aa_put_profile(cxt->onexec);
	168	cxt->onexec = NULL;
	169
	170	commit_creds(new);
	171	return 0;
	172	}
	173
	174	/**
	175	* aa_restore_previous_profile - exit from hat context restoring the profile
	176	* @token: the token that must be matched to exit hat context
	177	*
	178	* Attempt to return out of a hat to the previous profile. The token
	179	* must match the stored token value.
	180	*
	181	* Returns: 0 or error of failure
	182	*/
	183	int aa_restore_previous_profile(u64 token)
	184	{
	185	struct aa_task_cxt *cxt;
	186	struct cred *new = prepare_creds();
	187	if (!new)
	188	return -ENOMEM;
	189
	190	cxt = new->security;
	191	if (cxt->token != token) {
	192	abort_creds(new);
	193	return -EACCES;
	194	}
	195	/* ignore restores when there is no saved profile */
	196	if (!cxt->previous) {
	197	abort_creds(new);
	198	return 0;
	199	}
	200
	201	aa_put_profile(cxt->profile);
	202	cxt->profile = aa_newest_version(cxt->previous);
	203	BUG_ON(!cxt->profile);
	204	if (unlikely(cxt->profile != cxt->previous)) {
	205	aa_get_profile(cxt->profile);
	206	aa_put_profile(cxt->previous);
	207	}
	208	/* clear exec && prev information when restoring to previous context */
	209	cxt->previous = NULL;
	210	cxt->token = 0;
	211	aa_put_profile(cxt->onexec);
	212	cxt->onexec = NULL;
	213
	214	commit_creds(new);
	215	return 0;
	216	}


diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h new file mode 100644 index 000000000000..a9cbee4d9e48 --- /dev/null +++ b/security/apparmor/include/context.h
@@ -0,0 +1,154 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor contexts used to associate "labels" to objects.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_CONTEXT_H
	16	#define __AA_CONTEXT_H
	17
	18	#include <linux/cred.h>
	19	#include <linux/slab.h>
	20	#include <linux/sched.h>
	21
	22	#include "policy.h"
	23
	24	/* struct aa_file_cxt - the AppArmor context the file was opened in
	25	* @perms: the permission the file was opened with
	26	*
	27	* The file_cxt could currently be directly stored in file->f_security
	28	* as the profile reference is now stored in the f_cred. However the
	29	* cxt struct will expand in the future so we keep the struct.
	30	*/
	31	struct aa_file_cxt {
	32	u16 allow;
	33	};
	34
	35	/**
	36	* aa_alloc_file_context - allocate file_cxt
	37	* @gfp: gfp flags for allocation
	38	*
	39	* Returns: file_cxt or NULL on failure
	40	*/
	41	static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp)
	42	{
	43	return kzalloc(sizeof(struct aa_file_cxt), gfp);
	44	}
	45
	46	/**
	47	* aa_free_file_context - free a file_cxt
	48	* @cxt: file_cxt to free (MAYBE_NULL)
	49	*/
	50	static inline void aa_free_file_context(struct aa_file_cxt *cxt)
	51	{
	52	if (cxt)
	53	kzfree(cxt);
	54	}
	55
	56	/**
	57	* struct aa_task_cxt - primary label for confined tasks
	58	* @profile: the current profile (NOT NULL)
	59	* @exec: profile to transition to on next exec (MAYBE NULL)
	60	* @previous: profile the task may return to (MAYBE NULL)
	61	* @token: magic value the task must know for returning to @previous_profile
	62	*
	63	* Contains the task's current profile (which could change due to
	64	* change_hat). Plus the hat_magic needed during change_hat.
	65	*
	66	* TODO: make so a task can be confined by a stack of contexts
	67	*/
	68	struct aa_task_cxt {
	69	struct aa_profile *profile;
	70	struct aa_profile *onexec;
	71	struct aa_profile *previous;
	72	u64 token;
	73	};
	74
	75	struct aa_task_cxt *aa_alloc_task_context(gfp_t flags);
	76	void aa_free_task_context(struct aa_task_cxt *cxt);
	77	void aa_dup_task_context(struct aa_task_cxt *new,
	78	const struct aa_task_cxt *old);
	79	int aa_replace_current_profile(struct aa_profile *profile);
	80	int aa_set_current_onexec(struct aa_profile *profile);
	81	int aa_set_current_hat(struct aa_profile *profile, u64 token);
	82	int aa_restore_previous_profile(u64 cookie);
	83
	84	/**
	85	* __aa_task_is_confined - determine if @task has any confinement
	86	* @task: task to check confinement of (NOT NULL)
	87	*
	88	* If @task != current needs to be called in RCU safe critical section
	89	*/
	90	static inline bool __aa_task_is_confined(struct task_struct *task)
	91	{
	92	struct aa_task_cxt *cxt = __task_cred(task)->security;
	93
	94	BUG_ON(!cxt \|\| !cxt->profile);
	95	if (unconfined(aa_newest_version(cxt->profile)))
	96	return 0;
	97
	98	return 1;
	99	}
	100
	101	/**
	102	* aa_cred_profile - obtain cred's profiles
	103	* @cred: cred to obtain profiles from (NOT NULL)
	104	*
	105	* Returns: confining profile
	106	*
	107	* does NOT increment reference count
	108	*/
	109	static inline struct aa_profile aa_cred_profile(const struct cred cred)
	110	{
	111	struct aa_task_cxt *cxt = cred->security;
	112	BUG_ON(!cxt \|\| !cxt->profile);
	113	return aa_newest_version(cxt->profile);
	114	}
	115
	116	/**
	117	* __aa_current_profile - find the current tasks confining profile
	118	*
	119	* Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
	120	*
	121	* This fn will not update the tasks cred to the most up to date version
	122	* of the profile so it is safe to call when inside of locks.
	123	*/
	124	static inline struct aa_profile *__aa_current_profile(void)
	125	{
	126	return aa_cred_profile(current_cred());
	127	}
	128
	129	/**
	130	* aa_current_profile - find the current tasks confining profile and do updates
	131	*
	132	* Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
	133	*
	134	* This fn will update the tasks cred structure if the profile has been
	135	* replaced. Not safe to call inside locks
	136	*/
	137	static inline struct aa_profile *aa_current_profile(void)
	138	{
	139	const struct aa_task_cxt *cxt = current_cred()->security;
	140	struct aa_profile *profile;
	141	BUG_ON(!cxt \|\| !cxt->profile);
	142
	143	profile = aa_newest_version(cxt->profile);
	144	/*
	145	* Whether or not replacement succeeds, use newest profile so
	146	* there is no need to update it after replacement.
	147	*/
	148	if (unlikely((cxt->profile != profile)))
	149	aa_replace_current_profile(profile);
	150
	151	return profile;
	152	}
	153
	154	#endif /* __AA_CONTEXT_H */