Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) /* SPDX-License-Identifier: GPL-2.0-only */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3)  * AppArmor security module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5)  * This file contains AppArmor contexts used to associate "labels" to objects.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7)  * Copyright (C) 1998-2008 Novell/SUSE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8)  * Copyright 2009-2010 Canonical Ltd.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11) #ifndef __AA_CONTEXT_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12) #define __AA_CONTEXT_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14) #include <linux/cred.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16) #include <linux/sched.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18) #include "label.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19) #include "policy_ns.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20) #include "task.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21) 
/**
 * cred_label - read the label pointer stored in a cred's security blob
 * @cred: cred whose blob is read; it is dereferenced unconditionally
 *
 * The slot lives at offset apparmor_blob_sizes.lbs_cred inside
 * cred->security.
 *
 * Returns: the stored label pointer as-is; no reference is taken here
 */
static inline struct aa_label *cred_label(const struct cred *cred)
{
	struct aa_label **blob;

	blob = cred->security + apparmor_blob_sizes.lbs_cred;

	/*
	 * NOTE(review): this asserts on the computed slot address, not on
	 * cred->security itself, so a NULL ->security combined with a
	 * non-zero lbs_cred offset would not trip it. Confirm that no caller
	 * can get here before the cred blob has been allocated.
	 */
	AA_BUG(!blob);
	return *blob;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  29) 
/**
 * set_cred_label - store a label pointer in a cred's security blob
 * @cred: cred whose blob slot is overwritten; dereferenced unconditionally
 * @label: pointer value to store
 *
 * Only the pointer is written: the previous value is not put and no
 * reference is taken on @label here, so the caller has to account for both.
 *
 * The store goes through cred->security, so the const qualifier on @cred
 * does not prevent the confining label from being changed.
 * NOTE(review): presumably only meant for creds that are still being
 * prepared - verify against the callers.
 */
static inline void set_cred_label(const struct cred *cred,
				  struct aa_label *label)
{
	struct aa_label **blob;

	blob = cred->security + apparmor_blob_sizes.lbs_cred;

	/* Same address-only assertion as in cred_label(). */
	AA_BUG(!blob);
	*blob = label;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  38) 
/**
 * aa_cred_raw_label - obtain cred's label
 * @cred: cred to obtain label from  (NOT NULL)
 *
 * Thin wrapper around cred_label() that additionally asserts the stored
 * label is not NULL.
 *
 * Returns: confining label
 *
 * Does NOT increment the reference count: the result is a borrowed pointer.
 * NOTE(review): presumably it stays valid only while @cred keeps its own
 * reference - take one with aa_get_label() if it must outlive the cred.
 */
static inline struct aa_label *aa_cred_raw_label(const struct cred *cred)
{
	struct aa_label *label;

	label = cred_label(cred);
	AA_BUG(!label);

	return label;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  54) 
/**
 * aa_get_newest_cred_label - obtain the newest label on a cred
 * @cred: cred to obtain label from (NOT NULL)
 *
 * Feeds the cred's raw (uncounted) label to aa_get_newest_label().
 *
 * Returns: newest version of confining label
 *
 * NOTE(review): aa_get_current_label() documents the result of the same
 * helper as a reference that must be put with aa_put_label(); presumably
 * that applies here too - confirm in label.h.
 */
static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
{
	struct aa_label *raw = aa_cred_raw_label(cred);

	return aa_get_newest_label(raw);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  65) 
/**
 * __aa_task_raw_label - retrieve another task's label
 * @task: task to query  (NOT NULL)
 *
 * Returns: @task's label without incrementing its ref count
 *
 * If @task != current, this must be called inside an RCU-safe critical
 * section.
 * NOTE(review): since no reference is taken, the returned pointer is
 * presumably only protected for as long as that section lasts - confirm
 * callers do not keep it beyond the section without taking a reference.
 */
static inline struct aa_label *__aa_task_raw_label(struct task_struct *task)
{
	const struct cred *cred = __task_cred(task);

	return aa_cred_raw_label(cred);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  78) 
/**
 * aa_current_raw_label - find the current task's confining label
 *
 * Returns: up to date confining label or the ns unconfined label (NOT NULL)
 *
 * This function does not update the task's cred to the most up to date
 * version of the label, so it is safe to call while holding locks.
 * The label is read straight from current_cred() and no reference is taken.
 */
static inline struct aa_label *aa_current_raw_label(void)
{
	const struct cred *cred = current_cred();

	return aa_cred_raw_label(cred);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  91) 
/**
 * aa_get_current_label - get the newest version of the current task's label
 *
 * Returns: newest version of confining label (NOT NULL)
 *
 * This function does not update the task's cred, so it is safe inside of
 * locks.
 *
 * Both paths go through a get helper, and the returned reference must be put
 * with aa_put_label().
 */
static inline struct aa_label *aa_get_current_label(void)
{
	struct aa_label *cur = aa_current_raw_label();

	/* A stale label is swapped for its newest version, otherwise pinned. */
	return label_is_stale(cur) ? aa_get_newest_label(cur)
				   : aa_get_label(cur);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) 
/* Alias so the __begin_.../__end_... pair reads symmetrically. */
#define __end_current_label_crit_section(X) end_current_label_crit_section(X)

/**
 * end_current_label_crit_section - put a reference found with begin_current_label..
 * @label: label reference to put
 *
 * Should only be used with a reference obtained with
 * begin_current_label_crit_section and never used in situations where the
 * task cred may be updated.
 *
 * The pointer comparison below is the only record of whether the begin call
 * took an extra reference: a label equal to the cred's current raw label is
 * treated as borrowed and left alone, anything else is put. If the cred's
 * label changes between begin and end, that test gives the wrong answer and
 * the label's reference count ends up unbalanced.
 */
static inline void end_current_label_crit_section(struct aa_label *label)
{
	/* Borrowed from the task cred: nothing to release. */
	if (label == aa_current_raw_label())
		return;

	aa_put_label(label);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) 
/**
 * __begin_current_label_crit_section - current's confining label
 *
 * Returns: up to date confining label or the ns unconfined label (NOT NULL)
 *
 * Safe to call inside locks.
 *
 * When the cred's label is not stale it is returned as-is, without taking a
 * reference; only the stale path obtains a label through
 * aa_get_newest_label().
 *
 * The returned reference must be put with __end_current_label_crit_section().
 * This must NOT be used if the task cred could be updated within the
 * critical section between __begin_current_label_crit_section() ..
 * __end_current_label_crit_section()
 */
static inline struct aa_label *__begin_current_label_crit_section(void)
{
	struct aa_label *cur = aa_current_raw_label();

	if (!label_is_stale(cur))
		return cur;

	/* The task cred itself is left pointing at the stale label. */
	return aa_get_newest_label(cur);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) 
/**
 * begin_current_label_crit_section - current's confining label and update it
 *
 * Returns: up to date confining label or the ns unconfined label (NOT NULL)
 *
 * Not safe to call inside locks: the function is annotated with
 * might_sleep().
 *
 * The returned reference must be put with end_current_label_crit_section()
 * This must NOT be used if the task cred could be updated within the
 * critical section between begin_current_label_crit_section() ..
 * end_current_label_crit_section()
 */
static inline struct aa_label *begin_current_label_crit_section(void)
{
	struct aa_label *cur = aa_current_raw_label();
	struct aa_label *newest;

	might_sleep();

	if (!label_is_stale(cur))
		return cur;

	newest = aa_get_newest_label(cur);

	/*
	 * On success the task cred keeps a reference of its own, so the one
	 * obtained above is dropped and the caller gets a pointer borrowed
	 * from the cred. On failure the caller keeps the reference obtained
	 * above; end_current_label_crit_section() puts it when it sees that
	 * the label differs from the one in the cred.
	 */
	if (aa_replace_current_label(newest) == 0)
		aa_put_label(newest);

	return newest;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) 
/**
 * aa_get_current_ns - get the namespace of the current task's label
 *
 * Uses the lock-safe __begin/__end_current_label_crit_section() pair, so the
 * task cred is not updated here.
 *
 * Returns: result of aa_get_ns() on the label's namespace
 *
 * NOTE(review): presumably a counted reference that the caller must release
 * with aa_put_ns() - confirm in policy_ns.h.
 */
static inline struct aa_ns *aa_get_current_ns(void)
{
	struct aa_label *cur = __begin_current_label_crit_section();
	struct aa_ns *ns = aa_get_ns(labels_ns(cur));

	/* The namespace is pinned before the label is released. */
	__end_current_label_crit_section(cur);

	return ns;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) #endif /* __AA_CONTEXT_H */