Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

3 Commits   0 Branches   0 Tags
Index
Trunk
Branches
Tags
Trunk
Branches
Tags
Home page
Home page
orangepi/linux-orangepi-5.10.y.git/trunk/security/apparmor/include/policy.h 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) /* SPDX-License-Identifier: GPL-2.0-only */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3)  * AppArmor security module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5)  * This file contains AppArmor policy definitions.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7)  * Copyright (C) 1998-2008 Novell/SUSE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8)  * Copyright 2009-2010 Canonical Ltd.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11) #ifndef __AA_POLICY_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12) #define __AA_POLICY_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14) #include <linux/capability.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15) #include <linux/cred.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16) #include <linux/kref.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17) #include <linux/rhashtable.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18) #include <linux/sched.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20) #include <linux/socket.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  22) #include "apparmor.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  23) #include "audit.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  24) #include "capability.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  25) #include "domain.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  26) #include "file.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  27) #include "lib.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  28) #include "label.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  29) #include "net.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  30) #include "perms.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  31) #include "resource.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  32) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  33) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  34) struct aa_ns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  35) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  36) extern int unprivileged_userns_apparmor_policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  37) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  38) extern const char *const aa_profile_mode_names[];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  39) #define APPARMOR_MODE_NAMES_MAX_INDEX 4
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  40) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  41) #define PROFILE_MODE(_profile, _mode)		\
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  42) 	((aa_g_profile_mode == (_mode)) ||	\
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  43) 	 ((_profile)->mode == (_mode)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  44) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  45) #define COMPLAIN_MODE(_profile)	PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  46) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  47) #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  48) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  49) #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  50) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  51) #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  52) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  53) #define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  54) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  55) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  56)  * FIXME: currently need a clean way to replace and remove profiles as a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  57)  * set.  It should be done at the namespace level.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  58)  * Either, with a set of profiles loaded at the namespace level or via
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  59)  * a mark and remove marked interface.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  60)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  61) enum profile_mode {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  62) 	APPARMOR_ENFORCE,	/* enforce access rules */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  63) 	APPARMOR_COMPLAIN,	/* allow and log access violations */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  64) 	APPARMOR_KILL,		/* kill task on access violation */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  65) 	APPARMOR_UNCONFINED,	/* profile set to unconfined */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  66) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  67) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  68) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  69) /* struct aa_policydb - match engine for a policy
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  70)  * dfa: dfa pattern match
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  71)  * start: set of start states for the different classes of data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  72)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  73) struct aa_policydb {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  74) 	/* Generic policy DFA specific rule types will be subsections of it */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  75) 	struct aa_dfa *dfa;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  76) 	unsigned int start[AA_CLASS_LAST + 1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  77) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  78) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  79) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  80) /* struct aa_data - generic data structure
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  81)  * key: name for retrieving this data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  82)  * size: size of data in bytes
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  83)  * data: binary data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  84)  * head: reserved for rhashtable
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  85)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  86) struct aa_data {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  87) 	char *key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  88) 	u32 size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  89) 	char *data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  90) 	struct rhash_head head;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  91) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  92) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  93) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  94) /* struct aa_profile - basic confinement data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  95)  * @base - base components of the profile (name, refcount, lists, lock ...)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  96)  * @label - label this profile is an extension of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  97)  * @parent: parent of profile
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  98)  * @ns: namespace the profile is in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  99)  * @rename: optional profile name that this profile renamed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100)  * @attach: human readable attachment string
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101)  * @xmatch: optional extended matching for unconfined executables names
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102)  * @xmatch_len: xmatch prefix len, used to determine xmatch priority
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103)  * @audit: the auditing mode of the profile
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)  * @mode: the enforcement mode of the profile
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105)  * @path_flags: flags controlling path generation behavior
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106)  * @disconnected: what to prepend if attach_disconnected is specified
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107)  * @size: the memory consumed by this profiles rules
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108)  * @policy: general match rules governing policy
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109)  * @file: The set of rules governing basic file access and domain transitions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110)  * @caps: capabilities for the profile
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)  * @rlimits: rlimits for the profile
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113)  * @dents: dentries for the profiles file entries in apparmorfs
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114)  * @dirname: name of the profile dir in apparmorfs
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)  * @data: hashtable for free-form policy aa_data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117)  * The AppArmor profile contains the basic confinement data.  Each profile
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118)  * has a name, and exists in a namespace.  The @name and @exec_match are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119)  * used to determine profile attachment against unconfined tasks.  All other
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120)  * attachments are determined by profile X transition rules.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122)  * Profiles have a hierarchy where hats and children profiles keep
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123)  * a reference to their parent.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125)  * Profile names can not begin with a : and can not contain the \0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126)  * character.  If a profile name begins with / it will be considered when
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127)  * determining profile attachment on "unconfined" tasks.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) struct aa_profile {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) 	struct aa_policy base;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) 	struct aa_profile __rcu *parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) 	struct aa_ns *ns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) 	const char *rename;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) 	const char *attach;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) 	struct aa_dfa *xmatch;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) 	int xmatch_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) 	enum audit_mode audit;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) 	long mode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) 	u32 path_flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) 	const char *disconnected;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) 	int size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) 	struct aa_policydb policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) 	struct aa_file_rules file;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) 	struct aa_caps caps;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) 	int xattr_count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) 	char **xattrs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) 	struct aa_rlimit rlimits;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) 	int secmark_count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) 	struct aa_secmark *secmark;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) 	struct aa_loaddata *rawdata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) 	unsigned char *hash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) 	char *dirname;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) 	struct dentry *dents[AAFS_PROF_SIZEOF];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) 	struct rhashtable *data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) 	struct aa_label label;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) extern enum profile_mode aa_g_profile_mode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) #define AA_MAY_LOAD_POLICY	AA_MAY_APPEND
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) #define AA_MAY_REPLACE_POLICY	AA_MAY_WRITE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) #define AA_MAY_REMOVE_POLICY	AA_MAY_DELETE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) #define profiles_ns(P) ((P)->ns)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) #define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) void aa_add_profile(struct aa_policy *common, struct aa_profile *profile);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) void aa_free_proxy_kref(struct kref *kref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) 				    gfp_t gfp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) 				       const char *base, gfp_t gfp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) void aa_free_profile(struct aa_profile *profile);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) void aa_free_profile_kref(struct kref *kref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) 				      size_t n);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) 					const char *fqname, size_t n);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) 			    u32 mask, struct aa_loaddata *udata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) 			   char *name, size_t size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) void __aa_profile_list_release(struct list_head *head);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) #define PROF_ADD 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) #define PROF_REPLACE 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) #define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204)  * aa_get_newest_profile - simple wrapper fn to wrap the label version
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205)  * @p: profile (NOT NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207)  * Returns refcount to newest version of the profile (maybe @p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209)  * Requires: @p must be held with a valid refcount
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) 	return labels_profile(aa_get_newest_label(&p->label));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) 					    unsigned char class)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) 	if (class <= AA_CLASS_LAST)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) 		return profile->policy.start[class];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) 	else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) 		return aa_dfa_match_len(profile->policy.dfa,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) 					profile->policy.start[0], &class, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) 					       u16 AF) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) 	unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) 	__be16 be_af = cpu_to_be16(AF);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) 	if (!state)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) 		return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) 	return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237)  * aa_get_profile - increment refcount on profile @p
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238)  * @p: profile  (MAYBE NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240)  * Returns: pointer to @p if @p is NULL will return NULL
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241)  * Requires: @p must be held with valid refcount when called
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) 	if (p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) 		kref_get(&(p->label.count));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) 	return p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252)  * aa_get_profile_not0 - increment refcount on profile @p found via lookup
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253)  * @p: profile  (MAYBE NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255)  * Returns: pointer to @p if @p is NULL will return NULL
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256)  * Requires: @p must be held with valid refcount when called
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) 	if (p && kref_get_unless_zero(&p->label.count))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) 		return p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) 	return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267)  * aa_get_profile_rcu - increment a refcount profile that can be replaced
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268)  * @p: pointer to profile that can be replaced (NOT NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270)  * Returns: pointer to a refcounted profile.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271)  *     else NULL if no profile
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) 	struct aa_profile *c;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) 	rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) 	do {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) 		c = rcu_dereference(*p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) 	} while (c && !kref_get_unless_zero(&c->label.count));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) 	rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) 	return c;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287)  * aa_put_profile - decrement refcount on profile @p
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288)  * @p: profile  (MAYBE NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) static inline void aa_put_profile(struct aa_profile *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) 	if (p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) 		kref_put(&p->label.count, aa_label_kref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) static inline int AUDIT_MODE(struct aa_profile *profile)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) 	if (aa_g_audit != AUDIT_NORMAL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) 		return aa_g_audit;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) 	return profile->audit;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) bool policy_view_capable(struct aa_ns *ns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) bool policy_admin_capable(struct aa_ns *ns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) 			 u32 mask);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) #endif /* __AA_POLICY_H */
cGit-ui 0.1.7
Git 2.40.0
Nginx 1.22.1

Where any material of this site is being reproduced, published or issued to others the reference to the source is obligatory.

© Andrey V. Kosteltsev, 2019 – 2025.