root/security/apparmor/include/cred.h

/* [<][>][^][v][top][bottom][index][help] */

INCLUDED FROM


DEFINITIONS

This source file includes following definitions.
  1. cred_label
  2. set_cred_label
  3. aa_cred_raw_label
  4. aa_get_newest_cred_label
  5. __aa_task_raw_label
  6. aa_current_raw_label
  7. aa_get_current_label
  8. end_current_label_crit_section
  9. __begin_current_label_crit_section
  10. begin_current_label_crit_section
  11. aa_get_current_ns

   1 /* SPDX-License-Identifier: GPL-2.0-only */
   2 /*
   3  * AppArmor security module
   4  *
   5  * This file contains AppArmor contexts used to associate "labels" to objects.
   6  *
   7  * Copyright (C) 1998-2008 Novell/SUSE
   8  * Copyright 2009-2010 Canonical Ltd.
   9  */
  10 
  11 #ifndef __AA_CONTEXT_H
  12 #define __AA_CONTEXT_H
  13 
  14 #include <linux/cred.h>
  15 #include <linux/slab.h>
  16 #include <linux/sched.h>
  17 
  18 #include "label.h"
  19 #include "policy_ns.h"
  20 #include "task.h"
  21 
  22 static inline struct aa_label *cred_label(const struct cred *cred)
  23 {
  24         struct aa_label **blob = cred->security + apparmor_blob_sizes.lbs_cred;
  25 
  26         AA_BUG(!blob);
  27         return *blob;
  28 }
  29 
  30 static inline void set_cred_label(const struct cred *cred,
  31                                   struct aa_label *label)
  32 {
  33         struct aa_label **blob = cred->security + apparmor_blob_sizes.lbs_cred;
  34 
  35         AA_BUG(!blob);
  36         *blob = label;
  37 }
  38 
  39 /**
  40  * aa_cred_raw_label - obtain cred's label
  41  * @cred: cred to obtain label from  (NOT NULL)
  42  *
  43  * Returns: confining label
  44  *
  45  * does NOT increment reference count
  46  */
  47 static inline struct aa_label *aa_cred_raw_label(const struct cred *cred)
  48 {
  49         struct aa_label *label = cred_label(cred);
  50 
  51         AA_BUG(!label);
  52         return label;
  53 }
  54 
  55 /**
  56  * aa_get_newest_cred_label - obtain the newest label on a cred
  57  * @cred: cred to obtain label from (NOT NULL)
  58  *
  59  * Returns: newest version of confining label
  60  */
  61 static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
  62 {
  63         return aa_get_newest_label(aa_cred_raw_label(cred));
  64 }
  65 
  66 /**
  67  * __aa_task_raw_label - retrieve another task's label
  68  * @task: task to query  (NOT NULL)
  69  *
  70  * Returns: @task's label without incrementing its ref count
  71  *
  72  * If @task != current needs to be called in RCU safe critical section
  73  */
  74 static inline struct aa_label *__aa_task_raw_label(struct task_struct *task)
  75 {
  76         return aa_cred_raw_label(__task_cred(task));
  77 }
  78 
  79 /**
  80  * aa_current_raw_label - find the current tasks confining label
  81  *
  82  * Returns: up to date confining label or the ns unconfined label (NOT NULL)
  83  *
  84  * This fn will not update the tasks cred to the most up to date version
  85  * of the label so it is safe to call when inside of locks.
  86  */
  87 static inline struct aa_label *aa_current_raw_label(void)
  88 {
  89         return aa_cred_raw_label(current_cred());
  90 }
  91 
  92 /**
  93  * aa_get_current_label - get the newest version of the current tasks label
  94  *
  95  * Returns: newest version of confining label (NOT NULL)
  96  *
  97  * This fn will not update the tasks cred, so it is safe inside of locks
  98  *
  99  * The returned reference must be put with aa_put_label()
 100  */
 101 static inline struct aa_label *aa_get_current_label(void)
 102 {
 103         struct aa_label *l = aa_current_raw_label();
 104 
 105         if (label_is_stale(l))
 106                 return aa_get_newest_label(l);
 107         return aa_get_label(l);
 108 }
 109 
 110 #define __end_current_label_crit_section(X) end_current_label_crit_section(X)
 111 
 112 /**
 113  * end_label_crit_section - put a reference found with begin_current_label..
 114  * @label: label reference to put
 115  *
 116  * Should only be used with a reference obtained with
 117  * begin_current_label_crit_section and never used in situations where the
 118  * task cred may be updated
 119  */
 120 static inline void end_current_label_crit_section(struct aa_label *label)
 121 {
 122         if (label != aa_current_raw_label())
 123                 aa_put_label(label);
 124 }
 125 
 126 /**
 127  * __begin_current_label_crit_section - current's confining label
 128  *
 129  * Returns: up to date confining label or the ns unconfined label (NOT NULL)
 130  *
 131  * safe to call inside locks
 132  *
 133  * The returned reference must be put with __end_current_label_crit_section()
 134  * This must NOT be used if the task cred could be updated within the
 135  * critical section between __begin_current_label_crit_section() ..
 136  * __end_current_label_crit_section()
 137  */
 138 static inline struct aa_label *__begin_current_label_crit_section(void)
 139 {
 140         struct aa_label *label = aa_current_raw_label();
 141 
 142         if (label_is_stale(label))
 143                 label = aa_get_newest_label(label);
 144 
 145         return label;
 146 }
 147 
 148 /**
 149  * begin_current_label_crit_section - current's confining label and update it
 150  *
 151  * Returns: up to date confining label or the ns unconfined label (NOT NULL)
 152  *
 153  * Not safe to call inside locks
 154  *
 155  * The returned reference must be put with end_current_label_crit_section()
 156  * This must NOT be used if the task cred could be updated within the
 157  * critical section between begin_current_label_crit_section() ..
 158  * end_current_label_crit_section()
 159  */
 160 static inline struct aa_label *begin_current_label_crit_section(void)
 161 {
 162         struct aa_label *label = aa_current_raw_label();
 163 
 164         might_sleep();
 165 
 166         if (label_is_stale(label)) {
 167                 label = aa_get_newest_label(label);
 168                 if (aa_replace_current_label(label) == 0)
 169                         /* task cred will keep the reference */
 170                         aa_put_label(label);
 171         }
 172 
 173         return label;
 174 }
 175 
 176 static inline struct aa_ns *aa_get_current_ns(void)
 177 {
 178         struct aa_label *label;
 179         struct aa_ns *ns;
 180 
 181         label  = __begin_current_label_crit_section();
 182         ns = aa_get_ns(labels_ns(label));
 183         __end_current_label_crit_section(label);
 184 
 185         return ns;
 186 }
 187 
 188 #endif /* __AA_CONTEXT_H */

/* [<][>][^][v][top][bottom][index][help] */