root/security/apparmor/include/policy_ns.h

INCLUDED FROM

DEFINITIONS

1. aa_deref_parent
2. aa_get_ns
3. aa_put_ns
4. __aa_findn_ns
5. __aa_find_ns
6. __aa_lookup_ns
7. aa_lookup_ns

   1 /* SPDX-License-Identifier: GPL-2.0-only */
   2 /*
   3  * AppArmor security module
   4  *
   5  * This file contains AppArmor policy definitions.
   6  *
   7  * Copyright (C) 1998-2008 Novell/SUSE
   8  * Copyright 2009-2017 Canonical Ltd.
   9  */
  10 
  11 #ifndef __AA_NAMESPACE_H
  12 #define __AA_NAMESPACE_H
  13 
  14 #include <linux/kref.h>
  15 
  16 #include "apparmor.h"
  17 #include "apparmorfs.h"
  18 #include "label.h"
  19 #include "policy.h"
  20 
  21 
  22 /* struct aa_ns_acct - accounting of profiles in namespace
  23  * @max_size: maximum space allowed for all profiles in namespace
  24  * @max_count: maximum number of profiles that can be in this namespace
  25  * @size: current size of profiles
  26  * @count: current count of profiles (includes null profiles)
  27  */
  28 struct aa_ns_acct {
  29         int max_size;
  30         int max_count;
  31         int size;
  32         int count;
  33 };
  34 
  35 /* struct aa_ns - namespace for a set of profiles
  36  * @base: common policy
  37  * @parent: parent of namespace
  38  * @lock: lock for modifying the object
  39  * @acct: accounting for the namespace
  40  * @unconfined: special unconfined profile for the namespace
  41  * @sub_ns: list of namespaces under the current namespace.
  42  * @uniq_null: uniq value used for null learning profiles
  43  * @uniq_id: a unique id count for the profiles in the namespace
  44  * @level: level of ns within the tree hierarchy
  45  * @dents: dentries for the namespaces file entries in apparmorfs
  46  *
  47  * An aa_ns defines the set profiles that are searched to determine which
  48  * profile to attach to a task.  Profiles can not be shared between aa_ns
  49  * and profile names within a namespace are guaranteed to be unique.  When
  50  * profiles in separate namespaces have the same name they are NOT considered
  51  * to be equivalent.
  52  *
  53  * Namespaces are hierarchical and only namespaces and profiles below the
  54  * current namespace are visible.
  55  *
  56  * Namespace names must be unique and can not contain the characters :/\0
  57  */
  58 struct aa_ns {
  59         struct aa_policy base;
  60         struct aa_ns *parent;
  61         struct mutex lock;
  62         struct aa_ns_acct acct;
  63         struct aa_profile *unconfined;
  64         struct list_head sub_ns;
  65         atomic_t uniq_null;
  66         long uniq_id;
  67         int level;
  68         long revision;
  69         wait_queue_head_t wait;
  70 
  71         struct aa_labelset labels;
  72         struct list_head rawdata_list;
  73 
  74         struct dentry *dents[AAFS_NS_SIZEOF];
  75 };
  76 
  77 extern struct aa_ns *root_ns;
  78 
  79 extern const char *aa_hidden_ns_name;
  80 
  81 #define ns_unconfined(NS) (&(NS)->unconfined->label)
  82 
  83 bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
  84 const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
  85 void aa_free_ns(struct aa_ns *ns);
  86 int aa_alloc_root_ns(void);
  87 void aa_free_root_ns(void);
  88 void aa_free_ns_kref(struct kref *kref);
  89 
  90 struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
  91 struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
  92 struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n);
  93 struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n);
  94 struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
  95                                      struct dentry *dir);
  96 struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
  97 void __aa_remove_ns(struct aa_ns *ns);
  98 
  99 static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
 100 {
 101         return rcu_dereference_protected(p->parent,
 102                                          mutex_is_locked(&p->ns->lock));
 103 }
 104 
 105 /**
 106  * aa_get_ns - increment references count on @ns
 107  * @ns: namespace to increment reference count of (MAYBE NULL)
 108  *
 109  * Returns: pointer to @ns, if @ns is NULL returns NULL
 110  * Requires: @ns must be held with valid refcount when called
 111  */
 112 static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
 113 {
 114         if (ns)
 115                 aa_get_profile(ns->unconfined);
 116 
 117         return ns;
 118 }
 119 
 120 /**
 121  * aa_put_ns - decrement refcount on @ns
 122  * @ns: namespace to put reference of
 123  *
 124  * Decrement reference count of @ns and if no longer in use free it
 125  */
 126 static inline void aa_put_ns(struct aa_ns *ns)
 127 {
 128         if (ns)
 129                 aa_put_profile(ns->unconfined);
 130 }
 131 
 132 /**
 133  * __aa_findn_ns - find a namespace on a list by @name
 134  * @head: list to search for namespace on  (NOT NULL)
 135  * @name: name of namespace to look for  (NOT NULL)
 136  * @n: length of @name
 137  * Returns: unrefcounted namespace
 138  *
 139  * Requires: rcu_read_lock be held
 140  */
 141 static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
 142                                           const char *name, size_t n)
 143 {
 144         return (struct aa_ns *)__policy_strn_find(head, name, n);
 145 }
 146 
 147 static inline struct aa_ns *__aa_find_ns(struct list_head *head,
 148                                          const char *name)
 149 {
 150         return __aa_findn_ns(head, name, strlen(name));
 151 }
 152 
 153 static inline struct aa_ns *__aa_lookup_ns(struct aa_ns *base,
 154                                            const char *hname)
 155 {
 156         return __aa_lookupn_ns(base, hname, strlen(hname));
 157 }
 158 
 159 static inline struct aa_ns *aa_lookup_ns(struct aa_ns *view, const char *name)
 160 {
 161         return aa_lookupn_ns(view, name, strlen(name));
 162 }
 163 
 164 #endif /* AA_NAMESPACE_H */