apparmor/include/cred.h

0001 /* SPDX-License-Identifier: GPL-2.0-only */
0002 /*
0003  * AppArmor security module
0004  *
0005  * This file contains AppArmor contexts used to associate "labels" to objects.
0006  *
0007  * Copyright (C) 1998-2008 Novell/SUSE
0008  * Copyright 2009-2010 Canonical Ltd.
0009  */
0010
0011 #ifndef __AA_CONTEXT_H
0012 #define __AA_CONTEXT_H
0013
0014 #include <linux/cred.h>
0015 #include <linux/slab.h>
0016 #include <linux/sched.h>
0017
0018 #include "label.h"
0019 #include "policy_ns.h"
0020 #include "task.h"
0021
0022 static inline struct aa_label *cred_label(const struct cred *cred)
0023 {
0024     struct aa_label **blob = cred->security + apparmor_blob_sizes.lbs_cred;
0025
0026     AA_BUG(!blob);
0027     return *blob;
0028 }
0029
0030 static inline void set_cred_label(const struct cred *cred,
0031                   struct aa_label *label)
0032 {
0033     struct aa_label **blob = cred->security + apparmor_blob_sizes.lbs_cred;
0034
0035     AA_BUG(!blob);
0036     *blob = label;
0037 }
0038
0039 /**
0040  * aa_cred_raw_label - obtain cred's label
0041  * @cred: cred to obtain label from  (NOT NULL)
0042  *
0043  * Returns: confining label
0044  *
0045  * does NOT increment reference count
0046  */
0047 static inline struct aa_label *aa_cred_raw_label(const struct cred *cred)
0048 {
0049     struct aa_label *label = cred_label(cred);
0050
0051     AA_BUG(!label);
0052     return label;
0053 }
0054
0055 /**
0056  * aa_get_newest_cred_label - obtain the newest label on a cred
0057  * @cred: cred to obtain label from (NOT NULL)
0058  *
0059  * Returns: newest version of confining label
0060  */
0061 static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
0062 {
0063     return aa_get_newest_label(aa_cred_raw_label(cred));
0064 }
0065
0066 /**
0067  * __aa_task_raw_label - retrieve another task's label
0068  * @task: task to query  (NOT NULL)
0069  *
0070  * Returns: @task's label without incrementing its ref count
0071  *
0072  * If @task != current needs to be called in RCU safe critical section
0073  */
0074 static inline struct aa_label *__aa_task_raw_label(struct task_struct *task)
0075 {
0076     return aa_cred_raw_label(__task_cred(task));
0077 }
0078
0079 /**
0080  * aa_current_raw_label - find the current tasks confining label
0081  *
0082  * Returns: up to date confining label or the ns unconfined label (NOT NULL)
0083  *
0084  * This fn will not update the tasks cred to the most up to date version
0085  * of the label so it is safe to call when inside of locks.
0086  */
0087 static inline struct aa_label *aa_current_raw_label(void)
0088 {
0089     return aa_cred_raw_label(current_cred());
0090 }
0091
0092 /**
0093  * aa_get_current_label - get the newest version of the current tasks label
0094  *
0095  * Returns: newest version of confining label (NOT NULL)
0096  *
0097  * This fn will not update the tasks cred, so it is safe inside of locks
0098  *
0099  * The returned reference must be put with aa_put_label()
0100  */
0101 static inline struct aa_label *aa_get_current_label(void)
0102 {
0103     struct aa_label *l = aa_current_raw_label();
0104
0105     if (label_is_stale(l))
0106         return aa_get_newest_label(l);
0107     return aa_get_label(l);
0108 }
0109
0110 #define __end_current_label_crit_section(X) end_current_label_crit_section(X)
0111
0112 /**
0113  * end_label_crit_section - put a reference found with begin_current_label..
0114  * @label: label reference to put
0115  *
0116  * Should only be used with a reference obtained with
0117  * begin_current_label_crit_section and never used in situations where the
0118  * task cred may be updated
0119  */
0120 static inline void end_current_label_crit_section(struct aa_label *label)
0121 {
0122     if (label != aa_current_raw_label())
0123         aa_put_label(label);
0124 }
0125
0126 /**
0127  * __begin_current_label_crit_section - current's confining label
0128  *
0129  * Returns: up to date confining label or the ns unconfined label (NOT NULL)
0130  *
0131  * safe to call inside locks
0132  *
0133  * The returned reference must be put with __end_current_label_crit_section()
0134  * This must NOT be used if the task cred could be updated within the
0135  * critical section between __begin_current_label_crit_section() ..
0136  * __end_current_label_crit_section()
0137  */
0138 static inline struct aa_label *__begin_current_label_crit_section(void)
0139 {
0140     struct aa_label *label = aa_current_raw_label();
0141
0142     if (label_is_stale(label))
0143         label = aa_get_newest_label(label);
0144
0145     return label;
0146 }
0147
0148 /**
0149  * begin_current_label_crit_section - current's confining label and update it
0150  *
0151  * Returns: up to date confining label or the ns unconfined label (NOT NULL)
0152  *
0153  * Not safe to call inside locks
0154  *
0155  * The returned reference must be put with end_current_label_crit_section()
0156  * This must NOT be used if the task cred could be updated within the
0157  * critical section between begin_current_label_crit_section() ..
0158  * end_current_label_crit_section()
0159  */
0160 static inline struct aa_label *begin_current_label_crit_section(void)
0161 {
0162     struct aa_label *label = aa_current_raw_label();
0163
0164     might_sleep();
0165
0166     if (label_is_stale(label)) {
0167         label = aa_get_newest_label(label);
0168         if (aa_replace_current_label(label) == 0)
0169             /* task cred will keep the reference */
0170             aa_put_label(label);
0171     }
0172
0173     return label;
0174 }
0175
0176 static inline struct aa_ns *aa_get_current_ns(void)
0177 {
0178     struct aa_label *label;
0179     struct aa_ns *ns;
0180
0181     label  = __begin_current_label_crit_section();
0182     ns = aa_get_ns(labels_ns(label));
0183     __end_current_label_crit_section(label);
0184
0185     return ns;
0186 }
0187
0188 #endif /* __AA_CONTEXT_H */