0001 /* SPDX-License-Identifier: GPL-2.0-only */
0002 /*
0003  * AppArmor security module
0004  *
0005  * This file contains AppArmor policy definitions.
0006  *
0007  * Copyright (C) 1998-2008 Novell/SUSE
0008  * Copyright 2009-2017 Canonical Ltd.
0009  */
0010 
0011 #ifndef __AA_NAMESPACE_H
0012 #define __AA_NAMESPACE_H
0013 
0014 #include <linux/kref.h>
0015 
0016 #include "apparmor.h"
0017 #include "apparmorfs.h"
0018 #include "label.h"
0019 #include "policy.h"
0020 
0021 
/* struct aa_ns_acct - accounting of profiles in namespace
 * @max_size: maximum space allowed for all profiles in namespace
 * @max_count: maximum number of profiles that can be in this namespace
 * @size: current size of profiles
 * @count: current count of profiles (includes null profiles)
 *
 * All four fields are plain ints. Nothing in this header compares @size or
 * @count against the limits or guards the counters against overflow, so any
 * such enforcement has to happen where profiles are added and removed (not
 * in this file). Presumably the fields are updated under the owning
 * aa_ns's @lock -- confirm at the call sites.
 */
struct aa_ns_acct {
    int max_size;
    int max_count;
    int size;
    int count;
};
0034 
/* struct aa_ns - namespace for a set of profiles
 * @base: common policy (first member: lookups that return a struct aa_policy
 *        are cast to struct aa_ns, see __aa_findn_ns())
 * @parent: parent of namespace
 * @lock: lock for modifying the object; also the lock aa_deref_parent()
 *        checks before reading a profile's ->parent in this namespace
 * @acct: accounting for the namespace
 * @unconfined: special unconfined profile for the namespace; aa_get_ns() and
 *              aa_put_ns() take and drop the namespace reference through this
 *              profile's refcount, so it must stay valid as long as the ns does
 * @sub_ns: list of namespaces under the current namespace.
 * @uniq_null: uniq value used for null learning profiles
 * @uniq_id: a unique id count for the profiles in the namespace
 * @level: level of ns within the tree hierarchy
 * @revision: revision counter for the namespace (what bumps it is not visible
 *            in this header -- confirm in the policy code)
 * @wait: wait queue head (its waiters/wakers are not visible here -- confirm)
 * @labels: label set belonging to this namespace
 * @rawdata_list: list head for the namespace's raw policy data (element type
 *                not visible here)
 * @dents: dentries for the namespaces file entries in apparmorfs
 *
 * An aa_ns defines the set profiles that are searched to determine which
 * profile to attach to a task.  Profiles cannot be shared between aa_ns
 * and profile names within a namespace are guaranteed to be unique.  When
 * profiles in separate namespaces have the same name they are NOT considered
 * to be equivalent.
 *
 * Namespaces are hierarchical and only namespaces and profiles below the
 * current namespace are visible.
 *
 * Namespace names must be unique and cannot contain the characters :/\0
 */
struct aa_ns {
    struct aa_policy base;
    struct aa_ns *parent;
    struct mutex lock;
    struct aa_ns_acct acct;
    struct aa_profile *unconfined;
    struct list_head sub_ns;
    atomic_t uniq_null;
    long uniq_id;
    int level;
    long revision;
    wait_queue_head_t wait;

    struct aa_labelset labels;
    struct list_head rawdata_list;

    struct dentry *dents[AAFS_NS_SIZEOF];
};
0076 
/* Defined outside this header. Presumably the label applied to the kernel
 * itself -- confirm at its definition. */
extern struct aa_label *kernel_t;
/* Root of the namespace hierarchy; allocated/freed by aa_alloc_root_ns()
 * and aa_free_root_ns() below. */
extern struct aa_ns *root_ns;

extern const char *aa_hidden_ns_name;

/* Label of a namespace's unconfined profile. NS must be non-NULL with
 * ->unconfined populated; the macro performs no checks of its own. */
#define ns_unconfined(NS) (&(NS)->unconfined->label)

/*
 * Namespace lookup and lifetime API implemented outside this header.
 *
 * Naming convention, as far as this header documents it: a leading "__"
 * marks a variant the caller must already have locked appropriately (e.g.
 * rcu_read_lock for __aa_findn_ns()) and that returns an unrefcounted
 * pointer. The locking and reference semantics of the un-prefixed forms
 * are documented at their definitions, not here -- check them before
 * holding a returned pointer past the lookup.
 */
bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);
void aa_free_ns_kref(struct kref *kref);

struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n);
struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n);
struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
                     struct dentry *dir);
struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
void __aa_remove_ns(struct aa_ns *ns);
0099 
/**
 * aa_deref_parent - read a profile's ->parent pointer under its ns lock
 * @p: profile whose parent is wanted (NOT NULL; @p->ns must be set)
 *
 * Returns: @p->parent
 * Requires: @p->ns->lock be held. The mutex_is_locked() result is handed to
 *           rcu_dereference_protected() as the "protected" condition, so an
 *           unlocked read is flagged by RCU debugging rather than silently
 *           racing with an update.
 */
static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
{
    return rcu_dereference_protected(p->parent,
                     mutex_is_locked(&p->ns->lock));
}
0105 
/**
 * aa_get_ns - take a reference on @ns
 * @ns: namespace to reference (MAYBE NULL)
 *
 * The reference is taken on @ns->unconfined via aa_get_profile(); there is
 * no separate namespace count touched here.
 *
 * Returns: @ns, or NULL when @ns is NULL
 * Requires: @ns must be held with valid refcount when called
 */
static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
{
    if (!ns)
        return NULL;

    aa_get_profile(ns->unconfined);
    return ns;
}
0120 
/**
 * aa_put_ns - drop a reference on @ns
 * @ns: namespace to release (MAYBE NULL)
 *
 * Drops the reference held through @ns->unconfined via aa_put_profile();
 * when the namespace is no longer in use it is freed. A NULL @ns is a
 * no-op.
 */
static inline void aa_put_ns(struct aa_ns *ns)
{
    if (!ns)
        return;

    aa_put_profile(ns->unconfined);
}
0132 
/**
 * __aa_findn_ns - find a namespace on a list by @name
 * @head: list to search for namespace on  (NOT NULL)
 * @name: name of namespace to look for  (NOT NULL)
 * @n: length of @name
 * Returns: unrefcounted namespace
 *
 * Requires: rcu_read_lock be held. The result carries no reference: it is
 *           only valid inside the caller's RCU read section, and a caller
 *           that needs it beyond that must take aa_get_ns() first.
 */
static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
                      const char *name, size_t n)
{
    /* __policy_strn_find() presumably returns the matching struct aa_policy;
     * the cast is sound because @base is the first member of struct aa_ns. */
    return (struct aa_ns *)__policy_strn_find(head, name, n);
}
0147 
/**
 * __aa_find_ns - find a namespace on a list by NUL-terminated @name
 * @head: list to search for namespace on  (NOT NULL)
 * @name: NUL-terminated name of namespace to look for  (NOT NULL)
 *
 * Thin wrapper that supplies strlen(@name) to __aa_findn_ns().
 *
 * Returns: unrefcounted namespace (see __aa_findn_ns())
 * Requires: rcu_read_lock be held
 */
static inline struct aa_ns *__aa_find_ns(struct list_head *head,
                     const char *name)
{
    size_t len = strlen(name);

    return __aa_findn_ns(head, name, len);
}
0153 
/**
 * __aa_lookup_ns - look up a namespace by NUL-terminated hierarchical name
 * @base: namespace the lookup is performed from
 * @hname: NUL-terminated hierarchical name  (NOT NULL)
 *
 * Thin wrapper that supplies strlen(@hname) to __aa_lookupn_ns(); locking
 * and reference semantics are those of __aa_lookupn_ns().
 *
 * Returns: whatever __aa_lookupn_ns() returns
 */
static inline struct aa_ns *__aa_lookup_ns(struct aa_ns *base,
                       const char *hname)
{
    size_t hlen = strlen(hname);

    return __aa_lookupn_ns(base, hname, hlen);
}
0159 
/**
 * aa_lookup_ns - look up a namespace by NUL-terminated name from @view
 * @view: namespace the lookup is performed from
 * @name: NUL-terminated name to look up  (NOT NULL)
 *
 * Thin wrapper that supplies strlen(@name) to aa_lookupn_ns(); locking and
 * reference semantics are those of aa_lookupn_ns().
 *
 * Returns: whatever aa_lookupn_ns() returns
 */
static inline struct aa_ns *aa_lookup_ns(struct aa_ns *view, const char *name)
{
    size_t len = strlen(name);

    return aa_lookupn_ns(view, name, len);
}
0164 
#endif /* __AA_NAMESPACE_H */