diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-02-21 12:49:56 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-02-21 12:49:56 -0800 |
| commit | c9341ee0af4df0af8b727873ef851227345defed (patch) | |
| tree | 81a48ed068936afd58a1cb9b6cb65f6e16dcb343 /security/apparmor/include/context.h | |
| parent | 7a771ceac771d009f7203c40b256b0608d7ea2f8 (diff) | |
| parent | 61841be6358c03e864ad4c386c9a102edbba9cb8 (diff) | |
| download | linux-0-day-c9341ee0af4df0af8b727873ef851227345defed.tar.gz linux-0-day-c9341ee0af4df0af8b727873ef851227345defed.tar.xz | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security layer updates from James Morris:
"Highlights:
- major AppArmor update: policy namespaces & lots of fixes
- add /sys/kernel/security/lsm node for easy detection of loaded LSMs
- SELinux cgroupfs labeling support
- SELinux context mounts on tmpfs, ramfs, devpts within user
namespaces
- improved TPM 2.0 support"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (117 commits)
tpm: declare tpm2_get_pcr_allocation() as static
tpm: Fix expected number of response bytes of TPM1.2 PCR Extend
tpm xen: drop unneeded chip variable
tpm: fix misspelled "facilitate" in module parameter description
tpm_tis: fix the error handling of init_tis()
KEYS: Use memzero_explicit() for secret data
KEYS: Fix an error code in request_master_key()
sign-file: fix build error in sign-file.c with libressl
selinux: allow changing labels for cgroupfs
selinux: fix off-by-one in setprocattr
tpm: silence an array overflow warning
tpm: fix the type of owned field in cap_t
tpm: add securityfs support for TPM 2.0 firmware event log
tpm: enhance read_log_of() to support Physical TPM event log
tpm: enhance TPM 2.0 PCR extend to support multiple banks
tpm: implement TPM 2.0 capability to get active PCR banks
tpm: fix RC value check in tpm2_seal_trusted
tpm_tis: fix iTPM probe via probe_itpm() function
tpm: Begin the process to deprecate user_read_timer
tpm: remove tpm_read_index and tpm_write_index from tpm.h
...
Diffstat (limited to 'security/apparmor/include/context.h')
| -rw-r--r-- | security/apparmor/include/context.h | 84 |
1 files changed, 46 insertions, 38 deletions
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h index 6bf65798e5d14..5b18fedab4c89 100644 --- a/security/apparmor/include/context.h +++ b/security/apparmor/include/context.h @@ -20,44 +20,45 @@ #include <linux/sched.h> #include "policy.h" +#include "policy_ns.h" -#define cred_cxt(X) (X)->security -#define current_cxt() cred_cxt(current_cred()) +#define cred_ctx(X) ((X)->security) +#define current_ctx() cred_ctx(current_cred()) -/* struct aa_file_cxt - the AppArmor context the file was opened in +/* struct aa_file_ctx - the AppArmor context the file was opened in * @perms: the permission the file was opened with * - * The file_cxt could currently be directly stored in file->f_security + * The file_ctx could currently be directly stored in file->f_security * as the profile reference is now stored in the f_cred. However the - * cxt struct will expand in the future so we keep the struct. + * ctx struct will expand in the future so we keep the struct. */ -struct aa_file_cxt { +struct aa_file_ctx { u16 allow; }; /** - * aa_alloc_file_context - allocate file_cxt + * aa_alloc_file_context - allocate file_ctx * @gfp: gfp flags for allocation * - * Returns: file_cxt or NULL on failure + * Returns: file_ctx or NULL on failure */ -static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp) +static inline struct aa_file_ctx *aa_alloc_file_context(gfp_t gfp) { - return kzalloc(sizeof(struct aa_file_cxt), gfp); + return kzalloc(sizeof(struct aa_file_ctx), gfp); } /** - * aa_free_file_context - free a file_cxt - * @cxt: file_cxt to free (MAYBE_NULL) + * aa_free_file_context - free a file_ctx + * @ctx: file_ctx to free (MAYBE_NULL) */ -static inline void aa_free_file_context(struct aa_file_cxt *cxt) +static inline void aa_free_file_context(struct aa_file_ctx *ctx) { - if (cxt) - kzfree(cxt); + if (ctx) + kzfree(ctx); } /** - * struct aa_task_cxt - primary label for confined tasks + * struct aa_task_ctx - primary label for confined tasks * @profile: the current profile (NOT NULL) * @exec: profile to transition to on next exec (MAYBE NULL) * @previous: profile the task may return to (MAYBE NULL) @@ -68,17 +69,17 @@ static inline void aa_free_file_context(struct aa_file_cxt *cxt) * * TODO: make so a task can be confined by a stack of contexts */ -struct aa_task_cxt { +struct aa_task_ctx { struct aa_profile *profile; struct aa_profile *onexec; struct aa_profile *previous; u64 token; }; -struct aa_task_cxt *aa_alloc_task_context(gfp_t flags); -void aa_free_task_context(struct aa_task_cxt *cxt); -void aa_dup_task_context(struct aa_task_cxt *new, - const struct aa_task_cxt *old); +struct aa_task_ctx *aa_alloc_task_context(gfp_t flags); +void aa_free_task_context(struct aa_task_ctx *ctx); +void aa_dup_task_context(struct aa_task_ctx *new, + const struct aa_task_ctx *old); int aa_replace_current_profile(struct aa_profile *profile); int aa_set_current_onexec(struct aa_profile *profile); int aa_set_current_hat(struct aa_profile *profile, u64 token); @@ -96,9 +97,10 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task); */ static inline struct aa_profile *aa_cred_profile(const struct cred *cred) { - struct aa_task_cxt *cxt = cred_cxt(cred); - BUG_ON(!cxt || !cxt->profile); - return cxt->profile; + struct aa_task_ctx *ctx = cred_ctx(cred); + + AA_BUG(!ctx || !ctx->profile); + return ctx->profile; } /** @@ -148,31 +150,37 @@ static inline struct aa_profile *__aa_current_profile(void) */ static inline struct aa_profile *aa_current_profile(void) { - const struct aa_task_cxt *cxt = current_cxt(); + const struct aa_task_ctx *ctx = current_ctx(); struct aa_profile *profile; - BUG_ON(!cxt || !cxt->profile); - if (PROFILE_INVALID(cxt->profile)) { - profile = aa_get_newest_profile(cxt->profile); + AA_BUG(!ctx || !ctx->profile); + + if (profile_is_stale(ctx->profile)) { + profile = aa_get_newest_profile(ctx->profile); aa_replace_current_profile(profile); aa_put_profile(profile); - cxt = current_cxt(); + ctx = current_ctx(); } - return cxt->profile; + return ctx->profile; +} + +static inline struct aa_ns *aa_get_current_ns(void) +{ + return aa_get_ns(__aa_current_profile()->ns); } /** - * aa_clear_task_cxt_trans - clear transition tracking info from the cxt - * @cxt: task context to clear (NOT NULL) + * aa_clear_task_ctx_trans - clear transition tracking info from the ctx + * @ctx: task context to clear (NOT NULL) */ -static inline void aa_clear_task_cxt_trans(struct aa_task_cxt *cxt) +static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx) { - aa_put_profile(cxt->previous); - aa_put_profile(cxt->onexec); - cxt->previous = NULL; - cxt->onexec = NULL; - cxt->token = 0; + aa_put_profile(ctx->previous); + aa_put_profile(ctx->onexec); + ctx->previous = NULL; + ctx->onexec = NULL; + ctx->token = 0; } #endif /* __AA_CONTEXT_H */ |