      1/* SPDX-License-Identifier: GPL-2.0-only */
      2/*
      3 * AppArmor security module
      4 *
      5 * This file contains AppArmor policy definitions.
      6 *
      7 * Copyright (C) 1998-2008 Novell/SUSE
      8 * Copyright 2009-2017 Canonical Ltd.
      9 */
     10
     11#ifndef __AA_NAMESPACE_H
     12#define __AA_NAMESPACE_H
     13
     14#include <linux/kref.h>
     15
     16#include "apparmor.h"
     17#include "apparmorfs.h"
     18#include "label.h"
     19#include "policy.h"
     20
     21
/* struct aa_ns_acct - accounting of profiles in namespace
 * @max_size: maximum space allowed for all profiles in namespace
 * @max_count: maximum number of profiles that can be in this namespace
 * @size: current size of profiles
 * @count: current count of profiles (includes null profiles)
 *
 * The limits exist to bound how much policy a namespace may accumulate;
 * the code that compares @size/@count against @max_size/@max_count is
 * not in this header (presumably the policy loader -- confirm there).
 * All four are plain signed ints, so callers must take care that the
 * arithmetic on them cannot wrap.  Protected by the owning aa_ns->lock
 * (NOTE(review): inferred from the lock's doc, confirm in policy_ns.c).
 */
struct aa_ns_acct {
	int max_size;
	int max_count;
	int size;
	int count;
};
     34
/* struct aa_ns - namespace for a set of profiles
 * @base: common policy
 * @parent: parent of namespace
 * @lock: lock for modifying the object
 * @acct: accounting for the namespace
 * @unconfined: special unconfined profile for the namespace
 * @sub_ns: list of namespaces under the current namespace.
 * @uniq_null: uniq value used for null learning profiles
 * @uniq_id: a unique id count for the profiles in the namespace
 * @level: level of ns within the tree hierarchy
 * @revision: revision counter for the namespace's policy (presumably
 *            bumped when policy in the namespace changes -- confirm in
 *            policy.c / apparmorfs.c)
 * @wait: wait queue head for the namespace (waiters are presumably woken
 *        on a @revision change -- confirm against callers)
 * @labels: set of labels that belong to this namespace
 * @rawdata_list: list of raw policy data loaded into this namespace
 * @dents: dentries for the namespaces file entries in apparmorfs
 *
 * An aa_ns defines the set profiles that are searched to determine which
 * profile to attach to a task.  Profiles can not be shared between aa_ns
 * and profile names within a namespace are guaranteed to be unique.  When
 * profiles in separate namespaces have the same name they are NOT considered
 * to be equivalent.
 *
 * Namespaces are hierarchical and only namespaces and profiles below the
 * current namespace are visible.
 *
 * Namespace names must be unique and can not contain the characters :/\0
 *
 * Locking notes grounded in this header: @lock is the mutex that
 * aa_deref_parent() asserts is held when following a profile's ->parent
 * pointer, so it guards the profile tree of the namespace as well as the
 * namespace object itself.  @uniq_null is atomic and needs no lock;
 * @uniq_id is a plain long and is presumably updated under @lock (confirm).
 *
 * The namespace has no refcount of its own: aa_get_ns()/aa_put_ns() below
 * pin and release it through the refcount of @unconfined.
 *
 * @base must stay the first member: __aa_findn_ns() converts the
 * struct aa_policy pointer it gets back into a struct aa_ns pointer by a
 * plain cast.
 */
struct aa_ns {
	struct aa_policy base;
	struct aa_ns *parent;
	struct mutex lock;
	struct aa_ns_acct acct;
	struct aa_profile *unconfined;
	struct list_head sub_ns;
	atomic_t uniq_null;
	long uniq_id;
	int level;
	long revision;
	wait_queue_head_t wait;

	struct aa_labelset labels;
	struct list_head rawdata_list;

	/* AAFS_NS_SIZEOF comes from apparmorfs.h */
	struct dentry *dents[AAFS_NS_SIZEOF];
};
     76
/* Root of the namespace hierarchy, set up and torn down by
 * aa_alloc_root_ns()/aa_free_root_ns() below. */
extern struct aa_ns *root_ns;

/* Name used for a namespace that is not visible to the viewer
 * (presumably what aa_ns_name() reports in that case -- confirm in
 * policy_ns.c). */
extern const char *aa_hidden_ns_name;

/* Label of the namespace's unconfined profile.
 *
 * NS is evaluated exactly once but is dereferenced unconditionally:
 * unlike aa_get_ns()/aa_put_ns(), this does NOT tolerate a NULL
 * namespace, so callers must check first. */
#define ns_unconfined(NS) (&(NS)->unconfined->label)

/*
 * Namespace lookup and lifetime API.
 *
 * Naming convention visible in this header (see __aa_findn_ns() below):
 * the double-underscore variants return an unrefcounted pointer and
 * require the caller to already hold the appropriate lock (rcu_read_lock
 * or the parent namespace's ->lock), whereas the plain variants are
 * expected to take a reference the caller releases with aa_put_ns().
 * NOTE(review): confirm each function's exact lock/refcount contract in
 * policy_ns.c before relying on it.  "hname" denotes a hierarchical
 * (parent//child style) name; the "n" variants take an explicit length
 * and so do not require a NUL-terminated string.
 */
bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);
void aa_free_ns_kref(struct kref *kref);

struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n);
struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n);
struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
				     struct dentry *dir);
struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
void __aa_remove_ns(struct aa_ns *ns);
     98
/**
 * aa_deref_parent - follow a profile's ->parent pointer under the ns lock
 * @p: profile whose parent is wanted (NOT NULL)
 *
 * Returns: @p->parent (MAYBE NULL)
 *
 * Requires: @p->ns->lock be held.  The check is performed by
 * rcu_dereference_protected() and only when CONFIG_PROVE_RCU is enabled;
 * note that mutex_is_locked() is satisfied if *any* task holds the mutex,
 * so it does not prove that the caller is the one holding it.
 */
static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
{
	struct mutex *ns_lock = &p->ns->lock;

	return rcu_dereference_protected(p->parent, mutex_is_locked(ns_lock));
}
    104
/**
 * aa_get_ns - increment references count on @ns
 * @ns: namespace to increment reference count of (MAYBE NULL)
 *
 * A namespace carries no refcount of its own; the reference is taken on
 * its unconfined profile, which is what keeps the namespace alive.
 *
 * Returns: pointer to @ns, if @ns is NULL returns NULL
 * Requires: @ns must be held with valid refcount when called
 */
static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
{
	if (!ns)
		return NULL;

	aa_get_profile(ns->unconfined);
	return ns;
}
    119
/**
 * aa_put_ns - decrement refcount on @ns
 * @ns: namespace to put reference of (MAYBE NULL)
 *
 * Drops the reference held on the namespace's unconfined profile; when
 * that count reaches zero the namespace is released (presumably via
 * aa_free_ns_kref() -- confirm in policy_ns.c).  @ns must not be used
 * after this call unless the caller holds another reference.
 */
static inline void aa_put_ns(struct aa_ns *ns)
{
	if (!ns)
		return;

	aa_put_profile(ns->unconfined);
}
    131
/**
 * __aa_findn_ns - find a namespace on a list by @name
 * @head: list to search for namespace on  (NOT NULL)
 * @name: name of namespace to look for  (NOT NULL)
 * @n: length of @name
 * Returns: unrefcounted namespace, or NULL if none matches
 *
 * Requires: rcu_read_lock be held
 *
 * The cast is valid only because struct aa_ns embeds its struct aa_policy
 * as the first member (@base).  NOTE(review): if __policy_strn_find()
 * takes its length as an int, @n is narrowed here -- confirm in policy.h.
 */
static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
					  const char *name, size_t n)
{
	struct aa_policy *found = __policy_strn_find(head, name, n);

	return (struct aa_ns *)found;
}
    146
/**
 * __aa_find_ns - find a namespace on a list by NUL-terminated @name
 * @head: list to search for namespace on  (NOT NULL)
 * @name: NUL-terminated name to look for  (NOT NULL, strlen() is unchecked)
 * Returns: unrefcounted namespace, or NULL if none matches
 *
 * Requires: rcu_read_lock be held (same contract as __aa_findn_ns())
 */
static inline struct aa_ns *__aa_find_ns(struct list_head *head,
					 const char *name)
{
	size_t len = strlen(name);

	return __aa_findn_ns(head, name, len);
}
    152
/**
 * __aa_lookup_ns - look up a namespace by NUL-terminated hierarchical name
 * @base: namespace the lookup is relative to  (NOT NULL)
 * @hname: NUL-terminated hierarchical name  (NOT NULL, strlen() is unchecked)
 * Returns: whatever __aa_lookupn_ns() returns for (@hname, strlen(@hname))
 *
 * Lock and refcount contract is that of __aa_lookupn_ns() -- see policy_ns.c.
 */
static inline struct aa_ns *__aa_lookup_ns(struct aa_ns *base,
					   const char *hname)
{
	size_t len = strlen(hname);

	return __aa_lookupn_ns(base, hname, len);
}
    158
/**
 * aa_lookup_ns - look up a namespace by NUL-terminated name from @view
 * @view: namespace the lookup is relative to  (NOT NULL)
 * @name: NUL-terminated name to look up  (NOT NULL, strlen() is unchecked)
 * Returns: whatever aa_lookupn_ns() returns for (@name, strlen(@name));
 *          by this file's convention the plain variant is expected to hand
 *          back a counted reference to drop with aa_put_ns() -- confirm.
 */
static inline struct aa_ns *aa_lookup_ns(struct aa_ns *view, const char *name)
{
	size_t len = strlen(name);

	return aa_lookupn_ns(view, name, len);
}
    163
#endif /* __AA_NAMESPACE_H */