/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * AppArmor security module
 *
 * This file contains AppArmor task related definitions and mediation
 *
 * Copyright 2017 Canonical Ltd.
 */

#ifndef __AA_TASK_H
#define __AA_TASK_H

/**
 * task_ctx - locate AppArmor's context inside a task's security blob
 * @task: task whose context is wanted (NOT NULL)
 *
 * The task's LSM security blob is addressed at the byte offset recorded in
 * apparmor_blob_sizes.lbs_task; presumably that offset exists because the
 * blob is shared with other loaded LSMs (the LSM blob-sizes scheme).
 *
 * No NULL check is made on task->security, so callers are expected to use
 * this only on tasks whose blob has been allocated — confirm at call sites.
 *
 * Return: pointer to the task's &struct aa_task_ctx
 */
static inline struct aa_task_ctx *task_ctx(struct task_struct *task)
{
	char *blob = task->security;

	return (struct aa_task_ctx *)(blob + apparmor_blob_sizes.lbs_task);
}

/**
 * struct aa_task_ctx - per-task state for label (profile) changes
 * @nnp: snapshot of the task's label at the time no_new_privs was set
 * @onexec: label to transition to on the next exec (MAY BE NULL)
 * @previous: label the task may return to (MAY BE NULL)
 * @token: magic value the task must present to return to @previous
 *
 * Security note: @token is what stands between code running under the
 * current label (e.g. inside a hat) and a return to @previous, so it must
 * not be guessable by that code. aa_restore_previous_label() takes a
 * @cookie that is presumably compared against @token — verify in task.c.
 */
struct aa_task_ctx {
	struct aa_label *nnp;
	struct aa_label *onexec;
	struct aa_label *previous;
	u64 token;
};

/*
 * Label-change operations on the current task. By kernel convention each
 * returns 0 on success and a negative errno on failure — confirm in task.c.
 */
int aa_replace_current_label(struct aa_label *label);
int aa_set_current_onexec(struct aa_label *label, bool stack);
int aa_set_current_hat(struct aa_label *label, u64 token);
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);

/**
 * aa_free_task_ctx - drop the label references held by a task_ctx
 * @ctx: task_ctx to tear down (MAYBE NULL)
 *
 * Releases the references on @nnp, @previous and @onexec. The storage
 * backing @ctx itself is not freed here; it lives in the task's LSM blob
 * (see task_ctx()). Any of the three labels may be NULL, so this relies on
 * aa_put_label() tolerating a NULL argument.
 */
static inline void aa_free_task_ctx(struct aa_task_ctx *ctx)
{
	if (!ctx)
		return;

	aa_put_label(ctx->onexec);
	aa_put_label(ctx->previous);
	aa_put_label(ctx->nnp);
}

/**
 * aa_dup_task_ctx - copy a task context, taking a reference on each label
 * @new: destination context; its current contents are overwritten without
 *       being released, so it must be blank (NOT NULL)
 * @old: source context (NOT NULL)
 *
 * After the call @new and @old hold the same labels and token, with each
 * non-NULL label carrying one extra reference for @new. A NULL label in
 * @old is copied as NULL, so aa_get_label() must accept NULL.
 */
static inline void aa_dup_task_ctx(struct aa_task_ctx *new,
				   const struct aa_task_ctx *old)
{
	/* struct assignment so a field added later is not silently dropped */
	*new = *old;

	aa_get_label(new->onexec);
	aa_get_label(new->previous);
	aa_get_label(new->nnp);
}

/**
 * aa_clear_task_ctx_trans - forget any pending transition state in @ctx
 * @ctx: task context to clear (NOT NULL)
 *
 * Drops @previous and @onexec and resets @token to 0; the @nnp snapshot is
 * left untouched. The pointers are cleared before the references are
 * released so @ctx never holds a pointer to a label that may already have
 * been freed.
 */
static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
{
	struct aa_label *prev, *onexec;

	AA_BUG(!ctx);

	prev = ctx->previous;
	onexec = ctx->onexec;
	ctx->previous = NULL;
	ctx->onexec = NULL;
	ctx->token = 0;

	aa_put_label(prev);
	aa_put_label(onexec);
}

/*
 * ptrace permission bits. By name, the first pair is checked against the
 * tracer's label and the second pair against the tracee's. PTRACE_PERM_SHIFT
 * is presumably the shift that maps a tracer-side bit onto the matching
 * tracee-side bit (MAY_WRITE -> AA_MAY_APPEND, MAY_READ -> AA_MAY_CREATE);
 * confirm against the underlying bit values before relying on that.
 */
#define AA_PTRACE_TRACE		MAY_WRITE
#define AA_PTRACE_READ		MAY_READ
#define AA_MAY_BE_TRACED	AA_MAY_APPEND
#define AA_MAY_BE_READ		AA_MAY_CREATE
#define PTRACE_PERM_SHIFT	2

/* union of all ptrace permission bits defined above */
#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
			     AA_MAY_BE_READ | AA_MAY_BE_TRACED)
/* signal mediation uses only the read and write bits */
#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)

/*
 * Names of the signals AppArmor mediates, presumably in the order exported
 * through the securityfs ("sfs") mask file; keep the string byte-exact, as
 * user space parses it.
 */
#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
	"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
	"xcpu xfsz vtalrm prof winch io pwr sys emt lost"

/**
 * aa_may_ptrace - check whether @tracer may ptrace @tracee
 * @tracer_cred: credentials of the tracing task
 * @tracer: label of the tracing task
 * @tracee_cred: credentials of the task being traced
 * @tracee: label of the task being traced
 * @request: requested ptrace permissions (presumably a subset of
 *           AA_PTRACE_PERM_MASK)
 *
 * The creds are passed explicitly alongside the labels, presumably so the
 * check uses the credentials captured at the call site rather than
 * re-reading current — confirm in the definition.
 *
 * Return: 0 if allowed, otherwise a negative error code (kernel convention;
 * confirm in the definition)
 */
int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
		  const struct cred *tracee_cred, struct aa_label *tracee,
		  u32 request);

#endif /* __AA_TASK_H */