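/*
 * AppArmor security module
 *
 * This file contains AppArmor policy definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2017 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#ifndef __AA_NAMESPACE_H
#define __AA_NAMESPACE_H

#include <linux/kref.h>

#include "apparmor.h"
#include "apparmorfs.h"
#include "label.h"
#include "policy.h"


/* struct aa_ns_acct - accounting of profiles in namespace
 * @max_size: maximum space allowed for all profiles in namespace
 * @max_count: maximum number of profiles that can be in this namespace
 * @size: current size of profiles
 * @count: current count of profiles (includes null profiles)
 */
struct aa_ns_acct {
	int max_size;
	int max_count;
	int size;
	int count;
};

/* struct aa_ns - namespace for a set of profiles
 * @base: common policy
 * @parent: parent of namespace
 * @lock: lock for modifying the object
 * @acct: accounting for the namespace
 * @unconfined: special unconfined profile for the namespace
 * @sub_ns: list of namespaces under the current namespace.
 * @uniq_null: uniq value used for null learning profiles
 * @uniq_id: a unique id count for the profiles in the namespace
 * @level: level of ns within the tree hierarchy
 * @revision: revision counter for the namespace (how it is advanced is
 *            not visible in this header; see policy.c)
 * @wait: wait queue head (the waiters are not visible in this header)
 * @labels: label set owned by the namespace (see label.h)
 * @rawdata_list: list head, presumably for loaded raw policy data;
 *                confirm against the users in policy_unpack.c/apparmorfs.c
 * @dents: dentries for the namespaces file entries in apparmorfs
 *
 * An aa_ns defines the set profiles that are searched to determine which
 * profile to attach to a task. Profiles can not be shared between aa_ns
 * and profile names within a namespace are guaranteed to be unique. When
 * profiles in separate namespaces have the same name they are NOT considered
 * to be equivalent.
 *
 * Namespaces are hierarchical and only namespaces and profiles below the
 * current namespace are visible.
 *
 * Namespace names must be unique and can not contain the characters :/\0
 *
 * Note: the namespace itself carries no kref of its own here; aa_get_ns()
 * and aa_put_ns() below take and drop the reference on @unconfined instead.
 */
struct aa_ns {
	struct aa_policy base;
	struct aa_ns *parent;
	struct mutex lock;
	struct aa_ns_acct acct;
	struct aa_profile *unconfined;
	struct list_head sub_ns;
	atomic_t uniq_null;
	long uniq_id;
	int level;
	long revision;
	wait_queue_head_t wait;

	struct aa_labelset labels;
	struct list_head rawdata_list;

	struct dentry *dents[AAFS_NS_SIZEOF];
};

extern struct aa_ns *root_ns;

extern const char *aa_hidden_ns_name;

/* label of the namespace's unconfined profile; NS is evaluated once */
#define ns_unconfined(NS) (&(NS)->unconfined->label)

bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);
void aa_free_ns_kref(struct kref *kref);

struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n);
struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n);
struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
				     struct dentry *dir);
struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
void __aa_remove_ns(struct aa_ns *ns);

/**
 * aa_deref_parent - dereference the parent pointer of profile @p
 * @p: profile whose parent is wanted (NOT NULL)
 *
 * Returns: unrefcounted parent profile of @p
 * Requires: @p->ns->lock be held; rcu_dereference_protected() uses
 *           mutex_is_locked() as the lockdep condition, so this is not
 *           safe to call under rcu_read_lock alone.
 */
static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
{
	return rcu_dereference_protected(p->parent,
					 mutex_is_locked(&p->ns->lock));
}

/**
 * aa_get_ns - increment references count on @ns
 * @ns: namespace to increment reference count of (MAYBE NULL)
 *
 * Returns: pointer to @ns, if @ns is NULL returns NULL
 * Requires: @ns must be held with valid refcount when called
 *
 * The reference is taken on the namespace's unconfined profile rather
 * than on the namespace object itself.
 */
static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
{
	if (ns)
		aa_get_profile(ns->unconfined);

	return ns;
}

/**
 * aa_put_ns - decrement refcount on @ns
 * @ns: namespace to put reference of (MAYBE NULL)
 *
 * Decrement reference count of @ns and if no longer in use free it.
 * The reference dropped is the one held on @ns->unconfined; freeing of
 * the namespace happens through that profile's release path (presumably
 * via aa_free_ns_kref(), declared above - confirm in policy_ns.c).
 */
static inline void aa_put_ns(struct aa_ns *ns)
{
	if (ns)
		aa_put_profile(ns->unconfined);
}

/**
 * __aa_findn_ns - find a namespace on a list by @name
 * @head: list to search for namespace on (NOT NULL)
 * @name: name of namespace to look for (NOT NULL)
 * @n: length of @name
 * Returns: unrefcounted namespace
 *
 * Requires: rcu_read_lock be held
 *
 * The cast relies on struct aa_ns embedding struct aa_policy as its
 * first member (@base), which is what __policy_strn_find() returns.
 */
static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
					  const char *name, size_t n)
{
	return (struct aa_ns *)__policy_strn_find(head, name, n);
}

/**
 * __aa_find_ns - find a namespace on a list by NUL-terminated @name
 * @head: list to search for namespace on (NOT NULL)
 * @name: NUL-terminated name of namespace to look for (NOT NULL)
 * Returns: unrefcounted namespace
 *
 * Requires: rcu_read_lock be held
 */
static inline struct aa_ns *__aa_find_ns(struct list_head *head,
					 const char *name)
{
	return __aa_findn_ns(head, name, strlen(name));
}

/**
 * __aa_lookup_ns - lookup a namespace by NUL-terminated hierarchical name
 * @base: namespace to start the lookup from
 * @hname: NUL-terminated hierarchical name (NOT NULL)
 * Returns: whatever __aa_lookupn_ns() returns (see policy_ns.c)
 *
 * Locking requirements are those of __aa_lookupn_ns().
 */
static inline struct aa_ns *__aa_lookup_ns(struct aa_ns *base,
					   const char *hname)
{
	return __aa_lookupn_ns(base, hname, strlen(hname));
}

/**
 * aa_lookup_ns - lookup a namespace by NUL-terminated name
 * @view: namespace the lookup is relative to
 * @name: NUL-terminated name to look up (NOT NULL)
 * Returns: whatever aa_lookupn_ns() returns (see policy_ns.c)
 */
static inline struct aa_ns *aa_lookup_ns(struct aa_ns *view, const char *name)
{
	return aa_lookupn_ns(view, name, strlen(name));
}

#endif /* __AA_NAMESPACE_H */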