
  1. /* SPDX-License-Identifier: GPL-2.0-only */
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor policy definitions.
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2017 Canonical Ltd.
  9. */
  10. #ifndef __AA_NAMESPACE_H
  11. #define __AA_NAMESPACE_H
  12. #include <linux/kref.h>
  13. #include "apparmor.h"
  14. #include "apparmorfs.h"
  15. #include "label.h"
  16. #include "policy.h"
  17. /* Match max depth of user namespaces */
  18. #define MAX_NS_DEPTH 32
/* struct aa_ns_acct - accounting of profiles in namespace
 * @max_size: maximum space allowed for all profiles in namespace
 * @max_count: maximum number of profiles that can be in this namespace
 * @size: current size of profiles
 * @count: current count of profiles (includes null profiles)
 *
 * All four fields are plain signed ints.  Code that adds a new profile's
 * size to @size (or increments @count) before comparing against the limit
 * must guard against signed overflow rather than trusting the comparison
 * alone.  NOTE(review): the limits are enforced by the callers that update
 * these counters, not by anything in this header - check there for how a
 * limit of 0 is treated.
 */
struct aa_ns_acct {
	int max_size;
	int max_count;
	int size;
	int count;
};
/* struct aa_ns - namespace for a set of profiles
 * @base: common policy
 * @parent: parent of namespace
 * @lock: lock for modifying the object
 * @acct: accounting for the namespace
 * @unconfined: special unconfined profile for the namespace
 * @sub_ns: list of namespaces under the current namespace.
 * @uniq_null: uniq value used for null learning profiles
 * @uniq_id: a unique id count for the profiles in the namespace
 * @level: level of ns within the tree hierarchy
 * @revision: revision counter for the namespace's policy (NOTE(review):
 *            where it is bumped, and under which lock, is not visible here)
 * @wait: wait queue head for the namespace (presumably paired with
 *        @revision - confirm in policy.c / apparmorfs.c)
 * @labels: the label set owned by this namespace
 * @rawdata_list: list head, presumably of the raw policy data loaded into
 *                this namespace - confirm against policy_unpack.c
 * @dents: dentries for the namespaces file entries in apparmorfs
 *
 * An aa_ns defines the set profiles that are searched to determine which
 * profile to attach to a task. Profiles can not be shared between aa_ns
 * and profile names within a namespace are guaranteed to be unique. When
 * profiles in separate namespaces have the same name they are NOT considered
 * to be equivalent.
 *
 * Namespaces are hierarchical and only namespaces and profiles below the
 * current namespace are visible.
 *
 * Namespace names must be unique and can not contain the characters :/\0
 *
 * @base must stay the first member: __aa_findn_ns() below casts the
 * struct aa_policy returned by __policy_strn_find() straight to a
 * struct aa_ns.  References to an aa_ns are taken and dropped on
 * @unconfined (see aa_get_ns()/aa_put_ns()), so that profile must outlive
 * every outstanding reference to the namespace.
 */
struct aa_ns {
	struct aa_policy base;
	struct aa_ns *parent;
	struct mutex lock;
	struct aa_ns_acct acct;
	struct aa_profile *unconfined;
	struct list_head sub_ns;
	atomic_t uniq_null;
	long uniq_id;
	int level;
	long revision;
	wait_queue_head_t wait;
	struct aa_labelset labels;
	struct list_head rawdata_list;
	struct dentry *dents[AAFS_NS_SIZEOF];
};
/* Shared policy objects defined elsewhere.  kernel_t is the label used for
 * the kernel itself and root_ns the top of the namespace tree.
 * NOTE(review): inferred from the names - confirm in policy_ns.c.
 */
extern struct aa_label *kernel_t;
extern struct aa_ns *root_ns;
/* Name reported in place of a namespace the viewer may not see
 * (presumably; see aa_ns_name() below).
 */
extern const char *aa_hidden_ns_name;

/* Label of the unconfined profile of @NS.  @NS is evaluated once but is
 * dereferenced unconditionally, so it must not be NULL.
 */
#define ns_unconfined(NS) (&(NS)->unconfined->label)

/* Visibility and naming of a namespace relative to a viewing namespace;
 * @subns selects whether sub-namespaces are considered.  NOTE(review):
 * semantics inferred from the parameter names - confirm in policy_ns.c.
 */
bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);

/* Lifetime of the root namespace and of individual namespaces. */
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);

/* Namespace lookup and creation.  The "n" variants take an explicit length
 * @n for the name.  By the convention used for __aa_findn_ns() below, the
 * double-underscore variants presumably require the caller to hold the
 * appropriate lock (or rcu_read_lock) and hand back unrefcounted objects;
 * confirm against the definitions before relying on that.
 */
struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n);
struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n);
struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
				     struct dentry *dir);
struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
void __aa_remove_ns(struct aa_ns *ns);
/**
 * aa_deref_parent - fetch the parent pointer of @p under the ns lock
 * @p: profile whose parent is wanted (NOT NULL)
 *
 * The parent pointer is RCU managed.  This accessor is for callers that
 * already hold p->ns->lock; that is the condition handed to
 * rcu_dereference_protected(), so lockdep (when enabled) will complain if
 * the lock is not held.  It does not take rcu_read_lock() itself, so it is
 * not a substitute for an RCU-side dereference in lockless readers.
 *
 * Returns: the parent profile pointer, unrefcounted
 */
static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
{
	struct mutex *ns_lock = &p->ns->lock;

	return rcu_dereference_protected(p->parent, mutex_is_locked(ns_lock));
}
/**
 * aa_get_ns - take a reference on @ns
 * @ns: namespace to reference (MAYBE NULL)
 *
 * A namespace is kept alive through its unconfined profile: the reference
 * is taken on ns->unconfined and aa_put_ns() releases that same profile
 * reference.  The caller must already hold a valid reference (or otherwise
 * guarantee @ns cannot be freed) when calling.
 *
 * Returns: @ns, or NULL if @ns is NULL
 */
static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
{
	if (!ns)
		return NULL;

	aa_get_profile(ns->unconfined);
	return ns;
}
/**
 * aa_put_ns - drop a reference on @ns
 * @ns: namespace to put the reference of (MAYBE NULL)
 *
 * Releases the reference aa_get_ns() took on ns->unconfined.  Once the
 * last reference on that profile is gone the namespace is torn down, so
 * @ns must not be touched after this call unless the caller holds another
 * reference.
 */
static inline void aa_put_ns(struct aa_ns *ns)
{
	if (!ns)
		return;

	aa_put_profile(ns->unconfined);
}
/**
 * __aa_findn_ns - find a namespace on a list by @name
 * @head: list to search for namespace on (NOT NULL)
 * @name: name of namespace to look for (NOT NULL)
 * @n: length of @name
 *
 * Requires: rcu_read_lock be held
 *
 * Returns: unrefcounted namespace, or NULL if none matches.  The result is
 * only valid while the rcu read lock is held; take aa_get_ns() on it before
 * the lock is dropped if it is to be kept.
 */
static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
					  const char *name, size_t n)
{
	struct aa_policy *policy = __policy_strn_find(head, name, n);

	/* struct aa_policy is the first member of struct aa_ns */
	return (struct aa_ns *)policy;
}
/**
 * __aa_find_ns - find a namespace on a list by NUL-terminated @name
 * @head: list to search for namespace on (NOT NULL)
 * @name: NUL-terminated name of namespace to look for (NOT NULL)
 *
 * Requires: rcu_read_lock be held
 *
 * Returns: unrefcounted namespace, or NULL if none matches (see
 * __aa_findn_ns() for the lifetime rules)
 */
static inline struct aa_ns *__aa_find_ns(struct list_head *head,
					 const char *name)
{
	size_t len = strlen(name);

	return __aa_findn_ns(head, name, len);
}
#endif /* __AA_NAMESPACE_H */