18c2ecf20Sopenharmony_ci/* SPDX-License-Identifier: GPL-2.0-only */ 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * AppArmor security module 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * This file contains AppArmor policy definitions. 68c2ecf20Sopenharmony_ci * 78c2ecf20Sopenharmony_ci * Copyright (C) 1998-2008 Novell/SUSE 88c2ecf20Sopenharmony_ci * Copyright 2009-2017 Canonical Ltd. 98c2ecf20Sopenharmony_ci */ 108c2ecf20Sopenharmony_ci 118c2ecf20Sopenharmony_ci#ifndef __AA_NAMESPACE_H 128c2ecf20Sopenharmony_ci#define __AA_NAMESPACE_H 138c2ecf20Sopenharmony_ci 148c2ecf20Sopenharmony_ci#include <linux/kref.h> 158c2ecf20Sopenharmony_ci 168c2ecf20Sopenharmony_ci#include "apparmor.h" 178c2ecf20Sopenharmony_ci#include "apparmorfs.h" 188c2ecf20Sopenharmony_ci#include "label.h" 198c2ecf20Sopenharmony_ci#include "policy.h" 208c2ecf20Sopenharmony_ci 218c2ecf20Sopenharmony_ci 228c2ecf20Sopenharmony_ci/* struct aa_ns_acct - accounting of profiles in namespace 238c2ecf20Sopenharmony_ci * @max_size: maximum space allowed for all profiles in namespace 248c2ecf20Sopenharmony_ci * @max_count: maximum number of profiles that can be in this namespace 258c2ecf20Sopenharmony_ci * @size: current size of profiles 268c2ecf20Sopenharmony_ci * @count: current count of profiles (includes null profiles) 278c2ecf20Sopenharmony_ci */ 288c2ecf20Sopenharmony_cistruct aa_ns_acct { 298c2ecf20Sopenharmony_ci int max_size; 308c2ecf20Sopenharmony_ci int max_count; 318c2ecf20Sopenharmony_ci int size; 328c2ecf20Sopenharmony_ci int count; 338c2ecf20Sopenharmony_ci}; 348c2ecf20Sopenharmony_ci 358c2ecf20Sopenharmony_ci/* struct aa_ns - namespace for a set of profiles 368c2ecf20Sopenharmony_ci * @base: common policy 378c2ecf20Sopenharmony_ci * @parent: parent of namespace 388c2ecf20Sopenharmony_ci * @lock: lock for modifying the object 398c2ecf20Sopenharmony_ci * @acct: accounting for the namespace 408c2ecf20Sopenharmony_ci * @unconfined: special unconfined profile for the namespace 418c2ecf20Sopenharmony_ci * @sub_ns: list of namespaces under the current namespace. 428c2ecf20Sopenharmony_ci * @uniq_null: uniq value used for null learning profiles 438c2ecf20Sopenharmony_ci * @uniq_id: a unique id count for the profiles in the namespace 448c2ecf20Sopenharmony_ci * @level: level of ns within the tree hierarchy 458c2ecf20Sopenharmony_ci * @dents: dentries for the namespaces file entries in apparmorfs 468c2ecf20Sopenharmony_ci * 478c2ecf20Sopenharmony_ci * An aa_ns defines the set profiles that are searched to determine which 488c2ecf20Sopenharmony_ci * profile to attach to a task. Profiles can not be shared between aa_ns 498c2ecf20Sopenharmony_ci * and profile names within a namespace are guaranteed to be unique. When 508c2ecf20Sopenharmony_ci * profiles in separate namespaces have the same name they are NOT considered 518c2ecf20Sopenharmony_ci * to be equivalent. 528c2ecf20Sopenharmony_ci * 538c2ecf20Sopenharmony_ci * Namespaces are hierarchical and only namespaces and profiles below the 548c2ecf20Sopenharmony_ci * current namespace are visible. 558c2ecf20Sopenharmony_ci * 568c2ecf20Sopenharmony_ci * Namespace names must be unique and can not contain the characters :/\0 578c2ecf20Sopenharmony_ci */ 588c2ecf20Sopenharmony_cistruct aa_ns { 598c2ecf20Sopenharmony_ci struct aa_policy base; 608c2ecf20Sopenharmony_ci struct aa_ns *parent; 618c2ecf20Sopenharmony_ci struct mutex lock; 628c2ecf20Sopenharmony_ci struct aa_ns_acct acct; 638c2ecf20Sopenharmony_ci struct aa_profile *unconfined; 648c2ecf20Sopenharmony_ci struct list_head sub_ns; 658c2ecf20Sopenharmony_ci atomic_t uniq_null; 668c2ecf20Sopenharmony_ci long uniq_id; 678c2ecf20Sopenharmony_ci int level; 688c2ecf20Sopenharmony_ci long revision; 698c2ecf20Sopenharmony_ci wait_queue_head_t wait; 708c2ecf20Sopenharmony_ci 718c2ecf20Sopenharmony_ci struct aa_labelset labels; 728c2ecf20Sopenharmony_ci struct list_head rawdata_list; 738c2ecf20Sopenharmony_ci 748c2ecf20Sopenharmony_ci struct dentry *dents[AAFS_NS_SIZEOF]; 758c2ecf20Sopenharmony_ci}; 768c2ecf20Sopenharmony_ci 778c2ecf20Sopenharmony_ciextern struct aa_ns *root_ns; 788c2ecf20Sopenharmony_ci 798c2ecf20Sopenharmony_ciextern const char *aa_hidden_ns_name; 808c2ecf20Sopenharmony_ci 818c2ecf20Sopenharmony_ci#define ns_unconfined(NS) (&(NS)->unconfined->label) 828c2ecf20Sopenharmony_ci 838c2ecf20Sopenharmony_cibool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns); 848c2ecf20Sopenharmony_ciconst char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns); 858c2ecf20Sopenharmony_civoid aa_free_ns(struct aa_ns *ns); 868c2ecf20Sopenharmony_ciint aa_alloc_root_ns(void); 878c2ecf20Sopenharmony_civoid aa_free_root_ns(void); 888c2ecf20Sopenharmony_civoid aa_free_ns_kref(struct kref *kref); 898c2ecf20Sopenharmony_ci 908c2ecf20Sopenharmony_cistruct aa_ns *aa_find_ns(struct aa_ns *root, const char *name); 918c2ecf20Sopenharmony_cistruct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n); 928c2ecf20Sopenharmony_cistruct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n); 938c2ecf20Sopenharmony_cistruct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n); 948c2ecf20Sopenharmony_cistruct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name, 958c2ecf20Sopenharmony_ci struct dentry *dir); 968c2ecf20Sopenharmony_cistruct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name); 978c2ecf20Sopenharmony_civoid __aa_remove_ns(struct aa_ns *ns); 988c2ecf20Sopenharmony_ci 998c2ecf20Sopenharmony_cistatic inline struct aa_profile *aa_deref_parent(struct aa_profile *p) 1008c2ecf20Sopenharmony_ci{ 1018c2ecf20Sopenharmony_ci return rcu_dereference_protected(p->parent, 1028c2ecf20Sopenharmony_ci mutex_is_locked(&p->ns->lock)); 1038c2ecf20Sopenharmony_ci} 1048c2ecf20Sopenharmony_ci 1058c2ecf20Sopenharmony_ci/** 1068c2ecf20Sopenharmony_ci * aa_get_ns - increment references count on @ns 1078c2ecf20Sopenharmony_ci * @ns: namespace to increment reference count of (MAYBE NULL) 1088c2ecf20Sopenharmony_ci * 1098c2ecf20Sopenharmony_ci * Returns: pointer to @ns, if @ns is NULL returns NULL 1108c2ecf20Sopenharmony_ci * Requires: @ns must be held with valid refcount when called 1118c2ecf20Sopenharmony_ci */ 1128c2ecf20Sopenharmony_cistatic inline struct aa_ns *aa_get_ns(struct aa_ns *ns) 1138c2ecf20Sopenharmony_ci{ 1148c2ecf20Sopenharmony_ci if (ns) 1158c2ecf20Sopenharmony_ci aa_get_profile(ns->unconfined); 1168c2ecf20Sopenharmony_ci 1178c2ecf20Sopenharmony_ci return ns; 1188c2ecf20Sopenharmony_ci} 1198c2ecf20Sopenharmony_ci 1208c2ecf20Sopenharmony_ci/** 1218c2ecf20Sopenharmony_ci * aa_put_ns - decrement refcount on @ns 1228c2ecf20Sopenharmony_ci * @ns: namespace to put reference of 1238c2ecf20Sopenharmony_ci * 1248c2ecf20Sopenharmony_ci * Decrement reference count of @ns and if no longer in use free it 1258c2ecf20Sopenharmony_ci */ 1268c2ecf20Sopenharmony_cistatic inline void aa_put_ns(struct aa_ns *ns) 1278c2ecf20Sopenharmony_ci{ 1288c2ecf20Sopenharmony_ci if (ns) 1298c2ecf20Sopenharmony_ci aa_put_profile(ns->unconfined); 1308c2ecf20Sopenharmony_ci} 1318c2ecf20Sopenharmony_ci 1328c2ecf20Sopenharmony_ci/** 1338c2ecf20Sopenharmony_ci * __aa_findn_ns - find a namespace on a list by @name 1348c2ecf20Sopenharmony_ci * @head: list to search for namespace on (NOT NULL) 1358c2ecf20Sopenharmony_ci * @name: name of namespace to look for (NOT NULL) 1368c2ecf20Sopenharmony_ci * @n: length of @name 1378c2ecf20Sopenharmony_ci * Returns: unrefcounted namespace 1388c2ecf20Sopenharmony_ci * 1398c2ecf20Sopenharmony_ci * Requires: rcu_read_lock be held 1408c2ecf20Sopenharmony_ci */ 1418c2ecf20Sopenharmony_cistatic inline struct aa_ns *__aa_findn_ns(struct list_head *head, 1428c2ecf20Sopenharmony_ci const char *name, size_t n) 1438c2ecf20Sopenharmony_ci{ 1448c2ecf20Sopenharmony_ci return (struct aa_ns *)__policy_strn_find(head, name, n); 1458c2ecf20Sopenharmony_ci} 1468c2ecf20Sopenharmony_ci 1478c2ecf20Sopenharmony_cistatic inline struct aa_ns *__aa_find_ns(struct list_head *head, 1488c2ecf20Sopenharmony_ci const char *name) 1498c2ecf20Sopenharmony_ci{ 1508c2ecf20Sopenharmony_ci return __aa_findn_ns(head, name, strlen(name)); 1518c2ecf20Sopenharmony_ci} 1528c2ecf20Sopenharmony_ci 1538c2ecf20Sopenharmony_cistatic inline struct aa_ns *__aa_lookup_ns(struct aa_ns *base, 1548c2ecf20Sopenharmony_ci const char *hname) 1558c2ecf20Sopenharmony_ci{ 1568c2ecf20Sopenharmony_ci return __aa_lookupn_ns(base, hname, strlen(hname)); 1578c2ecf20Sopenharmony_ci} 1588c2ecf20Sopenharmony_ci 1598c2ecf20Sopenharmony_cistatic inline struct aa_ns *aa_lookup_ns(struct aa_ns *view, const char *name) 1608c2ecf20Sopenharmony_ci{ 1618c2ecf20Sopenharmony_ci return aa_lookupn_ns(view, name, strlen(name)); 1628c2ecf20Sopenharmony_ci} 1638c2ecf20Sopenharmony_ci 1648c2ecf20Sopenharmony_ci#endif /* AA_NAMESPACE_H */ 165