summaryrefslogtreecommitdiffstats
path: root/security/apparmor/include/context.h
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2013-07-03 14:04:58 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2013-07-03 14:04:58 -0700
commitf39d420f672f99ad9a0fe7deb951a0030d4f0d9e (patch)
tree450e229a4305362f72cc5461aab8af4f2f5d023e /security/apparmor/include/context.h
parentfe489bf4505ae26d3c6d6a1f1d3064c2a9c5cd85 (diff)
parent572e5b018ba68d634f30aef71cf04d85c884aa05 (diff)
downloadlinux-f39d420f672f99ad9a0fe7deb951a0030d4f0d9e.tar.bz2
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: "In this update, Smack learns to love IPv6 and to mount a filesystem with a transmutable hierarchy (i.e. security labels are inherited from parent directory upon creation rather than creating process). The rest of the changes are maintenance" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (37 commits) tpm/tpm_i2c_infineon: Remove unused header file tpm: tpm_i2c_infinion: Don't modify i2c_client->driver evm: audit integrity metadata failures integrity: move integrity_audit_msg() evm: calculate HMAC after initializing posix acl on tmpfs maintainers: add Dmitry Kasatkin Smack: Fix the bug smackcipso can't set CIPSO correctly Smack: Fix possible NULL pointer dereference at smk_netlbl_mls() Smack: Add smkfstransmute mount option Smack: Improve access check performance Smack: Local IPv6 port based controls tpm: fix regression caused by section type conflict of tpm_dev_release() in ppc builds maintainers: Remove Kent from maintainers tpm: move TPM_DIGEST_SIZE defintion tpm_tis: missing platform_driver_unregister() on error in init_tis() security: clarify cap_inode_getsecctx description apparmor: no need to delay vfree() apparmor: fix fully qualified name parsing apparmor: fix setprocattr arg processing for onexec apparmor: localize getting the security context to a few macros ...
Diffstat (limited to 'security/apparmor/include/context.h')
-rw-r--r--security/apparmor/include/context.h61
1 files changed, 43 insertions, 18 deletions
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index a9cbee4d9e48..d44ba5802e3d 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -21,6 +21,9 @@
#include "policy.h"
+#define cred_cxt(X) (X)->security
+#define current_cxt() cred_cxt(current_cred())
+
/* struct aa_file_cxt - the AppArmor context the file was opened in
* @perms: the permission the file was opened with
*
@@ -80,23 +83,8 @@ int aa_replace_current_profile(struct aa_profile *profile);
int aa_set_current_onexec(struct aa_profile *profile);
int aa_set_current_hat(struct aa_profile *profile, u64 token);
int aa_restore_previous_profile(u64 cookie);
+struct aa_profile *aa_get_task_profile(struct task_struct *task);
-/**
- * __aa_task_is_confined - determine if @task has any confinement
- * @task: task to check confinement of (NOT NULL)
- *
- * If @task != current needs to be called in RCU safe critical section
- */
-static inline bool __aa_task_is_confined(struct task_struct *task)
-{
- struct aa_task_cxt *cxt = __task_cred(task)->security;
-
- BUG_ON(!cxt || !cxt->profile);
- if (unconfined(aa_newest_version(cxt->profile)))
- return 0;
-
- return 1;
-}
/**
* aa_cred_profile - obtain cred's profiles
@@ -108,12 +96,36 @@ static inline bool __aa_task_is_confined(struct task_struct *task)
*/
static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
{
- struct aa_task_cxt *cxt = cred->security;
+ struct aa_task_cxt *cxt = cred_cxt(cred);
BUG_ON(!cxt || !cxt->profile);
return aa_newest_version(cxt->profile);
}
/**
+ * __aa_task_profile - retrieve another task's profile
+ * @task: task to query (NOT NULL)
+ *
+ * Returns: @task's profile without incrementing its ref count
+ *
+ * If @task != current needs to be called in RCU safe critical section
+ */
+static inline struct aa_profile *__aa_task_profile(struct task_struct *task)
+{
+ return aa_cred_profile(__task_cred(task));
+}
+
+/**
+ * __aa_task_is_confined - determine if @task has any confinement
+ * @task: task to check confinement of (NOT NULL)
+ *
+ * If @task != current needs to be called in RCU safe critical section
+ */
+static inline bool __aa_task_is_confined(struct task_struct *task)
+{
+ return !unconfined(__aa_task_profile(task));
+}
+
+/**
* __aa_current_profile - find the current tasks confining profile
*
* Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
@@ -136,7 +148,7 @@ static inline struct aa_profile *__aa_current_profile(void)
*/
static inline struct aa_profile *aa_current_profile(void)
{
- const struct aa_task_cxt *cxt = current_cred()->security;
+ const struct aa_task_cxt *cxt = current_cxt();
struct aa_profile *profile;
BUG_ON(!cxt || !cxt->profile);
@@ -151,4 +163,17 @@ static inline struct aa_profile *aa_current_profile(void)
return profile;
}
+/**
+ * aa_clear_task_cxt_trans - clear transition tracking info from the cxt
+ * @cxt: task context to clear (NOT NULL)
+ */
+static inline void aa_clear_task_cxt_trans(struct aa_task_cxt *cxt)
+{
+ aa_put_profile(cxt->previous);
+ aa_put_profile(cxt->onexec);
+ cxt->previous = NULL;
+ cxt->onexec = NULL;
+ cxt->token = 0;
+}
+
#endif /* __AA_CONTEXT_H */