linux/security/apparmor/context.c
<<
>>
Prefs
   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor functions used to manipulate object security
   5 * contexts.
   6 *
   7 * Copyright (C) 1998-2008 Novell/SUSE
   8 * Copyright 2009-2010 Canonical Ltd.
   9 *
  10 * This program is free software; you can redistribute it and/or
  11 * modify it under the terms of the GNU General Public License as
  12 * published by the Free Software Foundation, version 2 of the
  13 * License.
  14 *
  15 *
  16 * AppArmor sets confinement on every task, via the the aa_task_cxt and
  17 * the aa_task_cxt.profile, both of which are required and are not allowed
  18 * to be NULL.  The aa_task_cxt is not reference counted and is unique
  19 * to each cred (which is reference count).  The profile pointed to by
  20 * the task_cxt is reference counted.
  21 *
  22 * TODO
  23 * If a task uses change_hat it currently does not return to the old
  24 * cred or task context but instead creates a new one.  Ideally the task
  25 * should return to the previous cred if it has not been modified.
  26 *
  27 */
  28
  29#include "include/context.h"
  30#include "include/policy.h"
  31
  32/**
  33 * aa_alloc_task_context - allocate a new task_cxt
  34 * @flags: gfp flags for allocation
  35 *
  36 * Returns: allocated buffer or NULL on failure
  37 */
  38struct aa_task_cxt *aa_alloc_task_context(gfp_t flags)
  39{
  40        return kzalloc(sizeof(struct aa_task_cxt), flags);
  41}
  42
  43/**
  44 * aa_free_task_context - free a task_cxt
  45 * @cxt: task_cxt to free (MAYBE NULL)
  46 */
  47void aa_free_task_context(struct aa_task_cxt *cxt)
  48{
  49        if (cxt) {
  50                aa_put_profile(cxt->profile);
  51                aa_put_profile(cxt->previous);
  52                aa_put_profile(cxt->onexec);
  53
  54                kzfree(cxt);
  55        }
  56}
  57
  58/**
  59 * aa_dup_task_context - duplicate a task context, incrementing reference counts
  60 * @new: a blank task context      (NOT NULL)
  61 * @old: the task context to copy  (NOT NULL)
  62 */
  63void aa_dup_task_context(struct aa_task_cxt *new, const struct aa_task_cxt *old)
  64{
  65        *new = *old;
  66        aa_get_profile(new->profile);
  67        aa_get_profile(new->previous);
  68        aa_get_profile(new->onexec);
  69}
  70
  71/**
  72 * aa_replace_current_profile - replace the current tasks profiles
  73 * @profile: new profile  (NOT NULL)
  74 *
  75 * Returns: 0 or error on failure
  76 */
  77int aa_replace_current_profile(struct aa_profile *profile)
  78{
  79        struct aa_task_cxt *cxt = current_cred()->security;
  80        struct cred *new;
  81        BUG_ON(!profile);
  82
  83        if (cxt->profile == profile)
  84                return 0;
  85
  86        new  = prepare_creds();
  87        if (!new)
  88                return -ENOMEM;
  89
  90        cxt = new->security;
  91        if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
  92                /* if switching to unconfined or a different profile namespace
  93                 * clear out context state
  94                 */
  95                aa_put_profile(cxt->previous);
  96                aa_put_profile(cxt->onexec);
  97                cxt->previous = NULL;
  98                cxt->onexec = NULL;
  99                cxt->token = 0;
 100        }
 101        /* be careful switching cxt->profile, when racing replacement it
 102         * is possible that cxt->profile->replacedby is the reference keeping
 103         * @profile valid, so make sure to get its reference before dropping
 104         * the reference on cxt->profile */
 105        aa_get_profile(profile);
 106        aa_put_profile(cxt->profile);
 107        cxt->profile = profile;
 108
 109        commit_creds(new);
 110        return 0;
 111}
 112
 113/**
 114 * aa_set_current_onexec - set the tasks change_profile to happen onexec
 115 * @profile: system profile to set at exec  (MAYBE NULL to clear value)
 116 *
 117 * Returns: 0 or error on failure
 118 */
 119int aa_set_current_onexec(struct aa_profile *profile)
 120{
 121        struct aa_task_cxt *cxt;
 122        struct cred *new = prepare_creds();
 123        if (!new)
 124                return -ENOMEM;
 125
 126        cxt = new->security;
 127        aa_get_profile(profile);
 128        aa_put_profile(cxt->onexec);
 129        cxt->onexec = profile;
 130
 131        commit_creds(new);
 132        return 0;
 133}
 134
 135/**
 136 * aa_set_current_hat - set the current tasks hat
 137 * @profile: profile to set as the current hat  (NOT NULL)
 138 * @token: token value that must be specified to change from the hat
 139 *
 140 * Do switch of tasks hat.  If the task is currently in a hat
 141 * validate the token to match.
 142 *
 143 * Returns: 0 or error on failure
 144 */
 145int new
 142 *
 */
  46 armor/context.c#L121" id="L121" class="lie" name="1L47">  47void aa_task_cxt *cxt;
  48{
new = prepare_creds();
  49        if 1(new)
  50           1     1a href="+code=aa_put_pENOMEM" class="sref">ENOMEM;
  51           1     15code=BUG_ON" class="sref">BUG_ON(!profile);
  52           1     15/apparmor/context.c#L113" id="L113" class="lie" name="1L53">  53
BUa> = new->security;
  54           1     1a href="+code= claass="sref">new->previous);
  55        }
<1a hre15 href="+code=aa_put_pr be careful switching cxtrans/spaconsecururity/apparmor/context.c#L145" id="L145" class="lie" name="1L56">  56}
previous = NULLa>->profile =   57
cxt->en = 0;
en = 0;
  58cxt->pen = 0;
en = 0;
  59cxtaa_put_profile(cxt->profile);
  60  61&&an>
  62en="+code=previous" class="sref">previouclass="sref">pent  42<81'163id="L145" class="lie" name="1L50">  50  ACCES    1     1a hreACCES;
en =
 133}

 107        cxt-> 127        aa_get_profile(en="+code=previous" class=  61 * @on    &&an>
 128        aa_put_profile(cxt->onexec);

                cxt->onexec = NULL;1
  891
 131        commit_creds(new);

 132        return 0;

 133}

  531
 135/**

 135/**

 13 it lass=commenL135"> 135/**

 135/**

 135/**

 * validate the token to match.

 * validate the token to match.

 143 * Returns: 0 or error on failure

  62 */1
 *
 */
  64{1
  47void aa_task_cxt *cxt;

  48{
new = prepare_creds();

  87        if (!new)1
  88                return -ENOMEM;1
  891
  90        cxt = new->security;1
cxt->pen = 0;
en = 0
  62en="+code=previous" class
  50  ACCES    1     1a hreACCES;
en =
 133}

  92   gnohe aastores* be can he mment saved1t">         * the reference on cxt->profile */

  54           1     1a href="+code= claass="sref">new->previous);
<
 62en="+code=previous" class
 132        return 0;

 133}2 1302cxtaa_put_profile(cxt->profile);2  90        cxt->aa_put_profile(cxt->previous);2  51           1     15code=BUG_ON" cref">aa_put_profile(cxt->profile);2<new->anlikelr class="sref">cxtaa_put_profile(cxt->aa_put_profile(cxt->previous);
2 127        aa_put_profile(cxt->profile);2<  96                aa_put_profile(cxt->previous);2< 133}2<  61 * @href="+code;&&an>
                cxt->previous = NULL;2  90        cxt->token = 0;2cxtaa_put_profile(cxt->onexec);2  90        cxt->onexec = NULL;2  532 131        commit_creds(new);2 132        return 0;2  56}2


L/div>


eachor ginal LXR software bypan cL56" clashttp://sourcid, ge.net/;LXR hrefunref="+c,panisl> peri61lxr@armux.no="+c.
L/div>

lxr.armux.no kindly hosspan ycL56" clashttp://www.odepill-arm;Rdepill Lrm;