From de62de59c27881c59c7df2e535cb9e1275cd52cc Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Sun, 8 Oct 2017 00:43:02 -0700
Subject: [PATCH] apparmor: move task related defines and fns to task.X files

Signed-off-by: John Johansen
---
 security/apparmor/Makefile | 2 +-
 security/apparmor/domain.c | 4 +-
 security/apparmor/include/context.h | 40 +--------
 security/apparmor/include/task.h | 90 +++++++++++++++++++++++++++++++++
 security/apparmor/lsm.c | 6 +--
 security/apparmor/{context.c => task.c} | 61 +++-------------------
 6 files changed, 105 insertions(+), 98 deletions(-)
 create mode 100644 security/apparmor/include/task.h
 rename security/apparmor/{context.c => task.c} (74%)
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index 9a6b4033d52b..380c8e08174a 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -3,7 +3,7 @@
 #
 obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
-apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \
 path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
 resource.o secid.o file.o policy_ns.o label.o mount.o
 apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b180e10f2b86..56d080a6d774 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -794,7 +794,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 if (bprm->called_set_creds)
 return 0;
- ctx = current_task_ctx();
+ ctx = task_ctx(current);
 AA_BUG(!cred_label(bprm->cred));
 AA_BUG(!ctx);
@@ -1067,7 +1067,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
 /* released below */
 cred = get_current_cred();
- ctx = current_task_ctx();
+ ctx = task_ctx(current);
 label = aa_get_newest_cred_label(cred);
 previous = aa_get_newest_label(ctx->previous);
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index b2aeb1da7e77..e287b7d0d4be 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -21,33 +21,10 @@
 #include "label.h"
 #include "policy_ns.h"
+#include "task.h"
-#define task_ctx(X) ((X)->security)
-#define current_task_ctx() (task_ctx(current))
 #define cred_label(X) ((X)->security)
-/*
- * struct aa_task_ctx - information for current task label change
- * @onexec: profile to transition to on next exec (MAY BE NULL)
- * @previous: profile the task may return to (MAY BE NULL)
- * @token: magic value the task must know for returning to @previous_profile
- */
-struct aa_task_ctx {
- struct aa_label *onexec;
- struct aa_label *previous;
- u64 token;
-};
-
-struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags);
-void aa_free_task_ctx(struct aa_task_ctx *ctx);
-void aa_dup_task_ctx(struct aa_task_ctx *new, const struct aa_task_ctx *old);
-
-int aa_replace_current_label(struct aa_label *label);
-int aa_set_current_onexec(struct aa_label *label, bool stack);
-int aa_set_current_hat(struct aa_label *label, u64 token);
-int aa_restore_previous_label(u64 cookie);
-struct aa_label *aa_get_task_label(struct task_struct *task);
-
 /**
 * aa_cred_raw_label - obtain cred's label
@@ -196,19 +173,4 @@ static inline struct aa_ns *aa_get_current_ns(void)
 return ns;
 }
-/**
- * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
- * @ctx: task context to clear (NOT NULL)
- */
-static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
-{
- AA_BUG(!ctx);
-
- aa_put_label(ctx->previous);
- aa_put_label(ctx->onexec);
- ctx->previous = NULL;
- ctx->onexec = NULL;
- ctx->token = 0;
-}
-
 #endif /* __AA_CONTEXT_H */
diff --git a/security/apparmor/include/task.h b/security/apparmor/include/task.h
new file mode 100644
index 000000000000..d222197db299
--- /dev/null
+++ b/security/apparmor/include/task.h
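Review bot: The new `#include "task.h"` in the first hunk only compiles because it is placed after `label.h` and `policy_ns.h`: task.h, added by this same patch, defines static inline functions that call `kzalloc`, `kzfree`, `aa_get_label`, `aa_put_label` and `AA_BUG` and uses `u64`, `gfp_t`, `bool` and `struct task_struct`, yet includes nothing itself. A header that is not self-contained fails the first time a file includes task.h directly, and the failure shows up as an undeclared-identifier error far from the real cause. Either make task.h include what it uses (slab and sched headers plus `"label.h"` and whichever AppArmor header defines `AA_BUG`; I can't confirm the exact set from these hunks), or at least pin the dependency here with a comment such as `/* task.h relies on label.h and the AA_BUG helper being included above */`. The second hunk, which drops `aa_clear_task_ctx_trans` from this header, is a pure move and needs nothing.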
@@ -0,0 +1,90 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor task related definitions and mediation
+ *
+ * Copyright 2017 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_TASK_H
+#define __AA_TASK_H
+
+#define task_ctx(X) ((X)->security)
+
+/*
+ * struct aa_task_ctx - information for current task label change
+ * @onexec: profile to transition to on next exec (MAY BE NULL)
+ * @previous: profile the task may return to (MAY BE NULL)
+ * @token: magic value the task must know for returning to @previous_profile
+ */
+struct aa_task_ctx {
+ struct aa_label *onexec;
+ struct aa_label *previous;
+ u64 token;
+};
+
+int aa_replace_current_label(struct aa_label *label);
+int aa_set_current_onexec(struct aa_label *label, bool stack);
+int aa_set_current_hat(struct aa_label *label, u64 token);
+int aa_restore_previous_label(u64 cookie);
+struct aa_label *aa_get_task_label(struct task_struct *task);
+
+/**
+ * aa_alloc_task_ctx - allocate a new task_ctx
+ * @flags: gfp flags for allocation
+ *
+ * Returns: allocated buffer or NULL on failure
+ */
+static inline struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags)
+{
+ return kzalloc(sizeof(struct aa_task_ctx), flags);
+}
+
+/**
+ * aa_free_task_ctx - free a task_ctx
+ * @ctx: task_ctx to free (MAYBE NULL)
+ */
+static inline void aa_free_task_ctx(struct aa_task_ctx *ctx)
+{
+ if (ctx) {
+ aa_put_label(ctx->previous);
+ aa_put_label(ctx->onexec);
+
+ kzfree(ctx);
+ }
+}
+
+/**
+ * aa_dup_task_ctx - duplicate a task context, incrementing reference counts
+ * @new: a blank task context (NOT NULL)
+ * @old: the task context to copy (NOT NULL)
+ */
+static inline void aa_dup_task_ctx(struct aa_task_ctx *new,
+ const struct aa_task_ctx *old)
+{
+ *new = *old;
+ aa_get_label(new->previous);
+ aa_get_label(new->onexec);
+}
+
+/**
+ * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
+ * @ctx: task context to clear (NOT NULL)
+ */
+static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
+{
+ AA_BUG(!ctx);
+
+ aa_put_label(ctx->previous);
+ aa_put_label(ctx->onexec);
+ ctx->previous = NULL;
+ ctx->onexec = NULL;
+ ctx->token = 0;
+}
+
+#endif /* __AA_TASK_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fda36f3e3820..7577cd982230 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -101,7 +101,7 @@ static int apparmor_task_alloc(struct task_struct *task,
 if (!new)
 return -ENOMEM;
- aa_dup_task_ctx(new, current_task_ctx());
+ aa_dup_task_ctx(new, task_ctx(current));
 task_ctx(task) = new;
 return 0;
@@ -582,7 +582,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
 int error = -ENOENT;
 /* released below */
 const struct cred *cred = get_task_cred(task);
- struct aa_task_ctx *ctx = current_task_ctx();
+ struct aa_task_ctx *ctx = task_ctx(current);
 struct aa_label *label = NULL;
 if (strcmp(name, "current") == 0)
@@ -705,7 +705,7 @@ static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
 {
 /* clear out temporary/transitional state from the context */
- aa_clear_task_ctx_trans(current_task_ctx());
+ aa_clear_task_ctx_trans(task_ctx(current));
 return;
 }
diff --git a/security/apparmor/context.c b/security/apparmor/task.c
similarity index 74%
rename from security/apparmor/context.c
rename to security/apparmor/task.c
index d95a3d47cb92..36eb8707ad89 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/task.c
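Review bot: The kernel-doc for `struct aa_task_ctx`, carried over verbatim into the new header, still documents a member that does not exist: `@token` is said to be needed `for returning to @previous_profile`, but the member is `previous`, and all three members are `struct aa_label *` rather than profiles. Since this file is the struct's new home, fix the text as part of the move: `* @onexec: label to transition to on next exec (MAY BE NULL)`, `* @previous: label the task may return to (MAY BE NULL)`, `* @token: magic value the task must know for returning to @previous`. The `aa_alloc_task_ctx` kernel-doc would also benefit from stating the ownership contract that is currently only visible in the code: the returned ctx is zero-filled (`kzalloc`) and must be released with `aa_free_task_ctx`, which drops the `previous` and `onexec` references and zeroes the struct (`kzfree`) before freeing it, so the change_hat `token` does not linger in freed memory. The lsm.c hunks in this section are mechanical `current_task_ctx()` to `task_ctx(current)` replacements and read fine.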
@@ -1,32 +1,23 @@
 /*
 * AppArmor security module
 *
- * This file contains AppArmor functions used to manipulate object security
- * contexts.
+ * This file contains AppArmor task related definitions and mediation
 *
- * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2017 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
- *
- * AppArmor sets confinement on every task, via the cred_label() which
- * is required and are not allowed to be NULL. The cred_label is
- * reference counted.
- *
 * TODO
 * If a task uses change_hat it currently does not return to the old
 * cred or task context but instead creates a new one. Ideally the task
 * should return to the previous cred if it has not been modified.
- *
 */
 #include "include/context.h"
-#include "include/policy.h"
-
+#include "include/task.h"
 /**
 * aa_get_task_label - Get another task's label
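Review bot: This hunk deletes the only written statement of the cred_label() invariant — that every task carries a cred_label, that it must never be NULL, and that it is reference counted — without relocating it, even though the domain.c hunk in this same patch still asserts it (`AA_BUG(!cred_label(bprm->cred))`). That sentence belongs next to the `cred_label()` macro in context.h, which the patch already edits; suggest adding `/* every task's cred carries a label; it is never NULL and is reference counted */` above that define. Separately, the added `#include "include/task.h"` is redundant because context.h now includes task.h (see the context.h hunk), though keeping it explicit does no harm, and the dropped `#include "include/policy.h"` is only safe if nothing left in this file relies on it, which I cannot confirm from the hunks shown. The `aa_get_task_label` kernel-doc that this hunk ends on continues outside it.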
@@ -46,43 +37,6 @@ struct aa_label *aa_get_task_label(struct task_struct *task)
 }
 /**
- * aa_alloc_task_ctx - allocate a new task_ctx
- * @flags: gfp flags for allocation
- *
- * Returns: allocated buffer or NULL on failure
- */
-struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags)
-{
- return kzalloc(sizeof(struct aa_task_ctx), flags);
-}
-
-/**
- * aa_free_task_ctx - free a task_ctx
- * @ctx: task_ctx to free (MAYBE NULL)
- */
-void aa_free_task_ctx(struct aa_task_ctx *ctx)
-{
- if (ctx) {
- aa_put_label(ctx->previous);
- aa_put_label(ctx->onexec);
-
- kzfree(ctx);
- }
-}
-
-/**
- * aa_dup_task_ctx - duplicate a task context, incrementing reference counts
- * @new: a blank task context (NOT NULL)
- * @old: the task context to copy (NOT NULL)
- */
-void aa_dup_task_ctx(struct aa_task_ctx *new, const struct aa_task_ctx *old)
-{
- *new = *old;
- aa_get_label(new->previous);
- aa_get_label(new->onexec);
-}
-
-/**
 * aa_replace_current_label - replace the current tasks label
 * @label: new label (NOT NULL)
 *
@@ -110,7 +64,7 @@ int aa_replace_current_label(struct aa_label *label)
 * if switching to unconfined or a different label namespace
 * clear out context state
 */
- aa_clear_task_ctx_trans(current_task_ctx());
+ aa_clear_task_ctx_trans(task_ctx(current));
 /*
 * be careful switching cred label, when racing replacement it
@@ -126,6 +80,7 @@ int aa_replace_current_label(struct aa_label *label)
 return 0;
 }
+
 /**
 * aa_set_current_onexec - set the tasks change_profile to happen onexec
 * @label: system label to set at exec (MAYBE NULL to clear value)
@@ -134,7 +89,7 @@ int aa_replace_current_label(struct aa_label *label)
 */
 int aa_set_current_onexec(struct aa_label *label, bool stack)
 {
- struct aa_task_ctx *ctx = current_task_ctx();
+ struct aa_task_ctx *ctx = task_ctx(current);
 aa_get_label(label);
 aa_put_label(ctx->onexec);
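Review bot: The `@@ -126,6 +80,7 @@` hunk adds a second blank line between the closing brace of `aa_replace_current_label` and the `/**` kernel-doc of `aa_set_current_onexec`; that is unrelated to the move and leaves two consecutive blank lines, which checkpatch reports. Drop the added `+` line so function spacing stays consistent with the rest of the file. The first hunk, removing the three helpers now inlined in task.h, is a pure move, and the `@@ -110` and `@@ -134` hunks are mechanical `current_task_ctx()` to `task_ctx(current)` replacements whose enclosing functions start and end outside the hunks.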
@@ -156,7 +111,7 @@ int aa_set_current_onexec(struct aa_label *label, bool stack)
 */
 int aa_set_current_hat(struct aa_label *label, u64 token)
 {
- struct aa_task_ctx *ctx = current_task_ctx();
+ struct aa_task_ctx *ctx = task_ctx(current);
 struct cred *new;
 new = prepare_creds();
@@ -196,7 +151,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
 */
 int aa_restore_previous_label(u64 token)
 {
- struct aa_task_ctx *ctx = current_task_ctx();
+ struct aa_task_ctx *ctx = task_ctx(current);
 struct cred *new;
 if (ctx->token != token)
-- 
2.11.0