1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
2 | /* |
3 | * AppArmor security module |
4 | * |
5 | * This file contains AppArmor task related definitions and mediation |
6 | * |
7 | * Copyright 2017 Canonical Ltd. |
8 | */ |
9 | |
10 | #ifndef __AA_TASK_H |
11 | #define __AA_TASK_H |
12 | |
/**
 * task_ctx - locate the AppArmor task context inside a task's security blob
 * @task: task whose context is wanted (NOT NULL)
 *
 * The context is not allocated separately; it sits at the AppArmor offset
 * (apparmor_blob_sizes.lbs_task) within @task->security.
 *
 * Returns: pointer to the task's aa_task_ctx
 */
static inline struct aa_task_ctx *task_ctx(struct task_struct *task)
{
	struct aa_task_ctx *ctx;

	ctx = task->security + apparmor_blob_sizes.lbs_task;
	return ctx;
}
17 | |
/*
 * struct aa_task_ctx - information for current task label change
 * @nnp: snapshot of label at time of no_new_privs
 * @onexec: label to transition to on next exec (MAY BE NULL)
 * @previous: label the task may return to (MAY BE NULL)
 * @token: magic value the task must know for returning to @previous
 *
 * Each label pointer held here carries its own reference; the helpers
 * below (aa_dup_task_ctx / aa_free_task_ctx / aa_clear_task_ctx_trans)
 * are responsible for taking and dropping those references.
 */
struct aa_task_ctx {
	struct aa_label *nnp;
	struct aa_label *onexec;
	struct aa_label *previous;
	u64 token;		/* compared when returning to @previous */
};
31 | |
/*
 * Label-change entry points; the implementations live outside this header.
 * NOTE(review): return conventions (0 / -errno) are not visible here —
 * confirm against the definitions before relying on them.
 */
int aa_replace_current_label(struct aa_label *label);
void aa_set_current_onexec(struct aa_label *label, bool stack);
/* @token: presumably recorded as aa_task_ctx.token — verify in the definition */
int aa_set_current_hat(struct aa_label *label, u64 token);
/* @cookie: presumably checked against aa_task_ctx.token before the return */
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);
37 | |
/**
 * aa_free_task_ctx - drop the label references held by a task_ctx
 * @ctx: task_ctx to free (MAYBE NULL)
 *
 * Releases the references on @nnp, @previous and @onexec. The storage for
 * @ctx itself is not freed here, and the pointers are left as they are.
 */
static inline void aa_free_task_ctx(struct aa_task_ctx *ctx)
{
	if (!ctx)
		return;

	aa_put_label(ctx->nnp);
	aa_put_label(ctx->previous);
	aa_put_label(ctx->onexec);
}
50 | |
/**
 * aa_dup_task_ctx - duplicate a task context, incrementing reference counts
 * @new: a blank task context (NOT NULL)
 * @old: the task context to copy (NOT NULL)
 *
 * @new ends up holding the same labels and token as @old, with one extra
 * reference taken on each label so both contexts can be released
 * independently.
 */
static inline void aa_dup_task_ctx(struct aa_task_ctx *new,
				   const struct aa_task_ctx *old)
{
	/* copy the fields, then take a reference on each copied label */
	new->nnp = old->nnp;
	new->onexec = old->onexec;
	new->previous = old->previous;
	new->token = old->token;

	aa_get_label(new->nnp);
	aa_get_label(new->previous);
	aa_get_label(new->onexec);
}
64 | |
/**
 * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
 * @ctx: task context to clear (NOT NULL)
 *
 * Drops the references on @previous and @onexec, NULLs both pointers and
 * resets @token. @nnp is deliberately left untouched.
 */
static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
{
	struct aa_label *prev, *exec;

	AA_BUG(!ctx);

	/* detach the pointers first so the ctx never refers to a dropped label */
	prev = ctx->previous;
	exec = ctx->onexec;
	ctx->previous = NULL;
	ctx->onexec = NULL;
	ctx->token = 0;

	aa_put_label(prev);
	aa_put_label(exec);
}
79 | |
/*
 * ptrace permission bits, expressed as aliases of the generic MAY_*/AA_MAY_*
 * bits. AA_PTRACE_* name the tracer's request; AA_MAY_BE_* presumably name
 * the tracee side — confirm at the mediation site.
 */
#define AA_PTRACE_TRACE		MAY_WRITE
#define AA_PTRACE_READ		MAY_READ
#define AA_MAY_BE_TRACED	AA_MAY_APPEND
#define AA_MAY_BE_READ		AA_MAY_CREATE
/* NOTE(review): not used in this header; meaning of the shift is at the use site */
#define PTRACE_PERM_SHIFT	2

/* every bit a ptrace rule may carry (both tracer and tracee aliases above) */
#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
			     AA_MAY_BE_READ | AA_MAY_BE_TRACED)
/* signal rules only distinguish send (MAY_WRITE) from receive (MAY_READ) — presumably; verify */
#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)

/*
 * Space-separated signal names; presumably exported through securityfs so
 * userspace can learn which signals the kernel mediates. Keep the order and
 * spelling stable — userspace may parse this string.
 */
#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
	"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
	"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
93 | |
/*
 * aa_may_ptrace - mediate a ptrace request between two labels
 * @tracer_cred: credentials of the tracing task
 * @tracer: label of the tracing task
 * @tracee_cred: credentials of the task being traced
 * @tracee: label of the task being traced
 * @request: requested permission bits (presumably a subset of
 *           AA_PTRACE_PERM_MASK — confirm against the definition)
 */
int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
		  const struct cred *tracee_cred, struct aa_label *tracee,
		  u32 request);

/*
 * request bit for user-namespace creation checks.
 * NOTE(review): the literal 8 is not derived from the MAY_* bits above —
 * confirm it cannot collide with them wherever @request values are combined.
 */
#define AA_USERNS_CREATE	8

/*
 * aa_profile_ns_perm - mediate a namespace permission request for @profile
 * @profile: profile being checked
 * @ad: audit data for the request
 * @request: requested permission bits (e.g. AA_USERNS_CREATE)
 */
int aa_profile_ns_perm(struct aa_profile *profile,
		       struct apparmor_audit_data *ad, u32 request);
104 | |
105 | #endif /* __AA_TASK_H */ |
106 | |