1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor task related definitions and mediation
6  *
7  * Copyright 2017 Canonical Ltd.
8  */
9 
10 #ifndef __AA_TASK_H
11 #define __AA_TASK_H
12 
/**
 * task_ctx - locate AppArmor's task context inside a task's LSM blob
 * @task: task whose security blob is consulted (NOT NULL)
 *
 * The task security blob is shared between LSMs; AppArmor's portion
 * starts @apparmor_blob_sizes.lbs_task bytes into it. No NULL check is
 * made on @task->security, so the blob must already be allocated.
 *
 * Returns: pointer to the embedded struct aa_task_ctx
 */
static inline struct aa_task_ctx *task_ctx(struct task_struct *task)
{
	void *blob = task->security;

	return blob + apparmor_blob_sizes.lbs_task;
}
17 
/**
 * struct aa_task_ctx - information for current task label change
 * @nnp: snapshot of label at time of no_new_privs
 * @onexec: label to transition to on next exec  (MAY BE NULL)
 * @previous: label the task may return to     (MAY BE NULL)
 * @token: magic value the task must know for returning to @previous
 *         (presumably the @cookie checked by aa_restore_previous_label())
 *
 * Lives inside the task's LSM security blob (see task_ctx()); the label
 * pointers are counted references released by aa_free_task_ctx().
 */
struct aa_task_ctx {
	struct aa_label *nnp;
	struct aa_label *onexec;
	struct aa_label *previous;
	u64 token;
};
31 
/* Label transition entry points for the current task (defined elsewhere). */
int aa_replace_current_label(struct aa_label *label);
void aa_set_current_onexec(struct aa_label *label, bool stack);
/* @token is recorded so the task can later return from the hat. */
int aa_set_current_hat(struct aa_label *label, u64 token);
/* @cookie is presumably compared against the recorded token — verify in caller. */
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);
37 
/**
 * aa_free_task_ctx - release the label references held by a task_ctx
 * @ctx: task_ctx to release (MAYBE NULL)
 *
 * Drops the references on @nnp, @previous and @onexec. The ctx itself is
 * not freed here; it is embedded in the task's security blob. A NULL
 * @ctx is a no-op.
 */
static inline void aa_free_task_ctx(struct aa_task_ctx *ctx)
{
	if (!ctx)
		return;

	aa_put_label(ctx->nnp);
	aa_put_label(ctx->previous);
	aa_put_label(ctx->onexec);
}
50 
/**
 * aa_dup_task_ctx - copy a task context, taking a reference on each label
 * @new: a blank task context      (NOT NULL)
 * @old: the task context to copy  (NOT NULL)
 *
 * Every field of @old, including @token, is copied into @new, so the copy
 * can return to @previous with the same cookie as the original. Each label
 * pointer gains one reference on behalf of @new. Any reference @new might
 * already hold is overwritten without being released, hence "blank".
 */
static inline void aa_dup_task_ctx(struct aa_task_ctx *new,
				   const struct aa_task_ctx *old)
{
	/* take the references first; the pointers are the same either way */
	aa_get_label(old->nnp);
	aa_get_label(old->previous);
	aa_get_label(old->onexec);

	*new = *old;
}
64 
/**
 * aa_clear_task_ctx_trans - drop the pending/previous transition state
 * @ctx: task context to clear (NOT NULL)
 *
 * Releases @previous and @onexec, NULLs both pointers and resets @token
 * to 0 so no stale return cookie survives. @nnp is left untouched.
 */
static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
{
	AA_BUG(!ctx);

	aa_put_label(ctx->previous);
	ctx->previous = NULL;

	aa_put_label(ctx->onexec);
	ctx->onexec = NULL;

	ctx->token = 0;
}
79 
/*
 * ptrace permissions reuse the generic file permission bits: MAY_WRITE /
 * MAY_READ on the tracer side, AA_MAY_APPEND / AA_MAY_CREATE on the
 * "may be traced / read" tracee side.
 */
#define AA_PTRACE_TRACE		MAY_WRITE
#define AA_PTRACE_READ		MAY_READ
#define AA_MAY_BE_TRACED	AA_MAY_APPEND
#define AA_MAY_BE_READ		AA_MAY_CREATE
/* NOTE(review): looks like the bit distance from tracer to tracee bits — confirm against the perm values */
#define PTRACE_PERM_SHIFT	2

/* all bits a ptrace request may carry; anything else is not a ptrace perm */
#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
			     AA_MAY_BE_READ | AA_MAY_BE_TRACED)
/* signal mediation only uses the read/write bits */
#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)
89 
/* space-separated signal names advertised through securityfs (presumably
 * the signal "mask" entry); keep in sync with the signal table it describes */
#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
	"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
	"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
93 
/*
 * aa_may_ptrace - mediate a ptrace request by @tracer on @tracee
 * @request: AA_PTRACE_* / AA_MAY_BE_* bits, see AA_PTRACE_PERM_MASK
 * Return value convention is defined with the implementation (presumably
 * 0 on allow, negative error otherwise — verify there).
 */
int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
		  const struct cred *tracee_cred, struct aa_label *tracee,
		  u32 request);
97 
98 
99 
/* request bit for user namespace creation, passed to aa_profile_ns_perm() */
#define AA_USERNS_CREATE	8

/* NOTE(review): @request is expected to be AA_USERNS_CREATE; confirm with the implementation */
int aa_profile_ns_perm(struct aa_profile *profile,
		       struct apparmor_audit_data *ad, u32 request);
104 
105 #endif /* __AA_TASK_H */