/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * AppArmor security module
 *
 * This file contains AppArmor task related definitions and mediation
 *
 * Copyright 2017 Canonical Ltd.
 */
9de62de59SJohn Johansen
10de62de59SJohn Johansen #ifndef __AA_TASK_H
11de62de59SJohn Johansen #define __AA_TASK_H
12de62de59SJohn Johansen
/*
 * task_ctx - locate AppArmor's per-task context inside the LSM blob
 * @task: task whose security blob is examined
 *
 * The context is not a separate allocation: it sits at byte offset
 * apparmor_blob_sizes.lbs_task inside task->security, the blob the LSM
 * framework sized to hold every module's per-task data.
 */
static inline struct aa_task_ctx *task_ctx(struct task_struct *task)
{
	void *blob = task->security;

	/* byte-offset arithmetic on void * (GNU extension, as elsewhere in the kernel) */
	return blob + apparmor_blob_sizes.lbs_task;
}
17de62de59SJohn Johansen
/**
 * struct aa_task_ctx - information for current task label change
 * @nnp: snapshot of label at time of no_new_privs
 * @onexec: profile to transition to on next exec (MAY BE NULL)
 * @previous: profile the task may return to (MAY BE NULL)
 * @token: magic value the task must know for returning to @previous;
 *         zeroed together with @previous by aa_clear_task_ctx_trans()
 *
 * Each label member is a counted reference: aa_dup_task_ctx() takes one
 * reference per member and aa_free_task_ctx() drops one per member, so a
 * ctx owns exactly one reference on every non-NULL label it points to.
 */
struct aa_task_ctx {
	struct aa_label *nnp;
	struct aa_label *onexec;
	struct aa_label *previous;
	u64 token;
};
31de62de59SJohn Johansen
/* Label transition API for the current task; implemented outside this header. */
int aa_replace_current_label(struct aa_label *label);
/* @stack: presumably selects stacking onto, rather than replacing, the current label -- confirm against the definition */
void aa_set_current_onexec(struct aa_label *label, bool stack);
/* @token: value recorded in aa_task_ctx.token that must be presented again to return */
int aa_set_current_hat(struct aa_label *label, u64 token);
/* @cookie: presumably compared against aa_task_ctx.token before the return is allowed -- confirm */
int aa_restore_previous_label(u64 cookie);
/* NOTE(review): the name suggests a counted reference the caller must aa_put_label(); confirm */
struct aa_label *aa_get_task_label(struct task_struct *task);
37de62de59SJohn Johansen
/**
 * aa_free_task_ctx - free a task_ctx
 * @ctx: task_ctx to free (MAYBE NULL)
 *
 * Drops the reference held on each of @nnp, @previous and @onexec.  Nothing
 * is deallocated here and the members are not cleared, so @ctx must not be
 * reused afterwards without being reinitialised.  Each member is passed to
 * aa_put_label() unconditionally, so that helper is relied on to accept NULL.
 */
static inline void aa_free_task_ctx(struct aa_task_ctx *ctx)
{
	if (!ctx)
		return;

	aa_put_label(ctx->onexec);
	aa_put_label(ctx->previous);
	aa_put_label(ctx->nnp);
}
50de62de59SJohn Johansen
/**
 * aa_dup_task_ctx - duplicate a task context, incrementing reference counts
 * @new: a blank task context (NOT NULL)
 * @old: the task context to copy (NOT NULL)
 *
 * After the call @new owns its own reference on every label @old points to;
 * @token is copied verbatim.  @new must be blank: any labels it already held
 * are overwritten by the struct copy without being released.
 */
static inline void aa_dup_task_ctx(struct aa_task_ctx *new,
				   const struct aa_task_ctx *old)
{
	/* copy every member first, then take one reference per copied pointer */
	*new = *old;

	aa_get_label(new->onexec);
	aa_get_label(new->previous);
	aa_get_label(new->nnp);
}
64de62de59SJohn Johansen
/**
 * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
 * @ctx: task context to clear (NOT NULL)
 *
 * Releases @previous and @onexec and zeroes @token, so neither the pending
 * exec transition nor the return to the previous label remains armed.
 * @nnp is deliberately left untouched.
 */
static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
{
	AA_BUG(!ctx);

	aa_put_label(ctx->previous);
	ctx->previous = NULL;

	aa_put_label(ctx->onexec);
	ctx->onexec = NULL;

	/* the return token is only meaningful alongside @previous */
	ctx->token = 0;
}
79de62de59SJohn Johansen
/*
 * ptrace permissions are encoded in the file permission bit space:
 * the tracer-side bits reuse MAY_WRITE/MAY_READ and the tracee-side
 * "may be traced"/"may be read" bits reuse AA_MAY_APPEND/AA_MAY_CREATE.
 */
#define AA_PTRACE_TRACE		MAY_WRITE
#define AA_PTRACE_READ		MAY_READ
#define AA_MAY_BE_TRACED	AA_MAY_APPEND
#define AA_MAY_BE_READ		AA_MAY_CREATE
/* NOTE(review): presumably the bit distance between tracer and tracee positions; confirm at the use site */
#define PTRACE_PERM_SHIFT	2

/* every bit a ptrace request may legitimately carry */
#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
			     AA_MAY_BE_READ | AA_MAY_BE_TRACED)
#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)

/* space-separated signal names; the SFS prefix suggests these are exported via securityfs */
#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
	"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
	"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
93eac93125SJohn Johansen
/*
 * aa_may_ptrace - check whether @tracer may ptrace @tracee
 * @tracer_cred/@tracer: credentials and label of the tracing task
 * @tracee_cred/@tracee: credentials and label of the task to be traced
 * @request: AA_PTRACE_* / AA_MAY_BE_* bits being requested
 *           (presumably masked with AA_PTRACE_PERM_MASK at the definition -- confirm)
 */
int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
		  const struct cred *tracee_cred, struct aa_label *tracee,
		  u32 request);


/* user namespace creation permission; the only namespace request bit defined here */
#define AA_USERNS_CREATE	8

/*
 * aa_profile_ns_perm - check a namespace permission for @profile
 * @ad: audit data, presumably filled in for the resulting allow/deny record
 * @request: namespace permission bits, e.g. AA_USERNS_CREATE
 */
int aa_profile_ns_perm(struct aa_profile *profile,
		       struct apparmor_audit_data *ad, u32 request);
104*fa9b63adSJohn Johansen
105de62de59SJohn Johansen #endif /* __AA_TASK_H */
106