d9bf2c268b
Add a policy revision file to find the current revision of a ns's policy. There is a revision file per ns, as well as a virtualized global revision file in the base apparmor fs directory. The global revision file when opened will provide the revision of the opening task namespace. The revision file can be waited on via select/poll to detect apparmor policy changes from the last read revision of the opened file. This means that the revision file must be read after the select/poll other wise update data will remain ready for reading. Signed-off-by: John Johansen <john.johansen@canonical.com>
125 lines
3.3 KiB
C
125 lines
3.3 KiB
C
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor filesystem definitions.
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*/
|
|
|
|
#ifndef __AA_APPARMORFS_H
|
|
#define __AA_APPARMORFS_H
|
|
|
|
extern struct path aa_null;
|
|
|
|
enum aa_sfs_type {
|
|
AA_SFS_TYPE_BOOLEAN,
|
|
AA_SFS_TYPE_STRING,
|
|
AA_SFS_TYPE_U64,
|
|
AA_SFS_TYPE_FOPS,
|
|
AA_SFS_TYPE_DIR,
|
|
};
|
|
|
|
struct aa_sfs_entry;
|
|
|
|
struct aa_sfs_entry {
|
|
const char *name;
|
|
struct dentry *dentry;
|
|
umode_t mode;
|
|
enum aa_sfs_type v_type;
|
|
union {
|
|
bool boolean;
|
|
char *string;
|
|
unsigned long u64;
|
|
struct aa_sfs_entry *files;
|
|
} v;
|
|
const struct file_operations *file_ops;
|
|
};
|
|
|
|
extern const struct file_operations aa_sfs_seq_file_ops;
|
|
|
|
#define AA_SFS_FILE_BOOLEAN(_name, _value) \
|
|
{ .name = (_name), .mode = 0444, \
|
|
.v_type = AA_SFS_TYPE_BOOLEAN, .v.boolean = (_value), \
|
|
.file_ops = &aa_sfs_seq_file_ops }
|
|
#define AA_SFS_FILE_STRING(_name, _value) \
|
|
{ .name = (_name), .mode = 0444, \
|
|
.v_type = AA_SFS_TYPE_STRING, .v.string = (_value), \
|
|
.file_ops = &aa_sfs_seq_file_ops }
|
|
#define AA_SFS_FILE_U64(_name, _value) \
|
|
{ .name = (_name), .mode = 0444, \
|
|
.v_type = AA_SFS_TYPE_U64, .v.u64 = (_value), \
|
|
.file_ops = &aa_sfs_seq_file_ops }
|
|
#define AA_SFS_FILE_FOPS(_name, _mode, _fops) \
|
|
{ .name = (_name), .v_type = AA_SFS_TYPE_FOPS, \
|
|
.mode = (_mode), .file_ops = (_fops) }
|
|
#define AA_SFS_DIR(_name, _value) \
|
|
{ .name = (_name), .v_type = AA_SFS_TYPE_DIR, .v.files = (_value) }
|
|
|
|
extern void __init aa_destroy_aafs(void);
|
|
|
|
struct aa_profile;
|
|
struct aa_ns;
|
|
|
|
enum aafs_ns_type {
|
|
AAFS_NS_DIR,
|
|
AAFS_NS_PROFS,
|
|
AAFS_NS_NS,
|
|
AAFS_NS_RAW_DATA,
|
|
AAFS_NS_LOAD,
|
|
AAFS_NS_REPLACE,
|
|
AAFS_NS_REMOVE,
|
|
AAFS_NS_REVISION,
|
|
AAFS_NS_COUNT,
|
|
AAFS_NS_MAX_COUNT,
|
|
AAFS_NS_SIZE,
|
|
AAFS_NS_MAX_SIZE,
|
|
AAFS_NS_OWNER,
|
|
AAFS_NS_SIZEOF,
|
|
};
|
|
|
|
enum aafs_prof_type {
|
|
AAFS_PROF_DIR,
|
|
AAFS_PROF_PROFS,
|
|
AAFS_PROF_NAME,
|
|
AAFS_PROF_MODE,
|
|
AAFS_PROF_ATTACH,
|
|
AAFS_PROF_HASH,
|
|
AAFS_PROF_RAW_DATA,
|
|
AAFS_PROF_RAW_HASH,
|
|
AAFS_PROF_RAW_ABI,
|
|
AAFS_PROF_SIZEOF,
|
|
};
|
|
|
|
#define ns_dir(X) ((X)->dents[AAFS_NS_DIR])
|
|
#define ns_subns_dir(X) ((X)->dents[AAFS_NS_NS])
|
|
#define ns_subprofs_dir(X) ((X)->dents[AAFS_NS_PROFS])
|
|
#define ns_subdata_dir(X) ((X)->dents[AAFS_NS_RAW_DATA])
|
|
#define ns_subload(X) ((X)->dents[AAFS_NS_LOAD])
|
|
#define ns_subreplace(X) ((X)->dents[AAFS_NS_REPLACE])
|
|
#define ns_subremove(X) ((X)->dents[AAFS_NS_REMOVE])
|
|
#define ns_subrevision(X) ((X)->dents[AAFS_NS_REVISION])
|
|
|
|
#define prof_dir(X) ((X)->dents[AAFS_PROF_DIR])
|
|
#define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS])
|
|
|
|
void __aa_bump_ns_revision(struct aa_ns *ns);
|
|
void __aafs_profile_rmdir(struct aa_profile *profile);
|
|
void __aafs_profile_migrate_dents(struct aa_profile *old,
|
|
struct aa_profile *new);
|
|
int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent);
|
|
void __aafs_ns_rmdir(struct aa_ns *ns);
|
|
int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name,
|
|
struct dentry *dent);
|
|
|
|
struct aa_loaddata;
|
|
void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata);
|
|
int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata);
|
|
|
|
#endif /* __AA_APPARMORFS_H */
|