/* SPDX-License-Identifier: GPL-2.0-only */ /* * AppArmor security module * * This file contains AppArmor basic permission sets definitions. * * Copyright 2017 Canonical Ltd. */ #ifndef __AA_PERM_H #define __AA_PERM_H #include <linux/fs.h> #include "label.h" #define AA_MAY_EXEC … #define AA_MAY_WRITE … #define AA_MAY_READ … #define AA_MAY_APPEND … #define AA_MAY_CREATE … #define AA_MAY_DELETE … #define AA_MAY_OPEN … #define AA_MAY_RENAME … #define AA_MAY_SETATTR … #define AA_MAY_GETATTR … #define AA_MAY_SETCRED … #define AA_MAY_GETCRED … #define AA_MAY_CHMOD … #define AA_MAY_CHOWN … #define AA_MAY_CHGRP … #define AA_MAY_LOCK … #define AA_EXEC_MMAP … #define AA_MAY_MPROT … #define AA_MAY_LINK … #define AA_MAY_SNAPSHOT … #define AA_MAY_DELEGATE #define AA_CONT_MATCH … #define AA_MAY_STACK … #define AA_MAY_ONEXEC … #define AA_MAY_CHANGE_PROFILE … #define AA_MAY_CHANGEHAT … #define AA_LINK_SUBSET … #define AA_MAY_CREATE_SQPOLL … #define AA_MAY_OVERRIDE_CRED … #define AA_URING_PERM_MASK … #define PERMS_CHRS_MASK … #define PERMS_NAMES_MASK … extern const char aa_file_perm_chrs[]; extern const char *aa_file_perm_names[]; struct aa_perms { … }; /* * Indexes are broken into a 24 bit index and 8 bit flag. * For the index to be valid there must be a value in the flag */ #define AA_INDEX_MASK … #define AA_INDEX_FLAG_MASK … #define AA_INDEX_NONE … #define ALL_PERMS_MASK … extern struct aa_perms nullperms; extern struct aa_perms allperms; /** * aa_perms_accum_raw - accumulate perms with out masking off overlapping perms * @accum - perms struct to accumulate into * @addend - perms struct to add to @accum */ static inline void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend) { … } /** * aa_perms_accum - accumulate perms, masking off overlapping perms * @accum - perms struct to accumulate into * @addend - perms struct to add to @accum */ static inline void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend) { … } #define xcheck(FN1, FN2) … /* * TODO: update for labels pointing to labels instead of profiles * TODO: optimize the walk, currently does subwalk of L2 for each P in L1 * gah this doesn't allow for label compound check!!!! */ #define xcheck_ns_profile_profile(P1, P2, FN, args...) … #define xcheck_ns_profile_label(P, L, FN, args...) … #define xcheck_ns_labels(L1, L2, FN, args...) … /* Do the cross check but applying FN at the profiles level */ #define xcheck_labels_profiles(L1, L2, FN, args...) … #define xcheck_labels(L1, L2, P, FN1, FN2) … extern struct aa_perms default_perms; void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs, u32 mask); void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names, u32 mask); void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs, u32 chrsmask, const char * const *names, u32 namesmask); void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms); void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend); void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend); void aa_profile_match_label(struct aa_profile *profile, struct aa_ruleset *rules, struct aa_label *label, int type, u32 request, struct aa_perms *perms); int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target, u32 request, int type, u32 *deny, struct apparmor_audit_data *ad); int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms, u32 request, struct apparmor_audit_data *ad, void (*cb)(struct audit_buffer *, void *)); #endif /* __AA_PERM_H */
Codebase Browser
linux