c88d4c7b04
The basic routines and defines for AppArmor policy. AppArmor policy
is defined by a few basic components.
profiles - the basic unit of confinement contain all the information
to enforce policy on a task
Profiles tend to be named after an executable that they
will attach to but this is not required.
namespaces - a container for a set of profiles that will be used
during attachment and transitions between profiles.
sids - which provide a unique id for each profile
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
55 lines
1.2 KiB
C
55 lines
1.2 KiB
C
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor security identifier (sid) manipulation fns
|
|
*
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*
|
|
*
|
|
* AppArmor allocates a unique sid for every profile loaded. If a profile
|
|
* is replaced it receives the sid of the profile it is replacing.
|
|
*
|
|
* The sid value of 0 is invalid.
|
|
*/
|
|
|
|
#include <linux/spinlock.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/err.h>
|
|
|
|
#include "include/sid.h"
|
|
|
|
/* global counter from which sids are allocated */
|
|
static u32 global_sid;
|
|
static DEFINE_SPINLOCK(sid_lock);
|
|
|
|
/* TODO FIXME: add sid to profile mapping, and sid recycling */
|
|
|
|
/**
|
|
* aa_alloc_sid - allocate a new sid for a profile
|
|
*/
|
|
u32 aa_alloc_sid(void)
|
|
{
|
|
u32 sid;
|
|
|
|
/*
|
|
* TODO FIXME: sid recycling - part of profile mapping table
|
|
*/
|
|
spin_lock(&sid_lock);
|
|
sid = (++global_sid);
|
|
spin_unlock(&sid_lock);
|
|
return sid;
|
|
}
|
|
|
|
/**
|
|
* aa_free_sid - free a sid
|
|
* @sid: sid to free
|
|
*/
|
|
void aa_free_sid(u32 sid)
|
|
{
|
|
; /* NOP ATM */
|
|
}
|