apparmor: move task related defines and fns to task.X files

Signed-off-by: John Johansen <john.johansen@canonical.com>

security/apparmor/Makefile

@@ -3,7 +3,7 @@
 #
 obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
 
-apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \
               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
               resource.o secid.o file.o policy_ns.o label.o mount.o
 apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o

security/apparmor/domain.c

@@ -794,7 +794,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	if (bprm->called_set_creds)
 		return 0;
 
-	ctx = current_task_ctx();
+	ctx = task_ctx(current);
 	AA_BUG(!cred_label(bprm->cred));
 	AA_BUG(!ctx);
 
@@ -1067,7 +1067,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
 
 	/* released below */
 	cred = get_current_cred();
-	ctx = current_task_ctx();
+	ctx = task_ctx(current);
 	label = aa_get_newest_cred_label(cred);
 	previous = aa_get_newest_label(ctx->previous);
 

security/apparmor/include/context.h

@@ -21,33 +21,10 @@
 
 #include "label.h"
 #include "policy_ns.h"
+#include "task.h"
 
-#define task_ctx(X) ((X)->security)
-#define current_task_ctx() (task_ctx(current))
 #define cred_label(X) ((X)->security)
 
-/*
- * struct aa_task_ctx - information for current task label change
- * @onexec: profile to transition to on next exec  (MAY BE NULL)
- * @previous: profile the task may return to     (MAY BE NULL)
- * @token: magic value the task must know for returning to @previous_profile
- */
-struct aa_task_ctx {
-	struct aa_label *onexec;
-	struct aa_label *previous;
-	u64 token;
-};
-
-struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags);
-void aa_free_task_ctx(struct aa_task_ctx *ctx);
-void aa_dup_task_ctx(struct aa_task_ctx *new, const struct aa_task_ctx *old);
-
-int aa_replace_current_label(struct aa_label *label);
-int aa_set_current_onexec(struct aa_label *label, bool stack);
-int aa_set_current_hat(struct aa_label *label, u64 token);
-int aa_restore_previous_label(u64 cookie);
-struct aa_label *aa_get_task_label(struct task_struct *task);
-
 
 /**
  * aa_cred_raw_label - obtain cred's label
@@ -196,19 +173,4 @@ static inline struct aa_ns *aa_get_current_ns(void)
 	return ns;
 }
 
-/**
- * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
- * @ctx: task context to clear (NOT NULL)
- */
-static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
-{
-	AA_BUG(!ctx);
-
-	aa_put_label(ctx->previous);
-	aa_put_label(ctx->onexec);
-	ctx->previous = NULL;
-	ctx->onexec = NULL;
-	ctx->token = 0;
-}
-
 #endif /* __AA_CONTEXT_H */

security/apparmor/include/task.h

@@ -0,0 +1,90 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor task related definitions and mediation
+ *
+ * Copyright 2017 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_TASK_H
+#define __AA_TASK_H
+
+#define task_ctx(X) ((X)->security)
+
+/*
+ * struct aa_task_ctx - information for current task label change
+ * @onexec: profile to transition to on next exec  (MAY BE NULL)
+ * @previous: profile the task may return to     (MAY BE NULL)
+ * @token: magic value the task must know for returning to @previous_profile
+ */
+struct aa_task_ctx {
+	struct aa_label *onexec;
+	struct aa_label *previous;
+	u64 token;
+};
+
+int aa_replace_current_label(struct aa_label *label);
+int aa_set_current_onexec(struct aa_label *label, bool stack);
+int aa_set_current_hat(struct aa_label *label, u64 token);
+int aa_restore_previous_label(u64 cookie);
+struct aa_label *aa_get_task_label(struct task_struct *task);
+
+/**
+ * aa_alloc_task_ctx - allocate a new task_ctx
+ * @flags: gfp flags for allocation
+ *
+ * Returns: allocated buffer or NULL on failure
+ */
+static inline struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags)
+{
+	return kzalloc(sizeof(struct aa_task_ctx), flags);
+}
+
+/**
+ * aa_free_task_ctx - free a task_ctx
+ * @ctx: task_ctx to free (MAYBE NULL)
+ */
+static inline void aa_free_task_ctx(struct aa_task_ctx *ctx)
+{
+	if (ctx) {
+		aa_put_label(ctx->previous);
+		aa_put_label(ctx->onexec);
+
+		kzfree(ctx);
+	}
+}
+
+/**
+ * aa_dup_task_ctx - duplicate a task context, incrementing reference counts
+ * @new: a blank task context      (NOT NULL)
+ * @old: the task context to copy  (NOT NULL)
+ */
+static inline void aa_dup_task_ctx(struct aa_task_ctx *new,
+				   const struct aa_task_ctx *old)
+{
+	*new = *old;
+	aa_get_label(new->previous);
+	aa_get_label(new->onexec);
+}
+
+/**
+ * aa_clear_task_ctx_trans - clear transition tracking info from the ctx
+ * @ctx: task context to clear (NOT NULL)
+ */
+static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
+{
+	AA_BUG(!ctx);
+
+	aa_put_label(ctx->previous);
+	aa_put_label(ctx->onexec);
+	ctx->previous = NULL;
+	ctx->onexec = NULL;
+	ctx->token = 0;
+}
+
+#endif /* __AA_TASK_H */

security/apparmor/lsm.c

@@ -101,7 +101,7 @@ static int apparmor_task_alloc(struct task_struct *task,
 	if (!new)
 		return -ENOMEM;
 
-	aa_dup_task_ctx(new, current_task_ctx());
+	aa_dup_task_ctx(new, task_ctx(current));
 	task_ctx(task) = new;
 
 	return 0;
@@ -582,7 +582,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
 	int error = -ENOENT;
 	/* released below */
 	const struct cred *cred = get_task_cred(task);
-	struct aa_task_ctx *ctx = current_task_ctx();
+	struct aa_task_ctx *ctx = task_ctx(current);
 	struct aa_label *label = NULL;
 
 	if (strcmp(name, "current") == 0)
@@ -705,7 +705,7 @@ static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
 {
 	/* clear out temporary/transitional state from the context */
-	aa_clear_task_ctx_trans(current_task_ctx());
+	aa_clear_task_ctx_trans(task_ctx(current));
 
 	return;
 }

security/apparmor/context.c → security/apparmor/task.c

@@ -1,32 +1,23 @@
 /*
  * AppArmor security module
  *
- * This file contains AppArmor functions used to manipulate object security
- * contexts.
+ * This file contains AppArmor task related definitions and mediation
  *
- * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2017 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
  * published by the Free Software Foundation, version 2 of the
  * License.
  *
- *
- * AppArmor sets confinement on every task, via the cred_label() which
- * is required and are not allowed to be NULL.  The cred_label is
- * reference counted.
- *
  * TODO
  * If a task uses change_hat it currently does not return to the old
  * cred or task context but instead creates a new one.  Ideally the task
  * should return to the previous cred if it has not been modified.
- *
  */
 
 #include "include/context.h"
-#include "include/policy.h"
-
+#include "include/task.h"
 
 /**
  * aa_get_task_label - Get another task's label
@@ -45,43 +36,6 @@ struct aa_label *aa_get_task_label(struct task_struct *task)
 	return p;
 }
 
-/**
- * aa_alloc_task_ctx - allocate a new task_ctx
- * @flags: gfp flags for allocation
- *
- * Returns: allocated buffer or NULL on failure
- */
-struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags)
-{
-	return kzalloc(sizeof(struct aa_task_ctx), flags);
-}
-
-/**
- * aa_free_task_ctx - free a task_ctx
- * @ctx: task_ctx to free (MAYBE NULL)
- */
-void aa_free_task_ctx(struct aa_task_ctx *ctx)
-{
-	if (ctx) {
-		aa_put_label(ctx->previous);
-		aa_put_label(ctx->onexec);
-
-		kzfree(ctx);
-	}
-}
-
-/**
- * aa_dup_task_ctx - duplicate a task context, incrementing reference counts
- * @new: a blank task context      (NOT NULL)
- * @old: the task context to copy  (NOT NULL)
- */
-void aa_dup_task_ctx(struct aa_task_ctx *new, const struct aa_task_ctx *old)
-{
-	*new = *old;
-	aa_get_label(new->previous);
-	aa_get_label(new->onexec);
-}
-
 /**
  * aa_replace_current_label - replace the current tasks label
  * @label: new label  (NOT NULL)
@@ -110,7 +64,7 @@ int aa_replace_current_label(struct aa_label *label)
 		 * if switching to unconfined or a different label namespace
 		 * clear out context state
 		 */
-		aa_clear_task_ctx_trans(current_task_ctx());
+		aa_clear_task_ctx_trans(task_ctx(current));
 
 	/*
 	 * be careful switching cred label, when racing replacement it
@@ -126,6 +80,7 @@ int aa_replace_current_label(struct aa_label *label)
 	return 0;
 }
 
+
 /**
  * aa_set_current_onexec - set the tasks change_profile to happen onexec
  * @label: system label to set at exec  (MAYBE NULL to clear value)
@@ -134,7 +89,7 @@ int aa_replace_current_label(struct aa_label *label)
  */
 int aa_set_current_onexec(struct aa_label *label, bool stack)
 {
-	struct aa_task_ctx *ctx = current_task_ctx();
+	struct aa_task_ctx *ctx = task_ctx(current);
 
 	aa_get_label(label);
 	aa_put_label(ctx->onexec);
@@ -156,7 +111,7 @@ int aa_set_current_onexec(struct aa_label *label, bool stack)
  */
 int aa_set_current_hat(struct aa_label *label, u64 token)
 {
-	struct aa_task_ctx *ctx = current_task_ctx();
+	struct aa_task_ctx *ctx = task_ctx(current);
 	struct cred *new;
 
 	new = prepare_creds();
@@ -196,7 +151,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
  */
 int aa_restore_previous_label(u64 token)
 {
-	struct aa_task_ctx *ctx = current_task_ctx();
+	struct aa_task_ctx *ctx = task_ctx(current);
 	struct cred *new;
 
 	if (ctx->token != token)