55  * to trace the new domain
429 				 * The new match isn't more specific  in __attach_match()
552 	struct aa_label *new = NULL;  in x_to_label()  local
567 			new = x_table_lookup(profile, xindex, lookupname);  in x_to_label()
575 			new = find_attach(bprm, ns, &profile->base.profiles,  in x_to_label()
579 			new = find_attach(bprm, ns, &ns->base.profiles,  in x_to_label()
585 	if (!new) {  in x_to_label()
592 			new = aa_get_newest_label(&profile->label);  in x_to_label()
594 			new = aa_get_newest_label(ns_unconfined(profile->ns));  in x_to_label()
599 	if (new && stack) {  in x_to_label()
601 		struct aa_label *base = new;  in x_to_label()
603 		new = aa_label_parse(base, stack, GFP_ATOMIC, true, false);  in x_to_label()
604 		if (IS_ERR(new))  in x_to_label()
605 			new = NULL;  in x_to_label()
610 	return new;  in x_to_label()
618 	struct aa_label *new = NULL;  in profile_transition()  local
638 			new = aa_get_newest_label(&profile->label);  in profile_transition()
645 		new = find_attach(bprm, profile->ns,  in profile_transition()
647 		if (new) {  in profile_transition()
648 			AA_DEBUG("unconfined attached to new label");  in profile_transition()
649 			return new;  in profile_transition()
659 		new = x_to_label(profile, bprm, name, perms.xindex, &target,  in profile_transition()
661 		if (new && new->proxy == profile->label.proxy && info) {  in profile_transition()
664 		} else if (!new) {  in profile_transition()
673 			label_for_each(i, new, component) {  in profile_transition()
679 					aa_put_label(new);  in profile_transition()
680 					new = NULL;  in profile_transition()
707 			new = &new_profile->label;  in profile_transition()
714 	if (!new)  in profile_transition()
722 			aa_label_printk(new, GFP_ATOMIC);  in profile_transition()
729 	aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new,  in profile_transition()
731 	if (!new || nonewprivs) {  in profile_transition()
732 		aa_put_label(new);  in profile_transition()
736 	return new;  in profile_transition()
818 	struct aa_label *new;  in handle_onexec()  local
832 		new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,  in handle_onexec()
844 		new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,  in handle_onexec()
851 	if (new)  in handle_onexec()
852 		return new;  in handle_onexec()
864  * apparmor_bprm_set_creds - set the new creds on the bprm struct
874 	struct aa_label *label, *new = NULL;  in apparmor_bprm_set_creds()  local
895 	 * Detect no new privs being set, and store the label it  in apparmor_bprm_set_creds()
909 		new = handle_onexec(label, ctx->onexec, ctx->token,  in apparmor_bprm_set_creds()
912 		new = fn_label_build(label, profile, GFP_ATOMIC,  in apparmor_bprm_set_creds()
916 	AA_BUG(!new);  in apparmor_bprm_set_creds()
917 	if (IS_ERR(new)) {  in apparmor_bprm_set_creds()
918 		error = PTR_ERR(new);  in apparmor_bprm_set_creds()
920 	} else if (!new) {  in apparmor_bprm_set_creds()
927 	 * of the confinement when the task entered no new privs.  in apparmor_bprm_set_creds()
934 	    !unconfined(label) && !aa_label_is_subset(new, ctx->nnp)) {  in apparmor_bprm_set_creds()
936 		info = "no new privs";  in apparmor_bprm_set_creds()
946 		/* TODO: test needs to be profile of label to new */  in apparmor_bprm_set_creds()
947 		error = may_change_ptraced_domain(new, &info);  in apparmor_bprm_set_creds()
956 			aa_label_printk(new, GFP_ATOMIC);  in apparmor_bprm_set_creds()
962 	if (label->proxy != new->proxy) {  in apparmor_bprm_set_creds()
967 			aa_label_printk(new, GFP_ATOMIC);  in apparmor_bprm_set_creds()
974 	set_cred_label(bprm->cred, new);  in apparmor_bprm_set_creds()
985 				      bprm->filename, NULL, new,  in apparmor_bprm_set_creds()
988 	aa_put_label(new);  in apparmor_bprm_set_creds()
1053 	struct aa_label *new;  in change_hat()  local
1133 	new = fn_label_build_in_ns(label, profile, GFP_KERNEL,  in change_hat()
1136 	if (!new) {  in change_hat()
1140 	} /* else if (IS_ERR) build_change_hat has logged error so return new */  in change_hat()
1142 	return new;  in change_hat()
1166 	struct aa_label *label, *previous, *new = NULL, *target = NULL;  in aa_change_hat()  local
1178 	 * Detect no new privs being set, and store the label it  in aa_change_hat()
1194 		new = change_hat(label, hats, count, flags);  in aa_change_hat()
1195 		AA_BUG(!new);  in aa_change_hat()
1196 		if (IS_ERR(new)) {  in aa_change_hat()
1197 			error = PTR_ERR(new);  in aa_change_hat()
1198 			new = NULL;  in aa_change_hat()
1203 		error = may_change_ptraced_domain(new, &info);  in aa_change_hat()
1208 		 * no new privs prevents domain transitions that would  in aa_change_hat()
1212 		    !aa_label_is_subset(new, ctx->nnp)) {  in aa_change_hat()
1222 		target = new;  in aa_change_hat()
1223 		error = aa_set_current_hat(new, token);  in aa_change_hat()
1229 		 * no new privs prevents domain transitions that would  in aa_change_hat()
1253 	aa_put_label(new);  in aa_change_hat()
1299  * Change to new profile @name.  Unlike with hats, there is no way
1309 	struct aa_label *label, *new = NULL, *target = NULL;  in aa_change_profile()  local
1323 	 * Detect no new privs being set, and store the label it  in aa_change_profile()
1421 		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,  in aa_change_profile()
1425 		 * no new privs prevents domain transitions that would  in aa_change_profile()
1429 		    !aa_label_is_subset(new, ctx->nnp)) {  in aa_change_profile()
1440 			new = aa_label_merge(label, target, GFP_KERNEL);  in aa_change_profile()
1441 		if (IS_ERR_OR_NULL(new)) {  in aa_change_profile()
1443 			if (!new)  in aa_change_profile()
1446 				error = PTR_ERR(new);  in aa_change_profile()
1447 			new = NULL;  in aa_change_profile()
1451 		error = aa_replace_current_label(new);  in aa_change_profile()
1453 		if (new) {  in aa_change_profile()
1454 			aa_put_label(new);  in aa_change_profile()
1455 			new = NULL;  in aa_change_profile()
1465 				      NULL, new ? new : target,  in aa_change_profile()
1469 	aa_put_label(new);  in aa_change_profile()