133 				struct aa_label *label, bool stack,  in label_compound_match()  argument
142 	label_for_each(i, label, tp) {  in label_compound_match()
156 	label_for_each_cont(i, label, tp) {  in label_compound_match()
193 				  struct aa_label *label, bool stack,  in label_components_match()  argument
204 	label_for_each(i, label, tp) {  in label_components_match()
220 	label_for_each_cont(i, label, tp) {  in label_components_match()
253 static int label_match(struct aa_profile *profile, struct aa_label *label,  in label_match()  argument
260 	error = label_compound_match(profile, label, stack, state, subns,  in label_match()
266 	return label_components_match(profile, label, stack, state, subns,  in label_match()
392 		if (profile->label.flags & FLAG_NULL &&  in __attach_match()
393 		    &profile->label == ns_unconfined(profile->ns))  in __attach_match()
484 	return profile ? &profile->label : NULL;  in find_attach()
503 	struct aa_label *label = NULL;  in x_table_lookup()  local
513 	for (*name = profile->file.trans.table[index]; !label && *name;  in x_table_lookup()
520 				label = &new_profile->label;  in x_table_lookup()
523 		label = aa_label_parse(&profile->label, *name, GFP_ATOMIC,  in x_table_lookup()
525 		if (IS_ERR(label))  in x_table_lookup()
526 			label = NULL;  in x_table_lookup()
531 	return label;  in x_table_lookup()
592 			new = aa_get_newest_label(&profile->label);  in x_to_label()
635 		    (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {  in profile_transition()
638 			new = aa_get_newest_label(&profile->label);  in profile_transition()
652 		return aa_get_newest_label(&profile->label);  in profile_transition()
661 		if (new && new->proxy == profile->label.proxy && info) {  in profile_transition()
707 			new = &new_profile->label;  in profile_transition()
768 		    (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {  in profile_onexec()
811 static struct aa_label *handle_onexec(struct aa_label *label,  in handle_onexec()  argument
821 	AA_BUG(!label);  in handle_onexec()
827 		error = fn_for_each_in_ns(label, profile,  in handle_onexec()
832 		new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,  in handle_onexec()
839 		error = fn_for_each_in_ns(label, profile,  in handle_onexec()
844 		new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,  in handle_onexec()
845 				aa_label_merge(&profile->label, onexec,  in handle_onexec()
855 	error = fn_for_each_in_ns(label, profile,  in handle_onexec()
874 	struct aa_label *label, *new = NULL;  in apparmor_bprm_set_creds()  local
892 	label = aa_get_newest_label(cred_label(bprm->cred));  in apparmor_bprm_set_creds()
901 	if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) &&  in apparmor_bprm_set_creds()
903 		ctx->nnp = aa_get_label(label);  in apparmor_bprm_set_creds()
909 		new = handle_onexec(label, ctx->onexec, ctx->token,  in apparmor_bprm_set_creds()
912 		new = fn_label_build(label, profile, GFP_ATOMIC,  in apparmor_bprm_set_creds()
934 	    !unconfined(label) && !aa_label_is_subset(new, ctx->nnp)) {  in apparmor_bprm_set_creds()
962 	if (label->proxy != new->proxy) {  in apparmor_bprm_set_creds()
977 	aa_put_label(label);  in apparmor_bprm_set_creds()
983 	error = fn_for_each(label, profile,  in apparmor_bprm_set_creds()
1035 		      hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info,  in build_change_hat()
1042 	return &hat->label;  in build_change_hat()
1049 static struct aa_label *change_hat(struct aa_label *label, const char *hats[],  in change_hat()  argument
1059 	AA_BUG(!label);  in change_hat()
1063 	if (PROFILE_IS_HAT(labels_profile(label)))  in change_hat()
1069 		label_for_each_in_ns(it, labels_ns(label), label, profile) {  in change_hat()
1105 	label_for_each_in_ns(it, labels_ns(label), label, profile) {  in change_hat()
1116 	label_for_each_in_ns(it, labels_ns(label), label, profile) {  in change_hat()
1133 	new = fn_label_build_in_ns(label, profile, GFP_KERNEL,  in change_hat()
1135 				   aa_get_label(&profile->label));  in change_hat()
1166 	struct aa_label *label, *previous, *new = NULL, *target = NULL;  in aa_change_hat()  local
1174 	label = aa_get_newest_cred_label(cred);  in aa_change_hat()
1184 	if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)  in aa_change_hat()
1185 		ctx->nnp = aa_get_label(label);  in aa_change_hat()
1187 	if (unconfined(label)) {  in aa_change_hat()
1194 		new = change_hat(label, hats, count, flags);  in aa_change_hat()
1211 		if (task_no_new_privs(current) && !unconfined(label) &&  in aa_change_hat()
1232 		if (task_no_new_privs(current) && !unconfined(label) &&  in aa_change_hat()
1255 	aa_put_label(label);  in aa_change_hat()
1265 	fn_for_each_in_ns(label, profile,  in aa_change_hat()
1309 	struct aa_label *label, *new = NULL, *target = NULL;  in aa_change_profile()  local
1320 	label = aa_get_current_label();  in aa_change_profile()
1329 	if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)  in aa_change_profile()
1330 		ctx->nnp = aa_get_label(label);  in aa_change_profile()
1351 	label = aa_get_current_label();  in aa_change_profile()
1358 	target = aa_label_parse(label, fqname, GFP_KERNEL, true, false);  in aa_change_profile()
1370 		    !COMPLAIN_MODE(labels_profile(label)))  in aa_change_profile()
1373 		tprofile = aa_new_null_profile(labels_profile(label), false,  in aa_change_profile()
1380 		target = &tprofile->label;  in aa_change_profile()
1392 	error = fn_for_each_in_ns(label, profile,  in aa_change_profile()
1405 	if (error && !fn_for_each_in_ns(label, profile,  in aa_change_profile()
1421 		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,  in aa_change_profile()
1423 					   aa_get_label(&profile->label));  in aa_change_profile()
1428 		if (task_no_new_privs(current) && !unconfined(label) &&  in aa_change_profile()
1440 			new = aa_label_merge(label, target, GFP_KERNEL);  in aa_change_profile()
1463 	error = fn_for_each_in_ns(label, profile,  in aa_change_profile()
1471 	aa_put_label(label);  in aa_change_profile()