56  * to trace the new domain
454 				 * The new match isn't more specific  in find_attach()
562 	struct aa_label *new = NULL;  in x_to_label()  local
577 			new = x_table_lookup(profile, xindex, lookupname);  in x_to_label()
585 			new = find_attach(bprm, ns, &profile->base.profiles,  in x_to_label()
589 			new = find_attach(bprm, ns, &ns->base.profiles,  in x_to_label()
595 	if (!new) {  in x_to_label()
602 			new = aa_get_newest_label(&profile->label);  in x_to_label()
604 			new = aa_get_newest_label(ns_unconfined(profile->ns));  in x_to_label()
609 	if (new && stack) {  in x_to_label()
611 		struct aa_label *base = new;  in x_to_label()
613 		new = aa_label_parse(base, stack, GFP_KERNEL, true, false);  in x_to_label()
614 		if (IS_ERR(new))  in x_to_label()
615 			new = NULL;  in x_to_label()
620 	return new;  in x_to_label()
628 	struct aa_label *new = NULL;  in profile_transition()  local
646 			new = aa_get_newest_label(&profile->label);  in profile_transition()
653 		new = find_attach(bprm, profile->ns,  in profile_transition()
655 		if (new) {  in profile_transition()
656 			AA_DEBUG("unconfined attached to new label");  in profile_transition()
657 			return new;  in profile_transition()
667 		new = x_to_label(profile, bprm, name, perms.xindex, &target,  in profile_transition()
669 		if (new && new->proxy == profile->label.proxy && info) {  in profile_transition()
672 		} else if (!new) {  in profile_transition()
689 			new = &new_profile->label;  in profile_transition()
696 	if (!new)  in profile_transition()
704 			aa_label_printk(new, GFP_KERNEL);  in profile_transition()
711 	aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new,  in profile_transition()
713 	if (!new || nonewprivs) {  in profile_transition()
714 		aa_put_label(new);  in profile_transition()
718 	return new;  in profile_transition()
800 	struct aa_label *new;  in handle_onexec()  local
814 		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,  in handle_onexec()
826 		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,  in handle_onexec()
833 	if (new)  in handle_onexec()
834 		return new;  in handle_onexec()
846  * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
856 	struct aa_label *label, *new = NULL;  in apparmor_bprm_creds_for_exec()  local
876 	 * Detect no new privs being set, and store the label it  in apparmor_bprm_creds_for_exec()
895 		new = handle_onexec(label, ctx->onexec, ctx->token,  in apparmor_bprm_creds_for_exec()
898 		new = fn_label_build(label, profile, GFP_KERNEL,  in apparmor_bprm_creds_for_exec()
902 	AA_BUG(!new);  in apparmor_bprm_creds_for_exec()
903 	if (IS_ERR(new)) {  in apparmor_bprm_creds_for_exec()
904 		error = PTR_ERR(new);  in apparmor_bprm_creds_for_exec()
906 	} else if (!new) {  in apparmor_bprm_creds_for_exec()
913 	 * of the confinement when the task entered no new privs.  in apparmor_bprm_creds_for_exec()
921 	    !aa_label_is_unconfined_subset(new, ctx->nnp)) {  in apparmor_bprm_creds_for_exec()
923 		info = "no new privs";  in apparmor_bprm_creds_for_exec()
933 		/* TODO: test needs to be profile of label to new */  in apparmor_bprm_creds_for_exec()
934 		error = may_change_ptraced_domain(new, &info);  in apparmor_bprm_creds_for_exec()
943 			aa_label_printk(new, GFP_KERNEL);  in apparmor_bprm_creds_for_exec()
949 	if (label->proxy != new->proxy) {  in apparmor_bprm_creds_for_exec()
954 			aa_label_printk(new, GFP_KERNEL);  in apparmor_bprm_creds_for_exec()
961 	set_cred_label(bprm->cred, new);  in apparmor_bprm_creds_for_exec()
972 				      bprm->filename, NULL, new,  in apparmor_bprm_creds_for_exec()
974 	aa_put_label(new);  in apparmor_bprm_creds_for_exec()
1039 	struct aa_label *new;  in change_hat()  local
1119 	new = fn_label_build_in_ns(label, profile, GFP_KERNEL,  in change_hat()
1122 	if (!new) {  in change_hat()
1126 	} /* else if (IS_ERR) build_change_hat has logged error so return new */  in change_hat()
1128 	return new;  in change_hat()
1152 	struct aa_label *label, *previous, *new = NULL, *target = NULL;  in aa_change_hat()  local
1164 	 * Detect no new privs being set, and store the label it  in aa_change_hat()
1180 		new = change_hat(label, hats, count, flags);  in aa_change_hat()
1181 		AA_BUG(!new);  in aa_change_hat()
1182 		if (IS_ERR(new)) {  in aa_change_hat()
1183 			error = PTR_ERR(new);  in aa_change_hat()
1184 			new = NULL;  in aa_change_hat()
1189 		error = may_change_ptraced_domain(new, &info);  in aa_change_hat()
1194 		 * no new privs prevents domain transitions that would  in aa_change_hat()
1198 		    !aa_label_is_unconfined_subset(new, ctx->nnp)) {  in aa_change_hat()
1208 		target = new;  in aa_change_hat()
1209 		error = aa_set_current_hat(new, token);  in aa_change_hat()
1215 		 * no new privs prevents domain transitions that would  in aa_change_hat()
1239 	aa_put_label(new);  in aa_change_hat()
1284  * Change to new profile @name.  Unlike with hats, there is no way
1294 	struct aa_label *label, *new = NULL, *target = NULL;  in aa_change_profile()  local
1308 	 * Detect no new privs being set, and store the label it  in aa_change_profile()
1405 		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,  in aa_change_profile()
1409 		 * no new privs prevents domain transitions that would  in aa_change_profile()
1413 		    !aa_label_is_unconfined_subset(new, ctx->nnp)) {  in aa_change_profile()
1424 			new = aa_label_merge(label, target, GFP_KERNEL);  in aa_change_profile()
1425 		if (IS_ERR_OR_NULL(new)) {  in aa_change_profile()
1427 			if (!new)  in aa_change_profile()
1430 				error = PTR_ERR(new);  in aa_change_profile()
1431 			new = NULL;  in aa_change_profile()
1435 		error = aa_replace_current_label(new);  in aa_change_profile()
1437 		if (new) {  in aa_change_profile()
1438 			aa_put_label(new);  in aa_change_profile()
1439 			new = NULL;  in aa_change_profile()
1449 				      NULL, new ? new : target,  in aa_change_profile()
1453 	aa_put_label(new);  in aa_change_profile()