98 static inline unsigned int match_component(struct aa_profile *profile, in match_component() argument
105 state = aa_dfa_match(profile->file.dfa, state, "&"); in match_component()
106 if (profile->ns == tp->ns) in match_component()
107 return aa_dfa_match(profile->file.dfa, state, tp->base.hname); in match_component()
110 ns_name = aa_ns_name(profile->ns, tp->ns, true); in match_component()
111 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1); in match_component()
112 state = aa_dfa_match(profile->file.dfa, state, ns_name); in match_component()
113 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1); in match_component()
114 return aa_dfa_match(profile->file.dfa, state, tp->base.hname); in match_component()
133 static int label_compound_match(struct aa_profile *profile, in label_compound_match() argument
144 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
146 state = match_component(profile, tp, stack, state); in label_compound_match()
158 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
160 state = aa_dfa_match(profile->file.dfa, state, "//&"); in label_compound_match()
161 state = match_component(profile, tp, false, state); in label_compound_match()
165 *perms = aa_compute_fperms(profile->file.dfa, state, &cond); in label_compound_match()
166 aa_apply_modes_to_perms(profile, perms); in label_compound_match()
193 static int label_components_match(struct aa_profile *profile, in label_components_match() argument
206 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
208 state = match_component(profile, tp, stack, start); in label_components_match()
218 tmp = aa_compute_fperms(profile->file.dfa, state, &cond); in label_components_match()
219 aa_apply_modes_to_perms(profile, &tmp); in label_components_match()
222 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
224 state = match_component(profile, tp, stack, start); in label_components_match()
227 tmp = aa_compute_fperms(profile->file.dfa, state, &cond); in label_components_match()
228 aa_apply_modes_to_perms(profile, &tmp); in label_components_match()
254 static int label_match(struct aa_profile *profile, struct aa_label *label, in label_match() argument
261 error = label_compound_match(profile, label, stack, state, subns, in label_match()
267 return label_components_match(profile, label, stack, state, subns, in label_match()
287 static int change_profile_perms(struct aa_profile *profile, in change_profile_perms() argument
292 if (profile_unconfined(profile)) { in change_profile_perms()
299 return label_match(profile, target, stack, start, true, request, perms); in change_profile_perms()
311 struct aa_profile *profile, unsigned int state) in aa_xattrs_match() argument
317 int value_size = 0, ret = profile->xattr_count; in aa_xattrs_match()
319 if (!bprm || !profile->xattr_count) in aa_xattrs_match()
324 state = aa_dfa_outofband_transition(profile->xmatch, state); in aa_xattrs_match()
327 for (i = 0; i < profile->xattr_count; i++) { in aa_xattrs_match()
328 size = vfs_getxattr_alloc(&init_user_ns, d, profile->xattrs[i], in aa_xattrs_match()
338 state = aa_dfa_null_transition(profile->xmatch, state); in aa_xattrs_match()
340 state = aa_dfa_match_len(profile->xmatch, state, value, in aa_xattrs_match()
342 perm = dfa_user_allow(profile->xmatch, state); in aa_xattrs_match()
349 state = aa_dfa_outofband_transition(profile->xmatch, state); in aa_xattrs_match()
393 struct aa_profile *profile, *candidate = NULL; in find_attach() local
400 list_for_each_entry_rcu(profile, head, base.list) { in find_attach()
401 if (profile->label.flags & FLAG_NULL && in find_attach()
402 &profile->label == ns_unconfined(profile->ns)) in find_attach()
416 if (profile->xmatch) { in find_attach()
420 state = aa_dfa_leftmatch(profile->xmatch, DFA_START, in find_attach()
422 perm = dfa_user_allow(profile->xmatch, state); in find_attach()
430 if (bprm && profile->xattr_count) { in find_attach()
433 if (!aa_get_profile_not0(profile)) in find_attach()
436 ret = aa_xattrs_match(bprm, profile, in find_attach()
439 aa_put_profile(profile); in find_attach()
468 candidate = profile; in find_attach()
469 candidate_len = max(count, profile->xmatch_len); in find_attach()
473 } else if (!strcmp(profile->base.name, name)) { in find_attach()
478 candidate = profile; in find_attach()
510 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, in x_table_lookup() argument
523 for (*name = profile->file.trans.table[index]; !label && *name; in x_table_lookup()
528 new_profile = aa_find_child(profile, *name); in x_table_lookup()
533 label = aa_label_parse(&profile->label, *name, GFP_KERNEL, in x_table_lookup()
556 static struct aa_label *x_to_label(struct aa_profile *profile, in x_to_label() argument
563 struct aa_ns *ns = profile->ns; in x_to_label()
574 stack = profile->file.trans.table[xindex & AA_X_INDEX_MASK]; in x_to_label()
577 new = x_table_lookup(profile, xindex, lookupname); in x_to_label()
585 new = find_attach(bprm, ns, &profile->base.profiles, in x_to_label()
602 new = aa_get_newest_label(&profile->label); in x_to_label()
604 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
623 static struct aa_label *profile_transition(struct aa_profile *profile, in profile_transition() argument
630 unsigned int state = profile->file.start; in profile_transition()
635 AA_BUG(!profile); in profile_transition()
639 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_transition()
640 &name, &info, profile->disconnected); in profile_transition()
642 if (profile_unconfined(profile) || in profile_transition()
643 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
646 new = aa_get_newest_label(&profile->label); in profile_transition()
652 if (profile_unconfined(profile)) { in profile_transition()
653 new = find_attach(bprm, profile->ns, in profile_transition()
654 &profile->ns->base.profiles, name, &info); in profile_transition()
660 return aa_get_newest_label(&profile->label); in profile_transition()
664 state = aa_str_perms(profile->file.dfa, state, name, cond, &perms); in profile_transition()
667 new = x_to_label(profile, bprm, name, perms.xindex, &target, in profile_transition()
669 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
678 } else if (COMPLAIN_MODE(profile)) { in profile_transition()
682 new_profile = aa_new_null_profile(profile, false, name, in profile_transition()
711 aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new, in profile_transition()
721 static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec, in profile_onexec() argument
726 unsigned int state = profile->file.start; in profile_onexec()
731 AA_BUG(!profile); in profile_onexec()
736 if (profile_unconfined(profile)) { in profile_onexec()
746 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_onexec()
747 &xname, &info, profile->disconnected); in profile_onexec()
749 if (profile_unconfined(profile) || in profile_onexec()
750 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
759 state = aa_str_perms(profile->file.dfa, state, xname, cond, &perms); in profile_onexec()
768 state = aa_dfa_null_transition(profile->file.dfa, state); in profile_onexec()
769 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC, in profile_onexec()
787 return aa_audit_file(profile, &perms, OP_EXEC, AA_MAY_ONEXEC, xname, in profile_onexec()
799 struct aa_profile *profile; in handle_onexec() local
809 error = fn_for_each_in_ns(label, profile, in handle_onexec()
810 profile_onexec(profile, onexec, stack, in handle_onexec()
814 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in handle_onexec()
816 profile_transition(profile, bprm, buffer, in handle_onexec()
821 error = fn_for_each_in_ns(label, profile, in handle_onexec()
822 profile_onexec(profile, onexec, stack, bprm, in handle_onexec()
826 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in handle_onexec()
827 aa_label_merge(&profile->label, onexec, in handle_onexec()
829 profile_transition(profile, bprm, buffer, in handle_onexec()
837 error = fn_for_each_in_ns(label, profile, in handle_onexec()
838 aa_audit_file(profile, &nullperms, OP_CHANGE_ONEXEC, in handle_onexec()
857 struct aa_profile *profile; in apparmor_bprm_creds_for_exec() local
898 new = fn_label_build(label, profile, GFP_KERNEL, in apparmor_bprm_creds_for_exec()
899 profile_transition(profile, bprm, buffer, in apparmor_bprm_creds_for_exec()
970 error = fn_for_each(label, profile, in apparmor_bprm_creds_for_exec()
971 aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC, in apparmor_bprm_creds_for_exec()
987 static struct aa_label *build_change_hat(struct aa_profile *profile, in build_change_hat() argument
994 if (sibling && PROFILE_IS_HAT(profile)) { in build_change_hat()
995 root = aa_get_profile_rcu(&profile->parent); in build_change_hat()
996 } else if (!sibling && !PROFILE_IS_HAT(profile)) { in build_change_hat()
997 root = aa_get_profile(profile); in build_change_hat()
1007 if (COMPLAIN_MODE(profile)) { in build_change_hat()
1008 hat = aa_new_null_profile(profile, true, name, in build_change_hat()
1019 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT, in build_change_hat()
1038 struct aa_profile *profile, *root, *hat = NULL; in change_hat() local
1055 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1056 if (sibling && PROFILE_IS_HAT(profile)) { in change_hat()
1057 root = aa_get_profile_rcu(&profile->parent); in change_hat()
1058 } else if (!sibling && !PROFILE_IS_HAT(profile)) { in change_hat()
1059 root = aa_get_profile(profile); in change_hat()
1068 if (!COMPLAIN_MODE(profile)) in change_hat()
1091 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1092 if (!list_empty(&profile->base.profiles)) { in change_hat()
1102 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1110 if (count > 1 || COMPLAIN_MODE(profile)) { in change_hat()
1111 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, in change_hat()
1119 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in change_hat()
1120 build_change_hat(profile, name, sibling), in change_hat()
1121 aa_get_label(&profile->label)); in change_hat()
1153 struct aa_profile *profile; in aa_change_hat() local
1251 fn_for_each_in_ns(label, profile, in aa_change_hat()
1252 aa_audit_file(profile, &perms, OP_CHANGE_HAT, in aa_change_hat()
1261 struct aa_profile *profile, in change_profile_perms_wrapper() argument
1269 error = change_profile_perms(profile, target, stack, request, in change_profile_perms_wrapper()
1270 profile->file.start, perms); in change_profile_perms_wrapper()
1272 error = aa_audit_file(profile, perms, op, request, name, in change_profile_perms_wrapper()
1295 struct aa_profile *profile; in aa_change_profile() local
1376 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1378 profile, target, stack, in aa_change_profile()
1389 if (error && !fn_for_each_in_ns(label, profile, in aa_change_profile()
1390 COMPLAIN_MODE(profile))) in aa_change_profile()
1405 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in aa_change_profile()
1407 aa_get_label(&profile->label)); in aa_change_profile()
1447 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1448 aa_audit_file(profile, &perms, op, request, auditname, in aa_change_profile()