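Lines matching refs: profile. Each entry gives the source line number, the matching line, and the enclosing function; a trailing "argument" or "local" marks the line where `profile` is declared as a parameter or a local variable.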
92 static inline aa_state_t match_component(struct aa_profile *profile, in match_component() argument
96 struct aa_ruleset *rules = profile->label.rules[0]; in match_component()
101 if (profile->ns == tp->ns) in match_component()
105 ns_name = aa_ns_name(profile->ns, tp->ns, true); in match_component()
128 static int label_compound_match(struct aa_profile *profile, in label_compound_match() argument
133 struct aa_ruleset *rules = profile->label.rules[0]; in label_compound_match()
140 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
142 state = match_component(profile, tp, stack, state); in label_compound_match()
154 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
157 state = match_component(profile, tp, false, state); in label_compound_match()
163 aa_apply_modes_to_perms(profile, perms); in label_compound_match()
190 static int label_components_match(struct aa_profile *profile, in label_components_match() argument
195 struct aa_ruleset *rules = profile->label.rules[0]; in label_components_match()
204 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
206 state = match_component(profile, tp, stack, start); in label_components_match()
218 aa_apply_modes_to_perms(profile, &tmp); in label_components_match()
221 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
223 state = match_component(profile, tp, stack, start); in label_components_match()
228 aa_apply_modes_to_perms(profile, &tmp); in label_components_match()
254 static int label_match(struct aa_profile *profile, struct aa_label *label, in label_match() argument
261 error = label_compound_match(profile, label, stack, state, subns, in label_match()
267 return label_components_match(profile, label, stack, state, subns, in label_match()
288 static int change_profile_perms(struct aa_profile *profile, in change_profile_perms() argument
293 if (profile_unconfined(profile)) { in change_profile_perms()
300 return label_match(profile, target, stack, start, true, request, perms); in change_profile_perms()
312 struct aa_profile *profile, aa_state_t state) in aa_xattrs_match() argument
317 struct aa_attachment *attach = &profile->attach; in aa_xattrs_match()
395 struct aa_profile *profile, *candidate = NULL; in find_attach() local
402 list_for_each_entry_rcu(profile, head, base.list) { in find_attach()
403 struct aa_attachment *attach = &profile->attach; in find_attach()
405 if (profile->label.flags & FLAG_NULL && in find_attach()
406 &profile->label == ns_unconfined(profile->ns)) in find_attach()
439 if (!aa_get_profile_not0(profile)) in find_attach()
442 ret = aa_xattrs_match(bprm, profile, in find_attach()
445 aa_put_profile(profile); in find_attach()
474 candidate = profile; in find_attach()
479 } else if (!strcmp(profile->base.name, name)) { in find_attach()
484 candidate = profile; in find_attach()
517 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, in x_table_lookup() argument
520 struct aa_ruleset *rules = profile->label.rules[0]; in x_table_lookup()
538 struct aa_profile *new = aa_find_child(profile, lookup); in x_table_lookup()
545 label = aa_label_parse(&profile->label, lookup, GFP_KERNEL, in x_table_lookup()
568 static struct aa_label *x_to_label(struct aa_profile *profile, in x_to_label() argument
576 struct aa_ns *ns = profile->ns; in x_to_label()
591 new = x_table_lookup(profile, xindex, lookupname); in x_to_label()
600 new = find_attach(bprm, ns, &profile->base.profiles, in x_to_label()
623 new = aa_get_newest_label(&profile->label); in x_to_label()
625 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
641 profile->base.hname, old_info); in x_to_label()
660 struct aa_profile *profile, in profile_transition() argument
665 struct aa_ruleset *rules = profile->label.rules[0]; in profile_transition()
674 AA_BUG(!profile); in profile_transition()
678 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_transition()
679 &name, &info, profile->disconnected); in profile_transition()
681 if (profile_unconfined(profile) || in profile_transition()
682 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
685 new = aa_get_newest_label(&profile->label); in profile_transition()
691 if (profile_unconfined(profile)) { in profile_transition()
692 new = find_attach(bprm, profile->ns, in profile_transition()
693 &profile->ns->base.profiles, name, &info); in profile_transition()
706 (void) aa_audit_file(subj_cred, profile, &perms, in profile_transition()
715 return aa_get_newest_label(&profile->label); in profile_transition()
722 new = x_to_label(profile, bprm, name, perms.xindex, &target, in profile_transition()
724 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
738 __func__, profile->base.hname, info); in profile_transition()
743 if (COMPLAIN_MODE(profile)) { in profile_transition()
749 } else if (COMPLAIN_MODE(profile)) { in profile_transition()
752 new_profile = aa_new_learning_profile(profile, false, name, in profile_transition()
781 aa_audit_file(subj_cred, profile, &perms, OP_EXEC, MAY_EXEC, name, in profile_transition()
793 struct aa_profile *profile, struct aa_label *onexec, in profile_onexec() argument
798 struct aa_ruleset *rules = profile->label.rules[0]; in profile_onexec()
804 AA_BUG(!profile); in profile_onexec()
809 if (profile_unconfined(profile)) { in profile_onexec()
819 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_onexec()
820 &xname, &info, profile->disconnected); in profile_onexec()
822 if (profile_unconfined(profile) || in profile_onexec()
823 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
842 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC, in profile_onexec()
860 return aa_audit_file(subj_cred, profile, &perms, OP_EXEC, in profile_onexec()
874 struct aa_profile *profile; in handle_onexec() local
884 error = fn_for_each_in_ns(label, profile, in handle_onexec()
885 profile_onexec(subj_cred, profile, onexec, stack, in handle_onexec()
890 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in handle_onexec()
891 stack ? aa_label_merge(&profile->label, onexec, in handle_onexec()
894 profile_transition(subj_cred, profile, bprm, in handle_onexec()
900 error = fn_for_each_in_ns(label, profile, in handle_onexec()
901 aa_audit_file(subj_cred, profile, &nullperms, in handle_onexec()
922 struct aa_profile *profile; in apparmor_bprm_creds_for_exec() local
964 new = fn_label_build(label, profile, GFP_KERNEL, in apparmor_bprm_creds_for_exec()
965 profile_transition(subj_cred, profile, bprm, in apparmor_bprm_creds_for_exec()
1037 error = fn_for_each(label, profile, in apparmor_bprm_creds_for_exec()
1038 aa_audit_file(current_cred(), profile, &nullperms, in apparmor_bprm_creds_for_exec()
1056 struct aa_profile *profile, in build_change_hat() argument
1063 if (sibling && PROFILE_IS_HAT(profile)) { in build_change_hat()
1064 root = aa_get_profile_rcu(&profile->parent); in build_change_hat()
1065 } else if (!sibling && !PROFILE_IS_HAT(profile)) { in build_change_hat()
1066 root = aa_get_profile(profile); in build_change_hat()
1076 if (COMPLAIN_MODE(profile)) { in build_change_hat()
1077 hat = aa_new_learning_profile(profile, true, name, in build_change_hat()
1088 aa_audit_file(subj_cred, profile, &nullperms, OP_CHANGE_HAT, in build_change_hat()
1109 struct aa_profile *profile, *root, *hat = NULL; in change_hat() local
1126 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1127 if (sibling && PROFILE_IS_HAT(profile)) { in change_hat()
1128 root = aa_get_profile_rcu(&profile->parent); in change_hat()
1129 } else if (!sibling && !PROFILE_IS_HAT(profile)) { in change_hat()
1130 root = aa_get_profile(profile); in change_hat()
1139 if (!COMPLAIN_MODE(profile)) in change_hat()
1162 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1163 if (!list_empty(&profile->base.profiles)) { in change_hat()
1173 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1181 if (count > 1 || COMPLAIN_MODE(profile)) { in change_hat()
1182 aa_audit_file(subj_cred, profile, &nullperms, in change_hat()
1191 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in change_hat()
1192 build_change_hat(subj_cred, profile, name, in change_hat()
1194 aa_get_label(&profile->label)); in change_hat()
1226 struct aa_profile *profile; in aa_change_hat() local
1254 label_for_each_in_ns(i, labels_ns(label), label, profile) { in aa_change_hat()
1255 empty &= list_empty(&profile->base.profiles); in aa_change_hat()
1341 fn_for_each_in_ns(label, profile, in aa_change_hat()
1342 aa_audit_file(subj_cred, profile, &perms, OP_CHANGE_HAT, in aa_change_hat()
1352 struct aa_profile *profile, in change_profile_perms_wrapper() argument
1356 struct aa_ruleset *rules = profile->label.rules[0]; in change_profile_perms_wrapper()
1361 error = change_profile_perms(profile, target, stack, request, in change_profile_perms_wrapper()
1365 error = aa_audit_file(subj_cred, profile, perms, op, request, in change_profile_perms_wrapper()
1391 struct aa_profile *profile; in aa_change_profile() local
1449 (void) fn_for_each_in_ns(label, profile, in aa_change_profile()
1450 aa_audit_file(subj_cred, profile, &perms, op, in aa_change_profile()
1495 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1498 profile, target, stack, in aa_change_profile()
1509 if (error && !fn_for_each_in_ns(label, profile, in aa_change_profile()
1510 COMPLAIN_MODE(profile))) in aa_change_profile()
1525 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in aa_change_profile()
1527 aa_get_label(&profile->label)); in aa_change_profile()
1568 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1570 profile, &perms, op, request, auditname, in aa_change_profile()