| /security/apparmor/include/ |
| A D | perms.h |
    70 u32 allow; member
    111 accum->allow &= addend->allow & ~addend->deny; in aa_perms_accum_raw()
    112 accum->audit |= addend->audit & addend->allow; in aa_perms_accum_raw()
    113 accum->quiet &= addend->quiet & ~addend->allow; in aa_perms_accum_raw()
    114 accum->kill |= addend->kill & ~addend->allow; in aa_perms_accum_raw()
    117 accum->hide &= addend->hide & ~addend->allow; in aa_perms_accum_raw()
    138 accum->allow &= addend->allow & ~accum->deny; in aa_perms_accum()
    139 accum->audit |= addend->audit & accum->allow; in aa_perms_accum()
    140 accum->quiet &= addend->quiet & ~accum->allow; in aa_perms_accum()
    141 accum->kill |= addend->kill & ~accum->allow; in aa_perms_accum()
    [all …]
|
| A D | file.h |
    45 u32 allow; member
    72 #define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
|
| A D | capability.h | 29 kernel_cap_t allow; member
|
| /security/apparmor/ |
| A D | policy_compat.c |
    103 perms->allow |= AA_MAY_GETATTR; in compute_fperms_allow()
    107 perms->allow |= AA_MAY_CHANGE_PROFILE; in compute_fperms_allow()
    109 perms->allow |= AA_MAY_ONEXEC; in compute_fperms_allow()
    117 perms.allow = map_old_perms(dfa_user_allow(dfa, state)); in compute_fperms_user()
    132 perms.allow = map_old_perms(dfa_other_allow(dfa, state)); in compute_fperms_other()
    192 perms[state].allow = dfa_user_allow(xmatch, state); in compute_xmatch_perms()
    216 perms.allow = dfa_user_allow(dfa, state); in compute_perms_entry()
    231 perms.allow |= map_other(dfa_other_allow(dfa, state)); in compute_perms_entry()
    233 perms.allow |= AA_MAY_LOCK; in compute_perms_entry()
    235 perms.allow |= map_xbits(dfa_user_xbits(dfa, state)); in compute_perms_entry()
|
| A D | file.c |
    144 ad.denied = ad.request & ~perms->allow; in aa_audit_file()
    234 if (request & ~perms->allow) in __aa_path_perm()
    352 if (!(lperms.allow & AA_MAY_LINK)) in profile_path_link()
    366 if (!(perms.allow & AA_MAY_LINK)) { in profile_path_link()
    373 if (!(perms.allow & AA_LINK_SUBSET)) in profile_path_link()
    384 lperms.allow &= perms.allow | AA_MAY_LINK; in profile_path_link()
    386 request |= AA_AUDIT_FILE_MASK & (lperms.allow & ~perms.allow); in profile_path_link()
    387 if (request & ~lperms.allow) { in profile_path_link()
    391 lperms.allow &= ~MAY_EXEC; in profile_path_link()
    473 fctx->allow |= request; in update_file_ctx()
    [all …]
|
| A D | capability.c |
    150 if (cap_raised(rules->caps.allow, cap) && in profile_capable()
    212 caps.val |= ((u64)(perms.allow)) << (i * 5); in aa_profile_capget()
    222 return rules->caps.allow; in aa_profile_capget()
|
| A D | domain.c |
    164 if ((perms->allow & request) != request) in label_compound_match()
    232 if ((perms->allow & request) != request) in label_components_match()
    294 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC; in change_profile_perms()
    345 if (!(perms->allow & MAY_EXEC)) { in aa_xattrs_match()
    430 if (perms->allow & MAY_EXEC) { in find_attach()
    704 perms.allow |= MAY_EXEC; in profile_transition()
    720 if (perms.allow & MAY_EXEC) { in profile_transition()
    742 perms.allow &= ~MAY_EXEC; in profile_transition()
    833 if (!(perms.allow & AA_MAY_ONEXEC)) { in profile_onexec()
    845 perms.allow &= ~AA_MAY_ONEXEC; in profile_onexec()
    [all …]
|
| A D | mount.c |
    158 request = request & ~perms->allow; in audit_mount()
    259 if (perms->allow & AA_MAY_MOUNT) in do_match_mnt()
    263 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { in do_match_mnt()
    272 if (perms->allow & AA_MAY_MOUNT) in do_match_mnt()
    626 if (AA_MAY_UMOUNT & ~perms.allow) in profile_umount()
    702 if (AA_MAY_PIVOTROOT & perms.allow) in build_pivotroot()
|
| A D | policy_unpack.c |
    656 aa_unpack_u32(e, &perm->allow, NULL) && in unpack_perm()
    978 if (!aa_unpack_cap_low(e, &rules->caps.allow, NULL)) in unpack_profile()
    990 if (!aa_unpack_cap_high(e, &rules->caps.allow, NULL)) in unpack_profile()
    1227 if (perm->allow & perm->deny) in verify_perm()
    1229 if (perm->subtree & ~perm->allow) in verify_perm()
    1231 if (perm->cond & (perm->allow | perm->deny)) in verify_perm()
    1233 if (perm->kill & perm->allow) in verify_perm()
    1235 if (perm->complain & (perm->allow | perm->deny)) in verify_perm()
    1237 if (perm->prompt & (perm->allow | perm->deny)) in verify_perm()
    1241 if (perm->hide & perm->allow) in verify_perm()
|
| A D | net.c |
    194 if (((p->allow & request) != request) && (p->allow & AA_CONT_MATCH)) in early_match()
    381 perms.allow = ALL_PERMS_MASK; in aa_secmark_perm()
|
| A D | lib.c |
    24 struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
    423 u32 denied = request & (~perms->allow | perms->deny); in aa_check_perms()
|
| A D | label.c |
    1321 if ((perms->allow & request) != request) in label_compound_match()
    1386 if ((perms->allow & request) != request) in label_components_match()
|
| A D | lsm.c |
    477 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; in apparmor_file_open()
    496 fctx->allow = aa_map_file_to_perms(file); in apparmor_file_open()
|
| A D | apparmorfs.c | 811 perms.allow, perms.deny, perms.audit, perms.quiet); in query_label()
|
| /security/lockdown/ |
| A D | Kconfig |
    36 The kernel runs in integrity mode by default. Features that allow
    43 allow the kernel to be modified at runtime or that permit userland
|
| /security/ipe/ |
| A D | Kconfig |
    19 control. A key feature of IPE is a customizable policy to allow
    40 Also allow the secondary trusted keyring to verify IPE policy
    50 Also allow the platform keyring to verify IPE policy updates.
|
| /security/loadpin/ |
| A D | Kconfig | 29 If selected LoadPin can allow reading files from filesystems
|
| /security/selinux/ss/ |
| A D | services.c |
    1053 goto allow; in security_compute_xperms_decision()
    1076 goto allow; in security_compute_xperms_decision()
    1107 allow: in security_compute_xperms_decision()
    1140 goto allow; in security_compute_av()
    1162 goto allow; in security_compute_av()
    1174 goto allow; in security_compute_av()
    1186 allow: in security_compute_av()
    1205 goto allow; in security_compute_av_user()
    1227 goto allow; in security_compute_av_user()
    1238 goto allow; in security_compute_av_user()
    [all …]
|
| /security/integrity/ima/ |
| A D | Kconfig |
    243 The modsig keyword can be used in the IMA policy to allow a hook
    319 bool "Disable htable to allow measurement of duplicate records"
    322 This option disables htable to allow measurement of duplicate records.
|
| /security/selinux/ |
| A D | Kconfig | 20 command line. The purpose of this option is to allow a single
|
| /security/tomoyo/ |
| A D | Kconfig | 49 immediately after loading the fixed part of policy which will allow
|
| /security/integrity/ |
| A D | Kconfig | 28 Different keyrings improves search performance, but also allow
|
| /security/ |
| A D | Kconfig.hardening | 295 It remains after a "make clean" to allow for external modules to
|