
Searched refs:policy (Results 1 – 25 of 40) sorted by relevance


/security/selinux/ss/
services.c
248 policy = rcu_dereference(selinux_state.policy); in security_mls_enabled()
776 policy = rcu_dereference(selinux_state.policy); in security_compute_validatetrans()
875 policy = rcu_dereference(selinux_state.policy); in security_bounded_transition()
1055 policy = rcu_dereference(selinux_state.policy); in security_compute_xperms_decision()
1136 policy = rcu_dereference(selinux_state.policy); in security_compute_av()
1202 policy = rcu_dereference(selinux_state.policy); in security_compute_av_user()
1342 policy = rcu_dereference(selinux_state.policy); in security_sidtab_hash_stats()
1402 policy = rcu_dereference(selinux_state.policy); in security_sid_to_context_core()
1597 policy = rcu_dereference(selinux_state.policy); in security_context_to_sid_core()
3631 policy = rcu_dereference(state->policy); in selinux_audit_rule_init()
[all …]
/security/apparmor/
policy_compat.c
296 int aa_compat_map_xmatch(struct aa_policydb *policy) in aa_compat_map_xmatch() argument
298 policy->perms = compute_xmatch_perms(policy->dfa, &policy->size); in aa_compat_map_xmatch()
299 if (!policy->perms) in aa_compat_map_xmatch()
302 remap_dfa_accept(policy->dfa, 1); in aa_compat_map_xmatch()
309 policy->perms = compute_perms(policy->dfa, version, &policy->size); in aa_compat_map_policy()
310 if (!policy->perms) in aa_compat_map_policy()
313 remap_dfa_accept(policy->dfa, 1); in aa_compat_map_policy()
318 int aa_compat_map_file(struct aa_policydb *policy) in aa_compat_map_file() argument
320 policy->perms = compute_fperms(policy->dfa, &policy->size); in aa_compat_map_file()
321 if (!policy->perms) in aa_compat_map_file()
[all …]
Kconfig
48 bool "Allow loaded policy to be introspected"
52 This option selects whether introspection of loaded policy
55 of loaded policy, and check point and restore support. It
68 checking loaded policy. This option adds to policy load
72 bool "Enable policy hash introspection by default"
80 however it can slow down policy load on some devices. In
81 these cases policy hashing can be disabled by default and
85 bool "Allow exporting the raw binary policy"
97 bool "Perform full verification of loaded policy"
104 includes policy, and has some form of integrity check.
[all …]
mount.c
233 AA_BUG(!policy); in do_match_mnt()
234 AA_BUG(!policy->dfa); in do_match_mnt()
235 AA_BUG(!policy->perms); in do_match_mnt()
258 *perms = *aa_lookup_perms(policy, state); in do_match_mnt()
271 *perms = *aa_lookup_perms(policy, state); in do_match_mnt()
336 pos = do_match_mnt(rules->policy, in match_mnt_path_str()
337 rules->policy->start[AA_CLASS_MOUNT], in match_mnt_path_str()
622 state = aa_dfa_match(rules->policy->dfa, in profile_umount()
623 rules->policy->start[AA_CLASS_MOUNT], in profile_umount()
695 state = aa_dfa_match(rules->policy->dfa, in build_pivotroot()
[all …]
af_unix.c
84 static aa_state_t match_to_local(struct aa_policydb *policy, in match_to_local() argument
94 state = match_addr(policy->dfa, state, addr, addrlen); in match_to_local()
97 state = aa_dfa_null_transition(policy->dfa, state); in match_to_local()
122 static aa_state_t match_to_sk(struct aa_policydb *policy, in match_to_sk() argument
145 state = match_to_sk(policy, state, request, u, p, info); in match_to_cmd()
147 state = aa_dfa_match_len(policy->dfa, state, &cmd, 1); in match_to_cmd()
184 state = aa_dfa_match(rule->policy->dfa, state, in match_label()
309 state = aa_dfa_match_len(rules->policy->dfa, state, in profile_listen_perm()
341 state = match_to_sk(rules->policy, state, AA_MAY_ACCEPT, in profile_accept_perm()
375 state = aa_dfa_match_len(rules->policy->dfa, state, in profile_opt_perm()
[all …]
lib.c
394 state = aa_dfa_next(rules->policy->dfa, in aa_profile_match_label()
395 rules->policy->start[AA_CLASS_LABEL], in aa_profile_match_label()
477 bool aa_policy_init(struct aa_policy *policy, const char *prefix, in aa_policy_init() argument
494 policy->hname = hname; in aa_policy_init()
496 policy->name = basename(policy->hname); in aa_policy_init()
497 INIT_LIST_HEAD(&policy->list); in aa_policy_init()
498 INIT_LIST_HEAD(&policy->profiles); in aa_policy_init()
507 void aa_policy_destroy(struct aa_policy *policy) in aa_policy_destroy() argument
509 AA_BUG(on_list_rcu(&policy->profiles)); in aa_policy_destroy()
510 AA_BUG(on_list_rcu(&policy->list)); in aa_policy_destroy()
[all …]
net.c
165 int aa_do_perms(struct aa_profile *profile, struct aa_policydb *policy, in aa_do_perms() argument
172 AA_BUG(!policy); in aa_do_perms()
176 p = aa_lookup_perms(policy, state); in aa_do_perms()
188 static struct aa_perms *early_match(struct aa_policydb *policy, in early_match() argument
193 p = aa_lookup_perms(policy, state); in early_match()
228 state = aa_dfa_match_be16(policy->dfa, state, (u16)af); in aa_match_to_prot()
233 state = aa_dfa_match_be16(policy->dfa, state, (u16)type); in aa_match_to_prot()
236 *p = early_match(policy, state, request); in aa_match_to_prot()
238 state = aa_dfa_match_be16(policy->dfa, state, (u16)protocol); in aa_match_to_prot()
267 state = aa_match_to_prot(rules->policy, state, request, family, type, in aa_profile_af_perm()
[all …]
policy.c
250 aa_put_pdb(rules->policy); in free_ruleset()
480 struct aa_policy *policy; in __lookup_parent() local
484 policy = &ns->base; in __lookup_parent()
491 policy = &profile->base; in __lookup_parent()
515 struct aa_policy *policy; in __create_missing_ancestors() local
522 policy = &ns->base; in __create_missing_ancestors()
540 policy = &profile->base; in __create_missing_ancestors()
1164 struct aa_policy *policy; in aa_replace_profiles() local
1192 if (!policy) { in aa_replace_profiles()
1211 if (!policy) { in aa_replace_profiles()
[all …]
capability.c
134 state = aa_dfa_next(rules->policy->dfa, state, cap >> 5); in profile_capable()
136 perms = *aa_lookup_perms(rules->policy, state); in profile_capable()
209 tmp = aa_dfa_next(rules->policy->dfa, state, i); in aa_profile_capget()
210 perms = *aa_lookup_perms(rules->policy, tmp); in aa_profile_capget()
policy_unpack.c
813 *policy = pdb; in unpack_pdb()
1036 if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0], in unpack_profile()
1038 rules->policy->start[AA_CLASS_FILE] = in unpack_profile()
1039 aa_dfa_next(rules->policy->dfa, in unpack_profile()
1040 rules->policy->start[0], in unpack_profile()
1044 if (!rules->policy->perms) { in unpack_profile()
1053 rules->policy = aa_get_pdb(nullpdb); in unpack_profile()
1067 } else if (rules->policy->dfa && in unpack_profile()
1301 if (rules->policy->dfa && in verify_profile()
1302 !verify_dfa_accept_index(rules->policy->dfa, rules->policy->size)) { in verify_profile()
[all …]
/security/ipe/
policy_tests.c
12 const char *const policy; member
252 pol = ipe_new_policy(p->policy, strlen(p->policy), NULL, 0); in ipe_parser_unsigned_test()
261 KUNIT_EXPECT_STREQ(test, pol->text, p->policy); in ipe_parser_unsigned_test()
276 const unsigned short policy[] = L"policy_name=Test policy_version=0.0.0\n" in ipe_parser_widestring_test() local
280 pol = ipe_new_policy((const char *)policy, (ARRAY_SIZE(policy) - 1) * 2, NULL, 0); in ipe_parser_widestring_test()
Kconfig
18 allowing users to define a policy to enforce a trust-based access
19 control. A key feature of IPE is a customizable policy to allow
26 string "Integrity policy to apply on system startup"
28 This option specifies a filepath to an IPE policy that is compiled
29 into the kernel. This policy will be enforced until a policy update
36 bool "IPE policy update verification with secondary keyring"
40 Also allow the secondary trusted keyring to verify IPE policy
46 bool "IPE policy update verification with platform keyring"
50 Also allow the platform keyring to verify IPE policy updates.
63 supplied in the policy.
[all …]
policy_parser.c
508 char *policy = NULL, *dup = NULL; in ipe_parse_policy() local
517 policy = kmemdup_nul(p->text, p->textlen, GFP_KERNEL); in ipe_parse_policy()
518 if (!policy) in ipe_parse_policy()
520 dup = policy; in ipe_parse_policy()
528 while ((line = strsep(&policy, IPE_LINE_DELIM)) != NULL) { in ipe_parse_policy()
/security/tomoyo/
Makefile
4 targets += builtin-policy.h
14 $(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(src)/policy/*.conf.default) FORCE
15 $(call if_changed,policy)
18 $(obj)/common.o: $(obj)/builtin-policy.h
Kconfig
23 that are automatically appended into policy at "learning mode".
41 bool "Activate without calling userspace policy loader."
46 policy was loaded. This option will be useful for systems where
48 needed before loading the policy. For example, you can activate
49 immediately after loading the fixed part of policy which will allow
51 variant part of policy and verifying (e.g. running GPG check) and
52 loading the variant part of policy. Since you can start using
57 string "Location of userspace policy loader"
62 This is the default pathname of policy loader which is called before
67 string "Trigger for calling userspace policy loader"
[all …]
.gitignore
2 builtin-policy.h
3 policy/*.conf
/security/apparmor/include/
lib.h
201 struct aa_policy *policy; in __policy_find() local
203 list_for_each_entry_rcu(policy, head, list) { in __policy_find()
204 if (!strcmp(policy->name, name)) in __policy_find()
205 return policy; in __policy_find()
226 struct aa_policy *policy; in __policy_strn_find() local
228 list_for_each_entry_rcu(policy, head, list) { in __policy_strn_find()
229 if (aa_strneq(policy->name, str, len)) in __policy_strn_find()
230 return policy; in __policy_strn_find()
236 bool aa_policy_init(struct aa_policy *policy, const char *prefix,
238 void aa_policy_destroy(struct aa_policy *policy);
policy.h
133 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy, in aa_lookup_perms() argument
136 unsigned int index = ACCEPT_TABLE(policy->dfa)[state]; in aa_lookup_perms()
138 if (!(policy->perms)) in aa_lookup_perms()
141 return &(policy->perms[index]); in aa_lookup_perms()
171 struct aa_policydb *policy; member
308 return rules->policy->start[class]; in RULE_MEDIATES()
310 return aa_dfa_match_len(rules->policy->dfa, in RULE_MEDIATES()
311 rules->policy->start[0], &class, 1); in RULE_MEDIATES()
policy_compat.h
29 int aa_compat_map_xmatch(struct aa_policydb *policy);
30 int aa_compat_map_policy(struct aa_policydb *policy, u32 version);
31 int aa_compat_map_file(struct aa_policydb *policy);
/security/integrity/ima/
Kconfig
44 Depending on the IMA policy, the measurement list can grow to
61 Disabling this option will disregard LSM based policy rules.
126 bool "Enable multiple writes to the IMA policy"
129 IMA policy can now be updated multiple times. The new rules get
136 bool "Enable reading back the current IMA policy"
159 bool "Enable loading an IMA architecture specific policy"
168 bool "IMA build time configured policy rules"
174 policy name on the boot command line. The build time appraisal
175 policy rules persist after loading a custom policy.
218 bool "Appraise IMA policy signature"
[all …]
/security/selinux/
ima.c
73 void *policy = NULL; in selinux_ima_measure_state_locked() local
97 rc = security_read_state_kernel(&policy, &policy_len); in selinux_ima_measure_state_locked()
104 policy, policy_len, true, in selinux_ima_measure_state_locked()
107 vfree(policy); in selinux_ima_measure_state_locked()
/security/safesetid/
lsm.c
33 enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy, in _setid_policy_lookup() argument
39 if (policy->type == UID) { in _setid_policy_lookup()
40 hash_for_each_possible(policy->rules, rule, next, __kuid_val(src.uid)) { in _setid_policy_lookup()
47 } else if (policy->type == GID) { in _setid_policy_lookup()
48 hash_for_each_possible(policy->rules, rule, next, __kgid_val(src.gid)) { in _setid_policy_lookup()
/security/selinux/include/
security.h
104 struct selinux_policy __rcu *policy; member
215 struct selinux_policy *policy; member
329 int security_get_classes(struct selinux_policy *policy, char ***classes,
331 int security_get_permissions(struct selinux_policy *policy, const char *class,
350 int selinux_policy_genfs_sid(struct selinux_policy *policy, const char *fstype,
conditional.h
16 int security_get_bools(struct selinux_policy *policy, u32 *len, char ***names,
/security/landlock/
Kconfig
11 tailored access control policies. A Landlock security policy is a
13 directory, etc.) tied to a file hierarchy. Such policy can be
