
Searched refs:rules (Results 1 – 25 of 27) sorted by relevance


/security/apparmor/
capability.c
72 struct aa_ruleset *rules = profile->label.rules[0]; in audit_caps() local
81 !cap_raised(rules->caps.audit, cap))) in audit_caps()
85 cap_raised(rules->caps.kill, cap)) { in audit_caps()
87 } else if (cap_raised(rules->caps.quiet, cap) && in audit_caps()
124 struct aa_ruleset *rules = profile->label.rules[0]; in profile_capable() local
128 state = RULE_MEDIATES(rules, ad->class); in profile_capable()
150 if (cap_raised(rules->caps.allow, cap) && in profile_capable()
151 !cap_raised(rules->caps.denied, cap)) in profile_capable()
196 struct aa_ruleset *rules = profile->label.rules[0]; in aa_profile_capget() local
199 state = RULE_MEDIATES(rules, AA_CLASS_CAP); in aa_profile_capget()
[all …]
resource.c
92 struct aa_ruleset *rules = profile->label.rules[0]; in profile_setrlimit() local
95 if (rules->rlimits.mask & (1 << resource) && new_rlim->rlim_max > in profile_setrlimit()
96 rules->rlimits.limits[resource].rlim_max) in profile_setrlimit()
167 struct aa_ruleset *rules = old->label.rules[0]; in __aa_transition_rlimits() local
168 if (rules->rlimits.mask) { in __aa_transition_rlimits()
173 if (rules->rlimits.mask & mask) { in __aa_transition_rlimits()
185 struct aa_ruleset *rules = new->label.rules[0]; in __aa_transition_rlimits() local
188 if (!rules->rlimits.mask) in __aa_transition_rlimits()
191 if (!(rules->rlimits.mask & mask)) in __aa_transition_rlimits()
196 rules->rlimits.limits[j].rlim_max); in __aa_transition_rlimits()
policy_unpack.c
578 if (!rules->secmark) in unpack_secmark()
600 if (rules->secmark) { in unpack_secmark()
605 rules->secmark = NULL; in unpack_secmark()
846 struct aa_ruleset *rules; in unpack_profile() local
889 rules = profile->label.rules[0]; in unpack_profile()
1036 if (aa_dfa_next(rules->policy->dfa, rules->policy->start[0], in unpack_profile()
1070 rules->file = aa_get_pdb(rules->policy); in unpack_profile()
1289 struct aa_ruleset *rules = profile->label.rules[0]; in verify_profile() local
1291 if (!rules) in verify_profile()
1294 if (rules->file->dfa && !verify_dfa_accept_index(rules->file->dfa, in verify_profile()
[all …]
af_unix.c
205 struct aa_ruleset *rules = profile->label.rules[0]; in profile_create_perm() local
211 state = RULE_MEDIATES_v9NET(rules); in profile_create_perm()
229 struct aa_ruleset *rules = profile->label.rules[0]; in profile_sk_perm() local
237 state = RULE_MEDIATES_v9NET(rules); in profile_sk_perm()
257 struct aa_ruleset *rules = profile->label.rules[0]; in profile_bind_perm() local
266 state = RULE_MEDIATES_v9NET(rules); in profile_bind_perm()
288 struct aa_ruleset *rules = profile->label.rules[0]; in profile_listen_perm() local
297 state = RULE_MEDIATES_v9NET(rules); in profile_listen_perm()
325 struct aa_ruleset *rules = profile->label.rules[0]; in profile_accept_perm() local
355 struct aa_ruleset *rules = profile->label.rules[0]; in profile_opt_perm() local
[all …]
net.c
254 struct aa_ruleset *rules = profile->label.rules[0]; in aa_profile_af_perm() local
264 state = RULE_MEDIATES_NET(rules); in aa_profile_af_perm()
364 struct aa_ruleset *rules = profile->label.rules[0]; in aa_secmark_perm() local
366 if (rules->secmark_count == 0) in aa_secmark_perm()
369 for (i = 0; i < rules->secmark_count; i++) { in aa_secmark_perm()
370 if (!rules->secmark[i].secid) { in aa_secmark_perm()
371 ret = apparmor_secmark_init(&rules->secmark[i]); in aa_secmark_perm()
376 if (rules->secmark[i].secid == secid || in aa_secmark_perm()
377 rules->secmark[i].secid == AA_SECID_WILDCARD) { in aa_secmark_perm()
378 if (rules->secmark[i].deny) in aa_secmark_perm()
[all …]
mount.c
314 struct aa_ruleset *rules = profile->label.rules[0]; in match_mnt_path_str() local
321 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) in match_mnt_path_str()
336 pos = do_match_mnt(rules->policy, in match_mnt_path_str()
337 rules->policy->start[AA_CLASS_MOUNT], in match_mnt_path_str()
373 struct aa_ruleset *rules = profile->label.rules[0]; in match_mnt() local
379 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) in match_mnt()
605 struct aa_ruleset *rules = profile->label.rules[0]; in profile_umount() local
614 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) in profile_umount()
622 state = aa_dfa_match(rules->policy->dfa, in profile_umount()
668 struct aa_ruleset *rules = profile->label.rules[0]; in build_pivotroot() local
[all …]
file.c
185 unsigned int index = ACCEPT_TABLE(rules->dfa)[state]; in aa_lookup_condperms()
187 if (!(rules->perms)) in aa_lookup_condperms()
192 return &(rules->perms[index]); in aa_lookup_condperms()
193 return &(rules->perms[index + 1]); in aa_lookup_condperms()
196 return &(rules->perms[index]); in aa_lookup_condperms()
226 struct aa_ruleset *rules = profile->label.rules[0]; in __aa_path_perm() local
232 aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE], in __aa_path_perm()
325 struct aa_ruleset *rules = profile->label.rules[0]; in profile_path_link() local
348 state = aa_str_perms(rules->file, in profile_path_link()
349 rules->file->start[AA_CLASS_FILE], lname, in profile_path_link()
[all …]
ipc.c
83 struct aa_ruleset *rules = profile->label.rules[0]; in profile_signal_perm() local
93 state = RULE_MEDIATES(rules, AA_CLASS_SIGNAL); in profile_signal_perm()
96 state = aa_dfa_next(rules->policy->dfa, state, ad->signal); in profile_signal_perm()
97 aa_label_match(profile, rules, peer, state, false, request, &perms); in profile_signal_perm()
domain.c
96 struct aa_ruleset *rules = profile->label.rules[0]; in match_component() local
100 state = aa_dfa_match(rules->file->dfa, state, "&"); in match_component()
133 struct aa_ruleset *rules = profile->label.rules[0]; in label_compound_match() local
156 state = aa_dfa_match(rules->file->dfa, state, "//&"); in label_compound_match()
195 struct aa_ruleset *rules = profile->label.rules[0]; in label_components_match() local
520 struct aa_ruleset *rules = profile->label.rules[0]; in x_table_lookup() local
532 for (next = rules->file->trans.table[index]; next; in x_table_lookup()
665 struct aa_ruleset *rules = profile->label.rules[0]; in profile_transition() local
798 struct aa_ruleset *rules = profile->label.rules[0]; in profile_onexec() local
1356 struct aa_ruleset *rules = profile->label.rules[0]; in change_profile_perms_wrapper() local
[all …]
policy.c
246 if (!rules) in free_ruleset()
249 aa_put_pdb(rules->file); in free_ruleset()
250 aa_put_pdb(rules->policy); in free_ruleset()
251 aa_free_cap_rules(&rules->caps); in free_ruleset()
257 kfree_sensitive(rules); in free_ruleset()
262 struct aa_ruleset *rules; in aa_alloc_ruleset() local
264 rules = kzalloc(sizeof(*rules), gfp); in aa_alloc_ruleset()
266 return rules; in aa_alloc_ruleset()
349 if (!profile->label.rules[0]) in aa_alloc_profile()
650 struct aa_ruleset *rules; in aa_alloc_null() local
[all …]
task.c
231 struct aa_ruleset *rules = profile->label.rules[0]; in profile_ptrace_perm() local
236 aa_profile_match_label(profile, rules, peer, AA_CLASS_PTRACE, request, in profile_ptrace_perm()
326 struct aa_ruleset *rules = profile->label.rules[0]; in aa_profile_ns_perm() local
329 state = RULE_MEDIATES(rules, ad->class); in aa_profile_ns_perm()
333 perms = *aa_lookup_perms(rules->policy, state); in aa_profile_ns_perm()
label.c
1254 struct aa_ruleset *rules, in match_component() argument
1288 struct aa_ruleset *rules, in label_compound_match() argument
1300 state = match_component(profile, rules, tp, state); in label_compound_match()
1314 state = aa_dfa_match(rules->policy->dfa, state, "//&"); in label_compound_match()
1315 state = match_component(profile, rules, tp, state); in label_compound_match()
1319 *perms = *aa_lookup_perms(rules->policy, state); in label_compound_match()
1348 struct aa_ruleset *rules, in label_components_match() argument
1362 state = match_component(profile, rules, tp, start); in label_components_match()
1372 tmp = *aa_lookup_perms(rules->policy, state); in label_components_match()
1378 state = match_component(profile, rules, tp, start); in label_components_match()
[all …]
lib.c
387 struct aa_ruleset *rules, in aa_profile_match_label() argument
394 state = aa_dfa_next(rules->policy->dfa, in aa_profile_match_label()
395 rules->policy->start[AA_CLASS_LABEL], in aa_profile_match_label()
397 aa_label_match(profile, rules, label, state, false, request, perms); in aa_profile_match_label()
apparmorfs.c
615 struct aa_ruleset *rules = profile->label.rules[0]; in profile_query_cb() local
621 if (rules->file->dfa && *match_str == AA_CLASS_FILE) { in profile_query_cb()
622 state = aa_dfa_match_len(rules->file->dfa, in profile_query_cb()
623 rules->file->start[AA_CLASS_FILE], in profile_query_cb()
629 rules->file, state, &cond)); in profile_query_cb()
631 } else if (rules->policy->dfa) { in profile_query_cb()
632 if (!RULE_MEDIATES(rules, *match_str)) in profile_query_cb()
640 !RULE_MEDIATES_v9NET(rules)) in profile_query_cb()
642 state = aa_dfa_match_len(rules->policy->dfa, in profile_query_cb()
643 rules->policy->start[0], in profile_query_cb()
[all …]
/security/ipe/
policy_parser.c
39 for (i = 0; i < ARRAY_SIZE(p->rules); ++i) { in new_parsed_policy()
40 t = &p->rules[i]; in new_parsed_policy()
43 INIT_LIST_HEAD(&t->rules); in new_parsed_policy()
420 if (p->rules[op].default_action != IPE_ACTION_INVALID) in parse_rule()
423 p->rules[op].default_action = action; in parse_rule()
435 list_add_tail(&r->next, &p->rules[op].rules); in parse_rule()
457 for (i = 0; i < ARRAY_SIZE(p->rules); ++i) in ipe_free_parsed_policy()
458 list_for_each_entry_safe(pp, t, &p->rules[i].rules, next) { in ipe_free_parsed_policy()
485 for (i = 0; i < ARRAY_SIZE(p->rules); ++i) { in validate_policy()
486 if (p->rules[i].default_action == IPE_ACTION_INVALID) in validate_policy()
eval.c
317 const struct ipe_op_table *rules = NULL; in ipe_evaluate_event() local
345 rules = &pol->parsed->rules[ctx->op]; in ipe_evaluate_event()
347 list_for_each_entry(rule, &rules->rules, next) { in ipe_evaluate_event()
363 } else if (rules->default_action != IPE_ACTION_INVALID) { in ipe_evaluate_event()
364 action = rules->default_action; in ipe_evaluate_event()
policy.h
61 struct list_head rules; member
75 struct ipe_op_table rules[__IPE_OP_MAX]; member
/security/apparmor/include/
policy.h
304 static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules, in RULE_MEDIATES() argument
308 return rules->policy->start[class]; in RULE_MEDIATES()
310 return aa_dfa_match_len(rules->policy->dfa, in RULE_MEDIATES()
311 rules->policy->start[0], &class, 1); in RULE_MEDIATES()
314 static inline aa_state_t RULE_MEDIATES_v9NET(struct aa_ruleset *rules) in RULE_MEDIATES_v9NET() argument
316 return RULE_MEDIATES(rules, AA_CLASS_NETV9); in RULE_MEDIATES_v9NET()
319 static inline aa_state_t RULE_MEDIATES_NET(struct aa_ruleset *rules) in RULE_MEDIATES_NET() argument
325 aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NETV9); in RULE_MEDIATES_NET()
329 state = RULE_MEDIATES(rules, AA_CLASS_NET); in RULE_MEDIATES_NET()
label.h
144 DECLARE_FLEX_ARRAY(struct aa_ruleset *, rules);
345 int aa_label_match(struct aa_profile *profile, struct aa_ruleset *rules,
/security/smack/
Kconfig
17 bool "Reporting on access granted by Smack rules"
21 Enable the bring-up ("b") access mode in Smack rules.
26 rules. The developer can use the information to
27 identify which rules are necessary and what accesses
54 delivering a signal in the Smack rules.
/security/safesetid/
securityfs.c
78 hash_for_each_safe(pol->rules, bucket, tmp, rule, next) in __release_ruleset()
91 hash_add(pol->rules, &rule->next, __kuid_val(rule->src_id.uid)); in insert_rule()
93 hash_add(pol->rules, &rule->next, __kgid_val(rule->src_id.gid)); in insert_rule()
104 hash_for_each(pol->rules, bucket, rule, next) { in verify_ruleset()
154 hash_init(pol->rules); in handle_policy_update()
lsm.h
59 DECLARE_HASHTABLE(rules, SETID_HASH_BITS);
lsm.c
40 hash_for_each_possible(policy->rules, rule, next, __kuid_val(src.uid)) { in _setid_policy_lookup()
48 hash_for_each_possible(policy->rules, rule, next, __kgid_val(src.gid)) { in _setid_policy_lookup()
/security/integrity/ima/
Kconfig
61 Disabling this option will disregard LSM based policy rules.
129 IMA policy can now be updated multiple times. The new rules get
130 appended to the original policy. Have in mind that the rules are
142 This option allows the root user to see the current policy rules.
168 bool "IMA build time configured policy rules"
175 policy rules persist after loading a custom policy.
177 Depending on the rules configured, this policy may require kernel
ima_policy.c
901 const char * const *rules; in ima_init_arch_policy() local
910 for (rules = arch_rules; *rules != NULL; rules++) in ima_init_arch_policy()
919 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { in ima_init_arch_policy()
923 result = strscpy(rule, *rules, sizeof(rule)); in ima_init_arch_policy()
