  • only in /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src-rt-6.x.4708/linux/linux-2.6/security/apparmor/

Lines Matching refs:profile

52  * may_change_ptraced_domain - check if can change profile on ptraced task
53 * @task: task we want to change profile of (NOT NULL)
54 * @to_profile: profile to change to (NOT NULL)
93 * @profile: the current profile (NOT NULL)
95 * @name: the name of the profile to change to (NOT NULL)
101 static struct file_perms change_profile_perms(struct aa_profile *profile,
110 if (unconfined(profile)) {
114 } else if (!profile->file.dfa) {
116 } else if ((ns == profile->ns)) {
118 aa_str_perms(profile->file.dfa, start, name, &cond, &perms);
123 /* try matching with namespace name and then profile */
124 state = aa_dfa_match(profile->file.dfa, start, ns->base.name);
125 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
126 aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
134 * @head - profile list to walk (NOT NULL)
143 * Returns: profile or NULL if no match found
149 struct aa_profile *profile, *candidate = NULL;
151 list_for_each_entry(profile, head, base.list) {
152 if (profile->flags & PFLAG_NULL)
154 if (profile->xmatch && profile->xmatch_len > len) {
155 unsigned int state = aa_dfa_match(profile->xmatch,
157 u32 perm = dfa_user_allow(profile->xmatch, state);
160 candidate = profile;
161 len = profile->xmatch_len;
163 } else if (!strcmp(profile->base.name, name))
165 return profile;
177 * Returns: profile or NULL if no match found
182 struct aa_profile *profile;
185 profile = aa_get_profile(__attach_match(name, list));
188 return profile;
192 * separate_fqname - separate the namespace and profile names
201 * Either the profile or namespace name may be optional but if the namespace
202 * is specified the profile name termination must be present. This results
210 * Returns: profile name if it is specified else NULL
240 * @profile: current profile (NOT NULL)
243 * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
245 static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
248 struct aa_namespace *ns = profile->ns;
254 for (name = profile->file.trans.table[index]; !new_profile && name;
262 new_profile = aa_find_child(profile, name);
269 /* no name so use profile name */
270 xname = profile->base.hname;
297 * x_to_profile - get target profile for a given xindex
298 * @profile: current profile (NOT NULL)
302 * find profile for a transition index
304 * Returns: refcounted profile or NULL if not found available
306 static struct aa_profile *x_to_profile(struct aa_profile *profile,
310 struct aa_namespace *ns = profile->ns;
320 new_profile = find_attach(ns, &profile->base.profiles,
329 new_profile = x_table_lookup(profile, xindex);
346 struct aa_profile *profile, *new_profile = NULL;
366 profile = aa_get_profile(aa_newest_version(cxt->profile));
368 * get the namespace from the replacement profile as replacement
371 ns = profile->ns;
372 state = profile->file.start;
375 error = aa_get_name(&bprm->file->f_path, profile->path_flags, &buffer,
378 if (profile->flags &
389 if (unconfined(profile)) {
402 state = aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
413 state = aa_dfa_null_transition(profile->file.dfa, state);
414 cp = change_profile_perms(profile, cxt->onexec->ns, name,
425 new_profile = x_to_profile(profile, name, perms.xindex);
428 /* (p|c|n)ix - don't change profile but do
430 * up above when getting profile
433 new_profile = aa_get_profile(profile);
440 info = "profile not found";
443 } else if (COMPLAIN_MODE(profile)) {
445 new_profile = aa_new_null_profile(profile, 0);
448 info = "could not create null profile";
486 AA_DEBUG("scrubbing environment variables for %s profile=%s\n",
496 aa_put_profile(cxt->profile);
497 /* transfer new profile reference will be released when cxt is freed */
498 cxt->profile = new_profile;
508 error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
512 aa_put_profile(profile);
543 struct aa_profile *profile = __aa_current_profile();
546 /* bail out if unconfined or not changing profile */
547 if ((new_cxt->profile == profile) ||
548 (unconfined(new_cxt->profile)))
553 /* reset soft limits and set hard limits for the new profile */
554 __aa_transition_rlimits(profile, new_cxt->profile);
568 * Functions for self directed profile change
593 * Change to the first profile specified in @hats that exists, and store
596 * top level profile.
604 struct aa_profile *profile, *previous_profile, *hat = NULL;
614 profile = aa_cred_profile(cred);
617 if (unconfined(profile)) {
626 root = PROFILE_IS_HAT(profile) ? profile->parent : profile;
654 hat = aa_new_null_profile(profile, 1);
656 info = "failed null profile create";
686 /* Return to saved profile. Kill task if restore fails
693 /* ignore restores when there is no saved profile */
698 error = aa_audit_file(profile, &perms, GFP_KERNEL,
711 * aa_change_profile - perform a one-way profile transition
712 * @ns_name: name of the profile namespace to change to (MAYBE NULL)
713 * @hname: name of profile to change to (MAYBE NULL)
717 * Change to new profile @name. Unlike with hats, there is no way
718 * to change back. If @name isn't specified the current profile name is
730 struct aa_profile *profile, *target = NULL;
750 profile = aa_cred_profile(cred);
754 ns = aa_find_namespace(profile->ns, ns_name);
764 ns = aa_get_namespace(profile->ns);
766 /* if the name was not specified, use the name of the current profile */
768 if (unconfined(profile))
771 hname = profile->base.hname;
774 perms = change_profile_perms(profile, ns, hname, request,
775 profile->file.start);
784 info = "profile not found";
786 if (permtest || !COMPLAIN_MODE(profile))
789 target = aa_new_null_profile(profile, 0);
791 info = "failed null profile create";
814 error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request,