
33  * may_change_ptraced_domain - check if can change profile on ptraced task
35 * @to_label: profile to change to (NOT NULL)
82 /* match a profile and its associated ns component if needed
84 * If a subns profile is not to be matched should be prescreened with
87 static inline aa_state_t match_component(struct aa_profile *profile,
91 struct aa_ruleset *rules = list_first_entry(&profile->rules,
97 if (profile->ns == tp->ns)
100 /* try matching with namespace name and then profile */
101 ns_name = aa_ns_name(profile->ns, tp->ns, true);
110 * @profile: profile to find perms for
124 static int label_compound_match(struct aa_profile *profile,
129 struct aa_ruleset *rules = list_first_entry(&profile->rules,
137 if (!aa_ns_visible(profile->ns, tp->ns, subns))
139 state = match_component(profile, tp, stack, state);
151 if (!aa_ns_visible(profile->ns, tp->ns, subns))
154 state = match_component(profile, tp, false, state);
159 aa_apply_modes_to_perms(profile, perms);
172 * @profile: profile to find perms for
186 static int label_components_match(struct aa_profile *profile,
191 struct aa_ruleset *rules = list_first_entry(&profile->rules,
201 if (!aa_ns_visible(profile->ns, tp->ns, subns))
203 state = match_component(profile, tp, stack, start);
214 aa_apply_modes_to_perms(profile, &tmp);
217 if (!aa_ns_visible(profile->ns, tp->ns, subns))
219 state = match_component(profile, tp, stack, start);
223 aa_apply_modes_to_perms(profile, &tmp);
239 * @profile: profile to match against (NOT NULL)
249 static int label_match(struct aa_profile *profile, struct aa_label *label,
256 error = label_compound_match(profile, label, stack, state, subns,
262 return label_components_match(profile, label, stack, state, subns,
270 * @profile: the current profile (NOT NULL)
283 static int change_profile_perms(struct aa_profile *profile,
288 if (profile_unconfined(profile)) {
294 /* TODO: add profile in ns screening */
295 return label_match(profile, target, stack, start, true, request, perms);
299 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
301 * @profile: profile to match against (NOT NULL)
307 struct aa_profile *profile, aa_state_t state)
312 struct aa_attachment *attach = &profile->attach;
372 * @head: profile list to walk (NOT NULL)
391 struct aa_profile *profile, *candidate = NULL;
398 list_for_each_entry_rcu(profile, head, base.list) {
399 struct aa_attachment *attach = &profile->attach;
401 if (profile->label.flags & FLAG_NULL &&
402 &profile->label == ns_unconfined(profile->ns))
405 /* Find the "best" matching profile. Profiles must
413 * as another profile, signal a conflict and refuse to
436 if (!aa_get_profile_not0(profile))
439 ret = aa_xattrs_match(bprm, profile,
442 aa_put_profile(profile);
471 candidate = profile;
476 } else if (!strcmp(profile->base.name, name)) {
481 candidate = profile;
488 *info = "conflicting profile attachments";
507 * @profile: current profile (NOT NULL)
513 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
516 struct aa_ruleset *rules = list_first_entry(&profile->rules,
533 new_profile = aa_find_child(profile, *name);
538 label = aa_label_parse(&profile->label, *name, GFP_KERNEL,
551 * @profile: current profile (NOT NULL)
562 static struct aa_label *x_to_label(struct aa_profile *profile,
568 struct aa_ruleset *rules = list_first_entry(&profile->rules,
571 struct aa_ns *ns = profile->ns;
585 new = x_table_lookup(profile, xindex, lookupname);
593 new = find_attach(bprm, ns, &profile->base.profiles,
605 /* (p|c|n)ix - don't change profile but do
609 /* no profile && no error */
610 new = aa_get_newest_label(&profile->label);
612 new = aa_get_newest_label(ns_unconfined(profile->ns));
632 struct aa_profile *profile,
637 struct aa_ruleset *rules = list_first_entry(&profile->rules,
646 AA_BUG(!profile);
650 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
651 &name, &info, profile->disconnected);
653 if (profile_unconfined(profile) ||
654 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
657 new = aa_get_newest_label(&profile->label);
663 if (profile_unconfined(profile)) {
664 new = find_attach(bprm, profile->ns,
665 &profile->ns->base.profiles, name, &info);
671 return aa_get_newest_label(&profile->label);
678 new = x_to_label(profile, bprm, name, perms.xindex, &target,
680 if (new && new->proxy == profile->label.proxy && info) {
685 info = "profile transition not found";
689 } else if (COMPLAIN_MODE(profile)) {
693 new_profile = aa_new_learning_profile(profile, false, name,
697 info = "could not create null profile";
714 " for %s profile=", name);
722 aa_audit_file(subj_cred, profile, &perms, OP_EXEC, MAY_EXEC, name,
734 struct aa_profile *profile, struct aa_label *onexec,
739 struct aa_ruleset *rules = list_first_entry(&profile->rules,
746 AA_BUG(!profile);
751 if (profile_unconfined(profile)) {
761 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
762 &xname, &info, profile->disconnected);
764 if (profile_unconfined(profile) ||
765 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
784 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
802 return aa_audit_file(subj_cred, profile, &perms, OP_EXEC,
816 struct aa_profile *profile;
826 error = fn_for_each_in_ns(label, profile,
827 profile_onexec(subj_cred, profile, onexec, stack,
831 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
833 profile_transition(subj_cred, profile, bprm,
839 error = fn_for_each_in_ns(label, profile,
840 profile_onexec(subj_cred, profile, onexec, stack, bprm,
844 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
845 aa_label_merge(&profile->label, onexec,
847 profile_transition(subj_cred, profile, bprm,
856 error = fn_for_each_in_ns(label, profile,
857 aa_audit_file(subj_cred, profile, &nullperms,
878 struct aa_profile *profile;
920 new = fn_label_build(label, profile, GFP_KERNEL,
921 profile_transition(subj_cred, profile, bprm,
956 /* TODO: test needs to be profile of label to new */
993 error = fn_for_each(label, profile,
994 aa_audit_file(current_cred(), profile, &nullperms,
1003 * Functions for self directed profile change
1012 struct aa_profile *profile,
1019 if (sibling && PROFILE_IS_HAT(profile)) {
1020 root = aa_get_profile_rcu(&profile->parent);
1021 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
1022 root = aa_get_profile(profile);
1032 if (COMPLAIN_MODE(profile)) {
1033 hat = aa_new_learning_profile(profile, true, name,
1036 info = "failed null profile create";
1044 aa_audit_file(subj_cred, profile, &nullperms, OP_CHANGE_HAT,
1065 struct aa_profile *profile, *root, *hat = NULL;
1082 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1083 if (sibling && PROFILE_IS_HAT(profile)) {
1084 root = aa_get_profile_rcu(&profile->parent);
1085 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
1086 root = aa_get_profile(profile);
1095 if (!COMPLAIN_MODE(profile))
1118 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1119 if (!list_empty(&profile->base.profiles)) {
1129 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1137 if (count > 1 || COMPLAIN_MODE(profile)) {
1138 aa_audit_file(subj_cred, profile, &nullperms,
1147 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1148 build_change_hat(subj_cred, profile, name,
1150 aa_get_label(&profile->label));
1169 * Change to the first profile specified in @hats that exists, and store
1172 * top level profile.
1174 * change_hat only applies to profiles in the current ns, and each profile
1182 struct aa_profile *profile;
1266 } /* else ignore @flags && restores when there is no saved profile */
1281 fn_for_each_in_ns(label, profile,
1282 aa_audit_file(subj_cred, profile, &perms, OP_CHANGE_HAT,
1292 struct aa_profile *profile,
1296 struct aa_ruleset *rules = list_first_entry(&profile->rules,
1302 error = change_profile_perms(profile, target, stack, request,
1306 error = aa_audit_file(subj_cred, profile, perms, op, request,
1317 * aa_change_profile - perform a one-way profile transition
1318 * @fqname: name of profile may include namespace (NOT NULL)
1321 * Change to new profile @name. Unlike with hats, there is no way
1322 * to change back. If @name isn't specified the current profile name is
1332 struct aa_profile *profile;
1357 AA_DEBUG("no profile name");
1375 /* This should move to a per profile test. Requires pushing build
1390 (void) fn_for_each_in_ns(label, profile,
1391 aa_audit_file(subj_cred, profile, &perms, op,
1410 * TODO: fixme using labels_profile is not right - do profile
1411 * per complain profile
1420 info = "failed null profile create";
1436 error = fn_for_each_in_ns(label, profile,
1439 profile, target, stack,
1450 if (error && !fn_for_each_in_ns(label, profile,
1451 COMPLAIN_MODE(profile)))
1466 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1468 aa_get_label(&profile->label));
1508 error = fn_for_each_in_ns(label, profile,
1510 profile, &perms, op, request, auditname,