label.c (e844fe9b51c984472ea98be3b2d1201ba9ee3213) label.c (33fc95d8293cfca352ac875668857293e22d7d51)
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor label definitions
6 *
7 * Copyright 2017 Canonical Ltd.
8 */

--- 1251 unchanged lines hidden (view full) ---

1260 return aa_ns_visible(profile->ns, labels_ns(label), true);
1261}
1262
1263/* match a profile and its associated ns component if needed
1264 * Assumes visibility test has already been done.
1265 * If a subns profile is not to be matched should be prescreened with
1266 * visibility test.
1267 */
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor label definitions
6 *
7 * Copyright 2017 Canonical Ltd.
8 */

--- 1251 unchanged lines hidden (view full) ---

1260 return aa_ns_visible(profile->ns, labels_ns(label), true);
1261}
1262
1263/* match a profile and its associated ns component if needed
1264 * Assumes visibility test has already been done.
1265 * If a subns profile is not to be matched should be prescreened with
1266 * visibility test.
1267 */
1268static inline unsigned int match_component(struct aa_profile *profile,
1269 struct aa_profile *tp,
1270 unsigned int state)
1268static inline aa_state_t match_component(struct aa_profile *profile,
1269 struct aa_profile *tp,
1270 aa_state_t state)
1271{
1272 const char *ns_name;
1273
1274 if (profile->ns == tp->ns)
1275 return aa_dfa_match(profile->policy.dfa, state, tp->base.hname);
1276
1277 /* try matching with namespace name and then profile */
1278 ns_name = aa_ns_name(profile->ns, tp->ns, true);

--- 15 unchanged lines hidden (view full) ---

1294 * Returns: 0 on success else ERROR
1295 *
1296 * For the label A//&B//&C this does the perm match for A//&B//&C
1297 * @perms should be preinitialized with allperms OR a previous permission
1298 * check to be stacked.
1299 */
1300static int label_compound_match(struct aa_profile *profile,
1301 struct aa_label *label,
1271{
1272 const char *ns_name;
1273
1274 if (profile->ns == tp->ns)
1275 return aa_dfa_match(profile->policy.dfa, state, tp->base.hname);
1276
1277 /* try matching with namespace name and then profile */
1278 ns_name = aa_ns_name(profile->ns, tp->ns, true);

--- 15 unchanged lines hidden (view full) ---

1294 * Returns: 0 on success else ERROR
1295 *
1296 * For the label A//&B//&C this does the perm match for A//&B//&C
1297 * @perms should be preinitialized with allperms OR a previous permission
1298 * check to be stacked.
1299 */
1300static int label_compound_match(struct aa_profile *profile,
1301 struct aa_label *label,
1302 unsigned int state, bool subns, u32 request,
1302 aa_state_t state, bool subns, u32 request,
1303 struct aa_perms *perms)
1304{
1305 struct aa_profile *tp;
1306 struct label_it i;
1307
1308 /* find first subcomponent that is visible */
1309 label_for_each(i, label, tp) {
1310 if (!aa_ns_visible(profile->ns, tp->ns, subns))

--- 40 unchanged lines hidden (view full) ---

1351 *
1352 * Returns: 0 on success else ERROR
1353 *
1354 * For the label A//&B//&C this does the perm match for each of A and B and C
1355 * @perms should be preinitialized with allperms OR a previous permission
1356 * check to be stacked.
1357 */
1358static int label_components_match(struct aa_profile *profile,
1303 struct aa_perms *perms)
1304{
1305 struct aa_profile *tp;
1306 struct label_it i;
1307
1308 /* find first subcomponent that is visible */
1309 label_for_each(i, label, tp) {
1310 if (!aa_ns_visible(profile->ns, tp->ns, subns))

--- 40 unchanged lines hidden (view full) ---

1351 *
1352 * Returns: 0 on success else ERROR
1353 *
1354 * For the label A//&B//&C this does the perm match for each of A and B and C
1355 * @perms should be preinitialized with allperms OR a previous permission
1356 * check to be stacked.
1357 */
1358static int label_components_match(struct aa_profile *profile,
1359 struct aa_label *label, unsigned int start,
1359 struct aa_label *label, aa_state_t start,
1360 bool subns, u32 request,
1361 struct aa_perms *perms)
1362{
1363 struct aa_profile *tp;
1364 struct label_it i;
1365 struct aa_perms tmp;
1360 bool subns, u32 request,
1361 struct aa_perms *perms)
1362{
1363 struct aa_profile *tp;
1364 struct label_it i;
1365 struct aa_perms tmp;
1366 unsigned int state = 0;
1366 aa_state_t state = 0;
1367
1368 /* find first subcomponent to test */
1369 label_for_each(i, label, tp) {
1370 if (!aa_ns_visible(profile->ns, tp->ns, subns))
1371 continue;
1372 state = match_component(profile, tp, start);
1373 if (!state)
1374 goto fail;

--- 35 unchanged lines hidden (view full) ---

1410 * @state: state to start in
1411 * @subns: whether to match subns components
1412 * @request: permission request
1413 * @perms: Returns computed perms (NOT NULL)
1414 *
1415 * Returns: the state the match finished in, may be the none matching state
1416 */
1417int aa_label_match(struct aa_profile *profile, struct aa_label *label,
1367
1368 /* find first subcomponent to test */
1369 label_for_each(i, label, tp) {
1370 if (!aa_ns_visible(profile->ns, tp->ns, subns))
1371 continue;
1372 state = match_component(profile, tp, start);
1373 if (!state)
1374 goto fail;

--- 35 unchanged lines hidden (view full) ---

1410 * @state: state to start in
1411 * @subns: whether to match subns components
1412 * @request: permission request
1413 * @perms: Returns computed perms (NOT NULL)
1414 *
1415 * Returns: the state the match finished in, may be the none matching state
1416 */
1417int aa_label_match(struct aa_profile *profile, struct aa_label *label,
1418 unsigned int state, bool subns, u32 request,
1418 aa_state_t state, bool subns, u32 request,
1419 struct aa_perms *perms)
1420{
1421 int error = label_compound_match(profile, label, state, subns, request,
1422 perms);
1423 if (!error)
1424 return error;
1425
1426 *perms = allperms;

--- 735 unchanged lines hidden ---
1419 struct aa_perms *perms)
1420{
1421 int error = label_compound_match(profile, label, state, subns, request,
1422 perms);
1423 if (!error)
1424 return error;
1425
1426 *perms = allperms;

--- 735 unchanged lines hidden ---
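Review bot: The kernel-doc above aa_label_match() (line 1415) still reads "Returns: the state the match finished in, may be the none matching state", but the visible body returns `error` from label_compound_match() and the return type stays `int` while the `state` parameter moves to `aa_state_t`. Since the patch separates DFA states from plain integers, the comment should be corrected to match the sibling helpers at lines 1294 and 1352: `* Returns: 0 on success else ERROR`. This matters for a permission check because a caller who trusts the current wording could treat a 0 return as the non-matching state and invert the allow/deny decision. The rest of aa_label_match() is in the hidden lines, so confirm that the fall-through path after `*perms = allperms;` also returns an error code and not a state.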