Lines Matching defs:label

117  * label_compound_match - find perms for full compound label
119 * @label: label to check access permissions for
128 * For the label A//&B//&C this does the perm match for A//&B//&C
133 struct aa_label *label, bool stack,
142 label_for_each(i, label, tp) {
156 label_for_each_cont(i, label, tp) {
177 * label_components_match - find perms for all subcomponents of a label
179 * @label: label to check access permissions for
188 * For the label A//&B//&C this does the perm match for each of A and B and C
193 struct aa_label *label, bool stack,
204 label_for_each(i, label, tp) {
220 label_for_each_cont(i, label, tp) {
242 * label_match - do a multi-component label match
244 * @label: label to match (NOT NULL)
253 static int label_match(struct aa_profile *profile, struct aa_label *label,
260 error = label_compound_match(profile, label, stack, state, subns,
266 return label_components_match(profile, label, stack, state, subns,
275 * @target: label to transition to (NOT NULL)
283 * currently only matches full label A//&B//&C or individual components A, B, C
384 * Returns: label or NULL if no match found
400 if (profile->label.flags & FLAG_NULL &&
401 &profile->label == ns_unconfined(profile->ns))
493 return &candidate->label;
505 * @name: returns: name tested to find label (NOT NULL)
507 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
512 struct aa_label *label = NULL;
520 * index into the resultant label
522 for (*name = profile->file.trans.table[index]; !label && *name;
529 label = &new_profile->label;
532 label = aa_label_parse(&profile->label, *name, GFP_KERNEL,
534 if (IS_ERR(label))
535 label = NULL;
540 return label;
544 * x_to_label - get target label for a given xindex
551 * find label for a transition index
553 * Returns: refcounted label or NULL if not found or not available
601 new = aa_get_newest_label(&profile->label);
642 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
645 new = aa_get_newest_label(&profile->label);
655 AA_DEBUG("unconfined attached to new label");
659 return aa_get_newest_label(&profile->label);
668 if (new && new->proxy == profile->label.proxy && info) {
688 new = &new_profile->label;
749 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
778 "variables for %s label=", xname);
792 static struct aa_label *handle_onexec(struct aa_label *label,
802 AA_BUG(!label);
808 error = fn_for_each_in_ns(label, profile,
813 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
820 error = fn_for_each_in_ns(label, profile,
825 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
826 aa_label_merge(&profile->label, onexec,
836 error = fn_for_each_in_ns(label, profile,
840 "failed to build target label", -ENOMEM));
855 struct aa_label *label, *new = NULL;
870 label = aa_get_newest_label(cred_label(bprm->cred));
873 * Detect no new privs being set, and store the label it
879 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) &&
881 ctx->nnp = aa_get_label(label);
892 new = handle_onexec(label, ctx->onexec, ctx->token,
895 new = fn_label_build(label, profile, GFP_KERNEL,
917 !unconfined(label) &&
930 /* TODO: test needs to be profile of label to new */
939 "label=", bprm->filename);
946 if (label->proxy != new->proxy) {
950 "bits. %s label=", bprm->filename);
961 aa_put_label(label);
967 error = fn_for_each(label, profile,
983 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
1019 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info,
1024 * complain mode allow by returning hat->label
1026 return &hat->label;
1031 * Returns: label for hat transition or ERR_PTR. Does not return NULL
1033 static struct aa_label *change_hat(struct aa_label *label, const char *hats[],
1043 AA_BUG(!label);
1047 if (PROFILE_IS_HAT(labels_profile(label)))
1053 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1089 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1100 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1117 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1119 aa_get_label(&profile->label));
1121 info = "label build failed";
1150 struct aa_label *label, *previous, *new = NULL, *target = NULL;
1158 label = aa_get_newest_cred_label(cred);
1162 * Detect no new privs being set, and store the label it
1168 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
1169 ctx->nnp = aa_get_label(label);
1171 if (unconfined(label)) {
1178 new = change_hat(label, hats, count, flags);
1195 if (task_no_new_privs(current) && !unconfined(label) &&
1216 if (task_no_new_privs(current) && !unconfined(label) &&
1224 /* Return to saved label. Kill task if restore fails
1239 aa_put_label(label);
1249 fn_for_each_in_ns(label, profile,
1293 struct aa_label *label, *new = NULL, *target = NULL;
1304 label = aa_get_current_label();
1307 * Detect no new privs being set, and store the label it
1313 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
1314 ctx->nnp = aa_get_label(label);
1317 aa_put_label(label);
1341 target = aa_label_parse(label, fqname, GFP_KERNEL, true, false);
1345 info = "label not found";
1353 !COMPLAIN_MODE(labels_profile(label)))
1356 tprofile = aa_new_null_profile(labels_profile(label), false,
1363 target = &tprofile->label;
1375 error = fn_for_each_in_ns(label, profile,
1388 if (error && !fn_for_each_in_ns(label, profile,
1404 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1406 aa_get_label(&profile->label));
1411 if (task_no_new_privs(current) && !unconfined(label) &&
1423 new = aa_label_merge(label, target, GFP_KERNEL);
1425 info = "failed to build target label";
1446 error = fn_for_each_in_ns(label, profile,
1454 aa_put_label(label);