
50  * may_change_ptraced_domain - check if can change profile on ptraced task
51 * @to_label: profile to change to (NOT NULL)
92 /* match a profile and its associated ns component if needed
94 * If a subns profile is not to be matched should be prescreened with
97 static inline unsigned int match_component(struct aa_profile *profile,
104 state = aa_dfa_match(profile->file.dfa, state, "&");
105 if (profile->ns == tp->ns)
106 return aa_dfa_match(profile->file.dfa, state, tp->base.hname);
108 /* try matching with namespace name and then profile */
109 ns_name = aa_ns_name(profile->ns, tp->ns, true);
110 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
111 state = aa_dfa_match(profile->file.dfa, state, ns_name);
112 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
113 return aa_dfa_match(profile->file.dfa, state, tp->base.hname);
118 * @profile: profile to find perms for
132 static int label_compound_match(struct aa_profile *profile,
143 if (!aa_ns_visible(profile->ns, tp->ns, subns))
145 state = match_component(profile, tp, stack, state);
157 if (!aa_ns_visible(profile->ns, tp->ns, subns))
159 state = aa_dfa_match(profile->file.dfa, state, "//&");
160 state = match_component(profile, tp, false, state);
164 *perms = aa_compute_fperms(profile->file.dfa, state, &cond);
165 aa_apply_modes_to_perms(profile, perms);
178 * @profile: profile to find perms for
192 static int label_components_match(struct aa_profile *profile,
205 if (!aa_ns_visible(profile->ns, tp->ns, subns))
207 state = match_component(profile, tp, stack, start);
217 tmp = aa_compute_fperms(profile->file.dfa, state, &cond);
218 aa_apply_modes_to_perms(profile, &tmp);
221 if (!aa_ns_visible(profile->ns, tp->ns, subns))
223 state = match_component(profile, tp, stack, start);
226 tmp = aa_compute_fperms(profile->file.dfa, state, &cond);
227 aa_apply_modes_to_perms(profile, &tmp);
243 * @profile: profile to match against (NOT NULL)
253 static int label_match(struct aa_profile *profile, struct aa_label *label,
260 error = label_compound_match(profile, label, stack, state, subns,
266 return label_components_match(profile, label, stack, state, subns,
274 * @profile: the current profile (NOT NULL)
286 static int change_profile_perms(struct aa_profile *profile,
291 if (profile_unconfined(profile)) {
297 /* TODO: add profile in ns screening */
298 return label_match(profile, target, stack, start, true, request, perms);
302 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
304 * @profile: profile to match against (NOT NULL)
310 struct aa_profile *profile, unsigned int state)
316 int value_size = 0, ret = profile->xattr_count;
318 if (!bprm || !profile->xattr_count)
323 state = aa_dfa_outofband_transition(profile->xmatch, state);
326 for (i = 0; i < profile->xattr_count; i++) {
327 size = vfs_getxattr_alloc(d, profile->xattrs[i], &value,
337 state = aa_dfa_null_transition(profile->xmatch, state);
339 state = aa_dfa_match_len(profile->xmatch, state, value,
341 perm = dfa_user_allow(profile->xmatch, state);
348 state = aa_dfa_outofband_transition(profile->xmatch, state);
373 * @head - profile list to walk (NOT NULL)
392 struct aa_profile *profile, *candidate = NULL;
399 list_for_each_entry_rcu(profile, head, base.list) {
400 if (profile->label.flags & FLAG_NULL &&
401 &profile->label == ns_unconfined(profile->ns))
404 /* Find the "best" matching profile. Profiles must
412 * as another profile, signal a conflict and refuse to
415 if (profile->xmatch) {
419 state = aa_dfa_leftmatch(profile->xmatch, DFA_START,
421 perm = dfa_user_allow(profile->xmatch, state);
429 if (bprm && profile->xattr_count) {
432 if (!aa_get_profile_not0(profile))
435 ret = aa_xattrs_match(bprm, profile,
438 aa_put_profile(profile);
467 candidate = profile;
468 candidate_len = max(count, profile->xmatch_len);
472 } else if (!strcmp(profile->base.name, name)) {
477 candidate = profile;
484 *info = "conflicting profile attachments";
503 * @profile: current profile (NOT NULL)
509 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
522 for (*name = profile->file.trans.table[index]; !label && *name;
527 new_profile = aa_find_child(profile, *name);
532 label = aa_label_parse(&profile->label, *name, GFP_KERNEL,
545 * @profile: current profile (NOT NULL)
555 static struct aa_label *x_to_label(struct aa_profile *profile,
562 struct aa_ns *ns = profile->ns;
573 stack = profile->file.trans.table[xindex & AA_X_INDEX_MASK];
576 new = x_table_lookup(profile, xindex, lookupname);
584 new = find_attach(bprm, ns, &profile->base.profiles,
596 /* (p|c|n)ix - don't change profile but do
600 /* no profile && no error */
601 new = aa_get_newest_label(&profile->label);
603 new = aa_get_newest_label(ns_unconfined(profile->ns));
622 static struct aa_label *profile_transition(struct aa_profile *profile,
629 unsigned int state = profile->file.start;
634 AA_BUG(!profile);
638 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
639 &name, &info, profile->disconnected);
641 if (profile_unconfined(profile) ||
642 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
645 new = aa_get_newest_label(&profile->label);
651 if (profile_unconfined(profile)) {
652 new = find_attach(bprm, profile->ns,
653 &profile->ns->base.profiles, name, &info);
659 return aa_get_newest_label(&profile->label);
663 state = aa_str_perms(profile->file.dfa, state, name, cond, &perms);
666 new = x_to_label(profile, bprm, name, perms.xindex, &target,
668 if (new && new->proxy == profile->label.proxy && info) {
673 info = "profile transition not found";
677 } else if (COMPLAIN_MODE(profile)) {
681 new_profile = aa_new_null_profile(profile, false, name,
685 info = "could not create null profile";
702 " for %s profile=", name);
710 aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new,
720 static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
725 unsigned int state = profile->file.start;
730 AA_BUG(!profile);
735 if (profile_unconfined(profile)) {
745 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
746 &xname, &info, profile->disconnected);
748 if (profile_unconfined(profile) ||
749 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
758 state = aa_str_perms(profile->file.dfa, state, xname, cond, &perms);
767 state = aa_dfa_null_transition(profile->file.dfa, state);
768 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
786 return aa_audit_file(profile, &perms, OP_EXEC, AA_MAY_ONEXEC, xname,
798 struct aa_profile *profile;
808 error = fn_for_each_in_ns(label, profile,
809 profile_onexec(profile, onexec, stack,
813 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
815 profile_transition(profile, bprm, buffer,
820 error = fn_for_each_in_ns(label, profile,
821 profile_onexec(profile, onexec, stack, bprm,
825 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
826 aa_label_merge(&profile->label, onexec,
828 profile_transition(profile, bprm, buffer,
836 error = fn_for_each_in_ns(label, profile,
837 aa_audit_file(profile, &nullperms, OP_CHANGE_ONEXEC,
856 struct aa_profile *profile;
895 new = fn_label_build(label, profile, GFP_KERNEL,
896 profile_transition(profile, bprm, buffer,
930 /* TODO: test needs to be profile of label to new */
967 error = fn_for_each(label, profile,
968 aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC,
977 * Functions for self directed profile change
985 static struct aa_label *build_change_hat(struct aa_profile *profile,
992 if (sibling && PROFILE_IS_HAT(profile)) {
993 root = aa_get_profile_rcu(&profile->parent);
994 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
995 root = aa_get_profile(profile);
1005 if (COMPLAIN_MODE(profile)) {
1006 hat = aa_new_null_profile(profile, true, name,
1009 info = "failed null profile create";
1017 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT,
1036 struct aa_profile *profile, *root, *hat = NULL;
1053 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1054 if (sibling && PROFILE_IS_HAT(profile)) {
1055 root = aa_get_profile_rcu(&profile->parent);
1056 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
1057 root = aa_get_profile(profile);
1066 if (!COMPLAIN_MODE(profile))
1089 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1090 if (!list_empty(&profile->base.profiles)) {
1100 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1108 if (count > 1 || COMPLAIN_MODE(profile)) {
1109 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT,
1117 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1118 build_change_hat(profile, name, sibling),
1119 aa_get_label(&profile->label));
1138 * Change to the first profile specified in @hats that exists, and store
1141 * top level profile.
1143 * change_hat only applies to profiles in the current ns, and each profile
1151 struct aa_profile *profile;
1234 } /* else ignore @flags && restores when there is no saved profile */
1249 fn_for_each_in_ns(label, profile,
1250 aa_audit_file(profile, &perms, OP_CHANGE_HAT,
1259 struct aa_profile *profile,
1267 error = change_profile_perms(profile, target, stack, request,
1268 profile->file.start, perms);
1270 error = aa_audit_file(profile, perms, op, request, name,
1278 * aa_change_profile - perform a one-way profile transition
1279 * @fqname: name of profile may include namespace (NOT NULL)
1283 * Change to new profile @name. Unlike with hats, there is no way
1284 * to change back. If @name isn't specified the current profile name is
1294 struct aa_profile *profile;
1318 AA_DEBUG("no profile name");
1349 * TODO: fixme using labels_profile is not right - do profile
1350 * per complain profile
1359 info = "failed null profile create";
1375 error = fn_for_each_in_ns(label, profile,
1377 profile, target, stack,
1388 if (error && !fn_for_each_in_ns(label, profile,
1389 COMPLAIN_MODE(profile)))
1404 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1406 aa_get_label(&profile->label));
1446 error = fn_for_each_in_ns(label, profile,
1447 aa_audit_file(profile, &perms, op, request, auditname,