xref: /kernel/linux/linux-5.10/security/apparmor/file.c

23 #include "include/label.h"
67 		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
83  * @tlabel: target label (MAY BE NULL)
155 static int path_name(const char *op, struct aa_label *label,
164 			     labels_profile(label)->disconnected);
166 		fn_for_each_confined(label, profile,
293 	error = path_name(op, &profile->label, path,
305  * @label: profile being enforced  (NOT NULL)
313 int aa_path_perm(const char *op, struct aa_label *label,
327 	error = fn_for_each_confined(label, profile,
368 	error = path_name(OP_LINK, &profile->label, link, profile->path_flags,
374 	error = path_name(OP_LINK, &profile->label, target, profile->path_flags,
439  * @label: the label being enforced  (NOT NULL)
455 int aa_path_link(struct aa_label *label, struct dentry *old_dentry,
475 	error = fn_for_each_confined(label, profile,
484 static void update_file_ctx(struct aa_file_ctx *fctx, struct aa_label *label,
489 	/* update caching of label on file_ctx */
491 	old = rcu_dereference_protected(fctx->label,
493 	l = aa_label_merge(old, label, GFP_ATOMIC);
496 			rcu_assign_pointer(fctx->label, l);
505 static int __file_path_perm(const char *op, struct aa_label *label,
518 	/* revalidation due to label out of date. No revocation at this time */
519 	if (!denied && aa_label_is_subset(flabel, label))
528 	/* check every profile in task label not in current cache */
529 	error = fn_for_each_not_in_set(flabel, label, profile,
534 		 * check every profile in file label that was not tested
541 		if (label == flabel)
542 			error = fn_for_each(label, profile,
547 			error = fn_for_each_not_in_set(label, flabel, profile,
553 		update_file_ctx(file_ctx(file), label, request);
560 static int __file_sock_perm(const char *op, struct aa_label *label,
569 	/* revalidation due to label out of date. No revocation at this time */
570 	if (!denied && aa_label_is_subset(flabel, label))
574 	error = aa_sock_file_perm(label, op, request, sock);
577 		/* check every profile in file label to is cached */
581 		update_file_ctx(file_ctx(file), label, request);
589  * @label: label being enforced   (NOT NULL)
596 int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
604 	AA_BUG(!label);
610 	flabel  = rcu_dereference(fctx->label);
621 	if (unconfined(label) || unconfined(flabel) ||
622 	    (!denied && aa_label_is_subset(flabel, label))) {
629 	/* TODO: label cross check */
632 		error = __file_path_perm(op, label, flabel, file, request,
636 		error = __file_sock_perm(op, label, flabel, file, request,
644 static void revalidate_tty(struct aa_label *label)
662 		if (aa_file_perm(OP_INHERIT, label, file, MAY_READ | MAY_WRITE,
675 	struct aa_label *label = (struct aa_label *)p;
677 	if (aa_file_perm(OP_INHERIT, label, file, aa_map_file_to_perms(file),
687 	struct aa_label *label = aa_get_newest_cred_label(cred);
691 	revalidate_tty(label);
694 	n = iterate_fd(files, 0, match_file, label);
704 	} while ((n = iterate_fd(files, n, match_file, label)) != 0);
708 	aa_put_label(label);

Indexes created Thu Nov 07 10:32:03 CST 2024