Lines Matching defs:label
109 * label_compound_match - find perms for full compound label
111 * @label: label to check access permissions for
120 * For the label A//&B//&C this does the perm match for A//&B//&C
125 struct aa_label *label, bool stack,
136 label_for_each(i, label, tp) {
150 label_for_each_cont(i, label, tp) {
171 * label_components_match - find perms for all subcomponents of a label
173 * @label: label to check access permissions for
182 * For the label A//&B//&C this does the perm match for each of A and B and C
187 struct aa_label *label, bool stack,
200 label_for_each(i, label, tp) {
216 label_for_each_cont(i, label, tp) {
238 * label_match - do a multi-component label match
240 * @label: label to match (NOT NULL)
249 static int label_match(struct aa_profile *profile, struct aa_label *label,
256 error = label_compound_match(profile, label, stack, state, subns,
262 return label_components_match(profile, label, stack, state, subns,
271 * @target: label to transition to (NOT NULL)
279 * currently only matches full label A//&B//&C or individual components A, B, C
382 * Returns: label or NULL if no match found
400 if (profile->label.flags & FLAG_NULL &&
401 &profile->label == ns_unconfined(profile->ns))
496 return &candidate->label;
508 * @name: returns: name tested to find label (NOT NULL)
510 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
517 struct aa_label *label = NULL;
525 * index into the resultant label
527 for (*name = rules->file.trans.table[index]; !label && *name;
534 label = &new_profile->label;
537 label = aa_label_parse(&profile->label, *name, GFP_KERNEL,
539 if (IS_ERR(label))
540 label = NULL;
545 return label;
549 * x_to_label - get target label for a given xindex
556 * find label for a transition index
558 * Returns: refcounted label, or NULL if not found or not available
608 new = aa_get_newest_label(&profile->label);
652 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
655 new = aa_get_newest_label(&profile->label);
665 AA_DEBUG("unconfined attached to new label");
669 return aa_get_newest_label(&profile->label);
678 if (new && new->proxy == profile->label.proxy && info) {
698 new = &new_profile->label;
763 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
792 "variables for %s label=", xname);
808 struct aa_label *label,
818 AA_BUG(!label);
824 error = fn_for_each_in_ns(label, profile,
829 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
837 error = fn_for_each_in_ns(label, profile,
842 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
843 aa_label_merge(&profile->label, onexec,
854 error = fn_for_each_in_ns(label, profile,
859 "failed to build target label", -ENOMEM));
874 struct aa_label *label, *new = NULL;
893 label = aa_get_newest_label(cred_label(bprm->cred));
896 * Detect no new privs being set, and store the label it
902 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) &&
904 ctx->nnp = aa_get_label(label);
915 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token,
918 new = fn_label_build(label, profile, GFP_KERNEL,
941 !unconfined(label) &&
954 /* TODO: test needs to be profile of label to new */
963 "label=", bprm->filename);
970 if (label->proxy != new->proxy) {
974 "bits. %s label=", bprm->filename);
985 aa_put_label(label);
991 error = fn_for_each(label, profile,
1007 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
1045 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info,
1050 * complain mode allow by returning hat->label
1052 return &hat->label;
1057 * Returns: label for hat transition or ERR_PTR. Does not return NULL
1060 struct aa_label *label, const char *hats[],
1070 AA_BUG(!label);
1074 if (PROFILE_IS_HAT(labels_profile(label)))
1080 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1116 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1127 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1145 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1148 aa_get_label(&profile->label));
1150 info = "label build failed";
1179 struct aa_label *label, *previous, *new = NULL, *target = NULL;
1187 label = aa_get_newest_cred_label(subj_cred);
1191 * Detect no new privs being set, and store the label it
1197 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
1198 ctx->nnp = aa_get_label(label);
1200 if (unconfined(label)) {
1207 new = change_hat(subj_cred, label, hats, count, flags);
1216 /* target cred is the same as current except new label */
1225 if (task_no_new_privs(current) && !unconfined(label) &&
1246 if (task_no_new_privs(current) && !unconfined(label) &&
1254 /* Return to saved label. Kill task if restore fails
1269 aa_put_label(label);
1279 fn_for_each_in_ns(label, profile,
1327 struct aa_label *label, *new = NULL, *target = NULL;
1339 label = aa_get_current_label();
1342 * Detect no new privs being set, and store the label it
1348 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
1349 ctx->nnp = aa_get_label(label);
1352 aa_put_label(label);
1376 target = aa_label_parse(label, fqname, GFP_KERNEL, true, false);
1380 info = "label not found";
1388 !COMPLAIN_MODE(labels_profile(label)))
1391 tprofile = aa_new_learning_profile(labels_profile(label), false,
1398 target = &tprofile->label;
1410 error = fn_for_each_in_ns(label, profile,
1424 if (error && !fn_for_each_in_ns(label, profile,
1440 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1442 aa_get_label(&profile->label));
1447 if (task_no_new_privs(current) && !unconfined(label) &&
1459 new = aa_label_merge(label, target, GFP_KERNEL);
1461 info = "failed to build target label";
1482 error = fn_for_each_in_ns(label, profile,
1491 aa_put_label(label);