xref: /kernel/linux/linux-6.6/security/apparmor/policy.c

102  * __add_profile - add a profiles to list and label tree
122 	l = aa_label_insert(&profile->ns->labels, &profile->label);
123 	AA_BUG(l != &profile->label);
164 	aa_label_remove(&profile->label);
216 		kfree_sensitive(rules->secmark[i].label);
281 	aa_label_destroy(&profile->label);
301 	profile = kzalloc(struct_size(profile, label.vec, 2), gfp);
307 	if (!aa_label_init(&profile->label, 1, gfp))
320 		proxy = aa_alloc_proxy(&profile->label, gfp);
325 	profile->label.proxy = proxy;
327 	profile->label.hname = profile->base.hname;
328 	profile->label.flags |= FLAG_PROFILE;
329 	profile->label.vec[0] = profile;
591 	profile->label.flags |= FLAG_NULL;
675 		profile->label.flags |= FLAG_HAT;
711 		if (profile->label.flags & FLAG_IMMUTIBLE) {
736  * @subj_label: label to check if it can manage policy
766 			     struct aa_label *label,
774 		err = aa_capable(subj_cred, label, cap, CAP_OPT_NONE);
782  * @label: label that is trying to view policy in ns
783  * @ns: namespace being viewed by @label (may be NULL if @label's ns)
791 			     struct aa_label *label, struct aa_ns *ns)
794 	struct aa_ns *view_ns = labels_view(label);
811 			     struct aa_label *label, struct aa_ns *ns)
814 	bool capable = policy_ns_capable(subj_cred, label, user_ns,
820 	return aa_policy_view_capable(subj_cred, label, ns) && capable &&
826 	struct aa_label *label;
829 	label = __begin_current_label_crit_section();
830 	res = aa_policy_view_capable(current_cred(), label, ns);
831 	__end_current_label_crit_section(label);
838 	struct aa_label *label;
841 	label = __begin_current_label_crit_section();
842 	res = aa_policy_admin_capable(current_cred(), label, ns);
843 	__end_current_label_crit_section(label);
851  * @label: label to check if it can manage policy
852  * @ns: namespace being managed by @label (may be NULL if @label's ns)
857 int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label,
871 		return audit_policy(label, op, NULL, NULL, "policy_locked",
874 	if (!aa_policy_admin_capable(subj_cred, label, ns))
875 		return audit_policy(label, op, NULL, NULL, "not policy admin",
950 	aa_label_replace(&old->label, &new->label);
951 	/* migrate dents must come after label replacement b/c update */
995 	new->label.hname = old->label.hname;
1022  * @label: label that is attempting to load/replace policy
1033 ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
1076 		ns = aa_prepare_ns(policy_ns ? policy_ns : labels_ns(label),
1087 		ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(label));
1206 			audit_policy(label, op, ns_name, ent->new->base.hname,
1210 			aa_put_proxy(ent->new->label.proxy);
1211 			ent->new->label.proxy = NULL;
1219 		audit_policy(label, op, ns_name, ent->new->base.hname, NULL,
1258 	  audit_policy(label, op, ns_name, ent ? ent->new->base.hname : NULL,
1269 		audit_policy(label, op, ns_name, tmp->new->base.hname, info,
1283  * @subj: label attempting to remove policy

Indexes created Thu Nov 07 10:32:03 CST 2024