Lines Matching refs:access
144 /* All access rights that can be tied to files. */
154 * All access rights that are denied by default whether they are handled or not
156 * entries when we need to get the absolute handled access masks.
173 /* Files only get access rights that make sense. */
180 /* Transforms relative access rights to absolute ones. */
225 * @layer_masks is read and may be updated according to the access request and
244 * An access is granted if, for each policy layer, at least one rule
245 * encountered on the pathwalk grants the requested access,
262 * Records in @layer_masks which layer grants access to each
263 * requested access.
268 if (layer->access & BIT_ULL(access_bit))
279 * Allows access to pseudo filesystems that will never be mountable (e.g.
302 * init_layer_masks - Initialize layer masks from an access request
304 * Populates @layer_masks such that for each access right in @access_request,
305 * the bits for all the layers are set where this access right is handled.
308 * @access_request: The requested access rights to check.
311 * Returns: An access mask where each access right bit is set which is handled
323 /* An empty access request can happen because of O_WRONLY | O_RDWR. */
336 * access rights.
375 * superset of the source ones (i.e. inherited access
424 * Returns true if there is at least one access right different than
456 * @layer_masks_parent1: Pointer to a matrix of layer masks per access
457 * masks, identifying the layers that forbid a specific access. Bits from
482 * - true if the access request is granted;
602 /* Stops when a rule from each layer grants access. */
613 * Stops at the real root. Denies access
614 * because not all layers have granted access.
622 * access to internal filesystems (e.g. nsfs, which is
714 * - true if all the domain access rights are allowed for @dir;
770 * (and not only inodes) to tie access rights to files. Being able to link or
776 * To avoid trivial access right bypasses, Landlock first checks if the file or
777 * directory requested to be moved would gain new access rights inherited from
783 * access rights would be greater than the source access rights, then the
793 * The kernel walks through these paths and collects in a matrix the access
801 * required to rely on potentially four matrices of access rights: one for the
809 * - 0 if access is allowed;
810 * - -EXDEV if @old_dentry would inherit new access rights from @new_dir;
850 * The LANDLOCK_ACCESS_FS_REFER access right is not required
881 * To be able to compare source and destination domain access rights,
882 * take into account the @old_dentry access rights aggregated with its
883 * parent access rights. This will be useful to compare with the
884 * destination parent access rights.
1033 * topology (i.e. the mount namespace), changing it may grant access to files
1039 * access-control security policy.
1068 * may then grant access to files, which may have previously been forbidden.
1166 * get_required_file_open_access - Get access needed to open a file
1170 * Returns the access rights that are required for opening the given file,
1176 access_mask_t access = 0;
1182 access = LANDLOCK_ACCESS_FS_READ_FILE;
1185 access |= LANDLOCK_ACCESS_FS_WRITE_FILE;
1188 access |= LANDLOCK_ACCESS_FS_EXECUTE;
1189 return access;
1195 * Grants all access rights, even if most of them are not checked later
1225 * We look up more access than what we immediately need for open(), so
1240 * Calculate the actual allowed access rights from layer_masks.
1241 * Add each access right to allowed_access which has not been
1254 * access rights at the time of open() which decide whether the
1256 * file access rights in the opened struct file.
1270 * opening the file, to get a consistent access check as for read, write
1273 * Note: For checks done based on the file's Landlock allowed access, we