/kernel/linux/linux-6.6/security/apparmor/ |
H A D | policy_compat.c | 51 * map old dfa inline permissions to new format 53 #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \ 54 ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) 55 #define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f) 56 #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f) 57 #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[stat 100 compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa, aa_state_t state) compute_fperms_allow() argument 112 compute_fperms_user(struct aa_dfa *dfa, aa_state_t state) compute_fperms_user() argument 127 compute_fperms_other(struct aa_dfa *dfa, aa_state_t state) compute_fperms_other() argument 149 compute_fperms(struct aa_dfa *dfa, u32 *size) compute_fperms() argument 209 compute_perms_entry(struct aa_dfa *dfa, aa_state_t state, u32 version) compute_perms_entry() argument 248 compute_perms(struct aa_dfa *dfa, u32 version, u32 *size) compute_perms() argument 281 remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor) remap_dfa_accept() argument [all...] |
H A D | match.c | 5 * This file contains AppArmor dfa based regular expression matching engine 69 * unpack_table - unpack a dfa table (one of accept, default, base, next check) 139 * @tables - array of dfa tables to check (NOT NULL) 142 * Assumes dfa has gone through the first pass verification done by unpacking 190 * @dfa: dfa to test (NOT NULL) 192 * Assumes dfa has gone through the first pass verification done by unpacking 197 static int verify_dfa(struct aa_dfa *dfa) in verify_dfa() argument 202 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; in verify_dfa() 203 trans_count = dfa in verify_dfa() 271 dfa_free(struct aa_dfa *dfa) dfa_free() argument 290 struct aa_dfa *dfa = container_of(kref, struct aa_dfa, count); aa_dfa_free_kref() local 312 struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL); aa_dfa_unpack() local 439 aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start, const char *str, int len) aa_dfa_match_len() argument 479 aa_dfa_match(struct aa_dfa *dfa, aa_state_t start, const char *str) aa_dfa_match() argument 517 aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c) aa_dfa_next() argument 535 aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state) aa_dfa_outofband_transition() argument 565 aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start, const char *str, const char **retpos) aa_dfa_match_until() argument 626 aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start, const char *str, int n, const char **retpos) aa_dfa_matchn_until() argument 701 leftmatch_fb(struct aa_dfa *dfa, aa_state_t start, const char *str, struct match_workbuf *wb, unsigned int *count) leftmatch_fb() argument 782 aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start, const char *str, unsigned int *count) aa_dfa_leftmatch() argument [all...] |
H A D | mount.c | 187 * @dfa: dfa to match against 197 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, in match_mnt_flags() argument 204 state = aa_dfa_next(dfa, state, i + 1); in match_mnt_flags() 232 AA_BUG(!policy->dfa); in do_match_mnt() 236 state = aa_dfa_match(policy->dfa, start, mntpnt); in do_match_mnt() 237 state = aa_dfa_null_transition(policy->dfa, state); in do_match_mnt() 242 state = aa_dfa_match(policy->dfa, state, devname); in do_match_mnt() 243 state = aa_dfa_null_transition(policy->dfa, state); in do_match_mnt() 248 state = aa_dfa_match(policy->dfa, stat in do_match_mnt() [all...] |
H A D | policy_unpack.c | 418 * unpack_dfa - unpack a file rule dfa 420 * @flags: dfa flags to check 422 * returns dfa or ERR_PTR or NULL if no dfa 428 struct aa_dfa *dfa = NULL; in unpack_dfa() local 433 * The dfa is aligned with in the blob to 8 bytes in unpack_dfa() 435 * alignment adjust needed by dfa unpack in unpack_dfa() 442 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); in unpack_dfa() 444 if (IS_ERR(dfa)) in unpack_dfa() 445 return dfa; in unpack_dfa() 1180 verify_dfa_accept_index(struct aa_dfa *dfa, int table_size) verify_dfa_accept_index() argument [all...] |
H A D | domain.c | 77 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging 80 * and policy.dfa with file.dfa 96 state = aa_dfa_match(rules->file.dfa, state, "&"); in match_component() 98 return aa_dfa_match(rules->file.dfa, state, tp->base.hname); in match_component() 102 state = aa_dfa_match_len(rules->file.dfa, state, ":", 1); in match_component() 103 state = aa_dfa_match(rules->file.dfa, state, ns_name); in match_component() 104 state = aa_dfa_match_len(rules->file.dfa, state, ":", 1); in match_component() 105 return aa_dfa_match(rules->file.dfa, state, tp->base.hname); in match_component() 153 state = aa_dfa_match(rules->file.dfa, stat in label_compound_match() [all...] |
H A D | ipc.c | 95 state = aa_dfa_next(rules->policy.dfa, in profile_signal_perm()
H A D | file.c | 184 * aa_lookup_fperms - convert dfa compressed perms to internal perms 185 * @dfa: dfa to lookup perms for (NOT NULL) 186 * @state: state in dfa 189 * TODO: convert from dfa + state to permission entry 196 unsigned int index = ACCEPT_TABLE(file_rules->dfa)[state]; in aa_lookup_fperms() 209 * @dfa: to match against (MAYBE NULL) 211 * @name: string to match against dfa (NOT NULL) 215 * Returns: the final state in @dfa when beginning @start and walking @name 222 state = aa_dfa_match(file_rules->dfa, star in aa_str_perms() [all...] |
/kernel/linux/linux-5.10/security/apparmor/ |
H A D | match.c | 5 * This file contains AppArmor dfa based regular expression matching engine 69 * unpack_table - unpack a dfa table (one of accept, default, base, next check) 139 * @tables - array of dfa tables to check (NOT NULL) 142 * Assumes dfa has gone through the first pass verification done by unpacking 190 * @dfa: dfa to test (NOT NULL) 192 * Assumes dfa has gone through the first pass verification done by unpacking 197 static int verify_dfa(struct aa_dfa *dfa) in verify_dfa() argument 202 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; in verify_dfa() 203 trans_count = dfa in verify_dfa() 271 dfa_free(struct aa_dfa *dfa) dfa_free() argument 290 struct aa_dfa *dfa = container_of(kref, struct aa_dfa, count); aa_dfa_free_kref() local 312 struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL); aa_dfa_unpack() local 439 aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start, const char *str, int len) aa_dfa_match_len() argument 479 aa_dfa_match(struct aa_dfa *dfa, unsigned int start, const char *str) aa_dfa_match() argument 518 aa_dfa_next(struct aa_dfa *dfa, unsigned int state, const char c) aa_dfa_next() argument 537 aa_dfa_outofband_transition(struct aa_dfa *dfa, unsigned int state) aa_dfa_outofband_transition() argument 567 aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start, const char *str, const char **retpos) aa_dfa_match_until() argument 628 aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start, const char *str, int n, const char **retpos) aa_dfa_matchn_until() argument 703 leftmatch_fb(struct aa_dfa *dfa, unsigned int start, const char *str, struct match_workbuf *wb, unsigned int *count) leftmatch_fb() argument 784 aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start, const char *str, unsigned int *count) aa_dfa_leftmatch() argument [all...] |
H A D | mount.c | 183 * @dfa: dfa to match against 193 static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state, in match_mnt_flags() argument 200 state = aa_dfa_next(dfa, state, i + 1); in match_mnt_flags() 208 * @dfa: dfa to match against (NOT NULL) 213 static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa, in compute_mnt_perms() argument 217 .allow = dfa_user_allow(dfa, state), in compute_mnt_perms() 218 .audit = dfa_user_audit(dfa, state), in compute_mnt_perms() 219 .quiet = dfa_user_quiet(dfa, stat in compute_mnt_perms() 240 do_match_mnt(struct aa_dfa *dfa, unsigned int start, const char *mntpnt, const char *devname, const char *type, unsigned long flags, void *data, bool binary, struct aa_perms *perms) do_match_mnt() argument [all...] |
H A D | file.c | 203 * aa_compute_fperms - convert dfa compressed perms to internal perms 204 * @dfa: dfa to compute perms for (NOT NULL) 205 * @state: state in dfa 208 * TODO: convert from dfa + state to permission entry, do computation conversion 213 struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state, in aa_compute_fperms() argument 216 /* FIXME: change over to new dfa format in aa_compute_fperms() 217 * currently file perms are encoded in the dfa, new format in aa_compute_fperms() 218 * splits the permissions from the dfa. This mapping can be in aa_compute_fperms() 224 perms.allow = map_old_perms(dfa_user_allow(dfa, stat in aa_compute_fperms() 255 aa_str_perms(struct aa_dfa *dfa, unsigned int start, const char *name, struct path_cond *cond, struct aa_perms *perms) aa_str_perms() argument [all...] |
H A D | policy_unpack.c | 437 * unpack_dfa - unpack a file rule dfa 440 * returns dfa or ERR_PTR or NULL if no dfa 446 struct aa_dfa *dfa = NULL; in unpack_dfa() local 451 * The dfa is aligned with in the blob to 8 bytes in unpack_dfa() 453 * alignment adjust needed by dfa unpack in unpack_dfa() 460 dfa = aa_dfa_unpack(blob + pad, size - pad, flags); in unpack_dfa() 462 if (IS_ERR(dfa)) in unpack_dfa() 463 return dfa; in unpack_dfa() 467 return dfa; in unpack_dfa() 1013 verify_dfa_xindex(struct aa_dfa *dfa, int table_size) verify_dfa_xindex() argument [all...] |
H A D | lib.c | 325 void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, in aa_compute_perms() argument 329 .allow = dfa_user_allow(dfa, state), in aa_compute_perms() 330 .audit = dfa_user_audit(dfa, state), in aa_compute_perms() 331 .quiet = dfa_user_quiet(dfa, state), in aa_compute_perms() 337 perms->allow |= map_other(dfa_other_allow(dfa, state)); in aa_compute_perms() 338 perms->audit |= map_other(dfa_other_audit(dfa, state)); in aa_compute_perms() 339 perms->quiet |= map_other(dfa_other_quiet(dfa, state)); in aa_compute_perms() 340 // perms->xindex = dfa_user_xindex(dfa, state); in aa_compute_perms() 387 state = aa_dfa_next(profile->policy.dfa, in aa_profile_match_label()
H A D | domain.c | 87 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging 90 * and policy.dfa with file.dfa 104 state = aa_dfa_match(profile->file.dfa, state, "&"); in match_component() 106 return aa_dfa_match(profile->file.dfa, state, tp->base.hname); in match_component() 110 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1); in match_component() 111 state = aa_dfa_match(profile->file.dfa, state, ns_name); in match_component() 112 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1); in match_component() 113 return aa_dfa_match(profile->file.dfa, state, tp->base.hname); in match_component() 159 state = aa_dfa_match(profile->file.dfa, stat in label_compound_match() [all...] |
H A D | net.c | 126 state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer, in aa_profile_af_perm() 128 aa_compute_perms(profile->policy.dfa, state, &perms); in aa_profile_af_perm()
H A D | apparmorfs.c | 612 struct aa_dfa *dfa; in profile_query_cb() local 617 if (profile->file.dfa && *match_str == AA_CLASS_FILE) { in profile_query_cb() 618 dfa = profile->file.dfa; in profile_query_cb() 619 state = aa_dfa_match_len(dfa, profile->file.start, in profile_query_cb() 624 tmp = aa_compute_fperms(dfa, state, &cond); in profile_query_cb() 626 } else if (profile->policy.dfa) { in profile_query_cb() 629 dfa = profile->policy.dfa; in profile_query_cb() 630 state = aa_dfa_match_len(dfa, profil in profile_query_cb() [all...] |
H A D | policy_ns.c | 111 ns->unconfined->file.dfa = aa_get_dfa(nulldfa); in alloc_ns() 112 ns->unconfined->policy.dfa = aa_get_dfa(nulldfa); in alloc_ns()
H A D | label.c | 1276 return aa_dfa_match(profile->policy.dfa, state, tp->base.hname); in match_component() 1280 state = aa_dfa_match_len(profile->policy.dfa, state, ":", 1); in match_component() 1281 state = aa_dfa_match(profile->policy.dfa, state, ns_name); in match_component() 1282 state = aa_dfa_match_len(profile->policy.dfa, state, ":", 1); in match_component() 1283 return aa_dfa_match(profile->policy.dfa, state, tp->base.hname); in match_component() 1327 state = aa_dfa_match(profile->policy.dfa, state, "//&"); in label_compound_match() 1332 aa_compute_perms(profile->policy.dfa, state, perms); in label_compound_match() 1383 aa_compute_perms(profile->policy.dfa, state, &tmp); in label_components_match() 1392 aa_compute_perms(profile->policy.dfa, state, &tmp); in label_components_match()
/kernel/linux/linux-5.10/security/apparmor/include/ |
H A D | file.h | 111 /* FIXME: split perms from dfa and match this to description 141 * map old dfa inline permissions to new format 143 #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \ 144 ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) 145 #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f) 146 #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f) 147 #define dfa_user_xindex(dfa, stat 177 struct aa_dfa *dfa; global() member [all...] |
H A D | match.h | 5 * This file contains AppArmor policy dfa matching engine definitions. 30 * The data in the packed dfa is stored in network byte order, and the tables 34 * The dfa begins with a table set header, and is followed by the actual 129 unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start, 131 unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start, 133 unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state, 135 unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa, 137 unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start, 139 unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start, 159 unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigne 169 aa_get_dfa(struct aa_dfa *dfa) aa_get_dfa() argument 183 aa_put_dfa(struct aa_dfa *dfa) aa_put_dfa() argument [all...] |
H A D | policy.h | 70 * dfa: dfa pattern match 75 struct aa_dfa *dfa; member 222 return aa_dfa_match_len(profile->policy.dfa, in PROFILE_MEDIATES() 233 return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2); in PROFILE_MEDIATES_AF()
H A D | lib.h | 78 * @dfa: the dfa to match against 79 * @start: the state of the dfa to start matching in 85 static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa, in aa_dfa_null_transition() argument 89 return aa_dfa_next(dfa, start, 0); in aa_dfa_null_transition()
H A D | perms.h | 144 void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
/kernel/linux/linux-6.6/security/apparmor/include/ |
H A D | match.h | 5 * This file contains AppArmor policy dfa matching engine definitions. 30 * The data in the packed dfa is stored in network byte order, and the tables 34 * The dfa begins with a table set header, and is followed by the actual 131 aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start, 133 aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start, 135 aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c); 136 aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state); 137 aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start, 139 aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start, 159 aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_ 169 aa_get_dfa(struct aa_dfa *dfa) aa_get_dfa() argument 183 aa_put_dfa(struct aa_dfa *dfa) aa_put_dfa() argument [all...] |
H A D | policy.h | 77 * dfa: dfa pattern match 83 struct aa_dfa *dfa; member 94 aa_put_dfa(policy->dfa); in aa_destroy_policydb() 104 unsigned int index = ACCEPT_TABLE(policy->dfa)[state]; in aa_lookup_perms() 281 return aa_dfa_match_len(rules->policy.dfa, in RULE_MEDIATES() 292 return aa_dfa_match_len(rules->policy.dfa, state, (char *) &be_af, 2); in RULE_MEDIATES_AF()
H A D | lib.h | 83 * @dfa: the dfa to match against 84 * @start: the state of the dfa to start matching in 90 static inline aa_state_t aa_dfa_null_transition(struct aa_dfa *dfa, in aa_dfa_null_transition() argument 94 return aa_dfa_next(dfa, start, 0); in aa_dfa_null_transition()