Lines Matching +full:p +full:- +full:state
1 // SPDX-License-Identifier: GPL-2.0-only
30 return &u->sk; in aa_unix_sk()
43 /* if !u->path.dentry socket is being shutdown - implicit delegation in unix_fs_perm()
46 if (path->dentry) { in unix_fs_perm()
48 struct inode *inode = path->dentry->d_inode; in unix_fs_perm()
49 vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(path->mnt), inode); in unix_fs_perm()
52 .mode = inode->i_mode, in unix_fs_perm()
69 static aa_state_t match_addr(struct aa_dfa *dfa, aa_state_t state, in match_addr() argument
74 state = aa_dfa_match_len(dfa, state, addr->sun_path, in match_addr()
77 state = aa_dfa_match_len(dfa, state, ANONYMOUS_ADDR, 1); in match_addr()
79 state = aa_dfa_null_transition(dfa, state); in match_addr()
81 return state; in match_addr()
85 aa_state_t state, u32 request, in match_to_local() argument
88 struct aa_perms **p, in match_to_local() argument
91 state = aa_match_to_prot(policy, state, request, PF_UNIX, type, in match_to_local()
93 if (state) { in match_to_local()
94 state = match_addr(policy->dfa, state, addr, addrlen); in match_to_local()
95 if (state) { in match_to_local()
97 state = aa_dfa_null_transition(policy->dfa, state); in match_to_local()
98 if (!state) in match_to_local()
105 return state; in match_to_local()
113 addr = smp_load_acquire(&u->addr); in aa_sunaddr()
115 *addrlen = addr->len; in aa_sunaddr()
116 return addr->name; in aa_sunaddr()
123 aa_state_t state, u32 request, in match_to_sk() argument
124 struct unix_sock *u, struct aa_perms **p, in match_to_sk() argument
130 return match_to_local(policy, state, request, u->sk.sk_type, in match_to_sk()
131 u->sk.sk_protocol, addr, addrlen, p, info); in match_to_sk()
138 static aa_state_t match_to_cmd(struct aa_policydb *policy, aa_state_t state, in match_to_cmd() argument
140 char cmd, struct aa_perms **p, in match_to_cmd() argument
143 AA_BUG(!p); in match_to_cmd()
145 state = match_to_sk(policy, state, request, u, p, info); in match_to_cmd()
146 if (state && !*p) { in match_to_cmd()
147 state = aa_dfa_match_len(policy->dfa, state, &cmd, 1); in match_to_cmd()
148 if (!state) in match_to_cmd()
152 return state; in match_to_cmd()
155 static aa_state_t match_to_peer(struct aa_policydb *policy, aa_state_t state, in match_to_peer() argument
158 struct aa_perms **p, const char **info) in match_to_peer() argument
160 AA_BUG(!p); in match_to_peer()
162 state = match_to_cmd(policy, state, request, u, CMD_ADDR, p, info); in match_to_peer()
163 if (state && !*p) { in match_to_peer()
164 state = match_addr(policy->dfa, state, peer_addr, peer_addrlen); in match_to_peer()
165 if (!state) in match_to_peer()
169 return state; in match_to_peer()
173 struct aa_ruleset *rule, aa_state_t state, in match_label() argument
175 struct aa_perms *p, in match_label() argument
181 ad->peer = &peer->label; in match_label()
183 if (state && !p) { in match_label()
184 state = aa_dfa_match(rule->policy->dfa, state, in match_label()
185 peer->base.hname); in match_label()
186 if (!state) in match_label()
187 ad->info = "failed peer label match"; in match_label()
191 return aa_do_perms(profile, rule->policy, state, request, p, ad); in match_label()
197 * v6 - semantics are handled by mapping in profile load
198 * v7 - semantics require sock create for tasks creating an fs socket.
199 * v8 - same as v7
205 struct aa_ruleset *rules = profile->label.rules[0]; in profile_create_perm()
206 aa_state_t state; in profile_create_perm() local
211 state = RULE_MEDIATES_v9NET(rules); in profile_create_perm()
212 if (state) { in profile_create_perm()
213 state = aa_match_to_prot(rules->policy, state, AA_MAY_CREATE, in profile_create_perm()
215 &ad->info); in profile_create_perm()
217 return aa_do_perms(profile, rules->policy, state, AA_MAY_CREATE, in profile_create_perm()
229 struct aa_ruleset *rules = profile->label.rules[0]; in profile_sk_perm()
230 struct aa_perms *p = NULL; in profile_sk_perm() local
231 aa_state_t state; in profile_sk_perm() local
237 state = RULE_MEDIATES_v9NET(rules); in profile_sk_perm()
238 if (state) { in profile_sk_perm()
240 return unix_fs_perm(ad->op, request, ad->subj_cred, in profile_sk_perm()
241 &profile->label, in profile_sk_perm()
242 &unix_sk(sk)->path); in profile_sk_perm()
244 state = match_to_sk(rules->policy, state, request, unix_sk(sk), in profile_sk_perm()
245 &p, &ad->info); in profile_sk_perm()
247 return aa_do_perms(profile, rules->policy, state, request, p, in profile_sk_perm()
257 struct aa_ruleset *rules = profile->label.rules[0]; in profile_bind_perm()
258 struct aa_perms *p = NULL; in profile_bind_perm() local
259 aa_state_t state; in profile_bind_perm() local
266 state = RULE_MEDIATES_v9NET(rules); in profile_bind_perm()
267 if (state) { in profile_bind_perm()
268 if (is_unix_addr_fs(ad->net.addr, ad->net.addrlen)) in profile_bind_perm()
269 /* under v7-9 fs hook handles bind */ in profile_bind_perm()
272 state = match_to_local(rules->policy, state, AA_MAY_BIND, in profile_bind_perm()
273 sk->sk_type, sk->sk_protocol, in profile_bind_perm()
274 unix_addr(ad->net.addr), in profile_bind_perm()
275 ad->net.addrlen, in profile_bind_perm()
276 &p, &ad->info); in profile_bind_perm()
278 return aa_do_perms(profile, rules->policy, state, AA_MAY_BIND, in profile_bind_perm()
279 p, ad); in profile_bind_perm()
288 struct aa_ruleset *rules = profile->label.rules[0]; in profile_listen_perm()
289 struct aa_perms *p = NULL; in profile_listen_perm() local
290 aa_state_t state; in profile_listen_perm() local
297 state = RULE_MEDIATES_v9NET(rules); in profile_listen_perm()
298 if (state) { in profile_listen_perm()
302 return unix_fs_perm(ad->op, AA_MAY_LISTEN, in profile_listen_perm()
303 ad->subj_cred, &profile->label, in profile_listen_perm()
304 &unix_sk(sk)->path); in profile_listen_perm()
306 state = match_to_cmd(rules->policy, state, AA_MAY_LISTEN, in profile_listen_perm()
307 unix_sk(sk), CMD_LISTEN, &p, &ad->info); in profile_listen_perm()
308 if (state && !p) { in profile_listen_perm()
309 state = aa_dfa_match_len(rules->policy->dfa, state, in profile_listen_perm()
311 if (!state) in profile_listen_perm()
312 ad->info = "failed listen backlog match"; in profile_listen_perm()
314 return aa_do_perms(profile, rules->policy, state, AA_MAY_LISTEN, in profile_listen_perm()
315 p, ad); in profile_listen_perm()
325 struct aa_ruleset *rules = profile->label.rules[0]; in profile_accept_perm()
326 struct aa_perms *p = NULL; in profile_accept_perm() local
327 aa_state_t state; in profile_accept_perm() local
334 state = RULE_MEDIATES_v9NET(rules); in profile_accept_perm()
335 if (state) { in profile_accept_perm()
337 return unix_fs_perm(ad->op, AA_MAY_ACCEPT, in profile_accept_perm()
338 ad->subj_cred, &profile->label, in profile_accept_perm()
339 &unix_sk(sk)->path); in profile_accept_perm()
341 state = match_to_sk(rules->policy, state, AA_MAY_ACCEPT, in profile_accept_perm()
342 unix_sk(sk), &p, &ad->info); in profile_accept_perm()
344 return aa_do_perms(profile, rules->policy, state, AA_MAY_ACCEPT, in profile_accept_perm()
345 p, ad); in profile_accept_perm()
355 struct aa_ruleset *rules = profile->label.rules[0]; in profile_opt_perm()
356 struct aa_perms *p = NULL; in profile_opt_perm() local
357 aa_state_t state; in profile_opt_perm() local
364 state = RULE_MEDIATES_v9NET(rules); in profile_opt_perm()
365 if (state) { in profile_opt_perm()
368 return unix_fs_perm(ad->op, request, in profile_opt_perm()
369 ad->subj_cred, &profile->label, in profile_opt_perm()
370 &unix_sk(sk)->path); in profile_opt_perm()
372 state = match_to_cmd(rules->policy, state, request, unix_sk(sk), in profile_opt_perm()
373 CMD_OPT, &p, &ad->info); in profile_opt_perm()
374 if (state && !p) { in profile_opt_perm()
375 state = aa_dfa_match_len(rules->policy->dfa, state, in profile_opt_perm()
377 if (!state) in profile_opt_perm()
378 ad->info = "failed sockopt match"; in profile_opt_perm()
380 return aa_do_perms(profile, rules->policy, state, request, p, in profile_opt_perm()
395 struct aa_ruleset *rules = profile->label.rules[0]; in profile_peer_perm()
396 struct aa_perms *p = NULL; in profile_peer_perm() local
397 aa_state_t state; in profile_peer_perm() local
405 state = RULE_MEDIATES_v9NET(rules); in profile_peer_perm()
406 if (state) { in profile_peer_perm()
410 return unix_fs_perm(ad->op, request, ad->subj_cred, in profile_peer_perm()
411 &profile->label, peer_path); in profile_peer_perm()
413 return unix_fs_perm(ad->op, request, ad->subj_cred, in profile_peer_perm()
414 &profile->label, path); in profile_peer_perm()
415 state = match_to_peer(rules->policy, state, request, in profile_peer_perm()
417 peer_addr, peer_addrlen, &p, &ad->info); in profile_peer_perm()
420 match_label(profile, rules, state, request, in profile_peer_perm()
421 peerp, p, ad)); in profile_peer_perm()
427 /* -------------------------------- */
469 request, sock->sk, in aa_unix_sock_perm()
470 is_unix_fs(sock->sk) ? &unix_sk(sock->sk)->path : NULL); in aa_unix_sock_perm()
483 return -EINVAL; in valid_addr()
501 DEFINE_AUDIT_SK(ad, OP_BIND, current_cred(), sock->sk); in aa_unix_bind_perm()
507 profile_bind_perm(profile, sock->sk, &ad)); in aa_unix_bind_perm()
516 * - unix_stream_connect (stream) and unix_may_send hooks (dgram)
517 * - fs connect is handled by open
535 DEFINE_AUDIT_SK(ad, OP_LISTEN, current_cred(), sock->sk); in aa_unix_listen_perm()
538 profile_listen_perm(profile, sock->sk, in aa_unix_listen_perm()
556 DEFINE_AUDIT_SK(ad, OP_ACCEPT, current_cred(), sock->sk); in aa_unix_accept_perm()
559 profile_accept_perm(profile, sock->sk, &ad)); in aa_unix_accept_perm()
589 DEFINE_AUDIT_SK(ad, op, current_cred(), sock->sk); in aa_unix_opt_perm()
592 profile_opt_perm(profile, request, sock->sk, in aa_unix_opt_perm()
639 is_unix_fs(sk) ? &u->path : NULL, in aa_unix_peer_perm()
641 is_unix_fs(peer_sk) ? &peeru->path : NULL, in aa_unix_peer_perm()
655 (plabel != rcu_access_pointer(ctx->peer_lastupdate) || in update_sk_ctx()
656 !aa_label_is_subset(plabel, rcu_dereference(ctx->peer)))) || in update_sk_ctx()
657 !__aa_subj_label_is_cached(label, rcu_dereference(ctx->label)); in update_sk_ctx()
662 spin_lock(&unix_sk(sk)->lock); in update_sk_ctx()
663 old = rcu_dereference_protected(ctx->label, in update_sk_ctx()
664 lockdep_is_held(&unix_sk(sk)->lock)); in update_sk_ctx()
668 rcu_assign_pointer(ctx->label, l); in update_sk_ctx()
673 if (plabel && rcu_access_pointer(ctx->peer_lastupdate) != plabel) { in update_sk_ctx()
674 old = rcu_dereference_protected(ctx->peer, lockdep_is_held(&unix_sk(sk)->lock)); in update_sk_ctx()
677 rcu_assign_pointer(ctx->peer_lastupdate, plabel); in update_sk_ctx()
679 rcu_assign_pointer(ctx->peer_lastupdate, plabel); in update_sk_ctx()
680 rcu_assign_pointer(ctx->peer, aa_get_label(plabel)); in update_sk_ctx()
682 } /* else race or a subset - don't update */ in update_sk_ctx()
684 spin_unlock(&unix_sk(sk)->lock); in update_sk_ctx()
692 spin_lock(&unix_sk(sk)->lock); in update_peer_ctx()
693 old = rcu_dereference_protected(ctx->peer, in update_peer_ctx()
694 lockdep_is_held(&unix_sk(sk)->lock)); in update_peer_ctx()
698 rcu_assign_pointer(ctx->peer, l); in update_peer_ctx()
703 spin_unlock(&unix_sk(sk)->lock); in update_peer_ctx()
712 struct socket *sock = (struct socket *) file->private_data; in aa_unix_file_perm()
724 AA_BUG(!sock->sk); in aa_unix_file_perm()
725 AA_BUG(sock->sk->sk_family != PF_UNIX); in aa_unix_file_perm()
731 unix_state_lock(sock->sk); in aa_unix_file_perm()
732 peer_sk = unix_peer(sock->sk); in aa_unix_file_perm()
736 is_sk_fs = is_unix_fs(sock->sk); in aa_unix_file_perm()
737 addr = aa_sunaddr(unix_sk(sock->sk), &addrlen); in aa_unix_file_perm()
738 path = unix_sk(sock->sk)->path; in aa_unix_file_perm()
739 unix_state_unlock(sock->sk); in aa_unix_file_perm()
745 sk_req, sock->sk, in aa_unix_file_perm()
755 peer_path = unix_sk(peer_sk)->path; in aa_unix_file_perm()
765 plabel = aa_get_label_rcu(&pctx->label); in aa_unix_file_perm()
772 MAY_READ | MAY_WRITE, sock->sk, in aa_unix_file_perm()
778 unix_peer_perm(file->f_cred, plabel, op, in aa_unix_file_perm()
794 update_sk_ctx(sock->sk, label, plabel); in aa_unix_file_perm()