Lines Matching full:label

96 	struct aa_ruleset *rules = profile->label.rules[0];  in match_component()
113 * label_compound_match - find perms for full compound label
115 * @label: label to check access permissions for
124 * For the label A//&B//&C this does the perm match for A//&B//&C
129 struct aa_label *label, bool stack, in label_compound_match() argument
133 struct aa_ruleset *rules = profile->label.rules[0]; in label_compound_match()
139 label_for_each(i, label, tp) { in label_compound_match()
153 label_for_each_cont(i, label, tp) { in label_compound_match()
175 * label_components_match - find perms for all subcomponents of a label
177 * @label: label to check access permissions for
186 * For the label A//&B//&C this does the perm match for each of A and B and C
191 struct aa_label *label, bool stack, in label_components_match() argument
195 struct aa_ruleset *rules = profile->label.rules[0]; in label_components_match()
203 label_for_each(i, label, tp) { in label_components_match()
220 label_for_each_cont(i, label, tp) { in label_components_match()
243 * label_match - do a multi-component label match
245 * @label: label to match (NOT NULL)
254 static int label_match(struct aa_profile *profile, struct aa_label *label, in label_match() argument
261 error = label_compound_match(profile, label, stack, state, subns, in label_match()
267 return label_components_match(profile, label, stack, state, subns, in label_match()
276 * @target: label to transition to (NOT NULL)
285 * currently only matches full label A//&B//&C or individual components A, B, C
387 * Returns: label or NULL if no match found
405 if (profile->label.flags & FLAG_NULL && in find_attach()
406 &profile->label == ns_unconfined(profile->ns)) in find_attach()
500 return &candidate->label; in find_attach()
512 * @name: returns: name tested to find label (NOT NULL)
514 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
520 struct aa_ruleset *rules = profile->label.rules[0]; in x_table_lookup()
521 struct aa_label *label = NULL; in x_table_lookup() local
530 * index into the resultant label in x_table_lookup()
542 return &new->label; in x_table_lookup()
545 label = aa_label_parse(&profile->label, lookup, GFP_KERNEL, in x_table_lookup()
547 if (!IS_ERR_OR_NULL(label)) in x_table_lookup()
549 return label; in x_table_lookup()
556 * x_to_label - get target label for a given xindex
564 * find label for a transition index
566 * Returns: refcounted label, or NULL if not found or not available
623 new = aa_get_newest_label(&profile->label); in x_to_label()
665 struct aa_ruleset *rules = profile->label.rules[0]; in profile_transition()
682 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
685 new = aa_get_newest_label(&profile->label); in profile_transition()
711 AA_DEBUG(DEBUG_DOMAIN, "unconfined attached to new label"); in profile_transition()
715 return aa_get_newest_label(&profile->label); in profile_transition()
724 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
759 new = &new_profile->label; in profile_transition()
798 struct aa_ruleset *rules = profile->label.rules[0]; in profile_onexec()
823 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
851 dbg_printk("apparmor: setting AT_SECURE for %s label=", in profile_onexec()
868 struct aa_label *label, in handle_onexec() argument
878 AA_BUG(!label); in handle_onexec()
884 error = fn_for_each_in_ns(label, profile, in handle_onexec()
890 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in handle_onexec()
891 stack ? aa_label_merge(&profile->label, onexec, in handle_onexec()
900 error = fn_for_each_in_ns(label, profile, in handle_onexec()
905 "failed to build target label", -ENOMEM)); in handle_onexec()
920 struct aa_label *label, *new = NULL; in apparmor_bprm_creds_for_exec() local
939 label = aa_get_newest_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
942 * Detect no new privs being set, and store the label it in apparmor_bprm_creds_for_exec()
948 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) && in apparmor_bprm_creds_for_exec()
950 ctx->nnp = aa_get_label(label); in apparmor_bprm_creds_for_exec()
961 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token, in apparmor_bprm_creds_for_exec()
964 new = fn_label_build(label, profile, GFP_KERNEL, in apparmor_bprm_creds_for_exec()
987 !unconfined(label) && in apparmor_bprm_creds_for_exec()
1000 /* TODO: test needs to be profile of label to new */ in apparmor_bprm_creds_for_exec()
1008 dbg_printk("setting AT_SECURE for %s label=", in apparmor_bprm_creds_for_exec()
1016 if (label->proxy != new->proxy) { in apparmor_bprm_creds_for_exec()
1019 dbg_printk("apparmor: clearing unsafe personality bits. %s label=", in apparmor_bprm_creds_for_exec()
1031 aa_put_label(label); in apparmor_bprm_creds_for_exec()
1037 error = fn_for_each(label, profile, in apparmor_bprm_creds_for_exec()
1053 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
1091 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info, in build_change_hat()
1096 * complain mode allow by returning hat->label in build_change_hat()
1098 return &hat->label; in build_change_hat()
1103 * Returns: label for hat transition or ERR_PTR. Does not return NULL
1106 struct aa_label *label, const char *hats[], in change_hat() argument
1116 AA_BUG(!label); in change_hat()
1120 if (PROFILE_IS_HAT(labels_profile(label))) in change_hat()
1126 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1162 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1173 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1191 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in change_hat()
1194 aa_get_label(&profile->label)); in change_hat()
1196 info = "label build failed"; in change_hat()
1225 struct aa_label *label, *previous, *new = NULL, *target = NULL; in aa_change_hat() local
1233 label = aa_get_newest_cred_label(subj_cred); in aa_change_hat()
1237 * Detect no new privs being set, and store the label it in aa_change_hat()
1243 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_hat()
1244 ctx->nnp = aa_get_label(label); in aa_change_hat()
1249 if (unconfined(label)) { in aa_change_hat()
1254 label_for_each_in_ns(i, labels_ns(label), label, profile) { in aa_change_hat()
1267 new = change_hat(subj_cred, label, hats, count, flags); in aa_change_hat()
1276 /* target cred is the same as current except new label */ in aa_change_hat()
1285 if (task_no_new_privs(current) && !unconfined(label) && in aa_change_hat()
1307 if (task_no_new_privs(current) && !unconfined(label) && in aa_change_hat()
1316 /* Return to saved label. Kill task if restore fails in aa_change_hat()
1331 aa_put_label(label); in aa_change_hat()
1341 fn_for_each_in_ns(label, profile, in aa_change_hat()
1356 struct aa_ruleset *rules = profile->label.rules[0]; in change_profile_perms_wrapper()
1390 struct aa_label *label, *new = NULL, *target = NULL; in aa_change_profile() local
1402 label = aa_get_current_label(); in aa_change_profile()
1405 * Detect no new privs being set, and store the label it in aa_change_profile()
1411 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_profile()
1412 ctx->nnp = aa_get_label(label); in aa_change_profile()
1415 aa_put_label(label); in aa_change_profile()
1437 if (!stack && unconfined(label) && in aa_change_profile()
1438 label == &labels_ns(label)->unconfined->label && in aa_change_profile()
1449 (void) fn_for_each_in_ns(label, profile, in aa_change_profile()
1461 target = aa_label_parse(label, fqname, GFP_KERNEL, true, false); in aa_change_profile()
1465 info = "label not found"; in aa_change_profile()
1473 !COMPLAIN_MODE(labels_profile(label))) in aa_change_profile()
1476 tprofile = aa_new_learning_profile(labels_profile(label), false, in aa_change_profile()
1483 target = &tprofile->label; in aa_change_profile()
1495 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1509 if (error && !fn_for_each_in_ns(label, profile, in aa_change_profile()
1525 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in aa_change_profile()
1527 aa_get_label(&profile->label)); in aa_change_profile()
1532 if (task_no_new_privs(current) && !unconfined(label) && in aa_change_profile()
1545 new = aa_label_merge(label, target, GFP_KERNEL); in aa_change_profile()
1547 info = "failed to build target label"; in aa_change_profile()
1568 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1577 aa_put_label(label); in aa_change_profile()