Lines Matching full:new
44 * to trace the new domain
460 * The new match isn't more specific in find_attach()
538 struct aa_profile *new = aa_find_child(profile, lookup); in x_table_lookup() local
540 if (new) in x_table_lookup()
542 return &new->label; in x_table_lookup()
574 struct aa_label *new = NULL; in x_to_label() local
591 new = x_table_lookup(profile, xindex, lookupname); in x_to_label()
592 if (!new || **lookupname != '&') in x_to_label()
594 stack = new; in x_to_label()
595 new = NULL; in x_to_label()
600 new = find_attach(bprm, ns, &profile->base.profiles, in x_to_label()
604 new = find_attach(bprm, ns, &ns->base.profiles, in x_to_label()
611 if (!new) { in x_to_label()
623 new = aa_get_newest_label(&profile->label); in x_to_label()
625 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
645 if (new && stack) { in x_to_label()
647 struct aa_label *base = new; in x_to_label()
649 new = aa_label_merge(base, stack, GFP_KERNEL); in x_to_label()
656 return new; in x_to_label()
666 struct aa_label *new = NULL; in profile_transition() local
685 new = aa_get_newest_label(&profile->label); in profile_transition()
692 new = find_attach(bprm, profile->ns, in profile_transition()
707 OP_EXEC, MAY_EXEC, name, target, new, cond->uid, in profile_transition()
710 if (new) { in profile_transition()
711 AA_DEBUG(DEBUG_DOMAIN, "unconfined attached to new label"); in profile_transition()
712 return new; in profile_transition()
722 new = x_to_label(profile, bprm, name, perms.xindex, &target, in profile_transition()
724 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
734 } else if (!new) { in profile_transition()
759 new = &new_profile->label; in profile_transition()
766 if (!new) in profile_transition()
774 aa_label_printk(new, GFP_KERNEL); in profile_transition()
782 target, new, in profile_transition()
784 if (!new || nonewprivs) { in profile_transition()
785 aa_put_label(new); in profile_transition()
789 return new; in profile_transition()
875 struct aa_label *new; in handle_onexec() local
890 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in handle_onexec()
896 if (new) in handle_onexec()
897 return new; in handle_onexec()
910 * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
920 struct aa_label *label, *new = NULL; in apparmor_bprm_creds_for_exec() local
942 * Detect no new privs being set, and store the label it in apparmor_bprm_creds_for_exec()
961 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token, in apparmor_bprm_creds_for_exec()
964 new = fn_label_build(label, profile, GFP_KERNEL, in apparmor_bprm_creds_for_exec()
969 AA_BUG(!new); in apparmor_bprm_creds_for_exec()
970 if (IS_ERR(new)) { in apparmor_bprm_creds_for_exec()
971 error = PTR_ERR(new); in apparmor_bprm_creds_for_exec()
973 } else if (!new) { in apparmor_bprm_creds_for_exec()
980 * of the confinement when the task entered no new privs. in apparmor_bprm_creds_for_exec()
988 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in apparmor_bprm_creds_for_exec()
990 info = "no new privs"; in apparmor_bprm_creds_for_exec()
1000 /* TODO: test needs to be profile of label to new */ in apparmor_bprm_creds_for_exec()
1001 error = may_change_ptraced_domain(bprm->cred, new, &info); in apparmor_bprm_creds_for_exec()
1010 aa_label_printk(new, GFP_KERNEL); in apparmor_bprm_creds_for_exec()
1016 if (label->proxy != new->proxy) { in apparmor_bprm_creds_for_exec()
1021 aa_label_printk(new, GFP_KERNEL); in apparmor_bprm_creds_for_exec()
1028 set_cred_label(bprm->cred, new); in apparmor_bprm_creds_for_exec()
1040 bprm->filename, NULL, new, in apparmor_bprm_creds_for_exec()
1042 aa_put_label(new); in apparmor_bprm_creds_for_exec()
1110 struct aa_label *new; in change_hat() local
1191 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in change_hat()
1195 if (!new) { in change_hat()
1199 } /* else if (IS_ERR) build_change_hat has logged error so return new */ in change_hat()
1201 return new; in change_hat()
1225 struct aa_label *label, *previous, *new = NULL, *target = NULL; in aa_change_hat() local
1237 * Detect no new privs being set, and store the label it in aa_change_hat()
1267 new = change_hat(subj_cred, label, hats, count, flags); in aa_change_hat()
1268 AA_BUG(!new); in aa_change_hat()
1269 if (IS_ERR(new)) { in aa_change_hat()
1270 error = PTR_ERR(new); in aa_change_hat()
1271 new = NULL; in aa_change_hat()
1276 /* target cred is the same as current except new label */ in aa_change_hat()
1277 error = may_change_ptraced_domain(subj_cred, new, &info); in aa_change_hat()
1282 * no new privs prevents domain transitions that would in aa_change_hat()
1286 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_hat()
1297 target = new; in aa_change_hat()
1298 error = aa_set_current_hat(new, token); in aa_change_hat()
1304 * no new privs prevents domain transitions that would in aa_change_hat()
1329 aa_put_label(new); in aa_change_hat()
1380 * Change to new profile @name. Unlike with hats, there is no way
1390 struct aa_label *label, *new = NULL, *target = NULL; in aa_change_profile() local
1405 * Detect no new privs being set, and store the label it in aa_change_profile()
1525 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in aa_change_profile()
1529 * no new privs prevents domain transitions that would in aa_change_profile()
1533 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_profile()
1545 new = aa_label_merge(label, target, GFP_KERNEL); in aa_change_profile()
1546 if (IS_ERR_OR_NULL(new)) { in aa_change_profile()
1548 if (!new) in aa_change_profile()
1551 error = PTR_ERR(new); in aa_change_profile()
1552 new = NULL; in aa_change_profile()
1556 error = aa_replace_current_label(new); in aa_change_profile()
1558 if (new) { in aa_change_profile()
1559 aa_put_label(new); in aa_change_profile()
1560 new = NULL; in aa_change_profile()
1571 NULL, new ? new : target, in aa_change_profile()
1575 aa_put_label(new); in aa_change_profile()