Lines Matching refs:label
97 struct aa_ruleset *rules = profile->label.rules[0];
114 * label_compound_match - find perms for full compound label
116 * @label: label to check access permissions for
125 * For the label A//&B//&C this does the perm match for A//&B//&C
130 struct aa_label *label, bool stack,
134 struct aa_ruleset *rules = profile->label.rules[0];
140 label_for_each(i, label, tp) {
154 label_for_each_cont(i, label, tp) {
176 * label_components_match - find perms for all subcomponents of a label
178 * @label: label to check access permissions for
187 * For the label A//&B//&C this does the perm match for each of A and B and C
192 struct aa_label *label, bool stack,
196 struct aa_ruleset *rules = profile->label.rules[0];
204 label_for_each(i, label, tp) {
221 label_for_each_cont(i, label, tp) {
244 * label_match - do a multi-component label match
246 * @label: label to match (NOT NULL)
255 static int label_match(struct aa_profile *profile, struct aa_label *label,
262 error = label_compound_match(profile, label, stack, state, inview,
268 return label_components_match(profile, label, stack, state, inview,
277 * @target: label to transition to (NOT NULL)
286 * currently only matches full label A//&B//&C or individual components A, B, C
388 * Returns: label or NULL if no match found
406 if (profile->label.flags & FLAG_NULL &&
407 &profile->label == ns_unconfined(profile->ns))
501 return &candidate->label;
513 * @name: returns: name tested to find label (NOT NULL)
515 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
521 struct aa_ruleset *rules = profile->label.rules[0];
522 struct aa_label *label = NULL;
531 * index into the resultant label
543 return &new->label;
546 label = aa_label_parse(&profile->label, lookup, GFP_KERNEL,
548 if (!IS_ERR_OR_NULL(label))
550 return label;
557 * x_to_label - get target label for a given xindex
565 * find label for a transition index
567 * Returns: refcounted label, or NULL if not found or not available
624 new = aa_get_newest_label(&profile->label);
666 struct aa_ruleset *rules = profile->label.rules[0];
683 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
686 new = aa_get_newest_label(&profile->label);
712 AA_DEBUG(DEBUG_DOMAIN, "unconfined attached to new label");
716 return aa_get_newest_label(&profile->label);
725 if (new && new->proxy == profile->label.proxy && info) {
760 new = &new_profile->label;
799 struct aa_ruleset *rules = profile->label.rules[0];
824 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
852 dbg_printk("apparmor: setting AT_SECURE for %s label=",
870 struct aa_label *label = aa_label_merge(a, b, gfp);
872 if (!label)
874 return label;
878 struct aa_label *label,
888 AA_BUG(!label);
896 error = fn_for_each_in_scope(label, profile,
902 new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
903 stack ? label_merge_wrap(&profile->label, onexec,
913 error = fn_for_each_in_scope(label, profile,
918 "failed to build target label",
934 struct aa_label *label, *new = NULL;
953 label = aa_get_newest_label(cred_label(bprm->cred));
956 * Detect no new privs being set, and store the label it
962 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) &&
964 ctx->nnp = aa_get_label(label);
975 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token,
978 new = fn_label_build(label, profile, GFP_KERNEL,
997 !unconfined(label) &&
1010 /* TODO: test needs to be profile of label to new */
1018 dbg_printk("setting AT_SECURE for %s label=",
1026 if (label->proxy != new->proxy) {
1029 dbg_printk("apparmor: clearing unsafe personality bits. %s label=",
1041 aa_put_label(label);
1047 error = fn_for_each(label, profile,
1063 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
1101 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info,
1106 * in complain mode, allow by returning hat->label
1108 return &hat->label;
1113 * Returns: label for hat transition or ERR_PTR. Does not return NULL
1116 struct aa_label *label, const char *hats[],
1127 AA_BUG(!label);
1132 * Acquire the newest label and then hold the lock until we choose a
1135 * the profiles and label, we can rely on the namespaces being live
1138 label = aa_get_label(label);
1139 ns = labels_ns(label);
1143 if (label_is_stale(label)) {
1144 new = aa_get_newest_label(label);
1150 label = new;
1153 aa_put_label(label);
1154 label = new;
1157 if (PROFILE_IS_HAT(labels_profile(label)))
1163 label_for_each_in_scope(it, labels_ns(label), label, profile) {
1199 label_for_each_in_scope(it, labels_ns(label), label, profile) {
1210 label_for_each_in_scope(it, labels_ns(label), label, profile) {
1229 new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
1232 aa_get_label(&profile->label));
1235 /* return new label or error ptr */
1261 struct aa_label *label, *previous, *new = NULL, *target = NULL;
1269 label = aa_get_newest_cred_label(subj_cred);
1273 * Detect no new privs being set, and store the label it
1279 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
1280 ctx->nnp = aa_get_label(label);
1285 if (unconfined(label)) {
1290 label_for_each_in_scope(i, labels_ns(label), label, profile) {
1303 new = change_hat(subj_cred, label, hats, count, flags);
1312 /* target cred is the same as current except new label */
1321 if (task_no_new_privs(current) && !unconfined(label) &&
1343 if (task_no_new_privs(current) && !unconfined(label) &&
1352 /* Return to saved label. Kill task if restore fails
1367 aa_put_label(label);
1377 fn_for_each_in_scope(label, profile,
1392 struct aa_ruleset *rules = profile->label.rules[0];
1426 struct aa_label *label, *new = NULL, *target = NULL;
1438 label = aa_get_current_label();
1441 * Detect no new privs being set, and store the label it
1447 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
1448 ctx->nnp = aa_get_label(label);
1451 aa_put_label(label);
1473 if (!stack && unconfined(label) &&
1474 label == &labels_ns(label)->unconfined->label &&
1485 (void) fn_for_each_in_scope(label, profile,
1497 target = aa_label_parse(label, fqname, GFP_KERNEL, true, false);
1501 info = "label not found";
1509 !COMPLAIN_MODE(labels_profile(label)))
1512 tprofile = aa_new_learning_profile(labels_profile(label), false,
1519 target = &tprofile->label;
1531 error = fn_for_each_in_scope(label, profile,
1545 if (error && !fn_for_each_in_scope(label, profile,
1561 new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
1563 aa_get_label(&profile->label));
1571 if (task_no_new_privs(current) && !unconfined(label) &&
1584 new = aa_label_merge(label, target, GFP_KERNEL);
1600 info = "failed to build target label";
1609 error = fn_for_each_in_scope(label, profile,
1618 aa_put_label(label);