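Lines matching references to the identifier `new` (non-contiguous excerpts; each row begins with its line number in the source file):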
38 * to trace the new domain
456 * The new match isn't more specific
569 struct aa_label *new = NULL;
584 new = x_table_lookup(profile, xindex, lookupname);
592 new = find_attach(bprm, ns, &profile->base.profiles,
596 new = find_attach(bprm, ns, &ns->base.profiles,
602 if (!new) {
609 new = aa_get_newest_label(&profile->label);
611 new = aa_get_newest_label(ns_unconfined(profile->ns));
616 if (new && stack) {
618 struct aa_label *base = new;
620 new = aa_label_parse(base, stack, GFP_KERNEL, true, false);
621 if (IS_ERR(new))
622 new = NULL;
627 return new;
638 struct aa_label *new = NULL;
657 new = aa_get_newest_label(&profile->label);
664 new = find_attach(bprm, profile->ns,
666 if (new) {
667 AA_DEBUG("unconfined attached to new label");
668 return new;
678 new = x_to_label(profile, bprm, name, perms.xindex, &target,
680 if (new && new->proxy == profile->label.proxy && info) {
683 } else if (!new) {
703 new = &new_profile->label;
710 if (!new)
718 aa_label_printk(new, GFP_KERNEL);
726 target, new,
728 if (!new || nonewprivs) {
729 aa_put_label(new);
733 return new;
820 struct aa_label *new;
835 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
841 if (new)
842 return new;
855 * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
865 struct aa_label *label, *new = NULL;
887 * Detect no new privs being set, and store the label it
906 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token,
909 new = fn_label_build(label, profile, GFP_KERNEL,
914 AA_BUG(!new);
915 if (IS_ERR(new)) {
916 error = PTR_ERR(new);
918 } else if (!new) {
925 * of the confinement when the task entered no new privs.
933 !aa_label_is_unconfined_subset(new, ctx->nnp)) {
935 info = "no new privs";
945 /* TODO: test needs to be profile of label to new */
946 error = may_change_ptraced_domain(bprm->cred, new, &info);
955 aa_label_printk(new, GFP_KERNEL);
961 if (label->proxy != new->proxy) {
966 aa_label_printk(new, GFP_KERNEL);
973 set_cred_label(bprm->cred, new);
985 bprm->filename, NULL, new,
987 aa_put_label(new);
1055 struct aa_label *new;
1136 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1140 if (!new) {
1144 } /* else if (IS_ERR) build_change_hat has logged error so return new */
1146 return new;
1170 struct aa_label *label, *previous, *new = NULL, *target = NULL;
1182 * Detect no new privs being set, and store the label it
1198 new = change_hat(subj_cred, label, hats, count, flags);
1199 AA_BUG(!new);
1200 if (IS_ERR(new)) {
1201 error = PTR_ERR(new);
1202 new = NULL;
1207 /* target cred is the same as current except new label */
1208 error = may_change_ptraced_domain(subj_cred, new, &info);
1213 * no new privs prevents domain transitions that would
1217 !aa_label_is_unconfined_subset(new, ctx->nnp)) {
1227 target = new;
1228 error = aa_set_current_hat(new, token);
1234 * no new privs prevents domain transitions that would
1258 aa_put_label(new);
1310 * Change to new profile @name. Unlike with hats, there is no way
1320 struct aa_label *label, *new = NULL, *target = NULL;
1335 * Detect no new privs being set, and store the label it
1455 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1459 * no new privs prevents domain transitions that would
1463 !aa_label_is_unconfined_subset(new, ctx->nnp)) {
1474 new = aa_label_merge(label, target, GFP_KERNEL);
1475 if (IS_ERR_OR_NULL(new)) {
1477 if (!new)
1480 error = PTR_ERR(new);
1481 new = NULL;
1485 error = aa_replace_current_label(new);
1487 if (new) {
1488 aa_put_label(new);
1489 new = NULL;
1500 NULL, new ? new : target,
1504 aa_put_label(new);