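Lines matching full:label (each entry gives the source line number, the matching line, and, where there is one, the enclosing function; "local" or "argument" marks the line that declares the variable)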

39 #include "include/label.h"
91 * prepare new cred label for modification by prepare_cred block
166 struct aa_label *label; in apparmor_capget() local
171 label = aa_get_newest_cred_label(cred); in apparmor_capget()
177 if (!unconfined(label)) { in apparmor_capget()
181 label_for_each_confined(i, label, profile) { in apparmor_capget()
190 aa_put_label(label); in apparmor_capget()
198 struct aa_label *label; in apparmor_capable() local
201 label = aa_get_newest_cred_label(cred); in apparmor_capable()
202 if (!unconfined(label)) in apparmor_capable()
203 error = aa_capable(cred, label, cap, opts); in apparmor_capable()
204 aa_put_label(label); in apparmor_capable()
221 struct aa_label *label; in common_perm() local
225 label = __begin_current_label_crit_section(&needput); in common_perm()
226 if (!unconfined(label)) in common_perm()
227 error = aa_path_perm(op, current_cred(), label, path, 0, mask, in common_perm()
229 __end_current_label_crit_section(label, needput); in common_perm()
366 struct aa_label *label; in apparmor_path_link() local
372 label = begin_current_label_crit_section(); in apparmor_path_link()
373 if (!unconfined(label)) in apparmor_path_link()
374 error = aa_path_link(current_cred(), label, old_dentry, new_dir, in apparmor_path_link()
376 end_current_label_crit_section(label); in apparmor_path_link()
385 struct aa_label *label; in apparmor_path_rename() local
393 label = begin_current_label_crit_section(); in apparmor_path_rename()
394 if (!unconfined(label)) { in apparmor_path_rename()
415 label, &new_path, 0, in apparmor_path_rename()
421 label, &old_path, in apparmor_path_rename()
428 label, &old_path, 0, in apparmor_path_rename()
434 label, &new_path, in apparmor_path_rename()
439 end_current_label_crit_section(label); in apparmor_path_rename()
462 struct aa_label *label; in apparmor_file_open() local
481 label = aa_get_newest_cred_label_condref(file->f_cred, &needput); in apparmor_file_open()
482 if (!unconfined(label)) { in apparmor_file_open()
493 label, &file->f_path, 0, in apparmor_file_open()
498 aa_put_label_condref(label, needput); in apparmor_file_open()
506 struct aa_label *label = begin_current_label_crit_section(); in apparmor_file_alloc_security() local
509 rcu_assign_pointer(ctx->label, aa_get_label(label)); in apparmor_file_alloc_security()
510 end_current_label_crit_section(label); in apparmor_file_alloc_security()
519 aa_put_label(rcu_access_pointer(ctx->label)); in apparmor_file_free_security()
525 struct aa_label *label; in common_file_perm() local
533 label = __begin_current_label_crit_section(&needput); in common_file_perm()
534 error = aa_file_perm(op, current_cred(), label, file, mask, in_atomic); in common_file_perm()
535 __end_current_label_crit_section(label, needput); in common_file_perm()
637 rules = profile->label.rules[0]; in profile_uring()
666 struct aa_label *label; in apparmor_uring_override_creds() local
673 label = __begin_current_label_crit_section(&needput); in apparmor_uring_override_creds()
674 error = fn_for_each(label, profile, in apparmor_uring_override_creds()
677 __end_current_label_crit_section(label, needput); in apparmor_uring_override_creds()
691 struct aa_label *label; in apparmor_uring_sqpoll() local
697 label = __begin_current_label_crit_section(&needput); in apparmor_uring_sqpoll()
698 error = fn_for_each(label, profile, in apparmor_uring_sqpoll()
701 __end_current_label_crit_section(label, needput); in apparmor_uring_sqpoll()
710 struct aa_label *label; in apparmor_sb_mount() local
720 label = __begin_current_label_crit_section(&needput); in apparmor_sb_mount()
721 if (!unconfined(label)) { in apparmor_sb_mount()
723 error = aa_remount(current_cred(), label, path, flags, in apparmor_sb_mount()
726 error = aa_bind_mount(current_cred(), label, path, in apparmor_sb_mount()
730 error = aa_mount_change_type(current_cred(), label, in apparmor_sb_mount()
733 error = aa_move_mount_old(current_cred(), label, path, in apparmor_sb_mount()
736 error = aa_new_mount(current_cred(), label, dev_name, in apparmor_sb_mount()
739 __end_current_label_crit_section(label, needput); in apparmor_sb_mount()
747 struct aa_label *label; in apparmor_move_mount() local
751 label = __begin_current_label_crit_section(&needput); in apparmor_move_mount()
752 if (!unconfined(label)) in apparmor_move_mount()
753 error = aa_move_mount(current_cred(), label, from_path, in apparmor_move_mount()
755 __end_current_label_crit_section(label, needput); in apparmor_move_mount()
762 struct aa_label *label; in apparmor_sb_umount() local
766 label = __begin_current_label_crit_section(&needput); in apparmor_sb_umount()
767 if (!unconfined(label)) in apparmor_sb_umount()
768 error = aa_umount(current_cred(), label, mnt, flags); in apparmor_sb_umount()
769 __end_current_label_crit_section(label, needput); in apparmor_sb_umount()
777 struct aa_label *label; in apparmor_sb_pivotroot() local
780 label = aa_get_current_label(); in apparmor_sb_pivotroot()
781 if (!unconfined(label)) in apparmor_sb_pivotroot()
782 error = aa_pivotroot(current_cred(), label, old_path, new_path); in apparmor_sb_pivotroot()
783 aa_put_label(label); in apparmor_sb_pivotroot()
793 struct aa_label *label = NULL; in apparmor_getselfattr() local
798 label = aa_get_newest_label(cred_label(current_cred())); in apparmor_getselfattr()
802 label = aa_get_newest_label(ctx->previous); in apparmor_getselfattr()
806 label = aa_get_newest_label(ctx->onexec); in apparmor_getselfattr()
813 if (label) { in apparmor_getselfattr()
814 error = aa_getprocattr(label, &value, false); in apparmor_getselfattr()
821 aa_put_label(label); in apparmor_getselfattr()
835 struct aa_label *label = NULL; in apparmor_getprocattr() local
838 label = aa_get_newest_label(cred_label(cred)); in apparmor_getprocattr()
840 label = aa_get_newest_label(ctx->previous); in apparmor_getprocattr()
842 label = aa_get_newest_label(ctx->onexec); in apparmor_getprocattr()
846 if (label) in apparmor_getprocattr()
847 error = aa_getprocattr(label, value, true); in apparmor_getprocattr()
849 aa_put_label(label); in apparmor_getprocattr()
963 struct aa_label *label = aa_current_raw_label(); in apparmor_bprm_committing_creds() local
967 if ((new_label->proxy == label->proxy) || in apparmor_bprm_committing_creds()
975 /* reset soft limits and set hard limits for the new label */ in apparmor_bprm_committing_creds()
976 __aa_transition_rlimits(label, new_label); in apparmor_bprm_committing_creds()
993 struct aa_label *label; in apparmor_current_getlsmprop_subj() local
996 label = __begin_current_label_crit_section(&needput); in apparmor_current_getlsmprop_subj()
997 prop->apparmor.label = label; in apparmor_current_getlsmprop_subj()
998 __end_current_label_crit_section(label, needput); in apparmor_current_getlsmprop_subj()
1004 struct aa_label *label = aa_get_task_label(p); in apparmor_task_getlsmprop_obj() local
1006 prop->apparmor.label = label; in apparmor_task_getlsmprop_obj()
1007 aa_put_label(label); in apparmor_task_getlsmprop_obj()
1013 struct aa_label *label; in apparmor_task_setrlimit() local
1017 label = __begin_current_label_crit_section(&needput); in apparmor_task_setrlimit()
1019 if (!unconfined(label)) in apparmor_task_setrlimit()
1020 error = aa_task_setrlimit(current_cred(), label, task, in apparmor_task_setrlimit()
1022 __end_current_label_crit_section(label, needput); in apparmor_task_setrlimit()
1057 struct aa_label *label; in apparmor_userns_create() local
1065 label = begin_current_label_crit_section(); in apparmor_userns_create()
1066 if (!unconfined(label)) { in apparmor_userns_create()
1067 error = fn_for_each(label, profile, in apparmor_userns_create()
1071 end_current_label_crit_section(label); in apparmor_userns_create()
1079 struct aa_label *label; in apparmor_sk_alloc_security() local
1082 label = __begin_current_label_crit_section(&needput); in apparmor_sk_alloc_security()
1084 rcu_assign_pointer(ctx->label, aa_get_label(label)); in apparmor_sk_alloc_security()
1087 __end_current_label_crit_section(label, needput); in apparmor_sk_alloc_security()
1096 aa_put_label(rcu_dereference_protected(ctx->label, true)); in apparmor_sk_free_security()
1113 if (rcu_access_pointer(ctx->label) != rcu_access_pointer(new->label)) { in apparmor_sk_clone_security()
1114 aa_put_label(rcu_dereference_protected(new->label, true)); in apparmor_sk_clone_security()
1115 rcu_assign_pointer(new->label, aa_get_label_rcu(&ctx->label)); in apparmor_sk_clone_security()
1130 static int unix_connect_perm(const struct cred *cred, struct aa_label *label, in unix_connect_perm() argument
1136 error = aa_unix_peer_perm(cred, label, OP_CONNECT, in unix_connect_perm()
1139 rcu_dereference_protected(peer_ctx->label, in unix_connect_perm()
1144 rcu_dereference_protected(peer_ctx->label, in unix_connect_perm()
1148 peer_sk, sk, label)); in unix_connect_perm()
1159 struct aa_label *label = rcu_dereference_protected(sk_ctx->label, true); in unix_connect_peers() local
1161 aa_get_label(label); in unix_connect_peers()
1164 rcu_assign_pointer(peer_ctx->peer, label); /* transfer cnt */ in unix_connect_peers()
1166 label = aa_get_label(rcu_dereference_protected(peer_ctx->label, in unix_connect_peers()
1176 rcu_assign_pointer(sk_ctx->peer, aa_get_label(label)); in unix_connect_peers()
1177 rcu_assign_pointer(sk_ctx->peer_lastupdate, label); /* transfer cnt */ in unix_connect_peers()
1198 struct aa_label *label; in apparmor_unix_stream_connect() local
1202 label = __begin_current_label_crit_section(&needput); in apparmor_unix_stream_connect()
1203 error = unix_connect_perm(current_cred(), label, sk, peer_sk); in apparmor_unix_stream_connect()
1204 __end_current_label_crit_section(label, needput); in apparmor_unix_stream_connect()
1212 rcu_assign_pointer(new_ctx->label, in apparmor_unix_stream_connect()
1213 aa_get_label(rcu_dereference_protected(peer_ctx->label, in apparmor_unix_stream_connect()
1241 struct aa_label *label; in apparmor_unix_may_send() local
1245 label = __begin_current_label_crit_section(&needput); in apparmor_unix_may_send()
1247 label, OP_SENDMSG, AA_MAY_SEND, in apparmor_unix_may_send()
1249 rcu_dereference_protected(peer_ctx->label, in apparmor_unix_may_send()
1252 rcu_dereference_protected(peer_ctx->label, in apparmor_unix_may_send()
1255 sock->sk, label)); in apparmor_unix_may_send()
1256 __end_current_label_crit_section(label, needput); in apparmor_unix_may_send()
1263 struct aa_label *label; in apparmor_socket_create() local
1271 label = begin_current_label_crit_section(); in apparmor_socket_create()
1272 if (!unconfined(label)) { in apparmor_socket_create()
1274 error = aa_unix_create_perm(label, family, type, in apparmor_socket_create()
1277 error = aa_af_perm(current_cred(), label, OP_CREATE, in apparmor_socket_create()
1281 end_current_label_crit_section(label); in apparmor_socket_create()
1303 struct aa_label *label; in apparmor_socket_post_create() local
1306 label = aa_get_label(kernel_t); in apparmor_socket_post_create()
1308 label = aa_get_current_label(); in apparmor_socket_post_create()
1314 aa_put_label(rcu_dereference_protected(ctx->label, true)); in apparmor_socket_post_create()
1315 rcu_assign_pointer(ctx->label, aa_get_label(label)); in apparmor_socket_post_create()
1317 aa_put_label(label); in apparmor_socket_post_create()
1327 struct aa_label *label; in apparmor_socket_socketpair() local
1330 label = begin_current_label_crit_section(); in apparmor_socket_socketpair()
1331 if (rcu_access_pointer(a_ctx->label) != label) { in apparmor_socket_socketpair()
1332 AA_BUG("a_ctx != label"); in apparmor_socket_socketpair()
1333 aa_put_label(rcu_dereference_protected(a_ctx->label, true)); in apparmor_socket_socketpair()
1334 rcu_assign_pointer(a_ctx->label, aa_get_label(label)); in apparmor_socket_socketpair()
1336 if (rcu_access_pointer(b_ctx->label) != label) { in apparmor_socket_socketpair()
1337 AA_BUG("b_ctx != label"); in apparmor_socket_socketpair()
1338 aa_put_label(rcu_dereference_protected(b_ctx->label, true)); in apparmor_socket_socketpair()
1339 rcu_assign_pointer(b_ctx->label, aa_get_label(label)); in apparmor_socket_socketpair()
1346 end_current_label_crit_section(label); in apparmor_socket_socketpair()
1520 * case label is null, drop the packet. in apparmor_socket_sock_rcv_skb()
1522 if (!rcu_access_pointer(ctx->label)) in apparmor_socket_sock_rcv_skb()
1526 error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_RECVMSG, in apparmor_socket_sock_rcv_skb()
1538 struct aa_label *label = ERR_PTR(-ENOPROTOOPT); in sk_peer_get_label() local
1546 return label; in sk_peer_get_label()
1565 struct aa_label *label; in apparmor_socket_getpeersec_stream() local
1573 label = begin_current_label_crit_section(); in apparmor_socket_getpeersec_stream()
1574 slen = aa_label_asxprint(&name, labels_ns(label), peer, in apparmor_socket_getpeersec_stream()
1594 end_current_label_crit_section(label); in apparmor_socket_getpeersec_stream()
1602 * apparmor_socket_getpeersec_dgram - get security label of packet
1623 * just set sk security information off of current creating process label
1633 if (!rcu_access_pointer(ctx->label)) in apparmor_sock_graft()
1634 rcu_assign_pointer(ctx->label, aa_get_current_label()); in apparmor_sock_graft()
1648 error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_CONNECT, in apparmor_inet_conn_request()
2372 error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_SENDMSG, in apparmor_ip_postroute()