1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2017 Canonical Ltd.
83 } else if (addr->sun_path[0]) { in audit_unix_addr()
85 audit_log_untrustedstring(ab, addr->sun_path); in audit_unix_addr()
88 if (audit_string_contains_control(&addr->sun_path[1], len - 1)) in audit_unix_addr()
89 audit_log_n_hex(ab, &addr->sun_path[1], len - 1); in audit_unix_addr()
91 audit_log_format(ab, "%.*s", len - 1, in audit_unix_addr()
92 &addr->sun_path[1]); in audit_unix_addr()
102 if (u && u->addr) { in audit_unix_sk_addr()
119 if (address_family_names[ad->common.u.net->family]) in audit_net_cb()
121 address_family_names[ad->common.u.net->family]); in audit_net_cb()
124 ad->common.u.net->family); in audit_net_cb()
125 if (sock_type_names[ad->net.type]) in audit_net_cb()
127 sock_type_names[ad->net.type]); in audit_net_cb()
130 ad->net.type); in audit_net_cb()
131 audit_log_format(ab, " protocol=%d", ad->net.protocol); in audit_net_cb()
133 if (ad->request & NET_PERMS_MASK) { in audit_net_cb()
135 aa_audit_perm_mask(ab, ad->request, NULL, 0, in audit_net_cb()
138 if (ad->denied & NET_PERMS_MASK) { in audit_net_cb()
140 aa_audit_perm_mask(ab, ad->denied, NULL, 0, in audit_net_cb()
144 if (ad->common.u.net->family == PF_UNIX) { in audit_net_cb()
145 if (ad->net.addr || !ad->common.u.net->sk) in audit_net_cb()
147 unix_addr(ad->net.addr), in audit_net_cb()
148 ad->net.addrlen); in audit_net_cb()
150 audit_unix_sk_addr(ab, "addr", ad->common.u.net->sk); in audit_net_cb()
151 if (ad->request & NET_PEER_MASK) { in audit_net_cb()
153 unix_addr(ad->net.peer.addr), in audit_net_cb()
154 ad->net.peer.addrlen); in audit_net_cb()
157 if (ad->peer) { in audit_net_cb()
159 aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer, in audit_net_cb()
164 /* standard permission lookup pattern - supports early bailout */
194 if (((p->allow & request) != request) && (p->allow & AA_CONT_MATCH)) in early_match()
208 * aa_match_to_prot - match the af, type, protocol triplet
215 * @p: output - pointer to permission associated with match
216 * @info: output - pointer to string describing failure
228 state = aa_dfa_match_be16(policy->dfa, state, (u16)af); in aa_match_to_prot()
233 state = aa_dfa_match_be16(policy->dfa, state, (u16)type); in aa_match_to_prot()
238 state = aa_dfa_match_be16(policy->dfa, state, (u16)protocol); in aa_match_to_prot()
254 struct aa_ruleset *rules = profile->label.rules[0]; in aa_profile_af_perm() local
264 state = RULE_MEDIATES_NET(rules); in aa_profile_af_perm()
267 state = aa_match_to_prot(rules->policy, state, request, family, type, in aa_profile_af_perm()
268 protocol, &p, &ad->info); in aa_profile_af_perm()
269 return aa_do_perms(profile, rules->policy, state, request, p, ad); in aa_profile_af_perm()
294 if (rcu_access_pointer(ctx->label) != kernel_t && !unconfined(label)) { in aa_label_sk_perm()
326 struct socket *sock = (struct socket *) file->private_data; in aa_sock_file_perm()
330 AA_BUG(!sock->sk); in aa_sock_file_perm()
332 if (sock->sk->sk_family == PF_UNIX) in aa_sock_file_perm()
334 return aa_label_sk_perm(subj_cred, label, op, request, sock->sk); in aa_sock_file_perm()
342 if (secmark->label[0] == '*') { in apparmor_secmark_init()
343 secmark->secid = AA_SECID_WILDCARD; in apparmor_secmark_init()
347 label = aa_label_strn_parse(&root_ns->unconfined->label, in apparmor_secmark_init()
348 secmark->label, strlen(secmark->label), in apparmor_secmark_init()
354 secmark->secid = label->secid; in apparmor_secmark_init()
364 struct aa_ruleset *rules = profile->label.rules[0]; in aa_secmark_perm() local
366 if (rules->secmark_count == 0) in aa_secmark_perm()
369 for (i = 0; i < rules->secmark_count; i++) { in aa_secmark_perm()
370 if (!rules->secmark[i].secid) { in aa_secmark_perm()
371 ret = apparmor_secmark_init(&rules->secmark[i]); in aa_secmark_perm()
376 if (rules->secmark[i].secid == secid || in aa_secmark_perm()
377 rules->secmark[i].secid == AA_SECID_WILDCARD) { in aa_secmark_perm()
378 if (rules->secmark[i].deny) in aa_secmark_perm()
383 if (rules->secmark[i].audit) in aa_secmark_perm()