Lines Matching +full:test +full:- +full:rules

1 // SPDX-License-Identifier: GPL-2.0-only
24 * aa_get_task_label - Get another task's label
41 * aa_replace_current_label - replace the current task's label
58 return -EBUSY; in aa_replace_current_label()
62 return -ENOMEM; in aa_replace_current_label()
64 if (ctx->nnp && label_is_stale(ctx->nnp)) { in aa_replace_current_label()
65 struct aa_label *tmp = ctx->nnp; in aa_replace_current_label()
67 ctx->nnp = aa_get_newest_label(tmp); in aa_replace_current_label()
79 * is possible that the cred label's->proxy->label is the reference in aa_replace_current_label()
93 * aa_set_current_onexec - set the task's change_profile to happen onexec
102 aa_put_label(ctx->onexec); in aa_set_current_onexec()
103 ctx->onexec = label; in aa_set_current_onexec()
104 ctx->token = stack; in aa_set_current_onexec()
108 * aa_set_current_hat - set the current task's hat
124 return -ENOMEM; in aa_set_current_hat()
127 if (!ctx->previous) { in aa_set_current_hat()
129 ctx->previous = cred_label(new); in aa_set_current_hat()
130 ctx->token = token; in aa_set_current_hat()
131 } else if (ctx->token == token) { in aa_set_current_hat()
134 /* previous_profile && ctx->token != token */ in aa_set_current_hat()
136 return -EACCES; in aa_set_current_hat()
141 aa_put_label(ctx->onexec); in aa_set_current_hat()
142 ctx->onexec = NULL; in aa_set_current_hat()
149 * aa_restore_previous_label - exit from hat context restoring previous label
162 if (ctx->token != token) in aa_restore_previous_label()
163 return -EACCES; in aa_restore_previous_label()
165 if (!ctx->previous) in aa_restore_previous_label()
170 return -ENOMEM; in aa_restore_previous_label()
173 set_cred_label(new, aa_get_newest_label(ctx->previous)); in aa_restore_previous_label()
184 * audit_ptrace_mask - convert mask to permission string
210 if (ad->request & AA_PTRACE_PERM_MASK) { in audit_ptrace_cb()
212 audit_ptrace_mask(ad->request)); in audit_ptrace_cb()
214 if (ad->denied & AA_PTRACE_PERM_MASK) { in audit_ptrace_cb()
216 audit_ptrace_mask(ad->denied)); in audit_ptrace_cb()
220 aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer, in audit_ptrace_cb()
231 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_ptrace_perm() local
232 typeof(*rules), list); in profile_ptrace_perm()
235 ad->subj_cred = cred; in profile_ptrace_perm()
236 ad->peer = peer; in profile_ptrace_perm()
237 aa_profile_match_label(profile, rules, peer, AA_CLASS_PTRACE, request, in profile_ptrace_perm()
249 !ANY_RULE_MEDIATES(&tracee->rules, AA_CLASS_PTRACE)) in profile_tracee_perm()
263 if (ANY_RULE_MEDIATES(&tracer->rules, AA_CLASS_PTRACE)) in profile_tracer_perm()
267 if (&tracer->label == tracee) in profile_tracer_perm()
270 ad->subj_label = &tracer->label; in profile_tracer_perm()
271 ad->peer = tracee; in profile_tracer_perm()
272 ad->request = 0; in profile_tracer_perm()
273 ad->error = aa_capable(cred, &tracer->label, CAP_SYS_PTRACE, in profile_tracer_perm()
280 * aa_may_ptrace - test if tracer task can trace the tracee
309 if (ad->request & AA_USERNS_CREATE) in audit_ns_cb()
312 if (ad->denied & AA_USERNS_CREATE) in audit_ns_cb()
323 ad->subj_label = &profile->label; in aa_profile_ns_perm()
324 ad->request = request; in aa_profile_ns_perm()
327 struct aa_ruleset *rules = list_first_entry(&profile->rules, in aa_profile_ns_perm() local
328 typeof(*rules), in aa_profile_ns_perm()
332 state = RULE_MEDIATES(rules, ad->class); in aa_profile_ns_perm()
336 perms = *aa_lookup_perms(rules->policy, state); in aa_profile_ns_perm()