
32  * may_change_ptraced_domain - check if can change profile on ptraced task
34 * @to_label: profile to change to (NOT NULL)
81 /* match a profile and its associated ns component if needed
83 * If a subns profile is not to be matched should be prescreened with
86 static inline aa_state_t match_component(struct aa_profile *profile, in match_component() argument
90 struct aa_ruleset *rules = list_first_entry(&profile->rules, in match_component()
96 if (profile->ns == tp->ns) in match_component()
99 /* try matching with namespace name and then profile */ in match_component()
100 ns_name = aa_ns_name(profile->ns, tp->ns, true); in match_component()
109 * @profile: profile to find perms for
123 static int label_compound_match(struct aa_profile *profile, in label_compound_match() argument
128 struct aa_ruleset *rules = list_first_entry(&profile->rules, in label_compound_match()
136 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
138 state = match_component(profile, tp, stack, state); in label_compound_match()
150 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
153 state = match_component(profile, tp, false, state); in label_compound_match()
158 aa_apply_modes_to_perms(profile, perms); in label_compound_match()
171 * @profile: profile to find perms for
185 static int label_components_match(struct aa_profile *profile, in label_components_match() argument
190 struct aa_ruleset *rules = list_first_entry(&profile->rules, in label_components_match()
200 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
202 state = match_component(profile, tp, stack, start); in label_components_match()
213 aa_apply_modes_to_perms(profile, &tmp); in label_components_match()
216 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
218 state = match_component(profile, tp, stack, start); in label_components_match()
222 aa_apply_modes_to_perms(profile, &tmp); in label_components_match()
238 * @profile: profile to match against (NOT NULL)
248 static int label_match(struct aa_profile *profile, struct aa_label *label, in label_match() argument
255 error = label_compound_match(profile, label, stack, state, subns, in label_match()
261 return label_components_match(profile, label, stack, state, subns, in label_match()
269 * @profile: the current profile (NOT NULL)
282 static int change_profile_perms(struct aa_profile *profile, in change_profile_perms() argument
287 if (profile_unconfined(profile)) { in change_profile_perms()
293 /* TODO: add profile in ns screening */ in change_profile_perms()
294 return label_match(profile, target, stack, start, true, request, perms); in change_profile_perms()
298 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
300 * @profile: profile to match against (NOT NULL)
306 struct aa_profile *profile, aa_state_t state) in aa_xattrs_match() argument
311 struct aa_attachment *attach = &profile->attach; in aa_xattrs_match()
371 * @head: profile list to walk (NOT NULL)
390 struct aa_profile *profile, *candidate = NULL; in find_attach() local
397 list_for_each_entry_rcu(profile, head, base.list) { in find_attach()
398 struct aa_attachment *attach = &profile->attach; in find_attach()
400 if (profile->label.flags & FLAG_NULL && in find_attach()
401 &profile->label == ns_unconfined(profile->ns)) in find_attach()
404 /* Find the "best" matching profile. Profiles must in find_attach()
412 * as another profile, signal a conflict and refuse to in find_attach()
435 if (!aa_get_profile_not0(profile)) in find_attach()
438 ret = aa_xattrs_match(bprm, profile, in find_attach()
441 aa_put_profile(profile); in find_attach()
470 candidate = profile; in find_attach()
475 } else if (!strcmp(profile->base.name, name)) { in find_attach()
480 candidate = profile; in find_attach()
487 *info = "conflicting profile attachments"; in find_attach()
506 * @profile: current profile (NOT NULL)
512 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, in x_table_lookup() argument
515 struct aa_ruleset *rules = list_first_entry(&profile->rules, in x_table_lookup()
532 new_profile = aa_find_child(profile, *name); in x_table_lookup()
537 label = aa_label_parse(&profile->label, *name, GFP_KERNEL, in x_table_lookup()
550 * @profile: current profile (NOT NULL)
561 static struct aa_label *x_to_label(struct aa_profile *profile, in x_to_label() argument
567 struct aa_ruleset *rules = list_first_entry(&profile->rules, in x_to_label()
570 struct aa_ns *ns = profile->ns; in x_to_label()
584 new = x_table_lookup(profile, xindex, lookupname); in x_to_label()
592 new = find_attach(bprm, ns, &profile->base.profiles, in x_to_label()
604 /* (p|c|n)ix - don't change profile but do in x_to_label()
608 /* no profile && no error */ in x_to_label()
609 new = aa_get_newest_label(&profile->label); in x_to_label()
611 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
631 struct aa_profile *profile, in profile_transition() argument
636 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_transition()
646 AA_BUG(!profile); in profile_transition()
650 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_transition()
651 &name, &info, profile->disconnected); in profile_transition()
653 if (profile_unconfined(profile) || in profile_transition()
654 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
657 new = aa_get_newest_label(&profile->label); in profile_transition()
663 if (profile_unconfined(profile)) { in profile_transition()
664 new = find_attach(bprm, profile->ns, in profile_transition()
665 &profile->ns->base.profiles, name, &info); in profile_transition()
671 return aa_get_newest_label(&profile->label); in profile_transition()
678 new = x_to_label(profile, bprm, name, perms.xindex, &target, in profile_transition()
680 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
684 info = "profile transition not found"; in profile_transition()
687 if (COMPLAIN_MODE(profile)) { in profile_transition()
688 /* create null profile instead of failing */ in profile_transition()
693 } else if (COMPLAIN_MODE(profile)) { in profile_transition()
696 new_profile = aa_new_learning_profile(profile, false, name, in profile_transition()
700 info = "could not create null profile"; in profile_transition()
716 dbg_printk("apparmor: setting AT_SECURE for %s profile=", in profile_transition()
725 aa_audit_file(subj_cred, profile, &perms, OP_EXEC, MAY_EXEC, name, in profile_transition()
737 struct aa_profile *profile, struct aa_label *onexec, in profile_onexec() argument
742 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_onexec()
749 AA_BUG(!profile); in profile_onexec()
754 if (profile_unconfined(profile)) { in profile_onexec()
764 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_onexec()
765 &xname, &info, profile->disconnected); in profile_onexec()
767 if (profile_unconfined(profile) || in profile_onexec()
768 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
787 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC, in profile_onexec()
805 return aa_audit_file(subj_cred, profile, &perms, OP_EXEC, in profile_onexec()
819 struct aa_profile *profile; in handle_onexec() local
829 error = fn_for_each_in_ns(label, profile, in handle_onexec()
830 profile_onexec(subj_cred, profile, onexec, stack, in handle_onexec()
835 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in handle_onexec()
836 stack ? aa_label_merge(&profile->label, onexec, in handle_onexec()
839 profile_transition(subj_cred, profile, bprm, in handle_onexec()
845 error = fn_for_each_in_ns(label, profile, in handle_onexec()
846 aa_audit_file(subj_cred, profile, &nullperms, in handle_onexec()
867 struct aa_profile *profile; in apparmor_bprm_creds_for_exec() local
909 new = fn_label_build(label, profile, GFP_KERNEL, in apparmor_bprm_creds_for_exec()
910 profile_transition(subj_cred, profile, bprm, in apparmor_bprm_creds_for_exec()
945 /* TODO: test needs to be profile of label to new */ in apparmor_bprm_creds_for_exec()
982 error = fn_for_each(label, profile, in apparmor_bprm_creds_for_exec()
983 aa_audit_file(current_cred(), profile, &nullperms, in apparmor_bprm_creds_for_exec()
992 * Functions for self directed profile change
1001 struct aa_profile *profile, in build_change_hat() argument
1008 if (sibling && PROFILE_IS_HAT(profile)) { in build_change_hat()
1009 root = aa_get_profile_rcu(&profile->parent); in build_change_hat()
1010 } else if (!sibling && !PROFILE_IS_HAT(profile)) { in build_change_hat()
1011 root = aa_get_profile(profile); in build_change_hat()
1021 if (COMPLAIN_MODE(profile)) { in build_change_hat()
1022 hat = aa_new_learning_profile(profile, true, name, in build_change_hat()
1025 info = "failed null profile create"; in build_change_hat()
1033 aa_audit_file(subj_cred, profile, &nullperms, OP_CHANGE_HAT, in build_change_hat()
1054 struct aa_profile *profile, *root, *hat = NULL; in change_hat() local
1071 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1072 if (sibling && PROFILE_IS_HAT(profile)) { in change_hat()
1073 root = aa_get_profile_rcu(&profile->parent); in change_hat()
1074 } else if (!sibling && !PROFILE_IS_HAT(profile)) { in change_hat()
1075 root = aa_get_profile(profile); in change_hat()
1084 if (!COMPLAIN_MODE(profile)) in change_hat()
1107 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1108 if (!list_empty(&profile->base.profiles)) { in change_hat()
1118 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
1126 if (count > 1 || COMPLAIN_MODE(profile)) { in change_hat()
1127 aa_audit_file(subj_cred, profile, &nullperms, in change_hat()
1136 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in change_hat()
1137 build_change_hat(subj_cred, profile, name, in change_hat()
1139 aa_get_label(&profile->label)); in change_hat()
1158 * Change to the first profile specified in @hats that exists, and store
1161 * top level profile.
1163 * change_hat only applies to profiles in the current ns, and each profile
1171 struct aa_profile *profile; in aa_change_hat() local
1255 } /* else ignore @flags && restores when there is no saved profile */ in aa_change_hat()
1270 fn_for_each_in_ns(label, profile, in aa_change_hat()
1271 aa_audit_file(subj_cred, profile, &perms, OP_CHANGE_HAT, in aa_change_hat()
1281 struct aa_profile *profile, in change_profile_perms_wrapper() argument
1285 struct aa_ruleset *rules = list_first_entry(&profile->rules, in change_profile_perms_wrapper()
1291 error = change_profile_perms(profile, target, stack, request, in change_profile_perms_wrapper()
1295 error = aa_audit_file(subj_cred, profile, perms, op, request, in change_profile_perms_wrapper()
1306 * aa_change_profile - perform a one-way profile transition
1307 * @fqname: name of profile may include namespace (NOT NULL)
1310 * Change to new profile @name. Unlike with hats, there is no way
1311 * to change back. If @name isn't specified the current profile name is
1321 struct aa_profile *profile; in aa_change_profile() local
1346 AA_DEBUG("no profile name"); in aa_change_profile()
1364 /* This should move to a per profile test. Requires pushing build in aa_change_profile()
1379 (void) fn_for_each_in_ns(label, profile, in aa_change_profile()
1380 aa_audit_file(subj_cred, profile, &perms, op, in aa_change_profile()
1399 * TODO: fixme using labels_profile is not right - do profile in aa_change_profile()
1400 * per complain profile in aa_change_profile()
1409 info = "failed null profile create"; in aa_change_profile()
1425 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1428 profile, target, stack, in aa_change_profile()
1439 if (error && !fn_for_each_in_ns(label, profile, in aa_change_profile()
1440 COMPLAIN_MODE(profile))) in aa_change_profile()
1455 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in aa_change_profile()
1457 aa_get_label(&profile->label)); in aa_change_profile()
1497 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1499 profile, &perms, op, request, auditname, in aa_change_profile()