* @label: label to check access permissions for
* @stack: whether this is a stacking request
* @state: state to start match in
- * @subns: whether to do permission checks on components in a subns
+ * @inview: whether to match labels in view or only in scope
* @request: permissions to request
* @perms: perms struct to set
*
*/
static int label_compound_match(struct aa_profile *profile,
struct aa_label *label, bool stack,
- aa_state_t state, bool subns, u32 request,
+ aa_state_t state, bool inview, u32 request,
struct aa_perms *perms)
{
struct aa_ruleset *rules = profile->label.rules[0];
struct label_it i;
struct path_cond cond = { };
- /* find first subcomponent that is visible */
+ /* find first subcomponent that is in view and going to be interated with */
label_for_each(i, label, tp) {
- if (!aa_ns_visible(profile->ns, tp->ns, subns))
+ if (!aa_ns_visible(profile->ns, tp->ns, inview))
continue;
state = match_component(profile, tp, stack, state);
if (!state)
next:
label_for_each_cont(i, label, tp) {
- if (!aa_ns_visible(profile->ns, tp->ns, subns))
+ if (!aa_ns_visible(profile->ns, tp->ns, inview))
continue;
state = aa_dfa_match(rules->file->dfa, state, "//&");
state = match_component(profile, tp, false, state);
* @label: label to check access permissions for
* @stack: whether this is a stacking request
* @start: state to start match in
- * @subns: whether to do permission checks on components in a subns
+ * @inview: whether to match labels in view or only in scope
* @request: permissions to request
* @perms: an initialized perms struct to add accumulation to
*
*/
static int label_components_match(struct aa_profile *profile,
struct aa_label *label, bool stack,
- aa_state_t start, bool subns, u32 request,
+ aa_state_t start, bool inview, u32 request,
struct aa_perms *perms)
{
struct aa_ruleset *rules = profile->label.rules[0];
/* find first subcomponent to test */
label_for_each(i, label, tp) {
- if (!aa_ns_visible(profile->ns, tp->ns, subns))
+ if (!aa_ns_visible(profile->ns, tp->ns, inview))
continue;
state = match_component(profile, tp, stack, start);
if (!state)
aa_apply_modes_to_perms(profile, &tmp);
aa_perms_accum(perms, &tmp);
label_for_each_cont(i, label, tp) {
- if (!aa_ns_visible(profile->ns, tp->ns, subns))
+ if (!aa_ns_visible(profile->ns, tp->ns, inview))
continue;
state = match_component(profile, tp, stack, start);
if (!state)
* @label: label to match (NOT NULL)
* @stack: whether this is a stacking request
* @state: state to start in
- * @subns: whether to match subns components
+ * @inview: whether to match labels in view or only in scope
* @request: permission request
* @perms: Returns computed perms (NOT NULL)
*
* Returns: the state the match finished in, may be the none matching state
*/
static int label_match(struct aa_profile *profile, struct aa_label *label,
- bool stack, aa_state_t state, bool subns, u32 request,
+ bool stack, aa_state_t state, bool inview, u32 request,
struct aa_perms *perms)
{
int error;
*perms = nullperms;
- error = label_compound_match(profile, label, stack, state, subns,
+ error = label_compound_match(profile, label, stack, state, inview,
request, perms);
if (!error)
return error;
*perms = allperms;
- return label_components_match(profile, label, stack, state, subns,
+ return label_components_match(profile, label, stack, state, inview,
request, perms);
}
AA_BUG(!bprm);
AA_BUG(!buffer);
- /* TODO: determine how much we want to loosen this */
- error = fn_for_each_in_ns(label, profile,
+ /* TODO: determine how much we want to loosen this
+ * only check profiles in scope for permission to change at exec
+ */
+ error = fn_for_each_in_scope(label, profile,
profile_onexec(subj_cred, profile, onexec, stack,
bprm, buffer, cond, unsafe));
if (error)
return ERR_PTR(error);
- new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
+ new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
stack ? aa_label_merge(&profile->label, onexec,
GFP_KERNEL)
: aa_get_newest_label(onexec),
return new;
/* TODO: get rid of GLOBAL_ROOT_UID */
- error = fn_for_each_in_ns(label, profile,
+ error = fn_for_each_in_scope(label, profile,
aa_audit_file(subj_cred, profile, &nullperms,
OP_CHANGE_ONEXEC,
AA_MAY_ONEXEC, bprm->filename, NULL,
/*find first matching hat */
for (i = 0; i < count && !hat; i++) {
name = hats[i];
- label_for_each_in_ns(it, labels_ns(label), label, profile) {
+ label_for_each_in_scope(it, labels_ns(label), label, profile) {
if (sibling && PROFILE_IS_HAT(profile)) {
root = aa_get_profile_rcu(&profile->parent);
} else if (!sibling && !PROFILE_IS_HAT(profile)) {
* change_hat.
*/
name = NULL;
- label_for_each_in_ns(it, labels_ns(label), label, profile) {
+ label_for_each_in_scope(it, labels_ns(label), label, profile) {
if (!list_empty(&profile->base.profiles)) {
info = "hat not found";
error = -ENOENT;
error = -ECHILD;
fail:
- label_for_each_in_ns(it, labels_ns(label), label, profile) {
+ label_for_each_in_scope(it, labels_ns(label), label, profile) {
/*
* no target as it has failed to be found or built
*
return ERR_PTR(error);
build:
- new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
+ new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
build_change_hat(subj_cred, profile, name,
sibling),
aa_get_label(&profile->label));
bool empty = true;
rcu_read_lock();
- label_for_each_in_ns(i, labels_ns(label), label, profile) {
+ label_for_each_in_scope(i, labels_ns(label), label, profile) {
empty &= list_empty(&profile->base.profiles);
}
rcu_read_unlock();
perms.kill = AA_MAY_CHANGEHAT;
fail:
- fn_for_each_in_ns(label, profile,
+ fn_for_each_in_scope(label, profile,
aa_audit_file(subj_cred, profile, &perms, OP_CHANGE_HAT,
AA_MAY_CHANGEHAT, NULL, NULL, target,
GLOBAL_ROOT_UID, info, error));
*/
stack = true;
perms.audit = request;
- (void) fn_for_each_in_ns(label, profile,
+ (void) fn_for_each_in_scope(label, profile,
aa_audit_file(subj_cred, profile, &perms, op,
request, auditname, NULL, target,
GLOBAL_ROOT_UID, stack_msg, 0));
*
* if (!stack) {
*/
- error = fn_for_each_in_ns(label, profile,
+ error = fn_for_each_in_scope(label, profile,
change_profile_perms_wrapper(op, auditname,
subj_cred,
profile, target, stack,
check:
/* check if tracing task is allowed to trace target domain */
error = may_change_ptraced_domain(subj_cred, target, &info);
- if (error && !fn_for_each_in_ns(label, profile,
+ if (error && !fn_for_each_in_scope(label, profile,
COMPLAIN_MODE(profile)))
goto audit;
/* stacking is always a subset, so only check the nonstack case */
if (!stack) {
- new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
+ new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
aa_get_label(target),
aa_get_label(&profile->label));
/*
}
audit:
- error = fn_for_each_in_ns(label, profile,
+ error = fn_for_each_in_scope(label, profile,
aa_audit_file(subj_cred,
profile, &perms, op, request, auditname,
NULL, new ? new : target,
* @rules: ruleset to search
* @label: label to check access permissions for
* @state: state to start match in
- * @subns: whether to do permission checks on components in a subns
+ * @inview: whether to match labels in view or only in scope
* @request: permissions to request
* @perms: perms struct to set
*
static int label_compound_match(struct aa_profile *profile,
struct aa_ruleset *rules,
struct aa_label *label,
- aa_state_t state, bool subns, u32 request,
+ aa_state_t state, bool inview, u32 request,
struct aa_perms *perms)
{
struct aa_profile *tp;
/* find first subcomponent that is visible */
label_for_each(i, label, tp) {
- if (!aa_ns_visible(profile->ns, tp->ns, subns))
+ if (!aa_ns_visible(profile->ns, tp->ns, inview))
continue;
state = match_component(profile, rules, tp, state);
if (!state)
next:
label_for_each_cont(i, label, tp) {
- if (!aa_ns_visible(profile->ns, tp->ns, subns))
+ if (!aa_ns_visible(profile->ns, tp->ns, inview))
continue;
state = aa_dfa_match(rules->policy->dfa, state, "//&");
state = match_component(profile, rules, tp, state);
* @rules: ruleset to search
* @label: label to check access permissions for
* @start: state to start match in
- * @subns: whether to do permission checks on components in a subns
+ * @subns: whether to match labels in view or only in scope
* @request: permissions to request
* @perms: an initialized perms struct to add accumulation to
*
static int label_components_match(struct aa_profile *profile,
struct aa_ruleset *rules,
struct aa_label *label, aa_state_t start,
- bool subns, u32 request,
+ bool inview, u32 request,
struct aa_perms *perms)
{
struct aa_profile *tp;
/* find first subcomponent to test */
label_for_each(i, label, tp) {
- if (!aa_ns_visible(profile->ns, tp->ns, subns))
+ if (!aa_ns_visible(profile->ns, tp->ns, inview))
continue;
state = match_component(profile, rules, tp, start);
if (!state)
tmp = *aa_lookup_perms(rules->policy, state);
aa_perms_accum(perms, &tmp);
label_for_each_cont(i, label, tp) {
- if (!aa_ns_visible(profile->ns, tp->ns, subns))
+ if (!aa_ns_visible(profile->ns, tp->ns, inview))
continue;
state = match_component(profile, rules, tp, start);
if (!state)
* @rules: ruleset to search
* @label: label to match (NOT NULL)
* @state: state to start in
- * @subns: whether to match subns components
+ * @subns: whether to match labels in view or only in scope
* @request: permission request
* @perms: Returns computed perms (NOT NULL)
*
* Returns: the state the match finished in, may be the none matching state
*/
int aa_label_match(struct aa_profile *profile, struct aa_ruleset *rules,
- struct aa_label *label, aa_state_t state, bool subns,
+ struct aa_label *label, aa_state_t state, bool inview,
u32 request, struct aa_perms *perms)
{
- aa_state_t tmp = label_compound_match(profile, rules, label, state, subns,
- request, perms);
+ aa_state_t tmp = label_compound_match(profile, rules, label, state,
+ inview, request, perms);
if ((perms->allow & request) == request)
return 0;
/* failed compound_match try component matches */
*perms = allperms;
- return label_components_match(profile, rules, label, state, subns,
+ return label_components_match(profile, rules, label, state, inview,
request, perms);
}
projects / thirdparty / linux.git / commitdiff
