security/apparmor/af_unix.c

Source file repositories/reference/linux-study-clean/security/apparmor/af_unix.c

File Facts

System
Linux kernel
Corpus path
security/apparmor/af_unix.c
Extension
.c
Size
21297 bytes
Lines
800
Domain
Core OS
Bucket
Security And Isolation
Inferred role
Core OS: implementation source
Status
source implementation candidate

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

if (state) {
			/* todo: local label matching */
			state = aa_dfa_null_transition(policy->dfa, state);
			if (!state)
				*info = "failed local label match";
		} else {
			*info = "failed local address match";
		}
	}

	return state;
}

struct sockaddr_un *aa_sunaddr(const struct unix_sock *u, int *addrlen)
{
	struct unix_address *addr;

	/* memory barrier is sufficient see note in net/unix/af_unix.c */
	addr = smp_load_acquire(&u->addr);
	if (addr) {
		*addrlen = addr->len;
		return addr->name;
	}
	*addrlen = 0;
	return NULL;
}

static aa_state_t match_to_sk(struct aa_policydb *policy,
			      aa_state_t state, u32 request,
			      struct unix_sock *u, struct aa_perms **p,
			      const char **info)
{
	int addrlen;
	struct sockaddr_un *addr = aa_sunaddr(u, &addrlen);

	return match_to_local(policy, state, request, u->sk.sk_type,
			      u->sk.sk_protocol, addr, addrlen, p, info);
}

#define CMD_ADDR	1
#define CMD_LISTEN	2
#define CMD_OPT		4

static aa_state_t match_to_cmd(struct aa_policydb *policy, aa_state_t state,
			       u32 request, struct unix_sock *u,
			       char cmd, struct aa_perms **p,
			       const char **info)
{
	AA_BUG(!p);

	state = match_to_sk(policy, state, request, u, p, info);
	if (state && !*p) {
		state = aa_dfa_match_len(policy->dfa, state, &cmd, 1);
		if (!state)
			*info = "failed cmd selection match";
	}

	return state;
}

static aa_state_t match_to_peer(struct aa_policydb *policy, aa_state_t state,
				u32 request, struct unix_sock *u,
				struct sockaddr_un *peer_addr, int peer_addrlen,
				struct aa_perms **p, const char **info)
{
	AA_BUG(!p);

	state = match_to_cmd(policy, state, request, u, CMD_ADDR, p, info);
	if (state && !*p) {
		state = match_addr(policy->dfa, state, peer_addr, peer_addrlen);
		if (!state)
			*info = "failed peer address match";
	}

	return state;
}

static aa_state_t match_label(struct aa_profile *profile,
			      struct aa_ruleset *rule, aa_state_t state,
			      u32 request, struct aa_profile *peer,
			      struct aa_perms *p,
			      struct apparmor_audit_data *ad)
{
	AA_BUG(!profile);
	AA_BUG(!peer);

	ad->peer = &peer->label;

	if (state && !p) {
		state = aa_dfa_match(rule->policy->dfa, state,

Annotation

Implementation Notes