security/apparmor/file.c
Source file repositories/reference/linux-study-clean/security/apparmor/file.c
File Facts
- System
- Linux kernel
- Corpus path
security/apparmor/file.c- Extension
.c- Size
- 21067 bytes
- Lines
- 748
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: implementation source
- Status
- source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/tty.hlinux/fdtable.hlinux/file.hlinux/fs.hlinux/mount.hinclude/af_unix.hinclude/apparmor.hinclude/audit.hinclude/cred.hinclude/file.hinclude/match.hinclude/net.hinclude/path.hinclude/policy.hinclude/label.h
Detected Declarations
struct cred_labelfunction Copyrightfunction file_audit_cbfunction aa_audit_filefunction path_namefunction aa_str_permsfunction __aa_path_permfunction profile_path_permfunction aa_path_permfunction xindex_is_subsetfunction profile_path_linkfunction matchfunction update_file_ctxfunction __file_path_permfunction __file_sock_permfunction __file_is_delegatedfunction __is_unix_filefunction __unix_needs_revalidationfunction aa_file_permfunction revalidate_ttyfunction match_filefunction aa_inherit_files
Annotated Snippet
struct cred_label {
const struct cred *cred;
struct aa_label *label;
};
static int match_file(const void *p, struct file *file, unsigned int fd)
{
struct cred_label *cl = (struct cred_label *)p;
if (aa_file_perm(OP_INHERIT, cl->cred, cl->label, file,
aa_map_file_to_perms(file), IN_ATOMIC))
return fd + 1;
return 0;
}
/* based on selinux's flush_unauthorized_files */
void aa_inherit_files(const struct cred *cred, struct files_struct *files)
{
struct aa_label *label = aa_get_newest_cred_label(cred);
struct cred_label cl = {
.cred = cred,
.label = label,
};
struct file *devnull = NULL;
unsigned int n;
revalidate_tty(cred, label);
/* Revalidate access to inherited open files. */
n = iterate_fd(files, 0, match_file, &cl);
if (!n) /* none found? */
goto out;
devnull = dentry_open(&aa_null, O_RDWR, cred);
if (IS_ERR(devnull))
devnull = NULL;
/* replace all the matching ones with this */
do {
replace_fd(n - 1, devnull, 0);
} while ((n = iterate_fd(files, n, match_file, &cl)) != 0);
if (devnull)
fput(devnull);
out:
aa_put_label(label);
}
Annotation
- Immediate include surface: `linux/tty.h`, `linux/fdtable.h`, `linux/file.h`, `linux/fs.h`, `linux/mount.h`, `include/af_unix.h`, `include/apparmor.h`, `include/audit.h`.
- Detected declarations: `struct cred_label`, `function Copyright`, `function file_audit_cb`, `function aa_audit_file`, `function path_name`, `function aa_str_perms`, `function __aa_path_perm`, `function profile_path_perm`, `function aa_path_perm`, `function xindex_is_subset`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.