security/apparmor/include/label.h
Source file: repositories/reference/linux-study-clean/security/apparmor/include/label.h
File Facts
- System: Linux kernel
- Corpus path: security/apparmor/include/label.h
- Extension: .h
- Size: 13082 bytes
- Lines: 460
- Domain: Core OS
- Bucket: Security And Isolation
- Inferred role: Core OS: implementation source
- Status: source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Uses kernel synchronization; review the lock ordering, sleepability, and interrupt-context assumptions before translating.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
- linux/atomic.h
- linux/audit.h
- linux/rbtree.h
- linux/rcupdate.h
- apparmor.h
- lib.h
Detected Declarations
- struct aa_ns
- struct aa_ruleset
- struct aa_profile
- struct aa_labelset
- struct aa_label
- struct aa_proxy
- struct label_it
- struct aa_label
- struct aa_perms
- struct aa_ruleset
- enum label_flags
- function label_mediates
- function label_mediates_safe
- function aa_put_label
- function __aa_subj_label_is_cached
- function aa_put_proxy
Annotated Snippet
struct aa_labelset {
	rwlock_t lock;
	struct rb_root root;
};

#define __labelset_for_each(LS, N) \
	for ((N) = rb_first(&(LS)->root); (N); (N) = rb_next(N))

enum label_flags {
	FLAG_HAT = 1,			/* profile is a hat */
	FLAG_UNCONFINED = 2,		/* label unconfined only if all */
	FLAG_NULL = 4,			/* profile is null learning profile */
	FLAG_IX_ON_NAME_ERROR = 8,	/* fallback to ix on name lookup fail */
	FLAG_IMMUTIBLE = 0x10,		/* don't allow changes/replacement */
	FLAG_USER_DEFINED = 0x20,	/* user based profile - lower privs */
	FLAG_NO_LIST_REF = 0x40,	/* list doesn't keep profile ref */
	FLAG_NS_COUNT = 0x80,		/* carries NS ref count */
	FLAG_IN_TREE = 0x100,		/* label is in tree */
	FLAG_PROFILE = 0x200,		/* label is a profile */
	FLAG_EXPLICIT = 0x400,		/* explicit static label */
	FLAG_STALE = 0x800,		/* replaced/removed */
	FLAG_RENAMED = 0x1000,		/* label has renaming in it */
	FLAG_REVOKED = 0x2000,		/* label has revocation in it */
	FLAG_DEBUG1 = 0x4000,
	FLAG_DEBUG2 = 0x8000,

	/* These flags must correspond with PATH_flags */
	/* TODO: add new path flags */
};

struct aa_label;

struct aa_proxy {
	struct aa_common_ref count;
	struct aa_label __rcu *label;
};

struct label_it {
	int i, j;
};

/* struct aa_label_base - base info of label
 * @count: ref count of active users
 * @node: rbtree position
 * @rcu: rcu callback struct
 * @proxy: is set to the label that replaced this label
 * @hname: text representation of the label (MAYBE_NULL)
 * @flags: stale and other flags - values may change under label set lock
 * @secid: secid that references this label
 * @size: number of entries in @ent[]
 * @mediates: bitmask for label_mediates
 * profile: label vec when embedded in a profile FLAG_PROFILE is set
 * rules: variable length rules in a profile FLAG_PROFILE is set
 * vec: vector of profiles comprising the compound label
 */
struct aa_label {
	struct aa_common_ref count;
	struct rb_node node;
	struct rcu_head rcu;
	struct aa_proxy *proxy;
	__counted char *hname;
	long flags;
	u32 secid;
	int size;
	u64 mediates;
	union {
		struct {
			/* only used if the label is a profile; size of
			 * rules[] is determined by the profile.
			 * profile[1] is poison or null as guard
			 */
			struct aa_profile *profile[2];
			DECLARE_FLEX_ARRAY(struct aa_ruleset *, rules);
		};
		DECLARE_FLEX_ARRAY(struct aa_profile *, vec);
	};
};

#define last_error(E, FN) \
	do { \
		int __subE = (FN); \
		if (__subE) \
			(E) = __subE; \
	} while (0)

#define label_isprofile(X) ((X)->flags & FLAG_PROFILE)
#define label_unconfined(X) ((X)->flags & FLAG_UNCONFINED)
#define unconfined(X) label_unconfined(X)
#define label_is_stale(X) ((X)->flags & FLAG_STALE)
#define __label_make_stale(X) ((X)->flags |= FLAG_STALE)
Annotation
- Immediate include surface: `linux/atomic.h`, `linux/audit.h`, `linux/rbtree.h`, `linux/rcupdate.h`, `apparmor.h`, `lib.h`.
- Detected declarations: `struct aa_ns`, `struct aa_ruleset`, `struct aa_profile`, `struct aa_labelset`, `struct aa_label`, `struct aa_proxy`, `struct label_it`, `struct aa_label`, `struct aa_perms`, `struct aa_ruleset`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.