security/apparmor/include/label.h

Source file repositories/reference/linux-study-clean/security/apparmor/include/label.h

File Facts

System
Linux kernel
Corpus path
security/apparmor/include/label.h
Extension
.h
Size
13082 bytes
Lines
460
Domain
Core OS
Bucket
Security And Isolation
Inferred role
Core OS: implementation source
Status
source implementation candidate

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

struct aa_labelset {
	rwlock_t lock;

	struct rb_root root;
};

#define __labelset_for_each(LS, N) \
	for ((N) = rb_first(&(LS)->root); (N); (N) = rb_next(N))

enum label_flags {
	FLAG_HAT = 1,			/* profile is a hat */
	FLAG_UNCONFINED = 2,		/* label unconfined only if all */
	FLAG_NULL = 4,			/* profile is null learning profile */
	FLAG_IX_ON_NAME_ERROR = 8,	/* fallback to ix on name lookup fail */
	FLAG_IMMUTIBLE = 0x10,		/* don't allow changes/replacement */
	FLAG_USER_DEFINED = 0x20,	/* user based profile - lower privs */
	FLAG_NO_LIST_REF = 0x40,	/* list doesn't keep profile ref */
	FLAG_NS_COUNT = 0x80,		/* carries NS ref count */
	FLAG_IN_TREE = 0x100,		/* label is in tree */
	FLAG_PROFILE = 0x200,		/* label is a profile */
	FLAG_EXPLICIT = 0x400,		/* explicit static label */
	FLAG_STALE = 0x800,		/* replaced/removed */
	FLAG_RENAMED = 0x1000,		/* label has renaming in it */
	FLAG_REVOKED = 0x2000,		/* label has revocation in it */
	FLAG_DEBUG1 = 0x4000,
	FLAG_DEBUG2 = 0x8000,

	/* These flags must correspond with PATH_flags */
	/* TODO: add new path flags */
};

struct aa_label;
struct aa_proxy {
	struct aa_common_ref count;
	struct aa_label __rcu *label;
};

struct label_it {
	int i, j;
};

/* struct aa_label_base - base info of label
 * @count: ref count of active users
 * @node: rbtree position
 * @rcu: rcu callback struct
 * @proxy: is set to the label that replaced this label
 * @hname: text representation of the label (MAYBE_NULL)
 * @flags: stale and other flags - values may change under label set lock
 * @secid: secid that references this label
 * @size: number of entries in @ent[]
 * @mediates: bitmask for label_mediates
 * profile: label vec when embedded in a profile FLAG_PROFILE is set
 * rules: variable length rules in a profile FLAG_PROFILE is set
 * vec: vector of profiles comprising the compound label
 */
struct aa_label {
	struct aa_common_ref count;
	struct rb_node node;
	struct rcu_head rcu;
	struct aa_proxy *proxy;
	__counted char *hname;
	long flags;
	u32 secid;
	int size;
	u64 mediates;
	union {
		struct {
			/* only used is the label is a profile, size of
			 * rules[] is determined by the profile
			 * profile[1] is poison or null as guard
			 */
			struct aa_profile *profile[2];
			DECLARE_FLEX_ARRAY(struct aa_ruleset *, rules);
		};
		DECLARE_FLEX_ARRAY(struct aa_profile *, vec);
	};
};

#define last_error(E, FN)				\
do {							\
	int __subE = (FN);				\
	if (__subE)					\
		(E) = __subE;				\
} while (0)

#define label_isprofile(X) ((X)->flags & FLAG_PROFILE)
#define label_unconfined(X) ((X)->flags & FLAG_UNCONFINED)
#define unconfined(X) label_unconfined(X)
#define label_is_stale(X) ((X)->flags & FLAG_STALE)
#define __label_make_stale(X) ((X)->flags |= FLAG_STALE)

Annotation

Implementation Notes