security/apparmor/include/perms.h

/*
 * struct aa_perms - permission bitmasks as combined by the
 * aa_perms_accum*() helpers further down in this header.
 *
 * The mask fields are u32 bitmasks; the per-field comments record which
 * other fields a bit may coexist with.  Both accumulators below only ever
 * widen @deny (|=) and narrow @allow (&= ... & ~deny), so combining two
 * sets never allows more than either input did.  xindex, tag and label
 * are indexes rather than masks; 0 (AA_INDEX_NONE) means "not present"
 * and accumulation keeps the first non-zero value seen.
 */
struct aa_perms {
	u32 allow;	/* granted perms; only ever narrowed by accumulation */
	u32 deny;	/* explicit deny, or conflict if allow also set */

	u32 subtree;	/* allow perm on full subtree only when allow is set */
	u32 cond;	/* set only when ~allow and ~deny */

	u32 kill;	/* set only when ~allow | deny */
	u32 complain;	/* accumulates only used when ~allow & ~deny */
	u32 prompt;	/* accumulates only used when ~allow & ~deny */

	u32 audit;	/* set only when allow is set */
	u32 quiet;	/* set only when ~allow | deny */
	u32 hide;	/* set only when  ~allow | deny */


	u32 xindex;	/* 24-bit index + 8-bit flag, see AA_INDEX_*MASK below */
	u32 tag;	/* tag string index, if present */
	u32 label;	/* label string index, if present */
};

/*
 * Indexes are broken into a 24 bit index and 8 bit flag.
 * For the index to be valid there must be a value in the flag
 */
#define AA_INDEX_MASK			0x00ffffff	/* low 24 bits: the index proper */
#define AA_INDEX_FLAG_MASK		0xff000000	/* high 8 bits: non-zero marks the index valid */
#define AA_INDEX_NONE			0	/* no index; the !xindex tests in aa_perms_accum*() rely on this being 0 */

/* every bit of a u32 perm mask set */
#define ALL_PERMS_MASK 0xffffffff
/*
 * Canonical perm sets, defined in a .c file outside this header.
 * Presumably nullperms is all-zero and allperms carries ALL_PERMS_MASK in
 * its mask fields -- confirm against the defining translation unit.
 */
extern struct aa_perms nullperms;
extern struct aa_perms allperms;

/**
 * aa_perms_accum_raw - accumulate perms with out masking off overlapping perms
 * @accum: perms struct to accumulate into
 * @addend: perms struct to add to @accum
 *
 * "Raw" means every field is masked against @addend's own allow/deny bits,
 * not against the accumulated @accum values (contrast aa_perms_accum()).
 * The combination is conservative: @deny is unioned while @allow is
 * intersected and additionally cleared wherever @addend denies, so the
 * result never allows more than either input.  Most flag fields are only
 * taken where @addend does not allow; audit is the exception and is only
 * taken where @addend allows.  subtree is OR'd here but AND'd in
 * aa_perms_accum().  xindex, tag and label are copied from @addend only if
 * @accum does not yet have one (first non-zero wins).
 */
static inline void aa_perms_accum_raw(struct aa_perms *accum,
				      struct aa_perms *addend)
{
	accum->deny |= addend->deny;				/* deny only grows */
	accum->allow &= addend->allow & ~addend->deny;		/* allow only shrinks; addend's deny wins */
	accum->audit |= addend->audit & addend->allow;		/* audit bits need addend to allow */
	accum->quiet &= addend->quiet & ~addend->allow;
	accum->kill |= addend->kill & ~addend->allow;
	accum->complain |= addend->complain & ~addend->allow & ~addend->deny;
	accum->cond |= addend->cond & ~addend->allow & ~addend->deny;
	accum->hide &= addend->hide & ~addend->allow;
	accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
	accum->subtree |= addend->subtree & ~addend->deny;	/* OR here, AND in aa_perms_accum() */

	/* indexes: keep whatever was set first (0 == AA_INDEX_NONE) */
	if (!accum->xindex)
		accum->xindex = addend->xindex;
	if (!accum->tag)
		accum->tag = addend->tag;
	if (!accum->label)
		accum->label = addend->label;
}

/**
 * aa_perms_accum - accumulate perms, masking off overlapping perms
 * @accum: perms struct to accumulate into
 * @addend: perms struct to add to @accum
 *
 * Unlike aa_perms_accum_raw(), each field is masked against the already
 * updated @accum->deny and @accum->allow, so bits from @addend are dropped
 * wherever the accumulated set as a whole (not just @addend) denies them.
 * The first two statements must stay first: every later line reads the
 * @accum->deny / @accum->allow they produce.  @deny is unioned and @allow
 * intersected, so the accumulated allow set can only shrink.  Most flag
 * fields are taken only where @accum does not allow; audit is the
 * exception and is taken only where @accum allows.  subtree is AND'd here
 * (OR'd in the raw variant).  xindex, tag and label keep the first
 * non-zero value seen.
 */
static inline void aa_perms_accum(struct aa_perms *accum,
				  struct aa_perms *addend)
{
	accum->deny |= addend->deny;				/* must precede the reads of accum->deny below */
	accum->allow &= addend->allow & ~accum->deny;		/* must precede the reads of accum->allow below */
	accum->audit |= addend->audit & accum->allow;		/* audit bits need the accumulated allow */
	accum->quiet &= addend->quiet & ~accum->allow;
	accum->kill |= addend->kill & ~accum->allow;
	accum->complain |= addend->complain & ~accum->allow & ~accum->deny;
	accum->cond |= addend->cond & ~accum->allow & ~accum->deny;
	accum->hide &= addend->hide & ~accum->allow;
	accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
	accum->subtree &= addend->subtree & ~accum->deny;	/* AND here, OR in aa_perms_accum_raw() */

	/* indexes: keep whatever was set first (0 == AA_INDEX_NONE) */
	if (!accum->xindex)
		accum->xindex = addend->xindex;
	if (!accum->tag)
		accum->tag = addend->tag;
	if (!accum->label)
		accum->label = addend->label;
}

#define xcheck(FN1, FN2)	\
({				\
	int e, error = FN1;	\
