security/apparmor/include/perms.h
Source file repositories/reference/linux-study-clean/security/apparmor/include/perms.h
File Facts
- System: Linux kernel
- Corpus path: security/apparmor/include/perms.h
- Extension: .h
- Size: 7039 bytes
- Lines: 220
- Domain: Core OS
- Bucket: Security And Isolation
- Inferred role: Core OS: implementation source
- Status: source implementation candidate
Why This File Exists
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
- linux/fs.h
- label.h
Detected Declarations
- struct aa_perms
- function aa_perms_accum_raw
- function aa_perms_accum
Annotated Snippet
```c
struct aa_perms {
	u32 allow;
	u32 deny;	/* explicit deny, or conflict if allow also set */
	u32 subtree;	/* allow perm on full subtree only when allow is set */
	u32 cond;	/* set only when ~allow and ~deny */
	u32 kill;	/* set only when ~allow | deny */
	u32 complain;	/* accumulates only used when ~allow & ~deny */
	u32 prompt;	/* accumulates only used when ~allow & ~deny */
	u32 audit;	/* set only when allow is set */
	u32 quiet;	/* set only when ~allow | deny */
	u32 hide;	/* set only when ~allow | deny */
	u32 xindex;
	u32 tag;	/* tag string index, if present */
	u32 label;	/* label string index, if present */
};

/*
 * Indexes are broken into a 24 bit index and 8 bit flag.
 * For the index to be valid there must be a value in the flag
 */
#define AA_INDEX_MASK		0x00ffffff
#define AA_INDEX_FLAG_MASK	0xff000000
#define AA_INDEX_NONE		0

#define ALL_PERMS_MASK 0xffffffff

extern struct aa_perms nullperms;
extern struct aa_perms allperms;

/**
 * aa_perms_accum_raw - accumulate perms without masking off overlapping perms
 * @accum: perms struct to accumulate into
 * @addend: perms struct to add to @accum
 */
static inline void aa_perms_accum_raw(struct aa_perms *accum,
				      struct aa_perms *addend)
{
	accum->deny |= addend->deny;
	accum->allow &= addend->allow & ~addend->deny;
	accum->audit |= addend->audit & addend->allow;
	accum->quiet &= addend->quiet & ~addend->allow;
	accum->kill |= addend->kill & ~addend->allow;
	accum->complain |= addend->complain & ~addend->allow & ~addend->deny;
	accum->cond |= addend->cond & ~addend->allow & ~addend->deny;
	accum->hide &= addend->hide & ~addend->allow;
	accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
	accum->subtree |= addend->subtree & ~addend->deny;

	if (!accum->xindex)
		accum->xindex = addend->xindex;
	if (!accum->tag)
		accum->tag = addend->tag;
	if (!accum->label)
		accum->label = addend->label;
}

/**
 * aa_perms_accum - accumulate perms, masking off overlapping perms
 * @accum: perms struct to accumulate into
 * @addend: perms struct to add to @accum
 */
static inline void aa_perms_accum(struct aa_perms *accum,
				  struct aa_perms *addend)
{
	accum->deny |= addend->deny;
	accum->allow &= addend->allow & ~accum->deny;
	accum->audit |= addend->audit & accum->allow;
	accum->quiet &= addend->quiet & ~accum->allow;
	accum->kill |= addend->kill & ~accum->allow;
	accum->complain |= addend->complain & ~accum->allow & ~accum->deny;
	accum->cond |= addend->cond & ~accum->allow & ~accum->deny;
	accum->hide &= addend->hide & ~accum->allow;
	accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
	accum->subtree &= addend->subtree & ~accum->deny;

	if (!accum->xindex)
		accum->xindex = addend->xindex;
	if (!accum->tag)
		accum->tag = addend->tag;
	if (!accum->label)
		accum->label = addend->label;
}

#define xcheck(FN1, FN2)	\
({				\
	int e, error = FN1;	\
```
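To make the difference between the two accumulators concrete, here is an added example (not kernel code and not part of this page's snippet) that mirrors their update rules on a reduced struct and folds two constructed rules through each of them; `struct perms`, `accum_raw`, `accum`, `fold`, `start`, the two rules and the `PERM_*` bits are this example's own names. It shows that the raw variant can record an audit bit for a permission an earlier rule already denied, while the masking variant drops it against the accumulated allow set (and likewise narrows subtree instead of widening it).

```c
#include <stdint.h>

typedef uint32_t u32;

/* Reduced mirror of struct aa_perms: only the fields needed to show how the
 * two accumulators differ (cond/complain/prompt/hide follow the kill/quiet
 * pattern and are omitted here, as are xindex/tag/label). */
struct perms { u32 allow, deny, subtree, kill, audit, quiet; };

/* Same update rules as aa_perms_accum_raw: every mask is taken from the
 * addend alone, so denials accumulated from earlier rules are not consulted. */
static void accum_raw(struct perms *a, const struct perms *d)
{
	a->deny |= d->deny;
	a->allow &= d->allow & ~d->deny;
	a->audit |= d->audit & d->allow;
	a->quiet &= d->quiet & ~d->allow;
	a->kill |= d->kill & ~d->allow;
	a->subtree |= d->subtree & ~d->deny;
}

/* Same update rules as aa_perms_accum: masks come from the accumulated state,
 * so a permission denied by any earlier rule stays out of allow and audit. */
static void accum(struct perms *a, const struct perms *d)
{
	a->deny |= d->deny;
	a->allow &= d->allow & ~a->deny;
	a->audit |= d->audit & a->allow;
	a->quiet &= d->quiet & ~a->allow;
	a->kill |= d->kill & ~a->allow;
	a->subtree &= d->subtree & ~a->deny;
}

#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define ALL        0xffffffffu
/* Constructed fold start: AND-accumulated fields begin at all-ones and
 * OR-accumulated ones at zero (the role allperms plays in the kernel; assumed). */
static const struct perms start = { .allow = ALL, .quiet = ALL, .subtree = ALL };
/* Constructed rules: the first allows read+write but explicitly denies write;
 * the second allows read+write and asks for write accesses to be audited. */
static const struct perms rule1 = { .allow = PERM_READ | PERM_WRITE, .deny = PERM_WRITE };
static const struct perms rule2 = { .allow = PERM_READ | PERM_WRITE, .audit = PERM_WRITE };
/* Fold both rules with the given accumulator and return the combined perms. */
static struct perms fold(void (*step)(struct perms *, const struct perms *))
{
	struct perms p = start;
	step(&p, &rule1);
	step(&p, &rule2);
	return p;
}
```

With these inputs `fold(accum_raw)` ends with `audit == PERM_WRITE` even though write is in `deny` and absent from `allow`, whereas `fold(accum)` ends with `audit == 0`; both end with `allow == PERM_READ` and `deny == PERM_WRITE`.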
Annotation
- Immediate include surface: `linux/fs.h`, `label.h`.
- Detected declarations: `struct aa_perms`, `function aa_perms_accum_raw`, `function aa_perms_accum`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.