security/apparmor/include/policy.h
Source file: repositories/reference/linux-study-clean/security/apparmor/include/policy.h
File Facts
- System: Linux kernel
- Corpus path: security/apparmor/include/policy.h
- Extension: .h
- Size: 12792 bytes
- Lines: 451
- Domain: Core OS
- Bucket: Security And Isolation
- Inferred role: Core OS: implementation source
- Status: source implementation candidate
Why This File Exists
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt-context assumptions before translating.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
- `linux/capability.h`
- `linux/cred.h`
- `linux/kref.h`
- `linux/rhashtable.h`
- `linux/sched.h`
- `linux/slab.h`
- `linux/socket.h`
- `apparmor.h`
- `audit.h`
- `capability.h`
- `domain.h`
- `file.h`
- `lib.h`
- `label.h`
- `net.h`
- `perms.h`
- `resource.h`
Detected Declarations
- `struct aa_ns`
- `struct aa_tags_header`
- `struct aa_tags_struct`
- `struct aa_policydb`
- `struct aa_data`
- `struct aa_ruleset`
- `struct aa_attachment`
- `struct aa_profile`
- `enum dfa_accept_flags`
- `enum profile_mode`
- function `aa_put_pdb`
- function `profile`
- function `RULE_MEDIATES`
- function `RULE_MEDIATES_v9NET`
- function `RULE_MEDIATES_NET`
- function `profile_mediates`
- function `profile_mediates_safe`
- function `aa_put_profile`
- function `AUDIT_MODE`
Annotated Snippet

```c
struct aa_tags_header {
	u32 mask;	/* bit mask matching permissions */
	u32 count;	/* number of strings per entry */
	u32 size;	/* size of all strings covered by count */
	u32 tags;	/* index into string table */
};

struct aa_tags_struct {
	struct {
		u32 size;	/* number of entries in tagsets */
		u32 *table;	/* indexes into headers & strs */
	} sets;
	struct {
		u32 size;	/* number of headers == num of strs */
		struct aa_tags_header *table;
	} hdrs;
	struct aa_str_table strs;
};

/* struct aa_policydb - match engine for a policy
 * @count: refcount for the pdb
 * @dfa: dfa pattern match
 * @perms: table of permissions
 * @size: number of entries in @perms
 * @trans: table of strings, index by x
 * @tags: table of tags that perms->tag indexes
 * @start: states to start in for each class
 * start: set of start states for the different classes of data
 */
struct aa_policydb {
	struct kref count;
	struct aa_dfa *dfa;
	struct {
		struct aa_perms *perms;
		u32 size;
	};
	struct aa_str_table trans;
	struct aa_tags_struct tags;
	aa_state_t start[AA_CLASS_LAST + 1];
};

extern struct aa_policydb *nullpdb;

void aa_destroy_tags(struct aa_tags_struct *tags);
struct aa_policydb *aa_alloc_pdb(gfp_t gfp);
void aa_pdb_free_kref(struct kref *kref);

/**
 * aa_get_pdb - increment refcount on @pdb
 * @pdb: policydb (MAYBE NULL)
 *
 * Returns: pointer to @pdb, or NULL if @pdb is NULL
 * Requires: @pdb must be held with valid refcount when called
 */
static inline struct aa_policydb *aa_get_pdb(struct aa_policydb *pdb)
{
	if (pdb)
		kref_get(&(pdb->count));

	return pdb;
}

/**
 * aa_put_pdb - put a pdb refcount
 * @pdb: pdb to put refcount (MAYBE NULL)
 *
 * Requires: if @pdb != NULL that a valid refcount be held
 */
static inline void aa_put_pdb(struct aa_policydb *pdb)
{
	if (pdb)
		kref_put(&pdb->count, aa_pdb_free_kref);
}

/* lookup perm that doesn't have an object conditional */
static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
					       aa_state_t state)
{
	unsigned int index = ACCEPT_TABLE(policy->dfa)[state];

	if (!(policy->perms))
		return &default_perms;

	return &(policy->perms[index]);
}

/* struct aa_data - generic data structure
 * key: name for retrieving this data
 * size: size of data in bytes
 * data: binary data
```
Annotation
- Immediate include surface: `linux/capability.h`, `linux/cred.h`, `linux/kref.h`, `linux/rhashtable.h`, `linux/sched.h`, `linux/slab.h`, `linux/socket.h`, `apparmor.h`.
- Detected declarations: `struct aa_ns`, `struct aa_tags_header`, `struct aa_tags_struct`, `struct aa_policydb`, `struct aa_data`, `struct aa_ruleset`, `struct aa_attachment`, `struct aa_profile`, `enum dfa_accept_flags`, `enum profile_mode`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.