security/apparmor/ipc.c
Source file repositories/reference/linux-study-clean/security/apparmor/ipc.c
File Facts
- System
- Linux kernel
- Corpus path
security/apparmor/ipc.c- Extension
.c- Size
- 3157 bytes
- Lines
- 117
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: implementation source
- Status
- source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/gfp.hinclude/audit.hinclude/capability.hinclude/cred.hinclude/policy.hinclude/ipc.hinclude/sig_names.h
Detected Declarations
function Copyrightfunction audit_signal_cbfunction profile_signal_permfunction aa_may_signal
Annotated Snippet
if (ad->denied & AA_SIGNAL_PERM_MASK) {
audit_log_format(ab, " denied_mask=\"%s\"",
audit_signal_mask(ad->denied));
}
}
if (ad->signal == SIGUNKNOWN)
audit_log_format(ab, "signal=unknown(%d)",
ad->unmappedsig);
else if (ad->signal < MAXMAPPED_SIGNAME)
audit_log_format(ab, " signal=%s", sig_names[ad->signal]);
else
audit_log_format(ab, " signal=rtmin+%d",
ad->signal - SIGRT_BASE);
audit_log_format(ab, " peer=");
aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
FLAGS_NONE, GFP_ATOMIC);
}
static int profile_signal_perm(const struct cred *cred,
struct aa_profile *profile,
struct aa_label *peer, u32 request,
struct apparmor_audit_data *ad)
{
struct aa_ruleset *rules = profile->label.rules[0];
struct aa_perms perms;
aa_state_t state;
if (profile_unconfined(profile))
return 0;
ad->subj_cred = cred;
ad->peer = peer;
/* TODO: secondary cache check <profile, profile, perm> */
state = RULE_MEDIATES(rules, AA_CLASS_SIGNAL);
if (!state)
return 0;
state = aa_dfa_next(rules->policy->dfa, state, ad->signal);
aa_label_match(profile, rules, peer, state, false, request, &perms);
aa_apply_modes_to_perms(profile, &perms);
return aa_check_perms(profile, &perms, request, ad, audit_signal_cb);
}
int aa_may_signal(const struct cred *subj_cred, struct aa_label *sender,
const struct cred *target_cred, struct aa_label *target,
int sig)
{
struct aa_profile *profile;
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL);
ad.signal = map_signal_num(sig);
ad.unmappedsig = sig;
return xcheck_labels(sender, target, profile,
profile_signal_perm(subj_cred, profile, target,
MAY_WRITE, &ad),
profile_signal_perm(target_cred, profile, sender,
MAY_READ, &ad));
}
Annotation
- Immediate include surface: `linux/gfp.h`, `include/audit.h`, `include/capability.h`, `include/cred.h`, `include/policy.h`, `include/ipc.h`, `include/sig_names.h`.
- Detected declarations: `function Copyright`, `function audit_signal_cb`, `function profile_signal_perm`, `function aa_may_signal`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.