security/apparmor/match.c
Source file repositories/reference/linux-study-clean/security/apparmor/match.c
File Facts
- System: Linux kernel
- Corpus path: security/apparmor/match.c
- Extension: .c
- Size: 21346 bytes
- Lines: 829
- Domain: Core OS
- Bucket: Security And Isolation
- Inferred role: Core OS: implementation source
- Status: source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
`linux/errno.h`, `linux/kernel.h`, `linux/mm.h`, `linux/slab.h`, `linux/vmalloc.h`, `linux/err.h`, `linux/kref.h`, `linux/unaligned.h`, `include/lib.h`, `include/match.h`
Detected Declarations
`function Copyright`, `function verify_table_headers`, `function verify_dfa`, `function dfa_free`, `function aa_dfa_free_kref`, `function aa_dfa_match_len`, `function aa_dfa_match`, `function aa_dfa_next`, `function aa_dfa_outofband_transition`, `function aa_dfa_match_until`, `function aa_dfa_matchn_until`, `function is_loop`, `function leftmatch_fb`, `function aa_dfa_leftmatch`
Annotated Snippet
```c
		if (DEFAULT_TABLE(dfa)[i] >= state_count) {
			pr_err("AppArmor DFA default state out of bounds");
			goto out;
		}
		if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {
			pr_err("AppArmor DFA state with invalid match flags");
			goto out;
		}
		if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE)) {
			if (!(dfa->flags & YYTH_FLAG_DIFF_ENCODE)) {
				pr_err("AppArmor DFA diff encoded transition state without header flag");
				goto out;
			}
		}
		if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_OOB_TRANSITION)) {
			if (base_idx(BASE_TABLE(dfa)[i]) < dfa->max_oob) {
				pr_err("AppArmor DFA out of bad transition out of range");
				goto out;
			}
			if (!(dfa->flags & YYTH_FLAG_OOB_TRANS)) {
				pr_err("AppArmor DFA out of bad transition state without header flag");
				goto out;
			}
		}
		if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
			pr_err("AppArmor DFA next/check upper bounds error\n");
			goto out;
		}
	}

	for (i = 0; i < trans_count; i++) {
		if (NEXT_TABLE(dfa)[i] >= state_count)
			goto out;
		if (CHECK_TABLE(dfa)[i] >= state_count)
			goto out;
	}

	/* Now that all the other tables are verified, verify diffencoding */
	for (i = 0; i < state_count; i++) {
		size_t j, k;

		for (j = i;
		     ((BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) &&
		      !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE_VERIFIED));
		     j = k) {
			if (BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE)
				/* loop in current chain */
				goto out;
			k = DEFAULT_TABLE(dfa)[j];
			if (j == k)
				/* self loop */
				goto out;
			BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE;
		}
		/* move mark to verified */
		for (j = i;
		     (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE);
		     j = k) {
			k = DEFAULT_TABLE(dfa)[j];
			if (j < i)
				/* jumps to state/chain that has been
				 * verified
				 */
				break;
			BASE_TABLE(dfa)[j] &= ~MARK_DIFF_ENCODE;
			BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE_VERIFIED;
		}
	}
	error = 0;

out:
	return error;
}

/**
 * dfa_free - free a dfa allocated by aa_dfa_unpack
 * @dfa: the dfa to free (MAYBE NULL)
 *
 * Requires: reference count to dfa == 0
 */
static void dfa_free(struct aa_dfa *dfa)
{
	if (dfa) {
		int i;

		for (i = 0; i < ARRAY_SIZE(dfa->tables); i++) {
			kvfree(dfa->tables[i]);
			dfa->tables[i] = NULL;
		}
		kfree(dfa);
```
Annotation
- Immediate include surface: `linux/errno.h`, `linux/kernel.h`, `linux/mm.h`, `linux/slab.h`, `linux/vmalloc.h`, `linux/err.h`, `linux/kref.h`, `linux/unaligned.h`.
- Detected declarations: `function Copyright`, `function verify_table_headers`, `function verify_dfa`, `function dfa_free`, `function aa_dfa_free_kref`, `function aa_dfa_match_len`, `function aa_dfa_match`, `function aa_dfa_next`, `function aa_dfa_outofband_transition`, `function aa_dfa_match_until`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.