security/apparmor/net.c
Source file repositories/reference/linux-study-clean/security/apparmor/net.c
File Facts
- System: Linux kernel
- Corpus path: security/apparmor/net.c
- Extension: .c
- Size: 9936 bytes
- Lines: 406
- Domain: Core OS
- Bucket: Security And Isolation
- Inferred role: Core OS: implementation source
- Status: source implementation candidate
Why This File Exists
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
- include/af_unix.h
- include/apparmor.h
- include/audit.h
- include/cred.h
- include/label.h
- include/net.h
- include/policy.h
- include/secid.h
- net_names.h
Detected Declarations
- function audit_unix_addr
- function audit_unix_sk_addr
- function audit_net_cb
- function aa_do_perms
- function aa_dfa_match_be16
- function aa_match_to_prot
- function aa_profile_af_perm
- function aa_af_perm
- function aa_label_sk_perm
- function aa_sk_perm
- function aa_sock_file_perm
- function apparmor_secmark_init
- function aa_secmark_perm
- function apparmor_secmark_check
Annotated Snippet

```c
		if (ad->denied & NET_PERMS_MASK) {
			audit_log_format(ab, " denied_mask=");
			aa_audit_perm_mask(ab, ad->denied, NULL, 0,
					   net_mask_names, NET_PERMS_MASK);
		}
	}
	if (ad->common.u.net->family == PF_UNIX) {
		if (ad->net.addr || !ad->common.u.net->sk)
			audit_unix_addr(ab, "addr",
					unix_addr(ad->net.addr),
					ad->net.addrlen);
		else
			audit_unix_sk_addr(ab, "addr", ad->common.u.net->sk);
		if (ad->request & NET_PEER_MASK) {
			audit_unix_addr(ab, "peer_addr",
					unix_addr(ad->net.peer.addr),
					ad->net.peer.addrlen);
		}
	}
	if (ad->peer) {
		audit_log_format(ab, " peer=");
		aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
				FLAGS_NONE, GFP_ATOMIC);
	}
}

/* standard permission lookup pattern - supports early bailout */
int aa_do_perms(struct aa_profile *profile, struct aa_policydb *policy,
		aa_state_t state, u32 request,
		struct aa_perms *p, struct apparmor_audit_data *ad)
{
	struct aa_perms perms;

	AA_BUG(!profile);
	AA_BUG(!policy);

	if (state || !p)
		p = aa_lookup_perms(policy, state);
	perms = *p;
	aa_apply_modes_to_perms(profile, &perms);
	return aa_check_perms(profile, &perms, request, ad,
			      audit_net_cb);
}

/* only continue match if
 *   insufficient current perms at current state
 *   indicates there are more perms in later state
 * Returns: perms struct if early match
 */
static struct aa_perms *early_match(struct aa_policydb *policy,
				    aa_state_t state, u32 request)
{
	struct aa_perms *p;

	p = aa_lookup_perms(policy, state);
	if (((p->allow & request) != request) && (p->allow & AA_CONT_MATCH))
		return NULL;
	return p;
}

static aa_state_t aa_dfa_match_be16(struct aa_dfa *dfa, aa_state_t state,
				    u16 data)
{
	__be16 buffer = cpu_to_be16(data);

	return aa_dfa_match_len(dfa, state, (char *) &buffer, 2);
}

/**
 * aa_match_to_prot - match the af, type, protocol triplet
 * @policy: policy being matched
 * @state: state to start in
 * @request: permissions being requested, ignored if @p == NULL
 * @af: socket address family
 * @type: socket type
 * @protocol: socket protocol
 * @p: output - pointer to permission associated with match
 * @info: output - pointer to string describing failure
 *
 * RETURNS: state match stopped in.
 *
 * If @(p) is assigned a value the returned state will be the
 * corresponding state. Will not set @p on failure or if match completes
 * only if an early match occurs
 */
aa_state_t aa_match_to_prot(struct aa_policydb *policy, aa_state_t state,
			    u32 request, u16 af, int type, int protocol,
			    struct aa_perms **p, const char **info)
{
```
Annotation
- Immediate include surface: `include/af_unix.h`, `include/apparmor.h`, `include/audit.h`, `include/cred.h`, `include/label.h`, `include/net.h`, `include/policy.h`, `include/secid.h`.
- Detected declarations: `function audit_unix_addr`, `function audit_unix_sk_addr`, `function audit_net_cb`, `function aa_do_perms`, `function aa_dfa_match_be16`, `function aa_match_to_prot`, `function aa_profile_af_perm`, `function aa_af_perm`, `function aa_label_sk_perm`, `function aa_sk_perm`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.