security/ipe/eval.c

Source file repositories/reference/linux-study-clean/security/ipe/eval.c

File Facts

System
Linux kernel
Corpus path
security/ipe/eval.c
Extension
.c
Size
10566 bytes
Lines
394
Domain
Core OS
Bucket
Security And Isolation
Inferred role
Core OS: implementation source
Status
source implementation candidate

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

if (pol->parsed->global_default_action == IPE_ACTION_INVALID) {
			WARN(1, "no default rule set for unknown op, ALLOW it");
			action = IPE_ACTION_ALLOW;
		} else {
			action = pol->parsed->global_default_action;
		}
		match_type = IPE_MATCH_GLOBAL;
		goto eval;
	}

	rules = &pol->parsed->rules[ctx->op];

	list_for_each_entry(rule, &rules->rules, next) {
		match = true;

		list_for_each_entry(prop, &rule->props, next) {
			match = evaluate_property(ctx, prop);
			if (!match)
				break;
		}

		if (match)
			break;
	}

	if (match) {
		action = rule->action;
		match_type = IPE_MATCH_RULE;
	} else if (rules->default_action != IPE_ACTION_INVALID) {
		action = rules->default_action;
		match_type = IPE_MATCH_TABLE;
	} else {
		action = pol->parsed->global_default_action;
		match_type = IPE_MATCH_GLOBAL;
	}

eval:
	ipe_audit_match(ctx, match_type, action, rule);
	rcu_read_unlock();

	if (action == IPE_ACTION_DENY)
		rc = -EACCES;

	if (!READ_ONCE(enforce))
		rc = 0;

	return rc;
}

/* Set the right module name */
#ifdef KBUILD_MODNAME
#undef KBUILD_MODNAME
#define KBUILD_MODNAME "ipe"
#endif

module_param(success_audit, bool, 0400);
MODULE_PARM_DESC(success_audit, "Start IPE with success auditing enabled");
module_param(enforce, bool, 0400);
MODULE_PARM_DESC(enforce, "Start IPE in enforce or permissive mode");

Annotation

Implementation Notes