
Lines Matching refs:profile

100 static inline unsigned int match_component(struct aa_profile *profile,  in match_component()  argument
107 state = aa_dfa_match(profile->file.dfa, state, "&"); in match_component()
108 if (profile->ns == tp->ns) in match_component()
109 return aa_dfa_match(profile->file.dfa, state, tp->base.hname); in match_component()
112 ns_name = aa_ns_name(profile->ns, tp->ns, true); in match_component()
113 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1); in match_component()
114 state = aa_dfa_match(profile->file.dfa, state, ns_name); in match_component()
115 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1); in match_component()
116 return aa_dfa_match(profile->file.dfa, state, tp->base.hname); in match_component()
135 static int label_compound_match(struct aa_profile *profile, in label_compound_match() argument
146 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
148 state = match_component(profile, tp, stack, state); in label_compound_match()
160 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
162 state = aa_dfa_match(profile->file.dfa, state, "//&"); in label_compound_match()
163 state = match_component(profile, tp, false, state); in label_compound_match()
167 *perms = aa_compute_fperms(profile->file.dfa, state, &cond); in label_compound_match()
168 aa_apply_modes_to_perms(profile, perms); in label_compound_match()
195 static int label_components_match(struct aa_profile *profile, in label_components_match() argument
208 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
210 state = match_component(profile, tp, stack, start); in label_components_match()
220 tmp = aa_compute_fperms(profile->file.dfa, state, &cond); in label_components_match()
221 aa_apply_modes_to_perms(profile, &tmp); in label_components_match()
224 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
226 state = match_component(profile, tp, stack, start); in label_components_match()
229 tmp = aa_compute_fperms(profile->file.dfa, state, &cond); in label_components_match()
230 aa_apply_modes_to_perms(profile, &tmp); in label_components_match()
256 static int label_match(struct aa_profile *profile, struct aa_label *label, in label_match() argument
263 error = label_compound_match(profile, label, stack, state, subns, in label_match()
269 return label_components_match(profile, label, stack, state, subns, in label_match()
289 static int change_profile_perms(struct aa_profile *profile, in change_profile_perms() argument
294 if (profile_unconfined(profile)) { in change_profile_perms()
301 return label_match(profile, target, stack, start, true, request, perms); in change_profile_perms()
322 struct aa_profile *profile, *candidate = NULL; in __attach_match() local
324 list_for_each_entry_rcu(profile, head, base.list) { in __attach_match()
325 if (profile->label.flags & FLAG_NULL) in __attach_match()
327 if (profile->xmatch && profile->xmatch_len > len) { in __attach_match()
328 unsigned int state = aa_dfa_match(profile->xmatch, in __attach_match()
330 u32 perm = dfa_user_allow(profile->xmatch, state); in __attach_match()
333 candidate = profile; in __attach_match()
334 len = profile->xmatch_len; in __attach_match()
336 } else if (!strcmp(profile->base.name, name)) in __attach_match()
338 return profile; in __attach_match()
355 struct aa_profile *profile; in find_attach() local
358 profile = aa_get_profile(__attach_match(name, list)); in find_attach()
361 return profile ? &profile->label : NULL; in find_attach()
377 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, in x_table_lookup() argument
390 for (*name = profile->file.trans.table[index]; !label && *name; in x_table_lookup()
395 new_profile = aa_find_child(profile, *name); in x_table_lookup()
400 label = aa_label_parse(&profile->label, *name, GFP_ATOMIC, in x_table_lookup()
422 static struct aa_label *x_to_label(struct aa_profile *profile, in x_to_label() argument
428 struct aa_ns *ns = profile->ns; in x_to_label()
439 stack = profile->file.trans.table[xindex & AA_X_INDEX_MASK]; in x_to_label()
442 new = x_table_lookup(profile, xindex, lookupname); in x_to_label()
450 new = find_attach(ns, &profile->base.profiles, in x_to_label()
467 new = aa_get_newest_label(&profile->label); in x_to_label()
469 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
488 static struct aa_label *profile_transition(struct aa_profile *profile, in profile_transition() argument
495 unsigned int state = profile->file.start; in profile_transition()
500 AA_BUG(!profile); in profile_transition()
504 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_transition()
505 &name, &info, profile->disconnected); in profile_transition()
507 if (profile_unconfined(profile) || in profile_transition()
508 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
511 new = aa_get_newest_label(&profile->label); in profile_transition()
517 if (profile_unconfined(profile)) { in profile_transition()
518 new = find_attach(profile->ns, &profile->ns->base.profiles, in profile_transition()
525 return aa_get_newest_label(&profile->label); in profile_transition()
529 state = aa_str_perms(profile->file.dfa, state, name, cond, &perms); in profile_transition()
532 new = x_to_label(profile, name, perms.xindex, &target, &info); in profile_transition()
533 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
542 } else if (COMPLAIN_MODE(profile)) { in profile_transition()
544 struct aa_profile *new_profile = aa_new_null_profile(profile, in profile_transition()
570 !profile_unconfined(profile) && in profile_transition()
571 !aa_label_is_subset(new, &profile->label)) { in profile_transition()
590 aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new, in profile_transition()
600 static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec, in profile_onexec() argument
605 unsigned int state = profile->file.start; in profile_onexec()
610 AA_BUG(!profile); in profile_onexec()
615 if (profile_unconfined(profile)) { in profile_onexec()
625 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_onexec()
626 &xname, &info, profile->disconnected); in profile_onexec()
628 if (profile_unconfined(profile) || in profile_onexec()
629 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
638 state = aa_str_perms(profile->file.dfa, state, xname, cond, &perms); in profile_onexec()
647 state = aa_dfa_null_transition(profile->file.dfa, state); in profile_onexec()
648 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC, in profile_onexec()
662 !profile_unconfined(profile) && in profile_onexec()
663 !aa_label_is_subset(onexec, &profile->label)) { in profile_onexec()
681 return aa_audit_file(profile, &perms, OP_EXEC, AA_MAY_ONEXEC, xname, in profile_onexec()
693 struct aa_profile *profile; in handle_onexec() local
703 error = fn_for_each_in_ns(label, profile, in handle_onexec()
704 profile_onexec(profile, onexec, stack, in handle_onexec()
708 new = fn_label_build_in_ns(label, profile, GFP_ATOMIC, in handle_onexec()
710 profile_transition(profile, bprm, buffer, in handle_onexec()
715 error = fn_for_each_in_ns(label, profile, in handle_onexec()
716 profile_onexec(profile, onexec, stack, bprm, in handle_onexec()
720 new = fn_label_build_in_ns(label, profile, GFP_ATOMIC, in handle_onexec()
721 aa_label_merge(&profile->label, onexec, in handle_onexec()
723 profile_transition(profile, bprm, buffer, in handle_onexec()
731 error = fn_for_each_in_ns(label, profile, in handle_onexec()
732 aa_audit_file(profile, &nullperms, OP_CHANGE_ONEXEC, in handle_onexec()
751 struct aa_profile *profile; in apparmor_bprm_set_creds() local
776 new = fn_label_build(label, profile, GFP_ATOMIC, in apparmor_bprm_set_creds()
777 profile_transition(profile, bprm, buffer, in apparmor_bprm_set_creds()
837 error = fn_for_each(label, profile, in apparmor_bprm_set_creds()
838 aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC, in apparmor_bprm_set_creds()
855 static struct aa_label *build_change_hat(struct aa_profile *profile, in build_change_hat() argument
862 if (sibling && PROFILE_IS_HAT(profile)) { in build_change_hat()
863 root = aa_get_profile_rcu(&profile->parent); in build_change_hat()
864 } else if (!sibling && !PROFILE_IS_HAT(profile)) { in build_change_hat()
865 root = aa_get_profile(profile); in build_change_hat()
875 if (COMPLAIN_MODE(profile)) { in build_change_hat()
876 hat = aa_new_null_profile(profile, true, name, in build_change_hat()
887 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT, in build_change_hat()
906 struct aa_profile *profile, *root, *hat = NULL; in change_hat() local
923 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
924 if (sibling && PROFILE_IS_HAT(profile)) { in change_hat()
925 root = aa_get_profile_rcu(&profile->parent); in change_hat()
926 } else if (!sibling && !PROFILE_IS_HAT(profile)) { in change_hat()
927 root = aa_get_profile(profile); in change_hat()
936 if (!COMPLAIN_MODE(profile)) in change_hat()
959 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
960 if (!list_empty(&profile->base.profiles)) { in change_hat()
970 label_for_each_in_ns(it, labels_ns(label), label, profile) { in change_hat()
978 if (count > 1 || COMPLAIN_MODE(profile)) { in change_hat()
979 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, in change_hat()
987 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in change_hat()
988 build_change_hat(profile, name, sibling), in change_hat()
989 aa_get_label(&profile->label)); in change_hat()
1021 struct aa_profile *profile; in aa_change_hat() local
1097 fn_for_each_in_ns(label, profile, in aa_change_hat()
1098 aa_audit_file(profile, &perms, OP_CHANGE_HAT, in aa_change_hat()
1107 struct aa_profile *profile, in change_profile_perms_wrapper() argument
1123 !profile_unconfined(profile) && in change_profile_perms_wrapper()
1124 !aa_label_is_subset(target, &profile->label)) { in change_profile_perms_wrapper()
1130 error = change_profile_perms(profile, target, stack, request, in change_profile_perms_wrapper()
1131 profile->file.start, perms); in change_profile_perms_wrapper()
1133 error = aa_audit_file(profile, perms, op, request, name, in change_profile_perms_wrapper()
1157 struct aa_profile *profile; in aa_change_profile() local
1226 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1228 profile, target, stack, in aa_change_profile()
1239 if (error && !fn_for_each_in_ns(label, profile, in aa_change_profile()
1240 COMPLAIN_MODE(profile))) in aa_change_profile()
1258 new = fn_label_build_in_ns(label, profile, GFP_KERNEL, in aa_change_profile()
1260 aa_get_label(&profile->label)); in aa_change_profile()
1277 error = fn_for_each_in_ns(label, profile, in aa_change_profile()
1278 aa_audit_file(profile, &perms, op, request, auditname, in aa_change_profile()