
Searched refs:policy (Results 1 – 25 of 28) sorted by relevance


/security/selinux/ss/
services.c
247 struct selinux_policy *policy; in security_mls_enabled() local
253 policy = rcu_dereference(state->policy); in security_mls_enabled()
254 mls_enabled = policy->policydb.mls_enabled; in security_mls_enabled()
727 struct selinux_policy *policy, in security_validtrans_handle_fail() argument
733 struct policydb *p = &policy->policydb; in security_validtrans_handle_fail()
734 struct sidtab *sidtab = policy->sidtab; in security_validtrans_handle_fail()
762 struct selinux_policy *policy; in security_compute_validatetrans() local
779 policy = rcu_dereference(state->policy); in security_compute_validatetrans()
780 policydb = &policy->policydb; in security_compute_validatetrans()
781 sidtab = policy->sidtab; in security_compute_validatetrans()
[all …]
/security/tomoyo/
Makefile
4 targets += builtin-policy.h
7 $(objtree)/scripts/bin2c <$(firstword $(wildcard $(obj)/policy/$(1).conf $(srctree)/$(src)/policy/$…
13 $(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(srctree)/$(src)/policy/*.conf.default) F…
14 $(call if_changed,policy)
16 $(obj)/common.o: $(obj)/builtin-policy.h
Kconfig
25 that are automatically appended into policy at "learning mode".
43 bool "Activate without calling userspace policy loader."
48 policy was loaded. This option will be useful for systems where
50 needed before loading the policy. For example, you can activate
51 immediately after loading the fixed part of policy which will allow
53 variant part of policy and verifying (e.g. running GPG check) and
54 loading the variant part of policy. Since you can start using
59 string "Location of userspace policy loader"
64 This is the default pathname of policy loader which is called before
69 string "Trigger for calling userspace policy loader"
[all …]
.gitignore
2 builtin-policy.h
3 policy/*.conf
/security/apparmor/include/
lib.h
169 struct aa_policy *policy; in __policy_find() local
171 list_for_each_entry_rcu(policy, head, list) { in __policy_find()
172 if (!strcmp(policy->name, name)) in __policy_find()
173 return policy; in __policy_find()
194 struct aa_policy *policy; in __policy_strn_find() local
196 list_for_each_entry_rcu(policy, head, list) { in __policy_strn_find()
197 if (aa_strneq(policy->name, str, len)) in __policy_strn_find()
198 return policy; in __policy_strn_find()
204 bool aa_policy_init(struct aa_policy *policy, const char *prefix,
206 void aa_policy_destroy(struct aa_policy *policy);
policy.h
145 struct aa_policydb policy; member
220 return profile->policy.start[class]; in PROFILE_MEDIATES()
222 return aa_dfa_match_len(profile->policy.dfa, in PROFILE_MEDIATES()
223 profile->policy.start[0], &class, 1); in PROFILE_MEDIATES()
233 return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2); in PROFILE_MEDIATES_AF()
/security/integrity/ima/
Kconfig
43 Depending on the IMA policy, the measurement list can grow to
60 Disabling this option will disregard LSM based policy rules.
125 bool "Enable multiple writes to the IMA policy"
128 IMA policy can now be updated multiple times. The new rules get
129 appended to the original policy. Have in mind that the rules are
135 bool "Enable reading back the current IMA policy"
139 It is often useful to be able to read back the IMA policy. It is
141 This option allows the root user to see the current policy rules.
158 bool "Enable loading an IMA architecture specific policy"
163 This option enables loading an IMA architecture specific policy
[all …]
ima_policy.c
897 struct list_head *policy = &ima_policy_rules; in ima_update_policy() local
899 list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); in ima_update_policy()
901 if (ima_rules != policy) { in ima_update_policy()
903 ima_rules = policy; in ima_update_policy()
ima.h
200 hook(POLICY_CHECK, policy) \
/security/apparmor/
lib.c
387 state = aa_dfa_next(profile->policy.dfa, in aa_profile_match_label()
388 profile->policy.start[AA_CLASS_LABEL], in aa_profile_match_label()
488 bool aa_policy_init(struct aa_policy *policy, const char *prefix, in aa_policy_init() argument
505 policy->hname = hname; in aa_policy_init()
507 policy->name = basename(policy->hname); in aa_policy_init()
508 INIT_LIST_HEAD(&policy->list); in aa_policy_init()
509 INIT_LIST_HEAD(&policy->profiles); in aa_policy_init()
518 void aa_policy_destroy(struct aa_policy *policy) in aa_policy_destroy() argument
520 AA_BUG(on_list_rcu(&policy->profiles)); in aa_policy_destroy()
521 AA_BUG(on_list_rcu(&policy->list)); in aa_policy_destroy()
[all …]
Kconfig
27 This option selects whether introspection of loaded policy
31 bool "Enable policy hash introspection by default"
35 This option selects whether sha1 hashing of loaded policy
37 loaded policy provide system administrators a quick way
38 to verify that policy in the kernel matches what is expected,
39 however it can slow down policy load on some devices. In
40 these cases policy hashing can be disabled by default and
mount.c
345 pos = do_match_mnt(profile->policy.dfa, in match_mnt_path_str()
346 profile->policy.start[AA_CLASS_MOUNT], in match_mnt_path_str()
602 state = aa_dfa_match(profile->policy.dfa, in profile_umount()
603 profile->policy.start[AA_CLASS_MOUNT], in profile_umount()
605 perms = compute_mnt_perms(profile->policy.dfa, state); in profile_umount()
671 state = aa_dfa_match(profile->policy.dfa, in build_pivotroot()
672 profile->policy.start[AA_CLASS_MOUNT], in build_pivotroot()
674 state = aa_dfa_null_transition(profile->policy.dfa, state); in build_pivotroot()
675 state = aa_dfa_match(profile->policy.dfa, state, old_name); in build_pivotroot()
676 perms = compute_mnt_perms(profile->policy.dfa, state); in build_pivotroot()
policy_unpack.c
835 profile->policy.dfa = unpack_dfa(e); in unpack_profile()
836 if (IS_ERR(profile->policy.dfa)) { in unpack_profile()
837 error = PTR_ERR(profile->policy.dfa); in unpack_profile()
838 profile->policy.dfa = NULL; in unpack_profile()
840 } else if (!profile->policy.dfa) { in unpack_profile()
844 if (!unpack_u32(e, &profile->policy.start[0], "start")) in unpack_profile()
846 profile->policy.start[0] = DFA_START; in unpack_profile()
849 profile->policy.start[i] = in unpack_profile()
850 aa_dfa_next(profile->policy.dfa, in unpack_profile()
851 profile->policy.start[0], in unpack_profile()
[all …]
policy.c
234 aa_put_dfa(profile->policy.dfa); in aa_free_profile()
364 struct aa_policy *policy; in __lookup_parent() local
368 policy = &ns->base; in __lookup_parent()
371 profile = __strn_find_child(&policy->profiles, hname, in __lookup_parent()
375 policy = &profile->base; in __lookup_parent()
549 profile->policy.dfa = aa_get_dfa(nulldfa); in aa_new_null_profile()
930 struct aa_policy *policy; in aa_replace_profiles() local
954 policy = __lookup_parent(ns, ent->new->base.hname); in aa_replace_profiles()
955 if (!policy) { in aa_replace_profiles()
964 } else if (policy != &ns->base) { in aa_replace_profiles()
[all …]
ipc.c
200 state = aa_dfa_next(profile->policy.dfa, in profile_signal_perm()
201 profile->policy.start[AA_CLASS_SIGNAL], in profile_signal_perm()
net.c
126 state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer, in aa_profile_af_perm()
128 aa_compute_perms(profile->policy.dfa, state, &perms); in aa_profile_af_perm()
label.c
1276 return aa_dfa_match(profile->policy.dfa, state, tp->base.hname); in match_component()
1280 state = aa_dfa_match_len(profile->policy.dfa, state, ":", 1); in match_component()
1281 state = aa_dfa_match(profile->policy.dfa, state, ns_name); in match_component()
1282 state = aa_dfa_match_len(profile->policy.dfa, state, ":", 1); in match_component()
1283 return aa_dfa_match(profile->policy.dfa, state, tp->base.hname); in match_component()
1327 state = aa_dfa_match(profile->policy.dfa, state, "//&"); in label_compound_match()
1332 aa_compute_perms(profile->policy.dfa, state, perms); in label_compound_match()
1383 aa_compute_perms(profile->policy.dfa, state, &tmp); in label_components_match()
1392 aa_compute_perms(profile->policy.dfa, state, &tmp); in label_components_match()
Makefile
7 path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
policy_ns.c
112 ns->unconfined->policy.dfa = aa_get_dfa(nulldfa); in alloc_ns()
/security/safesetid/
lsm.c
32 enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy, in _setid_policy_lookup() argument
38 if (policy->type == UID) { in _setid_policy_lookup()
39 hash_for_each_possible(policy->rules, rule, next, __kuid_val(src.uid)) { in _setid_policy_lookup()
46 } else if (policy->type == GID) { in _setid_policy_lookup()
47 hash_for_each_possible(policy->rules, rule, next, __kgid_val(src.gid)) { in _setid_policy_lookup()
lsm.h
67 enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy,
/security/selinux/include/
security.h
107 struct selinux_policy __rcu *policy; member
248 struct selinux_policy *policy; member
392 int security_get_classes(struct selinux_policy *policy,
394 int security_get_permissions(struct selinux_policy *policy,
414 int selinux_policy_genfs_sid(struct selinux_policy *policy,
conditional.h
16 int security_get_bools(struct selinux_policy *policy,
/security/selinux/
Kconfig
9 You will also need a policy configuration and a labeled filesystem.
33 allows SELinux to be disabled at runtime prior to the policy load.
61 permissive mode (if permitted by the policy) via
89 via /sys/fs/selinux/checkreqprot if authorized by policy.
/security/loadpin/
Kconfig
7 (kernel modules, firmware, kexec images, security policy)
