linux/security/apparmor/domain.c
   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor policy attachment and domain transitions
   5 *
   6 * Copyright (C) 2002-2008 Novell/SUSE
   7 * Copyright 2009-2010 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#include <linux/errno.h>
  16#include <linux/fdtable.h>
  17#include <linux/file.h>
  18#include <linux/mount.h>
  19#include <linux/syscalls.h>
  20#include <linux/tracehook.h>
  21#include <linux/personality.h>
  22
  23#include "include/audit.h"
  24#include "include/apparmorfs.h"
  25#include "include/context.h"
  26#include "include/domain.h"
  27#include "include/file.h"
  28#include "include/ipc.h"
  29#include "include/match.h"
  30#include "include/path.h"
  31#include "include/policy.h"
  32
  33/**
  34 * aa_free_domain_entries - free entries in a domain table
  35 * @domain: the domain table to free  (MAYBE NULL)
  36 */
void aa_free_domain_entries(struct aa_domain *domain)
{
	int idx;

	/* Nothing to release for a NULL domain or one that has no table. */
	if (!domain || !domain->table)
		return;

	/*
	 * Each entry and the table itself go through kzfree(), which zeroes
	 * the memory before handing it back to the allocator.
	 */
	for (idx = 0; idx < domain->size; idx++)
		kzfree(domain->table[idx]);
	kzfree(domain->table);

	/*
	 * Clear the pointer so that a second call takes the early return
	 * above instead of freeing the same memory twice.
	 * NOTE(review): domain->size is left unchanged here, so callers must
	 * test ->table, not ->size, before indexing.
	 */
	domain->table = NULL;
}
  50
  51/**
  52 * may_change_ptraced_domain - check if can change profile on ptraced task
  53 * @task: task we want to change profile of   (NOT NULL)
  54 * @to_profile: profile to change to  (NOT NULL)
  55 *
  56 * Check if the task is ptraced and if so if the tracing task is allowed
  57 * to trace the new domain
  58 *
  59 * Returns: %0 or error if change not allowed
  60 */
static int may_change_ptraced_domain(struct task_struct *task,
				     struct aa_profile *to_profile)
{
	const struct cred *tracer_cred = NULL;
	struct task_struct *tracer;
	int rc = 0;

	/*
	 * The tracer lookup, the tracer's profile lookup and the permission
	 * check all run inside one RCU read-side section.
	 */
	rcu_read_lock();
	tracer = ptrace_parent(task);
	if (tracer) {
		struct aa_profile *tracer_profile;

		/* reference dropped after rcu_read_unlock() below */
		tracer_cred = get_task_cred(tracer);
		tracer_profile = aa_cred_profile(tracer_cred);

		/*
		 * An unconfined tracer is not checked.  A confined tracer
		 * must be allowed to attach to @to_profile; if it is not,
		 * the error from aa_may_ptrace() is returned so the caller
		 * can refuse the transition.
		 */
		if (!unconfined(tracer_profile))
			rc = aa_may_ptrace(tracer, tracer_profile, to_profile,
					   PTRACE_MODE_ATTACH);
	}
	rcu_read_unlock();

	if (tracer_cred)
		put_cred(tracer_cred);

	return rc;
}
  90
  91/**
  92 * change_profile_perms - find permissions for change_profile
  93 * @profile: the current profile  (NOT NULL)
  94 * @ns: the namespace being switched to  (NOT NULL)
  95 * @name: the name of the profile to change to  (NOT NULL)
  96 * @request: requested perms
  97 * @start: state to start matching in
  98 *
  99 * Returns: permission set
 100 */
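static struct file_perms change_profile_perms(struct aa_profile *profile,
					      struct aa_namespace *ns,
					      const char *name, u32 request,
					      unsigned int start)
{
	/*
	 * Zero-initialised so that any field the unconfined branch does not
	 * assign explicitly is returned as 0 rather than as leftover stack
	 * contents.
	 */
	struct file_perms perms = { };
	struct path_cond cond = { };
	unsigned int state;

	if (unconfined(profile)) {
		/* unconfined tasks may always change profile / set onexec */
		perms.allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
		perms.audit = perms.quiet = perms.kill = 0;
		return perms;
	}

	/* a confined profile without a file dfa has no rules to match */
	if (!profile->file.dfa)
		return nullperms;

	if (ns == profile->ns) {
		/* try matching against rules without the namespace prepended */
		aa_str_perms(profile->file.dfa, start, name, &cond, &perms);
		if (COMBINED_PERM_MASK(perms) & request)
			return perms;
	}

	/*
	 * Try matching with the namespace name, then ":", then the profile
	 * name.
	 *
	 * @request only gates the early return above.  The result of this
	 * second lookup is returned whether or not it covers @request, so
	 * the caller still has to compare the returned set with what it
	 * asked for.
	 */
	state = aa_dfa_match(profile->file.dfa, start, ns->base.name);
	state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
	aa_str_perms(profile->file.dfa, state, name, &cond, &perms);

	return perms;
}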
 130
 131/**
 132 * __attach_match - find an attachment match
 133 * @name: to match against  (NOT NULL)
 134 * @head: profile list to walk  (NOT NULL)
 135 *
 136 * Do a linear search on the profiles in the list.  There is a matching
 137 * preference where an exact match is preferred over a name which uses
 138 * expressions to match, and matching expressions with the greatest
 139 * xmatch_len are preferred.
 140 *
 141 * Requires: @head not be shared or have appropriate locks held
 142 *
 143 * Returns: profile or NULL if no match found
 144 */
static struct aa_profile *__attach_match(const char *name,
					 struct list_head *head)
{
	struct aa_profile *entry, *best = NULL;
	int best_len = 0;

	list_for_each_entry(entry, head, base.list) {
		unsigned int state;

		/* profiles flagged PFLAG_NULL never attach */
		if (entry->flags & PFLAG_NULL)
			continue;

		if (!entry->xmatch || entry->xmatch_len <= best_len) {
			/*
			 * No xmatch, or one that cannot beat the current
			 * candidate: only a literal name comparison is done.
			 * An exact non-re match ends the search, so among
			 * equally named profiles the first in the list wins.
			 */
			if (strcmp(entry->base.name, name) == 0)
				return entry;
			continue;
		}

		/*
		 * The comparison above is strict, so of two expressions with
		 * the same xmatch_len the earlier list entry is kept.
		 */
		state = aa_dfa_match(entry->xmatch, DFA_START, name);
		/* any accepting state means a valid match. */
		if (dfa_user_allow(entry->xmatch, state) & MAY_EXEC) {
			best = entry;
			best_len = entry->xmatch_len;
		}
	}

	return best;
}
 170
 171/**
 172 * find_attach - do attachment search for unconfined processes
 173 * @ns: the current namespace  (NOT NULL)
 174 * @list: list to search  (NOT NULL)
 175 * @name: the executable name to match against  (NOT NULL)
 176 *
 177 * Returns: profile or NULL if no match found
 178 */
static struct aa_profile *find_attach(struct aa_namespace *ns,
				      struct list_head *list, const char *name)
{
	struct aa_profile *match;

	/*
	 * The list walk and aa_get_profile() both run with ns->lock
	 * read-held; the lock is dropped only after aa_get_profile() has
	 * been called on the match.
	 * NOTE(review): presumably the caller releases the result with
	 * aa_put_profile() - confirm against the callers.
	 */
	read_lock(&ns->lock);
	match = __attach_match(name, list);
	match = aa_get_profile(match);
	read_unlock(&ns->lock);

	return match;
}
 190
 191/**
 192 * separate_fqname - separate the namespace and profile names
 193 * @fqname: the fqname name to split  (NOT NULL)
 194 * @ns_name: the namespace name if it exists  (NOT NULL)
 195 *
 196 * This is the xtable equivalent routine of aa_split_fqname.  It finds the
 197 * split in an xtable fqname which contains an embedded \0 instead of a :
 198 * if a namespace is specified.  This is done so the xtable is constant and
 199 * isn't re-split on every lookup.
 200 *
 201 * Either the profile or namespace name may be optional but if the namespace
 202 * is specified the profile name termination must be present.  This results
 203 * in the following possible encodings:
 204 * profile_name\0
 205 * :ns_name\0profile_name\0
 206 * :ns_name\0\0
 207 *
 208 * NOTE: the xtable fqname is pre-validated at load time in unpack_trans_table
 209 *
 210 * Returns: profile name if it is specified else NULL
 211 */
static const char *separate_fqname(const char *fqname, const char **ns_name)
{
	const char *profile_part;

	/* No leading ':' means no namespace: the whole string is the name. */
	if (fqname[0] != ':') {
		*ns_name = NULL;
		return fqname;
	}

	/*
	 * ":ns_name\0profile_name\0" or ":ns_name\0\0".
	 *
	 * The read just past the first terminator is only in bounds because
	 * the string is guaranteed to hold two \0 terminators; that is
	 * verified at load time by unpack_trans_table.  Do not call this on
	 * a string that has not been through that validation.
	 */
	*ns_name = &fqname[1];		/* skip : */
	profile_part = *ns_name + strlen(*ns_name) + 1;

	/* an empty profile part is reported as "not specified" */
	return *profile_part ? profile_part : NULL;
}
 232
/*
 * next_name - step to the name after @name in an x transition entry
 * @xtype: transition type (currently unused)
 * @name: current name (currently unused)
 *
 * Stub: no following name is ever reported, so a loop that advances with
 * next_name() looks at the first name only.
 *
 * Returns: always NULL
 */
static const char *next_name(int xtype, const char *name)
{
	(void)xtype;
	(void)name;

	return NULL;
}
 237
 238/**
 239 * x_table_lookup - lookup an x transition name via transition table
 240 * @profile: current profile (NOT NULL)
 241 * @xindex: index into x transition table
 242 *
 243 * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
 244 */
 245static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
 246{
 247        struct aa_profile *new_profile = NULL;
 248        struct aa_namespace *ns = profile->ns;
 249        u32 xtype = xindex & AA_X_TYPE_MASK;
 250        int index = xindex & AA_X_INDEX_MASK;
 251        const char *name;
 252
 253        /* index is guaranteed to be in range, validated at load time */
 254        for (name = profile->file.trans.table[index]; !new_profile && name;
 255             name = next_name(xtype, name)) {
 256                struct aa_namespace *new_ns;
 257                const char *xname = NULL;
 258
 259                new_ns = NULL;
 260                if (xindex & AA_X_CHILD) {
 261                        /* release by caller */
 262                        new_profile = aa_find_child(profile, name);
 263                        continue;
 264                } else if (*name == ':') {
 265                        /* switching namespace */
 266                        const char *ns_name;
 267                        xname = name = separate_fqname(name, &ns_name);
 268                        if (!xname)
 269                                /* no name so use profile name */
 270                                xname = profile->base.hname;
 271                        if (*ns_name == '@') {
 272                                /* TODO: variable support */
 273                                ;
 274                        }
 275                        /* released below */
 276                        new_ns = aa_find_namespace(ns, ns_name);
 277                        if (!new_ns)
 278                                continue;
 279                } else if (*name == '@') {
 280                        /* TODO: variable support */
 281                        continue;
 282                } else {
 283                        /* basic namespace lookup */
 284                        xname = name;
 285                }
 286
 287                /* released by caller */
 288                new_profile = aa_lookup_profile(new_ns ? new_ns : ns, = <"commentDndex" class="e" class="sref">new_profile =  191 287          te_fqname2- separate the namespace2and p29         } el
xnamename;
 195 *

a given d="L260"ity/apparmor/domain.c#L238" id="L238" class=e     
 240
 240 * isn't re-spli3 on e3ery lookup.
 241 200 *
 241 191
a c#L241" id=="L260"ity/apparmor/domain.c#L238" id="L238" class3file name3termination must be pres3nt.  3his results

 241
 287         3/a> * :ns_na3e\0pr3file_n"> */
aa_profile *x_table_lookup(struct  287         3/7> * 30ef">ns_name);
aa_profile *aa_profile *profile,  207len = 0;
 247        struct aa_profile *n3="line" n3me="L209"> 209len = 0;
 248        struct aa_namespace *ns =  150
 249        u32 xtype = xindex &  211name;
 24 } else if (* 213xtype = name;
 287         3/domain.c3L215" id="L215" class="l3ne" n31d below */
{
 235':'xtype = 
 260                if (xname)
 287         3s="commen3">                 * by 3npack32;@') {
 247        struct  179static struct new_ode=separate_fqname"                                xname =  287         30"> 220 3     3         */
aa_find_child(3* skip : */
ns_name) + 1;
 287         3somain.c#3if (!*name)
 247        struct  179static struct new_ode=separate_fqname"186"> 186        xname =  287         305le name3/a> = name;
aa_find_child(        } else {
(xtype = 
 287         3sis pre-v3"L228" class="line" name3"L22832e="L258"> 258
 245static struct x_table_lookup(struct  *pro() {
( 231}
 252
 287         3a>, const3char *name<

 237
ew credsdomain.cbprm = 0;
 238/**
_ class="e="L240"> 240


         3a>, const3char * *
ew credsdomain.cbprmne" name="L248">">ew credsdomain.cbprmle * */
(xindex)
x_table_lookup(struct     struct aa_profile *n3="line" n3me="L209"> 209 246{
 248        struct n3="line" n3me="L209"> 209NULL;
 *n3="line" n3me="L209"> 209ns;
n3="line" n3me="L209"> 209A3_X_TYPE_MASK;
 249n3="line" n3me="L209"> 209;
 249name;
name = name = name = name =  252
name = name = name = name = n3="line" n3me="L209"> 209name;
    struct  *    struct n3="line" n3me="L209"> 209name)) {
 *(struct n3="line" n3me="L209"> 209new_ns;
NULL;
n3="line" n3me="L209"> 209 258
NULL;
name = ) {
n3="line" n3me="L209"> 209
name);
(name = name = n3="line" n3me="L209"> 209name = n3="line" n3me="L209"> 209!:') {
 195
 185        profile =  24ewest_versioee = name = name, ns_name;
         3a>, const3char *ns_name);
xname)
 * Either the profile or namespace name may be optional3 use prof3le name */
hname;
aa_namespace *ns = !@') {
 254        for (name = profile(
 275<,ass="le="Lodomermline"euffermi7         3a>, const3char *!                }
 *>        name = name = pro for (name =          =         >        name, ns_name);
new_ns)
name = >    lass="3domain.c#3213" id="L213" class="sc3ass="3o        continue;
proPFLAG_UNCONFINElse if (*!@') {
n3="line" n3me="L209"> 209
name =  *(!="sref">name;
_onss="efirsteas_onss="edirectives_override o17">         3a>, const3char * 285         3a>, const3char * 286
         3a>, const3char *         3a>, const3char *(name = ( n>a givenonass="ealready> 2en g named *7         3a>, const3char * 262                        profile = name = ( 247        struct  179static struct new_ode=separate_fqname"186"> 186        xname =  287   a_find_child(name;
 179sclass="3dis pre-v3string.  They are veri"> 285 *
 *
         3a>, const3char *ivsle="0;

=esducc#L23of permiss41"s.         3a>, const3char * *
 241""""""""""""""""*7         3a>, const3char * *_ss="l*7         3a>, const3char * *
 254       ="sstrnpermcode=aa_namespac="sstrnpermce = name = profile   a_find_childpparine" name="L248"ppariss=" a_find_child(         * 34ef">ns_name);
(name = ( 249len = 0;
 n>a givenonss="aquot;   lass="s3* Returns3 profile name if it i4n 3lass=340ef">len = 0;
profile>    ype =  150
 *(name;
 n>a givenonss=".         3a>, const3char * 213         3a>, const3char *name;
 2aaaaaaaaaaaaaaaa*_ss="\0rh/a> n>a give         3a>, const3char *         3a>, const3char *":' 254       ="sdfa_null_ame="L241"ode=aa_namespac="sdfa_null_ame="L241"e = name = profile   a_find_childpparine" name="L248"ppariss="ass="sre3/domain.c3class="line" name="L24e 3wo \034 caller */
 249 * n>a givenpermcode=aa_namespacch/a> n>a givenpermce = name = (ns =  = xname)
cx/a>(name = (ns =  =  247     cccccccccccccccccc_find_childBLEMAY_ONEXECode=aa_namespacBLEMAY_ONEXECL185 a_find_childpparine" name="L248"ppariss="ass="sre3/domain.c3class="line" name="L24> 3     34        */
 19134 skip : */
(<4 href="+code=profile" #L26!> = profile>    ype = ) + 1;
 *(name)
 247 262                        profile =  24ewest_versioee = name = (name;
 *        } else {
4profile>    ype =  258
         3a>, const3char *) {
4 262                        aa_profileprofile<( 179sc class="3domain.c#3213" id="L213" class=4li3e" na34="L231"> 231}
profile 260                if (sc class="3domain.c#3213" id="L213" class=4ls3"sref34e="L252"> 252
      ="L280" class="line" nam(p|c|n)ix - don="+cotorh/a> n>a givenbut do         3a>, const3char *name<
 2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*  p above2wh#L2reft5"> >a give         3a>, const3char *         3a>, const3char *
aa_pro   struct    lass="s3* Returns3 profile name if it i4"l3ne" n34e="L237"> 237
 262                        profile = /**
 * 247     #L279" id="0" id="L260" cliermcode=aa_namespacpermc" na="sref">profile 260                if (sc class="3domain.c#3213" id="L213" class=4vm3" cla34(NOT NULL)
 262                        profile = xname = 
   lass="s3* Returns3 profile name if it i4n class="4omment"> *
 2824failure (4AYBE NULL)
 247     d="L272"   struct  */
xindex)
 246{
NULL;
ns;
 m=          3a>, const3char *A4_X_TYPE_MASK;
 262                         24ew_null_="+code=profile" class="s4ew_null_="+codele;
 179sc class="3domain.c#3213" id="L213" class=4ame" clas4="sref">name;
 252
a giveaquot;   lass="s3* Returns3 profile name if it i4ated at l4ad time */
 247<#L282" id="L282" class="line" name="L282"> 2824=class="c4="sref">name;
name)) {
 * 179ss="sref">ns = new_ns;
NULL;
profile 260 |ile * 258
NULL;
         3a>, const3char *) {
name);
ivslthen         3a>, const3char *) {
 2aaaaaaaaback -  class=".         3a>, const3char *         3a>, const3char *ns_name;
name = ns_name);
 =  179sclass="s3* Returns3 profile name if it i4re3"L22834"sref">xname)
 *hname;
"@') {

 179sclass="3dis pre-v3string.  They are ver4r        4                ;
 247 *("                }
 195
name = sc class="3domain.c#3213" id="L213" class=4 class="s4ef">ns_name);

         3a>, const3char *new_ns)
!4') {

name =  n>a e="ced_" clas=new_profile"ermay_/a> n>a e="ced_" clas/a> =  179sclass="s3* Returns3 profile name if it i4re" class3 4       } else {
 247        struct  =  179sclass="s3* Returns3 profile name if it i4reng">!=4sref">name;
 *( 286

_ classfoow" > m=reasons:a>         3a>, const3char * 241""""""""""* 1.nconfspar arswitch> m="e, const3char * m="e         3a>, const3char * m="e, const3char *, const3char *!=4sref">name;
 2aaaaaaaabackCases 2 and 3reewemar"L25=es=lquf (, const3char * *


7af 
 m="e, const3char *         3a>, const3char * *
profile 260                if (
 =      } else if (* m=environ"linevariables">_ c37;0 sa giveaq=37;0 s\nuot;   la     305le name3/a> =   179ss="sref">ns =  247name = 
 *
 *
 * 179ss="sref">ns =  >a give         3a>, const3char *name =    le *len = 0;
 150
profilename;
 = name =  2         3a>, const3char * 213name = (name =  179ss=ss="s3* Returns3 profile name if it i4"53 * pr34i5sref">name;
 195
4
5a h41516/apparmor/tL287" id="L287" class="         3a>, const3char * = name =  2evioun85 clss="s3* Returns3 profile name if it i4"53lass=34o5aller */
 = name = (xname)
name =  2evioun85 cle *n3="line" n3me="L209"> 209) {
name = ( *n3="line" n3me="L209"> 209
(name = n3="line" n3me="L209"> 20934 5kip : */
(<4 52y/apparmo3/domain.c3L232" id="L232" class4r53"sref34n5_name) + 1;
 *(name)
name =  * =  = name;
 cx/rofile" class="sconr" na  s="sr       e h(uifile" class="suncideffi_find_childcxfof="+code=profilinfo_profi_find_childcxrclde=new_profile"errcl_proc cef">n3="line" n3me="L209"> 2094<5 href=f">n3="line" n3me="L209"> 209cx/an_prop" class="sreclean_pe" cla:85" 3domain.c#3231" id="L231" class=4r53lass=34o5aller */
 =  258
 class="line" nke5">/a> = ) {
4<53y/app85" 3domain.c#3231" id="L231" class=4r53" cla34 5      */cxrclde=new_profile"errcl_proc ss="s3* Returns3 profile name if it i4"53ent">34 5L231"> 231}
 252
name<
 2aa*  is done_sr  _n.c#3s="e= donermine ho260n.c#3s="e="is needed/a>_ c="e=" (NOT lass
 237
/**
         3a>, const3char * *

 * * *

         3a>, const3char * */
 2aaaaaaaabackand stor+dcnle#L23ref">7af          3a>, const3char *xindex)
         3a>, const3char * 246{
name = NULL;
ns;
A4_5_TYPE_MASK;
;
name;
 252

 >_cred< don=ask *7ean_pe"nassc#L2i5"> >779"acred         3a>, const3char *name;
 2aa* @sr  : binr  ">_ class=".<" (NOT lassname)) {
         3a>, const3char *new_ns;
 * >_cred<" name="L248"xpplL done_sr  _c#L2i5"> >_cred =main.c#L248" id="L24="panux_binr  " name="L248"xppanux_binr  /appa*"L262" class="lsrne" name="L248"b"sr    "sass="3dis pre-v3string.  They are ver4r5L" clas4=5sref">NULL;
 258
NULL;
(/a>(/a>85 cle *name = name = ) {
 191
name);
/a>85 cref">name =  24= (/a>85 cref">name = ) {
n3="line" n3me="L209"> 209ns_name;
name = n3="line" n3me="L209"> 209ns_name);
xname)
_ class79"a givenbu*/a>         3a>, const3char * = (/a>85 cref">name = n3="line" n3me="L209"> 209hname;
"5') {
 eded >a>"    5           }
 2aa* @sr  : binr  ">_ class=".<" (NOT lass
         3a>, const3char *5s_name);
 * >eded >edednew_ns)
         3a>, const3char *!4;) {
n3="line" n3me="L209"> 209
, const3char *   4    5up */
a e        3a>, const3char *"    5f">name;
 2aa* @s         3a>, const3char *eas4d be5           }
n3="line" n3me="L209"> 209 286

/a>8ompquot_re3=n=acn"ull dome" clmacdoa@n2s doend3sscac@n1c@n1inrase ofme" clmOT lass 241""""">
, const3char */a>(ompquot_re3= href="+cocx79">/a>8ompquot_re3= =maicrL262" class="l79">1 href="+cocx79">1a0  rL262" class="l79">2 href="+cocx79">2sass="3dis pre-v3string.  They are ver4r5L" >!=4sr5f">name;
 *
rL262" class="l79">ef="+code=profile" cl/a0" /a> *1a0  ) +d_childpparineclnew_profile"ertokn.clnel= 2sass= +d3id="L260" clieGFP_KERNEe=new_profile" cGFP_KERNEenaas0" ">n3="line" n3me="L209"> 209
ef="+code=profile" cl/a0" ="3dis pre-v3string.  They are ver4r5L" >ss=3s4al5f a :
   la    a href="+coo na+c1 href="+cocx79">1a0  2sass=>n3="line" n3me="L209"> 209
cxrdecef="+code=profile" cl/a0" >n3="line" n3me="L209"> 209
 *
 191

a e=hatn=acn>a gihatnto/6ss=esubve         3a>, const3char *
 n> >a giinto (MAYBEss0>
 2aa* @sr cquot7;aumbeasofmeatnre4=smins@hat3 *

 @" natest7;tru60n.cssdomdomju_taaiss41"l- aretest        3a>, const3char *
, const3char *
cCn>a giain.foowir_tavenbu*/afiar a uotins@hat3n.fatnexists,d stor+dcn        3a>, const3char * = 0;
0d stosco        3a>, const3char * 150
 241""""">r esroc matche3n.fatnr+dcnle#L2Lconty/a85  *7ean_e   , const3char *name;
, const3char *, const3char * 213sc#Lsuccess,d_proc o.forwist         3a>, const3char *name;
 2aa* @s         3a>, const3char *
4
5a 6415166apparm"/a> *a e=hat href="+cocxsausk rn>a e=hat =maicrL262" class="l79"hat3 href="+cocxsauhat3[],r"/a> *
n3="line" n3me="L209"> 209xname)
(n3="line" n3me="L209"> 209) {
n3="line" n3me="L209"> 209
rL262" class="l79">ef="+code=profile" cl/a0" /a> *n3="line" n3me="L209"> 209
(64 52y62pparmor/domer"/a> *n3="line" n3me="L209"> 209) + 1;
{}>n3="line" n3me="L209"> 209name)
namcrL262" class="l79"yde=new_profile"60"itysreffile *n3="line" n3me="L209"> 209name;
 *">n3="line" n3me="L209"> 209n3="line" n3me="L209"> 209, const3char *
 >s _s179">ivslthen         3a>, const3char * 258
, const3char *) {
         3a>, const3char * 241""""""""""* 1.         3a>, const3char *34 5L261"> 231}
name = ivslthen"+code=profile" 9">ivslthena0" ="3dis pre-v3string.  They are ver4r5L"6ref34e5"L652"> 252
name<
, const3char *n3="line" n3me="L209"> 209
 *name =  237
n3="line" n3me="L209"> 209/**
name =  2evioun85 cle<>n3="line" n3me="L209"> 209


 *
truct  *( */
xindex)
n3="line" n3me="L209"> 209 246{
NULL;
, const3char *ns;
        stn.c#L248" id="L24="sausk de=profile" class="saueme="L185 cl*"L262" class="l="Lrooew_profile"60rsreoolass="s3* Returns3 profile name if it i4mi 26f">A4_5_T6PE_MASK;
 *name = ;
 191name;
 252
">> *> *
 247        strr/domain.c#L242" i/*, const3char *name;
[ *n3="line" n3me="L209"> 209)) {
new_ns;

NULL;

ns =  258
        st           goor/domain.c62" class="l="Lde=new_profile"errcl_profiletruct NULL;
truct 
 *name);
, const3char *
, const3char *;
, const3char *);
, const3char *xname)
a e=hat         3a>, const3char *
hname;
 241""""""""""* 1aaaaaaaaaaaaaaaa* TODO: Add log>a giofm temfa85 sshat3"5E) {
, const3char * 247        strr/domain.c#L242" i/* 2, const3char *"    6           }
ef="+code=profile" cl/a0" /a> */a>8ompquot_re3= =mai           ermcrooew_profile"60rsreoolass=ef">ns = [0]=>n3="line" n3me="L209"> 209
 *n3="line" n3me="L209"> 2096s_name);

, const3char *new_ns)

/a>null de=profile" class="saueme>/a>null de=profl=  209        st        "7" class="line" rdehat href="+cocxsauhat =mass="3domain.c#3213" id="L213" class=4v53 6>!4E) {
   lass="s3* Returns3 profile name if it i4ated6lass4"spp6rt */
        st           goor/62" class="l="Lde=new_profile"errcl_profiletruct n3="line" n3me="L209"> 209 *(   4    6up */
 247  } id37;="3domain.c#3213" id="L213" class=4v53 6>"    6f">name;
 *ns = eas4d be6           }
="s4ef">686"> 286



truct 
 *a e=ptraced_supporw_profile"errclmay rn>a e=ptraced_supporl=  247  "7"  href="+coo na+de=new_profile"errcl_proc cef"s="3domain.c#3213" id="L213" class=4v53 6>!=4sr6f">name;
 *
truct 

 *
        st         * *
truct 
, const3char *
 247        st         * *
ef="+code=profile" cl/a0"          " iclass="line" rdede=new_profile"errcl_proc cef"s3* Returns3 profile name if it i4mi 27 6r34i5e_7a"> *
, const3char *

truct 

  }cid37;" id="L260" clb"srn18oun85  de=profile" class="sau18oun85  de=profcle<=s="3domain.c#3213" id="L213" class=4v53 7ss=3405f"7len = 0;
 150
 241"""""""""""""""""""""*savoid /a>bruteiclaceaatpacksname;
, const3char * *ns =  213 247   * *name;
 *
4
5a 741516716pa 247  }cid37s3* Returns3 profile name if it i4mi 27 7r34i5e_79;
, const3char *
 *xname)
) {
(

(74 52y72pparmor/domain.cgo       if ( *) + 1;
name)
 247        st        cgo       if (name;
 *
 2 2 258
n3="line" n3me="L209"> 209) {
n3="line" n3me="L209"> 209 231}
 252
name<
 2aa* @srsk rn>a e=venbu*/"-iss4form a one-wayevenbu*/"L241",l> >a gito (MAYBEss
 @hre3=:cur3tsofmvenbu*/"Lfspn>a gito (MAYBEss 237
 >susLain.akoovldco/**
c@" natest7;tru60n.cssdomdomju_taaiss41"l- aretest        3a>, const3char *

 241""""">rCn>a giaina givenbu*/a@re4=.  Unliklmacdoahats,2LcorssusL="eway        3a>, const3char *
a giback.  Ife@re4=susn'tafiar a uotLconty/a85  venbu*/"ur3tsus        3a>, const3char * *
, const3char *
 >susLdelayuotuntil        3a>, const3char * */
 2aa* @srs79"a xtnexec         3a>, const3char *xindex)
, const3char * 246{
 urns:c3;0 0/a>sc#Lsuccess,d_proc o.forwist         3a>, const3char *NULL;
, const3char *ns;
 *a e=de=profile" class="sauemern>a e=de=profl= rL262" class="l79">s_re3= href="+cocx79">s_re3= =marL262" class="l79"href="+code=prohode=e" class=A4_5_T7PE_MASK;
;
name;
n3="line" n3me="L209"> 209 252
(n3="line" n3me="L209"> 209
 2n.c#L248" id="L24="sausk de=profile" class="saueme="L185 cl*"L262" class="l="L185" class="line" name="L185 cle<,L262" class="l="Lyde=new_profile"60"itysreffile *n3="line" n3me="L209"> 209name;
 *n3="line" n3me="L209"> 209)) {
{}>n3="line" n3me="L209"> 209new_ns;
rL262" class="l79">ef="+code=profile" cl/a0" /a> *n3="line" n3me="L209"> 209NULL;
 *">n3="line" n3me="L209"> 209 258
 231"errclu3pparmo62" class="lke5uf (est> 231"errcluf (estref">n3="line" n3me="L209"> 209NULL;
) {
s_re3= href="+cocx79">s_re3= =ma="3dis pre-v3string.  They are ver4r5L"7clas4=5sr7er */
n3="line" n3me="L209"> 209name);
 *n3="line" n3me="L209"> 209
 *n3="line" n3me="L209"> 209;
);
 231"errcluf (estref"/a> *n3="line" n3me="L209"> 209xname)
        st * *n3="line" n3me="L209"> 209
hname;
 191"5O) {
n3="line" n3me="L209"> 209 *name =  262" class="l="L185" class="line" name="L185 cle *n3="line" n3me="L209"> 209"    7           }
, const3char *7s_name);
 >s _s179">ivslthen        3a>, const3char *new_ns)
fspare, const3char * >s 6ss=efspar ar_ssarem teow_sseven wheL        3a>, const3char *!4O) {
ivslthensusLesofbecausecssdomawaysm >
 241""""""""""* 1.sofmvs41"l- arn         3a>, const3char *, const3char *name = ivslthen"+code=profile" 9">ivslthena0"          " iclass="line" rdefsparofile" class="sunconfspare   4    7up */
 247  62" class="lke51ucod" name="L248"xpcre1ucod" nl= n3="line" n3me="L209"> 209"    7f">name;
="s4ef">786"> 286
s=34o5"L7er */
s_re3= href="+cocx79">s_re3= =ma=s="3domain.c#3213" id="L213" class=4v53 7>2834"5re7        ref=" armor3d4ma73.4#a78ppa 247        strr/domain.c#L242" i/*, const3char * *name = s_re3= href="+cocx79">s_re3= =ma="s3* Returns3 profile name if it i4 use7 ass4"spp7ref="security/appar3o4/d73949s791pa 247        st" idclass="line" rde7n"+code=profile" sile<=s="3domain.c#3213" id="L213" class=4v53 7    3 4  7   contihref="secur3t4/a73949y79pparmor/domain.cgo           rr/domain.c#L242" i/*, const3char *
 *s_re3= =ma"s3* Returns3 profile name if it i4 use7    4    7href="security/appa3m4r/73949y79pparmor/7"> 247  iled/ un62" class="l="L="+code=profilinfo_profile       } else if (*fquot;   lass="s3* Returns3 profile name if it i4ated7>!=4sr7f">name;
truct  *
 *(

name = ivslth2rmor/domain.c#L2240"""""""""""*c#L2 stoh/a>             goor/domain.331t3chai 27 2834"s  7t and
name =  *
 191
name = ivslth2rm334 5am78p  } el

 247    id="L260" clb"srnfsparofile" class="sunconfsparename;
 *name = ns =  *


 *name = 

 = 0;
{href="+coo na+_">a e=de=proflode=aa_namespacpermcp">a e=de=proflode=aa= s_+code=profile" sileref="+code=prohode=e" class= 150
        st           goor/domain*name =  231"errclustar>lename;
truct  213 247    *(name;

4
5a 781516781=f">n3="line" n3me="L209"> 209name = ivslth2r8r34i5mn78r */
 *ref="+code=prohode=e" class=<"s3* Returns3 profile name if it i4 use78 r34i5mn78>xname)
) {
fquot;   lass="s3* Returns3 profile name if it i4ated78s=34o5me78  */
        st 2" class="l="Lde=new_profile"errcl_profiletruct 
(78 52y78pparmor/domain.cgo     id="L260" clb"srn18natestass="line" name= natesta0" =  o lass="line" rdeCOMPLAIN_MODE href="+cocxsauCOMPLAIN_MODEl= ) + 1;
 *(name)
 247   parm" id="L260" clb"srnry/ap" class="srecle#3ry/a85 aref">name = ivslth2rpr34i5e_78">name;
 *
   lass="s3* Returns3 profile name if it i4ated688r34i5mn78r */

truct n3="line" n3me="L209"> 209 258
        st          *( 231}
 252
name = ivslth2rla34=5sr78">name<
 262" class="l="L1e=new_profile"errcl_profile *a e=ptraced_supporw_profile"errclmay rn>a e=ptraced_supporl=  >s   lass="s3* Returns3 profile name if it i4ated68la34 5in78 the

 *( 237
/**


        st  *( *

 247   * * */
)
 * 246{
NULL;
(ns;
A4_5_T78E_MASK;
 * 231"errcluf (estref"/s3* Returns3 profile name if it i4"5sr78la34(5OT78X_MASK;
        st           goor/domain62" class="l="Lnef="+code=profile" cl/a0" /d="L260" clieGFP>ref="+code=prohode=e" class=name;
 252

 262" class="l="L1me=ucode=profile" class="__seme=ucode=profl= name;
n3="line" n3me="L209"> 209)) {
n3="line" n3me="L209"> 209;
cxrdede=new_profile"errcl_proc cef>n3="line" n3me="L209"> 209NULL;
 258


