linux/security/apparmor/file.c
<<
tionv2./spa > v2./form > v2.a tionv2 href="../linux+v3.7.7/security/apparmor/file.c">tionv2.img src="../.static/gfx/right.png" alt=">>">ti./spa >ti.spa class="lxr_search">tiontionv2.input typtiohidden" namtionavtarget" tionv2.input typtiotext" namtiosearch" idiosearch">tionv2.butt.14typtiosubmit">Search v2./form > ./spa >ti.spa class="lxr_prefs" > v2.a href="+prefs?return=security/apparmor/file.c"tionv2 onclick="return ajax_prefs();">tionv2Prefs> v2./a>ti./spa >onv2 2./div >onv2 2.form ac" ="ajax+*" method="post" onsubmit="return false;">ti.input typtiohidden" namtioajax_lookup" idioajax_lookup" tonv2 2./form >tonv2 2.div class="headingbott.m">
onv2
onv2 v2 2.div idiosearch_results" class="search_results"> v >onv2 2./div > .div idiocontent">> .div idiofile_contents"
2 21./a>.spa  class="comment">/*./spa  >2 22./a>.spa  class="comment"> * AppArmor security module./spa  >2 23./a>.spa  class="comment"> *./spa  >2 24./a>.spa  class="comment"> * This file contains AppArmor media32.14of files./spa  >2 25./a>.spa  class="comment"> *./spa  >2 26./a>.spa  class="comment"> * Copyright (C) 1998-2008 Novell/SUSE./spa  >2 27./a>.spa  class="comment"> * Copyright 2009-2010 Canonical Ltd../spa  >2 28./a>.spa  class="comment"> *./spa  >2 29./a>.spa  class="comment"> * This program is free software; you ca  redistribute it and/or./spa  >2 optia>.spa  class="comment"> * modify it under the terms4of the GNU General Public License as./spa  >2 11./a>.spa  class="comment"> * published by the Free Software Founda32.1, vers2.1424of the./spa  >2 12./a>.spa  class="comment"> * License../spa  >2 13./a>.spa  class="comment"> */./spa  >2 14./a>>2 15./a>#include "include/apparmor.h./a>">2 16./a>#include "include/audit.h./a>">2 17./a>#include "include/file.h./a>">2 18./a>#include "include/match.h./a>">2 19./a>#include "include/path.h./a>">2 20./a>#include "include/policy.h./a>">2 21./a>>2 22./a>struct2.a href="+code=file_perms" class="sref">file_perms./a>2.a href="+code=nullperms" class="sref">nullperms./a>;>2 23./a>>2 24./a>>2 25./a>.spa  class="comment">/**./spa  >2 26./a>.spa  class="comment"> * audit_file_mask - convert mask to permiss2.14string./spa  >2 27./a>.spa  class="comment"> * @buffer: buffer to write4string to (NOT NULL)./spa  >2 28./a>.spa  class="comment"> * @mask: permiss2.14mask to convert./spa  >2 29./a>.spa  class="comment"> */./spa  >2 30./a>static void2.a href="+code=audit_file_mask" class="sref">audit_file_mask./a>(struct2.a href="+code=audit_buffer" class="sref">audit_buffer./a>2*.a href="+code=ab" class="sref">ab./a>,2.a href="+code=u32" class="sref">u32./a>2.a href="+code=mask" class="sref">mask./a>)>2 31./a>{>2 32./a>22222222char2.a href="+code=str" class="sref">str./a>[10];>2 33./a>>2 34./a>22222222char2*.a href="+code=m" 
class="sref">m./a>2=2.a href="+code=str" class="sref">str./a>;>2 35./a>>2 36./a>22222222if (.a href="+code=mask" class="sref">mask./a> &2.a href="+code=AA_EXEC_MMAP" class="sref">AA_EXEC_MMAP./a>)>2 37./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'m'./spa  ;>2 38./a>22222222if (.a href="+code=mask" class="sref">mask./a> &2(.a href="+code=MAY_READ" class="sref">MAY_READ./a> |2.a href="+code=AA_MAY_META_READ" class="sref">AA_MAY_META_READ./a>))>2 39./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'r'./spa  ;>2 40./a>22222222if (.a href="+code=mask" class="sref">mask./a> &2(.a href="+code=MAY_WRITE" class="sref">MAY_WRITE./a> |2.a href="+code=AA_MAY_META_WRITE" class="sref">AA_MAY_META_WRITE./a> |2.a href="+code=AA_MAY_CHMOD" class="sref">AA_MAY_CHMOD./a> |>2 41./a>2222222222222222v2 2.a href="+code=AA_MAY_CHOWN" class="sref">AA_MAY_CHOWN./a>))>2 42./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'w'./spa  ;>2 43./a>22222222else2if (.a href="+code=mask" class="sref">mask./a> &2.a href="+code=MAY_APPEND" class="sref">MAY_APPEND./a>)>2 44./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'a'./spa  ;>2 45./a>22222222if (.a href="+code=mask" class="sref">mask./a> &2.a href="+code=AA_MAY_CREATE" class="sref">AA_MAY_CREATE./a>)>2 46./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'c'./spa  ;>2 47./a>22222222if (.a href="+code=mask" class="sref">mask./a> &2.a href="+code=AA_MAY_DELETE" class="sref">AA_MAY_DELETE./a>)>2 48./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'d'./spa  ;>2 49./a>22222222if (.a href="+code=mask" class="sref">mask./a> &2.a href="+code=AA_MAY_LINK" class="sref">AA_MAY_LINK./a>)>2 50./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'l'./spa  ;>2 51./a>22222222if (.a href="+code=mask" class="sref">mask./a> &2.a 
href="+code=AA_MAY_LOCK" class="sref">AA_MAY_LOCK./a>)>2 52./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'k'./spa  ;>2 53./a>22222222if (.a href="+code=mask" class="sref">mask./a> &2.a href="+code=MAY_EXEC" class="sref">MAY_EXEC./a>)>2 54./a>2222222222222222*.a href="+code=m" class="sref">m./a>++2=2.spa  class="string">'x'./spa  ;>2 55./a>22222222*.a href="+code=m" class="sref">m./a>2=2.spa  class="string">'\0'./spa  ;>2 56./a>>2 57./a>22222222.a href="+code=audit_log_string" class="sref">audit_log_string./a>(.a href="+code=ab" class="sref">ab./a>,2.a href="+code=str" class="sref">str./a>);>2 58./a>}>2 59./a>>2 6ptia>.spa  class="comment">/**./spa  >2 61./a>.spa  class="comment"> * file_audit_cb - call back for file specific audit fields./spa  >2 62./a>.spa  class="comment"> * @ab: audit_buffer  (NOT NULL)./spa  >2 63./a>.spa  class="comment"> * @va: audit struct2to audit 2 64./a>.spa  class="comment"> */./spa  >2 65./a>static void2.a href="+code=file_audit_cb" class="sref">file_audit_cb./a>(struct2.a href="+code=audit_buffer" class="sref">audit_buffer./a>2*.a href="+code=ab" class="sref">ab./a>,2void2*.a href="+code=va" class="sref">va./a>)>2 66./a>{>2 67./a>22222222struct2.a href="+code=common_audit_data" class="sref">common_audit_data./a>2*.a href="+code=sa" class="sref">sa./a>2=2.a href="+code=va" class="sref">va./a>;>2 68./a>22222222.a href="+code=kuid_t" class="sref">kuid_t./a>2.a href="+code=fsuid" class="sref">fsuid./a>2=2.a href="+code=current_fsuid" class="sref">current_fsuid./a>();>2 69./a>>2 70./a>22222222if (.a href="+code=sa" class="sref">sa./a>->.a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a> &2.a href="+code=AA_AUDIT_FILE_MASK" class="sref">AA_AUDIT_FILE_MASK./a>) {>2 71./a>2222222222222222.a href="+code=audit_log_format" class="sref">audit_log_format./a>(.a href="+code=ab" class="sref">ab./a>,2.spa  class="string">" 
reqptsted_mask="2 72./a>2222222222222222.a href="+code=audit_file_mask" class="sref">audit_file_mask./a>(.a href="+code=ab" class="sref">ab./a>,2.a href="+code=sa" class="sref">sa./a>->.a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>);>2 73./a>22222222}>2 74./a>22222222if (.a href="+code=sa" class="sref">sa./a>->.a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=denied" class="sref">denied./a> &2.a href="+code=AA_AUDIT_FILE_MASK" class="sref">AA_AUDIT_FILE_MASK./a>) {>2 75./a>2222222222222222.a href="+code=audit_log_format" class="sref">audit_log_format./a>(.a href="+code=ab" class="sref">ab./a>,2.spa  class="string">" denied_mask="2 76./a>2222222222222222.a href="+code=audit_file_mask" class="sref">audit_file_mask./a>(.a href="+code=ab" class="sref">ab./a>,2.a href="+code=sa" class="sref">sa./a>->.a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=denied" class="sref">denied./a>);>2 77./a>22222222}>2 78./a>22222222if (.a href="+code=sa" class="sref">sa./a>->.a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a> &2.a href="+code=AA_AUDIT_FILE_MASK" class="sref">AA_AUDIT_FILE_MASK./a>) {>2 79./a>2222222222222222.a href="+code=audit_log_format" class="sref">audit_log_format./a>(.a href="+code=ab" class="sref">ab./a>,2.spa  class="string">" fsuid=%d"2 80./a>222222222222222222222222222222222.a href="+code=from_kuid" class="sref">from_kuid./a>(&.a href="+code=init_user_ns" class="sref">init_user_ns./a>,2.a href="+code=fsuid" class="sref">fsuid./a>));>2 81./a>2222222222222222.a href="+code=audit_log_format" class="sref">audit_log_format./a>(.a href="+code=ab" class="sref">ab./a>,2.spa  class="string">" ouid=%d"2 82./a>222222222222222222222222222222222.a href="+code=from_kuid" class="sref">from_kuid./a>(&.a 
href="+code=init_user_ns" class="sref">init_user_ns./a>,2.a href="+code=sa" class="sref">sa./a>->.a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=ouid" class="sref">ouid./a>));>2 83./a>22222222}>2 84./a>>2 85./a>22222222if (.a href="+code=sa" class="sref">sa./a>->.a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=target" class="sref">target./a>) {>2 86./a>2222222222222222.a href="+code=audit_log_format" class="sref">audit_log_format./a>(.a href="+code=ab" class="sref">ab./a>,2.spa  class="string">" target="2 87./a>2222222222222222.a href="+code=audit_log_untrustedstring" class="sref">audit_log_untrustedstring./a>(.a href="+code=ab" class="sref">ab./a>,2.a href="+code=sa" class="sref">sa./a>->.a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=target" class="sref">target./a>);>2 88./a>22222222}>2 89./a>}>2 90./a>>2 91./a>.spa  class="comment">/**./spa  >2 92./a>.spa  class="comment"> * aa_audit_file - handle the auditing of file opera32.1s./spa  >2 93./a>.spa  class="comment"> * @profile: the profile being enforced  (NOT NULL)./spa  >2 94./a>.spa  class="comment"> * @perms: the permiss2.1s computed for the reqptst (NOT NULL)./spa  >2 95./a>.spa  class="comment"> * @gfp: alloca32.14flags./spa  >2 96./a>.spa  class="comment"> * @op: opera32.1 being media3ed./spa  >2 97./a>.spa  class="comment"> * @reqptst: permiss2.1s reqptsted./spa  >2 98./a>.spa  class="comment"> * @namt: namt of object being media3ed (MAYBE NULL)./spa  >2 99./a>.spa  class="comment"> * @target: namt of target (MAYBE NULL)./spa  >2100./a>.spa  class="comment"> * @ouid: object uid./spa  >2101./a>.spa  class="comment"> * @info: extra informat2.14message (MAYBE NULL)./spa  >2102./a>.spa  class="comment"> * @error: 02if opera32.1 allowed else2failure error code./spa  >2103./a>.spa  class="comment"> *./spa  >2104./a>.spa  class="comment"> * Returns: %0 or error 
.14failure./spa  >2105./a>.spa  class="comment"> */./spa  >2106./a>int2.a href="+code=aa_audit_file" class="sref">aa_audit_file./a>(struct2.a href="+code=aa_profile" class="sref">aa_profile./a>2*.a href="+code=profile" class="sref">profile./a>,2struct2.a href="+code=file_perms" class="sref">file_perms./a>2*.a href="+code=perms" class="sref">perms./a>,>2107./a>222222222222222222.a href="+code=gfp_t" class="sref">gfp_t./a>2.a href="+code=gfp" class="sref">gfp./a>,2int2.a href="+code=op" class="sref">op./a>,2.a href="+code=u32" class="sref">u32./a>2.a href="+code=reqptst" class="sref">reqptst./a>, const char2*.a href="+code=namt" class="sref">namt./a>,>2108./a>2222222222222222  const char2*.a href="+code=target" class="sref">target./a>,2.a href="+code=kuid_t" class="sref">kuid_t./a>2.a href="+code=ouid" class="sref">ouid./a>, const char2*.a href="+code=info" class="sref">info./a>,2int2.a href="+code=error" class="sref">error./a>)>2109./a>{>2110./a>22222222int2.a href="+code=typt" class="sref">typt./a>2=2.a href="+code=AUDIT_APPARMOR_AUTO" class="sref">AUDIT_APPARMOR_AUTO./a>;>2111./a>22222222struct2.a href="+code=common_audit_data" class="sref">common_audit_data./a>2.a href="+code=sa" class="sref">sa./a>;>2112./a>22222222struct2.a href="+code=apparmor_audit_data" class="sref">apparmor_audit_data./a>2.a href="+code=aad" class="sref">aad./a>2=2{0,};>2113./a>22222222.a href="+code=sa" class="sref">sa./a>..a href="+code=typt" class="sref">typt./a>2=2.a href="+code=LSM_AUDIT_DATA_NONE" class="sref">LSM_AUDIT_DATA_NONE./a>;>2114./a>22222222.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>2=2&.a href="+code=aad" class="sref">aad./a>;>2115./a>22222222.a href="+code=aad" class="sref">aad./a>..a href="+code=op" class="sref">op./a>2=2.a href="+code=op" class="sref">op./a>,>2116./a>22222222.a href="+code=aad" class="sref">aad./a>..a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a> =2.a href="+code=reqptst" 
class="sref">reqptst./a>;>2117./a>22222222.a href="+code=aad" class="sref">aad./a>..a href="+code=namt" class="sref">namt./a> =2.a href="+code=namt" class="sref">namt./a>;>2118./a>22222222.a href="+code=aad" class="sref">aad./a>..a href="+code=fs" class="sref">fs./a>..a href="+code=target" class="sref">target./a> =2.a href="+code=target" class="sref">target./a>;>2119./a>22222222.a href="+code=aad" class="sref">aad./a>..a href="+code=fs" class="sref">fs./a>..a href="+code=ouid" class="sref">ouid./a>2=2.a href="+code=ouid" class="sref">ouid./a>;>2120./a>22222222.a href="+code=aad" class="sref">aad./a>..a href="+code=info" class="sref">info./a>2=2.a href="+code=info" class="sref">info./a>;>2121./a>22222222.a href="+code=aad" class="sref">aad./a>..a href="+code=error" class="sref">error./a>2=2.a href="+code=error" class="sref">error./a>;>2122./a>>2123./a>22222222if (.a href="+code=likely" class="sref">likely./a>(!.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=error" class="sref">error./a>)) {>2124./a>2222222222222222.a href="+code=u32" class="sref">u32./a>2.a href="+code=mask" class="sref">mask./a> =2.a href="+code=perms" class="sref">perms./a>->.a href="+code=audit" class="sref">audit./a>;>2125./a>>2126./a>2222222222222222if (.a href="+code=unlikely" class="sref">unlikely./a>(.a href="+code=AUDIT_MODE" class="sref">AUDIT_MODE./a>(.a href="+code=profile" class="sref">profile./a>) ==2.a href="+code=AUDIT_ALL" class="sref">AUDIT_ALL./a>))>2127./a>222222222222222222222222.a href="+code=mask" class="sref">mask./a> =20xffff;>2128./a>>2129./a>2222222222222222.spa  class="comment">/*4mask off perms that are not being force audited */./spa  >2130./a>2222222222222222.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a> &=2.a href="+code=mask" class="sref">mask./a>;>2131./a>>2132./a>2222222222222222if (.a 
href="+code=likely" class="sref">likely./a>(!.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>))>2133./a>222222222222222222222222return 0;>2134./a>2222222222222222.a href="+code=typt" class="sref">typt./a>2=2.a href="+code=AUDIT_APPARMOR_AUDIT" class="sref">AUDIT_APPARMOR_AUDIT./a>;>2135./a>22222222} else2{>2136./a>2222222222222222.spa  class="comment">/*4only2report permiss2.1s that were denied */./spa  >2137./a>2222222222222222.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>2=2.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>2&2~.a href="+code=perms" class="sref">perms./a>->.a href="+code=allow" class="sref">allow./a>;>2138./a>>2139./a>2222222222222222if (.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>2&2.a href="+code=perms" class="sref">perms./a>->.a href="+code=kill" class="sref">kill./a>)>2140./a>222222222222222222222222.a href="+code=typt" class="sref">typt./a>2=2.a href="+code=AUDIT_APPARMOR_KILL" class="sref">AUDIT_APPARMOR_KILL./a>;>2141./a>>2142./a>2222222222222222.spa  class="comment">/*4quiet know  rejects, assumes4quiet and kill do not overlap */./spa  >2143./a>2222222222222222if ((.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>2&2.a href="+code=perms" class="sref">perms./a>->.a href="+code=quiet" class="sref">quiet./a>) &&>2144./a>22222222222222222222.a href="+code=AUDIT_MODE" class="sref">AUDIT_MODE./a>(.a href="+code=profile" class="sref">profile./a>) !=2.a 
href="+code=AUDIT_NOQUIET" class="sref">AUDIT_NOQUIET./a>2&&>2145./a>22222222222222222222.a href="+code=AUDIT_MODE" class="sref">AUDIT_MODE./a>(.a href="+code=profile" class="sref">profile./a>) !=2.a href="+code=AUDIT_ALL" class="sref">AUDIT_ALL./a>)>2146./a>222222222222222222222222.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>2&=2~.a href="+code=perms" class="sref">perms./a>->.a href="+code=quiet" class="sref">quiet./a>;>2147./a>>2148./a>2222222222222222if (!.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>)>2149./a>222222222222222222222222return .a href="+code=COMPLAIN_MODE" class="sref">COMPLAIN_MODE./a>(.a href="+code=profile" class="sref">profile./a>) ? 0 :2.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=error" class="sref">error./a>;>2150./a>22222222}>2151./a>>2152./a>22222222.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=denied" class="sref">denied./a> =2.a href="+code=sa" class="sref">sa./a>..a href="+code=aad" class="sref">aad./a>->.a href="+code=fs" class="sref">fs./a>..a href="+code=reqptst" class="sref">reqptst./a>2&2~.a href="+code=perms" class="sref">perms./a>->.a href="+code=allow" class="sref">allow./a>;>2153./a>22222222return .a href="+code=aa_audit" class="sref">aa_audit./a>(.a href="+code=typt" class="sref">typt./a>,2.a href="+code=profile" class="sref">profile./a>,2.a href="+code=gfp" class="sref">gfp./a>,2&.a href="+code=sa" class="sref">sa./a>,2.a href="+code=file_audit_cb" class="sref">file_audit_cb./a>);>2154./a>}>2155./a>>2156./a>.spa  class="comment">/**./spa  >2157./a>.spa  class="comment"> * map_old_perms - map old file perms layout2to the new layout./spa  
>2158./a>.spa  class="comment"> * @old: permiss2.14set in old mapping./spa  >2159./a>.spa  class="comment"> *./spa  >216ptia>.spa  class="comment"> * Returns: new permiss2.14mapping./spa  >2161./a>.spa  class="comment"> */./spa  >2162./a>static .a href="+code=u32" class="sref">u32./a>2.a href="+code=map_old_perms" class="sref">map_old_perms./a>(.a href="+code=u32" class="sref">u32./a>2.a href="+code=old" class="sref">old./a>)>2163./a>{>2164./a>22222222.a href="+code=u32" class="sref">u32./a>2.a href="+code=new" class="sref">new./a> =2.a href="+code=old" class="sref">old./a>2&20xf;>2165./a>22222222if (.a href="+code=old" class="sref">old./a>2&2.a href="+code=MAY_READ" class="sref">MAY_READ./a>)>2166./a>2222222222222222.a href="+code=new" class="sref">new./a> |=2.a href="+code=AA_MAY_META_READ" class="sref">AA_MAY_META_READ./a>;>2167./a>22222222if (.a href="+code=old" class="sref">old./a>2&2.a href="+code=MAY_WRITE" class="sref">MAY_WRITE./a>)>2168./a>2222222222222222.a href="+code=new" class="sref">new./a> |=2.a href="+code=AA_MAY_META_WRITE" class="sref">AA_MAY_META_WRITE./a> |2.a href="+code=AA_MAY_CREATE" class="sref">AA_MAY_CREATE./a> |2.a href="+code=AA_MAY_DELETE" class="sref">AA_MAY_DELETE./a> |>2169./a>222222222222222222222222.a href="+code=AA_MAY_CHMOD" class="sref">AA_MAY_CHMOD./a> |2.a href="+code=AA_MAY_CHOWN" class="sref">AA_MAY_CHOWN./a>;>2170./a>22222222if (.a href="+code=old" class="sref">old./a>2&20x10)>2171./a>2222222222222222.a href="+code=new" class="sref">new./a> |=2.a href="+code=AA_MAY_LINK" class="sref">AA_MAY_LINK./a>;>2172./a>22222222.spa  class="comment">/*4the old mapping lock and link_subset flags where overlaid./spa  >2173./a>.spa  class="comment">         * and use was determined by part of a pair that they were in./spa  >2174./a>.spa  class="comment">         */./spa  >2175./a>22222222if (.a href="+code=old" class="sref">old./a>2&20x20)>2176./a>2222222222222222.a href="+code=new" class="sref">new./a> |=2.a href="+code=AA_MAY_LOCK" 
class="sref">AA_MAY_LOCK./a> |2.a href="+code=AA_LINK_SUBSET" class="sref">AA_LINK_SUBSET./a>;>2177./a>22222222if (.a href="+code=old" class="sref">old./a>2&20x40)2.spa  class="comment">/*4AA_EXEC_MMAP */./spa  >2178./a>2222222222222222.a href="+code=new" class="sref">new./a> |=2.a href="+code=AA_EXEC_MMAP" class="sref">AA_EXEC_MMAP./a>;>2179./a>>2180./a>22222222return .a href="+code=new" class="sref">new./a>;>2181./a>}>2182./a>>2183./a>.spa  class="comment">/**./spa  >2184./a>.spa  class="comment"> * compute_perms - convert dfa compressed perms to2internal perms./spa  >2185./a>.spa  class="comment"> * @dfa: dfa to compute perms for   (NOT NULL)./spa  >2186./a>.spa  class="comment"> * @state: state in dfa./spa  >2187./a>.spa  class="comment"> * @cond:  conditi.1s to consider  (NOT NULL)./spa  >2188./a>.spa  class="comment"> *./spa  >2189./a>.spa  class="comment"> * TODO: convert from dfa + state to permiss2.14entry, do computa32.1 convers2.1./spa  >219ptia>.spa  class="comment"> *       at load time../spa  >2191./a>.spa  class="comment"> *./spa  >2192./a>.spa  class="comment"> * Returns: computed permiss2.14set./spa  >2193./a>.spa  class="comment"> */./spa  >2194./a>static struct2.a href="+code=file_perms" class="sref">file_perms./a>2.a href="+code=compute_perms" class="sref">compute_perms./a>(struct2.a href="+code=aa_dfa" class="sref">aa_dfa./a>2*.a href="+code=dfa" class="sref">dfa./a>, unsigned int2.a href="+code=state" class="sref">state./a>,>2195./a>222222222222222222222222222222222222222struct2.a href="+code=path_cond" class="sref">path_cond./a>2*.a href="+code=cond" class="sref">cond./a>)>2196./a>{>2197./a>22222222struct2.a href="+code=file_perms" class="sref">file_perms./a>2.a href="+code=perms" class="sref">perms./a>;>2198./a>>2199./a>22222222.spa  class="comment">/*4FIXME: change over to new dfa format./spa  >2200./a>.spa  class="comment">         * currently file perms are encoded in4the dfa, new format./spa  >2201./a>.spa  class="comment">         * 
splits the permiss2.1s from the dfa.  This mapping ca1 be./spa  >2202./a>.spa  class="comment">         * done at profile load./spa  >2203./a>.spa  class="comment">         */./spa  >2204./a>22222222.a href="+code=perms" class="sref">perms./a>..a href="+code=kill" class="sref">kill./a> =20;>2205./a>>2206./a>22222222if (.a href="+code=uid_eq" class="sref">uid_eq./a>(.a href="+code=current_fsuid" class="sref">current_fsuid./a>(),2.a href="+code=cond" class="sref">cond./a>->.a href="+code=uid" class="sref">uid./a>))2{>2207./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=allow" class="sref">allow./a> =2.a href="+code=map_old_perms" class="sref">map_old_perms./a>(.a href="+code=dfa_user_allow" class="sref">dfa_user_allow./a>(.a href="+code=dfa" class="sref">dfa./a>, .a href="+code=state" class="sref">state./a>));>2208./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=audit" class="sref">audit./a> =2.a href="+code=map_old_perms" class="sref">map_old_perms./a>(.a href="+code=dfa_user_audit" class="sref">dfa_user_audit./a>(.a href="+code=dfa" class="sref">dfa./a>, .a href="+code=state" class="sref">state./a>));>2209./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=quiet" class="sref">quiet./a> =2.a href="+code=map_old_perms" class="sref">map_old_perms./a>(.a href="+code=dfa_user_quiet" class="sref">dfa_user_quiet./a>(.a href="+code=dfa" class="sref">dfa./a>, .a href="+code=state" class="sref">state./a>));>2210./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=xindex" class="sref">xindex./a> =2.a href="+code=dfa_user_xindex" class="sref">dfa_user_xindex./a>(.a href="+code=dfa" class="sref">dfa./a>, .a href="+code=state" class="sref">state./a>);>2211./a>22222222} else2{>2212./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=allow" class="sref">allow./a> =2.a href="+code=map_old_perms" class="sref">map_old_perms./a>(.a 
href="+code=dfa_other_allow" class="sref">dfa_other_allow./a>(.a href="+code=dfa" class="sref">dfa./a>, .a href="+code=state" class="sref">state./a>));>2213./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=audit" class="sref">audit./a> =2.a href="+code=map_old_perms" class="sref">map_old_perms./a>(.a href="+code=dfa_other_audit" class="sref">dfa_other_audit./a>(.a href="+code=dfa" class="sref">dfa./a>, .a href="+code=state" class="sref">state./a>));>2214./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=quiet" class="sref">quiet./a> =2.a href="+code=map_old_perms" class="sref">map_old_perms./a>(.a href="+code=dfa_other_quiet" class="sref">dfa_other_quiet./a>(.a href="+code=dfa" class="sref">dfa./a>, .a href="+code=state" class="sref">state./a>));>2215./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=xindex" class="sref">xindex./a> =2.a href="+code=dfa_other_xindex" class="sref">dfa_other_xindex./a>(.a href="+code=dfa" class="sref">dfa./a>, .a href="+code=state" class="sref">state./a>);>2216./a>22222222}>2217./a>22222222.a href="+code=perms" class="sref">perms./a>..a href="+code=allow" class="sref">allow./a> |=2.a href="+code=AA_MAY_META_READ" class="sref">AA_MAY_META_READ./a>;>2218./a>>2219./a>22222222.spa  class="comment">/*4change_profile wasn't determined by ownership in old mapping */./spa  >2220./a>22222222if (.a href="+code=ACCEPT_TABLE" class="sref">ACCEPT_TABLE./a>(.a href="+code=dfa" class="sref">dfa./a>)[.a href="+code=state" class="sref">state./a>]2&20x80000000)>2221./a>2222222222222222.a href="+code=perms" class="sref">perms./a>..a href="+code=allow" class="sref">allow./a> |=2.a href="+code=AA_MAY_CHANGE_PROFILE" class="sref">AA_MAY_CHANGE_PROFILE./a>;>2222./a>22222222if (.a href="+code=ACCEPT_TABLE" class="sref">ACCEPT_TABLE./a>(.a href="+code=dfa" class="sref">dfa./a>)[.a href="+code=state" class="sref">state./a>]2&20x40000000)>2223./a>2222222222222222.a 
href="+code=perms" class="sref">perms./a>..a href="+code=allow" class="sref">allow./a> |=2.a href="+code=AA_MAY_ONEXEC" class="sref">AA_MAY_ONEXEC./a>;>2224./a>>2225./a>22222222return .a href="+code=perms" class="sref">perms./a>;>2226./a>}>2227./a>>2228./a>.spa  class="comment">/**./spa  >2229./a>.spa  class="comment"> * aa_str_perms - find permiss2.14that match @namt./spa  >2230./a>.spa  class="comment"> * @dfa: to match against  (MAYBE NULL)./spa  >2231./a>.spa  class="comment"> * @state: state to start matching in./spa  >2232./a>.spa  class="comment"> * @namt: string to match against dfa  (NOT NULL)./spa  >2233./a>.spa  class="comment"> * @cond: conditi.1s to consider for permiss2.14set computa32.1  (NOT NULL)./spa  >2234./a>.spa  class="comment"> * @perms: Returns - the permiss2.1s found when matching @namt./spa  >2235./a>.spa  class="comment"> *./spa  >2236./a>.spa  class="comment"> * Returns: the final state in @dfa when beginning @start and walking @namt./spa  >2237./a>.spa  class="comment"> */./spa  >2238./a>unsigned int2.a href="+code=aa_str_perms" class="sref">aa_str_perms./a>(struct2.a href="+code=aa_dfa" class="sref">aa_dfa./a>2*.a href="+code=dfa" class="sref">dfa./a>, unsigned int2.a href="+code=start" class="sref">start./a>,>2239./a>22222222222222222222222222const char2*.a href="+code=namt" class="sref">namt./a>,2struct2.a href="+code=path_cond" class="sref">path_cond./a>2*.a href="+code=cond" class="sref">cond./a>,>2240./a>22222222222222222222222222struct2.a href="+code=file_perms" class="sref">file_perms./a>2*.a href="+code=perms" class="sref">perms./a>)>2241./a>{>2242./a>22222222unsigned int2.a href="+code=state" class="sref">state./a>;>2243./a>22222222if (!.a href="+code=dfa" class="sref">dfa./a>)2{>2244./a>2222222222222222*.a href="+code=perms" class="sref">perms./a> =2.a href="+code=nullperms" class="sref">nullperms./a>;>2245./a>2222222222222222return .a href="+code=DFA_NOMATCH" 
DFA_NOMATCH;
	}

	/* aa_str_perms() continues from above: walk the dfa over @name from
	 * @start and translate the final state into a permission set. */
	state = aa_dfa_match(dfa, start, name);
	*perms = compute_perms(dfa, state, cond);

	return state;
}

/**
 * is_deleted - test if a file has been completely unlinked
 * @dentry: dentry of file to test for deletion  (NOT NULL)
 *
 * A file counts as deleted only when the dentry is unlinked AND the inode
 * has no remaining hard links; an unlinked dentry whose inode is still
 * reachable by another name does not qualify.  aa_path_perm() uses this to
 * decide whether an ENOENT from path lookup gets the implicit delegation.
 *
 * Returns: %1 if deleted else %0
 */
static inline bool is_deleted(struct dentry *dentry)
{
	if (d_unlinked(dentry) && dentry->d_inode->i_nlink == 0)
		return 1;
	return 0;
}

/**
 * aa_path_perm - do permissions check & audit for @path
 * @op: operation being checked
 * @profile: profile being enforced  (NOT NULL)
 * @path: path to check permissions of  (NOT NULL)
 * @flags: any additional path flags beyond what the profile specifies
 * @request: requested permissions
 * @cond: conditional info for this request  (NOT NULL)
 *
 * Every outcome, allowed or denied, is passed through aa_audit_file();
 * the return value is whatever the audit routine returns for that result.
 *
 * Returns: %0 else error if access denied or other error
 */
int aa_path_perm(int op, struct aa_profile *profile, struct path *path,
		 int flags, u32 request, struct path_cond *cond)
{
	char *buffer = NULL;
	struct file_perms perms = {};
	const char *name, *info = NULL;
	int error;

	/* Profile-wide path flags always apply; whether the object is a
	 * directory is folded into the flags so the generated name matches
	 * the form the policy was compiled against. */
	flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0);
	error = aa_path_name(path, flags, &buffer, &name, &info);
	if (error) {
		if (error == -ENOENT && is_deleted(path->dentry)) {
			/* Access to open files that are deleted are
			 * given a pass (implicit delegation): there is no
			 * path left for a rule to match, so the request is
			 * granted as-is and the lookup's @info is dropped.
			 */
			error = 0;
			info = NULL;
			perms.allow = request;
		}
		/* Any other lookup failure is audited below with @error
		 * and the zero permission set; @name is forwarded as left
		 * by aa_path_name() — NOTE(review): assumes it is always
		 * set on the error path, confirm against aa_path_name(). */
	} else {
		aa_str_perms(profile->file.dfa, profile->file.start, name, cond,
			     &perms);
		/* Deny if any requested bit is outside what the policy allows. */
		if (request & ~perms.allow)
			error = -EACCES;
	}
	error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name,
			      NULL, cond->uid, info, error);
	/* @name points into @buffer and is dead from here on. */
	kfree(buffer);

	return error;
}

/**
 * xindex_is_subset - helper for aa_path_link
 * @link: link permission set
 * @target: target permission set
 *
 * test target x permissions are equal OR a subset of link x permissions
 * this is done as part of the subset test, where a hardlink must have
 * a subset of permissions that the target has.
 *
 * Outside of the AA_X_UNSAFE bit the exec transitions must be identical;
 * an unsafe exec on the link is not accepted when the target's exec is
 * safe.  An unsafe target with a safe link is accepted.
 *
 * Returns: %1 if subset else %0
 */
static inline bool xindex_is_subset(u32 link, u32 target)
{
	if (((link & ~AA_X_UNSAFE) != (target & ~AA_X_UNSAFE)) ||
	    ((link & AA_X_UNSAFE) && !(target & AA_X_UNSAFE)))
		return 0;

	return 1;
}

/**
 * aa_path_link - Handle hard link permission check
 * @profile: the profile being enforced  (NOT NULL)
 * @old_dentry: the target dentry  (NOT NULL)
 * @new_dir: directory the new link will be created in  (NOT NULL)
 * @new_dentry: the link being created  (NOT NULL)
 *
 * Handle the permission test for a link & target pair.  Permission
 * is encoded as a pair where the link permission is determined
 * first, and if allowed, the target is tested.  The target test
 * is done from the point of the link match (not start of DFA)
 * making the target permission dependent on the link permission match.
 *
 * The subset test if required forces that permissions granted
 * on link are a subset of the permission granted to target.
 *
 * All exits go through the audit label: @lperms, @request and @info are
 * arranged so that the audit record reflects which stage denied the link.
 *
 * Returns: %0 if allowed else error
 */
int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
		 struct path *new_dir, struct dentry *new_dentry)
{
	/* Both paths are resolved on the mount of the new directory; the
	 * uid/mode used for conditional matching come from the target
	 * inode, which is what the link will share. */
	struct path link = { new_dir->mnt, new_dentry };
	struct path target = { new_dir->mnt, old_dentry };
	struct path_cond cond = {
		old_dentry->d_inode->i_uid,
		old_dentry->d_inode->i_mode
	};
	char *buffer = NULL, *buffer2 = NULL;
	const char *lname, *tname = NULL, *info = NULL;
	/* @perms is only read after the paired aa_str_perms() below sets
	 * it; every earlier exit audits @lperms alone. */
	struct file_perms lperms, perms;
	u32 request = AA_MAY_LINK;
	unsigned int state;
	int error;

	lperms = nullperms;

	/* buffer freed below, lname is pointer in buffer */
	error = aa_path_name(&link, profile->path_flags, &buffer, &lname,
			     &info);
	if (error)
		goto audit;

	/* buffer2 freed below, tname is pointer in buffer2 */
	error = aa_path_name(&target, profile->path_flags, &buffer2, &tname,
			     &info);
	if (error)
		goto audit;

	/* Default to denial; only the done_tests path clears it. */
	error = -EACCES;
	/* aa_str_perms - handles the case of the dfa being NULL */
	state = aa_str_perms(profile->file.dfa, profile->file.start, lname,
			     &cond, &lperms);

	if (!(lperms.allow & AA_MAY_LINK))
		goto audit;

	/* test to see if target can be paired with link: the target name is
	 * matched from the null transition out of the link's final state,
	 * not from the DFA start, so only targets the policy paired with
	 * this link rule can match here. */
	state = aa_dfa_null_transition(profile->file.dfa, state);
	aa_str_perms(profile->file.dfa, state, tname, &cond, &perms);

	/* force audit/quiet masks for link are stored in the second entry
	 * in the link pair.
	 */
	lperms.audit = perms.audit;
	lperms.quiet = perms.quiet;
	lperms.kill = perms.kill;

	if (!(perms.allow & AA_MAY_LINK)) {
		info = "target restricted";
		goto audit;
	}

	/* done if link subset test is not required */
	if (!(perms.allow & AA_LINK_SUBSET))
		goto done_tests;

	/* Do link perm subset test requiring allowed permission on link are a
	 * subset of the allowed permissions on target.  This time the target
	 * is matched from the DFA start, i.e. against its own rules rather
	 * than the link pair.
	 */
	aa_str_perms(profile->file.dfa, profile->file.start, tname, &cond,
		     &perms);

	/* AA_MAY_LINK is not considered in the subset test */
	request = lperms.allow & ~AA_MAY_LINK;
	lperms.allow &= perms.allow | AA_MAY_LINK;

	/* @request holds the link's original permissions while @lperms.allow
	 * has been reduced to the target's, so the check below denies
	 * exactly the link permissions the target does not also grant. */
	request |= AA_AUDIT_FILE_MASK & (lperms.allow & ~perms.allow);
	if (request & ~lperms.allow) {
		goto audit;
	} else if ((lperms.allow & MAY_EXEC) &&
		   !xindex_is_subset(lperms.xindex, perms.xindex)) {
		/* Exec permission alone is not enough; the exec transition
		 * itself must be compatible.  Report the denial on MAY_EXEC. */
		lperms.allow &= ~MAY_EXEC;
		request |= MAY_EXEC;
		info = "link not subset of target";
		goto audit;
	}

done_tests:
	error = 0;

audit:
	error = aa_audit_file(profile, &lperms, GFP_KERNEL, OP_LINK, request,
			      lname, tname, cond.uid, info, error);
	/* @lname and @tname point into the buffers and are dead after this. */
	kfree(buffer);
	kfree(buffer2);

	return error;
}

/**
 * aa_file_perm - do permission revalidation check & audit for @file
 * @op: operation being checked
 * @profile: profile being enforced   (NOT NULL)
 * @file: file to revalidate access permissions on  (NOT NULL)
 * @request: requested permissions
 *
 * Thin wrapper over aa_path_perm() for an already-open file: the
 * conditional info is taken from the file's own inode and
 * PATH_DELEGATE_DELETED is passed so that a file unlinked since it was
 * opened is handled by the deleted-file path of aa_path_perm().
 *
 * Returns: %0 if access allowed else error
 */
int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
		 u32 request)
{
	struct path_cond cond = {
		.uid = file->f_path.dentry->d_inode->i_uid,
		.mode = file->f_path.dentry->d_inode->i_mode
	};

	return aa_path_perm(op, profile, &file->f_path, PATH_DELEGATE_DELETED,
			    request, &cond);
}