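/* Generic af perm */
/**
 * aa_profile_af_perm - check @profile for permission on an address-family op
 * @profile: profile to check against (NOT NULL)
 * @sa: audit data to report with
 * @request: permission bits being requested
 * @family: address family of the socket
 * @type: socket type
 *
 * Builds a 4-byte, big-endian <family, type> key, matches it against the
 * profile's policy dfa from the AA_CLASS_NET start state and checks the
 * resulting permissions against @request.
 *
 * Returns: 0 if allowed (or mediation does not apply), else error as
 * returned by aa_check_perms().
 */
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
		       u32 request, u16 family, int type)
{
	struct aa_perms perms = { };
	unsigned int state;
	__be16 buffer[2];

	/*
	 * NOTE(review): AA_BUG is (presumably) a debug-only assertion and may
	 * compile to nothing; the values are only used below as dfa input
	 * bytes, never as array indices, so an out-of-range value cannot
	 * index out of bounds here.
	 */
	AA_BUG(family >= AF_MAX);
	AA_BUG(type < 0 || type >= SOCK_MAX);

	/* unconfined profiles are never mediated */
	if (profile_unconfined(profile))
		return 0;
	/* a profile that does not mediate the net class allows everything */
	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
	if (!state)
		return 0;

	/* key bytes are big-endian so the policy encoding is host-independent */
	buffer[0] = cpu_to_be16(family);
	buffer[1] = cpu_to_be16((u16) type);
	/* match length is tied to the key buffer instead of a literal 4 */
	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
				 sizeof(buffer));
	aa_compute_perms(profile->policy.dfa, state, &perms);
	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}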
/* TODO: update to handle compound name&name2, conditionals */
/**
 * profile_match_signal - compute @profile's permissions for @signal to @label
 * @profile: profile whose policy is consulted (NOT NULL)
 * @label: label string of the peer, matched after the signal byte
 * @signal: signal number fed to the dfa as the first input
 * @perms: output permission set (NOT NULL)
 *
 * Walks the policy dfa from the AA_CLASS_SIGNAL start state: first the
 * @signal transition, then @label.  When the profile has no dfa, @perms is
 * zeroed.
 */
static void profile_match_signal(struct aa_profile *profile, const char *label,
				 int signal, struct aa_perms *perms)
{
	unsigned int state;

	/* no policy dfa: hand back a zeroed permission set */
	if (!profile->policy.dfa) {
		memset(perms, 0, sizeof(*perms));
		return;
	}

	/* TODO: secondary cache check <profile, profile, perm> */
	state = aa_dfa_next(profile->policy.dfa,
			    profile->policy.start[AA_CLASS_SIGNAL], signal);
	state = aa_dfa_match(profile->policy.dfa, state, label);
	aa_compute_perms(profile->policy.dfa, state, perms);
}
/**
 * aa_profile_match_label - compute @profile's permissions for @label
 * @profile: profile whose policy is consulted (NOT NULL)
 * @label: label string to match after the type byte
 * @type: type value fed to the dfa as the first input
 * @perms: output permission set (NOT NULL)
 *
 * Walks the policy dfa from the AA_CLASS_LABEL start state: first the
 * @type transition, then @label.  When the profile has no dfa, @perms is
 * zeroed.
 */
void aa_profile_match_label(struct aa_profile *profile, const char *label,
			    int type, struct aa_perms *perms)
{
	/* TODO: doesn't yet handle extended types */
	unsigned int state;

	/* no policy dfa: hand back a zeroed permission set */
	if (!profile->policy.dfa) {
		memset(perms, 0, sizeof(*perms));
		return;
	}

	state = aa_dfa_next(profile->policy.dfa,
			    profile->policy.start[AA_CLASS_LABEL], type);
	state = aa_dfa_match(profile->policy.dfa, state, label);
	aa_compute_perms(profile->policy.dfa, state, perms);
}