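/**
 * match_mnt_flags - Do an ordered match on mount flags
 * @dfa: dfa to match against
 * @state: state to start in
 * @flags: mount flags to match against
 *
 * Mount flags are encoded as an ordered match. This is done instead of
 * checking against a simple bitmask, to allow for logical operations
 * on the flags.
 *
 * Only bits 0-31 of @flags are examined, lowest bit first. For every set
 * bit i the dfa is advanced once with the input value i + 1; clear bits
 * leave the state untouched.
 *
 * Returns: next state after flags match
 */
static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
				    unsigned long flags)
{
	unsigned int i;

	for (i = 0; i <= 31; ++i) {
		/*
		 * The mask must be built as unsigned long. With a plain int,
		 * "1 << 31" overflows the signed type, and the resulting
		 * negative value is sign-extended when converted for the AND
		 * wherever unsigned long is wider than int, so any of the
		 * upper bits of @flags would be mistaken for bit 31 and feed
		 * a spurious input into the policy match.
		 */
		if ((1UL << i) & flags)
			state = aa_dfa_next(dfa, state, i + 1);
	}

	return state;
}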
/* TODO: update to handle compound name&name2, conditionals */
/**
 * profile_match_signal - compute the perms a profile's policy yields for a signal
 * @profile: profile whose policy dfa is consulted
 * @label: string matched against the dfa after the signal input
 * @signal: value fed to the dfa as the first input after the signal class start
 * @perms: output; overwritten in every case
 *
 * When the profile has a policy dfa, the walk starts at the state stored for
 * AA_CLASS_SIGNAL, consumes @signal, then matches @label, and the final state
 * is turned into @perms by aa_compute_perms(). When there is no policy dfa,
 * @perms is zero-filled instead.
 *
 * NOTE(review): @signal is not range-checked here; callers are presumably
 * expected to pass a value that is a valid dfa input - confirm.
 */
static void profile_match_signal(struct aa_profile *profile, const char *label,
				 int signal, struct aa_perms *perms)
{
	unsigned int cur;

	/* No policy dfa to walk: report an all-zero perms set and stop. */
	if (!profile->policy.dfa) {
		memset(perms, 0, sizeof(*perms));
		return;
	}

	/* TODO: secondary cache check <profile, profile, perm> */
	cur = profile->policy.start[AA_CLASS_SIGNAL];
	cur = aa_dfa_next(profile->policy.dfa, cur, signal);
	cur = aa_dfa_match(profile->policy.dfa, cur, label);

	aa_compute_perms(profile->policy.dfa, cur, perms);
}
/**
 * aa_profile_match_label - compute the perms a profile's policy yields for a label
 * @profile: profile whose policy dfa is consulted
 * @label: string matched against the dfa after the type input
 * @type: value fed to the dfa as the first input after the label class start
 * @perms: output; overwritten in every case
 *
 * With a policy dfa present, the walk begins at the state stored for
 * AA_CLASS_LABEL, consumes @type, matches @label, and aa_compute_perms()
 * fills @perms from the resulting state. Without a policy dfa, @perms is
 * zero-filled.
 */
void aa_profile_match_label(struct aa_profile *profile, const char *label,
			    int type, struct aa_perms *perms)
{
	/* TODO: doesn't yet handle extended types */
	unsigned int end_state;

	if (!profile->policy.dfa) {
		/* Nothing to match against: hand back zeroed perms. */
		memset(perms, 0, sizeof(*perms));
		return;
	}

	/* Inner call consumes @type from the class start; outer matches @label. */
	end_state = aa_dfa_match(profile->policy.dfa,
				 aa_dfa_next(profile->policy.dfa,
					     profile->policy.start[AA_CLASS_LABEL],
					     type),
				 label);

	aa_compute_perms(profile->policy.dfa, end_state, perms);
}
/**
 * profile_signal_perm - check whether a profile may signal a peer label
 * @profile: profile the request is checked against
 * @peer: label of the signal's target; recorded in the audit data
 * @request: permission bits being requested
 * @sa: audit data; supplies the signal number and receives @peer
 *
 * Returns 0 straight away, without consulting the policy dfa, when the
 * profile is unconfined or does not mediate AA_CLASS_SIGNAL. Otherwise the
 * dfa is advanced from the signal class start with the signal number taken
 * from @sa, @peer is matched from that state by aa_label_match(), the
 * profile's modes are applied to the resulting perms, and the value of
 * aa_check_perms() is returned.
 *
 * NOTE(review): perms is not initialised here; this relies on
 * aa_label_match() filling it on every path - confirm against its
 * definition. The meaning of the "false" argument is likewise defined by
 * aa_label_match(), which is not visible here.
 */
static int profile_signal_perm(struct aa_profile *profile,
			       struct aa_label *peer, u32 request,
			       struct common_audit_data *sa)
{
	struct aa_perms perms;
	unsigned int sig_state;

	/* Early exits: nothing is audited or matched on these paths. */
	if (profile_unconfined(profile))
		return 0;
	if (!PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))
		return 0;

	aad(sa)->peer = peer;

	/* TODO: secondary cache check <profile, profile, perm> */
	sig_state = aa_dfa_next(profile->policy.dfa,
				profile->policy.start[AA_CLASS_SIGNAL],
				aad(sa)->signal);

	aa_label_match(profile, peer, sig_state, false, request, &perms);
	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_signal_cb);
}