Linux Kernel  3.7.1
policy.c File Reference
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/string.h>
#include "include/apparmor.h"
#include "include/capability.h"
#include "include/context.h"
#include "include/file.h"
#include "include/ipc.h"
#include "include/match.h"
#include "include/path.h"
#include "include/policy.h"
#include "include/policy_unpack.h"
#include "include/resource.h"
#include "include/sid.h"


Functions

hname_tail - find the last component of an hname
- hname to find the base profile name component of (NOT NULL)
Returns: the tail (base profile name) name component of an hname

policy_init - initialize a policy structure
- policy to initialize (NOT NULL)
- prefix name if any is required (MAYBE NULL)
- name of the policy, init will make a copy of it (NOT NULL)
Note: this fn creates a copy of strings passed in
Returns: true if policy init successful

alloc_namespace - allocate, initialize and return a new namespace
- parent namespace name (MAYBE NULL)
- a preallocated name (NOT NULL)
Returns: refcounted namespace or NULL on failure.

void aa_free_namespace_kref(struct kref *kref)

- name of namespace to look for (NOT NULL)
Returns: unrefcounted namespace
Requires: ns lock be held

refcount released by caller

struct aa_namespace *aa_find_namespace(struct aa_namespace *root, const char *name)

- the namespace to find or add (MAYBE NULL)
Returns: refcounted namespace or NULL if failed to create one

int __init aa_alloc_root_ns(void)
void __init aa_free_root_ns(void)
struct aa_profile *aa_alloc_profile(const char *hname)
struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
void aa_free_profile_kref(struct kref *kref)

- name of profile (NOT NULL)
- length of the name substring to match
Requires: ns lock protecting list be held
Returns: unrefcounted profile ptr, or NULL if not found

- profile name to search for (NOT NULL)
Returns: a refcounted profile or NULL if not found

struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *hname)

aa_audit_policy - Do auditing of policy changes
- policy operation being performed
- memory allocation flags
- name of profile being manipulated (NOT NULL)
- any extra information to be audited (MAYBE NULL)
- error code
Returns: the error to be returned after audit is done

bool aa_may_manage_policy(int op)
ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
ssize_t aa_remove_profiles(char *fqname, size_t size)
bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)
const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)

Variables

struct aa_namespace *root_ns
const char *const profile_mode_names[]

Function Documentation

struct aa_profile *aa_alloc_profile(const char *hname)

aa_alloc_profile - allocate, initialize and return a new profile
hname: name of the profile (NOT NULL)

Returns: refcounted profile or NULL on failure

Definition at line 644 of file policy.c.

int __init aa_alloc_root_ns(void)

aa_alloc_root_ns - allocate the root profile namespace

Returns: %0 on success else error

Definition at line 616 of file policy.c.

struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)

Definition at line 832 of file policy.c.

struct aa_namespace *aa_find_namespace(struct aa_namespace *root, const char *name)

Definition at line 371 of file policy.c.

void aa_free_namespace_kref(struct kref *kref)

aa_free_namespace_kref - free aa_namespace by kref (see aa_put_namespace)
kref: kref callback for freeing of a namespace (NOT NULL)

Definition at line 341 of file policy.c.

void aa_free_profile_kref(struct kref *kref)

aa_free_profile_kref - free aa_profile by kref (called by aa_put_profile)
kref: kref callback for freeing of a profile (NOT NULL)

Definition at line 785 of file policy.c.

void __init aa_free_root_ns(void)

aa_free_root_ns - free the root profile namespace

Definition at line 629 of file policy.c.

struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *hname)

aa_lookup_profile - find a profile by its full or partial name
ns: the namespace to start from (NOT NULL)
hname: name to do lookup on. Does not contain namespace prefix (NOT NULL)

Returns: refcounted profile or NULL if not found

Definition at line 920 of file policy.c.

bool aa_may_manage_policy(int op)

aa_may_manage_policy - can the current task manage policy
op: the policy manipulation operation being done

Returns: true if the task is allowed to manipulate policy

Definition at line 1011 of file policy.c.

struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)

aa_new_null_profile - create a new null-X learning profile
parent: profile that caused this profile to be created (NOT NULL)
hat: true if the null-X learning profile is a hat

Create a null-X complain mode profile used in learning mode. The name of the profile is unique and follows the format of parent//null-sid.

Null profiles are added to the profile list, but the list does not hold a count on them, so that they are automatically released when not in use.

Returns: new refcounted profile else NULL on failure

Definition at line 676 of file policy.c.

const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)

aa_ns_name - find the ns name to display for view from curr
curr: current namespace (NOT NULL)
view: namespace attempting to view (NOT NULL)

Returns: name of view visible from curr

Definition at line 250 of file policy.c.

bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)

aa_ns_visible - test if view is visible from curr
curr: namespace to treat as the parent (NOT NULL)
view: namespace to test if visible from curr (NOT NULL)

Returns: true if view is visible from curr else false

Definition at line 231 of file policy.c.

ssize_t aa_remove_profiles(char *fqname, size_t size)

aa_remove_profiles - remove profile(s) from the system
fqname: name of the profile or namespace to remove (NOT NULL)
size: size of the name

Remove a profile or sub namespace from the current namespace, so that they can not be found anymore, and mark them as replaced by unconfined.

NOTE: removing confinement does not restore rlimits to preconfinement values

Returns: size of data consumed else error code if fails

Definition at line 1152 of file policy.c.

ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)

aa_replace_profiles - replace profile(s) on the profile list
udata: serialized data stream (NOT NULL)
size: size of the serialized data stream
noreplace: true if only doing addition, no replacement allowed

Unpack and replace a profile on the profile list and uses of that profile by any aa_task_cxt. If the profile does not exist on the profile list it is added.

Returns: size of data consumed else error code on failure.

Definition at line 1039 of file policy.c.

Variable Documentation

const char* const profile_mode_names[]
Initial value:
= {
"enforce",
"complain",
"kill",
}

Definition at line 96 of file policy.c.

struct aa_namespace* root_ns

Definition at line 94 of file policy.c.