#include <linux/capability.h>
#include <linux/cred.h>
#include <linux/kref.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/socket.h>
#include "apparmor.h"
#include "audit.h"
#include "capability.h"
#include "domain.h"
#include "file.h"
#include "resource.h"
Go to the source code of this file.
|
| enum | profile_mode { APPARMOR_ENFORCE,
APPARMOR_COMPLAIN,
APPARMOR_KILL
} |
| |
| enum | profile_flags {
PFLAG_HAT = 1,
PFLAG_UNCONFINED = 2,
PFLAG_NULL = 4,
PFLAG_IX_ON_NAME_ERROR = 8,
PFLAG_IMMUTABLE = 0x10,
PFLAG_USER_DEFINED = 0x20,
PFLAG_NO_LIST_REF = 0x40,
PFLAG_OLD_NULL_TRANS = 0x100,
PFLAG_MEDIATE_DELETED = 0x10000
} |
| |
|
| void | aa_add_profile (struct aa_policy *common, struct aa_profile *profile) |
| |
| bool | aa_ns_visible (struct aa_namespace *curr, struct aa_namespace *view) |
| |
| const char * | aa_ns_name (struct aa_namespace *parent, struct aa_namespace *child) |
| |
| int | aa_alloc_root_ns (void) |
| |
| void | aa_free_root_ns (void) |
| |
| void | aa_free_namespace_kref (struct kref *kref) |
| |
| struct aa_namespace * | aa_find_namespace (struct aa_namespace *root, const char *name) |
| |
| struct aa_profile * | aa_alloc_profile (const char *name) |
| |
| struct aa_profile * | aa_new_null_profile (struct aa_profile *parent, int hat) |
| |
| void | aa_free_profile_kref (struct kref *kref) |
| |
| struct aa_profile * | aa_find_child (struct aa_profile *parent, const char *name) |
| |
| struct aa_profile * | aa_lookup_profile (struct aa_namespace *ns, const char *name) |
| |
| struct aa_profile * | aa_match_profile (struct aa_namespace *ns, const char *name) |
| |
| ssize_t | aa_replace_profiles (void *udata, size_t size, bool noreplace) |
| |
| ssize_t | aa_remove_profiles (char *name, size_t size) |
| |
| bool | aa_may_manage_policy (int op) |
| |
| #define APPARMOR_NAMES_MAX_INDEX 3 |
| #define COMPLAIN_MODE |
( |
|
_profile | ) |
|
| #define KILL_MODE |
( |
|
_profile | ) |
|
- Enumerator:
| PFLAG_HAT |
|
| PFLAG_UNCONFINED |
|
| PFLAG_NULL |
|
| PFLAG_IX_ON_NAME_ERROR |
|
| PFLAG_IMMUTABLE |
|
| PFLAG_USER_DEFINED |
|
| PFLAG_NO_LIST_REF |
|
| PFLAG_OLD_NULL_TRANS |
|
| PFLAG_MEDIATE_DELETED |
|
Definition at line 57 of file policy.h.
- Enumerator:
| APPARMOR_ENFORCE |
|
| APPARMOR_COMPLAIN |
|
| APPARMOR_KILL |
|
Definition at line 51 of file policy.h.
aa_alloc_profile - allocate, initialize and return a new profile : name of the profile (NOT NULL)
Returns: refcount profile or NULL on failure
Definition at line 644 of file policy.c.
aa_alloc_root_ns - allocate the root profile namespace
Returns: %0 on success else error
Definition at line 616 of file policy.c.
aa_free_namespace_kref - free aa_namespace by kref (see aa_put_namespace) : kref callback for freeing of a namespace (NOT NULL)
Definition at line 341 of file policy.c.
aa_free_profile_kref - free aa_profile by kref (called by aa_put_profile) : kref callback for freeing of a profile (NOT NULL)
Definition at line 785 of file policy.c.
aa_free_root_ns - free the root profile namespace
Definition at line 629 of file policy.c.
aa_lookup_profile - find a profile by its full or partial name : the namespace to start from (NOT NULL) : name to do lookup on. Does not contain namespace prefix (NOT NULL)
Returns: refcounted profile or NULL if not found
Definition at line 920 of file policy.c.
| bool aa_may_manage_policy |
( |
int |
op | ) |
|
aa_may_manage_policy - can the current task manage policy : the policy manipulation operation being done
Returns: true if the task is allowed to manipulate policy
Definition at line 1011 of file policy.c.
aa_new_null_profile - create a new null-X learning profile : profile that caused this profile to be created (NOT NULL) : true if the null- learning profile is a hat
Create a null- complain mode profile used in learning mode. The name of the profile is unique and follows the format of parent//null-sid.
null profiles are added to the profile list but the list does not hold a count on them so that they are automatically released when not in use.
Returns: new refcounted profile else NULL on failure
Definition at line 676 of file policy.c.
aa_na_name - Find the ns name to display for from - current namespace (NOT NULL) - namespace attempting to view (NOT NULL)
Returns: name of visible from
Definition at line 250 of file policy.c.
aa_ns_visible - test if is visible from : namespace to treat as the parent (NOT NULL) : namespace to test if visible from (NOT NULL)
Returns: true if is visible from else false
Definition at line 231 of file policy.c.
aa_remove_profiles - remove profile(s) from the system : name of the profile or namespace to remove (NOT NULL) : size of the name
Remove a profile or sub namespace from the current namespace, so that they can not be found anymore and mark them as replaced by unconfined
NOTE: removing confinement does not restore rlimits to preconfinemnet values
Returns: size of data consume else error code if fails
Definition at line 1152 of file policy.c.
aa_replace_profiles - replace profile(s) on the profile list : serialized data stream (NOT NULL) : size of the serialized data stream : true if only doing addition, no replacement allowed
unpack and replace a profile on the profile list and uses of that profile by any aa_task_cxt. If the profile does not exist on the profile list it is added.
Returns: size of data consumed else error code on failure.
Definition at line 1039 of file policy.c.
1.8.2