*
* Returns: permission set
*/
-static struct file_perms change_profile_perms(struct aa_profile *profile,
- struct aa_ns *ns,
- const char *name, u32 request,
- unsigned int start)
+static struct aa_perms change_profile_perms(struct aa_profile *profile,
+ struct aa_ns *ns,
+ const char *name, u32 request,
+ unsigned int start)
{
- struct file_perms perms;
+ struct aa_perms perms;
struct path_cond cond = { };
unsigned int state;
struct aa_ns *ns;
char *buffer = NULL;
unsigned int state;
- struct file_perms perms = {};
+ struct aa_perms perms = {};
struct path_cond cond = {
file_inode(bprm->file)->i_uid,
file_inode(bprm->file)->i_mode
/* find exec permissions for name */
state = aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
if (ctx->onexec) {
- struct file_perms cp;
+ struct aa_perms cp;
info = "change_profile onexec";
new_profile = aa_get_newest_profile(ctx->onexec);
if (!(perms.allow & AA_MAY_ONEXEC))
struct aa_profile *profile, *previous_profile, *hat = NULL;
char *name = NULL;
int i;
- struct file_perms perms = {};
+ struct aa_perms perms = {};
const char *target = NULL, *info = NULL;
int error = 0;
{
const struct cred *cred;
struct aa_profile *profile, *target = NULL;
- struct file_perms perms = {};
+ struct aa_perms perms = {};
const char *info = NULL, *op;
int error = 0;
u32 request;
#include "include/path.h"
#include "include/policy.h"
-struct file_perms nullperms;
-
static u32 map_mask_to_chr_mask(u32 mask)
{
u32 m = mask & PERMS_CHRS_MASK;
*
* Returns: %0 or error on failure
*/
-int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
+int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
const char *op, u32 request, const char *name,
const char *target, kuid_t ouid, const char *info, int error)
{
}
/**
- * compute_perms - convert dfa compressed perms to internal perms
+ * aa_compute_fperms - convert dfa compressed perms to internal perms
* @dfa: dfa to compute perms for (NOT NULL)
* @state: state in dfa
* @cond: conditions to consider (NOT NULL)
*
* Returns: computed permission set
*/
-static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
- struct path_cond *cond)
+struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
+ struct path_cond *cond)
{
- struct file_perms perms;
+ struct aa_perms perms;
/* FIXME: change over to new dfa format
* currently file perms are encoded in the dfa, new format
* splits the permissions from the dfa. This mapping can be
* done at profile load
*/
- perms.kill = 0;
+ perms.deny = 0;
+ perms.kill = perms.stop = 0;
+ perms.complain = perms.cond = 0;
+ perms.hide = 0;
+ perms.prompt = 0;
if (uid_eq(current_fsuid(), cond->uid)) {
perms.allow = map_old_perms(dfa_user_allow(dfa, state));
*/
unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
const char *name, struct path_cond *cond,
- struct file_perms *perms)
+ struct aa_perms *perms)
{
unsigned int state;
- if (!dfa) {
- *perms = nullperms;
- return DFA_NOMATCH;
- }
-
state = aa_dfa_match(dfa, start, name);
- *perms = compute_perms(dfa, state, cond);
+ *perms = aa_compute_fperms(dfa, state, cond);
return state;
}
struct path_cond *cond)
{
char *buffer = NULL;
- struct file_perms perms = {};
+ struct aa_perms perms = {};
const char *name, *info = NULL;
int error;
};
char *buffer = NULL, *buffer2 = NULL;
const char *lname, *tname = NULL, *info = NULL;
- struct file_perms lperms, perms;
+ struct aa_perms lperms, perms;
u32 request = AA_MAY_LINK;
unsigned int state;
int error;
umode_t mode;
};
-/* struct file_perms - file permission
- * @allow: mask of permissions that are allowed
- * @audit: mask of permissions to force an audit message for
- * @quiet: mask of permissions to quiet audit messages for
- * @kill: mask of permissions that when matched will kill the task
- * @xindex: exec transition index if @allow contains MAY_EXEC
- *
- * The @audit and @queit mask should be mutually exclusive.
- */
-struct file_perms {
- u32 allow;
- u32 audit;
- u32 quiet;
- u32 kill;
- u16 xindex;
-};
-
-extern struct file_perms nullperms;
-
#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
/* FIXME: split perms from dfa and match this to description
#define dfa_other_xindex(dfa, state) \
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
-int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
+int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
const char *op, u32 request, const char *name,
const char *target, kuid_t ouid, const char *info, int error);
/* TODO: add delegate table */
};
+struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
+ struct path_cond *cond);
unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
const char *name, struct path_cond *cond,
- struct file_perms *perms);
+ struct aa_perms *perms);
int aa_path_perm(const char *op, struct aa_profile *profile,
const struct path *path, int flags, u32 request,
};
#define ALL_PERMS_MASK 0xffffffff
-
+extern struct aa_perms nullperms;
extern struct aa_perms allperms;
struct aa_profile;
#include "include/perms.h"
#include "include/policy.h"
+struct aa_perms nullperms;
struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
.quiet = ALL_PERMS_MASK,
.hide = ALL_PERMS_MASK };