Function Logic Report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code: security\apparmor\domain.c    Create Date: 2022-07-27 21:31:02
Last Modify: 2020-03-12 14:18:49    Copyright © Brick

Function name: profile_transition

Function prototype: static struct aa_label *profile_transition(struct aa_profile *profile, const struct linux_binprm *bprm, char *buffer, struct path_cond *cond, bool *secure_exec)

Return type: struct aa_label *

Parameters:

Type and parameter name
struct aa_profile *profile
const struct linux_binprm *bprm
char *buffer
struct path_cond *cond
bool *secure_exec
622  struct aa_label *new = NULL
625  const char *info = NULL, *name = NULL, *target = NULL
626  state = start
627  struct aa_perms perms = {}
628  bool nonewprivs = false
629  error = 0
631  AA_BUG(!profile)
632  AA_BUG(!bprm)
633  AA_BUG(!buffer)
635  error = aa_path_name  (get the pathname to a buffer, ensure dir / is appended; @name returns the generated path name if !error)
637  if error
640    AA_DEBUG("name lookup ix on error")
641    error = 0
644    name = name of binary as seen by procps
645    goto: audit
648  if profile_unconfined(profile) then
649    new = d_attach  (do attachment search for unconfined processes; @bprm: binprm structure of transitioning task, @ns: the current namespace, @head: profile list to walk, @name: to match against)
651    if new
652      AA_DEBUG("unconfined attached to new label")
653      return: new
655    AA_DEBUG("unconfined exec no attachment")
656    return: aa_get_newest_label  (find the newest version of @l, taking replacement, renames and removals into account; returns a refcounted newest version of @l)
660  state = aa_str_perms  (find the permissions that match @name in the dfa, starting in @state; @perms returns the computed permission set)
661  if allow & MAY_EXEC
663    new = x_to_label  (get target label for a given xindex; @xindex: index into x transition table)
665    if new->proxy == proxy && info
667      goto: audit
668    else if !new
669      error = -EACCES
670      info = "profile transition not found"
672      allow &= ~MAY_EXEC
673    else
680      error = -EACCES
681      info = "required xattrs not present"
682      allow &= ~MAY_EXEC
683      aa_put_label(new)
684      new = NULL
685      goto: audit
689  else if COMPLAIN_MODE(profile) then
691    struct aa_profile *new_profile = NULL
693    new_profile = aa_new_null_profile  (create or find a null-X learning profile; @parent: profile that caused this profile to be created, @hat: true if the null learning profile is a hat, @base: name to base the null profile off of, @gfp: type of allocation)
695    if !new_profile
696      error = -ENOMEM
697      info = "could not create null profile"
698    else
699      error = -EACCES
700      new = label
702    xindex |= AA_X_UNSAFE
703  else error = -EACCES
707  if !new then goto: audit
711  if !(xindex & AA_X_UNSAFE) then
713    dbg_printk("apparmor: scrubbing environment variables for %s profile=", name)
716    dbg_printk("\n")
718    *secure_exec = true
721  audit:
722  aa_audit_file  (handle the auditing of file operations; @profile: the profile being enforced, @perms: the permissions computed for the request, @op: operation being mediated, @request: permissions requested, @name: name of the object)
724  if !new || nonewprivs
725    aa_put_label(new)
726    return: error
729  return: new
Callers

Name: description
handle_onexec: ensure none ns domain transitions are correctly applied with onexec
apparmor_bprm_set_creds: set the new creds on the bprm struct; @bprm: binprm for the exec (NOT NULL). Returns: %0 or error on failure. TODO: once the other paths are done see if we can't refactor into a fn