profile_transition

Name:profile_transition

Proto:static struct aa_label *profile_transition(struct aa_profile *profile, const struct linux_binprm *bprm, char *buffer, struct path_cond *cond, bool *secure_exec)

Type:struct aa_label

Parameter:

Type	Parameter	Name
struct aa_profile *	profile
const struct linux_binprm *	bprm
char *	buffer
struct path_cond *	cond
bool *	secure_exec

622

struct aa_label * new = NULL

625

const char * info = NULL, * name = NULL, * target = NULL

626

state = start

627

struct aa_perms perms = {}

628

bool nonewprivs = false

629

error = 0

631

AA_BUG(!profile)

632

AA_BUG(!bprm)

633

AA_BUG(!buffer)

635

error = aa_path_name - get the pathname to a buffer ensure dir / is appended*@path: path the file (NOT NULL)*@flags: flags controlling path name generation*@buffer: buffer to put name in (NOT NULL)*@name: Returns - the generated path name if !error (NOT

637

If error Then

638

If profile_unconfined(profile) || flags & fallback to ix on name lookup fail Then

640

AA_DEBUG("name lookup ix on error")

641

error = 0

642

new = aa_get_newest_label - find the newest version of @l*@l: the label to check for newer versions of* Returns: refcounted newest version of @l taking into account* replacement, renames and removals* return @l.

644

name = Name of binary as seen by procps

645

Go to audit

648

If profile_unconfined(profile) Then

649

new = d_attach - do attachment search for unconfined processes*@bprm - binprm structure of transitioning task*@ns: the current namespace (NOT NULL)*@head - profile list to walk (NOT NULL)*@name - to match against (NOT NULL)*@info - info message if there was an

651

If new Then

652

AA_DEBUG("unconfined attached to new label")

653

Return new

655

AA_DEBUG("unconfined exec no attachment")

656

Return aa_get_newest_label - find the newest version of @l*@l: the label to check for newer versions of* Returns: refcounted newest version of @l taking into account* replacement, renames and removals* return @l.

660

state = aa_str_perms - find permission that match @name*@dfa: to match against (MAYBE NULL)*@state: state to start matching in*@name: string to match against dfa (NOT NULL)*@cond: conditions to consider for permission set computation (NOT NULL)*@perms: Returns -

661

If allow & MAY_EXEC Then

663

new = x_to_label - get target label for a given xindex*@profile: current profile (NOT NULL)*@bprm: binprm structure of transitioning task*@name: name to lookup (NOT NULL)*@xindex: index into x transition table*@lookupname: returns: name used in lookup if one

665

If new && proxy == proxy && info Then

667

Go to audit

668

Else if Not new Then

669

error = -EACCES

670

info = "profile transition not found"

672

allow &= ~MAY_EXEC

673

Else

678

If aa_xattrs_match - check whether a file matches the xattrs defined in profile*@bprm: binprm struct for the process to validate*@profile: profile to match against (NOT NULL)*@state: state to start match in* Returns: number of extended attributes that < 0 Then

680

error = -EACCES

681

info = "required xattrs not present"

682

allow &= ~MAY_EXEC

683

aa_put_label(new)

684

new = NULL

685

Go to audit

689

Else if COMPLAIN_MODE(profile) Then

691

struct aa_profile * new_profile = NULL

693

new_profile = aa_new_null_profile - create or find a null-X learning profile*@parent: profile that caused this profile to be created (NOT NULL)*@hat: true if the null- learning profile is a hat*@base: name to base the null profile off of*@gfp: type of allocation

695

If Not new_profile Then

696

error = -ENOMEM

697

info = "could not create null profile"

698

Else

699

error = -EACCES

700

new = label

702

Reserved: * u32 subtree; / * set only when allow is set * / |= AA_X_UNSAFE

703

Else error = -EACCES

707

If Not new Then Go to audit

711

If Not ( Reserved: * u32 subtree; / * set only when allow is set * / & AA_X_UNSAFE) Then

712

If DEBUG remains global (no per profile flag) since it is mostly used in sysctl* which is not related to profile accesses. Then

713

dbg_printk("apparmor: scrubbing environment variables for %s profile=", name)

715

aa_label_printk(new, GFP_KERNEL)

716

dbg_printk("\n")

718

* secure_exec = true

721

audit :

722

aa_audit_file - handle the auditing of file operations*@profile: the profile being enforced (NOT NULL)*@perms: the permissions computed for the request (NOT NULL)*@op: operation being mediated*@request: permissions requested*@name: name of object being

724

If Not new || nonewprivs Then

725

aa_put_label(new)

726

Return ERR_PTR(error)

729

Return new

**Caller**
Name	Describe
handle_onexec	sure none ns domain transitions are correctly applied with onexec
apparmor_bprm_set_creds	apparmor_bprm_set_creds - set the new creds on the bprm struct@bprm: binprm for the exec (NOT NULL) Returns: %0 or error on failure* TODO: once the other paths are done see if we can't refactor into a fn

Source code conversion tool public plug-in interface	X
Support c/c++/esqlc/java Oracle/Informix/Mysql Plug-in can realize: logical Report Code generation and batch code conversion

Function report