Function Logic Report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code: security\selinux\avc.c    Create Date: 2022-07-27 20:17:52
Last Modify: 2020-03-12 14:18:49    Copyright © Brick

Function name: avc_has_perm - Check permissions and perform any appropriate auditing

Function prototype: int avc_has_perm(struct selinux_state *state, unsigned int ssid, unsigned int tsid, u16 tclass, unsigned int requested, struct common_audit_data *auditdata)
(the kernel header security/selinux/include/avc.h spells ssid, tsid and requested as u32, which is unsigned int on Linux; the site shows the typedef expanded)

Return type: int

Parameters:

Type                          Name
struct selinux_state *        state
unsigned int                  ssid
unsigned int                  tsid
u16                           tclass
unsigned int                  requested
struct common_audit_data *    auditdata
Function logic (the numbers are source line numbers in security/selinux/avc.c, v5.5.9):

1182  rc = avc_has_perm_noaudit(...): check permissions but perform no auditing
1185  rc2 = avc_audit(...): audit the granting or denial of permissions
1187  if rc2 is non-zero, return rc2
1189  return rc

The audit step is not optional: an error from avc_audit is returned in preference to the access-check result, so a failed audit write surfaces to the caller even when the permission itself was granted.
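To make the two-step shape concrete, the following is an added user-space model of this control flow; it is not the kernel's code. The policy table, the enforcing flag in the stand-in selinux_state, the FILE_* permission bits and the audit_sink_fail knob are all constructed for the example, and the helper functions reuse the kernel's names only to mirror the call sequence on this page (avc_has_perm_noaudit applying the avc_denied rule, avc_audit deciding which bits must be logged, slow_avc_audit as the record writer).

```c
/* Added example (not kernel code): user-space model of avc_has_perm().
 * sample_policy, selinux_state.enforcing, FILE_* and audit_sink_fail are
 * constructed stand-ins for the AVC cache, selinux_state and the audit log. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32; typedef uint16_t u16;

#define AVD_FLAGS_PERMISSIVE 0x0001u

/* Stand-in for the kernel's av_decision. */
struct av_decision {
    u32 allowed;     /* permission bits granted by policy */
    u32 auditallow;  /* bits to log when granted */
    u32 auditdeny;   /* bits to log when denied (dontaudit clears them) */
    u32 flags;
};

/* Stand-in for selinux_state: only the enforcing bit is modelled. */
struct selinux_state { int enforcing; };

/* Hypothetical permission bits for a hypothetical class 6 ("file"). */
#define FILE_READ  0x1u
#define FILE_WRITE 0x2u
#define FILE_EXEC  0x4u

/* Constructed sample policy keyed by (ssid, tsid, tclass). */
struct policy_entry { u32 ssid, tsid; u16 tclass; struct av_decision avd; };
static const struct policy_entry sample_policy[] = {
    /* subject 1 may read object 100 but not write it; denials are audited */
    { 1, 100, 6, { FILE_READ, 0, ~0u, 0 } },
    /* subject 2 is a permissive domain: nothing allowed, nothing enforced */
    { 2, 100, 6, { 0, 0, ~0u, AVD_FLAGS_PERMISSIVE } },
};

/* Model of avc_has_perm_noaudit(): fetch the decision, then apply the
 * avc_denied() rule: -EACCES only if enforcing and the domain is not permissive. */
static int avc_has_perm_noaudit(struct selinux_state *state, u32 ssid, u32 tsid,
                                u16 tclass, u32 requested, struct av_decision *avd)
{
    *avd = (struct av_decision){0};   /* unknown pair: nothing allowed */
    for (size_t i = 0; i < sizeof(sample_policy) / sizeof(sample_policy[0]); i++)
        if (sample_policy[i].ssid == ssid && sample_policy[i].tsid == tsid &&
            sample_policy[i].tclass == tclass)
            *avd = sample_policy[i].avd;

    u32 denied = requested & ~avd->allowed;
    if (!denied)
        return 0;
    if (state->enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
        return -EACCES;
    return 0;   /* permissive: report success, the denial is still audited */
}

/* Hypothetical audit sink standing in for slow_avc_audit(). */
static int audit_sink_fail;            /* set to 1 to simulate audit failure */
static u32 last_audited, last_denied;  /* what the last record would contain */

static int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 audited, u32 denied)
{
    last_audited = audited;
    last_denied = denied;
    if (audit_sink_fail)
        return -ENOMEM;   /* e.g. the audit buffer could not be allocated */
    printf("avc: %s { 0x%x } ssid=%u tsid=%u tclass=%u\n",
           denied ? "denied" : "granted", audited, ssid, tsid, tclass);
    return 0;
}

/* Model of avc_audit(): work out which bits must be logged and only take
 * the slow path when there is something to log. */
static int avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
                     const struct av_decision *avd, int result)
{
    u32 denied = requested & ~avd->allowed, audited;
    if (denied)
        audited = denied & avd->auditdeny;
    else if (result)
        audited = denied = requested;        /* check failed for another reason */
    else
        audited = requested & avd->auditallow;
    if (!audited)
        return 0;
    return slow_avc_audit(ssid, tsid, tclass, audited, denied);
}

/* The function documented on this page, with the same two-step shape. */
int avc_has_perm(struct selinux_state *state, u32 ssid, u32 tsid,
                 u16 tclass, u32 requested)
{
    struct av_decision avd;
    int rc, rc2;

    rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, &avd);
    rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc);
    if (rc2)
        return rc2;   /* an audit failure is returned in preference to rc */
    return rc;
}

int main(void)
{
    struct selinux_state enforcing = { 1 }, permissive = { 0 };
    printf("read  -> %d\n", avc_has_perm(&enforcing, 1, 100, 6, FILE_READ));
    printf("write -> %d\n", avc_has_perm(&enforcing, 1, 100, 6, FILE_WRITE));
    printf("write (permissive) -> %d\n", avc_has_perm(&permissive, 1, 100, 6, FILE_WRITE));
    return 0;
}
```

Two things the model makes visible that the line list does not: in permissive mode (global or per-domain) avc_has_perm_noaudit returns 0 although the access was not allowed by policy, so a zero return from avc_has_perm means "not enforced", not "allowed"; and a granted access that no auditallow rule covers never reaches the slow audit path at all, which is why the audit subsystem's failure mode only affects requests that actually produce a record.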
Callers

Name: Description
may_context_mount_sb_relabel
may_context_mount_inode_relabel
inode_has_perm: Check whether a task has a particular permission to an inode. The 'adp' parameter is optional and allows other auditdata to be passed (e.g. the dentry).
file_has_perm: Check whether a task can use an open file descriptor to access an inode in a given way. Check access to the descriptor itself, and then use dentry_has_perm to check a particular permission to the file. Access to the descriptor is implicitly granted if it
may_create: Check whether a task can create a file.
may_link: Check whether a task can link, unlink, or rmdir a file/directory.
may_rename
superblock_has_perm: Check whether a task can perform a filesystem operation.
selinux_binder_set_context_mgr: Hook functions begin here.
selinux_binder_transaction
selinux_binder_transfer_binder
selinux_binder_transfer_file
selinux_ptrace_access_check
selinux_ptrace_traceme
selinux_capget
selinux_capset
selinux_syslog
check_nnp_nosuid
selinux_bprm_set_creds
selinux_bprm_committing_creds: Prepare a process for imminent new credential changes due to exec
selinux_bprm_committed_creds: Clean up the process immediately after the installation of new credentials due to exec
selinux_inode_setxattr
ioctl_has_perm: Check whether a task has the ioctl permission and cmd operation to an inode.
file_map_prot_check
selinux_mmap_addr
selinux_file_mprotect
selinux_file_send_sigiotask
selinux_task_alloc: task security operations
selinux_kernel_act_as: set the security data for a kernel service; all the creation contexts are set to unlabelled
selinux_kernel_create_files_as: set the file creation context in a security record to the same as the objective context of the specified inode
selinux_kernel_module_request
selinux_kernel_module_from_file
selinux_task_setpgid
selinux_task_getpgid
selinux_task_getsid
selinux_task_setnice
selinux_task_setioprio
selinux_task_getioprio
selinux_task_prlimit
selinux_task_setrlimit
selinux_task_setscheduler
selinux_task_getscheduler
selinux_task_movememory
selinux_task_kill
sock_has_perm
selinux_socket_create
selinux_socket_bind: Range of port numbers used to automatically bind. Need to determine whether we should perform a name_bind permission check between the socket and the port number.
selinux_socket_connect_helper: This supports connect(2) and SCTP connect services such as sctp_connectx(3) and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
selinux_socket_unix_stream_connect
selinux_socket_unix_may_send
selinux_inet_sys_rcv_skb
selinux_sock_rcv_skb_compat
selinux_socket_sock_rcv_skb
selinux_sctp_assoc_request: Called whenever SCTP receives an INIT chunk. This happens when an incoming connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association already present).
selinux_secmark_relabel_packet
selinux_tun_dev_create
selinux_tun_dev_attach_queue
selinux_tun_dev_open
ipc_has_perm
selinux_msg_queue_alloc_security: message queue security operations
selinux_msg_queue_associate
selinux_msg_queue_msgctl
selinux_msg_queue_msgsnd
selinux_msg_queue_msgrcv
selinux_shm_alloc_security: Shared Memory security operations
selinux_shm_associate
selinux_shm_shmctl: Note, at this point, shp is locked down
selinux_sem_alloc_security: Semaphore security operations
selinux_sem_associate
selinux_sem_semctl: Note, at this point, sma is locked down
selinux_getprocattr
selinux_setprocattr
selinux_key_permission
sel_open_policy
sel_read_policy
sel_write_load
sel_write_context
sel_write_checkreqprot
sel_write_validatetrans
sel_write_access: Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
sel_write_create
sel_write_relabel
sel_write_user
sel_write_member
sel_write_bool
sel_commit_bools_write
sel_write_avc_cache_threshold
selinux_xfrm_alloc_user: Allocates a xfrm_sec_state and populates it using the supplied security xfrm_user_sec_ctx context.
selinux_xfrm_delete: Authorize the deletion of a labeled SA or policy rule.
selinux_xfrm_policy_lookup: LSM hook implementation that authorizes that a flow can use a xfrm policy rule.
selinux_xfrm_state_pol_flow_match: LSM hook implementation that authorizes that a state matches the given policy, flow combo.
selinux_xfrm_sock_rcv_skb: LSM hook that controls access to unlabelled packets. If a xfrm_state is authorizable (defined by macro) then it was already authorized by the IPSec process. If not, then we need to check for unlabelled access since this may not have
selinux_xfrm_postroute_last: POSTROUTE_LAST hook's XFRM processing: If we have no security association, then we need to determine whether the socket is allowed to send to an unlabelled destination. If we do have a authorizable security association, then it has already been
selinux_netlbl_sock_rcv_skb: Do an inbound access check using NetLabel (sksec: the sock's sk_security_struct; skb: the packet; family: protocol family; ad: the audit data). Fetch the NetLabel security attributes from skb and perform an