Lines Matching defs:profile

52  * may_change_ptraced_domain - check if the profile can be changed on a ptraced task
53 * @to_profile: profile to change to (NOT NULL)
87 * @profile: the current profile (NOT NULL)
89 * @name: the name of the profile to change to (NOT NULL)
95 static struct file_perms change_profile_perms(struct aa_profile *profile,
104 if (unconfined(profile)) {
108 } else if (!profile->file.dfa) {
110 } else if ((ns == profile->ns)) {
112 aa_str_perms(profile->file.dfa, start, name, &cond, &perms);
117 /* try matching with namespace name and then profile */
118 state = aa_dfa_match(profile->file.dfa, start, ns->base.name);
119 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
120 aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
128 * @head: profile list to walk (NOT NULL)
137 * Returns: profile or NULL if no match found
143 struct aa_profile *profile, *candidate = NULL;
145 list_for_each_entry_rcu(profile, head, base.list) {
146 if (profile->flags & PFLAG_NULL)
148 if (profile->xmatch && profile->xmatch_len > len) {
149 unsigned int state = aa_dfa_match(profile->xmatch,
151 u32 perm = dfa_user_allow(profile->xmatch, state);
154 candidate = profile;
155 len = profile->xmatch_len;
157 } else if (!strcmp(profile->base.name, name))
159 return profile;
171 * Returns: profile or NULL if no match found
176 struct aa_profile *profile;
179 profile = aa_get_profile(__attach_match(name, list));
182 return profile;
186 * separate_fqname - separate the namespace and profile names
195 * Either the profile or namespace name may be optional but if the namespace
196 * is specified the profile name termination must be present. This results
204 * Returns: profile name if it is specified else NULL
234 * @profile: current profile (NOT NULL)
237 * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
239 static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
242 struct aa_namespace *ns = profile->ns;
248 for (name = profile->file.trans.table[index]; !new_profile && name;
256 new_profile = aa_find_child(profile, name);
263 /* no name so use profile name */
264 xname = profile->base.hname;
291 * x_to_profile - get target profile for a given xindex
292 * @profile: current profile (NOT NULL)
296 * find profile for a transition index
298 * Returns: refcounted profile or NULL if not found or not available
300 static struct aa_profile *x_to_profile(struct aa_profile *profile,
304 struct aa_namespace *ns = profile->ns;
314 new_profile = find_attach(ns, &profile->base.profiles,
323 new_profile = x_table_lookup(profile, xindex);
340 struct aa_profile *profile, *new_profile = NULL;
360 profile = aa_get_newest_profile(cxt->profile);
362 * get the namespace from the replacement profile as replacement
365 ns = profile->ns;
366 state = profile->file.start;
369 error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer,
372 if (unconfined(profile) ||
373 (profile->flags & PFLAG_IX_ON_NAME_ERROR))
382 if (unconfined(profile)) {
400 state = aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
411 state = aa_dfa_null_transition(profile->file.dfa, state);
412 cp = change_profile_perms(profile, cxt->onexec->ns,
424 new_profile = x_to_profile(profile, name, perms.xindex);
427 /* (p|c|n)ix - don't change profile but do
429 * up above when getting profile
432 new_profile = aa_get_profile(profile);
439 info = "profile not found";
444 } else if (COMPLAIN_MODE(profile)) {
446 new_profile = aa_new_null_profile(profile, 0);
449 info = "could not create null profile";
498 AA_DEBUG("scrubbing environment variables for %s profile=%s\n",
508 aa_put_profile(cxt->profile);
509 /* transfer new profile reference; it will be released when cxt is freed */
510 cxt->profile = new_profile;
516 error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
520 aa_put_profile(profile);
551 struct aa_profile *profile = __aa_current_profile();
554 /* bail out if unconfined or not changing profile */
555 if ((new_cxt->profile == profile) ||
556 (unconfined(new_cxt->profile)))
561 /* reset soft limits and set hard limits for the new profile */
562 __aa_transition_rlimits(profile, new_cxt->profile);
576 * Functions for self directed profile change
601 * Change to the first profile specified in @hats that exists, and store
604 * top level profile.
612 struct aa_profile *profile, *previous_profile, *hat = NULL;
630 profile = aa_cred_profile(cred);
633 if (unconfined(profile)) {
642 if (PROFILE_IS_HAT(profile))
643 root = aa_get_profile_rcu(&profile->parent);
645 root = aa_get_profile(profile);
675 hat = aa_new_null_profile(profile, 1);
677 info = "failed null profile create";
708 /* Return to saved profile. Kill task if restore fails
715 /* ignore restores when there is no saved profile */
720 error = aa_audit_file(profile, &perms, GFP_KERNEL,
733 * aa_change_profile - perform a one-way profile transition
734 * @ns_name: name of the profile namespace to change to (MAYBE NULL)
735 * @hname: name of profile to change to (MAYBE NULL)
739 * Change to new profile @name. Unlike with hats, there is no way
740 * to change back. If @name isn't specified the current profile name is
751 struct aa_profile *profile, *target = NULL;
770 profile = aa_cred_profile(cred);
779 if (task_no_new_privs(current) && !unconfined(profile)) {
786 ns = aa_find_namespace(profile->ns, ns_name);
796 ns = aa_get_namespace(profile->ns);
798 /* if the name was not specified, use the name of the current profile */
800 if (unconfined(profile))
803 hname = profile->base.hname;
806 perms = change_profile_perms(profile, ns, hname, request,
807 profile->file.start);
816 info = "profile not found";
818 if (permtest || !COMPLAIN_MODE(profile))
821 target = aa_new_null_profile(profile, 0);
823 info = "failed null profile create";
846 error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request,