{
struct aa_perms tmp = { };
struct aa_dfa *dfa;
- unsigned int state = 0;
+ aa_state_t state = DFA_NOMATCH;
if (profile_unconfined(profile))
return;
* If a subns profile is not to be matched should be prescreened with
* visibility test.
*/
-static inline unsigned int match_component(struct aa_profile *profile,
- struct aa_profile *tp,
- bool stack, unsigned int state)
+static inline aa_state_t match_component(struct aa_profile *profile,
+ struct aa_profile *tp,
+ bool stack, aa_state_t state)
{
const char *ns_name;
*/
static int label_compound_match(struct aa_profile *profile,
struct aa_label *label, bool stack,
- unsigned int state, bool subns, u32 request,
+ aa_state_t state, bool subns, u32 request,
struct aa_perms *perms)
{
struct aa_profile *tp;
*/
static int label_components_match(struct aa_profile *profile,
struct aa_label *label, bool stack,
- unsigned int start, bool subns, u32 request,
+ aa_state_t start, bool subns, u32 request,
struct aa_perms *perms)
{
struct aa_profile *tp;
struct label_it i;
struct aa_perms tmp;
struct path_cond cond = { };
- unsigned int state = 0;
+ aa_state_t state = 0;
/* find first subcomponent to test */
label_for_each(i, label, tp) {
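Review bot: The local in label_components_match is still initialised with the bare literal, `aa_state_t state = 0;` (L39), while the first hunk of this commit switched the equivalent initialiser to the named sentinel (`aa_state_t state = DFA_NOMATCH;`, L5) and the DFA walkers now compare against `DFA_NOMATCH` (L301, L320). Since the point of the commit is to stop treating states as plain integers, this initialiser should read `aa_state_t state = DFA_NOMATCH;` so that a reader (or a future change of the sentinel value) does not have to know that 0 and DFA_NOMATCH coincide. The same bare 0 survives in the second label_components_match at L267. The function body continues outside the hunk.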
* Returns: the state the match finished in, may be the none matching state
*/
static int label_match(struct aa_profile *profile, struct aa_label *label,
- bool stack, unsigned int state, bool subns, u32 request,
+ bool stack, aa_state_t state, bool subns, u32 request,
struct aa_perms *perms)
{
int error;
*/
static int change_profile_perms(struct aa_profile *profile,
struct aa_label *target, bool stack,
- u32 request, unsigned int start,
+ u32 request, aa_state_t start,
struct aa_perms *perms)
{
if (profile_unconfined(profile)) {
* Returns: number of extended attributes that matched, or < 0 on error
*/
static int aa_xattrs_match(const struct linux_binprm *bprm,
- struct aa_profile *profile, unsigned int state)
+ struct aa_profile *profile, aa_state_t state)
{
int i;
ssize_t size;
* match.
*/
if (profile->xmatch.dfa) {
- unsigned int state, count;
+ unsigned int count;
+ aa_state_t state;
u32 index, perm;
state = aa_dfa_leftmatch(profile->xmatch.dfa,
{
struct aa_label *new = NULL;
const char *info = NULL, *name = NULL, *target = NULL;
- unsigned int state = profile->file.start[AA_CLASS_FILE];
+ aa_state_t state = profile->file.start[AA_CLASS_FILE];
struct aa_perms perms = {};
bool nonewprivs = false;
int error = 0;
char *buffer, struct path_cond *cond,
bool *secure_exec)
{
- unsigned int state = profile->file.start[AA_CLASS_FILE];
+ aa_state_t state = profile->file.start[AA_CLASS_FILE];
struct aa_perms perms = {};
const char *xname = NULL, *info = "change_profile onexec";
int error = -EACCES;
*/
struct aa_perms default_perms = {};
struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
- unsigned int state, struct path_cond *cond)
+ aa_state_t state, struct path_cond *cond)
{
unsigned int index = ACCEPT_TABLE(file_rules->dfa)[state];
*
* Returns: the final state in @dfa when beginning @start and walking @name
*/
-unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
- const char *name, struct path_cond *cond,
- struct aa_perms *perms)
+aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
+ const char *name, struct path_cond *cond,
+ struct aa_perms *perms)
{
- unsigned int state;
+ aa_state_t state;
state = aa_dfa_match(file_rules->dfa, start, name);
*perms = *(aa_lookup_fperms(file_rules, state, cond));
struct aa_perms lperms = {}, perms;
const char *info = NULL;
u32 request = AA_MAY_LINK;
- unsigned int state;
+ aa_state_t state;
int error;
error = path_name(OP_LINK, &profile->label, link, profile->path_flags,
const char *info, int error);
struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
- unsigned int state, struct path_cond *cond);
-unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
- const char *name, struct path_cond *cond,
- struct aa_perms *perms);
+ aa_state_t state, struct path_cond *cond);
+aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
+ const char *name, struct path_cond *cond,
+ struct aa_perms *perms);
int __aa_path_perm(const char *op, struct aa_profile *profile,
const char *name, u32 request, struct path_cond *cond,
static inline const char *aa_label_strn_split(const char *str, int n)
{
const char *pos;
- unsigned int state;
+ aa_state_t state;
state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
if (!ACCEPT_TABLE(stacksplitdfa)[state])
static inline const char *aa_label_str_split(const char *str)
{
const char *pos;
- unsigned int state;
+ aa_state_t state;
state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
if (!ACCEPT_TABLE(stacksplitdfa)[state])
struct aa_perms;
int aa_label_match(struct aa_profile *profile, struct aa_label *label,
- unsigned int state, bool subns, u32 request,
+ aa_state_t state, bool subns, u32 request,
struct aa_perms *perms);
* character which is not used in standard matching and is only
* used to separate pairs.
*/
-static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
- unsigned int start)
+static inline aa_state_t aa_dfa_null_transition(struct aa_dfa *dfa,
+ aa_state_t start)
{
/* the null transition only needs the string's null terminator byte */
return aa_dfa_next(dfa, start, 0);
int aa_setup_dfa_engine(void);
void aa_teardown_dfa_engine(void);
+#define aa_state_t unsigned int
+
struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
-unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
- const char *str, int len);
-unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
- const char *str);
-unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
- const char c);
-unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa,
- unsigned int state);
-unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
- const char *str, const char **retpos);
-unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
- const char *str, int n, const char **retpos);
+aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, int len);
+aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start,
+ const char *str);
+aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c);
+aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state);
+aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, const char **retpos);
+aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, int n, const char **retpos);
void aa_dfa_free_kref(struct kref *kref);
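Review bot: `#define aa_state_t unsigned int` (L161) introduces the new state type as a macro rather than a type; a `typedef unsigned int aa_state_t;` gives the same layout but is scoped, shows the name in compiler diagnostics and debug info, and lets static checkers later turn it into a distinct type if the representation ever changes. With the macro form, `aa_state_t state = start, pos;` (L352) silently declares both variables `unsigned int`, which is also what hides the misuse of the name for non-state locals elsewhere in the series. A one-line docstring above the definition, such as `/* aa_state_t - index of a DFA state; DFA_NOMATCH is the rejecting state */`, would also help, since nothing in the header currently says what a state value is or that 0 is reserved.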
.len = 0, \
}
-unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
- const char *str, unsigned int *count);
+aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, unsigned int *count);
/**
* aa_get_dfa - increment refcount on dfa @p
struct aa_dfa *dfa;
struct aa_perms *perms;
struct aa_domain trans;
- unsigned int start[AA_CLASS_LAST + 1];
+ aa_state_t start[AA_CLASS_LAST + 1];
};
static inline void aa_destroy_policydb(struct aa_policydb *policy)
}
static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
- unsigned int state)
+ aa_state_t state)
{
unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
return labels_profile(aa_get_newest_label(&p->label));
}
-static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
+static inline aa_state_t PROFILE_MEDIATES(struct aa_profile *profile,
unsigned char class)
{
if (class <= AA_CLASS_LAST)
profile->policy.start[0], &class, 1);
}
-static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
- u16 AF) {
- unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
+static inline aa_state_t PROFILE_MEDIATES_AF(struct aa_profile *profile,
+ u16 AF) {
+ aa_state_t state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
__be16 be_af = cpu_to_be16(AF);
if (!state)
- return 0;
+ return DFA_NOMATCH;
return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
}
struct common_audit_data *sa)
{
struct aa_perms perms;
- unsigned int state;
+ aa_state_t state;
if (profile_unconfined(profile) ||
!PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))
* If a subns profile is not to be matched should be prescreened with
* visibility test.
*/
-static inline unsigned int match_component(struct aa_profile *profile,
- struct aa_profile *tp,
- unsigned int state)
+static inline aa_state_t match_component(struct aa_profile *profile,
+ struct aa_profile *tp,
+ aa_state_t state)
{
const char *ns_name;
*/
static int label_compound_match(struct aa_profile *profile,
struct aa_label *label,
- unsigned int state, bool subns, u32 request,
+ aa_state_t state, bool subns, u32 request,
struct aa_perms *perms)
{
struct aa_profile *tp;
* check to be stacked.
*/
static int label_components_match(struct aa_profile *profile,
- struct aa_label *label, unsigned int start,
+ struct aa_label *label, aa_state_t start,
bool subns, u32 request,
struct aa_perms *perms)
{
struct aa_profile *tp;
struct label_it i;
struct aa_perms tmp;
- unsigned int state = 0;
+ aa_state_t state = 0;
/* find first subcomponent to test */
label_for_each(i, label, tp) {
* Returns: the state the match finished in, may be the none matching state
*/
int aa_label_match(struct aa_profile *profile, struct aa_label *label,
- unsigned int state, bool subns, u32 request,
+ aa_state_t state, bool subns, u32 request,
struct aa_perms *perms)
{
int error = label_compound_match(profile, label, state, subns, request,
int type, u32 request, struct aa_perms *perms)
{
/* TODO: doesn't yet handle extended types */
- unsigned int state;
+ aa_state_t state;
state = aa_dfa_next(profile->policy.dfa,
profile->policy.start[AA_CLASS_LABEL],
*
* Returns: final state reached after input is consumed
*/
-unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
- const char *str, int len)
+aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, int len)
{
u16 *def = DEFAULT_TABLE(dfa);
u32 *base = BASE_TABLE(dfa);
u16 *next = NEXT_TABLE(dfa);
u16 *check = CHECK_TABLE(dfa);
- unsigned int state = start;
+ aa_state_t state = start;
- if (state == 0)
- return 0;
+ if (state == DFA_NOMATCH)
+ return DFA_NOMATCH;
/* current state is <state>, matching character *str */
if (dfa->tables[YYTD_ID_EC]) {
*
* Returns: final state reached after input is consumed
*/
-unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
- const char *str)
+aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start, const char *str)
{
u16 *def = DEFAULT_TABLE(dfa);
u32 *base = BASE_TABLE(dfa);
u16 *next = NEXT_TABLE(dfa);
u16 *check = CHECK_TABLE(dfa);
- unsigned int state = start;
+ aa_state_t state = start;
- if (state == 0)
- return 0;
+ if (state == DFA_NOMATCH)
+ return DFA_NOMATCH;
/* current state is <state>, matching character *str */
if (dfa->tables[YYTD_ID_EC]) {
*
* Returns: state reach after input @c
*/
-unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
- const char c)
+aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c)
{
u16 *def = DEFAULT_TABLE(dfa);
u32 *base = BASE_TABLE(dfa);
return state;
}
-unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa, unsigned int state)
+aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state)
{
u16 *def = DEFAULT_TABLE(dfa);
u32 *base = BASE_TABLE(dfa);
*
* Returns: final state reached after input is consumed
*/
-unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start,
const char *str, const char **retpos)
{
u16 *def = DEFAULT_TABLE(dfa);
u16 *next = NEXT_TABLE(dfa);
u16 *check = CHECK_TABLE(dfa);
u32 *accept = ACCEPT_TABLE(dfa);
- unsigned int state = start, pos;
+ aa_state_t state = start, pos;
- if (state == 0)
- return 0;
+ if (state == DFA_NOMATCH)
+ return DFA_NOMATCH;
/* current state is <state>, matching character *str */
if (dfa->tables[YYTD_ID_EC]) {
*
* Returns: final state reached after input is consumed
*/
-unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
const char *str, int n, const char **retpos)
{
u16 *def = DEFAULT_TABLE(dfa);
u16 *next = NEXT_TABLE(dfa);
u16 *check = CHECK_TABLE(dfa);
u32 *accept = ACCEPT_TABLE(dfa);
- unsigned int state = start, pos;
+ aa_state_t state = start, pos;
*retpos = NULL;
- if (state == 0)
- return 0;
+ if (state == DFA_NOMATCH)
+ return DFA_NOMATCH;
/* current state is <state>, matching character *str */
if (dfa->tables[YYTD_ID_EC]) {
} while (0)
/* For DFAs that don't support extended tagging of states */
-static bool is_loop(struct match_workbuf *wb, unsigned int state,
+static bool is_loop(struct match_workbuf *wb, aa_state_t state,
unsigned int *adjust)
{
- unsigned int pos = wb->pos;
- unsigned int i;
+ aa_state_t pos = wb->pos;
+ aa_state_t i;
if (wb->history[pos] < state)
return false;
return true;
}
-static unsigned int leftmatch_fb(struct aa_dfa *dfa, unsigned int start,
+static aa_state_t leftmatch_fb(struct aa_dfa *dfa, aa_state_t start,
const char *str, struct match_workbuf *wb,
unsigned int *count)
{
u32 *base = BASE_TABLE(dfa);
u16 *next = NEXT_TABLE(dfa);
u16 *check = CHECK_TABLE(dfa);
- unsigned int state = start, pos;
+ aa_state_t state = start, pos;
AA_BUG(!dfa);
AA_BUG(!str);
AA_BUG(!count);
*count = 0;
- if (state == 0)
- return 0;
+ if (state == DFA_NOMATCH)
+ return DFA_NOMATCH;
/* current state is <state>, matching character *str */
if (dfa->tables[YYTD_ID_EC]) {
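Review bot: In is_loop, `pos` and `i` are retyped to `aa_state_t` (L387-388) although `pos` is a position in the work buffer (it is loaded from `wb->pos` and indexes `wb->history[pos]` on L389) and `i` appears to be a loop counter, not DFA states; they should stay `unsigned int pos = wb->pos;` and `unsigned int i;`. The same mismatch is in the walkers where `pos` shares a declaration with `state`, `aa_state_t state = start, pos;` (L352, L371, L402): from the surrounding code it looks like `pos` is an offset into the next/check tables rather than a state, so `aa_state_t state = start; unsigned int pos;` would keep the new type honest. Today both spellings compile identically because aa_state_t is a macro for unsigned int, but the retyping will become a genuine width or sign bug if aa_state_t is ever changed to a narrower or distinct type, which is exactly what the new name is meant to enable. The bodies of is_loop and leftmatch_fb continue outside the hunk.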
*
* Returns: final state reached after input is consumed
*/
-unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
- const char *str, unsigned int *count)
+aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, unsigned int *count)
{
DEFINE_MATCH_WB(wb);
*
* Returns: next state after flags match
*/
-static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
+static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
unsigned long flags)
{
unsigned int i;
* Returns 0 on success else element that match failed in, this is the
* index into the mnt_info_table above
*/
-static int do_match_mnt(struct aa_policydb *policy, unsigned int start,
+static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
const char *mntpnt, const char *devname,
const char *type, unsigned long flags,
void *data, bool binary, struct aa_perms *perms)
{
- unsigned int state;
+ aa_state_t state;
AA_BUG(!policy);
AA_BUG(!policy->dfa);
{
struct aa_perms perms = { };
const char *name = NULL, *info = NULL;
- unsigned int state;
+ aa_state_t state;
int error;
AA_BUG(!profile);
const char *old_name, *new_name = NULL, *info = NULL;
const char *trans_name = NULL;
struct aa_perms perms = { };
- unsigned int state;
+ aa_state_t state;
int error;
AA_BUG(!profile);
u32 request, u16 family, int type)
{
struct aa_perms perms = { };
- unsigned int state;
+ aa_state_t state;
__be16 buffer[2];
AA_BUG(family >= AF_MAX);
}
static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
- unsigned int state)
+ aa_state_t state)
{
perms->allow |= AA_MAY_GETATTR;
}
static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
- unsigned int state)
+ aa_state_t state)
{
struct aa_perms perms = { };
}
static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
- unsigned int state)
+ aa_state_t state)
{
struct aa_perms perms = { };
*/
static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
{
- int state;
- int state_count;
+ aa_state_t state;
+ unsigned int state_count;
struct aa_perms *table;
AA_BUG(!dfa);
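Review bot: compute_fperms now declares its loop variable as `aa_state_t state;` (L487) while the parallel compute_perms declares it as `unsigned int state;` (L501), even though both appear to iterate over DFA states and pass the value to helpers whose parameter is now `aa_state_t` (L467, L473, L479, L494); the second should also read `aa_state_t state;`. The change from `int` to an unsigned type in both is a good fix in its own right, as it removes a signed/unsigned comparison against the state count, so it may be worth a sentence in the commit message. The remainder of both functions is outside these hunks, so whether `state` is used for anything other than iterating states is inferred, not verified.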
}
static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
- unsigned int state)
+ aa_state_t state)
{
struct aa_perms perms = { };
static struct aa_perms *compute_perms(struct aa_dfa *dfa)
{
- int state;
- int state_count;
+ unsigned int state;
+ unsigned int state_count;
struct aa_perms *table;
AA_BUG(!dfa);