Function Logic Report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code: security\selinux\avc.c    Create Date: 2022-07-27 20:17:46
Last Modify: 2020-03-12 14:18:49    Copyright © Brick

Function name: avc_has_extended_perms

Description: The avc extended permissions logic adds an additional 256 bits of permissions to an avc node when extended permissions for that node are specified in the avtab.

Function prototype: int avc_has_extended_perms(struct selinux_state *state, unsigned int ssid, unsigned int tsid, u16 tclass, unsigned int requested, u8 driver, u8 xperm, struct common_audit_data *ad)

Return type: int

Parameters:

Type                          Parameter name
struct selinux_state *        state
unsigned int                  ssid
unsigned int                  tsid
u16                           tclass
unsigned int                  requested
u8                            driver
u8                            xperm
struct common_audit_data *    ad
1040  struct extended_perms_decision *xpd = NULL
1046  rc = 0
1048  xp_node = local_xp_node
1049  if WARN_ON(!requested): return -EACCES
1052  rcu_read_lock(): mark the beginning of an RCU read-side critical section
1054  node = avc_lookup(): look up an AVC entry that is valid for (@ssid, @tsid), interpreting the permissions based on @tclass
1055  if unlikely(!node) then
1056      node = result of the slow-path helper for avc_has_perm_noaudit, used when the avc_node lookup fails
1057  else
1058      memcpy the found node's av_decision into avd (sizeof(avd) bytes)
1059      xp_node = the found node's xp_node
1062  if !xp_node, or its associated decision chain has zero length: goto decision
1065  local_xpd.allowed = avd.allowed
1066  local_xpd.auditallow = avd.auditallow
1067  local_xpd.dontaudit = avd.dontaudit
1069  xpd = extended_perms_decision lookup (a linked list is used because the list is always small, i.e. fewer than 5 entries, typically 1)
1070  if unlikely(!xpd) then
1075      if !security_xperm_test(p, driver) then
1076          allowed &= ~requested
1077          goto decision
1079      rcu_read_unlock(): mark the end of the RCU read-side critical section
1080      security_compute_xperms_decision(state, ssid, tsid, tclass, driver, &local_xpd)
1082      rcu_read_lock(): re-enter the RCU read-side critical section
1083      avc_update_node(): update the AVC entry (@event: updating event; @perms: permission mask bits; @ssid, @tsid, @tclass: identifier of the AVC entry; @seqno: sequence number when the decision was made; @xpd: extended_perms_decision to be added to the node)
1086  else
1087      copy into local_xpd only the decision information relevant to this perm (similar to avc_copy_xperms_decision)
1089  xpd = &local_xpd
1091  if !avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED) then allowed &= ~requested
1094  decision:
1095  denied = requested & ~allowed
1096  if unlikely(denied) then rc = avc_denied(state, ssid, tsid, tclass, requested, driver, xperm, <the "update extended permissions" flag>, &avd)
1100  rcu_read_unlock(): mark the end of the RCU read-side critical section
1102  rc2 = avc_xperms_audit(state, ssid, tsid, tclass, requested, &avd, xpd, xperm, rc, ad)
1104  if rc2: return rc2
1106  return rc
Callers

Name            Description
ioctl_has_perm  Check whether a task has the ioctl permission and cmd operation to an inode.