Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code: security\selinux\avc.c    Create Date: 2022-07-28 18:44:15
Last Modify: 2020-03-12 14:18:49    Copyright © Brick

Name: avc_has_extended_perms

Describe: The avc extended permissions logic adds an additional 256 bits of permissions to an avc node when extended permissions for that node are specified in the avtab.

Proto:int avc_has_extended_perms(struct selinux_state *state, unsigned int ssid, unsigned int tsid, u16 tclass, unsigned int requested, u8 driver, u8 xperm, struct common_audit_data *ad)

Type:int

Parameter:

Type                        Parameter Name
struct selinux_state *      state
unsigned int                ssid
unsigned int                tsid
u16                         tclass
unsigned int                requested
u8                          driver
u8                          xperm
struct common_audit_data *  ad
1040  struct extended_perms_decision *xpd = NULL
1046  rc = 0
1048  xp_node = &local_xp_node
1049  If WARN_ON(!requested) Then Return -EACCES
1052  rcu_read_lock()   (begin an RCU read-side critical section)
1054  node = avc_lookup(ssid, tsid, tclass)   (look up an AVC entry valid for (ssid, tsid), interpreting the permissions based on tclass)
1055  If unlikely(!node) Then
1056      node = avc_compute_av(...)   (slow path used when the avc_node lookup fails, as in avc_has_perm_noaudit)
1057  Else
1058      memcpy(&avd, &node->ae.avd, sizeof(avd))
1059      xp_node = node->ae.xp_node
1062  If !xp_node || !xp_node->xp.len Then Go to decision   (no extended permissions attached to this node)
1065  local_xpd.allowed = &allowed
1066  local_xpd.auditallow = &auditallow
1067  local_xpd.dontaudit = &dontaudit
1069  xpd = avc_xperms_decision_lookup(driver, xp_node)   (linked-list lookup; the list is always small, fewer than 5 entries and typically 1)
1070  If unlikely(!xpd) Then
1075      If !security_xperm_test(xp_node->xp.drivers.p, driver) Then   (driver has no extended permission rules)
1076          avd.allowed &= ~requested
1077          Go to decision
1079      rcu_read_unlock()   (end the RCU read-side critical section before the policy query)
1080      security_compute_xperms_decision(state, ssid, tsid, tclass, driver, &local_xpd)
1082      rcu_read_lock()
1083      avc_update_node(...)   (add the computed extended_perms_decision to the AVC entry: event, permission mask, ssid/tsid/tclass, seqno, xpd)
1086  Else
1087      avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd)   (like avc_copy_xperms_decision, but copies only the decision bits relevant to this xperm)
1089  xpd = &local_xpd
1091  If !avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED) Then avd.allowed &= ~requested
1094  decision:
1095  denied = requested & ~avd.allowed
1096  If unlikely(denied) Then rc = avc_denied(state, ssid, tsid, tclass, requested, driver, xperm, AVC_EXTENDED_PERMS, &avd)
1100  rcu_read_unlock()
1102  rc2 = avc_xperms_audit(state, ssid, tsid, tclass, requested, &avd, xpd, xperm, rc, ad)
1104  If rc2 Then Return rc2
1106  Return rc
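The two-level test in the listing (driver bit first, then the specific xperm bit within the 256-bit decision) in a small user-space model; this is an added example written for this report, not code from avc.c, and the policy struct, the 0x89/0x27 sample values and check_demo() are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Added model of the SELinux extended-permission (xperm) decision; written for
 * this report, not taken from avc.c. A decision carries 256 bits: bit n set
 * means extended permission n (the low byte of an ioctl cmd) is allowed. */
#define XPERMS_WORDS (256 / 32)
#define DEMO_EACCES 13   /* stands in for the kernel's EACCES */
struct xperms_bitmap { uint32_t p[XPERMS_WORDS]; };

/* Same word/bit split as the kernel's security_xperm_test(): word x>>5, bit x&31. */
static int xperm_test(const struct xperms_bitmap *b, uint8_t x)
{
    return 1 & (b->p[x >> 5] >> (x & 0x1f));
}

static void xperm_set(struct xperms_bitmap *b, uint8_t x)
{
    b->p[x >> 5] |= 1u << (x & 0x1f);
}

/* Hypothetical policy shape: 'drivers' flags which ioctl drivers (high byte of
 * cmd's low 16 bits) carry per-xperm rules; 'allowed[d]' lists d's allowed functions. */
struct xperms_policy {
    struct xperms_bitmap drivers;
    struct xperms_bitmap allowed[256];
};

/* Mirrors the decision path in the listing: a driver with no xperm rules has
 * the requested permission stripped (avd.allowed &= ~requested); a flagged
 * driver must also allow the specific xperm. Returns 0 if allowed, else -DEMO_EACCES. */
static int xperm_check(const struct xperms_policy *pol, uint16_t cmd)
{
    uint8_t driver = cmd >> 8, xperm = cmd & 0xff;
    if (!xperm_test(&pol->drivers, driver))
        return -DEMO_EACCES;
    if (!xperm_test(&pol->allowed[driver], xperm))
        return -DEMO_EACCES;
    return 0;
}

/* Constructed sample policy: only driver 0x89, function 0x27 is allowed. */
static int check_demo(uint16_t cmd)
{
    struct xperms_policy pol;
    memset(&pol, 0, sizeof(pol));
    xperm_set(&pol.drivers, 0x89);
    xperm_set(&pol.allowed[0x89], 0x27);
    return xperm_check(&pol, cmd);
}
```

check_demo(0x8927) returns 0; 0x8928 (same driver, different function) and 0x1234 (unflagged driver) both return -DEMO_EACCES, matching the two places the listing clears avd.allowed.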
Caller

Name            Describe
ioctl_has_perm  Check whether a task has the ioctl permission and cmd operation to an inode.