diff options
Diffstat (limited to 'security/tomoyo/common.h')
| -rw-r--r-- | security/tomoyo/common.h | 68 |
1 files changed, 57 insertions, 11 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 54db39aa339b..c777c594a00b 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
| @@ -42,7 +42,8 @@ enum tomoyo_mode_index { | |||
| 42 | TOMOYO_CONFIG_DISABLED, | 42 | TOMOYO_CONFIG_DISABLED, |
| 43 | TOMOYO_CONFIG_LEARNING, | 43 | TOMOYO_CONFIG_LEARNING, |
| 44 | TOMOYO_CONFIG_PERMISSIVE, | 44 | TOMOYO_CONFIG_PERMISSIVE, |
| 45 | TOMOYO_CONFIG_ENFORCING | 45 | TOMOYO_CONFIG_ENFORCING, |
| 46 | TOMOYO_CONFIG_USE_DEFAULT = 255 | ||
| 46 | }; | 47 | }; |
| 47 | 48 | ||
| 48 | /* Keywords for ACLs. */ | 49 | /* Keywords for ACLs. */ |
| @@ -75,14 +76,6 @@ enum tomoyo_mode_index { | |||
| 75 | #define TOMOYO_VALUE_TYPE_HEXADECIMAL 3 | 76 | #define TOMOYO_VALUE_TYPE_HEXADECIMAL 3 |
| 76 | 77 | ||
| 77 | /* Index numbers for Access Controls. */ | 78 | /* Index numbers for Access Controls. */ |
| 78 | enum tomoyo_mac_index { | ||
| 79 | TOMOYO_MAC_FOR_FILE, /* domain_policy.conf */ | ||
| 80 | TOMOYO_MAX_ACCEPT_ENTRY, | ||
| 81 | TOMOYO_VERBOSE, | ||
| 82 | TOMOYO_MAX_CONTROL_INDEX | ||
| 83 | }; | ||
| 84 | |||
| 85 | /* Index numbers for Access Controls. */ | ||
| 86 | enum tomoyo_acl_entry_type_index { | 79 | enum tomoyo_acl_entry_type_index { |
| 87 | TOMOYO_TYPE_PATH_ACL, | 80 | TOMOYO_TYPE_PATH_ACL, |
| 88 | TOMOYO_TYPE_PATH2_ACL, | 81 | TOMOYO_TYPE_PATH2_ACL, |
| @@ -157,6 +150,38 @@ enum tomoyo_securityfs_interface_index { | |||
| 157 | TOMOYO_MANAGER | 150 | TOMOYO_MANAGER |
| 158 | }; | 151 | }; |
| 159 | 152 | ||
| 153 | enum tomoyo_mac_index { | ||
| 154 | TOMOYO_MAC_FILE_EXECUTE, | ||
| 155 | TOMOYO_MAC_FILE_OPEN, | ||
| 156 | TOMOYO_MAC_FILE_CREATE, | ||
| 157 | TOMOYO_MAC_FILE_UNLINK, | ||
| 158 | TOMOYO_MAC_FILE_MKDIR, | ||
| 159 | TOMOYO_MAC_FILE_RMDIR, | ||
| 160 | TOMOYO_MAC_FILE_MKFIFO, | ||
| 161 | TOMOYO_MAC_FILE_MKSOCK, | ||
| 162 | TOMOYO_MAC_FILE_TRUNCATE, | ||
| 163 | TOMOYO_MAC_FILE_SYMLINK, | ||
| 164 | TOMOYO_MAC_FILE_REWRITE, | ||
| 165 | TOMOYO_MAC_FILE_MKBLOCK, | ||
| 166 | TOMOYO_MAC_FILE_MKCHAR, | ||
| 167 | TOMOYO_MAC_FILE_LINK, | ||
| 168 | TOMOYO_MAC_FILE_RENAME, | ||
| 169 | TOMOYO_MAC_FILE_CHMOD, | ||
| 170 | TOMOYO_MAC_FILE_CHOWN, | ||
| 171 | TOMOYO_MAC_FILE_CHGRP, | ||
| 172 | TOMOYO_MAC_FILE_IOCTL, | ||
| 173 | TOMOYO_MAC_FILE_CHROOT, | ||
| 174 | TOMOYO_MAC_FILE_MOUNT, | ||
| 175 | TOMOYO_MAC_FILE_UMOUNT, | ||
| 176 | TOMOYO_MAC_FILE_PIVOT_ROOT, | ||
| 177 | TOMOYO_MAX_MAC_INDEX | ||
| 178 | }; | ||
| 179 | |||
| 180 | enum tomoyo_mac_category_index { | ||
| 181 | TOMOYO_MAC_CATEGORY_FILE, | ||
| 182 | TOMOYO_MAX_MAC_CATEGORY_INDEX | ||
| 183 | }; | ||
| 184 | |||
| 160 | #define TOMOYO_RETRY_REQUEST 1 /* Retry this request. */ | 185 | #define TOMOYO_RETRY_REQUEST 1 /* Retry this request. */ |
| 161 | 186 | ||
| 162 | /********** Structure definitions. **********/ | 187 | /********** Structure definitions. **********/ |
| @@ -174,6 +199,7 @@ struct tomoyo_request_info { | |||
| 174 | u8 retry; | 199 | u8 retry; |
| 175 | u8 profile; | 200 | u8 profile; |
| 176 | u8 mode; /* One of tomoyo_mode_index . */ | 201 | u8 mode; /* One of tomoyo_mode_index . */ |
| 202 | u8 type; | ||
| 177 | }; | 203 | }; |
| 178 | 204 | ||
| 179 | /* | 205 | /* |
| @@ -649,6 +675,23 @@ struct tomoyo_policy_manager_entry { | |||
| 649 | bool is_deleted; /* True if this entry is deleted. */ | 675 | bool is_deleted; /* True if this entry is deleted. */ |
| 650 | }; | 676 | }; |
| 651 | 677 | ||
| 678 | struct tomoyo_preference { | ||
| 679 | unsigned int learning_max_entry; | ||
| 680 | bool enforcing_verbose; | ||
| 681 | bool learning_verbose; | ||
| 682 | bool permissive_verbose; | ||
| 683 | }; | ||
| 684 | |||
| 685 | struct tomoyo_profile { | ||
| 686 | const struct tomoyo_path_info *comment; | ||
| 687 | struct tomoyo_preference *learning; | ||
| 688 | struct tomoyo_preference *permissive; | ||
| 689 | struct tomoyo_preference *enforcing; | ||
| 690 | struct tomoyo_preference preference; | ||
| 691 | u8 default_config; | ||
| 692 | u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX]; | ||
| 693 | }; | ||
| 694 | |||
| 652 | /********** Function prototypes. **********/ | 695 | /********** Function prototypes. **********/ |
| 653 | 696 | ||
| 654 | extern asmlinkage long sys_getpid(void); | 697 | extern asmlinkage long sys_getpid(void); |
| @@ -685,6 +728,7 @@ bool tomoyo_compare_name_union(const struct tomoyo_path_info *name, | |||
| 685 | /* Check whether the given number matches the given number_union. */ | 728 | /* Check whether the given number matches the given number_union. */ |
| 686 | bool tomoyo_compare_number_union(const unsigned long value, | 729 | bool tomoyo_compare_number_union(const unsigned long value, |
| 687 | const struct tomoyo_number_union *ptr); | 730 | const struct tomoyo_number_union *ptr); |
| 731 | int tomoyo_get_mode(const u8 profile, const u8 index); | ||
| 688 | /* Transactional sprintf() for policy dump. */ | 732 | /* Transactional sprintf() for policy dump. */ |
| 689 | bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) | 733 | bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) |
| 690 | __attribute__ ((format(printf, 2, 3))); | 734 | __attribute__ ((format(printf, 2, 3))); |
| @@ -747,7 +791,8 @@ const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain); | |||
| 747 | const char *tomoyo_path2keyword(const u8 operation); | 791 | const char *tomoyo_path2keyword(const u8 operation); |
| 748 | /* Fill "struct tomoyo_request_info". */ | 792 | /* Fill "struct tomoyo_request_info". */ |
| 749 | int tomoyo_init_request_info(struct tomoyo_request_info *r, | 793 | int tomoyo_init_request_info(struct tomoyo_request_info *r, |
| 750 | struct tomoyo_domain_info *domain); | 794 | struct tomoyo_domain_info *domain, |
| 795 | const u8 index); | ||
| 751 | /* Check permission for mount operation. */ | 796 | /* Check permission for mount operation. */ |
| 752 | int tomoyo_mount_permission(char *dev_name, struct path *path, char *type, | 797 | int tomoyo_mount_permission(char *dev_name, struct path *path, char *type, |
| 753 | unsigned long flags, void *data_page); | 798 | unsigned long flags, void *data_page); |
| @@ -794,6 +839,7 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); | |||
| 794 | struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * | 839 | struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * |
| 795 | domainname, | 840 | domainname, |
| 796 | const u8 profile); | 841 | const u8 profile); |
| 842 | struct tomoyo_profile *tomoyo_profile(const u8 profile); | ||
| 797 | /* Allocate memory for "struct tomoyo_path_group". */ | 843 | /* Allocate memory for "struct tomoyo_path_group". */ |
| 798 | struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name); | 844 | struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name); |
| 799 | struct tomoyo_number_group *tomoyo_get_number_group(const char *group_name); | 845 | struct tomoyo_number_group *tomoyo_get_number_group(const char *group_name); |
| @@ -844,7 +890,7 @@ int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head); | |||
| 844 | 890 | ||
| 845 | /* Initialize mm related code. */ | 891 | /* Initialize mm related code. */ |
| 846 | void __init tomoyo_mm_init(void); | 892 | void __init tomoyo_mm_init(void); |
| 847 | int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, | 893 | int tomoyo_check_exec_perm(struct tomoyo_request_info *r, |
| 848 | const struct tomoyo_path_info *filename); | 894 | const struct tomoyo_path_info *filename); |
| 849 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | 895 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, |
| 850 | struct path *path, const int flag); | 896 | struct path *path, const int flag); |