diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-07-08 00:21:37 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-07-10 21:05:32 -0400 |
| commit | 2066a36125fcbf5220990173b9d8e8bc49ad7538 (patch) | |
| tree | c8ea3a6d92a8b4b68cda986601336e8e8f58553e /security/tomoyo/gc.c | |
| parent | 5c4274f13819b40e726f6ee4ef13b4952cff5010 (diff) | |
TOMOYO: Allow using UID/GID etc. of current thread as conditions.
This patch adds support for permission checks using current thread's UID/GID
etc. in addition to pathnames.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/gc.c')
| -rw-r--r-- | security/tomoyo/gc.c | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/security/tomoyo/gc.c b/security/tomoyo/gc.c index 1e1a6c8c832c..21fccd67c255 100644 --- a/security/tomoyo/gc.c +++ b/security/tomoyo/gc.c | |||
| @@ -25,6 +25,7 @@ static const u8 tomoyo_element_size[TOMOYO_MAX_POLICY] = { | |||
| 25 | [TOMOYO_ID_TRANSITION_CONTROL] = | 25 | [TOMOYO_ID_TRANSITION_CONTROL] = |
| 26 | sizeof(struct tomoyo_transition_control), | 26 | sizeof(struct tomoyo_transition_control), |
| 27 | [TOMOYO_ID_MANAGER] = sizeof(struct tomoyo_manager), | 27 | [TOMOYO_ID_MANAGER] = sizeof(struct tomoyo_manager), |
| 28 | /* [TOMOYO_ID_CONDITION] = "struct tomoyo_condition"->size, */ | ||
| 28 | /* [TOMOYO_ID_NAME] = "struct tomoyo_name"->size, */ | 29 | /* [TOMOYO_ID_NAME] = "struct tomoyo_name"->size, */ |
| 29 | /* [TOMOYO_ID_ACL] = | 30 | /* [TOMOYO_ID_ACL] = |
| 30 | tomoyo_acl_size["struct tomoyo_acl_info"->type], */ | 31 | tomoyo_acl_size["struct tomoyo_acl_info"->type], */ |
| @@ -162,6 +163,10 @@ static bool tomoyo_add_to_gc(const int type, struct list_head *element) | |||
| 162 | entry->size = strlen(container_of(element, | 163 | entry->size = strlen(container_of(element, |
| 163 | typeof(struct tomoyo_name), | 164 | typeof(struct tomoyo_name), |
| 164 | head.list)->entry.name) + 1; | 165 | head.list)->entry.name) + 1; |
| 166 | else if (type == TOMOYO_ID_CONDITION) | ||
| 167 | entry->size = | ||
| 168 | container_of(element, typeof(struct tomoyo_condition), | ||
| 169 | head.list)->size; | ||
| 165 | else | 170 | else |
| 166 | entry->size = tomoyo_element_size[type]; | 171 | entry->size = tomoyo_element_size[type]; |
| 167 | entry->element = element; | 172 | entry->element = element; |
| @@ -246,6 +251,7 @@ static void tomoyo_del_acl(struct list_head *element) | |||
| 246 | { | 251 | { |
| 247 | struct tomoyo_acl_info *acl = | 252 | struct tomoyo_acl_info *acl = |
| 248 | container_of(element, typeof(*acl), list); | 253 | container_of(element, typeof(*acl), list); |
| 254 | tomoyo_put_condition(acl->cond); | ||
| 249 | switch (acl->type) { | 255 | switch (acl->type) { |
| 250 | case TOMOYO_TYPE_PATH_ACL: | 256 | case TOMOYO_TYPE_PATH_ACL: |
| 251 | { | 257 | { |
| @@ -338,6 +344,27 @@ static bool tomoyo_del_domain(struct list_head *element) | |||
| 338 | return true; | 344 | return true; |
| 339 | } | 345 | } |
| 340 | 346 | ||
| 347 | /** | ||
| 348 | * tomoyo_del_condition - Delete members in "struct tomoyo_condition". | ||
| 349 | * | ||
| 350 | * @element: Pointer to "struct list_head". | ||
| 351 | * | ||
| 352 | * Returns nothing. | ||
| 353 | */ | ||
| 354 | void tomoyo_del_condition(struct list_head *element) | ||
| 355 | { | ||
| 356 | struct tomoyo_condition *cond = container_of(element, typeof(*cond), | ||
| 357 | head.list); | ||
| 358 | const u16 condc = cond->condc; | ||
| 359 | const u16 numbers_count = cond->numbers_count; | ||
| 360 | unsigned int i; | ||
| 361 | const struct tomoyo_condition_element *condp | ||
| 362 | = (const struct tomoyo_condition_element *) (cond + 1); | ||
| 363 | struct tomoyo_number_union *numbers_p | ||
| 364 | = (struct tomoyo_number_union *) (condp + condc); | ||
| 365 | for (i = 0; i < numbers_count; i++) | ||
| 366 | tomoyo_put_number_union(numbers_p++); | ||
| 367 | } | ||
| 341 | 368 | ||
| 342 | /** | 369 | /** |
| 343 | * tomoyo_del_name - Delete members in "struct tomoyo_name". | 370 | * tomoyo_del_name - Delete members in "struct tomoyo_name". |
| @@ -494,15 +521,18 @@ static void tomoyo_collect_entry(void) | |||
| 494 | } | 521 | } |
| 495 | } | 522 | } |
| 496 | } | 523 | } |
| 497 | for (i = 0; i < TOMOYO_MAX_HASH; i++) { | 524 | id = TOMOYO_ID_CONDITION; |
| 498 | struct list_head *list = &tomoyo_name_list[i]; | 525 | for (i = 0; i < TOMOYO_MAX_HASH + 1; i++) { |
| 526 | struct list_head *list = !i ? | ||
| 527 | &tomoyo_condition_list : &tomoyo_name_list[i - 1]; | ||
| 499 | struct tomoyo_shared_acl_head *ptr; | 528 | struct tomoyo_shared_acl_head *ptr; |
| 500 | list_for_each_entry(ptr, list, list) { | 529 | list_for_each_entry(ptr, list, list) { |
| 501 | if (atomic_read(&ptr->users)) | 530 | if (atomic_read(&ptr->users)) |
| 502 | continue; | 531 | continue; |
| 503 | if (!tomoyo_add_to_gc(TOMOYO_ID_NAME, &ptr->list)) | 532 | if (!tomoyo_add_to_gc(id, &ptr->list)) |
| 504 | goto unlock; | 533 | goto unlock; |
| 505 | } | 534 | } |
| 535 | id = TOMOYO_ID_NAME; | ||
| 506 | } | 536 | } |
| 507 | unlock: | 537 | unlock: |
| 508 | tomoyo_read_unlock(idx); | 538 | tomoyo_read_unlock(idx); |
| @@ -557,6 +587,9 @@ static bool tomoyo_kfree_entry(void) | |||
| 557 | case TOMOYO_ID_MANAGER: | 587 | case TOMOYO_ID_MANAGER: |
| 558 | tomoyo_del_manager(element); | 588 | tomoyo_del_manager(element); |
| 559 | break; | 589 | break; |
| 590 | case TOMOYO_ID_CONDITION: | ||
| 591 | tomoyo_del_condition(element); | ||
| 592 | break; | ||
| 560 | case TOMOYO_ID_NAME: | 593 | case TOMOYO_ID_NAME: |
| 561 | /* | 594 | /* |
| 562 | * Thirdly, defer until all "struct tomoyo_io_buffer" | 595 | * Thirdly, defer until all "struct tomoyo_io_buffer" |