author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2009-12-02 07:09:48 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-12-07 22:58:05 -0500 |
commit | 937bf6133b21b16965f75223085f4314ae32b8eb (patch) | |
tree | 4a042bc9298ffddfaf4017a5796cae46e9594d2c /security/tomoyo/common.c | |
parent | 5d0901a3a0c39c97ca504f73d24030f63cfc9fa2 (diff) |
TOMOYO: Add rest of file operation restrictions.
LSM hooks for chmod()/chown()/chroot() are now ready.
This patch utilizes these hooks.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.c')
-rw-r--r-- | security/tomoyo/common.c | 61 |
1 files changed, 18 insertions, 43 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index e0d0354008b..6c606168243 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
@@ -842,52 +842,27 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain) | |||
842 | if (ptr->type & TOMOYO_ACL_DELETED) | 842 | if (ptr->type & TOMOYO_ACL_DELETED) |
843 | continue; | 843 | continue; |
844 | switch (tomoyo_acl_type2(ptr)) { | 844 | switch (tomoyo_acl_type2(ptr)) { |
845 | struct tomoyo_single_path_acl_record *acl1; | 845 | struct tomoyo_single_path_acl_record *acl; |
846 | struct tomoyo_double_path_acl_record *acl2; | 846 | u32 perm; |
847 | u16 perm; | 847 | u8 i; |
848 | case TOMOYO_TYPE_SINGLE_PATH_ACL: | 848 | case TOMOYO_TYPE_SINGLE_PATH_ACL: |
849 | acl1 = container_of(ptr, | 849 | acl = container_of(ptr, |
850 | struct tomoyo_single_path_acl_record, | 850 | struct tomoyo_single_path_acl_record, |
851 | head); | 851 | head); |
852 | perm = acl1->perm; | 852 | perm = acl->perm | (((u32) acl->perm_high) << 16); |
853 | if (perm & (1 << TOMOYO_TYPE_EXECUTE_ACL)) | 853 | for (i = 0; i < TOMOYO_MAX_SINGLE_PATH_OPERATION; i++) |
854 | count++; | 854 | if (perm & (1 << i)) |
855 | if (perm & | 855 | count++; |
856 | ((1 << TOMOYO_TYPE_READ_ACL) | | 856 | if (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) |
857 | (1 << TOMOYO_TYPE_WRITE_ACL))) | 857 | count -= 2; |
858 | count++; | ||
859 | if (perm & (1 << TOMOYO_TYPE_CREATE_ACL)) | ||
860 | count++; | ||
861 | if (perm & (1 << TOMOYO_TYPE_UNLINK_ACL)) | ||
862 | count++; | ||
863 | if (perm & (1 << TOMOYO_TYPE_MKDIR_ACL)) | ||
864 | count++; | ||
865 | if (perm & (1 << TOMOYO_TYPE_RMDIR_ACL)) | ||
866 | count++; | ||
867 | if (perm & (1 << TOMOYO_TYPE_MKFIFO_ACL)) | ||
868 | count++; | ||
869 | if (perm & (1 << TOMOYO_TYPE_MKSOCK_ACL)) | ||
870 | count++; | ||
871 | if (perm & (1 << TOMOYO_TYPE_MKBLOCK_ACL)) | ||
872 | count++; | ||
873 | if (perm & (1 << TOMOYO_TYPE_MKCHAR_ACL)) | ||
874 | count++; | ||
875 | if (perm & (1 << TOMOYO_TYPE_TRUNCATE_ACL)) | ||
876 | count++; | ||
877 | if (perm & (1 << TOMOYO_TYPE_SYMLINK_ACL)) | ||
878 | count++; | ||
879 | if (perm & (1 << TOMOYO_TYPE_REWRITE_ACL)) | ||
880 | count++; | ||
881 | break; | 858 | break; |
882 | case TOMOYO_TYPE_DOUBLE_PATH_ACL: | 859 | case TOMOYO_TYPE_DOUBLE_PATH_ACL: |
883 | acl2 = container_of(ptr, | 860 | perm = container_of(ptr, |
884 | struct tomoyo_double_path_acl_record, | 861 | struct tomoyo_double_path_acl_record, |
885 | head); | 862 | head)->perm; |
886 | perm = acl2->perm; | 863 | for (i = 0; i < TOMOYO_MAX_DOUBLE_PATH_OPERATION; i++) |
887 | if (perm & (1 << TOMOYO_TYPE_LINK_ACL)) | 864 | if (perm & (1 << i)) |
888 | count++; | 865 | count++; |
889 | if (perm & (1 << TOMOYO_TYPE_RENAME_ACL)) | ||
890 | count++; | ||
891 | break; | 866 | break; |
892 | } | 867 | } |
893 | } | 868 | } |
@@ -1426,7 +1401,7 @@ static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, | |||
1426 | u8 bit; | 1401 | u8 bit; |
1427 | const char *atmark = ""; | 1402 | const char *atmark = ""; |
1428 | const char *filename; | 1403 | const char *filename; |
1429 | const u16 perm = ptr->perm; | 1404 | const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16); |
1430 | 1405 | ||
1431 | filename = ptr->filename->name; | 1406 | filename = ptr->filename->name; |
1432 | for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; | 1407 | for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; |
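Review bot: The `count -= 2` after the bit loop at new lines 856-857 silently relies on TOMOYO_TYPE_READ_WRITE_ACL never being set in perm without both TOMOYO_TYPE_READ_ACL and TOMOYO_TYPE_WRITE_ACL also set; if an entry ever carried READ_WRITE alone it would contribute -1 to count, which underflows if count is unsigned (its declaration is outside the hunk), and since this is the quota check that bounds ACL growth a miscount here weakens that limit. I would state the invariant where it is used, e.g. `/* READ_WRITE is only ever set together with READ and WRITE, so the three bits count as one entry */`, or make the subtraction conditional on all three bits being present rather than on READ_WRITE alone. The packing `acl->perm | (((u32) acl->perm_high) << 16)` now appears here (new line 852) and again at new line 1404 in tomoyo_print_single_path_acl; a single static inline accessor returning the 32-bit permission word would keep the quota counter and the printer from disagreeing if the perm/perm_high split ever changes, and would be the natural place to use `1u << i` style masks consistently. Both tomoyo_domain_quota_is_ok and tomoyo_print_single_path_acl start and end outside their hunks.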