authorEric W. Biederman <ebiederm@xmission.com>2009-11-20 12:24:19 -0500
committerEric W. Biederman <ebiederm@xmission.com>2009-11-20 12:37:51 -0500
commitc656ae95d1c5c8ed5763356263ace2d03087efec (patch)
tree41409482c06e8d773a189dcfa8e3351f2a333e1f
parenta4054b6b20e9c2cca63715a319759bf8d37d82fc (diff)
security/tomoyo: Remove now unnecessary handling of security_sysctl.
Now that sys_sysctl is an emulation on top of proc sys, all sysctl operations look like normal filesystem operations, and we don't need to use the special sysctl hook to authenticate them. Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
-rw-r--r--security/tomoyo/file.c21
-rw-r--r--security/tomoyo/tomoyo.c72
-rw-r--r--security/tomoyo/tomoyo.h2
3 files changed, 0 insertions, 95 deletions
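--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -1096,27 +1096,6 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
 }
 
 /**
- * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write".
- *
- * @domain: Pointer to "struct tomoyo_domain_info".
- * @filename: Filename to check.
- * @perm: Mode ("read" or "write" or "read/write").
- * Returns 0 on success, negative value otherwise.
- */
-int tomoyo_check_file_perm(struct tomoyo_domain_info *domain,
-			   const char *filename, const u8 perm)
-{
-	struct tomoyo_path_info name;
-	const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
-
-	if (!mode)
-		return 0;
-	name.name = filename;
-	tomoyo_fill_path_info(&name);
-	return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode);
-}
-
-/**
  * tomoyo_check_exec_perm - Check permission for "execute".
  *
  * @domain: Pointer to "struct tomoyo_domain_info".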
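--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -85,75 +85,6 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
 	return tomoyo_check_open_permission(domain, &bprm->file->f_path, 1);
 }
 
-#ifdef CONFIG_SYSCTL
-
-static int tomoyo_prepend(char **buffer, int *buflen, const char *str)
-{
-	int namelen = strlen(str);
-
-	if (*buflen < namelen)
-		return -ENOMEM;
-	*buflen -= namelen;
-	*buffer -= namelen;
-	memcpy(*buffer, str, namelen);
-	return 0;
-}
-
-/**
- * tomoyo_sysctl_path - return the realpath of a ctl_table.
- * @table: pointer to "struct ctl_table".
- *
- * Returns realpath(3) of the @table on success.
- * Returns NULL on failure.
- *
- * This function uses tomoyo_alloc(), so the caller must call tomoyo_free()
- * if this function didn't return NULL.
- */
-static char *tomoyo_sysctl_path(struct ctl_table *table)
-{
-	int buflen = TOMOYO_MAX_PATHNAME_LEN;
-	char *buf = tomoyo_alloc(buflen);
-	char *end = buf + buflen;
-	int error = -ENOMEM;
-
-	if (!buf)
-		return NULL;
-
-	*--end = '\0';
-	buflen--;
-	while (table) {
-		if (tomoyo_prepend(&end, &buflen, table->procname) ||
-		    tomoyo_prepend(&end, &buflen, "/"))
-			goto out;
-		table = table->parent;
-	}
-	if (tomoyo_prepend(&end, &buflen, "/proc/sys"))
-		goto out;
-	error = tomoyo_encode(buf, end - buf, end);
- out:
-	if (!error)
-		return buf;
-	tomoyo_free(buf);
-	return NULL;
-}
-
-static int tomoyo_sysctl(struct ctl_table *table, int op)
-{
-	int error;
-	char *name;
-
-	op &= MAY_READ | MAY_WRITE;
-	if (!op)
-		return 0;
-	name = tomoyo_sysctl_path(table);
-	if (!name)
-		return -ENOMEM;
-	error = tomoyo_check_file_perm(tomoyo_domain(), name, op);
-	tomoyo_free(name);
-	return error;
-}
-#endif
-
 static int tomoyo_path_truncate(struct path *path, loff_t length,
 				unsigned int time_attrs)
 {
@@ -274,9 +205,6 @@ static struct security_operations tomoyo_security_ops = {
 	.cred_transfer = tomoyo_cred_transfer,
 	.bprm_set_creds = tomoyo_bprm_set_creds,
 	.bprm_check_security = tomoyo_bprm_check_security,
-#ifdef CONFIG_SYSCTL
-	.sysctl = tomoyo_sysctl,
-#endif
 	.file_fcntl = tomoyo_file_fcntl,
 	.dentry_open = tomoyo_dentry_open,
 	.path_truncate = tomoyo_path_truncate,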
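--- a/security/tomoyo/tomoyo.h
+++ b/security/tomoyo/tomoyo.h
@@ -18,8 +18,6 @@ struct inode;
 struct linux_binprm;
 struct pt_regs;
 
-int tomoyo_check_file_perm(struct tomoyo_domain_info *domain,
-			   const char *filename, const u8 perm);
 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
 			   const struct tomoyo_path_info *filename);
 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,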