author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2010-06-23 23:00:25 -0400 |
committer | James Morris <jmorris@namei.org> | 2010-08-02 01:34:44 -0400 |
commit | 063821c8160568b3390044390c8328e36c5696ad (patch) | |
tree | 68a61753cdc6b0edaf0358eebdea8c20aaa713b1 | |
parent | 475e6fa3d340e75a454ea09191a29e52e2ee6e71 (diff) |
TOMOYO: Allow reading only execute permission.
The policy editor needs to know the allow_execute entries in order to build the
domain transition tree. Reading all entries is slow, so allow reading only the
allow_execute entries.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/tomoyo/common.c | 8 | ||||
-rw-r--r-- | security/tomoyo/common.h | 2 |
2 files changed, 10 insertions, 0 deletions
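--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -594,6 +594,10 @@ static bool tomoyo_select_one(struct tomoyo_io_buffer *head, const char *data)
 struct tomoyo_domain_info *domain = NULL;
 bool global_pid = false;
 
+if (!strcmp(data, "allow_execute")) {
+head->print_execute_only = true;
+return true;
+}
 if (sscanf(data, "pid=%u", &pid) == 1 ||
 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
 struct task_struct *p;
@@ -759,6 +763,8 @@ static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
 if (!(perm & (1 << bit)))
 continue;
+if (head->print_execute_only && bit != TOMOYO_TYPE_EXECUTE)
+continue;
 /* Print "read/write" instead of "read" and "write". */
 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
 && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
@@ -926,6 +932,8 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
 = container_of(ptr, struct tomoyo_path_acl, head);
 return tomoyo_print_path_acl(head, acl);
 }
+if (head->print_execute_only)
+return true;
 if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
 struct tomoyo_path2_acl *acl
 = container_of(ptr, struct tomoyo_path2_acl, head);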
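Review bot: Once the `allow_execute` selector in tomoyo_select_one sets `head->print_execute_only`, nothing in this patch ever clears it, so every later read on the same open handle stays filtered even after a subsequent `pid=`/`global-pid=` or domain selection is written to it. If the flag is meant to be per-handle rather than per-selection, that should be stated where it is set; if it is meant to follow the current selection, the added block could become `head->print_execute_only = !strcmp(data, "allow_execute"); if (head->print_execute_only) return true;` so that any other selector resets it. The early `return true` in tomoyo_print_entry silently drops every non-path ACL in this mode, which matches the description, but a one-line comment such as `/* Execute-only view: only path ACLs can carry TOMOYO_TYPE_EXECUTE, skip the rest. */` would save the next reader a search. tomoyo_select_one, tomoyo_print_path_acl and tomoyo_print_entry all begin and end outside these hunks, so whether a path ACL with no execute bit still emits a partial line cannot be judged from here.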
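--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -571,6 +571,8 @@ struct tomoyo_io_buffer {
 bool read_single_domain;
 /* Extra variable for reading. */
 u8 read_bit;
+/* Read only TOMOYO_TYPE_EXECUTE */
+bool print_execute_only;
 /* Bytes available for reading. */
 int read_avail;
 /* Size of read buffer. */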
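Review bot: The comment on the new `print_execute_only` member says what is filtered but not how the mode is entered or how long it lasts, which is the part a reader of this header cannot see. Suggest `/* Set by the "allow_execute" selector (tomoyo_select_one); while true, reads on this handle emit only TOMOYO_TYPE_EXECUTE bits of path ACLs and skip other ACL types. */`. Whether the field starts zeroed depends on how struct tomoyo_io_buffer is allocated, which is outside this hunk.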