aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2011-09-10 02:24:56 -0400
committerJames Morris <jmorris@namei.org>2011-09-13 18:27:06 -0400
commit1f067a682a9bd252107ac6f6946b7332fde42344 (patch)
tree379bbbf02f0a802453e585a2a482192409308fbb
parent059d84dbb3897d4ee494a9c842c5dda54316cb47 (diff)
TOMOYO: Allow controlling generation of access granted logs for per an entry basis.
Add per-entry flag which controls generation of grant logs because Xen and KVM issues ioctl requests so frequently. For example, file ioctl /dev/null 0x5401 grant_log=no will suppress /sys/kernel/security/tomoyo/audit even if preference says grant_log=yes . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/tomoyo/audit.c7
-rw-r--r--security/tomoyo/common.c4
-rw-r--r--security/tomoyo/common.h12
-rw-r--r--security/tomoyo/condition.c15
-rw-r--r--security/tomoyo/domain.c1
5 files changed, 38 insertions, 1 deletions
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index 5dbb1f7617c0..075c3a6d1649 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -313,6 +313,7 @@ static unsigned int tomoyo_log_count;
313 */ 313 */
314static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns, 314static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
315 const u8 profile, const u8 index, 315 const u8 profile, const u8 index,
316 const struct tomoyo_acl_info *matched_acl,
316 const bool is_granted) 317 const bool is_granted)
317{ 318{
318 u8 mode; 319 u8 mode;
@@ -324,6 +325,9 @@ static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
324 p = tomoyo_profile(ns, profile); 325 p = tomoyo_profile(ns, profile);
325 if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG]) 326 if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG])
326 return false; 327 return false;
328 if (is_granted && matched_acl && matched_acl->cond &&
329 matched_acl->cond->grant_log != TOMOYO_GRANTLOG_AUTO)
330 return matched_acl->cond->grant_log == TOMOYO_GRANTLOG_YES;
327 mode = p->config[index]; 331 mode = p->config[index];
328 if (mode == TOMOYO_CONFIG_USE_DEFAULT) 332 if (mode == TOMOYO_CONFIG_USE_DEFAULT)
329 mode = p->config[category]; 333 mode = p->config[category];
@@ -350,7 +354,8 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
350 char *buf; 354 char *buf;
351 struct tomoyo_log *entry; 355 struct tomoyo_log *entry;
352 bool quota_exceeded = false; 356 bool quota_exceeded = false;
353 if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, r->granted)) 357 if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type,
358 r->matched_acl, r->granted))
354 goto out; 359 goto out;
355 buf = tomoyo_init_log(r, len, fmt, args); 360 buf = tomoyo_init_log(r, len, fmt, args);
356 if (!buf) 361 if (!buf)
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 85d915587a71..2704c384bf1e 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -1272,6 +1272,10 @@ static bool tomoyo_print_condition(struct tomoyo_io_buffer *head,
1272 head->r.cond_step++; 1272 head->r.cond_step++;
1273 /* fall through */ 1273 /* fall through */
1274 case 3: 1274 case 3:
1275 if (cond->grant_log != TOMOYO_GRANTLOG_AUTO)
1276 tomoyo_io_printf(head, " grant_log=%s",
1277 tomoyo_yesno(cond->grant_log ==
1278 TOMOYO_GRANTLOG_YES));
1275 tomoyo_set_lf(head); 1279 tomoyo_set_lf(head);
1276 return true; 1280 return true;
1277 } 1281 }
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index d1c758e7f92b..435b3d869fc5 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -179,6 +179,16 @@ enum tomoyo_domain_info_flags_index {
179 TOMOYO_MAX_DOMAIN_INFO_FLAGS 179 TOMOYO_MAX_DOMAIN_INFO_FLAGS
180}; 180};
181 181
182/* Index numbers for audit type. */
183enum tomoyo_grant_log {
184 /* Follow profile's configuration. */
185 TOMOYO_GRANTLOG_AUTO,
186 /* Do not generate grant log. */
187 TOMOYO_GRANTLOG_NO,
188 /* Generate grant_log. */
189 TOMOYO_GRANTLOG_YES,
190};
191
182/* Index numbers for group entries. */ 192/* Index numbers for group entries. */
183enum tomoyo_group_id { 193enum tomoyo_group_id {
184 TOMOYO_PATH_GROUP, 194 TOMOYO_PATH_GROUP,
@@ -471,6 +481,7 @@ struct tomoyo_request_info {
471 int need_dev; 481 int need_dev;
472 } mount; 482 } mount;
473 } param; 483 } param;
484 struct tomoyo_acl_info *matched_acl;
474 u8 param_type; 485 u8 param_type;
475 bool granted; 486 bool granted;
476 u8 retry; 487 u8 retry;
@@ -635,6 +646,7 @@ struct tomoyo_condition {
635 u16 names_count; /* Number of "struct tomoyo_name_union names". */ 646 u16 names_count; /* Number of "struct tomoyo_name_union names". */
636 u16 argc; /* Number of "struct tomoyo_argv". */ 647 u16 argc; /* Number of "struct tomoyo_argv". */
637 u16 envc; /* Number of "struct tomoyo_envp". */ 648 u16 envc; /* Number of "struct tomoyo_envp". */
649 u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
638 /* 650 /*
639 * struct tomoyo_condition_element condition[condc]; 651 * struct tomoyo_condition_element condition[condc];
640 * struct tomoyo_number_union values[numbers_count]; 652 * struct tomoyo_number_union values[numbers_count];
diff --git a/security/tomoyo/condition.c b/security/tomoyo/condition.c
index 8a05f71eaf67..3a05eb3e2a64 100644
--- a/security/tomoyo/condition.c
+++ b/security/tomoyo/condition.c
@@ -348,6 +348,7 @@ static inline bool tomoyo_same_condition(const struct tomoyo_condition *a,
348 a->numbers_count == b->numbers_count && 348 a->numbers_count == b->numbers_count &&
349 a->names_count == b->names_count && 349 a->names_count == b->names_count &&
350 a->argc == b->argc && a->envc == b->envc && 350 a->argc == b->argc && a->envc == b->envc &&
351 a->grant_log == b->grant_log &&
351 !memcmp(a + 1, b + 1, a->size - sizeof(*a)); 352 !memcmp(a + 1, b + 1, a->size - sizeof(*a));
352} 353}
353 354
@@ -486,6 +487,20 @@ rerun:
486 goto out; 487 goto out;
487 dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word, 488 dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word,
488 is_not ? "!" : "", right_word); 489 is_not ? "!" : "", right_word);
490 if (!strcmp(left_word, "grant_log")) {
491 if (entry) {
492 if (is_not ||
493 entry->grant_log != TOMOYO_GRANTLOG_AUTO)
494 goto out;
495 else if (!strcmp(right_word, "yes"))
496 entry->grant_log = TOMOYO_GRANTLOG_YES;
497 else if (!strcmp(right_word, "no"))
498 entry->grant_log = TOMOYO_GRANTLOG_NO;
499 else
500 goto out;
501 }
502 continue;
503 }
489 if (!strncmp(left_word, "exec.argv[", 10)) { 504 if (!strncmp(left_word, "exec.argv[", 10)) {
490 if (!argv) { 505 if (!argv) {
491 e.argc++; 506 e.argc++;
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 5931fb1c04d5..498fea732f48 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -157,6 +157,7 @@ retry:
157 continue; 157 continue;
158 if (!tomoyo_condition(r, ptr->cond)) 158 if (!tomoyo_condition(r, ptr->cond))
159 continue; 159 continue;
160 r->matched_acl = ptr;
160 r->granted = true; 161 r->granted = true;
161 return; 162 return;
162 } 163 }