diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-09-10 02:24:56 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-09-13 18:27:06 -0400 |
| commit | 1f067a682a9bd252107ac6f6946b7332fde42344 (patch) | |
| tree | 379bbbf02f0a802453e585a2a482192409308fbb /security/tomoyo/audit.c | |
| parent | 059d84dbb3897d4ee494a9c842c5dda54316cb47 (diff) | |
TOMOYO: Allow controlling generation of access granted logs for per an entry basis.
Add per-entry flag which controls generation of grant logs because Xen and KVM
issues ioctl requests so frequently. For example,
file ioctl /dev/null 0x5401 grant_log=no
will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/audit.c')
| -rw-r--r-- | security/tomoyo/audit.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c index 5dbb1f7617c0..075c3a6d1649 100644 --- a/security/tomoyo/audit.c +++ b/security/tomoyo/audit.c | |||
| @@ -313,6 +313,7 @@ static unsigned int tomoyo_log_count; | |||
| 313 | */ | 313 | */ |
| 314 | static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns, | 314 | static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns, |
| 315 | const u8 profile, const u8 index, | 315 | const u8 profile, const u8 index, |
| 316 | const struct tomoyo_acl_info *matched_acl, | ||
| 316 | const bool is_granted) | 317 | const bool is_granted) |
| 317 | { | 318 | { |
| 318 | u8 mode; | 319 | u8 mode; |
| @@ -324,6 +325,9 @@ static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns, | |||
| 324 | p = tomoyo_profile(ns, profile); | 325 | p = tomoyo_profile(ns, profile); |
| 325 | if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG]) | 326 | if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG]) |
| 326 | return false; | 327 | return false; |
| 328 | if (is_granted && matched_acl && matched_acl->cond && | ||
| 329 | matched_acl->cond->grant_log != TOMOYO_GRANTLOG_AUTO) | ||
| 330 | return matched_acl->cond->grant_log == TOMOYO_GRANTLOG_YES; | ||
| 327 | mode = p->config[index]; | 331 | mode = p->config[index]; |
| 328 | if (mode == TOMOYO_CONFIG_USE_DEFAULT) | 332 | if (mode == TOMOYO_CONFIG_USE_DEFAULT) |
| 329 | mode = p->config[category]; | 333 | mode = p->config[category]; |
| @@ -350,7 +354,8 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt, | |||
| 350 | char *buf; | 354 | char *buf; |
| 351 | struct tomoyo_log *entry; | 355 | struct tomoyo_log *entry; |
| 352 | bool quota_exceeded = false; | 356 | bool quota_exceeded = false; |
| 353 | if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, r->granted)) | 357 | if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, |
| 358 | r->matched_acl, r->granted)) | ||
| 354 | goto out; | 359 | goto out; |
| 355 | buf = tomoyo_init_log(r, len, fmt, args); | 360 | buf = tomoyo_init_log(r, len, fmt, args); |
| 356 | if (!buf) | 361 | if (!buf) |