diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-06-26 10:19:52 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-06-28 19:31:21 -0400 |
| commit | bd03a3e4c9a9df0c6b007045fa7fc8889111a478 (patch) | |
| tree | 9d78290c878e6466fe3e0bda7ee5989c0dc39e40 /security/tomoyo/audit.c | |
| parent | 32997144fd9925fc4d506a16990a0c405f766526 (diff) | |
TOMOYO: Add policy namespace support.
Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments,
for TOMOYO cannot distinguish between environments outside the container and
environments inside the container since LXC environments are created using
pivot_root(). To address this problem, this patch introduces policy namespace.
Each policy namespace has its own set of domain policy, exception policy and
profiles, which are all independent of other namespaces. This independency
allows users to develop policy without worrying interference among namespaces.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/audit.c')
| -rw-r--r-- | security/tomoyo/audit.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c index e882f17065f2..ef2172f29583 100644 --- a/security/tomoyo/audit.c +++ b/security/tomoyo/audit.c | |||
| @@ -151,13 +151,15 @@ static unsigned int tomoyo_log_count; | |||
| 151 | /** | 151 | /** |
| 152 | * tomoyo_get_audit - Get audit mode. | 152 | * tomoyo_get_audit - Get audit mode. |
| 153 | * | 153 | * |
| 154 | * @ns: Pointer to "struct tomoyo_policy_namespace". | ||
| 154 | * @profile: Profile number. | 155 | * @profile: Profile number. |
| 155 | * @index: Index number of functionality. | 156 | * @index: Index number of functionality. |
| 156 | * @is_granted: True if granted log, false otherwise. | 157 | * @is_granted: True if granted log, false otherwise. |
| 157 | * | 158 | * |
| 158 | * Returns true if this request should be audited, false otherwise. | 159 | * Returns true if this request should be audited, false otherwise. |
| 159 | */ | 160 | */ |
| 160 | static bool tomoyo_get_audit(const u8 profile, const u8 index, | 161 | static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns, |
| 162 | const u8 profile, const u8 index, | ||
| 161 | const bool is_granted) | 163 | const bool is_granted) |
| 162 | { | 164 | { |
| 163 | u8 mode; | 165 | u8 mode; |
| @@ -165,7 +167,7 @@ static bool tomoyo_get_audit(const u8 profile, const u8 index, | |||
| 165 | struct tomoyo_profile *p; | 167 | struct tomoyo_profile *p; |
| 166 | if (!tomoyo_policy_loaded) | 168 | if (!tomoyo_policy_loaded) |
| 167 | return false; | 169 | return false; |
| 168 | p = tomoyo_profile(profile); | 170 | p = tomoyo_profile(ns, profile); |
| 169 | if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG]) | 171 | if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG]) |
| 170 | return false; | 172 | return false; |
| 171 | mode = p->config[index]; | 173 | mode = p->config[index]; |
| @@ -194,7 +196,7 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt, | |||
| 194 | char *buf; | 196 | char *buf; |
| 195 | struct tomoyo_log *entry; | 197 | struct tomoyo_log *entry; |
| 196 | bool quota_exceeded = false; | 198 | bool quota_exceeded = false; |
| 197 | if (!tomoyo_get_audit(r->profile, r->type, r->granted)) | 199 | if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, r->granted)) |
| 198 | goto out; | 200 | goto out; |
| 199 | buf = tomoyo_init_log(r, len, fmt, args); | 201 | buf = tomoyo_init_log(r, len, fmt, args); |
| 200 | if (!buf) | 202 | if (!buf) |