TOMOYO: Add mount restriction.

mount(2) has three string and one numeric parameters. Split mount restriction code from security/tomoyo/file.c . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2010-05-16 21:10:31 -0400
committer: James Morris <jmorris@namei.org> 2010-08-02 01:33:37 -0400
commit: 2106ccd972dcd9fda7df9b181505fac1741b3508 (patch)
tree: 4361f9498c303cabc20abc85c1b5ee0afa677b0f /security/tomoyo/common.c
parent: a1f9bb6a375a8dbf7797ffbd6739c46b338a77f7 (diff)
1 files changed, 35 insertions, 0 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 0706b175fdb1..0c6f9a5c37a5 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -1075,6 +1075,10 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
                                if (perm & (1 << i))
                                        count++;
                        break;
+                case TOMOYO_TYPE_MOUNT_ACL:
+                        if (!container_of(ptr, struct tomoyo_mount_acl, head)->
+                            is_deleted)
+                                count++;
                }
        }
        if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
@@ -1576,6 +1580,8 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
                domain->ignore_global_allow_read = !is_delete;
                return 0;
        }
+        if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT))
+                return tomoyo_write_mount_policy(data, domain, is_delete);
        return tomoyo_write_file_policy(data, domain, is_delete);
 }
@@ -1721,6 +1727,30 @@ static bool tomoyo_print_path_number3_acl(struct tomoyo_io_buffer *head,
 }
 /**
+ * tomoyo_print_mount_acl - Print a mount ACL entry.
+ *
+ * @head: Pointer to "struct tomoyo_io_buffer".
+ * @ptr:  Pointer to "struct tomoyo_mount_acl".
+ *
+ * Returns true on success, false otherwise.
+ */
+static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head,
+                                   struct tomoyo_mount_acl *ptr)
+{
+        const int pos = head->read_avail;
+        if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) ||
+            !tomoyo_print_name_union(head, &ptr->dev_name) ||
+            !tomoyo_print_name_union(head, &ptr->dir_name) ||
+            !tomoyo_print_name_union(head, &ptr->fs_type) ||
+            !tomoyo_print_number_union(head, &ptr->flags) ||
+            !tomoyo_io_printf(head, "\n")) {
+                head->read_avail = pos;
+                return false;
+        }
+        return true;
+}
+/**
 * tomoyo_print_entry - Print an ACL entry.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
@@ -1755,6 +1785,11 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
                                       head);
                return tomoyo_print_path_number3_acl(head, acl);
        }
+        if (acl_type == TOMOYO_TYPE_MOUNT_ACL) {
+                struct tomoyo_mount_acl *acl
+                        = container_of(ptr, struct tomoyo_mount_acl, head);
+                return tomoyo_print_mount_acl(head, acl);
+        }
        BUG(); /* This must not happen. */
        return false;
 }
author	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>	2010-05-16 21:10:31 -0400
committer	James Morris <jmorris@namei.org>	2010-08-02 01:33:37 -0400
commit	2106ccd972dcd9fda7df9b181505fac1741b3508 (patch)
tree	4361f9498c303cabc20abc85c1b5ee0afa677b0f /security/tomoyo/common.c
parent	a1f9bb6a375a8dbf7797ffbd6739c46b338a77f7 (diff)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 0706b175fdb1..0c6f9a5c37a5 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c
@@ -1075,6 +1075,10 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
1075	if (perm & (1 << i))	1075	if (perm & (1 << i))
1076	count++;	1076	count++;
1077	break;	1077	break;
		1078	case TOMOYO_TYPE_MOUNT_ACL:
		1079	if (!container_of(ptr, struct tomoyo_mount_acl, head)->
		1080	is_deleted)
		1081	count++;
1078	}	1082	}
1079	}	1083	}
1080	if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))	1084	if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
@@ -1576,6 +1580,8 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
1576	domain->ignore_global_allow_read = !is_delete;	1580	domain->ignore_global_allow_read = !is_delete;
1577	return 0;	1581	return 0;
1578	}	1582	}
		1583	if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT))
		1584	return tomoyo_write_mount_policy(data, domain, is_delete);
1579	return tomoyo_write_file_policy(data, domain, is_delete);	1585	return tomoyo_write_file_policy(data, domain, is_delete);
1580	}	1586	}
1581		1587
@@ -1721,6 +1727,30 @@ static bool tomoyo_print_path_number3_acl(struct tomoyo_io_buffer *head,
1721	}	1727	}
1722		1728
1723	/**	1729	/**
		1730	* tomoyo_print_mount_acl - Print a mount ACL entry.
		1731	*
		1732	* @head: Pointer to "struct tomoyo_io_buffer".
		1733	* @ptr: Pointer to "struct tomoyo_mount_acl".
		1734	*
		1735	* Returns true on success, false otherwise.
		1736	*/
		1737	static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head,
		1738	struct tomoyo_mount_acl *ptr)
		1739	{
		1740	const int pos = head->read_avail;
		1741	if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) \|\|
		1742	!tomoyo_print_name_union(head, &ptr->dev_name) \|\|
		1743	!tomoyo_print_name_union(head, &ptr->dir_name) \|\|
		1744	!tomoyo_print_name_union(head, &ptr->fs_type) \|\|
		1745	!tomoyo_print_number_union(head, &ptr->flags) \|\|
		1746	!tomoyo_io_printf(head, "\n")) {
		1747	head->read_avail = pos;
		1748	return false;
		1749	}
		1750	return true;
		1751	}
		1752
		1753	/**
1724	* tomoyo_print_entry - Print an ACL entry.	1754	* tomoyo_print_entry - Print an ACL entry.
1725	*	1755	*
1726	* @head: Pointer to "struct tomoyo_io_buffer".	1756	* @head: Pointer to "struct tomoyo_io_buffer".
@@ -1755,6 +1785,11 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
1755	head);	1785	head);
1756	return tomoyo_print_path_number3_acl(head, acl);	1786	return tomoyo_print_path_number3_acl(head, acl);
1757	}	1787	}
		1788	if (acl_type == TOMOYO_TYPE_MOUNT_ACL) {
		1789	struct tomoyo_mount_acl *acl
		1790	= container_of(ptr, struct tomoyo_mount_acl, head);
		1791	return tomoyo_print_mount_acl(head, acl);
		1792	}
1758	BUG(); /* This must not happen. */	1793	BUG(); /* This must not happen. */
1759	return false;	1794	return false;
1760	}	1795	}