diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-06-26 10:17:46 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-06-28 19:31:20 -0400 |
| commit | 0d2171d711cbfca84cc0001121be8a6cc8e4d148 (patch) | |
| tree | 998c6fb0c61e15686a7b70276e17ad9e396741f4 /security/tomoyo/common.c | |
| parent | a238cf5b89ed5285be8de56335665d023972f7d5 (diff) | |
TOMOYO: Rename directives.
Convert "allow_..." style directives to "file ..." style directives.
By converting to the latter style, we can pack policy like
"file read/write/execute /path/to/file".
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.c')
| -rw-r--r-- | security/tomoyo/common.c | 147 |
1 files changed, 99 insertions, 48 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 2cfadafd02f5..465df022c211 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
| @@ -56,7 +56,7 @@ static const char *tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX | |||
| 56 | [TOMOYO_MAC_FILE_IOCTL] = "file::ioctl", | 56 | [TOMOYO_MAC_FILE_IOCTL] = "file::ioctl", |
| 57 | [TOMOYO_MAC_FILE_CHROOT] = "file::chroot", | 57 | [TOMOYO_MAC_FILE_CHROOT] = "file::chroot", |
| 58 | [TOMOYO_MAC_FILE_MOUNT] = "file::mount", | 58 | [TOMOYO_MAC_FILE_MOUNT] = "file::mount", |
| 59 | [TOMOYO_MAC_FILE_UMOUNT] = "file::umount", | 59 | [TOMOYO_MAC_FILE_UMOUNT] = "file::unmount", |
| 60 | [TOMOYO_MAC_FILE_PIVOT_ROOT] = "file::pivot_root", | 60 | [TOMOYO_MAC_FILE_PIVOT_ROOT] = "file::pivot_root", |
| 61 | [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", | 61 | [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", |
| 62 | }; | 62 | }; |
| @@ -171,11 +171,25 @@ void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) | |||
| 171 | tomoyo_set_string(head, head->read_buf + pos); | 171 | tomoyo_set_string(head, head->read_buf + pos); |
| 172 | } | 172 | } |
| 173 | 173 | ||
| 174 | /** | ||
| 175 | * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure. | ||
| 176 | * | ||
| 177 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
| 178 | * | ||
| 179 | * Returns nothing. | ||
| 180 | */ | ||
| 174 | static void tomoyo_set_space(struct tomoyo_io_buffer *head) | 181 | static void tomoyo_set_space(struct tomoyo_io_buffer *head) |
| 175 | { | 182 | { |
| 176 | tomoyo_set_string(head, " "); | 183 | tomoyo_set_string(head, " "); |
| 177 | } | 184 | } |
| 178 | 185 | ||
| 186 | /** | ||
| 187 | * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure. | ||
| 188 | * | ||
| 189 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
| 190 | * | ||
| 191 | * Returns nothing. | ||
| 192 | */ | ||
| 179 | static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) | 193 | static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) |
| 180 | { | 194 | { |
| 181 | tomoyo_set_string(head, "\n"); | 195 | tomoyo_set_string(head, "\n"); |
| @@ -183,6 +197,18 @@ static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) | |||
| 183 | } | 197 | } |
| 184 | 198 | ||
| 185 | /** | 199 | /** |
| 200 | * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure. | ||
| 201 | * | ||
| 202 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
| 203 | * | ||
| 204 | * Returns nothing. | ||
| 205 | */ | ||
| 206 | static void tomoyo_set_slash(struct tomoyo_io_buffer *head) | ||
| 207 | { | ||
| 208 | tomoyo_set_string(head, "/"); | ||
| 209 | } | ||
| 210 | |||
| 211 | /** | ||
| 186 | * tomoyo_print_name_union - Print a tomoyo_name_union. | 212 | * tomoyo_print_name_union - Print a tomoyo_name_union. |
| 187 | * | 213 | * |
| 188 | * @head: Pointer to "struct tomoyo_io_buffer". | 214 | * @head: Pointer to "struct tomoyo_io_buffer". |
| @@ -913,19 +939,17 @@ static int tomoyo_write_domain(struct tomoyo_io_buffer *head) | |||
| 913 | } | 939 | } |
| 914 | 940 | ||
| 915 | /** | 941 | /** |
| 916 | * tomoyo_fns - Find next set bit. | 942 | * tomoyo_set_group - Print category name. |
| 917 | * | 943 | * |
| 918 | * @perm: 8 bits value. | 944 | * @head: Pointer to "struct tomoyo_io_buffer". |
| 919 | * @bit: First bit to find. | 945 | * @category: Category name. |
| 920 | * | 946 | * |
| 921 | * Returns next on-bit on success, 8 otherwise. | 947 | * Returns nothing. |
| 922 | */ | 948 | */ |
| 923 | static u8 tomoyo_fns(const u8 perm, u8 bit) | 949 | static void tomoyo_set_group(struct tomoyo_io_buffer *head, |
| 950 | const char *category) | ||
| 924 | { | 951 | { |
| 925 | for ( ; bit < 8; bit++) | 952 | tomoyo_set_string(head, category); |
| 926 | if (perm & (1 << bit)) | ||
| 927 | break; | ||
| 928 | return bit; | ||
| 929 | } | 953 | } |
| 930 | 954 | ||
| 931 | /** | 955 | /** |
| @@ -940,58 +964,94 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, | |||
| 940 | struct tomoyo_acl_info *acl) | 964 | struct tomoyo_acl_info *acl) |
| 941 | { | 965 | { |
| 942 | const u8 acl_type = acl->type; | 966 | const u8 acl_type = acl->type; |
| 967 | bool first = true; | ||
| 943 | u8 bit; | 968 | u8 bit; |
| 944 | 969 | ||
| 945 | if (acl->is_deleted) | 970 | if (acl->is_deleted) |
| 946 | return true; | 971 | return true; |
| 947 | next: | ||
| 948 | bit = head->r.bit; | ||
| 949 | if (!tomoyo_flush(head)) | 972 | if (!tomoyo_flush(head)) |
| 950 | return false; | 973 | return false; |
| 951 | else if (acl_type == TOMOYO_TYPE_PATH_ACL) { | 974 | else if (acl_type == TOMOYO_TYPE_PATH_ACL) { |
| 952 | struct tomoyo_path_acl *ptr = | 975 | struct tomoyo_path_acl *ptr = |
| 953 | container_of(acl, typeof(*ptr), head); | 976 | container_of(acl, typeof(*ptr), head); |
| 954 | const u16 perm = ptr->perm; | 977 | const u16 perm = ptr->perm; |
| 955 | for ( ; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { | 978 | for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { |
| 956 | if (!(perm & (1 << bit))) | 979 | if (!(perm & (1 << bit))) |
| 957 | continue; | 980 | continue; |
| 958 | if (head->r.print_execute_only && | 981 | if (head->r.print_execute_only && |
| 959 | bit != TOMOYO_TYPE_EXECUTE) | 982 | bit != TOMOYO_TYPE_EXECUTE) |
| 960 | continue; | 983 | continue; |
| 961 | break; | 984 | if (first) { |
| 985 | tomoyo_set_group(head, "file "); | ||
| 986 | first = false; | ||
| 987 | } else { | ||
| 988 | tomoyo_set_slash(head); | ||
| 989 | } | ||
| 990 | tomoyo_set_string(head, tomoyo_path_keyword[bit]); | ||
| 962 | } | 991 | } |
| 963 | if (bit >= TOMOYO_MAX_PATH_OPERATION) | 992 | if (first) |
| 964 | goto done; | 993 | return true; |
| 965 | tomoyo_io_printf(head, "allow_%s", tomoyo_path_keyword[bit]); | ||
| 966 | tomoyo_print_name_union(head, &ptr->name); | 994 | tomoyo_print_name_union(head, &ptr->name); |
| 967 | } else if (head->r.print_execute_only) { | 995 | } else if (head->r.print_execute_only) { |
| 968 | return true; | 996 | return true; |
| 969 | } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { | 997 | } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { |
| 970 | struct tomoyo_path2_acl *ptr = | 998 | struct tomoyo_path2_acl *ptr = |
| 971 | container_of(acl, typeof(*ptr), head); | 999 | container_of(acl, typeof(*ptr), head); |
| 972 | bit = tomoyo_fns(ptr->perm, bit); | 1000 | const u8 perm = ptr->perm; |
| 973 | if (bit >= TOMOYO_MAX_PATH2_OPERATION) | 1001 | for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { |
| 974 | goto done; | 1002 | if (!(perm & (1 << bit))) |
| 975 | tomoyo_io_printf(head, "allow_%s", tomoyo_path2_keyword[bit]); | 1003 | continue; |
| 1004 | if (first) { | ||
| 1005 | tomoyo_set_group(head, "file "); | ||
| 1006 | first = false; | ||
| 1007 | } else { | ||
| 1008 | tomoyo_set_slash(head); | ||
| 1009 | } | ||
| 1010 | tomoyo_set_string(head, tomoyo_mac_keywords | ||
| 1011 | [tomoyo_pp2mac[bit]]); | ||
| 1012 | } | ||
| 1013 | if (first) | ||
| 1014 | return true; | ||
| 976 | tomoyo_print_name_union(head, &ptr->name1); | 1015 | tomoyo_print_name_union(head, &ptr->name1); |
| 977 | tomoyo_print_name_union(head, &ptr->name2); | 1016 | tomoyo_print_name_union(head, &ptr->name2); |
| 978 | } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { | 1017 | } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { |
| 979 | struct tomoyo_path_number_acl *ptr = | 1018 | struct tomoyo_path_number_acl *ptr = |
| 980 | container_of(acl, typeof(*ptr), head); | 1019 | container_of(acl, typeof(*ptr), head); |
| 981 | bit = tomoyo_fns(ptr->perm, bit); | 1020 | const u8 perm = ptr->perm; |
| 982 | if (bit >= TOMOYO_MAX_PATH_NUMBER_OPERATION) | 1021 | for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) { |
| 983 | goto done; | 1022 | if (!(perm & (1 << bit))) |
| 984 | tomoyo_io_printf(head, "allow_%s", | 1023 | continue; |
| 985 | tomoyo_path_number_keyword[bit]); | 1024 | if (first) { |
| 1025 | tomoyo_set_group(head, "file "); | ||
| 1026 | first = false; | ||
| 1027 | } else { | ||
| 1028 | tomoyo_set_slash(head); | ||
| 1029 | } | ||
| 1030 | tomoyo_set_string(head, tomoyo_mac_keywords | ||
| 1031 | [tomoyo_pn2mac[bit]]); | ||
| 1032 | } | ||
| 1033 | if (first) | ||
| 1034 | return true; | ||
| 986 | tomoyo_print_name_union(head, &ptr->name); | 1035 | tomoyo_print_name_union(head, &ptr->name); |
| 987 | tomoyo_print_number_union(head, &ptr->number); | 1036 | tomoyo_print_number_union(head, &ptr->number); |
| 988 | } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { | 1037 | } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { |
| 989 | struct tomoyo_mkdev_acl *ptr = | 1038 | struct tomoyo_mkdev_acl *ptr = |
| 990 | container_of(acl, typeof(*ptr), head); | 1039 | container_of(acl, typeof(*ptr), head); |
| 991 | bit = tomoyo_fns(ptr->perm, bit); | 1040 | const u8 perm = ptr->perm; |
| 992 | if (bit >= TOMOYO_MAX_MKDEV_OPERATION) | 1041 | for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) { |
| 993 | goto done; | 1042 | if (!(perm & (1 << bit))) |
| 994 | tomoyo_io_printf(head, "allow_%s", tomoyo_mkdev_keyword[bit]); | 1043 | continue; |
| 1044 | if (first) { | ||
| 1045 | tomoyo_set_group(head, "file "); | ||
| 1046 | first = false; | ||
| 1047 | } else { | ||
| 1048 | tomoyo_set_slash(head); | ||
| 1049 | } | ||
| 1050 | tomoyo_set_string(head, tomoyo_mac_keywords | ||
| 1051 | [tomoyo_pnnn2mac[bit]]); | ||
| 1052 | } | ||
| 1053 | if (first) | ||
| 1054 | return true; | ||
| 995 | tomoyo_print_name_union(head, &ptr->name); | 1055 | tomoyo_print_name_union(head, &ptr->name); |
| 996 | tomoyo_print_number_union(head, &ptr->mode); | 1056 | tomoyo_print_number_union(head, &ptr->mode); |
| 997 | tomoyo_print_number_union(head, &ptr->major); | 1057 | tomoyo_print_number_union(head, &ptr->major); |
| @@ -999,18 +1059,13 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, | |||
| 999 | } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { | 1059 | } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { |
| 1000 | struct tomoyo_mount_acl *ptr = | 1060 | struct tomoyo_mount_acl *ptr = |
| 1001 | container_of(acl, typeof(*ptr), head); | 1061 | container_of(acl, typeof(*ptr), head); |
| 1002 | tomoyo_io_printf(head, "allow_mount"); | 1062 | tomoyo_set_group(head, "file mount"); |
| 1003 | tomoyo_print_name_union(head, &ptr->dev_name); | 1063 | tomoyo_print_name_union(head, &ptr->dev_name); |
| 1004 | tomoyo_print_name_union(head, &ptr->dir_name); | 1064 | tomoyo_print_name_union(head, &ptr->dir_name); |
| 1005 | tomoyo_print_name_union(head, &ptr->fs_type); | 1065 | tomoyo_print_name_union(head, &ptr->fs_type); |
| 1006 | tomoyo_print_number_union(head, &ptr->flags); | 1066 | tomoyo_print_number_union(head, &ptr->flags); |
| 1007 | } | 1067 | } |
| 1008 | head->r.bit = bit + 1; | 1068 | tomoyo_set_lf(head); |
| 1009 | tomoyo_io_printf(head, "\n"); | ||
| 1010 | if (acl_type != TOMOYO_TYPE_MOUNT_ACL) | ||
| 1011 | goto next; | ||
| 1012 | done: | ||
| 1013 | head->r.bit = 0; | ||
| 1014 | return true; | 1069 | return true; |
| 1015 | } | 1070 | } |
| 1016 | 1071 | ||
| @@ -1316,18 +1371,14 @@ static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) | |||
| 1316 | { | 1371 | { |
| 1317 | struct tomoyo_transition_control *ptr = | 1372 | struct tomoyo_transition_control *ptr = |
| 1318 | container_of(acl, typeof(*ptr), head); | 1373 | container_of(acl, typeof(*ptr), head); |
| 1319 | tomoyo_set_string(head, | 1374 | tomoyo_set_string(head, tomoyo_transition_type |
| 1320 | tomoyo_transition_type | ||
| 1321 | [ptr->type]); | 1375 | [ptr->type]); |
| 1322 | if (ptr->program) | 1376 | tomoyo_set_string(head, ptr->program ? |
| 1323 | tomoyo_set_string(head, | 1377 | ptr->program->name : "any"); |
| 1324 | ptr->program->name); | 1378 | tomoyo_set_string(head, " from "); |
| 1325 | if (ptr->program && ptr->domainname) | 1379 | tomoyo_set_string(head, ptr->domainname ? |
| 1326 | tomoyo_set_string(head, " from "); | 1380 | ptr->domainname->name : |
| 1327 | if (ptr->domainname) | 1381 | "any"); |
| 1328 | tomoyo_set_string(head, | ||
| 1329 | ptr->domainname-> | ||
| 1330 | name); | ||
| 1331 | } | 1382 | } |
| 1332 | break; | 1383 | break; |
| 1333 | case TOMOYO_ID_AGGREGATOR: | 1384 | case TOMOYO_ID_AGGREGATOR: |