TOMOYO: Allow controlling generation of access granted logs for per an entry basis.

Add per-entry flag which controls generation of grant logs because Xen and KVM
issues ioctl requests so frequently. For example,

  file ioctl /dev/null 0x5401 grant_log=no

will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 12 insertions, 0 deletions

diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index d1c758e7f92b..435b3d869fc5 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -179,6 +179,16 @@ enum tomoyo_domain_info_flags_index {
         TOMOYO_MAX_DOMAIN_INFO_FLAGS
 };
 
+/* Index numbers for audit type. */
+enum tomoyo_grant_log {
+        /* Follow profile's configuration. */
+        TOMOYO_GRANTLOG_AUTO,
+        /* Do not generate grant log. */
+        TOMOYO_GRANTLOG_NO,
+        /* Generate grant_log. */
+        TOMOYO_GRANTLOG_YES,
+};
+
 /* Index numbers for group entries. */
 enum tomoyo_group_id {
         TOMOYO_PATH_GROUP,
@@ -471,6 +481,7 @@ struct tomoyo_request_info {
                         int need_dev;
                 } mount;
         } param;
+        struct tomoyo_acl_info *matched_acl;
         u8 param_type;
         bool granted;
         u8 retry;
@@ -635,6 +646,7 @@ struct tomoyo_condition {
         u16 names_count; /* Number of "struct tomoyo_name_union names". */
         u16 argc; /* Number of "struct tomoyo_argv". */
         u16 envc; /* Number of "struct tomoyo_envp". */
+        u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
         /*
          * struct tomoyo_condition_element condition[condc];
          * struct tomoyo_number_union values[numbers_count];